What is TCP Sequence Prediction Attack ?
TCP protocol is a connection-oriented protocol. When two hosts communicate with each other using TCP protocol, they first establish a connection between them. And then, the transfer of data packets begin. A data packet is sent by the sender, the receiver receives it and sends an acknowledgement. The sender gets the acknowledgement and transfers the next data packet.
When data packets are transferred over the TCP connection, usually each packet contains a sequence number. This sequence number helps in keeping track of data packets received and acknowledged.
Sometimes, attackers exploit this concept of sequence numbers of TCP packets and perpetrate attacks for malicious purposes. This type of attacks are called TCP Sequence Prediction Attacks.
Purpose of TCP Sequence Prediction Attack
Suppose, two hosts A and B are communicating to each other using a TCP connection. An attacker can perpetrate this attack to inject a counterfeit data packet to host A, impersonating to be host B. So, host A will think the data packets are coming from trusted host B, though they are actually coming from the attacker. The attacker can even close the connection to host A prematurely or do other mischiefs hiding his own identity.
Why is sequence number prediction done for TCP Packets ?
Suppose, host A and host B are communicating with each other using a TCP connection. An attacker is listening to their communication. If the attacker wants to send a counterfeit data packet to host A impersonating to be host B, he cannot simply send it to host A, using host B's identity. Because, each data packet has a sequence number, which is checked in every packet transfer. So, the attacker has to predict that sequence number and include that in the counterfeit data packet as well. And, hence the sequence number prediction.
How are TCP Sequence Prediction Attacks performed ?
The attacker typically follows these steps to perpetrate the TCP Sequence Attack.
- Suppose, host A and host B are communicating with each other using TCP connection. The attacker is listening to the conversation and wants to send counterfeit packets to host A, impersonating to be host B.
- The attacker tracks the sequence number of each data packet. He predicts the sequence number that the counterfeit data packet should have and makes the packet.
- The attacker starts sending those packets to host A, spoofing the IP address of the victim host B.
- At this point, host B may send the actual packet to host A. And, that would create confusion to host A, as it will receive both the packets.
- So, to avoid that, the attacker performs a DoS attack to host B at the same time. As a result, host B cannot send the intended data packets to host A. And, instead the attacker can easily impersonate to be host B.
- Now, the attacker can introduce counterfeit data packets to host A impersonating host B, close the TCP connection prematurely or do other mischief.
How to prevent TCP Sequence Prediction Attack ?
There are a few prevention mechanisms that can be taken.
- Instead of a predicted sequence number, a random sequence number can be used to track the data packets. In that way, it will be difficult for the attacker to predict the sequence number and perpetrate the attack.
- Instead of a sequence number, other information like time-stamps, timing differences or information from lower protocol layers can be used in the data packets. This can prove much difficult for the attackers to guess and perform such attacks.
- We can configure the router or firewall not to allow packets to come in from external sources with having an internal IP address. Though this may not completely fix the attacks, but it can prevent the attacks to a great extent.
So, be informed about the most common threats and stay safe, stay secured.