TCP Sequence Numbers: A client machine sends a SYN segment to the host machine every time it wants to establish a new connection with it. The host machine then replies with a SYN/ACK carrying a special identification number called the Initial Sequence Number (ISN). Both the client machine and the host machine exchange such sequence numbers (SQN) for error checking and reporting. RFC 793 specifies that the generation of a SQN be bound to a 32-bit clock which increments every 4 microseconds (i.e. 250,000 per second). Based on this timer the ISN will cycle once every 4.55 hours. Since the TTL for packets is much less than 4.55 hours, this ensures that there are no delayed segments still on the network carrying the same SQNs.
Predicting TCP Sequence Numbers: Despite these guidelines, the majority of TCP implementations increment the SQN by a constant every second, and by another constant for each new connection. (The SQN is incremented by 128,000 per second and by 64,000 for each new connection.) Therefore, once you open a connection to a computer, you can determine with a high degree of confidence what the next connection's sequence number will be.

Thus when an attacker A sends a SYN to the victim server B requesting a new connection, it also sends its own ISN. The server then replies with a SYN/ACK carrying its own ISN, which is 128,000 or more higher than the ISN it used for the previous connection.
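The following is an added example, not code from the original page: a small audit script a defender can run over ISNs collected from successive connections to their own server, to see whether the server's sequence numbers follow the constant-increment behaviour described above (and are therefore predictable) or look random. The constructed sample generator `legacy_isns` models the page's figures of 128,000 per second and 64,000 per connection; the "random" sample values are made up for the demonstration.

```python
SEQ_MODULUS = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def isn_deltas(isns):
    """Differences between consecutive ISNs, reduced modulo 2^32 so wrap-around is handled."""
    return [(b - a) % SEQ_MODULUS for a, b in zip(isns, isns[1:])]

def isn_predictable(isns, tolerance=0):
    """Return True when every delta is within `tolerance` of the first delta.

    A constant (or nearly constant) step between ISNs means the next ISN can be
    guessed from the previous one; widely varying deltas suggest a random generator.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        return False  # not enough samples to judge
    first = deltas[0]
    return all(abs(d - first) <= tolerance for d in deltas)

def legacy_isns(start, open_times, per_second=128000, per_connection=64000):
    """Constructed model of the old-style ISN generator the text describes.

    `open_times` are the seconds (relative to the first connection) at which each
    connection was opened. The i-th ISN is start + per_second * t_i + per_connection * i.
    """
    return [(start + int(per_second * t) + per_connection * i) % SEQ_MODULUS
            for i, t in enumerate(open_times)]

# Constructed sample of ISNs with no obvious structure, as a random generator would give.
RANDOM_LIKE_ISNS = [0x7A3F19C2, 0x1C88D0E5, 0xE04B2A77, 0x55F1C390, 0x9B02EE14]

def audit(isns, label):
    """Print the deltas and a verdict for one set of samples."""
    verdict = "PREDICTABLE" if isn_predictable(isns) else "not obviously predictable"
    print(f"{label}: deltas={isn_deltas(isns)} -> {verdict}")

if __name__ == "__main__":
    # Four connections opened half a second apart; the start value is chosen
    # close to 2^32 so the wrap-around is exercised.
    audit(legacy_isns(4_294_900_000, [0, 0.5, 1.0, 1.5]), "legacy generator")
    audit(RANDOM_LIKE_ISNS, "random-like samples")
```

Each half-second gap contributes 64,000 from the per-second clock plus 64,000 for the new connection, so the legacy samples show a constant delta of 128,000 even across the 32-bit wrap, while the random-like samples do not.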

Blind Spoofing: Using the previously mentioned technique for predicting TCP sequence numbers, it is possible to hijack a connection by:
  1. DoS Server B through SYN flooding or another method
  2. Spoof B's IP address and talk to host C
Since Server B has already been overloaded, Host C will not know that it is talking to an attacker impersonating Server B.

[Figure: blindspoofing.gif, diagram of the blind spoofing attack]

The question remains, "Why don't computers realize that the IP address is spoofed?" The answer lies in what information is carried by the TCP segment and what is carried by the IP packet. Since TCP is connection-oriented, it carries only the Sequence Number and not the IP address. The IP packet, on the other hand, carries only the IP address and not the Sequence Number. Since the attacker already knows the IP address of the victim server, he predicts the SQN and spoofs the trusted host. Since the first victim (Server B) has been DoSed, it will not resume communications with Host C, and therefore the target (Host C) is blind to the fact that it is speaking with the wrong computer.

Non-Blind Spoofing: The principle remains the same as in blind spoofing, except that the attacker is located on the same subnet as the victim. These attacks are considered much easier than blind spoofing, since the attacker can get the necessary information simply by sniffing packets on the network and does not have to do any calculations to predict the sequence numbers of the machines.

Detecting IP spoofing: By looking at the source address and the destination address fields of a packet, a firewall may be able to determine whether the addresses are spoofed. It uses simple logic, expressed in the following conditions:
  • An incoming packet cannot have a source address that belongs to the internal network.
  • An outgoing packet cannot have a source address that does not belong to the internal network.
  • A packet leaving or entering through a firewall cannot have the same source and destination address.
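As an added example that is not part of the original page, the three conditions above can be turned into a small anti-spoofing filter. The internal network range (10.0.0.0/8), the packet tuples and the direction labels are all constructed for the demonstration; a real firewall would apply the same tests to the IP header of every packet crossing the interface.

```python
import ipaddress

# Assumed internal address range for the demonstration.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

def check_spoofing(src, dst, direction, internal_net=INTERNAL_NET):
    """Apply the three anti-spoofing conditions to one packet.

    `direction` is "in" (entering the internal network) or "out" (leaving it).
    Returns None if the packet passes, otherwise a string naming the violated rule.
    """
    if direction not in ("in", "out"):
        raise ValueError(f"unknown direction: {direction!r}")
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    # Rule 3: a packet may never carry the same source and destination address.
    if src_ip == dst_ip:
        return "same source and destination address"

    src_internal = src_ip in internal_net
    # Rule 1: an incoming packet cannot claim an internal source address.
    if direction == "in" and src_internal:
        return "incoming packet claims an internal source address"
    # Rule 2: an outgoing packet must carry an internal source address.
    if direction == "out" and not src_internal:
        return "outgoing packet carries a non-internal source address"
    return None

def filter_packets(packets, internal_net=INTERNAL_NET):
    """Classify a list of (src, dst, direction) tuples as 'allow' or 'drop' with a reason."""
    results = []
    for src, dst, direction in packets:
        reason = check_spoofing(src, dst, direction, internal_net)
        results.append((src, dst, direction, "drop" if reason else "allow", reason))
    return results

# Constructed sample traffic; documentation ranges (TEST-NET) stand in for external hosts.
SAMPLE_PACKETS = [
    ("203.0.113.5", "10.1.2.3", "in"),     # ordinary inbound packet
    ("10.1.2.3", "203.0.113.5", "out"),    # ordinary outbound packet
    ("10.9.9.9", "10.1.2.3", "in"),        # arrives from outside but claims an internal source
    ("192.0.2.77", "203.0.113.5", "out"),  # leaves the network with a foreign source address
    ("10.1.2.3", "10.1.2.3", "in"),        # source equals destination
]

if __name__ == "__main__":
    for src, dst, direction, verdict, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{direction:>3} {src:>13} -> {dst:<13} {verdict}" + (f" ({reason})" if reason else ""))
```

The first two packets are allowed; the remaining three are dropped, each with the rule it violated. Note that these rules only catch addresses that are impossible for the interface they arrive on: a packet spoofing one external address while arriving from another external network passes all three checks, which is why the page's earlier discussion of sequence number prediction still matters.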

Copyright © 2006 Vikram Phatak. All rights reserved.