TCP Sequence Prediction

TCP sequence prediction is an attack on a TCP session: the attacker injects packets that appear to come from one of the two hosts in the session. For the target to accept those packets, they must carry the sequence number it expects, so the attacker has to guess (predict) that number.

What is TCP?

TCP is the transport-layer protocol (layer 4 of the OSI model) that provides reliable, ordered delivery of a byte stream between two hosts. Data is split into segments, and each segment carries a 32-bit sequence number; the receiver uses it to put segments back in order, discard duplicates and acknowledge what has arrived. A segment is only accepted into a connection if its sequence number falls within the window the receiver currently expects, which is what makes the sequence number the thing an attacker has to predict.

TCP Attack

First, observe the traffic between two systems, one of which is your target; this is the essential step of a TCP sequence prediction attack. Then send packets from your own machine to the target with a forged source address: the IP address of a host the target trusts.

The forged packets must carry the exact sequence number the target expects, and they must arrive before the legitimate host's own packets do. Because the target's replies (including the SYN-ACK that carries its initial sequence number) go to the trusted host rather than to you, you are attacking blind: you have to predict the sequence number from earlier observations, and you have to keep the trusted host from answering. That is done by flooding it with a denial-of-service attack (a SYN flood, for example) so that it cannot send the RST that would otherwise tear down the spoofed connection.

Why Do TCP Sequence Predictions Happen?

When a new connection is created, an ISN (Initial Sequence Number) generator selects a fresh 32-bit ISN. RFC 793 recommends binding the generator to a 32-bit clock whose low-order bit is incremented roughly every 4 microseconds, so the ISN space cycles about every 4.55 hours. Because the MSL (Maximum Segment Lifetime) is far shorter than 4.55 hours, any old segment will have expired before the ISN wraps, so an ISN is unique among the segments that can still be in the network. The recommendation is about uniqueness, not secrecy: a clock-driven ISN is still easy to extrapolate.

The BSD Unix TCP/IP implementation deviated from this recommendation. The 4.2BSD stack advanced its ISN counter by 128,000 every second and by 64,000 for each new TCP connection. An attacker who has seen one ISN (for example, by opening a legitimate connection to the target) can therefore compute the ISN the target will hand out for the next connection, which makes the sequence number predictable.
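The observe, spoof and predict steps above and the BSD increment rule, as an added simulation in Python (not code from the original article). The target, attacker and ISN generators are constructed models: `BsdIsn` reproduces the 4.2BSD counter, `Rfc6528Isn` adds a keyed hash of the connection 4-tuple the way RFC 6528 describes, and the addresses, ports, seed and timings are made up for the demonstration.

```python
"""TCP sequence prediction, simulated end to end.

Added example, not code from the original article. It models a target host
whose ISN generator follows the 4.2BSD rule (+128,000 per second, +64,000
per connection), walks through the observe / spoof / predict steps of the
attack, and contrasts an RFC 6528 style generator. All class, function and
host names are illustrative; the addresses and timings are constructed.
"""
import hashlib

MOD = 2 ** 32


class BsdIsn:
    """4.2BSD style ISN counter: +128000 each second, +64000 each connection."""

    def __init__(self, seed=0):
        self.counter = seed % MOD
        self.last_tick = 0  # integer seconds at which the timer last advanced us

    def next_isn(self, now, _conn):
        self.counter = (self.counter + 128_000 * (now - self.last_tick)) % MOD
        self.last_tick = now
        isn = self.counter
        self.counter = (self.counter + 64_000) % MOD
        return isn


class Rfc6528Isn:
    """ISN = M + F(4-tuple, secret): a 4 us clock plus a keyed hash per connection."""

    def __init__(self, secret):
        self.secret = secret  # constructed secret; a real stack picks it at boot

    def next_isn(self, now, conn):
        m = (now * 250_000) % MOD  # one tick per 4 us, wraps every 4.55 hours
        f = hashlib.sha256(self.secret + repr(conn).encode()).digest()[:4]
        return (m + int.from_bytes(f, "big")) % MOD


class Target:
    """Minimal 3-way handshake state; conn is (src_ip, src_port, dst_ip, dst_port)."""

    def __init__(self, isn_gen):
        self.gen = isn_gen
        self.half_open = {}  # conn -> ISN we put in the SYN-ACK
        self.established = set()

    def syn(self, conn, now):
        """Receive a SYN; return the ISN carried by the SYN-ACK sent to conn[0]."""
        isn = self.gen.next_isn(now, conn)
        self.half_open[conn] = isn
        return isn

    def ack(self, conn, ack_num):
        """Receive the final ACK; accept only if it acknowledges our ISN + 1."""
        isn = self.half_open.get(conn)
        if isn is not None and ack_num == (isn + 1) % MOD:
            self.established.add(conn)
            return True
        return False


def sequence_prediction_attack(target, attacker_ip, trusted_ip, target_ip, t0, t1):
    """Run the attack; return True if the spoofed connection is accepted.

    1. Observe: a legitimate connection from the attacker's own address at
       time t0 reveals the target's current ISN in the SYN-ACK.
    2. Spoof: at time t1 send a SYN whose source is the trusted host. The
       SYN-ACK is addressed to the trusted host; the attacker never sees it
       and assumes the trusted host has been flooded so it sends no RST.
    3. Predict: extrapolate the ISN with the BSD rule (one connection and
       t1 - t0 seconds later) and send the final ACK blind.
    """
    probe = (attacker_ip, 40_000, target_ip, 513)  # port 513 (rlogin) is illustrative
    observed = target.syn(probe, t0)
    target.ack(probe, (observed + 1) % MOD)  # complete the probe connection normally

    spoofed = (trusted_ip, 1_023, target_ip, 513)
    target.syn(spoofed, t1)  # reply goes to trusted_ip, not to the attacker
    predicted = (observed + 64_000 + 128_000 * (t1 - t0)) % MOD
    return target.ack(spoofed, (predicted + 1) % MOD)


if __name__ == "__main__":
    args = ("198.51.100.66", "192.0.2.5", "192.0.2.1", 100, 103)
    print("BSD ISN, spoofed connection accepted:",
          sequence_prediction_attack(Target(BsdIsn(seed=12_345)), *args))
    print("RFC 6528 ISN, spoofed connection accepted:",
          sequence_prediction_attack(Target(Rfc6528Isn(b"constructed-secret")), *args))
```

Against `BsdIsn` the blind ACK lands exactly on the target's ISN + 1 and the spoofed connection opens; against `Rfc6528Isn` the same extrapolation fails, because the hash term differs for every 4-tuple and the attacker's own connection tells it nothing about the ISN of the spoofed one.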

Can TCP Sequence Prediction be Avoided?

Yes. A properly configured router or firewall can stop the attack by dropping packets that arrive on an external interface with an internal (or otherwise trusted) source IP address, which is exactly what a spoofed packet looks like. This is known as ingress, or anti-spoofing, filtering.

These mechanisms do not fix the underlying weakness, the predictable sequence number, but they keep the spoofed packets from reaching their target. The fix for the weakness itself is to make ISNs unpredictable; modern stacks do this by adding a keyed hash of the connection's addresses and ports to the clock value (the method standardized in RFC 6528), so that observing the ISN of one connection says nothing useful about the ISN of another.