
TCP sequence prediction attack

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by 220.248.23.82 (talk) at 08:05, 14 December 2009 (External links). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

A TCP sequence prediction attack is an attempt to predict the sequence number used to identify the packets in a TCP connection, which can be used to counterfeit packets.

The attacker hopes to correctly guess the sequence number to be used by the sending host. If they can do this, they will be able to send counterfeit packets to the receiving host that appear to it to originate from the sending host, even though the counterfeit packets may in fact originate from some third host controlled by the attacker.

If an attacker can cause delivery of counterfeit packets of this sort, they may be able to cause various sorts of mischief, including injecting data of the attacker's choosing into an existing TCP connection and prematurely closing an existing TCP connection by injecting counterfeit packets with the FIN bit set.

Theoretically, other information such as timing differences or information from lower protocol layers could allow the receiving host to distinguish authentic TCP packets sent by the sending host from counterfeit TCP packets with the correct sequence number sent by the attacker.

If such other information is available to the receiving host, if the attacker cannot also fake that other information, and if the receiving host gathers and uses the information correctly, then the receiving host may be fairly immune to TCP sequence prediction attacks. Usually this is not the case, so the TCP sequence number is the primary means of protection of TCP traffic against these types of attack.
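Because protection rests on the sequence number being hard to guess, a defender can audit that property on their own hosts. The following is an added example, not part of the original article: it takes initial sequence numbers (ISNs) collected from a server's replies and measures how often a naive "previous value plus previous increment" forecast lands near the next one. The sample values, function names and the 65535 tolerance are constructed assumptions.

```python
import random

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, taken modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def forecast_misses(isns):
    """Circular distance between each observed ISN and the naive forecast
    'previous ISN + previous delta'. Wrap-around at 2**32 is handled."""
    misses = []
    for a, b, c in zip(isns, isns[1:], isns[2:]):
        forecast = (b + (b - a)) % MOD
        d = (c - forecast) % MOD
        misses.append(min(d, MOD - d))
    return misses


def audit(isns, tolerance=65535):
    """Classify a sample of ISNs from one host.

    `tolerance` is an assumed threshold (a 16-bit window's worth of sequence
    space). If the forecast lands that close on most samples, the sequence
    number gives little protection against counterfeit packets.
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISNs to test a forecast")
    misses = forecast_misses(isns)
    hit_rate = sum(m <= tolerance for m in misses) / len(misses)
    return {
        "distinct_deltas": len(set(isn_deltas(isns))),
        "hit_rate": hit_rate,
        "verdict": "predictable" if hit_rate > 0.5 else "unpredictable",
    }


# Constructed sample 1: a generator that adds a fixed step per connection.
# The start value is chosen so the series wraps past 2**32.
COUNTER_ISNS = [(4294900000 + 64000 * i) % MOD for i in range(12)]

# Constructed sample 2: stand-in for a well-randomised stack. The seeded PRNG
# only makes the sample reproducible; it is not a way to generate real ISNs.
_rng = random.Random(2009)
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(12)]
```

A "predictable" verdict on real captures means the host's sequence numbers should not be relied on as the protection the article describes.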

See also