Internet Security Systems

TCP


In order to complete a TCP connection, a hacker must be able to see the server's responses. This is because the server sends the hacker its "Initial Sequence Number (ISN)", which must be used in all of the subsequent packets sent to the server. Therefore, in theory, blind IP spoofing will not work with TCP.

The problem is that many machines use predictable ISNs. Therefore, a hacker can connect to the machine, find the current ISN, then predict what the ISN will likely be in the subsequent connection.

For example, some systems simply add 64k to the ISN of a previous connection, so a hacker can connect once, then add 64k to the spoofed connection.
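The predictability described above can be checked on hosts you administer by recording the ISN from several successive connections and looking at the differences between them. The following is an added example, not part of the original page; the function names are hypothetical and the sample ISN values are constructed.

```python
from collections import Counter

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def assess_isns(isns, min_samples=4, dominant_share=0.8):
    """Classify ISNs sampled from successive connections to one host.

    Returns (verdict, detail):
      'constant-increment' -> one delta dominates; detail is that delta
      'no-fixed-step'      -> no dominant delta; detail is the number of
                              distinct deltas (not proof of randomness)
      'insufficient-data'  -> too few samples; detail is the sample count
    """
    if len(isns) < min_samples:
        return ("insufficient-data", len(isns))
    deltas = isn_deltas(isns)
    delta, count = Counter(deltas).most_common(1)[0]
    if count / len(deltas) >= dominant_share:
        return ("constant-increment", delta)
    return ("no-fixed-step", len(set(deltas)))


# Constructed sample: a stack that adds 64k per connection, crossing
# the 32-bit wrap so the modulo arithmetic is exercised.
WEAK_SAMPLE = [(0xFFFE0000 + i * 65536) % MOD for i in range(6)]

# Constructed sample: ISNs with no fixed step between connections.
VARIED_SAMPLE = [0x1A2B3C4D, 0x9F00E211, 0x03C4D5E6,
                 0x77F1A0B2, 0xC0FFEE01, 0x5D3E2F10]

if __name__ == "__main__":
    print("weak  :", assess_isns(WEAK_SAMPLE))
    print("varied:", assess_isns(VARIED_SAMPLE))
```

A `no-fixed-step` result only rules out the simple fixed-increment pattern; it does not show that the ISNs are unpredictable.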
