TCP sequence prediction attack
TCP sequence prediction attack
Main page
T

TCP sequence prediction attack

logo
Community Hub0 subscribers
Read side by side
TCP sequence prediction attack
View on Wikipedia
from Wikipedia

A TCP sequence prediction attack is an attempt to predict the sequence number used to identify the packets in a TCP connection, which can be used to counterfeit packets.[1]

The attacker hopes to correctly guess the sequence number to be used by the sending host. If they can do this, they will be able to send counterfeit packets to the receiving host which will seem to originate from the sending host, even though the counterfeit packets may in fact originate from some third host controlled by the attacker. One possible way for this to occur is for the attacker to listen to the conversation occurring between the trusted hosts, and then to issue packets using the same source IP address. By monitoring the traffic before an attack is mounted, the malicious host can figure out the correct sequence number. After the IP address and the correct sequence number are known, it is basically a race between the attacker and the trusted host to get the correct packet sent. One common way for the attacker to send it first is to launch another attack on the trusted host, such as a denial-of-service attack. Once the attacker has control over the connection, they are able to send counterfeit packets without getting a response.[2]

If an attacker can cause delivery of counterfeit packets of this sort, they may be able to cause various sorts of mischief, including the injection into an existing TCP connection of data of the attacker's choosing, and the premature closure of an existing TCP connection by the injection of counterfeit packets with the RST bit set, a TCP reset attack.

Theoretically, other information such as timing differences or information from lower protocol layers could allow the receiving host to distinguish authentic TCP packets from the sending host and counterfeit TCP packets with the correct sequence number sent by the attacker. If such other information is available to the receiving host, if the attacker can also fake that other information, and if the receiving host gathers and uses the information correctly, then the receiving host may be fairly immune to TCP sequence prediction attacks. Usually, this is not the case, so the TCP sequence number is the primary means of protection of TCP traffic against these types of attack.

Another solution to this type of attack is to configure any router or firewall to not allow packets to come in from an external source but with an internal IP address. Although this does not fix the attack, it will prevent the potential attacks from reaching their targets.[2]

See also

[edit]

References

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

TCP sequence prediction attack

View on Grokipedia
from Grokipedia
A TCP sequence prediction attack is a network security exploit that allows an off-path attacker to hijack or inject packets into an established TCP connection by accurately guessing the sequence numbers used to order data packets.[1] These attacks target the Transmission Control Protocol (TCP), which relies on 32-bit sequence numbers to ensure reliable data delivery, starting from an Initial Sequence Number (ISN) chosen at connection setup.[1] By predicting these numbers, attackers can spoof packets appearing to originate from a trusted host, bypassing authentication mechanisms in trust-based systems.[2] The vulnerability was first systematically described in 1985 by Robert T. Morris, who identified weaknesses in the 4.2BSD Unix TCP/IP implementation where ISNs were generated predictably, incrementing by fixed amounts based on time and connection attempts.[2] This predictability enabled remote attackers to masquerade as trusted hosts and execute unauthorized commands, such as appending trusted entries to .rhosts files for passwordless access via services like rsh.[2] The attack gained widespread notoriety in December 1994 when hacker Kevin Mitnick reportedly used it against systems owned by Tsutomu Shimomura, spoofing connections to a diskless workstation by probing for sequence number patterns and injecting commands within seconds.[3] To execute such an attack, the adversary typically monitors or probes traffic to infer ISN generation patterns, then sends forged SYN packets with predicted sequence numbers while performing a denial-of-service on the legitimate host to prevent conflicting responses.[1] Success requires knowledge of the connection's four-tuple (source/destination IP and ports) and exploits non-random ISN algorithms, such as those in early RFC 793 implementations that cycled predictably every 4.55 hours.[1] Historical analyses of operating systems, such as Windows 95, revealed prediction feasibility rates exceeding 90% due to weak pseudorandom number generators.[4] Modern TCP implementations have largely mitigated these risks through cryptographically secure ISN generation, as standardized in RFC 6528, which recommends using a pseudorandom function incorporating connection details and a secret key to produce unpredictable values.[1] However, as of 2025, gaps in RFC implementation persist in some systems, potentially leaving them vulnerable.[5] Despite these advances, legacy systems or misconfigured networks remain vulnerable, underscoring the importance of regular updates.[6]

TCP Fundamentals

Sequence Numbers in TCP

Transmission Control Protocol (TCP) employs 32-bit sequence numbers to manage the reliable delivery of data across a connection-oriented network. These sequence numbers, which range from 0 to 2^{32} - 1 and wrap around using modulo arithmetic, assign a unique identifier to every byte of data transmitted. This mechanism enables the receiver to order incoming packets correctly, acknowledge the receipt of specific bytes, and detect issues such as duplicates, losses, or out-of-order arrivals.[7] During the TCP three-way handshake, sequence numbers are initially established to synchronize the endpoints. The client initiates the connection by sending a SYN segment containing its Initial Sequence Number (ISN) as the sequence number (SEQ). The server responds with a SYN-ACK segment, which includes its own ISN as SEQ and acknowledges the client's ISN by incrementing it by 1 (ACK = client's ISN + 1). Finally, the client sends an ACK segment with SEQ equal to its ISN + 1 and ACK equal to the server's ISN + 1, confirming the synchronization. This process ensures both sides agree on the starting point for their respective byte streams.[8] In ongoing data transmission, sequence numbers track the position of data within the byte stream. Each TCP segment's SEQ field specifies the sequence number of its first data byte, allowing the receiver to reconstruct the original stream by reassembling segments in order. Acknowledgments are cumulative: an ACK value of X indicates that all bytes up to but not including X have been successfully received and buffered. The sender advances its next sequence number (SND.NXT) after transmitting data and uses the oldest unacknowledged sequence number (SND.UNA) to manage the send window, ensuring flow control and reliability.[7] For illustration, consider a simple connection where the client selects an ISN of 1000:
  • Client → Server: SEQ=1000, SYN
  • Server → Client: SEQ=3000, ACK=1001, SYN-ACK
  • Client → Server: SEQ=1001, ACK=3001, ACK
Subsequent data segments from the client would continue with SEQ=1001 for the first byte, incrementing thereafter based on the payload size, while ACKs confirm progress in the stream.[8]

Initial Sequence Number Selection

In the original TCP specification outlined in RFC 793, the initial sequence number (ISN) serves a critical purpose: to ensure that sequence numbers for a new connection are sufficiently distant from those of any prior connection using the same port pair, thereby preventing the acceptance of old or duplicate packets that could confuse the protocol state machine. This mechanism addresses potential issues arising from network delays or system crashes, where lingering packets from terminated sessions might otherwise be misinterpreted as valid. To achieve this, each TCP endpoint selects its own ISN independently at the start of a connection, which becomes the starting point for all subsequent sequence numbers in that direction.[9] RFC 793 recommends generating the ISN using a 32-bit clock-based mechanism to promote uniqueness over time. Specifically, the ISN generator is tied to a 32-bit clock whose least significant bit increments roughly every 4 microseconds, resulting in the full sequence space wrapping around approximately every 4.55 hours, as specified in the RFC (a literal calculation using exactly 4 microseconds per tick yields about 4.77 hours). This design aims to provide a degree of randomness and progression. However, the relatively slow tick rate and deterministic nature of the clock make the ISN somewhat predictable if an attacker can observe or estimate the system's timing.[9] Early TCP implementations often deviated from this ideal, introducing even greater predictability in ISN selection. For instance, the 4.2BSD Unix TCP/IP stack employed a global ISN counter that incremented linearly: by 128 (or 272^7) every second of system uptime and by an additional 64 after each new connection initiation. This approach, while simple, exacerbated vulnerability to prediction, as the ISN for a new connection could be estimated by monitoring prior connections and applying the fixed increments. Other early systems similarly relied on fixed starting values or purely linear progressions without sufficient randomization, further compromising the intended protections of the RFC.

Attack Mechanism

Predicting Sequence Numbers

In a TCP sequence prediction attack targeting an ongoing session, the off-path attacker predicts the sequence numbers based on known vulnerabilities in the target's TCP implementation, such as predictable Initial Sequence Number (ISN) generation algorithms or patterns inferred from probing the system.[1] Attackers may establish probe connections to the target host to observe ISN values and model the generation process, for example, by noting time-based increments without accessing the actual session traffic.[10] Prediction methods rely on exploiting predictable patterns in vulnerable TCP implementations, such as those deriving sequence numbers from system clocks. In early systems like 4.2BSD Unix, sequence numbers incremented linearly by a fixed amount—typically 128 per second plus 64 per new connection—enabling attackers to estimate future numbers by observing probe values and applying the known offset.[10] More generally, attackers guess based on clock-derived increments, adding time-based offsets (e.g., microseconds since boot) or assuming linear progression in flawed generators that lack sufficient randomness.[11] Key challenges include sequence number wrapping, where the 32-bit field overflows after reaching 4,294,967,295, potentially disrupting predictions if the session spans the wrap point.[9] Variable increments further complicate accuracy, as retransmissions, packet delays, or out-of-order delivery can alter the expected progression beyond simple linear estimates.[1] Success depends on low network latency to enable real-time prediction and injection, minimizing the gap between prediction and action. For instance, using data from probes, the attacker can predict the current sequence number by adding estimated increments based on elapsed time and connection activity to a baseline ISN value. This approach succeeds in vulnerable systems where patterns remain consistent, but modern randomized implementations render it ineffective.[11]

Session Hijacking via Injection

Once the attacker has successfully predicted the TCP sequence numbers for an ongoing session, the hijacking proceeds by injecting forged packets that exploit the legitimacy checks based on these numbers. The attacker injects forged packets using the predicted sequence number (SEQ), the estimated acknowledgment number (ACK), and the legitimate source IP address and port to impersonate the sender. For instance, a data packet carrying malicious payload—such as commands in a telnet session—can be injected directly into the stream. The packet includes the attacker's controlled payload while maintaining TCP header details like flags (e.g., PSH/ACK) and the predicted SEQ to pass validation; upon receipt, the receiver accepts it as valid if the SEQ falls within the current window, effectively incorporating the injected content.[12][2] The attack culminates in the receiver processing the injected payload, leading to outcomes such as session takeover. In vulnerable services like telnet or rlogin, this enables command injection, allowing the attacker to execute arbitrary instructions on the target host as if from the legitimate user, or to manipulate data flows, such as redirecting traffic or altering session state. For example, injecting a command like "whoami" in a shell session could reveal user privileges, escalating the compromise.[1][2] However, the attack has inherent limitations that constrain its feasibility. It requires the attacker to have network visibility or routing that allows spoofed packets to reach the target without being filtered, often necessitating proximity to the same subnet or control over intervening routers. Additionally, if the predicted SEQ deviates from the actual value by more than the receiver's current window size—typically 1 to 65,535 bytes—the forged packet will be rejected as out-of-sequence, rendering the injection ineffective.[1][12]

Historical Context

Early Vulnerabilities

The Transmission Control Protocol (TCP) was introduced as part of the TCP/IP protocol suite in the 4.2BSD release in August 1983, marking a significant milestone in the development of the ARPANET and early internetworking.[13] This implementation, derived from the specifications in RFC 793 published in 1981, established TCP as a reliable transport protocol but contained inherent design and implementation flaws that exposed it to sequence prediction attacks.[14] Initial vulnerabilities became evident shortly after deployment, with the first detailed analysis appearing in 1985. This vulnerability was further analyzed publicly by Steve Bellovin in his 1989 paper, which described sequence number spoofing in conjunction with IP spoofing.[12] A primary flaw stemmed from the predictable generation of Initial Sequence Numbers (ISNs) in early TCP implementations. According to RFC 793, ISNs were intended to be selected from a clock-driven 32-bit counter that incremented approximately every 4 microseconds, cycling every 4.55 hours to ensure uniqueness across connection incarnations.[14] However, the 4.2BSD implementation rendered this mechanism highly predictable by incrementing the global ISN by 128 units every second and by an additional 64 units after each new connection was established, allowing an attacker to observe ongoing traffic and compute future ISNs with relative ease.[10] This lack of randomization meant that sequence numbers for new connections could be guessed accurately, especially given the small size of the receiver's window—typically ranging from 1 KB to 32 KB in early systems, such as the default 2 KB receive buffer in 4.2BSD—which limited the range of acceptable sequence numbers and increased the likelihood of successful injection.[10][15] These vulnerabilities affected early UNIX variants, particularly 4.2BSD and subsequent releases up to the early 1990s, which were widely adopted in academic, research, and defense networks.[10] Systems running these implementations, including those at Bell Labs and U.S. Department of Defense sites, relied solely on sequence numbers for data integrity and connection validation, without any cryptographic protections or additional authentication mechanisms in the protocol design.[14] As noted by Robert Morris in his 1985 technical report, this dependence on guessable sequence numbers enabled off-path attackers to forge packets and hijack sessions, highlighting a fundamental weakness in the trust model of early TCP.[10]

Notable Exploits

One of the earliest notable demonstrations of a TCP sequence prediction attack was detailed by Robert T. Morris in his 1985 paper on vulnerabilities in the 4.2BSD Unix TCP/IP implementation. Morris illustrated how the predictable generation of initial sequence numbers (ISNs) allowed an off-path attacker to forge packets and hijack ongoing sessions by guessing the next expected sequence number with high probability after observing prior connections from the target host.[10] This proof-of-concept highlighted the potential for session hijacking without direct network access, establishing the foundational risks of non-random ISNs. In the 1990s, hacker Kevin Mitnick applied TCP sequence prediction techniques to hijack sessions in networks including DECNET, most famously during his 1994 intrusion into Tsutomu Shimomura's systems. By combining IP spoofing with accurate prediction of sequence numbers, Mitnick gained unauthorized access to workstations, demonstrating the attack's real-world viability against production environments without on-path presence.[16] This exploit, part of Mitnick's broader activities, evaded detection long enough to steal proprietary software and data, amplifying concerns over TCP's authentication weaknesses. Early proof-of-concept tools emerged in the mid-1990s to test and demonstrate sequence prediction vulnerabilities, such as a 1995 implementation shared on the Bugtraq mailing list that achieved high success rates on systems with linear or incremental ISN generators by brute-forcing guesses during connection establishment.[17] These tools, often scripted in C or Perl, targeted legacy Unix variants and revealed that many deployed systems remained susceptible, with prediction difficulty varying based on ISN algorithms. The exploits collectively drove widespread awareness, as documented in academic literature and CERT advisories, which quantified risks like session hijacking probabilities and urged protocol improvements to prevent off-path attacks.[18]

Defenses and Mitigations

Randomization of ISNs

To mitigate TCP sequence prediction attacks, the randomization of Initial Sequence Numbers (ISNs) emerged as a core defense mechanism, evolving through IETF standards to ensure unpredictability. In 1996, RFC 1948 proposed an initial approach using a combination of a fine-grained timer (advancing every 4 microseconds) and a cryptographic hash function applied to the connection tuple (source and destination IP addresses and ports) along with a secret value, aiming to produce ISNs that resist guessing by off-path attackers.[11] This time-based randomization sought to avoid the predictable increments used in earlier TCP implementations, such as those incrementing by a fixed value per connection or time unit. By 2012, RFC 6528 advanced this to standards track status, mandating a cryptographically secure pseudorandom function (PRF) for ISN generation—typically MD5 or a stronger hash like SHA-1—incorporating the same connection details plus a periodically refreshed secret key (at least 128 bits) and the timer offset, thereby formalizing robust protection against sequence number inference.[1] Modern TCP implementations in operating systems have adopted these standards using per-connection cryptographic computations to derive 32-bit ISNs from larger internal states, ensuring high entropy without maintaining connection-specific state. For instance, the Linux kernel has employed hash-based ISN generation since version 2.6.12 (released in 2005), leveraging functions like secure_tcp_seq that apply a keyed hash (initially MD5-based, later upgraded to SipHash for efficiency) over the connection parameters and system secrets, often combined with a 64-bit monotonic counter to prevent reuse across rapid connections.[19] Similarly, Microsoft Windows implementations from Windows Vista (2007) onward integrate strong randomization using per-connection hashing mechanisms, aligning with RFC 6528 guidelines to produce unpredictable ISNs.[20] These approaches typically reseed secrets on boot or at intervals, balancing security with performance in high-throughput environments. The effectiveness of ISN randomization lies in expanding the prediction space to the full 32-bit range of TCP sequence numbers, reducing the success probability of blind guessing to approximately 1 in 4.29 billion (2^{32}), which effectively thwarts off-path injection attacks by making valid sequence prediction computationally infeasible without observing prior traffic. This is exemplified by the common formula for ISN computation:
ISN=(SHA-1(source_IP,dest_IP,source_port,dest_port,secret)mod232)+timestamp_offset \text{ISN} = \left( \text{SHA-1}(\text{source\_IP}, \text{dest\_IP}, \text{source\_port}, \text{dest\_port}, \text{secret}) \mod 2^{32} \right) + \text{timestamp\_offset}
where the timestamp_offset is a low-resolution timer (e.g., advancing every 4 microseconds) to ensure monotonicity and avoid duplicates, and the secret is a system-wide key changed periodically.[1] Empirical assessments confirm that such methods eliminate predictable patterns.[1]

Additional Security Measures

TCP includes a mandatory 16-bit checksum in its header, computed over the header, payload, and a pseudo-header including IP addresses, which detects transmission errors and forged packets by ensuring the integrity of received segments.[21] This mechanism provides basic protection against sequence prediction attacks, as an attacker forging packets with incorrect sequence numbers would need to compute a valid checksum, though it is vulnerable to off-path attacks if the attacker can guess or spoof necessary details.[22] To enhance authentication beyond the standard checksum, the TCP MD5 Signature Option (TCP-MD5), defined in RFC 2385, appends an MD5 digest to TCP segments using a shared secret key, verifying the authenticity of packets and preventing injection of forged segments with predicted sequence numbers.[23] However, due to vulnerabilities like key management issues and collision attacks on MD5, TCP-MD5 has been deprecated in favor of the TCP Authentication Option (TCP-AO), specified in RFC 5925 and RFC 5926, which supports stronger cryptographic algorithms such as HMAC-SHA-1 for integrity and authentication, offering robust defense against spoofing and hijacking attempts.[24][25] At the upper layers, protocols like Transport Layer Security (TLS) provide comprehensive protection by encrypting the entire TCP payload and authenticating the session, making sequence number hijacking ineffective without compromising the cryptographic keys, as injected packets would lack valid encryption or integrity checks. Network-level mitigations include stateful firewalls, which track the full context of TCP connections—including sequence numbers, acknowledgments, and flags—to validate incoming packets against established session states, dropping those with anomalous sequence numbers indicative of hijacking.[26] Additionally, SYN cookies mitigate related denial-of-service attacks that exploit sequence predictability during connection setup by encoding state in the initial SYN-ACK response, avoiding server resource allocation for spoofed SYNs without revealing full sequence details.[27] Monitoring tools such as intrusion detection systems (IDS) further bolster defenses; for instance, Snort's stream preprocessor detects TCP anomalies like data on SYN packets or sequence numbers outside the expected window, generating alerts for potential prediction-based attacks through customizable rules.

References

  1. RFC 6528 - Defending against Sequence Number Attacks
  2. [PDF] A Weakness in the 4.2BSD Unix TCP/IP Software
  3. Tsutomu Shimomura's post showing logs of an actual attack
  4. Strange Attractors and TCP/IP Sequence Number Analysis
  5. What Is an Initial Sequence Number (ISN)? TCP Security Guide
  6. https://datatracker.ietf.org/doc/html/rfc793#section-3.3
  7. https://datatracker.ietf.org/doc/html/rfc793#section-3.4
  8. RFC 793: Transmission Control Protocol
  9. [PDF] Module 8 Network Security - Jackson State University
  10. None
  11. RFC 1948 - Defending Against Sequence Number Attacks
  12. [PDF] Security Problems in the TCP/IP Protocol Suite - Columbia CS
  13. Final report on TCP/IP migration in 1983 - Internet Society
  14. RFC 793: Transmission Control Protocol
  15. 20.4 Window Size | TCP/IP Illustrated, Vol. 1 - Flylib.com
  16. [PDF] The Morris worm: A fifteen-year perspective - UMD Computer Science
  17. [PDF] CIS 551 / TCOM 401 - Computer and Network Security
  18. [PDF] Network Security Via Reverse Engineering of TCP Code
  19. Bugtraq: TCP Sequence Number Prediction Implementation
  20. [PDF] A Look Back at “Security Problems in the TCP/IP Protocol Suite”
  21. Initial Sequence Number generation in Linux TCP stack
  22. Microsoft Security Bulletin MS99-046 - Critical
  23. https://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf
  24. RFC 9293: Transmission Control Protocol (TCP)
  25. https://www.cs.cmu.edu/~srini/15-849/S11/papers/B89.html
  26. RFC 2385 - Protection of BGP Sessions via the TCP MD5 Signature ...
  27. RFC 5925 - The TCP Authentication Option - IETF Datatracker
  28. RFC 5926 - Cryptographic Algorithms for the TCP Authentication ...
  29. What Is a Stateful Firewall? | Stateful Inspection Firewalls Explained
  30. RFC 4987 - TCP SYN Flooding Attacks and Common Mitigations
User Avatar
No comments yet.