Though TCP is a connection-oriented and reliable protocol, it still has various loopholes that can be exploited. These loopholes are mostly explained in terms of attacks.
In the previous article in the TCP/IP Attacks series, we explained ARP Cache Poisoning.
This article explains the following two attacks:
- TCP sequence prediction attack
- TCP reset attacks
An overview of TCP
Before getting started with the explanation of the attacks, let's develop a basic understanding of how TCP works.
A TCP header looks like the following:
The following explains how a connection is established between two hosts at the TCP level. This is known as the three-way handshake. The handshake is required before any data can be sent in either direction. Once the connection is established, data can flow bi-directionally, with each packet carrying the sequence number of the first byte of data it contains and an acknowledgment of the data received so far.
- Suppose there are two hosts (A and B) that want to communicate with each other. Let's suppose host A starts the communication. From the TCP point of view, host A sends a SYN packet to host B.
- A SYN packet is a TCP packet with the SYN flag ON.
- Also carried in this packet are the initial sequence number (a value generated by the TCP of host A), source port, destination port, etc.
- When this packet is received at the TCP layer of host B, host B replies with a TCP packet with the SYN and ACK flags ON, its own initial sequence number and other information.
- When host A receives this packet, it checks some information like the SYN flag and the acknowledgment number (which should be host A's initial sequence number + 1) to verify that this is the expected packet from host B.
- In reply, host A sends a packet with the ACK flag ON and the acknowledgment number set to host B's initial sequence number + 1.
So we see that sequence numbers play an important role in TCP communication. A sequence number is a number that TCP associates with the starting byte of data in a particular packet. This way the receiving TCP keeps track of data received and acknowledges accordingly. The acknowledgment number is always the next expected sequence number.
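To make the handshake and the checks on the acknowledgment number concrete, here is an added example (not code from the original article). It parses the fixed 20-byte TCP header described above, builds the three handshake segments between two simulated hosts, and has each host verify the acknowledgment number it receives before moving to ESTABLISHED. The port numbers, ISNs and the `build_tcp_header`/`three_way_handshake` helpers are constructed for the simulation; no real socket or IP layer is involved.

```python
import struct
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
# Control-bit values from RFC 793 (the low six bits of the flags field)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int          # sequence number of the first data byte (the ISN on a SYN)
    ack: int          # next sequence number the sender expects from its peer
    data_offset: int  # header length in 32-bit words (5 = no options)
    flags: int
    window: int
    checksum: int
    urgent: int

    def has(self, flag: int) -> bool:
        return bool(self.flags & flag)


def parse_tcp_header(raw: bytes) -> TcpHeader:
    """Parse the fixed 20-byte TCP header (network byte order); options are ignored."""
    if len(raw) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack("!HHIIHHHH", raw[:20])
    return TcpHeader(src, dst, seq, ack, off_flags >> 12, off_flags & 0x1FF, win, csum, urg)


def build_tcp_header(src: int, dst: int, seq: int, ack: int, flags: int, window: int = 65535) -> bytes:
    """Build a 20-byte header for the simulation (checksum left zero; constructed, not sent)."""
    return struct.pack("!HHIIHHHH", src, dst, seq & MASK32, ack & MASK32,
                       (5 << 12) | flags, window, 0, 0)


def three_way_handshake(isn_a: int, isn_b: int, port_a: int = 40000, port_b: int = 80) -> dict:
    """Simulate A -> B SYN, B -> A SYN+ACK, A -> B ACK.

    Each side checks the acknowledgment number it receives before moving on;
    that check is what gives sequence numbers their security role.
    Returns each host's SND.NXT / RCV.NXT once the connection is ESTABLISHED.
    """
    # 1. A -> B: SYN carrying A's ISN. The SYN itself consumes one sequence number.
    syn = parse_tcp_header(build_tcp_header(port_a, port_b, isn_a, 0, SYN))
    if not (syn.has(SYN) and not syn.has(ACK)):
        raise ConnectionError("B: expected a bare SYN")
    b_rcv_nxt = (syn.seq + 1) & MASK32

    # 2. B -> A: SYN+ACK carrying B's ISN and acknowledging ISN_A + 1.
    synack = parse_tcp_header(build_tcp_header(port_b, port_a, isn_b, b_rcv_nxt, SYN | ACK))
    if not (synack.has(SYN) and synack.has(ACK)):
        raise ConnectionError("A: expected SYN+ACK")
    if synack.ack != (isn_a + 1) & MASK32:
        # A drops a reply that does not acknowledge its own ISN; a wrongly guessed ISN fails here.
        raise ConnectionError("A: SYN+ACK acknowledges the wrong sequence number")
    a_rcv_nxt = (synack.seq + 1) & MASK32
    a_snd_nxt = (isn_a + 1) & MASK32

    # 3. A -> B: ACK acknowledging ISN_B + 1; B performs the mirror-image check.
    final_ack = parse_tcp_header(build_tcp_header(port_a, port_b, a_snd_nxt, a_rcv_nxt, ACK))
    if not final_ack.has(ACK) or final_ack.ack != (isn_b + 1) & MASK32:
        raise ConnectionError("B: final ACK acknowledges the wrong sequence number")
    b_snd_nxt = (isn_b + 1) & MASK32

    return {"A": {"snd_nxt": a_snd_nxt, "rcv_nxt": a_rcv_nxt},
            "B": {"snd_nxt": b_snd_nxt, "rcv_nxt": b_rcv_nxt}}


if __name__ == "__main__":
    # Constructed sample segment: port 40000 -> 80, seq 1000, SYN set.
    hdr = parse_tcp_header(build_tcp_header(40000, 80, 1000, 0, SYN))
    print(hdr, "SYN" if hdr.has(SYN) else "")
    print(three_way_handshake(1000, 5000))
```

All arithmetic is done modulo 2^32, so the simulation also shows what happens when an ISN sits right at the top of the sequence space and the next expected number wraps to zero.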
TCP Sequence Prediction Attack
Suppose host A and host B are communicating with each other. Now, let's say an attacker sitting in between is somehow able to monitor the packets between A and B.
Let's see what the attacker does:
- The attacker wants to attack host A.
- It floods host B with new requests, causing a denial of service that stops host B from communicating with A.
- Now the attacker can predict the sequence number of the packet that A is expecting from B.
- The attacker prepares such a packet and sends it to host A.
- Since it is a faked packet, host A thinks it is coming from B.
- This packet can be one that terminates the connection, or one asking host A to run some malicious commands/scripts, etc.
So in this way a connection can be hijacked by an attacker.
Another way could be the prediction of the ISN (initial sequence number).
Let's see an excerpt from RFC 793:
When new connections are created, an initial sequence number (ISN) generator is employed which selects a new 32 bit ISN. The generator is bound to a (possibly fictitious) 32 bit clock whose low order bit is incremented roughly every 4 microseconds. Thus, the ISN cycles approximately every 4.55 hours. Since we assume that segments will stay in the network no more than the Maximum Segment Lifetime (MSL) and that the MSL is less than 4.55 hours we can reasonably assume that ISN’s will be unique.
BSD TCP/IP stacks diverge from the above mechanism. BSD TCP/IP stacks increase the sequence number by 128,000 every second and by 64,000 for every new TCP connection. This, as you can imagine, is more predictable and hence can be easily exploited.
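The following added example (not code from the original article) models the two ISN schemes just described, the RFC 793 clock and the BSD increment, next to a fully random generator, and measures each one with the simplest possible predictor: assume the generator advances by a constant step. This is the kind of check an administrator runs against their own hosts to see whether a stack's ISNs are guessable; the sampling schedule (one new connection per second from the same observer) and the `predictability` score are constructed for the demonstration.

```python
from __future__ import annotations
import random

MASK32 = 0xFFFFFFFF


def rfc793_isn(clock_us: int) -> int:
    """ISN from the RFC 793 scheme: a 32-bit clock whose low bit ticks every 4 microseconds."""
    return (clock_us // 4) & MASK32


def bsd_isn(elapsed_s: float, connections: int) -> int:
    """ISN from the classic BSD scheme as the article describes it:
    +128,000 per second of uptime and +64,000 per new connection."""
    return (int(128_000 * elapsed_s) + 64_000 * connections) & MASK32


def random_isn(rng: random.Random) -> int:
    """A fully random 32-bit ISN: the property a modern generator aims for."""
    return rng.getrandbits(32)


def linear_guess(observed: list) -> int:
    """Guess the next ISN assuming a constant step (taken from the last two observations).
    Arithmetic is modulo 2^32 so a wrap of the sequence space does not break the guess."""
    step = (observed[-1] - observed[-2]) & MASK32
    return (observed[-1] + step) & MASK32


def predictability(isns: list) -> float:
    """Fraction of ISNs that the linear guess gets exactly right.
    1.0 means an observer who saw two connections can name the third one's ISN."""
    if len(isns) < 3:
        raise ValueError("need at least three samples")
    hits = sum(1 for i in range(2, len(isns)) if linear_guess(isns[:i]) == isns[i])
    return hits / (len(isns) - 2)


def sample_isns(kind: str, n: int = 20, seed: int = 1) -> list:
    """Constructed samples: one new connection per second, all seen by the same observer."""
    rng = random.Random(seed)
    if kind == "rfc793":
        return [rfc793_isn(1_000_000 * t) for t in range(n)]
    if kind == "bsd":
        return [bsd_isn(float(t), t) for t in range(n)]
    if kind == "random":
        return [random_isn(rng) for _ in range(n)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("rfc793", "bsd", "random"):
        print(f"{kind:7s} predictability = {predictability(sample_isns(kind)):.2f}")
```

Both the clock-driven and the increment-driven generators score 1.0 under this trivial predictor, which is the whole point of the section: an ISN that moves by a fixed amount per second or per connection can be inferred from a couple of observed connections. Only the random generator defeats it.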
TCP Reset Attacks
This attack is fairly simple to understand once the above attack is clear to you. In this attack:
- Once the attacker is able to hijack a TCP session (as described above), this attack can be launched.
- The attacker sends packets with the RST flag ON to both A and B, or to either one of the hosts.
- Since neither A nor B knows that an attacker has sent these packets, they treat them normally.
- Since they are reset packets, the connection between A and B is terminated.
So we can see that TCP reset attacks aim to terminate a valid TCP connection between two hosts.
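Whether a forged RST actually tears a connection down depends on the sequence number it carries. This added example (not code from the original article) puts the original RFC 793 acceptance rule, which honours any RST inside the receive window, beside the tightened rule from RFC 5961, which honours only an RST whose sequence number is exactly the next expected byte and answers an in-window but inexact one with a challenge ACK. The connection state and the RST sequence numbers are constructed; the two check functions are the added illustration of the mitigation, not any particular stack's code.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
ACCEPT, CHALLENGE_ACK, DROP = "reset", "challenge-ack", "drop"


@dataclass
class ConnState:
    rcv_nxt: int   # next sequence number this host expects from its peer
    rcv_wnd: int   # number of bytes the host is currently willing to accept


def in_window(conn: ConnState, seq: int) -> bool:
    """RCV.NXT <= seq < RCV.NXT + RCV.WND, computed modulo 2^32."""
    return ((seq - conn.rcv_nxt) & MASK32) < conn.rcv_wnd


def rst_check_rfc793(conn: ConnState, rst_seq: int) -> str:
    """Original rule: any RST whose sequence number lies inside the receive window
    tears the connection down, so a guess anywhere in the window is enough."""
    return ACCEPT if in_window(conn, rst_seq) else DROP


def rst_check_rfc5961(conn: ConnState, rst_seq: int) -> str:
    """RFC 5961 rule: only an RST with seq == RCV.NXT is honoured.
    An in-window but inexact RST gets a challenge ACK instead; a peer that really
    did reset replies with another RST carrying the exact number, a spoofed source
    cannot, so the connection survives."""
    if rst_seq == conn.rcv_nxt:
        return ACCEPT
    if in_window(conn, rst_seq):
        return CHALLENGE_ACK
    return DROP


def classify_rst_segments(conn: ConnState, rst_seqs):
    """Run both rules over a batch of RST segments; returns (rfc793_verdicts, rfc5961_verdicts)."""
    return ([rst_check_rfc793(conn, s) for s in rst_seqs],
            [rst_check_rfc5961(conn, s) for s in rst_seqs])


if __name__ == "__main__":
    # Constructed state: the host expects byte 1000 next and advertises a 65535-byte window.
    conn = ConnState(rcv_nxt=1000, rcv_wnd=65535)
    # Constructed RST sequence numbers: exact, in-window guess, just below, just past the window.
    for seq in (1000, 5000, 999, 1000 + 65535):
        print(f"seq={seq:>6}  rfc793={rst_check_rfc793(conn, seq):<6}  rfc5961={rst_check_rfc5961(conn, seq)}")
```

The difference between the two verdict lists is the mitigation in a nutshell: under the older rule an attacker only has to land inside the window, under RFC 5961 they must hit one exact value out of 2^32, and the challenge ACK gives the defender a signal (an unexpected RST followed by a challenge) that is worth alerting on when it repeats.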