
Off-Path TCP Sequence Number Inference Attack - wglb
http://web.eecs.umich.edu/~zhiyunq/tcp_sequence_number_inference/
======
JoachimSchipper
This is a grab-bag of clever tricks, based on one idea.

As you know, a TCP connection consists of a (sender_IP, sender_port,
receiver_IP, receiver_port) tuple, and individual packets additionally need a
valid sequence number ("valid" is rather complicated; TCP opens two of these
connections at once, one host1->host2 and one host2->host1.) An attacker with
these five numbers can inject arbitrary data into the connection.

The linked article assumes that between the client and server there is a
firewall that does sequence number checking (i.e. drops any packets that
couldn't possibly be valid; note that packet loss may cause the firewall to
see packet2 and packet3 but not packet1, so it has to accept "valid plus a
little bit".)

Now, if you have a little information from the client (such as can be obtained
by running "netstat", which is an unprivileged operation on pretty much all
OSes) and know the server's (IP, port) information (e.g. (www.facebook.com,
80)), you can play around with the firewall.

The most basic attack is simple: send packets with randomly-chosen sequence
numbers through the firewall, and see if they make it to the client (the
firewall will forward anything in "valid" to "valid + something", and drop
anything else; the client will increment the netstat-visible error counter if
it receives anything but "valid".) Once a packet makes it through the
firewall, you know that the "valid" sequence number is within "something" of
the sequence number of that packet. Various refinements and nastier attacks
are explored.

~~~
papsosouid
I don't get how this is an issue with the firewall. If the firewall wasn't
there tossing away packets with invalid sequence numbers, then the actual host
would toss them away anyhow, right? So what's the difference between having the
firewall there or not? Either way you can figure out the sequence number by
trying until you guess right.

~~~
JoachimSchipper
Yes, the host would drop/reject them anyway. However, having the firewall
allows you to find the valid number in all_numbers / something + something
(where "something" is as in the grandparent) by first using the firewall to
find the correct interval ([0, something[, [something, 2 * something[, ...)
and then brute-forcing only those sequence numbers.
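To see how much a window-checking firewall shrinks the search described above, here is a cost model written for this thread (added example, not code from the paper or from any commenter). It assumes a 2^32 sequence space, a firewall that forwards exactly the segments in [valid, valid + window), and a host that reveals only the exact valid number; it sends no packets, it just counts oracle queries.

```python
import random

SEQ_SPACE = 2 ** 32  # size of the TCP sequence-number space


def make_firewall_oracle(valid, window):
    """Model of a window-checking firewall (assumption of this model):
    a segment is forwarded only if its sequence number lies in
    [valid, valid + window), taken modulo the sequence space."""
    return lambda seq: (seq - valid) % SEQ_SPACE < window


def make_host_oracle(valid):
    """Model of the end host's netstat-visible behaviour (assumption):
    it distinguishes the exact valid number from everything else."""
    return lambda seq: seq % SEQ_SPACE == valid


def probes_with_firewall(valid, window):
    """Two-stage search from the thread. Returns (probe_count, found).
    Stage 1: one probe per window-sized bucket until the firewall
    forwards one. Stage 2: walk that bucket against the host oracle."""
    fw_passes = make_firewall_oracle(valid, window)
    host_hits = make_host_oracle(valid)
    probes = 0
    hit = None
    for seq in range(0, SEQ_SPACE, window):
        probes += 1
        if fw_passes(seq):
            hit = seq
            break
    # hit is in [valid, valid + window), so valid is in (hit - window, hit]
    for seq in range(hit, hit - window, -1):
        probes += 1
        if host_hits(seq):
            return probes, seq % SEQ_SPACE
    raise RuntimeError("search invariant violated")


def worst_case_probes(window):
    """Upper bound for the two-stage search: all_numbers / something
    + something, in the thread's words, versus SEQ_SPACE when blind."""
    return SEQ_SPACE // window + window


if __name__ == "__main__":
    w = 2 ** 16
    valid = random.randrange(SEQ_SPACE)
    n, found = probes_with_firewall(valid, w)
    print(f"window={w}: {n} probes (bound {worst_case_probes(w)}), "
          f"blind bound {SEQ_SPACE}; correct={found == valid}")
```

With a 2^16 window the bound is 2^17 probes instead of 2^32, which is the whole reason the sequence-checking middlebox is the problem rather than the host.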

------
jws
In a nutshell, given IP spoofing, in order to hijack a TCP connection they
need to work out the sequence number. They take advantage of a firewall that
throws away invalid sequence numbers to pervert it into a device that reveals
the valid sequence number.

It hinges on knowing if a packet was tossed or not. They do this with either a
TTL that will expire between the firewall and destination, or by an
unprivileged conspirator program on the target device (e.g. watching the Linux
packet counters on an Android phone).

They apparently have success with about one third of the mobile carriers they
have tried.

------
jbert
Is IP spoofing generally doable on today's internet? Don't core routers in
general implement ingress filters? So if I send a packet with a src IP outside
of my provider's IP space it will get dropped?

