Two Methods of TCP Spoofing Attack

Source: Internet
Author: User

TCP is a connection-oriented, reliable byte-stream protocol that runs on top of IP. Because IP does nothing to verify source addresses, an attacker can send IP datagrams whose source address belongs to another machine. A TCP spoofing attacker usually cannot receive the replies to such datagrams; what matters is that the target accepts the forged segments as coming from the legitimate owner of that address. The attack is only useful where the target grants trust on the basis of a source address (the classic case being the r-commands' trusted-host lists), and it hinges on one detail: to complete the three-way handshake the attacker must acknowledge the target's initial sequence number (ISN), and that ISN is sent to the spoofed address, not to the attacker. How the attacker learns it is what separates the two methods.

There are two methods to implement TCP spoofing attacks:

1. Non-blind attacks

The attacker and the target host are on the same network segment, so the attacker can use a protocol analyzer (sniffer) to capture the target's TCP segments and read the sequence number it needs. The attack proceeds as follows:

(1) Attacker X first makes sure that B, a host trusted by target A, cannot answer. If B is up, X takes it out of service first, for example with a SYN flood, so that it sits in a denial-of-service state. This is essential: otherwise B would receive A's unexpected SYN/ACK in step (3) and reply with an RST, tearing down the half-open connection before X can use it.

(2) X sends a spoofed SYN, B -> A: SYN, seq = C. The source IP address is B's and the initial sequence number C is chosen by X. To A this looks like B requesting a connection.

(3) A replies to B, not to X: A -> B: SYN, seq = S, ack = C+1, carrying A's own initial sequence number S and acknowledging C+1. B is in a DoS state, so it sends nothing back. X, being on the same segment, captures this segment with the sniffer and learns S.

(4) X sends the spoofed final ACK, B -> A: ACK, seq = C+1, ack = S+1. The three-way handshake completes and A now holds an established connection that it believes is with B.

(5) X keeps communicating with A as B, forging every further segment with B's address and keeping the sequence and acknowledgement numbers consistent by continuing to sniff A's replies to B.

2. Blind attacks

Here the attacker and the target host are on different networks, so the attacker cannot sniff the target's traffic. The steps are the same as for the non-blind attack except that in step (3) the SYN/ACK, and S with it, is never seen: the attacker must predict A's initial sequence number instead. The usual technique is to open a few legitimate connections to A from the attacker's own address, observe how A's ISN advances from one connection to the next, and extrapolate the value A will use for the spoofed connection. In step (5) X can still send segments to A but never sees A's responses, which makes any interactive exchange difficult; in practice the attack is used to push a short one-way payload that needs no reply.

From the attacker's point of view the blind attack is harder: the target's responses go to a host the attacker cannot reach, so the attacker cannot directly tell whether the attack succeeded. An attacker can, however, turn a blind attack into a non-blind one with routing tricks, for example IP source routing or manipulating routes so that A's replies to B travel through a network the attacker can observe.

The main protections against TCP spoofing attacks are:

(1) Generate TCP initial sequence numbers unpredictably. A counter that advances by a fixed step per connection is exactly what ISN prediction relies on; the ISN should instead be derived from a cryptographically strong random source (RFC 6528 describes the widely deployed scheme of a clock value plus a keyed hash of the connection's addresses and ports). Note that this defeats only the blind variant: an attacker who can sniff the SYN/ACK has nothing to predict.

(2) Have the border router drop any packet arriving from the Internet whose source address belongs to the intranet; such a packet is spoofed by definition (ingress filtering, BCP 38 / RFC 2827). Filtering packets that leave with a non-local source address, in the other direction, keeps your own network from being used to spoof others.

(3) Encrypt and, more importantly, authenticate TCP traffic, for example with IPsec or TLS, so that a forged segment from a bare IP address carries nothing the application will accept. More generally, do not base trust on source IP addresses alone.
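The following Python model is an added example and is not code from the article. It plays out handshake steps (1) to (5) against a target host A, once as the non-blind attack (X reads S from the sniffed SYN/ACK) and once as the blind attack (X samples A's ISN from its own address and extrapolates), and then shows protections (1) and (2): a randomized ISN makes the blind guess fail, and an ingress filter drops the spoofed SYN before it reaches A. The fixed +64000 ISN step, the 192.168.1.0/24 intranet prefix, the host addresses, and the silenced trusted host B are all constructed assumptions; B's absence is simulated simply by never having it answer.

```python
import ipaddress
import os
from dataclasses import dataclass

ISN_SPACE = 1 << 32  # TCP sequence numbers are 32-bit and wrap modulo 2^32


@dataclass
class Segment:
    src: str        # source IP address: the field the attacker forges
    dst: str
    flags: str      # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0


class PredictableISN:
    """Weak generator: each new connection gets the previous ISN + 64000.
    The fixed step is an assumption, a simplification of the old counter-based
    stacks whose ISNs could be extrapolated from a few sample connections."""
    def __init__(self, start=1_000_000):
        self.last = start

    def __call__(self):
        self.last = (self.last + 64000) % ISN_SPACE
        return self.last


class RandomISN:
    """Protection (1): ISN drawn from a cryptographically secure source."""
    def __call__(self):
        return int.from_bytes(os.urandom(4), "big")


class TargetHost:
    """Passive-open side of the three-way handshake (target host A)."""
    def __init__(self, ip, isn_gen):
        self.ip = ip
        self.isn_gen = isn_gen
        self.pending = {}        # peer ip -> (our ISN S, peer ISN C)
        self.established = set()

    def receive(self, seg):
        if seg.dst != self.ip:
            return None
        if seg.flags == "SYN":
            s = self.isn_gen()
            self.pending[seg.src] = (s, seg.seq)
            # step (3): the SYN/ACK is addressed to the *claimed* source, not to X
            return Segment(self.ip, seg.src, "SYN/ACK", seq=s, ack=(seg.seq + 1) % ISN_SPACE)
        if seg.flags == "ACK" and seg.src in self.pending:
            s, c = self.pending.pop(seg.src)
            if seg.ack == (s + 1) % ISN_SPACE and seg.seq == (c + 1) % ISN_SPACE:
                self.established.add(seg.src)
                return "ESTABLISHED"
            return "RST"         # wrong acknowledgement number: handshake rejected
        return None


def non_blind_attack(target, trusted_ip, c=4242):
    """X is on A's segment and B is assumed silenced (step 1), so B never answers.
    X sniffs the SYN/ACK addressed to B and reads S straight out of it."""
    syn_ack = target.receive(Segment(trusted_ip, target.ip, "SYN", seq=c))  # step (2)
    s = syn_ack.seq                                                        # step (3), sniffed
    return target.receive(Segment(trusted_ip, target.ip, "ACK",            # step (4)
                                  seq=(c + 1) % ISN_SPACE, ack=(s + 1) % ISN_SPACE))


def blind_attack(target, attacker_ip, trusted_ip, c=4242, step_guess=64000):
    """X is off-segment and never sees the SYN/ACK sent to B. It first connects from
    its own address to sample A's current ISN, then extrapolates the next one."""
    probe = target.receive(Segment(attacker_ip, target.ip, "SYN", seq=1))
    target.pending.pop(attacker_ip, None)   # X resets its own probe connection
    guess = (probe.seq + step_guess) % ISN_SPACE
    target.receive(Segment(trusted_ip, target.ip, "SYN", seq=c))   # reply goes to B, unseen
    return target.receive(Segment(trusted_ip, target.ip, "ACK",
                                  seq=(c + 1) % ISN_SPACE, ack=(guess + 1) % ISN_SPACE))


INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed intranet prefix


def border_router_accepts(ingress_iface, seg, internal_net=INTERNAL_NET):
    """Protection (2): a packet arriving on the Internet-facing interface with an
    intranet source address cannot be genuine and is dropped (ingress filtering)."""
    if ingress_iface == "external" and ipaddress.ip_address(seg.src) in internal_net:
        return False
    return True


if __name__ == "__main__":
    # constructed addresses: A = 192.168.1.10, trusted B = 192.168.1.20, X = 203.0.113.5
    weak = TargetHost("192.168.1.10", PredictableISN())
    strong = TargetHost("192.168.1.10", RandomISN())
    for name, host in (("weak ISN", weak), ("random ISN", strong)):
        print(name, "non-blind:", non_blind_attack(host, "192.168.1.20"),
              "blind:", blind_attack(host, "203.0.113.5", "192.168.1.20"))
    print("ingress filter passes spoofed SYN:",
          border_router_accepts("external", Segment("192.168.1.20", "192.168.1.10", "SYN", 4242)))
```

Against the host with the counter-based ISN both attacks reach ESTABLISHED; against the host with the random ISN only the blind attack is rejected with an RST, which is the caveat on protection (1): the non-blind attacker sniffs S and needs no prediction, so on a shared segment the ingress filter or segment authentication has to do the work. The `border_router_accepts` check stops the spoofed SYN regardless of ISN quality, but only when it arrives on the Internet-facing interface; a spoofer inside the intranet is not caught by it.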

 
