Off-Path TCP Sequence Number Inference Attack

TCP was, like most things, initially designed without security considerations. Historically, one of the most serious concerns that reared its head due to this lack of oversight was the scenario in which an attacker forges a source address and injects packets against a deterministically known TCP initial sequence number (ISN). To counter these attacks, a patch was provided to randomize the TCP ISN, thus preventing packet injection. Additionally, firewall vendors realized that they could perform sequence number checking at the firewall and actively drop packets with invalid sequence numbers before they reached the end-host. Much like those padding oracles everyone reads about, this firewall feature provided a side-channel: an attacker can submit guessed sequence numbers and learn whether they are valid.

This attack is thus dubbed the “TCP sequence number inference attack.”
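The side-channel described above leaves a trace on the firewall itself: a single connection receiving a burst of out-of-window drops at many different sequence numbers looks nothing like an ordinary stale retransmit. The following Python script is an added example (not code from the original post or the underlying paper); it parses constructed drop-log lines in a hypothetical format and flags flows whose out-of-window drop count and distinct-sequence spread both reach a threshold.

```python
import re
from collections import defaultdict

# Constructed sample drop log in a hypothetical firewall format (not from any
# real product): timestamp, action, 4-tuple, drop reason, sequence number.
SAMPLE_LOG = """\
10:00:01 DROP 203.0.113.5:40001 > 198.51.100.7:443 reason=seq_out_of_window seq=1000000
10:00:01 DROP 203.0.113.5:40001 > 198.51.100.7:443 reason=seq_out_of_window seq=1500000
10:00:01 DROP 203.0.113.5:40001 > 198.51.100.7:443 reason=seq_out_of_window seq=1250000
10:00:02 DROP 203.0.113.5:40001 > 198.51.100.7:443 reason=seq_out_of_window seq=1375000
10:00:02 DROP 203.0.113.5:40001 > 198.51.100.7:443 reason=seq_out_of_window seq=1312500
10:00:02 DROP 203.0.113.5:40001 > 198.51.100.7:443 reason=seq_out_of_window seq=1343750
10:00:03 DROP 192.0.2.9:51000 > 198.51.100.7:443 reason=seq_out_of_window seq=77000
10:00:03 DROP 192.0.2.9:51000 > 198.51.100.7:443 reason=ttl_expired seq=77020
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<src>\S+) > (?P<dst>\S+) "
    r"reason=(?P<reason>\S+) seq=(?P<seq>\d+)$"
)


def parse_drops(log_text):
    """Yield (ts, src, dst, reason, seq) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["ts"], m["src"], m["dst"], m["reason"], int(m["seq"])


def find_probing_flows(log_text, threshold=5):
    """Return {(src, dst): drop_count} for flows that look like window probing.

    A legitimate stale segment is dropped once or twice at roughly the same
    sequence number. Many out-of-window drops on one 4-tuple, spread across
    distinct sequence numbers, are what using the firewall's window check as
    a validity oracle looks like from the firewall's side.
    """
    counts = defaultdict(int)
    seqs = defaultdict(set)
    for _ts, src, dst, reason, seq in parse_drops(log_text):
        if reason == "seq_out_of_window":
            counts[(src, dst)] += 1
            seqs[(src, dst)].add(seq)
    return {flow: n for flow, n in counts.items()
            if n >= threshold and len(seqs[flow]) >= threshold}
```

The threshold is a placeholder; tune it against the baseline rate of out-of-window drops on your own firewall before alerting on it.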

Research: TCP Sequence Number Inference Attack