Hacking firewalls and networks how to hack into remote computers


IP Spoofing and Sniffing

TCP Data Exchange

During normal TCP data exchange, one party sends one or more TCP/IP datagrams. The other party occasionally sends back a TCP/IP datagram with the ACK flag set in its TCP header to let the sender know that the data arrived. During establishment of the connection, both parties also inform each other how much room they have in their receive buffers. TCP carries the amount of available room in the window field of the TCP header of each datagram sent, telling the sender how much more data may be sent before the receive buffer fills. As the program on the receiving side empties the receive buffer, the number in the window field increases. The acknowledgment number specifies the lowest sequence number of a data byte that the receiver expects to receive. The acknowledgment number plus the number in the window field specifies the highest sequence number of a data byte that will be placed in the input buffer when received. Occasionally, IP datagrams arrive out of order. When a datagram arrives earlier than expected, the early datagram goes into the receiver's input buffer, but the receiver does not immediately acknowledge it. When the expected datagram arrives, the receiver may acknowledge both sets of TCP data at once. At that point, the receiving program can read both sets of data without waiting for any further action from the sender.

Forged TCP/IP Datagrams

To successfully forge a TCP/IP datagram that will be accepted as part of an existing connection, an attacker only needs to estimate the sequence number that will be assigned to the next data byte sent by the legitimate sender. Consider the three cases: the estimate is exact, a bit too low, or a bit too high. If the attacker knows or successfully guesses the exact sequence number of the next byte being sent, the attacker can forge a TCP/IP datagram containing data that will be placed in the receiver's input buffer in the next available position. If the forged datagram arrives after the legitimate datagram, the receiver may completely discard the forged datagram if it contains less data than the legitimate one. However, if the forged datagram contains more data, the receiver will discard only the first part: it will place into its input buffer the part of the forged datagram whose data bytes have larger sequence numbers than those received in the earlier legitimate datagram. On the other hand, if the forged datagram arrives before the legitimate datagram, the receiver will discard the legitimate datagram (at least partially). If the attacker's guess of the sequence number is a bit too low, the first part of the data in the forged TCP/IP datagram will definitely not be placed in the receiver's input buffer. However, if the forged datagram contains enough data, the receiver may place the last part of the forged data in its input buffer.
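The acceptance rules described in the two sections above (the window, the acknowledgment number, out-of-order arrival, and what happens when a datagram's sequence number is exact, a bit too low, or a bit too high) can be made concrete with a small receiver model. The following Python is an added example, not code from the book: it models a TCP receiver as a per-byte map keyed by sequence number, accepts only bytes whose sequence numbers fall in [ACK, ACK + window), keeps the first copy of any byte that arrives twice, and advances the acknowledgment number only across contiguous bytes. The sequence numbers, buffer size and data strings are constructed for the walk-through; real stacks work on whole segments rather than single bytes, but the observable behaviour for these cases is the same.

```python
from dataclasses import dataclass, field


@dataclass
class TcpReceiver:
    """Toy model of the receiving side of one TCP connection (added example).

    rcv_nxt  : sequence number of the next in-order byte expected; this is the
               value carried in the acknowledgment field of every datagram sent back
    buf_size : capacity of the receive buffer in bytes (constructed value)
    inbuf    : in-order bytes not yet read by the receiving program
    early    : bytes that arrived ahead of rcv_nxt, keyed by sequence number,
               held until the gap in front of them is filled
    """
    rcv_nxt: int
    buf_size: int = 32
    inbuf: bytearray = field(default_factory=bytearray)
    early: dict = field(default_factory=dict)

    def window(self) -> int:
        """Advertised window: free room in the buffer (in-order + early bytes)."""
        return max(0, self.buf_size - len(self.inbuf) - len(self.early))

    def receive(self, seq: int, data: bytes) -> int:
        """Process one datagram; return how many of its bytes were stored.

        A byte is accepted only if its sequence number lies in
        [rcv_nxt, rcv_nxt + window). A byte whose sequence number is already
        stored is discarded: the first copy to arrive wins.
        """
        win_hi = self.rcv_nxt + self.window()
        stored = 0
        for offset, byte in enumerate(data):
            s = seq + offset
            if s < self.rcv_nxt or s >= win_hi:
                continue  # already received (too low) or outside the window
            if s in self.early:
                continue  # duplicate of a byte already held out of order
            self.early[s] = byte
            stored += 1
        # Move every byte that is now contiguous into the in-order buffer.
        # The acknowledgment number advances only across contiguous bytes.
        while self.rcv_nxt in self.early:
            self.inbuf.append(self.early.pop(self.rcv_nxt))
            self.rcv_nxt += 1
        return stored

    def read(self, n: int) -> bytes:
        """The receiving program consumes in-order data, which reopens the window."""
        out = bytes(self.inbuf[:n])
        del self.inbuf[:n]
        return out


def demo_sequence_guesses() -> dict:
    """Walk the three sequence-number cases; returns (stored, ack, buffer) per case."""
    results = {}
    rx = TcpReceiver(rcv_nxt=1000, buf_size=32)
    rx.receive(1000, b"0123456789")   # legitimate data, bytes 1000..1009
    rx.read(10)                       # program consumed it; ack is now 1010

    # Case 1: exact guess. seq == rcv_nxt lands in the next slot and is acked at once.
    n = rx.receive(1010, b"AAAAA")
    results["exact"] = (n, rx.rcv_nxt, bytes(rx.inbuf))          # (5, 1015, b"AAAAA")

    # The legitimate datagram for the same range arrives later with more data:
    # its first five bytes duplicate stored bytes and are dropped; only the tail is kept.
    n = rx.receive(1010, b"abcdefgh")
    results["late_legit"] = (n, rx.rcv_nxt, bytes(rx.inbuf))     # (3, 1018, b"AAAAAfgh")
    rx.read(8)

    # Case 2: guess a bit too low. seq 1015 < ack 1018: the first three bytes are
    # discarded, the remaining bytes are placed in the buffer.
    n = rx.receive(1015, b"LLLTAIL")
    results["too_low"] = (n, rx.rcv_nxt, bytes(rx.inbuf))        # (4, 1022, b"TAIL")
    rx.read(4)

    # Case 3: guess a bit too high (out of order). The bytes are held but the
    # acknowledgment number does not move until the gap in front of them is filled.
    n = rx.receive(1025, b"HIGH")
    results["too_high_held"] = (n, rx.rcv_nxt, bytes(rx.inbuf))  # (4, 1022, b"")
    n = rx.receive(1022, b"gap")      # gap filled: both pieces acknowledged at once
    results["gap_filled"] = (n, rx.rcv_nxt, bytes(rx.inbuf))     # (3, 1029, b"gapHIGH")
    return results


def window_demo() -> tuple:
    """Window before data arrives, once the buffer is full, and after the program reads."""
    rx = TcpReceiver(rcv_nxt=0, buf_size=8)
    before = rx.window()              # 8
    rx.receive(0, b"abcdefghij")      # only 8 of 10 bytes fit; the rest are dropped
    during = rx.window()              # 0
    rx.read(5)
    after = rx.window()               # 5
    return before, during, after


if __name__ == "__main__":
    for case, outcome in demo_sequence_guesses().items():
        print(f"{case:14s} stored={outcome[0]} ack={outcome[1]} buffer={outcome[2]!r}")
    print("window before/full/after read:", window_demo())
```

The model makes the defender's lesson visible: the receiver checks nothing but whether a byte's sequence number lies inside the window, so any party that can predict the next sequence number is indistinguishable from the legitimate sender. That is why modern stacks choose initial sequence numbers unpredictably and why unexplained duplicate or overlapping segments on a connection are worth examining.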


Internet Security Pro Ref 577-7 Gina 1-27-96 CH06 LP#3

311

