Defending Against Sequence Number Attacks (RFC1948)
Original Publication Date: 1996-May-01
Included in the Prior Art Database: 2000-Sep-13
Internet Society Requests For Comment (RFCs)
IP spoofing attacks based on sequence number spoofing have become a serious threat on the Internet (CERT Advisory CA-95:01). While ubiquitous crypgraphic authentication is the right answer, we propose a simple modification to TCP implementations that should be a very substantial block to the current wave of attacks.
Network Working Group S. Bellovin
Request for Comments: 1948 AT&T Research
Category: Informational May 1996
Defending Against Sequence Number Attacks
Status of This Memo
This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.
IP spoofing attacks based on sequence number spoofing have become a
serious threat on the Internet (CERT Advisory CA-95:01). While
ubiquitous crypgraphic authentication is the right answer, we propose
a simple modification to TCP implementations that should be a very
substantial block to the current wave of attacks.
Overview and Rational
In 1985, Morris  described a form of attack based on guessing what
sequence numbers TCP  will use for new connections. Briefly, the
attacker gags a host trusted by the target, impersonates the IP
address of the trusted host when talking to the target, and completes
the 3-way handshake based on its guess at the next initial sequence
number to be used. An ordinary connection to the target is used to
gather sequence number state information. This entire sequence,
coupled with address-based authentication, allows the attacker to
execute commands on the target host.
Clearly, the proper solution is cryptographic authentication [3,4].
But it will quite a long time before that is deployed. It has
therefore been necessary for many sites to restrict use of protocols
that rely on address-based authentication, such as rlogin and rsh.
Unfortunately, the prevalence of "sniffer attacks" -- network
eavesdropping (CERT Advisory CA-94:01) -- has rendered ordinary
TELNET  very dangerous as well. The Internet is thus left without
a safe, secure mechanism for remote login.
We propose a simple change to TCP implementations that will block
most sequence number guessing attacks. More precisely, such attacks
will remain possible if and only if the Bad Guy already has the
ability to launch even more devastating attacks.
Details of the Attack
In order to understand the particular case of sequence number
guessing, one must look at the 3-way handshake used in the TCP open
sequence . Suppose client machine A wants to talk to rsh server
B. It sends the following message:
A->B: SYN, ISNa
That is, it sends a packet with the SYN ("synchronize sequence
number") bit set and an initial sequence number ISNa.
B replies with
B->A: SYN, ISNb, ACK(ISNa)
In addition to sending its own initial sequence number, it
acknowledges A's. Note that the actual numeric value ISNa must
appear in the message.
A concludes the handshake by sending
The initial sequence numbers are intended to be more or less random.
More precisely, RFC 793 specifies that the 32-bit count...