Browse Prior Art Database

Improving TCP's Robustness to Blind In-Window Attacks (RFC5961) Disclosure Number: IPCOM000199147D
Original Publication Date: 2010-Aug-01
Included in the Prior Art Database: 2010-Aug-27
Document File: 38 page(s) / 45K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

A. Ramaiah: AUTHOR [+2]


TCP [RFC0793] is widely deployed and the most common reliable end-to- end transport protocol used for data communication in today's Internet. Yet, when it was standardized over 20 years ago, the Internet was a different place, lacking many of the threats that are now common. The off-path TCP spoofing attacks, which are seen in the Internet today, fall into this category.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 6% of the total text.

Internet Engineering Task Force (IETF)                        A. Ramaiah Request for Comments: 5961                                         Cisco Category: Standards Track                                     R. Stewart ISSN: 2070-1721                                                   Huawei                                                                 M. Dalal                                                                    Cisco                                                              August 2010

          Improving TCP's Robustness to Blind In-Window Attacks


   TCP has historically been considered to be protected against spoofed    off-path packet injection attacks by relying on the fact that it is    difficult to guess the 4-tuple (the source and destination IP    addresses and the source and destination ports) in combination with    the 32-bit sequence number(s).  A combination of increasing window    sizes and applications using longer-term connections (e.g., H-323 or    Border Gateway Protocol (BGP) [RFC4271]) have left modern TCP    implementations more vulnerable to these types of spoofed packet    injection attacks.

   Many of these long-term TCP applications tend to have predictable IP    addresses and ports that makes it far easier for the 4-tuple (4-tuple    is the same as the socket pair mentioned in RFC 793) to be guessed.    Having guessed the 4-tuple correctly, an attacker can inject a TCP    segment with the RST bit set, the SYN bit set or data into a TCP    connection by systematically guessing the sequence number of the    spoofed segment to be in the current receive window.  This can cause    the connection to abort or cause data corruption.  This document    specifies small modifications to the way TCP handles inbound segments    that can reduce the chances of a successful attack.

Status of This Memo

   This is an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force    (IETF).  It represents the consensus of the IETF community.  It has    received public review and has been approved for publication by the    Internet Engineering Steering Group (IESG).  Further information on    Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of this document, any errata,    and how to provide feedback on it may be obtained at

 Ramaiah, et al.              Standards Track                    [Page 1]
 RFC 5961       ...