Does it matter?

Posted Aug 19, 2011 19:17 UTC (Fri) by njs (subscriber, #40338)
In reply to: Does it matter? by epa
Parent article: Unpredictable sequence numbers

Normally, to hijack a TCP connection, you need to be "in the middle" in some sense -- have access to some router that the TCP is flowing over, or be on the same LAN to run arp spoofing, etc. I can't just hijack your connection to LWN from my home router. Sequence numbers are the thing that stops me -- if you can guess the sequence numbers for other people's connections, then under the right circumstances you can insert stuff into any TCP connection anywhere from any internet-connected host.

("The right circumstances" are somewhat tricky to achieve -- I'll skip the details, they should be easy to google -- but there are practical attacks possible.)

to post comments

Does it matter?

Posted Aug 19, 2011 23:49 UTC (Fri) by pflugstad (subscriber, #224) [Link] (1 responses)

I think you missed epa's point.

Even being able to predict TCP sequence numbers does not allow you to inject traffic into an existing SSH or SSL (https) connection. Both protocols encrypt the data and have integrity checks over the data, so if you injected data, it would fail to decrypt and/or fail the integrity checks.

So the worst that you can probably do if you can predict TCP sequence numbers is force the connection to be reset - packets with an invalid TCP sequence number would be discarded - if the seq num is valid, then SSL/SSH would flag it and abort the connection.

Does it matter?

Posted Aug 20, 2011 1:36 UTC (Sat) by njs (subscriber, #40338) [Link]

Yes, but I also use protocols like HTTP that don't have cryptographic integrity guarantees... and those protocols are more at risk if TCP sequence numbers are predictable than if they aren't, which is why TCP sequence numbers matter beyond DoS attacks. Which was epa's question...