Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ames!pasteur!ucbvax!ulysses!smb
From: smb@ulysses.homer.nj.att.com (Steven M. Bellovin)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Sequence numbers provide security?? (Bellovin's article)
Message-ID: <11501@ulysses.homer.nj.att.com>
Date: 9 May 89 01:41:50 GMT
References: <8905081540.AA07029@TIS.COM>
Organization: AT&T Bell Laboratories, Murray Hill
Lines: 36

The point of a sequence number attack is to spoof a host *if you can't
hear the return packets*.  For example, suppose we have hosts A and B on
a local net, along with gateway G.  I'm off on attacker host X, also
connected to G but on another LAN:

        A-------G---------B----------C
                |         |          |
                |         |          |
                X         |          |

Suppose I want to talk to A, and impersonate B.  Normally, I can't do
that, since I can't complete the 3-way handshake -- A's replies will go
to the real B.  That is, without a routing attack, I can't persuade A to
route packets to B through G.

With a sequence number attack, though, X doesn't have to hear A's reply.
It can be predicted; thus, the third message of the open sequence can be
sent blind.  Once that's done, A thinks that the connection is open, and
from B.  X can't receive any output from the connection -- but with the
ability to use rsh to execute commands, that hardly matters.

Just rebooting C with B's IP address works on some networks, i.e.,
Ethernet cables and the like.  But there are networks where the IP
address is bound to the switching hardware -- such as the ARPANET
itself.  There's no way (at the IP level or above) to make the ARPANET
IMPs deliver packets addressed to B to C instead -- it just isn't wired
that way.  But a sequence number attack, where C claims to be B, will
still work.

		--Steve Bellovin
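The blind handshake described in the post, modelled as an added example; this is not code from Bellovin's post or from any real TCP stack. It assumes a deliberately simplified ISN generator (a counter that advances by a fixed step per connection, standing in for the predictable generators of the era), assumes the attacker infers that step by opening two connections of its own, and ignores the RST the real B would send on receiving an unexpected SYN-ACK. The names Server, CounterISN, RandomISN and blind_spoof are the example's own.

```python
"""
Toy model of a blind TCP sequence-number attack (added example, not from the
original post).  Host A picks an initial sequence number (ISN) for each new
connection; the client must ACK isn+1 to finish the three-way handshake.
If the ISN is predictable, attacker X can finish a handshake on behalf of B
without ever seeing A's SYN-ACK.  The ISN generators below are simplified
models for illustration (assumption), not any real stack's code.
"""
import os

MOD = 2 ** 32


class CounterISN:
    """Predictable ISN: fixed increment per accepted connection (assumption:
    a crude stand-in for an old counter-based generator)."""

    def __init__(self, start=1000, step=64):
        self.value = start
        self.step = step

    def next(self):
        self.value = (self.value + self.step) % MOD
        return self.value


class RandomISN:
    """Unpredictable ISN drawn from the OS CSPRNG."""

    def next(self):
        return int.from_bytes(os.urandom(4), "big")


class Server:
    """Host A: keeps half-open connections (peer -> ISN sent in SYN-ACK) and
    the set of peers whose handshake completed."""

    def __init__(self, isn_gen):
        self.isn_gen = isn_gen
        self.half_open = {}
        self.established = set()

    def recv_syn(self, peer, client_seq):
        # The SYN-ACK is routed to 'peer'; whoever forged the SYN may not see it.
        isn = self.isn_gen.next()
        self.half_open[peer] = isn
        return ("SYN-ACK", isn, (client_seq + 1) % MOD)

    def recv_ack(self, peer, ack):
        # Third message of the handshake: accepted only if it ACKs isn+1.
        isn = self.half_open.get(peer)
        if isn is not None and ack == (isn + 1) % MOD:
            del self.half_open[peer]
            self.established.add(peer)
            return True
        return False


def blind_spoof(server, victim="B", attacker="X"):
    """X impersonates B against 'server' (host A).
    1. X opens two ordinary connections from its own address, hearing both
       SYN-ACKs, and learns the per-connection ISN increment.
    2. X sends a SYN with source address B; the SYN-ACK goes to the real B,
       so X never sees the ISN A chose.
    3. X predicts that ISN and sends the final ACK blind.
    Returns True if A now believes a connection from B is open."""
    _, isn1, _ = server.recv_syn(attacker, 1)
    server.recv_ack(attacker, (isn1 + 1) % MOD)
    _, isn2, _ = server.recv_syn(attacker, 1)
    server.recv_ack(attacker, (isn2 + 1) % MOD)
    delta = (isn2 - isn1) % MOD            # inferred increment per connection

    server.recv_syn(victim, 1)             # reply goes to B; X hears nothing
    guess = (isn2 + delta) % MOD           # predicted ISN of the spoofed connection
    return server.recv_ack(victim, (guess + 1) % MOD)


if __name__ == "__main__":
    print("counter ISN, spoof succeeded:", blind_spoof(Server(CounterISN())))
    print("random ISN, spoof succeeded: ", blind_spoof(Server(RandomISN())))
```

With the counter generator the blind ACK lands exactly on isn+1 and A records B as connected even though B never sent a packet; with the CSPRNG generator the same procedure guesses a 32-bit value and fails, which is the property later ISN-randomization schemes were designed to provide.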