15

I have read the TCP Connection Establishment on Wikipedia

In brief the packets to start are

  • SYN, with a (hopefully) random sequence number A from the client.
  • SYN-ACK, responding, with A+1 and (hopefully) random sequence number B from the server.
  • ACK, responding with B+1.

Theoretically, a client cannot open a connection to a server, without reading the packets. That is where brute force might come in.

My questions are

  1. Is brute force usually necessary? (assuming a modern OS, and an unencrypted connection)

    If so, are we talking about a brute force of a short(65k possibilities) or an int (4 billion)?

  2. Is it relevant for SSL/TLS/HTTPS connections?
  3. Is it relevant for SSH?

I am asking because it has been implied in the answers this question that the IP address can be spoofed with little effort by someone who knows how.

700 Software
  • 13,897
  • 3
  • 53
  • 82

2 Answers2

9

To brute-force, you'd have to correctly guess the server's initial sequence number which is 32-bit (4 billion).

However, TCP is sent in plaintext. So if you can eavesdrop to a spoofed IP address (e.g., you can sniff packets from a router between the client and host), you don't need to guess the initial sequence number, you can just intercept it.

If you can intercept the packets you can start an ssl/tls/https/ssh connection. Otherwise you cannot.

dr jimbob
  • 38,936
  • 8
  • 92
  • 162
5

To answer your questions,

As mentioned in one of the answers to the question you linked to, it's trivial to spoof IP packets, but not TCP connections.

Your question assumes that the spoofer cannot intercept outgoing packets to his spoofed IP address from the target, which is not always the case.

  1. Is brute force usually necessary?

    • If the spoofer cannot intercept outgoing packets and the sender's OS properly randomises TCP sequence numbers, then yes, brute force is necessary (whether it will work is a different question entirely).
    • If the spoofer can intercept, then no, they can just peek at the outgoing packet's TCP sequence number and construct their response in kind.
  2. Is it relevant for SSL/TLS/HTTPS connections?

    • Spoofing a TCP connection with these protocols would require that the spoofer be able to intercept outgoing packets from the target. As far as authentication goes, this is done by certificate (see 3 for more details)
  3. Is it relevant for SSH?

    • See the answer for 2 (yes, can be spoofed if spoofer can intercept outgoing packets). Authentication is done by public keys/fingerprints, so if the attacker (oops, I mean spoofer! Surely they aren't attacking anything...:) has access to the private key of the system he is trying to spoof, then the spoofer can be surreptitiously authenticated.
Codebling
  • 151
  • 2
  • 2
    Good point about proper randomization. Pre RFC-1948 (1996) it was trivial to guess sequence numbers due to poor randomization. Most modern TCP should be resistant to these flaws, but could have weaknesses -- though arguably not trivial ones or ones that are widely known. – dr jimbob Mar 15 '12 at 04:53