
I was reading: IP Spoofing with real IP when TCP 3-way handshake has been made

Where the answer says:

First of all, every TCP packet has a sequential identifier, which starts at a random position (explained briefly in this discussion). So if the attacker is spoofing (non-SYN) packets (trying to hijack an existing connection), then all of those spoofed packets will be ignored or refused (depending on the type of packet) because they will be out of sequence.

  1. I understand this, but what about the case where the attacker is spoofing all packets (including the first SYN packet that was transmitted)?

In this case, the victim can't detect the attacker (since the attacker decides the initial sequential identifier).

  2. In the above answer, why can't the attacker look at the initial value of the sequential identifier? Let's say all packets pass through him (still, from what I know, the sequential identifier isn't encoded). Maybe it's encoded in IPSec? In other words, can we encode IP headers?
Sir Muffington
Rog

1 Answer


I understand this, but what about the case where the attacker is spoofing all packets (including the first SYN packet)?

The attacker needs to exactly acknowledge the SYN from the server in order to proceed with the TCP handshake. Since the sequence number in the server's SYN is random and since the attacker cannot observe it (since the packet gets sent to the IP spoofed by the attacker), the attacker would need to correctly guess the server's sequence number.

While the attacker might send lots of packets and thus get lucky and guess it, this has to be done for all the following exchanges too, since the attacker cannot observe which of the guesses was successful.

Steffen Ullrich
  • Sorry, but that's not quite what I asked. I mean, why wait for the victim to start the handshake at all? Why not just use IP spoofing and start the handshake on my own (as an attacker) with my own sequence number? – Rog Jul 24 '22 at 07:28
  • Regarding 2, can't the attacker read the sequence number in the packets sent from victim to server and thus be 100% sure his attack will succeed? – Rog Jul 24 '22 at 07:29
  • 1
    @Rog: *"can't the attacker read the sequence number in the packets sent from victim to server"* - an off-path attacker can not observe the packets exchanged between the spoofed victim and server. An on-path attacker (i.e. in the middle between victim and server) can of course observe everything, but that's not the attack scenario assumed when talking about IP spoofing. – Steffen Ullrich Jul 24 '22 at 07:42
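To make the answer's point concrete, here is a small model of the server side of the handshake, added as an illustration and not code from either poster. It assumes a toy listener that picks a random 32-bit ISN per SYN and accepts only an ACK of exactly ISN + 1; the `Server` class, `blind_spoof_attempt` and `on_path_completion` helpers, and the example addresses are constructed for the demonstration.

```python
import secrets

ISN_SPACE = 2 ** 32  # TCP sequence numbers are 32 bits wide


class Server:
    """Toy TCP listener: answers a SYN with a SYN-ACK carrying a random ISN and
    completes the handshake only for an ACK that acknowledges exactly ISN + 1."""

    def __init__(self, isn_source=lambda: secrets.randbelow(ISN_SPACE)):
        self.isn_source = isn_source      # injectable so the model is testable
        self.half_open = {}               # client address -> ISN sent in SYN-ACK
        self.established = set()

    def on_syn(self, src, client_isn):
        isn = self.isn_source()
        self.half_open[src] = isn
        # The SYN-ACK is routed to src. If src was spoofed, the real owner of that
        # address receives it (and would normally answer with a RST); the off-path
        # sender never learns the value of `seq`.
        return {"dst": src, "seq": isn, "ack": (client_isn + 1) % ISN_SPACE}

    def on_ack(self, src, ack):
        isn = self.half_open.get(src)
        if isn is None or ack != (isn + 1) % ISN_SPACE:
            return False                  # out of sequence: ignored or reset
        del self.half_open[src]
        self.established.add(src)
        return True


def blind_spoof_attempt(server, spoofed_src, ack_guesses, client_isn=0):
    """Off-path sender as in the answer: it emits the SYN as spoofed_src, cannot
    read the SYN-ACK, and can only try the ACK values in `ack_guesses`.
    Returns how many of those guesses completed the handshake (0 or 1)."""
    synack = server.on_syn(spoofed_src, client_isn)
    assert synack["dst"] == spoofed_src   # delivered to the victim, not the sender
    return sum(server.on_ack(spoofed_src, g) for g in ack_guesses)


def on_path_completion(server, src, client_isn):
    """An on-path observer sees the SYN-ACK and can acknowledge it exactly."""
    synack = server.on_syn(src, client_isn)
    return server.on_ack(src, (synack["seq"] + 1) % ISN_SPACE)


def blind_success_probability(guesses):
    """P(at least one of `guesses` uniformly random ACK values is the right one)."""
    return 1 - (1 - 1 / ISN_SPACE) ** guesses
```

With the default random ISN, a million blind guesses still complete the handshake with probability of roughly one in four thousand, and a hit is not even observable to the off-path sender, which is exactly why the comment separates the off-path and on-path cases.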