what are possible TCP layer attacks?

Posted on 2005-04-16
Last Modified: 2008-02-26
TCP uses a checksum for the data and the header. Then how can an adversary modify a packet and send it on to its intended destination?
For IP, an adversary can change values in the IP header, rebuild the checksum field and fill it into the IP header, but what about the TCP checksum and data?
Does that mean there is no TCP data hacking/modifying attack in the world?
Which TCP layer attacks are there in the world except the SYN attack?
Question by:b123coder
    LVL 9

    Expert Comment

    by:David Piniella
    >> which are TCP layer attacks are there in world except SYN attack?

    smurf, bonk, boink, ping of death, teardrop, fraggle, hijacking, DDoS.


    LVL 14

    Expert Comment

    TCP checksums are not meant as protection against attacks,
    but as a protection against bad comm lines, modems, etc.

    The algorithm is simple and well documented, so
    it is no problem to modify any intercepted packet, then re-calc
    the checksum and send the packet to the victim.

    LVL 7

    Assisted Solution

    In order to hijack a TCP connection, two things need to be accomplished:

    1) You need to be able to use the correct TCP sequence number for the next packet, and then send this packet with the correct source address.
      The connection is now hijacked; the client's TCP sequence number is out of sequence, so their session is no longer valid, and packets from them will be ignored.  Unless you are a man-in-the-middle, or otherwise able to intercept replies, this will be a blind attack, and probably most suited to TCP replay attacks.

    2) Now that you've hijacked the connection and are able to send new packets of data to the remote host using the correct sequence numbers, which will continue to increment, you need to preserve the session so that it continues.  The original (victim) host will continue to receive packets from the destination, in reply to your forged packets... when it sees these, but has already invalidated the session (sequence numbers no longer matching and all), RST packets are going to be sent back and forth, and possibly ICMP Port Unreachable messages as well.  You'll need to suppress any network output from the originating host to prevent the original (victim) host from sending these packets, which could cause the hijacked session to terminate.

    TCP replay attacks are the second type of attack that seems to meet your qualifications.  In short, if you've already captured a session in the past, you can resend the packets to the destination host.  Again, this is a blind attack (unless playing man-in-the-middle), and would be for purposes such as activating an authentication mechanism.  E.g. if a remote host allows SMTP traffic after you've authenticated via POP, a TCP replay attack could be used to resend the packets to authenticate the POP session, thus opening up the SMTP service.  This is a hypothetical example, and ignores the fact that extracting the POP password from the already-known traffic would be easier.

    In both cases, network connections should be secured from monitoring and man-in-the-middle attacks.  SSH tunneling, IPSec and other VPN-type links can be used with great benefit.  Services should have protocol-layer mechanisms to establish per-session cryptography, tokens, timestamps, etc. to prevent replay attacks and to prevent hijacking.

    Other attacks typically involve sending unexpected data to a remote host for the purposes of buffer overflows and various DoS purposes.  This can be in the form of oversized packets, unexpected contents, manipulation of packet flags, etc.  This is usually at the protocol level, but can sometimes be a low-level packet issue that exploits issues in the TCP stack.  E.g. the "ssping" or "jolt" attack was an oversized ICMP Echo (Ping) packet.
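The two points made by the experts above (the TCP checksum is a keyless error-detection code that anyone can recompute, and only per-session cryptography actually protects a session) can be shown concretely. The following is an added illustration, not code from the thread; it builds a constructed IPv4/TCP segment between made-up addresses, computes the RFC 793 checksum over the pseudo-header plus segment, and compares how the checksum and a keyed HMAC (standing in for the per-session MAC an IPsec or TLS-style layer would provide) each respond to a one-word modification of the payload. The session key and addresses are constructed for the demo.

```python
"""Why the TCP checksum is not an integrity protection (added example).

A receiving TCP stack only checks that the checksum field matches the
ones' complement sum of pseudo-header + header + payload.  That sum needs
no secret, so a modified segment is accepted as soon as the field is
refilled.  A keyed MAC over the same bytes keeps rejecting the change
because the key is not available to whoever altered the bytes.
"""
import hashlib
import hmac
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit ones' complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"                      # pad an odd-length buffer with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over IPv4 pseudo-header + TCP header + payload, checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def set_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bytes:
    """Copy of the segment with a correct checksum field; note that no key is involved."""
    csum = struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment))
    return segment[:16] + csum + segment[18:]


def checksum_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """What a receiving stack verifies: stored field equals the recomputed sum."""
    (stored,) = struct.unpack("!H", segment[16:18])
    return stored == tcp_checksum(src_ip, dst_ip, segment)


def build_segment(sport, dport, seq, ack, flags, payload, src_ip, dst_ip) -> bytes:
    """Minimal 20-byte TCP header (data offset 5, no options) followed by payload."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return set_checksum(src_ip, dst_ip, header + payload)


def mac_tag(key: bytes, segment: bytes) -> bytes:
    """Keyed tag as a per-session cryptographic layer would attach (HMAC-SHA256 here)."""
    return hmac.new(key, segment, hashlib.sha256).digest()


def mac_valid(key: bytes, segment: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(key, segment), tag)


def demo() -> dict:
    """Compare checksum and MAC verdicts on an original and a modified segment."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    key = b"constructed-per-session-key"                    # would come from a handshake
    payload = b"MAIL FROM:<alice@example.test>\r\n"
    seg = build_segment(40000, 25, 1000, 2000, 0x18, payload, src, dst)   # PSH|ACK
    tag = mac_tag(key, seg)

    # Same-length modification of the payload; the pseudo-header length is unchanged.
    tampered = seg.replace(b"alice", b"ellen")
    tampered_refilled = set_checksum(src, dst, tampered)

    return {
        "original_checksum_ok": checksum_valid(src, dst, seg),
        "tampered_checksum_ok": checksum_valid(src, dst, tampered),
        "tampered_after_recompute_ok": checksum_valid(src, dst, tampered_refilled),
        "original_mac_ok": mac_valid(key, seg, tag),
        "tampered_mac_ok": mac_valid(key, tampered, tag),
        "tampered_recomputed_mac_ok": mac_valid(key, tampered_refilled, tag),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

The checksum flags the modification only until the field is refilled, which is exactly what the comment above means by "re-calc the checksum"; the HMAC rejects both the modified and the refilled segment because the verifier's key never left the two endpoints. That gap is why the advice to put sessions behind IPSec, SSH or another authenticated layer is the real mitigation rather than anything at the TCP checksum level.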
    LVL 14

    Accepted Solution

    For a nice overview of some TCP attacks read
    "TCP Exploits" by Prabhaker Mateti at:
