What are possible TCP layer attacks?

Posted on 2005-04-16
Medium Priority
Last Modified: 2008-02-26
TCP uses a checksum for data and header. Then how can an adversary modify a packet and send it to its intended destination?
For IP, an adversary can change values in the IP header, rebuild the checksum field and fill it in the IP header, but what about the TCP checksum and data?
Does that mean there is no TCP data hacking/modifying attack in the world?
Which TCP layer attacks are there in the world except the SYN attack?
Question by: b123coder

Expert Comment

by:David Piniella
ID: 13800996
>> Which TCP layer attacks are there in the world except the SYN attack?

smurf, bonk, boink, ping of death, teardrop, fraggle, hijacking, DDoS.


LVL 15

Expert Comment

ID: 13811411
TCP checksums are not meant as protection against attacks,
but as a protection against bad comm lines, modems, etc.

The algorithm is simple and well documented, so
it is no problem to modify any intercepted packet, then re-calc
the checksum and send the packet to the victim.

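The checksum arithmetic this comment refers to, as an added example that is not part of the original thread: the RFC 793 TCP checksum over the pseudo-header in Python, with a keyed HMAC beside it to show what a real integrity check looks like. The addresses, ports, payloads and `KEY` are constructed sample values; `demo`, `stamp` and `checksum_valid` are hypothetical helper names.

```python
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # stands in for a key a real protocol would negotiate

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: add 16-bit words, fold carries, complement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the RFC 793 pseudo-header (src, dst, 0, proto 6, TCP length)
    followed by the segment with its own checksum field (bytes 16-17) zeroed."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return ones_complement_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])

def stamp(src_ip: str, dst_ip: str, segment: bytes) -> bytes:
    """Write a fresh checksum into the header; every sender (and every NAT) does this."""
    return segment[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment)) + segment[18:]

def checksum_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver side: the stored field must equal the recomputed value."""
    return segment[16:18] == struct.pack("!H", tcp_checksum(src_ip, dst_ip, segment))

def demo() -> dict:
    src, dst = "192.0.2.10", "198.51.100.5"  # RFC 5737 documentation addresses
    # Constructed 20-byte header: ports 40000 -> 25, seq 1000, ack 5000, PSH|ACK.
    hdr = struct.pack("!HHIIBBHHH", 40000, 25, 1000, 5000, 5 << 4, 0x18, 65535, 0, 0)
    seg = stamp(src, dst, hdr + b"MAIL FROM:<alice@example.com>\r\n")
    tag = hmac.new(KEY, seg, "sha256").digest()  # keyed MAC the endpoint would verify
    # The scenario from the thread: payload changed in transit, checksum recomputed.
    altered = stamp(src, dst, hdr + b"MAIL FROM:<mallory@example.com>\r\n")
    return {
        "original_ok": checksum_valid(src, dst, seg),
        "altered_ok": checksum_valid(src, dst, altered),  # True: the checksum is satisfied
        "hmac_ok": hmac.compare_digest(tag, hmac.new(KEY, altered, "sha256").digest()),
    }
```

Only the HMAC result distinguishes the two segments; a receiver that relies on the checksum alone accepts both.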
Assisted Solution

macker- earned 120 total points
ID: 13829121
In order to hijack a TCP connection, two things need to be accomplished:

1) You need to be able to use the correct TCP sequence number for the next packet, and then send this packet with the correct source address.
The connection is now hijacked; the client's TCP sequence number is out of sequence, so their session is no longer valid, and packets from them will be ignored. Unless you are a man-in-the-middle, or otherwise able to intercept replies, this will be a blind attack, and probably most suited to TCP replay attacks.

2) Now that you've hijacked the connection and are able to send new packets of data to the remote host using the correct sequence numbers, which will continue to increment, you need to preserve the session so that it continues. The original (victim) host will continue to receive packets from the destination, in reply to your forged packets. When it sees these, but has already invalidated the session (sequence numbers no longer matching and all), RST packets are going to be sent back and forth, and possibly ICMP Port Unreachable messages as well. You'll need to suppress any network output from the originating host to prevent the original (victim) host from sending these packets, which could cause the hijacked session to terminate.

TCP replay attacks are the second type of attack that seems to meet your qualifications. In short, if you've already captured a session in the past, you can resend the packets to the destination host. Again, this is a blind attack (unless playing man-in-the-middle), and would be for purposes such as activating an authentication mechanism. E.g. if a remote host allows SMTP traffic after you've authenticated via POP, a TCP replay attack could be used to resend the packets to authenticate the POP session, thus opening up the SMTP service. This is a hypothetical example, and ignores the fact that extracting the POP password from the already-known traffic would be easier.

In both cases, network connections should be secured from monitoring and man-in-the-middle attacks. SSH tunneling, IPsec and other VPN-type links can be used with great benefit. Services should have protocol-layer mechanisms to establish per-session cryptography, tokens, timestamps, etc. to prevent replay attacks and to prevent hijacking.

Other attacks typically involve sending unexpected data to a remote host for the purposes of buffer overflows and various DoS purposes. This can be in the form of oversized packets, unexpected contents, manipulation of packet flags, etc. This is usually at the protocol level, but can sometimes be a low-level packet issue that exploits issues in the TCP stack. E.g. the "ssping" or "jolt" attack was an oversized ICMP Echo (Ping) packet.
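A defender-side illustration of the symptoms this answer describes, added here and not part of the original post: a passive per-flow monitor (hypothetical `monitor` function over constructed `Pkt` records) that flags a data segment re-using a sequence number with different content, which is what the victim's now out-of-sequence segments look like beside the injected ones, and a burst of RSTs in both directions as the session tears down. All packet records are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    ts: float        # seconds
    src: str
    dst: str
    flags: str       # any of "S", "A", "P", "R", "F"
    seq: int
    payload: bytes

def monitor(packets, rst_burst=3, window=2.0):
    """Return alerts for (1) a segment re-using a (src, dst, seq) already seen but
    with different data on the overlapping bytes, and (2) `rst_burst` RSTs in both
    directions within `window` seconds."""
    seen = {}                  # (src, dst, seq) -> payload first observed there
    rsts = defaultdict(list)   # flow -> [(ts, sender)] of RST segments
    alerts = []
    for p in packets:
        flow = tuple(sorted((p.src, p.dst)))
        if "R" in p.flags:
            rsts[flow].append((p.ts, p.src))
            recent = [who for t, who in rsts[flow] if p.ts - t <= window]
            if len(recent) == rst_burst and len(set(recent)) == 2:
                alerts.append(f"{p.ts:.1f} {flow[0]}<->{flow[1]}: {rst_burst} RSTs "
                              f"in both directions within {window}s (session being torn down)")
            continue
        if not p.payload:
            continue
        key = (p.src, p.dst, p.seq)
        old = seen.setdefault(key, p.payload)
        n = min(len(old), len(p.payload))
        # A genuine retransmission (even after repacketisation) repeats the same bytes;
        # different bytes at the same sequence number mean two senders claim that range.
        if old[:n] != p.payload[:n]:
            alerts.append(f"{p.ts:.1f} {p.src}->{p.dst} seq {p.seq}: retransmission "
                          f"carries different data ({old[:n]!r} vs {p.payload[:n]!r})")
    return alerts

# Constructed sample: a POP3 session where seq 1012 is claimed twice with other data.
SAMPLE = [
    Pkt(0.0, "10.0.0.5", "10.0.0.9", "PA", 1000, b"USER alice\r\n"),
    Pkt(0.2, "10.0.0.9", "10.0.0.5", "A", 5000, b""),
    Pkt(0.5, "10.0.0.5", "10.0.0.9", "PA", 1012, b"RETR 1\r\n"),
    Pkt(0.9, "10.0.0.5", "10.0.0.9", "PA", 1012, b"DELE 1\r\n"),
    Pkt(1.0, "10.0.0.9", "10.0.0.5", "RA", 5001, b""),
    Pkt(1.1, "10.0.0.5", "10.0.0.9", "R", 1020, b""),
    Pkt(1.2, "10.0.0.9", "10.0.0.5", "R", 5001, b""),
]
```

Running `monitor(SAMPLE)` yields one "different data" alert at 0.9 s and one RST-burst alert at 1.2 s; the first three packets alone produce none.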
LVL 15

Accepted Solution

DonConsolio earned 120 total points
ID: 13830055
For a nice overview of some TCP attacks read
"TCP Exploits" by Prabhaker Mateti at:
