Chapter 6.2. IP Spoofing and TCP Session Stealing

INTRODUCTION

In this exercise, we are going to discuss vulnerabilities in the Internet Protocol (IP) and the Transmission Control Protocol (TCP). Specifically, we are going to examine traces of IP Spoofing and TCP Session Stealing.

IP Spoofing refers to sending a packet with a forged source IP address. For example, a machine with IP address 192.168.0.1 could send a packet with source IP address 192.168.0.210. This is typically done through what is called the raw IP interface. IP packets that are formed by the operating system will be marked with the proper source IP address. However, application programs can use the raw IP interface to form and send any IP packet they want.

Using IP spoofing, attackers can send segments into an ongoing TCP stream by forming an IP packet with matching source and destination IP addresses as well as matching source and destination port numbers. Recall from our Follow TCP stream exercises that these four numbers define a TCP connection. If an attacker sets these values correctly, then a receiver would accept the forged packet as belonging to the ongoing TCP stream.

A receiver will respond to a forged packet as if it belongs to the ongoing TCP stream. However, to actually steal the session, the attacker must also set the sequence number properly. If the attacker sends a packet with a sequence number that is too low, then the receiver will simply send an acknowledgment saying that it had already received this packet. If it sends a packet ...
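The following Python check is an added example, not code from the book: it walks a list of packet records and flags segments that reuse an existing connection's four numbers but arrive from a different link-layer address, and segments whose sequence number the stream has already covered. The record layout, the MAC addresses and the host 192.168.0.5 are constructed for illustration; the check assumes the capture was taken on the same LAN segment as the sender and ignores sequence number wraparound.

```python
from collections import namedtuple

# One record per captured TCP segment (fields as they could be exported from a trace).
Pkt = namedtuple("Pkt", "mac src sport dst dport seq length")

# Constructed sample trace: a session between 192.168.0.210 and 192.168.0.5.
TRACE = [
    Pkt("aa:aa:aa:aa:aa:01", "192.168.0.210", 40000, "192.168.0.5", 23, 1000, 10),
    Pkt("aa:aa:aa:aa:aa:05", "192.168.0.5", 23, "192.168.0.210", 40000, 5000, 20),
    Pkt("aa:aa:aa:aa:aa:01", "192.168.0.210", 40000, "192.168.0.5", 23, 1010, 5),
    # Same four numbers and a plausible sequence number, different sending MAC.
    Pkt("aa:aa:aa:aa:aa:99", "192.168.0.210", 40000, "192.168.0.5", 23, 1015, 8),
    # The original host continues from where it left off and now looks like a duplicate.
    Pkt("aa:aa:aa:aa:aa:01", "192.168.0.210", 40000, "192.168.0.5", 23, 1015, 3),
]

def find_suspect_segments(trace):
    """Return (index, reason) pairs for segments that match a known flow but look forged."""
    first_mac = {}  # (src, sport, dst, dport) -> MAC first seen sending on that flow
    next_seq = {}   # same key -> next sequence number expected from that sender
    findings = []
    for i, p in enumerate(trace):
        flow = (p.src, p.sport, p.dst, p.dport)
        if flow not in first_mac:
            # First segment in this direction: record the baseline.
            first_mac[flow] = p.mac
            next_seq[flow] = p.seq + p.length
            continue
        if p.mac != first_mac[flow]:
            findings.append((i, "source MAC changed"))
        if p.seq < next_seq[flow]:
            findings.append((i, "sequence number already covered"))
        next_seq[flow] = max(next_seq[flow], p.seq + p.length)
    return findings

if __name__ == "__main__":
    for index, reason in find_suspect_segments(TRACE):
        print(index, TRACE[index].src, TRACE[index].seq, reason)
```

A "sequence number already covered" finding on its own is also what an ordinary retransmission looks like, so it is most meaningful when it follows a MAC change on the same flow.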
