Sequence Number Attacks
By Rik Farrow
Kevin Mitnick's alleged attack on Tsutomu Shimomura's computers used a vulnerability in TCP/IP and mistaken trust.
Questions regarding this article should be directed to the author at firstname.lastname@example.org .
December 25, 1994 found Tsutomu Shimomura, a computational physicist for the San Diego Supercomputer Center, on his way to the Sierra Nevadas to go skiing. He had left his personal network of computers running at his beach cottage in Del Mar, just north of San Diego. Perhaps it is fortunate for us he did so.
Just after two o'clock in the afternoon, Shimomura's home systems were probed, then successfully attacked using something new in Internet attacks,

Shimomura also works as a security expert, which made his systems both desirable targets for attack and allows us to understand in detail what happened. Because, unlike most networks, Shimomura
Sequence number guessing is not really new. Steve Bellovin, a researcher at AT&T Bell Labs and co-author, with Bill Cheswick, of Firewalls and Internet Security (Addison-Wesley, 1994, ISBN 0-201-63357-4), described an attack scenario in detail in his 1989 paper ``Security Problems in the TCP/IP Protocol Suite''. But the Christmas Day attack is the first known use of the technique.
To better understand what happened, it helps to understand a little about how TCP (Transmission Control Protocol) works. TCP is used for establishing

those used for remote terminal connections (established with
TCP provides a reliable connection. That is, unlike most other parts of the Internet Protocol suite (such as ICMP, the Internet Control Message Protocol, or UDP, the User Datagram Protocol), TCP establishes a connection between the local and remote sites. Once the connection has been established, each group of bytes of data is acknowledged by sending back the sequence number of the next byte the receiver expects. If the sending site does not receive an acknowledgement quickly enough, it resends the data. If it has resent the same data several times without success, it reports an error to the application saying that the connection has been broken.
The sequence number is used to acknowledge receipt of data. At the beginning of a TCP connection, the client sends a TCP packet with an initial sequence number, but no acknowledgement (there can't be one yet). If there is a server application listening at the other end, the server sends back a TCP packet with its own initial sequence number and an acknowledgement: the initial sequence number from the client's packet plus one. When the client receives this packet, it must send back its own acknowledgement: the server's initial sequence number plus one. Thus, it takes three packets to establish a TCP connection (see Part A of Figure 1, which shows the time-line diagram). Notice that the client can only finish the handshake if it has seen the server's initial sequence number. An attacker who forges another machine's address never sees the server's reply, so it must guess that number; if the guess is wrong, the connection is never established.
There's more to TCP, of course. You won't learn all about TCP in this short article (try Doug Comer's Internetworking with TCP/IP, Volume 1: Principles, Protocols, and Architecture, Second Edition (Prentice Hall, 1991, ISBN 0-13-468505-9) or W. Richard Stevens's TCP/IP Illustrated, Volume 1 (Addison-Wesley, 1993, ISBN 0-201-63346-9)). For now, it's important to understand that TCP packets include flag bits that get set to indicate conditions. When you read Shimomura's account of the attack, he makes reference to several flags.
The SYN flag (shown as a capital ``S'' in
The PUSH (shown as a capital ``P'') flag means that the data in this packet should be pushed to the application, rather than queued until more data arrives. The RESET (``R'') flag tells TCP to break (reset) the connection, and is sent, for example, when a client attempts to connect to a server application that is not running. In the attack, RESETs are used to close the half-open connections used to keep the server busy.
The FIN bit (``F'') is used to close a connection. Each end of the connection sends a packet with the FIN flag, which must be acknowledged, so four packets are used to close a TCP connection. Of course in the attack you won't see two FIN packets, because the attacker never sees the responses from the target system, the X terminal.
With this background, you are ready to read Shimomura's own description, if you haven't already. Essentially, the attack begins when several probes were

The probes, using

In the next phase of the attack, thirty TCP SYN packets are sent to the

Next, a system at Loyola University of Chicago

The stage is now set for abusing the trust between the X terminal and the server. The attacker generates packets that appear to come from the server to open a TCP connection with the

Because the X terminal trusts the server, the attacker, masquerading as root, sends the command
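The following simulation is an added example, written for this article rather than taken from it or from Shimomura's account. It models the three-way handshake described earlier, the SYN, ACK, PUSH and RESET flags, and the phases of the attack just outlined: filling the trusted server's queue with half-open connections, learning the X terminal's initial sequence number from a real connection, opening a spoofed connection with a blind acknowledgement, pushing one command over it, and finally clearing the half-open connections with RESETs. Everything specific is an assumption made for the example: the host names and ports (server:513, x-terminal:514, attacker:1023), a queue of eight half-open connections, an initial sequence number that grows by 64,000 per connection, the simplification that a host with a full queue answers nothing at all, and the placeholder command payload. Shimomura's post gives the real values; none are reproduced here.

```python
import random
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF   # sequence numbers are 32-bit

@dataclass
class Segment:
    """One TCP segment, reduced to the fields the attack depends on."""
    src: str        # "host:port"
    dst: str
    seq: int
    ack: int
    flags: str      # letters as in the article: S, A (acknowledgement), P, R, F
    data: bytes = b""

class Endpoint:
    """Toy listener: a connection is established only when the third handshake packet acknowledges exactly our ISN + 1."""

    def __init__(self, addr, backlog=8, trusted=(), rng=None):
        self.addr = addr
        self.backlog = backlog        # half-open connections the queue can hold (assumed 8)
        self.trusted = set(trusted)   # peers allowed to run commands (rhosts-style trust)
        self.rng = rng                # None: predictable ISN; an RNG: random ISN
        self.last_isn = 0x1000_0000   # constructed starting ISN
        self.half_open = {}           # peer -> our ISN for that pending connection
        self.established = set()
        self.commands = []            # data accepted from trusted, established peers

    def next_isn(self):
        # Assumption: the ISN grows by a fixed 64,000 per connection, so one observed ISN predicts the next.
        if self.rng is None:
            self.last_isn = (self.last_isn + 64_000) & MASK32
        else:
            self.last_isn = self.rng.getrandbits(32)   # the fix: nothing to extrapolate from
        return self.last_isn

    def receive(self, seg):
        """Process one segment; return the reply Segment, or None if silent."""
        if "R" in seg.flags:                      # RESET tears the connection down
            self.half_open.pop(seg.src, None)
            self.established.discard(seg.src)
            return None
        if len(self.half_open) >= self.backlog:
            # Simplification: a listener whose queue is full of half-open connections
            # answers nothing, not even the RESET that would kill a spoofed connection.
            return None
        if "S" in seg.flags and "A" not in seg.flags:          # packet 1: SYN
            isn = self.next_isn()
            self.half_open[seg.src] = isn
            return Segment(self.addr, seg.src, isn, (seg.seq + 1) & MASK32, "SA")
        if "A" in seg.flags and seg.src in self.half_open:      # packet 3: ACK
            if seg.ack == (self.half_open[seg.src] + 1) & MASK32:
                del self.half_open[seg.src]
                self.established.add(seg.src)
                return None
            return Segment(self.addr, seg.src, seg.ack, 0, "R")   # wrong guess: RESET
        if "P" in seg.flags and seg.src in self.established:     # data pushed to us
            if seg.src in self.trusted:
                self.commands.append(seg.data)
            return Segment(self.addr, seg.src, 0, (seg.seq + len(seg.data)) & MASK32, "A")
        return Segment(self.addr, seg.src, seg.ack, 0, "R")      # unexpected: RESET

def handshake(client, client_isn, server):
    """Ordinary three-way handshake (Part A of Figure 1); returns the SYN-ACK."""
    synack = server.receive(Segment(client, server.addr, client_isn, 0, "S"))
    server.receive(Segment(client, server.addr, client_isn + 1, (synack.seq + 1) & MASK32, "A"))
    return synack

def run_attack(flood=True, random_isn=False):
    """Replay the attack; report what the X terminal ended up accepting."""
    rng = random.Random(7) if random_isn else None   # seeded only for reproducibility
    server = Endpoint("server:513", backlog=8)
    xterm = Endpoint("x-terminal:514", trusted={"server:513"}, rng=rng)
    S, X, A = server.addr, xterm.addr, "attacker:1023"
    if flood:   # thirty SYNs from an address that never answers fill the server's queue
        for i in range(30):
            server.receive(Segment(f"silent:{1000 + i}", S, 100, 0, "S"))
    # Learn the X terminal's current ISN with a real connection, then reset it.
    observed = handshake(A, 7000, xterm).seq
    xterm.receive(Segment(A, X, 7001, 0, "R"))
    predicted = (observed + 64_000) & MASK32     # the attacker's guess at the next ISN
    # Spoofed SYN "from" the trusted server. Its SYN-ACK goes to the real server,
    # which stays silent if flooded and otherwise answers with a RESET.
    synack = xterm.receive(Segment(S, X, 5000, 0, "S"))
    server_reply = server.receive(synack)
    if server_reply is not None:
        xterm.receive(server_reply)
    # Blind ACK: the attacker never sees the SYN-ACK, so it acknowledges its guess.
    reply = xterm.receive(Segment(S, X, 5001, (predicted + 1) & MASK32, "A"))
    accepted = reply is None and S in xterm.established
    if accepted:   # one-way connection: push a command (placeholder payload)
        xterm.receive(Segment(S, X, 5001, 0, "PA", b"<command run as root>"))
    for i in range(30):   # tidy up: RESETs close the half-open connections on the server
        server.receive(Segment(f"silent:{1000 + i}", S, 101, 0, "R"))
    return {"accepted": accepted, "commands": list(xterm.commands),
            "server_half_open": len(server.half_open)}
```

Running `run_attack()` returns an accepted connection and the pushed command; `run_attack(flood=False)` fails because the real server's RESET reaches the X terminal before the blind acknowledgement, and `run_attack(random_isn=True)` fails because the predicted number no longer matches. The last case is the fix Bellovin's paper points toward: the attack works only as long as the target's initial sequence numbers can be extrapolated from one observation.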
There was more to the attack, but I'd like to save taking over TCP connections for another day. There is also a CERT advisory about this attack, which you can read.