Spoofing TCP Connections

TCP builds a connection-oriented, reliable byte stream on top of IP that can send connectionless, unreliable datagrams. It is possible for an attacker’s machine to spoof by sending IP datagrams that have an IP source address belonging to another machine. Such spoofing provides a mechanism for an attack on the security of any machine using IP to receive commands.

The attacker’s machine can send IP datagrams with a forged source address to other machines while the machine legitimately possessing that IP address is active. It can do so with no intention of getting replies to those datagrams. The other machines will accept these datagrams as coming from the legitimate holder of the IP source address of these forged datagrams. They will carry out actions not actually requested by the user of the legitimate machine.

Typically, IP-based application protocols have some notion of a session with some information exchanged at startup, which is used to identify the two parties to each another during the active part of the session. 

One effect of the information exchange is that a third party cannot pose as one of the initial two parties. If a sniffer is being used by the attacker, it becomes easy for the attacker to pose as either party. For example, in the NFS protocol, a client will first exchange information with the server’s mount daemon. After this exchange, the client will be able to open and read or write files on the server by making requests of the NFS daemon. An attacker can wait for the client to mount a file system and open a file. If the attacker sends out an appropriately formatted UDP datagram, the server will process an NFS request and send the results back to the client. Regardless of the client’s reaction to the unexpected reply, if the request was a write request, the attacker will have succeeded in writing some information to the server’s disk. If the request was a read request and the attacker has a sniffer between the client and server, the attacker will succeed in finding out some of the contents of the disk via the sniffer.

Through the use of datagrams with forged IP addresses, an attacker can get datagrams holding requests accepted as valid but cannot get replies to those requests without a sniffer. In the NFS scenario described earlier, you were using UDP and assumed the attacker had a sniffer to obtain the credentials that allowed acceptance of the request as valid. You might assume that if you use a connection-oriented protocol, such as TCP, you might be more secure. If you can rule out an attacker having a sniffer between the client and the server, the attacker would be unable to obtain the needed credentials. Unfortunately, these assumptions are valid.