How to guess the sequence number of TCP packets in a wireless network

Protocols carry enough information about the conversation and the data being carried to correct themselves when an error occurs, at least by re-transmission.

Attackers can use this redundant information to exploit the data carried in a conversation.

The window can be guessed in a wireless network because:

  • TCP sends a duplicate of the last ACK back to the sender when it receives a segment whose sequence number falls outside the current receive window.
  • In a wireless network, only one device can transmit at a time while the others listen and back off.

The attack works as follows:

  1. The attacker sends a packet to the victim as a probe, which must be answered.
  2. Before the victim can answer, the attacker sends a TCP segment with a sequence number that the attacker thinks might be within the victim's receive window.
  3. The attacker sends another probe, which must also be answered.
  • If the sequence number (in step 2) is outside the current window, the victim will attempt to send a copy of its previous ACK.
    • If the attacker times things correctly, the victim will attempt to send the duplicate ACK while the attacker is sending the second probe (in step 3). The two packets collide, causing the victim to back off.
      1. If the answer to the second probe arrives later than the answer to the first one, the attacker can infer that the sequence number in step 2 is outside the current window.
      2. If the two probes are answered at close to the same time, the attacker can infer that the sequence number is within the current window.
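To see why the two probe timings reveal window membership, and how much a randomized delay on the duplicate ACK would blunt that signal, here is an added timing model; it is not code from the cited research, and the timing constants, the window size and the jitter mitigation are all assumptions made for illustration:

```python
import random

# Constructed timing model of the half-duplex channel described above. The constants are
# illustrative assumptions, not measurements from the cited research.
PROBE_RTT_MS = 10.0   # how fast the victim answers a probe when the air is free
BACKOFF_MS = 8.0      # extra delay when the victim's duplicate ACK collides with probe 2
PROBE_GAP_MS = 2.0    # probe 2 goes out this long after the spoofed segment
WINDOW = 65535        # assumed size of the victim's receive window

def in_window(seq, rcv_nxt, wnd=WINDOW):
    """True when seq lies in [rcv_nxt, rcv_nxt + wnd), with 32-bit wraparound."""
    return (seq - rcv_nxt) % 2**32 < wnd

def observe(seq, rcv_nxt, ack_jitter_ms=0.0, rng=random):
    """Return (rtt1, rtt2): the answer times of the two probes as the sender sees them.
    An out-of-window segment makes the victim emit a duplicate ACK; if that ACK is on
    the air while probe 2 arrives, the two collide and the victim backs off.
    ack_jitter_ms is a hypothetical mitigation: delay the duplicate ACK by a random
    amount so that it no longer lines up with the probe."""
    rtt1 = rtt2 = PROBE_RTT_MS
    if not in_window(seq, rcv_nxt):
        delay = rng.uniform(0.0, ack_jitter_ms) if ack_jitter_ms > 0 else 0.0
        if delay <= PROBE_GAP_MS:  # duplicate ACK and probe 2 meet on the air
            rtt2 += BACKOFF_MS
    return rtt1, rtt2

def infer_in_window(rtt1, rtt2, threshold_ms=BACKOFF_MS / 2):
    """The rule from the text: a noticeably slower second answer means out of window."""
    return (rtt2 - rtt1) < threshold_ms

def inference_accuracy(trials=1000, ack_jitter_ms=0.0, seed=1):
    """Fraction of trials in which the timing rule recovers window membership correctly.
    Without jitter the side channel is exact; with jitter well above PROBE_GAP_MS the
    out-of-window case looks like the in-window case most of the time."""
    rng = random.Random(seed)
    correct = 0
    for _ in range(trials):
        rcv_nxt = rng.randrange(2**32)
        if rng.random() < 0.5:  # half the guesses land inside the window (constructed)
            seq = (rcv_nxt + rng.randrange(WINDOW)) % 2**32
        else:                   # the other half land well outside it
            seq = (rcv_nxt + WINDOW + rng.randrange(2**31)) % 2**32
        rtt1, rtt2 = observe(seq, rcv_nxt, ack_jitter_ms, rng)
        correct += infer_in_window(rtt1, rtt2) == in_window(seq, rcv_nxt)
    return correct / trials

if __name__ == "__main__":
    print("no mitigation:", inference_accuracy())
    print("50 ms dup-ACK jitter:", inference_accuracy(ack_jitter_ms=50.0))
```

With no jitter the rule classifies every guess correctly; once the duplicate ACK is delayed by a random amount much larger than the gap between the two probes, accuracy falls to roughly coin-flip, which is the property a mitigation on the victim's wireless stack would need to provide.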

1: Research: Off-Path TCP Attacks, Zotero