TCP Sequence Prediction Attack

The TCP sequence prediction attack, also known as the Christmas Day attack, makes use of guessed TCP sequence numbers. Although the associated vulnerability was pointed out by Bellovin in 1989, it became prominent only in 1994, when it was used by Kevin Mitnick against Tsutomu Shimomura on Christmas Day of 1994. Luckily, this attack was captured (not prevented) by Shimomura's firewall and is available for us to study. Modern systems are generally not directly vulnerable to this attack, but it remains fascinating to learn about.

To carry out a TCP sequence prediction attack, an intruder must correctly guess the TCP sequence numbers being used between the sender and receiver. To prepare for this attack, the intruder must listen to the conversation beforehand. Because of how the TCP handshake works, it is quite possible to counterfeit TCP sequence numbers. If successful, the attacker is able to pose as the sender and establish communication with the victim. During Mitnick's Christmas Day attack, Shimomura's web server was the sender and his X-terminal was the receiver. To prevent the original sender from sending further packets, Mitnick used SYN-flood attacks against the legitimate sender.

To prevent TCP sequence prediction attacks, random TCP sequence numbers can be used. Researchers suggest using a block of random numbers for the TCP sequence number at each port, which helps prevent duplicate sequence numbers. Firewalls can also be configured to reject packets arriving from external sources that carry an internal IP address, although this only helps against attacks from outside the network. Timing differences can also help distinguish the legitimate sending host from a malicious one. An email from Shimomura explains the attack in detail and can be read at http://www.eecis.udel.edu/~bmiller/cis459/2007s/readings/mitnick.html
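As an added illustration (not code from the original article), the following Python simulation contrasts a predictable initial sequence number (ISN) generator of the kind Bellovin criticised with a keyed generator structured like RFC 6528 (ISN = clock + keyed hash of the connection 4-tuple), and shows that an observer who learns one ISN can predict the next connection's ISN only for the predictable generator. The addresses, ports, increments and secret are constructed for the demonstration.

```python
import hashlib
import hmac
import os

MOD = 1 << 32  # TCP sequence numbers are 32-bit


class PredictableISN:
    """Constructed model of an old BSD-style generator: the ISN advances
    by 128 every second and by 64 for every new connection, so one observed
    value reveals the next one."""

    def __init__(self, seed=0):
        self.counter = seed % MOD

    def next_isn(self, four_tuple, now_s):
        self.counter = (self.counter + 64) % MOD       # per-connection increment
        return (self.counter + 128 * now_s) % MOD      # per-second increment


class KeyedISN:
    """RFC 6528-style generator: ISN = (M + F(4-tuple, secret)) mod 2^32,
    where M is a 4-microsecond tick clock and F is a keyed hash. A value
    observed on one 4-tuple says nothing about another 4-tuple's offset."""

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(16)       # per-boot secret

    def next_isn(self, four_tuple, now_s):
        m = int(now_s * 250_000) % MOD               # 4 us ticks since boot
        msg = "|".join(map(str, four_tuple)).encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        f = int.from_bytes(digest[:4], "big")
        return (m + f) % MOD


def prediction_succeeds(gen, now_s):
    """Observer opens one probe connection, learns its ISN, then guesses the
    ISN the server will hand to the next (different) connection by assuming
    the classic +64 per-connection step. Returns True if the guess is right."""
    probe = ("10.0.0.1", 5000, "203.0.113.9", 40000)   # observer's own connection
    target = ("10.0.0.1", 513, "10.0.0.2", 1023)        # trusted rlogin session
    seen = gen.next_isn(probe, now_s)
    guess = (seen + 64) % MOD
    actual = gen.next_isn(target, now_s)
    return guess == actual
```

Running `prediction_succeeds` against both generators at the same clock value reproduces the difference: the predictable generator is guessed on the first try, the keyed one is not.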