2
votes

I noticed some legit connection is like this:

6221 29.880628 5.4.3.2   1.2.3.4 TCP 61235 > cbt [SYN] Seq=0 Win=8192 Len=0 MSS=1452 SACK_PERM=1
6222 29.880646 1.2.3.4  5.4.3.2 TCP cbt > 61235 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 SACK_PERM=1
6240 29.984383 5.4.3.2  1.2.3.4 TCP 61235 > cbt [ACK] Seq=1 Ack=1 Win=65340 Len=0
6241 29.989707 5.4.3.2  1.2.3.4 TCP 61235 > cbt [PSH, ACK] Seq=1 Ack=1 Win=65340 Len=267

So, at least in my case, if legit is always like this:

Client (Syn,Seq=0)
Server (Syn/Ack, Seq=0, Ack1)
Client (Ack, Seq=1, Ack1)

It seemed weak to me in regard to being possible to spoof and able to raise the socket up to the application (of course the spoofed IP must be down in order to avoid the RST).

So I tested sending a SYN with a spoofed IP and then sending the ACK.

The SYN arrives, but the ACK gets ignored for some time.

After the spoofed SYN, the server sends 3 SYN/ACKs (with no reply, of course). After some seconds, if I re-send the ACK, it is received but with some error.

Is it possible to handshake with a spoofed IP in this scenario? It seems to be, but I'm doing something wrong.

1
@Jim Lewis: / @RobertPitt The <pre> tag should be used here rather than markdown's formatting, because we do not want syntax coloring on the log output. -- Billy ONeal

1 Answer

2
votes

No, it is not possible.

The problem is when the server sends back the SYN-ACK -- because it sends it back to the spoofed IP, which would not match the actual originator of the message.

Specifically, what you describe (faking the ACK) is a TCP sequence prediction attack which is well known and is countered in pretty much every OS nowadays.
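As an added illustration (not part of the answer above), here is a small Python model of the server's SYN-RECEIVED state showing why the blind ACK is rejected: Wireshark prints relative sequence numbers, so the "Ack=1" in the capture is really server_isn + 1 with a randomly chosen 32-bit ISN that is only ever sent to the spoofed address. The Listener class, the demo() function and the address 203.0.113.9 are constructed for this example.

```python
import secrets

SEQ_MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit, arithmetic mod 2**32


class Listener:
    """Server side of the three-way handshake (LISTEN -> SYN-RECEIVED ->
    ESTABLISHED). Simplified model: no windows, options or timers."""

    def __init__(self, isn_source=None):
        # Real stacks pick an unpredictable ISN; a test may inject a fixed one.
        self._isn_source = isn_source or (lambda: secrets.randbits(32))
        self.pending = {}        # (src_ip, src_port) -> (client_isn, server_isn)
        self.established = set()

    def on_syn(self, src_ip, src_port, client_isn):
        """SYN received: record state and return the SYN-ACK's (seq, ack).
        The SYN-ACK is sent to src_ip, so a spoofer never learns server_isn."""
        server_isn = self._isn_source()
        self.pending[(src_ip, src_port)] = (client_isn, server_isn)
        return server_isn, (client_isn + 1) & SEQ_MASK

    def on_ack(self, src_ip, src_port, seq, ack):
        """Third packet: accepted only if it acknowledges server_isn + 1 and
        continues the client's own sequence; otherwise a real stack replies RST."""
        key = (src_ip, src_port)
        if key not in self.pending:
            return "no-pending"
        client_isn, server_isn = self.pending[key]
        if ack != (server_isn + 1) & SEQ_MASK or seq != (client_isn + 1) & SEQ_MASK:
            return "rst"
        del self.pending[key]
        self.established.add(key)
        return "established"


def demo(server_isn=None):
    """Legitimate client versus a blind spoofer. Wireshark shows relative
    numbers (Seq=0, Ack=1); the absolute ACK the server wants is server_isn+1."""
    src = (lambda: server_isn) if server_isn is not None else None
    lst = Listener(src)
    # Legitimate client at 5.4.3.2 (address from the capture) sees the SYN-ACK.
    seq, _ = lst.on_syn("5.4.3.2", 61235, client_isn=1000)
    legit = lst.on_ack("5.4.3.2", 61235, seq=1001, ack=(seq + 1) & SEQ_MASK)
    # Spoofer claims a silent host (constructed 203.0.113.9); the SYN-ACK goes
    # there, so it can only replay the relative "Ack=1" seen in the capture.
    lst.on_syn("203.0.113.9", 40000, client_isn=0)
    blind = lst.on_ack("203.0.113.9", 40000, seq=1, ack=1)
    return legit, blind
```

With a random ISN the blind ACK matches only when the server happened to pick ISN 0, i.e. with probability 2**-32, which is the whole point of ISN randomisation.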