TMS zl Management and Configuration Guide ST.1.2.100916
4-109
Firewall
Attack Checking
The two devices participating in a TCP connection exchange initial sequence
numbers (ISNs) in the first two steps of the three-way handshake. An attacker
can mount a sequence-number-prediction attack in two ways:
■ Guessing the ISN that the target will choose and completing the handshake
from a spoofed source IP address. The attacker never sees the target's
reply (it goes to the spoofed address), so a correct guess is what lets the
attacker establish a session with the targeted network device.
■ Hijacking an established TCP session by predicting the sequence number of
the next expected packet and injecting a packet that carries that number.
If the attacker's packet reaches the server before the legitimate client's,
the attacker has successfully hijacked the session.
Figure 4-71. Session Hijacked with Sequence Number Prediction
If an attacker successfully guesses an ISN, the attacker may be able to
establish spoofed sessions with, or hijack sessions to, devices on your
network. Therefore it is important that ISNs be generated randomly, which
makes them significantly harder to guess. When the sequence-number-
prediction attack check is enabled, the TMS zl Module generates pseudo-
random ISNs.
Note This attack is sometimes called a TCP sequence-prediction attack, but we will
refer to it only as a sequence number prediction attack.
Protection against the sequence number prediction attack applies only to
traffic that originates from the External zone.
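The following Python script is an added example and is not code from the TMS zl Module or from this guide. It contrasts a predictable ISN generator (a counter that advances by a fixed amount per connection, a simplified form of what early TCP stacks did) with a generator built the way RFC 6528 recommends, ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret), and then runs the prediction step of the first attack described above: the attacker opens two connections of his own, reads the ISNs from the SYN-ACKs, extrapolates, and predicts the ISN the server will assign to a SYN spoofed from a victim's address. The keyed hash (HMAC-SHA256 rather than the MD5 the RFC suggests), the class and function names, and all IP addresses and ports are assumptions made for the example.

```python
"""Added example, not code from the TMS zl Module or its documentation."""
import hashlib
import hmac
import os
import socket
import struct
import time

MASK32 = 0xFFFFFFFF


class PredictableIsn:
    """Weak generator: every new connection gets the previous ISN plus a
    constant step. The connection's 4-tuple is ignored, which is the flaw."""

    def __init__(self, start=0x12345678, step=64000):
        self.last = start
        self.step = step

    def isn(self, four_tuple):
        self.last = (self.last + self.step) & MASK32
        return self.last


class Rfc6528Isn:
    """ISN = M + F(4-tuple, secret), reduced to 32 bits.

    M is a clock in 4-microsecond ticks (RFC 793 / RFC 6528); F is a keyed
    hash (HMAC-SHA256 here; RFC 6528 suggests MD5, any keyed PRF works).
    Each 4-tuple gets an unrelated offset, so ISNs the attacker observes on
    his own connections reveal nothing about a spoofed connection's ISN.
    """

    def __init__(self, secret=None, clock=None):
        self.secret = secret if secret is not None else os.urandom(32)
        # The clock is injectable so the example is deterministic under test.
        self.clock = clock or (lambda: (time.monotonic_ns() // 4000) & MASK32)

    def isn(self, four_tuple):
        lip, lport, rip, rport = four_tuple
        msg = struct.pack("!4sH4sH", socket.inet_aton(lip), lport,
                          socket.inet_aton(rip), rport)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        f = int.from_bytes(digest[:4], "big")
        return (self.clock() + f) & MASK32


def run_prediction_attack(generator, server=("192.0.2.10", 22),
                          attacker_ip="203.0.113.9", victim_ip="198.51.100.7"):
    """The attacker's side of the attack. Returns (predicted_isn, actual_isn).

    The attacker sees the ISNs in the SYN-ACKs to his own two probes,
    extrapolates the step between them and predicts the next one. He never
    sees the SYN-ACK sent to victim_ip, so the guess has to be right.
    Addresses are constructed for the example (documentation ranges)."""
    sip, sport = server
    probe1 = (sip, sport, attacker_ip, 40001)   # 4-tuple as the server sees it
    probe2 = (sip, sport, attacker_ip, 40002)
    spoofed = (sip, sport, victim_ip, 40003)

    a = generator.isn(probe1)
    b = generator.isn(probe2)
    step = (b - a) & MASK32
    predicted = (b + step) & MASK32
    actual = generator.isn(spoofed)             # server's ISN for the spoofed SYN
    return predicted, actual


if __name__ == "__main__":
    for name, gen in (("counter", PredictableIsn()), ("rfc6528", Rfc6528Isn())):
        p, a = run_prediction_attack(gen)
        verdict = "HIJACKABLE" if p == a else "safe"
        print(f"{name:8s} predicted={p:#010x} actual={a:#010x} {verdict}")
```

Against the counter generator the prediction is exact every time; against the keyed generator the attacker's two observations are offsets for his own 4-tuples and say nothing about the victim's, so the guess succeeds with probability about 2^-32 per attempt. The clock term M is still needed: it keeps ISNs for a reused 4-tuple moving forward so that delayed segments from an old incarnation of the connection are not accepted by the new one.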
Sequence Number Out of Range
TCP headers include a 16-bit window field. The value a receiver advertises
in it is the number of bytes beyond the last acknowledged byte that it is
prepared to accept, that is, the maximum amount of unacknowledged data that
may be outstanding in the session. (When the window scale option is
negotiated, the advertised value is shifted left by the agreed scale factor,
so the effective window can exceed 65,535 bytes.)
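The following Python script is an added example and is not code from the TMS zl Module or from this guide. It implements the acceptability test that a stateful device can apply to a segment once it knows the next sequence number it expects from a peer and the window that peer was last granted: a segment is in range if any of its bytes fall inside [rcv_nxt, rcv_nxt + window), and out of range otherwise. Sequence numbers are 32-bit and wrap, so the comparisons are done in modular arithmetic rather than with a plain "<". The four length/window cases follow the test in RFC 793 section 3.3; the function names and the sample segments are constructed for the example.

```python
"""Added example, not code from the TMS zl Module or its documentation."""
MASK32 = 0xFFFFFFFF


def in_window(x, lo, win):
    """True if sequence number x lies in [lo, lo + win) modulo 2**32.
    The subtraction is masked, so a window that straddles 2**32 works."""
    return ((x - lo) & MASK32) < win


def segment_acceptable(seq, length, rcv_nxt, window, scale=0):
    """RFC 793 acceptability test for a segment starting at seq that occupies
    `length` bytes of sequence space (SYN and FIN each count as one byte).
    `window` is the advertised 16-bit value and `scale` the negotiated
    window-scale shift (0-14), so the effective window is window << scale."""
    win = window << scale
    if length == 0:
        # Pure ACK or window probe: must start inside the window, or exactly
        # at rcv_nxt when the window is closed.
        return seq == rcv_nxt if win == 0 else in_window(seq, rcv_nxt, win)
    if win == 0:
        return False                    # no data is acceptable into a zero window
    last = (seq + length - 1) & MASK32
    # Either the first or the last byte must land in the window; this still
    # admits a retransmission that partly overlaps the window.
    return in_window(seq, rcv_nxt, win) or in_window(last, rcv_nxt, win)


def classify(segments, rcv_nxt, window, scale=0):
    """Label each (seq, length) pair as 'in-range' or 'out-of-range'."""
    return [
        (seq, length,
         "in-range" if segment_acceptable(seq, length, rcv_nxt, window, scale)
         else "out-of-range")
        for seq, length in segments
    ]


if __name__ == "__main__":
    # Constructed sample: peer may send 8192 bytes, next expected byte is 1000.
    samples = [(1000, 100), (1010, 100), (990, 20), (900, 50), (9192, 10)]
    for row in classify(samples, rcv_nxt=1000, window=8192):
        print(row)
    # Constructed sample: the window straddles the 2**32 wrap point.
    print(classify([(0x50, 10), (0x100, 10)], rcv_nxt=0xFFFFFF00, window=0x200))
```

The two edge cases worth checking in any implementation of this test are the wrap of the sequence space (a window starting at 0xFFFFFF00 must accept sequence number 0x50) and the zero window (only a zero-length probe at rcv_nxt is acceptable). Forgetting the scale factor makes a device reject legitimate data from peers that negotiated windows larger than 65,535 bytes.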