2

I know about IP spoofing is it the same thing? The question originated from the question Is TCP more secure than UDP?

Community
  • 1
Ulkoma
  • 8,793
  • 16
  • 65
  • 95
  • 2
    It's just a poorly worded answer. Philip just confused terminology, which confused you (and, confused me as well). TCP spoofing refers to the network engineering process of improving the performance of the protocol due to inadequacies in certain conditions ([more on that](https://en.wikipedia.org/wiki/Protocol_spoofing)). IP spoofing is falsifying the IP address to make the connection appear as it's coming from somewhere other than the real source. The spoofing that Philip is talking about is modifying the content of a TCP message in transmit (lack of integrity). – Adi Oct 08 '14 at 12:56

1 Answers1

7

"Spoofing" in the context of networking means that you create communication in a network system which appears to originate from another host. In order to do this successfully, you need to impersonate them on every protocol layer of the application you want to impersonate them on.

Just injecting IP packets which seems to originate from another host is insufficient to impersonate that host during a TCP connection, because every TCP segment has a 32bit sequence number. A segment with a sequence number which is out of line will be ignored. That means in order to successfully insert a TCP segment into an existing transmission you need to guess the next sequence number, or your segment will be discarded. This isn't so hard when you can eavesdrop at least on the client, but when you can't, you can only brute-force it. With more simple transport protocols, like UDP for example, you don't have that problem. UDP has no sequence numbers, so unless an upper protocol layer replicates such functionality, you can just insert additional segments which will then be treated as if they were coming from the real host.

You also have another problem when you have no existing connection and instead want to establish a new TCP connection which appears to originate from another host. In order to establish a TCP connection, a 3-way handshake is required. (client sends SYN, server sends SYN,ACK, client sends ACK). The SYN,ACK by the server includes a random number which you need for an acceptable ACK. So when you can only send IP packets but not receive any of the packets intended for the spoofed host, you will have to guess this number.

Ángel
  • 17,578
  • 3
  • 25
  • 60
Philipp
  • 48,867
  • 8
  • 127
  • 157