When a client opens a TCP/IP connection to a host, the host generates an Initial TCP Sequence Number, known as the ISN. This sequence number is then used throughout the conversation between the host and the client to keep track of each data packet, and it helps ensure that the exchange proceeds in an orderly fashion. Both the host and the client generate and use such sequence numbers in TCP connections.
As early as 1985, security experts noted that a cracker able to work out the next ISN could fake a one-way connection to a server by spoofing the source IP address of a trusted system. To protect the integrity of TCP/IP connections, security experts therefore affirm that every stream, or communication using TCP/IP, should be given a unique, random sequence number.
A cracker wanting to establish connections from a fake address, or wanting to compromise the integrity of an existing TCP connection by inserting malicious data into the stream, would need to know the ISN. Because of the openness of the Internet and the considerable number of protocols that do not use cryptography to protect data integrity, it is very important to design TCP/IP implementations so that remote crackers cannot predict the ISN. This predictability is what a blind spoofing attack relies on.
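The contrast between a counter-style ISN generator and a keyed, per-connection one, with the check an operator can run over ISNs sampled from a host, as an added illustration (not code from the entry or its sources; the function names, the 64000/64 increments and the RFC 6528-style keyed-hash construction are assumptions used for the example):

```python
import hashlib
import hmac
import os
from typing import List, Tuple

# Constructed per-boot secret, as an RFC 6528 style generator would hold.
SECRET = os.urandom(32)
MOD = 2**32

def isn_weak_bsd(clock_ticks: int, conn_index: int) -> int:
    """Hypothetical 4.2BSD-style generator: the counter advances by a fixed
    amount per clock tick and per connection, so a single observed ISN lets a
    remote party extrapolate the next one (the weakness Morris described)."""
    return (clock_ticks * 64000 + conn_index * 64) % MOD

def isn_rfc6528(src: str, dst: str, sport: int, dport: int,
                clock_ticks: int, secret: bytes = SECRET) -> int:
    """RFC 6528 style: ISN = M + F(4-tuple, secret), where M is a clock and F
    a keyed hash, so the per-connection offset cannot be derived without the
    secret even though the clock term is still monotonic."""
    four_tuple = f"{src}:{sport}->{dst}:{dport}".encode()
    f = int.from_bytes(hmac.new(secret, four_tuple, hashlib.sha256).digest()[:4], "big")
    return (clock_ticks * 64000 + f) % MOD

def isn_deltas(isns: List[int]) -> List[int]:
    """First-order differences modulo 2^32 between successive observed ISNs."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def isn_predictability(isns: List[int], window: int = 2**16) -> Tuple[bool, int]:
    """Defensive check over ISNs sampled from a host's consecutive connections:
    if every delta falls inside a narrow window the generator behaves like a
    counter and the next ISN is guessable. Returns (predictable, delta spread)."""
    if len(isns) < 2:
        raise ValueError("need at least two observed ISNs")
    deltas = isn_deltas(isns)
    spread = max(deltas) - min(deltas)
    return spread < window, spread

def sample_weak(n: int = 5) -> List[int]:
    """Constructed observation: n connections to the weak host, one per tick."""
    return [isn_weak_bsd(clock_ticks=t, conn_index=t) for t in range(n)]

def sample_strong(n: int = 5) -> List[int]:
    """Constructed observation: the same schedule against the RFC 6528 style
    host, each probe from a different ephemeral source port."""
    return [isn_rfc6528("192.0.2.10", "192.0.2.20", 40000 + t, 80, t)
            for t in range(n)]
```

Running `isn_predictability` on both samples flags the counter-style host (all deltas identical) and clears the keyed one, whose deltas are spread across the full 32-bit range.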
Cracker Kevin Mitnick was found to have used the TCP sequence-number prediction method against cyber sleuth Tsutomu Shimomura. Shimomura was able to turn Mitnick in to federal agents because Mitnick had to use a nonspoofed connection in order to grab some ISNs from which to predict the next sequence number.
Robert T. Morris was the first security expert to elucidate this security problem in a 1985 paper entitled “A Weakness in the 4.2BSD Unix TCP/IP Software.”