2.4.4 TCP/IP Hijacking

A TCP/IP hijack is an attack that spoofs a server into thinking it is talking with a valid client, when in fact it is communicating with an attacker that has taken over (or hijacked) the TCP session. Assume that the client has administrator-level privileges, and that the attacker wants to steal that authority in order to create a new account with root-level access to the server for later use. TCP hijacking is like a two-phase man-in-the-middle attack. The man-in-the-middle attacker lurks in the circuit between a client and a server in order to determine what port and sequence numbers are being used for the conversation.

First, the attacker knocks out the client with an attack such as Ping of Death, or ties it up with some kind of ICMP storm. This leaves the client unable to transmit any packets to the server. Then, with the client crashed, the attacker assumes the client's identity in order to speak with the server. By this means, the attacker gains administrator-level access to the server.

One of the most effective means of preventing a hijack attack is to require a secret, that is, a shared password between the client and the server. Depending on the strength of security desired, the secret can be used for random exchanges, in which the client and server periodically challenge each other, or it can be used on every exchange, as with Kerberos.
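The shared-secret defence described above, shown as an added example that is not part of the original text: every message carries a counter and an HMAC under the shared secret, and the server can also issue a random challenge. The `Endpoint` class, `run_session` and the secret values are constructed for this illustration; a hijacker who knows the ports and sequence numbers but not the secret cannot produce an acceptable message or challenge response.

```python
import hmac
import hashlib
import secrets


def tag(secret: bytes, counter: int, payload: bytes) -> bytes:
    """HMAC over (message counter || payload) under the shared secret."""
    return hmac.new(secret, counter.to_bytes(8, "big") + payload, hashlib.sha256).digest()


class Endpoint:
    """One side of a session whose every message is authenticated with the shared secret."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.sent = 0        # messages this side has sent
        self.accepted = 0    # messages accepted from the peer
        self.nonce = None    # outstanding challenge, if any

    def send(self, payload: bytes):
        self.sent += 1
        return (self.sent, payload, tag(self.secret, self.sent, payload))

    def receive(self, msg):
        counter, payload, mac = msg
        # The counter must advance by exactly one: rejects replays and injected segments.
        if counter != self.accepted + 1:
            return None
        if not hmac.compare_digest(mac, tag(self.secret, counter, payload)):
            return None
        self.accepted = counter
        return payload

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)   # random challenge for the peer
        return self.nonce

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.secret, b"challenge:" + nonce, hashlib.sha256).digest()

    def check_response(self, response: bytes) -> bool:
        expected = hmac.new(self.secret, b"challenge:" + self.nonce, hashlib.sha256).digest()
        self.nonce = None
        return hmac.compare_digest(expected, response)


def run_session():
    """Constructed scenario: real client, server, and a hijacker who lacks the secret."""
    secret = b"constructed-shared-secret"
    client, server = Endpoint(secret), Endpoint(secret)
    hijacker = Endpoint(b"constructed-wrong-secret")  # knows counters, not the secret
    legit = server.receive(client.send(b"list home directory")) is not None
    hijacker.sent = client.sent                  # hijacker has observed the session state
    forged = server.receive(hijacker.send(b"add admin account")) is not None
    client_ok = server.check_response(client.respond(server.challenge()))
    hijacker_ok = server.check_response(hijacker.respond(server.challenge()))
    return {"legit": legit, "forged": forged, "client_ok": client_ok, "hijacker_ok": hijacker_ok}
```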