The client sends a SYN segment: SEG_SEQ = CLT_SEQ_0, SEG_FLAG = SYN. Its state is now SYN-SENT.

- On receipt of this packet the server acknowledges the client sequence number, sends its own SYN (SEG_FLAG = SYN) and sets SVR_ACK = CLT_SEQ_0+1. Its state is now SYN-RECEIVED.
- On receipt of this packet the client acknowledges the server sequence number: SEG_SEQ = CLT_SEQ_0+1, SEG_ACK = SVR_SEQ_0+1, and sets CLT_ACK = SVR_SEQ_0+1. Its state is now ESTABLISHED.
- On state.

We now have:

CLT_SEQ = CLT_SEQ_0+1
CLT_ACK = SVR_SEQ_0+1
SVR_SEQ = SVR_SEQ_0+1
SVR_ACK = CLT_SEQ_0+1

[Figure: handshake between Server (LISTEN) and Client (CLOSED), opening with SYN, CLT_SEQ_0]

A->B: SYN, ISSx
B->A: SYN, ISSb', ACK(ISSx)    B's response to X's original SYN (so to speak)
A->B: ACK(ISSb')               using the predicted value for ISSb'.

If the guess is right -- and
Although easy to detect when used on a local network, the attack presented here is quite efficient on long-distance, low-bandwidth, high-delay networks (usually WANs). It can be carried out with the same resources as passive sniffing. This attack also has the dangerous advantage of being

Internet is becoming more and more frequent, the stealthiness of the attack is now a very important parameter for the success of the attack and makes it more difficult to detect. When everybody's attention in the Internet is

current IPv4, increasing attacks and the need for secure systems press us to develop and use a secure transport layer for the Internet community. Options should be available to send signed and eventually encrypted data to provide privacy. And since the signature of the data implies reliability, the signature can be substitute

More precisely, RFC 793 specifies that the 32-bit counter be incremented by 1 in the low-order position about every

it by 128 every second, and 64 for each new connection. Thus, if you open a connection to a machine, you know to a very high degree of confidence what sequence number it will use for its next connection. And therein lies the
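As an added illustration (not code from any of the papers quoted on this page), the following Python models the handshake bookkeeping above with the page's CLT_/SVR_ variables, next to a simplified counter-style ISN generator (128 per second plus 64 per new connection, as described) and a spread check a defender can use to measure how predictable an implementation's ISNs are. The names Endpoint, CounterIsn and isn_spread are my own, and the generator is a model, not any real kernel's code.

```python
"""Handshake bookkeeping and ISN predictability model (added example)."""
import secrets
from dataclasses import dataclass

MOD = 1 << 32  # sequence numbers are 32-bit and wrap


@dataclass
class Endpoint:
    state: str
    seq: int      # next sequence number this side will send
    ack: int = 0  # next sequence number this side expects to receive


def three_way_handshake(clt_seq_0: int, svr_seq_0: int):
    """Walk the three segments from the text; return (client, server)."""
    clt, svr = Endpoint("CLOSED", clt_seq_0), Endpoint("LISTEN", svr_seq_0)
    # Client -> Server: SYN with SEG_SEQ = CLT_SEQ_0
    clt.state = "SYN-SENT"
    # Server acknowledges it (SVR_ACK = CLT_SEQ_0+1) and sends its own SYN
    svr.ack, svr.state = (clt.seq + 1) % MOD, "SYN-RECEIVED"
    # Client acks the server SYN: SEG_SEQ = CLT_SEQ_0+1, SEG_ACK = SVR_SEQ_0+1
    clt.seq, clt.ack = (clt.seq + 1) % MOD, (svr.seq + 1) % MOD
    clt.state = "ESTABLISHED"
    # The server's SYN is now consumed, so SVR_SEQ = SVR_SEQ_0+1
    svr.seq, svr.state = (svr.seq + 1) % MOD, "ESTABLISHED"
    return clt, svr


class CounterIsn:
    """Model of a counter ISN: +128 per second, +64 per new connection."""
    def __init__(self, start: int = 0):
        self.counter = start

    def next_isn(self, seconds_elapsed: float) -> int:
        self.counter = (self.counter + int(128 * seconds_elapsed) + 64) % MOD
        return self.counter


def isn_spread(isns) -> int:
    """Range of consecutive ISN deltas; 0 means the next ISN is fully predictable."""
    deltas = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    return max(deltas) - min(deltas)


if __name__ == "__main__":
    print(three_way_handshake(1000, 5000))
    gen = CounterIsn()
    counter = [gen.next_isn(0.5) for _ in range(6)]     # constructed sample
    random = [secrets.randbelow(MOD) for _ in range(6)]  # constructed sample
    print("counter spread:", isn_spread(counter), "random spread:", isn_spread(random))
```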
"Security Problems in the TCP/IP Protocol Suite", Computer Communications Review 19:2, April 1989, pp. 32-48 (URLs below). Both his attack and my generalizations are special cases of a more general attack, IP source address spoofing,

machine's IP address in conjunction with some protocol (such as rsh) that does address-based authentication.
Me at Defcon IV.
Probably even more Me.