TCP Sequence Prediction Attack

In TCP sequence prediction attack, the attacker monitors traffic between two hosts to predict the sequence number of packets going back and forth.  Once the monitoring part is done, the attacker will lunch denial of service attack (DOS) to stop one of the hosts from communicating with the other host. Since one of the hosts is non-responsive, the attacker will use the sequence number to forge a packet. The forged packet will be sent to the other host as a legitimate packet. The forged packet could include payload or malicious commands. (Arora, 2012) Nmap is a very powerful tool for TCP sequence prediction. Hackers take advantage of poor initial sequence number generation to lunch blind TCP spoofing attacks. (Nmap, n.d.) In the past, TCP sequence number prediction attack was not feasible, there are 4,294,967,296 possibilities to predict the entire ISN. Today, with more bandwidth and processing speed this attack becomes very feasible. Applying anti-spoofing filters, is a good countermeasure to detect forged packets. Firewalls should be configured to not allow internal IP addresses to be originated from an external interface.(Kohli, 2007)


Arora, H. (2012, January 20). TCP attacks: TCP Sequence Number Prediction and TCP Reset Attacks. Retrieved from:

Nmap. (n.d.). Chapter 8. Remote OS Detection. Retrieved from:

Kohli, M. (2007, June 11). TCP/IP Vulnerabilities. Retrieved from:


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s