Editing Transmission Control Protocol (section)

==Vulnerabilities==
TCP may be attacked in a variety of ways. The results of a thorough security assessment of TCP, along with possible mitigations for the identified issues, were published in 2009,<ref>{{cite web |url=http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf |title=Security Assessment of the Transmission Control Protocol (TCP) |access-date=2010-12-23 |url-status=bot: unknown |archive-url=https://web.archive.org/web/20090306052826/http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf |archive-date=March 6, 2009 }}</ref> and was pursued within the [[IETF]] through 2012.<ref>[https://tools.ietf.org/html/draft-ietf-tcpm-tcp-security Survey of Security Hardening Methods for Transmission Control Protocol (TCP) Implementations]</ref> Notable vulnerabilities include denial of service, connection hijacking, TCP veto and [[TCP reset attack]].

===Denial of service===
By using a [[IP address spoofing|spoofed IP address]] and repeatedly sending [[mangled packet|purposely assembled]] SYN packets, followed by many ACK packets, attackers can cause the server to consume large amounts of resources keeping track of the bogus connections. This is known as a [[SYN flood]] attack. Proposed solutions to this problem include [[SYN cookies]] and cryptographic puzzles, though SYN cookies come with their own set of vulnerabilities.<ref>{{Cite web |url=http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/ |title=Quick Blind TCP Connection Spoofing with SYN Cookies |author=Jakob Lell |date=13 August 2013 |access-date=2014-02-05 |archive-date=2014-02-22 |archive-url=https://web.archive.org/web/20140222101226/http://www.jakoblell.com/blog/2013/08/13/quick-blind-tcp-connection-spoofing-with-syn-cookies/ |url-status=live }}</ref> [[Sockstress]] is a similar attack, that might be mitigated with system resource management.<ref>{{cite web|url=http://www.gont.com.ar/talks/hacklu2009/fgont-hacklu2009-tcp-security.pdf|title=Some insights about the recent TCP DoS (Denial of Service) vulnerabilities|access-date=2010-12-23|archive-date=2013-06-18|archive-url=https://web.archive.org/web/20130618235445/http://www.gont.com.ar/talks/hacklu2009/fgont-hacklu2009-tcp-security.pdf|url-status=dead}}</ref> An advanced DoS attack involving the exploitation of the TCP ''persist timer'' was analyzed in [[Phrack]] No. 66.<ref>{{cite web|url=http://phrack.org/issues.html?issue=66&id=9#article|title=Exploiting TCP and the Persist Timer Infiniteness|access-date=2010-01-22|archive-date=2010-01-22|archive-url=https://web.archive.org/web/20100122131412/http://www.phrack.org/issues.html?issue=66&id=9#article|url-status=live}}</ref> [[PUSH and ACK floods]] are other variants.<ref>{{cite web|url=https://f5.com/glossary/push-and-ack-flood|title=PUSH and ACK Flood|website=f5.com|access-date=2017-09-27|archive-date=2017-09-28|archive-url=https://web.archive.org/web/20170928005428/https://f5.com/glossary/push-and-ack-flood|url-status=live}}</ref>

===Connection hijacking===
{{Main|TCP sequence prediction attack}}
An attacker who is able to eavesdrop on a TCP session and redirect packets can hijack a TCP connection. To do so, the attacker learns the sequence number from the ongoing communication and forges a false segment that looks like the next segment in the stream. A simple hijack can result in one packet being erroneously accepted at one end. When the receiving host acknowledges the false segment, synchronization is lost.<ref>{{cite web|url=https://www.usenix.org/legacy/publications/library/proceedings/security95/full_papers/joncheray.pdf |author=Laurent Joncheray|title=Simple Active Attack Against TCP |date=1995|access-date=2023-06-04}}</ref> Hijacking may be combined with [[ARP spoofing]] or other routing attacks that allow an attacker to take permanent control of the TCP connection.

Impersonating a different IP address was not difficult prior to {{harvtxt|RFC 1948}} when the initial ''sequence number'' was easily guessable. The earlier implementations allowed an attacker to blindly send a sequence of packets that the receiver would believe came from a different IP address, without the need to intercept communication through ARP or routing attacks: it is enough to ensure that the legitimate host of the impersonated IP address is down, or bring it to that condition using [[denial-of-service attack]]s. This is why the initial sequence number is now chosen at random.

===TCP veto===
An attacker who can eavesdrop and predict the size of the next packet to be sent can cause the receiver to accept a malicious payload without disrupting the existing connection. The attacker injects a malicious packet with the sequence number and a payload size of the next expected packet. When the legitimate packet is ultimately received, it is found to have the same sequence number and length as a packet already received and is silently dropped as a normal duplicate packet—the legitimate packet is ''vetoed'' by the malicious packet. Unlike in connection hijacking, the connection is never desynchronized and communication continues as normal after the malicious payload is accepted. TCP veto gives the attacker less control over the communication but makes the attack particularly resistant to detection. The only evidence to the receiver that something is amiss is a single duplicate packet, a normal occurrence in an IP network. The sender of the vetoed packet never sees any evidence of an attack.<ref>{{cite conference |author1=John T. Hagen |author2=Barry E. Mullins |title=2013 IEEE PES Innovative Smart Grid Technologies Conference (ISGT) |chapter=TCP veto: A novel network attack and its Application to SCADA protocols |journal=Innovative Smart Grid Technologies (ISGT), 2013 IEEE PES |pages=1–6 |year=2013|doi=10.1109/ISGT.2013.6497785 |isbn=978-1-4673-4896-6 |s2cid=25353177 }}</ref>