Permanently out of order: how to end the threat of sequence prediction attacks How to end the threat of sequence prediction attacks

When it comes to websites, 'eavesdropping' can be devastating for a business

Sequence prediction attacks

By using secure sockets layer (SSL) protocol, a website encrypts all communications going back and forth between its server and users’ browsers, so all a man in the middle attacker would gain from its eavesdropping is cryptographic code that can’t be cracked. No sequence numbers

Having your website users’ financial information intercepted outranks the vast majority of eavesdropping consequences, at school or in the workplace, for example.

And yet, are website owners taking the necessary precautions to protect against man in the middle/IP spoofing attacks like sequence prediction attacks on their websites? No. No they aren’t.

Two-headed monster

According to the internet security and CDN provider Imperva Incapsula’s IP spoofing definition, IP spoofing is the process of disguising the origin IP of internet traffic.

This is accomplished by changing the source IP address header, which is one of the headers that contains the information necessary for routing and transmission continuity.

IP spoofing has legitimate purposes, such as skirting censorship laws in authoritarian regimes, but it is often used in cyber attacks, typically in order to disguise the location of a botnet in order to pull off a DDoS attack, or to impersonate a different user or device on the internet, such as in a sequence prediction attack.

>See also: The Trojan horse: 2017 cyber security trends

A sequence prediction attack is a two-headed monster in that it’s an IP spoofing attack as well as a man in the middle attack – a man in the middle attack being one where the attacker positions him or herself between a user and a website in order to eavesdrop on the communications being exchanged.

Sequence numbers explained

When a person visits a website his or her browser connects to the site’s server using the transmission control protocol or TCP handshake.

In this handshake, the browser sends a connection request to the server, the server responds with an acknowledgement, and the browser acknowledges the acknowledgment by sending an acknowledgment of its own. Boom, session activated.

TCP stipulates that each byte of data exchanged between a browser and a server have a sequence number, which is used to identify the order of the bytes so the data can be reconstructed in the proper order.

The sequence number of the first byte is determined during the initial handshake when the browser first sends the connection request to the server.

The server responds with an acknowledgment number, which is the initial sequence number +1. The sequence/acknowledgment numbers continue like so throughout the session.

Predicting trouble

The sequence prediction attack issues begin when an attacker is able to position him or herself between the communications between the browser and the server, monitoring the data being exchanged.

By spoofing the IP of either the browser or the server and then predicting the next sequence number in the exchange, a man in the middle attacker can take the place of the browser or server and insert him or herself into the trusted connection.

>See also: Is there life after antivirus? Looking to the future of endpoint protection

Once the attacker takes the place of the browser or the server, he or she has a grab bag of malicious tricks to choose from. The attacker can terminate the connection, access information (including potentially sensitive data), or even run malicious commands or scripts.

Rendering the man in the middle ineffective

So what can a website owner do to prevent these sequence prediction attacks? It’s actually a pretty simple solution: encryption.

By using secure sockets layer (SSL) protocol, a website encrypts all communications going back and forth between its server and users’ browsers, so all a man in the middle attacker would gain from its eavesdropping is cryptographic code that can’t be cracked. No sequence numbers.

SSL is an absolute necessity for website owners concerned about these attacks, as well as website owners who run websites that deal with any kind of sensitive or confidential information including login names, passwords, email addresses, home addresses and financial information.

The drawback to additional security

There is an inherent drawback to SSL, which is that it slows down page load times.

However, this lag can be negated by the use of a content delivery network (CDN), which is a global network of servers that work to serve up website content as quickly as possible by reducing the physical distance between users and servers and caching all cacheable content.

CDNs also reduce bandwidth bills, provide network optimisation and load balancing, manages multimedia content, and compresses CSS, JavaScript, HTML and image files for faster loading.

>See also: 5 cyber security predictions for 2017

Advanced CDNs will also provide protection against DDoS attacks.

When considering the next investment you’re going to make for the good of your website (and your users), think back to all of those times you had the name of your crush spread around school or your secret weekend plans blabbed to your parents and banish eavesdroppers for good with SSL encryption.

And then banish site lag with a CDN.

Comments (0)