TCP Session Hijacking

Transmission Control Protocol (TCP) hijacking (or TCP session hijacking), which is considered to be a relatively old attack that does not occur a great deal today, takes place when an attacker is able to access information contained in the TCP packet between server and client and thereby take over the connection. Harris & Hunt (1999) state that in such attacks “the attacker simply hijacks a legitimate connection to gain entry to a system as a legitimate user”. In order to carry out a TCP hijack, the attacker firstly has to know the way in which the client and server communicate using TCP, to be able to listen to (or sniff) those communications, to be able to interpolate or obtain part of the communication that will allow the IP of the client to be spoofed and finally to send a TCP message to the host server (as the legitimate client) to take over the connection.

The TCP session is established by the client sending a request for connection, the server responding and the client acknowledging the response, this is often called the “three-way handshake” Kurose & Ross (2010, p244). With respect to TCP hijacking, the key piece of information sent to the server in the first request for connection is an Initial Sequence Number (ISN) to which the server will respond with an Acknowledgement Number (AN), which is the ISN with the value of one added to it. These numbers form the identifiers for the connection and therefore in order to spoof the connection, the attacker must identify these numbers. TechRepublic (2000) identifies two methods of obtaining these identifiers by operating system knowledge and a mathematical deduction of the original ISN, which would then allow interpolation of the AN, or by attacking the host server to discover these. The way in which the ISN is generated is one of the major weaknesses of halting such attacks as their generation technique on each operating system is generally known of documented as linear on a mathematical basis from an inception date, therefore if the attacker can discover the operating system, their work in discovering the ISN is drastically reduced. Once the ISN and AN are known, the attacker can open a connection with the server as the legitimate client.

Defending against TCP hijacking attacks has improved over the years since their discovery, however such attacks are “still a very real threat, despite advances made in both initial sequence number generation and network design” according to TheTazzone Network (2009) with the only real protection lying in static routing of packets, to prevent the network packets being sniffed or redirected, and the use of hardware identifiers such as MAC addresses alongside the ISN to forge the client-server connection. The final protection is the use of Internet Protocol Security (IPSec) to encrypt the contents of packets, which is stated as the most useful defence against such attacks.


Harris, B & Hunt, R (1999) TCP/IP security threats and attack methods, Computer Communications, Volume 22, Issue 10, Pages 885-897. ScienceDirect, EBSCOhost, viewed 24 April 2011.

Kurose & Ross (2010) Computer Networking: A Top-Down Approach (Fifth Edition). Addison Wesley.

TechRepublic (2000) TCP hijacking [Online]. Available at (Accessed 24 Apr 2011).

TheTazzone Network (2009) Tutorial – A Quick Introduction to TCP Session Hijacking [Online]. Available at (Accessed 24 Apr 2011).