
TCP Packet Injection Mitigations

Çağlar Arlı

I'm trying to understand whether TCP packet injection into a plaintext protocol is possible within a switched network (or wherever there are no validations relating to IP legitimacy).

Say I know there is a TCP connection between client A and server B, with the server running on port 1234. The attacker is positioned on the same switching layer, but is NOT able to intercept communications via MitM or similar. What information is required in order to spoof a TCP packet, and can it be brute forced? I am primarily interested in spoofing a packet to the server in this situation, and I assume that shortly after a single spoofed packet the connection will desync and terminate.

From what I can tell, the entropy is:

  • Client port (generally in the 32k to 64k port range, but this is OS / config dependent)
  • Sequence Number
  • Acknowledgement number (?)

I'm unclear on whether both the sequence and acknowledgement numbers are required for a single spoofed packet.

My understanding is that historically, 'TCP sequence prediction attacks' were possible, but this was mitigated by randomly generating initial Sequence and Acknowledgement numbers such that they are not easy to predict. This would result in a keyspace of (roughly) 32k * 2**32 * 2**32 (approx 604,462,909,807,314,587,353,088).

Is this math correct? Are there any other mitigations (outside of encryption) which would mitigate packet injection?
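Added example (not part of the original question or of any answer to it): a small Python model of the checks a server applies to a spoofed client-to-server data segment, used to size the brute-force search space the question asks about. It goes beyond the question's arithmetic in one respect: instead of treating the sequence and acknowledgement numbers as two exact 32-bit values, it applies the RFC 793 receive-window test for SEQ (any value inside RCV.WND is accepted) and the RFC 5961 section 5 tolerance for ACK (any value between SND.UNA - MAX.SND.WND and SND.NXT is accepted), so the attacker only has to land inside a range, not hit an exact number. The connection state, the 40000 client port and the 32768-port source range are constructed for the demonstration; the model ignores TCP timestamps/PAWS, TCP-MD5/TCP-AO and what the server does with the data once accepted.

```python
import math

MOD = 2 ** 32  # TCP sequence space; all comparisons wrap modulo this


def seq_in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test for the first octet of a data segment:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32."""
    return (seg_seq - rcv_nxt) % MOD < rcv_wnd


def ack_acceptable(seg_ack: int, snd_una: int, snd_nxt: int,
                   max_snd_wnd: int) -> bool:
    """RFC 5961 section 5 ACK test in ESTABLISHED:
    SND.UNA - MAX.SND.WND <= SEG.ACK <= SND.NXT, evaluated modulo 2**32.
    Anything outside this range is dropped, so the attacker does not need
    the exact ACK value, only one that falls inside the range."""
    lower = (snd_una - max_snd_wnd) % MOD
    span = ((snd_nxt - snd_una) % MOD) + max_snd_wnd
    return (seg_ack - lower) % MOD <= span


def acceptable_ack_count(snd_una: int, snd_nxt: int, max_snd_wnd: int) -> int:
    """Number of distinct ACK values ack_acceptable() admits for this state."""
    return ((snd_nxt - snd_una) % MOD) + max_snd_wnd + 1


def segment_accepted(seg: dict, state: dict) -> bool:
    """Checks the server applies to a spoofed client->server data segment
    (beyond the IP addresses, which the question assumes are known)."""
    return (seg["sport"] == state["client_port"]
            and seq_in_window(seg["seq"], state["rcv_nxt"], state["rcv_wnd"])
            and ack_acceptable(seg["ack"], state["snd_una"],
                               state["snd_nxt"], state["max_snd_wnd"]))


def naive_keyspace(port_count: int) -> int:
    """The question's figure: ports * 2**32 * 2**32 (exact SEQ and ACK)."""
    return port_count * MOD * MOD


def stride_keyspace(port_count: int, rcv_wnd: int, ack_count: int) -> int:
    """Segments needed for exhaustive coverage when SEQ guesses are spaced
    RCV.WND apart and ACK guesses are spaced by the acceptable ACK span."""
    return port_count * math.ceil(MOD / rcv_wnd) * math.ceil(MOD / ack_count)


def blind_seq_probes(state: dict, sport: int, ack: int):
    """Simulate an attacker sweeping SEQ in RCV.WND-sized strides with a
    fixed source port and ACK.  Returns the number of segments sent before
    one is accepted, or None if the whole sweep fails (wrong port, bad ACK)."""
    stride = state["rcv_wnd"]
    for i in range(math.ceil(MOD / stride)):
        seg = {"sport": sport, "seq": (i * stride) % MOD, "ack": ack}
        if segment_accepted(seg, state):
            return i + 1
    return None


if __name__ == "__main__":
    # Constructed connection state (not captured from a real host): the
    # server's view of an idle connection with a 64 KiB receive window and
    # no unacknowledged data in flight.  The client port is an assumption.
    server_state = {
        "client_port": 40000,
        "rcv_nxt": 0x9E3779B9,
        "rcv_wnd": 65535,
        "snd_una": 1000,
        "snd_nxt": 1000,
        "max_snd_wnd": 65535,
    }
    ports = 65535 - 32768 + 1  # 32k-64k source-port range, as in the question
    acks = acceptable_ack_count(1000, 1000, 65535)
    print("naive keyspace (exact SEQ and ACK):", naive_keyspace(ports))
    print("stride keyspace (window-sized steps):",
          stride_keyspace(ports, 65535, acks))
    print("SEQ probes, correct port and in-range ACK:",
          blind_seq_probes(server_state, 40000, 1000))
    print("SEQ probes, ACK one past SND.NXT:",
          blind_seq_probes(server_state, 40000, 1001))
```

With the constructed state the exhaustive count drops from the question's 32k * 2^64 to 32768 * 65538 * 65536 segments, because each SEQ guess covers a whole receive window and each ACK guess covers the whole acceptable ACK span; with window scaling the receive window (and so the stride) is larger still. The remaining cost is dominated by the unknown source port and by the need to send every probe, which is why randomised source ports and a server that rate-limits challenge ACKs matter alongside ISN randomisation.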