One of the more fascinating security holes was described by Robert Morris. This form of attack takes advantage of the predictability of sequence numbers used in TCP implementations. In particular BSD 4.2 and 4.3 (and their many siblings) have been shown to be vulnerable.
1) The initial sequence numbers (ISN) used by TCP should be random, incrementing values, Berkeley Unix starts with an ISN of 1and increments it a fixed number of times per second and per connection. It is therefore possible to estimate the next ISN that will be used by: connecting to the server, recording the ISN and then measuring the time to the next connection.
2) To avoid the attacked host sending a reset message to the spoofed host the attacker must flood the appropriate port on the spoofed host.
3) The attack proper starts by opening a connection to the server (S) but with the source address spoofed to be that of a trusted host (T) on the network.
4) The server will respond with an acknowledgment and its own ISN. This will be sent to the trusted host because of the address spoof. Under normal circumstances the host would not recognise this acknowledgment, the attacker actually opened this connection, however the attacker disabled the trusted host in [2].
5) The attacker uses its predicted server ISN to carry on the conversation, for example it could instruct the server to send it the password file.
Defences against this attack include using TCP stacks with less predictable ISNs. Firewalls should also be block packets with internal source addresses arriving on the external interface (input filtering) and similarly block packets with an source address different from the internal network to stop attacks originating from the site. Logging could also detect the unusual network activity (e.g. host T generating RST messages) this kind of attack generates.