TCP Predictable

TCP accepts a stream of data from the application and divides it into packets (TCP segments). TCP then prepends a header to each segment. The header carries a sequence number that the sending and receiving ends use to verify the order of TCP segments and to detect missing ones, even when a segment carries no data at all. TCP passes the segment down to the IP layer, which encapsulates it and sends it over the network as a datagram. An attacker can forge packets so that they appear to come from a trusted machine. Such forged packets can compromise services such as rsh and rlogin, because those services authenticate the client by its source IP address. When the attacker spoofs another host's address, the target's replies go to that host, not to the attacker, so completing the handshake depends on guessing the initial sequence number (ISN) the target chooses for the connection. The more predictable the ISN, the larger the proportion of guesses that succeed, and the more likely the attacker can complete a spoofed connection and compromise the system.

Internet Scanner attempts to predict sequence numbers by reading the TCP header at the transport layer. The header includes Source Port and Destination Port fields that identify the applications between which the connection is being established. The Sequence Number and Acknowledgment Number fields support positive acknowledgment and retransmission. The Checksum field provides an integrity check over the header, the data and an IP pseudo-header; it detects accidental corruption only and is not an authentication mechanism, since an attacker forging a segment simply computes a valid checksum for it.
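To make the header fields above concrete, the following Python is an added example, not Internet Scanner code: it decodes the fixed 20-byte TCP header, recomputes the checksum over the IPv4 pseudo-header, and builds a sample SYN so the check can be exercised. The addresses, ports and sequence number are constructed values, and the function and class names are this example's own.

```python
import struct
from dataclasses import dataclass

# Example code added to illustrate the header fields discussed above; it is not
# Internet Scanner code. Field layout follows RFC 793; the addresses, ports and
# sequence number below are constructed sample values.

TCP_PROTO = 6
FLAG_SYN = 0x02
FLAG_ACK = 0x10


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int   # header length in 32-bit words (5 = no options)
    flags: int         # low 9 bits of the offset/flags word
    window: int
    checksum: int
    urgent: int


def parse_tcp_header(segment: bytes) -> TcpHeader:
    """Decode the fixed 20-byte TCP header at the start of a segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    src, dst, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = off_flags >> 12
    if data_offset < 5 or data_offset * 4 > len(segment):
        raise ValueError("data offset does not fit the segment")
    return TcpHeader(src, dst, seq, ack, data_offset, off_flags & 0x1FF,
                     win, csum, urg)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header and the whole segment.

    The Checksum field itself is treated as zero, so the same function serves
    both for building a segment and for checking a received one.
    """
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, flags,
                  payload=b"") -> bytes:
    """Assemble a TCP segment with no options and a correct checksum."""
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         (5 << 12) | flags, 8192, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True if the received Checksum field matches a recomputation."""
    return tcp_checksum(src_ip, dst_ip, segment) == parse_tcp_header(segment).checksum


# Constructed sample: a SYN from 10.0.0.5:40000 to the rsh port 514 on 10.0.0.9.
SRC_IP = bytes([10, 0, 0, 5])
DST_IP = bytes([10, 0, 0, 9])
SAMPLE_SYN = build_segment(SRC_IP, DST_IP, 40000, 514, 0x12345678, 0, FLAG_SYN)

if __name__ == "__main__":
    hdr = parse_tcp_header(SAMPLE_SYN)
    print(hdr, "checksum ok:", checksum_ok(SRC_IP, DST_IP, SAMPLE_SYN))
```

Flipping any byte of the sample makes checksum_ok return False, which is all the Checksum field guarantees; a forged segment built with build_segment carries a valid checksum, which is why the field offers no protection against the spoofing described on this page.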

Internet Scanner uses a predefined algorithm to predict the value of the Sequence Number field. When a message spans several segments, the destination machine's TCP software reassembles the message using the sequence numbers in the TCP headers. (These sequence numbers are unrelated to the fragmentation of datagrams performed by IP. The IP layer reassembles fragmented datagrams first, then passes each complete datagram up to TCP, which reassembles the stream at its own layer.)
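The page does not describe Internet Scanner's prediction algorithm, so the Python below is an added example of what an ISN predictability check measures, written for this page rather than taken from ISS: it samples ISNs, guesses each one from the increments seen before it, and reports the fraction of guesses that land within a window of the real value, the "percentage of guessed" sequence numbers that the description above ties to the success of a spoofed rsh or rlogin connection. The ISN samples are constructed (a fixed-step generator and a uniformly random one), the window size and class thresholds are this example's own choices, and the function names are assumptions.

```python
import random

# Example code added to illustrate what an ISN predictability check measures;
# it is not the algorithm Internet Scanner uses, which this page does not
# describe. Sample ISNs are constructed below, not captured from a real host.

SEQ_SPACE = 1 << 32


def isn_deltas(isns):
    """Increments between consecutive ISNs, modulo the 32-bit sequence space."""
    return [(b - a) % SEQ_SPACE for a, b in zip(isns, isns[1:])]


def seq_distance(a, b):
    """Shortest signed distance from a to b around the 32-bit sequence space."""
    d = (b - a) % SEQ_SPACE
    return d if d < SEQ_SPACE // 2 else d - SEQ_SPACE


def predict_next(isns):
    """Linear guess: assume the most recent increment repeats."""
    if len(isns) < 2:
        raise ValueError("need at least two ISN samples")
    return (isns[-1] + isn_deltas(isns)[-1]) % SEQ_SPACE


def guess_rate(isns, window=1024):
    """Fraction of samples the linear guess lands within +/-window of.

    Each sample after the second is guessed from the samples before it, the
    way an attacker who has probed the target a few times would guess the
    ISN of a connection whose SYN/ACK they cannot see.
    """
    hits = tries = 0
    for i in range(2, len(isns)):
        tries += 1
        if abs(seq_distance(predict_next(isns[:i]), isns[i])) <= window:
            hits += 1
    return hits / tries


def isn_class(isns, window=1024):
    """Coarse rating; the thresholds are this example's own choices."""
    rate = guess_rate(isns, window)
    if rate >= 0.9:
        return "predictable"
    if rate >= 0.1:
        return "weak"
    return "random"


def constant_increment_isns(start=0x1000, step=64000, n=32):
    """Constructed ISNs from a generator that adds a fixed step per connection."""
    return [(start + i * step) % SEQ_SPACE for i in range(n)]


def random_isns(seed=7, n=32):
    """Constructed ISNs drawn uniformly from the 32-bit space (seeded for repeatability)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


def spoof_ack_for(predicted_isn):
    """Acknowledgment number a blind spoofer puts in the final handshake ACK.

    The target accepts the connection only if this equals its real ISN + 1,
    which is why the quality of the prediction decides whether the attack works.
    """
    return (predicted_isn + 1) % SEQ_SPACE


if __name__ == "__main__":
    samples = (("fixed step", constant_increment_isns()), ("random", random_isns()))
    for name, isns in samples:
        print(f"{name:10s} guess rate {guess_rate(isns):.2f} -> {isn_class(isns)}")
```

With the fixed-step samples every guess is exact, so the rating is "predictable"; with the random samples a guess within 1024 of a 32-bit value happens about once in two million tries, so the rating is "random". Because all arithmetic is modular, a generator whose counter wraps past 2^32 is still rated correctly. Real hosts fall between these extremes (per-second increments, per-connection jitter), which is what the window and the "weak" class are for.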