Off-Path TCP Sequence Number Inference Attack, enabled by Sequence-Number-Checking Firewall Middleboxes

What is sequence-number-checking firewall?

Simply put, it is a type of stateful firewalls that tracks the state of TCP connections and drop packets that do not match the current state. One specific state that it checks is the TCP sequence number state. Specifically, the firewall only allows packets with legitimate sequence numbers (or rather a range of valid sequence numbers) to go through. A picture of the design is shown below -- the firewall middlebox initializes the valid sequence number window (X-WIN, X+WIN) and (Y-WIN, Y+WIN) upon seeing the TCP SYN and SYN-ACK packets. Later packets in the session have to have sequence numbers within the range in order to be considered valid.

This feature is by design, however, we found that the design is flawed and can allow various forms of TCP sequence number inference attacks. We found tens of cellular network providers deploy such firewall middleboxes, rendering their network and devices vulnerable.

What is off-path TCP sequence number inference attack?

Off-path sequence number inference attack is a new network attack that we discovered which can further enable TCP injection and hijacking attacks. One form of the attack is that an attacker on the Internet can collaborate with an on-device malware (unprivileged, such as a disguised third-party app) to hijack the facebook webpage (which is loaded by a separate app -- browser). Here's a picture of the threat model. In this particular threat model, the unprivileged malware collaborates with an Internet attacker to hijack the connection to the Facebook server. A more complete list of attacks possible is described in our paper.

A demo of the attack is shown below:

What can you do?

You can download our app through Google Play (formerly known as Android Market) if you like to find out if your network has deployed the sequence-number-checking firewall middlebox. It also helps us collect more data on which network providers are vulnerable so that we can report the issue to them.
Android app download
We have decided not to publish the app anymore due to the security concern. If you are affiliated with a carrier or firewall vendor, please feel free to contact us and we will send you a copy. Thanks for your understanding.


This study is published at IEEE Security & Privacy (Oakland) 2012. You can download the paper here.

Please feel free to contact us for more information: Zhiyun Qian (zhiyunq at, Z. Morley Mao (zmao at


We are researchers at the University of Michigan, in the RobustNet research group. We are interested in security, performance and network characterization in mobile devices. Our other apps include MobiPerf, a tool to characterize your network, andPowerTutor, a tool to characterize the power consumption of system components and different applications.

[Back to Main]