Off-Path TCP Sequence Number Inference Attack (umich.edu)
79 points by wglb on May 22, 2012 | hide | past | favorite | 5 comments



This is a grab-bag of clever tricks, based on one idea.

As you know, a TCP connection consists of a (sender_IP, sender_port, receiver_IP, receiver_port) tuple, and individual packets additionally need a valid sequence number ("valid" is rather complicated; TCP opens two of these connections at once, one host1->host2 and one host2->host1.) An attacker with these five numbers can inject arbitrary data into the connection.

The linked article assumes that between the client and server there is a firewall that does sequence number checking (i.e. drops any packets that couldn't possibly be valid; note that packet loss may cause the firewall to see packet2 and packet3 but not packet1, so it has to accept "valid plus a little bit".)

Now, if you have a little information from the client (such as can be obtained by running "netstat", which is an unprivileged operation on pretty much all OSes) and know the server's (IP, port) information (e.g. (www.facebook.com, 80)), you can play around with the firewall.

The most basic attack is simple: send packets with randomly-chosen sequence numbers through the firewall, and see if they make it to the client (the firewall will forward anything in "valid" to "valid + something", and drop anything else; the client will increment the netstat-visible error counter if it receives anything but "valid".) Once a packet makes it through the firewall, you know that the "valid" sequence number is within "something" of the sequence number of that packet. Various refinements and nastier attacks are explored.


I don't get how this is an issue with the firewall. If the firewall wasn't there tossing away packets with invalid sequence numbers, then the actual host would toss them away anyhow right? So what's the difference having the firewall there or not? Either way you can figure out the sequence number by trying until you guess right.


Yes, the host would drop/reject them anyway. However, having the firewall allows you to find the valid number in all_numbers / something + something (where "something" is as in the grandparent) by first using the firewall to find the correct interval ([0, something[, [something, 2 * something[, ...) and then brute-forcing only those sequence numbers.


In a nutshell, given IP spoofing, in order to hijack a TCP connection they need to work out the sequence number. They take advantage of a firewall that throws away invalid sequence numbers to pervert it into a device that reveals the valid sequence number.

It hinges on knowing if a packet was tossed or not. They do this with either a TTL that will expire between the firewall and destination, or by an unprivileged conspirator program on the target device (e.g. watching the Linux packet counters on an Android phone).

They apparently have success with about one third of the mobile carriers they have tried.
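As an added example (not from this thread or the paper it discusses): a small rate monitor over the host-side error counter the comments above mention, the same signal an unprivileged conspirator reads and the one a defender can watch for the probing described. The counter name, the threshold and the samples are constructed for illustration, not real netstat output.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Sample:
    t: float       # seconds since monitoring started
    count: int     # cumulative value of a hypothetical host-side "out-of-window packets" counter

# Constructed samples: a quiet baseline, then two 10 s intervals in which the
# counter jumps by thousands, then a reset (reboot / counter wrap).
CONSTRUCTED_SAMPLES = [
    Sample(0, 100), Sample(10, 103), Sample(20, 104),
    Sample(30, 1900), Sample(40, 3500), Sample(50, 3502),
    Sample(60, 5),  # reset: must not be reported as negative traffic
]

def probe_bursts(samples: List[Sample], threshold_per_sec: float = 50.0) -> List[Tuple[float, float, float]]:
    """Return merged (start, end, peak_rate) intervals whose counter rate exceeds the threshold.

    A sustained burst of packets the host discards as out-of-window, with no matching
    application traffic, is the signature the thread describes.
    """
    bursts: List[Tuple[float, float, float]] = []
    for a, b in zip(samples, samples[1:]):
        dt = b.t - a.t
        if dt <= 0:
            raise ValueError("samples must be strictly increasing in time")
        delta = b.count - a.count
        if delta < 0:
            continue  # counter reset: skip the interval instead of reporting a negative rate
        rate = delta / dt
        if rate <= threshold_per_sec:
            continue
        if bursts and bursts[-1][1] == a.t:
            start, _, peak = bursts[-1]
            bursts[-1] = (start, b.t, max(peak, rate))  # extend the burst already in progress
        else:
            bursts.append((a.t, b.t, rate))
    return bursts

if __name__ == "__main__":
    for start, end, peak in probe_bursts(CONSTRUCTED_SAMPLES):
        print(f"burst {start:.0f}s-{end:.0f}s, peak {peak:.1f} discarded packets/s")
```

On a real host the samples would be read from the platform's TCP statistics interface; the same reading being available to unprivileged processes is exactly why the paper's conspirator works, so restricting access to those counters is part of the mitigation.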


Is IP spoofing generally doable on today's internet? Don't core routers in general implement ingress filters? So if I send a packet with a src IP outside of my provider's IP space, it will get dropped?



