Operator On The Wire
← Back to Knowledge Base
BLUE TEAM / SOC / FILTERING / ATTACKS / TRANSPORT LAYER / TCP

Connection Hijacking


Hunting

Statistics → Conversations → IPv4
Statistics → Endpoints → IPv4
Statistics → Protocol Hierarchy
Statistics → IO Graph


Goal

  1. Attacker sniffs traffic (needs visibility)
  2. Observes:
    • Sequence numbers
    • Acknowledgment numbers
  3. Injects packet with correct sequence number
  4. Spoofs source IP
  5. Disrupts legitimate endpoint (often via ARP poisoning)

(CRITICAL) Hijacking requires:

  • On-path position (MITM)
  • Or predictable sequence numbers (old stacks)

Modern TCP makes blind hijacking extremely difficult.


Red Flags

  • Duplicate sequence numbers
  • Unexpected data packets
  • ACK desynchronization
  • TCP retransmissions spike
  • Window size inconsistencies
  • ARP anomalies
  • Out-of-order packets

Filters

# Duplicate ACK
tcp.analysis.duplicate_ack

# Retransmission (Hijacking often causes desync)
tcp.analysis.retransmission

# Out-of-order packets
tcp.analysis.out_of_order

# Same 4-tuple, different MAC (possible ARP poisoning/hijack)
# Inspect ethernet source address
ip.addr == TARGET_IP 

Killchain

  • Attacker gains on-path visibility (ARP poisoning)
  • Monitors sequence numbers
  • Blocks legitimate ACKs
  • Injects crafted packet with valid sequence
  • Session desynchronizes
  • Legitimate endpoint retransmits
  • Connection instability observed