From Off-Path Hacking: The Illusion of Challenge-Response Authentication (2013):

----------

From Off-path TCP Sequence Number Inference Attack - How Firewall Middleboxes Reduce Security (2012):

Demo video is available at http://web.eecs.umich.edu/~zhiyunq/tcp_sequence_number_inference/.

----------

From Off-Path TCP Injection Attacks (2014):

Download: http://u.cs.biu.ac.il/~herzbea/security/14-01-tcp.pdf

----------

Some other papers in the references of the above papers are available at Google Scholar.
Wow, the last one is nasty. I'll have to read the paper (or at least try to) but it sounds like a design flaw in TCP. I'm surprised we haven't heard more about stuff like this. I mean, the papers are a couple years old now...