Exploiting Linux’s DelayedACKLost Counter to Infer TCP Sequence Numbers

A tongue-in-cheek tale in which two covert agents exploit the Linux kernel's DelayedACKLost counter, read from /proc/net/netstat, to infer a TCP connection's next expected sequence number and assist a side-channel hijack. Along the way it explains the delayed-ACK mechanism, the kernel functions involved (tcp_send_dupack, tcp_enter_quickack_mode) and why a world-readable diagnostic counter becomes a security problem.

Liangxu Linux

Uninvited Guests

Two mysterious operatives, one tall and one short, infiltrate the "Linux Empire" and receive a mission to assist in a TCP connection hijack. Their only instruction is to report the value of a counter called DelayedACKLost by executing cat /proc/net/netstat.

The file turns out to hold a wealth of TCP and IP extension statistics (the TcpExt and IpExt blocks, each a header line of counter names followed by a line of values), DelayedACKLost among them. Like the rest of /proc/net, it is world-readable by any local user but not writable, so no privilege is needed to watch it.
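The agents' job is nothing more than reading one column of that file and noticing when it moves. The script below, added here as an illustration and not part of the original article, parses the two-line header/value blocks of /proc/net/netstat, pulls out DelayedACKLost, and wraps the "did it tick?" check the rest of the story depends on. The sample snapshots are constructed for the example (the counter names are real kernel names, the values are invented).

```python
# Added example: read DelayedACKLost from /proc/net/netstat snapshots.
# Sample contents are constructed; the format (header line, value line,
# one pair per block) matches the real file.
SNAPSHOT_BEFORE = """\
TcpExt: SyncookiesSent SyncookiesRecv DelayedACKs DelayedACKLocked DelayedACKLost
TcpExt: 0 0 18212 4 37
IpExt: InNoRoutes InTruncatedPkts InMcastPkts
IpExt: 0 0 131
"""
SNAPSHOT_AFTER = """\
TcpExt: SyncookiesSent SyncookiesRecv DelayedACKs DelayedACKLocked DelayedACKLost
TcpExt: 0 0 18220 4 38
IpExt: InNoRoutes InTruncatedPkts InMcastPkts
IpExt: 0 0 131
"""


def parse_netstat(text):
    """Return {block: {counter: value}} for the contents of /proc/net/netstat.

    Every block ("TcpExt:", "IpExt:", ...) is a pair of lines: the first names
    the columns, the second carries one integer per column in the same order.
    """
    stats = {}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for header, values in zip(lines[::2], lines[1::2]):
        h_name, *names = header.split()
        v_name, *vals = values.split()
        if h_name != v_name or len(names) != len(vals):
            raise ValueError(f"malformed block: {h_name!r} / {v_name!r}")
        stats[h_name.rstrip(":")] = dict(zip(names, map(int, vals)))
    return stats


def delayed_ack_lost(text):
    """The single counter the agents were told to report."""
    return parse_netstat(text)["TcpExt"]["DelayedACKLost"]


def counter_delta(before_text, after_text, counter="DelayedACKLost"):
    """How much a TcpExt counter moved between two snapshots."""
    before = parse_netstat(before_text)["TcpExt"][counter]
    after = parse_netstat(after_text)["TcpExt"][counter]
    return after - before


def tick_after(read_snapshot, probe):
    """Generic oracle shape: snapshot, do something, snapshot again.

    read_snapshot() returns the file contents; probe() performs whatever
    action is being tested (in the story, the superior's guessed packet).
    Returns True when DelayedACKLost increased in between.
    """
    first = read_snapshot()
    probe()
    second = read_snapshot()
    return counter_delta(first, second) > 0


def read_live():
    """Read the real file on Linux; returns None on other systems."""
    try:
        with open("/proc/net/netstat") as fh:
            return delayed_ack_lost(fh.read())
    except (OSError, KeyError, ValueError):
        return None


if __name__ == "__main__":
    print("sample delta:", counter_delta(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
    print("live value:", read_live())
```

Note that nothing here needs root or raw sockets: the reader side of the attack is an ordinary unprivileged process, which is exactly why the kernel's choice to expose this counter to everyone matters.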

Secret Mission

The next night they repeatedly query the counter, reporting its value each time. Their superior keeps asking whether the counter has increased, forcing them to run the command dozens of times.

Strange TCP Connection

Meanwhile, a new employee, Robert, reports a TCP connection that keeps receiving segments whose sequence numbers are either too small or too large; the receiver treats them as stray retransmissions and answers each one with a duplicate ACK, so the connection looks as if it were retransmitting endlessly. His colleague Cerf suspects a hijack attempt and notes that the attacker appears to be guessing the sequence number by binary search. That only works with feedback on whether each guess is too high or too low, and an off-path attacker cannot see the duplicate ACKs, so the feedback must be leaking through some other channel.

Tracking the Infiltrator

The security minister orders a review of the TCP stack code. The investigation focuses on the function tcp_send_dupack, which the receive path calls when a segment falls outside the receive window. It answers with an immediate duplicate ACK, and, when the segment carries data and its sequence number lies before rcv_nxt (the next byte the receiver expects), it also treats the segment as a retransmission of data that was already acknowledged.

Cerf explains the Delayed ACK optimization: instead of acknowledging every segment, the kernel holds the ACK back briefly and batches acknowledgments to cut traffic. The function tcp_enter_quickack_mode temporarily switches the socket into quick-ACK mode, so the next several ACKs are sent at once; tcp_send_dupack calls it because a retransmission of acknowledged data suggests the peer never got the earlier ACK.

The minister points out the line in that same branch that increments the DelayedACKLost counter. The kernel cannot actually observe a lost ACK; it infers one whenever data it has already acknowledged arrives again, which is precisely the case of a guessed sequence number that is too small. A guess that is too large is still answered with a duplicate ACK but leaves the counter alone. He hypothesizes that an observer reading the counter could therefore learn, for every probe, whether the attacker's guess fell below rcv_nxt, which is exactly the one bit a binary search needs.

The counter is meant for diagnostics, but it is aggregated across every connection on the host, readable by any local user, and changes rarely under normal traffic. An unprivileged reader can therefore attribute each increment to the probe that was just sent, which turns a harmless statistic into a side channel.
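The following model, added here as an example and not code from the original article or from the kernel, puts Cerf's binary-search theory and the minister's reading of tcp_send_dupack together. A stand-in receiver applies only the two tests that decide the counter (does the segment carry data, and does its seq lie before rcv_nxt), the attacker is given nothing but the counter tick, and 32 one-byte probes recover the 32-bit rcv_nxt. Window, ACK-number and timestamp checks, spoofing and the separate problem of learning the four-tuple are deliberately left out; the class and function names are this example's own.

```python
# Added example: DelayedACKLost as a binary-search oracle for rcv_nxt.
# ModelReceiver and CounterOracle are hypothetical stand-ins, not kernel code.
MASK = 0xFFFFFFFF


def before(a, b):
    """Linux before(): True when 32-bit sequence number a precedes b (modular)."""
    return ((a - b) & MASK) >= 0x80000000


class ModelReceiver:
    """Only the receive-path decisions that touch the counter are modelled.

    A data-carrying segment whose seq lies before rcv_nxt is taken to be a
    retransmission of already-acknowledged data, which the kernel reads as
    "the peer lost my delayed ACK": LINUX_MIB_DELAYEDACKLOST goes up.
    """

    def __init__(self, rcv_nxt):
        self.rcv_nxt = rcv_nxt & MASK
        self.delayed_ack_lost = 0        # the /proc/net/netstat column

    def receive(self, seq, payload_len):
        seq &= MASK
        if payload_len == 0:
            return                       # pure ACK: dup ACK back, no counter
        if before(seq, self.rcv_nxt):
            self.delayed_ack_lost += 1   # guess too small: counter ticks
        elif seq == self.rcv_nxt:
            # exact hit: the byte is accepted, which for the attacker is the
            # injection itself; the next expected byte moves on by one
            self.rcv_nxt = (self.rcv_nxt + payload_len) & MASK
        # seq after rcv_nxt: queued out of order or dropped as out of window,
        # dup ACK sent, counter untouched


class CounterOracle:
    """What a local reader of /proc/net/netstat gets per probe: one bit."""

    def __init__(self, receiver):
        self.rx = receiver
        self.probes = 0

    def ticked(self, seq):
        self.probes += 1
        old = self.rx.delayed_ack_lost
        self.rx.receive(seq, 1)          # one-byte data segment at seq
        return self.rx.delayed_ack_lost > old


def infer_rcv_nxt(oracle):
    """Recover rcv_nxt from counter ticks alone.

    One probe at seq 0 says which 2^31-wide half of the space holds rcv_nxt.
    Inside a bracket no wider than 2^31, before() is an ordinary ordering, so
    plain halving applies: 1 + 31 = 32 probes. If a probe lands exactly on
    rcv_nxt its byte is injected and rcv_nxt advances; the search still
    returns the value rcv_nxt had when it started.
    """
    if oracle.ticked(0):
        lo, n = 1, 1 << 31               # rcv_nxt in [1, 2^31]
    else:
        lo, n = (1 << 31) + 1, 1 << 31   # rcv_nxt in [2^31 + 1, 2^32] mod 2^32
    while n > 1:
        step = (n - 1) // 2
        mid = (lo + step) & MASK
        if oracle.ticked(mid):           # mid before rcv_nxt: keep the upper part
            lo, n = (mid + 1) & MASK, n - step - 1
        else:                            # rcv_nxt in [lo, mid]
            n = step + 1
    return lo


def demo(target=0x9D3A27F1):
    """Run the search against a receiver expecting `target`; returns
    (inferred value, probes used, counter ticks observed)."""
    rx = ModelReceiver(target)
    oracle = CounterOracle(rx)
    guess = infer_rcv_nxt(oracle)
    return guess, oracle.probes, rx.delayed_ack_lost


if __name__ == "__main__":
    g, p, ticks = demo()
    print(f"inferred rcv_nxt=0x{g:08x} after {p} probes ({ticks} counter ticks)")
```

The design point worth noticing is where the information comes from: the attacker never reads a single reply packet. The duplicate ACKs Robert observed go to the legitimate peer; the only thing the attacker consumes is a global integer the kernel happily shows to every local process, which is why the fix is to stop exposing per-event counters with that granularity rather than to change the ACK logic.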

Easter Egg

The attack technique is adapted from the 2018 Xunlei security conference talk "TCP's Doom: Network-Protocol Side-Channel Analysis and Exploitation" by security researcher Qian Zhiyun. The original discussion is at https://bbs.pediy.com/thread-245982.htm.
Tags: Kernel, TCP, Linux, network security, side-channel, Delayed ACK

Written by

Liangxu Linux

Liangxu, a self-taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares Linux knowledge: fundamentals, applications and tools, plus Git, databases, Raspberry Pi and more. (Reply "Linux" to receive essential resources.)
