The attacker needs to know the two IP addresses and ports and the next serial number of the challenge ACK packets introduced in RFC 5961. These can be used to spoof packets and for example inject malicious code in HTTP traffic. For encrypted traffic like HTTPS and SSH this attack can only break the connection.
Links:
http://www.theregister.co.uk/2016/08/10/linux_tor_users_open_corrupted_communications/
https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cao.pdf