DOI: 10.1145/2815675.2815700
ACM IMC conference proceedings, research article
Resilience of Deployed TCP to Blind Attacks

Published: 28 October 2015

Abstract

As part of TCP's steady evolution, recent standards have recommended mechanisms to protect against weaknesses in TCP. But adoption, configuration, and deployment of TCP improvements can be slow. In this work, we consider the resilience of deployed TCP implementations to blind in-window attacks, where an off-path adversary disrupts an established connection by sending a packet that the victim believes came from its peer, causing data corruption or connection reset. We tested operating systems (and middleboxes deployed in front) of webservers in the wild in September 2015 and found 22% of connections vulnerable to in-window SYN and reset packets, 30% vulnerable to in-window data packets, and 38.4% vulnerable to at least one of the three in-window attacks we tested. We also tested out-of-window packets and found that while few deployed systems were vulnerable to reset and SYN packets, 5.4% of connections accepted in-window data with an invalid acknowledgment number. In addition to evaluating commodity TCP stacks, we found vulnerabilities in 12 of the 14 routers and switches we characterized -- critical network infrastructure where the potential impact of any TCP vulnerabilities is particularly acute. This surprisingly high level of extant vulnerabilities in the most mature Internet transport protocol in use today is a perfect illustration of the Internet's fragility. Embedded in historical context, it also provides a strong case for more systematic, scientific, and longitudinal measurement and quantitative analysis of fundamental properties of critical Internet infrastructure, as well as for the importance of better mechanisms to get best security practices deployed.
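The three blind in-window attacks the abstract names (reset, SYN, data) and the "in-window data with an invalid acknowledgment number" case are easiest to see as the difference between the RFC 793 segment acceptance rules and the RFC 5961 rules that tighten them. The Python below is an added example written for this page; it is not code from the paper or its measurement tooling. The connection state (EXAMPLE_STATE) and the spoofed segments are constructed values, not measurements, and sequence arithmetic is done on unbounded integers, ignoring 32-bit wraparound, to keep the comparisons readable.

```python
"""RFC 793 versus RFC 5961 handling of blind in-window segments.

Added example for this page; the connection state and the spoofed
segments are constructed, and sequence arithmetic ignores 32-bit wraparound.
"""
from dataclasses import dataclass


@dataclass
class TcpState:
    """Receiver-side view of an ESTABLISHED connection (RFC 793 variable names)."""
    rcv_nxt: int       # next sequence number expected from the peer
    rcv_wnd: int       # receive window we advertise
    snd_una: int       # oldest unacknowledged byte we sent
    snd_nxt: int       # next sequence number we will send
    max_snd_wnd: int   # largest send window seen so far (RFC 5961 section 5)


@dataclass
class Segment:
    """The header fields that matter for the acceptance checks."""
    seq: int
    ack: int
    rst: bool = False
    syn: bool = False
    payload: int = 0   # bytes of data carried


# Constructed state: the peer may send 65535 bytes starting at 1,000,000;
# we have 10,000 bytes in flight starting at 500,000.
EXAMPLE_STATE = TcpState(rcv_nxt=1_000_000, rcv_wnd=65_535,
                         snd_una=500_000, snd_nxt=510_000, max_snd_wnd=65_535)


def in_rcv_window(st: TcpState, seg: Segment) -> bool:
    """RFC 793 sequence-number acceptability test, non-empty window case."""
    return st.rcv_nxt <= seg.seq < st.rcv_nxt + st.rcv_wnd


def legacy_verdict(st: TcpState, seg: Segment) -> str:
    """Pre-RFC 5961 processing: any in-window RST or SYN tears the connection
    down, and in-window data is accepted even with a stale ACK number (RFC 793
    only rejects an ACK for data not yet sent, SEG.ACK > SND.NXT)."""
    if not in_rcv_window(st, seg):
        return "drop"
    if seg.rst or seg.syn:
        return "reset"
    if seg.ack > st.snd_nxt:
        return "drop"
    return "accept-data" if seg.payload else "accept"


def rfc5961_verdict(st: TcpState, seg: Segment) -> str:
    """RFC 5961 processing: only an RST whose SEQ equals RCV.NXT resets; any
    other in-window RST and every SYN get a challenge ACK; data whose ACK is
    outside [SND.UNA - MAX.SND.WND, SND.NXT] is discarded with a challenge ACK."""
    if seg.rst:
        if seg.seq == st.rcv_nxt:
            return "reset"
        return "challenge-ack" if in_rcv_window(st, seg) else "drop"
    if seg.syn:
        return "challenge-ack"          # irrespective of sequence number
    if not in_rcv_window(st, seg):
        return "drop"
    if not (st.snd_una - st.max_snd_wnd <= seg.ack <= st.snd_nxt):
        return "challenge-ack"
    return "accept-data" if seg.payload else "accept"


def blind_probes(st: TcpState) -> dict:
    """Constructed segments an off-path attacker who has guessed the 4-tuple
    might send. 'guess' lands inside the receive window but not on RCV.NXT,
    which is the realistic outcome of a blind sequence-number guess."""
    guess = st.rcv_nxt + st.rcv_wnd // 2
    outside = st.rcv_nxt + st.rcv_wnd + 1_000
    stale_ack = st.snd_una - st.max_snd_wnd - 1    # just below the RFC 5961 floor
    return {
        "exact_rst":      Segment(seq=st.rcv_nxt, ack=st.snd_una, rst=True),
        "in_window_rst":  Segment(seq=guess, ack=st.snd_una, rst=True),
        "in_window_syn":  Segment(seq=guess, ack=st.snd_una, syn=True),
        "in_window_data": Segment(seq=guess, ack=st.snd_una, payload=100),
        "data_stale_ack": Segment(seq=guess, ack=stale_ack, payload=100),
        "oow_rst":        Segment(seq=outside, ack=st.snd_una, rst=True),
    }


def compare(st: TcpState = EXAMPLE_STATE) -> dict:
    """Map each probe name to (legacy verdict, RFC 5961 verdict)."""
    return {name: (legacy_verdict(st, seg), rfc5961_verdict(st, seg))
            for name, seg in blind_probes(st).items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:15s} RFC 793: {old:14s} RFC 5961: {new}")
```

Two points worth noticing in the output. First, an in-window data segment whose ACK number is also plausible is accepted by both rule sets: RFC 5961 does not stop blind data injection outright, it only forces the attacker to guess an acknowledgment number inside a second window as well as a sequence number inside the first, which is why the abstract reports in-window data acceptance separately from the invalid-ACK case. Second, an RST with SEQ exactly equal to RCV.NXT still resets under RFC 5961, so the protection is a probability reduction, not an elimination, and it assumes the ephemeral port is also hard to guess. Stacks that enforce a global rate limit on the challenge ACKs this logic generates should be checked for the side channel described in the "2016 Linux TCP stack vulnerability" papers listed under Cited By on this page.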

Published In

IMC '15: Proceedings of the 2015 Internet Measurement Conference
October 2015
550 pages
ISBN:9781450338486
DOI:10.1145/2815675

Publisher

Association for Computing Machinery

New York, NY, United States

Badges

  • Best Paper

Author Tags

  1. blind attacks
  2. middleboxes
  3. security
  4. tcp

Qualifiers

  • Research-article

Conference

IMC '15
Sponsor:
IMC '15: Internet Measurement Conference
October 28 - 30, 2015
Tokyo, Japan

Acceptance Rates

IMC '15 Paper Acceptance Rate 31 of 96 submissions, 32%;
Overall Acceptance Rate 277 of 1,083 submissions, 26%

Article Metrics

  • Downloads (Last 12 months)21
  • Downloads (Last 6 weeks)3
Reflects downloads up to 28 Jan 2025

Cited By

  • (2024) A Horizontal Study on the Mixed IPID Assignment Vulnerability in the Linux Ecosystem. 2024 IEEE/ACM 32nd International Symposium on Quality of Service (IWQoS), pp. 1-10. doi:10.1109/IWQoS61813.2024.10682845. Online: 19 Jun 2024.
  • (2022) When Third-Party JavaScript Meets Cache: Explosively Amplifying Security Risks on the Internet. 2022 IEEE Conference on Communications and Network Security (CNS), pp. 290-298. doi:10.1109/CNS56114.2022.9947247. Online: 3 Oct 2022.
  • (2021) Faulds: A Non-Parametric Iterative Classifier for Internet-Wide OS Fingerprinting. IEEE/ACM Transactions on Networking 29(5), pp. 2339-2352. doi:10.1109/TNET.2021.3088333. Online: Oct 2021.
  • (2018) Exploiting TLS Client Authentication for Widespread User Tracking. Proceedings on Privacy Enhancing Technologies 2018(4), pp. 51-63. doi:10.1515/popets-2018-0031. Online: 29 Aug 2018.
  • (2017) Investigation of the 2016 Linux TCP Stack Vulnerability at Scale. ACM SIGMETRICS Performance Evaluation Review 45(1), p. 8. doi:10.1145/3143314.3078510. Online: 5 Jun 2017.
  • (2017) Faulds. Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 971-982. doi:10.1145/3133956.3133963. Online: 30 Oct 2017.
  • (2017) Investigation of the 2016 Linux TCP Stack Vulnerability at Scale. Proceedings of the ACM on Measurement and Analysis of Computing Systems 1(1), pp. 1-19. doi:10.1145/3084441. Online: 13 Jun 2017.
  • (2017) Investigation of the 2016 Linux TCP Stack Vulnerability at Scale. Proceedings of the 2017 ACM SIGMETRICS / International Conference on Measurement and Modeling of Computer Systems, p. 8. doi:10.1145/3078505.3078510. Online: 5 Jun 2017.
  • (2017) Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting. IEEE/ACM Transactions on Networking 25(4), pp. 2430-2443. doi:10.1109/TNET.2017.2690641. Online: 1 Aug 2017.
  • (2016) Unsupervised Clustering Under Temporal Feature Volatility in Network Stack Fingerprinting. ACM SIGMETRICS Performance Evaluation Review 44(1), pp. 127-138. doi:10.1145/2964791.2901449. Online: 14 Jun 2016.
