Off-Path TCP Exploits of the Challenge ACK Global Rate Limit

Published: 01 April 2018

Abstract

In this paper, we report a subtle yet serious side-channel vulnerability, CVE-2016-5696, introduced by a recent Transmission Control Protocol (TCP) specification, RFC 5961. The specification is faithfully implemented in Linux kernel version 3.6 (2012) and later, and so affects a wide range of devices and hosts. In a nutshell, the vulnerability allows a blind off-path attacker to infer whether any two arbitrary hosts on the Internet are communicating over a TCP connection. Further, if such a connection is present, the off-path attacker can also infer the TCP sequence numbers in use on both sides of the connection; this in turn allows the attacker to terminate the connection and perform data injection attacks. We illustrate how the attack can be leveraged to disrupt or degrade the privacy guarantees of an anonymity network such as Tor, and to hijack web connections. Through extensive experiments, we show that the attack is fast and reliable: on average it takes about 40 to 60 seconds to complete, with a success rate of 88% to 97%. Finally, we propose changes to both the TCP specification and its implementation to eliminate the root cause of the problem.
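The mechanism the abstract summarizes, as an added example that is not code from the paper: a Python model of the side channel. The modelled server implements the RFC 5961 checks for RST and SYN segments and answers them with a challenge ACK drawn from one budget shared by every socket (Linux's pre-fix default of 100 per second); a spoofed segment that hits an established connection consumes one unit of that budget, a spoofed segment that misses consumes nothing. The attacker holds its own legitimate connection to the same server, sends its spoofed guesses, then sends 100 in-window (but inexact) RSTs on its own connection and counts the replies: 99 means a guess hit. The hosts, ports, window size and sequence numbers are constructed; the SYN/ACK existence probe, the strided sweep with several spoofed RSTs per round, and the binary search for the right edge of the receive window (chosen so that no probe can equal RCV.NXT and reset the connection) are this example's own simplification of the paper's procedure, which goes on to pin down RCV.NXT itself and the ACK number. The per-socket budget used as the hardened variant corresponds to one of the two Linux patches that fixed the issue.

```python
"""Toy model of the CVE-2016-5696 challenge-ACK side channel (added, constructed example)."""

CHALLENGE_ACK_LIMIT = 100   # Linux net.ipv4.tcp_challenge_ack_limit default before the 2016 fixes
SEQ_MOD = 1 << 32

class Server:   # RFC 5961 receiver (RST and SYN checks); per_socket_limit=False is the vulnerable counter
    def __init__(self, per_socket_limit=False):
        self.conns, self.per_socket_limit = {}, per_socket_limit   # four-tuple -> rcv_nxt/rcv_wnd
        self.tick()

    def tick(self):                                # a new one-second interval: budgets refill
        self.global_left, self.socket_left = CHALLENGE_ACK_LIMIT, {}

    def add_connection(self, four_tuple, rcv_nxt, rcv_wnd):
        self.conns[four_tuple] = {"rcv_nxt": rcv_nxt % SEQ_MOD, "rcv_wnd": rcv_wnd}

    def _challenge_ack(self, four_tuple):
        if self.per_socket_limit:                  # hardened: every socket has its own budget
            left = self.socket_left.get(four_tuple, CHALLENGE_ACK_LIMIT)
            self.socket_left[four_tuple] = max(left - 1, 0)
        else:                                      # vulnerable: one budget shared by all sockets
            left, self.global_left = self.global_left, max(self.global_left - 1, 0)
        return "CHALLENGE_ACK" if left > 0 else None

    def receive(self, four_tuple, flags, seq):
        c = self.conns.get(four_tuple)
        if c is None:                              # unknown connection: plain RST, never rate limited
            return "RST"
        if "SYN" in flags:                         # SYN in synchronized state -> challenge ACK
            return self._challenge_ack(four_tuple)
        if "RST" in flags:
            if seq == c["rcv_nxt"]:                # exact match: the connection is torn down
                del self.conns[four_tuple]
                return "CONNECTION_RESET"
            if (seq - c["rcv_nxt"]) % SEQ_MOD < c["rcv_wnd"]:   # in-window: challenge ACK
                return self._challenge_ack(four_tuple)
        return None                                # out-of-window: dropped silently

class OffPathAttacker:   # sees only replies on its own connection; never reads the victim's state
    def __init__(self, server, my_tuple, my_rcv_nxt):
        self.server, self.me, self.my_rcv_nxt, self.rounds = server, my_tuple, my_rcv_nxt, 0

    def consumed(self, spoofed):
        """Spoof, then elicit 100 challenge ACKs on our own connection; return how many were used up."""
        self.server.tick()                         # stands in for waiting out the current second
        self.rounds += 1
        for four_tuple, flags, seq in spoofed:     # any reply goes to the victim, not to us
            self.server.receive(four_tuple, flags, seq)
        probe = (self.me, "RST", (self.my_rcv_nxt + 1) % SEQ_MOD)   # in-window, not exact
        seen = sum(self.server.receive(*probe) == "CHALLENGE_ACK" for _ in range(CHALLENGE_ACK_LIMIT))
        return CHALLENGE_ACK_LIMIT - seen

    def connection_exists(self, victim):
        # SYN/ACK: a challenge ACK if the connection exists, an unlimited plain RST if it does not
        return self.consumed([(victim, "SYN,ACK", 0)]) == 1

    def in_window(self, victim, seq):
        return self.consumed([(victim, "RST", seq % SEQ_MOD)]) == 1

    def find_in_window_seq(self, victim, step=1 << 16, batch=50):
        """Sweep the sequence space in strides no larger than the smallest expected window,
        several spoofed RSTs per round; the reply count says how many of them hit."""
        candidates = range(0, SEQ_MOD, step)       # a stride equal to RCV.NXT would reset the
        for i in range(0, len(candidates), batch):  # connection; the constructed victim avoids it
            group = candidates[i:i + batch]
            if self.consumed([(victim, "RST", s) for s in group]):
                return next(s for s in group if self.in_window(victim, s))

    def find_window_right_edge(self, victim, in_seq, max_wnd=1 << 30):
        """Binary search for the last in-window sequence number.  Every probe lies above a
        known in-window value, so none can equal RCV.NXT and reset the connection."""
        lo, hi = 0, max_wnd                        # offsets from in_seq: lo in-window, hi out
        while hi - lo > 1:
            mid = (lo + hi) // 2
            lo, hi = (mid, hi) if self.in_window(victim, in_seq + mid) else (lo, mid)
        return (in_seq + lo) % SEQ_MOD

def run_demo(per_socket_limit=False, victim_rcv_nxt=0x9E3779B9, victim_rcv_wnd=2 << 16):
    """Constructed scenario: 203.0.113.7 <-> 198.51.100.10:443, attacker at 192.0.2.99."""
    server = Server(per_socket_limit)
    victim = ("203.0.113.7", 51000, "198.51.100.10", 443)
    ghost = ("203.0.113.7", 51001, "198.51.100.10", 443)   # a four-tuple nobody is using
    me = ("192.0.2.99", 40000, "198.51.100.10", 443)        # the attacker's own connection
    server.add_connection(victim, victim_rcv_nxt, victim_rcv_wnd)
    server.add_connection(me, 1000, 65535)
    atk = OffPathAttacker(server, me, 1000)
    out = {"ghost_exists": atk.connection_exists(ghost), "exists": atk.connection_exists(victim),
           "in_seq": None, "right_edge": None}
    if out["exists"]:
        out["in_seq"] = atk.find_in_window_seq(victim)
        out["right_edge"] = atk.find_window_right_edge(victim, out["in_seq"])
    out["rounds"], out["victim_still_connected"] = atk.rounds, victim in server.conns
    return out

if __name__ == "__main__":
    print("global limit (vulnerable):", run_demo())
    print("per-socket limit (hardened):", run_demo(per_socket_limit=True))
```

Running the file prints both outcomes: against the shared counter the attacker confirms the victim four-tuple, rejects the unused one, finds an in-window sequence number and the exact right edge of the receive window in a few hundred rounds, and the victim connection survives; with a per-socket budget every probe returns 100 replies and the attacker learns nothing. Two things the model abstracts away, which the paper has to deal with, are synchronising with the server's one-second counter window (here `tick()` simply starts a fresh interval per round) and packet loss, which adds noise to the reply count.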

Cited By

  • (2023) Bijack: Breaking Bitcoin Network with TCP Vulnerabilities. Computer Security – ESORICS 2023, pp. 306-326. doi:10.1007/978-3-031-51479-1_16
  • (2021) The Side-Channel Vulnerability in Network Protocol. Proc. 2021 11th International Conference on Communication and Network Security, pp. 1-8. doi:10.1145/3507509.3507510
  • (2021) Realtime Robust Malicious Traffic Detection via Frequency Domain Analysis. Proc. 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3431-3446. doi:10.1145/3460120.3484585
  • (2020) Off-Path TCP Exploits of the Mixed IPID Assignment. Proc. 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 1323-1335. doi:10.1145/3372297.3417884

Published In

cover image IEEE/ACM Transactions on Networking
IEEE/ACM Transactions on Networking  Volume 26, Issue 2
April 2018
377 pages

Publisher

IEEE Press

Qualifiers

  • Research-article