SlideShare a Scribd company logo

Zhiyun Qian-what leaves attacker hijacking USA Today site

G
GeekPwn Keen

In GeekPwn2016 Mid-year Contest, doctoral student Cao Yue of Dr.Zhiyun Qian showed ‘TCP hijacking’ attack. This attack can pop up a fishing web page and steal user’s password. This vulnerability in TCP/IP stack exists in almost all Android and Linux editions. Explained by Cao Yue, this vulnerability is found by his director, Mr. Qian found this vulnerability by reviewing Linux kernel source code.

Internet
1 of 37
Download to read offline
Off-Path TCP Exploits: Global Rate Limit Considered Dangerous Zhiyun Qian, UC Riverside
Our TCP Attack • Discovered a subtle TCP side channel vulnerability in Linux 3.6+ (CVE-2016-5696) • Given any two arbitrary hosts on the internet, blind attacker can infer: • Existence of communication • Sequence number • ACK number • Can be used towards: • TCP connection termination attack • Malicious data injection attack
Outline • Threat Model • Background • Vulnerability • Our Attack • Evaluation • Defense & Conclusion
Outline • Threat Model • Background • Vulnerability • Our Attack • Evaluation • Defense & Conclusion
Threat Model • Consists of: • An arbitrary pair of client and server • A blind off-path attacker(no eavesdropping capability) • Assumption: the attacker can send spoofed packets with the victim (client or server)’s IP address Client Server Attacker Threat Model
Outline • Thread Model • Background • History of RFC 5961 • 3 modifications in RFC 5961 • Why does this vulnerability exist? • Vulnerability • Our Attack • Evaluation • Defense & Conclusion
Background • Traditional blind in-window attacks (brute force): • Connection termination & data injection attack • Requirements (spoofed packet with): • Guessed 4-tuple <src IP, dst IP, src port, dst port> • Guessed SEQ # is in-window (recv window) • RFC 5961 (Aug 2010) • Mitigate blind in-window attacks • Modification of receiving scheme • SYN receiving scheme • RST receiving scheme • Data receiving scheme • Ironically, Linux implementation introduced the side channel vulnerability
SYN Receiving Scheme • Before RFC 5961: blind RST Attack by sending spoofed SYN packet Sender Receiver SYN Out-of-Window ACK back In_Window Reset Connection After RFC 5961 Challenge ACK Challenge ACK RCV.NXT RCV.NXT+RCV.WND RCV_Window SEQ # Space Before RFC 5961SEQ #: Challenge ACK: ask sender to confirm if it indeed restarted
RST Receiving Scheme • Before RFC 5961: blind RST Attack by sending spoofed RST packet RST Out-of-Window Drop the Packet In-Window Reset Connection After RFC 5961 Exactly match Drop the Packet Challenge ACK Reset Connection Sender Receiver RCV.NXT RCV.NXT+RCV.WND RCV_Window SEQ # Space Before RFC 5961SEQ #: Challenge ACK: tell sender to confirm if it indeed terminated the connection
Data Receiving Scheme • Before RFC 5961: blind Data Injection Attack by injecting spoofed DATA packet In-RCV_Window —> Check ACK # After RFC 5961 In-Accpt_Window Process Data Out-of-Window Drop Challenge Window (Old ACK) Challenge ACK Drop Process Data SND.NXT SND.UNA Accept Window SND.UNA-2G Challenge Window ACK # Space Before RFC 5961 SEQ #: ACK #:
Why Does This Vulnerability Exist? • RFC 5961: a much stricter check on incoming packets • Challenge ACK is triggered in an established connection: • SYN packet with correct 4-tuples <srcIP, dstIP, srcPort, dstPort> (any SEQ #) • RST packet with 4-tuples, in-window SEQ # • Data packet with 4-tuples, in-window SEQ #, old ACK # (in challenge window) Port number SEQ number ACK number SYN-triggered challenge ACK RST-triggered challenge ACK ACK-triggered challenge ACK Rate limit of challenge ACK (recommended by RFC 5961) Linux followed faithfully Side-Channel Side-Channel Side-Channel SYN RST Data
Outline • Thread Model • Background • Vulnerability • Side channel vulnerability • Guess-Then-Check Method • Optimizations • Our Attack • Evaluation • Defense & Conclusion
Side Channel Vulnerability • sysctl_tcp_challenge_ack_limit: implemented in Linux 3.6+ • Global limit of all challenge ACK per sec, shared across all connections • Default value: 100 (reset per second) Client Server Attacker Side-Channel Vulnerability Example Any OS at Client!
Exploit The Vulnerability • Guess-then-Check method: • Send spoofed packets with guessed values • Example: to guess correct client-port number • If it’s a correct guess: 1 challenge ACK Client Server Attacker Guess Phase Check Phase Port number Inference SEQ number Inference ACK number Inference SYN-triggered challenge ACK RST-triggered challenge ACK Data-triggered challenge ACK
Guess-Then-Check Method • Send spoofed packets with guessed values • Example: to guess correct client-port number • If it’s a wrong guess: Client Server Attacker
Guess-Then-Check Method • Challenge: expensive time cost • N: maximum spoofed probing packets in one second • Bandwidth dependent Client Server Attacker
Guess-Then-Check Method • Same process works for guessing SEQ number and ACK number • Correct guess: • SEQ number • ACK number Client Server Attacker RST packet with correct 4-tuples, SEQ # in-window Data packet with 4-tuples, SEQ # in-window, old ACK # Port number Inference SEQ number Inference ACK number Inference SYN-triggered challenge ACK RST-triggered challenge ACK Data-triggered challenge ACK
Guess-Then-Check Method • Guess is correct when: • Src Port • SEQ number • ACK number • Traditional brute-force attack: 104•109•109=1022 different combinations • Our attack: Time cost is additive instead of multiplicative RST packet with correct 4-tuples, SEQ # in-window Data packet with correct 4-tuples, SEQ # in-window, old ACK SYN packet with correct 4-tuples Dst IP, Src IP Dst Port Src Port 104 SEQ number 109 ACK number 109 Possible to finish within 1 minute!
Optimizations • Binary-style search • Reduce the number of probing rounds • Multi-bin search • Further improvement • Redundancy-encoded search • Account for packet loss
Binary-style Search • Send spoofed packet for all the ports in the 1st half range. • Narrow down the search space by half and proceed to the next round …… If Challenge ACK # ==100If Challenge ACK # < 100 If Challenge ACK # ==100If Challenge ACK # < 100 …… Binary Search Algorithm
Outline • Thread Model • Background • Vulnerability • Our Attack • Attack overview • Time synchronization • Inference of possible TCP connection • TCP connection termination attack • TCP hijacking attack • Evaluation • Defense & Conclusion
Attack Overview • Given client and server, we already know: • Src IP address: client IP • Dst IP address: server IP • Dst Port number: service at server(e.g. 80) Pre-process: Time Synchronization Src Port Inference SEQ number Inference ACK number Inference Inference of existence of a TCP connection Connection Termination Attack Hijacking Attack
Time Synchronization • Challenge: • Challenge ACK count resets each second • All the spoofed and non-spoofed packets MUST be within the same 1-second interval at server • Our solution • A time synchronization strategy based on how many challenge ACKs are observed 1 second …………. 200 time slots RST ………….RST RST Time synchronization example
Inference Of Possible TCP Connection • Given src IP, dst IP and expected dst port: • To see if client opened a port • To infer src port: • 1. Throughout all port number[probe N ports in 1 sec] • To infer connection exists or not • 2. Find exact correct port number[Binary/Multi-bin search] • To be used for termination attacker or hijacking attack Src Port # Step1: Identify Port Range Step2: Identify Exact Port Src Port # Range size: N
TCP Connection Termination Attack • Given 4-tuples: src IP, dst IP, src Port, dst Port, • To send a RST packet with exactly matched SEQ # • Optimization: locate receive window first, then specific SEQ number Step1: identify the window range Step2: narrow down to a single window Step3: probe RCV.NXT RCV_WND RCV_WND RCV_WND Find Receive Window Find Exact SEQ # Range Size: N*Win_size
TCP Hijacking Attack • Challenge: a RST packet with correct SYN packet will terminate the connection • Main idea (take a detour): • 1. Locate rough SEQ # in-window (same as before) • 2. Use Data-based probing to infer a rough ACK # in window • 3. Use Data-based probing to infer exact SEQ # Rough SEQ # Inference Exact SEQ # Inference Termination Attack: Hijacking Attack: RST-based Probing Data-based Probing Rough ACK # Inference Exact SEQ # Inference X
Outline • Thread Model • Background • Vulnerability • Our Attack • Evaluation • Time micro-analysis • Case study: termination attack • Case study: hijacking attack • Defense & Conclusion
Evaluation: Time Cost • Time Micro-analysis: • Time cost differences in each step between Binary search and Multi-bin search • Time cost vs bandwidth Fig1. Time Breakdown Fig2. Attack intensity impact on time to succeed
Case Study: Termination Attack • Setting: client and attacker at different part of campus • EC2: 8 different regions • Success rate: 96% • Attack time: ~42s
Evaluation: Termination Attack • Setting: client and attacker at different part of campus • Tor: 8 different regions • Success rate: 89% • Attack time: ~61s •
Evaluation: Hijacking Attack • Target: long-lived TCP connection without using SSL/TLS • news website • advertisements connection • Behavior at USAToday: • Client refreshes data periodically(30s) • Requests may vary during time 30s 30s 30s Request Response Client Server
Evaluation: Hijacking Attack • Hijacking: the usatoday.com website • Desynchronization[1] • Injection Client ServerAttacker 30s Request Spoofed Request Response Spoofed Response Spoofed Response …… Spoofed Response Desynchronized [1]ABRAMOV, R., AND HERZBERG, A. Tcp ack storm dos attacks. Journal Computers and Security (2013).
Evaluation: Hijacking Attack • Hijacking: the usatoday.com website • Success rate of inferring the correct sequence and ACK number: 90% • Success rate of injecting the phishing window: 70% • Average Time Cost: 81.05s (with BW: 5000 pkt/s)
Video demo
Outline • Thread Model • Background • Vulnerability • Our Attack • Evaluation • Defense & Conclusion
Defense & Conclusion • Our defense scheme: • Add random noise to the channel (global challenge ACK rate limit) • Eliminate the side channel • Set sysctl_tcp_challenge_ack_limit to extremly large value [temporary] • Conclusion • Discovered a subtle yet critical flaw in the design and implementation of TCP in Linux 3.6+ • Demonstrated blind off-path TCP attacks within ~1 minute • Proposed defense schemes Patched in Linux kernel 4.7 in July 2016 Subsequent patch
Thank you! Q & A

Recommended

Huiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attackHuiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attack
GeekPwn Keen
 
Nick Stephens-how does someone unlock your phone with nose
Nick Stephens-how does someone unlock your phone with noseNick Stephens-how does someone unlock your phone with nose
Nick Stephens-how does someone unlock your phone with nose
GeekPwn Keen
 
Mitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacksMitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacks
JaeYeoul Ahn
 
Types Of Attack.
Types Of Attack.Types Of Attack.
Types Of Attack.
Greater Noida Institute Of Technology
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
vanhoefm
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
OWASP Delhi
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
James Dickenson
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi
 

Recommended

Huiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attackHuiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attack
GeekPwn Keen
 
Nick Stephens-how does someone unlock your phone with nose
Nick Stephens-how does someone unlock your phone with noseNick Stephens-how does someone unlock your phone with nose
Nick Stephens-how does someone unlock your phone with nose
GeekPwn Keen
 
Mitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacksMitm(man in the middle) ssl proxy attacks
Mitm(man in the middle) ssl proxy attacks
JaeYeoul Ahn
 
Types Of Attack.
Types Of Attack.Types Of Attack.
Types Of Attack.
Greater Noida Institute Of Technology
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
vanhoefm
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
OWASP Delhi
 
Extending Zeek for ICS Defense
Extending Zeek for ICS DefenseExtending Zeek for ICS Defense
Extending Zeek for ICS Defense
James Dickenson
 
Recon with Nmap
Recon with Nmap Recon with Nmap
Recon with Nmap
OWASP Delhi
 
SSLv3 and POODLE
SSLv3 and POODLESSLv3 and POODLE
SSLv3 and POODLE
Jerome Smith
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security
Filip Waeytens
 
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama ElhamerBSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
Shellmates
 
Ssl attacks
Ssl attacksSsl attacks
Ssl attacks
n|u - The Open Security Community
 
Wireless Hacking Fast Track
Wireless Hacking Fast TrackWireless Hacking Fast Track
Wireless Hacking Fast Track
Novizul Evendi
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stack
Alexandre Moneger
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
mark scott
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
Jerome Smith
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networks
guestf2e41
 
Cafe Latte
Cafe LatteCafe Latte
Cafe Latte
AirTight Networks
 
How to Hack WiFi on Windows
How to Hack WiFi on Windows How to Hack WiFi on Windows
How to Hack WiFi on Windows
Vrushank Narola
 
Nessus v6 command_line_reference
Nessus v6 command_line_referenceNessus v6 command_line_reference
Nessus v6 command_line_reference
Craig Cannon
 
Automated Deployment Using Jenkins Across Clusters
Automated Deployment Using Jenkins Across ClustersAutomated Deployment Using Jenkins Across Clusters
Automated Deployment Using Jenkins Across Clusters
Naveen S.R
 
Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte Attack
AirTight Networks
 
Caffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In ToorconCaffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In Toorcon
Md Sohail Ahmad
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
marcioalma
 
CNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingCNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed Hashing
Sam Bowne
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
Pranshu Pareek
 
Tomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSTomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNS
DefconRussia
 
Poodle
PoodlePoodle
Poodle
Mukesh Chaudhari
 
vulnerabilities in IP.pdf
vulnerabilities in IP.pdfvulnerabilities in IP.pdf
vulnerabilities in IP.pdf
MuhammadSufyanAbbasi1
 
Socket programming in C
Socket programming in CSocket programming in C
Socket programming in C
Deepak Swain
 

More Related Content

What's hot

BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama ElhamerBSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
Shellmates
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
mark scott
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networks
guestf2e41
 
Nessus v6 command_line_reference
Nessus v6 command_line_referenceNessus v6 command_line_reference
Nessus v6 command_line_reference
Craig Cannon
 
Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte Attack
AirTight Networks
 
Tomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSTomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNS
DefconRussia
 

What's hot (20)

SSLv3 and POODLE
SSLv3 and POODLESSLv3 and POODLE
SSLv3 and POODLE
 
The state of wireless security
The state of wireless security The state of wireless security
The state of wireless security
 
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama ElhamerBSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
BSides Algiers - Layer7 DoS Attacks - Oussama Elhamer
 
Ssl attacks
Ssl attacksSsl attacks
Ssl attacks
 
Wireless Hacking Fast Track
Wireless Hacking Fast TrackWireless Hacking Fast Track
Wireless Hacking Fast Track
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stack
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networks
 
Cafe Latte
Cafe LatteCafe Latte
Cafe Latte
 
How to Hack WiFi on Windows
How to Hack WiFi on Windows How to Hack WiFi on Windows
How to Hack WiFi on Windows
 
Nessus v6 command_line_reference
Nessus v6 command_line_referenceNessus v6 command_line_reference
Nessus v6 command_line_reference
 
Automated Deployment Using Jenkins Across Clusters
Automated Deployment Using Jenkins Across ClustersAutomated Deployment Using Jenkins Across Clusters
Automated Deployment Using Jenkins Across Clusters
 
Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte Attack
 
Caffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In ToorconCaffe Latte Attack Presented In Toorcon
Caffe Latte Attack Presented In Toorcon
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
CNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingCNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed Hashing
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
Tomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNSTomas Hlavacek - IP fragmentation attack on DNS
Tomas Hlavacek - IP fragmentation attack on DNS
 
Poodle
PoodlePoodle
Poodle
 

Similar to Zhiyun Qian-what leaves attacker hijacking USA Today site

Socket programming in C
Socket programming in CSocket programming in C
Socket programming in C
Deepak Swain
 
Socket网络编程
Socket网络编程Socket网络编程
Socket网络编程
qhm123
 
Hacking Cisco Networks and Countermeasures
Hacking Cisco Networks and CountermeasuresHacking Cisco Networks and Countermeasures
Hacking Cisco Networks and Countermeasures
dkaya
 

Similar to Zhiyun Qian-what leaves attacker hijacking USA Today site (20)

vulnerabilities in IP.pdf
vulnerabilities in IP.pdfvulnerabilities in IP.pdf
vulnerabilities in IP.pdf
 
Socket programming in C
Socket programming in CSocket programming in C
Socket programming in C
 
Socket网络编程
Socket网络编程Socket网络编程
Socket网络编程
 
Java socket programming
Java socket programmingJava socket programming
Java socket programming
 
Hacking Cisco Networks and Countermeasures
Hacking Cisco Networks and CountermeasuresHacking Cisco Networks and Countermeasures
Hacking Cisco Networks and Countermeasures
 
Part 7 : HTTP/2, UDP and TCP
Part 7 : HTTP/2, UDP and TCPPart 7 : HTTP/2, UDP and TCP
Part 7 : HTTP/2, UDP and TCP
 
Socket programming using C
Socket programming using CSocket programming using C
Socket programming using C
 
Transport Layer Description By Varun Tiwari
Transport Layer Description By Varun TiwariTransport Layer Description By Varun Tiwari
Transport Layer Description By Varun Tiwari
 
Cryptographic Protocols: Practical revocation and key rotation
Cryptographic Protocols: Practical revocation and key rotationCryptographic Protocols: Practical revocation and key rotation
Cryptographic Protocols: Practical revocation and key rotation
 
26 security2
26 security226 security2
26 security2
 
NETWORK SECURITY
NETWORK SECURITYNETWORK SECURITY
NETWORK SECURITY
 
Security attacks
Security attacksSecurity attacks
Security attacks
 
Auto mac rateless wireless concurrent medium access
Auto mac rateless wireless concurrent medium accessAuto mac rateless wireless concurrent medium access
Auto mac rateless wireless concurrent medium access
 
Lecture 5
Lecture 5Lecture 5
Lecture 5
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementations
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilities
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
 
What every Java developer should know about network?
What every Java developer should know about network?What every Java developer should know about network?
What every Java developer should know about network?
 
Load Balancing 101
Load Balancing 101Load Balancing 101
Load Balancing 101
 
Transport Control Protocol
Transport Control ProtocolTransport Control Protocol
Transport Control Protocol
 

More from GeekPwn Keen

PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...
PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...
PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...
GeekPwn Keen
 
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...
GeekPwn Keen
 
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...
GeekPwn Keen
 
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGE
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGEADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGE
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGE
GeekPwn Keen
 
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
GeekPwn Keen
 
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...
GeekPwn Keen
 
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...
GeekPwn Keen
 
Bo Li-they’ve created images that reliably fool neural network
Bo Li-they’ve created images that reliably fool neural networkBo Li-they’ve created images that reliably fool neural network
Bo Li-they’ve created images that reliably fool neural network
GeekPwn Keen
 

More from GeekPwn Keen (12)

PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...
PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...
PRACTICAL ADVERSARIAL ATTACKS AGAINST CHALLENGING MODELS ENVIRONMENTS - Moust...
 
THE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGE
THE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGETHE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGE
THE VANISHING TRICK FOR SELF-DRIVING CARS - Weilin Xu - DEF CON 26 CAAD VILLAGE
 
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...
TARGETED ADVERSARIAL EXAMPLES FOR BLACK BOX AUDIO SYSTEMS - Rohan Taori, Amog...
 
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...
TRANSFERABLE ADVERSARIAL PERTURBATIONS - Tencent Blade Team - DEF CON 26 CAA...
 
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGE
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGEADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGE
ADVERSARIAL^2 TRAINING - Yao Zhao, Yuzhe Zhao - DEF CON 26 CAAD VILLAGE
 
HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...
HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...
HOW TO LEVERAGE THE OPEN-SOURCE INFORMATION TO MAKE AN EFFECTIVE ADVERSARIAL ...
 
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
BOOSTING ADVERSARIAL ATTACKS WITH MOMENTUM - Tianyu Pang and Chao Du, THU - D...
 
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...
RECENT PROGRESS IN ADVERSARIAL DEEP LEARNING ATTACK AND DEFENSE - Wenbo Guo a...
 
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
WEAPONS FOR DOG FIGHT:ADAPTING MALWARE TO ANTI-DETECTION BASED ON GAN - Zhuan...
 
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...
Hardware Trojan Attacks on Neural Networks - Joseph Clements - DEF CON 26 CAA...
 
Bo Li-they’ve created images that reliably fool neural network
Bo Li-they’ve created images that reliably fool neural networkBo Li-they’ve created images that reliably fool neural network
Bo Li-they’ve created images that reliably fool neural network
 
Alexey kurakin-what's new in adversarial machine learning
Alexey kurakin-what's new in adversarial machine learningAlexey kurakin-what's new in adversarial machine learning
Alexey kurakin-what's new in adversarial machine learning
 

Recently uploaded

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
gajnagarg
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Priya Reddy
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
F
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
EleniIlkou
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
F
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
JOHNBEBONYAP1
 

Recently uploaded (20)

Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 

Zhiyun Qian-what leaves attacker hijacking USA Today site

  • 1. Off-Path TCP Exploits: Global Rate Limit Considered Dangerous Zhiyun Qian, UC Riverside
  • 2. Our TCP Attack • Discovered a subtle TCP side channel vulnerability in Linux 3.6+ (CVE-2016-5696) • Given any two arbitrary hosts on the internet, blind attacker can infer: • Existence of communication • Sequence number • ACK number • Can be used towards: • TCP connection termination attack • Malicious data injection attack
  • 3. Outline • Threat Model • Background • Vulnerability • Our Attack • Evaluation • Defense & Conclusion
  • 4. Outline • Threat Model • Background • Vulnerability • Our Attack • Evaluation • Defense & Conclusion
  • 5. Threat Model • Consists of: • An arbitrary pair of client and server • A blind off-path attacker(no eavesdropping capability) • Assumption: the attacker can send spoofed packets with the victim (client or server)’s IP address Client Server Attacker Threat Model
  • 6. Outline • Thread Model • Background • History of RFC 5961 • 3 modifications in RFC 5961 • Why does this vulnerability exist? • Vulnerability • Our Attack • Evaluation • Defense & Conclusion
  • 7. Background • Traditional blind in-window attacks (brute force): • Connection termination & data injection attack • Requirements (spoofed packet with): • Guessed 4-tuple <src IP, dst IP, src port, dst port> • Guessed SEQ # is in-window (recv window) • RFC 5961 (Aug 2010) • Mitigate blind in-window attacks • Modification of receiving scheme • SYN receiving scheme • RST receiving scheme • Data receiving scheme • Ironically, Linux implementation introduced the side channel vulnerability
  • 8. SYN Receiving Scheme • Before RFC 5961: blind RST Attack by sending spoofed SYN packet Sender Receiver SYN Out-of-Window ACK back In_Window Reset Connection After RFC 5961 Challenge ACK Challenge ACK RCV.NXT RCV.NXT+RCV.WND RCV_Window SEQ # Space Before RFC 5961SEQ #: Challenge ACK: ask sender to confirm if it indeed restarted
  • 9. RST Receiving Scheme • Before RFC 5961: blind RST Attack by sending spoofed RST packet RST Out-of-Window Drop the Packet In-Window Reset Connection After RFC 5961 Exactly match Drop the Packet Challenge ACK Reset Connection Sender Receiver RCV.NXT RCV.NXT+RCV.WND RCV_Window SEQ # Space Before RFC 5961SEQ #: Challenge ACK: tell sender to confirm if it indeed terminated the connection
  • 10. Data Receiving Scheme • Before RFC 5961: blind Data Injection Attack by injecting spoofed DATA packet In-RCV_Window —> Check ACK # After RFC 5961 In-Accpt_Window Process Data Out-of-Window Drop Challenge Window (Old ACK) Challenge ACK Drop Process Data SND.NXT SND.UNA Accept Window SND.UNA-2G Challenge Window ACK # Space Before RFC 5961 SEQ #: ACK #:
  • 11. Why Does This Vulnerability Exist? • RFC 5961: a much stricter check on incoming packets • Challenge ACK is triggered in an established connection: • SYN packet with correct 4-tuples <srcIP, dstIP, srcPort, dstPort> (any SEQ #) • RST packet with 4-tuples, in-window SEQ # • Data packet with 4-tuples, in-window SEQ #, old ACK # (in challenge window) Port number SEQ number ACK number SYN-triggered challenge ACK RST-triggered challenge ACK ACK-triggered challenge ACK Rate limit of challenge ACK (recommended by RFC 5961) Linux followed faithfully Side-Channel Side-Channel Side-Channel SYN RST Data
  • 12. Outline • Thread Model • Background • Vulnerability • Side channel vulnerability • Guess-Then-Check Method • Optimizations • Our Attack • Evaluation • Defense & Conclusion
  • 13. Side Channel Vulnerability • sysctl_tcp_challenge_ack_limit: implemented in Linux 3.6+ • Global limit of all challenge ACK per sec, shared across all connections • Default value: 100 (reset per second) Client Server Attacker Side-Channel Vulnerability Example Any OS at Client!
  • 14. Exploit The Vulnerability • Guess-then-Check method: • Send spoofed packets with guessed values • Example: to guess correct client-port number • If it’s a correct guess: 1 challenge ACK Client Server Attacker Guess Phase Check Phase Port number Inference SEQ number Inference ACK number Inference SYN-triggered challenge ACK RST-triggered challenge ACK Data-triggered challenge ACK
  • 15. Guess-Then-Check Method • Send spoofed packets with guessed values • Example: to guess correct client-port number • If it’s a wrong guess: Client Server Attacker
  • 16. Guess-Then-Check Method • Challenge: expensive time cost • N: maximum spoofed probing packets in one second • Bandwidth dependent Client Server Attacker
  • 17. Guess-Then-Check Method • Same process works for guessing SEQ number and ACK number • Correct guess: • SEQ number • ACK number Client Server Attacker RST packet with correct 4-tuples, SEQ # in-window Data packet with 4-tuples, SEQ # in-window, old ACK # Port number Inference SEQ number Inference ACK number Inference SYN-triggered challenge ACK RST-triggered challenge ACK Data-triggered challenge ACK
  • 18. Guess-Then-Check Method • Guess is correct when: • Src Port • SEQ number • ACK number • Traditional brute-force attack: 104•109•109=1022 different combinations • Our attack: Time cost is additive instead of multiplicative RST packet with correct 4-tuples, SEQ # in-window Data packet with correct 4-tuples, SEQ # in-window, old ACK SYN packet with correct 4-tuples Dst IP, Src IP Dst Port Src Port 104 SEQ number 109 ACK number 109 Possible to finish within 1 minute!
  • 19. Optimizations • Binary-style search • Reduce the number of probing rounds • Multi-bin search • Further improvement • Redundancy-encoded search • Account for packet loss
  • 20. Binary-style Search • Send spoofed packet for all the ports in the 1st half range. • Narrow down the search space by half and proceed to the next round …… If Challenge ACK # ==100If Challenge ACK # < 100 If Challenge ACK # ==100If Challenge ACK # < 100 …… Binary Search Algorithm
  • 21. Outline • Thread Model • Background • Vulnerability • Our Attack • Attack overview • Time synchronization • Inference of possible TCP connection • TCP connection termination attack • TCP hijacking attack • Evaluation • Defense & Conclusion
  • 22. Attack Overview • Given client and server, we already know: • Src IP address: client IP • Dst IP address: server IP • Dst Port number: service at server(e.g. 80) Pre-process: Time Synchronization Src Port Inference SEQ number Inference ACK number Inference Inference of existence of a TCP connection Connection Termination Attack Hijacking Attack
  • 23. Time Synchronization • Challenge: • Challenge ACK count resets each second • All the spoofed and non-spoofed packets MUST be within the same 1-second interval at server • Our solution • A time synchronization strategy based on how many challenge ACKs are observed 1 second …………. 200 time slots RST ………….RST RST Time synchronization example
  • 24. Inference Of Possible TCP Connection • Given src IP, dst IP and expected dst port: • To see if client opened a port • To infer src port: • 1. Throughout all port number[probe N ports in 1 sec] • To infer connection exists or not • 2. Find exact correct port number[Binary/Multi-bin search] • To be used for termination attacker or hijacking attack Src Port # Step1: Identify Port Range Step2: Identify Exact Port Src Port # Range size: N
  • 25. TCP Connection Termination Attack • Given 4-tuples: src IP, dst IP, src Port, dst Port, • To send a RST packet with exactly matched SEQ # • Optimization: locate receive window first, then specific SEQ number Step1: identify the window range Step2: narrow down to a single window Step3: probe RCV.NXT RCV_WND RCV_WND RCV_WND Find Receive Window Find Exact SEQ # Range Size: N*Win_size
  • 26. TCP Hijacking Attack • Challenge: a RST packet with correct SYN packet will terminate the connection • Main idea (take a detour): • 1. Locate rough SEQ # in-window (same as before) • 2. Use Data-based probing to infer a rough ACK # in window • 3. Use Data-based probing to infer exact SEQ # Rough SEQ # Inference Exact SEQ # Inference Termination Attack: Hijacking Attack: RST-based Probing Data-based Probing Rough ACK # Inference Exact SEQ # Inference X
  • 27. Outline • Thread Model • Background • Vulnerability • Our Attack • Evaluation • Time micro-analysis • Case study: termination attack • Case study: hijacking attack • Defense & Conclusion
  • 28. Evaluation: Time Cost • Time Micro-analysis: • Time cost differences in each step between Binary search and Multi-bin search • Time cost vs bandwidth Fig1. Time Breakdown Fig2. Attack intensity impact on time to succeed
  • 29. Case Study: Termination Attack • Setting: client and attacker at different part of campus • EC2: 8 different regions • Success rate: 96% • Attack time: ~42s
  • 30. Evaluation: Termination Attack • Setting: client and attacker at different part of campus • Tor: 8 different regions • Success rate: 89% • Attack time: ~61s •
  • 31. Evaluation: Hijacking Attack • Target: long-lived TCP connection without using SSL/TLS • news website • advertisements connection • Behavior at USAToday: • Client refreshes data periodically(30s) • Requests may vary during time 30s 30s 30s Request Response Client Server
  • 32. Evaluation: Hijacking Attack • Hijacking: the usatoday.com website • Desynchronization[1] • Injection Client ServerAttacker 30s Request Spoofed Request Response Spoofed Response Spoofed Response …… Spoofed Response Desynchronized [1]ABRAMOV, R., AND HERZBERG, A. Tcp ack storm dos attacks. Journal Computers and Security (2013).
  • 33. Evaluation: Hijacking Attack • Hijacking: the usatoday.com website • Success rate of inferring the correct sequence and ACK number: 90% • Success rate of injecting the phishing window: 70% • Average Time Cost: 81.05s (with BW: 5000 pkt/s)
  • 35. Outline • Thread Model • Background • Vulnerability • Our Attack • Evaluation • Defense & Conclusion
  • 36. Defense & Conclusion • Our defense scheme: • Add random noise to the channel (global challenge ACK rate limit) • Eliminate the side channel • Set sysctl_tcp_challenge_ack_limit to extremly large value [temporary] • Conclusion • Discovered a subtle yet critical flaw in the design and implementation of TCP in Linux 3.6+ • Demonstrated blind off-path TCP attacks within ~1 minute • Proposed defense schemes Patched in Linux kernel 4.7 in July 2016 Subsequent patch