Detecting TCP/IP Connections via IPID Hash Collisions

Abstract

We present a novel attack for detecting the presence of an active TCP connection between a remote Linux server and an arbitrary client machine. The attack takes advantage of side-channels present in the Linux kernel's handling of the values used to populate an IPv4 packet's IPID field and applies to kernel versions 4.0 and higher. We implement and test this attack and evaluate its real-world effectiveness and performance when used on active connections to popular web servers. Our evaluation shows that the attack is capable of correctly detecting the IP-port 4-tuple representing an active TCP connection in 84% of our mock attacks. We also demonstrate how the attack can be used by the middle onion router in a Tor circuit to test whether a given client is connected to the guard entry node associated with a given circuit. In addition, we discuss the potential issues an attacker would face when attempting to scale it to real-world attacks, as well as possible mitigations against the attack. Our attack does not exhaust any global resource, and therefore challenges the notion that there is a direct one-to-one correspondence between shared, limited resources and non-trivial network side-channels. This means that simply enumerating global shared resources and considering the ways in which they can be exhausted will not suffice for certifying a kernel TCP/IP network stack to be free of privacy-risk side-channels.
