Fragmentation Considered Vulnerable

We show that fragmented IPv4 and IPv6 traffic is vulnerable to effective interception and denial-of-service (DoS) attacks by an off-path attacker. Specifically, we demonstrate a weak attacker intercepting more than 80% of the data between peers and causing an over 94% loss rate. We show that our attacks are practical through experimental validation on popular industrial and open-source products, with realistic network setups that involve NAT or tunneling and include concurrent legitimate traffic as well as packet losses. The interception attack requires a zombie agent behind the same NAT or tunnel gateway as the victim destination; the DoS attack only requires a puppet agent, that is, a sandboxed applet or script running in a web-browser context. The complexity of our attacks depends on the predictability of the IP Identification (ID) field, which is typically implemented as one or multiple counters, as allowed and recommended by the IP specifications. The attacks are much simpler and more efficient against implementations, such as Windows, that use one ID counter for all destinations. Therefore, much of our focus is on presenting effective attacks against implementations, such as Linux, that use per-destination ID counters. We present practical defenses against the attacks described in this article; the defenses can be deployed on network firewalls without changes to hosts or the operating system kernel.
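
The abstract ties attack complexity to how a host generates the IP ID field. As an added example, not code from the paper, the following Python classifies a host's observed IP IDs as one global counter, per-destination counters, or unpredictable, the kind of audit a defender runs to judge how exposed a host is before deciding where the firewall-side defenses are needed; the packet samples are constructed.

```python
"""Classify IP Identification (ID) generation from observed outgoing packets.

Added example, not from the paper.  Input is a list of (destination, ip_id)
tuples in capture order, all sent by the host being audited."""
from collections import defaultdict

# Constructed samples (not real captures): three hosts with different ID policies.
GLOBAL_COUNTER = [("10.0.0.2", 100), ("10.0.0.3", 101), ("10.0.0.2", 102),
                  ("10.0.0.3", 103), ("10.0.0.2", 104)]
PER_DEST = [("10.0.0.2", 500), ("10.0.0.3", 9000), ("10.0.0.2", 501),
            ("10.0.0.3", 9001), ("10.0.0.2", 502)]
RANDOM_IDS = [("10.0.0.2", 43112), ("10.0.0.3", 7), ("10.0.0.2", 61920),
              ("10.0.0.3", 22004), ("10.0.0.2", 1183)]


def _is_counter(ids, tolerance):
    """True if every step to the next ID is a small positive increment
    modulo 2**16, i.e. the values behave like a counter, not random draws.
    `tolerance` absorbs packets missing from the capture (loss, other traffic)."""
    return all(0 < (b - a) % 65536 <= tolerance for a, b in zip(ids, ids[1:]))


def classify_ip_id(samples, tolerance=8):
    """Return one of:
    'global'          one counter shared by all destinations (the Windows-style
                      policy the abstract describes as easiest to attack);
    'per-destination' a counter only when grouped by destination (Linux-style),
                      so an attacker must learn the counter of the victim pair;
    'unpredictable'   neither holds, e.g. randomised IDs;
    'insufficient'    too few packets to judge."""
    if len(samples) < 2:
        return "insufficient"
    if _is_counter([i for _, i in samples], tolerance):
        return "global"
    per_dest = defaultdict(list)
    for dst, ip_id in samples:
        per_dest[dst].append(ip_id)
    if not any(len(ids) > 1 for ids in per_dest.values()):
        return "insufficient"
    if all(_is_counter(ids, tolerance) for ids in per_dest.values()):
        return "per-destination"
    return "unpredictable"


if __name__ == "__main__":
    for name, s in (("global", GLOBAL_COUNTER), ("per-dest", PER_DEST),
                    ("random", RANDOM_IDS)):
        print(f"{name:9s} -> {classify_ip_id(s)}")
```

Feed it real (destination, ID) pairs read from a capture of a host's outbound traffic; a 'global' verdict is the case the abstract singles out as simplest to attack.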
