Off-Path Hacking: The Illusion of Challenge-Response Authentication

Everyone is concerned about Internet security, yet most traffic isn't cryptographically protected. The typical justification is that most attackers are off path and can't intercept traffic; hence, intuitively, challenge-response defenses should suffice to ensure authenticity. Often, the challenges reuse existing header fields to protect widely deployed protocols such as TCP and DNS. This practice might give an illusion of security. Recent off-path TCP injection and DNS poisoning attacks enable attackers to circumvent existing challenge-response defenses. Both TCP and DNS attacks are nontrivial, yet practical. The attacks foil widely deployed security mechanisms and allow a wide range of exploits, such as long-term caching of malicious objects and scripts.
