Off-Path TCP Exploits of the Challenge ACK Global Rate Limit

In this paper, we report a subtle yet serious side channel vulnerability (CVE-2016-5696) introduced by a recent Transmission Control Protocol (TCP) specification, the challenge ACK mechanism of RFC 5961. The specification is faithfully implemented in Linux kernel version 3.6 (from 2012) and later, and so affects a wide range of devices and hosts; the root cause is that the rate limit on challenge ACKs is a single global counter shared by all connections on the host, which an attacker can read through its own connection. In a nutshell, the vulnerability allows a blind off-path attacker to infer whether any two arbitrary hosts on the Internet are communicating over a TCP connection. Further, if the connection exists, the off-path attacker can also infer the TCP sequence numbers in use on both sides of the connection, which in turn allows the attacker to cause connection termination and perform data injection attacks. We illustrate how the attack can be leveraged to disrupt or degrade the privacy guarantees of an anonymity network such as Tor, and to hijack web connections. Through extensive experiments, we show that the attack is fast and reliable: on average it takes about 40 to 60 s to finish, with a success rate of 88% to 97%. Finally, we propose changes to both the TCP specification and its implementation to eliminate the root cause of the problem (the Linux fix, shipped in 4.7, randomizes the per-second challenge ACK count so that it can no longer be used as a precise oracle).
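The following simulation is an added example, not code from the paper: it models a simplified RFC 5961 receiver with a host-wide challenge-ACK budget (the assumed default of 100 per second, as in Linux 3.6 to 4.6), an off-path attacker that owns one legitimate connection to the victim and can spoof packets for another, and the RST rules that make the budget leak: an RST whose sequence number equals rcv_nxt resets the connection, an in-window RST elicits a challenge ACK, an out-of-window RST is dropped. The attacker sends one spoofed probe, then drains the budget from its own connection and counts the challenge ACKs it gets back; receiving fewer than 100 means the spoofed probe consumed one, so its sequence number was in-window. Repeating this over the sequence space locates the target connection's receive window, and a binary search then pins down the upper window edge without ever hitting rcv_nxt exactly (which would tear the connection down, the termination attack of the paper). The last function shows why randomizing the budget (as the Linux 4.7 fix does, roughly half the limit plus a random offset) destroys the oracle's accuracy. The four-tuples, sequence numbers, window sizes and the one-probe-per-second timing are constructed for the model; real traffic from other hosts also consumes challenge ACKs, which the paper handles by repeating trials and which this model ignores.

```python
import random

CHALLENGE_ACK_LIMIT = 100   # assumed default of net.ipv4.tcp_challenge_ack_limit (model parameter)
MOD = 1 << 32

# Constructed four-tuples: the attacker's own connection and the victim client/server pair.
OWN = ("10.0.0.2", 40000, "198.51.100.10", 80)
TARGET = ("203.0.113.5", 51234, "198.51.100.10", 80)
TARGET_NXT, TARGET_WND = 0x9ABCDEF0, 1 << 20


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


class Victim:
    """Simplified RFC 5961 receiver with one host-wide challenge-ACK budget per second."""

    def __init__(self, conns, randomize=False, rng=None):
        self.conns = dict(conns)            # four-tuple -> (rcv_nxt, rcv_wnd)
        self.randomize = randomize
        self.rng = rng if rng is not None else random.Random(0)
        self.resets = 0
        self.new_second()

    def new_second(self):
        # Pre-4.7 Linux: fixed budget. 4.7 mitigation: half + random(limit), unpredictable.
        if self.randomize:
            half = (CHALLENGE_ACK_LIMIT + 1) // 2
            self.budget = half + self.rng.randrange(CHALLENGE_ACK_LIMIT)
        else:
            self.budget = CHALLENGE_ACK_LIMIT

    def _challenge_ack(self):
        if self.budget > 0:
            self.budget -= 1
            return True
        return False

    def rst(self, four_tuple, seq):
        """RFC 5961 3.2 RST handling. Returns True iff a challenge ACK was sent."""
        conn = self.conns.get(four_tuple)
        if conn is None:
            return False                    # no such connection: dropped
        rcv_nxt, rcv_wnd = conn
        if seq == rcv_nxt:                  # exact match: connection torn down
            del self.conns[four_tuple]
            self.resets += 1
            return False
        if in_window(seq, rcv_nxt, rcv_wnd):
            return self._challenge_ack()    # in-window: challenge ACK (shared budget)
        return False                        # out-of-window: dropped


class Attacker:
    """Blind off-path attacker: owns OWN, spoofs packets for TARGET, sees only OWN's replies."""

    def __init__(self, victim, own_tuple):
        self.victim, self.own = victim, own_tuple
        self.own_nxt = victim.conns[own_tuple][0]   # attacker knows its own connection state

    def probe(self, spoofed_tuple, seq):
        """One 1-second round: spoofed RST, then drain the budget and count replies.
        Returns True iff the spoofed RST consumed a challenge ACK (seq was in-window)."""
        self.victim.new_second()
        self.victim.rst(spoofed_tuple, seq)         # reply, if any, goes to the real client
        # own_nxt + 1 is in-window but never equals rcv_nxt, so it only elicits challenge ACKs
        got = sum(self.victim.rst(self.own, self.own_nxt + 1) for _ in range(CHALLENGE_ACK_LIMIT))
        return got < CHALLENGE_ACK_LIMIT

    def find_window_edge(self, target, stride):
        """Scan with stride <= rcv_wnd to find any in-window seq, then binary-search the
        first out-of-window value above it, i.e. rcv_nxt + rcv_wnd."""
        hit = next((s for s in range(0, MOD, stride) if self.probe(target, s)), None)
        if hit is None:
            return None                             # no connection on that four-tuple
        lo, hi = hit, hit + stride                  # invariant: lo in-window, hi out-of-window
        while self.probe(target, hi % MOD):
            hi += stride
        while hi - lo > 1:
            mid = (lo + hi) // 2                    # mid > lo >= rcv_nxt: never resets
            if self.probe(target, mid % MOD):
                lo = mid
            else:
                hi = mid
        return hi % MOD


def make_victim(randomize=False, rng=None):
    return Victim({OWN: (1000, 1 << 16), TARGET: (TARGET_NXT, TARGET_WND)}, randomize, rng)


def infer_upper_edge():
    """Fixed budget: recover rcv_nxt + rcv_wnd of TARGET; also report accidental resets."""
    victim = make_victim()
    return Attacker(victim, OWN).find_window_edge(TARGET, stride=TARGET_WND), victim.resets


def oracle_accuracy(randomize, trials=200, seed=1):
    """Fraction of single-probe in-window/out-of-window decisions that are correct."""
    rng, correct = random.Random(seed), 0
    for t in range(trials):
        truth = t % 2 == 0
        seq = TARGET_NXT + 5 if truth else 0x12345678      # in-window vs. far out-of-window
        correct += Attacker(make_victim(randomize, rng), OWN).probe(TARGET, seq) == truth
    return correct / trials


if __name__ == "__main__":
    edge, resets = infer_upper_edge()
    print(f"upper edge 0x{edge:08x} (true 0x{TARGET_NXT + TARGET_WND:08x}), resets={resets}")
    print("fixed budget accuracy:", oracle_accuracy(False))
    print("randomized budget accuracy:", oracle_accuracy(True))
```

With the fixed budget the oracle is exact and the scan plus binary search recovers the window edge with a few thousand one-second rounds; with the randomized budget a single round is right only about half the time, which is the property the proposed mitigation relies on (an attacker would need many rounds per bit and still faces ambiguity).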
