ONIS: Inferring TCP/IP-based Trust Relationships Completely Off-Path

We present ONIS, a new scanning technique that can perform network measurements such as inferring TCP/IP-based trust relationships off-path, stealthily port scanning a target without using the scanner's own IP address, and detecting off-path packet drops between two international hosts. These tasks typically rely on a core technique called the idle scan, a special kind of port scan that appears to come from a third machine called a zombie. The scanner learns the target's status from the zombie by using the zombie's TCP/IP side channels. Unfortunately, the idle scan assumes that the zombie has IP identifiers (IPIDs) which exhibit the now-discouraged behavior of being globally incrementing, and this kind of IPID counter is becoming increasingly rare in practice. Our technique, unlike the idle scan, is based on a much more advanced IPID generation scheme, that of the prevalent Linux kernel. Although Linux's IPID generation scheme is specifically intended to reduce information flow, we show that using Linux machines as zombies in an indirect scan is still possible. ONIS has 87% accuracy, which is comparable to nmap's implementation of the idle scan at 86%. ONIS's much broader choice of zombies will enable it to be a widely used technique that can fulfill various network measurement tasks.
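The abstract's central point is that the classic idle scan works only because a globally incrementing IPID counter leaks information about the zombie's traffic with third parties. The following simulation, added here as an illustration and not code from the ONIS paper or from nmap, models that information flow without sending any packets: a zombie with one shared counter versus a zombie with a simplified per-destination counter (a stand-in for Linux's hashed per-destination IPID generation; the real kernel also mixes in a secret and time-based offsets, which this model omits). All names, the sample IP strings and the starting counter values are constructed for the example.

```python
"""Model of the IPID side channel the classic idle scan depends on.

This is a pure simulation (no sockets, no spoofing): it shows why a
globally incrementing IPID counter leaks the zombie's interactions with
other hosts, and why a per-destination counter closes that channel.
"""

IPID_MASK = 0xFFFF  # the IPID is a 16-bit field, so counters wrap


class GlobalCounterZombie:
    """Zombie whose IP stack uses one IPID counter for every destination.

    This is the now-discouraged behaviour the idle scan assumes.
    """

    def __init__(self, start: int = 1000) -> None:
        self.counter = start

    def send(self, dst: str) -> int:
        """Emit one packet to dst and return the IPID it carried."""
        self.counter = (self.counter + 1) & IPID_MASK
        return self.counter


class PerDestinationZombie:
    """Zombie that keeps a separate IPID counter per destination.

    Simplified stand-in for Linux's per-destination IPID scheme (assumption:
    the kernel's secret hash and time-based offsets are left out).
    """

    def __init__(self) -> None:
        self.counters: dict[str, int] = {}

    def send(self, dst: str) -> int:
        self.counters[dst] = (self.counters.get(dst, 0) + 1) & IPID_MASK
        return self.counters[dst]


def zombie_replies_to_probe(zombie, scanner_ip: str) -> int:
    """The zombie answers an unsolicited probe with a RST; the IPID on that
    RST is the only thing an off-path observer learns from the zombie."""
    return zombie.send(scanner_ip)


def target_reacts_to_forged_syn(zombie, target_ip: str, port_open: bool) -> None:
    """Model the target's reaction to a SYN that appears to come from the zombie.

    Open port: the target sends SYN/ACK to the zombie, and the zombie answers
    it with a RST, consuming one IPID.  Closed port: the target sends a RST,
    which the zombie silently drops, consuming nothing.
    """
    if port_open:
        zombie.send(target_ip)


def observed_ipid_delta(zombie, scanner_ip: str, target_ip: str, port_open: bool) -> int:
    """Run one idle-scan round in the model and return the IPID gap the
    observer sees between its two probes of the zombie."""
    before = zombie_replies_to_probe(zombie, scanner_ip)
    target_reacts_to_forged_syn(zombie, target_ip, port_open)
    after = zombie_replies_to_probe(zombie, scanner_ip)
    return (after - before) & IPID_MASK  # mask handles 16-bit wrap-around


def classic_verdict(delta: int) -> str:
    """The idle scan's decision rule: a gap of 2 means the zombie talked to
    someone else in between (port open); a gap of 1 means it did not."""
    return {1: "closed", 2: "open"}.get(delta, "unknown")


def leaks_port_state(zombie_factory) -> bool:
    """True if the observer's verdict changes with the target's real state,
    i.e. the zombie's IPID scheme is usable as a side channel."""
    open_delta = observed_ipid_delta(zombie_factory(), "198.51.100.7", "203.0.113.9", True)
    closed_delta = observed_ipid_delta(zombie_factory(), "198.51.100.7", "203.0.113.9", False)
    return classic_verdict(open_delta) != classic_verdict(closed_delta)


if __name__ == "__main__":
    print("global counter leaks port state:", leaks_port_state(GlobalCounterZombie))
    print("per-destination counter leaks port state:", leaks_port_state(PerDestinationZombie))
```

With the shared counter the observer's two probes straddle the zombie's RST to the target, so the gap is 2 for an open port and 1 for a closed one. With per-destination counters the RST to the target advances a counter the observer never sees, so the gap is always 1 and the verdict carries no information; this is exactly the "reduce information flow" property the abstract attributes to Linux, and the reason ONIS needs a different inference than the idle scan.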
