Off-Path TCP Exploits of the Mixed IPID Assignment

08/29/2020
by   Xuewei Feng, et al.
0

In this paper, we uncover a new off-path TCP hijacking attack that can be used to terminate victim TCP connections or inject forged data into victim TCP connections by manipulating the new mixed IPID assignment method, which is widely used in Linux kernel version 4.18 and beyond to help defend against TCP hijacking attacks. The attack has three steps. First, an off-path attacker can downgrade the IPID assignment for TCP packets from the more secure per-socket-based policy to the less secure hash-based policy, building a shared IPID counter that forms a side channel on the victim. Second, the attacker detects the presence of TCP connections by observing the shared IPID counter on the victim. Third, the attacker infers the sequence number and the acknowledgment number of the detected connection by observing the side channel of the shared IPID counter. Consequently, the attacker can completely hijack the connection, i.e., resetting the connection or poisoning the data stream. We evaluate the impacts of this off-path TCP attack in the real world. Our case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing tables show its threat on a wide range of applications. Our experimental results show that our off-path TCP attack can be constructed within 215 seconds and the success rate is over 88 exploit and develop a new IPID assignment method to defeat this attack. We prototype our defense in Linux 4.18 and confirm its effectiveness through extensive evaluation over real applications on the Internet.

READ FULL TEXT
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 3

page 6

page 7

page 8

page 9

page 12

page 13

01/14/2018

Towards Realistic Threat Modeling: Attack Commodification, Irrelevant Vulnerabilities, and Unrealistic Assumptions

Current threat models typically consider all possible ways an attacker c...
10/01/2021

Evaluating Susceptibility of VPN Implementations to DoS Attacks Using Adversarial Testing

Many systems today rely heavily on virtual private network (VPN) technol...
09/21/2020

Information Signaling: A Counter-Intuitive Defense Against Password Cracking

We introduce password strength information signaling as a novel, yet cou...
10/19/2020

The Impact of DNS Insecurity on Time

We demonstrate the first practical off-path time shifting attacks agains...
11/16/2021

Practical Timing Side Channel Attacks on Memory Compression

Compression algorithms are widely used as they save memory without losin...
08/12/2021

On the RIS Manipulating Attack and Its Countermeasures in Physical-layer Key Generation

Reconfigurable Intelligent Surface (RIS) is a new paradigm that enables ...
03/06/2020

Me Love (SYN-)Cookies: SYN Flood Mitigation in Programmable Data Planes

The SYN flood attack is a common attack strategy on the Internet, which ...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.