
Off-Path TCP Sequence Number Inference Attack How Firewall Middleboxes Reduce Security

33rd Security & Privacy (May, 2012). Zhiyun Qian, Zhuoqing Morley Mao, University of Michigan.





Presentation Transcript


  1. 33rd Security & Privacy (May, 2012). Zhiyun Qian, Zhuoqing Morley Mao, University of Michigan. Off-Path TCP Sequence Number Inference Attack: How Firewall Middleboxes Reduce Security

  2. Outline
     • Introduction
     • Fundamentals of the TCP Sequence Number Inference Attack
     • TCP Attack Analysis and Design
     • Attack Implementation and Experimental Results
     • Vulnerable Networks
     • Discussion
     A Seminar at Advanced Defense Lab

  3. Introduction
     • TCP was initially designed without many security considerations.
     • 4-tuple: local IP, local port, foreign IP, foreign port
     • Off-path spoofing attacks

  4. Off-Path Spoofing Attacks
     • One of the critical patches is the randomization of TCP initial sequence numbers (ISNs): RFC 6528 [link]
     • Firewall vendors soon realized that they can in fact perform sequence number checking at network-based firewalls and actively drop invalid packets even before they reach end-hosts

  5. Fundamentals of the TCP Sequence Number Inference Attack
     • Sequence-Number-Checking Firewalls

  6. Sequence-Number-Checking Firewalls
     • Window size
        • Fixed
        • 64K x 2^N, where N is the window scaling factor carried in the SYN and SYN-ACK packets
     • Left-only or right-only window
     • Window moving behavior
        • Window advancing
        • Window shifting
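As an added illustration (not code from the paper or the slides): a simplified Python model of the per-packet check such a firewall performs, using the slide's window size of 64K x 2^N and a fixed left-only or right-only window. The "advance" and "shift" moving behaviours are assumed simplifications, not the exact semantics of any vendor's product; the point is that forward-vs-drop is a pure function of the sequence number and the window state, which is what the side channels on later slides expose.

```python
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def window_size(scale):
    """Window the firewall tracks: 64K x 2^N, with N taken from the window
    scaling option seen in the SYN / SYN-ACK exchange."""
    return (64 * 1024) << scale


class SeqCheckFirewall:
    """Fixed-size window anchored at the last accepted sequence number.

    side: 'right' (window lies above the anchor) or 'left' (below it).
    mode: 'advance' (anchor only ever moves forward) or 'shift' (anchor
          re-anchors on any accepted packet). Both are assumed simplifications.
    """

    def __init__(self, isn, scale, side="right", mode="advance"):
        self.win = window_size(scale)
        self.side = side
        self.mode = mode
        self.edge = isn % MOD  # anchor: last accepted in-window sequence number

    def bounds(self):
        """Return (lo, hi) of the half-open window [lo, hi), modulo 2^32."""
        if self.side == "right":
            return self.edge, (self.edge + self.win) % MOD
        return (self.edge - self.win) % MOD, self.edge

    def in_window(self, seq):
        lo, _ = self.bounds()
        return (seq - lo) % MOD < self.win  # wrap-safe range test

    def check(self, seq):
        """True if the packet is forwarded, False if silently dropped."""
        seq %= MOD
        if not self.in_window(seq):
            return False  # out-of-window: dropped, window state untouched
        if self.mode == "shift":
            self.edge = seq
        elif (seq - self.edge) % MOD < (1 << 31):
            self.edge = seq  # advancing: move only when seq is ahead of the anchor
        return True
```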

  7. Threat Model
     • On-site TCP injection/hijacking
        • Unprivileged malware runs on the client with network access and can read the list of active connections through standard OS interfaces.
     • Off-site TCP injection
        • Only when the target connection is long-lived
     • Establishing TCP connections using spoofed IPs

  8. Obtaining Feedback – Side Channels
     • OS packet counters
     • IPIDs from responses of intermediate middleboxes
        • An attacker can craft packets with TTL values large enough to reach the firewall middlebox, but small enough that they terminate at an intermediate middlebox instead of the end-host, triggering TTL-expired messages.

  9. Sequence Number Inference

  10. Timing of Inference and Injection — TCP Hijacking
     • For the TCP sequence number inference and subsequent data injection to be successful, a critical challenge is timing.
     • To address the challenge, we design and implement a number of TCP hijacking attacks.

  11. TCP Attack Analysis and Design
     • Two base requirements for all attacks
        • The ability to spoof the legitimate server's IP
        • A sequence-number-checking firewall is deployed

  12. Attack Requirements

  13. On-site TCP Hijacking
     • Reset-the-server

  14. On-site TCP Hijacking
     • Preemptive-SYN Hijacking

  15. On-site TCP Hijacking
     • Hit-and-run Hijacking

  16. Off-site TCP Injection/Hijacking
     • URL phishing
        • An attacker can also acquire target four-tuples by luring a user to visit a malicious webpage that subsequently redirects the user to a legitimate target website.
        • Not implemented in this paper.

  17. Off-site TCP Injection/Hijacking
     • Long-lived connection inference
        • An approach we discovered is to send a single ICMP error message (e.g., network or port unreachable) to query a four-tuple.
        • It passes through the firewall and triggers a TTL-expired message

  18. Establish Spoofed Connections
     • We found many such unresponsive IPs in the nation-wide cellular network that we tested.

  19. Attack Implementation and Experimental Results
     • Client platform
        • Android 2.2 and 2.3.4
        • TCP window scaling factor: 2 and 4
        • Vendors: HTC, Samsung, and Motorola
     • Network
        • An anonymized nation-wide carrier that widely deploys firewall middleboxes at the GGSN level

  20. Side-channel
     • /proc/net/snmp: InSegs
        • the number of incoming TCP packets received
     • /proc/net/netstat: PAWSEstab
        • the number of packets received with an old timestamp
     • IPID side-channel
        • the noise level is quite tolerable.
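As an added, defender-side example (not from the paper or the slides): a parser for the /proc/net/snmp and /proc/net/netstat layout the slide refers to, plus a delta check that flags a burst of PAWSEstab rejections, which is how such probing looks from the host's own counters. The snapshots below are constructed samples with fewer fields than the real files, and the 50 rejections per second threshold is an assumption.

```python
# Constructed /proc snapshots (real files carry more fields; layout is the same):
# a header line of counter names followed by a value line, one pair per protocol.
SNMP_T0 = """\
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens CurrEstab InSegs OutSegs InErrs OutRsts
Tcp: 1 200 120000 -1 40 3 5 18230 17950 0 3
"""
SNMP_T1 = SNMP_T0.replace("18230", "22330")  # 4100 more incoming segments
NETSTAT_T0 = """\
TcpExt: SyncookiesSent SyncookiesRecv PAWSActive PAWSEstab DelayedACKs
TcpExt: 0 0 0 3 120
"""
NETSTAT_T1 = NETSTAT_T0.replace("0 0 0 3 120", "0 0 0 2003 121")  # 2000 PAWS rejects


def parse_proc_counters(text):
    """Parse the /proc/net/snmp and /proc/net/netstat layout into
    {protocol: {counter: value}}; MaxConn may legitimately be -1."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected header/value line pairs")
    table = {}
    for hdr, val in zip(lines[0::2], lines[1::2]):
        proto, names = hdr.split(":", 1)
        proto_v, nums = val.split(":", 1)
        if proto != proto_v:
            raise ValueError("prefix mismatch: %r vs %r" % (proto, proto_v))
        table[proto] = dict(zip(names.split(), (int(n) for n in nums.split())))
    return table


def snapshot(snmp_text, netstat_text):
    """One combined view of both files taken at the same moment."""
    table = parse_proc_counters(snmp_text)
    table.update(parse_proc_counters(netstat_text))
    return table


def counter_deltas(before, after, keys):
    """Increase of selected counters between two snapshots; keys are
    (protocol, counter) pairs such as ('Tcp', 'InSegs')."""
    return {c: after[p][c] - before[p][c] for p, c in keys}


def paws_burst(before, after, interval_s, max_per_s=50.0):
    """Host-side detection heuristic (threshold is an assumption): PAWSEstab
    counts segments on established connections rejected for a stale
    timestamp. It barely moves in normal traffic, so a sharp per-second rise
    means the host is absorbing a flood of segments that got past the firewall."""
    d = counter_deltas(before, after, [("TcpExt", "PAWSEstab")])
    return d["PAWSEstab"] / interval_s > max_per_s
```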

  21. Sequence Number Inference
     • Assuming a cellular RTT of 200 ms
        • 32 rounds for a binary search over the 4G (2^32) sequence space
        • About 10 s in practice
     • N-way search
     • Mix all methods
        • It takes only about 4–5 seconds to complete the inference

  22. On-site TCP Hijacking
     • Android 2.3.4 + m.facebook.com + PlanetLab server [link]

  23. Reset-the-server [Demo]
     • We leverage requirement C4, which tells the attacker that the victim connection's ISN is at most 2^24 away from the ISN of the attacker-initiated connection.
     • Since RST packets with any sequence number that falls in the receive window can terminate the connection.
     • P. A. Watson. "Slipping in the Window: TCP Reset Attacks," 2004.

  24. Reset-the-server
     • The max number of required RSTs
        • server_init_window
        • m.facebook.com: 4380 → requires 7661 RSTs
        • twitter.com: 5840 → requires 5746 RSTs
        • chase.com: 32805

  25. Reset-the-server
     • Bandwidth requirements
        • 327 Kbps ~ 12 Mbps

  26. Hit-and-run
     • Bandwidth requirements
        • WIN is 64K x 2^window_scaling_factor
        • For the two OSes: 26 Mbps and 6.6 Mbps

  27. On-site TCP Hijacking

  28. Off-site TCP Injection
     • URL phishing
        • Not implemented, because NAT is deployed.
     • Long-lived connection inference
        • A particular push server IP 74.125.65.188 and port 5228
        • About 7.8% of the IPs have a connection with the server

  29. Establish Spoofed Connections
     • Find unresponsive IPs
        • We send a SYN packet with a spoofed IP from the attack phone inside the cellular network to our attack server, which responds with a legitimate SYN-ACK.
        • 80% of IPs are unresponsive.
     • We can make about 0.6 successful connections per second on average with more than 90% success rate

  30. Vulnerable Networks
     • We deployed a mobile application (referred to as MobileApp) on the Android market.
     • The data were collected between Apr 25th, 2011 and Oct 17th, 2011 over 149 uniquely identified carriers

  31. Firewall Implementation Types
     • Overall, out of the 149 carriers, we found 47 carriers (31.5%) that deploy sequence-number-checking firewalls.

  32. Intermediate Hop Feedback
     • 24 carriers have responsive intermediate hops that reply with TTL-expired ICMP packets.
     • 8 carriers have NATs that allow single-ICMP-packet probing to infer active four-tuples.

  33. Discussion
     • Firewall design
     • Side-channels
     • HTTPS-only world

  34. Q & A
