Off-Path TCP Sequence Number Inference Attack: How Firewall Middleboxes Reduce Security
Zhiyun Qian and Zhuoqing Morley Mao (University of Michigan), 33rd IEEE Symposium on Security & Privacy (May 2012). Seminar slides covering the paper: introduction, fundamentals of the TCP sequence number inference attack, TCP attack analysis and design, attack implementation and experimental results, vulnerable networks, discussion.
OFF-PATH TCP SEQUENCE NUMBER INFERENCE ATTACK: HOW FIREWALL MIDDLEBOXES REDUCE SECURITY
Zhiyun Qian, Zhuoqing Morley Mao, University of Michigan
33rd IEEE Symposium on Security & Privacy (May 2012)
A Seminar at Advanced Defense Lab 2
Outline
- Introduction
- Fundamentals of the TCP Sequence Number Inference Attack
- TCP Attack Analysis and Design
- Attack Implementation and Experimental Results
- Vulnerable Networks
- Discussion
2012/4/30
Introduction
- TCP was initially designed without many security considerations.
- A connection is identified by its 4-tuple: local IP, local port, foreign IP, foreign port.
- Off-path spoofing attacks: an attacker who cannot observe the connection has to guess both the 4-tuple and the sequence number.
Off-Path Spoofing Attacks
- One of the critical patches is the randomization of TCP initial sequence numbers (ISNs), RFC 6528 [link].
- Firewall vendors soon realized that they can in fact perform sequence number checking at network-based firewalls and actively drop packets with out-of-window sequence numbers before they even reach the end hosts.
Fundamentals of the TCP Sequence Number Inference Attack
Sequence-Number-Checking Firewalls
Sequence-Number-Checking Firewalls
- Window size: fixed at 64K x 2^N, where N is the window scaling factor carried in the SYN and SYN-ACK packets.
- Left-only or right-only window: the window extends to only one side of the sequence number the firewall tracks.
- Window moving behavior: window advancing or window shifting.
Threat Model
- On-site TCP injection/hijacking: unprivileged malware runs on the client with network access and can list the active connections through standard OS interfaces.
- Off-site TCP injection: only when the target connection is long-lived.
- Establishing TCP connections using spoofed IPs.
Obtaining Feedback: Side Channels
- OS packet counters.
- IPIDs from responses of intermediate middleboxes: an attacker can craft packets with TTL values large enough to reach the firewall middlebox but small enough that they expire at an intermediate hop instead of the end host, triggering TTL-expired ICMP messages; a reply therefore shows that the probe was passed by the firewall.
Sequence Number Inference
Timing of Inference and Injection: TCP Hijacking
- For the TCP sequence number inference and the subsequent data injection to succeed, a critical challenge is timing, since the sequence number keeps moving while the connection carries data.
- To address this challenge, the authors design and implement a number of TCP hijacking attacks.
TCP Attack Analysis and Design
Two base requirements for all attacks:
- The ability to spoof the legitimate server's IP.
- A sequence-number-checking firewall deployed on the path.
Attack Requirements
On-site TCP Hijacking
Reset-the-server
On-site TCP Hijacking
Preemptive-SYN Hijacking
On-site TCP Hijacking
Hit-and-run Hijacking
Off-site TCP Injection/Hijacking: URL phishing
- An attacker can also acquire target four-tuples by luring a user to visit a malicious webpage that subsequently redirects the user to a legitimate target website.
- This variant is not implemented in the paper.
Off-site TCP Injection/Hijacking: Long-lived connection inference
- The approach found in the paper is to send a single ICMP error message (e.g., network or port unreachable) that quotes the four-tuple to be queried.
- If the four-tuple is active, the ICMP message passes through the firewall and, with a suitable TTL, triggers a TTL-expired message from an intermediate hop; otherwise it is dropped and nothing comes back.
Establish Spoofed Connections
- Spoofing requires IPs that do not answer the unsolicited SYN-ACK (a live host would reply with a RST and tear the spoofed connection down); the authors found many such unresponsive IPs in the nation-wide cellular network they tested.
Attack Implementation and Experimental Results
Client platform
- Android 2.2 and 2.3.4; TCP window scaling factors of 2 and 4; vendors: HTC, Samsung, and Motorola.
Network
- An anonymized nation-wide carrier that widely deploys firewall middleboxes at the GGSN level.
Side channels
- /proc/net/snmp, InSegs: the number of incoming TCP segments received.
- /proc/net/netstat, PAWSEstab: incremented when a packet with an old timestamp is received on an established connection.
- IPID side channel: the noise level is quite tolerable.
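Both /proc files share one layout: a header line naming the fields of a group (Tcp:, TcpExt:, ...) followed by a value line with the integers in the same order. The parser below is an added example written for this page, not tooling from the paper; it extracts Tcp.InSegs and TcpExt.PAWSEstab by name and reports how much each moved across one probe. The file contents are constructed samples with invented values and a trimmed column list (the real files carry many more fields; keying by name makes that irrelevant).

```python
"""Read the Linux TCP counters the slide uses as side channels.

Added example: parses the header/value line pairs of /proc/net/snmp and
/proc/net/netstat and reports the change across one probe.  The sample file
contents below are constructed (made-up values, trimmed column lists)."""

# Constructed snapshot taken *before* a spoofed probe is sent.
SNMP_BEFORE = """\
Ip: Forwarding DefaultTTL InReceives InDelivers OutRequests
Ip: 2 64 48213 48201 39877
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts
Tcp: 1 200 120000 -1 57 3 2 1 4 18231 17002 12 0 3
"""
# Same host one RTT later: one in-window probe reached the TCP stack.
SNMP_AFTER = SNMP_BEFORE.replace(" 18231 ", " 18232 ")

NETSTAT_BEFORE = """\
TcpExt: SyncookiesSent SyncookiesRecv PAWSPassive PAWSActive PAWSEstab DelayedACKs
TcpExt: 0 0 0 0 5 310
"""
# A probe carrying a stale TCP timestamp is in-window for the firewall but is
# rejected by PAWS at the host, so it bumps PAWSEstab instead of being
# processed as data.
NETSTAT_AFTER = NETSTAT_BEFORE.replace(" 5 310", " 6 310")


def parse_proc_counters(text):
    """Return {'Group.Field': int} for /proc/net/snmp-style text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected header/value line pairs")
    counters = {}
    for header, values in zip(lines[0::2], lines[1::2]):
        group, names = header.split(":", 1)
        vgroup, vals = values.split(":", 1)
        if group != vgroup:
            raise ValueError(f"header {group!r} paired with values {vgroup!r}")
        names, vals = names.split(), vals.split()
        if len(names) != len(vals):
            raise ValueError(f"{group}: {len(names)} names, {len(vals)} values")
        for name, val in zip(names, vals):
            counters[f"{group}.{name}"] = int(val)
    return counters


def counter_delta(before_text, after_text, key):
    """How far one counter moved between two snapshots."""
    return parse_proc_counters(after_text)[key] - parse_proc_counters(before_text)[key]


def probe_reached_host(before_text, after_text, key="Tcp.InSegs", probes_sent=1):
    """Did at least `probes_sent` probes get past the firewall?

    Any other traffic in the interval also moves Tcp.InSegs, so an attacker
    repeats the measurement or uses TcpExt.PAWSEstab, which normal traffic
    rarely touches."""
    return counter_delta(before_text, after_text, key) >= probes_sent


def read_live(path="/proc/net/snmp"):
    """Read the real file (Linux only; world-readable on the Android versions
    the paper tested, restricted for apps on newer releases)."""
    with open(path, encoding="ascii") as fh:
        return parse_proc_counters(fh.read())


if __name__ == "__main__":
    print("InSegs delta:", counter_delta(SNMP_BEFORE, SNMP_AFTER, "Tcp.InSegs"))
    print("PAWSEstab delta:",
          counter_delta(NETSTAT_BEFORE, NETSTAT_AFTER, "TcpExt.PAWSEstab"))
```

Tcp.InSegs moves for every incoming segment on the host, so a delta of one is ambiguous under background traffic; a probe that is in-window for the firewall but carries a stale TCP timestamp lands in TcpExt.PAWSEstab, which ordinary traffic rarely increments, and that is why the slide lists it. Newer Android releases restrict app access to /proc/net; the unprivileged read assumed in the threat model applied to the versions the paper tested.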
Sequence Number Inference
- Assuming a cellular RTT of 200 ms, a binary search over the 4G sequence space takes 32 rounds, about 10 s in practice.
- N-way search: send several probes per round to cut the number of rounds.
- Mixing all methods, it takes only about 4-5 seconds to complete the inference.
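The inference can be seen end to end in a small simulation. This is an added example written for this page, not code from the paper or the seminar: it models a sequence-number-checking firewall with the properties listed earlier (fixed window of 64K x 2^N, one-sided window, window advancing) and a client whose incoming-segment counter is the side channel, then runs the binary search and the N-way search against it. The concrete accept rule (only the left edge is enforced, so with 32-bit sequence arithmetic every segment in the half-space [left, left + 2^31) passes, and a forwarded data segment within WIN of the edge advances it) is an assumption chosen so that each probe answers one yes/no question, which is what makes a 32-round search over the 4G space possible; real middleboxes differ in detail.

```python
"""Toy model of a sequence-number-checking firewall and off-path sequence
number inference (added example; the firewall behaviour is an assumption)."""

SEQ_SPACE = 1 << 32
HALF = 1 << 31


class SeqCheckingFirewall:
    """Middlebox state for one connection, server -> client direction.

    Assumed accept rule: only the left (lower) edge is enforced and compared
    with 32-bit sequence arithmetic, so a segment is forwarded iff its seq is
    in [left, left + 2^31).  WIN is the fixed 64K x 2^N window from the
    slides; a forwarded data segment starting within WIN of the edge moves
    the edge past its payload (window advancing)."""

    def __init__(self, isn, scaling_factor):
        self.left = isn % SEQ_SPACE
        self.win = (64 * 1024) << scaling_factor

    def passes(self, seq):
        return (seq - self.left) % SEQ_SPACE < HALF

    def forward(self, seq, payload_len, client):
        """Deliver the segment to the client if it is in window."""
        if not self.passes(seq):
            return False            # dropped before it reaches the end host
        client.in_segs += 1         # side channel: /proc/net/snmp Tcp InSegs
        if payload_len and (seq - self.left) % SEQ_SPACE < self.win:
            self.left = (seq + payload_len) % SEQ_SPACE
        return True


class Client:
    """Victim host; in_segs models the OS-wide incoming TCP segment counter."""

    def __init__(self):
        self.in_segs = 0


def make_oracle(firewall, client):
    """On-site attacker: read the counter, send one spoofed empty segment with
    the server's IP, read the counter again.  Background traffic that also
    moves the counter is ignored in this model."""
    def probe(seq):
        before = client.in_segs
        firewall.forward(seq % SEQ_SPACE, 0, client)
        return client.in_segs > before
    return probe


def infer_left_edge(probe, k=1):
    """Locate the firewall's left edge with k probes per round.

    k=1 is the binary search from the slides (32 rounds for the 4G space);
    k>1 is the N-way search: within the candidate range a probe passes iff it
    is at or beyond the edge, so the number of passing probes tells which of
    the k+1 sub-ranges holds the edge.  Returns (edge, rounds, probes_sent)."""
    # Round 1: a probe at 2^31-1 passes iff the edge lies in [0, 2^31).
    start, length, rounds, sent = 0, SEQ_SPACE, 1, 1
    if probe(HALF - 1):
        length = HALF
    else:
        start, length = HALF, HALF
    while length > 1:
        # cuts[1..k] are the probe positions; the edge lies in exactly one of
        # the sub-ranges (cuts[j], cuts[j+1]].
        cuts = [start - 1]
        cuts += [start + (j * length) // (k + 1) - 1 for j in range(1, k + 1)]
        cuts.append(start + length - 1)
        passed = sum(probe(c) for c in cuts[1:-1])
        sent += k
        rounds += 1
        lo, hi = cuts[k - passed], cuts[k - passed + 1]
        start, length = lo + 1, hi - lo
    return start % SEQ_SPACE, rounds, sent


def run_attack(isn, scaling_factor, k=1, payload=b"injected"):
    """Infer the edge, then inject one spoofed data segment at it."""
    fw, victim = SeqCheckingFirewall(isn, scaling_factor), Client()
    edge, rounds, sent = infer_left_edge(make_oracle(fw, victim), k)
    injected = fw.forward(edge, len(payload), victim)
    return {"true_edge": isn % SEQ_SPACE, "inferred": edge,
            "rounds": rounds, "probes": sent, "injected": injected,
            "edge_after_injection": fw.left}


if __name__ == "__main__":
    print(run_attack(0x9A3F2C71, scaling_factor=2))        # binary search
    print(run_attack(0x9A3F2C71, scaling_factor=2, k=3))   # 4-way search
```

With k=1 the search takes 32 rounds for 32 probes; with k=3 it takes 17 rounds for 49 probes, which is the round-trips-versus-bandwidth trade the N-way search makes. The probes carry no payload, so in this model they never move the edge; the injected data segment afterwards does, which is the window-advancing behaviour the slides list.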
On-site TCP Hijacking
Android 2.3.4 + m.facebook.com + PlanetLab server [link]
Reset-the-server [Demo]
- Leverages requirement C4, which tells the attacker that the victim connection's ISN is at most 2^24 away from the ISN of the attacker-initiated connection.
- A RST packet with any sequence number that falls in the receive window terminates the connection (P. A. Watson, "Slipping in the Window: TCP Reset Attacks," 2004).
Reset-the-server
The max number of required RSTs = 2 x 2^24 / rwnd_server
- m.facebook.com: server initial window 4380, requires 7661 RSTs
- twitter.com: 5840, requires 5746 RSTs
- chase.com: 32805
Reset-the-server
Bandwidth requirement = (2 x 2^24 / rwnd_server) x 40 bytes x 8 bits / RTT
327 Kbps ~ 12 Mbps
Hit-and-run
Bandwidth requirement = (2^32 / WIN) x 40 bytes x 8 bits / RTT, where WIN = 64K x 2^window_scaling_factor
For the two OSes (window scaling factors 2 and 4) this is 26 Mbps and 6.6 Mbps respectively.
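The two bandwidth figures come from the same arithmetic, and the RST count is worth checking rather than trusting. The code below is an added example, not from the paper: it generates the spoofed RST sequence numbers for reset-the-server, confirms that one of them lands in the server's receive window for any victim ISN within 2^24 of the attacker's own, and evaluates both cost formulas with the 40-byte header-only packets and the 200 ms RTT the slides assume. The server-side acceptance model (a RST whose seq falls in [rcv_nxt, rcv_nxt + rwnd) is honoured) is the Watson condition cited above; the attacker ISN and victim offsets in the demo are made up.

```python
"""Cost of the reset-the-server and hit-and-run hijacks (added example)."""

import math

SEQ_SPACE = 1 << 32
ISN_SPREAD = 1 << 24          # requirement C4: |victim ISN - attacker ISN| <= 2^24
PKT_BYTES = 40                # IPv4 + TCP header, no options, no payload


def reset_the_server_rsts(rwnd_server):
    """The slide's count: cover the 2 x 2^24 range of possible ISNs in steps
    of the server's receive window."""
    return math.ceil(2 * ISN_SPREAD / rwnd_server)


def hit_and_run_packets(scaling_factor):
    """One packet per firewall window across the 4G space, WIN = 64K x 2^N."""
    win = (64 * 1024) << scaling_factor
    return SEQ_SPACE // win


def bandwidth_bps(packets, rtt_s, pkt_bytes=PKT_BYTES):
    """All packets have to leave within one RTT."""
    return packets * pkt_bytes * 8 / rtt_s


def rst_sweep(attacker_isn, rwnd_server):
    """Spoofed RST sequence numbers for reset-the-server.

    Steps of rwnd_server upward from attacker_isn - 2^24.  One more RST than
    the slide's count is generated: ceil(2^25 / rwnd) steps stop at or just
    short of attacker_isn + 2^24, so the top of the range needs it."""
    first = attacker_isn - ISN_SPREAD
    n = reset_the_server_rsts(rwnd_server) + 1
    return [(first + i * rwnd_server) % SEQ_SPACE for i in range(n)]


def server_accepts_rst(rcv_nxt, rwnd, seq):
    """Watson: a RST is honoured if its seq is anywhere in the receive window."""
    return (seq - rcv_nxt) % SEQ_SPACE < rwnd


def first_effective_rst(attacker_isn, victim_isn, rwnd_server):
    """Index of the RST that resets the victim connection, or None.
    The victim's server-side rcv_nxt is taken to be its ISN (no data yet)."""
    for i, seq in enumerate(rst_sweep(attacker_isn, rwnd_server)):
        if server_accepts_rst(victim_isn, rwnd_server, seq):
            return i
    return None


def cost_table(rtt_s=0.2):
    """Reproduce the slide's numbers (server initial windows as listed there):
    {name: (packets, Mbps)}."""
    rows = {}
    for host, rwnd in (("m.facebook.com", 4380), ("twitter.com", 5840),
                       ("chase.com", 32805)):
        n = reset_the_server_rsts(rwnd)
        rows[host] = (n, round(bandwidth_bps(n, rtt_s) / 1e6, 2))
    for n_scale in (2, 4):
        n = hit_and_run_packets(n_scale)
        rows[f"hit-and-run N={n_scale}"] = (n, round(bandwidth_bps(n, rtt_s) / 1e6, 2))
    return rows


if __name__ == "__main__":
    for name, (pkts, mbps) in cost_table().items():
        print(f"{name:18s} {pkts:6d} packets  {mbps:6.2f} Mbps at 200 ms RTT")
    print("RST index that resets a victim 2^24 above the attacker's ISN:",
          first_effective_rst(0x1000_0000, 0x1000_0000 + ISN_SPREAD, 4380))
```

At 200 ms the slide's upper figure (about 12 Mbps for m.facebook.com) and both hit-and-run figures (26 Mbps and 6.6 Mbps) come straight out of bandwidth_bps. The 327 Kbps lower bound equals chase.com's 1023 RSTs (327,360 bits) spread over a one-second RTT, so the slide's range spans RTTs from 200 ms to 1 s, which it does not state explicitly.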
On-site TCP Hijacking
Off-site TCP Injection
URL phishing
- Not implemented, because NAT is deployed.
Long-lived connection inference
- Probed a particular push server, IP 74.125.65.188 and port 5228; about 7.8% of the IPs have a connection with that server.
Establish Spoofed Connections
Finding unresponsive IPs
- A SYN packet with a spoofed source IP is sent from the attack phone inside the cellular network to the attack server, which responds with a legitimate SYN-ACK to the spoofed address.
- About 80% of the IPs are unresponsive. On average about 0.6 successful spoofed connections per second can be made, with a success rate above 90%.
Vulnerable Networks
- A mobile application (referred to as MobileApp) was deployed on the Android Market.
- Data were collected between Apr 25, 2011 and Oct 17, 2011 over 149 uniquely identified carriers.
Firewall Implementation Types
- Overall, out of the 149 carriers, 47 (31.5%) deploy sequence-number-checking firewalls.
Intermediate Hop Feedback
- 24 carriers have responsive intermediate hops that reply with TTL-expired ICMP packets.
- 8 carriers have NATs that allow single-ICMP-packet probing to infer active four-tuples.
Discussion
- Firewall design
- Side channels
- HTTPS-only world
Q & A