Off-Path TCP Sequence Number Inference Attack: How Firewall Middleboxes Reduce Security
DESCRIPTION
33rd IEEE Symposium on Security & Privacy (May 2012). Zhiyun Qian, Zhuoqing Morley Mao, University of Michigan. Off-Path TCP Sequence Number Inference Attack: How Firewall Middleboxes Reduce Security. Outline. Introduction. Fundamentals of the TCP Sequence Number Inference Attack
TRANSCRIPT
OFF-PATH TCP SEQUENCE NUMBER INFERENCE ATTACK
HOW FIREWALL MIDDLEBOXES REDUCE SECURITY
Zhiyun Qian, Zhuoqing Morley Mao, University of Michigan
33rd IEEE Symposium on Security & Privacy (May 2012)
A Seminar at Advanced Defense Lab
Outline
- Introduction
- Fundamentals of the TCP Sequence Number Inference Attack
- TCP Attack Analysis and Design
- Attack Implementation and Experimental Results
- Vulnerable Networks
- Discussion
2012/4/30
Introduction
- TCP was initially designed without many security considerations.
- A connection is identified by its 4-tuple: local IP, local port, foreign IP, foreign port.
- Off-path spoofing attacks
Off-Path Spoofing Attacks
- One of the critical patches is the randomization of TCP initial sequence numbers (ISN), RFC 6528.
- Firewall vendors soon realized that they can in fact perform sequence number checking at network-based firewalls and actively drop invalid packets even before they reach the end-hosts.
Fundamentals of the TCP Sequence Number Inference Attack
Sequence-Number-Checking Firewalls
Sequence-Number-Checking Firewalls
- Window size
  - Fixed: 64K x 2^N, where N is the window scaling factor carried in the SYN and SYN-ACK packets.
- Left-only or right-only window
- Window moving behavior
  - Window advancing
  - Window shifting
Threat Model
- On-site TCP injection/hijacking
  - Unprivileged malware runs on the client with network access and can read the list of active connections through a standard OS interface.
- Off-site TCP injection
  - Only when the target connection is long-lived
- Establish TCP connections using spoofed IPs
Obtaining Feedback – Side Channels
- OS packet counters
- IPIDs from responses of intermediate middleboxes
  - An attacker can craft packets with TTL values large enough to reach the firewall middlebox, but small enough that they terminate at an intermediate middlebox instead of the end-host, triggering TTL-expired messages.
Sequence Number Inference
Timing of Inference and Injection — TCP Hijacking
- For the TCP sequence number inference and subsequent data injection to be successful, a critical challenge is timing.
- To address the challenge, we design and implement a number of TCP hijacking attacks.
TCP Attack Analysis and Design
- Two base requirements for all attacks:
  - The ability to spoof the legitimate server's IP
  - A sequence-number-checking firewall deployed on the path
Attack Requirements
On-site TCP Hijacking: Reset-the-server
On-site TCP Hijacking: Preemptive-SYN Hijacking
On-site TCP Hijacking: Hit-and-run Hijacking
Off-site TCP Injection/Hijacking: URL phishing
- An attacker can also acquire target four-tuples by luring a user to visit a malicious webpage that subsequently redirects the user to a legitimate target website.
- This variant is not implemented in the paper.
Off-site TCP Injection/Hijacking: Long-lived connection inference
- An approach the paper discovers is sending a single ICMP error message (e.g., network or port unreachable) to query a four-tuple.
- If the four-tuple is active, the message passes through the firewall and triggers a TTL-expired message that the attacker can observe.
Establish Spoofed Connections
- A spoofed connection only completes if the spoofed source IP does not answer the unsolicited SYN-ACK (e.g., with a RST).
- We found that there are many such unresponsive IPs in the nation-wide cellular network that we tested.
Attack Implementation and Experimental Results
- Client platform
  - Android 2.2 and 2.3.4
  - TCP window scaling factor: 2 and 4
  - Vendors: HTC, Samsung, and Motorola
- Network
  - An anonymized nation-wide carrier that widely deploys firewall middleboxes at the GGSN level
Side-channels
- /proc/net/snmp: InSegs, the number of incoming TCP segments received
- /proc/net/netstat: PAWSEstab, incremented when a packet with an old timestamp is received on an established connection
- IPID side-channel: the noise level is quite tolerable.
Sequence Number Inference
- Assuming a cellular RTT of 200 ms, a binary search over the 4G (2^32) sequence number space needs 32 probe rounds.
- About 10 s in practice
- N-way search
- Mixing all methods, it takes only about 4–5 seconds to complete the inference.
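The following is an added example written for this page, not code from the paper: a Python model of the inference loop against the fixed-window sequence-number-checking firewall from the "Sequence-Number-Checking Firewalls" slide, driven by either of the two feedback channels from the side-channel slides (a host packet counter like InSegs for the on-site attacker, or the global IPID of an intermediate hop read through the attacker's own TTL-limited probes for an off-site attacker). Everything below is the example's own assumption rather than something the page states: the firewall keeps a fixed, non-moving window [left, left + WIN) and silently drops every other server-to-client segment (the left-only/right-only and window-advancing/shifting variants are not modeled), the client receives no other traffic during the probe, the hop uses a single global IPID counter, and the class and function names are invented for the example.

```python
"""Toy model of TCP sequence number inference through a sequence-number-checking
firewall.  Example written for this page, not the paper's code.  Assumed: a fixed,
non-moving window [left, left + WIN) at the firewall, an idle client, the ability
to spoof the server's IP, and one global IPID counter at the hop behind the firewall."""
from dataclasses import dataclass
from typing import Callable, Iterable

SEQ_SPACE = 1 << 32

def window_size(scale: int) -> int:
    """Fixed firewall window of 64K x 2^N, N = TCP window scaling factor."""
    return (1 << 16) << scale

def in_window(seq: int, left: int, win: int) -> bool:
    """Half-open window [left, left + win) with 32-bit wraparound."""
    return (seq - left) % SEQ_SPACE < win

@dataclass
class Client:
    in_segs: int = 0  # like InSegs in /proc/net/snmp: every TCP segment received

@dataclass
class Hop:
    ipid: int = 0  # global IPID counter of a middlebox behind the firewall

    def ttl_expired(self) -> int:
        """Emit an ICMP time-exceeded and return the IPID it carries."""
        self.ipid = (self.ipid + 1) & 0xFFFF
        return self.ipid

@dataclass
class Firewall:
    left: int
    win: int
    client: Client
    hop: Hop

    def forward(self, seq: int, ttl: int = 64) -> None:
        """Drop out-of-window segments; in-window ones die at the hop (TTL 1) or reach the client."""
        if not in_window(seq % SEQ_SPACE, self.left, self.win):
            return
        if ttl <= 1:
            self.hop.ttl_expired()  # reply goes to the spoofed source, not the attacker
        else:
            self.client.in_segs += 1

def host_counter_oracle(fw: Firewall) -> Callable[[Iterable[int]], int]:
    """On-site attacker: malware on the client reads the InSegs-like counter."""
    def passes(seqs):
        before = fw.client.in_segs
        for s in seqs:
            fw.forward(s)
        return fw.client.in_segs - before
    return passes

def ipid_oracle(fw: Firewall) -> Callable[[Iterable[int]], int]:
    """Off-site attacker: bracket spoofed TTL-limited probes with own probes to the
    hop and count the extra ICMP replies (IPID increments) emitted in between."""
    def passes(seqs):
        first = fw.hop.ttl_expired()  # attacker's own probe; this reply is seen
        for s in seqs:
            fw.forward(s, ttl=1)  # spoofed; expires at the hop only if the firewall passed it
        last = fw.hop.ttl_expired()
        return (last - first - 1) & 0xFFFF
    return passes

def infer_left_edge(passes, win: int):
    """Return (inferred left edge, number of oracle reads, i.e. round trips)."""
    rounds = 0
    # Phase 1: exactly one multiple of WIN lies inside the window, so binary-search
    # its chunk index with batched probes; out-of-window probes are simply dropped.
    lo, hi = 0, SEQ_SPACE // win
    while hi - lo > 1:
        mid = (lo + hi) // 2
        rounds += 1
        if passes(k * win for k in range(lo, mid)) > 0:
            hi = mid
        else:
            lo = mid
    hit = lo * win
    # Phase 2: left lies in (hit - WIN, hit]; "hit - d passes" is monotonic in d.
    lo_d, hi_d = 0, win  # invariant: hit - lo_d passes, hit - hi_d does not
    while hi_d - lo_d > 1:
        mid = (lo_d + hi_d) // 2
        rounds += 1
        if passes([hit - mid]) > 0:
            lo_d = mid
        else:
            hi_d = mid
    return (hit - lo_d) % SEQ_SPACE, rounds

def run(left: int, scale: int, channel: str):
    """Track one connection at the firewall and infer its window via 'counter' or 'ipid'."""
    win = window_size(scale)
    fw = Firewall(left % SEQ_SPACE, win, Client(), Hop())
    oracle = host_counter_oracle(fw) if channel == "counter" else ipid_oracle(fw)
    return infer_left_edge(oracle, win)

if __name__ == "__main__":
    print(run(0x12345678, 2, "counter"), run(0x12345678, 2, "ipid"))
```

In this model phase 1 costs log2(2^32 / WIN) oracle reads and phase 2 log2(WIN), so 32 reads in total for any scaling factor, each read being one round trip; that is the 32-round budget the slide gives for a plain binary search, and the N-way search the slide mentions is the same idea with more probes per read and fewer reads. The IPID oracle depends on a hop that both sits behind the firewall and increments one IPID counter for every packet it emits, which is why the paper reports its noise level separately.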
On-site TCP Hijacking
- Android 2.3.4 + m.facebook.com + PlanetLab server
Reset-the-server [Demo]
- Leverages requirement C4, which tells the attacker that the victim connection's ISN is at most 2^24 away from the ISN of the attacker-initiated connection.
- RST packets with any sequence number that falls in the receive window can terminate the connection (P. A. Watson, "Slipping in the Window: TCP Reset Attacks," 2004).
Reset-the-server
- The maximum number of RSTs required is 2 × 2^24 / rwnd_server, where rwnd_server is the server's initial receive window:
  - m.facebook.com: rwnd 4380, requires 7661 RSTs
  - twitter.com: rwnd 5840, requires 5746 RSTs
  - chase.com: rwnd 32805 (about 1023 RSTs by the same formula)
Reset-the-server: Bandwidth requirements
- bandwidth = (2 × 2^24 / rwnd_server) × 40 bytes × 8 bits/byte / RTT
- 327 Kbps ~ 12 Mbps
Hit-and-run: Bandwidth requirements
- WIN is 64K × 2^window_scaling_factor
- bandwidth = (2^32 / WIN) × 40 bytes × 8 bits/byte / RTT
- For the two OSes (window scaling factors 2 and 4) this is 26 Mbps and 6.6 Mbps.
On-site TCP Hijacking
Off-site TCP Injection
- URL phishing: not implemented, because NAT is deployed.
- Long-lived connection inference: probing for a particular push server IP 74.125.65.188 and port 5228, about 7.8% of the IPs have a connection with the server.
Establish Spoofed Connections: Find unresponsive IPs
- We send a SYN packet with a spoofed source IP from the attack phone inside the cellular network to our attack server, which responds with a legitimate SYN-ACK.
- 80% of the IPs are unresponsive, i.e., they do not answer the SYN-ACK and so do not tear the spoofed connection down. We can make about 0.6 successful connections per second on average, with a success rate of more than 90%.
Vulnerable Networks
- The authors deployed a mobile application (referred to as MobileApp) on the Android market.
- The data were collected between Apr 25th, 2011 and Oct 17th, 2011 over 149 uniquely identified carriers.
Firewall Implementation Types
- Overall, out of the 149 carriers, 47 (31.5%) deploy sequence-number-checking firewalls.
Intermediate Hop Feedback
- 24 carriers have responsive intermediate hops that reply with TTL-expired ICMP packets.
- 8 carriers have NATs that allow single-ICMP-packet probing to infer active four-tuples.
Discussion
- Firewall design
- Side-channels
- HTTPS-only world
Q & A