Off-Path TCP Sequence Number Inference Attack How Firewall

Report
33rd Security & Privacy (May,
2012)
Zhiyun Qian, Zhuoqing Morley Mao
University of Michigan
Outline
Introduction
 Fundamentals of the TCP Sequence
Number Inference Attack
 TCP Attack Analysis and Design
 Attack Implementation and Experimental
Results
 Vulnerable Networks
 Discussion

2012/4/30
A Seminar at Advanced Defense Lab
2
Introduction

TCP was initially designed without many
security considerations.
 4-tuple: local IP, local Port, foreign IP, foreign
Port

Off-path spoofing attacks
2012/4/30
A Seminar at Advanced Defense Lab
3
Off-Path Spoofing Attacks

One of the critical patches is the
randomization of TCP initial sequence
numbers (ISN)
 RFC 6528 [link]

Firewall vendors soon realized that they
can in fact perform sequence number
checking at network-based firewalls and
actively drop invalid packets even before
they can reach end-hosts
2012/4/30
A Seminar at Advanced Defense Lab
4
Fundamentals of the TCP Sequence
Number Inference Attack

Sequence-Number-Checking Firewalls
2012/4/30
A Seminar at Advanced Defense Lab
5
Sequence-Number-Checking
Firewalls

Window size
 Fixed
 64K x 2N, N is the window scaling factor in SYN
and SYN-ACK packet.

Left-only or right-only window

Window moving behavior
 Window advancing
 Window shifting
2012/4/30
A Seminar at Advanced Defense Lab
6
Threat Model

On-site TCP injection/hijacking
 An unprivileged malware runs on the client
with access to network and the list of active
connections through standard OS interface.

Off-site TCP injection
 only when the target connection is long-lived

Establish TCP connection using spoofed
IPs
2012/4/30
A Seminar at Advanced Defense Lab
7
Obtaining Feedback – Side
Channels

OS packet counters

IPIDs from responses of intermediate
middleboxes
 An attacker can craft packets with TTL
values large enough to reach the firewall
middlebox, but small enough that they will
terminate at an intermediate middlebox
instead of the end-host, triggering the TTLexpired messages.
2012/4/30
A Seminar at Advanced Defense Lab
8
Sequence Number Inference
2012/4/30
A Seminar at Advanced Defense Lab
9
Timing of Inference and
Injection — TCP Hijacking

For the TCP sequence number
inference and subsequent data injection
to be successful, a critical challenge is
timing.

To address the challenge, we design
and implement a number of TCP
hijacking attacks.
2012/4/30
A Seminar at Advanced Defense Lab
10
TCP Attack Analysis and Design

Two base requirements for all attacks
 The ability to spoof legitimate server’s IP
 A sequence-number-checking firewall
deployed
2012/4/30
A Seminar at Advanced Defense Lab
11
Attack Requirements
2012/4/30
A Seminar at Advanced Defense Lab
12
On-site TCP Hijacking

Reset-the-server
2012/4/30
A Seminar at Advanced Defense Lab
13
On-site TCP Hijacking

Preemptive-SYN
Hijacking
2012/4/30
A Seminar at Advanced Defense Lab
14
On-site TCP Hijacking

Hit-and-run
Hijacking
2012/4/30
A Seminar at Advanced Defense Lab
15
Off-site TCP Injection/Hijacking

URL phishing
 An attacker can also acquire target four
tuples by luring a user to visit a malicious
webpage that subsequently redirects the
user to a legitimate target website.
 But it is not implemented in this paper.
2012/4/30
A Seminar at Advanced Defense Lab
16
Off-site TCP Injection/Hijacking

Long-lived connection inference
 An approach we discover is through sending
a single ICMP error message (e.g., network
or port unreachable) to query a four-tuple.
 Pass through firewall and trigger TTL-
expired message
2012/4/30
A Seminar at Advanced Defense Lab
17
Establish Spoofed Connections

We found that there are many such
unresponsive IPs in the nation-wide
cellular network that we tested.
2012/4/30
A Seminar at Advanced Defense Lab
18
Attack Implementation and
Experimental Results

Client platform
 Android 2.2 and 2.3.4
 TCP window scaling factor: 2 and 4
 Vendors: HTC, Samsung, and Motorola

Network
 An anonymized nation-wide carrier that
widely deploys firewall middleboxes at the
GGSN-level
2012/4/30
A Seminar at Advanced Defense Lab
19
Side-channel

/proc/net/snmp: InSegs
 the number of incoming TCP packets
received

/proc/net/netstat: PAWSEstab
 packets with an old timestamp is received

IPID side-channel
 the noise level is quite tolerable.
2012/4/30
A Seminar at Advanced Defense Lab
20
Sequence Number Inference
Assuming a cellular RTT of 200ms
 32 times for binary search (4G)

 About 10s in practice
N-way search
 Mix all methods

 It takes only about 4–5 seconds to complete
the inference
2012/4/30
A Seminar at Advanced Defense Lab
21
On-site TCP Hijacking

Android 2.3.4 + m.facebook.com +
Planetlab server [link]
2012/4/30
A Seminar at Advanced Defense Lab
22
Reset-the-server [Demo]
We leverage requirement C4 which tells
the attacker that the victim connection’s
ISN is at most 224 away from the ISN of
the attacker-initiated connection.
 Since RST packets with any sequence
number that falls in the receive window
can terminate the connection.

 P. A. Watson. “Slipping in the Window: TCP
Reset Attacks,” 2004.
2012/4/30
A Seminar at Advanced Defense Lab
23
Reset-the-server

The max number of required RST


server_init_window
 m.facebook.com: 4380  require 7661 RST
 twitter.com: 5840  require 5746 RST
 chase.com: 32805
2012/4/30
A Seminar at Advanced Defense Lab
24
Reset-the-server

Bandwidth requirements


327 Kbps ~ 12 Mbps
2012/4/30
A Seminar at Advanced Defense Lab
25
Hit-and-run

Bandwidth requirements

 WIN is 64K x 2window_scaling_factor
 For the two Oses is 26Mbps and 6.6Mbps
2012/4/30
A Seminar at Advanced Defense Lab
26
On-site TCP Hijacking
2012/4/30
A Seminar at Advanced Defense Lab
27
Off-site TCP Injection

URL phishing
 No implement
 Because NAT is deployed.

long-lived connection inference
 a particular push server IP 74.125.65.188
and port 5228
 About 7.8% of the IPs have a connection
with the server
2012/4/30
A Seminar at Advanced Defense Lab
28
Establish Spoofed Connections

Find unresponsive IP
 We send a SYN packet with a spoofed IP
from the attack phone inside the cellular
network to our attack server which responds
with a legitimate SYN-ACK back.
 There are 80% of IPs are unresponsive.

We can make about 0.6 successful
connection per second on average with
more than 90% success rate
2012/4/30
A Seminar at Advanced Defense Lab
29
Vulnerable Networks

We deployed a mobile application
(referred to as MobileApp) on the
Android market.

The data are collected between Apr
25th, 2011 and Oct 17th, 2011 over 149
carriers uniquely identified
2012/4/30
A Seminar at Advanced Defense Lab
30
Firewall Implementation Types

Overall, out of the 149 carriers, we
found 47 carriers (31.5%) that deploy
sequence-number-checking firewalls.
2012/4/30
A Seminar at Advanced Defense Lab
31
Intermediate Hop Feedback

24 carriers have responsive
intermediate hops that reply with TTLexpired ICMP packets.

8 carriers have NAT that allow single
ICMP packet probing to infer active four
tuples.
2012/4/30
A Seminar at Advanced Defense Lab
32
Discussion

Firewall design

Side-channels

HTTPS-only world
2012/4/30
A Seminar at Advanced Defense Lab
33
2012/4/30
A Seminar at Advanced Defense Lab
34

similar documents