TCP Sequence Number Inference Attack (read-only) · 2013-07-10
TRANSCRIPT
Off-Path TCP Sequence Number Inference Attack
(How Firewall Middleboxes Reduce Security)
Zhiyun Qian, Z. Morley Mao
University of Michigan
Known Attacks against TCP
• Man-in-the-middle based attacks
  • Read, modify, insert TCP content
• Off-path attacks
  • Write to an existing TCP connection by guessing sequence numbers
  • Defense: initial sequence numbers are nowadays randomized (2^32 space)
[Figure: off-path attacker guessing X = ?, Y = ?]
Outline
• TCP sequence number inference attack -- threat model
• How firewall middleboxes enable it
• Attacks built on top of it
TCP sequence number inference attack
[Figure: off-path attacker sending guessed segments, Seq = ?]
• Required information
  • Target four tuples (source/dest IP, source/dest port)
  • Feedback on whether guessed sequence numbers are correct
Req 1 – obtaining target four tuples
• On-site unprivileged malware
  • netstat (no root required)
  • Four-tuple query
• Connection state can be leaked via ICMP probing
• Initiate fake connections

netstat -nn
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address         (state)
tcp4       37      0  192.168.1.102.50469    199.47.219.159.443      CLOSE_WAIT
tcp4       37      0  192.168.1.102.50468    174.129.195.86.443      CLOSE_WAIT
tcp4       37      0  192.168.1.102.50467    199.47.219.159.443      CLOSE_WAIT
tcp4        0      0  192.168.1.102.50460    199.47.219.159.443      LAST_ACK
tcp4        0      0  192.168.1.102.50457    199.47.219.159.443      LAST_ACK
tcp4        0      0  192.168.1.102.50445    199.47.219.159.443
Req 2 – obtaining feedback through side channels?
[Figure: attacker guesses Seq = X (not correct) and Seq = Y (correct); the victim is expecting seq Y]
Outline
• TCP sequence number inference attack -- threat model
• How firewall middleboxes enable it
• Attacks built on top of it
TCP sequence-number-checking firewall
• Purpose: drop blindly injected packets
  • Cut down resource waste
  • Prevent feedback on sequence number guessing
• 33% of the 179 tested carriers deploy such firewalls
  • Vendors: Cisco, Juniper, Checkpoint…
• Could be used in other networks as well
Attack model
• Required information
  • Target four tuples (source/dest IP, source/dest port)
  • Feedback (if packets went through the firewall)
Side-channels: Packet counter and IPID
• Host packet counter (e.g., # of incoming packets)
  • "netstat -s" or procfs
  • Error counters particularly useful
• IPID from intermediate hops
[Figure: an injected segment (header + seq) that passes the firewall reaches the host and bumps an error counter (Error counter++); an intermediate hop that forwards it advances its IPID (IPID++)]

netstat -s
Tcp:
    3466 active connections openings
    242344 passive connection openings
    19300 connection resets received
    157921111 segments received
    125446192 segments send out
    39673 segments retransmited
    489 bad segments received
    679561 resets sent
TcpExt:
    25508 ICMP packets dropped because they were out-of-window
    9491 TCP sockets finished time wait in fast timer
    1646 packets rejects in established connections because of timestamp
Sequence number inference – an example
[Figure: probes with Seq = 0, 2WIN, 4WIN, ..., 2G are dropped by the firewall (X) until one lands inside the window; that segment reaches the host and the error counter increments (Counter++)]

Binary search on sequence number
• Total # of packets required: 4G/2WIN
• Typically, WIN = 256K, 512K, 1M
• # of packets = 4096 – 16384
• Time: 4 – 9 seconds
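The two-phase probing procedure described on the side-channel and binary-search slides above (and the IPID-from-intermediate-hop figure in the backup slides), written out as an added simulation. This is not code from the talk or the paper. It assumes a simplified model of what the slides describe: the firewall accepts a segment iff its sequence number lies in [expected - WIN, expected + WIN) mod 2^32; the victim host exposes a counter that grows by one for every delivered segment (the on-site malware case); an intermediate hop behind the firewall uses a single global, monotonically increasing IPID and answers a small-TTL probe with a reply carrying it (the no-malware case). All names here are hypothetical and the channel is noise-free; on a real network every probe has to be repeated to average out background traffic.

```python
"""Simulated off-path TCP sequence-number inference through a
sequence-checking firewall, driven by a side channel (added example;
hypothetical model of the slides, not the paper's code)."""
SEQ_SPACE = 1 << 32


class SeqCheckingFirewall:
    """Assumed rule: accept iff seq in [expected - win, expected + win) mod 2^32."""

    def __init__(self, expected_seq, win):
        self.lower = (expected_seq - win) % SEQ_SPACE   # left edge of the window
        self.width = 2 * win

    def passes(self, seq):
        return (seq - self.lower) % SEQ_SPACE < self.width


class Host:
    """Victim: a 'netstat -s'-style counter readable by unprivileged local code."""
    counter = 0


class Hop:
    """Router between firewall and host with one global IPID counter (assumed)."""
    ipid = 1000

    def reply(self):
        self.ipid += 1          # every packet the hop itself emits consumes one IPID
        return self.ipid


def make_counter_oracle(fw, host):
    """On-site malware case: did the host's packet counter move?"""
    def oracle(seq):
        before = host.counter
        if fw.passes(seq):
            host.counter += 1   # the spoofed segment reached the host
        return host.counter != before
    return oracle


def make_ipid_oracle(fw, hop):
    """No-malware case: the spoofed segment carries a TTL that expires at the
    hop just behind the firewall. If the firewall lets it through, the hop
    emits an ICMP time-exceeded (one IPID), so two attacker-visible replies
    around the probe differ by 2 instead of 1."""
    def oracle(seq):
        before = hop.reply()
        if fw.passes(seq):
            hop.reply()         # ICMP TTL-expired toward the spoofed source
        return hop.reply() - before == 2
    return oracle


def infer_sequence(oracle, win):
    """Return (inferred expected sequence number, probes used)."""
    stride = 2 * win
    probes = 0
    hit = None
    # Phase 1: linear scan with a step equal to the window width, so at least
    # one probe (and exactly one for power-of-two WIN) lands in the window.
    for seq in range(0, SEQ_SPACE, stride):
        probes += 1
        if oracle(seq):
            hit = seq
            break
    # Phase 2: binary search for the window's left edge. lo is outside the
    # window (a 2*WIN-wide window containing hi cannot contain hit - 2*WIN),
    # hi is inside; the edge is in (lo, hi].
    lo, hi = hit - stride, hit
    while hi - lo > 1:
        mid = (lo + hi) // 2
        probes += 1
        if oracle(mid % SEQ_SPACE):
            hi = mid
        else:
            lo = mid
    return (hi + win) % SEQ_SPACE, probes


def demo(expected_seq, win=1 << 18, use_ipid=False):
    """Run one inference against a fresh firewall/host/hop for the given truth."""
    fw = SeqCheckingFirewall(expected_seq, win)
    oracle = make_ipid_oracle(fw, Hop()) if use_ipid else make_counter_oracle(fw, Host())
    return infer_sequence(oracle, win)


if __name__ == "__main__":
    seq, n = demo(0x9A3BC471)
    print(f"inferred 0x{seq:08X} with {n} probes")  # worst case 4G/2WIN + log2(2WIN)
```

The probe budget matches the slide's arithmetic: with WIN = 256K the scan needs at most 4G/2WIN = 8192 probes and the binary search adds log2(2WIN) = 19 more, regardless of which oracle is used. The IPID oracle is the one that needs no code on the victim, which is why the later "no malware requirement" attacks lean on it.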
Outline
• TCP sequence number inference attack -- threat model
• How firewall middleboxes enable it
• Attacks built on top of it
Attacks built on top of it
• TCP connection hijacking
• TCP active connection inference
  • No malware requirement
  • Target long-lived connections
• Spoofed TCP connections to a target server
  • Denial of service
  • Spamming
Facebook login page hijack demo
A step further – TCP connection hijack: Reset-the-server
[Figure: timeline of the reset-the-server hijack. Labels in order of appearance: Seq inference start, Seq inference end, spoofed RSTs, connection reset, SYN, SYN-ACK, ACK/Request payload, malicious payload, notification]
Success rate: 65%
TCP connection hijacks
                  Reset-the-server        Preemptive SYN             Hit-and-run
Requirement       Bandwidth requirement   Additional attack phone    Low bandwidth requirement
Success rate      65%                     65%                        85%
Lessons learned
• Failed to secure sensitive state against side-channels
  • Firewall middlebox stores sensitive state (sequence number)
  • IPID and packet counter side-channels allow sequence number inference
• Future network middlebox design needs to better secure sensitive state (e.g., cryptographic keys)
• Mitigations
  • Eliminate, or apply access control to, the side-channel
  • Remove the redundant state
[Figure: protocol stack, HTTP over TCP]
Backup slides
Outline
• TCP sequence number inference attack -- threat model
• How firewall middleboxes enable it
• TCP connection hijacking
• TCP active connection inference
• Spoofed TCP connections
TCP active connection inference
How many clients are connected to the Android push notification server?
[Figure: probing candidate four tuples ?:? -> ?:?, e.g. 1.1.1.1:11111 -> 2.2.2.1:80, 1.1.1.2:22222 -> 2.2.2.2:80, 1.1.1.3:33333 -> 2.2.2.3:80, ...]
7.8% of IPs have active connections to the server
Outline
• TCP sequence number inference attack -- threat model
• How firewall middleboxes enable it
• TCP connection hijacking
• TCP active connection inference
• Spoofed TCP connections
Spoofed TCP connections
[Figure: spoofed connection set up using sequence number inference and the IPID side channel]
• Denial of service attack
• Spamming

IP ID
Introspective side-channels – Packet counter and IPID
(Same bullets and "netstat -s" output as the earlier "Side-channels: Packet counter and IPID" slide.)
[Figure: probes with Seq = 2WIN, Seq = Y – 2WIN and Seq = Y; the in-window probe triggers a TTL-expired reply from the intermediate hop and its IPID advances (IPID++)]
Identification of introspective side-channel
• Packet checking sequence in Linux (and other OS)

Sensitive network state "TCP sequence number" also stored on end-hosts

More efficient probing to extract sequence number from introspective side channels
• 4-way search
• Total # of packets required: 96
• Inference time: ~1s
Network-level defenses against spamming
• Attack: Botnet-based spamming to hide real identity
• Defense:
  • IP-based blacklist: making IP addresses important resources, limit spammer's throughput
  • Port 25 blocking: limit end-user IP addresses for spamming
Triangular spamming
• Relatively unknown but real attack [NANOG Mailing list Survey]
• Not proposing a new attack
• But "how it can bypass SMTP port blocking"
[Figure: three hosts 1.1.1.1, 2.2.2.2 and 3.3.3.3 exchanging SYN, SYN-ACK and ACK; legend: Src IP, Dst IP, Msg Type]
Sensitive state – port blocking policy
• Hypothesis on current ISP's policy
  • Directional traffic blocking
  • Blocking outgoing traffic with dst port 25 (OUT)
  • NOT blocking incoming traffic with src port 25 (IN)
• Relay bot's IP can be used to send spam
[Figure: packets labelled with Src Port / Dst Port (25 or *); outgoing traffic with dst port 25 is blocked (X), incoming traffic with src port 25 passes]
Introspective side-channel – IPID
• IPID side-channel (identifier in IP header)
• Monotonically increasing
[Figure: probe packets between ports 80 and 25 and the replies they elicit, whose IPID field advances 1, 2, 3, ..., 7 across the exchange]
688 networks block IN or OUT traffic
96.8% of networks block only OUT traffic!
IPID from intermediate hop
[Figure: attacker sends probes with a small TTL that expire at an intermediate hop; each TTL-expired reply carries the hop's IP ID, which advances X, X+1, X+2 (IPID++) as the hop handles the spoofed segments (Seq)]
TCP connection hijack: Preemptive SYN
- No bandwidth requirement
- But requires another attack phone
- Success rate: 65%

TCP connection hijack 3: Hit-and-run
Success rate: 85%