TCP Sequence Number Inference Attack · 2013-07-10 · slide transcript

Upload: others

Post on 16-Jul-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1

Off-Path TCP Sequence Number Inference Attack
(How Firewall Middleboxes Reduce Security)

Zhiyun Qian, Z. Morley Mao
University of Michigan

Page 2

Known Attacks against TCP

• Man-in-the-middle based attacks
  • Read, modify, insert TCP content
• Off-path attacks
  • Write to existing TCP connection by guessing sequence numbers
  • Defense: initial sequence numbers nowadays are randomized (2^32)

(diagram: the off-path attacker has to guess both sequence numbers, X = ? and Y = ?)

Page 3

Outline

• TCP sequence number inference attack -- threat model
• How firewall middleboxes enable it
• Attacks built on top of it

Page 4

Outline (repeated from Page 3)

Page 5

TCP sequence number inference attack

(diagram: the attacker probing a connection with Seq = ?)

• Required information
  • Target four tuples (source/dest IP, source/dest port)
  • Feedback on whether guessed sequence numbers are correct

Page 6

Req 1 – obtaining target four tuples

• On-site unprivileged malware
  • netstat (no root required)
  • Four-tuple query
• Connection state can be leaked via ICMP probing
  • Initiate fake connections

netstat -nn
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4      37      0  192.168.1.102.50469    199.47.219.159.443     CLOSE_WAIT
tcp4      37      0  192.168.1.102.50468    174.129.195.86.443     CLOSE_WAIT
tcp4      37      0  192.168.1.102.50467    199.47.219.159.443     CLOSE_WAIT
tcp4       0      0  192.168.1.102.50460    199.47.219.159.443     LAST_ACK
tcp4       0      0  192.168.1.102.50457    199.47.219.159.443     LAST_ACK
tcp4       0      0  192.168.1.102.50445    199.47.219.159.443

Page 7

Req 2 – obtaining feedback through side channels?

(diagram: the receiver is expecting seq Y; a probe with Seq = X is answered "Not correct!", a probe with Seq = Y is answered "Correct!")

Page 8

Outline (repeated from Page 3)

Page 9

TCP sequence-number-checking firewall

• Purpose: drop blindly injected packets
  • Cut down resource waste
  • Prevent feedback on sequence number guessing
• 33% of the 179 tested carriers deploy such firewalls
  • Vendors: Cisco, Juniper, Checkpoint…
• Could be used in other networks as well

Page 10

Attack model

• Required information
  • Target four tuples (source/dest IP, source/dest port)
  • Feedback (if packets went through the firewall)

Page 11

Side-channels: Packet counter and IPID

• Host packet counter (e.g., # of incoming packets)
  • "netstat -s" or procfs
  • Error counters particularly useful
• IPID from intermediate hops

(diagram: packets with a header error or a wrong Seq that reach the host show up as Error counter++ in the output below)

netstat -s
Tcp:
    3466 active connections openings
    242344 passive connection openings
    19300 connection resets received
    157921111 segments received
    125446192 segments send out
    39673 segments retransmited
    489 bad segments received
    679561 resets sent
TcpExt:
    25508 ICMP packets dropped because they were out-of-window
    9491 TCP sockets finished time wait in fast timer
    1646 packets rejects in established connections because of timestamp

Page 12

Side-channels: Packet counter and IPID

• Host packet counter (e.g., # of incoming packets)
  • "netstat -s" or procfs
  • Error counters particularly useful
• IPID from intermediate hops

(diagram: a probe handled by an intermediate hop: IPID++)

Page 13

Sequence number inference – an example

(diagram: probes with Seq = 0, Seq = 2WIN, Seq = 4WIN, ..., Seq = 2G sent through the firewall; probes marked X are dropped, the one that passes shows up at the host as Error counter++ / Counter++)

Page 14

Binary search on sequence number

• Total # of packets required: 4G/2WIN
• Typically, WIN = 256K, 512K, 1M
• # of packets = 4096 – 16384
• Time: 4 – 9 seconds

Page 15

Outline (repeated from Page 3)

Page 16

Attacks built on top of it

• TCP connection hijacking
• TCP active connection inference
  • No malware requirement
  • Target long-lived connections
• Spoofed TCP connections to a target server
  • Denial of service
  • Spamming

Page 17

Attacks built on top of it (repeated from Page 16)

Page 18

Facebook login page hijack demo

Page 19

A step further – TCP connection hijack: Reset-the-server

Success rate: 65%

(diagram of the attack timeline: SYN and SYN-ACK; Notification; Seq inference start; Seq inference end; Spoofed RSTs; Connection reset; ACK/Request payload; Malicious payload)

Page 20

TCP connection hijacks

                  Reset-the-server        Preemptive SYN             Hit-and-run
Requirement       Bandwidth requirement   Additional attack phone    Low bandwidth requirement
Success rate      65%                     65%                        85%

Page 21

Lessons learned

• Failed to secure sensitive state against side-channels
  • Firewall middlebox stores sensitive state (sequence number)
  • IPID and packet counter side-channels allow sequence number inference
• Future network middlebox design needs to better secure sensitive state (e.g., cryptographic keys)
• Mitigations
  • Eliminate or access control on the side-channel
  • Remove the redundant state

(diagram: HTTP over TCP, the TCP layer holding the state the middlebox duplicates)
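The sequence-checking firewall of Page 9, the probing of Pages 13 and 14 and the two mitigations above can be modelled end to end. The following is an added example for this transcript, not the authors' code; it assumes the firewall accepts sequence numbers in [Y - WIN, Y + WIN) mod 2^32 and uses an incoming-packet counter as the readable side channel, and every name in it (Host, SeqCheckingFirewall, infer_sequence, run_scenario) is constructed here.

```python
"""Added model of the firewall side channel from Pages 9-14 and 21 (not the
authors' code). A host exposes an incoming-packet counter, a middlebox drops
packets whose seq is outside [Y - WIN, Y + WIN) mod 2^32 (assumed window
semantics), and an off-path observer sees only counter deltas."""
import random

SEQ_SPACE = 2 ** 32   # "4G": the TCP sequence-number space
WIN = 256 * 1024      # firewall window; 256K is one of the typical values


class Host:
    """End host; its packet counter ("netstat -s"/procfs) is the side channel."""
    def __init__(self, expected_seq):
        self.expected_seq = expected_seq
        self.incoming_packets = 0

    def receive(self, seq):
        self.incoming_packets += 1     # every packet that gets through is counted


class SeqCheckingFirewall:
    """Holds a copy of the expected seq (the redundant state) and drops blindly
    injected packets outside the window around it."""
    def __init__(self, host, win=WIN, check_seq=True):
        self.host, self.win, self.check_seq = host, win, check_seq

    def forward(self, seq):
        d = (seq - self.host.expected_seq) % SEQ_SPACE
        in_window = d < self.win or d >= SEQ_SPACE - self.win
        if self.check_seq and not in_window:
            return                     # dropped silently: the counter does not move
        self.host.receive(seq)


def infer_sequence(probe, read_counter, win=WIN):
    """Return (seq, probes_sent) from counter deltas alone, or (None, probes_sent)
    when the channel carries no usable signal."""
    sent = 0

    def passes(seq):
        nonlocal sent
        before = read_counter()
        probe(seq % SEQ_SPACE)
        sent += 1
        return read_counter() != before

    # Phase 1: Seq = 0, 2WIN, 4WIN, ... (4G/2WIN probes). Exactly one lands in
    # the 2WIN-wide window when the firewall checks and the counter is readable.
    hits = [s for s in range(0, SEQ_SPACE, 2 * win) if passes(s)]
    if len(hits) != 1:
        return None, sent              # nothing passed, or everything did
    lo, hi = hits[0] - win + 1, hits[0] + win + 1    # Y lies in [lo, hi)
    # Phase 2: binary search; a probe at mid + WIN - 1 passes iff Y >= mid.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if passes(mid + win - 1):
            lo = mid
        else:
            hi = mid
    return lo % SEQ_SPACE, sent


def run_scenario(expected_seq, counter_readable=True, check_seq=True):
    """Page 21 mitigations: counter_readable=False is access control on the
    side channel, check_seq=False is a firewall without the redundant state."""
    host = Host(expected_seq)
    fw = SeqCheckingFirewall(host, check_seq=check_seq)
    read = (lambda: host.incoming_packets) if counter_readable else (lambda: 0)
    return infer_sequence(fw.forward, read)


if __name__ == "__main__":
    y = random.randrange(SEQ_SPACE)
    print("leaky setup (seq, probes):", run_scenario(y), "true seq:", y)
    print("counter access-controlled:", run_scenario(y, counter_readable=False))
    print("no seq state in firewall: ", run_scenario(y, check_seq=False))
```

With WIN = 256K the leaky setup recovers Y after 4G/2WIN + 19 = 8211 probes, the 19 being the binary search inside the 2WIN-wide window. Either mitigation makes infer_sequence return None, because then no probe, or every probe, moves the counter and the scan carries no information.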

Page 22

Thanks

• Q/A
• Zhiyun Qian, [email protected]

Page 23

Backup slides

Page 24

Outline

• TCP sequence number inference attack -- threat model
• How firewall middleboxes enable it
• TCP connection hijacking
• TCP active connection inference
• Spoofed TCP connections

Page 25

TCP active connection inference

(diagram: the unknown connection ?:? -> ?:? is tested against candidate four tuples)
1.1.1.1:11111 -> 2.2.2.1:80
1.1.1.2:22222 -> 2.2.2.2:80
1.1.1.3:33333 -> 2.2.2.3:80
...

Page 26

TCP active connection inference

How many clients are connected to Android push notification server?

(diagram: candidate four tuples as on Page 25)
1.1.1.1:11111 -> 2.2.2.1:80
1.1.1.2:22222 -> 2.2.2.2:80
1.1.1.3:33333 -> 2.2.2.3:80
...

7.8% IPs have active connections to the server

Page 27

Outline (repeated from Page 24)

Page 28

Spoofed TCP connections

(diagram: building blocks: Sequence number inference, IPID side channel)

• Denial of service attack
• Spamming

Page 29

IP ID

Page 30

Introspective side-channels – Packet counter and IPID

• Host packet counter (e.g., # of incoming packets)
  • "netstat -s" or procfs
  • Error counters particularly useful
• IPID from intermediate hops

(netstat -s output as reproduced on Page 11; packets with a header error or a wrong Seq that reach the host show up as Error counter++)

(diagram: probes with Seq = 2WIN, Seq = Y – 2WIN and Seq = Y; the ones that expire at an intermediate hop produce "TTL expired" replies, each of which advances the hop's IPID: IPID++)

Page 31

Identification of introspective side-channel

• Packet checking sequence in Linux (and other OS)

Page 32

Sensitive network state "TCP sequence number" also stored on end-hosts

Page 33

More efficient probing to extract sequence number from introspective side channels

• 4-way search
  • Total # of packets required: 96
  • Inference time: ~1s

Page 34

Network-level defenses against spamming

• Attack: Botnet-based spamming to hide real identity
• Defense:
  • IP-based blacklist: making IP addresses important resources, limit spammer's throughput
  • Port 25 blocking: limit end-user IP addresses for spamming

Page 35

Triangular spamming

• Relatively unknown but real attack [NANOG Mailing list Survey]
• Not proposing a new attack
• But "how it can bypass SMTP port blocking"

(diagram: three hosts 1, 2 and 3 exchanging SYN, SYN-ACK and ACK messages; legend: Src IP, Dst IP, Msg Type)

Page 36

Sensitive state – port blocking policy

• Hypothesis on current ISP's policy
  • Directional traffic blocking
    • Blocking outgoing traffic with dst port 25 (OUT)
    • NOT blocking incoming traffic with src port 25 (IN)
  • Relay bot's IP can be used to send spam

(diagram: packets labelled Src Port / Dst Port with values 25 or *; the outgoing packet with Dst Port 25 is marked X as blocked)

Page 37

Introspective side-channel – IPID

• IPID Side-channel (identifier in IP header)
  • Monotonically increasing

(diagram: probes with Src/Dst ports 80 and 25 and the IPID values 1..7 seen in the replies)

688 Networks block IN or OUT traffic
96.8% networks block only OUT traffic!

Page 38

IPID from intermediate hop

(diagram: probes carrying Seq and a Small TTL expire at an intermediate hop; the hop's replies show IP ID = X, then X+1, then X+2, i.e., IPID++ for every packet the hop emits)

Page 39

TCP connection hijack: Preemptive SYN

- No bandwidth requirement
- But requires another attack phone
- Success rate: 65%

Page 40

TCP connection hijack 3: Hit-and-run

Success rate: 85%

Page 41

Side-channels: Packet counter and IPID

• Host packet counter (e.g., # of incoming packets)
  • "netstat -s" or procfs
  • Error counters particularly useful
• IPID from intermediate hops

(diagram as on Page 38: probes carrying Seq and a Small TTL expire at an intermediate hop; the hop's replies show IP ID = X, X+1, X+2, i.e., IPID++ for every packet the hop emits)