zhiyun qian, zhuoqing morley mao university of michigan 33 rd security & privacy (may, 2012)
TRANSCRIPT
OFF-PATH TCP SEQUENCE NUMBER INFERENCE
ATTACKHOW FIREWALL MIDDLEBOXES
REDUCE SECURITY
Zhiyun Qian, Zhuoqing Morley Mao
University of Michigan
33rd Security & Privacy (May, 2012)
A Seminar at Advanced Defense Lab 2
Outline
Introduction Fundamentals of the TCP Sequence
Number Inference Attack TCP Attack Analysis and Design Attack Implementation and Experimental
Results Vulnerable Networks Discussion
2012/4/30
A Seminar at Advanced Defense Lab 3
Introduction
TCP was initially designed without many security considerations.4-tuple: local IP, local Port, foreign IP,
foreign Port Off-path spoofing attacks
2012/4/30
A Seminar at Advanced Defense Lab 4
Off-Path Spoofing Attacks One of the critical patches is the
randomization of TCP initial sequence numbers (ISN)RFC 6528 [link]
Firewall vendors soon realized that they can in fact perform sequence number checking at network-based firewalls and actively drop invalid packets even before they can reach end-hosts
2012/4/30
A Seminar at Advanced Defense Lab 5
Fundamentals of the TCP Sequence Number Inference Attack
Sequence-Number-Checking Firewalls
2012/4/30
A Seminar at Advanced Defense Lab 6
Sequence-Number-Checking Firewalls Window size
Fixed64K x 2N, N is the window scaling factor in SYN
and SYN-ACK packet.
Left-only or right-only window
Window moving behaviorWindow advancingWindow shifting
2012/4/30
A Seminar at Advanced Defense Lab 7
Threat Model
On-site TCP injection/hijackingAn unprivileged malware runs on the client
with access to network and the list of active connections through standard OS interface.
Off-site TCP injectiononly when the target connection is long-lived
Establish TCP connection using spoofed IPs
2012/4/30
A Seminar at Advanced Defense Lab 8
Obtaining Feedback – Side Channels OS packet counters
IPIDs from responses of intermediate middleboxesAn attacker can craft packets with TTL
values large enough to reach the firewall middlebox, but small enough that they will terminate at an intermediate middlebox instead of the end-host, triggering the TTL-expired messages.
2012/4/30
A Seminar at Advanced Defense Lab 10
Timing of Inference and Injection — TCP Hijacking
For the TCP sequence number inference and subsequent data injection to be successful, a critical challenge is timing.
To address the challenge, we design and implement a number of TCP hijacking attacks.
2012/4/30
A Seminar at Advanced Defense Lab 11
TCP Attack Analysis and Design
Two base requirements for all attacksThe ability to spoof legitimate server’s IPA sequence-number-checking firewall
deployed
2012/4/30
A Seminar at Advanced Defense Lab 16
Off-site TCP Injection/Hijacking
URL phishingAn attacker can also acquire target four
tuples by luring a user to visit a malicious webpage that subsequently redirects the user to a legitimate target website.
But it is not implemented in this paper.
2012/4/30
A Seminar at Advanced Defense Lab 17
Off-site TCP Injection/Hijacking
Long-lived connection inferenceAn approach we discover is through sending
a single ICMP error message (e.g., network or port unreachable) to query a four-tuple.
Pass through firewall and trigger TTL-expired message
2012/4/30
A Seminar at Advanced Defense Lab 18
Establish Spoofed Connections
We found that there are many such unresponsive IPs in the nation-wide cellular network that we tested.
2012/4/30
A Seminar at Advanced Defense Lab 19
Attack Implementation and Experimental Results
Client platformAndroid 2.2 and 2.3.4TCP window scaling factor: 2 and 4Vendors: HTC, Samsung, and Motorola
NetworkAn anonymized nation-wide carrier that
widely deploys firewall middleboxes at the GGSN-level
2012/4/30
A Seminar at Advanced Defense Lab 20
Side-channel
/proc/net/snmp: InSegsthe number of incoming TCP packets
received /proc/net/netstat: PAWSEstab
packets with an old timestamp is received IPID side-channel
the noise level is quite tolerable.
2012/4/30
A Seminar at Advanced Defense Lab 21
Sequence Number Inference
Assuming a cellular RTT of 200ms 32 times for binary search (4G)
About 10s in practice N-way search Mix all methods
It takes only about 4–5 seconds to complete the inference
2012/4/30
A Seminar at Advanced Defense Lab 22
On-site TCP Hijacking
Android 2.3.4 + m.facebook.com + Planetlab server [link]
2012/4/30
A Seminar at Advanced Defense Lab 23
Reset-the-server [Demo]
We leverage requirement C4 which tells the attacker that the victim connection’s ISN is at most 224 away from the ISN of the attacker-initiated connection.
Since RST packets with any sequence number that falls in the receive window can terminate the connection.P. A. Watson. “Slipping in the Window: TCP
Reset Attacks,” 2004.
2012/4/30
A Seminar at Advanced Defense Lab 24
Reset-the-server
The max number of required RST
server_init_windowm.facebook.com: 4380 require 7661 RSTtwitter.com: 5840 require 5746 RSTchase.com: 32805
2012/4/30
rwndserver _
2224
A Seminar at Advanced Defense Lab 25
Reset-the-server
Bandwidth requirements
327 Kbps ~ 12 Mbps
2012/4/30
bitsbytesRTTrwndserver
840_2224
A Seminar at Advanced Defense Lab 26
Hit-and-run
Bandwidth requirements
WIN is 64K x 2window_scaling_factor
For the two Oses is 26Mbps and 6.6Mbps
2012/4/30
bitsbytesRTTWIN 8401232
A Seminar at Advanced Defense Lab 28
Off-site TCP Injection
URL phishingNo implementBecause NAT is deployed.
long-lived connection inferencea particular push server IP 74.125.65.188
and port 5228About 7.8% of the IPs have a connection
with the server
2012/4/30
A Seminar at Advanced Defense Lab 29
Establish Spoofed Connections
Find unresponsive IPWe send a SYN packet with a spoofed IP
from the attack phone inside the cellular network to our attack server which responds with a legitimate SYN-ACK back.
There are 80% of IPs are unresponsive. We can make about 0.6 successful
connection per second on average with more than 90% success rate
2012/4/30
A Seminar at Advanced Defense Lab 30
Vulnerable Networks
We deployed a mobile application (referred to as MobileApp) on the Android market.
The data are collected between Apr 25th, 2011 and Oct 17th, 2011 over 149 carriers uniquely identified
2012/4/30
A Seminar at Advanced Defense Lab 31
Firewall Implementation Types
Overall, out of the 149 carriers, we found 47 carriers (31.5%) that deploy sequence-number-checking firewalls.
2012/4/30
A Seminar at Advanced Defense Lab 32
Intermediate Hop Feedback
24 carriers have responsive intermediate hops that reply with TTL-expired ICMP packets.
8 carriers have NAT that allow single ICMP packet probing to infer active four tuples.
2012/4/30
A Seminar at Advanced Defense Lab 33
Discussion
Firewall design
Side-channels
HTTPS-only world
2012/4/30