OFF-PATH TCP SEQUENCE NUMBER INFERENCE ATTACK HOW FIREWALL MIDDLEBOXES REDUCE SECURITY Zhiyun Qian, Zhuoqing Morley Mao University of Michigan 33 rd Security & Privacy (May, 2012)


OFF-PATH TCP SEQUENCE NUMBER INFERENCE ATTACK: HOW FIREWALL MIDDLEBOXES REDUCE SECURITY

Zhiyun Qian, Zhuoqing Morley Mao

University of Michigan

33rd Security & Privacy (May, 2012)

A Seminar at Advanced Defense Lab 2

Outline

Introduction

Fundamentals of the TCP Sequence Number Inference Attack

TCP Attack Analysis and Design

Attack Implementation and Experimental Results

Vulnerable Networks

Discussion

2012/4/30


Introduction

TCP was initially designed without many security considerations.

4-tuple: local IP, local port, foreign IP, foreign port

Off-path spoofing attacks


Off-Path Spoofing Attacks

One of the critical patches is the randomization of TCP initial sequence numbers (ISN), RFC 6528.

Firewall vendors soon realized that they can in fact perform sequence number checking at network-based firewalls and actively drop invalid packets even before they can reach end-hosts.


Fundamentals of the TCP Sequence Number Inference Attack

Sequence-Number-Checking Firewalls


Sequence-Number-Checking Firewalls

Window size: fixed, 64K × 2^N, where N is the window scaling factor carried in the SYN and SYN-ACK packets.

Left-only or right-only window

Window moving behavior: window advancing, window shifting


Threat Model

On-site TCP injection/hijacking: unprivileged malware runs on the client with access to the network and to the list of active connections through a standard OS interface.

Off-site TCP injection: only when the target connection is long-lived.

Establish TCP connections using spoofed IPs


Obtaining Feedback – Side Channels

OS packet counters

IPIDs from responses of intermediate middleboxes: an attacker can craft packets with TTL values large enough to reach the firewall middlebox, but small enough that they terminate at an intermediate middlebox instead of the end-host, triggering TTL-expired messages.


Sequence Number Inference


Timing of Inference and Injection — TCP Hijacking

For the TCP sequence number inference and subsequent data injection to be successful, a critical challenge is timing.

To address the challenge, we design and implement a number of TCP hijacking attacks.


TCP Attack Analysis and Design

Two base requirements for all attacks: the ability to spoof the legitimate server's IP, and a sequence-number-checking firewall deployed on the path.


Attack Requirements


On-site TCP Hijacking

Reset-the-server


On-site TCP Hijacking

Preemptive-SYN Hijacking


On-site TCP Hijacking

Hit-and-run Hijacking


Off-site TCP Injection/Hijacking

URL phishing: an attacker can also acquire target four-tuples by luring a user to visit a malicious webpage that subsequently redirects the user to a legitimate target website.

This variant is not implemented in the paper.


Off-site TCP Injection/Hijacking

Long-lived connection inference: an approach we discover is sending a single ICMP error message (e.g., network or port unreachable) to query a four-tuple.

The message passes through the firewall and triggers a TTL-expired message.


Establish Spoofed Connections

We found that there are many such unresponsive IPs in the nation-wide cellular network that we tested.


Attack Implementation and Experimental Results

Client platform: Android 2.2 and 2.3.4; TCP window scaling factor: 2 and 4; vendors: HTC, Samsung, and Motorola.

Network: an anonymized nation-wide carrier that widely deploys firewall middleboxes at the GGSN level.


Side-channel

/proc/net/snmp: InSegs, the number of incoming TCP packets received

/proc/net/netstat: PAWSEstab, the number of packets received with an old timestamp

IPID side-channel: the noise level is quite tolerable.
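The two counters named above are readable by any local process, which is what makes them a side channel; the same property lets a host-based monitor watch them. The following is an added example, not code from the paper or this talk: it parses the header/value line-pair format of /proc/net/snmp and /proc/net/netstat and flags sampling intervals in which InSegs or PAWSEstab grows faster than an assumed per-second threshold. The snapshots embedded in it are constructed, their field lists are trimmed, and the thresholds are assumptions to be tuned to a host's normal traffic.

```python
# Added example (not from the paper or the slides): parse the two /proc files
# the talk names as side channels and flag abnormal counter growth between
# two samples. All snapshots below are constructed, not real captures.

# Constructed /proc/net/snmp snapshots: one header line and one value line per
# protocol prefix, as the kernel prints them (field set trimmed for brevity).
SNMP_T0 = """\
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts
Tcp: 1 200 120000 -1 310 12 4 2 3 88210 76422 15 0 9
"""
SNMP_T1 = """\
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts
Tcp: 1 200 120000 -1 311 12 4 2 3 88250 76460 15 0 9
"""
SNMP_T2 = """\
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts
Tcp: 1 200 120000 -1 311 12 4 2 3 89150 76470 15 0 9
"""
# Constructed /proc/net/netstat snapshots (TcpExt field set trimmed).
NETSTAT_T0 = """\
TcpExt: SyncookiesSent SyncookiesRecv PAWSEstab DelayedACKs
TcpExt: 0 0 3 1204
"""
NETSTAT_T1 = """\
TcpExt: SyncookiesSent SyncookiesRecv PAWSEstab DelayedACKs
TcpExt: 0 0 3 1210
"""
NETSTAT_T2 = """\
TcpExt: SyncookiesSent SyncookiesRecv PAWSEstab DelayedACKs
TcpExt: 0 0 123 1212
"""

# Counters to watch and the per-second growth treated as suspicious
# (assumed thresholds; tune them to the host's normal traffic).
WATCH = [("Tcp", "InSegs"), ("TcpExt", "PAWSEstab")]
THRESHOLDS = {"InSegs": 500.0, "PAWSEstab": 20.0}


def parse_proc_table(text):
    """Return {prefix: {field: int}} from the header/value line pairs used by
    /proc/net/snmp and /proc/net/netstat."""
    result, pending = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        prefix, _, rest = line.partition(":")
        tokens = rest.split()
        if prefix not in pending:
            pending[prefix] = tokens            # first line for a prefix: field names
        else:
            names = pending.pop(prefix)          # second line: the values
            if len(names) != len(tokens):
                raise ValueError(f"field count mismatch for {prefix}")
            result[prefix] = dict(zip(names, (int(t) for t in tokens)))
    return result


def counter_deltas(before, after, keys):
    """Growth of each watched counter between two parsed samples."""
    return {field: after[prefix][field] - before[prefix][field] for prefix, field in keys}


def flag_bursts(deltas, interval_s, thresholds):
    """Names of the counters whose per-second rate exceeds its threshold."""
    return sorted(f for f, d in deltas.items() if d / interval_s > thresholds[f])


def analyze(snmp_before, netstat_before, snmp_after, netstat_after, interval_s):
    """Parse both files at two instants and return (deltas, flagged counters)."""
    before = {**parse_proc_table(snmp_before), **parse_proc_table(netstat_before)}
    after = {**parse_proc_table(snmp_after), **parse_proc_table(netstat_after)}
    deltas = counter_deltas(before, after, WATCH)
    return deltas, flag_bursts(deltas, interval_s, THRESHOLDS)


if __name__ == "__main__":
    # Quiet interval, then one with a burst of segments and PAWS-rejected ones.
    for label, a, b in (("t0->t1", (SNMP_T0, NETSTAT_T0), (SNMP_T1, NETSTAT_T1)),
                        ("t1->t2", (SNMP_T1, NETSTAT_T1), (SNMP_T2, NETSTAT_T2))):
        deltas, flagged = analyze(a[0], a[1], b[0], b[1], interval_s=1.0)
        print(label, deltas, "flagged:", flagged)
```

On a real host the snapshots would come from reading the two files at a fixed interval; the parser accepts the full field set unchanged, since it only pairs each prefix's header line with its value line.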


Sequence Number Inference

Assuming a cellular RTT of 200 ms, a binary search needs 32 rounds (4G), about 10 s in practice.

N-way search

Mixing all methods, it takes only about 4–5 seconds to complete the inference.


On-site TCP Hijacking

Android 2.3.4 + m.facebook.com + PlanetLab server


Reset-the-server [Demo]

We leverage requirement C4, which tells the attacker that the victim connection's ISN is at most 2^24 away from the ISN of the attacker-initiated connection.

This works because RST packets with any sequence number that falls in the receive window can terminate the connection (P. A. Watson, "Slipping in the Window: TCP Reset Attacks," 2004).
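To make the receive-window condition concrete, the following added example (not the paper's or the talk's code) implements the classic RFC 793 RST check the slide relies on beside the RFC 5961 rule, under which only an RST carrying exactly RCV.NXT resets the connection and an in-window guess draws a challenge ACK instead. The RCV.NXT value and the probe list are constructed; the 4380-byte window is the m.facebook.com initial window a later slide lists.

```python
# Added example, not code from the paper or the talk: the receiver-side RST
# acceptance rule that "Reset-the-server" relies on, beside the stricter rule
# from RFC 5961 that defeats it. All sequence arithmetic is modulo 2**32.

MOD = 1 << 32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [RCV.NXT, RCV.NXT + RCV.WND), allowing for wrap-around."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


def rst_classic(seq, rcv_nxt, rcv_wnd):
    """RFC 793 behaviour cited on the slide (Watson 2004): any RST whose
    sequence number is inside the receive window aborts the connection."""
    return seq_in_window(seq, rcv_nxt, rcv_wnd)


def rst_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 behaviour, returned as (reset, challenge_ack): only
    seq == RCV.NXT resets; an in-window but inexact RST triggers a challenge
    ACK; anything out of window is dropped silently."""
    if seq == rcv_nxt:
        return True, False
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return False, True
    return False, False


def simulate(rcv_nxt, rcv_wnd, probes):
    """Apply one set of guessed RST sequence numbers to both receivers and
    report how many would reset the connection under each rule, plus how many
    challenge ACKs the RFC 5961 receiver would emit (a visible signal)."""
    classic = sum(rst_classic(s, rcv_nxt, rcv_wnd) for s in probes)
    resets = challenges = 0
    for s in probes:
        r, c = rst_rfc5961(s, rcv_nxt, rcv_wnd)
        resets += r
        challenges += c
    return {"classic_resets": classic, "rfc5961_resets": resets,
            "challenge_acks": challenges}


# Constructed scenario: RCV.NXT sits just below the 2**32 wrap and the window
# is the 4380-byte initial window the slides list for m.facebook.com.
RCV_NXT = 0xFFFFF000
RCV_WND = 4380
# Ten constructed guesses spaced one window apart, so exactly one lands in the
# window and the sequence space wraps partway through the list.
PROBES = [(RCV_NXT - 10000 + k * RCV_WND) % MOD for k in range(10)]

if __name__ == "__main__":
    print(simulate(RCV_NXT, RCV_WND, PROBES))
```

The modular comparison matters: a naive `rcv_nxt <= seq < rcv_nxt + rcv_wnd` misclassifies every probe once the window straddles the 2^32 boundary, which is why the constructed RCV.NXT is placed there.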


Reset-the-server

The max number of required RSTs = 2 × 2^24 / rwnd_server, where rwnd_server is the server's initial window (server_init_window):

m.facebook.com: 4380, requires 7661 RSTs

twitter.com: 5840, requires 5746 RSTs

chase.com: 32805


Reset-the-server

Bandwidth requirements: 327 Kbps ~ 12 Mbps

Bandwidth = (2 × 2^24 / rwnd_server) × 40 bytes × 8 bits / RTT


Hit-and-run

Bandwidth requirements

WIN is 64K × 2^window_scaling_factor

Bandwidth = (2^32 / WIN) × 40 bytes × 8 bits / RTT

For the two OS versions tested (window scaling factors 2 and 4), this is 26 Mbps and 6.6 Mbps.
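The following added example (not the authors' code) carries the Reset-the-server and Hit-and-run cost formulas through in Python with the slides' symbols, reproducing the 7661 and 5746 RST counts, the 12 Mbps figure for m.facebook.com, and the 26 Mbps and 6.6 Mbps hit-and-run figures. It assumes the 200 ms cellular RTT the slides use and 40 bytes per RST packet, the factor that appears in the slides' formulas.

```python
# Added example, not the authors' code: the cost model behind the slides'
# figures, written with the slides' symbols. Assumptions: RTT = 200 ms (the
# cellular RTT the slides assume) and 40 bytes per RST packet (the
# "40 bytes x 8 bits" factor in the slides' bandwidth formulas).
import math

RTT_S = 0.200
RST_BYTES = 40
ISN_SPAN = 2 * 2**24      # victim ISN within +-2^24 of the attacker's (requirement C4)
SEQ_SPACE = 2**32         # full TCP sequence space


def reset_server_rsts(rwnd_server):
    """Max RSTs to sweep the 2 x 2^24 ISN span with one RST per receive window."""
    return math.ceil(ISN_SPAN / rwnd_server)


def hit_and_run_win(scaling_factor):
    """Firewall window size: 64K x 2^N, N taken from the SYN/SYN-ACK scaling option."""
    return 65536 * 2**scaling_factor


def hit_and_run_rsts(scaling_factor):
    """Packets to sweep the whole 2^32 space with one packet per firewall window."""
    return math.ceil(SEQ_SPACE / hit_and_run_win(scaling_factor))


def bandwidth_bps(packets, rtt_s=RTT_S, pkt_bytes=RST_BYTES):
    """Bits per second needed to deliver `packets` packets within one RTT."""
    return packets * pkt_bytes * 8 / rtt_s


def binary_search_seconds(rtt_s=RTT_S, bits=32):
    """Lower bound for a binary search over a 32-bit sequence space: one RTT per bit."""
    return bits * rtt_s


def cost_table():
    """Reproduce the slides' figures in one place: {case: (packets, Mbps)}."""
    rows = {}
    for host, rwnd in (("m.facebook.com", 4380), ("twitter.com", 5840)):
        n = reset_server_rsts(rwnd)
        rows[host] = (n, round(bandwidth_bps(n) / 1e6, 1))
    for n_scale in (2, 4):
        n = hit_and_run_rsts(n_scale)
        rows[f"hit-and-run scale={n_scale}"] = (n, round(bandwidth_bps(n) / 1e6, 1))
    return rows


if __name__ == "__main__":
    for case, (packets, mbps) in cost_table().items():
        print(f"{case:24s} {packets:6d} packets  {mbps:5.1f} Mbps")
    print("binary search lower bound:", binary_search_seconds(), "s")
```

The two sweeps differ only in the span being covered and the window that bounds the step: the Reset-the-server case covers 2 × 2^24 sequence numbers in steps of the server's receive window, while the hit-and-run case covers the full 2^32 in steps of the firewall's window, which is why a larger scaling factor lowers the bandwidth requirement.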


On-site TCP Hijacking


Off-site TCP Injection

URL phishing: not implemented, because NAT is deployed.

Long-lived connection inference: a particular push server IP 74.125.65.188 and port 5228; about 7.8% of the IPs have a connection with the server.


Establish Spoofed Connections

Find unresponsive IPs: we send a SYN packet with a spoofed IP from the attack phone inside the cellular network to our attack server, which responds with a legitimate SYN-ACK.

About 80% of IPs are unresponsive. We can make about 0.6 successful connections per second on average, with more than 90% success rate.


Vulnerable Networks

We deployed a mobile application (referred to as MobileApp) on the Android market.

The data were collected between Apr 25th, 2011 and Oct 17th, 2011 over 149 uniquely identified carriers.


Firewall Implementation Types

Overall, out of the 149 carriers, we found 47 carriers (31.5%) that deploy sequence-number-checking firewalls.


Intermediate Hop Feedback

24 carriers have responsive intermediate hops that reply with TTL-expired ICMP packets.

8 carriers have NATs that allow single-ICMP-packet probing to infer active four-tuples.


Discussion

Firewall design

Side-channels

HTTPS-only world


Q & A
