Off-path (i.e. non-man-in-the-middle) network attacks; do firewalls/routers lower security? (papers)

MrBrian · Dec 5, 2014

From Off-Path Hacking: The Illusion of Challenge-Response Authentication (2013):

Abstract

Everyone is concerned about Internet security, yet most traffic is not cryptographically protected. Typical justification is that most attackers are off-path and cannot intercept traffic; hence, intuitively, challenge-response defenses should suffice to ensure authenticity. Often, the challenges re-use existing header fields to protect widely-deployed protocols such as TCP and DNS.

We argue that this practice may often give an illusion of security. We review recent off-path TCP injection and DNS poisoning attacks, enabling attackers to circumvent existing challenge-response defenses. Both TCP and DNS attacks are non-trivial, yet practical. The attacks foil widely deployed security mechanisms, and allow a wide range of exploits, such as long-term caching of malicious objects and scripts.

We hope that this review article will help improve defenses against off-path attackers. In particular, we hope to motivate, when feasible, adoption of cryptographic mechanisms such as SSL/TLS, IPsec and DNSSEC, providing security even against stronger Man-in-the-Middle attackers.
Click to expand...

----------

From Off-path TCP Sequence Number Inference Attack - How Firewall Middleboxes Reduce Security (2012):

Abstract

In this paper, we report a newly discovered "off-path TCP sequence number inference" attack enabled by firewall middleboxes. It allows an off-path (i.e., not man-in-the-middle) attacker to hijack a TCP connection and inject malicious content, effectively granting the attacker write-only permission on the connection. For instance, with the help of unprivileged malware, we demonstrate that a successful attack can hijack an HTTP session and return a phishing Facebook login page issued by a browser. With the same mechanisms, it is also possible to inject malicious Javascript to post tweets or follow other people on behalf of the victim. The TCP sequence number inference attack is mainly enabled by the sequence-number-checking firewall middleboxes. Through carefully-designed and well-timed probing, the TCP sequence number state kept on the firewall middlebox can be leaked to an off-path attacker. We found such firewall middleboxes to be very popular in cellular networks - at least 31.5% of the 149 measured networks deploy such firewalls. Finally, since the sequence-number-checking feature is enabled by design, it is unclear how to mitigate the problem easily.
Click to expand...

Demo video is available at http://web.eecs.umich.edu/~zhiyunq/tcp_sequence_number_inference/.

----------

From Off-Path TCP Injection Attacks (2014):

Abstract

We present practical off-path TCP injection attacks for connections between current, nonbuggy browsers and Web servers. The attacks allow Web-cache poisoning with malicious objects such as spoofed Web pages and scripts; these objects can be cached for a long period of time, exposing any user of that cache to cross-site scripting, cross-site request forgery, and phishing attacks.

In contrast to previous TCP injection attacks, we do not require MitM capabilities or malware running on the client machine. Instead, our attacks rely on a weaker assumption, that the user only enters a malicious Web site, but does not download or install any application. Our attacks exploit subtle details of the TCP and HTTP specifications, and features of legitimate (and very common) browser implementations. An empirical evaluation of our techniques with current versions of browsers shows that connections with most popular Web sites are vulnerable.

We conclude this work with practical client- and server-end defenses against our attacks.
Click to expand...

Download: http://u.cs.biu.ac.il/~herzbea/security/14-01-tcp.pdf .

----------

Some other papers in the references of the above papers are available at Google Scholar.

MrBrian · Dec 5, 2014

From Reflection Scan: an Off-Path Attack on TCP (2012):

Abstract:

The paper demonstrates how traffic load of a shared packet queue can be exploited as a side channel through which protected information leaks to an off-path attacker. The attacker sends to a victim a sequence of identical spoofed segments. The victim responds to each segment in the sequence (the sequence is reflected by the victim) if the segments satisfy a certain condition tested by the attacker. The responses do not reach the attacker directly, but induce extra load on a routing queue shared between the victim and the attacker. Increased processing time of packets traversing the queue reveal that the tested condition was true. The paper concentrates on the TCP, but the approach is generic and can be effective against other protocols that allow to construct requests which are conditionally answered by the victim. A proof of concept was created to assess applicability of the method in real-life scenarios.
Click to expand...

Gullible Jones · Dec 8, 2014

Wow, the last one is nasty. I'll have to read the paper (or at least try to) but it sounds like a design flaw in TCP.

I'm surprised we haven't heard more about stuff like this. I mean, the papers are a couple years old now...

Log in or Sign up

Off-path (i.e. non-man-in-the-middle) network attacks; do firewalls/routers lower security? (papers)

MrBrian Registered Member

MrBrian Registered Member

Gullible Jones Registered Member

Log in or Sign up

Off-path (i.e. non-man-in-the-middle) network attacks; do firewalls/routers lower security? (papers)

MrBrian Registered Member

MrBrian Registered Member

Gullible Jones Registered Member

Useful Searches