INFERENCE ATTACK BY Zhiyun Qian ZMorley MaoYinglian Xie Presented By Yugendhar Reddy Sarabudla Todays AGENDA Introduction Background description TCP Sequence Number Inference Attack ID: 754251
Download Presentation The PPT/PDF document "COLLABORATIVE TCP SEQUENCE NUMBER" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
COLLABORATIVE TCP SEQUENCE NUMBER INFERENCE ATTACK
BY Zhiyun Qian, Z.Morley, MaoYinglian Xie Presented By:Yugendhar Reddy SarabudlaSlide2
Today’s AGENDAIntroductionBackground descriptionTCP Sequence Number Inference AttackDesign and Implementation of TCP AttackImpact Analysis of an Attack from case studies
ConclusionSlide3
TCP IntroductionTCP - Most commonly used protocol over the internetBuilt on top of Internet Protocol. Hence TCP/IP.Transmits bits of data in terms of IP packetsConnection-oriented.Highly reliable for transmission of data.Receiver sends acknowledgement for the packets received, based on that re-transmission is done for failed packetsSlide4
Understanding tCP FieldsSlide5
The Three-Way HandshakeTCP utilizes many 1-bit boolean flags to maintain the state of the connection.The three fields that we are interested in are SYN : initiates a connectionACK : used to acknowledge received dataFIN : terminates a connectionSlide6
SEQUENCE AND ACKNOWLEDGEMENT NUMBERSSequence and Acknowledgement are two more fields of TCP header, used to track a connection’s packetThese are different from “SYN flag” and “ACK flag”Both client and server of a TCP session maintains a 32-bit sequence numberSequence number is included in every packet that is sent and it is used to track the amount of data that has been sentWhen the opposite host receives a packet it send the sequence number as acknowledgement number to the sender, conforming that it received the packet. Slide7
The Three-Way HandshakeSo TCP 3 way handshake is all about SYN—>SYN-ACK—>ACK. This 3 way handshake is one of the reason which makes TCP a reliable protocol.Slide8
Sequence and Acknowledgement numbers OBESERVaNCESlide9
Background DescriptionTCP- Not originally designed for security, for years it has been patched to address various security holesRandomization of TCP’s initial sequence number (ISN), introduced in RFC 1948 was an important one. Proposed to guard against off-path spoofing attacks attempting to inject packets with forged source addressesPrevents easy prediction of ISN, by which arbitrarily inserted messages are likely to be discarded at the receiver due to invalid sequence numbersSlide10
Background DescriptionA function has been defined to obtain a unique random number using a 4 micro second timer M, which decreases the probability of guessing sequence numberBelow is the equation to generate ISN ISN = M + F(localhost, localport, remotehost, remoteport
) F is the hash functionSlide11
TCP SEQUENCE NUMBER INFERENCE ATTACKThreat ModelPacket Counter Side ChannelsTCP Incoming Packet ValidationSequence Number Dependent Counter in LinuxSequence Number Dependent Counter in WindowsSequence Number Dependent Counter in Mac/BSDSlide12
THREAT MODELIn Threat model, there are four main entitiesThe victim smartphone and a target applicationThe legitimate server which communicates with victim smartphone using an unencrypted application layer (HTTP)The on-device malware, which doesn’t have privileges and cannot tamper other apps directlyThe off-path attacker, capable of spoofing the legitimate server IP addressSlide13
THREAT MODEL- Work FlowAttacker sends a probing packet to target and the malware residing in the target checks whether attacker has sent the correct sequence number or not and replies with a feedbackSlide14
THREAT MODELThe off-path attacker needs the two piece of informationFour tuples of target connection i.e., source/destination IP address and source/destination port numbersCorrect sequence numberThe on-device malware will be able to identify the current active tcp connection but not the sequence number that is in useSlide15
PACKET COUNTER SIDE CHANNELS Provides indirect feedback on sequence number.
Some of the processes could be used to attain this.‘netstat –s’ => Extracts information The IPID side channel => A special form of packet counter to record outgoing packets.Slide16
TCP INCOMING PACKET VALIDATIONFive checks from referred source code in Linux
Error check : MD5, Timestamp, Packet Length, Checksum Sequence Number check : seq_end >= X, seq <= X +rcv_win Ack Number check : Valid ACK -> [Y, Y+remaining_bytes]0-payload check : If payload = 0, dropRetransmission check: If seq_end <= X, dropSlide17
TCP INCOMING PACKET VALIDATIONSlide18
SEQUENCE NUMBER DEPENDENT COUNTER IN LINUXProblems with Previous attack (Phrack attack)Too Large : Required number of packets is too largeToo Noisy :
The counter that records the total number of outgoing packets is too noisySlide19
SEQUENCE NUMBER DEPENDENT COUNTER IN LINUXBoth the problems mentioned can be addressed by using “sequence-number-dependent packet counters”Slide20
SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX
DelayedACKLost (Binary Search)DelayedACKLost (Four-way Search)Slide21
SEQUENCE NUMBER DEPENDENT COUNTER IN Mac/BSDFindings of sequence dependent counters in BSD/Mac OS, they are.rcvduppack and rcvdupbytercvpackafterwin and rcvbyteafterwinrcvoopack
and acvoobytercvdupack and rcvacktoomuchThe first three pairs can be used to infer server-side sequence numbers.The last pair is used to determine the client-side sequence numbers.Slide22
SEQUENCE NUMBER DEPENDENT COUNTER IN WINDOWSWindows OS doesn’t expose such sequence number dependent counters and are not vulnerable to the attack.Windows 7- TCP related packet counters includes (netstat -s”) a. Incoming packets b. Outgoing packets
c. Number of packetsThese Packet counters do not leak sequence numbers directly.Slide23
Inference Performance OverheadA sequence number inference is implemented on android and Mac OS.Top Figure - Tradeoff is that the fewer iterations an attacker wants, the more bytes he needs to send in total.Bottom Graph - Inference time increases as the RTT between attacker and client increases.Slide24
NOISNESS OF SEQUENCE-NUMBER Dependent CountersClaim : Clean side channels that rarely increment, naturally even with background traffic.Running web pages playing You tube video in background. Probability that the counter increments due to noise and interference with one round of probing is roughly 0.059%.Windows 7 - TCP related packet counters includes (netstat -s”) a. Incoming packets
b. Outgoing packets c. Number of packetsSlide25
DESIGN AND IMPLEMENTATION OFTCP ATTACKSAttack RequirementsClient-Side TCP InjectionPassive TCP HijackingServer-Side TCP InjectionActive TCP HijackingSlide26
ATTACK REQUIREMENTSInternet access to malware.Malware that can run in the background and read packet countersAbility of Malware to read the list of active TCP connections and their four tuplesA predictable external port number if NAT is deployedSlide27
Client-SIDE TCP INJECTIONInject malicious data into a connection established by other apps.Challenge – May compete with the data sent from legitimate server.Slide28
PASSIVE TCP HIJACKINGSlide29
SERVER-Side TCP INJECTIONAttackers injects malicious payload into connection destined for serverStraight forward : Combines Sequence number inference and attackSlide30
ACTIVE TCP HIJACKINGSlide31
ATTACK IMPACT ANALYSIS FROM CASE STUDIESFacebook Javascript InjectionPhishing Facebook Login PageCommand Injection on Windows Live MessengerRestricted Facebook Login Page HijackSlide32
SUCCESS RATE AND ANALYSIS OF THE ATTACKSSuccess rate for Facebook javascript injection when RTT=100ms is 87.5%Success rate for phishing Facebook Login Page :<50% With two nodes for latency values of 70ms and 100ms it increases to 62.5% and 82.5%.Windows Live Messenger - Command line injection was carried out using server-side TCP injection wherein adding friend or removing existing friend, changing status messages, sending messages to friends has been carried out with an inference time of around 2-3 seconds.
Restricted Facebook Login page Hijack :The app indeed has a relationship with the target website so that the user will enter his password into the browser.Slide33
CONCLUSIONThe paper provides few defense strategies to avoid the attack.Always using SSL/TLSRemoving unnecessary global data or only allow privileged programs to access such state.providing better isolation among resourcesSlide34
Questions ?Slide35
Thank YOU