COLLABORATIVE TCP SEQUENCE NUMBER - PowerPoint Presentation

alida-meadow
352 views
Uploaded On 2019-02-28

Presentation Transcript

Slide1

Collaborative TCP Sequence Number Inference Attack

By Zhiyun Qian, Z. Morley Mao, Yinglian Xie
Presented by: Yugendhar Reddy Sarabudla

Slide2

Today's Agenda
- Introduction
- Background description
- TCP Sequence Number Inference Attack
- Design and Implementation of TCP Attack
- Impact Analysis of an Attack from case studies
- Conclusion

Slide3

TCP Introduction
- TCP is the most commonly used transport protocol on the Internet.
- Built on top of the Internet Protocol, hence "TCP/IP".
- Transmits data in IP packets.
- Connection-oriented.
- Highly reliable for transmission of data.
- The receiver sends acknowledgements for the packets it received; based on these, failed packets are retransmitted.

Slide4

Understanding TCP Fields

Slide5

The Three-Way Handshake
- TCP uses many 1-bit boolean flags to maintain the state of the connection.
- The three flags we are interested in are:
  - SYN: initiates a connection
  - ACK: acknowledges received data
  - FIN: terminates a connection

Slide6

Sequence and Acknowledgement Numbers
- Sequence and acknowledgement numbers are two more fields of the TCP header, used to track a connection's packets.
- These are different from the SYN flag and the ACK flag.
- Both client and server of a TCP session maintain a 32-bit sequence number.
- The sequence number is included in every packet that is sent and is used to track the amount of data that has been sent.
- When the opposite host receives a packet, it sends the sequence number back as the acknowledgement number, confirming that it received the packet.

Slide7

The Three-Way Handshake
- The TCP three-way handshake is SYN -> SYN-ACK -> ACK.
- This three-way handshake is one of the reasons TCP is a reliable protocol.

Slide8

Sequence and Acknowledgement Numbers: Observation

Slide9

Background Description
- TCP was not originally designed for security; for years it has been patched to address various security holes.
- Randomization of TCP's initial sequence number (ISN), introduced in RFC 1948, was an important one. It was proposed to guard against off-path spoofing attacks that attempt to inject packets with forged source addresses.
- It prevents easy prediction of the ISN, so arbitrarily inserted messages are likely to be discarded at the receiver because of invalid sequence numbers.

Slide10

Background Description
- A function is defined to obtain a unique random number using a 4-microsecond timer M, which decreases the probability of guessing the sequence number.
- Below is the equation used to generate the ISN:

  ISN = M + F(localhost, localport, remotehost, remoteport)

  where F is the hash function.

Slide11
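As an added example (not code from the slides or the paper), the following generator builds an ISN from the slide's equation ISN = M + F(...); RFC 1948 additionally keys F with a secret known only to the host, since without it anyone who knows the four-tuple could compute F, so a secret is included here. HMAC-SHA-256 stands in for the RFC's MD5-based F, and the four-tuple values are constructed.

```python
# Added example, not code from the slides or the paper: an RFC 1948-style ISN
# generator built from the slide's equation ISN = M + F(local host/port,
# remote host/port).  RFC 1948 also keys F with a secret known only to the host;
# without that secret anyone who knows the four-tuple could compute F, so the
# secret is included here.  HMAC-SHA-256 is used in place of the RFC's MD5-based F.
import hashlib
import hmac
import os
import time

MASK32 = 0xFFFFFFFF
HOST_SECRET = os.urandom(32)  # generated once per boot, never sent on the wire


def timer_m(now_ns=None):
    """M: a 32-bit counter that advances once every 4 microseconds."""
    if now_ns is None:
        now_ns = time.monotonic_ns()
    return (now_ns // 4000) & MASK32


def f_offset(local_host, local_port, remote_host, remote_port, secret=HOST_SECRET):
    """F: a fixed 32-bit offset for this four-tuple, unpredictable without the secret."""
    four_tuple = f"{local_host}:{local_port}->{remote_host}:{remote_port}".encode()
    digest = hmac.new(secret, four_tuple, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def initial_sequence_number(local_host, local_port, remote_host, remote_port,
                            now_ns=None, secret=HOST_SECRET):
    """ISN = M + F(...), reduced to 32 bits; ticks by one every 4 us per four-tuple."""
    m = timer_m(now_ns)
    f = f_offset(local_host, local_port, remote_host, remote_port, secret)
    return (m + f) & MASK32


if __name__ == "__main__":
    t = ("10.0.0.1", 40000, "192.0.2.10", 80)  # constructed four-tuple
    print("ISN now:", initial_sequence_number(*t))
    print("same tuple, another host's secret:",
          initial_sequence_number(*t, secret=os.urandom(32)))
```

Because F is constant for a given four-tuple and secret, successive connections to the same peer still see the ISN advance with the timer, while an off-path host without the secret cannot derive the offset.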

TCP Sequence Number Inference Attack
- Threat Model
- Packet Counter Side Channels
- TCP Incoming Packet Validation
- Sequence Number Dependent Counter in Linux
- Sequence Number Dependent Counter in Windows
- Sequence Number Dependent Counter in Mac/BSD

Slide12

Threat Model
In the threat model there are four main entities:
- The victim smartphone and a target application
- The legitimate server, which communicates with the victim smartphone over an unencrypted application layer (HTTP)
- The on-device malware, which has no privileges and cannot tamper with other apps directly
- The off-path attacker, capable of spoofing the legitimate server's IP address

Slide13

Threat Model: Workflow
The attacker sends a probing packet to the target; the malware residing on the target checks whether the attacker sent the correct sequence number and replies with feedback.

Slide14

Threat Model
The off-path attacker needs two pieces of information:
- The four-tuple of the target connection, i.e. source/destination IP addresses and source/destination port numbers
- The correct sequence number
The on-device malware is able to identify the currently active TCP connection, but not the sequence number in use.

Slide15

Packet Counter Side Channels
- Provide indirect feedback on the sequence number.
- Some of the sources that could be used to obtain this:
  - 'netstat -s' => extracts the packet counter information
  - The IPID side channel => a special form of packet counter that records outgoing packets

Slide16

TCP Incoming Packet Validation
Five checks, taken from the referenced Linux source code:
1. Error check: MD5, timestamp, packet length, checksum
2. Sequence number check: seq_end >= X and seq <= X + rcv_win
3. Ack number check: a valid ACK lies in [Y, Y + remaining_bytes]
4. 0-payload check: if payload = 0, drop
5. Retransmission check: if seq_end <= X, drop

Slide17
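As an added illustration (not the paper's or the Linux kernel's code), the Python model below implements checks 2 to 5 from this slide with wraparound-safe 32-bit comparisons and keeps a drop counter per branch, which shows why a counter that moves only in one branch becomes sequence-number dependent. The counter names and the receiver state are constructed for this model, and placing such a counter in the retransmission branch is an assumption standing in for the DelayedACKLost counter named on a later slide.

```python
# Added model of the incoming-packet checks listed on the slide; not the paper's
# or the Linux kernel's code.  X = rcv_nxt, Y = snd_una, remaining = bytes sent
# but not yet acknowledged.  Sequence numbers are 32-bit, so comparisons use
# modular before()/after() helpers instead of the slide's plain "<=".
MASK = 0xFFFFFFFF


def before(a, b):
    """True when 32-bit sequence number a precedes b, allowing for wraparound."""
    return ((a - b) & MASK) >= 0x80000000


def after(a, b):
    return before(b, a)


def validate(seq, payload_len, ack, X, rcv_win, Y, remaining, counters):
    """Return a verdict for one segment; check 1 (MD5/timestamp/length/checksum)
    is assumed to have passed already.  counters is updated in place."""
    seq_end = (seq + payload_len) & MASK
    # Check 2: sequence window, seq_end >= X and seq <= X + rcv_win
    if before(seq_end, X) or after(seq, (X + rcv_win) & MASK):
        counters["drop_window"] += 1
        return "drop:window"
    # Check 3: the ACK must fall in [Y, Y + remaining]
    if before(ack, Y) or after(ack, (Y + remaining) & MASK):
        return "drop:ack"
    # Check 4: nothing to deliver
    if payload_len == 0:
        return "drop:empty"
    # Check 5: all of the data was already received (seq_end <= X).  A counter
    # that only increments here is sequence-number dependent: whether it moves
    # tells an observer how the probe's seq relates to X.  Constructed counter,
    # standing in for the slide's DelayedACKLost (an assumption of this model).
    if not after(seq_end, X):
        counters["drop_retransmit"] += 1
        return "drop:retransmit"
    return "accept"


if __name__ == "__main__":
    c = {"drop_window": 0, "drop_retransmit": 0}
    X, win, Y, rem = 1000, 4096, 5000, 100  # constructed receiver state
    for seq in (900, 1000, 10000):          # three constructed probes
        print(seq, validate(seq, 100, Y, X, win, Y, rem, c), dict(c))
```

Only the probe ending exactly at X moves the retransmission counter, which is the property the defenses on the conclusion slide remove by keeping such state away from unprivileged programs.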

TCP Incoming Packet Validation

Slide18

Sequence Number Dependent Counter in Linux
Problems with the previous attack (the Phrack attack):
- Too large: the required number of packets is too large
- Too noisy: the counter that records the total number of outgoing packets is too noisy

Slide19

Sequence Number Dependent Counter in Linux
Both problems mentioned can be addressed by using "sequence-number-dependent packet counters".

Slide20

Sequence Number Dependent Counter in Linux
- DelayedACKLost (binary search)
- DelayedACKLost (four-way search)

Slide21

Sequence Number Dependent Counter in Mac/BSD
Sequence-number-dependent counters found in BSD/Mac OS:
- rcvduppack and rcvdupbyte
- rcvpackafterwin and rcvbyteafterwin
- rcvoopack and rcvoobyte
- rcvdupack and rcvacktoomuch
The first three pairs can be used to infer server-side sequence numbers; the last pair is used to determine client-side sequence numbers.

Slide22

Sequence Number Dependent Counter in Windows
- Windows does not expose such sequence-number-dependent counters and is not vulnerable to the attack.
- Windows 7 TCP-related packet counters (from "netstat -s") include:
  a. Incoming packets
  b. Outgoing packets
  c. Number of packets
- These packet counters do not leak sequence numbers directly.

Slide23

Inference Performance Overhead
- The sequence number inference is implemented on Android and Mac OS.
- Top figure: the trade-off is that the fewer iterations the attacker wants, the more bytes he needs to send in total.
- Bottom graph: inference time increases as the RTT between attacker and client increases.

Slide24

Noisiness of Sequence-Number-Dependent Counters
- Claim: these are clean side channels that rarely increment naturally, even with background traffic.
- Measured while running web pages and playing a YouTube video in the background: the probability that the counter increments due to noise and interferes with one round of probing is roughly 0.059%.
- Windows 7 TCP-related packet counters (from "netstat -s") include:
  a. Incoming packets
  b. Outgoing packets
  c. Number of packets

Slide25

Design and Implementation of TCP Attacks
- Attack Requirements
- Client-Side TCP Injection
- Passive TCP Hijacking
- Server-Side TCP Injection
- Active TCP Hijacking

Slide26

Attack Requirements
- Internet access for the malware
- Malware that can run in the background and read packet counters
- Ability of the malware to read the list of active TCP connections and their four-tuples
- A predictable external port number if NAT is deployed

Slide27

Client-Side TCP Injection
- Inject malicious data into a connection established by other apps.
- Challenge: the injected data may compete with the data sent from the legitimate server.

Slide28

Passive TCP Hijacking

Slide29

Server-Side TCP Injection
- The attacker injects a malicious payload into the connection destined for the server.
- Straightforward: combines the sequence number inference with the attack.

Slide30

Active TCP Hijacking

Slide31

Attack Impact Analysis from Case Studies
- Facebook JavaScript Injection
- Phishing Facebook Login Page
- Command Injection on Windows Live Messenger
- Restricted Facebook Login Page Hijack

Slide32

Success Rate and Analysis of the Attacks
- Success rate for Facebook JavaScript injection when RTT = 100 ms is 87.5%.
- Success rate for phishing the Facebook login page: <50%. With two nodes, for latency values of 70 ms and 100 ms, it increases to 62.5% and 82.5%.
- Windows Live Messenger: command injection was carried out using server-side TCP injection, whereby adding a friend, removing an existing friend, changing status messages and sending messages to friends were carried out with an inference time of around 2-3 seconds.
- Restricted Facebook login page hijack: the app indeed has a relationship with the target website, so the user will enter his password into the browser.

Slide33

Conclusion
The paper provides a few defense strategies to avoid the attack:
- Always use SSL/TLS
- Remove unnecessary global data, or only allow privileged programs to access such state
- Provide better isolation among resources

Slide34

Questions?

Slide35

Thank You