Collaborative TCP Sequence Number Inference Attack: How to Crack Sequence Number Under A Second
By
Brief History
TCP was not designed with security in mind, so numerous patches have been added to it over the years to shore it up. One such patch is the randomization of the TCP Initial Sequence Number (ISN), introduced in RFC 1948 and later revised in RFC 6528 (2012).
The patch was proposed to defend against off-path spoofing attacks, in which an attacker injects packets with a forged source address into an existing connection.
ISN randomization prevents easy prediction of the ISN.
It has made most sequence number guessing attacks very hard to carry out.
Brief History Cont.
RFC 1948 builds the ISN from two parts: M, a 32-bit counter driven by a 4-microsecond timer, and F, a per-connection offset computed from the connection identifier, chosen so that the offset of one connection cannot be derived from the ISN observed on another.
The initial sequence number is generated as
ISN = M + F(localhost, localport, remotehost, remoteport)
where the sum is taken modulo 2^32 and F is a cryptographic hash (the RFC suggests MD5) whose input also includes a secret key known only to the host. RFC 6528 writes that secret explicitly as a fifth argument of F; without it anyone who knows the four-tuple could recompute the offset and the scheme would be no better than a bare clock.
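To make the formula concrete, the following is an added example (not code from the paper or from any kernel) of an RFC 1948 style ISN generator. It assumes a 16-byte secret drawn once per boot (the RFC leaves the size and source of the secret to the implementer), uses MD5 over the secret followed by the four-tuple as F, truncated to 32 bits, and models M as a 32-bit counter that advances once every 4 microseconds.

```python
"""ISN = M + F(localhost, localport, remotehost, remoteport) mod 2^32, RFC 1948 style.

Added example, not taken from the paper or from any kernel. Assumptions: the
secret is 16 random bytes drawn once per boot, F is MD5 over secret || 4-tuple
truncated to 32 bits, and M is a 32-bit counter advancing every 4 microseconds.
"""
import hashlib
import ipaddress
import os
import time

MOD = 1 << 32
TICK_NS = 4_000                # M advances once per 4 microseconds
BOOT_SECRET = os.urandom(16)   # assumption: per-boot secret that never leaves the host


def clock_m(now_ns: int) -> int:
    """M: the 4-microsecond timer, wrapped to 32 bits."""
    return (now_ns // TICK_NS) % MOD


def offset_f(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
             secret: bytes) -> int:
    """F: per-connection offset.

    The same 4-tuple and secret always give the same offset; changing any
    address or port gives an unrelated one, so an attacker who samples ISNs on
    a connection of his own learns nothing about the victim's connection.
    """
    conn_id = (ipaddress.ip_address(local_ip).packed
               + local_port.to_bytes(2, "big")
               + ipaddress.ip_address(remote_ip).packed
               + remote_port.to_bytes(2, "big"))
    digest = hashlib.md5(secret + conn_id).digest()
    return int.from_bytes(digest[:4], "big")


def isn(local_ip: str, local_port: int, remote_ip: str, remote_port: int,
        secret: bytes = BOOT_SECRET, now_ns=None) -> int:
    """Initial sequence number for a new connection on this 4-tuple."""
    if now_ns is None:
        now_ns = time.monotonic_ns()
    return (clock_m(now_ns)
            + offset_f(local_ip, local_port, remote_ip, remote_port, secret)) % MOD


if __name__ == "__main__":
    # Two client ports to the same server, sampled at the same instant: the
    # clock part is identical, the offsets are unrelated.
    for port in (40000, 40001):
        print(port, hex(isn("10.0.0.2", port, "93.184.216.34", 80, now_ns=0)))
```

Note that M still advances at a known rate: two ISNs taken on the same four-tuple 4 ms apart differ by exactly 1000, which is why the secret in F, not the clock, carries the unpredictability.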
CONTENTS
Introduction
TCP Sequence Number Inference Attack
Design and Implementation of TCP Attacks
Attack Impact Analysis
Conclusion
INTRODUCTION
In 2007, a study published in Phrack Magazine revisited the problem and showed that a TCP sequence number can still be inferred from how a host treats in-window versus out-of-window incoming packets.
In 2012, researchers found that the sequence number inference attack is more generally applicable and affects even short-lived HTTP connections. That attack, however, relies heavily on the presence of sequence-number-checking firewall middleboxes deployed in the network.
INTRODUCTION
This paper generalizes these attacks by eliminating the strong requirements they impose, enabling a broader class of attacks.
The paper makes the following key contributions:
A threat model in which on-device malware and an off-path attacker collaborate
Sequence-number-dependent packet counters as a side channel
An efficient way to complete the sequence number inference
TCP SEQUENCE NUMBER INFERENCE ATTACK
Threat Model
Packet Counter Side Channels
TCP Incoming Packet Validation
Sequence-Number-Dependent Counter in Linux
Sequence-Number-Dependent Counter in BSD/Mac
Sequence-Number-Dependent Counter in Windows
Inference Performance and Overhead
Noisiness of Sequence-Number-Dependent Counters
THREAT MODEL
There are four main entities in this threat model:
1. The victim smartphone and a target application, which together constitute the attack target.
2. The legitimate server, which talks to the victim smartphone using an unencrypted application-layer protocol (e.g., HTTP).
3. The on-device malware, which is unprivileged and cannot tamper with other apps directly.
4. The off-path attacker, who is capable of spoofing the IP address of the legitimate server.
Threat Model Flow
Figure 1 shows the basic flow of the threat model: the off-path attacker sends probing packets to the target, and the malware residing on the target checks, through the packet counters, whether the attacker guessed the sequence number correctly and replies with that feedback.
Threat Model
At a high level, the off-path attacker needs two pieces of information:
The four-tuple of a target connection, i.e., source/destination IP addresses and source/destination port numbers
The correct sequence number
The on-device malware can easily identify the current active connection, and hence its four-tuple, but it does not know the sequence number in use.
Packet Counter Side Channels
We look at a particular type of side channel, packet counters, which can provide indirect feedback on whether a guessed sequence number is correct. Several sources expose such counters.
"netstat -s" exposes a set of per-protocol statistics on all major OSes, including Microsoft Windows, Linux, BSD, Mac OS and smartphone OSes such as Android and iOS.
The IPID side channel can be considered a special form of packet counter: on stacks that use a single global IP identification counter, the field is incremented for every outgoing packet, so it records the total number of outgoing packets.
TCP Incoming Packet Validation
The Linux TCP stack performs five main checks, identified from the kernel source code as well as the controlled experiments in the paper. They are applied to any incoming TCP packet that is deemed to belong to an established connection based on its four-tuple:
Error check
Sequence number check
Acknowledgment number check
0-payload check
Retransmission check
TCP Incoming Packet Validation
The error check drops invalid packets early on.
The sequence number check tests whether the packet falls within the receive window.
The acknowledgment number check requires the ACK number to lie within [Y, Y + outstanding_bytes], where Y is the first unacknowledged sequence number and outstanding_bytes is the total number of bytes sent but not yet acknowledged.
The 0-payload check tests whether the packet carries any payload.
The retransmission check tests whether the packet's ending sequence number is smaller than or equal to the next expected sequence number.
Sequence Number Dependent Counter in Linux
This is where the sequence-number-dependent counter is found, in the kernel path taken by packets that fail the sequence number check. The "if" condition says: if the packet's starting sequence number is not equal to its ending sequence number (i.e., the packet has a nonzero payload), and its starting sequence number is "before" the expected sequence number, then a packet counter named DelayedACKLost is incremented.
SERVER-SIDE SEQUENCE NUMBER INFERENCE
Figure: sequence number inference using the DelayedACKLost packet counter (binary search)
Figure: sequence number inference using the DelayedACKLost packet counter (four-way search)
In each round the attacker sends probes with sequence numbers at the boundaries of the remaining candidate range; whether (and how many times) the counter increments tells which sub-range holds the expected sequence number.
Sequence Number Dependent Counter in BSD/Mac OS
The paper also identifies sequence-number-dependent counters in BSD/Mac OS. They come in pairs:
rcvduppack and rcvdupbyte
rcvpackafterwin and rcvbyteafterwin
rcvoopack and rcvoobyte
rcvdupack and rcvacktoomuch
The first three pairs can be used to infer server-side sequence numbers.
The last pair is used to determine client-side sequence numbers.
Sequence Number Dependent Counter in Windows
Microsoft Windows OSes do not expose such sequence-number-dependent counters and are therefore not vulnerable to this attack.
On Windows 7, for example, the TCP-related packet counters in the output of "netstat -s" are the total number of incoming packets, outgoing packets and retransmitted packets.
These packet counters do not leak sequence numbers directly.
Inference Performance and Overhead
The sequence number inference is implemented on Android and Mac OS.
Figure 7 shows the general trade-off: the fewer rounds (iterations) an attacker wants, the more bytes he has to send in total.
Figure 8 shows that the inference time increases as the RTT between the attacker and the client increases.
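To make the server-side inference figures and the Figure 7 trade-off concrete, here is a simulation added to this page (it is not the paper's code). The victim is reduced to the Linux behaviour the slides describe: the sequence number check, taken in its simplified form (is seq within [rcv_nxt, rcv_nxt + window]?), followed by the DelayedACKLost condition from the Linux counter slide. Two assumptions are made: in-window probes are dropped at the ACK-number check, since an off-path attacker does not know a valid ACK number, and the one-byte left-edge overlap that the real kernel's window test tolerates is ignored. The attacker sees nothing but the counter delta, which is what the on-device malware reads from "netstat -s"; ways=2 is the binary search and ways=4 the four-way search, and the returned probe count (one payload byte each, plus headers) is the bytes side of the trade-off.

```python
"""Simulated DelayedACKLost side channel and the binary / N-way inference.

Added example, not the paper's code. Assumptions: the sequence check is the
simplified "seq in [rcv_nxt, rcv_nxt + window]" test, in-window probes are
dropped at the ACK-number check, and the attacker's only feedback is the
counter delta reported by the on-device malware.
"""
MOD = 1 << 32


def before(a: int, b: int) -> bool:
    """Linux before(): True if a precedes b in 32-bit circular sequence space."""
    return ((a - b) & 0xFFFFFFFF) >= 0x80000000


class LinuxLikeReceiver:
    """Victim endpoint reduced to rcv_nxt, the receive window and one counter."""

    def __init__(self, rcv_nxt: int, window: int = 65535):
        self.rcv_nxt = rcv_nxt % MOD        # next expected sequence number
        self.window = window
        self.delayed_ack_lost = 0           # the DelayedACKLost line of netstat -s

    def in_window(self, seq: int) -> bool:
        """Sequence number check (simplified): seq within [rcv_nxt, rcv_nxt+window]."""
        return (seq - self.rcv_nxt) % MOD <= self.window

    def receive(self, seq: int, payload_len: int) -> None:
        """Process one spoofed segment; only its sequence fields matter here."""
        if self.in_window(seq):
            return   # goes on to the ACK-number check; a bogus ACK is dropped there
        end_seq = (seq + payload_len) % MOD
        # Out-of-window path: the "if" quoted on the Linux counter slide
        if end_seq != seq and before(seq, self.rcv_nxt):
            self.delayed_ack_lost += 1


def infer_rcv_nxt(victim: LinuxLikeReceiver, ways: int = 2):
    """Recover rcv_nxt from counter deltas alone.

    A 1-byte probe at sequence number c is counted exactly when c is before
    rcv_nxt, i.e. when byte c has already been received (c <= rcv_nxt - 1).
    Each round cuts the candidate range for that last received byte into n
    parts and probes every interior cut point; the delta k says how many cuts
    lie at or below the target, which selects part k. ways=2 is the binary
    search, ways=4 the four-way search. Returns (rcv_nxt, rounds, probes).
    """
    lo, hi = 0, MOD                 # candidate range for rcv_nxt - 1, half-open
    rounds = probes = 0
    while hi - lo > 1:
        width = hi - lo
        # before() agrees with linear order only once the span is <= 2^31,
        # so the first round is always a plain halving.
        n = 2 if width > MOD // 2 else min(ways, width)
        cuts = [lo + width * i // n for i in range(1, n)]
        start = victim.delayed_ack_lost
        for c in cuts:
            victim.receive(c, 1)             # spoofed from the server's address
        k = victim.delayed_ack_lost - start  # what the malware reports back
        edges = [lo] + cuts + [hi]
        lo, hi = edges[k], edges[k + 1]
        rounds += 1
        probes += len(cuts)
    return (lo + 1) % MOD, rounds, probes


if __name__ == "__main__":
    import random
    target = random.getrandbits(32)
    for ways in (2, 4, 16):
        guess, rounds, probes = infer_rcv_nxt(LinuxLikeReceiver(target), ways)
        print(f"{ways:2d}-way: rcv_nxt={guess:#010x} ok={guess == target} "
              f"rounds={rounds} probes={probes}")
```

With this model the binary search always needs 32 rounds of one probe, the four-way search 17 rounds and 47 probes, and a 16-way search 9 rounds and 113 probes: each extra bit per round costs roughly a doubling of the probes sent, which is the trade-off of Figure 7. The noise figure on the next slide matters here because every spurious increment shifts k by one and sends the search into the wrong part.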
Noisiness of Sequence Number Dependent Counters
The authors claim that these sequence-number-dependent counters are clean side channels that rarely increment naturally, even with background traffic.
To support this claim quantitatively, a worst-case experiment was carried out: a YouTube video is played in the background while web pages are browsed at the same time, and the counters are sampled to see how often they increment.
The experiment indicates that the probability that the counter increments due to noise during one round of probing is roughly 0.059%.
DESIGN AND IMPLEMENTATION OF TCP ATTACKS
Attack Requirements
Client-Side TCP Injection
Passive TCP Hijacking
Server-Side TCP Injection
Active TCP Hijacking
ATTACK REQUIREMENTS
Malware on the client with Internet access
Malware that can run in the background and read packet counters
Malware that can read the list of active TCP connections and their four-tuples
A predictable external port number if NAT is deployed
CLIENT-SIDE TCP INJECTION
In this attack, an attacker attempts to inject malicious data into a connection established by another app on the phone. The essential part of the attack is the TCP sequence number inference, which has already been described in detail.
The challenge is that the injected data may compete with the data sent by the legitimate server. Consider an HTTP session under attack: a valid HTTP response typically follows immediately after the request is sent, so by the time the sequence number inference is done, at least part of the HTTP response has already been sent by the server. The injected HTTP packets can then likely only corrupt the response and cause a denial of service rather than serious damage.
CLIENT-SIDE TCP INJECTION
The idea is to leverage two common scenarios:
1. The server may take a long time to process a request and assemble the response. This is common, as many services (websites) take 100 ms or more to process a request. Since the sequence number inference time can be brought below 100 ms in certain scenarios (when the RTT between the server and the client is small), the injection attack becomes as powerful as hijacking.
2. A single TCP connection is reused for more than one HTTP request/response pair. The inferred sequence number is then used to inject malicious data not into the first HTTP response but into a later one. In both cases, the attacker has enough time to complete the sequence number inference.
PASSIVE TCP HIJACKING
ACTIVE TCP HIJACKING
Attack Impact Analysis from Case Studies
Facebook JavaScript injection
Phishing Facebook login page
Command injection on Windows Live Messenger
Restricted Facebook login page hijack
Success Rates and Analysis of the Attacks
The success rate for Facebook JavaScript injection is 87.5% even when the RTT is 100 ms.
The success rate for phishing the Facebook login page is below 50%; using two attack nodes, for latency values of 70 ms and 100 ms, the rate increases to 62.5% and 82.5%.
Command injection on Windows Live Messenger was carried out using server-side TCP injection: adding a friend, removing an existing friend, changing status messages and sending messages to friends were all achieved, with an inference time of around 2-3 seconds.
The restricted Facebook login page hijack requires that the user be convinced the app has a genuine relationship with the target website, so that the user enters his password into the browser.
Conclusion
The paper proposes a few defense strategies against the attack:
Always use SSL/TLS.
Remove unnecessary global state, or allow only privileged programs to access it.
Provide better isolation among resources.
QUESTIONS?