Off-Path TCP Sequence Number Inference Attack How Firewall


33rd Security & Privacy (May 2012)

Zhiyun Qian, Zhuoqing Morley Mao

University of Michigan

Outline

 Introduction
 Fundamentals of the TCP Sequence Number Inference Attack
 TCP Attack Analysis and Design
 Attack Implementation and Experimental Results
 Vulnerable Networks
 Discussion

2012/4/30 A Seminar at Advanced Defense Lab 2

Introduction

 TCP was initially designed without many security considerations.
 4-tuple: local IP, local port, foreign IP, foreign port
 Off-path spoofing attacks

Off-Path Spoofing Attacks

 One of the critical patches is the randomization of TCP initial sequence numbers (ISN): RFC 6528 [ link ]
 Firewall vendors soon realized that they can in fact perform sequence number checking at network-based firewalls and actively drop invalid packets even before they can reach end-hosts.

Fundamentals of the TCP Sequence Number Inference Attack

 Sequence-Number-Checking Firewalls

Sequence-Number-Checking Firewalls

 Window size
   Fixed: 64K x 2^N, where N is the window scaling factor in the SYN and SYN-ACK packets.
 Left-only or right-only window
 Window moving behavior
   Window advancing
   Window shifting

Threat Model

 On-site TCP injection/hijacking
   An unprivileged malware runs on the client with access to the network and to the list of active connections through standard OS interfaces.
 Off-site TCP injection
   Only when the target connection is long-lived
   Establish TCP connections using spoofed IPs

Obtaining Feedback – Side Channels

 OS packet counters
 IPIDs from responses of intermediate middleboxes
   An attacker can craft packets with TTL values large enough to reach the firewall middlebox, but small enough that they will terminate at an intermediate middlebox instead of the end-host, triggering TTL expired messages.

Sequence Number Inference

Timing of Inference and Injection — TCP Hijacking

 For the TCP sequence number inference and subsequent data injection to be successful, a critical challenge is timing.
 To address the challenge, we design and implement a number of TCP hijacking attacks.

TCP Attack Analysis and Design

 Two base requirements for all attacks
   The ability to spoof the legitimate server’s IP
   A sequence-number-checking firewall deployed

Attack Requirements


On-site TCP Hijacking

 Reset-the-server

On-site TCP Hijacking

 Preemptive-SYN Hijacking

On-site TCP Hijacking

 Hit-and-run Hijacking

Off-site TCP Injection/Hijacking

 URL phishing
   An attacker can also acquire target four-tuples by luring a user to visit a malicious webpage that subsequently redirects the user to a legitimate target website.
   But it is not implemented in this paper.

Off-site TCP Injection/Hijacking

 Long-lived connection inference
   An approach we discovered is to send a single ICMP error message (e.g., network or port unreachable) to query a four-tuple.
   It passes through the firewall and triggers a TTL expired message.

Establish Spoofed Connections

 We found that there are many such unresponsive IPs in the nation-wide cellular network that we tested.

Attack Implementation and Experimental Results

 Client platform
   Android 2.2 and 2.3.4
   TCP window scaling factor: 2 and 4
   Vendors: HTC, Samsung, and Motorola
 Network
   An anonymized nation-wide carrier that widely deploys firewall middleboxes at the GGSN level

Side-channel

 /proc/net/snmp: InSegs
   the number of incoming TCP packets received
 /proc/net/netstat: PAWSEstab
   the number of packets received with an old timestamp
 IPID side-channel
   the noise level is quite tolerable.

Sequence Number Inference

 Assuming a cellular RTT of 200 ms
   32 times for binary search (4G)
   About 10 s in practice
 N-way search
 Mix all methods
   It takes only about 4–5 seconds to complete the inference

On-site TCP Hijacking

 Android 2.3.4 + m.facebook.com + PlanetLab server [ link ]

Reset-the-server [ Demo ]

 We leverage requirement C4, which tells the attacker that the victim connection’s ISN is at most 2^24 away from the ISN of the attacker-initiated connection.
 RST packets with any sequence number that falls in the receive window can terminate the connection.
   P. A. Watson, “Slipping in the Window: TCP Reset Attacks,” 2004.

Reset-the-server

 The max number of required RSTs, by server_init_window
   m.facebook.com: 4380, requires 7661 RSTs
   twitter.com: 5840, requires 5746 RSTs
   chase.com: 32805
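Added derivation of the RST counts above (not part of the original slides): requirement C4 bounds the victim ISN to within 2^24 of the attacker’s ISN on either side, so there are 2 x 2^24 = 2^25 candidate sequence numbers, and a single RST whose sequence number lands anywhere in the server’s initial receive window covers that whole window.

$$\text{max\_RST} = \left\lceil \frac{2 \cdot 2^{24}}{\text{server\_init\_window}} \right\rceil = \left\lceil \frac{33554432}{\text{server\_init\_window}} \right\rceil$$

$$\left\lceil \tfrac{33554432}{4380} \right\rceil = 7661, \qquad \left\lceil \tfrac{33554432}{5840} \right\rceil = 5746, \qquad \left\lceil \tfrac{33554432}{32805} \right\rceil = 1023$$

The first two values match the slide; the chase.com figure is computed here from the same formula because the slide leaves it blank. The larger a server’s initial window, the fewer spoofed RSTs suffice, which is the exposure this figure quantifies.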

Reset-the-server

 Bandwidth requirements
   327 Kbps ~ 12 Mbps

Hit-and-run

 Bandwidth requirements
   WIN is 64K x 2^window_scaling_factor
   For the two OSes: 26 Mbps and 6.6 Mbps

On-site TCP Hijacking


Off-site TCP Injection

 URL phishing
   Not implemented, because NAT is deployed.
 Long-lived connection inference
   A particular push server IP 74.125.65.188 and port 5228
   About 7.8% of the IPs have a connection with the server

Establish Spoofed Connections

 Find unresponsive IP
   We send a SYN packet with a spoofed IP from the attack phone inside the cellular network to our attack server, which responds with a legitimate SYN-ACK.
   80% of IPs are unresponsive.
 We can make about 0.6 successful connections per second on average, with a success rate of more than 90%.

Vulnerable Networks

 We deployed a mobile application (referred to as MobileApp) on the Android market.
 The data were collected between Apr 25th, 2011 and Oct 17th, 2011 over 149 uniquely identified carriers.

Firewall Implementation Types

 Overall, out of the 149 carriers, we found 47 carriers (31.5%) that deploy sequence-number-checking firewalls.

Intermediate Hop Feedback

 24 carriers have responsive intermediate hops that reply with TTL expired ICMP packets.
 8 carriers have NATs that allow single-ICMP-packet probing to infer active four-tuples.

Discussion

 Firewall design
 Side-channels
 HTTPS-only world