off path tcp exploits global rate limit considered
play

Off-Path TCP Exploits: Global Rate Limit Considered - PowerPoint PPT Presentation

Oct 07, 2023 •16 likes •376 views

Off-Path TCP Exploits: Global Rate Limit Considered Dangerous Yue Cao , Zhiyun Qian, Zhongjie Wang, Tuan Dao, Srikanth Krishnamurthy, Lisa M. Marvel USENIX

  1. Off-­‑Path ¡TCP ¡Exploits: ¡Global ¡Rate ¡Limit ¡ Considered ¡Dangerous Yue ¡Cao , ¡Zhiyun ¡Qian, ¡Zhongjie ¡Wang, ¡Tuan ¡Dao, ¡ Srikanth ¡Krishnamurthy, ¡Lisa ¡M. ¡Marvel† † USENIX Security 2016 Yue Cao 1

  2. Our TCP Attack • Discovered a subtle TCP side channel vulnerability in Linux 3.6+ (CVE-2016-5696) • Given any two arbitrary hosts on the internet, blind attacker can infer: • Existence of communication • Sequence number • ACK number • Can be used towards: • TCP connection termination attack • Malicious data injection attack USENIX Security 2016 Yue Cao 2

  3. Outline • Threat Model • Background • Vulnerability • Our Attacks • Evaluation • Defense & Conclusion 3 USENIX Security 2016 Yue Cao

  4. Outline • Threat Model • Background • Vulnerability • Our Attack • Evaluation • Defense & Conclusion 4 USENIX Security 2016 Yue Cao

  5. Threat Model • Consists of: • An arbitrary pair of client and server • A blind o ff-path attacker(no eavesdropping capability) • Assumption: the attacker can send spoofed packets with the victim (client or server)’s IP address Client Server Attacker Threat Model USENIX Security 2016 Yue Cao 5

  6. Outline • Thread Model • Background • History of RFC 5961 • 3 modifications in RFC 5961 • Why does this vulnerability exist? • Vulnerability • Our Attack • Evaluation • Defense & Conclusion USENIX Security 2016 Yue Cao 6

  7. Background • Traditional blind in-window attacks (brute force): • Connection termination & data injection attack • Success requirement (spoofed packet with): • Known 4-tuple <src IP , dst IP , src port, dst port> • Guessed SEQ # is in-window (recv window) • RFC 5961 (Aug 2010) • Mitigate blind in-window attacks • Modification of receiving scheme • SYN receiving scheme • RST receiving scheme • Data receiving scheme • Ironically , Linux implementation introduced the side channel vulnerability USENIX Security 2016 Yue Cao 7

  8. SYN Receiving Scheme • Before RFC 5961: blind RST Attack by sending spoofed SYN packet RCV.NXT Before RFC 5961 After RFC 5961 SEQ #: RCV_Window Out-of-Window ACK back Challenge ACK RCV.NXT+RCV.WND In_Window Challenge ACK Reset Connection SEQ # Space Challenge ACK: ask sender to confirm if it indeed restarted SYN Sender Receiver USENIX Security 2016 Yue Cao 8

  9. RST Receiving Scheme • Before RFC 5961: blind RST Attack by sending spoofed RST packet RCV.NXT After RFC 5961 SEQ #: Before RFC 5961 0/4G RCV_Window Out-of-Window Drop the Packet Drop the Packet In-Window Reset Connection Challenge ACK RCV.NXT+RCV.WND Reset Connection Exactly match SEQ # Space tell sender to confirm if it indeed terminated Challenge ACK: RST the connection Sender Receiver USENIX Security 2016 Yue Cao 9

  10. Data Receiving Scheme • Before RFC 5961: blind Data Injection Attack by injecting spoofed DATA packet Challenge Accept Before RFC 5961 After RFC 5961 ACK #: Window Window SND.UNA Out-of-Window Drop Drop SND.UNA-2G SND.NXT In-Accpt_Window Process Data Process Data Challenge Window Challenge ACK (Old ACK) ACK # Space RCV.NXT SEQ #: In-RCV_Window —> Check ACK # RCV_Window RCV.NXT+RCV.WND SEQ # Space USENIX Security 2016 Yue Cao 10

  11. Why Does This Vulnerability Exist? • RFC 5961: a much stricter check on incoming packets • Challenge ACK is triggered in a established connection: • SYN packet with correct 4-tuples <srcIP, dstIP, srcPort, dstPort> (any SEQ #) • RST packet with 4-tuples, in-window SEQ # • Data packet with 4-tuples, in-window SEQ #, old ACK #(in challenge window) SYN-triggered RST-triggered ACK-triggered challenge ACK challenge ACK challenge ACK Rate limit of challenge ACK Side-Channel Side-Channel Side-Channel (recommended by RFC 5961) Port number SEQ number ACK number Linux followed faithfully SYN RST Data USENIX Security 2016 Yue Cao 11

  12. Outline • Thread Model • Background • Vulnerability • Side channel vulnerability • Guess-Then-Check Method • Optimizations • Our Attack • Evaluation • Defense & Conclusion USENIX Security 2016 Yue Cao 12

  13. Side Channel Vulnerability • sysctl_tcp_challenge_ack_limit: implemented in Linux 3.6+ • Global limit of all challenge ACK per sec, shared across all connections • Default value: 100 ( reset per second) Client Server Any OS at Client! T S R 0 0 1 K C A e g n e l l a h c 0 0 1 Attacker Side-Channel Vulnerability Example USENIX Security 2016 Yue Cao 13

  14. Exploit The Vulnerability • Guess-then-Check method: SYN-triggered RST-triggered Data-triggered challenge ACK challenge ACK challenge ACK • Send spoofed packets with guessed values • Example: to guess correct client-port number Port number SEQ number ACK number Inference Inference Inference • If it’s a correct guess: 1 challenge ACK Spoofed SYN packets with c lient’s IP and a guessed src port Guess Phase Server Client T S R 0 0 K 1 C A e g n e l l a h c 9 9 Check Phase Attacker USENIX Security 2016 Yue Cao 14

  15. Guess-Then-Check Method • Send spoofed packets with guessed values • Example: to guess correct client-port number • If it’s a wrong guess: No challenge ACK Spoofed SYN packets with c lient’s IP and a guessed src port Client Server T S R 0 0 1 K C A e g n e l l a h c 0 0 1 Attacker USENIX Security 2016 Yue Cao 15 15

  16. Guess-Then-Check Method • Challenge: expensive time cost • N: maximum spoofed probing packets in one second • Bandwidth dependent Spoofed SYN packets with c lient’s IP and guessed src port Client Server Attacker USENIX Security 2016 Yue Cao 16 16

  17. Guess-Then-Check Method • Same process works for guessing SEQ SYN-triggered RST-triggered Data-triggered challenge ACK challenge ACK challenge ACK number and ACK number • Correct guess: Port number SEQ number ACK number Inference Inference Inference • SEQ number RST packet with correct 4-tuples, SEQ # in-window • ACK number Data packet with 4-tuples, SEQ # in-window, old ACK # s ’ t n e i l c h t i w Q E s t S e d k e c s a s P e u T S g R d n d a e f t o r o o p p S c Server : r Q s s E ’ n t S w n e o Client i R n l C k O h , K P t C I i w A d s t e e s k s c e a u p g T d S n R a d Q e E f S o o , t p r S o p : K c C r A s n w o n k , P I Attacker USENIX Security 2016 Yue Cao 17 17

  18. Guess-Then-Check Method • Guess is correct when: • Src Port SYN packet with correct 4-tuples(src Port) • SEQ number RST packet with correct 4-tuples, SEQ # in-window • ACK number Data packet with correct 4-tuples, SEQ # in-window, old ACK • Traditional brute-force attack: 10 4 •10 9 •10 9 =10 22 different combinations • Our attack: Time cost is additive instead of multiplicative Possible to finish within 1 minute! Src Port SEQ number ACK number Dst IP, Src IP 10 4 10 9 10 9 Dst Port USENIX Security 2016 Yue Cao 18 18

  19. Optimizations • Binary-style search • Reduce the number of probing rounds • Multi-bin search • Further improvement • Redundancy-encoded search • Account for packet loss USENIX Security 2016 Yue Cao 19

  20. Binary-style Search • Send spoofed packet for all the ports in the 1st half range. • Narrow down the search space by half and proceed to the next round …… If Challenge ACK # < 100 If Challenge ACK # ==100 If Challenge ACK # < 100 If Challenge ACK # ==100 …… Binary Search Algorithm USENIX Security 2016 Yue Cao 20

  21. Outline • Thread Model • Background • Vulnerability • Our Attack • Attack overview • Time synchronization • Inference of possible TCP connection • TCP connection termination attack • TCP hijacking attack • Evaluation • Defense & Conclusion USENIX Security 2016 Yue Cao 21

  22. Attack Overview • Given client and server, we already know: • Src IP address: client IP • Dst IP address: server IP • Dst Port number: service at server(e.g. 80) Pre-process: Src Port SEQ number ACK number Time Inference Inference Inference Synchronization Inference of Connection Hijacking existence of a Termination Attack TCP connection Attack USENIX Security 2016 Yue Cao 22

  23. Time Synchronization • Challenge: • Challenge ACK count resets each second • All the spoofed and non-spoofed packets MUST be within the same 1-second interval at server 200 time slots • Our own method: • A time synchronization strategy based on …………. RST RST RST this side channel …………. 1 second Time synchronization example USENIX Security 2016 Yue Cao 23

  24. Inference Of Possible TCP Connection • Given src IP , dst IP and expected dst port: • To see if client opened a port Range size: N Src Port # • To infer src port: • 1. Throughout all port number[probe N ports in 1 sec] • To infer connection exists or not Step1: Identify Port Range • 2. Find exact correct port number[Binary/Multi-bin search] • To be used for termination attacker or hijacking attack Src Port # Step2: Identify Exact Port 24 USENIX Security 2016 Yue Cao

Recommend

On the Rate of Convergence in the Quantum Central Limit Theorem M. Cramer Ulm University on

On the Rate of Convergence in the Quantum Central Limit Theorem M. Cramer Ulm University on

On the Rate of Convergence in the Quantum Central Limit Theorem M. Cramer Ulm University on work with F.G.S.L. Brando Microsoft Research and University College London M. Guta University of Nottingham The Rate of Convergence in the Central

779 views • 60 slides
A Hard Path: Captive Consumers, the Independent Rate Approval Process and the 2020/21 MPI

A Hard Path: Captive Consumers, the Independent Rate Approval Process and the 2020/21 MPI

A Hard Path: Captive Consumers, the Independent Rate Approval Process and the 2020/21 MPI General Rate Application Closing submissions of the Public Interest Law Centre on behalf of the Consumers Association of Canada (Manitoba) October

1.71k views • 127 slides
Sname 19 September 2015 Impact to marine fuels Lefteris Capatos ECA = Emission Control Area

Sname 19 September 2015 Impact to marine fuels Lefteris Capatos ECA = Emission Control Area

Sname 19 September 2015 Impact to marine fuels Lefteris Capatos ECA = Emission Control Area Hong Kong 0,5-0,05%? Global Limit ECA Limit Global Limit ECA Limit 1 st Jan 2020 OR 1 st Jan 2025 1 st July 2010 1 st Jan 2012 1 st Jan 2015 0.5%

491 views • 47 slides
Solar Eclipse Virtual Peer Exchange Joel McCarroll, P.E. ODOT Region 4 District 10 Manager

Solar Eclipse Virtual Peer Exchange Joel McCarroll, P.E. ODOT Region 4 District 10 Manager

Solar Eclipse Virtual Peer Exchange Joel McCarroll, P.E. ODOT Region 4 District 10 Manager NOCoEs Solar Eclipse Virtual Peer Exchange April 9, 2018 The Path of Totality. Northern Path Limit Central Line Southern Path Limit

456 views • 9 slides
Labor Classification Yrs Rate 1 Rate 2 Rate 3 Rate 4 Rate 5 Rate 6 Rate 7 Rate 8 Rate 9

Labor Classification Yrs Rate 1 Rate 2 Rate 3 Rate 4 Rate 5 Rate 6 Rate 7 Rate 8 Rate 9

Labor Classification Yrs Rate 1 Rate 2 Rate 3 Rate 4 Rate 5 Rate 6 Rate 7 Rate 8 Rate 9 Rate 10 Oz 30+ $ 72.50 Wicked Witches 20+ $ 61.00 $ 60.00 $ 58.00 $ 53.00 $ 52.00 $ 49.00 Scare Crows 15+ $ 48.00 $ 45.00 $

278 views • 7 slides
CS 457 Lecture 18 Global Internet Fall 2011 Solution: Path Vectors Each routing update

CS 457 Lecture 18 Global Internet Fall 2011 Solution: Path Vectors Each routing update

CS 457 Lecture 18 Global Internet Fall 2011 Solution: Path Vectors Each routing update carries the entire path Loops are detected as follows: when AS gets route check if AS already in path if yes, reject route if no, add

448 views • 29 slides
FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT DEVICES LIKE A BOSS) (PWNING IOT DEVICES LIKE A BOSS) @virtualabs | Hack in Paris '18 ABOUT ME ABOUT ME Head of Research @ Econocom Digital

1.73k views • 83 slides
Greetings from India GIC Re, the Indian Reinsurer, on its path to be a leading global reinsurer 2

Greetings from India GIC Re, the Indian Reinsurer, on its path to be a leading global reinsurer 2

Greetings from India GIC Re, the Indian Reinsurer, on its path to be a leading global reinsurer 2 World Bank 3 World Economic Forum 2008 2018, Global Risks Reports 4 a sound national insurance and reinsurance market is an essential

952 views • 28 slides
Average Annual Growth Rates of Global GDP by Decade, and from 2011-13 1960s 1970s 1980s

Average Annual Growth Rates of Global GDP by Decade, and from 2011-13 1960s 1970s 1980s

A Structural Crisis of Capitalism Global Stagnation, Financialization &amp; Trends in the Average Rate of Profit, the Rate of Surplus-Value, and the Composition of Capital in the U.S. Economy Based on Chapters 1 and 2 of Murray E.G. Smith,

296 views • 17 slides
MIRCC: Mul)path-aware ICN Rate-based Conges)on Control Milad Mahdian Somaya Arianfar

MIRCC: Mul)path-aware ICN Rate-based Conges)on Control Milad Mahdian Somaya Arianfar

MIRCC: Mul)path-aware ICN Rate-based Conges)on Control Milad Mahdian Somaya Arianfar Northeastern University Cisco Systems Jim Gibson Dave Oran Cisco Systems Cisco Systems Outline I. Introduc9on II. Single-Path MIRCC III. Mul9path MIRCC I.

833 views • 25 slides
The Emissions Gap Report Are the Copenhagen Accord pledges sufficient to limit global warming to

The Emissions Gap Report Are the Copenhagen Accord pledges sufficient to limit global warming to

The Emissions Gap Report Are the Copenhagen Accord pledges sufficient to limit global warming to 2C or 1.5C? Overview presentation 23 November 2010 www.unep.org/publications/ebooks/emissionsgapreport What are we aiming for? Findings from

485 views • 13 slides
The Path to The Path to Climate Climate Neutrality Neutrality But why? Global Warming

The Path to The Path to Climate Climate Neutrality Neutrality But why? Global Warming

The Path to The Path to Climate Climate Neutrality Neutrality But why? Global Warming Potential (GWP Global Warming Potential (GWP 100 ) of ) of 100 Main Greenhouse Gases Main Greenhouse Gases Carbon Dioxide (CO 2 ) 1 Methane (CH 4 )

218 views • 21 slides
Malnutrition Considered the gravest single threat to global public health.

Malnutrition Considered the gravest single threat to global public health.

Malnutrition Considered the gravest single threat to global public health. Solved in the developed world Simply a lack of food

737 views • 35 slides
Math 211 Math 211 Lecture #39 Limit Sets April 25, 2001 2 Limit Sets Limit Sets The

Math 211 Math 211 Lecture #39 Limit Sets April 25, 2001 2 Limit Sets Limit Sets The

1 Math 211 Math 211 Lecture #39 Limit Sets April 25, 2001 2 Limit Sets Limit Sets The (forward) limit set of the solution Definition: y ( t ) that starts at y 0 is the set of all limit points of the solution curve. It is denoted by ( y 0

302 views • 11 slides
Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter Buchlovsky 8. March 2004 University of Birmingham 1 Contents 1. Call-stacks, shellcode, gets 2. Exploits stack-based, heap-based 3. Defensive

1.56k views • 123 slides
MSC Cruises A global player on a path to further growth 1 MSC Cruises: Masters of the Sea Our

MSC Cruises A global player on a path to further growth 1 MSC Cruises: Masters of the Sea Our

MSC Cruises A global player on a path to further growth 1 MSC Cruises: Masters of the Sea Our mission, as a family-owned business, Our story begins in the heart of the is to translate our love and passion for the Mediterranean Sea, in Sorrento

798 views • 21 slides
We now mention some useful modifications of the limit idea. One-sided limits. + or

We now mention some useful modifications of the limit idea. One-sided limits. + or

14 Modifications of the limit idea We now mention some useful modifications of the limit idea. One-sided limits. + or as limit. Limit as the input variable approaches + or . Infinite limit at infinty. 14.1

513 views • 8 slides
Interest Rate Setting and Political Uncertainty Claus Vinge Skrumsager Co-Head of Global Capital

Interest Rate Setting and Political Uncertainty Claus Vinge Skrumsager Co-Head of Global Capital

Interest Rate Setting and Political Uncertainty Claus Vinge Skrumsager Co-Head of Global Capital Markets EMEA December, 2014 Risk Free Rate How it normally Works GE 10 Year Yield vs 5y5y Inflation 6-Feb 24-Jun 4-Sep 15-Oct ECB

340 views • 6 slides
Rate Mitigation Options and Impacts Review Introductions: Jabez Lane, Business Manager Duane

Rate Mitigation Options and Impacts Review Introductions: Jabez Lane, Business Manager Duane

Rate Mitigation Options and Impacts Review Introductions: Jabez Lane, Business Manager Duane Warren, President Transfer of assets to NF Power Consolidation of Power Supply &amp; NL Hydro Efficiencies within Nalcor Exploits

287 views • 15 slides
Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP

Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP

Payload Already Inside: Payload Already Inside: Data re-use for ROP Exploits Data re-use for ROP Exploits Long Le longld@vnsecurity.net BLACKHAT USA 2010 BLACKHAT USA 2010 1 Who am I? VNSECURITY founding member Capture-The-Flag

759 views • 43 slides
Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a

Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a

The C-Path Vision: Sharing Data and Expertise to Accelerate the Development of Safe and Effective Therapies for Neonates Martha Brumfield, President and CEO C-Path Mission C-Path The Critical Path Institute is a catalyst in the development of

410 views • 20 slides
Global Contexts Chi-yue Chiu The Chinese University of Hong Kong Infection rate of the world

Global Contexts Chi-yue Chiu The Chinese University of Hong Kong Infection rate of the world

Illness and Happiness in Global Contexts Chi-yue Chiu The Chinese University of Hong Kong Infection rate of the world Infection rate of Hong Kong For each country, ln(# of new case on Day N) ~ a + b * ln(# of total confirmed cases) 1.5000

524 views • 33 slides
Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits

Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits

Industrial Bug Mining Industrial Bug Mining Extracting, Grading and Enriching the Ore of Exploits the Ore of Exploits Private &amp; Confidential Property of COSEINC The Bug Mining Analogy The Bug Mining Analogy Phase 1: Extraction Phase 2:

591 views • 37 slides
Nutritional, Environmental, and Management Factors that Influence the Health, Growth Rate, and

Nutritional, Environmental, and Management Factors that Influence the Health, Growth Rate, and

Nutritional, Environmental, and Management Factors that Influence the Health, Growth Rate, and Productivity of the Young Dairy Calf Robert B Corbett DVM, PAS, dipl. ACAN Introduction Heifer programs are considered to be a major cost with

1.24k views • 68 slides

More recommend