Presentation is loading. Please wait.

Presentation is loading. Please wait.

Zhiyun Qian, Zhuoqing Morley Mao University of Michigan 33 rd Security & Privacy (May, 2012)

Published byIsabella Doris Simon Modified over 8 years ago

Similar presentations

Presentation on theme: "Zhiyun Qian, Zhuoqing Morley Mao University of Michigan 33 rd Security & Privacy (May, 2012)"— Presentation transcript:

1 Zhiyun Qian, Zhuoqing Morley Mao University of Michigan 33 rd Security & Privacy (May, 2012)

2 Outline  Introduction  Fundamentals of the TCP Sequence Number Inference Attack  TCP Attack Analysis and Design  Attack Implementation and Experimental Results  Vulnerable Networks  Discussion 2012/4/302A Seminar at Advanced Defense Lab

3 Introduction  TCP was initially designed without many security considerations. 4-tuple: local IP, local Port, foreign IP, foreign Port  Off-path spoofing attacks 2012/4/30A Seminar at Advanced Defense Lab3

4 Off-Path Spoofing Attacks  One of the critical patches is the randomization of TCP initial sequence numbers (ISN) RFC 6528 [link]link  Firewall vendors soon realized that they can in fact perform sequence number checking at network-based firewalls and actively drop invalid packets even before they can reach end-hosts 2012/4/30A Seminar at Advanced Defense Lab4

5 Fundamentals of the TCP Sequence Number Inference Attack  Sequence-Number-Checking Firewalls 2012/4/30A Seminar at Advanced Defense Lab5

6 Sequence-Number-Checking Firewalls  Window size Fixed 64K x 2 N, N is the window scaling factor in SYN and SYN-ACK packet.  Left-only or right-only window  Window moving behavior Window advancing Window shifting 2012/4/30A Seminar at Advanced Defense Lab6

7 Threat Model  On-site TCP injection/hijacking An unprivileged malware runs on the client with access to network and the list of active connections through standard OS interface.  Off-site TCP injection only when the target connection is long-lived  Establish TCP connection using spoofed IPs 2012/4/30A Seminar at Advanced Defense Lab7

8 Obtaining Feedback – Side Channels  OS packet counters  IPIDs from responses of intermediate middleboxes An attacker can craft packets with TTL values large enough to reach the firewall middlebox, but small enough that they will terminate at an intermediate middlebox instead of the end-host, triggering the TTL- expired messages. 2012/4/30A Seminar at Advanced Defense Lab8

9 Sequence Number Inference 2012/4/30A Seminar at Advanced Defense Lab9

10 Timing of Inference and Injection — TCP Hijacking  For the TCP sequence number inference and subsequent data injection to be successful, a critical challenge is timing.  To address the challenge, we design and implement a number of TCP hijacking attacks. 2012/4/30A Seminar at Advanced Defense Lab10

11 TCP Attack Analysis and Design  Two base requirements for all attacks The ability to spoof legitimate server’s IP A sequence-number-checking firewall deployed 2012/4/30A Seminar at Advanced Defense Lab11

12 Attack Requirements 2012/4/30A Seminar at Advanced Defense Lab12

13 On-site TCP Hijacking  Reset-the-server 2012/4/30A Seminar at Advanced Defense Lab13

14 On-site TCP Hijacking  Preemptive-SYN Hijacking 2012/4/30A Seminar at Advanced Defense Lab14

15 On-site TCP Hijacking  Hit-and-run Hijacking 2012/4/30A Seminar at Advanced Defense Lab15

16 Off-site TCP Injection/Hijacking  URL phishing An attacker can also acquire target four tuples by luring a user to visit a malicious webpage that subsequently redirects the user to a legitimate target website. But it is not implemented in this paper. 2012/4/30A Seminar at Advanced Defense Lab16

17 Off-site TCP Injection/Hijacking  Long-lived connection inference An approach we discover is through sending a single ICMP error message (e.g., network or port unreachable) to query a four-tuple. Pass through firewall and trigger TTL- expired message 2012/4/30A Seminar at Advanced Defense Lab17

18 Establish Spoofed Connections  We found that there are many such unresponsive IPs in the nation-wide cellular network that we tested. 2012/4/30A Seminar at Advanced Defense Lab18

19 Attack Implementation and Experimental Results  Client platform Android 2.2 and 2.3.4 TCP window scaling factor: 2 and 4 Vendors: HTC, Samsung, and Motorola  Network An anonymized nation-wide carrier that widely deploys firewall middleboxes at the GGSN-level 2012/4/30A Seminar at Advanced Defense Lab19

20 Side-channel  /proc/net/snmp: InSegs the number of incoming TCP packets received  /proc/net/netstat: PAWSEstab packets with an old timestamp is received  IPID side-channel the noise level is quite tolerable. 2012/4/30A Seminar at Advanced Defense Lab20

21 Sequence Number Inference  Assuming a cellular RTT of 200ms  32 times for binary search (4G) About 10s in practice  N-way search  Mix all methods It takes only about 4–5 seconds to complete the inference 2012/4/30A Seminar at Advanced Defense Lab21

22 On-site TCP Hijacking  Android 2.3.4 + m.facebook.com + Planetlab server [link]link 2012/4/30A Seminar at Advanced Defense Lab22

23 Reset-the-server [Demo]Demo  We leverage requirement C4 which tells the attacker that the victim connection’s ISN is at most 2 24 away from the ISN of the attacker-initiated connection.  Since RST packets with any sequence number that falls in the receive window can terminate the connection. P. A. Watson. “Slipping in the Window: TCP Reset Attacks,” 2004. 2012/4/30A Seminar at Advanced Defense Lab23

24 Reset-the-server  The max number of required RST  server_init_window m.facebook.com: 4380  require 7661 RST twitter.com: 5840  require 5746 RST chase.com: 32805 2012/4/30A Seminar at Advanced Defense Lab24

25 Reset-the-server  Bandwidth requirements  327 Kbps ~ 12 Mbps 2012/4/30A Seminar at Advanced Defense Lab25

26 Hit-and-run  Bandwidth requirements WIN is 64K x 2 window_scaling_factor For the two Oses is 26Mbps and 6.6Mbps 2012/4/30A Seminar at Advanced Defense Lab26

27 On-site TCP Hijacking 2012/4/30A Seminar at Advanced Defense Lab27

28 Off-site TCP Injection  URL phishing No implement Because NAT is deployed.  long-lived connection inference a particular push server IP 74.125.65.188 and port 5228 About 7.8% of the IPs have a connection with the server 2012/4/30A Seminar at Advanced Defense Lab28

29 Establish Spoofed Connections  Find unresponsive IP We send a SYN packet with a spoofed IP from the attack phone inside the cellular network to our attack server which responds with a legitimate SYN-ACK back. There are 80% of IPs are unresponsive.  We can make about 0.6 successful connection per second on average with more than 90% success rate 2012/4/30A Seminar at Advanced Defense Lab29

30 Vulnerable Networks  We deployed a mobile application (referred to as MobileApp) on the Android market.  The data are collected between Apr 25th, 2011 and Oct 17th, 2011 over 149 carriers uniquely identified 2012/4/30A Seminar at Advanced Defense Lab30

31 Firewall Implementation Types  Overall, out of the 149 carriers, we found 47 carriers (31.5%) that deploy sequence-number-checking firewalls. 2012/4/30A Seminar at Advanced Defense Lab31

32 Intermediate Hop Feedback  24 carriers have responsive intermediate hops that reply with TTL- expired ICMP packets.  8 carriers have NAT that allow single ICMP packet probing to infer active four tuples. 2012/4/30A Seminar at Advanced Defense Lab32

33 Discussion  Firewall design  Side-channels  HTTPS-only world 2012/4/30A Seminar at Advanced Defense Lab33

34 2012/4/30A Seminar at Advanced Defense Lab34

Download ppt "Zhiyun Qian, Zhuoqing Morley Mao University of Michigan 33 rd Security & Privacy (May, 2012)"

Similar presentations

Zhiyun Qian, Z. Morley Mao (University of Michigan)

Zhiyun Qian, Z. Morley Mao (University of Michigan)
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.

Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.
Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks Multipath.

Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks Multipath.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.

1 Chapter 3 TCP and IP. Chapter 3 TCP and IP 2 Introduction Transmission Control Protocol (TCP) Transmission Control Protocol (TCP) User Datagram Protocol.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Scanning.
Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University.

Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Scanning February 23, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Scanning February 23, 2010 MIS 4600 – MBA © Abdou Illia.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Lecture 23: Network Primer 7/15/2003 CSCE 590 Summer 2003.

Lecture 23: Network Primer 7/15/2003 CSCE 590 Summer 2003.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google