Understanding TCP Sequence Numbers and Attacks
Explore the fundamental concepts of TCP sequence numbers and inference attacks, along with the design, implementation, and impact analysis of TCP attacks. Delve into the significance of TCP fields, the three-way handshake process, as well as sequence and acknowledgment numbers to gain a comprehensive understanding of TCP protocols and security implications.
Download Presentation
Please find below an Image/Link to download the presentation.
The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.
E N D
Presentation Transcript
C O L L A B OR ATI VE C O L L A B OR ATI VE TC P S E Q U E NCE N U M B E R TC P S E Q U E NCE N U M B E R I N F E R ENC E AT TAC K I N F E R ENC E AT TAC K B Y Z H I Y U N Q I A N , Z . M O R L E Y, M A O Y I N G L I A N X I E P R E S E NTED BY: P R E S E NTED BY: R E D DY SA RABUDL A SA RABUDL A Y U G E NDHAR Y U G E NDHAR R E D DY
TODAYS AGENDA TODAY S AGENDA Introduction Background description TCP Sequence Number Inference Attack Design and Implementation of TCP Attack Impact Analysis of an Attack from case studies Conclusion
TCP INTRODUCTION TCP INTRODUCTION TCP - Most commonly used protocol over the internet Built on top of Internet Protocol. Hence TCP/IP. Transmits bits of data in terms of IP packets Connection-oriented. Highly reliable for transmission of data. Receiver sends acknowledgement for the packets received, based on that re-transmission is done for failed packets
UNDERSTANDING UNDERSTANDING TCP TCP FIELDS FIELDS
THE THREE THE THREE- -WAY HANDSHAKE WAY HANDSHAKE TCP utilizes many 1-bit boolean flags to maintain the state of the connection. The three fields that we are interested in are 1.SYN : initiates a connection 2.ACK : used to acknowledge received data 3.FIN : terminates a connection
SEQUENCE AND ACKNOWLEDGEMENT SEQUENCE AND ACKNOWLEDGEMENT NUMBERS NUMBERS Sequence and Acknowledgement are two more fields of TCP header, used to track a connection s packet These are different from SYN flag and ACK flag Both client and server of a TCP session maintains a 32-bit sequence number Sequence number is included in every packet that is sent and it is used to track the amount of data that has been sent When the opposite host receives a packet it send the sequence number as acknowledgement number to the sender, conforming that it received the packet.
THE THREE THE THREE- -WAY HANDSHAKE WAY HANDSHAKE So TCP 3 way handshake is all about SYN >SYN-ACK >ACK. This 3 way handshake is one of the reason which makes TCP a reliable protocol.
SEQUENCE AND ACKNOWLEDGEMENT SEQUENCE AND ACKNOWLEDGEMENT NUMBERS NUMBERS OBESERVANCE OBESERVANCE
BACKGROUND DESCRIPTION BACKGROUND DESCRIPTION TCP- Not originally designed for security, for years it has been patched to address various security holes Randomization of TCP s initial sequence number (ISN), introduced in RFC 1948 was an important one. Proposed to guard against off-path spoofing attacks attempting to inject packets with forged source addresses Prevents easy prediction of ISN, by which arbitrarily inserted messages are likely to be discarded at the receiver due to invalid sequence numbers
BACKGROUND DESCRIPTION BACKGROUND DESCRIPTION A function has been defined to obtain a unique random number using a 4 micro second timer M, which decreases the probability of guessing sequence number Below is the equation to generate ISN ISN = M + F(localhost, localport, remotehost, remoteport) F is the hash function
TCP SEQUENCE NUMBER INFERENCE TCP SEQUENCE NUMBER INFERENCE ATTACK ATTACK Threat Model Packet Counter Side Channels TCP Incoming Packet Validation Sequence Number Dependent Counter in Linux Sequence Number Dependent Counter in Windows Sequence Number Dependent Counter in Mac/BSD
THREAT MODEL THREAT MODEL In Threat model, there are four main entities 1.The victim smartphone and a target application 2.The legitimate server which communicates with victim smartphone using an unencrypted application layer (HTTP) 3.The on-device malware, which doesn t have privileges and cannot tamper other apps directly 4.The off-path attacker, capable of spoofing the legitimate server IP address
THREAT MODEL THREAT MODEL- - WORK FLOW WORK FLOW Attacker sends a probing packet to target and the malware residing in the target checks whether attacker has sent the correct sequence number or not and replies with a feedback
THREAT MODEL THREAT MODEL The off-path attacker needs the two piece of information 1.Four tuples of target connection i.e., source/destination IP address and source/destination port numbers 2.Correct sequence number The on-device malware will be able to identify the current active tcp connection but not the sequence number that is in use
PACKET COUNTER SIDE CHANNELS PACKET COUNTER SIDE CHANNELS Provides indirect feedback on sequence number. Some of the processes could be used to attain this. 1. netstat s => Extracts information 2. The IPID side channel => A special form of packet counter to record outgoing packets.
TCP INCOMING PACKET VALIDATION TCP INCOMING PACKET VALIDATION Five checks from referred source code in Linux 1. Error check : MD5, Timestamp, Packet Length, Checksum 2. Sequence Number check : seq_end >= X, seq <= X +rcv_win 3. Ack Number check : Valid ACK -> [Y, Y+remaining_bytes] 4. 0-payload check : If payload = 0, drop 5. Retransmission check: If seq_end <= X, drop
TCP INCOMING PACKET VALIDATION TCP INCOMING PACKET VALIDATION
SEQUENCE NUMBER DEPENDENT COUNTER SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX IN LINUX Problems with Previous attack (Phrack attack) Too Large : Required number of packets is too large Too Noisy : The counter that records the total number of outgoing packets is too noisy
SEQUENCE NUMBER DEPENDENT COUNTER SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX IN LINUX Both the problems mentioned can be addressed by using sequence-number-dependent packet counters
SEQUENCE NUMBER DEPENDENT COUNTER SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX IN LINUX DelayedACKLost (Four-way Search) DelayedACKLost (Binary Search)
SEQUENCE NUMBER DEPENDENT SEQUENCE NUMBER DEPENDENT COUNTER IN MAC/BSD COUNTER IN MAC/BSD Findings of sequence dependent counters in BSD/Mac OS, they are. 1.rcvduppack and rcvdupbyte 2.rcvpackafterwin and rcvbyteafterwin 3.rcvoopack and acvoobyte 4.rcvdupack and rcvacktoomuch The first three pairs can be used to infer server-side sequence numbers. The last pair is used to determine the client-side sequence numbers.
SEQUENCE NUMBER DEPENDENT SEQUENCE NUMBER DEPENDENT COUNTER IN WINDOWS COUNTER IN WINDOWS Windows OS doesn t expose such sequence number dependent counters and are not vulnerable to the attack. Windows 7- TCP related packet counters includes (netstat -s ) a. Incoming packets b. Outgoing packets c. Number of packets These Packet counters do not leak sequence numbers directly.
INFERENCE PERFORMANCE INFERENCE PERFORMANCE OVERHEAD OVERHEAD A sequence number inference is implemented on android and Mac OS. Top Figure - Tradeoff is that the fewer iterations an attacker wants, the more bytes he needs to send in total. Bottom Graph - Inference time increases as the RTT between attacker and client increases.
NOISNESS OF SEQUENCE NOISNESS OF SEQUENCE- -NUMBER DEPENDENT COUNTERS DEPENDENT COUNTERS NUMBER Claim : Clean side channels that rarely increment, naturally even with background traffic. Running web pages playing You tube video in background. Probability that the counter increments due to noise and interference with one round of probing is roughly 0.059%. Windows 7 - TCP related packet counters includes (netstat -s ) a. Incoming packets b. Outgoing packets c. Number of packets
DESIGN AND IMPLEMENTATION OF DESIGN AND IMPLEMENTATION OF TCP ATTACKS TCP ATTACKS Attack Requirements Client-Side TCP Injection Passive TCP Hijacking Server-Side TCP Injection Active TCP Hijacking
ATTACK REQUIREMENTS ATTACK REQUIREMENTS Internet access to malware. Malware that can run in the background and read packet counters Ability of Malware to read the list of active TCP connections and their four tuples A predictable external port number if NAT is deployed
CLIENT CLIENT- -SIDE TCP INJECTION SIDE TCP INJECTION Inject malicious data into a connection established by other apps. Challenge May compete with the data sent from legitimate server.
PASSIVE TCP HIJACKING PASSIVE TCP HIJACKING
SERVER SERVER- -SIDE TCP INJECTION SIDE TCP INJECTION Attackers injects malicious payload into connection destined for server Straight forward : Combines Sequence number inference and attack
ACTIVE TCP HIJACKING ACTIVE TCP HIJACKING
ATTACK IMPACT ANALYSIS FROM ATTACK IMPACT ANALYSIS FROM CASE STUDIES CASE STUDIES Facebook Javascript Injection Phishing Facebook Login Page Command Injection on Windows Live Messenger Restricted Facebook Login Page Hijack
SUCCESS RATE AND ANALYSIS OF THE SUCCESS RATE AND ANALYSIS OF THE ATTACKS ATTACKS Success rate for Facebook javascript injection when RTT=100ms is 87.5% Success rate for phishing Facebook Login Page : <50% With two nodes for latency values of 70ms and 100ms it increases to 62.5% and 82.5%. Windows Live Messenger - Command line injection was carried out using server- side TCP injection wherein adding friend or removing existing friend, changing status messages, sending messages to friends has been carried out with an inference time of around 2-3 seconds. Restricted Facebook Login page Hijack : The app indeed has a relationship with the target website so that the user will enter his password into the browser.
CONCLUSION CONCLUSION The paper provides few defense strategies to avoid the attack. Always using SSL/TLS Removing unnecessary global data or only allow privileged programs to access such state. providing better isolation among resources