DOI: 10.1145/2382196.2382258
Collaborative TCP sequence number inference attack: how to crack sequence number under a second

Published: 16 October 2012

Abstract

In this study, we discover a new class of previously unknown side channels, "sequence-number-dependent" host packet counters, that exist in Linux/Android and BSD/Mac OS and enable TCP sequence number inference attacks. These counters allow a piece of unprivileged on-device malware to collaborate with an off-path attacker to infer the TCP sequence numbers used between a client and a server, leading to TCP injection and hijacking attacks. We show that the inference takes, in common cases, under a second to complete and is quick enough for attackers to inject malicious JavaScript into live Facebook sessions and to perform malicious actions on behalf of a victim user. Since supporting unprivileged access to global packet counters is an intentional design choice, we believe our findings provide important lessons and offer insights for future system and network design.



Published In

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
October 2012, 1088 pages
ISBN: 9781450316514
DOI: 10.1145/2382196

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

• network packet counters
• tcp hijacking
• tcp sequence number

Qualifiers

• Research-article

Conference

CCS'12: the ACM Conference on Computer and Communications Security
October 16 - 18, 2012, Raleigh, North Carolina, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Cited By

• (2024) Untangling the Knot: Breaking Access Control in Home Wireless Mesh Networks. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, pp. 2072-2086. DOI: 10.1145/3658644.3670380. Online publication date: 2 Dec 2024.
• (2024) TCP Spoofing: Reliable Payload Transmission Past the Spoofed TCP Handshake. 2024 IEEE Symposium on Security and Privacy (SP), pp. 4497-4515. DOI: 10.1109/SP54263.2024.00265. Online publication date: 19 May 2024.
• (2024) A Horizontal Study on the Mixed IPID Assignment Vulnerability in the Linux Ecosystem. 2024 IEEE/ACM 32nd International Symposium on Quality of Service (IWQoS), pp. 1-10. DOI: 10.1109/IWQoS61813.2024.10682845. Online publication date: 19 Jun 2024.
• (2024) An SDN-Enabled Elliptic-Curve Diffie-Hellman Key Exchange Towards Secure P2P Networking. 2024 International Conference on Computing, Networking and Communications (ICNC), pp. 677-683. DOI: 10.1109/ICNC59896.2024.10556089. Online publication date: 19 Feb 2024.
• (2023) A Comprehensive Review of Cyber Security Vulnerabilities, Threats, Attacks, and Solutions. Electronics 12(6):1333. DOI: 10.3390/electronics12061333. Online publication date: 11 Mar 2023.
• (2023) Secure Inter-Container Communications Using XDP/eBPF. IEEE/ACM Transactions on Networking 31(2):934-947. DOI: 10.1109/TNET.2022.3206781. Online publication date: Apr 2023.
• (2023) Uncovering User Interactions on Smartphones via Contactless Wireless Charging Side Channels. 2023 IEEE Symposium on Security and Privacy (SP), pp. 3399-3415. DOI: 10.1109/SP46215.2023.10179322. Online publication date: May 2023.
• (2023) Threat Modeling for ML-based Topology Prediction in Vehicular Edge Computing Architecture. 2023 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), pp. 0523-0530. DOI: 10.1109/DASC/PiCom/CBDCom/Cy59711.2023.10361465. Online publication date: 14 Nov 2023.
• (2023) A New Model for Testing IPv6 Fragment Handling. Computer Security – ESORICS 2023, pp. 277-294. DOI: 10.1007/978-3-031-51476-0_14. Online publication date: 25 Sep 2023.
• (2022) Off-Path TCP Hijacking Attacks via the Side Channel of Downgraded IPID. IEEE/ACM Transactions on Networking 30(1):409-422. DOI: 10.1109/TNET.2021.3115517. Online publication date: Feb 2022.
