COLLABORATIVE TCP SEQUENCE NUMBER INFERENCE ATTACK BY Zhiyun Qian, Z.Morley, MaoYinglian Xie Presented By: Yugendhar Reddy Sarabudla

Today’s AGENDA Introduction Background description TCP Sequence Number Inference Attack Design and Implementation of TCP Attack Impact Analysis of an Attack from case studies Conclusion

TCP Introduction TCP - Most commonly used protocol over the internet Built on top of Internet Protocol. Hence TCP/IP. Transmits bits of data in terms of IP packets Connection-oriented. Highly reliable for transmission of data. Receiver sends acknowledgement for the packets received, based on that re-transmission is done for failed packets

Understanding tCP Fields

The Three-Way Handshake TCP utilizes many 1-bit boolean flags to maintain the state of the connection. The three fields that we are interested in are SYN : initiates a connection ACK : used to acknowledge received data FIN : terminates a connection

SEQUENCE AND ACKNOWLEDGEMENT NUMBERS Sequence and Acknowledgement are two more fields of TCP header, used to track a connection’s packet These are different from “SYN flag” and “ACK flag” Both client and server of a TCP session maintains a 32-bit sequence number Sequence number is included in every packet that is sent and it is used to track the amount of data that has been sent When the opposite host receives a packet it send the sequence number as acknowledgement number to the sender, conforming that it received the packet.

The Three-Way Handshake So TCP 3 way handshake is all about SYN—>SYN-ACK—>ACK. This 3 way handshake is one of the reason which makes TCP a reliable protocol.

Sequence and Acknowledgement numbers OBESERVaNCE

Background Description TCP- Not originally designed for security, for years it has been patched to address various security holes Randomization of TCP’s initial sequence number (ISN), introduced in RFC 1948 was an important one. Proposed to guard against off-path spoofing attacks attempting to inject packets with forged source addresses Prevents easy prediction of ISN, by which arbitrarily inserted messages are likely to be discarded at the receiver due to invalid sequence numbers

Background Description A function has been defined to obtain a unique random number using a 4 micro second timer M, which decreases the probability of guessing sequence number Below is the equation to generate ISN ISN = M + F(localhost, localport, remotehost, remoteport) F is the hash function

TCP SEQUENCE NUMBER INFERENCE ATTACK Threat Model Packet Counter Side Channels TCP Incoming Packet Validation Sequence Number Dependent Counter in Linux Sequence Number Dependent Counter in Windows Sequence Number Dependent Counter in Mac/BSD

THREAT MODEL In Threat model, there are four main entities The victim smartphone and a target application The legitimate server which communicates with victim smartphone using an unencrypted application layer (HTTP) The on-device malware, which doesn’t have privileges and cannot tamper other apps directly The off-path attacker, capable of spoofing the legitimate server IP address

THREAT MODEL- Work Flow Attacker sends a probing packet to target and the malware residing in the target checks whether attacker has sent the correct sequence number or not and replies with a feedback

THREAT MODEL The off-path attacker needs the two piece of information Four tuples of target connection i.e., source/destination IP address and source/destination port numbers Correct sequence number The on-device malware will be able to identify the current active tcp connection but not the sequence number that is in use

PACKET COUNTER SIDE CHANNELS Provides indirect feedback on sequence number. Some of the processes could be used to attain this. ‘netstat –s’ => Extracts information The IPID side channel => A special form of packet counter to record outgoing packets.

TCP INCOMING PACKET VALIDATION Five checks from referred source code in Linux Error check : MD5, Timestamp, Packet Length, Checksum Sequence Number check : seq_end >= X, seq <= X +rcv_win Ack Number check : Valid ACK -> [Y, Y+remaining_bytes] 0-payload check : If payload = 0, drop Retransmission check: If seq_end <= X, drop

TCP INCOMING PACKET VALIDATION

SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX Problems with Previous attack (Phrack attack) Too Large : Required number of packets is too large Too Noisy : The counter that records the total number of outgoing packets is too noisy

SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX Both the problems mentioned can be addressed by using “sequence-number-dependent packet counters”

SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX DelayedACKLost (Binary Search) DelayedACKLost (Four-way Search)

SEQUENCE NUMBER DEPENDENT COUNTER IN Mac/BSD Findings of sequence dependent counters in BSD/Mac OS, they are. rcvduppack and rcvdupbyte rcvpackafterwin and rcvbyteafterwin rcvoopack and acvoobyte rcvdupack and rcvacktoomuch The first three pairs can be used to infer server-side sequence numbers. The last pair is used to determine the client-side sequence numbers.

SEQUENCE NUMBER DEPENDENT COUNTER IN WINDOWS Windows OS doesn’t expose such sequence number dependent counters and are not vulnerable to the attack. Windows 7- TCP related packet counters includes (netstat -s”) a. Incoming packets b. Outgoing packets c. Number of packets These Packet counters do not leak sequence numbers directly.

Inference Performance Overhead A sequence number inference is implemented on android and Mac OS. Top Figure - Tradeoff is that the fewer iterations an attacker wants, the more bytes he needs to send in total. Bottom Graph - Inference time increases as the RTT between attacker and client increases.

NOISNESS OF SEQUENCE-NUMBER Dependent Counters Claim : Clean side channels that rarely increment, naturally even with background traffic. Running web pages playing You tube video in background. Probability that the counter increments due to noise and interference with one round of probing is roughly 0.059%. Windows 7 - TCP related packet counters includes (netstat -s”) a. Incoming packets b. Outgoing packets c. Number of packets

DESIGN AND IMPLEMENTATION OF TCP ATTACKS Attack Requirements Client-Side TCP Injection Passive TCP Hijacking Server-Side TCP Injection Active TCP Hijacking

ATTACK REQUIREMENTS Internet access to malware. Malware that can run in the background and read packet counters Ability of Malware to read the list of active TCP connections and their four tuples A predictable external port number if NAT is deployed

Client-SIDE TCP INJECTION Inject malicious data into a connection established by other apps. Challenge – May compete with the data sent from legitimate server.

PASSIVE TCP HIJACKING

SERVER-Side TCP INJECTION Attackers injects malicious payload into connection destined for server Straight forward : Combines Sequence number inference and attack

ACTIVE TCP HIJACKING

ATTACK IMPACT ANALYSIS FROM CASE STUDIES Facebook Javascript Injection Phishing Facebook Login Page Command Injection on Windows Live Messenger Restricted Facebook Login Page Hijack

SUCCESS RATE AND ANALYSIS OF THE ATTACKS Success rate for Facebook javascript injection when RTT=100ms is 87.5% Success rate for phishing Facebook Login Page : <50% With two nodes for latency values of 70ms and 100ms it increases to 62.5% and 82.5%. Windows Live Messenger - Command line injection was carried out using server- side TCP injection wherein adding friend or removing existing friend, changing status messages, sending messages to friends has been carried out with an inference time of around 2-3 seconds. Restricted Facebook Login page Hijack : The app indeed has a relationship with the target website so that the user will enter his password into the browser.

CONCLUSION The paper provides few defense strategies to avoid the attack. Always using SSL/TLS Removing unnecessary global data or only allow privileged programs to access such state. providing better isolation among resources

Questions ?

Thank YOU 