COLLABORATIVE TCP SEQUENCE NUMBER INFERENCE ATTACK

Presentation transcript:

COLLABORATIVE TCP SEQUENCE NUMBER INFERENCE ATTACK
By Zhiyun Qian, Z. Morley Mao, Yinglian Xie
Presented by: Yugendhar Reddy Sarabudla

Today's AGENDA
- Introduction
- Background description
- TCP Sequence Number Inference Attack
- Design and Implementation of TCP Attacks
- Impact Analysis of the Attack from Case Studies
- Conclusion

TCP Introduction
- TCP is the most commonly used transport protocol on the Internet.
- It is built on top of the Internet Protocol, hence "TCP/IP".
- It transmits data as a byte stream carried in IP packets.
- It is connection-oriented and highly reliable for data transmission.
- The receiver sends acknowledgements for the packets it receives; based on these, packets that failed to arrive are retransmitted.

Understanding TCP Fields

The Three-Way Handshake
TCP uses several 1-bit boolean flags to maintain the state of a connection. The three flags we are interested in are:
- SYN: initiates a connection
- ACK: acknowledges received data
- FIN: terminates a connection

SEQUENCE AND ACKNOWLEDGEMENT NUMBERS
- Sequence and acknowledgement numbers are two more fields of the TCP header, used to track the packets of a connection.
- They are distinct from the SYN flag and the ACK flag.
- Both the client and the server of a TCP session maintain a 32-bit sequence number.
- The sequence number is included in every packet sent and is used to track how much data has been sent.
- When the other host receives a packet, it sends back an acknowledgement number derived from the received sequence number, confirming that it received the packet.

The Three-Way Handshake
So the TCP three-way handshake is SYN -> SYN-ACK -> ACK. This handshake is one of the reasons TCP is a reliable protocol.

Sequence and Acknowledgement Numbers: Observation

Background Description
- TCP was not originally designed with security in mind; for years it has been patched to address various security holes.
- Randomization of TCP's initial sequence number (ISN), introduced in RFC 1948, was an important one.
- It was proposed to guard against off-path spoofing attacks that attempt to inject packets with forged source addresses.
- It prevents easy prediction of the ISN, so arbitrarily inserted messages are likely to be discarded at the receiver because their sequence numbers are invalid.

Background Description
- A function was defined to obtain a unique, hard-to-guess ISN using a 4-microsecond timer M, which decreases the probability of guessing the sequence number.
- The equation for generating the ISN is:
  ISN = M + F(localhost, localport, remotehost, remoteport)
- F is a hash function.
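The ISN formula above, carried through in working Python as an added example (this is not code from the presentation or from the paper it summarises). M is the RFC 793 clock that ticks every 4 microseconds, and F is MD5 over the four-tuple. RFC 1948 also mixes a secret into F, which the slide does not mention; the example includes one, since without it anyone who knows the four-tuple could recompute F. The address/port encoding fed to the hash and the `isn_gap` helper are this example's own choices.

```python
import hashlib
import os
import struct
import time

MASK32 = 0xFFFFFFFF

# Per-boot secret (RFC 1948): knowing a connection's four-tuple alone must not
# be enough to recompute F for it. Kept in memory, never sent on the wire.
BOOT_SECRET = os.urandom(16)


def tick_4us(now_ns=None):
    """M: the RFC 793 clock, incremented once every 4 microseconds, kept to 32 bits."""
    if now_ns is None:
        now_ns = time.monotonic_ns()
    return (now_ns // 4000) & MASK32


def f_hash(local_host, local_port, remote_host, remote_port, secret=BOOT_SECRET):
    """F: hash of the connection identifier plus the secret (MD5, as RFC 1948 suggests).

    The "host|port|host|port" encoding is this example's own convention, not the RFC's.
    """
    msg = f"{local_host}|{local_port}|{remote_host}|{remote_port}".encode() + secret
    digest = hashlib.md5(msg).digest()
    return struct.unpack("<I", digest[:4])[0]


def isn(local_host, local_port, remote_host, remote_port, m=None, secret=BOOT_SECRET):
    """ISN = M + F(localhost, localport, remotehost, remoteport), modulo 2^32."""
    if m is None:
        m = tick_4us()
    return (m + f_hash(local_host, local_port, remote_host, remote_port, secret)) & MASK32


def isn_gap(tuple_a, tuple_b, m, secret=BOOT_SECRET):
    """Distance between the ISNs two connections receive at the same tick M.

    With RFC 793's clock alone the gap is 0 (same clock, same ISN); with F mixed
    in it is the difference of two unrelated hash outputs, so one connection's
    ISN says nothing about another's.
    """
    a = isn(*tuple_a, m=m, secret=secret)
    b = isn(*tuple_b, m=m, secret=secret)
    return (a - b) & MASK32


if __name__ == "__main__":
    # Constructed sample connections; the addresses are placeholders.
    conn1 = ("10.0.0.2", 40000, "203.0.113.10", 80)
    conn2 = ("10.0.0.2", 40001, "203.0.113.10", 80)
    m = tick_4us()
    print("ISN conn1:", hex(isn(*conn1, m=m)))
    print("ISN conn2:", hex(isn(*conn2, m=m)))
    print("gap at the same tick:", isn_gap(conn1, conn2, m))
```

Within one four-tuple the ISN still advances with M, which is the property RFC 1948 keeps from RFC 793 so that old segments from a previous incarnation of the same connection are not mistaken for new ones; the secret only removes the cross-connection predictability.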

TCP SEQUENCE NUMBER INFERENCE ATTACK
- Threat Model
- Packet Counter Side Channels
- TCP Incoming Packet Validation
- Sequence Number Dependent Counter in Linux
- Sequence Number Dependent Counter in Windows
- Sequence Number Dependent Counter in Mac/BSD

THREAT MODEL
The threat model has four main entities:
- The victim smartphone and a target application.
- The legitimate server, which communicates with the victim smartphone over an unencrypted application-layer protocol (HTTP).
- The on-device malware, which has no privileges and cannot tamper with other apps directly.
- The off-path attacker, capable of spoofing the legitimate server's IP address.

THREAT MODEL - Work Flow
The attacker sends a probing packet to the target; the malware residing on the target checks whether the attacker sent the correct sequence number and replies with feedback.

THREAT MODEL
The off-path attacker needs two pieces of information:
- The four-tuple of the target connection, i.e., the source/destination IP addresses and source/destination port numbers.
- The correct sequence number.
The on-device malware can identify the currently active TCP connection but not the sequence number in use.

PACKET COUNTER SIDE CHANNELS
Packet counters provide indirect feedback about the sequence number. Two sources can be used to obtain this feedback:
- 'netstat -s' => extracts the per-protocol packet counters.
- The IPID side channel => a special form of packet counter that records outgoing packets.

TCP INCOMING PACKET VALIDATION
Five checks from the referenced Linux source code (X is the receiver's next expected sequence number):
- Error check: MD5, timestamp, packet length, checksum.
- Sequence number check: seq_end >= X and seq <= X + rcv_win.
- ACK number check: valid ACK -> [Y, Y + remaining_bytes].
- 0-payload check: if payload = 0, drop.
- Retransmission check: if seq_end <= X, drop.

TCP INCOMING PACKET VALIDATION
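A model of the five-check validation order above, written for this page as an added example; it is not the presentation's code and not the Linux implementation, only a readable rendering of the checks as the slide lists them. Comparisons use the wrap-around arithmetic of the 32-bit sequence space, and the ACK range is taken as [snd_una, snd_nxt], which is this example's reading of the slide's "[Y, Y + remaining_bytes]". Check 1 (MD5, timestamp, length, checksum) is assumed to have passed. The point for a defender: for a fixed four-tuple the outcome depends only on where seq falls relative to X, so any per-outcome observable (a counter, for instance) is a side channel on X.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def seq_before(a, b):
    """True when a precedes b in the 32-bit circular sequence space (Linux before())."""
    return ((a - b) & MASK32) >= 0x80000000


def seq_before_eq(a, b):
    """True when a is at or before b in the circular sequence space."""
    return not seq_before(b, a)


@dataclass
class ReceiverState:
    rcv_nxt: int  # X on the slide: next byte the receiver expects
    rcv_wnd: int  # advertised receive window size
    snd_una: int  # oldest byte sent by this side that is not yet acknowledged
    snd_nxt: int  # next byte this side will send; ACKs beyond it are invalid


@dataclass
class Segment:
    seq: int
    ack: int
    payload_len: int


def validate_incoming(st, seg):
    """Classify a segment by the first of checks 2-5 that rejects it, else accept it."""
    seq_end = (seg.seq + seg.payload_len) & MASK32
    x = st.rcv_nxt
    win_end = (x + st.rcv_wnd) & MASK32
    # 2. Sequence check: the segment must overlap [X, X + rcv_win].
    if seq_before(seq_end, x) or seq_before(win_end, seg.seq):
        return "out_of_window"
    # 3. ACK check: the ACK must lie inside [snd_una, snd_nxt] (assumed reading of [Y, Y+remaining]).
    if seq_before(seg.ack, st.snd_una) or seq_before(st.snd_nxt, seg.ack):
        return "invalid_ack"
    # 4. Zero-payload check.
    if seg.payload_len == 0:
        return "empty_payload"
    # 5. Retransmission check: data ending at or before X has already been received.
    if seq_before_eq(seq_end, x):
        return "retransmission"
    return "accept"


def classify_all(st, segments):
    """Run the checks over a batch and return the outcome of each segment, in order."""
    return [validate_incoming(st, s) for s in segments]


if __name__ == "__main__":
    # Constructed receiver state and probe-like segments with a valid ACK.
    st = ReceiverState(rcv_nxt=1000, rcv_wnd=100, snd_una=5000, snd_nxt=5100)
    for s in [Segment(500, 5050, 10), Segment(990, 5050, 10),
              Segment(1000, 5050, 10), Segment(1200, 5050, 10)]:
        print(s, "->", validate_incoming(st, s))
```

The same ACK and payload produce "out_of_window", "retransmission" or "accept" purely as a function of seq versus X; that is why the paper's counters, which increment in some of these branches and not others, reveal X to anyone who can read them.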

SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX
Problems with the previous attack (the Phrack attack):
- Too large: the required number of packets is too large.
- Too noisy: the counter that records the total number of outgoing packets is too noisy.

SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX
Both problems can be addressed by using "sequence-number-dependent packet counters".

SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX
- DelayedACKLost (binary search)
- DelayedACKLost (four-way search)

SEQUENCE NUMBER DEPENDENT COUNTER IN Mac/BSD
The sequence-number-dependent counters found in BSD/Mac OS are:
- rcvduppack and rcvdupbyte
- rcvpackafterwin and rcvbyteafterwin
- rcvoopack and rcvoobyte
- rcvdupack and rcvacktoomuch
The first three pairs can be used to infer server-side sequence numbers. The last pair is used to determine client-side sequence numbers.

SEQUENCE NUMBER DEPENDENT COUNTER IN WINDOWS
- Windows does not expose such sequence-number-dependent counters and is not vulnerable to the attack.
- On Windows 7, the TCP-related packet counters (from "netstat -s") include:
  a. Incoming packets
  b. Outgoing packets
  c. Number of packets
- These packet counters do not leak sequence numbers directly.

Inference Performance Overhead
Sequence number inference was implemented on Android and Mac OS.
- Top figure: the tradeoff is that the fewer iterations an attacker wants, the more bytes he needs to send in total.
- Bottom graph: inference time increases as the RTT between attacker and client increases.

NOISINESS OF SEQUENCE-NUMBER-DEPENDENT COUNTERS
- Claim: these are clean side channels that rarely increment naturally, even with background traffic.
- Measured while browsing web pages with a YouTube video playing in the background.
- The probability that the counter increments due to noise and interferes with one round of probing is roughly 0.059%.
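The two preceding slides make the defender's case for the Packet Counter Side Channels slide: a counter that almost never moves under normal traffic (DelayedACKLost, per the Linux slides) but that an inference round must drive in bursts is itself a detectable signal. This added example (not the presentation's or the paper's code) parses the Linux /proc/net/netstat format, which `netstat -s` reads, and flags watched counters whose increment rate between two snapshots exceeds a baseline. The two snapshots are constructed and abridged (the real file has many more columns), and the 5-per-second baseline is an assumed threshold chosen for the example, not a value from the paper.

```python
# Constructed, abridged snapshots in /proc/net/netstat layout: a names line
# followed by a values line per prefix. Taken 10 seconds apart in this example.
SNAPSHOT_T0 = """\
TcpExt: SyncookiesSent SyncookiesRecv DelayedACKs DelayedACKLocked DelayedACKLost
TcpExt: 0 0 1532 3 17
IpExt: InNoRoutes InTruncatedPkts OutOctets
IpExt: 0 0 88123456
"""

SNAPSHOT_T1 = """\
TcpExt: SyncookiesSent SyncookiesRecv DelayedACKs DelayedACKLocked DelayedACKLost
TcpExt: 0 0 1540 3 1219
IpExt: InNoRoutes InTruncatedPkts OutOctets
IpExt: 0 0 88223456
"""

# Counters the page identifies as sequence-number-dependent on Linux.
WATCHED = ("TcpExt.DelayedACKLost",)


def parse_netstat(text):
    """Parse /proc/net/netstat text into {"Prefix.Name": value}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("names/values lines must come in pairs")
    counters = {}
    for names_line, values_line in zip(lines[0::2], lines[1::2]):
        prefix, names = names_line.split(":", 1)
        vprefix, values = values_line.split(":", 1)
        if prefix != vprefix:
            raise ValueError(f"prefix mismatch: {prefix!r} vs {vprefix!r}")
        names, values = names.split(), values.split()
        if len(names) != len(values):
            raise ValueError(f"{prefix}: {len(names)} names but {len(values)} values")
        for name, value in zip(names, values):
            counters[f"{prefix}.{name}"] = int(value)
    return counters


def counter_deltas(before, after):
    """Per-counter increase between two snapshots (negative means the counter reset)."""
    return {k: after[k] - before[k] for k in after if k in before}


def flag_bursts(deltas, interval_s, watched=WATCHED, max_rate_per_s=5.0):
    """Return {counter: increments per second} for watched counters above the baseline.

    max_rate_per_s is an assumed threshold; the page's claim is only that these
    counters rarely increment under normal traffic.
    """
    alerts = {}
    for name in watched:
        delta = deltas.get(name, 0)
        if delta < 0:          # counter reset or reboot between snapshots; skip this interval
            continue
        rate = delta / interval_s
        if rate > max_rate_per_s:
            alerts[name] = rate
    return alerts


if __name__ == "__main__":
    before, after = parse_netstat(SNAPSHOT_T0), parse_netstat(SNAPSHOT_T1)
    deltas = counter_deltas(before, after)
    print("deltas over 10 s:", {k: v for k, v in deltas.items() if v})
    print("alerts:", flag_bursts(deltas, interval_s=10.0))
```

On a live host the two snapshots would come from reading /proc/net/netstat at an interval; the same parser applies, since that is the file `netstat -s` summarises. The example watches DelayedACKLost only because that is the counter the Linux slides name; the BSD counters listed on the Mac/BSD slide are exposed through a different `netstat -s` text format and would need their own parser.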

DESIGN AND IMPLEMENTATION OF TCP ATTACKS
- Attack Requirements
- Client-Side TCP Injection
- Passive TCP Hijacking
- Server-Side TCP Injection
- Active TCP Hijacking

ATTACK REQUIREMENTS
- Internet access for the malware.
- Malware that can run in the background and read packet counters.
- The ability of the malware to read the list of active TCP connections and their four-tuples.
- A predictable external port number if NAT is deployed.

Client-SIDE TCP INJECTION
- Injects malicious data into a connection established by another app.
- Challenge: the injected data may compete with data sent from the legitimate server.

PASSIVE TCP HIJACKING

SERVER-Side TCP INJECTION
- The attacker injects a malicious payload into a connection destined for the server.
- Straightforward: combines sequence number inference with the injection itself.

ACTIVE TCP HIJACKING

ATTACK IMPACT ANALYSIS FROM CASE STUDIES
- Facebook JavaScript Injection
- Phishing Facebook Login Page
- Command Injection on Windows Live Messenger
- Restricted Facebook Login Page Hijack

SUCCESS RATE AND ANALYSIS OF THE ATTACKS
- Success rate for Facebook JavaScript injection when RTT = 100 ms: 87.5%.
- Success rate for phishing the Facebook login page: < 50%. With two nodes at latency values of 70 ms and 100 ms, it increases to 62.5% and 82.5%.
- Windows Live Messenger: command injection was carried out using server-side TCP injection, whereby adding a friend, removing an existing friend, changing status messages and sending messages to friends were all carried out with an inference time of around 2-3 seconds.
- Restricted Facebook login page hijack: the app indeed has a relationship with the target website, so the user will enter his password into the browser.

CONCLUSION
The paper provides a few defense strategies to avoid the attack:
- Always use SSL/TLS.
- Remove unnecessary global data, or only allow privileged programs to access such state.
- Provide better isolation among resources.

Questions ?

Thank you