Presentation is loading. Please wait.

Presentation is loading. Please wait.

COLLABORATIVE TCP SEQUENCE NUMBER INFERENCE ATTACK

Published byJoan Lee Modified over 6 years ago

Similar presentations

Presentation on theme: "COLLABORATIVE TCP SEQUENCE NUMBER INFERENCE ATTACK"— Presentation transcript:

1 COLLABORATIVE TCP SEQUENCE NUMBER INFERENCE ATTACK
BY Zhiyun Qian, Z.Morley, MaoYinglian Xie Presented By: Yugendhar Reddy Sarabudla

2 Today’s AGENDA Introduction Background description
TCP Sequence Number Inference Attack Design and Implementation of TCP Attack Impact Analysis of an Attack from case studies Conclusion

3 TCP Introduction TCP - Most commonly used protocol over the internet
Built on top of Internet Protocol. Hence TCP/IP. Transmits bits of data in terms of IP packets Connection-oriented. Highly reliable for transmission of data. Receiver sends acknowledgement for the packets received, based on that re-transmission is done for failed packets

4 Understanding tCP Fields

5 The Three-Way Handshake
TCP utilizes many 1-bit boolean flags to maintain the state of the connection. The three fields that we are interested in are SYN : initiates a connection ACK : used to acknowledge received data FIN : terminates a connection

6 SEQUENCE AND ACKNOWLEDGEMENT NUMBERS
Sequence and Acknowledgement are two more fields of TCP header, used to track a connection’s packet These are different from “SYN flag” and “ACK flag” Both client and server of a TCP session maintains a 32-bit sequence number Sequence number is included in every packet that is sent and it is used to track the amount of data that has been sent When the opposite host receives a packet it send the sequence number as acknowledgement number to the sender, conforming that it received the packet.

7 The Three-Way Handshake
So TCP 3 way handshake is all about SYN—>SYN-ACK—>ACK. This 3 way handshake is one of the reason which makes TCP a reliable protocol.

8 Sequence and Acknowledgement numbers OBESERVaNCE

9 Background Description
TCP- Not originally designed for security, for years it has been patched to address various security holes Randomization of TCP’s initial sequence number (ISN), introduced in RFC 1948 was an important one. Proposed to guard against off-path spoofing attacks attempting to inject packets with forged source addresses Prevents easy prediction of ISN, by which arbitrarily inserted messages are likely to be discarded at the receiver due to invalid sequence numbers

10 Background Description
A function has been defined to obtain a unique random number using a 4 micro second timer M, which decreases the probability of guessing sequence number Below is the equation to generate ISN ISN = M + F(localhost, localport, remotehost, remoteport) F is the hash function

11 TCP SEQUENCE NUMBER INFERENCE ATTACK
Threat Model Packet Counter Side Channels TCP Incoming Packet Validation Sequence Number Dependent Counter in Linux Sequence Number Dependent Counter in Windows Sequence Number Dependent Counter in Mac/BSD

12 THREAT MODEL In Threat model, there are four main entities
The victim smartphone and a target application The legitimate server which communicates with victim smartphone using an unencrypted application layer (HTTP) The on-device malware, which doesn’t have privileges and cannot tamper other apps directly The off-path attacker, capable of spoofing the legitimate server IP address

13 THREAT MODEL- Work Flow
Attacker sends a probing packet to target and the malware residing in the target checks whether attacker has sent the correct sequence number or not and replies with a feedback

14 THREAT MODEL The off-path attacker needs the two piece of information
Four tuples of target connection i.e., source/destination IP address and source/destination port numbers Correct sequence number The on-device malware will be able to identify the current active tcp connection but not the sequence number that is in use

15 PACKET COUNTER SIDE CHANNELS
Provides indirect feedback on sequence number. Some of the processes could be used to attain this. ‘netstat –s’ => Extracts information The IPID side channel => A special form of packet counter to record outgoing packets.

16 TCP INCOMING PACKET VALIDATION
Five checks from referred source code in Linux Error check : MD5, Timestamp, Packet Length, Checksum Sequence Number check : seq_end >= X, seq <= X +rcv_win Ack Number check : Valid ACK -> [Y, Y+remaining_bytes] 0-payload check : If payload = 0, drop Retransmission check: If seq_end <= X, drop

17 TCP INCOMING PACKET VALIDATION

18 SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX
Problems with Previous attack (Phrack attack) Too Large : Required number of packets is too large Too Noisy : The counter that records the total number of outgoing packets is too noisy

19 SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX
Both the problems mentioned can be addressed by using “sequence-number-dependent packet counters”

20 SEQUENCE NUMBER DEPENDENT COUNTER IN LINUX
DelayedACKLost (Binary Search) DelayedACKLost (Four-way Search)

21 SEQUENCE NUMBER DEPENDENT COUNTER IN Mac/BSD
Findings of sequence dependent counters in BSD/Mac OS, they are. rcvduppack and rcvdupbyte rcvpackafterwin and rcvbyteafterwin rcvoopack and acvoobyte rcvdupack and rcvacktoomuch The first three pairs can be used to infer server-side sequence numbers. The last pair is used to determine the client-side sequence numbers.

22 SEQUENCE NUMBER DEPENDENT COUNTER IN WINDOWS
Windows OS doesn’t expose such sequence number dependent counters and are not vulnerable to the attack. Windows 7- TCP related packet counters includes (netstat -s”) a. Incoming packets b. Outgoing packets c. Number of packets These Packet counters do not leak sequence numbers directly.

23 Inference Performance Overhead
A sequence number inference is implemented on android and Mac OS. Top Figure - Tradeoff is that the fewer iterations an attacker wants, the more bytes he needs to send in total. Bottom Graph - Inference time increases as the RTT between attacker and client increases.

24 NOISNESS OF SEQUENCE-NUMBER Dependent Counters
Claim : Clean side channels that rarely increment, naturally even with background traffic. Running web pages playing You tube video in background. Probability that the counter increments due to noise and interference with one round of probing is roughly 0.059%. Windows 7 - TCP related packet counters includes (netstat -s”) a. Incoming packets b. Outgoing packets c. Number of packets

25 DESIGN AND IMPLEMENTATION OF TCP ATTACKS
Attack Requirements Client-Side TCP Injection Passive TCP Hijacking Server-Side TCP Injection Active TCP Hijacking

26 ATTACK REQUIREMENTS Internet access to malware.
Malware that can run in the background and read packet counters Ability of Malware to read the list of active TCP connections and their four tuples A predictable external port number if NAT is deployed

27 Client-SIDE TCP INJECTION
Inject malicious data into a connection established by other apps. Challenge – May compete with the data sent from legitimate server.

28 PASSIVE TCP HIJACKING

29 SERVER-Side TCP INJECTION
Attackers injects malicious payload into connection destined for server Straight forward : Combines Sequence number inference and attack

30 ACTIVE TCP HIJACKING

31 ATTACK IMPACT ANALYSIS FROM CASE STUDIES
Facebook Javascript Injection Phishing Facebook Login Page Command Injection on Windows Live Messenger Restricted Facebook Login Page Hijack

32 SUCCESS RATE AND ANALYSIS OF THE ATTACKS
Success rate for Facebook javascript injection when RTT=100ms is 87.5% Success rate for phishing Facebook Login Page : <50% With two nodes for latency values of 70ms and 100ms it increases to 62.5% and 82.5%. Windows Live Messenger - Command line injection was carried out using server- side TCP injection wherein adding friend or removing existing friend, changing status messages, sending messages to friends has been carried out with an inference time of around 2-3 seconds. Restricted Facebook Login page Hijack : The app indeed has a relationship with the target website so that the user will enter his password into the browser.

33 CONCLUSION The paper provides few defense strategies to avoid the attack. Always using SSL/TLS Removing unnecessary global data or only allow privileged programs to access such state. providing better isolation among resources

34 Questions ?

35 Thank YOU 

Download ppt "COLLABORATIVE TCP SEQUENCE NUMBER INFERENCE ATTACK"

Similar presentations

Module X Session Hijacking

Module X Session Hijacking
SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.

SPATor: Improving Tor Bridges with Single Packet Authorization Paper Presentation by Carlos Salazar.
CISCO NETWORKING ACADEMY Chabot College ELEC 99.05 Transport Layer (4)

CISCO NETWORKING ACADEMY Chabot College ELEC Transport Layer (4)
TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
CCNA – Network Fundamentals

CCNA – Network Fundamentals
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 OSI Transport Layer Network Fundamentals – Chapter 4.
Intermediate TCP/IP TCP Operation.

Intermediate TCP/IP TCP Operation.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.

1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
Chapter 7 – Transport Layer Protocols

Chapter 7 – Transport Layer Protocols
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.

TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Gursharan Singh Tatla Transport Layer 16-May-2011 1

Gursharan Singh Tatla Transport Layer 16-May
Process-to-Process Delivery:

Process-to-Process Delivery:
TRANSPORT LAYER T.Najah Al-Subaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.

TRANSPORT LAYER T.Najah Al-Subaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
Zhiyun Qian, Zhuoqing Morley Mao University of Michigan 33 rd Security & Privacy (May, 2012)

Zhiyun Qian, Zhuoqing Morley Mao University of Michigan 33 rd Security & Privacy (May, 2012)

Similar presentations

Ads by Google