Off-Path TCP Sequence Number Inference Attack
How Firewall Middleboxes Reduce Security
Abstract
In this paper, we report a newly discovered “off-path TCP sequence number inference” attack enabled by firewall middleboxes. It allows an off-path (i.e., not man-in-the-middle) attacker to hijack a TCP connection and inject malicious content, effectively granting the attacker write-only permission on the connection. For instance, with the help of unprivileged malware, we demonstrate that a successful attack can hijack an HTTP session and return a phishing Facebook login page issued by a browser. With the same mechanisms, it is also possible to inject malicious JavaScript to post tweets or follow other people on behalf of the victim. The TCP sequence number inference attack is mainly enabled by the sequence-number-checking firewall middleboxes. Through carefully-designed and well-timed probing, the TCP sequence number state kept on the firewall middlebox can be leaked to an off-path attacker. We found such firewall middleboxes to be very popular in cellular networks — at least 31.5% of the 149 measured networks deploy such firewalls. Finally, since the sequence-number-checking feature is enabled by design, it is unclear how to mitigate the problem easily.
Download PDF: https://web.eecs.umich.edu/~zhiyunq/tcp_sequence_number_inference