
Published on May 24th, 2012


Off-Path TCP Sequence Number Inference Attack
How Firewall Middleboxes Reduce Security

In this paper, we report a newly discovered "off-path TCP sequence number inference" attack enabled by firewall middleboxes. It allows an off-path (i.e., not man-in-the-middle) attacker to hijack a TCP connection and inject malicious content, effectively granting the attacker write-only permission on the connection. For instance, with the help of unprivileged malware, we demonstrate that a successful attack can hijack an HTTP session and return a phishing Facebook login page in response to a request issued by a browser. With the same mechanisms, it is also possible to inject malicious JavaScript to post tweets or follow other people on behalf of the victim. The TCP sequence number inference attack is mainly enabled by sequence-number-checking firewall middleboxes. Through carefully designed and well-timed probing, the TCP sequence number state kept on the firewall middlebox can be leaked to an off-path attacker. We found such firewall middleboxes to be very popular in cellular networks — at least 31.5% of the 149 measured networks deploy such firewalls. Finally, since the sequence-number-checking feature is enabled by design, it is unclear how to mitigate the problem easily.
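The abstract says the leak is driven by "carefully designed and well-timed probing" of a flow's sequence number state. From a monitoring point of view, such probing has a signature that a normally advancing TCP connection never produces: a burst of segments aimed at one 4-tuple whose sequence numbers are scattered across a large part of the 32-bit space within a short interval. The following is an added example, not code from the paper or its authors; the log format, the flow records and the thresholds (window length, packet count, minimum spread) are all constructed for illustration and are not measurements from the paper. It also handles the one edge case that trips a naive version of this check: a legitimate flow whose sequence numbers wrap around 2^32 looks like a huge spread unless the spread is measured on the circle.

```python
"""Illustrative detector for sequence-number probing aimed at a TCP flow.

Added example, not from the paper. Flags a 4-tuple that receives a burst of
segments whose sequence numbers cover a large arc of the 32-bit space in a
short time window. Log format, sample records and thresholds are constructed.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

SEQ_SPACE = 2 ** 32


class Packet(NamedTuple):
    ts: float   # seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int    # raw 32-bit TCP sequence number


FlowKey = Tuple[str, int, str, int]

# Constructed sample log, format: "<ts> <src>:<sport> > <dst>:<dport> seq=<n>".
# Flow A: ordinary download, sequence numbers advancing by 1448 per segment.
# Flow B: ordinary flow whose sequence numbers wrap around 2^32 (must NOT fire).
# Flow C: burst of scattered sequence numbers toward one flow (should fire).
SAMPLE_LOG = """\
0.000 203.0.113.5:443 > 192.0.2.10:51000 seq=1000
0.010 203.0.113.5:443 > 192.0.2.10:51000 seq=2448
0.020 203.0.113.5:443 > 192.0.2.10:51000 seq=3896
0.030 203.0.113.5:443 > 192.0.2.10:51000 seq=5344
0.040 203.0.113.5:443 > 192.0.2.10:51000 seq=6792
0.050 203.0.113.5:443 > 192.0.2.10:51000 seq=8240
0.060 203.0.113.5:443 > 192.0.2.10:51000 seq=9688
0.070 203.0.113.5:443 > 192.0.2.10:51000 seq=11136
0.080 203.0.113.5:443 > 192.0.2.10:51000 seq=12584
0.090 203.0.113.5:443 > 192.0.2.10:51000 seq=14032
0.100 198.51.100.7:80 > 192.0.2.10:52000 seq=0
0.120 198.51.100.7:80 > 192.0.2.10:52000 seq=2147483648
0.140 198.51.100.7:80 > 192.0.2.10:52000 seq=1073741824
0.160 198.51.100.7:80 > 192.0.2.10:52000 seq=3221225472
0.180 198.51.100.7:80 > 192.0.2.10:52000 seq=536870912
0.200 198.51.100.7:80 > 192.0.2.10:52000 seq=1610612736
0.220 198.51.100.7:80 > 192.0.2.10:52000 seq=2684354560
0.240 198.51.100.7:80 > 192.0.2.10:52000 seq=3758096384
0.500 203.0.113.9:443 > 192.0.2.10:51001 seq=4294960000
0.510 203.0.113.9:443 > 192.0.2.10:51001 seq=4294961448
0.520 203.0.113.9:443 > 192.0.2.10:51001 seq=4294962896
0.530 203.0.113.9:443 > 192.0.2.10:51001 seq=4294964344
0.540 203.0.113.9:443 > 192.0.2.10:51001 seq=4294965792
0.550 203.0.113.9:443 > 192.0.2.10:51001 seq=4294967240
0.560 203.0.113.9:443 > 192.0.2.10:51001 seq=1392
0.570 203.0.113.9:443 > 192.0.2.10:51001 seq=2840
"""


def parse_line(line: str) -> Packet:
    """Parse one constructed-format record into a Packet."""
    ts, src, _arrow, dst, seqpart = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Packet(float(ts), sip, int(sport), dip, int(dport),
                  int(seqpart.split("=", 1)[1]))


def parse_log(text: str) -> List[Packet]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def seq_spread(seqs: List[int]) -> int:
    """Smallest arc of the 32-bit sequence circle that covers all values.

    Measuring on the circle (rather than max - min) keeps a legitimate flow
    that wraps past 2^32 from looking like a scatter across the whole space.
    """
    s = sorted(set(seqs))
    if len(s) < 2:
        return 0
    gaps = [b - a for a, b in zip(s, s[1:])]
    gaps.append(s[0] + SEQ_SPACE - s[-1])  # gap across the wrap point
    return SEQ_SPACE - max(gaps)


def find_probing(packets: List[Packet], window_s: float = 2.0,
                 min_packets: int = 8,
                 min_spread: int = 2 ** 30) -> Dict[FlowKey, Tuple[int, int]]:
    """Return {flow: (packets_in_window, spread)} for flows that look probed.

    A flow is flagged when, within any window_s-second interval, at least
    min_packets segments arrive whose sequence numbers span min_spread or more
    of the sequence space (thresholds are illustrative assumptions).
    """
    flows: Dict[FlowKey, List[Packet]] = defaultdict(list)
    for p in packets:
        flows[(p.src, p.sport, p.dst, p.dport)].append(p)
    hits: Dict[FlowKey, Tuple[int, int]] = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda p: p.ts)
        start = 0
        for end in range(len(pkts)):
            while pkts[end].ts - pkts[start].ts > window_s:
                start += 1  # slide the window forward in time
            win = pkts[start:end + 1]
            if len(win) >= min_packets:
                spread = seq_spread([p.seq for p in win])
                if spread >= min_spread:
                    hits[key] = (len(win), spread)
                    break
    return hits


if __name__ == "__main__":
    for flow, (n, spread) in find_probing(parse_log(SAMPLE_LOG)).items():
        print(f"possible sequence-number probing: {flow} ({n} pkts, spread {spread})")
```

On the sample, only the 198.51.100.7:80 > 192.0.2.10:52000 flow is reported; the two ordinary flows, including the one that wraps past 2^32, stay quiet because their circular spread is a few kilobytes. The thresholds are starting points, not tuned values: a bulk transfer on a fast link legitimately advances the sequence number by far more than a probing burst does per segment, so the spread threshold should be set against the bandwidth actually seen on the monitored path.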
