Reflection Scan: an Off-Path Attack on TCP

Jan Wróbel
[email protected]

arXiv:1201.2074v2 [cs.CR] 24 Jan 2012

Abstract

The paper demonstrates how the traffic load of a shared packet queue can be exploited as a side channel through which protected information leaks to an off-path attacker. The attacker sends to a victim a sequence of identical spoofed segments. The victim responds to each segment in the sequence (the sequence is reflected by the victim) if the segments satisfy a certain condition tested by the attacker. The responses do not reach the attacker directly, but induce extra load on a routing queue shared between the victim and the attacker. The increased processing time of packets traversing the queue reveals that the tested condition was true. The paper concentrates on TCP, but the approach is generic and can be effective against other protocols that allow requests to be constructed which are conditionally answered by the victim. A proof of concept was created to assess the applicability of the method in real-life scenarios.

1 Introduction

The TCP protocol without an additional encryption and authentication layer is inherently vulnerable to man-in-the-middle attacks. An attacker that has a way to intercept network traffic between TCP endpoints can easily read and alter the communication. Off-path attacks, in which the attacker cannot intercept network traffic, are much harder to execute. Over the years several weaknesses in the protocol or in particular implementations that made off-path attacks easier were disclosed. The protocol specification was improved and many vendors fixed their implementations to close the discovered holes. A TCP connection between hosts that implement the newest recommendations ([3], [4], [5]) is believed to be reasonably well protected against off-path attacks.

A TCP session is protected by three secret numbers: a 16-bit ephemeral port and two 32-bit sequence numbers, one for each side of the connection. Other fields, such as the IP addresses of the endpoints and a server port, are easy to determine in many scenarios. Each TCP segment exchanged within an established connection carries all three secret values. For a segment to be accepted, it must contain a correct ephemeral port number, its sequence number must be within the receiver's window and the sequence number the segment is acknowledging (acknowledge number) must be acceptable. According to the recent recommendations, an ephemeral port should be randomly picked from the 1025-65535 range and an acknowledge number should be accepted only if it is equal to the next octet to be sent or lower by at most 'largest sender window seen'. If an endpoint follows these recommendations, the attacker needs

$$\frac{(2^{16}-1025)\times 2^{32}\times 2^{32}}{\text{window size}_A \times \text{window size}_B}$$

attempts to generate an acceptable segment. Assuming both windows have 65kB, about $2^{48}$ attempts are needed. If the endpoint follows strict RST validation rules, which require an RST segment to have a sequence number equal to the next expected sequence number, the attacker needs $(2^{16}-1025)\times 2^{32}$ attempts to blindly reset the connection, which is also about $2^{48}$. The number is large enough to make blind attacks impractical in most scenarios. The attacker would need to push segments for 500 hours at a 100Gb/s rate to have one segment accepted. Even if a segment is accepted, the probability that it lines up with the start of a window is only $1/\text{window size}$. Thus, a successful blind attack can corrupt or reset the session, but it has low chances of inserting a meaningful payload in the correct place.

While the risk of accepting spoofed TCP segments as valid is recognized and well studied, the recommendations and implementations overlook the risk of responding to rejected segments. A TCP layer can either silently drop a rejected segment or respond to it (with an ACK or an RST). The action to perform differs between different implementations of the protocol.
It was originally specified in the 'Event Processing' section of RFC 793 [1], but new systems, especially firewalls, do not fully follow the RFC and implement stricter filtering rules, as for example described in [2]. These new rules are carefully specified to preserve interoperability between different implementations.

If for a particular TCP implementation a conditional response to a rejected segment depends on one of the secret values set in the segment, and if an attacker can discover that a system responded to a spoofed segment, the TCP session can be compromised. The attacker can determine whether a tested secret value satisfied a certain condition (an ephemeral port was correct, a sequence number was in window, an acknowledge number was acceptable). The secrets can be revealed in separate steps, each of which requires relatively small resources.

Congestion of a queue shared between the off-path attacker and the targeted TCP stream is a side channel through which the attacker can determine if the TCP layer responded to spoofed segments. Detecting the negligible load caused by a single response would be hard in practice, but the attacker can send a sequence of segments of any desired length. If each segment from the sequence is answered, the answers can cause a substantial traffic spike or even queue overflow. Figure 1 illustrates the technique.

[Figure 1: diagram of the high level attack scheme; the image is not reproduced here.]

Figure 1: High level attack scheme. The attacker sends a query to the victim in the form of a sequence of spoofed segments. If the answer to the query is positive, the victim responds with a sequence of segments addressed to its peer. At the same time, the attacker sends ping probes that share an outbound queue with segments from the victim. Increased round trip time reveals the positive answer to the query.

2 Related work

A high correlation between the traffic patterns of users sharing a routing resource was demonstrated in [6]. The authors monitored the ping round trip time to a router that connected a user to the Internet and compared the measurements with the traffic patterns generated by the user's online activities. In this technique the eavesdropper was passive and did not send any packets to trigger traffic spikes and gain additional information.

The attack described in this paper shares a lot of similarities with well known off-path techniques that exploit weak implementations of the IP ID generation mechanism. Some legacy systems increase the ID field of subsequent IP packets that leave a machine by one. This provides a side channel to determine if a host sent a packet in response to incoming traffic. The channel can be used to perform stealth port scans [7] or to execute off-path attacks against established TCP connections [8]. Contrary to the technique described in this paper, the exploitation of the IP ID channel requires an attacker to establish a legitimate, bidirectional communication channel to a vulnerable host. Today firewalls commonly disallow the creation of such channels to client machines. This document concentrates on compromising a TCP session, but the technique can also be used to perform a stealth port scan analogous to the one described in [7].

The authors of [9] showed that the TCP congestion control mechanism can be exploited by a malicious receiver to improve the performance of his/her connection at the cost of others. The applicability of such a technique for a Denial of Service attack was studied in [10]. In a simulated environment the authors were able to significantly decrease the bandwidth of participating TCP connections. Security Assessment of the TCP [5] explains that such attacks can be executed blindly by an off-path attacker. The congestion control mechanism is driven by ACK segments, and the TCP layer can be easily tricked into generating ACKs by spoofed segments with incorrect sequence numbers.

3 Requirements and applicability

As in the case of most off-path attacks, the attacker must be able to send spoofed IP packets to one end of the targeted connection. It is also assumed that the IP addresses of both ends and the port number of a server are known to the attacker. Throughout the paper, the end point to which spoofed segments are addressed is called 'the victim'; the second end point is called 'the victim's peer'.

In addition to these usual requirements, the attacker must be able to send legitimate traffic probes through (or to) one of the machines (a router or an endpoint) on the path of the targeted TCP traffic. Ideally, the machine should be a bottleneck for the TCP connection. As described in [6], a good candidate is an edge router connecting the victim to the Internet. The probes can be ICMP pings, but also segments exchanged within a legitimate TCP connection, anything that allows changes in the traffic load of the bottleneck to be detected.

There are various factors that influence the applicability of the attack:

• Available bandwidth and time. The bigger the bandwidth between the attacker and the victim the better. The smaller the bandwidth between the victim and its peer the better.
• Bottleneck's natural traffic patterns. The attack is harder if the traffic traversing the bottleneck is large or has variable characteristics.
• Network topology. The attack is easier if spoofed segments from the attacker to the victim do not traverse the bottleneck, and thus do not disturb the traffic probes sent by the attacker.
• Bottleneck's queuing policy. Good isolation of traffic coming from different users can impede the attack.
• Traffic measuring and analyzing technique. Advanced techniques can increase the attack feasibility in adverse scenarios.

It is beyond the scope of this paper to determine the practical limits of the technique. The results of the performed experiments can provide a reference point for analyzing the applicability of the attack in different scenarios. The proof of concept can be used as a starting point for further experiments. The attack requires much fewer resources than a truly blind off-path attack, but the requirements are still significant enough to make it impractical in many real-life scenarios.

4 Experimental setup

The experiments were performed in conditions favorable for the attacker, but not improbable. The attacker was sharing an edge router with the victim. The router had a 2500kb/s downlink and a 320kb/s uplink connection to the Internet. The attacker was connected to the victim with a 100Mb/s link, but did not have direct access to the victim's traffic. Three different scenarios were considered:

• Idle TCP connection with negligible natural traffic traversing the bottleneck. This scenario was the easiest one; the induced responses constituted a substantial part of the bottleneck's traffic.
• The victim downloading data at full speed (saturated downlink).
• The victim uploading data at full speed (saturated uplink).

The attacker sent ping requests to a router one hop beyond the edge router. This ensured that ping packets and the segments sent by the victim in response to spoofed traffic shared an outgoing queue of the edge router. When the link to the outside world was idle, the ping Round Trip Time was about 20ms; when the link was saturated, the RTT increased to about 700ms.

Two systems were analyzed: Windows XP SP3 with firewall enabled and Linux 3.0.0. Linux had the Netfilter firewall enabled with the following commands:

    iptables -A INPUT -m state \
        --state ESTABLISHED -j ACCEPT;
    iptables -A INPUT -j DROP;

This is a common configuration for a client machine. All incoming traffic that is not directed to connections initiated by the protected machine is dropped.

The two tested systems implement different rules for processing TCP segments. To determine how a host protected by a firewall responds to an incoming segment, two steps need to be analyzed: is the firewall going to drop the segment and, if not, how is the TCP layer going to handle the segment? The differences between the two tested systems come from the first step: Netfilter imposes stricter filtering rules ([2]) than the Windows XP firewall. The second step for both systems is the same (in respect to the processing rules exploited by the attack) and closely follows RFC 793. The processing rules that are important from the attack perspective are briefly explained in the following sections.

The proof of concept that was used to obtain the experimental results can be found at [16]. The paper does not discuss low level details of the implementation; an interested reader is encouraged to study the documentation accompanying the code. It is important to note that no bugs in the TCP implementations of the targeted systems were exploited.

5 Attack details

Assuming a shared router implements a FIFO queuing policy, the delay introduced by a series of N packets of equal size is:

$$\frac{N \times \text{packet size}}{\text{bandwidth}}$$

The victim is tricked into generating ACK segments, which have about 80 bytes (assuming about 40B for the layer two header, 20B for IP and about 20B for TCP headers). Applying the formula to the experimental setup, the theoretical delay introduced by 30 ACK segments should be $30 \times 80 \times 8 / 320000\ \text{s} = 0.06\ \text{s}$. It is three times more than the ping RTT for the idle link (20ms), and should be easily detectable in the easiest experimental scenario. 1000 ACKs should introduce a delay of $1000 \times 80 \times 8 / 320000\ \text{s} = 2.0\ \text{s}$. This is about three times more than the ping RTT for the saturated link (700ms), and should be easily detectable in the download and upload experiments.

5.1 Ephemeral port number

The 'Event Processing' section of RFC 793 requires an ACK segment to be sent in response to any segment that belongs to an established connection (has correct IP addresses and ports) but is outside of the window (has an incorrect sequence number). If a host adheres to this specification, and is protected by a firewall that silently drops segments not belonging to any connection (a common case), the attacker can use segments with an incorrect sequence number to determine a client port number.

The Windows and Linux TCP stacks follow the RFC and respond with an ACK to any segment with an incorrect sequence number. The Linux Netfilter firewall uses stricter validation rules to drop segments that are not part of a connection:

• Segments without the ACK flag are dropped.
• The acknowledge number is validated. It is accepted only if it is equal to the next octet to be sent or lower by at most max(66000, largest sender window seen).

Acknowledge number validation makes it much harder to use segments with an incorrect sequence number to search for a client port. But there is a hole:

• Segments that have both the SYN and ACK flags set are always accepted and passed to the TCP layer.

The TCP layer responds with an ACK to such segments if their sequence number is outside of the window. This allows an ephemeral port of a Netfilter protected host to be discovered. The only drawback is that if the sequence number of a SYN-ACK segment accidentally happens to be in-window, Linux responds with an RST and the connection is closed. The probability of this is low: $\text{window size}/2^{32}$.

Figure 2 shows how the ping RTT increases when a sequence of spoofed segments is directed at the correct ephemeral port. A spike in RTT occurs reliably, but usually it is not the only detected spike. The proof of concept code repeated all queries for which a spike was detected until a single query was left. This allowed an ephemeral port to be revealed with a high success rate.

[Figure 2: plots of average RTT [ms] and lost pings against scanned port (11230 to 11240); (a) Connection idle, 5 pings/port, 30 spoofed segments/port; (b) Connection downloading data, 10 pings/port, 1000 spoofed segments/port.]

Figure 2: The change in the pings' loss rate reveals an ephemeral port in use (11235). A ping is considered lost if the response did not arrive within two RTTs of previous pings related to the same port.

The lower bound on the query time is a single ping RTT, because at least one ping needs to be sent to determine the query result. Even for a relatively short RTT of 20ms, if the full range of 64k ephemeral ports needs to be scanned, a sequential scan would require at least 21 minutes. When the bandwidth from the attacker to the victim is large, a continuous range of ports can be probed in each sequence of spoofed segments. Such a sequence can be interpreted as the query 'Is the connection using a port between X and Y?'. If a part of the sequence is reflected, the answer is yes, and a sequential search can be used to find the exact port number. In the experimental setup such range queries worked well and considerably reduced the time of the scan (see figure 3). Table 1 summarizes the experimental results. The results were similar for both tested systems. The attacker can further improve performance if the targeted connection uses an ephemeral port from a smaller range.

[Figure 3: plots of average RTT [ms] and lost pings against scanned port range start (10200 to 12000).]

Figure 3: The range scan of an idle connection. Spoofed segments cover ranges of 200 ports. 5 pings and 6000 spoofed segments (30 to each port) are sent for each range. RTT and loss rate spikes reveal that the ephemeral port is somewhere between 11200 and 11400.

Table 1: Ephemeral port search. The full space of 65k ephemeral ports was searched.

connection type | scan time [s] | queries | pings | max ports per query | spoofed segments | reflected segments
idle | 35 | 592 | 2960 (5/query, 0.25MB total, 22ms avg RTT) | 200 | 2202780 (30/port/query, 171MB total) | 330 (25kB)
download | 852 | 849 | 8490 (10/query, 0.7MB total, 749ms avg RTT) | 100 | 73614000 (1000/port/query, 5741MB total) | 12000 (0.9MB)
upload | 690 | 852 | 8520 (10/query, 0.7MB total, 656ms avg RTT) | 100 | 74013000 (1000/port/query, 5773MB total) | 10000 (0.8MB)

A side note on Netfilter

It is interesting why Netfilter does not drop SYN-ACK segments arriving in the context of an already established connection. There are at least two signals that indicate a SYN-ACK segment is incorrect: 1. the ACK number does not acknowledge any SYN segment, 2. data was already exchanged in both directions, so the three way handshake must have finished successfully. A comment in the Netfilter source code says 'Our connection entry may be out of sync, so ignore packets which may signal the real connection between the client and the server' (ignore here means do not drop). The problem is that Netfilter is a completely separate layer from the Linux TCP stack. It does not have access to the real state of a TCP connection, but recreates it based on the segments it has seen. It does not assume that the protected endpoint is on the same machine and that the segments it has accepted reached the destination. For these reasons, tracking the state of a TCP connection and determining if a segment can be safely dropped is very complex. As demonstrated in [2], there are many corner cases to consider that can lead to hung connections when handled incorrectly.

5.2 Sequence numbers

To inject data at the start of the window of one end of the connection (the victim or its peer), the attacker needs to know the sequence number of the next octet to be sent (SND.NXT) by the other end. The exact value of the SND.NXT of the endpoint into which data is inserted does not need to be known; it is enough that the segment that injects data has an acceptable acknowledge number set. Injecting data is relatively easy if the endpoint is not actively receiving data from its peer. If that is not the case, the window and SND.NXT constantly change, introducing an additional obstacle that the attacker needs to overcome. The paper does not try to address these difficulties.

The steps needed to determine the SND.NXTs differ significantly for the two tested systems. In both cases ACK segments with the ephemeral port determined in the previous step are used. The Windows firewall never drops ACK segments that are exchanged within an established connection (have correct IP addresses and ports), so only the rules defined in RFC 793 need to be taken into account when analyzing Windows responses. Netfilter implements stricter filtering rules. The following subsections demonstrate that stricter filtering can significantly reduce the resources needed by the attack.

Host strictly following RFC 793

The sequence number of the victim's peer needs to be determined first. If the sequence number of an incoming ACK segment is in window, and the acknowledge number is acceptable, the segment does not trigger any response. Otherwise, an ACK segment is sent in response. According to RFC 793, an acknowledge number is acceptable if it is equal to the next octet to be sent or lower by at most $2^{31}$. In other words, an acceptable acknowledge number lies in the range $[\text{SND.NXT} - 2^{31}, \text{SND.NXT}]$ (using the 'sequence space arithmetic'). Because of this, out of two acknowledge numbers that differ by $2^{31}$ one is guaranteed to be acceptable. The attacker needs to send

$$N = \frac{2 \times 2^{32}}{\text{window size}}$$

queries to find an in-window sequence number. The risk of accidentally corrupting the session is negligible. The session would be corrupted only if the attacker happens to acknowledge data that was lost in transit. In such a case the data won't be retransmitted.

The attacker does not need to know the size of the victim's window, although it can often be easily determined (see [11]). The attacker can first assume the maximum allowed window (1GB) and try sequence numbers that differ by $2^{30}$. If none of these sequence numbers is in-window, the attacker can try sequence numbers in the middle of the ranges probed in the previous step. If the victim uses a 0.5GB window, one of these sequence numbers should be in-window. The steps can be repeated, each time with the assumed window size divided by two, until an in-window sequence number is found. Such a search is described in more detail in [8].

Out of N queries, the single one that does not generate a positive response needs to be found. The situation is the opposite of port scanning, where a single query that does generate a response was searched for. In practice, searching for a negative answer is more difficult:

• The bottleneck is constantly overloaded. Scanning needs to be done in sequence, with long enough intervals between subsequent queries for the bottleneck's queue to empty. Scanning several values at once is not possible: it is relatively easy to distinguish between a traffic spike and the lack of a traffic spike, but it is much harder to distinguish between a traffic spike and a slightly smaller traffic spike.
• Natural traffic may mask the lack of a response. In contrast, when a query to which the system responds is searched for, natural traffic can only magnify the traffic spike.

Figure 4 illustrates how the RTT decreases when a probed sequence number is within the window. Table 2 shows that even in the case of an idle connection, the time needed for a scan to finish is significant. In the experimental setup, the PoC code would need roughly 36 hours to complete a sequential scan of a connection uploading data.

[Figure 4: plots of average RTT [ms] and lost pings against scanned sequence number (normalized: 0 within window); (a) Connection idle, 5 pings/seq number, 30 spoofed segments/seq number; (b) Connection uploading data, 10 pings/seq number, 1000 spoofed segments/seq number.]

Figure 4: When the sequence number of a spoofed segment is in-window, the smallest average RTT and loss rate are measured. The RTT and loss rate of the other probes are large, increasing the duration of the scan. A natural traffic spike could mask a minimum. A ping is considered lost if the response did not arrive within two RTTs of previous pings related to the same sequence number.

Table 2: In-window sequence number search for the host strictly following RFC 793 processing rules. The host used a window of 65kB.

connection type | scan time [s] | queries | pings | spoofed segments | reflected segments
idle | 16860 (~5h) | 131338 | 394014 (3/query, 32MB total, 85ms avg RTT) | 3940140 (30/query, 307MB total) | 3939930

Knowing an in-window sequence number, the attacker can find the victim's peer's SND.NXT by looking for the lowest sequence number that does not generate a response. Such a value is at most window size before the in-window sequence number and can be found with a binary search in log(window size) queries.

Also, if the value of the victim's SND.NXT is needed, it can now be easily determined. 31 queries are required to binary search for the highest acknowledge number that does not generate any response (is acceptable). This number is equal to the SND.NXT of the victim.

Host protected by Netfilter

The sequence number of the victim is determined first. The technique exploits the acknowledge number validation rules described in section 5.1. An ACK segment is accepted only if its acknowledge number is equal to the next octet to be sent or lower by at most max(66000, largest sender window seen). In other words, an acceptable acknowledge number lies in the range $[\text{SND.NXT} - \max(66000, \text{largest sender window seen}), \text{SND.NXT}]$ (using the 'sequence space arithmetic'). A segment with an unacceptable acknowledge number is silently dropped by the firewall. Netfilter does not validate the sequence numbers of ACKs. The Linux TCP layer, to which the segments that were not dropped are passed, validates the sequence number and responds with an ACK if it is out of the window.

This allows an acceptable acknowledge number to be found in $2^{32}/\max(66000, \text{largest sender window seen})$ tries. If the victim responds to a segment that had an incorrect sequence number, it means the acknowledge number was accepted by Netfilter. Searching for an acceptable acknowledge number is analogous to searching for an ephemeral port. At most $2^{32}/66000 = 65075$ values need to be probed and only one of these values generates a positive response, which allows several values to be probed in a single query. See table 1 again for estimates of the resources needed.

There is a trick that allows the search efficiency to be improved further. Netfilter can be easily fooled into setting the value of the 'largest sender window seen' to the maximum value allowed by the window scaling factor that was set during connection establishment. To do it, 65075 ACKs need to be sent, covering the whole $2^{32}$ acknowledge number space with values that differ by 66000. All these ACKs need to have the window size set to the maximum allowed value: 0xFFFF. One of the ACKs should be accepted by Netfilter and set its maximum window seen to $\text{0xFFFF} \times 2^{\text{window scaling factor}}$ (note that this does not affect the real window size; the TCP endpoint rejects the ACK because it carries an incorrect sequence number). In the experimental setup, the sender set the window size to 114 with a scaling factor of 7, which resulted in a small window of $114 \times 2^{7} = 14592$B. The sequence of spoofed ACKs fooled Netfilter into believing that the window increased to $\text{0xFFFF} \times 2^{7} = 8388480$B. Such a window allowed the whole $2^{32}$ acknowledge number space to be covered with only 512 values. As was the case when the host following RFC 793 was targeted, the attacker does not need to know the size of the victim's window and the scaling factor. The maximum allowed window of 1GB can be assumed, and divided by two until an acceptable acknowledge number is found. See table 3 for a summary of the resources needed by the search.

Table 3: Acceptable acknowledge number search. The attacker fooled Netfilter into believing that the sender window increased to 8.3MB; this allowed the whole acknowledge number space to be covered with a small number of queries.

connection type | scan time [s] | queries | pings | max ack values per query | spoofed segments | reflected segments
idle | 3.4 | 60 | 300 (5/query, 24kB total, 21ms avg RTT) | 25 | 20520 (30/ack value/query, 1.6MB total) | 240 (18kB)
download | 61 | 51 | 510 (10/query, 42kB total, 866ms avg RTT) | 25 | 627000 (1000/ack value/query, 49MB total) | 4000 (0.3MB)
upload | 59 | 56 | 560 (10/query, 45kB total, 602ms avg RTT) | 25 | 728000 (1000/ack value/query, 57MB total) | 6000 (0.5MB)

Knowing an acceptable acknowledge number, a binary search can be used to find the sequence number of the next octet to be sent by the victim. This requires log(max(66000, largest sender window seen)) queries.

If the victim's peer's SND.NXT needs to be known, the attacker has several ways to reveal it:

• Segments with a single byte of data can be used. Netfilter validates the sequence numbers of segments that carry data. If the number is in-window, the segment is passed to the TCP layer, which generates an ACK in response because the data is out of order. If the sequence number is out of the window, Netfilter drops the segment. This technique carries the risk of corrupting the session with the accepted byte.
• If the attacker is able to send spoofed traffic to both ends, and to reliably monitor the traffic spikes of both ends, the other end of the connection can be targeted. If the other end follows RFC 793, only 32 queries are needed to find the second SND.NXT. If it is protected by Netfilter, the steps described in this section can be used again.
• A resource intensive search for a sequence number that does not generate any response can be performed in a similar way as it was done for a system following RFC 793 in the previous subsection. The only difference is that an acceptable acknowledge number is already known; only an in-window sequence number needs to be found.

5.3 Other variants

Different TCP stacks may implement different segment processing rules, possibly closing some leaks described in this paper, or opening new ones. For example, to prevent the blind RST injection attack described in [12], a new recommendation for RST processing was created [3]. According to RFC 793 any in-window RST should be accepted and should reset the connection. The stricter and safer rules require an RST to have a sequence number exactly equal to the next expected sequence number; otherwise, an in-window RST segment should generate an ACK in response without resetting the connection. The document advises to optionally throttle such ACKs. If such ACKs are not throttled, the attacker can query for a window using RST segments with little risk of accidentally resetting the connection.
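The following Python is an added illustration, not code from the paper or its proof of concept: it models the two acknowledge-number acceptance rules compared in section 5.2 (RFC 793 host versus Netfilter-protected host) in 32-bit sequence-space arithmetic, and computes the minimum number of evenly spread probe values that guarantees at least one acceptable value whatever SND.NXT is. It also works through the rounding edge case that the 0xFFFF × 2^7 window does not divide 2^32 exactly, so one probe more than 2^32/8388481 is needed before no SND.NXT is left uncovered. All names are the example's own; the constants 66000, 114, 7 and 0xFFFF are taken from the text.

```python
"""Acknowledge-number acceptance rules from section 5.2 and the probe
count needed to cover the 32-bit space.  Added example; not the paper's
proof of concept."""
import math

SEQ_SPACE = 1 << 32          # TCP sequence and acknowledge numbers are 32-bit
NETFILTER_MIN_WIDTH = 66000  # constant quoted by the paper for Netfilter
RFC793_WIDTH = 1 << 31       # RFC 793: ack may lag SND.NXT by at most 2^31


def in_seq_range(value, low, high):
    """True if value lies in the inclusive range [low, high] of the circular
    32-bit sequence space (the range may wrap around 2^32)."""
    return (value - low) % SEQ_SPACE <= (high - low) % SEQ_SPACE


def ack_acceptable(ack, snd_nxt, width):
    """Common shape of both rules: acceptable iff ack is in
    [SND.NXT - width, SND.NXT]; width is 2^31 for RFC 793 and
    netfilter_width(...) for a Netfilter-protected host."""
    return in_seq_range(ack, (snd_nxt - width) % SEQ_SPACE, snd_nxt)


def netfilter_width(largest_window_seen):
    """Netfilter's tolerance: max(66000, largest sender window seen)."""
    return max(NETFILTER_MIN_WIDTH, largest_window_seen)


def scaled_window(window_field, scale):
    """Window size advertised by a segment when window scaling is in effect."""
    return window_field << scale


def range_size(width):
    """Number of distinct acceptable ack values: both ends are inclusive."""
    return width + 1


def min_probes(width):
    """Smallest count of evenly spread probe values such that every possible
    SND.NXT accepts at least one of them.  A hit is guaranteed exactly when
    the largest circular gap between neighbouring probes fits in the range."""
    return math.ceil(SEQ_SPACE / range_size(width))


def spread_probes(n):
    """n ack values spread as evenly as integers allow over the 2^32 space."""
    return [(i * SEQ_SPACE) // n for i in range(n)]


def _circular_gaps(probes):
    s = sorted(probes)
    gaps = [s[i + 1] - s[i] for i in range(len(s) - 1)]
    gaps.append(SEQ_SPACE - s[-1] + s[0])  # wrap-around gap
    return s, gaps


def probes_always_hit(probes, width):
    """Exact coverage test for a probe set against a tolerance width."""
    _, gaps = _circular_gaps(probes)
    return max(gaps) <= range_size(width)


def worst_case_snd_nxt(probes):
    """The SND.NXT hardest to hit: one below the probe that ends the largest
    gap, so its acceptance range reaches back into that gap only.
    Constructed for the checks below."""
    s, gaps = _circular_gaps(probes)
    i = gaps.index(max(gaps))
    end = s[i + 1] if i + 1 < len(s) else s[0] + SEQ_SPACE
    return (end - 1) % SEQ_SPACE


def accepted_count(probes, snd_nxt, width):
    """How many of the probes this SND.NXT would accept."""
    return sum(1 for p in probes if ack_acceptable(p, snd_nxt, width))


if __name__ == "__main__":
    real = netfilter_width(scaled_window(114, 7))       # 14592B window -> 66000
    fooled = netfilter_width(scaled_window(0xFFFF, 7))  # 8388480B
    for name, width in (("RFC 793", RFC793_WIDTH), ("Netfilter, real window", real),
                        ("Netfilter, fooled window", fooled)):
        print("%-26s width=%-10d probes needed=%d" % (name, width, min_probes(width)))
    p512 = spread_probes(512)
    print("512 probes vs fooled window leave a gap:",
          accepted_count(p512, worst_case_snd_nxt(p512), fooled) == 0)
```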
6 Advanced scanning technique

TCP Fast Retransmit [13] can be exploited to trigger substantial traffic spikes with a relatively small number of spoofed segments. Fast Retransmit is activated by 3 duplicated ACKs. The TCP layer interprets such duplicates as a message that a segment was lost but 3 subsequent segments successfully arrived at the destination. Each following duplicated ACK is interpreted as an acknowledgement that another segment was successfully received, but the lost segment still didn't reach the destination. Because segments are successfully leaving the network, the sender sends a new segment in response to each such duplicated ACK. A burst of ACKs can trick the sender into sending a full window of data in a very short time, as described in [9]. The amplification factor for a network with MTU 1500 is 37. This allows the attacker to trigger observable traffic spikes with much fewer spoofed segments.

The technique can also be used to detect the ephemeral port number of a host that does not filter segments addressed to a non-existing connection but responds with an RST to each such segment. A sequence of spoofed segments directed to an incorrect port results in a sequence of RSTs that are silently dropped by the other end point with no side effect. A sequence of spoofed segments directed to the correct port results in a sequence of ACKs that trigger the other side to abruptly send a full window of data. If the attacker can detect the spike in traffic caused by this window of data, the port can be determined.

The technique was not tested in practice.

7 Protection

To be fully protected against the side channel information leakage described in this paper, the protocol would need to ensure that unauthenticated segments are never answered. If that were the case, the only information that would leak to an off-path attacker would be that the segment was not authenticated. Provided the authentication mechanism is strong enough to make the probability of generating an acceptable request negligible, the attacker learns nothing through the side channel that couldn't be figured out without mounting the attack. The TCP Authentication Option [14] provides exactly such a mechanism, but the option is not widely used.

In the case of sequence number based authentication, it can be difficult to ensure in a backward compatible way that the protocol never responds to rejected segments. Sequence numbers have a double purpose. They were intended primarily for detecting duplicate, lost and out of order segments. The use of sequence numbers as a protection mechanism against an adversary was emergent, not even mentioned in the original specification. If Netfilter filtered SYN-ACK segments addressed to an established connection and dropped ACK segments with invalid sequence numbers, the attack against a system protected by Netfilter would probably be impossible. But such stricter filtering rules require very careful analysis to prevent hung connections in corner cases.

Throttling responses to rejected segments should be sufficient to make the information leakage non-exploitable in practice. A throttling mechanism for ACKs generated in response to in-window RSTs and in-window SYN-ACKs was proposed in [3]. To be effective, the mechanism would need to also throttle ACKs generated in response to other rejected segments.

The attack is the easiest if the attacker shares an edge router with the victim. The first few hops are also the best place to reliably filter spoofed IP packets. A network that is configured to drop such traffic is protected at least against a local attacker.

A queueing policy that better isolates traffic coming from different users could make the attack more difficult to execute. A privacy protecting scheduling policy was studied in [15]. The authors were able to significantly reduce the correlation between the traffic patterns of users sharing a routing queue without introducing prohibitive performance degradation. The designed policy reduced the leakage of information regarding the traffic pattern of a user, but the traffic load of a user was still leaking through the increased packet processing time. To execute the attack described in this paper, it is enough to detect increased traffic load; knowing the exact traffic pattern is not necessary. Further research is needed to assess the effect of different queuing policies on the attack applicability.

8 Summary

The paper demonstrated how changes in the processing time of packets that traverse a shared queue can reveal if a host responded to spoofed traffic. It was shown that in the case of the TCP protocol, being able to determine if a system responded to spoofed segments is sufficient to compromise the session; direct interception of the TCP traffic is not required. Two different TCP implementations with different processing rules were examined. Both implementations responded to partially incorrect TCP segments, allowing the attacker to determine the values of secret fields in separate steps. A substantial part of the work was dedicated to experiments to determine if the attack is practical in a real-life scenario and to provide estimates of the resources needed. The paper concluded with a discussion of possible attack prevention mechanisms.

The work did not try to determine the practical limits of the technique. There is a lot of room for further experiments in scenarios more adverse for the attacker (lower bandwidth between the attacker and the victim, a busy bottleneck shared between many users, different queuing policies). The provided proof of concept can be used as a starting point for such experiments. The paper also did not attempt to provide a detailed survey of the applicability of the technique against popular TCP implementations. Finally, the paper concentrated on compromising a TCP session, but the presented technique can be applicable in other scenarios.

9 Acknowledgments

The author would like to pass a non-spoofed ACK to Wojtek Matyjewicz for reviewing the first drafts of the paper, valuable comments and discussions.

References

[1] J. Postel, Transmission Control Protocol, RFC 793, Internet Engineering Task Force, 1981, http://tools.ietf.org/html/rfc793
[2] G. Van Rooij, Real Stateful TCP Packet Filtering in IP Filter, 2001, www.usenix.org/events/sec01/invitedtalks/rooij.pdf
[3] A. Ramaiah, R. Stewart, M. Dalal, Improving TCP's Robustness to Blind In-Window Attacks, RFC 5961, 2011, http://tools.ietf.org/html/rfc5961
[4] M. Larsen, F. Gont, Transport Protocol Port Randomization Recommendations, RFC 6056, 2011, http://tools.ietf.org/html/rfc6056
[5] F. Gont, Security Assessment of the Transmission Control Protocol, 2011, http://tools.ietf.org/html/draft-ietf-tcpm-tcp-security-0
[6] S. Kadloor, Xun Gong, N. Kiyavash, T. Tezcan, N. Borisov, Low-Cost Side Channel Remote Traffic Analysis Attack in Packet Networks, ICC IEEE, 2010
[7] Antirez, New tcp scan method, 1998, http://seclists.org/bugtraq/1998/Dec/79
[8] klm, Blind TCP/IP hijacking is still alive, 2007, http://www.phrack.org/issues.php?issue=64&id=15
[9] S. Savage, N. Cardwell, D. Wetherall, T. Anderson, TCP Congestion Control with a Misbehaving Receiver, ACM Computer Communication Review, 29(5), October 1999
[10] A. Kumar, D. Sisalem, TCP based denial-of-service attacks to edge network: Analysis and detection, 2004, iptel.org/~dor/papers/Kumar1204_TCP.pdf
[11] Fyodor, Remote OS Detection, Nmap Network Scanning, http://nmap.org/book/osdetect.html
[12] P. Watson, Slipping in the Window: TCP Reset Attacks, CanSecWest 2004 Conference
[13] M. Allman, V. Paxson, W. Stevens, TCP Congestion Control, RFC 2581, 1999, http://tools.ietf.org/html/rfc2581
[14] J. Touch, A. Mankin, R. Bonica, The TCP Authentication Option, RFC 5925, 2010, http://tools.ietf.org/html/rfc5925
[15] S. Kadloor, Xun Gong, N. Kiyavash, P. Venkitasubramaniam, Designing Privacy Preserving Router Scheduling Policies, Information Sciences and Systems (CISS), 2011
[16] Reflection Scan Proof of Concept, https://github.com/wrr/reflection_scan
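To make the throttling mitigation of section 7 concrete against the queueing model of section 5, here is an added Python example (not the paper's proof of concept). It reproduces the paper's delay figures for 30 and 1000 reflected ACKs on the 320kb/s uplink, then puts a rate limiter on ACKs sent in response to rejected segments and shows how the induced RTT spike shrinks. The limiter class, its limit values (10/s and 100/s) and the burst durations are hypothetical choices of this example; the paper only says such responses should be throttled.

```python
"""FIFO bottleneck delay model (section 5) with and without a rate limit on
ACKs answering rejected segments (section 7).  Added example; not the
paper's proof of concept.  Limiter parameters are hypothetical."""

ACK_BYTES = 80            # paper's estimate: ~40B layer two + 20B IP + 20B TCP
UPLINK_BPS = 320_000      # edge router uplink in the paper's experimental setup
IDLE_RTT_S = 0.020        # ping RTT measured on the idle link
SATURATED_RTT_S = 0.700   # ping RTT measured on the saturated link


def queue_delay(n_packets, packet_bytes=ACK_BYTES, bandwidth_bps=UPLINK_BPS):
    """Delay added to a probe queued behind n_packets equal-size packets at a
    FIFO bottleneck: N * packet size / bandwidth, the formula of section 5."""
    return n_packets * packet_bytes * 8 / bandwidth_bps


class ResponseThrottle:
    """Fixed-window limiter (hypothetical): at most `limit` response segments
    per `interval` seconds; further rejected segments are dropped silently."""

    def __init__(self, limit, interval=1.0):
        self.limit = limit
        self.interval = interval
        self._window_start = None
        self._sent = 0

    def allow(self, now):
        if self._window_start is None or now - self._window_start >= self.interval:
            self._window_start, self._sent = now, 0
        if self._sent < self.limit:
            self._sent += 1
            return True
        return False


def reflected_acks(n_spoofed, burst_seconds, throttle=None):
    """ACKs a stack emits for n_spoofed rejected segments arriving evenly over
    burst_seconds.  Unthrottled, every rejected segment is answered (the RFC
    793 behaviour the paper relies on); throttled, the limiter decides."""
    sent = 0
    for i in range(n_spoofed):
        now = i * burst_seconds / n_spoofed
        if throttle is None or throttle.allow(now):
            sent += 1
    return sent


def rtt_spike(n_spoofed, burst_seconds, throttle=None):
    """Extra probe RTT (seconds) the reflected burst induces at the bottleneck."""
    return queue_delay(reflected_acks(n_spoofed, burst_seconds, throttle))


def spike_ratio(n_spoofed, burst_seconds, baseline_rtt, throttle=None):
    """Spike as a multiple of the baseline RTT; the paper treats a spike of
    about three baselines as easily detectable."""
    return rtt_spike(n_spoofed, burst_seconds, throttle) / baseline_rtt


if __name__ == "__main__":
    scenarios = (
        ("idle link, 30 spoofed segments", 30, 0.01, IDLE_RTT_S, 10),
        ("saturated link, 1000 spoofed segments", 1000, 0.1, SATURATED_RTT_S, 100),
    )
    for label, n, burst, base, limit in scenarios:
        print("%s: unthrottled spike x%.1f, throttled at %d/s x%.2f" % (
            label, spike_ratio(n, burst, base), limit,
            spike_ratio(n, burst, base, ResponseThrottle(limit))))
```

Note that a per-second limit sized for a busy server (100/s) still lets all 30 ACKs of the idle-link scenario through, so the limit has to be judged against the bottleneck's bandwidth, not only against the stack's own load.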