Wei Wei,Yabo Dong,Dongming Lu,Guang Jin,Honglan Lao

DOI: https://doi.org/10.1007/11760146_23

2006-01-01

Abstract:Low-rate TCP-targeted Denial-of-Service (DoS) attack (shrew) is a new kind of DoS attack which is based on TCP’s Retransmission Timeout (RTO) mechanism and can severely reduce the throughput of TCP traffic on victim. The paper proposes a novel mechanism which consists of effective detection and response methods. Through analyzing sampled attack traffic, we find that there is a stable difference between attack and legitimate traffic in frequency field, especially in low frequency. We use Sum of Low Frequency Power spectrum (SLFP) for detection. In our algorithm the destination IP address is used as flow label and SLFP is applied to every flow traversing edge router. If shrew is found, all flows to the destination are processed by Aggregated Flows Balance (AFB) at a proper upstream router. Simulation shows that attack traffics are restrained and TCP traffics can obtain enough bandwidth. The result indicates that our mechanism is effective and deployable.

Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

WEI Wei,DONG Ya-bo,LU Dong-ming,JIN Guang

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.05.007

2008-01-01

Abstract:Low rate TCP-targeted denial of service(DoS) attack makes use of time-out and retransmission mechanism in transmission control protocol(TCP) and could severely decrease the throughput of legitimate TCP traffic.With its attacking traffic pattern,obvious difference was found between the power spectrum density(PSD) of legitimate and attack traffic samples.The statistical characteristic of this difference in history data was analyzed,and a detection method using the summation of low frequency was proposed.Meanwhile,based on the methods of leak bucket and the increasing of routing buffer,a response method was provided,which uses leak bucket periodically for smoothing the flow and uses buffer for holding extra traffic to send in next period,and its reasonable resource requirement was proved.Simulations show that for more general attack scenarios than the existing methods,the detection method has very low positive and negative false ratio,and the response method can depress attack flows more effectively than the previous methods and maintain the legitimate throughput in a normal level while the previous methods failed.

Ziqiang Wang,Xuewei Feng,Qi Li,Kun Sun,Yuxiang Yang,Mengyuan Li,Ganqiu Du,Ke Xu,Jianping Wu

2024-10-01

Abstract:In this paper, we unveil a fundamental side channel in Wi-Fi networks, specifically the observable frame size, which can be exploited by attackers to conduct TCP hijacking attacks. Despite the various security mechanisms (e.g., WEP and WPA2/WPA3) implemented to safeguard Wi-Fi networks, our study reveals that an off path attacker can still extract sufficient information from the frame size side channel to hijack the victim's TCP connection. Our side channel attack is based on two significant findings: (i) response packets (e.g., ACK and RST) generated by TCP receivers vary in size, and (ii) the encrypted frames containing these response packets have consistent and distinguishable sizes. By observing the size of the victim's encrypted frames, the attacker can detect and hijack the victim's TCP connections. We validate the effectiveness of this side channel attack through two case studies, i.e., SSH DoS and web traffic manipulation. Precisely, our attack can terminate the victim's SSH session in 19 seconds and inject malicious data into the victim's web traffic within 28 seconds. Furthermore, we conduct extensive measurements to evaluate the impact of our attack on real-world Wi-Fi networks. We test 30 popular wireless routers from 9 well-known vendors, and none of these routers can protect victims from our attack. Besides, we implement our attack in 80 real-world Wi-Fi networks and successfully hijack the victim's TCP connections in 75 (93.75%) evaluated Wi-Fi networks. We have responsibly disclosed the vulnerability to the Wi-Fi Alliance and proposed several mitigation strategies to address this issue.

Networking and Internet Architecture,Cryptography and Security

Xuewei Feng,Chuanpu Fu,Qi Li,Kun Sun,Ke Xu

DOI: https://doi.org/10.1145/3372297.3417884

2020-08-29

Abstract:In this paper, we uncover a new off-path TCP hijacking attack that can be used to terminate victim TCP connections or inject forged data into victim TCP connections by manipulating the new mixed IPID assignment method, which is widely used in Linux kernel version 4.18 and beyond to help defend against TCP hijacking attacks. The attack has three steps. First, an off-path attacker can downgrade the IPID assignment for TCP packets from the more secure per-socket-based policy to the less secure hash-based policy, building a shared IPID counter that forms a side channel on the victim. Second, the attacker detects the presence of TCP connections by observing the shared IPID counter on the victim. Third, the attacker infers the sequence number and the acknowledgment number of the detected connection by observing the side channel of the shared IPID counter. Consequently, the attacker can completely hijack the connection, i.e., resetting the connection or poisoning the data stream. We evaluate the impacts of this off-path TCP attack in the real world. Our case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing tables show its threat on a wide range of applications. Our experimental results show that our off-path TCP attack can be constructed within 215 seconds and the success rate is over 88%. Finally, we analyze the root cause of the exploit and develop a new IPID assignment method to defeat this attack. We prototype our defense in Linux 4.18 and confirm its effectiveness through extensive evaluation over real applications on the Internet.

Cryptography and Security

Wenyuan Xu,Timothy Wood,Wade Trappe,Yanyong Zhang

DOI: https://doi.org/10.1145/1023646.1023661

2004-01-01

Abstract:Wireless networks are built upon a shared medium that makes it easy for adversaries to launch denial of service (DoS) attacks. One form of denial of service is targeted at preventing sources from communicating. These attacks can be easily accomplished by an adversary by either bypassing MAC-layer protocols, or emitting a radio signal targeted at jamming a particular channel. In this paper we present two strategies that may be employed by wireless devices to evade a MAC/PHY-layer jamming-style wireless denial of service attack. The first strategy, channel surfing, is a form of spectral evasion that involves legitimate wireless devices changing the channel that they are operating on. The second strategy, spatial retreats, is a form of spatial evasion whereby legitimate mobile devices move away from the locality of the DoS emitter. We study both of these strategies for three broad wireless communication scenarios: two-party radio communication, an infrastructured wireless network, and an ad hoc wireless network. We evaluate several of our proposed strategies and protocols through ns-2 simulations and experiments on the Berkeley mote platform.

Chuanpu Fu,Qi Li,Ke Xu,Xuewei Feng,Kun Sun

DOI: https://doi.org/10.1109/tnet.2021.3115517

2022-02-01

IEEE/ACM Transactions on Networking

Abstract:In this paper, we uncover a new off-path TCP hijacking attack that can be used to terminate victim TCP connections or inject forged data into victim TCP connections by manipulating the new mixed IPID assignment method, which is widely used in Linux kernel version 4.18 and beyond. Our attack has three steps. First, an off-path attacker can downgrade the IPID assignment for TCP packets from the more secure per-socket-based policy to the less secure hash-based policy, thus building a shared IPID counter that forms a side channel in the victim. Second, the attacker detects the presence of TCP connections by observing the side channel of the shared IPID counter. Third, the attacker infers sequence and acknowledgment numbers of the detected connection by observing the side channel. Consequently, the attacker can completely hijack the connection, e.g., resetting the connection or poisoning the data stream. We evaluate the impacts of our attack in the real world, and we uncover that more than 20% of Alexa top 100k websites are vulnerable to our attack. Our case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing tables show its threat on a wide range of applications. Moreover, we demonstrate that our attack can be further extended to exploit IPv4/IPv6 dual-stack networks on increasing the hash collisions and enlarging vulnerable populations. Finally, we analyze the root cause and develop a new IPID assignment method to defeat this attack. We prototype our defense in Linux 4.18 and confirm its effectiveness in the real world.

Computer Science

Yossi Gilad,Amir Herzberg

DOI: https://doi.org/10.48550/arXiv.1204.6623

2012-04-30

Abstract:We show how an off-path (spoofing-only) attacker can perform cross-site scripting (XSS), cross-site request forgery (CSRF) and site spoofing/defacement attacks, without requiring vulnerabilities in either web-browser or server and circumventing known defenses. Attacker can also launch devastating denial of service (DoS) attacks, even when the connection between the client and the server is secured with SSL/TLS. The attacks are practical and require a puppet (malicious script in browser sandbox) running on a the victim client machine, and attacker capable of IP-spoofing on the Internet. Our attacks use a technique allowing an off-path attacker to learn the sequence numbers of both client and server in a TCP connection. The technique exploits the fact that many computers, in particular those running Windows, use a global IP-ID counter, which provides a side channel allowing efficient exposure of the connection sequence numbers. We present results of experiments evaluating the learning technique and the attacks that exploit it. Finally, we present practical defenses that can be deployed at the firewall level; no changes to existing TCP/IP stacks are required.

Cryptography and Security

Amit Klein

DOI: https://doi.org/10.48550/arXiv.2112.09604

2022-09-01

Abstract:We analyzed the generation of protocol header fields in the implementations of multiple TCP/IP network stacks and found new ways to leak information about global protocol states. We then demonstrated new covert channels by remotely observing and modifying the system's global state via these protocol fields. Unlike earlier works, our research focuses on hosts that reside in firewalled networks (including source address validation -- SAV), which is a very common scenario nowadays. Our attacks are designed to be non-disruptive -- in the exfiltration scenario, this makes the attacks stealthier and thus extends their longevity, and in case of host alias resolution and similar techniques -- this ensures the techniques are ethical. We focused on ICMP, which is commonly served by firewalls, and on UDP, which is forecasted to take a more prominent share of the Internet traffic with the advent of HTTP/3 and QUIC, though we report results for TCP as well. The information leakage scenarios we discovered enable the construction of practical covert channels which directly pierce firewalls, or indirectly establish communication via hosts in firewalled networks that also employ SAV. We describe and test three novel attacks in this context: exfiltration via the firewall itself, exfiltration via a DMZ host, and exfiltration via co-resident containers. These are three generic, new use cases for covert channels that work around firewalling and enable devices that are not allowed direct communication with the Internet, to still exfiltrate data out of the network. In other words, we exfiltrate data from isolated networks to the Internet. We also explain how to mount known attacks such as host alias resolution, de-NATting and container co-residence detection, using the new information leakage techniques.

Cryptography and Security

Yuxiang Yang,Xuewei Feng,Qi Li,Kun Sun,Ziqiang Wang,Ke Xu

DOI: https://doi.org/10.14722/ndss.2024.23419

2024-04-06

Abstract:In this paper, we uncover a new side-channel vulnerability in the widely used NAT port preservation strategy and an insufficient reverse path validation strategy of Wi-Fi routers, which allows an off-path attacker to infer if there is one victim client in the same network communicating with another host on the Internet using TCP. After detecting the presence of TCP connections between the victim client and the server, the attacker can evict the original NAT mapping and reconstruct a new mapping at the router by sending fake TCP packets due to the routers' vulnerability of disabling TCP window tracking strategy, which has been faithfully implemented in most of the routers for years. In this way, the attacker can intercept TCP packets from the server and obtain the current sequence and acknowledgment numbers, which in turn allows the attacker to forcibly close the connection, poison the traffic in plain text, or reroute the server's incoming packets to the attacker. We test 67 widely used routers from 30 vendors and discover that 52 of them are affected by this attack. Also, we conduct an extensive measurement study on 93 real-world Wi-Fi networks. The experimental results show that 75 of these evaluated Wi-Fi networks (81%) are fully vulnerable to our attack. Our case study shows that it takes about 17.5, 19.4, and 54.5 seconds on average to terminate an SSH connection, download private files from FTP servers, and inject fake HTTP response packets with success rates of 87.4%, 82.6%, and 76.1%. We responsibly disclose the vulnerability and suggest mitigation strategies to all affected vendors and have received positive feedback, including acknowledgments, CVEs, rewards, and adoption of our suggestions.

Cryptography and Security

Yossi Gilad,Amir Herzberg

DOI: https://doi.org/10.48550/arXiv.1208.2357

2012-08-11

Abstract:We present a new type of clogging DoS attacks, with the highest amplification factors achieved by off-path attackers, using only puppets, i.e., sandboxed malware on victim machines. Specifically, we present off-path variants of the Opt-ack, Ack-storm and Coremelt DoS attacks, achieving results comparable to these achieved previously achieved by eavesdropping/MitM attackers and (unrestricted) malware. In contrast to previous off-path attacks, which attacked the client (machine) running the malware, our attacks address a very different goal: large-scale clogging DoS of a third party, or even of backbone connections. Our clogging attacks are based on off-path TCP injections. Indeed, as an additional contribution, we present improved off-path TCP injection attacks. Our new attacks significantly relax the requirements cf. to the known attacks; specifically, our injection attack requires only a Java script in browser sandbox (not 'restricted malware'), does not depend on specific operating system properties, and is efficient even when client's port is determined using recommended algorithm. Our attacks are constructed modularly, allowing reuse of modules for other scenarios and replacing modules as necessary. We present specific defenses, however, this work is further proof to the need to base security on sound foundations, using cryptography to provide security even against MitM attackers.

Cryptography and Security

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

Kai Bu,Yutian Yang,Zixuan Guo,Yuanyuan Yang,Xing Li,Shigeng Zhang

DOI: https://doi.org/10.1016/j.comnet.2021.108099

IF: 5.493

2021-01-01

Computer Networks

Abstract:Software-Defined Networking (SDN) greatly simplifies middlebox policy enforcement. Middleboxes need tag packet headers to avoid forwarding ambiguity on SDN switches. In this paper, we present a new attack, called middlebox-bypass attack, to breach SDN-based middlebox policy enforcement. Such an attack manipulates a compromised switch to locally tag attacking packets without handing them over to the attached middlebox for inspection. Existing SDN security solutions, however, cannot detect the middlebox-bypass attack under practical constraints of efficiency, robustness, and applicability. We design and implement FlowCloak, the first protocol for per-packet real-time detection and prevention of middlebox-bypass attacks. FlowCloak enables middleboxes to generate tags that are probabilistically unknown to an attacker and confines it to only random guessing. We propose a multi-tag verification technique to address the tradeoff between FlowCloak robustness and TCAM usage by tag verification rules on the egress switch. Experiment results show that dozens of verification rules can confine the attacking probability under 0.1%. We further explore implementation techniques of packet looping and field swapping that can enable a flow table pipeline on a single TCAM and mitigate packet correlation, respectively. FlowCloak imposes only a 0.01 ms packet processing delay on middleboxes and no obvious delay on the egress switch.

MU Jun-chen,GAN Zhi-hua,XU Hong-yun

DOI: https://doi.org/10.3969/j.issn.1009-3044.2007.06.029

2007-01-01

Abstract:Discrete Fourier transform based on the time domain sequence TCP flow sample x(n) (0,1) standardization sequences. RoQ attack is detected according to it's periodicity etc. A strategy to defense the RoQ attack is proposed. The algorithm of the strategy is given.

Geoffrey Alexander,Antonio M. Espinoza,Jedidiah R. Crandall

DOI: https://doi.org/10.2478/popets-2019-0071

2019-07-30

Proceedings on Privacy Enhancing Technologies

Abstract:Abstract We present a novel attack for detecting the presence of an active TCP connection between a remote Linux server and an arbitrary client machine. The attack takes advantage of side-channels present in the Linux kernel’s handling of the values used to populate an IPv4 packet’s IPID field and applies to kernel versions of 4.0 and higher. We implement and test this attack and evaluate its real world effectiveness and performance when used on active connections to popular web servers. Our evaluation shows that the attack is capable of correctly detecting the IP-port 4-tuple representing an active TCP connection in 84% of our mock attacks. We also demonstrate how the attack can be used by the middle onion router in a Tor circuit to test whether a given client is connected to the guard entry node associated with a given circuit. In addition we discuss the potential issues an attacker would face when attempting to scale it to real world attacks, as well as possible mitigations against the attack. Our attack does not exhaust any global resource, and therefore challenges the notion that there is a direct one-to-one connection between shared, limited resources and non-trivial network side-channels. This means that simply enumerating global shared resources and considering the ways in which they can be exhausted will not suffice for certifying a kernel TCP/IP network stack to be free of privacy risk side-channels.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11919568_78

2006-01-01

Abstract:The wide spread of worms, DDOS attacks and scan activities have greatly affected the network infrastructure security For scan detection, traditionally most detection methods are flow based, thus undesirable for gigabits or multi-gigabits networks To deal with this scalability problem, in this paper, a novel scan detection method is proposed, in which no flow record is required to maintain Based on the observation that scans will generally generate a large volume of return RST packets, a hypothesis testing based approach is proposed Experiments in practical network and on the DARPA 1998 datasets indicate that this algorithm is effective.

Xuewei Feng,Qi Li,Kun Sun,Zhiyun Qian,Gang Zhao,Xiaohui Kuang,Chuanpu Fu,Ke Xu

2022-01-01

Abstract:ICMP redirect is a mechanism that allows an end host to dynamically update its routing decisions for particular destinations. Previous studies show that ICMP redirect may be exploited by attackers to manipulate the routing of victim traffic. However, it is widely believed that ICMP redirect attacks are not a real-world threat since they can only occur under specific network topologies (e.g., LAN). In this paper, we conduct a systematic study on the legitimacy check mechanism of ICMP and uncover a fundamental gap between the check mechanism and stateless protocols, resulting in a wide range of vulnerabilities. In particular, we find that off-path attackers can utilize a suite of stateless protocols (e.g., UDP, ICMP, GRE, IPIP and SIT) to easily craft evasive ICMP error messages, thus revitalizing ICMP redirect attacks to cause serious damage in the real world, particularly, on the wide-area network. First, we show that off-path attackers can conduct a stealthy DoS attack by tricking various public servers on the Internet into mis-redirecting their traffic into black holes with a single forged ICMP redirect message. For example, we reveal that more than 43K popular websites on the Internet are vulnerable to this DoS attack. In addition, we identify 54.47K open DNS resolvers and 186 Tor nodes on the Internet are vulnerable as well. Second, we show that, by leveraging ICMP redirect attacks against NATed networks, off-path attackers in the same NATed network can perform a man-in-the-middle (MITM) attack to intercept the victim traffic. Finally, we develop countermeasures to throttle these attacks.

Xuewei Feng,Qi Li,Kun Sun,Ke Xu,Jianping Wu

2024-11-19

Abstract:After more than 40 years of development, the fundamental TCP/IP protocol suite, serving as the backbone of the Internet, is widely recognized for having achieved an elevated level of robustness and security. Distinctively, we take a new perspective to investigate the security implications of cross-layer interactions within the TCP/IP protocol suite caused by ICMP error messages. Through a comprehensive analysis of interactions among Wi-Fi, IP, ICMP, UDP, and TCP due to ICMP errors, we uncover several significant vulnerabilities, including information leakage, desynchronization, semantic gaps, and identity spoofing. These vulnerabilities can be exploited by off-path attackers to manipulate network traffic stealthily, affecting over 20% of popular websites and more than 89% of public Wi-Fi networks, thus posing risks to the Internet. By responsibly disclosing these vulnerabilities to affected vendors and proposing effective countermeasures, we enhance the robustness of the TCP/IP protocol suite, receiving acknowledgments from well-known organizations such as the Linux community, the OpenWrt community, the FreeBSD community, Wi-Fi Alliance, Qualcomm, HUAWEI, China Telecom, Alibaba, and H3C.

Cryptography and Security

C. Sun,C. Hu,B. Liu

DOI: https://doi.org/10.1049/iet-ifs.2010.0158

2012-01-01

IET Information Security

Abstract:SYN flood attacks still dominate distributed denial of service attacks. It is a great challenge to accurately detect the SYN flood attacks which utilise skillful spoofs to evade traditional detection methods. An intelligent attacker would evade the public detection methods by suitably spoofing the attack to appear benign. Keeping per-flow or per-connection state could eliminate such a spoofing, but meanwhile, it is very difficult to be implemented in practice. A more accurate and fast SYN flood detection method, named SACK2, is proposed to deal with all kinds of SYN flood attacks with limited implementation costs. SACK2 exploits the behaviour of the SYN/ACK-CliACK pair to identify the victim server and the TCP port being attacked, where a SYN/ACK packet is sent by a server when receiving a connection request and a CliACK packet is the ACK packet sent by the client to complete the three-way handshake. It also utilises the space efficient data structure, counting Bloom filter, to recognise the CliACK packet. The memory cost of SACK2 for a 10 Gbps link is 364 KB and can be easily accommodated in modern routers. SACK2 can report the start of the attack in less than one detection period, and the end of the attack less than two detection periods. It is also demonstrated that SACK2 is the most accurate detection method through comprehensive experiments.

Nashat, D.,Xiaohong Jiang,Horiguchi, S.

DOI: https://doi.org/10.1109/HSPR.2008.4734440

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. The current detection schemes only work well for the detection of high-rate flooding sources. It is notable, however, that in the current DDoS attacks, the flooding rate is usually distributed among many low-rate flooding agents to make the detection more difficult. Therefore, a more sensitive and fast detection scheme is highly desirable for the efficient detection of these low-rate flooding sources. In this paper, we focus on the low-rate agent and propose a router-based detection scheme for it. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). To make our scheme more sensitive and generally applicable, the counting bloom filter is used to avoid the effect of SYN/ACK retransmission and the change point detection method is applied to avoid the dependence of detection on sites and access patterns. Extensive trace-driven simulation has been conducted to demonstrate the efficiency of the proposed scheme in terms of its detection probability and also average detection time.