research-article

Off-Path TCP Injection Attacks

Authors:

Yossi Gilad and

Amir HerzbergAuthors Info & Claims

ACM Transactions on Information and System Security (TISSEC), Volume 16, Issue 4

Article No.: 13, Pages 1 - 32

https://doi.org/10.1145/2597173

Published: 01 April 2014 Publication History

Abstract

We present practical off-path TCP injection attacks for connections between current, nonbuggy browsers and Web servers. The attacks allow Web-cache poisoning with malicious objects such as spoofed Web pages and scripts; these objects can be cached for a long period of time, exposing any user of that cache to cross-site scripting, cross-site request forgery, and phishing attacks.

In contrast to previous TCP injection attacks, we do not require MitM capabilities or malware running on the client machine. Instead, our attacks rely on a weaker assumption, that the user only enters a malicious Web site, but does not download or install any application. Our attacks exploit subtle details of the TCP and HTTP specifications, and features of legitimate (and very common) browser implementations. An empirical evaluation of our techniques with current versions of browsers shows that connections with most popular Web sites are vulnerable.

We conclude this work with practical client- and server-end defenses against our attacks.

References

[1]

Advanced Network Architecture Group. 2013. Spoofer project. http://spoofer.csail.mit.edu/summary.php.

[2]

Alexa Web Information Company. 2013. Top sites. http://www.alexa.com/topsites.

[3]

Antonatos, S., Akritidis, P., Lam, V. T., and Anagnostakis, K. G. 2008. Puppetnets: Misusing web browsers as a distributed attack infrastructure. ACM Trans. Inf. Syst. Secur. 12, 2, 12:1--12:15.

Digital Library

[4]

Baker, F. and Savola, P. 2004. Ingress Filtering for Multihomed Networks. RFC 3704 (Best Current Practice).

Digital Library

[5]

Barth, A. 2011. The Web Origin Concept. RFC 6454 (Proposed Standard).

[6]

Barth, A., Jackson, C., and Mitchell, J. C. 2008. Robust defenses for cross-site request forgery. In Proceedings of the ACM Conference on Computer and Communications Security. P. Ning, P. F. Syverson, and S. Jha Eds., ACM Press, New York, 75--88.

Digital Library

[7]

Bellovin, S. M. 1989. Security problems in the tcp/ip protocol suite. Comput. Comm. Rev. 19, 2, 32--48.

Digital Library

[8]

Bellovin, S. M. 2004. A look back at “security problems in the tcp/ip protocol suite”. In Proceedings of the 20th Annual Computer Security Applications Conference (ACSAC’04). IEEE Computer Society, 229--249.

Digital Library

[9]

Bernstein, D. J. 1996. SYN cookies. http://cr.yp.to/syncookies.html.

[10]

Beverly, R., Berger, A., Hyun, Y., and Claffy, K. C. 2009. Understanding the efficacy of deployed internet source address validation filtering. In Proceedings of the Internet Measurement Conference. A. Feldmann and L. Mathy Eds., ACM Press, New York, 356--369.

Digital Library

[11]

Browserscope. 2012. Browser comparison. http://www.browserscope.org.

[12]

Eddy, W. 2007. TCP syn flooding attacks and common mitigations. RFC 4987 (Informational).

[13]

Ehrenkranz, T. and Li, J. 2009. On the state of ip spoofing defense. ACM Trans. Internet Technol. 9, 2, 6:1--6:29.

Digital Library

[14]

Ferguson, P. and Senie, D. 2000. Network ingress filtering: Defeating denial of service attacks which employ ip source address spoofing. RFC 2827 (Best Current Practice). Updated by RFC 3704.

Digital Library

[15]

Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and Berners-Lee, T. 1999. Hypertext transfer protocol -- Http/1.1. RFC 2616 (Draft Standard).

Digital Library

[16]

Gilad, Y. and Herzberg, A. 2012. Off-path attacking the web. In Proceedings of the USENIX Workshop on Offensive Technologies. USENIX Association, Berkeley, CA, 41--52.

Digital Library

[17]

Gilad, Y. and Herzberg, A. 2013a. Puppet code (java script). http://u.cs.biu.ac.il/_herzbea/security/code/puppet-example.js.

[18]

Gilad, Y. and Herzberg, A. 2013b. When tolerance becomes weakness: The case of injection-friendly browsers. In Proceedings of the International World Wide Web Conference.

Digital Library

[19]

Gilad, Y., Herzberg, A., and Shulman, H. 2014. Off-path hacking: The illusion of challenge-response authentication. IEEE Secur. Privacy Mag. PP, 99.

[20]

Gont, F. and Bellovin, S. 2012. Defending against sequence number attacks. RFC 6528 (Proposed Standard).

[21]

Herzberg, A. and Jbara, A. 2008. Security and identification indicators for browsers against spoofing and phishing attacks. ACM Trans. Internet Technol. 8, 4, 16:1--16:36.

Digital Library

[22]

Herzberg, A. and Shulman, H. 2012. Security of patched dns. In ESORICS, S. Foresti, M. Yung, and F. Martinelli Eds., Lecture Notes in Computer Science, vol. 7459, Springer, 271--288.

[23]

Jim, T., Swamy, N., and Hicks, M. 2007. Defeating script injection attacks with browser-enforced embedded policies. In Proceedings of the International Conference on World Wide Web. C. L. Williamson, M. E. Zurko, P. F. Patel-Schneider, and P. J. Shenoy Eds., ACM Press, New York, 601--610.

Digital Library

[24]

Joncheray, L. 1995. A simple active attack against tcp. In Proceedings of the 5th Symposium on UNIX Security. USENIX Association, Berkeley, CA, 7--20.

Digital Library

[25]

Kaminsky, D. 2011. Black ops of tcp/ip. In Black Hat Conference.

[26]

Killalea, T. 2000. Recommended internet service provider security services and procedures. RFC 3013 (Best Current Practice).

Digital Library

[27]

Klein, A. 2004. Divide and conquer. HTTP response splitting, web cache poisoning attacks and related topics. Sanctum white paper.

[28]

Klein, A. 2005. DOM based cross site scripting or xss of the third kind. Tech. rep., Web Application Security Consortium: Articles.

[29]

Klein, A. 2011. Web cache poisoning attacks. In Encyclopedia of Cryptography and Security 2nd Ed. Springer, 1373--1373.

[30]

KLM. 2007. Remote blind tcp/ip spoofing. Phrack Mag.

[31]

Larsen, M. and Gont, F. 2011. Recommendations for transport-protocol port randomization. RFC 6056 (Best Current Practice). http://tools.ietf.org/html/rfc6056.

[32]

Lemon, J. 2002. Resisting syn flood dos attacks with a syn cache. In Proceedings of the Conference on File and Storage Technologies (BSDCon’02). S. J. Leffler Ed., USENIX Association, Berkeley, CA, 89--97.

Digital Library

[33]

Marlinspike, M. 2009. New tricks for defeating ssl in practice. https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf.

[34]

Morris, R. T. 1985. A weakness in the 4.2bsd unix tcp/ip software. Tech. rep., AT&T Bell Laboratories.

[35]

The Open Web Application Security Project. 2009. Cache poisoning. https://www.owasp.org/index.php/CachePoisoning.

[36]

The Open Web Application Security Project. 2010. Cross-site request forgery. https://www.owasp.org/index.php/Cross-Site.

[37]

Petefish, P., Sheridan, E., and Wichers, D. 2011. Cross-site request forgery (csrf) prevention cheat sheet. https://www.owasp.org/index.php/Cross-Site.

[38]

Postel, J. 1981. Transmission control protocol. RFC 793 (Internet Standard). Updated by RFCs 1122, 3168, 6093, 6528. http://www.ietf.org/rfc/rfc793.txt.

[39]

Qian, Z. and Mao, Z. M. 2012. Off-path tcp sequence number inference attack. In Proceedings of the IEEE Symposium on Security and Privacy. 347--361.

Digital Library

[40]

Qian, Z., Mao, Z. M., and Xie, Y. 2012. Collaborative tcp sequence number inference attack: How to crack sequence number under a second. In Proceedings of the ACM Conference on Computer and Communications Security. ACM Press, New York, 593--604.

Digital Library

[41]

Ruderman, J. 2001. Same origin policy for javascript. https://developer.mozilla.org/En/Same.

[42]

Sanfilippo, S. 1998. A new tcp scan method. http://seclists.org/bugtraq/1998/Dec/79.

[43]

Shimomura, T. and Markoff, J. 1995. Takedown: The Pursuit and Capture of Kevin Mitnick, America’s Most Wanted Computer Outlaws - by the Man Who Did It 1st Ed. Hyperion Press.

Digital Library

[44]

Stamm, S., Sterne, B., and Markham, G. 2010. Reining in the web with content security policy. In Proceedings of the International Conference on World Wide Web. M. Rappa, P. Jones, J. Freire, and S. Chakrabarti Eds., ACM Press, New York, 921--930.

Digital Library

[45]

Touch, J. 2007. Defending tcp against spoofing attacks. RFC 4953. http://tools.ietf.org/html/rfc4953.

[46]

Watson, P. 2004. Slipping in the window: TCP reset attacks. http://bandwidthco.com/whitepapers/netforensics/tcpip/TCP&percnt;20Reset&percnt;20Attacks.pdf.

[47]

Zalewski, M. 2001. Strange attractors and tcp/ip sequence number analysis. http://lcamtuf.coredump.cx/newtcp/.

[48]

Zalewski, M. 2011. The Tangled Web: A Guide to Securing Modern Web Applications 1st Ed. No Starch Press, San Francisco, CA.

Digital Library

Cited By

Fan WWu SChen H(2024)An SDN-Enabled Elliptic-Curve Diffie-Hellman Key Exchange Towards Secure P2P Networking2024 International Conference on Computing, Networking and Communications (ICNC)10.1109/ICNC59896.2024.10556089(677-683)Online publication date: 19-Feb-2024
https://doi.org/10.1109/ICNC59896.2024.10556089
Li SShi SXiao YZhang CHou YLou W(2023)Bijack: Breaking Bitcoin Network with TCP VulnerabilitiesComputer Security – ESORICS 202310.1007/978-3-031-51479-1_16(306-326)Online publication date: 25-Sep-2023
https://dl.acm.org/doi/10.1007/978-3-031-51479-1_16
Seo MKim JMarin EYou MPark TLee SShin SKim J(2022)Heimdallr: Fingerprinting SD-WAN Control-Plane Architecture via Encrypted Control TrafficProceedings of the 38th Annual Computer Security Applications Conference10.1145/3564625.3564642(949-963)Online publication date: 5-Dec-2022
https://dl.acm.org/doi/10.1145/3564625.3564642
Show More Cited By

Index Terms

Off-Path TCP Injection Attacks
1. Networks
  1. Network protocols

Recommendations

When tolerance causes weakness: the case of injection-friendly browsers
WWW '13: Proceedings of the 22nd international conference on World Wide Web

We present a practical off-path TCP-injection attack for connections between current, non-buggy browsers and web-servers. The attack allows web-cache poisoning with malicious objects; these objects can be cached for long time period, exposing any user ...
Read More
Defeating Cross-Site Request Forgery Attacks with Browser-Enforced Authenticity Protection
Financial Cryptography and Data Security

A cross site request forgery (CSRF) attack occurs when a user's web browser is instructed by a malicious webpage to send a request to a vulnerable web site, resulting in the vulnerable web site performing actions not intended by the user. CSRF ...
Read More
Scriptless attacks: Stealing more pie without touching the sill
Web Application Security Web @ 25

Due to their high practical impact, Cross-Site Scripting (XSS) attacks have attracted a lot of attention from the members of security community worldwide. In the same way, a plethora of more or less effective defense techniques have been proposed, ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Transactions on Information and System Security

ACM Transactions on Information and System Security Volume 16, Issue 4

April 2014

154 pages

ISSN:1094-9224

EISSN:1557-7406

DOI:10.1145/2617317

Editor:
Gene Tsudik
University of California at Irvine, USA

Issue’s Table of Contents

Copyright © 2014 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 April 2014

Accepted: 01 November 2013

Received: 01 July 2013

Published in TISSEC Volume 16, Issue 4

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

Israel Science Foundation
Check Point Institute for Information Security
Ministry of Science and Technology, Israel

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

19
Total Citations
View Citations
968
Total Downloads

Downloads (Last 12 months)42
Downloads (Last 6 weeks)2

Other Metrics

View Author Metrics

Citations

Cited By

Fan WWu SChen H(2024)An SDN-Enabled Elliptic-Curve Diffie-Hellman Key Exchange Towards Secure P2P Networking2024 International Conference on Computing, Networking and Communications (ICNC)10.1109/ICNC59896.2024.10556089(677-683)Online publication date: 19-Feb-2024
https://doi.org/10.1109/ICNC59896.2024.10556089
Li SShi SXiao YZhang CHou YLou W(2023)Bijack: Breaking Bitcoin Network with TCP VulnerabilitiesComputer Security – ESORICS 202310.1007/978-3-031-51479-1_16(306-326)Online publication date: 25-Sep-2023
https://dl.acm.org/doi/10.1007/978-3-031-51479-1_16
Seo MKim JMarin EYou MPark TLee SShin SKim J(2022)Heimdallr: Fingerprinting SD-WAN Control-Plane Architecture via Encrypted Control TrafficProceedings of the 38th Annual Computer Security Applications Conference10.1145/3564625.3564642(949-963)Online publication date: 5-Dec-2022
https://dl.acm.org/doi/10.1145/3564625.3564642
Feng XLi QSun KFu CXu K(2022)Off-Path TCP Hijacking Attacks via the Side Channel of Downgraded IPIDIEEE/ACM Transactions on Networking10.1109/TNET.2021.311551730:1(409-422)Online publication date: Feb-2022
https://doi.org/10.1109/TNET.2021.3115517
Fan WChang SZhou XXu S(2021)ConMan: A Connection Manipulation-based Attack Against Bitcoin Networking2021 IEEE Conference on Communications and Network Security (CNS)10.1109/CNS53000.2021.9705018(101-109)Online publication date: 4-Oct-2021
https://doi.org/10.1109/CNS53000.2021.9705018
Hou FYu XQiu KLiu JShi ZLi Y(2021)Research on Off-Path Exploits of Network ProtocolsData Mining and Big Data10.1007/978-981-16-7476-1_7(73-80)Online publication date: 31-Oct-2021
https://doi.org/10.1007/978-981-16-7476-1_7
Feng XFu CLi QSun KXu KLigatti JOu XKatz JVigna G(2020)Off-Path TCP Exploits of the Mixed IPID AssignmentProceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security10.1145/3372297.3417884(1323-1335)Online publication date: 30-Oct-2020
https://dl.acm.org/doi/10.1145/3372297.3417884
Jeitner PShulman HWaidner M(2020)The Impact of DNS Insecurity on Time2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)10.1109/DSN48063.2020.00043(266-277)Online publication date: Jun-2020
https://doi.org/10.1109/DSN48063.2020.00043
Alexander GEspinoza ACrandall J(2019)Detecting TCP/IP Connections via IPID Hash CollisionsProceedings on Privacy Enhancing Technologies10.2478/popets-2019-00712019:4(311-328)Online publication date: 30-Jul-2019
https://doi.org/10.2478/popets-2019-0071
Selvarathinam NDhar ABiswas S(2019)Evil Twin Attack Detection using Discrete Event Systems in IEEE 802.11 Wi-Fi Networks2019 27th Mediterranean Conference on Control and Automation (MED)10.1109/MED.2019.8798568(316-321)Online publication date: Jul-2019
https://doi.org/10.1109/MED.2019.8798568
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Issue’s Table of Contents