
Off-Path TCP Injection Attacks

Published: 01 April 2014

Abstract

We present practical off-path TCP injection attacks for connections between current, nonbuggy browsers and Web servers. The attacks allow Web-cache poisoning with malicious objects such as spoofed Web pages and scripts; these objects can be cached for a long period of time, exposing any user of that cache to cross-site scripting, cross-site request forgery, and phishing attacks.

In contrast to previous TCP injection attacks, we do not require MitM capabilities or malware running on the client machine. Instead, our attacks rely on a weaker assumption: that the user only enters a malicious Web site, but does not download or install any application. Our attacks exploit subtle details of the TCP and HTTP specifications, and features of legitimate (and very common) browser implementations. An empirical evaluation of our techniques with current versions of browsers shows that connections with most popular Web sites are vulnerable.

We conclude this work with practical client- and server-end defenses against our attacks.



Published In

ACM Transactions on Information and System Security, Volume 16, Issue 4
April 2014
154 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/2617317
Editor: Gene Tsudik

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Received: 01 July 2013
Accepted: 01 November 2013
Published: 01 April 2014
Published in TISSEC Volume 16, Issue 4

Author Tags

1. Web and network security
2. browser security

Qualifiers

• Research-article
• Research
• Refereed
