Abstract
To combat blind in-window attacks against TCP, the changes proposed in RFC 5961 have been implemented in Linux since late 2012. While they eliminated the old vulnerabilities, the new TCP implementation was reported in August 2016 to have introduced a subtle yet serious security flaw. Assigned CVE-2016-5696, the flaw lies in the challenge ACK rate limiting feature: the rate-limit counter, shared across all connections, acts as a side channel that allows an off-path attacker to infer the presence or absence of a TCP connection between two arbitrary hosts, terminate such a connection, and even inject payload into an unencrypted TCP connection.
In this work, we perform a comprehensive measurement of the impact of the new vulnerability. This includes (1) tracking the vulnerable Internet servers, (2) monitoring patching behavior over time, and (3) characterizing the overall security status of TCP stacks at scale. Towards this goal, we design a scalable measurement methodology and use it to scan the Alexa top 1 million websites for almost 6 months. We also examine how vulnerability notifications affect patching behavior, and compare the result with the Heartbleed and Debian PRNG vulnerabilities. The measurement represents a valuable data point in understanding how Internet servers react to serious security flaws in the operating system kernel.
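The side channel the abstract describes, as an added example that is not part of the paper or of the Linux kernel: a small Python model of a server that hands out at most 100 challenge ACKs per second from one counter shared by every connection (the pre-fix Linux default net.ipv4.tcp_challenge_ack_limit), an off-path attacker that uses its own legitimate connection to read that counter, and the two kernel fixes named in the reference list (a randomized per-second limit and per-socket rate limiting). All addresses, ports and sequence numbers are constructed, the server keeps only the state the side channel needs, and the per-socket limit is simplified to one challenge ACK per socket per interval rather than the kernel's timer-based check.

```python
"""Toy model of the CVE-2016-5696 challenge-ACK side channel (added example).
Only the RFC 5961 / Linux behaviour the side channel needs is modelled; all
addresses, ports and sequence numbers are constructed."""
import random

LIMIT = 100  # pre-fix net.ipv4.tcp_challenge_ack_limit: ONE counter for all sockets


class Server:
    """A server-side TCP stack reduced to its challenge-ACK decisions."""
    def __init__(self, randomize=False, per_socket=False):
        self.conns = {}               # (client_ip, client_port, server_port) -> (rcv_nxt, win)
        self.randomize = randomize    # fix 1: per-second limit made unpredictable
        self.per_socket = per_socket  # fix 2: each socket is rate limited as well
        self.tick()

    def tick(self):
        """Start a new one-second interval, the counter's granularity."""
        self.sent, self.sock_sent = 0, set()
        # patched kernel: limit/2 + random(limit) per second instead of a constant
        self.budget = LIMIT // 2 + random.randrange(LIMIT) if self.randomize else LIMIT

    def establish(self, cip, cport, sport, rcv_nxt, win=65535):
        self.conns[(cip, cport, sport)] = (rcv_nxt, win)

    def _challenge_ack(self, key):
        """Apply the rate limits; True if a challenge ACK actually leaves."""
        if self.per_socket and key in self.sock_sent:
            return False  # simplified per-socket limit: one per socket per interval
        if self.sent >= self.budget:
            return False  # shared budget for this second is exhausted
        self.sent += 1
        self.sock_sent.add(key)
        return True

    def receive(self, src_ip, src_port, dst_port, flags, seq):
        """Process one segment; returns 'challenge', 'reset' or 'dropped'."""
        key = (src_ip, src_port, dst_port)
        if key not in self.conns:
            return "dropped"  # no such connection: never a challenge ACK
        rcv_nxt, win = self.conns[key]
        if "R" in flags and seq == rcv_nxt:
            del self.conns[key]  # exact match: the reset is accepted
            return "reset"
        # RFC 5961: a SYN, or an RST that is in-window but inexact, is challenged
        if "S" in flags or ("R" in flags and (seq - rcv_nxt) % 2**32 < win):
            return "challenge" if self._challenge_ack(key) else "dropped"
        return "dropped"


def count_challenge_acks(server, attacker):
    """Attacker's own connection: LIMIT in-window RSTs with a wrong seq, count replies."""
    aip, aport, sport, a_rcv_nxt = attacker
    return sum(server.receive(aip, aport, sport, "R", a_rcv_nxt + 1) == "challenge"
               for _ in range(LIMIT))


def spoofed_probe(server, attacker, client, flags, seq):
    """One segment spoofed in the client's name, then a count. A challenge ACK it
    provokes goes to the real client, but it still costs one unit of the shared
    budget. Returns 'reset' if a spoofed RST was accepted, True if a challenge ACK
    was consumed (the count came back below LIMIT), False otherwise."""
    server.tick()
    if server.receive(*client, flags, seq) == "reset":
        return "reset"
    return count_challenge_acks(server, attacker) < LIMIT


def connection_exists(server, attacker, client):
    """Step 1 of the attack: does client <-> server:port exist at all?"""
    return spoofed_probe(server, attacker, client, "S", 0) is True


def infer_rcv_nxt(server, attacker, client, win):
    """Step 2: probe every win-th seq until one lands in the window, then binary
    search back to the window's left edge, which is rcv_nxt. A probe that hits
    rcv_nxt exactly resets the connection; returns (rcv_nxt, reset_happened)."""
    hit = None
    for s in range(0, 2**32, win):
        r = spoofed_probe(server, attacker, client, "R", s)
        if r == "reset":
            return s, True
        if r:
            hit = s
            break
    if hit is None:
        return None, False  # run step 1 first: no connection to probe
    lo, hi = hit - win, hit  # invariant: lo is out-of-window, hi is in-window
    while hi - lo > 1:
        mid = (lo + hi) // 2
        r = spoofed_probe(server, attacker, client, "R", mid)
        if r == "reset":
            return mid, True
        lo, hi = (lo, mid) if r else (mid, hi)
    return hi % 2**32, False


if __name__ == "__main__":
    atk = ("198.51.100.7", 51000, 80, 5000)  # attacker's own connection to port 80
    victim = ("203.0.113.9", 40000, 80)      # client/server pair being probed
    srv = Server()
    srv.establish(*atk)
    print("before:", connection_exists(srv, atk, victim))        # False
    srv.establish(*victim, rcv_nxt=1_000_000)
    print("after:", connection_exists(srv, atk, victim))         # True
    print("rcv_nxt:", infer_rcv_nxt(srv, atk, victim, 65535))   # (1000000, True)
```

With the shared counter, one spoofed segment plus LIMIT legitimate probes per second is the entire attack: a count of 99 instead of 100 tells the attacker that the spoofed segment was challenged, and a sequence of such probes walks the window down to rcv_nxt. Against a server with per-socket limiting the attacker's own socket yields exactly one challenge ACK no matter what the spoofed segment did, and with a randomized limit the reference count of 100 is no longer known, which is why the two kernel patches in the reference list address both.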
- RFC 1948. 1996. Retrieved April 13, 2017 from https://tools.ietf.org/html/rfc1948
- Linux Blind TCP Spoofing Vulnerability. 1999. Retrieved April 13, 2017 from http://www.securityfocus.com/bid/580/info
- Blind TCP/IP Hijacking is Still Alive. 2007. Retrieved April 13, 2017 from http://phrack.org/issues/64/13.html
- RFC 5961. 2010. Retrieved April 13, 2017 from https://tools.ietf.org/html/rfc5961
- RFC 6056. 2011. Retrieved April 13, 2017 from https://tools.ietf.org/html/rfc6056
- The Heartbleed Bug. 2014. Retrieved April 13, 2017 from http://heartbleed.com/
- TCP protocol - Linux man page. 2015. Retrieved April 13, 2017 from http://man7.org/linux/man-pages/man7/tcp.7.html
- CVE-2016-5696 and its effects on Tor. 2016. Retrieved April 13, 2017 from https://blog.patternsinthevoid.net/cve-2016-5696-and-its-effects-on-tor.html
- Linux bug leaves USA Today, other top sites vulnerable to serious hijacking attacks. 2016. Retrieved April 13, 2017 from http://arstechnica.com/security/2016/08/linux-bug-leaves-usa-today-other-top-sites-vulnerable-to-serious-hijacking-attacks/
- [PATCH net] TCP: enable per-socket rate limiting of all 'challenge acks'. 2016. Retrieved April 13, 2017 from https://www.mail-archive.com/netdev@vger.kernel.org/msg119411.html
- [PATCH net] TCP: make challenge acks less predictable. 2016. Retrieved April 13, 2017 from https://www.mail-archive.com/netdev@vger.kernel.org/msg118677.html
- [PATCH v2 net] TCP: make challenge acks less predictable. 2016. Retrieved April 13, 2017 from https://www.mail-archive.com/netdev@vger.kernel.org/msg118918.html
- Amazon AWS IP Address Ranges. 2017. Retrieved April 13, 2017 from http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html
- AWS Managed Services. 2017. Retrieved April 13, 2017 from https://aws.amazon.com/cn/managed-services/
- Censys Scan Data Repository. 2017. Retrieved April 13, 2017 from https://censys.io/data
- Rackspace Managed Hosting Services. 2017. Retrieved April 13, 2017 from https://www.rackspace.com/en-us/managed-hosting
- Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, Srikanth V. Krishnamurthy, and Lisa M. Marvel. 2016. Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. In 25th USENIX Security Symposium (USENIX Security 16).
- Zakir Durumeric, James Kasten, David Adrian, J. Alex Halderman, Michael Bailey, Frank Li, Nicolas Weaver, Johanna Amann, Jethro Beekman, Mathias Payer, and Vern Paxson. 2014. The Matter of Heartbleed. In Proceedings of the 2014 Internet Measurement Conference (IMC '14).
- Zakir Durumeric, James Kasten, Michael Bailey, and J. Alex Halderman. 2013. Analysis of the HTTPS Certificate Ecosystem. In Proceedings of the 2013 Internet Measurement Conference (IMC '13).
- Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. 2013. ZMap: Fast Internet-wide Scanning and Its Security Applications. In 22nd USENIX Security Symposium (USENIX Security 13).
- Jake Edge. 2016. The TCP "challenge ACK" side channel. Retrieved April 13, 2017 from http://lwn.net/Articles/696868/
- Yossi Gilad and Amir Herzberg. 2012. Off-Path Attacking the Web. In USENIX WOOT.
- Yossi Gilad and Amir Herzberg. 2013. When Tolerance Causes Weakness: The Case of Injection-Friendly Browsers. In WWW.
- Yossi Gilad, Amir Herzberg, and Haya Shulman. 2014. Off-Path Hacking: The Illusion of Challenge-Response Authentication. IEEE Security & Privacy (2014).
- Akamai InfoSec. 2016. Vulnerability in the Linux kernel's TCP stack implementation. Retrieved April 13, 2017 from https://blogs.akamai.com/2016/08/vulnerability-in-the-linux-kernels-tcp-stack-implementation.html
- Frank Li, Zakir Durumeric, Jakub Czyz, Mohammad Karami, Michael Bailey, Damon McCoy, Stefan Savage, and Vern Paxson. 2016. You've Got Vulnerability: Exploring Effective Vulnerability Notifications. In 25th USENIX Security Symposium (USENIX Security 16).
- Matthew Luckie, Robert Beverly, Tiange Wu, Mark Allman, and kc claffy. 2015. Resilience of Deployed TCP to Blind Attacks. In Proceedings of the 2015 ACM Internet Measurement Conference (IMC '15).
- Robert Morris. 1985. A Weakness in the 4.2BSD Unix TCP/IP Software. Technical Report.
- Zhiyun Qian and Z. Morley Mao. 2012. Off-Path TCP Sequence Number Inference Attack: How Firewall Middleboxes Reduce Security. In IEEE Symposium on Security and Privacy.
- Zhiyun Qian, Z. Morley Mao, and Yinglian Xie. 2012. Collaborative TCP Sequence Number Inference Attack: How to Crack Sequence Number Under a Second. In CCS.
- Red Hat. 2016. Bug 1354708 - (CVE-2016-5696) kernel: challenge ACK counter information disclosure. Retrieved April 13, 2017 from https://bugzilla.redhat.com/show_bug.cgi?id=1354708
- Red Hat. 2016. CVE-2016-5696. Retrieved April 13, 2017 from https://access.redhat.com/security/cve/cve-2016-5696
- Zain Shamsi, Ankur Nandwani, Derek Leonard, and Dmitri Loguinov. 2014. Hershel: Single-packet OS Fingerprinting. In The 2014 ACM International Conference on Measurement and Modeling of Computer Systems (SIGMETRICS '14).
- Ben Stock, Giancarlo Pellegrino, Christian Rossow, Martin Johns, and Michael Backes. 2016. Hey, You Have a Problem: On the Feasibility of Large-Scale Web Vulnerability Notification. In 25th USENIX Security Symposium (USENIX Security 16).
- UCR Today. 2016. Study Highlights Serious Security Threat to Many Internet Users. Retrieved April 13, 2017 from https://ucrtoday.ucr.edu/39030
- Paul Watson. 2004. Slipping in the Window: TCP Reset Attacks. CanSecWest/core04 Conference (2004).
- Scott Yilek, Eric Rescorla, Hovav Shacham, Brandon Enright, and Stefan Savage. 2009. When Private Keys Are Public: Results from the 2008 Debian OpenSSL Vulnerability. In Proceedings of the 9th ACM SIGCOMM Internet Measurement Conference (IMC '09).
- Michal Zalewski. 2001. Strange Attractors and TCP/IP Sequence Number Analysis. Technical Report. http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
Investigation of the 2016 Linux TCP Stack Vulnerability at Scale. In SIGMETRICS '17 Abstracts: Proceedings of the 2017 ACM SIGMETRICS / International Conference on Measurement and Modeling of Computer Systems; also in Performance Evaluation Review.