research-article

Investigation of the 2016 Linux TCP Stack Vulnerability at Scale

Published: 13 June 2017

Abstract

To combat blind in-window attacks against TCP, changes proposed in RFC 5961 have been implemented by Linux since late 2012. While successfully eliminating the old vulnerabilities, the new TCP implementation was reported in August 2016 to have introduced a subtle yet serious security flaw. Assigned CVE-2016-5696, the flaw involves the challenge ACK rate limiting feature, which could allow an off-path attacker to infer the presence or absence of a TCP connection between two arbitrary hosts, terminate such a connection, and even inject payload into an unsecured TCP connection.

In this work, we perform a comprehensive measurement of the impact of the new vulnerability. This includes (1) tracking the vulnerable Internet servers, (2) monitoring the patch behavior over time, and (3) picturing the overall security status of TCP stacks at scale. Towards this goal, we design a scalable measurement methodology to scan the Alexa top 1 million websites for almost 6 months. We also present how notifications impact the patching behavior, and compare the result with those for the Heartbleed and Debian PRNG vulnerabilities. The measurement represents a valuable data point in understanding how Internet servers react to serious security flaws in the operating system kernel.


Published in

Proceedings of the ACM on Measurement and Analysis of Computing Systems, Volume 1, Issue 1
June 2017
712 pages
EISSN: 2476-1249
DOI: 10.1145/3107080

Copyright © 2017 ACM

Publisher: Association for Computing Machinery, New York, NY, United States
