
Exploiting Sequence Number Leakage: TCP Hijacking in NAT-Enabled Wi-Fi Networks (2404.04601v1)

Published 6 Apr 2024 in cs.CR

Abstract: In this paper, we uncover a new side-channel vulnerability in the widely used NAT port preservation strategy and in the insufficient reverse path validation of Wi-Fi routers, which allows an off-path attacker to infer whether a victim client in the same network is communicating with another host on the Internet over TCP. After detecting a TCP connection between the victim client and the server, the attacker can evict the original NAT mapping and reconstruct a new mapping at the router by sending fake TCP packets, because the routers disable TCP window tracking, a behaviour that has been faithfully implemented in most routers for years. In this way, the attacker can intercept TCP packets from the server and obtain the current sequence and acknowledgment numbers, which in turn allows the attacker to forcibly close the connection, poison plaintext traffic, or reroute the server's incoming packets to the attacker. We test 67 widely used routers from 30 vendors and find that 52 of them are affected by this attack. We also conduct an extensive measurement study on 93 real-world Wi-Fi networks; 75 of them (81%) are fully vulnerable to our attack. Our case study shows that it takes about 17.5, 19.4, and 54.5 seconds on average to terminate an SSH connection, download private files from FTP servers, and inject fake HTTP response packets, with success rates of 87.4%, 82.6%, and 76.1%, respectively. We responsibly disclose the vulnerability and suggest mitigation strategies to all affected vendors and have received positive feedback, including acknowledgments, CVEs, rewards, and adoption of our suggestions.
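As an added example (not code from the paper or its authors), the following POSIX shell audit checks the router-side settings that, on a Linux/Netfilter-based router, correspond most closely to the two behaviours the abstract names, reverse path validation and TCP window tracking, and shows the weak values beside the corrected ones. The mapping to `rp_filter`, `nf_conntrack_tcp_be_liberal` and `nf_conntrack_tcp_loose` is my assumption, the `sysctl -a` style sample is constructed, and the function names are hypothetical.

```shell
# Added example, not from the paper: audit sysctl output of a Linux/Netfilter router for the
# behaviours the abstract names. The knob mapping is an assumption, not the paper's text:
#   reverse path validation  -> net.ipv4.conf.all.rp_filter (1 = strict, per RFC 3704)
#   TCP window tracking off  -> net.netfilter.nf_conntrack_tcp_be_liberal (1 = out-of-window
#                                segments are accepted instead of being marked INVALID)
#   mid-stream pickup        -> net.netfilter.nf_conntrack_tcp_loose (1 = conntrack adopts a
#                                TCP flow whose handshake it never saw)

# audit_nat_sysctls: read "key = value" lines (sysctl -a format) from stdin, print one
# OK/WEAK verdict per known knob, and print the number of weak knobs as the final line.
audit_nat_sysctls() {
    weak=0
    while read -r key _eq val; do
        case "$key" in
            net.ipv4.conf.all.rp_filter)
                if [ "$val" = "1" ]; then echo "OK   $key=$val"
                else weak=$((weak + 1)); echo "WEAK $key=$val (want 1: strict reverse path check)"; fi ;;
            net.netfilter.nf_conntrack_tcp_be_liberal)
                if [ "$val" = "0" ]; then echo "OK   $key=$val"
                else weak=$((weak + 1)); echo "WEAK $key=$val (want 0: keep TCP window tracking)"; fi ;;
            net.netfilter.nf_conntrack_tcp_loose)
                if [ "$val" = "0" ]; then echo "OK   $key=$val"
                else weak=$((weak + 1)); echo "WEAK $key=$val (want 0: no mid-stream pickup)"; fi ;;
        esac
    done
    echo "$weak"
}

# weak_count: only the number of weak knobs, for use from other scripts.
weak_count() { audit_nat_sysctls | tail -n 1; }

# Constructed sample of a permissive router (not captured from any real device).
WEAK_SAMPLE='net.ipv4.conf.all.rp_filter = 0
net.netfilter.nf_conntrack_tcp_be_liberal = 1
net.netfilter.nf_conntrack_tcp_loose = 1
net.netfilter.nf_conntrack_max = 16384'

# The same knobs with corrected values; this is also the /etc/sysctl.d fragment to install.
HARDENED_SAMPLE='net.ipv4.conf.all.rp_filter = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_loose = 0'

printf '%s\n' "$WEAK_SAMPLE" | audit_nat_sysctls       # three WEAK lines, then "3"
printf '%s\n' "$HARDENED_SAMPLE" | audit_nat_sysctls   # three OK lines, then "0"
```

On a live router, pipe `sysctl -a 2>/dev/null | audit_nat_sysctls` instead of the constructed sample; a non-zero final line means at least one of the assumed knobs is in its permissive state.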

Authors (6)
  1. Yuxiang Yang
  2. Xuewei Feng
  3. Qi Li
  4. Kun Sun
  5. Ziqiang Wang
  6. Ke Xu