Off-Path TCP Exploits : Global Rate Limit Considered Dangerous

Transcription

1 Off-Path TCP Exploits : Global Rate Limit Considered Dangerous Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, and Srikanth V. Krishnamurthy, University of California, Riverside; Lisa M. Marvel, United States Army Research Laboratory. 25th USENIX Security Symposium, (August, 2016) 1

2 Threat Model Pure blind off-path TCP attack No MITM needed Without running any malicious code on client or server 2

3 Outline Background Knowledge TCP connection (pre-rfc 5961) Blind in-window attacks & RFC 5961 Problems in RFC 5961 Attack Method Main idea Connection Reset Attack Connection Hijacking Attack Evaluation Defense Related Works & Conclusion 3

4 Outline Background Knowledge TCP connection (pre-rfc 5961) Blind in-window attacks & RFC 5961 Problems in RFC 5961 Attack Method Main idea Connection Reset Attack Connection Hijacking Attack Evaluation Defense Related Works & Conclusion 4

5 Transmission Control Protocol A B SYN Seq=30 ACK Seq=31 ack=92 Seq=31, ack=100 Seq=31, ack=108 SYN/ACK Seq=91 ack=31 Seq=92, 8 bytes data Seq=100, 8 bytes data 5

6 Sequence Number 4G 0 RCV.WND RCV.NXT RCV.NXT + RCV.WND 6

7 Outline Background Knowledge TCP connection (pre-rfc 5961) Blind in-window attacks & RFC 5961 Problems in RFC 5961 Attack Method Main idea Connection Reset Attack Connection Hijacking Attack Evaluation Defense Related Works & Conclusion 7

8 Blind in-window attacks Connection termination Data Injection Success requirements <src IP, src port, dst IP, dst port> Proper Sequence Number 8

9 Blind in-window attacks B A Seq=92, 8B data Seq=100, 8B data Seq=31, ack=100 Seq=31, ack=108 SYN (A s IP Address) 9

10

11 A RFC-5961 (SYN) B Challenge ACK : <SEQ=SND.NXT><ACK=RCV.NXT> <CTL=ACK> SYN (A s IP) Seq # before RFC 5961 In window Out of window Reset ACK back Challenge ACK Challenge ACK 11

12 A RFC-5961 (SYN) B Challenge ACK : <SEQ=SND.NXT><ACK=RCV.NXT> <CTL=ACK> RST Good Seq # SYN (A s IP) Seq # before RFC 5961 In window Out of window Reset ACK back Challenge ACK Challenge ACK 12

13 A RFC-5961 (SYN) B Challenge ACK : <SEQ=SND.NXT><ACK=RCV.NXT> <CTL=ACK> Seq=30 8B data Duplicated ACK Ack=38 Ack=38 SYN (A s IP) Seq # before RFC 5961 In window Out of window Reset ACK back Challenge ACK Challenge ACK 13

14 Blind in-window attacks A B Seq=92, 8B data Seq=31, ack=100 SYN RST (A s IP Address) 14

15 A RFC-5961 (RST) B Challenge ACK : <SEQ=SND.NXT><ACK=RCV.NXT> <CTL=ACK> RST (A s IP) Seq # before RFC 5961 Match Reset Reset In window Out of window Drop Challenge ACK Drop 15

16 A RFC-5961 (RST) B Challenge ACK : <SEQ=SND.NXT><ACK=RCV.NXT> <CTL=ACK> Seq # before RFC 5961 Match Reset RST (A s IP) RST Good Seq # In window Out of window Reset Drop Challenge ACK Drop 16

17 A RFC-5961 (RST) B Challenge ACK : <SEQ=SND.NXT><ACK=RCV.NXT> <CTL=ACK> RST (A s IP) Seq # before RFC 5961 Match Reset Duplicated ACK In window Reset Challenge ACK Out of window Drop Drop 17

18 Blind in-window attacks A B Seq=92, 8B data Seq=31, ack=100 Data (A s IP Address) Seq number : in-window? ACK number? 18

19 Before SND.UNA 2G Accepted(O) X SND.UNA SND.NXT RFC 5961 SND.UNA 2G SND.UNA SND.MAX.WIN Challenged ACK (X) Accepted SND.UNA (O) X SND.NXT 19

20 Outline Background Knowledge TCP connection (pre-rfc 5961) Blind in-window attacks & RFC 5961 Problems in RFC 5961 Attack Method Main idea Connection Reset Attack Connection Hijacking Attack Evaluation Defense Related Works & Conclusion 20

21 ACK Throttling 21

22 ACK Throttling In order to reduce the number of challenge ACK packets that waste CPU and bandwidth resources Linux kernel has faithfully implemented this feature storing the counter in a global variable : sysctl_tcp_challenge_ack_limit control the maximum number of challenge ACKs generated per second 22

23 sysctl_tcp_challenge_ack_limit set to 100 by default shared by all TCP connections Attackers can get some information here! 23

24 Outline Background Knowledge TCP connection (pre-rfc 5961) Blind in-window attacks & RFC 5961 Problems in RFC 5961 Attack Method Main idea Connection Reset Attack Connection Hijacking Attack Evaluation Defense Related Works & Conclusion 24

25 RFC 5961 The acceptable SYN Packet needs : <src IP, src port, dst IP, dst port> In-window sequence number The acceptable RST Packet needs : <src IP, src port, dst IP, dst port> Correct sequence number The acceptable Data Packet needs : <src IP, src port, dst IP, dst port> In-window sequence number Acceptable ACK number 25

26 A RFC-5961 (SYN) B Challenge ACK : <SEQ=SND.NXT><ACK=RCV.NXT> <CTL=ACK> Seq=30 8B data Ack=38 Ack=38 SYN (A s IP) Seq # before RFC 5961 In window Out of window Reset ACK back Challenge ACK Challenge ACK 26

27 Assume No Packet Loss First 27

28 src port Remain 100 SYN or SYN/ACK (client s IP) Remain 99 RST*100 Remain 0 Challenge ACK*99 28

29 src port Remain 100 RST Remain 100 SYN or SYN/ACK (client s IP) RST*100 Remain 0 Challenge ACK*100 29

30 Outline Background Knowledge TCP connection (pre-rfc 5961) Blind in-window attacks & RFC 5961 Problems in RFC 5961 Attack Method Main idea Connection Reset Attack Connection Hijacking Attack Evaluation Defense Related Works & Conclusion 30

31 Connection Reset Attack Send spoofed RST arrives with a matching sequence number of RCV.NXT. Problems : Time Synchronization Four-tuple Sequence Number 31

32 Time Problem SYN or SYN/ACK (client s IP) 1s RST*100 Challenge ACK*99 32

33 Time Problem 1s SYN or SYN/ACK (client s IP) RST*100 Challenge ACK*100 33

34 Synchronization - 1 1s RST*200 Challenge ACK = n1 Spread 200 RST packet in 1-second interval due to bandwidth limit. => 1 pkt every 5ms If(n1 == 100) synchronized! If(n1 > 100) next round! 34

35 Synchronization - 2 1s RST*200 Delay 5 ms to send those 200 RST packet => Delay 1 packet Challenge ACK = n2 If(n2 == 100) synchronized! If(n2 > 100) next round! 35

36 Synchronization 3 : Compare Assume x RST packets arrive in the first 1-second interval on the server, and y packets arrive in the second interval in step 1 n1 = min(x,100)+min(y,100) Assume (x-1) RST packets arrive in the first 1- second interval on the server, and (y+1) packets arrive in the second interval in step 2 n2 = min(x 1,100)+min(y+1,100) 36

37 Synchronization 3 : Compare Assume n1 > n2 X Y 100 X-1 Y+1 Delay = (n2 100) (sec) 37

38 Synchronization 3 : Compare Assume n2 > n1 X 100 X-1 Y+1 Y n2 = y + 1 = x + 1 x 1 = 300 n2 Delay = (300 n2) (sec) 38

39 Four-tuple src port number 39

40 A RFC-5961 (SYN) B Challenge ACK : <SEQ=SND.NXT><ACK=RCV.NXT> <CTL=ACK> Seq=30 8B data Ack=38 Ack=38 SYN (A s IP) Seq # before RFC 5961 In window Out of window Reset ACK back Challenge ACK Challenge ACK 40

41 Binary search for port number The maximum possible port range is 2 16 = Binary search Test the port from to in first round If the port number doesn't fall in this range, then it must fall in the another range The attacker can narrow down the space by half each time 41

42 42

43 43

44 Search for port number The maximum number of packets that can be sent in 1 second may be limited (1-1000?) In this case, the attacker can do is to simply try as many port numbers as possible in each round 44

45 Search for seq number 45

46 A RFC-5961 (RST) B Challenge ACK : <SEQ=SND.NXT><ACK=RCV.NXT> <CTL=ACK> RST (A s IP) Seq # before RFC 5961 Match Reset In window Out of window Reset Drop Challenge ACK Drop 46

47 Search for seq number The attacker simply attempts to establish a nonspoofed TCP connection with the server to get the the initial window size on server Divide the sequence number space into blocks whose sizes are equal to the receive window size 0 4G Block =Window size 47

48 1.Search for Block Size RST Seq 0 RST Seq=2WIN if(received Challenge ACK = 100) not in this chunk if(received Challenge ACK = 99) in this chunk if(received Challenge ACK < 99) blocksize = blocksize *2 0 4G Chunk 48

49 Search for Block Size 49

50 Search for seq number RST RST RST Chunk 50

51 Mulit-bin Search for seq number if(received Challenge ACK = 99) block 0 if(received Challenge ACK = 98) block 1 if(received Challenge ACK = 97) block 2 etc RST 2*RST 3*RST 4*RST Chunk 51

52 Search for RCV.NXT Any spoofed RST packet with a sequence number less than RCV.NXT will not trigger a challenge ACK packet. Block = Window size 52

53 Mulit-bin Search for RCV.NXT if(received Challenge ACK = 100) block 0 if(received Challenge ACK = 99) block 1 if(received Challenge ACK = 98) block 2 Etc RST RST RST RST Block 53

54 Outline Background Knowledge TCP connection (pre-rfc 5961) Blind in-window attacks & RFC 5961 Problems in RFC 5961 Attack Method Main idea Connection Reset Attack Connection Hijacking Attack Evaluation Defense Related Works & Conclusion 54

55 Connection Hijacking Attack inject spoofed data! Problems : Time Synchronization Four-tuple Sequence Number Preventing connection reset ACK number 55

56 56

57 Before SND.UNA 2G Accepted(O) X SND.UNA SND.NXT RFC 5961 SND.UNA 2G SND.UNA SND.MAX.WIN Challenged ACK (X) Accepted SND.UNA (O) X SND.NXT 57

58 ACK number According to RFC 1323, MAX.SND.WND can be extended from 2 16 to a maximum of 1G the challenge ACK window size is between 1G and 2G 58

59 Before SND.UNA 2G Accepted(O) X SND.UNA SND.NXT RFC 5961 SND.UNA 2G SND.UNA SND.MAX.WIN Challenged ACK (X) Accepted SND.UNA (O) X SND.NXT 59

60 ACK number The Attacker can send 1 packet at ACK number 0, 2 packets at 1G, 4 packets at 2G, 8 packets at 3G. ACK ACK*8 ACK*2 ACK*4 60

61 ACK number Once we got the information about challenge ACK window in the previous step, we can now use the search method to find SND.UNA (2 31 1). When SND.UNA (2 31 1) is found, an acceptable ACK value (SND.UNA) can be computed. SND.UNA 2G Accepted (O) SND.UNA 61

62 Preventing connection reset Assuming an in-window sequence number is already inferred Spoofed data packets with ACK numbers that fall in the challenge ACK window and thus, intentionally trigger challenge ACKs If the guessed sequence number is before RCV.NXT, no challenge ACK will be triggered 62

63 Packet Loss Every time when a plausible chunk is detected, we repeat the probe on the same chunk Instead of sending 1, 2, or 3 packets, sending 1, 3, and 5 packets for each block. If an even number of challenge ACKs is received, packet loss must have happened 63

64 Moving window once a left-most in-window seq number is inferred, send 20,000 RST packets with sequence numbers, with offset 1, 2,..., 20,000 to the valid sequence number 64

65 Configurable maximum challenge ACK count Establishing a legitimate connection The attacker can send many RST packets which is much larger than 100, with in-window sequence values to trigger as many challenge ACKs as possible. 65

66 Outline Background Knowledge TCP connection (pre-rfc 5961) Blind in-window attacks & RFC 5961 Problems in RFC 5961 Attack Method Main idea Connection Reset Attack Connection Hijacking Attack Evaluation Defense Related Works & Conclusion 66

67 SSH Connection Reset Victim SSH Server : Amazon EC2 (worldwide) Victim Client : Ubuntu (University of California - Riverside ) Attacker : Ubuntu host in lab 67

68 SSH Connection Reset 68

69 SSH Connection Reset 69

70 SSH Connection Reset 70

71 Tor Connection Reset Tor Relay : Ubuntu (University of California - Riverside ) Running for several months Having a user using it Attacker : Ubuntu host (in lab) (in lab) (out) 71

72 Tor Connection Reset Test between our own Tor relay and 40 other Tor relays 16 of them do not appear vulnerable to the side channel attacks For the remaining 24 hosts, Average success rate is 88.8% Average time is 51.1s. 72

73 Moving Window 73

74 TCP Hijacking Case Study : long-lived TCP connection Periodically retrieves news updates every 30 seconds. Attacker machine : Ubuntu (in lab) victim client : Ubuntu (in lab) 74

75 TCP Hijacking Case Study 75

76 Outline Background Knowledge TCP connection (pre-rfc 5961) Blind in-window attacks & RFC 5961 Problems in RFC 5961 Attack Method Main idea Connection Reset Attack Connection Hijacking Attack Evaluation Defense Related Works & Conclusion 76

77 Defense Windows, Mac OS X and FreeBSD do not implemented all three conditions that trigger challenge ACKs according to RFC Each connection has a completely separate counter Use random values for each ACK throttling interval 77

78 Outline Background Knowledge TCP connection (pre-rfc 5961) Blind in-window attacks & RFC 5961 Problems in RFC 5961 Attack Method Main idea Connection Reset Attack Connection Hijacking Attack Evaluation Defense Related Works & Conclusion 78

79 Related Works Off-path TCP sequence number inference relies on executing malicious code on the client side [22] [23] [14] [16] [17] [1] Other types of information can be inferred by an TCP sequence number [12] [21] [11] [29] [5] [15]. 79

80 Conclusions we have discovered a subtle yet critical flaw in the design and implementation of TCP. The flaw manifests as a side channel that affects all Linux kernel versions 3.6 and beyond and may possibly be replicated in other operating systems if left unnoticed. 80

81 Questions? 81