Special Topic: TCP Session Hijacking

Transcription

1 Special Topic: TCP Session Hijacking Prof. Yinqian Zhang The Ohio State University Copyright Prof. Zhiyun Qian, UC Riverside

2 2 Outline TCP Attacks Off-path TCP sequence number prediction Off-path TCP sequence number inference Firewall-middlebox-enabled attacks Host-based attacks

3 3 Common Threat Models in Networks (targeting confidentiality and integrity) Eavesdropper Read (and at most Insert) Man-in-the-middle (MITM) On the communication path (compromised router) Arbitrary Read/Write capability (modify, drop, etc.) Off-Path attacker (no read capability)

4 4 Eavesdropper Capability: Read + Insert Examples Open wifi networks, e.g., Coffee shop Walkie-talkie Ethernet hub network

5 5 MITM Capability: Read + Write (Drop, Modify, Insert) Examples Compromising a router Route Hijacking IP redirection (e.g., DNS poisoning)

6 6 Attacks against Applications over TCP Assuming read + write (e.g., insert) capability HTTP Phishing, cookie stealing (impersonation) Telnet Inject commands (like a remote shell) Instant Messenger Social engineering (fake messages)

7 7 TCP Sequence Numbers Sequence number (32 bits) has a dual role: If the SYN flag is set, then this is the initial sequence number. The sequence number of the actual first data byte is this sequence number plus 1. If the SYN flag is clear, then this is the accumulated sequence number of the first data byte of this packet for the current session. Acknowledgment number (32 bits) If the ACK flag is set then this the next sequence number that the receiver is expecting. This acknowledges receipt of all prior bytes (if any).

8 8 TCP Handshake C S SYN (seq=x) Listening Store data SYN ACK (ack=x+1 seq=y) Wait ACK (ack=y+1,seq=x+1) Connected

9 9 TCP sequence prediction attack Predict the sequence number used to identify the packets in a TCP connection, and then counterfeit packets. Naively, success prob. is 1/2 32 (32-bit seq. # s). Most systems allow for a large window of acceptable seq. # s Much higher success probability. Adversary: do not have full control over the network, but can inject packets with fake source IP addresses E.g., control a computer on the local network TCP sequence numbers are used for authenticating packets Initial seq# needs high degree of unpredictability If attacker knows initial seq # and amount of traffic sent, can estimate likely current values Some implementations are vulnerable

10 10 Risks from Session Hijacking Inject data into an unencrypted server-to-server traffic, such as an exchange, DNS zone transfers, etc. Inject data into an unencrypted client-to-server traffic, such as ftp file downloads, http responses. Spoof IP addresses, which are often used for preliminary checks on firewalls or at the service level. Carry out MITM attacks on weak cryptographic protocols. often result in warnings to users that get ignored Denial of service attacks, such as resetting the connection.

11 11 Off-Path Attacker Capability: Insert Advantage: Low requirement Challenge: hard to know the attack timing Let s attack enemy Let s retreat (???)

12 Ini*al TCP sequence number Three-way handshake (challenge-response) SYN Seq=X, Ack = 0 Remembers X SYN-ACK Seq=Y, Ack = X+1 Checks Ack=X+1 Remembers Y ACK Seq=X+1, Ack = Y+1 Checks Ack=Y+1

13 TCP sequence number war *meline Predictable initial seq num Morris Bellovin Still vulnerable Zalewsky Windows attack (hours to finish) klm 99% of TCP connections lasts < 60s [Qian09] Mitnik Real exploit Watson BGP DoS 1. Firewall-enabled 2. Linux/FreeBSD/Mac

14 14 Outline TCP Attacks NEXT Off-path TCP sequence number prediction Off-path TCP sequence number inference Firewall-middlebox-enabled attacks Host-based attacks

15 Ini*al TCP sequence number (ISN) predic*on 15 Predicting server s ISN to setup connections spoofing a trusted host s IP address SYN(ISN x ), SRC=T SYN(ISN s ), ACK(ISN x ) Intruder X ACK(ISN s ), SRC=T ACK(ISN s ), SRC=T Serve r Host T

16 16 How to predict the random ISN? Well, they are not so random in the early days The ISN is incremented by a constant amount for fixed time interval (e.g., second) Later ISN is incremented by a random amount for fixed time interval

17 17 Defense to ISN prediction? Long story short, ISNs today are randomized so it won t be possible to predict it anymore Still not fully randomized due to backwardcompatibility reasons But secure enough to defeat prediction

18 18 Outline TCP Attacks Off-path TCP sequence number prediction NEXT Off-path TCP sequence number inference Firewall-middlebox-enabled attacks Host-based attacks

19 19 Threat model and problem formula*on Seq =? Unprivileged malware + off-path attackers Attack goal Know when a victim app initiates a connection with a server (e.g., facebook) Inferring sequence number of the server so attacker can write into connections owned by other apps (e.g., a phishing facebook login page)

20 20 TCP sequence number inference a?ack Seq =? Required information Target four tuples (srcip, dstip, srcport, dstport) Sequence number How? Unprivileged malware is isolated from other apps

21 21 Req 1 Obtaining target four tuples On-site unprivileged malware netstat (no root required) Four-tuple query netstat -nn Active Internet connections NAT boxes leak active four-tuple info Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp CLOSE_WAIT Initiate fake connections tcp CLOSE_WAIT tcp CLOSE_WAIT tcp LAST_ACK tcp LAST_ACK tcp LAST_ACK tcp LAST_ACK tcp ESTABLISHED

22 22 Req 2 Obtaining feedback of guesses Not correct! Correct! Seq = X Seq = Y Expecting seq Y Intuition: actively guess sequence numbers and observe feedbacks through unexpected channels

23 23 Outline TCP Attacks Off-path TCP sequence number prediction Off-path TCP sequence number inference Firewall-middlebox-enabled attacks Host-based attacks NEXT

24 24 Firewall Middleboxes Common in organizations (e.g., enterprise, universities) Intend to block unwanted/malicious traffic

25 25 TCP sequence- number- checking firewall Purpose: drop blindly injected packets Cut down resource waste Prevent feedback on sequence number guessing 33% of the 179 tested carriers deploy such firewalls Vendors: Checkpoint, Cisco, Juniper Could be used in other networks as well

26 26 Stateful firewall that tracks TCP sequence number Required information Target four tuples Feedback (if packets dropped by the firewall)

27 27 Side- channels Packet counter and IPID Host packet counter (e.g., # of incoming packets) netstat s or procfs Error counters particularly useful IPID from intermediate hops Error counter++ Error Header Error Header Seq Seq

28 28 Side- channels Packet counter and IPID netstat s Tcp: 3466 active connections openings passive connection openings connection resets received segments received segments send out segments retransmited 489 bad segments received resets sent TcpExt: ICMP packets dropped because they were out-of-window 9491 TCP sockets finished time wait in fast timer 1646 packets rejects in established connections because of timestamp

29 How counters leaks sequence number (example) Error counter++ Seq = 0 Seq = 2WIN Seq = 4WIN Seq = 2G Counter++

30 30 Efficient probing to extract sequence number 2G Error counter++ 4G

31 31 Efficient probing to extract sequence number 2G 4G

32 32 Efficient probing to extract sequence number 2G Error counter++ 4G Total # of packets required: 4G/2WIN Typically, WIN = 256K, 512K, 1M # of packets = (~300kbps) Time: 4 9 seconds

33 33 Outline TCP Attacks Off-path TCP sequence number prediction Off-path TCP sequence number inference Firewall-middlebox-enabled attacks Host-based attacks NEXT

34 34 TCP sequence number inference a?ack Without firewall

35 TCP sequence number checking leaks informa*on Packet checking sequence in Linux (and other OS) 35 Error check Error counter ++ Seq # check tcp_send_dupack() Ack # check Drop Additional checks Others Accept

36 Feedback channel: DelayedACKLost counter DelayedACKLost++ when a received packet with sequence number smaller than the expected sequence number if (TCP_SKB_CB(skb)- >end_seq!= TCP_SKB_CB(skb)- >seq && before(tcp_skb_cb(skb)- >seq, tp- >rcv_nxt)) { NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_DELAYEDACKLOST); } Since Linux (in 2002) static inline int before( u32 seq1, u32 seq2) { return ( s32)(seq1- seq2) < 0; } FreeBSD / Mac OS has similar counters

37 37 A new feedback channel 2G counter++ 4G Binary search 1 st iteration

38 38 Efficient probing to extract sequence number 2G 4G Binary search 2 nd iteration Total # of packets and iterations required: 32 Inference time: a few seconds

39 39 Efficient probing to extract sequence number x3 Counter+=1 x1 x2 4-way search 1 st iteration

40 40 Efficient probing to extract sequence number x3 x1 Counter+=3 x2 4-way search 1 st iteration

41 41 Efficient probing to extract sequence number x3 x1 x2 Counter+=2 4-way search 1 st iteration

42 42 Efficient probing to extract sequence number x3 Counter+=1 Counter+=4 x1 x2 Counter+=2 Counter+=5 4-way search 16 iterations (instead of 32) Total inference time: ~1s