Off-path TCP Sequence Number Inference Attack - How Firewall Middleboxes Reduce Security

  • Authors:
  • Zhiyun Qian;Z. Morley Mao

  • Venue:
  • SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
  • Year:
  • 2012

Abstract

In this paper, we report a newly discovered "off-path TCP sequence number inference" attack enabled by firewall middleboxes. It allows an off-path (i.e., not man-in-the-middle) attacker to hijack a TCP connection and inject malicious content, effectively granting the attacker write-only permission on the connection. For instance, with the help of unprivileged malware, we demonstrate that a successful attack can hijack an HTTP session and return a phishing Facebook login page issued by a browser. With the same mechanisms, it is also possible to inject malicious JavaScript to post tweets or follow other people on behalf of the victim. The TCP sequence number inference attack is mainly enabled by the sequence-number-checking firewall middleboxes. Through carefully designed and well-timed probing, the TCP sequence number state kept on the firewall middlebox can be leaked to an off-path attacker. We found such firewall middleboxes to be very popular in cellular networks: at least 31.5% of the 149 measured networks deploy such firewalls. Finally, since the sequence-number-checking feature is enabled by design, it is unclear how to mitigate the problem easily.
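The inference mechanism the abstract describes, as an added simulation that is not code from the paper or its authors. It models a firewall middlebox that forwards a TCP packet only when its sequence number falls inside the window it tracks for the connection, a victim host whose unprivileged malware can report whether spoofed probes got through (modelled here as a simple packet counter; the paper's actual victim-side side channel is not described on this page, so this is an assumption), and an off-path attacker that first scans the 32-bit space in window-sized steps using batched probes and then binary-searches the window's lower edge. The attacker never sees the connection; everything it learns comes from the firewall's accept/drop decision leaking through the counter. Class names, the step size, the batch size, and the sample sequence numbers are all the example's own choices.

```python
"""Simulated off-path TCP sequence number inference against a
sequence-number-checking firewall.

Added example, not code from the paper. The firewall model, the
victim-side packet counter used as the side channel, and every
number below are assumptions chosen for illustration.
"""

SEQ_SPACE = 1 << 32


class SeqCheckingFirewall:
    """Firewall middlebox that tracks a connection's expected next sequence
    number and forwards a packet only if its sequence number lies in
    [expected, expected + window), computed modulo 2^32."""

    def __init__(self, expected_seq, window):
        self.expected_seq = expected_seq % SEQ_SPACE
        self.window = window

    def accepts(self, seq):
        return (seq - self.expected_seq) % SEQ_SPACE < self.window


class Victim:
    """Host behind the firewall. Assumption: unprivileged malware on it can
    read a packet counter and relay the value to the attacker."""

    def __init__(self):
        self.packets_received = 0

    def deliver(self):
        self.packets_received += 1


class OffPathAttacker:
    """Off-path attacker: cannot observe the connection, can only send
    spoofed packets through the firewall and read the victim's counter."""

    def __init__(self, firewall, victim, step=1 << 16, batch=256):
        self.firewall = firewall
        self.victim = victim
        self.step = step      # assumed lower bound on the firewall's window
        self.batch = batch    # probes sent between two counter reads
        self.probes_sent = 0

    def _count_accepted(self, seqs):
        """Send spoofed probes with the given sequence numbers and return how
        many reached the victim. The counter delta is the leaked bit(s)."""
        before = self.victim.packets_received
        for seq in seqs:
            self.probes_sent += 1
            if self.firewall.accepts(seq):
                self.victim.deliver()
        return self.victim.packets_received - before

    def _accepted(self, seq):
        return self._count_accepted([seq]) > 0

    def find_in_window_seq(self):
        """Phase 1: probe seq = 0, step, 2*step, ... in batches. A batch with
        a non-zero counter delta contains an in-window probe; bisect that
        batch to isolate it. Requires step <= actual window, otherwise a
        window can fall between two probes and be missed."""
        candidates = range(0, SEQ_SPACE, self.step)
        for i in range(0, len(candidates), self.batch):
            chunk = candidates[i:i + self.batch]
            if self._count_accepted(chunk) == 0:
                continue
            lo, hi = 0, len(chunk)
            while hi - lo > 1:
                mid = (lo + hi) // 2
                if self._count_accepted(chunk[lo:mid]) > 0:
                    hi = mid
                else:
                    lo = mid
            return chunk[lo]
        return None

    def find_window_start(self, in_window_seq):
        """Phase 2: walk backwards from an accepted seq with doubling distance
        until a probe is dropped, then binary-search the accept/drop edge.
        The firewall's real window size does not need to be known."""
        back = 1
        while self._accepted((in_window_seq - back) % SEQ_SPACE):
            back *= 2
            if back >= SEQ_SPACE // 2:
                raise RuntimeError("no drop found; firewall is not checking")
        lo, hi = back // 2, back      # lo accepted (0 = seq itself), hi dropped
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if self._accepted((in_window_seq - mid) % SEQ_SPACE):
                lo = mid
            else:
                hi = mid
        return (in_window_seq - lo) % SEQ_SPACE

    def infer_expected_seq(self):
        seq = self.find_in_window_seq()
        return None if seq is None else self.find_window_start(seq)


def run_demo(expected_seq, window):
    """Build the three parties, run the inference, return (inferred, probes)."""
    firewall = SeqCheckingFirewall(expected_seq, window)
    attacker = OffPathAttacker(firewall, Victim())
    return attacker.infer_expected_seq(), attacker.probes_sent


if __name__ == "__main__":
    actual = 0x9F3C2A11                     # constructed sample value
    inferred, probes = run_demo(actual, 1 << 16)
    print(f"actual={actual:#x} inferred={inferred:#x} probes={probes}")
```

Two points worth noting from running it. The probe count is tens of thousands rather than 2^32 because the firewall answers a membership question about its own state on every packet, and batching lets one counter read answer it for many probes at once. Phase 2 also recovers the window edge without knowing the window size, which is why "the feature is enabled by design" is the hard part of mitigation: as long as the middlebox drops on sequence number, the decision is observable from the victim side.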