![Page 1: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/1.jpg)
Off-Path Attacking the Web
Yossi Gilad and Amir HerzbergComputer Science Department, Bar Ilan University
![Page 2: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/2.jpg)
2.2.22.2.23.3.33.3.3
1.1.11.1.1
Alice2.2.2.5
Bob3.3.3.7
Off-pathOscar6.6.6.6
4.4.44.4.4
5.5.5 5.5.5
6.6.66.6.6
Oscar: the Off-Path Attacker
Bob,I love you!Alice
Bob,I leave you!Alice
![Page 3: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/3.jpg)
Why Off-Path Attacks? Why not MitM (Eavesdropper)?
Harder: physical access or control router Can Oscar spoof IP packets?
Often not: most ISPs ingress-filter But enough ISPs don’t (18%-22%)
What of challenge-response Defense? Correct use of challenge-response suffices But: Often, challenge-response used
incorrectly Since used for other purposes, e.g., in TCP for
SEQ/ACK This work: Off-Path TCP Injection
Allows XSS, phishing and more…
![Page 4: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/4.jpg)
Related Work Predictable ISNs: Morris85, Mitnick95,
Zalewski01,05 Address-based client authentication
vulnerable [Bellovin89] `PoC’ for Windows clients: klm07
We improve (FW, efficiency), extend to exploit
QianMao12, QMXie12: (limited) malware QM12: Also assumes seq#-checking-fw Does not work for Windows clients
![Page 5: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/5.jpg)
Attack Scenario and Goal1. Alice surfs to Oscar’s site2. Alice’s browser runs Oscar’s script
(puppet)3. Puppet sends HTTP requests to Bob4. Oscar injects response into the
connection between Alice and Bob (est. by the puppet)
Internet Internet1. Surf toOscar.com
2. Send pagewith script
3. Script opens (hidden) frame of Bob.com
4. Inject (e.g., script) as content from Bob
![Page 6: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/6.jpg)
Attack Goal and Scenario Alice’s browser assigns Oscar’s spoofed
response with context of `Bob’ Can contain script: cross site scripting (XSS) Request objects: cross site request forgery (CSRF) Spoof a web-page, response may be cached
![Page 7: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/7.jpg)
What Do We Need? Grocery List Task #1: identify the `victim-connection’ between Alice and Bob Spoofed data needs to correspond with a real
connection Task #2: learn sequence numbers
TCP discards packets with invalid seq # Task #3: exploit
Send (spoofed) data in correct HTTP context Browser assigns data the credentials of server
(Bob)
![Page 8: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/8.jpg)
Attack and Talk Overview Learn connection identifiers (IPs:ports) Learn server’s sequence number Learn client’s sequence number Exploit(s):
XSS CSRF Phishing
Conclusions
![Page 9: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/9.jpg)
Identify Victim-Connection A TCP connection has four Identifiers:
<ServerIP:port, ClientIP:port> Puppet opens connection to Bob (server)
ServerIP:port selected by puppet (attacker) Client IP: known from client connection to
Oscar Client port: sequentially assigned…
[Windows]
Not sequential? See [GH PETS’12]
![Page 10: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/10.jpg)
Finding Server Sequence Number TCP sequence numbers are 32-bits
that’s too long to guess Need to learn the sequence #. How?
Use TCP responses to probe packets Empty-ACK packets provide useful
response: If seq# out of WIN: send ACK
to re-sync If seq# is in WIN: no response
to avoid `ACK storm’
![Page 11: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/11.jpg)
Finding Server Sequence Number How to detect if response is sent?
Use IP-ID side channel IP-ID: 16 bit identifier in IP header
Used to correctly reconstruct packet from fragments
In Windows: implemented as a global-counter One connection (to Oscar) leaks info about
another! Old trick: NMAP’s idle-scan, Bellovin
machine-count,…
![Page 12: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/12.jpg)
Finding Server Sequence Number1. Puppet opens connection to server
2. Oscar sends query-probe-query:1. Query: unordered 1-byte packets ACK (ipid)2. Probe (srcIP = server): empty-ACK with seq#
=i∙w w is estimate of WIN size
Found binary search finds exact seq#
![Page 13: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/13.jpg)
Attack and Talk Overview Learn connection identifiers (IPs:ports) Learn server’s sequence number Learn client’s sequence number Exploit(s):
XSS CSRF Phishing
Conclusions
![Page 14: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/14.jpg)
Finding Client Sequence Number Already know server seq# (and IPs, ports) This should have been enough to inject
(according to TCP spec) But Windows implementations (as of XP
SP2) also validate the ack number of packets
The valid ack# is the client’s seq#
![Page 15: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/15.jpg)
Finding Client Sequence Number To find client seq#: send pkt w/ data
With server’s IP:port, correct seq# TCP’s handling depends on ack#
For Windows clients: Silently discards pkt
with `old` ack number Otherwise: send ACK
Leaks: ack#>UNA Binary search…
UnAcked
Next
Process
Windows: silently discardRFC: Process (often, ack)
Discard and send duplicate Ack
![Page 16: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/16.jpg)
Attack and Talk Overview Learn connection identifiers (IPs:ports) Learn server’s sequence number Learn client’s sequence number Exploit(s):
XSS CSRF Phishing
Conclusions
![Page 17: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/17.jpg)
Exploiting Injections: XSS, CSRF Cross Site Scripting (XSS): cause browser to run MalScript in context of victim.com Typical XSS: exploit bug in site or browser Off-path-injected XSS: no need for vulnerable
site/browser! Script can post fake HTTP requests
(CSRF)
![Page 18: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/18.jpg)
Exploiting Injections: XSS, CSRF Cross Site Scripting (XSS): cause browser to run MalScript in context of victim.com Typical XSS: exploit bug in site or browser Off-path-injected XSS: no need for vulnerable
site/browser!
![Page 19: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/19.jpg)
XSS Exploit: Results Top 1024 sites, 10Mb win clients, 1Mb
Oscar Average 32 pkts/s `noise` Immune sites: mostly SSL or non-
persistent
![Page 20: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/20.jpg)
Phishing by Injection Off-path XSS, CSRF may fail:
To collect user-entered data, e.g., passwords Esp. if site uses SSL for passwords
Alternative: phish / deface ! Change contents: steal PWDs, push
malware… Cache spoofed page
at local browser or network proxy User receives the spoofed page when
he/she expects real page
![Page 21: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/21.jpg)
Phishing by Injection Off-path XSS, CSRF may fail:
To collect user-entered data, e.g., passwords Esp. if site uses SSL for passwords
Alternative: phish / deface ! Change contents: steal PWDs, push
malware…
![Page 22: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/22.jpg)
Conclusions TCP may not be secure against off-path
attackers! Use `real’ security: SSL/TLS, IPsec, etc
Attacks may be improved, abused further…
![Page 23: Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University](https://reader036.vdocuments.net/reader036/viewer/2022062515/56649ceb5503460f949b6276/html5/thumbnails/23.jpg)
Thank You! Special thank you to CPIIS for supporting
my research Questions?