Detecting TCP/IP Connections via IPID Hash Collisions

Alexander, Geoffrey; Espinoza, Antonio M.; Crandall, Jedidiah R.

doi:10.2478/popets-2019-0071

Cited by 9 publications

(11 citation statements)

References 22 publications

(29 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The existing implementation of pcapML uses a single thread. 1 We again leverage tcpreplay, and the same bigFlows.pcap traffic capture as our previous experiment examining disk overhead. We vary two input parameters.…”

Section: Pcapml Overhead and Performancementioning

confidence: 99%

Towards Reproducible Network Traffic Analysis

Holland¹,

Schmitt²,

Mittal³

et al. 2022

Preprint

View full text Add to dashboard Cite

Analysis techniques are critical for gaining insight into network traffic given both the higher proportion of encrypted traffic and increasing data rates. Unfortunately, the domain of network traffic analysis suffers from a lack of standardization, leading to incomparable results and barriers to reproducibility. Unlike other disciplines, no standard dataset format exists, forcing researchers and practitioners to create bespoke analysis pipelines for each individual task. Without standardization researchers cannot compare "applesto-apples," preventing us from knowing with certainty if a new technique represents a methodological advancement or if it simply benefits from a different interpretation of a given dataset.In this work, we examine irreproducibility that arises from the lack of standardization in network traffic analysis. First, we study the literature, highlighting evidence of irreproducible research based on different interpretations of popular public datasets. Next, we investigate the underlying issues that have lead to the status quo and prevent reproducible research. Third, we outline the standardization requirements that any solution aiming to fix reproducibility issues must address. We then introduce pcapML, an open source system which increases reproducibility of network traffic analysis research by enabling metadata information to be directly encoded into raw traffic captures in a generic manner. Finally, we use the standardization pcapML provides to create the pcapML benchmarks, an open source leaderboard website and repository built to track the progress of network traffic analysis methods.

show abstract

Section: Pcapml Overhead and Performancementioning

confidence: 99%

Towards Reproducible Network Traffic Analysis

Holland¹,

Schmitt²,

Mittal³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…If yes, then the IPID of the packet is set to 0 directly. This assignment is due to Geoffrey et al's disclosure of a side channel in previous assignment methods, i.e., IPID of the RST packet was assigned based on one of the 2048 hash counters before version 4.18, which can be exploited to detect the presence of TCP connections [3]. If the packet is not a TCP RST packet, IP protocol checks the DF flag of the packet.…”

Section: Ipid Assignment In Linuxmentioning

confidence: 99%

“…Hence, if the attacker wants to force the counter to increase linearly and facilitate the observation, it needs to restrict the increment of system ticks related to the IPID counter. Usually, if more than 3 packets are sent to the server under 10 ms, the random value added to the IPID counter will never be larger than one [3]. We send ICMP request packets to the server in parallel and restrict the increment of system ticks.…”

Section: Constructing Hash Collisionsmentioning

confidence: 99%

“…If the source port number specified in the SYN/ACK packet does not equal y, according to the TCP specification [41], the server will respond a RST packet to the client. Due to the patch fixing the vulnerability identified by Alexander et al [3], Linux kernel versions 4.18 and beyond assign an IPID of 0 to the RST packet, which will not incur an increment to the shared IPID counter. Hence, the IPID values in the reply packets observed by the attacker are continuous.…”

Section: Tcp Connection Detectionmentioning

confidence: 99%

“…The Identification field of IP protocol (IPID) is used to indicate the uniqueness of a packet [40,50]. After abandoning two previous vulnerable IPID assignment methods (i.e., global IPID assignment and per-destination IPID assignment) [14,16,17,23,29], Linux currently assigns IPID to packets based on a mixed method [3,7,53]. If a packet is generated from socket protocols such as TCP and UDP, Linux uses the per-socket-based IPID assignment policy that assigns IPID to the packet based on the counter recorded in the protocol socket.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Off-Path TCP Exploits of the Mixed IPID Assignment

Feng,

Fu,

et al. 2020

Preprint

View full text Add to dashboard Cite

In this paper, we uncover a new off-path TCP hijacking attack that can be used to terminate victim TCP connections or inject forged data into victim TCP connections by manipulating the new mixed IPID assignment method, which is widely used in Linux kernel version 4.18 and beyond to help defend against TCP hijacking attacks. The attack has three steps. First, an off-path attacker can downgrade the IPID assignment for TCP packets from the more secure per-socket-based policy to the less secure hash-based policy, building a shared IPID counter that forms a side channel on the victim. Second, the attacker detects the presence of TCP connections by observing the shared IPID counter on the victim. Third, the attacker infers the sequence number and the acknowledgment number of the detected connection by observing the side channel of the shared IPID counter. Consequently, the attacker can completely hijack the connection, i.e., resetting the connection or poisoning the data stream.We evaluate the impacts of this off-path TCP attack in the real world. Our case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing tables show its threat on a wide range of applications. Our experimental results show that our off-path TCP attack can be constructed within 215 seconds and the success rate is over 88%. Finally, we analyze the root cause of the exploit and develop a new IPID assignment method to defeat this attack. We prototype our defense in Linux 4.18 and confirm its effectiveness through extensive evaluation over real applications on the Internet. CCS CONCEPTS• Security and privacy → Security protocols.

show abstract

Research on Off-Path Exploits of Network Protocols

Hou

Qiu

et al. 2021

Data Mining and Big Data

View full text Add to dashboard Cite

Detecting TCP/IP Connections via IPID Hash Collisions

Cited by 9 publications

References 22 publications

Towards Reproducible Network Traffic Analysis

Towards Reproducible Network Traffic Analysis

Off-Path TCP Exploits of the Mixed IPID Assignment

Research on Off-Path Exploits of Network Protocols

Contact Info

Product

Resources

About