Detecting TCP/IP Connections via IPID Hash Collisions

Open access


We present a novel attack for detecting the presence of an active TCP connection between a remote Linux server and an arbitrary client machine. The attack takes advantage of side-channels present in the Linux kernel’s handling of the values used to populate an IPv4 packet’s IPID field and applies to kernel versions of 4.0 and higher. We implement and test this attack and evaluate its real world effectiveness and performance when used on active connections to popular web servers. Our evaluation shows that the attack is capable of correctly detecting the IP-port 4-tuple representing an active TCP connection in 84% of our mock attacks. We also demonstrate how the attack can be used by the middle onion router in a Tor circuit to test whether a given client is connected to the guard entry node associated with a given circuit.

In addition we discuss the potential issues an attacker would face when attempting to scale it to real world attacks, as well as possible mitigations against the attack. Our attack does not exhaust any global resource, and therefore challenges the notion that there is a direct one-to-one connection between shared, limited resources and non-trivial network side-channels. This means that simply enumerating global shared resources and considering the ways in which they can be exhausted will not suffice for certifying a kernel TCP/IP network stack to be free of privacy risk side-channels.

[1] Alexa. Alexa Top 500 Global Sites.

[2] G. Alexander and J. R. Crandall. Off-path round trip time measurement via TCP/IP side channels. In 2015 IEEE Conference on Computer Communications (INFOCOM), pages 1589–1597. IEEE, 2015.

[3] Y. Angel and P. Winter. obfs4 (the obfourscator)., 2014.

[4] Antirez. new tcp scan method. Posted to the bugtraq mailing list, 18 December 1998.

[5] S. Axelsson. The base-rate fallacy and its implications for the difficulty of intrusion detection. In Proceedings of the 6th ACM Conference on Computer and Communications Security, CCS ’99, pages 1–7, New York, NY, USA, 1999. ACM.

[6] S. M. Bellovin. A technique for counting NATted hosts. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, pages 267–272. ACM, 2002.

[7] Y. Cao, Z. Qian, Z. Wang, T. Dao, S. V. Krishnamurthy, and L. M. Marvel. Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. In 25th USENIX Security Symposium (USENIX Security 16), pages 209–225. USENIX Association.

[8] Y. Cao, Z. Qian, Z. Wang, T. Dao, S. V. Krishnamurthy, and L. M. Marvel. Off-Path TCP Exploits of the Challenge ACK Global Rate Limit. IEEE/ACM Transactions on Networking, 26(2):765–778, 2018.

[9] W. Chen, Y. Huang, B. F. Ribeiro, K. Suh, H. Zhang, E. d. S. e Silva, J. Kurose, and D. Towsley. Exploiting the IPID field to infer network path and end-system characteristics. In Passive and Active Network Measurement, pages 108–120. Springer, 2005.

[10] W. Chen and Z. Qian. Off-path TCP exploit: How wireless routers can jeopardize your secrets. In 27th USENIX Security Symposium (USENIX Security 18), Baltimore, MD, 2018. USENIX Association.

[11] M. Cotton, L. Eggbert, J. Touch, M. Westerlund, and S. Cheshire. Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry. RFC 6335 (Draft Standard), Aug. 2011.

[12] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The second-generation onion router. In Proceedings of the 13th Conference on USENIX Security Symposium - Volume 13, SSYM’04, pages 21–21, Berkeley, CA, USA, 2004. USENIX Association.

[15] R. Ensafi, D. Fifield, P. Winter, N. Feamster, N. Weaver, and V. Paxson. Examining how the great firewall discovers hidden circumvention servers. In Proceedings of the 2015 Internet Measurement Conference, pages 445–458. ACM, 2015.

[16] R. Ensafi, J. Knockel, G. Alexander, and J. R. Crandall. Detecting intentional packet drops on the internet via TCP/IP side channels. In Passive and Active Measurement, pages 109–118. Springer, 2014.

[17] R. Ensafi, J. C. Park, D. Kapur, and J. R. Crandall. Idle port scanning and non-interference analysis of network protocol stacks using model checking. In USENIX Security Symposium, pages 257–272, 2010.

[18] Y. Gilad and A. Herzberg. Spying in the dark: TCP and Tor traffic analysis. In International Symposium on Privacy Enhancing Technologies Symposium, pages 100–119. Springer, 2012.

[19] Y. Gilad and A. Herzberg. Off-path TCP injection attacks. ACM Transactions on Information and System Security (TISSEC), 16(4):13, 2014.

[20] Gilad, Yossi and Herzberg, Amir. Fragmentation considered vulnerable: blindly intercepting and discarding fragments. In Proceedings of the 5th USENIX conference on Offensive technologies, pages 2–2. USENIX Association, 2011.

[21] J. Knockel and J. R. Crandall. Counting Packets Sent Between Arbitrary Internet Hosts. In 4th USENIX Workshop on Free and Open Communications on the Internet (FOCI 14), 2014.

[22] T. Kohno, A. Broido, and K. C. Claffy. Remote physical device fingerprinting. Dependable and Secure Computing, IEEE Transactions on, 2(2):93–108, 2005.

[23] Personal communication. .

[24] B. Marczak, N. Weaver, J. Dalek, R. Ensafi, D. Fifield, S. McKune, A. Rey, J. Scott-Railton, R. Deibert, and V. Paxson. China’s great cannon. Citizen Lab, 10, 2015.

[25] M. Morbitzer. TCP Idle Scans in IPv6. Master’s thesis, Radboud University Nijmegen, The Netherlands, 2013.

[26] P. Pearce, R. Ensafi, F. Li, N. Feamster, and V. Paxson. Augur: Internet-wide detection of connectivity disruptions. In Security and Privacy (SP), 2017 IEEE Symposium on, pages 427–443. IEEE, 2017.

[27] J. Postel. Transmission Control Protocol. RFC 793, RFC Editor, September 1981.

[28] Z. Qian and Z. M. Mao. Off-path TCP sequence number inference attack. In Security & Privacy. IEEE, 2012.

[29] Qian, Zhiyun and Mao, Zhuoqing Morley. Off-path TCP sequence number inference attack-how firewall middleboxes reduce security. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 347–361. IEEE, 2012.

[30] A. Quach, Z. Wang, and Z. Qian. Investigation of the 2016 Linux TCP Stack Vulnerability at Scale. Proceedings of the ACM on Measurement and Analysis of Computing Systems, 1(1):4, 2017.

[31] The Tor Project. Tor Metrics.

[32] L. Torvalds. Linux Kernel V4.16., March 2018.

[33] L. Torvalds. Linux Kernel V4.16., March 2018.

[34] P. Watson. Slipping in the Window: TCP Reset attacks. Presentation at, 2004.

[35] X. Zhang, J. Knockel, and J. R. Crandall. High Fidelity Off-Path Round-Trip Time Measurement via TCP/IP Side Channels with Duplicate SYNs. In Global Communications Conference (GLOBECOM), 2016 IEEE, pages 1–6. IEEE, 2016.

[36] Zhang, Xu and Knockel, Jeffrey and Crandall, Jedidiah R. Original SYN: Finding machines hidden behind firewalls. In 2015 IEEE Conference on Computer Communications (INFOCOM), pages 720–728. IEEE, 2015.

[37] Zhang, Xu and Knockel, Jeffrey and Crandall, Jedidiah R. ONIS: Inferring TCP/IP-based Trust Relationships Completely Off-Path. In IEEE INFOCOM 2018, 2018.

Journal Information


All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 31 31 31
PDF Downloads 20 20 20