Detecting TCP/IP Connections via IPID Hash Collisions

Open access


We present a novel attack for detecting the presence of an active TCP connection between a remote Linux server and an arbitrary client machine. The attack takes advantage of side-channels present in the Linux kernel’s handling of the values used to populate an IPv4 packet’s IPID field and applies to kernel versions of 4.0 and higher. We implement and test this attack and evaluate its real world effectiveness and performance when used on active connections to popular web servers. Our evaluation shows that the attack is capable of correctly detecting the IP-port 4-tuple representing an active TCP connection in 84% of our mock attacks. We also demonstrate how the attack can be used by the middle onion router in a Tor circuit to test whether a given client is connected to the guard entry node associated with a given circuit.

In addition we discuss the potential issues an attacker would face when attempting to scale it to real world attacks, as well as possible mitigations against the attack. Our attack does not exhaust any global resource, and therefore challenges the notion that there is a direct one-to-one connection between shared, limited resources and non-trivial network side-channels. This means that simply enumerating global shared resources and considering the ways in which they can be exhausted will not suffice for certifying a kernel TCP/IP network stack to be free of privacy risk side-channels.

If the inline PDF is not rendering correctly, you can download the PDF file here.

  • [1] Alexa. Alexa Top 500 Global Sites.

  • [2] G. Alexander and J. R. Crandall. Off-path round trip time measurement via TCP/IP side channels. In 2015 IEEE Conference on Computer Communications (INFOCOM) pages 1589–1597. IEEE 2015.

  • [3] Y. Angel and P. Winter. obfs4 (the obfourscator). 2014.

  • [4] Antirez. new tcp scan method. Posted to the bugtraq mailing list 18 December 1998.

  • [5] S. Axelsson. The base-rate fallacy and its implications for the difficulty of intrusion detection. In Proceedings of the 6th ACM Conference on Computer and Communications Security CCS ’99 pages 1–7 New York NY USA 1999. ACM.

  • [6] S. M. Bellovin. A technique for counting NATted hosts. In Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment pages 267–272. ACM 2002.

  • [7] Y. Cao Z. Qian Z. Wang T. Dao S. V. Krishnamurthy and L. M. Marvel. Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. In 25th USENIX Security Symposium (USENIX Security 16) pages 209–225. USENIX Association.

  • [8] Y. Cao Z. Qian Z. Wang T. Dao S. V. Krishnamurthy and L. M. Marvel. Off-Path TCP Exploits of the Challenge ACK Global Rate Limit. IEEE/ACM Transactions on Networking 26(2):765–778 2018.

  • [9] W. Chen Y. Huang B. F. Ribeiro K. Suh H. Zhang E. d. S. e Silva J. Kurose and D. Towsley. Exploiting the IPID field to infer network path and end-system characteristics. In Passive and Active Network Measurement pages 108–120. Springer 2005.

  • [10] W. Chen and Z. Qian. Off-path TCP exploit: How wireless routers can jeopardize your secrets. In 27th USENIX Security Symposium (USENIX Security 18) Baltimore MD 2018. USENIX Association.

  • [11] M. Cotton L. Eggbert J. Touch M. Westerlund and S. Cheshire. Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry. RFC 6335 (Draft Standard) Aug. 2011.

  • [12] R. Dingledine N. Mathewson and P. Syverson. Tor: The second-generation onion router. In Proceedings of the 13th Conference on USENIX Security Symposium - Volume 13 SSYM’04 pages 21–21 Berkeley CA USA 2004. USENIX Association.

  • [13] E. Dumazet. inetpeer: get rid of ip_id_count. 2014.

  • [14] E. Dumazet. ip: make ip identifiers less predictable. 2014.

  • [15] R. Ensafi D. Fifield P. Winter N. Feamster N. Weaver and V. Paxson. Examining how the great firewall discovers hidden circumvention servers. In Proceedings of the 2015 Internet Measurement Conference pages 445–458. ACM 2015.

  • [16] R. Ensafi J. Knockel G. Alexander and J. R. Crandall. Detecting intentional packet drops on the internet via TCP/IP side channels. In Passive and Active Measurement pages 109–118. Springer 2014.

  • [17] R. Ensafi J. C. Park D. Kapur and J. R. Crandall. Idle port scanning and non-interference analysis of network protocol stacks using model checking. In USENIX Security Symposium pages 257–272 2010.

  • [18] Y. Gilad and A. Herzberg. Spying in the dark: TCP and Tor traffic analysis. In International Symposium on Privacy Enhancing Technologies Symposium pages 100–119. Springer 2012.

  • [19] Y. Gilad and A. Herzberg. Off-path TCP injection attacks. ACM Transactions on Information and System Security (TISSEC) 16(4):13 2014.

  • [20] Gilad Yossi and Herzberg Amir. Fragmentation considered vulnerable: blindly intercepting and discarding fragments. In Proceedings of the 5th USENIX conference on Offensive technologies pages 2–2. USENIX Association 2011.

  • [21] J. Knockel and J. R. Crandall. Counting Packets Sent Between Arbitrary Internet Hosts. In 4th USENIX Workshop on Free and Open Communications on the Internet (FOCI 14) 2014.

  • [22] T. Kohno A. Broido and K. C. Claffy. Remote physical device fingerprinting. Dependable and Secure Computing IEEE Transactions on 2(2):93–108 2005.

  • [23] Personal communication. .

  • [24] B. Marczak N. Weaver J. Dalek R. Ensafi D. Fifield S. McKune A. Rey J. Scott-Railton R. Deibert and V. Paxson. China’s great cannon. Citizen Lab 10 2015.

  • [25] M. Morbitzer. TCP Idle Scans in IPv6. Master’s thesis Radboud University Nijmegen The Netherlands 2013.

  • [26] P. Pearce R. Ensafi F. Li N. Feamster and V. Paxson. Augur: Internet-wide detection of connectivity disruptions. In Security and Privacy (SP) 2017 IEEE Symposium on pages 427–443. IEEE 2017.

  • [27] J. Postel. Transmission Control Protocol. RFC 793 RFC Editor September 1981.

  • [28] Z. Qian and Z. M. Mao. Off-path TCP sequence number inference attack. In Security & Privacy. IEEE 2012.

  • [29] Qian Zhiyun and Mao Zhuoqing Morley. Off-path TCP sequence number inference attack-how firewall middleboxes reduce security. In Security and Privacy (SP) 2012 IEEE Symposium on pages 347–361. IEEE 2012.

  • [30] A. Quach Z. Wang and Z. Qian. Investigation of the 2016 Linux TCP Stack Vulnerability at Scale. Proceedings of the ACM on Measurement and Analysis of Computing Systems 1(1):4 2017.

  • [31] The Tor Project. Tor Metrics.

  • [32] L. Torvalds. Linux Kernel V4.16. March 2018.

  • [33] L. Torvalds. Linux Kernel V4.16. March 2018.

  • [34] P. Watson. Slipping in the Window: TCP Reset attacks. Presentation at 2004.

  • [35] X. Zhang J. Knockel and J. R. Crandall. High Fidelity Off-Path Round-Trip Time Measurement via TCP/IP Side Channels with Duplicate SYNs. In Global Communications Conference (GLOBECOM) 2016 IEEE pages 1–6. IEEE 2016.

  • [36] Zhang Xu and Knockel Jeffrey and Crandall Jedidiah R. Original SYN: Finding machines hidden behind firewalls. In 2015 IEEE Conference on Computer Communications (INFOCOM) pages 720–728. IEEE 2015.

  • [37] Zhang Xu and Knockel Jeffrey and Crandall Jedidiah R. ONIS: Inferring TCP/IP-based Trust Relationships Completely Off-Path. In IEEE INFOCOM 2018 2018.

Journal information
All Time Past Year Past 30 Days
Abstract Views 0 0 0
Full Text Views 150 150 40
PDF Downloads 83 83 25