Investigation of the 2016 Linux TCP Stack Vulnerability at Scale

Authors:
Alan Quach

University of California, Riverside, Riverside, CA, USA

University of California, Riverside, Riverside, CA, USA
View Profile

,
Zhongjie Wang

University of California, Riverside, Riverside, CA, USA

University of California, Riverside, Riverside, CA, USA
View Profile

,
Zhiyun Qian

University of California, Riverside, Riverside, CA, USA

University of California, Riverside, Riverside, CA, USA
View Profile

Authors Info & Claims

ACM SIGMETRICS Performance Evaluation Review Volume 45 Issue 1June 2017pp 8https://doi.org/10.1145/3143314.3078510

Published:05 June 2017Publication History

ACM SIGMETRICS Performance Evaluation Review

Abstract

To combat blind in-window attacks against TCP, changes proposed in RFC 5961 have been implemented by Linux since late 2012. While successfully eliminating the old vulnerabilities, the new TCP implementation was reported in August 2016 to have introduced a subtle yet serious security flaw. Assigned CVE-2016-5696, the flaw exploits the challenge ACK rate limiting feature that could allow an off-path attacker to infer the presence/absence of a TCP connection between two arbitrary hosts, terminate such a connection, and even inject malicious payload. In this work, we perform a comprehensive measurement of the impact of the new vulnerability. This includes (1) tracking the vulnerable Internet servers, (2) monitoring the patch behavior over time, (3) picturing the overall security status of TCP stacks at scale. Towards this goal, we design a scalable measurement methodology to scan the Alexa top 1 million websites for almost 6 months. We also present how notifications impact the patching behavior, and compare the result with the Heartbleed and the Debian PRNG vulnerability. The measurement represents a valuable data point in understanding how Internet servers react to serious security flaws in the operating system kernel.

References

TCP protocol - Linux man page. http://man7.org/linux/man-pages/man7/tcp.7.html.Google Scholar
Amazon AWS IP Address Ranges. http://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html.Google Scholar
AWS Managed Services. https://aws.amazon.com/cn/managed-services/.Google Scholar
Blind TCP/IP Hijacking is Still Alive. http://phrack.org/issues/64/13.html.Google Scholar
Censys Scan Data Repository. https://censys.io/data.Google Scholar
CVE-2016--5696 and its effects on Tor. https://blog.patternsinthevoid.net/cve-2016--5696-and-its-effects-on-tor.html.Google Scholar
Linux Blind TCP Spoofing Vulnerability. http://www.securityfocus.com/bid/580/info.Google Scholar
Linux bug leaves USA Today, other top sites vulnerable to serious hijacking attacks. http://arstechnica.com/security/2016/08/linux-bug-leaves-usa-today-other-top-sites-vulnerable-to-serious-hijacking-attacks/ http://arstechnica.com/security/2016/08/linux-bug-leaves-usa-today-other-top- http://arstechnica.com/security/2016/08/linux-bug-leaves-usa-today-other-top-sites-vulnerable-to-serious-hijacking-attacks/sites-vulnerable-to-serious-hijacking- http://arstechnica.com/security/2016/08/linux-bug-leaves-usa-today-other-top-sites-vulnerable-to-serious-hijacking-attacks/.Google Scholar
{PATCH net} TCP: enable per-socket rate limiting of all 'challenge acks'. https://www.mail-archive.com/[email protected]/msg119411.html.Google Scholar
{PATCH net} TCP: make challenge acks less predictable. https://www.mail-archive.com/[email protected]/msg118677.html.Google Scholar
{PATCH v2 net} TCP: make challenge acks less predictable. https://www.mail-archive.com/[email protected]/msg118918.html.Google Scholar
Rackspace Managed Hosting Services. https://www.rackspace.com/en-us/managed-hosting.Google Scholar
RFC 1948. https://tools.ietf.org/html/rfc1948.Google Scholar
RFC 5961. https://tools.ietf.org/html/rfc5961.Google Scholar
RFC 6056. https://tools.ietf.org/html/rfc6056.Google Scholar
The Heartbleed Bug. http://heartbleed.com/.Google Scholar
The TCP "challenge ACK" side channel. http://lwn.net/Articles/696868/.Google Scholar
Vulnerability in the Linux kernel's TCP stack implementation. https://blogs.akamai.com/2016/08/vulnerability-in-the-linux-kernels-tcp-stack-implementation.html https://blogs.akamai.com/2016/08/ https://blogs.akamai.com/2016/08/vulnerability-in-the-linux-kernels-tcp-stack-implementation.html vulnerability-in-the-linux-kernels-tcp- https://blogs.akamai.com/2016/08/vulnerability-in-the-linux-kernels-tcp-stack-implementation.html stack-implementation.html.Google Scholar
Cao, Y., Qian, Z., Wang, Z., Dao, T., Krishnamurthy, S. V., and Marvel, L. M. Off-path TCP exploits: Global rate limit considered dangerous. In 25th USENIX Security Symposium (USENIX Security 16) (2016).Google Scholar
Durumeric, Z., Kasten, J., Adrian, D., Halderman, J. A., Bailey, M., Li, F., Weaver, N., Amann, J., Beekman, J., Payer, M., and Paxson, V. The matter of heartbleed. In Proceedings of the 2014 Conference on Internet Measurement Conference (2014), IMC '14. Google ScholarDigital Library
Durumeric, Z., Kasten, J., Bailey, M., and Halderman, J. A. Analysis of the HTTPS certificate ecosystem. In Proceedings of the 2013 Conference on Internet Measurement Conference (2013), IMC '13. Google ScholarDigital Library
Durumeric, Z., Wustrow, E., and Halderman, J. A. Zmap: Fast internet-wide scanning and its security applications. In Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13) (2013). Google ScholarDigital Library
Gilad, Y., and Herzberg, A. Off-Path Attacking the Web. In USENIX WOOT (2012). Google ScholarDigital Library
Gilad, Y., and Herzberg, A. When tolerance causes weakness: the case of injection-friendly browsers. In WWW (2013). Google ScholarDigital Library
Gilad, Y., Herzberg, A., and Shulman, H. Off-Path Hacking: The Illusion of Challenge-Response Authentication. Security Privacy, IEEE (2014).Google Scholar
Li, F., Durumeric, Z., Czyz, J., Karami, M., Bailey, M., McCoy, D., Savage, S., and Paxson, V. You've got vulnerability: Exploring effective vulnerability notifications. In 25th USENIX Security Symposium (USENIX Security 16) (2016).Google Scholar
Luckie, M., Beverly, R., Wu, T., Allman, M., and claffy, k. Resilience of deployed TCP to blind attacks. In Proceedings of the 2015 ACM Conference on Internet Measurement Conference (2015), IMC '15. Google ScholarDigital Library
Morris, R. A Weakness in the 4.2BSD Unix TCP/IP Software. Tech. rep., 1985.Google Scholar
Qian, Z., and Mao, Z. M. Off-Path TCP Sequence Number Inference Attack -- How Firewall Middleboxes Reduce Security. In IEEE Symposium on Security and Privacy (2012). Google ScholarDigital Library
Qian, Z., Mao, Z. M., and Xie, Y. Collaborative TCP sequence number inference attack: How to crack sequence number under a second. In CCS (2012). Google ScholarDigital Library
Redhat. Bug 1354708 - (CVE-2016--5696) CVE-2016--5696 kernel: challenge ACK counter information disclosure. https://bugzilla.redhat.com/show_bug.cgi?id=1354708.Google Scholar
Redhat. CVE-2016--5696. https://access.redhat.com/security/cve/cve-2016--5696.Google Scholar
Shamsi, Z., Nandwani, A., Leonard, D., and Loguinov, D. Hershel: Single-packet OS fingerprinting. In The 2014 ACM International Conference on Measurement and Modeling of Computer Systems (2014), SIGMETRICS '14. Google ScholarDigital Library
Stock, B., Pellegrino, G., Rossow, C., Johns, M., and Backes, M. Hey, you have a problem: On the feasibility of large-scale web vulnerability notification. In 25th USENIX Security Symposium (USENIX Security 16) (2016).Google Scholar
UCR Today. Study Highlights Serious Security Threat to Many Internet Users. https://ucrtoday.ucr.edu/39030.Google Scholar
Watson, P. Slipping in the window: TCP reset attacks, Apr. 2014.Google Scholar
Yilek, S., Rescorla, E., Shacham, H., Enright, B., and Savage, S. When private keys are public: Results from the 2008 Debian OpenSSL vulnerability. In Proceedings of the 9th ACM SIGCOMM Conference on Internet Measurement Conference (2009), IMC '09. Google ScholarDigital Library
Zalewsk, M. Strange attractors and TCP/IP sequence number analysis. Tech. rep., 2001. http://lcamtuf.coredump.cx/oldtcp/tcpseq.html.Google Scholar

Index Terms

Investigation of the 2016 Linux TCP Stack Vulnerability at Scale
1. Networks
2. Security and privacy
  1. Systems security
    1. Operating systems security
    2. Vulnerability management
      1. Vulnerability scanners

Recommendations

Investigation of the 2016 Linux TCP Stack Vulnerability at Scale

To combat blind in-window attacks against TCP, changes proposed in RFC 5961 have been implemented by Linux since late 2012. While successfully eliminating the old vulnerabilities, the new TCP implementation was reported in August 2016 to have introduced ...
Read More
Investigation of the 2016 Linux TCP Stack Vulnerability at Scale
SIGMETRICS '17 Abstracts: Proceedings of the 2017 ACM SIGMETRICS / International Conference on Measurement and Modeling of Computer Systems

To combat blind in-window attacks against TCP, changes proposed in RFC 5961 have been implemented by Linux since late 2012. While successfully eliminating the old vulnerabilities, the new TCP implementation was reported in August 2016 to have introduced ...
Read More
Vulnerability Profile for Linux
AINA '05: Proceedings of the 19th International Conference on Advanced Information Networking and Applications - Volume 1

A system with efficient security tools is not secured if its operating system is vulnerable. Various security enhancements for operating systems provide different security levels and profiles. Administrators have to choose the appropriate level or ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
ACM SIGMETRICS Performance Evaluation Review Volume 45, Issue 1
Performance evaluation review
June 2017
70 pages
ISSN:0163-5999
DOI:10.1145/3143314
Editor:
Nidhi Hegde
Bell Labs, Nokia
Issue’s Table of Contents
SIGMETRICS '17 Abstracts: Proceedings of the 2017 ACM SIGMETRICS / International Conference on Measurement and Modeling of Computer Systems
June 2017
84 pages
ISBN:9781450350327
DOI:10.1145/3078505
General Chairs:
Bruce Hajek
University of Illinois
,
Sewoong Oh
University of Illinois
,
Program Chairs:
Augustin Chaintreau
Columbia University
,
Leana Golubchik
University of Southern California
,
Zhi-Li Zhang
University of Minnesota
Copyright © 2017 Owner/Author
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 5 June 2017
Check for updates
Author Tags
challenge ack
linux
measurement
off-path attacks
tcp vulnerability
Qualifiers
- abstract
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 7
  Total Citations
  View Citations
- 277
  Total Downloads
- Downloads (Last 12 months)45
- Downloads (Last 6 weeks)6
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Investigation of the 2016 Linux TCP Stack Vulnerability at Scale

ACM SIGMETRICS Performance Evaluation Review

Abstract

References

Cited By

Index Terms

Recommendations

Investigation of the 2016 Linux TCP Stack Vulnerability at Scale

Investigation of the 2016 Linux TCP Stack Vulnerability at Scale

Vulnerability Profile for Linux