Abstract
To combat blind in-window attacks against TCP, the changes proposed in RFC 5961 have been implemented in Linux since late 2012. While it successfully eliminated the old vulnerabilities, the new TCP implementation was reported in August 2016 to have introduced a subtle yet serious security flaw. Assigned CVE-2016-5696, the flaw lies in the challenge ACK rate-limiting feature, which could allow an off-path attacker to infer the presence or absence of a TCP connection between two arbitrary hosts, terminate such a connection, and even inject malicious payload. In this work, we perform a comprehensive measurement of the impact of the new vulnerability. This includes (1) tracking the vulnerable Internet servers, (2) monitoring the patching behavior over time, and (3) characterizing the overall security status of TCP stacks at scale. Towards this goal, we design a scalable measurement methodology to scan the Alexa top 1 million websites for almost 6 months. We also present how notifications affect patching behavior, and compare the result with those for the Heartbleed and Debian PRNG vulnerabilities. The measurement represents a valuable data point in understanding how Internet servers react to serious security flaws in the operating system kernel.
Investigation of the 2016 Linux TCP Stack Vulnerability at Scale. SIGMETRICS '17 Abstracts: Proceedings of the 2017 ACM SIGMETRICS / International Conference on Measurement and Modeling of Computer Systems.