
Off-Path TCP Exploits: Global Rate Limit Considered Dangerous [pdf] - jfindley
http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
======
sprin
This is a very grave problem that especially affects Tor users.

> In a nutshell, the vulnerability allows a blind off-path attacker to infer
> if any two arbitrary hosts on the Internet are communicating using a TCP
> connection. Further, if the connection is present, such an off-path attacker
> can also infer the TCP sequence numbers in use, from both sides of the
> connection; this in turn allows the attacker to cause connection termination
> and perform data injection attacks. We illustrate how the attack can be
> leveraged to disrupt or degrade the privacy guarantees of an anonymity
> network such as Tor, and perform web connection hijacking. Through extensive
> experiments, we show that the attack is fast and reliable. On average, it
> takes about 40 to 60 seconds to finish and the success rate is 88% to 97%.

> We emphasize that the attack can be carried out by a purely off-path
> attacker without running malicious code on the communicating client or
> server. This can have serious implications on the security and privacy of
> the Internet at large.

The authors say this vulnerability was introduced in RFC 5961 [1], implemented
in Linux kernel 3.6 from late 2012. As well as being able to infer if there is
an active connection between two arbitrary IPs, a practical DoS attack on Tor
connections is demonstrated by injecting reset packets. The attack can also be
used to disrupt connections between relay nodes to force traffic through exit
nodes controlled by the attacker.

While apparently fixed in kernel 4.7, the vast majority of Tor nodes and Linux
end users are likely to be using older vulnerable versions, as 4.7 was only
released July 24 of this year [2].

[1] [https://tools.ietf.org/html/rfc5961](https://tools.ietf.org/html/rfc5961)

[2] [https://kernelnewbies.org/Linux_4.7](https://kernelnewbies.org/Linux_4.7)
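As an added example (not from the paper or from the comment above), a defender-side triage script for a Linux host: it classifies a kernel by the version window the thread describes (RFC 5961 challenge ACKs arrived in 3.6, randomized limit in 4.7) and, for kernels in the vulnerable window, checks whether the global challenge-ACK rate limit has been raised. The sysctl name `net.ipv4.tcp_challenge_ack_limit` and the workaround threshold of 999999999 are assumptions taken from the usual pre-4.7 mitigation guidance, not from the thread.

```shell
#!/bin/sh
# Added example: classify a Linux host's exposure to the RFC 5961 global
# challenge-ACK rate-limit side channel discussed in the thread.
# Assumption: the knob is net.ipv4.tcp_challenge_ack_limit and raising it to
# 999999999 (a value commonly recommended as a pre-4.7 workaround) makes the
# shared counter effectively unobservable.
MITIGATED_LIMIT=999999999

# kernel_minmax "4.4.0-31-generic" -> sets MAJOR=4 MINOR=4 (ignores suffixes)
kernel_parse() {
    ver=$1
    MAJOR=${ver%%.*}
    rest=${ver#*.}
    MINOR=${rest%%[!0-9]*}
}

# kernel_has_rfc5961 VERSION -> status 0 if >= 3.6 (challenge ACKs present)
kernel_has_rfc5961() {
    kernel_parse "$1"
    [ "$MAJOR" -gt 3 ] && return 0
    [ "$MAJOR" -eq 3 ] && [ "$MINOR" -ge 6 ] && return 0
    return 1
}

# kernel_is_fixed VERSION -> status 0 if >= 4.7 (randomized limit)
kernel_is_fixed() {
    kernel_parse "$1"
    [ "$MAJOR" -gt 4 ] && return 0
    [ "$MAJOR" -eq 4 ] && [ "$MINOR" -ge 7 ] && return 0
    return 1
}

# assess_host VERSION LIMIT -> prints unaffected | fixed | mitigated | vulnerable
assess_host() {
    if ! kernel_has_rfc5961 "$1"; then
        echo unaffected
    elif kernel_is_fixed "$1"; then
        echo fixed
    elif [ "$2" -ge "$MITIGATED_LIMIT" ] 2>/dev/null; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Live check: read the real sysctl (absent on kernels that dropped the knob,
# which are already classified as fixed by version, so 0 is a safe fallback).
check_local_host() {
    limit=$(sysctl -n net.ipv4.tcp_challenge_ack_limit 2>/dev/null || echo 0)
    assess_host "$(uname -r)" "$limit"
}
```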

