Off-Path TCP Exploits: Global Rate Limit Considered Dangerous [pdf] (ucr.edu)
44 points by jfindley on Aug 10, 2016 | 1 comment

This is a very grave problem that especially affects Tor users.

> In a nutshell, the vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection. Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks. We illustrate how the attack can be leveraged to disrupt or degrade the privacy guarantees of an anonymity network such as Tor, and perform web connection hijacking. Through extensive experiments, we show that the attack is fast and reliable. On average, it takes about 40 to 60 seconds to finish and the success rate is 88% to 97%.

> We emphasize that the attack can be carried out by a purely off-path attacker without running malicious code on the communicating client or server. This can have serious implications on the security and privacy of the Internet at large.

The authors say this vulnerability was introduced in RFC 5961 [1], implemented in Linux kernel 3.6 from late 2012. As well as being able to infer if there is an active connection between two arbitrary IPs, a practical DoS attack on Tor connections is demonstrated by injecting reset packets. The attack can also be used to disrupt connections between relay nodes to force traffic through exit nodes controlled by the attacker.

While apparently fixed in kernel 4.7, the vast majority of Tor nodes and Linux end users are likely to be using older vulnerable versions, as 4.7 was only released July 24 of this year [2].

[1] https://tools.ietf.org/html/rfc5961

[2] https://kernelnewbies.org/Linux_4.7
