25th USENIX Security Symposium has ended
Back To Schedule
Wednesday, August 10 • 4:00pm - 4:30pm
Off-Path TCP Exploits: Global Rate Limit Considered Dangerous

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

In this paper, we report a subtle yet serious side channel vulnerability (CVE-2016-5696) introduced in a recent TCP specification. The specification is faithfully implemented in Linux kernel version 3.6 (from 2012) and beyond, and affects a wide range of devices and hosts. In a nutshell, the vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection. Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks. We illustrate how the attack can be leveraged to disrupt or degrade the privacy guarantees of an anonymity network such as Tor, and perform web connection hijacking. Through extensive experiments, we show that the attack is fast and reliable. On average, it takes about 40 to 60 seconds to finish and the success rate is 88% to 97%. Finally, we propose changes to both the TCP specification and implementation to eliminate the root cause of the problem.


Srikanth V. Krishnamurthy

University of California, Riverside
avatar for Zhiyun Qian

Zhiyun Qian

Associate Professor in Computer Science and Engineering, University of California Riverside
I work on system and network security, primarily focusing on vulnerability discovery and management, as well as exploitation techniques.

Wednesday August 10, 2016 4:00pm - 4:30pm PDT
Zilker Ballroom 2