1 Overview
This attack is executed on Linux kernel 3.13. In Linux kernel 3.6, RFC 5961 was faithfully implemented to stop blind in-window attacks, but the implementation also created a new vulnerability. RFC 5961 defines a region outside the correct ACK window in which the server responds with a challenge ACK to packets that do not carry the correct sequence or acknowledgment number; Figure 1 illustrates this below. To keep these challenge ACKs from consuming excessive resources, the kernel capped them at 100 per second, a cap known as the Global Rate Limit. This host-wide limit is where the vulnerability lies.
Figure 1: ACK Window Illustration
The Global Rate Limit can be exploited as a side channel: first to determine whether a TCP connection is present, then to infer the four-tuple of the client and server, then the next acceptable sequence number, and finally the acknowledgment number. Once this is complete, injecting spoofed packets is trivial.
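To make the side channel concrete, here is a small Python model (added for this write-up; it is not the lab's attacker code or kernel code) of a challenge-ACK budget: with one host-wide budget, the number of replies a sender sees within a second drops whenever an unseen connection consumed a challenge ACK, so the reply count reveals activity on other connections; with a per-connection budget (assumed here as a mitigation) the count stays constant. All connection names and counts are constructed.

```python
class ChallengeAckLimiter:
    """Count challenge ACKs sent within one simulated second.

    shared=True  : one budget for the whole host, the Global Rate Limit
                   described above (fixed at 100 per second).
    shared=False : a separate budget per connection; an assumed mitigation
                   used here for illustration only (the actual kernel fix also
                   randomises the limit, which this model does not cover).
    """

    def __init__(self, limit=100, shared=True):
        self.limit = limit
        self.shared = shared
        self._used = {}  # budget key -> challenge ACKs sent this second

    def _key(self, conn):
        return "host" if self.shared else conn

    def out_of_window_packet(self, conn):
        """Return True if the host answers this packet with a challenge ACK."""
        k = self._key(conn)
        if self._used.get(k, 0) >= self.limit:
            return False  # budget exhausted: the packet is silently dropped
        self._used[k] = self._used.get(k, 0) + 1
        return True

    def new_second(self):
        self._used.clear()


def observed_challenge_acks(limiter, observer_conn, hidden_packets):
    """Simulate one second. First `hidden_packets` out-of-window packets
    hit a connection the observer cannot see ("victim-conn", a constructed
    name), each consuming one challenge ACK. Then the observer sends
    `limit` out-of-window packets on its own connection and counts replies."""
    limiter.new_second()
    for _ in range(hidden_packets):
        limiter.out_of_window_packet("victim-conn")
    return sum(limiter.out_of_window_packet(observer_conn)
               for _ in range(limiter.limit))


if __name__ == "__main__":
    for shared in (True, False):
        lim = ChallengeAckLimiter(limit=100, shared=shared)
        quiet = observed_challenge_acks(lim, "observer-conn", 0)
        busy = observed_challenge_acks(lim, "observer-conn", 1)
        print(f"shared={shared}: replies with no hidden traffic={quiet}, "
              f"with one hidden challenge ACK={busy}")
```

With the shared budget the observer sees 100 replies in a quiet second and 99 when one challenge ACK went to the hidden connection; with separate budgets both counts are 100, so nothing about the other connection leaks.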
Readings and Videos:
Video explaining how the attack works:
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/cao
Paper that the attack is based upon:
https://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
The objective of this lab is to have students understand how this attack is carried out and write some of the code necessary to execute it.
2 Virtual Machine Setup
In this lab we will have three virtual machines: the client, the server, and the attacker. There are two virtual machine images to download, as the client and attacker use the same image. A Python script that implements a simple messaging service between the client and server creates the TCP connection that will be hijacked.
The server is running a version of Ubuntu 14.04 that has not been updated. The security updates for this operating system patch the vulnerability that we are exploiting, so we must be sure not to update it.
The client and the attacker are running Ubuntu 16.04. The attacker also has the libtins libraries installed. They are the libraries that we use to craft and send spoofed packets, so they must be present on the attacker virtual machine.
By interacting with the server as seen in Figure 2, we can complete all steps of the attack. After this is completed we can then inject packets imitating the server to the client, as seen in Figure 3.
Figure 2: Exploiting Server
Figure 3: Imitating the Server
Make sure all virtual machines have only a Host-Only Adapter in their network adapter settings.
2.1 Connecting Client and Server
On the desktop of the server and the client there is a file labeled tcp_server.py and tcp_client.py respectively. The code requires the terminal window to be larger than the standard size, so put the terminal in full screen before executing commands. In the terminal, navigate to the desktop on the server first and run the code via the command:
Once this is complete your server terminal should look like Figure 4.
Figure 4: Server Waiting for Connection
Once that is complete, we can connect the client to the server. Navigate to the desktop again and run tcp_client.py using the same arguments:
Your client terminal should look like Figure 5, and your server terminal should look like Figure 6.
2.2 Setting up the Attacker
The attacker code is saved in the folder attacker_cpp in documents. When you alter the code and want to compile it again, remove the file named exploit, then run the command make in the terminal while in that folder.
The attack can then be run from the terminal by typing:
Figure 5: Client Terminal after Connection
Figure 6: Server Terminal after Connection
The server port will be the same as the one used to set up the TCP connection. The attack will not work yet, though, as it is missing code that you will add. After attempting the attack on the TCP connection, further attacks on the same connection may be slow or unsuccessful. Restarting the TCP connection of the server and client on a new port will mitigate this.
3 Lab Task Set 1: Clock Synchronization
To make sure all of our packets arrive within the same time interval, we must first synchronize our clock with the server. This is done by first initiating a legitimate TCP connection. In synchronize_clock.cpp (Figure 7) you must choose which flags should be sent to create this connection.
Write which flag should be set to first initialize the TCP connection on line 25, then disable this flag and set another one that will be used after receiving the response from the server on lines 47 and 48.