Title :
Off-path TCP Sequence Number Inference Attack - How Firewall Middleboxes Reduce Security
Author :
Zhiyun Qian ; Mao, Z.M.
Author_Institution :
Univ. of Michigan, Ann Arbor, MI, USA
Abstract :
In this paper, we report a newly discovered "off-path TCP sequence number inference" attack enabled by firewall middleboxes. It allows an off-path (i.e., not man-in-the-middle) attacker to hijack a TCP connection and inject malicious content, effectively granting the attacker write-only permission on the connection. For instance, with the help of unprivileged malware, we demonstrate that a successful attack can hijack an HTTP session and return a phishing Facebook login page issued by a browser. With the same mechanisms, it is also possible to inject malicious Javascript to post tweets or follow other people on behalf of the victim. The TCP sequence number inference attack is mainly enabled by the sequence-number-checking firewall middleboxes. Through carefully-designed and well-timed probing, the TCP sequence number state kept on the firewall middlebox can be leaked to an off-path attacker. We found such firewall middleboxes to be very popular in cellular networks - at least 31.5% of the 149 measured networks deploy such firewalls. Finally, since the sequence-number-checking feature is enabled by design, it is unclear how to mitigate the problem easily.
Keywords :
Java; authorisation; cellular radio; computer crime; computer network security; hypermedia; invasive software; online front-ends; social networking (online); transport protocols; HTTP session; Javascript; TCP connection; Web browser; carefully-designed probing; cellular networks; firewall middleboxes; malicious content; off-path TCP sequence number inference attack; off-path attacker; phishing Facebook login page; security reduction; sequence-number-checking feature; sequence-number-checking firewall middleboxes; unprivileged malware; well-timed probing; write-only permission; IP networks; Malware; Middleboxes; Radiation detectors; Servers; Firewall middleboxes; TCP connection hijack; TCP sequence number inference;
Conference_Title :
Security and Privacy (SP), 2012 IEEE Symposium on
Conference_Location :
San Francisco, CA
Print_ISBN :
978-1-4673-1244-8
Electronic_ISBN :
1081-6011