Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis
www.caida.org > publications : papers : 2017 : resilience_deployed_tcp_blind
Resilience of Deployed TCP to Blind FIN Attacks
M. Luckie, "Resilience of Deployed TCP to Blind FIN Attacks", Tech. rep., Center for Applied Internet Data Analysis (CAIDA), Oct 2017.
|   View full paper:    PDF    |  Citation:    BibTeX   |

Resilience of Deployed TCP to Blind FIN Attacks

Matthew Luckie

University of Waikato

In prior work we conducted in 2015, we considered the resilience of deployed TCP implementations to blind in-window RST, SYN, and data attacks. These three attacks and defenses to the attacks were previously described in RFC5961. In this report, we consider the resilience of deployed TCP implementations to blind in-window FIN attacks, an attack not explicitly covered in RFC5961, where an off-path adversary disrupts an established connection by sending a packet that the victim believes came from its peer, causing the connection to be prematurely closed. We extended scamper, a parallelized packet prober with existing TCP behaviour inference capability, to add an active measurement test that infers whether or not a TCP implementation will accept a FIN packet that contains an acknowledgement value that should cause the receiver to discard the packet. We tested operating systems (and middleboxes deployed in front) of 4397 webservers in the wild in September 2017 and found 18% of tested connections were vulnerable to in-window FIN attack packets, consistent with our prior measurements testing the resilience of TCP implementations to blind in-window RST, SYN, and data attacks.

Keywords: measurement methodology, security
  Last Modified: Thu Nov-9-2017 14:25:04 PST
  Page URL: http://www.caida.org/publications/papers/2017/resilience_deployed_tcp_blind/index.xml