Affordable Access

Access to the full text

Detecting TCP/IP Connections via IPID Hash Collisions

Authors
  • Alexander, Geoffrey
  • Espinoza, Antonio M.
  • Crandall, Jedidiah R.
Type
Published Article
Journal
Proceedings on Privacy Enhancing Technologies
Publisher
Sciendo
Publication Date
Jul 30, 2019
Volume
2019
Issue
4
Pages
311–328
Identifiers
DOI: 10.2478/popets-2019-0071
Source
De Gruyter
License
Green

Abstract

We present a novel attack for detecting the presence of an active TCP connection between a remote Linux server and an arbitrary client machine. The attack takes advantage of side-channels present in the Linux kernel’s handling of the values used to populate an IPv4 packet’s IPID field and applies to kernel versions of 4.0 and higher. We implement and test this attack and evaluate its real world effectiveness and performance when used on active connections to popular web servers. Our evaluation shows that the attack is capable of correctly detecting the IP-port 4-tuple representing an active TCP connection in 84% of our mock attacks. We also demonstrate how the attack can be used by the middle onion router in a Tor circuit to test whether a given client is connected to the guard entry node associated with a given circuit. In addition we discuss the potential issues an attacker would face when attempting to scale it to real world attacks, as well as possible mitigations against the attack. Our attack does not exhaust any global resource, and therefore challenges the notion that there is a direct one-to-one connection between shared, limited resources and non-trivial network side-channels. This means that simply enumerating global shared resources and considering the ways in which they can be exhausted will not suffice for certifying a kernel TCP/IP network stack to be free of privacy risk side-channels.

Report this publication

Statistics

Seen <100 times