The Hacker News Logo
Subscribe to Newsletter

Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely

linux-server-tcp-packet-hacking
If you are using the Internet, there are the possibilities that you are open to attack.

The Transmission Control Protocol (TCP) implementation in all Linux systems deployed since 2012 (version 3.6 and above of the Linux kernel) poses a serious threat to Internet users, whether or not they use Linux directly.

This issue is troubling because Linux is used widely across the Internet, from web servers to Android smartphones, tablets, and smart TVs.

Researchers have uncovered a serious Internet flaw, which if exploited, could allow attackers to terminate or inject malware into unencrypted communication between any two vulnerable machines on the Internet.

The vulnerability could also be used to forcefully terminate HTTPS encrypted connections and downgrade the privacy of secure connections, as well as also threatens anonymity of Tor users by routing them to certain malicious relays.

The flaw actually resides in the design and implementation of the Request for Comments: 5961 (RFC 5961) – a relatively new Internet standard that's designed to make commonly used TCP more robust against hacking attacks.

TCP protocol is the heart of all Internet communications, as all application level protocols, including HTTP, FTP, SSH, Telnet, DNS, and SMTP, stand on TCP.

Web servers and other applications make use of TCP protocol to establish connections between hosts to transfer data between them.

A team of six security researchers from the University of California, Riverside and the U.S. Army Research Laboratory has demonstrated a proof-of-concept exploit at the USENIX Security Symposium that can be used to detect if two hosts are communicating over TCP and ultimately attack that traffic.

No Need of Man-in-the-Attack Position

Linux TCP Flaw allows Hackers to Hijack Internet Traffic and Inject Malware Remotely
Typically, TCP protocol assembles messages into a series of data packets that are identified by unique sequence numbers and transmitted to the receiver. When received, the data packets are then reassembled by the receiver into the original message.

Researchers found that 'Side channels' attack allows hackers to guess the TCP packet sequence numbers accurately within first 10 seconds of the attack by using no more information than just the IP addresses of both parties.

This means, an attacker with spoofed IP address does not need a man-in-the-middle (MITM) position, apparently intercepting and injecting malicious TCP packets between any two arbitrary machines on the Internet.

The researchers detailed their findings in the paper titled, 'Off-Path TCP Exploits: Global Rate Limit Considered Dangerous' [PDF], which they presented at the conference, showing the audience how they injected a phishing form inside the USA Today website.
You can watch the video demonstration above that shows the attack in work.

Targeting the Tor Network


The researchers also show how the flaw (CVE-2016-5696) can be exploited to break Secure Shell (SSH) connections and tamper with encrypted communications traveling over Tor anonymity network.
"In general, we believe that a DoS [Denial of Service] attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide," the paper reads. 
"The default policy in Tor is that if a connection is down between two relay nodes, say a middle relay and an exit relay, the middle relay will pick a different exit relay to establish the next connection. If an attacker can dictate which connections are down (via reset attacks), then the attacker can potentially force the use of certain exit relays."
The team also provided recommendations on how to mitigate the attack.

Here's How to Mitigate TCP Attack


While patches to fix the vulnerability are developed and distributed for the current Linux kernel, as a workaround you can raise the ACK rate limit on your Linux machine or gadget to large values so that it cannot be reached.

For this, you are required to append the following to /etc/sysctl.conf:
net.ipv4.tcp_challenge_ack_limit = 999999999
Once done, use sysctl -p to activate the new rule. You need to perform root to do this.

The researchers also note that while Linux version 3.6 and above are vulnerable to this attack, Windows, OS X and FreeBSD are not believed to be vulnerable because they have not yet fully implemented RFC 5961.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.