The Transmission Control Protocol (TCP) implementation in all Linux systems deployed since 2012 (version 3.6 and above of the Linux kernel) poses a serious threat to Internet users, whether or not they use Linux directly.
This issue is troubling because Linux is used widely across the Internet, from web servers to Android smartphones, tablets, and smart TVs.
Researchers have uncovered a serious Internet flaw, which if exploited, could allow attackers to terminate or inject malware into unencrypted communication between any two vulnerable machines on the Internet.
The vulnerability could also be used to forcefully terminate HTTPS encrypted connections and downgrade the privacy of secure connections, as well as also threatens anonymity of Tor users by routing them to certain malicious relays.
The flaw actually resides in the design and implementation of the Request for Comments: 5961 (RFC 5961) – a relatively new Internet standard that's designed to make commonly used TCP more robust against hacking attacks.
TCP protocol is the heart of all Internet communications, as all application level protocols, including HTTP, FTP, SSH, Telnet, DNS, and SMTP, stand on TCP.
Web servers and other applications make use of TCP protocol to establish connections between hosts to transfer data between them.
A team of six security researchers from the University of California, Riverside and the U.S. Army Research Laboratory has demonstrated a proof-of-concept exploit at the USENIX Security Symposium that can be used to detect if two hosts are communicating over TCP and ultimately attack that traffic.
No Need of Man-in-the-Attack Position
Researchers found that 'Side channels' attack allows hackers to guess the TCP packet sequence numbers accurately within first 10 seconds of the attack by using no more information than just the IP addresses of both parties.
This means, an attacker with spoofed IP address does not need a man-in-the-middle (MITM) position, apparently intercepting and injecting malicious TCP packets between any two arbitrary machines on the Internet.
The researchers detailed their findings in the paper titled, 'Off-Path TCP Exploits: Global Rate Limit Considered Dangerous' [PDF], which they presented at the conference, showing the audience how they injected a phishing form inside the USA Today website.
You can watch the video demonstration above that shows the attack in work.
Targeting the Tor Network
The researchers also show how the flaw (CVE-2016-5696) can be exploited to break Secure Shell (SSH) connections and tamper with encrypted communications traveling over Tor anonymity network.
"In general, we believe that a DoS [Denial of Service] attack against Tor connections can have a devastating impact on both the availability of the service as a whole and the privacy guarantees that it can provide," the paper reads.
"The default policy in Tor is that if a connection is down between two relay nodes, say a middle relay and an exit relay, the middle relay will pick a different exit relay to establish the next connection. If an attacker can dictate which connections are down (via reset attacks), then the attacker can potentially force the use of certain exit relays."The team also provided recommendations on how to mitigate the attack.
Here's How to Mitigate TCP Attack
While patches to fix the vulnerability are developed and distributed for the current Linux kernel, as a workaround you can raise the ACK rate limit on your Linux machine or gadget to large values so that it cannot be reached.
For this, you are required to append the following to /etc/sysctl.conf:
net.ipv4.tcp_challenge_ack_limit = 999999999Once done, use sysctl -p to activate the new rule. You need to perform root to do this.
The researchers also note that while Linux version 3.6 and above are vulnerable to this attack, Windows, OS X and FreeBSD are not believed to be vulnerable because they have not yet fully implemented RFC 5961.