A feature designed to make Linux-based networks harder to infiltrate has done the opposite. But can it really affect Tor?
Researchers at the University of California at Riverside have published a Linux networking flaw that could allow an attacker to blindly infiltrate a connection and even undermine the privacy afforded by Tor.
“The vulnerability allows a blind off-path attacker to infer if any two arbitrary hosts on the Internet are communicating using a TCP connection,” said the researchers.
“Further, if the connection is present, such an off-path attacker can also infer the TCP sequence numbers in use, from both sides of the connection; this in turn allows the attacker to cause connection termination and perform data injection attacks.”
“We illustrate how the attack can be leveraged to disrupt or degrade the privacy guarantees of an anonymity network such as Tor, and perform web connection hijacking.”
If one end of a connection believes the other is being tampered with, it transmits a special packet of data known as a ‘Challenge ACK’. This limit is set at 100 per second so a malicious actor cannot simply overload a network by provoking an infinite number of Challenge ACK packets.
But because this limit is known, it can allow attackers to learn more about the connection.
The researchers outline a method whereby an attacker could blindly send a fake packet of data claiming one endpoint is connected to another. If this isn’t true, then no Challenge ACK packet will be returned.
But if it is true, then there are only 99 packets left. This means that if an attacker provokes another 100 then the two endpoints are indeed connected and more is known about the network.
This, experts say, could allow criminals to see which servers you are connected to – which could be good for social engineering – and even find a way to make suspicious packets look legitimate.
The researchers said the method is “fast and reliable”, taking between 40-60 seconds to complete and achieving a success rate of between 88 and 97 percent.
However the bug is not deemed to be a doomsday scenario.
“This is an interesting rather than a calamitous bug, for all that you may have seen headlines saying that it could “disrupt Tor” and ‘inject malware’,” said Paul Ducklin, Senior Technologist at Sophos.
“Importantly, crooks can’t use this attack as a way of poisoning a specific website to attack anyone who visits it, as they could if they hacked into the site itself and altered its content directly. Also, they can’t use this attack (at least in any practicable way that we can see) to strip away your anonymity on Tor, or to sniff your traffic.”
Ducklin recommends admins of vulnerable servers increase the number of ACKs to 1 million, upgrade any web server to HTTPS and ensure routers in a network reject spoofed packets as far as possible.
The researchers have also made two recommendations to the Linux community. It suggests separate Challenge ACK counters are kept for each connection and that the limits are regularly changed up and down to minimise the threat of the attack.
“In short: this bug isn’t the end of the world as we know it, but it’s a fascinating lesson in how adding restrictions with the aim of improving security may paradoxically end up reducing it,” added Ducklin.