Off-Path Hacking: The Illusion of Challenge-Response Authentication
Yossi Gilad, Amir Herzberg, Haya Shulman

TL;DR
This paper demonstrates that common challenge-response security measures in TCP and DNS can be bypassed by off-path attackers, highlighting the need for cryptographic solutions like SSL/TLS and DNSSEC.
Contribution
It presents practical off-path TCP injection and DNS poisoning attacks that undermine existing challenge-response defenses, emphasizing the importance of cryptographic security.
Findings
Off-path attacks can bypass challenge-response mechanisms.
TCP and DNS attacks enable long-term malicious caching.
Current security measures may provide only an illusion of safety.
Abstract
Everyone is concerned about Internet security, yet most traffic is not cryptographically protected. The usual justification is that most attackers are only off-path and cannot intercept traffic; hence, challenge-response mechanisms suffice to ensure authenticity. Usually, the challenges re-use existing 'unpredictable' header fields to protect widely-deployed protocols such as TCP and DNS. We argue that this practice may often only give an illusion of security. We present recent off-path TCP injection and DNS poisoning attacks, enabling attackers to circumvent existing challenge-response defenses. Both TCP and DNS attacks are non-trivial, yet very efficient and practical. The attacks foil widely deployed security mechanisms, such as the Same Origin Policy, and allow a wide range of exploits, e.g., long-term caching of malicious objects and scripts. We hope that this article will…
Taxonomy
Topics: Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting · IPv6, Mobility, Handover, Networks, Security
