Exploiting Cross-Layer Vulnerabilities: Off-Path Attacks on the TCP/IP Protocol Suite

TL;DR

This paper uncovers cross-layer vulnerabilities in the TCP/IP protocol suite caused by ICMP error messages, demonstrating their exploitation potential and proposing countermeasures to improve Internet security.

Contribution

It provides a comprehensive analysis of vulnerabilities caused by ICMP errors and introduces effective defenses, highlighting the security risks of cross-layer interactions in TCP/IP.

Findings

Vulnerabilities affect over 20% of popular websites.

More than 89% of public Wi-Fi networks are vulnerable.

Off-path attackers can exploit these vulnerabilities stealthily.

Abstract

After more than 40 years of development, the fundamental TCP/IP protocol suite, serving as the backbone of the Internet, is widely recognized for having achieved an elevated level of robustness and security. Distinctively, we take a new perspective to investigate the security implications of cross-layer interactions within the TCP/IP protocol suite caused by ICMP error messages. Through a comprehensive analysis of interactions among Wi-Fi, IP, ICMP, UDP, and TCP due to ICMP errors, we uncover several significant vulnerabilities, including information leakage, desynchronization, semantic gaps, and identity spoofing. These vulnerabilities can be exploited by off-path attackers to manipulate network traffic stealthily, affecting over 20% of popular websites and more than 89% of public Wi-Fi networks, thus posing risks to the Internet. By responsibly disclosing these vulnerabilities to affected vendors and proposing effective countermeasures, we enhance the robustness of the TCP/IP protocol suite, receiving acknowledgments from well-known organizations such as the Linux community, the OpenWrt community, the FreeBSD community, Wi-Fi Alliance, Qualcomm, HUAWEI, China Telecom, Alibaba, and H3C.