A Off-Path TCP Injection Attacks

TCP is the main transport protocol over the Internet, ensuring reliable and efficient connections. TCP is trivially vulnerable to man-in-the-middle (MitM) attackers; they can intercept, modify and inject TCP traffic [Joncheray 1995]. Despite significant possible threats, a common assumption is that MitM capabilities are difficult to obtain; this assumption is demonstrated by OWASP’s list of top ten security risks [The Open Web Application Security Project (OWASP) 2013] where the majority of attacks do not require MitM capabilities. Even without cryptographic defenses against MitM, network protocols should be secure against weaker but common off-path attackers. Off-path attackers are weaker than MitM attackers since they cannot eavesdrop on packets sent to others; however, they can send ‘spoofed’ packets, i.e., packets containing fake source IP address. There is a widespread belief that it is not feasible for an off-path attacker to inject traffic into a TCP connection. The reasoning is that (modern) TCP implementations randomize the 32-bit sequence number [Gont and Bellovin 2012], and most implementations also randomize the 16-bit client port [Larsen and Gont 2011]; hence, in order to successfully inject data to the TCP stream, the off-path adversary seems to have