Recently a very interesting discovery – a common feature in modern firewalls (discarding out-of-state packets) actually leaks useful information to a malicious hacker – was published at the top academic conference specializing in computer security. To understand the type of attack that would exploit this risk we need to step back and recall how TCP works and what firewalls do.
When two devices communicate via TCP over the internet (e.g. one is a browser on a computer or smartphone, and the other is a web server), they number the exchanged packets with “sequence numbers”. Each side checks that it is getting packets from the other in a correctly increasing series of these sequence numbers, and discards any packet that has an unexpected number (“out of state”). In order to make it hard for attackers to inject correctly-sequenced attack traffic into the communication stream (a.k.a. hijack the connection), the two devices pick random sequence numbers to start from during the connection setup. This mechanism has been in use for many years and is working well. And indeed as long as an attacker doesn’t know these randomly-chosen initial sequence numbers, it needs to be impossibly lucky to successfully hijack a connection.
Firewall vendors decided to enhance this traffic protection by tracking the exchange of sequence numbers between the client and server – and discarding any out-of-state packets. The idea here is basically a good one: discard malicious traffic as soon as possible. The rationale: why waste effort sending out-of-state packets all the way to the destination, where they will surely be discarded? This protection has also been around for years, and firewall vendors in fact tout it as a feature of their products.
What the authors discovered is that when the out-of-state packets are being dropped by the firewall (and not by the communicating parties) – a clever attacker can discover the random initial sequence numbers, and successfully hijack a connection! Adding a second defense mechanism in the firewall turns out to undermine the original defense mechanism.
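A minimal model of the sequence tracking described above, added here as an illustration (it is not code from the original post or from the research it discusses). The window size and all class and function names are assumptions; the model only shows where an out-of-state packet stops under each firewall setting.

```python
import secrets

SEQ_MOD = 2**32   # TCP sequence numbers are 32-bit and wrap around
WINDOW = 65535    # assumed acceptance window; real devices vary


def in_window(seq, expected, window=WINDOW):
    """True if seq lies in [expected, expected + window) modulo 2**32."""
    return (seq - expected) % SEQ_MOD < window


class Endpoint:
    """Receiving host: tracks the next sequence number it expects."""

    def __init__(self, isn):
        self.expected = (isn + 1) % SEQ_MOD  # the SYN consumes one number

    def receive(self, seq, length):
        if not in_window(seq, self.expected):
            return "dropped_by_endpoint"
        if seq == self.expected:  # only in-order data advances the state
            self.expected = (self.expected + length) % SEQ_MOD
        return "accepted"


class StatefulFirewall:
    """Middlebox that mirrors the endpoint's sequence state and filters early."""

    def __init__(self, isn, endpoint, drop_out_of_state=True):
        self.expected = (isn + 1) % SEQ_MOD
        self.endpoint = endpoint
        self.drop_out_of_state = drop_out_of_state

    def forward(self, seq, length):
        if self.drop_out_of_state and not in_window(seq, self.expected):
            return "dropped_by_firewall"  # packet never reaches the host
        verdict = self.endpoint.receive(seq, length)
        if verdict == "accepted" and seq == self.expected:
            self.expected = (self.expected + length) % SEQ_MOD
        return verdict


def new_connection(drop_out_of_state=True, isn=None):
    """Build a firewall/endpoint pair that share one randomly chosen ISN."""
    isn = secrets.randbits(32) if isn is None else isn
    return isn, StatefulFirewall(isn, Endpoint(isn), drop_out_of_state)
```

With the feature on, an out-of-state packet stops at the firewall; with it off, the same packet travels to the host and is discarded there, which is the difference in behaviour the post refers to.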
This technique is not an attack in and of itself – it is a new tool for attackers. With this tool in their arsenal, attackers can mount new forms of well known attacks (e.g. more convincing phishing attacks).
There is some “fine print” though. For this to work the attacker typically needs to have some malware on the victim client (e.g. on the smartphone). The attacker also needs the ability to send packets with fake IP addresses (“spoofing”), plus some other requirements. However, the authors demonstrated that these details can be handled, and were able to show working attacks. So this is a real threat, not just a theoretical idea.
Now we wait and see if and how firewall vendors respond. Will they release counter-measures to this vulnerability? Or will they recommend turning off the “drop out-of-state packets” feature?
Stay tuned and let me know what you think.