[multipathtcp] MPTCP backup flag attack via MP_PRIO message
Zhiyun Qian <zhiyunq@cs.ucr.edu> Thu, 20 July 2017 07:16 UTC
Return-Path: <qzy888@gmail.com>
X-Original-To: multipathtcp@ietfa.amsl.com
Delivered-To: multipathtcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45071131D04 for <multipathtcp@ietfa.amsl.com>; Thu, 20 Jul 2017 00:16:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.45
X-Spam-Level:
X-Spam-Status: No, score=-1.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsqGYfMUKTbH for <multipathtcp@ietfa.amsl.com>; Thu, 20 Jul 2017 00:15:59 -0700 (PDT)
Received: from mail-ua0-x22d.google.com (mail-ua0-x22d.google.com [IPv6:2607:f8b0:400c:c08::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5505F131D0B for <multipathtcp@ietf.org>; Thu, 20 Jul 2017 00:15:41 -0700 (PDT)
Received: by mail-ua0-x22d.google.com with SMTP id 35so16532178uax.3 for <multipathtcp@ietf.org>; Thu, 20 Jul 2017 00:15:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to:cc :content-transfer-encoding; bh=o7f7UI4igTK7yEhrNXRFimpcyCttvzDFha2lTnLu7F0=; b=VuRazhefBTRu88D0BJZMI95UVf6pKm2MMhm4v4dgJh11zTkHhmi0ZtOcmSErGH38pF rLTZVhqijNJdJk3GEYcaDfQZV0PsijMSoslZDk6MH/eGrM9YcCtsdywVEYTKLxSkdG+c YA+xkszlPZQJScjn6mwB0bLobQzk9kQM4h5QLgown3p4VSneQNK8W+7mF6ADfu+vO9g/ yL1RAsOIqQbCNx2vrTM3w62/dgS4unBnlaVNhzxY8141Z4gAXWHnbwl6MC9f+nNZNbUL BSI9SV+/TUvY4bC9ZTrUj17z38Q1j+EEb1dH2uPk7zPTykiPqGNDJ1J71hY+oeg0z/iR Kyjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to:cc:content-transfer-encoding; bh=o7f7UI4igTK7yEhrNXRFimpcyCttvzDFha2lTnLu7F0=; b=E/OOkNH4rKjnyTpXVlV7z3xRwjY8BA5ouXpsoy/uV1n3Aw/VvbBjj89Kx8ZlFbsxlb KNZm1MHlkhG3jz6DzWgSifBejAPa0m8neQhmHeL2LebDPi/JBkJ5FSt6QsCGJQrDrQEg loGrB8g9rOnMPnuBAobSE/SDbt9W1tTHqiqrqUA/7jNsemo/Ktp1Wh3OpWccf2c4OCop 2jCEo+zQzepNIOtYG0F3D44uQgZkTGvSbs20V0jQPO5lFY6kpuX2gif2r3UA/wOjchBh BoiaWlkQa6bvaXXW3Bwq/EgCzmHabgNon142DSeH+Et9RJlyysbPS4kWZRhgPQ2Oxj5P 2MUw==
X-Gm-Message-State: AIVw113vdzzenp8RaW1baFJQ2pBljnWy4aPpnjCYwSSPKVGMrutJ92Ez WPLezYSatpfByzH4uszasjKMZ9i64tJs
X-Received: by 10.31.159.201 with SMTP id i192mr1393337vke.116.1500534940130; Thu, 20 Jul 2017 00:15:40 -0700 (PDT)
MIME-Version: 1.0
Sender: qzy888@gmail.com
Received: by 10.103.149.65 with HTTP; Thu, 20 Jul 2017 00:15:39 -0700 (PDT)
From: Zhiyun Qian <zhiyunq@cs.ucr.edu>
Date: Thu, 20 Jul 2017 00:15:39 -0700
X-Google-Sender-Auth: KolM8jBEwMTPOca4SkZfFFLEoTw
Message-ID: <CALvgte-JTCN=O3nBa5gLQL+ea3oGS-zrRBRZ_pt_npb4EvSsvQ@mail.gmail.com>
To: multipathtcp@ietf.org
Cc: Ali Munir <munirali@msu.edu>, Zubair <zubair-shafiq@uiowa.edu>, Alex Liu <alexliu@cse.msu.edu>, Franck Le <fle@us.ibm.com>, Olivier Bonaventure <Olivier.Bonaventure@uclouvain.be>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/multipathtcp/RVUG8IbZOQWE1M7v9EClj1WohVY>
Subject: [multipathtcp] MPTCP backup flag attack via MP_PRIO message
X-BeenThere: multipathtcp@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-path extensions for TCP <multipathtcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/multipathtcp/>
List-Post: <mailto:multipathtcp@ietf.org>
List-Help: <mailto:multipathtcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/multipathtcp>, <mailto:multipathtcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 07:17:48 -0000
Dear all, We are a group of researchers (cc:ed on the email) who recently discovered a security flaw in the MP_PRIO messge that allows a man-in-the-middle attacker on a single path to divert all traffic to its own path, effectively hijacking the entire MPTCP connection. Below we describe the problem in brief (more details will be found in our upcoming ICNP paper. We also hope to submit an Internet draft soon). We thank Olivier Bonaventure for his valuable feedback. --------------------------------------------------------------- MPTCP supports using sub-connections as backup – i.e., using a sub-connection to send data only if there is no other sub-connection available. Specifically, an MPTCP host can send a request to the other host to set any sub-connection as a backup by using the MPTCP MP_PRIO option. Hosts can request change in the priority to use a subconnection as regular or backup. To set a sub-connection as backup, a host can request a change in the sub-connection priority by sending MPTCP MP_PRIO option to the other host with the corresponding address identifier. The key property of MP_PRIO messages is that they can be sent on any sub-connection. The reason is that if a sub-connection is already congested, it may not be possible to deliver the message to pause itself. After receiving such a control packet, the sender will stop sending data and the corresponding sub-connection’s throughput will drop to zero. Unfortunately, unlike MP_JOIN, such a MP_PRIO option has no authentication required by the specification whatsoever, allowing an attacker controlling only one path to set any sub-connection as backup and launch traffic divergence and connection hijack attacks. The backup flag vulnerability allows an attacker to divert traffic among MPTCP sub-connections. An attacker can offload traffic from the eavesdropped sub-connection to other MPTCP sub-connections by sending forged packets with the MP_PRIO option to set the eavesdropped sub-connection as a backup. An attacker can also onload traffic from non-eavesdropped sub-connections to the eavesdropped sub-connection by sending forged packets with the MP_PRIO option to set all other sub-connections as backup. This attack is similar to connection hijack attack, where an attacker diverts all the traffic to pass through the sub-connection on the eavesdropped path. Connection Hijack Example: Consider a scenario where two sub-connections of an MPTCP connection pass through paths p1 and p2. An attacker can hijack the non-eavesdropped subconnection on p2 by dynamically changing the priority of a sub-connection and declaring it as backup. To launch this attack an attacker only needs to know the address identifier of the host , which can be obtained by eavesdropping other paths or easily guessed as they are set incrementally in current Linux implementation of MPTCP. Since the identifier has only 8 bits, it can even be brute forced. To set a non-eavesdropped sub-connection as backup between hosts A and B, an attacker can request a change in the sub-connection priority by sending MPTCP MP_PRIO option to host B with the address identifier of host A. Since by design the MP_PRIO messages can be sent on any sub-connection, the attacker eavesdropping on any path capable of sending such a forged backup message can pause any other path. Note that a backup MPTCP sub-connection may still be used for data transmission later, which can be detected by the attacker by observing the overall MPTCP throughput. Effectively, this attack degrades an MPTCP connection to a regular TCP connection as all traffic will be routed through the attacker-controlled path. We argue that this vulnerability makes MPTCP less secure than TCP, because the entire MPTCP connection can be compromised (fully controlled by an attacker) as long as any one of the communication paths is compromised. Unfortunately, MPTCP specification does not include any authentication mechanism whatsoever regarding the MP_PRIO message. We discuss several solutions in a forthcoming paper [ICNP2017], but a simple approach to cope with this attack would be to reconsider the utilisation of the address identifier in the MP_PRIO option. This option allows a host to set/change the priority of all the subflows associated to a given address identifier on another subflow. It could have use cases, such as sending MP_PRIO over a WiFi subflow to put the cellular subflow in backup mode without sending a packet over the cellular interface, but this looks like an edge case. Looking at the attack that we have identified, the working group should evaluate the removal of the address identifier in rfc6824bis. If the MP_PRIO option does not include an address identifier, then it becomes impossible for an attacker who is on-path of a given subflow to change the priority of the other subflows. Best, -Zhiyun