Off-Path Hacking: The Illusion of Challenge-Response Authentication
This work exposes critical vulnerabilities in Internet security for users and systems that rely on non-cryptographic protections, highlighting an urgent need for stronger defenses.
The paper demonstrates that off-path attackers can circumvent challenge-response authentication in widely-used protocols like TCP and DNS, enabling practical injection and poisoning attacks that compromise security mechanisms such as the Same Origin Policy.
Everyone is concerned about Internet security, yet most traffic is not cryptographically protected. The usual justification is that most attackers are only off-path and cannot intercept traffic; hence, challenge-response mechanisms suffice to ensure authenticity. Usually, the challenges re-use existing 'unpredictable' header fields to protect widely-deployed protocols such as TCP and DNS. We argue that this practice may often give only an illusion of security. We present recent off-path TCP injection and DNS poisoning attacks that enable attackers to circumvent existing challenge-response defenses. Both the TCP and the DNS attacks are non-trivial, yet very efficient and practical. The attacks foil widely deployed security mechanisms, such as the Same Origin Policy, and allow a wide range of exploits, e.g., long-term caching of malicious objects and scripts. We hope that this article will motivate adoption of cryptographic mechanisms such as SSL/TLS, IPsec and DNSSEC, and of correct, secure challenge-response mechanisms.