Resilience of Deployed TCP to Blind FIN Attacks
In prior work conducted in 2015, we considered the resilience of deployed TCP implementations to blind in-window RST, SYN, and data attacks. These three attacks, and defenses against them, were previously described in RFC 5961. In this report, we consider the resilience of deployed TCP implementations to blind in-window FIN attacks, an attack not explicitly covered in RFC 5961, in which an off-path adversary disrupts an established connection by sending a packet that the victim believes came from its peer, causing the connection to be closed prematurely. We extended scamper, a parallelized packet prober with existing TCP behaviour inference capability, with an active measurement test that infers whether a TCP implementation will accept a FIN packet carrying an acknowledgement value that should cause the receiver to discard the packet. We tested the operating systems (and any middleboxes deployed in front of them) of 4397 webservers in the wild in September 2017 and found that 18% of tested connections were vulnerable to in-window FIN attack packets, consistent with our prior measurements of the resilience of TCP implementations to blind in-window RST, SYN, and data attacks.
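The receiver-side check that such a test exercises can be sketched as follows. This is an added example, not code from the report or from scamper. It assumes the acknowledgement range check of RFC 5961 section 5.2 applied to an in-window FIN, next to the laxer check of the original TCP specification, which only rejects ACKs for data not yet sent. The function names and sample state are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Send-side state held by the endpoint that receives the FIN (RFC 793 names). */
struct tcp_snd_state {
    uint32_t snd_una;     /* oldest unacknowledged sequence number */
    uint32_t snd_nxt;     /* next sequence number to be sent */
    uint32_t max_snd_wnd; /* largest window the peer has ever advertised */
};

/* Constructed sample state, not taken from the report. */
const struct tcp_snd_state SAMPLE = { 1000u, 2000u, 65535u };

/* a <= b in 32-bit sequence space, so the comparison survives wraparound. */
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* RFC 5961 section 5.2: (SND.UNA - MAX.SND.WND) <= SEG.ACK <= SND.NXT. */
bool ack_ok_rfc5961(const struct tcp_snd_state *s, uint32_t seg_ack)
{
    uint32_t lower = s->snd_una - s->max_snd_wnd; /* wraps modulo 2^32 */
    return seq_leq(lower, seg_ack) && seq_leq(seg_ack, s->snd_nxt);
}

/* Laxer check: anything not beyond SND.NXT passes, i.e. half the ACK space. */
bool ack_ok_legacy(const struct tcp_snd_state *s, uint32_t seg_ack)
{
    return seq_leq(seg_ack, s->snd_nxt);
}

/* true: the in-window FIN is processed; false: it is discarded and an ACK sent. */
bool fin_accepted(const struct tcp_snd_state *s, uint32_t seg_ack, bool hardened)
{
    return hardened ? ack_ok_rfc5961(s, seg_ack) : ack_ok_legacy(s, seg_ack);
}

int main(void)
{
    /* Constructed stale ACK value, 2^30 behind SND.UNA. */
    uint32_t stale = SAMPLE.snd_una - 0x40000000u;
    printf("legacy stack accepts FIN:   %d\n", fin_accepted(&SAMPLE, stale, false));
    printf("hardened stack accepts FIN: %d\n", fin_accepted(&SAMPLE, stale, true));
    return 0;
}
```

A stack applying only the laxer check processes the FIN for roughly half of all possible acknowledgement values, while the RFC 5961 range narrows acceptance to a span of MAX.SND.WND plus the outstanding data.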