Issue No.05 - Sept.-Oct. (2014 vol.12)
Yossi Gilad , Bar Ilan University
Amir Herzberg , Bar Ilan University
Haya Shulman , Technische Universität Darmstadt
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2013.130
Everyone is concerned about Internet security, yet most traffic isn't cryptographically protected. The typical justification is that most attackers are off path and can't intercept traffic; hence, intuitively, challenge-response defenses should suffice to ensure authenticity. Often, the challenges reuse existing header fields to protect widely deployed protocols such as TCP and DNS. This practice might give an illusion of security. Recent off-path TCP injection and DNS poisoning attacks enable attackers to circumvent existing challenge-response defenses. Both TCP and DNS attacks are nontrivial, yet practical. The attacks foil widely deployed security mechanisms and allow a wide range of exploits, such as long-term caching of malicious objects and scripts.
Ports (Computers), Computer crime, Protocols, Internet, Cryptography, IP networks, Computer security,security, off-path attacks, DNS cache poisoning, TCP injections, challenge-response defenses
Yossi Gilad, Amir Herzberg, Haya Shulman, "Off-Path Hacking: The Illusion of Challenge-Response Authentication", IEEE Security & Privacy, vol.12, no. 5, pp. 68-77, Sept.-Oct. 2014, doi:10.1109/MSP.2013.130