# CVE-2016-5696: Global Rate Limit and Challenge ACKs
Pre-RFC 5961

- When a SYN packet is received,
   - if seq.num is in-window,
      - the receiver resets this connection.
   - else,
      - the receiver sends an ACK back to the sender.

- When a RST packet is received,
   - if seq.num is in-window,
      - the receiver resets this connection.

Post-RFC 5961

- When a SYN packet is received (whatever its seq.num),
   - the receiver sends a challenge ACK back to the sender.
   - a sender that genuinely has no connection replies with a RST carrying the correct seq.num (taken from the challenge ACK), which then resets the connection.

- When a RST packet is received,
   - if seq.num exactly matches the next seq.num,
      - the connection is reset.
   - else, if seq.num is in-window,
      - the receiver sends a challenge ACK back to the sender.
   - else,
      - the receiver drops the packet.
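The two decision lists above, written out as an added example (modelled on the lists, not code from the Linux kernel or the RFC). It shows the pre- and post-RFC 5961 handling of SYN and RST segments side by side, the in-window test done modulo 2^32 as TCP requires, and the challenge ACK round trip: the server answers a stale SYN with a challenge ACK, the peer that has no connection answers that with a RST whose seq.num equals the challenge ACK's ack.num, and only that exact match resets the connection. The receiver state (RCV.NXT, RCV.WND, SND.NXT) and the action names are assumptions of this example.

```python
"""SYN and RST handling before and after RFC 5961 (added example).

Assumed simplified receiver state: rcv_nxt (next expected sequence number),
rcv_wnd (receive window) and snd_nxt (next sequence number to send).  A
segment is in-window when rcv_nxt <= seq < rcv_nxt + rcv_wnd, computed
modulo 2**32 so that wraparound is handled like real TCP."""

MOD = 1 << 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Acceptability test for a single sequence number, modulo 2**32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


# --- Pre-RFC 5961 --------------------------------------------------------

def pre_rfc5961_syn(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    # In-window SYN tears the connection down; out-of-window SYN gets a plain ACK.
    return "RESET_CONNECTION" if in_window(seq, rcv_nxt, rcv_wnd) else "SEND_ACK"


def pre_rfc5961_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    # Any in-window RST resets the connection: a guessable seq.num is enough.
    return "RESET_CONNECTION" if in_window(seq, rcv_nxt, rcv_wnd) else "DROP"


# --- Post-RFC 5961 -------------------------------------------------------

def post_rfc5961_syn(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    # The sequence number is not trusted at all: always challenge.
    return "SEND_CHALLENGE_ACK"


def post_rfc5961_rst(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    if seq == rcv_nxt:                      # exact match only
        return "RESET_CONNECTION"
    if in_window(seq, rcv_nxt, rcv_wnd):    # close but not exact: challenge
        return "SEND_CHALLENGE_ACK"
    return "DROP"


# --- The challenge ACK round trip ----------------------------------------

def challenge_ack(snd_nxt: int, rcv_nxt: int) -> dict:
    """Challenge ACK: <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>."""
    return {"flags": "ACK", "seq": snd_nxt, "ack": rcv_nxt}


def rst_for_unknown_connection(ack_segment: dict) -> dict:
    """A host with no matching connection answers an ACK-bearing segment with
    <SEQ=SEG.ACK><CTL=RST>, so the RST's seq.num is exactly RCV.NXT."""
    return {"flags": "RST", "seq": ack_segment["ack"]}


def stale_syn_exchange(rcv_nxt: int, rcv_wnd: int, snd_nxt: int, syn_seq: int) -> str:
    """Post-RFC 5961 handling of a SYN from a peer that lost its state:
    returns the receiver's final action after the RST comes back."""
    if post_rfc5961_syn(syn_seq, rcv_nxt, rcv_wnd) != "SEND_CHALLENGE_ACK":
        raise AssertionError("post-RFC 5961 receiver must challenge a SYN")
    chal = challenge_ack(snd_nxt, rcv_nxt)          # server -> peer
    rst = rst_for_unknown_connection(chal)          # peer -> server
    return post_rfc5961_rst(rst["seq"], rcv_nxt, rcv_wnd)


if __name__ == "__main__":
    # Constructed state: RCV.NXT = 1000, window 1000, SND.NXT = 5000.
    for seq in (1000, 1050, 5000):
        print(seq, pre_rfc5961_rst(seq, 1000, 1000), post_rfc5961_rst(seq, 1000, 1000))
    print("stale SYN round trip:", stale_syn_exchange(1000, 1000, 5000, 7777))
```

The contrast worth noticing is the middle line of the loop: seq.num 1050 is in-window, so the pre-RFC receiver resets the connection on a blind RST, while the post-RFC receiver only sends a challenge ACK, and the reset now requires the exact next sequence number, which a legitimate peer learns from the challenge ACK itself.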

Vulnerability

Challenge ACKs are rate-limited by a single global counter that is static (non-random, set to 100 by default) and shared across all TCP connections.
That shared state can be observed as a side channel to infer:

   - if a connection specified by its four-tuple exists
   - the next expected seq.num
   - the next expected ack.num

Connection (four-tuple) inference
(attacker) -- SYN/ACK + ClientIP/¿ClientPort_N?/ServerIP/ServerPort --> (server)
(server) -- RST --> (client)
(attacker) x 100 -- SYN/ACK + AttackerIP/AttackerPort/ServerIP/ServerPort --> (server)
(server) x 100 -- Challenge ACK --> (attacker)
...
(attacker) -- SYN/ACK + ClientIP/ClientPort/ServerIP/ServerPort -->  (server)
(server) -- Challenge ACK -->  (client)
(attacker) x 100 -- SYN/ACK + AttackerIP/AttackerPort/ServerIP/ServerPort -->  (server)
(server) x 99 -- Challenge ACK -->  (attacker)

Sequence number inference
(attacker) -- RST + ClientIP/ClientPort/ServerIP/ServerPort + seq.num out-of-window -->  (server)
(server) --> Drop 
(attacker) x 100 -- RST + AttackerIP/AttackerPort/ServerIP/ServerPort + seq.num -->  (server)
(server) x 100 -- Challenge ACK -->  (attacker)
...
(attacker) -- RST + ClientIP/ClientPort/ServerIP/ServerPort + seq.num in-window --> (server)
(server) -- Challenge ACK --> (client)
(attacker) x 100 -- RST + AttackerIP/AttackerPort/ServerIP/ServerPort + seq.num --> (server)
(server) x 99 -- Challenge ACK --> (attacker)

ACK number inference
(attacker) -- ACK + ClientIP/ClientPort/ServerIP/ServerPort + seq.num out-of-window --> (server)
(server) --> Drop/Accept
(attacker) x 100 -- RST + AttackerIP/AttackerPort/ServerIP/ServerPort + seq.num --> (server)
(server) x 100 -- Challenge ACK --> (attacker)
...
(attacker) -- ACK + ClientIP/ClientPort/ServerIP/ServerPort + seq.num in-window --> (server)
(server) -- Challenge ACK --> (client)
(attacker) x 100 -- RST + AttackerIP/AttackerPort/ServerIP/ServerPort + seq.num --> (server)
(server) x 99 -- Challenge ACK --> (attacker)

References

https://tools.ietf.org/html/rfc5961
https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_cao.pdf
https://github.com/Gnoxter/mountain_goat
https://github.com/violentshell/rover
