Cyber Intrusions — Off-Path Attacks
In computer network security, attackers are classified according to their capabilities. These classes are known as attack models or adversary models; the eavesdropping adversary model, the MitM adversary model and the off-path adversary model are a few examples.
The off-path adversary is one of the best-known of these models. The off-path attacker is often referred to by other names, including spoofer, spoofing attacker, or blind attacker.
Keywords: adversary models, Eavesdropping, MitM, Off-path adversary, spoofing
MitM Adversary Model
The term ‘MitM’ refers to ‘Man-in-the-Middle’ or ‘Monster-in-the-Middle’. A MitM attacker is located in the middle of the path between communicating parties and can manipulate the communication between them in various ways (intercept, modify, block and inject spoofed packets).
The attacker intercepts ongoing communication without the knowledge of either endpoint. The Monster-in-the-Middle adversary is also called the ‘on-path attacker’.
Off-Path Adversary (Attacker) Model
Unlike a MitM attacker, an off-path attacker cannot observe or modify legitimate packets sent between other parties. This attacker can transmit packets with a spoofed (fake) source IP address — impersonating some legitimate party.
In other words, an off-path adversary misleads the recipient into believing that a message it sent itself was sent by somebody else. For example, as illustrated in the figure below, Oscar the off-path attacker sends a message to Bob, specifying Alice’s name as the sender.
The off-path attacker is significantly weaker than the MitM attacker. In particular, it cannot eavesdrop on or modify messages sent by other parties. The figure below shows the behaviour of both adversaries.
What Off-Path Adversaries Have Been Used For
Looking at the history of off-path attacks, many of them were used to phish for information. Off-path attackers have succeeded in malicious TCP injection, hijacking of TCP connections, and DNS poisoning. For instance, with the help of unprivileged malware, a successful adversary can hijack an HTTP session and return a phishing Facebook login page to the browser.
The timeline of off-path attacks begins in 1985.
Spoofing
The act of disguising a communication from an unknown source as being from a known, trusted source is called ‘Spoofing’. Spoofing is one way bad actors gain the access needed to execute a cyber attack.
Challenge-response defences
The key to off-path attacks is the circumvention of challenge-response defences. Challenge-response defences are often relied upon to distinguish spoofed packets from an off-path attacker from legitimate packets sent by legitimate (verified) communication endpoints. To authenticate a response from a server, a client sends a random challenge with the request, which is echoed in the response.
Since an off-path attacker (Oscar) cannot eavesdrop on packets exchanged between the server and the client, Oscar would have to guess the challenge. The challenge is what stops a packet from Oscar from being accepted. If Oscar can guess the challenge and produce a valid response, we say that the challenge-response defence has failed against the attacker.
The security of most Internet applications (e.g. email, web surfing, and most peer-to-peer applications) relies on challenge-response mechanisms.
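The following simulation is an added example, not code from the article: Bob attaches a random challenge to each request, Alice (who saw the request) echoes it, and Oscar (who did not) can only forge the sender field and guess. The `Client`, `Message` and `demo` names are this example's own, and the challenge width is a parameter so the blind-guess probability can be compared across sizes.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    src: str        # claimed sender: a plain field, so an off-path sender can forge it
    dst: str
    challenge: int  # random value chosen by the requester, echoed by the responder
    payload: str

class Client:
    """Bob: attaches a fresh random challenge to each request and accepts a
    response only if it echoes the challenge still outstanding for that server."""
    def __init__(self, name, challenge_bits):
        self.name, self.challenge_bits = name, challenge_bits
        self.pending = {}  # server name -> outstanding challenge

    def request(self, server, payload):
        c = secrets.randbits(self.challenge_bits)
        self.pending[server] = c
        return Message(self.name, server, c, payload)

    def accept(self, response):
        """True iff the response matches the outstanding challenge for its claimed
        sender; the challenge is consumed, so a second copy (replay) is rejected."""
        if self.pending.get(response.src) != response.challenge:
            return False
        del self.pending[response.src]
        return True

def legitimate_response(server, request):
    # Alice saw the request on the path, so she can echo the challenge.
    return Message(server, request.src, request.challenge, "reply:" + request.payload)

def off_path_spoof(guess, victim, impersonated, challenge_bits):
    # Oscar never saw the request; he can only forge src and guess the challenge.
    return Message(impersonated, victim, guess % (1 << challenge_bits), "spoofed")

def blind_guess_success_probability(challenge_bits, distinct_guesses):
    """Chance that one of `distinct_guesses` different blind guesses hits a
    uniformly random challenge of `challenge_bits` bits (no eavesdropping)."""
    return min(1.0, distinct_guesses / (1 << challenge_bits))

def demo(challenge_bits=32):
    bob = Client("bob", challenge_bits)
    req = bob.request("alice", "lookup example.test")   # constructed sample request
    # Oscar's guess is forced to differ from the real challenge to show the reject path.
    spoof = off_path_spoof(req.challenge + 1, "bob", "alice", challenge_bits)
    spoof_accepted = bob.accept(spoof)
    real_accepted = bob.accept(legitimate_response("alice", req))
    replay_accepted = bob.accept(legitimate_response("alice", req))
    return spoof_accepted, real_accepted, replay_accepted
```

With a 16-bit challenge, 65,536 distinct blind guesses are guaranteed to cover the space, whereas a 32-bit challenge leaves a thousand guesses with a success chance around 2.3e-7; this is why challenge entropy, not merely its presence, decides whether the defence holds.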