Exploiting Sequence Number Leakage: TCP Hijacking in NAT-Enabled Wi-Fi Networks

Yuxiang Yang

Network and Distributed System Security (NDSS) Symposium 2024 · Day 1 · Side-Channel Attacks

This talk, presented by Yuxiang Yang at the NDSS Symposium, describes a novel off-path TCP hijacking attack against Wi-Fi networks that use Network Address Translation (NAT). The research details a critical side-channel vulnerability that arises from the combination of three factors: common NAT port preservation strategies, insufficient Reverse Path Validation (RPV) in routers, and the widespread practice of disabling strict TCP window tracking. Together, these factors allow an attacker connected to the same Wi-Fi network to infer active TCP connections, manipulate NAT mappings, and ultimately hijack established TCP sessions between other clients and external servers.
