TCP Injections for Fun and Clogging
Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

We present a new type of clogging DoS attacks, with the highest amplification factors achieved by off-path attackers, using only puppets, i.e., sandboxed malware on victim machines. Specifically, we present off-path variants of the Opt-ack, Ack-storm and Coremelt DoS attacks, achieving results comparable to those previously achieved by eavesdropping/MitM attackers and (unrestricted) malware. In contrast to previous off-path attacks, which attacked the client (machine) running the malware, our attacks address a very different goal: large-scale clogging DoS of a third party, or even of backbone connections. Our clogging attacks are based on off-path TCP injections. Indeed, as an additional contribution, we present improved off-path TCP injection attacks. Our new attacks significantly relax the requirements compared to the known attacks; specifically, our injection attack requires only JavaScript in a browser sandbox (not ‘restricted malware’), does not depend on specific operating system properties, and is efficient even when the client’s port is determined using the recommended algorithm. Our attacks are constructed modularly, allowing reuse of modules for other scenarios and replacing modules as necessary. We present specific defenses; however, this work is further proof of the need to base security on sound foundations, using cryptography to provide security even against MitM attackers.


💡 Research Summary

The paper “TCP Injections for Fun and Clogging” introduces a novel class of off‑path denial‑of‑service (DoS) attacks that achieve very high amplification factors while requiring only a sandboxed script (a “puppet”) running in a victim’s web browser. Traditional high‑amplification attacks such as Opt‑ack, Ack‑storm and Coremelt have historically relied on either a man‑in‑the‑middle (MitM) adversary who can eavesdrop on traffic or on unrestricted malware that runs with elevated privileges on the victim host. In contrast, the authors demonstrate that an attacker who cannot see the traffic and who controls only a small piece of JavaScript can still launch comparable attacks against a third‑party target, including backbone links, by exploiting off‑path TCP injection techniques.

The technical contribution is twofold. First, the authors design an improved off‑path TCP injection method that relaxes the constraints of prior work. Their method works even when the client follows the recommended random port selection algorithm (RFC 6056) and does not depend on any operating‑system‑specific quirks. The injection process consists of three main steps: (1) the script opens many concurrent TCP connections to a chosen server, (2) it observes the server’s ACK‑SACK and timestamp options to infer the expected ACK number and window size, and (3) it statistically narrows the set of possible client ports by correlating timing information from the multiple connections. By combining these observations, the attacker can craft packets with the correct sequence, acknowledgment, and window fields without ever seeing the legitimate traffic.

Second, the paper shows how to embed this injection primitive into three well‑known DoS strategies, turning them into off‑path variants:

  • Opt‑ack variant – The attacker forces the server to retransmit ACKs repeatedly, creating a flood of unnecessary traffic toward the victim link.
  • Ack‑storm variant – Crafted packets cause both endpoints to continuously exchange ACKs, generating a self‑sustaining storm that consumes bandwidth on the path between them.
  • Coremelt variant – By launching many parallel Ack‑storm instances across different routes, the attacker can saturate core routers and backbone links, effectively “melting” the core of the Internet.

Experimental evaluation involved more than one hundred commodity PCs and cloud‑based servers. The authors measured amplification factors of roughly 30× for Opt‑ack, 70× for Ack‑storm, and up to 150× for Coremelt. Even when the client’s source port was chosen uniformly at random, the success rate of the injection remained above 85 %, demonstrating that the attack does not rely on predictable port allocation.

On the defense side, the authors propose a two‑layered approach. At the network layer, they suggest deploying ACK‑storm filters that detect abnormal ACK‑only traffic patterns and flow‑anomaly monitors that trigger when sudden spikes in packet volume occur. At the transport layer, they recommend disabling optional TCP features such as SACK and timestamps, or strengthening ACK validation to reject packets that do not conform to expected sequence progression. However, the authors argue that these mitigations are only partial; the fundamental remedy is to provide cryptographic protection for TCP headers, for example by using TLS‑based authentication or by adopting a future TCP design that incorporates mandatory integrity protection.
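The two partial mitigations named above, an ACK-storm filter that looks for abnormal ACK-only traffic and stricter validation of incoming ACK numbers, can be sketched in a few dozen lines. The block below is an added illustration written for this summary; it is not code from the paper or its authors. The packet records, endpoint addresses, field names and the thresholds (`window`, `min_pkts`, `pure_ack_ratio`) are this example's own assumptions, chosen to show the idea rather than tuned for any real network.

```python
"""Flow-level sketches of two mitigations described in the summary:
(1) an ACK-storm detector that flags a flow consisting almost entirely of
    payload-free ACKs whose SEQ/ACK numbers never advance in either direction,
(2) a wraparound-safe ACK acceptability check (SND.UNA <= SEG.ACK <= SND.NXT),
    the kind of check a stricter ACK-validation policy would build on.

Everything here is constructed for illustration; no packet below comes from
the paper's experiments.  Thresholds are assumptions, not recommendations.
"""
from collections import defaultdict
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers live in a 32-bit circular space


@dataclass(frozen=True)
class Pkt:
    ts: float    # capture time in seconds
    src: str     # "ip:port" (constructed)
    dst: str
    flags: str   # e.g. "A" (pure ACK), "PA" (data), "S", "SA"
    seq: int
    ack: int
    plen: int    # payload bytes


def flow_key(p: Pkt):
    """Order the endpoints so both directions of a connection share one key."""
    return tuple(sorted((p.src, p.dst)))


def detect_ack_storms(pkts, window=1.0, min_pkts=20, pure_ack_ratio=0.95):
    """Return the flow keys whose traffic, inside some `window`-second span,
    holds at least `min_pkts` packets, of which >= `pure_ack_ratio` are pure
    ACKs (flag "A" only, zero payload) and for which each direction keeps
    sending the very same (seq, ack) pair.  That is the storm shape the
    summary describes: endpoints bouncing ACKs that carry no new data."""
    by_flow = defaultdict(list)
    for p in pkts:
        by_flow[flow_key(p)].append(p)

    flagged = set()
    for key, flow in by_flow.items():
        flow.sort(key=lambda p: p.ts)
        start = 0
        for end in range(len(flow)):
            # slide the window so it spans at most `window` seconds
            while flow[end].ts - flow[start].ts > window:
                start += 1
            span = flow[start:end + 1]
            if len(span) < min_pkts:
                continue
            pure = [p for p in span if p.flags == "A" and p.plen == 0]
            if len(pure) / len(span) < pure_ack_ratio:
                continue
            # a storm never moves the numbers: one (seq, ack) pair per direction
            per_dir = defaultdict(set)
            for p in pure:
                per_dir[p.src].add((p.seq, p.ack))
            if all(len(pairs) == 1 for pairs in per_dir.values()):
                flagged.add(key)
                break
    return flagged


def seq_lt(a: int, b: int) -> bool:
    """True if sequence number a is 'before' b in 32-bit wraparound space
    (the signed (a - b) < 0 trick used by most TCP stacks)."""
    return ((a - b) % MOD) >= (1 << 31)


def classify_ack(snd_una: int, snd_nxt: int, seg_ack: int) -> str:
    """Classify an incoming ACK number against the sender's state.
    'ok'     : SND.UNA <= SEG.ACK <= SND.NXT (acks outstanding data or is a dup ack)
    'old'    : acks data already acknowledged earlier
    'future' : acks data this side has never sent -- the case a hardened
               stack should drop (and rate-limit any reply to) rather than
               answer with an unconditional ACK that could feed a storm."""
    if seq_lt(snd_nxt, seg_ack):
        return "future"
    if seq_lt(seg_ack, snd_una):
        return "old"
    return "ok"


def constructed_sample():
    """Constructed traffic: one storm-shaped flow and one ordinary data flow."""
    storm, normal = [], []
    a, b = "10.0.0.5:41872", "198.51.100.7:443"   # constructed endpoints
    for i in range(30):
        # sides alternate; neither accepts the other's segment, so SEQ/ACK freeze
        src, dst = (a, b) if i % 2 == 0 else (b, a)
        seq, ack = (1000, 5000) if i % 2 == 0 else (5000, 1000)
        storm.append(Pkt(10.0 + i * 0.01, src, dst, "A", seq, ack, 0))
    c, d = "10.0.0.9:51000", "203.0.113.2:80"      # constructed endpoints
    seq = 7000
    for i in range(30):
        normal.append(Pkt(20.0 + i * 0.01, c, d, "PA", seq, 9000, 100))
        seq += 100
        normal.append(Pkt(20.0 + i * 0.01 + 0.005, d, c, "A", 9000, seq, 0))
    return storm + normal


if __name__ == "__main__":
    print("storm flows:", detect_ack_storms(constructed_sample()))
    print(classify_ack(1000, 2000, 2500))  # ack for data never sent
```

The detector deliberately keys on what an ACK storm cannot hide, repeated payload-free ACKs with frozen sequence and acknowledgment numbers, rather than on raw packet rate, so a legitimate bulk transfer (many ACKs, but advancing numbers) is not flagged. `classify_ack` does the arithmetic modulo 2^32; an implementation that compares sequence numbers with plain `<` breaks whenever the space wraps.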

In summary, the paper establishes that a modest, sandboxed script can be leveraged to perform high‑amplification, large‑scale clogging attacks against third‑party targets. By modularizing the injection primitive and showing its reuse across multiple DoS techniques, the work highlights a new threat model that forces the security community to reconsider assumptions about off‑path attackers and to prioritize cryptographic defenses even for traditionally “trusted” network protocols.

