Usage-inflation Attack
NOTICE: This attack is applicable to ISPs that account for TCP retransmission. As of November 2013, the majority of ISPs (outside of South Korea) blindly account for every IP packet regardless of TCP retransmission.
The "usage-inflation" attack arbitrarily inflates the cellular data usage of a target subscriber by intentionally retransmitting packets in the flow even without actual packet losses.
ATTACK METHODS
-
At the application layer, the malicious server transfers the
requested content to the client in a normal TCP connection.
However, the server behaves as if it did not receive any ACKs
from the client or as if its RTO fired prematurely, and injects
the retransmission packets in the background. This attack is
easy to launch since it does not require compromising the client.
- 1) Retransmit after FIN (Not possible on some ISPs):
Retransmit the packets after the client finishes downloading
the content. That is, the server pretends as if it did not
receive the client-side FIN/RST as well as the ACKs for the last
batch of packets, and retransmits the packets that belong to the
last send window. This approach is advantageous to the attacker
since she can greatly overcharge the usage in a short time by
utilizing the full bandwidth between the server and the client.
- 2) Retransmit during normal transfer: Embed the retransmission packets in the stream of normal packets. Instead of blindly retransmitting the same packet over and over again, the attacker can carefully pick a random packet in its send window. To prevent the user from noticing any slowdown of the download, the attacker can control the goodput in case of interactive contents while injecting the retransmission packets in the background.
Source code
- We will release the attack source code when ISPs fix this problem.
- We do hope that cellular ISPs consider changing the accounting policy to take out TCP retransmission from the bill but guard against free-riding attacks by adopting an accurate accounting system like Abacus.
Publications
- Gaining Control of Cellular Traffic Accounting by Spurious TCP Retransmission
Younghwan Go, Jongil Won, Denis Foo Kune, EunYoung Jeong, Yongdae Kim, and KyoungSoo Park
In Proceedings of the 21st Annual Network and Distributed System Security Symposium (NDSS 2014)
San Diego, CA, USA, February 2014 - Impact of Malicious TCP Retransmission on Cellular Traffic Accounting
Younghwan Go, Denis Foo Kune, Shinae Woo, KyoungSoo Park, and Yongdae Kim
In Proceedings of the 5th Annual Wireless of the Students, by the Students, for the Students Workshop (S3 2013)
Miami, FL, USA, September 2013 - Awarded Best Paper - Towards Accurate Accounting of Cellular Data for TCP Retransmission
Younghwan Go, Denis Foo Kune, Shinae Woo, KyoungSoo Park, and Yongdae Kim
In Proceedings of the 14th International Workshop on Mobile Computing Systems and Applications (HotMobile 2013)
Jekyll Island, GA, USA, February 2013
People
Students:
Younghwan Go,
Jongil Won,
Denis Foo Kune, and
EunYoung Jeong
Faculty:
KyoungSoo Park and
Yongdae Kim