by V Anil Kumar and Debabrata Das
Multipath Transmission Control Protocol (MPTCP) is an innovative next-generation transport protocol standardized by the Internet Engineering Task Force (IETF) to overcome the single path limitation of the Transmission Control Protocol (TCP). MPTCP augments TCP with a new set of signaling options for seamless transmission and reception of application data across multiple interlinked TCP connections called subflows. In this paper, we focus on a new security concern associated with the signal exchanging process of MPTCP. To the best of our knowledge, for the first time, this paper exposes that MPTCP signal exchange scheme is vulnerable to a sophisticated packet spoofing technique, which we name as Data Sequence Signal (DSS) manipulation. We implement the vulnerability, create attack scenarios in Linux Kernel and conduct experiments over emulated testbed to demonstrate the existence of the vulnerability and means of exploiting it for powerful attacks. Our results show that DSS manipulation can be tactically exploited, on top of TCP optimistic ACKing, to generate non-responsive traffic like Denial-of-Service (DoS) attack flood. Particularly, we demonstrate two new adverse scenarios, where a MPTCP sender is forced to: (a) transmit at a rate significantly higher than the bottleneck link bandwidth, and (b) induce high intensity and harmful packet bursts at line-rate called Maliciously-induced-Bursts (MiBs). We also show that the non-responsive traffic resulting from the attack can suppress genuine congestion controlled traffic to the extent of causing DoS attack. We capture and analyze the dynamics of important MPTCP parameters, like send buffer occupancy of meta and subflow sockets, congestion window and flightsize to highlight the attack impact. DSS manipulation originates from a fundamental protocol design limitation rather than from any implementation flaw. We also propose a novel technique called data sequence map skipping for detection and countermeasure against DSS manipulation based attacks.