TCP Injection Attacks in the Wild - A Large Scale Study

Black Hat USA 2016

Presented by: Gabi Nakibly
Date: Thursday August 04, 2016
Time: 09:45 - 10:35
Location: Mandalay Bay EF

In this work we present a massively large-scale survey of Internet traffic that studies the practice of false content injections on the web. We examined more than 1.5 petabits of data from over 1.5 million distinct IP addresses. Earlier this year we showed that false content injection is practiced by network operators for commercial purposes. These network operators inject advertisements and malware into webpages viewed by potentially ALL users on the Internet.

In this presentation we recap the injections we discovered earlier this year and show them in detail. Additionally, we shall show new types of non-commercial injections, identify the injectors behind them and discuss their modi operandi. Finally, we shall discuss in detail the analysis of a targeted injection attack against an American website.

The attacks we discovered are done using out-of-band TCP injection of false packets (rather than in-band alteration of the original packets). This is what actually allowed us to detect the injection events in the first place. We also present a novel client-side tool to mitigate such attacks that has minimal performance impact.
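
Because the injection is out-of-band, the client receives both the forged segment and the genuine one, so the same sequence range arrives twice with different bytes. The Python check below is an added example, not the presenter's tool; it assumes detection by comparing overlapping segments, and the `Segment` fields, the 200 ms window and the sample traffic are constructed for illustration.

```python
from collections import defaultdict, namedtuple

# One TCP data segment as a capture parser might report it (field names are assumptions).
# seq is the relative sequence number of the first payload byte; wraparound is not handled.
Segment = namedtuple("Segment", "flow seq payload ts")

def find_conflicts(segments, window=0.2):
    """Return (flow, seq, first_bytes, later_bytes) for every byte range that
    arrived twice on one flow within `window` seconds with different content."""
    seen = defaultdict(list)  # flow -> segments already processed
    conflicts = []
    for seg in sorted(segments, key=lambda s: s.ts):
        for old in seen[seg.flow]:
            if seg.ts - old.ts > window:
                continue  # too far apart to be a race between injector and server
            start = max(seg.seq, old.seq)
            end = min(seg.seq + len(seg.payload), old.seq + len(old.payload))
            if start >= end:
                continue  # the two segments share no bytes
            first = old.payload[start - old.seq:end - old.seq]
            later = seg.payload[start - seg.seq:end - seg.seq]
            if first != later:  # identical bytes are an ordinary retransmission
                conflicts.append((seg.flow, start, first, later))
        seen[seg.flow].append(seg)
    return conflicts

# Constructed sample traffic (documentation addresses, server -> client direction).
FLOW_A = ("203.0.113.10", 80, "198.51.100.7", 51512)
FLOW_B = ("203.0.113.20", 80, "198.51.100.7", 51600)
SAMPLE = [
    # Flow A: two different responses claim the same sequence range.
    Segment(FLOW_A, 1, b"HTTP/1.1 302 Found\r\nLocation: http://ads.example/\r\n\r\n", 0.010),
    Segment(FLOW_A, 1, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello", 0.045),
    # Flow B: a retransmission and a partial overlap, both with matching bytes.
    Segment(FLOW_B, 1, b"abcdef", 0.020),
    Segment(FLOW_B, 1, b"abcdef", 0.060),
    Segment(FLOW_B, 4, b"defghi", 0.070),
]

if __name__ == "__main__":
    for flow, seq, first, later in find_conflicts(SAMPLE):
        print(f"conflict on {flow} at seq {seq}: {first[:20]!r} vs {later[:20]!r}")
```

Only flow A is reported: the retransmission and the partial overlap on flow B carry matching bytes, which is what separates ordinary TCP behaviour from a race between an injector and the real server.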

Gabi Nakibly

Gabi Nakibly is a network security research leader at the National Cyber and Electronics Research Center at Rafael Advanced Defense Systems (an aerospace and defense company). Gabi has a track record of more than a decade of high-end security research. He holds a PhD in computer science (Technion) and is an adjunct lecturer and researcher at the Technion. Gabi was a visiting scholar at Stanford University and is an active speaker at top security conferences: Black Hat USA, Black Hat Europe, RSA Conference.

