A Horizontal Study on the Mixed IPID Assignment Vulnerability in the Linux Ecosystem

Abstract

The off-path TCP hijacking attack poses a significant threat to Internet security, allowing attackers to manipulate various upper-layer applications and causing severe real-world damage. In this paper, we undertake a horizontal study on a critical TCP hijacking attack affecting Linux servers, which was reported in November 2020 (CVE-2020-36516). This attack has the potential to compromise over 20% of popular websites on the Internet. Our study particularly focuses on determining the extent to which the developed stack patches, designed to address this vulnerability, have been effectively deployed in the real world and whether they have successfully mitigated the identified attack. In our horizontal study, we thoroughly examine the current status of the vulnerability, covering upstream and downstream components of the Linux ecosystem. This study encompasses 12 mainstream Linux distributions, 296 images from 7 leading cloud vendors, 2.92 million IPs from 301 network segments belonging to 6 major CDN vendors, as well as the top 1 million websites from 3 datasets. Our large-scale measurement study has resulted in significant discoveries. Our study unveils a notable disparity in the patching of the vulnerability in the Linux ecosystem, spanning various ISPs and vendors, which leaves the vulnerability open to potential exploitation and poses a serious threat to the Internet.

Publication
In IEEE/ACM International Symposium on Quality of Service, Guangzhou, China, 19–21 June 2024, to appear
Yuxiang Yang
Ph.D. Student

My research focuses on network security, particularly protocol security, Internet measurement, network & protocol fuzzing, and network vulnerability discovery & attack.