Paper 2013/623

Off-Path Hacking: The Illusion of Challenge-Response Authentication

Yossi Gilad, Amir Herzberg, and Haya Shulman


Everyone is concerned about Internet security, yet most traffic is not cryptographically protected. The typical justification is that most attackers are off-path and cannot intercept traffic; hence, intuitively, challenge-response defenses should suffice to ensure authenticity. Often, the challenges re-use existing header fields to protect widely deployed protocols such as TCP and DNS. We argue that this practice may often give an illusion of security. We review recent off-path TCP injection and DNS poisoning attacks, which enable attackers to circumvent existing challenge-response defenses. Both the TCP and DNS attacks are non-trivial, yet practical. The attacks foil widely deployed security mechanisms and allow a wide range of exploits, such as long-term caching of malicious objects and scripts. We hope that this review article will help improve defenses against off-path attackers. In particular, we hope to motivate, when feasible, adoption of cryptographic mechanisms such as SSL/TLS, IPsec and DNSSEC, which provide security even against stronger Man-in-the-Middle attackers.

Cryptographic protocols
Publication info
Published elsewhere. IEEE Security and Privacy Magazine
Keywords
challenge-response defenses, cryptographic protocols, off-path attacks, DNS cache poisoning, TCP injections
Contact author(s)
haya shulman @ gmail com
2013-09-28: received
Creative Commons Attribution


      author = {Yossi Gilad and Amir Herzberg and Haya Shulman},
      title = {Off-Path Hacking: The Illusion of Challenge-Response Authentication},
      howpublished = {Cryptology ePrint Archive, Paper 2013/623},
      year = {2013},
      note = {\url{}},
      url = {}