Data sequence signal manipulation in multipath TCP (MPTCP): The vulnerability, attack and its detection
Computers & Security ( IF 5.6 ) Pub Date : 2021-01-08 , DOI: 10.1016/j.cose.2021.102180
V Anil Kumar , Debabrata Das

Multipath Transmission Control Protocol (MPTCP) is a next-generation transport protocol standardized by the Internet Engineering Task Force (IETF) to overcome the single-path limitation of the Transmission Control Protocol (TCP). MPTCP augments TCP with a new set of signaling options for seamless transmission and reception of application data across multiple interlinked TCP connections called subflows. In this paper, we focus on a new security concern associated with the signal exchange process of MPTCP. To the best of our knowledge, this paper is the first to show that the MPTCP signal exchange scheme is vulnerable to a sophisticated packet spoofing technique, which we name Data Sequence Signal (DSS) manipulation. We implement the vulnerability, create attack scenarios in the Linux kernel and conduct experiments over an emulated testbed to demonstrate the existence of the vulnerability and the means of exploiting it for powerful attacks. Our results show that DSS manipulation can be tactically exploited, on top of TCP optimistic ACKing, to generate non-responsive traffic such as a Denial-of-Service (DoS) attack flood. In particular, we demonstrate two new adverse scenarios in which an MPTCP sender is forced to: (a) transmit at a rate significantly higher than the bottleneck link bandwidth, and (b) emit high-intensity, harmful packet bursts at line rate, which we call Maliciously-induced Bursts (MiBs). We also show that the non-responsive traffic resulting from the attack can suppress genuine congestion-controlled traffic to the extent of causing a DoS attack. We capture and analyze the dynamics of important MPTCP parameters, such as the send buffer occupancy of the meta and subflow sockets, the congestion window and the flight size, to highlight the attack's impact. DSS manipulation originates from a fundamental protocol design limitation rather than from any implementation flaw. We also propose a novel technique called data sequence map skipping for the detection of, and as a countermeasure against, DSS manipulation based attacks.
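As an added worked example (not code from the paper or from any MPTCP implementation), the following Python script encodes and decodes the DSS option that carries the Data ACK and the data sequence mapping the abstract refers to, and then applies a sender-side plausibility check to the Data ACK. The authors' own detection scheme, data sequence map skipping, is not described on this page, so the check shown is a generic guard against optimistic ACKing (a Data ACK must not cover data the sender never transmitted) and is labelled as such; the option layout follows RFC 8684, and every sequence number and buffer boundary below is constructed for illustration.

```python
"""Encode/decode MPTCP DSS options (RFC 8684, option kind 30, subtype 2) and
apply a sender-side plausibility check to the Data ACK they carry.

Added illustration, not the paper's code. The plausibility check is a generic
optimistic-ACK guard, not the paper's data sequence map skipping technique."""
import struct
from dataclasses import dataclass
from typing import Optional

MPTCP_KIND = 30
DSS_SUBTYPE = 2

# DSS flag bits (low five bits of the fourth option byte)
FLAG_A = 0x01  # Data ACK present
FLAG_a = 0x02  # Data ACK is 8 octets (else 4)
FLAG_M = 0x04  # DSN, SSN, Data-Level Length (and optional checksum) present
FLAG_m = 0x08  # DSN is 8 octets (else 4)
FLAG_F = 0x10  # DATA_FIN


@dataclass
class DssOption:
    data_ack: Optional[int]
    dsn: Optional[int]
    ssn: Optional[int]
    data_len: Optional[int]
    checksum: Optional[int]
    data_fin: bool


def build_dss(data_ack=None, dsn=None, ssn=0, data_len=0, checksum=None,
              data_fin=False, wide_ack=False, wide_dsn=False) -> bytes:
    """Encode a DSS option; used here only to construct sample input."""
    flags = FLAG_F if data_fin else 0
    body = b""
    if data_ack is not None:
        flags |= FLAG_A | (FLAG_a if wide_ack else 0)
        body += data_ack.to_bytes(8 if wide_ack else 4, "big")
    if dsn is not None:
        flags |= FLAG_M | (FLAG_m if wide_dsn else 0)
        body += dsn.to_bytes(8 if wide_dsn else 4, "big")
        body += struct.pack("!IH", ssn, data_len)
        if checksum is not None:
            body += struct.pack("!H", checksum)
    return bytes([MPTCP_KIND, 4 + len(body), DSS_SUBTYPE << 4, flags]) + body


def parse_dss(opt: bytes) -> DssOption:
    """Decode one DSS option, rejecting malformed or truncated encodings."""
    if len(opt) < 4 or opt[0] != MPTCP_KIND or opt[1] != len(opt):
        raise ValueError("not a well-formed MPTCP option")
    if opt[2] >> 4 != DSS_SUBTYPE:
        raise ValueError("not a DSS option")
    flags = opt[3] & 0x1F
    pos = 4

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(opt):
            raise ValueError("DSS option truncated")
        chunk = opt[pos:pos + n]
        pos += n
        return chunk

    data_ack = dsn = ssn = data_len = checksum = None
    if flags & FLAG_A:
        data_ack = int.from_bytes(take(8 if flags & FLAG_a else 4), "big")
    if flags & FLAG_M:
        dsn = int.from_bytes(take(8 if flags & FLAG_m else 4), "big")
        ssn, data_len = struct.unpack("!IH", take(6))
        if len(opt) - pos == 2:  # checksum field present only when negotiated
            checksum = struct.unpack("!H", take(2))[0]
    if pos != len(opt):
        raise ValueError("unexpected trailing bytes in DSS option")
    return DssOption(data_ack, dsn, ssn, data_len, checksum, bool(flags & FLAG_F))


def seq_le(a: int, b: int, bits: int = 32) -> bool:
    """a <= b in modular (wrap-around) sequence-number arithmetic."""
    return ((b - a) & ((1 << bits) - 1)) < (1 << (bits - 1))


def data_ack_is_plausible(data_ack: int, snd_una: int, snd_nxt: int,
                          bits: int = 32) -> bool:
    """Generic guard: a Data ACK may only cover data actually transmitted,
    i.e. snd_una <= data_ack <= snd_nxt at the data level. A Data ACK beyond
    snd_nxt acknowledges bytes never sent, the hallmark of optimistic ACKing."""
    return seq_le(snd_una, data_ack, bits) and seq_le(data_ack, snd_nxt, bits)


if __name__ == "__main__":
    # Constructed sender state: 1000 bytes unacked, highest DSN sent is 5000.
    snd_una, snd_nxt = 1000, 5000
    genuine = build_dss(data_ack=3000, dsn=7000, ssn=1, data_len=1400)
    spoofed = build_dss(data_ack=9000)  # acknowledges 4000 bytes never sent
    for name, raw in (("genuine", genuine), ("spoofed", spoofed)):
        d = parse_dss(raw)
        ok = data_ack_is_plausible(d.data_ack, snd_una, snd_nxt)
        print(f"{name}: {d} plausible={ok}")
```

The parser distinguishes the optional checksum purely from the option length, which is how an MPTCP stack must do it too, since no flag announces the checksum; the guard is deliberately stateless so it can sit in front of whatever congestion-window update the Data ACK would otherwise trigger.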




Updated: 2021-01-29