Off-Path TCP Hijacking Attack to NAT-Enabled Wi-Fi Networks.

Saved in:
Bibliographic Details
Title: Off-Path TCP Hijacking Attack to NAT-Enabled Wi-Fi Networks.
Authors: Yang, Yuxiang1 yangyx22@mails.tsinghua.edu.cn, Feng, Xuewei1 fengxw06@126.com, Li, Qi2 qli01@tsinghua.edu.cn, Sun, Kun3 ksun3@gmu.edu, Wang, Ziqiang4 ziqiangwang@seu.edu.cn, Wang, Ao4 wangao@seu.edu.cn, Xu, Ke1 xuke@tsinghua.edu.cn
Source: IEEE Transactions on Networking. Dec2025, Vol. 33 Issue 6, p3270-3285. 16p.
Subjects: Wireless communications, HTTP (Computer network protocol)
Abstract: In this paper, we uncover a novel side-channel vulnerability arising from the shared NAT tables of Wi-Fi routers, enabling malicious insiders to hijack TCP connections between other clients and remote servers. First, by creating different NAT mappings within the shared NAT table, an off-path attacker can infer whether a victim client within the same Wi-Fi network is communicating with an external host over TCP, leveraging the widely adopted NAT port preservation strategy and insufficient reverse path validation in Wi-Fi routers. Once an active connection is detected, the attacker can manipulate the victim’s NAT mapping in the shared NAT table with spoofed TCP packets, exploiting the lack of TCP window tracking in most routers. In this way, the attacker can intercept TCP packets from the server and obtain the current sequence and acknowledgment numbers, which in turn allows the attacker to forcibly close the connection, poison the traffic in plain text, or reroute the server’s incoming packets to the attacker. We test 67 widely used routers from 30 vendors and discover that 52 of them are vulnerable. Also, we conduct an extensive measurement study on 93 real-world Wi-Fi networks and find that 75 of them (81%) are fully affected to our attack. Our case study shows that it takes about 17.5, 19.4, and 54.5 seconds on average to terminate SSH connections, download private files from FTP servers, and inject fake HTTP response packets with success rates of 87.4%, 82.6%, and 76.1%. Moreover, We evaluate the feasibility of the proposed attack in NAT-enabled IPv6 Wi-Fi networks. We responsibly disclose the vulnerability and suggest mitigation strategies to all affected vendors and have received positive feedback, including acknowledgments, CVEs, rewards, and adoption of our suggestions. [ABSTRACT FROM AUTHOR]
Copyright of IEEE Transactions on Networking is the property of IEEE and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
Description
Abstract:In this paper, we uncover a novel side-channel vulnerability arising from the shared NAT tables of Wi-Fi routers, enabling malicious insiders to hijack TCP connections between other clients and remote servers. First, by creating different NAT mappings within the shared NAT table, an off-path attacker can infer whether a victim client within the same Wi-Fi network is communicating with an external host over TCP, leveraging the widely adopted NAT port preservation strategy and insufficient reverse path validation in Wi-Fi routers. Once an active connection is detected, the attacker can manipulate the victim’s NAT mapping in the shared NAT table with spoofed TCP packets, exploiting the lack of TCP window tracking in most routers. In this way, the attacker can intercept TCP packets from the server and obtain the current sequence and acknowledgment numbers, which in turn allows the attacker to forcibly close the connection, poison the traffic in plain text, or reroute the server’s incoming packets to the attacker. We test 67 widely used routers from 30 vendors and discover that 52 of them are vulnerable. Also, we conduct an extensive measurement study on 93 real-world Wi-Fi networks and find that 75 of them (81%) are fully affected to our attack. Our case study shows that it takes about 17.5, 19.4, and 54.5 seconds on average to terminate SSH connections, download private files from FTP servers, and inject fake HTTP response packets with success rates of 87.4%, 82.6%, and 76.1%. Moreover, We evaluate the feasibility of the proposed attack in NAT-enabled IPv6 Wi-Fi networks. We responsibly disclose the vulnerability and suggest mitigation strategies to all affected vendors and have received positive feedback, including acknowledgments, CVEs, rewards, and adoption of our suggestions. [ABSTRACT FROM AUTHOR]
ISSN:29984157
DOI:10.1109/TON.2025.3586020