Off-Path TCP Hijacking Attack to NAT-Enabled Wi-Fi Networks.

Saved in:
Bibliographic Details
Title: Off-Path TCP Hijacking Attack to NAT-Enabled Wi-Fi Networks.
Authors: Yang, Yuxiang1 yangyx22@mails.tsinghua.edu.cn, Feng, Xuewei1 fengxw06@126.com, Li, Qi2 qli01@tsinghua.edu.cn, Sun, Kun3 ksun3@gmu.edu, Wang, Ziqiang4 ziqiangwang@seu.edu.cn, Wang, Ao4 wangao@seu.edu.cn, Xu, Ke1 xuke@tsinghua.edu.cn
Source: IEEE Transactions on Networking. Dec2025, Vol. 33 Issue 6, p3270-3285. 16p.
Subjects: Wireless communications, HTTP (Computer network protocol)
Abstract: In this paper, we uncover a novel side-channel vulnerability arising from the shared NAT tables of Wi-Fi routers, enabling malicious insiders to hijack TCP connections between other clients and remote servers. First, by creating different NAT mappings within the shared NAT table, an off-path attacker can infer whether a victim client within the same Wi-Fi network is communicating with an external host over TCP, leveraging the widely adopted NAT port preservation strategy and insufficient reverse path validation in Wi-Fi routers. Once an active connection is detected, the attacker can manipulate the victim’s NAT mapping in the shared NAT table with spoofed TCP packets, exploiting the lack of TCP window tracking in most routers. In this way, the attacker can intercept TCP packets from the server and obtain the current sequence and acknowledgment numbers, which in turn allows the attacker to forcibly close the connection, poison the traffic in plain text, or reroute the server’s incoming packets to the attacker. We test 67 widely used routers from 30 vendors and discover that 52 of them are vulnerable. Also, we conduct an extensive measurement study on 93 real-world Wi-Fi networks and find that 75 of them (81%) are fully affected to our attack. Our case study shows that it takes about 17.5, 19.4, and 54.5 seconds on average to terminate SSH connections, download private files from FTP servers, and inject fake HTTP response packets with success rates of 87.4%, 82.6%, and 76.1%. Moreover, We evaluate the feasibility of the proposed attack in NAT-enabled IPv6 Wi-Fi networks. We responsibly disclose the vulnerability and suggest mitigation strategies to all affected vendors and have received positive feedback, including acknowledgments, CVEs, rewards, and adoption of our suggestions. [ABSTRACT FROM AUTHOR]
Copyright of IEEE Transactions on Networking is the property of IEEE and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
FullText Text:
  Availability: 0
Header DbId: egs
DbLabel: Engineering Source
An: 193230990
AccessLevel: 6
PubType: Academic Journal
PubTypeId: academicJournal
PreciseRelevancyScore: 0
IllustrationInfo
Items – Name: Title
  Label: Title
  Group: Ti
  Data: Off-Path TCP Hijacking Attack to NAT-Enabled Wi-Fi Networks.
– Name: Author
  Label: Authors
  Group: Au
  Data: <searchLink fieldCode="AR" term="%22Yang%2C+Yuxiang%22">Yang, Yuxiang</searchLink><relatesTo>1</relatesTo><i> yangyx22@mails.tsinghua.edu.cn</i><br /><searchLink fieldCode="AR" term="%22Feng%2C+Xuewei%22">Feng, Xuewei</searchLink><relatesTo>1</relatesTo><i> fengxw06@126.com</i><br /><searchLink fieldCode="AR" term="%22Li%2C+Qi%22">Li, Qi</searchLink><relatesTo>2</relatesTo><i> qli01@tsinghua.edu.cn</i><br /><searchLink fieldCode="AR" term="%22Sun%2C+Kun%22">Sun, Kun</searchLink><relatesTo>3</relatesTo><i> ksun3@gmu.edu</i><br /><searchLink fieldCode="AR" term="%22Wang%2C+Ziqiang%22">Wang, Ziqiang</searchLink><relatesTo>4</relatesTo><i> ziqiangwang@seu.edu.cn</i><br /><searchLink fieldCode="AR" term="%22Wang%2C+Ao%22">Wang, Ao</searchLink><relatesTo>4</relatesTo><i> wangao@seu.edu.cn</i><br /><searchLink fieldCode="AR" term="%22Xu%2C+Ke%22">Xu, Ke</searchLink><relatesTo>1</relatesTo><i> xuke@tsinghua.edu.cn</i>
– Name: TitleSource
  Label: Source
  Group: Src
  Data: <searchLink fieldCode="JN" term="%22IEEE+Transactions+on+Networking%22">IEEE Transactions on Networking</searchLink>. Dec2025, Vol. 33 Issue 6, p3270-3285. 16p.
– Name: Subject
  Label: Subjects
  Group: Su
  Data: <searchLink fieldCode="DE" term="%22Wireless+communications%22">Wireless communications</searchLink><br /><searchLink fieldCode="DE" term="%22HTTP+%28Computer+network+protocol%29%22">HTTP (Computer network protocol)</searchLink>
– Name: Abstract
  Label: Abstract
  Group: Ab
  Data: In this paper, we uncover a novel side-channel vulnerability arising from the shared NAT tables of Wi-Fi routers, enabling malicious insiders to hijack TCP connections between other clients and remote servers. First, by creating different NAT mappings within the shared NAT table, an off-path attacker can infer whether a victim client within the same Wi-Fi network is communicating with an external host over TCP, leveraging the widely adopted NAT port preservation strategy and insufficient reverse path validation in Wi-Fi routers. Once an active connection is detected, the attacker can manipulate the victim’s NAT mapping in the shared NAT table with spoofed TCP packets, exploiting the lack of TCP window tracking in most routers. In this way, the attacker can intercept TCP packets from the server and obtain the current sequence and acknowledgment numbers, which in turn allows the attacker to forcibly close the connection, poison the traffic in plain text, or reroute the server’s incoming packets to the attacker. We test 67 widely used routers from 30 vendors and discover that 52 of them are vulnerable. Also, we conduct an extensive measurement study on 93 real-world Wi-Fi networks and find that 75 of them (81%) are fully affected to our attack. Our case study shows that it takes about 17.5, 19.4, and 54.5 seconds on average to terminate SSH connections, download private files from FTP servers, and inject fake HTTP response packets with success rates of 87.4%, 82.6%, and 76.1%. Moreover, We evaluate the feasibility of the proposed attack in NAT-enabled IPv6 Wi-Fi networks. We responsibly disclose the vulnerability and suggest mitigation strategies to all affected vendors and have received positive feedback, including acknowledgments, CVEs, rewards, and adoption of our suggestions. [ABSTRACT FROM AUTHOR]
– Name: AbstractSuppliedCopyright
  Label:
  Group: Ab
  Data: <i>Copyright of IEEE Transactions on Networking is the property of IEEE and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.)
PLink https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=193230990
RecordInfo BibRecord:
  BibEntity:
    Identifiers:
      – Type: doi
        Value: 10.1109/TON.2025.3586020
    Languages:
      – Code: eng
        Text: English
    PhysicalDescription:
      Pagination:
        PageCount: 16
        StartPage: 3270
    Subjects:
      – SubjectFull: Wireless communications
        Type: general
      – SubjectFull: HTTP (Computer network protocol)
        Type: general
    Titles:
      – TitleFull: Off-Path TCP Hijacking Attack to NAT-Enabled Wi-Fi Networks.
        Type: main
  BibRelationships:
    HasContributorRelationships:
      – PersonEntity:
          Name:
            NameFull: Yang, Yuxiang
      – PersonEntity:
          Name:
            NameFull: Feng, Xuewei
      – PersonEntity:
          Name:
            NameFull: Li, Qi
      – PersonEntity:
          Name:
            NameFull: Sun, Kun
      – PersonEntity:
          Name:
            NameFull: Wang, Ziqiang
      – PersonEntity:
          Name:
            NameFull: Wang, Ao
      – PersonEntity:
          Name:
            NameFull: Xu, Ke
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 01
              M: 12
              Text: Dec2025
              Type: published
              Y: 2025
          Identifiers:
            – Type: issn-print
              Value: 29984157
          Numbering:
            – Type: volume
              Value: 33
            – Type: issue
              Value: 6
          Titles:
            – TitleFull: IEEE Transactions on Networking
              Type: main
ResultId 1