Off-path hacking: The illusion of challenge-response authentication

Yossi Gilad*, Amir Herzberg, Haya Shulman

*Corresponding author for this work

Research output: Contribution to journal, Article, peer-review

29 Scopus citations


Everyone is concerned about Internet security, yet most traffic isn't cryptographically protected. The typical justification is that most attackers are off path and can't intercept traffic; hence, intuitively, challenge-response defenses should suffice to ensure authenticity. Often, the challenges reuse existing header fields to protect widely deployed protocols such as TCP and DNS. This practice might give an illusion of security. Recent off-path TCP injection and DNS poisoning attacks enable attackers to circumvent existing challenge-response defenses. Both TCP and DNS attacks are nontrivial, yet practical. The attacks foil widely deployed security mechanisms and allow a wide range of exploits, such as long-term caching of malicious objects and scripts.

Original language: American English
Article number: 6627890
Pages (from-to): 68-77
Number of pages: 10
Journal: IEEE Security and Privacy
Issue number: 5
State: Published - Sep 2014
Externally published: Yes

Bibliographical note

Publisher Copyright:
© 2003-2012 IEEE.


  • DNS cache poisoning
  • TCP injections
  • challenge-response defenses
  • off-path attacks
  • security

