The talk will introduce two new network-based attacks. Both attacks can apply to any network. The first attack is against next-generation firewalls and can be used to bypass the data limits of Wi-Fi or cellular subscriptions, or to exfiltrate data. As a concrete demo, I will abuse it to bypass the usage limits of a cellular network in the Philippines, allowing an attacker to access the internet even though they have run out of consumable data. The second attack is against rate-limiting systems where the user is, for instance, only allowed to try a password three times before having to wait for one minute. I will present new techniques that can try more passwords than normally allowed and demonstrate them against a phone number verification system, where the presented technique can brute-force a 4-digit SMS code within roughly 15 minutes.
Two novel attacks are introduced. Both can apply to many networks and/or web services:
– The attacks presented against rate-limiting systems may apply to many more systems. Attendees will want to audit their own software to see if it can be attacked in similar ways.
– The attack against next-generation firewalls teaches attendees that such firewalls must be configured with care and illustrates some possible pitfalls. This will hopefully inspire attendees to double-check the security of their own networks.
First attack
The first attack is against next-generation firewalls. In the talk I will start with a concrete, real-life scenario in which this attack was demonstrated. In particular, I will first explain how it was used against a cellular network provider in the Philippines that uses a firewall to block access to the internet once the consumable data is used up. In that situation, the user can still access the website of the cellular provider to pay for new consumable data, but cannot visit any other website. I will explain how the firewall inspects plaintext HTTP requests and, based on data in the HTTP request, either allows or blocks access to the website. However, before the client can send this HTTP request, it must complete a TCP handshake with the remote server. Interestingly, the user can complete a TCP handshake with *any* server on the internet, but cannot send data over the established TCP connection.
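The observation above (handshake completes, payload goes nowhere) is something a practitioner can check on their own network. The probe below is an added example written for this page, not code from the talk or the speaker. It classifies one TCP connection into three verdicts: the handshake itself fails, the handshake completes and the peer answers, or the handshake completes but nothing comes back before a timeout. The localhost servers, the placeholder Host header and the verdict names are constructed for the example so that it runs offline.

```python
# Added example (not from the talk): probe whether a middlebox lets the TCP
# handshake through but drops the application data that follows it.
import socket
import threading
import time

HANDSHAKE_BLOCKED = "handshake_blocked"        # SYN refused or silently dropped
ALLOWED = "handshake_ok_response"              # request went through, peer answered
DATA_BLOCKED = "handshake_ok_no_response"      # handshake done, data never answered

# Constructed probe request; the Host value is a placeholder, not a real target.
PROBE_REQUEST = b"GET / HTTP/1.1\r\nHost: example.invalid\r\nConnection: close\r\n\r\n"


def probe(host, port, payload=PROBE_REQUEST, timeout=3.0):
    """Connect to host:port, send payload, and classify what happens."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Connection refused, or the SYN was dropped until the timeout expired.
        return HANDSHAKE_BLOCKED
    try:
        sock.sendall(payload)
        # Any bytes back mean the request itself got past the middlebox.
        return ALLOWED if sock.recv(1024) else DATA_BLOCKED
    except OSError:
        # Timeout or reset after a completed handshake: the data did not get through.
        return DATA_BLOCKED
    finally:
        sock.close()


def _start_local_server(respond, hold_seconds):
    """Localhost stand-in: answer the first request when respond is True,
    otherwise accept the connection and stay silent for hold_seconds."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if respond:
                conn.recv(1024)
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n")
            else:
                # Mimics a middlebox that forwarded the handshake but eats the data.
                time.sleep(hold_seconds)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def _closed_port():
    """Pick a localhost port that nothing is listening on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def run_local_demo(timeout=1.0):
    """Run probe() against the three constructed cases and return the verdicts."""
    return {
        "closed_port": probe("127.0.0.1", _closed_port(), timeout=timeout),
        "responding_server": probe("127.0.0.1", _start_local_server(True, 0), timeout=timeout),
        "silent_server": probe("127.0.0.1", _start_local_server(False, 3 * timeout), timeout=timeout),
    }


if __name__ == "__main__":
    for name, verdict in run_local_demo().items():
        print(f"{name}: {verdict}")
```

Against a real network, call probe() with an arbitrary internet host that is known to answer plain HTTP and again with the provider's portal: a verdict of handshake_ok_no_response for the arbitrary host next to handshake_ok_response for the portal reproduces the behaviour the abstract describes. A genuinely silent server yields the same verdict as a dropping middlebox, so only probe hosts you know respond.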
Second attack
The second attack targets rate-limiting systems. Similar to the first attack, I will start with a concrete scenario and generalize from it. In particular, I will explain how a phone number verification system can be bypassed by guessing the SMS verification code within 15 minutes. In the system being targeted, the phone number verification system allows a user to enter the SMS verification code three times. After three attempts, the user must wait two minutes, after which they can request a new SMS verification code. In other words, by default an adversary can make only 3 guesses of the SMS verification code per two minutes.
About the speaker
Mathy Vanhoef is an assistant professor in the DistriNet research group of the Department of Computer Science at KU Leuven. He previously was a PostDoc at NYU Abu Dhabi and obtained his PhD at KU Leuven.