{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,30]],"date-time":"2026-06-30T15:44:20Z","timestamp":1782834260962,"version":"3.54.5"},"reference-count":69,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"6","license":[{"start":{"date-parts":[[2025,12,1]],"date-time":"2025-12-01T00:00:00Z","timestamp":1764547200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2025,12,1]],"date-time":"2025-12-01T00:00:00Z","timestamp":1764547200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,12,1]],"date-time":"2025-12-01T00:00:00Z","timestamp":1764547200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"name":"National Science Foundation for Distinguished Young Scholars of China","award":["62425201"],"award-info":[{"award-number":["62425201"]}]},{"name":"Science Fund for Creative Research Groups of the National Natural Science Foundation of China","award":["62221003"],"award-info":[{"award-number":["62221003"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["62132011"],"award-info":[{"award-number":["62132011"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Netw."],"published-print":{"date-parts":[[2025,12]]},"DOI":"10.1109\/ton.2025.3586020","type":"journal-article","created":{"date-parts":[[2025,7,10]],"date-time":"2025-07-10T17:47:01Z","timestamp":1752169621000},"page":"3270-3285","source":"Crossref","is-referenced-by-count":1,"title":["Off-Path TCP Hijacking Attack to NAT-Enabled Wi-Fi Networks"],"prefix":"10.1109","volume":"33","author":[{"ORCID":"https:\/\/orcid.org\/0009-0005-7582-5917","authenticated-orcid":false,"given":"Yuxiang","family":"Yang","sequence":"first","affiliation":[{"name":"Department of Computer Science and Technology, Tsinghua University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3736-6623","authenticated-orcid":false,"given":"Xuewei","family":"Feng","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Technology, Tsinghua University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8776-8730","authenticated-orcid":false,"given":"Qi","family":"Li","sequence":"additional","affiliation":[{"name":"Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4152-2107","authenticated-orcid":false,"given":"Kun","family":"Sun","sequence":"additional","affiliation":[{"name":"CSIS, Department of Information Sciences and Technology, George Mason University, Fairfax, VA, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0216-4968","authenticated-orcid":false,"given":"Ziqiang","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering, Southeast University, Nanjing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0000-4324-9189","authenticated-orcid":false,"given":"Ao","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Cyber Science and Engineering, Southeast University, Nanjing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2587-8517","authenticated-orcid":false,"given":"Ke","family":"Xu","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Technology, Tsinghua University, Beijing, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134027"},{"key":"ref2","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243807"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00031"},{"key":"ref4","first-page":"53","article-title":"Framing frames: Bypassing Wi-Fi encryption by manipulating transmit queues","volume-title":"Proc. USENIX Secur. Symp.","author":"Schepers"},{"key":"ref5","first-page":"161","article-title":"Fragment and forge: Breaking Wi-Fi through frame aggregation and fragmentation","volume-title":"Proc. USENIX Secur. Symp.","author":"Vanhoef"},{"key":"ref6","first-page":"3129","article-title":"Blind in\/on-path attacks and applications to VPNs","volume-title":"Proc. USENIX Secur. Symp.","author":"Tolley"},{"key":"ref7","first-page":"322","article-title":"Risk analysis of a fake access point attack against Wi-Fi network","volume":"9","author":"Alsahlany","year":"2018","journal-title":"Int. J. Sci. Eng. Res."},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1002\/spy2.49"},{"key":"ref9","first-page":"1","article-title":"A practical message falsification attack on WPA","volume-title":"Proc. JWIS","author":"Ohigashi"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/3395351.3399442"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1186\/1687-1499-2012-89"},{"key":"ref12","volume-title":"NAT Behavioral Requirements for TCP","author":"Ford","year":"2008"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/2597173"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.29"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382258"},{"key":"ref16","first-page":"209","article-title":"Off-path TCP exploits: Global rate limit considered dangerous","volume-title":"Proc. USENIX Secur. Symp.","author":"Cao"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417884"},{"key":"ref18","first-page":"6167","article-title":"Device tracking via Linux\u2019s new TCP source port selection algorithm","volume-title":"Proc. USENIX Secur. Symp.","author":"Kol"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-33167-1_16"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.17487\/rfc2827"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.17487\/rfc3704"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.17487\/rfc0793"},{"key":"ref23","volume-title":"Usage Statistics of Default Protocol HTTPS for Websites","year":"2024"},{"key":"ref24","first-page":"1","article-title":"NATBLASTER: Establishing TCP connections between hosts behind NATs","volume-title":"Proc. ACM SIGCOMM ASIA Workshop","author":"Biggadike"},{"key":"ref25","volume-title":"IP Network Address Translator (NAT) Terminology and Considerations","author":"Holdrege","year":"1999"},{"key":"ref26","volume-title":"Rp_filter","year":"2023"},{"key":"ref27","volume-title":"Understanding Evil Twin AP Attacks and How to Prevent Them","author":"Orsi","year":"2023"},{"key":"ref28","volume-title":"Rogue Device Detection","year":"2023"},{"key":"ref29","volume-title":"How to Enable Rogue AP Detection on Your LinkSys Wireless-AC Access Point","year":"2023"},{"key":"ref30","volume-title":"ARP Antispoofer","author":"Chirila","year":"2023"},{"key":"ref31","volume-title":"ShARP","year":"2023"},{"key":"ref32","volume-title":"360 Total Security: Free Antivirus Protection for Home and Devices","year":"2023"},{"key":"ref33","volume-title":"Macstealer: Wi-Fi Client Isolation Bypass","author":"Vanhoef","year":"2023"},{"key":"ref34","volume-title":"Pfsense\u2014World\u2019s Most Trusted Open Source Firewall","year":"2023"},{"key":"ref35","volume-title":"The Network Mapper","year":"2023"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179441"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/2987443.2987474"},{"key":"ref38","volume-title":"Unintended Consequences of NAT Deployments With Overlapping Address Space","author":"Ford","year":"2010"},{"key":"ref39","volume-title":"Linux Manual Page","year":"2023"},{"key":"ref40","volume-title":"Linux Manual Page","year":"2023"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1109\/Trustcom\/BigDataSE\/ICESS.2017.359"},{"key":"ref42","first-page":"1581","article-title":"Off-path TCP exploit: How wireless routers can jeopardize your secrets","volume-title":"Proc. USENIX Secur. Symp.","author":"Chen"},{"key":"ref43","article-title":"Measuring NAT64 usage in the wild","author":"Boswell","year":"2024","journal-title":"arXiv:2402.14632"},{"key":"ref44","volume-title":"You Thought There Was No","author":"Scott","year":"2024"},{"key":"ref45","volume-title":"Detecting and Measuring IPV4 and IPV6 NAT","author":"Alejandro","year":"2024"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.17487\/rfc6296"},{"key":"ref47","volume-title":"Stateful NAT64: Network Address and Protocol Translation From IPv6 Clients to IPv4 Servers","author":"Matthews","year":"2011"},{"key":"ref48","volume-title":"Libtins: Packet Crafting and Sniffing Library","year":"2023"},{"key":"ref49","volume-title":"Packet Crafting for Python2 and Python3","year":"2023"},{"key":"ref50","volume-title":"Tayga: Simple, No-Fuss Nat64 for Linux","author":"Lutchansky","year":"2024"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/3507657.3528548"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833701"},{"key":"ref53","volume-title":"Search Engine for the Internet of Everything","year":"2023"},{"key":"ref54","volume-title":"FOFA,  Search Engine","year":"2023"},{"key":"ref55","first-page":"235","article-title":"NAT hole punching based on simultaneous TCP open","volume-title":"Proc. 5th Int. Conf. Multimedia Inf. Netw. Secur.","author":"Yongjun"},{"key":"ref56","first-page":"1","article-title":"Peer-to-peer communication across network address translators","volume-title":"Proc. ATC","author":"Ford"},{"key":"ref57","volume-title":"Concepts-Policyrouting-Linux","year":"2023"},{"key":"ref58","volume-title":"ICMP Attacks Illustrated","author":"Low","year":"2023"},{"key":"ref59","volume-title":"ICMP Redirect Attacks in the Wild","author":"Ayer","year":"2023"},{"key":"ref60","first-page":"2619","article-title":"Off-path network traffic manipulation via revitalized ICMP redirect attacks","volume-title":"Proc. USENIX Secur. Symp.","author":"Feng"},{"key":"ref61","first-page":"577","article-title":"Poison over troubled forwarders: A cache poisoning attack targeting DNS forwarding devices","volume-title":"Proc. USENIX Secur. Symp.","author":"Zheng"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417280"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3486219"},{"key":"ref64","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354250"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2021.3115517"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.56553\/popets-2024-0070"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.17487\/rfc1981"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.17487\/rfc1191"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.17487\/RFC8205"}],"container-title":["IEEE Transactions on Networking"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/10723154\/11311125\/11076087.pdf?arnumber=11076087","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T06:17:52Z","timestamp":1766470672000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11076087\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12]]},"references-count":69,"journal-issue":{"issue":"6"},"URL":"https:\/\/doi.org\/10.1109\/ton.2025.3586020","relation":{},"ISSN":["2998-4157"],"issn-type":[{"value":"2998-4157","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,12]]}}}