{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:17:32Z","timestamp":1766441852730,"version":"3.48.0"},"publisher-location":"New York, NY, USA","reference-count":53,"publisher":"ACM","content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,11,19]]},"DOI":"10.1145\/3719027.3744888","type":"proceedings-article","created":{"date-parts":[[2025,11,22]],"date-time":"2025-11-22T23:32:38Z","timestamp":1763854358000},"page":"4574-4587","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Off-Path TCP Exploits: PMTUD Breaks TCP Connection Isolation in IP Address Sharing Scenarios"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3736-6623","authenticated-orcid":false,"given":"Xuewei","family":"Feng","sequence":"first","affiliation":[{"name":"Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-3890-8133","authenticated-orcid":false,"given":"Zhaoxi","family":"Li","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8776-8730","authenticated-orcid":false,"given":"Qi","family":"Li","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-0216-4968","authenticated-orcid":false,"given":"Ziqiang","family":"Wang","sequence":"additional","affiliation":[{"name":"Southeast University, Nanjing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4152-2107","authenticated-orcid":false,"given":"Kun","family":"Sun","sequence":"additional","affiliation":[{"name":"George Mason University, Fairfax, Virginia, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2587-8517","authenticated-orcid":false,"given":"Ke","family":"Xu","sequence":"additional","affiliation":[{"name":"Tsinghua University, Beijing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,11,22]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1109\/INFOCOM.2019.8737514"},{"key":"e_1_3_2_1_2_1","unstructured":"Francois Audet and Cullen Jennings. 2007. Network Address Translation (NAT) Behavioral Requirements for Unicast UDP. RFC 4787. Internet Engineering Task Force. 1-29 pages. http:\/\/www.rfc-editor.org\/rfc\/rfc4787.txt"},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.17487\/rfc1812"},{"key":"e_1_3_2_1_4_1","doi-asserted-by":"crossref","unstructured":"Fred Baker and Pekka Savola. 2004. Ingress Filtering for Multihomed Networks . Technical Report 3704. Internet Engineering Task Force. https:\/\/doi.org\/10.17487\/RFC3704","DOI":"10.17487\/rfc3704"},{"key":"e_1_3_2_1_5_1","doi-asserted-by":"crossref","unstructured":"K Biswas B Ford S Sivakumar and P Srisuresh. 2008. NAT Behavioral Requirements for TCP. RFC 5382. Internet Engineering Task Force. 1-21 pages. http:\/\/www.rfc-editor.org\/rfc\/rfc5382.txt","DOI":"10.17487\/rfc5382"},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"crossref","unstructured":"M Boucadair A Durand P Levis and P Roberts. 2011. Issues with IP Address Sharing . RFC 6269. Internet Engineering Task Force. 1-29 pages. http:\/\/www.rfc-editor.org\/rfc\/rfc6269.txt","DOI":"10.17487\/rfc6269"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","unstructured":"Robert Braden. 1989. Requirements for Internet Hosts - Communication Layers . RFC 1122. Internet Engineering Task Force. 1-116 pages. https:\/\/doi.org\/10.17487\/RFC1122","DOI":"10.17487\/RFC1122"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243790"},{"key":"e_1_3_2_1_9_1","first-page":"209","volume-title":"Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. In 25th USENIX Security Symposium (USENIX Security 16)","author":"Cao Yue","year":"2016","unstructured":"Yue Cao, Zhiyun Qian, Zhongjie Wang, Tuan Dao, Srikanth V Krishnamurthy, and Lisa M Marvel. 2016. Off-Path TCP Exploits: Global Rate Limit Considered Dangerous. In 25th USENIX Security Symposium (USENIX Security 16). 209-225."},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2018.2797081"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354250"},{"key":"e_1_3_2_1_12_1","first-page":"1581","volume-title":"Off-Path TCP Exploit: How Wireless Routers Can Jeopardize Your Secrets. In 27th USENIX Security Symposium (USENIX Security 18)","author":"Chen Weiteng","year":"2018","unstructured":"Weiteng Chen and Zhiyun Qian. 2018. Off-Path TCP Exploit: How Wireless Routers Can Jeopardize Your Secrets. In 27th USENIX Security Symposium (USENIX Security 18). 1581-1598."},{"key":"e_1_3_2_1_13_1","volume-title":"DNS cache poisoning and network address translation. Post at IBM's Frequency X blog (http:\/\/blogs.iss.net\/archive\/dnsnat.html)","author":"Cross Tom","year":"2008","unstructured":"Tom Cross. 2008. DNS cache poisoning and network address translation. Post at IBM's Frequency X blog (http:\/\/blogs.iss.net\/archive\/dnsnat.html) (2008)."},{"key":"e_1_3_2_1_14_1","unstructured":"Wesley Eddy. 2022. Transmission Control Protocol (TCP) . RFC 9293. Internet Engineering Task Force. 1-98 pages. http:\/\/www.rfc-editor.org\/rfc\/rfc9293.txt"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417884"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2021.3115517"},{"key":"e_1_3_2_1_17_1","first-page":"2619","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Feng Xuewei","year":"2022","unstructured":"Xuewei Feng, Qi Li, Kun Sun, Zhiyun Qian, Gang Zhao, Xiaohui Kuang, Chuanpu Fu, and Ke Xu. 2022a. Off-Path Network Traffic Manipulation via Revitalized ICMP Redirect Attacks. In 31st USENIX Security Symposium (USENIX Security 22). 2619-2636."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2022.24381"},{"key":"e_1_3_2_1_19_1","volume-title":"2023 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 694-709","author":"Feng Xuewei","year":"2022","unstructured":"Xuewei Feng, Qi Li, Kun Sun, Yuxiang Yang, and Ke Xu. 2022c. Man-in-the-Middle Attacks without Rogue AP: When WPAs Meet ICMP Redirects. In 2023 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, 694-709."},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.230972"},{"key":"e_1_3_2_1_21_1","first-page":"41","article-title":"Off-Path Attacking the Web","author":"Gilad Yossi","year":"2012","unstructured":"Yossi Gilad and Amir Herzberg. 2012a. Off-Path Attacking the Web. In WOOT. 41-52.","journal-title":"WOOT."},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-31680-7_6"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/2445566.2445568"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/2488388.2488427"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2597173"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2013.130"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICDCS.2018.00088"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"crossref","unstructured":"Fernando Gont. 2010. ICMP Attacks against TCP . RFC 5927. Internet Engineering Task Force. 1-36 pages. http:\/\/www.rfc-editor.org\/rfc\/rfc5927.txt","DOI":"10.17487\/rfc5927"},{"key":"e_1_3_2_1_29_1","first-page":"271","volume-title":"Pisa","author":"Herzberg Amir","year":"2012","unstructured":"Amir Herzberg and Haya Shulman. 2012. Security of patched DNS. In Computer Security-ESORICS 2012: 17th European Symposium on Research in Computer Security, Pisa, Italy, September 10-12, 2012. Proceedings 17. Springer, 271-288."},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1109\/CNS.2013.6682711"},{"key":"e_1_3_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354232"},{"key":"e_1_3_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1879141.1879155"},{"key":"e_1_3_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417280"},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3486219"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.17487\/rfc1981"},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"crossref","unstructured":"J McCann S Deering and J Mogul. 2017. Path MTU Discovery for IP version 6 . RFC 8201. Internet Engineering Task Force. 1-19 pages. http:\/\/www.rfc-editor.org\/rfc\/rfc8201.txt","DOI":"10.17487\/RFC8201"},{"key":"e_1_3_2_1_37_1","first-page":"18","article-title":"Attacking connection tracking frameworks as used by virtual private networks","volume":"1","author":"Mixon-Baca Benjamin","year":"2024","unstructured":"Benjamin Mixon-Baca, Jeffrey Knockel, Diwen Xue, Tarun Ayyagari, Deepak Kapur, Roya Ensafi, and Jedidiah R Crandall. 2024. Attacking connection tracking frameworks as used by virtual private networks. Proceedings on Privacy Enhancing Technologies (PETS), Vol. 1 (2024), 18.","journal-title":"Proceedings on Privacy Enhancing Technologies (PETS)"},{"key":"e_1_3_2_1_38_1","doi-asserted-by":"crossref","unstructured":"Jeffrey Mogul and Steve Deering. 1990. Path MTU Discovery. RFC 1191. Internet Engineering Task Force. http:\/\/www.rfc-editor.org\/rfc\/rfc1191.txt","DOI":"10.17487\/rfc1191"},{"key":"e_1_3_2_1_39_1","volume-title":"Slow-port-exhaustion DoS Attack on Virtual Network Using Port Address Translation. In 2018 International Symposium on Computing and Networking. IEEE, 126-132","author":"Nguyen Son Duc","year":"2018","unstructured":"Son Duc Nguyen, Mamoru Mimura, and Hidema Tanaka. 2018. Slow-port-exhaustion DoS Attack on Virtual Network Using Port Address Translation. In 2018 International Symposium on Computing and Networking. IEEE, 126-132."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00265"},{"key":"e_1_3_2_1_41_1","doi-asserted-by":"crossref","unstructured":"Jon Postel. 1981 a. Internet Control Message Protocol . RFC 792. Internet Engineering Task Force. 1-21 pages. http:\/\/www.rfc-editor.org\/rfc\/rfc792.txt","DOI":"10.17487\/rfc0792"},{"key":"e_1_3_2_1_42_1","unstructured":"Jon Postel. 1981 b. Transmission Control Protocol. RFC 793. Internet Engineering Task Force. 1-85 pages. http:\/\/www.rfc-editor.org\/rfc\/rfc793.txt"},{"key":"e_1_3_2_1_43_1","volume-title":"Off-Path TCP Sequence Number Inference Attack How Firewall Middleboxes Reduce Security. In 2012 IEEE Symposium on Security and Privacy. IEEE, 347-361","author":"Qian Zhiyun","year":"2012","unstructured":"Zhiyun Qian and Z Morley Mao. 2012. Off-Path TCP Sequence Number Inference Attack How Firewall Middleboxes Reduce Security. In 2012 IEEE Symposium on Security and Privacy. IEEE, 347-361."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382258"},{"key":"e_1_3_2_1_45_1","first-page":"82","article-title":"Holistic Approach to ARP Poisoning and Countermeasures by Using Practical Examples and Paradigm","volume":"5","author":"Abdur Rahman Md F","year":"2014","unstructured":"Md F Abdur Rahman and Parves Kamal. 2014. Holistic Approach to ARP Poisoning and Countermeasures by Using Practical Examples and Paradigm. International Journal of Advancements in Technology, Vol. 5, 2 (2014), 82-95.","journal-title":"International Journal of Advancements in Technology"},{"key":"e_1_3_2_1_46_1","doi-asserted-by":"crossref","unstructured":"Anantha Ramaiah R Stewart and Mitesh Dalal. 2010. Improving TCP's Robustness to Blind In-Window Attacks . RFC 5961. Internet Engineering Task Force. 1-19 pages. http:\/\/www.rfc-editor.org\/rfc\/rfc5961.txt","DOI":"10.17487\/rfc5961"},{"key":"e_1_3_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.1145\/3507509.3507510"},{"key":"e_1_3_2_1_48_1","doi-asserted-by":"crossref","unstructured":"Teemu Rytilahti and Thorsten Holz. 2020. On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways.. In NDSS.","DOI":"10.14722\/ndss.2020.24389"},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"crossref","unstructured":"Daniel Senie and Paul Ferguson. 2000. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing . Technical Report 2827. Internet Engineering Task Force. https:\/\/doi.org\/10.17487\/RFC2827","DOI":"10.17487\/rfc2827"},{"key":"e_1_3_2_1_50_1","volume-title":"Ipv6 security issues. Scanning","author":"Sotillo Samuel","year":"2006","unstructured":"Samuel Sotillo. 2006. Ipv6 security issues. Scanning (2006), 1-6."},{"key":"e_1_3_2_1_51_1","first-page":"3129","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Tolley William J","year":"2021","unstructured":"William J Tolley, Beau Kujath, Mohammad Taha Khan, Narseo Vallina-Rodriguez, and Jedidiah R Crandall. 2021. Blind In\/On-Path attacks and applications to VPNs. In 30th USENIX Security Symposium (USENIX Security 21). 3129-3146."},{"volume-title":"Accessed","year":"2023","key":"e_1_3_2_1_52_1","unstructured":"TP-Link. Accessed December 2023. Brief Introduction of AP Isolation. https:\/\/www.tp-link.com\/us\/support\/faq\/2089\/."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"crossref","unstructured":"Yuxiang Yang Xuewei Feng Qi Li Kun Sun Ziqiang Wang and Ke Xu. 2024. Exploiting Sequence Number Leakage: TCP Hijacking in NAT-Enabled Wi-Fi Networks. In NDSS.","DOI":"10.14722\/ndss.2024.23419"}],"event":{"name":"CCS '25: ACM SIGSAC Conference on Computer and Communications Security","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"],"location":"Taipei Taiwan","acronym":"CCS '25"},"container-title":["Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3719027.3744888","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T22:15:03Z","timestamp":1766441703000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3719027.3744888"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,11,19]]},"references-count":53,"alternative-id":["10.1145\/3719027.3744888","10.1145\/3719027"],"URL":"https:\/\/doi.org\/10.1145\/3719027.3744888","relation":{},"subject":[],"published":{"date-parts":[[2025,11,19]]},"assertion":[{"value":"2025-11-22","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}