{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,27]],"date-time":"2025-08-27T05:40:20Z","timestamp":1756273220263,"version":"3.44.0"},"reference-count":54,"publisher":"IEEE","license":[{"start":{"date-parts":[[2025,6,30]],"date-time":"2025-06-30T00:00:00Z","timestamp":1751241600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2025,6,30]],"date-time":"2025-06-30T00:00:00Z","timestamp":1751241600000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,6,30]]},"DOI":"10.1109\/eurosp63326.2025.00051","type":"proceedings-article","created":{"date-parts":[[2025,8,26]],"date-time":"2025-08-26T19:04:11Z","timestamp":1756235051000},"page":"807-821","source":"Crossref","is-referenced-by-count":0,"title":["The Danger of Packet Length Leakage: Off-path TCP\/IP Hijacking Attacks Against Wireless and Mobile Networks"],"prefix":"10.1109","author":[{"given":"Guancheng","family":"Li","sequence":"first","affiliation":[{"name":"Tencent Security Xuanwu Lab"}]},{"given":"Minghao","family":"Zhang","sequence":"additional","affiliation":[{"name":"Tsinghua University"}]},{"given":"Jianjun","family":"Chen","sequence":"additional","affiliation":[{"name":"Tsinghua University"}]},{"given":"Ge","family":"Dai","sequence":"additional","affiliation":[{"name":"Tencent Security Xuanwu Lab"}]},{"given":"Pinji","family":"Chen","sequence":"additional","affiliation":[{"name":"Tsinghua University"}]},{"given":"Huiming","family":"Liu","sequence":"additional","affiliation":[{"name":"Tencent Security 
Xuanwu Lab"}]},{"given":"Yang","family":"Yu","sequence":"additional","affiliation":[{"name":"Tencent Security Xuanwu Lab"}]},{"given":"Haixin","family":"Duan","sequence":"additional","affiliation":[{"name":"Tsinghua University"}]},{"given":"Zhiyun","family":"Qian","sequence":"additional","affiliation":[{"name":"University of California,Riverside"}]}],"member":"263","reference":[{"journal-title":"5g; nr; overall description; stage-2 (3gpp ts 38.300 version 15.3.1 release 15)","year":"2018","key":"ref1"},{"journal-title":"5g; nr; packet data convergence protocol (pdcp) specification (3gpp ts 38.323 version 15.2.0 release 15)","year":"2018","key":"ref2"},{"journal-title":"Lte; evolved universal terrestrial radio access (e-utra); packet data convergence protocol (pdcp) specification (3gpp ts 36.323 version 15.3.0 release 15)","year":"2019","key":"ref3"},{"key":"ref4","first-page":"492","article-title":"Wi-fi protected access: Strong, standards-based, interoperable security for today\u2019s wi-fi networks","year":"2003","journal-title":"White paper, University of Cape Town"},{"key":"ref5","first-page":"1307","article-title":"Watching the watchers: Practical video identification attack in LTE networks","volume-title":"31st USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, August 10-12, 2022","author":"Bae"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2012.52"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.17487\/rfc7323"},{"volume-title":"Caida spoofer project","year":"2025","key":"ref8"},{"key":"ref9","first-page":"209","article-title":"Off-path TCP exploits: Global rate limit considered dangerous","volume-title":"25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016","author":"Cao"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1145\/2976749.2978394"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23442"},{"article-title":"Composition Kills: A Case Study of 
Email Sender Authentication","volume-title":"29th USENIX Conference on Security Symposium","author":"Chen","key":"ref12"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2025.231086"},{"key":"ref14","first-page":"1581","article-title":"Off-path TCP exploit: How wireless routers can jeopardize your secrets","volume-title":"27th USENIX Security Symposium, USENIX Security 2018, Baltimore, MD, USA, August 15-17, 2018","author":"Chen"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.1109\/35.620533"},{"key":"ref16","article-title":"Traditional IP Network Address Translator (Traditional NAT)","author":"Egevang","year":"2001","journal-title":"RFC 3022"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1145\/3495243.3560525"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417884"},{"key":"ref19","article-title":"NAT Behavioral Requirements for TCP","author":"Ford","year":"2008","journal-title":"RFC 5382"},{"key":"ref20","first-page":"41","article-title":"Off-path attacking the web","volume-title":"6th USENIX Workshop on Offensive Technologies, WOOT\u201912, August 6-7, 2012, Bellevue, WA, USA, Proceedings","author":"Gilad"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1145\/2488388.2488427"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2013.130"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1145\/2980159.2980163"},{"journal-title":"RFC 2663","article-title":"IP Network Address Translator (NAT) Terminology and Considerations","year":"1999","key":"ref24"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.17487\/rfc7858"},{"key":"ref26","first-page":"1291","article-title":"Ltrack: Stealthy tracking of mobile phones in LTE","volume-title":"31st USENIX Security Symposium, USENIX Security 2022, Boston, MA, USA, August 10-12, 
2022","author":"Kotuliak"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/ICFCC.2009.32"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1109\/NCA.2018.8548317"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3690361"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354232"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417280"},{"article-title":"The Silent Danger in HTTP: Identifying HTTP Desync Vulnerabilities with Gray-box Testing","volume-title":"34th USENIX Conference on Security Symposium","author":"Mu","key":"ref32"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3507657.3528559"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1109\/90.330413"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.29"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382258"},{"key":"ref37","article-title":"DNS Security Introduction and Requirements","author":"Rose","year":"2005","journal-title":"RFC 4033"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00006"},{"issue":"6","key":"ref39","article-title":"Wpa 2 (wi-fi protected access 2) security enhancement: Analysis & improvement","volume":"12","author":"Sakib","year":"2012","journal-title":"Global Journal of Computer Science and Technology"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23236"},{"key":"ref41","article-title":"Improving TCP\u2019s Robustness to Blind In-Window Attacks","author":"Stewart","year":"2010","journal-title":"RFC 5961"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1145\/1514274.1514286"},{"key":"ref43","first-page":"161","article-title":"Fragment and forge: Breaking wi-fi through frame aggregation and fragmentation","volume-title":"30th USENIX Security Symposium, USENIX Security 2021, August 11-13, 
2021","author":"Vanhoef"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1145\/2484313.2484368"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134027"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243807"},{"journal-title":"Default protocol https usage statistics","year":"2025","key":"ref47"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00129"},{"volume-title":"WPA3 Specification","year":"2023","key":"ref49"},{"key":"ref50","first-page":"55","article-title":"Hiding in plain signal: Physical signal overshadowing attack on LTE","volume-title":"28th USENIX Security Symposium, USENIX Security 2019, Santa Clara, CA, USA, August 14-16, 2019","author":"Yang"},{"key":"ref51","doi-asserted-by":"publisher","DOI":"10.1145\/3643833.3656131"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2024.23419"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1145\/3658644.3670386"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.1109\/CNS56114.2022.9947238"}],"event":{"name":"2025 IEEE 10th European Symposium on Security and Privacy (EuroS&P)","start":{"date-parts":[[2025,6,30]]},"location":"Venice, Italy","end":{"date-parts":[[2025,7,4]]}},"container-title":["2025 IEEE 10th European Symposium on Security and Privacy 
(EuroS&P)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/11129252\/11129260\/11129339.pdf?arnumber=11129339","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,27]],"date-time":"2025-08-27T05:04:14Z","timestamp":1756271054000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11129339\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,30]]},"references-count":54,"URL":"https:\/\/doi.org\/10.1109\/eurosp63326.2025.00051","relation":{},"subject":[],"published":{"date-parts":[[2025,6,30]]}}}