TCP Vulnerabilities

Motivation Problem Statement TCP Vulnerabilities ARP LOT Observation Conclusion References

TCP Vulnerabilities and IP Spooﬁng:
Current Challenges and Future Prospects

Prakhar Bansal
Registration No. - 2011CS29

Computer Science and Engineering Department
Motilal Nehru National Institute of Technology Allahabad,
Allahabad, India

November 5, 2012
Prakhar Bansal, MNNIT Allahabad 1 / 45
TCP Vulnerabilities and IP Spooﬁng


1 Motivation

2 Problem Statement

3 TCP Vulnerabilities

4 ARP Cache Poisoning Attack

5 LOT: Lightweight Opportunistic Plug and Play Secure
Tunneling Protocol

6 Observation

7 Conclusion

8 References



Why?
Motivation



Prolexic Attack Report [1]

# of DDoS attacks 88% ⇑
average attack duration ⇑ up to 33 hours
average attack bandwidth ⇑
packets/second rate ⇑
top-most DDoS attacks originating country China



Norton Cyber Crime Report 2012 [2]

According to report, cybercrime aﬀects
556 million victims/year
2 out-of 3 online adults in their lifetime
42 million+ people in India in last 12 months
Global price tag has reached up to $110 billions
$197 average cost/victim



Cybercrime global cost

Figure: Cybercrime global cost [2]


Government Budgets and Recent Reports

UK businesses lose around £21 billion a year [3]
India spent 37.7 crores this year
US has proposed $800 million for next ﬁscal year 2013-14
Government should spend more on policing the Internet [4]



Recent Anonymous Attacks I



Recent Anonymous Attacks II

On Jan 19, 2012, group attacked US Department of Justice
and FBI in protest of SOPA.
Group claimed this to be a largest attack with over 5635
bot-nets.
Attacks on facebook on October 12, 2012, which leads
facebook to shutdown in Europe.



Recent Anonymous Attacks III

Attacked on many Indian websites including website for
Supreme court of India and other national political parties in
response to Internet censorship.
Took down UK governments websites on April, 2012, in
protest against government surveillance policies.



Problem Statement

‘To design a reliable, scalable and secure network. The network
which no one can spoof, no one can ﬂood and no one can hack.’

Protocol vulnerabilities is one of the long standing major
challenge in networks communications.
Reports and attacks discussed, shows how vulnerable our
network protocols are.



TCP Vulnerabilities
Three-way Handshake

Figure: Three-way handshake



Establishing & Closing a TCP Connection
Sequence States at Client TCP

Figure: Sequence of states at client TCP



Establishing & Closing a TCP Connection
Sequence States at Server TCP

Figure: Sequence of states at server TCP



TCP SYN Flooding Attack
Theory of Operation

Server TCP, in LISTEN state transited to SYN-RECEIVED
state, when receives a SYN segment.
Server TCP maintains Transmission Control Block (TCB).
SYN ﬂooding attacks tries to exhaust the memory at attacked
system.
The success of SYN ﬂooding attack lies in:
packet-size,
frequency, and
distinct, distributed and unreachable IP addresses.



TCP SYN Flooding Attack I
Countermeasures

Filtering
Increasing Backlog
Reducing SYN-RECEIVED Timer
Recycling the oldest half-open TCB
SYN cache
SYN cookies
SYN cookies limitations



ARP Cache Poisoning Attack
About ARP

David C. Plummer originally published in RFC 826.
To communicate with host on network we must know 48-bit
ethernet address (MAC address) of the host.
Host broadcasts ARP query on the network.
The host with given IP unicasts ARP reply.
Each node in a network maintains a data structure named
ARP cache for storing < IP, M AC > pairing.
ARP cache entries expires after some time.



ARP Cache Poisoning Attack
Theory of Operation

ARP protocol is stateless protocol.
Host updates its ARP cache by any ARP query.
The false ARP is reply is reﬂected in ARP cache as soon as
host receives it.
Once host updates its ARP cache, the attacker also gets the
packets intended for some other system.



ARP Cache Poisoning Attack I
Countermeasures

Huang in 2008, suggests to add state in ARP protocol [5].

Figure: Huang solution [5]



ARP Cache Poisoning Attack I
Countermeasures

Seung Yeob Nam in 2010 proposed voting-based resolution
mechanism to prevent ARP attacks.
Suggests host firstly asks other neighboring hosts about this
IP and MAC before updating table.
Some firewall and router manufacturers have procedure in
their products to detect the ARP spoofing attacks.
Softwares like arp-guard recognizes the changes in ARP tables
and report these to managing system [6].



LOT
About LOT

LOT is needed to be installed at communicating network
gateways [7].
Once installed one gateway would establish an eﬃcient tunnel
for secure communication with another gateway.
The working code prototype is available online at url:
‘http://lighttunneling.sourceforge.net’



LOT
LOT Features

Local and remote quotas
Filtering
Congestion detection
Ingress ﬁltering solution: adds a pseudo random tag to
each packet occurs.



LOT
Communication Model

As IP address has address space {0, 1}32 [8],
According to LOT protocol, every entity in network has
address space S of {0, 1}l .
A set N B ⊆ S is a network block, if ∃P, a preﬁx, P∈ {0, 1}l ,
l < l.
Network hosts and LOT gateways all are network entities
NB(e).
Each host entity e must be associated with single network
block |NB (h) = 1 |.
Gateway entity may be associated with a larger network block.



LOT
Communication Model

Figure: Communication model [7]



LOT
Communication Model

Network entities communicate via sending messages to next
peers.
Next peers are decided as follows:
Two entities e1 , e2 are said to be peers if and only if;
N B(e1 ) ⊂ N B(e2 ) and
N B(e1 ) N B(G) N B(e2 ) means,
for eg; entities A, C are peers.
N B(e2 ) N B(e1 ), N B(e1 ) N B(e2 ) and
N B(e1 ) N B(G) or N B(e2 ) N B(G)
for eg; entities F, G are peers.



Handshake Between Gateways
Phase 1: Hello Phase I

HOSTA , ∈ some N B1 behind GWA sends a packet to
HOSTB in some another N B2 not associated GWA .
It identiﬁes gateway GWB associated with N B(HOSTB ).
GWA begins handshake by sending a hello request message to
HOSTB .
Hello request message contains,
details of N B(HOSTA ) associated with GWA , and
cookie cookieA .



Phase 1: Hello Phase II

GWB intercepts the hello request message and replies with
response message.
Hello response message contains,
details of NB(HOSTB ) associated with GWB ,
cookieA , and
for optimization, cookieB .



Phase 1: Hello Phase III

Figure: Phase 1: hello phase



Phase 2: Network Block Validation I

GWA checks GWB ∈ N B(HOSTB ) or not and,
GWB checks whether GWA ∈ N B(HOSTA ) or not.
It consists of n iterations.
GWA sends packet with cookie to any random host in
N B(GWB ).
If GWB is associated with same NB then it should be able to
intercept it.
Cookie is based on N B(GWB ), current time at GWA ,
current iteration number and agreed upon iterations.



Phase 2: Network Block Validation II

GWB , after intercepting correctly, sends back challenge to
random host associated with GWA with response.
This response contains two cookies, and arguments needed for
GWA to regenerate cookie.
GWA extracts its cookie and matches it after regenerating.
And GWA ∈ N B(HOSTA ) then it intercepts challenge.
Now, GWA selects any other random host from
N B(HOSTB ).
This process is repeated till n times.
To avoid DDoS attacks, ηmax is set as a global constant and
n ≤ ηmax .



Phase 2: Network Block Validation

Figure: Phase 2: network block validation


LOT
LOT Packet Structure

IP header is modified significantly in order to encapsulate LOT.
IP flags: DF/MF flags are always unset as no packet
fragmentation within the LOT tunnel.
Protocol Type: To indicate that the packet is encapsulated
using LOT, this field is modified.
LOT Header: A LOT header is attached with the packet. It
contains:
Tag,
Fields for reconstruction of the original packet including IP
flags and transport protocol.
Fields that allow receiving-end gateway to reconstruct the
session key.



My Observation
TCP Three-way Handshake I

While studying TCP protocol, I observed few things in three-way
handshake.
The success of SYN flooding attacks depends on frequency of
SYN segments reaching at server side.
Neither ⇑ backlog nor ⇓ SYN-RECEIVED timer will work.
Attackers usually send SYN flood messages from set of
unreachable IPs.
If the backlog (half-open connections queue) is filling very
fast, why not we firstly ping the client before sending any
reply.



My Observation
TCP Three-way Handshake

Figure: Redeﬁnition of TCP three-way handshake



My Observation
TCP Three-way Handshake II

SYN-cookie limitation can be removed by using separate cookie.
Client sends SYN segment to server.
Server reply with ‘SY N/ACK/cookieserver ’.
cookieserver is based on client IP address, port address,
current time and other information.
Once it reaches to client, client acknowledges server by
sending ‘ACK/cookieserver ’.
Server authenticates its cookie and validates client.



My Observation
TCP Three-way Handshake

Figure: Redeﬁnition of TCP three-way handshake



My Observation
TCP Three-way Handshake III

In Linux OS, SYN-cookie mechanism is disabled by default
but it can be enabled via changing value of variable
sysctl.net.ipv4.tcp syncookie to 1, in /etc/sysctl.conf ﬁle.



ARP I
ARP Protocol

ARP is a stateless protocol.
ARP protocol accepts any ARP reply and updates its ARP
table as soon as any ARP reply is received.
We can add new data structure along with existing ARP table.
This data structure is a dynamic list which records all the
outstanding ARP requests.
When a ARP reply came, we check this list whether we have
sent any such query or not.
Further conﬁrm this ARP reply by asking few neighbors.
We can originate RARP for the MAC address received in ARP
response.


ARP
ARP Protocol

Figure: Redeﬁnition of ARP protocol



Conclusion

Recent network attacks has shown how vulnerable our
networks are.
Flooding, IP spoofing and denial of service attacks are
becoming a significant threats.
Ingress filtering was suggested but not yet completely
implemented by alL ISPs.
LOT protocol is best but needed to be installed on mostly all
gateways on network.
All gateways shares a secret key first through a vulnerable
network, this can dangerous.
LOT tunnels can’t pass over Network Address Translators
(NATs). However NAT devices do not prevent LOT and LOT
tunnels will be formed.



Conclusion

Now, the world is changing. The face of network
communication is changing rapidly.
Now use of smart-phones and embedded systems is increasing
rapidly.
Cloud computing and mobile computing are attackers future
targets.
Security in cloud computing is still a major issue. There is a
need of reliable, scalable and fault-tolerant clouds both on
system and mobile.
Protocols are not much sophisticated and thus vulnerable to
attacks.
The research in developing sophisticated network protocols is
still a very important area and full of challenges, thrust for
future research.


References I

“Prolexic Quarterly Global DDoS Attack Report,” Quarter 3,
2012.
“2012 Norton Cybersecurity Report,”
“Government to warn businesses about cyber crime threat,”
BBC, 5 september 2012.
Ross Anderson and Chris Bardon, “Measuring the cost of
cybercrime,”
Huang, T. and Bai, G., “Method against ARP spooﬁng baseed
on improved protocol mechanism,”
“ARP Guard,” in https://www.arp-guard.com/info.



References II

Gilad, Yossi and Hergberg, Amir, “LOT: A Defense Against IP
Spooﬁng and Flooding Attacks,” vol. 15 of 6, ACM
Transactions on Information and System Security, July 2012.
Postel, J., “Internet Protocol, The Protocol Speciﬁcation, RFC
791,” DARPA Internet Program.



Thankyou

Questions ?


TCP Vulnerabilities

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a TCP Vulnerabilities

Semelhante a TCP Vulnerabilities (20)

TCP Vulnerabilities