Extract Network and System resource for analysis of Network Security Modeling
TCP Vulnerabilities
1. Motivation Problem Statement TCP Vulnerabilities ARP LOT Observation Conclusion References
TCP Vulnerabilities and IP Spoofing:
Current Challenges and Future Prospects
Prakhar Bansal
Registration No. - 2011CS29
Computer Science and Engineering Department
Motilal Nehru National Institute of Technology Allahabad,
Allahabad, India
November 5, 2012
Prakhar Bansal, MNNIT Allahabad 1 / 45
TCP Vulnerabilities and IP Spoofing
1 Motivation
2 Problem Statement
3 TCP Vulnerabilities
4 ARP Cache Poisoning Attack
5 LOT: Lightweight Opportunistic Plug and Play Secure Tunneling Protocol
6 Observation
7 Conclusion
8 References
Why?
Motivation
Prolexic Attack Report [1]
Number of DDoS attacks: 88% ⇑
Average attack duration: ⇑ up to 33 hours
Average attack bandwidth: ⇑
Packets/second rate: ⇑
Top DDoS-attack originating country: China
Norton Cyber Crime Report 2012 [2]
According to the report, cybercrime affects:
556 million victims per year,
2 out of 3 online adults in their lifetime,
42 million+ people in India in the last 12 months.
The global price tag has reached $110 billion.
$197 average cost per victim.
Cybercrime global cost
Figure: Cybercrime global cost [2]
Government Budgets and Recent Reports
UK businesses lose around £21 billion a year [3].
India spent 37.7 crore this year.
The US has proposed $800 million for the next fiscal year, 2013-14.
Government should spend more on policing the Internet [4].
Recent Anonymous Attacks I
Recent Anonymous Attacks II
On Jan 19, 2012, the group attacked the US Department of Justice and the FBI in protest of SOPA.
The group claimed this to be its largest attack, with over 5635 bot-nets.
Attacks on Facebook on October 12, 2012, which led Facebook to shut down in Europe.
Recent Anonymous Attacks III
Attacked many Indian websites, including the website of the Supreme Court of India and those of national political parties, in response to Internet censorship.
Took down UK government websites in April 2012 in protest against government surveillance policies.
Problem Statement
‘To design a reliable, scalable and secure network: a network which no one can spoof, no one can flood and no one can hack.’
Protocol vulnerabilities are one of the long-standing major challenges in network communications.
The reports and attacks discussed show how vulnerable our network protocols are.
TCP Vulnerabilities
Three-way Handshake
Figure: Three-way handshake
Establishing & Closing a TCP Connection
Sequence of States at Client TCP
Figure: Sequence of states at client TCP
Establishing & Closing a TCP Connection
Sequence of States at Server TCP
Figure: Sequence of states at server TCP
TCP SYN Flooding Attack
Theory of Operation
The server TCP, in the LISTEN state, transitions to the SYN-RECEIVED state when it receives a SYN segment.
The server TCP maintains a Transmission Control Block (TCB) for each such half-open connection.
SYN flooding attacks try to exhaust the memory of the attacked system.
The success of a SYN flooding attack lies in:
packet size,
frequency, and
distinct, distributed and unreachable IP addresses.
TCP SYN Flooding Attack I
Countermeasures
Filtering
Increasing Backlog
Reducing SYN-RECEIVED Timer
Recycling the oldest half-open TCB
SYN cache
SYN cookies
SYN cookies limitations
ARP Cache Poisoning Attack
About ARP
ARP was originally published by David C. Plummer in RFC 826.
To communicate with a host on the network we must know the 48-bit Ethernet address (MAC address) of that host.
The host broadcasts an ARP query on the network.
The host with the given IP unicasts an ARP reply.
Each node in a network maintains a data structure named the ARP cache for storing <IP, MAC> pairings.
ARP cache entries expire after some time.
ARP Cache Poisoning Attack
Theory of Operation
ARP is a stateless protocol.
A host updates its ARP cache on any ARP query.
A false ARP reply is reflected in the ARP cache as soon as the host receives it.
Once the host updates its ARP cache, the attacker also gets the packets intended for some other system.
ARP Cache Poisoning Attack I
Countermeasures
Huang in 2008 suggested adding state to the ARP protocol [5].
Figure: Huang solution [5]
ARP Cache Poisoning Attack I
Countermeasures
Seung Yeob Nam in 2010 proposed a voting-based resolution mechanism to prevent ARP attacks.
It suggests that a host first asks other neighboring hosts about this IP and MAC before updating its table.
Some firewall and router manufacturers have procedures in their products to detect ARP spoofing attacks.
Software like arp-guard recognizes changes in ARP tables and reports them to a managing system [6].
LOT
About LOT
LOT needs to be installed at the communicating network gateways [7].
Once installed, one gateway establishes an efficient tunnel for secure communication with another gateway.
A working prototype is available online at ‘http://lighttunneling.sourceforge.net’.
LOT
LOT Features
Local and remote quotas
Filtering
Congestion detection
Ingress filtering solution: a pseudo-random tag is added to each packet.
LOT
Communication Model
As an IP address has address space {0,1}^32 [8], in the LOT protocol every entity in the network has an address in a space S = {0,1}^l.
A set NB ⊆ S is a network block if there exists a prefix P ∈ {0,1}^l', l' < l, shared by all addresses in NB.
Network hosts and LOT gateways are all network entities; each entity e is associated with a set of network blocks NB(e).
Each host entity h must be associated with a single network block, |NB(h)| = 1.
A gateway entity may be associated with a larger network block.
LOT
Communication Model
Figure: Communication model [7]
LOT
Communication Model
Network entities communicate by sending messages to their next peers.
Next peers are decided as follows. Two entities e1, e2 are said to be peers if and only if either:
NB(e1) ⊂ NB(e2) and there is no gateway G with NB(e1) ⊂ NB(G) ⊂ NB(e2);
for example, entities A, C are peers.
or NB(e2) ⊄ NB(e1), NB(e1) ⊄ NB(e2) and there is no gateway G with NB(e1) ⊂ NB(G) or NB(e2) ⊂ NB(G);
for example, entities F, G are peers.
Handshake Between Gateways
Phase 1: Hello Phase I
HOST_A, in some NB_1 behind GW_A, sends a packet to HOST_B in some other NB_2 not associated with GW_A.
It identifies the gateway GW_B associated with NB(HOST_B).
GW_A begins the handshake by sending a hello request message to HOST_B.
The hello request message contains:
details of NB(HOST_A) associated with GW_A, and
a cookie, cookie_A.
Handshake Between Gateways
Phase 1: Hello Phase II
GW_B intercepts the hello request message and replies with a hello response message.
The hello response message contains:
details of NB(HOST_B) associated with GW_B,
cookie_A, and
for optimization, cookie_B.
Handshake Between Gateways
Phase 1: Hello Phase III
Figure: Phase 1: hello phase
Handshake Between Gateways
Phase 2: Network Block Validation I
GW_A checks whether GW_B ∈ NB(HOST_B) or not, and GW_B checks whether GW_A ∈ NB(HOST_A) or not.
The phase consists of n iterations.
GW_A sends a packet with a cookie to a random host in NB(GW_B).
If GW_B is associated with the same NB then it should be able to intercept it.
The cookie is based on NB(GW_B), the current time at GW_A, the current iteration number and the agreed-upon number of iterations.
Handshake Between Gateways
Phase 2: Network Block Validation II
GW_B, after intercepting correctly, sends back a challenge to a random host associated with GW_A, along with its response.
This response contains two cookies, and the arguments needed for GW_A to regenerate its cookie.
GW_A extracts its cookie, regenerates it and matches the two.
If GW_A ∈ NB(HOST_A) then it intercepts the challenge.
Now GW_A selects another random host from NB(HOST_B).
This process is repeated n times.
To avoid DDoS attacks, η_max is set as a global constant and n ≤ η_max.
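Phase 2 from GW_A's side, as an added simulation (not the LOT prototype's code): the cookie is an HMAC over the claimed block, GW_A's time, the iteration number and n, and a gateway can only echo it if the packet toward the random host actually crosses it. ETA_MAX, the key sizes, the CIDR blocks and the GuessingGateway model are assumptions.

```python
import hashlib
import hmac
import ipaddress
import random
import secrets

ETA_MAX = 8  # global cap on iterations, n <= eta_max (constructed value)


def lot_cookie(secret, nb, now, i, n):
    """Cookie bound to the claimed NB(GW_B), GW_A's current time, the iteration
    number and the agreed iteration count, so GW_A keeps no per-iteration state."""
    msg = f"{nb}|{now}|{i}|{n}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


class Gateway:
    """A LOT gateway that fronts one network block and sees only traffic to it."""

    def __init__(self, fronted_block):
        self.block = ipaddress.ip_network(fronted_block)
        self.secret = secrets.token_bytes(16)  # key for the cookies this gateway issues

    def intercepts(self, dst_ip):
        return ipaddress.ip_address(dst_ip) in self.block

    def respond(self, dst_ip, cookie, args):
        """Echo the cookie plus the arguments GW_A needs to regenerate it, but only
        if the packet toward dst_ip actually crossed this gateway."""
        if self.intercepts(dst_ip):
            return {"cookie": cookie, **args}
        return None


class GuessingGateway(Gateway):
    """Models a gateway that answers challenges for a block it does not front."""

    def respond(self, dst_ip, cookie, args):
        return {"cookie": secrets.token_bytes(8), **args}  # never saw the real cookie


def validate_block(gw_a, gw_b, claimed_nb, n, now, rng=random):
    """GW_A's side of phase 2: does gw_b really front claimed_nb?
    Accepts only if gw_b correctly echoes the cookie in all n iterations."""
    if n > ETA_MAX:
        raise ValueError("n exceeds eta_max")  # bounds the cost an attacker can induce
    block = ipaddress.ip_network(claimed_nb)
    for i in range(n):
        # GW_A sends the cookie to a random host in the claimed block.
        dst = str(block[rng.randrange(block.num_addresses)])
        args = {"nb": claimed_nb, "time": now, "i": i, "n": n}
        cookie = lot_cookie(gw_a.secret, claimed_nb, now, i, n)
        response = gw_b.respond(dst, cookie, args)
        if response is None:
            return False  # packet reached the real block; gw_b never saw it
        expected = lot_cookie(gw_a.secret, response["nb"], response["time"],
                              response["i"], response["n"])
        if not hmac.compare_digest(expected, response["cookie"]):
            return False  # echoed cookie does not regenerate: forged response
    return True
```

A gateway fronting only a /24 but claiming the whole /16 is caught because the random host almost never falls inside the part it actually sees.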
Handshake Between Gateways
Phase 2: Network Block Validation
Figure: Phase 2: network block validation
LOT
LOT Packet Structure
The IP header is modified significantly in order to encapsulate LOT.
IP flags: the DF/MF flags are always unset, as there is no packet fragmentation within the LOT tunnel.
Protocol type: this field is modified to indicate that the packet is encapsulated using LOT.
LOT header: a LOT header is attached to the packet. It contains:
a tag,
fields for reconstruction of the original packet, including the IP flags and transport protocol, and
fields that allow the receiving-end gateway to reconstruct the session key.
My Observation
TCP Three-way Handshake I
While studying the TCP protocol, I observed a few things in the three-way handshake.
The success of SYN flooding attacks depends on the frequency of SYN segments reaching the server side.
Neither increasing the backlog (⇑) nor reducing the SYN-RECEIVED timer (⇓) will work.
Attackers usually send SYN flood messages from a set of unreachable IPs.
If the backlog (half-open connection queue) is filling very fast, why not first ping the client before sending any reply?
My Observation
TCP Three-way Handshake
Figure: Redefinition of TCP three-way handshake
My Observation
TCP Three-way Handshake II
The SYN-cookie limitation can be removed by using a separate cookie.
The client sends a SYN segment to the server.
The server replies with ‘SYN/ACK/cookie_server’.
cookie_server is based on the client IP address, port, current time and other information.
Once it reaches the client, the client acknowledges the server by sending ‘ACK/cookie_server’.
The server authenticates its cookie and validates the client.
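The redefined handshake above, as an added simulation (not code from the slides): cookie_server is an HMAC over the client IP, port and a time slot, so the server commits no state until a valid ACK returns. The secret, slot length, cookie length and the run_handshake driver are assumptions.

```python
import hashlib
import hmac

# Constructed example values; a real server uses a random, periodically rotated secret.
SERVER_SECRET = b"example-only-secret"
SLOT_SECONDS = 60  # cookie validity window (assumed value)
COOKIE_LEN = 8     # bytes of the HMAC kept as cookie_server


def make_cookie(client_ip, client_port, now):
    """cookie_server: HMAC over client IP, client port and the current time slot.
    Nothing is stored per SYN, so a flood of SYNs costs the server no memory."""
    slot = int(now) // SLOT_SECONDS
    msg = f"{client_ip}|{client_port}|{slot}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:COOKIE_LEN]


def server_on_syn(client_ip, client_port, now):
    """Step 2: reply SYN/ACK/cookie_server without allocating a TCB."""
    return {"flags": "SYN/ACK", "cookie": make_cookie(client_ip, client_port, now)}


def client_on_syn_ack(syn_ack):
    """Step 3: a client that owns its source address echoes the cookie in its ACK.
    A spoofed or unreachable source never receives the SYN/ACK, so it cannot."""
    return {"flags": "ACK", "cookie": syn_ack["cookie"]}


def server_on_ack(client_ip, client_port, ack, now):
    """Step 4: regenerate cookie_server for the current and previous slot and compare
    in constant time. Only a validated ACK makes the server commit connection state."""
    for t in (now, now - SLOT_SECONDS):
        if hmac.compare_digest(make_cookie(client_ip, client_port, t), ack["cookie"]):
            return True
    return False


def run_handshake(client_ip, client_port, now, spoofed=False, forged_cookie=None):
    """Simulate one exchange; True if the server accepts the ACK.
    spoofed=True models a SYN from an unreachable address: the SYN/ACK goes unanswered.
    forged_cookie models an ACK sent without ever seeing the SYN/ACK."""
    syn_ack = server_on_syn(client_ip, client_port, now)
    if spoofed:
        return False  # no half-open entry was created, so nothing is exhausted
    ack = client_on_syn_ack(syn_ack)
    if forged_cookie is not None:
        ack = {"flags": "ACK", "cookie": forged_cookie}
    return server_on_ack(client_ip, client_port, ack, now + 1)
```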
My Observation
TCP Three-way Handshake
Figure: Redefinition of TCP three-way handshake
My Observation
TCP Three-way Handshake III
In Linux, the SYN-cookie mechanism is disabled by default, but it can be enabled by setting the variable net.ipv4.tcp_syncookies to 1 in the /etc/sysctl.conf file.
ARP I
ARP Protocol
ARP is a stateless protocol.
ARP accepts any ARP reply and updates its ARP table as soon as the reply is received.
We can add a new data structure alongside the existing ARP table.
This data structure is a dynamic list which records all outstanding ARP requests.
When an ARP reply arrives, we check this list to see whether we sent such a query or not.
Further confirm the ARP reply by asking a few neighbors.
We can originate a RARP request for the MAC address received in the ARP response.
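The outstanding-request list and neighbor confirmation proposed above, as an added simulation (not the slides' own code): a reply is accepted only if a matching request is still pending, and rejected when consulted neighbors do not agree. The TTL values, the majority rule for neighbor votes and the alert format are assumptions.

```python
from dataclasses import dataclass, field

PENDING_TTL = 1.0  # seconds an outstanding ARP request stays answerable (assumed)
CACHE_TTL = 60.0   # seconds a learned <IP, MAC> pair stays cached (assumed)


@dataclass
class StatefulArpCache:
    """ARP cache plus the dynamic list of outstanding requests."""
    cache: dict = field(default_factory=dict)    # ip -> (mac, expires_at)
    pending: dict = field(default_factory=dict)  # ip -> time the request was sent
    alerts: list = field(default_factory=list)   # refused replies and why

    def send_request(self, ip, now):
        """Record the outstanding request before the ARP query is broadcast."""
        self.pending[ip] = now

    def lookup(self, ip, now):
        entry = self.cache.get(ip)
        if entry and entry[1] > now:
            return entry[0]
        self.cache.pop(ip, None)  # expired entries are dropped
        return None

    def receive_reply(self, ip, mac, now, neighbor_votes=None):
        """Accept a reply only if we asked for it, and only if the neighbors we
        consulted agree. neighbor_votes: MACs a few neighbors report for ip
        (None means neighbors were not consulted)."""
        sent = self.pending.get(ip)
        if sent is None or now - sent > PENDING_TTL:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
            return False
        if neighbor_votes is not None and neighbor_votes.count(mac) * 2 <= len(neighbor_votes):
            self.alerts.append(f"neighbors disagree: {ip} is-at {mac}, votes={neighbor_votes}")
            return False
        old = self.lookup(ip, now)
        if old is not None and old != mac:
            # Passed both checks, so accept, but report the change as arp-guard would.
            self.alerts.append(f"mapping change: {ip} {old} -> {mac}")
        del self.pending[ip]
        self.cache[ip] = (mac, now + CACHE_TTL)
        return True
```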
ARP
ARP Protocol
Figure: Redefinition of ARP protocol
Conclusion
Recent network attacks have shown how vulnerable our networks are.
Flooding, IP spoofing and denial-of-service attacks are becoming significant threats.
Ingress filtering was suggested but is not yet completely implemented by all ISPs.
The LOT protocol is best, but it needs to be installed on almost all gateways on the network.
All gateways first share a secret key through a vulnerable network; this can be dangerous.
LOT tunnels can’t pass over Network Address Translators (NATs). However, NAT devices do not prevent LOT, and LOT tunnels will be formed.
Conclusion
Now the world is changing; the face of network communication is changing rapidly.
The use of smart-phones and embedded systems is increasing rapidly.
Cloud computing and mobile computing are attackers’ future targets.
Security in cloud computing is still a major issue. There is a need for reliable, scalable and fault-tolerant clouds, both on systems and on mobile.
Protocols are not very sophisticated and thus are vulnerable to attacks.
Research in developing sophisticated network protocols is still a very important area, full of challenges and a thrust for future research.
References I
[1] “Prolexic Quarterly Global DDoS Attack Report,” Quarter 3, 2012.
[2] “2012 Norton Cybersecurity Report.”
[3] “Government to warn businesses about cyber crime threat,” BBC, 5 September 2012.
[4] Ross Anderson and Chris Barton, “Measuring the cost of cybercrime.”
[5] Huang, T. and Bai, G., “Method against ARP spoofing based on improved protocol mechanism.”
[6] “ARP Guard,” https://www.arp-guard.com/info.
References II
[7] Gilad, Yossi and Herzberg, Amir, “LOT: A Defense Against IP Spoofing and Flooding Attacks,” ACM Transactions on Information and System Security, vol. 15, article 6, July 2012.
[8] Postel, J., “Internet Protocol, The Protocol Specification, RFC 791,” DARPA Internet Program.
Thank you.
Questions?