The TCP/IP protocol suite has a number of vulnerability and security flaws inherent in the protocols. Those vulnerabilities are often used by crackers for Denial of Service (DOS) attacks, connection hijacking and other attacks. The following are the major TCP/IP security problems: TCP SYN attacks (or SYN Flooding) ¡§CThe TCP uses sequence numbers to ensure data is given to the user in the correct order. The sequence numbers are initially established during the opening phase of a TCP connection in the three-way handshake. TCP SYN attacks take advantage of a flaw in how most hosts implement TCP three-way handshake. When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds and a host can only keep track of a very limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK the other host sends back. By doing so, the other host's listen queue is quickly filled up, and it will stop accepting new connections, until a partially opened connection in the queue is completed or times out. This ability to effectively remove a host from the network for at least 75 seconds can be used as a denial-of-service attack, or it can be used to implement other attacks, like IP Spoofing. IP Spoofing - IP spoofing is an attack used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host. The IP layer assumes that the source address on any IP packet it receives is the same IP address as the system that actually sent the packet -- it does no authentication. Many higher level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet could get unauthorized privileges. There are few variations of IP Spoofing such as Blind and Non-blind spoofing, man-in-the-middle- attack (connection hijacking), etc. For details, please read the IP Spoofing section. Routing attacks ¡§C This attack takes advantage of Routing Information Protocol (RIP), which is often an essential component in a TCP/IP network. RIP is used to distribute routing information within networks, such as shortest-paths, and advertising routes out from the local network. Like TCP/IP, RIP has no built in authentication, and the information provided in a RIP packet is often used without verifying it. Attacks on RIP change where data goes to, not where it came from. For example, an attacker could forge a RIP packet, claiming his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine

1. 1

2. SECURITY PROBLEMS IN TCP/IP
Reference: Security Problems in the TCP/IP Protocol Suite : by
Steve Bellovin
R-services
Source-routing
ARP attacks
Session hijacking
TCP session stealing
2

3. SECURITY PROBLEMS IN R-SERVICES
rsh and rcp use the .rhosts file in your directory, which lists hosts and accounts to
allows access from without a password.
Allowed by /etc/inetd
Example .rhosts file:
red.cs.umass.edu brian
*.cs.umass.edu brian
* *
3

4. SECURITY PROBLEMS IN R-SERVICES
Now that we know a machine is running rsh, how can we pretend to be
another machine to gain access?
Attack Defense
 Source routing ignore source routes
 False routing table updates secure routing protocols
 Session hijacking ssh/ secure connection
 ICMP redirects ?
 False ARP packets Publish ARP tables
 TCP session stealing ssh/ secure connection
4

5. SECURITY PROBLEMS IN R-SERVICES
Exploiting trusted relationships: C is a trusted host to S
Source routing:
 IP source-route option
 The responder includes the source-route on the reply packets.
 Some/most OSs ignore source routes these days.
X 1. C->S: spoofed packet
(source-route; includes X)
2. replies
C S
Open a TCP connection to rshd spoofing the address of a trusted host,
but include yourself in the source route.
5

6. SESSION HIJACKING
Normal TCP operation from client, C, to server, S
 C->S: SYN(ISNC)
Client C Server S
 S->C: SYN(ISNS), ACK(ISNC+1)
 C->S: ACK(ISNS +1) SYN(ISNC)
 Client and Server exchange data
 ISN number generation SYN(ISNS),
 4.2BSD: increments 128/sec ACK(ISNC+1
)
 4.3BSD: increments 125000/sec
ACK(ISNS+1)
6

7. SESSION HIJACKING
Session hijacking: Find a machine, C, that’s down, guess the ISN. Usually in regular
increments.
 X->S: SYN(ISNX) [spoofs C] S: rshd server
 S->C: SYN(ISNS), ACK(ISNX +1)
 X->S: ACK(ISNS +1) [spoofs C; estimates ISNS]
 X->S: [ echo “* *” >> ~/.rhosts] [spoofs C]
 X->S: RESET [spoofs C]
 X rlogins from anywhere in the world.
X 3. SYN(5000), ACK(1001)
1. ISN estimation: 1: Disables C
2. SYN(1000)
C S
Trusted relationship
7

8. SESSION HIJACKING
2. Session hijacking:
X
6: ACK(ISNS +1)
(spoofs C; estimates ISNS)
4: SYN(ISNX)
(spoofs C)
C S
5: SYN(ISNS), ACK(ISNX+1)
3. Executes remote commands:
X
7: [echo “* *” >> ~/.rhosts]
(spoofs C)
8: RESET
(spoofs C)
C S 8

9. DISABLING HOSTS: SYN FLOODING DOS
Send lots of spoofed SYN packets to a victim host
Each SYN packet received causes a buffer to be allocated, and the limits of the
listen()call to be reached.
Morris invented SYN flooding just to launch a session hijacking attack, later used
against Yahoo!
9

10. ATTACKING ROUTING TO EXPLOIT RSH
Two types of routing: dynamic routing vs. static routing
Dynamic routing updates
 OSPF: link-state algorithm
 RIP: distance vector algorithm
Attacker injects a RIP update stating she has a path to host C
 All subsequent packets to C will be routed to the attacker.
 The attacker initiates connection to rshd of the server. (spoofing C)
Defense: uses secure routing protocols
 Only accept authenticated updates.
 Requires key management.
10

11. ICMP ATTACK
ICMP redirect: forces a machine to route through you.
 Requires an existing connection
 Open a spoofed connection to the host you want to attack.
 Then send a spoofed ICMP redirect to the victim redirecting it to the gateway you’ve
compromised.
Others
 ICMP destination unreachable
 Frequent ICMP source quenches
11

12. ARP ATTACKS
When a machines sends an ARP request out, you could answer that you own the
address.
 But in a race condition with the real machine.
Unfortunately, ARP will just accept replies without requests!
Just send a spoofed reply message saying your MAC address owns a certain IP
address.
 Repeat frequently so that cache doesn’t timeout
Messages are routed through you to sniff or modify.
12

13. ARP SPOOFING - COUNTERMEASURES
“Publish” MAC address of router/default gateway and trusted hosts to prevent ARP spoof
 Statically defining the IP to Ethernet address mapping
Example:
arp -s hostname 00:01:02:03:04:ab pub
13

14. TCP SESSION STEALING
Reference: “A Simple Active Attack Against TCP” by Laurent Joncheray.
In Proceedings of 5th USENIX Unix Security Symposium. June 1995
Active attack using desynchronized states
 The attacker is in the path b/w the client and the server
 The attacker can sniff all the packets and inject some spoofed packets
 Steps:
1. The attacker sniffs the communication b/w the two.
2. The attacker disables the communication by desynchronizing the
client and the server.
3. The attacker injects spoofed packets that acceptable for both ends.
14

15. TCP SESSION STEALING
Desynchronized state b/w client C and server S
 Both in “Established state”
 No data is being sent (stable state)
 S_SEQ  C_ACK and C_SEQ  S_ACK
When S_ACK < C_SEQ < S_ACK + S_Wind:
 The packet is accepted (buffered) but not sent to the user
When C_SEQ > S_ACK + S_Wind or C_SEQ < S_ACK :
 The packet is dropped
In both cases, the ACK(S_ACK) is sent (ACK packet with S_SEQ,
S_ACK)
15

16. TCP SESSION STEALING
In a desynchronized state, the attacker can send any acceptable data to the server
 E.g. [echo myhost >> ~/.rhost] for rlogin
X 2: X->S (spoofing C): S_ACK, S_SEQ
1: C->S: C_SEQ, C_ACK
[echo myhost >> ~/.rhost]
(accepted)
(dropped)
C S
C_SEQ, C_ACK S_SEQ, S_ACK
S_SEQ  C_ACK and C_SEQ  S_ACK
16

17. DESYNCHRONIZATION
X 3,4, 6
2
Early desynchronization C S
1
1. C->S(Syn): C_Seq0 ; C: Syn_Sent
2. S->C(Syn/Ack): S_Seq0, C_Seq0+1 ; S: Syn_Rcvd
; C: Established (C_Seq0+1, S_Seq0+1)
(before the packet C->S(Ack): S_Seq0+1)
3. X->S(spoofing C, Rst)
4. X->S(spoofing C, Syn): X_Seq0 ; the same port # used in (1)
5. S->C(Syn/Ack): S_Seq1, X_Seq0+1
6. X->S(spoofing C, Ack): S_Seq1+1
; S: Established (S_Seq1+1, X_Seq0+1)
17

18. THE ATTACK
Null data desynchronization
1. The attacker watches the session without interfering.
2. During a quiet period, the attacker sends a large amount of null data (IAC, NOP for
telnet): nothing happens, server only changes the TCP Ack number
3. Now, when the client sends data, it is dropped by the server because it’s lower
than the server’s window.
4. The attacker does the same with the client.
Defense: ssh connection, or IPsec
18