
Loopholes in TCP/IP



Presentation Transcript


  1. Loopholes in TCP/IP By N Ranjith Kumar

  2. Contents
  • TCP/IP protocol suite
  • TCP state diagram
  • Loopholes in the TCP/IP suite

  3. Transmission Control Protocol
  • TCP runs on IP and provides a connection-oriented service
  • Brief overview of the TCP state machine
  • A connection is identified by a four-tuple: <dest_ip_add, dest_port, src_ip_add, src_port>
  • TCP sequence numbers
  • TCP doesn't make any assumptions about the underlying network

  4. TCP Sequence Numbers
  • TCP runs on IP, and IP doesn't guarantee delivery of packets.
  • The sequence number is an important component of TCP segments.
  • Every byte of data that TCP sends is given a sequence number.
  • ISN - Initial Sequence Number
  • 32-bit sequence number
  • Does not start at 0
  • 3-way handshake protocol
  • The receiver window size is also exchanged during the initial connection phase
  • Accepts packets out of sequence.

  5. 3-Way Handshake (diagram between client C and server S)
  C -> S : SYN_C          (S is listening)
  S -> C : SYN_S, ACK_C   (S stores connection data and waits)
  C -> S : ACK_S          (connected)

  6. TCP Timers
  • Connection establishment timer
  • FIN_WAIT timer
  • TIME_WAIT timer
  • KEEP_ALIVE timer
  TCP State Machine

  7. TCP state diagram (figure only)

  8. Simultaneous connection establishment
  • ftp
  • Two ports: control commands and data
  • The control connection is established first
  • The data connection is initiated by the server [only protocol in which the server initiates the connection]
  • DoS steps [client C is malicious, server S]:
  • S sends a SYN to C and makes a transition to the SYN_SENT state. S also starts the CONNECTION ESTABLISHMENT timer.
  • C receives the SYN and responds with another SYN.
  • When S receives the SYN from C, it assumes that this is a case of a simultaneous open. So it sends out SYN_ACK to C, switches off the connection establishment timer, and transitions to the SYN_RCVD state.
  • C receives the SYN_ACK from S but does not send a reply.
  • Since S is expecting a SYN_ACK in the SYN_RCVD state and there is no timer running, S stays stalled in SYN_RCVD.
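The stall described on this slide, as an added toy model (not code from the presentation): the server-side state machine cancels its establishment timer on entering SYN_RCVD, so a client that answers SYN with SYN and then goes silent leaves the server stuck; the `keep_timer_in_syn_rcvd` switch is an assumed mitigation that keeps a timer armed in SYN_RCVD.

```python
from dataclasses import dataclass


@dataclass
class ServerTcb:
    """Toy model of the server-side (S) control block for the FTP data connection."""
    state: str = "CLOSED"
    timer_running: bool = False
    # Assumed mitigation switch: keep an establishment timer while in SYN_RCVD.
    keep_timer_in_syn_rcvd: bool = False

    def active_open(self) -> None:
        # S initiates the data connection: SYN out, establishment timer started.
        self.state = "SYN_SENT"
        self.timer_running = True

    def receive(self, segment: str) -> None:
        if self.state == "SYN_SENT" and segment == "SYN":
            # A SYN (not SYN+ACK) in SYN_SENT is treated as a simultaneous open:
            # S answers SYN+ACK, moves to SYN_RCVD and, in the implementation
            # described on the slide, switches the establishment timer off.
            self.state = "SYN_RCVD"
            self.timer_running = self.keep_timer_in_syn_rcvd
        elif self.state == "SYN_RCVD" and segment == "ACK":
            self.state = "ESTABLISHED"
            self.timer_running = False

    def timer_expires(self) -> None:
        # Only an armed timer can tear the half-open connection down.
        if self.timer_running:
            self.state = "CLOSED"
            self.timer_running = False


def run_scenario(keep_timer: bool) -> str:
    """Return S's final state after C answers with SYN and then never replies."""
    s = ServerTcb(keep_timer_in_syn_rcvd=keep_timer)
    s.active_open()
    s.receive("SYN")    # C replies with SYN instead of SYN+ACK
    s.timer_expires()   # C never sends the final ACK; does anything fire?
    return s.state


if __name__ == "__main__":
    print("timer cancelled in SYN_RCVD:", run_scenario(False))  # stalls
    print("timer kept in SYN_RCVD:     ", run_scenario(True))   # recovers
```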

  9. Problems in the TCP/IP Suite
  • TCP "SYN" attacks
  • IP spoofing
  • Sequence guessing
  • Source routing
  • Session hijacking
  • Desynchronization during connection establishment
  • Desynchronization in the middle of a connection
  • RIP (Routing Information Protocol) attacks
  • ICMP attacks
  • DNS attacks
  • The lack of unique identifiers

  10. TCP/IP basic data structures
  • There are three data structures associated with connection establishment:
  • socket: protocols used, address info, state info, queues, buffers, flags
  • inpcb (Internet Protocol Control Block structure): IP address info, header info, flags, options etc.
  • tcpcb (TCP Control Block structure): sequence information, timer information, flow control status, out-of-band data etc.
  • Their combined size generally exceeds 280 bytes

  11. TCP "SYN" Attacks
  • TCP half-open connections.
  • Buffers are allocated for each half-open connection.
  • The destination must keep track of each half-open connection in a request queue for 75 seconds.
  • Limited queue lengths!!
  • Each half-open connection stays in the queue for 75 seconds; if the queue is exhausted during that time, normal legitimate requests are terminated.
  • Flooding a victim system this way from a huge number of sources causes a Denial-of-Service.
  • Synflooding.c

  12. SYN Flooding (diagram between client C and server S)
  C -> S : SYN_C1    (S is listening)
  C -> S : SYN_C2    (S stores data for each half-open connection)
  C -> S : SYN_C3
  C -> S : SYN_C4
  C -> S : SYN_C5
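The queue exhaustion from slides 11 and 12, as an added simulation (not code from the presentation and unrelated to Synflooding.c): a fixed-length backlog of half-open connections, each held for 75 seconds, fills up under a burst of never-completed SYNs and only admits a legitimate client again once the entries time out. Capacity, timings and addresses are constructed values.

```python
import collections
from typing import Deque, Tuple

HALF_OPEN_TIMEOUT = 75.0   # seconds a half-open entry is kept (slide 11)


class SynBacklog:
    """Fixed-length request queue of half-open connections for one listening port."""

    def __init__(self, capacity: int) -> None:
        self.capacity = capacity
        # (arrival time, source address) in arrival order
        self.entries: Deque[Tuple[float, str]] = collections.deque()

    def expire(self, now: float) -> None:
        # Entries leave the queue only when their 75 s timer runs out.
        while self.entries and now - self.entries[0][0] >= HALF_OPEN_TIMEOUT:
            self.entries.popleft()

    def on_syn(self, now: float, src: str) -> bool:
        """Return True if a half-open entry was allocated, False if the SYN was dropped."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            return False
        self.entries.append((now, src))
        return True

    def complete(self, src: str) -> None:
        """Final ACK arrived: remove the matching half-open entry."""
        self.entries = collections.deque(e for e in self.entries if e[1] != src)

    def half_open(self) -> int:
        return len(self.entries)


def simulate(capacity: int = 5, flood_syns: int = 20):
    """Flood a small backlog, then see whether a legitimate client gets through."""
    backlog = SynBacklog(capacity)
    # Constructed burst: SYNs from addresses that never complete the handshake.
    for i in range(flood_syns):
        backlog.on_syn(0.1 * i, f"198.51.100.{i + 1}")
    legit_during_flood = backlog.on_syn(10.0, "192.0.2.7")     # queue still full
    legit_after_timeout = backlog.on_syn(76.0, "192.0.2.7")    # entries expired
    backlog.complete("192.0.2.7")
    return legit_during_flood, legit_after_timeout, backlog.half_open()
```

Watching `half_open()` stay pinned at capacity for the full timeout while completions are absent is the simplest host-side signal that a port is being flooded.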

  13. IP Spoofing
  • IP spoofing is an attack where an attacker pretends to be sending data from an IP address other than its own.
  • Communication is likely to be one-way.
  • An attacker needs to use the correct TCP sequence numbers if they plan on establishing a TCP connection with the attacked host.
  • Sequence guessing: the intruder is able to guess sequence numbers
  • I -> S : SYN(ISN_I), SRC = C
  • S -> C : ACK(ISN_I), SYN(ISN_S)
  • I -> S : ACK(ISN_S), SRC = C
  • The intruder doesn't get the data sent to the client
  • But the intruder can execute some commands on the server!!

  14. IP Spoofing
  • ISN prediction
  • Berkeley systems let the ISN increment by a constant amount over a period.
  • After one legitimate connection, we can obtain the ISN for that connection and try to predict the ISN for the next connection.
  • Overcoming ISN prediction:
  • Increase the rate at which the ISN changes
  • Add a random element to the ISN
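The contrast between slides 13 and 14, as an added self-check (not code from the presentation): a naive constant-step predictor is run over synthetic ISN sequences from a constant-increment generator and from the same generator with a random element added, the way a defender would test whether a generator is predictable. The increment, start value and random width are constructed assumptions, not measured values.

```python
import random

MOD = 2 ** 32


def constant_increment_isns(start: int, step: int, n: int) -> list:
    """Model of the scheme on slide 14: the ISN grows by a fixed amount per connection."""
    return [(start + i * step) % MOD for i in range(n)]


def randomized_isns(start: int, step: int, n: int, rng: random.Random) -> list:
    """Same clock-driven base with a random element added to every ISN."""
    return [(start + i * step + rng.getrandbits(31)) % MOD for i in range(n)]


def predict_next(observed: list) -> int:
    """Naive predictor a tester would try first: assume the last step repeats."""
    step = (observed[-1] - observed[-2]) % MOD
    return (observed[-1] + step) % MOD


def prediction_rate(isns: list, tolerance: int = 0) -> float:
    """Fraction of ISNs that the naive predictor gets within +-tolerance (mod 2^32)."""
    hits = 0
    for i in range(2, len(isns)):
        guess = predict_next(isns[:i])
        if min((guess - isns[i]) % MOD, (isns[i] - guess) % MOD) <= tolerance:
            hits += 1
    return hits / (len(isns) - 2)


def compare_generators(n: int = 200, seed: int = 1):
    """Return (rate for constant-increment scheme, rate for randomized scheme)."""
    rng = random.Random(seed)
    fixed = constant_increment_isns(start=0x1234_5678, step=64_000, n=n)
    mixed = randomized_isns(start=0x1234_5678, step=64_000, n=n, rng=rng)
    # Even a generous tolerance leaves the randomized generator unpredictable.
    return prediction_rate(fixed), prediction_rate(mixed, tolerance=1000)
```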

  15. IP Spoofing
  • Source routing
  • Source routing allows the originating host to specify the path (route) that the receiver should use to reply to it.
  • An attacker may take advantage of this by specifying a route that bypasses the real host and instead directs replies to a path it can monitor.
  • Eg:
  • B -> A : reply via "C, D, E" // legitimate
  • B -> A : reply via "C, D, X"
  • Solution:
  • Routers available today do not use source routing, and they drop packets that arrive with a source-routing option.

  16. IP Spoofing
  • How can someone send a packet with another address?
  • Nobody checks!!
  • Even if anyone checks, how can it know that this is a fake address?
  • From a list of known fake addresses
  • Filtering
  • Ingress filtering
  • Feature filtering
  • IP spoofing alone may not bypass additional security, such as authentication by the Unix password mechanism, Kerberos, or one-time password systems like S/KEY.
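The two router-side defenses from slides 15 and 16, as an added example (not code from the presentation): an edge router that drops source-routed packets and applies ingress filtering in both directions, rejecting internal-interface packets whose source is not an internal address and external-interface packets that claim an internal source. The interface names and the 192.0.2.0/24 prefix are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed edge-router topology: the only prefix that may legitimately
# originate traffic on the internal interface.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
INTERNAL_IFACE = "lan0"
EXTERNAL_IFACE = "wan0"


@dataclass
class Packet:
    iface: str            # interface the packet arrived on
    src: str              # source IP address in the header
    source_routed: bool   # strict/loose source route option present


def _in_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def ingress_decision(pkt: Packet) -> str:
    """Return 'accept' or a drop reason for a packet arriving at the edge router."""
    if pkt.source_routed:
        # Slide 15: modern routers drop packets carrying a source route.
        return "drop: source-routed"
    if pkt.iface == INTERNAL_IFACE and not _in_internal(pkt.src):
        # An internal host claiming an outside address cannot be ours.
        return "drop: spoofed source leaving"
    if pkt.iface == EXTERNAL_IFACE and _in_internal(pkt.src):
        # An outside packet claiming one of our own addresses.
        return "drop: spoofed internal source"
    return "accept"
```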

  17. Connection Hijacking
  • Connection hijacking exploits a "desynchronized state" in TCP communication.
  • When the sequence number in a received packet is not the same as the expected sequence number, the connection is said to be "desynchronized."
  • If the received packet is outside of the current window, it will be discarded.
  • Desynchronization during connection establishment
  • Desynchronization in the middle of a connection

  18. Connection Hijacking (diagram: attacker X between hosts A and B)
  A -> B : packet a    (ignored by B)
  X -> B : packet a'
  B -> A : packet b    (ignored by A)
  X -> A : packet b'
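The window check from slide 17 and the "ignored" packets of slide 18, as an added example (not code from the presentation): a receiver applies the RFC 793 acceptability test, and once a third party's segment has advanced rcv_nxt, the genuine peer's segment at the old sequence number falls outside the window and is discarded. Sequence numbers and sizes are constructed values.

```python
MOD = 2 ** 32


def seq_in_window(seg_seq: int, seg_len: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test: does any byte of the segment fall in the receive window?"""
    def inside(x: int) -> bool:
        return (x - rcv_nxt) % MOD < rcv_wnd
    if seg_len == 0:
        return inside(seg_seq) if rcv_wnd > 0 else seg_seq == rcv_nxt
    return inside(seg_seq) or inside((seg_seq + seg_len - 1) % MOD)


class Receiver:
    """Receiving side of one TCP direction: delivers in-window, in-order data only."""

    def __init__(self, rcv_nxt: int, rcv_wnd: int) -> None:
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        self.delivered = b""

    def segment(self, seq: int, data: bytes) -> str:
        if not seq_in_window(seq, len(data), self.rcv_nxt, self.rcv_wnd):
            return "discarded"        # outside the window: dropped (slide 17)
        if seq != self.rcv_nxt:
            return "queued"           # in window but out of order
        self.delivered += data
        self.rcv_nxt = (self.rcv_nxt + len(data)) % MOD
        return "accepted"


def desync_demo():
    """X's segment advances B's window; A's genuine segment is then ignored (slide 18)."""
    b = Receiver(rcv_nxt=1000, rcv_wnd=4096)
    injected = b.segment(1000, b"X" * 4096)   # packet a' arrives first and fills the window
    genuine = b.segment(1000, b"A" * 10)      # packet a now lies entirely before rcv_nxt
    return injected, genuine, b.rcv_nxt
```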

  19. Joy of Routing!!
  • Abuse of routing mechanisms and protocols is probably the simplest protocol-based attack available
  • Some of these attacks only work because TCP/IP relies only on address authentication
  • RIP attacks - Routing Information Protocol
  • ICMP attacks - Internet Control Message Protocol

  20. RIP Attacks
  • RIP (Routing Information Protocol)
  • Propagates routing information on local networks
  • Typically, received information is unchecked!
  • Simplest attack: sending faked routing information
  • ...claim the route to an unused machine
  • From there, protocols with address-based authentication are compromised

  21. RIP Attacks
  • More serious attack: claiming a route to an active host
  • All packets will be routed to the intruder's machine
  • Packets can be altered and resent to the intended destination using "source routing"
  • The intruder can listen for usernames and passwords without the intended user noticing
  (Diagram: the intruder sends fake RIP packets claiming the route to the server; the client's packets reach the intruder, which resends them to the intended host.)

  22. RIP Attacks - Defenses
  • Check new routes more skeptically before accepting them
  • Authenticate RIP packets
  • Any router that receives RIP data will broadcast it
  • GOOD logging would be a good first step

  23. ICMP Attacks
  • ICMP (Internet Control Message Protocol)
  • Basic network management tool of the TCP/IP protocol suite
  • ICMP attacks are more difficult
  • The ICMP Redirect message
  • Only usable for an existing connection
  • No general change of the routing table
  • Only the first gateway on the path is allowed to send redirect messages

  24. ICMP Attacks - Defenses
  • Again, careful checking
  • Route changes should only be made for existing connections
  • The global route table should not be changed on ICMP redirect messages
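The three redirect checks from slides 23 and 24, as an added host-side model (not code from the presentation): a redirect is honoured only if it comes from the current first-hop gateway for that destination and a connection to that destination exists, and even then it only installs a per-destination host route, never touching the default route. Addresses are constructed values.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Redirect:
    sender: str        # IP address the redirect claims to come from
    destination: str   # destination the redirect is about
    new_gateway: str   # gateway the redirect proposes


@dataclass
class HostRouting:
    default_gateway: str                                       # first hop for everything
    connections: Set[str] = field(default_factory=set)         # destinations with live connections
    host_routes: Dict[str, str] = field(default_factory=dict)  # per-destination overrides only

    def first_hop(self, destination: str) -> str:
        return self.host_routes.get(destination, self.default_gateway)

    def on_redirect(self, r: Redirect) -> str:
        """Apply the checks from slides 23-24 and report what was done."""
        if r.sender != self.first_hop(r.destination):
            # Only the first gateway on the path may redirect us.
            return "ignored: not from current first-hop gateway"
        if r.destination not in self.connections:
            # Redirects are only meaningful for an existing connection.
            return "ignored: no existing connection to destination"
        # Only a host route for this one destination changes; the default
        # gateway (the global table) is never modified by a redirect.
        self.host_routes[r.destination] = r.new_gateway
        return "applied: host route updated"
```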

  25. More attacks..!
  • DNS attacks
  • Lack of unique identifiers

  26. Conclusion
  • TCP/IP, as it exists today, has a general lack of security.
  • The examples above are some of the flaws; there are tools to exploit them, but there are also defenses for them.
  • Not widespread!!
  • You may use the tools!! But the other party you are communicating with may not!!

  27. References
  • http://www.linuxsecurity.com/resource_files
  • Analysis of DoS on TCP, Christoph L. Schuba et al., 1997.
  • A Look Back at "Security Problems in TCP/IP", S.M. Bellovin, 2004.
  • Security Problems in TCP/IP, S.M. Bellovin, 1990.

  28. Thank you
  • About me: N Ranjith Kumar, M Tech student, School of Information Technology, IIT Kharagpur
  • nrk@sit.iitkgp.ernet.in
  • http://sit.iitkgp.ernet.in/~nrk
