Security problems in the tcp ip protocol suite
This presentation is the property of its rightful owner.
Sponsored Links
1 / 42

Security Problems in the TCP/IP Protocol Suite PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Security Problems in the TCP/IP Protocol Suite. Presented by: Sandra Daniels, Jos é Nieves, Debbie Rasnick, Gary Tusing. Article by: S. M. Bellovin AT&T Bell Laboratories April, 1989. TCP/IP Protocol Suite. Widely used Developed under DOD Serious security flaws. Topics to be Discussed.

Download Presentation

Security Problems in the TCP/IP Protocol Suite

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Security problems in the tcp ip protocol suite

Security Problems in theTCP/IP Protocol Suite

Presented by:

Sandra Daniels, José Nieves, Debbie Rasnick, Gary Tusing

Security problems in the tcp ip protocol suite

Article by: S. M. Bellovin

AT&T Bell Laboratories

April, 1989

Tcp ip protocol suite

TCP/IP Protocol Suite

  • Widely used

  • Developed under DOD

  • Serious security flaws

Topics to be discussed

Topics to be Discussed

  • Problems and defenses

    • Handshake sequence numbers

    • Routing

    • Authentication

    • Service protocols

  • Comprehensive defenses

  • Conclusion

Tcp sequence number

TCP Sequence Number

TCP Handshake

  • C → S: SYN (ISNc)

  • S → C: SYN (ISNs), ACK (ISNc)

  • C → S: ACK (ISNs)

  • C → S: data


  • S → C: data



  • ISNs variable incremented by constant (once per second) and by half that amount each time a connection is initiated. ISNs a number precisely the round-trip between the client and server

  • ISNs predictable, can be guessed by intruder

  • No authentication except IP address



  • ISNs not true random number

  • Easy to calculate or predict

  • Can be used to spoof trusted host

  • Easy and cheap for Intruder



  • Don’t use netstat protocol

  • Generate ISNs some other way


    Use cryptographic algorithm with key

  • Randomize increments instead of basing them on predictable or measurable factor


Defenses cont

Defenses (cont.)

  • USE DES to generate ISNs

  • Good Logging

  • Alerting mechanisms



Routing mechanisms can be abused

Denial of Service – confusing routing tables

Source Routing

Reverse the TCP route on a request (if one is used).

The attacker may be able to identify an IP address and network in the source domain, the first step gaining control of a host


Hard to defend


Local net rejects all external packets claiming to be from the local net (not practical and extreme)

Analyze source route and accept it only if trusted gateways are listed (again, hardly practical)


Rip attacks


RIP – Routing Information Protocol (widely used)

Routing information received is often unchallenged

Intruder can send bogus routing information and thus re-direct packets to a non-trusted entity, network, or host (impersonating)

Hard to authenticate RIP packets

Bogus routing information disseminates to other routers


Establishing a “paranoid” gateway

One that filters packets based on source or destination address only, not on the route

Would have to make RIP more skeptical of the routes that the router is willing to accept

RIP Attacks

Security problems in the tcp ip protocol suite


Protocol for communications between core routers

Impersonation of a real gateway when such is down is not hard with this routing protocol

Broadcast a route directing others to an offline router, while impersonating that router


Always make exterior gateways be on the core network so that attacker has a harder time impersonating the offline router


Security problems in the tcp ip protocol suite


The Internet Control Message Protocol is used for echo requests from remote hosts (connectivity)

ICMP attacks are difficult because of ICMP packet’s simplicity

Yet, ICMP packets can be used to:

Redirect routes (such as with RIP)

DoS attacks


Again, “paranoia”

Restrict routing changes to specified connections, not in response to ICMP Redirect messages

Check that an ICMP packet is tied up to a particular connection only


Authentication server

Authentication Server

  • Used instead of address-based authentication

  • Nothing more than a Trusted Host that will mediate our connections and establish trusted identities

  • Should not rely solely on TCP/IP for authentication; should use some other algorithm

Services within the suite

Services Withinthe Suite

  • Finger

  • Email

    • POP

    • PCMAIL

  • DNS

  • FTP

  • SNMP

  • Remote Booting



  • Problem: Gives away too much information to hackers

  • Solution: Disable service

Security problems in the tcp ip protocol suite


  • Problem: Conventional passwords are vulnerable

  • Solution: One-time passwords using cryptographic key



  • Problem: Same as POP, but also supports password-change command with unencrypted passwords

  • Solution?

Security problems in the tcp ip protocol suite


  • Problem: Sequence number attack leading to spying on traffic/capturing passwords

  • Solution: Run domain servers on highly secure machines and use authentication on domain server responses

Dns cont

DNS cont…

  • Problem: Recursive zone transfer requests to download entire database

  • Solution: Employ “refused” error code for any requests from unidentified servers

  • Also, Kerberos tickets can be used to authenticate DNS queries

Security problems in the tcp ip protocol suite


  • Problem: Use of simple passwords for authentication

  • Solution: One-time passwords

  • Problem: Anonymous FTP

  • Solution: Be careful with sensitive data (such as encrypted passwords)

Security problems in the tcp ip protocol suite


  • Problem: In the wrong hands, can divulge too much information

  • Solution: Protect this service (through authentication)

Remote booting

Remote Booting

  • Problem: Boot process can be subverted and new kernel with altered protection mechanism can be substituted

  • Solution: Ensure boot machine uses random number for UDP source port and use 4-byte transaction ID

Trivial attacks

Trivial Attacks

  • ARP

  • TFTP

  • Reserved Ports

Comprehensive defenses

Comprehensive Defenses

  • Authentication

  • Encryption

  • Trusted Systems



  • One of the overall problems is TCP/IP reliance on IP source address for authentication

  • Too easy to spoof IP address

  • Needs some form of cryptographic authentication

  • Needham-Schroeder algorithm

Needham schroeder algorithm

Needham-Schroeder algorithm

  • Relies on each host sharing a key with an authentication server

  • Versions exists for both private-key and public-key cryptosystems

  • Host wanting to communicate request key from authentication server & passes a sealed version along to destination

  • At conclusion of dialog, each side has verified id of other

Needham schroeder algorithm1

Needham-Schroeder algorithm

  • Allows pre-authenticated connections that are safe

  • DNS provides ideal base for authentication systems

  • Key distribution responses must be authenticated and/or encrypted



  • Can defend against most problems

  • Disadvantages:

    • Expensive

    • Slow

    • Hard to administer

    • Uncommon in civilian sector



  • Two types:

    • Link Level including

    • Multi-points link encryption

    • End-to-end encryption

  • Major benefits

    • Implied authentication they provide

    • Provide privacy

  • Link level encryption

    Link Level Encryption

    • Encrypting each packet as it leaves the host

    • Excellent to protect confidentiality

    • Works well against physical intrusion

    • Weaknesses:

      • Broadcast packets are difficult to secure

      • Implies trust of gateways

    Blacker front end bfe

    Blacker Front End(BFE)

    • A multi-point link encryption device for TCP/IP

    • Looks to host as an X.25 DDN interface

    • Sits between host and actual DDN line

    • Receives call with new destination, contacts Access Control Center for permission and Key Distribution Center for cryptographic keys

    Security problems in the tcp ip protocol suite


    • If local host is denied permission to talk to remote host, appropriate diagnostic code is returned

    • Special Emergency Mode when link to KDS or ACC is not working

    • Permission checking can protect against DNS attacks

    • Totally unauthorized host does not receive sensitive data

    Security problems in the tcp ip protocol suite


    • Also translates original “Red” IP address to encrypted “Black” address using a translation table supplied by ACC

    • Foils traffic analysis which are bane of all multi-point link encryption

    End to end encryption

    End-to-end encryption

    • Above the TCP level

    • To secure conversations regardless of number of hops

    • Or quality of links

    • Appropriate for centralized network management applications

    • Key distribution/management greater problem (more pairs involved)

    End to end encryption1

    End-to-end encryption

    • Encryption and decryption done before initiation or after termination of TCP processing, host level software must handle translations resulting in extra overhead for each conversation

    • Vulnerable to denial of service attacks

    Trusted systems

    Trusted Systems

    • Hosted and routers rated B2 or higher immune to attacks described here

    • C2 level systems are susceptible

    • B1 are vulnerable to some but not all attacks



    1. Relying on IP source address for Authentication is dangerous

    2. Second broad class of problems deals with sequence number attacks (unpredictable and unseen)

    3. Hosts should not be giving away information gratuitously (finger and netstat)

    4. Intelligent use of default routes

    5. Use verifiable point-to-point routing protocols instead of broadcast-based routing

    6. Network control mechanisms must be guarded

  • Login