ITD 2323 TCP/IP – Security, Chapter #4. Prepared by: Suhaimi (R). Sulaiman
TCP/IP – Security: Overview
• The TCP/IP protocols, the basis for today's Internet, lack even the most basic security mechanisms, such as authentication or encryption.
• As use of the Internet and the TCP/IP protocols grows, this lack of built-in security has become more and more problematic.
• This chapter describes a variety of basic flaws in the TCP/IP protocols and their implementations, and discusses solutions and workarounds for these problems.
• Also covered is IPv6, the next-generation Internet protocol that, among other goals, seeks to fix many of the flaws in the current IPv4 protocol.
• Security in protocols and applications that are not essential to TCP/IP (such as HTTP, FTP, and SMTP) is not discussed in this chapter.
TCP/IP – Security: Introduction
• In the early 1980s, the specifications for the TCP and IP protocols were finished.
• These two protocols could be considered the most important in the world today; they are the basis of the Internet.
• Over the past decade, the Internet has grown from a small network connecting a small community of researchers to its present state: a gigantic global network connecting people of all types.
• The huge success of the Internet has, for the most part, been quite beneficial.
• The Internet has evolved from a specialized project to a general-purpose tool. However, this growth has created problems with security.
• The TCP and IP protocols were designed when the Internet was small and users generally trusted each other.
TCP/IP – Security: Introduction (Cont..)
• The protocols lack many features that are desirable or needed on an insecure network.
• In this chapter, we present a number of problems that arise when using TCP/IP on today's network, solutions or workarounds for these problems, and how the protocols for tomorrow's Internet, such as IPv6, will help eliminate these problems.
• TCP/IP is the backbone of the Internet today.
• Named after its two core protocols, TCP and IP, the TCP/IP protocol suite is one of the most widely used.
TCP/IP – Security: Network Protocols
• Protocol suites are collections of protocols that enable network communication from one host, through the network, to another host.
• A protocol is a formal description of a set of rules and conventions that govern a particular aspect of how devices on a network communicate.
• Protocols determine the format, timing, sequencing, and error control in data communication.
• Without protocols, a computer cannot make sense of, or rebuild, the stream of incoming bits from another computer into the original format.
• Layering (layers L, M, N in the figure) is our model of computer communication: each layer on one host communicates with its peer layer on the other host (peer-to-peer communication).
TCP/IP – Security: OSI Model
• The early development of networks was disorganized in many ways.
• The early 1980s saw tremendous increases in the number and size of networks.
• As companies realized the advantages of networking technology, networks were added or expanded almost as rapidly as new network technologies were introduced, and the security issues related to this expansion grew with it.
• Figure annotations (OSI layers): most security issues deal with user applications; interception and modification of transmissions target the transport protocols; intrusion occurs at the layer marked in the figure.
TCP/IP – Security: Internet Protocol
• The Internet Protocol (or IP, as it is generally known) is the network layer of the Internet.
• IP provides a connection-less service. The job of IP is to route a packet and deliver it to its destination.
• IP provides no guarantee whatsoever for the packets it tries to deliver.
• IP packets are usually termed datagrams.
• Datagrams go through a series of routers before they reach the destination.
• At each node a datagram passes through, the node determines the next hop for the datagram and forwards it there.
• Since the network is dynamic, two datagrams from the same source may take different paths to the destination.
TCP/IP – Security: Internet Protocol 'IP' (Concept)
• Since the network has variable delays, datagrams are not guaranteed to be received in sequence.
• IP only attempts best-effort delivery.
• It does not take care of lost packets; this is left to the higher-layer protocols.
• No state is maintained between two datagrams; in other words, IP is connection-less.
• The IP header is shown in the figure below. The Version field is currently set to 4; to distinguish it from the new version, IPv6, IP is also referred to as IPv4.
TCP/IP – Security: Transmission Control Protocol 'TCP' (Concept)
• Transmission Control Protocol (TCP) runs on top of IP and provides a connection-oriented service between the sender and the receiver.
• TCP provides reliable delivery and ensures that data is handed to the application in sequence.
• The underlying network layer, IP, is unreliable and provides no guarantees to TCP.
• To provide reliability between sender and receiver, TCP uses various mechanisms, such as sequence numbers, acknowledgments, the 3-way handshake and timers.
• A TCP connection is identified by the 4-tuple (source IP address, source port, destination IP address, destination port).
• Ports are the actual end-points of the TCP connection.
TCP/IP – Security: Problems in the TCP/IP Protocol Suite
• When TCP/IP was designed in the early 1980s, security was not a primary concern.
• However, in the years since its inception, the lack of security in the TCP/IP protocols has become more of a problem.
• The widespread use and availability of the TCP/IP protocol suite has exposed its weaknesses.
• Presented here are a number of well-known vulnerabilities of TCP/IP itself and of some protocols commonly used along with TCP/IP (such as DNS):
• TCP "SYN" attacks
• IP spoofing
• Sequence guessing
• Source routing
• Connection hijacking
• Routing (RIP) attacks
• ICMP attacks
• DNS attacks
TCP/IP – Security: TCP "SYN" Attacks
• In an Internet environment, high message latency and loss are not uncommon, resulting in messages that arrive late or out of order.
• The TCP half of TCP/IP uses sequence numbers so that it can hand data to the user in the correct order, regardless of when the data is actually received.
• These sequence numbers are initially established during the opening phase of a TCP connection, the three-way handshake (SYN, SYN+ACK, ACK).
• SYN attacks (also known as SYN flooding) take advantage of a flaw in how most hosts implement this three-way handshake.
TCP/IP – Security: TCP "SYN" Attacks (Cont..)
• When host B receives the SYN request from host A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds.
• This is to allow connections to succeed even with long network delays.
• The problem is that many implementations can only keep track of a very limited number of half-open connections.
• A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN+ACK the other host sends back.
• The other host's listen queue quickly fills up, and it stops accepting new connections on that port until a partially opened connection in the queue is completed or times out.
• This ability to effectively keep a host from accepting new connections for at least 75 seconds can be used purely as a denial-of-service attack, or as a tool to implement other attacks, such as IP spoofing.
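The following is an added example, not code from the original slides. It simulates the handshake from the TCP slide and the listen-queue exhaustion of the last two slides, with a listener that keeps a bounded queue of half-open connections beside one that uses SYN cookies (the countermeasure modern stacks use: the connection state is encoded in the ISN, so a SYN costs no memory until the final ACK proves the client really received the SYN+ACK). Packets are reduced to the fields the handshake needs; the 75-second timeout is the slides' value, the backlog size, addresses and the server secret are assumed.

```python
"""Added example (not from the slides): a listener with a bounded half-open
queue versus one that uses SYN cookies, under a flood of SYNs that are never
acknowledged.  Timeout is the 75 s the slides quote; backlog size is assumed."""
import hashlib
import hmac

HALF_OPEN_TIMEOUT = 75.0   # seconds a half-open entry survives (slide value)


class QueueListener:
    """Classic implementation: every SYN costs a queue slot until the final
    ACK arrives or the entry times out."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}      # (src_ip, src_port) -> (our ISN, arrival time)
        self.established = set()

    def _expire(self, now):
        self.half_open = {k: v for k, v in self.half_open.items()
                          if now - v[1] < HALF_OPEN_TIMEOUT}

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            return None          # queue full: the SYN is silently dropped
        isn = (0x1000 + len(self.half_open)) & 0xFFFFFFFF   # value irrelevant here
        self.half_open[src] = (isn, now)
        return isn               # carried in the SYN+ACK

    def on_ack(self, src, ack, now):
        self._expire(now)
        entry = self.half_open.get(src)
        if entry is None or ack != entry[0] + 1:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class CookieListener:
    """SYN cookies: keep no state per SYN.  The ISN is a keyed hash over the
    4-tuple and a coarse time counter; a client that returns ISN+1 in its ACK
    has demonstrably received our SYN+ACK, so spoofed SYNs cost nothing."""

    def __init__(self, secret, local=("192.0.2.10", 80)):
        self.secret = secret
        self.local = local
        self.established = set()

    def _cookie(self, src, counter):
        msg = f"{src[0]}:{src[1]}:{self.local[0]}:{self.local[1]}:{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # top 8 bits: counter (so we can recompute), low 24 bits: truncated MAC
        return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src, now):
        return self._cookie(src, int(now) // 64)      # nothing stored

    def on_ack(self, src, ack, now):
        isn = (ack - 1) & 0xFFFFFFFF
        current = int(now) // 64
        for c in (current, current - 1):              # tolerate one counter step
            if (c & 0xFF) == isn >> 24 and self._cookie(src, c) == isn:
                self.established.add(src)
                return True
        return False


def syn_flood_scenario(make_listener, n_attack=200, legit_time=1.0):
    """Attacker sends n_attack SYNs from spoofed addresses and never replies;
    at legit_time a real client tries to connect.  True if it succeeds."""
    listener = make_listener()
    for i in range(n_attack):
        spoofed = ("198.51.100.%d" % (i % 250 + 1), 40000 + i)
        listener.on_syn(spoofed, now=0.0)
    client = ("203.0.113.5", 51515)
    isn = listener.on_syn(client, now=legit_time)
    if isn is None:
        return False
    return listener.on_ack(client, isn + 1, now=legit_time + 0.5)


def blind_ack_accepted():
    """An ACK never preceded by our SYN+ACK must fail the cookie check."""
    return CookieListener(b"server-secret").on_ack(("203.0.113.5", 1234), 0x12345678, now=0.0)
```

With a backlog of 128 and 200 unanswered SYNs, `syn_flood_scenario(lambda: QueueListener(128))` returns False until the entries expire (retry with `legit_time=80.0` and it succeeds), while the cookie listener accepts the legitimate client throughout. On Linux the equivalent switch is `net.ipv4.tcp_syncookies`; real implementations also squeeze the client's MSS into the cookie, which this simplified version omits.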
TCP/IP – Security: IP Spoofing
• IP spoofing is an attack in which an attacker pretends to be sending data from an IP address other than his own.
• The IP layer assumes that the source address on any IP packet it receives is the address of the system that actually sent the packet; it does no authentication.
• Many higher-level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet (called "spoofing" an address) could get unauthorized privileges.
• However, there are two catches. The first is that all communication is likely to be one-way.
• The remote host will send all replies to the spoofed source address, not to the host actually doing the spoofing.
• So an attacker using IP spoofing is unlikely to see output from the remote system.
TCP/IP – Security: IP Spoofing (Cont..)
• The second catch is that the attacker needs to use the correct TCP sequence numbers if he plans to establish a TCP connection with the attacked host.
• The final ACK of the three-way handshake must acknowledge the other host's initial sequence number (ISN), otherwise the connection cannot complete.
• Since the SYN+ACK packet carrying that ISN is sent to the real owner of the spoofed address, the attacker must obtain the ISN by some other method.
• If the attacker can eavesdrop on the packets sent by the other host, he can simply read the ISN.
• If he cannot eavesdrop but can somehow guess the other host's ISN, he can still complete the connection and conduct a one-way conversation.
• Unfortunately for the TCP/IP community, methods to overcome both catches have been developed.
TCP/IP – Security: Sequence Guessing
• The sequence number used in TCP connections is a 32-bit number, so it would seem that the odds of guessing the correct ISN are exceedingly low.
• However, if the ISN for a connection is assigned in a predictable way, it becomes relatively easy to guess.
• This flaw in TCP/IP implementations was recognized as far back as 1985.
• By first establishing a real connection to the victim, the attacker learns the current state of the victim's ISN counter.
• The attacker then knows that the next ISN assigned by the victim is quite likely to be the ISN he observed, plus 64.
• The attacker has an even higher chance of guessing correctly if he sends a number of spoofed IP frames, each with a different but likely ISN.
TCP/IP – Security: Sequence Guessing (Cont..)
• When the host receiving the spoofed packets completes its part of the three-way handshake, it sends a SYN+ACK to the spoofed host.
• That host will reject the SYN+ACK (with a RST), because it never started a connection, and the attacker's connection will be aborted.
• To avoid this, the attacker can use the aforementioned SYN attack to swamp the host he is imitating, so that it cannot answer.
• The attacker then has free rein to finish his attack.
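As an added example (not from the original slides), the prediction step from the last two slides is run against a counter-style ISN generator of the kind the text describes, and then against a keyed per-connection generator of the kind RFC 1948 proposed and RFC 6528 standardized (ISN = clock counter + keyed hash of the 4-tuple). The victim, the trusted host, the port of the trust-based service (513) and the secret are all assumed for the demo.

```python
"""Added example (not from the slides): ISN prediction against a
4.2BSD-style counter, and why a keyed per-connection ISN defeats it."""
import hashlib
import hmac


class CounterIsn:
    """The behaviour the slides describe: one global counter advanced by a
    fixed step for every connection (64 in 4.2BSD)."""

    def __init__(self, start=0x2A000, step=64):
        self.counter = start
        self.step = step

    def next_isn(self, four_tuple):
        self.counter = (self.counter + self.step) & 0xFFFFFFFF
        return self.counter


class KeyedIsn:
    """ISN = M + F(local addr, local port, remote addr, remote port, secret):
    M is a clock-driven counter, F a keyed hash.  Two different 4-tuples get
    unrelated offsets, so a probe connection reveals nothing about the ISN
    the victim will choose for the spoofed one (RFC 1948 / RFC 6528 idea)."""

    def __init__(self, secret, clock):
        self.secret = secret
        self.clock = clock            # callable returning the current M

    def next_isn(self, four_tuple):
        msg = ":".join(map(str, four_tuple)).encode()
        f = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (self.clock() + f) & 0xFFFFFFFF


def predict(observed_isn, connections_since, step=64):
    """Attacker's guess: ISN seen on the probe, plus step per connection
    the victim has opened since."""
    return (observed_isn + step * connections_since) & 0xFFFFFFFF


def spoofing_attack(generator, guesses=1):
    """1. Attacker opens a real connection and learns the victim's current ISN.
    2. Attacker sends a SYN spoofed from the trusted host (service port 513 assumed).
    3. Attacker sends final ACKs carrying guessed ISN+1 values; the real SYN+ACK
       went to the trusted host, which he has silenced with a SYN flood.
    Returns True if one of the guesses equals the ISN the victim chose."""
    victim = "192.0.2.10"
    probe = (victim, 513, "203.0.113.5", 40001)
    observed = generator.next_isn(probe)
    spoofed = (victim, 513, "192.0.2.20", 1023)
    real_isn = generator.next_isn(spoofed)          # never seen by the attacker
    candidates = {predict(observed, k) for k in range(1, guesses + 1)}
    return real_isn in candidates


def demo():
    """(counter generator beaten?, keyed generator beaten?)"""
    weak = spoofing_attack(CounterIsn())
    strong = spoofing_attack(KeyedIsn(b"boot-time-secret", clock=lambda: 0x5000), guesses=16)
    return weak, strong
```

`demo()` returns `(True, False)`: one guess suffices against the counter, while sixteen guesses against the keyed generator leave the attacker where the 32-bit space intended him, needing on the order of 2^32 tries. Note that the keyed scheme only protects the ISN; an attacker who can sniff the SYN+ACK still reads it directly, which is why the slides' first catch (one-way traffic) matters.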
TCP/IP – Security: Source Routing
• What is source routing?
• Source routing is an IP option that allows the originator of a packet to specify the path that packet will take, and the path that return packets sent back to the originator will take.
• Another variant of IP spoofing makes use of this rarely used IP option: by spoofing a trusted source address and listing his own host in the route, the attacker can arrange for the replies to pass through his machine, removing the first catch above.
• Although simple, this attack may not be as successful now, as routers are commonly configured to drop packets with source routing enabled.
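The block below is an added example, not code from the original slides. It parses the IPv4 header whose figure the 'Internet Protocol (Concept)' slide refers to, verifies the header checksum, and, for the slide above, detects the loose and strict source-route options (type 131 LSRR and 137 SSRR, the real option codes) and extracts the hops they list. Both packets are constructed here with assumed addresses; the source-routed one lists the attacker's host as the first hop, which is exactly what a filtering router or host should refuse.

```python
"""Added example (not from the slides): parse an IPv4 header, verify its
checksum and flag source-route options.  Packets are constructed."""
import struct
from ipaddress import IPv4Address

LSRR, SSRR = 131, 137      # option type bytes: loose / strict source route


def ip_checksum(data):
    """RFC 1071 ones'-complement sum; returns 0 for a header whose checksum
    field is correct, and the value to store when that field is zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_options(opts):
    """Walk the option list into (type, data) pairs.  EOL (0) ends the list,
    NOP (1) is a single byte, every other option carries a length byte."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed IP option")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def parse_ipv4(packet):
    ver_ihl, _tos, _total, _ident, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not an IPv4 header")
    return {
        "version": version, "ihl": ihl, "ttl": ttl, "protocol": proto,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        "checksum_ok": ip_checksum(packet[:ihl]) == 0,
        "options": parse_options(packet[20:ihl]),
    }


def source_route(header):
    """('loose'|'strict', [hop addresses]) if source routed, else None.
    Option data is one pointer byte followed by 4-byte addresses."""
    for kind, data in header["options"]:
        if kind in (LSRR, SSRR):
            hops = [str(IPv4Address(data[k:k + 4])) for k in range(1, len(data) - 3, 4)]
            return ("loose" if kind == LSRR else "strict", hops)
    return None


def build_header(src, dst, options=b""):
    """Header-only IPv4 packet with a correct checksum (demo helper)."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 1, 0,
                      64, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


# constructed packets: a plain one, and one carrying a loose source route
# whose first listed hop is the attacker's machine
PLAIN = build_header("192.0.2.20", "192.0.2.10")
LSRR_OPTION = (bytes([LSRR, 11, 4]) + IPv4Address("203.0.113.5").packed
               + IPv4Address("192.0.2.10").packed)
SOURCE_ROUTED = build_header("192.0.2.20", "192.0.2.10", LSRR_OPTION)
```

`source_route(parse_ipv4(SOURCE_ROUTED))` returns `('loose', ['203.0.113.5', '192.0.2.10'])`, and `parse_ipv4(PLAIN)["checksum_ok"]` is True while any tampered header byte makes it False. Host stacks, not only routers, now drop such packets by default (on Linux, `net.ipv4.conf.all.accept_source_route` is 0); the checksum detects corruption, not forgery, since an attacker recomputes it trivially.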
TCP/IP – Security: Connection Hijacking
• An interesting variant of IP spoofing allows a host to insert itself in the middle of a connection between two hosts: connection hijacking.
• IP spoofing alone may not bypass additional security, such as authentication by the Unix password mechanism, Kerberos, or one-time password systems like S/KEY.
• But with this attack, an attacker can allow normal authentication to proceed between the two hosts and then seize control of the connection.
• The attacker can then inject forged packets with the correct sequence numbers into the connection.
• The key to this attack is creating a desynchronized state, in which the two ends no longer agree on the sequence numbers.
• Two possible ways to do this:
• During the three-way handshake.
• In the middle of an established connection.
TCP/IP – Security: Routing 'RIP' Attacks
• Although it is not strictly a component of TCP/IP, the Routing Information Protocol (RIP) is often an essential component of a TCP/IP network.
• RIP is used to distribute routing information within networks, such as shortest paths, and to advertise routes out of the local network.
• Like TCP/IP, RIP (version 1) has no built-in authentication, and the information in a RIP packet is often used without verifying it. (RIPv2 adds an optional authentication entry: a plaintext password in RFC 2453, keyed MD5 in RFC 2082, and later RFC 4822.)
• RIP attacks differ from the other attacks described here because they change where data goes to, not where it came from.
• For example, an attacker could forge a RIP packet claiming that his host "X" has the fastest path out of the network.
• All packets sent out from that network would then be routed through X, where they could be modified or examined.
• An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine instead.
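The following added example (not code from the slides) plays out the route hijack above on a small router model. First the router behaves as a RIPv1 speaker must and believes any response it hears, so the attacker's "better" default route wins; then it accepts responses only from configured neighbours and requires the RIPv2 authentication entry to verify. Entry layout follows RFC 2453; the authentication is a simplified RFC 2082-style keyed digest (HMAC-SHA256 here instead of the RFC's keyed MD5, and without its key-id and sequence fields). Addresses and the key are constructed.

```python
"""Added example (not from the slides): a router fed RIP responses, with and
without neighbour filtering and a keyed authentication entry."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address, ip_network

RIP_RESPONSE, RIP_INFINITY = 2, 16
AUTH_AF, AUTH_CRYPTO, AUTH_TRAILER = 0xFFFF, 3, 1


def rip_entry(prefix, metric, next_hop="0.0.0.0"):
    """20-byte RIPv2 route entry: AF, route tag, address, mask, next hop, metric."""
    net = ip_network(prefix)
    return struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                       net.netmask.packed, IPv4Address(next_hop).packed, metric)


def rip_message(entries, secret=None):
    """Response message; with a secret, an auth entry leads and a digest
    entry trails (simplified RFC 2082 layout)."""
    header = struct.pack("!BBH", RIP_RESPONSE, 2, 0)
    if secret is None:
        return header + b"".join(entries)
    auth = struct.pack("!HH16s", AUTH_AF, AUTH_CRYPTO, b"")
    signed = header + auth + b"".join(entries)
    digest = hmac.new(secret, signed, hashlib.sha256).digest()[:16]
    return signed + struct.pack("!HH16s", AUTH_AF, AUTH_TRAILER, digest)


class Router:
    def __init__(self, neighbours=None, secret=None):
        self.routes = {}              # prefix -> (metric, next hop)
        self.neighbours = neighbours  # None: accept from anyone (RIPv1 behaviour)
        self.secret = secret          # None: no authentication

    def _authenticate(self, msg, entries):
        """Route entries if the message passes the checks, else None."""
        if self.secret is None:
            return entries
        if len(entries) < 2:
            return None
        af, kind = struct.unpack("!HH", entries[0][:4])
        af2, kind2, digest = struct.unpack("!HH16s", entries[-1])
        if (af, kind, af2, kind2) != (AUTH_AF, AUTH_CRYPTO, AUTH_AF, AUTH_TRAILER):
            return None
        expected = hmac.new(self.secret, msg[:-20], hashlib.sha256).digest()[:16]
        return entries[1:-1] if hmac.compare_digest(expected, digest) else None

    def receive(self, from_ip, msg):
        """Process one RIP response; True if the routing table changed."""
        if self.neighbours is not None and from_ip not in self.neighbours:
            return False
        cmd, _version, _zero = struct.unpack("!BBH", msg[:4])
        if cmd != RIP_RESPONSE or (len(msg) - 4) % 20:
            return False
        entries = self._authenticate(msg, [msg[i:i + 20] for i in range(4, len(msg), 20)])
        if entries is None:
            return False
        changed = False
        for entry in entries:
            _af, _tag, addr, mask, nhop, metric = struct.unpack("!HH4s4s4sI", entry)
            prefix = str(ip_network((str(IPv4Address(addr)), str(IPv4Address(mask)))))
            metric = min(metric + 1, RIP_INFINITY)
            nhop = from_ip if nhop == b"\x00\x00\x00\x00" else str(IPv4Address(nhop))
            if metric < RIP_INFINITY and (prefix not in self.routes
                                          or metric < self.routes[prefix][0]):
                self.routes[prefix] = (metric, nhop)
                changed = True
        return changed


def hijack_demo(hardened):
    """The gateway advertises the default route, then an attacker on the LAN
    advertises a cheaper one, unsigned, and finally re-sends it with the
    gateway's source address spoofed.  Returns the next hop in use."""
    gateway, attacker, key = "192.0.2.1", "192.0.2.66", b"rip-key"
    r = Router(neighbours={gateway} if hardened else None,
               secret=key if hardened else None)
    r.receive(gateway, rip_message([rip_entry("0.0.0.0/0", 3)], key if hardened else None))
    r.receive(attacker, rip_message([rip_entry("0.0.0.0/0", 1)]))
    r.receive(gateway, rip_message([rip_entry("0.0.0.0/0", 1, attacker)]))
    return r.routes["0.0.0.0/0"][1]
```

`hijack_demo(False)` returns the attacker's address as default next hop; `hijack_demo(True)` keeps the gateway, because the unsigned advertisements fail the digest check even when the source address is spoofed. Neighbour filtering alone would not have stopped the third message, and RFC 2453's plaintext-password entry only stops blind forgery, since anyone sniffing the LAN reads the password.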
TCP/IP – Security: ICMP Attacks
• The Internet Control Message Protocol (ICMP) is used by the IP layer to send one-way informational messages to a host.
• One of the most common uses of ICMP is the "ping" utility, which sends an ICMP "Echo Request" to a host and waits for that host to send back an ICMP "Echo Reply".
• Other ICMP messages are of similar complexity; that is, they are all quite simple.
• It is not surprising that there is no authentication in ICMP, which leads to attacks using ICMP that can result in denial of service or allow the attacker to intercept packets.
• Denial-of-service attacks primarily use either the ICMP "Time Exceeded" or "Destination Unreachable" messages.
• The "Time Exceeded" message indicates that the Time-To-Live field in the IP header has expired; this is normally caused by routing loops or by trying to reach a host that is extremely distant.
TCP/IP – Security: ICMP Attacks (Cont..)
• "Destination Unreachable" messages can have several meanings, but all basically indicate that packets cannot be delivered to the desired host.
• Both of these ICMP messages can cause a host to immediately drop a connection (the desired result if the ICMP message is legitimate).
• An attacker can make use of this by simply forging one of these ICMP messages and sending it to one or both of the communicating hosts. Their connection will then be broken.
• ICMP messages can also be used to intercept packets.
• The ICMP "Redirect" message is normally sent by a gateway when a host has sent it a packet for which a better first hop exists, for example because the host mistakenly assumed the destination was not on the local network.
• If an attacker forges an ICMP "Redirect" message, he can cause another host to send the packets for certain destinations through the attacker's host.
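As an added example (not code from the slides), the block below implements the checks a host can apply before acting on the two message types above, so that the forged errors and redirects the slides describe are discarded: a redirect is honoured only if it comes from the current gateway and names a router on the local network (RFC 1122), and an error is honoured only if the quoted datagram belongs to an existing connection and its TCP sequence number is one the host actually has in flight (RFC 5927, which is what current stacks do). The connection table, addresses and messages are constructed; ICMP checksums are left zero and not verified here.

```python
"""Added example (not from the slides): validating ICMP errors and redirects
before acting on them.  Everything below is constructed for the demo."""
import struct
from ipaddress import IPv4Address, IPv4Network

ICMP_DEST_UNREACH, ICMP_REDIRECT, ICMP_TIME_EXCEEDED = 3, 5, 11
PROTO_TCP = 6


def quoted_ip_header(src, dst):
    """Minimal copy of the offending datagram's header (what an ICMP error
    quotes); only the fields the checks read are meaningful."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, PROTO_TCP, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def icmp_message(kind, code, quoted_ip, quoted_tcp, rest=0):
    """type, code, checksum (zero), 4-byte 'rest of header' (the new gateway
    for a redirect), then the quoted IP header and 8 bytes of its payload."""
    return struct.pack("!BBHI", kind, code, 0, rest) + quoted_ip + quoted_tcp[:8]


class Host:
    def __init__(self, addr, gateway, netmask="255.255.255.0"):
        self.addr, self.gateway = addr, gateway
        self.local_net = IPv4Network(f"{addr}/{netmask}", strict=False)
        self.conns = {}   # (local port, remote addr, remote port) -> {snd_una, snd_nxt}
        self.routes = {}  # destination -> first hop learned from a redirect

    def on_icmp(self, from_ip, msg):
        kind, _code, _csum, rest = struct.unpack("!BBHI", msg[:8])
        quoted = msg[8:]
        if len(quoted) < 28:                       # IP header + 8 bytes required
            return "dropped: truncated"
        q_proto = quoted[9]
        q_src, q_dst = str(IPv4Address(quoted[12:16])), str(IPv4Address(quoted[16:20]))
        if kind == ICMP_REDIRECT:
            new_gw = IPv4Address(rest)
            if from_ip != self.gateway or new_gw not in self.local_net:
                return "dropped: redirect not from gateway or not to a local router"
            self.routes[q_dst] = str(new_gw)
            return "redirect applied"
        if kind in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
            if q_src != self.addr or q_proto != PROTO_TCP:
                return "dropped: quoted packet is not ours"
            sport, dport, seq = struct.unpack("!HHI", quoted[20:28])
            key = (sport, q_dst, dport)
            conn = self.conns.get(key)
            if conn is None:
                return "dropped: no such connection"
            # RFC 5927: a blind forger must also hit the unacknowledged window
            # (sequence-number wrap-around handling omitted for brevity)
            if not conn["snd_una"] <= seq < conn["snd_nxt"]:
                return "dropped: quoted sequence number not in flight"
            del self.conns[key]
            return "connection aborted"
        return "ignored"


def demo():
    """The host's verdict on four constructed messages."""
    h = Host("192.0.2.10", "192.0.2.1")
    h.conns[(40000, "198.51.100.3", 443)] = {"snd_una": 1000, "snd_nxt": 1400}
    quoted = quoted_ip_header("192.0.2.10", "198.51.100.3")
    v = {}
    # attacker knows the 4-tuple but has to guess the sequence number
    v["forged_unreach"] = h.on_icmp("203.0.113.9", icmp_message(
        ICMP_DEST_UNREACH, 3, quoted, struct.pack("!HHI", 40000, 443, 77777)))
    # attacker on the LAN, not the gateway, points the route at itself
    v["forged_redirect"] = h.on_icmp("192.0.2.66", icmp_message(
        ICMP_REDIRECT, 1, quoted, struct.pack("!HHI", 40000, 443, 1200),
        rest=int(IPv4Address("192.0.2.66"))))
    # genuine redirect from the gateway to another router on the LAN
    v["genuine_redirect"] = h.on_icmp("192.0.2.1", icmp_message(
        ICMP_REDIRECT, 1, quoted, struct.pack("!HHI", 40000, 443, 1200),
        rest=int(IPv4Address("192.0.2.2"))))
    # genuine error quoting a segment that really is in flight
    v["genuine_unreach"] = h.on_icmp("192.0.2.1", icmp_message(
        ICMP_DEST_UNREACH, 3, quoted, struct.pack("!HHI", 40000, 443, 1200)))
    return v
```

The sequence check shrinks a blind forger's odds from "knows the 4-tuple" to "also hits a window of a few hundred bytes in a 32-bit space". The redirect check is weaker: an attacker on the same LAN can spoof the gateway's source address, so hosts that do not need redirects should refuse them outright (on Linux, `net.ipv4.conf.all.accept_redirects = 0`).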
TCP/IP – Security: DNS Attacks
• The Domain Name System (DNS) is a protocol widely used on the Internet.
• DNS is primarily used to map hostnames to IP addresses, but it can also do the reverse: map IP addresses to hostnames.
• An attacker can use the latter property to fool name-based authentication.
• For example, an administrator at myadds.com.my may decide to allow only local connections.
• This is often specified by name, such as "allow *.myadds.com.my", rather than by IP address.
• Name-based authentication is easier to read, and allows easier administration if a domain contains multiple ranges of IP addresses.
• When a connection is established with myadds.com.my, the server uses DNS to convert the source IP address of the connection to a name, which is then checked using whatever form of name-based authentication the administrators have installed.
TCP/IP – Security: DNS Attacks (Cont..)
• The reverse mapping for an IP address is answered by the name server responsible for that address block. An attacker who controls the DNS server for his own addresses can therefore make reverse queries on his IP address return any name he likes.
• So an attacker who knows that myadds.com.my trusts connections from within *.myadds.com.my can alter his DNS server so that his address resolves to a name in that domain, and the name-based check will pass.
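The following added example (not code from the slides) shows the check the two DNS slides describe, done with a reverse lookup only, beside its usual fix, forward-confirmed reverse DNS: after the PTR lookup, resolve the returned name forward and require the client's address to be among the answers. A small in-memory table stands in for DNS; the attacker's entries are constructed. The attacker can edit the reverse zone for his own address block but not the forward zone of myadds.com.my, which is what the second lookup exploits.

```python
"""Added example (not from the slides): PTR-only name-based authentication
versus forward-confirmed reverse DNS, over an in-memory fake resolver."""
import fnmatch


class FakeDns:
    def __init__(self, ptr, a):
        self.ptr = ptr    # ip -> name     (reverse zones; attacker controls his own)
        self.a = a        # name -> [ips]  (forward zone; owned by myadds.com.my)

    def reverse(self, ip):
        return self.ptr.get(ip)

    def forward(self, name):
        return self.a.get(name, [])


ALLOW = ["*.myadds.com.my"]          # the rule from the slides


def name_allowed(name):
    """DNS names are case-insensitive, so compare in lower case."""
    return name is not None and any(fnmatch.fnmatchcase(name.lower(), p) for p in ALLOW)


def check_ptr_only(dns, client_ip):
    """What the slides describe: trust whatever name the reverse lookup returns."""
    return name_allowed(dns.reverse(client_ip))


def check_forward_confirmed(dns, client_ip):
    """Forward-confirmed reverse DNS: the name must resolve back to the client."""
    name = dns.reverse(client_ip)
    if not name_allowed(name):
        return False
    return client_ip in dns.forward(name.lower())


# constructed data: one real local host, and the attacker's PTR lie
DNS = FakeDns(
    ptr={"192.0.2.25": "mail.myadds.com.my",
         "203.0.113.7": "Trusted.myadds.com.my"},       # attacker-controlled reverse zone
    a={"mail.myadds.com.my": ["192.0.2.25"],
       "trusted.myadds.com.my": ["192.0.2.30"]},        # the real host, not the attacker
)
```

`check_ptr_only(DNS, "203.0.113.7")` is True, so the attacker gets in; `check_forward_confirmed(DNS, "203.0.113.7")` is False, because trusted.myadds.com.my resolves to 192.0.2.30, not to him. The legitimate host 192.0.2.25 passes both. The double lookup only defeats the PTR lie described on the slides; a spoofed or poisoned DNS reply would still fool both checks, which is why name-based trust should not stand alone.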
TCP/IP – Security: Solution to Problems: Firewall
• A firewall can be a powerful tool in the prevention of would-be spoofers.
• Putting aside the proxy services normally offered by firewalls, we concentrate on the benefits derived from packet-filtering techniques.
• The important point about firewalls, from an IP-spoofing perspective, is that they clearly delineate "outside the firewall" from "inside the firewall".
• Everything inside must go through the 'inside' port on the firewall, and everything outside must come in through the 'outside' port.
• This means that the packet filtering done in the firewall can drop suspicious packets.
• Suppose the filter sees a packet arrive on the outside port that claims to have a source address inside the firewall.
• It is claiming to come from inside, but it is coming from outside: it is a spoofed packet and should be dropped.
TCP/IP – Security: Solution to Problems: Firewall (Cont..)
• Likewise, if a packet attempts to leave through the firewall claiming to be from anywhere other than the known inside subnet, it can be dropped immediately as well.
• In a sense, this sort of filtering partitions the Internet into little zones, none of which can spoof each other. However, even with this filtering in place, spoofing within a subnet cannot be prevented.
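As an added example (not code from the slides), the ingress/egress anti-spoofing filter the two firewall slides describe is written out and run over a few constructed packets; it also drops inbound packets with private or otherwise unroutable ("bogon") source addresses, a standard extension of the same idea. The site prefix, the interface names and the packets are assumed, and a packet is reduced to (arriving interface, source, destination). The last sample packet shows the limit the slides state: a host spoofing another host on its own subnet cannot be told apart at this filter.

```python
"""Added example (not from the slides): ingress/egress anti-spoofing
filter over constructed packets.  Prefix and packets are assumed."""
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("192.0.2.0/24")]      # assumed: the subnet behind the firewall
# sources that should never arrive from the Internet side
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def _in(addr, nets):
    return any(addr in n for n in nets)


def filter_packet(iface, src, dst):
    """Return ('drop', reason) or ('pass', None) for a packet seen on iface."""
    src, dst = ip_address(src), ip_address(dst)
    if iface == "outside":
        if _in(src, INTERNAL):
            return "drop", "claims an inside source but arrived from outside"
        if _in(src, BOGONS):
            return "drop", "bogon source address"
    elif iface == "inside":
        if not _in(src, INTERNAL):
            return "drop", "leaving with a source that is not ours (BCP 38 egress filter)"
    else:
        return "drop", "unknown interface"
    return "pass", None


# constructed traffic; the last packet shows the limit the slides mention
SAMPLE = [
    ("outside", "192.0.2.7", "192.0.2.10"),       # spoofed inside source from outside
    ("outside", "198.51.100.9", "192.0.2.10"),    # ordinary inbound
    ("inside", "203.0.113.4", "198.51.100.9"),    # inside host spoofing a foreign source
    ("inside", "192.0.2.10", "198.51.100.9"),     # ordinary outbound
    ("outside", "10.1.1.1", "192.0.2.10"),        # private source from the Internet
    ("inside", "192.0.2.99", "192.0.2.10"),       # one inside host spoofing another: passes
]


def verdicts(packets=SAMPLE):
    return [filter_packet(*p)[0] for p in packets]
```

`verdicts()` returns `['drop', 'pass', 'drop', 'pass', 'drop', 'pass']`. The egress rule is what RFC 2827 (BCP 38) asks every network to deploy, since it is the only place the spoofed source of the earlier attacks can be recognised; routers implement the same check per interface as unicast reverse-path forwarding. The list of bogons here is deliberately short and fixed; in practice it must track address allocations.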