Vulnerabilities in TCP/IP

Protocols
 Outline

• TCP/IP Layering
• Names and Addresses
• Security Considerations for
– Address Resolution Protocol
– Internet Protocol
– Transmission Control Protocol
– FTP,Telnet, SMTP

• 2
 TCP/IP Layering

• 3
 An Example

• 4
 Encapsulation
user data

HTTP
HTTP
client
client
HTTP hdr

TCP
TCP
TCP hdr

IP
IP
IP hdr

Ethernet
Ethernet
driver
driver
Eth. hdr tr.

Ethernet

• 5
 Demultiplexing
HTTP …
DNS …
FTP
SNMP
SMTP demuxing based on
the port number
in the TCP or UDP
header
TCP
TCP UDP
UDP
IGMP
IGMP
ICMP
ICMP demuxing based on the
protocol id in the IP header
IP
IP

RARP
RARP
demuxing based on frame type
ARP
ARP in the Ethernet header
Ethernet
Ethernet
driver
driver

• 6
 Names and Addresses

• 7
 IP Addresses

• Just to refresh!
• Every interface has a unique IP address
• 32 bits long, usually given in dotted
decimal notation
• 5 classes:
– class A: “0” + 7 bits net ID + 24 bits host ID
– class B: “10” + 14 bits net ID + 16 bits host
ID
– class C: “110” + 21 bits net ID + 8 bits host
ID
– class D: “1110” + 28 bits multicast group ID
• – class E: “11110”, reserved for future use
8
 Subnet Addressing

• CIDR - classless Internet domain

routing
• Host ID portion is divided into a
subnet ID and a host ID
• e.g., class B address: “10” + 14 bit
net ID + 8 bit subnet ID + 8 bit
host ID
• Hierarchical addressing
• 9
 Hardware (MAC) Addresses

• Every interface has a unique and fixed

hardware address too
• Used by the data link layer
• In case of Ethernet, it is 48 bits long
• Mapping between IP addresses and MAC
addresses are done by ARP

• 10
 Host Names

• Human readable, hierarchical names,

such as www.imsciences.edu.pk
• Every host may have several names
• Mapping between names and IP
addresses is done by the Domain Name
System (DNS)

• 11
 Address Resolution
Protocol

• 12
 ARP – Address Resolution
Protocol
• Mapping from IP addresses to MAC
addresses
Request 08:00:20:03:F6:42 00:00:C0:C2:9B:26
.1 .2 .3 .4 .5

140.252.13

arp req | target IP: 140.252.13.5 | target eth: ?

Reply
08:00:20:03:F6:42 00:00:C0:C2:9B:26
.1 .2 .3 .4 .5

140.252.13

•
arp rep | sender IP: 140.252.13.5 | sender eth: 00:00:C0:C2:9B:26 13
 ARP Spoofing
• An ARP request can be responded by
another host
Request 08:00:20:03:F6:42 00:00:C0:C2:9B:26
.1 .2 .3 .4 .5

140.252.13

arp req | target IP: 140.252.13.5 | target eth: ?

Reply
08:00:20:03:F6:42 00:34:CD:C2:9F:A0 00:00:C0:C2:9B:26
.1 .2 .3 .4 .5

140.252.13

• arp rep | sender IP: 140.252.13.5 | sender eth: 00:34:CD:C2:9F:A0 14

 ARP Spoofing
• Used for sniffing on switched LAN
Attacker 1. Configure IP
2. Send fake ARP forwarding
response to map 4. Sniff the
default router’s IP traffic from the
Victim to attacker’s MAC link

Switch 5. Packets are forwarded

from attacker’s machine
to actual default router
3. Victim sends Outside
traffic based on
poisoned ARP World
cache Default Router
• 15
 ARP Spoofing Prevention ?

• Cryptographic protection on the data is

the only way
– Not allow any untrusted node to read the
contents of your traffic

• 16
 Internet Protocol

• 17
 IP – Internet Protocol
• Provides an unreliable, connectionless
datagram delivery service to the upper layers
• Its main function is routing
• It is implemented in both end systems and
intermediate systems (routers)
• Routers maintain routing tables that define the
next hop router towards a given destination
(host or network)
• IP routing uses the routing table and the
information in the IP header (e.g., the
destination IP address) to route a packet

• 18
 IP Security Problems
• User data in IP packets is not protected in any
way
– Anyone who has access to a router can read
and modify the user data in the packets
• IP packets are not authenticated
– It is fairly easy to generate an IP packet with
an arbitrary source IP address
• Traffic analysis
– Even if user data was encrypted, one could
easily determine who is communicating with
whom by just observing the addressing
information in the IP headers

• 19
 IP Security Problems
• Information exchanged between routers
to maintain their routing tables is not
authenticated
– Correct routing table updates can be
modified or fake ones can be
disseminated
– This may screw up routing completely
leading to loops or partitions
– It may also facilitate eavesdropping,
modification, and monitoring of traffic
– It may cause congestion of links or
routers (i.e., denial of service)
• 20
 Transmission Control
Protocol

• 21
 TCP – Transmission Control
Protocol
• Provides a connection oriented, reliable,
byte stream service to the upper layers
• Connection oriented:
– Connection establishment phase prior
to data transfer
– State information (sequence
numbers, window size, etc.) is
maintained at both ends

• 22
 TCP- Reliability

• Positive acknowledgement scheme

(unacknowledged bytes are
retransmitted after a timeout)
• Checksum on both header and data
• Reordering of segments that are out of
order
• Detection of duplicate segments
• Flow control (sliding window
mechanism)
• 23
 TCP Connection
Establishment
Client Server

SYNC Listening

Store data
SYNS, ACKC

Wait
ACKS

Connected
24
 TCP Sequence Numbers
• TCP uses ISN (Initial Sequence Number)
to order the incoming packets for a
connection
• Sequence numbers are 32 bits long
• The sequence number in a data
segment identifies the first byte in the
segment
• Sequence numbers are initialized with a
“random” value during connection setup
• The RFC suggests that the ISN is
incremented by one at least every 4 s
• 25
 TCP SYN Attack
• An attacker can impersonate a trusted
host (e.g., in case of r commands,
authentication is based on source IP
address solely)
– This can be done guessing the sequence
number in the ongoing communication
– The initial sequence numbers are intended to
be more or less random

• 26
 TCP SYN Attack
• In Berkeley implementations, the ISN is
incremented by a constant amount
– 128,000 once per second, and
– further 64,000 each time a connection
is initiated
• RFC 793 specifies that the 32-bit counter
be incremented by 1 about every 4 s
– the ISN cycles every 4.55 hours
• Whatever! It is not hopeless to guess the
next ISN to be used by a system

• 27
 Launching a SYN Attack

• The attacker first establishes a valid

connection with the target to know its
ISN.
• Next it impersonates itself as trusted
host T and sends the connection
request with ISNx
• The target sends the ACK with its ISNs to
the trusted host T
• The attacker after the expected time
sends the ACK with predicted ISNs’
• 28
 Launching a SYN Attack

attacker server trusted host (T)

SYN = ISNX, SRC_IP = T
SYN = ISNS, ACK(ISNX)
ACK(ISNS), SRC_IP = T

SRC_IP = T, nasty_data

• 29
 What about the ACK for T?

• If the ACK is received by the trusted host T

– It will reject it, as no request for a connection was
made by it
– RST will be sent and the server drops the connection

BUT!!!
• The attacker can either launch this attack
when T is down
• Or launch some sort of DoS attack on T
– So that it can’t reply

• 30
 TCP SYN Attack – How to
Guess ISNS?
attacker server
SYN = ISN
X

, A CK (ISN X)
I SN S
SYN =
SYN = I S
NX ’, SRC t
_I P = T SYN = I S
NS ’, ACK
(I S N )
X
ACK(ISN
’), SRC_
S
IP =T

– ISNS’ (Attacker’s ISN) depends on ISNS and

t
– t can be estimated from the round trip
time
– Assume t can be estimated with 10 ms
precision
• 31
 TCP SYN Attack – How to
Guess ISNS?

• Attacker has an uncertainty of

1280 in the possible value for ISNS’
• Assume each trial takes 5 s
• The attacker has a reasonable
likelihood of succeeding in 6400 s
and a near-certainty within one
day!

• 32
 How to Prevent it?

• Can be prevented by properly

configuring the firewall
– Do not allow any communication from
outside using the address of some
internal network

• 33
 TCP SYN Flood
• Attacker’s goal is
to overwhelm the C S
destination
machine with SYN SYNC1
packets with Listening
spoofed IP
SYNC2
• This results in:
Store data
– The server’s
connection queue SYNC3
filling up causing
DoS Attack
SYNC4
– Or even if queue
is large enough,
all ports will be SYNC5
busy and the
service could not
be provided by
the server
• 34
 How to Avoid TCP SYN
Flood
• Decrease the wait time for half open
connection
• Do not store the connection information
• Use SYN cookies as sequence numbers
during connection setup
• SYN cookie is some function applied on
– Dest IP, Source IP, Port numbers, Time
and a secret number

• 35
 TCP Congestion Control

Source

Destination

• If packets are lost, assume congestion

– Reduce transmission rate by half, repeat
– If loss stops, increase rate very slowly
Design assumes routers blindly obey this policy

• 36
 TCP Congestion Control-
Competition
Source A Destination

Source B Destination

• Amiable source A yields to boisterous source B

– Both senders experience packet loss
– Source A backs off
– Source B disobeys protocol, gets better
results!
• 37
 DoS-Denial of Service
Attacks
• Attempts to prevent the victim from
being able to establish connections
• Accomplished by involving the victim in
heavy processing
– like sending the TCP SYN packets to
all ports of the victim and avoiding
new connection establishment
• DoS attacks are much easier to
accomplish than gaining administrative
access

• 38
 Exploiting Ping Command for
Smurf DoS Attack
1 ICMP Echo Req
3 ICMP Echo Reply
Src: Dos Target gateway
DoS Dest: Dos Target DoS
Dest: brdct addr Target
Source

• Send ping request to subnet-directed brdcst

addr with spoofed IP (ICMP Echo Req)
• Lots of responses:
– Every host on target network generates a ping reply
(ICMP Echo Reply) to victim
– Ping reply stream can overload victim

• 39
 Smurf DoS Attack
Prevention
• Have adequate bandwidth and
redundant paths
• Filter ICMP messages to reject external
packets to broadcast address
• Any other approach ?

• 40
 FTP – File Transfer Protocol
client

user
user
interface
interface
user
server

protocol
protocol control connection protocol
protocol
interpreter
interpreter (FTP commands and replies) interpreter
interpreter

data
data data
data
data connection
transfer
transfer transfer
transfer
function
function function
function

file system file system

• 41
 FTP – File Transfer Protocol
• Typical FTP commands:
– RETR filename – retrieve (get) a file from the server
– STOR filename – store (put) a file on the server
– TYPE type – specify file type (e.g., A for ASCII)
– USER username – username on server
– PASS password – password on server
• FTP is a text (ASCII) based protocol
client server
% ftp ftp.imsciences.edu.pk
<TCP connection setup to port 21 of ftp.imsciences.edu.pk >
“220 ftp.imsciences.edu.pk FTP server (version 5.60) ready.”

Connected to ftp.imsciences.edu.pk.
Name: abc
“USER abc”
“331 Password required for user abc.”

Password: pswd
“PASS pswd”

“230 User abc logged in.”

…
• 42
 Problems with FTP

• FTP information exchange is in clear text

– The attacker can easily eavesdrop and get
the secret information
– The attacker can also know the software
version of FTP running to exploit the
vulnerabilities of that particular version

• 43
 FTP Bounce Scans
• FTP has a feature to open connection with
victim machine on the request from attacker
machine
• Machine A (Attacker)
l can request to check for
tr o
the open Pports
c ionon the target machine X
on
t
(Victim)FTonnec
c
FTP Server

Attacker Victim to be
scanned

• • Newer version of FTP does not support 44

 Telnet
• Provides remote login service to users
• Works between hosts that use different
operating systems
• Uses option negotiation between client and
server to determine what features are
supported by both ends
Telnet
Telnetclient Telnet
client Telnetserver
server login
loginshell
shell
kernel kernel

terminal
terminal pseudo-
pseudo-
TCP/IP
TCP/IP TCP/IP
TCP/IP
driver
driver terminal
terminal
driver
driver

TCP connection

user

• 45
 Telnet Session Example
• Single character at a time
client server
% telnet ahost.com.pk
<TCP connection setup to port 23 of ahost.com.pk>

Connected to ahost.epfl.ch.
Escape character is ‘^]’.
<Telnet option negotiation>

“UNIX(r) System V Release 4.0”

“Login:”

Login: s
“s”

Login: st
“t”
… …
Login: student
“t”

“Password:”

Password: c
“c”
… …
Password: imsciences123
“3”

<OS greetings and shell prompt, e.g., “%”>

…
• 46
 Problems with Telnet

• Information exchange is in clear text

– The attacker can easily eavesdrop
and get the information like username
and passwords
– The attacker can also know the
version to exploit the vulnerabilities
of that particular version

• 47
 SMTP – Simple Mail
Transfer Protocol
sending host

user
user mails to
agent
agent be sent

user
local
local SMTP relay
relay
MTA
MTA MTA
MTA

TCP connection SMTP

TCP port 25
relay
relay
MTA
MTA

SMTP
receiving host

local
local SMTP relay
relay
MTA
MTA MTA
MTA

user
user user
agent
agent mailbox
• user
48
 SMTP

• SMTP is a text (ASCII) based protocol

• MTA transfers mail from the user to
the destination server
• MTA relays are used to relay the
mail from other clients
• MTAs use SMTP to talk to each other
• All the messages are spooled before
sending

• 49
 SMTP Message Flow
sending MTA (rivest.imsciences.edu.pk) receiving MTA (shamir.unet.com.pk)
<TCP connection establishment to port 25>
“HELO rivest.imsciences.edu.pk.”
“250 shamir.unet.com.pk Hello rivest.imsciences.edu.pk., pleased to meet you”
“MAIL from: [email protected]”
“250 [email protected]... Sender ok”
“RCPT to: [email protected]”
“250 [email protected]… Recipient ok”
“DATA”
“354 Enter mail, end with a “.” on a line by itself”
<message to be sent>
.
“250 Mail accepted”
“QUIT”
“221 shamir.unet.com.pk delivering mail”

• 50
 SMTP Security Problems
• Designed in an era where internet
security was not much of an issue
– No security at the base protocol
• Designed around the idea of
“cooperation” and “trust” between
servers
– Susceptible to DoS attacks
• Simply flood a mail server with SMTP
connections or SMTP instructions.

• 51
 SMTP Security Problems
• SMTP does not provide any protection of
e-mail messages
– Does not ask sender to authenticate
itself.
– Messages can be read and modified by
any of the MTAs involved
– Fake messages can easily be generated
(e-mail forgery)
– Does not check what and from whom it
is relaying the message
• 52
 SMTP Security Problems
Example
% telnet frogstar.hit.com.pk 25
Trying...
Connected to frogstar.hit.com.pk.
Escape character is ‘^[’.
220 frogstar.hit.com.pk ESMTP Sendmail 8.11.6/8.11.6;
Mon, 10 Feb 2003 14:23:21 +0100
helo abcd.com.pk
250 frogstar.hit.com.pk Hello [152.66.249.32], pleased to meet you
mail from: [email protected]
250 2.1.0 [email protected]... Sender ok
rcpt to: [email protected]
250 2.1.5 [email protected]... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Your fake message goes here.
.
250 2.0.0 h1ADO5e21330 Message accepted for delivery
quit
221 frogstar.hit.com.pk closing connection
Connection closed by foreign host.
%

• 53
 Be Careful, Though!
Return-Path: <[email protected]>
Received: from frogstar.hit.com.pk ([email protected]
[152.66.248.44])
by shamir.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2)
with ESMTP id h1ADSsxG022719
for <[email protected]>; Mon, 10 Feb 2003 14:28:54 +0100
Received: from abcd.com.pk ([152.66.249.32])
by frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330
for [email protected]; Mon, 10 Feb 2003 14:25:41 +0100
Date: Mon, 10 Feb 2003 14:25:41 +0100
From: [email protected]
Message-Id: <[email protected]>
To: undisclosed-recipients:;
X-Virus-Scanned: by amavis-dc
Status:

Your fake message goes here.

• 54
 Domain Name Server

• 55
 DNS – Domain Name
Server
• The DNS is a distributed database that
provides mapping between hostnames
and IP addresses
• The DNS name space is hierarchical
– Top level domains: com, edu, gov, int,
mil, net, org, ae, …, pk, … zw
– Top level domains may contain
second level domains
e.g., edu within pk, co within uk, …
– Second level domains may contain
third level domains, etc.
• 56
 Domain Name Server

• Usually (not always) a name server

knows the IP address of the top level
name servers
• If a domain contains sub-domains, then
the name server knows the IP address
of the sub-domain name servers
• When a new host is added to a domain,
the administrator adds the (hostname,
IP address) mapping to the database of
the local name server

• 57
 DNS – Domain Name
Server
cs.imsciences.edu.pk = ? cs.imsciences.edu.pk = ?
local
local c s . im top
toplevel
level
application
application sIP
cieofncns in pk
152.66.248.44 name
namesrvsrv es . ed name
namesrv
srv
u. p k =
?
IP I P of
of ns in name
ns
in e d u. pk namesrv srv
15 i ms ininpk
pk
2. c i en
66 ce
.2 s .e
48 du
.4 . pk name
namesrv
srv
4
ininedu.pk
edu.pk

name
namesrv
– A single DNS reply may include several srv
ininimsciences.edu.pk
imsciences.edu.pk
(hostname, IP address) mappings (Resource
Records)
– Received information is cached by the name
server
• 58
 DNS spoofing
• The cache of a DNS name server is
poisoned with false information
• How to do it?
– Assume that the attacker wants
www.anything.com.pk to map to his
own IP address 152.66.249.32

• 59
 DNS Spoofing - Approach 1
• Attacker submits a DNS query
“www.anything.com.pk=?” to
ns.victim.com.pk
• A bit later it forges a DNS reply
“www.anything.com.pk=152.66.24
9.32”
• UDP makes forging easier but the
attacker must still predict the
query ID

• 60
 DNS Spoofing – Approach
2
• Attacker has access to
ns.attacker.com.pk
– The attacker modifies its local name server
such that it responds a query
“www.attacker.com.pk=?” with
“www.anything.com.pk=152.66.249.32”
– The attacker then submits a query
“www.attacker.com.pk=?” to
ns.victim.com.pk
– ns.victim.com.pk sends the query
“www.attacker.com.pk=?” to
ns.attacker.com.pk
• – ns.attacker.com.pk responds with 61