Security Problems in TCP-IP

7/31/2019 Security Problems in TCP-IP

1/18

1


2/18

SECURITY PROBLEMS IN TCP/IP

2


3/18

SECURITY PROBLEMS IN R-SERVICES

red.cs.umass.edu brian

*.cs.umass.edu brian

* *

3


4/18


4

Source routing

False routing table updates

Session hijacking

ICMP redirects

False ARP packets

TCP session stealing

ignore source routes

secure routing protocols

ssh/ secure connection?

Publish ARP tables

ssh/ secure connection


5/18


IP source-route option

The responder includes the source-route on the reply packets.

Some/most OSs ignore source routes these days.

5

C S

X 1. C->S: spoofed packet(source-route; includes X)

2. replies


6/18

SESSION HIJACKING

C->S: SYN(ISNC) S->C: SYN(ISNS), ACK(ISNC+1)

C->S: ACK(ISNS +1)

Client and Server exchange data

ISN number generation

4.2BSD: increments 128/sec

4.3BSD: increments 125000/sec

6

SYN(ISNC)

SYN(ISNS),ACK(ISNC+1

)ACK(ISNS+1)

Client C Server S


7/18

SESSION HIJACKING

X->S: SYN(ISNX) [spoofs C] S: rshd server

S->C: SYN(ISNS), ACK(ISNX +1)

X->S: ACK(ISNS +1) [spoofs C; estimates ISNS]

X->S: [ echo * * >> ~/.rhosts] [spoofs C]

X->S: RESET [spoofs C]

X rlogins from anywhere in the world.

7

C

3. SYN(5000), ACK(1001)

Trusted relationship

X

S2. SYN(1000)

1: Disables C


8/18

SESSION HIJACKING

8

C

4: SYN(ISNX)

(spoofs C)

X

S5: SYN(ISNS), ACK(ISNX+1)

6: ACK(ISNS +1)(spoofs C; estimates ISNS)

3. Executes remote commands:

C

8: RESET(spoofs C)

X

S

7: [echo * * >> ~/.rhosts](spoofs C)


9/18

DISABLING HOSTS: SYN FLOODING DOS

listen()

9


10/18

ATTACKING ROUTING TO EXPLOIT RSH

OSPF: link-state algorithm

RIP: distance vector algorithm

All subsequent packets to C will be routed to the attacker. The attacker initiates connection to rshd of the server. (spoofing C)

Only accept authenticated updates.

Requires key management.

10


11/18

ICMP ATTACK

Requires an existing connection

Open a spoofed connection to the host you want to attack.

Then send a spoofed ICMP redirect to the victim redirecting it to the gateway youve

compromised.

ICMP destination unreachable

Frequent ICMP source quenches

11


12/18

ARP ATTACKS

But in a race condition with the real machine.

Repeat frequently so that cache doesnt timeout

12


13/18

ARP SPOOFING - COUNTERMEASURES

Statically defining the IP to Ethernet address mapping

arp -s hostname 00:01:02:03:04:ab pub

13


14/18

TCP SESSION STEALING

The attacker is in the path b/w the client and the server

The attacker can sniff all the packets and inject some spoofed packets

Steps:1. The attacker sniffs the communication b/w the two.

2. The attacker disables the communication by desynchronizing the

client and the server.

3. The attacker injects spoofed packets that acceptable for both ends.

14


15/18


Both in Established state

No data is being sent (stable state)

S_SEQ C_ACK and C_SEQ S_ACK

The packet is accepted (buffered) but not sent to the user

The packet is dropped

15


16/18


E.g. [echo myhost >> ~/.rhost] for rlogin

16

C

X

S

1: C->S: C_SEQ, C_ACK

C_SEQ, C_ACK

2: X->S (spoofing C): S_ACK, S_SEQ[echo myhost >> ~/.rhost]

S_SEQ, S_ACK

(dropped)

(accepted)

S_SEQ C_ACK and C_SEQ S_ACK


17/18

DESYNCHRONIZATION

1. C->S(Syn): C_Seq0 ; C: Syn_Sent

2. S->C(Syn/Ack): S_Seq0, C_Seq0+1 ; S: Syn_Rcvd

; C: Established(C_Seq0+1, S_Seq0+1)

(before the packet C->S(Ack): S_Seq0+1)

3. X->S(spoofing C, Rst)

4. X->S(spoofing C, Syn): X_Seq0 ; the same port # used in (1)

5. S->C(Syn/Ack): S_Seq1, X_Seq0+1

6. X->S(spoofing C, Ack): S_Seq1+1; S: Established(S_Seq1+1, X_Seq0+1)

17

C

X

S1

2

3,4, 6


18/18

THE ATTACK

1. The attacker watches the session without interfering.

2. During a quiet period, the attacker sends a large amount of null data (IAC, NOP for

telnet): nothing happens, server only changes the TCP Ack number

3. Now, when the client sends data, it is dropped by the server because its lower

than the servers window.

4. The attacker does the same with the client.

18

Security Problems in TCP-IP

Documents

Transcript of Security Problems in TCP-IP