
TCPIP Vulnerabilities (Layer Wise)

The document lists and explains four main TCP/IP vulnerabilities: ARP spoofing, port scanning, TCP SYN flooding attacks, and IP spoofing. ARP spoofing enables attackers to intercept or modify network traffic. Port scanning is used to discover open ports and services on a system. TCP SYN flooding overwhelms servers with connection requests to cause denial of service. IP spoofing disguises the source of IP packets to enable attacks or overload networks.

Uploaded by

URVI BALEKUNDRI
Copyright © All Rights Reserved

List and explain the different TCP/IP vulnerabilities.

Following are the vulnerabilities in TCP/IP

1. ARP Spoofing:

• ARP spoofing is a type of attack in which a malicious actor sends falsified ARP
(Address Resolution Protocol) messages over a local area network.
• This results in the linking of an attacker’s MAC address with the IP address of a
legitimate computer or server on the network.
• Once the attacker’s MAC address is connected to an authentic IP address, the attacker
will begin receiving any data that is intended for that IP address.
• ARP spoofing can enable malicious parties to intercept, modify or even stop data in-
transit. ARP spoofing attacks can only occur on local area networks that utilize the
Address Resolution Protocol.

Effects of ARP spoofing attacks:

• The effects of ARP spoofing attacks can have serious implications for enterprises.
• In their most basic application, ARP spoofing attacks are used to steal sensitive
information. Beyond this, ARP spoofing attacks are often used to facilitate other
attacks such as:

1. Denial-of-service attacks:

DoS attacks often leverage ARP spoofing to link multiple IP addresses with a single
target’s MAC address. As a result, traffic that is intended for many different IP
addresses will be redirected to the target’s MAC address, overloading the target with
traffic.

2. Session hijacking:

Session hijacking attacks can use ARP spoofing to steal session IDs, granting
attackers access to private systems and data.

3. Man-in-the-middle attacks:
MITM attacks can rely on ARP spoofing to intercept and modify traffic between
victims.
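As an added example (not part of the original notes), the detection logic a network defender would run over ARP replies seen on a segment: it flags an IP whose MAC binding changes during the capture (the interception case above), a critical host answered by a MAC other than its known-good one, and one MAC answering for many IPs (the denial-of-service variant). The replies and the trusted-binding table are constructed.

```python
from collections import defaultdict

# Constructed ARP replies as seen on one LAN segment (sender IP, sender MAC); not a real capture.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway, legitimate
    ("192.168.1.10", "aa:bb:cc:00:00:10"),   # Alice's workstation
    ("192.168.1.20", "aa:bb:cc:00:00:20"),   # file server
    ("192.168.1.1",  "de:ad:be:ef:00:99"),   # gateway IP now claimed by a different MAC
    ("192.168.1.10", "de:ad:be:ef:00:99"),   # the same MAC also claims Alice's IP
    ("192.168.1.20", "de:ad:be:ef:00:99"),   # ...and the file server's
]

# Known-good bindings a defender keeps for critical hosts (constructed).
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}

MANY_IPS_PER_MAC = 3   # threshold for the "many IPs mapped to one MAC" pattern

def analyse_arp(replies, trusted=TRUSTED_BINDINGS, many=MANY_IPS_PER_MAC):
    """Return a list of findings from a sequence of ARP replies."""
    ip_to_macs = defaultdict(list)   # ordered, so we keep who claimed the IP first
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        if mac not in ip_to_macs[ip]:
            ip_to_macs[ip].append(mac)
        mac_to_ips[mac].add(ip)

    findings = []
    for ip, macs in ip_to_macs.items():
        # Interception indicator: the binding for this IP changed during the capture.
        if len(macs) > 1:
            findings.append(("ip_mac_conflict", ip, macs[0], macs[-1]))
        # Trusted-table check: a critical host's IP answered by an unexpected MAC.
        for mac in macs:
            if ip in trusted and trusted[ip] != mac:
                findings.append(("untrusted_mac_for_ip", ip, mac))
    for mac, ips in mac_to_ips.items():
        # Denial-of-service indicator: one MAC answering for many IP addresses.
        if len(ips) >= many:
            findings.append(("mac_claims_many_ips", mac, len(ips)))
    return findings

if __name__ == "__main__":
    for finding in analyse_arp(SAMPLE_ARP_REPLIES):
        print(*finding)
```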

2. Port scanning

• Port Scanning is one of the most popular techniques attackers use to discover services
that they can exploit to break into systems.
• All systems that are connected to a LAN or the Internet via a modem run services that
listen to well-known and not so well-known ports.
• By port scanning, the attacker can find the following information about the targeted
systems: what services are running, what users own those services, whether
anonymous logins are supported, and whether certain network services require
authentication.
• Port scanning is accomplished by sending a message to each port, one at a time. The
kind of response received indicates whether the port is used and can be probed for
further weaknesses.
• Port scanners are important to network security technicians because they can reveal
possible security vulnerabilities on the targeted system.

Port Scan Techniques

2.1 Address Resolution Protocol (ARP)

o ARP scans discover active devices on the local network segment by sending a
series of ARP broadcasts and incrementing the value for the target IP address
field in each broadcast packet.
o This type of scan will have every IP device on the network respond with its
own IP address in response. This scan will effectively map out an entire
network.

2.2 TCP connect

o The Vanilla TCP connect scan is the most basic scanning technique.
o The scan uses the connect system call of the operating system to attempt a full
connection to every port on the target; the ports that accept the connection are open.
o The scan is extremely noisy and easily detectable. The targeted system logs
will show connection requests and error messages for the services that
accepted the connections.

2.3 TCP SYN

o TCP SYN (half open) scans are called half open because the attacking system
never completes or closes the connections it starts.
o The attacking scanner will send a SYN packet to the target and wait for a
response. If the port is open, the target will send a SYN|ACK.
o If the port is closed, the target will send an RST.
o This type of scan is difficult to detect. The target system is in charge of closing
the open connections and the target, most likely, will not have the proper
logging set up to detect this type of scan.

2.4 TCP FIN

o The TCP FIN scan has the ability to pass undetected through most firewalls,
packet filters, and scan detection programs.
o The attacking system sends FIN packets to the targeted system. The closed
ports will respond with an RST. The open ports will ignore the packets. The
attacking system will take note of which ports it received an RST on and
report on the ports that did not respond with an RST.
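As an added example (not from the original notes), the detection side of the four techniques above: a classifier that labels each reassembled TCP exchange as a full connect, a half-open SYN probe or a FIN probe, and a per-source rule that flags hosts touching many distinct ports. The flows and host addresses are constructed.

```python
from collections import Counter, defaultdict

# Constructed flows as a sensor beside the probed host would reassemble them (not real
# traffic): key = (probing host, probed port), value = the TCP flag sequence of the
# exchange, each entry tagged "c" (probing host sent it) or "s" (probed host sent it).
SYN_SCAN   = [("c", "S"), ("s", "SA"), ("c", "R")]                # half-open: never ACKs
CONNECT    = [("c", "S"), ("s", "SA"), ("c", "A"), ("c", "R")]    # full handshake, then RST
FIN_CLOSED = [("c", "F"), ("s", "R")]                             # FIN to a closed port
FIN_OPEN   = [("c", "F")]                                         # FIN to an open port: silence
NORMAL     = [("c", "S"), ("s", "SA"), ("c", "A"), ("c", "PA"), ("s", "PA"), ("c", "FA"), ("s", "FA")]

SAMPLE_FLOWS = {
    **{("10.0.0.5", p): SYN_SCAN for p in (22, 25, 80, 443, 3306)},
    **{("10.0.0.6", p): CONNECT for p in (21, 22, 80, 8080)},
    **{("10.0.0.7", p): FIN_CLOSED for p in (23, 135, 139)},
    ("10.0.0.7", 80): FIN_OPEN,
    ("10.0.0.8", 443): NORMAL,   # Alice's ordinary HTTPS session: one port, full handshake
}

def classify_flow(exchange):
    """Label one exchange by how it departs from a normal client handshake."""
    client = [flags for who, flags in exchange if who == "c"]
    server = [flags for who, flags in exchange if who == "s"]
    if client and client[0] == "F":
        return "fin_probe"          # FIN with no preceding SYN (TCP FIN scan)
    if client[:1] == ["S"] and server[:1] == ["SA"]:
        if "A" in client[1:]:
            return "full_connect"   # handshake completed (TCP connect scan or real session)
        if "R" in client[1:]:
            return "half_open"      # SYN, SYN/ACK, then RST instead of ACK (TCP SYN scan)
    return "other"

def detect_scanners(flows, min_ports=3):
    """Flag sources that touch at least min_ports distinct ports, with the dominant pattern."""
    per_src = defaultdict(Counter)
    for (src, _port), exchange in flows.items():
        per_src[src][classify_flow(exchange)] += 1
    report = {}
    for src, counts in per_src.items():
        ports = sum(counts.values())
        if ports >= min_ports:
            report[src] = (ports, counts.most_common(1)[0][0])
    return report

if __name__ == "__main__":
    for src, (ports, kind) in detect_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {ports} ports probed, pattern={kind}")
```

A FIN probe to an open port draws no reply at all, so the classifier keys on the client-side FIN without a preceding SYN rather than on the target's response; a full connect is told apart from a real session only by the number of ports touched, which is why the target's logs matter for that case.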

3. TCP SYN flood attack

• TCP SYN flood is a type of Distributed Denial of Service (DDoS) attack that exploits
part of the normal TCP three-way handshake to consume resources on the targeted
server and render it unresponsive.
• Essentially, with SYN flood DDoS, the offender sends TCP connection requests faster
than the targeted machine can process them, causing network saturation.

Attack description

• When a client and server establish a normal TCP “three-way handshake,” the
exchange looks like this:

1. Client requests connection by sending SYN (synchronize) message to the server.


2. Server acknowledges by sending SYN-ACK (synchronize-acknowledge) message
back to the client.
3. Client responds with an ACK (acknowledge) message, and the connection is
established.

• In a SYN flood attack, the attacker sends repeated SYN packets to every port on the
targeted server, often using a fake IP address.
• The server, unaware of the attack, receives multiple, apparently legitimate requests to
establish communication. It responds to each attempt with a SYN-ACK packet from
each open port.
• The malicious client either does not send the expected ACK, or—if the IP address is
spoofed—never receives the SYN-ACK in the first place. Either way, the server under
attack will wait for acknowledgement of its SYN-ACK packet for some time.
• During this time, the server cannot close down the connection by sending an RST
packet, and the connection stays open.
• Before the connection can time out, another SYN packet will arrive. This leaves an
increasingly large number of connections half-open – and indeed SYN flood attacks
are also referred to as “half-open” attacks.
• Eventually, as the server’s connection overflow tables fill, service to legitimate clients
will be denied, and the server may even malfunction or crash.
[Figure: A normal connection between a user (Alice) and a server. The three-way handshake is
correctly performed.]

[Figure: SYN flood. The attacker sends several packets but does not send the "ACK" back to the
server. The connections are hence half-opened and consuming server resources. Alice, a
legitimate user, tries to connect but the server refuses to open a connection, resulting in a
denial of service.]
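As an added example (not from the original notes), a toy model of the listener's half-open backlog that reproduces the two figures: with a fixed backlog, SYNs that are never acknowledged fill the table and Alice's connection is refused; with SYN cookies, the standard mitigation, the server keeps no per-SYN state, encoding the connection identity in its own initial sequence number and checking the returning ACK against it. The addresses, backlog size and cookie construction (HMAC over source, port and a coarse time slot) are constructed for the model.

```python
import hashlib, hmac, secrets

class SynServer:
    """Toy listener modelling the half-open backlog, with SYN cookies as an optional mitigation."""
    def __init__(self, backlog=64, syn_cookies=False, secret=None):
        self.backlog, self.syn_cookies = backlog, syn_cookies
        self.secret = secret or secrets.token_bytes(16)   # constructed per-server key
        self.half_open = {}        # (src, sport) -> ISN we promised in our SYN-ACK
        self.established = set()
        self.dropped = 0

    def _cookie(self, src, sport, tick):
        """ISN that encodes the connection identity and a coarse time slot, no table needed."""
        msg = f"{src}:{sport}:{tick}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src, sport, tick=0):
        """Return the ISN carried in our SYN-ACK, or None if the SYN had to be dropped."""
        if self.syn_cookies:
            return self._cookie(src, sport, tick)   # nothing stored: the state lives in the ISN
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                       # backlog full: legitimate SYNs refused too
            return None
        isn = secrets.randbits(32)
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src, sport, ack, tick=0):
        """Third handshake step: accept only if ack is the ISN we issued plus one."""
        if self.syn_cookies:   # recompute for this tick and the previous one (clock slop)
            ok = any(ack == self._cookie(src, sport, t) + 1 for t in (tick, tick - 1))
        else:
            ok = self.half_open.pop((src, sport), None) == ack - 1
        if ok:
            self.established.add((src, sport))
        return ok

def simulate(syn_cookies, flood_size=200):
    """Spoofed-source SYNs that are never ACKed, then Alice's legitimate handshake."""
    srv = SynServer(backlog=64, syn_cookies=syn_cookies)
    for i in range(flood_size):
        srv.on_syn(f"198.51.100.{i % 250}", 40000 + i)   # no ACK ever follows these
    isn = srv.on_syn("192.0.2.10", 51515)                # Alice
    alice_ok = isn is not None and srv.on_ack("192.0.2.10", 51515, isn + 1)
    return alice_ok, len(srv.half_open), srv.dropped

if __name__ == "__main__":
    print("without cookies:", simulate(False))   # Alice refused, backlog full
    print("with cookies:   ", simulate(True))    # Alice connects, nothing stored
```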

4. IP spoofing

• IP address spoofing is one of the most frequently used spoofing attack methods. In an
IP address spoofing attack, an attacker sends IP packets from a false (or “spoofed”)
source address in order to disguise itself.
• Denial-of-service attacks often use IP spoofing to overload networks and devices with
packets that appear to be from legitimate source IP addresses.
• IP spoofing is the action of masking a computer IP address so that it looks like it is
authentic.
• During this masking process, the fake IP address sends what appears to be a
malevolent message coupled with an IP address that appears to be authentic and
trusted.
• In IP spoofing, IP headers are masked through a form of Transmission Control
Protocol (TCP) in which spoofers discover and then manipulate vital information
contained in the IP header such as IP address and source and destination information.

Types of Spoofing attacks

Non-Blind Spoofing

• This type of attack takes place when the attacker is on the same subnet as the victim.
The sequence and acknowledgement numbers can be sniffed, eliminating the potential
difficulty of calculating them accurately.
• The biggest threat of spoofing in this instance would be session hijacking. This is
accomplished by corrupting the data stream of an established connection, then re-
establishing it based on correct sequence and acknowledgement numbers with the
attack machine.
• Using this technique, an attacker could effectively bypass any authentication
measures taken to build the connection.

Blind Spoofing

• This is a more sophisticated attack, because the sequence and acknowledgement
numbers are unreachable.
• In order to circumvent this, several packets are sent to the target machine in order to
sample sequence numbers. While not the case today, machines in the past used basic
techniques for generating sequence numbers.
• It was relatively easy to discover the exact formula by studying packets and TCP
sessions. Today, most OSs implement random sequence number generation, making it
difficult to predict them accurately.
• If, however, the sequence number was compromised, data could be sent to the target.
Several years ago, many machines used host-based authentication services (e.g.
rlogin). A properly crafted attack could add the requisite data to a system (e.g. a new
user account), blindly, enabling full access for the attacker who was impersonating a
trusted host.

Man In the Middle Attack

• Both types of spoofing are forms of a common security violation known as a man in
the middle (MITM) attack. In these attacks, a malicious party intercepts a legitimate
communication between two friendly parties.
• The malicious host then controls the flow of communication and can eliminate or alter
the information sent by one of the original participants without the knowledge of
either the original sender or the recipient.
• In this way, an attacker can fool a victim into disclosing confidential information by
“spoofing” the identity of the original sender, who is presumably trusted by the
recipient.

Denial of Service Attack

• IP spoofing is almost always used in what is currently one of the most difficult attacks
to defend against – denial of service attacks, or DoS.
• Since crackers are concerned only with consuming bandwidth and resources, they
need not worry about properly completing handshakes and transactions.
• Rather, they wish to flood the victim with as many packets as possible in a short
amount of time. In order to prolong the effectiveness of the attack, they spoof source
IP addresses to make tracing and stopping the DoS as difficult as possible.
• When multiple compromised hosts are participating in the attack, all sending spoofed
traffic, it is very challenging to quickly block traffic.
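As an added example (not from the original notes), the source-address validation a border router applies to make the spoofed DoS traffic above harder to send and easier to trace: packets arriving from outside that claim an internal or private source are dropped, and packets leaving the internal side with a source the site does not own are dropped. The prefixes and sample packets are constructed.

```python
import ipaddress

# Constructed topology: this router's internal interface fronts these prefixes; anything
# else is reachable only through the external interface.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
# Source addresses that have no business arriving from the Internet (private, loopback, ...).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

def _in_any(addr, prefixes):
    return any(addr in prefix for prefix in prefixes)

def filter_packet(iface, src):
    """Decide ('forward' | 'drop', reason) from the arrival interface and claimed source."""
    addr = ipaddress.ip_address(src)
    if iface == "external":
        if _in_any(addr, INTERNAL_PREFIXES):
            return ("drop", "inbound packet claims one of our own addresses as source")
        if _in_any(addr, BOGON_PREFIXES):
            return ("drop", "inbound packet from a private or bogon source")
    elif iface == "internal":
        if not _in_any(addr, INTERNAL_PREFIXES):
            return ("drop", "outbound packet with a source we do not own")
    else:
        raise ValueError(f"unknown interface {iface!r}")
    return ("forward", "source address is plausible for this interface")

# Constructed sample: (arrival interface, claimed source address).
SAMPLE_PACKETS = [
    ("external", "203.0.113.7"),    # ordinary Internet host
    ("external", "192.0.2.10"),     # outside packet pretending to be our host Alice
    ("external", "10.1.2.3"),       # private source arriving from the Internet
    ("internal", "192.0.2.10"),     # Alice sending out normally
    ("internal", "203.0.113.99"),   # internal host spoofing an outside address (DoS source)
]

def apply_filter(packets):
    """Return the verdict per packet plus the number of drops, as a filter log would."""
    verdicts = [(iface, src) + filter_packet(iface, src) for iface, src in packets]
    return verdicts, sum(1 for v in verdicts if v[2] == "drop")

if __name__ == "__main__":
    for iface, src, verdict, reason in apply_filter(SAMPLE_PACKETS)[0]:
        print(f"{iface:8} {src:15} {verdict:7} {reason}")
```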

5. DNS Spoofing

• The Domain Name System (DNS) is a system that associates domain names with IP
addresses.
• Devices that connect to the internet or other private networks rely on the DNS for
resolving URLs, email addresses and other human-readable domain names into their
corresponding IP addresses.
• In a DNS server spoofing attack, a malicious party modifies the DNS server in order
to reroute a specific domain name to a different IP address.
• In many cases, the new IP address will be for a server that is actually controlled by the
attacker and contains files infected with malware. DNS server spoofing attacks are
often used to spread computer worms and viruses.
