Vulnerabilities in TCP/IP Protocols

The document discusses several vulnerabilities in TCP/IP protocols including address resolution protocol (ARP) spoofing, lack of authentication and encryption in internet protocol (IP) packets, and reliability issues in transmission control protocol (TCP) connections. It provides examples of how ARP spoofing can be used to sniff network traffic and how unauthenticated IP packets and routing information can be modified or spoofed. The document outlines TCP/IP layering and encapsulation and how addresses are resolved through IP, MAC addresses, and DNS hostnames. It focuses on security considerations for common protocols including ARP, IP, TCP, and applications like FTP, Telnet, and SMTP.

Uploaded by

Saif Ullah

Vulnerabilities in TCP/IP Protocols

Outline

• TCP/IP Layering
• Names and Addresses
• Security Considerations for
– Address Resolution Protocol
– Internet Protocol
– Transmission Control Protocol
– FTP, Telnet, SMTP

2

TCP/IP Layering

3

An Example

4

Encapsulation

[Figure: encapsulation of user data on its way down the stack]
– HTTP client: user data, prefixed by an HTTP header
– TCP: adds a TCP header
– IP: adds an IP header
– Ethernet driver: adds an Ethernet header and trailer, then sends the frame on the Ethernet

5

Demultiplexing

[Figure: demultiplexing of an incoming frame on its way up the stack]
– Ethernet driver: demuxing based on the frame type in the Ethernet header (ARP, RARP, IP)
– IP: demuxing based on the protocol id in the IP header (ICMP, IGMP, TCP, UDP)
– TCP or UDP: demuxing based on the port number in the TCP or UDP header (HTTP, DNS, FTP, SNMP, SMTP, …)

6

Names and Addresses

7

IP Addresses

• Just to refresh!
• Every interface has a unique IP address
• 32 bits long, usually given in dotted decimal
notation
• 5 classes:
– class A: “0” + 7 bits net ID + 24 bits host ID
– class B: “10” + 14 bits net ID + 16 bits host ID
– class C: “110” + 21 bits net ID + 8 bits host ID
– class D: “1110” + 28 bits multicast group ID
– class E: “11110”, reserved for future use
8

Subnet Addressing

• CIDR – Classless Inter-Domain Routing
• Host ID portion is divided into a subnet ID and a host ID
• e.g., class B address: “10” + 14 bit net ID + 8 bit subnet ID + 8 bit host ID
• Hierarchical addressing

9

Hardware (MAC) Addresses

• Every interface has a unique and fixed hardware address too
• Used by the data link layer
• In case of Ethernet, it is 48 bits long
• Mapping between IP addresses and MAC addresses is done by ARP

10

Host Names

• Human readable, hierarchical names, such as www.imsciences.edu.pk
• Every host may have several names
• Mapping between names and IP addresses is done by the Domain Name System (DNS)

11

Address Resolution Protocol

12

ARP – Address Resolution Protocol
• Mapping from IP addresses to MAC addresses

[Figure: ARP exchange on the 140.252.13 network (hosts .1 to .5); a host with MAC 08:00:20:03:F6:42 asks for the MAC of 140.252.13.5, whose MAC is 00:00:C0:C2:9B:26]
Request (broadcast):
arp req | target IP: 140.252.13.5 | target eth: ?
Reply (from 140.252.13.5):
arp rep | sender IP: 140.252.13.5 | sender eth: 00:00:C0:C2:9B:26

13



ARP Spoofing
• An ARP request can be responded to by another host

[Figure: same 140.252.13 network; a third host with MAC 00:34:CD:C2:9F:A0 answers the request meant for 140.252.13.5]
Request (broadcast):
arp req | target IP: 140.252.13.5 | target eth: ?
Reply (from the other host):
arp rep | sender IP: 140.252.13.5 | sender eth: 00:34:CD:C2:9F:A0

14
ARP Spoofing
• Used for sniffing on a switched LAN

[Figure: Victim and Attacker connected to a Switch; the Default Router leads to the Outside World]
1. Attacker configures IP forwarding
2. Attacker sends a fake ARP response to map the default router’s IP to the attacker’s MAC
3. Victim sends traffic based on the poisoned ARP cache
4. Attacker sniffs the traffic from the link
5. Packets are forwarded from the attacker’s machine to the actual default router
15
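The spoofed reply on slide 14 is visible on the wire: the same IP (140.252.13.5) is suddenly claimed by two different MAC addresses. The following monitor is an added example, not code from the slides; it parses ARP replies written in the slides’ own “arp rep | sender IP: … | sender eth: …” notation (the sample lines are constructed from the MACs on slides 13 and 14) and reports every IP that has been claimed by more than one MAC, or that contradicts a static table of known hosts such as the default router.

```python
import re
from collections import defaultdict

# Constructed sample: ARP replies as seen on the 140.252.13 network, in the
# notation used on the slides. The third and fourth lines are the spoofed reply
# from slide 14 (MAC 00:34:CD:C2:9F:A0 claiming 140.252.13.5).
SAMPLE_REPLIES = [
    "arp rep | sender IP: 140.252.13.5 | sender eth: 00:00:C0:C2:9B:26",
    "arp rep | sender IP: 140.252.13.1 | sender eth: 08:00:20:03:F6:42",
    "arp rep | sender IP: 140.252.13.5 | sender eth: 00:34:CD:C2:9F:A0",
    "arp rep | sender IP: 140.252.13.5 | sender eth: 00:34:CD:C2:9F:A0",
]

REPLY_RE = re.compile(
    r"arp rep \| sender IP: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \| sender eth: (?P<mac>[0-9A-Fa-f:]{17})"
)


def parse_reply(line):
    """Return (ip, mac) for one ARP reply line, or None for anything else (requests included)."""
    m = REPLY_RE.match(line.strip())
    if not m:
        return None
    return m.group("ip"), m.group("mac").upper()


def detect_conflicts(lines):
    """Build an IP -> set-of-MACs table from observed replies and return the IPs
    claimed by more than one MAC. A clean LAN yields an empty dict; the spoofed
    reply from slide 14 yields one entry for 140.252.13.5."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_reply(line)
        if parsed:
            ip, mac = parsed
            seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def check_cache(static_cache, lines):
    """Compare replies against a static table {ip: mac} of hosts whose MAC is known
    in advance (typically the default router, the target of the attack on slide 15)."""
    alerts = []
    for line in lines:
        parsed = parse_reply(line)
        if parsed and parsed[0] in static_cache and static_cache[parsed[0]] != parsed[1]:
            alerts.append(f"{parsed[0]} claimed by {parsed[1]}, expected {static_cache[parsed[0]]}")
    return alerts


if __name__ == "__main__":
    print(detect_conflicts(SAMPLE_REPLIES))
    print(check_cache({"140.252.13.5": "00:00:C0:C2:9B:26"}, SAMPLE_REPLIES))
```

The static-table check is the stronger of the two: an attacker who answers before the real host does would only ever show one MAC for the router’s IP, so a monitor that merely looks for conflicts can miss the poisoning, while a pinned entry for the router catches it immediately.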

ARP Spoofing Prevention ?

• Cryptographic protection on the data is the only way
– Do not allow any untrusted node to read the contents of your traffic

16

Internet Protocol

17

IP – Internet Protocol

• Provides an unreliable, connectionless datagram delivery service to the upper layers
• Its main function is routing
• It is implemented in both end systems and
intermediate systems (routers)
• Routers maintain routing tables that define the
next hop router towards a given destination (host
or network)
• IP routing uses the routing table and the
information in the IP header (e.g., the destination
IP address) to route a packet

18

IP Security Problems
• User data in IP packets is not protected in any
way
– Anyone who has access to a router can read and
modify the user data in the packets
• IP packets are not authenticated
– It is fairly easy to generate an IP packet with
an arbitrary source IP address
• Traffic analysis
– Even if user data was encrypted, one could
easily determine who is communicating with
whom by just observing the addressing
information in the IP headers

19

IP Security Problems
• Information exchanged between routers to
maintain their routing tables is not
authenticated
– Correct routing table updates can be
modified or fake ones can be
disseminated
– This may screw up routing completely
leading to loops or partitions
– It may also facilitate eavesdropping,
modification, and monitoring of traffic
– It may cause congestion of links or
routers (i.e., denial of service)

20

Transmission Control
Protocol

21

TCP – Transmission Control
Protocol
• Provides a connection oriented, reliable,
byte stream service to the upper layers
• Connection oriented:
– Connection establishment phase prior to
data transfer
– State information (sequence numbers,
window size, etc.) is maintained at both
ends

22

TCP- Reliability

• Positive acknowledgement scheme (unacknowledged bytes are retransmitted after a timeout)
• Checksum on both header and data
• Reordering of segments that are out of
order
• Detection of duplicate segments
• Flow control (sliding window mechanism)

23

TCP Connection Establishment

[Figure: three-way handshake between Client and Server]
Client → Server: SYN_C (server is Listening)
Server: stores the connection data
Server → Client: SYN_S, ACK_C
Server: waits for the acknowledgement
Client → Server: ACK_S
Both sides: Connected
24
TCP Sequence Numbers
• TCP uses ISN (Initial Sequence Number)
to order the incoming packets for a
connection
• Sequence numbers are 32 bits long
• The sequence number in a data segment
identifies the first byte in the segment
• Sequence numbers are initialized with a
“random” value during connection setup
• The RFC suggests that the ISN is
incremented by one at least every 4 μs
25

TCP SYN Attack
• An attacker can impersonate a trusted host
(e.g., in the case of r commands, authentication is
based solely on the source IP address)
– This can be done by guessing the sequence number in
the ongoing communication
– The initial sequence numbers are intended to be
more or less random

26

TCP SYN Attack
• In Berkeley implementations, the ISN is
incremented by a constant amount
– 128,000 once per second, and
– further 64,000 each time a connection is
initiated
• RFC 793 specifies that the 32-bit counter
be incremented by 1 about every 4 μs
– the ISN cycles every 4.55 hours
• Whatever! It is not hopeless to guess the
next ISN to be used by a system
27

Launching a SYN Attack

• The attacker first establishes a valid connection with the target to learn its ISN.
• Next it impersonates the trusted host T and sends the connection request with ISN_X
• The target sends the ACK with its ISN_S to the trusted host T
• The attacker, after the expected time, sends the ACK with the predicted ISN_S’
28

Launching a SYN Attack

[Figure: message sequence between attacker, server and trusted host (T)]
attacker → server: SYN = ISN_X, SRC_IP = T
server → T: SYN = ISN_S, ACK(ISN_X)
attacker → server: ACK(ISN_S), SRC_IP = T
attacker → server: SRC_IP = T, nasty_data

29

What about the ACK for T?

• If the ACK is received by the trusted host T
– It will reject it, as no request for a connection was made by it
– RST will be sent and the server drops the connection
BUT!!!
• The attacker can either launch this attack when T is down
• Or launch some sort of DoS attack on T
– So that it can’t reply

30

TCP SYN Attack – How to Guess ISN_S?

[Figure: message sequence between attacker and server]
attacker → server: SYN = ISN_X
server → attacker: SYN = ISN_S, ACK(ISN_X)
attacker → server: SYN = ISN_X’, SRC_IP = T
(time t elapses)
server → T: SYN = ISN_S’, ACK(ISN_X’)
attacker → server: ACK(ISN_S’), SRC_IP = T

– ISN_S’ (the ISN the server picks for the attacker’s spoofed connection) depends on ISN_S and t
– t can be estimated from the round trip time
– Assume t can be estimated with 10 ms precision

31

TCP SYN Attack – How to Guess ISN_S?

• Attacker has an uncertainty of 1280 in the possible value for ISN_S’
• Assume each trial takes 5 s
• The attacker has a reasonable likelihood of succeeding in 6400 s and a near-certainty within one day!

32
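Slides 27 to 32 reason about how predictable a Berkeley-style ISN is. The simulation below is an added example, not code from the slides: it models the ISN as a counter advancing at 128,000 per second plus 64,000 per connection (the slide’s figures), lets an “attacker” that observed one ISN predict the next with the slide’s 10 ms timing precision, and confirms that the true ISN falls inside a window of 1280 candidates. For contrast it also implements the per-connection-offset scheme of RFC 6528 (ISN = clock + hash(4-tuple, secret)), which the slides do not mention; the clock values, addresses and secret are constructed, and no real sockets are involved.

```python
import hashlib
import secrets

MOD = 1 << 32
INC_PER_SECOND = 128_000     # Berkeley: +128,000 per second (slide 27)
INC_PER_CONNECTION = 64_000  # Berkeley: +64,000 per connection initiated (slide 27)


def berkeley_isn(base, now, connections):
    """ISN of the Berkeley scheme, modelled as a counter running at 128,000/s
    plus 64,000 for every connection initiated so far (simulated clock)."""
    return (base + int(now * INC_PER_SECOND) + connections * INC_PER_CONNECTION) % MOD


def predict_window(isn_seen, t_seen, t_spoof, precision_s=0.010):
    """Attacker's view after seeing isn_seen at t_seen on its own connection: the ISN
    the server hands to the next connection at t_spoof lies in a window whose width is
    fixed by how precisely (t_spoof - t_seen) is known. Returns (window start, width)."""
    centre = (isn_seen + int((t_spoof - t_seen) * INC_PER_SECOND) + INC_PER_CONNECTION) % MOD
    width = round(precision_s * INC_PER_SECOND)  # 10 ms of drift -> 1280 candidates
    return (centre - width // 2) % MOD, width


def in_window(isn, start, width):
    """True if isn lies in the cyclic window [start, start + width)."""
    return (isn - start) % MOD < width


def expected_attack_seconds(width, trial_seconds=5.0):
    """Time to try every candidate once: the slide's 6400 s for 1280 candidates at 5 s each."""
    return width * trial_seconds


def rfc6528_isn(clock_isn, local_ip, local_port, remote_ip, remote_port, secret):
    """Per-connection offset scheme of RFC 6528 (added here, not from the slides):
    ISN = M + F(4-tuple, secret). An ISN observed on one 4-tuple says nothing
    about the offset applied to a different (spoofed) 4-tuple."""
    data = f"{local_ip}:{local_port}:{remote_ip}:{remote_port}".encode() + secret
    f = int.from_bytes(hashlib.sha256(data).digest()[:4], "big")
    return (clock_isn + f) % MOD


def demo():
    """Returns (berkeley_hit, window_width, seconds_to_exhaust, rfc6528_hit)."""
    base = 0x1234_5678                       # constructed starting counter value
    # attacker's own connection is number 3, observed at t = 100.000 s
    isn_seen = berkeley_isn(base, 100.000, 3)
    # the spoofed connection is number 4; it really goes out at 100.273 s but the
    # attacker's estimate, good to 10 ms, is 100.270 s
    t_true, t_est = 100.273, 100.270
    isn_true = berkeley_isn(base, t_true, 4)
    start, width = predict_window(isn_seen, 100.000, t_est)
    berkeley_hit = in_window(isn_true, start, width)
    # same experiment against RFC 6528: the attacker's own connection and the
    # spoofed one use different 4-tuples, so the offsets are unrelated
    secret = secrets.token_bytes(16)
    seen_rand = rfc6528_isn(isn_seen, "10.0.0.1", 21, "10.0.0.9", 40000, secret)
    true_rand = rfc6528_isn(isn_true, "10.0.0.1", 21, "10.0.0.7", 40001, secret)
    start_r, _ = predict_window(seen_rand, 100.000, t_est)
    return berkeley_hit, width, expected_attack_seconds(width), in_window(true_rand, start_r, width)


if __name__ == "__main__":
    print(demo())
```

The window width is simply precision × rate (0.010 s × 128,000/s = 1280), which is why tightening timing estimates or loosening the increment both change the attacker’s odds; with a per-4-tuple secret offset the observed ISN stops being useful at all, and the window hit becomes a 1280/2^32 coincidence.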

How to Prevent it?

• Can be prevented by properly configuring the firewall
– Do not allow any communication from outside using the address of some internal network

33

TCP SYN Flood

[Figure: client C sends SYN_C1, SYN_C2, SYN_C3, SYN_C4, SYN_C5, … to server S; S is Listening and stores data for each one]
• Attacker’s goal is to overwhelm the destination machine with SYN packets with spoofed IP
• This results in:
– The server’s connection queue filling up causing DoS Attack
– Or even if queue is large enough, all ports will be busy and the service could not be provided by the server

34

How to Avoid TCP SYN Flood

• Decrease the wait time for half open connection
• Do not store the connection information
• Use SYN cookies as sequence numbers during connection setup
• SYN cookie is some function applied on
– Dest IP, Source IP, Port numbers, Time and a secret number

35
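Slide 35 describes the SYN cookie as a function of the addresses, ports, time and a secret, used as the server’s ISN so that no half-open state is stored. The server below is an added example, not code from the slides or from any real TCP stack: it encodes a 5-bit time counter in the top of the 32-bit cookie and a truncated HMAC over the 4-tuple and counter in the remaining 27 bits, answers every SYN statelessly, and establishes a connection only when the returning ACK carries a cookie that verifies and is not stale. The 64-second counter period, the addresses and the flood sizes are constructed choices; real Linux and BSD cookie layouts differ.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

COUNTER_BITS = 5               # top 5 bits of the cookie carry a time counter
HASH_BITS = 32 - COUNTER_BITS  # remaining 27 bits carry a truncated HMAC
COUNTER_PERIOD_S = 64          # counter ticks every 64 s (constructed choice)
MAX_AGE_TICKS = 1              # accept cookies from the current or previous tick


@dataclass(frozen=True)
class FourTuple:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SynCookieServer:
    """A listening server that issues SYN cookies instead of queueing half-open
    connections; only fully established connections are stored."""

    def __init__(self, ip, port, secret=None):
        self.ip, self.port = ip, port
        self.secret = secret or secrets.token_bytes(32)
        self.established = set()

    @staticmethod
    def _tick(now):
        return int(now // COUNTER_PERIOD_S)

    def _mac(self, ft, tick):
        """HASH_BITS-bit HMAC over (Dest IP, Source IP, ports, time counter, secret)."""
        msg = f"{ft.src_ip}|{ft.src_port}|{ft.dst_ip}|{ft.dst_port}|{tick}".encode()
        full = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(full[:4], "big") & ((1 << HASH_BITS) - 1)

    def cookie(self, ft, now):
        tick = self._tick(now)
        return ((tick & ((1 << COUNTER_BITS) - 1)) << HASH_BITS) | self._mac(ft, tick)

    def on_syn(self, src_ip, src_port, client_seq, now):
        """Answer a SYN with a SYN/ACK whose sequence number is the cookie; keep no state."""
        ft = FourTuple(src_ip, src_port, self.ip, self.port)
        return {"seq": self.cookie(ft, now), "ack": (client_seq + 1) & 0xFFFFFFFF}

    def on_ack(self, src_ip, src_port, ack_num, now):
        """Recover the cookie from the ACK (ack_num - 1), check its counter is recent and
        its MAC verifies for this 4-tuple, and only then create connection state."""
        ft = FourTuple(src_ip, src_port, self.ip, self.port)
        cookie = (ack_num - 1) & 0xFFFFFFFF
        tick_bits = cookie >> HASH_BITS
        mac_bits = (cookie & ((1 << HASH_BITS) - 1)).to_bytes(4, "big")
        for age in range(MAX_AGE_TICKS + 1):
            tick = self._tick(now) - age
            if (tick & ((1 << COUNTER_BITS) - 1)) != tick_bits:
                continue
            if hmac.compare_digest(self._mac(ft, tick).to_bytes(4, "big"), mac_bits):
                self.established.add(ft)
                return True
        return False


def demo():
    """Returns (legit_established, stored_connections, forged_ack_accepted, stale_ack_accepted)."""
    srv = SynCookieServer("140.252.13.5", 80)
    # a legitimate client completes the three-way handshake of slide 24
    synack = srv.on_syn("140.252.13.1", 40000, 1000, now=10.0)
    ok = srv.on_ack("140.252.13.1", 40000, synack["seq"] + 1, now=10.2)
    # a flood of SYNs from spoofed addresses (slide 34) costs the server no stored state
    for i in range(10_000):
        srv.on_syn(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 5000 + (i % 1000), i, now=11.0)
    # an ACK with a guessed number is rejected, and so is a cookie older than two ticks
    forged = srv.on_ack("10.0.0.1", 5000, 12345, now=11.0)
    stale = srv.on_ack("140.252.13.1", 40000, synack["seq"] + 1, now=10.0 + 3 * COUNTER_PERIOD_S)
    return ok, len(srv.established), forged, stale


if __name__ == "__main__":
    print(demo())
```

Because the cookie must fit in the 32-bit sequence number, the MAC is short (27 bits here), which is why the time counter and the bounded acceptance age matter: they limit how long a captured cookie stays valid and make an ACK-only flood with guessed values a 1-in-2^27 gamble per packet.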

TCP Congestion Control

[Figure: a Source sending to a Destination]
• If packets are lost, assume congestion
– Reduce transmission rate by half, repeat
– If loss stops, increase rate very slowly
Design assumes routers blindly obey this policy

36

TCP Congestion Control – Competition

[Figure: Source A and Source B sending to their Destinations over a shared path]
• Amiable source A yields to boisterous source B
– Both senders experience packet loss
– Source A backs off
– Source B disobeys protocol, gets better results!

37

DoS-Denial of Service
Attacks
• Attempts to prevent the victim from being
able to establish connections
• Accomplished by involving the victim in
heavy processing
– like sending the TCP SYN packets to all
ports of the victim and avoiding new
connection establishment
• DoS attacks are much easier to accomplish
than gaining administrative access

38

Exploiting Ping Command for Smurf DoS Attack

[Figure: the DoS Source sends (1) an ICMP Echo Req with Src: DoS Target and Dest: brdcst addr through the gateway; (3) every host on the subnet answers with an ICMP Echo Reply with Dest: DoS Target]
• Send ping request to subnet-directed brdcst addr with spoofed IP (ICMP Echo Req)
• Lots of responses:
– Every host on target network generates a ping reply (ICMP Echo Reply) to victim
– Ping reply stream can overload victim
39

Smurf DoS Attack
Prevention
• Have adequate bandwidth and redundant
paths
• Filter ICMP messages to reject external
packets to broadcast address
• Any other approach ?

40
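Two of the countermeasures above are ordinary border-filter rules: slide 33 (reject traffic arriving from outside that carries an internal source address) and slide 40 (reject external ICMP packets aimed at a broadcast address). The filter below is an added example, not code from the slides or any firewall product; it uses Python’s ipaddress module to derive the directed-broadcast address of each internal subnet and applies both rules to constructed packet records.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "icmp", "tcp" or "udp"
    icmp_type: int = 0  # 8 = Echo Request, 0 = Echo Reply (only meaningful for icmp)


class BorderFilter:
    """Ingress filter for a router that fronts the given internal subnets.

    Rule 1 (slide 33): a packet from outside must not claim an internal source address.
    Rule 2 (slide 40): an ICMP Echo Request must not target a subnet-directed (or the
    limited) broadcast address, which is what turns the subnet into a Smurf amplifier."""

    def __init__(self, internal_cidrs):
        self.nets = [ipaddress.ip_network(c) for c in internal_cidrs]
        self.broadcasts = {str(n.broadcast_address) for n in self.nets}
        self.broadcasts.add("255.255.255.255")

    def is_internal(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)

    def decide(self, pkt, from_outside=True):
        """Return 'accept' or a 'drop: <reason>' string for one packet."""
        if from_outside and self.is_internal(pkt.src):
            return "drop: spoofed internal source"
        if pkt.proto == "icmp" and pkt.icmp_type == 8 and pkt.dst in self.broadcasts:
            return "drop: echo request to directed broadcast"
        return "accept"


# Constructed traffic sample: the Smurf request from slide 39 (victim's address in the
# source field, subnet broadcast in the destination), a normal ping, a spoofed SYN that
# claims an internal address, and the same SYN seen on the inside interface.
SAMPLE = [
    (Packet("192.0.2.10", "140.252.13.255", "icmp", 8), True),
    (Packet("192.0.2.10", "140.252.13.5", "icmp", 8), True),
    (Packet("140.252.13.7", "192.0.2.10", "tcp"), True),
    (Packet("140.252.13.7", "192.0.2.10", "tcp"), False),
]


def run_sample(cidrs=("140.252.13.0/24",)):
    f = BorderFilter(cidrs)
    return [f.decide(pkt, from_outside) for pkt, from_outside in SAMPLE]


if __name__ == "__main__":
    for (pkt, outside), verdict in zip(SAMPLE, run_sample()):
        print(f"{pkt.src} -> {pkt.dst} {pkt.proto} outside={outside}: {verdict}")
```

Rule 1 also closes the sequence-number attack of slides 28 to 30 at the perimeter, since the forged SYN must carry the trusted host T’s internal address; rule 2 is what the slide calls filtering ICMP to the broadcast address, and it needs the subnet mask to compute the right broadcast address for each internal network.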

FTP – File Transfer Protocol

[Figure: the FTP model; on the client, the user interface and protocol interpreter talk to the server’s protocol interpreter over the control connection (FTP commands and replies), while the two data transfer functions exchange data over the data connection; each side has its own file system]
41

FTP – File Transfer Protocol
• Typical FTP commands:
– RETR filename – retrieve (get) a file from the server
– STOR filename – store (put) a file on the server
– TYPE type – specify file type (e.g., A for ASCII)
– USER username – username on server
– PASS password – password on server
• FTP is a text (ASCII) based protocol
client server
% ftp ftp.imsciences.edu.pk
<TCP connection setup to port 21 of ftp.imsciences.edu.pk>
“220 ftp.imsciences.edu.pk FTP server (version 5.60) ready.”

Connected to ftp.imsciences.edu.pk.
Name: abc
“USER abc”
“331 Password required for user abc.”

Password: pswd
“PASS pswd”

“230 User abc logged in.”



42

Problems with FTP

• FTP information exchange is in clear text
– The attacker can easily eavesdrop and get the secret information
– The attacker can also know the software version of FTP running to exploit the vulnerabilities of that particular version

43

FTP Bounce Scans
• FTP has a feature to open a connection with the victim machine on the request of the attacker machine
• Machine A (Attacker) can request to check for the open ports on the target machine X (Victim)

[Figure: the Attacker opens an FTP control connection to the FTP Server, which in turn connects to the Victim to be scanned]

• Newer versions of FTP do not support this forwarding feature
44

Telnet
• Provides remote login service to users
• Works between hosts that use different operating systems
• Uses option negotiation between client and server to determine what features are supported by both ends

[Figure: the user’s terminal driver in the client kernel feeds the Telnet client; the Telnet client and Telnet server talk over a TCP connection through TCP/IP in each kernel; on the server, a pseudo-terminal driver connects the Telnet server to the login shell]
45

Telnet Session Example
• Single character at a time
client server
% telnet ahost.com.pk
<TCP connection setup to port 23 of ahost.com.pk>

Connected to ahost.epfl.ch.
Escape character is ‘^]’.
<Telnet option negotiation>

“UNIX(r) System V Release 4.0”

“Login:”

Login: s
“s”

Login: st
“t”
… …
Login: student
“t”

“Password:”

Password: c
“c”
… …
Password: imsciences123
“3”

<OS greetings and shell prompt, e.g., “%”>


… 46

Problems with Telnet

• Information exchange is in clear text
– The attacker can easily eavesdrop and get information like usernames and passwords
– The attacker can also know the version to exploit the vulnerabilities of that particular version

47

SMTP – Simple Mail Transfer Protocol

[Figure: on the sending host, the user agent hands the mails to be sent to the local MTA; the local MTA speaks SMTP over a TCP connection to TCP port 25 of a relay MTA; relay MTAs pass the mail on by SMTP to the receiving host’s local MTA, which stores it in the user mailbox read by the user agent]

48

SMTP

• SMTP is a text (ASCII) based protocol
• MTA transfers mail from the user to the destination server
• MTA relays are used to relay the mail from other clients
• MTAs use SMTP to talk to each other
• All the messages are spooled before sending

49

SMTP Message Flow
sending MTA (rivest.imsciences.edu.pk) receiving MTA (shamir.unet.com.pk)
<TCP connection establishment to port 25>
“HELO rivest.imsciences.edu.pk.”
“250 shamir.unet.com.pk Hello rivest.imsciences.edu.pk., pleased to meet you”
“MAIL from: student1@rivest.imsciences.edu.pk”
“250 student1@rivest.imsciences.edu.pk... Sender ok”
“RCPT to: student2@lca.epfl.ch”
“250 student2@lca.epfl.ch… Recipient ok”
“DATA”
“354 Enter mail, end with a “.” on a line by itself”
<message to be sent>
.
“250 Mail accepted”
“QUIT”
“221 shamir.unet.com.pk delivering mail”

50

SMTP Security Problems

• Designed in an era where internet security was not much of an issue
– No security at the base protocol
• Designed around the idea of “cooperation” and “trust” between servers
– Susceptible to DoS attacks
• Simply flood a mail server with SMTP connections or SMTP instructions.

51

SMTP Security Problems
• SMTP does not provide any protection of e-
mail messages
– Does not ask sender to authenticate itself.
– Messages can be read and modified by any
of the MTAs involved
– Fake messages can easily be generated (e-
mail forgery)
– Does not check what and from whom it is
relaying the message

52

SMTP Security Problems
Example
% telnet frogstar.hit.com.pk 25
Trying...
Connected to frogstar.hit.com.pk.
Escape character is ‘^[’.
220 frogstar.hit.com.pk ESMTP Sendmail 8.11.6/8.11.6;
Mon, 10 Feb 2003 14:23:21 +0100
helo abcd.com.pk
250 frogstar.hit.com.pk Hello [152.66.249.32], pleased to meet you
mail from: bill.gates@microsoft.com
250 2.1.0 bill.gates@microsoft.com... Sender ok
rcpt to: user@ebizlab.hit.com.pk
250 2.1.5 user@ebizlab.hit.com.pk... Recipient ok
data
354 Enter mail, end with "." on a line by itself
Your fake message goes here.
.
250 2.0.0 h1ADO5e21330 Message accepted for delivery
quit
221 frogstar.hit.com.pk closing connection
Connection closed by foreign host.
%
53

Be Careful, Though!
Return-Path: <bill.gates@microsoft.com>
Received: from frogstar.hit.com.pk (root@frogstar.hit.com.pk
[152.66.248.44])
by shamir.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2)
with ESMTP id h1ADSsxG022719
for <user@ebizlab.hit.com.pk>; Mon, 10 Feb 2003 14:28:54 +0100
Received: from abcd.com.pk ([152.66.249.32])
by frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330
for user@ebizlab.hit.com.pk; Mon, 10 Feb 2003 14:25:41 +0100
Date: Mon, 10 Feb 2003 14:25:41 +0100
From: bill.gates@microsoft.com
Message-Id: <200302101325.h1ADO5e21330@frogstar.hit.com.pk>
To: undisclosed-recipients:;
X-Virus-Scanned: by amavis-dc
Status:

Your fake message goes here.

54
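The “Be Careful, Though!” headers show why forgery via a plain SMTP session is less anonymous than slide 53 suggests: the bottom-most Received line records the real address (152.66.249.32) behind the claimed HELO name abcd.com.pk, and the id on that hop matches the one echoed in the Message-Id. The parser below is an added example, not code from the slides; it unfolds the header block from slide 54 (copied here as constructed input), walks the Received chain from the last hop back to the injecting host, and compares the HELO name with the domain in the From line.

```python
import re

# Constructed copy of the header block from slide 54 (continuation lines are tab-indented).
HEADERS = """Return-Path: <bill.gates@microsoft.com>
Received: from frogstar.hit.com.pk (root@frogstar.hit.com.pk
\t[152.66.248.44])
\tby shamir.ebizlab.hit.com.pk (8.12.7/8.12.7/Debian-2)
\twith ESMTP id h1ADSsxG022719
\tfor <user@ebizlab.hit.com.pk>; Mon, 10 Feb 2003 14:28:54 +0100
Received: from abcd.com.pk ([152.66.249.32])
\tby frogstar.hit.com.pk (8.11.6/8.11.6) with SMTP id h1ADO5e21330
\tfor user@ebizlab.hit.com.pk; Mon, 10 Feb 2003 14:25:41 +0100
Date: Mon, 10 Feb 2003 14:25:41 +0100
From: bill.gates@microsoft.com
Message-Id: <200302101325.h1ADO5e21330@frogstar.hit.com.pk>
To: undisclosed-recipients:;
"""

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<comment>[^)]*)\)\s+by\s+(?P<by>\S+).*?\bid\s+(?P<id>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(raw):
    """Join RFC 822 continuation lines (leading whitespace) onto their header line."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_received(raw):
    """One dict per Received header, top to bottom: HELO name, address seen by the
    receiving MTA, the receiving MTA, and the queue id it assigned."""
    hops = []
    for line in unfold(raw):
        m = RECEIVED_RE.match(line)
        if not m:
            continue
        ipm = IP_RE.search(m.group("comment"))
        hops.append({"helo": m.group("helo"), "ip": ipm.group(1) if ipm else None,
                     "by": m.group("by"), "id": m.group("id")})
    return hops


def origin(raw):
    """Headers are prepended as mail travels, so the last Received line is the first
    hop: the host that injected the message into the first MTA."""
    hops = parse_received(raw)
    return hops[-1] if hops else None


def header_value(raw, name):
    for line in unfold(raw):
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return None


def assess(raw):
    """Summarise what the trace reveals about the claimed sender."""
    first = origin(raw)
    sender = header_value(raw, "From") or ""
    from_domain = sender.rsplit("@", 1)[-1] if "@" in sender else None
    message_id = header_value(raw, "Message-Id") or ""
    return {
        "injecting_ip": first["ip"] if first else None,
        "helo_name": first["helo"] if first else None,
        "first_mta": first["by"] if first else None,
        "from_domain": from_domain,
        "helo_matches_from": bool(first and from_domain and first["helo"].endswith(from_domain)),
        "queue_id_in_message_id": bool(first and first["id"] in message_id),
    }


if __name__ == "__main__":
    for k, v in assess(HEADERS).items():
        print(f"{k}: {v}")
```

Only the hop added by your own or a trusted MTA can be relied on; the sender controls everything below it and could have written fake Received lines into the message body. Here the trustworthy hop is the one frogstar.hit.com.pk added, and it is that hop, not the From line, that identifies the origin.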

Domain Name Server

55

DNS – Domain Name Server
• The DNS is a distributed database that
provides mapping between hostnames and
IP addresses
• The DNS name space is hierarchical
– Top level domains: com, edu, gov, int, mil,
net, org, ae, …, pk, … zw
– Top level domains may contain second
level domains
e.g., edu within pk, co within uk, …
– Second level domains may contain third
level domains, etc.
56

Domain Name Server

• Usually (not always) a name server knows the IP address of the top level name servers
• If a domain contains sub-domains, then the name server knows the IP address of the sub-domain name servers
• When a new host is added to a domain, the administrator adds the (hostname, IP address) mapping to the database of the local name server
57

DNS – Domain Name Server

[Figure: resolving cs.imsciences.edu.pk; the application asks the local name server “cs.imsciences.edu.pk = ?”; the local name server asks a top level name server, which returns the IP of the name server in pk; the name server in pk returns the IP of the name server in edu.pk; the name server in edu.pk returns the IP of the name server in imsciences.edu.pk; that server answers “cs.imsciences.edu.pk = 152.66.248.44”, which the local name server passes back to the application]
– A single DNS reply may include several (hostname, IP address) mappings (Resource Records)
– Received information is cached by the name server
58

DNS spoofing
• The cache of a DNS name server is
poisoned with false information
• How to do it?
– Assume that the attacker wants
www.anything.com.pk to map to his own
IP address 152.66.249.32

59

DNS Spoofing - Approach 1
• Attacker submits a DNS query
“www.anything.com.pk=?” to
ns.victim.com.pk
• A bit later it forges a DNS reply
“www.anything.com.pk=152.66.249.32”
• UDP makes forging easier but the
attacker must still predict the query
ID

60

DNS Spoofing – Approach 2

• Attacker has access to ns.attacker.com.pk
– The attacker modifies its local name server such that it responds to a query
“www.attacker.com.pk=?” with
“www.anything.com.pk=152.66.249.32”
– The attacker then submits a query
“www.attacker.com.pk=?” to ns.victim.com.pk
– ns.victim.com.pk sends the query
“www.attacker.com.pk=?” to ns.attacker.com.pk
– ns.attacker.com.pk responds with
“www.anything.com.pk=152.66.249.32”

61
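Both spoofing approaches on slides 60 and 61 succeed only if the victim name server accepts a reply it should not. The resolver below is an added example, not code from the slides or from any DNS implementation; it applies two acceptance rules to constructed replies: a reply is matched to an outstanding query by its random 16-bit transaction ID, question name and responding server (defeating approach 1 unless the ID is guessed), and only records within the answering server’s own zone, its bailiwick, are cached (discarding the extra www.anything.com.pk record of approach 2). The genuine address 198.51.100.7 and the server names are constructed.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Query:
    txid: int
    qname: str
    server: str   # name server the query was sent to
    zone: str     # zone that server is authoritative for (its bailiwick)


@dataclass
class Reply:
    txid: int
    qname: str
    answers: dict  # hostname -> IP address (the resource records)
    source: str    # server the reply arrived from


class Resolver:
    """Cache acceptance rules of a caching name server.

    A reply is used only if its transaction ID, question and source match an outstanding
    query, and of the records it carries only those inside the answering server's
    bailiwick are cached."""

    def __init__(self):
        self.pending = {}
        self.cache = {}
        self.rejected = []

    def send(self, qname, server, zone):
        txid = secrets.randbelow(1 << 16)  # random 16-bit ID rather than a counter
        self.pending[txid] = Query(txid, qname, server, zone)
        return txid

    @staticmethod
    def in_bailiwick(name, zone):
        return name == zone or name.endswith("." + zone)

    def receive(self, reply):
        q = self.pending.get(reply.txid)
        if q is None or q.qname != reply.qname or q.server != reply.source:
            self.rejected.append(("no matching query", reply.qname))
            return False
        del self.pending[reply.txid]
        for name, ip in reply.answers.items():
            if self.in_bailiwick(name, q.zone):
                self.cache[name] = ip
            else:
                self.rejected.append(("out of bailiwick", name))
        return True


def approach_1():
    """Slide 60: a forged reply races the real one and has to guess the query ID.
    Returns (forged reply accepted?, cached address of www.anything.com.pk)."""
    r = Resolver()
    real = r.send("www.anything.com.pk", "ns.anything.com.pk", "anything.com.pk")
    forged = Reply((real + 1) & 0xFFFF, "www.anything.com.pk",
                   {"www.anything.com.pk": "152.66.249.32"}, "ns.anything.com.pk")
    accepted_forged = r.receive(forged)
    genuine = Reply(real, "www.anything.com.pk",
                    {"www.anything.com.pk": "198.51.100.7"}, "ns.anything.com.pk")
    r.receive(genuine)
    return accepted_forged, r.cache.get("www.anything.com.pk")


def approach_2():
    """Slide 61: ns.attacker.com.pk answers a query for www.attacker.com.pk and adds a
    record for www.anything.com.pk. Returns the cached addresses of both names."""
    r = Resolver()
    txid = r.send("www.attacker.com.pk", "ns.attacker.com.pk", "attacker.com.pk")
    reply = Reply(txid, "www.attacker.com.pk",
                  {"www.attacker.com.pk": "152.66.249.32",
                   "www.anything.com.pk": "152.66.249.32"},
                  "ns.attacker.com.pk")
    r.receive(reply)
    return r.cache.get("www.anything.com.pk"), r.cache.get("www.attacker.com.pk")


if __name__ == "__main__":
    print(approach_1())
    print(approach_2())
```

The ID check alone is weak, since a 16-bit space can be flooded with guesses during the window before the real reply arrives; randomising the source port as well, and ultimately signing the records (DNSSEC), are the extensions real resolvers add on top of these two rules.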
