Tuesday, September 8, 2009

TCPIP-Vulnerabilities & Countermeasures

Presentation on TCPIP-Vulnerabilities and Countermeasures


As usage of the Internet and TCP/IP protocols increases, their lack of built-in security has become more and more problematic. This paper describes a variety of basic flaws in TCP/IP protocols and their implementations, and discusses solutions and work-arounds to these problems. It also covers exploitation of various design and implementation vulnerabilities using standard tools.

Teardrop
The IP fragment reassembly code in some TCP/IP implementations does not properly handle overlapping IP fragments. Teardrop is a widely available attack tool that exploits this vulnerability.

Land Exploit
Some implementations of TCP/IP are vulnerable to packets that are crafted in a particular way (a SYN packet in which the source address and port are the same as the destination's, i.e. spoofed).

SYN FLOODING
  • A SYN attack floods a targeted system with a series of SYN packets.
  • Each packet causes the targeted system to issue a SYN-ACK response; while the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue.
  • SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the TCP three-way handshake.
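As an added example (not part of the original post), the following Python simulates the stateful backlog queue described above and contrasts it with the SYN-cookie countermeasure listed later on this page, where the server encodes what it needs into its own ISN instead of queuing state. The secret, MSS table and bit layout are constructed for illustration, modelled on the classic 5-bit counter / 3-bit MSS / 24-bit hash split.

```python
import hashlib
import hmac

class Backlog:
    """Stateful half-open queue: every SYN holds a slot until the final ACK
    arrives or the (long) timer fires, so forged SYNs crowd out real clients."""
    def __init__(self, size):
        self.size = size
        self.pending = {}              # (src, sport) -> client ISN

    def syn(self, src, sport, client_isn):
        if len(self.pending) >= self.size:
            return False               # queue full: this SYN is dropped
        self.pending[(src, sport)] = client_isn
        return True

    def ack(self, src, sport):
        return self.pending.pop((src, sport), None) is not None

# Constructed secret for the demo; a real stack rotates it periodically.
SECRET = b"constructed-demo-secret"
MSS_TABLE = (536, 1220, 1440, 1460)    # MSS values encodable in 3 bits

def _mac(src, sport, dst, dport, counter):
    msg = f"{src}:{sport}>{dst}:{dport}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def syn_cookie(src, sport, dst, dport, client_isn, mss, counter):
    """Server ISN that carries its own state: 5 bits of time counter,
    3 bits of MSS index and 24 bits of keyed hash; nothing is queued."""
    counter &= 0x1F
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    mac = (_mac(src, sport, dst, dport, counter) + client_isn) & 0xFFFFFF
    return (counter << 27) | (mss_idx << 24) | mac

def check_cookie(ack_seq, src, sport, dst, dport, client_isn, now, max_age=3):
    """Validate the ISN the client acknowledges (ack_seq - 1); client_isn is
    taken from the ACK's own sequence number.  Returns the MSS to use, or
    None when the cookie is stale or was not issued by this server."""
    isn = (ack_seq - 1) & 0xFFFFFFFF
    counter = isn >> 27
    if (now - counter) % 32 > max_age:
        return None                    # too old, replayed or guessed
    expected = (_mac(src, sport, dst, dport, counter) + client_isn) & 0xFFFFFF
    if (isn & 0xFFFFFF) != expected:
        return None
    return MSS_TABLE[(isn >> 24) & 0x7]
```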

PING FLOODING (ICMP flooding)
An attacker sends a large ping packet to the victim's machine. Most OSes do not know what to do with a packet that is larger than the maximum size, which causes the OS to hang or crash.


IP Spoofing
IP Spoofing is an attack where an attacker pretends to be sending data from an IP address other than its own. The IP layer assumes that the source address on any IP packet it receives is the same IP address as the system that actually sent the packet -- it does no authentication. Many higher level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet (called "spoofing" an address) could get unauthorized privileges.

IP Spoofing (Blind Attack)
Due to weaknesses in the design of the TCP/IP suite, it is almost trivial to spoof a packet so that it appears to originate from a host that is NOT you. The term 'IP spoofing' can be used to describe any process in which a person fakes, or "forges", a packet to look like it came from elsewhere, often a "trusted" host. The ability to spoof IP packets, and the fact that IPv4 does NOT check the validity of the source address and source port in a packet's headers, is one of the MAIN vulnerabilities in the TCP/IP protocol suite.

The probability of guessing the sequence number, i.e. the attack feasibility, is outlined in the matrix below:

Sr. No   Operating System               Attack feasibility
1        Linux                          0.05%
2        Windows 2000                   12.08%
3        Windows NT4 SP6a + hotfixes    15%
4        Windows 95                     100%
5        FreeBSD 4.2                    1.00%
6        OpenBSD-current                0.00%
7        HPUX11                         100.00%
8        AIX 4.3                        100.00%

ISN Attack Feasibility

TCP Session Hijacking (Active Attack)

Tools like Juggernaut (1.02 patch) and hunt are making these once sophisticated attacks very easy. TCP session hijacking is the term used to describe an attacker taking over an already established connection, usually allowing them to execute commands as the actual connected user.

It is due to slight design errors in the TCP/IP suite that this kind of attack is possible, making it almost trivial for an attacker who has seized access to the connection to execute commands as the legitimate user. There are a few types of TCP session hijacking techniques, but a very commonly used one, and arguably the most popular of them, is the "man-in-the-middle" attack.

ATTACKS: TCP SESSION HIJACKING - MAN-IN-THE-MIDDLE ATTACK

The "man-in-the-middle" attack is a common method of taking over a TCP connection between two hosts, and allows the attacker who has gained access to the connection to execute commands as the client host.

This is done by sniffing the network (actively or passively) for packets related to the target session, modifying them, and injecting them back into the network so that the two connected hosts cannot easily tell that the packets have been modified.

ARP spoofing, therefore, is sending out ARP replies (which nobody has necessarily asked for; the attacker just sends them) with a spoofed source address, i.e. the IP address you want the hosts to believe you are. Here is a small diagram of what would be happening during a man-in-the-middle session hijacking attack, assuming that the ARP poisoning attack had already taken place:
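From the defender's side, the unsolicited replies described above are exactly what an ARP monitor looks for. The following detector is an added example (not from the original post) run over a constructed ARP trace: it flags replies that answer no request, a known IP changing its MAC, and one MAC claiming several IPs (the gateway and the victim at once), which is the footprint of the poisoning step.

```python
# Constructed ARP trace as (op, sender IP, sender MAC, target IP).
SAMPLE_ARP = [
    ("request", "192.168.1.10", "aa:aa:aa:aa:aa:10", "192.168.1.1"),
    ("reply",   "192.168.1.1",  "aa:aa:aa:aa:aa:01", "192.168.1.10"),  # legitimate answer
    ("reply",   "192.168.1.1",  "cc:cc:cc:cc:cc:99", "192.168.1.10"),  # gateway "moves" to a new MAC
    ("reply",   "192.168.1.10", "cc:cc:cc:cc:cc:99", "192.168.1.1"),   # same MAC now claims the victim
]

def detect_arp_poisoning(frames):
    """Return a list of alert tuples for the suspicious patterns in a trace.
    The IP->MAC table keeps the first binding seen, like arpwatch does, so a
    later reply with a different MAC is reported rather than accepted."""
    pending = set()        # (replier IP, requester IP) pairs awaiting a reply
    ip_to_mac = {}         # first binding learned for each IP
    mac_to_ips = {}        # every IP a MAC has claimed
    alerts = []
    for op, sender_ip, sender_mac, target_ip in frames:
        if op == "request":
            pending.add((target_ip, sender_ip))
            continue
        known = ip_to_mac.setdefault(sender_ip, sender_mac)
        if known != sender_mac:
            alerts.append(("mac_changed", sender_ip, known, sender_mac))
        claimed = mac_to_ips.setdefault(sender_mac, set())
        claimed.add(sender_ip)
        if len(claimed) > 1:
            alerts.append(("mac_claims_multiple_ips", sender_mac, tuple(sorted(claimed))))
        if (sender_ip, target_ip) in pending:
            pending.discard((sender_ip, target_ip))
        else:
            alerts.append(("unsolicited_reply", sender_ip, sender_mac, target_ip))
    return alerts
```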

There are many more such attacks depicted in the attached presentation [In-depth Presentation on TCP/IP Vulnerability].

Defenses/Counter-measures

A network is only as secure as its weakest link. Mitigating DoS or DDoS attacks requires good network design, so that the point of entry or gateway can be controlled. For mitigating new attacks, it is essential to have filtering capability based on packet headers and content within the network or at the critical gateways, so that malicious traffic can be filtered in response to such attacks while waiting for a permanent solution from suppliers to be applied to the devices. Applying all known patches and fixes to all devices in the network to prevent known attacks is necessary. Finally, it is important to have the relevant provisions in policy and legislation to address DoS and DDoS, to ensure effective cooperation between service providers and law enforcement agencies.
  • Hardening the TCP/IP stack (SYN cookies or SynAttackProtect)
  • Applying latest patches as recommended by your vendor
  • Perimeter network devices like the firewall and border Internet router should block IP-spoofed packets and should be capable of defending against SYN attacks. With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can reduce the likelihood of your site's networks being used to initiate forged packets by filtering outgoing packets that have a source address different from that of your internal network.
  • Apply anti-spoofing filtering on network devices (TCP sequence prediction attacks can be effectively stopped by any router or firewall that is configured not to accept packets with an internal source IP address arriving on an external interface).
  • ISPs could prevent the transmission of fraudulently addressed packets.
  • Servers could be programmed to recognize a SYN source IP address that never completes its connections.
  • The last network defense against SYN floods is to distribute the flood against as many hosts or network devices as possible.
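As an added example (not from the original post), here is a small border-filter model in Python that applies three of the countermeasures discussed on this page: the ingress/egress anti-spoofing rule from the list above, the Land check (SYN with source equal to destination), and an overlap-rejecting fragment tracker for Teardrop. The internal prefix, packet dictionary layout and interface names are constructed for the example.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("10.1.0.0/16")   # constructed site prefix

def spoof_check(pkt, iface):
    """Anti-spoofing rule for a border device: a packet arriving on the
    external interface must not claim an internal source (ingress), and a
    packet leaving the site must carry an internal source (egress)."""
    src = ipaddress.ip_address(pkt["src"])
    if iface == "external" and src in INTERNAL:
        return "drop: internal source seen on external interface"
    if iface == "internal" and src not in INTERNAL:
        return "drop: forged source leaving the site"
    return None

def land_check(pkt):
    """Land: a SYN whose source address and port equal its destination's."""
    if (pkt.get("flags") == "SYN" and pkt["src"] == pkt["dst"]
            and pkt.get("sport") is not None and pkt["sport"] == pkt.get("dport")):
        return "drop: SYN with source equal to destination (Land)"
    return None

class FragmentReassembler:
    """Remembers the byte ranges seen per datagram and rejects any fragment
    that overlaps an earlier one instead of letting it overwrite (Teardrop)."""
    def __init__(self):
        self.ranges = {}               # (src, dst, ip_id) -> [(start, end)]

    def add(self, pkt):
        key = (pkt["src"], pkt["dst"], pkt["ip_id"])
        start = pkt["frag_offset"] * 8  # IP fragment offsets are in 8-byte units
        end = start + pkt["length"]
        for s, e in self.ranges.get(key, []):
            if start < e and s < end:
                self.ranges.pop(key, None)   # discard the whole datagram
                return "drop: overlapping IP fragment (Teardrop)"
        self.ranges.setdefault(key, []).append((start, end))
        return None

def filter_packet(pkt, iface, reasm):
    """Apply the checks in order; returns a drop reason or None to accept."""
    for verdict in (spoof_check(pkt, iface), land_check(pkt)):
        if verdict:
            return verdict
    if pkt.get("frag_offset", 0) or pkt.get("more_fragments"):
        return reasm.add(pkt)
    return None
```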