Lecture 11:TCP/IP Security Problems
Why rlogin is evil
Why source-routing is evil
ARP attacks
Blind spoofing
IPSec
TCP session stealing/hijacking
Moral of today's story: use ssh
or IPSec to protect yourself
against most of these attacks!
Related reading:
Security Problems in the
TCP/IP Protocol Suite
by Steve Bellovin
A Simple Active Attack
Against TCP by Laurent
Joncheray. In Proceedings
of 5th USENIX Unix
Security Symposium. June
1995
rsh: remote login without a password
rsh and rcp are programs that allow you to login from
a remote site without a password
The .rhosts file in your home directory is an access control
list (ACL)
Example .rhosts file:
red.cs.umass.edu brian
blue.cs.umass.edu brian
*.cs.umass.edu brian
* *
The authentication check in rsh (and the other r-tools)
is simply the IP address.
Is it hard to spoof a particular IP address?
Exploiting rsh
The best way to defend against rsh attacks is to not use it:
This unix feature is enabled/disabled in linux by /etc/inet.d scripts (see
unix hardening lecture)
Use ssh instead (but note that ssh has key distribution problems)
If we know a machine is running rsh, how can we pretend to be another
machine to gain access?
Attack                       Defense
Source routing               Ignore source routes
Falsified routing updates    Secure routing protocols
Blind spoofing               SSH/secure connection
ICMP redirects               IPsec
False ARP packets            Publish ARP tables
TCP session stealing         SSH/secure connection
Let's go over each attack.
Source routing attacks
Source routing is an IP option that lets the source list specific
routers on the path to the destination.
The attack: open a TCP connection to the remote rshd spoofing
the address of a trusted host; the attacker includes itself in the
source route list.
Loose source routing: other routers ok as long as the list is visited
in order
Strict source routing: no other routers may be visited on the path to
the destination
The responder includes the source route on the reply packets.
The attacker will see the reply packets before the machine that is
being spoofed. (two way traffic)
Defense: Some/most OSes ignore source routes these days.
This routing ability has been replaced by peer-to-peer overlay applications,
but that's a topic for a networking class.
Normal TCP Three-way Handshake (figure)
Client -> Server: SYN_flag, ISN=452
Server -> Client: SYN_flag, ACK=453, ISN=34
Client -> Server: ACK=35, data

Blind Spoofing (figure)
Attacker -> Server: SYN_flag, ISN=901 (src=client)
Server -> Client: SYN_flag, ACK=902, ISN=137
Attacker -> Server: ACK=138, echo * * >> .rhosts (src=client)
Reset!
Blind Spoofing
Normal TCP operation from client, C, to server, S.
C -> S: SYN_flag, ISN=x
S -> C: SYN_flag, ISN=y, ACK=x+1
C -> S: ACK=y+1
Client and Server exchange data
Blind spoofing. Find a client machine that's off. Guess the ISN of
the server. Usually in regular increments. Use rsh to log in:
X (as C) -> S: SYN_flag, ISN=a [spoofs C]
S -> C: SYN_flag, ISN=b, ACK=a+1
X (as C) -> S: ACK=b+1 [spoofs C]
X (as C) -> S: [ echo * * >> ~/.rhosts ] [spoofs C]
X (as C) -> S: RESET [spoofs C]
X now rlogins from anywhere in the world.
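Blind spoofing only works because the server's ISN "b" can be guessed from earlier ones. The check below is an added example (not part of the lecture) that a defender can run over ISNs observed from a server to see whether they advance in regular increments; all ISN sequences in it are constructed, not captured from any real host.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def isn_increments(isns):
    """Differences between successive ISNs, taken modulo 2**32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def predict_next_isn(isns, slack=0):
    """If the increments between observed ISNs are (nearly) constant, the
    generator is the 'regular increments' case on the slide and the next ISN
    can be guessed.  Returns (predicted_isn, spread), where spread is the gap
    between the largest and smallest increment seen, or None when fewer than
    three ISNs were observed or the spread exceeds `slack`."""
    steps = isn_increments(isns)
    if len(steps) < 2:
        return None
    spread = max(steps) - min(steps)
    if spread > slack:
        return None
    # use the most recent increment as the guess for the next step
    return (isns[-1] + steps[-1]) % MOD, spread

def isn_audit(isns, slack=1000):
    """Defender's verdict: 'predictable' if the next ISN can be guessed to
    within `slack` sequence numbers from the previous ones, else 'ok'."""
    return "predictable" if predict_next_isn(isns, slack) else "ok"

# Constructed samples, not captures from a real host.
# A counter-based generator: one ISN per connection, constant step of 64000.
COUNTER_ISNS = [452, 64452, 128452, 192452, 256452]
# The same generator wrapping past 2**32; the step is still constant.
WRAPPING_ISNS = [MOD - 100000, MOD - 36000, 28000, 92000]
# A generator that draws each ISN at random (values made up here).
RANDOM_ISNS = [3917456217, 1123402375, 2569318004, 918274635, 4001192221]
```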
Blind Spoofing
If C is still up, then C will send a reset message to the server,
thinking it's an error.
So, either:
use a network address that is not in use, or
do a denial of service (DoS) attack on a machine so it can't
answer.
Morris found that by impersonating a server port on C, and by
flooding that port with apparent connection requests, he could
generate queue overflows that would make it likely that the S -> C
message would be lost.
This is SYN flooding...
An aside: SYN Flooding DoS
Pick a machine, any machine.
Spoof packets to it (so you don't get caught).
Each packet is the first step of the 3-way handshake of TCP:
send a SYN packet.
Send lots of SYN packets.
Each SYN packet received causes a buffer to be allocated, and
the limits of the listen() call to be reached.
Morris invented SYN flooding just to launch a blind spoofing
attack; later used by others against Yahoo!
Attacking IP Routing to exploit rsh
Attacking the routing can cause:
attacker-in-the-middle eavesdropping (passive)
attacker-in-the-middle modifications (active)
black holes in routing (DoS)
redirected flooding attacks (DoS)
Types of routing:
1. dynamic intranet routing
2. static intranet routing
3. BGP routing
4. Ad hoc wireless network routing
(figure: Attacker, Server, Client)
Type 1: Dynamic Routing
An attacker can falsify routing updates sent between routers.
Attacker injects a RIP update stating she has a path to a particular
(unused) host. (RIP is an example; any unicast protocol will do.)
All subsequent packets will be routed to her.
She uses rsh to log into the machine.
This is also a DoS attack and a traffic redirection attack (for sniffing or
modification).
Similar attacks exist for interdomain routing protocols, like BGP.
Defense: secure routing protocols are required to defend against
this attack.
Routers should accept only authenticated updates.
Requires key management and pre-configuration among routers.
Type 2: Static routes (next few slides)
Review: When they receive a packet, how do hosts using IP
route data?
Static routing is largely based on subnetting, ARP, and ICMP.
IP hosts are always on some specific subnet. They search
routing tables looking for the longest matching prefix.
This means you find routes in this order:
1. Matching host address (128.119.48.55)
2. Matching subnet address (128.119.48.*)
3. Matching network address (128.119.*)
4. Default route (gateway router)
This process tells the host what IP address is the next hop.
Now the host must determine the link layer address of the next
hop. How is that done in IP?
Address Resolution Protocol (ARP) and ICMP
ARP is the interface between the Link layer and Network layer.
Allows hosts to query who owns an IP address on the same LAN.
Owner responds with hardware address.
Allows changes to link layer to be independent of IP addressing.
That's why we can have IP on everything (wireless, radio waves, buses,
etc.)
ICMP is used for routing error messages:
TTL expired (that's how traceroute works)
Host unreachable
Echo request (that's how the ping program works)
Also used by default routers to redirect along quicker path.
On-the-same-LAN routing
1. Route lookup determines it is on the same subnet.
2. Use ARP to determine what link layer address to send it to.
3. Give it to Link layer.
(figure: LAN with hosts 223.1.2.1, 223.1.2.9, 223.1.2.2, 223.1.3.1, 223.1.3.3,
223.1.3.2 and gateway 223.1.3.27; ARP request "Who has 223.1.3.2?", reply
"I have it. My eth addr is ...")
Through-the-gateway Routing
1. Route lookup determines it's on a different subnet.
Result: Go through default route.
2. Use ARP to determine link layer address of gateway.
3. Give it to Link layer.
(figure: same LAN; ARP request "Who has 223.1.3.27?", reply from the gateway
"I have it. My eth addr is ...")
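The lookup order on the static-routes slide (host, subnet, network, default) and the on-the-LAN versus through-the-gateway decision of the last two slides, as an added example that is not from the lecture. The routing table is constructed around the slide's 128.119.48.55 example; the next-hop addresses in it are assumptions.

```python
import ipaddress

# Constructed routing table in the order the static-routes slide describes.
# Each entry is (prefix, next_hop); next_hop None means the destination is on
# our own LAN, so we ARP for the destination itself (on-the-same-LAN routing).
ROUTES = [
    ("128.119.48.55/32", "128.119.48.254"),  # host route (constructed next hop)
    ("128.119.48.0/24", None),               # our subnet: deliver on the LAN
    ("128.119.0.0/16", "128.119.48.254"),    # campus network via an internal router
    ("0.0.0.0/0", "128.119.48.1"),           # default route (gateway router)
]

def lookup(dst, routes=ROUTES):
    """Longest-matching-prefix lookup.  Returns (matched_prefix, next_hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        # a longer prefix is more specific and wins over shorter matches
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[0]), best[1]

def arp_target(dst, routes=ROUTES):
    """The IP address the host must resolve with ARP before sending to dst:
    the destination itself when it is on the LAN, otherwise the next hop
    (through-the-gateway routing)."""
    _, hop = lookup(dst, routes)
    return dst if hop is None else hop
```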
ICMP Redirect Routing
1. Route lookup determines destination is on different subnet.
2. Use ARP to determine link layer address of gateway.
3. Gateway uses routing tables to determine next hop of 223.1.3.3
4. Gateway sends ICMP redirect to source.
5. Future packets from source routed directly to 224.1.3.3 (with ARP lookup)
(figure: same LAN; ARP request "Who has 223.1.3.27?", reply "I have it. My
eth addr is ..."; gateway's ICMP redirect "Next time use 223.1.3.3!")
ICMP Attack
The attack: send an ICMP redirect.
Forces a machine to route through the attacker.
Requires an existing connection:
Open a spoofed connection to the host you want to attack.
Then send a spoofed ICMP redirect to the victim redirecting it to the
gateway machine you've compromised.
(Or send destination unreachable spoofed from the gateway.)
(Or, constantly send ICMP source quenches.)
Defense:
Ignore ICMP redirects (poor efficiency)
Authenticate end-points and encrypt traffic. One solution is a
VPN/IPsec between hosts and routers.
ARP Attacks
When a machine sends an ARP request out, attackers can
reply, falsely stating they own the address.
Unfortunately, ARP will just accept replies without requests!
Just send a spoofed reply message saying your MAC address
owns a certain IP address.
But this starts a race condition with the real machine.
Repeat frequently so that the cache doesn't time out.
Messages are routed through you to sniff or modify.
some details: http://www.hut.fi/~slevijok/lahde.html
ARP Spoofing - Countermeasures
Publish MAC address of router/default gateway and
trusted hosts to prevent ARP spoof.
Statically define the IP to Ethernet address mapping.
("Publish" is a poor term: it's not sent on the network.)
This prevents someone from fooling the host into sending
network traffic to a host masquerading as the router or
another host via an ARP spoof.
Here's how you do it in linux:
arp -s hostname 00:01:02:03:04:ab pub
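The two ARP slides together describe what a defender can watch for: replies that no request preceded, replies that keep repeating to hold the cache, and replies that contradict a statically published binding. The monitor below is an added example, not the lecture's code; the ARP frames are constructed, and pairing the gateway 223.1.3.27 with the MAC from the arp -s line is an assumption.

```python
from collections import namedtuple

# ARP opcodes (RFC 826): 1 = request, 2 = reply
ArpFrame = namedtuple("ArpFrame", "ts op sender_ip sender_mac target_ip")

# Published (static) bindings, as created with `arp -s ... pub` above.
# The gateway address is from the slides; pairing it with this MAC is constructed.
STATIC_TABLE = {"223.1.3.27": "00:01:02:03:04:ab"}

# Constructed sample frames, not a real capture.
SAMPLE_FRAMES = [
    ArpFrame(0.0, 1, "223.1.3.1", "00:01:02:03:04:01", "223.1.3.27"),  # who has the gateway?
    ArpFrame(0.1, 2, "223.1.3.27", "00:01:02:03:04:ab", "223.1.3.1"),  # answered within 0.1s
    ArpFrame(5.0, 2, "223.1.3.27", "de:ad:be:ef:00:01", "223.1.3.1"),  # nobody asked; MAC differs
    ArpFrame(5.5, 2, "223.1.3.27", "de:ad:be:ef:00:01", "223.1.3.1"),  # repeated to hold the cache
]

def audit_arp(frames, static_table, max_reply_delay=1.0):
    """Flag replies that no recent request preceded (the 'replies without
    requests' weakness) and replies that contradict a published or
    first-learned IP -> MAC binding.  Returns the list of alert strings."""
    pending = {}                   # (requester_ip, target_ip) -> time of the request
    bindings = dict(static_table)  # IP -> MAC we trust: static first, then learned
    alerts = []
    for f in frames:
        if f.op == 1:
            pending[(f.sender_ip, f.target_ip)] = f.ts
            continue
        if f.op != 2:
            continue
        asked_at = pending.pop((f.target_ip, f.sender_ip), None)
        if asked_at is None or f.ts - asked_at > max_reply_delay:
            alerts.append(f"t={f.ts}: unsolicited reply {f.sender_ip} is-at {f.sender_mac}")
        known = bindings.get(f.sender_ip)
        if known is None:
            bindings[f.sender_ip] = f.sender_mac.lower()  # learn the first answer
        elif known != f.sender_mac.lower():
            alerts.append(f"t={f.ts}: {f.sender_ip} claimed by {f.sender_mac}, expected {known}")
    return alerts
```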
TCP Session Stealing
A.k.a. IP splicing, TCP Hijacking
Read a detailed account
A Simple Active Attack Against TCP by Laurent Joncheray.
In Proceedings of 5th USENIX Unix Security Symposium.
June 1995
Running code available as a plug-in to sniffit.
Defense: use ssh
Desynchronizing the client and server
Often during normal TCP operation, the client and server
become desynchronized.
E.g., sometimes the client will send a retransmission that
actually isn't needed by the server.
The server will drop the incoming packets.
The attack: during a quiet period, the attacker sends a large
amount of null data.
Specifically, the attacker sends as many bytes as there are in the
sender's receive buffer.
The Attack
If the client receives packets that are a window-of-packets
ahead of what it is expecting, the client will drop the unlooked-for
data. (This is partly due to flow control.)
Null data desynchronization
First, the attacker watches the session without interfering.
During a quiet period, the attacker sends a large amount of null
data.
Specifically, the attacker sends as many bytes as there are in the
sender's receive buffer.
Each packet contains NOP bytes, normally used to pad the packets
for the purposes of checksums.
Now, when the client sends data, it is dropped by the server
because it's lower than the server's window.
The attacker does the same with the client.
Attacker is now a woman/man/bot in the middle!
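Why the client's data "is lower than the server's window" after null-data desynchronization comes down to TCP's sequence-number acceptability test. The simulation below is an added example (not from the lecture or Joncheray's paper): it models only the receiver's window, with constructed sequence numbers, and shows the real client's next segment falling outside the window once the receiver's expected sequence number has been advanced.

```python
MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

def seq_in_window(seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test: is any byte of the segment inside
    [rcv_nxt, rcv_nxt + rcv_wnd)?  All arithmetic is modulo 2**32."""
    def in_range(x):
        return (x - rcv_nxt) % MOD < rcv_wnd
    if seg_len == 0:
        return in_range(seq) if rcv_wnd > 0 else seq == rcv_nxt
    if rcv_wnd == 0:
        return False
    return in_range(seq) or in_range((seq + seg_len - 1) % MOD)

class Receiver:
    """Minimal model of one side's receive state."""
    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt = rcv_nxt
        self.rcv_wnd = rcv_wnd
        self.dropped = 0

    def deliver(self, seq, payload):
        """Return True if the segment is accepted.  In-order data advances
        rcv_nxt; in-window but out-of-order data is accepted without
        advancing (real stacks queue it); out-of-window data is dropped."""
        if not seq_in_window(seq, len(payload), self.rcv_nxt, self.rcv_wnd):
            self.dropped += 1
            return False
        if seq == self.rcv_nxt:
            self.rcv_nxt = (seq + len(payload)) % MOD
        return True

def desync_demo():
    """Server expects sequence 1000 from the client with an 8192-byte window
    (constructed numbers).  Null data equal to the buffer size moves rcv_nxt
    forward; the client's genuine segment at 1000 then lies below the window."""
    server = Receiver(rcv_nxt=1000, rcv_wnd=8192)
    filled = server.deliver(1000, b"\x00" * 8192)   # null data, with the client's address
    client_ok = server.deliver(1000, b"ls\n")       # the real client's next segment
    return filled, client_ok, server.rcv_nxt
```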
Attacker-in-the-Middle
Data from the client can be re-packaged into a TCP
packet and sent to the server, so there are no
noticeable changes.
Attacker can insert commands into the remote
account. E.g.
echo mymachine.umass.edu mitnick > .rhosts
However, commands entered by the attacker might
appear on a command line history.
Defense: ssh connection, or IPsec