TCP/IP Vulnerability

Prepared By: Mohit Kohli 11th June 2007


Section 1: Introduction

A quick review of:

• TCP (Transmission Control Protocol)
• IP (Internet Protocol)
• Packet structure
• Flags
• Fragmentation
• TCP communication mechanism


Introduction to TCP Packets

• TCP (Transmission Control Protocol) runs on top of IP and provides a connection-oriented service between the sender and the receiver.
• TCP provides guaranteed delivery and ensures that packets are delivered in sequence.
• The underlying network layer, IP, is highly unreliable and provides no guarantees to TCP.
• In order to provide reliability between the sender and the receiver, TCP uses various mechanisms, such as sequence numbers, acknowledgments, the 3-way handshake and timers.
• In the TCP protocol, the important parts of a packet are the essential IP packet headers and the various TCP-specific headers and flags. These include: source port, destination port, header lengths, the sequence number, the ACK number, the checksum and various other flags. Here is a diagram to illustrate the basic format of a typical TCP packet [diagram not reproduced].


IP Packet

IP - IPv4 is a datagram protocol primarily responsible for addressing and routing packets between hosts. IPv4 is connectionless, which means that it does not establish a connection before exchanging data, and unreliable, which means that it does not guarantee packet delivery. There are a lot of headers in the IP section of a packet. Some of the essential ones include: source address, destination address, TOS, TTL, packet ID, protocol (i.e. TCP or UDP), IP version (4, obviously), packet length, the checksum, and the IP header length. These need to be set in every packet/datagram/segment sent, be it TCP, UDP or ICMP.

Packet Example:

• Data after TCP header (the payload): 1,460 bytes
• Typical TCP header size: 20 bytes
• Typical IP header size: 20 bytes
• Typical Ethernet header size: 14 bytes
• CRC size: 4 bytes
• Maximum Ethernet packet size: 1,518 bytes


TCP Packet Component

Flags Structure

• F : FIN - Finish; end of session
• S : SYN - Synchronize; indicates a request to start a session
• R : RST - Reset; drop a connection
• P : PSH - Push; packet is sent immediately
• A : ACK - Acknowledgement
• U : URG - Urgent
• E : ECE - Explicit Congestion Notification Echo
• W : CWR - Congestion Window Reduced

Example:
• Flags: 0x0010 (ACK) --- 00010000, Window Size: 64512
• Flags: 0x0018 (PSH, ACK) --- 00011000, Window Size: 65059

A checksum is a value computed over some data that allows you to check its validity. Typically, checksums are used in data transmission to detect whether the data has been transmitted successfully. For example, the Cyclic Redundancy Check algorithms CRC-8, CRC-16 and CRC-32 do fairly complex things to make the checksum sensitive to such problems.

Reference on Transmission Control Protocol: http://www.faqs.org/ftp/rfc/pdf/rfc793.txt.pdf
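To make the flag bits and the checksum concrete, here is an added Python example (not part of the original slides) that decodes the flags byte exactly as in the 0x0010 and 0x0018 examples above, and computes and verifies the TCP checksum over the RFC 793 pseudo-header. The addresses, ports and payload are constructed sample values.

```python
import struct

# TCP flag bits (byte 13 of the header), most significant bit first.
FLAG_BITS = [("CWR", 0x80), ("ECE", 0x40), ("URG", 0x20), ("ACK", 0x10),
             ("PSH", 0x08), ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01)]


def decode_flags(flags):
    """Names of the flags set in a TCP flags byte, e.g. 0x18 -> ['ACK', 'PSH']."""
    return [name for name, bit in FLAG_BITS if flags & bit]


def ones_complement_sum(data):
    """16-bit one's-complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip, dst_ip, tcp_len):
    """RFC 793 pseudo-header: source IP, destination IP, zero, protocol 6, TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum for a segment whose checksum field is still zero (IPs as 4 packed bytes)."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """Build a 20-byte TCP header (no options) plus payload with a correct checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def verify_segment(src_ip, dst_ip, segment):
    """A valid segment sums to 0xFFFF over pseudo-header + header + payload."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


# Constructed sample: a PSH+ACK segment like the 0x0018 example above, window 65059.
SRC, DST = bytes([10, 100, 0, 200]), bytes([192, 0, 2, 10])
SAMPLE = build_segment(SRC, DST, 1025, 80, 0x1000, 0x2000, 0x18, 65059, b"GET / HTTP/1.0\r\n\r\n")


def sample_flags():
    return decode_flags(SAMPLE[13])          # byte 13 is the flags byte


def sample_is_valid():
    return verify_segment(SRC, DST, SAMPLE)


def corrupted_is_valid():
    """Flipping one payload bit must make the checksum check fail."""
    bad = bytearray(SAMPLE)
    bad[-1] ^= 0x01
    return verify_segment(SRC, DST, bytes(bad))
```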


Fragmentation
 

Fragmentation: Every packet-based network has an MTU (Maximum Transmission Unit) size. The MTU is the size of the largest packet that the network can transmit. Packets larger than the allowable MTU must be divided into multiple smaller packets, or fragments, to enable them to traverse the network.

Example: If a 2,366 byte packet enters an Ethernet network with a default MTU size, it must be fragmented into two packets.

The first packet will:
• Be 1,500 bytes in length: 20 bytes of IP header, 24 bytes of TCP header, and 1,456 bytes of data.
• Have the DF bit equal to 0 ("May Fragment") and the MF bit equal to 1 ("More Fragments").
• Have a Fragmentation Offset of 0.

The second packet will:
• Be 910 bytes in length: 20 bytes of IP header, 24 bytes of TCP header, and 866 bytes of data.
• Have the DF bit equal to 0 ("May Fragment") and the MF bit equal to 0 ("Last Fragment").
• Have a Fragmentation Offset of 182 (Note: 182 is 1,456 divided by 8).

  

  


Contd…

Three of the IP header fields are involved in packet fragmentation: Len, Offset and the More bit.

• Len: total length of the fragment
• Offset: distance from the first byte of the original datagram
• More: indicates whether the fragment has more to follow

Fragmentation reduces TCP throughput and increases network congestion. Disabling the Path MTU Discovery process: a low MTU value can degrade network performance, since it increases fragmentation.

[Figure: Fragmentation (3,600)]


Captured TCP Packet structure


Captured UDP Packet structure


TCP Three-Way Handshake

A TCP connection is initialized through a three-way handshake. The purpose of the three-way handshake is to synchronize the sequence and acknowledgment numbers of both sides of the connection and to exchange TCP window sizes. The following steps outline the process for the common situation where a client computer contacts a server computer:

1. The client sends a TCP segment to the server with an initial sequence number for the connection and a window size indicating the size of a buffer on the client to store incoming segments from the server.
2. The server sends back a TCP segment containing its chosen initial sequence number, an acknowledgment of the client's sequence number, and a window size indicating the size of a buffer on the server to store incoming segments from the client.
3. The client sends a TCP segment to the server containing an acknowledgment of the server's sequence number.

TCP uses a similar handshake process to end a connection. This guarantees that both hosts have finished transmitting and that all data was received. TCP connections have three main parts: connection establishment, data exchange, and connection termination.

 

 


HTTP Elements

• HTTP clients send HTTP requests that contain a method, or command, that indicates what the client wants.
• The HTTP GET command
• HTTP methods


Sample HTTP Communications
[Figure: 3-way handshake communication for the HTTP application protocol]


Section 2: TCP/IP Vulnerability

• Overlapping IP fragments
• Teardrop
• Land
• SYN attack
• Ping flooding
• IP spoofing
• SYN guessing
• Smurf attack
• Source routing
• TCP hijacking
• Man-in-the-Middle attack
• Countermeasures


Overlapping IP Fragments

Description: An IP fragment overlap vulnerability may exist on NT 3.5 and 4.0 systems without the hotfixes applied; it causes a lock-up on these systems that requires a hard reset. This exploit modifies the code from the teardrop attack to incorporate the use of a SYN sequence bug. The attack sends two IP fragments, with the offset of the second fragment inside the prior packet's payload, so that it overlaps but does not include enough payload to complete the datagram. Countermeasure: install the latest hotfixes provided by Microsoft.

Impact: Any system that is vulnerable to this exploit may be "brought down", requiring a reboot of the system.

Root Cause: Insecure design. Linux and Microsoft have a serious bug in their IP fragmentation module, more specifically in the fragment reassembly code.

Explanation: When Linux reassembles IP fragments to form the original IP datagram, it runs in a loop, copying the payload from all the queued fragments into a newly allocated buffer (which would then normally be passed to the IP layer proper). If we find that the current fragment's offset is inside the end of a previous fragment (overlap), we need to (try to) align it correctly. Well, this is fine and good, unless the payload of the current fragment happens to NOT contain enough data to cover the realignment. In that case, `offset` will end up being larger than `end`.


 

Teardrop Attack

IP requires that a packet which is too large for the next router to handle be divided into fragments. The attacker's IP puts a confusing offset value in the second or later fragment. If the receiving operating system is not able to aggregate the packets accordingly, it can crash the system. It is a UDP attack, which uses overlapping offset fields to bring down hosts.

The Unnamed Attack

Variation of the teardrop attack: fragments are not overlapping; instead there are gaps incorporated.

Careful design of the algorithm for generating initial sequence numbers ensures that overlap in sequence-number space between different incarnations of a connection is prevented.

Overlapping fragment attack

Hackers can also craft packets so that instead of overlapping, there will be gaps between the various packets. These non-adjacent fragmented packets are similar to overlapping packets because they can crash or hang older operating systems that have not been patched.


Abnormal Fragmentation

[Figure: a specially crafted packet with abnormal fragmentation.]


Teardrop Attack Tool: Jolt2

Allows remote attackers to cause a Denial of Service attack against Windows-based machines.

Causes the target machine to consume 100% of its CPU time processing illegal packets.

Not Windows-specific: many Cisco routers and other gateways might be vulnerable.


Teardrop Attack Tool: Bubonic.c

Bubonic.c is a DoS exploit that can be run against Windows 2000 machines. It works by randomly sending TCP packets with random settings, with the goal of increasing the load on the machine so that it eventually crashes.

    c:\> bubonic 12.23.23.2 10.0.0.1 100

The teardrop attack exploits overlapping IP fragments and can crash Windows 95, Windows NT, and Windows 3.1 machines.



Land
IP spoofing in combination with the opening of a TCP connection.

Both IP addresses, source and destination, are set to the same value: the address of the destination host.

This results in the packet being sent back to itself, because the addresses are the same.



SYN Attack
The attacker sends bogus TCP SYN requests to a victim server. The host allocates resources (memory, sockets) for each connection. This prevents the server from responding to legitimate requests. The attack exploits the three-way handshake. Malicious flooding of the victim system with large volumes of TCP SYN packets with spoofed source IP addresses can cause a DoS. Windows Server 2003 systems that have enabled the SynAttackProtect registry value are not vulnerable to many of these attacks. A value of 0 indicates no retransmission of packets.

 


Contd…

The default backlog size is 256 for RedHat 7.3 and 100 for Windows 2000 Professional. When this size is reached, the system will no longer accept incoming connection requests.

How to detect a SYN attack:

    # netstat -n -p TCP
    tcp 0 0 10.100.0.200:21 237.177.154.8:25882 SYN_RECV -
    tcp 0 0 10.100.0.200:21 236.15.133.204:2577 SYN_RECV -
    tcp 0 0 10.100.0.200:21 127.160.6.129:51748 SYN_RECV -

Number of half-open TCP connections:

    # netstat -n -p TCP | grep SYN_RECV | grep :23 | wc -l
    769
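The netstat check above can be automated. The following Python example is added here and is not from the original slides; it parses `netstat -n` style output, counts half-open (SYN_RECV) connections per local port as the `grep | wc -l` pipeline does, counts how many distinct remote addresses are stuck in SYN_RECV (a spoofed flood shows many sources that never complete the handshake), and flags ports that have reached a chosen fraction of the backlog. The sample output lines are constructed, modelled on the slide's lines.

```python
from collections import Counter, defaultdict

# Constructed `netstat -n -p TCP` output (not a real capture), modelled on the slide.
NETSTAT_SAMPLE = """\
tcp        0      0 10.100.0.200:21   237.177.154.8:25882   SYN_RECV    -
tcp        0      0 10.100.0.200:21   236.15.133.204:2577   SYN_RECV    -
tcp        0      0 10.100.0.200:21   127.160.6.129:51748   SYN_RECV    -
tcp        0      0 10.100.0.200:23   198.51.100.7:1025     SYN_RECV    -
tcp        0      0 10.100.0.200:22   192.0.2.10:40001      ESTABLISHED -
"""


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for each TCP line of netstat -n output."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue                                  # skip headers and non-TCP lines
        local_port = f[3].rsplit(":", 1)[1]           # rsplit so IPv6 addresses also work
        remote_ip = f[4].rsplit(":", 1)[0]
        yield local_port, remote_ip, f[5]


def half_open_by_port(text):
    """SYN_RECV (half-open) connections per local port, like `grep SYN_RECV | wc -l`."""
    counts = Counter()
    for port, _ip, state in parse_netstat(text):
        if state == "SYN_RECV":
            counts[port] += 1
    return counts


def distinct_syn_sources(text):
    """Number of distinct remote addresses in SYN_RECV per local port."""
    sources = defaultdict(set)
    for port, ip, state in parse_netstat(text):
        if state == "SYN_RECV":
            sources[port].add(ip)
    return {port: len(ips) for port, ips in sources.items()}


def syn_flood_suspects(text, backlog=256, fraction=0.5):
    """Ports whose half-open count has reached `fraction` of the listen backlog
    (default 256, the RedHat 7.3 figure quoted above)."""
    return sorted(port for port, n in half_open_by_port(text).items()
                  if n >= backlog * fraction)
```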



PING FLOODING (ICMP flooding)
Ping of death is a denial of service (DoS) attack caused by an attacker purposely sending an IP packet larger than the 65,536 bytes allowed by the IP protocol. One of the features of TCP/IP is fragmentation: it allows a single IP packet to be broken down into smaller segments. In 1996, attackers took advantage of that feature when they found that a packet broken down into fragments could add up to more than the allowed 65,536 bytes.

Hacking Tool: SSPing

The SSPing program sends the victim's computer a series of highly fragmented, oversized ICMP data packets. The computer receiving the packets locks up when it tries to put the fragments together. The result is a memory overflow, which in turn causes the machine to stop responding.
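The three fragment-level failure modes covered so far (teardrop overlaps, the "unnamed" gap variant, and ping-of-death oversize) all show up in the Offset, Len and More fields of the fragments themselves, so a reassembler can reject them before touching any buffer. The following Python checker is an added example, not from the slides or any real stack; it models each fragment as (offset in 8-byte units, payload length, More bit), counting the offset over the whole IP payload as RFC 791 defines the field, and the fragment sets are constructed.

```python
IP_HEADER_LEN = 20
MAX_DATAGRAM = 65535                     # the IP total-length field is 16 bits
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN


def check_fragments(frags):
    """Return a sorted list of problems in one datagram's fragments, or [] if they
    reassemble cleanly.  Each fragment is (offset_units, payload_len, more), i.e. the
    Offset (8-byte units), Len and More fields of the IP header."""
    problems = set()
    ordered = sorted(frags, key=lambda f: f[0])
    expected_next = 0                    # byte at which the next fragment should begin
    for i, (offset_units, length, more) in enumerate(ordered):
        start = offset_units * 8
        end = start + length
        if start < expected_next:
            problems.add("overlap")      # teardrop: starts inside data already received
        elif start > expected_next:
            problems.add("gap")          # unnamed-attack variant: non-adjacent fragments
        if more and length % 8:
            problems.add("bad_length")   # every fragment but the last must be a multiple of 8
        if end > MAX_PAYLOAD:
            problems.add("oversize")     # ping of death: reassembled datagram too large
        if i < len(ordered) - 1 and not more:
            problems.add("early_last")   # a fragment with More=0 must be the final one
        expected_next = max(expected_next, end)
    if not ordered or ordered[-1][2]:
        problems.add("incomplete")       # last fragment still says "More Fragments"
    return sorted(problems)


# Constructed fragment sets (not captures): (offset_units, payload_len, more).
NORMAL = [(0, 1480, 1), (185, 866, 0)]        # 2,346-byte payload split at a 1,500-byte MTU
TEARDROP = [(0, 1480, 1), (100, 200, 0)]      # second fragment starts at byte 800, inside the first
GAPPED = [(0, 1480, 1), (200, 100, 0)]        # second fragment starts at byte 1,600, leaving a hole
OVERSIZED = [(0, 65440, 1), (8180, 800, 0)]   # contiguous, but reassembles to 66,240 > 65,515 bytes
```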


Tool: PING FLOODING (Denial of Service Attack)



IP Spoofing
Due to the poor design of the TCP/IP suite, it is almost trivial to spoof a packet so that it appears to originate from a host that is NOT you. The term 'IP spoofing' can be used to describe any process in which a person fakes, or "forges", a packet to look like it came from elsewhere, often a "trusted" host. The ability to spoof IP packets, and the fact that IPv4 does NOT check the validity of the source address and source port in a packet's headers, is one of the MAIN vulnerabilities in the TCP/IP protocol suite. It can be of two types, i.e. blind and non-blind. IP spoofing can be used in two main ways: to cause a DoS, or to gain access to a system as a "trusted" host. Blind spoofing challenge: source address, source port, destination address and destination port, along with the ISN.

 


Smurf Attack Uses IP Spoofing Vulnerability

The perpetrator generates a large amount of ICMP echo (ping) traffic to a network broadcast address with a spoofed source IP set to a victim host. The result will be a large number of ping replies (ICMP Echo Reply) flooding back to the innocent, spoofed host. An amplified ping reply stream can overwhelm the victim's network connection. The "smurf" attack's cousin is called "fraggle", which uses UDP echo.

[Figure: ICMP Echo Request sent across the Internet with source C and destination subnet B, but originating from A]


Contd… Smurf Attack

[Figure: The attacker sends ICMP_ECHO_REQ (Source: Target, Destination: Receiving Network) across the Internet; the receiving network answers with ICMP_ECHO_REPLY (Source: Receiving Network, Destination: Target).]


Sequence Guessing

An attempt to hijack an existing TCP session by injecting packets which pretend to come from one of the computers involved in the TCP session. When new connections are created, an initial sequence number (ISN) generator is employed which selects a new 32-bit ISN. The generator is bound to a (possibly fictitious) 32-bit clock whose low-order bit is incremented roughly every 4 microseconds. Thus, the ISN cycles approximately every 4.55 hours. Since we assume that segments will stay in the network no more than the Maximum Segment Lifetime (MSL) and that the MSL is less than 4.55 hours, we can reasonably assume that ISNs will be unique. For each connection there is a send sequence number and a receive sequence number. The initial send sequence number (ISS) is chosen by the data-sending TCP, and the initial receive sequence number (IRS) is learned during the connection-establishment procedure. The ISNs used must be hard to guess for those not involved in the connection.


TCP/IP SEQUENCE NUMBER ANALYSIS
• The challenge is to generate an unpredictable ISN.
• TCP/IP ISN generators are used by a variety of operating systems.
• One example of abuse is inserting malicious content or malicious RCPT TO fields into an SMTP transaction in order to modify or intercept e-mail.
• Guessing the right ISN from the entire 32-bit space (4,294,967,296 possibilities) is not feasible due to the excessive amount of bandwidth and time required.
• But increasing bandwidth and processor speed will eventually make brute-force guessing of 32-bit ISNs feasible for the average attacker.

Phase Space Analysis

Sr. No   Operating System                 Attack feasibility
1        Linux                            below 0.05%
2        Windows 2000                     12.08%
3        Windows NT4 SP6a + hotfixes      15%
4        Windows 95                       100%
5        FreeBSD 4.2                      1.00%
6        OpenBSD-current                  0.00%
7        HPUX11                           100.00%
8        AIX 4.3                          100.00%

x[t] = seq[t] - seq[t-1]
y[t] = seq[t-1] - seq[t-2]
z[t] = seq[t-2] - seq[t-3]
http://lcamtuf.coredump.cx/oldtcp/tcpseq.html http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm
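The delta formulas above are the whole of the phase-space method: plot (x[t], y[t], z[t]) and see whether the points collapse onto a small attractor. The Python example below is added here (not from the slides or the cited papers) and turns that into a measurable number: it learns which x follows each (y, z) pair from an initial run of ISNs and then scores how often the lookup predicts later ISNs exactly. The two ISN sequences are constructed, one from an RFC 793-style 4 microsecond clock sampled once a second, one uniformly random; no real stack was measured.

```python
import random
from collections import Counter, defaultdict

MOD = 1 << 32                              # ISNs are 32-bit, so deltas wrap modulo 2^32


def deltas(seq):
    """x[t] = seq[t] - seq[t-1] for every consecutive pair of observed ISNs."""
    return [(seq[t] - seq[t - 1]) % MOD for t in range(1, len(seq))]


def phase_points(seq):
    """(x[t], y[t], z[t]) = the last three deltas, the 3-D points of the attractor plot."""
    d = deltas(seq)
    return [(d[t], d[t - 1], d[t - 2]) for t in range(2, len(d))]


def attractor_hit_rate(seq, train=30):
    """Learn which x[t] follows each (y[t], z[t]) from the first `train` deltas, then
    measure how often that lookup predicts the remaining ISNs exactly.  1.0 means the
    generator is fully determined by its last two deltas; 0.0 means no structure found."""
    d = deltas(seq)
    table = defaultdict(Counter)
    for t in range(2, train):
        table[(d[t - 1], d[t - 2])][d[t]] += 1
    hits = tries = 0
    for t in range(train, len(d)):
        key = (d[t - 1], d[t - 2])
        if key in table and table[key].most_common(1)[0][0] == d[t]:
            hits += 1
        tries += 1
    return hits / tries if tries else 0.0


# Constructed samples (not measurements of any real stack).
# RFC 793-style clock: +1 every 4 microseconds, sampled once a second -> +250,000 each.
CLOCK_ISNS = [(1000 + 250_000 * i) % MOD for i in range(60)]
# Uniformly random 32-bit ISNs (seeded so the example is reproducible).
_rng = random.Random(7)
RANDOM_ISNS = [_rng.getrandbits(32) for _ in range(60)]


def clock_predictability():
    return attractor_hit_rate(CLOCK_ISNS)   # every point sits on one attractor: 1.0


def random_predictability():
    return attractor_hit_rate(RANDOM_ISNS)  # no (y, z) pair ever repeats: 0.0
```

With real data, feed `attractor_hit_rate` the ISNs observed from a few hundred connections to your own host; a rate far above zero means the stack's ISNs are predictable enough for the spoofing and reset attacks discussed in this section.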


Reset Attack
 

• The number of packets required for a successful Reset is based on the equation (2^32 / Initial Window Size).
• Factors responsible for the Reset attack: ISN prediction, as well as the much larger TCP window sizes now selected.
• A larger window will provide greater transmission efficiency but also expand the opportunity for spoofed TCP Reset attacks.
• The 4-tuple consists of source IP address, TCP source port, destination IP address, and destination TCP port.

Operating System                 Initial Window Size   Packets Required
Windows 2000 5.00.2195 SP4       64512                 66,576
Windows XP Home Edition SP1      64240                 66,858
HP-UX 11                         32768                 131,071
Nokia IPSO 3.6-FCS6              16384                 262,143
Cisco 12.2(8)                    16384                 262,143
Cisco 12.1(5)                    16384                 262,143
Cisco 12.0(7)                    16384                 262,143
Cisco 12.0(8)                    16384                 262,143
Windows 2000 5.00.2195 SP1       16384                 262,143
Windows 2000 5.00.2195 SP3       16384                 262,143
Linux 2.4.18                     5840                  735,439

[Figure: Case Study on Reset Attack]


Case Study on Reset Attack


Source Routing

Another variant of IP spoofing makes use of a rarely used IP option, "Source Routing" [Bellovin89]. Source routing allows the originating host to specify the path (route) that the receiver should use to reply to it. An attacker may take advantage of this by specifying a route that bypasses the real host, and instead directs replies to a path it can monitor (e.g., to itself or a local subnet). Although simple, this attack may not be as successful now, as routers are commonly configured to drop packets with source routing enabled.


TCP Session Hijacking

Connection hijacking exploits a "desynchronized state" in TCP communication. "TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine." A popular method is to use IP spoofing, ARP poisoning, source-routed IP packets and sequence number prediction techniques.

A hacker can also be "inline" between B and C, using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack". A common component of such an attack is to execute a denial-of-service (DoS) attack against one end-point to stop it from responding. This attack can be either against the machine, to force it to crash, or against the network connection, to force heavy packet loss.


Man-in-the-Middle Attack

• In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by "spoofing" the identity of the original sender, who is presumably trusted by the recipient.
• The attacker has performed an ARP poisoning attack.
• Packets are forwarded to the hacker's machine first instead of the target machine.
• The attacker exploits the IP spoofing vulnerability of the TCP/IP design.
• Another variant of the man-in-the-middle attack targets two-factor authentication using phishing.

[Figure: ARP poisoning places the hacker (X) between the sender (S) and the target (C), so traffic in both directions passes through the attacker.]


TCP Hijacking Tool: Hunt

1) Connection management
   * Setting which connections you are interested in.
   * Detecting an ongoing connection (not only SYN-started).
   * Normal active hijacking with detection of the ACK storm.
   * ARP-spoofed/normal hijacking with detection of a successful ARP spoof.
   * Synchronization of the true client with the server after hijacking (so that the connection doesn't have to be reset).
   * Resetting a connection.
   * Watching a connection.


Countermeasures

• Harden the TCP/IP stack (SYN cookies or SynAttackProtect). Ref: http://www.securityfocus.com/infocus/1729
• Apply the latest patches as recommended by your vendor.
• Perimeter network devices like the firewall and border Internet router should block IP-spoofed packets and be capable of defending against SYN attacks.
• With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can reduce the likelihood of your site's networks being used to initiate forged packets by filtering outgoing packets that have a source address different from that of your internal network.
• Apply anti-spoofing filtering on network devices (TCP sequence prediction attacks can be effectively stopped by any router or firewall that is configured not to allow packets with an internal IP address to originate from an external interface).
• ISPs could prevent the transmission of fraudulently addressed packets.
• Servers could be programmed to recognize a SYN source IP address that never completes its connections.
• The last network defense against SYN floods is to distribute the flood across as many hosts or network devices as possible.

 

 

