TCP/IP Vulnerabilities

ECE 478/578 Computer and Network Security

Project

Submitted by
Rudhrakumar Venkatesan venkatru@ece.orst.edu
Shashidhar Lakkavalli lakkavsh@ece.orst.edu

Abstract
TCP/IP is a set of protocols developed to allow cooperating computers to share resources
across a network. The TCP/IP protocol suite, which is very widely used today, has a large
number of serious security flaws inherent in the protocols, regardless of the correctness of any
implementations. We describe a variety of attacks based on these flaws.
The Attack methods in TCP/IP Networks, which we will be trying to explore in this
paper, are
(i)

Sniffing - A Passive attack using Sniffer Programs those trap the packets.

(ii)

Denial of Service on Swap space, Bandwidth, RAM, Caches.

(iii)

Spoofing, hijacking - Redirection of TCP Stream through Active Attacks.

(iv)

Sequence Number Prediction Attacks.

We will also be studying some sniffer programs, spoofing & hijacking tools & their

impact on the network. We also explore the various methods of detection, prevention and
recovery from such attacks.

Contents
1 Introduction
1.1 TCP/IP
1.2 Attacks

2 Passive Attacks
2.1 Sniffing
2.1.1 Protocols Vulnerable to Sniffing
2.1.2 Methods for sniffing
2.1.3 Prevention of Vulnerabilities
2.1.4 Encryption Tools
2.1.5 Sniffing Programs

3 Active Attacks
3.1 Spoofing & Hijacking
3.1.1 IP Spoofing
3.1.2 Hijacking
3.1.3 How Its Done
3.1.3.1
Connection Killing
3.1.3.2
Connection Hijacking
3.1.4 Impact
3.1.5 Solutions
3.2 Sequence Number Guessing
3.2.1 Details Of Attack
3.2.2 Solutions
3.3 Denial Of Service
3.3.1 Some Basic Targets for an Attack
3.3.2 The Attacks
3.3.3 Protecting a system against DOS Attack

4 Conclusion
5 Reference

1 Introduction
The TCP/IP protocol suite is the most widely used communication standard on the
Internet. Despite that, there are a number of serious security flaws inherent in the protocols.
Flaws even arise due to the bad implementation and improper configuration of the Applications
using these protocol suites. The attacks are classified into Active attacks and passive attacks
depending on the behaviour of the attacker. Sniffing is the most common form of passive attack
and so we will be discussing about it in detail, where as there are many prominent forms of
active attacks and we will be considering spoofing, hijacking, sequence number prediction and
Denail of service attacks into discussion.

1.1 TCP/IP
TCP provides a full duplex reliable stream connection between two end points. A
connection is uniquely defined by the quadruple (IP address of sender, TCP port number of the
sender, IP address of the receiver, TCP port number of the receiver). Every byte that is sent by a
host is marked with a sequence number (32 bits integer) and is acknowledged by the receiver
using this sequence number. The sequence number for the first byte sent is computed during the
connection opening. It changes for any new connection based on rules designed to avoid reuse of
the same sequence number for two different sessions of a TCP connection.
1.2 Attacks
In security, the word attack has taken on very specific connotations. For example, you
might here of researchers trying to "attack a cryptosystem". The word is often used in the
abstract sense rather than in any physical sense. This academic circles, this word is often used in
preference to other synonyms such as crack or break.
A passive attack (like sniffer)is one that can take place by eavedropping. An active
attack(Like Hijacking) is one that requires interaction, such as injecting something into the data
stream or change, delete, reroute, add, forge or divert data. All attacks are divided into these two
categories.

2. Passive Attacks
2.1 Sniffing
Packet sniffing is the act of intercepting and reading any or all network traffic that is
being transmitted across a shared network communication channel. Sniffing programs are of 2
two forms. Commercial packet sniffers are used to help maintain networks. Underground packet
sniffers are used to break into computers.

2.1.1 Protocols vulnerable to sniffing?

Following is a sampling of typical protocols that are sniffed, especially for passwords.
Telnet and rlogin
Sniffing can capture the keystrokes as the user types them, including the user name and
password.
http
The default version of HTTP has numerous holes. Many web sites use "Basic" authentication,
which sends passwords across the wire in plain-text. Many web sites use another technique
which prompts the user for a username and password, which are also sent across the network in
plain-text. Data sent in clear-text.
snmp
Almost all SNMP traffic is SNMPv1, which has no good security. SNMP passwords (called
community-strings) are sent across the wire in the clear.
nntp
Passwords sent in the clear. Data sent in clear
pop
Passwords sent in the clear. Data sent in clear
FTP
Passwords sent in the clear. Data sent in clear
imap
Passwords sent in the clear. Data sent in clear

Fig 1.0 Sniffing Program in Action

2.1.2 Methods for sniffing

The network interface card (NIC) hardware in a networked computer receives every piece
of network traffic that is transmitted across the physical network. Ordinarily the network device
driver software will process only incoming traffic which contains the address of its host
computer, or broadcast packets which are meant for all computers on a network. However certain
network adapter hardware can be configured to operate in an altered state where the network
device driver processes all traffic transmitted across the network, whether addressed to the host
computer or not.
Monitoring network traffic requires both hardware and software mechanisms working together.
The monitoring process begins with the NIC, with the packets being captured by the device
driver software. Both the hardware and the software components of the NIC need to provide
mechanisms for capturing the raw packets. After the network traffic is processed by the NIC,
software mechanisms are needed to filter the captured data. Finally, a mechanism is required to
extract and reconstruct the data portion of the captured packets, and to display what you get in a
readable format.
2.1.3 Prevention of vulnerabilities
Most of the systems have secure alternatives. However most sites do not implement these
solutions, and are consequently vulnerable to this sort of attack. The remaining of the
vulnerabilities are caused by faulty implementation of protocols. Examples of faulty protocol
implementation include Windows NT's password hashing algorithm. TELNET packets bound for
an Windows NT server, for example, can be intercepted and decrypted by someone knowing the
password hashing weakness
Some of the methods of preventing sniffing are :
1. Authentication schemes such as MD4 and MD5, KERBEROS, DESLOGIN, s/key, and SSH
are available to prevent the clear text transmission of user names and passwords across a
network. Public key encryption programs such as PGP are available to encrypt electronic
mail (E-mail) to prevent the contents from being read.
2. Sniffer programs running in promiscous mode can be found out by identifying the sessions
currently running on the machine. In Unix machines, Ifconfig a reveals all programs
running in promisuous mode. Ultrix can possibly detect someone running a sniffer by using
the commands pfstat and pfconfig. pfconfig allows you to set who can run a sniffer pfstat
shows you if the interface is in promiscuous mode.
3. Often a sniffer log becomes so large that the file space is all used up. On a high volume
network, a sniffer will create a large load on the machine. These sometimes trigger enough
alarms that the administrator will discover a sniffer.
4. Secure Socket Layer : SSL is built into all popular web browsers and web servers. It allows
encrypted web surfing, and is almost always used in e-commerce when users enter their
credit card information.

5. To detect a sniffing device that only collects data and does not respond to any of the
information, requires physically checking all your ethernet connections by walking around
and checking the ethernet connections individually.
6. Active hubs send to each system only packets intended for it rendering promiscuous sniffing.
7. Using interfaces that will not allow processes to run in promiscuous mode and thus prevent
sniffing.
2.1.4 Encryption Tools
Deslogin
SwIPe
Netlock
Kerberos
One time password techniques
2.1.5 Tools to detect packet sniffers
Antisniff
Check Promiscuous Mode
Neped
Sentinet
2.1.6 Sniffing programs
Ethereal
Network Associates Sniffer
BlackICE Pro
CiAll
Tcpdump(Unix)

3. Active Attacks
3.1 Spoofing & Hijacking
Passive attacks using sniffers are becoming more and more frequent on the Internet. The
attacker obtains a user id and password that allows him to logon as
that user. In order to prevent such attacks people have been using identification schemes such as
one-time password [SKEY] or ticketing identification [Kerberos]. Though they prevent password
sniffing on an unsecure network these methods are still vulnerable to an active attack as long as
they neither encrypt nor sign the data stream. Still many people are complacent believing that

active attacks are very difficult and hence a lesser risk. But we can implement a IP hijack and
successfully spoof the system with an active attack which can be done with
the same resources as for a passive sniffing attack.
3.1.1 IP spoofing
To gain access, intruders create packets with spoofed source IP addresses. This exploits
applications that use authentication based on IP addresses and leads to unauthorized user and
possibly root access on the targeted system. It is possible to route packets through filtering-router
firewalls if they are not configured to filter incoming packets whose source address is in the local
domain. It is possible to spoof even if no reply packets can reach the attacker. Examples of
configurations that are potentially vulnerable include - routers to external networks that support
multiple internal interfaces - routers with two interfaces that support subnetting on the internal
network - proxy firewalls where the proxy applications use the source IP address for
authentication.
3.1.2 Hijacking
Once the intruders have root access on a system, they can hijack existing terminal and
login connections from any user on the system. In taking over the existing connections, intruders
can bypass one-time passwords and other strong authentication schemes by tapping the
connection after the authentication is complete. For example, a legitimate user connects to a
remote site through a login or terminal session; the intruder hijacks the connection after the user
has completed the authentication to the remote location; the remote site is now compromised.
Spoofing is classified into
Non-blind spoofing Using the spoofing to interfer with a connection that sends packets along
your subnet.
Blind spoofing Using the spoofing to interfer with a connection (or creating one), that does not
send packets along your cable.
The concept of non-blind spoofing(NBS) is pretty simple. Because packets travel within
your reach, you can get the current sequence and acknowledge (SEQ/ACK) numbers on the
connection. NBS is thus a very easy and accurate method of attack, but limited to connections
going over your subnet. In spoofing documentation these attacks are sometimes ommited,
because they are mostly 'denial-of-service' attacks, or because people don't realise the advantage
a spoof (in particulary a hijack) can have above simple password sniffing. Spoofing in generally
is refered to as a verry high level of attack. This refers to blind spoofing (BlS).
3.1.3 How It's Done
3.1.3.1 Connection Killing
Setup
host A <------X------------------------->host B | A,B have a TCP connection running
host S <------/ A,S on same subnet

a. Using reset (RST)

Concept
TCP packets have flags which indicate the status of the packet, like RST. That is a flag
used to reset a connection. To be accepted, only the sequence number has to be correct (there is
no ACK in a RST packet). So we are going to wait for packets in a connection between A and B.
Assume we wait for packets to A. We will calculate (from B's packets) the sequence number for
A's packets (from B's ACK's), and fire a bogus RST packet from S (faking to be A) to B.
b. Closing a connection (FIN)
Concept
An other flag is FIN and says: "no more data from sender". This flag is used when
closing a connection down the normal legit way. So if there was a way to make a packet that is
accepted by one of the two hosts, this host would believe the 'sender' didn't have any data left.
Following (real) packets would be ignored as they are considered bogus. That's it, because we
can sniff the current SEQ/ACK of the connection we can pretend to be either host A or B, and
provide the other host with CORRECT packetinformation, and an evil FIN flag. The beauty of it
all is, that after a FIN is send the other host always replies with one if it is accepted, so we have a
way to verify our killing, and can be 100% sure of success (if for some reason we missed a SEQ
or ACK, we can just resend). RST killing is more popular and is prefered.
3.1.3.2 Connection Hijacking
Setup
host A <------X------------------------->host B | A,B have a TCP connection running (TELNET)
host S <------/ A,S on same subnet
Concept
Assume a TELNET from A (client) to B (server). TCP separates good and bogus packets
by their SEQ/ACK numbers i.e. B trusts the packets from A because of its correct SEQ/ACK
numbers. So if there was a way to mess up A's SEQ/ACK, B would stop believing A's real
packets. We could then impersonate to be A, but using correct SEQ/ACK numbers (that is
numbers correct for B). We would now have taken over the connection (host A is confused, B
thinks nothings wrong, and S sends 'correct' data to B). This is called 'Hijacking' a connection.
To mess up A's SEQ/ACK numbers we simply insert a data packet into the stream at the right
time (S as A->B), the server B would accept this data, and update ACK numbers, A would
continue to send it's old SEQ numbers, as it's unaware of our spoofed data.
Takeover phase 1: Stealing connection. Sending Spoofed clean-up data... Waiting for spoof to be
confirmed... Phase 1 ended.
Takeover phase 2: Getting on track with SEQ/ACK's again Server SEQ: C34A680B (hex) ACK:
5C8223F5 (hex) Phase 2 ended.
Takeover phase 3: Sending MY data. Sending evil data. Waiting for evil data to be confirmed...
Phase 3 ended.

3.1.4. Impact
Current intruder activity in spoofing source IP addresses can lead to unauthorized remote
root access to systems behind a filtering-router firewall. After gaining root access and taking
over existing terminal and login connections, intruders can gain access to remote hosts.
3.1.5 Solutions
A. Detection
IP spoofing
1. If you monitor packets using network-monitoring software such as netlog, look for a packet
on your external interface that has both its source and destination IP addresses in your local
domain. If you find one, you are currently under attack.
2. Another way to detect IP spoofing is to compare the process accounting logs between
systems on your internal network. If the IP spoofing attack has succeeded on one of your
systems, you may get a log entry on the victim machine showing a remote access; on the
apparent source machine, there will be no corresponding entry for initiating that remote
access.
Hijacking
1. When the intruder attaches to an existing terminal or login connection, users may detect
unusual activity, such as commands appearing on their terminal that they did not type or a
blank window that will no longer respond to their commands. Encourage your users to
inform you of any such activity.
2. In addition, pay particular attention to connections that have been idle for a long time. Once
the attack is completed, it is difficult to detect. However, the intruders may leave remnants of
their tools. For example, you may find a kernel streams module designed to tap into existing
TCP connections.
B. Prevention
IP spoofing
The best method of preventing the IP spoofing problem is to install a filtering router that
restricts the input to your external interface (known as an input filter) by not allowing a packet
through if it has a source address from your internal network. In addition, you should filter
outgoing packets that have a source address different from your internal network in order to
prevent a source IP spoofing attack originating from your site. If your vendor's router does not
support filtering on the inbound side of the interface or if there will be a delay in incorporating
the feature into your system, you may filter the spoofed IP packets by using a second router
between your external interface and your outside connection. Configure this router to block, on
the outgoing interface connected to your original router, all packets that have a source address in
your internal network. For this purpose, you can use a filtering router or a UNIX system with
two interfaces that supports packet filtering. Disabling source routing at the router does not
protect you from this attack, but it is still good security practice to do so.

Hijacking
There is no specific way to prevent users from hijacking other than preventing intruders
from gaining root access in the first place. If you have experienced a root compromise, you have
to do a recovery.

3.2 Sequence Number Guessing

3.2.1 Details of the Attack
If TCP sequence numbers are predictable, a hacker can forge a connection from another
machine. The hacker doesn't need to see the packets from the server; the server believes the
hacker is the trusted client. This is easily done on any Internet machines where the hacker has
full privileges: Macs, Windows etc.
Lets assume that the attacker, in this case X, has been able to spoof the IPaddress of
client A. Spoofing attacks are also discussed in this paper(3.1).
Sequence number guessing is related with the 3-way handshake used in the TCP.
Suppose client machine A wants to talk to remote server B. It sends the following message:
A-B: SYN, ISNa
That is, it sends a packet with the SYN ("synchronize sequence number") bit set and an
initial sequence number ISNa.
B replies with
B-A: SYN, ISNb, ACK(ISNa)
In addition to sending its own initial sequence number, it acknowledges A's. The actual numeric
value ISNa also appears in the message.
A concludes the handshake by sending
A-B: ACK(ISNb)
The initial sequence numbers are intended to be more or less random. RFC 793 specifies
that the 32-bit counter be incremented by 1 in the low-order position about every 4
microseconds. Instead, some unix versions like Free-BSD increment it by a constant every
second, and by another constant for each new connection. Thus, if a connection is opened to a
machine, then guessing the sequence number for the next connection is not very tough. And this
leads to the source of attack.
Suppose X is the attacker. X first opens a real connection to its target. This gives ISNb.
It then impersonates A and sends
Ax-B: SYN, ISNx where "Ax" denotes a packet sent by X pretending to be A.
B's response to X's original SYN
B-A: SYN, ISNb', ACK(ISNx) the legitimate A, about which more anon.
X never sees that message but can still send Ax-B: ACK(ISNb') using the predicted value for
ISNb'.

If X had guessed the sequence number right B's server thinks it has a legitimate
connection with A, when in fact X is sending the packets. X can't see the output from this
session, but it can execute commands as more or less any user
There is a minor difficulty here. If A sees B's message, it will realize that B is
acknowledging something it never sent, and will send a RST packet in response to tear down the
connection.
3.2.2 Solution
The problem encountered above is because the attacker was able to guess the initial
sequence number. By having the initial sequence number a random number, the sequence attack
can be avoided. But, this leads to protocol problems like duplicate packets and reincarnations of
packets of the old connection at the server, due to which the server will not be able to distinguish
if the packets were from the current session or from the previous connection. One way to avoid
this is to allot sequence number space to each port, and the sequence numbers are incremented
according to the following relationship
ISN = M + F(localhost, localport, remotehost, remoteport).
It is important that F not be computable from the outside, or an attacker could still guess
at sequence numbers from the initial sequence number used for some other connection. If F is a
cryptographic hash function of the connection-id and some secret data, then it is a good source of
a unpredictable random number. Hash techniques like MD5 is a good choice, since the code is
widely available. The secret data can either be a true random number [10], or it can be the
combination of some per-host secret and the boot time of the machine. The boot time is included
to ensure that the secret is changed on occasion. Other data, such as the host's IP address and
name, may be included in the hash as well.

3.3 Denial of service

Denial of service is about without permission knocking off services, for example through
crashing the whole system. This kind of attacks are easy to launch and it is hard to protect a
system against them.
Such attacks are motivated typically due to Sub-cultural status, To gain access, Revenge,
Political reasons, Economical reasons or Nastiness.
3.3.1 Some basic targets for an attack
a. Swap Space
Most systems have several hundred Mbytes of swap space to service client requests. The
swap space is typical used for forked child processes which have a short life time. The swap
space will therefore almost never in a normal cause be used heavily. A denial of service could be
based on a method that tries to fill up the swap space.
b. Bandwidth
If the bandwidth is to high the network will be useless. Most denial of service attack
influence the bandwidth in some way.

c. Kernel Tables
Overflow in the kernel tables will cause serious problems on the system. The kernel have a
kernelmap limit, if the system reach this limit it can not allocate more kernel memory and must
be rebooted. The kernel memory is not only used for RAM, CPU:s, screens and so on, it it also
used for ordinaries processes. Meaning that any system can be crashed and with a mean
algorithm pretty fast. In Solaris 2.X the amount of kernel memory the system is usingit is
measured and reported with the sar command , but for SunOS 4.X there is no such command. So
in SunOS 4.X we don't even can get a warning.
d. RAM
A denial of service attack that allocates a large amount of RAM can make a great deal of
problems. NFS and mail servers are actually extremely sensitive because they do not need much
RAM and therefore often don't have much RAM. An attack at a NFS server is trivial. The normal
NFS client will do a great deal of caching, but a NFS client can be anything including the
program you wrote yourself.
3.3.2 The Attacks
(A). Taking Advantage Of Finger
Most fingerd installations support redirections to an other host.
Ex: $finger @system.two.com@system.one.com
In this example the finger will go through system.one.com and on to system.two.com. As far as
system.two.com knows it is system.one.com who is fingering. So this method can be used for
hiding, but also for a very dirty denial of service attack.
Foe eg in :
$
finger
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack.
All those @ signs will get finger to finger host.we.attack again and again and again... The effect
on host.we.attack is powerful and the result is high bandwidth, short free memory and a hard
disk with less free space, due to all child processes.
The solution is to install a fingerd which don't support redirections, for example GNU finger.
(B). Freezing Up X-Windows
If a host accepts a telnet session to the X-Windows port, somewhere between 6000 and
6025(In most cases 6000) it could be used to freeze up the X-Windows system. This can be made
with multiple telnet connections to the port or with a program which sends multiple
XOpenDisplay() to the port. The same thing can happen to Motif or Open Windows. The
solution is to deny connections to the X-Windows port.
(C). Attacking With Lynx Clients
A World Wide Web server will fork an httpd process as a respond to a request from a
client, typical Netscape or Mosaic. The process lasts for less than one second and the load will
therefore never show up if someone uses ps. In most causes it is therefore very safe to launch a
denial of service attack that makes use of multiple WWW clients, typical lynx clients. But the
netstat command could be used to detect the attack. Some httpd:s (for example http-gw) will
have problems besides the normal high bandwidth, low memory. And the attack can in those
cases get the server to loop.

(D). Malicious Use Of Telnet Under Solaris 2.4

If the attacker makes a telnet connections to the Solaris 2.4 host and quits using: Ex:
Control-} quit then will inetd keep going "forever". The solution is to install the proper patch.
(E). How To Disable Services
Most Unix systems disable a service after N sessions have been open in a given time.
Well most systems have a reasonable default (lets say 800 - 1000), but not some SunOS systems
that have the default set to 48... The solutions is to set the number to something reasonable.
(F). Malicious Use Of UDP Services
It is simple to get UDP services (echo, time, daytime, chargen) to loop, due to trivial IPspoofing. The effect can be high bandwidth that causes the network to become useless. In the
example the header claim that the packet came from 127.0.0.1 (loopback) and the target is the
echo port at system.we.attack. As far as system.we.attack knows is 127.0.0.1 system.we.attack
and the loop has been establish.
Ex: from-IP=127.0.0.1 to-IP=system.we.attack Packet type:UDP from UDP port 7 to UDP port 7
SunOS 4.1.3. is known to boot if a packet with incorrect information in the header is sent to it.
This is the cause if the ip_options indicate a wrong size of the packet. The solution is to install
the proper patch.
(G). ICMP Redirect Attacks
Gateways uses ICMP redirect to tell the system to override routing tables, that is telling
the system to take a better way. To be able to misuse ICMP redirection we must know an
existing connection. If we have found a connection we can make the route lose it connectivity or
we could send false messages to the host if the connection we have found don't use cryptation.
Ex: (false messages to send) DESTINATION UNREACHABLE TIME TO LIVE EXCEEDED
PARAMETER PROBLEM PACKET TOO BIG
The effect of such messages is a reset of the connection. The solution could be to turn ICMP
redirects off, not much proper use of the service.
(H). Broadcast Storms
This is a very popular method in networks there all of the hosts are acting as gateways.
There are many versions of the attack, but the basic method is to send a lot of packets to all hosts
in the network with a destination that don't exist. Each host will try to forward each packet so the
packets will bounce around for a long time. And if new packets keep coming the network will
soon be in trouble. Services that can be misused as tools in this kind of attack is for example
ping, finger and sendmail. But most services can be misused in some way or another.
(I). Email Bombing And Spamming
In a email bombing attack the attacker will repeatedly send identical email messages to
an address. The effect on the target is high bandwidth, a hard disk with less space and so on...
Email spamming is about sending mail to all (or rather many) of the users of a system. The point
of using spamming instead of bombing is that some users will try to send a replay and if the
address is false will the mail bounce back. In that cause have one mail transformed to three
mails. The effect on the bandwidth is obvious. There is no way to prevent email bombing or
spamming. However have a look at CERT:s paper "Email bombing and spamming".

(J). The Dot Dot Bug

Windows NT file sharing system is vulnerable to the under Windows 95 famous dot dot
bug (dot dot like ..). Meaning that anyone can crash the system. If someone sends a "DIR ..\" to
the workstation will a STOP messages appear on the screen on the Windows NT computer. Note
that it applies to version 3.50 and 3.51 for both workstation and server version. The solution is to
install the proper patch.
(K). Hostile Applets
A hostile applet is any applet that attempts to use your system in an inappropriate
manner. The problems in the java language could be sorted in two main groups: 1) Problems due
to bugs. 2) Problems due to features in the language. In group one we have for example the java
bytecode verifier bug, which makes is possible for an applet to execute any command that the
user can execute. Meaning that any attack methods described, could be executed through an
applet. If you need a high level of security you should use some sort of firewall for protection
against java. As a user you could have java disable.
(L). Virus
Computer virus is written for the purpose of spreading and destroying systems. Virus is
still the most common and famous denial of service attack method. It is a misunderstanding that
virus writing is hard. If you know assembly language and have source code for a couple of virus
it is easy. Several automatic toolkits for virus construction could also be found, for example: *
Genvir. * VCS (Virus Construction Set). * VCL (Virus Construction Laboratory). * PS-MPC
(Phalcon/Skism - Mass Produced Code Generator). * IVP (Instant Virus Production Kit). * G2
(G Squared). PS-MPC and VCL is known to be the best and can help the novice programmer to
learn how to write virus. An automatic tool called MtE could also be found. MtE will transform
virus to a polymorphic virus. The polymorphic engine of MtE is well known and should easily
be catch by any scanner.
(M). Anonymous Ftp Abuse
If an anonymous FTP archive have a writable area it could be misused for a denial of
service attack. We can fill up the hard disk. Also can a host can be made temporarily unusable by
massive numbers of FTP requests. Novells Netware FTP server is known to get short of memory
if multiple ftp sessions connects to it.
(N). Syn Flooding
A SYN packet is the first portion of the TCP "Three-Way Handshake". It basically says,
"Hey, over here... I want to connect to you." When a TCP/IP stack receives a SYN pacet, it
responds with a SYN/ACK. which says "OK, you can connect to me, just let me make sure it's
you." At this point, it is waiting for an ACK, which says "Yeah, it's really me!". Now,if the
source address in the SYN packet does not exist, but has a path to it in place, that SYN/ACK will
never be answered with an ACK, and the TCP/IP stack will wait forever for that packet (actually
until a certain amount of time has passed which is implementation-dependent). If a whole bunch
of those faked SYN packets are received simultaneously, the connection queue of the target
machine will he filled. The connection queue is the number of half-open (SYN_RECEIVED)
connections the kernel will allow on a port before it starts dropping further connection requests

to that port. For each Operating System there is a standard default, which may be configurable by
the superuser.
(O). Crashing Systems With Ping Flooding
If someone can ping a machine from a Windows 95 machine, it is possible to reboot or
freeze your machine. The attacker simply writes: ping -l 65510 address.to.the.machine And the
machine will freeze or reboot. It even works for for kernel 2.0.7 up to version 2.0.20. and 2.1.1.
for Linux (crash). AIX4, OSF, HPUX 10.1, DUnix 4.0 (crash). OSF/1, 3.2C, Solaris 2.4 x86
(reboot).
(P). Malicious Use Of Subnet Mask Reply Message
The subnet mask reply message is used under the reboot, but some hosts are known to
accept the message any time without any check. If so all communication to or from the host us
turned off, it's dead. The host should not accept the message any time but under the reboot.
3.3.3 Protecting A System Against Denial Of Service Attacks
You can not make your system totally secured against denial of service, but the following
methods can reduce the risk.
(A). Security Patches
Always install the proper security patches. Also note that patches change over time and
that a solution suggested in security bulletins (i.e. CERT) often is somewhat temporary.
(B). Port Scanning
Check which services you have. Scan the ports with sprobe or some other port scanner.
You should do this regualy to see that anyone don't have installed a service that you don't want
on the system. Disable every service that you don't need, could for example be rexd, fingerd,
systat, netstat, rusersd, sprayd, pop3, uucpd, echo, chargen, tftp, exec, ufs, daytime, time. Any
combination of echo, time, daytime and chargen is possible to get to loop. There is however no
need to turn discard off. The discard service will just read a packet and discard it, so if you turn
off it you will get more sensitive to denial of service and not the opposite.
(C). Check For The Attacks
Check for the possible attacks. Perform a stress test your system with several services and
look at the effect.
(D). Extra Security Systems
The basic that you always should install is a logdaemon and a wrapper. A firewall could
also be very good, but expensive. Note that you should be very careful if building your own
firewall or you might open up new and very bad security holes, but it is a very easy if you have
some basic knowledge. It is also very good to replace services that you need, for example telnet,
rlogin, rsh or whatever, with a tool like ssh. Ssh is free and can be found on the web.
(E). Monitoring Security
Also monitor security regularly, for example through examining system log files, history
files. Even in a system without any extra security systems could several tools be found for
monitoring, for example: - uptime - showmount - ps - netstat - finger

(F). Keeping Up To Date

It is very important to keep up to date with security problems.

4. Conclusion
In this paper, we considered the most common passive and active attacks possible on
TCP/IP protocol suite. Several attack methods, their impact, detection, prevention and solutions
were discussed. In the course of the discussion, we see that most of the vulnerabilities are due to
bad implementation and improper configuration of the network applications. The user can
employ the use of vulnerability detection and prevention tools to minimize the possibility of
attacks on user machines and applications. The IETF has considered the TCP/IP protocol suite
vulnerabilities and the upcoming versions of TCP and IP is expected to minimize them.

5. References
[1]. Security Problems in the TCP/IP Protocol Suite
Bellovin, Steven M.; 1989;
[2]. A Simple Active Attack Against TCP
Joncheray, Laurent; 1995;
[3]. IP Hijacking
Laurant Joucheray; April 24, 1995;
[4]. Sequence Number Attacks
Rik Farrow; December 1994 ;
[5]. A Weakness in the 4.2BSD Unix TCP/IP Software
Morris, Robert T; 1985;
[6]. Hacking Lexicon
http://www.robertgraham.com/pubs/hacking-dict.html
[7]. Some TCP/IP Vulnerabilities
http://staff.washington.edu/dittrich/talks/agora/
[8]. The Hawks security links
http://www.dbnet.ece.ntua.gr/~george/security/
[9]. INTRODUCTION TO DENIAL OF SERVICE
http://www.attrition.org/~modify/texts/denial_of_service/denial_of_service.txt
[10]. TCP/IP Security
http://www.security.promo.ru/english/block.html