
PTITHCM

Nguyn Hng Sn

TCP/IP Security

THE TCP/IP PROTOCOL STACK


1. Application Layer
(HTTP, FTP, SMTP, SSH, POP3, TLS/SSL, DNS, etc.)
2. Transport Layer
(TCP, UDP, etc.)
3. Network Layer
(IP (IPv4, IPv6), ICMP, IGMP, etc.)
4. Link Layer
(Ethernet, WiFi, PPP, SLIP, etc.)

TCP packet format

How TCP works

Byte stream
3-way handshake
TCP re-transmissions
TCP congestion control
TCP timers

SYN Flood
The client, on receiving the SYN+ACK segment, deliberately never sends back the ACK segment, so the connection stays half-open on the server.
As soon as a half-open connection to the target port times out, another SYN request is sent to that port, keeping the listen backlog full.

IP Spoofing (1/7)
Use a forged source IP address to establish a one-way connection to a remote host and execute malicious commands.
Scenario: hosts A, B and X, where host X is controlled by the attacker.
B runs a server program that allows A to execute commands remotely.
X wants to open a connection to B while impersonating A.

IP Spoofing (2/7)
X (posing as A) -> B : SYN (sequence num: M)
B -> A : SYN+ACK (sequence num: N, acknowledgment num: M+1)
X (posing as A) -> B : ACK (guessed acknowledgment num: N+1)

IP Spoofing (3/7)
Problem 1: A's ability to communicate with B. A receives B's SYN+ACK for a connection it never opened and will answer it with a RST, which tears the connection down, unless A is prevented from responding.
Problem 2: X's ability to guess the sequence number. X never sees B's SYN+ACK, so it must predict N in order to send the final ACK.

IP Spoofing (4/7)
SYN flood attack on A (so that A cannot answer B's SYN+ACK with a RST).
X sends B a number of SYN packets (connection requests) from its own address.
When B answers X with SYN+ACK packets, X replies with RST packets.
X can thus collect a sample of the sequence numbers produced by B's random number generator.
Spoofing set: a small set of initial sequence numbers (ISNs) that the victim host may use next.
Flood the victim with packets that use the ISNs in the spoofing set.

IP Spoofing (5/7)
Size of the spoofing set
Depends on the quality of the PRNG used on the victim host.
Michal Zalewski: with the network bandwidth available today, an attacker can spoof an IP address successfully if the spoofing set contains no more than 5000 numbers.
With 32-bit sequence numbers, how large would the spoofing set be? (4,294,967,296 possible values)

IP Spoofing (6/7)
Poorly designed pseudo-random number generator + birthday paradox
What is the probability that at least one pair of students in a class of 20 share a birthday?
Birthday paradox: given a group of 23 or more randomly chosen people, the probability that at least two of them have the same birthday is more than 50%.
For a spoofing set of size k, and the probability that a number in the spoofing set takes a particular value, the probability p that at least two numbers in the spoofing set share the same value is given by the formula:

IP Spoofing (7/7)
t = 2^32 for 32-bit sequence numbers. The spoofing set has k = 10 000.
The lower the quality of the PRNG, the higher p becomes.
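The two probabilities the slides reason about, as an added worked example (illustrative code, not part of the original deck): for a spoofing set of k guesses drawn from a space of t possible ISNs, the chance that the victim's next ISN is among the guesses, and the birthday-paradox chance that two guesses coincide. The birthday check (k = 23, t = 365) and the slide's values (t = 2^32, k = 10 000) go through the same functions, and a "weak PRNG" is modelled, as an assumption of this example, as a generator whose effective space is only 2^24 or 2^16 values.

```python
import math


def p_hit(k, t):
    """Probability that one uniformly chosen ISN is among k distinct guesses."""
    return min(k, t) / t


def p_collision_exact(k, t):
    """Birthday paradox: P(at least two of k draws from t values coincide), exact product form."""
    p_all_distinct = 1.0
    for i in range(k):
        p_all_distinct *= (t - i) / t
    return 1.0 - p_all_distinct


def p_collision_approx(k, t):
    """Standard approximation 1 - exp(-k(k-1)/(2t)), accurate when k << t."""
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * t))


def k_for_half_collision(t):
    """Set size at which a collision inside the set becomes more likely than not (~ sqrt(2 t ln 2))."""
    return math.ceil(math.sqrt(2.0 * t * math.log(2.0)))


def spoofing_table(k, entropy_bits):
    """Both probabilities for one spoofing-set size over several ISN spaces.
    A weak PRNG is modelled (assumption) as an ISN space with fewer bits of real entropy."""
    return {bits: (p_hit(k, 2 ** bits), p_collision_approx(k, 2 ** bits)) for bits in entropy_bits}


if __name__ == "__main__":
    print("class of 20:", round(p_collision_exact(20, 365), 4), " 23:", round(p_collision_exact(23, 365), 4))
    print("k=10000, t=2^32: P(collision in set)=", p_collision_exact(10_000, 2 ** 32),
          " P(victim ISN is in the set)=", p_hit(10_000, 2 ** 32))
    print("collision becomes likely in a 32-bit space only beyond k =", k_for_half_collision(2 ** 32))
    for bits, (hit, coll) in spoofing_table(5_000, (32, 24, 16)).items():
        print(f"{bits}-bit ISN space: P(hit)={hit:.2e}  P(collision in set)={coll:.3f}")
```

For a good 32-bit PRNG the 5000-guess set of the previous slide hits the victim's ISN about one time in a million; once the effective entropy drops to 16 bits the same set hits about 8% of the time, which is the quantitative content of "the lower the quality of the PRNG, the higher p".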

Hijacking Attack
Can an attacker insert a data segment into an established TCP connection?

Hijacking Attack
The attacker has to craft and send a TCP segment that the destination will accept.

Hijacking Attack
Session hijacking involves three steps to carry out an attack:
Tracking the session: the hacker identifies an open session and predicts the sequence number of the next packet.
Desynchronizing the connection: the hacker sends the legitimate user's machine a TCP reset (RST) or finish (FIN) packet so that the user's system ends the session.
Injecting the attacker's packet: the hacker sends the server a TCP packet with a valid sequence number; the server accepts it as the next packet from the legitimate user (same session) on the TCP connection.

TCP Connection Hijacking
Setup
host A <------X------------------------->host B | A and B have a TCP connection (e.g. A has a Telnet session to B)
host S <------/                                  A and S are on the same subnet
TCP decides whether a packet is valid or not based on the SEQ/ACK numbers. B trusts a packet as coming from A merely because it carries the right SEQ/ACK.

TCP Connection Hijacking
If S injects a packet at the right moment (S as A -> B), server B accepts it and updates its ACK numbers; A carries on working and sends its old packets to B, which are now out of sequence.
How dangerous is connection hijacking?

TCP Connection Killing
Setup
host A <------X------------------------->host B | A and B have a TCP connection
host S <------/                                  A and S are on the same subnet
Using reset (RST)
Using connection close (FIN)
Only the sequence number (or one close to it) is required.

Sequence Number Guessing (1/2)
To carry out a sequence-number prediction attack, the hacker must sniff the traffic.
The hacking tool must successfully guess the sequence number, or determine the ISN.
The hacking tool then generates packets with the sequence number the target system is waiting for. They must arrive before the legitimate packets, or the legitimate packets must be blocked.

Sequence Number Guessing (2/2)
ISNs: RFC 793 specifies a 32-bit counter incremented by 1 every 4 microseconds.
UNIX versions such as FreeBSD (BSD-derived stacks) instead increase the counter by one constant every second and by another constant for each new connection, which makes the next ISN easy to predict from an observed one.

Solutions (1/4)
Reference solutions: RFC 793, RFC 2385, RFC 1948.
Only store connection state when the third-step segment (the final ACK of the handshake) is received.

Solutions (2/4)
Methods to prevent SYN flood attacks:
SYN cookies: SYN cookies ensure that no resources are allocated until the 3-way handshake completes.
RST cookies: the server answers the client's SYN with a deliberately wrong SYN+ACK. A real client emits a RST packet signalling the error. The server then knows the client is legitimate and goes on to accept connections from it.
Micro blocks: micro blocks limit SYN floods by allocating only a tiny amount of memory per half-open connection (sometimes as little as 16 bytes).
Stack tweaking: methods that change the TCP/IP stack to withstand SYN floods, such as dropping incoming connections or reducing the timeout when the backlog is almost full.
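A worked example of the SYN-cookie idea from this slide and from the SYN Flood slide above, added here as illustrative code (not from the original deck, and not a real kernel's implementation): the server answers every SYN with a stateless cookie as its ISN and only creates connection state when an ACK carrying a valid cookie arrives. The MSS table, the 64-second tick, the 5/3/24-bit cookie layout and the HMAC-SHA256 hash are this example's assumptions, modelled on the classic scheme; the addresses and ports are constructed.

```python
import hashlib
import hmac
import socket
import struct

# Assumed table of encodable MSS values; the cookie has room for only a 3-bit index.
MSS_TABLE = (536, 1220, 1440, 1460)
TICK_SECONDS = 64        # the cookie time counter advances once per 64 s
SEQ_MASK = 0xFFFFFFFF


def _cookie_hash(secret, caddr, cport, saddr, sport, tick):
    """24-bit keyed hash over the 4-tuple and the time tick (HMAC-SHA256 assumed)."""
    msg = struct.pack("!4sH4sHQ", socket.inet_aton(caddr), cport,
                      socket.inet_aton(saddr), sport, tick)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, caddr, cport, saddr, sport, client_mss, now):
    """Server ISN for the SYN+ACK: top 5 bits = tick mod 32, next 3 = MSS index, low 24 = hash."""
    tick = int(now) // TICK_SECONDS
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if i == 0 or m <= client_mss)
    return ((tick & 0x1F) << 27) | (mss_idx << 24) | _cookie_hash(secret, caddr, cport, saddr, sport, tick)


def check_syn_cookie(secret, caddr, cport, saddr, sport, ack_num, now, max_age_ticks=1):
    """Validate the handshake's final ACK; return the encoded MSS, or None if the cookie is bad or stale."""
    cookie = (ack_num - 1) & SEQ_MASK          # the client acknowledges our ISN + 1
    t5, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = int(now) // TICK_SECONDS
    for age in range(max_age_ticks + 1):     # accept only the current and the previous tick
        tick = cur - age
        if (tick & 0x1F) != t5:
            continue
        expected = _cookie_hash(secret, caddr, cport, saddr, sport, tick)
        if hmac.compare_digest(h.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


class CookieListener:
    """Listening socket that keeps no state at all for half-open connections."""

    def __init__(self, secret, saddr, sport):
        self.secret, self.saddr, self.sport = secret, saddr, sport
        self.connections = {}                 # only fully established connections live here

    def on_syn(self, caddr, cport, client_isn, client_mss, now):
        """Return the SYN+ACK to send; nothing is stored, so a flood of SYNs costs no memory."""
        isn = make_syn_cookie(self.secret, caddr, cport, self.saddr, self.sport, client_mss, now)
        return {"seq": isn, "ack": (client_isn + 1) & SEQ_MASK}

    def on_ack(self, caddr, cport, seq, ack, now):
        """Third handshake step: create state only if the ACK carries a valid cookie."""
        mss = check_syn_cookie(self.secret, caddr, cport, self.saddr, self.sport, ack, now)
        if mss is None:
            return False
        self.connections[(caddr, cport)] = {"rcv_nxt": seq, "snd_nxt": ack, "mss": mss}
        return True


def demo():
    """Constructed scenario: 1000 spoofed, never-acknowledged SYNs, then one real handshake."""
    srv = CookieListener(b"per-boot secret (assumed)", "10.0.0.1", 80)
    for i in range(1, 1001):
        srv.on_syn("203.0.113.%d" % (i % 250 + 1), 1000 + i, 0xDEAD0000 + i, 1460, now=1_000_000)
    state_after_flood = len(srv.connections)           # 0: the flood allocated nothing
    synack = srv.on_syn("192.0.2.7", 40000, 1000, 1460, now=1_000_000)
    ok = srv.on_ack("192.0.2.7", 40000, 1001, (synack["seq"] + 1) & SEQ_MASK, now=1_000_010)
    return state_after_flood, ok, srv.connections[("192.0.2.7", 40000)]["mss"]


if __name__ == "__main__":
    print(demo())
```

The price of statelessness is visible in the code: the server forgets the client's options, so only a coarse MSS survives (via the table index), and a cookie older than about two ticks is rejected rather than matched against remembered state.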

Solutions (3/4)
Checking TCP RST segments
A RST segment must carry:
the IP source address and source port of an active TCP connection,
the IP destination address and destination port of an active TCP connection,
and a sequence number that falls within the receive window of that connection.
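The RST acceptance checks listed above, as added illustrative code (not from the original deck and not any real stack's code) run over a small constructed connection table. It applies the slide's rule (the 4-tuple must match an active connection and the sequence number must fall inside the receive window, with 32-bit wrap-around handled) and adds the refinement modern stacks adopted in RFC 5961: a reset is accepted outright only when its sequence number is exactly RCV.NXT, and an in-window but inexact RST is answered with a challenge ACK instead. That split, and the table contents and window sizes, are this example's own.

```python
SEQ_MASK = 0xFFFFFFFF


def seq_offset(seq, rcv_nxt):
    """Distance from RCV.NXT to seq in 32-bit modular arithmetic (handles wrap-around)."""
    return (seq - rcv_nxt) & SEQ_MASK


def in_receive_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability for a segment carrying no data: RCV.NXT <= seq < RCV.NXT + RCV.WND."""
    return seq_offset(seq, rcv_nxt) < rcv_wnd


def validate_rst(connections, seg):
    """Classify an incoming RST segment.

    connections: {(remote_ip, remote_port, local_ip, local_port): {"rcv_nxt": .., "rcv_wnd": ..}}
    seg: {"src", "sport", "dst", "dport", "seq", "flags"} as parsed from the wire.
    Returns "accept" (tear the connection down), "challenge_ack" (in-window but not exact:
    reply with an ACK and let a genuine peer re-send a correct RST) or "drop".
    """
    if "RST" not in seg["flags"]:
        return "drop"
    conn = connections.get((seg["src"], seg["sport"], seg["dst"], seg["dport"]))
    if conn is None:
        return "drop"                      # no active connection with that 4-tuple
    if not in_receive_window(seg["seq"], conn["rcv_nxt"], conn["rcv_wnd"]):
        return "drop"                      # outside the receive window
    if seq_offset(seg["seq"], conn["rcv_nxt"]) == 0:
        return "accept"                    # exactly the next expected byte
    return "challenge_ack"


def blind_rst_guesses(rcv_wnd):
    """Worst-case number of sequence numbers an off-path attacker must try when any in-window
    value is accepted (the slide's rule on its own): 2^32 / RCV.WND, rounded up."""
    return -(-(SEQ_MASK + 1) // rcv_wnd)


def demo():
    # Constructed connection table: one Telnet session from 192.0.2.10 to 10.0.0.5.
    table = {("192.0.2.10", 51234, "10.0.0.5", 23): {"rcv_nxt": 1000, "rcv_wnd": 65535}}
    rst = {"src": "192.0.2.10", "sport": 51234, "dst": "10.0.0.5", "dport": 23, "flags": {"RST"}}
    return [validate_rst(table, {**rst, "seq": s}) for s in (1000, 5000, 70000)]


if __name__ == "__main__":
    print(demo(), blind_rst_guesses(65535))
```

blind_rst_guesses() is why the window check alone is not enough: with a 64 KiB window an attacker who knows the 4-tuple needs only about 65 thousand spoofed RSTs to land one inside the window, which is what the exact-match rule and the challenge ACK close off.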

Preventing sniffing: mainly cryptography, such as Internet Protocol Security (IPsec), Secure Shell (SSH, encrypted Telnet) and Secure Sockets Layer (SSL, for HTTPS traffic).
Reduce exposure: remove remote access to internal systems.
Use a VPN for remote access (if it is needed).

Solutions (4/4)
Newer OSes use pseudorandom number generators so that the ISN is hard to guess (or compute).
However, pure randomness causes protocol problems such as duplicate packets and old segments of a previous connection reappearing, which the server cannot distinguish from new data.
One method: give each port its own sequence-number space and let the sequence number increase by a function of the connection:
ISN = M + F(localhost, localport, remotehost, remoteport).
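The ISN = M + F(...) scheme on this slide (RFC 1948, kept by its successor RFC 6528), as added illustrative code rather than the deck's or any kernel's implementation. M is the RFC 793 clock, one increment every 4 microseconds, fed here as integer microseconds so the arithmetic is exact; F is a keyed hash of the 4-tuple under a secret chosen at boot. HMAC-SHA256 stands in for the MD5 of RFC 1948 (an assumption of this example), and the addresses are constructed. The demo shows the property the slide is after: ISNs for one connection still advance with the clock, so old segments do not collide, while the ISN an attacker observes on its own connection says nothing about the ISN the victim will hand a different 4-tuple.

```python
import hashlib
import hmac
import socket
import struct

SEQ_MASK = 0xFFFFFFFF
CLOCK_STEP_US = 4          # RFC 793: the ISN clock ticks once every 4 microseconds


class IsnGenerator:
    def __init__(self, secret):
        self.secret = secret   # assumed: a random per-boot key, never reused across reboots

    def f(self, localhost, localport, remotehost, remoteport):
        """F(): per-connection offset; keyed, so it cannot be computed without the secret."""
        msg = struct.pack("!4sH4sH", socket.inet_aton(localhost), localport,
                          socket.inet_aton(remotehost), remoteport)
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def isn(self, localhost, localport, remotehost, remoteport, now_us):
        """ISN = M + F(localhost, localport, remotehost, remoteport), mod 2^32."""
        m = (now_us // CLOCK_STEP_US) & SEQ_MASK
        return (m + self.f(localhost, localport, remotehost, remoteport)) & SEQ_MASK


def seq_delta(later, earlier):
    """later - earlier in 32-bit modular arithmetic."""
    return (later - earlier) & SEQ_MASK


def demo():
    gen = IsnGenerator(b"boot-time secret (assumed)")
    victim = ("10.0.0.5", 23)
    # Same 4-tuple, 4000 microseconds apart: the ISN moves exactly 1000 clock ticks, as under RFC 793.
    a1 = gen.isn(*victim, "192.0.2.10", 51234, now_us=10_000_000)
    a2 = gen.isn(*victim, "192.0.2.10", 51234, now_us=10_004_000)
    # Attacker X connects at the same instant from its own address and observes its own ISN.
    x = gen.isn(*victim, "203.0.113.9", 40000, now_us=10_000_000)
    return seq_delta(a2, a1), seq_delta(a1, x)


if __name__ == "__main__":
    print(demo())
```

The first value returned by demo() is the clock difference the protocol relies on; the second is the gap between the attacker's ISN and A's ISN at the same instant, which depends only on the secret and the two 4-tuples and is therefore useless to X.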

Echo-Chargen Attack
Chargen (Character Generator) is a service used for testing and measurement purposes.
A host connects to a server that supports the Chargen protocol on TCP or UDP port 19.
Once the TCP connection on port 19 is open, the server sends a stream of arbitrary characters to the host until the host closes the connection.
With the UDP version, the server sends back a UDP packet containing a random number (between 0 and 512) of characters each time it receives a UDP datagram from the host.
The attack: a single UDP datagram spoofed to come from one host's Echo port (7) and sent to another host's Chargen port (19) makes the two services answer each other endlessly, consuming bandwidth and CPU on both.

Smurf Attack
The Smurf attack is a denial-of-service attack that floods the victim with ICMP Echo Reply messages: the attacker sends ping (Echo Request) packets to a broadcast address with the source address spoofed to the victim's, and every host on that network replies to the victim.

Teardrop Attack
The OS chokes on IP fragments that overlap in a way it does not know how to reassemble, causing a denial of service (a crash or hang that requires a reboot).
Modern OSes detect this case and discard the fragments.
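An added illustrative reassembler (not from the deck, not a real IP stack) showing the Teardrop condition and the modern response to it. Fragments are modelled as (offset in bytes, more-fragments flag, payload); real IP fragment offsets are counted in 8-byte units, which is ignored here for simplicity. naive_copy_length() reproduces the arithmetic a trusting stack did when trimming an overlap: for Teardrop-style fragments it goes negative, which in the affected kernels became a huge unsigned copy length. reassemble() is the strict behaviour: any overlap or gap discards the whole datagram. The fragment sets are constructed.

```python
def naive_copy_length(prev_end, offset, length):
    """Bytes a trusting reassembler would copy after trimming the part of a fragment that
    overlaps the previous one. A negative result means the fragment ends inside the previous
    one: the Teardrop condition."""
    trim = prev_end - offset if offset < prev_end else 0
    return length - trim


def check_fragments(fragments):
    """Classify a fragment set: 'ok', 'overlap', 'gap' or 'incomplete'."""
    frags = sorted(fragments, key=lambda f: f[0])
    expected = 0
    for offset, more, payload in frags:
        if offset < expected:
            return "overlap"
        if offset > expected:
            return "gap"
        expected += len(payload)
    if not frags or frags[-1][1]:        # last fragment still has MF (more fragments) set
        return "incomplete"
    return "ok"


def reassemble(fragments):
    """Strict reassembly: return the datagram payload, or None if the set must be discarded."""
    if check_fragments(fragments) != "ok":
        return None
    return b"".join(p for _, _, p in sorted(fragments, key=lambda f: f[0]))


# Constructed fragment sets (payload bytes are arbitrary).
NORMAL = [(0, True, b"A" * 16), (16, False, b"B" * 8)]
TEARDROP = [(0, True, b"A" * 36), (24, False, b"B" * 4)]   # second fragment lies entirely inside the first
MISSING = [(0, True, b"A" * 16), (24, False, b"B" * 8)]

if __name__ == "__main__":
    print(check_fragments(NORMAL), reassemble(NORMAL))
    print(check_fragments(TEARDROP), naive_copy_length(36, 24, 4))
    print(check_fragments(MISSING))
```

Dropping on any overlap is stricter than RFC 791 requires, which allowed later fragments to overwrite earlier data; the strict rule is what removes the ambiguity attackers exploit, both for Teardrop-style crashes and for IDS evasion.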

Traffic Redirection
If a router is compromised, it can be made to advertise to its neighbours: "I am the shortest path to every destination", so that traffic is routed through the attacker.

HTTP flooding attacks
Request flooding attacks
Asymmetric attacks: the attacker opens sessions carrying requests that are expensive to serve.
- Multiple HTTP GET/POST flood
- Faulty application (SQL injection, database queries that lock up)
Slow request/response attacks
- Slowloris attack
- HTTP fragmentation
- Slow POST
- Slow Reading
Vulnerability: a thread-based web server usually waits for the complete HTTP header before processing the request and releasing the connection; Apache: timeout=300s.
Solution: fix the vulnerability; detect and block with dedicated hardware or software.
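A small model of the vulnerability stated above, added as illustrative code (not the deck's and not Apache's): a Slowloris client sends one partial header line every few seconds, so an idle timeout that is reset by every byte (Apache's Timeout, 300 s on the slide) never fires, while a deadline on completing the whole header frees the worker. All timings and client counts are constructed. The real-world counterpart in Apache is mod_reqtimeout's RequestReadTimeout directive, which bounds header read time and minimum data rate; that mapping is this note's, not something the slide states.

```python
def slowloris_arrivals(interval, horizon):
    """Times at which a Slowloris client sends its next partial header line (constructed traffic)."""
    return [i * interval for i in range(int(horizon // interval) + 1)]


def drop_time(arrivals, header_done_at, horizon, idle_timeout=None, header_deadline=None):
    """When the server closes the connection, or None if it holds a worker for the whole horizon.

    arrivals: times (s since accept) at which header bytes arrived.
    header_done_at: time the full header arrived, or None if it never completes.
    idle_timeout: Apache-style per-read timeout, reset by every arrival.
    header_deadline: absolute bound on finishing the request header.
    """
    candidates = []
    if idle_timeout is not None:
        last = 0.0
        for t in arrivals:
            if t - last > idle_timeout:
                candidates.append(last + idle_timeout)
                break
            last = t
        else:
            if header_done_at is None and horizon - last > idle_timeout:
                candidates.append(last + idle_timeout)
    if header_deadline is not None and (header_done_at is None or header_done_at > header_deadline):
        candidates.append(header_deadline)
    return min(candidates) if candidates else None


def workers_held(n_clients, interval, horizon, **policy):
    """How many of n_clients slow connections still occupy a worker thread at the end of the horizon."""
    arrivals = slowloris_arrivals(interval, horizon)
    return sum(1 for _ in range(n_clients) if drop_time(arrivals, None, horizon, **policy) is None)


def demo():
    horizon = 3600.0
    slow = slowloris_arrivals(10.0, horizon)          # one header line every 10 s, header never completes
    return {
        "slowloris_under_idle_timeout_300": drop_time(slow, None, horizon, idle_timeout=300),
        "slowloris_under_header_deadline_20": drop_time(slow, None, horizon, header_deadline=20),
        "normal_client": drop_time([0.05], 0.05, horizon, idle_timeout=300, header_deadline=20),
        "workers_held_by_200_clients_idle": workers_held(200, 10.0, horizon, idle_timeout=300),
        "workers_held_by_200_clients_deadline": workers_held(200, 10.0, horizon, header_deadline=20),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With a pool of 200 worker threads the idle-timeout policy lets 200 slow clients take the whole server for an hour on a few bytes per second, while the header deadline frees every worker within 20 s without touching the normal client.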

Security for Internet applications: Application Layer
Three directions:
authentication
confidentiality
key management
Security solutions provided for the layers of the protocol stack:
Pretty Good Privacy (PGP),
Secure/Multipurpose Internet Mail Extension (S/MIME),
S-HTTP, HTTPS (HTTP over Secure Socket Layer), SET (Secure Electronic Transaction), Kerberos

Security for Internet applications: Transport Layer
Transport Layer Security/Secure Sockets Layer (TLS/SSL)

Security for Internet applications: Network Layer

Security for Internet applications: IPsec (1/2)
Authentication Header (AH) protocol
Encapsulating Security Payload (ESP) protocol

Security for Internet applications: IPsec (2/2)
Transport Mode
Tunnel Mode

Security for Internet applications: VPN (1/2)
VPN forms: Remote Access, Site-to-Site
Two main components: terminator, connection

Security for Internet applications: VPN (2/2)
VPN tunneling technology:
IPsec with encryption
Point-to-Point Tunneling Protocol (PPTP)
Layer 2 Tunneling Protocol (L2TP)
PPP over SSL and PPP over SSH

Security for Internet applications: Data Link Layer
PPP Authentication / PPP Confidentiality
Remote Authentication Dial-In User Service (RADIUS)
Terminal Access Controller Access Control System (TACACS+)

REMARKS
