TCP/IP Security Attacks
Raj Jain
Washington University in Saint Louis
Saint Louis, MO 63130
jain@cse.wustl.edu
These slides are available on-line at: http://www.cse.wustl.edu/~jain/cse571-07/
Washington University in St. Louis, CSE571S, 3-1, 2007 Raj Jain

3-2 Overview
1. TCP: Segment Format, Connection Setup/Disconnect
2. IP: Address Spoofing, Covert Channel, Fragment Attacks, ARP, DNS
3. TCP Flags: Syn Flood, Ping of Death, Smurf, Fin
4. UDP Flood Attack
5. Connection Hijacking
6. Application: E-Mail, Web Spoofing

3-3 TCP Segment Format
Header fields, in order: Source Port, Destination Port, Sequence Number, Ack Number, Data Offset, Reserved, flags (URG, ACK, PSH, RST, SYN, FIN), Window, Checksum, Urgent Pointer, Options, Padding, then Data.
- Urgent (URG): deliver immediately at the destination
- Push (PSH): leave the source immediately
- The SYN consumes one sequence number, so the first data byte is ISN+1
- Ack is the next byte expected
- The receiver is expecting bytes Ack through Ack+Window-1 next

3-4 TCP Connection Setup (three-way handshake)
- Client to server: SYN, ISN=10
- Server to client: SYN+ACK, Ack=11 (client ISN+1), server ISN=22
- Client to server: ACK=23 (server ISN+1)
- On receiving the SYN the server starts a connection establishment timer; until the final ACK arrives the connection is half-open

3-5 TCP Disconnection
- FIN means "no more data"; the connection can be closed
- Four-way handshake: FIN, ACK, FIN, ACK (each side closes its own direction)

3-6 IP Address Spoofing
- Hacker sends requests to server V with someone else's (X's) source address: SA=X, DA=V
- The response (SA=V, DA=X) is received at X and discarded, since X never asked for it
- Both X and server V can be kept busy: a DoS attack on either

3-7 Covert Channel
- Loki: a client/server application that uses ICMP echo to carry covert commands (http://xforce.iss.net/xforce/xfdb/1452)
- Timing channel: CPU load indicates a 0 or a 1; two processes on the same machine signal through it
- Storage channel: print queue length large = 1, small = 0
- Either channel lets a process on a high-security machine leak bits to a low-security machine that can observe it

3-8 IP Fragment Attacks
- Fragments can overlap: two fragments claim the same byte range and the receiving stack must decide which copy wins
- The final (reassembled) packet can be too large: more than the 65,535 bytes an IPv4 datagram may hold
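The segment format and handshake slides above, worked through in code. This is an added example, not part of the original slides: it packs and parses the fixed 20-byte TCP header with `struct`, computes the three handshake segments from the two ISNs (each side acknowledges the peer's ISN+1), returns the receive range Ack..Ack+Window-1, and flags the "invalid combinations" of the TCP Flags slide. The port numbers and ISNs are constructed for the demonstration; the checksum is left at zero because it needs the IP pseudo-header.

```python
import struct

# TCP control flags occupy the low six bits of the 16-bit word that also
# holds the data offset (RFC 793, section 3.1).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {URG: "URG", ACK: "ACK", PSH: "PSH", RST: "RST", SYN: "SYN", FIN: "FIN"}
MOD32 = 1 << 32  # sequence and ack numbers wrap modulo 2^32


def flag_names(flags):
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def build_tcp_header(src_port, dst_port, seq, ack, flags, window,
                     checksum=0, urgent=0):
    """Pack a 20-byte, option-less TCP header (data offset = 5 words).
    The checksum is left to the caller; it needs the IP pseudo-header."""
    offset_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq % MOD32,
                       ack % MOD32, offset_flags, window, checksum, urgent)


def parse_tcp_header(segment):
    """Unpack the fixed header of a raw TCP segment into a dict."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    (src, dst, seq, ack, offset_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (offset_flags >> 12) * 4      # data offset counts 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset points outside the segment")
    flags = offset_flags & 0x3F
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len, "flags": flags, "flag_names": flag_names(flags),
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }


def invalid_flag_combination(flags):
    """Flag sets no conforming stack sends (the 'invalid combinations' slide).
    Old stacks crashed or hung on some of them; today they mostly identify
    scanners: NULL (no flags), SYN+FIN, SYN+RST, and FIN/PSH/URG without ACK."""
    if flags == 0:
        return True
    if flags & SYN and flags & (FIN | RST):
        return True
    if flags & (FIN | PSH | URG) and not flags & (ACK | SYN):
        return True
    return False


def three_way_handshake(client_isn, server_isn):
    """The three setup segments as (seq, ack, flags). Each side acknowledges
    the peer's ISN + 1: the SYN consumes one sequence number, so the first
    data byte is ISN + 1 and that is the next byte expected."""
    syn = (client_isn % MOD32, 0, SYN)
    syn_ack = (server_isn % MOD32, (client_isn + 1) % MOD32, SYN | ACK)
    ack = ((client_isn + 1) % MOD32, (server_isn + 1) % MOD32, ACK)
    return [syn, syn_ack, ack]


def acceptable_sequence_range(ack, window):
    """Bytes the receiver is prepared to accept next: ack .. ack+window-1."""
    if window == 0:
        return None
    return ack % MOD32, (ack + window - 1) % MOD32


if __name__ == "__main__":
    # Constructed sample: a SYN from an ephemeral port to port 80.
    raw = build_tcp_header(40000, 80, seq=10, ack=0, flags=SYN, window=8192)
    print(parse_tcp_header(raw)["flag_names"])
    for seq, ack, flags in three_way_handshake(10, 22):
        print(f"seq={seq} ack={ack} flags={flag_names(flags)}")
    print(invalid_flag_combination(SYN | FIN))
```

With the slide's ISNs of 10 and 22 the handshake comes out as SYN seq=10, SYN+ACK seq=22 ack=11, ACK seq=11 ack=23; the modulo arithmetic matters once an ISN sits near 2^32.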
3-9 TCP Flags
- Invalid combinations (for example SYN together with FIN, or no flags set at all) may cause the recipient to crash or hang

3-10 Syn Flood
- A sends a SYN request with the (spoofed) IP address of X to server V: SA=X, DA=V, SYN
- V sends a SYN-ACK to X: SA=V, DA=X, SYN+ACK
- X discards the SYN-ACK (it never sent a SYN), leaving a half-open connection at V
- Many half-open connections exhaust resources at V: DoS

3-11 Ping of Death
- Send a ping whose data field makes the reassembled datagram larger than 65,535 bytes, the maximum an IPv4 packet may hold
- Most systems of the time would crash, hang or reboot

3-12 Smurf
- Send a broadcast echo request with V's source address
- All the echo replies will make V very busy

3-13 Fin
- In the middle of a conversation between X and V, H sends V a packet with the FIN flag and X's source address
- V closes the connection and disregards all further packets from X
- The RST flag can be used similarly
- The spoofed segment is only honoured if its sequence number falls in V's receive window, so H has to sniff or guess the sequence numbers in use

3-14 UDP Flood Attack
- Character Generator (chargen): a request results in a response with random characters being returned
- Used to diagnose lost packets on the path between two hosts
- Uses TCP/UDP port 19
- H can send a chargen request to V with X's source address; V responds to X, wasting both hosts' bandwidth
- If the spoofed source port is itself a reflecting service, such as echo (port 7), the two services answer each other indefinitely

3-15 Connection Hijacking
- H sends packets to server X with V's source address; each one advances the sequence number X expects from V
- All further packets from V, still carrying V's old sequence number, fall outside X's window and are discarded
- Responses for the packets from H are sent to V, confusing him
- In the figure: the hacker's segment arrives with SN=22 while V's next genuine segment still carries SN=11

3-16 ARP Spoofing
- X tries to find the MAC address of victim V: "Does anyone know V?"
- Hacker H responds to the ARP request pretending to be V: "Yes, V's address is H"
- All communication for V is captured by H
- Countermeasure: use static ARP entries
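The fragment attacks of slide 3-8 and the Ping of Death above share one root cause: the receiver reassembles without checking what the offsets imply. The following added example, not from the original slides, is a small IPv4 fragment reassembler that refuses a fragment overlapping data already received (the Teardrop style of attack) and a fragment set whose reassembled datagram would exceed 65,535 bytes. The addresses and identification values are constructed; offsets are given in bytes, i.e. the header's 8-byte units already multiplied out.

```python
MAX_IP_DATAGRAM = 65535   # the IPv4 total-length field is 16 bits
IP_HEADER_LEN = 20        # minimal header, no options


class FragmentReassembler:
    """Reassembles IPv4 fragments and refuses the two malformed cases on the
    slides: a fragment that overlaps data already received (Teardrop-style)
    and a fragment set whose reassembled datagram would exceed 65,535 bytes
    (the Ping of Death). Stacks may tolerate overlap; dropping the whole
    datagram is the conservative choice a firewall or IDS makes."""

    def __init__(self, max_datagram=MAX_IP_DATAGRAM):
        self.max_payload = max_datagram - IP_HEADER_LEN
        # (src, dst, identification, protocol) -> {"pieces": {offset: bytes}, "total": int|None}
        self.pending = {}

    def add(self, key, offset, data, more_fragments):
        """Feed one fragment. `offset` is in bytes (header value * 8).
        Returns (status, payload): status is 'pending', 'complete',
        'overlap' or 'oversize'; payload is filled in only for 'complete'."""
        end = offset + len(data)
        if end > self.max_payload:
            self.pending.pop(key, None)           # drop the whole datagram
            return "oversize", None
        buf = self.pending.setdefault(key, {"pieces": {}, "total": None})
        past_end = buf["total"] is not None and end > buf["total"]
        clash = any(offset < off + len(piece) and off < end
                    for off, piece in buf["pieces"].items())
        if past_end or clash:
            del self.pending[key]
            return "overlap", None
        buf["pieces"][offset] = data
        if not more_fragments:
            buf["total"] = end                    # the last fragment fixes the length
        if buf["total"] is not None and self._contiguous(buf):
            payload = b"".join(buf["pieces"][o] for o in sorted(buf["pieces"]))
            del self.pending[key]
            return "complete", payload
        return "pending", None

    @staticmethod
    def _contiguous(buf):
        """True when the pieces cover 0 .. total with no gap."""
        expected = 0
        for off in sorted(buf["pieces"]):
            if off != expected:
                return False
            expected += len(buf["pieces"][off])
        return expected == buf["total"]


if __name__ == "__main__":
    r = FragmentReassembler()
    key = ("10.0.0.1", "10.0.0.2", 0x1234, 1)      # constructed datagram identity
    print(r.add(key, 0, b"A" * 16, True))
    print(r.add(key, 16, b"B" * 8, False))
    bad = ("10.0.0.1", "10.0.0.2", 0x1235, 1)
    print(r.add(bad, 0, b"A" * 16, True), r.add(bad, 8, b"B" * 16, False))
    pod = ("10.0.0.1", "10.0.0.2", 0x1236, 1)
    print(r.add(pod, 65528, b"x" * 8, False))
```

The oversize check runs before anything is buffered, so the classic ping whose last fragment sits at offset 65528 is rejected without allocating the 64 KB buffer that the vulnerable stacks overran.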
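The Syn Flood, Fin and Connection Hijacking slides all turn on the server's view of connection state, so here is one added example, not from the original slides, that keeps that state for a server: it counts half-open connections per destination port and raises an alert when they pass a limit, expires them when the establishment timer runs out, and drops any FIN or RST whose sequence number is outside the receive window, which is what defeats a spoofed FIN from an attacker who has not learned the sequence numbers. The packet records, addresses, limit and timeout are constructed for the demonstration; the server ISN generator is a toy counter where a real stack would randomise.

```python
from collections import namedtuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
MOD32 = 1 << 32

# Constructed packet record; in a real tool these fields come from the parsed IP/TCP headers.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq ack length")


def in_window(x, lo, wnd):
    """True if sequence number x lies in [lo, lo + wnd - 1] modulo 2^32."""
    return (x - lo) % MOD32 < wnd


class ConnectionTracker:
    def __init__(self, half_open_limit=50, syn_timeout=30.0, window=8192):
        self.limit = half_open_limit
        self.timeout = syn_timeout
        self.window = window
        self.half_open = {}     # key -> (client_isn, server_isn, time of SYN)
        self.established = {}   # key -> rcv_nxt (next byte expected from the client)
        self.alerts = []
        self._isn = 1000        # toy server ISN generator (assumption); real stacks randomise

    def expire(self, now):
        """Reap half-open connections whose establishment timer has run out."""
        stale = [k for k, (_, _, t) in self.half_open.items() if now - t > self.timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)

    def half_open_count(self, dst, dport):
        return sum(1 for (_, _, d, p) in self.half_open if (d, p) == (dst, dport))

    def process(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        self.expire(p.ts)
        if p.flags & SYN and not p.flags & ACK:
            self._isn = (self._isn + 64000) % MOD32
            self.half_open[key] = (p.seq, self._isn, p.ts)      # SYN-ACK would go out here
            n = self.half_open_count(p.dst, p.dport)
            if n > self.limit:
                srcs = {k[0] for k in self.half_open if k[2:] == (p.dst, p.dport)}
                self.alerts.append(f"SYN flood: {n} half-open to {p.dst}:{p.dport} "
                                   f"from {len(srcs)} sources")
            return "syn-ack-sent"
        if key in self.half_open:
            client_isn, server_isn, _ = self.half_open[key]
            if (p.flags & ACK and p.ack == (server_isn + 1) % MOD32
                    and p.seq == (client_isn + 1) % MOD32):
                del self.half_open[key]
                self.established[key] = p.seq
                return "established"
            return "dropped: bad handshake ack"
        if key in self.established:
            rcv_nxt = self.established[key]
            if not in_window(p.seq, rcv_nxt, self.window):
                return "dropped: out-of-window"   # a spoofed FIN/RST with a guessed seq lands here
            if p.flags & (FIN | RST):
                del self.established[key]
                return "closed"
            if p.seq == rcv_nxt:                  # in-order data advances the expected byte
                self.established[key] = (rcv_nxt + p.length) % MOD32
            return "data"
        return "dropped: no connection"


def run_scenario():
    """Constructed traffic: one legitimate connection, a spoofed FIN from H that
    guesses the sequence number wrong, then 60 SYNs from spoofed sources that
    never complete the handshake (the SYN flood)."""
    tr = ConnectionTracker(half_open_limit=50)
    ev = []
    ev.append(tr.process(Pkt(0.0, "10.0.0.5", 40000, "10.0.0.1", 80, SYN, 10, 0, 0)))
    server_isn = tr.half_open[("10.0.0.5", 40000, "10.0.0.1", 80)][1]
    ev.append(tr.process(Pkt(0.1, "10.0.0.5", 40000, "10.0.0.1", 80, ACK, 11, server_isn + 1, 0)))
    ev.append(tr.process(Pkt(0.2, "10.0.0.5", 40000, "10.0.0.1", 80, ACK, 11, server_isn + 1, 100)))
    # H forges X's address and port but does not know X's current sequence number
    ev.append(tr.process(Pkt(0.3, "10.0.0.5", 40000, "10.0.0.1", 80, FIN | ACK, 999999, server_isn + 1, 0)))
    for i in range(60):
        ev.append(tr.process(Pkt(1.0 + i * 0.01, f"192.0.2.{i + 1}", 50000, "10.0.0.1", 80,
                                 SYN, 5000 + i, 0, 0)))
    return tr, ev


if __name__ == "__main__":
    tracker, events = run_scenario()
    print(events[:4], tracker.half_open_count("10.0.0.1", 80), tracker.alerts[:1])
```

The window test is the one RFC 793 prescribes; RFC 5961 tightens it further for RST (exact match on rcv_nxt, otherwise a challenge ACK) precisely because an in-window guess is feasible against a large window.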
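For the ARP Spoofing slide, an added example (not from the original slides) of the detection side: a monitor that learns IP-to-MAC bindings from ARP replies and alerts when a binding changes, which is the visible symptom of H answering for V. Entries passed in as `static` model the slide's countermeasure: a pinned binding is never overwritten and any reply contradicting it is rejected. The reply records and addresses are constructed; a real monitor would fill them from sniffed ARP frames.

```python
from collections import namedtuple

# Constructed ARP reply record; a real monitor fills this from sniffed ARP frames.
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")


class ArpWatch:
    """Tracks which MAC claims each IP. `static` holds pinned bindings (the
    slide's static-ARP countermeasure); everything else is learned."""

    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.table = dict(self.static)
        self.alerts = []   # (time, ip, previous mac, claimed mac, reason)

    def observe(self, reply):
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac                      # first claim wins, as a real cache does
            return "learned"
        if known == mac:
            return "ok"
        if ip in self.static:
            self.alerts.append((reply.ts, ip, known, mac, "contradicts static entry"))
            return "rejected"                         # pinned binding is kept
        self.alerts.append((reply.ts, ip, known, mac, "binding changed"))
        self.table[ip] = mac                          # unpinned: cache is poisoned, but logged
        return "changed"


def run_arp_scenario():
    """Constructed frames: V (10.0.0.2) is pinned, X (10.0.0.3) is not; H claims both."""
    w = ArpWatch(static={"10.0.0.2": "AA:BB:CC:00:00:02"})
    results = [
        w.observe(ArpReply(1.0, "10.0.0.2", "aa:bb:cc:00:00:02")),   # genuine reply from V
        w.observe(ArpReply(1.5, "10.0.0.3", "aa:bb:cc:00:00:03")),   # X learned
        w.observe(ArpReply(2.0, "10.0.0.2", "de:ad:be:ef:00:01")),   # H pretends to be V
        w.observe(ArpReply(2.5, "10.0.0.3", "de:ad:be:ef:00:01")),   # H pretends to be X
    ]
    return w, results


if __name__ == "__main__":
    watch, results = run_arp_scenario()
    print(results)
    for alert in watch.alerts:
        print(alert)
```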
3-17 DNS Spoofing
- The DNS server is compromised to provide H's IP address for V's name
- X asks the compromised DNS server "What's the IP address for x.com?" and is told "The IP address for x.com is H"
- Countermeasure

3-18 E-Mail Spoofing
- The From address is spoofed, e.g. "From: God@heavens.com"
- A malware attachment appears to come from a friendly address

3-19 Web Spoofing
- The web site looks like another: Southwest Airline, http://airlines.ws/southwest-airline.htm
- For every .gov site there is a .com or .net giving similar information
- For misspellings of popular businesses there are web sites

3-20 Summary
1. TCP: port numbers, sequence numbers, ack, flags
2. IP addresses are easy to spoof; ARP and DNS are not secure
3. Flags: Syn Flood, Ping of Death, Smurf, Fin, Connection Hijacking
4. UDP Flood Attack
5. Application addresses are not secure

3-22 Lab Homework 3
This lab consists of using the following tools:
- XP Keylogger: http://www.bestvistadownloads.com/download/t-free-xp-keylogger-download-zhtdqdgn.html
- Snort (intrusion detection system): http://www.codecraftcanada.com/Snort
- Password dump, Pwdump3: http://www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003
- John the Ripper (brute-force password attack): http://www.openwall.com/john/

3-23 Lab Homework 3 (Cont.)
If you have two computers you can install these programs on one computer and conduct these exercises. Alternately, you can remote desktop to CSE571XPC and conduct exercises 1-4, and then remote desktop to CSE571XPS and conduct exercise 5. Use your last name with spaces removed as your user name.

3-24 1. Keylogger
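The Web Spoofing slide lists three ways a fake site borrows a real name: a lookalike host carrying the brand somewhere in the URL, a .com/.net twin of a .gov site, and a misspelling of a popular business. The following added example, not from the original slides, classifies a URL against a small allow-list of known domains using exactly those three tests: TLD swap on an identical label, Levenshtein distance on the registrable label for typosquats, and the brand label embedded in a subdomain or path. The allow-list and sample URLs are constructed; the domain splitter takes the last two labels and ignores multi-part public suffixes such as .co.uk.

```python
from urllib.parse import urlsplit

# Constructed allow-list of legitimate domains (assumption, not from the slides).
KNOWN_GOOD = {"southwest.com", "irs.gov", "paypal.com", "google.com"}


def edit_distance(a, b):
    """Levenshtein distance by the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(host):
    """(registrable label, tld) for a host name. Deliberately naive: it takes
    the last two labels, so 'x.co.uk' gives ('co', 'uk'); a production tool
    would consult the public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify_host(host, known=KNOWN_GOOD, max_distance=2):
    """Return (verdict, matched known domain or None)."""
    label, tld = split_domain(host)
    if f"{label}.{tld}" in known:
        return "known", f"{label}.{tld}"
    best = None
    for k in sorted(known):
        klabel, ktld = split_domain(k)
        if label == klabel and tld != ktld:
            return "tld-swap", k                 # irs.com standing in for irs.gov
        d = edit_distance(label, klabel)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, k)                        # gooogle.com, paypa1.com
    if best:
        return "typosquat", best[1]
    return "unknown", None


def classify_url(url, known=KNOWN_GOOD, max_distance=2):
    """Host checks first; then look for a known brand label buried in the
    host or path, as in airlines.ws/southwest-airline.htm."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    verdict, match = classify_host(host, known, max_distance)
    if verdict != "unknown":
        return verdict, match
    label, _ = split_domain(host)
    haystack = (host + parts.path).lower()
    for k in sorted(known, key=len, reverse=True):   # prefer the longest brand label
        klabel, _ = split_domain(k)
        if klabel != label and klabel in haystack:
            return "brand-embedded", k
    return "unknown", None


if __name__ == "__main__":
    for u in ["http://www.southwest.com/", "http://airlines.ws/southwest-airline.htm",
              "http://irs.com/refund", "http://gooogle.com", "http://example.org/"]:
        print(u, classify_url(u))
```

Short brand labels make the substring test noisy ("irs" would match inside many words), which is why real typosquat monitors weight by label length and check the registrable domain separately from the path.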
- Delete all previous log files, if any (E:\Program Files\XP Keylogger\logs)
- Start XP Keylogger
- Browse to www.google.com and search for your name
- Stop the keylogger
- CD to E:\Program Files\XP Keylogger\logs
- Open the .htm file in the browser
- Note down the text shown there on a paper and submit it
- Delete the log (E:\Program Files\XP Keylogger\logs)

2. Snort
- Delete all the previous logs, if any (E:\snort\log\new)
- Start Snort
- Go back to your machine
- Run smbdie to attack