TCP/IP Security Attacks
Raj Jain, Washington University in Saint Louis, Saint Louis, MO 63130, jain@cse.wustl.edu
These slides are available on-line at http://www.cse.wustl.edu/~jain/cse571-09/
Washington University in St Louis, CSE571S, 2009 Raj Jain

Overview
1. TCP: Segment Format, Connection Setup, Disconnect
2. IP: Address Spoofing, Covert Channel, Fragment Attacks, ARP, DNS
3. TCP: Flags, Syn Flood, Ping of Death, Smurf, Fin
4. UDP Flood Attack
5. Connection Hijacking
6. Application: E-Mail, Web Spoofing

TCP Segment Format
Header fields: Source Port, Destination Port, Sequence Number, Ack Number, Data Offset, Reserved, flags (Urg, Ack, Push, Reset, Syn, Fin), Window, Checksum, Urgent Pointer, Options, Padding, Data
- Urgent: deliver immediately at destination
- Push: leave source immediately
- First data byte is ISN+1
- Ack is next byte expected; expecting Ack to Ack+Window-1 next

TCP Connection Setup
- Three-way handshake: Syn (ISN 10), Syn Ack 33 (ISN 22), Ack 44
- Start connection-establishment timer (half-open connection)

TCP Disconnection
- Fin: no more data, connection can be closed
- Four-way handshake: Fin, Ack, Fin, Ack

IP Address Spoofing
- Send requests to server with someone (X)'s IP address
- The response is received at X and discarded
- Both X and server can be kept busy: DoS attack
- Diagram: Hacker sends SA=X DA=V to Victim V; V replies SA=V DA=X to Victim X

Covert Channel
- Loki: a client-server application; uses ICMP echo to send covert commands (http://xforce.iss.net/xforce/xfdb/1452)
- Timing channel: CPU load indicates a 0 or 1 (two processes on the same machine)
- Storage channel: print queue length, large = 1, small = 0
- Diagram: Low Security Machine and High Security Machine sharing the channel

IP Fragment Attacks
- Fragments can overlap
- Final packets can be too large
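The segment-format slide above and the invalid-flag-combination slide that follows, worked as an added example that is not part of the original deck: a parser for the fixed 20-byte TCP header and a check that names the flag combinations no conforming sender emits. The sample segments and helper names (parse_tcp_header, invalid_flag_reason, build_tcp_header) are constructed here.

```python
# Added example (not from the slides): unpack a raw TCP header into the fields
# on the segment-format slide and report flag sets that violate TCP's rules.
import struct

FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

def parse_tcp_header(data):
    """Unpack the fixed 20-byte TCP header; payload starts at the data offset."""
    if len(data) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", data[:20])
    data_offset = (off_res >> 4) * 4          # header length in bytes (5 words = 20)
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "data_offset": data_offset, "window": win, "checksum": csum, "urgent_ptr": urg,
        "flags": {name for name, bit in FLAG_BITS.items() if flags & bit},
        "payload": data[data_offset:],
    }

def invalid_flag_reason(flags):
    """Return why a flag set is illegal for a conforming TCP, or None if it is acceptable."""
    if not flags:
        return "null scan: no flags set"
    if "SYN" in flags and "FIN" in flags:
        return "SYN+FIN: open and close in one segment"
    if "SYN" in flags and "RST" in flags:
        return "SYN+RST: open and abort in one segment"
    if {"FIN", "PSH", "URG"} <= flags and "ACK" not in flags:
        return "xmas scan: FIN/PSH/URG without ACK"
    if "ACK" not in flags and "SYN" not in flags and "RST" not in flags:
        return "non-SYN/RST segment without ACK"
    return None

def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Constructed test helper: 20-byte header, data offset 5 words, zero checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)

# Constructed samples using the handshake slide's ISN of 10: a plain client SYN,
# then a SYN+FIN segment of the kind the flags slide warns can crash or hang a receiver.
SYN_SEG = build_tcp_header(40000, 80, 10, 0, FLAG_BITS["SYN"])
SYNFIN_SEG = build_tcp_header(40000, 80, 10, 0, FLAG_BITS["SYN"] | FLAG_BITS["FIN"])

if __name__ == "__main__":
    for seg in (SYN_SEG, SYNFIN_SEG):
        hdr = parse_tcp_header(seg)
        print(sorted(hdr["flags"]), invalid_flag_reason(hdr["flags"]))
```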
TCP Flags
- Invalid combinations may cause recipient to crash or hang

Syn Flood
- A sends a Syn request with IP address of X to Server V
- V sends a Syn Ack to X
- X discards the Syn Ack, leaving a half-open connection at V
- Many open connections exhaust resources at V: DoS
- Diagram: Hacker sends Syn SA=X DA=V to Victim V; V sends Syn Ack SA=V DA=X to Victim X

Ping of Death
- Send a ping with more than 64 kB in the data field
- Most systems would crash, hang, or reboot

Smurf
- Send a broadcast echo request with V's source address
- All the echo replies will make V very busy

Fin
- In the middle of a conversation between X and V, H sends a packet with the Fin flag to V
- V closes the connection and disregards all further packets from X
- RST flag can be used similarly
- Diagram: Hacker sends Fin SA=X DA=V to Victim V; V sends Fin Ack SA=V DA=X to Victim X

UDP Flood Attack
- Character Generator (Chargen): a request results in a response with random characters being returned
- Used to diagnose lost packets on the path between two hosts
- Uses TCP/UDP port 19
- H can send a chargen request from X to V; V can respond to X, wasting their bandwidth
- Diagram: Hacker sends Chargen SA=X DA=V to Victim V; V sends Char SA=V DA=X to Victim X

Connection Hijacking
- H sends packets to server V, which increments the sequence number for the connection from X
- All further packets from X are discarded at V
- Responses for packets from H are sent to V, confusing him
- Diagram: Victim X sends SA=X DA=V SN=22; Hacker H sends SA=X DA=V SN=110 to Victim V

ARP Spoofing
- X tries to find the MAC address of Victim V
- Hacker H responds to the ARP request pretending to be V
- All communication for V is captured by H
- Hacker may flood fraudulent ARP requests and replies
- Countermeasure: use static ARP
- Diagram: X asks "Does anyone know V?"; Hacker H answers "Yes, V's address is H"

DNS Spoofing
- DNS server is compromised to provide H's IP address for V
- Virus can modify hosts files
- Access router modified to point to poisoned DNS: Pharming
- Phishing: "security patch from www.microsoft.com" (link points to 128.252.160.33/download)
- DNS zone transfer: ask DNS for all domain names and addresses; allows attackers to footprint
- Diagram: Compromised X asks DNS "What's the IP address for v.com?"; Hacker answers "IP address for v.com is H"

E-Mail Spoofing
- From address is spoofed
- Malware attachment comes from a friendly address
- From: God@heavens.com

Web Spoofing
- The web site looks like another: "Southwest Airline", http://airlines.ws/southwest-airline.htm
- For every .gov site there is a .com/.net giving similar information: nsf.com, tsa.com, whitehouse.com
- For misspellings of popular businesses there are web sites: microshoft.com

Summary
1. TCP: port numbers, sequence numbers, ack, flags
2. IP addresses are easy to spoof; ARP and DNS are not secure
3. Flags: Syn Flood, Fin
4. Ping of Death, Smurf, Connection Hijacking
5. UDP Flood Attack
6. Application addresses are not secure

Lab Homework 3
This lab consists of using the following tools:
- XP Keylogger: http://www.bestvistadownloads.com/download/t-free-xpkeylogger-download-zhtdqdgn.html
- SMBdie: a tool to crash Windows servers, described at http://www.windowsecurity.com/articles/SMBDie-Crashing-Windows-Servers-with-Ease.html,
  download from http://packetstormsecurity.org/0208-exploits/SMBdie.zip
- Snort vulnerability scanner: http://www.codecraftcanada.com/Snort
- Password dump: Pwdump3, http://www.openwall.com/passwords/dl/pwdump/pwdump3v2.zip
- John the Ripper: brute-force password attack, http://www.openwall.com/john/

Lab Homework 3 (Cont)
- If you have two computers, you can install these programs on one computer and conduct these exercises. Alternately, you can remote desktop to
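The Syn Flood slide and the connection-establishment timer on the handshake slide, worked from the server's side as an added example that is not part of the original deck: a tracker that counts half-open connections, expires them when the timer runs out, and alerts when the backlog of unanswered SYNs crosses a threshold. The class and function names (HalfOpenTracker, replay), the timer and threshold values, and the sample event stream are constructed here.

```python
# Added example (not from the slides): count half-open connections at a server
# from a stream of (time, client, flags) events and alert on a Syn Flood backlog.
from collections import OrderedDict

class HalfOpenTracker:
    def __init__(self, timeout=30.0, threshold=100):
        self.timeout = timeout        # connection-establishment timer, seconds (assumed value)
        self.threshold = threshold    # backlog size that triggers an alert (assumed value)
        self.pending = OrderedDict()  # (client_ip, client_port) -> time the SYN was seen
        self.alerts = []              # (time, backlog) whenever the threshold is exceeded

    def _expire(self, now):
        # SYNs never acknowledged within the timer are dropped, as a server would do;
        # spoofed sources in a flood never send the final ACK, so only the timer clears them.
        while self.pending:
            key, t0 = next(iter(self.pending.items()))
            if now - t0 < self.timeout:
                break
            self.pending.popitem(last=False)

    def observe(self, now, client, flags):
        """flags is the set of TCP flag names on a segment from client; returns the backlog."""
        self._expire(now)
        if "SYN" in flags and "ACK" not in flags:
            self.pending[client] = now            # new half-open connection
        elif "ACK" in flags or "RST" in flags:
            self.pending.pop(client, None)        # handshake completed or aborted
        backlog = len(self.pending)
        if backlog > self.threshold:
            self.alerts.append((now, backlog))
        return backlog

def replay(events, timeout=30.0, threshold=100):
    tracker = HalfOpenTracker(timeout, threshold)
    for now, client, flags in events:
        tracker.observe(now, client, flags)
    return tracker

# Constructed sample: one legitimate client completes its handshake, then 150 SYNs
# arrive within 150 ms from a spoofed source that never replies to the Syn Ack.
LEGIT = [(0.0, ("10.0.0.5", 40000), {"SYN"}), (0.1, ("10.0.0.5", 40000), {"ACK"})]
FLOOD = [(1.0 + i / 1000, ("198.51.100.7", 1000 + i), {"SYN"}) for i in range(150)]

if __name__ == "__main__":
    t = replay(LEGIT + FLOOD)
    print("half-open:", len(t.pending), "first alert:", t.alerts[0] if t.alerts else None)
```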
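The static-ARP countermeasure on the ARP Spoofing slide, as an added example that is not part of the original deck: ARP replies are compared against a fixed IP-to-MAC table, and a reply that claims V's IP for another MAC, or one MAC answering for several IPs, is reported. The table, the sample replies and the function names (check_arp_replies, macs_claiming_many) are constructed here.

```python
# Added example (not from the slides): validate observed ARP "is-at" replies
# against a static IP-to-MAC table and report spoofing indicators.
from collections import defaultdict

# Constructed static table for the slide's scenario: X and V are known hosts.
STATIC_ARP = {
    "10.0.0.1": "aa:bb:cc:00:00:01",   # X
    "10.0.0.2": "aa:bb:cc:00:00:02",   # V
}

def check_arp_replies(static_table, replies):
    """replies: iterable of (ip, mac) taken from ARP reply frames.
    Returns a list of (ip, expected_mac, claimed_mac) for replies that
    contradict the static table; unknown IPs are not flagged here."""
    conflicts = []
    for ip, mac in replies:
        expected = static_table.get(ip)
        if expected is not None and expected.lower() != mac.lower():
            conflicts.append((ip, expected.lower(), mac.lower()))
    return conflicts

def macs_claiming_many(replies, limit=1):
    """Return {mac: sorted IPs} for MACs that answer for more than `limit` IPs,
    the pattern left by a host flooding fraudulent replies for several victims."""
    claimed = defaultdict(set)
    for ip, mac in replies:
        claimed[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in claimed.items() if len(ips) > limit}

# Constructed sample: V answers for itself, then H (aa:bb:cc:00:00:99) answers
# "V's address is H" and also claims X's address.
REPLIES = [
    ("10.0.0.2", "aa:bb:cc:00:00:02"),
    ("10.0.0.2", "AA:BB:CC:00:00:99"),
    ("10.0.0.1", "aa:bb:cc:00:00:99"),
]

if __name__ == "__main__":
    print(check_arp_replies(STATIC_ARP, REPLIES))
    print(macs_claiming_many(REPLIES))
```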