GWU CS 184 - IP and TCP Protocol Security


CS 184, Network II: IP and TCP Protocol Security
Jonathan Stanton, Department of Computer Science, George Washington University
Spring 2003 / Lecture 2

Relevant Reading
• Security Problems in the TCP/IP Protocol Suite by Steve Bellovin. Computer Communications Review, Vol 19, No. 2, pp 22-48, April 1989.
• Sequence Integrity using Hash Chains by Matt Barrie. http://www.ee.usyd.edu.au/~mattb/2001/lectures/attacks.pdf
• Bugtraq Mailing list: http://online.securityfocus.com/popups/forums/bugtraq/faq.shtml
• Vulnerability Database: http://online.securityfocus.com/bid
• Crypto-Gram Newsletter: http://www.counterpane.com/crypto-gram.html
• CERT Statistics: http://www.cert.org/stats/cert_stats.html

What are Network Security Risks?
• Information disclosure:
  – IP addresses and DNS names of machines, active ports, network topology.
• Connection capture (man-in-the-middle):
  – TCP connection capture.
  – Modified DNS replies.
• DOS:
  – Network traffic DOS: ping, SYN-flood, …

In the News!
• HTTP TRACE Cross Site Scripting flaw -- a standard but almost unknown part of the HTTP protocol allows cookie stealing and impersonation attacks!
• Microsoft MSSQL remote buffer overflow takes down the Internet! (Bank of America ATMs, XP Activation servers, …)
• Sprint DSL modems have a remotely accessible admin user with the password 1234! (Spaceballs reference anyone?)
• Wireless router being used to steal money from an Israeli Post Office (bank).

Security Bug Classification
• Network security bugs or flaws can be divided into five classes:
  – Algorithm (DES is flawed)
  – Protocol (SSH or TCP is flawed)
  – Environmental (NFS on a secure LAN vs. an insecure LAN)
  – Implementation (OpenSSH v3.1, or FreeBSD 3.4 is flawed)
  – Conceptual (Telnet sends passwords in the clear)
• We will rarely discuss the first class (that's crypto 101).
• The focus is on understanding and noticing the latter four.

Protocol Flaws
• TCP sequence number generation and increment.
• Routing:
  – Source routing -- universally disabled because of high security risk and low value.
  – RIP and other older routing protocols: generally lack any authentication, or only provide source IP address authentication.
• ICMP:
  – Mostly DOS or network mapping attacks.
• DNS:
  – Queries are only protected by a simple sequence number.
  – Cache poisoning is possible.
• Ethernet ARP (Address Resolution Protocol):
  – ARP spoofing is easy -- requests are broadcast.
  – ARP storms are possible -- convince other nodes that the way to reach an IP address is through the broadcast Ethernet address…

TCP Connection Initialization
• Basic algorithm:
  – C -> S: SYN(ISNc)
  – S -> C: SYN(ISNs), ACK(ISNc)
  – C -> S: ACK(ISNs)
  – C -> S: data, or
  – S -> C: data
• What is security critical about this?
  – Can ISNs be guessed?
  – Can packets be intercepted?

Basic TCP Seq Attack
• Assuming attacker X can guess ISNs, and the target is T:
  – X -> S: SYN(ISNx), SRC=T
  – S -> T: SYN(ISNs), ACK(ISNx)
  – X -> S: ACK(ISNs), SRC=T
  – X -> S: ACK(ISNs), SRC=T, bad data.
  – Does T notice the attack?
    • Yes, it will receive S -> T, notice that a bad connection is being formed, and initiate a RST (reset) of the connection. So to succeed the attack must use a currently disconnected T, must block T from sending the packet, or must intercept the packet.
  – Does S notice the attack?
    • No. Everything looks normal as long as ACK(ISNs) is correct.

Can you know ISNs?
• Some old IP stacks incremented ISNs too slowly, so it was easy to calculate.
• Even if incremented quickly (the RFC requires 250,000 times per second), it is still possible.
  – Send a 'valid' connection request to S, see what ISNs is. Then send the attack packet with a larger ISNs based on the RTT between X and S and a guess at processing delays. If you have stable RTT latency, after only a few thousand tries you will likely hit one that works. (Note: the attack gets easier as machines and networks get faster…)
• Increment by a "random" amount for each connection.
  – Requires cryptographic operations and a 'secure' key (time of day at boot is not sufficient).

Sequence Numbers Part 2
• Even with good Initial Sequence Numbers, the sequence numbers on each data packet also matter.
• Normally, TCP increments the sequence number with each byte of data.
• TCP accepts a packet if its SN is between SNb … SNb + WINDOW.
• Otherwise it is rejected. So SNs form a type of authentication.

TCP Session Hijacking
• The attack is a form of connection desynchronization.
• Steps:
  – Attacker (X) listens to the connection between A and B.
  – At a certain time, the attacker adds new packets to A and B so that they will now think the current sequence number is different from what the other one thinks.
  – X listens to both A's and B's packets, modifies them if desired, and resends them on with 'corrected' sequence numbers.
• Also results in an ACK storm, caused by each host sending ACKs for "missing" packets that result from the desynchronized sequence numbers.

TCP Hijacking "Early" attack
• Specific attacks:
  – "Early" RST packet after the 2nd step of TCP establishment.
    • A -> B: SYN(ISNa)
    • B -> A: ACK(ISNa + 1), SYN(ISNb)
    • Xa -> B: ACK(ISNb + 1), RST ; B now thinks A has disconnected
    • Xa -> B: SYN(ISNxa) ; new connection between "A" and B
    • B -> A: ACK(ISNxa + 1), SYN(ISN'b) ; A ignores
    • Xa -> B: ACK(ISN'b + 1) ; now Xa is in the middle

TCP Hijacking "Null" attack
• A -> B : ACK(SNb)
• B -> A : ACK(SNa)
• Xa -> B : ACK(SNb + 1) ; null one byte data …
• Xa -> B : ACK(SNb + n) ; null one byte data
• The total is n bytes of data that B received thinking it was from A, but it was really from X. So B's sequence number is now n larger than A thinks it should be.

Denial of Service Attacks
• SYN flooding
  – The attacker sends the initial SYN packet of a TCP connection, but never completes it. It just keeps initiating more TCP connections. The target's memory/kernel resources have to track all of the potential connections and get overwhelmed.
  – Solved in
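The following is an added example, not part of the lecture slides and not code from the course. It is a toy model of the sequence-number mechanics the slides lean on: a keyed-hash initial sequence number generator of the kind the "Can you know ISNs?" slide calls for ("cryptographic operations and a secure key"), the receive-window check from "Sequence Numbers Part 2" done with 32-bit wraparound, and a small simulation of why the desynchronized pair in the "Null" attack slide ends up in an ACK storm. The ISN construction follows RFC 1948 / RFC 6528 (ISN = M + F(4-tuple, secret), with M the 4 microsecond clock the slide cites); the function names, the secret, the addresses and the packet trace are all constructed for illustration. The receiver is simplified (it does not trim partially overlapping segments) so that the desynchronization point is easy to see.

```python
"""Added example (not from the lecture): a toy model of TCP sequence-number
defences. Constructed key, addresses and trace; simplified receiver."""
import hashlib
import hmac
import struct
from ipaddress import ip_address

SEQ_MOD = 1 << 32           # TCP sequence numbers are 32-bit and wrap
TICKS_PER_SECOND = 250_000  # the ISN clock rate the slide cites (one tick per 4 us)


def keyed_isn(local_ip, local_port, remote_ip, remote_port, secret, now_seconds):
    """ISN = M + F(4-tuple, secret), the RFC 1948 / RFC 6528 construction.

    M is the 4 us clock, so ISNs still advance over time; F is a keyed hash of
    the connection's 4-tuple, so the ISN S hands to X for X's own connection
    tells X nothing about the ISN S would use for a connection claiming to be T."""
    four_tuple = (ip_address(local_ip).packed + struct.pack("!H", local_port)
                  + ip_address(remote_ip).packed + struct.pack("!H", remote_port))
    f = hmac.new(secret, four_tuple, hashlib.sha256).digest()[:4]
    m = int(now_seconds * TICKS_PER_SECOND)
    return (m + struct.unpack("!I", f)[0]) % SEQ_MOD


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """The slide's acceptance rule: SNb <= SN < SNb + WINDOW, modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def ack_beyond_sent(ack, snd_nxt):
    """True if ack covers bytes past snd_nxt. RFC 793 treats such an ACK as
    unacceptable: the host drops it and answers with an empty ACK of its own."""
    return 0 < (ack - snd_nxt) % SEQ_MOD < (1 << 31)


def receive(segments, rcv_nxt, rcv_wnd):
    """Run B's side over (seq, length) segments; return (rcv_nxt, accepted, rejected).
    A segment is kept only if its first byte is inside the window, and only an
    in-order segment advances rcv_nxt (real TCP also trims partial overlaps)."""
    accepted = rejected = 0
    for seq, length in segments:
        if not seq_in_window(seq, rcv_nxt, rcv_wnd):
            rejected += 1
            continue
        accepted += 1
        if seq == rcv_nxt:
            rcv_nxt = (rcv_nxt + length) % SEQ_MOD
    return rcv_nxt, accepted, rejected


def ack_storm(a_snd_nxt, b_rcv_nxt, rcv_wnd):
    """True if A and B, left alone, trade empty ACKs indefinitely.
    B sends ACK(b_rcv_nxt). If that acknowledges data A has not sent, A drops
    it and replies with an empty ACK whose seq is a_snd_nxt. If that seq lies
    outside B's window, B drops it and sends ACK(b_rcv_nxt) again. No packet
    carries data, so nothing changes until a packet is lost."""
    if not ack_beyond_sent(b_rcv_nxt, a_snd_nxt):
        return False
    return not seq_in_window(a_snd_nxt, b_rcv_nxt, rcv_wnd)


# Constructed trace of what B sees: (seq, payload length), window 4096 at 1000.
# Two genuine segments from A, then the slide's "null" injection: X forges one
# segment as A that lands exactly in order, so B accepts it and moves on.
TRACE = [
    (1000, 100),  # A, in order
    (1100, 100),  # A, in order
    (1200, 50),   # X forged as A: in order, accepted, B's rcv_nxt becomes 1250
    (1200, 30),   # A's real next segment: its first byte is now behind B's window
]
A_SND_NXT_AFTER_TRACE = 1230  # A believes it has sent through byte 1229


def demo():
    """Return the observations a reader should check; see the usage note."""
    secret = b"constructed-boot-secret-not-a-real-key"
    isn_for_x = keyed_isn("10.0.0.5", 23, "10.0.0.77", 40000, secret, 1000.0)
    isn_for_t = keyed_isn("10.0.0.5", 23, "10.0.0.9", 40000, secret, 1000.0)
    b_rcv_nxt, accepted, rejected = receive(TRACE, 1000, 4096)
    return {
        "isns_differ_per_peer": isn_for_x != isn_for_t,
        "b_rcv_nxt": b_rcv_nxt,
        "accepted": accepted,
        "rejected": rejected,
        "storm": ack_storm(A_SND_NXT_AFTER_TRACE, b_rcv_nxt, 4096),
        "storm_when_in_sync": ack_storm(b_rcv_nxt, b_rcv_nxt, 4096),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two points of the slides in one place: the keyed ISN differs per peer, so observing the ISN issued to one address does not help with another, while the ISN still advances by 250,000 per second of clock; and once B has accepted the forged 50 bytes, A's genuine segment is rejected as behind the window, B's rcv_nxt (1250) is ahead of what A believes it has sent (1230), and `ack_storm` reports the endless exchange of empty ACKs, which stops as soon as the two sequence numbers agree again.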

