presentation on tcp-ip vulnerabilities

DESCRIPTION

TCP/IP Vulnerabilities

As usage of the Internet and TCP/IP protocols increases, their lack of built-in security has become more and more problematic. This paper describes a variety of basic flaws in TCP/IP protocols and their implementations, and discusses solutions and workarounds to these problems. It also covers exploitation of various design and implementation vulnerabilities using standard tools.

TRANSCRIPT
TCP/IP Vulnerability
Prepared By: Mohit Kohli
11th June 2007
Section 1: Introduction

A quick review on:
• TCP (Transmission Control Protocol)
• IP (Internet Protocol)
• Packet structure
• Flags
• Fragmentation
• TCP communication mechanism
Introduction on TCP – PACKETS

• TCP – Transmission Control Protocol (TCP) runs on top of IP, and provides a connection-oriented service between the sender and the receiver.
• TCP provides guaranteed delivery, and ensures that the packets are delivered in sequence.
• The underlying network, IP, is highly unreliable and does not provide any guarantee for TCP.
• In order to provide reliability between the sender and the receiver, TCP uses various mechanisms, such as sequence numbers, acknowledgments, 3-way handshakes and timers.
• In the TCP protocol, the important things in a packet are the essential IP packet headers, and various TCP-specific headers and flags. These include: source port, destination port, header lengths, the sequence number, the ACK number, the checksum and various other flags.

Here is a diagram to illustrate the basic format of a typical TCP packet (diagram not reproduced in the transcript).
IP Packet

• IP – IPv4 is a datagram protocol primarily responsible for addressing and routing packets between hosts.
• IPv4 is connectionless, which means that it does not establish a connection before exchanging data, and unreliable, which means that it does not guarantee packet delivery.
• There are a lot of headers in the IP section of a packet. Some of the essential ones include: source address, destination address, TOS, TTL, packet ID, protocol (i.e. TCP or UDP), IP version (4, obviously), packet length, the checksum, and the IP header length. These need to be set in every packet/datagram/segment sent, be it TCP, UDP or ICMP.

Packet Example:
• 1,460: data after the TCP header (the payload)
• 20: typical TCP header size
• 20: typical IP header size
• 14: typical Ethernet header size
• 4: CRC size
• 1,518: maximum Ethernet packet size
TCP Packet Component Example:
• Flags: 0x0010 (ACK) = 00010000, Window Size: 64512
• Flags: 0x0018 (PSH, ACK) = 00011000, Window Size: 65059

A checksum is a computed value that allows you to check the validity of something. Typically, checksums are used in data transmission contexts to detect whether the data has been transmitted successfully. For example, the Cyclic Redundancy Check algorithms CRC-8, CRC-16 and CRC-32 do fairly complex things to make the checksum sensitive to such problems.

Ref on Transmission Control Protocol: http://www.faqs.org/ftp/rfc/pdf/rfc793.txt.pdf

Flags Structure
• F: FIN - Finish; end of session
• S: SYN - Synchronize; indicates a request to start a session
• R: RST - Reset; drop a connection
• P: PSH - Push; packet is sent immediately
• A: ACK - Acknowledgement
• U: URG - Urgent
• E: ECE - Explicit Congestion Notification Echo
• W: CWR - Congestion Window Reduced
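The flag decoding and checksum verification described above, as an added example (not code from the presentation). It parses the fixed 20-byte TCP header with the standard library, decodes the flag byte (0x10 = ACK, 0x18 = PSH,ACK) and checks the RFC 1071 one's-complement checksum over the IPv4 pseudo-header; the addresses, ports and segment are constructed sample values.

```python
import socket
import struct

# TCP flag bits in the low byte of the flags field, matching the table above.
TCP_FLAGS = [(0x80, "CWR"), (0x40, "ECE"), (0x20, "URG"), (0x10, "ACK"),
             (0x08, "PSH"), (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]


def decode_flags(flag_byte):
    """Names of the flags set, e.g. 0x10 -> ['ACK'], 0x18 -> ['ACK', 'PSH']."""
    return [name for bit, name in TCP_FLAGS if flag_byte & bit]


def internet_checksum(data):
    """RFC 1071 one's-complement sum of 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip, dst_ip, tcp_len):
    """IPv4 pseudo-header that the TCP checksum also covers (protocol 6 = TCP)."""
    return struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, tcp_len)


def parse_tcp_header(segment, src_ip, dst_ip):
    """Parse the fixed 20-byte TCP header and verify its checksum."""
    sport, dport, seq, ack, off_flags, window, chksum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    pseudo = tcp_pseudo_header(src_ip, dst_ip, len(segment))
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "hdr_len": (off_flags >> 12) * 4,      # data offset is in 32-bit words
            "flags": decode_flags(off_flags & 0xFF),
            "window": window, "checksum": chksum, "urgent": urg,
            "checksum_ok": internet_checksum(pseudo + segment) == 0}


def build_tcp_header(sport, dport, seq, ack, flags, window, src_ip, dst_ip):
    """Build a 20-byte TCP header (no options, no payload) with a valid checksum."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flags, window, 0, 0)
    csum = internet_checksum(tcp_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


# Constructed sample: a PSH,ACK segment carrying the window size quoted above.
SRC_IP = socket.inet_aton("10.0.0.1")
DST_IP = socket.inet_aton("10.0.0.2")
SAMPLE_SEGMENT = build_tcp_header(1234, 80, 1000, 2000, 0x18, 65059, SRC_IP, DST_IP)

if __name__ == "__main__":
    print(parse_tcp_header(SAMPLE_SEGMENT, SRC_IP, DST_IP))
```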
Fragmentation

Fragmentation: Every packet-based network has an MTU (Maximum Transmission Unit) size. The MTU is the size of the largest packet which that network can transmit. Packets larger than the allowable MTU must be divided into multiple smaller packets, or fragments, to enable them to traverse the network.

Example: If a 2,366 byte packet enters an Ethernet network with a default MTU size, it must be fragmented into two packets.

The first packet will:
• Be 1,500 bytes in length. 20 bytes will be the IP header, 24 bytes will be the TCP header, and 1,456 bytes will be data.
• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 1 to mean "More Fragments."
• Have a Fragmentation Offset of 0.

The second packet will:
• Be 910 bytes in length. 20 bytes will be the IP header, 24 bytes will be the TCP header, and 866 bytes will be data.
• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 0 to mean "Last Fragment."
• Have a Fragmentation Offset of 182 (Note: 182 is 1456 divided by 8).
Contd…

Three of these fields are involved in packet fragmentation: Len, Offset and the More bit. Fragmentation reduces TCP throughput and increases network congestion.

Disable the Path MTU Discovery process: a low MTU value could degrade network performance, since it increases fragmentation.

Figure: Fragmentation (3,600)

• Len: total length of the fragment
• Offset: distance from the first byte of the original datagram
• More: indicates whether the fragment has more to follow
Captured TCP Packet structure (figure not reproduced in the transcript)

Captured UDP Packet structure (figure not reproduced in the transcript)
TCP Three-Way Handshake
A TCP connection is initialized through a three-way handshake. The purpose of the three-way handshake is to synchronize the sequence number and acknowledgment numbers of both sides of the connection and to exchange TCP window sizes. The following steps outline the process for the common situation when a client computer contacts a server computer:
1. The client sends a TCP segment to the server with an initial sequence number for the connection and a window size indicating the size of a buffer on the client to store incoming segments from the server.
2. The server sends back a TCP segment containing its chosen initial sequence number, an acknowledgment of the client’s sequence number, and a window size indicating the size of a buffer on the server to store incoming segments from the client.
3. The client sends a TCP segment to the server containing an acknowledgment of the server's sequence number.

TCP uses a similar handshake process to end a connection. This guarantees that both hosts have finished transmitting and that all data was received.

TCP connections have three main parts: connection establishment, data exchange, and connection termination.
HTTP Elements
• HTTP clients send HTTP requests that contain a method, or command, that indicates what the client wants
• HTTP Methods
• The HTTP GET Command
Sample HTTP Communications: 3-way handshake communication for the HTTP application protocol (figure not reproduced in the transcript)
Section 2: TCP/IP Vulnerability
• Overlapping IP fragments
• Teardrop
• Land
• SYN Attack
• Ping Flooding
• IP Spoofing
• SYN Guessing
• Smurf Attack
• Source Routing
• TCP Hijacking
• Man-in-the-Middle Attack
• Countermeasures
Overlapping IP fragments

Linux and Microsoft have a serious bug in their IP fragmentation module, more specifically in the fragment reassembly code.

Explanation: When Linux reassembles IP fragments to form the original IP datagram, it runs in a loop, copying the payload from all the queued fragments into a newly allocated buffer (which would then normally be passed to the IP layer proper). If we find that the current fragment's offset is inside the end of a previous fragment (overlap), we need to (try to) align it correctly. Well, this is fine and good, unless the payload of the current fragment happens to NOT contain enough data to cover the realigning. In that case, `offset` will end up being larger than `end`.

Description: An IP fragment overlap vulnerability may exist on NT 3.5 and 4.0 systems without the hotfixes applied that will cause a lock-up on these systems requiring a hard reset. This exploit modifies the code from the teardrop attack to incorporate the use of a SYN sequence bug. The attack will send two IP fragments, with the offset of the second fragment inside the prior packet's payload, so that it overlaps but does not include enough payload to complete the datagram. Install the latest hotfixes provided by Microsoft.

Impact: Any systems that are vulnerable to this exploit may be 'brought down', requiring a reboot of the system.
Root Cause: Insecure Design
1. Teardrop Attack

IP requires that a packet that is too large for the next router to handle be divided into fragments. The attacker's IP puts a confusing offset value in the second or later fragment. If the receiving operating system is not able to aggregate the packets accordingly, it can crash the system. It is a UDP attack, which uses overlapping offset fields to bring down hosts.

The Unnamed Attack: a variation of the Teardrop attack. The fragments are not overlapping; instead there are gaps incorporated.

Careful design of the algorithm for generating these initial sequence numbers ensures that overlap in sequence number space between different incarnations of a connection is prevented.

Overlapping fragment attack: Hackers can also craft packets so that instead of overlapping, there will be gaps between various packets. These non-adjacent fragmented packets are similar to overlapping packets because they can crash or hang older operating systems that have not been patched.
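An added example (not the presentation's code) that serves the fragmentation walkthrough above and the overlapping/gapped-fragment passages: a fragmenter plus a reassembler that refuses, rather than "realigns", fragments that overlap or leave gaps, and that reports the teardrop condition (a fragment whose payload does not reach past the overlap, so offset would end up larger than end) as an error. It assumes the RFC 791 convention that the offset field counts 8-byte units of IP payload (TCP header included) and that only the first fragment carries the TCP header; the fragment sets are constructed.

```python
def fragment(payload, mtu, ihl=20):
    """Split an IP payload (TCP header + data) into fragments that fit `mtu`.
    Per RFC 791 every fragment but the last carries a multiple of 8 payload
    bytes, and the offset field counts 8-byte units from the start of the
    original payload. Returns (offset_in_8_byte_units, more_fragments, bytes)."""
    max_chunk = (mtu - ihl) // 8 * 8
    frags, pos = [], 0
    while pos < len(payload):
        chunk = payload[pos:pos + max_chunk]
        more = pos + len(chunk) < len(payload)
        frags.append((pos // 8, more, chunk))
        pos += len(chunk)
    return frags


def reassemble(frags, strict=True):
    """Rebuild the payload from fragments. With strict=True any overlap or gap
    is rejected outright. With strict=False an overlap is 'realigned' by
    skipping the bytes already held, and the teardrop case (a fragment whose
    payload does not even reach past the overlap) is reported as an error
    instead of being turned into a bogus copy length."""
    ordered = sorted(frags, key=lambda f: f[0])
    buf, expected_end = bytearray(), 0
    for i, (off8, more, data) in enumerate(ordered):
        start, end = off8 * 8, off8 * 8 + len(data)
        if start > expected_end:
            raise ValueError("gap before offset %d" % start)
        if start < expected_end:
            if strict:
                raise ValueError("overlapping fragment at offset %d" % start)
            data = data[expected_end - start:]
            if not data:
                raise ValueError("overlap longer than fragment payload")
        if more != (i < len(ordered) - 1):
            raise ValueError("MF flag inconsistent with fragment position")
        buf += data
        expected_end = max(end, expected_end)
    return bytes(buf)


def reassembles_cleanly(frags, strict=True):
    """True when the fragment set reassembles without overlap/gap errors."""
    try:
        reassemble(frags, strict)
        return True
    except ValueError:
        return False


# Constructed teardrop-style pair: the second fragment starts 24 bytes into the
# first one's payload and ends where the first one ends.
TEARDROP_FRAGS = [(0, True, bytes(32)), (3, False, bytes(8))]
```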
Abnormal Fragmentation

The figure shows a specially crafted packet with abnormal fragmentation (figure not reproduced in the transcript).
Teardrop Attack Tool: Jolt2
• Allows remote attackers to cause a Denial of Service attack against Windows-based machines.
• Causes the target machines to consume 100% of the CPU time processing illegal packets.
• Not Windows-specific; many Cisco routers and other gateways might be vulnerable.
Teardrop Attack Tool: Bubonic.c
• Bubonic.c is a DoS exploit that can be run against Windows 2000 machines.
• It works by randomly sending TCP packets, with random settings, with the goal of increasing the load of the machine, so that it eventually crashes.

c:\> bubonic 12.23.23.2 10.0.0.1 100

• The teardrop attack exploits overlapping IP fragments and can crash Windows 95, Windows NT, and Windows 3.1 machines.
2. Land
• IP spoofing in combination with the opening of a TCP connection.
• Both IP addresses, source and destination, are modified to be the same: the address of the destination host.
• This results in sending the packet back to itself, because the addresses are the same.
3. SYN Attack
• The attacker sends bogus TCP SYN requests to a victim server. The host allocates resources (memory, sockets) for the connection.
• It prevents the server from responding to legitimate requests.
• This attack exploits the three-way handshake.
• Malicious flooding by large volumes of TCP SYN packets to the victim system with spoofed source IP addresses can cause a DoS.
• Windows Server 2003 systems that have enabled the SynAttackProtect registry value are not vulnerable to many of the attacks. A value of 0 indicates no retransmission of packets.
Contd…

The default backlog size is 256 for Red Hat 7.3 and 100 for Windows 2000 Professional. When this size is reached, the system will no longer accept incoming connection requests.

How to detect a SYN attack:

# netstat -n -p TCP
tcp 0 0 10.100.0.200:21 237.177.154.8:25882 SYN_RECV -
tcp 0 0 10.100.0.200:21 236.15.133.204:2577 SYN_RECV -
tcp 0 0 10.100.0.200:21 127.160.6.129:51748 SYN_RECV -

Number of half-open TCP connections:

# netstat -n -p TCP | grep SYN_RECV | grep :23 | wc -l
769
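The netstat check above as detection logic, added here as an example (not from the presentation): it parses `netstat -n` style lines, counts SYN_RECV entries per local port the way the grep/wc pipeline does, and flags ports whose half-open count approaches the listen backlog. The sample output is constructed from the page's lines and is not a real capture; the backlog threshold and fraction are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the `netstat -n -p TCP` layout (not a real capture).
SAMPLE_NETSTAT = """\
tcp 0 0 10.100.0.200:21 237.177.154.8:25882 SYN_RECV -
tcp 0 0 10.100.0.200:21 236.15.133.204:2577 SYN_RECV -
tcp 0 0 10.100.0.200:23 127.160.6.129:51748 SYN_RECV -
tcp 0 0 10.100.0.200:21 10.100.0.7:40021 ESTABLISHED 1234/vsftpd
tcp 0 0 10.100.0.200:23 172.16.5.9:3001 SYN_RECV -
tcp 0 0 10.100.0.200:23 172.16.5.9:3002 SYN_RECV -
"""

# proto recv-q send-q local:port remote:port state [pid/program]
LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for each TCP line that parses."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def half_open_by_port(text):
    """SYN_RECV count per local port: `grep SYN_RECV | grep :23 | wc -l` for every port."""
    counts = Counter()
    for port, _remote, state in parse_netstat(text):
        if state == "SYN_RECV":
            counts[port] += 1
    return dict(counts)


def half_open_sources(text, port):
    """Distinct remote addresses holding half-open connections to `port`. A
    spoofed flood shows up as many unrelated sources that never complete."""
    return sorted({remote for p, remote, state in parse_netstat(text)
                   if p == port and state == "SYN_RECV"})


def syn_attack_suspected(text, backlog, fraction=0.5):
    """Ports whose half-open count exceeds `fraction` of the listen backlog.
    The page quotes a default backlog of 256 (Red Hat 7.3) and 100 (Windows
    2000 Professional); once it fills, new connection requests are dropped."""
    return {port: n for port, n in half_open_by_port(text).items()
            if n > backlog * fraction}
```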
4. PING FLOODING (ICMP flooding)

Ping of death is a denial of service (DoS) attack caused by an attacker purposely sending an IP packet larger than the 65,536 bytes allowed by the IP protocol. One of the features of TCP/IP is fragmentation. It allows a single IP packet to be broken down into smaller segments. In 1996, attackers took advantage of that feature when they found that a packet broken down into fragments could add up to more than the allowed 65,536 bytes.

Hacking Tool: SSPing
• The SSPing program sends the victim's computer a series of highly fragmented, oversized ICMP data packets.
• The computer receiving the data packets locks up when it tries to put the fragments together.
• The result is a memory overflow, which in turn causes the machine to stop responding.

Tool: PING FLOODING (Denial of Service Attack) (figure not reproduced in the transcript)
5. IP Spoofing

Due to the bad design of the TCP/IP suite, it is almost trivial to spoof a packet apparently originating from a host that is NOT you. The term 'IP spoofing' can be used to describe any process in which a person fakes, or "forges", a packet to look like it came from elsewhere, often a "trusted" host. The ability to spoof IP packets, and the fact that IPv4 does NOT check the validity of the source address and source port in a packet's headers, is one of the MAIN vulnerabilities in the TCP/IP protocol suite.

It can be of two types, i.e. Blind and Non-Blind. IP spoofing can be used in two main ways: to cause DoS, or to gain access to a system as a "trusted" host.

Blind Spoofing Challenge: Source Address, Source Port, Destination Address, Destination Port along with the ISN.
Smurf Attack: Uses the IP Spoofing Vulnerability
• The perpetrator generates a large amount of ICMP echo (ping) traffic to a network broadcast address with a spoofed source IP set to a victim host.
• The result will be a large number of ping replies (ICMP Echo Reply) flooding back to the innocent, spoofed host.
• An amplified ping reply stream can overwhelm the victim's network connection.
• The "smurf" attack's cousin is called "fraggle", which uses a UDP echo.

Figure: ICMP Echo Request with source C and destination subnet B, but originating from A (sent via the Internet).

Contd… Smurf Attack

Figure: Attacker, Internet, Receiving Network, Target.
ICMP_ECHO_REQ: Source: Target, Destination: Receiving Network
ICMP_ECHO_REPLY: Source: Receiving Network, Destination: Target
Sequence Guessing

An attempt to hijack an existing TCP session by injecting packets which pretend to come from one computer involved in the TCP session.

When new connections are created, an initial sequence number (ISN) generator is employed which selects a new 32-bit ISN. The generator is bound to a (possibly fictitious) 32-bit clock whose low-order bit is incremented roughly every 4 microseconds. Thus, the ISN cycles approximately every 4.55 hours. Since we assume that segments will stay in the network no more than the Maximum Segment Lifetime (MSL) and that the MSL is less than 4.55 hours, we can reasonably assume that ISNs will be unique.

For each connection there is a send sequence number and a receive sequence number. The initial send sequence number (ISS) is chosen by the data sending TCP, and the initial receive sequence number (IRS) is learned during the connection establishing procedure.

ISNs used must be hard to guess for those not involved in the connection.
TCP/IP SEQUENCE NUMBER ANALYSIS

Sr. No  Operating System               Attack feasibility
1       Linux                          below 0.05%
2       Windows 2000                   12.08%
3       Windows NT4 SP6a + hotfixes    15%
4       Windows 95                     100%
5       FreeBSD 4.2                    1.00%
6       OpenBSD-current                0.00%
7       HPUX11                         100.00%
8       AIX 4.3                        100.00%

The challenge is to generate unpredictable ISNs in the TCP/IP ISN generators used by a variety of operating systems.

One of the examples is inserting malicious content or malicious RCPT TO fields into an SMTP transaction in order to modify or intercept e-mails.

Guessing the right ISN from the entire 32-bit space (4,294,967,296 possibilities) is not feasible due to the excessive amount of bandwidth and time required. But increasing bandwidth and processor speed will eventually make brute-force guessing of 32-bit ISNs feasible for the average attacker.

Phase Space Analysis
Refs: http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm

x[t] = seq[t] - seq[t-1]
y[t] = seq[t-1] - seq[t-2]
z[t] = seq[t-2] - seq[t-3]
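The phase-space deltas above put to work, as an added example (not the presentation's or the cited papers' code): it maps a series of observed ISNs to (x, y, z) points and then applies the simplest predictor that model suggests (next ISN = previous ISN + previous delta), reporting how often the guess lands within a tolerance, which is the kind of number the "attack feasibility" column summarises. The two ISN generators are constructed: an RFC 793 style 4-microsecond clock with a little jitter, and a uniformly random one; the sampling interval, jitter and tolerance are assumptions.

```python
import random

MASK32 = 0xFFFFFFFF


def phase_space(seqs):
    """Map a list of observed ISNs to (x, y, z) points using the three deltas above."""
    pts = []
    for t in range(3, len(seqs)):
        x = (seqs[t] - seqs[t - 1]) & MASK32
        y = (seqs[t - 1] - seqs[t - 2]) & MASK32
        z = (seqs[t - 2] - seqs[t - 3]) & MASK32
        pts.append((x, y, z))
    return pts


def guess_success_rate(seqs, tolerance):
    """Predict each ISN as previous ISN + previous delta (the simplest use of
    the phase-space model) and return the percentage of predictions that land
    within +-tolerance of the real value, modulo 2^32."""
    hits, tries = 0, 0
    for t in range(2, len(seqs)):
        predicted = (2 * seqs[t - 1] - seqs[t - 2]) & MASK32
        diff = (seqs[t] - predicted) & MASK32
        if diff <= tolerance or diff >= (1 << 32) - tolerance:
            hits += 1
        tries += 1
    return 100.0 * hits / tries


def clock_isns(n, interval_us=250000, seed=0):
    """Constructed RFC 793 style generator: the ISN is a counter advancing
    every 4 microseconds, sampled once per connection with slight jitter."""
    rnd = random.Random(seed)
    clock, out = 0, []
    for _ in range(n):
        clock += (interval_us + rnd.randint(-100, 100)) // 4
        out.append(clock & MASK32)
    return out


def random_isns(n, seed=0):
    """Constructed generator that draws each ISN uniformly from the 32-bit space."""
    rnd = random.Random(seed)
    return [rnd.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, gen in (("clock", clock_isns), ("random", random_isns)):
        print(name, "guessable within +-5000:",
              "%.1f%%" % guess_success_rate(gen(200), 5000))
```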
Reset Attack
• The packets required for a successful Reset are based on the equation (2^32 / Initial Window Size).
• Factors responsible for the Reset attack: ISN prediction, as well as much larger TCP window selection.
• A larger window will provide greater transmission efficiency but also expand the opportunity for spoofed TCP Reset attacks.
• The 4-tuple consists of source IP address, TCP source port, destination IP address, and destination TCP port.

Operating System               Initial Window Size   Packets Required
Windows 2000 5.00.2195 SP4     64512                 66,576
Windows XP Home Edition SP1    64240                 66,858
HP-UX 11                       32768                 131,071
Nokia IPSO 3.6-FCS6            16384                 262,143
Cisco 12.2(8)                  16384                 262,143
Cisco 12.1(5)                  16384                 262,143
Cisco 12.0(7)                  16384                 262,143
Cisco 12.0(8)                  16384                 262,143
Windows 2000 5.00.2195 SP1     16384                 262,143
Windows 2000 5.00.2195 SP3     16384                 262,143
Linux 2.4.18                   5840                  735,439

Case Study on Reset Attack (figure not reproduced in the transcript)
5. Source Routing

Another variant of IP spoofing makes use of a rarely used IP option, "Source Routing" [Bellovin89]. Source routing allows the originating host to specify the path (route) that the receiver should use to reply to it. An attacker may take advantage of this by specifying a route that bypasses the real host, and instead directs replies to a path it can monitor (e.g., to itself or a local subnet). Although simple, this attack may not be as successful now, as routers are commonly configured to drop packets with source routing enabled.
7. TCP Session Hijacking

Connection hijacking exploits a "desynchronized state" in TCP communication. "TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine."

A popular method is using IP spoofing, ARP poisoning, source-routed IP packets and sequence number prediction techniques.

A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack".

A common component of such an attack is to execute a denial-of-service (DoS) attack against one end-point to stop it from responding. This attack can be either against the machine to force it to crash, or against the network connection to force heavy packet loss.
Man-in-the-Middle Attack

Figure: Sender (S) and Target (C) with the Hacker (X) placed between them by ARP poisoning on both sides.

• In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by "spoofing" the identity of the original sender, who is presumably trusted by the recipient.
• The attacker has performed an ARP poisoning attack.
• Packets are forwarded to the hacker's machine first instead of the target machine.
• The attacker exploits the IP spoofing vulnerability of the TCP/IP design.
• Another variant of the man-in-the-middle attack works against two-factor authentication using phishing.
TCP Hijacking Tool: Hunt

1) Connection management
 * Setting what connections you are interested in.
 * Detecting an ongoing connection (not only SYN started).
 * Normal active hijacking with the detection of the ACK storm.
 * ARP spoofed/Normal hijacking with the detection of successful ARP spoof.
 * Synchronization of the true client with the server after hijacking (so that the connection doesn't have to be reset).
 * Resetting connection.
 * Watching connection.
Countermeasures

• Hardening the TCP/IP stack (SYN cookies or SynAttackProtect). Ref: http://www.securityfocus.com/infocus/1729
• Applying the latest patches as recommended by your vendor.
• Perimeter network devices like the firewall and border Internet router should block IP-spoofed packets and should be capable of defending against SYN attacks. With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can reduce the likelihood of your site's networks being used to initiate forged packets by filtering outgoing packets that have a source address different from that of your internal network.
• Apply anti-spoofing filtering on network devices (TCP sequence prediction attacks can be effectively stopped by any router or firewall that is configured not to allow packets from an internal IP address to originate from an external interface).
• ISPs could prevent the transmission of fraudulently addressed packets.
• Servers could be programmed to recognize a SYN source IP address that never completes its connections.
• The last network defense against SYN floods is to distribute the flood across as many hosts or network devices as possible.
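The first countermeasure, SYN cookies, worked through as an added example (not the presentation's code and not the Linux or BSD cookie format): the server answers a SYN with an ISN that encodes a time counter, an MSS index and an HMAC over the 4-tuple, keeps no backlog entry, and accepts the connection only when the final ACK returns that cookie, which a spoofed-source SYN can never do. The cookie bit layout, the 64-second counter, the MSS table, the secret and the endpoint addresses are all assumptions.

```python
import hashlib
import hmac
import socket
import struct
import time

# Constructed cookie layout (illustrative, not the Linux or BSD wire format):
#   bits 31..24  64-second time counter t
#   bits 23..22  index into MSS_TABLE (largest MSS the server will honour)
#   bits 21..0   truncated HMAC(secret, 4-tuple || t)
MSS_TABLE = (536, 1024, 1460, 4312)
MAC_MASK = 0x3FFFFF


class SynCookieServer:
    """Answers SYNs without allocating backlog state: the SYN-ACK's ISN is the
    cookie, and only a client that really received the SYN-ACK can echo it
    (as ack-1) in the final ACK. Spoofed-source SYNs therefore cost nothing."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now            # injectable clock so the example is testable

    def _counter(self):
        return (int(self.now()) // 64) & 0xFF

    def _mac(self, src_ip, sport, dst_ip, dport, t):
        msg = struct.pack("!4sH4sHB", src_ip, sport, dst_ip, dport, t)
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big") & MAC_MASK

    def cookie(self, src_ip, sport, dst_ip, dport, client_mss):
        """ISN to send in the SYN-ACK for this 4-tuple."""
        t = self._counter()
        idx = 0
        for i, m in enumerate(MSS_TABLE):   # largest table entry <= client's MSS
            if m <= client_mss:
                idx = i
        return (t << 24) | (idx << 22) | self._mac(src_ip, sport, dst_ip, dport, t)

    def validate(self, src_ip, sport, dst_ip, dport, ack):
        """Check the final ACK of the handshake: ack-1 must be a cookie we issued
        for this 4-tuple in the current or previous counter period. Returns the
        MSS to use, or None if the ACK is forged, stale or for another 4-tuple."""
        isn = (ack - 1) & 0xFFFFFFFF
        t = isn >> 24
        if (self._counter() - t) & 0xFF > 1:
            return None
        if (isn & MAC_MASK) != self._mac(src_ip, sport, dst_ip, dport, t):
            return None
        return MSS_TABLE[(isn >> 22) & 0x3]


# Constructed sample endpoints.
CLIENT_IP = socket.inet_aton("10.0.0.1")
SERVER_IP = socket.inet_aton("10.0.0.2")
```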