

Threats to TCP/IP Security

This report was prepared by Chris Rodgers (now Allied Telesyn) as a special project for COSC in 2001

1. Introduction

1.1 Security Technologies

With the rapid growth of interest in the Internet, network security has become a major concern for companies throughout the world. The fact that the information and tools needed to penetrate the security of corporate networks are widely available has increased that concern.

Because of this increased focus on network security, network administrators often spend more effort protecting their networks than on actual network setup and administration. New tools that probe for system vulnerabilities, such as ISS (Internet Security Scanner), assist in these efforts, but these tools only point out areas of weakness instead of providing a means to protect networks. Thus, as a network administrator, you must constantly try to keep abreast of the large number of security issues confronting you in today's world. This section describes many of the security issues that arise when connecting a private network to the Internet.

1.2 Security Issues when Connecting to the Internet

When connecting a private network to the Internet, you are physically connecting your network to more than hundreds of thousands of unknown networks and all their users. Although such connections open the door to many useful applications and provide great opportunities for information sharing, most private networks contain some information that should not be shared with outside users on the Internet. The key questions behind most Internet security issues are:

• How do you protect confidential information?

• How do you protect your network and its resources from malicious users and accidents that originate outside your network?

1.3 Protecting Confidential Information

Confidential information can reside in two states on a network. It can reside on physical storage media, such as a hard drive or memory, or it can reside in transit across the physical network wire in the form of packets. These two information states present multiple opportunities for attacks from users on your internal network, as well as those users on the Internet. We are primarily concerned with the second state, which involves network security issues. The following are five common methods of attack that present opportunities to compromise the information on your network:

• Network packet sniffers

• IP spoofing

• Password attacks

• Man-in-the-middle attacks

When protecting your information from these attacks, your concern is to prevent the theft, destruction, corruption, and introduction of information that can cause irreparable damage to sensitive and confidential information. This section describes these common methods of attack and provides examples of how your information can be compromised.

1.3.1 Network Packet Sniffers

Because networked computers communicate serially (one information piece is sent after another), large information pieces are broken into smaller pieces. (The information stream would be broken into smaller pieces even if networks communicated in parallel. The overriding reason for breaking streams into network packets is that computers have limited intermediate buffers.) These smaller pieces are called network packets. Several network applications distribute network packets in clear text; that is, the information sent across the network is not encrypted. (Encryption is the transformation, or scrambling, of a message into an unreadable format by using a mathematical algorithm.) Because the network packets are not encrypted, they can be processed and understood by any application that can pick them up off the network and process them.

A network protocol specifies how packets are identified and labeled, which enables a computer to determine whether a packet is intended for it. Because the specifications for network protocols, such as TCP/IP, are widely published, a third party can easily interpret the network packets and develop a packet sniffer. (The real threat today results from the numerous freeware and shareware packet sniffers that are available, which do not require the user to understand anything about the underlying protocols.) A packet sniffer is a software application that uses a network adapter card in promiscuous mode (a mode in which the network adapter card sends all packets received on the physical network wire to an application for processing) to capture all network packets that are sent across a local-area network.

Because several network applications distribute network packets in clear text, a packet sniffer can provide its user with meaningful and often sensitive information, such as user account names and passwords. If you use networked databases, a packet sniffer can provide an attacker with information that is queried from the database, as well as the user account names and passwords used to access the database. One serious problem with acquiring user account names and passwords is that users often reuse their login names and passwords across multiple applications. In addition, many network administrators use packet sniffers to diagnose and fix network-related problems.

Many users employ a single password for access to all accounts and applications. If an application is run in client/server mode and authentication information is sent across the network in clear text, then it is likely that this same authentication information can be used to gain access to other corporate resources. Because attackers know and use human characteristics (attack methods known collectively as social engineering attacks), such as using a single password for multiple accounts, they are often successful in gaining access to sensitive information.

1.3.2 IP Spoofing

An IP spoofing attack occurs when an attacker outside your network pretends to be a trusted computer either by using an IP address that is within the range of IP addresses for your network or by using an authorised external IP address that you trust and to which you wish to provide access to specified resources on your network. There are a number of IP spoofing attacks which take advantage of the information contained within the IP packet header. For example the Christmas Day attack on Tsutomu Shimomura¹ involved forging the source address of the IP packets so they looked as if they were generated from within Shimomura’s network. Another IP attack involves loose source routing of IP packets. The attacker manipulates the IP header’s source routing option to change the path the packets should take. Properly configured firewalls capable of packet filtering provide the best means of defence against these types of attack.

Normally, an IP spoofing attack is limited to the injection of data or commands into an existing stream of data passed between a client and server application or a peer-to-peer network connection. To enable bidirectional communication, the attacker must change all routing tables to point to the spoofed IP address. Another approach the attacker could take is to simply not worry about receiving any response from the applications. If an attacker is attempting to get a system to mail themselves a sensitive file, application responses are unimportant.

However, if an attacker manages to change the routing tables to point to the spoofed IP address, he can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can. Like packet sniffers, IP spoofing is not restricted to people who are external to the network.

1.3.3 Password Attacks

Password attacks can be implemented using several different methods, including brute-force attacks, Trojan horse programs (discussed later in the section), IP spoofing, and packet sniffers. Although packet sniffers and IP spoofing can yield user accounts and passwords, password attacks usually refer to repeated attempts to identify a user account and/or password; these repeated attempts are called brute-force attacks.

Often a brute-force attack is performed using a program that runs across the network and attempts to log in to a shared resource, such as a server. When an attacker successfully gains access to a resource, they have the same rights as the user whose account has been compromised to gain access to that resource. If this account has sufficient privileges, the attacker can create a back door for future access, without concern for any status and password changes to the compromised user account. An outside intruder can use password and IP spoofing attacks to copy information, and an internal user can easily place sensitive information on an external computer or share a drive on the network with other users.

For example, an internal user could place a file on an external FTP server without ever leaving their desk. The user could also e-mail an attachment that contains sensitive information to an external user.

1.3.4 Man-in-the-Middle Attacks

A man-in-the-middle attack requires that the attacker have access to network packets that come across the networks. An example of such a configuration could be someone who is working for your Internet service provider (ISP), who can gain access to all network packets transferred between your network and any other network. Such attacks are often implemented using network packet sniffers and routing and transport protocols. The possible uses of such attacks are theft of information, hijacking of an ongoing session to gain access to your internal network resources, traffic analysis to derive information about your network and its users, denial of service, corruption of transmitted data, and introduction of new information into network sessions.

1 On Christmas Day, 1994, a hacker launched a sophisticated “IP spoofing” attack against the home computer of a computer security expert, Tsutomu Shimomura, a researcher at the federally financed San Diego Supercomputer Center in California. Over a two-week period Shimomura eventually tracked the hacker to computers on which Shimomura's stolen files were found. The hacker was finally identified as federal fugitive Kevin Mitnick, and subsequently arrested by FBI agents. The following WWW-addresses provide links to a great deal of interesting information regarding the Christmas Day attack and Kevin Mitnick; www.gulker.com/ra/hack and www.mitnick.com

1.4 Protecting Your Network: Maintaining Internal Network System Integrity

Although protecting your information may be your highest priority, protecting the integrity of your network is critical in your ability to protect the information it contains. A breach in the integrity of your network can be extremely costly in time and effort, and it can open multiple avenues for continued attacks. This section covers the five methods of attack that are commonly used to compromise the integrity of your network:

• Network packet sniffers

• IP spoofing

• Password attacks

• Denial-of-service attacks

• Application layer attacks

When considering what to protect within your network, you are concerned with maintaining the integrity of the physical network, your network software, any other network resources, and your reputation. This integrity involves the verifiable identity of computers and users, proper operation of the services that your network provides, and optimal network performance; all these concerns are important in maintaining a productive network environment. This section describes the previously mentioned attacks and provides examples of how they can be used to compromise your network's integrity.

1.4.1 Network Packet Sniffers

As mentioned earlier, network packet sniffers can yield critical system information, such as user account information and passwords. When an attacker obtains the correct account information, they have the run of your network. In a worst-case scenario, an attacker gains access to a system-level user account, which the attacker uses to create a new account that can be used at any time as a back door to get into your network and its resources. The attacker can modify system-critical files, such as the password for the system administrator account, the list of services and permissions on file servers, and the login information for other computers that contain confidential information.

Packet sniffers provide information about the topology of your network that many attackers find useful. This information, such as what computers run which services, how many computers are on your network, which computers have access to others, and so on, can be deduced from the information contained within the network packets that are distributed across your network as part of necessary daily operations.

In addition, a network packet sniffer can be modified to interject new information or change existing information in a network packet. By doing so, the attacker can cause network connections to shut down prematurely, as well as change critical information within the packet. Imagine what could happen if an attacker modified the information being transmitted to your accounting system. The effects of such attacks can be difficult to detect and very costly to correct.

1.4.2 IP Spoofing

IP spoofing can yield access to user accounts and passwords, and it can also be used in other ways. For example, an attacker can emulate one of your internal users in ways that prove embarrassing for your organisation; the attacker could send e-mail messages to business partners that appear to have originated from someone within your organisation. Such attacks are easier when an attacker has a user account and password, but they are possible by combining simple spoofing attacks with knowledge of messaging protocols.

1.4.3 Password Attacks

Just as with packet sniffers and IP spoofing attacks, a brute-force password attack can provide access to accounts that can be used to modify critical network files and services. An example that compromises your network's integrity is an attacker modifying the routing tables for your network. By doing so, the attacker ensures that all network packets are routed to them before they are transmitted to their final destination. In such a case, an attacker can monitor all network traffic, effectively becoming a man in the middle.

1.4.4 Denial-of-Service Attacks

Denial-of-service attacks are different from most other attacks because they are not targeted at gaining access to your network or the information on your network. These attacks focus on making a service unavailable for normal use, which is typically accomplished by exhausting some resource limitation on the network or within an operating system or application.

When involving specific HTTP or FTP network server applications, these attacks can focus on acquiring and keeping open all the available connections supported by that server, effectively locking out valid users of the server or service. Denial-of-service attacks can also be implemented using common Internet protocols, such as TCP and Internet Control Message Protocol (ICMP). Most denial-of-service attacks exploit a weakness in the overall architecture of the system being attacked rather than a software bug or security hole. However, some attacks compromise the performance of your network by flooding the network with undesired, and often useless, network packets and by providing false information about the status of network resources.

1.4.5 Application-Layer Attacks

Application-layer attacks can be implemented using several different methods. One of the most common methods is exploiting well-known weaknesses in software commonly found on servers, such as sendmail, PostScript, and FTP. By exploiting these weaknesses, attackers can gain access to a computer with the permissions of the account running the application, which is usually a privileged system-level account.

Trojan horse program attacks are implemented using programs that an attacker substitutes for common programs. These programs may provide all the functionality that the normal program provides, but also include other features that are known to the attacker, such as monitoring login attempts to capture user account and password information. These programs can capture sensitive information and distribute it back to the attacker. They can also modify application functionality, such as applying a blind carbon copy to all e-mail messages so that the attacker can read all of your organisation's e-mail.

One of the oldest forms of application-layer attacks is a Trojan horse program that displays a screen, banner, or prompt that the user believes is the valid login sequence. The program then captures the information that the user types in and stores or e-mails it to the attacker. Next, the program either forwards the information to the normal login process (normally impossible on modern systems) or simply sends an expected error to the user (for example, Bad Username/Password Combination), exits, and starts the normal login sequence. The user, believing that they have incorrectly entered the password (a common mistake experienced by everyone), retypes the information and is allowed access.

One of the newest forms of application-layer attacks exploits the openness of several technologies such as HTML and web browsers. These attacks, which include Java applets and ActiveX controls, involve passing harmful programs across the network and loading them through a user's browser.

Users of ActiveX controls may be lulled into a false sense of security by the Authenticode technology promoted by Microsoft. However, attackers have already discovered how to utilise properly signed and bug-free ActiveX controls to make them act as Trojan horses. This technique uses VBScript to direct the controls to perform their dirty work, such as overwriting files and executing other programs.

These new forms of attack are different in two respects:

• They are initiated not by the attacker but by the user who selects the HTML page that contains the harmful applet or script stored using the <OBJECT>, <APPLET>, or <SCRIPT> tags.

• Their attacks are no longer restricted to certain hardware platforms and operating systems because of the portability of the programming languages involved.

2. Threats to the TCP/IP Protocol

This section describes a number of common attacks which exploit the limitations and inherent vulnerabilities in the TCP and IP protocols.

• SYN flooding

• IP Spoofing

• Sequence number attack

• TCP session hijacking

• Denial of service attacks

These attacks were chosen because software to launch them (including source code) is freely available on the Internet. They are also the most common and practical attacks used by attackers on the inside and outside of organisations' networks.

2.1 SYN Flooding

Description

SYN flooding occurs when a server receives more incomplete connection requests than it can handle. In 1996 both 2600² and Phrack³, two of the largest and most well-known of the underground hacker magazines, released source code that automated this attack.

Under normal conditions hosts that wish to exchange data over a TCP connection must initiate the session using a 3 step process known as the 3-way handshake. The SYN flood attack is based on preventing the completion of the 3-way handshake — in particular the server’s reception of the TCP ACK flag.

Unlike a normal TCP connection request, the SYN flood attack withholds the final ACK packet which leaves a server’s port in a half-open state. The attack succeeds because the number of half-open connections that can be supported per TCP port is limited. When the number of half-open connections is exceeded the server will reject all subsequent incoming connection requests until the existing requests time out, usually after 75 seconds — creating a denial-of-service condition.

To initiate the SYN flood attack, the attacking host sends a number of SYN requests to the target TCP port (e.g. the Telnet daemon) to fill up its concurrent connection request (or backlog) queue — the exact number depends upon the operating system (see [Phrack, 1996a]). This queue allows a server (i.e. listening port) to hold concurrent connection requests for later processing. To achieve this the details of each pending connection request are stored in a memory structure. Obviously, this queue must be bounded otherwise an attacker could make unlimited connection requests to a TCP port and consume all of the server’s memory resources — which in itself would constitute a denial-of-service attack!

The attacking host must ensure that the source IP-address is spoofed to be that of a routable but unreachable host, as the target host will be sending its response to this address. IP (by way of ICMP) will inform TCP that the host is unreachable, however, TCP considers these errors to be transient and leaves their resolution up to IP (reroute the packets, etc) — in effect ignoring them. The IP destination address must be unreachable because the attacker does not want any host to receive the SYN/ACKs sent by the target host, as this would elicit an RST from that host and defeat the attack.

Figure 1 shows the steps involved in launching a TCP SYN flood attack. To begin (step 1) the attacking host sends a multitude of SYN requests to the target to fill its backlog queue with pending connections. Once the target receives this request it responds with SYN/ACKs (step 2) to what it believes is the source of the incoming SYNs. Once the backlog queue is full all further requests to the TCP port will be ignored until the original requests begin to time out and reset — normally after 75 seconds. After each time out (step 3) the server port sends a RST to the unreachable client. At this point the attacker must repeat the process again (from step 1) to maintain the denial-of-service attack.

To make this attack more difficult to detect and respond to, the software randomises the source address of the IP packets sent by the attacking host. Thus, the target host receives packets that appear to be from all over the Internet, assuring the attacker's anonymity.

2 The 2600 WWW-site is available at http://www.2600.com/

3 The Phrack WWW-site is available at http://www.phrack.com/

Figure 1 TCP SYN flood attack (diagram: A = attacker, B = target, C = unreachable host; step 1, A sends repeated SYNs to B; step 2, B sends SYN/ACKs to C; step 3, B sends RST to C after the half-open entries time out; example backlog shown is Microsoft Windows NT 4.0, b = 6)

Countermeasure

There are several ways of reducing the effectiveness of the SYN flood attack. The first relies on ISPs being responsible enough to block IP packets with non-internal addresses from leaving their network and reaching the Internet. Therefore, an attacker would have to send packets with an official IP source address which in most cases would lead back (through audit logs) to the owner of the account that the attack was being launched from. This lack of anonymity would deter most attackers, although skilled and determined attackers would use accounts that had been compromised or they could launch attacks through sites that do not regulate Internet traffic.

Other preventative methods require changes to the network aspects of the operating system, or the addition of intrusion detection tools. For example a list of connection requests could be kept with details of their source address, TTL (Time to Live), sequence numbers, window size etc. These variables could then be analysed for suspicious activity, which, if detected, would result in an RST being sent to allow new connections to be made. Other solutions rely on increasing the size of the backlog queue and randomly dropping half-open connection requests when the queue is full.
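The backlog mechanics of the SYN flood described above, and the random-drop countermeasure from this section, as an added model in Python (not code from the report). It assumes a backlog of b = 6 (the Windows NT 4.0 value quoted in Figure 1), the 75-second half-open timeout, and a constructed event trace of spoofed SYNs followed by a legitimate client; the `random_drop` switch turns the countermeasure on.

```python
"""Backlog-queue model of a TCP listening port under a SYN flood.

Added illustration; not code from the report. Assumed values: backlog
b = 6 (the Windows NT 4.0 figure quoted in Figure 1), a 75-second
half-open timeout (step 3, RST after time out), and the constructed
event trace at the bottom. 'random_drop' models the countermeasure of
randomly dropping a half-open request when the queue is full.
"""
from dataclasses import dataclass, field
import random

BACKLOG = 6        # assumed: b = 6 as in Figure 1
TIMEOUT = 75.0     # assumed: seconds before a half-open entry is reset


@dataclass
class HalfOpen:
    src: str           # source address claimed in the SYN (spoofed or real)
    opened_at: float   # time the SYN arrived; the server has replied SYN/ACK


@dataclass
class ListeningPort:
    backlog: int = BACKLOG
    timeout: float = TIMEOUT
    random_drop: bool = False
    queue: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (time, src) of refused SYNs
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def expire(self, now):
        """Step 3 of Figure 1: entries older than the timeout are reset (RST)."""
        self.queue = [h for h in self.queue if now - h.opened_at < self.timeout]

    def on_syn(self, now, src):
        """Steps 1 and 2: queue the pending connection (server would send SYN/ACK).
        Returns True if the SYN was queued, False if the port refused it."""
        self.expire(now)
        if len(self.queue) >= self.backlog:
            if not self.random_drop:
                self.rejected.append((now, src))
                return False
            # Countermeasure: evict a random half-open entry instead of refusing.
            self.queue.pop(self.rng.randrange(len(self.queue)))
        self.queue.append(HalfOpen(src, now))
        return True

    def on_ack(self, now, src):
        """Final handshake step: a real client completes and leaves the queue."""
        self.expire(now)
        for i, h in enumerate(self.queue):
            if h.src == src:
                del self.queue[i]
                return True
        return False   # no pending entry: the SYN was refused or has timed out


# Constructed trace: eight spoofed SYNs (unreachable sources, never ACKed) at
# t=0, then a legitimate client that tries at t=1 and again at t=80, after the
# spoofed entries have timed out. Addresses are documentation-range placeholders.
TRACE = [(0.0, "syn", "203.0.113.%d" % i) for i in range(1, 9)] + [
    (1.0, "syn", "192.0.2.10"), (1.1, "ack", "192.0.2.10"),
    (80.0, "syn", "192.0.2.10"), (80.1, "ack", "192.0.2.10"),
]


def run(trace, random_drop=False):
    """Replay the trace; return (times at which a handshake completed,
    list of (time, src) SYNs the port refused)."""
    port = ListeningPort(random_drop=random_drop)
    completed = []
    for t, kind, src in trace:
        if kind == "syn":
            port.on_syn(t, src)
        elif kind == "ack" and port.on_ack(t, src):
            completed.append(t)
    return completed, port.rejected


if __name__ == "__main__":
    for flag in (False, True):
        done, refused = run(TRACE, random_drop=flag)
        print("random_drop=%s: completed at %s, refused %d SYNs"
              % (flag, done, len(refused)))
```

Without the countermeasure the legitimate client is refused until the spoofed entries expire at 75 seconds; with random drop it connects at once, although a sustained flood can evict its half-open entry in the same way, which is why the report lists random drop alongside a larger backlog queue.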

2.2 IP Spoofing, TCP Sequence Number Prediction, and TCP Session Hijack

2.2.1 IP Spoofing

IP spoofing is an attack in which the attacker impersonates a host (or a legitimate user) at the IP layer. In most cases the objective is to attack the trust-relationship between two hosts; this relationship depends upon the source IP address to correctly authenticate a host. The attack is only possible if the target host has a trust-relationship with at least one other host. The most popular trust-relationship is provided by the .rhosts file found on Unix operating systems, although many others exist, e.g. the Unix files hosts.allow, hosts.equiv, etc. The .rhosts file allows a user to build a set of trusted hosts applicable only to themselves. For example, suppose that the ~ray/.rhosts file on the host huia.canterbury.ac.nz contained the lines:

kaka.canterbury.ac.nz

matata.canterbury.ac.nz


This .rhosts file would allow an account named ray on kaka or on matata to rlogin into ray’s account on huia without typing a password!

In itself IP spoofing is quite simple; all the attacker has to do is generate an IP datagram with a forged source address. This is done by creating an IP datagram from scratch using RAW-Sockets⁴. The target host has no way of determining that an IP datagram has been spoofed; all it has to rely on is the IP source address. On its own, IP spoofing is mostly limited to providing anonymity for an attacker launching attacks against the IP layer, e.g. SYN flooding, ICMP redirects, ping flooding, etc. Therefore, to complete the attack against trust-relationships described above, the attacker must combine IP spoofing with TCP sequence number prediction — this provides the attacker with a delivery mechanism for sending application data to the target host.

2.2.2 TCP Sequence Number Prediction

TCP sequence number prediction is used by attackers to attack TCP sessions, and takes advantage of the fact that TCP is a sequenced data delivery protocol. TCP segments are encapsulated within IP datagrams, and as a result there is no guarantee that the datagrams will follow the same route and therefore arrive in the order they were sent. Also network errors may require datagrams to be resent. The TCP protocol uses sequence numbers to ensure that the application layer receives data in the same order that it was sent. Although this is a simple and effective method of ensuring a sequenced data stream, it unfortunately introduces a vulnerability. If an attacker can guess the correct sequence number they can then generate their own TCP segments that will be accepted by the target host’s TCP layer.

There are really two variations on this attack depending upon how early the TCP session is attacked. Figure 2 shows the three steps of a normal TCP 3-way handshake; if successful both the client and server proceed to step 4 and can exchange data. The attacker can choose to attack the TCP handshake to take advantage of a trust relationship — often referred to as IP spoofing but to avoid ambiguity will be known here as TCP spoofing. Alternatively the attacker can wait until step 4 to take over a legitimate TCP session — referred to as TCP session hijacking. Full technical discussions regarding TCP sequence number prediction and TCP session hijacking can be found in [Bellovin, 1989], [Morris, 1985], [Joncheray, 1995] and [Phrack, 1996b].

Figure 2 TCP 3-way handshake and data transfer (diagram: client A and server B; step 1, A sends SYN to B; step 2, B sends SYN/ACK to A; step 3, A sends ACK to B; step 4, data flows A to B and/or B to A, repeated during data transfer)

4 The term “Raw-Sockets” refers to the ability in 4.2BSD derived socket implementations to access the network layer instead of the transport layer. For example, the programmer could directly format the fields within the IP datagram to generate ICMP echo requests (i.e. Ping).

There are two ways to carry out TCP spoofing attacks:

• Non-Blind Spoofing – In this case the attacker is on the same network path as the spoofed and target hosts (e.g. an Ethernet 10Base-T LAN) and has direct access to the IP datagrams which contain the TCP segments. Therefore, sequence number prediction is trivial because the attacker simply uses a protocol analyser to capture the TCP segments and obtain the required sequence number.

• Blind Spoofing – Is more difficult because the attacker is not on the same network path as the spoofed and target hosts, therefore direct access to the IP datagrams and TCP segments is not possible. Instead the attacker must attempt to guess the correct initial TCP sequence number, the success of which depends upon the mechanism being used to generate it. There are three mechanisms in common use:

64K rule – this is the simplest mechanism and surprisingly is still used, or can be found on hosts running older operating systems (e.g. OSF, SunOS). Most spoofing programs still provide support to take advantage of this rule. The rule is implemented as follows:

− increase the initial sequence counter every second with a constant (normally 128,000).

− If there is a connection initiated, increase the sequence counter with another constant (normally 64,000).

Obviously, such a mechanism is very easy to predict, especially as the sequence counter is only altered once per second - a very large period in network time!

time related generation – is a very popular and simple mechanism which allows the sequence number generator to generate time-dependent values. The number generator is seeded at boot time, and is increased on a regular basis (e.g. every µsec) by an x number of time-units. Note that time-units on computers are not necessarily perfect, nor are all time-units of equal length, depending on how they are measured and on the load of the computer, etc. This variability increases the difficulty of predicting a correct sequence number.

pseudo-random generation – in an effort to foil the prediction of initial sequence numbers newer operating systems are using pseudo-random number generators to generate the values — which makes prediction nearly impossible.

In both cases the attacker must ensure that the spoofed host is unreachable, otherwise it will receive a SYN/ACK (see step 2 in Figure 2) from the target host in response to the attacker’s spoofed connection request. However, the spoofed host has no knowledge of initiating a connection request and will send an RST to the target host, which will abort the connection and defeat the attack. The attacker normally has two options to deal with this problem: either to wait until the spoofed host is unreachable because of maintenance, or to take it off-line with a denial-of-service attack such as a SYN flood. Figure 3 shows a blind spoofing attack.

From the attacker’s perspective blind spoofing is difficult because all replies from the target host are sent to the spoofed host. Therefore, the attacker cannot directly determine the success or failure of their attack. However, there are ways for attackers to turn a blind spoof into a non-blind spoof. This is achieved by using source routed IP datagrams [Stevens, 1994], or by directly affecting the routing tables of intermediary gateways and routers. Source routing (see footnote 5) is a feature (an option) of the IP protocol which allows the sender to specify a route for an IP datagram to follow. The route is recorded in the IP header and the receiver uses the reverse of this to send replies. Therefore, an attacker could send source routed IP datagrams appearing to come from the spoofed host and including a route that sends replies back past the attacker. This is one reason why it is important to drop source routed IP datagrams, especially those originating from untrusted networks.

In addition to source routing, it is also possible to change the routing tables of gateways and routers by sending spoofed routing packets using protocols such as RIP, BGP4, etc. As with source routed IP datagrams it is important to ensure that gateways and routers ignore or respond sensibly to the routing information they receive. In most cases, though, the Internet routes are stable enough that all such routing packets can be ignored.

2.2.3 TCP Session Hijacking

The final attack, based on IP spoofing and TCP sequence number prediction, is TCP session hijacking, which can be carried out against any TCP based application, e.g. Telnet, rlogin, FTP, etc. The only requirement is that the attacker has access to the IP datagrams sent between the target and spoofed hosts, as this is necessary to obtain the correct sequence number. Once the attacker has a sequence number, a TCP segment can be sent, effectively taking over the connection — all further packets sent by the spoofed host will be ignored by the target host because the sequence numbers will be incorrect. An example of TCP session hijacking is shown in Figure 4.

Generally, TCP hijacking is used to take over a Telnet session. Telnet is a particularly easy protocol to hijack because it simply passes a stream of bytes between the client and server. All the attacker has to do is insert their commands (as a sequence of bytes) into the spoofed TCP data segments. The server will reassemble the TCP segments into command strings which will then be executed as though the legitimate user had typed them. The only evidence of this attack is that the legitimate user’s Telnet session hangs because it never receives confirmation of the segments it sends, and will simply continue to resend them. After a few seconds the user will probably attribute the inactivity to “Murphy’s Law” and begin a new session.

TCP session hijacking has a number of benefits over other attacks, such as sniffing IP datagrams for passwords, especially when advanced identification and authentication techniques are in use. For example, it is pointless to sniff one-time passwords, or responses to challenges issued by cryptographic authentication mechanisms, e.g. S/Key, SecureID, Lockout, etc. However, because all of these advanced authentication techniques happen at connection time, no protection is afforded by them after this point. Therefore, the attacker simply hijacks a legitimate connection to gain entry to a system. This has the added advantage of appearing to the operating system’s security mechanisms as the legitimate user!

5 Source routing allows the sender to specify the route of an IP datagram. Two forms are provided: strict and loose source routing. Strict source routing allows the sender to specify the exact path that the IP datagram must follow. Loose source routing allows the sender to specify a list of IP addresses that the datagram must traverse, but the datagram can also pass through other routers between any two addresses in the list.

Figure 3 Example of a blind spoofing attack (figure not reproduced; its hosts, label key and annotations are retained below).

Hosts: spoofed host (IP: 200.17.12.3), attack host (IP: 192.10.10.2) and target host (IP: 210.101.82.1), connected across an IP network (e.g. the Internet). Label construction: [DATA /] [SYN /] [ACK] : value of sequence number field, value of acknowledgment number field. ACK = Acknowledgment flag; SYN = Synchronise Sequence Numbers flag; DATA indicates that the transmission contains data (informative only); n/a indicates that the field is not valid; [ ] content in brackets is optional, its presence depends on the state of the TCP connection.

Start of 3-way handshake: the attack host sends SYN: 2000, n/a carrying the spoofed host’s source address. The target host sends a SYN/ACK response (SYN/ACK: 6587, 2001) to the initial SYN segment, but this is never received by the attacking host. Therefore, the attacker may have to send multiple ACKs to cover a range of possible sequence numbers depending on the accuracy of their prediction; in the figure the ACKs carrying 6587, 6586 and 6589 are ignored and only the one carrying 6588 (the target’s initial sequence number plus one) is accepted. End of 3-way handshake.

At this point the attacker does not know if a successful handshake has been completed, nor which (if any) sequence number was correct. Therefore, all TCP data segments must be resent based on the sequence number used for each of the previous ACKs. Any TCP segments that are received with the wrong sequence number are simply ignored.

From this point forward the spoofed host must be unreachable. If the spoofed host receives TCP segments that it does not expect, such as SYN/ACK, it will reply with an RST. On receipt of the RST the target host will terminate the connection, defeating the attack.

Figure 4 Example of a TCP session hijack (figure not reproduced; its hosts, label key and annotations are retained below).

Hosts: spoofed host (IP: 200.17.12.3), attack host (IP: 192.10.10.2) and target host (IP: 210.101.82.1). Label construction is as for Figure 3: [DATA /] [SYN /] [ACK] : value of sequence number field, value of acknowledgment number field.

Start of 3-way handshake: the spoofed host and the target host complete a normal handshake (SYN: 2000, n/a; SYN/ACK: 6587, 2001; ACK: 2001, 6588) and begin exchanging data. End of 3-way handshake. The attacker uses a protocol analyser to capture IP traffic, and can therefore determine the TCP connection’s state and its sequence numbers. The attacking host will normally wait until any identification and authentication takes place before hijacking the session.

The TCP session has been successfully hijacked once the attacker’s TCP data segments are received by the target host and it sends an ACK. Any further TCP segments sent by the hijacked host will be ignored by the target host because they have incorrect sequence numbers. The hijacked host will assume they have been lost and will continue re-sending them.

Countermeasure

Again, the simplest and most effective defence against IP spoofing, TCP spoofing, and TCP session hijacking lies with those organisations providing access to the Internet. If all of these organisations were responsible enough to prevent IP datagrams with source addresses originating from outside their networks from reaching the Internet, the attacks described above could not be carried out.

Unfortunately, there are many organisations that provide unregulated Internet access. Therefore other means for protecting against spoofing and hijacking attacks must be used. The simplest and most effective is for an organisation to block all IP datagrams from the Internet that are source routed, or that have source addresses originating from the internal network. A properly configured firewall can be used to enforce such a policy.
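The border policy just described (drop source routed datagrams and datagrams arriving from the Internet with internal source addresses, and only let our own source addresses out) can be expressed as a small packet classifier. The following is an added example, not code from the report, which parses the IPv4 header and option list itself; it assumes the target host's network from Figures 3 and 4 (210.101.82.0/24) is the internal network, builds its sample datagrams inline, and also applies the same-source-and-destination check that the Land attack section later recommends.

```python
import ipaddress
import struct

# IPv4 option type values for the two forms of source routing (from RFC 791).
IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137

# Assumed address plan, taken from the hosts in Figures 3 and 4: the target host's
# network is treated as "our" internal network; the other addresses are outside.
INTERNAL_NETS = [ipaddress.ip_network("210.101.82.0/24")]

# Constructed LSRR option: type, length, pointer, then one hop (the attack host's address).
LSRR_VIA_ATTACKER = bytes([IPOPT_LSRR, 7, 4]) + ipaddress.IPv4Address("192.10.10.2").packed


def build_ipv4(src, dst, options=b"", payload=b""):
    """Assemble a minimal IPv4 datagram as constructed test input (checksum left at 0)."""
    if len(options) % 4:                      # options are padded to a 32-bit boundary
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                         0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options + payload


def parse_ipv4(pkt):
    """Return (src, dst, [option types]) from a raw IPv4 datagram, or raise ValueError."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad header length")
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    opts, types, i = pkt[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        types.append(kind)
        i += opts[i + 1]
    return src, dst, types


def ingress_verdict(pkt, internal_nets):
    """Border-router policy for a datagram arriving from the Internet."""
    try:
        src, dst, opts = parse_ipv4(pkt)
    except ValueError as err:
        return f"drop: malformed ({err})"
    if IPOPT_LSRR in opts or IPOPT_SSRR in opts:
        return "drop: source routed"              # replies would follow the attacker's route
    if src == dst:
        return "drop: source equals destination"  # the Land pattern described later
    if any(src in net for net in internal_nets):
        return "drop: spoofed internal source"    # our addresses never arrive from outside
    return "accept"


def egress_verdict(pkt, internal_nets):
    """Policy for a datagram leaving towards the Internet: only our own source addresses."""
    try:
        src, _dst, _opts = parse_ipv4(pkt)
    except ValueError as err:
        return f"drop: malformed ({err})"
    if not any(src in net for net in internal_nets):
        return "drop: source not ours"
    return "accept"


if __name__ == "__main__":
    samples = {
        "normal from outside": build_ipv4("200.17.12.3", "210.101.82.1"),
        "spoofed internal source": build_ipv4("210.101.82.5", "210.101.82.1"),
        "source routed": build_ipv4("200.17.12.3", "210.101.82.1", LSRR_VIA_ATTACKER),
    }
    for name, pkt in samples.items():
        print(f"{name:24s} -> {ingress_verdict(pkt, INTERNAL_NETS)}")
```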


Also, trust relationships (e.g. .rhosts) between hosts communicating across the Internet should never be permitted, unless they are used in conjunction with strong authentication and cryptography (see footnote 6) — they are simply too vulnerable! In fact, strong authentication and cryptography should be used with all TCP services (e.g. Telnet, FTP, etc.) where it is possible that an untrusted user could gain more than a very basic control over the operating system hosting the service. For example, an anonymous FTP server that provides read-only access to files can be adequately protected by the security mechanisms in existing operating systems, such as Unix and Windows NT. It is also important to assess the threat — for instance it is unlikely that an attacker would go to the trouble of hijacking an anonymous FTP session! However, providing remote FTP access across the Internet to the superuser for uncontrolled read and write access has far greater implications. In such a case both strong authentication and cryptography are required, because the risk to the operating system by allowing such a connection would be too high.

It is essential to understand the possible threats and vulnerabilities introduced by connecting to untrusted networks so that the risks can be accurately assessed. It is not enough to consider the risks posed by applications (e.g. FTP, Telnet, WWW, etc.) alone — it is equally important to understand the risks posed by the network protocols, such as TCP, IP, and the many others outside the scope of this section such as IPX/SPX, NetBEUI, SNA, etc.

2.3 Denial of Service (DOS) Attacks

While there are many different methods, the sole intention of a DOS attack is the deliberate interference with another party's online sessions. Although DOS attacks are not particularly new, it is the wide release of programs and their ready availability that are cause for great concern. These attacks are almost entirely TCP/IP-based and focus greatly on Windows products. Further, there are no real remedies against carefully orchestrated DOS attacks.

DOS attacks can be used to indiscriminately close connections during downloads, causing browsers to hang. These attacks would cause a great deal of confusion and be particularly difficult to resolve, i.e. is it a software, network, or hardware fault?

Unfortunately, configuring routers on the internal network to block such attacks is difficult, and often impracticable because of the distributed nature of user groups and information resources. In such environments there is little that can be done to protect against such DOS attacks.

Ping o’ Death Attacks

The Ping program tests whether a host is reachable by sending it an ICMP echo request message and receiving an ICMP echo in reply. Ping also measures the round-trip time to the host, which provides an indication as to how distant the host is, and is helpful for determining whether the intervening network is congested.

IP datagrams can be a maximum size of 65,535 (2^16 - 1) octets, which includes the header length (typically 20 octets if no IP options are specified). Datagrams that are larger than the maximum size that the underlying link layer can handle — the Maximum Transmission Unit (MTU) — are fragmented into smaller datagrams which are then reassembled by the receiver. For Ethernet based networks the MTU is typically 1500 octets, while on the Internet the MTU is usually 576 octets.

6 It is important to note that strong authentication and cryptography are not mutually exclusive. For example SSL can provide session encryption and strongly authenticate both the client and server.

The ICMP echo request resides within the IP datagram, and consists of eight octets of ICMP header information (RFC-792 [Postel, 1981]) followed by the number of data octets in the Ping request. Hence the maximum allowable size of the data area is 65,535 - 20 - 8 = 65,507 octets.

What makes the Ping o’ Death attack possible is the ability to send an echo request datagram with more than 65,507 octets of data, together with the way IP fragmentation is performed. IP fragmentation relies on an offset value in each fragment to determine the order in which the individual fragments should be reassembled. Thus on the last fragment, it is possible to combine a valid offset with a suitable fragment size such that (offset + size) > 65,535. Since operating systems typically do not process the datagram until they have reassembled all the fragments, there exists the possibility of overflowing internal variables and buffers, which can lead to system crashes, reboots, kernel dumps, etc.

Vulnerable Systems

Unfortunately, “Ping O’ Death” is easy to exploit, especially for those that have operating systems that allow users to send Pings of illegal size, such as Windows 95/98, Windows NT, and Linux. The following command is all that is needed to launch the attack from Windows 95/98:

> ping -l 65510 your.host.ip.address

Windows 95/98 will reply with “Request Timed Out”, which means that the Ping was not answered, either because the remote host has correctly ignored the illegal Ping, or because it is now “dead” — it is that simple!

Once it has been determined that hosts are at risk, the best solution is to obtain patches for the operating systems involved. Fortunately, the “Ping O’ Death” attack is now mainly of historical interest as most operating systems released since 1996 are immune, or have patches freely available. The attack is only possible because of insufficient error handling within the affected operating systems, not because of vulnerabilities inherent in the IP protocol itself.

However, if patches are not available a quick solution is to block Ping at the firewall. Unfortunately, blocking Ping messages also prevents legitimate use and may prevent certain applications from functioning properly. A better solution than blocking all Pings is to block only fragmented Pings. This allows common and legitimate 64-byte Pings through on most systems, while blocking those that are larger than the MTU.

Although the focus here is on Ping, it is important to consider that this attack is in theory applicable to any protocol that relies on IPv4 datagrams but which cannot deal with those larger than 2^16 - 1 octets. Thus, it is possible that protocols such as TCP, UDP, and even IPX could be affected. The only completely effective solution is to secure the operating system against buffer overflows, and against variables containing illegal values, when reconstructing IP fragments.

TCP FIN and RST bit Attacks

TCP packets have control flags which indicate the status of a segment. There are two flags in particular, RST and FIN, which can be used for DOS attacks. Under normal circumstances the RST flag is used to reset a connection, while the FIN flag indicates that no more data will be sent. As with TCP session hijacking, the only requirement for this attack to be practical is that the attacker must have access to the IP datagrams sent between the target and spoofed hosts. This is necessary so that a protocol analyser can be used to collect the IP datagrams and obtain correct TCP sequence numbers.

For an RST or FIN to be accepted, the TCP segment need only have the correct sequence number, as the acknowledgement number field is not used (i.e. there is no ACK in an RST segment). Therefore, the attacker simply analyses the IP datagrams in the connection between the target and spoofed hosts, and calculates (from the target host’s ACKs) the sequence number that the target host would expect the next TCP segment from the spoofed host to contain. The attacker then generates a TCP segment with the RST flag set and sends it in a spoofed IP datagram (i.e. containing the spoofed host’s IP address in the source address field) to the target host. On receipt, the target host will close the connection with the spoofed host.

A very similar attack can be launched with the FIN flag, which is the normal way that a TCP connection is closed. The attacker uses a protocol analyser to predict the correct sequence number, using it to construct a TCP segment with the FIN flag set. This is then sent to the target host, which assumes that the spoofed host has no more data to send. Any further TCP segments sent by the spoofed host are ignored because the target host assumes that they are network errors. The advantage of a FIN based attack is that TCP mandates that on receiving a segment with the FIN flag set, the host must reply with one of its own. From the attacker’s perspective, the beauty of this attack is that it can be 100% guaranteed to be successful!

Normally, RST and FIN attacks are only applicable to the internal networks of an organisation. The reason for this is that an attacker needs to analyse the IP datagrams sent by either the target or spoofed host to determine the correct sequence number. For the attacks to be carried out on the Internet the attacker would have to have access to an Internet routing node at some point between the hosts being attacked — for most attackers access to such resources is impossible.
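The acceptance rule the text relies on (an RST is honoured whenever its sequence number falls in the receive window) is what makes the attack certain once the number is known. As an added example, not from the report, the check below contrasts that classic RFC 793 rule with the later hardening in RFC 5961 section 3, under which only an RST at exactly RCV.NXT resets and an in-window but inexact one draws a challenge ACK; the window size 8760 and sequence numbers are constructed. The caveat the text's own argument implies still holds: an on-path attacker who reads the exact number from a protocol analyser is unaffected by the hardened rule, which only narrows off-path guessing.

```python
TWO32 = 1 << 32


def in_window(seg_seq, rcv_nxt, rcv_wnd):
    """True if seg_seq lies in [RCV.NXT, RCV.NXT + RCV.WND) on the 32-bit circle."""
    return (seg_seq - rcv_nxt) % TWO32 < rcv_wnd


def classic_rst_verdict(seg_seq, rcv_nxt, rcv_wnd):
    """The rule the text describes (RFC 793): any in-window RST tears the connection down."""
    return "reset" if in_window(seg_seq, rcv_nxt, rcv_wnd) else "drop"


def hardened_rst_verdict(seg_seq, rcv_nxt, rcv_wnd):
    """RFC 5961 section 3: reset only on an exact RCV.NXT match. An in-window but inexact
    RST gets a challenge ACK, which a genuine peer answers with an exact RST and an
    off-path forger (who never sees the ACK) cannot."""
    if seg_seq == rcv_nxt:
        return "reset"
    if in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def resetting_sequence_numbers(rcv_nxt, rcv_wnd, verdict):
    """Count the distinct sequence numbers that reset the connection under a rule, scanning
    the window plus one value on either side (anything further out is dropped by both)."""
    return sum(1 for seq in range(rcv_nxt - 1, rcv_nxt + rcv_wnd + 1)
               if verdict(seq % TWO32, rcv_nxt, rcv_wnd) == "reset")


if __name__ == "__main__":
    # Constructed state: the target expects 6588 next (its ISN 6587 plus one, as in Figure 3).
    rcv_nxt, rcv_wnd = 6588, 8760
    for rule in (classic_rst_verdict, hardened_rst_verdict):
        print(rule.__name__, "accepts", resetting_sequence_numbers(rcv_nxt, rcv_wnd, rule),
              "sequence numbers as a reset")
```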

Smurf Attack

The smurf attack, named after its exploit program, is a network-level attack in which a large number of ICMP echo requests (pings) are sent to broadcast addresses, all of them having the spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs the IP broadcast to layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines replying to each packet.

Vulnerable Systems

This will affect almost all machines which are not behind a firewall or router which filters ICMP packets of this nature correctly. For most, the level of prevention is based on how their Internet Service Provider and/or system administrators have configured their firewalls and routers.


Tear Drop Attack

The Tear Drop attack, named after its exploit programs, involves the attacker sending overlapping packets (IP fragments) to the victim. When the victim's machine attempts to reconstruct the packets it hangs.

Vulnerable Systems

This will affect almost all W95, W98 and NT machines not properly patched.
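Both the Ping o' Death case above (a final fragment whose offset plus size exceeds the datagram limit) and the Tear Drop case (overlapping fragments) are failures of the receiver's reassembly code to validate fragments before copying them. The following is an added example, not code from the report, of a bounds-checked reassembler that rejects both conditions before any copy takes place; the 20-octet header assumption matches the text, and the ping payloads and MTU are constructed inline.

```python
IP_HEADER_LEN = 20                          # header without options, as the text assumes
MAX_DATAGRAM = 65_535                       # 2^16 - 1 octets including the header
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN  # 65,515 octets of IP payload
FRAGMENT_UNIT = 8                           # the fragment offset field counts 8-octet units


class Reassembler:
    """Bounds-checked reassembly buffer for one datagram (one src/dst/id/protocol tuple)."""

    def __init__(self):
        self.buf = bytearray(MAX_PAYLOAD)  # fixed size: nothing can ever write past it
        self.ranges = []                   # [start, end) payload intervals already held
        self.total = None                  # payload length, known once the last fragment arrives

    def add(self, offset_units, more_fragments, data):
        start = offset_units * FRAGMENT_UNIT
        end = start + len(data)
        if not data:
            raise ValueError("empty fragment")
        if more_fragments and len(data) % FRAGMENT_UNIT:
            raise ValueError("non-final fragment length must be a multiple of 8")
        if end > MAX_PAYLOAD:  # the Ping o' Death condition: offset + size beyond the limit
            raise ValueError(f"fragment ends at payload octet {end}, beyond {MAX_PAYLOAD}")
        for s, e in self.ranges:  # the Tear Drop condition: overlapping fragments
            if start < e and s < end:
                raise ValueError(f"fragment [{start},{end}) overlaps [{s},{e})")
        if more_fragments:
            if self.total is not None and end > self.total:
                raise ValueError("fragment extends beyond the final fragment")
        else:
            if self.total is not None:
                raise ValueError("second final fragment")
            if any(e > end for _, e in self.ranges):
                raise ValueError("earlier fragment extends beyond the final fragment")
            self.total = end
        self.buf[start:end] = data  # safe: end <= MAX_PAYLOAD was checked above
        self.ranges.append((start, end))
        return self.complete()

    def complete(self):
        """True once the final fragment is known and [0, total) is covered without gaps."""
        if self.total is None:
            return False
        covered = 0
        for s, e in sorted(self.ranges):
            if s != covered:
                return False
            covered = e
        return covered == self.total

    def datagram(self):
        if not self.complete():
            raise ValueError("datagram incomplete")
        return bytes(self.buf[: self.total])


def fragment(payload, mtu=1500):
    """Split an IP payload as a sender with the given MTU would (constructed model)."""
    chunk = ((mtu - IP_HEADER_LEN) // FRAGMENT_UNIT) * FRAGMENT_UNIT  # 1480 on Ethernet
    return [(start // FRAGMENT_UNIT, start + chunk < len(payload), payload[start:start + chunk])
            for start in range(0, len(payload), chunk)]


def reassemble(fragments):
    """Return (payload, "ok"), or (None, reason) when the fragments are rejected."""
    r = Reassembler()
    try:
        for offset_units, more, data in fragments:
            r.add(offset_units, more, data)
    except ValueError as err:
        return None, str(err)
    if not r.complete():
        return None, "incomplete"
    return r.datagram(), "ok"


# Constructed samples: a normal 64-octet ping payload (8-octet ICMP header + 56 octets of
# data) and the oversized one the text's "ping -l 65510" produces (8 + 65,510 octets).
NORMAL_PING = bytes(8) + bytes(range(56))
OVERSIZED_PING = bytes(8) + bytes(65_510)

if __name__ == "__main__":
    print("normal ping:   ", reassemble(fragment(NORMAL_PING))[1])
    print("oversized ping:", reassemble(fragment(OVERSIZED_PING))[1])
    print("overlapping:   ", reassemble([(0, True, bytes(16)), (1, False, bytes(16))])[1])
```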

Land Attack

The Land attack involves sending spoofed packet(s) with the SYN flag set to the victim's machine on any open port that is listening. If the packet(s) contain the same destination and source IP address as the host, the victim's machine can hang or reboot.

In addition, most systems experience a total freeze up, where CTRL-ALT-DEL fails to work, the mouse and keyboard become non-operational and the only method of correction is to reboot via a reset button on the system or by turning the machine off.

Vulnerable Systems

This will affect almost all W95, W98 and Windows NT systems that are not properly patched and allow NetBIOS over TCP/IP.

In addition, machines running services such as HTTP, FTP etc. that do not filter packet(s) that contain the same source/destination IP address can still be vulnerable to attack through those ports. This attack can be prevented for open/listening ports by filtering inbound packets containing the same source/destination IP address at the router or firewall level.

Bonk Attack

The Bonk attack is a modified version of the Tear Drop attack and involves the sending of corrupt UDP packets to port 53 (DNS).

Vulnerable Systems

This will affect almost all W95, W98 and NT machines whether or not they are currently patched for the original Tear Drop attack.

Boink Attack

The Boink attack is a modified version of the original Tear Drop and Bonk attacks, again involving the sending of corrupt UDP packets, but to multiple ports and not just port 53.

Vulnerable Systems

This will affect almost all W95, W98 and NT machines whether or not they are currently patched for the original Tear Drop attack.

Coke Attack

The Coke attack involves sending vast amounts of garbage to a host running the WINS (Windows Internet Name Service) service. Depending on the victim's logging configuration, it is possible for the attacker to perform a DOS attack, since each transmitted packet of garbage will result in an error message being generated to the log, thus diminishing the victim's system performance as well as the available drive space.


Vulnerable Systems

This will affect NT machines running the WINS service. Properly configured firewalls and/or routers can block packets directed to the WINS service that originate from untrusted networks.

Snork Attack

The Snork attack allows an attacker with minimal resources to cause a remote NT system to consume 100% CPU usage for an indefinite period of time. In addition, the Snork attack allows the attacker to utilise a very large amount of bandwidth on a remote NT network by inducing vulnerable systems to engage in a continuous bounce of packets between all combinations of systems.

Vulnerable Systems

This will affect all unpatched Windows NT machines. If the systems do not make use of any NT applications which rely upon legitimate traffic passing between UDP port 135 on a source and destination machine, this DOS attack can be prevented by properly configuring the firewall and/or routers to block UDP packets with a destination port of 135 and a source port of 7, 19, or 135 that originate from outside of the trusted network.

WinArp/Poink

The WinArp/Poink DOS attack involves sending large numbers of ARP packets (usually with spoofed MAC addresses) to the victim's machine when on the same LAN.

Click/WinNewk-X/Smack/Bloop Attack

The Click/WinNewk/WinNewk-X attack involves the attacker sending ICMP error (usually ICMP unreachable) messages to either the victim or a server the victim is connected to, thus killing the host's connection.

Vulnerable Systems

This will affect almost all machines which are not behind a firewall or router which filters ICMP packets of this nature correctly. For most, the level of prevention is based on how their ISP and/or system administrators have configured their firewalls and routers; however, should the attack be focused at the server the host is using, then prevention solely depends on how that server filters packets of this nature.

Unlike the Click attack, Smack and Bloop do not attempt to disconnect target connections, but rather attempt to flood the victim, which results in poor performance from other applications because of CPU resource usage. In addition to this, both the Smack and Bloop attacks allow the attacker to spoof the source addresses.

NT Stop Attack

The NT Stop attack involves the attacker sending a size specified in an SMB logon request (used in Microsoft Windows Networking) that does not match the size actually present. The result of this attack generally includes memory corruption causing one of the following errors: STOP 0x0000000A or STOP 0x00000050, which in turn causes a system reboot and/or the system to hang.

Vulnerable Systems

All unpatched Windows NT 4.0 systems.


Trojan Horse Attack - Back Orifice

Back Orifice is a tool consisting of two main pieces - a client and a server application. The client application, running on one machine, can be used to monitor and control a second machine running the server application. The operations that the client application can perform on the target machine (i.e., the machine running the server application) include the following:

• Execute any application on the target machine.

• Log keystrokes from the target machine.

• Restart the target machine.

• Lockup the target machine.

• View the contents of any file on the target machine.

• Transfer files to and from the target machine.

• Display the screen saver password of the current user of the target machine, including the cached passwords for the current user.

Potentially, the tool can be used by an attacker to compromise the security of a Windows 95 or Windows 98 system and to steal secret documents, destroy data, etc. Without a firewall, a system is very vulnerable to attack by this program.

Vulnerable Systems

All unprotected Windows 95/98 systems.

2.4 What to do if you are attacked

The following procedures should be followed:

• Record the time of the attack.

• Record your own IP address at the time of attack.

• Record the attacker's IP address if possible.

• Never fight back by attacking the attacker.

• If you are using a dial-in connection, disconnect and reconnect to your ISP.

• Find out what domain the attacker's IP address is in.

• Contact your ISP or CERT for help.

Send email listing the details of the incident to administrative personnel at both the attacker's ISP and your own ISP. Administrative contacts may include:


3. Threats to Standard TCP/IP Services

TCP/IP supports the operation of a number of well-known services (i.e. applications). Traditionally each of these services has been associated with one or more vulnerabilities. Only applications that are commonly available on a number of operating systems, including Unix and Windows NT, are described here.

The intention is not to provide a detailed discussion about all applications that exist and have potentially exploitable vulnerabilities. Instead the following sections are intended to provide an overview of the types of problems that are common to applications not included here, and to provide examples of the threats and vulnerabilities that those implementing Internet, Intranet, and Extranet networks should be aware of. For complete and detailed information about many other applications and their vulnerabilities the reader should consult [Cheswick, 1994], [Garfinkel, 1996] and [Hare, 1996].

3.1 Simple Mail Transport Protocol (SMTP)

Description

The Simple Mail Transport Protocol (SMTP) [Braden, 1989] [Postel, 1982] is used as the basis for most electronic mail (email). Email is the most popular Internet service [Caceres, 1991], allowing people to communicate by exchanging electronic messages globally. These messages take anywhere from a few seconds to a couple of hours to be delivered. An added attraction is the relatively low cost of sending large messages. Combined, these benefits give users a convincing argument for access to email, and thus the connection of their systems to the Internet.

For a full and easy to read description of SMTP the reader is urged to consult [Stevens, 1994]. It must be noted that SMTP is a developing protocol, and as such, new threats could evolve. RFC 1425 [Klensin, 1993] defines the framework for adding extensions to SMTP.

Threats

SMTP used by itself is a fairly benign protocol, containing only eight basic commands. These are HELO, MAIL, RCPT, DATA, QUIT, VRFY, NOOP, and TURN. There are two security threats associated with these commands:

• Denial-of-Service

• Information gathering

Denial-of-service attacks based on SMTP are aimed at flooding a network or computer with large email messages to prevent legitimate use. In most cases a computer is affected because it cannot handle large messages (e.g. > 1 Megabyte), cannot handle the load created by receiving large numbers of messages at the same time, or runs out of storage space.

For example the Computer Fraud and Security Journal [CFS, 1996a] reported that a disgruntled university student was arrested for “mail bombing” the Monmouth University computer system in New Jersey. The attack caused massive disruption to the system for two days by generating 24,000 email messages, inundating the computers and paralysing the network. To get the systems functioning again required 44 hours of work, at an approximate cost of US$4,400.

The second, more subtle, attack involves information gathering designed to provide the hacker with useful information about a computer system and its users. For instance the VRFY command sometimes translates a user’s mail alias into their login name. This can be used to identify the more promising accounts to attack, with tools such as CRACK.

Most problems arise when SMTP is implemented as a large application, such as sendmail [Costales, 1993]. The threat comes from bugs, which inherently manifest themselves within large programs, and configuration problems such as giving the application higher privilege. These problems enabled one of the most famous Internet security incidents, the Internet Worm [Spafford, 1989], to take place.

Other problems also exist with email attachments, and automated execution of encoded messages such as Multipurpose Internet Mail Extensions (MIME). MIME allows specific actions to be encoded in email messages. These actions can request files to be automatically retrieved and returned to the message initiator.

MIME can also be used to transfer executable programs and PostScript files, which can themselves perform dangerous actions. These existing security threats are very applicable to new, network oriented, programming paradigms such as Java and ActiveX.
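As an added example (not code from the report), the following minimal SMTP command handler applies the two mitigations the threats above call for: VRFY is answered with a non-committal 252 so it never translates an alias into a login name, and a per-message size cap and recipient cap bound the mail-bombing exposure. The limits, host name and dialogue are constructed.

```python
"""Minimal SMTP command handler (constructed example) with two mitigations:
VRFY never translates an alias into a login name, and message size and
recipient count are capped so a flood of large messages is refused."""

MAX_MESSAGE_BYTES = 1_000_000   # roughly the report's "> 1 Megabyte" (assumed limit)
MAX_RECIPIENTS = 50             # constructed per-message recipient cap


class SmtpSession:
    """State for one client connection; handle_line() returns the reply text."""

    def __init__(self, max_bytes=MAX_MESSAGE_BYTES, max_rcpt=MAX_RECIPIENTS):
        self.max_bytes = max_bytes
        self.max_rcpt = max_rcpt
        self.rejected_oversize = 0      # counter a defender would alert on
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.data_bytes = 0
        self.oversize = False

    def handle_line(self, line):
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 mail.example.test"          # constructed host name
        if verb == "MAIL":
            self._reset_envelope()
            self.sender = arg
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command first"
            if len(self.recipients) >= self.max_rcpt:
                return "452 Too many recipients"
            self.recipients.append(arg)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT command first"
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "VRFY":
            # RFC 821 allows a non-committal 252: the client learns nothing
            # about whether the name exists or which login it maps to.
            return "252 Cannot VRFY user, but will accept message"
        if verb == "NOOP":
            return "250 OK"
        if verb == "TURN":
            return "502 Command not implemented"
        if verb == "QUIT":
            return "221 Closing connection"
        return "500 Command unrecognised"

    def _data_line(self, line):
        if line.rstrip("\r\n") == ".":
            self.in_data = False
            oversize = self.oversize
            self._reset_envelope()
            if oversize:
                self.rejected_oversize += 1
                return "552 Message exceeds fixed maximum message size"
            return "250 Message accepted for delivery"
        # Count bytes (plus CRLF); once over the cap the body is only drained.
        self.data_bytes += len(line.encode("utf-8")) + 2
        if self.data_bytes > self.max_bytes:
            self.oversize = True
        return ""   # no reply while inside DATA


def run_dialogue(lines, **limits):
    """Feed constructed client lines to a fresh session; return non-empty replies."""
    session = SmtpSession(**limits)
    return [r for r in (session.handle_line(l) for l in lines) if r]


if __name__ == "__main__":
    for reply in run_dialogue(["HELO client.test", "VRFY root", "QUIT"]):
        print(reply)
```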

3.2 Telnet

Description

Telnet [Postel, 1983] is designed to enable communication between any hosts, regardless of the operating system. Telnet provides simple character based terminal access, and usually requires the user to login with an account name and password.

Threats

The biggest threat comes during login when initiating the Telnet session, as standard Telnet does not protect the transmission of the user’s account name or password. Anyone monitoring the Telnet login packets over the network can capture this information.

As with any protocol each step is predictable, therefore a packet sniffer can be configured to simply detect any Telnet session and record the packets containing the account name and password.

Other threats exist, for example the Telnet program itself could have been compromised to record passwords and account names. A description of such a case is available in [Safford, 1993a].

To protect against sniffing attacks a number of secure versions of Telnet have been implemented [Borman, 1993] [Safford, 1993b]. These versions of Telnet usually encrypt both the password and session contents, which prevents an attacker from obtaining any useful information.

3.3 Network Time Protocol (NTP)

Description

The Network Time Protocol (NTP) [Mills, 1992] is used to synchronise the clocks of hosts connected to the Internet. The correct time is generated by extremely accurate atomic clocks which provide national time synchronisation. Time updates are propagated through a directed hierarchy of Internet hosts. The propagation path must not contain any loops as this would cause erroneous time transfers.

NTP provides accuracy of 10ms or better; with such accuracy comes the ability to match log files from different systems. This has proved beneficial when matching audit logs from different systems and allows an attacker’s actions to be replayed. It also provides a mechanism for cryptographic protocols to generate timestamps for authentication purposes.

Threats

Attacks on NTP focus on altering a target’s sense of time. If this succeeds, a time based authentication protocol can be subverted by replaying a previous successful authentication sequence. Protection against these attacks is provided in newer versions of NTP which provide cryptographic message authentication. NTP specifies that authentication be carried out on a hop-by-hop basis. It is therefore possible for an attacker to subvert a system on which the target’s NTP daemon relies, and thus subvert the target system as previously described. To ensure protection against this type of attack all sources of NTP information must in turn authenticate their own sources, and so on back to the root NTP server.

3.4 Finger and Whois

Description

The finger protocol (RFC 742) [Harrenstien, 1977] provides information on users of a specific host. Generally it is used to find out the account name of a user and/or whether they are logged on. In most cases the person using this command has no more sinister motives than sending mail.

The Whois protocol [Harrenstien, 1982] provides contact information such as account name, telephone number and address. It is useful for looking up people on systems when you do not have their full name. For example typing “whois smith” will return a list of people with “smith” in their name.

Threats

Finger can be used by hackers to collect useful information, such as account names, and compile login profiles, i.e. the best time to attack the system is when the system administrator has finished for the day, or better still, is on vacation. Other useful information supplied can be the date a user last logged in, and a user’s “.plan” file which often contains useful personal information. This information can be used to identify promising targets, and provide contextual information to attackers for use with tools such as CRACK. The following extract is from RFC 742 and expresses the philosophical nature of finger. It reflects well the openness of early networks and contrasts starkly with the more security conscious 1990’s.

“To fulfil the basic intent of the Name/Finger programs, the returned list should include at least the full names of each user and the physical locations of their terminals insofar as they can be determined. Including the job name and idle time (number of minutes since last typein, or since last job activity) is also reasonable and useful.”

The “Finger Bomb” is an interesting use of finger to launch denial-of-service attacks against systems (Note: this attack has been patched on newer finger services). Some finger services allow the redirection of finger to remote sites. To finger through several sites, an intruder could use:

>finger username@hostA@hostB

The finger will go through host B then to host A. This helps attackers to remain anonymous because host A will see a finger coming from host B instead of the original host. This technique has also been used to go through firewalls that have not been properly configured. This can happen by using the command:

>finger user@host@firewall

On vulnerable hosts a denial-of-service attack can be launched by typing:

>finger username@@@@@@@@@@@@@@@@@@@@@hostA

The repeated @ causes the finger to recursively finger the same machine repeatedly till the memory and hard drive swap space fill up. This causes the machine to crash or slow to an unusable speed.

The best countermeasure available to address the threat from finger is to disable it entirely. If this is not possible then finger should only be allowed to retrieve user information from a sanitised database.

The whois protocol is susceptible to the same types of abuse as the finger protocol, however it does not reveal detailed information about users’ access habits.
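The sanitised-database countermeasure above, as an added example that is not part of the report: a finger query handler that refuses any forwarded query (so both the anonymising relay and the repeated-@ finger bomb are rejected by one rule), refuses the blank who-is-logged-in query, and answers only from a constructed directory that carries no login times or .plan contents. The directory, messages and classify_for_log tag names are constructed.

```python
"""Finger query handler (constructed example) that implements the countermeasure
the report recommends: no forwarding, no login-activity details, and answers
drawn only from a sanitised directory."""
import re

# Constructed sanitised directory: the only fields the service may reveal.
SANITISED_DIRECTORY = {
    "jsmith": {"name": "J. Smith", "dept": "Accounts"},
    "alee": {"name": "A. Lee", "dept": "Engineering"},
}

# Plain account names only; anything else (@, /, .., spaces) is refused.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")

DENIED_FORWARDING = "Finger forwarding service denied.\r\n"
DENIED_LISTING = "Finger online user list denied.\r\n"
INVALID_QUERY = "Finger: invalid query.\r\n"
NO_INFORMATION = "Finger: no information available.\r\n"


def parse_query(raw):
    """Return (verbose, query_text) from the raw request line (RFC 1288 syntax)."""
    text = raw.decode("ascii", errors="replace").rstrip("\r\n")
    verbose = False
    if text.startswith("/W"):
        verbose = True
        text = text[2:].lstrip(" ")
    return verbose, text


def handle_finger_query(raw, directory=SANITISED_DIRECTORY):
    """Answer one finger request; returns the response text the server sends."""
    _verbose, query = parse_query(raw)
    if "@" in query:
        # user@hostA@hostB relays through us, and user@@@...@host is the
        # finger bomb; a single rule refuses both regardless of @ count.
        return DENIED_FORWARDING
    if query == "":
        # A blank query would list logged-in users and idle times.
        return DENIED_LISTING
    if not USERNAME_RE.match(query):
        return INVALID_QUERY
    entry = directory.get(query)
    if entry is None:
        # Same wording whether or not such an account exists on the host.
        return NO_INFORMATION
    # Sanitised fields only: no last-login time, no terminal, no .plan file.
    return f"Login: {query}\r\nName: {entry['name']}\r\nDepartment: {entry['dept']}\r\n"


def classify_for_log(raw):
    """Short tag for the server log so repeated relay attempts stand out."""
    _, query = parse_query(raw)
    if query.count("@") >= 2:
        return "finger-bomb-or-relay"
    if "@" in query:
        return "forwarding"
    return "lookup"


if __name__ == "__main__":
    for request in (b"jsmith\r\n", b"jsmith@hostA@hostB\r\n", b"\r\n"):
        print(classify_for_log(request), "->", handle_finger_query(request).strip())
```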

3.5 Network File System (NFS)

Description

The Network File System (NFS), RFC 1094 [Sun Microsystems, 1989], protocol provides transparent remote access to shared files across networks, and is designed to be portable across different machines, operating systems, network architectures, and transport protocols. This portability is achieved through the use of Remote Procedure Calls (RPC) [Sun Microsystems, 1988].

To ensure robust NFS access in the event of system reboots and device failures (e.g. bridges and routers) the NFS server is stateless, unlike the clients which retain state. When an NFS server becomes unreachable its clients continue to send requests until they receive a reply. Thus, the client’s functioning is not adversely affected by the loss of an NFS server.

Threats

All files and directories on an NFS server are identified by unique strings known as file handles. A threat is introduced if a client program obtains and retains a root file handle at mount time, which is usually when the NFS server is re-booted. This is possible due to the inadequacies of NFS access controls.

Once access to the file system has been achieved it is possible to change file access controls, and create subversive programs and place them in search paths so that the real ones are not used, e.g. trapdoor or password gathering programs.

3.6 File Transfer Protocol (FTP)

Description

The File Transfer Protocol (FTP), RFC 959 [Postel, 1985], enables the transfer of character and binary files across a network. The design philosophy does not dictate a specific host, operating system or file structure - it is completely independent.

An FTP server uses two TCP ports to transfer a file. The control connection is established on port 21, and the data connection on port 20. The FTP client is free to choose any available port.


FTP has become the standard for publishing software, data, and documents on the Internet. However Adobe Acrobat and the Hyper Text Transfer Protocol (HTTP) using the Hyper Text Markup Language (HTML) are becoming popular for documents.

Threats

The major threat to FTP comes from improperly managed FTP services. For example if an organisation runs a public FTP service but does not separate its sensitive organisational data, then with today’s network speeds it may be possible to download all the sensitive data in a matter of minutes. FTP services should be restricted to certain, well managed, file areas.

FTP has been used to gain access to password and remote host files by exploiting deficiencies in management of the service. For example, if file areas are not controlled then the user is able to change access controls to files. It may be possible to insert false password or remote host files, which can then be used to gain access to other hosts.

Like Telnet, the standard FTP protocol does not encrypt the passwords that are required for the user to login to a system, so there is a high risk that the password can be compromised by anyone listening in to the network. FTP sites are also used as promulgation points for pirated software.

3.7 World Wide Web (WWW)

Description

The World Wide Web (WWW) is made up of a collection of protocols specifically designed for exchanging information over the Internet. The original WWW protocols included Gopher, Wide Area Information Servers (WAIS), and Archie, however, the past four years have seen the introduction of the HyperText Transfer Protocol that has revolutionised the Internet. In fact, most laypersons associate the term WWW exclusively with HTTP.

These protocols are generally used by clients to query servers for specific files. HTTP also implements the client/server model of document retrieval; in this case the client, called a “browser”, is usually capable of multimedia support. The server, referred to as a WWW-server, functions in a similar manner to a standard file server, simply sending the requested documents to the browser. However, WWW-servers are also capable of running programs to create HTML documents dynamically as they are requested; this makes them very useful for maintaining documents in dynamic environments. In fact HTTP was originally developed by physicists at CERN laboratories as a means of exchanging papers pertaining to their research. These documents were constructed using HyperText Markup Language (HTML) which is based on the Standard Generalised Markup Language (SGML).

What makes HTML so attractive is that a document can incorporate small programs that allow the content to become dynamic. These programs, referred to as executable content, can either be included as scripts within the document (e.g. JavaScript), or as compiled programs which are loaded separately when the document is accessed (e.g. Java and ActiveX).

Threats

There are four categories of web security threats:

- Alteration of the web site data

- Access to the web server operating system

- Eavesdropping browser-server traffic

- Impersonation of another web server

The first two currently present the greatest threats. Rogue code can cause buffer overflow and exception conditions that in turn provide access to the operating system. Intruders can embed commands in web requests in such a way as to trick the web server into passing the command to the operating system. It is therefore essential that all patches are installed and only minimum system privileges are enabled.

More specifically, transferred files can contain executable content such as format tags which are used to identify the program necessary to view or execute the files. Further, firewalls and network guards must be configured to permit outgoing HTTP connections. This means that unknown programs contained in HTML pages can be downloaded onto a user’s computer and executed, effectively bypassing the firewall and any security policy that attempts to control the unauthorised use of untrusted software.

Fortunately, several solutions have emerged to deal with this problem. The first limits the access that the software has to system resources. For example, JavaScript runs within the environment created by the browser and does not have direct access to system resources (e.g. hard disk, device drivers, memory, etc). Similar constraints are also applied to Java applets, although these can be relaxed to some extent by the user [Rubin, 1996]. The most dangerous executable content is Microsoft’s ActiveX; these programs, known as “controls”, are in fact executable binaries (i.e. compiled Microsoft Windows C++ programs). They are executed by the browser in the same manner that a user runs a program. Because of this the ActiveX control has the same access rights to system resources as the user running the browser. For example, an ActiveX control downloaded by a user with administrator privileges would have full control of the computer, and possibly other machines if connected to a network.

Use of SHTTP (Secure-HTTP) and SSL/TLS (Secure Socket Layer/Transport Layer Security) allows clients and servers to negotiate acceptable levels of security for particular transactions [Soh, 1998]. To address the problem users have in deciding whether executable content can be “trusted”, Netscape and Microsoft have developed technologies based on public key cryptography that allow Java applet and ActiveX control code to be digitally signed. A browser that downloads a signed ActiveX control or Java applet can check the signature against a list of trusted certificates. If signed correctly the user can choose to execute the program with confidence that it came from a trusted source. Browsers from Netscape and Microsoft are pre-loaded with certificates from a number of well respected organisations. The benefit of this technique is that an organisation can remove all default certificates and install their own, effectively restricting executable content to that developed by the organisation. This can be enforced because the above browsers can be configured to enforce particular security policies.

Another solution provided by many of the newer firewalls allows HTML tags (i.e. hyper-links) that load the executable content to be disabled. Some firewalls can also be configured to check the signatures of Java Applets and ActiveX controls, and allow through only those signed by trusted certificates. This has the added benefit of enforcing the security policy at a central point, rather than delegating it to the browser where it may be possible for a user to alter the security policy locally.


In most cases the solution to the problem of executable content is similar to FTP and other services. That is, services should be run in an enclosed environment with only enough privilege to perform their task.

3.8 X Window System

Description

The X window system [Scheifler, 1992] is a client/server application which enables multiple clients to use the bit-mapped display managed by a server, which also manages the keyboard and mouse. The client is an application program which runs on a host with the server or on a different host.

X windows requires a reliable, bi-directional stream protocol such as TCP. Communication between client and server consists of 8-bit bytes. On UNIX systems where the server and client are on the same host, UNIX domain protocols are used to reduce the overhead of the TCP protocol.

Threats

An application which connects to an X server is able to do a multitude of things, e.g. read the keyboard, print the screen, read mouse movements/button presses, simulate key-presses, resize windows etc. If an attacker can connect to a server and read the keyboard, the user will be compromised. It is possible for an attacker on the Internet to probe for X servers, as X server ports are assigned as 6000 + n, where n is some small integer, usually 0.

The X windows system uses host based authentication. The server takes the network source address of the connecting application and compares it with a list of allowable sources. However, there is no protection from an attacker connecting from a trusted host.

Another protection mechanism makes use of a magic cookie; this is a secret byte string which the server and application share. Processes can not connect to a server unless they contain this string. The problem is communicating the secret string between application and server over a generally unsecured network.

A similar cryptographic challenge/response protection mechanism exists, but suffers from the same key distribution problems as the magic cookie.
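The two X access controls just described, as an added example that is not the X server's own code: a host-based allow list admits every process on a trusted host, whereas a 128-bit shared cookie (the size MIT-MAGIC-COOKIE-1 uses) admits only the process that holds it, compared in constant time. The allow list and client identities are constructed.

```python
"""X server access control (constructed example): host-based authorisation
versus a MIT-MAGIC-COOKIE-1 style shared-secret check."""
import hmac
import secrets

COOKIE_BYTES = 16                      # MIT-MAGIC-COOKIE-1 cookies are 128 bits
TRUSTED_HOSTS = {"192.0.2.10"}         # constructed xhost-style allow list


def new_cookie():
    """Fresh random cookie the server stores and hands to the legitimate user."""
    return secrets.token_bytes(COOKIE_BYTES)


def host_based_check(client_host, trusted=TRUSTED_HOSTS):
    """The source address alone decides: anyone on a trusted host is admitted."""
    return client_host in trusted


def cookie_check(server_cookie, presented):
    """Admit only a client that presents the exact shared secret.
    compare_digest keeps the comparison time independent of where bytes differ."""
    return (
        presented is not None
        and len(presented) == COOKIE_BYTES
        and hmac.compare_digest(server_cookie, presented)
    )


def authorise(policy, client, server_cookie, trusted=TRUSTED_HOSTS):
    """client is a constructed dict with 'host' and an optional 'cookie'."""
    if policy == "host":
        return host_based_check(client["host"], trusted)
    if policy == "cookie":
        return cookie_check(server_cookie, client.get("cookie"))
    raise ValueError(f"unknown policy {policy!r}")


def admitted_clients(policy, clients, server_cookie):
    """Names of the constructed clients each policy would let on the display."""
    return [c["name"] for c in clients if authorise(policy, c, server_cookie)]


if __name__ == "__main__":
    cookie = new_cookie()
    clients = [
        {"name": "owner", "host": "192.0.2.10", "cookie": cookie},
        {"name": "intruder-same-host", "host": "192.0.2.10"},
        {"name": "remote", "host": "203.0.113.9", "cookie": cookie},
    ]
    for policy in ("host", "cookie"):
        print(policy, admitted_clients(policy, clients, cookie))
```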

4. Summary

The TCP/IP suite was never intended to offer comprehensive, scaleable security mechanisms, and it is the lack of such mechanisms that underlies most of the problems with IPv4 and TCP. However, many solutions have been presented here and most are readily available without great expense. For example, there is little expense in ensuring that trust relationships (e.g. .rlogin) do not exist, or in applying patches (e.g. Ping) and keeping them up-to-date.

Perhaps the most important point is that all organisations should act responsibly to prevent malicious traffic from reaching the Internet. As discussed, most attacks on IP and TCP (e.g. SYN flooding, IP spoofing, etc.) could be averted by preventing IP datagrams leaving an organisation’s network if their source address did not originate from within. Unfortunately, not all organisations are so responsible, thus attacks which could be easily prevented are still possible.
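The source-address rule argued above, as an added example that is not from the report: a border filter that drops outbound datagrams whose source is not one of the organisation's own prefixes, and goes one step beyond the text by also applying the ingress mirror, dropping inbound datagrams that claim an internal source. The prefixes and border records are constructed.

```python
"""Border anti-spoofing filter (constructed example): a datagram may leave
only if its source address belongs to the organisation, and may enter only
if it does not claim an internal source."""
import ipaddress
from collections import Counter

# Constructed: address blocks the organisation originates traffic from.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]


def is_internal(addr, prefixes=INTERNAL_PREFIXES):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def border_decision(direction, src, prefixes=INTERNAL_PREFIXES):
    """direction is 'out' (leaving) or 'in' (arriving); returns 'permit' or 'drop'."""
    inside = is_internal(src, prefixes)
    if direction == "out":
        return "permit" if inside else "drop"   # egress: source must be ours
    if direction == "in":
        return "drop" if inside else "permit"   # ingress: source must not be ours
    raise ValueError(f"unknown direction {direction!r}")


def apply_filter(records, prefixes=INTERNAL_PREFIXES):
    """records: constructed (direction, src, dst, proto) tuples seen at the border.
    Returns the permitted records and a Counter of drop reasons for the log."""
    permitted, dropped = [], Counter()
    for direction, src, dst, proto in records:
        if border_decision(direction, src, prefixes) == "permit":
            permitted.append((direction, src, dst, proto))
        else:
            dropped["spoofed-egress" if direction == "out" else "spoofed-ingress"] += 1
    return permitted, dropped


# Constructed border records: a SYN flood from inside using forged sources,
# a legitimate outbound connection, and an inbound packet claiming our address.
SAMPLE_RECORDS = [
    ("out", "192.0.2.10", "203.0.113.5", "tcp/syn"),     # genuine internal host
    ("out", "10.99.1.1", "203.0.113.5", "tcp/syn"),      # forged source
    ("out", "172.16.5.5", "203.0.113.5", "tcp/syn"),     # forged source
    ("out", "198.18.0.9", "203.0.113.5", "tcp/syn"),     # forged source
    ("in", "203.0.113.7", "192.0.2.10", "tcp/syn-ack"),  # normal reply
    ("in", "198.51.100.3", "192.0.2.10", "tcp/syn"),     # claims to be inside
]

if __name__ == "__main__":
    kept, drops = apply_filter(SAMPLE_RECORDS)
    print(len(kept), "permitted;", dict(drops))
```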


It has also been shown that many applications pose significant risks to organisations. Most problems are caused through deficiencies in the implementation (e.g. buffer overflows, unhandled exceptions, etc.). Therefore, it is essential that applications are kept up-to-date by applying patches or service packs that address new exploitable vulnerabilities. Other problems are caused by uneducated users or shortcomings in the organisation’s security policy. Also, it remains to be seen what problems, and financial losses, new WWW technologies (e.g. ActiveX controls, Java applets) will inflict.

It is expected that IPSEC and IPv6 will solve many of the problems associated with existing TCP and IP implementations. However, deficiencies and errors in the implementation of applications, along with corrupt employees, will continue to introduce new generations of threats and vulnerabilities.

5. References

[Bellovin, 1989] Bellovin, S. 1989. Security Problems in the TCP/IP Protocol Suite. Computer Communication Review, Vol. 19, No. 2, April, pp. 32–48. Available at ftp://ftp.research.att.com/dist/internet_security/ipext.ps.z

[Borman, 1993] Borman, D. 1993. Telnet Authentication Option. RFC 1416, February.

[Braden, 1989] Braden, R. (Ed.) 1989. Requirements for Internet Hosts - application and support. RFC 1123, October.

[Caceres et al., 1991] Caceres, R; Danzig, P; Jamin, S; and Mitzel, D. 1991. Characteristics of Wide-Area TCP/IP Conversations. Computer Communication Review, Vol. 21, No. 4, September, pp. 101–112.

[Cheswick et al., 1994] Cheswick, W; and Bellovin, S. 1994. Firewalls and Internet Security – Repelling the Wily Hacker. Addison-Wesley Publishing Company.

[Costales et al., 1993] Costales, B; Allman, E; and Rickert, N. 1993. Sendmail. O’Reilly and Associates Inc.

[Garfinkel, 1996] Garfinkel, S; and Spafford, G. 1996. Practical UNIX and Internet Security. O’Reilly & Associates Inc., 2nd Edition, April.

[Hare et al., 1996] Hare, C; and Siyan, K. 1996. Internet Firewalls and Network Security. New Riders Publishing, 2nd Edition.

[Harrenstien, 1977] Harrenstien, K. 1977. Name/Finger Protocol. RFC 742, December 30.

[Harrenstien, 1982] Harrenstien, K; and White, V. 1982. Nicname/Whois. RFC 812, March 1.

[Hunt, 1998] Hunt, R. 1998. Internet/Intranet firewall security - policy, architecture and transaction services. Computer Communications, Vol. 21, No. 13, pp. 1107–1123.

[Joncheray, 1995] Joncheray, L. 1995. A Simple Active Attack Against TCP. Proceedings of the Fifth USENIX UNIX Security Symposium, Salt Lake City, Utah, June 5–7, pp. 7–19.

[Klensin, 1993] Klensin, F; Rose, T; Stefferud, E; and Crocker, D. 1993. SMTP Service Extensions. RFC 1425, February.

[Mills, 1992] Mills, D. 1992. Network Time Protocol (version 3) specification, implementation and analysis. RFC 1305, March.

[Morris, 1985] Morris, R. 1985. A Weakness in the 4.2BSD UNIX TCP/IP Software. Computing Science Technical Report 117, AT&T Bell Laboratories, February 25. Available at ftp://netlib.att.com/netlib/research/cstr/117.z

[Phrack, 1996a] 1996. Project Neptune. Phrack Magazine, Vol. 7, Issue 48, July, File 13. Available at www.phrack.com/Archives/phrack48.zip

[Phrack, 1996b] 1996. IP Spoofing Demystified: Trust Relationship Exploitation. Phrack Magazine, Vol. 7, Issue 48, June, File 14. Available at www.phrack.com/Archives/phrack48.zip

[Postel, 1981] Postel, J. 1981. Internet Control Message Protocol. RFC 792, September.

[Postel, 1982] Postel, J. 1982. Simple Mail Transfer Protocol. RFC 821, August.

[Postel, 1983] Postel, J; and Reynolds, J. 1983. Telnet Protocol Specification. RFC 854, May.

[Postel, 1985] Postel, J; and Reynolds, J. 1985. File Transfer Protocol. RFC 959, October.

[Rosen, 1996] Rosen, A. 1996. Understanding and Defending Against SYN Attacks. Proc. of Discrete Mathematics and Theoretical Computer Science Workshop on Network Threats, National Science Foundation - Science and Technology Center, Piscataway, NJ, December. (http://dimacs.rutgers.edu/Workshops/Threats/program.html)

[Rubin, 1996] Rubin, A. 1996. Blocking Java Applets at the Firewalls. Proc. of Discrete Mathematics and Theoretical Computer Science Workshop on Network Threats, National Science Foundation - Science and Technology Center, Piscataway, NJ, December. (http://dimacs.rutgers.edu/Workshops/Threats/program.html)

[Safford et al., 1993a] Safford, D; Schales, D; and Hess, D. 1993. The TAMU Security Package: An Ongoing Response to Internet Intruders in an Academic Environment. Proceedings of the Fourth Usenix UNIX Security Symposium, Santa Clara, CA, October, pp. 91–118. Available at www.tamu.edu/pub/mirrors/net.tamu.edu/tamu-security-overview.ps.gz

[Safford et al., 1993b] Safford, D; Hess, D; and Schales, D. 1993. Secure RPC authentication (SRA) for Telnet and FTP. Proceedings of the Fourth Usenix UNIX Security Symposium, Santa Clara, CA, October, pp. 63–67.

[Scheifler et al., 1992] Scheifler, R; and Gettys, J. 1992. X Window System. Digital Press, 3rd Edition.

[Soh et al., 1998] Soh, B.C.; and Young, S. 1998. Network system and world wide web security. Computer Communications, Vol No 20, 1998, pp. 1431–1436.

[Spafford, 1989] Spafford, E. 1989. An analysis of the Internet worm. Proceedings of the European Software Engineering Conference, September. Available at ftp://ftp.cs.purdue.edu/pub/spaf/security/IWorm.PS.Z

[Stevens, 1994] Stevens, W. 1994. TCP/IP Illustrated: the protocols. Addison-Wesley Publishing Company.

[Sun Microsystems, 1988] Sun Microsystems. 1988. RPC: Remote procedure call protocol specification: Version 2. RFC 1057, June.

[Sun Microsystems, 1989] Sun Microsystems. 1989. NFS: Network File System Protocol Specification. RFC 1094, March.


Appendix A - Common Hacks in Australia and New Zealand

It seems some Australian and New Zealand companies believe that remoteness from the rest of the world somehow makes us of a lesser interest to hackers. This belief has led to some of the most lax security in the world. Statistics show that Australia and New Zealand suffer twice the rate of successful attacks seen in the USA.

SMTP Mail Server attacks

Too many companies believe it is safe to pinhole port 25 through to a mail server on their internal network. The mail server, or better still a mail server relay, should always be located in the DMZ. If you do not have a DMZ get one! (If you are using POP mail this warning does not apply.)

U-Turn attack

Telecommuter and branch sites with both local Internet access and corporate VPN access can expose companies to U-turn attacks in which intruders gain access to the network behind the remote-site VPN and then use the VPN tunnel as the conduit into the trusted corporate intranet. This attack can be simply prevented by directing all traffic through the VPN, including Internet traffic.

NAT Breaches (Most common on ADSL links)

While NAT can be breached using IP spoofing it is usually much simpler to hack the ADSL router/modem itself. Web sites exist that detail how to obtain management control of specific brands of ADSL routers and modems and then detail fully how to open the device to the hacker. An early example of such a web site is http://security.sdsc.edu/self-help/alcatel/alcatel-bugs.html. Alcatel now claims to have addressed these issues. While most ADSL manufacturers are focused on cost, speed of performance and ease of setup, they expect customers using ADSL modems and routers to deploy proper firewalls.

Wireless Network Hijacking

One customer recently audited had over 30 instances of breaches to their wireless network. The breaches were apparently made to make free use of their Internet access! Amazingly they had not enabled any of the security features built into their wireless solution. Not even the default WEP security architecture.

Firewall Bypass

This one was more of an accident than a hack. We discovered a medical institution where the firewall had been unintentionally bypassed by an ISDN modem.


Web site and associated application breach

Within three weeks of installing a firewall this customer had their accounting package well and truly compromised. While they had located their web server in the DMZ (good decision) they had also hosted their e-commerce database on the same server (bad decision). We understand that the cost of this hack was severe.

What gets stolen or destroyed in an attack

Hacking attacks range from benign to total business destruction. Some businesses never recover from a hacking attack. Hacks may be performed by disgruntled staff, script kiddies and professional full time hackers.

Some of the commonest hacking activities:

• Changing levels of trust/rights on servers

• Mail server hijacking for SPAM

• Internet access hijacking

• Trojan Horse attacks

• Compromised servers

• Changed records for staff and customers

• Denial of service

• Scams e.g. www.interneteraser.com/error.html