TCP Security Vulnerabilities
Phil Cayton
CSE 581
2002
Papers Reviewed
1. C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, "Analysis of a Denial of Service Attack on TCP"
2. S. Bellovin, "Security Problems in the TCP/IP Protocol Suite"
3. S. Bellovin, "Defending against sequence number attacks"
4. S. Bellovin, "Packets Found on an Internet"
5. R. Morris, "A Weakness in the 4.2BSD Unix TCP/IP Software"
Topics
• SYN Flooding
• Sequence Number Prediction
• Source Routing Attacks
• Routing Information Protocol Attacks
• Internet Control Message Protocol Attacks
• Comprehensive Defenses
SYN Flooding
– Attacker sends many connection requests w/ spoofed source addresses to victim
– Victim allocates resources for each request
• Finite # half-open connection requests supported
• Connection requests exist for TIMEOUT period
– Once resources exhausted, all other requests rejected
[Figures: normal connection establishment vs. SYN Flooding attack]
SYN Flooding Defenses
– System Configuration Improvements
• Reduce timeout period
• Increase length of backlog queue to support more connections
• Disable non-essential services to make a smaller target
– Router Configuration Improvements
• Configure router external interfaces to block packets with source addresses from internal network
• Configure router internal interfaces to block packets to outside that have source addresses from outside the internal network
– Cryptographically sign IP source addresses of all packets
• Does not prevent SYN Floods
• Allows for tracing of flood attack back to source
• Possible deterrent?
SYN Flooding Defenses
• Firewall as a Relay
– Firewall answers on behalf of Destination
– Once connection established, firewall predicts seq # and establishes 2nd connection to Destination
– Disadvantage: Adds delay for every packet
SYN Flooding Defenses
• Firewall as a Semi-transparent Gateway
– Forges the 3rd handshake (ack) from the client to the destination
– This moves connection out of backlog queue, freeing resources
– If this is an attack, no “real” ack will happen
• Destination will send RST packet terminating connection
– If this is an actual connection request, the eventual ack will be ignored as a duplicate
– Disadvantages:
• Large # illegitimate open connections if system under attack
• Must very carefully choose timeout periods
SYN Flooding Defenses
[Figures: attack w/ semi-transparent gateway; legit connection w/ semi-transparent gateway]
SYN Flooding Defenses
• Active Monitor
– Program that promiscuously monitors and injects network traffic to/from machines it is protecting
– Monitors net for SYN packets not acknowledged after a certain period of time
– If it detects problems with a half-open connection it can
• Send RST packets to the sender to release destination resources
• Complete the TCP connections by sending the ACK message
– Similar to Semi-Transparent gateways
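The detection half of the active monitor above, as an added example (not code from the slides): it tracks SYNs whose handshake never completed and flags a server once too many of them have aged past a timeout. The packet trace, addresses and thresholds are constructed for the example.

```python
# Added example (not from the slides): passive half-open connection tracking in the
# spirit of the "active monitor". The trace is constructed sample data, not a capture.
from collections import defaultdict

# (time_s, src, dst, flags): "S" = SYN, "SA" = SYN/ACK, "A" = ACK
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "192.0.2.10", "S"),
    (0.1, "192.0.2.10", "10.0.0.5", "SA"),
    (0.2, "10.0.0.5", "192.0.2.10", "A"),       # handshake completes
    (1.0, "203.0.113.7", "192.0.2.10", "S"),
    (1.1, "192.0.2.10", "203.0.113.7", "SA"),   # final ACK never arrives
    (1.2, "203.0.113.8", "192.0.2.10", "S"),
    (1.3, "192.0.2.10", "203.0.113.8", "SA"),   # final ACK never arrives
    (9.0, "10.0.0.6", "192.0.2.10", "S"),
    (9.1, "192.0.2.10", "10.0.0.6", "SA"),      # recent, still within timeout
]

def stale_half_open(events, now, timeout):
    """Return sorted (client, server, age_s) for SYNs the client never completed
    with its final ACK and that are older than `timeout` seconds at time `now`."""
    pending = {}   # (client, server) -> SYN time; the server holds state from the SYN on
    for t, src, dst, flags in events:
        if flags == "S":
            pending.setdefault((src, dst), t)
        elif flags == "A":
            pending.pop((src, dst), None)   # client's ACK moves it out of the backlog
        # "SA" (the server's SYN/ACK) changes nothing: the resource is already allocated
    return sorted((c, s, round(now - t, 1))
                  for (c, s), t in pending.items() if now - t > timeout)

def flood_suspected(events, now, timeout, threshold):
    """True when any one server has at least `threshold` stale half-open connections,
    the condition under which a monitor would start releasing resources with RSTs."""
    per_server = defaultdict(int)
    for _, server, _ in stale_half_open(events, now, timeout):
        per_server[server] += 1
    return any(n >= threshold for n in per_server.values())
```

In a real monitor the timeout must be chosen to stay below the victim's own connection timeout, otherwise the backlog fills before the monitor reacts.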
Sequence Number Prediction
• Normal connection establishment
C→S: SYN(ISN_C)
S→C: SYN(ISN_S), ACK(ISN_C)
C→S: ACK(ISN_S)
C→S: data
and / or
S→C: data
Sequence Number Prediction
• Attack
– Predict the correct sequence number the destination machine will use
• Not impossible – initiate legitimate connection and then extrapolate next sequence from known granularity & rate of change
– Spoof dest. machine
X→S: SYN(ISN_X), SRC = T
S→T: SYN(ISN_S), ACK(ISN_X)
X→S: ACK(ISN_S), SRC = T
X→S: ACK(ISN_S), SRC = T, nasty data
Sequence Number Prediction
• What about the ACK back to the fake source machine?
– Bring it down – SYN Flood it until it throws away packets and will ignore the ACK
Sequence Number Prediction
• Defenses
– Randomize the ISN increment
– ISN determined by cryptographic hash function on some secret data
– Only trust hosts on the same physical net
• Train gateways to reject packets that claim, but do not, come from directly connected networks
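The two ISN schemes contrasted above, as an added example (not code from the slides or the papers): a fixed-increment generator modelled on the 4.2BSD scheme Morris analysed, and one that adds a keyed hash of the connection endpoints as Bellovin proposed. The check measures whether constant-rate extrapolation from two observed ISNs predicts the ISN a third peer receives. The server endpoint, peer addresses and secret are constructed, and HMAC-SHA256 stands in for the MD5 hash of the original proposal.

```python
# Added example (not from the slides or papers): fixed-increment vs. hashed ISNs and
# a predictability check. All endpoints and the secret below are constructed.
import hmac, hashlib

MASK = 0xFFFFFFFF
# Constructed per-boot secret; a real implementation draws it randomly at boot.
SECRET = b"constructed-example-secret-do-not-reuse"

def isn_fixed_increment(seconds, conn_no, local, remote):
    """4.2BSD-style ISN: +128 per second and +64 per connection, identical for every
    peer (constants as Bellovin describes the BSD scheme)."""
    return (128 * seconds + 64 * conn_no) & MASK

def isn_hashed(seconds, conn_no, local, remote):
    """Bellovin-style ISN: a 4 us clock (250 000 ticks/s) plus a keyed hash of the
    4-tuple, so the per-connection offset differs for every (local, remote) pair.
    HMAC-SHA256 truncated to 32 bits replaces the MD5 of the original proposal."""
    msg = f"{local[0]}:{local[1]}->{remote[0]}:{remote[1]}".encode()
    offset = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")
    return (250_000 * seconds + offset) & MASK

def extrapolation_predicts_next(gen, observed_peer, spoofed_peer):
    """Observe the ISNs issued to observed_peer for two connections one second apart,
    extrapolate the next value at a constant rate, and compare it with the ISN the
    server actually issues one second later to spoofed_peer. True means predictable."""
    server = ("192.0.2.10", 25)                       # constructed server endpoint
    a = gen(100, 1, server, (observed_peer, 40000))
    b = gen(101, 2, server, (observed_peer, 40001))
    actual = gen(102, 3, server, (spoofed_peer, 40002))
    guess = (2 * b - a) & MASK                        # constant-rate extrapolation
    return guess == actual
```

With the hashed scheme the clock still advances at a fixed rate for one 4-tuple, which keeps sequence spaces of reused connections apart, but an observer on another 4-tuple learns nothing usable about the offset.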
Source Routing Attacks
• Attack
– If destination hosts use reverse of source route provided in TCP open request to return traffic
• Fake the source address of a packet
• Pretend to be a trusted machine on the net
• Defenses
– Train gateways to reject external packets that claim to be from the local net
• Can backfire if [diagram: trusted net – backbone – trusted net]
– Reject pre-authorized connections if source routing info present
– Only accept if only trusted gateways listed in source routing info
Routing Information Protocol (RIP) Attacks
• Attack
– Intruder sends bogus routing information to a target and each of the gateways along the route
• Impersonates an unused host
– Diverts traffic for that host to the intruder’s machine
• Impersonates a used host
– All traffic to that host routed to the intruder’s machine
– Intruder inspects packets & resends to host w/ source routing
– Allows capturing of unencrypted passwords, data, etc
Routing Information Protocol (RIP) Attacks
• Defenses
– Paranoid gateway
• Filters packets based on source and/or destination addresses
– Don’t accept new routes to local networks
• Messes with fault-tolerance but detects intrusion attempts
– Authenticate RIP packets
• Difficult in a broadcast protocol
• Only allows for authentication of prior sender and doesn’t address information from a deceived gateway upstream
Internet Control Message Protocol (ICMP) Attacks
• Attack
– Targeted Denial of Service (DoS)
• Attacker sends ICMP Redirect message to give a bogus route
• Attacker sends Destination Unreachable or TTL exceeded messages to reset existing connections
• Attacker sends fraudulent Subnet Mask Reply messages
– Blocks communication with target
• Defenses
– Verify ICMP packet contains a plausible sequence #
– Don’t modify Global Route Table due to ICMP Redirect messages
– Disallow ICMP Redirects?
– Check to see if multiple ICMPs from a host agree
Comprehensive Defenses
• Authentication
– Preauthorize connections using session keys
• DNS provides structure/redundancy to support this
• Must use encrypted key distribution request/response
• Encryption
– Link-level Encryption
• Encrypt each packet as it leaves the host
• Doesn’t work well for broadcast packets
• Not end-to-end, so must have trusted gateways
– Multi-point Link Encryption
• Physical device. Interfaces w/ Key Distribution Center for keys
– Application Level End-to-End Encryption
• Lots of overhead, many more correspondent pairs at this level
Comprehensive Defenses
• Trusted Systems
– Reject all source-address authenticated packets
– Turn off netstat/finger services
– Encode TCP/IP Security headers with the process’s security level
– Only allow connection requests to succeed if at appropriate security level
– Only allow packet transfers over links at or above security level
– Does not prevent captured traces used against targets
– Does not protect against RIP spoofing
Summary
• Turn off non-essential services that give away information
– Finger, Netstat, etc
• Increase memory of machines & length of backlog queue
• Use an Active Monitor to try and minimize damage
• Randomize sequence # increment and/or cryptographically determine ISN
Discussion
?