TCP/IP Vulnerability
Prepared By: Mohit Kohli 11th June 2007
Section 1: Introduction
A quick review on:
• TCP (Transmission Control Protocol)
• IP (Internet Protocol)
• Packet structure
• Flags
• Fragmentation
• TCP communication mechanism
Introduction on TCP Packets
• TCP (Transmission Control Protocol) runs on top of IP and provides a connection-oriented service between the sender and the receiver.
• TCP provides guaranteed delivery and ensures that the packets are delivered in sequence.
• The underlying network layer, IP, is highly unreliable and does not provide any guarantee for TCP.
• In order to provide reliability between the sender and the receiver, TCP uses various mechanisms, such as sequence numbers, acknowledgments, 3-way handshakes and timers.
• In the TCP protocol, the important things in a packet are the essential IP packet headers and various TCP-specific headers and flags. These include: source port, destination port, header lengths, the sequence number, the ACK number, the checksum and various other flags. Here is a diagram to illustrate the basic format of a typical TCP packet:
IP Packet
• IP (IPv4) is a datagram protocol primarily responsible for addressing and routing packets between hosts.
• IPv4 is connectionless, which means that it does not establish a connection before exchanging data, and unreliable, which means that it does not guarantee packet delivery.
• There are a lot of headers in the IP section of a packet. Some of the essential ones include: source address, destination address, TOS, TTL, packet ID, protocol (i.e. TCP or UDP), IP version (4, obviously), packet length, the checksum and the IP header length. These need to be set in every packet/datagram/segment sent, be it TCP, UDP or ICMP.
Packet Example (sizes in bytes):
• Data after TCP header (the payload): 1,460
• Typical TCP header size: 20
• Typical IP header size: 20
• Typical Ethernet header size: 14
• CRC size: 4
• Maximum Ethernet packet size: 1,518
TCP Packet Components
Flags structure:
• F: FIN - Finish; end of session
• S: SYN - Synchronize; indicates request to start session
• R: RST - Reset; drop a connection
• P: PUSH - Push; packet is sent immediately
• A: ACK - Acknowledgement
• U: URG - Urgent
• E: ECE - Explicit Congestion Notification Echo
• W: CWR - Congestion Window Reduced
Example:
Flags: 0x0010 (ACK) = 0001 0000, Window Size: 64512
Flags: 0x0018 (PSH, ACK) = 0001 1000, Window Size: 65059
A checksum is a computed value which allows you to check the validity of something. Typically, checksums are used in data transmission to detect whether the data has been transmitted successfully. For example, the Cyclic Redundancy Check algorithms CRC-8, CRC-16 and CRC-32 do fairly complex things to make the checksum sensitive to such transmission errors.
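As an added example (not part of the original presentation), the 16-bit ones'-complement Internet checksum that the IP and TCP headers use (RFC 1071), computed over a constructed IPv4 header and then verified. The addresses and field values are made up; the last function shows why a checksum catches accidental corruption but is not an integrity control against someone who can rewrite the packet.

```python
def internet_checksum(data: bytes) -> int:
    """16-bit ones'-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # odd length is padded with a zero byte for the sum
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, total_len: int, ttl: int = 64,
                proto: int = 6, ident: int = 0x1C46) -> bytes:
    """Build a 20-byte IPv4 header (no options) with the checksum filled in.
    Addresses and lengths are whatever the caller constructs."""
    hdr = bytearray(20)
    hdr[0] = 0x45                                # version 4, IHL 5 words
    hdr[2:4] = total_len.to_bytes(2, "big")      # Total Length
    hdr[4:6] = ident.to_bytes(2, "big")          # Identification
    hdr[6:8] = (0x4000).to_bytes(2, "big")       # flags: DF set, fragment offset 0
    hdr[8] = ttl
    hdr[9] = proto                               # 6 = TCP
    hdr[12:16] = bytes(int(o) for o in src.split("."))
    hdr[16:20] = bytes(int(o) for o in dst.split("."))
    # the checksum is computed with its own field zeroed, then written in place
    hdr[10:12] = internet_checksum(bytes(hdr)).to_bytes(2, "big")
    return bytes(hdr)


def ipv4_checksum_ok(header: bytes) -> bool:
    """A header whose checksum is valid sums to zero with the checksum included."""
    return internet_checksum(header) == 0


def recompute_after_change(header: bytes, new_ttl: int) -> bytes:
    """Change a field and recompute: the result verifies again, which is why a
    checksum detects line noise but offers no protection against modification."""
    hdr = bytearray(header)
    hdr[8] = new_ttl
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = internet_checksum(bytes(hdr)).to_bytes(2, "big")
    return bytes(hdr)
```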
Ref on Transmission Control Protocol: http://www.faqs.org/ftp/rfc/pdf/rfc793.txt.pdf
Fragmentation
Fragmentation: Every packet-based network has an MTU (Maximum Transmission Unit) size. The MTU is the size of the largest packet which that network can transmit. Packets larger than the allowable MTU must be divided into multiple smaller packets, or fragments, to enable them to traverse the network.
Example: If a 2,366 byte packet enters an Ethernet network with a default MTU size, it must be fragmented into two packets.
The first packet will:
• Be 1,500 bytes in length. 20 bytes will be the IP header, 24 bytes will be the TCP header, and 1,456 bytes will be data.
• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 1 to mean "More Fragments."
• Have a Fragmentation Offset of 0.
The second packet will:
• Be 910 bytes in length. 20 bytes will be the IP header, 24 bytes will be the TCP header, and 866 bytes will be data.
• Have the DF bit equal to 0 to mean "May Fragment" and the MF bit equal to 0 to mean "Last Fragment."
• Have a Fragmentation Offset of 182 (Note: 182 is 1456 divided by 8).
Three of these fields are involved in packet fragmentation: Len, Offset and More bit.
Fragmentation reduces TCP throughput and increases network congestion.
Disabling the Path MTU Discovery process: a low MTU value could degrade network performance, since it increases fragmentation.
Figure: Fragmentation (3,600)
• Len: Total Length of the fragment
• Offset: distance from the first byte of the original datagram
• More: indicates if the fragment has more to follow
Captured TCP Packet structure
Captured UDP Packet structure
TCP Three-Way Handshake
A TCP connection is initialized through a three-way handshake. The purpose of the three-way handshake is to synchronize the sequence number and acknowledgment numbers of both sides of the connection and to exchange TCP window sizes. The following steps outline the process for the common situation when a client computer contacts a server computer:
1. The client sends a TCP segment to the server with an initial sequence number for the connection and a window size indicating the size of a buffer on the client to store incoming segments from the server.
2. The server sends back a TCP segment containing its chosen initial sequence number, an acknowledgment of the client’s sequence number, and a window size indicating the size of a buffer on the server to store incoming segments from the client.
3. The client sends a TCP segment to the server containing an acknowledgment of the server’s sequence number.
TCP uses a similar handshake process to end a connection. This guarantees that both hosts have finished transmitting and that all data was received. TCP connections have three main parts: connection establishment, data exchange, and connection termination.
HTTP Elements
• HTTP clients send HTTP requests that contain a method, or command, that indicates what the client wants.
• HTTP Methods
• The HTTP GET command
Sample HTTP Communications: 3-way handshake communication for the HTTP application protocol
Section 2: TCP/IP Vulnerability
• Overlapping IP fragments
• Teardrop
• Land
• SYN Attack
• Ping Flooding
• IP Spoofing
• Source Routing
• TCP Hijacking
• SYN Guessing
• Smurf Attack
• Man-in-the-Middle Attack
• Countermeasures
Overlapping IP fragments
Description: An IP fragment overlap vulnerability may exist on NT 3.5 and 4.0 systems without the hotfixes applied that will cause a lock-up on these systems requiring a hard reset. This exploit modifies the code from the teardrop attack to incorporate the use of a SYN sequence bug. The attack will send two IP fragments, with the offset of the second fragment inside the prior packet's payload, that overlaps but does not include enough payload to complete the datagram.
Impact: Any systems that are vulnerable to this exploit may be 'brought down', requiring a reboot of the system.
Root Cause: Insecure design.
Countermeasure: Install the latest hotfixes provided by Microsoft.
Linux and Microsoft have a serious bug in their IP fragmentation module, more specifically in the fragment reassembly code.
Explanation: When Linux reassembles IP fragments to form the original IP datagram, it runs in a loop, copying the payload from all the queued fragments into a newly allocated buffer (which would then normally be passed to the IP layer proper). If we find that the current fragment's offset is inside the end of a previous fragment (overlap), we need to (try to) align it correctly. Well, this is fine and good, unless the payload of the current fragment happens to NOT contain enough data to cover the realigning. In that case, `offset` will end up being larger than `end`.
Teardrop Attack
IP requires that a packet too large for the next router to handle be divided into fragments.
The attacker's IP puts a confusing offset value in the second or later fragment.
If the receiving operating system is not able to aggregate the packets accordingly, it can crash the system.
It is a UDP attack, which uses overlapping offset fields to bring down hosts.
The Unnamed Attack
Variation of the Teardrop attack: fragments are not overlapping; instead there are gaps incorporated.
Overlapping fragment attack.
Hackers can also craft packets so that instead of overlapping, there will be gaps between various packets. These nonadjacent fragmented packets are similar to overlapping packets because they can crash or hang older operating systems that have not been patched.
Careful design of the algorithm for generating initial sequence numbers ensures that overlap in sequence number space between different incarnations of a connection is prevented.
Abnormal Fragmentation
The figure shows a specially crafted packet with abnormal fragmentation.
Teardrop Attack Tool: Jolt2
Allows remote attackers to cause a Denial of Service attack against Windows based machines.
Causes the target machines to consume 100% of the CPU time processing illegal packets.
Not Windows-specific, many Cisco routers and other gateways might be vulnerable.
Teardrop Attack Tool: Bubonic.c
Bubonic.c is a DoS exploit that can be run against Windows 2000 machines.
It works by randomly sending TCP packets, with random settings, with the goal of increasing the load of the machine, so that it eventually crashes.
c:\> bubonic 12.23.23.2 10.0.0.1 100
The teardrop attack exploits overlapping IP fragments and can crash Windows 95, Windows NT, and Windows 3.1 machines.
Land
• IP spoofing in combination with the opening of a TCP connection.
• Both IP addresses, source and destination, are modified to be the same: the address of the destination host.
• This results in sending the packet back to itself, because the addresses are the same.
SYN Attack
The attacker sends bogus TCP SYN requests to a victim server. The host allocates resources (memory, sockets) for the connection.
It prevents the server from responding to legitimate requests.
This attack exploits the three-way handshake.
Malicious flooding by large volumes of TCP SYN packets to the victim system with spoofed source IP addresses can cause a DoS.
Windows Server 2003 systems that have enabled the SynAttackProtect registry value are not vulnerable to many of these attacks. A value of 0 indicates no retransmission of packets.
The default backlog size is 256 for RedHat 7.3 and 100 for Windows 2000 Professional. When this size is reached, the system will no longer accept incoming connection requests.
How to detect a SYN attack:
# netstat -n -p TCP
tcp 0 0 10.100.0.200:21 237.177.154.8:25882 SYN_RECV –
tcp 0 0 10.100.0.200:21 236.15.133.204:2577 SYN_RECV –
tcp 0 0 10.100.0.200:21 127.160.6.129:51748 SYN_RECV
Number of half-open TCP connections:
# netstat -n -p TCP | grep SYN_RECV | grep :23 | wc -l
769
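As an added example (not from the presentation), the same detection idea as the grep | wc -l pipeline above, carried out over netstat-style lines with a per-port count and the number of distinct remote hosts, which a spoofed SYN flood drives up alongside the count. The netstat lines are constructed, modelled on the ones shown above; the threshold is the caller's choice.

```python
from collections import defaultdict

# Constructed netstat -n output, modelled on the lines shown above (not a real capture)
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.100.0.200:21         237.177.154.8:25882     SYN_RECV    -
tcp        0      0 10.100.0.200:21         236.15.133.204:2577     SYN_RECV    -
tcp        0      0 10.100.0.200:21         127.160.6.129:51748     SYN_RECV    -
tcp        0      0 10.100.0.200:22         10.0.0.7:40012          ESTABLISHED 1234/sshd
tcp        0      0 10.100.0.200:23         198.51.100.9:1025       SYN_RECV    -
tcp        0      0 10.100.0.200:23         198.51.100.9:1026       SYN_RECV    -
"""


def half_open_by_port(netstat_text):
    """Return {local_port: (half_open_count, distinct_remote_hosts)}.
    Header lines and connections in any state other than SYN_RECV are skipped."""
    counts = defaultdict(int)
    remotes = defaultdict(set)
    for line in netstat_text.splitlines():
        f = line.split()
        # netstat -n layout: proto recv-q send-q local foreign state [pid/program]
        if len(f) < 6 or f[0] != "tcp" or f[5] != "SYN_RECV":
            continue
        port = int(f[3].rsplit(":", 1)[1])
        counts[port] += 1
        remotes[port].add(f[4].rsplit(":", 1)[0])
    return {p: (counts[p], len(remotes[p])) for p in counts}


def syn_flood_suspects(netstat_text, threshold):
    """Ports whose half-open count reaches the threshold. A threshold near the listen
    backlog (the slides quote 256 for RedHat 7.3 and 100 for Windows 2000) means the
    queue is about to start refusing legitimate clients."""
    stats = half_open_by_port(netstat_text)
    return sorted(p for p, (n, _) in stats.items() if n >= threshold)
```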
PING FLOODING (ICMP flooding)
Ping of death is a denial of service (DoS) attack caused by an attacker purposely sending an IP packet larger than the 65,536 bytes allowed by the IP protocol. One of the features of TCP/IP is fragmentation. It allows a single IP packet to be broken down into smaller segments. In 1996, attackers took advantage of that feature when they found that a packet broken down into fragments could add up to more than the allowed 65,536 bytes.
Hacking Tool: SSPing
• The SSPing program sends the victim's computer a series of highly fragmented, oversized ICMP data packets.
• The computer receiving the data packets locks up when it tries to put the fragments together.
• The result is a memory overflow which in turn causes the machine to stop responding.
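As an added example (not from the presentation), a defender-side check over the fragments of one datagram that flags the three malformed shapes described in the overlapping-fragment, teardrop and unnamed-attack slides and in the ping-of-death slide above: an overlap whose realigned offset ends up past the fragment's own end (the `offset > end` condition), gaps between nonadjacent fragments, and a reassembled size beyond the 16-bit Total Length limit. The Fragment type and the sample fragment sets are constructed for the example.

```python
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535  # largest value the 16-bit Total Length field can express


@dataclass
class Fragment:
    offset: int       # Fragment Offset field, in units of 8 bytes
    payload_len: int  # bytes of payload carried in this fragment (Len minus IP header)
    more: bool        # MF flag: True = more fragments follow, False = last fragment

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + self.payload_len


def check_fragments(frags):
    """Inspect one datagram's fragments and return a list of problems (empty = clean).
    Mirrors the reassembly walk described above: fragments are taken in offset order
    and each is compared with the end of the data already covered."""
    problems = []
    frags = sorted(frags, key=lambda f: f.start)
    if not frags or frags[0].start != 0:
        problems.append("no fragment at offset 0")
    covered_end = 0
    for f in frags:
        if f.start < covered_end:
            # Overlap: reassembly would realign this fragment's offset to covered_end.
            # If the fragment does not even reach that far, realigned offset > end,
            # the teardrop / overlapping-fragment condition.
            if covered_end > f.end:
                problems.append(f"teardrop: realigned offset {covered_end} > fragment end {f.end}")
            else:
                problems.append(f"overlap of {covered_end - f.start} bytes at offset {f.start}")
        elif f.start > covered_end:
            # Gap: the 'unnamed' variant with nonadjacent fragments
            problems.append(f"gap of {f.start - covered_end} bytes before offset {f.start}")
        covered_end = max(covered_end, f.end)
        if f.end > IP_MAX_DATAGRAM:
            # Fragments that add up past the 16-bit limit: ping of death
            problems.append(f"reassembled size {f.end} exceeds {IP_MAX_DATAGRAM} (ping of death)")
    if frags and frags[-1].more:
        problems.append("highest fragment still has MF set: datagram incomplete")
    return problems


# Constructed fragment sets (not captured traffic):
CLEAN = [Fragment(0, 1480, True), Fragment(185, 842, False)]      # two adjacent fragments
TEARDROP = [Fragment(0, 36, True), Fragment(3, 4, False)]         # second starts and ends inside the first
GAPPED = [Fragment(0, 1480, True), Fragment(190, 800, False)]     # 40-byte hole between fragments
OVERSIZED = [Fragment(0, 1480, True), Fragment(8189, 1480, False)]  # total past 65535
```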
Tool: PING FLOODING (Denial of Service Attack)
IP Spoofing
Due to the bad design of the TCP/IP suite, it is almost trivial to spoof a packet apparently originating from a host that is NOT you. The term 'IP spoofing' can be used to describe any process in which a person fakes, or "forges", a packet to look like it came from elsewhere, often a "trusted" host. The ability to spoof IP packets, and the fact that IPv4 does NOT check the validity of the source address and source port in a packet's headers, is one of the MAIN vulnerabilities in the TCP/IP protocol suite.
It can be of two types, i.e. blind and non-blind.
IP spoofing can be used in two main ways: to cause a DoS, or to gain access to a system as a "trusted" host.
Blind spoofing challenge: source address, source port, destination address and destination port, along with the ISN, must all be guessed.
Smurf Attack Uses IP Spoofing Vulnerability
The perpetrator generates a large amount of ICMP echo (ping) traffic to a network broadcast address with a spoofed source IP set to a victim host.
The result will be a large number of ping replies (ICMP Echo Reply) flooding back to the innocent, spoofed host.
An amplified ping reply stream can overwhelm the victim’s network connection.
The "smurf" attack's cousin is called "fraggle", which uses a UDP echo.
Figure: Smurf attack. ICMP Echo Request with source C and destination subnet B, but originating from A. The attacker sends ICMP_ECHO_REQ (Source: Target, Destination: Receiving Network) across the Internet; every host on the receiving network answers with ICMP_ECHO_REPLY (Source: Receiving Network, Destination: Target).
Sequence Guessing
Attempt to hijack an existing TCP session by injecting packets which pretend to come from one computer involved in the TCP session.
When new connections are created, an initial sequence number (ISN) generator is employed which selects a new 32-bit ISN. The generator is bound to a (possibly fictitious) 32-bit clock whose low-order bit is incremented roughly every 4 microseconds. Thus, the ISN cycles approximately every 4.55 hours. Since we assume that segments will stay in the network no more than the Maximum Segment Lifetime (MSL) and that the MSL is less than 4.55 hours, we can reasonably assume that ISNs will be unique.
For each connection there is a send sequence number and a receive sequence number. The initial send sequence number (ISS) is chosen by the data sending TCP, and the initial receive sequence number (IRS) is learned during the connection establishing procedure.
ISNs used must be hard to guess for those not involved in the connection
TCP/IP SEQUENCE NUMBER ANALYSIS
Challenge: generating unpredictable ISNs.
Predictable TCP/IP ISN generators are used by a variety of operating systems. One example of abuse is inserting malicious content or malicious RCPT TO fields into an SMTP transaction in order to modify or intercept e-mails.
Guessing the right ISN from the entire 32-bit space (4,294,967,296 possibilities) is not feasible due to the excessive amount of bandwidth and time required. But increasing bandwidth and processor speed will eventually make brute-force guessing of 32-bit ISNs feasible for the average attacker.
Phase Space Analysis
Sr. No | Operating System | Attack feasibility
1 | Linux | below 0.05%
2 | Windows 2000 | 12.08%
3 | Windows NT4 SP6a + hotfixes | 15%
4 | Windows 95 | 100%
5 | FreeBSD 4.2 | 1.00%
6 | OpenBSD-current | 0.00%
7 | HPUX11 | 100.00%
8 | AIX 4.3 | 100.00%
Phase-space coordinates used in the analysis:
x[t] = seq[t] - seq[t-1]
y[t] = seq[t-1] - seq[t-2]
z[t] = seq[t-2] - seq[t-3]
References:
http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm
Reset Attack
• The packets required for a successful Reset are based on the equation (2^32 / Initial Window Size).
• Factors responsible for the Reset attack: ISN prediction, as well as much larger TCP window selection.
• A larger window will provide greater transmission efficiency but also expand the opportunity for spoofed TCP Reset attacks.
• The 4-tuple consists of source IP address, TCP source port, destination IP address and destination TCP port.
Case Study on Reset Attack: table of Operating System, Initial Window Size and Packets Required for Windows 2000 5.00.2195 SP1, SP3 and SP4; Windows XP Home Edition SP1; HP-UX 11; Nokia IPSO 3.6-FCS6; Cisco 12.2(8), 12.1(5), 12.0(7) and 12.0(8); and Linux 2.4.18.
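As an added example (not from the presentation), the phase-space coordinates x[t], y[t], z[t] from the Sequence Guessing slides, turned into a feasibility measurement in the spirit of the cited analysis, plus the 2^32 / window estimate from the Reset Attack slide. Two ISN sequences are constructed here: a weak generator that follows the RFC 793 4-microsecond clock sampled once per connection, and a uniformly random one; the radius and training size are assumptions of this example.

```python
import secrets

M32 = 1 << 32


def signed_delta(a: int, b: int) -> int:
    """(a - b) modulo 2^32, mapped into the signed range so that wraparound
    does not turn a small step into a huge one."""
    d = (a - b) % M32
    return d - M32 if d >= M32 // 2 else d


def phase_space(seq):
    """Points (x, y, z) per the slide's formulas, one per t >= 3:
    x[t] = seq[t]-seq[t-1], y[t] = seq[t-1]-seq[t-2], z[t] = seq[t-2]-seq[t-3]."""
    return [(signed_delta(seq[t], seq[t - 1]),
             signed_delta(seq[t - 1], seq[t - 2]),
             signed_delta(seq[t - 2], seq[t - 3])) for t in range(3, len(seq))]


def attack_feasibility(seq, train=200, radius=2000):
    """Fraction of ISNs after the training window that a phase-space guess set contains.
    For seq[t+1] the point's y (= x[t]) and z (= y[t]) are already known; every training
    point whose (y, z) lies within `radius` contributes its x as a candidate delta."""
    attractor = phase_space(seq[:train])
    hits = trials = 0
    for t in range(train, len(seq) - 1):
        x_now = signed_delta(seq[t], seq[t - 1])
        y_now = signed_delta(seq[t - 1], seq[t - 2])
        guesses = {(seq[t] + x) % M32 for x, y, z in attractor
                   if abs(y - x_now) <= radius and abs(z - y_now) <= radius}
        hits += seq[t + 1] in guesses
        trials += 1
    return hits / trials


def clock_isns(n, interval_s=1.0, seed=0x12345678):
    """Constructed weak generator: the RFC 793 clock (one tick per 4 microseconds,
    250,000 per second) sampled once per connection with a few ticks of jitter."""
    isns, cur = [], seed
    for i in range(n):
        cur = (cur + int(interval_s * 250_000) + (i * 7) % 5 - 2) % M32
        isns.append(cur)
    return isns


def random_isns(n):
    """Constructed strong generator: uniformly random 32-bit ISNs."""
    return [secrets.randbelow(M32) for _ in range(n)]


def reset_packets_required(window_size: int) -> int:
    """Spoofed RSTs needed to sweep the sequence space when any in-window sequence
    number is accepted: the slide's 2^32 / Initial Window Size, rounded up."""
    return -(-M32 // window_size)
```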
Source Routing
Another variant of IP spoofing makes use of a rarely used IP option, "Source Routing" [Bellovin89]. Source routing allows the originating host to specify the path (route) that the receiver should use to reply to it. An attacker may take advantage of this by specifying a route that by-passes the real host, and instead directs replies to a path it can monitor (e.g., to itself or a local subnet). Although simple, this attack may not be as successful now, as routers are commonly configured to drop packets with source routing enabled.
TCP Session Hijacking
Connection hijacking exploits a "desynchronized state" in TCP communication. "TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine." Popular methods use IP spoofing, ARP poisoning, source-routed IP packets and sequence number prediction techniques.
A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack". A common component of such an attack is to execute a denial-of-service (DoS) attack against one end-point to stop it from responding. This attack can be either against the machine to force it to crash, or against the network connection to force heavy packet loss.
Man-in-the-Middle Attack
• In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient. In this way, an attacker can fool a victim into disclosing confidential information by "spoofing" the identity of the original sender, who is presumably trusted by the recipient.
Figure: Man-in-the-Middle attack via ARP Poisoning, with the Attacker between Sender (S) and Target (C).
Man-in-the-Middle Attack
• Attacker has performed an ARP poisoning attack.
• Packets are forwarded to the hacker machine first instead of the Target machine.
• Attacker exploits the IP spoofing vulnerability of the TCP/IP design.
• Another variant of the Man-in-the-middle attack targets two-factor authentication using phishing.
Figure: ARP Poisoning with Hacker (X) between the two parties.
TCP Hijacking Tool: Hunt
1) Connection management
* Setting what connections you are interested in.
* Detecting an ongoing connection (not only SYN started).
* Normal active hijacking with the detection of the ACK storm.
* ARP spoofed/normal hijacking with the detection of successful ARP spoof.
* Synchronization of the true client with the server after hijacking (so that the connection doesn't have to be reset).
* Resetting connection.
* Watching connection.
Countermeasures
Hardening the TCP/IP stack (SYN cookies or SynAttackProtect). Ref: http://www.securityfocus.com/infocus/1729
Applying the latest patches as recommended by your vendor.
Perimeter network devices like the firewall and border Internet router should block IP-spoofed packets and be capable of defending against SYN attacks. With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can reduce the likelihood of your site's networks being used to initiate forged packets by filtering outgoing packets that have a source address different from that of your internal network.
Apply anti-spoofing filtering on network devices (TCP sequence prediction attacks can be effectively stopped by any router or firewall that is configured not to allow packets from an internal IP address to originate from an external interface).
ISPs could prevent the transmission of fraudulently addressed packets.
Servers could be programmed to recognize a SYN source IP address that never completes its connections. The last network defense against SYN floods is to distribute the flood across as many hosts or network devices as possible.
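As an added example (not from the presentation), a simplified SYN cookie of the kind named in the first countermeasure: the server encodes a time slot and a keyed hash of the connection into its SYN-ACK sequence number instead of queueing a half-open entry, and only allocates state when the final ACK carries a cookie it could have issued. The secret, the 4-tuple, the 64-second slot and the 24-bit tag width are constructed for this example; production stacks also encode the MSS and rotate secrets.

```python
import hashlib
import hmac
import struct

M32 = 1 << 32
SLOT_SECONDS = 64                         # the 5-bit time slot advances every 64 s
SECRET = b"constructed-per-boot-secret"  # real stacks draw this at boot
# Constructed client: (src addr, src port, dst addr, dst port) with packed addresses
CLIENT = (bytes([10, 0, 0, 5]), 40000, bytes([10, 100, 0, 200]), 21)


def _hash24(four_tuple, client_isn: int, slot: int) -> int:
    """Keyed 24-bit tag over the 4-tuple, the client's ISN and the time slot."""
    src, sport, dst, dport = four_tuple
    msg = struct.pack("!4sH4sHII", src, sport, dst, dport, client_isn, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(four_tuple, client_isn: int, now: int) -> int:
    """Server ISN for the SYN-ACK: top 5 bits carry the time slot, low 24 bits the tag.
    No half-open state is kept, so a flood of spoofed SYNs fills no backlog."""
    slot = (now // SLOT_SECONDS) % 32
    return (slot << 27) | _hash24(four_tuple, client_isn, slot)


def check_syn_cookie(four_tuple, client_isn: int, ack: int, now: int,
                     max_age_slots: int = 2) -> bool:
    """Validate the handshake's final ACK: ack-1 must be a cookie this server could have
    issued for this 4-tuple and client ISN within the last max_age_slots slots. Only a
    client that really received the SYN-ACK can produce it, so a spoofed source cannot."""
    cookie = (ack - 1) % M32
    slot = cookie >> 27
    age = ((now // SLOT_SECONDS) - slot) % 32
    if age > max_age_slots:
        return False                      # stale cookie, or a replay from a past slot
    return (cookie & 0xFFFFFF) == _hash24(four_tuple, client_isn, slot)
```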