TCP Security Vulnerabilities
Phil Cayton
CSE 581
2002
Papers Reviewed
1. C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D. Zamboni, "Analysis of a Denial of Service Attack on TCP"
2. S. Bellovin, "Security Problems in the TCP/IP Protocol Suite"
3. S. Bellovin, "Defending against sequence number attacks"
4. S. Bellovin, "Packets Found on an Internet"
5. R. Morris, "A Weakness in the 4.2BSD Unix TCP/IP Software"
Topics
• SYN Flooding
• Sequence Number Prediction
• Source Routing Attacks
• Routing Information Protocol Attacks
• Internet Control Message Protocol Attacks
• Comprehensive Defenses
SYN Flooding
– Attacker sends many connection requests w/ spoofed source addresses to victim
– Victim allocates resources for each request
• Finite # half-open connection requests supported
• Connection requests exist for TIMEOUT period
– Once resources exhausted, all other requests rejected
[Figure: Normal connection establishment]
[Figure: SYN Flooding attack]
SYN Flooding Defenses
– System Configuration Improvements
• Reduce timeout period
• Increase length of backlog queue to support more connections
• Disable non-essential services to make a smaller target
– Router Configuration Improvements
• Configure router external interfaces to block packets with source addresses from internal network
• Configure router internal interfaces to block packets to outside that have source addresses from outside the internal network
– Cryptographically sign IP source addresses of all packets
• Does not prevent SYN Floods
• Allows for tracing of flood attack back to source
• Possible deterrent?
SYN Flooding Defenses
• Firewall as a Relay
– Firewall answers on behalf of Destination
– Once connection established, firewall predicts seq # and establishes 2nd connection to Destination
– Disadvantage: Adds delay for every packet
SYN Flooding Defenses
• Firewall as a Semi-transparent Gateway
– Forges the 3rd handshake (ack) from the client to the destination
– This moves connection out of backlog queue, freeing resources
– If this is an attack, no “real” ack will happen
• Destination will send RST packet terminating connection
– If this is an actual connection request, the eventual ack will be ignored as a duplicate
– Disadvantages:
• Large # illegitimate open connections if system under attack
• Must very carefully choose timeout periods
SYN Flooding Defenses
[Figure: Attack w/ semitransparent gateway]
[Figure: Legit connection w/ semitransparent gateway]
SYN Flooding Defenses
• Active Monitor
– Program that promiscuously monitors and injects network traffic to/from machines it is protecting
– Monitors net for SYN packets not acknowledged after a certain period of time
– If it detects problems with a half-open connection it can
• Send RST packets to the sender to release destination resources
• Complete the TCP connections by sending the ACK message
– Similar to Semi-Transparent gateways
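The active monitor's core decision, as an added example not taken from the slides or from the Schuba et al. paper: track each SYN by its 4-tuple, drop it from the pending set when the client's ACK (or a RST) arrives, and report the half-open entries older than a timeout. The capture, the 3-second timeout and the injected-action format are constructed for illustration.

```python
from dataclasses import dataclass

HALF_OPEN_TIMEOUT = 3.0   # seconds a SYN may stay unacknowledged before the monitor acts (assumed)

@dataclass
class Pkt:
    t: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN, "SA" = SYN/ACK, "A" = ACK, "R" = RST

# Constructed sample capture: three SYNs to 10.0.0.5:80, each answered with a
# SYN/ACK, but only the first client ever sends the completing ACK.
CAPTURE = [
    Pkt(0.0, "203.0.113.7",  40001, "10.0.0.5", 80, "S"),
    Pkt(0.0, "10.0.0.5", 80, "203.0.113.7",  40001, "SA"),
    Pkt(0.1, "192.0.2.9",    40002, "10.0.0.5", 80, "S"),
    Pkt(0.1, "10.0.0.5", 80, "192.0.2.9",    40002, "SA"),
    Pkt(0.2, "198.51.100.3", 40003, "10.0.0.5", 80, "S"),
    Pkt(0.2, "10.0.0.5", 80, "198.51.100.3", 40003, "SA"),
    Pkt(0.3, "203.0.113.7",  40001, "10.0.0.5", 80, "A"),   # legitimate completion
]

def find_stale_half_open(capture, now, timeout=HALF_OPEN_TIMEOUT):
    """Return (client, cport, server, sport) tuples whose SYN was neither
    completed by the client's ACK nor torn down by a RST within `timeout`."""
    pending = {}                      # 4-tuple -> time the SYN was seen
    for p in capture:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending.setdefault(key, p.t)
        elif p.flags in ("A", "R"):
            pending.pop(key, None)    # handshake completed or aborted
    return sorted(k for k, t0 in pending.items() if now - t0 >= timeout)

def monitor_actions(stale):
    """For each stale half-open connection the monitor injects a RST toward
    the server on behalf of the (possibly spoofed) client, freeing the
    server's backlog slot; the slide's alternative is to inject the
    completing ACK instead, mirroring the semi-transparent gateway."""
    return [{"inject": "RST", "src": c, "sport": cp, "dst": s, "dport": sp}
            for (c, cp, s, sp) in stale]

if __name__ == "__main__":
    for a in monitor_actions(find_stale_half_open(CAPTURE, now=5.0)):
        print(a)
```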
Sequence Number Prediction
• Normal connection establishment
C→S: SYN(ISN_C)
S→C: SYN(ISN_S), ACK(ISN_C)
C→S: ACK(ISN_S)
C→S: data
and / or
S→C: data
Sequence Number Prediction
• Attack
– Predict the correct sequence number the destination machine will use
• Not impossible – initiate legitimate connection and then extrapolate next sequence from known granularity & rate of change
– Spoof dest. machine
X→S: SYN(ISN_X), SRC = T
S→T: SYN(ISN_S), ACK(ISN_X)
X→S: ACK(ISN_S), SRC = T
X→S: ACK(ISN_S), SRC = T, nasty-data
Sequence Number Prediction
• What about the ACK back to the fake source machine?
– Bring it down
– SYN Flood it until it throws away packets and will ignore the ACK
Sequence Number Prediction
• Defenses
– Randomize the ISN increment
– ISN determined by cryptographic hash function on some secret data
– Only trust hosts on the same physical net
• Train gateways to reject packets that claim to, but do not, come from directly connected networks
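The two ISN schemes side by side, as an added example that is not part of the slides: a 4.2BSD-style global counter (+128 per second, +64 per connection, which is what makes extrapolation from one observed ISN exact) and a keyed-hash scheme in the style of Bellovin's "Defending against sequence number attacks" (RFC 1948), where ISN = M + F(local, remote, secret). HMAC-SHA256 stands in for the RFC's MD5 and the class names are this example's own.

```python
import hmac
import hashlib
import secrets

MASK = 0xFFFFFFFF

class WeakIsnGenerator:
    """4.2BSD-style ISN: one global counter, +128 per second, +64 per new
    connection (the 'known granularity & rate of change' of the slide)."""
    def __init__(self, start=0):
        self.counter = start & MASK
    def tick_second(self):
        self.counter = (self.counter + 128) & MASK
    def next_isn(self, *_ignored_endpoint):
        self.counter = (self.counter + 64) & MASK
        return self.counter

def extrapolate(observed_isn, connections_since=1, seconds_since=0):
    """Predict a later ISN from one legitimately observed ISN using only the
    public increment rule; against the weak generator this is exact, which
    is precisely the weakness Morris described."""
    return (observed_isn + 64 * connections_since + 128 * seconds_since) & MASK

class HashedIsnGenerator:
    """RFC 1948-style ISN = M + F(local, remote, secret). M is a 4 µs clock, so
    a given connection's sequence space still moves forward and old segments
    do not collide; F is a keyed hash (HMAC-SHA256 here, in place of the
    RFC's MD5) that nobody can compute or extrapolate without the secret."""
    def __init__(self, secret=None, start=0):
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.m = start & MASK
    def tick_second(self):
        self.m = (self.m + 250_000) & MASK       # 1 s / 4 µs = 250 000 ticks
    def next_isn(self, laddr, lport, raddr, rport):
        msg = f"{laddr}:{lport}->{raddr}:{rport}".encode()
        f = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (self.m + int.from_bytes(f[:4], "big")) & MASK
```

Note that the hashed scheme is still deterministic for a fixed 4-tuple and clock value, as RFC 1948 intends; the unpredictability comes from the per-host secret, not from randomness per connection.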
Source Routing Attacks
• Attack
– If destination hosts use reverse of source route provided in TCP open request to return traffic
• Fake the source address of a packet
• Pretend to be a trusted machine on the net
• Defenses
– Train gateways to reject external packets that claim to be from the local net
• Can backfire if Trusted net → backbone → trusted net
– Reject pre-authorized connections if source routing info present
– Only accept if only trusted gateways listed in source routing info
Routing Information Protocol (RIP) Attacks
• Attack
– Intruder sends bogus routing information to a target and each of the gateways along the route
• Impersonates an unused host
– Diverts traffic for that host to the intruder’s machine
• Impersonates a used host
– All traffic to that host routed to the intruder’s machine
– Intruder inspects packets & resends to host w/ source routing
– Allows capturing of unencrypted passwords, data, etc.
Routing Information Protocol (RIP) Attacks
• Defenses
– Paranoid gateway
• Filters packets based on source and/or destination addresses
– Don’t accept new routes to local networks
• Messes with fault-tolerance but detects intrusion attempts
– Authenticate RIP packets
• Difficult in a broadcast protocol
• Only allows for authentication of prior sender and doesn’t address information from a deceived gateway upstream
Internet Control Message Protocol (ICMP) Attacks
• Attack
– Targeted Denial of Service (DoS)
• Attacker sends ICMP Redirect message to give a bogus route
• Attacker sends Destination Unreachable or TTL exceeded messages to reset existing connections
• Attacker sends fraudulent Subnet Mask Reply messages
– Blocks communication with target
• Defenses
– Verify ICMP packet contains a plausible sequence #
– Don’t modify Global Route Table due to ICMP Redirect messages
– Disallow ICMP Redirects?
– Check to see if multiple ICMPs from a host agree
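The "plausible sequence #" check, as an added example not taken from the slides or from Bellovin's paper: an ICMP Destination Unreachable or Time Exceeded message quotes the IP header and first 8 transport bytes of the datagram that triggered it, which for TCP are the source port, destination port and sequence number. A host should let the error reset a connection only if those fields name a connection it really has and the quoted sequence number lies in its unacknowledged send window, so a forger who cannot see the traffic would have to guess a 32-bit value. The connection state, addresses and helper names are constructed for this example.

```python
import struct
from dataclasses import dataclass

MASK = 0xFFFFFFFF

@dataclass
class Conn:
    laddr: str
    lport: int
    raddr: str
    rport: int
    snd_una: int   # oldest sequence number we sent that is not yet acknowledged
    snd_nxt: int   # next sequence number we will send

def seq_in_window(seq, lo, hi):
    """True iff lo <= seq < hi in 32-bit modular (wrap-around) arithmetic."""
    return ((seq - lo) & MASK) < ((hi - lo) & MASK)

def icmp_error_is_plausible(conns, quoted_src, quoted_dst, quoted_l4):
    """Decide whether a hard ICMP error (Destination Unreachable, Time
    Exceeded) should be allowed to reset a connection. `quoted_src` and
    `quoted_dst` come from the quoted IP header, `quoted_l4` is the quoted
    transport header (>= 8 bytes). Accept only if the 4-tuple matches a
    connection we have and the quoted sequence number is one we have sent
    but not yet had acknowledged."""
    if len(quoted_l4) < 8:
        return False
    sport, dport, seq = struct.unpack("!HHI", quoted_l4[:8])
    for c in conns:
        if (c.laddr, c.lport, c.raddr, c.rport) == (quoted_src, sport, quoted_dst, dport):
            return seq_in_window(seq, c.snd_una, c.snd_nxt)
    return False

# Constructed state: one outbound connection with 500 bytes in flight.
CONNS = [Conn("10.0.0.5", 40000, "192.0.2.10", 80, snd_una=1000, snd_nxt=1500)]

def quoted_tcp(sport, dport, seq):
    """Build the 8 quoted transport bytes an ICMP error would carry."""
    return struct.pack("!HHI", sport, dport, seq & MASK)
```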
Comprehensive Defenses
• Authentication
– Preauthorize connections using session keys
• DNS provides structure/redundancy to support this
• Must use encrypted key distribution request/response
• Encryption
– Link-level Encryption
• Encrypt each packet as it leaves the host
• Doesn’t work well for broadcast packets
• Not end-to-end, so must have trusted gateways
– Multi-point Link Encryption
• Physical device. Interfaces w/ Key Distribution Center for keys
– Application Level End-to-End Encryption
• Lots of overhead, many more correspondent pairs at this level
Comprehensive Defenses
• Trusted Systems
– Reject all source-address authenticated packets
– Turn off netstat/finger services
– Encode TCP/IP Security headers with the process’s security level
– Only allow connection requests to succeed if at appropriate security level
– Only allow packet transfers over links at or above security level
– Does not prevent captured traces used against targets
– Does not protect against RIP spoofing
Summary
• Turn off non-essential services that give away information
– Finger, Netstat, etc.
• Increase memory of machines & length of backlog queue
• Use an Active Monitor to try and minimize damage
• Randomize sequence # increment and/or cryptographically
determine ISN
Discussion