Lecture 5 in Powerpoint

General Classes of TCP/IP Problems

TCP timers exist as part of connection-oriented delivery
TCP sequence numbers exist as part of reliable delivery
The two main groups from which TCP/IP security and/or Denial of Service problems arise are:
– IP Spoofing
– TCP Sequence Prediction
1
Guarding against TCP/IP Problems

Unfortunately, the problems are inherent in the protocol, since the designers created it for trust and delivery
Cryptography in the form of encryption and authentication would cut down on spoofing problems
Software fixes such as TCP wrappers and disabling the BSD r-protocols and .rhosts files
Designing networks with good network topologies and no inherent trust relationships
2
TCP Timers

Retransmission Timer
– Used when a host expects an ACK from the other side

Connection Timer
– The initial timer, set when a connection is being established, i.e. when a SYN is sent

2MSL
– The timer used to measure the TIME_WAIT state

Persist Timer
– Timer used to keep window size information being exchanged

Keepalive Timer (Polling)
– Keeps an idle connection alive
3
General Class of Routing Problems

Primarily dealing with problems at the network level
IP Source Routing
– An attacker can choose a desired IP route

RIP
– Bogus routing information can be propagated to networks

EGP
– Core gateways occasionally poll each other and use sequence numbers that must be echoed by the other end

ICMP
– ICMP redirects can be used to advertise bogus routes
4
General Class of TCP Problems

IP Spoofing
TCP Sequence Guessing
Connection Hijacking
Simultaneous Open
SYN, SYN-FIN, SYN-ACK
Timing Problems - Desynchronized States
5
IP Spoofing

A remote host can trivially send packets with spoofed IP source addresses to a victim host
This attack must be used in conjunction with sequence prediction, since incorrect sequence numbers cause the target host to send RST segments
Difficult to defend against
6
TCP Sequence Prediction Problem

The ISN uses a global counter for the initial number
The increment is usually 64
SYN = ISN + Increment
4.2 BSD implementations violate the RFC protocol by setting ISN = 1
7
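The following is an added example, not part of the lecture slides: a small assessment a defender can run over ISNs sampled from successive connections to their own host to tell a counter-based generator (the slide's global counter stepping by 64, started at 1 as 4.2 BSD did) from a randomised one. The generator names and the sampled values are constructed for the example.

```python
"""Assess whether a TCP stack's ISN generator is predictable from a sample of
ISNs observed on successive connections. Two constructed generators stand in
for real stacks: a global counter stepping by a fixed increment per connection
(the lecture's 'increment is usually 64', starting at ISN = 1 as the lecture
says 4.2 BSD did) and a randomised generator."""
import random
from typing import Dict, Iterator, List

SEQ_MASK = 0xFFFFFFFF  # TCP sequence space is 32 bits and wraps


def counter_isn(start: int = 1, increment: int = 64) -> Iterator[int]:
    """Constructed 4.2BSD-style generator: ISN = start, then +increment per connection."""
    isn = start
    while True:
        yield isn & SEQ_MASK
        isn += increment


def random_isn(seed: int) -> Iterator[int]:
    """Constructed randomised generator: each ISN drawn from the full 32-bit space.
    The fixed seed only keeps the example reproducible; it is not a secure RNG."""
    rng = random.Random(seed)
    while True:
        yield rng.getrandbits(32)


def sample_isns(gen: Iterator[int], n: int) -> List[int]:
    """Collect the ISNs handed out on n successive connections."""
    return [next(gen) for _ in range(n)]


def isn_deltas(isns: List[int]) -> List[int]:
    """Differences between consecutive ISNs, modulo 2^32 so wrap-around is handled."""
    return [(b - a) & SEQ_MASK for a, b in zip(isns, isns[1:])]


def assess_predictability(isns: List[int]) -> Dict[str, object]:
    """A single distinct delta means every ISN follows the previous one by a
    fixed increment (the slide's SYN = ISN + Increment); many distinct deltas
    spread over the sequence space indicate a randomised generator."""
    if len(isns) < 2:
        raise ValueError("need at least two ISNs to compute a delta")
    distinct = sorted(set(isn_deltas(isns)))
    if len(distinct) == 1:
        return {"predictable": True, "increment": distinct[0]}
    return {"predictable": False, "distinct_deltas": len(distinct)}


if __name__ == "__main__":
    for name, gen in (("counter", counter_isn()), ("random", random_isn(7))):
        print(name, assess_predictability(sample_isns(gen, 16)))
```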