Lecture 11:TCP/IP Security Problems

Why rlogin is evil

Why source-routing is evil
ARP attacks
Blind spoofing
IPSec
TCP session stealing/hijacking

Morale of todays story: use ssh

or IPSec to protect yourself
against most of these attack!

Related reading:

Security Problems in the

TCP/IP Protocol Suite
by Steve Bellovin
A Simple Active Attack
Against TCP by Laurent
Joncheray. In Proceedings
of 5th USENIX Unix
Security Symposium. June
1995

rsh: remote login without a password

rsh and rcp are programs that allow you to login from
a remote site without a password

The .rhosts file in your home directory is an access control

list (ACL)
red.cs.umass.edu brian
Example .rhosts file:
blue.cs.umass.edu brian
*.cs.umass.edu brian
* *

The authentication check in rsh (and the other r-tools)

is simply the IP address.

Is it hard to spoof a particular IP address?

Exploiting rsh
The best way to defend against rsh attacks is to not use it:
This unix features is allowed/disallowed in linux by /etc/inet.d scripts (see
unix hardening lecture)
Use ssh instead (but note that ssh has key distribution problems)

If we know a machine is running rsh, how can we pretend to be another

machine to gain access?

Attack
Source routing
Falsified routing updates
Blind spoofing
ICMP redirects
False ARP packets
TCP session stealing
Lets go over each attack

Defense
Ignore source routes
Secure routing protocols
SSH/secure connection
IPsec
Publish ARP tables
SSH/secure connection
3

Source routing attacks

Source routing is an IP option that lets the source list specific

routers on the path to the destination.

The attack: open a TCP connection to the remote rshd spoofing

the address of a trusted host; the attacker includes itself in the
source route list.

Loose source routing: other routers ok as long as the list is visited

in order
Strict source routing: no other routers may be visited on the path to
the destination
The responder includes the source route on the reply packets.

The attacker will see the reply packets before the machine that is
being spoofed. (two way traffic)

Defense: Some/most OSes ignore source routes these days.

This routing ability replaced by peer-to-peer overlay applications

but thats a topic for a networking class
4

Normal TCP Three-way Handshake

SYN_flag, ISN=452

Client

SYN_flag, ACK=453,ISN=34

Server

ACK=35, data

Attacker

Reset!

ec A
ho CK
* =1
(sr * > 38,
>.
c=
c li
r
en hos
t)
ts

Client
SY
N
(s _fla
rc
=c g, I
lie SN
nt
) =90
1

Blind Spoofing

SYN_flag, ACK=902,ISN=137

Server

Blind Spoofing

Normal TCP operation from client, C, to server, S.

CS: SYN_flag, ISN=x

SC: SYN_flag, ISN=y, ACK=x+1
CS: ACK=y+1
Client and Server exchange data

Blind spoofing. Find a client machine thats off. Guess the ISN of
the server. Usually in regular increments. Use rsh to log in:

X(as C)S: SYN_flag, ISN=a [spoofs C]

SC: SYN_flag, ISN=b, ACK=a+1
X(as C)S: ACK=b+1 [spoofs C]
X(as C)S: [ echo * * >> ~/.rhosts] [spoofs C]
X(as C)S: RESET [spoofs C]
X now rlogins from anywhere in the world.

Blind Spoofing

If C is still up, then C will send a reset message to the server

thinking its an error.
So, either L

use a network address that is not in use.

Do a denial of service (DoS) attack on a machine so it cant
answer.

Morris found that by impersonating a server port on C, and by

flooding that port with apparent connection requests, he could
generate queue overflows that would make it likely that the S
C message would be lost.

This is SYN flooding...

An aside: SYN Flooding DoS

Pick a machine, any machine.

Spoof packets to it (so you dont get caught)
Each packet is a the first hand of the 3-way handshake of TCP:
send a SYN packet.
Send lots of SYN packets.

Each SYN packet received causes a buffer to be allocated, and

the limits of the listen()call to be reached.

Morris invented SYN flooding just to launch a blind spoofing

attack; later used by others against Yahoo!

Attacking IP Routing to exploit rsh

Attacking the routing can

cause
attacker-in-the middle
eavesdropping (passive)
attacker-in-the-middle
modifications (active)
Black holes in routing
(DoS)
Redirected flooding
attacks (DoS)

Types of routing:
1.
2.
3.
4.

dynamic intranet routing

static intranet routing
BGP routing
Ad hoc wireless network
routing

Attacker
Server

Client
10

Type 1: Dynamic Routing

An attacker can falsify routing updates send between routers.

Attacker injects a RIP update stating she has a path to a particular

(unused) host. (RIP is an example; any unicast protocol will do.)
All subsequent packets will be routed to her.
She uses rsh to log into the machine.

This is also a DOS attack and a traffic redirection attack (for sniffing or
modification)

Similar attacks exist for interdomain routing protocols, like BGP.

Defense: Requires secure routing protocols to defend against

this attack.

Routers should accept only authenticated updates.

Requires key management and pre-configuration among routers.

11

Type 2: Static routes (next few slides)

Review: When they receive a packet, how do hosts using IP

route data?

Static routing is largely based on subneting, ARP, and ICMP.

IP hosts are always on some specific subnet. They search

routing tables looking for longest matching prefix.
This means, you find routes in this order:
1.
2.
3.
4.

Matching host address (128.119.48.55)

Matching subnet address (128.119.48.*)
Matching network address (128.119.*)
Default route (gateway router)

This process tells the host what IP address is the next hop.
Now the host must determine the link layer address of the next
hop. How is that done in IP?

12

Address Resolution Protocol (ARP) and ICMP

ARP is the interface between the Link layer and Network layer.

ICMP is used for routing error messages

Allows hosts to query who owns an IP address on the same LAN.

Owner responds with hardware address.
Allows changes to link layer to be independent of IP addressing.
Thats why we can have IP on everything (wireless, radio waves, buses,
etc.)

TTL expired (thats how traceroute works)

Host unreachable
Echo request (thats how the ping program works)

Also used by default routers to redirect along quicker path.

13

On-the-same-LAN routing
1. Route lookup determines it is
on the same subnet.
2. Use ARP to determine what
link layer address to send it to.

223.1.2.1
223.1.2.9

3. Give it to Link layer.

223.1.3.27
Who has
223.1.3.2?

223.1.3.3

223.1.3.1

223.1.2.2

LAN

I have it. My
eth addr is

223.1.3.2

14

Through-the-gateway Routing
1. Route lookup determines its on a
different subnet.
Result: Go through default route.
I have it. My
eth addr is

2. Use ARP to determine link layer

address of gateway.

223.1.2.1
223.1.2.9

3. Give it to Link layer.

223.1.3.27
Who has
223.1.3.27?

223.1.3.3

223.1.3.1

223.1.2.2

LAN

223.1.3.2

15

ICMP Redirect Routing

1. Route lookup determines destination is
on different subnet.
2. Use ARP to determine link layer
address of gateway.
3. Gateway uses routing tables to
determine next hop of 223.1.3.3
INext
havetime
it. My
use
eth223.1.3.3!
addr is

4. Gateway sends ICMP redirect to

source.
5. Future packets from source routed
directly to 224.1.3.3 (with ARP lookup)

223.1.2.9
223.1.3.27
Who has
223.1.3.27?

223.1.3.3

223.1.2.1

223.1.3.1

223.1.2.2

LAN

223.1.3.2
16

ICMP Attack

The attack: send an ICMP redirect

Forces a machine to route through the attacker.

Requires an existing connection

Open a spoofed connection to the host you want to attack.
Then send a spoofed ICNP redirect to the victim redirecting it to the
gateway machine youve compromised.

(Or send destination unreachable spoofed from the gateway.)

(Or, constantly send ICMP source squelches.)
Defense:

Ignore ICMP redirects (poor effiency)

Authenticate end-points and encrypt traffic. One solution is a
VPN/IPsec between hosts and routers.

17

ARP Attacks

When a machines sends an ARP request out, attackers can

reply, falsely stating they own the address.

Unfortunately, ARP will just accept replies without requests!

Just send a spoofed reply message saying your MAC address
owns a certain IP address.

But this starts a race condition with the real machine.

Repeat frequently so that cache doesnt timeout

Messages are routed through you to sniff or modify.

some details: http://www.hut.fi/~slevijok/lahde.html

18

ARP Spoofing - Countermeasures

Publish MAC address of router/default gateway and

trusted hosts to prevent ARP spoof.

Statically define the IP to Ethernet address mapping.

(Publish is a poor term: its not sent on the network)
This prevents someone from fooling the host into sending
network traffic to a host masquerading as the router or
another host via an ARP spoof.
Heres how you do it in linux:
arp -s hostname 00:01:02:03:04:ab pub

19

TCP Session Stealing

A.k.a. IP splicing, TCP Hijacking

Read a detailed account

A Simple Active Attack Against TCP by Laurent Joncheray.
In Proceedings of 5th USENIX Unix Security Symposium.
June 1995

Running code available as a plug-in to sniffit.

Defense: use ssh

20

Desynchronizing the client and server

Often during normal TCP operation, the client and server

become desynchronized.

E.g., sometimes the client will send a retransmission that

actually isnt needed by the server.
The server will drop the incoming packets.

The attack: during a quiet period, the attacker sends a large

amount of null data.

Specifically, the attacker sends as many bytes as there are in the

senders receive buffer.

21

The Attack

If the client receives packets that are a window-of-packets

ahead of what it is expecting, the client will drop the unlooked
for data. (this is partly due to flow control)
Null data desynchronization

First, the attacker watches the session without interfering.

During a quiet period, the attacker sends a large amount of null
data.
Specifically, the attacker sends as many bytes as there are in the
senders receive buffer.
Each packet contains NOP bytes, normally used to pad the packets
for the purposes of checksums.
Now, when the client sends data, it is dropped by the server
because its lower than the servers window.
The attacker does the same with the client.

Attacker is now a woman/man/bot in the middle!

22

Attacker-in-the-Middle

Data from the client can be re-packaged into a TCP

packet and sent to the server, so there is no
noticeable changes.

Attacker can insert commands into the remote

account. E.g.

echo mymachine.umass.edu mitnick > .rhosts

However, commands entered by the attacker might

appear on a command line history.
Defense: ssh connection, or IPsec

23