Date post: | 03-Jan-2016 |
Category: |
Documents |
Upload: | gervase-richard |
View: | 237 times |
Download: | 4 times |
Contents
Vulnerabilities in IP protocol ICMP attacks Routing attacks TCP attacks
Sequence number prediction TCP SYN flooding Congestion control with a misbehaving
receiver
Historical perspectives
TCP/IP and their associated protocols were designed without any security consideration in mind.
“Security problems in the TCP/IP Protocol Suite” by S. M. Bellovin
This paper was written in 1989. It gave the security perspective on TCP/IP protocols in the early days.
It acted as a wakeup call for network researchers, listing many security vulnerabilities.
Vulnerabilities in IP protocol
Fundamental flaw in IP protocol is to use IP address as authentication.
IP source address can be easily spoofed.
It is easy for attackers to impersonate another host in the same network.
Basic attacks
How can the server know that the packet is originated from A?
Can B overhear? Can B impersonate A to the server? Can C impersonate A to the server?
2.0.0.0
1.0.0.01.1.1.1 1.1.1.2
2.1.1.1
1.1.1.3
A BC
Server
Internet
IP fragmentation attack
In the regular IP layer operations, a host stores fragmented packets until entire packets arrive.
Attack: send only one fragmented packet. Then the host will wait indefinitely, wasting memory to store them.
Countermeasure?
Smurf attack
Send a packet with a broadcast address to a network with source address as a victim’s address.
All hosts on the network will send reply packets to the victim.
This is called a reflector attack. In this case the reflector also performs traffic amplification.
ICMP attacks
ICMP is the basic network management tool of the TCP/IP protocol suite.
It poses potential threats for abuse. ICMP redirect message
Attacker sends false ICMP redirect message to a host to redirect traffic for a destination through another gateway.
ICMP destination unreachable DoS attack
ICMP TTL exceed DoS attack
Routing Attacks
Source routing attack Not possible today’s networks
Routing information protocol attack An attacker sends bogus routing
information to a target router to impersonate a particular router.
It is necessary to authenticate every routing information packets.
BGP routing attacks
TCP attacks: Sequence number prediction Normal TCP precedure
C → S: SYN(ISNc) S → C: SYN(ISNs). ACK(ISNc) C → S: ACK(ISNs) C → S: data and/or S → C: data
If an intruder X can predict ISNs, X can impersonate T: X → S: SYN(ISNx). SRC=T S → T: SYN(ISNs). ACK(ISNx) X → S: ACK(ISNs), SRC=T X → S: ACK(ISNs), SRC=T, nasty-data
How to decide ISN?
Are these good choices for next TCP ISN? Always start at the same ISN After each connection, increment ISN ISN = (c1+c2*(current time)) mod 232
Better choice for ISN? ISN = rand() function of C library? Current ISN = H(prev ISN)? ISN = DESK(counter++)?
TCP hijacking and poisoning
TCP hijacking If TCP sequence number is known,
attacker can inject malicious message into TCP stream.
TCP poisoning Inject random data into TCP stream to
shut down TCP connection Does sequence number need to be
known?
TCP SYN Flooding
Normal TCP precedure C → S: SYN(ISNc) S → C: SYN(ISNs). ACK(ISNc) C → S: ACK(ISNs) C → S: data and/or S → C: data
SYN flooding The server S needs to keep state after receiving
initial SYN packet. Attacker floods server with SYN packets, but
does not follow up with ACK packets to complete TCP handshake.
The server keeps state waiting for ACK, consequently exhausting resources.
SYN Flooding Dos Attack
It was the first serious DoS attack, single attacker could tie up server resources to prevent other clients from connecting to server.
SYN Flood Details
Why does server exhaust resources? Need to store requests for 511 seconds Server has finite-size queue for incomplete connections, usually
1024 entries Memory is cheap, why not store all requests?
With 160 bytes for syncache data structure, still consumes a lot of memory (736 bytes previously)
Why store any information at all? If SYN ACK dropped by network, server re-sends SYN ACK until
timeout or client sends ACK, otherwise legitimate clients will wait In some cases TCP options (performance enhancements) need to
be stored. Attacker could simply send ACK only if no information stored,
hope server will allocate resources for connection
Solution: TCP SYN Cookie
Server computes ISN based on the client’s addresses, which is called SYN cookie, and avoid to keep the client’s state. Server does not remember the cookie or any
other state info corresponding to the SYN. Client sends ACK. Server verifies ISN. If correct, it allocates
connection state. How to compute SYN cookie?
Cookie=H(SIP, CIP, Sport, Cport, skey), skey is a secrete number only known to the server.
“Defining Strategies to Protect Against TCP SYN Denial of Service Attacks,” http://www.cisco.com/en/US/tech/tk828/technologies_tech_note09186a00800f67d5.shtml
“SYN Cookies,” D. Bernstein, http://cr.yp.to/syncookies.html
Questions:
What if SYN segment has some relevant information to the client state such as TCP option?
What if attackers return valid ACK for each SYN ACK? This will cause the server to establish fully open TCP connections. This “completed handshake attack” can be
more difficult to defend than the classical SYN flooding attack.
Congestion control with a misbehaving receiver “TCP congestion control with a
misbehaving receiver”, Savage, Cardwell, Wetherall, and Anderson
Slow Start
Control parameters Awnd (advertised window by receiver) Cwnd (congestion window)
Determine how many segments can be sent without receiving ACKs..
Slow StartInitialize: cwnd = 1 MSS (max. segment size);Every time each ACK arrives:
cwnd = cwnd + 1 MSS until min(cwnd, awnd)
ACK Division Attack Upon receiving a segment, a receiver
divides an ACK into multiple ACKs. Then the sender increases the congestion window by SMSS (Sender Max Segment Size) for each ACK received
Fast retransmission If 4 consecutive ACKs(3 dupacks) are
received before timeout, then TCP does not wait for timeout and retransmit the segment immediately.
Fast recovery algorithm (avoiding initial slow start phase) 1. When the third duplicate ACK is received, Set ssthresh = cwnd / 2;
Retransmit the missing segment; cwnd = ssthresh + 3 segment size ;
2. Each time another duplicate ACK arrives, Increment cwnd by the segment size;
Transmit a new segment (if allowed by the new cwnd value);
3. When the next ACK arrives that acknowledges the new data,
cwnd = ssthresh ; cwnd = cwnd + 1 every roundtrip time ;
Duplicate ACK Spoofing
Fast retransmit and fast recovery should mitigate the effect of packet loss that is not due to congestion, but an attacker can exploit it to get more data
Send extra duplicate ACKs Sender sends 1 packet for
each duplicate ACK Preserves reliability
Optimistic ACKing Attack Receiver can send ACKs for data not yet
received, or even not yet sent Does not provide reliability