tcp/ip problems


Page 1: tcp/ip problems

Lecture 11: TCP/IP Security Problems

• Why rlogin is evil
• Why source-routing is evil
• ARP attacks
• Blind spoofing
• IPSec
• TCP session stealing/hijacking

Moral of today’s story: use ssh or IPSec to protect yourself against most of these attacks!

Related reading:
• “Security Problems in the TCP/IP Protocol Suite” by Steve Bellovin
• “A Simple Active Attack Against TCP” by Laurent Joncheray. In Proceedings of 5th USENIX Unix Security Symposium. June 1995

Page 2: tcp/ip problems

rsh: remote login without a password

rsh and rcp are programs that allow you to login from a remote site without a password. The .rhosts file in your home directory is an access control list (ACL). Example .rhosts file:

red.cs.umass.edu brian
blue.cs.umass.edu brian
*.cs.umass.edu brian
* *

The authentication check in rsh (and the other r-tools) is simply the IP address. Is it hard to spoof a particular IP address?

Page 3: tcp/ip problems

Exploiting rsh

• The best way to defend against rsh attacks is to not use it:
  • This unix feature is allowed/disallowed in linux by /etc/inet.d scripts (see unix hardening lecture)
  • Use ssh instead (but note that ssh has key distribution problems…)
• If we know a machine is running rsh, how can we pretend to be another machine to gain access?

Attack                      Defense
Source routing              Ignore source routes
Falsified routing updates   Secure routing protocols
Blind spoofing              SSH/secure connection
ICMP redirects              IPsec
False ARP packets           Publish ARP tables
TCP session stealing        SSH/secure connection

Let’s go over each attack…

Page 4: tcp/ip problems

Source routing attacks

Source routing is an IP option that lets the source list specific routers on the path to the destination.
• Loose source routing: other routers ok as long as the list is visited in order
• Strict source routing: no other routers may be visited on the path to the destination
The responder includes the source route on the reply packets.

The attack: open a TCP connection to the remote rshd spoofing the address of a trusted host; the attacker includes itself in the source route list. The attacker will see the reply packets before the machine that is being spoofed. (two-way traffic)

Defense: Some/most OSes ignore source routes these days.

This routing ability has been replaced by “peer-to-peer overlay applications” but that’s a topic for a networking class…

Page 5: tcp/ip problems

Normal TCP Three-way Handshake

Client→Server: SYN_flag, ISN=452
Server→Client: SYN_flag, ACK=453, ISN=34
Client→Server: ACK=35, data

Page 6: tcp/ip problems

Blind Spoofing

Attacker→Server: SYN_flag, ISN=901 (src=client)
Server→Client: SYN_flag, ACK=902, ISN=137 (Client: Reset!)
Attacker→Server: ACK=138, “echo ‘* *’ >> .rhosts” (src=client)

Page 7: tcp/ip problems

Blind Spoofing

Normal TCP operation from client, C, to server, S.
C→S: SYN_flag, ISN=x
S→C: SYN_flag, ISN=y, ACK=x+1
C→S: ACK=y+1
Client and Server exchange data

Blind spoofing. Find a client machine that’s off. Guess the ISN of the server. Usually in regular increments. Use rsh to log in:
X(as C)→S: SYN_flag, ISN=a [spoofs C]
S→C: SYN_flag, ISN=b, ACK=a+1
X(as C)→S: ACK=b+1 [spoofs C]
X(as C)→S: [ echo “* *” >> ~/.rhosts ] [spoofs C]
X(as C)→S: RESET [spoofs C]
X now rlogins from anywhere in the world.
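The slide’s whole attack rests on “guess the ISN of the server, usually in regular increments.” The following model, added here and not part of the lecture, compares a fixed-increment generator with a random one (the RFC 6528 approach) and measures how often an extrapolated guess of an ISN nobody can observe is exactly right; start value and step are constructed, not any real stack’s numbers.

```python
import random

# Constructed model of two ISN generators; the numbers are illustrative, not any
# real stack's values. Old BSD-style stacks used fixed increments; RFC 6528 style
# stacks use an unpredictable per-connection value.
class IncrementingISN:
    """ISN advanced by a fixed step for every new connection."""
    def __init__(self, start: int = 1000, step: int = 128):
        self.isn, self.step = start, step
    def next_isn(self) -> int:
        self.isn = (self.isn + self.step) % 2**32
        return self.isn

class RandomISN:
    """ISN drawn uniformly from the 32-bit sequence space."""
    def __init__(self, rng: random.Random):
        self.rng = rng
    def next_isn(self) -> int:
        return self.rng.getrandbits(32)

def blind_guess_success(gen, trials: int) -> float:
    """Fraction of trials in which an extrapolated guess equals the real ISN.
    Guesser's model (from the slides): obtain two ISNs through ordinary
    connections, assume the same increment, and predict the third, which it
    never gets to see."""
    hits = 0
    for _ in range(trials):
        a, b = gen.next_isn(), gen.next_isn()
        guess = (b + (b - a)) % 2**32
        hits += guess == gen.next_isn()
    return hits / trials

if __name__ == "__main__":
    print("fixed increment:", blind_guess_success(IncrementingISN(), 100))
    print("random ISN:     ", blind_guess_success(RandomISN(random.Random(7)), 1000))
```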

Page 8: tcp/ip problems

Blind Spoofing

If C is still up, then C will send a reset message to the server thinking it’s an error.

So, either
• Use a network address that is not in use.
• Do a denial of service (DoS) attack on a machine so it can’t answer.

“Morris found that by impersonating a server port on C, and by flooding that port with apparent connection requests, he could generate queue overflows that would make it likely that the S→C message would be lost.”

This is SYN flooding...

Page 9: tcp/ip problems

An aside: SYN Flooding DoS

Pick a machine, any machine. Spoof packets to it (so you don’t get caught). Each packet is the first step of the 3-way handshake of TCP: send a SYN packet. Send lots of SYN packets.

Each SYN packet received causes a buffer to be allocated, and the limits of the listen() call to be reached.

Morris invented SYN flooding just to launch a blind spoofing attack; later used by others against Yahoo!

Page 10: tcp/ip problems

Attacking IP Routing to exploit rsh

Types of routing:
1. dynamic intranet routing
2. static intranet routing
3. BGP routing
4. Ad hoc wireless network routing

(Figure: Client, Server, Attacker)

Attacking the routing can cause:
• attacker-in-the-middle eavesdropping (passive)
• attacker-in-the-middle modifications (active)
• Black holes in routing (DoS)
• Redirected flooding attacks (DoS)

Page 11: tcp/ip problems

Type 1: Dynamic Routing

An attacker can falsify routing updates sent between routers.

Attacker injects a RIP update stating she has a path to a particular (unused) host. (RIP is an example; any unicast protocol will do.) All subsequent packets will be routed to her. She uses rsh to log into the machine.

This is also a DoS attack and a traffic redirection attack (for sniffing or modification).

Similar attacks exist for interdomain routing protocols, like BGP.

Defense: Requires secure routing protocols to defend against this attack. Routers should accept only authenticated updates. Requires key management and pre-configuration among routers.

Page 12: tcp/ip problems

Type 2: Static routes (next few slides)

Review: When they receive a packet, how do hosts using IP route data? Static routing is largely based on subnetting, ARP, and ICMP.

IP hosts are always on some specific subnet. They search routing tables looking for the longest matching prefix.

This means you find routes in this order:
1. Matching host address (128.119.48.55)
2. Matching subnet address (128.119.48.*)
3. Matching network address (128.119.*)
4. Default route (gateway router)

• This process tells the host what IP address is the next hop.
• Now the host must determine the link layer address of the next hop. How is that done in IP? …
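The four-step order above is just longest-prefix match. The following example, added here and not from the lecture, implements that lookup over a constructed table in the 128.119.* style the slide uses, and also shows why the later ICMP redirect slides matter: an accepted redirect installs a host route (case 1), which outranks every other entry for that destination. The /24 subnet, gateway addresses and the redirect target are assumptions.

```python
import ipaddress

# Constructed routing table for a host on 128.119.48.0/24 (assumed subnet; the slides
# only show addresses in 128.119.48.* style). Entry = (prefix, gateway); gateway None
# means the destination is on the same LAN and is its own next hop (ARP resolves it).
ROUTES = [
    ("128.119.48.0/24", None),            # 2. matching subnet: deliver on-link
    ("128.119.0.0/16", "128.119.48.1"),   # 3. matching network: via a campus router
    ("0.0.0.0/0", "128.119.48.254"),      # 4. default route (gateway router)
]

def lookup(dst: str, routes) -> tuple[str, int]:
    """Longest-prefix match. Returns (next-hop IP, matched prefix length)."""
    addr = ipaddress.ip_address(dst)
    best_gw, best_len = None, -1
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_gw, best_len = gw, net.prefixlen
    if best_len < 0:
        raise LookupError(f"no route to {dst}")
    return (best_gw or dst), best_len

def add_host_route(routes, host: str, gateway: str):
    """Model of what an accepted ICMP redirect does: it installs a /32 host route
    (case 1 in the slides' order), which then wins every match for that host."""
    return routes + [(f"{host}/32", gateway)]

if __name__ == "__main__":
    for dst in ("128.119.48.55", "128.119.90.7", "192.0.2.10"):
        print(dst, "->", lookup(dst, ROUTES))
    # Hypothetical redirect pointing 128.119.90.7 at 128.119.48.77 (a constructed host)
    redirected = add_host_route(ROUTES, "128.119.90.7", "128.119.48.77")
    print("after redirect:", lookup("128.119.90.7", redirected))
```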

Page 13: tcp/ip problems

Address Resolution Protocol (ARP) and ICMP

ARP is the interface between the Link layer and Network layer.
• Allows hosts to query who owns an IP address on the same LAN. Owner responds with hardware address.
• Allows changes to link layer to be independent of IP addressing. That’s why we can have IP on everything (wireless, radio waves, buses, etc.)

ICMP is used for routing error messages:
• “TTL expired” (that’s how traceroute works)
• “Host unreachable”
• “Echo request” (that’s how the ping program works)
Also used by default routers to redirect along a quicker path.

Page 14: tcp/ip problems

On-the-same-LAN routing

(Figure: LAN diagram with hosts on the 223.1.2.* and 223.1.3.* subnets)

1. Route lookup determines it is on the same subnet.
2. Use ARP to determine what link layer address to send it to.
3. Give it to Link layer.

“Who has 223.1.3.2?” “I have it. My eth addr is…”

Page 15: tcp/ip problems

Through-the-gateway Routing

(Figure: LAN diagram with hosts on the 223.1.2.* and 223.1.3.* subnets)

1. Route lookup determines it’s on a different subnet. Result: Go through default route.
2. Use ARP to determine link layer address of gateway.
3. Give it to Link layer.

“Who has 223.1.3.27?” “I have it. My eth addr is…”

Page 16: tcp/ip problems

ICMP Redirect Routing

(Figure: LAN diagram with hosts on the 223.1.2.* and 223.1.3.* subnets)

1. Route lookup determines destination is on different subnet.
2. Use ARP to determine link layer address of gateway.
3. Gateway uses routing tables to determine next hop of 223.1.3.3
4. Gateway sends ICMP redirect to source.
5. Future packets from source routed directly to 223.1.3.3 (with ARP lookup)

“Who has 223.1.3.27?” “I have it. My eth addr is…” “Next time use 223.1.3.3!”

Page 17: tcp/ip problems

ICMP Attack

The attack: send an ICMP redirect. Forces a machine to route through the attacker.
• Requires an existing connection.
• Open a spoofed connection to the host you want to attack. Then send a spoofed ICMP redirect to the victim redirecting it to the gateway machine you’ve compromised.
• (Or send destination unreachable spoofed from the gateway.)
• (Or, constantly send ICMP source quenches.)

Defense:
• Ignore ICMP redirects (poor efficiency)
• Authenticate end-points and encrypt traffic. One solution is a VPN/IPsec between hosts and routers.

Page 18: tcp/ip problems

ARP Attacks

When a machine sends an ARP request out, attackers can reply, falsely stating they own the address. But this starts a race condition with the real machine.

Unfortunately, ARP will just accept replies without requests! Just send a spoofed reply message saying your MAC address owns a certain IP address. Repeat frequently so that the cache doesn’t time out.

Messages are routed through you to sniff or modify. Some details: http://www.hut.fi/~slevijok/lahde.html

Page 19: tcp/ip problems

ARP Spoofing - Countermeasures

“Publish” MAC address of router/default gateway and trusted hosts to prevent ARP spoofing. Statically define the IP to Ethernet address mapping. (“Publish” is a poor term: it’s not sent on the network.) This prevents someone from fooling the host into sending network traffic to a host masquerading as the router or another host via an ARP spoof.

Here’s how you do it in linux:
arp -s hostname 00:01:02:03:04:ab pub
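The two ARP slides give a host-side detector everything it needs: a reply that answers no outstanding request (the “replies without requests” point), a MAC that changes for an IP, and a claim that contradicts a statically defined mapping. The audit below is added here, not code from the lecture; the ARP log and the static entry are constructed samples in the 223.1.3.* range of the figures.

```python
# Constructed ARP trace (not from the slides): (op, sender_ip, sender_mac, target_ip)
ARP_LOG = [
    ("request", "223.1.3.2",  "aa:aa:aa:aa:aa:02", "223.1.3.1"),
    ("reply",   "223.1.3.1",  "aa:aa:aa:aa:aa:01", "223.1.3.2"),   # answers the request above
    ("reply",   "223.1.3.1",  "bb:bb:bb:bb:bb:bb", "223.1.3.2"),   # unsolicited, new MAC for gateway
    ("reply",   "223.1.3.1",  "bb:bb:bb:bb:bb:bb", "223.1.3.2"),   # repeated so the cache never times out
    ("request", "223.1.3.2",  "aa:aa:aa:aa:aa:02", "223.1.3.27"),
    ("reply",   "223.1.3.27", "aa:aa:aa:aa:aa:27", "223.1.3.2"),
]

# The statically defined ("published") gateway mapping of the countermeasures slide;
# the MAC is an assumed value.
STATIC = {"223.1.3.1": "aa:aa:aa:aa:aa:01"}

def audit_arp(log, static):
    """Return alert strings for replies nobody asked for, for MAC changes on any IP,
    and for replies that contradict a statically pinned entry."""
    pending = set()        # (requester_ip, asked_ip) requests still awaiting an answer
    seen = dict(static)    # ip -> mac currently believed; static entries seed it
    alerts = []
    for op, sip, smac, tip in log:
        if op == "request":
            pending.add((sip, tip))
            continue
        if (tip, sip) in pending:
            pending.discard((tip, sip))
        else:
            alerts.append(f"unsolicited reply: {sip} is-at {smac}")
        if sip in static and smac != static[sip]:
            alerts.append(f"static entry violated: {sip} claimed by {smac}")
        elif sip in seen and seen[sip] != smac:
            alerts.append(f"mapping changed: {sip} {seen[sip]} -> {smac}")
        seen[sip] = smac
    return alerts

if __name__ == "__main__":
    for line in audit_arp(ARP_LOG, STATIC):
        print(line)
```

With the static entry the gateway's every bogus reply is flagged twice; without it only the first change is visible, which is the case for pinning the mapping.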

Page 20: tcp/ip problems

TCP Session Stealing

A.k.a. IP splicing, TCP Hijacking. Read a detailed account: “A Simple Active Attack Against TCP” by Laurent Joncheray. In Proceedings of 5th USENIX Unix Security Symposium. June 1995

Running code available as a plug-in to sniffit.

Defense: use ssh

Page 21: tcp/ip problems

Desynchronizing the client and server

Often during normal TCP operation, the client and server become desynchronized. E.g., sometimes the client will send a retransmission that actually isn’t needed by the server. The server will drop the incoming packets.

The attack: during a quiet period, the attacker sends a large amount of null data. Specifically, the attacker sends as many bytes as there are in the sender’s receive buffer.

Page 22: tcp/ip problems

The Attack

If the client receives packets that are a window-of-packets ahead of what it is expecting, the client will drop the unlooked-for data. (This is partly due to flow control.)

Null data desynchronization
• First, the attacker watches the session without interfering.
• During a quiet period, the attacker sends a large amount of null data. Specifically, the attacker sends as many bytes as there are in the sender’s receive buffer.
• Each packet contains NOP bytes, normally used to pad the packets for the purposes of checksums.
• Now, when the client sends data, it is dropped by the server because it’s lower than the server’s window.

The attacker does the same with the client. Attacker is now a woman/man/bot in the middle!
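The sequence-number arithmetic behind “dropped because it’s lower than the server’s window” is easy to lose in prose. The model below is added here and is not code from the lecture or from Joncheray’s paper: a receiver that accepts only segments starting at its next expected byte, a sender that advances its counter as normal TCP would, and one window’s worth of null bytes delivered in between; buffer sizes and sequence numbers are constructed.

```python
# Constructed model (not code from the slides or from Joncheray's paper) of the
# receiver-side check the slides rely on: a segment is accepted only if it starts
# at the next expected byte (rcv_nxt) and fits the window; older data is dropped.

class Receiver:
    def __init__(self, rcv_nxt: int, window: int):
        self.rcv_nxt = rcv_nxt      # next sequence number we expect
        self.window = window        # receive buffer size in bytes
        self.accepted = b""
    def deliver(self, seq: int, payload: bytes) -> bool:
        """Return True if the segment was accepted, False if it was dropped."""
        if seq != self.rcv_nxt or len(payload) > self.window:
            return False
        self.accepted += payload
        self.rcv_nxt += len(payload)
        return True

class Sender:
    def __init__(self, snd_nxt: int):
        self.snd_nxt = snd_nxt      # sequence number of the next byte to send
    def send(self, rcv: Receiver, payload: bytes) -> bool:
        ok = rcv.deliver(self.snd_nxt, payload)
        self.snd_nxt += len(payload)   # simplified: no retransmission modelled
        return ok

def desync_demo(window: int = 8):
    """Returns (first send accepted?, gap in sequence space, second send accepted?)."""
    server = Receiver(rcv_nxt=1000, window=window)
    client = Sender(snd_nxt=1000)
    first = client.send(server, b"ls\n")            # in sync: accepted
    # Quiet period: a third party delivers `window` null bytes carrying the client's
    # current sequence number, so the server's rcv_nxt advances past the client's.
    server.deliver(client.snd_nxt, b"\x00" * window)
    gap = server.rcv_nxt - client.snd_nxt            # equals the window size
    second = client.send(server, b"id\n")           # below rcv_nxt now: dropped
    return first, gap, second

if __name__ == "__main__":
    print(desync_demo())
```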

Page 23: tcp/ip problems

Attacker-in-the-Middle

Data from the client can be re-packaged into a TCP packet and sent to the server, so there are no noticeable changes.

Attacker can insert commands into the remote account. E.g. echo “mymachine.umass.edu mitnick” > .rhosts

However, commands entered by the attacker might appear on a command line history.

Defense: ssh connection, or IPsec