TCP Vulnerabilities
Dr. Neminath Hubballi, IIT Indore
(c) Neminath Hubballi
Outline
• Transport layer services
• Connection oriented TCP service
• Ack-Storm attack
  • Implications
  • Detection
• Congestion control
• Misbehaving receiver
  • Implications / Attacks
  • Mitigation
The Layers Put Together
• Application: HTTP, SMTP, DNS, RTP
• Transport: TCP, UDP (TCP/UDP provides a network-independent platform)
• Internet: IP (IP provides independence from the underlying networks)
• Network Interface 1, 2, 3 (e.g., Ethernet driver, PPP driver)
Multiplexing and Demultiplexing
• Recall: segment is the unit of data exchanged between transport-layer entities, aka TPDU (transport protocol data unit)
• Demultiplexing: delivering received segments to the correct application-layer processes
• [Figure: sender processes P1, P2 and receiver processes P3, P4 above the application / transport / network layers; a segment is application-layer data M plus the transport header Ht, carried behind the network-layer header Hn]
TCP segment structure (32 bits wide)
• source port #, dest port #
• sequence number (counting by bytes of data, not segments!)
• acknowledgement number
• head len, not used, flags U A P R S F, rcvr window size (# bytes rcvr willing to accept)
• checksum (Internet checksum, as in UDP), ptr urgent data
• Options (variable length)
• application data (variable length)
Flags: URG: urgent data (generally not used); ACK: ACK # valid; PSH: push data now (generally not used); RST, SYN, FIN: connection establishment (setup, teardown commands)
TCP Connection Setup
• Three-step connection establishment
TCP Connection Teardown
• Four-step connection release
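The segment layout and the three-step setup above, as an added example that is not part of the slides: a TCP segment builder and parser with the pseudo-header checksum, used to construct and check the SYN / SYN-ACK / ACK exchange. The IP addresses, ports, MSS option and initial sequence numbers are constructed for the demo.

```python
"""TCP segment builder/parser with pseudo-header checksum and a three-way
handshake built from it. Added example, not from the slides: field layout
follows the segment structure above (RFC 793). Addresses, ports and ISNs
below are constructed for the demo."""
import socket
import struct

TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")   # bit 0 .. bit 5
FIN, SYN, RST, PSH, ACK, URG = (1 << i for i in range(6))


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over an IPv4 pseudo-header (addresses, protocol 6, length) plus
    the whole segment. Over a segment whose checksum field is already filled
    in, the result is 0 exactly when the segment is intact."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return ones_complement_sum(pseudo + segment)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535,
                  payload=b"", options=b""):
    options += b"\x00" * (-len(options) % 4)      # options padded to 32-bit words
    data_offset = 5 + len(options) // 4           # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, window, 0, 0)
    segment = header + options + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]   # bytes 16-17 = checksum


def parse_segment(src_ip, dst_ip, segment):
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    (sport, dport, seq, ack, off_rsvd, flags,
     window, csum, urg_ptr) = struct.unpack("!HHIIBBHHH", segment[:20])
    hdr_len = (off_rsvd >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad data offset %d" % hdr_len)
    return {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
        "flags": [n for i, n in enumerate(TCP_FLAGS) if flags & (1 << i)],
        "window": window, "urg_ptr": urg_ptr,
        "options": segment[20:hdr_len], "payload": segment[hdr_len:],
        "checksum_ok": tcp_checksum(src_ip, dst_ip, segment) == 0,
    }


def three_way_handshake(client_isn=529, server_isn=2449):
    """Build and parse the three segments of connection setup (constructed ISNs)."""
    c, s = "10.0.0.1", "10.0.0.2"
    mss = b"\x02\x04\x05\xb4"                                  # MSS option: 1460 bytes
    syn = build_segment(c, s, 40000, 80, client_isn, 0, SYN, options=mss)
    syn_ack = build_segment(s, c, 80, 40000, server_isn, client_isn + 1,
                            SYN | ACK, options=mss)
    ack = build_segment(c, s, 40000, 80, client_isn + 1, server_isn + 1, ACK)
    return [parse_segment(c, s, syn), parse_segment(s, c, syn_ack), parse_segment(c, s, ack)]


if __name__ == "__main__":
    for step in three_way_handshake():
        print(step["flags"], "seq", step["seq"], "ack", step["ack"],
              "checksum_ok", step["checksum_ok"])
```

The parser rejects a data offset smaller than the fixed header or larger than the segment, which is the check a real stack must make before trusting the options length; the checksum-on-parse shows that the TCP checksum only detects accidental corruption, not forgery, since an attacker who can send a segment can also compute it.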
TCP Acknowledgement Storm Attack
• Source:
  • "TCP Ack Storm DoS Attacks", Raz Abramov and Amir Herzberg, IFIP Security Conference 2011
  • "TCP Ack Storm DoS Attacks", Raz Abramov and Amir Herzberg, Computers & Security, Vol. 33, 2013
• Man-in-the-Middle attack vs. Weakling-in-the-Middle attack
• Amplification attack
[Figure: ACK storm timeline between Client, Server and Attacker]
• Client → Server: SYN, SEQ=529
• Server → Client: SYN, SEQ=2449, ACK=530
• Client → Server: SEQ=530, ACK=2450 (connection established)
• Attacker → Client (spoofed as Server): SEQ=2450, ACK=531, LEN=10
• Attacker → Server (spoofed as Client): SEQ=531, ACK=2450, LEN=10
• Client → Server: SEQ=531, ACK=2461
• Server → Client: SEQ=2450, ACK=541
• Client → Server: SEQ=531, ACK=2461
• Server → Client: SEQ=2450, ACK=541
• (the exchange repeats)
Weakling in the Middle
Courtesy: "TCP Ack Storm DoS Attacks", Raz Abramov and Amir Herzberg, IFIP Security Conference 2011
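The storm in the timeline above, as an added simulation that is not from the slides or the Abramov/Herzberg paper: two endpoints that have completed the handshake, an off-path attacker that spoofs one 10-byte segment towards each side, and the RFC 793 rule for an ACK that acknowledges data never sent, which is what keeps the two sides ACKing each other. It also includes the detection check from the outline, a count of payload-less segments whose sequence and acknowledgement numbers never advance. The sequence numbers are constructed and self-consistent; they differ slightly from the slide's figure.

```python
"""ACK-storm simulation: two TCP endpoints after the handshake, an off-path
attacker that injects one spoofed data segment towards each side, and the
RFC 793 rule that makes the storm self-sustaining. Added example, not the
slides' or the Abramov/Herzberg paper's code. Sequence numbers, host names
and the detection threshold are constructed for the demo."""
from collections import deque
from dataclasses import dataclass


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    data: bytes = b""


class Endpoint:
    """Minimal established-state TCP: only SND.NXT and RCV.NXT are tracked."""

    def __init__(self, name, snd_nxt, rcv_nxt):
        self.name = name
        self.snd_nxt = snd_nxt     # next sequence number this side will send
        self.rcv_nxt = rcv_nxt     # next sequence number expected from the peer

    def receive(self, seg):
        """Process one segment; return the pure ACK sent in response, or None."""
        if seg.ack > self.snd_nxt:
            # RFC 793: if the ACK acks something not yet sent (SEG.ACK > SND.NXT),
            # send an ACK and drop the segment. That reply is in turn unacceptable
            # to the peer, so the two sides keep answering each other.
            return Segment(self.name, seg.src, self.snd_nxt, self.rcv_nxt)
        if seg.data:
            if seg.seq == self.rcv_nxt:           # in-order data: accept it
                self.rcv_nxt += len(seg.data)
            return Segment(self.name, seg.src, self.snd_nxt, self.rcv_nxt)
        return None                               # acceptable pure ACK: nothing to say


def run(inject_attack, max_segments=200):
    """Deliver segments FIFO until silence or max_segments; return the trace."""
    client = Endpoint("client", snd_nxt=530, rcv_nxt=2450)    # handshake already done
    server = Endpoint("server", snd_nxt=2450, rcv_nxt=530)
    hosts = {"client": client, "server": server}
    wire = deque()
    if inject_attack:
        # Weakling in the middle: the attacker only spoofs two segments, each
        # carrying 10 bytes that the real peer never sent.
        wire.append(Segment("server", "client", 2450, 530, b"A" * 10))
        wire.append(Segment("client", "server", 530, 2450, b"B" * 10))
    else:
        client.snd_nxt += 10                                   # client really sends 10 bytes
        wire.append(Segment("client", "server", 530, 2450, b"B" * 10))
    trace = []
    while wire and len(trace) < max_segments:
        seg = wire.popleft()
        trace.append(seg)
        reply = hosts[seg.dst].receive(seg)
        if reply is not None:
            wire.append(reply)
    return trace


def detect_ack_storm(trace, threshold=20):
    """Storm signature: payload-less segments whose (src, dst, seq, ack) never
    change, repeated far more often than a real connection would.
    Returns (is_storm, max_repeats)."""
    counts = {}
    for seg in trace:
        if not seg.data:
            key = (seg.src, seg.dst, seg.seq, seg.ack)
            counts[key] = counts.get(key, 0) + 1
    worst = max(counts.values(), default=0)
    return worst >= threshold, worst


if __name__ == "__main__":
    print("benign:", len(run(False)), "segments,", detect_ack_storm(run(False)))
    print("attack:", len(run(True)), "segments,", detect_ack_storm(run(True)))
```

Two spoofed segments produce an unbounded number of ACKs, which is the amplification the slide refers to; the detector keys on the fact that in a storm the sequence and acknowledgement numbers of the pure ACKs are frozen, whereas a live connection advances them.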
Principles of Congestion Control
• Congestion: informally, "too many sources sending too much data too fast for the network to handle"
• Different from flow control (receiver overload)!
• Manifestations: lost packets (buffer overflow at routers), long delays (queuing in router buffers)
• A top-10 problem!
Congestion Control in TCP
• Additive Increase Multiplicative Decrease (AIMD)
TCP Vulnerabilities with a Misbehaving Receiver
• Source: "TCP Congestion Control with a Misbehaving Receiver", Stefan Savage, Neal Cardwell, David Wetherall, Tom Anderson, ACM Computer Communication Review 1999
• A few slides are adapted from a presentation by the authors
Attack #1: ACK Division
• The Attack:
  • When you receive a data segment with N bytes
  • Divide the corresponding ACK into M pieces, where M ≤ N
  • Each separate ACK covers one of M distinct pieces of the received data
Attack #1: ACK Division
[Figure: a 1000-byte data segment is answered with three separate acknowledgements, ACK 1, ACK 2, ACK 3 (Savage et al. 1999)]
Attack #1: ACK Division
• This attack can convince a TCP sender to send all of the data in its send buffer in a single burst.
Mitigating ACK Division
• Change congestion control to work on byte granularity
• Increment the cwnd proportional to the amount of data acknowledged
• Increment the cwnd only when the entire segment sent is acknowledged
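ACK division and the byte-granularity mitigation, as an added example that is not the Savage et al. paper's or the slides' code: a deliberately minimal slow-start sender (no ssthresh, no loss handling) driven first by an honest receiver, then by one that splits every acknowledgement into ten pieces, with the sender's cwnd rule switched between per-ACK and per-byte growth. The segment size and the three-round-trip run are constructed.

```python
"""ACK division against a slow-start sender, with the byte-counting fix from
the mitigation slide. Added example, not the Savage et al. paper's code: the
sender is a deliberately minimal slow start (no ssthresh, no loss handling)
so the receiver's ACK pattern is the only thing that changes cwnd."""

MSS = 1000   # bytes per full-size segment (constructed)


class Sender:
    def __init__(self, byte_counting):
        self.byte_counting = byte_counting
        self.cwnd = MSS          # congestion window in bytes, initial window = 1 MSS
        self.snd_una = 0         # oldest unacknowledged byte
        self.snd_nxt = 0         # next byte to send

    def send_window(self):
        """Send full-size segments until cwnd is used up; returns [(seq, length)]."""
        segments = []
        while self.snd_nxt + MSS <= self.snd_una + self.cwnd:
            segments.append((self.snd_nxt, MSS))
            self.snd_nxt += MSS
        return segments

    def on_ack(self, ack):
        if ack <= self.snd_una:              # old or duplicate ACK: no growth here
            return
        newly_acked = ack - self.snd_una
        self.snd_una = ack
        if self.byte_counting:
            # Mitigation: grow by the bytes the ACK actually covers, so ten
            # partial ACKs for one segment are worth exactly one segment.
            self.cwnd += newly_acked
        else:
            # Classic slow start grows cwnd by one SMSS for every ACK that
            # acknowledges new data, however little: the exploitable rule.
            self.cwnd += MSS


def honest_acks(segments):
    """One cumulative ACK per received segment."""
    return [seq + length for seq, length in segments]


def divided_acks(segments, pieces):
    """ACK division: split each segment's acknowledgement into `pieces` ACKs
    that each advance by a fraction of the segment (the last completes it)."""
    acks = []
    for seq, length in segments:
        step = length // pieces
        for i in range(1, pieces + 1):
            acks.append(seq + (length if i == pieces else i * step))
    return acks


def cwnd_after(receiver, byte_counting, rtts=3):
    """Run `rtts` round trips over a lossless path and return the final cwnd."""
    sender = Sender(byte_counting)
    for _ in range(rtts):
        for ack in receiver(sender.send_window()):
            sender.on_ack(ack)
    return sender.cwnd


if __name__ == "__main__":
    divide10 = lambda segs: divided_acks(segs, 10)
    print("honest receiver, per-ACK growth:   ", cwnd_after(honest_acks, False))
    print("ACK division x10, per-ACK growth:  ", cwnd_after(divide10, False))
    print("ACK division x10, per-byte growth: ", cwnd_after(divide10, True))
```

With per-ACK growth the window after three round trips is 8 segments for an honest receiver but 1331 segments for the dividing receiver (growth by a factor of 11 per round trip instead of 2), which is how the sender is pushed into dumping its whole send buffer; with per-byte growth the dividing receiver gains nothing over an honest one.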
Attack #2: DupACK Spoofing
• TCP uses two algorithms, fast retransmit and fast recovery, to decrease the effects of packet loss
• Quoted from RFC 2581: "Set cwnd to ssthresh plus 3*SMSS. This artificially 'inflates' the congestion window by the number of segments (3) that have left the network and which the receiver has buffered. ... For each additional duplicate ACK received, increment cwnd by SMSS. This artificially inflates the cwnd in order to reflect the additional segment that has left the network."
Attack #2: DupACK Spoofing
• The Attack:
  • When you receive a data segment, send lots of ACKs for the last sequence # received (at the start of a connection, this would be for the SYN segment)
Attack #2: DupACK Spoofing
• The first four ACKs for the same sequence # cause the sender to retransmit the first segment.
• However, cwnd is increased by SMSS for each additional duplicate, for a total of 4 segments
• Since spoofed duplicate ACKs are indistinguishable from genuine ones, this attack also works.
[Figure: sample timeline for the DupACK attack]
Mitigating DupACK Spoofing
• Two additional fields in the TCP header
• Add a nonce to each segment
• When the receiver sends a DupACK, it must include the nonce
• For every DupACK with a new nonce, increment the cwnd by 1 SMSS
Attack #3: Optimistic ACKing
• Since TCP's cwnd growth is a function of RTT (exponential during slow start, linear during congestion avoidance), sender-receiver pairs with a shorter RTT transfer data more quickly
• Hence, it is possible for a receiver to emulate a shorter RTT by sending ACKs optimistically for data it has not received yet
Attack #3: Optimistic ACKing
• The Attack:
  • When you receive a data segment, send lots of ACKs anticipating the data that will be sent by the sender
  • This attack does not preserve end-to-end reliability, e.g. if a packet is lost, it is unrecoverable
Attack #3: Optimistic ACKing
• What makes Optimistic ACKing more dangerous:
  • After reaching the bottleneck rate, a receiver keeps sending ACKs in spite of losses
  • By concealing losses, it eliminates the only congestion signal available to the sender
  • A malicious receiver can conceal all losses and lead the sender to increase cwnd indefinitely
Attack #3: Optimistic ACKing
• Since senders generally send full-sized segments, it is easy for a receiver to guess the correct sequence # to use in ACKs, but this accuracy is not mandatory
• If an ACK arrives for data that has not yet been sent, it is generally ignored by the sender, allowing the receiver to be more aggressive
[Figure: sample timeline for the Optimistic ACKing attack]
Solution to Optimistic ACKing
• Again a nonce-based solution
• Include a nonce in each TCP segment
• The cumulative acknowledgement includes the cumulative sum of the nonce values
Example of this solution
• The fourth data segment is lost and a third ACK attempts to conceal this loss by ACKing a later segment
• But the ACK will be refused since it cannot provide the correct nonce sum (149)
[Figure: sample timeline for a transfer using a cumulative nonce]
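The nonce mechanisms from the DupACK-spoofing mitigation slide and the cumulative-nonce solution above, as one added example that is not the Savage et al. paper's or the slides' code: a toy sender stamps every segment with a random nonce, accepts a cumulative ACK only if it carries the sum of the nonces of everything it acknowledges, and counts a duplicate ACK only if it echoes the nonce of a distinct out-of-order segment. The scenario mirrors the slide's timeline (six segments, the fourth lost) and then tries the forged ACKs an attacker would send. Segment size, RNG seed and the scenario are constructed.

```python
"""Nonce-based defences against DupACK spoofing and optimistic ACKing. Added
example, not the Savage et al. paper's or the slides' code. The sender stamps
every segment with a random nonce; a cumulative ACK is accepted only with the
sum of the nonces of all acknowledged segments, and a duplicate ACK is counted
only if it echoes the nonce of a distinct out-of-order segment. Segment size,
seed and the six-segment / one-loss scenario are constructed."""
import random

MSS = 1000


class NonceSender:
    def __init__(self, seed=7):
        self.rng = random.Random(seed)   # fixed seed so the demo is repeatable
        self.snd_nxt = 0
        self.snd_una = 0
        self.outstanding = []            # [(seq, nonce)] not yet cumulatively ACKed
        self.running_sum = 0
        self.cum_expected = {}           # ack number -> nonce sum a valid ACK must carry
        self.dup_nonces_seen = set()
        self.dup_acks_counted = 0
        self.rejected = 0

    def send_segment(self):
        nonce = self.rng.randrange(1, 1 << 16)      # never 0, so 0 is always invalid
        seg = (self.snd_nxt, nonce)
        self.outstanding.append(seg)
        self.snd_nxt += MSS
        self.running_sum += nonce
        self.cum_expected[self.snd_nxt] = self.running_sum
        return seg

    def on_ack(self, ack, nonce_sum=None, dup_nonce=None):
        """Return True if the ACK proves receipt and may drive cwnd growth."""
        if ack > self.snd_nxt:                       # ACKs data never sent
            self.rejected += 1
            return False
        if ack > self.snd_una:                       # new cumulative ACK
            if self.cum_expected.get(ack) != nonce_sum:
                self.rejected += 1                   # optimistic ACK: wrong or guessed sum
                return False
            self.snd_una = ack
            self.outstanding = [(s, n) for s, n in self.outstanding if s >= ack]
            self.dup_nonces_seen.clear()
            return True
        # duplicate ACK (ack == snd_una): must echo the nonce of a distinct segment
        valid = {n for _, n in self.outstanding}
        if dup_nonce in valid and dup_nonce not in self.dup_nonces_seen:
            self.dup_nonces_seen.add(dup_nonce)
            self.dup_acks_counted += 1               # a real sender would add 1 SMSS to cwnd here
            return True
        self.rejected += 1                           # replayed or invented nonce
        return False


class HonestReceiver:
    def __init__(self):
        self.rcv_nxt = 0
        self.nonce_sum = 0
        self.buffered = {}                           # out-of-order seq -> nonce

    def receive(self, seq, nonce):
        """Return (ack, nonce_sum, dup_nonce); dup_nonce is None for a cumulative ACK."""
        if seq != self.rcv_nxt:                      # gap: buffer and send a DupACK
            self.buffered[seq] = nonce
            return self.rcv_nxt, self.nonce_sum, nonce
        self.rcv_nxt += MSS
        self.nonce_sum += nonce
        while self.rcv_nxt in self.buffered:         # drain anything now in order
            self.nonce_sum += self.buffered.pop(self.rcv_nxt)
            self.rcv_nxt += MSS
        return self.rcv_nxt, self.nonce_sum, None


def scenario(lost=3, total=6):
    """Six segments, the fourth lost, then the forged ACKs an attacker might try.
    Returns what the sender accepted and rejected."""
    sender = NonceSender()
    segments = [sender.send_segment() for _ in range(total)]
    receiver = HonestReceiver()
    result = {"cumulative_ok": 0, "dup_ok": 0}
    for i, (seq, nonce) in enumerate(segments):
        if i == lost:
            continue                                 # never arrives
        ack, nsum, dup_nonce = receiver.receive(seq, nonce)
        if dup_nonce is None:
            result["cumulative_ok"] += int(sender.on_ack(ack, nonce_sum=nsum))
        else:
            result["dup_ok"] += int(sender.on_ack(ack, dup_nonce=dup_nonce))
    # DupACK spoofing: replaying a nonce already used, or inventing one, earns nothing
    result["replayed_dup_ok"] = sender.on_ack(receiver.rcv_nxt, dup_nonce=segments[-1][1])
    result["forged_dup_ok"] = sender.on_ack(receiver.rcv_nxt, dup_nonce=0)
    # Optimistic ACK for everything: the receiver cannot know the lost segment's nonce
    result["optimistic_ok"] = sender.on_ack(total * MSS, nonce_sum=receiver.nonce_sum)
    result["rejected"] = sender.rejected
    return result


if __name__ == "__main__":
    print(scenario())
```

The honest receiver gets three cumulative ACKs and two genuine duplicate ACKs accepted; the replayed nonce, the invented nonce and the optimistic ACK covering the lost segment are all refused, because each would require a nonce the receiver never saw. Note what the nonce does not do: a 16-bit nonce per segment is guessable by brute force only if the sender tolerates many wrong ACKs, so a deployment must also count and limit rejections.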
TCP Shrew Attack
• Exploits TCP's retransmission timeout (RTO) mechanism
• Creates a Denial of Service (DoS) attack
• Throughput is reduced
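The RTO-timed attack the slide introduces, as an added discrete-time model that is not from the slides: a single TCP flow against periodic attacker bursts, with the sender backing off exponentially from a minimum RTO after each burst-induced loss. The constructed assumptions are one time slot per RTT, a minimum RTO of 10 slots, a bottleneck of 10 segments per slot, and a burst that overflows the bottleneck queue so every segment the victim sends during it is lost.

```python
"""Discrete-time model of the shrew (low-rate) attack on TCP's retransmission
timeout. Added example, not from the slides. Constructed assumptions: one slot
is one RTT, minRTO is 10 slots, the bottleneck carries at most BOTTLENECK
segments per slot, and an attacker burst of `burst_len` slots overflows the
bottleneck queue so every segment the victim sends during the burst is lost."""

MIN_RTO = 10        # slots (the lower bound of the retransmission timer)
MAX_RTO = 640       # cap on exponential backoff
BOTTLENECK = 10     # segments per slot the link can carry


def simulate(duration, burst_period, burst_len=1):
    """Run one TCP flow for `duration` slots against bursts every `burst_period`
    slots (0 = no attacker). Returns (victim goodput as a fraction of link
    capacity, attacker's average rate as a fraction of link capacity)."""
    cwnd = 1                 # segments per slot; slow start from one segment
    rto = MIN_RTO
    next_send = 0            # first slot in which the sender may transmit
    delivered = 0
    for t in range(duration):
        if t < next_send:    # waiting for the retransmission timer to expire
            continue
        in_burst = burst_period > 0 and t % burst_period < burst_len
        if in_burst:
            # Every segment of this window is dropped. The sender only learns
            # of it by timeout, backs off exponentially and restarts at cwnd=1.
            next_send = t + rto
            rto = min(rto * 2, MAX_RTO)
            cwnd = 1
        else:
            delivered += cwnd
            cwnd = min(cwnd * 2, BOTTLENECK)
            rto = MIN_RTO    # fresh RTT sample: timer back to its minimum
            next_send = t + 1
    attacker_rate = burst_len / burst_period if burst_period else 0.0
    return delivered / (duration * BOTTLENECK), attacker_rate


if __name__ == "__main__":
    for period in (0, 10, 25):
        goodput, rate = simulate(1000, period)
        print("burst period %3d slots: attacker uses %4.0f%% of link, victim gets %5.1f%%"
              % (period, rate * 100, goodput * 100))
```

With the burst period equal to the minimum RTO every retransmission after a timeout lands in the next burst, so a stream that averages 10% of the link drives the victim's throughput to zero; with a period that does not line up with the timer (25 slots here) the same attacker gets only a partial reduction. That timing dependence is why the attack is hard to spot with rate-based monitoring alone.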