TCP/IP security threats and attack methods
Presented by Haytham Abdulhamid
Overview
• The most serious financial losses occurred through:
• Unauthorized access by insiders (18 respondents reported a total of US$50 565 000 in losses),
• Theft of proprietary information (20 respondents reported a total of US$33 545 000 in losses),
• Telecommunications fraud (32 respondents reported a total of US$17 256 000 in losses) and
• Financial fraud (29 respondents reported a total of US$11 239 000 in losses).
Threats to the TCP/IP protocol
Common attacks which exploit the limitations and inherent vulnerabilities in the TCP and IP protocols:
• SYN flooding
• IP spoofing
• Sequence number attack
• TCP session hijacking
• RST and FIN denial of service attack
• Ping O' Death
SYN Flooding
• Attacker sends many connection requests with spoofed source addresses
• Victim allocates resources for each request
• New thread, connection state maintained until timeout
• Fixed bound on half-open connections
• Once resources are exhausted, requests from legitimate clients are denied
• This is a classic denial of service attack
• Common pattern: it costs the TCP initiator nothing to send a connection request, but the TCP responder must spawn a thread for each request - asymmetry!
Distributed DoS (DDoS)
Hard to find the originator
• Originator of the attack compromised the handlers
• Originator is not active when the DDoS attack occurs
Can try to find the agents
• Source IP address in packets is not reliable
• Need to examine traffic at many points, modify traffic, or modify routers
SYN flood is a form of denial-of-service attack
Protection from Flooding
• Packet filtering: have the ISP block the attack's IP packets.
• Increase the size of the backlog queue.
• Keep your firewall and OS up to date.
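The asymmetry described under SYN Flooding, and why a larger backlog only delays exhaustion, can be seen in a small simulation. The following is an added example, not code from the presentation: `StatefulResponder` models a server that stores an entry for every SYN in a fixed-size backlog, so a burst of spoofed SYNs that never complete the handshake leaves no room for a legitimate client until entries time out. `SynCookieResponder` models the stateless alternative (SYN cookies, a mitigation the slides do not name but which directly removes the per-SYN cost): the server encodes a keyed hash of the peer address and a time counter into its initial sequence number and allocates state only when a valid ACK returns. The backlog size, timeout, key, addresses and cookie layout are constructed for the example and simplified relative to a real kernel implementation.

```python
"""Added example: stateful backlog vs. SYN-cookie handling of a SYN burst.
Not from the presentation; all parameters and addresses are constructed."""
import hmac
import hashlib
import random

BACKLOG = 8             # fixed bound on half-open connections (constructed)
HALF_OPEN_TIMEOUT = 75  # seconds a half-open entry is retained (constructed)


class StatefulResponder:
    """Allocates backlog state for every SYN, exactly the asymmetry the slide describes."""

    def __init__(self):
        self.half_open = {}       # (src_ip, src_port) -> arrival time of SYN
        self.established = set()

    def _expire(self, now):
        for key, arrived in list(self.half_open.items()):
            if now - arrived > HALF_OPEN_TIMEOUT:
                del self.half_open[key]

    def on_syn(self, src, now):
        self._expire(now)
        if len(self.half_open) >= BACKLOG:
            return "DROP"          # legitimate or not, no room is left
        self.half_open[src] = now
        return "SYN-ACK"

    def on_ack(self, src, now):
        if src in self.half_open:
            del self.half_open[src]
            self.established.add(src)
            return "ESTABLISHED"
        return "RST"


class SynCookieResponder:
    """Keeps no state per SYN; the ISN itself proves the SYN-ACK was answered."""

    def __init__(self, key=b"constructed-secret-key"):
        self.key = key
        self.established = set()

    def _cookie(self, src, minute):
        msg = f"{src[0]}:{src[1]}:{minute}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        # top 8 bits: time counter, low 24 bits: truncated MAC (simplified layout)
        return ((minute & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src, now):
        return ("SYN-ACK", self._cookie(src, int(now) // 60))  # nothing stored

    def on_ack(self, src, ack_number, now):
        isn = (ack_number - 1) & 0xFFFFFFFF   # the client acknowledges ISN+1
        minute = int(now) // 60
        for m in (minute, minute - 1):        # tolerate a counter boundary
            if isn == self._cookie(src, m):
                self.established.add(src)     # allocate only now
                return "ESTABLISHED"
        return "RST"


def simulate(responder_cls):
    """Send 100 spoofed SYNs that never ACK, then one legitimate handshake.
    Returns the outcome for the legitimate client."""
    rnd = random.Random(1)
    r = responder_cls()
    for _ in range(100):
        spoofed = (f"203.0.113.{rnd.randrange(1, 255)}", rnd.randrange(1024, 65535))
        r.on_syn(spoofed, now=10.0)
    client = ("198.51.100.7", 40000)          # constructed legitimate peer
    reply = r.on_syn(client, now=11.0)
    if isinstance(r, SynCookieResponder):
        _, isn = reply
        return r.on_ack(client, (isn + 1) & 0xFFFFFFFF, now=11.1)
    if reply == "DROP":
        return "DROP"
    return r.on_ack(client, now=11.1)


if __name__ == "__main__":
    print("stateful backlog :", simulate(StatefulResponder))   # DROP
    print("SYN cookies      :", simulate(SynCookieResponder))  # ESTABLISHED
```

The stateful responder refuses the legitimate client because eight spoofed entries occupy the backlog until the 75-second timeout; raising BACKLOG, as the second protection bullet suggests, only raises the number of spoofed SYNs the attacker must send. The cookie responder never stores anything for a SYN, so the flood costs it only a MAC computation per packet.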
IP Spoofing
• A technique used to gain unauthorized access to computers,
Types of Spoofing attacks
1. Non-Blind Spoofing
• Takes place when the attacker is on the same subnet as the victim. This allows the attacker to sniff packets, making the next sequence number available to him.
2. Blind Spoofing
• Usually the attacker does not have access to the reply.
• The sequence and acknowledgement numbers from the victim are unreachable. In order to avoid this, several packets are sent to the victim machine in order to sample sequence numbers.
How to Prevent Spoofing Attacks
1. Avoid using source address authentication. Implement cryptographic authentication system wide.
2. Disable all the r* commands, remove all .rhosts files and empty out the /etc/hosts.equiv file. This will force all users to use other means of remote access.
3. Configure your network to reject packets from the net that claim to originate from a local address. This is most commonly done with a router.
4. If you allow outside connections from trusted hosts, enable encrypted sessions at the router.
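Step 3 is the ingress-filtering rule (the approach later standardised as BCP 38). The following added example, not code from the presentation, shows the decision a border router makes for each packet: on the Internet-facing side, a source address belonging to one of the site's own prefixes is rejected as spoofed, and sources that can never legitimately appear from the Internet (private and loopback ranges) are rejected as well; it also goes one step beyond the slide by filtering the LAN side, so the site's own hosts cannot emit packets with someone else's address. The prefixes, interface directions and sample packets are constructed (RFC 5737 and RFC 3849 documentation ranges), and `classify` is a hypothetical helper, not any router's configuration syntax.

```python
"""Added example: anti-spoofing (ingress/egress) source-address check at a border.
Not from the presentation; prefixes and sample traffic are constructed."""
import ipaddress

# Address blocks this site owns (constructed, documentation ranges)
LOCAL_PREFIXES = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "2001:db8:100::/48")]

# Sources that should never arrive from the Internet side (private, loopback, link-local, multicast)
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10")]


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes if p.version == addr.version)


def classify(direction, src):
    """direction: 'inbound' (arriving from the Internet) or 'outbound' (leaving the LAN).
    Returns 'ACCEPT' or 'REJECT:<reason>'."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "REJECT:malformed-source"
    local = _in_any(addr, LOCAL_PREFIXES)
    if direction == "inbound":
        if local:
            return "REJECT:spoofed-local-source"   # the rule from step 3
        if _in_any(addr, BOGON_PREFIXES):
            return "REJECT:bogon-source"
        return "ACCEPT"
    if direction == "outbound":
        # egress filtering (beyond step 3): our hosts may only use our addresses
        return "ACCEPT" if local else "REJECT:not-our-address"
    return "REJECT:unknown-direction"


def filter_log(records):
    """Apply classify() to (direction, src, dst) records and return the rejected ones."""
    rejected = []
    for direction, src, _dst in records:
        verdict = classify(direction, src)
        if verdict != "ACCEPT":
            rejected.append((direction, src, verdict))
    return rejected


# Constructed sample traffic as seen at the border router
SAMPLE = [
    ("inbound",  "203.0.113.9",      "198.51.100.20"),   # ordinary Internet client
    ("inbound",  "198.51.100.5",     "198.51.100.20"),   # claims to be one of our hosts
    ("inbound",  "10.1.2.3",         "198.51.100.20"),   # private source from outside
    ("inbound",  "2001:db8:100::7",  "2001:db8:100::1"), # our IPv6 prefix from outside
    ("outbound", "198.51.100.20",    "203.0.113.9"),     # normal outbound traffic
    ("outbound", "192.0.2.44",       "203.0.113.9"),     # our host using a foreign address
    ("inbound",  "not-an-ip",        "198.51.100.20"),   # malformed record
]

if __name__ == "__main__":
    for entry in filter_log(SAMPLE):
        print(*entry)
```

Running the sample rejects five of the seven records; only the genuine Internet client and the correctly addressed outbound packet pass. The check is deliberately per-packet and stateless, which is why routers can apply it at line rate as an ACL or unicast reverse-path check.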
TCP and IP spoofing Tools
1. Mendax for Linux is an easy-to-use tool for TCP sequence number prediction and rshd spoofing.
2. spoofit.h is a nicely commented library for including IP spoofing functionality into your programs.
3. Ipspoof is a TCP and IP spoofing utility.
4. Hunt is a sniffer which also offers many spoofing functions.
5. Dsniff is a collection of tools for network auditing and interception of network traffic.
Resources
1. IP Spoofing: An Introduction. Symantec.com. http://www.securityfocus.com/infocus/1674
2. IP spoofing, webopedia.com. http://www.webopedia.com/TERM/I/IP_spoofing.html
3. IP Spoofing. http://linuxgazette.net/issue63/sharma.html
4. TCP/IP security threats and attack methods. http://www.sciencedirect.com/science/article/pii/S014036649900064X
Thanks. Questions?