TCP & Security
Spring 2013
Slide Sources:
• Introduction to Network Security, Jacobson, CRC Press, 2008 [DJ]
• “Security Assessment of the Transmission Control Protocol (TCP)”: UK CPNI (Centre for the Protection of National Infrastructure) [CPNI] http://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf
• “TCP/IP Security”: Chris Chambers, Justin Dolske, and Jayaraman Iyer [CDI] http://www.linuxsecurity.com/resource_files/documentation/tcpip-security.html
• Computer Security: Art and Science, Matt Bishop, Addison Wesley, 2003 [MB]
• Cryptography & Network Security, B. Forouzan, McGraw Hill, 2007 [BF]
TCP Attacks
• Can be categorized as
  • Header based: takes advantage of various header fields
  • Protocol based: takes advantage of different properties of the TCP protocol
• Goal of these attacks can be
  • Denial of service
  • Forgery
  • Probing
Header Based Denial of Service Attacks
• Invalid flag combinations (all 0s or all 1s) can lead to dropped connections [DJ]
• The PSH flag can be deliberately left unset with large data, or set with small data, to cause resource exhaustion on the sender and receiver side [CPNI]
• The window size can be set to 0, preventing the sender on the other end from sending any more data [CPNI]
• Intentionally invalid checksums can cause packets to be dropped [DJ]
• Intentionally invalid checksums can bog down a stateful firewall that does not check checksums but keeps up with connection states [CPNI]
• Intentionally invalid checksums can confuse a network IDS that does not check checksums [CPNI]
• Land attack [MB]
Land Attack
• LAND stands for Local Area Network Denial
• Sending a special poisoned, spoofed packet to a computer, causing it to lock up, resulting in denial of service
• The attacker spoofs the IP address of the victim such that source and destination addresses and ports are the same
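The header-based checks the two slides above call for, written from the inspecting side (a stateful firewall or IDS): the LAND pattern, the all-zero/all-ones flag combinations, and a real TCP checksum verification over the IPv4 pseudo-header. This is example code added here, not from the slides; the Segment layout is a constructed, simplified view with fixed sequence, acknowledgment and window fields.

```python
import struct
from dataclasses import dataclass

# URG ACK PSH RST SYN FIN: the six classic flag bits the slides' "all 0s or 1s" refers to
ALL_FLAGS = 0x3F

@dataclass
class Segment:
    """Constructed, simplified view of an IPv4/TCP segment as seen by a stateful
    firewall or IDS. seq/ack/window are fixed here to keep the example short."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: int
    checksum: int          # checksum value carried in the header
    payload: bytes = b""

def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def tcp_checksum(seg):
    """Recompute the TCP checksum over the IPv4 pseudo-header plus the segment
    (with the header's checksum field zeroed), as a checking IDS must."""
    hdr = struct.pack("!HHIIBBHHH", seg.src_port, seg.dst_port, 0, 0,
                      5 << 4, seg.flags, 65535, 0, 0)
    data = hdr + seg.payload
    if len(data) % 2:
        data += b"\x00"                      # pad to a whole 16-bit word
    pseudo = _ip_bytes(seg.src_ip) + _ip_bytes(seg.dst_ip) + \
        struct.pack("!BBH", 0, 6, len(hdr) + len(seg.payload))
    words = struct.unpack("!%dH" % (len(pseudo + data) // 2), pseudo + data)
    total = sum(words)
    while total >> 16:                       # fold carries (one's complement sum)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def header_anomalies(seg):
    """Return the header-based red flags from the slides that this segment trips."""
    issues = []
    if seg.src_ip == seg.dst_ip and seg.src_port == seg.dst_port:
        issues.append("land")                # source == destination: LAND pattern
    if seg.flags in (0, ALL_FLAGS):
        issues.append("invalid-flags")       # NULL or all-flags-set segment
    if seg.checksum != tcp_checksum(seg):
        issues.append("bad-checksum")        # never update connection state on it
    return issues
```

A firewall that drops segments with a bad checksum before touching its state table avoids the desynchronisation the slides describe.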
Header Based Forgery Attacks
• Increasing the TCP window increases the sequence number space that will be considered “valid” for incoming segments. Thus, use of unnecessarily large TCP window sizes increases TCP's vulnerability to forgery attacks unnecessarily [CPNI].
• Window size should be limited to Window = 2 * Bandwidth * Delay
• Increasing the window size any further will not improve the data transfer rate; it only raises the probability that an attacker guesses a valid sequence number.
Header Based Probing Attacks
• Sequence numbers can provide insight into
  • ongoing sessions [DJ]
  • the number of hosts behind a network device (such as a NAT) [CPNI]
  • the operating system [DJ]
• Reaction to a FIN probe can provide insight into the operating system version [CPNI]
• Window size can provide insight into the operating system version [DJ]
• Responses to invalid header data can provide insight into the operating system version [DJ]
• Reaction to probes without the ACK bit set (FIN, NULL, FIN+PSH+URG) can provide insight into whether certain ports are open [CPNI]
• Intentionally invalid checksums can give away whether the responder is a host or a router/firewall/network IDS [CPNI]
• TCP port scanning attack [CPNI]
TCP Port Scanning
• In port scanning an application (the attacker) probes a server or host for open ports
  • used by administrators to verify the security policies of their networks (nmap)
  • used by attackers to identify running services on a host with a view to compromising it
• Connection attempts provide insight into which ports (applications) are active (active ones will complete the handshake)
• Mechanism
  • The simplest port scanners use the operating system's network functions. The attacker uses the connect() system call. If a port is open, the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection.
  • The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the connection before the handshake is completed. If the port is closed but unfiltered, the target will instantly respond with a RST packet. (Port scanning is hidden
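Seen from the target's side, the scan mechanism above leaves a distinctive trace: one source sending SYNs to many distinct ports in a short time, most of them answered with RST because the port is closed. The following detection logic over a constructed SYN log is example code added here, not from the slides; the log format (time, source, destination, port, reply) and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed SYN log, one line per SYN: time, src, dst, dport, reply.
# "reply" is what the target answered: SA (SYN-ACK, port open) or R (RST, closed).
LOG = """\
0.00 198.51.100.7 192.0.2.10 22 SA
0.01 198.51.100.7 192.0.2.10 23 R
0.02 198.51.100.7 192.0.2.10 25 R
0.03 198.51.100.7 192.0.2.10 80 SA
0.04 198.51.100.7 192.0.2.10 110 R
0.05 198.51.100.7 192.0.2.10 143 R
0.06 198.51.100.7 192.0.2.10 443 SA
0.07 198.51.100.7 192.0.2.10 445 R
0.08 198.51.100.7 192.0.2.10 3306 R
0.09 198.51.100.7 192.0.2.10 8080 R
1.00 203.0.113.4 192.0.2.10 443 SA
4.00 203.0.113.4 192.0.2.10 443 SA
"""

def parse(log):
    """Turn the log text into (time, src, dst, dport, reply) tuples."""
    events = []
    for line in log.splitlines():
        t, src, dst, dport, reply = line.split()
        events.append((float(t), src, dst, int(dport), reply))
    return events

def detect_scanners(events, window=5.0, max_ports=8, closed_ratio=0.6):
    """Flag sources that touch at least `max_ports` distinct ports on one host
    within `window` seconds and mostly hit closed ports (RST replies).
    Returns {src: (dst, distinct_ports, closed_hits)}."""
    per_pair = defaultdict(list)
    for t, src, dst, dport, reply in events:
        per_pair[(src, dst)].append((t, dport, reply))
    alerts = {}
    for (src, dst), evs in per_pair.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):       # slide a window over the SYNs
            inwin = [e for e in evs[i:] if e[0] - t0 <= window]
            ports = {p for _, p, _ in inwin}
            closed = sum(1 for _, _, r in inwin if r == "R")
            if len(ports) >= max_ports and closed / len(inwin) >= closed_ratio:
                alerts[src] = (dst, len(ports), closed)
                break
    return alerts
```

The closed-port ratio keeps a busy legitimate client that repeatedly connects to one open service (the second source in the log) from being flagged.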
Protocol Based Denial of Service Attacks
• TCP state and timer exploitation [CDI, CPNI]
• 3 way handshake exploitation
• FIN-WAIT2 flooding [CPNI]
• Simultaneous connection establishment exploitation [CDI]
• Session Usurpation with SYN Guessing [DJ]
• Session shutdown [DJ]
• Congestion Control Exploitation [CPNI]
• Buffer Exploitation [CPNI]
• Automated Buffer Tuning Exploitation [CPNI]
• Window size zero probe exploitation
TCP State and Timer Exploitation
• TCP has several timers associated with its states; some states do not have timers
  • Connection Establishment Timer
  • FIN_WAIT timer
  • TIME_WAIT timer
  • KEEP_ALIVE timer
• The KEEP_ALIVE timer can be used to stall a connection when no data is sent (at least 2 hours) [CDI]
• Absence of timers with certain states
  • Can keep a host in some states “in certain conditions” indefinitely
  • Example: SYN+FIN bits can be set together to get a host stalled in the CLOSE_WAIT state, which has no timer associated with it [CDI]
FIN-WAIT2 Flooding
• The attacker establishes a large number of connections and, when the server tries to close them, does not properly “close” them on its part, leaving the server in the FIN-WAIT-2 state
Simultaneous Connection Establishment Exploitation
http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh-4.htm
3 Way Handshake Exploitation: SYN Flood Attack
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html
Session Usurpation with SYN Guessing
• Pre-conditions
  • Forged IP address
  • Return communication has to be visible (if not, it is called a blind attack)
  • Situated in the network, or traffic routed through, such that sniffing (offline or inline) is possible
  • The expected SYN has to be used
  • SYN sniffing or guessing is needed
• More successful when the legitimate host is offline or brought offline
Session Shutdown
• Requires the attacker to be on the communication path between the hosts
• Anatomy
  • Situate in the path of both sender and receiver
  • If not in the path, “blind attacks” can be conducted by guessing parameters
  • Monitor the flow
  • Send RST to both ends after connection establishment, masquerading as each end
Congestion Control Exploitation
• The congestion window increases according to the number of ACKs received. Hence a victim sender's congestion window can be illegitimately increased (and thus data transmission to the attacker increased) by
  • ACK Division Attack: sending multiple separate ACKs covering different parts of the same data, leading the sender to believe far more traffic has been delivered than actually has
  • DupACK Forgery: sending multiple duplicate ACKs covering the same data
  • Optimistic ACKing: sending ACKs for data not yet received
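Why the standard mitigation works: a sender that grows its congestion window by the number of bytes newly acknowledged (the idea of RFC 3465, Appropriate Byte Counting) instead of by the number of ACKs is unaffected by ACK division and duplicate ACKs. The simulation below is example code added here, not from the slides; it models only slow-start growth for one flight of full-sized segments, with a constructed ACK sequence for each case.

```python
MSS = 1460   # bytes per full-sized segment (assumed)

def cwnd_per_ack(cwnd, acks):
    """Naive rule the slides describe: +1 MSS for every ACK that arrives,
    regardless of how much data the ACK actually covers."""
    for _ in acks:
        cwnd += MSS
    return cwnd

def cwnd_byte_counting(cwnd, acks, limit=MSS):
    """Byte-counting rule: grow by the bytes newly acknowledged, at most `limit`
    per ACK. Duplicate ACKs advance nothing (0 new bytes) and so add nothing."""
    for newly_acked in acks:
        cwnd += min(newly_acked, limit)
    return cwnd

def normal_acks(segments):
    """One cumulative ACK per segment, as a well-behaved receiver sends."""
    return [MSS] * segments

def ack_division(segments, pieces):
    """ACK pattern the sender sees under ACK division: each segment is
    acknowledged in `pieces` partial ACKs that together cover exactly one MSS."""
    acks = []
    for _ in range(segments):
        base, rem = divmod(MSS, pieces)
        acks += [base + (1 if k < rem else 0) for k in range(pieces)]
    return acks

def dup_acks(segments, dups):
    """Normal ACK per segment, each followed by `dups` duplicate ACKs."""
    acks = []
    for _ in range(segments):
        acks += [MSS] + [0] * dups
    return acks

def compare(segments=4, pieces=10, dups=3):
    """Final cwnd (bytes) under both rules for each ACK pattern, starting from
    a window of `segments` MSS."""
    start = segments * MSS
    out = {}
    for name, acks in (("normal", normal_acks(segments)),
                       ("division", ack_division(segments, pieces)),
                       ("dupack", dup_acks(segments, dups))):
        out[name] = (cwnd_per_ack(start, acks), cwnd_byte_counting(start, acks))
    return out
```

With four segments in flight, byte counting ends at the same window for all three patterns, while per-ACK counting is inflated by a factor equal to the number of ACKs per segment.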
Buffer Exploitation
• Buffering requested large data
  • Requesting large data from the victim server and then dropping/stalling the connection
  • Doing this numerous times exhausts the server's send buffer and denies service to legitimate connections
• Buffering out-of-order data
  • Intentionally sending out-of-order segments repeatedly can tie up the receiver's buffer
Automated Buffer Tuning Exploitation
• Sending
  • Making a connection with the victim host to increase its congestion window size (legitimately or illegitimately, as in the congestion control attack), which in turn increases its send buffer size
  • Tying up the increased send buffer of the victim by advertising a zero window (as in the sockstress attack) or by not acknowledging data
• Receiving
  • Sending a large amount of data to the victim receiver will increase the victim's receive buffer size, as it depends on the data received in a round trip
  • Intentionally leaving empty space at the beginning of the buffer will prevent it from being purged and keep it occupied needlessly
Window Size Zero Probe Exploitation
• One type of sockstress attack
• Anatomy
  • The attacker sends an HTTP GET request for a large page and then sets the window size to zero
  • The server keeps on sending zero-window probes
  • Probes are acknowledged by the attacker but the window size is not cleared
  • The server is left hanging with data that consumes its local resources
• http://tools.ietf.org/html/draft-ananth-tcpm-persist-01
• http://www.kb.cert.org/vuls/id/723308
• http://en.wikipedia.org/wiki/Sockstress
• http://www.checkpoint.com/defense/advisories/public/announcement/090809-tcpip-dos-sockstress.html
Protocol Based Forgery Attacks
• Session Hijacking
  • Situate in the path of victim and target
  • If not in the path, “blind attacks” can be conducted by guessing parameters
  • Monitor the flow
  • Kill the victim's connection
  • Pose as the victim to forge messages to the target
General Countermeasures
• Firewalls (stateful)
  • Monitoring and controlling per user, per connection, per process
  • Monitoring flags, number of ACKs, nature of ACKs, number and state of SYN requests to filter
  • Setting limits on processes, hosts, networks, timers
• Network IDS
  • Learning and applying patterns
Bottom Line
“TCP is not (and is not intended to be) a secure protocol; if you need security, it should be provided above or below the TCP layer” (Steven Bellovin)
SSL/TLS [BF]
• Secure Sockets Layer / Transport Layer Security
• Application/transport layer security
• Web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP)
• Can serve any higher level application protocol
• Usually used with HTTP to form HTTPS
• Provides security for the transport layer
• Current Internet protocol version: TLS
  • Compatible with SSL 3.0
SSL Services
• Provides confidentiality, integrity, and authentication of endpoints (mutual authentication)
  • Symmetric cipher based message encryption for confidentiality
  • Message authentication code for integrity
  • Public key encryption-based key exchange
  • Certificate (X.509) based authentication