
TCP & Security

TCP & Security. Spring 2013. Slide sources: Introduction to Network Security, Jacobson, CRC Press, 2008 [DJ]; “Security Assessment of the Transmission Control Protocol (TCP)”: UK CPNI (Centre for the Protection of National Infrastructure) [CPNI]

Presentation Transcript


  1. TCP & Security
  Spring 2013
  Slide Sources:
  • Introduction to Network Security, Jacobson, CRC Press, 2008 [DJ]
  • “Security Assessment of the Transmission Control Protocol (TCP)”: UK CPNI (Centre for the Protection of National Infrastructure) [CPNI] http://www.gont.com.ar/papers/tn-03-09-security-assessment-TCP.pdf
  • “TCP/IP Security”: Chris Chambers, Justin Dolske, and Jayaraman Iyer [CDI] http://www.linuxsecurity.com/resource_files/documentation/tcpip-security.html
  • Computer Security: Art and Science, Matt Bishop, Addison Wesley, 2003 [MB]
  • Cryptography & Network Security, B. Forouzan, McGraw Hill, 2007 [BF]

  2. TCP Attacks
  • Can be categorized as
    • Header based: takes advantage of various header fields
    • Protocol based: takes advantage of different properties of the TCP protocol
  • The goal of these attacks can be
    • Denial of service
    • Forgery
    • Probing

  3. Header Based Denial of Service Attacks
  • Invalid flag combinations (all 0s or all 1s) can lead to dropped connections [DJ]
  • The PSH flag can be deliberately left unset on large data, or set on small data, to cause resource exhaustion on the sender and receiver side [CPNI]
  • The window size can be set to 0, preventing the sender at the other end from sending any more data [CPNI]
  • Intentionally invalid checksums can cause packets to be dropped [DJ]
  • Intentionally invalid checksums can bog down a stateful firewall that does not verify checksums but keeps up with connection states [CPNI]
  • Intentionally invalid checksums can confuse a network IDS that does not verify checksums [CPNI]
  • Land attack [MB]

  4. Land Attack
  • LAND stands for Local Area Network Denial
  • Sends a specially crafted (“poison”) spoofed packet to a computer, causing it to lock up and resulting in denial of service
  • The attacker spoofs the IP address of the victim such that source and destination addresses and ports are the same
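Slides 3 and 4 list header-level anomalies that a stateful firewall or network IDS should reject before it spends any state on the segment: impossible flag combinations, bad checksums, and the LAND condition. The Python below is an added example, not code from the slides or their sources: it builds minimal TCP segments with the RFC 793 pseudo-header checksum and runs those checks over them. Addresses, ports and the anomaly labels are constructed for the example.

```python
import struct
import ipaddress

# TCP flag bits (RFC 793); ECE/CWR are masked out below.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
TCP_HDR = "!HHIIBBHHH"   # sport, dport, seq, ack, offset/reserved, flags, window, checksum, urgent


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """One's-complement checksum over the IPv4 pseudo-header and the segment
    (the segment's own checksum field must be zero when this is called)."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))   # zero, protocol=TCP, TCP length
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, flags, window=65535,
                  payload=b"", checksum=None) -> bytes:
    """Build a 20-byte TCP header (no options) plus payload. The checksum is
    computed correctly unless an explicit (possibly wrong) value is forced."""
    hdr = struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, flags, window, 0, 0)
    seg = hdr + payload
    if checksum is None:
        checksum = tcp_checksum(src_ip, dst_ip, seg)
    return seg[:16] + struct.pack("!H", checksum) + seg[18:]


def inspect_segment(src_ip: str, dst_ip: str, segment: bytes) -> list:
    """Return the header-level anomalies from slides 3 and 4 found in one segment."""
    sport, dport, _seq, _ack, _off, flags, _win, chk, _urg = struct.unpack(TCP_HDR, segment[:20])
    flags &= ALL_FLAGS
    problems = []
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    if tcp_checksum(src_ip, dst_ip, zeroed) != chk:
        problems.append("bad-checksum")        # verify before tracking any connection state
    if flags == 0:
        problems.append("null-flags")          # all flag bits clear
    if flags == ALL_FLAGS:
        problems.append("all-flags")           # all flag bits set
    if flags & SYN and flags & FIN:
        problems.append("syn+fin")             # contradictory: open and close at once
    if src_ip == dst_ip and sport == dport:
        problems.append("land")                # LAND: source equals destination
    return problems
```

A filter that verifies the checksum first never updates its connection table for a forged segment, which is the weakness slide 3 describes for stateful devices that skip the check.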

  5. Header Based Forgery Attacks
  • Increasing the TCP window increases the sequence number space that will be considered “valid” for incoming segments. Thus, use of unnecessarily large TCP window sizes increases TCP’s vulnerability to forgery attacks unnecessarily [CPNI]
  • Window size should be limited to Window = 2 * Bandwidth * Delay
  • Increasing the window size beyond this does not improve the data transfer rate; it only raises the probability that an attacker guesses a sequence number the receiver will accept as valid

  6. Header Based Probing Attacks
  • Sequence numbers can provide insight into
    • an ongoing session [DJ]
    • the number of hosts behind a network device (such as a NAT) [CPNI]
    • the operating system [DJ]
  • Reaction to a FIN probe can provide insight into the operating system version [CPNI]
  • Window size can provide insight into the operating system version [DJ]
  • Responses to invalid header data can provide insight into the operating system version [DJ]
  • Reaction to a segment without the ACK bit set, or to a FIN, NULL, or FIN+PSH+URG probe, can provide insight into whether certain ports are open [CPNI]
  • Intentionally invalid checksums can give away whether the responder is a host or a router/firewall/network IDS [CPNI]
  • TCP port scanning attack [CPNI]

  7. TCP Port Scanning
  • In port scanning an application (the attacker) probes a server or host for open ports
    • used by administrators to verify the security policies of their networks (nmap)
    • used by attackers to identify running services on a host with a view to compromising it
  • Connection attempts provide insight into which ports (applications) are active (active ones will complete the handshake)
  • Mechanism
    • The simplest port scanners use the operating system's network functions. The attacker uses the connect() system call. If a port is open, the operating system completes the TCP three-way handshake, and the port scanner immediately closes the connection.
    • The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the connection before the handshake is completed. If the port is closed but unfiltered, the target will instantly respond with a RST packet. (Port scanning is hidden
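Slide 7 describes the connect() and half-open (SYN) scan mechanics from the scanner's side. The following Python is an added example, not part of the slides, that shows the same handshake outcomes from the defender's side: it replays constructed flow records, labels each client attempt by how its handshake ended (completed, aborted with RST after SYN-ACK, refused, or unanswered), and counts how many distinct ports each source touched. The record format, the addresses and the min_ports threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records in arrival order: (src, sport, dst, dport, flags).
# 10.0.0.9 behaves like a SYN scanner; 10.0.0.7 is an ordinary client.
SAMPLE_RECORDS = [
    ("10.0.0.9", 51000, "10.0.0.2", 22,   "S"),
    ("10.0.0.2", 22,    "10.0.0.9", 51000, "SA"),
    ("10.0.0.9", 51000, "10.0.0.2", 22,   "R"),    # RST instead of the final ACK: half-open probe
    ("10.0.0.9", 51001, "10.0.0.2", 23,   "S"),
    ("10.0.0.2", 23,    "10.0.0.9", 51001, "RA"),  # port closed and unfiltered
    ("10.0.0.9", 51002, "10.0.0.2", 80,   "S"),
    ("10.0.0.2", 80,    "10.0.0.9", 51002, "SA"),
    ("10.0.0.9", 51002, "10.0.0.2", 80,   "R"),
    ("10.0.0.9", 51003, "10.0.0.2", 8080, "S"),    # never answered: filtered
    ("10.0.0.7", 40000, "10.0.0.2", 80,   "S"),
    ("10.0.0.2", 80,    "10.0.0.7", 40000, "SA"),
    ("10.0.0.7", 40000, "10.0.0.2", 80,   "A"),    # handshake completed (connect() style)
]


def classify_handshakes(records):
    """Replay records; label each client attempt (client, cport, server, sport) by outcome."""
    state = {}     # attempt -> "syn" (SYN seen) or "synack" (server replied SYN-ACK)
    outcome = {}
    for src, sport, dst, dport, flags in records:
        fwd = (src, sport, dst, dport)     # this packet's own direction
        rev = (dst, dport, src, sport)     # the attempt it answers, if sent by the server
        if "S" in flags and "A" not in flags:
            state[fwd] = "syn"
            outcome[fwd] = "no-answer"
        elif "S" in flags and "A" in flags and state.get(rev) == "syn":
            state[rev] = "synack"
            outcome[rev] = "open-unfinished"
        elif "R" in flags:
            if state.get(rev) == "syn":              # server refused: closed port
                outcome[rev] = "closed"
                state.pop(rev)
            elif state.get(fwd) == "synack":         # client aborted a port it learned was open
                outcome[fwd] = "open-halfopen"
                state.pop(fwd)
        elif "A" in flags and state.get(fwd) == "synack":
            outcome[fwd] = "open-connected"
            state.pop(fwd)
    return outcome


def scan_summary(outcomes, min_ports=3):
    """Per source: distinct destination ports touched, outcome counts, and a scanner flag."""
    per_src = defaultdict(lambda: {"ports": set(), "outcomes": defaultdict(int)})
    for (src, _, _, dport), label in outcomes.items():
        per_src[src]["ports"].add(dport)
        per_src[src]["outcomes"][label] += 1
    return {src: {"ports": len(v["ports"]),
                  "outcomes": dict(v["outcomes"]),
                  "suspicious": len(v["ports"]) >= min_ports}
            for src, v in per_src.items()}
```

The "open-halfopen" label is the signature of the SYN scan on slide 7: the client learned the port was open and sent RST rather than finishing the handshake. A source that accumulates many such labels, or many distinct ports, across a short window is what an IDS rule keys on.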

  8. Protocol Based Denial of Service Attacks
  • TCP state and timer exploitation [CDI, CPNI]
  • 3-way handshake exploitation
  • FIN-WAIT-2 flooding [CPNI]
  • Simultaneous connection establishment exploitation [CDI]
  • Session usurpation with SYN guessing [DJ]
  • Session shutdown [DJ]
  • Congestion control exploitation [CPNI]
  • Buffer exploitation [CPNI]
  • Automated buffer tuning exploitation [CPNI]
  • Window size zero probe exploitation

  9. TCP State and Timer Exploitation
  • TCP has several timers associated with its states; some states do not have timers
    • Connection establishment timer
    • FIN_WAIT timer
    • TIME_WAIT timer
    • KEEP_ALIVE timer
  • The KEEP_ALIVE timer can be used to stall a connection when no data is sent (at least 2 hours) [CDI]
  • Absence of timers for certain states
    • Can keep a host in some states “in certain conditions” indefinitely
    • Example: the SYN+FIN bits can be set together to get a host stalled in the CLOSE_WAIT state, which has no timer associated with it [CDI]

  10. FIN-WAIT-2 Flooding
  • The attacker establishes a large number of connections and, when the server tries to close them, never completes the close on its own side, leaving the server in the FIN-WAIT-2 state

  11. Simultaneous Connection Establishment Exploitation http://www.tcpipguide.com/free/t_TCPConnectionEstablishmentProcessTheThreeWayHandsh-4.htm

  12. 3 Way Handshake Exploitation: SYN Flood Attack http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-4/syn_flooding_attacks.html

  13. Session Usurpation with SYN Guessing
  • Pre-conditions
    • Forged IP address
    • Return communication has to be visible (if not, it is called a blind attack)
    • Situated in the network, or traffic routed through, such that sniffing (offline or inline) is possible
    • The expected SYN has to be used
    • SYN sniffing or guessing is needed
  • More successful when the legitimate host is offline or brought offline

  14. Session Shutdown
  • Requires the attacker to be on the communication path between the hosts
  • Anatomy
    • Situate in the path of both sender and receiver
    • If not in the path, can conduct “blind attacks” by guessing parameters
    • Monitor the flow
    • Send RST to both ends after connection establishment, masquerading as each end

  15. Congestion Control Exploitation
  • The congestion window increases according to the number of ACKs received. Hence the victim sender’s congestion window can be illegitimately increased (and with it the data transmission rate toward the attacker) by
    • ACK Division Attack: sending multiple separate ACKs covering different parts of the same segment, so the sender counts more ACKs than segments it has delivered
    • DupACK Forgery: sending multiple duplicate ACKs covering the same data
    • Optimistic ACKing: sending ACKs for data not yet received
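Slide 15 turns on one detail: whether the sender grows its congestion window per ACK received or per byte acknowledged. The Python below is an added example, not from the slides or their sources, that models only that update for a sender in slow start. It shows the per-ACK rule beside the byte-counting rule (RFC 3465 appropriate byte counting with L = 2) under an ACK-division pattern, and rejects optimistic ACKs that cover data never sent. The MSS value, initial sequence number and class names are constructed for the example.

```python
MSS = 1460   # constructed maximum segment size


class Sender:
    """Minimal slow-start sender that models only the ACK-driven cwnd update."""

    def __init__(self, iss: int, byte_counting: bool = True):
        self.snd_una = iss            # oldest unacknowledged sequence number
        self.snd_nxt = iss            # next sequence number to send
        self.cwnd = MSS               # slow start begins at one segment
        self.byte_counting = byte_counting
        self.rejected = 0             # ACKs discarded as impossible

    def send(self, nbytes: int) -> None:
        self.snd_nxt += nbytes

    def on_ack(self, ack: int) -> None:
        if ack > self.snd_nxt:        # optimistic ACK: acknowledges data never sent
            self.rejected += 1
            return
        newly_acked = ack - self.snd_una
        if newly_acked <= 0:          # duplicate or stale ACK: no window growth here
            return
        self.snd_una = ack
        if self.byte_counting:
            # RFC 3465 appropriate byte counting (L = 2): growth follows bytes, not ACK count
            self.cwnd += min(newly_acked, 2 * MSS)
        else:
            self.cwnd += MSS          # classic per-ACK growth: exploitable by ACK division


def run_ack_division(byte_counting: bool, pieces: int = 10) -> int:
    """Send one MSS, then feed back `pieces` ACKs that each cover a slice of it
    (the ACK-division pattern). Returns the resulting cwnd in bytes."""
    s = Sender(iss=1000, byte_counting=byte_counting)
    s.send(MSS)
    step = MSS // pieces
    for i in range(1, pieces + 1):
        s.on_ack(1000 + (MSS if i == pieces else i * step))
    return s.cwnd


def run_optimistic_ack() -> tuple:
    """An ACK beyond snd_nxt is rejected and leaves cwnd untouched."""
    s = Sender(iss=1000)
    s.send(MSS)
    s.on_ack(1000 + MSS + 1)
    return s.rejected, s.cwnd
```

With per-ACK counting, ten ACKs for one segment grow cwnd by ten segments; with byte counting they grow it by exactly the one segment that was actually delivered. The optimistic-ACK check is the cheapest defence on the slide: an ACK number above snd_nxt cannot be legitimate, so it is discarded before it can influence the window.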

  16. Buffer Exploitation
  • Buffering requested large data
    • Requesting large data from the victim server and then dropping/stalling the connection
    • Doing this numerous times exhausts the server’s send buffer and denies service to legitimate connections
  • Buffering out-of-order data
    • Intentionally sending out-of-order segments repeatedly can tie up the receiver's buffer

  17. Automated Buffer Tuning Exploitation
  • Sending
    • Making a connection with the victim host to increase its congestion window size (legitimately or illegitimately, as in the congestion control attack), which in turn increases its send buffer size
    • Tying up the increased send buffer of the victim by advertising a zero window (as in the sockstress attack) or not acknowledging data
  • Receiving
    • Sending a large amount of data to the victim receiver will increase the victim's receive buffer size, as it depends on the data received in a round trip
    • Intentionally leaving empty space at the beginning of the buffer will prevent it from being purged and keep it occupied needlessly

  18. Window Size Zero Probe Exploitation
  • One type of sockstress attack
  • Anatomy
    • The attacker sends an HTTP GET request for a large page and then sets its window size to zero
    • The server keeps sending zero-window probes
    • The probes are acknowledged by the attacker but the window size is never reopened
    • The server is left hanging with data that consumes its local resources
  • http://tools.ietf.org/html/draft-ananth-tcpm-persist-01
  • http://www.kb.cert.org/vuls/id/723308
  • http://en.wikipedia.org/wiki/Sockstress
  • http://www.checkpoint.com/defense/advisories/public/announcement/090809-tcpip-dos-sockstress.html

  19. Protocol Based Forgery Attacks
  • Session Hijacking
    • Situate in the path of the victim and the target
    • If not in the path, can conduct “blind attacks” by guessing parameters
    • Monitor the flow
    • Kill the victim’s connection
    • Pose as the victim to forge messages to the target

  20. General Countermeasures
  • Firewalls (stateful)
    • Monitoring and controlling per user, per connection, per process
    • Monitoring flags, number of ACKs, nature of ACKs, and number and state of SYN requests in order to filter
    • Setting limits on processes, hosts, networks, timers
  • Network IDS
    • Learning and applying patterns
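Slides 9, 10 and 18 all exploit states that plain TCP leaves unbounded (no timer, or a persist loop the peer keeps alive), and slide 20 answers with limits on hosts and timers. The Python below is an added example, not from the slides or their sources, of a server-side connection table that applies both: an idle timeout for the states that lack one in TCP itself (SYN_RECV, FIN_WAIT_2, CLOSE_WAIT and a PERSIST state for zero-window peers) and a per-peer cap on how many entries one address may hold in those states. The timeout values, the cap values, the state names and the addresses are constructed for the example.

```python
from collections import defaultdict

# Constructed policy (not from the slides): idle limits for states that plain TCP leaves
# unbounded, and per-peer caps on the stalled states an attacker can pile up.
STATE_TIMEOUTS = {"SYN_RECV": 30.0, "FIN_WAIT_2": 60.0, "CLOSE_WAIT": 60.0, "PERSIST": 60.0}
PER_PEER_LIMITS = {"SYN_RECV": 4, "FIN_WAIT_2": 2, "PERSIST": 2}


class ConnTable:
    """Server-side connection table: remembers when each peer entered its current state."""

    def __init__(self, timeouts=STATE_TIMEOUTS, limits=PER_PEER_LIMITS):
        self.timeouts = timeouts
        self.limits = limits
        self.entries = {}   # (peer_ip, peer_port) -> [state, entered_at]

    def set_state(self, peer_ip, peer_port, state, now):
        self.entries[(peer_ip, peer_port)] = [state, now]

    def count(self, state):
        return sum(1 for s, _ in self.entries.values() if s == state)

    def sweep(self, now):
        """Evict (1) entries idle in a timed state past its limit and (2) the oldest
        entries of any peer holding more than its cap in a capped state."""
        evicted = []
        for key, (state, since) in list(self.entries.items()):
            limit = self.timeouts.get(state)
            if limit is not None and now - since > limit:
                evicted.append(key)
                del self.entries[key]
        per_peer = defaultdict(list)
        for key, (state, since) in self.entries.items():
            if state in self.limits:
                per_peer[(key[0], state)].append((since, key))
        for (_peer, state), lst in per_peer.items():
            lst.sort()                                   # oldest first
            for _, key in lst[:max(0, len(lst) - self.limits[state])]:
                evicted.append(key)
                del self.entries[key]
        return sorted(evicted)


def demo_flood():
    """One peer parks five connections in FIN_WAIT_2, another sits in zero-window persist,
    a third is a normal established client. Returns both sweep results and the survivors."""
    t = ConnTable()
    for i in range(5):
        t.set_state("10.0.0.9", 50000 + i, "FIN_WAIT_2", now=float(i))
    t.set_state("10.0.0.8", 41000, "PERSIST", now=0.0)
    t.set_state("10.0.0.5", 40000, "ESTABLISHED", now=0.0)
    first = t.sweep(now=10.0)    # caps bite immediately: the oldest three FIN_WAIT_2 entries go
    second = t.sweep(now=100.0)  # timers bite: the remaining FIN_WAIT_2 and the persist entry go
    return first, second, t.count("ESTABLISHED")
```

The established client survives both sweeps because ESTABLISHED carries neither a timeout nor a cap; the flooding peer loses entries first to the per-peer cap and then to the timer, which is the order in which a stateful filter limits a single host before the timers catch up.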

  21. Bottom Line
  “TCP is not (and is not intended to be) a secure protocol; If you need security, it should be provided above or below the TCP Layer” (Steven Bellovin)

  22. SSL/TLS [BF]
  • Secure Sockets Layer / Transport Layer Security
  • Application/transport layer security
    • Web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP)
  • Can serve any higher-level application protocol
  • Usually used with HTTP to form HTTPS
  • Provides security for the transport layer
  • Current Internet protocol version: TLS
    • Compatible with SSL 3.0

  23. SSL Services
  • Provides confidentiality, integrity, and authentication of endpoints (mutual authentication)
    • Symmetric-cipher-based message encryption for confidentiality
    • Message authentication code for integrity
    • Public-key-encryption-based key exchange
    • Certificate (X.509) based authentication
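Slides 21 to 23 make the point that the security TCP lacks is supplied above it by TLS, and that the endpoint-authentication service only holds when the certificate checks are actually enabled. The Python below is an added example using the standard library ssl module, not code from the slides or [BF]: it shows a weak client context beside a hardened one, a server context configured for the mutual (client-certificate) authentication slide 23 mentions, and a small audit that reports which of the listed services a context fails to guarantee. The certificate file paths in the server helper are placeholders, and the audit labels are constructed for the example.

```python
import ssl


def weak_client_context() -> ssl.SSLContext:
    """What a careless client often does: disable hostname and certificate checks,
    which leaves encryption in place but drops endpoint authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """X.509 endpoint authentication against the system CA store, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()           # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def mutual_auth_server_context(certfile: str, keyfile: str, client_cafile: str) -> ssl.SSLContext:
    """Server side of mutual authentication: present our certificate and require the
    client to present one signed by client_cafile. Paths are placeholders supplied by the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED          # a client without a valid certificate is refused
    ctx.load_verify_locations(cafile=client_cafile)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Name the slide-23 services this context does not guarantee."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("no-endpoint-authentication")   # peer certificate never validated
    if not ctx.check_hostname:
        problems.append("no-hostname-binding")           # any valid certificate is accepted
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("legacy-protocol-versions")
    return problems
```

A context that fails the first two checks still encrypts, so traffic inspection shows TLS and nothing looks wrong on the wire; only the audit of the context (or of the code that builds it) reveals that an on-path party can present any certificate and be accepted.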
