TCP/IP Security Threats and Attack Methods - Report Example

? CHAPTER INTRODUCTION 1 What is TCP/IP? In simple terms, an organization of digitalized messaging formats and how they should be propagated to and fro within computers and other methods of telecommunication is generally known as a ‘communication protocol’. Now, various communication protocols are amalgamated together to form a set through which networks such as the ‘Internet’ function. The ‘Internet Protocol Suite’ is one such set of communication protocols and is popularly known as TCP/IP. The name, ‘TCP/IP’ is derived from two of the most integral protocols within the suite and stands for: the Transmission Control Protocol (TCP) and the Internet Protocol (IP). The position of the TCP within the Internet Protocol Suite is limited to its ‘Transport layer’. The provision of a cloud of bytes from a specific computer’s program to another computer’s program is the advantage that TCP enjoys over other protocols. Prominent applications linked with the internet, such as the World Wide Web, email service, remote administration and transferring of files all rely heavily upon the TCP. In places where the reliability factor of the data stream service is not so relevant as compared to other features such as reduced latency, it is common to witness the use of User Datagram Protocol (UDP). IP is the key protocol which can be found within the Internet Layer of the Internet protocol suite and its functions include using addresses of different hosts to transmit datagrams from a source to its destination. Now the TCP/IP model which was created in 1970 by Defense Advanced Research Projects Agency (DARPA) an agency of the United states department of defense, provides some basic guidelines and utilization of network protocols which make computers able to use a network for their communication. Other than showing how the data should be formatted and addressed while providing end-to-end connectivity, the TCP/IP not only directs the process through which it should be transmitted, but also how it should be routed as well as received at its destination. The TCP/IP has a system of four abstraction layers which begin with the link layer, followed by the internet layer, the transport layer, and ending with the application layer. LAYERS IN THE TCP/ IP MODEL Like any other networking protocol, the TCP/IP networking model consists of layers, where each is generally responsible for a specific purpose of communication. The TCP/IP is a 4-layer system and each layer beginning from the lowest level is briefly described below. Link Layer According to Stevens (1) the Link Layer is known by various other names, including Data-Link Layer as well as Network interface Layer. The device driver in an operating system as well as the network interface card which has been inserted for it into the computer, all come under the link layer (Stevens, 1). All hardware details such as the physical connection with the cables are controlled by these two elements. Internet Layer Stevens (1) explains the Internet layer (also known as the network layer) as controlling how packets are moved from one place to another within a network. The process of transferring data from one network to another is known as ‘routing’ and this process take place in the internet layer. Stevens (1) states that the network layer in the TCP/IP protocol suite is provided by 3 distinct protocols known as the IP (Internet Protocol), ICMP (Internet Control Message Protocol), and IGMP (Internet Group Management Protocol). Transport Layer The job of the transport layer is to select two hosts within the application layer and inculcate a reliable flow of data between them (Stevens, 1). Two transport protocols are used within the TCP/IP protocol which are known as TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). There are several jobs of the transport layer and one of them includes making divisions in the data received from applications in order to shape them into desired amounts and pass on to the network layer. Noticing and appreciating incoming packets is another function of the transport layer, as well as making sure the senders of the packets also acknowledge the delivery sent. The reliability of this process by the transport layer takes off the pressure from the application layer which ignores such details. However the application layer receives a much simpler option from the UDP. Transfer of datagrams (another name for packets of data) is carried out starting from one host to the other, however no guarantee is provided regarding the receiving of the datagrams. It is the job of the application layer to insert any desired level of reliability. Application Layer According to Stevens (2) the application layer is the highest level amongst fellow layers and deals with particular applications. Various TCP/IP applications are involved here, such as For the purpose of remote login, ‘Telnet’ is used FTP, the File Transfer Protocol SMTP, the Simple Mail Transfer protocol, for electronic mail SNMP, the Simple Network Management Protocol CHAPTER # 2: CRITICAL REVIEW 2.1 The attack methods used against the TCP/IP? There are several issues which have troubled the TCP/IP system in the past as well as in the present. In this chapter, we will talk about the obstacles faced by TCP/IP and how they can be overcome through the preventive measures which offer the best of solutions. 2.1.1 Issues with Routing One of the most common issues of protocol based attacks are the ones meddling with routing mechanisms and protocols themselves. Various ways exist for accomplishing this, if the details of the specific routing protocols becomes available. Few of the attacks related to the field of routing are only successful incase source address-based authentication is carried out by the remote host. The error of ‘denial of service’ achieved through misjudging routing tables on a host or gateway, is one of the main obstacles which can be brought by the attacks mentioned below. 2.1.1.1 Source Routing Source routing is amongst the few mechanisms which can be tampered with most effortlessly. For example if a TCP open request for return traffic, has a source route being utilized reversely by a certain target host, the path needs to be consistent in order to deliver the replies to the originator. This permits attackers to select any IP source address of their choice, no matter even if it is a trusted machine located on the local network of the target. The attacker can access whichever facilities available to machines on such a network. 2.1.1.1.1 Preventive measures for the Source Routing Whenever information regarding source routing is present, it is an easier option to ignore all pre-authorized connections. Beginning with an analysis of the source route and accepting it only on the condition that trusted gateways were provided could be another alternative to ignoring all pre-authorized connections. This is so because the delivery of the packet to the authentic destination host becomes highly certain once trusted gateways are posted. The r –utilities have introduced newer versions where source-routed connections are rejected all together (Steven, 6). However they leave a flaw open, since even after rejecting the connection attempt, they do permit ACK packets to return; which allows attackers to perform a sequence number attack. As a protective measure source routed packets are rejected at border routers and this style has been adopted as a common configuration nowadays. 2.1.1.2 Routing Information Protocol Attacks Steven (6) explains that a protocol is used to deliver routing information over a local network, and is known as the Routing Information Protocol. Steven (6) provides broadcast media as an example to support his previous claim. Since usually there is no checking put in place regarding the information received, this gives an attacker an opportunity to pretend as a certain host, by selecting a target and bombarding it with bogus information and doing the same to each and every gateway intercepted throughout this path. An example of such an attack could be stealing the packets of a certain unused host, by selecting it and accessing the route to it. After this attack, protocols which depend on address-based authentication become vulnerable. Greater damage could be incurred through this procedure as well, considering if the attacker gets access to the route of an active host, where sensitive information is being carried out. The packets intended to be received by that host, would be diverted towards the attacker’s machine. This flaw could result in the exposing of passwords towards extremely sensitive data. 2.1.1.2.1 Preventive measures for the Routing Information Protocol Attacks In comparison to source-routing attacks, it is more easier to defend against RIP attacks, assuming that they share some defenses. One of the ways of dealing with RIP issues is to introduce ‘paranoid gateway’ into the mix. According to Steven (7) all kinds of host spoofing, even TCP sequence number attacks can be defended against through paranoid gateways since they use either source or destination address to confirm the path of the packets. However other methods of defenses against RIP issues are also in use. One way is to disregard any packets whose source address cannot be verified or is found to be fake. According to Steven (7) very few ISPs follow this technique even after various recommendations. Furthermore, Steven (7) suggest the TTL Security Hack to be another defensive method, since off-link packets lessen the TTL on contact with any router, therefore sending on-link packets with a TTL of 255 helps this issue. 2.1.1.3 The Internet Control Message Protocol Steven (8) states that the TCP/IP protocol suite have a few basic network management tools and the Internet Control Message Protocol (ICMP) was one of them. The ICMP Redirect message is the easiest target since hosts are notified of desired routes by gateways through this message. To explain further, Steven (8) gives an example, that rather than accessing the primary gateway leading toward a target host, an attacker penetrates a secondary gateway and installs an incorrect route towards trusted host T through the secondary gateway. He can then send an incorrect TCP open packet (under the guise of a correct packet) to the target host and give the impression that it is from T. A usual response from the target to a provocation of this kind would be to allow routing its own open packet through the primary gateway which is secure up till now. Before this procedure of routing through primary gateway is completed, a diversion can be made toward the bogus connection under the impression that it’s from the primary gateway. Since the legitimacy of this control message would seem authentic due to the packet, therefore routing diversion would be created. In order to spoof Host T over here the target host will not just need to do this procedure with , if its per-connection cached routes but also towards its global routing tables. 2.1.1.3.1 Preventive measures for the Internet Control Message Protocol One of the most straightforward ways to prevent a large number of attacks is if hosts are careful enough to trust only those messages which refer to specific connections. If it is ensured that the ICMP packet contains a realistic sequence number in the number of packet returned, this can solve the issue as far as TCP is concerned. However such checks do not work so well with UDP as well. Preventive measures against redirect attack are more worthy of attention for the serious damage they can cause. Steven (9) considers that the ICMP Redirect messages should not cause modifications in the global routing table, which explains that the best bet is that changes in routes to the specified connections should be restricted. Last but not the least, it should also be given a thought whether ICMP redirects should even be carried out in front of the environment of the current era. Only local networks which have multiple gateways can run ICMP Redirects. A good point is witnessed here nonetheless that maintaining accurate local routing information is comparatively easy with this configuration. If the journey of the Redirect messages passes through core gateways and further onto local exterior gateways it would be better since local gateways would receive a large amount of knowledge of the Internet this way. 2.1.2 SYN flooding Harris and Hunt (887) explain that when the incoming incomplete connection requests are more for the servers to be able to comfortably handle, SYN flooding occurs. The 3-way handshake is the name of the 3 step process which is required when under normal circumstances a TCP connection is to be utilized for the exchange of data between hosts. When the server’s reception of the TCP ACK flag is upset, it is the main aspect which halts the completion of a 3 way handshake, and this is the working of an SYN flood attack. When the last ACK packet is about to leave the port of a server in a half-open state, it is the SYN Flood attack which withholds it here, and this is uncommon in a TCP connection request. Since individual TCP ports can support a lot of half-open connections, whenever the number of half-open connections is limited, an SYN flood attack becomes successful. Until the requests which are in pending time out, all the connection requests that are received thereafter to the server will be disallowed, whenever the amount of half open connections becomes too much. After 75 seconds however, a denial-of service condition is created and all requests are erased. A lot of SYN requests are needed to be received at the TCP port which is being targeted by the attacking host in order to initiate the SYN flood attack. The Telnet daemon is one such TCP port, and this procedure is carried out by the attacker host who wished to exhaust all of the simultaneous connection requests (backlog) queue of the TCP port. What this exhaustion does is that it permits lining up of connection request to a server at a later time for initiation. This is possible through a memory structure which stores the details of each connection request that lies in pending. Unless this queue is stopped an attacker could be given the opportunity to initiate as many connection requests upon a TCP port as he wishes and eventually the entire memory pool of the server can be compromised- this usually leads to a denial-of service attack! Since the target host will be sending its response to a source IP-address, it is the working of the attacker host to upset this address to resemble it like a routable but unreachable host. ICMP has dictated IP in this regard to notify TCP of the unreachable status of the intended host, however TCP will reroute such packets back to IP since according to TCP such issues are temporary and ignores them. Lastly in order to successfully carry out the attack, it is pertinent that no other host receive the SYN/ACKs incoming through the target host, and this is only possible if the IP destination address is unreachable. 2.1.2.1 Preventive measures for the SYN Flooding The SYN Flood attack can be defeated in a number of ways. One of the foremost is the job of the ISPs who can avoid this problem all together by identifying all IP packets which lack internal addresses and prohibit them from being connected to the internet. This would diminish chances of anonymity as attackers would have no choice but to use a prominent IP source address to send packets and this would trace the owner’s identity immediately. There are other prevention steps as well, and changing the network options of the operating system or activating tools used for any intrusion detection can also be used. One of the ways to do this could be by noting down details of the source address used by connection requests, such as the TTL, sequence numbers and sizes of windows, etc. Keeping an eye on such aspects would notify if something was wrong, and result in the making of new connections by sending an RST. Other methods pertain to increasing sizes of the remaining connection requests and ridding connection requests which are half-open whenever the queue has reached its full limit. 2.1.3 IP Spoofing, TCP Sequence number prediction, TCP session hijacking 2.1.3.1 IP Spoofing Whenever an attacker pretends to be a host or fakes to be a legitimate user, such an attack is known as IP spoofing and is carried out at the IP layer. In order to make this attack work a trust-relationship needs to be present between a target host and any other host. A file known as the ‘.rhosts’ is one of the widely used for building trust-relationship and is usually spotted on operating systems running Unix. Generation of an IP datagram with a tampered source address is all an attacker really needs to do to successfully perform IP spoofing. Harris and Hunt (888) explain that if RAW-Sockets are used an IP datagram can be created. Judging that an IP datagram has become compromised is not possible by the target host as he only has the IP source address to rely on. Attacks on the IP layer such as SYN flooding, ICMP redirects and ping flooding amongst many others are the kinds of attacks where an attacker can be supported with an anonymous identity thanks to IP spoofing. Once an attacker has combined IP spoofing with TCP sequence number prediction he can attack trust-relationships which would give the attacker the ability to send application data to the target host. 2.1.3.2 TCP Sequence number prediction Knowing the facts that TCP is a sequenced data delivery protocol and that IP datagrams contain TCP segments within them, attackers are able to compromise TCP Sessions through the use of the TCP sequence number prediction. The assumed benefit of the TCP protocol was that it utilized sequence numbers which maintains the order of the data sent to the application layer, and thus this maintains a uniform and disciplined stream of data transfer. However the vulnerability which was overlooked here was that if sequence numbers could be predicted by attackers they implement their own TCP segments which could intrude into the TCP layer of the target host. Figure. 1 ? ? In a normal, TCP 3-way handshake an exchange of data can place between clients and servers by following the steps shown in the Fig. 2 above. According to Harris and Hunt (888) TCP spoofing attacks can be carried out in two ways; Non-Blind Spoofing: Knowing that IP datagrams contain TCP segments, access to IP datagrams gives the attacker access to sequence numbers as well when he lies on the same network path as the host he has spoofed as well as the target hosts. Blind Spoofing: In this scenario since the attacker does not lie on the same network path as the host he has spoofed as well as the target hosts therefore getting sequence numbers is not so easy for the attacker. Therefore the TCP sequence number can only be revealed to the attacker through wild guessing. 2.1.3.3 TCP session hijacking A connection can be taken over with the help of sending a successful TCP segment, but this requires that attacker reserves a sequence number. Once a connection is under the control of an attacker, he can make sure that the target host ignores all the packets sent by the spoofed host because the attacker has tampered with the correct sequence numbers. From an attacker’s perspective a telnet session is the most prone to TCP hijacking because all telnet does is pass data streams between clients and their servers. This makes the hijacking easier for the attacker since inserting desired commands into the spoofed TCP data segments is all this is required to be done. The server is fooled into executing the TCP segment as if a legitimate user is typing commands. 2.1.3.4 Preventive measures for all the 3 issues above As discussed above, if organizations kept a watchful eye over the internet access they provided issues such a IP spoofing, TCP spoofing, as well as TCP session hijacking would not materialize. If only IP datagrams with non- internal source addresses could be stopped right at their networks from having access to the Internet the attacks mentioned above can be completely avoided. However since Internet access is generally left unregulated therefore other methods of protection against such threats have been provided in this section. Until or unless extremely strong authentication and cryptography has been put in place all trust relationships should be banned including files such as the .rhosts as hosts communicating over the internet open a lot of doors towards attacks. Then again firewalls should be put in place which effectively monitor which IP datagrams have access to the internet. Internal source addresses should be kept within a network and away from the internet, and the outer source addresses should be kept away from the networks, vice versa. 2.1.4 Ping O’ Death The transmission of delivering an ICMP echo request message and receiving an ICMP echo vice versa is the procedure through which the activity of a host is identified by a Ping program. The Ping O’ Death attack occurs due to two factors; when more than 65 507 octets of data are sent through an echo request datagram and when IP fragmentation is carried out in a specific way. Through IP fragmentation it is possible to send more than 65 507 octets of data which causes internal overflow of the variables and result in system crashes, reboots, kernel dumps among other issues. It is quite simple to initiate this attack since only the following command from Windows 95: . ping-l 65510 your.host.ip.address is needed to launch it on the mentioned operating system. 2.1.4.1 Preventive measures for the Ping O’ Death According to Harris and Hunt (892) patching the operating system is the best defense against this form of attack, and has been carried out in all the systems which were introduced into the markets after 1996. In case a shortage of patches is observed, another defense which can be used against the Ping O’ Death is blocking it with the help of a firewall. However it is advised to block only specific pings such as the fragmented pings otherwise the functioning of certain applications could be altered if some specific ping messages such as 64-byte Pings are blocked. 2.1.5 Threats to standard TCP/IP services A number of highly popular application include TCP/IP to support their operations. It’s natural to expect that such services would carry certain vulnerabilities with them as well. The applications mentioned in this section belong to only two operating systems at the moment and they are Unix, and Windows NT. This section would educate about the problems that could be confronted by those making use of the Internet, Intranet, and Extranet networks and how to protect themselves against such threats. 2.1.5.1 Telnet Harris and Hunt (893) describe Telnet as an application which is not limited to the concern of the operating system used when initiating communication between any host. Users can utilize Telnet through logging in with their username and password as it is constituted over a character based terminal access. 2.1.5.1.1 Threats to Telnet The line of threats start immediately from the moment a user tries to login with the telnet. At the start of a new session, it is easier for attackers to pick sensitive information such as the username and password if they are monitoring the network and the telnet login packets sent over it. This is a serious flaw as telnet does not offer security to the transmission of login details of a user. A common feature in nearly all protocols is their predictability, which can be manipulated by an attacker by intercepting packets which contain sensitive information during a telnet session. Harris and Hunt (893) argue that if this threat right at the time login was not enough, another can be described as the corruption of the telnet program entirely by an attacker, which can note down sensitive information of users. 2.1.5.1.2 Solution of Telnet threats However Harris and Hunt (893) condole by informing us that secure versions of telnet are also present in the market to protect us from sniffing attacks. Such versions are better since they implement encryption on all of the sensitive information generated and processed over a specific telnet session and this makes the attacker helpless when sniffing information. 2.1.5.2 Fingers Harris and Hunt (894) further state that whenever information regarding users of a certain host is needed an application can be used to provide this information and is known as the finger protocol. It doesn’t seem to be too threatening since the basic use of the finger protocol is usually to determine the account names of user and their login behavior, ultimately resulting in the motive of sending mails to others. 2.1.5.2.1 Threats of Fingers The threats that the finger protocol poses is that it can provide attackers a route to record sensitive information, like account names and record login profiles. The benefit for the attacker to be aware of the login profiles is that he would know when the system administrator is unavailable so that he can perform an attack. Login profiles would inform any reader about the occasions of login and any personal files of the user’s which contain their sensitive information. One of the most threatening harms caused by this application is where denial-of-service attacks can be initiated against systems through the use of the “Finger Bomb”. Real harm can be caused as it has been known in the past that specific finger services redirect users to remote sites and eventually give them remote access of your computer. 2.1.5.2.2 Solution to the threats of Fingers There is no other way to fully protect oneself against this menace other than to disable the finger completely. If this cannot be done then the rights of finger should be restricted to only being able to receive the information which is incoming through secure databases. 2.1.5.3 Network file system (NFS) Harris and Hunt (894) state that crystal clear remote access can be provided to files which are shared over a network through the use of the NFS protocol as it is compatible with a wide number of machines, operating systems and network frameworks, as well as transport protocols. Harris and Hunt (894) explain that the Remote Procedure Calls is the feature used to achieve this compatibility with all the above mentioned different machine aspects. An added advantage of the NFS server is that it is stateless, which is uncommon with other clients as they retain state. This quality makes sure that an NFS access is provided if there are system reboots and or device failures. 2.1.5.3.1 Threats to the Network file system (NFS) File handles are the unique strings which identify all the files as well as directories on an NFS server. A usual occurring whenever NFS Servers are rebooted is that one or more root file handle gets intercepted by any client program and this usually happens at mount time. The incompetence of the NFS access controls is to be blamed behind this security lapse. Subversive programs such as the ‘trapdoor’ can be created and kept in search paths to avoid the real ones from being used, if file access controls are changed which becomes possible whenever the file system has been taken over. 2.1.5.3.2 Solution to the threats to the Network file system (NFS) The only solution which seems to be available is that as long as they do not receive a reply, clients of an NFS server will not stop sending requests in case an NFS server becomes unreachable. In this way even if an NFS server malfunctions, the functioning of the client is not upset. CHAPTER # 3: CONCLUSION It is quite clear that whatever issues and security breaches faced by the TCP/IP suite was due to the ineffectiveness of their security mechanisms. However it should not be forgotten, that provisions of fully secure and solid security mechanism were never offered by the TCP/IP suite so such flaws should have been expected. Nonetheless this report has provided various solutions that can be utilized without being too expensive on the pocket of the common user. The lack of expense can be explained through these facts that trust relationships are bogus and updating patches is a solution to rid TCP/IP of its problems in many occasions without any major expenses. Another important tip is for organizations to protect themselves by making sure ill-intentioned traffic does not get access to the internet. It has been reflected upon before that attacks such as SYN flooding and IP spoofing affect the IP and TCP and could be avoided by identifying the departure of IP datagrams whose source address are not in-sync with their networks. It is the inefficiency of such organizations that they fail to implement such basic rules an fall prey to such easily avoidable attacks before they strike. If patches are applied frequently to keep applications updated various vulnerabilities can be saved from being exploited. Lack of awareness regarding the ethics of using such systems, as well as weak implementations of the security policies are the main causes why organizations as well as home users fall prey to this menace. As far as the future is concerned, only time will tell how much damage can be caused by the latest WWW technologies such as the ActiveX controls as well as Java applets. Various TCP and IP implementations hope that their problems will be solved through the IPSEC and IPv6 in future. Nonetheless it is quite expected that weak implementation of applications as well as ill intentions of corrupt employees will not let the vulnerabilities expected in future to end anytime soon. WORK CITED PAGE Stevens, W. Tcp Ip Illustrated. Reading  MA: Addison-Wesley, 1994. Print. Steven, B. A Look Back at “Security Problems in the TCP/IP Protocol Suite”. AT&T Labs.Research. n.d Harris, B., and R. Hunt. “Tcp/Ip Security Threats and Attack Methods.” Computer Communications 22 (1999): 885-897. Web. 14 Oct. 2011. Read More