Friday, February 25, 2011


When TCP/IP was designed, there was no provision for security. Therefore, there was no automatic encryption, and neither was there encryption. The concern was only how to get data from one point to the other. The original Internet is small, and everyone trusted everyone else.
No automatic encryption means that data in packets are sent in cleartext. Anyone who captures this packet can see what's in it. It's like a postcard.

No authentication means that packets can have spoofed IP and MAC addresses and there is no way to verify them.

The designers did not implement security features because they did not expect that the mechanisms designed to handle service requests could also be used to expose servers to hijack attempts, compromise or mangling their data and services.

If asked, the vulnerability of TCP/IP is the lack of automatic encryption and authentication.

We'll now go through the different attacks starting from Layer 4. Layer 4 is vulnerable to things like SYN Flooding, Sequence Number Prediction and UDP Flooding.

A half-open connection is a three-way handshake with the missing third part. It lasts for a length of time (timeout) before it is torn down. Attackers may send many SYN requests to the victim using spoofed source IP addresses. The victim would reply to a spoofed location, and would allocate resources for each half-open connection until resources are exhausted.

Defense against SYN flooding can be to decrease the timeout, disable non-essential services, using IDS/IPS and to reduce the maximum number of half-open connections (thus using less RAM so it would not result in crashing).

Attackers can also hijack a connection through sequence number guessing. If they can predict the sequence number, then they can take over an existing TCP session. Packets from the victim would then be invalid as the sequence number would have been different by then. Sequence numbers can be predicted depending on the destination system.

The defense for sequence number prediction is to randomize the ISN.

Another attack is the UDP flooding in which millions of UDP packets are sent to the victim. The victim would not cope and would crash. As usual, the defense would be to implement IDS/IPS.

Now we move on to Layer 3 attacks. Layer 3 attacks focus mainly on the routing portion. Routers maintain a routing table to decide the route a packet goes to, and if we can attack that table, we can send packets to wrong destinations.

As RIP is not encrypted, hosts can sniff a router's routing updates as part of reconnaissance. RIPv1 also does not have an authentication mechanism, so hosts can query routers using RIP request packets. RIPv1 is also susceptible to forged routing updates and attackers can modify a network's routing table. This can be used to redirect an existing connection to somewhere else (for hijacking) or would be able to cause DoS due to wrong routing information. If the targeted system is a website, the victim may find themselves at a bogus site.

Defenses against RIP attacks may be to authenticate RIP packets, and to block updates about local networks. RIP packets can also be encrypted via an encryption suite such as IPSec.

ICMP's lack of authentication also makes it a candidate for abuse. ICMP messages such as forged redirects, unreachable or TTL-exceeded messages can cause a valid connection to be dropped. Using redirects, attackers can also cause hosts to use a bogus route to intercept or hijack a connection.

Redirects can be used to make unsolicited change to the host's routing tables, and the result is similar to a RIP attack. ICMP can also be used to perform DoS attacks either through the previously mentioned Unreachable and TTL-messages or even through sophisticated attacks like the Smurf attack.

A defense can be to disable processing of Redirects on hosts, disabling forwarding of Redirects on routers, and to check if ICMP messages from a host are consistent (ICMP-snooping).

Finally we go into the Layer 2 attacks. The most common Layer 2 attack is the ARP spoofing. The problem with ARP is that it allows Gratuitous ARPs which is essentially an ARP Reply sent without a ARP Request. Any system can create a Gratuitous ARP, and any system can spoof a reply to an ARP request.

If requested, the reply would overwrite an existing entry or add a new one if it does not exist. If not requested, an ARP Reply can only be used to modify an existing entry.

By providing a non-existent MAC address in the reply, or the wrong host, an attacker can perform a DoS or a MITM attack. The Gratuitous ARP must be sent continuously to make sure that the entry does not expire.

If Host A requests for Host B's MAC in an ARP reply, and no malice is involved, Host B would reply with his IP and MAC.

However, if Host B is offline, and Host C is up to mischief, then Host C would reply with Host B's IP but Host C's MAC. This would cause all packets for Host B to go to Host C as long as the ARP entry doesn't expire.

ARP Spoofing is simple and powerful, but it is limited to a local network. The attacker needs to be in the same LAN segment as the victim to perform this attack.

Defense for ARP can be to resolve through a centralized server, or to make switches perform ARP-snooping (verification of ARP requests/replies) and to enter the ARP entries manually.

Finally we go to the Physical attacks. Physical Attacks are usually tangible attacks such as cutting of a wire.

Defense for physical attacks would be to restrict access to important areas, to implement access schemes (e.g. card or PIN access), to lock up and hide equipment, and to implement surveillance (serves also as deterrence).

No comments :

Post a Comment