Lecture A.2: Security Problems in TCP/IP (presentation transcript; reference: "Security Problems in the TCP/IP Protocol Suite" by Steve Bellovin)


Slide 1: Lecture A.2: Security Problems in TCP/IP
- Reference: "Security Problems in the TCP/IP Protocol Suite" by Steve Bellovin
- R-services
- Source routing
- ARP attacks
- Session hijacking
- TCP session stealing

Slide 2: Security problems in r-services
- rsh and rcp use the .rhosts file in your home directory, which lists the hosts and accounts that are allowed access without a password.
  - The service itself is allowed (started) by /etc/inetd.
- Example .rhosts file:
    red.cs.umass.edu brian
    *.cs.umass.edu brian
    *
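The trust decision described above is simple enough to model directly. The following is an added example (not code from the lecture or from any rsh implementation): a small parser for the .rhosts format shown on the slide, a function that answers "would this remote user at this remote host be let in without a password?", and an audit helper that a defender can run over such files to find entries that trust every host or every user. It assumes the slide's semantics: a line with only a host means "that host, same user name as the local account", and it treats both the slide's `*` and the classic `+` as match-anything wildcards (an assumption; real rshd implementations differ in which wildcard they honour).

```python
import fnmatch

# Constructed sample .rhosts file, modelled on the slide's example entries.
SAMPLE_RHOSTS = """\
# trusted hosts and accounts (no password required)
red.cs.umass.edu brian
*.cs.umass.edu brian
*
"""

# The line a session-hijacking attacker appends (slide 6): any host, any user.
HIJACKED_RHOSTS = SAMPLE_RHOSTS + "* *\n"

# Assumption: both "*" (as on the slide) and "+" (classic BSD) mean "anything".
WILDCARDS = ("*", "+")


def parse_rhosts(text):
    """Parse .rhosts text into (host_pattern, user_pattern) tuples.

    A line with only a host means "that host, but only the same user name
    as the local account"; that case is recorded as user_pattern = None.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        host = parts[0]
        user = parts[1] if len(parts) > 1 else None
        entries.append((host, user))
    return entries


def _match(pattern, value):
    """Wildcard entries match everything; otherwise glob-match case-insensitively."""
    if pattern in WILDCARDS:
        return True
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_trusted(entries, remote_host, remote_user, local_user):
    """Would rshd let remote_user@remote_host in as local_user with no password?"""
    for host_pat, user_pat in entries:
        if not _match(host_pat, remote_host):
            continue
        if user_pat is None:                 # host-only line: same user name required
            if remote_user == local_user:
                return True
        elif _match(user_pat, remote_user):
            return True
    return False


def audit_rhosts(entries):
    """Defender check: list entries that trust every host and/or every user."""
    findings = []
    for host_pat, user_pat in entries:
        any_host = host_pat in WILDCARDS
        any_user = user_pat in WILDCARDS
        if any_host or any_user:
            findings.append((host_pat, user_pat, any_host, any_user))
    return findings


if __name__ == "__main__":
    entries = parse_rhosts(SAMPLE_RHOSTS)
    print(is_trusted(entries, "evil.example.org", "mallory", "brian"))   # False
    print(is_trusted(parse_rhosts(HIJACKED_RHOSTS), "evil.example.org", "mallory", "brian"))  # True
    print(audit_rhosts(parse_rhosts(HIJACKED_RHOSTS)))
```

Note that the bare `*` line in the slide's example already admits the same account name from any host; the `* *` line the hijacker appends on slide 6 removes the last remaining condition, which is exactly what `audit_rhosts` reports.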

Slide 3: Security problems in r-services
- Now that we know a machine is running rsh, how can we pretend to be another machine to gain access?
- Attack / Defense:
  - Source routing / ignore source routes
  - False routing table updates / secure routing protocols
  - Session hijacking / ssh, secure connection
  - ICMP redirects / ?
  - False ARP packets / publish ARP tables
  - TCP session stealing / ssh, secure connection

Slide 4: Security problems in r-services
- Exploiting trusted relationships: C is a trusted host to S
- Source routing:
  - IP source-route option
  - The responder includes the source route on the reply packets.
  - Some/most OSs ignore source routes these days.
- Open a TCP connection to rshd spoofing the address of a trusted host, but include yourself in the source route.
- Diagram (hosts C, S, X): 1. C->S: spoofed packet (source route includes X); 2. S's replies follow the recorded source route back through X.

Slide 5: Session hijacking
- Normal TCP operation from client C to server S:
  - C->S: SYN(ISN_C)
  - S->C: SYN(ISN_S), ACK(ISN_C+1)
  - C->S: ACK(ISN_S+1)
  - Client and server exchange data
  - ISN generation: 4.2BSD increments 128/sec; 4.3BSD increments [rate missing from transcript]/sec
- Diagram: the three handshake messages above, exchanged between Client C and Server S.

Slide 6: Session hijacking
- Session hijacking: find a machine C that's down and guess the ISN, which is usually generated in regular increments.
  - X->S: SYN(ISN_X) [spoofs C]; S is the rshd server
  - S->C: SYN(ISN_S), ACK(ISN_X+1)
  - X->S: ACK(ISN_S+1) [spoofs C; estimates ISN_S]
  - X->S: [echo "* *" >> ~/.rhosts] [spoofs C]
  - X->S: RESET [spoofs C]
  - X rlogins from anywhere in the world.
- Diagram, step 1 (ISN estimation; C has a trusted relationship with S): 1: disable C; 2: X->S: SYN(1000); 3: S->X: SYN(5000), ACK(1001).

Slide 7: Session hijacking
- Diagram, step 2 (session hijacking): 4: X->S: SYN(ISN_X) (spoofs C); 5: S->C: SYN(ISN_S), ACK(ISN_X+1); 6: X->S: ACK(ISN_S+1) (spoofs C; estimates ISN_S)
- Diagram, step 3 (executes remote commands): 7: X->S: [echo "* *" >> ~/.rhosts] (spoofs C); 8: X->S: RESET (spoofs C)
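Slides 5 to 7 turn on one property: whether a party that never sees the SYN/ACK can still produce ACK(ISN_S+1). The following is an added in-memory model (not code from the lecture; no packets are sent) with assumed names `Server`, `bsd42_style_isn`, `random_isn` and `blind_handshake_succeeds`. The toy server keeps only the handshake bookkeeping and accepts the third packet only if its ACK equals ISN_S+1. With a 4.2BSD-style counter advancing 128 per second (the rate the slide gives), an observer who completed one honest handshake earlier can compute the ISN issued to a later spoofed SYN; with per-connection random ISNs, in the spirit of RFC 6528 (which actually uses a keyed hash plus a clock offset rather than pure randomness), the same guess fails.

```python
import random

MASK = 0xFFFFFFFF   # TCP sequence numbers are 32-bit


class Server:
    """Toy TCP listener: only the handshake's sequence-number check is modelled."""

    def __init__(self, isn_source):
        self.isn_source = isn_source   # callable(now) -> 32-bit ISN
        self.half_open = {}            # client -> ISN_S issued to it
        self.established = set()

    def on_syn(self, client, now):
        """SYN(ISN_C) arrives from `client`; issue ISN_S. The SYN/ACK goes to `client`."""
        isn_s = self.isn_source(now)
        self.half_open[client] = isn_s
        return isn_s

    def on_ack(self, client, ack):
        """Third packet: accepted only if ACK == ISN_S + 1 (mod 2^32)."""
        isn_s = self.half_open.get(client)
        if isn_s is not None and ack == (isn_s + 1) & MASK:
            self.established.add(client)
            del self.half_open[client]
            return True
        return False


def bsd42_style_isn(base):
    """Predictable generator: a counter advancing 128 per second (slide 5, 4.2BSD)."""
    return lambda now: (base + 128 * int(now)) & MASK


def random_isn(rng):
    """Unpredictable generator: a fresh 32-bit random ISN per connection."""
    return lambda now: rng.getrandbits(32)


def blind_handshake_succeeds(server, t_probe, t_attack):
    """Can X complete a handshake as C without ever seeing the SYN/ACK sent to C?

    Step 1 (slide 6): X completes an honest handshake from its own address at
    t_probe and therefore learns the ISN_S issued at that moment.
    Step 2: at t_attack X sends SYN spoofed as C; the SYN/ACK goes to C (silenced),
    so X must answer with ACK(estimate + 1) where estimate extrapolates the counter.
    """
    seen = server.on_syn("X", t_probe)
    server.on_ack("X", (seen + 1) & MASK)               # X's own handshake completes
    estimate = (seen + 128 * int(t_attack - t_probe)) & MASK
    server.on_syn("C", t_attack)                          # SYN/ACK goes to C, not to X
    return server.on_ack("C", (estimate + 1) & MASK)


if __name__ == "__main__":
    print(blind_handshake_succeeds(Server(bsd42_style_isn(1000)), 10, 12))            # True
    print(blind_handshake_succeeds(Server(random_isn(random.Random(42))), 10, 12))    # False
```

The defender's takeaway is the one Bellovin drew: the spoofed third packet is only a problem because ISN_S is computable from public information, so the fix belongs in the ISN generator, not in the trust relationship the r-services layer on top.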

Slide 8: Disabling hosts: SYN flooding DoS
- Send lots of spoofed SYN packets to a victim host
  - Each SYN packet received causes a buffer to be allocated, until the limit set by the listen() call is reached.
- Morris invented SYN flooding just to launch a session hijacking attack; it was later used against Yahoo!
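Because the flooding SYNs carry spoofed sources, the symptom on the victim is a listen queue full of half-open connections from addresses that never answer, rather than many connections from one address. The following is an added example (not from the lecture) that parses constructed `netstat -tn`-style lines, counts half-open (SYN_RECV) entries per local port, and flags ports whose half-open queue has reached an assumed listen() backlog; the helper names and the backlog value are assumptions.

```python
from collections import Counter

# Constructed netstat -tn output for a host whose rshd (port 514) is being flooded
# from spoofed, never-answering sources; one honest rsh session is also present.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address       Foreign Address      State
tcp        0      0 10.0.0.5:514        10.0.0.9:1022        ESTABLISHED
tcp        0      0 10.0.0.5:514        198.51.100.17:3210   SYN_RECV
tcp        0      0 10.0.0.5:514        198.51.100.18:3210   SYN_RECV
tcp        0      0 10.0.0.5:514        198.51.100.19:3210   SYN_RECV
tcp        0      0 10.0.0.5:514        198.51.100.20:3210   SYN_RECV
tcp        0      0 10.0.0.5:514        198.51.100.21:3210   SYN_RECV
tcp        0      0 10.0.0.5:22         10.0.0.9:1023        ESTABLISHED
"""


def parse_netstat(text):
    """Return (local_port, foreign_ip, state) for each TCP row; skip headers."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        rows.append((local.rsplit(":", 1)[1], foreign.rsplit(":", 1)[0], state))
    return rows


def half_open_by_port(rows):
    """Half-open (SYN_RECV) entries per local port: the buffers slide 8 talks about."""
    return Counter(port for port, _, state in rows if state == "SYN_RECV")


def half_open_by_source(rows):
    """Half-open entries per remote address; spoofed floods show one per source."""
    return Counter(src for _, src, state in rows if state == "SYN_RECV")


def syn_flood_suspects(rows, backlog=5):
    """Ports whose half-open queue has reached the (assumed) listen() backlog."""
    return {port: n for port, n in half_open_by_port(rows).items() if n >= backlog}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(half_open_by_port(rows))          # Counter({'514': 5})
    print(syn_flood_suspects(rows))         # {'514': 5}
    print(half_open_by_source(rows).most_common(1))   # every spoofed source appears once
```

The per-source counter is included to make the point that per-address rate limits do not help here; the half-open count per listening port is the signal, and the mitigation has to be applied at the listener (a larger backlog or, on modern stacks, SYN cookies).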

Slide 9: Attacking routing to exploit rsh
- Two types of routing: dynamic routing vs. static routing
- Dynamic routing updates
  - OSPF: link-state algorithm
  - RIP: distance-vector algorithm
- The attacker injects a RIP update stating that she has a path to host C
  - All subsequent packets to C will be routed to the attacker.
  - The attacker initiates a connection to the server's rshd, spoofing C.
- Defense: use secure routing protocols
  - Only accept authenticated updates.
  - Requires key management.

Slide 10: ICMP attack
- ICMP redirect: forces a machine to route through you.
  - Requires an existing connection
  - Open a spoofed connection to the host you want to attack.
  - Then send a spoofed ICMP redirect to the victim, redirecting it to the gateway you've compromised.
- Others
  - ICMP destination unreachable
  - Frequent ICMP source quenches

Slide 11: ARP attacks
- When a machine sends an ARP request out, you could answer that you own the address.
  - But you are in a race condition with the real machine.
- Unfortunately, ARP will just accept replies without requests!
- Just send a spoofed reply message saying your MAC address owns a certain IP address.
  - Repeat frequently so that the cache entry doesn't time out.
- Messages are routed through you to sniff or modify.

Slide 12: ARP spoofing: countermeasures
- "Publish" the MAC address of the router/default gateway and of trusted hosts to prevent ARP spoofing
  - Statically define the IP-to-Ethernet address mapping
  - Example: arp -s hostname 00:01:02:03:04:ab pub
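The two properties slide 11 relies on (replies accepted without a request, and repeated replies to keep the poisoned entry alive) are also the properties a monitor can key on, and the static binding on slide 12 gives it ground truth. The following is an added example (not from the lecture, and not a real ARP monitor such as arpwatch) that runs the checks over a constructed ARP trace: it flags replies not preceded by a matching request within a short window, replies that contradict a static `arp -s ... pub` binding, and replies that change an IP-to-MAC mapping it has already learned. The trace, the window length and the function names are assumptions.

```python
from collections import Counter

# Constructed ARP trace: (t_seconds, op, sender_ip, sender_mac, target_ip).
# Host 10.0.0.5 asks for its gateway 10.0.0.1; the real gateway answers, then a
# second station keeps asserting a different MAC for the same address.
TRACE = [
    (0.0,  "request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    (0.1,  "reply",   "10.0.0.1", "00:01:02:03:04:ab", "10.0.0.5"),   # genuine answer
    (5.0,  "reply",   "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),   # no request, new MAC
    (10.0, "reply",   "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),   # repeated (cache refresh)
    (15.0, "reply",   "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),
]

# The slide's published binding (arp -s hostname 00:01:02:03:04:ab pub) for the gateway.
STATIC = {"10.0.0.1": "00:01:02:03:04:ab"}


def detect_arp_spoof(trace, static=STATIC, request_window=2.0):
    """Return (t, kind, ip, mac) alerts for suspicious ARP replies."""
    cache = {}      # ip -> mac learned from replies seen so far
    pending = {}    # (requester_ip, target_ip) -> time of the last request
    alerts = []
    for t, op, sender_ip, sender_mac, target_ip in trace:
        if op == "request":
            pending[(sender_ip, target_ip)] = t
            continue
        # A reply answers a request that the target sent for the sender's IP.
        asked_at = pending.get((target_ip, sender_ip))
        if asked_at is None or t - asked_at > request_window:
            alerts.append((t, "unsolicited reply", sender_ip, sender_mac))
        if sender_ip in static and static[sender_ip] != sender_mac:
            alerts.append((t, "contradicts static entry", sender_ip, sender_mac))
        elif sender_ip in cache and cache[sender_ip] != sender_mac:
            alerts.append((t, "mapping changed", sender_ip, sender_mac))
        cache[sender_ip] = sender_mac
    return alerts


def unsolicited_counts(alerts):
    """How often each (ip, mac) claim was pushed without a request: the refresh pattern."""
    return Counter((ip, mac) for _, kind, ip, mac in alerts if kind == "unsolicited reply")


if __name__ == "__main__":
    for alert in detect_arp_spoof(TRACE):
        print(alert)
    print(unsolicited_counts(detect_arp_spoof(TRACE)))
```

Without the static table the monitor still catches the first poisoned reply through the "mapping changed" rule, but later repeats look consistent with its own (poisoned) cache; the published binding is what keeps every repeat flagged, which is the reason slide 12 recommends it.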

Slide 13: TCP session stealing
- Reference: "A Simple Active Attack Against TCP" by Laurent Joncheray, in Proceedings of the 5th USENIX UNIX Security Symposium, June 1995
- Active attack using desynchronized states
  - The attacker is in the path between the client and the server
  - The attacker can sniff all the packets and inject spoofed packets
  - Steps:
    1. The attacker sniffs the communication between the two.
    2. The attacker disables the communication by desynchronizing the client and the server.
    3. The attacker injects spoofed packets that are acceptable to both ends.

Slide 14: TCP session stealing
- Desynchronized state between client C and server S
  - Both in the "Established" state
  - No data is being sent (stable state)
  - S_SEQ ≠ C_ACK and C_SEQ ≠ S_ACK
- When S_ACK < C_SEQ < S_ACK + S_Wind: the packet is accepted (buffered) but not delivered to the user
- When C_SEQ > S_ACK + S_Wind or C_SEQ < S_ACK: the packet is dropped
- In both cases an ACK(S_ACK) is sent (an ACK packet carrying S_SEQ, S_ACK)

Slide 15: TCP session stealing
- In a desynchronized state, the attacker can send any acceptable data to the server
  - E.g. [echo myhost >> ~/.rhost] for rlogin
- Diagram (C, X, S; S_SEQ ≠ C_ACK and C_SEQ ≠ S_ACK): 1: C->S: C_SEQ, C_ACK (dropped); 2: X->S (spoofing C): S_ACK, S_SEQ [echo myhost >> ~/.rhost] (accepted)

Slide 16: Desynchronization
- Early desynchronization
  1. C->S (SYN): C_Seq0; C: Syn_Sent
  2. S->C (SYN/ACK): S_Seq0, C_Seq0+1; S: Syn_Rcvd; C: Established (C_Seq0+1, S_Seq0+1) (before the packet C->S (ACK): S_Seq0+1)
  3. X->S (spoofing C, RST)
  4. X->S (spoofing C, SYN): X_Seq0; the same port number used in (1)
  5. S->C (SYN/ACK): S_Seq1, X_Seq0+1
  6. X->S (spoofing C, ACK): S_Seq1+1; S: Established (S_Seq1+1, X_Seq0+1)
- Diagram (C, X, S): messages 1 and 2 between C and S; messages 3, 4 and 6 from X to S.

Slide 17: The attack
- Null data desynchronization
  1. The attacker watches the session without interfering.
  2. During a quiet period, the attacker sends a large amount of null data (IAC NOP for telnet): nothing visible happens; the server only advances its TCP ACK number.
  3. Now, when the client sends data, it is dropped by the server because its sequence number is below the server's window.
  4. The attacker does the same with the client.
- Defense: ssh connection, or IPsec
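Slides 14 to 17 describe one mechanism: each end accepts, buffers or drops a segment purely by comparing its SEQ against the ACK number and window it holds, and answers with an ACK in every case. The following is an added model (not code from the lecture or from Joncheray's paper) of that bookkeeping with assumed names `Endpoint`, `synchronized` and `null_data_desync`. It uses the slide's notation (snd_nxt for C_SEQ/S_SEQ, rcv_nxt for C_ACK/S_ACK, rcv_wnd for the window), applies the slide-14 rule on receive, and reproduces the null-data step of slide 17: padding delivered at the server moves S_ACK, the client's C_SEQ does not move, and the client's next genuine segment is dropped while the acceptance window now starts where the in-path party chose.

```python
MOD = 2**32
TELNET_NOP = b"\xff\xf1"    # IAC NOP: the "null data" the slide refers to


class Endpoint:
    """One side of an established TCP connection; only sequence bookkeeping is modelled."""

    def __init__(self, name, snd_nxt, rcv_nxt, rcv_wnd=4096):
        self.name = name
        self.snd_nxt = snd_nxt      # SEQ of the next byte we send (C_SEQ or S_SEQ)
        self.rcv_nxt = rcv_nxt      # peer SEQ we expect next (C_ACK or S_ACK)
        self.rcv_wnd = rcv_wnd      # our receive window (C_Wind or S_Wind)
        self.delivered = []         # data handed to the application
        self.acks_sent = 0          # every received segment is answered with ACK(rcv_nxt)

    def receive(self, seq, data):
        """Slide-14 rule; returns 'deliver', 'buffer' or 'drop'."""
        off = (seq - self.rcv_nxt) % MOD
        if off == 0:                        # exactly the byte we expect: deliver
            self.delivered.append(data)
            self.rcv_nxt = (self.rcv_nxt + len(data)) % MOD
            verdict = "deliver"
        elif off < self.rcv_wnd:            # rcv_nxt < seq < rcv_nxt + window: hold it
            verdict = "buffer"
        else:                               # beyond the window, or (mod 2^32) below rcv_nxt
            verdict = "drop"
        self.acks_sent += 1                 # in both cases an ACK(rcv_nxt) goes back
        return verdict

    def send(self, peer, data):
        """Send data with our current SEQ, advance it, and report the peer's verdict."""
        verdict = peer.receive(self.snd_nxt, data)
        self.snd_nxt = (self.snd_nxt + len(data)) % MOD
        return verdict


def synchronized(a, b):
    """Stable state (slide 14): each side's SEQ equals the other's ACK."""
    return a.snd_nxt == b.rcv_nxt and b.snd_nxt == a.rcv_nxt


def null_data_desync(client, server, nop_count):
    """Slide 17 step 2: in-path party pushes NOP padding at the server using the client's
    current SEQ. The server delivers it (to telnet it is a no-op) and advances S_ACK;
    the client's own C_SEQ is unchanged, so the pair is now desynchronized."""
    return server.receive(client.snd_nxt, TELNET_NOP * nop_count)


if __name__ == "__main__":
    c = Endpoint("C", snd_nxt=1000, rcv_nxt=5000)
    s = Endpoint("S", snd_nxt=5000, rcv_nxt=1000)
    print(c.send(s, b"ls\r\n"), synchronized(c, s))        # deliver True
    print(null_data_desync(c, s, 50), synchronized(c, s))  # deliver False
    print(c.send(s, b"pwd\r\n"))                           # drop: C_SEQ < S_ACK
    print(s.acks_sent)                                     # 3: a pure ACK went back each time
```

The `acks_sent` counter is there for the defender: the slide states that dropped segments are still acknowledged, so once the two ends disagree, every genuine client segment produces a server ACK the client cannot make sense of; a sudden run of pure ACKs on an otherwise quiet telnet or rlogin session is the observable side of this condition, and the slide's own defense (ssh or IPsec) removes the attacker's ability to craft acceptable segments in the first place.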