Some insights about the recent TCP DoS (Denial of Service) vulnerabilities Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference.

Slides:



Advertisements
Similar presentations
73rd IETF meeting, November 16-21, 2008
Advertisements

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Transmission Control Protocol (TCP)
CISCO NETWORKING ACADEMY PROGRAM (CNAP)
IS333, Ch. 26: TCP Victor Norman Calvin College 1.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
Fernando Gont project carried out on behalf of UK CPNI
TCP/IP Protocol Suite 1 Chapter 13 Upon completion you will be able to: Stream Control Transmission Protocol Be able to name and understand the services.
Results of a security assessment of the TCP and IP protocols and common implementation strategies Fernando Gont project carried out on behalf of UK CPNI.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Results of a Security Assessment of the TCP and IP Protocols and Common Implementation Strategies Fernando Gont project carried out on behalf of the UK.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
UNIT 07 Process – to – Process Delivery: UDP,TCP and SCTP
TDC365 Spring 2001John Kristoff - DePaul University1 Internetworking Technologies Transmission Control Protocol (TCP)
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168) Limited Transmit (RFC 3042)
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)
ITIS 6167/8167: Network and Information Security Weichao Wang.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #8 Explicit Congestion Notification (RFC 3168) Limited Transmit.
TCP. Learning objectives Reliable Transport in TCP TCP flow and Congestion Control.
WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
TCP/IP Basics A review for firewall configuration.
Networking. Protocol Stack Generally speaking, sending an message is equivalent to copying a file from sender to receiver.
Process-to-Process Delivery:
Chapter 16 Stream Control Transmission Protocol (SCTP)
Presentation on Osi & TCP/IP MODEL
Chapter 5 Transport layer With special emphasis on Transmission Control Protocol (TCP)
CS332, Ch. 26: TCP Victor Norman Calvin College 1.
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 2.5 Internetworking Chapter 25 (Transport Protocols, UDP and TCP, Protocol Port Numbers)
1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.
Routers and Routing Basics CCNA 2 Chapter 10.
Transport Layer: TCP and UDP. Overview of TCP/IP protocols Comparing TCP and UDP TCP connection: establishment, data transfer, and termination Allocation.
TCP1 Transmission Control Protocol (TCP). TCP2 Outline Transmission Control Protocol.
Chapter 22 Q and A Victor Norman CS 332 Spring 2014.
23.1 Chapter 23 Process-to-Process Delivery: UDP, TCP, and SCTP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.
HighSpeed TCP for High Bandwidth-Delay Product Networks Raj Kettimuthu.
DoS Suite and Raw Socket Programming Group 16 Thomas Losier Paul Obame Group 16 Thomas Losier Paul Obame.
Copyright © Lopamudra Roychoudhuri
Networking Basics CCNA 1 Chapter 11.
Lecture 4 Overview. Ethernet Data Link Layer protocol Ethernet (IEEE 802.3) is widely used Supported by a variety of physical layer implementations Multi-access.
Chapter 24 Transport Control Protocol (TCP) Layer 4 protocol Responsible for reliable end-to-end transmission Provides illusion of reliable network to.
1 CS 4396 Computer Networks Lab TCP – Part II. 2 Flow Control Congestion Control Retransmission Timeout TCP:
DoS/DDoS attack and defense
Stream Control Transmission Protocol
TCP continued. Discussion – TCP Throughput TCP will most likely generate the saw tooth type of traffic. – A rough estimate is that the congestion window.
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 16 Stream Control Transmission.
Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.
UDP : User Datagram Protocol 백 일 우
Denial of Service Attacks Simulating Strategic Firewall Placement By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt.
TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).
Day 13 Intro to MANs and WANs. MANs Cover a larger distance than LANs –Typically multiple buildings, office park Usually in the shape of a ring –Typically.
Computer Networks 1000-Transport layer, TCP Gergely Windisch v spring.
19 March 2003Page 1 BGP Vulnerabilities Draft March 19, 2003 Sandra Murphy
Ch23 Ameera Almasoud 1 Based on Data Communications and Networking, 4th Edition. by Behrouz A. Forouzan, McGraw-Hill Companies, Inc., 2007.
Chapter 9: Transport Layer
Fast Retransmit For sliding windows flow control we waited for a timer to expire before beginning retransmission of a packet TCP uses an additional mechanism.
Instructor Materials Chapter 9: Transport Layer
Internet Networking recitation #9
Outline Basics of network security Definitions Sample attacks
PART 5 Transport Layer Computer Networks.
TCP Transport layer Er. Vikram Dhiman LPU.
TCP for DNS security considerations
The IP, TCP, UDP protocols
Internet Networking recitation #10
project carried out on behalf of
Outline Basics of network security Definitions Sample attacks
Presentation transcript:

Some insights about the recent TCP DoS (Denial of Service) vulnerabilities Fernando Gont project carried out on behalf of UK CPNI HACK.LU 09 Conference October 28-30, Luxembourg

Agenda Overview of the project caried out on behalf of UK CPNI Disclosure process of our results The recent TCP DoS (Denial of Service) vulnerabilities Disclosure process of the “Sockstress” vulnerabilities Disclosure process Co-operation with vendors Conclusions

Overview (or “what we did, and why we did what we did”)

Problem Statement Many vulnerabilities have been found in a number of implementations of the TCP & IP protocols, and in the protocols themselves. Documentation of these issues and of possible mitigations has been spread among a number of vulnerability reports and a variety of online documents. Some of this documentation proposes counter-measures for these issues without analyzing their interoperability implications on the protocols. (See e.g., Silbersack’s presentation at BSDCan 2006). The efforts of the security community never resulted in changes in the corresponding IETF specifications, and sometimes not even in the protocol implementations. As a result,  New implementations of the protocols re-implement vulnerabilities found in older implementations.  New protocols re-implement mechanisms or policies with “known” security implications (e.g., Router Header Type 0 in IPv6 vs. IPv4 source routing).

Project Overview During the last few years, CPNI – formerly NISCC – embarked itself in a project to fill this gap. The goal was to produce a set of documents that would serve as a security roadmap for the TCP and IP protocols. The resulting document are::   TCP.pdf TCP.pdf This set of documents would be updated in response to the feedback received from the comunity. Finally, we planned to take the results of this project to the IETF, so that the relevant specifications could be modified where needed. Both documents have already been adopted by the IETF:  draft-ietf-opsec-ip-security  draft-ietf-tcpm-tcp-security

Disclosure process of our results (“who got what, and when?”)

Results of our project The IP security document was released in August 2008, after review from vendors. The resutls of our TCP security project was shared with main vendors and operators during (and publicly released in February 2009). We didn’t hear much from vendors. For the most part, we got feedback from colleagues (via “would you take a look at this?”), and some gubernamental organizations. By mid 2008 vendors didn’t seem to to be concerned about the contents of our document. But later in

The new (?) TCP DoS attacks (“the sky is falling.... but we cannot tell you why”) Source: news.softpedia.com

The new TCP DoS attacks Some (supposedly) new and killer attacks had been discovered by Outpost24. The attacks received a lot of press. And there were many claims about their impact. The information provided by Outpost24 was really scarce, and some of it simply didn’t make sense What followed: More press, some panic, speculation by the comunity. At some point, some vendors and CSIRTs that were aware about our efforts on TCP & IP security came back to us (“What is this all about?”) So we concentrated on the aforementioned issues, and developed and provided specific advice to vendors. – it was the only advice that they had.

Summary of the vulnerabilities For the most part, the vulnerabilities are:  Connection-flooding attacks (naphta and FIN-WAIT-2 flooding attacks)  TCP send buffer attacks (Netkill and closed windows)  TCP receive buffer attacks No countermeasures were proposed as part of the Outpost 24 report to vendors and CSIRTs.. Outpost24 did find some pathological behavior of some stacks, e.g., when transiting through the FIN-WAIT-2 state, though.

Some insights on the recent TCP DoS vulnerabilities (our view of these issues)

Connection-flooding attacks (Naphta and FIN-WAIT-2)

Connection-flooding attacks (Naphta) The creation and maintenance of a TCP connection requires system memory to maintain shared state between the local and the remote TCPs. Given that system memory is a limited resource, this can be exploited to perform a DoS attack (this attack vector has been referred to as “Naphta”. See CERT Advisory CA ). In order to avoid wasting his own resources, an attacker can bypass the kernel implementation of TCP, and simply craft the required packets to establish a TCP connection with the remote endpoint, without tying his own resources. Outpost24 stated that in order to exploit the attack, they had to introduce the concept of “client-side cookies”.  This is not needed: Simply fire the SYNs, and respond with an ACK all the SYN/ACKS that you receive (KISS principle).

Mitigating Naphta Key problem: an actual attack does not necessarily differ from a high-load scenario Possible counter-measures:  Enforce per-user and pre-process limits  Enforce limits on the number of ongoing connections from a single system/prefix at the application-layer  Enforce limits on the number of ongoing connections from a single system/prefix at a firewall

A typical connection-termination scenario: Problems that may potentially arise due to the FIN-WAIT-2 state  There’s no limit on the amount of time a connection can stay in the FIN-WAIT-2 state  At the point a TCP gets into the FIN-WAIT-2 state there’s no user- space controlling process FIN-WAIT-2 flooding attack

Countermeasures for FIN-WAIT-2 flooding Enforce a limit on the duration of the FIN-WAIT-2 state. E.g., Linux 2.4 enforces a limit of 60 seconds. Once that limit is reached, the connection is aborted. The counter-measures for the Naptha attack still apply. However, the fact that this attack aims at leaving lots of connections in the FIN-WAIT-2 state will usually prevent an application from enforcing limits on the number of ongoing connections. Applications should be modified so that they retain control of the connection for most states. This can be achieved with a conbination of the shutdown(), setsockopt(), and close(). TCP should also enforce limits on the number of ongoing connections with no controlling process.

TCP send buffer

The TCP send buffer keeps a copy of those data that have been accepted by TCP for delivery to the remote TCP end-point. It is possible to exploit the TCP send buffer for a memory exhaustion attack:  Send an application request to the target system, but never acknowledge the response (Netkill).  Send an application request, but close the receive window.

Netkill The amount of data that are allowed for delivery to the remote TCP end-point is governed by the TCP sliding-window mechanism. The TCP window prevents a fast sender from overwhelming a slow consumer application. When the advertised window is zero, the window is said to be closed. The TCP sender polls the receiver from time to time to find out if the window has opened (persist timer). However, there’s no limit on the amount of time that the window can be closed. Easy to exploit for memory exhaustion: just send an applicattion-request to the remote end-point, and close the receive window.

Netkill (countermeasures) Problem: it’s very hard to infer attack from the behavior of a single connection. Possible counter-measures:  Measure connection progress at the application-layer  Do not use an unnecessarily large socket send buffer  Enforce per-user and pre-process limits  Enforce limits on the number of ongoing connections from a single system/prefix at the application-layer  Enforce limits on the number of ongoing connections from a single system/prefix at a firewall When dropping connection, these are possible parameters that may provide hints for selecting the target connection:  Large amount of data queued in the TCP retransmission buffer  Only a small amount of data successfully transferred to the remote endpoint

Closed windows The amount of data that are allowed for delivery to the remote TCP end-point is governed by the TCP sliding-window mechanism. The TCP window prevents a fast sender from overwhelming a slow consumer application. When the advertised window is zero, the window is said to be closed. The TCP sender polls the receiver from time to time to find out if the window has opened (persist timer). However, there’s no limit on the amount of time that the window can be closed. Easy to exploit for memory exhaustion: just send an applicattion-request to the remote end-point, and close the receive window.

Closed windows (countermeasures) Problem: it’s very hard to infer attack from the behavior of a single connection. It has been proposed that TCP should impose a limit on the amount of time that a window can be closed. However, this counter-measure is trivial to circumvent: just open the window a bit from time to time. Possible counter-measures:  Measure connection progress at the application-layer  Do not use an unnecessarily large socket send buffer  Enforce per-user and pre-process limits  Enforce limits on the number of ongoing connections from a single system/prefix at the application-layer  Enforce limits on the number of ongoing connections from a single system/prefix at a firewall

TCP reassembly buffer

When out-of-order data are received, a “hole” momentarily exists in the data stream which must be filled before the received data can be delivered to the application making use of TCP’s services. This mechanism can be exploited in at least two ways:  Create lots of connections, and send a large amount of data on each of those connections to the receiving TCP, leaving a hole in the data stream so that those data cannot be delivered to the application.  Same as above, but send e.g., chunks of one byte of data, separated by holes of e.g., one byte, targeting the overhead needed to hold and link each of these chunks of data.

Countermeasures for the receive buffer TCP implementations should enforce limits on the amount of out-of-order data that are queued at any time. TCP implementations should enforce limits on the maximum number of “holes” that are allowed for each connection. If necessary, out-of-order data could be discarded, with no effect on interoperability. This has a performance penalty, though.

Cooperation with vendors (too frequently, an oxymoron) Oxymoron (NOUN): A rhetorical figure in which incongruous or contradictory terms are combined.

What one would expect from vendors You provide advice to them on possible security problems in their product. You delay publication of your work so that they have enough time to fix their products before going public. They fix their products before the isues become public  Good for the vendors  Good for their customers They credit your work (possibly in their vulnerability asvisories). Unfortunately, the process usually fails in this last step…

Case 1: Microsoft Microsoft had received draft versions of our document during I personally delivered the document to key people at Microsoft. However, when MS was released by Microsoft, there was no credit to our work. Microsoft’s response to my query was: “As it was not reported directly here, we were never tracking you paper as a part of this case. We also did not credit any other ICASI members or CERT-FI who were also providing guidance for mitigation and workarounds to enable users to protect themselves.”, and… “As your documents discuss the TCP/IP protocol and did not discuss any specific issues with Microsoft products, there is nothing actionable for us to triage or investigate.”

Case 2: Cisco Systems Cisco had received draft versions of our document during I personally delivered the document to key people at Microsoft. However, when cisco-sa tcp24 was released by Microsoft, there was no credit to our work. Cisco’s response to my query was: “Thank-you for contacting Cisco about your concerns in the recent TCP Security Advisory, cisco-sa tcp24. Yes, we reviewed your research paper in the August 2008 timeframe and at that time had no concerns about the publication. Our advisory was in direct response to what was being coordinated by CERT-FI across industry and the existence of the proof-of- concept tool delivered to us by Outpost24“

Conclusions

Conclusions and Further Work Working on TCP/IPv4 security in probably didn’t have much glamour. However, this was something that needed to be done. Still in 2009, there’s lots of work to do to improve the available TCP implementations. We’re aware of some efforts in the vendor community to improve the security/resiliency of TCP. Not sure what the end result will be. There are efforts in the IETF to update the specifications where necessary. However, there’s also some resistance by some participants to update/fix the specs (talk about politics). – Get involved! Your feedback really matters.

Questions?

Acknowledgements UK CPNI, for their continued support HACK.LU organizers, and Fred in particuar, for their support in this conference. Fernando Gont

Thank you!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.