Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Lecture A.2: Security Problems in TCP/IP r Reference: Security Problems in the TCP/IP Protocol Suite : by Steve Bellovin r R-services r Source-routing.

Published byPolly Walters Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Lecture A.2: Security Problems in TCP/IP r Reference: Security Problems in the TCP/IP Protocol Suite : by Steve Bellovin r R-services r Source-routing."— Presentation transcript:

1 1 Lecture A.2: Security Problems in TCP/IP r Reference: Security Problems in the TCP/IP Protocol Suite : by Steve Bellovin r R-services r Source-routing r ARP attacks r Session hijacking r TCP session stealing

2 2 Security problems in r-services r rsh and rcp use the.rhosts file in your directory, which lists hosts and accounts to allows access from without a password.  Allowed by /etc/inetd r Example.rhosts file: red.cs.umass.edu brian *.cs.umass.edu brian *

3 3 Security problems in r-services r Now that we know a machine is running rsh, how can we pretend to be another machine to gain access? Attack Defense r Source routing r False routing table updates r Session hijacking r ICMP redirects r False ARP packets r TCP session stealing ignore source routes secure routing protocols ssh/ secure connection ? Publish ARP tables ssh/ secure connection

4 4 Security problems in r-services r Exploiting trusted relationships: C is a trusted host to S r Source routing: m IP source-route option m The responder includes the source-route on the reply packets. m Some/most OSs ignore source routes these days. r Open a TCP connection to rshd spoofing the address of a trusted host, but include yourself in the source route. C S X 1. C->S: spoofed packet (source-route; includes X) 2. replies

5 5 Session hijacking r Normal TCP operation from client, C, to server, S m C->S: SYN(ISN C ) m S->C: SYN(ISN S ), ACK(ISN C +1) m C->S: ACK(ISN S +1) m Client and Server exchange data m ISN number generation 4.2BSD: increments 128/sec 4.3BSD: increments 125000/sec SYN(ISN C ) SYN(ISN S ), ACK(ISN C +1 ) ACK(ISN S +1) Client CServer S

6 6 Session hijacking r Session hijacking: Find a machine, C, that’s down, guess the ISN. Usually in regular increments. m X->S: SYN(ISN X ) [spoofs C]S: rshd server m S->C: SYN(ISN S ), ACK(ISN X +1) m X->S: ACK(ISN S +1) [spoofs C; estimates ISN S ] m X->S: [ echo “* *” >> ~/.rhosts] [spoofs C] m X->S: RESET [spoofs C] m X rlogins from anywhere in the world. 1. ISN estimation: C 3. SYN(5000), ACK(1001) Trusted relationship X S 2. SYN(1000) 1: Disables C

7 7 Session hijacking 2. Session hijacking: C 4: SYN(ISN X ) (spoofs C) X S 5: SYN(ISN S ), ACK(ISN X +1) 6: ACK(ISN S +1) (spoofs C; estimates ISN S ) 3. Executes remote commands: C 8: RESET (spoofs C) X S 7: [echo “* *” >> ~/.rhosts] (spoofs C)

8 8 Disabling hosts: SYN Flooding DoS r Send lots of spoofed SYN packets to a victim host  Each SYN packet received causes a buffer to be allocated, and the limits of the listen() call to be reached. r Morris invented SYN flooding just to launch a session hijacking attack, later used against Yahoo!

9 9 Attacking routing to exploit rsh r Two types of routing: dynamic routing vs. static routing r Dynamic routing updates m OSPF: link-state algorithm m RIP: distance vector algorithm r Attacker injects a RIP update stating she has a path to host C m All subsequent packets to C will be routed to the attacker. m The attacker initiates connection to rshd of the server. (spoofing C) r Defense: uses secure routing protocols m Only accept authenticated updates. m Requires key management.

10 10 ICMP Attack r ICMP redirect: forces a machine to route through you. m Requires an existing connection m Open a spoofed connection to the host you want to attack. m Then send a spoofed ICMP redirect to the victim redirecting it to the gateway you’ve compromised. r Others m ICMP destination unreachable m Frequent ICMP source quenches

11 11 ARP Attacks r When a machines sends an ARP request out, you could answer that you own the address. m But in a race condition with the real machine. r Unfortunately, ARP will just accept replies without requests! r Just send a spoofed reply message saying your MAC address owns a certain IP address. m Repeat frequently so that cache doesn’t timeout r Messages are routed through you to sniff or modify.

12 12 ARP Spoofing - Countermeasures r “Publish” MAC address of router/default gateway and trusted hosts to prevent ARP spoof m Statically defining the IP to Ethernet address mapping Example: arp -s hostname 00:01:02:03:04:ab pub

13 13 TCP Session Stealing r Reference: “A Simple Active Attack Against TCP” by Laurent Joncheray. In Proceedings of 5th USENIX Unix Security Symposium. June 1995 r Active attack using desynchronized states m The attacker is in the path b/w the client and the server m The attacker can sniff all the packets and inject some spoofed packets m Steps: 1. The attacker sniffs the communication b/w the two. 2. The attacker disables the communication by desynchronizing the client and the server. 3. The attacker injects spoofed packets that acceptable for both ends.

14 14 TCP Session Stealing r Desynchronized state b/w client C and server S m Both in “Established state” m No data is being sent (stable state) m S_SEQ  C_ACK and C_SEQ  S_ACK r When S_ACK < C_SEQ < S_ACK + S_Wind: m The packet is accepted (buffered) but not sent to the user r When C_SEQ > S_ACK + S_Wind or C_SEQ < S_ACK : m The packet is dropped r In both cases, the ACK(S_ACK) is sent (ACK packet with S_SEQ, S_ACK)

15 15 TCP Session Stealing r In a desynchronized state, the attacker can send any acceptable data to the server m E.g. [echo myhost >> ~/.rhost] for rlogin C X S 1: C->S: C_SEQ, C_ACK C_SEQ, C_ACK 2: X->S (spoofing C): S_ACK, S_SEQ [echo myhost >> ~/.rhost] S_SEQ, S_ACK (dropped) (accepted) S_SEQ  C_ACK and C_SEQ  S_ACK

16 16 Desynchronization r Early desynchronization 1. C->S(Syn): C_Seq0; C: Syn_Sent 2. S->C(Syn/Ack): S_Seq0, C_Seq0+1 ; S: Syn_Rcvd ; C: Established (C_Seq0+1, S_Seq0+1) (before the packet C->S(Ack): S_Seq0+1) 3. X->S(spoofing C, Rst) 4. X->S(spoofing C, Syn): X_Seq0 ; the same port # used in (1) 5. S->C(Syn/Ack): S_Seq1, X_Seq0+1 6. X->S(spoofing C, Ack): S_Seq1+1 ; S: Established (S_Seq1+1, X_Seq0+1) C X S 1 2 3,4, 6

17 17 The Attack r Null data desynchronization 1. The attacker watches the session without interfering. 2. During a quiet period, the attacker sends a large amount of null data (IAC, NOP for telnet): nothing happens, server only changes the TCP Ack number 3. Now, when the client sends data, it is dropped by the server because it’s lower than the server’s window. 4. The attacker does the same with the client. r Defense: ssh connection, or IPsec

Download ppt "1 Lecture A.2: Security Problems in TCP/IP r Reference: Security Problems in the TCP/IP Protocol Suite : by Steve Bellovin r R-services r Source-routing."

Similar presentations

Module X Session Hijacking

Module X Session Hijacking
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.

Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.

Sniffing, Spoofing, Hijacking This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added.
Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.

Suneeta Chawla Web Security Presentation Topic : IP Spoofing Date : 03/24/04.
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Network Architecture:

1 The Attack and Defense of Computers Dr. 許 富 皓. 2 Network Architecture:
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+

CN2668 Routers and Switches Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
OSI Model Routing Connection-oriented/Connectionless Network Services.

OSI Model Routing Connection-oriented/Connectionless Network Services.
1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)

1 Figure 5-4: Drivers of Performance Requirements: Traffic Volume and Complexity of Filtering Performance Requirements Traffic Volume (Packets per Second)
CS426Fall 2010/Lecture 331 Computer Security CS 426 Lecture 33 Network Security (1)

CS426Fall 2010/Lecture 331 Computer Security CS 426 Lecture 33 Network Security (1)
1 CSCD 434 Lecture 3 NetworkProtocol Vulnerabilities Spring 2012.

1 CSCD 434 Lecture 3 NetworkProtocol Vulnerabilities Spring 2012.
Scanning and Spoofing Lesson 7. Scanning Ping Sweeps Port Scanners Vulnerability Scanning tools.

Scanning and Spoofing Lesson 7. Scanning Ping Sweeps Port Scanners Vulnerability Scanning tools.

Similar presentations

Ads by Google