Common Vulnerabilities

In document Designing Network Security (Page 90-95)

Attacks exploit weaknesses in systems. These weaknesses can be caused by poorly designed networks or by poor planning. A good practice is to prevent any unauthorized system or user from gaining access to the network where weaknesses in products and technologies can be exploited.

Spoofing attacks are well known on the Internet side of the world. Spoofing involves providing false information about a person's or host's identity to obtain unauthorized access to a system. Spoofing can be done by simply generating packets with bogus source addresses or by exploiting a known weakness in a protocol's behavior. Some of the more common attacks are described in this section. Because understanding the IP protocol suite is a key element in most attacks, this section describes the protocol suite along with the weaknesses of each protocol (such as TCP, ICMP, UDP, NNTP, HTTP, SMTP, FTP, NFS/NIS, and X Windows). A more thorough study of these protocol weaknesses can be found in Firewalls and Internet Security: Repelling the Wily Hacker by William Cheswick and Steven Bellovin (Addison-Wesley Press).

The TCP/IP Protocol

Internet Protocol (IP) is a packet-based protocol used to exchange data over computer networks. IP handles addressing, fragmentation, reassembly, and protocol demultiplexing. It is the foundation on which all other IP protocols (collectively referred to as the IP protocol suite) are built. As a network-layer protocol, IP handles the addressing and control information that allow data packets to move around the network (commonly referred to as IP routing). Figure 4-5 shows the IP header format.

Figure 4-5: The IP Header Format

that specifies the format of data and acknowledgments used in the transfer of data. TCP also specifies the procedures that the computers use to ensure that the data arrives reliably. TCP allows multiple applications on a system to communicate concurrently because it handles all demultiplexing of the incoming traffic among the application programs. Figure 4-6 shows the TCP header format, which starts at the data portion immediately following the IP header.

Figure 4-6: The TCP Header Format

Six bits (flags) in the TCP header tell how to interpret other fields in the header. These flags are listed in Table 4-3.

Table 4-3: TCP Flags

Flag  Meaning
URG   Urgent pointer field is valid.
ACK   Acknowledgment field is valid.
PSH   This segment requests a push.
RST   Resets the connection.
SYN   Synchronizes sequence numbers.
FIN   Sender has reached the end of its byte stream.
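As an added example (not code from the book), the following Python decodes the fixed 20-byte TCP header of Figure 4-6, extracts the six flag bits of Table 4-3, and names the handshake step a segment belongs to; build_tcp_header is a helper for constructing test segments and leaves the checksum at zero.

```python
import struct

# TCP flag bits from Table 4-3: the low six bits of the 16-bit offset/reserved/flags word.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
HEADER_FMT = "!HHIIHHHH"  # ports, seq, ack, offset+flags, window, checksum, urgent pointer


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """Pack a minimal 20-byte TCP header (no options); checksum left zero for illustration."""
    off_flags = (5 << 12) | sum(TCP_FLAGS[f] for f in flags)  # 5 x 32-bit words = 20 bytes
    return struct.pack(HEADER_FMT, sport, dport, seq, ack, off_flags, window, 0, 0)


def parse_tcp_header(segment):
    """Decode the fields of Figure 4-6 from the start of a TCP segment."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the fixed TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(HEADER_FMT, segment[:20])
    header_len = (off_flags >> 12) * 4  # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("data offset does not fit the segment")
    flags = {name for name, bit in TCP_FLAGS.items() if off_flags & bit}
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "header_len": header_len, "data": segment[header_len:]}


def handshake_role(flags):
    """Name the three-way-handshake step a segment belongs to, from its flags alone."""
    if "RST" in flags:
        return "reset"
    if flags == {"SYN"}:
        return "step 1: SYN"
    if flags == {"SYN", "ACK"}:
        return "step 2: SYN/ACK"
    if "ACK" in flags:
        return "step 3 or data: ACK"
    return "other"
```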

The SYN and ACK flags are of interest in the following section.

TCP/IP Connection Establishment

To establish a TCP/IP connection, a three-way handshake must occur between the two communicating machines. Each packet of the three-way handshake contains a sequence number; sequence numbers are unique to the connection between the two communicating machines. Figure 4-7 shows a sample

Figure 4-7: Establishing a TCP/IP Connection

The steps for establishing the initial TCP connection are as follows:

Step 1 The client initiates a TCP connection to the server. This packet has the SYN bit set. The client is telling the server that the sequence number field is valid and should be checked. The client sets the sequence number field in the TCP header to its initial sequence number.

Step 2 The server responds by sending a packet to the client. This packet also has the SYN bit turned on; the server's initial sequence number is the client's initial sequence number plus 1.

Step 3 The client acknowledges the server's initial sequence number by sending the server's initial sequence number plus 1.

Step 4 The connection is established and data transfer takes place.

TCP uses a sequence number for every byte transferred and requires an acknowledgment of the bytes received from the other end on receipt. The request for acknowledgment enables TCP to guarantee reliable delivery. The receiving end uses the sequence numbers to ensure that the data is in proper order and to eliminate duplicate data bytes.

You can think of TCP sequence numbers as 32-bit counters. These counters range from 0 to 4,294,967,295. Every byte of data exchanged across a TCP connection (as well as certain flags) is sequenced. The sequence number field in the TCP header contains the sequence number of the first byte of data in the TCP segment. The acknowledgment (ACK) field in the TCP header holds the value of the next expected sequence number, and also acknowledges all data up through this ACK number minus 1.

TCP uses the concept of window advertisement for flow control. That is, TCP uses a sliding window to tell the other end how much data it can buffer. Because the window size is 16 bits, a receiving TCP can advertise up to a maximum of 65,535 bytes. Window advertisement can be thought of as an advertisement from one TCP implementation to the other of how high acceptable sequence numbers can be.

Many TCP/IP implementations follow a predictable pattern for picking sequence numbers. When a host is bootstrapped, the initial sequence number is 1. The initial sequence number is incremented by 128,000 every second, which causes the 32-bit initial sequence number counter to wrap every 9.32 hours if no connections occur. However, each time a connection is initiated, the counter is incremented by 64,000. If sequence numbers were chosen at random when a connection arrived, no guarantees could be made that the sequence numbers would be different from a previous incarnation.

legitimate connections to a machine and track the sequence numbers used.

TCP/IP Sequence Number Attack

When an attacker knows the pattern for a sequence number, it is fairly easy to impersonate another host. Figure 4-8 shows such a scenario.

Figure 4-8: TCP/IP Sequence Number Spoofing

The steps for impersonating a host are as follows:

Step 1 The intruder establishes a valid TCP connection to the server to figure out the sequence number pattern.

Step 2 The intruder starts the attack by generating a TCP connection request using a spoofed source address. Often, the intruder will pick a trusted host's address and initiate a DoS attack on that host to render it incapacitated.

Step 3 The server responds to the connection request. However, because the trusted host is under a DoS attack, it cannot reply. If it actually could process the SYN/ACK packet, it would consider it an error and send a reset for the TCP connection.

Step 4 The intruder waits a certain amount of time to ensure that the server has sent its reply and then responds with the correctly guessed sequence number.

Step 5 If the intruder is correct in guessing the sequence number, the server is compromised and illegal data transfer can begin.

Because the sequence numbers are not chosen randomly (or incremented randomly), this attack works---although it does take some skill to carry out. Steven M. Bellovin, coauthor of Firewalls and Internet Security, describes a fix for TCP in RFC 1948 that involves partitioning the sequence number space. Each connection has its own separate sequence number space. The sequence numbers are still incremented as before; however, there is no obvious or implied relationship between the numbering in these spaces.
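The following Python, added here as an illustration rather than taken from the book, models the predictable initial-sequence-number pattern described above (1 at boot, +128,000 per second, +64,000 per connection) beside the RFC 1948 partitioning (ISN = M + F(local host, local port, remote host, remote port, secret), where RFC 1948 suggests MD5 for F). The host secret and the 4-tuples are constructed values; the point is that within one connection's space the counter still advances as before, while two different connections no longer share an obvious relationship.

```python
import hashlib

MOD = 2 ** 32            # sequence numbers are 32-bit counters
PER_SECOND = 128_000     # counter increment per second of uptime
PER_CONNECTION = 64_000  # counter increment per connection initiated


def legacy_isn(seconds_since_boot, connections_so_far):
    """ISN pattern described above: 1 at boot, +128,000 per second, +64,000 per connection."""
    return (1 + PER_SECOND * seconds_since_boot + PER_CONNECTION * connections_so_far) % MOD


def legacy_wrap_hours():
    """Hours until the 32-bit counter wraps with no connections (about 9.32 hours)."""
    return MOD / PER_SECOND / 3600


def connection_offset(local, lport, remote, rport, secret):
    """RFC 1948 F(): per-connection offset from hashing the 4-tuple with a host secret.
    The secret is what keeps the offsets of different connections unrelated."""
    ident = f"{local}:{lport}-{remote}:{rport}".encode()
    return int.from_bytes(hashlib.md5(ident + secret).digest()[:4], "big")


def rfc1948_isn(seconds_since_boot, connections_so_far, local, lport, remote, rport, secret):
    """ISN = M + F(): the global counter M still advances as before, but each
    connection lives in its own partition of the sequence number space."""
    m = legacy_isn(seconds_since_boot, connections_so_far)
    return (m + connection_offset(local, lport, remote, rport, secret)) % MOD


def follows_legacy_pattern(isn_first, isn_next, connections_apart=1):
    """True when two ISNs handed out in the same second sit exactly 64,000 per
    connection apart, i.e. the second is implied by the first."""
    return (isn_next - isn_first) % MOD == (PER_CONNECTION * connections_apart) % MOD
```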

The best defense against spoofing is to enable packet filters at the entry and exit points of your networks. The external entry point filters should explicitly deny any inbound packets (packets coming in from the external Internet) that claim to originate from a host within the internal network. The internal exit point filters should permit only outbound packets (packets destined from the internal network to the Internet) that originate from a host within the internal network.
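Added example (not the book's code): the entry-point and exit-point filters above expressed as two checks over constructed 'direction src dst' records, with the internal address blocks chosen purely for illustration. The inbound rule denies packets claiming an internal source; the outbound rule permits only packets that really originate inside, which also stops a forged trusted-host address from leaving.

```python
import ipaddress

# Constructed example: the address blocks that make up the internal network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def ingress_permit(src, dst):
    """External entry point: deny any inbound packet that claims an internal source address."""
    return not is_internal(src)


def egress_permit(src, dst):
    """Internal exit point: permit only outbound packets that originate from an internal host."""
    return is_internal(src)


def apply_filters(records):
    """Evaluate 'in|out src dst' records; returns (verdict, record) pairs in order."""
    verdicts = []
    for line in records:
        direction, src, dst = line.split()
        if direction == "in":
            permit = ingress_permit(src, dst)
        elif direction == "out":
            permit = egress_permit(src, dst)
        else:
            raise ValueError(f"unknown direction in record: {line}")
        verdicts.append(("permit" if permit else "deny", line))
    return verdicts


def spoof_attempts(records):
    """Count records the anti-spoofing filters denied; a rise here is worth alerting on."""
    return sum(1 for verdict, _ in apply_filters(records) if verdict == "deny")


# Constructed sample traffic, one record per packet.
SAMPLE = [
    "in 203.0.113.5 10.1.1.20",      # normal inbound packet from the Internet
    "in 10.1.1.7 10.1.1.20",         # inbound packet claiming an internal source: deny
    "out 10.1.1.20 203.0.113.5",     # normal outbound packet
    "out 198.51.100.3 203.0.113.5",  # outbound packet with a foreign source: deny
]
```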

Session hijacking is a special case of TCP/IP spoofing, and the hijacking is much easier than sequence number spoofing. An intruder monitors a session between two communicating hosts and injects traffic that appears to come from one of those hosts, effectively stealing the session from one of the hosts. The legitimate host is dropped from the connection and the intruder continues the session with the same access privileges as the legitimate host.

Session hijacking is very difficult to detect. The best defense is to use confidentiality security services and encrypt the data for securing sessions.

TCP SYN Attack

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN/ACK (synchronize acknowledge) packet. The destination host must then hear an ACK (acknowledge) of the SYN/ACK before the connection is established. This exchange is the TCP three-way handshake, described earlier in this chapter.

While waiting for the ACK to the SYN/ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly because the ACK is expected to arrive a few milliseconds after the SYN/ACK is sent.

The TCP SYN attack exploits this design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. The victim destination host sends a SYN/ACK back to the random source address and adds an entry to the connection queue. Because the SYN/ACK is destined for an incorrect or nonexistent host, the last part of the three-way handshake is never completed, and the entry remains in the connection queue until a timer expires---typically for about one minute. By generating phony TCP SYN packets from random IP addresses at a rapid rate, an intruder can fill up the connection queue and deny TCP services (such as e-mail, file transfer, or WWW service) to legitimate users.

There is no easy way to trace the originator of the attack because the IP address of the source is forged. In the network infrastructure, the attack can be constrained to a limited area if a router or firewall intercepts the TCP connection and proxies on behalf of the connection-initiating host to make sure that the connection is valid.
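Added example, not from the book: a model of the finite half-open connection queue described above, with the one-minute expiry timer, driven by a constructed scenario of SYNs from forged addresses that never complete the handshake followed by one legitimate SYN. The queue size, rate and addresses are constructed; the half_open() count is the quantity a host or proxy would watch to detect the condition.

```python
class SynBacklog:
    """Model of the finite connection queue a destination host keeps while waiting for
    the ACK that completes each three-way handshake."""

    def __init__(self, capacity=128, timeout=60.0):
        self.capacity = capacity  # queue entries (constructed value)
        self.timeout = timeout    # seconds before an unanswered SYN/ACK entry is dropped
        self.pending = {}         # (src, sport) -> time the SYN/ACK was sent
        self.dropped = 0          # SYNs refused because the queue was full

    def expire(self, now):
        for key, sent in list(self.pending.items()):
            if now - sent >= self.timeout:
                del self.pending[key]

    def on_segment(self, now, src, sport, flags):
        self.expire(now)
        key = (src, sport)
        if flags == {"SYN"}:
            if key in self.pending:
                return "retransmit"
            if len(self.pending) >= self.capacity:
                self.dropped += 1
                return "dropped"      # queue full: this SYN is denied service
            self.pending[key] = now   # SYN/ACK goes out; wait for the final ACK
            return "syn_ack_sent"
        if key in self.pending and ("ACK" in flags or "RST" in flags):
            del self.pending[key]
            return "reset" if "RST" in flags else "established"
        return "ignored"

    def half_open(self):
        return len(self.pending)


def legit_syn_outcome(flood_rate, flood_seconds, legit_at, capacity=128, timeout=60.0):
    """Constructed scenario: flood_rate SYNs per second from forged sources that never
    answer the SYN/ACK, plus one legitimate SYN at legit_at seconds. Returns that SYN's
    verdict and the half-open count afterwards."""
    events = [(i / flood_rate, f"203.0.113.{i % 254 + 1}", 1024 + i)
              for i in range(int(flood_rate * flood_seconds))]
    events.append((legit_at, "192.0.2.10", 40000))
    backlog = SynBacklog(capacity, timeout)
    verdict = None
    for when, src, sport in sorted(events):
        result = backlog.on_segment(when, src, sport, {"SYN"})
        if src == "192.0.2.10":
            verdict = result
    return verdict, backlog.half_open()
```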

Note A proxy is a device that performs a function on behalf of another device. For example, if the firewall proxies TCP connections on behalf of a Web server, then the firewall intercepts the TCP connections from a host trying to access the Web server and ensures that valid connection requests are made. After it validates the connection requests (usually by completing the connection by proxy), it initiates its own TCP connection request to the Web server on behalf of the host. The connection is established and normal data transfer between the client and server can start without further interference from the proxy. If a TCP SYN attack occurs, the proxy is attacked but it is not a critical device.

The land.c Attack

The land.c attack is used to launch DoS attacks against various TCP implementations. The land.c program sends a TCP SYN packet (a connection initiation), giving the target host's address as both the source and destination and using the same port on the target host as both the source and destination. This can cause many operating systems to hang in some way.

In all cases, the TCP ports reached by the attack must be ports on which services are actually being provided (such as the Telnet port on most systems). Because the attack requires spoofing the target's own address, systems behind effective antispoofing firewalls are safe.