Attacking the TCP Reassembly
Plane of Network Forensics Tools
G´erard Wagener12 Thomas Engel1
1University of Luxembourg - SECAN LAB
Definitions and terminology
A PCAP filecontains network packets
Analyst is the person that is analyzing a PCAP file An attacker is the person that tries to lure the analyst
A4-tupleis (source IP, source port, destination IP, destination port)
A TCP session
Starts with the TCP ESTABLISHED state Ends with the TCP CLOSED state
TCP reassembly 1 2 3 3 1 2 4 5 6 7 8 9 Stream P1 P2 P3 P4 P5 S Y N A C K A C K A C K F IN 4 5 6 7 8 9 TCP header TCP payload byte (S ource IP , S ource P ort , D est in at ion I P, Dest ina tion P or t)
TCP reassembly isnotnew . . . and some attacks still work . . . TCP Reassembly Attacks for Network Intrusion Detection Systems
Tools
Fragrouter → NIDS benchmark
Attack countermeasures
Traffic Normalization → remove ambiguities
Reference
Nidsbench, describes NIDS tests and attacks A lot of IDS approaches are neglected in Network Forensics
Targetedtools
Tcpflow Tcptrace
Wireshark Tcpick
Usedtools
Tcpdump User Mode Linux Fragrouter
Iptables Socat Nc
Error Tcptrace Tcpflow Tcpick
Invalid read s=4 5 0 0 occ.
Invalid read s=1 2 11 0 occ.
Definitely lost 345 0 16 bytes
Possibly lost 49152 0 0 bytes
Invalid fd 36196 0 0 occ.
Definition
Most of the forensics tools have their own TCP/IP implementation
TCP/IP implementations are often incomplete or defective Example
IP fragmentation is not implemented
The implementation is vulnerable to fragment attacks The TCP implementation does not completely respect the standard TCP state machine
Attack requirements
An attacker must control his/her TCP/IP stack
Change behavior i.e. force fragmentation, fake checksums
Possible solutions
Forge TCP/IP packets with tools like scapy and hping
Problems
A lot of work for forging only one connection
Connections with their payloads must be known in advance Interfering with the TCP stack
Concurrency problems, race conditions with the regular TCP/IP stack
Attacker setup UML switch tap0 UML switch tap1 Target Attacker 10.0.0.2 eth0:10.0.0.3 eth1:10.0.1.1 10.0.1.2 Router/fragrouter tcpdump
Constraints
Attacker and target need to be on different subnets
Cause: Fragrouter eats ARP responses from the attacker
On the router UML, /proc/sys/net/ipv4/ip forward must be 0
Avoid race conditions between attacker TCP/IP stack and fragrouter
Methodology
At the router UML
Launch fragrouter with an attack on eth0
Launch fragrouter with IP forwarding on eth1 → return packets tcpdump -n -s0 -w packets.cap
At the target UML
nc -l -p 2000 > receive.dat
At the attacker UML
cat data.dat | nc target 2000
Was the attack successful? → diff data.dat receive.dat
Fragrouter attacks
Attacks are named after the command line switches Check capture process → B1 is regular IP forwarding Ordered 16-byte fragments, fwd-overwriting → F7 3-whs, bad TCP checksum FIN/RST, ordered 1-byte segments → T1
Results
Attack Tcpflow Wireshark Tcptrace Tcpick
B1 √ √ √ √
T1 × × × ×
T5 × × × ×
F7 × √ × ×
IPv61 × √ √ ×
In Wireshark was used the follow TCP stream feature √
packets were correctly reassembled
× packets were not at all/wrongly reassembled
Definition
This attacks target errors not directly to the TCP reassembly code butother implementation flaws.
Example
Stream identifier Resource management
Incomplete knowledge of the reassembly tool like network topology
PCAP bomb
Problem
A vulnerable reassembly tool assumes that: A TCP session is a 4-tuple
Consequences
Different streams are mixed in one file
Offset between streams due to random ISN (Initial Sequence Number)
Target
Fill analyst’s hard disk
PCAP bomb SYN 1 SYN 2 3 ACK FIN ISN1 SYN 1 SYN 2 3 ACK FIN ISN2 1 2 3 ? ? ? 1 2 3 ISN 2 - ISN1 Stream (Source IP, Source Port, Destination IP, Destination Port)
TCP header TCP payload byte
PCAP bomb Proof of concept Shell tcpdump -i lo -s0 -w pcap-bomb.cap i=1235 while [ 1 ]; do j=0 while [ $j -lt 5 ]; do
cat req.txt | socat - tcp:localhost:80, sourceport=$i,reuseaddr sleep 1 let j=$j+1 done let i=i$i+1 done
PCAP bomb
On average each flow has a size of 2GB.
Tune attack: Write a small PCAP program that maximize ISN difference
Problem
A vulnerable reassembly tool assumes that: A TCP session is identified by a 4-tuple Target
Hide intended web request i.e. rootkit download How the attack works
Send dummy data ( or just establish a TCP connection ) Download the real data using the same source port
Proof of Concept Shell
$ tcpdump -i lo -s0 -w hidden-stream.cap
$ cat empty.txt | socat - tcp:localhost:80,sourceport=1235, reuseaddr
$ cat req.txt | socat - tcp:localhost:80,sourceport=1235, reuseaddr
Notes
empty.txt is an empty file
req.txt contains an HTTP request to download a file
Problem
TCP reassembly tools assume that information is transmitted in thepayloadof TCP packets (not covering covert channel)
Areas to hide data
TCP options Ethernet padding Sequence numbers
Old attacking technique
Modify ethernet padding, choose sequence numbers etc
Network forensic tools should do
Statistical analysis of those areas
Automated analysis of those areas (test of 0 bytes) Simple solution: Perl / Python scripts based on libpcap.
Problem
How does the reassembly tool knows how the packets are handled by the recipient?
Attack
Forge a stream and replay it
Use the tool tcprewrite to modify recorded TCP packets Use perl scripts to modify the fields tcprewrite does not want to modify
Use tcpreplay to send the TCP packets
Tune the attack: Modify TTL such that the packets do not reach the target (old technique but network forensic tools forget about it)
Case study
Experiment: Comparing reassembled streams
Launch multiple TCP reassembly tools on a PCAP file and compare the generated files
Used tools Tcpflow Tcptrace Tcpick
Experiment: Comparing reassembled streams Data capture Shell tcpdump -s1500 -w test.cap Table: Results Number of TCP packets 41609423
Number of capture length differences 23781098
Streams generated by Tcptrace 66395
Streams generated by Tcpick 66151
Streams generated by Tcpflow 37022
Checking input data 1/2
Inspect the header information of the parameters that is passed to the PCAP callback function
Ensure that caplen = len
Tools that do not explicitly notify the analyst3 tcpflow, tcptrace, tcpick
Checking input data 2/2
Example
#!/usr/bin/perl
use Net::Pcap qw /pcap open offline pcap loop/; sub process packet{
my($user data, $header, $packet) = @ ; print $header->caplen.” ”.$header->len.”\n”; }
my $pcap = pcap open offline($pcapFile, \$err) or die ”Cannot open pcap file: cause: $err\n”; pcapi loop($pcap, -1, \&process packet, ”)
Countermeasures
Choose the right capture location (e.g. TTL attack) Before analyzing a capture, know how the capture has been performed
Filter out spoofed packed with a packet filter
Traffic normalization/scrubing before the capture takes place
Reassemble fragments
Discard packets with wrong checksums Discard packets with wrong TTL
TCP reassembly is often seen as a trivialtask Two attacks families were presented
Attacks on the TCP reassembly implementation
Network Intrusion Detection benchmarks were done to test popular TCP reassembly tools
TCP reassembly design attacks were presented
PCAP bomb
Hiding entire streams
Stream illusions aiming to deceive the analyst
Attack mitigation techniques and a case study were presented
Lack of user notification of anomalies needed for network
forensics
TCP reassembly attacks still work and some more effort is required for improving network forensic tools
Questions
? Acknowledgments
Hereby I want to thank
You
