Download - Protocol Perils
-
8/3/2019 Protocol Perils
1/77
1
Protocol perils
Hacking the stack
-
8/3/2019 Protocol Perils
2/77
2
Course announcement
Topics in Cryptography Tom Shrimpton (teshrim at cs . pdx . edu)
http://www.cs.pdx.edu/~teshrim/spring06/info-510.html
http://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.html -
8/3/2019 Protocol Perils
3/77
3
Hacking the stack
Protocol attacks at all layers Data-link layer
Network layer
Transport layer
Application layer
http://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.html -
8/3/2019 Protocol Perils
4/77
4
Data-link layer hacks
http://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.html -
8/3/2019 Protocol Perils
5/77
5
Sniffing
Gathering packets from the local network Passive (wired network with a hub or a wireless network)
Turn on promiscuous mode on NIC
Make NIC accept all data-link layer frames not just its own
Software
Snort (www.snort.org)
tcpdump/ethereal
Sniffit (reptile.rug.ac.be/~coder/sniffit/sniffit.html)
Dsniff (www.monkey.org/~dugsong/dsniff)
Active (wired network built with a switch) Harder (switch prevents data frames from being broadcast)
How can someone sniff switched traffic?
http://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.cs.pdx.edu/~teshrim/spring06/info-510.htmlhttp://www.snort.org/http://www.monkey.org/~dugsong/dsniffhttp://www.monkey.org/~dugsong/dsniffhttp://www.snort.org/ -
8/3/2019 Protocol Perils
6/77
6
Active Sniffing
Fool the switch into sending the packets to the sniffer MAC Flooding
Send a flood of traffic with random MAC addresses
Fill up the switchs memory
Switches will then forward packets to all links on the switch Dsniff program Macof
ARP spoofing
Send fake ARP replies to change the victims ARP table
Dsniff program Arpspoof
Attacker configures his or her system to forward any traffic it
receives to the router.
Any traffic from the target machine is sent to the attackers machine
before being transferred to the local network.
-
8/3/2019 Protocol Perils
7/77
7
Spoofing ARP Messages
-
8/3/2019 Protocol Perils
8/77
8
Question
How do you detect a sniffer on your machine?
Answer
Check to see if your network interface is in promiscuous modeifconfig a => look for PROMISC
-
8/3/2019 Protocol Perils
9/77
9
Question
How do you detect a sniffer on your network?
Answer
Send a TCP SYN packet to sniffer with bogus MAC address
-
8/3/2019 Protocol Perils
10/77
10
802.11 vulnerabilities
802.11 MAC layerNodes are identified with a globally unique 12 byte address.
No mechanism for verifying the correctness of the identity
Implicit trust in a speaker's source address.
-
8/3/2019 Protocol Perils
11/77
11
802.11 deauthentication attack
802.11 clients Authenticate with one or more access
points (AP)
Associate with the AP that they will
route through.
Either end-point can requestdeauthentication from each other.
Attacker spoofs this message to interrupt
data flow
Forces authentication to be
reestablished.
Deauthenticat
ion
-
8/3/2019 Protocol Perils
12/77
12
802.11 disassociation attack
Similar to Deauthentication attack.
Either end-point can request
disassociation from each other.
Attacker spoofs this message to interrupt
data flow
Forces association to be reestablished.
More attacking messages are required
to get same effect of deauthentication
message Disassociation
Disassociation
-
8/3/2019 Protocol Perils
13/77
13
802.11 power saving attack
Clients can turn off radio to conserveenergy.
Client tells AP that it is entering
sleep.
AP tells client when to wake up fortraffic.
AP will buffer data and send traffic
indication map (TIM) to client
periodically.
Client wakes up to receive each TIM
and then retrieve data if available.
Client Attacker AP
EnteringSleep
ManagementResponse
TIM
Client Sleeps
Client Wakes
Client Sleeps
TIMClient Wakes
Client Sleeps
TIMClient Wakes
Client Sleeps
Retrieve Data
-
8/3/2019 Protocol Perils
14/77
14
802.11 power saving attack
Messages are sent in the clear.
Attacker can spoof management
packet and prevent synchronization.
Attacker can spoof client polling and
discard data. Attacker can spoof TIM and convince
client there is no data.
Client Attacker AP
EnteringSleep
ManagementResponse
Client Sleeps
TIMClient Wakes
ManagementResponse
Retrieve Data
Client Sleeps
TIM
-
8/3/2019 Protocol Perils
15/77
15
802.11 carrier sense attacks
Hidden terminals prevent perfect collision detection. Physical and Virtual carrier-sense mechanisms used to
control channel access.
Both of these mechanisms can be exploited.
-
8/3/2019 Protocol Perils
16/77
16
802.11 physical carrier-sense attack
Before transmitting frame, node must wait at least asmall interval of time (SIFS for 802.11 ACKs)
Attacker jams channel towards end of SIFS to force all to
back-off (CSMA)
SIFS is 20s for 802.11b Requires 50,000 packets per second to disable all access.
Expensive for attacker
-
8/3/2019 Protocol Perils
17/77
17
802.11 virtual carrier-sense attack
Each 802.11 frame carries a maximum number of s to reserve channel Specified in NAV
Max value is 32767, or about 32ms.
Attacker persistently reserves channel for maximum duration
Only sends for short time during reservation
Jams all access with only 30 transmissions a second
Not all 802.11 hardware obeys NAV (a bug that saves 802.11 from this attack)
-
8/3/2019 Protocol Perils
18/77
18
Other data-link layer attacks
WEP Wired equivalent privacy
Initial security scheme for 802.11
Can be broken in under 1 minute
J. Walker, "IEEE 802.11 Wireless LANs Unsafe at any key size; Ananalysis of the WEP encapsulation"
-
8/3/2019 Protocol Perils
19/77
19
Network layer hacks
-
8/3/2019 Protocol Perils
20/77
20
IP spoofing
Host fills in its own address in sending packets Implicitly trusted not to forge the entry
Leads to all sorts of problems
Chapter 3 lecture notes
IP spoofing scenario using .rhosts and predictable TCP ISN Establish a blind connection with a remote host
-
8/3/2019 Protocol Perils
21/77
21
Reflector attacks
Occur at all layers (not just network layer) However, most rely on IP spoofing
A reflector is any IP host that will return a packet or more if senta packet. Reflector cannot easily locate the initiator because of IP spoofing.
Examples: Web servers: return SYN ACKS or RSTs in response to SYN or other
TCP packets.
DNS servers: return query replies in response to query requests.
Routers: return ICMP Time Exceeded in response to TTL expiry or Host
Unreachable messages in response to unroutable IP addresses
-
8/3/2019 Protocol Perils
22/77
22
-
8/3/2019 Protocol Perils
23/77
23
ICMP reflectors
ICMP echo Widely used for ping
Smurf attacks
Repeatedly send ICMP ping to broadcast IP address of network that
can receive and respond to directed broadcast (smurf amplifier) Use the victims IP address as the source IP
Victims bandwidth is filled with response packets
Attacks and software
Smurf (ICMP), Fraggle (UDP), and Papasmurf (ICMP and UDP)
www.packetstormsecurity.org/new-exploits/
List of Smurf Amplifiers: www.netscan.org
http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
24/77
24
ICMP reflectors
Other ICMP candidates Timestamp Address mask
Router solicitation
Information request/reply Source quench
Host unreachable
Time exceeded
Parameter problem Redirect.
Need fragmentation.
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
25/77
25
Routing attacks
Attack Intruder sends bogus routing information to a target and each
of the gateways along the route
Impersonates an unused host
Diverts traffic for that host to the intruders machine
Used to monitor dark IP addresses
Impersonates a used host
All traffic to that host routed to the intruders machine
Intruder inspects packets & resends to host w/ source routing
Allows capturing of unencrypted passwords, data, etc
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
26/77
26
Routing attacks
BGP Routing Fault Example: ISP mistakenly announced routes to 3000+ prefixes
(destinations) it did not own.
Other ISPs adopt these routes and blackholed traffic to those
sites.
Slides courtesy of Dan Massey
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
27/77
27
Routing attacks
Internet c.gtld-servers.netrrc00monitor
192.26.92.30
originates route to192.26.92/24
Invalid BGP routes exist in everyones table.
These can include routes to root/gTLD servers
One example observed on 4/16/01:
ISPs announce new path
3 lasted 20 minutes
1 lasted 3 hours
Slides courtesy of Dan Massey
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
28/77
28
Routing attacks
BGP routing can direct packets to
false server.
Detected false BGP routes to
root/gTLD severs at major global
ISPs.
Routes lasted up to hours, but were
errors and faulty site did not reply.
Any response from false server
would be believed.
NANOG 25/ICDCS 2003 -protecting BGP routes to DNS
servers
Bell LabsCaching Server
Root serverSpoofed
Root server
Internet Routing
Slides courtesy of Dan Massey
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
29/77
29
Routing attacks
Defenses Filtering based on prior information
Messes with fault-tolerance but detects intrusion attempts
Authentication of advertisements
S-BGP
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
30/77
30
Routing attacks
Spoofing with Source Routing Impersonate system A
Attacker creates packets from system A to B, with the
attackers address in the source route.
Packet sent to system B, but any replies are sent to theattackers machine.
Attacker does not forward them to system A because the connection
would be reset.
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
31/77
31
ICMP redirect hacks
Targeted Denial of Service (DoS)
Attacker sends ICMP Redirect message to give a bogus route
Attacker sends Destination Unreachable or TTL exceeded messages to
reset existing connections
Attacker sends fraudulent Subnet Mask Reply messages
Blocks communication with target
Defenses
Verify ICMP packet contains a plausible sequence #
Dont modify Global Route Table due to ICMP Redirect messages
Disallow ICMP Redirects?
Check to see if multiple ICMPs from a host agree
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
32/77
32
NIDS avoidance
NIDS: Network Intrusion Detection System Passively monitor network looking for attacks
Signature analysis done across packets
Challenges
Accuracy: false positives and false negatives
Performance: forensic value of information
Fundamental problem Deployed on a different box
Potentially on a different network
Result
NIDS could see a different stream of packets than host Protocol implementation ambiguities
Different protocol stacks have different behavior
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
33/77
33
NIDS avoidance
Insertion IDS thinks packets are valid; end system rejects these
Evasion
end system accepts packets that IDS rejects
Denial of Service
resource exhaustion
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
34/77
34
NIDS avoidance
Confuse the NIDS Invalid MAC addresses?
Invalid headers
Permissive in receiving, frugal in sending?
Bad IP checksum will be dropped?
IP options
IP TTL ambiguity
Packet received or not?
Packet too large for downstream link?
Source-routed packets
Will destination reject such packets?
Fragment time-out
Will other parts of fragment still be at destination?
Overlapping fragments
Which data will be used?
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
35/77
35
NIDS avoidance
Exhaust resources on NIDS CPU, Memory, Network Bandwidth
Fragmentation Send large numbers of fragments
CPU: data structure attack
Memory: space attack Can lead to DOS (teardrop, jolt2)
Fragrouter
Automatically fragment all packets
Accepts IP packets routed from another system and fragments these
packets according to various schemes Generate large numbers of false positives
Separating script kiddies from sophisticated hackers
Separating wheat from chaff
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
36/77
36
Transport layer hacks
http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
37/77
37
TCP session reset and hijacking attacks
Problem
TCP stacks with predictable sequence numbers
See Chapter 3 lecture notes on TCP ISN selection and the Mitnick attack
TCP reset attacks
Uses similar approach to terminate an existing connection
Send a spoofed TCP RST with guessed sequence numbers
BGP session reset
TCP hijacking
Attacker inserts itself into path
Already on the path or via ARP spoofing
Sniff to find sequence numbers of victim connection
Attacker takes over existing connection using spoofed packets and
dropping packets of one of the end-points
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
38/77
38
TCP session hijacking
Problem
Attacker not along path ofhijacked connection
Attacker sends system Bpackets with system As IPaddress
System A notices a mismatchin TCP sequence numbers
Sends ACK packets toresynchronize the numbers.
Continual retransmission ofACK packets is known as anACK storm.
Most hijacking tools cannot
cope with the ACK storm andthe connection will bedropped.
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/ -
8/3/2019 Protocol Perils
39/77
39
TCP session hijacking
Hunt (www.packetstormsecurity.org/sniffers/hunt ) 2 methods to keep session alive
Use ARP spoofing to keep connection from being dropped
Attempt to resynchronize the connection
Send a message to system A saying: msg from root: power failure try
to type 88 characters, (where 88 is the number of chars. that the attackertyped during the hijacking)
Increments the sequence number of system As TCP stack to where it
should be.
Two new ARP spoof messages are then sent, restoring the correct MAC
addresses.
http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.netscan.org/http://www.packetstormsecurity.org/sniffers/hunthttp://www.packetstormsecurity.org/sniffers/hunthttp://www.packetstormsecurity.org/sniffers/hunt -
8/3/2019 Protocol Perils
40/77
40
-
8/3/2019 Protocol Perils
41/77
41
TCP SYN flooding
Attacker sends many connection requests w/ spoofed source
addresses to victim Victim allocates resources for each request
Finite # half-open connection requests supported
Connection requests exist for TIMEOUT period
Once resources exhausted, all other requests rejected
Normal connection est. Syn Flooding attack
-
8/3/2019 Protocol Perils
42/77
42
TCP SYN flooding defenses
System Configuration Improvements Reduce timeout period
Increase length of backlog queue to support more connections
Disable non-essential services to make a smaller target
Router Configuration Improvements
Configure router external interfaces to block packets with sourceaddresses from internal network
Configure router internal interfaces to block packets to outside that havesource addresses from outside the internal network
TCP SYN cookies
Make handshake stateless on server end Server makes ISN a function of a secret nonce it keeps and pieces of the
SYN connection ID
Only create TCB and establish connection upon verifying clients ACK
-
8/3/2019 Protocol Perils
43/77
43
TCP SYN flooding defenses
Firewall as a Relay
Firewall answers on behalf of
Destination
Disadvantages
Adds delay and overhead
Pushes problem to firewall
-
8/3/2019 Protocol Perils
44/77
44
TCP SYN flooding defenses
Firewall as a Semi-transparent Gateway Firewall forges the 3rd handshake (ack) from the client to the destination This moves connection out of backlog queue, freeing resources
Sends RST packet if no subsequent ACK received from client
Eventual ACK from a good client will be ignored as a duplicate
Disadvantages:
Large # illegitimate open connections if system under attack
Must very carefully choose timeout periods
-
8/3/2019 Protocol Perils
45/77
45
TCP SYN flooding defenses
Attack w/ semi-transparent
gateway
Legit connection w/ semi-
transparent gateway
-
8/3/2019 Protocol Perils
46/77
46
TCP congestion control avoidance
Attempt to trick sender into ignoring congestion control
ACK division Receiver can acknowledge every byte in segment with a separate ACK
Leads Sender to grow cwnd faster than normal.
Solution to ACK division
Modify congestion control to guarantee segment-level granularity Only increment MSS when a valid ACK arrives for the entire segment.
Bunch ofacks
Burst 1 RTT later
-
8/3/2019 Protocol Perils
47/77
47
TCP congestion control avoidance
Duplicate Ack Spoofing Receiver sends multiple acks/sequence #
no way to tell what segment is being acked
Causes sender to enter fast-recovery mode and inflate cwnd
Solution to Duplicate Ack Spoofing
Add new fields to TCP headers. nonce & nonce-reply random values sent with segments and replies Only increment cwnd for ACKs with previously unseen nonces
Burst of dup acks
Sender enters
Fast Recoveryand bursts 1 RTTlater
-
8/3/2019 Protocol Perils
48/77
48
TCP congestion control avoidance
Optimistic ACKing
Send acks for segments not yet received
Decrease perceived RTT, affecting CW growth.
Segment acks
Segs arrive
-
8/3/2019 Protocol Perils
49/77
49
TCP congestion control avoidance
Solution to optimistic acking:
Cumulative Nonce
Sender sends random number
(nonce) with each packet
Segment size slightly
randomized Receiver sends cumulative sum
of nonces
if receiver detects loss, it sends
back the last nonce it received
Requires modifications to stack
-
8/3/2019 Protocol Perils
50/77
50
TCP congestion control attacks
The shrew attack
Use knowledge of TCP congestion control to shut out a
victim
Time packet bursts to disable victims retransmissions and
force exponential back-off
-
8/3/2019 Protocol Perils
51/77
51
TCP reflectors
TCP stack can be made to reflect via
SYN ACK by sending an initial SYN with spoofed IP address
Filtering leads to no-remote access.
RST by sending a FIN.
Countermeasures problematic Filter out SYN ACKs
Leads to disabling access to services
Filter out RST
Results in clogging of stale connections state
-
8/3/2019 Protocol Perils
52/77
52
NIDS avoidance
TCP tricks to confuse or disable NIDS TCP Options fields
Will packet be accepted?
Will option be processed?
Destination might be configured to drop weird options
Old TCP timestamps (PAWS) Destination might be configured to drop
TCP RSTs with weird sequence numbers Is connection reset?
TCP handshake time-out Will TCB still be at destination?
TCP stream reassembly with overlapping segments Rewrite old data or not?
-
8/3/2019 Protocol Perils
53/77
53
Application layer hacks
fi
-
8/3/2019 Protocol Perils
54/77
54
DNS spoofing
Problem
No authentication of responses
Any DNS response is generally believed.
No attempt to distinguish valid data from invalid.
Responses can contain entries that should not be trusted but are
Responses are cached
Just one false root server could disrupt the entire DNS.
Attacks Inject bogus DNS responses
Attach additional bogus entries in valid DNS responses (especially for
internal names)
ApplicationRemote Name Server
(?)
Local Name Server
(Trusted)Resolver
*Firewall
DNS fi
-
8/3/2019 Protocol Perils
55/77
55
DNS spoofing
DNS spoofing
-
8/3/2019 Protocol Perils
56/77
56
DNS spoofing
Caching
DNS Server
Sanjoys
Laptop
www.darpa.mil A?
www.darpa.mil
A 128.9.128.127
Root DNS Server
mil DNS Server
darpa.mil DNS Server
Dans
Laptop
Easy to observe UDP DNS query sent to
well known server on well known port.
www.darpa.mil
A 192.5.18.19
First response wins. Second response is
silently dropped on the floor.
DNS h i i
-
8/3/2019 Protocol Perils
57/77
57
DNS cache poisoning
ns.attacker.com
Bell Labs
Caching Server
Remote attacker
Query
www.attacker.com
Response
www.attacker.com A 128.9.128.127
attacker.com NS ns.attacker.comattacker.com NS www.google.com
ns.attacker.com A 128.9.128.2
www.google.com A 128.9.128.127
Any Bell Labs Laptop
Query www.google.com
www.google.com
= 128.9.128.127
DNS h i i
-
8/3/2019 Protocol Perils
58/77
58
DNS cache poisoning
Defenses
DNS Proxy
Filter
Drop malformed packets
Verify
Does the answer, really answer the query made?
Was the answer received from the appropriate server?
Proxy performs checks on the answers from outside DNS servers
A th ti ti DNS R
-
8/3/2019 Protocol Perils
59/77
59
Authenticating DNS Responses
Attack fundamental problem
Resolver cant distinguish between valid and invalid data in a response.
Add source authentication
Verify the data received in a response is equal to the data entered by the
zone administrator.
Each DNS zone signs its data using a private key. Query for a particular record returns:
The requested resource record set.
A signature (SIG) of the requested resource record set.
Resolver authenticates response using public key.
Public key is pre-configured or learned via a sequence of key records in the
DNS heirarchy.
Secure DNS Query and Response
-
8/3/2019 Protocol Perils
60/77
60
Secure DNS Query and Response
Caching DNS Server
End-user
www.darpa.mil
www.darpa.mil =
192.5.18.195
Plus (RSA) signature by darpa.mil
Attacker can not forge this answerwithout the darpa.mil private key.
Authoritative DNS Servers
Challenge: add signatures to the protocol
manage DNS public keys
M i th iddl tt k
-
8/3/2019 Protocol Perils
61/77
61
Man-in-the-middle attacks
Web proxying
Attacker runs webmitm feature on Dsniff and uses DNS spoofing Use DNS spoofing to have all HTTP and HTTPS traffic go to webmitm
Target connects to attackers machine and SSL connection is established.
Attackers system establishes a SSL connection with the server the target isattempting to access.
Webmitm acts as proxy with two connections From the targets system to the attackers machine
From the attackers machine to the actual server the target was trying to reach
Note: the target receives attackers certificate, not the certificate of theserver the target is trying to reach.
User receives warning about a certificate that is not signed by a trustedcertificate authority (Who pays attention to those?)
Webmitm displays the contents of the SSL session on the attackers screen
SSH proxying Similar to above with sshmitm (another Dsniff feature)
M i th iddl tt k
-
8/3/2019 Protocol Perils
62/77
62
Man-in-the-middle attacks
Di t ib t d D i l f S i
-
8/3/2019 Protocol Perils
63/77
63
Distributed Denial-of-Service
Take control of large numbers of machines (zombies)
Use collection of zombies (Botnet) to knock out target
service
Example: TFN2K
www.packetstormsecurity.nl/groups/mixter/index2.html
Di t ib t d D i l f S i
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
64/77
64
Distributed Denial of Service
DNS DoS attacks
DNS root server attack
DDoS attack disabling 9 of the 13 DNS root servers (10/2002)
Bringing down all 13 root servers is frequently mentioned as a worst
case scenario that would cripple the Internet.
Local DNS name server attack
Send large set of valid queries to victim
Use arbitrary names to thrash cache
Solution: Provide filtering in name servers so as to only serve
recursive queries from local addresses
P k t f d th
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
65/77
65
Packet of death
Send a malformed packet. Different platforms may be
susceptible to different types of malformed packets.
These packets have structures that the TCP/IP stacks
cannot anticipate, causing the system to crash.
Malformed packet suites available at:www.packetstormsecurity.org/DoS
Application la er reflectors
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
66/77
66
Application layer reflectors
DNS
Reflector sending DNS reply in response to a spoofed DNS
request.
Victim can configure its local DNS servers so as to filter out
unknown DNS server responses.
If the victim is an authoritative name server
Attacker queries a large number of local DNS servers which in turn
recursively query the Victim.
Victim server gets bombarded due to multiple queries.
Application layer reflectors
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
67/77
67
Application layer reflectors
HTTP proxies
HTTP proxy caches provide a way that an HTTP client can manipulate a
proxy server into initiating a connection to a victim web server.
HTTP proxy servers act as reflectors for the DDOS attacks.
Limitations
Proxies can be configured to serve a restricted set of clients. Not enough proxies to constitute a large pool of possible reflectors.
Connection between slave and the reflector cannot be spoofed unless the
reflecting proxy has predictable sequence numbers
Logging helps in identifying the slaves location.
Definitely a major threat if proxies running on stacks with predictable
sequence numbers are widely deployed.
Application layer reflectors
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
68/77
68
Application layer reflectors
Gnutella
Provides a push facility that instructs the server to connect to a given
IP address and port in order to deliver the Gnutella item.
Gnutella connection to the IP host is separated from the initial client
making it impossible to trace back to the slave.
Fix Modify the protocol to include path information with push directives
Gnutella could be a major problem for DDOS reflector attacks.
Application layer reflectors
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
69/77
69
Application layer reflectors
SNMP (UDP-based request/reply)
Sites that fail to block off-site access to SNMP provide a
large number of reflectors.
SNMP attack is sourced at port 161.
Filtering out the external SNMP messages leads to majorproblem for service providers.
Configure the filter to receive SNMP messages from interested hosts
Game protocols
Quake Qstat (UDP) Counter-strike clients (UDP)
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
70/77
70
NIDS avoidance
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
71/77
71
NIDS avoidance
Confuse NIDS at application-layer
Addition of interpreted characters (^H)
How does OS interpret?
References
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
72/77
72
References
C. Schuba, I. Krsul, M. Kuhn, E. Spafford, A. Sundaram, D.
Zamboni, "Analysis of a Denial of Service Attack on TCP" S. Bellovin, "Security Problems in the TCP/IP Protocol Suite"
S. Bellovin, "Defending against sequence number attacks"
S. Bellovin, "Packets Found on an Internet"
R. Morris, "A Weakness in the 4.2BSD Unix TCP/IPSoftware
B. Cheswick, S. Bellovin, A DNS Filter and Switch forPacket-filtering Gateways.
S. Savage, N. Cardwell, D. Wetherall, T. Anderson, TCPCongestion Control with a Misbehaving Receiver.
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
73/77
73
Extra slides
TCP for Transactions (T/TCP) reflectors
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
74/77
74
TCP for Transactions (T/TCP) reflectors
Spoof initial SYN packet with acceptable seq. no.
Make an expensive request.
Factors that limit the T/TCP attack
T/TCP server will begin in slow start.
Unless the servers stack has predictable seq. no. Amenable to stateless packet filtering.
T/TCP is not widely deployed.
IP Address Spoofing
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
75/77
75
IP Address Spoofing
Used to disguise the IP address of a system.
Three ways an IP address can be spoofed: changing the
IP address, undermining UNIX r-commands, and
spoofing with source routing
Changing the IP address: The attacker can either
reconfigure the whole system to have a different IP
address or use a tool (Nmap or Dsniff) to change thesource address of outgoing packets. Limitation: the
attacker cannot receive any responses.
Undermining UNIX r Commands:
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
76/77
76
Undermining UNIX r-Commands:
Attacker finds two computers with a trust relationship
Send a bunch of TCP SYN packets to target and see how the initial
sequence numbers change
A DoS attack is sent to other system
Attacker initializes a connection with target system, using the IP
address of the other system
Target system sends TCP SYN and ACK packets to other system,which is dead
Attacker estimates initial sequence number of other system and
sends TCP ACK packet back
If initial sequence numbers match, attacker has successfully gained
one-way access to the target.
Undermining UNIX r-Commands
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html -
8/3/2019 Protocol Perils
77/77
Undermining UNIX r Commands
http://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.htmlhttp://www.packetstormsecurity.nl/groups/mixter/index2.html