internet holes — part 10: udp viruses


Upload: fred-cohen

Post on 26-Jun-2016


Page 1: Internet holes — Part 10: UDP viruses

June 1996 Network Security

launched as a companion product to WebScan, an anti-virus scanner for Web browsers. Together, the two products provide client/server protection against Internet-borne viruses. WebScan is compatible with leading network firewalls and Internet gateways. The product provides protection against virus-infected SMTP, FTP and HTTP traffic on a TCP/IP network. The protection can be updated each month with McAfee’s virus signature updates, which provide protection against the estimated 200 new viruses that are discovered each month. The product resides independent of the network firewall and utilizes a dual-homed architecture system for increased security. Dual-homed architectures, which utilize two network interface cards, provide an added barrier to potentially infected traffic. All network traffic is scanned between the cards, alerting administrators of any detected viruses. The system, McAfee claims, is immune from hosting external hackers and crackers. Only the network administrator has access to the system, and this access is granted utilizing a one-time password key that generates a random password on each use. The system is completely transparent to users and requires no user training or IP address management. It also has a packet-filtering scanning engine that quickly scans all incoming and outgoing traffic and maximizes network performance.

For further information, contact Caroline Kuipers, McAfee Associates on: +44 7 344 304730.

Internet Holes - Part 10: UDP Viruses

Fred Cohen

The Internet is now the world’s most popular network and it is full of potential vulnerabilities. In this series of articles, we explore the vulnerabilities of the Internet and what you can do to mitigate them.

The Internet Protocol (IP) suite [1] includes two widely used protocols designed to provide application-level access to services. One of them is the Transmission Control Protocol (TCP) [2], which is designed to provide reliable end-to-end terminal sessions to the application layer, and the other one is called User Datagram Protocol (UDP) [3], which is designed, in essence, to simulate an application-level version of IP.

UDP packets have the following format:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
I  |0 1 0 0|  IHL  |Type of Service|          Total Length         |
P  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
h  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
e  |  Time to Live |0 0 0 1 0 0 0 1|         Header Checksum       |
a  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
d  |                       Source Address                          |
e  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
r  |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
U  |          Source Port          |       Destination Port        |
D  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
P  |            Length             |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            Data ...                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

[1] Internet Standard 5 - Internet Protocol. J. Postel, September 1981.
[2] Internet Standard 7 - Transmission Control Protocol. J. Postel, September 1981.
[3] Internet Standard 6 - User Datagram Protocol. J. Postel, August 1980.

©1996 Elsevier Science Ltd

Whenever a UDP packet shows up at an Internet router, unless specifically configured otherwise, the router will try to route the packet to the destination address specified in the IP header. Each UDP packet stands on its own as far as the IP protocol is concerned, and there are no reliability features associated with these packets. It is the responsibility of the application programs using these packets to provide any desired reliability. The first field (0100) indicates that this is an IP version 4 packet, while the field containing 00010001 is the indicator for a UDP packet.

The UDP portion of the packet includes a Source Port and Destination Port. The Destination Port is used to identify which application program the packet is to be sent to for processing, while the Source Port and the Source Address provide the return address for the application to use when sending response packets, assuming any response is called for. The Length and Checksum fields are used to determine the number of data bytes in the packet and to verify that random noise in transmission hasn’t corrupted the packet in transit. Neither of these items provides any protection against malicious modification. The Data area contains the data sent to the application program for its use.

The rest of this article is about UDP packets that reproduce, and are therefore computer viruses in the Internet environment.

UDP virus examples

Let’s start with a simple example of a UDP virus. From now on, we will eliminate unnecessary detail from the packets:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
h  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
e  |               |      17       |              ...              |
a  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
d  |                           127.0.0.1                           |
e  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
r  |                      Victim's IP Address                      |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              ...                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
U  |               7               |               7               |
D  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
P  |              ...              |              ...              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                              ...                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

In this case, the source and destination ports are both 7, and the source and destination IP addresses are 127.0.0.1 and the victim’s IP address. UDP port 7 is normally the echo service. The function of this service is to transmit whatever data was sent to it back to the source. In this case, the source is identified as IP address 127.0.0.1, also known as localhost. This special IP address is called the loopback address of the machine sending the packet because it is used for a computer to send IP messages to itself. When this packet is received, a copy of the packet will be sent to port 7 of IP address 127.0.0.1, the echo port of the victim’s computer. Since this packet was from port 7 of the victim’s computer, it will, in turn, send a copy of the packet to itself, and off we go. The result is an infinite stream of echo packets sent from the victim’s computer to itself. In demonstrations, this has been shown to cause the victim’s computer to crash.

This particular service (echo) is an accident waiting to happen. In the following examples, we have removed more unnecessary details:

From Port: 7
Dest Port: 7
From IP: Victim-1
Dest IP: Victim-2

In this simple extension of the previous attack, two hosts are targeted to send an infinite stream of packets between each other. The only difference between the previous example and this one is that instead of using the loopback address, we use the address of a second victim. On a high speed line, such as an Ethernet, this will likely crash one or both computers and disable the Internet until they crash. On a lower speed line, it will dominate the communications media, widely denying services. But if we want to be more certain of this, we might add something else to the packet. For example, if we set the Type of Service field to Network Control, Low Delay, High Throughput, High Reliability by setting its value to all 1s, we will force these packets to over-ride other packets in the path between the two victims.

It turns out that the echo service is not the only UDP service with this sort of a problem. Another example is the daytime service on UDP port 13. The daytime service ignores the data part of the packet sent to it and returns a packet containing the time of day as determined by the clock on the computer providing the service. This is used, among other things, to synchronize clocks for cross matching audit entries between two systems. Here’s an example:

From Port: 7
Dest Port: 13
From IP: Victim-1
Dest IP: Victim-2

This is the most complicated example yet. In this case, two different ports on two different systems are used to create the virus. Port 13 on Victim-2 ignores the input and produces a daytime packet, while Port 7 on Victim-1 sends a copy of that packet back to Port 13 on Victim-2 to close the loop.

Environmental factors

There is a pattern to the environments that provide a ripe breeding ground for these protocol-level viruses in the Internet, and that pattern is not very complicated. All of the services return a result regardless of their input, eliminating any syntactic or semantic restriction that could prevent the infinite loop, and all of them either produce more or the same amount of output as they require input to produce that output.

Another way to think about this is to consider that these services form loops without negative feedback mechanisms. A loop without negative feedback either remains stable or grows without bound due to positive feedback, and any perturbation on a stable loop tends to create positive feedback.

To put this concept into practice, let’s identify other UDP services that are likely to provide environments for protocol viruses. Here’s my short list:

11: systat
17: quote of the day
19: chargen
37: time
43: whois
513: who
550: new-rwho

Prevention and limitations

The easiest way to prevent UDP viruses is to turn off all UDP services not in use and block UDP services at routers, firewalls and other IP filters.


Fortunately, the services listed above can be eliminated in most systems without undue harm.
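One way to check which of those services a Unix host still has switched on is to read its inetd configuration. The following Python is added here as an example and is not code from the article or from any product it mentions: it scans an inetd.conf for active UDP entries on the ports listed above and returns a copy with those lines commented out. The sample configuration is constructed for the example, and the mapping from service names to port numbers follows the names used in a typical /etc/services; both are assumptions of the example.

```python
"""Added example (not from the article): find the loop-capable UDP services
the article lists that are still enabled in an inetd.conf, and disable them."""

# Service names for the article's port list, as named in a typical /etc/services
# (assumption of the example; check the local file if names differ).
LOOP_SERVICES = {"echo": 7, "systat": 11, "daytime": 13, "qotd": 17, "chargen": 19,
                 "time": 37, "whois": 43, "who": 513, "new-rwho": 550}

# Constructed sample configuration (not taken from any real host).
SAMPLE_INETD_CONF = """\
# service  socket  proto  wait/nowait  user  server  args
echo     dgram   udp   wait    root  internal
echo     stream  tcp   nowait  root  internal
daytime  dgram   udp   wait    root  internal
#chargen dgram   udp   wait    root  internal
ntalk    dgram   udp   wait    root  /usr/sbin/tcpd  in.ntalkd
tftp     dgram   udp   wait    root  /usr/sbin/tcpd  in.tftpd
"""


def enabled_loop_services(conf_text):
    """Return (line_number, service, port) for every active UDP entry on a loop port.
    TCP entries are ignored: the loops the article describes are a UDP problem."""
    hits = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue                                  # blank line or comment
        service, socktype, proto = fields[:3]
        if socktype == "dgram" and proto == "udp" and service in LOOP_SERVICES:
            hits.append((lineno, service, LOOP_SERVICES[service]))
    return hits


def disable_loop_services(conf_text):
    """Return the configuration with the offending lines commented out, which is
    the change an administrator would make by hand before restarting inetd."""
    doomed = {lineno for lineno, _, _ in enabled_loop_services(conf_text)}
    out = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        out.append("#" + line if lineno in doomed else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, service, port in enabled_loop_services(SAMPLE_INETD_CONF):
        print("line %d: %s (udp/%d) is enabled" % (lineno, service, port))
    print(disable_loop_services(SAMPLE_INETD_CONF))
```

On the constructed file the audit reports the UDP echo and daytime entries and leaves the TCP echo entry, the already-commented chargen line and the unrelated services alone; the rewritten text is what you would install before signalling inetd to re-read its configuration.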

Another form of protection is provided by eliminating outside packets with inside addresses (see the previous Internet Holes article on preventing IP address forgery for further details). This eliminates all of the outside attacks that pit one internal machine against another. Similarly, packet filters could be configured to prevent packets from known viral ports to other known viral ports. For example, we could refuse packets to port 7 from ports 7, 11, 13, 17, 19, 37, 43, 513, and 550 as a start.
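As an added example, not code from the article or from any product it names, the following Python ties the packet-format figure to the filtering advice in this section. It parses the IPv4 and UDP headers the figure draws, verifies both checksums, and then applies three rules: refuse datagrams whose source address is the loopback address, refuse outside datagrams carrying inside source addresses, and refuse datagrams whose source and destination ports are both on the list of loop-capable services (the article's "port 7 from the viral ports" rule, generalized to any pair of ports on the list). The sample datagrams, the inside network 192.0.2.0/24 and all function names are constructed for the example; the port list is the one the article gives.

```python
"""Added example (not the article's code): parse the IPv4/UDP headers the
article draws, verify both checksums, and apply the article's filter rules."""
import ipaddress
import struct

UDP_PROTO = 17      # the 00010001 Protocol value in the article's IP header figure
# UDP ports the article lists as services that answer every datagram they receive.
LOOP_PORTS = {7, 11, 13, 17, 19, 37, 43, 513, 550}


def checksum(data):
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                     # an odd trailing byte is padded with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_datagram(src, dst, sport, dport, payload=b"", tos=0):
    """Test fixture only: assemble an IPv4/UDP datagram in memory with valid
    checksums so the parser has realistic input. Nothing here touches a socket."""
    src_b, dst_b = ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed
    ulen = 8 + len(payload)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, UDP_PROTO, ulen)   # RFC 768 pseudo-header
    ucsum = checksum(pseudo + struct.pack("!HHHH", sport, dport, ulen, 0) + payload)
    udp = struct.pack("!HHHH", sport, dport, ulen, ucsum or 0xFFFF) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + ulen, 0, 0, 64, UDP_PROTO, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]          # fill in Header Checksum
    return ip + udp


def parse_ipv4_udp(pkt):
    """Return the header fields the article discusses; raise ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    vihl, tos, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len > len(pkt) or ihl + 8 > total_len:
        raise ValueError("inconsistent IPv4 lengths")
    if checksum(pkt[:ihl]) != 0:            # a valid header sums to zero
        raise ValueError("bad IP header checksum")
    if proto != UDP_PROTO:
        raise ValueError("protocol %d is not UDP" % proto)
    sport, dport, ulen, ucsum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if ulen < 8 or ihl + ulen > total_len:
        raise ValueError("inconsistent UDP length")
    segment = pkt[ihl:ihl + ulen]
    pseudo = src + dst + struct.pack("!BBH", 0, UDP_PROTO, ulen)
    # A zero checksum means the sender omitted it, which IPv4 UDP permits.
    udp_ok = ucsum == 0 or checksum(pseudo + segment) == 0
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "tos": tos, "ttl": ttl, "sport": sport, "dport": dport,
            "payload": segment[8:], "udp_checksum_ok": udp_ok}


def loop_risk(fields, inside_nets, from_outside):
    """Apply the article's rules to parsed fields; an empty list means 'pass'."""
    src = ipaddress.IPv4Address(fields["src"])
    nets = [ipaddress.ip_network(n) for n in inside_nets]
    reasons = []
    if src.is_loopback:
        reasons.append("loopback source address arriving on the wire")
    if from_outside and any(src in net for net in nets):
        reasons.append("outside packet carrying an inside source address")
    if fields["sport"] in LOOP_PORTS and fields["dport"] in LOOP_PORTS:
        reasons.append("loop-capable port pair %d -> %d" % (fields["sport"], fields["dport"]))
    if fields["tos"] == 0xFF:
        reasons.append("Type of Service set to all ones")
    return reasons


INSIDE_NETS = ["192.0.2.0/24"]              # assumed internal network (documentation range)
# Constructed samples modelled on the article's figures: (datagram, arrived from outside?)
SAMPLES = {
    "echo loop via loopback": (build_datagram("127.0.0.1", "192.0.2.10", 7, 7, b"ping"), True),
    "two-victim daytime loop": (build_datagram("192.0.2.20", "192.0.2.10", 7, 13), True),
    "ordinary DNS query": (build_datagram("198.51.100.5", "192.0.2.10", 40000, 53, b"q"), True),
}


def classify_samples():
    """Map each sample name to the list of reasons a filter would drop it."""
    return {name: loop_risk(parse_ipv4_udp(pkt), INSIDE_NETS, outside)
            for name, (pkt, outside) in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in classify_samples().items():
        print("%-24s %s" % (name, "; ".join(reasons) or "pass"))
```

Running the file prints a verdict for each constructed sample: the two loop datagrams are refused for two reasons each and the DNS query passes. The checksum check only confirms that a datagram was not damaged in transit; anyone who alters a packet can recompute both checksums, which is the article's point that the Length and Checksum fields give no protection against malicious modification, so the decision rests on the address and port rules, not on the checksums.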

Unfortunately, there are some limits on prevention. One limit is that most systems within a LAN don’t have the sort of filtering capability needed to defend against these attacks, and most systems that run IP have some of these services enabled by default. This means that almost any insider could easily deny services with such an attack. For example, if a logging server were used to keep log files, this attack could be used to crash the logging server as a prelude to other break-ins.

Another limitation is that the Harvest Web server sometimes used UDP port 7 to determine whether or not to update a cached Web file. This means that any server that provides Web caching has to make UDP port 7 available for this service to work properly.

A final limitation is that an insider could set up their own UDP service (e.g. on port 1025) and use this service to crash the computer they are logged into.

Summary

UDP viruses are a denial of service threat to anyone using the IP protocol, but they are a threat that can be managed with relative ease given proper technology and knowledge.

E-mail Security - An Oxymoron?

A. Padgett Peterson, P.E.

Of all the Internet services, the most prolific is E-mail. Millions of messages are sent daily with the expectation of accuracy, fast delivery, and confidentiality. This lemming-like trust is so pervasive that many, faced with the reality of E-mail, become incensed that the truth falls far short of such trust.

So the first question is: what is E-mail? Simply, it is a logical extension of the Internet itself, whose sole purpose is to be “available”. For those familiar with the CIA triangle of security, this means that no (or very little) consideration is given to confidentiality or integrity; the purpose of the Internet is to deliver the mail (packets), not to decide what to deliver or if it should be delivered, but just to deliver.

As a point of fact there is even a Request For Comment (RFC) - the architectural base of the Internet - devoted to the subject: RFC 1281 “Guidelines to the Secure Operation of the Internet”.

One of the shorter RFCs, since essentially it says, “There is no security on the Internet” and that all security is the responsibility of the user. Further, of all of the protocols available, the “Simple Mail Transfer Protocol”, or more commonly just “SMTP”, is the easiest to forge.

Source is easily hidden

Dating from 1982, the RFCs (821 and 822) make this abundantly clear:

“An important feature of SMTP is its capability to relay mail across transport service environments. A transport service provides an interprocess communication environment (IPCE). An IPCE may cover one network, several networks, or a subset of a network. It is important to realize that transport systems (or IPCEs) are not one-to-one with networks. A process can communicate directly with another process through any mutually known IPCE. Mail is an application or use of interprocess communication. Mail can be communicated
