
DESCRIPTION

This slide shows vulnerabilities in Tcp and Arp protocol and suggests use of LOT protocol on network gateways.

TRANSCRIPT

Page 1: TCP Vulnerabilities

Motivation Problem Statement TCP Vulnerabilities ARP LOT Observation Conclusion References

TCP Vulnerabilities and IP Spoofing: Current Challenges and Future Prospects

Prakhar Bansal, Registration No. 2011CS29

Computer Science and Engineering Department, Motilal Nehru National Institute of Technology Allahabad, Allahabad, India

November 5, 2012

Prakhar Bansal, MNNIT Allahabad 1 / 45

TCP Vulnerabilities and IP Spoofing

Page 2: TCP Vulnerabilities


1 Motivation

2 Problem Statement

3 TCP Vulnerabilities

4 ARP Cache Poisoning Attack

5 LOT: Lightweight Opportunistic Plug and Play Secure Tunneling Protocol

6 Observation

7 Conclusion

8 References


Page 3: TCP Vulnerabilities


Motivation: Why?



Page 5: TCP Vulnerabilities


Prolexic Attack Report [1]

Number of DDoS attacks: ⇑ 88%

Average attack duration: ⇑ up to 33 hours

Average attack bandwidth: ⇑

Packets/second rate: ⇑

Top DDoS-originating country: China


Page 6: TCP Vulnerabilities


Norton Cyber Crime Report 2012 [2]

According to the report, cybercrime affects:

556 million victims per year

2 out of 3 online adults in their lifetime

42 million+ people in India in the last 12 months

The global price tag has reached up to $110 billion

$197 average cost per victim


Page 7: TCP Vulnerabilities


Cybercrime global cost

Figure: Cybercrime global cost [2]

Page 8: TCP Vulnerabilities


Government Budgets and Recent Reports

UK businesses lose around £21 billion a year [3]

India spent 37.7 crores this year

The US has proposed $800 million for the next fiscal year, 2013-14

Government should spend more on policing the Internet [4]


Page 9: TCP Vulnerabilities


Recent Anonymous Attacks I


Page 10: TCP Vulnerabilities


Recent Anonymous Attacks II

On Jan 19, 2012, the group attacked the US Department of Justice and the FBI in protest of SOPA.

The group claimed this to be its largest attack, with over 5635 bot-nets.

Attacks on Facebook on October 12, 2012, which led to Facebook shutting down in Europe.


Page 11: TCP Vulnerabilities


Recent Anonymous Attacks III

Attacked many Indian websites, including the website of the Supreme Court of India and those of national political parties, in response to Internet censorship.

Took down UK government websites in April 2012, in protest against government surveillance policies.


Page 12: TCP Vulnerabilities


Problem Statement

‘To design a reliable, scalable and secure network. The network which no one can spoof, no one can flood and no one can hack.’

Protocol vulnerabilities are one of the long-standing major challenges in network communications.

The reports and attacks discussed show how vulnerable our network protocols are.


Page 13: TCP Vulnerabilities


TCP Vulnerabilities: Three-way Handshake

Figure: Three-way handshake


Page 14: TCP Vulnerabilities


Establishing & Closing a TCP Connection: Sequence of States at Client TCP

Figure: Sequence of states at client TCP


Page 15: TCP Vulnerabilities


Establishing & Closing a TCP Connection: Sequence of States at Server TCP

Figure: Sequence of states at server TCP


Page 16: TCP Vulnerabilities


TCP SYN Flooding Attack: Theory of Operation

Server TCP in the LISTEN state transitions to the SYN-RECEIVED state when it receives a SYN segment.

Server TCP maintains a Transmission Control Block (TCB) for each such connection.

SYN flooding attacks try to exhaust the memory of the attacked system.

The success of a SYN flooding attack lies in:

packet size,

frequency, and

distinct, distributed and unreachable IP addresses.


Page 17: TCP Vulnerabilities


TCP SYN Flooding Attack: Countermeasures I

Filtering

Increasing the backlog

Reducing the SYN-RECEIVED timer

Recycling the oldest half-open TCB

SYN cache

SYN cookies

SYN cookies limitations


Page 18: TCP Vulnerabilities


ARP Cache Poisoning Attack: About ARP

Originally published by David C. Plummer in RFC 826.

To communicate with a host on the network we must know the 48-bit Ethernet address (MAC address) of the host.

The host broadcasts an ARP query on the network.

The host with the given IP unicasts an ARP reply.

Each node in a network maintains a data structure named the ARP cache for storing <IP, MAC> pairings.

ARP cache entries expire after some time.


Page 19: TCP Vulnerabilities


ARP Cache Poisoning Attack: Theory of Operation

ARP is a stateless protocol.

A host updates its ARP cache on any ARP query.

A false ARP reply is reflected in the ARP cache as soon as the host receives it.

Once the host updates its ARP cache, the attacker also receives the packets intended for some other system.


Page 20: TCP Vulnerabilities


ARP Cache Poisoning Attack: Countermeasures I

Huang in 2008 suggested adding state to the ARP protocol [5].

Figure: Huang solution [5]


Page 21: TCP Vulnerabilities


ARP Cache Poisoning Attack: Countermeasures II

Seung Yeob Nam in 2010 proposed a voting-based resolution mechanism to prevent ARP attacks.

It suggests that the host first asks other neighboring hosts about this IP and MAC before updating its table.

Some firewall and router manufacturers have procedures in their products to detect ARP spoofing attacks.

Software such as arp-guard recognizes changes in ARP tables and reports them to a managing system [6].


Page 22: TCP Vulnerabilities


LOT: About LOT

LOT needs to be installed at the communicating network gateways [7].

Once installed, one gateway establishes an efficient tunnel for secure communication with another gateway.

The working code prototype is available online at ‘http://lighttunneling.sourceforge.net’.


Page 23: TCP Vulnerabilities


LOT: LOT Features

Local and remote quotas

Filtering

Congestion detection

Ingress filtering solution: adds a pseudo-random tag to each packet.


Page 24: TCP Vulnerabilities


LOT: Communication Model

As the IP address space is {0, 1}^32 [8], the LOT protocol gives every entity in the network an address space S = {0, 1}^l.

A set NB ⊆ S is a network block if it consists of the addresses sharing a prefix P, P ∈ {0, 1}^{l'}, l' < l.

Network hosts and LOT gateways are all network entities e, each with a network block NB(e).

Each host entity h is associated with a single-address network block, |NB(h)| = 1.

A gateway entity may be associated with a larger network block.


Page 25: TCP Vulnerabilities


LOT: Communication Model

Figure: Communication model [7]


Page 26: TCP Vulnerabilities


LOT: Communication Model

Network entities communicate by sending messages to their next peers. Next peers are decided as follows. Two entities e1, e2 are peers if and only if either:

NB(e1) ⊂ NB(e2) and NB(e1) ⊄ NB(G) ⊄ NB(e2) for a gateway G; e.g. entities A and C in the communication model figure are peers; or

NB(e2) ⊄ NB(e1), NB(e1) ⊄ NB(e2), and NB(e1) ⊄ NB(G) or NB(e2) ⊄ NB(G); e.g. entities F and G in the figure are peers.


Page 27: TCP Vulnerabilities


Handshake Between Gateways, Phase 1: Hello Phase I

HOST_A ∈ some NB1 behind GW_A sends a packet to HOST_B in some other NB2 not associated with GW_A.

It identifies the gateway GW_B associated with NB(HOST_B).

GW_A begins the handshake by sending a hello request message to HOST_B.

The hello request message contains:

details of NB(HOST_A) associated with GW_A, and

a cookie, cookie_A.


Page 28: TCP Vulnerabilities


Handshake Between Gateways, Phase 1: Hello Phase II

GW_B intercepts the hello request message and replies with a response message.

The hello response message contains:

details of NB(HOST_B) associated with GW_B,

cookie_A, and

for optimization, cookie_B.


Page 29: TCP Vulnerabilities


Handshake Between Gateways, Phase 1: Hello Phase III

Figure: Phase 1: hello phase


Page 30: TCP Vulnerabilities


Handshake Between Gateways, Phase 2: Network Block Validation I

GW_A checks whether GW_B ∈ NB(HOST_B), and GW_B checks whether GW_A ∈ NB(HOST_A).

The validation consists of n iterations.

GW_A sends a packet with a cookie to a random host in NB(GW_B).

If GW_B is associated with the same NB, it should be able to intercept it.

The cookie is based on NB(GW_B), the current time at GW_A, the current iteration number and the agreed-upon number of iterations.


Page 31: TCP Vulnerabilities


Handshake Between Gateways, Phase 2: Network Block Validation II

GW_B, after intercepting correctly, sends back a challenge to a random host associated with GW_A, together with its response.

This response contains two cookies, and the arguments GW_A needs to regenerate its cookie.

GW_A extracts its cookie and matches it after regenerating it.

If GW_A ∈ NB(HOST_A), it intercepts the challenge.

Now GW_A selects another random host from NB(HOST_B).

This process is repeated n times.

To avoid DDoS attacks, η_max is set as a global constant and n ≤ η_max.
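The network block validation above, as an added simulation (not code from these slides or from the LOT project): GW_A probes random hosts in the block a gateway claims, with keyed cookies bound to NB(GW_B), GW_A's time, the round number and the agreed n, capped at η_max; a gateway that announces a block it does not actually front never sees the probes and so fails validation. Gateway names, address blocks, secrets and the η_max value are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import random

ETA_MAX = 16   # global cap on validation rounds, standing in for the protocol's eta_max

class Gateway:
    """A LOT gateway: `covers` is the block it really fronts (what it can intercept),
    `claims` is the block it announces in the hello phase. All values are constructed."""

    def __init__(self, name, covers, claims=None):
        self.name = name
        self.covers = ipaddress.ip_network(covers)
        self.claims = ipaddress.ip_network(claims or covers)
        # Per-gateway secret that makes its cookies unforgeable (constructed, never shared).
        self.secret = hashlib.sha256(f"demo-secret-{name}".encode()).digest()

    def make_cookie(self, block, t, i, n):
        # Bound to the peer's claimed block, this gateway's time, the round i and agreed n.
        msg = f"{block}|{t}|{i}|{n}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:16]

    def respond(self, cookie, args):
        # The intercepting gateway echoes the cookie with the arguments (block, t, i, n)
        # that the sender needs to regenerate it.
        return cookie, args

def deliver(gateways, dst):
    """Constructed network: a packet for dst reaches the gateway whose real block covers dst."""
    for gw in gateways:
        if dst in gw.covers:
            return gw
    return None

def validate_block(gwa, claimant, gateways, n, t, rng):
    """Phase 2 as run by GW_A: up to eta_max rounds, each sending a cookie to a random
    host in the block the claimant announced. The claim holds only if the claimant itself
    intercepts every probe and returns a cookie that GW_A can regenerate."""
    n = min(n, ETA_MAX)
    block = claimant.claims
    for i in range(n):
        host = block[rng.randrange(block.num_addresses)]
        cookie = gwa.make_cookie(block, t, i, n)
        receiver = deliver(gateways, host)
        if receiver is not claimant:
            return False   # the claimant never saw the cookie, so it cannot answer it
        echoed, args = receiver.respond(cookie, (block, t, i, n))
        if not hmac.compare_digest(gwa.make_cookie(*args), echoed):
            return False   # echoed cookie does not regenerate: reject the claim
    return True

def demo():
    gwa = Gateway("GW_A", "192.0.2.0/24")
    gwb = Gateway("GW_B", "198.51.100.0/24")                            # honest gateway
    evil = Gateway("EVIL", "203.0.113.0/24", claims="198.51.100.0/24")  # claims GW_B's block
    net = [gwa, gwb, evil]
    rng = random.Random(7)
    honest = validate_block(gwa, gwb, net, n=8, t=1700000000, rng=rng)
    spoofed = validate_block(gwa, evil, net, n=8, t=1700000000, rng=rng)
    return honest, spoofed
```

A claimant that fronts only half of the block it announces would slip past each round with probability 1/2, so the n rounds catch it with probability 1 - 2^-n, which is why n matters and why η_max bounds the cost of the check.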


Page 32: TCP Vulnerabilities


Handshake Between Gateways, Phase 2: Network Block Validation

Figure: Phase 2: network block validation

Page 33: TCP Vulnerabilities


LOT: LOT Packet Structure

The IP header is modified significantly in order to encapsulate LOT.

IP flags: the DF/MF flags are always unset, as there is no packet fragmentation within the LOT tunnel.

Protocol type: this field is modified to indicate that the packet is encapsulated using LOT.

LOT header: a LOT header is attached to the packet. It contains:

a tag,

fields for reconstruction of the original packet, including the IP flags and transport protocol, and

fields that allow the receiving-end gateway to reconstruct the session key.


Page 34: TCP Vulnerabilities


My Observation: TCP Three-way Handshake I

While studying the TCP protocol, I observed a few things in the three-way handshake.

The success of SYN flooding attacks depends on the frequency of SYN segments reaching the server side.

Neither increasing the backlog nor reducing the SYN-RECEIVED timer will work.

Attackers usually send SYN flood messages from a set of unreachable IPs.

If the backlog (half-open connection queue) is filling very fast, why not first ping the client before sending any reply?


Page 35: TCP Vulnerabilities


My Observation: TCP Three-way Handshake

Figure: Redefinition of TCP three-way handshake


Page 36: TCP Vulnerabilities


My Observation: TCP Three-way Handshake II

The SYN-cookie limitation can be removed by using a separate cookie.

The client sends a SYN segment to the server.

The server replies with ‘SYN/ACK/cookie_server’.

cookie_server is based on the client IP address, port, current time and other information.

Once it reaches the client, the client acknowledges the server by sending ‘ACK/cookie_server’.

The server authenticates its cookie and validates the client.
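Added example (not from these slides) covering both the SYN-cookie countermeasure listed earlier and the server cookie proposed here: the listener encodes the client IP, port, ISN and a time slot into a keyed 32-bit cookie that it returns as its ISN, keeps no half-open state at all, and validates the cookie only when the ACK comes back. The secret, slot length, MSS table and sample addresses are constructed assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret-rotate-me"   # server secret (constructed for the example)
SLOT_SECONDS = 64                               # cookie validity window, as in classic SYN cookies
MSS_TABLE = (536, 1220, 1440, 1460)             # MSS values encodable in the cookie's 2 bits

def _slot(now):
    return int(now) // SLOT_SECONDS

def _mac24(client_ip, client_port, server_port, client_isn, t):
    msg = f"{client_ip}|{client_port}|{server_port}|{client_isn}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big") & 0xFFFFFF

def make_cookie(client_ip, client_port, server_port, client_isn, mss_idx, now):
    """32-bit ISN carrying everything the server needs, so no half-open TCB is stored.
    Layout: 6 bits time slot (mod 64) | 2 bits MSS index | 24 bits keyed MAC."""
    t = _slot(now)
    return ((t & 0x3F) << 26) | ((mss_idx & 0x3) << 24) | _mac24(client_ip, client_port, server_port, client_isn, t)

def check_cookie(cookie, client_ip, client_port, server_port, client_isn, now):
    """Validate the ISN echoed in the final ACK (ack_num - 1). Returns the MSS, or None.
    The current and the previous slot are accepted so a handshake straddling a boundary works."""
    cur = _slot(now)
    for t in (cur, cur - 1):
        if (t & 0x3F) != cookie >> 26:
            continue
        if _mac24(client_ip, client_port, server_port, client_isn, t) == cookie & 0xFFFFFF:
            return MSS_TABLE[(cookie >> 24) & 0x3]
    return None

class StatelessListener:
    """Simulated server: answers SYNs with cookie ISNs and allocates state only on a valid ACK."""

    def __init__(self, port=80):
        self.port = port
        self.established = {}   # (ip, port) -> mss: the only per-connection state kept

    def on_syn(self, ip, port, client_isn, mss, now):
        # Nothing is stored here: a flood from spoofed, unreachable sources costs no memory.
        return make_cookie(ip, port, self.port, client_isn, MSS_TABLE.index(mss), now)

    def on_ack(self, ip, port, client_isn, ack_num, now):
        mss = check_cookie(ack_num - 1, ip, port, self.port, client_isn, now)
        if mss is None:
            return False
        self.established[(ip, port)] = mss
        return True

def demo():
    srv = StatelessListener()
    t0 = 1_700_000_000
    # Constructed flood: 10,000 SYNs from sources that never answer; no backlog fills up.
    for i in range(10_000):
        srv.on_syn(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", 40000 + i % 1000, i, 1460, t0)
    isn = srv.on_syn("192.0.2.10", 51515, 123456, 1460, t0)
    ok = srv.on_ack("192.0.2.10", 51515, 123456, isn + 1, t0 + 10)      # genuine client
    forged = srv.on_ack("192.0.2.11", 51515, 123456, 42, t0 + 10)       # guessed ISN
    stale = srv.on_ack("192.0.2.10", 51515, 123456, isn + 1, t0 + 200)  # replayed after the window
    return ok, forged, stale, len(srv.established)
```

The limitation the slides mention survives in this form too: only what fits in 32 bits (here a 2-bit MSS index) can be recovered, which is why the slide proposes carrying a separate cookie rather than overloading the ISN.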


Page 37: TCP Vulnerabilities


My Observation: TCP Three-way Handshake

Figure: Redefinition of TCP three-way handshake


Page 38: TCP Vulnerabilities


My Observation: TCP Three-way Handshake III

In Linux, the SYN-cookie mechanism is disabled by default but can be enabled by setting the sysctl variable net.ipv4.tcp_syncookies to 1 in the /etc/sysctl.conf file.


Page 39: TCP Vulnerabilities


ARP: ARP Protocol I

ARP is a stateless protocol.

The ARP protocol accepts any ARP reply and updates its ARP table as soon as any ARP reply is received.

We can add a new data structure alongside the existing ARP table.

This data structure is a dynamic list which records all the outstanding ARP requests.

When an ARP reply arrives, we check this list to see whether we have sent any such query.

We further confirm this ARP reply by asking a few neighbors.

We can originate a RARP for the MAC address received in the ARP response.
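The outstanding-request list and neighbor confirmation described above, as an added example (not code from the slides or from any real ARP implementation): a reply that answers no pending request is logged as unsolicited, a late reply is discarded, a neighbor-vote hook can veto a binding, and a binding that changes is reported the way arp-guard does. Timeouts, addresses and the neighbor table are constructed assumptions.

```python
import time
from collections import namedtuple

REQUEST_TIMEOUT = 2.0   # seconds an outstanding ARP request stays valid (assumed value)
CACHE_TTL = 60.0        # seconds before a learned <IP, MAC> pairing expires (assumed value)

Entry = namedtuple("Entry", "mac learned_at")

class GuardedArpCache:
    """ARP cache that, unlike the stateless original, accepts a reply only when it answers a
    request this host actually sent, then lets a neighbor-confirmation hook veto it."""

    def __init__(self, confirm_with_neighbors=None):
        self.cache = {}       # ip -> Entry (the ordinary ARP table)
        self.pending = {}     # ip -> time the request was sent (the new dynamic list)
        self.alerts = []      # what would be reported to a managing system
        self.confirm = confirm_with_neighbors   # callable(ip, mac) -> bool, or None

    def send_request(self, ip, now=None):
        self.pending[ip] = now if now is not None else time.time()

    def on_reply(self, ip, mac, now=None):
        """Returns 'accepted', 'mac-changed', 'unsolicited', 'stale' or 'neighbors-disagree'."""
        now = now if now is not None else time.time()
        sent = self.pending.get(ip)
        if sent is None:
            self.alerts.append(f"unsolicited ARP reply {ip} -> {mac}")
            return "unsolicited"
        del self.pending[ip]
        if now - sent > REQUEST_TIMEOUT:
            return "stale"
        if self.confirm is not None and not self.confirm(ip, mac):
            self.alerts.append(f"neighbors disagree on {ip} -> {mac}")
            return "neighbors-disagree"
        verdict = "accepted"
        old = self.cache.get(ip)
        if old is not None and old.mac != mac:
            # arp-guard style: a binding that changes is reported rather than silently replaced
            self.alerts.append(f"MAC for {ip} changed {old.mac} -> {mac}")
            verdict = "mac-changed"
        self.cache[ip] = Entry(mac, now)
        return verdict

    def lookup(self, ip, now=None):
        now = now if now is not None else time.time()
        e = self.cache.get(ip)
        if e is None or now - e.learned_at > CACHE_TTL:
            self.cache.pop(ip, None)   # expired entries drop out, as in ordinary ARP
            return None
        return e.mac

def demo():
    # Constructed neighbor vote: the neighbors know the gateway 10.0.0.1 as aa:...:01.
    known = {"10.0.0.1": "aa:aa:aa:aa:aa:01"}
    arp = GuardedArpCache(confirm_with_neighbors=lambda ip, mac: known.get(ip, mac) == mac)
    t = 1000.0
    results = [arp.on_reply("10.0.0.1", "de:ad:be:ef:00:01", t)]             # nobody asked
    arp.send_request("10.0.0.1", t)
    results.append(arp.on_reply("10.0.0.1", "de:ad:be:ef:00:01", t + 0.1))   # forged answer
    arp.send_request("10.0.0.1", t + 1)
    results.append(arp.on_reply("10.0.0.1", "aa:aa:aa:aa:aa:01", t + 1.2))   # genuine
    arp.send_request("10.0.0.1", t + 5)
    results.append(arp.on_reply("10.0.0.1", "aa:aa:aa:aa:aa:01", t + 9))     # too late
    return results, arp.lookup("10.0.0.1", t + 10), len(arp.alerts)
```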


Page 40: TCP Vulnerabilities


ARP: ARP Protocol

Figure: Redefinition of ARP protocol


Page 41: TCP Vulnerabilities


Conclusion

Recent network attacks have shown how vulnerable our networks are.

Flooding, IP spoofing and denial-of-service attacks are becoming significant threats.

Ingress filtering was suggested but is not yet completely implemented by all ISPs.

The LOT protocol is the best option, but it needs to be installed on almost all gateways in the network.

All gateways first share a secret key over a vulnerable network; this can be dangerous.

LOT tunnels can’t pass over Network Address Translators (NATs). However, NAT devices do not prevent LOT, and LOT tunnels will still be formed.


Page 42: TCP Vulnerabilities


Conclusion

Now the world is changing: the face of network communication is changing rapidly.

The use of smart-phones and embedded systems is increasing rapidly.

Cloud computing and mobile computing are attackers’ future targets.

Security in cloud computing is still a major issue; there is a need for reliable, scalable and fault-tolerant clouds, both on systems and on mobile.

Protocols are not very sophisticated and are thus vulnerable to attacks.

Research into developing sophisticated network protocols is still a very important area, full of challenges, and a thrust for future research.


Page 43: TCP Vulnerabilities


References I

[1] “Prolexic Quarterly Global DDoS Attack Report,” Quarter 3, 2012.

[2] “2012 Norton Cybersecurity Report.”

[3] “Government to warn businesses about cyber crime threat,” BBC, 5 September 2012.

[4] Ross Anderson and Chris Barton, “Measuring the cost of cybercrime.”

[5] Huang, T. and Bai, G., “Method against ARP spoofing based on improved protocol mechanism.”

[6] “ARP Guard,” https://www.arp-guard.com/info.


Page 44: TCP Vulnerabilities


References II

[7] Gilad, Yossi and Herzberg, Amir, “LOT: A Defense Against IP Spoofing and Flooding Attacks,” ACM Transactions on Information and System Security, vol. 15 of 6, July 2012.

[8] Postel, J., “Internet Protocol, The Protocol Specification, RFC 791,” DARPA Internet Program.


Page 45: TCP Vulnerabilities


Thank you

Questions?
