“Security Flaws in TCP/IP”

[Figure: SYN; Dorothy, Code, Protocols, Resources]

♦ A network is made of people, protocols, resources and code

Protocols
♦ Protocols help network cohesion
♦ Protocols help network expansion
♦ Protocols help network insecurity
  – Protocol design
  – Protocol implementation
  – Protocol deployment

Attacks on TCP/IP
♦ Many modes of protocol attacks
  – Passive attacks
    • Packet sniffing
  – Blind attacks
    • Spoofing
  – Active attacks
    • Session hijacking

Packet sniffing
♦ What is sniffing, and what is a sniffer?
♦ What does it sniff?
♦ Why do people use sniffers?
  – Snoop for usernames:passwords
  – Intrusion detection & traffic logging
  – Performance & fault analysis
♦ How does it work?
  – Shared media
  – Promiscuous mode

Packet sniffing
♦ Access to wire
♦ ARP
  – Broadcast out an ARP claiming to be the router
  – ARP request just to the victim's MAC address, claiming to be the router
  – ARP to the router's MAC address claiming to be the victim
♦ ICMP Redirect
♦ ICMP Router Advertisement
♦ telnet, ftp, rlogin, IMAP, POP

Anatomy of a sniffer

[Figure: packets flow from Media -> Capture Driver -> Buffer -> Decode -> Logging/Editing]

♦ Media - usually an Ethernet card; special hardware is possible
♦ Capture Driver - library to capture and filter traffic
♦ Buffer - stores frames, either fill-buffered or round-robin
♦ Decode - makes it human readable
♦ Logging/editing - stores captured packets for further analysis

Sniffing for sniffers
♦ Methods to detect a sniffer?
  – Query the interfaces with ifconfig (a copy run from CD-ROM)

    # ifconfig -a
    eth0      Link encap:Ethernet  HWaddr 00:AA:AA:AA:AA:AA
              inet addr:0.0.0.0  Bcast:0.0.0.55  Mask:255.255.255.0
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:595017 errors:0 dropped:0 overruns:0 frame:0
              TX packets:113401 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              Interrupt:10 Base address:0xb800

  – Ping, ARP requests
  – Reverse DNS lookups
  – Honey pot
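The ifconfig check above, automated, as an added example that is not part of the original slides: it parses the net-tools style `ifconfig -a` text for the PROMISC flag and, on a live Linux host, also reads the kernel's own interface flags from /sys/class/net, so the verdict does not depend on the ifconfig binary. The sample listing is constructed from the slide's output (the `lo` entry is made up).

```python
"""Promiscuous-mode check, the first detection method on the slide.
Added example, not from the original slides. IFF_PROMISC is bit 0x100 of
/sys/class/net/<if>/flags (include/uapi/linux/if.h); the sysfs path sidesteps
a replaced ifconfig binary. Sample text is constructed from the slide.
"""
import re
from pathlib import Path

IFF_PROMISC = 0x100

SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:AA:AA:AA:AA:AA
          inet addr:0.0.0.0  Bcast:0.0.0.55  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:595017 errors:0 dropped:0 overruns:0 frame:0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

def promisc_from_ifconfig(text: str) -> dict:
    """Map interface name -> True when its flags line carries PROMISC."""
    result, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+Link encap", line)
        if m:                       # header line names a new interface
            current = m.group(1)
            result[current] = False
        elif current and re.search(r"\bPROMISC\b", line):
            result[current] = True
    return result

def promisc_from_sysfs(root: str = "/sys/class/net") -> dict:
    """Same check from the kernel's flags; empty dict where sysfs is absent."""
    result = {}
    for flags_file in Path(root).glob("*/flags"):
        try:
            flags = int(flags_file.read_text().strip(), 16)   # e.g. "0x1103"
        except (OSError, ValueError):
            continue
        result[flags_file.parent.name] = bool(flags & IFF_PROMISC)
    return result

if __name__ == "__main__":
    for name, promisc in promisc_from_ifconfig(SAMPLE_IFCONFIG).items():
        print(f"{name}: {'PROMISC' if promisc else 'normal'}")
    for name, promisc in promisc_from_sysfs().items():
        print(f"{name}: {'PROMISC' if promisc else 'normal'} (sysfs)")
```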

Avoid being sniffed
♦ End to end encryption
♦ Tools:
  – SSL
  – SSH (dsniff)
  – VPN
  – PGP/S-MIME
  – Kerberos 5
  – Smart cards

[Figure: ALICE -- Internet -- sshd; strace attached to sshd READS and WRITES the PLAIN TEXT on the server]

    strace -p _pid_of_sshd -f -e trace=read,write -e read=6 -e write=4

♦ Compromised end node!

Sniffers and Anti Sniffers
♦ Sniffers
  – Sniffit
  – Hunt
  – Dsniff
  – Snort
  – Ethereal
  – Tcpdump
♦ Anti Sniffers
  – Antisniff
  – CPM (Check Promiscuous Mode)
  – NEPED (Network Promiscuous Ethernet Detector)
  – Sentinel
  – ifstatus

Spoofing

[Figure: Conan, Jay and Letterman. Conan: "Jay, is that you buddy?" Reply: "Conan, my man. Wassup!!"]

Trust relationship:
♦ Conan trusts Jay
♦ r-services are disastrous
♦ Knowing who's who of the trust department:
  – showmount
  – Finger
  – .rhosts
♦ Address/host based authentication
♦ IP Spoof
  – Sequence number prediction
♦ ARP Spoofs
  – False MAC advertisement
♦ DNS Spoofs
  – DNS poisoning, false advertisement

Sequence number prediction
♦ 3-way handshake

    C -> S: SYN(ISN_C)
    S -> C: SYN(ISN_S), ACK(ISN_C)
    C -> S: ACK(ISN_S)
    C -> S: data   and/or   S -> C: data

♦ Intruder X impersonating trusted host T

    X -> S: SYN(ISN_X), SRC = T
    S -> T: SYN(ISN_S), ACK(ISN_X)
    X -> S: ACK(ISN_S), SRC = T
    X -> S: ACK(ISN_S), SRC = T, nasty-data

Sequence number prediction
♦ How to predict the random ISN?
  – It's not really random
  – ISN is incremented by a constant amount once per second, and by half that amount each time a connection is initiated.

    X -> S: SYN(ISN_X)
    S -> X: SYN(ISN_S), ACK(ISN_X)    ...(1)
    X -> S: SYN(ISN_X), SRC = T       ...(2)

  – ISN_S can be uniquely determined by the time between the origination of message (1) and the receipt at the server of message (1).
  – RTT between X and S!
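A model of the counter rule above next to the RFC 6528 construction that replaced it, as an added example that is not part of the original slides. The per-second and per-connection increments (128 and 64) are the assumed classic 4.2BSD values; the slide only says "a constant amount" and "half that amount". Addresses, ports and the secret are made up (513 is rlogin, one of the r-services the deck warns about).

```python
"""Counter-based ISN (the slide's rule) versus the RFC 6528 keyed ISN.
Added example, not from the original slides. 128/64 are the assumed 4.2BSD
increments; 10.0.0.x addresses and the secret are constructed.
"""
import hashlib
import struct

PER_SECOND, PER_CONNECT, MASK = 128, 64, 0xFFFFFFFF

def counter_isn(base: int, seconds: float, connections: int) -> int:
    """Slide's rule: + constant per second, + half of it per connection opened."""
    return (base + PER_SECOND * int(seconds) + PER_CONNECT * connections) & MASK

def rfc6528_isn(src: str, dst: str, sport: int, dport: int,
                secret: bytes, microseconds: int) -> int:
    """ISN = M + F(4-tuple, secret): M is a 4 us clock, F a keyed MD5 (RFC 6528)."""
    m = (microseconds // 4) & MASK
    f = hashlib.md5(f"{src}|{dst}|{sport}|{dport}|".encode() + secret).digest()
    return (m + struct.unpack("<I", f[:4])[0]) & MASK

def counter_scheme() -> tuple:
    """Server counter starts at 1000. Message (1) hands X one ISN_S; two seconds
    and one further connection later S picks the ISN_S used in (2).
    Returns (what X computes from (1), what S actually used): they are equal,
    because the rule and its constants are public and the clock is the only input."""
    isn_in_msg1 = counter_isn(1000, 0, 1)
    isn_in_msg2 = counter_isn(1000, 2, 2)
    derived_by_x = counter_isn(isn_in_msg1, 2, 1)
    return derived_by_x, isn_in_msg2

def keyed_scheme(secret: bytes) -> int:
    """With RFC 6528 the ISN_S that X sees for its own connection and the one S
    sends to T at the same instant differ by F(T-tuple) - F(X-tuple), which
    changes with the secret, so message (1) no longer reveals (2)."""
    t = 5_000_000
    seen_by_x = rfc6528_isn("10.0.0.9", "10.0.0.1", 40000, 513, secret, t)
    sent_to_t = rfc6528_isn("10.0.0.2", "10.0.0.1", 1023, 513, secret, t)
    return (sent_to_t - seen_by_x) & MASK

if __name__ == "__main__":
    print("counter scheme (derived, actual):", counter_scheme())
    print("keyed scheme, offset under two secrets:",
          keyed_scheme(b"secret-1"), keyed_scheme(b"secret-2"))
```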

Session hijacking

[Figure: Client (Jay) -- Internet -- Server, with Eve on the path]

♦ Sniff Client's packets to get SEQ/ACK values
♦ Eve sends null data as Client (IAC NOP, CR\LF)
♦ SEQ/ACK match, Server accepts data, adjusts SEQ/ACK accordingly
♦ Eve's and Server's SEQ, ACK are in sync
♦ Client's, Server's SEQ, ACK are out of sync
♦ Connection is effectively hijacked
♦ Same can be done to the client
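A passive detector for the two symptoms the slide describes, as an added example that is not part of the original slides: a data segment carrying exactly the SEQ the peer expects but a different IP TTL from that direction's baseline (what a segment injected from a third host usually looks like), and the ACK storm that follows once Client and Server are out of sync. The packet list and the 10.0.0.x addresses are constructed.

```python
"""Detect injected segments and the resulting ACK storm in a TCP flow.
Added example, not from the original slides; packets below are constructed.
"""
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst ttl seq ack payload")

def detect_hijack(packets, storm_threshold=4):
    """Return alert strings for TTL-anomalous data at the expected SEQ and for
    runs of ACK-only segments whose ACK numbers never advance."""
    alerts, baseline_ttl, expected_seq, last_ack, dup_run = [], {}, {}, {}, 0
    for i, p in enumerate(packets):
        key = (p.src, p.dst)                      # one direction of the flow
        baseline_ttl.setdefault(key, p.ttl)       # TTL of the first segment seen
        if p.payload:
            dup_run = 0
            if expected_seq.get(key) == p.seq and p.ttl != baseline_ttl[key]:
                alerts.append(f"pkt {i}: data from {p.src} at expected SEQ {p.seq} "
                              f"but TTL {p.ttl} != baseline {baseline_ttl[key]}: possible injection")
            expected_seq[key] = p.seq + len(p.payload)
        else:
            if key in last_ack:                   # pure ACK repeating its ACK number
                dup_run = dup_run + 1 if last_ack[key] == p.ack else 0
            last_ack[key] = p.ack
            if dup_run == storm_threshold:
                alerts.append(f"pkt {i}: {storm_threshold} ACK-only segments with no "
                              f"progress between {p.src} and {p.dst}: ACK storm")
    return alerts

C, S = "10.0.0.5", "10.0.0.1"                     # constructed client / server
SAMPLE_PACKETS = [
    Pkt(C, S, 64, 1000, 5000, b"ls\r\n"),         # client command
    Pkt(S, C, 64, 5000, 1004, b"file\r\n"),       # server output
    Pkt(C, S, 64, 1004, 5006, b""),               # client acks it
    Pkt(C, S, 57, 1004, 5006, b"who\r\n"),        # Eve as Client, sniffed SEQ/ACK, other TTL
    Pkt(S, C, 64, 5006, 1009, b"jay pts/0\r\n"),  # server accepted it and moved on
    Pkt(C, S, 64, 1004, 5006, b""),               # real client still at its old numbers
    Pkt(S, C, 64, 5017, 1009, b""),               # server insists on 1009
    Pkt(C, S, 64, 1004, 5006, b""),
    Pkt(S, C, 64, 5017, 1009, b""),
    Pkt(C, S, 64, 1004, 5006, b""),               # storm continues
]

if __name__ == "__main__":
    for alert in detect_hijack(SAMPLE_PACKETS):
        print(alert)
```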

Resources
♦ Routing:
  – Routers, Switches, Hubs, Gateways
♦ End points:
  – Daemons
  – Web servers
  – Services
♦ Attacks against resources
  – Denial of service
  – Vandalism

Denial of Service
♦ Simple elevator DoS
♦ Anything with limited resources is a victim
♦ Classics:
  – Chargen port | Echo port
  – Ping of death
  – SYN Flood
  – fork()
♦ Distributed Denial of Service

Distributed DoS

[Figure: Attacker -> master -> zombies (five) -> Internet -> Victim]

♦ Attacker compromises zombies and master(s)
♦ Zombies wait for signal from master
♦ Master waits for signal from attacker
♦ Attacker fires a signal that creates a chain reaction

DDoS Tools
♦ Trinoo:
  – Attacker uses TCP, masters use UDP and authentication
  – UDP Flood
♦ TFN, TFN2K:
  – Attacker invokes master, master uses ICMP_ECHO_REPLY
  – UDP, ICMP, SYN Flood, Smurf
♦ Stacheldraht (barbed wire):
  – Attacker uses encrypted TCP channel, masters use TCP, ICMP_ECHOREPLY
  – Trinoo + TFN + Encryption + Automatic Update
♦ Shaft, mstream

Defense against DDoS
♦ Cure for common cold.
♦ Prevent root compromises.
♦ Tune IDS to monitor control messages.
♦ Traffic volume monitoring.

FIN
