TCP/IP Vulnerability

Prepared By:
Mohit Kohli
11th June 2007

1
Section1:Introduction
 A Quick Review on:
 TCP Transmission control Protocol
 IP Internet Protocol
 Packet structure
 Flags
 Fragmentation
 TCP Communication Mechanism

Tech Mahindra 2
 Introduction on TCP – PACKETS
•TCP – Transmission Control Protocol (TCP) runs on top of
IP, and provides a connection oriented service between the
sender and the receiver.

•TCP provides guaranteed delivery, and ensures that the

packets are delivered in sequence.

•The underlying network IP, is highly unreliable and does not

provide any guarantee for TCP.

• In order to provide reliability between the sender and the

receiver, TCP uses various mechanisms, such as sequence
numbers, acknowledgments, 3-way handshakes and timers.

•In the TCP protocol, the important things in a packet are

the essential IP packet headers, and various TCP specific
headers and flags. These include:
source port, destination port, header lengths, the sequence
number, the ACK number, the checksum and various other
flags.
Here is a diagram to illustrate the basic format of a typical
TCP packet:

Tech Mahindra 3
IP Packet
• IP - IPv4 is a datagram protocol
primarily responsible for addressing
and routing packets between hosts.
• IPv4 is connectionless, which means
that it does not establish a connection
before exchanging data, and
unreliable, which means that it does
not guarantee packet delivery .
• There are a lot of headers in the IP
section of a packet. Some of the
essential ones include: source address,
destination address, TOS, TTL, packet
ID, protocol (i.e TCP or UDP), IP
version (4 obviously), packet length, Packet Example:
the checksum, and the IP header • 1,460 Data after TCP header (the
lengths. These need to be set in every
packet/datagram/segment sent, be it payload)
TCP, UDP or ICMP. • 20 Typical TCP header size
• 20 Typical IP header size
• 14 Typical Ethernet header size
•4 CRC size
• 1,518 Maximum Ethernet packet size

Tech Mahindra 4
 TCP Packet Component
 Flags Structure  Example :
 Flags: 0x0010(ACK) ---00010000
F : FIN - Finish; end of session  Window Size :64512
S : SYN - Synchronize; indicates request to start session  Flags:0x0018 (PUS, ACK)----
R : RST - Reset; drop a connection 00011000
P : PUSH - Push; packet is sent immediately  Window Size :65059
A : ACK - Acknowledgement
U : URG - Urgent
E : ECE - Explicit Congestion Notification Echo
W : CWR - Congestion Window Reduced

 A checksum is a value which is computed which allows you to check the validity of something.
Typically, checksums are used in data transmission contexts to detect if the data has been
transmitted successfully.
For example, the Cyclic Redundancy Check algorithms, CRC-8, CRC-16, and CRC-32, do fairly
complex things to make the checksum sensitive to such problems

Ref on Transmission Control Protocol: http://www.faqs.org/ftp/rfc/pdf/rfc793.txt.pdf

Tech Mahindra 5
Fragmentation
 Fragmentation: Every packet-based network has an
MTU (Maximum Transmission Unit) size. The MTU is the
size of the largest packet which that network can
transmit.
 Packets larger than the allowable MTU must be
divided into multiple smaller packets, or fragments, to
enable them to traverse the network.

 Example:
 If a 2,366 byte packet enters an Ethernet network with a
default MTU size, it must be fragmented into two packets.
 The first packet will: Be 1,500 bytes in length. 20 bytes will
be the IP header, 24 bytes will be the TCP header, and 1,456
bytes will be data.
 Have the DF bit equal to 0 to mean "May Fragment" and the
MF bit equal to 1 to mean "More Fragments."
 Have a Fragmentation Offset of 0.
 The second packet will: Be 910 bytes in length. 20 bytes will
be the IP header, 24 bytes will be the TCP header, and 866
bytes will be data.
 Have the DF bit equal to 0 to mean "May Fragment" and the
MF bit equal to 0 to mean "Last Fragment." Have a
Fragmentation Offset of 182 (Note: 182 is 1456 divided by
8).

Tech Mahindra 6
Contd…
 Three of these fields are involved in packet

fragmentation: Len, Offset and More bit.

 Fragmentation reduces TCP throughput and

increases network congestion.

 Disable Path MTU Discovery process: Low MTU

value could degrade network performance, since it
increases Fragmentation.
Fragmentation (3,600)

Len: Total Length of Fragment

Offset: distance from the first byte of

the original datagram

More: Indicate if the fragment has

more to follow

Tech Mahindra 7
Captured TCP Packet structure

Tech Mahindra 8
Captured UDP Packet structure

Tech Mahindra 9
TCP Three-Way Handshake

 A TCP connection is initialized through a three-way handshake. The purpose of the

three-way handshake is to synchronize the sequence number and acknowledgment
numbers of both sides of the connection and to exchange TCP window sizes. The
following steps outline the process for the common situation when a client computer
contacts a server computer:

 1. The client sends a TCP segment to the server with an initial sequence number for
the connection and a window size indicating the size of a buffer on the client to
store incoming segments from the server.

 2. The server sends back a TCP segment containing its chosen initial sequence
number, an acknowledgment of the client’s sequence number, and a window size
indicating the size of a buffer on the server to store incoming segments from the
client.

 3. The client sends a TCP segment to the server containing an acknowledgment of
the server’s sequence number.

 TCP uses a similar handshake process to end a connection. This guarantees that
both hosts have finished transmitting and that all data was received.
 TCP connections have three main parts: connection establishment, data exchange,
and connection termination

Tech Mahindra 10
 HTTP Elements
•HTTP clients send HTTP requests that contain a •The HTTP Get Command
method, or command, that indicates what the
client wants

• HTTP Methods

Tech Mahindra 11
Sample HTTP Communications
3 Way handshake communication for HTTP Application Protocol

Tech Mahindra 12
Section 2: TCP/IP Vulnerability
 overlapping IP fragments
 Tear Drop
 Land
 SYN Attack
 Ping Flooding
 IP Spoofing
 SYN Guessing
 Smurf Attack
 Source Routing
 TCP Hijacking
 Man-in-the-Middle Attack
 Countermeasures

Tech Mahindra 13
 overlapping IP fragments
Description:An IP fragment overlap
vulnerability may exist on NT 3.5 and 4.0
systems without the hotfixes applied that
will cause a lock up on these systems
requiring a hard reset. This exploit modifies
the code from the teardrop attack to
incorporate the use of a SYN sequence bug.
The attack will send two IP fragments, with
the offset of the second fragment inside
the prior packet's payload that overlaps but
does not include enough payload to
complete the datagram.
Install the latest hotfixes provided by
Microsoft.
Impact: Any systems that are vulnerable
to this exploit may be 'brought down',
requiring a reboot of the system.
Root Cause: Insecure Design
Tech Mahindra
Linux and Microsoft has a serious bug in it's
IP fragmentation module
More specifically, in the fragmentation
reassembly code
Explanation:
When Linux reassembles IP fragments to
form the original IP datagram, it
runs in a loop, copying the payload from all
the queued fragments into a newly
allocated buffer (which would then normally
be passed to the IP layer proper).
If we find that the current fragment's offset
is inside the end of a
previous fragment (overlap), we need to
(try) align it correctly. Well, this
is fine and good, unless the payload of the
current fragment happens to NOT
contain enough data to cover the realigning.
In that case, `offset` will end
up being larger then `end`.
14
1. Teardrop Attack
 IP requires a packet that is too large for the next router
to handle be divided into fragments.
 The attacker's IP puts a confusing offset value in the
second or later fragment.
 If the receiving operating system is not able to aggregate
the packets accordingly, it can crash the system.
 It is a UDP attack, which uses overlapping offset fields to
bring down hosts.
 The Unnamed Attack
 Variation of Teardrop attack
 Fragments are not overlapping; instead there are gaps
incorporated Overlapping fragment attack.
 Careful design of the algorithm for generating these
initial sequence numbers ensures that overlap in Hackers can also craft packets so that
sequence number space between different incarnations of instead of overlapping, there will be gaps
a connection is prevented. between various packets. These
nonadjacent fragmented packets are
similar to overlapping packets because
they can crash or hang older operating
systems that have not been patched.

Tech Mahindra 15
Abnormal Fragmentation

 Figure shows specially crafted

packet with Abnormal
Fragmentation.

Tech Mahindra 16
Teardrop Attack Tool: Jolt2

 Allows remote attackers to cause a

Denial of Service attack against
Windows based machines.
 Causes the target machines to
consume 100% of the CPU time
processing illegal packets.
 Not Windows-specific, many Cisco
routers and other gateways might
be vulnerable.

Tech Mahindra 17
Teardrop Attack Tool: Bubonic.c
 Bubonic.c is a DoS exploit that can be
run against Windows 2000 machines.
 It works by randomly sending TCP
packets, with random settings, with
the goal of increasing the load of the
machine, so that it eventually crashes.
 c: \> bubonic 12.23.23.2
10.0.0.1 100
 The teardrop attack exploits
overlapping IP fragment and can crash
Windows 95, Windows NT, and
Windows 3.1machines.

Tech Mahindra 18
1. Land

 IP spoofing in combination with the opening of a TCP

connection.
 Both IP addresses, source and destination are modified to be
the same, the address of the destination host.
 This results in sending the packet back to itself, because the
addresses are the same.

Tech Mahindra 19
 • SYN Attack
 The attacker sends bogus TCP SYN requests to a victim
server. The host allocates resources (memory sockets) for
the connection.
 It prevents the server from responding to legitimate
requests.
 This attack exploits the three-way handshake.
 Malicious flooding by large volumes of TCP SYN packets to
the victim system with spoofed source IP addresses can
cause a DoS.
 Windows Server 2003 systems that have enabled the
SynAttackProtect registry value are not vulnerable to many
of the attacks. Value set to 0 indicate no retransmission of
packet.

Tech Mahindra 20
Contd…
 default backlog size is 256 for RedHat 7.3 and 100 for Windows 2000
Professional. When this size is reached, the system will no longer accept
incoming connection requests.

 How to detect a SYN attack:

# netstat -n -p TCP
tcp 0 0 10.100.0.200:21 237.177.154.8:25882 SYN_RECV –
tcp 0 0 10.100.0.200:21 236.15.133.204:2577 SYN_RECV –
tcp 0 0 10.100.0.200:21 127.160.6.129:51748 SYN_RECV -

 Number of Half open TCP Connection:

# netstat -n -p TCP | grep SYN_RECV | grep :23 | wc -l
769

Tech Mahindra 21
• PING FLOODING (ICMP flooding)
 Ping of death is a denial of service (DoS) attack caused by an attacker purposely
sending an IP packet larger than the 65,536 bytes allowed by the IP protocol. One of
the features of TCP/IP is fragmentation. It allows a single IP packet to be broken
down into smaller segments. In 1996, attackers took advantage of that feature when
they found that a packet broken down into fragments could add up to more than the
allowed 65,536 bytes.


Hacking Tool: SSPing
 SSPing program sends the victim's computer a series of highly fragmented,
oversized ICMP data packets.
 The computer receiving the data packets lock when it tries to put the fragments
together.
 The result is a memory overflow which in turn causes the machine to stop
responding

Tech Mahindra 22
Tool: PING FLOODING (Denial of Service
Attack)

Tech Mahindra 23
1. IP Spoofing
 Due to bad designing of the TCP/IP suite, it is almost trivial to spoof a packet
apparently originating from a host that is NOT you. The term 'IP spoofing' can be
used to describe any process in which a person fakes, or "forges" a packet to look
like it came from elsewhere, often a "trusted" host. The ability to spoof IP packets,
and the fact that IPv4 does NOT check the validity of the source address and source
port in a packet's headers is one of the MAIN vulnerabilities in the TCP/IP protocol
suite.
 It can be of two types ie Blind and Non-Blind.
 IP spoofing can be used in two main ways: to cause DoS, or to gain access to a
system as a "trusted" host.
 Blind Spoofing Challenge: Source Address, Source port, Destination Address,
Destination Port along with ISN bit.

Tech Mahindra 24
Smurf Attack Uses IP Spoofing
Vulnerability
 The perpetrator generates a large amount
of ICMP echo (ping) traffic to a network
broadcast address with a spoofed source Internet
IP set to a victim host.
 The result will be a large number of ping
replies (ICMP Echo Reply) flooding back to
the innocent, spoofed host.
 An amplified ping reply stream can
overwhelm the victim’s network connection.
 The "smurf" attack's cousin is called
"fraggle", which uses a UDP echo.

ICMP Echo Request with source C and

destination subnet B, but originating
from A

Tech Mahindra 25
Cond…Smurf Attack
Receiving Network
Attacker
ICMP_ECHO_REQ Target
Source: Target
Destination: Receiving Network

ICMP_ECHO_REPLY
Internet
Source: Receiving Network
Destination: Target

Tech Mahindra 26
Sequence Guessing
 Attempt to hijack an existing TCP session by injecting
packets which pretend to come from one computer
involved in the TCP session.

 When new connections are created, an initial sequence

number (ISN) generator is employed which selects a new
32 bit ISN. The generator is bound to a (possibly fictitious)
32 bit clock whose low order bit is incremented roughly
every 4 microseconds. Thus, the ISN cycles approximately
every 4.55 hours. Since we assume that segments will
stay in the network no more than the Maximum Segment
Lifetime (MSL) and that the MSL is less than 4.55 hours
we can reasonably assume that ISN's will be unique.

 For each connection there is a send sequence number

and a receive sequence number. The initial send
sequence number (ISS) is chosen by the data sending
TCP, and the initial receive sequence number (IRS) is
learned during the connection establishing procedure.

 ISNs used must be hard to guess for those not involved in

the connection

Tech Mahindra 27
 TCP/IP SEQUENCE NUMBER ANALYSIS
 Challenge in to generate unpredictable
ISN Phase Space Analysis
 TCP/IP ISN generators used by a variety Sr. No Operating System Attack
of operating systems. feasibility
1 Linux below 0.05%
 One of the examples is inserting malicious 2 Windows 2000 12.08%
3 Windows NT4 SP6a + hotfixes 15%
contents or malicious RCPT TO fields into
4 Windows 95 100%

SMTP transaction in order to modify or 5 FreeBSD 4.2 1.00%

intercept e-mails. 6 OpenBSD-current 0.00%

 Guessing the right ISN from the entire 32-
bit space (4,294,967,296 possibilities) is
not feasible due to the excessive amount
of bandwidth and time required.
 But increasing bandwidth and processor
speed will eventually make brute force
guessing of 32-bit ISNs feasible for the
7 HPUX11 100.00%
8 AIX 4.3 100.00%
x[t] = seq[t] - seq[t-1]
y[t] = seq[t-1] - seq[t-2]
z[t] = seq[t-2] - seq[t-3]
http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm

average attacker.

Tech Mahindra 28
Reset Attack
 The packets required for a successful Reset
Operating Initial Window Packets
are based on the equation (2^32 / Initial
System Size Requ
Window Size).
ired
 Factor Responsible for Reset Attack: ISN
prediction, as well as much larger TCP Windows 2000 5.00.2195 64512 66,576
window selection SP4
 A larger window will provide greater Windows XP Home 64240 66,858
transmission efficiency but also expand Edition SP1
the opportunity for spoofed TCP Reset HP-UX 11 32768 131,071
attacks
Nokia IPSO 3.6-FCS6 16384 262,143
 The 4-tuple consists of source IP address,
TCP source port, destination IP address, Cisco 12.2(8) 16384 262,143
and destination TCP port Cisco 12.1(5) 16384 262,143
Cisco 12.0(7) 16384 262,143
Cisco 12.0(8) 16384 262,143
Windows 2000 5.00.2195 16384 262,143
Case Study on SP1

Reset Attack Case Study on

Windows 2000 5.00.2195 16384 262,143
Reset Attack SP3
Linux 2.4.18 5840 735,439

Tech Mahindra 29
1. Source Routing
 Another variant of IP spoofing makes use of a
rarely used IP option, "Source Routing"
[Bellovin89]. Source routing allows the
originating host to specify the path (route) that
the receiver should use to reply to it. An
attacker may take advantage of this by
specifying a route that by-passes the real
host, and instead directs replies to a path it
can monitor (e.g., to itself or a local subnet).
Although simple, this attack may not be as
successful now, as routers are commonly
configured to drop packets with source routing

enabled.

Tech Mahindra 30
1. TCP Session Hijacking
 Connection hijacking exploits a "desynchronized state" in
TCP communication
 "TCP session hijacking is when a hacker takes over a
TCP session between two machines. Since most
authentication only occurs at the start of a TCP session,
this allows the hacker to gain access to a machine.“
 A popular method is using IP Spoofing, ARP Posining and
source-routed IP packets and sequence number

prediction Techniques.
 A hacker can also be "inline" between B and C using a
sniffing program to watch the conversation. This is known
as a "man-in-the-middle attack".
 A common component of such an attack is to execute a
denial-of-service (DoS) attack against one end-point to
stop it from responding. This attack can be either against
the machine to force it to crash, or against the network
connection to force heavy packet loss.

Tech Mahindra 31
Man-in-the-Middle Attack
•In these attacks, a malicious party intercepts a
legitimate communication between two friendly Attacker Attacker
parties. The malicious host then controls the flow
of communication and can eliminate or alter the
information sent by one of the original participants Sender (S) Target (C)
without the knowledge of either the original
sender or the recipient. In this way, an attacker
Man-in-the-Middle Attack
can fool a victim into disclosing confidential ARP Poisoning ARP Poisoning
information by “spoofing” the identity of the
original sender, who is presumably trusted by the
recipient.
•Attacker has performed ARP poisoning attack.
•Packets are forwarded to hacker machine first
instead of Target Machine.
•Attacker exploit IP spoofing vulnerability of
TCP/IP design.
Hacker (X)
•Another variant of Man-in-the-middle attack
against two-factor authentication using Phishing

Tech Mahindra 32
TCP Hijacking Tool: Hunt
1) Connection management

* Setting what connections you are

interested in.
* Detecting an ongoing connection
(not only SYN started).
* Normal active hijacking with the
detection of the ACK storm.
* ARP spoofed/Normal hijacking with
the detection of successful ARP
spoof.
* Synchronization of the true client
with the server after hijacking (so
that the connection don't have to
be reset).
* Resetting connection.
* Watching connection.

Tech Mahindra 33
Countermeasures
 Hardening the TCP/IP stack (SYN cookies or
SynAttackProtect).Ref:http://www.securityfocus.com/infocus/1729
 Applying latest patches as recommended by your vendor
 Perimeter Network device like Firewall and border internet router should block IP-spoofed
packets and can capable of defending against SYN attacks. With the current IP protocol
technology, it is impossible to eliminate IP-spoofed packets. However, you can reduce the
likelihood of your site's networks being used to initiate forged packets by filtering outgoing
packets that have a source address different from that of your internal network.
 Apply Anti-spoofing filtering on network device (TCP sequence prediction attacks can be
effectively stopped by any router or firewall that is configured not to allow packets from an
internal IP address to originate from an external interface.)
 ISPs could prevent the transmission of fraudulently addressed packets.
 Servers could be programmed to recognize a SYN source IP address that never completes
its connections.
 The last network defense against SYN floods is to distribute the flood against as many
hosts or network devices as possible.

Tech Mahindra 34