(01) - Network Basics

Intro Summary
HTTPS is a protocol that is intended to provide secure authentic communication between
the browser and the web server.
• The client knows the identity of (the owner of?) the server it is connected to.
• A third party cannot eavesdrop on the connection between browser and server, nor
modify/inject messages between browser and server.
It is not necessarily the case that meeting these requirements means that the website is
secure.
• What are we trying to protect? Is information sent to and/or from the webpage
critical, ... ?
• What threats are we concerned about? Is there a concern that an attacker might:
eavesdrop on messages, modify/inject messages, compromise the server hosting the
website, ... ?
An asset is any entity of interest that may be the subject of a threat.
• The information on my website is an asset.
A threat is a potential for violation of security, eg.
• An attacker masquerades as my website.
• Denial of Service (DoS) attack on my website.
A vulnerability is a flaw or security weakness in an asset that has the potential to be
exploited by a threat.
• TCP/IP and HTTP do not provide authentication.
• The TCP three-way handshake is vulnerable to SYN flooding, which leads to DoS.
A countermeasure is an action or process that mitigates vulnerabilities and prevents and/or
reduces threats.
• HTTPS can provide for authentication of websites by the browser.
• SYN-cache, SYN-cookies or firewalls help prevent SYN flooding.
Packets sent across the internet contain ‘headers’ (simplified), one per layer:
Physical | Network | Transport | Application
• Physical header: data related to the physical link (MAC address, etc.).
• Network header: source and destination IP addresses.
• Transport header: data related to the connection (ports) and used to help manage
fault-tolerance (out of sequence packets, etc.).
• Application: data of the application that is running over the connection.
HTTP is a stateless protocol: at the server-side the protocol keeps no record of past/current
client interactions. If state is required then the server (web) application and/or the client
application must manage this information.
Three-way handshake to establish a TCP connection:
• Msg 1 Source → Destination : SYN(x)
• Msg 2 Destination → Source : SYN(y), ACK(x + 1)
• Msg 3 Source → Destination : ACK(y + 1)
TCP/IP Spoofing I
In IPv4 there is no authentication of the IP addresses/network data.
The attacker first initiates a legitimate connection and observes the server's current
sequence number.
• Msgα1 Attacker → Server : SYN(x)
• Msgα2 Server → Attacker : SYN(y), ACK(x + 1)
• Msgα3 Attacker → Server : ACK(y + 1)
The attacker immediately initiates another connection with the server, masquerading as a
non-existent/spoofed IP address A.
• Msgβ1 A[Attacker] → Server : SYN(x′)
• Msgβ2 Server → A : SYN(y′), ACK(x′ + 1)
• Msgβ3 A[Attacker] → Server : ACK(y′ + 1)
The server's ACK (and y′) may be lost (not delivered to the attacker), but the attacker can
predict the value of y′ based on their previous connection and so establish the connection.
TCP/IP Spoofing II
If connected, the legitimate owner of the spoofed address may respond by terminating a
connection it did not initiate:
• Msgβ1 A[Attacker] → Server : SYN(x)
• Msgβ2 Server → A : SYN(y), ACK(x + 1)
• Msgβ3 A[Attacker] → Server : ACK(y + 1)
• Msgβ3 A → Server : RST
2
The attacker must either use a non-existent IP address or ensure that the legitimate owner
cannot respond. The latter is done by either breaking/blocking A’s connection or SYN-flooding A.
TCP/IP does not provide (strong) authentication of host.
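The prediction step in Msgβ3 is easiest to see in a toy model. The following Python is an added example, not part of the original notes: two constructed server models, one whose initial sequence number (ISN) advances by a fixed step per connection (the weakness the attack relies on) and one that draws a random ISN (the countermeasure used by modern stacks), plus a check that reports whether y′ can be extrapolated from earlier legitimate connections. The class and function names are the example's own.

```python
import secrets


class PredictableIsnServer:
    """Toy server whose ISN advances by a fixed step per connection.
    Constructed model of the weakness; not a real TCP stack."""

    def __init__(self, start=1000, step=64000):
        self._next = start
        self._step = step

    def accept(self, x):
        """Msg 1 SYN(x) arrives; return the server's y used in Msg 2."""
        y = self._next
        self._next = (self._next + self._step) % 2**32
        return y


class RandomIsnServer:
    """Toy server that draws a fresh, unpredictable 32-bit ISN per connection."""

    def accept(self, x):
        return secrets.randbits(32)


def isn_is_predictable(server):
    """Model of the notes' Msg-alpha then Msg-beta sequence: complete two
    legitimate handshakes to observe the server's y values, extrapolate the
    next y', then open a third connection and report whether the guess was
    right. True means the server's ISN generation is the vulnerability the
    notes describe; False means randomisation has closed it."""
    y1 = server.accept(x=1)
    y2 = server.accept(x=2)
    step = (y2 - y1) % 2**32
    guess = (y2 + step) % 2**32
    actual = server.accept(x=3)      # the connection whose y' is being guessed
    return guess == actual


if __name__ == "__main__":
    print("fixed-step ISN predictable:", isn_is_predictable(PredictableIsnServer()))
    print("random ISN predictable:    ", isn_is_predictable(RandomIsnServer()))
```

The random case can only match by a 1-in-2^32 accident, which is the whole point of the countermeasure: the attacker who never sees Msgβ2 has nothing better than a blind guess.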
SYN-Flooding
There’s a limit on the number of concurrent ‘half-open’ TCP connections per port. When the limit is
reached, TCP discards all new incoming connection requests. The limit varies.
Half-open connections time out (after around 75 seconds).
The attack:
• Attacker floods the destination server with opening messages, flooding available
connections and denying valid connections.
• Attacker makes sure that SYNs are sent faster than half-open connections expire.
• IP numbers are non-existent/randomly generated.
• Source of attack not apparent since the IP address is spoofed.
Distributed Denial of Service (DDoS): the attacker uses a large number of compromised systems
(zombies) to carry out a distributed version of the above.
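To see the effect of the half-open limit and the 75-second timeout on real traffic, here is an added Python example (not from the original notes) that replays a constructed connection log against a model of the server's half-open table. The log, the small backlog limit of 5 and the function names are the example's own; the single-port table stands in for the per-port limit the notes describe.

```python
from collections import OrderedDict

HALF_OPEN_TIMEOUT = 75.0   # seconds; the figure quoted in the notes
BACKLOG_LIMIT = 5          # constructed: real per-port limits are larger and vary by OS

# Constructed connection log: "<time> <src_ip:src_port> <dst_port> <flag>".
# One legitimate client completes its handshake; then a burst of SYNs from
# spoofed sources that is never completed; then a legitimate client arrives
# while the table is full; finally a client arrives after the entries expire.
LOG = """\
0.0 10.0.0.5:40001 80 SYN
0.1 10.0.0.5:40001 80 ACK
1.0 198.51.100.1:1111 80 SYN
1.2 198.51.100.2:2222 80 SYN
1.4 198.51.100.3:3333 80 SYN
1.6 198.51.100.4:4444 80 SYN
1.8 198.51.100.5:5555 80 SYN
2.0 198.51.100.6:6666 80 SYN
3.0 10.0.0.7:40002 80 SYN
80.0 10.0.0.8:40003 80 SYN
80.1 10.0.0.8:40003 80 ACK
"""


def analyse(log, limit=BACKLOG_LIMIT, timeout=HALF_OPEN_TIMEOUT):
    """Replay the log against a model of the half-open table and report
    which SYNs the server would have refused."""
    half_open = OrderedDict()   # (src, dst_port) -> time the SYN arrived
    dropped = []                # (time, src) of SYNs refused because the table was full
    peak = 0
    for line in log.splitlines():
        t, src, dport, flag = line.split()
        t, dport = float(t), int(dport)
        # expire entries older than the timeout before handling this packet
        for key in [k for k, ts in half_open.items() if t - ts > timeout]:
            del half_open[key]
        key = (src, dport)
        if flag == "SYN":
            if len(half_open) >= limit:
                dropped.append((t, src))     # Msg 1 discarded: no room for Msg 2
                continue
            half_open[key] = t
        elif flag == "ACK":
            half_open.pop(key, None)         # Msg 3 seen: handshake complete
        peak = max(peak, len(half_open))
    return {"peak_half_open": peak, "dropped": dropped, "half_open_at_end": len(half_open)}


if __name__ == "__main__":
    for t, src in analyse(LOG)["dropped"]:
        print(f"t={t:5.1f}  SYN from {src} refused: half-open table full")
```

Five unanswered SYNs are enough to refuse the legitimate client at t=3.0, and the table only frees up at t=80.0 when the spoofed entries pass the 75-second timeout; the attacker's job is simply to keep sending SYNs faster than that expiry.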
Avoiding SYN Flooding Attacks
• Reduce the timeout period to a short time, eg 10 seconds, to make it harder to
maintain the attack window; may deny legitimate access.
• Increase the number of half-open connections allowed. Increases resource
requirements.
• Disable non-essential services in order to reduce the number of ports that can be
attacked.
• Synkill is an active monitor that inspects the packet source IP address against good/bad
lists of IP addresses. Behaviour during the 3-way handshake influences list membership.
• Use a firewall (in between the public network and the server) to throttle the number of
packets permitted.
• Use SYN-cache, SYN-cookies.
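The last item deserves a worked example, since SYN-cookies remove the half-open table altogether. The Python below is an added example, not part of the notes: the server answers Msg 1 with a y that is a keyed hash of the connection 4-tuple, the client's x and a coarse time slot, stores nothing, and on Msg 3 recomputes y from the packet's own fields. The secret key, slot length and function names are the example's own; a real implementation (Linux, FreeBSD) also encodes the negotiated MSS in the cookie, which is omitted here.

```python
import hashlib
import hmac

SECRET = b"constructed-server-secret"   # constructed; a real server uses a random key
SLOT_SECONDS = 64                        # coarse time slot encoded in the cookie
MASK27 = 0x07FF_FFFF                     # low 27 bits of the ISN carry the hash


def _slot(now):
    """5-bit time counter placed in the top bits of the ISN."""
    return int(now // SLOT_SECONDS) & 0x1F


def _mac(src, sport, dst, dport, slot, x):
    """27-bit keyed hash over the 4-tuple, the slot and the client's ISN x."""
    msg = f"{src}|{sport}|{dst}|{dport}|{slot}|{x}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & MASK27


def make_cookie(src, sport, dst, dport, x, now):
    """Server ISN y for Msg 2 SYN(y), ACK(x+1). Nothing is stored for the
    half-open connection; y itself is the only 'state'."""
    slot = _slot(now)
    return (slot << 27) | _mac(src, sport, dst, dport, slot, x)


def check_ack(src, sport, dst, dport, seq, ack, now):
    """Msg 3 arrives as sequence number x+1 with ACK(y+1). Recover x and y
    from the packet, recompute the cookie and accept only if it matches one
    issued within the last slot. A SYN that is never followed up costs the
    server nothing, so a flood of spoofed SYNs cannot fill a table."""
    y = (ack - 1) & 0xFFFF_FFFF
    x = (seq - 1) & 0xFFFF_FFFF
    slot = y >> 27
    if ((_slot(now) - slot) & 0x1F) > 1:      # cookie too old: stale or forged
        return False
    expected = _mac(src, sport, dst, dport, slot, x)
    return hmac.compare_digest(
        (y & MASK27).to_bytes(4, "big"), expected.to_bytes(4, "big")
    )


if __name__ == "__main__":
    # constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.1:80, x = 12345
    y = make_cookie("198.51.100.7", 40000, "203.0.113.1", 80, 12345, now=1000.0)
    print("genuine Msg 3 accepted:", check_ack("198.51.100.7", 40000, "203.0.113.1", 80, 12346, y + 1, now=1001.0))
    print("forged ACK accepted:   ", check_ack("198.51.100.7", 40000, "203.0.113.1", 80, 12346, y + 2, now=1001.0))
```

The trade-off is that the server cannot retransmit Msg 2 (it has no record of it) and the 27-bit hash leaves a small brute-force window per slot, which is why most stacks only switch cookies on once the ordinary backlog is under pressure.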
TCP/IP Vulnerabilities: some other attacks
• Sniping: the attacker gets sequence numbers from packets and sends an RST packet to
close the connection.
• Hijacking: the attacker snipes one end of a connection and takes over talking to the other
side.
• Packet Sniffing: read the contents of packets (eg user id/password).
• Echo Service (Port 7): send a packet to the target IP spoofed from the same IP; the host may spend
all its resources in a loop echoing itself (fixed in most implementations).
• DNS Spoofing: typically weak authentication between name servers; convince the local
name server that a domain name points to some IP address.
• Probing
  • Attempt a connection to the target host/port; an RST reply means the port is closed,
  probably. The target may log the probe.
  • As above, but the attacker does not reply to the SYN/ACK; less likely that the target
  will log the probe.
  • FIN scanning. Send a FIN packet; if the port is closed then the target sends an RST. If
  open then the target drops the FIN. Less likely to be logged.
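"Less likely to be logged" is a statement about default logging, not about what is visible on the wire. As an added example (not from the notes), the Python below runs two simple detections over a constructed list of packet records as a host firewall would see them: a burst of distinct destination ports from one source within a short window, and a FIN to a port that source never opened with a SYN. The record format, thresholds and function names are the example's own.

```python
from collections import defaultdict

# Constructed packet records: (time, src_ip, dst_port, flags).
# A normal client on port 80, a source walking six ports with SYNs,
# and a source sending bare FINs to ports it never connected to.
PACKETS = [
    (0.0, "10.0.0.5", 80, "SYN"), (0.1, "10.0.0.5", 80, "ACK"),
    (5.0, "198.51.100.9", 21, "SYN"), (5.1, "198.51.100.9", 22, "SYN"),
    (5.2, "198.51.100.9", 23, "SYN"), (5.3, "198.51.100.9", 25, "SYN"),
    (5.4, "198.51.100.9", 80, "SYN"), (5.5, "198.51.100.9", 110, "SYN"),
    (9.0, "203.0.113.4", 22, "FIN"), (9.1, "203.0.113.4", 443, "FIN"),
    (9.2, "203.0.113.4", 8080, "FIN"),
]
WINDOW = 10.0        # seconds over which distinct ports per source are counted
PORT_THRESHOLD = 5   # distinct ports within the window that trigger a finding


def detect_probes(packets, window=WINDOW, threshold=PORT_THRESHOLD):
    """Return a list of human-readable findings, in time order."""
    findings = []
    syn_seen = set()               # (src, port) pairs that carried a SYN
    per_src = defaultdict(list)    # src -> [(time, port)] for the sweep detector
    for t, src, port, flags in sorted(packets):
        if flags == "SYN":
            syn_seen.add((src, port))
        elif flags == "FIN" and (src, port) not in syn_seen:
            # a FIN can only legitimately follow an established connection
            findings.append(f"{t:.1f} {src}: FIN to port {port} with no prior SYN (possible FIN scan)")
        per_src[src].append((t, port))
        recent = {p for ts, p in per_src[src] if t - ts <= window}
        if len(recent) == threshold:   # fire once, as the threshold is crossed
            findings.append(f"{t:.1f} {src}: {len(recent)} distinct ports within {window:.0f}s (possible port scan)")
    return findings


if __name__ == "__main__":
    for line in detect_probes(PACKETS):
        print(line)
```

The half-open variant in the second probing bullet is caught by the same port-count rule, since it still sends a SYN per port; the FIN rule is what turns the "drops FIN silently" behaviour into an event worth recording.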