A Look Back At Security Problems In The TCP/IP Protocol Suite
Jielin Li

Original Paper: Security Problems In The TCP/IP Protocol Suite
• Bellovin takes a critical look at each of the components of the TCP/IP protocol suite.
  – From the network layer (e.g. routing) to the application layer.
• He discusses (potentially) exploitable flaws in each and, where possible, defenses against them.

Original Paper: Security Problems In The TCP/IP Protocol Suite
• Bellovin's look back is a review of his own old paper: "Security Problems in the TCP/IP Protocol Suite", Computer Communication Review, Vol. 19, No. 2, April 1989.
• The review's purpose:
  – Where the author's focus and predictions were accurate
  – Where the author was wrong
  – Where the dangers have yet to materialize
  – A general review of security problems in the TCP/IP protocols

Background of the Original Paper
• In April 1989 (when this paper was published) there were between 80k and 130k hosts on the Internet.
  – There were 162 million as of 07/2002.
• In November 1988, the Morris worm infected 10% of the Internet (some 6000 hosts), causing an estimated $98 million in damage.

What was discussed in this paper?
• TCP Sequence Number Prediction
• Routing Problems
• The Authentication Server
• Non-inherently Flawed Application Protocols
• Trivial Attacks
• Comprehensive Defense

1. TCP Sequence Number Prediction
• The normal TCP connection establishment sequence involves a 3-way handshake. The client selects and transmits an initial sequence number ISNc. The server acknowledges it and sends its own sequence number ISNs, and the client acknowledges that.
  [Figure: the 3-way handshake between Client and Server. Client sends SYN(ISNc); Server replies SYN(ISNs), ACK(ISNc); Client sends ACK(ISNs).]

1. TCP Sequence Number Prediction
• First described by Morris: if an intruder X finds a way to predict ISNs, it can send the following sequence to impersonate trusted host T.
  [Figure: X sends SYN(ISNx) to the Server with source address T; the Server sends SYN(ISNs), ACK(ISNx) to T; X sends ACK(ISNs) to the Server with source address T. The server's reply goes to T, not to X, so X must predict ISNs without seeing it.]

How to predict the random ISN?
• In Berkeley systems the ISN variable is:
  – incremented by a constant amount once per second, and
  – by half of that amount each time a connection is initiated.
• The host T will receive the server's reply and attempt to reset the connection. By impersonating a server port on T, and by flooding that port with apparent connection requests, the attacker could generate queue overflows that make it likely the server-to-client message is lost.
• Author's comment: the original paper mischaracterized Morris's paper. The queue-flooding technique described here anticipated the SYN-flooding denial-of-service attacks that began to occur in 1996.

1. TCP Sequence Number Prediction: a variant
• A variant: exploit the network statistics (netstat) service.
• Today netstat is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and network interface and protocol statistics.
• In 1989 many hosts also offered the same information as a network service (TCP port 15) to anyone who connected.
• If the netstat service is available on the target host, it may supply the necessary sequence number information on another port, so the attacker need not guess at all.

Defense
• Improve the relatively coarse rate of change of the initial sequence number variable, and its granularity.
• The instability of the Internet (variable round-trip times) also plays a role, since the attacker must time the forged ACK.
• Randomize the increment.
• Use a cryptographic algorithm to derive the ISN (the approach later standardized in RFC 1948).

2. Routing
• In the author's words, the routing attack was the only attack "discussed in this paper that hasn't been seen in the wild". That is no longer the case.
• Abuse of the routing mechanisms and protocols is probably the simplest protocol-based attack available. There are a variety of ways to do this, depending on the exact routing protocols in use. The paper describes attacks on:
  – Source routing
  – The Routing Information Protocol (RIP)
  – The Exterior Gateway Protocol (EGP)
  – The Internet Control Message Protocol (ICMP)

2.1. Source Routing
• Giving a packet an explicit path to follow to a destination.
  – If the target uses the inverse of the supplied route as the return path, it permits address spoofing.
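The ISN prediction attack of section 1 and the cryptographic defense from the Defense slide, as an added worked example (this is not code from the paper or from the slides). The Berkeley constants (128 per second, 64 per connection) are the ones the slides describe; the keyed-hash generator follows the RFC 1948 construction ISN = M + F(4-tuple, secret), with HMAC-SHA256 standing in for the RFC's MD5. The addresses (RFC 5737 documentation ranges), ports, secret and timestamps are constructed for the example.

```python
import hashlib
import hmac
import struct

MOD32 = 1 << 32

# 4.2BSD-style constants described on the Defense slide.
BSD_PER_SECOND = 128
BSD_PER_CONNECTION = 64


class BerkeleyISN:
    """Predictable generator: one global counter, bumped by a constant each
    second and by half that constant for every new connection."""

    def __init__(self, start=0):
        self.counter = start % MOD32
        self.last_second = 0

    def next_isn(self, now, four_tuple):
        # Catch up the per-second increments to `now` (integer seconds).
        self.counter = (self.counter + (now - self.last_second) * BSD_PER_SECOND) % MOD32
        self.last_second = now
        # Per-connection increment; the 4-tuple is ignored, which is the whole problem.
        self.counter = (self.counter + BSD_PER_CONNECTION) % MOD32
        return self.counter


class Rfc1948ISN:
    """ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret).
    M is a fast clock (4 microsecond ticks); F is a keyed hash of the 4-tuple,
    so every connection gets its own offset that an outsider cannot compute."""

    def __init__(self, secret, start=0):
        self.secret = secret
        self.m = start % MOD32
        self.last_second = 0

    def next_isn(self, now, four_tuple):
        self.m = (self.m + (now - self.last_second) * 250_000) % MOD32
        self.last_second = now
        msg = "|".join(str(x) for x in four_tuple).encode()
        f = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (self.m + struct.unpack(">I", f[:4])[0]) % MOD32


def predict_isn(observed_isn, seconds_elapsed):
    """Morris/Bellovin prediction: the attacker's own connection was answered
    with observed_isn; a spoofed SYN sent seconds_elapsed later expects
    observed + per-second drift + one per-connection increment."""
    return (observed_isn + seconds_elapsed * BSD_PER_SECOND + BSD_PER_CONNECTION) % MOD32


def run_attack(generator, delay=0):
    """Run the two-step attack against a server using `generator`.
    Constructed addresses; port 513 is rlogin, the classic address-authenticated service."""
    server, attacker, trusted = "192.0.2.1", "203.0.113.7", "192.0.2.10"
    # Step 1: the attacker opens a legitimate connection and reads ISNs off the SYN-ACK.
    observed = generator.next_isn(100, (server, 513, attacker, 1023))
    # Step 2: the attacker sends a SYN with source address `trusted`; the SYN-ACK
    # goes to the trusted host, so the attacker must guess ISNs for the forged ACK.
    actual = generator.next_isn(100 + delay, (server, 513, trusted, 1023))
    guess = predict_isn(observed, delay)
    return {"success": guess == actual, "guess": guess, "actual": actual}


if __name__ == "__main__":
    print("Berkeley, no delay :", run_attack(BerkeleyISN()))
    print("Berkeley, 3 s delay:", run_attack(BerkeleyISN(), delay=3))
    print("RFC 1948           :", run_attack(Rfc1948ISN(b"constructed-secret")))
```

Against the Berkeley generator the guess is exact even with a delay, because the attacker knows both increments; against the keyed-hash generator the offset observed on the attacker's own connection says nothing about the trusted host's 4-tuple, so the guess misses.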
2.1. Source Routing (continued)
  – Note that even if the target ignores the inverse path, an attacker who can predict an ISN can still spoof addresses.

2.1. Source Routing
• If available, the easiest mechanism to abuse is IP source routing.
• Assume the target host uses the reverse of the source route provided in a TCP open request for return traffic.
• Then the attacker can pick any IP address, including that of a trusted machine on the target's local network.
• Any facilities available to such a machine become available to the attacker.

2.1. Source Routing
• Defense
  – The best idea, though hard to deploy everywhere: the gateways into the local net reject external packets that claim to be from the local net (what is now called ingress filtering).
  – A simple method, and the most common configuration today: reject source-routed packets at border routers, whether or not they fill other firewall-related roles.

2.2. Routing Information Protocol Attack
• The Routing Information Protocol (RIP) is a standard for exchanging routing information among gateways and hosts. Typically the information received is unchecked.

2.2. Routing Information Protocol Attack
• Two attack modes are discussed:
  – Host impersonation: diverting packets for a specific host to compromise schemes which use the source address for authentication.
  – "Man-in-the-middle": diverting packets for inspection and then forwarding them on via source routing.

2.2. Routing Information Protocol Attack
• The intruder sends bogus routing information to a target host, and to each of the gateways along the way, to impersonate a particular host. The most likely attack of this sort would be to claim a route to a particular unused host, rather than to a network; this would cause all packets destined for that host to be sent to the intruder's machine. Once this is done, protocols that rely on address-based authentication are effectively compromised.

2.2. Routing Information Protocol Attack
• RIP has fallen out of fashion, but is still run on some medium-sized networks.
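The border-router defense from section 2.1 (reject source-routed packets, and reject external packets that claim an internal source) as an added example; this is not code from the paper or the slides. It parses the IPv4 options area for the loose and strict source-route options (types 131 and 137), shows the return path a naive host would use, and applies the two rejection rules. The packet bytes, the addresses (RFC 5737 ranges) and the helper names are constructed for the example.

```python
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # loose / strict source and record route


def parse_ipv4_options(packet):
    """Walk the options area of an IPv4 header; return [(type, option_data)]."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    opts, i, found = packet[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:            # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option length")
        length = opts[i + 1]
        found.append((t, bytes(opts[i + 2:i + length])))
        i += length
    return found


def source_route(packet):
    """Return ("loose"|"strict", pointer, [hop addresses]) if the packet is
    source routed, else None."""
    for t, data in parse_ipv4_options(packet):
        if t in (IPOPT_LSRR, IPOPT_SSRR):
            pointer, raw = data[0], data[1:]
            hops = [str(ipaddress.IPv4Address(raw[k:k + 4])) for k in range(0, len(raw) // 4 * 4, 4)]
            return ("strict" if t == IPOPT_SSRR else "loose", pointer, hops)
    return None


def naive_return_route(packet):
    """What a host that 'uses the inverse of the supplied route' does: it replies
    along the hops in reverse, toward whatever source address was claimed."""
    sr = source_route(packet)
    src = str(ipaddress.IPv4Address(packet[12:16]))
    return (list(reversed(sr[2])) if sr else []) + [src]


def border_router_accepts(packet, local_net):
    """Policy for packets arriving on the external interface: the two defenses
    from the slides, in the order a router would apply them."""
    src = ipaddress.IPv4Address(packet[12:16])
    if src in ipaddress.ip_network(local_net):
        return False, "external packet claims an internal source address"
    if source_route(packet) is not None:
        return False, "source-routed packet rejected"
    return True, "accepted"


# --- constructed sample packets (not captured traffic) ---

def build_packet(src, dst, options=b""):
    """Minimal IPv4 header (no payload) with the given options, padded to 32 bits."""
    options += bytes(-len(options) % 4)      # pad with EOL (0x00)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + options


def lsrr_option(hops):
    raw = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(raw), 4]) + raw   # type, length, pointer=4


if __name__ == "__main__":
    # Attacker at 203.0.113.7 claims to be trusted host 192.0.2.10 and routes the
    # packet through itself; a naive target would send the reply back through it.
    spoofed = build_packet("192.0.2.10", "192.0.2.1", lsrr_option(["203.0.113.7", "192.0.2.1"]))
    print(source_route(spoofed), naive_return_route(spoofed))
    print(border_router_accepts(spoofed, "192.0.2.0/24"))
    print(border_router_accepts(build_packet("203.0.113.7", "192.0.2.1"), "192.0.2.0/24"))
```

The return-route function is the vulnerable behaviour, shown only to make the spoof concrete: the reversed hop list leads through the attacker's own address before reaching the claimed trusted source.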
2.2. Routing Information Protocol Attack (continued)
• Author's comment:
  – Attacks on routing protocols, for eavesdropping and/or packet modification, have been identified as one of the two major threats to the Internet.
  – Defense against routing attacks is still considered a research problem.
  – Routing attacks have happened frequently. The most famous case is the "AS 7007" incident of April 25, 1997, when an ISP started advertising that it had the best routes to most of the Internet.

2.2. Routing Information Protocol Attack
• Defenses
  – Skepticism: make RIP more skeptical about the routes it accepts (for example, refusing routes to single hosts).
  – Cryptographic authentication: for a broadcast protocol like RIP, this requires a pervasive PKI.

2.2. Routing Information Protocol Attack
• The author's look back:
  – The original paper is one of the earliest to mention routing attacks.
  – The "AS 7007" incident.
  – Are malicious routing attacks happening? Yes.
  – RIP has fallen out of fashion, but is still run on some medium-sized networks.

2.3. Exterior Gateway Protocol
• The Exterior Gateway Protocol (EGP) is intended for communications between the core gateways and so-called exterior gateways.

2.3. Exterior Gateway Protocol
• Attacks:
  – Claim reachability for some network where the real gateway is down.
  – Impersonate a second exterior gateway for the same autonomous system.
  – A sequence number attack.

2.4. The Internet Control Message Protocol
• The Internet Control Message Protocol (ICMP) is the basic network management tool of the TCP/IP protocol suite.

2.4. The Internet Control Message Protocol
• Dangers
  – ICMP Redirect messages can be forged to change a host's routing.
  – ICMP can be used for targeted denial-of-service attacks (a forged Destination Unreachable message, for example, can tear down a connection).
• Defense
  – Check whether a message really does refer to a particular connection (a redirect quotes the header of the packet that triggered it).
  – Restrict route changes to the specified connection; do not update global routing tables because of redirect messages.

3. The Authentication Server
• Many hosts run an authentication server which will, given a port, return the effective user id of the process attached to that port.
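The "skepticism" defense for RIP (section 2.2) and the redirect checks for ICMP (section 2.4) as one added example; this is not code from the paper or the slides. It parses a RIPv2 response and an ICMP redirect from constructed bytes, refuses host routes and routes for directly connected networks from anyone who is not a directly connected neighbour, and accepts a redirect only when the quoted packet belongs to an existing connection and the new gateway is on the local network. The rule set, the addresses (RFC 5737 ranges), the connection table and the helper names are assumptions for the example.

```python
import ipaddress
import struct

RIP_RESPONSE, RIP_INFINITY = 2, 16
HOST_MASK = ipaddress.IPv4Address("255.255.255.255")


def parse_rip_response(data):
    """RIPv2 response: 4-byte header, then 20-byte entries
    (AFI, tag, address, mask, next hop, metric)."""
    if data[0] != RIP_RESPONSE:
        raise ValueError("not a RIP response")
    entries = []
    for off in range(4, len(data) - 19, 20):
        _afi, _tag, addr, mask, _nexthop, metric = struct.unpack("!HH4s4s4sI", data[off:off + 20])
        entries.append((ipaddress.IPv4Address(addr), ipaddress.IPv4Address(mask), metric))
    return entries


def skeptical_rip(sender, data, connected):
    """Only a directly connected neighbour may announce routes; metrics must be
    sane; routes to single hosts (the attack on the slides) or to our own
    networks are refused. Returns (accepted, rejected)."""
    nets = [ipaddress.ip_network(c) for c in connected]
    if not any(ipaddress.IPv4Address(sender) in n for n in nets):
        return [], ["sender is not a directly connected neighbour"]
    accepted, rejected = [], []
    for addr, mask, metric in parse_rip_response(data):
        if not 1 <= metric <= RIP_INFINITY:
            rejected.append(f"{addr}: bad metric {metric}")
        elif mask == HOST_MASK:
            rejected.append(f"{addr}: host route refused")
        else:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            if any(net.overlaps(n) for n in nets):
                rejected.append(f"{net}: overlaps a directly connected network")
            else:
                accepted.append((str(net), metric))
    return accepted, rejected


def check_icmp_redirect(icmp, sender, our_ip, gateway_in_use, connections, local_net):
    """Validate an ICMP redirect (type 5) before acting on it. Returns the
    (destination, new gateway) pair for a host route covering only that
    destination; the global routing table is never touched."""
    icmp_type, code, _chk, gw = struct.unpack("!BBH4s", icmp[:8])
    if icmp_type != 5 or code > 3:
        raise ValueError("not an ICMP redirect")
    if sender != gateway_in_use:
        raise ValueError("redirect did not come from the gateway we are using")
    inner = icmp[8:]                              # quoted IP header + first 8 bytes of payload
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src, dst = ipaddress.IPv4Address(inner[12:16]), ipaddress.IPv4Address(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    if str(src) != our_ip:
        raise ValueError("quoted packet was not sent by this host")
    if (proto, sport, str(dst), dport) not in connections:
        raise ValueError("redirect does not refer to any existing connection")
    new_gw = ipaddress.IPv4Address(gw)
    if new_gw not in ipaddress.ip_network(local_net):
        raise ValueError("new gateway is not on the local network")
    return str(dst), str(new_gw)


# --- constructed sample messages (not captured traffic) ---

def rip_entry(addr, mask, metric):
    return struct.pack("!HH4s4s4sI", 2, 0, ipaddress.IPv4Address(addr).packed,
                       ipaddress.IPv4Address(mask).packed, b"\0\0\0\0", metric)


def icmp_redirect(new_gw, src, dst, sport, dport, proto=6):
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return (struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(new_gw).packed)
            + quoted + struct.pack("!HHI", sport, dport, 0))


def demo():
    rip = (bytes([2, 2, 0, 0]) + rip_entry("198.51.100.0", "255.255.255.0", 2)
           + rip_entry("10.9.9.9", "255.255.255.255", 1) + rip_entry("192.0.2.0", "255.255.255.0", 1))
    routes = skeptical_rip("192.0.2.254", rip, ["192.0.2.0/24"])
    conns = {(6, 40000, "198.51.100.5", 80)}        # one open TCP connection to a web server
    args = ("192.0.2.254", "192.0.2.10", "192.0.2.254", conns, "192.0.2.0/24")
    good = check_icmp_redirect(icmp_redirect("192.0.2.253", "192.0.2.10", "198.51.100.5", 40000, 80), *args)
    try:
        check_icmp_redirect(icmp_redirect("192.0.2.253", "192.0.2.10", "198.51.100.5", 40001, 80), *args)
        bad = None
    except ValueError as e:
        bad = str(e)
    return routes, good, bad
```

The RIP filter accepts the one ordinary network route, refuses the host route (an attacker "claiming a route to a particular unused host") and refuses the route for the network we are already on; the redirect for the real connection yields a host route, while the one quoting a port we never used is rejected.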
3. The Authentication Server (continued)
• A server that wishes to know the identity of its client may contact the client host's authentication server and ask it for information about the user owning a particular connection.
• This request involves a second TCP connection, which helps defeat ISN-guessing and source-routing attacks on the first one.

3. The Authentication Server
• Not all hosts are competent to run authentication servers.
• The authentication message itself can be compromised by routing table attacks.
• If the target host is down, a variant of the TCP sequence number attack may be used.
• Defense
  – A more secure means of validation, such as the Needham-Schroeder algorithm. TCP by itself is inadequate.
  – Essentially: don't trust ident for anything important.

4. Application Protocols
• The author reviewed some protocols which can be susceptible to abuse, although they are not inherently flawed, including:
  – The "finger" service
  – Electronic mail
  – The Domain Name System (DNS)
  – The File Transfer Protocol (FTP)

4.1. The finger service
• In the "Good Old Days" when everyone was running Unix, you could gather information on a user by fingering the user at their host. Additionally, if you fingered a host it would report all currently logged-in users.

    $ finger dberger@rage.oubliette.org
    Login: dberger                          Name: Dan Berger
    Directory: /home/dberger                Shell: /bin/bash2
    On since Sat Feb  8 17:38 (PST) on :0 (messages off)
    On since Tue Feb 11 12:13 (PST) on pts/3 from walkabout.cs.ucr.edu
    Mail last read Tue Feb 11 12:18 2003 (PST)
    No Plan.

4.1. The finger service
• Many systems implement a finger service. It will display useful information about users, such as their full names, phone numbers, office numbers, etc. Unfortunately, such data provides useful grist for the mill of a password cracker.

4.1. The finger service
• Proposed defense
  – Simple: turn the service off.
  – In general, this turns out to be good advice:
    1. If you don't need a service, disable it.
    2. What isn't running can't be exploited.
4.2. Electronic Mail: POP
• The Post Office Protocol (POP) allows a remote user to retrieve mail stored on a central server machine.
• POP, then POP2, and now POP3 are all similar: they provide a line-oriented protocol for simple mailbox retrieval.
• They are all plain-text protocols, and pass authentication secrets over a typically unprotected channel.

4.2. Electronic Mail: POP
• In the POP of the day, a single command contained both the user name and the password.
• The author suggests one-time passwords, which require a challenge from the server.
• That means splitting the user name and password into two commands, so the server can issue the challenge after seeing the user name (POP3 uses separate USER and PASS commands).

4.3. The Domain Name System
• It's interesting that DNS gets such a "just another service" treatment.
  – Recall that in 1989 the Internet was a bunch of islands of connectivity.
  – The need for pervasive DNS really came with the web.
• The author concerns himself primarily with information leakage from DNS. By transferring a zone file, you can:
  – learn the relative size of an organization,
  – potentially learn something about its intranet topology, and
  – extract a list of "interesting"-looking targets.
• Remember: this is several years before the notion of a firewall was commonplace.

4.3. The Domain Name System
• Other DNS concerns raised by the author:
  – A sequence number attack
  – Authentication (DNS data carry none)
  – Spying on Internet traffic

4.4. The File Transfer Protocol
• FTP itself is not flawed. However, a few aspects of its implementation merit some care:
  – FTP authentication
  – Anonymous FTP

4.4. The File Transfer Protocol
• Like nearly all protocols of its day, FTP transmits authentication secrets in plaintext over an insecure channel.
• Bellovin mentions one-time passwords:
  – Systems like S/KEY, SecurID and others.
  – A user is issued a device or program that generates the next password given a challenge.

5. Trivial Attack: Ethernet
• Local networks, notably Ethernet networks, are vulnerable to eavesdropping and host spoofing.
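The one-time-password mechanism mentioned under POP (4.2) and FTP (4.4), as an added example that serves both passages; it is not code from the paper or the slides. It follows the S/KEY hash-chain scheme (the server stores only the next expected hash, the client answers a challenge "n seed" by hashing its pass-phrase n times) but uses SHA-256 truncated to 8 bytes in place of RFC 1760's MD4, and models the two-command USER/PASS shape the slides argue for. The user, pass-phrase, seed, chain length and helper names are constructed for the example.

```python
import hashlib


def otp_hash(data):
    """One step of the chain. RFC 1760 uses MD4 folded to 64 bits; this added
    example uses SHA-256 truncated to 8 bytes."""
    return hashlib.sha256(data).digest()[:8]


def otp_chain(secret, seed, n):
    """h^n(seed || secret): what the user's calculator computes from the
    challenge 'n seed' plus the pass-phrase only the user knows."""
    value = (seed + secret).encode()
    for _ in range(n):
        value = otp_hash(value)
    return value


class OtpServer:
    """Stores only the next expected hash, never the pass-phrase."""

    def __init__(self):
        self.state = {}          # user -> (n, seed, h^n)

    def enroll(self, user, secret, seed, n=100):
        self.state[user] = (n, seed, otp_chain(secret, seed, n))

    def challenge(self, user):
        n, seed, _ = self.state[user]
        if n <= 1:
            raise RuntimeError("chain exhausted, re-enroll")
        return f"otp-sha256 {n - 1} {seed}"

    def verify(self, user, response):
        n, seed, stored = self.state[user]
        if otp_hash(response) != stored:          # h(h^(n-1)) must equal the stored h^n
            return False
        self.state[user] = (n - 1, seed, response)   # the value just used becomes the new target
        return True


class OtpClient:
    def __init__(self, secret):
        self.secret = secret

    def answer(self, challenge):
        _, n, seed = challenge.split()
        return otp_chain(self.secret, seed, int(n))


def pop3_login(server, user, client):
    """Two-command login: the server can only issue a challenge once USER has
    named the account; PASS then carries the one-time value."""
    chal = server.challenge(user)                      # returned in the reply to USER
    return server.verify(user, client.answer(chal))    # checked when PASS arrives


def demo():
    server = OtpServer()
    server.enroll("alice", "correct horse battery", "sk4321", n=5)   # constructed enrollment
    alice, mallory = OtpClient("correct horse battery"), OtpClient("wrong guess")
    first = pop3_login(server, "alice", alice)
    # An eavesdropper who captured the value just used cannot reuse it, and
    # cannot invert the hash to get the next one; a wrong pass-phrase fails too.
    chal = server.challenge("alice")
    replay_ok = server.verify("alice", alice.answer("otp-sha256 4 sk4321"))
    wrong_ok = server.verify("alice", mallory.answer(chal))
    second = pop3_login(server, "alice", alice)
    return first, replay_ok, wrong_ok, second
```

Each successful login moves the server one step down the chain, so a captured response is worthless by the time the eavesdropper can use it; that is what makes the scheme safe over the plain-text channel the slides complain about, while the pass-phrase itself never crosses the wire.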
5. Trivial Attack: Ethernet (continued)
  – Host spoofing is easy if the local network uses the Address Resolution Protocol (ARP), since ARP replies are accepted without any authentication.
  – DoS attacks can be launched by triggering a broadcast storm.
  – For a short time it was said that fibre optic (rather than copper) removed the eavesdropping vulnerability, but that was quickly recanted when a simple device to tap fibre was demonstrated.

5. Trivial Attack
• The Trivial File Transfer Protocol (TFTP)
  – Permits file transfers without any attempt at authentication.
• Reserved ports
  – Berkeley-based TCP and UDP implementations have the notion of a "privileged port" (below 1024, which only root may bind), which the author regards as a bad idea.
  – Suffice it to say that since the first non-Unix machine appeared on the Internet, relying on privileged ports for any form of authentication or security has been a Bad Idea™.

6. Comprehensive Defence
• The author mentions some broad-spectrum defense techniques, including:
  – Authentication
  – Encryption
  – Trusted systems

6.1. Authentication
• Many intrusions succeed only because the target host uses the IP source address for authentication, so some form of cryptographic authentication is needed. One option is the Needham-Schroeder algorithm, which requires that each participating host share a key with an authentication server.
• Be careful to use the session key to encrypt the entire conversation, not just the authentication exchange; otherwise the connection can still be hijacked after authentication succeeds.

6.1. Authentication
• Author's comment: Needham-Schroeder, the best-known such algorithm, was found in 1996 to have a new flaw (Lowe's man-in-the-middle attack on the public-key variant).
• Vulnerability status, 2003:
  – Most connections are still unauthenticated.
  – SSL provides authentication based on centralized trust.

6.2. Encryption
• Link-level encryption, encrypting each packet as it leaves the host computer, is an excellent method of guarding against disclosure of information and physical intrusion, but it has some weaknesses:
  – Broadcast packets are difficult to secure.
  – Link-level encryption is not end-to-end.
• End-to-end encryption, above the TCP level, may be used to secure any conversation, regardless of the number of hops or the quality of the links.
• End-to-end encryption is vulnerable to denial-of-service attacks, since fraudulently injected packets can pass the TCP checksum tests and make it to the application; the application rejects them, but the TCP stream is already corrupted.

6.3. Trusted Systems
• The so-called Rainbow Books (available on-line [6]) prescribe stratified security requirements for U.S. government systems.
• Systems are rated in terms of increasing trust from D to A1.
• The military security model:
  – A subject can read an object if the subject's label has a higher or equal hierarchical level and if all of the object's non-hierarchical components (compartments) are included in the subject's label.

6.3. Trusted Systems
• Applying this model to the TCP/IP protocol suite: when a process creates a TCP connection, that connection is given the process's label.
• Author's comment: two technical points are worth noting.
  – First, routing attacks could be mitigated by maintenance of separate routing tables (by multi-level secure routers).
  – Second, what forms of authentication are acceptable would depend on detailed knowledge of what sorts of hosts were connected to what sorts of networks.

7. Conclusion
• Hosts should not give away knowledge gratuitously.
• Network control mechanisms are dangerous and must be guarded.
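Passive detection of the ARP host spoofing mentioned under section 5, as an added example; this is not code from the paper or the slides. It parses raw ARP payloads, keeps the IP-to-MAC bindings it has seen, and alerts on two things a poisoning attack produces: a reply that answers no recent request, and a binding that changes. The ARP frames, MAC and IP addresses (RFC 5737 range), timings and class names are constructed for the example.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"        # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def parse_arp(payload):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return op, mac_str(sha), str(ipaddress.IPv4Address(spa)), mac_str(tha), str(ipaddress.IPv4Address(tpa))


def build_arp(op, sha, spa, tha, tpa):
    """Constructed ARP payload (28 bytes, Ethernet header omitted)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, mac_bytes(sha),
                       ipaddress.IPv4Address(spa).packed, mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)


class ArpWatch:
    """Passive monitor: learns IP->MAC bindings and raises alerts when a binding
    changes or when a reply answers no recent request (cache poisoning looks
    like both)."""

    def __init__(self, window=5.0):
        self.window = window
        self.bindings = {}        # ip -> mac
        self.pending = []         # (time, asker_ip, asked_ip)
        self.alerts = []

    def observe(self, t, payload):
        op, sha, spa, _tha, tpa = parse_arp(payload)
        self.pending = [p for p in self.pending if t - p[0] <= self.window]
        if op == ARP_REQUEST:
            self.pending.append((t, spa, tpa))
        elif op == ARP_REPLY:
            match = next((p for p in self.pending if p[1] == tpa and p[2] == spa), None)
            if match is None:
                self.alerts.append((t, "unsolicited reply", spa, sha))
            else:
                self.pending.remove(match)
        self._learn(t, spa, sha)

    def _learn(self, t, ip, mac):
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append((t, "binding changed", ip, f"{old} -> {mac}"))
        self.bindings[ip] = mac


def demo():
    """Constructed traffic: a host resolves its gateway, then 30 s later an
    attacker claims the gateway's address with its own MAC."""
    host, gw, evil = "02:00:00:00:00:0a", "02:00:00:00:00:01", "02:00:00:00:00:66"
    frames = [
        (0.0, build_arp(ARP_REQUEST, host, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1")),
        (0.1, build_arp(ARP_REPLY, gw, "192.0.2.1", host, "192.0.2.10")),
        (30.0, build_arp(ARP_REPLY, evil, "192.0.2.1", host, "192.0.2.10")),
    ]
    watch = ArpWatch()
    for t, frame in frames:
        watch.observe(t, frame)
    return watch.alerts, watch.bindings
```

The monitor cannot stop the poisoning (the victim's cache already accepted the reply, exactly as the slides say), but the pair of alerts is the signal a network operator would page on; the time window keeps a legitimate late reply from being flagged as unsolicited.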
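Lowe's 1996 attack on the public-key Needham-Schroeder protocol, the flaw referred to in section 6.1, as an added worked example; this is not code from the paper or the slides. Public-key encryption is modelled by a Sealed envelope that only the named recipient can open, the principal names and nonces are constructed, and fixed=True applies Lowe's repair of adding the responder's name to message 2.

```python
import secrets


class Sealed:
    """Toy public-key envelope {payload}_pk(to): only `to` can open it."""

    def __init__(self, to, payload):
        self.to, self.payload = to, payload

    def open(self, who):
        if who != self.to:
            raise PermissionError(f"{who} lacks the private key of {self.to}")
        return self.payload


def fresh_nonce():
    return secrets.token_hex(8)


class Initiator:
    def __init__(self, name, fixed):
        self.name, self.fixed, self.peer, self.nb = name, fixed, None, None

    def msg1(self, peer):                      # 1. A -> B: {Na, A}_pkB
        self.peer, self.na = peer, fresh_nonce()
        return Sealed(peer, (self.na, self.name))

    def msg3(self, m2):                        # 3. A -> B: {Nb}_pkB
        payload = m2.open(self.name)
        if self.fixed:                         # Lowe's fix: message 2 names the responder
            na, nb, responder = payload
            if responder != self.peer:
                raise ValueError("message 2 came from a different responder")
        else:
            na, nb = payload
        if na != self.na:
            raise ValueError("nonce mismatch")
        self.nb = nb
        return Sealed(self.peer, (nb,))


class Responder:
    def __init__(self, name, fixed):
        self.name, self.fixed, self.accepted = name, fixed, None

    def msg2(self, m1):                        # 2. B -> A: {Na, Nb}_pkA   (fixed: {Na, Nb, B}_pkA)
        na, claimed_peer = m1.open(self.name)
        self.peer, self.nb = claimed_peer, fresh_nonce()
        body = (na, self.nb, self.name) if self.fixed else (na, self.nb)
        return Sealed(claimed_peer, body)

    def finish(self, m3):
        (nb,) = m3.open(self.name)
        if nb != self.nb:
            raise ValueError("nonce mismatch")
        self.accepted = self.peer              # B now believes it shares Na, Nb with peer


def honest_run(fixed):
    a, b = Initiator("A", fixed), Responder("B", fixed)
    b.finish(a.msg3(b.msg2(a.msg1("B"))))
    return b.accepted == "A" and a.nb == b.nb


def lowe_attack(fixed):
    """A opens a session with I, a legitimate but dishonest principal, who
    relays the exchange to B while posing as A."""
    a, b = Initiator("A", fixed), Responder("B", fixed)
    m1 = a.msg1("I")
    na, _ = m1.open("I")                       # I decrypts with its own key: learns Na
    m2 = b.msg2(Sealed("B", (na, "A")))        # I -> B: {Na, A}_pkB, claiming to be A
    try:
        m3 = a.msg3(m2)                        # I relays {Na, Nb}_pkA unchanged; A answers I
    except ValueError:
        return {"b_accepted": None, "intruder_knows_nb": False}
    (nb,) = m3.open("I")                       # A sealed Nb for I, so I can read it...
    b.finish(Sealed("B", (nb,)))               # ...and complete B's run as "A"
    return {"b_accepted": b.accepted, "intruder_knows_nb": nb == b.nb}
```

In the unfixed protocol B ends up convinced it shares both nonces with A while the intruder knows them too; with the responder's name in message 2, A notices that the reply names B rather than the peer it contacted and aborts, which is why the session-key caveat on the Authentication slide matters: authentication that does not bind every message to the intended party can be relayed.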