Moinul Zaber's presentation on TCP/IP security threats - Kent State ...

slateobservantNetworking and Communications

Oct 26, 2013 (3 years and 9 months ago)


Are you secured in the network ?: a
quick look at the TCP/IP protocols

Based on: A look back at “Security Problems in the
TCP/IP Protocol Suite” by Steven M. Bellovin, AT&T

Presented by :Moinul I Zaber,

Kent State University

What’s on Today!

A soft brief on the Network

Security Problems that we have inherited !

TCP sequence number Prediction

IP spoofing

Routing Threats

Application layer Threats : E
mails, Finger, FTP


Internet is a system of interconnected computers.

Layers of communication types and interfaces
connects them.

TCP/IP is the dominant Protocol

We will discuss some security problems inherent
to this layered protocol.

TCP is the process to process connectivity

IP is the source to destination connectivity

A brief on TCP/IP

TCP sequence Number Prediction

The normal TCP connection establishment sequence involves a 3
way handshake.
The client selects and transmits an initial sequence number ISN
, the server
acknowledges it and sends its own sequence number ISNs, and the client
acknowledges that.

That is, for a conversation to take place, C must first hear

ISNS, a more or less random number.

Suppose, though, that there was a way for an intruder X

predict ISNS. In that case, it could send the following sequence

to impersonate trusted host T:

So How to predict the sequence
number ?

The initial sequence number variable is
incremented by a constant amount once per
second and by half that amount each time a
connection is initiated.

Thus if one initiates a legitimate connection and
observes the

one can calculate the ISNs’ used on
the next connection attempt.

The real host T receives the Server S’s ack so Flooding/
DOS attack should be opted against T to S
>T message
should be lost.

Using ‘netstat’ could be a good option to get the
sequence number!

Defenses Against Syn Prediction

TCP sepcs requires that this variable be incremented approximately 250,000 times per
second. But unfortunately this does not help as RTT Could be easily guessed.

Randomizing the increment

of the sequence number.

IP Spoofing

spoofing (fooling, deceiving), an
impersonates someone else.

This allows him/her to exploit the access
privileges of the spoofed.

IP spoofing is the creation of TCP/IP packets with
somebody else's IP address in the header.

Routers use the destination IP address to forward
packets, but ignore the source IP address.

The source IP address is used only by the destination
machine, when it responds back to the source.

When an attacker spoofs someone’s IP address, the
victim’s reply goes back to that address.

Since the attacker does not receive packets back, this is
called a
way attack or blind spoofing.

To see the return packets, the attacker must

Misconception (IP spoofing)

• A common misconception is that via

spoofing you can surf the net, chat on line,

send/receive email while hiding your


This is not possible since the replies do

not go to you.

Basic types of IP spoofing attacks

Basic address change

Use of source routing to intercept


Exploitation of trust relationships on UNIX

Session Hijacking

IP session Hijacking

Here the user’s session is taken over.

Let user on Host A is carrying on a telnet session
with host G. Host H is ran by a naughty person.
He watches the traffic between A and G and runs
a tool which starts to impersonate A to G, and at
the same time tells A to shut up.

After a few seconds of this if the attack is
successful, the naughty person has hijacked

G knows nothing has happened.

Routing!! Routing


Source Routing

One way for an attacker to see return traffic from
a spoofing attack is for him to insert himself in
the path the traffic would normally take.

• Internet routing is normally dynamic, there is no
guarantee that the same route between 2 IPs is
always taken.

Source routing can be used to guarantee
that a
packet follows a set path Routing Information
Protocol Attacks

How does it work!

Loose source routing (LSR): The sender specifies a
of some IP addresses that a packet must go through
(it might go through more)

An attacker sends a packet to the destination with

a spoofed address but specifies LSR and puts his IP

address in the list.

Defenses against Source Routing

It is rather hard!

The best way to protect against source routing
spoofing is to simply disable source routing at
your routers.

Gateways into the local net can reject external
packets that claim to be from the local net. ( less
practical. What will happen to organizations that
has two trusted networks connected via a multi
organization backbone ?)

Warning!!!: fire walls don’t defend against insider

RIP attack

Routing Information Protocol (RIP) is used to
propagate routing information on local
networks, especially broadcast media.

Typically, the information received is

This allows an intruder to send bogus routing
information to a target host, and to each of
the gateways along the way, to impersonate a
particular host.

Defenses Against RIP attack

Easier to defend!

A paranoid gateway

one that filters packets
based on source or destination address

block any form of host spoofing( including TCP
sequence number attacks).


friends can also become a foe!

Internet control message protocol (ICMP) is
the basic network management tool.

ICMP attacks are rather difficult and rare!

ICMP redirect message (used by gateways to
advise hosts of better routes).

It can often be abused in the same way the
RIP can.

Intruder penetrating a secondary gateway
available to the target can do the harm.

Defenses against ICMP attacks

Easy! If a host is careful about checking that
message rally does refer to a particular
connection, most such attacks will not

Don’t worry! It’s never been real!

Application layer

Finger service : this server display useful
information about users.

Netstat, tracert,

mail: mail server provides no authentication
mechanisms. The door is wide open for faked