TCP/IP networking threats

12 minute read

Updated:

8. TCP/IP networking threats

Objectives

  • To review the layered network model and relevant protocols operating in the Internet and Transport layers
  • To consider how those protocols can be exploited to probe and attack systems

Network Protocol Stack

  • Idea of layering protocols on top of each other
  • Imagine the connection between application running on one machine to another. But that’s an illusion!
  • IRL, our traffic is going down through the layers on one machine, broken into pieces called TCP segments or UDP datagrams, and this is packaged as IP packets ethernet frames, and those travel along the wire, and Ethernet to a physical signal, travelling along the wire or airwaves, and eventually reaches our dest.
  • Its routing our traffic to correct destination. We go up through protocols back down again.

IP Packet Payloads

  • The particular to interesting inside and IP packet is a chunk of data that performs 3-4 protocols
  • TCP (Transmission Control Protocol)– gives reliable byte stream connection, using sequence numbers to order the segments, and they can be reordered in the correct order. And after ordering, if somethings missing can retransmit.
    • But is time consuming!!

  • UDP (User Datagram Protocol)– faster, but less reliable

    • No need for slow complicated handshake

  • ICMP (Internet Control Message Protocol) – all to do with control of the routing process and reporting an error back to the host

  • TCP UDP – M2M protocol – requires port no. and IP address. Port no located at particular service or app running on a machine, and there’s a traffic coming into that machine that might be for many diff apps

TCP & UDP Data Packaging

  • There’s a piece of app data- and first thing we do is to stick the header in the front of it. There’s different header provided by different protocols.
    • TCP/UDP header – port number for addressing scheme
  • Down one layer – is packaged as IP packet which adds an IP header of min 20 bytes.
    • IP header – IP addresses for source and destination- logical identifier for machines themselves
  • We go down to level of ethernet – another header in front of them, of 14 bytes.
    • Frame header – contains a MAC, aka physical address that addresses a specific network hardware
  • We are kind of sending a letter and adding envelope and diff addressing on each one

IPv4 Header

  • Screenshot 2020-02-25 at 6 39 48 pm

  • between 0 and 31 bit – one chunk of 32 bits. And below there is another 32-bit chunk, and so on.
  • Bottom is the data, and everything above the data is part of the header. && Options – info such as source route, record route. Used by network admin to check whether a path is working or not
    • Payload – identified if it is TCP segment or UDP datagram or ICMP msg
  • Source/ destination address- holds IP address’s source and destination
  • Identification – like a sequence number, together with source and destination with protocol – it identifies the packet uniquely
  • Flags in the flag section to identify fragmentation.
  • Fragment offset – reason why it’s there is you can have IP packet divided into chunks called fragments. It is coz it could be traversing a network which is not set up to handle the packet of that size. Protocol supports this by chunks, but those needs to be reassembled. it allows you to determine where in the original packet this fragment goes.
  • Time to live – like a counter. Determines how many hops you can go with this packet. Each time it goes to another hop, counter is decremented and if 0, can’t route it further. Will get ICMP error msg.
  • Checksum, which helps integrity checking and to see if sths corrupted the header, but there is nothing cryptographic!! – nothing to stop attacker to change the detail of the header and the checksum. Thing to note is there is NO real protection!!

Fragmentation

  • MTU – maximum transition unit – largest chunk of data that can traverse the network
    • If MTU is smaller than the packet size – gotta travel in fragments or block it
  • If you fragment it you can reassemble it bc
    1. All fragments from same packet has same id
    2. And it stores its offset to the original unfragmented packet
    3. And it knows if there are more fragments followed
  • This creates another opportunity for attacks – let’s say you have a packet that contains malicious. you might have detection system that scans it and looks at the payload – but if you divide it into a smaller packet, it won’t notice!! fragments aren’t detected unless you can scan after reassembly happens
  • Also, if there are bugs in the network stack in terms of how fragmentation is handled, you can exploit those and crack the machine

TCP Header

  • Screenshot 2020-02-25 at 6 41 28 pm
  • 32-bit chunks of header – each row is 32 bit chunk, and there’s app data in the bottom
  • But now there’s no need to identify the machine, hence no IP addresses, but we need to focus on services running on that machine using port number
  • Source and dest port –determine the service
  • Sequence number – counter
  • ACK number – sending ack to client, and count up to acknowledge the one that its received
  • !! fairly imp FLAGS
    • SYN, ACK – used in handshaking
    • RST, FIN - To terminate the connection
    • These flags can be attacked – each of them has a role in the protocol – those bits will be set to 1 to indicate that specific segment has specific roles. But attacker could change those bits and misuse the protocol – how does the implementation of the protocol on a machine deal with this abuse?
  • Checksum – but is not cryptographic at all. Can be altered
  • Reserved bit – not used for anything specific, but this means attacker could use them w/o affecting the use of that TCP segment. It will behave normally even if attacker changes this like a secret communication channel – can send 6 bit per TCP segment in that chunk w/o affecting it anyways. But they need to retrieve the value which needs rootkit which requires privileges

TCP Handshaking

  • Full duplex connection – can send data both ways. And it needs to be closed down the both sides- each side sends FIN and ACK, incrementing and sending back its own sequence number

Security Perspective

  • Thing to note about this protocol is that there is NO security – it was not designed in an env that security was concerned.
  • No guarantees of confidentiality, authenticity and integrity. Checksum isn’t secure checksums
  • So protocols can be abused
    • To conduct reconnaissance and to actively attack victims
  • What the attackers tryna do is use the advantage to protocol that was not anticipated by the designers

Intelligence Gathering

  • One of the goals of the attacker is to discover what’s there in the network. There are two ways for attackers to do this:

  • ICMP echo requests – or ‘ping sweep”

    • Ping a host to see if the host is alive. Specify an address and you get a reply
    • If no host – host unreachable from the router.
      • No host reply is important coz it can be used to inverse mapping of the network
    • Information disclosure and whether or not you can stop this to protect info about ur network
    • Q: But why should you not block it entirely? Be careful to not block everything
      • A: coz it also stops us from receiving notification about packets that it needs to be fragmented AND it would stop us from receiving notification that a server was down.
      • So, if I block echo rq and reply – the replies tell you that the machine is down if we block it all

  • TCP scans

    • It can tell you what’s running on that machine, using scanning.
    • Noisiest way– is to try to establish a connection but slow due to 3-way handshakes v obvious as there’s a pattern to establish
    • But you can just not complete a 3-way handshake, and do the half open connection – SYN scan
      • Not complete 3-way handshake
      • If there’s an open port that you wanna connect to, respond with SYN, ACK when its open to connection, RST value for closing
    • More efficient, but can be detected as you see the signatures of a lot of SYNs and RST – you can see the patterns Make it smarter by breaking into segments OR can also use doing UDP

Stealthier TCP scanning

  • ACK scan –sending back ACK, acknowledging the connection that came to you from the machine ur scanning. Doesn’t make sense if you don’t initiate the connection.
    • Bc ur not relying on the handshakes, all the firewalls won’t recognize
    • Specific response you get from opening and Closing ports -
    • Ull find signatures in logs
  • FIN scan
    • As if ur ending a connection
    • Specific type of response and signs you see in the log stealthier. Coz firewalls looking at the state, but it’ll miss it.
  • → but is not reliable coz it depends on how implementation of network protocol works– diff OS respond differently to these scans. But this itself is useful coz you detect the responses depend on diff types of segment you send– it’s like fingerprinting ur machine. Depending on the response you can tell if its Linux, windows, etc

Intelligence Gathering Tools

  • Traceroute -sends packets with increasing TTL – make one further hop. Since you get a response back when it hits 0. Collect it and map out each step of the journey- useful coz you can look at the steps and map where the routers could be
    • Info about network architecture - Last hop is the destination machine, second to last is the firewall, and third is an external router.
    • E.g. for us to get to google, it has to go from uni network ja.net google
  • OS fingerprinting – if you got a db of how TCP IP stack responds to packets, then you can use that to identify the OS that ur connected to
    • Useful coz it helps you to estimate how easily sequence number can be predicted – predicting this is what you wanna do if you wanna hijack session.

Types of Attack

  • Less imp - Packet sniffing - Places you can capture traffic is limited coz of the nature of architecture

1. Spoofing of Identity

  • U are making the network think it’s a diff machine – e.g. changing the source of the IP address
  • But you are flying blind – any response goes to the spoof address not to u. harder to attack coz ur not looking at the responses.
  • They could try Source routing – you can set desired spots and make sure it goes through these sources!!
    • Specify source routing so you can see the result coming to u. but this is usually blocked.
  • But you can just attack from a compromised host – you don’t want it to be traced back to u. so if uve already compromised another computer, you can just mount the attack from that machine coz it can’t get traced back.

2. Session Hijacking

  • Idea is you have a machine that ur victim is using which is connected to server, it will prompt to enter credential and it hijacks that connection after they logged in
    • So you wanna get access to account, without knowing the credentials.
  • Gotta DoS their machine so that it doesn’t connect to server anymore, and you hijack the session by spoofing the ip address of the victim and predicting sequence number of the next TCP segment– hard if you use good PNRGS!!!
  • Disadvantages – hard if you use good PRNG, AND attacker is flying blind
    • If you get the sequence number wrong – ull get ACK storm – lots of ACKs flying around
  • Hard to do but is possible

3. Denial of Service Attacks

  • Goal is to render a server unavailable to the users of that service. And many ways of doing it:
    • Focus on weaknesses in protocol –crashing the server by exploiting the weakness then there’s no need to worry about the overflowing volume
    • But usually brute force it and flood it – typical is to use botnet to simultaneously bombard the server with traffic- DDoS

Protocol abuse - Past Examples

  • Ping of death – can construct a ICMP echo rq, play around w the fragment setting – max value and size
    • When you try to reassemble it, it will exceed and overrun memory buffer
    • Weakness in the implementation of the protocol that is failing to check if the fragment setting was sensible
  • Teardrop – create bunch of fragments and overlap offsets, so when you reassemble it can make some system crash
    • Old 1997, but there are similar kind of attacks - in Linux kernel – sack(selective ack) packaged was handled wrong, so its possible to trigger a kernel panic. If you send malicious file

Overwhelming a server

  • Slowloris
    • DDoS where ur overwhelming server to request – pool of HTTP pool
    • Without botnet, one machine can take it down
      • Open as many http and send partial rq that never completes – there’s pool of thread that server can use, when the pool gets tied up, no more connection and nothing can be used
    • Was used to target Iranian gov to election
  • SYN Floods
    • Generate fake packets with SYN flags and spoofed source IP and bombard it w packets
    • Queue of half open connections that TCP stack maintain, which you can quickly fill, which will block others from accessing it
    • SYN cookies – avoid maintaining half open connection

A DDoS Attack Tool: TFN

  • image
  • Relying on the volume of traffic a large network traffic can issue
  1. Attacker installs a large number of compromised hosts aka zombies – botnets
    • Compromised by malware etc
  2. TFN master activates zombies using ICMP echo REPLY packets- reply coz you gotta make it look like a reply!! Which won’t be blocked. Ping might be.
  3. Once zombies are activated, each machine is directed to flood a particular victim, and what type of attack to mount.
    • flood victim with SYN packets, UDP etc

DDoS by Consent

  • Coordinated group of users agree to run the same software deliberately to DDOs a target site
  • Arose from activism - for political reasons
  • e.g. High Orbit Ion Cannon

The Future?

  • Much more worrying because of IoT – which shows billions of devices on the network, and that accessible
  • Poor security makes easier for botnets as a recruitment target
  • E.g.
    • Sept 2016, ‘Krebs on Security blog’
    • DDoSed with 620Gb/s which relied on a botnet comprised of IoT devices like video recorders, security cameras
    • Used Mirai

Mirai Botnet

  • Target in particular manufacturers of different devices
  • Used the fact that there are a large number of default accounts !! authentication, factory values
  • 380,000 devices for the botnet!!!!!!

Summary

  • Reviewed features of the TCP/IP stack that make it vulnerable to attack
  • Discussed how attackers can do network reconnaissance using ICMP, UDP or TCP-based scans
  • Seen how it is possible to spoof identity or even hijack an active TCP session
  • Considered various examples of DoS & DDoS

Leave a comment