Report on TCP vulnerabilities
Please read and write your reviews in comments.

TCP Vulnerabilities and IP Spoofing: Current Challenges and Future Prospects

Colloquium Report submitted in partial fulfillment of the requirements for the degree of Master of Technology

Submitted by Prakhar Bansal, Registration No. 2011CS29
Computer Science and Engineering Department
Motilal Nehru National Institute of Technology Allahabad, Allahabad 211004, India
October 2012
Contents

1 Introduction
2 Problem Statement
3 Related Research Work
4 TCP Vulnerabilities
  4.1 TCP Header
  4.2 Establishing a TCP Connection
  4.3 Closing a TCP Connection
  4.4 SYN Flooding Attack
5 ARP Cache Poisoning Attack
  5.1 ARP Protocol
  5.2 Theory of Operation
  5.3 Countermeasures
6 LOT: Light-weight Opportunistic Plug and Play Secure Tunneling Protocol
  6.1 Communication Model
  6.2 Handshake among Gateways
  6.3 LOT Packet Structure
7 Observation and Discussion
  7.1 Redefinition of TCP Three-way Handshake
  7.2 Redefinition of ARP Protocol
8 Conclusion
Bibliography
List of Figures

1 TCP header
2 Three-way handshake
3 Sequence states of client side TCP
4 Sequence states of server side TCP
5 ARP header
6 Huang solution
7 LOT communication model
8 Phase 1: hello phase
9 Phase 1: network block validation phase
10 Redefinition of TCP three-way handshake
11 Redefinition of TCP three-way handshake
12 Redefinition of ARP protocol
Abstract

With the advent of computer systems, the need for communication became essential. Standard communication protocols were developed to provide communication over computer networks. Protocols are predefined, formal, systematic rules required for effective communication, and billions of people are interconnected via the Internet through them. But what if these protocols are themselves vulnerable to various types of attacks?

Attacks from hacktivist groups like 'Anonymous' are increasing day by day, and the arsenal of hacking groups is growing rapidly. Today's attacks are more dangerous and concentrated, packet-per-second rates have increased, and attacks are more distributed [1]. There is also significant growth in the frequency of attacks, mainly distributed denial of service (DDoS) attacks and IP spoofing attacks: DDoS attacks increased by 50% in the first quarter of 2012 compared to the same quarter of the previous year [2]. According to the Norton Cybercrime Report 2012, cybercrime costs $110 billion globally, of which $8 billion falls on India [3].

Today all countries are spending a huge share of their GDP on improving cyber security. In the fiscal year 2012-13 India spent Rs 37.7 crore on cyber security [4], and the United States has proposed $800 million for cyber security in its 2013 fiscal budget [4]. Attackers are able to perform cyber attacks because of vulnerabilities in the existing protocol structure; if these protocols were fixed, the need for government spending on cyber security would be smaller.

This report focuses on vulnerabilities in protocols, mainly the Transmission Control Protocol (TCP) and the Address Resolution Protocol (ARP), the attacks that exploit them and their countermeasures. Finally, the report discusses LOT, a light-weight opportunistic plug and play secure tunneling protocol to be deployed at network gateways in order to defend against IP spoofing and flooding attacks.
1 Introduction

Cyber security is becoming a major challenge in today's computing world. According to the 'Norton Cybercrime Report 2012', there are 556 million victims per year, over 1.5 million victims per day and 18 victims per second affected by cybercrime; two out of three online adults have been victims of cybercrime in their lifetime. The global price tag of cybercrime has reached $110 billion, with an average cost of $197 per victim. Cybercrime costs the USA $21 billion, China $46 billion, Brazil $8 billion, Russia, Australia and Mexico $2 billion each, and India $8 billion. More than 42 million people in India have been victimized by cybercrime in the last 12 months [3]. According to a BBC report, UK businesses lose around £21 billion a year to cybercrime [5]. According to the report 'Measuring the cost of cybercrime', published on 18 June 2012 by an international group of researchers from the University of Cambridge, governments should spend less on anticipatory security measures and more on policing the Internet and catching cyber criminals [6].

Recent attacks are more sophisticated and distributed in nature. The websites of the Department of Justice and the FBI were attacked by Anonymous on January 19, 2012 in response to the shutdown of the file-sharing website Megaupload and the Stop Online Piracy Act (SOPA) bill. Anonymous used the 'Low Orbit Ion Cannon' (LOIC) to attack supporters of SOPA on the same day, and claimed it to be their largest attack, with over 5,635 people participating in the DDoS attack via LOIC [anonymous archives]. Attacks exploiting TCP vulnerabilities have occurred in large numbers in the past. Anonymous attacked Facebook on October 12, 2012, which led to a Facebook outage in Europe, and the group has also attacked many Indian websites, including those of the Supreme Court of India and national political parties, in response to Internet censorship. Their intentions may be right, but these attacks show how vulnerable our protocols are.
The Transmission Control Protocol (TCP) is an end-to-end, connection-oriented, reliable transport layer protocol. TCP is designed to support multiple network applications and provides reliable inter-process communication between processes on hosts in interconnected computer networks. Cerf and Kahn first described the concepts of TCP [7]. But TCP and many other protocols are vulnerable to attacks, putting billions of people at stake; virtually all applications build on TCP and are therefore at risk. Research on the security problems of core protocols is still ongoing [8].
2 Problem Statement

To design a reliable, scalable and secure network: a network which no one can spoof, no one can flood and no one can hack.

The need for a secure, scalable and reliable communication network is very important today, and building a network which no one can spoof, flood or hack is a very big challenge. On 12 October 2012, US Defense Secretary Leon Panetta said that the next 9/11 could be a cyber attack.

Protocol vulnerabilities are one of the long-standing major challenges in network communication. A recent report from Prolexic states that there is an 88% increase in attacks since last year [9]. Attacks from groups like 'Anonymous' are increasing day by day; although their intentions may seem good, taking our networks down is the wrong way to pursue them. These attacks show how vulnerable our network protocols are.

The focus of this report is to study the vulnerabilities in TCP and ARP and to discuss the solution suggested by Yossi Gilad and Amir Herzberg: installing the LOT protocol on network gateways.

3 Related Research Work

TCP is based on concepts first described by Cerf and Kahn [7]. In September 1981 the Defense Advanced Research Projects Agency (DARPA) published the Transmission Control Protocol as a transport layer protocol in RFC 793, which standardizes the basic mechanisms and policies of TCP; RFC 1122 provides clarifications and errata for the original [8].

RFC 4987, published in August 2007, discusses TCP SYN flooding attacks [10]. In 1994 Bill Cheswick and Steve Bellovin described the weaknesses in TCP implementations [11], and SYN flooding attacks were first highlighted in Phrack magazine in 1996 [12]. Kevin Mitnick's December 1994 attack on Tsutomu Shimomura, which combined SYN flooding of a trusted host with TCP sequence number prediction, was the first widely publicised exploitation of these weaknesses [13].
In February 2000 'mafiaboy', the 15-year-old Michael Calce, launched 'Project Rivolta', which took down the websites of Yahoo!, CNN, eBay, Dell and Amazon and alerted the entire world to TCP SYN flooding attacks. Earlier, in April 1989, the article 'Security problems in the TCP/IP protocol suite' by S. M. Bellovin of AT&T Bell Labs had described various vulnerabilities in TCP [14].
In 2002 Lemon proposed the 'SYN cache' approach, which reduces the amount of state maintained for connections in the SYN-RECEIVED state and allocates a full Transmission Control Block (TCB), the kernel data structure that stores all information related to a TCP connection [7], only after the connection has transitioned to the ESTABLISHED state [15]. In 1996 Bernstein proposed the 'SYN cookie' approach, which eliminates the need to maintain state at the server side in the SYN-RECEIVED state: it uses a cryptographically generated cookie, based on information about the client, to complete the three-way handshake [16]. In 2002 Zúquete described mechanisms for improving the functionality of SYN cookies [17].

Ingress filtering was proposed in RFC 2267 (later BCP 38, RFC 2827) to stop IP spoofing, and related work was done by Baker and Savola in 2004 [18]. Ingress filtering ensures that incoming packets actually originate from the network they claim to come from [18]. However, Beverly and Bauer found in 2005 that lack of ingress filtering at ISPs is still quite common [19]. F. Gont proposed minor extensions to TCP in his draft 'Survey of Security Hardening Methods for Transmission Control Protocol (TCP) Implementations', published on March 13, 2012 [8]. Yanyan Li and Keyu Jiang, in the paper 'Prospect for the future Internet – A study based on TCP/IP vulnerabilities', discuss ARP cache poisoning and SYN flooding attacks [20]. S. Gavaskar, R. Surendiran and E. Ramaraj proposed the Three Counters Algorithm against SYN flooding attacks in 2010 [21]. Dommety proposed tunneling protocol mechanisms in 2000 [22], and Savage, Snoeren and Dean suggested packet marking techniques in the early 2000s [23].

Yossi Gilad and Amir Herzberg from Bar-Ilan University presented LOT, a lightweight opportunistic plug and play secure tunneling protocol to be deployed at network gateways. Tunnels are formed when LOT is installed on gateways.
LOT tunnels allow gateways to discard packets carrying spoofed IP addresses. LOT helps to mitigate attacks such as DNS poisoning, network scans, flooding attacks and denial of service (DoS) attacks [24].
4 TCP Vulnerabilities

The Transmission Control Protocol (TCP) is deployed as the standard means of inter-process communication between communicating hosts in a network. TCP is described in RFC 793 [7]. It is a connection-oriented, end-to-end reliable protocol designed to support communication between pairs of processes on distinct hosts interconnected via a communication network. From the day it was proposed until today it has been updated and modified via several RFCs and drafts, but it is still vulnerable to various network attacks. During the last thirty years many vulnerabilities have been identified in TCP implementations, which form the core platform for most current applications [14].

4.1 TCP Header

TCP segments are sent as Internet datagrams. The TCP header follows the IP header and contains information only for TCP; the IP header carries the source and destination host addresses. The minimum TCP header size is 20 bytes, with no options and no data, so a receiver first checks

segment.size >= 20

and a segment that does not pass this check is dropped.

• Source Port Number: 16-bit source port.
• Destination Port Number: 16-bit destination port. Research [25] notes that the client's and server's port numbers are independent, and that because a client must know the server's port in order to communicate, the server port is necessarily open and known to attackers.
• Sequence Number: 32-bit number. If the SYN bit is not set, it is the sequence number of the first data octet in the segment. If the SYN bit is set, it is the initial sequence number (ISN) and the first data octet has sequence number ISN+1.
Figure 1: TCP header [7]

  Attackers can mount various attacks by predicting sequence numbers. Morris in 1985 was the first to describe sequence number prediction attacks, and Kevin Mitnick's 1994 attack on Shimomura exploited this vulnerability. RFC 6528, 'Defending against Sequence Number Attacks', discusses this in great detail [26].
• Acknowledgement Number: 32-bit number. If the ACK bit is set, it is the sequence number of the next octet that the sender of the acknowledgement expects to receive.
• Data Offset: 4-bit number giving the length of the TCP header in 32-bit words, i.e. where the data begins.
• Reserved: 3 bits reserved for future use. These bits must be 0.
• Control bits: 9 bits (the original 6 of RFC 793 plus CWR, ECE and NS). Some combinations of control bits can cause malfunctions in some implementations, and an unusual combination can even crash a system [27] [28].
  – NS bit: Nonce Sum, an optional addition to Explicit Congestion Notification (ECN) that protects against accidental or malicious concealment of marked packets from the TCP sender. It improves the robustness of congestion control by preventing receivers from exploiting ECN to gain an unfair share of network bandwidth. It is defined in RFC 3540 [29].
  – CWR bit: via the Congestion Window Reduced (CWR) flag, the data sender informs the data receiver that the congestion window has been reduced. It is defined in RFC 3168 by Ramakrishnan et al. [30].
  – ECE bit: via the ECN-Echo (ECE) flag, the data receiver informs the data sender that a Congestion Experienced (CE) packet has been received. Explicit Congestion Notification (ECN) is an addition to IP proposed in RFC 3168 [30].
  – URG bit: the Urgent Pointer field is significant. SIGURG is delivered to the corresponding process.
  – ACK bit: the Acknowledgment field is significant.
  – PSH bit: Push; indicates that the receiver should pass the data to the upper layer as soon as it sees the PSH bit set.
  – RST bit: requests the abnormal close of a TCP connection.
  – SYN bit: synchronizes sequence numbers in the three-way handshake. Four different types of attack exploit the SYN bit: SYN flooding attacks, connection forging attacks, connection flooding attacks and connection reset attacks.
  – FIN bit: used for connection termination. It signals to the remote host that the sending side has no more data to transfer. Various resource exhaustion attacks can be carried out in the connection termination phase of TCP.
• Window Size: 16-bit number advertising how many bytes of data the remote peer is allowed to send before a new advertisement is made.
• Checksum: the 16-bit one's complement of the one's complement sum of all 16-bit words in the header and text (together with a pseudo-header drawn from the IP header). A flood of segments with invalid checksums creates no connection state at a firewall or host that validates them; [31] describes the exploitation of the TCP checksum for firewall evasion and DoS attacks.
• Urgent Pointer: 16-bit field giving the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only interpreted in segments with the URG control bit set [7]. [32] originally described how the TCP urgent pointer could be exploited for DoS attacks severe enough to crash a system.
• Options: variable length, placed at the end of the TCP header.
• Padding: variable length, composed of zeros, to ensure the header ends on a 32-bit boundary before the data begins.
• Data: the payload the hosts actually want to exchange.

4.2 Establishing a TCP Connection

A process on the client host that wants to send data to a server host on some network first informs the client TCP. The server must be in the LISTEN state at a known port on a host whose address is also known. The three-way handshake procedure is then used to establish the connection.

4.3 Closing a TCP Connection

A TCP connection can be terminated in three ways:

• The local user initiates by telling its TCP to close the connection. The local TCP creates a FIN segment and places it on the outgoing segment queue; it accepts no further sends and enters the FIN-WAIT-1 state, although receives are still allowed. All segments sent before the FIN are retransmitted until acknowledged. When the other TCP sends a FIN of its own, the first TCP acknowledges it, and both TCPs delete their TCBs.
• The remote TCP initiates by sending a FIN. The receiving TCP acknowledges it and enters the CLOSE-WAIT state. When the local user has finished sending its own data, it sends a FIN, and the TCBs are deleted after the ACK of that FIN is received.
Figure 2: Three-way handshake

• Both users close simultaneously. Both send FIN segments at the same time. When all the data segments preceding these FINs have been processed and acknowledged, each TCP sends an ACK for the FIN it received, and on receiving these ACKs both delete their TCBs.

4.4 SYN Flooding Attack

4.4.1 Theory of Operation

Bill Cheswick and Steve Bellovin described the TCP SYN flooding vulnerability in 1994 [11] [10]. Kevin Mitnick's attack on Shimomura [13] in December 1994 and the attacks on ISPs' mail servers in 1996 made TCP SYN flooding well known [10].

TCP uses the 'three-way handshake' to establish a connection between two distinct computing systems. According to RFC 793 [7], a server-side TCP in the LISTEN state that receives a SYN segment from a client-side TCP transitions to the SYN-RECEIVED state. It must record the client's initial sequence number (ISN) and other information in the Transmission Control Block (TCB), and respond to the client with SYN and ACK [7]. The TCB is the data structure within the kernel that stores all information corresponding to a TCP connection [7].

Figure 3: Sequence states of client side TCP [7]

Figure 4: Sequence states of server side TCP [7]

A SYN flooding attack exhausts the memory of the attacked system by sending a large number of SYN requests with spoofed IP addresses, so that real users cannot reach the server [8]. The large number of SYN segments from forged IP addresses exhausts the memory needed for storing TCBs. The key point is that the attacker does not want to complete the three-way handshake at all; he typically uses forged source IP addresses in the SYN segments, concealing his own.

The server replies to each SYN generated by the attacker with an acknowledgement and its own SYN carrying its own ISN. If the forged IP address corresponds to a reachable system, that system responds with a RST segment, which aborts the connection because its state does not match. However, if the forged IP address is unreachable, no reply comes back and the server keeps retransmitting the SYN/ACK for each request until a timeout occurs and the connection is aborted.

The success of a SYN flooding attack also depends on three things [10]:

• Barrage size. The barrage must be large enough to fill the port's queue and reach the backlog. The backlog is the number of connections that may be pending in the half-open state.
• Frequency. For an effective SYN flooding attack, new SYN segments must be sent before the TCBs of previous segments begin to be reclaimed.
• IP addresses. Success depends on a large set of unreachable spoofed IP addresses (or of attacker-controlled hosts, a 'botnet', from which the SYNs can be sent). Attackers usually ping candidate addresses before using them, via ICMP echo requests, and if an ICMP echo response comes back, that address is not used for the attack.
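As an added example, not part of the report, here is a Python builder and parser for the TCP header of section 4.1: it applies the 20-byte minimum, derives the header length from the data offset, requires the reserved bits to be zero, computes the one's complement checksum over the IPv4 pseudo-header, and rejects the SYN+FIN and SYN+RST combinations mentioned under the control bits. The addresses, ports and options used in the usage at the bottom are constructed.

```python
import struct

# Control bits in the 16-bit offset/reserved/flags word: bits 15..12 are the data
# offset, bits 11..9 are reserved, and the low 9 bits are NS, CWR, ECE, URG, ACK,
# PSH, RST, SYN, FIN (RFC 793, RFC 3168, RFC 3540).
FLAGS = {
    "NS": 0x100, "CWR": 0x080, "ECE": 0x040, "URG": 0x020, "ACK": 0x010,
    "PSH": 0x008, "RST": 0x004, "SYN": 0x002, "FIN": 0x001,
}
MIN_HEADER = 20   # bytes, with no options
MAX_HEADER = 60   # data offset is 4 bits of 32-bit words


def ones_complement_sum(data: bytes) -> int:
    """One's complement of the one's complement sum of 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                       # pad an odd trailing octet with zero
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum covers the IPv4 pseudo-header (src, dst, zero, proto 6, length) + segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535,
              urg=0, options=b"", payload=b""):
    """Build a TCP segment (header + options + payload) with a correct checksum."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)   # padding to a 32-bit boundary
    if MIN_HEADER + len(options) > MAX_HEADER:
        raise ValueError("options too long for the 4-bit data offset")
    offset_words = (MIN_HEADER + len(options)) // 4
    off_flags = (offset_words << 12) | sum(FLAGS[f] for f in flags)
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, urg)
    segment = header + options + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def parse_tcp(src_ip, dst_ip, segment):
    """Parse a segment; raise ValueError for the sanity failures the text describes."""
    if len(segment) < MIN_HEADER:
        raise ValueError("segment shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    hlen = (off_flags >> 12) * 4
    if hlen < MIN_HEADER or hlen > len(segment):
        raise ValueError("data offset %d inconsistent with segment length" % hlen)
    if (off_flags >> 9) & 0x7:
        raise ValueError("reserved bits must be zero")
    if tcp_checksum(src_ip, dst_ip, segment) != 0:    # summing over the checksum field itself yields 0
        raise ValueError("bad checksum")
    flags = {name for name, bit in FLAGS.items() if off_flags & bit}
    if {"SYN", "FIN"} <= flags or {"SYN", "RST"} <= flags:
        raise ValueError("illegal flag combination %s" % sorted(flags))
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "window": window, "urgent": urg if "URG" in flags else None,
        "options": segment[20:hlen], "payload": segment[hlen:],
    }


def rejection_reason(src_ip, dst_ip, segment):
    """Return the reason a segment is rejected, or None if it parses cleanly."""
    try:
        parse_tcp(src_ip, dst_ip, segment)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses
    syn = build_tcp(src, dst, 40000, 443, 0x12345678, 0, ["SYN"], options=b"\x02\x04\x05\xb4")
    print(parse_tcp(src, dst, syn))
    print(rejection_reason(src, dst, build_tcp(src, dst, 1, 2, 0, 0, ["SYN", "FIN"])))
```

The checksum verification relies on the one's complement identity: summing all words including the transmitted checksum gives 0xFFFF, whose complement is 0, so the same routine serves for both generation and verification.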
4.4.2 Countermeasures

• Filtering. Ingress filtering, defined in RFC 2267, is suggested to prevent attackers from using a wide range of forged IP addresses [18]. Ingress filtering ensures that a packet arrives from the network it claims to come from. This is the best approach that needs no modification to TCP.
• Increasing the backlog. Increasing the backlog, i.e. the capacity to hold half-open connections, is an easy way to deal with SYN flooding. But Lemon has shown that this can seriously affect system performance, as the usual data structures and algorithms are inefficient at large backlogs [15]. It should be noted that experiments with an increased backlog using efficient data structures and algorithms have not been studied yet [10].
• Reducing the SYN-RECEIVED timer. Reducing the SYN-RECEIVED timer reclaims TCBs earlier. However, this may prevent some legitimate users on slow paths from creating connections.
• Recycling the oldest half-open TCB. Once the backlog is exhausted, incoming SYNs overwrite the oldest half-open TCB entry. This may evict legitimate half-open connections whose handshake was still in progress.
• SYN cache. The SYN cache approach reduces the amount of state maintained for connections in the SYN-RECEIVED state and allocates a full Transmission Control Block (TCB) only after the connection has transitioned to the ESTABLISHED state. Hosts implementing a SYN cache hold some secret bits that they combine with incoming SYN segments: the secret bits are hashed along with the IP addresses and TCP ports of the segment, and the hash value determines the location in a global hash table where the incomplete TCB is stored. There is a limit per hash bucket, and when this limit is reached the oldest entry is dropped [16].
• SYN cookies. SYN cookies allocate no state at all for connections in the SYN-RECEIVED state. The technique encodes most of the information required to complete the three-way handshake into the sequence number of the SYN/ACK segment transmitted, so no TCB is reserved. If the SYN was not spoofed, the acknowledgement number and other fields in the ACK that completes the handshake are used to reconstruct the TCB [15]. Drawbacks:
  – The sequence number field offers limited space, and it is very difficult to encode all the information from the initial segment in it, for example support for selective acknowledgement (SACK).
  – If the SYN/ACK segment is lost, normal TCP retransmits it after a timeout because it holds state; with SYN cookies there is no state, so retransmission is impossible.
  – Yanyan Li and Keyu Jiang [20] point out one more drawback: the ACK flooding attack.

5 ARP Cache Poisoning Attack

5.1 ARP Protocol

The Address Resolution Protocol (ARP) was originally published in RFC 826 by David C. Plummer of MIT in 1982 [33]. To communicate with a host on a local network we must know its 48-bit Ethernet (MAC) address; ARP maps network (IP) addresses to Ethernet (MAC) addresses. A host that wants to learn the physical address of a target host broadcasts an ARP request on the network, which in effect asks 'whoever has this IP address, reply with your MAC address'. The host with the given IP unicasts an ARP reply, and the requesting host caches the <IP, MAC> pair in its ARP table. The ARP cache is a data structure storing IP addresses with their corresponding MAC addresses; entries expire after some time (20 minutes in most implementations).
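As an added example that is not from the report or from any particular kernel, here is a Python implementation of the SYN cookie scheme described in section 4.4.2 above: the SYN/ACK's ISN carries a coarse time counter in its top 8 bits and, in the low 24 bits, a keyed hash of the 4-tuple, the client's ISN and the counter, plus a small MSS index. The server stores nothing until the handshake's final ACK returns both halves of the cookie. HMAC-SHA256 as the hash, the MSS table, the 64-second counter and the 4-tick lifetime are assumptions; the layout shows the first drawback, that only a few bits of handshake information survive.

```python
import hashlib
import hmac
import os
import struct
import time

# Assumed table: the index recovered from the cookie can only name one of these MSS
# values, which is the "limited space" drawback (SACK, window scale etc. are lost).
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_PERIOD = 64        # seconds per counter tick (assumed)
MAX_COOKIE_AGE = 4         # accept cookies minted within the last 4 ticks (assumed)
SERVER_SECRET = os.urandom(32)


def time_counter(now=None):
    """Coarse time counter mixed into every cookie."""
    return int((time.time() if now is None else now) // COUNTER_PERIOD)


def _hash24(key, src_ip, dst_ip, sport, dport, client_isn, count):
    """24-bit keyed hash of the 4-tuple, the client's ISN and the counter."""
    msg = src_ip + dst_ip + struct.pack("!HHII", sport, dport, client_isn, count)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(key, src_ip, dst_ip, sport, dport, client_isn, mss, count):
    """Return the ISN to place in the SYN/ACK. No TCB is allocated for the client."""
    idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    h = _hash24(key, src_ip, dst_ip, sport, dport, client_isn, count)
    # Layout: 8 bits of counter | 24 bits of (keyed hash + MSS index) mod 2^24
    return ((count & 0xFF) << 24) | ((h + idx) & 0xFFFFFF)


def check_syn_cookie(key, src_ip, dst_ip, sport, dport, ack_seq, ack_ack, count):
    """Validate the handshake's final ACK; return the MSS to use, or None if invalid.

    ack_seq is the ACK segment's sequence number (client ISN + 1) and ack_ack its
    acknowledgement number (our ISN + 1), so everything needed to rebuild the
    connection comes from the segment itself; a TCB is allocated only now.
    """
    client_isn = (ack_seq - 1) & 0xFFFFFFFF
    isn = (ack_ack - 1) & 0xFFFFFFFF
    age = (count - (isn >> 24)) & 0xFF          # counter is 8 bits, so compare modulo 256
    if age >= MAX_COOKIE_AGE:
        return None                             # stale cookie or forged counter
    h = _hash24(key, src_ip, dst_ip, sport, dport, client_isn, count - age)
    idx = ((isn & 0xFFFFFF) - h) & 0xFFFFFF     # undo the hash; only a valid index remains
    if idx >= len(MSS_TABLE):
        return None                             # hash mismatch: wrong 4-tuple, ISN or key
    return MSS_TABLE[idx]


if __name__ == "__main__":
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])     # constructed addresses
    now = time_counter()
    isn = make_syn_cookie(SERVER_SECRET, src, dst, 40000, 80, 1000, 1460, now)
    # A spoofed SYN never produces this ACK, so the server never allocates anything.
    print(check_syn_cookie(SERVER_SECRET, src, dst, 40000, 80, 1001, isn + 1, now))
```

Because the server keeps no record of the SYN/ACK it sent, a lost SYN/ACK cannot be retransmitted by the server (the second drawback above); the client's own SYN retransmission is the only recovery path.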
Figure 5: ARP header [33]
5.2 Theory of Operation

ARP is a stateless protocol. When an ARP reply is received, the host updates its ARP cache even if it had not issued a corresponding ARP request; in other words, ARP replies are not authenticated. The crucial point is that a false ARP reply is reflected in the ARP cache as soon as the host receives it (some implementations only accept a reply if the ARP table already has an entry for that IP address). Once the host updates its ARP table, the attacker receives the packets intended for the other system.

5.3 Countermeasures

• Huang T. and Bai G., in their 2008 paper 'Method against ARP spoofing based on improved protocol mechanism', suggest adding state to ARP. When an ARP request is sent, the state changes from INITIAL to REQUEST-SENT and a timer is started. When the ARP reply arrives the state changes to RESPONSE-RECEIVED and only then is the cache updated. If no reply arrives and the timer expires, the state goes back to INITIAL [34].

Figure 6: Huang solution [34]

  Discussion: this procedure prevents a host from being poisoned by unsolicited ARP replies. However, while the host is in the REQUEST-SENT state it is still vulnerable to a spoofed reply that arrives before the genuine one.
• Some firewall and router manufacturers build ARP spoofing detection into their products and alert the user, but this is not enough. Software such as arp-guard recognizes changes in ARP tables and forwards these changes to a management system, which analyzes and processes the sensor messages [35].
• Vipul Goyal and Rohit Tripathy in 2005 suggested using a combination of digital signatures and one-time passwords based on hash chains [36]. However, the use of cryptography makes this complex.
• Seung Yeob Nam in 2010 proposed a voting-based resolution mechanism to prevent ARP attacks: before updating its own table, a host first asks neighbouring hosts what MAC address they hold for the IP in question [7].

6 LOT: Light-weight Opportunistic Plug and Play Secure Tunneling Protocol

According to the latest Prolexic Quarterly Global DDoS Attack Report (Q3 2012), the total number of Distributed Denial of Service (DDoS) attacks increased by 88% compared with the previous year. The average attack duration also grew from 19 hours to 33 hours, and the average attack bandwidth increased by 230% year on year. China remains the number one attack-originating country with 68.08% of the total share, spread over 8973 autonomous systems [9]. Attacks by the hacking activist group 'Anonymous' have also increased significantly over the past few years. This shows the weaknesses in the architecture of our network.

LOT is a light-weight opportunistic plug and play secure tunneling protocol for secure, forgery-free communication. LOT needs to be installed at the communicating network gateways. Once installed, a gateway establishes an efficient tunnel for secure communication with another LOT gateway, which is detected automatically [24]. LOT tunnels provide an efficient defence against IP spoofing by discarding packets originating from forged IP addresses, and thus help free the network from denial of service and flooding attacks.
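As an added example that is not from the report, the following Python model contrasts the stateless RFC 826 cache of section 5.2 with the Huang and Bai state machine of section 5.3 on a constructed poisoning attempt; the IP and MAC addresses are made up, and the 1-second REQUEST-SENT timeout is an assumption. The scenario also exercises the REQUEST-SENT window that the discussion above identifies as the remaining exposure.

```python
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2
CACHE_TTL = 20 * 60          # seconds; the 20-minute expiry the text cites
REQUEST_TIMEOUT = 1.0        # seconds in REQUEST-SENT before falling back to INITIAL (assumed)


@dataclass
class ArpPacket:
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


class StatelessArpCache:
    """RFC 826 behaviour: any reply, solicited or not, overwrites the cache."""

    def __init__(self):
        self.table = {}                         # ip -> (mac, time learned)

    def lookup(self, ip, now):
        entry = self.table.get(ip)
        if entry and now - entry[1] < CACHE_TTL:
            return entry[0]
        return None

    def on_packet(self, pkt, now):
        if pkt.op == ARP_REPLY:
            self.table[pkt.sender_ip] = (pkt.sender_mac, now)


class StatefulArpCache(StatelessArpCache):
    """Huang and Bai: INITIAL -> REQUEST-SENT on request; a reply is accepted
    (RESPONSE-RECEIVED) only while a request for that IP is pending and unexpired."""

    def __init__(self):
        super().__init__()
        self.pending = {}                       # ip -> time the request was sent

    def request(self, ip, now):
        self.pending[ip] = now                  # INITIAL -> REQUEST-SENT, timer started

    def on_packet(self, pkt, now):
        if pkt.op != ARP_REPLY:
            return
        sent = self.pending.get(pkt.sender_ip)
        if sent is None or now - sent > REQUEST_TIMEOUT:
            self.pending.pop(pkt.sender_ip, None)          # timeout -> INITIAL; unsolicited reply ignored
            return
        self.table[pkt.sender_ip] = (pkt.sender_mac, now)  # RESPONSE-RECEIVED: update the cache
        del self.pending[pkt.sender_ip]                    # back to INITIAL


def run_poisoning_scenario():
    """Constructed LAN: victim 10.0.0.10 resolves gateway 10.0.0.1; attacker uses ee:..:66."""
    gw, victim = "10.0.0.1", "10.0.0.10"
    gw_mac, victim_mac, evil_mac = "aa:aa:aa:aa:aa:01", "cc:cc:cc:cc:cc:10", "ee:ee:ee:ee:ee:66"
    genuine = ArpPacket(ARP_REPLY, gw, gw_mac, victim, victim_mac)
    spoofed = ArpPacket(ARP_REPLY, gw, evil_mac, victim, victim_mac)   # sender IP forged
    naive, strict = StatelessArpCache(), StatefulArpCache()
    t = 1000.0

    # 1. Unsolicited spoofed reply: poisons the stateless cache, ignored by the stateful one.
    naive.on_packet(spoofed, t)
    strict.on_packet(spoofed, t)
    after_unsolicited = (naive.lookup(gw, t), strict.lookup(gw, t))

    # 2. Normal resolution on the stateful cache.
    strict.request(gw, t + 1)
    strict.on_packet(genuine, t + 1.05)
    after_genuine = strict.lookup(gw, t + 2)

    # 3. Race inside REQUEST-SENT: the attacker's reply arrives before the gateway's.
    strict.request(gw, t + 10)
    strict.on_packet(spoofed, t + 10.01)
    strict.on_packet(genuine, t + 10.05)        # too late: the state is already INITIAL again
    after_race = strict.lookup(gw, t + 11)

    # 4. The poisoned stateless entry only goes away when it expires.
    expired = naive.lookup(gw, t + CACHE_TTL)

    return {"after_unsolicited": after_unsolicited, "after_genuine": after_genuine,
            "after_race": after_race, "expired": expired}


if __name__ == "__main__":
    for name, value in run_poisoning_scenario().items():
        print(name, value)
```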
LOT gateways implement local and remote quotas for each network; in this way they limit packet floods from a specific network, and the network that originated the attack is itself hindered. Furthermore, LOT uses near-source filtering, which allows LOT gateways to block certain types of packets permanently or temporarily. This can be configured manually or automatically based on some learning mechanism (for example, if congestion exceeds a certain limit and is due to a large number of SYN segments, stop admitting them). This prevents network scans and attacks like DNS reflection.

LOT has a congestion detection mechanism between gateways. If the packet drop rate between tunnels is high, there may be congestion in the network, and appropriate action can be taken. This helps in mitigating denial of service attacks.

RFC 2267 suggests the use of ingress filtering by all ISPs in the world. Ingress filtering checks whether a packet comes from the network it claims to come from [18]. According to a 2011 survey by the Advanced Network Architecture Group, most ISPs, especially in developing countries, have not yet deployed ingress filtering, so the lack of ingress filtering support and the rate of IP spoofing remain very high.

A LOT-enabled gateway adds a pseudo-random tag to each packet it sends to another LOT gateway. The receiving gateway discards any packet without the tag or with a mismatched tag, since this indicates that the packet did not originate from the network block it claims to come from. Thus LOT protects against forged packets and defends against many denial of service attacks. LOT is practical, requires no coordination between gateways, and is plug and play [24]. The code prototype is available online at url: ''.

6.1 Communication Model

RFC 791, 'Internet Protocol', by Jon Postel (September 1981) gives IP an address space of $\{0,1\}^{32}$ [37]. LOT generalizes this: every entity in the network has an address space $S = \{0,1\}^{l}$, and each $d \in S$ is an address. A network block $B \subseteq S$ is a set of addresses sharing a prefix: there exists a prefix $P \in \{0,1\}^{l'}$ with $l' < l$ such that $d \in B$ if and only if $d \in S$ and $d$ has prefix $P$. This is similar to CIDR notation [24].
Network entities are either LOT gateways or hosts behind network blocks. Every entity $e$ is associated with a single network block $NB(e) \subseteq S$; a host $h$ has a single address, so its network block is that one address, $|NB(h)| = 1$.

Figure 7: LOT communication model [24]

Two network entities $e_1$ and $e_2$ are said to be peers iff either

• $NB(e_1) \subset NB(e_2)$ and there is no gateway $G$ with $NB(e_1) \subset NB(G) \subset NB(e_2)$; for example, entities A and C in the figure are peers; or
• $NB(e_2) \not\subset NB(e_1)$, $NB(e_1) \not\subset NB(e_2)$, and there is no gateway $G$ with $NB(e_1) \subset NB(G)$ or $NB(e_2) \subset NB(G)$; for example, entities F, G and A, D are peers.

Network entities send and receive messages using a source address src and a destination address dst. When a message is sent from src towards dst, it reaches the next peer entity, and so on until it reaches the destination.
6.2 Handshake among Gateways

LOT uses a stateless handshake procedure to establish a tunnel between gateways. If there is more than one gateway between two network blocks, an individual tunnel is established between each pair, and each LOT tunnel requires its own handshake first. The handshake between two gateways consists of two phases:

• Hello phase: once a gateway finds another gateway, it checks the potential to establish a LOT tunnel and identifies the network block behind the other gateway.
• Network block validation: in this phase each gateway has to prove that it can intercept packets sent to the network block behind it.

After the handshake each gateway holds a proof from the other gateway that validation completed successfully, and the tunnel is established.

6.2.1 Hello Phase

Consider two gateways whose associated network blocks contain hosts that want to communicate. Gateway A forwards an arbitrary packet from host A, behind it, to host B, which belongs to a network block not associated with gateway A (say, the block behind gateway B). This triggers LOT on the originating gateway, which begins the handshake by sending a hello message to host B. This message is intercepted by the other gateway on the path, gateway B, which responds. To keep LOT's overhead low, hello requests are sent with very low probability.

A hello request consists of the current time, a description of the network block behind the gateway, and a cryptographic cookie, cookie A, generated by gateway A. The cookie is generated by a pseudo-random function computed over the destination address and the current time. A network block within the address space $\{0,1\}^l$ is described by the pair (baseaddr, l), i.e. a base address and a prefix length. When gateway B intercepts the hello request, it replies with probability $q \approx 1$. The hello response generated by gateway B contains a description of its associated network block, cookie A and time A; the reply is thus authenticated by gateway A's cookie.
Figure 8: Phase 1: hello phase [24]

Cookie A, sent back in the response, allows gateway A to keep no state and remain stateless. This stateless approach ensures that no resources are allocated at the sender side, which makes it immune to the resource exhaustion attacks that the TCP three-way handshake is prone to [7].

6.2.2 Network Block Validation

A network block is validated by one gateway, say gateway A, to ensure that the other gateway, say gateway B, can really intercept the traffic sent to its claimed network block. Validation is done in several iterations, each of which validates one randomly selected host address in the network block. To reduce overhead, however, the protocol validates only a portion of the addresses and not the entire network block.

The most important benefit is that the validating side maintains no state while validating a network block, and it sends at most a single packet in response to every packet received. This protects it from DoS attacks.
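The stateless hello cookie described above, together with the iterated challenge and response of the network block validation phase whose design follows, as an added Python illustration that is not code from the LOT paper [24] or from this report. HMAC-SHA256 as the pseudo-random function, the message field names, the 60-second freshness window and n_max = 8 are assumptions.

```python
import hmac, hashlib, secrets, ipaddress

NMAX = 8  # assumed value of the global iteration cap n_max

def prf(key, *parts):
    """The report's pseudo-random function, instantiated here as HMAC-SHA256 (assumption)."""
    return hmac.new(key, b"|".join(str(p).encode() for p in parts), hashlib.sha256).digest()[:16]

class Gateway:
    """A LOT gateway: holds a secret key and its (baseaddr, l) block, but no per-handshake state."""
    def __init__(self, baseaddr, l):
        self.key = secrets.token_bytes(32)
        self.block = ipaddress.ip_network(f"{baseaddr}/{l}")

    def hello(self, dst, now):
        # Hello request: current time, own block and cookie_A = PRF(dst, time); nothing is stored.
        return {"time": now, "block": str(self.block), "cookie": prf(self.key, dst, now)}

    def check_hello_reply(self, reply, now, max_age=60):
        # Rebuild cookie_A from the echoed destination and time_A, then compare; reject stale echoes.
        if now - reply["time"] > max_age:
            return False
        return hmac.compare_digest(reply["cookie"], prf(self.key, reply["dst"], reply["time"]))

    def challenge(self, remote, now, i, n, prev=None):
        # Iteration i of n (n <= NMAX): the PRF picks the probed address and the cookie; prev is echoed.
        if not 0 <= i < n <= NMAX:
            raise ValueError("iteration outside the agreed bound")
        off = int.from_bytes(prf(self.key, str(remote), now, i), "big") % remote.num_addresses
        dst = str(remote[off])
        return {"dst": dst, "time": now, "i": i, "n": n, "cookie": prf(self.key, dst, now, i), "prev": prev}

    def check_response(self, resp, now, max_age=60):
        # Reconstruct cookie i from the secret key and the echoed (dst, time, i); no stored challenge.
        if now - resp["time"] > max_age or not 0 <= resp["i"] < resp["n"] <= NMAX:
            return False
        return hmac.compare_digest(resp["cookie"], prf(self.key, resp["dst"], resp["time"], resp["i"]))

def validate_block(a, claimed, responder, n, now):
    """Gateway a probes n PRF-chosen addresses in the claimed block; the responder can answer only
    those it intercepts (inside its own block). Returns how many iterations verified."""
    ok, prev = 0, None
    for i in range(n):
        ch = a.challenge(claimed, now, i, n, prev)
        if ipaddress.ip_address(ch["dst"]) not in responder.block:
            break  # the probe never reached the responder, so no reply comes back
        if not a.check_response(dict(ch), now):  # constructed echo of the challenge
            break
        ok, prev = ok + 1, ch["cookie"]
    return ok
```

The validating gateway keeps nothing between iterations: every reply is checked by recomputing the cookie from the secret key and the echoed parameters, and the n_max check bounds how many probe packets one handshake can ever cause; the stateless SYN-cookie proposal in section 7.1 rests on the same idea.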
Figure 9: Phase 1: network block validation phase [24]

Design: each gateway knows the network blocks associated with the other gateways. Gateways in the network validation phase must agree on n, the number of iterations. To deal with the possibility of DoS attacks, a global constant nmax bounds the number of iterations. In each iteration a gateway sends one packet to a random address in the target network block, so at most 2 ∗ nmax packets can be sent out in nmax iterations; this limits the number of packets a handshake can generate. To avoid network load when initiating handshakes, handshakes are initiated with probability 1/2nmax.

The packet contains a random cookie as a challenge; a gateway that really serves the claimed network block can intercept the packet, otherwise it cannot. A pseudo-random function is used to derive both the destination address and the cookie. The response to the previous challenge is included in the next challenge. When a gateway receives the response to a challenge, it verifies its own cookie by reconstructing it on its side. To reconstruct it, the gateway uses its secret key and the parameters used
to create the cookie, which are extracted from the response (such as the time). After the gateway has successfully checked the validity of the response, it chooses a new random destination address in the remote network block and sends a new challenge. So that the new challenge can be validated, the gateway also echoes the previous cookie and time, the iteration number i and the maximum number of iterations agreed upon. This challenge and response process is repeated n times.

6.3 LOT Packet Structure

To encapsulate a packet in LOT, the IP header and data are modified significantly. The major changes to the original packet are as follows:
• IP flags: the DF and MF flags are always unset in the IP header, since LOT does not allow packet fragmentation within the LOT tunnel.
• Protocol type (transport layer protocol): this field is modified to indicate that the packet is encapsulated using LOT. LOT gateways can pass not only encapsulated packets but also non-encapsulated ones.
• LOT header: a LOT header is attached to the packet. Its most significant bit is the outgoing periodic tag. It carries a field for reconstructing the original packet, including the IP flags and transport protocol, and a field that allows the receiving-end gateway to reconstruct the session key.

7 Observation and Discussion

7.1 Redefinition of TCP Three-way Handshake

While studying the TCP protocol, I observed a few things about the three-way handshake. They are as follows:
• The success of flooding attacks depends on the rate at which SYN segments reach the server side. Neither increasing the backlog nor shortening the acknowledgement waiting time at the receiver side will work, as these could prevent genuine users from establishing a connection.
Figure 10: Redefinition of TCP three-way handshake

Attackers usually send SYN flood segments from a set of unreachable IP addresses; if the addresses were reachable, those systems would reply with an RST segment and the connection would be aborted. If the backlog is filling fast, why not first ping the client before sending any reply? Pinging ensures that the IP address belongs to at least some existing system, so our resources are not wasted. So I suggest starting to ping the source IP addresses once the backlog fills faster than some threshold that we can set.

• The SYN-cookie mechanism can be further improved so that no state needs to be maintained and no memory allocated; hence there is no need for TCBs. The client sends ‘SYN’ to the server. The server replies with ‘SYN/ACK/cookie_server’. The server generates its cookie, cookie_server, from the client's IP address, port, the client's request time and the current time at the server. When the segment reaches the client, the client accepts it and sends ‘ACK/cookie_client/cookie_server’ to the server. The server authenticates its cookie and thereby validates the client. All communication proceeds like this, with no need to maintain any state.
Figure 11: Redefinition of TCP three-way handshake
• When a time-out occurs because the SYN/ACK is lost, the client should resend the SYN packet after the time-out. The server then treats it as a brand new request and creates a new cookie based on the client's details.
• In Linux, the SYN-cookie mechanism is disabled by default, but it can be enabled by setting the corresponding variable to 1 in the /etc/sysctl.conf file.

7.2 Redefinition of ARP Protocol

ARP is a stateless protocol: it maintains no record of ARP queries and replies. The problem with ARP is that it accepts any ARP reply and updates its ARP table as soon as the reply is received.

Figure 12: Redefinition of ARP protocol

• A probable solution to this problem is to maintain a new data structure alongside the existing ARP table: a dynamic list which records all the ARP requests we send.
When an ARP reply arrives, before making any change to the ARP table we check this list of outstanding requests. If we have sent a corresponding request asking for the MAC address of this IP, we confirm the ARP reply by asking a few neighbours. Based on their responses we decide whether or not to add the entry to the ARP table.
• We can further improve ARP by issuing a Reverse Address Resolution Protocol (RARP) query for the MAC address that arrives in the ARP response. If only one reply comes back and it matches, fine. But if more than one reply comes back, i.e. more than one IP address, then something is wrong and the response can be discarded. This, however, can discard a real user too.

8 Conclusion

Recent network attacks have shown how vulnerable our networks are. Flooding, IP spoofing, cache poisoning and denial of service attacks are becoming a significant threat. The percentage of attacks has increased tremendously over the past few years, the duration of attacks has also increased significantly, and so has their bandwidth. This means that mitigating them is becoming a serious challenge.

Ingress filtering was suggested but has not yet been completely implemented by all ISPs. The TCP SYN cache is good for reducing TCP SYN flooding attacks, but it is very complex due to its cryptographic implementation and it requires some state to be maintained. TCP cookies cannot retransmit a lost packet, as there is no state information. Huang's suggestion of maintaining state in ARP is somewhat good but still vulnerable.

The LOT protocol is the best of these, but it requires LOT to be installed on most gateways in the network. All gateways first share a secret key over a vulnerable network, which can be dangerous. LOT tunnels cannot pass over Network Address Translators (NATs); however, NAT devices do not prevent LOT, which means that with NAT the tunnels are formed to and from the NAT device.

Now the world is changing. The face of network communication is changing rapidly.
The use of smartphones and embedded systems is increasing rapidly, and transactions are now done on smartphones. Smartphone technology is not yet mature. Cloud computing and mobile computing are the attackers' future targets.
Security in cloud computing is still a major issue. There is a need for reliable, scalable and fault-tolerant clouds, both for systems and for mobile. Protocols are not very sophisticated and are thus vulnerable to attacks. Research into developing sophisticated network protocols and applications is still a very important area. So the field is full of challenges and impetus for future research.
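The outstanding-request list, neighbour confirmation and RARP cross-check proposed for ARP in section 7.2 above, as an added Python sketch that is not code from the report. The two callbacks, the request timeout, the majority rule among neighbours and the sample address data are assumptions constructed for the illustration.

```python
class ArpCache:
    """ARP table plus the proposed list of outstanding requests; a reply is installed only if we asked
    for it and a few neighbours (and a RARP query for the MAC) agree. Illustration, not real ARP code."""

    def __init__(self, ask_neighbours, rarp, request_timeout=2.0):
        self.table = {}                        # ip -> mac, the ordinary ARP table
        self.pending = {}                      # ip -> time we sent the request (the proposed list)
        self.ask_neighbours = ask_neighbours   # (ip, mac) -> (agreeing, asked); assumed callback
        self.rarp = rarp                       # mac -> list of IPs that answered RARP; assumed callback
        self.request_timeout = request_timeout

    def send_request(self, ip, now):
        self.pending[ip] = now   # every request we send is recorded before any reply can be accepted

    def handle_reply(self, ip, mac, now):
        sent = self.pending.get(ip)
        if sent is None:
            return "dropped: no outstanding request"      # unsolicited (gratuitous or forged) reply
        if now - sent > self.request_timeout:
            del self.pending[ip]
            return "dropped: request expired"
        agreeing, asked = self.ask_neighbours(ip, mac)
        if asked and 2 * agreeing <= asked:               # majority rule is an assumption
            return "dropped: neighbours disagree"
        if len(set(self.rarp(mac))) > 1:                  # one MAC answering for several IPs
            return "dropped: MAC maps to several IPs"     # note: can also reject a legitimate host
        del self.pending[ip]
        self.table[ip] = mac
        return "accepted"

# Constructed ground truth for the neighbours' caches and RARP answers (sample data, not real hosts).
TRUTH = {"10.0.0.1": "aa:aa:aa:aa:aa:01", "10.0.0.2": "aa:aa:aa:aa:aa:02",
         "10.0.0.3": "cc:cc:cc:cc:cc:03", "10.0.0.4": "cc:cc:cc:cc:cc:03"}

def neighbours_agree(ip, mac, asked=3):
    return (asked if TRUTH.get(ip) == mac else 0, asked)

def rarp_lookup(mac):
    return [ip for ip, m in TRUTH.items() if m == mac]

def demo():
    """Run the cases the section discusses and return the cache's verdicts plus the resulting table."""
    cache = ArpCache(neighbours_agree, rarp_lookup)
    out = [cache.handle_reply("10.0.0.1", TRUTH["10.0.0.1"], 0.0)]          # never requested
    cache.send_request("10.0.0.1", 1.0)
    out.append(cache.handle_reply("10.0.0.1", "ee:ee:ee:ee:ee:ee", 1.1))   # forged reply while pending
    out.append(cache.handle_reply("10.0.0.1", TRUTH["10.0.0.1"], 1.2))     # genuine reply
    cache.send_request("10.0.0.3", 2.0)
    out.append(cache.handle_reply("10.0.0.3", TRUTH["10.0.0.3"], 2.1))     # MAC claims two IPs
    return out, dict(cache.table)
```

The last case shows the caveat the section itself raises: the RARP rule rejects a host whose MAC legitimately answers for two addresses.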
Bibliography

[1] "Prolexic Quarterly Global DDoS Attack Report," Quarter 4, 2011.
[2] "Prolexic Quarterly Global DDoS Attack Report," Quarter 1, 2012.
[3] "2012 Norton Cybersecurity Report."
[4] Department of Information Technology, Ministry of Communications and Information Technology, 2012-13.
[5] "Government to warn businesses about cyber crime threat," BBC, 5 September 2012.
[6] Ross Anderson and Chris Barton, "Measuring the cost of cybercrime."
[7] J. Postel, "Transmission Control Protocol," RFC 793, Defense Advanced Research Projects Agency, September 1981.
[8] F. Gont, "Survey of Security Hardening Methods for Transmission Control Protocol (TCP) Implementations," Internet Draft, March 2012.
[9] "Prolexic Quarterly Global DDoS Attack Report," Quarter 3, 2012.
[10] W. Eddy, "TCP SYN Flooding Attacks and Common Mitigations," RFC 4987, Network Working Group, August 2007.
[11] D. Bennahum, "PANIX ATTACK."
[12] daemon9, route, and infinity, "Project Neptune," vol. 7, July 1996.
[13] T. Shimomura, "Technical details of the attack described by Markoff in NYT," message posted to a USENET newsgroup, 1995.
[14] S. M. Bellovin, "Security problems in the TCP/IP protocol suite," ACM SIGCOMM Computer Communication Review, vol. 19, April 1989.
[15] Lemon, "SYN cookies," read on 5 October 2012.
[16] D. Bernstein, "Resisting SYN flood DoS attacks with a SYN cache," Proceedings of the BSDCon 2002 Conference, 2002.
[17] A. Zúquete, "Improving the functionality of SYN cookies," 6th IFIP Communications and Multimedia Security Conference (CMS 2002), 2002.
[18] P. Ferguson, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing," RFC 2267, January 1998.
[19] R. Beverly and S. Bauer, "The Spoofer Project: Inferring the extent of source address filtering on the Internet," Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2005.
[20] Yanyan Li and Keyu Jiang, "Prospect of the Future Internet – A Study Based on TCP/IP vulnerabilities," IEEE International Conference on Computing, Measurement, Control and Sensor Network, 2012.
[21] S. Gavaskar, R. Surendiran and E. Ramaraj, "Three Counter Defense Mechanism for TCP SYN Flooding Attacks," International Journal of Computer Applications (0975 – 8887), vol. 6, September 2010.
[22] G. Dommety, "Key and Sequence Number Extensions to GRE," RFC 2890, The Internet Society.
[23] S. Savage and D. Wetherall, "Practical network support for IP traceback," Proceedings of the ACM SIGCOMM Conference on Internet Measurement, 2000.
[24] Yossi Gilad and Amir Herzberg, "LOT: A Defense Against IP Spoofing and Flooding Attacks," ACM Transactions on Information and System Security, vol. 15 (6), July 2012.
[25] F. Gont and S. Bellovin, "Defending Against Sequence Number Attacks," TCP Maintenance and Minor Extensions (tcpm), July 7, 2011.
[26] F. Gont and S. Bellovin, "Defending Against Sequence Number Attacks," RFC 6528, TCP Maintenance and Minor Extensions (tcpm), February 2012.
[27] J. Postel, "TCP and IP bake off," RFC 1025, September 1987.
[28] B. Braden, "Extending TCP for Transactions – Concepts," RFC 1379, November 1992.
[29] N. Spring, D. Wetherall and D. Ely, "Robust Explicit Congestion Notification (ECN) Signaling with Nonces," RFC 3540, 2003.
[30] K. Ramakrishnan, S. Floyd and D. Black, "The Addition of Explicit Congestion Notification (ECN) to IP," RFC 3168, September 2001.
[31] D. Ely, "Firewall spotting and networks analysis with a broken CRC," Phrack Magazine, Volume 0x0b, Issue 0x3c, Phile 0x0c of 0x10, 2002.
[32] Windows 95/NT DoS, "Post to the bugtraq mailing-list."
[33] David C. Plummer, "An Ethernet Address Resolution Protocol – or – Converting Network Protocol Addresses to 48-bit Ethernet Address for Transmission on Ethernet Hardware," RFC 826.
[34] T. Huang and G. Bai, "Method against ARP spoofing based on improved protocol mechanism."
[35] "ARP Guard."
[36] Vipul Goyal and Rohit Tripathy, "An Efficient Solution to the ARP Cache Poisoning Problem," Springer-Verlag Berlin Heidelberg, 2005.
[37] J. Postel, "Internet Protocol, The Protocol Specification," RFC 791, DARPA Internet Program.