TCP Vulnerabilities

This slide deck covers vulnerabilities in the TCP and ARP protocols and suggests deploying the LOT protocol on network gateways.

  1. TCP Vulnerabilities and IP Spoofing: Current Challenges and Future Prospects. Prakhar Bansal (Registration No. 2011CS29), Computer Science and Engineering Department, Motilal Nehru National Institute of Technology Allahabad, Allahabad, India. November 5, 2012. 45 slides.
  2. Outline: 1 Motivation; 2 Problem Statement; 3 TCP Vulnerabilities; 4 ARP Cache Poisoning Attack; 5 LOT: Lightweight Opportunistic Plug and Play Secure Tunneling Protocol; 6 Observation; 7 Conclusion; 8 References.
  3. Motivation: Why?
  5. Prolexic Attack Report [1]: number of DDoS attacks up 88%; average attack duration up, to as much as 33 hours; average attack bandwidth up; packets-per-second rate up; top country of origin for DDoS attacks: China.
  6. Norton Cyber Crime Report 2012 [2]: according to the report, cybercrime affects 556 million victims per year; 2 out of 3 online adults have been victims in their lifetime; 42 million+ people in India were affected in the last 12 months; the global price tag has reached $110 billion; the average cost per victim is $197.
  7. Cybercrime global cost. Figure: Cybercrime global cost [2].
  8. Government Budgets and Recent Reports: UK businesses lose around £21 billion a year [3]; India spent Rs 37.7 crore this year; the US has proposed $800 million for fiscal year 2013-14; governments should spend more on policing the Internet [4].
  9. Recent Anonymous Attacks I.
  10. Recent Anonymous Attacks II: On January 19, 2012, the group attacked the US Department of Justice and FBI websites in protest against SOPA; the group claimed it was its largest attack, with over 5,635 participating systems. An attack on Facebook on October 12, 2012 led to a Facebook outage in Europe.
  11. Recent Anonymous Attacks III: Attacks on many Indian websites, including the site of the Supreme Court of India and those of national political parties, in response to Internet censorship. UK government websites were taken down in April 2012 in protest against government surveillance policies.
  12. Problem Statement: 'To design a reliable, scalable and secure network: a network that no one can spoof, no one can flood and no one can hack.' Protocol vulnerabilities are one of the long-standing major challenges in network communications, and the reports and attacks discussed show how vulnerable our network protocols are.
  13. TCP Vulnerabilities: Three-way Handshake. Figure: Three-way handshake.
  14. Establishing and Closing a TCP Connection: Sequence of States at the Client TCP. Figure: Sequence of states at client TCP.
  15. Establishing and Closing a TCP Connection: Sequence of States at the Server TCP. Figure: Sequence of states at server TCP.
  16. TCP SYN Flooding Attack, Theory of Operation: A server TCP in the LISTEN state transitions to SYN-RECEIVED when it receives a SYN segment, and allocates a Transmission Control Block (TCB) for the half-open connection. A SYN flood tries to exhaust that memory, the backlog of half-open connections, at the attacked host so that legitimate SYNs are dropped. The success of a SYN flood depends on packet size, the rate of SYNs, and the use of many distinct, distributed and unreachable spoofed source addresses, so that the SYN/ACKs are never answered and no RST comes back to clear the half-open entries.
  17. TCP SYN Flooding Attack, Countermeasures: filtering; increasing the backlog; reducing the SYN-RECEIVED timer; recycling the oldest half-open TCB; SYN cache; SYN cookies; SYN-cookie limitations (the server keeps no state between SYN and ACK, so TCP options negotiated in the SYN are lost and a lost SYN/ACK cannot be retransmitted).
  18. ARP Cache Poisoning Attack, About ARP: ARP was originally published by David C. Plummer in RFC 826. To communicate with a host on the local network we must know its 48-bit Ethernet (MAC) address. The host broadcasts an ARP query on the network, and the host with the given IP address unicasts an ARP reply. Each node maintains a data structure called the ARP cache that stores <IP, MAC> pairs; ARP cache entries expire after some time.
  19. ARP Cache Poisoning Attack, Theory of Operation: ARP is a stateless protocol. A host updates its ARP cache from any ARP reply it receives (and, in many implementations, from any request), so a false ARP reply is reflected in the cache as soon as the host receives it, whether or not a query was ever sent. Once the host has updated its ARP cache, the attacker also gets the packets intended for the other system.
  20. ARP Cache Poisoning Attack, Countermeasures I: Huang (2008) suggests adding state to the ARP protocol [5]. Figure: Huang's solution [5].
  21. ARP Cache Poisoning Attack, Countermeasures II: Seung Yeob Nam (2010) proposed a voting-based resolution mechanism to prevent ARP attacks: a host first asks other neighbouring hosts about the IP and MAC before updating its table. Some firewall and router manufacturers include procedures in their products to detect ARP spoofing attacks. Software such as ARP-Guard recognises changes in ARP tables and reports them to a management system [6].
  22. LOT, About LOT: LOT needs to be installed at the communicating network gateways [7]. Once installed, a gateway establishes an efficient tunnel for secure communication with another gateway. A working prototype is available online at http://lighttunneling.sourceforge.net.
  23. LOT Features: local and remote quotas; filtering; congestion detection; an ingress-filtering substitute: a pseudorandom tag is added to each packet sent through the tunnel.
  24. LOT Communication Model: An IP address lies in the address space {0,1}^32 [8]; LOT generalises this so that every network entity has an address in a space S = {0,1}^l. A set NB ⊆ S is a network block if there exists a prefix P ∈ {0,1}^l', l' < l, such that NB is the set of all addresses beginning with P. Network hosts and LOT gateways are all network entities e, each with an associated network block NB(e). A host entity h is associated with a single address, |NB(h)| = 1; a gateway entity may be associated with a larger network block.
  25. LOT Communication Model. Figure: Communication model [7].
  26. LOT Communication Model: Network entities communicate by sending messages to their next peers, which are decided as follows. Two entities e1, e2 are peers if and only if either (a) NB(e1) ⊂ NB(e2) and there is no gateway G with NB(e1) ⊂ NB(G) ⊂ NB(e2) (in the figure, entities A and C are peers), or (b) NB(e1) ⊄ NB(e2), NB(e2) ⊄ NB(e1), and no gateway G whose block contains NB(e1) or NB(e2) lies between them (in the figure, entities F and G are peers).
  27. Handshake Between Gateways, Phase 1: Hello I: HOST_A, in some network block NB_1 behind GW_A, sends a packet to HOST_B in another network block NB_2 not associated with GW_A. GW_A identifies the gateway GW_B associated with NB(HOST_B) and begins the handshake by sending a hello request message to HOST_B. The hello request message contains details of NB(HOST_A), the block associated with GW_A, and a cookie, cookie_A.
  28. Handshake Between Gateways, Phase 1: Hello II: GW_B intercepts the hello request message and replies with a hello response message. The hello response contains details of NB(HOST_B), the block associated with GW_B, cookie_A and, as an optimisation, cookie_B.
  29. Handshake Between Gateways, Phase 1: Hello III. Figure: Phase 1, hello phase.
  30. Handshake Between Gateways, Phase 2: Network Block Validation I: GW_A checks whether GW_B is really associated with NB(HOST_B), and GW_B checks whether GW_A is really associated with NB(HOST_A). The phase consists of n iterations. GW_A sends a packet carrying a cookie to a random host in NB(GW_B); if GW_B is associated with that block it should be able to intercept it. The cookie is computed from NB(GW_B), the current time at GW_A, the current iteration number and the agreed number of iterations.
  31. Handshake Between Gateways, Phase 2: Network Block Validation II: After intercepting the packet correctly, GW_B sends a challenge, with a response, to a random host associated with GW_A. The response contains the two cookies and the arguments GW_A needs to regenerate its cookie. If GW_A is associated with NB(HOST_A) it intercepts the challenge, extracts its cookie, regenerates it and checks that the two match. GW_A then selects another random host from NB(HOST_B), and the process is repeated n times. To avoid DDoS attacks, η_max is set as a global constant and n ≤ η_max.
  32. Handshake Between Gateways, Phase 2: Network Block Validation. Figure: Phase 2, network block validation.
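The network block validation described in slides 30 to 32, as an added simulation. This is illustrative code written for this page, not the LOT prototype from lighttunneling.sourceforge.net. A gateway is modelled as intercepting exactly the packets addressed into the block it really fronts, so a peer can only prove a block it is on the path to; cookies are HMACs over the block under validation, GW_A's time, the iteration number and n, as the slides describe. The toy 8-bit address width, gateway names, blocks, keys, the η_max value and the message field names are all constructed assumptions:

```python
"""LOT-style network block validation (phase 2), an added simulation. Illustrative
code for this page, not the LOT prototype. A gateway intercepts exactly the
packets addressed into the block it really fronts, so a peer can only prove a
block it is on the path to. Address width, names, blocks, keys and eta_max are
constructed.
"""
from dataclasses import dataclass
import hashlib
import hmac
import random

L = 8            # toy address space {0,1}^L (IPv4 would be L = 32)
ETA_MAX = 16     # global bound on the number of validation iterations


@dataclass(frozen=True)
class Block:
    """Network block: every address whose top plen bits equal prefix."""
    prefix: int
    plen: int

    def contains(self, addr):
        return addr >> (L - self.plen) == self.prefix

    def random_addr(self, rng):
        return (self.prefix << (L - self.plen)) | rng.getrandbits(L - self.plen)

    def __str__(self):
        return f"{self.prefix:0{self.plen}b}/{self.plen}"


class Network:
    """Hands a packet to the gateway on the path to addr, or drops it."""

    def __init__(self):
        self.gateways = []

    def deliver(self, addr, pkt):
        for gw in self.gateways:
            if gw.real_block.contains(addr):
                return gw.handle(pkt)
        return None                      # nobody fronts this address: packet lost


class Gateway:
    def __init__(self, name, real_block, claimed_block, net):
        self.name, self.real_block, self.claimed_block, self.net = name, real_block, claimed_block, net
        self.key = hashlib.sha256(f"secret-{name}".encode()).digest()   # constructed per-gateway key
        self.rng = random.Random(name)
        net.gateways.append(self)

    def cookie(self, block, t, i, n):
        """Cookie over the block under validation, our time t, iteration i and n."""
        return hmac.new(self.key, f"{block}|{t}|{i}|{n}".encode(), hashlib.sha256).digest()[:8]

    def handle(self, pkt):
        """Called for packets to addresses this gateway really fronts."""
        if pkt["type"] == "challenge":
            # reflect the cookie and its arguments to a random host behind the challenger
            resp = {"type": "response", "cookie": pkt["cookie"], "args": pkt["args"],
                    "block": self.claimed_block, "responder": self.name}
            return self.net.deliver(pkt["from_block"].random_addr(self.rng), resp)
        return (self, pkt)               # a response surfaces at whoever fronts the address


def prove_block(gwa, block, n, t=1000, seed=7):
    """GW_A validates that a single gateway fronts `block`. Returns that gateway's
    name, or None if any of the n challenges fails to come back correctly."""
    if n > ETA_MAX:
        raise ValueError("n must not exceed eta_max")
    rng, prover = random.Random(seed), None
    for i in range(n):
        challenge = {"type": "challenge", "cookie": gwa.cookie(block, t, i, n),
                     "from_block": gwa.claimed_block, "args": (t, i, n)}
        result = gwa.net.deliver(block.random_addr(rng), challenge)
        if result is None:
            return None                                   # nobody on the path answered
        receiver, resp = result
        if receiver is not gwa or resp["block"] != block:
            return None                                   # reply missed GW_A, or wrong block claimed
        if not hmac.compare_digest(resp["cookie"], gwa.cookie(block, *resp["args"])):
            return None                                   # cookie does not regenerate
        if prover not in (None, resp["responder"]):
            return None                                   # two different gateways answered
        prover = resp["responder"]
    return prover


def run_demo():
    net = Network()
    gwa = Gateway("GWA", Block(0b0001, 4), Block(0b0001, 4), net)   # honest, fronts 16..31
    gwb = Gateway("GWB", Block(0b0010, 4), Block(0b0010, 4), net)   # honest, fronts 32..47
    mal = Gateway("MAL", Block(0b0011, 4), Block(0b0010, 4), net)   # fronts 48..63, claims GWB's block
    imp = Gateway("IMP", Block(0b0100, 4), Block(0b0001, 4), net)   # fronts 64..79, claims GWA's block
    return {
        "honest_peer": prove_block(gwa, gwb.claimed_block, n=4),
        "block_claimed_by_mal": prove_block(gwa, mal.claimed_block, n=4),
        "unfronted_block": prove_block(gwa, Block(0b0101, 4), n=4),
        "oversized_block": prove_block(gwa, Block(0b001, 3), n=4),
        "impostor_challenger": prove_block(imp, gwb.claimed_block, n=4),
    }


if __name__ == "__main__":
    print(run_demo())
```

prove_block returns the name of the gateway that actually fronts the block, so when MAL claims GW_B's block the validated identity is "GWB" and GW_A can reject MAL by comparing it with the peer it is handshaking with. A block nobody fronts, a block larger than any single gateway's, and a challenger that itself lies about its own block (its responses surface at the real owner, not at it) all fail.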
  33. LOT Packet Structure: The IP header is modified significantly in order to encapsulate LOT. IP flags: the DF/MF flags are always cleared, since there is no packet fragmentation within the LOT tunnel. Protocol type: this field is changed to indicate that the packet is encapsulated with LOT. LOT header: a LOT header is attached to the packet; it contains the tag, fields for reconstructing the original packet (including the IP flags and the transport protocol), and fields that allow the receiving gateway to reconstruct the session key.
  34. My Observation, TCP Three-way Handshake I: While studying the TCP protocol, I observed a few things in the three-way handshake. The success of SYN flooding attacks depends on the frequency of SYN segments reaching the server side; neither increasing the backlog nor decreasing the SYN-RECEIVED timer will work. Attackers usually send SYN flood messages from a set of unreachable IPs. If the backlog (half-open connection queue) is filling very fast, why not first ping the client before sending any reply?
  35. My Observation, TCP Three-way Handshake. Figure: Redefinition of TCP three-way handshake.
  36. My Observation, TCP Three-way Handshake II: The SYN-cookie limitation can be removed by using a separate cookie. The client sends a SYN segment to the server; the server replies with SYN/ACK/cookie_server, where cookie_server is based on the client IP address, port number, current time and other information. Once it reaches the client, the client acknowledges the server by sending ACK/cookie_server. The server authenticates its cookie and validates the client.
  37. My Observation, TCP Three-way Handshake. Figure: Redefinition of TCP three-way handshake.
  38. My Observation, TCP Three-way Handshake III: In Linux, the SYN-cookie mechanism is controlled by the sysctl net.ipv4.tcp_syncookies (check the current value with sysctl net.ipv4.tcp_syncookies; many distributions ship it enabled). It can be enabled persistently by setting net.ipv4.tcp_syncookies = 1 in /etc/sysctl.conf.
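The SYN flood of slides 16 and 17 and the cookie-based handshake of slides 34 to 38, as an added Python simulation. This is code written for this page, not the slides' design or Linux's implementation. The backlog listener keeps a TCB per SYN and is exhausted by spoofed, never-completing SYNs; the cookie listener keeps no state and instead derives the SYN/ACK sequence number from an HMAC over the 4-tuple and a coarse time slot, then validates the returning ACK, which is how SYN cookies and the slides' cookie_server work. Addresses, ports, the secret, the slot width and the acceptance window are constructed assumptions:

```python
"""SYN flood vs. SYN cookies, an added simulation (not code from the slides).

BacklogListener keeps one TCB per SYN, the classic exhaustion target.
SynCookieListener keeps nothing: the SYN/ACK sequence number is a cookie
derived from the 4-tuple and a coarse time slot and is checked when the
client's ACK comes back. All addresses, ports and the secret are constructed.
"""
import hashlib
import hmac
import secrets

SLOT_BITS = 5                      # time slot in the top bits of the 32-bit cookie
HASH_BITS = 32 - SLOT_BITS         # truncated HMAC in the remaining bits
SLOT_SECONDS = 64                  # cookie validity granularity
COOKIE_WINDOW = 2                  # accept the current and the previous slot
MASK32 = 0xFFFFFFFF


class BacklogListener:
    """Stateful listener: a half-open entry per SYN until the ACK or a timeout."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}        # (src, sport) -> server ISN

    def on_syn(self, src, sport):
        if len(self.half_open) >= self.backlog:
            return None            # backlog full: the SYN is dropped
        isn = secrets.randbits(32)
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src, sport, ack):
        isn = self.half_open.pop((src, sport), None)
        return isn is not None and ack == (isn + 1) & MASK32


class SynCookieListener:
    """Stateless listener: the ISN in the SYN/ACK is a cookie; no TCB is allocated."""

    def __init__(self, secret, dst, dport):
        self.secret, self.dst, self.dport = secret, dst, dport

    def _cookie(self, src, sport, slot):
        msg = f"{src}|{sport}|{self.dst}|{self.dport}|{slot}".encode()
        h = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return ((slot & ((1 << SLOT_BITS) - 1)) << HASH_BITS) | (h & ((1 << HASH_BITS) - 1))

    def on_syn(self, src, sport, now):
        return self._cookie(src, sport, now // SLOT_SECONDS)   # one HMAC, zero state

    def on_ack(self, src, sport, ack, now):
        cookie = (ack - 1) & MASK32
        slot_tag = cookie >> HASH_BITS
        cur = now // SLOT_SECONDS
        for slot in range(cur, cur - COOKIE_WINDOW, -1):
            if (slot & ((1 << SLOT_BITS) - 1)) == slot_tag:
                return hmac.compare_digest(
                    self._cookie(src, sport, slot).to_bytes(4, "big"), cookie.to_bytes(4, "big"))
        return False               # stale or malformed cookie


def simulate(flood_size=10_000, now=1_000_000):
    """Flood both listeners with SYNs from distinct spoofed, unreachable sources
    (they never ACK), then let one legitimate client connect."""
    legit = ("10.0.0.5", 40000)                                   # constructed client
    backlog = BacklogListener(backlog=128)
    cookie = SynCookieListener(b"constructed-demo-secret", "192.0.2.10", 443)

    for i in range(flood_size):
        src, sport = f"198.51.100.{i % 250}", 1024 + i            # spoofed, never replies
        backlog.on_syn(src, sport)                                # pins a TCB each time
        cookie.on_syn(src, sport, now)                            # costs one HMAC, no memory

    isn_b = backlog.on_syn(*legit)
    served_b = isn_b is not None and backlog.on_ack(*legit, (isn_b + 1) & MASK32)

    isn_c = cookie.on_syn(*legit, now)
    served_c = cookie.on_ack(*legit, (isn_c + 1) & MASK32, now + 5)

    return {
        "backlog_half_open": len(backlog.half_open),
        "backlog_served_legit": served_b,
        "cookie_served_legit": served_c,
        # a blind attacker who never saw the SYN/ACK must guess the 27-bit hash
        "cookie_forged_ack": cookie.on_ack(*legit, ((isn_c ^ 1) + 1) & MASK32, now + 5),
        # a cookie older than the window is rejected, bounding replay
        "cookie_stale_ack": cookie.on_ack(*legit, (isn_c + 1) & MASK32, now + 3 * SLOT_SECONDS),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

Because the server stores nothing between SYN and ACK, only what fits in 32 bits survives the handshake: options such as window scaling or SACK negotiated in the SYN are lost (real SYN cookies squeeze an MSS index into the cookie), and a lost SYN/ACK cannot be retransmitted. That is the limitation slide 17 alludes to, and why Linux with tcp_syncookies = 1 only switches to cookies once the backlog is full.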
  39. ARP Protocol I: ARP is a stateless protocol: it accepts any ARP reply and updates its ARP table as soon as the reply is received. We can add a new data structure alongside the existing ARP table: a dynamic list that records all outstanding ARP requests. When an ARP reply arrives, we check this list to see whether we sent a matching query. We can further confirm the reply by asking a few neighbours, and we can originate a RARP request for the MAC address received in the ARP response.
  40. ARP Protocol. Figure: Redefinition of ARP protocol.
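The stateful ARP cache proposed in slides 19 to 21 and 39, as an added Python example. This is code written for this page, not the slides' or ARP-Guard's. Outgoing requests are recorded; a reply is applied only if it answers an outstanding request, and a reply that would rebind a known IP to a different MAC is flagged instead of applied. The frames, addresses and timeouts are constructed; the neighbour confirmation and RARP steps are the hook the flagged cases would feed:

```python
"""Stateful ARP cache, an added example (not the slides' or any product's code).

Plain ARP updates the cache on any reply it hears, which is what lets a
spoofed reply redirect traffic. Here each outgoing request is recorded, a
reply is accepted only if it answers a pending request, and a reply that
would change the MAC bound to a known IP is held for confirmation instead
of being applied. All frames and addresses are constructed.
"""
from dataclasses import dataclass, field

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpFrame:
    op: int
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str = "00:00:00:00:00:00"


@dataclass
class StatefulArpCache:
    my_ip: str
    my_mac: str
    request_ttl: float = 2.0                        # seconds a request stays outstanding
    entry_ttl: float = 60.0                         # lifetime of a learned binding
    pending: dict = field(default_factory=dict)     # ip -> time the request was sent
    table: dict = field(default_factory=dict)       # ip -> (mac, expiry)
    alerts: list = field(default_factory=list)

    def resolve(self, ip, now):
        """Build an ARP request for ip and record it as outstanding."""
        self.pending[ip] = now
        return ArpFrame(ARP_REQUEST, self.my_ip, self.my_mac, ip)

    def lookup(self, ip, now):
        ent = self.table.get(ip)
        return ent[0] if ent and ent[1] > now else None

    def on_frame(self, f, now):
        """Process a received ARP frame: 'accepted', 'ignored' or 'suspicious'."""
        if f.op != ARP_REPLY or f.target_ip != self.my_ip:
            return "ignored"                        # never learn from others' traffic
        sent = self.pending.get(f.sender_ip)
        if sent is None or now - sent > self.request_ttl:
            self.alerts.append(f"unsolicited reply for {f.sender_ip} from {f.sender_mac}")
            return "suspicious"                     # classic poisoning: nobody asked
        known = self.lookup(f.sender_ip, now)
        if known is not None and known != f.sender_mac:
            self.alerts.append(f"MAC change for {f.sender_ip}: {known} -> {f.sender_mac}")
            return "suspicious"                     # needs neighbour confirmation first
        self.table[f.sender_ip] = (f.sender_mac, now + self.entry_ttl)
        del self.pending[f.sender_ip]
        return "accepted"


def run_scenario():
    """Constructed traffic: a host resolving its gateway while an attacker
    tries an unsolicited reply, then a race against a refresh request."""
    gw, gw_mac, evil_mac = "10.0.0.1", "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:99"
    host = StatefulArpCache(my_ip="10.0.0.2", my_mac="aa:aa:aa:aa:aa:02")
    out, t = {}, 0.0

    host.resolve(gw, t)
    out["legit_reply"] = host.on_frame(ArpFrame(ARP_REPLY, gw, gw_mac, host.my_ip, host.my_mac), t + 0.01)
    # attacker injects a reply nobody asked for
    out["unsolicited_reply"] = host.on_frame(ArpFrame(ARP_REPLY, gw, evil_mac, host.my_ip, host.my_mac), t + 5)
    out["gateway_mac_after_unsolicited"] = host.lookup(gw, t + 5)
    # attacker races the host's refresh request, but the binding is already known
    host.resolve(gw, t + 30)
    out["raced_reply"] = host.on_frame(ArpFrame(ARP_REPLY, gw, evil_mac, host.my_ip, host.my_mac), t + 30.001)
    out["legit_refresh"] = host.on_frame(ArpFrame(ARP_REPLY, gw, gw_mac, host.my_ip, host.my_mac), t + 30.01)
    # limitation: with no prior binding the faster replier still wins, which is
    # why the slides add neighbour confirmation before trusting a new entry
    fresh = StatefulArpCache(my_ip="10.0.0.3", my_mac="aa:aa:aa:aa:aa:03")
    fresh.resolve(gw, t)
    out["first_contact_spoof"] = fresh.on_frame(ArpFrame(ARP_REPLY, gw, evil_mac, fresh.my_ip, fresh.my_mac), t + 0.001)
    out["alerts"] = host.alerts
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The last scenario is the caveat: with no prior binding, an attacker who answers the very first request faster than the real owner is still accepted, so the request list alone closes unsolicited-reply poisoning but not a reply race. That gap is what the neighbour confirmation in slides 21 and 39 (or static or DHCP-snooped bindings enforced on the switch) has to cover.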
  41. Conclusion: Recent network attacks have shown how vulnerable our networks are; flooding, IP spoofing and denial-of-service attacks are becoming significant threats. Ingress filtering has been suggested but is not yet implemented by all ISPs. The LOT protocol is the best option, but it needs to be installed on almost all gateways in the network. Gateways first share a secret key over the untrusted network, which can be dangerous. LOT tunnels cannot pass through Network Address Translators (NATs), although NAT devices do not prevent LOT as such, and tunnels will still be formed between gateways not separated by a NAT.
  42. Conclusion: The world is changing, and the face of network communication is changing rapidly. The use of smartphones and embedded systems is increasing fast, and cloud computing and mobile computing are attackers' future targets. Security in cloud computing is still a major issue; there is a need for reliable, scalable and fault-tolerant clouds for both desktop and mobile systems. Protocols are not very sophisticated and are thus vulnerable to attack. Research into developing sophisticated network protocols remains a very important area, full of challenges, and a thrust for future research.
  43. References I
     [1] Prolexic, "Prolexic Quarterly Global DDoS Attack Report," Q3 2012.
     [2] Symantec, "2012 Norton Cybercrime Report."
     [3] "Government to warn businesses about cyber crime threat," BBC, 5 September 2012.
     [4] Ross Anderson, Chris Barton et al., "Measuring the cost of cybercrime," Workshop on the Economics of Information Security (WEIS), 2012.
     [5] T. Huang and G. Bai, "Method against ARP spoofing based on improved protocol mechanism."
     [6] "ARP-Guard," https://www.arp-guard.com/info.
  44. References II
     [7] Yossi Gilad and Amir Herzberg, "LOT: A Defense Against IP Spoofing and Flooding Attacks," ACM Transactions on Information and System Security, vol. 15, no. 2, article 6, July 2012.
     [8] J. Postel, "Internet Protocol, DARPA Internet Program Protocol Specification," RFC 791, September 1981.
  45. Thank you. Questions?
