
A Look Back At Security Problems In The TCP/IP Protocol Suite

Jielin Li


Original Paper: Security Problems In The TCP/IP Protocol Suite

• Bellovin takes a critical look at each of the components of the TCP/IP protocol suite.
  – From the network layer (e.g. routing) to the application layer.

• He discusses (potentially) exploitable flaws in each, and – where possible – defenses against them.


Original Paper: Security Problems In The TCP/IP Protocol Suite

• A review of his earlier paper: "Security Problems in the TCP/IP Protocol Suite", Computer Communication Review, Vol. 19, No. 2, April 1989

• The review’s purpose:
  – Where the author’s focus and predictions were accurate
  – Where the author was wrong
  – Where the dangers have yet to happen
  – A general review of security problems in the TCP/IP protocol suite


Background of the Original Paper

• In April 1989 (when this paper was published) there were between 80k and 130k hosts on the Internet.
  – There were 162 million as of 07/2002…

• In November 1988, the Morris worm infected 10% of the Internet (some 6000 hosts), causing an estimated $98 million in damage.


What was discussed in this paper?

• TCP Sequence Number Prediction
• Routing Problems
• The Authentication Server
• Non-inherently Flawed Application Protocols
• Trivial Attacks
• Comprehensive Defense


1. TCP Sequence Number Prediction

• The normal TCP connection establishment sequence involves a 3-way handshake. The client selects and transmits an initial sequence number ISNc. The server acknowledges it and sends its own sequence number ISNs, and the client acknowledges that.

Client → Server: SYN(ISNc)
Server → Client: SYN(ISNs), ACK(ISNc)
Client → Server: ACK(ISNs)
Client → Server: Data…

First described by Morris: if an intruder finds a way to predict ISNs, it can send the following sequence to impersonate trusted host T…

Intruder X → Server: SYN(ISNx), SRC=T
Server → Host T:     SYN(ISNs), ACK(ISNx)
Intruder X → Server: ACK(ISNs), SRC=T
Intruder X → Server: ACK(ISNs), SRC=T (data)

• How to predict the “random” ISN?
  – The ISN is incremented by a constant amount once per second
  – By half of that amount each time a connection is initiated

• The host T will receive the reply message and attempt to reset the connection. By impersonating a server port on T, and by flooding that port with apparent connection requests, the attacker could generate queue overflows that would make it likely that the server-to-client message would be lost.

• The author mischaracterized Morris’s paper. He anticipated DoS attacks that started occurring in 1996.


A variant: exploit the network statistics (netstat) service

• In computing, network statistics (netstat) is a command-line tool that displays network connections (both incoming and outgoing), routing tables, and a number of network interface (network interface controller or software-defined network interface) and network protocol statistics.

• If netstat is available on the target host, it may supply the necessary sequence number information on another port.


Defense

• Improve the relatively coarse rate of change and granularity of the initial sequence number variable

• The instability of the Internet also plays a role
• Randomizing the increment
• Using a cryptographic algorithm
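As an added illustration (not from the slides or Bellovin's paper) of why the counter rule above is predictable from one observed ISN and what the "cryptographic algorithm" defense changes: the RATE constant, the HMAC-SHA256 choice, the clock tick and the secret are assumptions of this example.

```python
import hashlib
import hmac

MASK32 = 0xFFFFFFFF


class CounterISN:
    """The rule the slides describe: the ISN advances by a constant amount
    once per second and by half that amount per new connection.
    RATE is a constructed value for illustration, not the historical one."""
    RATE = 128_000

    def __init__(self):
        self.base = 0

    def new_connection(self, t_seconds):
        isn = (self.base + self.RATE * t_seconds) & MASK32
        self.base += self.RATE // 2            # per-connection bump
        return isn


def predict_next_counter_isn(observed_isn, seconds_later):
    """Everything an observer needs: one earlier ISN plus the two public rules."""
    return (observed_isn + CounterISN.RATE // 2
            + CounterISN.RATE * seconds_later) & MASK32


class KeyedISN:
    """ISN = clock + F(4-tuple, secret), the 'cryptographic algorithm' defense.
    F is HMAC-SHA256 truncated to 32 bits here (an assumption of this example)."""

    def __init__(self, secret):
        self.secret = secret

    def new_connection(self, t_microseconds, laddr, lport, raddr, rport):
        four_tuple = f"{laddr}:{lport}:{raddr}:{rport}".encode()
        f = int.from_bytes(hmac.new(self.secret, four_tuple,
                                    hashlib.sha256).digest()[:4], "big")
        # A 4-microsecond clock keeps the ISNs of one 4-tuple increasing over
        # time, while F makes the ISNs of different peers unrelated to each other.
        return (t_microseconds // 4 + f) & MASK32


if __name__ == "__main__":
    gen = CounterISN()
    seen = gen.new_connection(t_seconds=10)      # one ISN observed at t=10s
    actual = gen.new_connection(t_seconds=12)    # the next open, two seconds later
    print("counter rule predicted it:", predict_next_counter_isn(seen, 2) == actual)
    keyed = KeyedISN(b"constructed-demo-secret")
    a = keyed.new_connection(10_000_000, "192.0.2.1", 23, "192.0.2.2", 40001)
    b = keyed.new_connection(12_000_000, "192.0.2.1", 23, "192.0.2.3", 40002)
    print("keyed ISNs for two peers:", hex(a), hex(b))
```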


2. Routing

• In the author’s words, the routing attack is the only attack he “discussed in this paper that hasn’t been seen in the wild”. That is no longer the case.

• Abuse of the routing mechanisms and protocols is probably the simplest protocol-based attack available. There are a variety of ways to do this, depending on the exact routing protocols. A number of the attacks are described in the paper:
  – Source routing
  – Routing Information Protocol attacks
  – Exterior Gateway Protocol
  – The Internet Control Message Protocol


2.1. Source Routing

• Giving a packet an explicit path to follow to a destination.
  – If the target uses the inverse of the supplied route as the return path, it permits address spoofing.
  – Note that even if the target ignores the inverse path, if you can predict an ISN, you can still address spoof.


2.1. Source Routing

• If available, the easiest mechanism to abuse is IP source routing.
• Assume the target host uses the reverse of the source route provided in a TCP open request for return traffic.
• Then the attacker can pick any IP address, including that of a trusted machine on the target’s local network.
• Any facilities available to such a machine become available to the attacker.


2.1. Source Routing

• Defense
  – A simple method – the best but impractical idea: the gateways into the local net reject external packets that claim to be from the local net.
  – The most common configuration today: reject source-routed packets at border routers, whether or not they fill other firewall-related roles.
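The two border-router rules just listed, as an added example that is not part of the slides or of any router's code: a minimal IPv4 header walker that drops packets carrying a loose or strict source route option and, on the outside interface, packets whose source claims to be local. The local network 192.0.2.0/24 and the packet builder are constructed for the example; checksums are not verified.

```python
import ipaddress
import struct

LSRR, SSRR = 0x83, 0x89          # IPv4 loose / strict source route option types
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed local network


def ip_options(pkt):
    """Yield (type, data) for each option carried in the IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, i = pkt[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                # End of Option List
            return
        if kind == 1:                # No-Operation (one byte)
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed option")
        yield kind, opts[i + 2:i + length]
        i += length


def border_filter(pkt, from_outside):
    """Return 'accept' or the reason the border router drops the packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop: not IPv4"
    if from_outside and ipaddress.ip_address(pkt[12:16]) in LOCAL_NET:
        return "drop: external packet claims a local source"
    try:
        if any(kind in (LSRR, SSRR) for kind, _ in ip_options(pkt)):
            return "drop: source-routed"
    except ValueError:
        return "drop: malformed options"
    return "accept"


def build_ipv4(src, dst, options=b""):
    """Constructed TCP/IPv4 header for testing (checksum left zero)."""
    options += b"\x00" * (-len(options) % 4)         # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options),
                       0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options


def lsrr_option(hop):
    """Loose source route with one hop: type, length, pointer, address."""
    return bytes([LSRR, 7, 4]) + ipaddress.ip_address(hop).packed
```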


2.2. Routing Information Protocol Attack

• The Routing Information Protocol (RIP) is a standard for exchanging routing information among gateways and hosts. Typically the information received is unchecked.


2.2. Routing Information Protocol Attack

• Two attack modes are discussed:
  – Host impersonation – diverting packets for a specific host to compromise schemes which use the source address for authentication.
  – “Man-In-The-Middle” – diverting packets for inspection and forwarding them on via source routing.


2.2. Routing Information Protocol Attack

• Intruder sends bogus routing information to a target host, and to each of the gateways along the way, to impersonate a particular host. The most likely attack of this sort would be to claim a route to a particular unused host, rather than to a network; this would cause all packets destined for that host to be sent to the intruder's machine. Once this is done, protocols that rely on address-based authentication are effectively compromised.


2.2. Routing Information Protocol Attack

• RIP has fallen out of fashion, but is still run on some medium sized networks.

• Author’s comment: abuse of routing protocols for eavesdropping and/or packet modification has been identified as one of the two major threats to the Internet. Defense against routing attacks is still considered a research problem.

• Routing attacks have happened frequently. In the most famous case, the “AS 7007” incident on April 25, 1997, an ISP started advertising that it had the best routes to most of the Internet.


2.2. Routing Information Protocol Attack

• Defenses
  • Skepticism
    – Make RIP more skeptical about the routes it accepts
  • Cryptographic Authentication
    – For a broadcast protocol like RIP, this requires a pervasive PKI.


2.2. Routing Information Protocol Attack

• The author’s look back:
  – The original paper is one of the earliest papers which mentioned the routing attack.
  – “AS 7007” incident
  – Are malicious routing attacks happening? Yes.
  – RIP has fallen out of fashion, but is still run on some medium-sized networks.


2.3 Exterior Gateway Protocol

• The Exterior Gateway Protocol (EGP) is intended for communications between the core gateways and so-called exterior gateways


2.3 Exterior Gateway Protocol

• Attacks:
  – Claim reachability for some network where the real gateway is down
  – Impersonate a second exterior gateway for the same autonomous system
  – A sequence number attack


2.4. The Internet Control Message Protocol

• The Internet Control Message Protocol (ICMP) is the basic network management tool of the TCP/IP protocol suite


2.4. The Internet Control Message Protocol

• Dangers
  – Target the ICMP Redirect message
  – Be used for targeted denial of service attacks

• Defense
  – Check if a message really does refer to a particular connection
  – Restrict route changes to the specified connection; do not update global routing tables due to redirect messages
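The two ICMP Redirect checks above, as an added example that is not from the slides or from any host's IP stack: the quoted IP header plus the first 8 bytes of the transport header must match an active connection, the redirect must come from the current first hop and name an on-link gateway, and the accepted change is stored per connection rather than in a global routing table. The local network 192.0.2.0/24, the connection-table layout and the message builder are constructed for this example; ICMP checksums are left unverified.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed local network


def parse_redirect(icmp):
    """Extract the new gateway and the connection quoted in an ICMP Redirect."""
    if len(icmp) < 8:
        raise ValueError("too short")
    kind, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if kind != ICMP_REDIRECT:
        raise ValueError("not a redirect")
    inner = icmp[8:]                  # quoted IP header + 8 bytes of transport
    ihl = (inner[0] & 0x0F) * 4 if inner else 0
    if ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("quoted datagram too short")
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    conn = (inner[9], str(ipaddress.ip_address(inner[12:16])), sport,
            str(ipaddress.ip_address(inner[16:20])), dport)
    return {"code": code, "gateway": ipaddress.ip_address(gw), "conn": conn}


def apply_redirect(icmp, icmp_src, first_hop, connections, overrides):
    """Honour a redirect only if it quotes a connection we really have, comes
    from our current first hop and names an on-link gateway; then record it for
    that one connection instead of touching the global routing table."""
    try:
        r = parse_redirect(icmp)
    except ValueError as err:
        return f"ignored: {err}"
    if ipaddress.ip_address(icmp_src) != ipaddress.ip_address(first_hop):
        return "ignored: not from the current first-hop gateway"
    if r["gateway"] not in LOCAL_NET:
        return "ignored: new gateway is not on the local net"
    if r["conn"] not in connections:
        return "ignored: does not match any active connection"
    overrides[r["conn"]] = r["gateway"]         # scoped to this one connection
    return "applied"


def build_redirect(gateway, src, dst, sport, dport, proto=6, code=1):
    """Constructed host redirect (code 1) quoting a TCP connection; checksums zero."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                        ipaddress.ip_address(src).packed,
                        ipaddress.ip_address(dst).packed)
    inner += struct.pack("!HHI", sport, dport, 0)     # ports + sequence number
    return struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                       ipaddress.ip_address(gateway).packed) + inner
```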


3. The Authentication Server

• Many hosts run an authentication server – which will, given a port, return the effective user id of the process attached to that port.

• A server that wishes to know the identity of its client may contact the client host's Authentication Server and ask it for information about the user owning a particular connection.

• This request involves a second TCP connection – so it can help prevent ISN and source routing attacks.


3. The Authentication Server

• Not all hosts are competent to run authentication servers
• The authentication message itself can be compromised by routing table attacks
• If the target host is down, a variant on the TCP sequence number attack may be used
• Defense
  – A more secure means of validation, such as the Needham-Schroeder algorithm. TCP by itself is inadequate.
  – Essentially – don’t trust ident for anything important


4. Application Protocols

• The author reviewed some protocols which can be susceptible to abuse, although they are not inherently flawed, including:

– The “Finger” service

– Electronic mail

– The Domain Name System (DNS)

– The File Transfer Protocol (FTP)


4.1. The finger service

• In the “Good Old Days” when everyone was running Unix – you could gather information on a user by fingering the user at their host.

• Additionally, if you fingered a host it would report all currently logged in users.

$ finger [email protected]

Login: dberger Name: Dan Berger

Directory: /home/dberger Shell: /bin/bash2

On since Sat Feb 8 17:38 (PST) on :0 (messages off)

On since Tue Feb 11 12:13 (PST) on pts/3 from walkabout.cs.ucr.edu

Mail last read Tue Feb 11 12:18 2003 (PST)

No Plan.


4.1. The finger service

• Many systems implement a finger service. It will display useful information about users, such as their full names, phone numbers, office numbers, etc. Unfortunately, such data provides useful grist for the mill of a password cracker.


4.1. The finger service

• Proposed Defense
  – Simple: turn the service off.
  – In general, this turns out to be a good idea:
    1. If you don’t need a service, disable it.
    2. What isn’t running can’t be exploited.


4.2. Electronic Mail: POP

• The Post Office Protocol (POP) allows a remote user to retrieve mail stored on a central server machine.

• POP, then POP2, and now POP3 are all similar – they provide a line-oriented protocol for simple mailbox retrieval.

• They are all plain-text protocols, and pass authentication secrets over a typically unprotected channel.


4.3. The Domain Name System

• It’s interesting that DNS gets such a “just another service” treatment.
  – Recall that in 1989 the Internet was a bunch of islands of connectivity.
  – The need for pervasive DNS really came with the web.

• The author concerns himself primarily with information leakage from DNS – by transferring a zone file, you can:
  – Learn the relative size of an organization
  – Potentially learn something about its intranet topology
  – Extract a list of “interesting”-looking targets

• Remember – this is several years before the notion of a firewall was commonplace.


4.4. The File Transfer Protocol

• FTP itself is not flawed. However, a few aspects of the implementation merit some care.
  – FTP authentication
  – Anonymous FTP


4.4. The File Transfer Protocol

• Like nearly all protocols of its day, FTP transmits authentication secrets in plaintext over an insecure channel.

• Bellovin mentions one-time passwords:
  – Systems like S/KEY, SecurID, and others
  – A user was issued a device/program for generating the next password given a challenge.


5. Trivial Attack: Ethernet

• Local networks, notably Ethernet networks, are vulnerable to eavesdropping and host spoofing.
  – If the local network uses the Address Resolution Protocol (ARP)
  – Launch DoS attacks by triggering a broadcast storm
  – For a short time it was said that fibre optic (rather than copper) removed this vulnerability, but that was quickly recanted when a simple device to tap fibre was demonstrated.


5. Trivial Attack: TFTP and Reserved Ports

• The Trivial File Transfer Protocol
  – Permits file transfers without any attempt at authentication

• Reserved Ports
  – Berkeley-based TCPs and UDPs have the notion of “a privileged port”, which the author regarded as a bad idea.
  – Suffice it to say that since the first non-Unix machine appeared on the Internet, relying on privileged ports (lower than 1024) for any form of authentication or security is a Bad Idea™


6. Comprehensive Defence

• The author mentioned some broad-spectrum defense techniques, including:
  – Authentication
  – Encryption
  – Trusted system


6.1. Authentication

• Many intrusions succeed only because the target host uses the IP source address for authentication, so some form of cryptographic authentication is needed. One option is the Needham-Schroeder algorithm, which requires that each participating host share a key with an authentication server.

• Be careful to use the session key to encrypt the entire conversation.


6.1. Authentication

• Author’s comments: the best-known Needham-Schroeder algorithm was found to be vulnerable in 1996 to a new flaw.

• Vulnerability status: 2003
  – Most connections are still unauthenticated.
  – SSL provides authentication based on centralized trust.


6.2. Encryption

• Link-level encryption – encrypting each packet as it leaves the host computer – is an excellent method of guarding against disclosure of information and physical intrusion, but it has some weaknesses:
  – Broadcast packets are difficult to secure;
  – Link-level encryption is not end-to-end

• End-to-end encryption, above the TCP level, may be used to secure any conversation, regardless of the number of hops or the quality of the links

• End-to-end encryption is vulnerable to denial of service attacks, since fraudulently-injected packets can pass the TCP checksum tests and make it to the application.


6.3. Trusted System

• The so-called Rainbow Books (available on-line [6]) prescribe stratified security requirements for U.S. government systems.

• Systems are rated in terms of increasing trust from D to A1.

• The military security model:
  – A subject can read an object if its label has a higher or equal hierarchical level and if all of the object’s non-hierarchical components are included in the subject’s label.


6.3. Trusted System

• Apply this model to the TCP/IP protocol suite: when a process creates a TCP connection, that connection is given the process's label.

• Author’s comment: two technical points are worth noting.
  – First, routing attacks could be mitigated by maintenance of separate routing tables (by multi-level secure routers).
  – Second, what forms of authentication are acceptable would depend on detailed knowledge of what sorts of hosts were connected to what sorts of network.
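The read rule from the Trusted System section, the labelling of a connection with its creating process's label, and the per-level routing tables of a multi-level secure router, as an added toy model that is not from the slides or from any real trusted system. The level ordering, the category names and the MLSHost class are constructed for this example.

```python
from dataclasses import dataclass

# Constructed hierarchical ordering; the slides name only the D..A1 trust ratings.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str                 # hierarchical component
    categories: frozenset      # non-hierarchical components (compartments)

    def dominates(self, other):
        """The read rule: higher-or-equal level AND every one of the object's
        non-hierarchical components is included in the subject's label."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def may_read(subject, obj):
    return subject.dominates(obj)


class MLSHost:
    """Connections inherit the creating process's label; one routing table is
    kept per level so a poisoned low-level route cannot steer higher-level
    traffic (a constructed model of the two technical points above)."""

    def __init__(self):
        self.connections = {}
        self.routes = {level: {} for level in LEVELS}   # per-level tables
        self._next_id = 1

    def add_route(self, level, dst_net, gateway):
        self.routes[level][dst_net] = gateway

    def open_connection(self, process_label):
        cid, self._next_id = self._next_id, self._next_id + 1
        self.connections[cid] = process_label      # label inherited from the process
        return cid

    def may_process_read(self, process_label, cid):
        return may_read(process_label, self.connections[cid])

    def next_hop(self, cid, dst_net):
        # The lookup is confined to the table of the connection's own level.
        return self.routes[self.connections[cid].level].get(dst_net)
```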


7. Conclusion

• Hosts should not give away knowledge gratuitously.

• Network control mechanisms are dangerous and must be guarded.
