- Feb 7, 2014
- 1,540
- 1. 1
- 2. SECURITY PROBLEMS IN TCP/IP Reference: Security Problems in the TCP/IP Protocol Suite : by Steve Bellovin R-services Source-routing ARP attacks Session hijacking TCP session stealing 2
- 3. SECURITY PROBLEMS IN R-SERVICES rsh and rcp use the .rhosts file in your directory, which lists hosts and accounts to allows access from without a password. Allowed by /etc/inetd Example .rhosts file: red.cs.umass.edu brian *.cs.umass.edu brian * * 3
- 4. SECURITY PROBLEMS IN R-SERVICES Now that we know a machine is running rsh, how can we pretend to be another machine to gain access? Attack Defense Source routing ignore source routes False routing table updates secure routing protocols Session hijacking ssh/ secure connection ICMP redirects ? False ARP packets Publish ARP tables TCP session stealing ssh/ secure connection 4
- 5. SECURITY PROBLEMS IN R-SERVICES Exploiting trusted relationships: C is a trusted host to S Source routing: IP source-route option The responder includes the source-route on the reply packets. Some/most OSs ignore source routes these days. X 1. C->S: spoofed packet (source-route; includes X) 2. replies C S Open a TCP connection to rshd spoofing the address of a trusted host, but include yourself in the source route. 5
- 6. SESSION HIJACKING Normal TCP operation from client, C, to server, S C->S: SYN(ISNC) Client C Server S S->C: SYN(ISNS), ACK(ISNC+1) C->S: ACK(ISNS +1) SYN(ISNC) Client and Server exchange data ISN number generation SYN(ISNS), 4.2BSD: increments 128/sec ACK(ISNC+1 ) 4.3BSD: increments 125000/sec ACK(ISNS+1) 6
- 7. SESSION HIJACKING Session hijacking: Find a machine, C, that’s down, guess the ISN. Usually in regular increments. X->S: SYN(ISNX) [spoofs C] S: rshd server S->C: SYN(ISNS), ACK(ISNX +1) X->S: ACK(ISNS +1) [spoofs C; estimates ISNS] X->S: [ echo “* *” >> ~/.rhosts] [spoofs C] X->S: RESET [spoofs C] X rlogins from anywhere in the world. X 3. SYN(5000), ACK(1001) 1. ISN estimation: 1: Disables C 2. SYN(1000) C S Trusted relationship 7
- 8. SESSION HIJACKING 2. Session hijacking: X 6: ACK(ISNS +1) (spoofs C; estimates ISNS) 4: SYN(ISNX) (spoofs C) C S 5: SYN(ISNS), ACK(ISNX+1) 3. Executes remote commands: X 7: [echo “* *” >> ~/.rhosts] (spoofs C) 8: RESET (spoofs C) C S 8
- 9. DISABLING HOSTS: SYN FLOODING DOS Send lots of spoofed SYN packets to a victim host Each SYN packet received causes a buffer to be allocated, and the limits of the listen()call to be reached. Morris invented SYN flooding just to launch a session hijacking attack, later used against Yahoo! 9
- 10. ATTACKING ROUTING TO EXPLOIT RSH Two types of routing: dynamic routing vs. static routing Dynamic routing updates OSPF: link-state algorithm RIP: distance vector algorithm Attacker injects a RIP update stating she has a path to host C All subsequent packets to C will be routed to the attacker. The attacker initiates connection to rshd of the server. (spoofing C) Defense: uses secure routing protocols Only accept authenticated updates. Requires key management. 10
- 11. ICMP ATTACK ICMP redirect: forces a machine to route through you. Requires an existing connection Open a spoofed connection to the host you want to attack. Then send a spoofed ICMP redirect to the victim redirecting it to the gateway you’ve compromised. Others ICMP destination unreachable Frequent ICMP source quenches 11
- 12. ARP ATTACKS When a machines sends an ARP request out, you could answer that you own the address. But in a race condition with the real machine. Unfortunately, ARP will just accept replies without requests! Just send a spoofed reply message saying your MAC address owns a certain IP address. Repeat frequently so that cache doesn’t timeout Messages are routed through you to sniff or modify. 12
- 13. ARP SPOOFING - COUNTERMEASURES “Publish” MAC address of router/default gateway and trusted hosts to prevent ARP spoof Statically defining the IP to Ethernet address mapping Example: arp -s hostname 00:01:02:03:04:ab pub 13
- 14. TCP SESSION STEALING Reference: “A Simple Active Attack Against TCP” by Laurent Joncheray. In Proceedings of 5th USENIX Unix Security Symposium. June 1995 Active attack using desynchronized states The attacker is in the path b/w the client and the server The attacker can sniff all the packets and inject some spoofed packets Steps: 1. The attacker sniffs the communication b/w the two. 2. The attacker disables the communication by desynchronizing the client and the server. 3. The attacker injects spoofed packets that acceptable for both ends. 14
- 15. TCP SESSION STEALING Desynchronized state b/w client C and server S Both in “Established state” No data is being sent (stable state) S_SEQ C_ACK and C_SEQ S_ACK When S_ACK < C_SEQ < S_ACK + S_Wind: The packet is accepted (buffered) but not sent to the user When C_SEQ > S_ACK + S_Wind or C_SEQ < S_ACK : The packet is dropped In both cases, the ACK(S_ACK) is sent (ACK packet with S_SEQ, S_ACK) 15
- 16. TCP SESSION STEALING In a desynchronized state, the attacker can send any acceptable data to the server E.g. [echo myhost >> ~/.rhost] for rlogin X 2: X->S (spoofing C): S_ACK, S_SEQ 1: C->S: C_SEQ, C_ACK [echo myhost >> ~/.rhost] (accepted) (dropped) C S C_SEQ, C_ACK S_SEQ, S_ACK S_SEQ C_ACK and C_SEQ S_ACK 16
- 17. DESYNCHRONIZATION X 3,4, 6 2 Early desynchronization C S 1 1. C->S(Syn): C_Seq0 ; C: Syn_Sent 2. S->C(Syn/Ack): S_Seq0, C_Seq0+1 ; S: Syn_Rcvd ; C: Established (C_Seq0+1, S_Seq0+1) (before the packet C->S(Ack): S_Seq0+1) 3. X->S(spoofing C, Rst) 4. X->S(spoofing C, Syn): X_Seq0 ; the same port # used in (1) 5. S->C(Syn/Ack): S_Seq1, X_Seq0+1 6. X->S(spoofing C, Ack): S_Seq1+1 ; S: Established (S_Seq1+1, X_Seq0+1) 17
- 18. THE ATTACK Null data desynchronization 1. The attacker watches the session without interfering. 2. During a quiet period, the attacker sends a large amount of null data (IAC, NOP for telnet): nothing happens, server only changes the TCP Ack number 3. Now, when the client sends data, it is dropped by the server because it’s lower than the server’s window. 4. The attacker does the same with the client. Defense: ssh connection, or IPsec 18