
CT-541 Network Security

TCP/IP Security
Lecture 2/3/4

Dr. Muhammad Mubashir Khan


mmkhan@neduet.edu.pk

December 2017

Department of Computer Science & IT, NED University of Engineering & Technology
OSI Model and TCP/IP Layers
• The OSI model is a conceptual model that characterizes and
standardizes the communication functions of a telecommunication or
computing system without regard to their underlying internal
structure and technology.
• Mapping of the seven OSI layers onto the four TCP/IP layers:
– 7. Application layer, 6. Presentation layer, 5. Session layer
-> TCP/IP Layer 4: Application Layer
– 4. Transport layer -> TCP/IP Layer 3: Transport Layer
– 3. Network layer -> TCP/IP Layer 2: Internet Layer
– 2. Data link layer, 1. Physical layer -> TCP/IP Layer 1: Link Layer

Dr. Muhammad Mubashir Khan, Department of Computer Science & IT, NED University of Engineering & Technology
TCP/IP
• Set of communications protocols used on the Internet and
similar computer networks
• Commonly known as TCP/IP because TCP and IP are its two
main protocols
• Provides end-to-end data communication specifying how
data should be packetized,
addressed, transmitted, routed
and received.
• Organized into four abstraction layers
[Figure: encapsulation of application data descending through the
layers, as described in RFC 1122]
Link Layer: TCP/IP Layer 1
• Corresponds to OSI Layer 1 and 2
• The link layer has the networking scope of the local network
connection to which a host is attached.
• The data link layer provides the functional and procedural
means to transfer data between network entities and might
provide the means to detect and possibly correct errors that
may occur in the physical layer.
• Performs data link functions such as adding a packet header
to prepare it for transmission, then actually transmits the
frame over a physical medium.
• Main Protocols: ARP, PPP, OSPF, MAC (Ethernet, DSL, ISDN)…
• Translation of IP Addresses to Data Link (MAC Addresses) is
performed using ARP at this layer.

Internet Layer: TCP/IP Layer 2
• Responsible for sending packets across potentially
multiple networks.
• Routing is performed at this layer: Sending data from
the source network to the destination network
• Main protocols: IP (IPv4, IPv6), ICMP, IPSec etc.
• IP performs:
1. Host Addressing & Identification
2. Packet Routing (from one network router to another)
• ICMP is used by routers to send error messages, for
example, that
– a requested service is not available or
– a host or router could not be reached
Transport layer: TCP/IP Layer 3
• Provides end-to-end services that are independent
of the structure of user data and the logistics of
exchanging information for any particular specific
purpose.
• End-to-end message transmission is either
connection-oriented, implemented in TCP, or
connectionless, implemented in UDP.
• Provides process-specific transmission channels for
applications, by establishing the concept of ports.

Application Layer: TCP/IP Layer 4
• Includes protocols for providing user services or
exchanging application data over the network
connections established by the lower level protocols
• Important Protocols: HTTP, SMTP, FTP, …
• Data coded according to application layer protocols are
encapsulated into transport layer protocol units (such
as TCP or UDP messages), which in turn use lower layer
protocols to effect actual data transfer.
• Corresponds to the 5th, 6th and 7th layers of the OSI model
• Possible attack: DoS. For example, the attack over-exercises
specific functions or features of a website with the intention
to disable those functions or features.

Exploiting Vulnerabilities in TCP/IP
• ARP Cache Poisoning (Layer 1)
• ICMP Redirect Attack (Layer 2)
• SYN Flooding Attack (Layer 3)

ARP Spoofing / Cache Poisoning
ARP Cache Poisoning Attack
• ARP Address Resolution Protocol
– Resolves mapping between MAC Address and IP Address
• ARP Cache: Once resolved, mapping is cached and
there is no need to repeat ARP
• How it works:
– When another host's IP address is known, and its MAC
address is needed, a broadcast packet (ARP request) is
sent out on the local network.
– The destination machine with the IP address in the ARP
request then responds with an ARP reply, which contains
the MAC address for that IP
ARP Vulnerabilities
• ARP is a stateless protocol
– no information is retained by either sender or receiver.
– Hence, no expectation of acknowledgment
• Network hosts will automatically cache any ARP replies
they receive, regardless of whether network hosts
requested them.
• Even ARP entries which have not yet expired will be
overwritten when a new ARP reply packet is received.
• There is no method in the ARP protocol by which a host
can authenticate the peer from which the packet
originated.
• This behavior is the vulnerability which allows ARP
spoofing or ARP-Cache Poisoning to occur.
ARP Cache Poisoning Attack
• Because ARP is stateless, the cache can easily be poisoned
by maliciously crafted ARP messages, resulting in the ARP
cache poisoning attack
• Also called ARP spoofing or ARP poison routing
• Possible consequences
1. DoS attack against a victim by associating a non-existent
MAC address with the IP address of the victim's default
gateway
2. Attackers can redirect the traffic to and from the victim
to another machine, etc. …

ARP Cache Poisoning Attack
• Attacker's aim: to associate the attacker's MAC address
with the IP address of another host, such as the default
gateway, causing any traffic meant for that IP address to be
sent to the attacker instead.
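The defensive counterpart of the slides above is a passive monitor (in the spirit of arpwatch) that keeps its own IP-to-MAC table and reports exactly the behaviours the ARP Vulnerabilities slide lists: a reply nobody requested, an entry overwritten by a new reply, and one MAC claiming several IPs (the on-the-wire shape of a gateway or two-host redirection). The code below is an added example, not code from the lecture or the SEED project; the frames it feeds itself are constructed test data, the VM addresses follow the lecture's numbering and the MAC addresses are made up.

```python
"""ARP cache-poisoning monitor (added example, in the spirit of arpwatch).

Parses raw Ethernet+ARP frames, keeps an independent IP->MAC table and
alerts when a reply was never requested, changes the MAC recorded for an
IP, or makes one MAC claim several IPs. All frames are constructed sample
data built by build_arp(), not captures from the lecture lab.
"""
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(opcode, sha, spa, tha, tpa, dst=BROADCAST):
    """Construct an Ethernet II frame carrying an IPv4 ARP packet (test data only)."""
    eth = dst + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, opcode
    return eth + arp + sha + ip_bytes(spa) + tha + ip_bytes(tpa)


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_ip), or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return opcode, mac_str(frame[22:28]), ip_str(frame[28:32]), ip_str(frame[38:42])


class ArpMonitor:
    """Passive observer: it never answers ARP, it only records and compares."""

    def __init__(self):
        self.table = {}                  # ip -> mac most recently claimed for it
        self.pending = set()             # ips for which a request was seen
        self.claims = defaultdict(set)   # mac -> ips it has claimed
        self.alerts = []

    def observe(self, frame):
        parsed = parse_arp(frame)
        if parsed is None:
            return
        opcode, sender_mac, sender_ip, target_ip = parsed
        if opcode == ARP_REQUEST:
            self.pending.add(target_ip)
            return
        if opcode != ARP_REPLY:
            return
        # A host caches any reply, even one nobody asked for; the monitor flags it.
        if sender_ip not in self.pending:
            self.alerts.append(f"unsolicited reply: {sender_ip} is-at {sender_mac}")
        self.pending.discard(sender_ip)
        # A reply silently overwrites an existing entry; the monitor keeps the old one to compare.
        old = self.table.get(sender_ip)
        if old is not None and old != sender_mac:
            self.alerts.append(f"MAC changed for {sender_ip}: {old} -> {sender_mac}")
        self.table[sender_ip] = sender_mac
        self.claims[sender_mac].add(sender_ip)
        if len(self.claims[sender_mac]) > 1:
            self.alerts.append(f"{sender_mac} claims {sorted(self.claims[sender_mac])}")


# Constructed addresses following the lecture's VM numbering; the MACs are made up.
VM1_IP, VM2_IP, VM3_IP = "192.168.181.141", "192.168.181.142", "192.168.181.143"
VM1_MAC = bytes.fromhex("0a0000000001")
VM2_MAC = bytes.fromhex("0a0000000002")
VM3_MAC = bytes.fromhex("0a0000000003")


def run_demo():
    """Replay one legitimate resolution followed by scenario-3 style poisoning."""
    mon = ArpMonitor()
    frames = [
        build_arp(ARP_REQUEST, VM2_MAC, VM2_IP, b"\x00" * 6, VM3_IP),        # VM2 asks for VM3
        build_arp(ARP_REPLY, VM3_MAC, VM3_IP, VM2_MAC, VM2_IP, dst=VM2_MAC),  # VM3 answers
        build_arp(ARP_REPLY, VM1_MAC, VM3_IP, VM2_MAC, VM2_IP, dst=VM2_MAC),  # VM1 claims VM3's IP
        build_arp(ARP_REPLY, VM1_MAC, VM2_IP, VM3_MAC, VM3_IP, dst=VM3_MAC),  # VM1 claims VM2's IP
    ]
    for frame in frames:
        mon.observe(frame)
    return mon


if __name__ == "__main__":
    for line in run_demo().alerts:
        print("ALERT:", line)
```

Run against the four constructed frames, the legitimate request/reply pair is silent and the two poisoning replies produce four alerts (two unsolicited replies, one MAC change for VM3's IP, one MAC claiming both victims' IPs). On a real host the same logic would consume frames from a raw socket or a Wireshark/tcpdump export; the point is that the monitor remembers what the kernel's ARP cache forgets.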

Home work
• Perform a practical demo of ARP cache poisoning
on Ubuntu VMs using Netwox, Netwag and
Wireshark tools.
• Write a brief report on it by suggesting possible
solutions (existing or may be your own).

Attack Scenario 1: Cache Poisoning
Add a non-existent MAC and IP address to the ARP cache
[Figure: VM1 (attacker) adds a non-existent IP and MAC address to the
ARP cache of VM2 (victim); VM3 is a third host on the same LAN]
Attack Scenario 2: DoS Attack
Associate a non-existent MAC with an existing IP address
[Figure: VM1 (attacker) associates the IP of VM3 with a non-existing
MAC in the ARP cache of VM2 (victim)]
Attack Scenario 3:
Redirect all traffic between VM2 & VM3 to the attacker machine
[Figure: VM1 (attacker) tells VM2 (victim) that the IP of VM3 maps to
VM1's MAC, and tells VM3 (victim) that the IP of VM2 maps to VM1's MAC;
VM2 pings VM3 and VM3 pings VM2]
All traffic from VM2 to VM3 and vice versa will go through VM1.
Useful Commands
• To view ARP cache
arp
• Poison ARP cache on a machine 10.0.2.5 with a fake
MAC (0:a:a:a:a:a) and IP (192.168.181.199)
netwox 72 --ips "10.0.2.5" --device "Eth0" --src-eth 0:a:a:a:a:a --src-ip 192.168.181.199
– (Note: use this command with sudo)
• To enable a machine to forward traffic through itself
(set value of ip_forward to 1)
– Check the value by command
sysctl -a | grep net.ipv4.ip_forward
– Set the value by command
sysctl -w net.ipv4.ip_forward=1
– Again verify the value by command
sysctl -a | grep net.ipv4.ip_forward
ICMP Redirect Attack
ICMP
• The Internet Control Message Protocol (ICMP) is one of
the main protocols of the TCP/IP suite, at Layer 2 (the Internet layer).
• It is used by network devices, like routers, to send error
messages
– For example, a requested service is not available or a host or
router could not be reached.
• ICMP differs from TCP and UDP
– it is not typically used to exchange data between systems,
– it is not regularly employed by end-user network applications
(with the exception of some diagnostic tools like ping and
traceroute).
• ping utility is implemented using the ICMP "Echo
request" and "Echo reply" messages.
ICMP datagram structure
• ICMP Header: Type, Code and Checksum; the checksum is calculated
from the ICMP header and data for error checking.
• ICMP Data: includes the entire IPv4 header, plus the first eight
bytes of data from the IPv4 packet that caused the error message.

ICMP Type/Code description
[Table of ICMP types and codes not reproduced in the text export]
Types of ICMP Control Messages
• Echo request/reply used by ping utility to test reachability of
a host
• Source Quench requests that the sender decrease the rate of
messages sent to a router or host.
• Redirect requests data packets be sent on an alternative
route.
• Time Exceeded is generated by a gateway to inform the
source of a discarded datagram due to the time to live field
reaching zero.
• Timestamp is used for time synchronization.
• Timestamp Reply replies to a Timestamp message.
• Address mask request/reply is normally sent by a host to a
router in order to obtain an appropriate subnet mask.
• Destination unreachable is generated by the host or its
inbound gateway to inform the client that the destination is
unreachable for some reason.
ICMP Redirect
• Redirect requests data packets be sent on an alternative route.
• ICMP Redirect is a mechanism for routers to convey routing
information to hosts.
• The message informs a host to update its routing information (to
send packets on an alternative route).

ICMP Redirect
• If a host tries to send data through
a router (R1) and R1 sends the
data on another router (R2) and
– a direct path from the host to R2 is
available (that is, the host and R2 are
on the same Ethernet segment),
then
– R1 will send a redirect message to
inform the host that the best route
for the destination is via R2.
– The host should then send packets
for the destination directly to R2.
ICMP Redirect Attacks
• ICMP is also used by routers to provide up-to-date
routing information to hosts, which in turn update
their routing tables accordingly
• Vulnerability: No authentication in ICMP!
– Because of lack of validation attackers may trick hosts to
modify their routing table by sending spoofed ICMP
messages
• The attacker can send a spoofed ICMP redirect
message to a victim, which can cause the victim’s
routing information to be modified.
• In Linux, the routing information can be displayed
using the command route
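What "no authentication in ICMP" means in practice is that the only protection a host has is how strictly it validates a Redirect before touching its routing table. The example below is added to these notes and is not the lecture's or the SEED project's code: it parses the ICMP Redirect layout shown on the datagram-structure slide, verifies the checksum, then applies the host rules of RFC 1122 (sender must be the current first-hop gateway, the quoted packet must be ours, the new gateway must be on-link) and, on top of those, the secure_redirects rule described later in these slides (the new gateway must already be a known gateway). The addresses follow the lecture's lab; the messages themselves are constructed test data, and 203.0.113.5 is a documentation address standing in for a remote destination.

```python
"""Host-side ICMP Redirect validation (added example; not the lecture's code).

Parses a raw ICMP Redirect, verifies its checksum, then applies the
acceptance rules RFC 1122 asks of a host plus the Linux secure_redirects
rule (new gateway must already be in the known gateway list). All
messages are constructed sample data.
"""
import struct
from ipaddress import ip_address, ip_network

ICMP_REDIRECT = 5


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words; 0 when verifying a correct message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_ipv4_header(src, dst, proto=1, total_len=28):
    """Minimal 20-byte IPv4 header standing in for the packet that triggered the redirect."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       ip_bytes(src), ip_bytes(dst))


def build_redirect(code, gateway, quoted_ip_header, first8):
    """ICMP type 5: type, code, checksum, gateway address, quoted IP header + 8 data bytes."""
    body = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, ip_bytes(gateway)) + quoted_ip_header + first8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_redirect(msg):
    """Return the redirect's fields, or None if malformed, wrong type or checksum mismatch."""
    if len(msg) < 8 + 20 + 8 or inet_checksum(msg) != 0:
        return None
    icmp_type, code, _csum, gw = struct.unpack("!BBH4s", msg[:8])
    if icmp_type != ICMP_REDIRECT or code > 3:   # codes 0..3: net/host, with/without TOS
        return None
    inner_src, inner_dst = struct.unpack("!4s4s", msg[8:28][12:20])
    return {"code": code, "gateway": str(ip_address(gw)),
            "inner_src": str(ip_address(inner_src)), "inner_dst": str(ip_address(inner_dst))}


def accept_redirect(outer_src, msg, host_ip, prefix, current_gw, known_gws, secure_redirects=True):
    """Decide whether the host should update its route. Returns (accepted, reason)."""
    r = parse_redirect(msg)
    if r is None:
        return False, "malformed redirect or bad checksum"
    # RFC 1122 3.2.2.2: the redirect must come from the first-hop gateway we actually used...
    if outer_src != current_gw:
        return False, f"sender {outer_src} is not the current gateway {current_gw}"
    # ...must quote a packet this host itself sent...
    if r["inner_src"] != host_ip:
        return False, "quoted packet was not sent by this host"
    # ...and the new gateway must be directly reachable on the same link.
    if ip_address(r["gateway"]) not in ip_network(prefix) or r["gateway"] == host_ip:
        return False, f"new gateway {r['gateway']} is not on-link"
    # Linux secure_redirects=1: only accept gateways already in the gateway list.
    if secure_redirects and r["gateway"] not in known_gws:
        return False, f"secure_redirects: {r['gateway']} is not a known gateway"
    return True, f"route to {r['inner_dst']} now via {r['gateway']}"


# Constructed lab layout: VM2 is the host, .2 its default gateway, .3 a second legitimate router.
HOST, GW, ROUTER2, ATTACKER = "192.168.181.142", "192.168.181.2", "192.168.181.3", "192.168.181.141"
PREFIX, REMOTE = "192.168.181.0/24", "203.0.113.5"
HDR = build_ipv4_header(HOST, REMOTE)
FIRST8 = b"\x08\x00\x00\x00\x00\x00\x00\x00"   # first 8 bytes of an echo request


def run_cases():
    """Legitimate redirect, a spoofed one with secure_redirects on and off, wrong sender, corrupted."""
    legit = build_redirect(1, ROUTER2, HDR, FIRST8)
    spoofed = build_redirect(1, ATTACKER, HDR, FIRST8)    # claims VM1 is the new gateway
    corrupted = spoofed[:10] + bytes([spoofed[10] ^ 0xFF]) + spoofed[11:]
    known = {GW, ROUTER2}
    return {
        "legit": accept_redirect(GW, legit, HOST, PREFIX, GW, known),
        "spoofed_secure": accept_redirect(GW, spoofed, HOST, PREFIX, GW, known),
        "spoofed_insecure": accept_redirect(GW, spoofed, HOST, PREFIX, GW, known, secure_redirects=False),
        "wrong_sender": accept_redirect(ATTACKER, spoofed, HOST, PREFIX, GW, known),
        "corrupted": accept_redirect(GW, corrupted, HOST, PREFIX, GW, known),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_cases().items():
        print(f"{name:17s} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The "spoofed_secure" versus "spoofed_insecure" pair is the whole story of the later defense slide: when the forged message carries the real gateway's address as its source, the RFC 1122 sender check cannot tell it apart (there is nothing to authenticate), and only the secure_redirects rule, which refuses a gateway the host has never been configured with, rejects it.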
ICMP Redirect Attack Model
[Figure not reproduced in the text export]
Tools for ICMP Redirect Attack
• Netwox tool 86 could be used to attack the routing
table by associating a new/fake/malicious gateway
address in the original route
netwox 86 --device "Eth0" --filter "src host 192.168.181.142" --gw 192.168.181.141 --code 1 --src-ip 192.168.181.2
– Here VM1 (192.168.181.141) uses Netwox 86 to attack the
routing table of VM2 (192.168.181.142) and associates itself as
the new gateway, using the address of the original default
gateway (192.168.181.2) as the source.
• When an ICMP request packet comes out from VM2, this tool
spoofs an ICMP redirect packet from VM3 and sends it to the
victim to tell it that the new gateway is VM1
Tools for ICMP Redirect Attack
• Defense: Ubuntu has a "secure_redirects" mechanism that only
accepts ICMP redirect messages for gateways listed in the
default gateway list
– To check the secure redirects status:
sysctl -a | grep secure_redirects
– ICMP redirects are enabled by default on Linux.
• For the lab attack to succeed, secure redirects must be set to 0
on the victim machine:
– sysctl -w net.ipv4.conf.all.secure_redirects=0
– sysctl -w net.ipv4.conf.default.secure_redirects=0
– sysctl -w net.ipv4.conf.eth0.secure_redirects=0
– sysctl -w net.ipv4.conf.lo.secure_redirects=0
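Between the ip_forward commands on the Useful Commands slide and the secure_redirects commands above, the lab deliberately weakens several kernel knobs on the victim. A quick way to find such leftovers afterwards (or on any host) is to audit `sysctl -a` output against a hardened baseline. The script below is an added example, not part of the lecture: it parses "key = value" lines, compares them with a baseline that also includes net.ipv4.conf.*.accept_redirects (a real kernel knob not on the slides, which disables redirect processing altogether) and net.ipv4.tcp_syncookies (from the SYN-flooding part of these notes), and prints the sysctl -w command that restores each value. The sample output is constructed to mirror the victim VM after the weakening commands.

```python
"""Audit the kernel knobs this lecture touches against a hardened baseline.

Added example, not part of the lecture. Parses `sysctl -a`-style output
("key = value" lines) and reports every deviation together with the
`sysctl -w` command that restores it. Wildcards cover the per-interface
keys (all/default/eth0/lo) the slides list one by one.
"""
from fnmatch import fnmatch

# Expected values for a host that is not a router (ip_forward=0).
BASELINE = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.*.accept_redirects": "0",   # ignore ICMP redirects entirely
    "net.ipv4.conf.*.secure_redirects": "1",   # if accepted at all, only from known gateways
    "net.ipv4.tcp_syncookies": "1",
}

# Constructed sample: what the victim VM looks like after the lab's weakening commands.
SAMPLE_SYSCTL = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.eth0.secure_redirects = 0
net.ipv4.conf.lo.secure_redirects = 1
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_syncookies = 0
"""


def parse_sysctl(text):
    """Turn 'key = value' lines into a dict; blank and malformed lines are ignored."""
    values = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def audit(values, baseline=BASELINE):
    """One finding per key whose value differs from the baseline or is missing (actual=None)."""
    findings = []
    for pattern, expected in baseline.items():
        # A wildcard pattern applies to every matching key present; a plain key must be present.
        keys = [k for k in values if fnmatch(k, pattern)] if "*" in pattern else [pattern]
        for key in keys:
            actual = values.get(key)
            if actual != expected:
                findings.append({"key": key, "actual": actual, "expected": expected,
                                 "fix": f"sysctl -w {key}={expected}"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_sysctl(SAMPLE_SYSCTL)):
        print(f"{f['key']}: is {f['actual']}, want {f['expected']}  ->  {f['fix']}")
```

On the constructed sample the audit reports six deviations (ip_forward, accept_redirects, three of the four secure_redirects keys, and tcp_syncookies); lo.secure_redirects passes because the sample left it at 1. To run it on a live Ubuntu VM, feed it the text of `sysctl -a` (for example via subprocess) instead of SAMPLE_SYSCTL; the parser accepts the same "key = value" format.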

Outcome
• ICMP redirect packets are successfully sent to victim
machine VM2 with the message (New nexthop:
VM1_ip_address)
• Wireshark could also be used to monitor the
situation

Other ICMP Attacks
• Smurf attack: a DDoS attack in which large numbers
of ICMP packets (with the intended victim's spoofed
source IP) are broadcast to a computer network
using an IP broadcast address.

Other ICMP Attacks
• Ping of death: is a type of attack on a computer
system that involves sending a malformed or
otherwise malicious ping to a computer.
• When the target computer reassembles the
malformed packet, a buffer overflow can occur,
causing a system crash and potentially allowing the
injection of malicious code.

SYN Flooding Attack
Normal TCP Connection
A normal connection between a user (Alice) and a server. The
three-way handshake is correctly performed as follows:
1. The client requests a connection by sending a SYN (synchronize)
message to the server.
2. The server acknowledges this request by sending SYN-ACK back to
the client.
3. The client responds with an ACK, and the connection is established.


SYN Flooding (DoS)
The attacker sends several packets but does not send the "ACK" back
to the server. The connections are hence half-opened and consume
server resources.
Alice, a legitimate user, tries to connect but the server refuses to
open a connection, resulting in a denial of service.
SYN Flooding Attack
• Attackers can flood the victim's connection queue that is used
for half-opened connections, i.e. the connections that have
finished SYN, SYN-ACK, but have not yet got a final ACK back.
– Default value of queue size is 1024 for systems with more than
128Mb of memory, and 128 for low memory machines.
• When this queue is full, the victim cannot take any more
connection.
• The size of the queue has a system-wide setting.
• The application that uses this queue, for example ftp, can also
specify its size.
• In Linux, we can check the system queue size setting using the
following command:
sysctl -q net.ipv4.tcp_max_syn_backlog
SYN Flooding Attack
• We can use the command "netstat -na" to check the
usage of the queue, i.e., the number of half-opened
connections associated with a listening port.
• The state for such connections is SYN-RECV.
• If the 3-way handshake is finished, the state of the
connections will be ESTABLISHED.
• While the attack is ongoing, run the "netstat -na"
command on the victim machine, and compare the
result with that before the attack.
• You should describe in report how you know
whether the attack is successful or not.
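The comparison the slide asks for (netstat output before versus during the attack) can be automated. The example below is added to these notes and is not the lecture's code: it parses `netstat -na` lines, counts connection states per listening port, collects the distinct foreign addresses sitting in SYN_RECV, and flags a port once the half-open count reaches a fraction of the system backlog shown earlier (tcp_max_syn_backlog). Linux prints the state as SYN_RECV while the slides write SYN-RECV, so both spellings are normalised. The netstat text is a constructed sample of a victim VM during a flood against port 80, and the counts it yields are what the report should describe.

```python
"""Count half-open connections per port from `netstat -na` output.

Added example, not part of the lecture. SAMPLE_NETSTAT is a constructed
sample of the victim VM during a SYN flood against port 80; the parser
works on the real command's output in the same way.
"""
from collections import Counter, defaultdict

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.181.142:80      192.168.181.143:51000   ESTABLISHED
tcp        0      0 192.168.181.142:80      10.9.8.7:40001          SYN_RECV
tcp        0      0 192.168.181.142:80      10.9.8.7:40002          SYN_RECV
tcp        0      0 192.168.181.142:80      172.16.4.4:40003        SYN_RECV
tcp        0      0 192.168.181.142:80      172.16.4.5:40004        SYN_RECV
tcp        0      0 192.168.181.142:80      198.51.100.9:40005      SYN_RECV
tcp        0      0 192.168.181.142:80      198.51.100.10:40006     SYN_RECV
tcp        0      0 192.168.181.142:22      192.168.181.143:52000   ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*
"""


def parse_netstat(text):
    """Return one record per TCP line; header lines and UDP (no state column) are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local_ip, local_port = fields[3].rsplit(":", 1)
        foreign_ip, foreign_port = fields[4].rsplit(":", 1)
        records.append({"local_ip": local_ip, "local_port": int(local_port),
                        "foreign_ip": foreign_ip, "foreign_port": foreign_port,
                        "state": fields[5].replace("-", "_").upper()})   # SYN-RECV -> SYN_RECV
    return records


def states_per_port(records):
    """{local_port: Counter(state -> count)}; the before/after snapshot the slide asks for."""
    per_port = defaultdict(Counter)
    for r in records:
        per_port[r["local_port"]][r["state"]] += 1
    return per_port


def half_open(records, port):
    return sum(1 for r in records if r["local_port"] == port and r["state"] == "SYN_RECV")


def syn_sources(records, port):
    """Distinct foreign addresses stuck in SYN_RECV; a flood shows many, usually spoofed ones."""
    return {r["foreign_ip"] for r in records if r["local_port"] == port and r["state"] == "SYN_RECV"}


def flood_suspected(records, port, backlog, fraction=0.5):
    """Flag a port once half-open connections fill `fraction` of the SYN backlog."""
    return half_open(records, port) >= backlog * fraction


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    backlog = 128   # value of net.ipv4.tcp_max_syn_backlog on the low-memory VM
    for port, counts in sorted(states_per_port(recs).items()):
        print(port, dict(counts), "flood?" , flood_suspected(recs, port, backlog))
    print("SYN sources on :80:", sorted(syn_sources(recs, 80)))
```

With the constructed sample, port 80 shows six half-open connections from five distinct sources against one established session, while port 22 shows none; with a backlog of 8 the port-80 figure already exceeds half the queue, which is the condition under which legitimate clients like Alice start being refused.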
SYN Cookie Defense
• SYN cookie is a defense mechanism to counter the
SYN flooding attack.
• Using SYN cookies allows a server to avoid dropping
connections when the SYN queue fills up.
– Instead, the server behaves as if the SYN queue had
been enlarged.
– The server sends back the appropriate SYN+ACK
response to the client but discards the SYN queue entry.
• If the server then receives a subsequent ACK
response from the client, the server is able to
reconstruct the SYN queue entry using information
encoded in the TCP sequence number.
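The reconstruction step is easiest to understand by building a small SYN-cookie server. The code below is an added example, not kernel code and not from the lecture: the server answers every SYN with a SYN+ACK whose initial sequence number is a keyed hash of the connection 4-tuple and a coarse timestamp, keeps nothing, and when the final ACK arrives treats ack_number - 1 as the cookie, re-derives the hash and rebuilds the queue entry (including the client's MSS) from it. The bit layout (5 bits time, 3 bits MSS index, 24 bits hash) follows the classic scheme; the secret, addresses and timestamps are constructed test values.

```python
"""SYN cookie encode/verify (added example; not kernel code).

Layout of the 32-bit cookie used as the server's ISN:
  bits 31..27  time slot (64 s granularity, mod 32)
  bits 26..24  index into MSS_TABLE (the client's MSS, approximated)
  bits 23..0   keyed hash of (src, sport, dst, dport, time slot)
"""
import hashlib
import hmac

MSS_TABLE = [536, 1300, 1440, 1460]   # MSS values representable in the 3-bit field
TICK = 64                              # seconds per time slot
MASK32 = 0xFFFFFFFF


def _hash24(secret, src, sport, dst, dport, t):
    msg = f"{src}:{sport}>{dst}:{dport}@{t}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, sport, dst, dport, client_mss, now):
    """Initial sequence number for the SYN+ACK; the server stores nothing."""
    t = (now // TICK) & 0x1F
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= max(client_mss, MSS_TABLE[0]))
    return ((t << 27) | (mss_idx << 24) | _hash24(secret, src, sport, dst, dport, t)) & MASK32


def check_cookie(secret, src, sport, dst, dport, ack_num, now, max_age=1):
    """Rebuild the queue entry from the client's ACK, or None if the cookie is forged or stale."""
    cookie = (ack_num - 1) & MASK32
    t, mss_idx, h = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((now // TICK) & 0x1F) - t) & 0x1F
    if age > max_age:
        return None                                  # stale: the cookie's time slot has expired
    if mss_idx >= len(MSS_TABLE) or h != _hash24(secret, src, sport, dst, dport, t):
        return None                                  # wrong 4-tuple, wrong secret or guessed value
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "mss": MSS_TABLE[mss_idx], "ack": ack_num}


class SynCookieServer:
    """Listener that keeps no half-open state: the SYN queue entry lives in the ISN."""

    def __init__(self, secret, ip, port):
        self.secret, self.ip, self.port = secret, ip, port
        self.established = []

    def on_syn(self, src, sport, client_mss, now):
        # Reply SYN+ACK carrying the cookie as ISN; the SYN queue entry is discarded.
        return make_cookie(self.secret, src, sport, self.ip, self.port, client_mss, now)

    def on_ack(self, src, sport, ack_num, now):
        entry = check_cookie(self.secret, src, sport, self.ip, self.port, ack_num, now)
        if entry is not None:
            self.established.append(entry)           # queue entry reconstructed, connection is up
        return entry


if __name__ == "__main__":
    srv = SynCookieServer(b"constructed-secret", "192.168.181.142", 80)
    isn = srv.on_syn("192.168.181.143", 51000, 1460, now=1000)
    print("SYN+ACK ISN:", hex(isn))
    print("genuine ACK :", srv.on_ack("192.168.181.143", 51000, (isn + 1) & MASK32, now=1010))
    print("forged ACK  :", srv.on_ack("192.168.181.143", 51000, (isn + 2) & MASK32, now=1010))
    print("stale ACK   :", srv.on_ack("192.168.181.143", 51000, (isn + 1) & MASK32, now=1000 + 3 * TICK))
```

Because nothing is stored per SYN, a flood of SYNs that never complete costs the server only the hash computation, which is why the lab attack stops working once tcp_syncookies is on. The price is visible in the layout: only a handful of MSS values survive the round trip, and a cookie is only honoured for a couple of time slots, which is why Linux activates cookies only when the backlog is actually full rather than all the time.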
Unsuccessful SYN Flooding Attack
• If your attack seems unsuccessful, one thing that you
can investigate is whether the SYN cookie mechanism
is turned on.
• The mechanism will kick in if the machine detects that
it is under the SYN flooding attack.
• You can use the sysctl command to turn on/off the SYN
cookie mechanism:
# sysctl -a | grep cookie (Display the SYN cookie flag)
# sysctl -w net.ipv4.tcp_syncookies=0 (turn off SYN
cookie)
# sysctl -w net.ipv4.tcp_syncookies=1 (turn on SYN
cookie)
SYN Flooding Attack
• Run your attacks with the SYN cookie mechanism
on and off, and compare the results.
• In your report, describe why the SYN cookie can
effectively protect the machine against the SYN
flooding attack.

SYN Flooding Attack
• Experimenting with the SYN flood attack command
provided by Netwox is fairly straightforward.
• WireShark can be used on the target machine to
record incoming SYN messages and outgoing SYN-
ACK messages.
• After the command was issued from the attacker,
WireShark can be inundated with packets showing
response to all of the SYN requests. (may cause
problem for the experimenter!!!)

Attack Scenario
• Create three Virtual Machines
• For example
– VM1: 192.168.181.141 (Attacker)
– VM2: 192.168.181.142 (Victim)
– VM3: 192.168.181.143

Useful commands
• On Attacker VM (i.e. VM1)
– sudo netwox 76 --dst-ip
192.168.181.142 --dst-port 80
– sudo netwox 76 --dst-ip
192.168.181.142 --dst-port 53
(port 53 is TCP/UDP port used by DNS)
• On Victim VM (i.e. VM2)
– netstat -aon | grep 80 | more
– netstat -an | grep :80 | grep -i syn | wc -l

TCP RST Attacks on telnet and ssh Connections

telnet
• telnet and SSH are application layer protocols of
TCP/IP protocol suite
• telnet provides access to a command-line interface
(usually, of an operating system) on a remote host,
including most network equipment and operating
systems with a configuration utility.
• telnet establishes a connection to TCP port 23.
• Because of serious security concerns when using
telnet over an open network such as the Internet,
its use for this purpose has waned significantly in
favor of SSH.

SSH
• SSH is a cryptographic network protocol for
operating network services securely over an
unsecured network.
• It provides a secure channel over an unsecured
network in a client-server architecture, connecting
an SSH client application with an SSH server.
• Common applications include remote command-
line login and remote command execution, but any
network service can be secured with SSH.
• SSH establishes a connection to TCP port 22.
TCP RST (reset)
• In a stream of packets of a TCP connection, each packet
contains a TCP header.
• Each of these headers contains a bit known as the
"reset" (RST) flag.
• In most packets RST flag is set to 0 and has no effect
• If RST flag is set to 1, it indicates to the receiving
computer that the computer should immediately stop
using the TCP connection;
– i.e. it should not send any more packets using the
connection's identifying numbers, called ports, and should discard
any further packets it receives with headers indicating they
belong to that connection.
• A TCP reset basically kills a TCP connection instantly.
Usefulness of TCP RST (reset)
• When used as designed, this can be a useful tool.
• One common application is the scenario where a computer
(computer A) crashes while a TCP connection is in progress.
• The computer on the other end (computer B) will continue to
send TCP packets since it does not know that computer A has
crashed.
• When computer A reboots, it will then receive packets from
the old pre-crash connection.
• Computer A has no context for these packets and no way of
knowing what to do with them, so it might send a TCP reset
to computer B.
• This reset lets computer B know that the connection is no
longer working.
• The user on computer B can now try another connection or
take other action.
Forging TCP RST (reset)
• In the normal case, the TCP reset bit is sent by a computer
that was one of the connection endpoints.
• It is possible for a 3rd computer to monitor the TCP packets
on the connection and then send a "forged" packet containing
a TCP reset to one or both endpoints.
• The headers in the forged packet must indicate, falsely, that it
came from an endpoint, not the forger.
• This information includes the endpoint IP addresses and port
numbers.
• Every field in the IP and TCP headers must be set to a
convincing forged value for the fake reset to trick the
endpoint into closing the TCP connection.
• Properly formatted forged TCP resets can be a very effective
way to disrupt any TCP connection that the forger can
monitor.
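A forged reset only works if the receiving endpoint accepts it, so the receiver's validation rule is the defender's side of the slide above. The example below is added to these notes and is not the lecture's code: it parses a raw TCP header, and applies the RFC 5961 rule for RST segments, under which a reset is honoured only when its sequence number equals RCV.NXT exactly, an in-window reset earns a "challenge ACK" (the genuine peer can then resend with the exact value, a forger cannot without seeing the reply), and anything outside the window is dropped. The segments are constructed bytes on the lab's telnet port; the connection object and the states it reports are this example's own names.

```python
"""Receiver-side TCP RST validation per RFC 5961 section 3.2 (added example).

Not the lecture's code. Segments are constructed 20-byte TCP headers with a
zero checksum; Connection tracks only what the rule needs (RCV.NXT, RCV.WND).
"""
import struct

FLAG_RST, FLAG_ACK = 0x04, 0x10
MOD32 = 1 << 32


def build_tcp_header(sport, dport, seq, ack, flags, window=65535):
    """20-byte TCP header (data offset 5, checksum 0); test data only."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp_header(segment):
    sport, dport, seq, ack, _off, flags, window, _csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "window": window}


class Connection:
    """One established connection's receive side."""

    def __init__(self, rcv_nxt, rcv_wnd):
        self.state = "ESTABLISHED"
        self.rcv_nxt = rcv_nxt      # next sequence number we expect from the peer
        self.rcv_wnd = rcv_wnd      # how far beyond it we would still accept data
        self.challenge_acks = 0     # how many times we asked a peer to prove a reset

    def in_window(self, seq):
        """Sequence-number arithmetic is modulo 2^32, so wrap-around must be handled."""
        return (seq - self.rcv_nxt) % MOD32 < self.rcv_wnd

    def on_segment(self, segment):
        hdr = parse_tcp_header(segment)
        if not hdr["flags"] & FLAG_RST:
            return "NOT_RST"
        if self.state != "ESTABLISHED":
            return "DROP"
        if hdr["seq"] == self.rcv_nxt:
            self.state = "CLOSED"          # exact match: accept the reset, connection is gone
            return "RESET"
        if self.in_window(hdr["seq"]):
            # In window but not exact: do not reset; send ACK with RCV.NXT so a real peer can retry.
            self.challenge_acks += 1
            return "CHALLENGE_ACK"
        return "DROP"                       # outside the window: silently discard


def run_demo():
    """Telnet session VM3:23 <- VM2:51000 seen from VM3; four resets of varying quality."""
    conn = Connection(rcv_nxt=1000, rcv_wnd=4096)
    outcomes = [
        conn.on_segment(build_tcp_header(51000, 23, 1000 + 10000, 0, FLAG_RST)),   # far outside
        conn.on_segment(build_tcp_header(51000, 23, 1100, 0, FLAG_RST)),           # in window
        conn.on_segment(build_tcp_header(51000, 23, 1000, 0, FLAG_ACK)),           # ordinary data
        conn.on_segment(build_tcp_header(51000, 23, 1000, 0, FLAG_RST | FLAG_ACK)),  # exact
        conn.on_segment(build_tcp_header(51000, 23, 1000, 0, FLAG_RST)),           # already closed
    ]
    return conn, outcomes


if __name__ == "__main__":
    conn, outcomes = run_demo()
    print(outcomes, "final state:", conn.state)
```

The rule raises the bar for an off-path forger, who must now hit one sequence number out of 2^32 instead of anywhere in the window. It does nothing against the lab's attacker, who sits on the same LAN and reads the exact sequence number from the traffic, and nothing in SSH's encryption helps either, since the TCP header stays in the clear; only mechanisms that authenticate the TCP header itself (TCP-AO, RFC 5925, or IPsec) close that case.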
TCP RST Attack Scenario
• The TCP RST Attack can terminate an established TCP
connection between two victims.
• For example, if there is an established telnet
connection (TCP) between two users A and B,
– attackers can spoof a RST packet from A to B, breaking this
existing connection.
– To succeed in this attack, attackers need to correctly
construct the TCP RST packet.
• In this attack, you need to launch a TCP RST attack to
break an existing telnet connection between A and B
• You may try the same attack on an SSH connection.
• In the attack scenario you may assume that the
attackers and the victims are on the same LAN, i.e.,
attackers can observe the TCP traffic between A and B.
Attack Scenario and Tools
• Open 3 Virtual Machines.
– VM1: 192.168.181.141 (Attacker)
– VM2: 192.168.181.142 (Victim)
– VM3: 192.168.181.143
• On VM2 - telnet 192.168.181.143
• Then launch the following attack from VM1
– netwox 78 --device "Eth0" --filter "dst host 192.168.181.143 and dst port 23" --ips "192.168.181.142"
• The verification of successful attack is that the
telnet from VM2 to VM3 will be closed
Attack Scenario and Tools
• Now on VM2 - ssh 192.168.181.143
• Then launch the following attack from VM1
– netwox 78 --device "Eth0" --filter "dst host 192.168.181.143 and dst port 22" --ips "192.168.181.142"
• The verification of successful attack is that the ssh
from VM2 to VM3 will be closed

Acknowledgement
• SEED Project led by Prof. Wenliang Du,
Syracuse University
Assignments

Visit Course homepage for assignments

https://sites.google.com/site/mcitnetworksecurity

Get in touch

Course homepage
https://sites.google.com/site/mcitnetworksecurity

Contact me
mmkhan@neduet.edu.pk
