Attacks on IP Networks

Everybody knows that IP came from research sponsored by DARPA. One of the goals was to make IP robust in the presence of attacks where nodes of the network suddenly cease to exist. So does this make IP a good protocol for secure communication today? No. There was very little to no consideration of the problems of hostile users of the network.

References

Secure Internet Programming: Home Page

IP Spoofing Information - AIS, UNC-CH

Webmonkey: backend: Living with Insecurities

Practical UNIX and Internet Security, 2nd Edition

http://java.sun.com/docs/white/langenv/Security.doc.html

Sniffing

IP packets (both header and data) are sent in plaintext. This means that applications which don't do their own encryption of data are vulnerable to sniffers. When login/passwords are sent by protocols such as telnet, ftp, rlogin, etc, they are unprotected.

A sniffer program or device operates by putting the NIC into promiscuous mode. The NIC then takes every frame sent on the network and makes it available to the sniffer software. In UNIX superuser privilege is required to put the NIC into promiscuous mode, though if you have console access gaining super user privilege is trivial. In Windows there is no hurdle at all.

Attacks by sniffing depend on getting to the data link layer frames. This in turn depends on the data link layer used, the media, and the speed.

LANs

The fact that Ethernet and Token Ring technologies use a broadcast design leaves users of IP in a LAN vulnerable. Copper media are easier to tap and sniff than fiber optic, but note that an open environment such as a university or a comapny campus is likely to have ready-made tap points available (i.e. the network ports).

Telephone lines and PPP

Less vulnerable due to the fact that the link is point-to-point, so only one user at a time can be sniffed.

IP over cable TV

Anybody with access to the cable can watch the frames go by. Usually designed in a tree, so the higher up the tree you can tap, the more users you can monitor.

Wireless

Inherently broadcast so sniffing just means being within range.

IP Spoofing

Root causes of problem

Most will forward packets with bad source addresses. A bad source address is one which is on the same "side" as the destination address.

TCP sequence numbers are very easy to guess.

Scenario

Bad guy sends a request packet to a sensitive service like rsh with a forged source IP address. The forged address is that of a machine the victim machine trusts, call it X. This is where the router forwarding bogus packets comes in. The trusted host X is likely on the same side of the router as the victim machine.

The victim machine responds to the forged request by sending packets to X. X is confused as it did not make a request to which it is now getting responses. Bad guy distracts X with some ill-formed packets.

Bad guy continues talking with victim machine "in the blind" to do some evil thing through the sensitive service. This is where the guessable sequence number comes in, since the bad guy can't see the responses from the victim, it must guess at what they contain. The sequence number is the only real unknown, and it is easy to guess.

Solutions

Routers don't forward bogus packets (those with bogus source addresses).

TCP sequence numbers are made harder to guess. This problem was first pointed out publicly in 1985.

Don't do authentication based on IP address (like rsh does).

Denial of Service

Attacks which bog a server down give it no time to do its real work. Security doesn't have to be breached, as characteristics of the protocols or
protocol implementations may be exploited.

ICMP flooding

The general idea is to send many requests via ICMP to a machine. Depending on how ICMP messages are handled, this may cripple a host. Think about a ping flood attack. Every host running a TCP/IP stack is required to respond to ECHO REQUESTs. What request rate is sufficient to keep the machine so busy responding to these so that it is unavailable otherwise?