Attacks & Defense Mechanisms For TCP/ IP Based Protocols: January 2014
Jatinderkumar R. Saini
Symbiosis Institute of Computer Studies and Research
Abstract - The TCP/IP protocol suite is the most widely used communication protocol and has become the de facto standard for internet based communications. It is a set of robust protocols originally designed to provide reliable communication services that allow co-operating computers to share resources across networks.
The networking of resources also brought many potential threats to the network community, like unauthorized access to private information and malicious break-ins into other organizations’ systems to make them unusable or unreliable, due to some inherent security problems in the underlying protocols, as their development was based upon the concept of implicit trust between the communicating systems.
Due to design faults and faulty implementations of the TCP/IP protocol suite, several vulnerabilities have been reported. Different types of network based attacks have been identified which use computer networks as the transportation mechanism to carry out an intrusion or attack the communication system itself. Some such attacks are sniffing, spoofing, denial of service, session hijacking, traffic redirection, authentication and routing attacks. Several tools and defence mechanisms have been developed to identify, analyse and mitigate such attacks. We describe some of these attacks against the TCP/IP suite, analysis tools and various defence mechanisms.

I. INTRODUCTION
The TCP/IP suite is a collection of network based communication protocols that provide and support various kinds of services running over the network. It establishes, maintains and terminates connections between the end points and provides full-duplex end to end connectivity. It also formats data, addresses and routes the data packets over the network and ensures they are delivered to the recipient [1] [2]. The two main components of the TCP/IP protocol suite are the Transmission Control Protocol (TCP) and the Internet Protocol (IP).

1.1 TCP/IP Protocol Hierarchy
The TCP/IP protocol suite is designed through a highly structured and layered approach, with each layer responsible for a different facet of communications. This hierarchical architecture, as shown in fig. 1 & 1(a), makes it possible for each layer to provide a unique set of functions. Data encapsulation is achieved by the various headers of the different layers, like the IP header, TCP header or application headers, as seen in fig. 1 & 1(a). These headers are critical and maintain a specific set of information needed for functional and administrative reasons at that particular layer.

Fig.1. TCP/IP Protocol Stack

Fig.1. (a) TCP/IP Protocols

Internet Protocol (IP) – IP is the workhorse protocol of the TCP/IP protocol suite; it provides an unreliable, connectionless datagram delivery service. All TCP, UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol) data are transmitted as IP datagrams. IP deals with routing packets of data from one computer to another, or from one router to another, till they reach the destination [3]. It neither engages in a handshaking process nor provides flow control, error detection or error control. Hence it does not provide any reliable connection between the hosts on a network. The structure of the IP header is shown in fig 2. The IP header contains important information like the source IP address, destination IP address etc. which help in routing the packet through the networks.
Copyright © 2014 IJEIR, All right reserved
17
International Journal of Engineering Innovation & Research
Volume 3, Issue 1, ISSN: 2277 – 5668
Fig.2. IP Header

User Datagram Protocol (UDP) - UDP is a transport layer protocol, but it does not offer much functionality beyond port addressing. The checksum field in the UDP header provides only a limited ability for error checking. The header of UDP is shown in Fig 3.

The TCP header contains the port numbers that are used to uniquely identify the process at the sending and receiving sides, as TCP at the sending side is responsible for ensuring that the data segment is received at a specific port on the receiving side and properly acknowledged. Every byte that is sent by a host is marked with a sequence number and is acknowledged by the receiver using this sequence number. The sequence number is essential in keeping the sent and received data in proper order. There are six flag bits in the TCP header, namely URG, ACK, PSH, RST, SYN and FIN, which play specific roles in connection establishment, connection termination or other control purposes. For maintaining proper flow control, the size of the communication window is advertised between the communicating partners. Before actually transmitting data segments TCP follows the process of 3-way handshaking, which ensures reliable transmission of the packets. Each packet sent is properly acknowledged [4].
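The IP and TCP header fields described above, as an added example that is not from the paper: a parser that pulls the source and destination addresses out of an IPv4 header, verifies the header checksum, and decodes the port numbers, sequence number, window and the six flag bits of the TCP header. The sample packet is constructed inside the block; `build_ipv4_tcp` and `is_wellformed` are this example's own helper names.

```python
import struct
from dataclasses import dataclass

# TCP control bits (low six bits of header byte 13): URG ACK PSH RST SYN FIN
TCP_FLAGS = {"URG": 0x20, "ACK": 0x10, "PSH": 0x08, "RST": 0x04, "SYN": 0x02, "FIN": 0x01}
IPPROTO_TCP = 6

@dataclass
class IPv4Header:
    ihl: int            # header length in 32-bit words (5 = no options)
    total_length: int   # header plus payload, in bytes
    ttl: int
    protocol: int
    src: str
    dst: str

@dataclass
class TCPHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: set          # names from TCP_FLAGS, e.g. {"SYN"}
    window: int         # advertised receive window

def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; a valid header including its checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(buf: bytes):
    """Return (IPv4Header, payload); raise ValueError on a malformed header."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = ver_ihl & 0x0F
    if ver_ihl >> 4 != 4 or ihl < 5 or len(buf) < ihl * 4 or total_len < ihl * 4:
        raise ValueError("invalid IPv4 header")
    if ipv4_checksum(buf[:ihl * 4]) != 0:
        raise ValueError("bad IPv4 header checksum")
    hdr = IPv4Header(ihl, total_len, ttl, proto, ".".join(map(str, src)), ".".join(map(str, dst)))
    return hdr, buf[ihl * 4:total_len]

def parse_tcp(buf: bytes):
    """Return (TCPHeader, payload); the flags set carries the six control bits by name."""
    if len(buf) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, bits, win, _csum, _urg = struct.unpack("!HHIIBBHHH", buf[:20])
    off = off_res >> 4
    if off < 5 or len(buf) < off * 4:
        raise ValueError("invalid TCP data offset")
    flags = {name for name, bit in TCP_FLAGS.items() if bits & bit}
    return TCPHeader(sport, dport, seq, ack, flags, win), buf[off * 4:]

def build_ipv4_tcp(src, dst, sport, dport, seq, flagbits, payload=b"") -> bytes:
    """Construct a minimal IPv4+TCP packet (real IP checksum, TCP checksum left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flagbits, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + tcp

def is_wellformed(buf: bytes) -> bool:
    """True when the IP header (and, for TCP, the TCP header) parses and the IP checksum holds."""
    try:
        ip, rest = parse_ipv4(buf)
        return ip.protocol != IPPROTO_TCP or parse_tcp(rest) is not None
    except ValueError:
        return False

# Constructed sample: first message of a 3-way handshake, SYN from 10.0.0.5:40000 to 10.0.0.9:80
SAMPLE_SYN = build_ipv4_tcp("10.0.0.5", "10.0.0.9", 40000, 80, 1000, TCP_FLAGS["SYN"])
```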
The packets are routed by the router to the destination. Upon receipt the recipient uses the IP address of the source to reply to the packet. Since the source address is spoofed, the recipient will reply to the spoofed address and not to the original sender, who had deliberately changed his IP address in the original packet. Since the address has been changed intentionally it will be difficult to trace back to the attacker. Using this concept the following types of attacks are normally carried out.

2.1.1 Denial of Service Attacks (DoS)
Using the above trick the attacker can send a large number of packets to the victim [6]. As he will not receive any packet from the victim, all the replies will be directed towards the spoofed IP addresses, causing the victim to go out of service. Using DoS an attacker can disrupt the normal functioning of the network and carry out the following attacks:-

2.1.1.1 Storage Consumption Attacks – The attacker tries to consume all the available local storage space on the target machine to slowly bring it to a grinding halt. A simple trick of sending emails with very large attachments can be used for launching this type of DoS. Multiple large DVD VOB files and uncompressed JPEG or BMP (bitmap) images of very high resolution are common file types used to accomplish such attacks.

2.1.1.2. Subnet Mask Corruption Attacks – The attacker may send a message which causes the target machine to reset its subnet mask and so disrupt the target’s subnet routing.

2.1.1.3. Connection Resources Consumption Attacks – By sending very large numbers of erroneous requests for TCP session establishment an attacker can consume all of the target’s available connection resources, resulting in the target being unable to service any new authentic connection requests.

2.1.1.4. Buffer Overflow Attacks – A buffer overflow attack occurs when a process receives much more data than expected; if it has no programmed routine to deal with this excessive amount of data, it may act in unexpected ways that an attacker can exploit. There are numerous variations and forms of buffer overflow attack that have been formulated over the years, with the most common of all being the “Ping of Death”.

2.1.1.5. Ping of Death Attacks - The Ping of Death attack is also referred to as the “Large Packet Ping Attack”. The attacker initiates a “ping of death” attack by using the PING network utility of the Internet Control Message Protocol (ICMP) to “ping” the target with an illegally modified and very large IP datagram. This results in overfilling of the target system’s buffers, causing the target to reboot or hang. PING can be configured to send the “illegal” IP datagram packets in bursts or as a continual stream. In the case of a continual stream the target will be immediately under attack again once it reboots and will thus hang or reboot continually until something is done to stop it receiving the attacker’s packets.

2.1.1.6. Long File or User Name Attacks – Another basic buffer overflow attack that can be initiated very easily by the attacker is done by sending the victim machine a large packet with user names or file names more than 256 characters long. Email delivery processes are also a popularly exploited mechanism for deploying this type of excessively long file or user name attack.

2.1.1.7. SYN Attacks - A SYN attack occurs when an attacker exploits the use of the buffer space during the Transmission Control Protocol (TCP) session initialization, the three-way handshake. The receiving machine (usually a server) can maintain multiple concurrent conversations, all established using the same small “in-process” buffer pool.

Fig.6. A SYN Attack

To instigate such an attack an attacker simply floods the target system’s queue with connection requests, but when the target system replies with a SYN-ACK acknowledgement packet the attacker simply ignores it (fig 6) rather than replying with the ACK packet which the target will be waiting for. By deliberately not responding to the SYN-ACK sent by the server he leaves the connections half open. Thus the target system will “time out” as it keeps waiting for the proper response. The server will be unable to respond to further connection requests because of exhaustion of resources, and denial of service takes place [7]. The target will generally assume that either its SYN-ACK packet or the attacker’s ACK reply packet has been lost in transit and so it will reissue its SYN-ACK packet. After some time the target system will become unstable, hang, crash or become unusable. As a result the target system will have to be rebooted. Once rebooted, the attack will continue afresh for as long as the attacker wants or until the network administrator discovers that they are being attacked and takes appropriate steps to counteract it.

2.1.1.8. Smurf Attacks – Here a combination of IP address spoofing and ICMP flooding is used to saturate a target network with traffic so that the normal traffic is disrupted, thereby causing a Denial of Service (DoS) attack. Smurf attacks consist of the source site, the bounce site and the target site. First the attacker selects a bounce site (usually a very large network). The attacker then modifies a PING packet so that it contains the address of the target site as the PING packet’s source address. Now the attacker sends the spoofed PING packet to the broadcast address of the target site. As a result the bounce site will broadcast the spoofed packet to all devices configured to receive messages from that broadcast address. The bounce site network devices receiving this misinformation will not know that it is false information and so they will automatically respond to the ping request with a reply to the intended victim target site. As a result the target site is overwhelmed by a large number of erroneous replies from the bounce site. This oversaturation of ping replies will consume all of the target site’s “in-process” buffer resources and hang or reboot the system.

2.1.2. Defeating the Network Security – These attacks are aimed against IP based authentication environments, where the internal machines are configured to trust communication from internal IP addresses. No login or passwords are required for access [8]. By spoofing the connection an attacker can get unauthorized access to a victim machine without authentication.

2.1.3. Man-in-the-middle Attack - It is based upon hijacking an authenticated network session between two hosts. The attacker implants itself after they have finished the authentication steps. The attacker can spoof the IP address of a victim that was authenticated by the other host or server and gets the packets that pass between these hosts [9]. The attacker uses the IP addresses of the two hosts to receive and send packets.

2.2 TCP Sequence Number Prediction
It is possible for the attacker to predict the sequence numbers based upon the ISNs which are being used for sending and acknowledging between two genuinely communicating hosts. Based upon this technique, the sessions can be hijacked by the attacker.

2.3 Port Scanning
It is not a technique used directly to perform an attack. Instead, its goal is to discover an exploitable communication channel and then launch the real attack. The reason for doing port scanning is that some vulnerable services may not use a fixed port number.
There are several ways to detect a potential communication channel. For a listening TCP server, the most basic approach is to try to make a real connection. Another method is SYN scanning, which sends a SYN packet to the victim as if it will create a real connection. As already discussed for the TCP three-way handshake, a SYN-ACK packet will indicate an active server and a RST message tells of a port with no listener.
These two methods have obvious disadvantages. The first one is easy to audit and the second will not work with some firewalls or packet filters specially designed to block SYN packets to non-permitted ports. Another way of port scanning is TCP FIN scanning. Instead of sending SYN probes as in SYN scanning, this method uses a FIN packet and then waits for a RST packet from a closed port. In the case of an active listener, it will just discard this FIN packet silently without sending anything back.
UDP is a connectionless protocol. Its simplicity actually makes port scanning more difficult, as there is no three-way handshake as in TCP, so a UDP server will not acknowledge any probe packet. On the other hand, for a closed port, no UDP error message is returned. Most hosts send an ICMP “port unreachable” message as a reply to packets sent to an unused UDP port. This may give hackers some clues. Since UDP is unreliable, neither the UDP packets nor the ICMP messages are guaranteed to arrive.

III. DEFENDING MECHANISMS
Some simple prevention mechanisms, like password protecting the system to avoid unauthorized use, have become widely popular.

3.1 Firewalls - Firewalls are systems designed to prevent unauthorized access to or from a network. A firewall is a dedicated appliance or software running on a system which inspects network traffic passing through it and denies or permits passage based on a set of rules. Firewalls can be implemented in hardware, in software or as a combination of both. Firewalls can be of the following types:-
Packet filter:- It inspects each packet entering or leaving the network and rejects or accepts it based on defined rules. It is effective and transparent but difficult to configure. IP spoofing can easily be done against packet filter firewalls.
Application Gateway:- The decision to allow or disallow depends upon the specific application, e.g. ftp, Telnet etc. It is very effective but imposes performance degradation.
Circuit-level Gateway:- It applies security mechanisms when a TCP or UDP connection is established. After the connection establishment no further checking is done and packets can flow between the hosts.
Proxy server:- It sits between the client and server. A client requires some service such as a file, connection, web page or other resource available on a different server. The proxy server validates the request with its filter rules and, after the request is validated by the filter, the proxy provides the resource by connecting to the relevant servers and requesting services on behalf of the client. Some of the commonly used firewalls are :-
Netfilter: It is an open source firewall written in C that supports different IPv4 protocols and can be used with a command line interface [10].
IPFilter: It is an open source firewall that supports both IPv4 and IPv6. It works on different types of operating systems like AIX, BSD/OS, and some other flavours of BSD and Solaris [11].

3.2. A virtual private network (VPN) – A VPN is a private network that uses a public network such as the internet to connect remote sites or users together. Instead of using a dedicated, real world connection such as a leased line, a VPN uses “virtual” connections routed through the internet from the company’s private network to the remote site. It is implemented as an additional logical layer on top of an existing larger network.

3.3. Authentication - Computer security authentication means verifying the identity of a user logging onto a network. Authentication is the process of determining whether the person is genuinely the person whose identity he or she is claiming to be. In other words authentication is the process of verification of the identity of a user. It is typically based on:
Something the user knows: Passwords or PINs.
Something the user has: This could be a key or a token or a smart card or a disk or some other device.
Something the user is: It includes biometric authentication such as fingerprints, voice recognition, retina or iris scans.
Authentication procedures can be categorized as follows:
3.3.1. Two-party authentication:- In two-party authentication there are two ways:
One way authentication - The client authenticates with the server by giving a username and password. If it is correct then the client is allowed to log in to the server.
Two way authentication - In two way authentication the client authenticates with the server by giving a username and password. Similarly the server authenticates with the client by giving a username and password. If it is correct then it is assured that the client is communicating with the correct server.
3.3.2. Third party authentication:- In third party authentication there is a third party security server. The clients communicate with the security server by giving a username and password. The security server authenticates the client if the username and password are correct. Similarly on the other side the server authenticates with the security server by giving a username and password. After both the client and server are authenticated, the client and server exchange keys for securely transmitting the data. After that the data is transferred in a secure way.
3.3.3. Single sign on: Users can access several network resources by logging on once to a security server.

3.4. Intrusion Detection System (IDS) – An intrusion detection system is software / hardware designed to detect unwanted attempts to access, manipulate and/or disable a computer system. These attempts are generally generated from a network such as the internet. It monitors network and/or system activities for malicious activities or policy violations. It is the process of monitoring the events occurring in a system or network and analyzing them for violations of security policies. Intrusion detection systems can be of the following types:-
3.4.1. Network intrusion detection system (NIDS):- A NIDS is an independent platform which examines network traffic and monitors multiple hosts. It gains access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap.
3.4.2. Protocol-based intrusion detection system (PIDS):- A PIDS is an intrusion detection system which is typically installed on a web server and is used in the monitoring and analysis of the communications protocol in use by the computing system.
3.4.3. Application protocol-based intrusion detection system (APIDS):- An APIDS is an intrusion detection system that focuses its monitoring and analysis on a specific application protocol or protocols in use by the system.
3.4.4. Host based intrusion detection system (HIDS):- Host based intrusion detection systems are run on individual hosts or devices on the network. A HIDS monitors the entire network traffic from the device and would alert the user or administrator whenever suspicious activities are observed.
3.4.5. Signature based Intrusion Detection System:- A signature based intrusion detection system will monitor packets on the network and compare them against a database of signatures or attributes of known malicious threats.
3.4.6. Anomaly based Intrusion Detection System:- An IDS which is anomaly based will monitor the network traffic and compare it against an established baseline. This baseline generally contains what is normal traffic for the network, what sort of bandwidth is generally used, what protocols are used, and what ports and devices generally connect to each other; the IDS would alert an administrator when the traffic detected differs from or is anomalous with respect to the baseline.
3.4.7 Some commonly used IDS are :-
Firestorm: It is a cross platform Network Intrusion Detection System that uses libpcap to capture, analyse and detect any malicious patterns in network traffic for different protocols [12]. It uses an anomaly detection method and fully supports Snort [13] rules.
Prelude: It is a hybrid IDS that uses several sensors in the network to capture and detect any malicious packet. It can work on Linux, BSD and some other operating systems [14].
Dragon: Dragon is a commercial host & network intrusion detection system which uses rule and signature based detection techniques and has extensive libraries [15].

3.5. Intrusion Prevention System (IPS)
An Intrusion Prevention System (IPS) uses rule based detection techniques for detecting malicious traffic and preventing attacks. An IPS is an advancement of the intrusion detection system (IDS).

3.6 Some popular IDS being used are :-
Snort: It is an open source IDS that works on the application layer and network layer. It can detect and prevent different attacks like buffer overflow, denial of service attack, port scan, SMB probes and some other attacks.
Suricata: It is an open source network intrusion detection and prevention system that works on rule based and anomaly based detection concepts. It works on the application and network layers [16].

3.7. Some commonly used mitigating techniques against IP spoofing include the use of encrypted sessions in the router, using Access Control Lists for applying the security policies, and application of the defence mechanisms of upper layers [17].

3.8 Counteracting Ping of Death Attack – Techniques like changing the LAN IP address and the use of filtering devices such as routers and a dedicated firewall to drop all incoming (ICMP) packets are commonly used to defend against such attacks.

3.9. Mitigating Smurf Attack – For countering a smurf attack the commonly used techniques include “stateful”
inspection at the firewall and denying external ICMP traffic access to the internal network.

3.10. Countermeasures for Long File or User Name Attacks – Such attacks can be countered by configuring the network filtering device to automatically drop traffic which contains file names and user names that are more than 255 characters long.

3.11. SYN Attack Countermeasures - Identifying the source IP addresses of the attack packets and then using a firewall or router to block all traffic from this source.

IV. TCP/IP SECURITY TOOLS
Nmap: It is a free open source tool used for network discovery, port scanning and security auditing of the target network [23]. It can also be used for fingerprinting of operating systems and network devices.
Netcat: It allows reading and writing of data to network connections using the TCP/IP protocol. Packets can be constructed and dispatched using Netcat. Malformed packets can be crafted for testing protocol responses [24].
hping: It is a command line open source TCP/IP packet assembler and analysis tool. It supports multiple protocols including ICMP, TCP, UDP and RAW-IP [25].
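For the SYN attack of section 2.1.1.7 and the SYN and FIN scans of section 2.3, an added example that is not the paper's own code: a monitor that mirrors the server's SYN backlog from captured segments, distinguishes half-open exhaustion spread over many forged sources (where the per-source blocking of 3.11 cannot help) from a single real source that can be blocked, and counts distinct probed ports per source. The `HandshakeMonitor` class, the addresses and the three scenarios are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    t: float          # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP control bits by name, e.g. frozenset({"SYN"})

SERVER = "198.51.100.10"   # the protected host (constructed address)

class HandshakeMonitor:
    """Mirror SERVER's SYN backlog and per-source probe counts from captured segments."""
    def __init__(self, backlog_limit=50, per_source_limit=10, scan_ports=10, ack_wait=1.0):
        self.backlog_limit, self.per_source_limit = backlog_limit, per_source_limit
        self.scan_ports, self.ack_wait = scan_ports, ack_wait
        self.pending = {}                    # (client, cport, dport) -> time of its SYN (half-open slot)
        self.syn_ports = defaultdict(set)    # client -> distinct ports probed with a bare SYN
        self.fin_ports = defaultdict(set)    # client -> distinct ports sent a bare FIN
        self.completed = 0
    def observe(self, s):
        if s.dst != SERVER:
            return                           # replies from SERVER and other traffic change no state
        conn = (s.src, s.sport, s.dport)
        if "SYN" in s.flags and "ACK" not in s.flags:
            self.pending[conn] = s.t         # the server allocates a backlog slot for every SYN
            self.syn_ports[s.src].add(s.dport)
        elif s.flags == {"FIN"}:
            # after the SYN every legitimate segment carries ACK, so a bare FIN is a FIN-scan probe
            self.fin_ports[s.src].add(s.dport)
        elif "RST" in s.flags:
            self.pending.pop(conn, None)     # client aborted; the slot is freed
        elif "ACK" in s.flags and self.pending.pop(conn, None) is not None:
            self.completed += 1              # third message of the handshake: connection established
    def report(self, now):
        stale = [c for (c, _, _), t0 in self.pending.items() if now - t0 >= self.ack_wait]
        heavy = sorted(c for c, n in Counter(stale).items() if n >= self.per_source_limit)
        flooded = len(stale) >= self.backlog_limit
        scans = {c: [k for k, tbl in (("SYN scan", self.syn_ports), ("FIN scan", self.fin_ports))
                     if len(tbl[c]) >= self.scan_ports] for c in set(self.syn_ports) | set(self.fin_ports)}
        return {"half_open": len(stale), "completed": self.completed,
                "flood": flooded or bool(heavy),
                "block_candidates": heavy,                # real sources a filter could block (3.11)
                "spoofed_likely": flooded and not heavy,  # slots spread over many forged sources
                "scans": {c: k for c, k in scans.items() if k}}

def handshake(t, client, cport):
    """Constructed complete handshake (SYN, SYN-ACK, ACK) between client and SERVER:80."""
    return [Segment(t, client, cport, SERVER, 80, frozenset({"SYN"})),
            Segment(t + .01, SERVER, 80, client, cport, frozenset({"SYN", "ACK"})),
            Segment(t + .02, client, cport, SERVER, 80, frozenset({"ACK"}))]
def analyse(segments, now=3.0):
    mon = HandshakeMonitor()
    for s in sorted(segments, key=lambda x: x.t):
        mon.observe(s)
    return mon.report(now)
def scenario_normal():
    return analyse([s for i in range(20) for s in handshake(0.1 * i, f"192.0.2.{i + 1}", 50000 + i)])
def scenario_spoofed_flood():
    # 2.1.1.7: 200 bare SYNs from 200 forged addresses; the SYN-ACKs go to hosts that never answer
    segs = handshake(0.0, "192.0.2.1", 50000)
    segs += [Segment(0.5 + i / 1000, f"203.0.113.{i + 1}", 40000, SERVER, 80, frozenset({"SYN"}))
             for i in range(200)]
    return analyse(segs)
def scenario_scan():
    # 2.3: one address SYN-probes ports 1-30 (resetting each answered slot) and FIN-probes 31-50
    segs = []
    for p in range(1, 31):
        segs += [Segment(1.0 + p / 100, "203.0.113.7", 40000, SERVER, p, frozenset({"SYN"})),
                 Segment(1.005 + p / 100, "203.0.113.7", 40000, SERVER, p, frozenset({"RST"}))]
    segs += [Segment(2.0 + p / 100, "203.0.113.7", 40001, SERVER, p, frozenset({"FIN"})) for p in range(31, 51)]
    return analyse(segs)
```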
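The packet filter of section 3.1 together with the spoofing, Ping of Death, smurf and SYN-source mitigations of 3.7 to 3.9 and 3.11, as an added example that is not from the paper: an ordered rule set with a single piece of state (outbound echo requests), so that only solicited echo replies re-enter the LAN. The LAN prefix, the block list and the `StatefulFilter`/`Pkt` names are constructed for the example; the one exception to dropping all incoming ICMP is explained in a comment.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("192.168.1.0/24")       # constructed LAN behind the firewall
BLOCKED_SOURCES = {"203.0.113.66"}                      # addresses identified as SYN-attack sources (3.11)

@dataclass(frozen=True)
class Pkt:
    iface: str          # "ext" = arriving from the internet side, "int" = leaving the LAN
    proto: str          # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    dport: int = 0
    icmp: tuple = ()    # (type, code): echo request (8, 0), echo reply (0, 0), frag-needed (3, 4)
    icmp_id: int = 0    # echo identifier used to pair a reply with the request that caused it

class StatefulFilter:
    """Ordered rule set with one piece of state: outbound echo requests awaiting a reply."""

    def __init__(self):
        self.echo_pending = set()   # (internal host, external host, id)

    def decide(self, p):
        """Return ("ACCEPT"|"DROP", reason) for the first rule that matches the packet."""
        src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
        if p.iface == "ext" and src in INTERNAL:
            return "DROP", "anti-spoofing: internal source address arriving from outside"   # 3.7
        if p.iface == "int" and src not in INTERNAL:
            return "DROP", "anti-spoofing: foreign source address leaving the LAN"
        if p.iface == "ext" and p.src in BLOCKED_SOURCES:
            return "DROP", "source on the SYN-attack block list"                            # 3.11
        if p.proto == "ICMP":
            if dst == INTERNAL.broadcast_address or dst.is_multicast:
                return "DROP", "ICMP to a broadcast address (smurf bounce)"                 # 3.9
            if p.iface == "int" and p.icmp == (8, 0):
                self.echo_pending.add((p.src, p.dst, p.icmp_id))
                return "ACCEPT", "outbound echo request recorded"
            if p.iface == "ext" and p.icmp == (0, 0):
                if (p.dst, p.src, p.icmp_id) in self.echo_pending:
                    self.echo_pending.discard((p.dst, p.src, p.icmp_id))
                    return "ACCEPT", "echo reply matches an outbound request"              # stateful
                return "DROP", "unsolicited echo reply"                                     # 3.9
            if p.iface == "ext" and p.icmp == (3, 4):
                # kept even though 3.8 drops incoming ICMP: without it path MTU discovery breaks
                return "ACCEPT", "fragmentation-needed from the path"
            if p.iface == "ext":
                return "DROP", "other external ICMP"                                         # 3.8
            return "ACCEPT", "ICMP leaving the LAN"
        if p.iface == "ext" and p.proto == "TCP" and p.dport in (80, 443):
            return "ACCEPT", "published web service"
        if p.iface == "int":
            return "ACCEPT", "outbound traffic from the LAN"
        return "DROP", "default deny"

# Constructed packet sequence exercising each rule in order
CONSTRUCTED = [
    Pkt("ext", "TCP", "192.168.1.20", "192.168.1.5", 80),                 # forged internal source
    Pkt("int", "TCP", "10.9.9.9", "203.0.113.9", 80),                     # forged source leaving the LAN
    Pkt("ext", "TCP", "203.0.113.66", "192.168.1.5", 80),                 # listed SYN-attack source
    Pkt("ext", "ICMP", "203.0.113.9", "192.168.1.255", icmp=(8, 0)),      # smurf bounce attempt
    Pkt("int", "ICMP", "192.168.1.5", "203.0.113.9", icmp=(8, 0), icmp_id=7),
    Pkt("ext", "ICMP", "203.0.113.9", "192.168.1.5", icmp=(0, 0), icmp_id=7),   # matching reply
    Pkt("ext", "ICMP", "203.0.113.9", "192.168.1.5", icmp=(0, 0), icmp_id=7),   # replayed reply
    Pkt("ext", "ICMP", "203.0.113.9", "192.168.1.5", icmp=(0, 0), icmp_id=99),  # never requested
    Pkt("ext", "ICMP", "203.0.113.9", "192.168.1.5", icmp=(3, 4)),        # fragmentation needed
    Pkt("ext", "ICMP", "203.0.113.9", "192.168.1.5", icmp=(8, 0)),        # inbound ping (3.8)
    Pkt("ext", "TCP", "203.0.113.9", "192.168.1.5", 80),                  # web request
    Pkt("ext", "TCP", "203.0.113.9", "192.168.1.5", 23),                  # telnet: no rule permits it
    Pkt("int", "TCP", "192.168.1.5", "203.0.113.9", 443),                 # outbound HTTPS
]

def evaluate(packets=CONSTRUCTED):
    """Run the packets through one filter instance in order and return the verdicts."""
    fw = StatefulFilter()
    return [fw.decide(p)[0] for p in packets]
```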
AUTHOR’S PROFILE
Alok Pandey is Senior Systems Manager and faculty member at B.I.T. (MESRA), Jaipur Campus. His qualifications include B.E. (EEE) and MBA. He has also done MCSE, RHCE, CCNA, IBM Certified E-Commerce and a diploma in Cyber Law. He has a rich industrial working experience of more than 17 years and also a teaching experience of about 9 years in the areas of Data Communication and Computer Networks, Information Security, E-Commerce, Systems Management, ERP etc. He is also a member of CSI, IAENG and ISOC. His research interests include Computer Networks and Network Security.