Computer Communications 22 (1999) 885–897

Review

TCP/IP security threats and attack methods

B. Harris a, R. Hunt b,*
a
Enterprise Risk Services, Deloitte Touche Tohmatsu, Wellington, New Zealand
b
Department of Computer Science, University of Canterbury, Private Bag 4800, Christchurch, New Zealand
Received 29 June 1998; received in revised form 2 February 1999; accepted 2 February 1999

Abstract
The TCP/IP protocol suite is vulnerable to a variety of attacks ranging from password sniffing to denial of service. Software to carry out
most of these attacks is freely available on the Internet. These vulnerabilities—unless carefully controlled—can place the use of the Internet
or intranet at considerable risk. This article classifies a range of known attack methods focusing in particular on SYN flooding, IP spoofing,
TCP sequence number attack, TCP session hijacking, RST and FIN attacks and the Ping O’ Death. The article concludes with an examination
of the vulnerabilities of the common protocols carried by TCP/IP (including SMTP, Telnet, NTP, Finger, NFS, FTP, WWW and X windows)
and proposes configuration methods to limit their vulnerability. q 1999 Elsevier Science B.V. All rights reserved.
Keywords: SYN flooding; IP spoofing; TCP sequence number attack; TCP session hijacking; Ping O’ Death; TCP/IP service threats

1. Introduction diverse array of serious attacks. For example, 44%

The 1998 Computer Crime and Security Survey [1]
conducted by the Computer Security Institute (CSI) and
Federal Bureau of Investigation (FBI) reports a continuing
growth in US computer crime. The survey received
responses from 520 security practitioners covering a
cross-section of US corporations, government agencies,
financial institutions and universities. The following points
summarise a number of the most interesting results:
• 64% of respondents reported computer security breaches
in the twelve months prior to March 1998. This figure
represents an increase of 16% over the “1997 CSI/FBI
Computer Crime and Security Survey” results, in which
48% of respondents reported unauthorised use. The 1998
survey represents a 22% over the initial 1996 survey, in
which 42% acknowledged unauthorised use.
• Although 72% of respondents acknowledge suffering
financial losses from such security breaches, only 46%
were able to quantify their losses. The total financial
losses for the 241 organisations that could put a dollar
figure on them adds up to US$136 822 000. This figure
represents a 36% increase in reported losses over the
1997 figure of US$100 115 555.
• Security breaches detected by respondents include a
* Corresponding author. Tel.: 1 64-3-3642347; fax: 1 64-3-3642999.
E-mail addresses:
reported unauthorised access by employees, 25%
reported denial of service attacks, 24% reported system
penetration from the outside, 18% reported theft of
proprietary information, 15% reported incidents of finan-
cial fraud, and 14% reported sabotage of data or
networks.
• The most serious financial losses occurred through
unauthorised access by insiders (18 respondents reported
a total of US$50 565 000 in losses), theft of proprietary
information (20 respondents reported a total of
US$33 545 000 in losses), telecommunications fraud
(32 respondents reported a total of US$17 256 000 in
losses) and financial fraud (29 respondents reported a
total of US$11 239 000 in losses).
• The number of organisations that cited their Internet
connection as a frequent point of attack rose from 47%
in 1997 to 54% in 1998. This represents a 17% increase
over the initial 1996 figure of 37%. Significantly, the
number of respondents citing their Internet connection
as a frequent point of attack is now equal to the number
of respondents citing internal systems as a frequent point
of attack. In the past, internal systems have been consid-
ered the greatest threat, however, it is not the internal
threat that has diminished, but simply that the threat
from outside, e.g. Internet connections, has increased.
Although these statistics are helpful when analysing

[email protected] (B. Harris); [email protected] attack trends and for determining where threats lie, they
bury.ac.nz (R. Hunt) do not provide an understanding of the attacks themselves.
0140-3664/99/$ - see front matter q 1999 Elsevier Science B.V. All rights reserved.
PII: S0140-366 4(99)00064-X
886 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897

It is essential that attack methods are understood, especially • Information Theft: Using knowledge of certain Internet
when developing security policies and procedures that services, such as NFS, hackers can spoof the host authen-
address the right problems in the most effective and efficient tication mechanism to gain access to sensitive informa-
ways. tion. If a hacker has access to a valid password, then
The following points introduce a few of the most depending on the level of access it provides, sensitive
common attacks [2] used by both internal and external organisational information and data may be at risk.
attackers: Computer Weekly reported findings by the CSI which
indicated that information theft rose 260% from 1985
• Password Guessing: It is relatively easy to obtain a pass-
to 1993. Of 8932 attacks, 7860 were successful, but
word cracking program such as “Crack”. 2 These
only 19 were reported [4]. A properly configured firewall
programs use standard and non standard dictionaries,
can help prevent unauthorised access by providing coun-
and simply try to guess an account’s password. Usually,
termeasures such as strong authentication or network
such programs find at least 10% of the passwords chosen
encryption.
by users [2]. Educating users as to the correct selection
• Denial of Service: This is a class of attack designed to
and use of passwords is the most effective solution.
prevent the use of computers and networks by legitimate
• Password Sniffing: The Computer Emergency Response
users. Some attacks, such as “Ping O’ Death”, can
Team (CERT) Co-ordination Centre estimates that in
completely shut down or disable equipment and services.
1994 more than 100 000 systems were the victim of pass-
For example, it is possible to send ICMP redirect
word sniffers. These programs are usually placed once a
messages to a host or router telling it to stop sending
hacker gains entry to a system. The programs monitor all
IP datagrams to all or part of a network. More common
IP traffic, gathering the first 128 or so bytes of every
are flooding attacks, e.g. SYN flooding, which overloads
Telnet or FTP session. The best defence is to employ
a computer or network so that it spends all of its time
one-time password schemes.
responding to illegitimate messages and requests. Solu-
• IP Spoofing: There are a number of IP spoofing attacks
tions include placing services on separate hosts so if one
which take advantage of the information contained
is flooded the others will continue to function, or using a
within the IP packet header. For example the Christmas
properly configured firewall to filter out dangerous proto-
Day attack on Tsutomu Shimomura 3 involved forging
cols, such as ICMP redirect messages.
the source address of the IP packets so they looked as
• Information Destruction: In some cases an attacker’s
if they were generated from within Shimomura’s
intentions may be purely malicious where the aim of
network. Another IP attack involves loose source routing
their attack is the destruction of an organisation’s infor-
of IP packets. The attacker manipulates the IP header’s
mation. Related to this is unauthorised data modification,
source routing option to change the path the packets
for example an attacker may wish to confuse experimen-
should take. Properly configured firewalls capable of
tal results, or alter the number of units sent to a customer.
packet filtering provide the best means of defence against
Obviously, the reasons behind such attacks are complex-
these types of attacks [3].
they may be driven by revenge, corporate rivalry, or just
Some attacks such as password sniffing and IP spoofing plain delinquency. It is easy to think of many situations
are much easier for an attacker who is internal to the orga- in which an organisation could suffer such attacks.
nisation as these attacks require access to the IP datagrams.
The following sections look at the vulnerabilities
It is difficult (even impossible) to do this on the Internet
exploited by attackers, and focuses on the TCP/IP protocol,
unless the attacker controls a routing node. Although these
and on the applications that it underlies.
attacks are only practical due to the presence of a vulner-
ability, it is important to consider the reasons behind their
launch so that risks can be fully understood. The following 2. Threats to the TCP/IP protocol
points describe a few of the reasons an attack may be
conducted: This section describes a number of common attacks
which exploit the limitations and inherent vulnerabilities
2
in the TCP and IP protocols.
“CRACK” is available at ftp://ftp.cert.org/pub/tools/crack.
3
On Christmas Day, 1994, a hacker launched a sophisticated “IP spoof- • SYN flooding
ing” attack against the home computer of a computer security expert, • IP Spoofing
Tsutomu Shimomura, a researcher at the federally financed San Diego • Sequence number attack
Supercomputer Center in California. Over a two week period Shimomura
pursued and eventually tracked the hacker to computers on which Shimo-
• TCP session hijacking
mura’s stolen files were found. The hacker was finally identified as federal • RST and FIN denial of service attack
fugitive Kevin Mitnick, and subsequently arrested on February 15, 1995 by • Ping O’ Death
FBI agents. The following WWW-addresses provide links to a great deal of
interesting information regarding the Christmas Day attack and Kevin These attacks were chosen because software to launch
Mitnick; http://www.gulker.com/ra/hack/ and http://www.mitnick.com/. them (including source code) is freely available on the
 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897
Fig. 1. TCP SYN flood attack.
Internet. They are also the most common and practical
attacks used by attackers on the inside and outside of
organisations networks.
2.1. SYN flooding
2.1.1. Description
SYN flooding occurs when a server receives more incom-
plete connection requests than it can handle [5]. In 1996
both 2600 4 and Phrack 5, two of the largest and most well-
known of the underground hacker magazines, released
source code that automated this attack.
Under normal conditions hosts that wish to exchange data
over a TCP connection must initiate the session using a 3
step process known as the 3-way handshake. The SYN flood
attack is based on preventing the completion of the 3-way
handshake—in particular the server’s reception of the TCP
ACK flag.
Unlike a normal TCP connection request, the SYN flood
attack withholds the final ACK packet which leaves a
server’s port in a half-open state. The attack succeeds
because the number of half-open connections that can be
supported per TCP port is limited. When the number of half-
open connections is exceeded the server will reject all
subsequent incoming connection requests until the existing
requests time out, usually after 75 s creating a denial-of-
service condition.
To initiate the SYN flood attack, the attacking host sends
a number of SYN requests to the target TCP port (e.g. the
Telnet daemon) to fill up its concurrent connection request
(or backlog) queue—the exact number depends upon the
operating system (see [6]). This allows a server (i.e. listen-
ing port) to queue concurrent connection requests for later
processing. To achieve this the details of each pending
connection request are stored in a memory structure.
4
The 2600 WWW-site is available at http://www.2600.com/.
5
The Phrack WWW-site is available at http://www.phrack.com/.
887
Obviously, this queue must be bounded otherwise an
attacker could make unlimited connection requests to a
TCP port and consume all of the server’s memory
resources—which in itself would constitute a denial-of-
service attack!
The attacking host must ensure that the source IP-address
is spoofed to be that of a routable but unreachable host, as
the target host will be sending its response to this address. IP
(by way of ICMP) will inform TCP that the host is unreach-
able, however, TCP considers these errors to be transient
and leaves their resolution up to IP (reroute the packets,
etc)—in effect ignoring them. The IP destination address
must be unreachable because the attacker does not want any
host to receive the SYN/ACKs sent by the target host, as this
would elicit an RST from that host and defeat the attack.
Fig. 1 shows the steps involved in launching a TCP SYN
flood attack. To begin (step 1) the attacking host sends a
multitude of SYN requests to the target to fill its backlog
queue with pending connections. Once the target receives
this request it responds with SYN/ACKs (step 2) to what it
believes is the source of the incoming SYNs. Once the back-
log queue is full all further requests to the TCP port will be
ignored until the original requests begin to time out and
reset—normally after 75 s. After each time out (step 3)
the server port sends a RST to the unreachable client. At
this point the attacker must repeat the process again (from
step 1) to maintain the denial-of-service attack.
To make this attack more difficult to detect and respond
to, the software randomises the source address of the IP
packets sent by the attacking host. Thus, the target host
receives packets that appear to be from all over the Internet,
assuring the attackers anonymity.
2.1.2. Countermeasure
There are several ways of reducing the effectiveness of
the SYN flood attack. The first relies on ISPs being respon-
sible enough to block IP packets with non-internal addresses
from leaving their network and reaching the Internet. There-
fore, an attacker would have to send packets with an official
IP source address which in most cases would lead back
(through audit logs) to the owner of the account that the
attack was being launched from. This lack of anonymity
would deter most attackers, although skilled and determined
attackers would use accounts that had been compromised or
they could launch attacks through sites that do not regulate
Internet traffic.
Other preventative methods require changes to the
network aspects of the operating system, or the addition of
intrusion detection tools. For example a list of connection
requests could be kept with details of their source address,
TTL (Time to Live), sequence numbers, windows size etc.
These variables could then be analysed for suspicious activ-
ity, which, if detected, would result in an RST being sent to
allow new connections to be made. Other solutions rely on
increasing the size of the backlog queue and randomly drop-
ping half-open connection requests when the queue is full.
888 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897
Fig. 2. TCP 3-way handshake and data transfer.
2.2. IP spoofing, TCP sequence number prediction, and TCP
session hijack
2.2.1. IP spoofing
IP spoofing is an attack in which the attacker imperso-
nates a host (or a legitimate user) at the IP layer. In most
cases the objective is to attack the trust-relationship between
two hosts, this relationship depends upon the source IP
address to correctly authenticate a host. The attack is only
possible if the target host has a trust-relationship with at
least one other host. The most popular trust-relationship is
provided by the .rhosts file found on Unix operating
systems, although many others exist, e.g. the Unix files
hosts.allow, hosts.equiv, etc. The .rhosts file allows a user
to build a set of trusted hosts applicable only to themselves.
For example, suppose that the t ray/.rhosts file on the host
huia.canterbury.ac.nz contained the lines:
kaka.canterbury.ac.nz
matata.canterbury.ac.nz
This .rhosts file would allow an account named ray on
kaka or on matata to rlogin into ray’s account on huia with-
out typing a password!
In itself IP spoofing is quite simple, all the attacker has to
do is generate an IP datagram with a forged source address.
This is done by creating an IP datagram from scratch using
RAW-Sockets. 6 The target host has no way of determining
that an IP datagram has been spoofed, all it has to rely on is
the IP source address. On its own, IP spoofing is mostly
limited to providing anonymity for an attacker launching
attacks against the IP layer, e.g. SYN flooding, ICMP redir-
ects, ping flooding, etc. Therefore, to complete the attack
against trust-relationships described above, the attacker
must combine IP spoofing with TCP sequence number
prediction—this provides the attacker with a delivery
mechanism for sending application data to the target host.
6
The term “Raw-Sockets” refers to the ability in 4.2BSD derived socket
implementations to access the network layer instead of the transport layer.
For example, the programmer could directly format the fields within the IP
datagram to generate ICMP echo requests (i.e. Ping).
2.2.2. TCP sequence number prediction
TCP sequence number prediction is used by attackers to
attack TCP sessions, and takes advantage of the fact that
TCP is a sequenced data delivery protocol. TCP segments
are encapsulated within IP datagrams, and as a result there is
no guarantee that the datagrams will follow the same route
and therefore arrive in the order they were sent. Also
network errors may require datagrams to be resent. The
TCP protocol uses sequence numbers to ensure that the
application layer receives data in the same order that it
was sent. Although this is a simple and effective method
of ensuring a sequenced data stream, it unfortunately intro-
duces a vulnerability. If an attacker can guess the correct
sequence number they can then generate their own TCP
segments that will be accepted by the target host’s TCP
layer.
There are really two variations on this attack depending
upon how early the TCP session is attacked. Fig. 2 shows the
three steps of a normal the TCP 3-way handshake, if
successful both the client and server proceed to step 4 and
can exchange data. The attacker can choose to attack the
TCP handshake to take advantage of a trust relationship—
often referred to as IP spoofing but to avoid ambiguity will
be known here as TCP spoofing. Alternatively the attacker
can wait until step 4 to take over a legitimate TCP session—
referred to as TCP session hijacking. Full technical discus-
sions regarding TCP sequence number prediction and TCP
session hijacking can be found in [7–10].
There are two ways to carry out TCP spoofing attacks;
• Non-Blind Spoofing: In this case the attacker is on the
same network path as the spoofed and target hosts (e.g.
Ethernet 10Base-T LAN) and has direct access to the IP
datagrams which contain the TCP segments. Therefore,
sequence number prediction is trivial because the
attacker simply uses a protocol analyser to capture the
TCP segments and obtain the required sequence number.
• Blind Spoofing: Is more difficult because the attacker is
not on the same network path as the spoofed and target
hosts, therefore direct access to the IP datagrams and
TCP segments is not possible. Instead the attacker must
attempt to guess the correct initial TCP sequence
number, the success of which depends upon the mechan-
ism being used to generate it. There are three mechan-
isms in common use:
• 64K rule: this is the simplest mechanism and surpris-
ingly is still used, or can be found on hosts running
older operating systems (e.g. OSF, SunOS). Most
spoofing programs still provide support to take advan-
tage of this rule. The rule is implemented as follows:
increase the initial sequence counter every second
with a constant (normally 128 000).
if there is a connection initiated, increase the sequence
counter with another constant (normally 64 000).
Obviously, such a mechanism is very easy to
 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897
Fig. 3. Example of a blind spoofing attack.
predict, especially as the sequence counter is only
altered once per second—a very large period in
network time!
• time related generation: is a very popular and simple
mechanism which allows the sequence number
generator to generate time dependant values. The
number generator is seeded at boot time, and is
increased on a regular basis (e.g. ms) by an x number
of time-units. Note that time-units on computers are
not necessarily perfect, nor are all time-units of equal
length, depending on how they are measured and on
the load of the computer, etc. This variability
increases the difficulty of predicting a correct
sequence number.
• pseudo-random generation: in an effort to foil the
prediction of initial sequence numbers newer operat-
ing systems are using pseudo-random number genera-
tors to generate the values—which makes prediction
nearly impossible.
889
In both cases the attacker must ensure that the spoofed
host is unreachable, otherwise it will receive a SYN/ACK
(see step 2 in Fig. 2) from the target host in response to the
attacker’s spoofed connection request. However, the
spoofed host has no knowledge of initiating a connection
request and will send an RST to the target host which will
abort the connection and defeat the attack. The attacker
normally has two options to deal with this problem, either
to wait until the spoofed host is unreachable because of
maintenance, or take it off-line with a denial-of-service
attack such as a SYN flood. Fig. 3 depicts a blind spoofing
attack.
From the attacker’s perspective blind spoofing is difficult
because all replies from the target host are sent to the
spoofed host. Therefore, the attacker cannot determine
directly the success or failure of their attack. However,
there are ways for attackers to turn a blind spoof into a
non-blind spoof. This is achieved by using source routed
IP datagrams [11], or by directly effecting the routing tables
890 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897
Fig. 4. Example of a TCP session hijack.
of intermediary gateways and routers. Source routing 7 is a
feature (an option) of the IP protocol which allows the
sender to specify a route for an IP datagram to follow.
The route is recorded in the IP header and the receiver
uses the reverse of this to send replies. Therefore, an
attacker could send source routed IP datagrams appearing
to come from the spoofed host and including a route that
sends replies back past the attacker. This is one reason why
it is important to drop source routed IP datagrams, espe-
cially those originating from untrusted networks.
In addition to source routing, it is also possible to change
the routing tables of gateways and routers by sending
spoofed routing packets using protocols, such as, RIP,
BGP4, etc. As with source routed IP datagrams it is impor-
tant to ensure that gateways and routers ignore or respond
7
Source routing allows the sender to specify the route of an IP datagram.
Two forms are provided; strict and loose source routing. Strict source
routing allows the sender to specify the exact path that the IP datagram
must follow. Loose source routing allows the sender to specify a list of IP
addresses that the datagram must traverse, but the datagram can also pass
through other routers between any two addresses in the list.
sensibly to the routing information they receive. In most
cases though the Internet routes are stable enough so that
all routing packets can be ignored.
2.2.3. TCP session hijacking
The final attack, based on IP spoofing and TCP sequence
number prediction, is TCP session hijacking which can be
carried out against any TCP based application, e.g. Telnet,
rlogin, FTP, etc. The only requirement is that the attacker
has access to the IP datagrams sent between the target and
spoofed hosts as this is necessary to obtain the correct
sequence number. Once the attacker has a sequence number,
a TCP segment can be sent, effectively taking over the
connection—all further packets sent by the spoofed host
will be ignored by the target host because the sequence
numbers will be incorrect. An example of TCP session
hijacking is shown in Fig. 4.
Generally, TCP hijacking is used to take over a Telnet
session. Telnet is a particularly easy protocol to hijack
because it simply passes a stream of bytes between the client
and the server. All the attacker has to do is to insert their
commands (as a sequence of bytes) into the spoofed TCP
 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897
data segments. The server will reassemble the TCP
segments into command strings which will then be executed
as though the legitimate user had typed them. The only
evidence of this attack is that the legitimate user’s Telnet
session hangs because it never receives conformation of the
segments it sends, and will simply continue to resend them.
After a few seconds the user will probably attribute the
inactivity to “Murphy’s Law” and begin a new session.
TCP session hijacking has a number of benefits over other
attacks, such as sniffing IP datagrams for passwords, espe-
cially when advanced identification and authentication
techniques are in use. For example it is pointless to sniff
one-time passwords, or responses to challenges issued by
cryptographic authentication mechanisms, e.g. S/Key,
SecureID, Lockout, etc. However, because all of these
advanced authentication techniques happen at connection
time, no protection is afforded by them after this point.
Therefore, the attacker simply hijacks a legitimate connec-
tion to gain entry to a system. This has the added advantage
of appearing to the operating systems security mechanisms
as the legitimate user!
2.2.3.1. Countermeasure. Again, the simplest and most
effective defence against IP spoofing, TCP spoofing, and
TCP session hijacking lies with those organisations
providing access to the Internet. If all of these
organisations were responsible enough to prevent IP
datagrams with source addresses originating from outside
their networks from reaching the Internet, the attacks
described above could not be carried out.
Unfortunately, there are many organisations that provide
unregulated Internet access. Therefore other means for
protecting against spoofing and hijacking attacks must be
used. The simplest and most effective is for an organisation
to block all the IP datagrams from the Internet that are
source routed, or that have source addresses originating
from the internal network. A properly configured firewall
can be used to enforce such a policy.
Also, trust relationships (e.g. .rhosts) between hosts
communicating across the Internet should never be
permitted, unless they are used in conjunction with strong
authentication and cryptography 8 —they are simply too
vulnerable! In fact, strong authentication and cryptography
should be used with all TCP services (e.g. such as Telnet,
FTP, etc) where it is possible that an untrusted user could
gain more than a very basic control over the operating
system hosting the service. For example, an anonymous
FTP server that provides read-only access to files can be
adequately protected by the security mechanisms in existing
operating systems, such as Unix, and Windows NT. It is also
important to assess the threat—for instance it is unlikely
that an attacker would go to the trouble of hijacking an
8
It is important to note that strong authentication and cryptography are
not mutually exclusive. For example SSL can provide session encryption
and strongly authenticate both the client and the server.
891
anonymous FTP session! However, providing remote FTP
access across the Internet to the superuser for uncontrolled
read and write access has far greater implications. In such a
case both strong authentication and cryptography are
required, because the risk to the operating system by allow-
ing such a connection would be too high.
It is essential to understand the possible threats and
vulnerabilities introduced by connecting to untrusted
networks so that the risks can be accurately assessed. It is
not enough to consider the risks posed by applications (e.g.
FTP, Telnet, WWW, etc.) alone—it is equally important to
understand the risks posed by the network protocols, such as
TCP, IP, and the many others outside the scope of this
section such as IPX/SPX, NETBUEI, SNA, etc.
2.3. RST and FIN attack
2.3.1. Description
As mentioned previously TCP packets have control flags
which indicate the status of a segment. There are two flags
in particular, RST and FIN, which can be used for denial-of-
service attacks. Under normal circumstances the RST flag is
used to reset a connection, while the FIN flag indicates that
no more data will be sent. As with TCP session hijacking,
the only requirement for this attack to be practical is that the
attacker must have access to the IP datagrams sent between
the target and spoofed hosts. This is necessary so that a
protocol analyser can be used to collect the IP datagrams
and obtain correct TCP sequence numbers.
For an RST or FIN to be accepted, the TCP segment need
only have the correct sequence number as the acknowledge-
ment number field (ANF) is not used (i.e. there is no ACK in
a RST segment). Therefore, the attacker simply analyses the
IP datagrams in the connection between the target and
spoofed hosts, and calculates (from the target host’s
ACKs) the sequence number that the target host would
expect the next TCP segment from the spoofed host to
contain. The attacker then generates a TCP segment with
the RST flag set and sends it in a spoofed IP datagram (i.e.
containing the spoofed host’s IP address in the source
address field), to the target host. On receipt, the target
host will close the connection with the spoofed host.
A very similar attack can be launched with the FIN flag,
which is the normal way that a TCP connection is closed.
The attacker uses a protocol analyser to predict the correct
sequence number, using it to construct a TCP segment with
the FIN flag set. This is then sent to the target host which
assumes that the spoofed host has no more data to send. Any
further TCP segments sent by the spoofed host are ignored
because the target host assumes that they are network errors.
The advantage of a FIN based attack is that TCP mandates
that on receiving a segment with the FIN flag set, the host
must reply with one of its own. From the attacker’s perspec-
tive, the beauty of this attack is that it can be 100% guar-
anteed to be successful!
892 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897
2.3.2. Countermeasures
Normally, RST and FIN attacks are only applicable to the
internal networks of an organisation. The reason for this is
that an attacker needs to analyse the IP datagrams sent by
either the target or spoofed host to determine the correct
sequence number. For the attacks to be carried out on the
Internet the attacker would have to have access to an Inter-
net routing node at some point between the hosts being
attacked—for most attackers access to such resources is
impossible.
Denial-of-service attacks can prove to be particularly
malicious. Take for example a critical online database that
has an HTML interface which allows users to enter data. A
malicious attacker could continually interrupt the commit
phase (i.e. where the data is sent from the WWW-browser to
the WWW-server) to prevent users from completing their
work, or to corrupt the database. As a further example
consider a WWW server that provides information to
users. Here an attacker could indiscriminately close connec-
tions during downloads causing many browsers to hang.
These attacks would cause a great deal of confusion and
be particularly difficult to resolve, i.e. is it a software,
network, or hardware fault? Assuming the attacker does
not wish to be caught they would stop their attack once an
investigation was initiated and resume it once the investiga-
tion had finished—the infuriating, unpredictable, intermit-
tent fault!
Unfortunately, configuring routers and gateways on the
internal network to block such attacks is difficult, and often
impracticable because of the distributed nature of user
groups and information resources. In such environments
there is little that can be done to protect against such
denial-of-service attacks.
2.4. Ping O’ death
2.4.1. Description
The Ping program tests whether a host is reachable by
sending it an ICMP echo request message and receiving an
ICMP echo in reply. Ping also measures the round—trip
time to the host, which provides an indication as to how
distant the host is, and is helpful for determining whether
the intervening network is congested.
IP datagrams can be a maximum size of 65 535 (2 16 2 1)
octets, which includes the header length (typically 20 octets
if no IP options are specified). Datagrams that are larger
than the maximum size that the underlying link layer can
handle—the Maximum Transmission Unit (MTU)—are
fragmented into smaller datagrams which are then reas-
sembled by the receiver. For Ethernet based networks the
MTU is typically 1500 octets, while on the Internet the
MTU is usually 576 octets.
The ICMP echo request resides within the IP datagram,
and consists of eight octets of ICMP header information
(RFC-792 [12]]) followed by the number of data octets in
the “Ping” request. Hence the maximum allowable size of
the data area is 65 535 2 20 2 8 ˆ 65 507 octets.
What makes the “Ping O’ Death” attack possible is the
ability to send an echo request datagram with more than
65 507 octets of data, and because of the way IP fragmenta-
tion is performed. IP fragmentation relies on an offset value
in each fragment to determine the order in which the indi-
vidual fragments should be reassembled. Thus on the last
fragment, it is possible to combine a valid offset with a
suitable fragment size such that (offset 1 size) . 65 535.
Since operating systems typically do not process the data-
gram until they have reassembled all the fragments, there
exists the possibility of overflowing internal variables, and
buffers which can lead to system crashes, reboots, kernel
dumps, etc.
Unfortunately, “Ping O’ Death” is easy to exploit, espe-
cially for those that have operating systems that allow users
to send Pings of illegal size, such as Windows 95, Windows
NT, and Linux. The following command is all that is needed
to launch the attack from Windows 95:
. ping-l 65510 your.host.ip.address
Windows 95 will reply with “Request Timed Out”, which
means that the Ping was not answered, either because the
remote host has correctly ignored the illegal Ping; or
because it is now “dead”—it is that simple!
2.4.2. Countermeasure
Once it has been determined that hosts are at risk, the best
solution is to obtain patches for the operating systems
involved. Fortunately, the “Ping O’ Death” attack is now
mainly of historical interest as most operating systems
released since 1996 are immune 9, or have patches freely
available. The attack is only possible because of insufficient
error handling within the effected operating systems, not
because of vulnerabilities inherent in the IP protocol itself.
However, if patches are not available a quick solution is
to block Ping at the firewall. Unfortunately, blocking Ping
messages also prevents legitimate use and may prevent
certain applications from functioning properly. A better
solution than blocking all Pings is to block only fragmented
Pings. This allows common and legitimate 64-byte Pings
through on most systems, while blocking those that are
larger than the MTU.
Although the focus here is on Ping, it is important to
consider that this attack is in theory applicable to any proto-
col that relies on IPv4 datagrams but which cannot deal with
those larger than 2 16 2 1 octets. Thus, it is possible that
protocols such as TCP, UDP, and even IPX could be
effected. The only completely effective solution is to secure
the operating system against buffer overflows, and variables
containing illegal values, when reconstructing IP fragments.
9
An unofficial WWW-site providing information, and a list of affected
(including available patches) and unaffected operating systems is available
at http://www.sophist.demon.co.uk/ping/index.html.
 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897
3. Threats to standard TCP/IP services
TCP/IP supports the operation of a number of well known
services (i.e. applications). Traditionally each of these
services have been associated with one or more vulnerabil-
ities. Only applications that are commonly available on a
number of operating systems, including Unix, and Windows
NT, are described here.
The intention is not to provide a detailed discussion about
all applications that exist and have potentially exploitable
vulnerabilities. Instead the following sections are intended
to provide an overview of the types of problems that are
common to applications not included here, and to provide
examples of the threats and vulnerabilities that those imple-
menting Internet, Intranet, and Extranet networks should be
aware of. For complete and detailed information about
many other applications and their vulnerabilities the reader
should consult [13–15].
3.1. Simple mail transport protocol (SMTP)
3.1.1. Description
The SMTP [16,17] is used as the basis for most electronic
mail (email). Email is the most popular Internet service [18],
allowing people to communicate by exchanging electronic
messages globally. These messages take anywhere from a
few seconds to a couple of hours to be delivered. An added
attraction is the relatively low cost of sending large
messages. Combined, these benefits give users a convincing
argument for access to email, and thus the connection of
their systems to the Internet.
For a full and easy to read description of SMTP the reader
is urged to consult [11]. It must be noted that SMTP is a
developing protocol, and as such, new threats could evolve.
RFC 1425 [19] defines the framework for adding extensions
to SMTP.
3.1.2. Threats
SMTP used by itself is a fairly benign protocol, contain-
ing only eight basic commands. These are HELO, MAIL,
RCPT, DATA, QUIT, VRFY, NOOP, and TURN. There are
two security threats associated with these commands;
• Denial-of-service
• Information gathering
Denial-of-service attacks based on SMTP are aimed at
flooding a network or computer with large email messages
to prevent legitimate use. In most cases a computer is
affected because it cannot handle large messages e.g. . 1
Megabyte, or cannot handle the load created by receiving
large numbers of messages at the same time, or running out
of storage space.
For example the Computer Fraud and Security Journal
[20] reported that a disgruntled university student was
arrested for “mail bombing” the Monmouth University
computer system in New Jersey. The attack caused massive
893
disruption to the system for two days by generating 24 000
email messages, inundating the computers and paralysing
the network. To get the systems functioning again required
44 h of work, at an approximate cost of US$4400.
The second more subtle attack involves information gath-
ering designed to provide the hacker with useful information
about a computer system and its users. For instance the
VRFY command sometimes translates a users mail alias
into their login name. This can be used to identify the
more promising accounts to attack, with tools such as
CRACK.
Most problems arise when SMTP is implemented as a
large application, such as sendmail [21]. The threat comes
from bugs, which inherently manifest themselves within
large programs, and configuration problems such as giving
the application higher privilege. These problems enabled
one of the most famous Internet security incidents—the
Internet Worm [22] to take place.
Other problems also exist with email attachments, and
automated execution of encoded messages such as Multi-
purpose Internet Mail Extensions (MIME). MIME allows
specific actions to be encoded in email messages. These
actions can request files to be automatically retrieved and
returned to the message initiator.
MIME can also be used to transfer executable programs
and Postscript files, which can themselves perform danger-
ous actions. These existing security threats are very applic-
able to new, network oriented, programming paradigms
such as Java and ActiveX.
3.2. Telnet
3.2.1. Description
Telnet [23] is designed to enable communication between
any host, regardless of the operating system. Telnet provides
simple character based terminal access, and usually requires
the user to login with an account name and password.
3.2.2. Threats
The biggest threat comes during login when initiating the
Telnet session, as standard Telnet does not protect the trans-
mission of the user’s account name or password. Anyone
monitoring the Telnet login packets over the network can
capture this information.
As with any protocol each step is predictable, therefore a
packet sniffer can be configured to simply detect any Telnet
session and record the packets containing the account name
and password.
Other threats exist, for example the Telnet program itself
could have been compromised to record passwords and
account names. A description of such a case is available
in [24].
To protect against sniffing attacks a number of secure
versions of Telnet have been implemented [25,26]. These
versions of Telnet usually encrypt both the password and
894 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897
session contents which prevents an attacker from obtaining
any useful information.
3.3. Network time protocol (NTP)
3.3.1. Description
The NTP [27] is used to synchronise the clocks of hosts
connected to the Internet. The correct time is generated by
extremely accurate atomic clocks which provide national
time synchronisation. Time updates are propagated through
a directed hierarchy of Internet hosts. The propagation path
must not contain any loops as this would cause erroneous
time transfers.
NTP provides accuracy of 10 ms or better; with such
accuracy comes the ability to match log files from different
systems. This has proved beneficial when matching audit
logs from different systems and allows an attacker’s actions
to be replayed. It also provides a mechanism for crypto-
graphic protocols to generate timestamps for authentication
purposes.
3.3.2. Threats
Attacks on NTP focus on altering a target’s sense of time.
If this succeeds, a time based authentication protocol can be
subverted by replaying a previous successful authentication
sequence. Protection against these attacks is provided in
newer versions of NTP which provide cryptographic
message authentication. NTP specifies that authentication
be carried out on a hop-by-hop basis. It is therefore possible
for an attacker to subvert a system on which the target’s
NTP daemon relies, and thus subvert the target system as
previously described. To ensure protection against this type
of attack all sources of NTP information authenticate their
sources, and so on back to the root NTP server.
3.4. Finger and whois
3.4.1. Description
The finger protocol (RFC 742) [28] provides information
on users of a specific host. Generally it is used to find out the
account name of a user and/or whether they are logged on.
In most cases the person using this command has no more
sinister motives than sending mail.
The Whois protocol [29] provides contact information
such as account name, telephone number and address. It is
useful for looking up people on systems when you do not
have there full name. For example typing “whois smith” will
return a list of people with “smith” in their name.
3.4.2. Threats
Finger can be used by hackers to collect useful informa-
tion, such as account names, and compile login profiles i.e.
the best time to attack the system is when the system admin-
istrator has finished for the day, or better still, on vacation.
Other useful information supplied can be the date a user last
logged in, and a users “plan” file which often contains useful
personal information. This information can be used to iden-
tify promising targets, and provide contextual information
to attackers for use with tools such as CRACK. The follow-
ing extract is from RFC 742 and expresses the philosophical
nature of finger. It reflects well the openness of early
networks and contrasts starkly with the more security
conscious 1990s.
To fulfil the basic intent of the Name/Finger
programs, the returned list should include at least
the full names of each user and the physical locations
of their terminals insofar as they can be determined.
Including the job name and idle time (number of
minutes since last typein, or since last job activity)
is also reasonable and useful.
The “Finger Bomb” is an interesting use of finger to
launch denial-of-service attacks against systems (Note:
this attack has been patched on newer finger services).
Some finger services allow the redirection of finger to
remote sites. To finger through several sites, an intruder
could use:
. finger username@hostA@hostB
The finger will go through host B then to host A. This
helps attackers to remain anonymous because host A will
see a finger coming from host B instead of the original host.
This technique has also been used to go through firewalls
that have not been properly configured. This can happen by
using the command:
. finger user@host@firewall
On vulnerable hosts a denial-of-service attack can be
launched by typing:
. finger@@@@@@@@@@@@@@@@@@@@hostA
The repeated @ causes the finger to recursively finger the
same machine repeatedly till the memory and hard drive
swap space fill up. This causes the machine to crash or
slow to an unusable speed.
The best countermeasure available to address the threat
from finger is to disable it entirely. If this is not possible then
finger should only be allowed to retrieve user information
from a sanitised database.
The whois protocol is susceptible to the same types of
abuse as the finger protocol, however it does not reveal
detailed information about users access habits.
3.5. Network file system (NFS)
3.5.1. Description
The NFS, RFC 1094 [30], protocol provides transparent
remote access to shared files across networks, and is
designed to be portable across different machines, operating
systems, network architectures, and transport protocols.
This portability is achieved through the use of Remote
Procedure Calls (RPC) [31].
To ensure robust NFS access in the event of system
 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897
reboots and device failures (e.g. bridges and routers) the
NFS server is stateless, unlike the clients which retain
state. When an NFS server becomes unreachable its clients
continue to send requests until they receive a reply. Thus,
the client’s functioning is not adversely effected by the loss
of an NFS server.
3.5.2. Threats
All files and directories on an NFS server are identified by
unique strings known as file handles. A threat is introduced
if a client program obtains and retains a root file handle at
mount time, which is usually when the NFS server is re-
booted. This is possible due to the inadequacies NFS access
controls.
Once access to the file system has been achieved it is
possible to change file access controls, and create subver-
sive programs and place them in search paths so that the real
ones are not used e.g. trapdoor or password gathering
programs.
3.6. File transfer protocol (FTP)
3.6.1. Description
The FTP, RFC 959 [32], enables the transfer of character
and binary files across a network. The design philosophy
does not dictate a specific host, operating system or file
structure—it is completely independent.
An FTP server uses two TCP ports to transfer a file.
Control Connection is established on Port 21, and Data
Connection on Port 20. The FTP client is free to choose
any available port.
FTP has become the standard for publishing software,
data, and documents on the Internet. However Adobe Acro-
bat and Hyper Text Transfer Protocol (HTTP) using the
Hyper Text Markup Language (HTML) are becoming popu-
lar for documents.
3.6.2. Threats
The major threat to FTP comes from improperly managed
FTP services. For example if an organisation runs a public
FTP service but does not separate its sensitive organisa-
tional data, then with today’s network speeds it may be
possible to download all the sensitive data in a matter of
minutes. FTP services should be restricted to certain, well
managed, file areas.
FTP has been used to gain access to password and remote
host files by exploiting deficiencies in management of the
service. For example, if file areas are not controlled then the
user is able to change access controls to files. It may be
possible to insert false password or remote host files,
which can then be used to gain access to other hosts.
Like Telnet, the standard FTP protocol does not encrypt
passwords that are required for the user to login to a system,
so there is a high risk that the password can be compromised
by anyone listening into the network. FTP sites are also used
as promulgation points for pirated software.
895
3.7. World wide web (WWW)
3.7.1. Description
The WWW is made up of a collection of protocols speci-
fically designed for exchanging information over the Inter-
net. The original WWW protocols included Gopher, Wide
Area Information Servers (WAIS), and Archie, however,
the past four years have seen the introduction of the
Hyper Text Transfer Protocol that has revolutionised the
Internet. In fact, most laypersons associate the term
WWW exclusively with HTTP.
These protocols are generally used by clients to query
servers for specific files. HTTP also implements the client/
server model of document retrieval, in this case the client,
called a “browser”, is usually capable of multimedia
support. The server, referred to as a WWW-server, functions
in a similar manner to a standard file server, simply sending
the requested documents to the browser. However, WWW-
servers are also capable of running programs to create
HTML documents dynamically as they are requested, this
makes them very useful for maintaining documents in
dynamic environments. In fact HTTP was originally devel-
oped by physicists at CERN laboratories as a means of
exchanging papers pertaining to their research. These docu-
ments where constructed using HTML which is based on the
Standard Generalised Markup Language (SGML).
What makes HTML so attractive is that a document can
incorporate small programs that allow the content to
become dynamic. These programs, referred to as executable
content, can either be included as scripts within the docu-
ment (e.g. Java Script), or as compiled programs which are
loaded separately when the document is accessed (e.g. Java
and ActiveX).
3.7.2. Threats
There are four categories of web security threats:
• Alteration of the web site data
• Access to the web server operating system
• Eavesdropping browser–server traffic
• Impersonation of another web server
The first two currently present the greatest threats. Rogue
code can cause buffer overflow and exception conditions
that in turn provide access to the operating system. Intruders
can embed commands in web requests in such a way to trick
the web server into passing the command to the operating
system. It is therefore essential that all patches are installed
and only minimum system privileges are enabled.
More specifically transferred files can contain executable
content such as format tags which are used to identify the
program necessary to view or execute the files. Further,
firewalls and network guards must be configured to permit
outgoing HTTP connections. This means that unknown
programs contained in the HTML pages can be downloaded
onto a users computer and executed, effectively bypassing
896 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897
the firewall and any security policy that attempts to control
the unauthorised use of untrusted software.
Fortunately, several solutions have emerged to deal with
this problem. The first limits the access that the software has
to system resources. For example, Java Script runs within the
environment created by the browser and does not have direct
access to system resources (e.g. hard disk, device drivers,
memory, etc). Similar constraints are also applied to Java
applets, although these can be relaxed to some extent by the
user [33]. The most dangerous executable content is Micro-
soft’s ActiveX, these programs, known as “controls”, are in
fact executable binaries (i.e. compiled Microsoft Windows
C11 programs). They are executed by the browser in the
same manner that a user runs a program. Because of this the
ActiveX control has the same access rights to system resources
as the user running the browser. For example, an ActiveX
control downloaded by a user with administrator privileges
would have full control of the computer, and possibly other
machines if connected to a network.
Use of SHTTP (Secure-HTTP) and SSL/TLS (Secure
Socket Layer/Transport Layer Security) allow client–
servers to negotiate acceptable levels of security for parti-
cular transactions [34]. To address the problem users have in
deciding whether executable content can be “trusted”, Nets-
cape and Microsoft have developed technologies based on
public key cryptography that allow Java applet and ActiveX
control code to be digitally signed. A browser that down-
loads a signed ActiveX control or Java applet can check the
signature against a list of trusted certificates. If signed
correctly the user can choose to execute the program with
confidence that it came from a trusted source. Browsers
from Netscape and Microsoft are pre-loaded with certifi-
cates from a number of well respected organisations. The
benefit of this technique is that an organisation can remove
all default certificates and install their own, effectively
restricting executable content to that developed by the orga-
nisation. This can be enforced because the above browsers
can be configured to enforce particular security policies.
Another solution provided by many of the newer firewalls
allows HTML tags (i.e. hyper-links) that load the executable
content to be disabled. Some firewalls can also be config-
ured to check the signatures of Java Applets and ActiveX
controls, and allow through only those signed by trusted
certificates. This has the added benefit of enforcing the
security policy at a central point, rather than delegating it
to the browser where it may be possible for a user to alter the
security policy locally.
In most cases the solution to the problem of executable
content is similar to FTP and other services. That is, services
should be run in an enclosed environment with only enough
privilege to perform their task.
3.8. X window system
3.8.1. Description
The X window system [35] is a client/server application
which enables multiple clients to use the bit-mapped display
managed by a server, which also manages the keyboard, and
mouse. The client is an application program which runs on a
host with the server or on a different host.
X windows requires a reliable, bi-directional stream
protocol such as TCP. Communication between client and
server consist of 8-bit bytes. On UNIX systems where the
server and client are on the same host, UNIX domain proto-
cols are used to reduce the overhead of the TCP protocol.
3.8.2. Threats
An application which connects to an X server is able to do
a multitude of things, e.g. read the keyboard, print the
screen, read mouse movements/button presses, simulate
key-presses, resize windows, etc. If an attacker can connect
to a server and read the keyboard, the user will be compro-
mised. It is possible for an attacker on the Internet to probe
for X servers, as X server ports are assigned as 6000 1 n,
where n is some small integer, usually 0.
The X windows system uses host based authentication.
The server takes the network source address of the connect-
ing application and compares it with a list of allowable
sources. However, there is no protection from an attacker
connecting from a trusted host.
Another protection mechanism makes use of a magic
cookie which is a secret byte string which the server and
application share. Processes cannot connect to a server
unless they contain this string. The problem is communicat-
ing the secret string between application and server over a
generally unsecured network.
A similar cryptographic challenge/response protection
mechanism exists, but suffers from the same key distribu-
tion problems as the magic cookie.
4. Summary
The TCP/IP suite was never intended to offer comprehen-
sive, scaleable security mechanisms, and it is the lack of
such mechanisms that underlie most of the problems with
IPv4 and TCP. However, many solutions have been
presented here and most are readily available without
great expense. For example, there is little expense in ensur-
ing that trust relationships (e.g. rlogin) do not exist, or in
applying patches (e.g. Ping) and keeping them up-to-date.
Perhaps the most important point is that all organisations
should act responsibly to prevent malicious traffic from
reaching the Internet. As discussed most attacks to the IP
and TCP (e.g. SYN flooding, IP spoofing, etc.) could be
averted by preventing IP datagrams leaving an organisa-
tion’s network if its source address did not originate from
within. Unfortunately, not all organisations are so responsi-
ble thus attacks which could be easily prevented are still
possible.
It has also been shown that many applications pose signif-
icant risks to organisations. Most problems are caused
 B. Harris, R. Hunt / Computer Communications 22 (1999) 885–897
through deficiencies in the implementation (e.g. buffer over-
flows, unhandled exceptions, etc.) Therefore, it is essential
that applications are kept up-to-date by applying patches or
service packs that address new exploitable vulnerabilities.
Other problems are caused by uneducated users or short-
comings in the organisations security policy. Also, it
remains to be seen what problems, and financial losses,
new WWW technologies (e.g. ActiveX controls, Java
applets) will inflict.
It is expected that IPSEC and IPv6 will solve many of the
problems associated with the existing TCP and IP imple-
mentations. However, deficiencies and errors in the imple-
mentation of applications, along with corrupt employees,
will continue to introduce new generations of threats and
vulnerabilities.
References
[1] CSI/FBI Computer Crime and Security Survey. Computer Security
Institute, 1998. Available athttp://www.gocsi.com/prelea11.htm.
[2] H. DeMaio, Internet Security: Connecting Without Fear. Info Security
News (Supplement), Published by M.I. Sobol, 1995.
[3] R. Hunt, Internet/Intranet firewall security-policy, architecture and
transaction services, Computer Communications 21 (13) (1998)
1107–1123.
[4] Computer Weekly, November 16, 1995.
[5] A. Rosen, Understanding and Defending Against SYN Attacks, in:
Proceedings of Discrete Mathematics and Theoretical Computer
Science Workshop on Network Threats, National Science Founda-
tion-Science and Technology Center Piscataway, NJ, December,
1996. (http://www.gocsi.com/prelea11.htm).
[6] Project Neptune. Phrack Magazine, Vol. 7, Issue 48, July, File 13.
1996. Available at http://www.phrack.com/Archives/phrack48.zip
[7] S. Bellovin, Security problems in the TCP/IP protocol suite, Compu-
ter Communication Review 19 (2) (1989) 32–48. Available at ftp://
ftp.research.att.com/dist/internet_security/ipext.ps.z
[8] R. Morris, A weakness in the 4.2BSD UNIX TCP/IP software,
Computing Science Technical Report 117, AT&T Bell Laboratories,
February 25, 1985. Available at ftp://netlib.att.com/netlib/research/
cstr/117.z
[9] L. Joncheray, A simple active attack against TCP, Proceedings of the
5th USENIX UNIX Security Symposium, Salt Lake City, Utah, June
5–7, 1995, pp. 7–19.
[10] IP Spoofing Demystified: Trust Relationship Exploitation. Phrack
Magazine, Vol. 7, Issue 48, June, File 14, 1996. Available at http://
www.phrack.com/Archives/phrack48.zip
[11] W. Stevens, TCP/IP Illustrated: The Protocols, Addison-Wesley,
Reading, MA, 1994.
[12] J. Postel, Internet Control Message Protocol, RFC 792, September, 1981.
897
[13] W. Cheswick, S. Bellovin, Firewalls and Internet Security—Repel-
ling the Wily Hacker, Addison-Wesley, Reading, MA, 1994.
[14] S. Garfinkel, G. Spafford, 2, Practical UNIX and Internet Security,
April, O’Reilly and Associates, Sebastopol, CA, 1996.
[15] C. Hare, K. Siyan, Internet Firewalls and Network Security, 2, New
Riders Publishing, Indianopolis, IN, 1996.
[16] R. Braden (Ed.), Requirements for Internet Hosts-application and
support, RFC 1123, October, 1989.
[17] J. Postel, Simple Mail Transfer Protocol, RFC 821, August, 1982.
[18] R. Caceres, P. Danzig, S. Jamin, D. Mitzel, Characteristics of wide-
area TCP/IP conversations, Computer Communication Review 21 (4)
(1991) 101–112.
[19] F. Klensin, T. Rose, E. Stefferud, D. Crocker, SMTP Service Exten-
sions, RFC 1425, February, 1993.
[20] Computer Fraud and Security Editorial, February, Elsevier, Amster-
dam, 1996 p. 3.
[21] B. Costales, E. Allman, N. Rickert, Sendmail, O’Reilly and Associ-
ates, Sebastopol, CA, 1993.
[22] E. Spafford, An analysis of the Internet worm, Proceedings of the
European Software Engineering Conference, September, 1989. Avail-
able at ftp://ftp.cs.purdue.edu/pub/spaf/security/IWorm.PS.Z
[23] J. Postel, J. Reynolds, Telnet Protocol Specification, RFC 854, May,
1983.
[24] D. Safford, D. Schales, D. Hess, The TAMU security package: An
ongoing response to Internet intruders in an academic environment,
Proceedings of the Fourth Usenix UNIX Security Symposium, Santa
Clara, CA, October, 1993, pp. 91–118. Available at http://www.ta-
mu.edu/pub/mirrors/net.tamu.edu/tamu-security-overview.ps.gz
[25] D. Borman, Telnet Authentication Option, RFC 1416, February,
1993.
[26] D. Safford, D. Hess, D. Schales, Secure RPC authentication (SRA) for
Telnet and FTP, Proceedings of the 4th Usenix UNIX Security
Symposium, Santa Clara, CA, October, 1993, pp. 63–67.
[27] D. Mills, Network Time Protocol (version 3) specification, implemen-
tation and analysis, RFC 1305, March, 1992.
[28] K. Harrenstien, Name/Finger Protocol, RFC 742, December 30, 1977.
[29] K.M. Harrenstien, V. White, Nicname/Whois. RFC 812, March 1,
1982.
[30] Sun Microsystems, NFS: Network File System Protocol Specification,
RFC 1094, March, 1989.
[31] RPC: Remote procedure call protocol specification: Version 2, RFC
1057, June, 1988.
[32] J. Postel, J. Reynolds, File Transport Protocol, RFC 959, October,
1985.
[33] A. Rubin, Blocking Java Applets at the Firewalls, Proceedings of
Discrete Mathematics and Theoretical Computer Science Workshop
on Network Threats, National Science Foundation, Science and Tech-
nology Center, Piscataway, NJ, December, 1996. (http://dimacs.rut-
gers.edu/Workshops/Threats/program.html).
[34] B.C. Soh, S. Young, Network system and world wide web security,
Computer Communications 20 (1998) 1431–1436.
[35] R. Sceifler, J. Gettys, X Window System, 3, Digital Press, Belford,
MA, 1992.