Internet Security Attacks at the Basic Levels

Marco de Vivo Gabriela O. de Vivo G e r m i n a l Isern

[email protected] [email protected] [email protected]
Apartado Postal 68274
Caracas, Vene~aela.
GIRAS U.C.V. I

fidence in the policies defined for the CCaTe~ (as

planned) management, of an environment. Thus, as
Abstract strange as it may appear, it is possible to have a weak
The Internet put the rest of the world at the reach of security p o l i c y even when using a very sound
our computers. In the same way it also made our mechanism of protection. As an example, imagine a
computers reachable by the rest of the world. Good user who systematically selects as her password (a
news and bad news!. Over the last decade, the Internet strong protectio~ mechanism) the same as her login
has been subject to widespread security attacks. Besides name (a very weak security policy indeed!T).
the classical terms, new ones had to be found in order The cases analyzed in this paper are mainly related to
to designate a large collection of threats: Worms, faulty protection mechanisms: bad design, wrong im-
break-ins, hackers, crackers, hijacking, phrackers, plementations and poor integration are at the base of
spoofing, man-in-the-middle, password-sniffing, de- most of the attacks, including those directed to exploit
nial-of-service, and so on. wrong security decisions.
Since the Intemet was born of academic efforts to Active vs. Passive attacks:
share information, it never strove for high security A successful attack is usually achieved through several
measures. In fact in some of its components, security active or passive sub-attacks. In active attacks, the in-
was consciously traded for easiness in sharing. trader interacts with the target system and tries to in-
Although the advent of electronic commerce has fluence its behavior. These attacks involve some modi-
pushed for "real security" in the Interact, there is yet a fication of the data stream or the creation of a false
huge amount of users (including scientists) very stream. In passive attacks, the intruder just collects in-
vulnerable to attacks, mostly because they are not formation related to (usually proceeding from) the se-
aware of the nature (and ease) of the attacks and still lected victim, and, normally 1, no alteration of the data
believe that a "good" password is all they need to be is involved. Passive attacks are in the nature of eaves-
concerned about. dropping on, or monitoring of, transmissions (e.g.,
We wrote this paper aiming for a better understanding sniffing devices and keystrokes capturing programs).
of the subject. In the paper we report some of the Fundamental attacks:
major actual known attacks. Besides the description of Almost all attack strategies end with what we will call
each attack (the what), we also discuss the way they a fundamental attack.
are carried on (the how) and, when possible, the related The goal of a fundamental attack is to allow an in-
means of prevention, detection and/or defense. trnder gaining entrance to the victim's system either as
a regular user or (mostly) as the superuser. There are
Keywords: TCP/IP, Client-Server, Ethernet, basically three forms of fundamental attacks:
• Password guessing or capturing. Password guessing
Sniffing, One-Time Password, Kerberos, ICMP, Ping,
Covert Channel, Spoofing, RIP, DNS, Denial of is also known as password cracking [ 4].
• Exploiting security flaws (security holes).
Service, Hijacking.
• Exploiting bugs in Operating System and Network
software (security holes).
I. Introduction.
We won't cover password guessing or classical secu-
lthough the terms Protection and Security rity holes because they are thoroughly studied and well

A ate used interchangeably in the related litera-

ture, it is worth noting that, strictly speak-
ing, they designate different subjects.
Protection [ 1 ] refers to a m e c h a n i s m for controlling
the access of programs or users to a set of resources.
documented elsewhere. Instead, a specific passive at-
tack (sniffing) and several chosen a c t i v e attacks
will be analyzed in detail.

Security, on the other hand, refers to a measure of con- 1 Data streams protected by Quantum Cryptography cannot be
eavesdropped unnoticeably [2, 3].
The presentation of the selected attacks is arranged
nearly following the TCP/IP layered approach. APPLICATION
We wrote this paper in an effort to provide information
WWW, e-mail, etc.
about how intrusions occur. Unfornmately users and
system administrators are often unaware of the extent
end dangerousness of the threats beyond the most well
TRANSPORT
known banal attacks. Moreover, even experienced com- TCP, UDP
puter advisers, usually get into trouble when asked
with questions of the pattern: '...but how, exactly, do
NETWORK
hackers break into systems?...'. IP
We really hope that the paper will h e l p readers build a
solid understanding of the above mentioned issues, as HOST-to-NETWORK
well as better estimating their own risks and security ARP, RARP, Hardware Interface.
requirements.
Figure 1. TCP/IP protocol suite.
2. About TCP/IP.
• The t r a n s p o r t layer: The transport layer is designed
In order to fully understand the issues discussed in this to provide a data stream between communicating ap-
paper, some basic knowledge of TCP/IP is needed. In plications on source and destination hosts (computers).
this section several fundamental concepts and defini- When an application lamning on the source host needs
tions, related to TCP/IP, are presentetL Additional in- to communicate with its mate on the destination host,
formation can be found in [$, 6, 7]. Expert readers it just gives the message to the transport layer's soft-
are invited to skip to the next section. ware, which in turn uses IP to send it to the target
TCP/IP is a protocol suite conceived to allow comput- host in form of data units (packets) known as rkm-
ers of different characteristics (software and hardware), grams. This layer also deals with flow control, conges-
to communicate with each other. An internet is a col- tion control, and with the creation of end points.
lection of networks that all use the same protocol Two end-to-end protocols have been defined in this
suite. The Intemet (note uppercase I) is based on layer: T C P and U D P.
TCP/IP. TCP provides a r e l i a b l e flow of data to communicat-
A protocol suite is normally the combination of differ- ing applications. It does so, even though the service it
ent protocols at various layers. TCP/IP is usually con- uses to forward packets (IP) is unreliable. Reliability
sidered a 4-layer system, as shown in F i g u r e 1. is achieved by the use of timers, counters, acknowl-
edgments and re-transmission.
* The h o s t - t o - n e t w o r k layer. This layer, also called UDP, on the other hand, just provides the primary
link layer, dim link layer or network interface layer, mechanism that application programs use to send data-
handles the details of the communication media. It is grams (units of information) to other application pro-
related to issues like device drivers, Ethernet, token grams. The same as TCP does, it uses the underlying
ring, interface cards, etc. IP protocol to transport a message from one machine
to another, but unlike TCP it provides the same unre-
• The n e t w o r k layer: The network (also called inter- l i a b l e , connectionless datagramdelivery semantics as
net) layer is the glue that holds the whole arcbitecmre IP. It does not use acknowledgments, nor orders in-
together. It deals with the movement of packets around coming messages, and it does not control the rate at
the network, and defines an official packet format and which information flows between the machines either.
protocol calledlP (Internet Protocol). Thus UDP messages can be lost, duplicated or arrive
IP offers a connectionless, unreliable service, called out of order. Any desired reliability must be added by
datagram service. This means it does it best job of the application layer. Nevertheless, UDP is a better
moving packets from sources to t'mal destinations, but interface than IP to applications because it adds the
there are no guarantees. IP also specifies an addressing ability to distinguish among multiple destinations
scheme based on the so called Internet addresses or IP within a given host computer.
addresres. Every interface on an interact must have a
unique IP address. • The a p p l i c a t i o n layer: This layer contains all the
Network layer is also related to issues like packet rout- higher level protocols. Almost every TCP/IP imple-
ing and congestion avoidance. mentation provides many common applications:
Teluet, a virtual terminal protocol for remote login.
FTP, for the transferring of data between machines.
 SMTP, for electrouic mail. domain-based naming scheme, and used by TCP/IP
It is worth noting that most networking applications applications to map between host names and IP ad-
are written as two complementary programs: The dresses. An example will help to understand the whole
client and the server. The purpose of the application is mechanism: Suppose that hosts A and B in F i g u r e 2
for the server to provide some defined service for are assigned the IP addresses 191.191.3.120 and
clients. 193.193.3.176 respectively. Suppose also that their
host names are: ihosta.netl.com and hostb.net2.com.
• Routers: Since an interact is a collection of net- Now, if a client application running on host A
works, some special-purpose hardware is needed for (hosta.netl.com) needs to use a server application on
interconnecting them: routers (some computers can act host B (hostb.net2.com), it must use the DNS first to
as routers also). When an IP packet is sent from a obtain the IP address of host B. This is done as fol-
source host, it usually does not reach directly the target lows: The client application invokes a special program
host. Instead, it is handled by several intermediate (also rnnning on host A, of course) called the resolver
routers running IP software. Each router, in turn, for- and passes to it the string 'hostb.net2.com' as an ar-
wards the packet (following the routing information gument. Next, the resolver search its related files for
stored in it) until the destination host is reached. So in the IP address of a name server, and, once found, uses
most cases, packets will require multiple hops to make it to query the name server about 'hostb.net2.com'.
the journey. The name server searches its portion of the data base,
The source and destination hosts are called end sys- and, if necessary, queries other name servers until the
tems. The application layer and the transport layer use desired IP address (193.193.3.176) is obtained. This
end-to-end protocols since they are needed only on the address is sent back to the resolver which in turn re-
end systems. By contrast IP is a hop-by-hop protocol turns it to the invoking client. At this point the con-
became it is used (see F i g u r e 2) on the two end sys- nection can be established.
tems and e v e r y intermediate system (router).
Computer A Computer B
• I P addresses and DNS: Each machine (hosts and REQUEST
routers) on an internet must have at least a distinctly CLIENTS SERVERS
different address so that information destined for it can
be successfully delivered. This address scheme is con- i • REPLY
trolled by IP. An IP address is 32 bits long (in IP ver-
sion 4) and consists of two parts: the network portion
(used to describe the network on which the host re-
sides) and the host portion (used to identify the particu-
lar hos0. Those machines connected to multiple net-
works have a different IP address on each network.
IP addresses rareusually written in dotted decimal nota-
tion. In this format each of the 4 bytes is written in s TCP (3
decimal from 0 to 255. Thus the hexadecimal ___Mdres_ s
C1C103B0 is represented as 193.193.3.176. S ! !
IP S
ii i
When the IP on a source host receives a unit of data to
be forwarded, it adds (as is done at each layer) informa- I , I I I
tion to the data by prefixing a ~ to it. This header NETWORK
(IP header) includes the IP address of the source host
F i g u r e 2. Two hosts c o ~ e c t e d ruing TCP/IP.
and the IP address of the destination host. In this way,
every intermediate system knows exactly the final des-
• Ports and Sockets: As shown in Figure 2, many
tination of the packet (needed for muting) and the ad-
different applications can be using TCP or UDP at any
dress of the originating host (needed when reporting
one time. Several instances of a client on host A could
problems with the packet).
be interacting with the same server application on host
Now, since IP addresses can be difficult to remember,
B, and several independent client-server sessions be-
each device is generally assigned a host name (ASCII
tween the two hosts could be running simultaneously
string). Nevertheless, as IP itself only understands bi-
as well. To achieve this multiplexing, TCP (UDP) de-
nary addresses, some mechanism is required to convert
fines the concept of protocol port:. A protocol port is
the ASCII strings to network (IP) addresses and vice
an abstract destination point identified by a 16-bit
versa (when needed). DNS, the Domain Name System,
positive integer (port number).
is a distributed database implementing a hierarchical,
When TCP (UDP) receives from the application layer
data to be transmitted, it adds information to the data header cont,~ns the proper address of the destination
by prefixing a header to it. This header (TCP or UDP machine. Only the machine with the matching address
header) includes the number of the destination port on is supposed to accept the frame. A machine (more
the machine to which the data is sent, as well as the precisely, a network interface) that is accepting all
source port number (optional in UDP) on the source frames, no matter what the frame header says, is said
machine to which replies should be addressed. to be in promiscuous mode.
Now, as every application using TCP must be associ- Because, in a normal networking environment, account
ated with a port number, to communicate with a re- and password information is passed along ethemet in
mote application (foreign port) a sender needs to know clear-text, it is not hard for intruders, once they obtain
b o t h the IP address of the destination machine and root (superuser's privileges), to put a machine's net-
the port number assigned to the application within that work interface into promiscuous mode and by sniffing,
machine. The pair (IP address, port number) is called a compromise all the machines on the net. Besides,
socket and represents an end point of a TCP connec- sniffing leads to loss of privacy of several kinds of in-
tion. To obtain TCP service, a connection must be formation like financial account numbers, private data
explicitly established between a socket on the sending (e.g., e-mails), and low-level protocol information
machine and a socket on the receiving machine. TCP (e.g., IP addresses and TCP sequence numbers) among
connections are thus identified by its two end points, others.
that is (socket1, socket2).
Where can sniffers be fomld:
3. Attacks related to the link Even though sniffers are among the main causes of
mass break-ins on the Interact today, they are also
layer. invaluable tools for network troubleshooting. For this
reason there are several implementations widely
3.1. Sniffing. available (as shareware and freeware) through the
lnternet:
Perhaps the best known source of general information
about sniffers is the ISS S n i f f e r F A Q [8]. Let's TCPDump ftp://ftp.ee.lbl.gov
examine some of the items treated in that FAQ 2
(Frequently Asked Questions): EthDump ftp://ftp.germany.eu.net
/pub/networking/inet/ethernet/
.What is sniffing:
Packetman, lnterman,
S n i f f i n g is the use of a network interface to receive Etherman, Loadn~, ftp://ftp,cs.curtin.edu.au
data not intended for the machine in which the interface NetMan /pub/netman/
resides [ 9 ]. A variety of types of machines need to
have this capability. A bridge, for example, usually
All these sniffers are provided to assist in the debug-
has t w o network interfaces that normally receive all
ging of network problems. They can also be helpful in
frames traveling on the media on one interface and re- the study of protocols and in the gathering of (network
transmit s o m e of these frames on the other interface.
related) statistical data. Whatever their use, access to
them should be restricted to system administrators as
Computer networks are often based on shared commu-
well as to selected personnel.
nication channels. It is simply too expensive to dedi-
cate local loops to the switch (hub) fox each pair of
Detecting sniffilag attacks:
communicating computers. Sharing means that com-
puters can receive information that was intended for When a dedicated device (in contrast to a program run-
ning on a network's known host) is used for sniffing,
other machines. Hence, this kind of networks is par-
detection requires physically checking all the ethemet
ticularly suitable for sniffing.
connections. Otherwise, vdministrators must check
Ethernet is a very popular way of connecting
computers through shared communication channels. (when possible) for interfaces working in promiscuous
mode (it can be done with the help of commands like
Ethcmet protocol works by sending packet information
(frames) to all the hosts on the same circuit. The frame ifconfig and programs like cpm). If sniffing is en-
abled by linking it into the kernel, there are several
commands that could also be helpful (e.g., pfstat and
2 Although the following discussion is mostly connected pfconfig).
with ethernet, this kind of attack can be directed to other Often a sniffer log becomes so large that the file space
'multiple access' protocols (and even to non-broadcast ones) is all used up, besides, on a high volume network a
as well. sniffer will create a large load on the machine. These
facts can also lead to the discovery of sniffers. use of a u t h e n t i c a t i o n servers 3. A n authentication
Regarding PC's with non-Unix systems, observe that server (AS) knows the passwords of all users and
except for special cases (e.g., Java, C G I programs, stores these in a centralized database. In addition an AS
etc.), command execution is not allowed but from the shares a unique secret key with each server.
console, therefore remote intruders can not turn a PC The protocol is roughly as follows:
machine into a sniffer without inside assistance. 1) When a service is needed, the client sends a request
to the authentication server.
Preventing and neutraliTin=~ sniffing attacks: 2) The AS uses the known dient's password and the
• Network segmentation: A network segment consists secret key related to the service to create an encrypted
of a set of machines sharing low-level devices and message containing an also (differently) encrypted
wiring and seeing the same set of data on their network service-granting ticket.
interfaces. Repeaters and passive hubs do not limit the 3) The message is sent back to the client which de-
flow of data arriving to any of its interfaces. They just crypts it, extracts the ticket, and presents it to a suit-
copy the incoming bits and retransmit them to the able server.
wires on the other interfaces. S w i t c h e s , a c t i v e 4) The server tries to decrypt and authenticate the
hubs, and bridges, however, do limit the flow of ticket. If succeeds, the requested service is granted.
data, thus allowing the prevention of sniffing on un- * Non-promiscuous interfaces: Installing interface cards
trustworthy machines. that do not support promiscuous mode, will prevent
• Encryption: The use of encryption renders data use- PC's (usually IBM compatibles) from sniffing.
less to intruders. There are several related packages
available. However, this solution is neither universal 4. Attacks related to the network
nor absolute. In fact, there is a tradeoff between how
much information is encrypted and how standard the
and transport layers.
solution is. If too much of the flowing information is
encrypted (e.g., even protocol information) then, pro- 4.1. I C M P Tunneling.
prietary networking protocols must be used (thus pre-
cluding standard internetworking). If, by contrast, only Firewalls. Ping, and ICMp:
application level encryption is used, then a significant Roughly speaking a f i r e w a l l is a computer, software,
amount of sensible data (mostly related to network and or both, used to restrict and monitor usage of a com-
operating system protocols) is still available to intrud- puter or network. Firewalls are normally used to con-
ers, nevertheless, the two most popular eneryption- trol the interface between a subnetwork and the
based security solutions P G P [ 101 and S S L [ 11 ] me Interact.
both designed to guarantee the secrecy, integrity and The Interuet Control Message Protocol ( I C M P ) is an
authenticity ofdst_o related to the application level adjunct to the IP layer. It is a couneetionless protocol
only (e.g., e-mails, transactions, etc.). used to carry error or control messages between the IP
° Special administration of account information: software on one machine (host or router) and the IP
S / k e y [ 12] and other one-time password technology software on another. ICMP packets are encapsulated
make sniff'rag account information almost useless. inside IP datagrams. Although each ICMP message
Passwords never go over the network but rather are has its own format, they all begin with the same three
used to create (on both connecting sides) matching fields (first 4 bytes ,of the header): TYPE, CODE, and
strings of bytes. CHECKSUM. There are 15 different types of ICMP
Usually, the server presents a challenge to the connect- messages.
ing user (or client) who, using the challenge informa- The p i n g command sends an ICMP echo request mes-
tion and the real password, either calculates or selects sage (type 8) to a specified destination. Any machine
(from a previously defined list) a new string and sends that receives an echo request, formulates an ICMP
it back to the server. The string is then entered into the echo reply message (type 0) and returns it to the origi-
server's comparing algorithm, and if a match is ob- nal sender. Both the request and the reply can include
tained, the connection is allowed to continue. Neither an optional data field. Thus ping can be used to test
challenges nor strings are used twice. whether a desfnation is reachable and responding.
A well-known alternative to one-time passwords is
I
K e r b e r o s [13]. Kerberos is a system that allows
workstations to authenticate themselves to services 3 Strictly speaking, Kerberos uses a special server program
running on servers without ever sending a password in for key distribution. 'The program performs two logical
functions: authentication server and ticket-granting server.
clear text over the network. Kerberos is based on the In this basic description we are using the term authentication
server to designate both logical servers as a whole.
 trust to another host, then any user who has the same
Covert channels: username (login name) on both machines can log in
Since ping traffic is ubiquitous to almost every (or execute remote commands) from the trusted host to
TCP/IP based network and subnetwork, many firewalls the trusting one w i t h o u t presenting a password.
and networks consider this traffic to be benign and will Trust can also be extended to different users from se-
allow it to pass through, unmolested. However, that lected hosts, and eventually to a n y user from a n y
practice can be insecure. Ignoring the obvious threat of host!!. The trusted usemames and hostnames are main-
a denial-of-service attack, use of ping traffic can open rained in two types of special files (UNIX): . r h o s t s
up covert channels through the networks in which it is and hosts.equiv. Any authorized user of a host A,
allowed. can create in i t s o w n directory (on A) a t-de named
Remember that ICMP echo packets also have the op- .rhosts containing the combinations of usenmme and
lion to include a data section. Although the payload is hosmame that may connect to i t s account on A. By
often timing information, there is no check by any de- contrast, only o n e hosts.equiv file (/etc/hosts.equiv)
vice as to the content of the data. So, as it turns out, may exist on each host. If present, it contains a list of
this amount of data can also be arbitrary in content as trusted hosts. Any user of any host in the list may ac-
well. Therein lies the covert ehannd. cess an account with the same usemame on the trust-
A tool exploiting this covert channel [14] canbe used ing host without presenting a password.
as a backdoor into a system by providing an unavowed It is worth noting that besides rlogin (the login
method of getting commands executed on a target ma- command from a r e m o t e host), several other com-
chine. It can be used as a way to clandestinely collect mands use the truaed host scheme (e.g., rcp, rdist,
information from a machine. It can be used as a covert rsh.) They are known collectively as r* commands.
method of user-machine or user-user communication. Although trusted host is a very useful and convenient
scheme, its actual implementation is quite vulnerable
Detection and preventiola: to attacks because an authentication mechanism based
If ICMP echo traffic is allowed, then this channel ex- soldy on IP addresses is used. In fact, when any of the
ists. Even with extensive firewalling and packet-filter- r* commands is invoked from a remote machine, the
ing mechanisms in place, this channel can go com- receiving host cheeks if the IP address of the sender
pletely undetected for the duration of its existence. matches an authorized (trusted) host. If so, the com-
A surplus of ICMP echo reply packets with a garbled mand is executed. Otherwise, either permission for ex-
payload can be ready indication that the channel is in ecution is denied or a p a s s w o r d (and a l o g i n if the
use, but since these packets are usually not monitored, originating user is not equivalent to the remote user) is
some triggering event must happen first. (are) prompted for on the remote machine.
Restricting ICMP echo traffic to be accepted from 1P Spoofing attacks exploit this weak form of au-
trusted hosts is useless with a connectionless protocol thentication. In this type of attack, an intruder mas-
such as ICMP. Forged traffic (with spoofed IP ad- querades her host e v i l . c o r n as f r i e n d . e o m a ma-
dresses) containing hidden data in the echo request chine (uslmlly internal) trusted by the host tar-
messages can still reach the target host which in turn g e t . c o m . The intruder does this by substituting the
will send legitimate ICMP echo reply messages to the IP address of the trusted machine, friend.corn, for the
spoofed host (where they will be dropped silently). IP address of her host, e v i l . t o m , in all of the outgo-
While the possibility exists for a smart packet filter to ing packets. The machine being attacked, tm'-
check the payload field and ensure that it o n l y con- g e t . e o m , then believes that the intruder is, in fact,
tains legal information, such a filter for ICMP is not the machine that it trusts, friend.corn, and gives it
in wide usage, and could still be open to deceiving. access.
The only sure way to destroy this channel is to deny
a l l ICMP echo traffic into the (to be protected) net- 5.1.1. ARP S p o o f i n g 4.
work, a very impractical requirement, though.
A RP, the Address Resolution Protocol, provides a
5. Attacks related to the network mapping between two different forms of addresses: 32-
bit IP (virtual) addresses used by the network layer, and
and transport layers. whatever type of physical address (e.g., Ethemet) the
associated data link uses. An Ethernet dynamic ARP
5.1. IP Spoofing.
4 ARP is considered as part of the link layer. However, we
The term trusted host was coined by the developers of included ARP spoofing in this section because of its strong
the UNIX networking software. If one host extends relation with attacks to the IP based trusting mechanism.
(which has become a TCP/IP Intemet protocol stan- hosts from vulnerable subnets should be considered.
dard) is specified in RFC 826 [ 1 $1.
The protocol works roughly as follows: When an IP Detecting an ARP Spoof:
datagram is to be sent, either the destination host (the A host may attempt to detect illegitimate use of its IP
one owning the t a r g e t IP address) is in the same address by checking, for every ARP request received, if
physical subnet, or a gateway must be used as the first the sender IP address matches its own. Besides, hosts
hop. In any case, a physical Ethemet address is needed can be arranged to send out an ARP request for their
(the destination host Ethernet address or the gateway own IP address both on system startup and periodically
Ethernet address) to send the Ethemet frame encapsulat- thereafter. Eventual ARP replies would indicate an
ing the IP packet. So, the A R P cache of the source ARP spoof.
machine is consulted looking for an entry associating A server may also attempt to detect an ARP spoof by
the target (host or gateway) IP with an Ethemet ad- one of its clients, This can be done by querying
dress. If there is a miss, a special Ethernet frame (an R A R P (Reverse Address Resolution Protocol)
A R P request) is broada~ed to every host on the servers to eross-check the IP-to-hardware address as-
network. The ARP request contains the source sociation contained in each ARP reply received. RARP
Ethemet and IP addresses, and the IP address of the tar- servers, maintain a database of hardware ~ s e s end
get. Every machine receiving the request can extract the associated IP addresses.
the sender's IP-to-physical address binding, and update
its cache. Additionally, the destination machine replies $.1.2. Routers and Route Spoofing.
with a n A R P r e p l y , containing its IP address and the
corresponding hardware address. When the ARP reply On the Internet, both hosts and routers constantly take
is received by the source machine, its cache is updated part in routing decisions. The destination IP address of
and the datagram that forced the ARP reqnest-reply to every datagram (or fragment) arriving to a machine's
be exchanged can finally be sent. network layer, is checked to decide whether the data-
Since the entries in an ARP cache usually expire after gram should be routed to an interface in the same
a few minutes, several attacks, aiming to forge or (sub)network (including direct deliveries to the ma-
tamper with the IP-to-hardware address associations, chine itself) or forwarded to the next-hop router.
are possible. An attacker can simply use a machine as- Attacks aiming to forge or tamper with routing tables
signed the same IP address as a machine currently not are the basis of R o u t e Spoofing. Route spoofing
working. The machine to be impersonated can be can be achieved in several ways, all of which involve
turned off, or disconnected from the network, or sim- getting Intemet machines to misdirect non-locally
ply having its legitimate IP address changed by the at- delivered IP dat0grams.
tacker. Then, after waiting a few minutes for the expi-
ration of the original entry in the cache, the intruder ICMP-Based Route Spoofing:
will be finally able to mount the def'mitive attack
which is usually directed to a trusting server. An ICMP redirect error message is sent by a router
A thorough discussion on ARP spoofing (and on IP to the sender of an IP datagram when the datagra~
spoofing in general) can be found in [ 16 ]. should have been sent to a different router [ 17]. The
datagram itself does not need to be re-sent because the
Preventing an ARP Spot,f: router sending the [CMP redirect has already forwarded
As a basic precaution, trusting machines should load the datagram to the right router. As a machine receiv-
the hardware address of trusted machines as p e r m a - ing an ICMP redirect message typically updates its
n e n t entries in thcix ARP cache. Permanent entries do routing table, route spoofing can be achieved just by
not expire after a few minutes, and can be manually sending illegitimate redirect messages.
inserted using the command arp (UNIX and Windows Note that even ff a machine ignores redirect messages
95/NT). its datagrams are still delivered (not so efficiently,
Alternatively, a secure ARP server should be consid- though). So, ICMP redirect spoofing can be avoided
ered. An ARP server responds to ARP requests on be- by configuring hosts to ignore redirect messages.
half of another machine by consulting permanent en- Besides, for every redirect message received, a check
tries in its own ARP cache. Even safer is to have (using the permanent entries in the ARP cache)
trusting machines configured to use ARP replies com- should be made to verify that the message is from a
ing from the ARP server rather than replies from other router currently used by the machine.
sources (usually a difficult task, though). Finally,
since the use of touters removes the threat of ARP R/P-Based Route Spoofing:
spoofing between IP subnets, the separation of trusted Modern computer networks generally use dynamic

10
muting algorithms. A very popular dynamic algorithm obtain some services from t a r g e t . c o m . First of all,
is d i s t a n c e v e c t o r r o u t i n g [18]. Distance vector the first-hop router from e v i l . e o m is set up by the
routing operates by having each router maintain a table attacker (preparing the route spoof) to route to
(i.e., a vector) giving the best known distance to each e v i l . c o r n ' s network any arriving datagram containing
destination and which line to use to get there. The vvv.xxx.yyy 7~,z as the destination address. Then the
metric used might be number of hops, time delay, to- IP address vvv.xxx.yyy.zzz is illegitimately assigned
tal number of packets queued, or something similar. to e v i l . c o r n by the attacker. Finally, when
R I P [ 19] is a widely used implementation of vector- e v i i . e o m begins to send OP-spoofed) packets to tar-
distance routing. It partitions participants into active g e t . c o r n , source routing (with the first-hop ~ in
andpassive (silent) machines. A router running RIP in the route) is used (otherwise answers would be prop-
active mode broadcast, every 30 seconds, a message erly forwarded to friend.corn). So, when the server
consisting of pairs, where each pair contains an IP answers (using the reverse route to vvv.xxx.yyy.zzz),
network address and an integer distance to that net- the packets are actually going to the compromised
work (measured in hops). These advertisements me first-hop router and getting routed to e v i !, e ore.
used by receiving neighbors (touters and hosts) to up- This type of attack can be prevented, of course, by dis-
date their routing table. Passive machines just listen allowing source routing on t a r g e t . e o m ' s network.
and update their tables, they do not advertise. Only
touters can run RIP in active mode; hosts must use 5.1.3. DNS Spoofing.
passive mode.
One simple way to route spoof, is to broadcast illegit- When resolver software on a host needs to convert a
imate route information via UDP on port 520 (RIP's domain name (e.g., jupiter.cs.yl.edu) to an IP address
well-known port). This can be done from almost any (e.g., 127.0.0.127) it sends an address lookup query to
PC by users with special privileges to use RIP. All a DNS name server. Similarly, a reverse lookup query
passive participants will be affected. Besides, if the set is sent when an IP address is to be converted to a do-
of passive participants includes one or more routers main name.
then the damage can be widespread. D N S S p o o f i n g may occur whenever a DNS server
RIP-based route spoofmg can be prevented either by gets compromised by a security attack that forge or
disallowing touters to use RIP passively or by allow- tamper with its tables. As the responses from a DNS
ing them only a limited passive use of RIP. server are trusted by all hosts on the Internet, a
compromised DNS server can direct clients to connect
Source Routing-Based Attacks: to illegitimate servers, or deceive servers trying to
Normally IP routing is dynamic with each muter mak- verify if an IP address corresponds to the name of a
ing a decision about which next-hop router to send the trusted client.
datagram to. However, IP can optionally use s o u r c e DNS spoofing can be partially prevented by maintain-
r o u t i n g . The idea behind source muting is that the ing a local database of domain names and the associ-
sender specifies the route, Two forms are provided: ated IP addresses (e.g., UNIX's/etc/hosts file). Every
• Strict source routing: The exact path is specified. server's database should contain, at least, the associa-
• Loose source routing: The sender specifies a list of tions corresponding to the server's trusted hosts.
IP address that the datagram must traverse, but the Besides, an attacker trying to impersonate a trusted
datagram can also pass through intermediate routers. client, usually modifies the reverse lookup tables
Besides, the Host Requirements RFC specifies that a maintained by the DNS server that is authoritative
TCP client must be able to specify a source mute, and (i.e., directly responsible) for the records related to th¢
that a TCP server must be able to receive a source attacker machine's IP address. However, the correct
route, and use the reverse route for all segments on association between the domain name of the legitimate
that TCP connection (if a newer source route is re- client and its IP address is maintained by the DNS
ceived, the earlier one is overridden). server that is authoritative for the client's domain
IP spoofmg attacks based on source muting, are usu- name. Not only the two authoritative servers need not
ally mounted with the aid of route spoofing. The fol- to be physically the same one, but even if they are, the
lowing example illustrates how an attack of this type tables for reverse and forward lookups are maintained
is carried on: on separate files.
So, even if the reverse lookup table gets compromised,
The server target.tom extends trust to several hosts chances are good that the forward lookup table remains
including f r i e n d . e o m (whose legitimate IP address is sound (particularly if the attack comes from an external
vvv.xxx.yyy.zzz). An attacker operating the host network). Therefore as a defense to DNS spoofing, all
e v i l . c o m wants to impersonate f r i e n d . c o m to responses to reverse lookup queries should be

11
cross-checked by making a forward lookup query to the TCP port it desires disabled. Since the reply mes-
detect possible inconsistencies. sages that are being sent from F r i e n d to U n r e a e h
The following example will illustrate how DNS will never be acknowledged, F r i e n d ' s queue of in-
spoofing is used to mount attacks: complete connections will keep increasing until a
limit is reached after which all incoming packets re-
An attacker running e v i l . e o m finds r* programs on lated to connection establishment are silently discarded
target.eom and modifies the reverse DNS entries for by TCP (including the ones coming from T a r g e t ) .
evil.corn (on eompromised.dns.eom) to look
like friend.corn (a host trusted by target.corn). Now, to better understand the above scenario, some
When evil.corn connects to t a r g e t . c o r n , the latter related details will be explained:
sends to e o m p r o r n i s e d . d n s . e o m a reverse lookup
query (using the IP address received from e v i l . c o r n ) • What is attacked?: The attack is usually directed
and gets back the (spoofed) name of f r i e n d . c o r n . either to port TCP 513 (rlogin) or to port TCP 514
As explained before, the use of products that cross- (rsh). Often, the command 'echo "+ +" >> ~/.rhosts'
check the responses to reverse lookup queries (e.g., (used in UNIX to extend trust to any user from any
TCP W r a p p e r [20]) may help to prevent this type host) is executed to install a backdoor.
of attack.
• Why is it called a 'blind' attack?: Because E v i l ' s
5.1.4. TCP Connection Spoofing TCP software never 'sees' any message from T a r g e t ' s
Blind Attacks. TCP (which is sending to F r i e n d all the datagrams re-
lated to the fake connection). Hence E v i l must rely
A T C P c o n n e c t i o n s p o o f i n g a t t a c k is a very exclusively on guessing.
complex (IP spoofing-based) 'blind' attack. The fol-
lowing scenario outlines a typical TCP connection • What is guessed?: TCP is a connection-oriented, reli-
spoofing attack: able transport protocol. Connection-oriented means the
The Hosts: T a r g e t is a server trusting the host two applications using TCP must establish a TCP
Friend, E v i l is the attacker's machine and Unreaeh connection with each other before they can exchange
is an unreachable host. data. Reliability is provided in TCP by the use of
The Events: E v i l (impersonating F r i e n d ) starts a checksums, timers, data sequencing and acknowledg-
TCP connection with T a r g e t which, in turn, sends a ments. By assigning a sequence number to e v e r y byte
reply (related to the connection establishment protocol) transferred, and requiring an acknowledgment from the
to the real Friend because neither DNS spoofing nor other end upon receipt, TCP can guarantee reliable de-
source routing is being used. livery. Sequence nUmbers are used to ensure proper or-
At this point, E v i l is facing two problems: dering of the data and to eliminate duplicate data bytes.
1) It doesn't know what the answer from. T a r g e t was, Note that in a TCP session there are usually two
so it cannot be sure about the exact contents of the streams of data (every end point is receiving from one
message that must be sent to T a r g e t to continue with of them and sending through the other). So an 1 S N
the connection establishment protocol. (initial sequence number)must be assigned to each
2) It must block the deliver (to Friend) of messages stream when the connection is being established. To
being sent by T a r g e t , otherwise these unexpected see how it is done, let's suppose that C is a client
messages would induce F r i e n d to ask T a r g e t to wishing to connect to the server S, and analyze the
abort the connection being established (which would connection establishment process (often called the
frustrate the attack). three-way handshake):
Since the attacker has been gathering enough statistics
as to predict what should be answered to T a r g e t to 1 C ~--SYN XX---> S
continue with the connection establishment, a new
message containing a guessed reply is sent from E v i l 2 C <---SYN Y Y / A C K XX+I--- S
(impersonating F r i e n d ) to T a r g e t . If the attacker is
correct in her prediction, the connection is established, 3 C ~--ACK YY+ 1---> S
and T a r g e t is compromised. Generally, after com-
promise, the attacker will use r* commands to insert a 1. C sends a TCP message (known as SYN request) to
backdoor. S with the special flag SYN (SYNchronize sequence
Meanwhile, to deal" with the second problem, E v i l numbers) set to ON. A SYN request specifies the port
(this time impersonating U n r e a e h ) has been flooding number of the server that the client wants to connect
F r i e n d with TCP connection requirements directed to to, and the client's ISN (XX in this example).

12
2. The server responds with its own S Y N message An exhaustive discussion on TCP connection spoofing
containing S's ISN (YY) and acknowledging C's S Y N attacks can be found in [ 21 ].
by specifying that the n e x t byte expected from C is
the byte numbered XX+ 1. 5.2. Hijacking.
3. C acknowledges the SYN message from S, and data
transfer may take place. In section $. 1 . 4 . a basic, though complex, form of
connection spoofing was analyzed. The possibility of
The problem with the blind attack outlined in the sce- an attack of this type, was first discussed by R. Morris
nario is that E v i l never sees the second message, [ 22]. Morris' attack can easily be extended by sniffing
which is in fact sent to Friend. So what is to be the network somewhere between the (trusted) client and
guessed by the attacker is YY (in order to have Evil the (target) server. The Sniffer could be used to get the
sending the ACK YY+I message). However, this is server's ISN, and, even better, to establish a full du-
not an easy task because each TCP maintains a 32-bit plex TCP connection with the server (assuming the
ISN counter that is incremented by 64,000 every half- real trusted client is down, or under a denial of service
second, and, additionally, by 64,000 each time a con- attack).
nection is established. Note however that Morris' attack relies on the trusted
To get an idea of where in the 32-bit sequence number hosts identification scheme, and is thus useless in sit-
space T a r g e t ' s TCP is, the attacker establishes sev- uatious where password authentication is required,
eral counectious to a TCP port on T a r g e t , and stores A different, yet related, type of attack based on sniff'rag
the final ISN received. Besides, the attacker calculates and IP spoofing is known as H i j a c k i n g or T C P
the average RTI" (round-trip time) from E v i l to session hijacking.
T a r g e t to E v i l (most likely by using ICMP Ping TCP hijacking attacks are mounted to take over exist-
messages). Now the attacker has the baseline (the last ing connections. Intruders bypass one-time passwords
received ISN) and a good idea of how long it will take and other strong authentication schemes by hijacking
an IP datagram to travel across the Internet to reach the connection after the authentication is complete.
T a r g e t (approximately half the average RTT, as most Suppose that a legitimate user connects to a remote
times the routes are symmetrical). So, the attacker im- site through a login or terminal session, if the intruder
mediately proceeds to initiate the three-way handshake hijacks the connection after the user completed the
(each interim connection would increment the ISN by authentication, the remote site is compromised. An
64,000) and finally the spoofed segment with the pre- even worse situation occurs if the user has logged into
dicted ACK is sent to Target. As said before, if the the remote system as root, then the attacker might
guess is correct, T a r g e t is compromised. issue a comma~ad to change the supemser password, or
add a privileged account to the password database.
• What must be disabled on Friend& In the SYN re- Sniffers and hijacking software are the basic tools used
quest sent by E v i l (impersonating Friend) to to mount hijacking attacks.
T a r g e t , not only the destination port number is speci- A truly skillful hijack can be fully accomplished
fied, but also the source port number is included (as in without divulging a single clue to the user, weaker
every TCP segment). So when T a r g e t answers by implementations (which can be used to hijack idle
sending to F i e n d the second segment in the three-way terminM sessions) echo to the user the attacker's
handshake protocol (SYN/ACK)it will use as destina- keystrokes and responses from the remote host.
tion port number, the same one he received as source An interesting hijacking attack is described in [2 3].
port number in the SYN request. Therefore, what must The proposed attack is based on the creation of a
be disabled on F r i e n d is precisely this port. In the desynchronized state (with mismatching sequence
outlined scenario aDenial of Service attack known numbers) on each end of a TCP connection so that the
as T C P S Y N f l o o d i n g attack (or just SYN attack) two points cannot exchange data any longer. A third
is used to disable the port. Denial of Service attacks party host (the intruder's host) is then used to create
(and SYN attacks) are discussed in section $ . 3 . acceptable packets (mimicking the real ones) for both
($.3.3.). ends. Although some flaws related to the attack can be
• How can this attack beprevented?: This attack can be used to detect it, chances are good that it can be
prevented by disabling all the r* commands, or (if trust mounted without detection.
is extended only to local hosts) by having the router(s) The best way to reduce the threat of a TCP connection
deny any packet coming from outside with a source IP spoofing is to use an encryption-based terminal proto-
address correslxmding to a local host. RARP queries col. These protocols can limit the consequences of in-
could be used to detect attacks coming from machines troducing fake data on the connection, because even if
on the same physical network as the target server. the receiver accepts the data as valid, the command

13
interpreter will not be able to make sense-of it. processing its normal workload. Message flooding at-
More details on hijacking can be found in [ 24 ]. tacks are frequently directed against authentication
servers. Under a message flooding attack, an authenti-
5.3. Denial of Service. cation server can become so loaded as to be unable to
respond requests coming from its clients. This will al-
In a denial o f service attack (D.O.S. attack), one low the attacker's machine to easily masquerade as the
user takes up so much of a shared resource that none of legitimate authentication server and, by answering
the resource is left for other users [25]. There are two with bogus information to authentication queries, to
types of denial of service attacks. The first type of at- log into privileged accounts.
tack attempts to damage or destroy resources so no- Often, message flooding is accomplished just by bom-
body can use them. The second type of attack over- barding a server with thousand of ICMP echo request
loads some system service or exhausts some resource, messages (using a ping program).
thus preventing others from using the service. Message flooding can also be used to congest network
Networks are vulnerable to several DOS attacks. Three traffic. A simple way to do this is by piping packets
important types will be discussed in the following between two well-known ports (ports used to pro-
sections: Service Overloading, Message Flooding and vide standard TCP/UDP services) to create an infinite
Clogging. sequence (e.g., sending chargen packets [port 19] over
to the echo port [port 7]). Of course, this specific type
5.3.1. Service Overloading. of message flooding can be easily prevented by turning
off services that might be used to cause infinite
Service overloading occurs when floods of requests sequences (there are also some filtering programs that
are made to a server process on a single computer. prevent redirecting data between selected ports).
Usually these bruteforce attacks can cause the system
to be so busy that it is unable to process regular tasks 5.3.3. Clogging.
in a timely fashion. Many requests will be discarded
and, in some extreme cases, the attacked host will The implementatiOn of the three-way handshake proto-
crash. A special case of service overloading results col used by TCP to establish connections (see
when a server process is forced to consume so many S. 1.4.), can be abused to mount a very nasty denial
resources as to cause its host to crash. A typical of service attack known as T C P S Y N f l o o d i n g
example of this type of attack is known as Finger attack (or just SYN attack). The potential for abuse
Bomb. Finger is a client, used to gather information arises at the point where the server system has sent an
about users of a host. If John Doe has an account on acknowledgment (SYN/ACK) back to client but has
the host v i c t i m . c o r n , any user on snoop.corn not yet received the ACK message. This is what is
could 'finger' John Doe's account by executing the known as a half-open connection. The server has built
command: in its system memory a queue containing all pending
s n o o p > finger [email protected]. connections. This queue is of finite size, and it can be
This finger of course is recognized as coming from made to overflow by intentionally creating too maay
snoop.com. However if the following eornmarld were partially open connections. This can be accomplished
used: by flooding a server port with spoofed SYN messages.
s n o o p > finger johndoe@ victim.corn@third corn As the packets are spoofed to impersonate unreachable
it would effectively appear as johndoe being fingered at clients, the protocol will never be completed, and thus
victim.corn from t h i r d . c o m . Since finger servers ac- the half-open queue will eventually fill causing the
cept nested queries, an attacker could execute: server to be unable to accept any new incoming con-
snoop> finger johndoe@ @ @ @ @...@ @victim.com nections.
This would cause victim.corn to finger itself recur- Although the half-open connections will eventually
sively. If victim.corn fingers itself recursively enough expire, the attacking system can just keep sending
times, then memory, swap space, and hard drive space spoofed SYN requirements faster than the victim sys-
will eventually fill up, causing the machine to crash. tem can expire the pending connections.
An obvious, though drastic, way to prevent this attack TCP SYN flooding has been used to mount major
is disabling the finger service. attacks to Interact Service Providers. The services
themselves are not harmed, just the ability to provide
5.3.2. Message Flooding. them is impaired.
Blocking an ongoing attack by having a router deny
Message f l o o d i n g occurs when a user slows down a any packet coming from a specific IP address is not a
system on the network to prevent the system from solution because Usually each of the source addresses

14
in the spoofed packets is randomly chosen, by the [ 13] J. Kohl, C. Neuman, The Kerberos
attacker's software, from an array of tmreachable IP Network Authentication Service (vs).
addresses. RFC 1510, September 1993.
Several patches have been released to make UNIX ker-
nels SYN-attaek resistant. If a patch is not available, [ 14] Project Loki. Phrack Magazine,Volume
then, at least, the number of half-open connections al- Seven, Issue Forty-Nine, File 06.
lowed should be increased and the amount of time that Whit~ by [email protected] for Phrack
a connection is allowed to stay in a half-open state Magazine. Guild Productions, August 199 6.
should be reduced.
Additional details on TCP SYN flooding can be found [15] D.C. Hummer, An Ethernet Address
in [26]. Resolution Protocol. RFC 826, 1982.

116] D. Atkins et d., Internet Security. New

References. Riders, 1996, pp. 257-316.

I171 W. Stevens, T C P / I P Illustrated, Vol. 1.

[I] A. Silberschatz, P. Galvin, Operating Addison-Wesley, 1994, pp. 119-123.
Systems Concepts. Addison-Wesley,
Fourth Edition, 1994, pp. 431. [18] A.S. Tanenbaum, C o m p u t e r Networks.
Prentice Hall, 3rd. ed., 1996, pp. 355-359.
[21 C.H. Bennett, G. Brassard, A.K. Ekert,
Quantum Cryptography. Scientific [19] C. Hedrick, Routing Information
American, v. 267, n.4, 1992, pp. 50-57. Protocol. RFC 1058, 1988.

131 Bruce Schneier, Applied Cryptography. [20] K. Siyan, C. Hare, Internet Flrewalis and
Wiley, Second Edition, 1996, pp. 554-557. Network Security. New Riders, 1995,
pp. 304-306.
[41 W. Stallings, Network and lnternetwork
Security. Prentice Hall, 1995, pp. 214-217. 1211 IP-spoofing Demystified.
By [email protected]
[Sl W. Stevens, T C P / I P Illustrated, Vol. 1. Guild Produclions, J u n e 1996.
Addison-Wesley, 199 4.
I22] R. Morris, A Weakness in the 4.2 BSD
[6] D. Comer, l n t e r n e t w o r k i n g with T C P / I P UNIX TCP/IP Software. Computing
Vol. 1. Prentice Hall, Third Edition, 199 5. Science Technical Report 117. AT&T Bell
Laboratories, 1985.
[7] A.S. Tanenbaum, C o m p u t e r Networks.
Prentice Hall, Third Edition, 19 9 6. 123] L. Joncheray, A Simple Active Attack
Against TCP. Merit Network, Inc.
[81 ISS Sniffer FAQ. http://www.iss.net/. [email protected], April 1995.

[91 D. Atkins eta/., Internet Security. New [241 IP Spoofing Attacks and Hijacked
Riders, 1996, pp. 258-279. Terminal Connections. CF~T Advisory
CA-95"01. Available at http://www.cert.org and
[lOI S. Garfinkel, PGP: Pretty Good Privacy. at tip://info.cert.org/pub/cert_advisories/1995.
O ReiUy, 1994.
[2s] S. Garfhakel, G. Spafford, Practical UNIX
[111 SSL Version 3.0. & Internet Security. O Reilly, 2nd Edition,
http://home.netscape.com/eng/ssl3/ssl-toc.html. 1996, pp. 759-778.

I121 N. Hailer, The S/KEY One-Time [26] TCP SYN Flooding and IP
Password System. RFC 1760, Spoofing Attacks. CERT Advisory
BcUcore, February 1995. CA-96.21. Available at http://www.cert.org and
at ftp://info.cert.org/pub/cert advisories/1996.

15