Umeå universitet
Teknisk-naturvetenskaplig fakultet
Institutionen för datavetenskap

TCPIP Overview from a Security Perspective

IP: remember: anybody with the right software can send an arbitrary IP packet

IP spoofing: sending fake IP packets with intention to fool the reciever into beliving that you may access this service

TCP: handshakes and sequence numbers make it hard, but still possible to spoof. This is known as a sequence number attack. Vulnerable: r-services

UDP: no handshakes and no sequence numbers make it easy to spoof. An application should not trust a UDP packet just because of it's source address (like NFS & DNS)

ICMP: ICMP messages such as `"port unreachable"` are often related to a single connection and therefore include original IP header and 64 bits of transport header. However, older versions of TCP/IP don't work that way

ICMP: `"ICMP redirect"` messages can be used to take over a route to a server or client, which is a Bad Thing.
At least ICMP messages are not routed.

IP Routing

IP Source routing can be used to send arbitrary packets anywhere. No normal machines should accept source routed packets.
Direct tampering with routing protocols could insert or update a false route (to "steal" a network, for example).

DNS

If somebody has control over your DNS services, bad things can happen. Very vulnerable: r-services
The way DNS works allow servers' caches to be filled with arbitrary data

DNS name level problems:

   stalin# mail secret@gauss.cs < secretfile
           may be sent to secret@mail.gauss.cs in Czechia!

SMTP and sendmail software... brrr...

Goodwill-based sender authentication
Many revealing SMTP commands: VRFY, EXPN
The sendmail program has a very long list of detected holes. It's too long to think that there is no more holes left

Telnet: password entering means open for eavesdropping and trojan horses

Syslog: many impementaions suffer from fixed-buffer problems. Have been exploited

NTP: can be spoofed to set a system's clock. This can in turn be used for replay attacks

RPC

Goodwill-based sender authentication
portmapper indirect calls
often no logging
restrict or block

NIS

encrypted password list available as a service
password verification over net
clients can be fooled to use another server

NFS

Stateless server, stateful clients. Uses (file handle, IP, user id, op, data)-tuples for transactions
Goodwill-based user id authentication
IP source address-based mount access verification

One who has the root file handle has the file system

 Example:	become root@euler
 	power-cycle euler
        snoop net for root file handle for root file system
        now you can send some NFS lookups and getattrs
        (with eulers source address) to get file handles 
        for /etc/passwd and /etc/group
        write your own copies, with your data
        login or su

	Do not try this at home, it's illegal!

AFS: kerberos-based, considered secure

TFTP: UDP, no passwords, should never run unrestricted, but still it does at many sites...

FSP: Sneaky File Tranfser Protocol -- known as a hacker tool

X11

without authentication anybode can open clients, such as dump your keyboard input
key-based, host-based or no authentication

Senast ändrad 1996-05-10 av Jonas Engström (jonas@cs.umu.se)

TCPIP Overview from a Security Perspective

IP: remember: anybody with the right software can send an arbitrary IP packet

IP spoofing: sending fake IP packets with intention to fool the reciever into beliving that you may access this service

TCP: handshakes and sequence numbers make it hard, but still possible to spoof. This is known as a sequence number attack. Vulnerable: r-services

UDP: no handshakes and no sequence numbers make it easy to spoof. An application should not trust a UDP packet just because of it's source address (like NFS & DNS)

ICMP: ICMP messages such as "port unreachable" are often related to a single connection and therefore include original IP header and 64 bits of transport header. However, older versions of TCP/IP don't work that way

ICMP: "ICMP redirect" messages can be used to take over a route to a server or client, which is a Bad Thing. At least ICMP messages are not routed.

IP Routing IP Source routing can be used to send arbitrary packets anywhere. No normal machines should accept source routed packets. Direct tampering with routing protocols could insert or update a false route (to "steal" a network, for example).

DNS If somebody has control over your DNS services, bad things can happen. Very vulnerable: r-services The way DNS works allow servers' caches to be filled with arbitrary data DNS name level problems: stalin# mail secret@gauss.cs < secretfile may be sent to secret@mail.gauss.cs in Czechia!

SMTP and sendmail software... brrr... Goodwill-based sender authentication Many revealing SMTP commands: VRFY, EXPN The sendmail program has a very long list of detected holes. It's too long to think that there is no more holes left

Telnet: password entering means open for eavesdropping and trojan horses

Syslog: many impementaions suffer from fixed-buffer problems. Have been exploited

NTP: can be spoofed to set a system's clock. This can in turn be used for replay attacks

RPC Goodwill-based sender authentication portmapper indirect calls often no logging restrict or block

NIS encrypted password list available as a service password verification over net clients can be fooled to use another server

AFS: kerberos-based, considered secure

TFTP: UDP, no passwords, should never run unrestricted, but still it does at many sites...

FSP: Sneaky File Tranfser Protocol -- known as a hacker tool

X11 without authentication anybode can open clients, such as dump your keyboard input key-based, host-based or no authentication

ICMP: ICMP messages such as `"port unreachable"` are often related to a single connection and therefore include original IP header and 64 bits of transport header. However, older versions of TCP/IP don't work that way

ICMP: `"ICMP redirect"` messages can be used to take over a route to a server or client, which is a Bad Thing.
At least ICMP messages are not routed.

IP Routing

IP Source routing can be used to send arbitrary packets anywhere. No normal machines should accept source routed packets.
Direct tampering with routing protocols could insert or update a false route (to "steal" a network, for example).

DNS

If somebody has control over your DNS services, bad things can happen. Very vulnerable: r-services
The way DNS works allow servers' caches to be filled with arbitrary data
DNS name level problems:
stalin# mail secret@gauss.cs < secretfile may be sent to secret@mail.gauss.cs in Czechia!

SMTP and sendmail software... brrr...

Goodwill-based sender authentication
Many revealing SMTP commands: VRFY, EXPN
The sendmail program has a very long list of detected holes. It's too long to think that there is no more holes left

RPC

Goodwill-based sender authentication
portmapper indirect calls
often no logging
restrict or block

NIS

encrypted password list available as a service
password verification over net
clients can be fooled to use another server

X11

without authentication anybode can open clients, such as dump your keyboard input
key-based, host-based or no authentication