Part of the beauty of using the internet to move information around lies in the apparently seamless and user-friendly way in which transmissions are accomplished. This stems in large part from the use of a common set of transmission/reception mechanisms or protocols – but it’s the very standardization of these methods that leaves them so open to exploitation and attack. One of the prime examples of this lies with the Transmission Control Protocol/Internet Protocol or TCP/IP. In this article, we take a closer look at these protocols and TCP/IP vulnerabilities.
IP and Source Routing
Though commonly used together, TCP and IP are actually separate protocols. The “connectionless” Internet Protocol (IP) allows information streams to be broken up into segments known as data packets (or simply, packets), which may then be sent from point to point via various routing protocols used by the machines along the transit route.
IP takes either of two forms: IPv4 or IPv6. The Address Resolution Protocol (ARP), Internet Group Multicast Protocol, and Internet Control Message Protocol (ICMP) are transmission mechanisms that also exist at the internet layer. When information is broken up into packets, the IP source generates a listing of the routes that packets must take to reach their intended destination. This listing may in turn be used by the recipient to send information back to the sender.
Unfortunately, at this stage attackers can also gain access to the source path, and modify the options in the route for a data packet. In what’s known as a source route attack, an attacker may also be at liberty to read the data packets, potentially gaining access to confidential information, financial details, or intellectual property. This risk may be offset to some extent by dropping or forwarding any data packets which carry the source route option.
TCP and Reassembly
TCP is a connection-based protocol, requiring a formal connection to be established between sender and receiver before any data is passed. This is done via a “three-way handshake“, in which a client first sends a SYN segment to a server requesting that a connection be set up, the server responds with a SYN-ACK segment acknowledging the request, and the client sends back an ACK segment to confirm, establishing the connection.
Data packets reaching their destination may arrive in a logical sequence, or out of order. In some cases, they may not arrive at all. At the data’s origin point, it’s the job of the Transmission Control Protocol or TCP to break the information into packets, which it then assigns numbers to for reassembly at the destination point.
Predicting TCP Sequences
With some diligent application of the right kind of algorithms, it’s possible for an attacker to guess the sequence of numbers that TCP assigns to a stream of data packets. Knowing the next number in a transmission sequence, an attacker may potentially “step in” to an ongoing communication and pose as the originator of the message.
TCP sequence numbers are typically increased by a constant amount each second, and by half of that number each time a connection begins. So one way of guarding against the prediction of the next number in a sequence by an attacker who may have gained access to a server through apparently legitimate means is to generate a random increment for the initial sequence number.
TCP Blind Spoofing
Here, an attacker is able to guess both the sequence number of an ongoing communication session and its port number. They are then in a position to carry out an injection attack, inserting corrupted or fraudulent data into the stream – or worse, malicious code or malware.
Remember those SYN and ACK segments needed to establish a TCP connection? Under the protocol rules, a client or server receiving these requests is required to respond to them, to keep the communication going. This requirement is the basis of a SYN flooding attack, whereby multiple SYN packets are spoofed using a bogus source address, then sent to a targeted server.
Under compulsion to respond, the server will send out SYN-ACK packets to an address that doesn’t exist, creating a flood of half-opened sessions awaiting replies that will never come. During this time, no fresh connections will be allowed by the server, and connection requests from legitimate users will be ignored – a Denial of Service or DoS scenario.
Using a packet sniffer (a tool for detecting the presence and movement of data packets), an attacker may capture data packets and gain full access to an HTTP session. If there’s weak authentication between a web server and its clients, the attacker may assume full control of the client’s rights, switching the communication to one directly between them and the targeted server.
In an unsecured communication, data may pass between sender and receiver as “clear text” – unprotected and unencrypted information which may include user credentials and passwords. By spoofing an IP address, and attacker may intercept an ongoing transmission and become the man (or woman, or bot) in the middle of a communication, steering valuable data towards themselves – or misinformation and malware toward the recipient.
Web Application and Browser Security Weaknesses
Typically, a web browser will create a cache of the sites you’ve visited, consisting of a portion of your hard drive where data from various pages (including images, passwords, and credentials) is stored for easy access. If a device becomes compromised, a hacker may gain access to this cache and your confidential data without the need for authentication on their part. That’s why it’s advisable to clear your browser caches and disable the automatic saving of passwords on unsecured machines.
Cookie poisoning attacks may be blunted by a Web Application Firewall (WAF), which can analyze HTTP sessions and trace the conditions set for cookies deposited by a given web server.
In this specialized form of man-in-the-middle attack, a hacker may spoof the IP address of a client, redirect their machine, and send the same data repeatedly to a targeted server. This replayed data may also be modified or corrupted prior to its repeat sending.
Enhanced session tracking features on a web browser can help reduce the risk of these replay attacks, as they may red flag the repeat data traffic as illegitimate, based on their stored history.
This form of assault begins with a session hijacking, after which an attacker injects malicious code into a web application or browser that will be executed when it gets to its destination. The hijacking typically occurs using cookies or tokens stolen from a legitimate user’s previous sessions.
Enabling enhanced security controls for cookie-dependent user authentication and/or disabling the running of scripts on visited sites are guards against this.
DNS Protocol Attacks
Assaults on the Domain Name System (DNS, which resolves alpha-numeric IP addresses with more recognizable host domain names like MyWebsite.com) allow attackers to modify DNS records so that they misdirect traffic to incorrect or spoofed IP addresses.
DNS cache poisoning falsifies information in the DNS cache, with the aim of redirecting traffic to a site or resource set up by the attackers – the classic pharming ploy that lures unsuspecting users to a bogus web site that’s identical in appearance to a legitimate one, for harvesting user credentials or financial data. DNS spoofing alters the IP address of a computer to match that of a DNS server, re-routing traffic to the attacker’s own machines.
A set of extensions known as DNSSEC (DNS security) have been issued to help address DNS security vulnerabilities.
Share this Post