TCP security

TCP Insecurity
Rocky K. C. Chang
30 March 2007

Outline
- SYN flooding
- Sequence number attacks
- Extraneous TCP state transitions
- Problems with TCP timers
- State desynchronization attack
- Reset attacks
- ICMP attack
- Congestion window attacks (not covered here)

SYN flooding
- An attacker persistently sends spoofed TCP SYN segments to a victim.
- A TCP control block (TCB) is created for each pending connection.

[Figure: attacker A sends TCP SYN, ICMP, UDP, ... packets to victim V with R's address as the source IP address; V's replies (TCP SYN-ACK, TCP RST, ICMP, UDP, ...) go to R instead of A.]

The effectiveness of SYN flooding

[Figure: minimum rate of TCP SYN packets needed to stall the servers (number per second, 0 to 1200) plotted against the maximum number of TCP half-open connections allowed by the servers (0 to 10000), for Microsoft Win2000 Advanced Server, BSD, and Linux kernel 2.2.9-19.]

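An added model (written for these notes, not part of the original slides) of why the SYN rate needed to stall a server grows with the number of half-open connections it allows: a backlog of B pending TCBs that each live T seconds absorbs at most B/T spoofed SYNs per second before legitimate SYNs find no free slot. The backlog, timeout and arrival times used here are constructed, illustrative values.

```python
import heapq


def stall_rate(backlog, timeout_s):
    """SYN rate (per second) at or above which a table of `backlog` half-open
    TCBs, each living `timeout_s` seconds, is permanently full."""
    return backlog / timeout_s


def simulate(backlog, timeout_ms, syn_interval_ms, duration_ms, legit_times_ms):
    """Feed one spoofed SYN every syn_interval_ms for duration_ms into a
    SYN_RCVD table of `backlog` slots whose entries expire after timeout_ms.
    The spoofed peer never completes the handshake, so only the timer frees
    a slot.  Returns how many legitimate SYNs, arriving at legit_times_ms,
    found a free slot.  All times are integer milliseconds (constructed)."""
    pending = []                                   # heap of slot expiry times
    accepted = 0
    spoofed = range(0, duration_ms, syn_interval_ms)
    events = sorted([(t, 0) for t in spoofed] + [(t, 1) for t in legit_times_ms])
    for t, is_legit in events:
        while pending and pending[0] <= t:         # timer frees expired half-open TCBs
            heapq.heappop(pending)
        if len(pending) < backlog:
            heapq.heappush(pending, t + timeout_ms)
            accepted += is_legit
        # else: no TCB can be allocated, so the SYN is dropped (the server stalls)
    return accepted
```

Because the threshold is B/T, halving the half-open lifetime doubles the SYN rate an attacker needs, which is the "aggressively time out pending states" countermeasure listed in the summary.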
Sequence number attacks
- 3 hosts: A, B, and X
  - B grants A some special privileges, and A can get some actions performed by B.
  - X tries to get the same action done by B for itself.
- Establish a forged connection with B.
- Prevent A from responding to B.

The attack procedure
(1) X -> B: SYN (ISN = M), SRC = A
  - X impersonates A based on the IP address.
(2) B -> A: SYN (ISN = N, AN = M+1)
  - Normally A will respond with an RST segment.
  - SYN-flood A.
(3) X -> B: ACK (AN = N+1), SRC = A
  - Without actually receiving the second message, X needs to guess B's ISN.
  - In the old 4.2BSD, the ISN was incremented by 128 each second and by 64 after each connection is started.

In detail
- X swamps port 21 (ftp) on A with connection requests.
- X creates a real connection to a port on B, and records the returned ISN (N').
- Create a raw IP socket, and change its source IP to that of A.
- Send a SYN packet from port 21 to port 514 (remote syslog) on B.
- Send an ACK to B with AN = N'+64.
- Send data to B; port 514 expects a null, followed by a user name, followed by a command.
- If all goes well, B will execute the command.

Possible defenses
- The weakness in the 4.2BSD was first identified by Robert Morris in 1985.
- In 1994, Kevin Mitnick broke into the computer of Tsutomu Shimomura using this attack.
- Possible defenses
  - Randomize the increment on the ISN. Take a look at http://lcamtuf.coredump.cx/newtcp/#windows
  - Packet filtering in the firewall.

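As an added illustration of the "randomize the ISN" defense (example code, not from the notes or any TCP stack): the 4.2BSD generator described on the previous slides beside a generator with the RFC 1948 / RFC 6528 structure, ISN = M + F(local address, local port, remote address, remote port, secret), where M is a 4-microsecond clock and F is a keyed hash. The addresses, ports and the choice of an HMAC-SHA-256 F are assumptions made here.

```python
import hashlib
import hmac
import os
import socket
import struct

SECRET = os.urandom(16)   # per-boot secret; never observable by a peer (assumed)


def bsd42_isn(seconds_up, connections_started):
    """The old 4.2BSD generator as the notes describe it: +128 per second and
    +64 per connection started.  Consecutive values are trivially related."""
    return (128 * seconds_up + 64 * connections_started) % 2**32


def naive_guess(observed_isn):
    """The guess made on the 'In detail' slide: the ISN handed out on the next
    connection equals the one the guesser just observed plus 64."""
    return (observed_isn + 64) % 2**32


def rfc6528_isn(local_ip, local_port, remote_ip, remote_port, clock_4us,
                secret=SECRET):
    """ISN = M + F(4-tuple, secret).  The clock term keeps sequence numbers
    of one connection monotonic; the keyed-hash offset makes the ISN of a
    different 4-tuple unrelated to any ISN the peer has seen."""
    tup = struct.pack("!4sH4sH", socket.inet_aton(local_ip), local_port,
                      socket.inet_aton(remote_ip), remote_port)
    digest = hmac.new(secret, tup, hashlib.sha256).digest()
    offset = int.from_bytes(digest[:4], "big")
    return (clock_4us + offset) % 2**32
```

The attacker's own connection to B reveals one ISN, but with the keyed offset that value says nothing about the ISN B will pick for the spoofed connection from A.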
Extraneous state transitions
- Consider that X sends a TCP segment to A with both SYN and FIN bits on:
  X -> A: SYN FIN (SN = M)
- A practical study:
  - RedhatB sends SYN-FIN to RedhatA (Linux kernel 2.2.9-19).
  - RedhatA returns a SYN-ACK message and moves to the SYN_RECV state.
  - RedhatA then retransmits the SYN-ACK several times and ends the connection (after 5 minutes 12 seconds).

Extraneous state transitions (cont.)
- However, if a system (SunOS 4.1.3, SVR4) processes the SYN first and then the FIN, then
  - There will be a state transition from SYN_RCVD to CLOSE_WAIT.
  - A is expecting the application to send a close signal so that it can send a FIN to X.
  - A gets stuck in this half-open state. If the keepalive timer is enabled, it will take 2 hours to reset the connection.

Extraneous state transitions (cont.)

[Figure: the TCP state transition diagram, with states CLOSED, LISTEN, SYN_SENT, SYN_RCVD, ESTABLISHED, FIN_WAIT_1, FIN_WAIT_2, CLOSING, TIME_WAIT, CLOSE_WAIT and LAST_ACK, transitions labelled event/action (Active open/SYN, Passive open, Send/SYN, SYN/SYN + ACK, SYN + ACK/ACK, ACK, Close/FIN, FIN/ACK), and TIME_WAIT returning to CLOSED after a timeout of two segment lifetimes. The diagram has no SYN_RCVD to CLOSE_WAIT transition.]

Problems with TCP timers
- Consider a TCP simultaneous open scenario:
  (1) X -> A: SYN (SN = M)
  (2) A -> X: SYN (SN = N)
  (3) X -> A: SYN (SN = M, AN = N+1)
  (4) A -> X: SYN (SN = N, AN = M+1)
- The attacker X may not send his second message.
  - In some systems, the connection-establishment timer is turned off when the host receives the SYN from the other host.
  - In others (like Linux), the timer is not turned off, but it takes > 20 minutes to release the port.

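An added model (not from the notes) of the two setup-time weaknesses on the preceding slides: the SYN-then-FIN processing path that leaves A in CLOSE_WAIT, and the simultaneous-open case where cancelling the connection-establishment timer leaves A in SYN_RCVD indefinitely. The 75-second establishment timeout and the strict_flags / keep_timer switches are assumptions of this example, not behaviour documented on the slides.

```python
LISTEN, SYN_SENT, SYN_RCVD, ESTABLISHED, CLOSE_WAIT, CLOSED = (
    "LISTEN", "SYN_SENT", "SYN_RCVD", "ESTABLISHED", "CLOSE_WAIT", "CLOSED")


class Endpoint:
    """A deliberately small model of the connection-setup states of one host."""

    def __init__(self, state=LISTEN, strict_flags=False, keep_timer=True, timeout=75):
        self.state = state
        self.strict_flags = strict_flags   # reject SYN+FIN before any state processing
        self.keep_timer = keep_timer       # keep the establishment timer on simultaneous open
        self.timeout = timeout             # establishment timer in seconds (assumed value)
        self.deadline = None

    def active_open(self, now):
        self.state, self.deadline = SYN_SENT, now + self.timeout
        return self.state

    def receive(self, flags, now):
        """Process the flags of one incoming segment at simulated time `now`."""
        flags = set(flags)
        if self.strict_flags and {"SYN", "FIN"} <= flags:
            return self.state                              # illegal combination: ignored
        if self.state == LISTEN and "SYN" in flags:
            self.state, self.deadline = SYN_RCVD, now + self.timeout
            if "FIN" in flags:                             # SYN processed first, then FIN
                self.state, self.deadline = CLOSE_WAIT, None   # waits for a local close
        elif self.state == SYN_SENT and "SYN" in flags:
            if "ACK" in flags:
                self.state, self.deadline = ESTABLISHED, None
            else:
                self.state = SYN_RCVD                      # simultaneous open
                if not self.keep_timer:
                    self.deadline = None                   # the weak behaviour: timer off
        elif self.state == SYN_RCVD and "ACK" in flags:
            self.state, self.deadline = ESTABLISHED, None
        return self.state

    def tick(self, now):
        """Expire the establishment timer; stuck states without one never clear."""
        if self.deadline is not None and now >= self.deadline:
            self.state, self.deadline = CLOSED, None
        return self.state
```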
State desynchronization attack
- Assume that the attacker can see the packets exchanged between a server and a client.
- The attack is to desynchronize the states between the server and the client in the ESTABLISHED state.
- Denote
  - SVR_SEQ: SN of the next byte to be sent by the server. SVR_SEQ0 is the server's ISN.
  - SVR_ACK: next byte to be received by the server.
  - CLT_SEQ: SN of the next byte to be sent by the client. CLT_SEQ0 is the client's ISN.
  - CLT_ACK: next byte to be received by the client.

Recall from comp5311

[Figure: message exchange among client, attacker and server on a connection with src port = 1444 and dest port = 1555. Recoverable message labels: SYN (src port = 1444, dest port = 1555, initial SN = 4000); SYN/ACK; ACK (src port = 1444, dest port = 1555); RST (src port = 1444, dest port = 1555); SYN (src port = 1444, dest port = 1555, initial SN = 5000); SYN/ACK; ACK (src port = 1444, dest port = 1555).]

At the end of the handshaking
- In the normal case,
  - CLT_SEQ = CLT_SEQ0 + 1.
  - CLT_ACK = SVR_SEQ0 + 1.
  - SVR_SEQ = SVR_SEQ0 + 1.
  - SVR_ACK = CLT_SEQ0 + 1.
- In the case of a state desynchronization attack,
  - SVR_SEQ ≠ CLT_ACK and
  - CLT_SEQ ≠ SVR_ACK

What can the attack do?
- The client sends the first segment with
  - SEG_SEQ = CLT_SEQ ≠ SVR_ACK and
  - SEG_ACK = CLT_ACK ≠ SVR_SEQ
- Because of the first inequality, the segment may be dropped.
- The attacker can now replay the segment but change the SEG_SEQ and SEG_ACK such that
  - SEG_SEQ = SVR_ACK and
  - SEG_ACK = SVR_SEQ.
- The attacker can add or remove the TCP data if it is left unprotected.

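An added example (not part of the notes): a passive monitor that derives the four handshake values defined above from an observed three-way handshake and then flags segments whose SEG_SEQ / SEG_ACK do not match the state it expects, the symptom of the desynchronized connection on these slides. The trace is constructed; the field names and alert wording are this example's own.

```python
def track(segments):
    """Return [(index, reason)] alerts for a list of observed segments.
    Each segment is a dict with dir ('c>s' or 's>c'), flags (set), seq, ack, len.
    nxt['c>s'] is the SN the server expects next (SVR_ACK) and nxt['s>c'] the
    one the client expects (CLT_ACK); in a synchronized connection a sender's
    SEG_SEQ equals what its peer expects and its SEG_ACK what it expects itself."""
    nxt, alerts = {}, []
    for i, s in enumerate(segments):
        d = s["dir"]
        rev = "s>c" if d == "c>s" else "c>s"
        f = s["flags"]
        if "SYN" in f:
            if d in nxt:                              # second SYN on an open connection
                alerts.append((i, "SYN while ESTABLISHED"))
                continue
            nxt[d] = s["seq"] + 1                     # CLT_SEQ0 + 1 or SVR_SEQ0 + 1
            if "ACK" in f and s["ack"] != nxt.get(rev):
                alerts.append((i, "SYN-ACK acknowledges a SYN that was not seen"))
            continue
        if "RST" in f:
            alerts.append((i, "RST inside an established connection"))
            continue
        if len(nxt) < 2:
            continue                                  # handshake not complete yet
        if s["seq"] != nxt[d] or s["ack"] != nxt[rev]:
            alerts.append((i, "desynchronized: SEG_SEQ=%d (expected %d), SEG_ACK=%d (expected %d)"
                           % (s["seq"], nxt[d], s["ack"], nxt[rev])))
            continue
        nxt[d] += s["len"] + ("FIN" in f)             # data bytes and FIN consume SNs
    return alerts


# Constructed trace: a normal handshake and one data exchange, followed by three
# segments carrying the client's address of the kind a desynchronizing third party
# would inject (an RST, a fresh SYN with its own ISN, then data on the new numbers).
SAMPLE = [
    dict(dir="c>s", flags={"SYN"}, seq=4000, ack=0, len=0),
    dict(dir="s>c", flags={"SYN", "ACK"}, seq=7000, ack=4001, len=0),
    dict(dir="c>s", flags={"ACK"}, seq=4001, ack=7001, len=0),
    dict(dir="c>s", flags={"ACK", "PSH"}, seq=4001, ack=7001, len=5),
    dict(dir="s>c", flags={"ACK"}, seq=7001, ack=4006, len=0),
    dict(dir="c>s", flags={"RST"}, seq=4006, ack=0, len=0),
    dict(dir="c>s", flags={"SYN"}, seq=5000, ack=0, len=0),
    dict(dir="c>s", flags={"ACK"}, seq=5001, ack=9001, len=3),
]
```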
The RESET attacks
- The goal of these attacks is to cause one of the 2 endpoints of a TCP connection to incorrectly tear down the connection.
- To launch the attack successfully, the attacker needs to know the following:
  - The socket addresses of the connection,
  - A sequence number that will be used in the RST, and
  - The window size that the 2 endpoints are using.

Blind reset attack using the RST bit
- RFC793 [RFC0793] currently requires a segment with the RST bit set, received in a synchronized state, to be processed as follows:
  - If the RST bit is set and the sequence number is outside the current receive window (SEG.SEQ < RCV.NXT || SEG.SEQ > RCV.NXT+RCV.WND), silently drop the segment.
  - If the RST bit is set and the sequence number is acceptable, i.e. (RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND), then reset the connection.
- An attacker can therefore generate an RST segment with an "in-window" sequence number.
  - It takes 262,143 RESET segments to reset a Cisco router.

A proposed defense
- If the RST bit is set and the sequence number is outside the current receive window, silently drop the segment.
- If the RST bit is set and the sequence number exactly matches the next expected sequence number (RCV.NXT), then TCP MUST reset the connection.
- If the RST bit is set and the sequence number does not exactly match the next expected sequence value, yet is within the current receive window (RCV.NXT < SEG.SEQ < RCV.NXT+RCV.WND),
  - TCP MUST send an acknowledgment (challenge ACK): <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>
  - After sending the challenge ACK, TCP MUST drop the unacceptable segment and stop processing the incoming packet further.

Blind reset attack using the SYN bit
- RFC793 currently requires a segment with the SYN bit set, received in the synchronized state, to be handled as follows:
  - If the SYN bit is set and the sequence number is outside the expected window, send an ACK back to the sender.
  - If the SYN bit is set and the sequence number is acceptable, i.e. (RCV.NXT <= SEG.SEQ <= RCV.NXT+RCV.WND), then send a RST segment to the sender.
- An attacker can therefore reset one endpoint by sending such a SYN segment to the other.

A proposed defense
- Instead, changing the handling of the SYN in the synchronized state to the following will mitigate this attack:
  - If the SYN bit is set, irrespective of the sequence number, TCP MUST send a challenge ACK to the remote peer: <SEQ=SND.NXT><ACK=RCV.NXT><CTL=ACK>
  - After sending the acknowledgment, TCP MUST drop the unacceptable segment and stop processing further.

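An added example covering both the RST-bit and the SYN-bit slides (written for these notes, not taken from any TCP implementation): the RFC 793 rules and the proposed challenge-ACK rules as one decision function over RCV.NXT, RCV.WND and SND.NXT, plus the blind-guess count of which the 262,143 figure above is an instance. Sequence comparisons are done modulo 2^32; the window and sequence values in the test are constructed.

```python
MOD = 2**32   # TCP sequence space


def in_window(seg_seq, rcv_nxt, rcv_wnd):
    """RCV.NXT <= SEG.SEQ < RCV.NXT+RCV.WND, evaluated with wrap-around.
    (The notes quote the RFC 793 SYN rule with an inclusive upper bound; the
    strict form is used for both flags here.)"""
    return (seg_seq - rcv_nxt) % MOD < rcv_wnd


def handle(flags, seg_seq, rcv_nxt, rcv_wnd, snd_nxt, tcpsecure):
    """Action for one incoming segment on a synchronized connection.
    Returns 'reset', 'drop', 'ack', 'data', or ('challenge_ack', SEQ, ACK).
    tcpsecure=False applies the RFC 793 rules, True the proposed defense."""
    if "RST" in flags:
        if not in_window(seg_seq, rcv_nxt, rcv_wnd):
            return "drop"                               # same under both rule sets
        if not tcpsecure or seg_seq == rcv_nxt:
            return "reset"                              # any in-window SEQ (793); exact match only (defense)
        return ("challenge_ack", snd_nxt, rcv_nxt)      # in-window but not RCV.NXT: <SEQ=SND.NXT><ACK=RCV.NXT>
    if "SYN" in flags:
        if tcpsecure:
            return ("challenge_ack", snd_nxt, rcv_nxt)  # irrespective of the sequence number
        if in_window(seg_seq, rcv_nxt, rcv_wnd):
            return "reset"                              # RFC 793: acceptable SYN -> RST to the sender
        return "ack"                                    # RFC 793: out-of-window SYN -> plain ACK
    return "data"


def blind_rst_guesses(rcv_wnd):
    """Upper bound on RST segments needed to land one in-window SEG.SEQ for a
    known 4-tuple under the RFC 793 rule: ceil(2**32 / RCV.WND).  Under the
    defense only SEG.SEQ == RCV.NXT resets, so the bound becomes 2**32."""
    return -(-MOD // rcv_wnd)
```

A 16 KiB receive window gives 2^18 = 262,144 guesses, the order of the Cisco figure quoted above; the exact-match rule removes the window-size dependence entirely.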
ICMP attacks
- Neither RFC1122 nor RFC0793 recommends any validation checks on the received ICMP messages.
  - Thus, as long as the ICMP payload contains the information that identifies an existing communication instance, it will be processed by the corresponding transport-protocol instance, and the corresponding action will be performed.
- In the case of TCP, an attacker could send a forged ICMP message to the attacked host.
  - As long as he is able to guess the four-tuple that identifies the communication instance to be attacked, he will be able to use ICMP to perform a variety of attacks.

ICMP blind connection-reset attack
- When TCP is handed an ICMP error message, it will perform its fault recovery function as follows:
  - If the network problem being reported is a hard error (e.g., Destination Unreachable with protocol/port unreachable in ICMPv4), TCP will abort the corresponding connection.
  - If the network problem being reported is a soft error, TCP will just record this information, and repeatedly retransmit its data until they either get acknowledged, or the connection times out.
- A possible defense is to treat these hard errors as soft.

Summary
- The TCP insecurity affects
  - Web services
  - BGP connections
  - SSL, SSL-VPN
  - ...
- Possible counter-measures
  - The TCP MD5 option does not seem to be very useful.
  - Randomize the initial sequence numbers.
  - Do not use fixed default TCP window sizes or fixed client ports.
  - Improve the TCP RESET processing.
  - Improve the ICMP error processing.
  - Detect SYN flooding attacks.
  - Aggressively time out pending states.

Acknowledgments
This set of notes is based on
- B. Guha and B. Mukherjee, “Network Security via Reverse Engineering of TCP Code: Vulnerability Analysis and Proposed Solutions,” IEEE Network, July/August 1997, pp. 40-48.
- R. Morris, “A Weakness in the 4.2BSD Unix TCP/IP Software,” 1985.
- L. Joncheray, “Simple Active Attack Against TCP,” Proc. USENIX Security Symp., 1995.
- R. Stewart and M. Dalal, “Improving TCP's Robustness to Blind In-Window Attacks,” draft-ietf-tcpm-tcpsecure-04.txt, Feb. 2006.
- P. Watson, “Slipping in the Window: TCP Reset Attacks,” technical white paper, Dec. 2003.
- F. Gont, “ICMP attacks against TCP,” draft-ietf-tcpm-icmp-attacks-00.txt, Feb. 2006.