Security issues in TCP/IP protocol


These are reading notes on "A Look Back at 'Security Problems in the TCP/IP Protocol Suite'".

Whenever TCP/IP comes up in a computer security course, it is stressed that TCP/IP has many security problems. This does not mean that TCP/IP performs poorly or is badly designed: TCP/IP was not created with security as a goal, but mainly to solve the problem of communication between networks. As TCP/IP spread, however, many of its features were exploited by criminals, which exposed its many security problems.

In "A Look Back at 'Security Problems in the TCP/IP Protocol Suite'", the author mainly discusses security issues at the protocol level. Some of the problems in the TCP/IP suite stem from hosts relying on the source IP address for authentication; others stem from abuse of the network control protocols, especially the routing protocols. The author does not cover problems in the implementation of any particular protocol, but discusses the protocols themselves in general.

Here are some of the TCP/IP security issues covered in the paper.


1. TCP sequence number prediction

This problem is a form of spoofing rather than session hijacking, because the attacker creates a forged TCP session instead of stealing an existing one. It can be seen from how a TCP connection is established: the three-way handshake begins with the client sending a packet with the SYN flag set; the server replies with a packet that has both SYN and ACK set and carries its initial sequence number; the client then completes the connection by sending an acknowledgment whose acknowledgment number is the received sequence number plus one, again with the ACK flag set. TCP sequence prediction means that the attacker tries to guess the initial sequence number the server will send at the start of a connection and uses it to build a forged TCP session.

Because of sequence number prediction, the first countermeasure was to make the random generation of TCP sequence numbers finer-grained than before, which makes prediction harder for the attacker.

The key to the attack is that sequence numbers are not generated randomly. Modern TCP implementations use a pseudo-random number generator to choose the initial sequence number, which makes prediction much harder, but the attack remains possible. The attacker can carry it out as follows:

The attacker launches a denial-of-service attack against the victim client, mainly so that the client cannot interfere with the attack.

The attacker sends a SYN packet to the target server with the source IP address forged to be the victim client's address.

After waiting a short time for the server to send its response to the client, the attacker sends an ACK packet to complete the TCP handshake; its acknowledgment number is based on the predicted sequence number, and its source IP address is again forged to be the victim client's.

The attacker can then send requests to the server as though it were the victim client.

There are some defenses against TCP sequence number prediction attacks.
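As an added illustration of the defense (not from the page or from the paper), the following Python contrasts an old counter-based initial sequence number generator with the keyed-hash scheme of RFC 6528 used by modern stacks; the step value, the sample connections and the injectable clock are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

MOD32 = 1 << 32   # TCP sequence numbers are 32-bit
STEP = 64000      # constructed: per-connection increment of the old scheme


class CounterISN:
    """Old style: each new connection gets the previous ISN plus a fixed
    step, so one observed ISN reveals the next one."""
    def __init__(self, start=0):
        self.next_isn = start

    def isn(self, lip, lport, rip, rport):
        value = self.next_isn
        self.next_isn = (self.next_isn + STEP) % MOD32
        return value


class Rfc6528ISN:
    """ISN = M + F(localip, localport, remoteip, remoteport, secret) mod 2^32,
    with M a 4-microsecond clock and F a keyed hash over the 4-tuple."""
    def __init__(self, secret=None, clock=None):
        self.secret = secret if secret is not None else os.urandom(16)
        self.clock = clock  # injectable tick source (assumption, for testing)

    def _ticks(self):
        if self.clock is not None:
            return self.clock()
        return (time.monotonic_ns() // 4000) % MOD32

    def isn(self, lip, lport, rip, rport):
        msg = f"{lip}:{lport}>{rip}:{rport}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (self._ticks() + int.from_bytes(digest[:4], "big")) % MOD32


def isn_gaps(gen, tuples):
    """Differences between ISNs handed to successive connections. A single
    repeated gap means whoever sees one handshake can predict the next."""
    isns = [gen.isn(*t) for t in tuples]
    return [(b - a) % MOD32 for a, b in zip(isns, isns[1:])]


# Constructed sample: one server port, eight different client addresses/ports.
SAMPLE = [("10.0.0.1", 80, f"10.0.0.{i}", 40000 + i) for i in range(2, 10)]
```

With the keyed scheme the ISNs of different connections are unrelated to each other, while the same 4-tuple still advances with the clock, which is what keeps old segments from being confused with a new connection.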


2. Routing attacks

Abuse of routing mechanisms and routing protocols is the simplest class of protocol-based attack. Different routing protocols give rise to different attack methods, and a large part of them rely on hosts authenticating by source IP address.

First, IP source routing. As the name suggests, this option lets the sender specify the path a packet takes, and the receiver sends its reply back along the reverse of that path. An attacker can forge the source IP address along the way to carry out an attack, so that the returned packets travel along the path the attacker designed in advance.

The best defense against this kind of attack is for the gateway of a local network to refuse packets arriving from outside that claim a source address inside the LAN. Current technology cannot fully do this, though. A simpler method is to reject pre-authorized connections when source routing is present. An alternative is to analyze the IP source route and accept it only if it comes from a gateway on the list of trusted gateways.
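The two gateway-side defenses just described, as an added Python example that is not part of the page or the paper; it also adds the symmetric egress check for packets leaving the LAN. The LAN prefix, the trusted-gateway list and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List

LAN = ipaddress.ip_network("192.168.1.0/24")               # constructed LAN prefix
TRUSTED_GATEWAYS = {ipaddress.ip_address("203.0.113.1")}   # constructed trust list


@dataclass
class Packet:
    iface: str            # interface the packet arrived on: "ext" or "lan"
    src: str
    dst: str
    source_route: List[str] = field(default_factory=list)  # hops from the source-route option


def filter_packet(pkt: Packet) -> str:
    """Return 'accept' or 'drop: <reason>' for one packet."""
    src = ipaddress.ip_address(pkt.src)
    # 1. Ingress check from the text: an outside packet must not claim a LAN source.
    if pkt.iface == "ext" and src in LAN:
        return "drop: LAN source address on external interface"
    # 2. Egress check (the symmetric case, beyond the text): inside packets
    #    must carry a LAN source, so our own hosts cannot spoof outsiders.
    if pkt.iface == "lan" and src not in LAN:
        return "drop: non-LAN source address on internal interface"
    # 3. Source routing: accept only if every listed hop is a trusted gateway.
    if pkt.source_route:
        hops = {ipaddress.ip_address(h) for h in pkt.source_route}
        if not hops <= TRUSTED_GATEWAYS:
            return "drop: source route through an untrusted gateway"
    return "accept"


def filter_all(packets):
    return [filter_packet(p) for p in packets]


# Constructed sample traffic as seen by the gateway.
SAMPLE_PACKETS = [
    Packet("ext", "192.168.1.10", "192.168.1.5"),                     # spoofed insider
    Packet("ext", "198.51.100.7", "192.168.1.5"),                     # ordinary inbound
    Packet("ext", "198.51.100.7", "192.168.1.5", ["203.0.113.1"]),    # routed via trusted gw
    Packet("ext", "198.51.100.7", "192.168.1.5", ["198.51.100.99"]),  # routed via unknown hop
    Packet("lan", "192.168.1.10", "198.51.100.7"),                    # ordinary outbound
    Packet("lan", "198.51.100.7", "192.168.1.5"),                     # inside host spoofing
]
```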

Next, attacks on the Routing Information Protocol (RIP). RIP is a routing protocol used inside a network; by continuously exchanging routing information it lets routers adapt dynamically to changes in the network. This information includes which networks can be reached and how far away they are. Most importantly, routers do not check the information they receive, which is a weakness that can be attacked.

RIP attacks are easier to deal with than source routing attacks, and the approach is similar. The defense is for routers to treat received information with some skepticism: incoming routing packets are authenticated, and only those that are not forged, that is, normal routing announcements, are accepted; the rest are rejected.

Then there is the Exterior Gateway Protocol, which carries routing information between autonomous systems, in contrast to the interior routing protocols. The exterior routing protocol starts with neighbor discovery and identification between peer routers; the two peers then establish a TCP connection and exchange messages.

The paper also describes the Internet Control Message Protocol (ICMP). ICMP is mainly used to carry control information between IP hosts and routers: whether the network is reachable, whether a host is accessible, and whether routing control information is available. This information carries no user data, but it provides an essential foundation for the delivery of user data.

The first thing to expect is that ICMP can be used for simple DoS attacks, for example with Destination Unreachable and Time Exceeded messages. The most common is the ping flood. The ping tool sends an ICMP echo request to a host, which in turn answers with an ICMP echo reply. To carry out the attack, a powerful computer sends a large number of requests to a single victim server. If the attacker can generate ping requests faster than the victim server can handle them, and the victim has enough network bandwidth to receive them all, the victim is overwhelmed by the traffic and gradually begins to drop legitimate connections.

ICMP attacks can also be defended against to some degree. This kind of attack relies mainly on exhausting network bandwidth and on hosts not pre-processing ICMP packets. To limit bandwidth use, the router can restrict the bandwidth available to ICMP packets, keeping it within a certain range; the second method is to process ICMP packets in some way, for example refusing to handle all ICMP packets.


3. Potential hazards

In this part the author uses the phrase "here be dragons" to mark areas of risk or potential security problems. The author's point is that many protocols have no defects in themselves, and so have not been abused. Several examples illustrate this point: the finger service, email, the domain name system, FTP and so on.

Take email first. E-mail is probably the most widely used and most valuable service on the Internet. But because mail servers do not use authentication, it is vulnerable to attack. Encryption and authentication were later gradually added to email; without them, an attacker can easily intercept e-mail messages with an IP sniffer. One way to improve confidentiality is to encrypt e-mail messages at the transport layer or the application layer.

The Domain Name System (DNS) is a basic application-layer protocol and an essential function of today's network. Its main role is to provide a distributed database that maps between IP addresses and host names. It is subject to attacks such as DoS and password collection.

When a user resolves a domain name through DNS, the user trusts that the request will be resolved correctly. But an attacker can attack DNS and graft the domain name onto a non-existent or malicious site. The attacker can watch for all requests that hope to be translated into an IP address and answer them with a compromised machine; the interceptor then monitors traffic on that machine and captures passwords and the like. This is the so-called "phishing".

Attacks on DNS also include DNS cache poisoning. Although the paper does not cover it, this type of attack is a great threat. Its main method is to make the DNS server cache false DNS records.
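An added example (not from the page or the paper) of the checks a caching resolver applies before accepting a response, so that a reply which does not match an outstanding query, or which carries records outside the answering server's zone, never reaches the cache; the message structures and the sample exchange are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

Record = Tuple[str, str, str]   # (owner name, type, value)


@dataclass
class Query:
    txid: int        # 16-bit transaction id chosen by the resolver
    src_port: int    # randomized source port of the query
    qname: str
    server: str      # address of the server the query went to


@dataclass
class Response:
    txid: int
    dst_port: int
    src: str
    qname: str
    answers: List[Record] = field(default_factory=list)
    additional: List[Record] = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if name is zone itself or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_records(q: Query, r: Response, zone: str) -> List[Record]:
    """Records safe to cache from r, given that it answers q and came from a
    server authoritative for zone. Raises ValueError for a non-matching reply."""
    if (r.txid, r.dst_port, r.src) != (q.txid, q.src_port, q.server):
        raise ValueError("reply does not match an outstanding query")
    if r.qname.lower() != q.qname.lower():
        raise ValueError("question section does not match")
    # Drop any record whose owner name is outside the server's bailiwick.
    return [rec for rec in r.answers + r.additional if in_bailiwick(rec[0], zone)]


# Constructed exchange: the resolver asked example.com's server for www.example.com.
QUERY = Query(0x1234, 40001, "www.example.com.", "203.0.113.53")
REPLY = Response(0x1234, 40001, "203.0.113.53", "www.example.com.",
                 answers=[("www.example.com.", "A", "192.0.2.10")],
                 additional=[("login.bank.example.", "A", "198.51.100.66")])
```

The additional record for login.bank.example is the kind of planted entry poisoning relies on; the bailiwick rule discards it even though the rest of the reply is genuine.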

The article also describes FTP security issues. The author thinks FTP itself is not defective, but that users must pay more attention when deploying it. FTP uses a login and password combination for authentication, but this is only sent from the client to the server; there is no guarantee that the server likewise verifies itself to the client.


4. Common attacks

The author also describes some of the most common attacks on the Internet.

LANs have greatly alleviated the shortage of IP addresses, but they also bring many problems, such as LAN vulnerabilities. If a local area network uses ARP, attacks on the LAN are easy to carry out. ARP resolves network-layer addresses to data-link-layer addresses; once an attacker turns that mapping into whatever they want, normal communication is tampered with and the attack succeeds. This is the so-called ARP spoofing. The root cause is that ARP has no authentication: any computer on the network can claim to be the IP address named in a request. Once a computer receives the ARP reply and updates its ARP table, the computers on the LAN can no longer communicate normally.

The problem stems from the lack of authentication; once authentication is used, for example by trusting only a defined group of users, ARP spoofing is no longer so easy.

Another solution is a static ARP table, which rules out the attacker's forged replies, but the table must be distributed uniformly by the administrator.
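An added Python example, not from the page or the paper, of a passive ARP monitor that turns the two defenses above into detection: it alerts when a reply changes a learned IP-to-MAC binding or contradicts an administrator's static table. The addresses and the sequence of replies are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ArpReply:
    sender_ip: str     # the IP address the sender claims to own
    sender_mac: str    # the hardware address it wants bound to that IP


class ArpMonitor:
    """Passive monitor: learns IP-to-MAC bindings from replies and alerts when
    a binding changes or contradicts the administrator's static table."""
    def __init__(self, static: Optional[Dict[str, str]] = None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.learned: Dict[str, str] = {}

    def observe(self, r: ArpReply) -> Optional[str]:
        mac = r.sender_mac.lower()
        # A static entry is authoritative: anything else claiming that IP is forged.
        pinned = self.static.get(r.sender_ip)
        if pinned is not None and pinned != mac:
            return f"static violation: {r.sender_ip} claimed by {mac}, pinned to {pinned}"
        alert = None
        old = self.learned.get(r.sender_ip)
        if old is not None and old != mac:
            alert = f"binding change: {r.sender_ip} {old} -> {mac}"
        self.learned[r.sender_ip] = mac
        return alert


def alerts_for(replies: List[ArpReply], static: Dict[str, str]) -> List[str]:
    mon = ArpMonitor(static)
    return [a for a in (mon.observe(r) for r in replies) if a is not None]


# Constructed static table (the gateway, as an administrator would pin it)
# and a constructed sequence of replies seen on the segment.
STATIC = {"10.0.0.1": "aa:bb:cc:00:00:01"}
REPLIES = [
    ArpReply("10.0.0.1", "aa:bb:cc:00:00:01"),   # gateway, matches static entry
    ArpReply("10.0.0.7", "aa:bb:cc:00:00:07"),   # host first seen
    ArpReply("10.0.0.7", "de:ad:be:ef:00:01"),   # same IP, new MAC
    ArpReply("10.0.0.1", "de:ad:be:ef:00:01"),   # gateway IP claimed by another MAC
]
```

A binding change is only a signal, since hosts do legitimately change network cards or DHCP leases; a static-table violation for a pinned address such as the gateway is the stronger indicator.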


From the attacks above, the main defenses can be summarized into the following categories: authentication, encryption and trust systems.

From the analysis in this article, several things are clear. First, relying on the IP source address to verify the communicating party is not reliable. Second, the way sequence numbers are chosen is not secure; sequence numbers must not be easy for others to learn, even for users of the machine itself. Third, some control mechanisms on the Internet appear to guarantee the integrity of communication but do not guarantee its security, so they must be given adequate protection when used, lest attackers exploit them.
