SlideShare ist ein Scribd-Unternehmen logo

Report on TCP vulnerabilities

Prakhar Bansal
Prakhar Bansal

Please read and write ur reviews in comments.

1 von 33
Downloaden Sie, um offline zu lesen
TCP Vulnerabilities and IP Spoofing: Current Challenges and Future Prospects Colloquium Report Submitted in Partial Fulfillment of the Requirements for the Degree of Masters of Technology Submitted by Prakhar Bansal Registration No. - 2011CS29 Computer Science and Engineering Department Motilal Nehru National Institute of Technology Allahabad, Allahabad -211004, India October 2012
Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 3 Related Research Work . . . . . . . . . . . . . . . . . . . . . . . . . 2 4 TCP Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1 TCP Header . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.2 Establishing a TCP Connection . . . . . . . . . . . . . . . . 7 4.3 Closing a TCP Connection . . . . . . . . . . . . . . . . . . . 7 4.4 SYN Flooding Attack . . . . . . . . . . . . . . . . . . . . . . 8 5 ARP Cache Poisoning Attack . . . . . . . . . . . . . . . . . . . . . 12 5.1 ARP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5.2 Theory of Operation . . . . . . . . . . . . . . . . . . . . . . 14 5.3 Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . 14 6 LOT: Light-weight Opportunistic Plug and Play Secure Tunneling Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 6.1 Communication Model . . . . . . . . . . . . . . . . . . . . . 16 6.2 Handshake among Gateways . . . . . . . . . . . . . . . . . . 18 6.3 LOT Packet Structure . . . . . . . . . . . . . . . . . . . . . 21 7 Observation and Discussion . . . . . . . . . . . . . . . . . . . . . . 21 7.1 Redefinition of TCP Three-way Handshake . . . . . . . . . . 21 7.2 Redefinition of ARP Protocol . . . . . . . . . . . . . . . . . 24 8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Bibliography 27 1
List of Figures 1 TCP header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2 Three-way handshake . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3 Sequence states of client side TCP . . . . . . . . . . . . . . . . . . . 9 4 Sequence states of server side TCP . . . . . . . . . . . . . . . . . . 9 5 ARP header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 6 Huang solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 7 LOT communication model . . . . . . . . . . . . . . . . . . . . . . 17 8 Phase 1: hello phase . . . . . . . . . . . . . . . . . . . . . . . . . . 19 9 Phase 1: network block validation phase . . . . . . . . . . . . . . . 20 10 Redefinition of TCP three-way handshake . . . . . . . . . . . . . . 22 11 Redefinition of TCP three-way handshake . . . . . . . . . . . . . . 23 12 Redefinition of ARP protocol . . . . . . . . . . . . . . . . . . . . . 24 2
Abstract With the invent of computer systems, the need of communication becomes essential. Standard communication protocols are developed to provide communi- cation over computer networks. Protocols are predefined formal systematic rules required for an effective communication. Billions of people are interconnected with Internet via these protocols. But what if these protocols are themselves vulnerable to various types of attacks. Attacks from hacktivist groups like ‘Anonymous’ are increasing day by day. Moreover the arsenal of hacking groups is growing rapidly. Today the attacks are more dangerous and concentrated, packets/second rate has been increased and attacks are more distributed [1]. There is also a significant growth in frequency of attacks mainly distributed denial of service attacks (DDoS attacks) and IP spoofing attacks. There is 50% increase in DDoS attacks in the first quarter of 2012 in comparison to same quarter last year [2]. According to Norton cybercrime report 2012, cybercrime costs $110 billion globally out of which $8 billion to India [3]. Today all countries are spending huge percentage of their GDP to improve cyber security. In this fiscal year 2012-13, India spent 37.7 crores on cyber security [4]. United States has proposed $800 million for cyber security in next 2013 fiscal budget [4]. Attackers are able to perform cyber attacks due to vulnerabilities in existing protocol structure. If we focus on these protocols then need of government spend- ing on cyber security would be less. This report focuses on vulnerabilities in protocols, mainly Transmission Con- trol Protocol (TCP) and Address Resolution Protocol (ARP), exploiting probable attacks and there counter measures. At last report discusses LOT, light weight opportunistic plug and play secure tunneling protocol to be deployed at network gateways in order to defend against IP spoofing and flooding attacks.
1 Introduction Cyber security is becoming a major challenge to today's computing world. Ac- cording to ‘Norton cybercrime report 2012’, there are 556 million victims/year, 1.5+ million victims/day and 18 victims/second affected by cybercrime. 2 out of 3 on-line adults have been victim of cybercrime in their lifetime. The global price tag of cybercrime has reached up to $110 billions, $197 average cost/victim. cyber- crime costs USA $21 billion, $46 billion to China, $8 billion to Brazil, $2 billion to Russia, Australia and Mexico each, and $8 billion to India. More than 42 million people in India have been victimized by cybercrime in last 12 months [3]. Accord- ing to BBC report, UK businesses lose around £21 billion a year to cybercrime [5]. According to report published by international research scientists from University of Cambridge, ‘Measuring the cost of cybercrime’ on 18 June, 2012, government should spend more on policing the Internet rather than spending on security and catching cyber criminals [6]. Recent attacks are more sophisticated and distributed in nature. Websites for Department of Justice and the FBI were attacked by Anonymous on Jan 19, 2012 in response to the shut down of the file sharing website Megaupload and bill Stop Online Piracy Act (SOPA). Anonymous used “Low Orbit Ion Cannon”(LOIC) to attack supporters of SOPA on January 19, 2012. Group claimed this to be their largest attack with over 5,635 people participating in the DDoS attack via LOIC [anonymous archives]. Attacks that exploits TCP vulnerabilities exceeds in large number in past. Anonymous attacks on facebook on October 12, 2012, which leads facebook to shutdown in Europe. Group also attacks on many Indian websites including website for supreme court of India and other national political parties in response to Internet censorship. May be their intention is right, but this exploits how vulnerable our protocols are. Transmission Control Protocol (TCP) is an end-to-end, connection oriented, reliable transport layer protocol. TCP is designed to support multiple network applications and provides reliable interprocess communication between processes in host computers in interconnected computer networks. Cerf and Kahn, firstly describes the concepts of TCP [7]. But TCP and many other protocols are vul- nerable to attacks leading billions of people on stake. Virtually all applications use the concepts of TCP and are therefore on risk. Researches are still going on security problems of core protocols [8]. 1
2 Problem Statement To design a reliable, scalable and secure network. The network which no one can spoof, no one can flood and no one can hack. The need of secure, scalable and reliable communication network becomes very important today. The network which no one can spoof, no one can flood or no one can hack is very big challenge. Leon Panetta, Defense Secretary, USA said that next 9/11 attacks could be cyber attacks on 12th October, 2012. Protocol vulnerabilities is one of the long standing major challenge in network communication. Recent report from Prolexic states that their is a 88 % increase in attacks since last year [9]. The attacks from groups like ‘Anonymous’ are increasing day by day. Although intention of anonymous may seem to be good but their way to make our network down is wrong. These attacks shows that how vulnerable our network protocols are. The focus of this report is to study the vulnerabilities in TCP and ARP protocol and to discuss a solution suggested by Yossi Gilad and Amir Hergberg to install LOT protocol on network gateways. 3 Related Research Work TCP is based on concepts firstly described by Cerf and Kahn [7]. In September 1981, Defense Advanced Research Projects Agency (DARPA) proposed Transmis- sion Control Protocol as a transport layer protocol in RFC 793 which standardizes the basic mechanism and policies of TCP. RFC 1122 provides clarifications and errata for the original [8]. RFC 4987 published on August 2007 contains the discussion on TCP SYN flooding attacks [10]. In 1994 Bill Cheswick and Steve Bellovin [bellovin 94] dis- covered the weaknesses in TCP implementations [11]. SYN flooding attack are firstly highlighted in Phrack magazine in 1996 [12]. Kevin Mitnick, exploits DDoS attack known as Mitnick-Shimomura attack firstly [13]. In February 2000, mafiaboy, 15 years old Michael launched ‘Project Rivolta’, which took down the websites of four giants yahoo, CNN, ebay, dell and amazon, and threatens the entire world about TCP SYN flooding attacks. In april 1989, article entitled ‘Security problems in the TCP/IP protocol suite’ by S.M. Bellovin, AT & T Bell Labs, exploits various vulnerabilities in TCP [14]. 2
In 2002, Lemon proposed ‘syn-cache’ approach which aims to reduce amount of state information maintained for connections in the SYN-RECEIVED state, and allocates full Transmission Control Block (TCB), data structure usually in kernel which is used to store all the information related to TCP connection [7], only after connection has transited to ESTABLISHED state [15]. In 1996, Bernstein proposed ‘syn-cookie’ approach which eliminates the need of maintaining state information at server side in SYN-RECEIVED state. It uses the encrypted cookie based on information of client in establishing the three-way handshake [16]. In 2002, Zquete describes mechanism for improving the functionality of SYN cookies [17]. Ingress filtering is proposed in RFC 2267 to stop IP spoofing and related work is done by Baker and Savola in 2004 [18]. Ingress filtering technique ensures that packets that are coming are originated from same network from which they claimed [18]. However, Beverly and Bauer in 2005 found that lack of ingress filtering on ISP’s are still quite common [19]. F. Gont proposed the minor extensions in TCP in his draft, ‘Survey of Security Hardening Methods for Transmission Control Protocol (TCP) Implementations’, published on March 13, 2012 [8]. Yanyan Li and Keyu Jiang, in paper, ‘Prospect for the future Internet – A study based on TCP/IP vulnerabilities’, discusses ARP cache poisoning and SYN flooding attack [20]. S. Gavaskar, R. Surendiran and E. Ramaraj proposed Three Counters Algo- rithm in 2010 [21] for SYN flooding attacks. Dommetry in 2000 proposed tunneling protocol mechanisms [22]. Savage, Snorean and Dean suggests packet marking techniques in early 2000’s [23]. Yossi Gilad and Amir Herzberg from Bar-Ilan university presented LOT, a lightweight opportunistic plug and play secure tunneling protocol to be deployed at network gateways. Tunnels are formed when LOT is installed on gateways. LOT tunnels allow allows gateways to discard packets that are spoofed IP addresses. LOT helps to mitigate attacks such as DNS poisoning, network scans, flooding attacks and denial of service (dos) attacks [24]. 3
4 TCP Vulnerabilities Transmission Control Protocol (TCP) is deployed as a standard interprocess com- munication among the communicating hosts in the networks. TCP is described in RFC 793 [7]. TCP is a connection- oriented, end-to-end reliable protocol de- signed support communication between pairs of processes in distinct host comput- ers which are interconnected via communication network. From the day it was proposed and till date, it was updated, modified via several RFCs and drafts but still it is vulnerable to various network attacks. During the last thirty years many vulnerabilities have been identified in TCP protocol implementations, which is the core platform for most of the current ap- plications [14]. TCP has been gone through levels of modifications, it is being updated and modified from time to time, but still it is vulnerable to several at- tacks. 4.1 TCP Header TCP segments are sent as internet datagrams. TCP header follows IP header and contains information only for TCP protocol. IP header carries information about source and destination host addresses. The minimum TCP header size should be 20 bytes with no options and no data. segment.size >= 20 If a segmment doesn’t pass this check, it will be eventually dropped. • Source Port Number: 16-bit source port address. • Destination Port Number: 16-bit destination port address. Researches [25] has shown that port numbers on the server and client must be distinct. For the client to communicate they must know the server port number, so the server port number is actually open. • Sequence Number: 32-bit number. If SYN bit is not set, sequence number of the first data octet in the segment. If SYN bit is set, sequence number is initial sequence number (ISN) and first data octet is ISN+1. 4
Figure 1: TCP header [7] Attackers can exploit various attacks via predicting sequence numbers. Mor- ris in 1985 was first to descricbe sequence number prediction attacks. 1995, Kevin Mitnick attack on Shimomura exploits this vulnerability. RFC 6528 entitled ‘Defending against sequence number attacks’ discusses this in great detail [26]. • Acknowledgement Number: 32-bit number. If ACK bit is set, acknowledgement number is sequence number of next seg- ment which sender of acknowledgement is expecting. • Data Offset: 4-bit number, indicates where data begins in TCP header. • Reserved: 3-bits reserved for future needs. These bits must be 0. • Control bits: 8-bits. The combinations of control bits can cause malfunc- tion of some implementations. Sometimes any unusual combination can lead system to crash [27] [28]. – NS bit: Nonce Sum, is an optional addition to Explicit Congestion Noti- fication (ECN) that protects against accidental or malicious concealment 5
of marked packets from the TCP sender. It improves the robustness of congestion control by preventing receivers from exploiting ECN to gain an unfair share of network bandwidth. It is defined in RFC 3540 [29]. – CWR bit: via Congestion Window Reduced (CWR) flag, data sender can inform the data receiver that the congestion window has been re- duced. It is defined in RFC 3168 and studied by Ramakrishnan [30]. – ECE bit: via an ECN-Echo (ECE) flag, data receiver can inform the data sender when a CE, Congestion Experienced (CE) packet has been received. Explicit Congestion Notification (ECN) is a addition in IP suggested in RFC 3168. [30] – URG bit: Urgent Pointer field significant. SIGURG is deliverd to corresponding process. – ACK bit: Acknowledgment field significant – PSH bit: Push bit, indicates that receiver should pass the data to the upper layer as soon as it reads PUSH bit is set. – RST bit: is used to request the abnormal close of a TCP connection. – SYN bit: is used for synchronization of sequence numbers in 3-way handshake procedure. Four different types of vulnerabilities can exploit use of SYN bit: SYN-flooding attacks, connection forging attacks, connection flooding attacks, and connection reset attacks. – FIN bit: is used for connection termination. It generates the signal to remote host indicating end of data transfer from generating side. Various resource exhaustion attacks can be done in connection termination phase of TCP. • Window Size: 16-bit number, advertises how many bytes of data the remote peer is allowed to send before a new advertisement is made. • Checksum: The checksum field is the 16 bit one’s complement of the one’s complement sum of all 16 bit words in the header and text. Segments with invalid checksum, if flooded on host computer could not cre- ate state information at the firewall. [31] describes the exploitation of TCP checksum for performing firewall evasion and DoS attacks. 6
• Urgent Pointer: 16-bit field. tells the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only be interpreted in segments with the URG control bit set [7]. [32] originally describes TCP urgent pointer could be exploited for DoS attacks, which are dangerous enough to lead the system crash. • Options: These are of variable length. Options may lie in the end of TCP header. • Padding: These are of variable length. Paddings are composed of zeros embedded to ensure the boundary between header and data. • Data: The usable data which hosts actually wants to communicate. 4.2 Establishing a TCP Connection The process on client host which wants to send data to server host which is on some communication network first inform the client TCP. Server must be in LISTEN state at some known port on some host whose address also must be known. The three-way handshake procedure is used for establishing the connection. 4.3 Closing a TCP Connection TCP connection can be terminated in three cases: • Local user initiates by telling its TCP to close the connection. Local user creates FIN segment and place it on outgoing segment queue. Now, TCP accepts no further sends. and enters in FIN-WAIT-1 state. How- ever, receives are allowed in this state. All segments sent before FIN will be retransmitted until acknowledged. When another TCP sends the FIN of its own, first TCP acknowledge it. TCBs will be deleted by both the TCPs. • Remote TCP initiates by sending a control signal FIN. TCP can receive a FIN segment from remote network, receiving TCP ac- knowledge it. State is transited to CLOSE-WAIT. Local user after finishing its own data to be sent, send FIN and TLBs will be deleted after receiving ACK of FIN. 7
Figure 2: Three-way handshake • Both users close simultaneously. Both users send FIN segment at the same time. When all the data segments preceding these segments are processed and acknowledged, both TCP send ACK of FIN they received. On receiving these ACKs, both delete TCBs. 4.4 SYN Flooding Attack 4.4.1 Theory of Operation Bill Cheswick and Steve Bellovin in 1994 discovered TCP SYN flooding vulner- ability [11] [10]. Kevin Mitnick's Shimomura attack [13] in 1995 and attacks on ISP's mail servers in 1996 caused TCP SYN flooding well known [10]. TCP uses ‘three-way handshake’ for connection establishment between two 8
Figure 3: Sequence states of client side TCP [7] 9 Figure 4: Sequence states of server side TCP [7]
distinct computing systems. According to RFC 793 [7], server side TCP that is in LISTEN state, when receives a SYN segment from client side TCP, it would be transited to SYN-RECEIVED state. It must maintain the record of initial sequence number (ISN) of client and other information in the Transmission control block (TCB), and respond to client with SYN and ACK [7]. TCB is the data structure within the kernel of system used to store all information corresponding to TCP connection [7]. SYN flooding attack is to exhaust the memory at attacked system by sending large number of SYN requests with spoofed IP addresses so that real users can not access the server [8]. Large number of SYN segments from forged IP addresses exhaust the memory needed for storing TCBs. The main point is that attacker don’t want to establish the three-way handshake at all. He will use forged source IP address for SYN segments typically, concealing his own IP address. Server sends back acknowledgement and its own SYN segment telling its own ISN in response of SYN segment generated by attacker. If the forged IP address corresponds to some reachable system then this reachable system responds with RST segment which cause the connection to abort because its states are different. However, if forged IP address is unreachable no reply will come and server will keep sending SYN/ACK segment for each request until timeout occurs and connection aborts. The success of SYN flooding attack also lies on three things: [10] • Barrage Size Barrage size must be large enough to lead the port queue full and reach the backlog. Backlog is number of connections pending in half-open state. • Frequency For a effective SYN flooding attacks new SYN segments must needs to be send before TCBs of previous segments began to reclaimed. • IP Addresses The success of SYN flooding attack lies in unreachable and large set of IP addresses called ‘Botnet’. Attackers usually ping the IP addresses before using them for attack via sending ICMP echo request and if ICMP echo response come back, then that IP will not be used to perform attack. 10
4.4.2 Countermeasures • Filtering Ingress filtering defined in RFC 2267 is suggested for preventing attacker to use set of wide range of forged IP addresses [18]. Ingress filtering ensures that the packet arrives from the same network from which it claims to be. This is the best way without needing any modification in TCP. • Increasing Backlog Increasing the backlog implies increasing the capacity to hold number of half-open connections is an easy way to deal with SYN flooding attack. But Lemon has shown that this can have serious negative affect on the system state as generally data structures and algorithms are inefficient to deal with increased backlog [15]. This is needed to be note here that experiments with increased backlog with efficient data structures and algorithms are not studied yet [10]. • Reducing SYN-RECEIVED Timer Reducing the SYN-RECEIVED timer leads to claim the TCBs early. How- ever, this may leads some legitimate users not to create connection. • Recycling the Oldest Half-Open TCB This implies that once the entire backlog is exhausted, incoming SYNs over- write the oldest half-open TCB entry. But this may lead to disconnect pre- viously established legitimate connections. • SYN Cache SYN cache approach reduces amount of state information maintained for connections in the SYN-RECEIVED states and allocates full Transmission control block (TCB) only after the connection has been transited to the ESTABLISHED state. Hosts implementing a SYN cache have some secret bits that they select from incoming SYN segments. The secret bits are hashed along with the IP addresses and TCP ports of the segment, and the hash value determines the location in a global hash table where the incomplete TCB is stored. There is a limit for each hash value, and when this limit is reached, the oldest entry is dropped [16]. • SYN Cookies 11
SYN cookies allocates no state at all for connections in SYN-RECEIVED state. This technique encodes most of the information required to complete the three-way handshake into the sequence number of SYN/ACK segment transmitted. Thus no TCB reserved at site. If SYN was not spoofed, then the acknowledgement number and other fields in ACK that completes handshake used and put into the TCB [15]. Drawbacks: – It provides the limited number of space in the sequence number field and it is very difficult to encode all the information in initial segment. for ex; support for selective acknowledgement (SACK). – If the SYN/ACK segment sent is lost then normal TCP will retransmit it after timeout as their is a state information at site, but if SYN cookies are enabled there will be no state and re-transmission is impossible. – Yanyan Li and Keyu Jiang [20] suggests one more drawback that is ACK flooding attack. 5 ARP Cache Poisoning Attack 5.1 ARP Protocol The Address Resolution Protocol (ARP) was originally published in RFC 826 by David C. Plummer from MIT in 1982 [33]. To communicate with the host on a network we must know the 48-bit ethernet address (MAC address) of the host. ARP protocol maps network addresses (IP) to ethernet addresses (MAC). Host which wants to know the physical address of target host, broadcasts ARP request on the network. ARP request actually asks ‘any one who has this IP address, reply with your MAC address’. The host with the given IP unicast ARP reply. The request generating host caches the <IP, MAC> pairing in its ARP table. ARP cache is a data structure for storing IP addresses with corresponding MAC addresses. ARP cache entries expires after some time (in most implementations 20 minutes). 12
Figure 5: ARP header [33] 13
5.2 Theory of Operation ARP protocol is a stateless protocol. When an ARP reply is received, the host updates its ARP cache even if the host had not issued a corresponding ARP request. It means ARP reply is not needed to be authenticated. Most important point is that this false ARP reply is reflected in ARP cache as soon as host receives it. However, some implementations check that whether ARP table has some entry for this IP address before or not. Once the host updates its ARP table, the attacker also gets the packets intended for some other system. 5.3 Countermeasures • Huang T. and Bai G. in 2008 in their paper, ‘Method against ARP spoof- ing based in improved protocol mechanism’ suggests state in ARP protocol. When the ARP request is sent the state of the the ARP protocol changes to REQUEST-SENT from INITIAL with a timer activated. When ARP reply comes the state of the ARP changes to RESPONSE-RECEIVED and then the cache is updated. If reply doesn't arrives and times out then, it backs to INITIAL state [34]. Figure 6: Huang solution [34] DISCUSSION: This procedure will prevent host from ARP spoofing through instantaneous ARP reply. However, when host is in REQUEST-SENT state, it is vulnerable to attacks. • Some firewall and router manufactures have procedure in their products to detect the ARP spoofing attacks and tell the user but its not enough. soft- 14
wares like arp-guard are in market to recognize changes in the ARP tables and send these changes to the management system. arp-guard system analyzes and processes the sensor network messages [35]. • Vipul Roy and Rohit Tripathi in 2005 suggests the use of combinations of dig- ital signatures and one-time passwords based on hash chains [36]. However, use of cryptography makes this complex. • Seung Yeob Nam in 2010 proposed voting-based resolution mechanism to prevent ARP attacks. This suggests host before updating its own table, firstly asks other neighboring hosts about the MAC address of respective host in their ARP table [7]. 6 LOT: Light-weight Opportunistic Plug and Play Secure Tunneling Protocol According to latest Prolexic Quarterly Global DDoS Attack Report, Quarter 3, 2012, there is a significant increase of 88 % in total number of Distributed Denial of Service (DDoS) attacks in comparison from last year. The duration of attack is also tremendously increased to 33 hours from 19 hours. Also, there is 230 % increase in average attack bandwidth in comparison to last year. China remains at number 1 attack originating country with total 68.08 % of whole share and 8973 autonomous system network [9]. Hacking activist group ‘Anonymous’ attacks are also increased significantly from the past few years. This shows the weaknesses in the architecture of our network. LOT is a light-weight opportunistic plug and play secure tunneling protocol for secure and forging free communication. LOT is needed to be installed at communi- cating network gateways. Once installed one gateway would establish an efficient tunnel for secure communication with another gateway. Another participating gateway will be detected automatically [24]. LOT tunnels provides efficient solution for IP spoofing and discards packets that are originated from forged IP addresses. Thus this makes network free from denial of service and flooding attacks. LOT gateways implements local and remote quotas for particular network. In 15
this way it prevents from packet floods from specific network. Moreover attack originated network would be hindered itself. Furthermore, LOT uses near source filtering, which allows gateways more specifically LOT gateways to block certain types of packets permanently or tem- porarily. This can be done by manual or automatic configuration based on some learning mechanism (if congestion is greater than certain limit and it is due to large number of SYN segments, let them not allow to come). This prevents from network scans and attacks like DNS reflection. LOT has congestion detection mechanism between gateways. If a packet drop rate is higher in between tunnels then there might be congestion in the network. We can take appropriate action afterwards. This helps mitigating denial of service attacks. RFC 2267, suggests the use of ingress filtering by all the ISPs in the world. Ingress filtering enables us to check whether the packet comes from same network from which it claims to be from [18]. Advanced Network Architecture Group does a survey in 2011, according to this most of the ISPs have not yet installed ingress filtering mostly in developing countries. Lack of ingress filtering support and IP spoofing is very high. LOT installed gateway adds a pseudo random tag to each packet it sent to other LOT gateway. Another communicating gateway discards the packet without the tag or if mismatch occurs. It indicates that it is not originated from the same network block from which it pretends to be. Thus LOT prevents us from forged packets and defends against many denial of service attacks. LOT is practical, requires no coordination between gateways, plug and play protocol [24]. The code prototype is available online at url: ‘http://lighttunneling.sourceforge.net’. 6.1 Communication Model As RFC 791 ’Internet Protocol’ by Jon Postel in September 1981 tells IP address has address space {0, 1}32 [37], LOT protocol states that every entity in network has address space S of {0, 1}l . Each d ∈ S is an address. Network block address space B, where B ⊆ S, is in address space of S if, ∃P, a prefix, P∈ {0, 1}l , l’<l and ∀d, if d ∈ B, then it also holds d ∈ S and d has a prefix P. It is similar to CIDR notation [24]. 16
Network entities are either LOT gateways or hosts behind the network blocks. Each and every entity e is associated with a single network block N B(e) ⊆ S. Any host must belong to single address and must belong to network block |N B(h) = 1|. Figure 7: LOT communication model [24] Two network entities e1 and e2 are said to be peer iff, • N B(e1 ) ⊂ N B(e2 ) and N B(e1 ) N B(G) N B(e2 ) means, for eg; entities A, C are peers. • N B(e2 ) N B(e1 ), N B(e1 ) N B(e2 ) and N B(e1 ) N B(G) or N B(e2 ) N B(G) for eg; entities F, G and A, D are peers. Network entities send and receive messages via source address ‘src’ and desti- nation address dst. When a message is sent from source ‘src’ towards destination ‘dst’, it reaches to next peer entity e.next(dst) and so on till it reaches to destina- tion. 17
6.2 Handshake among Gateways LOT uses stateless handshake procedure for establishment of tunnel between gate- ways. If there are more than one gateways between two network blocks, individual tunnel is established between them and for each LOT tunnel it is required to handshake first. Handshake between two gateways consists of two phases: • Hello Phase: Once gateway find another gateway it checks the potential to establish a LOT tunnel. Gateway identifies the network block behind gateway. • Network Block Validation: Network block is behind the gateway. In this phase each gateway has to prove that it can intercept packets sent to network block behind it. After handshake gateway receives a proof from other gateway that validation is done successfully and tunnel is established. 6.2.1 Hello Phase Let’s take two gateways, hosts in network blocks associated to them wants to communicates. Gateway A forwards any arbitrary packet from host A behind it, to host B which belongs to some network block which is not associated with gateway A, say gateway B. This triggers LOT on originating gateway. Gateway begins handshake by sending hello message to host B. This message is intercepted by another gateway on the network, gateway B and it responds. To reduce the possibility of LOT overhead, Hello requests are sent with very low probability. Hello request consists of current time, description of network block behind gateway and a cryptographic cookie - cookie A, generated by gateway A. Cookie is generated by pseudo-random function computed over ‘destination address’ and ‘current time’. Network block belongs to some address space {0, 1}l . A network block is described by (baseaddr,l). When gateway B intercepts hello request, it sends reply with possibility q ≈ 1. Hello response generated by gateway B contains description of network block associated, cookie A and time A. The hello reply is authenticated by gateway A's cookie. 18
Figure 8: Phase 1: hello phase [24] Cookie A sent back in response allows gateway A to keep no state and rest state- less. This stateless approach make sure that no resources are allocated at sender side makes it free from resource exhaustion attacks, like in three-way handshake it may occur [7]. 6.2.2 Network Block Validation Network block is validated by gateway, say gateway A to ensure that whether other gateway , say gateway B can intercept the traffic sent corresponding to its network block. Validation process is done in several iterations, each iteration validates one host selected randomly on the network block. However for the sake of reducing overhead, protocol validates only a portion of the addresses and not the entire network block. The most important benefit here is that it maintains no state at sending side when validating a network block and also it send at most a single packet in response for every packet received. This prevents it from DoS attacks. 19
Figure 9: Phase 1: network block validation phase [24] Design: Each gateway knows network blocks associated with other gateways. Gateways is network validation phase must be agreed on n, number of iterations. To deal with the possibility of DoS attacks the global constant on maximum iterations is set as nmax . Each gateway sends one packet to a random address from target network block. Since there could be at most 2 ∗ nmax packets that can be sent out in nmax iterations. This creates limit on number of packets that can be sent. To avoid network load problem to initiates handshake, handshakes are initiated with probability 1/2nmax . The packet contains a random cookie as challenge, if gateway corresponds to same network block it can intercept the packet otherwise not. Pseudo-random based function is used to derive destination address and cookie. Response of previous challenge is included in the next challenge. When gateway receives a challenge intercepts a challenge it checks its own cookie by reconstructing it on its site. In order to reconstruct gateway uses its secret key and the parameters used 20
to create the cookie, extracted from response such as time. After gateway successfully checks the validity of the response, it chooses a new random destination address in remote network and sends a new challenge. In order to get validated the new challenge, gateway also echoes previous cookie and time, iteration number i and maximum number of iterations agreed upon. This process of challenge and response is repeated n times. 6.3 LOT Packet Structure In order to encapsulates LOT in a packet, there is a significant modification in IP header and data. Some of the major changes in original packets are as follows: • IP flags: DF and MF flags are always unset in IP Header as LOT does not allow packet fragmentation within the LOT tunnel. • Protocol Type (Transport Layer Protocol): To indicate that the packet is encapsulated using LOT, this field is modified. LOT gateways can pass not only encapsulated packet but also non-encapsulated packet. • LOT Header: A LOT header is attached with the packet. The most signif- icant bit of LOT header is outgoing periodic tag. Field for reconstruction of the original packet including IP flags and transport protocol. Field that allow receiving-end gateway to reconstruct the session key. 7 Observation and Discussion 7.1 Redefinition of TCP Three-way Handshake While studying TCP protocol, I observed few things in three-way handshake. These things are as follows: • The success of flooding attacks depends on frequency of SYN segments reach- ing at server side. Neither increasing backlog nor shortening acknowledge- ment waiting time at receiver side, will work as these could resist original user to establish a connection. 21
Figure 10: Redefinition of TCP three-way handshake Attackers usually send SYN flood messages from set of unreachable IPs. If IPs are reachable then that system will reply with RST segment and connection will be aborted. If the backlog is filling fast, why not we firstly ping the client before sending any reply. Pinging will ensure the IPs are atleast some existing system and not wasting our resources. So, I suggest to start pinging the IPs if the backlog is filling fast. We can set some threshold for it. • The SYN-cookie mechanism can be further improved so that there would be no need for maintaining state and allocating the memory. Hence, there is no need of TCBs. Client sends ‘SY N ’ to server. Server reply with ‘SY N/ACK/cookieserver ’. Server generates its cookie cookieserver via client IP address, port address and client request time and current time at server. Once it reaches to client, client accepts segment and send ‘ACK/cookieclient /cookieserver ’ to server. Server authenticates its cookie and validates client. All communication is done like this, no need maintaining any state. 22
Figure 11: Redefinition of TCP three-way handshake 23
• When there occurs a time-out when SYN/ACK is lost. Client should send the SYN packet again after time-out. Now, server treats it as a brand new request and creates a new cookie based on client details. • In Linux, SYN-cookie mechanism is disabled by default but it can be en- abled via changing value of variable sysctl.net.ipv4.tcp_syncookie to 1, in /etc/sysctl.conf file. 7.2 Redefinition of ARP Protocol ARP is a stateless protocol. It maintains no state of ARP queries and replies. The problem with ARP protocol is that it accepts any ARP reply and updates its ARP table as soon as any ARP reply received. Figure 12: Redefinition of ARP protocol • The probable solution of this problem is to maintain a new data-structure along with existing ARP table. This data-structure is a dynamic list which records all the ARP requests we send. 24
When a ARP reply came, before making any changes to ARP table we can check this list of outstanding requests. If we have sent any corresponding request asking MAC address for this IP, then we will confirm this ARP reply by asking few neighbors. According to their response we can decide whether to add it or not in ARP table. • We can furthermore improve ARP protocol via originating Reverse Address Resolution Protocol (RARP) for the MAC address comes in ARP response. If only one reply came and it matches its fine. But if more than one reply came, more than one IPs then there is something wrong and response can be discarded. But this can discard real user too. 8 Conclusion Recent network attacks has shown how vulnerable our networks are. Flooding, IP spoofing, cache poisoning attacks and denial of service attacks are becoming a significant threat. There is a tremendous increase in percentage of attacks from past few years. The duration of attacks is also increased significantly. The band- width of attack is also increased. It means this is becoming a serious challenge to mitigate these. Ingress filtering was suggested but not yet completely implemented by all ISPs. TCP SYN cache is good for reducing TCP SYN flooding attacks but it is very com- plex due to cryptographic implementations. It requires to maintain some state. TCP cookies can not retransmit the packet if it is lost as there is no state infor- mation. Huang suggestion for maintaining the state in ARP, somewhat good but still vulnerable. LOT protocol is best but it requires LOT protocol to be installed on mostly gateways on network. All gateways shares a secret key first through vulnerable network, this can be dangerous. LOT tunnels cannot pass over Network Address Translators (NATs). However NAT devices do not prevent LOT. It means on NAT tunnels will be formed to and from the NAT device. Now, the world is changing. The face of network communication is changing rapidly. Now use of smart-phones and embedded systems is increasing rapidly. Now, transactions are now done on smartphones. Smartphones technology is not yet matured. Cloud computing and mobile computing are attackers future targets. 25
Security in cloud computing is still a major issue. There is a need of reliable, scalable and fault-tolerant clouds both on system and mobile. Protocols are not much sophisticated and thus vulnerable to attacks. The research in developing sophisticated network protocols and applications is still very important area. So, the field is full of challenges and thrust for future research. 26
Bibliography [1] “Prolexic Quarterly Global DDoS Attack Report,” Quater 4, 2011. [2] “Prolexic Quarterly Global DDoS Attack Report,” Quarter 1, 2012. [3] “2012 Norton Cybersecurity Report,” [4] Department of Information Technology in http://www.indiabudget.nic.in, Ministry of Communications and Information Technology, 2012-13. [5] “Government to warn businesses about cyber crime threat,” BBC, 5 september 2012. [6] Ross Anderson and Chris Bardon, “Measuring the cost of cybercrime,” [7] Postel, J, “Transmission Control Protocol, RFC 793,” Defense Advanced Research Projects Agency, September, 1981. [8] F. Gont, “Survey of Security Hardening Methods for Transmission Control Protocol (TCP) Implementations,” Internet Draft, March 2012. [9] “Prolexic Quarterly Global DDoS Attack Report,” Quarter 3, 2012. [10] Eddy, W, “TCP SYN Flooding Attacks and Common Mitigations, RFC 4987,” Net- work Working Group, August, 2007. [11] Bennahum, D, “PANIX ATTACK,” [12] daemon9, route, and infinity, “Project Neptune,” vol. 7, , July, 1996. [13] Shimomura, T. , “Technical details of the attack described by Markoff in NYT,” in http://www.gont.com.ar/docs/post-shimomura-usenet.txt, Message posted in USENETs comp.security.misc newsgroup, 1995. 27
[14] S. M. Bellovin , “Security problems in the TCP/IP protocol suite,” vol. 19, ACM SIGCOMM Computer Communication, April, 1989. [15] Lemon, “SYN cookies,” in http://cr.yp.to/syncookies.html, read on 5 October, 2012. [16] Bernstein, D., “Resisting SYN flood DoS attacks with a SYN cache,” Proceedings of the BSDCon 2002 Conference, 2002. [17] Zquete, A., “Improving the functionality of SYN cookies,” 6th IFIP Communications and Multimedia Security Conference (CMS 2002), 2002. [18] P. Ferguson, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing,” RFC 2267, January 1998. [19] Beverly, R and Bauer, S., “The Spoofer Project: Inferring the extent of source address filtering on the Internet,” Proceedings of Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2005. [20] Li, Yanyan and Keyu Jiang, “Prospect of the Future Internet – A Study Based on TCP/IP vulnerabilities,” IEEE International Conference on Computing, Measure- menrt, Control and Sensor Network, 2012. [21] S.Gavaskar, R.Surendiran and Dr.E.Ramaraj, “ Three Counter Defense Mechanism for TCP SYN Flooding Attacks,” vol. 6, International Journal of Computer Appli- cations (0975 – 8887), September 2010. [22] Dommety, G., “ Key and sequence number extensions to GRE. RFC 2890,” The Internet Society. [23] Savage, S. and Wetherall, D, “Practical network support for IP traceback,” Proceed- ings of the ACM SIGCOMM Conference on Internet Measurement, 2000. [24] Gilad, Yossi and Hergberg, Amir, “LOT: A Defense Against IP Spoofing and Flood- ing Attacks,” vol. 15 of 6, ACM Transactions on Information and System Security, July 2012. [25] F. Gont and S. Bellovin, “ Defending Against Sequence Number Attacks,” TCP Maintenance and Minor Extensions (tcpm) , July 7, 2011. [26] F. Gont and S. Bellovin, “ Defending Against Sequence Number Attacks, RFC 6528,” TCP Maintenance and Minor Extensions (tcpm) , February 2012. 28
[27] Postel, J., “ TCP and IP bake off, RFC 1025,” September 1987. [28] Braden, B., “ Extending TCP for Transactions – Concepts, RFC 1379,” November 1992. [29] Spring, N., Wetherall, D., Ely, D., “Robust Explicit Congestion Notification (ECN) Signaling with Nonces. RFC 3540,” 2003. [30] Ramakrishnan, K., Floyd, S., and D. Black, “The Addition of Explicit Congestion Notification (ECN) to IP, RFC 3168,” September, 2001. [31] Ely, D., “Firewall spotting and networks analisys with a broken CRC,” in http://www.phrack.org/phrack/60/p60-0x0c.txt, Phrack Magazine, Volume 0x0b, Is- sue 0x3c, Phile 0x0c of 0x10., 2002. [32] Windows 95/NT DoS, “Post to the bugtraq mailing-list,” in http://seclists.org/bugtraq/1997/May/0039.html, , . [33] David C. Plummer, “n Ethernet Address Resolution Protocol – or – Converting Net- work Protocol Addresses to 48-bit Ethernet Address for Transmission on Ethernet Hardware RFC 826,” [34] Huang, T. and Bai, G., “Method against ARP spoofing baseed on improved protocol mechanism,” [35] “ARP Guard,” in https://www.arp-guard.com/info. [36] Vipul Goyal and Rohit Tripathy, “An Efficient Solution to the ARP Cache Poisoning Problem,” Springer-Verlag Berlin Heidelberg 2005. [37] Postel, J., “Internet Protocol, The Protocol Specification, RFC 791,” DARPA In- ternet Program. 29

Empfohlen

TCP Vulnerabilities
TCP VulnerabilitiesTCP Vulnerabilities
TCP VulnerabilitiesPrakhar Bansal
 
Profile_Prateek
Profile_PrateekProfile_Prateek
Profile_PrateekPrateek Mathur
 
CMIT 321 QUIZ 1
CMIT 321 QUIZ 1CMIT 321 QUIZ 1
CMIT 321 QUIZ 1HamesKellor
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
 
Sinnreich Henry Johnston Alan Pt 3
Sinnreich Henry Johnston Alan Pt 3Sinnreich Henry Johnston Alan Pt 3
Sinnreich Henry Johnston Alan Pt 3Carl Ford
 
A43030104
A43030104A43030104
A43030104IJERA Editor
 
BasepaperControlling IP Spoofing through Interdomain Packet Filters
BasepaperControlling IP Spoofing through Interdomain Packet FiltersBasepaperControlling IP Spoofing through Interdomain Packet Filters
BasepaperControlling IP Spoofing through Interdomain Packet Filtersbhasker nalaveli
 
Network Monitoring with Wireshark
Network Monitoring with WiresharkNetwork Monitoring with Wireshark
Network Monitoring with WiresharkSiddharth Coontoor
 

Empfohlen

TCP Vulnerabilities
TCP VulnerabilitiesTCP Vulnerabilities
TCP VulnerabilitiesPrakhar Bansal
 
Profile_Prateek
Profile_PrateekProfile_Prateek
Profile_PrateekPrateek Mathur
 
CMIT 321 QUIZ 1
CMIT 321 QUIZ 1CMIT 321 QUIZ 1
CMIT 321 QUIZ 1HamesKellor
 
Telecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsTelecom security from ss7 to all ip all-open-v3-zeronights
Telecom security from ss7 to all ip all-open-v3-zeronightsP1Security
 
Sinnreich Henry Johnston Alan Pt 3
Sinnreich Henry Johnston Alan Pt 3Sinnreich Henry Johnston Alan Pt 3
Sinnreich Henry Johnston Alan Pt 3Carl Ford
 
A43030104
A43030104A43030104
A43030104IJERA Editor
 
BasepaperControlling IP Spoofing through Interdomain Packet Filters
BasepaperControlling IP Spoofing through Interdomain Packet FiltersBasepaperControlling IP Spoofing through Interdomain Packet Filters
BasepaperControlling IP Spoofing through Interdomain Packet Filtersbhasker nalaveli
 
Network Monitoring with Wireshark
Network Monitoring with WiresharkNetwork Monitoring with Wireshark
Network Monitoring with WiresharkSiddharth Coontoor
 
Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)Bhargu Bhargavi
 
internet applications
internet applications internet applications
internet applicationsSrinivasa Rao
 
Controlling ip spoofing through inter domain packet filters(synopsis)
Controlling ip spoofing through inter domain packet filters(synopsis)Controlling ip spoofing through inter domain packet filters(synopsis)
Controlling ip spoofing through inter domain packet filters(synopsis)Mumbai Academisc
 
Review of black hole and grey hole attack
Review of black hole and grey hole attackReview of black hole and grey hole attack
Review of black hole and grey hole attackijma
 
A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...
A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...
A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...ijdpsjournal
 
Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...
Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...
Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...IDES Editor
 
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-JM code group
 
AODV protocol and Black Hole attack
AODV protocol and Black Hole attackAODV protocol and Black Hole attack
AODV protocol and Black Hole attackRaj Sikarwar
 
Public Key Cryptosystem Approach for P2P Botnet Detection and Prevention
Public Key Cryptosystem Approach for P2P Botnet Detection and PreventionPublic Key Cryptosystem Approach for P2P Botnet Detection and Prevention
Public Key Cryptosystem Approach for P2P Botnet Detection and PreventionIJERA Editor
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
Cldap threat-advisory
Cldap threat-advisoryCldap threat-advisory
Cldap threat-advisoryAndrey Apuhtin
 
srinu_resume_new
srinu_resume_newsrinu_resume_new
srinu_resume_newsrinivas rao
 
Efficient packet marking for large scale ip trace back(synopsis)
Efficient packet marking for large scale ip trace back(synopsis)Efficient packet marking for large scale ip trace back(synopsis)
Efficient packet marking for large scale ip trace back(synopsis)Mumbai Academisc
 
Lightweight C&C based botnet detection using Aho-Corasick NFA
Lightweight C&C based botnet detection using Aho-Corasick NFALightweight C&C based botnet detection using Aho-Corasick NFA
Lightweight C&C based botnet detection using Aho-Corasick NFAIJNSA Journal
 
A Review on various Security Attacks in Mobile Adhoc Network
A Review on various Security Attacks in Mobile Adhoc NetworkA Review on various Security Attacks in Mobile Adhoc Network
A Review on various Security Attacks in Mobile Adhoc NetworkIRJET Journal
 
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...Ijripublishers Ijri
 
An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...
An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...
An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...IDES Editor
 
Tbhf
TbhfTbhf
TbhfLijo George
 
Presentation1
Presentation1Presentation1
Presentation1Danesh Khandelwal
 
Distance bounding
Distance boundingDistance bounding
Distance boundingHarish Kumar
 
thesis
thesisthesis
thesisDan-Stefan Dragan
 
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring NSC 2014 HomePlugAV PLC: Practical attacks and backdooring
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring 📡 Sebastien Dudek
 

Weitere ähnliche Inhalte

Was ist angesagt?

internet applications
internet applications internet applications
internet applicationsSrinivasa Rao
 
Controlling ip spoofing through inter domain packet filters(synopsis)
Controlling ip spoofing through inter domain packet filters(synopsis)Controlling ip spoofing through inter domain packet filters(synopsis)
Controlling ip spoofing through inter domain packet filters(synopsis)Mumbai Academisc
 
Review of black hole and grey hole attack
Review of black hole and grey hole attackReview of black hole and grey hole attack
Review of black hole and grey hole attackijma
 
A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...
A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...
A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...ijdpsjournal
 
Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...
Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...
Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...IDES Editor
 
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-JM code group
 
AODV protocol and Black Hole attack
AODV protocol and Black Hole attackAODV protocol and Black Hole attack
AODV protocol and Black Hole attackRaj Sikarwar
 
Public Key Cryptosystem Approach for P2P Botnet Detection and Prevention
Public Key Cryptosystem Approach for P2P Botnet Detection and PreventionPublic Key Cryptosystem Approach for P2P Botnet Detection and Prevention
Public Key Cryptosystem Approach for P2P Botnet Detection and PreventionIJERA Editor
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...ijceronline
 
Efficient packet marking for large scale ip trace back(synopsis)
Efficient packet marking for large scale ip trace back(synopsis)Efficient packet marking for large scale ip trace back(synopsis)
Efficient packet marking for large scale ip trace back(synopsis)Mumbai Academisc
 
Lightweight C&C based botnet detection using Aho-Corasick NFA
Lightweight C&C based botnet detection using Aho-Corasick NFALightweight C&C based botnet detection using Aho-Corasick NFA
Lightweight C&C based botnet detection using Aho-Corasick NFAIJNSA Journal
 
A Review on various Security Attacks in Mobile Adhoc Network
A Review on various Security Attacks in Mobile Adhoc NetworkA Review on various Security Attacks in Mobile Adhoc Network
A Review on various Security Attacks in Mobile Adhoc NetworkIRJET Journal
 
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...Ijripublishers Ijri
 
An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...
An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...
An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...IDES Editor
 

Was ist angesagt? (20)

Firewalls (6)
Firewalls (6)Firewalls (6)
Firewalls (6)
 
internet applications
internet applications internet applications
internet applications
 
Controlling ip spoofing through inter domain packet filters(synopsis)
Controlling ip spoofing through inter domain packet filters(synopsis)Controlling ip spoofing through inter domain packet filters(synopsis)
Controlling ip spoofing through inter domain packet filters(synopsis)
 
Review of black hole and grey hole attack
Review of black hole and grey hole attackReview of black hole and grey hole attack
Review of black hole and grey hole attack
 
A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...
A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...
A Cluster based Technique for Securing Routing Protocol AODV against Black-ho...
 
Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...
Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...
Preventing Autonomous System against IP Source Address Spoofing: (PASIPS) A N...
 
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
전력 계통망에 있어서 보안일반 및 이슈와 기술 그리고 정책 방향-소셜 네트워크 서비스 등 차세대 기술 환경 맥락으로-
 
AODV protocol and Black Hole attack
AODV protocol and Black Hole attackAODV protocol and Black Hole attack
AODV protocol and Black Hole attack
 
Public Key Cryptosystem Approach for P2P Botnet Detection and Prevention
Public Key Cryptosystem Approach for P2P Botnet Detection and PreventionPublic Key Cryptosystem Approach for P2P Botnet Detection and Prevention
Public Key Cryptosystem Approach for P2P Botnet Detection and Prevention
 
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...IJCER (www.ijceronline.com) International Journal of computational Engineerin...
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
 
Cldap threat-advisory
Cldap threat-advisoryCldap threat-advisory
Cldap threat-advisory
 
srinu_resume_new
srinu_resume_newsrinu_resume_new
srinu_resume_new
 
Efficient packet marking for large scale ip trace back(synopsis)
Efficient packet marking for large scale ip trace back(synopsis)Efficient packet marking for large scale ip trace back(synopsis)
Efficient packet marking for large scale ip trace back(synopsis)
 
Lightweight C&C based botnet detection using Aho-Corasick NFA
Lightweight C&C based botnet detection using Aho-Corasick NFALightweight C&C based botnet detection using Aho-Corasick NFA
Lightweight C&C based botnet detection using Aho-Corasick NFA
 
A Review on various Security Attacks in Mobile Adhoc Network
A Review on various Security Attacks in Mobile Adhoc NetworkA Review on various Security Attacks in Mobile Adhoc Network
A Review on various Security Attacks in Mobile Adhoc Network
 
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...
Ijricit 01-001 pipt - path backscatter mechanism for unveiling real location ...
 
An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...
An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...
An Authentication Protocol for Mobile Devices Using Hyperelliptic Curve Crypt...
 
Tbhf
TbhfTbhf
Tbhf
 
Presentation1
Presentation1Presentation1
Presentation1
 
Distance bounding
Distance boundingDistance bounding
Distance bounding
 

Ähnlich wie Report on TCP vulnerabilities

NSC 2014 HomePlugAV PLC: Practical attacks and backdooring
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring NSC 2014 HomePlugAV PLC: Practical attacks and backdooring
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring 📡 Sebastien Dudek
 
Extending TFWC towards Higher Throughput
Extending TFWC towards Higher ThroughputExtending TFWC towards Higher Throughput
Extending TFWC towards Higher Throughputstucon
 
High_Speed_TCP_for_Large_Congestion_Windows.pdf
High_Speed_TCP_for_Large_Congestion_Windows.pdfHigh_Speed_TCP_for_Large_Congestion_Windows.pdf
High_Speed_TCP_for_Large_Congestion_Windows.pdfSHIKHAARYA26
 
High_Speed_TCP_for_Large_Congestion_Windows.pdf
High_Speed_TCP_for_Large_Congestion_Windows.pdfHigh_Speed_TCP_for_Large_Congestion_Windows.pdf
High_Speed_TCP_for_Large_Congestion_Windows.pdfSHIKHAARYA26
 
Evaluation of Real-Time Communication in IoT Services by WebRTC
Evaluation of Real-Time Communication in IoT Services by WebRTCEvaluation of Real-Time Communication in IoT Services by WebRTC
Evaluation of Real-Time Communication in IoT Services by WebRTCChandan Sarkar
 
Towards a Design Philosophy for Interoperable Blockchain Systems
Towards a Design Philosophy for Interoperable Blockchain SystemsTowards a Design Philosophy for Interoperable Blockchain Systems
Towards a Design Philosophy for Interoperable Blockchain Systemseraser Juan José Calderón
 
A Push-pull based Application Multicast Layer for P2P live video streaming.pdf
A Push-pull based Application Multicast Layer for P2P live video streaming.pdfA Push-pull based Application Multicast Layer for P2P live video streaming.pdf
A Push-pull based Application Multicast Layer for P2P live video streaming.pdfNuioKila
 
Improved kernel based port-knocking in linux
Improved kernel based port-knocking in linuxImproved kernel based port-knocking in linux
Improved kernel based port-knocking in linuxdinomasch
 
Networking principles protocols and practice
Networking principles protocols and practiceNetworking principles protocols and practice
Networking principles protocols and practiceDAVID RAUDALES
 
Thesis Statement On Digital Security
Thesis Statement On Digital SecurityThesis Statement On Digital Security
Thesis Statement On Digital SecurityLindsey Jones
 
Security And Privacy Issues Of Iots
Security And Privacy Issues Of IotsSecurity And Privacy Issues Of Iots
Security And Privacy Issues Of IotsSamantha Randall
 
Seminar Report on Quantum Key Distribution
Seminar Report on Quantum Key DistributionSeminar Report on Quantum Key Distribution
Seminar Report on Quantum Key DistributionShahrikh Khan
 
Secure and Smart IoT using Blockchain and AI
Secure and Smart IoT using Blockchain and AISecure and Smart IoT using Blockchain and AI
Secure and Smart IoT using Blockchain and AIAhmed Banafa
 
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdf
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdfcomparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdf
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdfteja61850
 

Ähnlich wie Report on TCP vulnerabilities (20)

thesis
thesisthesis
thesis
 
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring NSC 2014 HomePlugAV PLC: Practical attacks and backdooring
NSC 2014 HomePlugAV PLC: Practical attacks and backdooring
 
Extending TFWC towards Higher Throughput
Extending TFWC towards Higher ThroughputExtending TFWC towards Higher Throughput
Extending TFWC towards Higher Throughput
 
Report
ReportReport
Report
 
Fulltext02
Fulltext02Fulltext02
Fulltext02
 
High_Speed_TCP_for_Large_Congestion_Windows.pdf
High_Speed_TCP_for_Large_Congestion_Windows.pdfHigh_Speed_TCP_for_Large_Congestion_Windows.pdf
High_Speed_TCP_for_Large_Congestion_Windows.pdf
 
High_Speed_TCP_for_Large_Congestion_Windows.pdf
High_Speed_TCP_for_Large_Congestion_Windows.pdfHigh_Speed_TCP_for_Large_Congestion_Windows.pdf
High_Speed_TCP_for_Large_Congestion_Windows.pdf
 
Evaluation of Real-Time Communication in IoT Services by WebRTC
Evaluation of Real-Time Communication in IoT Services by WebRTCEvaluation of Real-Time Communication in IoT Services by WebRTC
Evaluation of Real-Time Communication in IoT Services by WebRTC
 
Towards a Design Philosophy for Interoperable Blockchain Systems
Towards a Design Philosophy for Interoperable Blockchain SystemsTowards a Design Philosophy for Interoperable Blockchain Systems
Towards a Design Philosophy for Interoperable Blockchain Systems
 
A Push-pull based Application Multicast Layer for P2P live video streaming.pdf
A Push-pull based Application Multicast Layer for P2P live video streaming.pdfA Push-pull based Application Multicast Layer for P2P live video streaming.pdf
A Push-pull based Application Multicast Layer for P2P live video streaming.pdf
 
Improved kernel based port-knocking in linux
Improved kernel based port-knocking in linuxImproved kernel based port-knocking in linux
Improved kernel based port-knocking in linux
 
Hafeez saad m_eng_2016
Hafeez saad m_eng_2016Hafeez saad m_eng_2016
Hafeez saad m_eng_2016
 
Networking principles protocols and practice
Networking principles protocols and practiceNetworking principles protocols and practice
Networking principles protocols and practice
 
Thesis Statement On Digital Security
Thesis Statement On Digital SecurityThesis Statement On Digital Security
Thesis Statement On Digital Security
 
Thesis
ThesisThesis
Thesis
 
Security And Privacy Issues Of Iots
Security And Privacy Issues Of IotsSecurity And Privacy Issues Of Iots
Security And Privacy Issues Of Iots
 
Seminar Report on Quantum Key Distribution
Seminar Report on Quantum Key DistributionSeminar Report on Quantum Key Distribution
Seminar Report on Quantum Key Distribution
 
Secure and Smart IoT using Blockchain and AI
Secure and Smart IoT using Blockchain and AISecure and Smart IoT using Blockchain and AI
Secure and Smart IoT using Blockchain and AI
 
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdf
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdfcomparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdf
comparison_of_scada_protocols_and_implementation_of_iec_104_and_mqtt.pdf
 
be_report - report
be_report - reportbe_report - report
be_report - report
 

Report on TCP vulnerabilities

  • 1. TCP Vulnerabilities and IP Spoofing: Current Challenges and Future Prospects Colloquium Report Submitted in Partial Fulfillment of the Requirements for the Degree of Masters of Technology Submitted by Prakhar Bansal Registration No. - 2011CS29 Computer Science and Engineering Department Motilal Nehru National Institute of Technology Allahabad, Allahabad -211004, India October 2012
  • 2. Contents 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 3 Related Research Work . . . . . . . . . . . . . . . . . . . . . . . . . 2 4 TCP Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.1 TCP Header . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.2 Establishing a TCP Connection . . . . . . . . . . . . . . . . 7 4.3 Closing a TCP Connection . . . . . . . . . . . . . . . . . . . 7 4.4 SYN Flooding Attack . . . . . . . . . . . . . . . . . . . . . . 8 5 ARP Cache Poisoning Attack . . . . . . . . . . . . . . . . . . . . . 12 5.1 ARP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5.2 Theory of Operation . . . . . . . . . . . . . . . . . . . . . . 14 5.3 Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . 14 6 LOT: Light-weight Opportunistic Plug and Play Secure Tunneling Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 6.1 Communication Model . . . . . . . . . . . . . . . . . . . . . 16 6.2 Handshake among Gateways . . . . . . . . . . . . . . . . . . 18 6.3 LOT Packet Structure . . . . . . . . . . . . . . . . . . . . . 21 7 Observation and Discussion . . . . . . . . . . . . . . . . . . . . . . 21 7.1 Redefinition of TCP Three-way Handshake . . . . . . . . . . 21 7.2 Redefinition of ARP Protocol . . . . . . . . . . . . . . . . . 24 8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Bibliography 27 1
  • 3. List of Figures 1 TCP header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 2 Three-way handshake . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3 Sequence states of client side TCP . . . . . . . . . . . . . . . . . . . 9 4 Sequence states of server side TCP . . . . . . . . . . . . . . . . . . 9 5 ARP header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 6 Huang solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 7 LOT communication model . . . . . . . . . . . . . . . . . . . . . . 17 8 Phase 1: hello phase . . . . . . . . . . . . . . . . . . . . . . . . . . 19 9 Phase 1: network block validation phase . . . . . . . . . . . . . . . 20 10 Redefinition of TCP three-way handshake . . . . . . . . . . . . . . 22 11 Redefinition of TCP three-way handshake . . . . . . . . . . . . . . 23 12 Redefinition of ARP protocol . . . . . . . . . . . . . . . . . . . . . 24 2
  • 4. Abstract With the invent of computer systems, the need of communication becomes essential. Standard communication protocols are developed to provide communi- cation over computer networks. Protocols are predefined formal systematic rules required for an effective communication. Billions of people are interconnected with Internet via these protocols. But what if these protocols are themselves vulnerable to various types of attacks. Attacks from hacktivist groups like ‘Anonymous’ are increasing day by day. Moreover the arsenal of hacking groups is growing rapidly. Today the attacks are more dangerous and concentrated, packets/second rate has been increased and attacks are more distributed [1]. There is also a significant growth in frequency of attacks mainly distributed denial of service attacks (DDoS attacks) and IP spoofing attacks. There is 50% increase in DDoS attacks in the first quarter of 2012 in comparison to same quarter last year [2]. According to Norton cybercrime report 2012, cybercrime costs $110 billion globally out of which $8 billion to India [3]. Today all countries are spending huge percentage of their GDP to improve cyber security. In this fiscal year 2012-13, India spent 37.7 crores on cyber security [4]. United States has proposed $800 million for cyber security in next 2013 fiscal budget [4]. Attackers are able to perform cyber attacks due to vulnerabilities in existing protocol structure. If we focus on these protocols then need of government spend- ing on cyber security would be less. This report focuses on vulnerabilities in protocols, mainly Transmission Con- trol Protocol (TCP) and Address Resolution Protocol (ARP), exploiting probable attacks and there counter measures. At last report discusses LOT, light weight opportunistic plug and play secure tunneling protocol to be deployed at network gateways in order to defend against IP spoofing and flooding attacks.
  • 5. 1 Introduction Cyber security is becoming a major challenge to today's computing world. Ac- cording to ‘Norton cybercrime report 2012’, there are 556 million victims/year, 1.5+ million victims/day and 18 victims/second affected by cybercrime. 2 out of 3 on-line adults have been victim of cybercrime in their lifetime. The global price tag of cybercrime has reached up to $110 billions, $197 average cost/victim. cyber- crime costs USA $21 billion, $46 billion to China, $8 billion to Brazil, $2 billion to Russia, Australia and Mexico each, and $8 billion to India. More than 42 million people in India have been victimized by cybercrime in last 12 months [3]. Accord- ing to BBC report, UK businesses lose around £21 billion a year to cybercrime [5]. According to report published by international research scientists from University of Cambridge, ‘Measuring the cost of cybercrime’ on 18 June, 2012, government should spend more on policing the Internet rather than spending on security and catching cyber criminals [6]. Recent attacks are more sophisticated and distributed in nature. Websites for Department of Justice and the FBI were attacked by Anonymous on Jan 19, 2012 in response to the shut down of the file sharing website Megaupload and bill Stop Online Piracy Act (SOPA). Anonymous used “Low Orbit Ion Cannon”(LOIC) to attack supporters of SOPA on January 19, 2012. Group claimed this to be their largest attack with over 5,635 people participating in the DDoS attack via LOIC [anonymous archives]. Attacks that exploits TCP vulnerabilities exceeds in large number in past. Anonymous attacks on facebook on October 12, 2012, which leads facebook to shutdown in Europe. Group also attacks on many Indian websites including website for supreme court of India and other national political parties in response to Internet censorship. May be their intention is right, but this exploits how vulnerable our protocols are. Transmission Control Protocol (TCP) is an end-to-end, connection oriented, reliable transport layer protocol. TCP is designed to support multiple network applications and provides reliable interprocess communication between processes in host computers in interconnected computer networks. Cerf and Kahn, firstly describes the concepts of TCP [7]. But TCP and many other protocols are vul- nerable to attacks leading billions of people on stake. Virtually all applications use the concepts of TCP and are therefore on risk. Researches are still going on security problems of core protocols [8]. 1
  • 6. 2 Problem Statement To design a reliable, scalable and secure network. The network which no one can spoof, no one can flood and no one can hack. The need of secure, scalable and reliable communication network becomes very important today. The network which no one can spoof, no one can flood or no one can hack is very big challenge. Leon Panetta, Defense Secretary, USA said that next 9/11 attacks could be cyber attacks on 12th October, 2012. Protocol vulnerabilities is one of the long standing major challenge in network communication. Recent report from Prolexic states that their is a 88 % increase in attacks since last year [9]. The attacks from groups like ‘Anonymous’ are increasing day by day. Although intention of anonymous may seem to be good but their way to make our network down is wrong. These attacks shows that how vulnerable our network protocols are. The focus of this report is to study the vulnerabilities in TCP and ARP protocol and to discuss a solution suggested by Yossi Gilad and Amir Hergberg to install LOT protocol on network gateways. 3 Related Research Work TCP is based on concepts firstly described by Cerf and Kahn [7]. In September 1981, Defense Advanced Research Projects Agency (DARPA) proposed Transmis- sion Control Protocol as a transport layer protocol in RFC 793 which standardizes the basic mechanism and policies of TCP. RFC 1122 provides clarifications and errata for the original [8]. RFC 4987 published on August 2007 contains the discussion on TCP SYN flooding attacks [10]. In 1994 Bill Cheswick and Steve Bellovin [bellovin 94] dis- covered the weaknesses in TCP implementations [11]. SYN flooding attack are firstly highlighted in Phrack magazine in 1996 [12]. Kevin Mitnick, exploits DDoS attack known as Mitnick-Shimomura attack firstly [13]. In February 2000, mafiaboy, 15 years old Michael launched ‘Project Rivolta’, which took down the websites of four giants yahoo, CNN, ebay, dell and amazon, and threatens the entire world about TCP SYN flooding attacks. In april 1989, article entitled ‘Security problems in the TCP/IP protocol suite’ by S.M. Bellovin, AT & T Bell Labs, exploits various vulnerabilities in TCP [14]. 2
  • 7. In 2002, Lemon proposed ‘syn-cache’ approach which aims to reduce amount of state information maintained for connections in the SYN-RECEIVED state, and allocates full Transmission Control Block (TCB), data structure usually in kernel which is used to store all the information related to TCP connection [7], only after connection has transited to ESTABLISHED state [15]. In 1996, Bernstein proposed ‘syn-cookie’ approach which eliminates the need of maintaining state information at server side in SYN-RECEIVED state. It uses the encrypted cookie based on information of client in establishing the three-way handshake [16]. In 2002, Zquete describes mechanism for improving the functionality of SYN cookies [17]. Ingress filtering is proposed in RFC 2267 to stop IP spoofing and related work is done by Baker and Savola in 2004 [18]. Ingress filtering technique ensures that packets that are coming are originated from same network from which they claimed [18]. However, Beverly and Bauer in 2005 found that lack of ingress filtering on ISP’s are still quite common [19]. F. Gont proposed the minor extensions in TCP in his draft, ‘Survey of Security Hardening Methods for Transmission Control Protocol (TCP) Implementations’, published on March 13, 2012 [8]. Yanyan Li and Keyu Jiang, in paper, ‘Prospect for the future Internet – A study based on TCP/IP vulnerabilities’, discusses ARP cache poisoning and SYN flooding attack [20]. S. Gavaskar, R. Surendiran and E. Ramaraj proposed Three Counters Algo- rithm in 2010 [21] for SYN flooding attacks. Dommetry in 2000 proposed tunneling protocol mechanisms [22]. Savage, Snorean and Dean suggests packet marking techniques in early 2000’s [23]. Yossi Gilad and Amir Herzberg from Bar-Ilan university presented LOT, a lightweight opportunistic plug and play secure tunneling protocol to be deployed at network gateways. Tunnels are formed when LOT is installed on gateways. LOT tunnels allow allows gateways to discard packets that are spoofed IP addresses. LOT helps to mitigate attacks such as DNS poisoning, network scans, flooding attacks and denial of service (dos) attacks [24]. 3
  • 8. 4 TCP Vulnerabilities Transmission Control Protocol (TCP) is deployed as a standard interprocess com- munication among the communicating hosts in the networks. TCP is described in RFC 793 [7]. TCP is a connection- oriented, end-to-end reliable protocol de- signed support communication between pairs of processes in distinct host comput- ers which are interconnected via communication network. From the day it was proposed and till date, it was updated, modified via several RFCs and drafts but still it is vulnerable to various network attacks. During the last thirty years many vulnerabilities have been identified in TCP protocol implementations, which is the core platform for most of the current ap- plications [14]. TCP has been gone through levels of modifications, it is being updated and modified from time to time, but still it is vulnerable to several at- tacks. 4.1 TCP Header TCP segments are sent as internet datagrams. TCP header follows IP header and contains information only for TCP protocol. IP header carries information about source and destination host addresses. The minimum TCP header size should be 20 bytes with no options and no data. segment.size >= 20 If a segmment doesn’t pass this check, it will be eventually dropped. • Source Port Number: 16-bit source port address. • Destination Port Number: 16-bit destination port address. Researches [25] has shown that port numbers on the server and client must be distinct. For the client to communicate they must know the server port number, so the server port number is actually open. • Sequence Number: 32-bit number. If SYN bit is not set, sequence number of the first data octet in the segment. If SYN bit is set, sequence number is initial sequence number (ISN) and first data octet is ISN+1. 4
  • 9. Figure 1: TCP header [7] Attackers can exploit various attacks via predicting sequence numbers. Mor- ris in 1985 was first to descricbe sequence number prediction attacks. 1995, Kevin Mitnick attack on Shimomura exploits this vulnerability. RFC 6528 entitled ‘Defending against sequence number attacks’ discusses this in great detail [26]. • Acknowledgement Number: 32-bit number. If ACK bit is set, acknowledgement number is sequence number of next seg- ment which sender of acknowledgement is expecting. • Data Offset: 4-bit number, indicates where data begins in TCP header. • Reserved: 3-bits reserved for future needs. These bits must be 0. • Control bits: 8-bits. The combinations of control bits can cause malfunc- tion of some implementations. Sometimes any unusual combination can lead system to crash [27] [28]. – NS bit: Nonce Sum, is an optional addition to Explicit Congestion Noti- fication (ECN) that protects against accidental or malicious concealment 5
  • 10. of marked packets from the TCP sender. It improves the robustness of congestion control by preventing receivers from exploiting ECN to gain an unfair share of network bandwidth. It is defined in RFC 3540 [29]. – CWR bit: via Congestion Window Reduced (CWR) flag, data sender can inform the data receiver that the congestion window has been re- duced. It is defined in RFC 3168 and studied by Ramakrishnan [30]. – ECE bit: via an ECN-Echo (ECE) flag, data receiver can inform the data sender when a CE, Congestion Experienced (CE) packet has been received. Explicit Congestion Notification (ECN) is a addition in IP suggested in RFC 3168. [30] – URG bit: Urgent Pointer field significant. SIGURG is deliverd to corresponding process. – ACK bit: Acknowledgment field significant – PSH bit: Push bit, indicates that receiver should pass the data to the upper layer as soon as it reads PUSH bit is set. – RST bit: is used to request the abnormal close of a TCP connection. – SYN bit: is used for synchronization of sequence numbers in 3-way handshake procedure. Four different types of vulnerabilities can exploit use of SYN bit: SYN-flooding attacks, connection forging attacks, connection flooding attacks, and connection reset attacks. – FIN bit: is used for connection termination. It generates the signal to remote host indicating end of data transfer from generating side. Various resource exhaustion attacks can be done in connection termination phase of TCP. • Window Size: 16-bit number, advertises how many bytes of data the remote peer is allowed to send before a new advertisement is made. • Checksum: The checksum field is the 16 bit one’s complement of the one’s complement sum of all 16 bit words in the header and text. Segments with invalid checksum, if flooded on host computer could not cre- ate state information at the firewall. [31] describes the exploitation of TCP checksum for performing firewall evasion and DoS attacks. 6
  • 11. • Urgent Pointer: 16-bit field. tells the current value of the urgent pointer as a positive offset from the sequence number in this segment. The urgent pointer points to the sequence number of the octet following the urgent data. This field is only be interpreted in segments with the URG control bit set [7]. [32] originally describes TCP urgent pointer could be exploited for DoS attacks, which are dangerous enough to lead the system crash. • Options: These are of variable length. Options may lie in the end of TCP header. • Padding: These are of variable length. Paddings are composed of zeros embedded to ensure the boundary between header and data. • Data: The usable data which hosts actually wants to communicate. 4.2 Establishing a TCP Connection The process on client host which wants to send data to server host which is on some communication network first inform the client TCP. Server must be in LISTEN state at some known port on some host whose address also must be known. The three-way handshake procedure is used for establishing the connection. 4.3 Closing a TCP Connection TCP connection can be terminated in three cases: • Local user initiates by telling its TCP to close the connection. Local user creates FIN segment and place it on outgoing segment queue. Now, TCP accepts no further sends. and enters in FIN-WAIT-1 state. How- ever, receives are allowed in this state. All segments sent before FIN will be retransmitted until acknowledged. When another TCP sends the FIN of its own, first TCP acknowledge it. TCBs will be deleted by both the TCPs. • Remote TCP initiates by sending a control signal FIN. TCP can receive a FIN segment from remote network, receiving TCP ac- knowledge it. State is transited to CLOSE-WAIT. Local user after finishing its own data to be sent, send FIN and TLBs will be deleted after receiving ACK of FIN. 7
  • 12. Figure 2: Three-way handshake • Both users close simultaneously. Both users send FIN segment at the same time. When all the data segments preceding these segments are processed and acknowledged, both TCP send ACK of FIN they received. On receiving these ACKs, both delete TCBs. 4.4 SYN Flooding Attack 4.4.1 Theory of Operation Bill Cheswick and Steve Bellovin in 1994 discovered TCP SYN flooding vulner- ability [11] [10]. Kevin Mitnick's Shimomura attack [13] in 1995 and attacks on ISP's mail servers in 1996 caused TCP SYN flooding well known [10]. TCP uses ‘three-way handshake’ for connection establishment between two 8
  • 13. Figure 3: Sequence states of client side TCP [7] 9 Figure 4: Sequence states of server side TCP [7]
  • 14. distinct computing systems. According to RFC 793 [7], server side TCP that is in LISTEN state, when receives a SYN segment from client side TCP, it would be transited to SYN-RECEIVED state. It must maintain the record of initial sequence number (ISN) of client and other information in the Transmission control block (TCB), and respond to client with SYN and ACK [7]. TCB is the data structure within the kernel of system used to store all information corresponding to TCP connection [7]. SYN flooding attack is to exhaust the memory at attacked system by sending large number of SYN requests with spoofed IP addresses so that real users can not access the server [8]. Large number of SYN segments from forged IP addresses exhaust the memory needed for storing TCBs. The main point is that attacker don’t want to establish the three-way handshake at all. He will use forged source IP address for SYN segments typically, concealing his own IP address. Server sends back acknowledgement and its own SYN segment telling its own ISN in response of SYN segment generated by attacker. If the forged IP address corresponds to some reachable system then this reachable system responds with RST segment which cause the connection to abort because its states are different. However, if forged IP address is unreachable no reply will come and server will keep sending SYN/ACK segment for each request until timeout occurs and connection aborts. The success of SYN flooding attack also lies on three things: [10] • Barrage Size Barrage size must be large enough to lead the port queue full and reach the backlog. Backlog is number of connections pending in half-open state. • Frequency For a effective SYN flooding attacks new SYN segments must needs to be send before TCBs of previous segments began to reclaimed. • IP Addresses The success of SYN flooding attack lies in unreachable and large set of IP addresses called ‘Botnet’. Attackers usually ping the IP addresses before using them for attack via sending ICMP echo request and if ICMP echo response come back, then that IP will not be used to perform attack. 10
  • 15. 4.4.2 Countermeasures • Filtering Ingress filtering defined in RFC 2267 is suggested for preventing attacker to use set of wide range of forged IP addresses [18]. Ingress filtering ensures that the packet arrives from the same network from which it claims to be. This is the best way without needing any modification in TCP. • Increasing Backlog Increasing the backlog implies increasing the capacity to hold number of half-open connections is an easy way to deal with SYN flooding attack. But Lemon has shown that this can have serious negative affect on the system state as generally data structures and algorithms are inefficient to deal with increased backlog [15]. This is needed to be note here that experiments with increased backlog with efficient data structures and algorithms are not studied yet [10]. • Reducing SYN-RECEIVED Timer Reducing the SYN-RECEIVED timer leads to claim the TCBs early. How- ever, this may leads some legitimate users not to create connection. • Recycling the Oldest Half-Open TCB This implies that once the entire backlog is exhausted, incoming SYNs over- write the oldest half-open TCB entry. But this may lead to disconnect pre- viously established legitimate connections. • SYN Cache SYN cache approach reduces amount of state information maintained for connections in the SYN-RECEIVED states and allocates full Transmission control block (TCB) only after the connection has been transited to the ESTABLISHED state. Hosts implementing a SYN cache have some secret bits that they select from incoming SYN segments. The secret bits are hashed along with the IP addresses and TCP ports of the segment, and the hash value determines the location in a global hash table where the incomplete TCB is stored. There is a limit for each hash value, and when this limit is reached, the oldest entry is dropped [16]. • SYN Cookies 11
  • 16. SYN cookies allocates no state at all for connections in SYN-RECEIVED state. This technique encodes most of the information required to complete the three-way handshake into the sequence number of SYN/ACK segment transmitted. Thus no TCB reserved at site. If SYN was not spoofed, then the acknowledgement number and other fields in ACK that completes handshake used and put into the TCB [15]. Drawbacks: – It provides the limited number of space in the sequence number field and it is very difficult to encode all the information in initial segment. for ex; support for selective acknowledgement (SACK). – If the SYN/ACK segment sent is lost then normal TCP will retransmit it after timeout as their is a state information at site, but if SYN cookies are enabled there will be no state and re-transmission is impossible. – Yanyan Li and Keyu Jiang [20] suggests one more drawback that is ACK flooding attack. 5 ARP Cache Poisoning Attack 5.1 ARP Protocol The Address Resolution Protocol (ARP) was originally published in RFC 826 by David C. Plummer from MIT in 1982 [33]. To communicate with the host on a network we must know the 48-bit ethernet address (MAC address) of the host. ARP protocol maps network addresses (IP) to ethernet addresses (MAC). Host which wants to know the physical address of target host, broadcasts ARP request on the network. ARP request actually asks ‘any one who has this IP address, reply with your MAC address’. The host with the given IP unicast ARP reply. The request generating host caches the <IP, MAC> pairing in its ARP table. ARP cache is a data structure for storing IP addresses with corresponding MAC addresses. ARP cache entries expires after some time (in most implementations 20 minutes). 12
  • 17. Figure 5: ARP header [33] 13
  • 18. 5.2 Theory of Operation ARP protocol is a stateless protocol. When an ARP reply is received, the host updates its ARP cache even if the host had not issued a corresponding ARP request. It means ARP reply is not needed to be authenticated. Most important point is that this false ARP reply is reflected in ARP cache as soon as host receives it. However, some implementations check that whether ARP table has some entry for this IP address before or not. Once the host updates its ARP table, the attacker also gets the packets intended for some other system. 5.3 Countermeasures • Huang T. and Bai G. in 2008 in their paper, ‘Method against ARP spoof- ing based in improved protocol mechanism’ suggests state in ARP protocol. When the ARP request is sent the state of the the ARP protocol changes to REQUEST-SENT from INITIAL with a timer activated. When ARP reply comes the state of the ARP changes to RESPONSE-RECEIVED and then the cache is updated. If reply doesn't arrives and times out then, it backs to INITIAL state [34]. Figure 6: Huang solution [34] DISCUSSION: This procedure will prevent host from ARP spoofing through instantaneous ARP reply. However, when host is in REQUEST-SENT state, it is vulnerable to attacks. • Some firewall and router manufactures have procedure in their products to detect the ARP spoofing attacks and tell the user but its not enough. soft- 14
  • 19. wares like arp-guard are in market to recognize changes in the ARP tables and send these changes to the management system. arp-guard system analyzes and processes the sensor network messages [35]. • Vipul Roy and Rohit Tripathi in 2005 suggests the use of combinations of dig- ital signatures and one-time passwords based on hash chains [36]. However, use of cryptography makes this complex. • Seung Yeob Nam in 2010 proposed voting-based resolution mechanism to prevent ARP attacks. This suggests host before updating its own table, firstly asks other neighboring hosts about the MAC address of respective host in their ARP table [7]. 6 LOT: Light-weight Opportunistic Plug and Play Secure Tunneling Protocol According to latest Prolexic Quarterly Global DDoS Attack Report, Quarter 3, 2012, there is a significant increase of 88 % in total number of Distributed Denial of Service (DDoS) attacks in comparison from last year. The duration of attack is also tremendously increased to 33 hours from 19 hours. Also, there is 230 % increase in average attack bandwidth in comparison to last year. China remains at number 1 attack originating country with total 68.08 % of whole share and 8973 autonomous system network [9]. Hacking activist group ‘Anonymous’ attacks are also increased significantly from the past few years. This shows the weaknesses in the architecture of our network. LOT is a light-weight opportunistic plug and play secure tunneling protocol for secure and forging free communication. LOT is needed to be installed at communi- cating network gateways. Once installed one gateway would establish an efficient tunnel for secure communication with another gateway. Another participating gateway will be detected automatically [24]. LOT tunnels provides efficient solution for IP spoofing and discards packets that are originated from forged IP addresses. Thus this makes network free from denial of service and flooding attacks. LOT gateways implements local and remote quotas for particular network. In 15
  • 20. this way it prevents from packet floods from specific network. Moreover attack originated network would be hindered itself. Furthermore, LOT uses near source filtering, which allows gateways more specifically LOT gateways to block certain types of packets permanently or tem- porarily. This can be done by manual or automatic configuration based on some learning mechanism (if congestion is greater than certain limit and it is due to large number of SYN segments, let them not allow to come). This prevents from network scans and attacks like DNS reflection. LOT has congestion detection mechanism between gateways. If a packet drop rate is higher in between tunnels then there might be congestion in the network. We can take appropriate action afterwards. This helps mitigating denial of service attacks. RFC 2267, suggests the use of ingress filtering by all the ISPs in the world. Ingress filtering enables us to check whether the packet comes from same network from which it claims to be from [18]. Advanced Network Architecture Group does a survey in 2011, according to this most of the ISPs have not yet installed ingress filtering mostly in developing countries. Lack of ingress filtering support and IP spoofing is very high. LOT installed gateway adds a pseudo random tag to each packet it sent to other LOT gateway. Another communicating gateway discards the packet without the tag or if mismatch occurs. It indicates that it is not originated from the same network block from which it pretends to be. Thus LOT prevents us from forged packets and defends against many denial of service attacks. LOT is practical, requires no coordination between gateways, plug and play protocol [24]. The code prototype is available online at url: ‘http://lighttunneling.sourceforge.net’. 6.1 Communication Model As RFC 791 ’Internet Protocol’ by Jon Postel in September 1981 tells IP address has address space {0, 1}32 [37], LOT protocol states that every entity in network has address space S of {0, 1}l . Each d ∈ S is an address. Network block address space B, where B ⊆ S, is in address space of S if, ∃P, a prefix, P∈ {0, 1}l , l’<l and ∀d, if d ∈ B, then it also holds d ∈ S and d has a prefix P. It is similar to CIDR notation [24]. 16
  • 21. Network entities are either LOT gateways or hosts behind the network blocks. Each and every entity e is associated with a single network block N B(e) ⊆ S. Any host must belong to single address and must belong to network block |N B(h) = 1|. Figure 7: LOT communication model [24] Two network entities e1 and e2 are said to be peer iff, • N B(e1 ) ⊂ N B(e2 ) and N B(e1 ) N B(G) N B(e2 ) means, for eg; entities A, C are peers. • N B(e2 ) N B(e1 ), N B(e1 ) N B(e2 ) and N B(e1 ) N B(G) or N B(e2 ) N B(G) for eg; entities F, G and A, D are peers. Network entities send and receive messages via source address ‘src’ and desti- nation address dst. When a message is sent from source ‘src’ towards destination ‘dst’, it reaches to next peer entity e.next(dst) and so on till it reaches to destina- tion. 17
  • 22. 6.2 Handshake among Gateways LOT uses stateless handshake procedure for establishment of tunnel between gate- ways. If there are more than one gateways between two network blocks, individual tunnel is established between them and for each LOT tunnel it is required to handshake first. Handshake between two gateways consists of two phases: • Hello Phase: Once gateway find another gateway it checks the potential to establish a LOT tunnel. Gateway identifies the network block behind gateway. • Network Block Validation: Network block is behind the gateway. In this phase each gateway has to prove that it can intercept packets sent to network block behind it. After handshake gateway receives a proof from other gateway that validation is done successfully and tunnel is established. 6.2.1 Hello Phase Let’s take two gateways, hosts in network blocks associated to them wants to communicates. Gateway A forwards any arbitrary packet from host A behind it, to host B which belongs to some network block which is not associated with gateway A, say gateway B. This triggers LOT on originating gateway. Gateway begins handshake by sending hello message to host B. This message is intercepted by another gateway on the network, gateway B and it responds. To reduce the possibility of LOT overhead, Hello requests are sent with very low probability. Hello request consists of current time, description of network block behind gateway and a cryptographic cookie - cookie A, generated by gateway A. Cookie is generated by pseudo-random function computed over ‘destination address’ and ‘current time’. Network block belongs to some address space {0, 1}l . A network block is described by (baseaddr,l). When gateway B intercepts hello request, it sends reply with possibility q ≈ 1. Hello response generated by gateway B contains description of network block associated, cookie A and time A. The hello reply is authenticated by gateway A's cookie. 18
  • 23. Figure 8: Phase 1: hello phase [24] Cookie A sent back in response allows gateway A to keep no state and rest state- less. This stateless approach make sure that no resources are allocated at sender side makes it free from resource exhaustion attacks, like in three-way handshake it may occur [7]. 6.2.2 Network Block Validation Network block is validated by gateway, say gateway A to ensure that whether other gateway , say gateway B can intercept the traffic sent corresponding to its network block. Validation process is done in several iterations, each iteration validates one host selected randomly on the network block. However for the sake of reducing overhead, protocol validates only a portion of the addresses and not the entire network block. The most important benefit here is that it maintains no state at sending side when validating a network block and also it send at most a single packet in response for every packet received. This prevents it from DoS attacks. 19
  • 24. Figure 9: Phase 1: network block validation phase [24] Design: Each gateway knows network blocks associated with other gateways. Gateways is network validation phase must be agreed on n, number of iterations. To deal with the possibility of DoS attacks the global constant on maximum iterations is set as nmax . Each gateway sends one packet to a random address from target network block. Since there could be at most 2 ∗ nmax packets that can be sent out in nmax iterations. This creates limit on number of packets that can be sent. To avoid network load problem to initiates handshake, handshakes are initiated with probability 1/2nmax . The packet contains a random cookie as challenge, if gateway corresponds to same network block it can intercept the packet otherwise not. Pseudo-random based function is used to derive destination address and cookie. Response of previous challenge is included in the next challenge. When gateway receives a challenge intercepts a challenge it checks its own cookie by reconstructing it on its site. In order to reconstruct gateway uses its secret key and the parameters used 20
  • 25. to create the cookie, extracted from response such as time. After gateway successfully checks the validity of the response, it chooses a new random destination address in remote network and sends a new challenge. In order to get validated the new challenge, gateway also echoes previous cookie and time, iteration number i and maximum number of iterations agreed upon. This process of challenge and response is repeated n times. 6.3 LOT Packet Structure In order to encapsulates LOT in a packet, there is a significant modification in IP header and data. Some of the major changes in original packets are as follows: • IP flags: DF and MF flags are always unset in IP Header as LOT does not allow packet fragmentation within the LOT tunnel. • Protocol Type (Transport Layer Protocol): To indicate that the packet is encapsulated using LOT, this field is modified. LOT gateways can pass not only encapsulated packet but also non-encapsulated packet. • LOT Header: A LOT header is attached with the packet. The most signif- icant bit of LOT header is outgoing periodic tag. Field for reconstruction of the original packet including IP flags and transport protocol. Field that allow receiving-end gateway to reconstruct the session key. 7 Observation and Discussion 7.1 Redefinition of TCP Three-way Handshake While studying TCP protocol, I observed few things in three-way handshake. These things are as follows: • The success of flooding attacks depends on frequency of SYN segments reach- ing at server side. Neither increasing backlog nor shortening acknowledge- ment waiting time at receiver side, will work as these could resist original user to establish a connection. 21
  • 26. Figure 10: Redefinition of TCP three-way handshake Attackers usually send SYN flood messages from set of unreachable IPs. If IPs are reachable then that system will reply with RST segment and connection will be aborted. If the backlog is filling fast, why not we firstly ping the client before sending any reply. Pinging will ensure the IPs are atleast some existing system and not wasting our resources. So, I suggest to start pinging the IPs if the backlog is filling fast. We can set some threshold for it. • The SYN-cookie mechanism can be further improved so that there would be no need for maintaining state and allocating the memory. Hence, there is no need of TCBs. Client sends ‘SY N ’ to server. Server reply with ‘SY N/ACK/cookieserver ’. Server generates its cookie cookieserver via client IP address, port address and client request time and current time at server. Once it reaches to client, client accepts segment and send ‘ACK/cookieclient /cookieserver ’ to server. Server authenticates its cookie and validates client. All communication is done like this, no need maintaining any state. 22
  • 27. Figure 11: Redefinition of TCP three-way handshake 23
  • 28. • When there occurs a time-out when SYN/ACK is lost. Client should send the SYN packet again after time-out. Now, server treats it as a brand new request and creates a new cookie based on client details. • In Linux, SYN-cookie mechanism is disabled by default but it can be en- abled via changing value of variable sysctl.net.ipv4.tcp_syncookie to 1, in /etc/sysctl.conf file. 7.2 Redefinition of ARP Protocol ARP is a stateless protocol. It maintains no state of ARP queries and replies. The problem with ARP protocol is that it accepts any ARP reply and updates its ARP table as soon as any ARP reply received. Figure 12: Redefinition of ARP protocol • The probable solution of this problem is to maintain a new data-structure along with existing ARP table. This data-structure is a dynamic list which records all the ARP requests we send. 24
  • 29. When a ARP reply came, before making any changes to ARP table we can check this list of outstanding requests. If we have sent any corresponding request asking MAC address for this IP, then we will confirm this ARP reply by asking few neighbors. According to their response we can decide whether to add it or not in ARP table. • We can furthermore improve ARP protocol via originating Reverse Address Resolution Protocol (RARP) for the MAC address comes in ARP response. If only one reply came and it matches its fine. But if more than one reply came, more than one IPs then there is something wrong and response can be discarded. But this can discard real user too. 8 Conclusion Recent network attacks has shown how vulnerable our networks are. Flooding, IP spoofing, cache poisoning attacks and denial of service attacks are becoming a significant threat. There is a tremendous increase in percentage of attacks from past few years. The duration of attacks is also increased significantly. The band- width of attack is also increased. It means this is becoming a serious challenge to mitigate these. Ingress filtering was suggested but not yet completely implemented by all ISPs. TCP SYN cache is good for reducing TCP SYN flooding attacks but it is very com- plex due to cryptographic implementations. It requires to maintain some state. TCP cookies can not retransmit the packet if it is lost as there is no state infor- mation. Huang suggestion for maintaining the state in ARP, somewhat good but still vulnerable. LOT protocol is best but it requires LOT protocol to be installed on mostly gateways on network. All gateways shares a secret key first through vulnerable network, this can be dangerous. LOT tunnels cannot pass over Network Address Translators (NATs). However NAT devices do not prevent LOT. It means on NAT tunnels will be formed to and from the NAT device. Now, the world is changing. The face of network communication is changing rapidly. Now use of smart-phones and embedded systems is increasing rapidly. Now, transactions are now done on smartphones. Smartphones technology is not yet matured. Cloud computing and mobile computing are attackers future targets. 25
  • 30. Security in cloud computing is still a major issue. There is a need of reliable, scalable and fault-tolerant clouds both on system and mobile. Protocols are not much sophisticated and thus vulnerable to attacks. The research in developing sophisticated network protocols and applications is still very important area. So, the field is full of challenges and thrust for future research. 26
  • 31. Bibliography [1] “Prolexic Quarterly Global DDoS Attack Report,” Quater 4, 2011. [2] “Prolexic Quarterly Global DDoS Attack Report,” Quarter 1, 2012. [3] “2012 Norton Cybersecurity Report,” [4] Department of Information Technology in http://www.indiabudget.nic.in, Ministry of Communications and Information Technology, 2012-13. [5] “Government to warn businesses about cyber crime threat,” BBC, 5 september 2012. [6] Ross Anderson and Chris Bardon, “Measuring the cost of cybercrime,” [7] Postel, J, “Transmission Control Protocol, RFC 793,” Defense Advanced Research Projects Agency, September, 1981. [8] F. Gont, “Survey of Security Hardening Methods for Transmission Control Protocol (TCP) Implementations,” Internet Draft, March 2012. [9] “Prolexic Quarterly Global DDoS Attack Report,” Quarter 3, 2012. [10] Eddy, W, “TCP SYN Flooding Attacks and Common Mitigations, RFC 4987,” Net- work Working Group, August, 2007. [11] Bennahum, D, “PANIX ATTACK,” [12] daemon9, route, and infinity, “Project Neptune,” vol. 7, , July, 1996. [13] Shimomura, T. , “Technical details of the attack described by Markoff in NYT,” in http://www.gont.com.ar/docs/post-shimomura-usenet.txt, Message posted in USENETs comp.security.misc newsgroup, 1995. 27
  • 32. [14] S. M. Bellovin , “Security problems in the TCP/IP protocol suite,” vol. 19, ACM SIGCOMM Computer Communication, April, 1989. [15] Lemon, “SYN cookies,” in http://cr.yp.to/syncookies.html, read on 5 October, 2012. [16] Bernstein, D., “Resisting SYN flood DoS attacks with a SYN cache,” Proceedings of the BSDCon 2002 Conference, 2002. [17] Zquete, A., “Improving the functionality of SYN cookies,” 6th IFIP Communications and Multimedia Security Conference (CMS 2002), 2002. [18] P. Ferguson, “Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing,” RFC 2267, January 1998. [19] Beverly, R and Bauer, S., “The Spoofer Project: Inferring the extent of source address filtering on the Internet,” Proceedings of Steps to Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2005. [20] Li, Yanyan and Keyu Jiang, “Prospect of the Future Internet – A Study Based on TCP/IP vulnerabilities,” IEEE International Conference on Computing, Measure- menrt, Control and Sensor Network, 2012. [21] S.Gavaskar, R.Surendiran and Dr.E.Ramaraj, “ Three Counter Defense Mechanism for TCP SYN Flooding Attacks,” vol. 6, International Journal of Computer Appli- cations (0975 – 8887), September 2010. [22] Dommety, G., “ Key and sequence number extensions to GRE. RFC 2890,” The Internet Society. [23] Savage, S. and Wetherall, D, “Practical network support for IP traceback,” Proceed- ings of the ACM SIGCOMM Conference on Internet Measurement, 2000. [24] Gilad, Yossi and Hergberg, Amir, “LOT: A Defense Against IP Spoofing and Flood- ing Attacks,” vol. 15 of 6, ACM Transactions on Information and System Security, July 2012. [25] F. Gont and S. Bellovin, “ Defending Against Sequence Number Attacks,” TCP Maintenance and Minor Extensions (tcpm) , July 7, 2011. [26] F. Gont and S. Bellovin, “ Defending Against Sequence Number Attacks, RFC 6528,” TCP Maintenance and Minor Extensions (tcpm) , February 2012. 28
  • 33. [27] Postel, J., “ TCP and IP bake off, RFC 1025,” September 1987. [28] Braden, B., “ Extending TCP for Transactions – Concepts, RFC 1379,” November 1992. [29] Spring, N., Wetherall, D., Ely, D., “Robust Explicit Congestion Notification (ECN) Signaling with Nonces. RFC 3540,” 2003. [30] Ramakrishnan, K., Floyd, S., and D. Black, “The Addition of Explicit Congestion Notification (ECN) to IP, RFC 3168,” September, 2001. [31] Ely, D., “Firewall spotting and networks analisys with a broken CRC,” in http://www.phrack.org/phrack/60/p60-0x0c.txt, Phrack Magazine, Volume 0x0b, Is- sue 0x3c, Phile 0x0c of 0x10., 2002. [32] Windows 95/NT DoS, “Post to the bugtraq mailing-list,” in http://seclists.org/bugtraq/1997/May/0039.html, , . [33] David C. Plummer, “n Ethernet Address Resolution Protocol – or – Converting Net- work Protocol Addresses to 48-bit Ethernet Address for Transmission on Ethernet Hardware RFC 826,” [34] Huang, T. and Bai, G., “Method against ARP spoofing baseed on improved protocol mechanism,” [35] “ARP Guard,” in https://www.arp-guard.com/info. [36] Vipul Goyal and Rohit Tripathy, “An Efficient Solution to the ARP Cache Poisoning Problem,” Springer-Verlag Berlin Heidelberg 2005. [37] Postel, J., “Internet Protocol, The Protocol Specification, RFC 791,” DARPA In- ternet Program. 29