TCP/IP LAYERS VULNERABILITIES, THREATS AND SECURITY MEASURES
Author: ngendahimanamoisehotmailcom, 2019-12-02 08:15:08

ZHEJIANG SCI-TECH UNIVERSITY


SCHOOL OF INFORMATICS


INFORMATION COMMUNICATION ENGINEERING


MODERN COMPUTER NETWORK


HOMEWORK-3


PROFESSOR HUANGLICAN


TCP/IP LAYERS VULNERABILITIES, THREATS AND SECURITY MEASURES


NGENDAHIMANA MOISE


L20192C060203


mailto:ngendahimana_moise@hotmail.com



1. ABSTRACT


The TCP/IP protocol suite, which is very widely used today, was developed under the sponsorship of the Department of Defense. Despite that, there are a number of serious security flaws inherent in the protocols, regardless of the correctness of any implementations. We describe a variety of attacks based on these flaws, including sequence number spoofing, routing attacks, source address spoofing, and authentication attacks. We also present defenses against these attacks, and conclude with a discussion of broad-spectrum defenses such as encryption.

KEY WORDS: TCP/IP Models, Security Threats, Attacks

2. INTRODUCTION


DEFINITION OF TCP


TCP (Transmission Control Protocol) is a 4-layer protocol which was designed to provide a reliable end-to-end byte stream over an unreliable internetwork.

The TCP/IP (Transmission Control Protocol and Internet Protocol) reference model was developed by the Department of Defense Advanced Research Projects Agency (ARPA, later DARPA) as part of a research project on network interconnection to connect remote machines.

TCP was formally defined in RFC 793 in September 1981. Since then the protocol has been improved and various errors and inconsistencies have been fixed. The major RFCs are clarifications and bug fixes in RFC 1122; extensions for high performance in RFC 1323; selective acknowledgments in RFC 2018; congestion control in RFC 2581; re-purposing of header fields for quality of service in RFC 2873; improved retransmission timers in RFC 2988; and explicit congestion notification in RFC 3168.

All TCP connections are full duplex and point-to-point. Full duplex means that traffic can go in both directions at the same time, while point-to-point means that each connection has exactly two end points. TCP does not support multicast or broadcasting.

TCP FUNCTION


TCP/IP uses the client/server model of communication, in which a user or machine is provided a service (such as a web page) by another computer (a server) in the network. Collectively, the TCP/IP suite of protocols is classified as stateless, which means each client request is considered new because it is unrelated to previous requests. Being stateless frees up network paths so they can be used continuously. TCP divides a message or file into packets that are transmitted over the internet and then reassembled when they reach their destination. Each machine supporting TCP has a TCP entity which manages TCP streams and interfaces to the IP layer. A TCP entity accepts user data streams from local processes, breaks them into pieces not exceeding 64 KB so that each fits in a single Ethernet frame together with the IP and TCP headers, and then sends each piece as a separate IP datagram.

TCP sends datagrams fast enough to make use of the available capacity without causing congestion, and it times out and retransmits any datagram that is lost or not delivered. Since datagrams may arrive out of order, it is also TCP's job to reassemble them into messages in the proper sequence. IP is responsible for addressing each packet so that it reaches the correct destination.

TCP/IP MODEL LAYERS AND THREATS


What is an attack?


A network attack can be defined as any method, process, or means used to maliciously attempt to compromise network security.


What is a threat?


A threat is any circumstance or event with the potential to adversely impact data or systems via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. Threats may involve intentional actors (e.g., an attacker who wants to access information on a server) or unintentional actors (e.g., an administrator who forgets to disable the user accounts of a former employee). Threats can be local, such as a disgruntled employee, or remote, such as an attacker in another geographical area.

TCP/IP functionality is divided into four layers, each of which includes different protocols. The four layers are as follows:

 

Figure 1 OSI Layers vs TCP/IP Layers




  •  Application layer


The application layer standardizes data exchange for applications. Protocols include HTTP, HTTPS, FTP, POP3, SMTP, SSH, SMB, NFS, SNMP, DNS, etc.

Application Layer Threats and Attacks

  1. Confidential Information Disclosure:


DNS constitutes one of the most fundamental Internet services and has two parts:

  • a DNS server, which responds to client requests;

  • a DNS client (resolver), which is part of the OS.

From the records and information stored on a DNS server an attacker may obtain registry data, including domain registration information, the names of the servers responsible for the domain together with their IP addresses, registration dates and owner contacts. Exposing some of this information to the public might compromise security.

For example, registry data can be collected using dig and the dnsrecon and fierce scripts.

  2. Man-in-the-Middle and Denial of Service Attacks:


DHCP is one of the most popular protocols and is used in almost all networks.

 

Figure 2 DHCP Process


The client makes no attempt to verify the identity of the DHCP server. If you run your own DHCP server, you can direct traffic through your own router and make the client use your DNS server; this is known as a Man-in-the-Middle attack.

DoS attacks are equally straightforward to launch: it is enough to connect a DHCP server to a network and configure it to assign clients the IP addresses of other networks.
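Both DHCP problems described above come down to the client accepting whatever OFFER arrives first. The defensive counterpart is to watch the DHCP traffic on a segment and compare every OFFER against the addressing plan: who is allowed to act as DHCP server, which gateway and resolver they may hand out, and which pool the leases must come from. The following is an added example written for this page, not code from the original homework; the policy values (192.0.2.1 as server and gateway, 192.0.2.53 as resolver, the 192.0.2.0/24 pool) and the OFFER messages are constructed for the demonstration, and the parser covers only the fixed BOOTP header and the option TLVs it needs.

```python
import ipaddress
import struct

# BOOTP fixed header (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file -> 236 bytes
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 6, 53, 54, 255
DHCPOFFER = 2

# Constructed policy for the example network: the only DHCP server, gateway and
# resolver that may appear in an OFFER, and the pool leases must come from.
POLICY = {
    "servers": {"192.0.2.1"},
    "routers": {"192.0.2.1"},
    "dns": {"192.0.2.53"},
    "subnet": ipaddress.IPv4Network("192.0.2.0/24"),
}


def build_offer(xid, yiaddr, server_id, router, dns, subnet="255.255.255.0"):
    """Build a constructed DHCPOFFER for testing; this is not captured traffic."""
    def opt(code, data):
        return bytes([code, len(data)]) + data
    fixed = struct.pack(BOOTP_FMT, 2, 1, 6, 0, xid, 0, 0,
                        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,
                        b"\xaa\xbb\xcc\xdd\xee\xff" + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = (opt(OPT_MSG_TYPE, bytes([DHCPOFFER]))
               + opt(OPT_SERVER_ID, ipaddress.IPv4Address(server_id).packed)
               + opt(OPT_SUBNET, ipaddress.IPv4Address(subnet).packed)
               + opt(OPT_ROUTER, ipaddress.IPv4Address(router).packed)
               + opt(OPT_DNS, b"".join(ipaddress.IPv4Address(d).packed for d in dns))
               + bytes([OPT_END]))
    return fixed + MAGIC_COOKIE + options


def parse_dhcp(payload):
    """Decode the fixed header and the option TLVs of a DHCP message (UDP payload)."""
    if len(payload) < BOOTP_LEN + 4 or payload[BOOTP_LEN:BOOTP_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    fields = struct.unpack(BOOTP_FMT, payload[:BOOTP_LEN])
    msg = {"op": fields[0], "xid": fields[4],
           "yiaddr": str(ipaddress.IPv4Address(fields[8])), "options": {}}
    i = BOOTP_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == 0:                      # pad option carries no length byte
            i += 1
            continue
        length = payload[i + 1]
        msg["options"][code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def ip_list(data):
    """Split an option value holding one or more IPv4 addresses."""
    return [str(ipaddress.IPv4Address(data[k:k + 4]))
            for k in range(0, len(data) - len(data) % 4, 4)]


def audit_offer(payload, policy=POLICY):
    """Return the ways an OFFER deviates from policy (empty list = looks legitimate)."""
    msg = parse_dhcp(payload)
    opts = msg["options"]
    findings = []
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]):
        return findings                    # only OFFERs are audited here
    server = ip_list(opts.get(OPT_SERVER_ID, b""))
    if not server or server[0] not in policy["servers"]:
        findings.append(f"offer from unknown DHCP server {server[0] if server else '?'}")
    for gw in ip_list(opts.get(OPT_ROUTER, b"")):
        if gw not in policy["routers"]:
            findings.append(f"offer pushes unexpected default gateway {gw}")
    for resolver in ip_list(opts.get(OPT_DNS, b"")):
        if resolver not in policy["dns"]:
            findings.append(f"offer pushes unexpected DNS server {resolver}")
    if ipaddress.IPv4Address(msg["yiaddr"]) not in policy["subnet"]:
        findings.append(f"offered address {msg['yiaddr']} is outside the managed subnet")
    return findings


if __name__ == "__main__":
    good = build_offer(1, "192.0.2.50", "192.0.2.1", "192.0.2.1", ["192.0.2.53"])
    rogue = build_offer(2, "203.0.113.5", "192.0.2.200", "192.0.2.200", ["198.51.100.9"])
    print("legitimate offer:", audit_offer(good))
    print("rogue offer:", audit_offer(rogue))
```

The rogue OFFER trips all four checks: an unlisted server identifier, a gateway and a resolver that would redirect the client's traffic (the Man-in-the-Middle case), and a lease from a foreign network (the DoS case). On a real segment the payload would come from a UDP socket bound to port 68, or from a capture; DHCP snooping on the switch is the usual way to enforce the same policy in hardware.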

  3. Eavesdropping on and Modifying Transmitted Packets:


All data transmitted using the FTP protocol, including credentials, is in plain-text format, so anyone who can intercept the channel can read it. The POP3, IMAP and SMTP protocols, as well as their secure versions SMTPS, POP3S and IMAPS, cannot provide adequate security against password cracking because they allow passwords to be guessed.

  •  Transport layer


The transport layer handles communications between hosts and is responsible for flow control, reliability, and multiplexing. This layer provides connection-oriented or connectionless services for transporting application layer data between networks. The commonly used transport layer protocols are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).

These protocols allow us to unambiguously identify communication endpoints, or sockets. A socket allows packets to be identified uniquely; it consists of an IP address, the name of a transport layer protocol (TCP or UDP) and a port number, and a given port can be assigned to only one service.

Transport Layer’s Threats and Attacks

  1. Threats:



  • TCP "SYN" attack


This happens during the three-way handshake between a client and a server: the client sends a synchronization request (SYN), and the server sends back a synchronization and acknowledgment (SYN-ACK) and reserves resources for this request. However, the final acknowledgment is never sent, which leaves the connection half open; the attacker sends many such synchronization requests to keep the server busy without ever responding to it.

  • TCP land attack


This attack happens when the attacker pretends to be an authorized person by spoofing the source IP address and then sends a SYN packet to open a TCP port on the server.

  • TCP sequence number generation attack


The most crucial part of a TCP segment is the sequence number, which is used to track the data. Every segment sent carries a sequence number, and the initial sequence numbers are exchanged between server and client at the beginning of the connection. A segment's sequence number must be within a bound called the receiver window size; any segment outside this bound is discarded.
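The SYN and LAND threats above both leave a signature in the packet stream that a monitor can recognise: a LAND packet is a SYN whose source and destination address and port are identical, and a SYN flood shows up as one source accumulating handshakes that never reach the third step. The following is an added example written for this page, not code from the original homework or from any particular tool; it works on a constructed list of packet summaries (address, port and flag fields) standing in for a capture, and the threshold of 20 half-open connections per source is an assumed value to tune per network.

```python
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits used below


def is_land_packet(pkt):
    """LAND: a SYN whose source and destination address and port are identical."""
    return (bool(pkt["flags"] & SYN)
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])


class HalfOpenTracker:
    """Counts handshakes that a client started but never completed, per source."""

    def __init__(self, threshold=20):
        self.threshold = threshold
        self.pending = set()                     # (src, sport, dst, dport) of open SYNs
        self.half_open_by_src = defaultdict(int)

    def _close(self, key):
        if key in self.pending:
            self.pending.discard(key)
            self.half_open_by_src[key[0]] -= 1

    def observe(self, pkt):
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flags = pkt["flags"]
        if flags & RST:                          # either side aborting: clear both directions
            self._close(key)
            self._close((pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
        elif flags & SYN and not flags & ACK:    # first step: client SYN
            if key not in self.pending:
                self.pending.add(key)
                self.half_open_by_src[key[0]] += 1
        elif flags & ACK and not flags & SYN:    # third step: client ACK completes it
            self._close(key)
        # A SYN-ACK from the server changes nothing: the connection stays half open
        # until the client's ACK arrives.

    def suspects(self):
        """Sources with at least `threshold` half-open connections."""
        return sorted(src for src, n in self.half_open_by_src.items() if n >= self.threshold)


def constructed_capture():
    """A constructed packet list standing in for a capture; not real traffic."""
    server = "192.0.2.80"
    pkts = [
        # one normal handshake from 192.0.2.10
        {"src": "192.0.2.10", "sport": 40000, "dst": server, "dport": 80, "flags": SYN},
        {"src": server, "sport": 80, "dst": "192.0.2.10", "dport": 40000, "flags": SYN | ACK},
        {"src": "192.0.2.10", "sport": 40000, "dst": server, "dport": 80, "flags": ACK},
    ]
    # SYN flood pattern: 50 SYNs from one source, none of them followed by an ACK
    for sport in range(50000, 50050):
        pkts.append({"src": "198.51.100.7", "sport": sport, "dst": server, "dport": 80, "flags": SYN})
    # LAND pattern: source and destination are the server itself
    pkts.append({"src": server, "sport": 80, "dst": server, "dport": 80, "flags": SYN})
    return pkts


def analyse(pkts, threshold=20):
    """Run both checks over a packet list and summarise what was found."""
    tracker = HalfOpenTracker(threshold)
    land = 0
    for pkt in pkts:
        if is_land_packet(pkt):
            land += 1
        tracker.observe(pkt)
    return {"land_packets": land,
            "syn_flood_sources": tracker.suspects(),
            "half_open": len(tracker.pending)}


if __name__ == "__main__":
    print(analyse(constructed_capture()))
```

The normal handshake is opened by its SYN and closed again by the client's ACK, so it never counts; the 50 SYNs from 198.51.100.7 stay pending and push that source over the threshold. A production monitor would also age out pending entries by time, since the server's own SYN-RECEIVED timer eventually frees them, and would distinguish spoofed-source floods (many sources, low per-source counts) by looking at the destination port instead.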

  2. Defense:

-Blocking unused ports.

-Monitoring the network for port scan attacks.

-Increasing the rate of change of the ISN.

-Using a cryptographic algorithm for ISN generation.

  • Network layer


The internet (or networking) layer connects independent networks to transport the packets containing the data across network boundaries. Internet Protocol (IP) is the fundamental network layer protocol for TCP/IP. Other commonly used protocols at the network layer are Internet Control Message Protocol (ICMP) and Internet Group Management Protocol (IGMP).

Network Layer’s Threats and Attacks

  1. Threats:



  • IP Spoofing and Routing Tables Modification


Since datagram headers (like the data they hold) have neither encryption nor signatures, an attacker may use a simple method to obtain this information and modify it.

The biggest threat in the third OSI model layer is IP spoofing, the ability of attackers to change the source IP address.

This is used mainly to obscure the attacker's real IP address.

The IP protocol enables routing, or sending datagrams across networks.

The IPv6 specification stipulates that every computer should listen for broadcasts about new routing paths and change its routing table accordingly.

This can allow the attacker to block all computers in a local network by broadcasting false paths.

  • TCP Tunneling over ICMP


A third malicious threat in the third layer of the OSI model involves the non-conventional use of ICMP.

The protocol was never meant to be used for transmitting arbitrary data, and because of this it is not blocked on most systems.

ICMP may, however, be turned into a vehicle for transmitting data, including TCP tunneling.

  2. Defense: To protect the system from threats specific to layer three, consider:



  • BLOCKING automatic routing modifications:netsh interface ipv6 set interface "Local Area Connection" routerdiscovery=disabled

  • ENCRYPTING and signing datagrams using IPsec

  • FILTERING packets that modify routing tables

  • MONITORING all network layer protocol packets, including broadcast packets and ICMP packets

  • DIVIDING networks into firewall-protected subnets
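Two of the items above, filtering and monitoring, can be made concrete at the border of a firewall-protected subnet. Source-address filtering in the style of BCP 38 rejects a packet that arrives from outside but claims an inside (or otherwise unroutable) source, which removes the easy form of IP spoofing, and an ICMP monitor can flag echo traffic that carries far more payload than a ping ever needs, which is the tell-tale of tunneling. The following is an added example written for this page, not code from the homework or from any firewall product; the addressing plan (192.0.2.0/24 as the protected network), the bogon list, the 128-byte payload limit and the 4096-byte per-source budget are all constructed assumptions, and the packets are built inline rather than captured.

```python
import ipaddress
import struct
from collections import defaultdict

IP_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total len, id, flags/frag, TTL, proto, checksum, src, dst
ICMP_FMT = "!BBHHH"        # type, code, checksum, identifier, sequence
PROTO_ICMP = 1
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8

# Constructed addressing plan: 192.0.2.0/24 is the protected network behind the border.
INTERNAL = [ipaddress.IPv4Network("192.0.2.0/24")]
BOGONS = [ipaddress.IPv4Network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16")]


def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 packet for testing; header checksum left at zero (not verified here)."""
    header = struct.pack(IP_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_icmp_echo(ident, seq, data, icmp_type=ICMP_ECHO_REQUEST):
    return struct.pack(ICMP_FMT, icmp_type, 0, 0, ident, seq) + data


def parse_ipv4(pkt):
    vihl, _tos, total, _id, _frag, _ttl, proto, _chk, src, dst = struct.unpack(IP_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total]}


def ingress_filter_verdict(ip, iface_is_external):
    """BCP 38 style source-address check at the border router."""
    src = ipaddress.IPv4Address(ip["src"])
    if iface_is_external:
        if any(src in net for net in INTERNAL):
            return "drop: spoofed internal source"
        if any(src in net for net in BOGONS):
            return "drop: bogon source"
    elif not any(src in net for net in INTERNAL):
        return "drop: outbound packet with foreign source"
    return "accept"


class IcmpTunnelMonitor:
    """Flags echo traffic that looks like a data carrier rather than a ping."""

    def __init__(self, max_echo_payload=128, byte_budget=4096):
        self.max_echo_payload = max_echo_payload
        self.byte_budget = byte_budget
        self.bytes_by_src = defaultdict(int)     # echo payload bytes seen per source

    def observe(self, ip):
        if ip["proto"] != PROTO_ICMP or len(ip["payload"]) < 8:
            return []
        icmp_type, _code, _chk, _ident, _seq = struct.unpack(ICMP_FMT, ip["payload"][:8])
        if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
            return []
        data = ip["payload"][8:]
        alerts = []
        if len(data) > self.max_echo_payload:
            alerts.append(f"{ip['src']}: oversized echo payload ({len(data)} bytes)")
        self.bytes_by_src[ip["src"]] += len(data)
        if self.bytes_by_src[ip["src"]] > self.byte_budget:
            alerts.append(f"{ip['src']}: echo payload volume exceeded {self.byte_budget} bytes")
        return alerts


if __name__ == "__main__":
    spoofed = parse_ipv4(build_ipv4("192.0.2.5", "192.0.2.80", 6, b""))
    print(ingress_filter_verdict(spoofed, iface_is_external=True))
    monitor = IcmpTunnelMonitor()
    ping = parse_ipv4(build_ipv4("203.0.113.9", "192.0.2.80", PROTO_ICMP,
                                 build_icmp_echo(1, 1, b"A" * 56)))
    bulk = parse_ipv4(build_ipv4("203.0.113.9", "192.0.2.80", PROTO_ICMP,
                                 build_icmp_echo(1, 2, b"B" * 1000)))
    print(monitor.observe(ping), [monitor.observe(bulk) for _ in range(5)])
```

A 56-byte echo (the usual ping size) passes silently, while 1000-byte echoes are flagged individually and, once the per-source volume passes the budget, collectively. The size and volume thresholds are deliberately simple; the point is that ICMP should be measured like any other protocol rather than waved through, as the threat description above notes it usually is.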




  •  Data-link layer


This layer handles communications on the physical network components. The data-link layer consists of methods and protocols that operate only on a link, which is the network component that interconnects nodes or hosts in the network. Protocols in the layer include Ethernet and ARP (Address Resolution Protocol).

Data-link Layer's Threats and Attacks

  1. Threats: ARP Poisoning


Method 1: flooding a switch with fake MAC addresses and associated fake IP addresses.

This attack is easy to detect and might not be effective, depending on the switch.

Method 2: poisoning the ARP cache of the targeted computer.

Since ARP is responsible for the mapping between IP addresses and their associated MAC addresses, by modifying the ARP cache the attacker can cause packets addressed to the IP address of server X to be sent instead to a computer chosen by the attacker. If that server's ARP cache becomes poisoned as well, and the attacker's computer forwards the received data on to its original destinations, the communication between client and server is not interrupted; however, the attacker has full access to all the data transmitted.
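Cache poisoning works because a host accepts an ARP reply it never asked for and overwrites whatever binding it held. A monitor on the segment can therefore detect it from exactly those two properties: a reply with no preceding request for that address, and a reply that contradicts the binding learned earlier. The following is an added example written for this page, not code from the homework or from a tool such as arpwatch; the frames are constructed inline (192.0.2.1 as the gateway, 192.0.2.2 as a client, the aa:aa:… and de:ad:… MAC addresses all made up), and it keeps the first binding seen as the trusted one rather than following the newest reply the way a victim's cache would.

```python
import ipaddress
import struct

ETH_FMT = "!6s6sH"              # dst MAC, src MAC, EtherType
ARP_FMT = "!HHBBH6s4s6s4s"      # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(sender_mac, sender_ip, target_mac, target_ip, op):
    """Constructed Ethernet+ARP frame for testing; this is not captured traffic."""
    eth_dst = target_mac if op == ARP_REPLY else BROADCAST
    eth = struct.pack(ETH_FMT, mac_bytes(eth_dst), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 14 + 28:
        return None
    _dst, eth_src, ethertype = struct.unpack(ETH_FMT, frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    _ht, _pt, _hl, _pl, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"eth_src": mac_str(eth_src), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": mac_str(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


class ArpWatcher:
    """Keeps the first IP->MAC binding seen and alerts on anything that contradicts it."""

    def __init__(self):
        self.table = {}            # IP -> MAC learned from the first reply
        self.outstanding = set()   # IPs for which a request has been seen

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return []
        alerts = []
        if arp["op"] == ARP_REQUEST:
            self.outstanding.add(arp["target_ip"])
            return alerts
        if arp["op"] != ARP_REPLY:
            return alerts
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:   # frame source and ARP sender should agree
            alerts.append(f"reply for {ip}: Ethernet source {arp['eth_src']} differs from ARP sender {mac}")
        if ip in self.outstanding:
            self.outstanding.discard(ip)
        else:
            alerts.append(f"unsolicited ARP reply for {ip} from {mac}")
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            alerts.append(f"{ip} is bound to {known} but {mac} now claims it (possible ARP poisoning)")
        return alerts


if __name__ == "__main__":
    watcher = ArpWatcher()
    print(watcher.observe(build_arp("aa:aa:aa:aa:aa:02", "192.0.2.2", "00:00:00:00:00:00", "192.0.2.1", ARP_REQUEST)))
    print(watcher.observe(build_arp("aa:aa:aa:aa:aa:01", "192.0.2.1", "aa:aa:aa:aa:aa:02", "192.0.2.2", ARP_REPLY)))
    print(watcher.observe(build_arp("de:ad:be:ef:00:01", "192.0.2.1", "aa:aa:aa:aa:aa:02", "192.0.2.2", ARP_REPLY)))
```

The request/reply pair for the gateway produces nothing; the second reply for 192.0.2.1 from a different MAC raises both alerts at once, which is the pattern of a poisoning attempt against the client. Legitimate changes (a replaced NIC, failover between gateways) also trigger the binding alert, so in practice the table is seeded from the known inventory and changes are confirmed by an operator rather than auto-learned.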

  2. Defense: The 802.1X standard provides definitions for medium access control techniques in both wired and wireless networks.



  • A CLIENT (supplicant) must have an authentication credential, which could be a certificate issued to the computer (EAP-TLS) or a password (EAP-PSK).

  • AN AUTHENTICATOR (a switch in wireless networks) is supposed to be a RADIUS server’s proxy. It only opens a port if a computer trying to connect can prove its identity.

  • A RADIUS server verifies the computers' identity and allows the switch to open a given port or blocks it.

  • This solution is fundamentally flawed: once a computer is granted access, all other computers connected to the port will be able to listen on the data transmitted over this port.


3. CONCLUSION


The main goal of the current study has been to provide a review of the functionality of the TCP/IP model layers. The second aim of this study has been to investigate the main attacks and threats in each layer, and in each protocol within each layer separately, together with the different countermeasures and defense solutions. In the application layer, the main protocols were HTTP, SMTP, DHCP, DNS, SNMP and FTP; in the following layer they were TCP and UDP; and in the Internet layer they were IP, ARP, ICMP and IGMP.

