Handbook of Local Area Networks, 1998 Edition:LAN Security
SECURITY WEAKNESSES ASSOCIATED WITH TCP/IP
The Transmission Control Protocol/Internet Protocol (TCP/IP) suite is the common bond of all systems on the Internet. Therefore, when a LAN is attached to the Internet, every system on the LAN that is to have Internet access must run TCP/IP.
In most cases today, TCP/IP is not the communications protocol already in use on the LAN; Apple's AppleTalk, Microsoft's NetBIOS (Network Basic Input/Output System), and Novell's NetWare are far more common. To obviate the need for the user to select the communications protocol at boot time, most LAN-based systems today employ a dual stack, where a native LAN protocol and TCP/IP are both supported. A protocol manager, such as Microsoft's NDIS (Network Driver Interface Specification) or Novell's ODI (Open Data-Link Interface), is employed so that the communications protocol actually being used for any particular application is transparent to the user.
But TCP/IP, by its nature, is not currently a secure protocol suite.¹ This is not due to a lack of ability on the part of the protocol designers, but to the desire to have open, flexible communications capabilities. TCP/IP was also designed for a friendly network, namely, the ARPANET. As more and more users have connected to the Internet, however, the 'Net has become a more hostile environment, and some nefarious individuals have taken advantage of a number of potential weaknesses in the TCP/IP protocols themselves and/or vendors' implementations. Some of the documented weaknesses of TCP/IP include:
¹ The current version of IP is called IP version 4 (IPv4). A new version, IPv6, will have more security features, among others. IPv6 is the topic of another chapter in this book.
Passwords sent in the clear: In many TCP/IP applications, such as Telnet (remote host access), File Transfer Protocol (FTP), and Post Office Protocol (POP), the password is sent in an unencrypted fashion over the LAN and Internet. An eavesdropper can potentially obtain usernames and passwords.
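The following is an added example, not part of the chapter: a small audit routine of the kind a LAN monitor might run to find sessions that expose credentials as described above. It inspects client-to-server payloads of the cleartext protocols named in the text (FTP, Telnet, POP3), records which account was exposed, and notes only that a PASS line went by; the secret itself is never stored. The port table, the regular expression and the sample payloads are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports of the cleartext-authentication protocols named in the text (assumed mapping).
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 110: "POP3"}

# FTP and POP3 both carry credentials as "USER <name>" / "PASS <secret>" lines.
CRED_RE = re.compile(rb"^(USER|PASS)[ \t]+(\S+)[ \t]*\r?$", re.IGNORECASE | re.MULTILINE)


@dataclass
class Finding:
    protocol: str
    username: Optional[str]
    password_seen: bool      # only a flag: the secret itself is never recorded


def inspect_segment(dst_port: int, payload: bytes) -> Optional[Finding]:
    """Classify one reassembled client-to-server payload.

    Returns None for ports that are not cleartext protocols; otherwise a
    Finding that says which protocol exposed credentials and for which account."""
    proto = CLEARTEXT_PORTS.get(dst_port)
    if proto is None:
        return None
    username = None
    password_seen = False
    for match in CRED_RE.finditer(payload):
        if match.group(1).upper() == b"USER":
            username = match.group(2).decode("ascii", errors="replace")
        else:
            password_seen = True   # note only that a PASS line crossed the wire in the clear
    return Finding(proto, username, password_seen)


def audit(segments: List[Tuple[int, bytes]]) -> List[Finding]:
    """Run inspect_segment over a batch of (dst_port, payload) pairs and keep the findings."""
    findings = []
    for port, payload in segments:
        finding = inspect_segment(port, payload)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample payloads for the example; not captured traffic.
SAMPLE_SEGMENTS = [
    (21, b"USER alice\r\nPASS s3cret-ftp\r\n"),
    (110, b"USER bob@example.test\r\nPASS hunter2\r\n"),
    (23, b"\xff\xfd\x18\xff\xfb\x01"),          # Telnet option negotiation only
    (443, b"\x16\x03\x01\x00\x05hello"),         # TLS record: not a cleartext port
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SEGMENTS):
        print(finding)
```

Run as a script, it prints one Finding per cleartext session in the sample; the Telnet session is reported on port alone because its login exchange is character-at-a-time and not parsed here.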
Buffer overflow: Several applications, such as sendmail (UNIX), finger (returns information about a remote host or user), and Hypertext Transfer Protocol (HTTP, the protocol for the World Wide Web), do not ensure that user input fits into the buffer that the program allocates. It is possible, in some situations, to send more data to an application than the buffer was designed to accept; if that data is substitute code, the attacker can gain control of the server. This form of attack was the basis for the Internet worm that brought the Internet down for several days in November 1988.
IP address spoofing/TCP Initial Sequence Number (ISN) guessing: Every IP packet contains the host addresses of the sender and intended receiver. Some applications only accept packets from trusted hosts, a determination made by examining the source address carried in the packet. Unfortunately, there is little in most TCP/IP software implementations that would prevent someone from placing any address that they want in the packet's Source Address field. Thus, any host can pretend to have any address. Of course, for a TCP connection, spoofing the host address is not sufficient; the attacker has to be able to establish a virtual connection with the target host. When a virtual circuit is created in a TCP environment, the two hosts need to synchronize the Initial Sequence Number of the bytes to be exchanged; this value is almost never 0 and, in fact, changes over time. Due to the vagaries of TCP implementations, however, the ISN can be guessed by an attacker. Using a combination of IP address spoofing and TCP ISN guessing, an attacker can gain privileged access to a server even though the initial packets never get back to the attacker's system. This type of attack was the basis for the now infamous episode in late 1994 and early 1995 when Kevin Mitnick allegedly broke into Tsutomu Shimomura's systems at the San Diego Supercomputer Center (SDSC).
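As an added example (not from the chapter), the two ISN generators below contrast the guessable behaviour the text describes with the remedy that later became standard: a generator whose sequence number is a clock plus a keyed hash of the connection's own 4-tuple (the construction documented in RFC 1948). A counter that advances by a fixed step for every connection on the host can be audited as predictable from a few observations; the hashed generator gives each 4-tuple an offset that observations on other connections do not reveal. The class names, the step size, the tick size and the probe connections are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
FourTuple = Tuple[str, int, str, int]   # (local addr, local port, remote addr, remote port)


class CounterISN:
    """One shared counter advanced by a fixed step per connection (assumed step of 64).

    Whoever opens a connection, reads the ISN, and opens another can infer the
    step, which is the property the text calls 'guessable'."""

    def __init__(self, start: int = 0, step: int = 64):
        self.value = start
        self.step = step

    def next_isn(self, conn: FourTuple, clock_ticks: int) -> int:
        self.value = (self.value + self.step) & MASK32
        return self.value


class HashedISN:
    """RFC 1948 style generator: ISN = clock + F(4-tuple, secret).

    The clock keeps the sequence space moving for one connection over time,
    while the keyed hash gives every 4-tuple its own offset, so ISNs seen on
    one's own connections say nothing about the ISN of another 4-tuple."""

    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret if secret is not None else os.urandom(16)

    def next_isn(self, conn: FourTuple, clock_ticks: int) -> int:
        laddr, lport, raddr, rport = conn
        msg = f"{laddr}:{lport}>{raddr}:{rport}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        offset = int.from_bytes(digest[:4], "big")
        return (clock_ticks + offset) & MASK32


def constant_delta(isns: List[int]) -> bool:
    """Audit helper: True when consecutive ISNs differ by one fixed amount,
    i.e. the generator behaves like a plain counter."""
    deltas = {(b - a) & MASK32 for a, b in zip(isns, isns[1:])}
    return len(deltas) == 1


def sample(gen, conns: List[FourTuple], clock_start: int = 1000, tick: int = 8) -> List[int]:
    """Open connections back to back; the clock advances 'tick' units each time."""
    return [gen.next_isn(c, clock_start + i * tick) for i, c in enumerate(conns)]


# Constructed 4-tuples for an audit host opening six connections to a server's SMTP port.
PROBE_CONNS = [("192.0.2.10", 40000 + i, "198.51.100.5", 25) for i in range(6)]

if __name__ == "__main__":
    print("counter predictable:", constant_delta(sample(CounterISN(), PROBE_CONNS)))
    print("hashed predictable: ", constant_delta(sample(HashedISN(), PROBE_CONNS)))
```

The audit helper only detects the simplest weakness (a constant increment); the point of the hashed generator is that, with the secret unknown, the offset for a 4-tuple the observer does not control is not derivable from the ISNs the observer can legitimately obtain.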
TCP Synchronization (SYN) flooding: When a TCP virtual circuit is being established, a three-way handshake is performed; the initiating host sends a request to establish the connection, the destination responds with a half acknowledgment, and the first host responds with a confirmation that the connection is set. The destination host waits for this final confirmation; if none is forthcoming within a few seconds, the destination deallocates buffers and will accept other connections. In a SYN flooding attack, the attacking host continuously sends thousands of setup requests each second, usually with a spoofed source address. The destination host, meanwhile, responds with an acknowledgment for every request that it can and waits for the confirmations that are never going to come in. The target host is essentially frozen; it is spending all of its processing time and resources trying to respond to what it does not know are illegitimate requests, and could not effectively handle a legitimate connection, even if one were to get through. This type of denial-of-service attack was launched against Panix, an Internet service provider in New York, in September 1996.
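The following is an added detection example, not part of the chapter: a tracker that replays a packet trace, keeps the same bookkeeping the text attributes to the destination host (a half-open entry per SYN, cleared by the client's final ACK or by a timeout), and raises an alert when the number of half-open connections to one server crosses a threshold. The timeout, the threshold, the flag notation and the trace are assumptions constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

HALF_OPEN_TIMEOUT = 3.0   # seconds a SYN-ACKed connection may wait for its ACK (assumed value)
ALERT_THRESHOLD = 5       # half-open entries per server that raise an alert (assumed value)

Packet = Tuple[float, str, str, str]   # (time, src, dst, flags) with flags "S", "SA" or "A"


def track_half_open(trace: List[Packet], timeout: float = HALF_OPEN_TIMEOUT,
                    threshold: int = ALERT_THRESHOLD):
    """Replay a trace and report servers whose half-open backlog crosses the threshold.

    Returns (alerts, half_open_per_server): alerts is a list of (time, server, count)
    recorded once per threshold crossing; the dict is the backlog left at the end."""
    pending: Dict[Tuple[str, str], float] = {}   # (client, server) -> time the SYN was seen
    alerts: List[Tuple[float, str, int]] = []
    in_alert: Set[str] = set()
    per_server: Dict[str, int] = {}

    for t, src, dst, flags in trace:
        # Expire entries older than the timeout, as the server's own backlog would.
        for key, t0 in list(pending.items()):
            if t - t0 > timeout:
                del pending[key]

        if flags == "S":
            pending[(src, dst)] = t            # new handshake started
        elif flags == "A" and (src, dst) in pending:
            del pending[(src, dst)]            # third packet arrived: handshake complete
        # "SA" is the server's reply; it changes nothing about what is outstanding.

        per_server = defaultdict(int)
        for (_client, server) in pending:
            per_server[server] += 1
        for server, n in per_server.items():
            if n >= threshold and server not in in_alert:
                alerts.append((t, server, n))
                in_alert.add(server)
        in_alert = {s for s in in_alert if per_server.get(s, 0) >= threshold}

    return alerts, dict(per_server)


# Constructed trace: one normal client, then six SYNs from different sources that
# are answered but never acknowledged, then a normal client much later.
SERVER = "192.0.2.10"
TRACE: List[Packet] = [
    (0.00, "198.51.100.7", SERVER, "S"),
    (0.01, SERVER, "198.51.100.7", "SA"),
    (0.02, "198.51.100.7", SERVER, "A"),       # a legitimate client completes
]
for i in range(6):
    src = f"203.0.113.{i + 1}"
    TRACE.append((1.00 + i * 0.01, src, SERVER, "S"))
    TRACE.append((1.00 + i * 0.01, SERVER, src, "SA"))
TRACE += [
    (10.00, "198.51.100.8", SERVER, "S"),      # by now the stale entries have expired
    (10.01, SERVER, "198.51.100.8", "SA"),
]

if __name__ == "__main__":
    alerts, backlog = track_half_open(TRACE)
    for when, server, count in alerts:
        print(f"t={when:.2f}s half-open backlog to {server} reached {count}")
    print("backlog at end of trace:", backlog)
```

The tracker alerts once when the fifth unanswered handshake is outstanding and is quiet again after the timeout clears them; on a real sensor the threshold would be set from the server's observed normal backlog rather than the small value used here.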
Small fragments: Many router and firewall filters only act on the first part (fragment) of a larger message and take no action on any fragment that contains the remainder of the message; the thought here is that if the first fragment is accepted, then the rest of the message is also acceptable, and if the first fragment was discarded, the rest of the message is meaningless. But if an attacker sends an IP datagram that is so short as to not contain any higher layer information, it may erroneously be passed through the filters.
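As an added example (not from the chapter), here is a first-fragment filter of the kind the text describes, with the two extra checks that close the gap it points out (the approach written up in RFC 1858): a first fragment too small to carry the transport header fields the filter needs is dropped, and so is a fragment at offset 1, which would overlap the first fragment's TCP header. The datagrams are built and parsed inline; the port policy, the 16-byte minimum, the addresses and the sample packets are assumptions constructed for the example.

```python
import struct
from typing import Dict

IPPROTO_TCP = 6
IPPROTO_UDP = 17
MF_FLAG = 0x2000           # "more fragments" bit in the 16-bit flags/offset field
IP_HDR = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)

# Policy for this illustration: only HTTP may pass; everything else is dropped.
ALLOWED_TCP_PORTS = {80}
# A first fragment must carry at least this much transport data so that the TCP
# flags (byte 13 of the TCP header) are present for inspection. 16 bytes is the
# value assumed here; it equals two 8-byte fragment units.
FIRST_FRAGMENT_MIN = 16


def build_ipv4(payload: bytes, ident: int = 1, more: bool = False, offset_units: int = 0,
               proto: int = IPPROTO_TCP) -> bytes:
    """Assemble a minimal IPv4 datagram (checksum left zero, which is fine offline)."""
    flags_off = (MF_FLAG if more else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_off,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 5]))
    return hdr + payload


def build_tcp(sport: int, dport: int, flags: int = 0x02) -> bytes:
    """20-byte TCP header with data offset 5; SYN set by default."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def parse_ipv4(pkt: bytes) -> Dict:
    """Pull out the fields the filter needs: protocol, fragment offset, MF and payload."""
    (vihl, _tos, total_len, ident, flags_off, _ttl, proto,
     _csum, _src, _dst) = struct.unpack(IP_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"ident": ident, "proto": proto, "more": bool(flags_off & MF_FLAG),
            "offset": flags_off & 0x1FFF, "payload": pkt[ihl:total_len]}


def filter_decision(pkt: bytes) -> str:
    """Return 'ACCEPT' or 'DROP' for one fragment."""
    p = parse_ipv4(pkt)
    if p["proto"] != IPPROTO_TCP:
        return "DROP"            # this illustration's policy permits TCP only
    if p["offset"] == 0:
        if len(p["payload"]) < FIRST_FRAGMENT_MIN:
            return "DROP"        # tiny first fragment: ports/flags not all present
        dport = struct.unpack("!H", p["payload"][2:4])[0]
        return "ACCEPT" if dport in ALLOWED_TCP_PORTS else "DROP"
    if p["offset"] == 1:
        return "DROP"            # would overlap the first fragment's TCP header
    return "ACCEPT"              # later fragment: rides on the first fragment's verdict


# Constructed test vectors for the filter.
SAMPLE_PACKETS = {
    "http_first": build_ipv4(build_tcp(40000, 80)),
    "telnet_first": build_ipv4(build_tcp(40001, 23)),
    # The case the text describes: an 8-byte first fragment holding only the port
    # numbers, with the rest of the TCP header in a second fragment at offset 1.
    "tiny_first": build_ipv4(build_tcp(40002, 23)[:8], ident=7, more=True),
    "overlap_second": build_ipv4(build_tcp(40002, 23)[8:], ident=7, offset_units=1),
    "later_fragment": build_ipv4(b"\x00" * 64, ident=8, offset_units=4),
    "udp": build_ipv4(b"\x00" * 8, proto=IPPROTO_UDP),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:15s} {filter_decision(pkt)}")
```

Without the two extra checks, the first fragment in the tiny_first/overlap_second pair would be judged only on its port numbers and the second would pass unexamined, which is exactly the weakness the paragraph above describes; with them, both fragments are dropped.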
World Wide Web spoofing: In this attack, a user's WWW traffic is maliciously re-routed to a bogus WWW server that pretends to be the legitimate target system. The bogus server can collect username, password, and other information. As a person-in-the-middle attack, the bogus system may collect the information without ever disturbing either the user or the legitimate target server.
Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited.