The TCP/IP protocol suite has a number of vulnerabilities and security flaws inherent in the protocols. Those vulnerabilities are often used by crackers for Denial of Service (DoS) attacks, connection hijacking and other attacks. The following are the major TCP/IP security problems: TCP SYN attacks (or SYN Flooding) – TCP uses sequence numbers to ensure data is given to the user in the correct order. The sequence numbers are initially established during the opening phase of a TCP connection, in the three-way handshake. TCP SYN attacks take advantage of a flaw in how most hosts implement the TCP three-way handshake.
When Host B receives the SYN request from A, it must keep track of the partially opened connection in a “listen queue” for at least 75 seconds and a host can only keep track of a very limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK the other host sends back. By doing so, the other host’s listen queue is quickly filled up, and it will stop accepting new connections, until a partially opened connection in the queue is completed or times out.
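The listen-queue exhaustion described above, as an added example that is not code from the original text. It is a constructed simulation rather than real sockets: it assumes the 75-second half-open timeout from the text and a fixed queue capacity, and an entry leaves the queue only when the handshake's final ACK arrives or when it times out. A second function shows the detection signal a defender looks for: the share of SYNs on a host that never turn into completed handshakes.

```python
"""Model of a TCP listen queue under a SYN flood.

Added example, not code from the original text: a constructed simulation rather
than real sockets. It assumes the 75-second half-open timeout from the text and
a fixed queue capacity; an entry leaves the queue when the handshake's final ACK
arrives or when it times out.
"""
from dataclasses import dataclass, field

HALF_OPEN_TIMEOUT = 75.0  # seconds a half-open entry is held, per the text


@dataclass
class ListenQueue:
    capacity: int
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> SYN arrival time
    refused: int = 0
    established: int = 0

    def _expire(self, now: float) -> None:
        """Drop half-open entries older than the timeout, freeing their slots."""
        stale = [k for k, t in self.half_open.items() if now - t >= HALF_OPEN_TIMEOUT]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, src: tuple, now: float) -> bool:
        """Return True if the SYN got a slot (a SYN&ACK would be sent), False if refused."""
        self._expire(now)
        if src in self.half_open:
            return True  # retransmitted SYN: already queued
        if len(self.half_open) >= self.capacity:
            self.refused += 1
            return False
        self.half_open[src] = now
        return True

    def on_ack(self, src: tuple, now: float) -> bool:
        """Final ACK of the handshake: move the entry out of the half-open queue."""
        self._expire(now)
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.established += 1
        return True


def flood_then_recover(capacity: int = 8, flood_sources: int = 8) -> tuple:
    """Constructed scenario: SYNs that never complete fill the queue, a legitimate
    client is refused, and is accepted again only after the stale entries expire."""
    q = ListenQueue(capacity)
    for i in range(flood_sources):
        q.on_syn((f"198.51.100.{i}", 40000 + i), now=0.0)
    legit = ("203.0.113.5", 51000)
    during = q.on_syn(legit, now=1.0)                      # queue full: refused
    after = q.on_syn(legit, now=HALF_OPEN_TIMEOUT + 1.0)   # entries expired: accepted
    done = q.on_ack(legit, now=HALF_OPEN_TIMEOUT + 1.1)
    return during, after, done, q.refused, q.established


def half_open_ratio(events: list) -> float:
    """Detection heuristic over constructed connection events: the share of SYNs
    whose handshake never completed. events: (kind, src) with kind 'SYN' or 'ACK'."""
    syns = {src for kind, src in events if kind == "SYN"}
    acks = {src for kind, src in events if kind == "ACK"}
    if not syns:
        return 0.0
    return len(syns - acks) / len(syns)


if __name__ == "__main__":
    print(flood_then_recover())  # (False, True, True, 1, 1)
```

The simulation makes the text's point concrete: with eight slots, eight unanswered SYNs are enough to refuse every newcomer until the 75-second timer clears them. Modern stacks counter this by shortening that timer and by using SYN cookies, which encode the handshake state in the initial sequence number so that no queue entry has to be allocated before the final ACK arrives; a persistently high half-open ratio on a listener is the signal that such a flood is in progress.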
This ability to effectively remove a host from the network for at least 75 seconds can be used as a denial-of-service attack, or it can be used to implement other attacks, like IP Spoofing. IP Spoofing – IP spoofing is an attack used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forged source IP address indicating that the message is coming from a trusted host. The IP layer assumes that the source address on any IP packet it receives is the IP address of the system that actually sent the packet; it performs no authentication.
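Because the IP layer never checks the source field, the practical defence is to check it at the network edge: a packet arriving on the Internet-facing interface that claims an internal source address cannot be genuine and is dropped (ingress filtering). The following is an added example, not code from the original text; the per-interface policy is an assumed configuration and the packets are constructed in memory with the checksum left at zero, since this example does not validate it.

```python
"""Ingress (anti-spoofing) filtering of IPv4 packets by source address.

Added example, not code from the original text. The interface policy below is an
assumed configuration; the packets are constructed in memory (checksum left at zero,
since this example does not validate it).
"""
import ipaddress
import struct


def parse_ipv4_header(pkt: bytes) -> dict:
    """Extract the fields an ingress filter cares about from an IPv4 header."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _tos, _tlen, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not an IPv4 header")
    return {"ttl": ttl, "protocol": proto,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}


# Assumed per-interface policy: which source prefixes may legitimately arrive there.
# lan0 faces the internal network 192.0.2.0/24; wan0 faces the Internet and must
# never deliver a packet that claims an internal, private or loopback source.
INGRESS_POLICY = {
    "lan0": {"allow": ["192.0.2.0/24"], "deny": []},
    "wan0": {"allow": ["0.0.0.0/0"],
             "deny": ["192.0.2.0/24", "10.0.0.0/8", "172.16.0.0/12",
                      "192.168.0.0/16", "127.0.0.0/8"]},
}


def ingress_verdict(iface: str, pkt: bytes, policy=INGRESS_POLICY) -> str:
    """Return 'accept' or a 'drop:<reason>' string for a packet arriving on iface."""
    rules = policy.get(iface)
    if rules is None:
        return "drop:unknown-interface"
    src = parse_ipv4_header(pkt)["src"]
    if any(src in ipaddress.ip_network(n) for n in rules["deny"]):
        return "drop:spoofed-source"           # claims an address that cannot arrive here
    if not any(src in ipaddress.ip_network(n) for n in rules["allow"]):
        return "drop:source-not-on-interface"  # internal side: only our own prefix
    return "accept"


def ipv4_packet(src: str, dst: str, proto: int = 6) -> bytes:
    """Constructed 20-byte header for the tests below (no payload, checksum zeroed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


if __name__ == "__main__":
    for iface, s in [("wan0", "192.0.2.10"), ("wan0", "198.51.100.7"),
                     ("lan0", "198.51.100.7"), ("lan0", "192.0.2.10")]:
        print(iface, s, ingress_verdict(iface, ipv4_packet(s, "203.0.113.1")))
```

The filter does nothing to authenticate a source address; it only rejects the combinations that are topologically impossible. That is enough to stop a forged internal address from entering through the external interface, which is the case the paragraph above describes, but a forged address that belongs to the same side of the filter still passes, so higher-level protocols should not rely on the source address alone.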
Many higher-level protocols and applications also make this assumption, so anyone able to forge the source address of an IP packet could gain unauthorized privileges. There are several variations of IP spoofing, such as blind and non-blind spoofing, the man-in-the-middle attack (connection hijacking), etc. For details, please read the IP Spoofing section. Routing attacks – This attack takes advantage of the Routing Information Protocol (RIP), which is often an essential component in a TCP/IP network. RIP is used to distribute routing information within networks, such as shortest paths, and to advertise routes out from the local network.
Like TCP/IP, RIP has no built-in authentication, and the information provided in a RIP packet is often used without verifying it. Attacks on RIP change where data goes to, not where it came from. For example, an attacker could forge a RIP packet claiming that his host “X” has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker’s machine instead.
ICMP attacks – The Internet Control Message Protocol (“ICMP”) is used by the IP layer to send one-way informational messages to a host, such as “ping” messages. There is no authentication in ICMP, which leads to attacks using ICMP that can result in a denial of service or allow the attacker to intercept packets. Denial-of-service attacks primarily use either the ICMP “Time exceeded” or “Destination unreachable” messages, which can cause a host to immediately drop a connection. An attacker can forge one of these ICMP messages and send it to one or both of the communicating hosts to disconnect their connection.
ICMP messages can also be used to intercept packets by using the ICMP “Redirect” message which is commonly used by gateways when a host has mistakenly assumed the destination is not on the local network. If an attacker forges an ICMP “Redirect” message, it can cause another host to send packets for certain connections through the attacker’s host. This attack is similar to a RIP attack, except that ICMP messages only apply to existing connections, and the attacker (the host receiving redirected packets) must be on a local network.
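Both ICMP abuses above (forged error messages that tear down a connection, and forged redirects that divert one) are mitigated the same way: the receiving host checks the message against its own state before acting on it. The following is an added example, not code from the original text; the connection table, route table and message bytes are constructed. It implements the usual hardening checks: an ICMP error must quote a packet this host really sent (the 4-tuple is a known connection and the quoted TCP sequence number lies inside the unacknowledged send window), a matching error is treated as a soft condition rather than a reason to abort, and a redirect is honoured only when it comes from the current gateway and names a next hop on a directly connected network.

```python
"""Validating ICMP error and redirect messages against local state before acting on them.

Added example, not from the original text. The connection table, route table and
message bytes are constructed. Checks: an ICMP error must quote a packet this host
sent (known 4-tuple, TCP sequence number inside the send window); a redirect must
come from the current gateway and point at a next hop on a directly connected network.
"""
import ipaddress
import struct

ICMP_DEST_UNREACH, ICMP_REDIRECT, ICMP_TIME_EXCEEDED = 3, 5, 11


def parse_icmp_error(msg: bytes) -> dict:
    """ICMP header (8 bytes), then the quoted IPv4 header and first 8 bytes of transport."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("truncated ICMP error message")
    icmp_type, code, _csum, rest = struct.unpack("!BBH4s", msg[:8])
    ihl = (msg[8] & 0x0F) * 4
    if msg[8] >> 4 != 4 or len(msg) < 8 + ihl + 8:
        raise ValueError("bad quoted IP header")
    sport, dport, seq = struct.unpack("!HHI", msg[8 + ihl:8 + ihl + 8])
    return {"type": icmp_type, "code": code, "rest": rest, "proto": msg[8 + 9],
            "q_src": ipaddress.IPv4Address(msg[20:24]),   # quoted header: source
            "q_dst": ipaddress.IPv4Address(msg[24:28]),   # quoted header: destination
            "sport": sport, "dport": dport, "seq": seq}


def _seq_in_window(seq: int, snd_una: int, snd_nxt: int) -> bool:
    """Modular comparison so 32-bit sequence-number wraparound is handled."""
    return (seq - snd_una) % (1 << 32) < (snd_nxt - snd_una) % (1 << 32)


def icmp_error_verdict(msg: bytes, connections: dict) -> str:
    """connections: (local_ip, local_port, remote_ip, remote_port) -> {'snd_una', 'snd_nxt'}."""
    e = parse_icmp_error(msg)
    if e["type"] not in (ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED):
        return "ignore:not-an-error-type"
    if e["proto"] != 6:
        return "ignore:not-tcp"
    # The quoted packet was sent by this host, so its source is our local end.
    key = (str(e["q_src"]), e["sport"], str(e["q_dst"]), e["dport"])
    conn = connections.get(key)
    if conn is None:
        return "drop:no-matching-connection"
    if not _seq_in_window(e["seq"], conn["snd_una"], conn["snd_nxt"]):
        return "drop:sequence-outside-send-window"
    # A matching error is treated as a transient (soft) condition; an established
    # connection keeps retransmitting instead of being aborted by one message.
    return "accept:soft-error"


def icmp_redirect_verdict(outer_src: str, msg: bytes, routes: dict, onlink: list) -> str:
    """outer_src: source address of the ICMP packet itself; routes: network -> current
    gateway address (longest prefix wins); onlink: directly connected networks."""
    e = parse_icmp_error(msg)
    if e["type"] != ICMP_REDIRECT:
        return "ignore:not-a-redirect"
    new_gw = ipaddress.IPv4Address(e["rest"])  # a redirect carries the new gateway here
    best = None
    for net_str, gw in routes.items():
        net = ipaddress.ip_network(net_str)
        if e["q_dst"] in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return "drop:no-route-for-quoted-destination"
    if outer_src != best[1]:
        return "drop:not-from-current-gateway"
    if not any(new_gw in ipaddress.ip_network(n) for n in onlink):
        return "drop:new-gateway-not-on-link"
    return "accept"


def make_icmp_error(icmp_type, code, rest, q_src, q_dst, sport, dport, seq) -> bytes:
    """Constructed message for the tests (ICMP checksum zeroed; not validated here).
    rest: the 4-byte field after the checksum, given as bytes or as a dotted address."""
    if isinstance(rest, str):
        rest = ipaddress.IPv4Address(rest).packed
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                            ipaddress.IPv4Address(q_src).packed,
                            ipaddress.IPv4Address(q_dst).packed)
    return (struct.pack("!BBH4s", icmp_type, code, 0, rest) + quoted_ip
            + struct.pack("!HHI", sport, dport, seq))


if __name__ == "__main__":
    conns = {("192.0.2.10", 51000, "203.0.113.1", 443): {"snd_una": 1000, "snd_nxt": 1500}}
    m = make_icmp_error(3, 3, b"\0\0\0\0", "192.0.2.10", "203.0.113.1", 51000, 443, 9000)
    print(icmp_error_verdict(m, conns))  # drop:sequence-outside-send-window
```

The sequence-number check is what makes the difference for the “Destination unreachable” and “Time exceeded” cases: a forger who knows the two hosts and ports but not the current window position cannot produce a message that passes it, which is the countermeasure RFC 5927 recommends for exactly the attacks the paragraph describes. The redirect check likewise enforces the two facts the text notes about legitimate redirects: they come from the gateway already in use, and the attacker-controlled next hop has to be on the local network, so a redirect naming an off-link gateway is never honoured.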
DNS attacks – The Domain Name Service (“DNS”) is a protocol widely used on the Internet to map hostnames to IP addresses and vice versa. An attacker can use the property of mapping IP address to host name to fool name-based authentication. This attack can be prevented by performing a second DNS query on the hostname returned by the first query. The IP address as identifier is no longer unique – Any security scheme which relies upon IP addresses remaining temporally or spatially unique may have vulnerabilities, because of the widespread use of network address translation and dynamic IP address assignment.
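The second-query check from the DNS paragraph above, as an added example that is not code from the original text. Whoever controls the reverse (PTR) zone for an address can make it map to any name, so a name-based check that stops at the reverse lookup is fooled; resolving the returned name forward and requiring the original address to be among the answers (forward-confirmed reverse DNS) closes that hole. The resolver here is a constructed in-memory table standing in for real PTR and A lookups so the example runs offline; for live use the two lookup functions would be replaced by socket.gethostbyaddr and socket.getaddrinfo.

```python
"""Forward-confirmed reverse DNS: resolve the address to a name, then resolve that
name and require the original address to be among the answers.

Added example, not code from the original text. PTR and A data below are constructed
zone contents standing in for real lookups so that the example runs offline.
"""
import ipaddress

# Constructed zone data. The reverse record for 198.51.100.9 claims a trusted name,
# but the trusted zone's forward record does not point back at that address.
PTR = {
    "203.0.113.5": "trusted.example.net",     # genuine: forward record agrees
    "198.51.100.9": "trusted.example.net",    # reverse zone controlled by an untrusted party
    "198.51.100.10": "box.other.example",
}
A = {
    "trusted.example.net": ["203.0.113.5"],
    "box.other.example": ["198.51.100.10"],
}


def reverse_lookup(ip: str):
    """Stand-in for a PTR query."""
    return PTR.get(ip)


def forward_lookup(name: str) -> list:
    """Stand-in for an A query."""
    return A.get(name, [])


def fcrdns_name(ip: str, reverse=reverse_lookup, forward=forward_lookup):
    """Return the hostname only if the forward lookup of the reverse name confirms
    the address; None if there is no reverse record or the records disagree."""
    ipaddress.ip_address(ip)  # reject malformed input before querying anything
    name = reverse(ip)
    if not name:
        return None
    if ip not in forward(name):
        return None
    return name


def naive_name_based_access(ip: str, allowed_suffixes=(".example.net",)) -> bool:
    """The weak check the text warns about: trusts the reverse mapping alone."""
    name = reverse_lookup(ip)
    return bool(name) and name.endswith(allowed_suffixes)


def name_based_access(ip: str, allowed_suffixes=(".example.net",)) -> bool:
    """Name-based authorization that only counts an FCrDNS-confirmed name."""
    name = fcrdns_name(ip)
    return name is not None and name.endswith(allowed_suffixes)


if __name__ == "__main__":
    for addr in PTR:
        print(addr, naive_name_based_access(addr), name_based_access(addr))
```

The difference shows on 198.51.100.9: the naive check admits it because its reverse record says trusted.example.net, while the confirmed check refuses it because trusted.example.net resolves only to 203.0.113.5. Even the confirmed check only proves that the two zones agree, not that the host is who it claims to be, which is why the text goes on to say that IP-address-based identity has weakened further with NAT and dynamic addressing.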
In today’s TCP/IP network, the widespread use of protocols such as PPP/SLIP and DHCP allows a specific host’s address to change over time: per connection in the case of PPP/SLIP, while DHCP allows hosts to “lease” IP addresses for arbitrary lengths of time. Firewalls, proxy socket servers, and other “Network Address Translators” further complicate the use of IP addresses as identifiers, because they may translate addresses as traffic moves between the internal and external networks.
Different hosts may appear to be using identical IP addresses, or different IP addresses may belong to the same host. Thus, IP addresses can no longer be used to uniquely identify a host, even over short time periods. There are many tools available to minimize or prevent the above security problems. On the other hand, a significant amount of effort has been put into enhancing the TCP/IP protocols to eliminate the vulnerabilities. IPsec is one of the add-ons to the TCP/IP protocol suite, and IPv6 has built in some security options and features.