On Network Security 20070322 A


  • 7/31/2019 On Network Security 20070322 A

    1/47

    Huawei Confidential

BOM Product Name: Broadband products
Target Audience: Engineers / cooperation engineers / users
Product Version: All versions
Compiling Department: Access Network Technical Service Dept.
Doc. Version: V1.0

    On Network Security

Drafted by: Wang Zhen    Date: 2002-04-07
Reviewed by: Chen Rui    Date: 2005-03-14
Reviewed by:             Date:
Approved by: Ren Yuan    Date: 2005-03-14

    Huawei Technologies Co., Ltd.

    All Rights Reserved


On Network Security
For internal use only. Huawei Confidential

Revision Record

Date       | Revised Version | Description          | Author
2002-07-12 | V1.0            | First draft finished | Wang Zhen


Contents

Chapter 1 Overview ... 1
1.1 Background ... 1
1.2 Importance of Security ... 1
1.3 Our Enemies ... 2
1.4 Our Enemies' Tricks ... 2

Chapter 2 Hacker Strategies ... 5
2.1 Denial Of Service (DOS) ... 5
2.1.1 Cause Analysis ... 5
2.1.2 Types of DOS ... 6
2.1.3 Distributed Denial Of Service (DDOS) ... 8
2.1.4 Defense Against and Exploration of DOS ... 11
2.2 Sniff ... 13
2.2.1 Principle ... 13
2.2.2 How to Guard Against Sniff? ... 14
2.3 Scanning ... 14
2.3.1 Scanning Attack ... 14
2.3.2 Security Scanning ... 15
2.4 Security Problems of Routing Protocols ... 16
2.4.1 Route Spoofing: Attack to the RIP Protocol ... 16
2.4.2 Route Spoofing: Attack to the BGP Protocol ... 16
2.4.3 Route Spoofing: Attack to the OSPF Protocol ... 16
2.5 Buffer Overflow ... 17
2.5.1 Loopholes of and Attacks to Buffer Overflow ... 17
2.5.2 Protection Against Buffer Overflow ... 19

Chapter 3 Security Problems of Other Protocols ... 20
3.1 Security at the Network Layer ... 20
3.1.1 Source IP Address Spoofing ... 20
3.1.2 The Attack of Over-long Reassembled IP Segmented Packet and the Solution to It ... 22
3.2 Security at the Transport Layer ... 23
3.3 Security at the Application Layer ... 24

Chapter 4 Security Strategies ... 27
4.1 What Is Security? ... 27
4.2 Security Service, Mechanism and Technology ... 27
4.3 Network Security System ... 27

Chapter 5 Security Technologies ... 29
5.1 CallBack ... 29
5.2 AAA: Authentication, Authorization and Accounting ... 29
5.3 Certification Authority (CA) ... 30
5.4 Packet Filtering ... 32
5.5 Address Translation ... 33
5.6 Data Compression ... 33
5.6.1 Description of IPComp ... 33
5.6.2 IPComp Association (IPCA) ... 34
5.7 Encryption and Key Exchange ... 35
5.7.1 IP Security (IPSec) ... 35
5.7.2 Internet Key Exchange (IKE) ... 36
5.8 Application Specific Packet Filter (ASPF) ... 37
5.8.1 ASPF Principle ... 37
5.8.2 ASPF Working Process ... 38
5.8.3 Detection of and Prevention Against DOS ... 38
5.9 Firewall ... 39
5.9.1 What Is Firewall? ... 39
5.9.2 What Firewall Can Do? ... 39
5.9.3 Types of Firewall ... 41
5.9.4 Operating System of Firewall ... 42
5.9.5 The Counter-attack Function of Firewall ... 42
5.9.6 Limitation of Firewall ... 42


    Key words:

Denial Of Service (DOS), Distributed Denial Of Service (DDOS), Sniff, scanning, route spoofing, buffer overflow, address spoofing, network security system, security technology

    Abstract:

This document introduces some basic concepts of network security, common methods of network attack, and some network security technologies. Chapter 1 briefly describes the current network security situation and common network security problems. Chapter 2 analyzes the forms and causes of common network attacks, such as DOS, Sniff and scanning. Chapter 3 covers some security problems existing in current protocols. Chapter 4 briefly deals with the concept of security and the security system. Chapter 5 introduces some security technologies currently in common use.

    Acronyms and Abbreviations:

DOS: Denial Of Service
AAA: Authentication, Authorization and Accounting
ASPF: Application Specific Packet Filter

    References:

    Null


    2007-03-22 Huawei Confidential Page 1 of 47

Chapter 1 Overview

1.1 Background

The Internet brings immense vitality to people all over the world and realizes the borderless global village. But we are still hindered by many undesirable factors: the shortage of IP addresses, serious consumption of bandwidth, the limits of governmental regulation and deficiencies in programming technology. Now the numerous loopholes that have accumulated on the network confront us with even greater threats. The trouble-makers lurking on the network seek out these loopholes to attack network systems, and repairing the damage will inevitably cost us far more effort than our earlier negligence saved. Though most network system products carry a "security" label, given the weak network protocols and defective technologies we rely on, dangers still seem to be everywhere.

1.2 Importance of Security

There is no doubt that the Internet will become the biggest public data network. It enables and boosts personal and business communication across the world. Internet traffic is soaring daily: people communicate more and more through email; mobile office and Small Office & Home Office (SOHO) users log in (telnet) through the Internet; commercial transactions and even tax collection are done on the World Wide Web (WWW).

While the Internet is revolutionizing and improving the way we do business, this huge network, along with its related technologies, is also opening the door to ever-increasing network security threats. Though latent security loopholes can create tremendous risks, for guiding e-business operations the Internet is still very safe. For example, in a hotel it is by far safer to send your credit card information to the e-market administrator over the network than by phone or through the waiter, because the e-business transaction is usually guarded by security technologies, while the hotel waiter and the e-market administrator are not always supervised or trustworthy.

However, in online business operation, people's concern about security can be as damaging as the security hazards that actually exist on the network. Because of their concern and doubt about computers, people tend to distrust the Internet. This distrust costs many companies serious loss of business opportunities, especially those that have just completed their Web infrastructure.

Therefore, we must take action to improve the state of network security. We must not only take effective security measures, but also convince people of their effectiveness. Of course, adequate publicity about how the customer's security and privacy are protected is also necessary.

Besides protecting the customer, a company must also protect its employees and cooperation partners against security hazards, because their communication may also be affected by network attacks. A network attack may paralyze employees' work for hours, and the network may have to be shut down to avoid further damage. Obviously, the employees' efficiency and morale suffer greatly from the wasted time and lost data.


1.3 Our Enemies

- Hacker

This is an ordinary and overly romantic name for the computer enthusiast who loves to obtain access to other people's computers or networks. Many hackers are content with a simple intrusion, leaving their "footprints" on the victim's desktop. Another type of hacker is keen on decryption, which is more dangerous. They attack all kinds of computer systems, steal or sabotage confidential data, modify web pages, and finally leave business operations in chaos. There are also some amateur hackers, who only look for hacker tools on the network for their own use. They neither care about nor understand the principles or the aftermath of these tools.

- The Unperceivable Group

Company employees focus only on their specific work and responsibilities, and often neglect the rules of network security. For example, for easy memorization, they use simple words as passwords. Hackers can easily guess these passwords or recover them with effective password-cracking software.

Employees may also cause security hazards without intending to, for example by infecting computers with a virus. The most common routes of virus infection are floppy disks and files downloaded from the Internet. When employees transfer data by floppy disk, they may also transfer the virus to the network without even knowing that their computers are infected. Employees may likewise bring trouble to the network when they download files from the Internet.

We should also notice human error. Whether they are computer beginners or experts, people may make mistakes when installing anti-virus software. This is also a security hazard.

- The Group with a Grudge

More unnerving than mistakes are the people who sabotage the network out of a grudge or a desire for vengeance. These people, who may have received a customer complaint, retired, or been fired and harbor a grudge, may vengefully infect their network with a virus or maliciously delete vital files. This group is highly threatening, because they usually know which part of the network carries the valuable information and know the security mechanisms in place.

- Peepers

Some employees play the peeper out of curiosity or mischief. They illegally obtain access to confidential data and acquire information they are not entitled to, just to prove to other people that they can do it.

There are also people who access private information out of curiosity, for example financial data, private mail, employees' payroll and the like. This behavior may not bring serious danger, but peeping at other people's financial affairs or health records may harm their reputation and have ugly consequences.

1.4 Our Enemies' Tricks

- Virus

The virus is the best-known security problem, because it usually affects a wide range of fields. Designed to trigger on a specific event, once triggered the virus program can propagate itself and infect other computers. For example, a macro virus attaches to a file that contains a macro structure, and every time the macro is run the macro virus is activated. When activated, some viruses cause annoying interruptions, such as a ridiculous pop-up message. Some viruses are destructive: they delete files or slow down the system.

A network may get infected by loading files from a floppy disk or downloading them from the Internet. When one computer on the network gets infected, chances are that the other computers on the same network will get infected too.

- Trojan Horse

A Trojan Horse is a program secretly installed on the target system, either directly by a hacker or unwittingly by a user. Once the program is installed successfully and administrator privileges are obtained, the attacker can directly and remotely control the target system.

The Trojan Horse is a vehicle for other destructive code. It usually appears as a harmless and even useful program, such as a computer game, which is but a camouflage. The Trojan Horse payload may delete files, replicate itself and mail itself to every address in the mail address list. It can also prepare the ground for other attacks. Malicious programs of this kind include NetBus, BackOrifice and BO2k; benign remote-control programs include netcat, VNC and pcAnywhere.

- Vandals

With the development of application technologies such as ActiveX and Java Applets, websites are becoming more vivid. These technologies create special effects that make websites more interactive and attractive. However, they also make it easier to download and run such programs, thus providing new entrances for sabotage. A vandal is an application program or Applet (a Java application program) that causes damage of varying degrees. A vandal can damage a file partition or the system.

- Network Attack

Since the TCP/IP protocol suite that constitutes the Internet is weak in security, network security has become a real issue that we must face. Many types of attack exist on the network. They include:

Packet interception: The attacker uses a data-capturing device to intercept data from the data flow in transmission, and analyzes it to obtain usernames/passwords or other sensitive information. Delay exists when data is transmitted over the Internet; combined with the geographic span, it is practically impossible to prevent data interception.

IP address spoofing: The attacker changes his own IP address to disguise himself as an intranet user or a trusted extranet user, and sends specific packets to disturb the normal transmission of network data. He can also fake acceptable routing packets (such as specific ICMP packets) to change the routing information and then intercept the traffic.

Source route attack: The sender of a packet specifies the route for the packet in the Option field of the IP header, so the packet may be delivered to protected networks.

Port scanning: The attacker finds system loopholes by probing the ports that the firewall is monitoring. Or, knowing that a certain version of router software has a loophole, he queries the specific port to judge whether the loophole exists, and then attacks the router through it so that the router comes under his control or fails to run normally.

Denial Of Service (DOS): The attacker intends to stop legitimate users from accessing resources. For example, he sends large quantities of packets to exhaust the bandwidth of the network. The macro virus Melissa is designed for DOS. Many big websites have suffered serious losses from Distributed Denial Of Service (DDOS) attacks.

- Data Interception

Data transmitted over the network may be intercepted by unauthorized people. These criminals can intercept and even modify the content of the data. They can intercept data in many ways, for example by IP address theft.

- Social Engineering

Social engineering is an increasingly used non-technical method of obtaining confidential information about network security. For example, a social engineer can pretend to be a technical support representative and call an employee to get a password. Others achieve the same end by bribery.

- Spam

Spam is email sent automatically, or advertisements emailed automatically. Though harmless, spam is a real nuisance: it consumes much of our time and storage space.


    Chapter 2 Hacker Strategies

2.1 Denial Of Service (DOS)

DOS is a system loophole that prevails globally. Hackers revel in this strategy, while numerous network users fall victim to it. Tribe Flood Network, TFN2K, Smurf, Targa and still more programs are yet to come. Like plagues, these programs are flooding over the network, putting the global village at a disadvantage. We have to develop a simple and easy security solution to fight against an attack that may come from anywhere at any time.

There are many forms of DOS attack. The basic DOS uses excessive legitimate requests to occupy service resources. The service resources get overloaded and are unable to respond to other requests. Service resources include network bandwidth, file system space, open processes and service ports.

This form of DOS causes resource shortage. No matter how fast the computer's processing speed, how large its memory or how high its Internet rate, it cannot withstand this attack. There is a limit to everything, and the attacker can always find a request volume that exceeds the limit and exhausts the service resources. Do not take it for granted that adequate bandwidth always guarantees a highly efficient website. DOS can degrade service resources of all types.

There are two typical forms of DOS: exhausted resources and overloaded resources. When a service receives legitimate requests that by far exceed its capacity (for example, when a busy Web server receives excessive requests), it denies service to legitimate users.

DOS can also result from software defects or wrong program configuration. Malicious DOS differs from an unintentionally overloaded service in that the sender of the former deliberately sends excessive requests to the resource, leaving other users unable to access it.

2.1.1 Cause Analysis

- Software Defects

DOS is usually caused by software defects or wrong configuration. Software defects include security-relevant defects in the operating system or application program. The defects often originate from wrong programming, careless auditing of source code, unintended side effects, or improper binding.

According to the level of unrestricted or unauthorized system access that the defect allows, defects can be divided into different degrees. Some DOS attacks result from inherent defects in protocol design; some DOS attacks can be avoided by simple patches; some DOS attacks caused by system defects cannot be eliminated.

- Wrong Configuration

Wrong configuration can also become a threat to system security. Wrong configuration usually occurs in the hardware, the system or the application program.

By correctly configuring the routers, firewalls, switches and other connection devices on the network, we can reduce the possibility of these errors. In other words, wrong configuration gives birth to DOS. Wrong configuration is usually introduced by inexperienced or irresponsible employees, or by wrong theories.

- Resource Bottleneck

Finally, some unintentional DOS attacks are caused by a bottleneck of overloaded bandwidth or resources. There is no fixed solution to this type of problem.

2.1.2 Types of DOS

Generally, the primary problem for the attacker is network bandwidth. The attacker cannot send too many requests over small-scale, low-rate networks. However, a DOS such as "the ping of death" can destroy an unpatched UNIX system with only a small number of packets.

Of course, most DOS attacks still require high bandwidth. But high bandwidth is owned by big companies and is usually denied to the hacker who works as a one-man army. To break this restriction, the malicious attacker developed DDOS. Thus the attacker can use tools to pool a lot of network bandwidth and send a large number of requests to the same target.

    I. Common Network-based DOS Attacks

- Big Ping Packets

The attacker pings with a large number of packets to occupy all the bandwidth, so the data of normal services cannot reach or be processed by the host. If the pinged packets are too big they are fragmented, which increases the processing load on the device during the attack. The firewalls of some devices cannot filter the fragmented packets of the attack, so the fragments still penetrate the firewall and reach the host, and the host then denies service to legitimate users.

- Smurf (Directed Broadcast)

Broadcast information can be sent to the devices on an entire network by a certain means (by the broadcast address or other mechanisms). When a device sends an "ICMP echo" request (such as PING) to the broadcast address, some systems will respond with an "ICMP echo" response. That is, sending one packet can produce multiple responses. Smurf is based on this principle. In addition, it needs a fake source address.

In other words, the attacker sends packets with the address of the attacked host as the source address and the broadcast address of the network as the destination address. Thus many systems respond to the attacked host with large quantities of traffic (because the attacker has faked the victim host's address).

The method of generating many responses by sending one packet onto a network is also called an "amplifier". The Smurf amplifiers are listed on www.netscan.org. Some careless and irresponsible websites are still hit by "amplifier" attacks because of this kind of loophole.

- Fraggle

Fraggle is similar to Smurf, with a simple modification. Using a UDP-based service that the host provides, the attacker uses UDP responses instead of ICMP responses to generate a large number of response packets, thus attacking the victim network or host.

- SYN Flood

To communicate over the network, a host must first establish the TCP handshake, which requires the exchange of three packets. Once a server receives the SYN packet of the client, it must respond with a SYN-ACK packet and wait for the client to respond with an ACK packet for acknowledgement. Then the connection is finally established.

However, if the client sends only the SYN packet for initialization and does not send the ACK packet acknowledging the server, it keeps the server waiting for the ACK packet. Some TCP/IP protocol stacks have only a limited memory buffer for establishing TCP connections, so the server can wait for only a limited number of ACK packets. If the buffer is full of initialization messages of false connections, the TCP/IP protocol stack stops responding to subsequent connections until the connection attempts in the buffer time out. Even if the number of TCP connections being established is unlimited, SYN Flood still consumes a lot of the victim system's resources.
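As an added illustration (not code from the original document) of the limited connection buffer described above, the following Python model tracks half-open entries with a fixed backlog and timeout and replays a constructed trace of spoofed SYNs followed by a legitimate client; the backlog size, timeout and addresses are assumed values.

```python
"""Half-open connection tracker modelling the limited SYN backlog
described in the SYN Flood section.

Added example, not code from the original Huawei document. The backlog
size, timeout and packet trace are constructed values for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    t: float      # arrival time in seconds (constructed)
    src: str      # client IP address as seen by the server
    sport: int    # client source port
    flags: str    # "SYN" (handshake start) or "ACK" (handshake completion)


@dataclass
class HalfOpenTracker:
    backlog: int            # slots the stack reserves for unacknowledged SYNs
    timeout: float          # seconds before a half-open entry is discarded
    pending: dict = field(default_factory=dict)   # (src, sport) -> SYN time
    refused: int = 0        # SYNs dropped because every slot was occupied
    established: int = 0    # handshakes completed with a client ACK
    peak: int = 0           # highest number of simultaneous half-open entries

    def expire(self, now: float) -> None:
        """Drop entries whose client never sent the final ACK in time."""
        for key, t0 in list(self.pending.items()):
            if now - t0 >= self.timeout:
                del self.pending[key]

    def process(self, pkt: Packet) -> str:
        self.expire(pkt.t)
        key = (pkt.src, pkt.sport)
        if pkt.flags == "SYN":
            if key in self.pending:
                return "duplicate"
            if len(self.pending) >= self.backlog:
                self.refused += 1          # the stack stops responding
                return "refused"
            self.pending[key] = pkt.t      # server sent SYN-ACK, waits for ACK
            self.peak = max(self.peak, len(self.pending))
            return "half-open"
        if pkt.flags == "ACK" and key in self.pending:
            del self.pending[key]
            self.established += 1
            return "established"
        return "ignored"


def simulate(backlog: int = 5, timeout: float = 3.0) -> dict:
    """Replay a constructed trace: eight SYNs from spoofed sources that
    never complete, then a legitimate client that is refused while the
    buffer is full and succeeds only after the entries have timed out."""
    trace = [Packet(0.1 * i, f"10.0.0.{i + 1}", 40000 + i, "SYN") for i in range(8)]
    trace += [
        Packet(1.0, "192.0.2.10", 51000, "SYN"),   # arrives while backlog is full
        Packet(3.5, "192.0.2.10", 51000, "SYN"),   # retry after the timeout
        Packet(3.6, "192.0.2.10", 51000, "ACK"),
    ]
    tracker = HalfOpenTracker(backlog=backlog, timeout=timeout)
    outcomes = [tracker.process(p) for p in trace]
    return {
        "outcomes": outcomes,
        "refused": tracker.refused,
        "established": tracker.established,
        "peak_half_open": tracker.peak,
        "still_pending": len(tracker.pending),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

With the default backlog of five, the five spoofed SYNs fill the buffer, the next three spoofed SYNs and the legitimate client's first SYN are refused, and the legitimate connection is only established after the timeout has cleared the stale entries.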

- Slashdot Effect

The Slashdot Effect causes a Web server, or servers of other types, to become overloaded because of heavy network traffic. In these circumstances, the traffic is generated for a certain web page or link.

This also occurs as a normal phenomenon on heavily visited websites. We must distinguish the normal phenomenon from DOS. If your server becomes congested suddenly and even fails to respond to further requests, you should examine the resource shortage closely. Check whether the 10000 clicks are all made by legitimate users, or 5000 of them by legitimate users and 5000 by an attacker.

- UDP Flood

Various disguised attacks use the simple TCP/IP services, such as Chargen and Echo, to transmit useless data that occupies the bandwidth completely. The attacker fakes a UDP connection to the Chargen service of a certain host and directs the response address to a host providing the Echo service, thus generating an abundant flow of useless data between the two hosts. A data flow of sufficient volume causes DOS of the bandwidth.

- Land Attack

The attacker sets the IP address of the victim as both the source address and the destination address of a TCP SYN message. Thus the victim sends the SYN-ACK message to its own address, which responds with an ACK message and creates a null connection. Each null connection created in this way stays until it times out.

Different victims react to the Land attack differently. Many UNIX hosts will crash, and NT hosts become extremely slow (for about five minutes).

- Teardrop

Teardrop attacks the victim using the information in the IP fragment header, which the TCP/IP stack implementation trusts. The IP fragment carries information indicating which part of the original packet the current fragment holds. When receiving fake fragments containing overlapping offsets, some servers running TCP/IP (including Windows NT with a service pack earlier than Service Pack 4) will crash.

Defense: Apply the latest service pack on the server, or configure the firewall to reassemble the fragments instead of forwarding them.

- Email Bomb

The email bomb is one of the primitive anonymous attacks. The attacker configures a device to keep sending many emails to the same address, exhausting the bandwidth of the receiver's network.

- Ping of Death

In the early period, routers restricted the maximum length of a packet. In their TCP/IP protocol stacks, many operating systems specify the maximum length of an ICMP packet as 64 KB. The system reads the packet header and then allocates the buffer for the payload according to the information contained in the header. When the receiver receives a malformed packet, namely a packet that claims that its length exceeds the upper limit of an ICMP packet (the claimed length is over 64 KB), a memory allocation error occurs. It causes the TCP/IP protocol stack to collapse and the receiver to go down.

    II. Defense

Now all standard TCP/IP protocol stacks are capable of handling jumbo packets, and most firewalls can automatically filter these packets.
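The following Python filter, added here and not part of the original document, applies the per-packet checks a firewall would use to catch the Smurf, Land, Teardrop and Ping of Death packets described in this section before forwarding them; the packet records, the LOCAL_BROADCAST set and the field names are constructed assumptions.

```python
"""Per-packet checks for the malformed-packet DOS types in this section:
Smurf (echo request to a directed broadcast), Land (source equals
destination), Teardrop (overlapping fragment offsets) and Ping of Death
(reassembled length beyond what the IP total-length field can describe).

Added example, not code from the original Huawei document. Packets are
constructed dicts; LOCAL_BROADCAST is an assumed set of directed-broadcast
addresses for the subnets this filter protects.
"""
from collections import defaultdict

IP_MAX_LEN = 65535                                   # limit of the 16-bit total-length field
LOCAL_BROADCAST = {"192.0.2.255", "198.51.100.255"}  # assumed protected subnets
ICMP_ECHO_REQUEST = 8


class FragmentTracker:
    """Keeps the byte ranges seen for each (src, dst, id) datagram so that
    overlap and oversize reassembly are detected before forwarding.
    A real implementation would also age entries out with a timer."""

    def __init__(self):
        self.ranges = defaultdict(list)

    def check(self, pkt):
        start = pkt["frag_offset"] * 8             # offset field counts 8-byte units
        end = start + pkt["payload_len"]
        if end > IP_MAX_LEN:
            return "ping-of-death"                 # claims more than any buffer can hold
        key = (pkt["src"], pkt["dst"], pkt["id"])
        for s, e in self.ranges[key]:
            if start < e and s < end:
                return "teardrop"                  # overlaps an earlier fragment
        self.ranges[key].append((start, end))
        return None


def classify(pkt, tracker):
    """Return the attack name the packet matches, or 'pass'."""
    proto = pkt["proto"]
    flags = pkt.get("flags", ())
    if proto == "TCP" and "SYN" in flags and pkt["src"] == pkt["dst"]:
        return "land"
    if (proto == "ICMP" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST
            and pkt["dst"] in LOCAL_BROADCAST):
        return "smurf"                             # would be amplified by every host
    if pkt.get("frag_offset", 0) or pkt.get("more_fragments", False):
        verdict = tracker.check(pkt)
        if verdict:
            return verdict
    return "pass"


def filter_trace(packets):
    """Classify a packet sequence with one shared fragment tracker."""
    tracker = FragmentTracker()
    return [classify(p, tracker) for p in packets]


# Constructed trace: benign traffic interleaved with one instance of each attack.
SAMPLE_TRACE = [
    {"proto": "TCP", "src": "203.0.113.5", "dst": "192.0.2.10", "flags": ("SYN",)},
    {"proto": "TCP", "src": "192.0.2.10", "dst": "192.0.2.10", "flags": ("SYN",)},
    {"proto": "ICMP", "src": "192.0.2.10", "dst": "192.0.2.255", "icmp_type": 8},
    {"proto": "ICMP", "src": "203.0.113.5", "dst": "192.0.2.10", "icmp_type": 8},
    # Benign two-fragment datagram: 1480 bytes, then 520 bytes at offset 185*8.
    {"proto": "UDP", "src": "203.0.113.7", "dst": "192.0.2.20", "id": 1,
     "frag_offset": 0, "more_fragments": True, "payload_len": 1480},
    {"proto": "UDP", "src": "203.0.113.7", "dst": "192.0.2.20", "id": 1,
     "frag_offset": 185, "more_fragments": False, "payload_len": 520},
    # Teardrop: second fragment starts at byte 24, inside the first (bytes 0-36).
    {"proto": "UDP", "src": "203.0.113.9", "dst": "192.0.2.20", "id": 2,
     "frag_offset": 0, "more_fragments": True, "payload_len": 36},
    {"proto": "UDP", "src": "203.0.113.9", "dst": "192.0.2.20", "id": 2,
     "frag_offset": 3, "more_fragments": False, "payload_len": 24},
    # Ping of Death: final fragment at offset 8190*8 = 65520 plus 100 bytes.
    {"proto": "ICMP", "src": "203.0.113.11", "dst": "192.0.2.20", "id": 3,
     "icmp_type": 8, "frag_offset": 8190, "more_fragments": False, "payload_len": 100},
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, filter_trace(SAMPLE_TRACE)):
        print(f"{verdict:14} {pkt['proto']:4} {pkt['src']} -> {pkt['dst']}")
```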

    III. Development of DOS

As we fortify our defenses, the attackers also develop their DOS strategies. Tribe Flood Network (TFN) and TFN2K introduce a new concept: DDOS. These programs enable devices distributed over the network to work together to attack a host, making the victim host appear as if it were attacked by many hosts in various places. The distributed devices are manipulated by several control devices to perform attacks of various types, such as UDP Flood, SYN Flood, and so on.

2.1.3 Distributed Denial Of Service (DDOS)

DDOS is short for Distributed Denial Of Service. It is a distributed, cooperative, large-scale and special attack that is based on DOS. It mainly targets relatively big websites, such as the websites of large companies, search engines and governmental departments. Different from DOS, which needs only a single device, DDOS uses a number of controlled devices to attack one device. DDOS is more violent, harder to defend against and more destructive. Figure 2-1 shows the principle of DDOS.

    Figure 2-1 Principle of DDOS


    The figure shows that DDOS involves performers at three levels: the attacker, the controlling terminal, and the agent. The devices at the three levels play different roles in the attack.

    I. Roles of the Devices

    • Attacker

    The computer used by the attacker works as the controlling console. It can be any host on the network, or even a mobile laptop. The attacker host manipulates the whole process of the attack and sends attack commands to the controlling terminals.

    • Controlling terminal

    Controlling terminals are hosts that the attacker has invaded and controls. Each of them controls a number of hosts that serve as agents. A special program installed on the controlling terminal receives the commands sent by the attacker and forwards them to the agents.

    • Agent

    The agents are also hosts that the attacker has invaded and controls. They run the attack program that receives and executes the commands sent by the controlling terminal. The agent is the executor of the attack, the host that actually launches the attack against the victim.

    DDOS consists of three steps.

    • Step 1

    The attacker looks for hosts on the Internet that have security loopholes, breaks into them and installs a backdoor program. The more hosts the attacker invades, the bigger his attack army.

    • Step 2

    The attacker installs the attack program on the invaded hosts. Some of them serve as controlling terminals in the attack and some serve as agents.

    • Step 3

    The hosts at the different levels each perform their own task. Under the direction of the attacker they launch the attack against the target host. Since the attacker directs the attack from behind the scenes, the monitoring system does not see him during the attack, so it is hard to reveal the attacker's identity.

    II. Common DDOS Weapons

    It is relatively difficult to implement DDOS, because it requires the attacker to be capable of breaking into other people's computers. Unfortunately, point-and-click hacker programs have appeared. These intrusion and attack programs can be installed within seconds, making DDOS an easy matter. The following are some common hacker programs.

    1) Trinoo

    Trinoo works by sending four-byte UDP packets containing all zeros to random ports on the attacked host. When the attacked host has to process more of these trash packets than it can handle, its network performance drops steadily until it can no longer provide normal service and crashes. Trinoo does not need to fake the IP address and uses the following communication ports:

    • From the attacker host to the controlling terminal: 27665/TCP
    • From the controlling terminal to the agent: 27444/UDP
    • From the agent to the main server (master): 31335/UDP


    2) TFN

    TFN consists of a controlling-terminal program and an agent program. It can fake packets and usually uses the following attack methods:

    • SYN Flood
    • Ping Flood
    • UDP Bomb

    3) TFN2K

    TFN2K evolved from TFN and adds new features to it. In TFN2K the network communication between the controlling terminal and the agent is encrypted, and it may be mixed with many decoy packets; in TFN the ICMP communication is not encrypted. TFN2K has new attack methods, Mix and Targa3, and the process port on the agent can be configured.

    4) Stacheldraht

    Stacheldraht also evolved from TFN and inherits its features. The communication between the controlling terminal and the agent is also encrypted in Stacheldraht. In addition, it fakes the command source and can evade the RFC 2267 filtering of some routers. Stacheldraht has a built-in agent upgrade module that automatically downloads and installs the latest agent program.

    III. Monitoring and Detecting DDOS

    There are more and more DDOS attacks on the network. We must detect an attack as early as possible to avoid heavy losses.

    DDOS can be detected in the following ways:

    1) By Analyzing Abnormal Conditions

    You must be alert and check the communication on the following occasions:

    • When traffic on the network soars suddenly and exceeds its normal limit
    • When a certain service of the website keeps failing
    • When you find oversized ICMP and UDP packets passing the host, or packets with suspicious content

    In general, when your device behaves abnormally, you had better take these factors into account and stop the attack before it develops.

    2) By Using DDOS Detecting Tools

    Before the attacker can stage his programs, he has to scan the system for loopholes. Some tools for detecting network intrusion are available on the market. These tools guard the system against the attacker's scanning, and some scanning tools can also detect and delete the agent program the attacker has installed on the system.

    IV. Defense Strategies Against DDOS

    Since DDOS is rather covert, no effective solution for fighting it back has been found so far. Therefore we must raise our awareness of security and precaution, and improve the security condition of the network system. We can take the following security and precaution measures:

    1) Make sure to discover the system's loopholes and install patches as soon as possible. Establish and optimize the backup mechanism for important information (such as the configuration information of the system). Take care when setting the passwords of privileged accounts (such as the administrator account). These measures reduce the attacker's opportunities to take advantage of the system.

    2) In network management, check the physical environment of the system regularly and disable unnecessary network services. Impose restrictions at the network border to ensure that outgoing packets are correctly restricted. Check the system configuration information regularly, and make sure to check the security log daily.

    3) Fortify the network with network security tools (such as the firewall), and configure the security rules correctly to filter all possible fake packets.

    4) Another good defense measure is to coordinate with the Internet Service Provider (ISP), and request the ISP to provide access control on the router and a limit on the total bandwidth.

    5) When you find your system under a DDOS attack, you must start your counter-attack strategies. Track the attacking packets as soon as possible, contact the ISP and the relevant emergency organizations promptly, analyze the affected system, identify the other nodes involved and stop the traffic from the nodes known to be under attack.

    6) When you are a potential DDOS victim and find that your computer is controlled by the attacker as a controlling terminal or agent, do not treat the matter lightly just because your system is temporarily undamaged. The attacker has already found a loophole in your system, which poses a serious threat to it. Therefore, once you find DDOS software on the system, delete it as soon as possible to avoid further danger.

    2.1.4 Defense Against and Exploration of DOS

    Hackers keep discovering defects in operating systems and network devices, and use these defects to perform vicious attacks. In general, we can protect the network against attacks with the following two methods:

    • Mend the loopholes that we have found in the system
    • Identify, track or prohibit malicious devices or networks from accessing our system

    In the second method, the primary problem we face is how to identify the malicious attacking devices, especially those that cause DOS. These devices hide their own addresses and use faked addresses belonging to the victim. The attacker fakes thousands of malicious packets to attack the victim host. The principle of TFN2K is as simple as shown in Figure 2-1, and the program explained in that figure provides a user interface that is easy to operate.

    I. By Using Packet Filter and Other Routing Configuration

    Packet filtering is applied on the ports that connect to the extranet. This measure guards against fake addresses, so a device on the extranet cannot attack a device on the intranet by faking the latter's address. It has been controversial whether to apply the packet filter on the ports connecting to the extranet or on those connecting to the intranet. RFC 2267 recommends applying the packet filter on the ports connecting to the intranet on the global Internet, but doing so brings a lot of trouble. Using an Access Control List (ACL) on medium-level routers does not cause much trouble, but it poses an obvious threat to backbone routers that are already fully loaded.

    Also, when the ISP applies the packet filter on the ports connecting to the extranet, the overload traffic is transferred to other devices that are not so busy. The ISP also does not care whether its customers use this technology on their edge routers. Of course, this filtering technology is not perfectly safe; it depends on the filter mechanism used by the network administrator.


    II. By Tracking Anonymous Attacks Through DNS

    From the viewpoint of a responsible network management system (NMS), our goal is not simply to stop DOS, but to trace the original cause and schemer of the attack. When someone uses an attacking tool (such as TFN2K) with fake source addresses on the network, although we cannot use ready-made tools to identify its legitimacy, we can still analyze the attacking tool through the domain name system (DNS).

    If the attacker targets www.ttttt.com, he must first send a DNS request to resolve the domain name. The attacking tool performs this step by calling the gethostbyname() function or the corresponding application program interface. That is, the DNS request generated before the attack gives us a related list, which we can use to locate the attacker.

    It is practical to read the suspicious DNS request list with ready-made tools or by manually reading the DNS request log. However, this measure has three disadvantages:

    • The attacker usually queries and resolves the address with the local DNS server as the starting point. Therefore, sometimes the sender of the DNS request that we find is not the attacker but the local DNS server that the attacker sent the request to. Despite this, if the attacker is hiding within an organization with a local DNS server, we can still take this organization as the starting point of the query.

    • The attacker may already know the IP address of his target, or may have obtained it by other means (such as ping). He may also start the attack a long time after obtaining the IP address. In such cases, we cannot locate the attacker (or his local server) from the time period of the DNS request.

    • DNS has a default time to live (TTL) for each domain name, so the attacker can resolve the domain name from the information in the DNS cache. To obtain a more detailed resolution record, you can shorten the default DNS TTL, but doing so increases the DNS query frequency and occupies more network bandwidth.

    III. By Using "ngrep" to Tackle TFN2K

    Based on the principle of tracking the TFN2K resident program through DNS, a practical tool called ngrep has been developed. The modified ngrep can monitor about five types of TFN2K attack:

    • Targa3
    • SYN Flood
    • UDP Flood
    • ICMP Flood
    • Smurf

    Ngrep also has a recyclable buffer for recording DNS requests and ICMP requests. When ngrep detects an attack, it prints the content of its buffer and continues recording the ICMP responses. A careless attacker locates a target by pinging the target host, and we can capture such attackers by recording the ICMP responses during or after the attack.

    Also note that ngrep uses the method of network monitoring (the network is based on broadcast), so it cannot be used on a network based on Ethernet switches (where transmission is point-to-point). The modified ngrep need not be located in the same network segment as the DNS server, but it must be placed where it can monitor all DNS requests. Theoretically, ngrep can detect TFN2K attacks targeting the extranet well.


    2.2 Sniff

    Sniff is an old-school topic. It is no news that sensitive information can be obtained on the network by sniffing, and there are many successful cases. Well, what is Sniff then?

    Sniff is a sniffing device, or a bugging device. It works furtively at the bottom network layer and records all the victim's secrets, catching the victim off guard.

    Sniff can be software or hardware. The Sniff software exists for several platforms, such as Windows and UNIX. The Sniff hardware is also called the network analyzer. They all aim at one thing: obtaining the various information transmitted on the network.

    2.2.1 Principle

    On the Ethernet, all communication is broadcast. That is, usually, all network interfaces in the same network segment can access all data that is transmitted on the physical media. Each network interface has a unique hardware address, the MAC address of the network interface card (NIC). Most systems use a 48-bit address to represent a device on the network. Generally, the MAC addresses of different NICs differ: after an address segment is allocated to an NIC vendor, each address in this segment is allocated to one NIC the vendor manufactures.

    The Address Resolution Protocol (ARP) and the Reverse Address Resolution Protocol (RARP) are used for conversion between the MAC address and the IP address. Under normal conditions, a network interface should respond to only the following two types of frames:

    1) The frame that matches the NIC's MAC address
    2) The broadcast frame that is sent to all devices

    In an actual system, the NIC receives and transmits the data. After the NIC receives data, the single-chip program inside the NIC reads the destination MAC address of the frame. Then, according to the receiving mode configured in the computer's NIC driver program, the single-chip program decides whether the NIC will accept the frame. If yes, the NIC accepts the frame and generates an interrupt signal to inform the CPU; if not, the NIC discards the frame.

    Therefore the NIC drops the data that it will not accept, and the computer does not know about it at all. After receiving the interrupt signal, the CPU interrupts the current processing flow. According to the interrupt handler address of the NIC configured in the NIC driver program, the operating system calls the driver program to receive the data. The driver program receives the data and puts it in the signal stack for processing by the system. The NIC receives signals in four modes:

    • Broadcast mode

    NIC can receive the broadcast information on the network.

    • Multicast mode

    NIC set in this mode can receive multicast data.

    • Direct mode

    Only the destination NIC can receive the data.

    • Promiscuous mode

    The NIC can receive all data that is transmitted through it, regardless of whether the data is intended for it or not.


    In short, data is transmitted on the Ethernet in broadcast mode. That is, all physical signals have to pass a given device. When an NIC is set to promiscuous mode, it receives all data that passes through it, so the attacker can intercept, analyze and monitor the packets. This is the principle of Sniff: set the NIC to receive all data that it can receive.

    2.2.2 How to Guard Against Sniff?

    The most effective way to guard against Sniff is to segment the network properly and to use switches and bridges on the network. Ideally, each device has its own network segment, but this greatly increases the cost of network construction. Therefore, try to place devices that can trust each other in the same network segment, thus avoiding sniffing among them.

    We also need to shield the hardware between the network segments. Also, with encryption technology, such as Secure Shell (SSH), we can encrypt the sensitive data transmitted on the network. The sensitive data includes the user ID, password, bank account, confidential commercial information and so on.

    2.3 Scanning

    Scanning is performing security detection on the computer system or other network devices to discover the security loopholes and defects that a hacker may take advantage of. Obviously, scanning software is a double-edged sword: the hacker uses it to invade the system, and the system administrator can use it to effectively protect the system from invasion.

    2.3.1 Scanning Attack

    I. Address Scanning

    Address scanning software uses programs such as ping to probe the target address. If the address responds, the address and the network segment of the specified address exist. Sometimes the hacker uses TCP/UDP packets to establish a connection to a certain address to judge whether there is a response.

    II. Port Scanning

    The hacker usually uses software to establish connections to a series of TCP/UDP ports on a large number of hosts. According to the responses, the hacker judges whether the hosts provide services on these ports.

    III. Response Mapping

    The hacker sends false information to the host, and then decides which hosts exist according to the "host unreachable" responses. Currently, normal scanning is easily detected by the firewall, so the hacker uses common messages that do not trigger firewall rules. These messages include RESET, SYN-ACK, and DNS responses.


    IV. Slow Scanning

    The scan detecting device decides whether the attacked host is being scanned by monitoring the number of connections (for example, 10 per second) that a host starts within a short period of time. So the hacker can use scanning software with a slower scanning speed to scan the system.
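The detection logic described above, as an added example that is not code from the original document: the short-window rate rule (10 connections per second) catches a fast port scan, and a second long-window rule that counts distinct destination ports catches the slow scan that stays under the rate. The thresholds, the event format and the three sample sources are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original document: a scan detector over a
 * constructed connection log. For each source it applies the short-window
 * rate rule the text describes (10 connections per second) and, because a
 * slow scanner stays under that rate, a second long-window rule that counts
 * distinct destination ports instead. Thresholds are assumed values. */

struct conn_event {
    long        t;      /* seconds since start of capture */
    const char *src;    /* source address, as text */
    uint16_t    dport;  /* destination port */
};

#define FAST_WINDOW_S    1     /* seconds */
#define FAST_LIMIT       10    /* connections per FAST_WINDOW_S from one source */
#define SLOW_WINDOW_S    600   /* seconds */
#define SLOW_PORT_LIMIT  20    /* distinct ports per SLOW_WINDOW_S from one source */

/* True when the event is from `src` and its time lies in (now - window, now]. */
static int in_window(const struct conn_event *e, const char *src, long now, long window)
{
    return e->t > now - window && e->t <= now && strcmp(e->src, src) == 0;
}

/* Number of connections from `src` in the window. */
static int count_recent(const struct conn_event *ev, size_t n, const char *src,
                        long now, long window)
{
    int c = 0;
    for (size_t i = 0; i < n; i++)
        if (in_window(&ev[i], src, now, window))
            c++;
    return c;
}

/* Number of distinct destination ports from `src` in the window. A 64 Kbit
 * bitmap (one bit per port) keeps this O(n) without allocation. */
static int count_distinct_ports(const struct conn_event *ev, size_t n, const char *src,
                                long now, long window)
{
    uint8_t seen[65536 / 8];
    memset(seen, 0, sizeof seen);
    int c = 0;
    for (size_t i = 0; i < n; i++) {
        if (!in_window(&ev[i], src, now, window))
            continue;
        uint16_t p = ev[i].dport;
        if (!(seen[p / 8] & (1u << (p % 8)))) {
            seen[p / 8] |= (uint8_t)(1u << (p % 8));
            c++;
        }
    }
    return c;
}

/* 0 = quiet, 1 = fast scan (rate rule), 2 = slow scan (distinct-port rule). */
int classify_source(const struct conn_event *ev, size_t n, const char *src, long now)
{
    if (count_recent(ev, n, src, now, FAST_WINDOW_S) >= FAST_LIMIT)
        return 1;
    if (count_distinct_ports(ev, n, src, now, SLOW_WINDOW_S) >= SLOW_PORT_LIMIT)
        return 2;
    return 0;
}

/* Constructed sample: `count` connections from `src`, one every `step` seconds
 * from t0, each to the next port starting at `first_port`. */
static size_t fill_events(struct conn_event *out, size_t count, const char *src,
                          long t0, long step, uint16_t first_port)
{
    for (size_t i = 0; i < count; i++) {
        out[i].t = t0 + (long)i * step;
        out[i].src = src;
        out[i].dport = (uint16_t)(first_port + i);
    }
    return count;
}

/* 12 connections inside one second: tripped by the rate rule. */
int demo_fast_scanner(void)
{
    struct conn_event ev[12];
    size_t n = fill_events(ev, 12, "198.51.100.7", 5, 0, 1);
    return classify_source(ev, n, "198.51.100.7", 5);
}

/* 25 ports probed one every 20 seconds: invisible to the rate rule, caught by
 * the distinct-port rule once the long window holds enough of them. */
int demo_slow_scanner(void)
{
    struct conn_event ev[25];
    size_t n = fill_events(ev, 25, "203.0.113.9", 0, 20, 1);
    return classify_source(ev, n, "203.0.113.9", 480);
}

/* A normal client: five connections spread over an hour, nothing to report. */
int demo_normal_client(void)
{
    struct conn_event ev[5];
    size_t n = fill_events(ev, 5, "192.0.2.44", 0, 900, 80);
    return classify_source(ev, n, "192.0.2.44", 3600);
}

int main(void)
{
    printf("fast scanner: %d\nslow scanner: %d\nnormal client: %d\n",
           demo_fast_scanner(), demo_slow_scanner(), demo_normal_client());
    return 0;
}
```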

    2.3.2 Security Scanning

    I. Two Scanning Strategies

    There are two security scanning strategies: the passive strategy and the active strategy.

    The passive strategy is host-based. It checks improper settings, weak passwords and other objects that violate the security rules of the system. The active strategy is network-based. It executes script files that simulate attacks on the system and records how the system reacts, thus finding the loopholes in the system.

    Scanning that uses the passive strategy is called system security scanning, and scanning that uses the active strategy is called network security scanning.

    II. Four Types of Detection Technique of Security Scanning

    • Application-based detection

    It uses a passive, non-destructive method to check the settings of the application software package, and thus find the security loopholes.

    • Host-based detection

    It uses a passive, non-destructive method to check the system. Usually it covers problems in the system kernel, file attributes, operating system patches, and so on. This technique also includes cracking passwords and eliminating weak passwords.

    Therefore, this technique locates system problems and detects system loopholes accurately. Its disadvantage is that it depends on the platform, and upgrading this kind of detection software is complicated.

    • Target-based detection

    It uses a passive, non-destructive method to check the system attributes and file attributes, such as the database, the registry, and so on. It uses a Message Digest Algorithm (MDA) to check the digests of files.

    The mechanism of this technique is based on a closed loop. It continuously processes the files, the system targets and their attributes, generates a detection result, and compares it with the previous detection result. Once it detects a change, it informs the administrator.

    • Network-based detection

    It uses an active, non-destructive method to check whether the system may be attacked and collapse. It uses a series of scripts to simulate attacks on the system and then analyzes the results. It can also check the system against network loopholes that are already known.


    Network detection techniques are usually used for penetration tests and security audits. Software using these techniques can detect a series of platform loopholes and is easy to install, but it may also affect network performance.

    2.4 Security Problems of Routing Protocols

    The attacker spoofs the routing protocols to make devices accept, store and transmit false routing information. The attacker can also illegally obtain the network topology by receiving the routing information.

    2.4.1 Route Spoofing: Attack on the RIP Protocol

    Taking advantage of defects in the Routing Information Protocol (RIP), the attacker sends fake RIP packets and spoofs the device that runs RIP.

    RIP V1 has no authentication mechanism and does not authenticate the routing information it receives. RIP V2 is comparatively safer because it has the option to authenticate the information with a plain-text password or Message Digest 5 (MD5) authentication.

    In general, RIP is very simple and there are many tools on the network that attack it. In terms of security, RIP is weak. Especially when RIP works together with other routing protocols, the fake routing information can spread through the other routing protocols once RIP is attacked, and then larger networks are affected.

    2.4.2 Route Spoofing: Attack on the BGP Protocol

    Border Gateway Protocol (BGP) uses TCP as its transport protocol, so it inevitably suffers some TCP attacks, such as the TCP half-open connection attack. BGP packets do not have sequence numbers of their own and depend on TCP sequence numbers. Therefore, if the TCP implementation run by the device uses predictable sequence numbers, the attacker can use tools to insert fake TCP packets into the TCP flow and then launch the attack. (The routers of some vendors use random sequence numbers.)

    Besides, if BGP and RIP are associated (the model in which BGP trusts routes learned through RIP), BGP transmits the routing information it has obtained from RIP. But the protocol is not to blame for this defect. Generally, BGP has a relatively sound security mechanism.

    2.4.3 Route Spoofing: Attack on the OSPF Protocol

    Open Shortest Path First (OSPF) is equipped with several security mechanisms and is much safer than RIP. However, once the password is sniffed, OSPF is also open to several attacks. In these attacks, the attacker inserts false routing information packets to drive the attacked device into an unstable state.

    The prerequisite for these attacks is getting the authentication password, so protecting the password is vital. By default, OSPF exchanges passwords with the adjacent OSPF nodes for authentication every 10 seconds, which greatly increases the chance of the password being sniffed. Generally, though, it is difficult to attack OSPF.


    2.5 Buffer Overflow

    In the past 10 years, security loopholes exploited by buffer overflow have been the most common. More seriously, buffer overflow accounts for the greatest part of remote network attacks. This type of attack enables an anonymous Internet user to obtain the authority to partially or completely control a host. Since it means that anyone can gain control of the host, it represents the most serious threat to security.

    Buffer overflow loopholes are common and easy to exploit. This is one reason why buffer overflow has become a common method of attack. Another reason is that buffer overflow loopholes give the attacker what he wants: to inject and execute attacking code. With certain authority, the injected attacking code runs the program that has the buffer overflow loophole, and then obtains control of the attacked host.

    2.5.1 Loopholes of and Attacks on Buffer Overflow

    The aim of buffer overflow is to disturb the functions of a program that has some privileges. If the attacker gains control of the program, and if the program has adequate authority, then the attacker can control the entire host.

    Usually, the attacker attacks a root program and runs code such as "exec(sh)" to get a root shell, but it is not always so. In this attack, the attacker must achieve the following two goals:

    1) Arrange suitable code in the address space of the program
    2) By properly initializing the registers and memory, make the program transfer to the address space that has been arranged

    Based on these two goals, we can classify buffer overflow as follows:

    I. Arranging Suitable Codes in the Address Space of the Program

    There are two methods to do so:

    1) Code Injection

    The attacker inputs a character string to the attacked program, and the program puts the string in a buffer. The data in this string is an instruction sequence that can run on the victim's hardware platform. The attacker stores the attacking code in a buffer of the victim program. Two things are worth noting:

    • The attacker does not have to overflow any buffer to achieve this end; he only needs enough space for storing the attacking code.
    • The buffer can be anywhere: the stack (containing the local variables), the heap (memory that the application dynamically requests) or the static data area (containing initialized or uninitialized data).

    2) By Using Existing Codes

    Sometimes the code that the attacker needs already exists in the attacked program. The attacker then only needs to supply parameters to make the program transfer to an existing (legitimate) code segment. For example, the attacking code wants to execute "exec("/bin/sh")", and libc (a standard function library that exists as a file) contains code that executes "exec(arg)", where "arg" is a pointer parameter pointing to a character string. The attacker only needs to change the parameter pointer he inputs so that it points to "/bin/sh". Then the program transfers to the corresponding instruction sequence in libc.


    II. Making the Program Transfer to the Attacking Codes

    With all these methods, the attacker tries to change the execution flow of the program and make it transfer to the attacking code. The basic method is to overflow a buffer that has no bounds check or has other defects, thus disturbing the normal execution order of the program. By buffer overflow, the attacker can overwrite the adjacent program space in an almost brute-force way and directly bypass the system's checks.

    1) Activation Records

    Whenever a function is called, the caller leaves an activation record on the stack. The activation record contains the address to which the function returns when the call finishes. The attacker usually overflows the automatic variables and points the return address at the attacking code. Once the return address has been changed, when the function call finishes the program transfers to the address set by the attacker instead of to the original address. This type of buffer overflow is often called a "stack smashing attack" and is currently a common method of buffer overflow.

    2) Function Pointers

    "void (* foo)()" declares a function pointer variable "foo" whose function returns "void". A function pointer can point to any address, so the attacker only needs to find an overflowable buffer near a function pointer anywhere in memory. He then overflows the buffer to change the function pointer. At some moment, when the program calls the function through the pointer, the program flow goes where the attacker intended. One instance of this attack is against the superprobe program on Linux.

    3) Longjmp Buffers

    The C language has a simple checkpoint/recovery facility called setjmp/longjmp. "setjmp(buffer)" is placed at the checkpoint, and "longjmp(buffer)" is used to return to the checkpoint. However, if the attacker can enter the space of the buffer, "longjmp(buffer)" actually transfers to the attacker's code.

    Just like a function pointer, the longjmp buffer can point anywhere, so all the attacker needs to do is find a buffer that can be overflowed. An example is Perl 5.003. The attacker first overflows into the longjmp buffer used for recovering from buffer overflow, and then induces the program to enter the recovery mode, so the Perl interpreter transfers to the attacking code.

    III. The Integrated Technology of Code Injection and Flow Control

    The simplest and most common method of buffer overflow is to combine code injection and activation record modification in one character string. The attacker locates an automatic variable that can be overflowed, passes a large character string to the program, changes the activation record by inducing buffer overflow, and injects the code at the same time. This is the attack template described by Levy. Since C programs often open only a small buffer for user input and parameters, attacks aiming at such loopholes are really common.

    Code injection and buffer overflow need not be completed in one action. The attacker can inject the code into one buffer without overflowing it, and then overflow another buffer to redirect the program pointer. This method applies when the overflowable buffer is too small to hold all the code.

    If the attacker attempts to use resident code instead of injecting external code, he usually needs to parameterize the code. For example, some code segments in libc (almost all C programs link against libc) can execute "exec(something)", where "something" is the parameter. The attacker then uses one buffer overflow to change the program parameter, and another buffer overflow to point the program pointer at the specified code segment in libc.

2.5.2 Protection Against Buffer Overflow

Currently, there are four basic methods of protecting a program against buffer overflow attacks and their effects.

I. Writing Correct Code

Writing correct code is highly significant but also time-consuming, especially in a language such as C that is prone to errors (for example, character strings are terminated by a 0 byte). This style of writing results from the traditional emphasis on performance and neglect of correctness. Although much effort has gone into teaching people how to write safe programs, programs with security loopholes still appear. Therefore tools and techniques have been developed to help inexperienced programmers write safe and correct programs.

The simplest method is to use grep to search the source code for library calls that are prone to loopholes. Calls to strcpy and sprintf, for example, are found this way: these two functions do not check the length of the parameters passed to them. In fact, this problem exists in many versions of the standard C library.

To discover common loopholes such as buffer overflow and race conditions in program/task design, code review teams check a great deal of code. Still, some errors escape these precautions. Although substitute functions like strncpy and snprintf are used to prevent buffer overflow, errors still occur because of intrinsic problems in how the code is written. Take the lprm program as an example: although it passed a code security check, buffer overflow still occurs in it.

Although these tools help programmers develop safer programs, they cannot reveal all buffer overflow loopholes, owing to the characteristics of the C language. Error-detection technology can therefore only reduce the possibility of buffer overflow, not eliminate it entirely. Unless the programmer can guarantee that he is always correct, further measures are still needed to guarantee the reliability of programs.
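As an added illustration of this section (example code written for this edit, not code from the original document), the unchecked strcpy pattern that grep finds is shown beside a bounded replacement, together with the strncpy idiom that avoids the unterminated-string pitfall the text refers to. The names copy_unbounded, copy_bounded, copy_strncpy_safe and ARG_MAX_LEN, and the sample inputs, are constructed for the example.

```c
/* Added example, not code from the original document: the unbounded strcpy
 * pattern that grep finds, beside a bounded replacement and the strncpy idiom.
 * The names (copy_unbounded, copy_bounded, copy_strncpy_safe, ARG_MAX_LEN) and
 * the sample inputs are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define ARG_MAX_LEN 16   /* constructed buffer size */

/* The defect the text describes: strcpy never looks at the destination size, so
 * an argument of 16 or more characters writes past the end of buf. Kept only to
 * show the pattern; it is not called below. */
int copy_unbounded(const char *arg)
{
    char buf[ARG_MAX_LEN];
    strcpy(buf, arg);                    /* no length check at all */
    return (int)strlen(buf);
}

/* Hardened form: measure first, reject input that does not fit (including its
 * terminating 0), and copy only then. Returns the copied length or -1. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;
    memcpy(dst, src, n + 1);             /* n + 1 copies the terminator too */
    return (int)n;
}

/* The intrinsic pitfall of the substitute strncpy: when the source fills the
 * destination, strncpy writes no terminating 0. This idiom always restores the
 * terminator and reports truncation (-1) instead of leaving an unterminated
 * string behind. */
int copy_strncpy_safe(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) < dst_size ? (int)strlen(dst) : -1;
}

int main(void)
{
    char buf[ARG_MAX_LEN];
    const char *ok  = "lprm-user";                                 /* fits */
    const char *bad = "this argument is far too long for the buffer";
    printf("bounded(ok)  = %d\n", copy_bounded(buf, sizeof buf, ok));
    printf("bounded(bad) = %d\n", copy_bounded(buf, sizeof buf, bad));
    int n = copy_strncpy_safe(buf, sizeof buf, bad);
    printf("strncpy(bad) = %d, buf=\"%s\"\n", n, buf);
    return 0;
}
```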

II. Non-executable Buffer

When the address space of the program's data segment is set as non-executable, the attacker cannot execute the code injected into the buffer of the attacked program. This technique is called the non-executable buffer.

In fact, many early UNIX systems were designed this way. Yet to offer better performance and functionality, later UNIX and MS Windows systems were designed to load executable code dynamically into the data segment. To keep programs compatible, it is impossible to make the data segments of all programs non-executable.

III. Checking Array Bounds

Code injection not only causes buffer overflow but also disturbs the execution flow of the program. Unlike the non-executable buffer, checking array bounds completely prevents buffer overflow from occurring and from being exploited. As long as the array cannot be overflowed, there is no chance of overflow.

To realize array bounds checking, every read and write operation on an array must be checked to ensure that it is safe. The direct method is to check every array operation, but usually some optimization techniques can be used to reduce the number of checks.

IV. Checking the Integrity of the Program Pointer

Checking the integrity of the program pointer differs slightly from checking array bounds. The latter prevents the program pointer from being changed; the former detects whether the program pointer has been changed before it is called. Thus, even if the attacker has successfully changed the program pointer, the changed pointer will not be used, because the system detects the change beforehand.

Compared with checking array bounds, this method cannot solve all buffer overflow problems, and it would be unnecessary if other methods were used to solve buffer overflow. Yet it features good performance and excellent compatibility.
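One way to perform the integrity check described in this section, as an added example (written for this edit, not code from the original document): the program pointer is stored next to a check word derived from a secret, and the call site recomputes the word and refuses to jump when it no longer matches. The names guarded_fn, guard_set, guard_call and simulate_corruption, and the fixed secret, are constructed for the example; a real implementation draws the secret at random when the program starts.

```c
/* Added example, not code from the original document: checking a program
 * pointer's integrity before it is called. Names (guarded_fn, guard_set,
 * guard_call, simulate_corruption) and the fixed secret are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*handler_t)(int);

_Static_assert(sizeof(handler_t) <= sizeof(uintptr_t), "pointer must fit");

typedef struct {
    handler_t fn;       /* the program pointer being protected */
    uintptr_t check;    /* integrity word: fn XOR secret */
} guarded_fn;

static const uintptr_t secret = (uintptr_t)0x5A17C0DEu;   /* constructed */

static uintptr_t guard_word(handler_t fn)
{
    uintptr_t raw = 0;
    memcpy(&raw, &fn, sizeof fn);    /* pointer bits -> integer without a cast */
    return raw ^ secret;
}

void guard_set(guarded_fn *g, handler_t fn)
{
    g->fn = fn;
    g->check = guard_word(fn);
}

/* Returns 1 and calls fn when the pointer is intact; returns 0 and makes no
 * call when the pointer no longer matches its check word. */
int guard_call(const guarded_fn *g, int arg, int *result)
{
    if (guard_word(g->fn) != g->check)
        return 0;                    /* pointer changed behind our back */
    *result = g->fn(arg);
    return 1;
}

int double_it(int x) { return 2 * x; }
int negate_it(int x) { return -x; }

/* Stands in for memory corruption that overwrites only the pointer field, the
 * way an overflow from an adjacent buffer would; the check word is untouched. */
void simulate_corruption(guarded_fn *g)
{
    g->fn = negate_it;
}

int main(void)
{
    guarded_fn g;
    int r = 0, called;
    guard_set(&g, double_it);
    called = guard_call(&g, 21, &r);
    printf("intact:  called=%d result=%d\n", called, r);
    simulate_corruption(&g);
    called = guard_call(&g, 21, &r);
    printf("corrupt: called=%d\n", called);
    return 0;
}
```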

    Chapter 3 Security Problems of Other Protocols

3.1 Security at the Network Layer

3.1.1 Source IP Address Spoofing

The IP protocol forwards IP packets according to the destination address field in the IP packet header. If the destination address is on the local network, the packet is delivered directly to the destination. If the destination address is not on the local network, the packet is first sent to the gateway, which forwards it onward according to its own routing. This is the processing specified by the IP protocol.

When the IP protocol routes a packet, it does not check the source IP address in the IP header at all. It simply assumes that the source IP address in the header is the IP address of the device that sent the packet. When the destination host replies to the source host, it takes the source IP address from the header of the packet it received as the destination address of the packets it sends, and then exchanges data with the source host.

Simple and highly efficient, this mode of data communication is also a security hazard of the IP protocol. Many network security incidents result from this weakness of the IP protocol.

    I. Types of Source IP Address Spoofing

This security hazard of the IP protocol leaves TCP/IP networks open to two types of attack.

    1) DOS Attack

    The most common attack is DOS.

Take the TCP-SYN Flood attack as an example. The attacker sends a large number of TCP-SYN packets to the attacked host. The source address in these TCP-SYN packets is not the IP address of the attacking host; it is an IP address forged by the attacker. After receiving a TCP-SYN packet from the attacker, the attacked host allocates some resources for a TCP connection. It also takes the (forged) source address of the received packet as the destination address and sends the TCP-(SYN+ACK) response to that host. Since the fake IP address is chosen carefully by the attacker and does not exist at all, the attacked host never receives a response to the TCP-(SYN+ACK) packet it has sent. Therefore the TCP state machine of the attacked host remains in the waiting state.

If the TCP state machine of the attacked host is configured with a timeout, the resources allocated to the connection are not released until the state machine times out. Therefore, if the attacker sends enough TCP-SYN packets to the attacked host fast enough, the TCP module of the attacked host suffers DOS, because it can no longer allocate system resources to new TCP connections. Moreover, even if the network administrator of the attacked host monitors the attacker's packets, he cannot identify the attacker from the source address information in the IP packet header.

The TCP-SYN Flood attacker is not the only one who forges the source IP address in an attack. Taking advantage of the fact that the IP protocol does not check the source IP address, every attacker puts a fake source IP address in the packet header when launching an attack, so that the attacker will not be discovered.

    2) Hijack Attack

The weakness of the IP protocol brings about another common hazard to TCP/IP networks: the hijack attack.

The attacker gains privileges by attacking the victim host. This attack works only on hosts that authenticate based on the source address, that is, hosts that take the IP address as the criterion for granting security authority.

Take a firewall as an example: on some networks the firewall permits only IP packets that come from networks trusted by its own network to pass. Yet since the IP protocol does not check whether the source IP address in the IP packet is the authentic address of the host that sent it, the attacker can still get past the firewall by source IP address spoofing. Some network application programs also use the IP address as the criterion for granting security authority; the attacker can obtain privileges from them by source IP address spoofing as well, causing serious loss to the victim.

    II. Solution

We cannot eliminate the security hazards caused by this inherent defect of the IP protocol. We can only take remedial measures to minimize the dangers of this defect.

An ideal countermeasure against this threat is the following: before the gateway or router connecting the LANs permits an IP packet from the extranet to enter the LAN, it checks the packet. If the source IP address of the packet is an address that exists on the LAN the packet is about to enter, the gateway or router refuses to let the packet in. This solution addresses the problem well.

But some Ethernet cards receive the packets that they themselves have sent, and in practice some LANs need trust relationships to share resources. Therefore, this solution is not very practical.

Another countermeasure is to check the source IP address when the IP packet leaves the LAN. That is, before the gateway or router connecting the LANs permits an IP packet to be sent out of the LAN, it checks the packet's source IP address. If the source IP address is not an address that exists on the LAN from which the packet is being sent, the gateway or router refuses to let the packet leave the LAN.

Thus, to pass through the gateway or router, the attacker needs at least an IP address that exists on the LAN he has entered. If the attacker launches an attack, it is then easy to trace him from the source IP address of the packets he has sent.

It is recommended that the gateway and router of every ISP or LAN check and filter the source IP address of the IP packets sent out of the LAN. If every gateway and router worked this way, source IP address spoofing would never work. Currently not every gateway or router does, so the network administrator has to supervise the network under his management as closely as possible, always on the lookout for possible attacks.

3.1.2 The Attack of Over-long Reassembled IP Fragments and the Solution to It

The Internet is composed of numerous interconnected networks, which usually have different Maximum Transmission Units (MTUs). To transmit IP packets correctly across networks with different MTUs, the IP protocol provides the functions of fragmenting and reassembling IP packets. That is, to transmit IP packets to a network with a smaller MTU, the IP protocol takes the MTU of the destination network as the maximum packet length, fragments the packets that were generated with the larger MTU on the local network, and then sends the fragments to the destination host.

When the fragments reach the IP layer of the destination host, it finds that the packets that have arrived are not complete packets and buffers them first. When all the related fragments have arrived, the IP layer reassembles them into one complete packet and passes it to the upper-layer protocol.

The following four fields in the IP header identify all fragments that belong to one complete IP packet:

- The Identification field
- The Protocol field
- The Source address field
- The Destination address field

In the Flags field of the IP header, the DF bit indicates whether the packet may be fragmented, and the MF bit indicates whether this packet is a fragment. The Fragment offset field in the IP header indicates the position of this fragment within the original complete packet. It is on these six fields that the IP protocol bases fragmentation and reassembly.

To reassemble, the IP layer collects all fragments whose MF bit is 1 (that is, which belong to the same complete packet) into one packet, until it receives a fragment with the MF bit set to 0. This is the last fragment.

The length of the reassembled packet is obtained by adding up the data lengths of the fragments. The Header length field in the IP header is only 16 bits, which means that the maximum length of an IP packet is 65535. If the lengths of the received fragments add up to more than 65535 and the IP layer has not checked this, the IP implementation will crash or enter a state of service failure because of overflow.

Normally this does not occur. But such a hazard usually becomes an opportunity for the attacker, and it exists in the operating systems of many network hosts. The infamous Ping attack is based exactly on this security hazard.

Ping is a common program for diagnosing network conditions. It actually sends an ICMP packet of type "ECHO_REQUEST" to the destination host according to the Internet Control Message Protocol (ICMP). If the ICMP module of the destination host receives the packet, it responds to the source host with an ICMP packet of type "ECHO_RESPONSE". If no "ECHO_RESPONSE" packet arrives within the specified time, the ping times out and reports that the destination address is unreachable.

The Ping attack also sends an "ECHO_REQUEST" packet to the attacked host, but in this case the packet is composed of a series of IP fragments crafted by the attacker, and the lengths of the fragments add up to more than 65535. The attacker's aim is to make the IP layer of the destination host reassemble these fragments and confront it with an IP packet whose length exceeds 65535.

Solution: When reassembling fragments, the IP layer must carefully judge and handle any packet whose length would exceed 65535. On discovering fragments whose lengths accumulate to more than 65535, the IP layer must discard all the fragments received so far and release the resources they occupy.
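The check this solution calls for, applied as each fragment arrives, as an added example (written for this edit, not code from the original document). A fragment covers bytes [offset * 8, offset * 8 + data_len) of the original packet; the reassembler rejects any fragment whose end would pass the 65535-byte limit of the 16-bit IP Total Length field and releases the whole reassembly, rather than letting a 16-bit length counter wrap. The names fragment_t, reasm_t, reasm_add, reasm_release and run_demo and all fragment values are constructed; matching fragments on the four identifying fields is assumed to be done by the caller.

```c
/* Added example, not code from the original document: reassembly with a
 * length check. Names and fragment values are constructed; the caller is
 * assumed to have matched fragments on Identification/Protocol/Source/Dest. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_MAX_LEN 65535u   /* limit of the 16-bit Total Length field */

typedef struct {
    uint16_t id;          /* Identification */
    uint8_t  proto;       /* Protocol */
    uint32_t src, dst;    /* Source and Destination address */
    uint16_t offset;      /* Fragment offset, in units of 8 bytes */
    int      mf;          /* More Fragments bit */
    uint16_t data_len;    /* payload bytes carried by this fragment */
} fragment_t;

typedef struct {
    uint32_t bytes_seen;  /* payload bytes accepted so far */
    uint32_t end;         /* highest byte position accepted so far */
    int      last_seen;   /* a fragment with MF == 0 has arrived */
    unsigned char *buf;   /* reassembly buffer, released on rejection */
} reasm_t;

enum { REASM_REJECTED = -1, REASM_PENDING = 0, REASM_DONE = 1 };

void reasm_release(reasm_t *r)
{
    free(r->buf);
    memset(r, 0, sizeof *r);
}

/* Accepts one fragment. Returns REASM_DONE when the packet is complete,
 * REASM_PENDING while waiting for more, and REASM_REJECTED when the fragment
 * would push the reassembled length past IP_MAX_LEN (all state is released). */
int reasm_add(reasm_t *r, const fragment_t *f)
{
    uint32_t start = (uint32_t)f->offset * 8;
    uint32_t end = start + f->data_len;   /* 32-bit: cannot wrap like a uint16 */
    if (end > IP_MAX_LEN) {
        reasm_release(r);
        return REASM_REJECTED;
    }
    if (r->buf == NULL)
        r->buf = calloc(IP_MAX_LEN, 1);   /* sized to the limit, never larger */
    /* payload copy into r->buf + start omitted: this example tracks length only */
    r->bytes_seen += f->data_len;
    if (end > r->end) r->end = end;
    if (!f->mf) r->last_seen = 1;
    /* with no duplicate fragments, sum == end means no gap remains */
    return (r->last_seen && r->bytes_seen == r->end) ? REASM_DONE : REASM_PENDING;
}

/* Constructed demo: a normal 3-fragment packet, then a crafted pair whose
 * second fragment ends at byte 66960. Returns 1 when the first completes and
 * the second is rejected with its buffer released. */
int run_demo(void)
{
    reasm_t r = {0};
    fragment_t ok[] = {
        { 1, 1, 0, 0, 0,   1, 1480 },
        { 1, 1, 0, 0, 185, 1, 1480 },   /* 185 * 8 = 1480 */
        { 1, 1, 0, 0, 370, 0, 100  },   /* last fragment, ends at 3060 */
    };
    fragment_t bad[] = {
        { 2, 1, 0, 0, 0,    1, 1480 },
        { 2, 1, 0, 0, 8185, 0, 1480 },  /* 8185 * 8 = 65480, + 1480 > 65535 */
    };
    int s = REASM_PENDING;
    for (size_t i = 0; i < 3; i++)
        s = reasm_add(&r, &ok[i]);
    int first_done = (s == REASM_DONE);
    reasm_release(&r);
    reasm_add(&r, &bad[0]);
    s = reasm_add(&r, &bad[1]);
    printf("normal: %s, crafted: %s\n", first_done ? "done" : "incomplete",
           s == REASM_REJECTED ? "rejected" : "accepted");
    return first_done && s == REASM_REJECTED && r.buf == NULL;
}

int main(void) { return run_demo() ? 0 : 1; }
```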

    3.2 Security at the Transport Layer

In Internet application protocols, Inter-process Communication (IPC) in a broad sense is usually used for communicating with security protocols at different layers. Two popular IPC programming interfaces are BSD Sockets and the Transport Layer Interface (TLI). Both interfaces are available in UNIX System V.

To provide secure service on the Internet, the first idea is to enhance the IPC interface, such as BSD Sockets, by authenticating the entities at both ends, exchanging the data encryption key, and so on. Netscape followed this approach and defined the Secure Sockets Layer (SSL) protocol, which runs on top of a reliable transport service (such as the service provided by TCP/IP). SSL V3 was released in December 1995. It mainly includes the following two protocols:

1) The SSL Record Protocol: fragments, compresses, authenticates and encrypts the information provided by the application program. SSL V3 supports MD5 and the Secure Hash Algorithm (SHA) for authenticating the data, and RC4 and the Data Encryption Standard (DES) for encrypting it. The keys used for authenticating and encrypting the data are negotiated by the SSL Handshake Protocol.

2) The SSL Handshake Protocol: exchanges the version number, the encryption algorithm, (mutual) identity authentication, and the key. SSL V3 supports the Diffie-Hellman key exchange algorithm, a key exchange mechanism based on the Rivest-Shamir-Adleman (RSA) cryptographic algorithm, and another key exchange mechanism based on the Fortezza chip.

Netscape has released an SSL reference implementation (SSLref) to the public. Another free SSL implementation is SSLeay. SSLref and SSLeay provide all TCP/IP applications with SSL functions. The Internet Assigned Numbers Authority (IANA) has assigned fixed port numbers to TCP/IP applications with SSL: for example, port 443 is assigned to HTTP over SSL (https), port 465 to SMTP over SSL (ssmtp), and port 563 to NNTP over SSL (snntp).

Microsoft launched an improved version of SSL2: Personal Communication Technology (PCT). At least in terms of the record format used, SSL and PCT are highly similar. Their main difference lies in the value of the most significant bit of the version number field: for SSL the bit is 0, and for PCT it is 1. With this difference, the two protocols can be supported and told apart.

In April 1996, the Internet Engineering Task Force (IETF) chartered a Transport Layer Security (TLS) working group to draft the Transport Layer Security Protocol (TLSP). The protocol will be a standard proposal formally submitted to the Internet Engineering Steering Group (IESG). TLSP will resemble SSL in many aspects.

One advantage of a security mechanism at the network layer is its transparency: security service can be provided without any change at the application layer. This is impossible at the transport layer. In theory, every TCP/IP application that uses TLSP (or SSL or PCT) must be modified to add the corresponding new functions, and must use a (slightly) different IPC interface.

Therefore, the disadvantage of a security mechanism at the transport layer is that both ends, the IPC interface at the transport layer and the application program, have to be modified. However, compared with security mechanisms at the network layer and the application layer, the modification needed here is rather small.

Another disadvantage is that it is difficult to establish a security mechanism at the transport layer for UDP-based communication. Compared with a security mechanism at the network layer, the advantage of one at the transport layer is that it provides process-to-process (instead of host-to-host) security service. Combined with security service at the application layer, this lets the security mechanism take a great leap forward.

3.3 Security at the Application Layer

Security protocols at the network layer (or transport layer) add security attributes to the data channel between hosts (or processes). Essentially, this means that a real (and perhaps encrypted) data channel is established between hosts (or processes), but the channel cannot distinguish the security requirements of a specific file transmitted over it. For example, when a secure IP channel is established between two hosts, all IP packets transmitted on that channel are encrypted automatically. Likewise, when a secure data channel is established between two processes through TLSP, all messages transmitted between the two processes are encrypted automatically.

A security mechanism at the application layer is needed to distinguish the different security requirements of a specific file. Providing security service at the application layer is the most flexible way to handle the security requirements of a single file. For example, a signed-email system may need to encrypt only certain paragraphs of the email it sends. The lower-layer protocols that provide security functions usually do not know the paragraph structure of the mail being sent,

Secure Electronic Transaction (SET) protocol, which specifies how the cardholder pays by credit card on the Internet. This mechanism is backed by a certification infrastructure that supports X.509 certificates.

In applying the security functions mentioned above, we face a primary problem: applying each function requires a corresponding modification of the application. It would therefore be ideal to have a unified method of modification.

One step in this direction is Secure Shell (SSH), developed by Tatu Yloenen of Helsinki University. SSH enables the user to log in to a host securely, execute commands and transfer files. It implements a key exchange protocol and a protocol for authenticating the host and the client. SSH has many popular free versions that run on UNIX platforms, and a commercial version packaged and marketed by Data Fellows.

Pushing the SSH approach one step further, we arrive at the authenticated key distribution scheme, which actually provides an Application Program Interface (API). The API provides security services for all kinds of network application programs, for example authentication, data confidentiality and integrity, access control and non-repudiation.

Currently, several practical authenticated key distribution schemes have been developed, for example Kerberos (V4 and V5) by the Massachusetts Institute of Technology (MIT), CryptoKnight and Network Security Program by IBM, SPX by DEC and TESS by Karlsruhe University. These are the widely applied instances.

There are also modifications and extensions of the authenticated key distribution scheme. For example, SESAME and OSF DCE extend the service of Kerberos V5 by adding access control, and Yaksha extends the service of Kerberos V5 by adding a non-repudiation service.

A problem confronting the authenticated key distribution scheme is its lack of popularity on the Internet. One reason is that it still requires modifying the application program. Taking this into account, it is crucial for the authenticated key distribution scheme to provide a standardized, secure API. If this is realized, R&D engineers no longer have to modify an entire application program to add only a few security functions. Therefore, the most prominent progress in the field of authentication system design is the development of a standardized secure API, namely the Generic Security Services API (GSS-API).

Obviously, GSS-API (V1 and V2) is too technical for a programmer who is not a security expert. However, researchers at the University of Texas at Austin have pushed the API to a higher level than GSS-API by developing Secure Network Programming (SNP). SNP makes programming for network security easier.

    Chapter 4 Security Strategies

4.1 What Is Security?

Security consists of five basic elements:

- Confidentiality
- Integrity
- Availability
- Controllability
- Auditability

Confidentiality: The information is not revealed to any unauthorized entity or process.

Integrity: Only authorized persons can modify the data, and it can be checked whether the data has been modified by an unauthorized entity.

Availability: The authorized entity can access the data when necessary; that is, the attacker cannot occupy all the resources and hamper the work of the authorized entity.

Controllability: The flow direction and behavior mode of the information within the authorized scope are controllable.

    Auditability: The crit