Report on TCP vulnerabilities

TCP Vulnerabilities and IP Spooﬁng:
Current Challenges and Future Prospects

Colloquium Report
Submitted in Partial Fulﬁllment of the Requirements
for the Degree of Masters of Technology

Submitted by
Prakhar Bansal
Registration No. - 2011CS29

Computer Science and Engineering Department
Motilal Nehru National Institute of Technology Allahabad,
Allahabad -211004, India
October 2012

Contents

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
3 Related Research Work . . . . . . . . . . . . . . . . . . . . . . . . . 2
4 TCP Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.1 TCP Header . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
4.2 Establishing a TCP Connection . . . . . . . . . . . . . . . . 7
4.3 Closing a TCP Connection . . . . . . . . . . . . . . . . . . . 7
4.4 SYN Flooding Attack . . . . . . . . . . . . . . . . . . . . . . 8
5 ARP Cache Poisoning Attack . . . . . . . . . . . . . . . . . . . . . 12
5.1 ARP Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . 12
5.2 Theory of Operation . . . . . . . . . . . . . . . . . . . . . . 14
5.3 Countermeasures . . . . . . . . . . . . . . . . . . . . . . . . 14
6 LOT: Light-weight Opportunistic Plug and Play Secure
Tunneling Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
6.1 Communication Model . . . . . . . . . . . . . . . . . . . . . 16
6.2 Handshake among Gateways . . . . . . . . . . . . . . . . . . 18
6.3 LOT Packet Structure . . . . . . . . . . . . . . . . . . . . . 21
7 Observation and Discussion . . . . . . . . . . . . . . . . . . . . . . 21
7.1 Redeﬁnition of TCP Three-way Handshake . . . . . . . . . . 21
7.2 Redeﬁnition of ARP Protocol . . . . . . . . . . . . . . . . . 24
8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Bibliography 27

1

List of Figures

1 TCP header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2 Three-way handshake . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3 Sequence states of client side TCP . . . . . . . . . . . . . . . . . . . 9
4 Sequence states of server side TCP . . . . . . . . . . . . . . . . . . 9
5 ARP header . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
6 Huang solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
7 LOT communication model . . . . . . . . . . . . . . . . . . . . . . 17
8 Phase 1: hello phase . . . . . . . . . . . . . . . . . . . . . . . . . . 19
9 Phase 1: network block validation phase . . . . . . . . . . . . . . . 20
10 Redefinition of TCP three-way handshake . . . . . . . . . . . . . . 22
11 Redefinition of TCP three-way handshake . . . . . . . . . . . . . . 23
12 Redefinition of ARP protocol . . . . . . . . . . . . . . . . . . . . . 24

2

Abstract

With the invent of computer systems, the need of communication becomes
essential. Standard communication protocols are developed to provide communi-
cation over computer networks. Protocols are predefined formal systematic rules
required for an effective communication. Billions of people are interconnected with
Internet via these protocols. But what if these protocols are themselves vulnerable
to various types of attacks.
Attacks from hacktivist groups like ‘Anonymous’ are increasing day by day.
Moreover the arsenal of hacking groups is growing rapidly. Today the attacks are
more dangerous and concentrated, packets/second rate has been increased and
attacks are more distributed [1]. There is also a significant growth in frequency
of attacks mainly distributed denial of service attacks (DDoS attacks) and IP
spoofing attacks. There is 50% increase in DDoS attacks in the first quarter of
2012 in comparison to same quarter last year [2].
According to Norton cybercrime report 2012, cybercrime costs $110 billion
globally out of which $8 billion to India [3].
Today all countries are spending huge percentage of their GDP to improve cyber
security. In this fiscal year 2012-13, India spent 37.7 crores on cyber security [4].
United States has proposed $800 million for cyber security in next 2013 fiscal
budget [4].
Attackers are able to perform cyber attacks due to vulnerabilities in existing
protocol structure. If we focus on these protocols then need of government spend-
ing on cyber security would be less.
This report focuses on vulnerabilities in protocols, mainly Transmission Con-
trol Protocol (TCP) and Address Resolution Protocol (ARP), exploiting probable
attacks and there counter measures. At last report discusses LOT, light weight
opportunistic plug and play secure tunneling protocol to be deployed at network
gateways in order to defend against IP spoofing and flooding attacks.

1 Introduction

Cyber security is becoming a major challenge to today's computing world. Ac-
cording to ‘Norton cybercrime report 2012’, there are 556 million victims/year,
1.5+ million victims/day and 18 victims/second affected by cybercrime. 2 out of
3 on-line adults have been victim of cybercrime in their lifetime. The global price
tag of cybercrime has reached up to $110 billions, $197 average cost/victim. cyber-
crime costs USA $21 billion, $46 billion to China, $8 billion to Brazil, $2 billion to
Russia, Australia and Mexico each, and $8 billion to India. More than 42 million
people in India have been victimized by cybercrime in last 12 months [3]. Accord-
ing to BBC report, UK businesses lose around £21 billion a year to cybercrime [5].
According to report published by international research scientists from University
of Cambridge, ‘Measuring the cost of cybercrime’ on 18 June, 2012, government
should spend more on policing the Internet rather than spending on security and
catching cyber criminals [6].
Recent attacks are more sophisticated and distributed in nature. Websites for
Department of Justice and the FBI were attacked by Anonymous on Jan 19, 2012
in response to the shut down of the file sharing website Megaupload and bill Stop
Online Piracy Act (SOPA). Anonymous used “Low Orbit Ion Cannon”(LOIC) to
attack supporters of SOPA on January 19, 2012. Group claimed this to be their
largest attack with over 5,635 people participating in the DDoS attack via LOIC
[anonymous archives]. Attacks that exploits TCP vulnerabilities exceeds in large
number in past. Anonymous attacks on facebook on October 12, 2012, which leads
facebook to shutdown in Europe. Group also attacks on many Indian websites
including website for supreme court of India and other national political parties in
response to Internet censorship. May be their intention is right, but this exploits
how vulnerable our protocols are.
Transmission Control Protocol (TCP) is an end-to-end, connection oriented,
reliable transport layer protocol. TCP is designed to support multiple network
applications and provides reliable interprocess communication between processes
in host computers in interconnected computer networks. Cerf and Kahn, firstly
describes the concepts of TCP [7]. But TCP and many other protocols are vul-
nerable to attacks leading billions of people on stake. Virtually all applications
use the concepts of TCP and are therefore on risk. Researches are still going on
security problems of core protocols [8].

1

2 Problem Statement

To design a reliable, scalable and secure network. The network which no one can
spoof, no one can flood and no one can hack.
The need of secure, scalable and reliable communication network becomes very
important today. The network which no one can spoof, no one can flood or no one
can hack is very big challenge. Leon Panetta, Defense Secretary, USA said that
next 9/11 attacks could be cyber attacks on 12th October, 2012.
Protocol vulnerabilities is one of the long standing major challenge in network
communication. Recent report from Prolexic states that their is a 88 % increase in
attacks since last year [9]. The attacks from groups like ‘Anonymous’ are increasing
day by day. Although intention of anonymous may seem to be good but their way
to make our network down is wrong. These attacks shows that how vulnerable our
network protocols are.
The focus of this report is to study the vulnerabilities in TCP and ARP protocol
and to discuss a solution suggested by Yossi Gilad and Amir Hergberg to install
LOT protocol on network gateways.

3 Related Research Work

TCP is based on concepts firstly described by Cerf and Kahn [7]. In September
1981, Defense Advanced Research Projects Agency (DARPA) proposed Transmis-
sion Control Protocol as a transport layer protocol in RFC 793 which standardizes
the basic mechanism and policies of TCP. RFC 1122 provides clarifications and
errata for the original [8].
RFC 4987 published on August 2007 contains the discussion on TCP SYN
flooding attacks [10]. In 1994 Bill Cheswick and Steve Bellovin [bellovin 94] dis-
covered the weaknesses in TCP implementations [11]. SYN flooding attack are
firstly highlighted in Phrack magazine in 1996 [12].
Kevin Mitnick, exploits DDoS attack known as Mitnick-Shimomura attack
firstly [13]. In February 2000, mafiaboy, 15 years old Michael launched ‘Project
Rivolta’, which took down the websites of four giants yahoo, CNN, ebay, dell and
amazon, and threatens the entire world about TCP SYN flooding attacks.
In april 1989, article entitled ‘Security problems in the TCP/IP protocol suite’
by S.M. Bellovin, AT & T Bell Labs, exploits various vulnerabilities in TCP [14].

2

In 2002, Lemon proposed ‘syn-cache’ approach which aims to reduce amount of
state information maintained for connections in the SYN-RECEIVED state, and
allocates full Transmission Control Block (TCB), data structure usually in kernel
which is used to store all the information related to TCP connection [7], only after
connection has transited to ESTABLISHED state [15].
In 1996, Bernstein proposed ‘syn-cookie’ approach which eliminates the need
of maintaining state information at server side in SYN-RECEIVED state. It uses
the encrypted cookie based on information of client in establishing the three-way
handshake [16].
In 2002, Zquete describes mechanism for improving the functionality of SYN
cookies [17].
Ingress filtering is proposed in RFC 2267 to stop IP spoofing and related work
is done by Baker and Savola in 2004 [18].
Ingress filtering technique ensures that packets that are coming are originated
from same network from which they claimed [18]. However, Beverly and Bauer in
2005 found that lack of ingress filtering on ISP’s are still quite common [19].
F. Gont proposed the minor extensions in TCP in his draft, ‘Survey of Security
Hardening Methods for Transmission Control Protocol (TCP) Implementations’,
published on March 13, 2012 [8].
Yanyan Li and Keyu Jiang, in paper, ‘Prospect for the future Internet – A
study based on TCP/IP vulnerabilities’, discusses ARP cache poisoning and SYN
flooding attack [20].
S. Gavaskar, R. Surendiran and E. Ramaraj proposed Three Counters Algo-
rithm in 2010 [21] for SYN flooding attacks.
Dommetry in 2000 proposed tunneling protocol mechanisms [22]. Savage,
Snorean and Dean suggests packet marking techniques in early 2000’s [23].
Yossi Gilad and Amir Herzberg from Bar-Ilan university presented LOT, a
lightweight opportunistic plug and play secure tunneling protocol to be deployed
at network gateways. Tunnels are formed when LOT is installed on gateways. LOT
tunnels allow allows gateways to discard packets that are spoofed IP addresses.
LOT helps to mitigate attacks such as DNS poisoning, network scans, flooding
attacks and denial of service (dos) attacks [24].

3

4 TCP Vulnerabilities

Transmission Control Protocol (TCP) is deployed as a standard interprocess com-
munication among the communicating hosts in the networks. TCP is described
in RFC 793 [7]. TCP is a connection- oriented, end-to-end reliable protocol de-
signed support communication between pairs of processes in distinct host comput-
ers which are interconnected via communication network. From the day it was
proposed and till date, it was updated, modified via several RFCs and drafts but
still it is vulnerable to various network attacks.
During the last thirty years many vulnerabilities have been identified in TCP
protocol implementations, which is the core platform for most of the current ap-
plications [14]. TCP has been gone through levels of modifications, it is being
updated and modified from time to time, but still it is vulnerable to several at-
tacks.

4.1 TCP Header

TCP segments are sent as internet datagrams. TCP header follows IP header and
contains information only for TCP protocol. IP header carries information about
source and destination host addresses. The minimum TCP header size should be
20 bytes with no options and no data.

segment.size >= 20

If a segmment doesn’t pass this check, it will be eventually dropped.

• Source Port Number: 16-bit source port address.

• Destination Port Number: 16-bit destination port address.
Researches [25] has shown that port numbers on the server and client must
be distinct. For the client to communicate they must know the server port
number, so the server port number is actually open.

• Sequence Number: 32-bit number.
If SYN bit is not set, sequence number of the first data octet in the segment.
If SYN bit is set, sequence number is initial sequence number (ISN) and first
data octet is ISN+1.

4

Figure 1: TCP header [7]

Attackers can exploit various attacks via predicting sequence numbers. Mor-
ris in 1985 was first to descricbe sequence number prediction attacks. 1995,
Kevin Mitnick attack on Shimomura exploits this vulnerability. RFC 6528
entitled ‘Defending against sequence number attacks’ discusses this in great
detail [26].

• Acknowledgement Number: 32-bit number.
If ACK bit is set, acknowledgement number is sequence number of next seg-
ment which sender of acknowledgement is expecting.

• Data Offset: 4-bit number, indicates where data begins in TCP header.

• Reserved: 3-bits reserved for future needs. These bits must be 0.

• Control bits: 8-bits. The combinations of control bits can cause malfunc-
tion of some implementations. Sometimes any unusual combination can lead
system to crash [27] [28].

– NS bit: Nonce Sum, is an optional addition to Explicit Congestion Noti-
fication (ECN) that protects against accidental or malicious concealment

5

of marked packets from the TCP sender. It improves the robustness of
congestion control by preventing receivers from exploiting ECN to gain
an unfair share of network bandwidth. It is defined in RFC 3540 [29].
– CWR bit: via Congestion Window Reduced (CWR) flag, data sender
can inform the data receiver that the congestion window has been re-
duced. It is defined in RFC 3168 and studied by Ramakrishnan [30].
– ECE bit: via an ECN-Echo (ECE) flag, data receiver can inform the
data sender when a CE, Congestion Experienced (CE) packet has been
received. Explicit Congestion Notification (ECN) is a addition in IP
suggested in RFC 3168. [30]
– URG bit: Urgent Pointer field significant.
SIGURG is deliverd to corresponding process.
– ACK bit: Acknowledgment field significant
– PSH bit: Push bit, indicates that receiver should pass the data to the
upper layer as soon as it reads PUSH bit is set.
– RST bit: is used to request the abnormal close of a TCP connection.
– SYN bit: is used for synchronization of sequence numbers in 3-way
handshake procedure. Four different types of vulnerabilities can exploit
use of SYN bit:
SYN-flooding attacks, connection forging attacks, connection flooding
attacks, and connection reset attacks.
– FIN bit: is used for connection termination. It generates the signal to
remote host indicating end of data transfer from generating side. Various
resource exhaustion attacks can be done in connection termination phase
of TCP.

• Window Size: 16-bit number, advertises how many bytes of data the remote
peer is allowed to send before a new advertisement is made.

• Checksum: The checksum field is the 16 bit one’s complement of the one’s
complement sum of all 16 bit words in the header and text.
Segments with invalid checksum, if flooded on host computer could not cre-
ate state information at the firewall. [31] describes the exploitation of TCP
checksum for performing firewall evasion and DoS attacks.

6

• Urgent Pointer: 16-bit field.
tells the current value of the urgent pointer as a positive offset from the
sequence number in this segment. The urgent pointer points to the sequence
number of the octet following the urgent data. This field is only be interpreted
in segments with the URG control bit set [7].
[32] originally describes TCP urgent pointer could be exploited for DoS
attacks, which are dangerous enough to lead the system crash.

• Options: These are of variable length. Options may lie in the end of TCP
header.

• Padding: These are of variable length. Paddings are composed of zeros
embedded to ensure the boundary between header and data.

• Data: The usable data which hosts actually wants to communicate.

4.2 Establishing a TCP Connection

The process on client host which wants to send data to server host which is on some
communication network first inform the client TCP. Server must be in LISTEN
state at some known port on some host whose address also must be known. The
three-way handshake procedure is used for establishing the connection.

4.3 Closing a TCP Connection

TCP connection can be terminated in three cases:
• Local user initiates by telling its TCP to close the connection.
Local user creates FIN segment and place it on outgoing segment queue.
Now, TCP accepts no further sends. and enters in FIN-WAIT-1 state. How-
ever, receives are allowed in this state. All segments sent before FIN will be
retransmitted until acknowledged. When another TCP sends the FIN of its
own, first TCP acknowledge it. TCBs will be deleted by both the TCPs.

• Remote TCP initiates by sending a control signal FIN.
TCP can receive a FIN segment from remote network, receiving TCP ac-
knowledge it. State is transited to CLOSE-WAIT. Local user after finishing
its own data to be sent, send FIN and TLBs will be deleted after receiving
ACK of FIN.

7

Figure 2: Three-way handshake

• Both users close simultaneously.
Both users send FIN segment at the same time. When all the data segments
preceding these segments are processed and acknowledged, both TCP send
ACK of FIN they received. On receiving these ACKs, both delete TCBs.

4.4 SYN Flooding Attack

4.4.1 Theory of Operation

Bill Cheswick and Steve Bellovin in 1994 discovered TCP SYN ﬂooding vulner-
ability [11] [10]. Kevin Mitnick's Shimomura attack [13] in 1995 and attacks on
ISP's mail servers in 1996 caused TCP SYN ﬂooding well known [10].
TCP uses ‘three-way handshake’ for connection establishment between two

8

Figure 3: Sequence states of client side TCP [7]

9
Figure 4: Sequence states of server side TCP [7]

distinct computing systems. According to RFC 793 [7], server side TCP that is
in LISTEN state, when receives a SYN segment from client side TCP, it would
be transited to SYN-RECEIVED state. It must maintain the record of initial
sequence number (ISN) of client and other information in the Transmission control
block (TCB), and respond to client with SYN and ACK [7]. TCB is the data
structure within the kernel of system used to store all information corresponding
to TCP connection [7].
SYN flooding attack is to exhaust the memory at attacked system by sending
large number of SYN requests with spoofed IP addresses so that real users can
not access the server [8]. Large number of SYN segments from forged IP addresses
exhaust the memory needed for storing TCBs. The main point is that attacker
don’t want to establish the three-way handshake at all. He will use forged source
IP address for SYN segments typically, concealing his own IP address.
Server sends back acknowledgement and its own SYN segment telling its own
ISN in response of SYN segment generated by attacker. If the forged IP address
corresponds to some reachable system then this reachable system responds with
RST segment which cause the connection to abort because its states are different.
However, if forged IP address is unreachable no reply will come and server will keep
sending SYN/ACK segment for each request until timeout occurs and connection
aborts.
The success of SYN flooding attack also lies on three things: [10]

• Barrage Size
Barrage size must be large enough to lead the port queue full and reach the
backlog. Backlog is number of connections pending in half-open state.

• Frequency
For a effective SYN flooding attacks new SYN segments must needs to be
send before TCBs of previous segments began to reclaimed.

• IP Addresses
The success of SYN flooding attack lies in unreachable and large set of IP
addresses called ‘Botnet’. Attackers usually ping the IP addresses before
using them for attack via sending ICMP echo request and if ICMP echo
response come back, then that IP will not be used to perform attack.

10

4.4.2 Countermeasures

• Filtering
Ingress filtering defined in RFC 2267 is suggested for preventing attacker to
use set of wide range of forged IP addresses [18]. Ingress filtering ensures
that the packet arrives from the same network from which it claims to be.
This is the best way without needing any modification in TCP.

• Increasing Backlog
Increasing the backlog implies increasing the capacity to hold number of
half-open connections is an easy way to deal with SYN flooding attack. But
Lemon has shown that this can have serious negative affect on the system
state as generally data structures and algorithms are inefficient to deal with
increased backlog [15]. This is needed to be note here that experiments
with increased backlog with efficient data structures and algorithms are not
studied yet [10].

• Reducing SYN-RECEIVED Timer
Reducing the SYN-RECEIVED timer leads to claim the TCBs early. How-
ever, this may leads some legitimate users not to create connection.

• Recycling the Oldest Half-Open TCB
This implies that once the entire backlog is exhausted, incoming SYNs over-
write the oldest half-open TCB entry. But this may lead to disconnect pre-
viously established legitimate connections.

• SYN Cache
SYN cache approach reduces amount of state information maintained for
connections in the SYN-RECEIVED states and allocates full Transmission
control block (TCB) only after the connection has been transited to the
ESTABLISHED state. Hosts implementing a SYN cache have some secret
bits that they select from incoming SYN segments. The secret bits are hashed
along with the IP addresses and TCP ports of the segment, and the hash value
determines the location in a global hash table where the incomplete TCB is
stored. There is a limit for each hash value, and when this limit is reached,
the oldest entry is dropped [16].

• SYN Cookies

11

SYN cookies allocates no state at all for connections in SYN-RECEIVED
state. This technique encodes most of the information required to complete
the three-way handshake into the sequence number of SYN/ACK segment
transmitted. Thus no TCB reserved at site. If SYN was not spoofed, then the
acknowledgement number and other fields in ACK that completes handshake
used and put into the TCB [15].
Drawbacks:

– It provides the limited number of space in the sequence number field
and it is very difficult to encode all the information in initial segment.
for ex; support for selective acknowledgement (SACK).
– If the SYN/ACK segment sent is lost then normal TCP will retransmit
it after timeout as their is a state information at site, but if SYN cookies
are enabled there will be no state and re-transmission is impossible.
– Yanyan Li and Keyu Jiang [20] suggests one more drawback that is ACK
flooding attack.

5 ARP Cache Poisoning Attack

5.1 ARP Protocol

The Address Resolution Protocol (ARP) was originally published in RFC 826 by
David C. Plummer from MIT in 1982 [33]. To communicate with the host on a
network we must know the 48-bit ethernet address (MAC address) of the host.
ARP protocol maps network addresses (IP) to ethernet addresses (MAC). Host
which wants to know the physical address of target host, broadcasts ARP request
on the network. ARP request actually asks ‘any one who has this IP address,
reply with your MAC address’. The host with the given IP unicast ARP reply.
The request generating host caches the <IP, MAC> pairing in its ARP table.
ARP cache is a data structure for storing IP addresses with corresponding MAC
addresses. ARP cache entries expires after some time (in most implementations
20 minutes).

12

Figure 5: ARP header [33]

13

5.2 Theory of Operation

ARP protocol is a stateless protocol. When an ARP reply is received, the host
updates its ARP cache even if the host had not issued a corresponding ARP
request. It means ARP reply is not needed to be authenticated. Most important
point is that this false ARP reply is reflected in ARP cache as soon as host receives
it. However, some implementations check that whether ARP table has some entry
for this IP address before or not. Once the host updates its ARP table, the attacker
also gets the packets intended for some other system.

5.3 Countermeasures

• Huang T. and Bai G. in 2008 in their paper, ‘Method against ARP spoof-
ing based in improved protocol mechanism’ suggests state in ARP protocol.
When the ARP request is sent the state of the the ARP protocol changes to
REQUEST-SENT from INITIAL with a timer activated. When ARP reply
comes the state of the ARP changes to RESPONSE-RECEIVED and then
the cache is updated. If reply doesn't arrives and times out then, it backs to
INITIAL state [34].

Figure 6: Huang solution [34]

DISCUSSION: This procedure will prevent host from ARP spoofing through
instantaneous ARP reply. However, when host is in REQUEST-SENT state,
it is vulnerable to attacks.

• Some firewall and router manufactures have procedure in their products to
detect the ARP spoofing attacks and tell the user but its not enough. soft-

14

wares like arp-guard are in market to recognize changes in the ARP tables and
send these changes to the management system. arp-guard system analyzes
and processes the sensor network messages [35].

• Vipul Roy and Rohit Tripathi in 2005 suggests the use of combinations of dig-
ital signatures and one-time passwords based on hash chains [36]. However,
use of cryptography makes this complex.

• Seung Yeob Nam in 2010 proposed voting-based resolution mechanism to
prevent ARP attacks. This suggests host before updating its own table,
firstly asks other neighboring hosts about the MAC address of respective
host in their ARP table [7].

6 LOT: Light-weight Opportunistic Plug and Play Secure
Tunneling Protocol

According to latest Prolexic Quarterly Global DDoS Attack Report, Quarter 3,
2012, there is a significant increase of 88 % in total number of Distributed Denial
of Service (DDoS) attacks in comparison from last year. The duration of attack
is also tremendously increased to 33 hours from 19 hours. Also, there is 230 %
increase in average attack bandwidth in comparison to last year. China remains at
number 1 attack originating country with total 68.08 % of whole share and 8973
autonomous system network [9].
Hacking activist group ‘Anonymous’ attacks are also increased significantly
from the past few years. This shows the weaknesses in the architecture of our
network.
LOT is a light-weight opportunistic plug and play secure tunneling protocol for
secure and forging free communication. LOT is needed to be installed at communi-
cating network gateways. Once installed one gateway would establish an efficient
tunnel for secure communication with another gateway. Another participating
gateway will be detected automatically [24].
LOT tunnels provides efficient solution for IP spoofing and discards packets
that are originated from forged IP addresses. Thus this makes network free from
denial of service and flooding attacks.
LOT gateways implements local and remote quotas for particular network. In

15

this way it prevents from packet floods from specific network. Moreover attack
originated network would be hindered itself.
Furthermore, LOT uses near source filtering, which allows gateways more
specifically LOT gateways to block certain types of packets permanently or tem-
porarily. This can be done by manual or automatic configuration based on some
learning mechanism (if congestion is greater than certain limit and it is due to
large number of SYN segments, let them not allow to come). This prevents from
network scans and attacks like DNS reflection.
LOT has congestion detection mechanism between gateways. If a packet drop
rate is higher in between tunnels then there might be congestion in the network.
We can take appropriate action afterwards. This helps mitigating denial of service
attacks.
RFC 2267, suggests the use of ingress filtering by all the ISPs in the world.
Ingress filtering enables us to check whether the packet comes from same network
from which it claims to be from [18]. Advanced Network Architecture Group does
a survey in 2011, according to this most of the ISPs have not yet installed ingress
filtering mostly in developing countries. Lack of ingress filtering support and IP
spoofing is very high.
LOT installed gateway adds a pseudo random tag to each packet it sent to other
LOT gateway. Another communicating gateway discards the packet without the
tag or if mismatch occurs. It indicates that it is not originated from the same
network block from which it pretends to be. Thus LOT prevents us from forged
packets and defends against many denial of service attacks.
LOT is practical, requires no coordination between gateways, plug and play
protocol [24].
The code prototype is available online at url: ‘http://lighttunneling.sourceforge.net’.

6.1 Communication Model

As RFC 791 ’Internet Protocol’ by Jon Postel in September 1981 tells IP address
has address space {0, 1}32 [37], LOT protocol states that every entity in network
has address space S of {0, 1}l . Each d ∈ S is an address. Network block address
space B, where B ⊆ S, is in address space of S if, ∃P, a prefix, P∈ {0, 1}l , l’<l
and ∀d, if d ∈ B, then it also holds d ∈ S and d has a prefix P. It is similar to
CIDR notation [24].

16

Network entities are either LOT gateways or hosts behind the network blocks.
Each and every entity e is associated with a single network block N B(e) ⊆ S.
Any host must belong to single address and must belong to network block
|N B(h) = 1|.

Figure 7: LOT communication model [24]

Two network entities e1 and e2 are said to be peer iﬀ,

• N B(e1 ) ⊂ N B(e2 ) and
N B(e1 ) N B(G) N B(e2 ) means,
for eg; entities A, C are peers.

• N B(e2 ) N B(e1 ), N B(e1 ) N B(e2 ) and
N B(e1 ) N B(G) or N B(e2 ) N B(G) for eg; entities F, G and A, D are
peers.

Network entities send and receive messages via source address ‘src’ and desti-
nation address dst. When a message is sent from source ‘src’ towards destination
‘dst’, it reaches to next peer entity e.next(dst) and so on till it reaches to destina-
tion.

17

6.2 Handshake among Gateways

LOT uses stateless handshake procedure for establishment of tunnel between gate-
ways. If there are more than one gateways between two network blocks, individual
tunnel is established between them and for each LOT tunnel it is required to
handshake first. Handshake between two gateways consists of two phases:

• Hello Phase: Once gateway find another gateway it checks the potential
to establish a LOT tunnel. Gateway identifies the network block behind
gateway.

• Network Block Validation: Network block is behind the gateway. In this
phase each gateway has to prove that it can intercept packets sent to network
block behind it.

After handshake gateway receives a proof from other gateway that validation
is done successfully and tunnel is established.

6.2.1 Hello Phase

Let’s take two gateways, hosts in network blocks associated to them wants to
communicates. Gateway A forwards any arbitrary packet from host A behind
it, to host B which belongs to some network block which is not associated with
gateway A, say gateway B. This triggers LOT on originating gateway.
Gateway begins handshake by sending hello message to host B. This message
is intercepted by another gateway on the network, gateway B and it responds.
To reduce the possibility of LOT overhead, Hello requests are sent with very low
probability.
Hello request consists of current time, description of network block behind
gateway and a cryptographic cookie - cookie A, generated by gateway A. Cookie
is generated by pseudo-random function computed over ‘destination address’ and
‘current time’. Network block belongs to some address space {0, 1}l . A network
block is described by (baseaddr,l).
When gateway B intercepts hello request, it sends reply with possibility q ≈
1. Hello response generated by gateway B contains description of network block
associated, cookie A and time A. The hello reply is authenticated by gateway A's
cookie.

18

Figure 8: Phase 1: hello phase [24]

Cookie A sent back in response allows gateway A to keep no state and rest state-
less. This stateless approach make sure that no resources are allocated at sender
side makes it free from resource exhaustion attacks, like in three-way handshake
it may occur [7].

6.2.2 Network Block Validation

Network block is validated by gateway, say gateway A to ensure that whether other
gateway , say gateway B can intercept the traﬃc sent corresponding to its network
block. Validation process is done in several iterations, each iteration validates one
host selected randomly on the network block. However for the sake of reducing
overhead, protocol validates only a portion of the addresses and not the entire
network block.
The most important beneﬁt here is that it maintains no state at sending side
when validating a network block and also it send at most a single packet in response
for every packet received. This prevents it from DoS attacks.

19

Figure 9: Phase 1: network block validation phase [24]

Design:
Each gateway knows network blocks associated with other gateways. Gateways
is network validation phase must be agreed on n, number of iterations. To deal
with the possibility of DoS attacks the global constant on maximum iterations
is set as nmax . Each gateway sends one packet to a random address from target
network block. Since there could be at most 2 ∗ nmax packets that can be sent out
in nmax iterations. This creates limit on number of packets that can be sent. To
avoid network load problem to initiates handshake, handshakes are initiated with
probability 1/2nmax .
The packet contains a random cookie as challenge, if gateway corresponds to
same network block it can intercept the packet otherwise not. Pseudo-random
based function is used to derive destination address and cookie. Response of
previous challenge is included in the next challenge. When gateway receives a
challenge intercepts a challenge it checks its own cookie by reconstructing it on its
site. In order to reconstruct gateway uses its secret key and the parameters used

20

to create the cookie, extracted from response such as time.
After gateway successfully checks the validity of the response, it chooses a new
random destination address in remote network and sends a new challenge. In order
to get validated the new challenge, gateway also echoes previous cookie and time,
iteration number i and maximum number of iterations agreed upon.
This process of challenge and response is repeated n times.

6.3 LOT Packet Structure

In order to encapsulates LOT in a packet, there is a significant modification in IP
header and data. Some of the major changes in original packets are as follows:

• IP flags: DF and MF flags are always unset in IP Header as LOT does not
allow packet fragmentation within the LOT tunnel.

• Protocol Type (Transport Layer Protocol): To indicate that the packet
is encapsulated using LOT, this field is modified. LOT gateways can pass
not only encapsulated packet but also non-encapsulated packet.

• LOT Header: A LOT header is attached with the packet. The most signif-
icant bit of LOT header is outgoing periodic tag.
Field for reconstruction of the original packet including IP flags and transport
protocol.
Field that allow receiving-end gateway to reconstruct the session key.

7 Observation and Discussion

7.1 Redefinition of TCP Three-way Handshake

While studying TCP protocol, I observed few things in three-way handshake.
These things are as follows:

• The success of flooding attacks depends on frequency of SYN segments reach-
ing at server side. Neither increasing backlog nor shortening acknowledge-
ment waiting time at receiver side, will work as these could resist original
user to establish a connection.

21

Figure 10: Redefinition of TCP three-way handshake

Attackers usually send SYN flood messages from set of unreachable IPs. If IPs
are reachable then that system will reply with RST segment and connection
will be aborted. If the backlog is filling fast, why not we firstly ping the
client before sending any reply. Pinging will ensure the IPs are atleast some
existing system and not wasting our resources.
So, I suggest to start pinging the IPs if the backlog is filling fast. We can set
some threshold for it.

• The SYN-cookie mechanism can be further improved so that there would be
no need for maintaining state and allocating the memory. Hence, there is no
need of TCBs.
Client sends ‘SY N ’ to server. Server reply with ‘SY N/ACK/cookieserver ’.
Server generates its cookie cookieserver via client IP address, port address and
client request time and current time at server.
Once it reaches to client, client accepts segment and send ‘ACK/cookieclient /cookieserver ’
to server. Server authenticates its cookie and validates client.
All communication is done like this, no need maintaining any state.

22

Figure 11: Redeﬁnition of TCP three-way handshake

23

• When there occurs a time-out when SYN/ACK is lost. Client should send
the SYN packet again after time-out. Now, server treats it as a brand new
request and creates a new cookie based on client details.

• In Linux, SYN-cookie mechanism is disabled by default but it can be en-
abled via changing value of variable sysctl.net.ipv4.tcp_syncookie to 1, in
/etc/sysctl.conf file.

7.2 Redefinition of ARP Protocol

ARP is a stateless protocol. It maintains no state of ARP queries and replies.
The problem with ARP protocol is that it accepts any ARP reply and updates its
ARP table as soon as any ARP reply received.

Figure 12: Redefinition of ARP protocol

• The probable solution of this problem is to maintain a new data-structure
along with existing ARP table. This data-structure is a dynamic list which
records all the ARP requests we send.

24

When a ARP reply came, before making any changes to ARP table we can
check this list of outstanding requests. If we have sent any corresponding
request asking MAC address for this IP, then we will confirm this ARP reply
by asking few neighbors. According to their response we can decide whether
to add it or not in ARP table.

• We can furthermore improve ARP protocol via originating Reverse Address
Resolution Protocol (RARP) for the MAC address comes in ARP response.
If only one reply came and it matches its fine. But if more than one reply
came, more than one IPs then there is something wrong and response can be
discarded. But this can discard real user too.

8 Conclusion

Recent network attacks has shown how vulnerable our networks are. Flooding,
IP spoofing, cache poisoning attacks and denial of service attacks are becoming a
significant threat. There is a tremendous increase in percentage of attacks from
past few years. The duration of attacks is also increased significantly. The band-
width of attack is also increased. It means this is becoming a serious challenge to
mitigate these.
Ingress filtering was suggested but not yet completely implemented by all ISPs.
TCP SYN cache is good for reducing TCP SYN flooding attacks but it is very com-
plex due to cryptographic implementations. It requires to maintain some state.
TCP cookies can not retransmit the packet if it is lost as there is no state infor-
mation. Huang suggestion for maintaining the state in ARP, somewhat good but
still vulnerable.
LOT protocol is best but it requires LOT protocol to be installed on mostly
gateways on network. All gateways shares a secret key first through vulnerable
network, this can be dangerous. LOT tunnels cannot pass over Network Address
Translators (NATs). However NAT devices do not prevent LOT. It means on NAT
tunnels will be formed to and from the NAT device.
Now, the world is changing. The face of network communication is changing
rapidly. Now use of smart-phones and embedded systems is increasing rapidly.
Now, transactions are now done on smartphones. Smartphones technology is not
yet matured. Cloud computing and mobile computing are attackers future targets.

25

Security in cloud computing is still a major issue. There is a need of reliable,
scalable and fault-tolerant clouds both on system and mobile. Protocols are not
much sophisticated and thus vulnerable to attacks.
The research in developing sophisticated network protocols and applications is
still very important area. So, the ﬁeld is full of challenges and thrust for future
research.

26

Bibliography

[1] “Prolexic Quarterly Global DDoS Attack Report,” Quater 4, 2011.

[2] “Prolexic Quarterly Global DDoS Attack Report,” Quarter 1, 2012.

[3] “2012 Norton Cybersecurity Report,”

[4] Department of Information Technology in http://www.indiabudget.nic.in, Ministry
of Communications and Information Technology, 2012-13.

[5] “Government to warn businesses about cyber crime threat,” BBC, 5 september 2012.

[6] Ross Anderson and Chris Bardon, “Measuring the cost of cybercrime,”

[7] Postel, J, “Transmission Control Protocol, RFC 793,” Defense Advanced Research
Projects Agency, September, 1981.

[8] F. Gont, “Survey of Security Hardening Methods for Transmission Control Protocol
(TCP) Implementations,” Internet Draft, March 2012.

[9] “Prolexic Quarterly Global DDoS Attack Report,” Quarter 3, 2012.

[10] Eddy, W, “TCP SYN Flooding Attacks and Common Mitigations, RFC 4987,” Net-
work Working Group, August, 2007.

[11] Bennahum, D, “PANIX ATTACK,”

[12] daemon9, route, and inﬁnity, “Project Neptune,” vol. 7, , July, 1996.

[13] Shimomura, T. , “Technical details of the attack described by Markoﬀ in
NYT,” in http://www.gont.com.ar/docs/post-shimomura-usenet.txt, Message posted
in USENETs comp.security.misc newsgroup, 1995.

27

[14] S. M. Bellovin , “Security problems in the TCP/IP protocol suite,” vol. 19, ACM
SIGCOMM Computer Communication, April, 1989.

[15] Lemon, “SYN cookies,” in http://cr.yp.to/syncookies.html, read on 5 October, 2012.

[16] Bernstein, D., “Resisting SYN flood DoS attacks with a SYN cache,” Proceedings
of the BSDCon 2002 Conference, 2002.

[17] Zquete, A., “Improving the functionality of SYN cookies,” 6th IFIP Communications
and Multimedia Security Conference (CMS 2002), 2002.

[18] P. Ferguson, “Network Ingress Filtering: Defeating Denial of Service Attacks which
employ IP Source Address Spoofing,” RFC 2267, January 1998.

[19] Beverly, R and Bauer, S., “The Spoofer Project: Inferring the extent of source
address filtering on the Internet,” Proceedings of Steps to Reducing Unwanted Traffic
on the Internet Workshop (SRUTI), 2005.

[20] Li, Yanyan and Keyu Jiang, “Prospect of the Future Internet – A Study Based on
TCP/IP vulnerabilities,” IEEE International Conference on Computing, Measure-
menrt, Control and Sensor Network, 2012.

[21] S.Gavaskar, R.Surendiran and Dr.E.Ramaraj, “ Three Counter Defense Mechanism
for TCP SYN Flooding Attacks,” vol. 6, International Journal of Computer Appli-
cations (0975 – 8887), September 2010.

[22] Dommety, G., “ Key and sequence number extensions to GRE. RFC 2890,” The
Internet Society.

[23] Savage, S. and Wetherall, D, “Practical network support for IP traceback,” Proceed-
ings of the ACM SIGCOMM Conference on Internet Measurement, 2000.

[24] Gilad, Yossi and Hergberg, Amir, “LOT: A Defense Against IP Spoofing and Flood-
ing Attacks,” vol. 15 of 6, ACM Transactions on Information and System Security,
July 2012.

[25] F. Gont and S. Bellovin, “ Defending Against Sequence Number Attacks,” TCP
Maintenance and Minor Extensions (tcpm) , July 7, 2011.

[26] F. Gont and S. Bellovin, “ Defending Against Sequence Number Attacks, RFC 6528,”
TCP Maintenance and Minor Extensions (tcpm) , February 2012.

28

[27] Postel, J., “ TCP and IP bake off, RFC 1025,” September 1987.

[28] Braden, B., “ Extending TCP for Transactions – Concepts, RFC 1379,” November
1992.

[29] Spring, N., Wetherall, D., Ely, D., “Robust Explicit Congestion Notification (ECN)
Signaling with Nonces. RFC 3540,” 2003.

[30] Ramakrishnan, K., Floyd, S., and D. Black, “The Addition of Explicit Congestion
Notification (ECN) to IP, RFC 3168,” September, 2001.

[31] Ely, D., “Firewall spotting and networks analisys with a broken CRC,” in
http://www.phrack.org/phrack/60/p60-0x0c.txt, Phrack Magazine, Volume 0x0b, Is-
sue 0x3c, Phile 0x0c of 0x10., 2002.

[32] Windows 95/NT DoS, “Post to the bugtraq mailing-list,” in
http://seclists.org/bugtraq/1997/May/0039.html, , .

[33] David C. Plummer, “n Ethernet Address Resolution Protocol – or – Converting Net-
work Protocol Addresses to 48-bit Ethernet Address for Transmission on Ethernet
Hardware RFC 826,”

[34] Huang, T. and Bai, G., “Method against ARP spoofing baseed on improved protocol
mechanism,”

[35] “ARP Guard,” in https://www.arp-guard.com/info.

[36] Vipul Goyal and Rohit Tripathy, “An Efficient Solution to the ARP Cache Poisoning
Problem,” Springer-Verlag Berlin Heidelberg 2005.

[37] Postel, J., “Internet Protocol, The Protocol Specification, RFC 791,” DARPA In-
ternet Program.

29

Report on TCP vulnerabilities

More Related Content

What's hot (20)

Similar to Report on TCP vulnerabilities (20)

Report on TCP vulnerabilities