IP and ICMP Exploits

Prabhaker Mateti

Abstract:  This lecture explains a few of the past exploits at the IP level. This work is supported in part by NSF DUE-9951380.

Table of Contents

  1. Educational Objectives
  2. IP Exploits
  3. IP Spoofing
    1. Some Uses of IP Address Forgery
    2. IP Spoofing in a Blind Attack
    3. IP Spoofing in a non-Blind Attack
    4. Detection of IP spoofing
    5. Prevention of IP Spoofing
  4. IP Fragment Attacks
  5. Route Spoofing
  6. ICMP Tunnelling
  7. Lab Experiment
  8. Acknowledgements
  9. References

Educational Objectives

  1. Understand the IP at a detailed level.
  2. Understand spoofing as a basic technique on which attacks can be built.
  3. Understand the reasons for certain IP filtering rules we will use later.

IP and ICMP Exploits

The Internet Protocol (IP) provides two and only two functions: it defines a datagram that can be routed through the Internet, and it provides a means for fragmenting datagrams into packets and reassembling the packets into the original datagram. The IP datagram header is laid out as follows.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                             data                              |
   \                                                               \
   \                                                               \
   |                             data                              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             data              |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
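As an added illustration of the header layout (this code is not part of the lecture), the following Python decodes each field shown above, verifies the RFC 791 header checksum, and expands the Flags and Fragment Offset bits that the fragment attacks discussed later depend on. The datagram it parses is constructed inside the example.

```python
import ipaddress
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 791 checksum; over a header with a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4_header(pkt: bytes) -> dict:
    """Decode the header diagram's fields; ValueError if malformed."""
    if len(pkt) < 20:
        raise ValueError("truncated: fewer than 20 bytes")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4 (version=%d)" % version)
    hlen = ihl * 4                            # IHL counts 32-bit words
    if hlen < 20 or hlen > len(pkt) or total_len < hlen:
        raise ValueError("bad IHL / Total Length")
    if ip_checksum(pkt[:hlen]) != 0:
        raise ValueError("header checksum mismatch")
    return {"version": version, "ihl": ihl, "tos": tos, "id": ident,
            "total_length": total_len, "ttl": ttl, "protocol": proto,
            "df": bool(flags_frag & 0x4000),          # Don't Fragment
            "mf": bool(flags_frag & 0x2000),          # More Fragments
            "frag_offset": (flags_frag & 0x1FFF) * 8,  # field is in 8-octet units
            "checksum": csum, "options": pkt[20:hlen],  # raw Options + Padding
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}

def header_is_valid(pkt: bytes) -> bool:
    try:
        parse_ipv4_header(pkt)
        return True
    except ValueError:
        return False

def build_sample_datagram() -> bytes:
    """Constructed sample: DF set, protocol 6 (TCP), TTL 64, 8 payload bytes."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1C46, 0x4000, 64, 6, 0,
                      ipaddress.IPv4Address("192.168.0.1").packed,
                      ipaddress.IPv4Address("192.168.0.199").packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]  # fill checksum
    return hdr + b"\x00" * 8
```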


Spoofing

On the Internet, "to spoof" can mean:

  1. To deceive for the purpose of gaining access to someone else's resources (for example, to fake an Internet address so that one looks like a certain kind of Internet user)
  2. To simulate a communications protocol by a program that is interjected into a normal sequence of processes for the purpose of adding some useful function
  3. To playfully satirize a Web site.

IP Spoofing

IP spoofing replaces the IP address of (usually) the sender or (in rare cases) the destination with a different address.  Because the IP layer of the OS normally adds these IP addresses to a data packet, a spoofer has to circumvent the IP layer and talk directly to the raw network device.  IP spoofing is normally used to deposit another exploit on the target machine.

The attacker A takes over the identity of a trusted host T in order to subvert the security of the target host U. The trusted host T is either discovered to be down (temporarily for a few seconds say) or is disabled using a variety of methods.  In the blind attack A is unable to see the replies, if any, that U gives T.  In the non-blind attack, all conversation between U and T is seen by A.  Depending on how carefully the intervening routers are configured, it is not necessary that A reside on the same subnet as T.

Any services that authenticate based on the IP addresses or host names are vulnerable.  Services that are so vulnerable to the IP spoofing attack include RPC,  NFS, r-commands, anything wrapped by the TCP daemon wrappers, X windows, and other applications that use source IP addresses for authentication.

Some Uses of IP Address Forgery

[using Dunnigan and Nofi's classification scheme]

  1. Concealment: IP address forgery is commonly used to conceal the identity of an attacker, especially when denial of services is the goal of the attack.
  2. Camouflage: IP address forgery is used to make one site appear to be another as a way to convince the victim, for example, that an attack is from a University, when in fact it is from a competitor.
  3. False and Planted Information: IP address forgery can be used to create the impression that a particular site is acting maliciously in order to create friction or lead a defender to falsely accuse an innocent third party.
  4. Reuses: IP address forgery can be used to support another activity designed to gain the confidence of the defender. For example, a salesperson for information security products could create IP address forgeries in order to convince a client of the need for their services.
  5. Displays: IP address forgery has been used in order to lead defenders to believe that many sites are participating in an attack when in fact only a small number of individuals are responsible.
  6. Demonstrations: IP address forgery has been used to demonstrate a potential for untraceable attacks as a way to convince defenders not to try to catch attackers.
  7. Feints: IP address forgery can be used to try to fool an enemy into believing that an attack is coming from outside or from a particular direction, when the real attack is very different. This is a way to misdirect the enemy into spending limited resources in the wrong way.
  8. Lies: IP address forgery has been used to create a more convincing lie that somebody known to the defender is communicating with them about a particular matter.
  9. Insight: IP address forgery can be used to gain insight into how an opponent reacts and as a sort of probe to determine what sorts of responses are likely to arise.

Another way to view this issue is in terms of the net effect on information in information systems.

  1. Corruption of Information: IP addresses are often used as the basis for Internet control decisions. For example, DNS updates are often designated as coming only from specific other servers. With IP address forgery, the entire DNS system could be corrupted, causing services to be rerouted through enemy servers.
  2. Denial of Services: The Internet is basically a fragile network that depends on the proper behavior and good will of the participants for its proper operation. Without wide-ranging changes to the way the Internet works, denial of services is almost impossible to prevent. For example, the same DNS attack could be used to cause widespread denial of services, or perhaps even to create loops in the packet delivery mechanisms of the Internet backbone.
  3. Leakage of Information: Forged IP addresses can be used to cause a host to take orders for the delivery of information to enemy sites by forging authorization as if it were from a legitimate authorizing site.
  4. Misplaced Liability: Forged IP addresses could be used, as described above under False and Planted Information, to cause defenders to assert claims against innocent bystanders and to lay blame at the wrong feet. These are only some of the examples of what forged IP addresses can do. Without a lot of effort, many other examples can be created.


IP Spoofing in a Blind Attack

The attacker A takes over the identity of a trusted host T in order to subvert the security of the target host U. The trusted host T is disabled using a method described in a later section. As far as U knows, it is carrying on a conversation with its trusted pal T. The IP datagrams sent by A with the forged source address reach the target U fine, but the datagrams U sends back (destined for T) end up in the bit-bucket: the attacker A never sees them, hence the name of this attack. The intervening routers do route U's response packets to T, but T's TCP layer discards them because they are "replies" to packets it never sent. So the attacker must know what was sent and predict what response the server will send.

IP Spoofing in a non-Blind Attack

Non-blind spoofing is related to session hijacking, and will be described in a later lecture.

Route Spoofing

There are three main mechanisms by which an attacker can spoof routing information.

  1. An attacker sends out an ICMP redirect packet with the source address set to the regular gateway. The packet also contains the "new" gateway to use. The recipient of such a packet is expected to change its routing table, replacing the old gateway with the new one.
  2. RIP-based attacks work by broadcasting illegitimate routing information to passive RIP hosts and routers via UDP port 520. In both of the above cases, the redirection can be made to any host chosen by the attacker.
  3. Source routing allows the sending host to choose a route that a packet must travel to get to its destination.  Traffic coming back to that host will take the reverse route.  The attacker designs a route so that the packets go through his site. 
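An added example (not from the lecture) of the receiving host's side of the ICMP redirect mechanism in item 1: the parser, the acceptance checks, the sample addresses and the use of the Linux sysctl name are this example's own assumptions. Because the forged redirect carries the real gateway's source address, the sender check alone cannot stop it, which is why a hardened host ignores redirects entirely.

```python
import ipaddress
import struct

def parse_icmp_redirect(msg: bytes) -> dict:
    """Decode an ICMP Redirect (type 5): code, the advertised gateway, and the
    destination from the original IP header quoted after the 8-byte ICMP header."""
    if len(msg) < 28:
        raise ValueError("too short for a redirect with a quoted IP header")
    itype, code, _csum, gw = struct.unpack("!BBH4s", msg[:8])
    if itype != 5:
        raise ValueError("not a redirect (type=%d)" % itype)
    quoted_dst = msg[24:28]            # Destination Address of the quoted header
    return {"code": code,
            "new_gateway": str(ipaddress.IPv4Address(gw)),
            "for_destination": str(ipaddress.IPv4Address(quoted_dst))}

def should_accept_redirect(sender, msg, current_gateway, local_net,
                           accept_redirects=False):
    """Host-side decision. Redirects are ignored outright unless accept_redirects
    is set (the posture of net.ipv4.conf.all.accept_redirects = 0 on Linux), and
    even then only those that (a) come from the first-hop gateway currently in use
    and (b) name a new gateway on the directly connected network (RFC 1122 3.2.2.2).
    Returns (accept, reason)."""
    if not accept_redirects:
        return False, "redirect acceptance is disabled on this host"
    r = parse_icmp_redirect(msg)
    if ipaddress.IPv4Address(sender) != ipaddress.IPv4Address(current_gateway):
        return False, "sender %s is not the current first-hop gateway" % sender
    if ipaddress.IPv4Address(r["new_gateway"]) not in ipaddress.IPv4Network(local_net):
        return False, "new gateway %s is not on the local network" % r["new_gateway"]
    return True, "route for %s now via %s" % (r["for_destination"], r["new_gateway"])

def build_sample_redirect(new_gateway, original_dst, code=1) -> bytes:
    """Constructed sample Redirect-for-Host (code 1) with a minimal quoted IP
    header; the ICMP checksum is left zero because this example does not verify it."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.IPv4Address("10.1.1.7").packed,
                         ipaddress.IPv4Address(original_dst).packed)
    return struct.pack("!BBH4s", 5, code, 0,
                       ipaddress.IPv4Address(new_gateway).packed) + quoted
```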



DNS Spoofing

Spoofing of the DNS can occur when the DNS server has been compromised by a security attack. The spoof could happen in two ways: when the security attack itself modifies the server's tables, or when the attacker modifies the tables after having compromised the security of the DNS server. DNS has two types of "nameservers": primary and secondary. There can only be one primary nameserver, and it is the most "authoritative" one can find within a domain's namespace. The secondary nameservers get their information from the primary nameserver. If the primary nameserver has been compromised, all the secondary nameservers will have incorrect information. If such information eventually propagates throughout the entire Internet, it may have devastating effects.

Detection of IP spoofing

We can monitor packets using network-monitoring software (such as netlog).  A packet on an external interface that has both its source and destination IP addresses in the local domain is an indication of IP spoofing.  Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine, there will be no corresponding entry for initiating that remote access.

Prevention of IP Spoofing

All routers must employ proper IP filtering rules.  They should only route packets from sources that could legitimately come from the interface the packet arrives on.  Most routers now have options to turn off the ability to spoof IP source addresses by checking the source address of a packet against the routing table to ensure the return path of the packet is through the interface it was received on. We will be discussing IP filtering techniques and tools in a later lecture.
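An added example (not part of the lecture) of the reverse-path check described here, applied to a constructed routing table and constructed packet records; it also implements the monitoring rule from the previous section, flagging a datagram on an external interface whose source and destination are both local. Interface names, prefixes and addresses are assumptions of the example.

```python
import ipaddress

# Constructed routing table for a border router: prefix -> interface used to
# reach it. eth0 faces the upstream provider; eth1/eth2 are internal segments.
ROUTES = {
    "192.0.2.0/24": "eth1",
    "198.51.100.0/24": "eth2",
    "0.0.0.0/0": "eth0",          # default route toward the Internet
}
EXTERNAL_IFACES = {"eth0"}

def lookup_egress(addr, routes=ROUTES):
    """Longest-prefix match: the interface the router would send to addr on."""
    a = ipaddress.IPv4Address(addr)
    best = None
    for prefix, iface in routes.items():
        net = ipaddress.IPv4Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def passes_reverse_path_check(src, in_iface, routes=ROUTES):
    """Strict reverse-path check, the router option described above: accept a
    packet only if the route back to its source address leaves through the
    interface on which the packet arrived."""
    return lookup_egress(src, routes) == in_iface

def is_spoof_indicator(src, dst, in_iface, routes=ROUTES):
    """The monitoring rule from the detection section: a datagram arriving on
    an external interface whose source and destination are both local."""
    return (in_iface in EXTERNAL_IFACES
            and lookup_egress(src, routes) not in EXTERNAL_IFACES
            and lookup_egress(dst, routes) not in EXTERNAL_IFACES)

# Constructed packet records: (source, destination, arrival interface).
SAMPLE_PACKETS = [
    ("203.0.113.5", "192.0.2.10", "eth0"),   # ordinary inbound traffic
    ("192.0.2.77", "192.0.2.10", "eth0"),    # local source arriving from outside
    ("192.0.2.10", "203.0.113.5", "eth1"),   # ordinary outbound traffic
    ("10.9.9.9", "203.0.113.5", "eth1"),     # inside host using a forged source
]

def dropped_packets(packets=SAMPLE_PACKETS, routes=ROUTES):
    """Packets a router applying the strict reverse-path check would drop; the
    fourth sample shows the same rule also stops spoofed packets leaving the site."""
    return [p for p in packets if not passes_reverse_path_check(p[0], p[2], routes)]
```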

IP Fragment Attacks

When a packet is too large to be sent as a single IP packet on a link, due to interface hardware limitations for example, it can be split up by an intermediate router unless the Don't Fragment flag prohibits it. IP fragmentation occurs when a router receives a packet larger than the MTU (Maximum Transmission Unit) of the next network segment. All fragments of one packet carry the same Identification field value, and the Fragment Offset indicates the position of the current fragment within the original, pre-split packet. Intermediate routers are not expected to reassemble the fragments. The final destination reassembles all the fragments of an IP packet and passes it to the higher protocol layers (such as TCP or UDP).

In the IP layer implementations of nearly all operating systems, there are bugs in the reassembly code. An attacker can create and send a pair of carefully crafted but malformed IP packets which, in the process of reassembly, cause a server to panic and crash. Two well-known attack programs of this kind are teardrop and land.
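The checks a destination's reassembly code should make before touching its buffer, as an added example that is not from the lecture or from any particular operating system. Fragments are given as (Identification, byte offset, More Fragments flag, payload) tuples; the constructed `TEARDROP` set has a second fragment whose offset falls inside the first, the overlapping-fragment pattern that unchecked reassemblers mishandle.

```python
MAX_DATAGRAM = 65535   # largest Total Length an IP datagram can have

# Fragments are (identification, offset_in_bytes, more_fragments, payload); the
# offset is the header field already multiplied by 8.
# Constructed samples: a well-formed set, and a teardrop-style set whose second
# fragment starts inside the first one.
GOOD = [(7, 0, True, b"A" * 16), (7, 16, True, b"B" * 16), (7, 32, False, b"C" * 5)]
TEARDROP = [(8, 0, True, b"A" * 32), (8, 24, False, b"B" * 4)]

def check_fragments(frags):
    """Validate fragments that share one Identification value. Returns
    (ok, reason). Rejects overlaps, datagrams that would exceed 65535 bytes,
    non-final fragments whose length is not a multiple of 8, and sets that
    are not yet complete (holes, or no final fragment)."""
    if not frags:
        return False, "no fragments"
    if len({f[0] for f in frags}) != 1:
        return False, "fragments belong to different datagrams"
    frags = sorted(frags, key=lambda f: f[1])
    expected_next = 0
    for i, (_ident, off, mf, data) in enumerate(frags):
        end = off + len(data)
        if end > MAX_DATAGRAM:
            return False, "fragment at offset %d ends past 65535" % off
        if off < expected_next:
            return False, "fragment at offset %d overlaps the previous one" % off
        if off > expected_next:
            return False, "hole before offset %d; datagram incomplete" % off
        if mf and len(data) % 8:
            return False, "non-final fragment length %d not a multiple of 8" % len(data)
        if not mf and i != len(frags) - 1:
            return False, "a fragment without MF is not the last one"
        expected_next = end
    if frags[-1][2]:
        return False, "last fragment still has MF set; datagram incomplete"
    return True, "ok"

def reassemble(frags) -> bytes:
    """Join the payloads only after every check passes; never compute buffer
    lengths from offsets that have not been validated."""
    ok, reason = check_fragments(frags)
    if not ok:
        raise ValueError(reason)
    return b"".join(f[3] for f in sorted(frags, key=lambda f: f[1]))
```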

Microsoft issued a patch for an IP fragment attack as recently as May 19, 2000; see http://www.microsoft.com/technet/security/bulletin/fq00-029.asp

ICMP Smurfing

"Smurf" is the name of an automated program that attacks a network by exploiting IP broadcast addressing and certain other aspects of Internet operation. Smurf and similar programs can cause the attacked part of a network to become "inoperable." The exploit of smurfing, as it has come to be known, takes advantage of certain known characteristics of the Internet Protocol (IP) and the Internet Control Message Protocol (ICMP). The ICMP is used by network nodes and their administrators to exchange information about the state of the network. ICMP can be used to ping other nodes to see if they are operational. An operational node returns an echo message in response to a ping message.

A smurf program builds a network packet that appears to originate from another address (this is known as "spoofing" an IP address). The packet contains an ICMP ping message addressed to an IP broadcast address, meaning all IP addresses in a given network. If the routing device delivering traffic to that broadcast address performs the IP-broadcast-to-layer-2-broadcast function, most hosts on that IP network will each reply with an ICMP echo reply. The echo responses to the ping message are sent back to the "victim" address. Enough pings and resultant echoes can flood the network, making it unusable for real traffic.

The "smurf" attack's cousin is called "fraggle", which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf".

There are two parties who are hurt by this attack: the intermediary (broadcast) devices, and the spoofed address target. The attackers rely on the ability to send source-spoofed packets to the "amplifiers" in order to generate the traffic which causes the denial of service. In order to stop this, all networks should perform filtering either at the edge of the network where customers connect (access layer) or at the edge of the network with connections to the upstream providers, so that packets with spoofed source addresses can neither enter from downstream networks nor leave for upstream networks.

One way to defeat smurfing is to disable IP broadcast addressing at each network router since it is seldom used. This is one of several suggestions provided by the CERT Coordination Center.  The CERT Coordination Center's Advisory on "smurf" IP Denial-of-Service Attacks provides an explanation and suggestions for network administrators on how to avoid being part of a smurf attack.
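An added example (not from the lecture or from the CERT advisory) of what a monitor on either affected network can look for, run over constructed ICMP records: echo requests aimed at the directed-broadcast address of a local network (the amplifier side) and a burst of echo replies to one destination from many distinct sources (the victim side). The addresses, window and threshold are assumptions of the example.

```python
import ipaddress
from collections import defaultdict

LOCAL_NETS = [ipaddress.IPv4Network("192.0.2.0/24")]   # assumed local network

# Constructed records: (seconds, src, dst, icmp_type); 8 = echo request, 0 = echo reply.
SAMPLE = [
    (0.0, "203.0.113.9", "192.0.2.255", 8),             # request to our directed broadcast
    *[(0.1 + i * 0.01, "192.0.2.%d" % (10 + i), "203.0.113.9", 0)
      for i in range(12)],                               # twelve amplified replies
    (5.0, "192.0.2.10", "198.51.100.4", 8),             # an ordinary ping from inside
    (5.1, "198.51.100.4", "192.0.2.10", 0),
]

def broadcast_echo_requests(records, nets=LOCAL_NETS):
    """Amplifier side: echo requests whose destination is the directed-broadcast
    address of one of our networks; a router that forwards them is an amplifier."""
    bcasts = {str(n.broadcast_address) for n in nets}
    return [r for r in records if r[3] == 8 and r[2] in bcasts]

def reply_floods(records, window=1.0, min_sources=10):
    """Victim side: destinations that receive echo replies from at least
    min_sources distinct hosts within any `window`-second span.
    Returns {destination: distinct sources seen in the first such span}."""
    replies = defaultdict(list)
    for t, src, dst, itype in records:
        if itype == 0:
            replies[dst].append((t, src))
    flagged = {}
    for dst, events in replies.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            sources = {s for t, s in events[i:] if t - t0 <= window}
            if len(sources) >= min_sources:
                flagged[dst] = len(sources)
                break
    return flagged
```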


ICMP Tunneling

It's possible to transmit data in ICMP ECHO request and reply messages.  This allows you to code simple client/server applications that ride on IP directly and don't require transport layer overhead.


Lab Experiment

tbd


Acknowledgements


References


  1. Brecht Claerhout, "A short overview of IP spoofing: PART I," 1996. Recommended reading.
  2. Craig A. Huegen, "The Latest in Denial of Service Attacks: 'Smurfing': Description and Information to Minimize Effects," Feb 2000, http://www.quadrunner.com/~chuegen/smurf.txt. Recommended reading.