
Lecture 16: TCP/IP Vulnerabilities and DoS Attacks: IP Spoofing, SYN Flooding, and The Shrew DoS Attack

Lecture Notes on Computer and Network Security by Avi Kak
10, 2022 4:58pm
2022 Avinash Kak, Purdue University

Goals:
- To review the IP and TCP packet headers
- Controlling TCP Traffic Congestion and the Shrew DoS Attack
- The TCP SYN Flood Attack for Denial of Service
- IP Source Address Spoofing Attacks
- BCP 38 for Thwarting IP Address Spoofing for DoS Attacks
- Python and Perl Scripts for Mounting DoS Attacks with IP Address Spoofing and SYN Flooding
- Troubleshooting Networks with the Netstat Utility

TCP and IP

We now live in a world in which the acronyms TCP and IP are almost as familiar as some other computer-related words like bits, bytes, megabytes, etc.

IP stands for the Internet Protocol that deals with the routing of packets from one host to another in a network. A host can be any digital device with a communications interface. It may be a computer, a smartphone, a router, etc.

On the other hand, TCP, which stands for Transmission Control Protocol, has the job of ensuring that the data packets delivered by the IP protocol did arrive at their destination. You could say that the TCP protocol sits on top of the IP protocol in the sense that TCP asks IP to send a packet to its destination and then makes sure that the packet was actually received at the destination.

A less reliable version of TCP is UDP (User Datagram Protocol). Despite the pejorative sense associated with the phrase "less reliable", UDP is extremely important to the working of the internet, as you will discover in this and the next Lecture.

The different communication and application protocols that regulate how computers work together are commonly visualized as belonging to a layered organization of protocols that is referred to as the TCP/IP protocol stack. Some of the more important protocols in this stack are presented in the next section.

THE TCP/IP PROTOCOL STACK

The TCP/IP protocol stack is most commonly conceived of as consisting of the following seven layers:

7. Application Layer (HTTP, HTTPS, FTP, SMTP, SSH, SMB, POP3, DNS, NFS, etc.)
6. Presentation Layer (MIME, XDR)
5. Session Layer (TLS/SSL, NetBIOS, SOCKS, RPC, RMI, etc.)
4. Transport Layer (TCP, UDP, etc.)
3. Network Layer (IPv4, IPv6, ICMP, IPSec, IGMP, etc.)
2. Data Link Layer (MAC, PPP, SLIP, ATM, etc.)
1. Physical Layer (Ethernet (IEEE 802.3), WiFi (IEEE 802.11), USB, Bluetooth, etc.)

This 7-layer model of the protocols is referred to as the OSI (Open Systems Interconnection) model. In the literature on computer networks, you'll also see an older 4-layer model in which the Application Layer is a combination of the top three layers of the OSI model. That is, the Application Layer in the 4-layer model combines the Application Layer, the Presentation Layer, and the Session Layer of the OSI model. Additionally, in the 4-layer model, the Data Link Layer and the Physical Layer of the OSI model are combined into a single layer called the Link Layer. Also note that the Network Layer is frequently also called the Internet Layer and the IP Layer.

Even though TCP and IP are just two of the protocols that reside in the stack, the entire stack is commonly referred to as the TCP/IP protocol stack. That is because of the centrality of the roles played by the TCP and the IP protocols. The rest of the protocol stack would be rendered meaningless without the TCP and the IP protocols.

Regarding the Application Layer, the acronym HTTP stands for the HyperText Transport Protocol and the related HTTPS stands for HTTP Secure. These are the main protocols used for requesting and delivering web pages. When you click on a URL that begins with the string http://.. or the string https://.., you are asking the HTTP protocol in the former case and the HTTPS protocol in the latter case to fetch a web page for you. Another famous protocol in the Application Layer is SMTP for Simple Mail Transfer Protocol. With regard to the other protocols mentioned in the Application Layer, in all likelihood you are probably already well conversant with SSH, FTP, etc. [For Windows users, the SMB (Samba) protocol in the Application Layer is used to provide support for cross-platform (Microsoft Windows, Mac OS X, and other Unix systems) sharing of files and printers.]

[Back in the old days, the SMB protocol operated through the NetBIOS protocol in the Session Layer. NetBIOS, which stands for "Network Basic Input/Output System", is meant to provide network-related services at the Session Layer. Ports 139 and 445 are assigned to the SMB protocol. The acronym SMB stands for "Server Message Block".]

The purpose of the Presentation Layer is to translate, encode, compress, and apply other transformations to the data, if necessary, in order to condition it appropriately for processing by the protocols in the lower layers on the mentioned in Lecture 2, the data payload in all internet communications is based on the assumption that it consists solely of a set of characters that possess commonly used protocol in the Presentation Layer is MIME, which stands for Multipurpose Internet all email is transmitted using the SMTP protocol in the Application Layer through the MIME protocol in the Presentation Layer.

The protocol XDR, which stands for "Extensible Data Representation", is another protocol that is used for safe transfer of data between computers.

As to what is meant by a session in the Session Layer protocols, a session may consist of a single request from a client for some data from a server, or, more generally, a session may involve multiple back-and-forth exchanges of data between two endpoints of a communication security is an issue, these data transfers, whether in a single client request or in multiple back-and-forth exchanges, must be the reason for why TLS/SSL is in the Session Layer. TLS stands for the Transport Layer Security and SSL for Secure Socket Layer.

The most important protocol in the Transport Layer is TCP (Transmission Control Protocol).

Its job is to provide for reliable exchange of data between two endpoints, and, equally importantly, to provide mechanisms for congestion control. The word "reliable" means that a sending endpoint knows for sure that the data actually arrived at the receiving a reliable service is provided by TCP (Transmission Control Protocol). [As you would guess, ensuring reliability means that the sending endpoint must receive an acknowledgment message from the receiving endpoint for each transmission.] Congestion control means the ability of a sending TCP to ramp up or ramp down the rate at which it sends out information in response to the ability of the receiving TCP to keep up with the traffic.

The other commonly used Transport Layer protocol, UDP (User Datagram Protocol), is used for quickly checking on the status of hosts and routers in the internet, for the transmission of error messages to the upstream hosts and routers in a communication link, fetching snippets of information from other hosts and routers, UDP does not engage in elaborate handshaking and acknowledgments, it is a faster protocol and critical to the overall efficiency with which the internet operates.

The primary job of the Network Layer protocols is to take care of network addressing. When a protocol in this layer receives a byte stream (referred to as a datagram or a packet) from an upper layer, it attaches a header with that byte stream that tells the protocols in the lower layers as to where exactly the data is supposed to go in the internet. The data packet may be intended for a host in the same local network or in a remote network, in which case the packet will have to pass through one or more routers.

Perhaps the most important protocol at the Data Link Layer is the Media Access Control (MAC) protocol. The MAC protocol provides the addressing mechanism [you have surely heard of MAC addresses that are associated with Ethernet and WiFi interfaces that reside at the Physical Layer, as mentioned in the next bullet.] for data packets to be routed to a particular machine in a LAN (Local Area Network). The MAC protocol also uses sub-protocols, such as the CSMA/CD (Carrier Sense Multiple Access with Collision Detection) protocol, to decide when the machines connected to the same communication medium, such as a LAN, should communicate. [Consider the case of a small LAN in your house or in a small business in which all the computers talk to the Computer-to-computer communications in such a LAN is analogous to a group of people trying to have a conversation. If everyone speaks at the same time, no one will hear/understand anything. So the participants in a group conversation must observe some etiquette so that everyone can be heard. The CSMA protocol is one way to ensure the same for the case of computers in the same LAN.
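The Network Layer step described above (attaching a header that says where a byte stream should go, then choosing between direct delivery on the local network and a router) is shown here as an added Python example that is not part of the lecture notes. The function names are assumptions made for illustration, and the addresses are constructed samples from the RFC 5737 documentation ranges.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(payload: bytes, src: str, dst: str, proto: int = 6, ttl: int = 64) -> bytes:
    """Attach an IPv4 header to a byte stream handed down by the Transport Layer."""
    def header(csum: int) -> bytes:
        return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + len(payload), 0, 0,
                           ttl, proto, csum,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    # The checksum is computed over the header with its checksum field zeroed.
    return header(checksum(header(0))) + payload

def parse(packet: bytes) -> dict:
    """Recover the addressing fields; reject truncated or corrupted headers."""
    if len(packet) < 20:
        raise ValueError("truncated packet")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or not ihl <= total_len <= len(packet):
        raise ValueError("malformed IPv4 header")
    if checksum(packet[:ihl]) != 0:   # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": packet[ihl:total_len]}

def next_hop(dst: str, local_net: str, gateway: str) -> str:
    """Same local network: deliver directly. Remote network: hand to a router."""
    on_link = ipaddress.ip_address(dst) in ipaddress.ip_network(local_net)
    return dst if on_link else gateway

if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation addresses).
    pkt = encapsulate(b"segment from TCP", "192.0.2.10", "198.51.100.7")
    print(parse(pkt))
    print(next_hop("198.51.100.7", "192.0.2.0/24", "192.0.2.1"))
```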

