TCP/IP and their attacks

There’s an ever-increasing amount of talk about hacking in the news, but what exactly happens? Well, Denial of Service (DoS) and Distributed DoS (DDoS) are both pressing problems and it appears they will continue to be so in the foreseeable future. At the basic level of networking, your computer and the internet send packets of information back and forth to each other. Your computer might send a packet saying “Hey, please show me this webpage” and the other side responds by fetching the webpage and sending it to your screen. Some of the most common attacks are:

SYN flooding: Sending a large amount of SYN packets and never acknowledging any of the replies received, leaving the server hanging on the line. This consumes network capacity and fills up the recipient’s buffer of half-open connections.

ICMP attack: Aka “smurfing”, this exploits the Internet Control Message Protocol, where users send an echo packet to see if a host is alive. With “Smurf Amplifying”, the malicious user sends an echo request with the victim as the sender to multiple smurf amplifiers (addresses shared by many hosts). When these respond, the victim is drowned in incoming traffic. (Anderson, 2008, pp. 638-639)

SNMP attack: The Simple Network Management Protocol monitors and manages network devices. Attacks send malicious network requests, flooding the network and preventing legitimate network requests from being served. (Dejan and Mladen Ðuro Veinovic, 2013)

The malicious-packet DDoS is certainly interesting. Sending a continuous stream of small pings might cause a buffer to overflow on the remote host and crash it. The ping packet can be made up to 65536 bytes; however, it will be fragmented and sent in smaller groups of 8 octets each.

It’s even possible to try this out with just plain old Notepad, for educational purposes of course. (Shekhar, 2016)

Malformed packet attacks can contain invalid data or be of an illegal packet size. There are two types of Ping of Death attack; one simply sends packets larger than the default 32 bytes, overwhelming the victim’s system with returning packets. The other uses a C# program and raw sockets to increase the number and speed of the packets, in addition to their size. The advantage of this attack is speed: by bypassing the standard TCP socket with raw sockets, checks and safeguards are removed, and the malicious user can send request packets while ignoring any replies. (Elleithy et al., 2005, pp.66)

There certainly seem to be a lot of ways to perform malicious attacks online. The original thought behind the web was friendly interaction and trust; now we have PGP signing parties to verify authenticity and have to figure out ways to protect our TCP/IP connections.

A funny and informative summary of various attacks and how they work: (embedded media not reproduced here)

How to improve the TCP/IP protocol to avoid attacks:

One of the problems associated with DDoS is the inability to cancel disruptive flows of packets before they consume the victim’s network resources with traffic. Yaar, Perrig and Song (2004) mention that typical solutions to help alleviate this problem are per-flow state at routers, ISP collaboration and overlay infrastructures. They suggest a solution called the Stateless Internet Flow Filter, allowing the end-host to stop individual flows from reaching the network. Network traffic is divided into privileged and unprivileged, where privileged traffic is prioritised and controlled by the recipient and unprivileged traffic is general traffic. Handshaking is done with the routers in the network to determine capabilities, and privileged channels are established. If a server and its clients employ this protocol, they can stop unprivileged packet flooding.

Cerroni et al. (2009, pp.417-430) propose a security feature for detecting SNMP attacks early. Their idea is to use data mining techniques to process traffic information. Monitoring stations on hosts using the SNMP protocol are interconnected, sharing a knowledge base and thereby separating normal traffic from malicious traffic. Early detection, and indeed identifying that an attack is under way at all, have been among the difficulties with DDoS attacks. (Yaar, Perrig and Song, 2004)

Microsoft advises administrators on how to set up their server to modify the way TCP/IP works and to address some of the types of DDoS – namely SYN flood, ICMP attacks and SNMP attacks. Their configuration allows the admin to enable SYN flood protection when an attack is detected and to set threshold values to determine what constitutes an attack. (Meier et al., 2006)

Both prevention and early detection are needed in order to restrict the damage these attacks inflict. Knowing the normal traffic of your webserver is necessary to identify when you have much more traffic than usual, which might indicate an attack. (Rubens, 2016) Some standard methods for mitigating an attack are:

  • Rate limit at the router in order to stop the web server from being overworked
  • Look at the sources and create filters in your router so that it drops obviously malicious-sourced packets
  • Half-open connections can be timed out with a shorter time limit
  • Spoofed or malformed packets can be dropped
  • Lower the SYN, ICMP and UDP flood drop thresholds
  • Call the ISP or hosting provider to let them know of the attack
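To make the SYN flooding mechanism described earlier and two of the mitigations in this list concrete (timing out half-open connections sooner and rate limiting per source), here is a small simulation added for this page; it is not code from any of the cited sources, and the addresses, backlog capacity, timeout and limit values are made up for illustration.

```python
from collections import deque

class HalfOpenTable:
    """Toy model of a server's half-open (SYN seen, no ACK yet) connection table with
    two mitigations from the list above: a short half-open timeout and a per-source
    SYN rate limit. Constructed simulation, not a real TCP stack; times are in ms."""
    def __init__(self, capacity, timeout_ms, per_src_limit, window_ms=1000):
        self.capacity, self.timeout, self.limit, self.window = capacity, timeout_ms, per_src_limit, window_ms
        self.pending = {}   # (src, port) -> ms when the SYN arrived
        self.recent = {}    # src -> deque of ms timestamps of admitted SYNs
        self.stats = dict(accepted=0, rate_limited=0, backlog_full=0, expired=0, completed=0)
    def expire(self, now):  # drop half-open entries older than the timeout
        stale = [k for k, t in self.pending.items() if now - t > self.timeout]
        for k in stale:
            del self.pending[k]
        self.stats["expired"] += len(stale)
    def on_syn(self, src, port, now):
        self.expire(now)
        q = self.recent.setdefault(src, deque())
        while q and now - q[0] >= self.window:   # slide the per-source window
            q.popleft()
        if len(q) >= self.limit:                 # too many SYNs from this source
            self.stats["rate_limited"] += 1
            return False
        if len(self.pending) >= self.capacity:   # backlog full: the SYN is dropped
            self.stats["backlog_full"] += 1
            return False
        q.append(now)
        self.pending[(src, port)] = now
        self.stats["accepted"] += 1
        return True
    def on_ack(self, src, port):  # handshake completed: entry leaves the half-open table
        if self.pending.pop((src, port), None) is None:
            return False
        self.stats["completed"] += 1
        return True

def simulate(timeout_ms, per_src_limit):
    """Constructed traffic: one source sends 500 SYNs over 5 s and never ACKs, while a
    legitimate client sends one SYN per second and completes each handshake.
    Returns (handshakes the legitimate client completed, table statistics)."""
    table = HalfOpenTable(128, timeout_ms, per_src_limit)
    flood_src, good_src, good_ok = "198.51.100.7", "192.0.2.10", 0
    for i in range(500):
        now = i * 10
        table.on_syn(flood_src, 1000 + i, now)
        if i % 100 == 0 and table.on_syn(good_src, 40000 + i, now) and table.on_ack(good_src, 40000 + i):
            good_ok += 1
    return good_ok, table.stats
```

With a 60 s timeout and no per-source limit the backlog fills after 128 silent SYNs and the legitimate client completes only 2 of 5 handshakes; with a 0.5 s timeout and 20 SYNs per source per second the backlog never fills and all 5 succeed.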

Data probing and Intrusion Detection Prevention (IDP) is a good security measure which is on the rise. One such example is Splunk, which is a “Google-style” search and interface platform for analysing data logs from all parts of a computer and network system. Previously called a tool, Splunk now has many other sections of interest for an enterprise, such as user activity analytics, and therefore insists it should be called a “platform” instead of “a tool”. Presuming the systems are set up for most components to log their every event, Splunk will make order of the chaos that is detailed log files. Log files from various applications, app servers, web servers, network wire data, databases, virtual machines, telecom equipment, operating systems and much more are analysed, and the big data is turned into something easily maintainable. Based on this big data, Splunk will be able to alert IT security about possible breaches or incidents if the log files show abnormal activity. (Nott, 2016, pp.11-11, Kerner, 2016, pp.14-14) There are several providers and brands performing such data collection and analysis.
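The core of what such a platform does with log data, learning what normal traffic looks like and alerting when a window deviates from it, can be sketched in a few lines. This Python example is added for this page and is not Splunk’s code or from any cited source; its log format, addresses, window size and sigma threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Matches constructed firewall-style records such as
# "1007 SYN src=192.0.2.11 dst=192.0.2.10:80" (epoch second, source, destination:port).
LOG_LINE = re.compile(r"^(?P<ts>\d+) SYN src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+):(?P<port>\d+)$")

def parse(lines):
    """Yield (epoch_second, src) for each SYN record; malformed lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"]

def per_window(events, window=10):
    """Bucket SYNs into fixed windows: window_start -> (SYN count, distinct sources)."""
    counts, sources = Counter(), defaultdict(set)
    for ts, src in events:
        w = ts - ts % window
        counts[w] += 1
        sources[w].add(src)
    return {w: (counts[w], len(sources[w])) for w in sorted(counts)}

def find_anomalies(buckets, baseline_windows=6, sigma=3.0):
    """Learn the normal SYN rate from the first windows (assumed attack-free), then
    flag later windows whose count exceeds mean + sigma * stddev of that baseline.
    Returns ([(window_start, syn_count, distinct_sources), ...], threshold)."""
    ordered = list(buckets.items())
    base = [c for _, (c, _) in ordered[:baseline_windows]]
    threshold = mean(base) + sigma * pstdev(base)
    return [(w, c, s) for w, (c, s) in ordered[baseline_windows:] if c > threshold], threshold

def sample_log():
    """Constructed sample: 60 s of normal traffic (2-4 SYNs/s from four clients),
    then a 20 s flood of 40 SYNs/s from hundreds of distinct addresses."""
    clients = ["192.0.2.11", "192.0.2.12", "192.0.2.13", "198.51.100.4"]
    lines = []
    for sec in range(60):
        for j in range(2 + sec % 3):
            lines.append(f"{1000 + sec} SYN src={clients[(sec + j) % 4]} dst=192.0.2.10:80")
    for sec in range(60, 80):
        for j in range(40):
            lines.append(f"{1000 + sec} SYN src=203.0.113.{(sec * 40 + j) % 254 + 1} dst=192.0.2.10:80")
    lines.append("not a SYN record; the parser must ignore it")
    return lines

def detect(lines):
    """Full pipeline: parse -> bucket -> compare against the learned baseline."""
    return find_anomalies(per_window(parse(lines)))
```

The distinct-source count per window is what separates a flood from a single busy client: the two flagged windows each carry 400 SYNs from 254 different addresses, while the baseline windows stay around 30 SYNs from 4 clients.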

Summary: Yong, Tefera and Beshah (2012) believe that internet security will never be perfect. Botnets are complex networks by nature and no solution has been implemented globally. They developed a mathematical model to estimate how big a problem an attack will be, as they don’t think it will go away as long as we have traffic through the internet like we do today. In other words, when using TCP/IP as it is today we will not get rid of the problem. We can however hold back the flood as well as possible and use several methods to detect the attacks early and thereby stop them mid-attack.

Bibliography

Anderson, R. (2008) Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons.

Cerroni, W., Monti, G., Moro, G. and Ramilli, M. (2009) ‘Network Attack Detection Based on Peer-to-Peer Clustering of SNMP Data’, in Quality of Service in Heterogeneous Networks. Springer, pp.417-430.

Dejan, M. T. and Mladen Ðuro Veinovic (2013) ‘Attacks on IEEE 802.11 wireless networks’, Vojnotehnicki Glasnik, 61(2), pp.242-271.

Elleithy, K., Blagovic, D., Cheng, W. and Sideleau, P. (2005) ‘Denial of Service Attack Techniques: Analysis, Implementation and Comparison’, Journal of Systemics, Cybernetics and Informatics, 3(1), pp.66-71.

Kerner, S. M. (2016) ‘Splunk Updates Enterprise Security, User Behavior Analytics Platforms’, eWeek, p.14.

Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R. and Murukan, A. (2006) ‘How To: Harden the TCP/IP Stack’, in Improving Web Application Security: Threats and Countermeasures [Online]. Available from: https://msdn.microsoft.com/en-us/library/ff648853.aspx (Accessed: 19.07.2018).

Nott, G. (2016) ‘Splunk’s ambition to weave machine data fabric through your entire business’, CIO, p.11.

Rubens, P. (2016) 6 Tips for Fighting DDoS Attacks [Online]. Available from: http://www.esecurityplanet.com/network-security/5-tips-for-fighting-ddos-attacks.html (Accessed: 21.07.2018).

Shekhar, A. (2016) How To Perform Ping of Death Attack Using CMD And Notepad (Just For Learning) [Online]. Available from: https://fossbytes.com/perform-ping-of-death-attack-using-cmd-just-for-learning/ (Accessed: 22.07.2018).

Yaar, A., Perrig, A. and Song, D. (2004) ‘SIFF: A stateless Internet flow filter to mitigate DDoS flooding attacks’, in Proceedings of the 2004 IEEE Symposium on Security and Privacy. IEEE, pp.130-143.

Yong, W., Tefera, S. H. and Beshah, Y. K. (2012) ‘Understanding Botnet: From Mathematical Modelling to Integrated Detection and Mitigation Framework’, 2012 13th ACIS International Conference on Software Engineering, Artificial Intelligence, Networking & Parallel/Distributed Computing, p.63.

Image source: https://pixabay.com/en/gifts-packages-made-loop-570808/, user: blickpixel. CC0 Licence, public domain.