Ethical hacking: TCP/IP for hackers
In this article, we’ll discuss TCP/IP: the importance of mastering it and how this mastery can be beneficial to hackers. We will then look at how hackers are able to attack TCP/IP and the different network attacks associated with it. We’ll also discuss the methods that security teams can use to protect themselves from these TCP/IP attacks.
Overview of TCP/IP
TCP/IP is actually the most widely-used protocol today. TCP/IP is currently the most common standard for communicating devices within computer networks.
The TCP/IP stack is divided into several layers, each of which is important for particular aspects of communication. It is possible to develop each of these layers without affecting adjacent ones. With TCP/IP, data encapsulation is achieved in different headers across different transportation layers of the protocol stack.
Despite attempts to make TCP as secure as possible, there still are some attacks that abuse it.
What are some essential TCP/IP hacking techniques?
Hackers are able to attack some flaws that exist within the TCP/IP protocol suite. There are three major attacks:
- Address spoofing
- TCP sequence number prediction
- Port scanning
Let’s briefly discuss these techniques.
Hackers have always been able to manipulate the direction that an IP packet takes based on the implementation of the IP header. Whoever has access to the IP header can act as a routing device and determine where the packet goes. This is true for both the source and destination of the traffic.
Hackers can then impersonate another host’s IP address within the network and send packets appearing to originate from this host.
TCP sequence number prediction
This attack attempts to correctly guess the sequence number used to identify packets in a TCP connection. If hackers are able to achieve this, they can counterfeit packets heading to the target host on the network. The target host has no way of knowing that these counterfeit packets are from a malicious host.
The attacker achieves this by listening to the communication between the sender and receiver. All the attacker needs is the sender’s IP address and the correct sequence number, and this attack succeeds.
Hackers are able to perform port scans in order to identify open ports and the services present and running within the network’s hosts. This is done with the intention of pinpointing and attacking a vulnerable target.
There are several different types of port scans that can be used:
- TCP “connect()” scan: This is a UNIX system call that can be used to open a connection with an interesting port. The call to “connect()” will only succeed if there is a listening server, or else the port is not in use. This method is very easily discoverable and will be detected in a proper security audit
- TCP SYN scan: This is an alternative that can be used to the “connect()” scan. Here, the hacker sends a SYN packet to the target. This tricks the target that an incoming connection is pending
- TCP FIN scan: Hackers can use this as an alternative to the two methods above. Instead of sending a SYN packet, the hacker sends a FIN packet. This technique will not work where certain packet filters have been enforced
Once a port has been identified to be open, hackers can then target them for attacks. These attacks will also largely depend on the services that are running on the ports.
What are some network attacks associated with TCP/IP?
Hackers have discovered flaws within the implementation of TCP/IP. These vulnerabilities have led to the possibility for different kinds of attacks. The following are the main classes of attacks that result from these vulnerabilities:
- Denial-of-Service attacks
- Spoofing attacks
Let us discuss how each of these vulnerabilities work.
Denial-of-Service attacks prevent valid and legitimate users from gaining access to information that they should be able to access. The attacker transmits huge amounts of bogus data to the target, with the intention of rendering it unusable by overwhelming it. The target eventually runs out of memory or CPU processing and might ultimately crash.
The two main types of flooding attacks are:
- CHARGEN and ECHO
- SYN flooding
There are also other Denial-of-Service attacks that hackers can use — for instance, the famous Ping of Death, which inflates the size of a ping packet and causes a system to crash.
CHARGEN and ECHO
Some TCP/IP implementations offer some two key services, CHARGEN and ECHO. CHARGEN runs on TCP and UDP port number 19, while ECHO runs on TCP and UDP number 7.
For any incoming UDP packet, CHARGEN will respond with randomly selected characters numbering anywhere between 0 and 512. ECHO will respond to any incoming packets with whatever it has just received.
These two services are intended to be for diagnosis of the system, but instead, hackers have found a way of abusing these into tools that can perform Denial-of-Service attacks. This is possible because it is quite easy to set up a chain of requests between two servers targeting the CHARGEN port on one server and targeting the ECHO port on the other while spoofing one’s server’s IP address.
Once this is done, the spoofed IP address of one server will appear legitimate to the victim and the chain of request and response will be established. Such an attack will result in great traffic on the network, leaving network users with slow internet access.
This attack can be leveraged to target a particular target of interest, leaving users without access.
This attack involves the sending of bogus SYN packets to a target host, flooding (hence consuming) all new network connections to a target host. This results in legitimate requests to TCP connections failing to receive any connection; thus, the service is denied.
Spoofing attacks are attacks that trick systems within the network into believing that the attacker is either a legitimate server or client. The following are the two major categories of spoofing attack:
- Client-side spoofing
- Server-side spoofing
Hackers are able to perform this type of spoofing by impersonating an authorized client to a server. There are a few methods by which this can be done.
One of the common ones is IP spoofing. Hackers craft packets with a spoofed source IP address, then impersonate legitimate clients on the network. One application of this is when dealing with servers requiring IP-based authentication. Using this technique, it is easy to fool such servers.
Server-side spoofing operates in a different manner. Instead of a hacker impersonating a legitimate client within the network, the focus is on impersonating a server in order to allow clients on the network to connect to them. The motivation behind this attack is to collect sensitive information from clients as they willingly submit it to the “legitimate” server.
Some TCP/IP-based attacks involve abusing routing infrastructure, domain name systems and numerous other TCP/IP implementations. Let’s briefly consider a few.
Routing infrastructure attacks
Routers make routing decisions based on the information stored within the routing table. Routers will periodically share routing information in order to keep their routing tables up-to-date. These updates are known as Link State Updates (LSU).
The possible threats here are mainly from spoofing attacks. A hacker can break into router A and make it send bogus routing control packets to routers B and C, causing them to switch traffic to router A. The hacker then sets up a man-in-the-middle to spy on traffic coming from routers B and C.
DNS misuse attacks
Since there are numerous types of DNS attacks, we decided to categorize them into four main groups:
- Volumetric DoS attacks: This attack involves overwhelming the DNS server by flooding it with a high number of requests. These may originate from one or multiple sources and lead to service degradation or unavailability
- Exploits: These attacks exploit various bugs that affect the DNS services
- Stealth/slow drip attacks: These attacks involve sending low amounts of traffic to the DNS server, resulting in capacity exhaustion within the server. This may ultimately lead to service degradation
- Protocol abuse: These attacks abuse DNS leading to data exfiltration
Other TCP/IP attacks also include no-file security, x-windows and distributed coordinated attacks.
What are some detection and protection methods for TCP/IP-based attacks?
The following are some of the methods that can be applied by security teams in order to prevent or defend against TCP/IP-based attacks:
System configuration improvements
When a system is properly configured, all the possible loopholes are sealed and hackers are unable to exploit them for attacks. For instance, when vulnerable protocols are disabled within a system, hackers will not have smooth access to the target.
Router configuration improvements
Information within the routing table can be accessed by hackers and altered for malicious intent. Where proper router configurations are implemented, hackers may not be able to gain unauthorized access into systems.
Properly configured security solutions such as firewalls, intrusion detection systems and intrusion prevention systems are able to identify malicious traffic within the network and notify the security team in real time. This is effective at thwarting attackers’ attempts to breach networks.
Some of the discussed TCP/IP-based attacks above are quite old, yet only recently are we seeing intelligent security solutions able to pick most of them up. Scanning tools are also getting better as more attacks get discovered. Knowing how to exploit these issues is essential for ethical hackers, who can then suggest solutions to resolve them and make networks safer.
- Guang Yang, “Introduction to TCP/IP Network Attacks“
- Brenden Claypool, “Stealth Port Scanning Methods“
- TCP/IP (Transmission Control Protocol/Internet Protocol), TechTarget
- What IP Means and How It Works, Lifewire
- TCP/IP, Computer Hope