[Paper Review] A Look Back at “Security Problems in the TCP/IP Protocol Suite”

Title: A Look Back at "Security Problems in the TCP/IP Protocol Suite"
Author: Steven M. Bellovin (bellovin@acm.org), AT&T Labs – Research
Publishing: 20th Annual Computer Security Applications Conference (ACSAC), "Classic Papers" track
Year: 2004
Abstract: About fifteen years ago, I wrote a paper on security problems in the TCP/IP protocol suite. In particular, I focused on protocol-level issues, rather than implementation flaws. It is instructive to look back at that paper, to see where my focus and my predictions were accurate, where I was wrong, and where dangers have yet to happen. This is a reprint of the original paper, with added commentary.
Summary: Security Issues & Defenses

Each issue below lists its sub-problems / possible attacks, followed by the defenses / countermeasures the paper discusses.

TCP Sequence Number Prediction
  Attacks:
    1. Impersonating a trusted host to the Berkeley "r" commands (rsh, rlogin), which can then be made to execute malicious commands
    2. Overflowing the trusted client's connection queue so that it loses messages (DoS)
    3. Hijacking established sessions
  Defenses:
    1. A cryptographic hash function that creates a separate sequence-number space for each "connection", a connection being defined per RFC791 as the unique 4-tuple <localhost, localport, remotehost, remoteport>
    2. Random ISN generation has side effects: random increments hurt TCP's correctness in the presence of duplicate packets, and the sum of a sequence of random increments has a normal distribution (central limit theorem), so the actual range of the ISNs stays quite small and guessable (CERT CA-2001-09)

Routing Issues
  Source Routing
    Attacks:
      1. Defeats address-based authentication: a source-routed packet can carry a trusted source address while the replies are routed back to the attacker
    Defenses:
      1. Configure routers to reject external packets that claim an internal source address
      2. Use a firewall
      3. Reject source-routed packets at border routers
  RIP Attack
    Attacks:
      1. No authentication, so an intruder can send bogus routing information whose entries propagate widely
      2. The AS 7007 incident, in which leaked routes propagated Internet-wide
      3. Spammers hijack a route, inject spam, and then withdraw the route
    Defenses:
      1. Filter out packets with bogus source addresses (network ingress filtering)
  EGP
    Attacks:
      1. Impersonating a second exterior gateway for an AS
      2. Claiming reachability for a network whose real gateway is down
    Defenses:
      1. Reasonably secure because of EGP's restricted topologies; EGP has since been replaced by BGP, to which the concern now applies
  ICMP
    Attacks:
      1. Forged ICMP Redirect messages alter a host's routing table
      2. Forged ICMP error messages (e.g. Destination Unreachable) tear down existing connections (DoS)
    Defenses:
      1. Act on an ICMP error message only if the quoted header carries a plausible sequence number for an existing connection
      2. Disable (ignore) ICMP redirects
  "Authentication" Server
    Attacks:
      1. Relies on the remote host to answer honestly about who owns a connection
    Defenses:
      1. Do not use it

Applications
  Finger
    Attacks:
      1. Displays useful information about users to any remote querier
    Defenses:
      1. Firewall blocks the finger protocol
  Email (POP)
    Attacks:
      1. Mail session travels unencrypted
    Defenses:
      1. Use an encrypted mode (SSL/TLS)
  DNS
    Attacks:
      1. DNS sequence (transaction ID) guessing
      2. Intercepting virtually all requests to translate names to IP addresses and supplying the address of a subverted machine instead
      3. DNS zone transfer (AXFR) with no authentication on the request
    Defenses:
      1. DNSSEC provides digitally signed resource records
  FTP
    Attacks:
      1. FTP authentication in plaintext
      2. Anonymous FTP bounce attack
    Defenses:
      1. Cryptographic protection for FTP
  SNMP
    Attacks:
      1. No authentication, so the MIB is revealed
    Defenses:
      1. Community string (a simple plaintext password, hence weak)
      2. SNMPv3 user-based security model, which provides cryptographic authentication
  Remote Booting
    Attacks:
      1. RARP with TFTP
      2. BOOTP with TFTP
      3. Impersonating the boot server and sending false DATA packets
    Defenses:
      1. 4-byte random transaction ID
      2. DHCP
  Trivial Attacks
    1. LAN vulnerable to eavesdropping and broadcast abuse (ARP poisoning, smurf attack)
    2. TFTP with no authentication
    3. Trust placed in reserved (privileged) ports
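The TCP Sequence Number Prediction row above compares three ISN schemes in words; the following is an added example for this review (not code from the paper or from any TCP stack) that puts them side by side: the 4.2BSD-style counter the 1989 paper attacked, random increments and the central-limit-theorem window that CERT CA-2001-09 describes, and a per-connection keyed-hash offset of the shape the paper recommends (RFC 6528 uses the same ISN = M + F(4-tuple, secret) form). The +128/second and +64/connection constants, the 4-microsecond clock, the use of HMAC-SHA256 as F, and all sample tuples and secrets are assumptions for the demo.

```python
"""ISN schemes compared: predictable counter, clustered random increments,
and a per-connection keyed hash. Added example, not from the paper."""
import hashlib
import hmac
import ipaddress
import math
import random
import struct

MOD = 2 ** 32


def bsd_isn(seconds: int, connections: int) -> int:
    """4.2BSD-style ISN counter: +128 per second, +64 per connection (assumed constants)."""
    return (128 * seconds + 64 * connections) % MOD


def predict_next_bsd(observed_isn: int) -> int:
    """Attack step: open a real connection, read its ISN, and predict the ISN
    the server will hand the spoofed connection opened in the same second."""
    return (observed_isn + 64) % MOD


def random_increment_isns(n: int, step_max: int, rng: random.Random) -> list:
    """ISNs that grow by a fresh random increment in [1, step_max] per connection.
    The k-th ISN is a sum of k independent terms, so the CLT applies to it."""
    isns, cur = [], 0
    for _ in range(n):
        cur = (cur + rng.randint(1, step_max)) % MOD
        isns.append(cur)
    return isns


def clt_window(last_isn: int, step_max: int, k_ahead: int) -> tuple:
    """Guess window for the ISN k connections after an observed one:
    (centre, half-width) at +/- 3 sigma, covering about 99.7% of outcomes."""
    mean = (step_max + 1) / 2                 # mean of uniform on [1, step_max]
    var = (step_max ** 2 - 1) / 12            # variance of that uniform
    centre = (last_isn + round(k_ahead * mean)) % MOD
    half = 3 * math.sqrt(k_ahead * var)
    return centre, int(half)


def in_window(actual: int, centre: int, half: int) -> bool:
    """Signed modular distance, so the window also works across the 2^32 wrap."""
    d = (actual - centre) % MOD
    if d > MOD // 2:
        d -= MOD
    return abs(d) <= half


def hit_rate(step_max: int, k_ahead: int, trials: int = 2000, seed: int = 7) -> float:
    """Fraction of simulated runs in which the true ISN k connections later falls
    inside the CLT window built from the first observed ISN (expect ~0.997)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        isns = random_increment_isns(k_ahead + 1, step_max, rng)
        centre, half = clt_window(isns[0], step_max, k_ahead)
        hits += in_window(isns[-1], centre, half)
    return hits / trials


def keyed_isn(ticks_4us: int, local_ip: str, local_port: int,
              remote_ip: str, remote_port: int, secret: bytes) -> int:
    """Separate sequence space per 4-tuple: ISN = M + F(tuple, secret), with M a
    4-microsecond clock (assumed) and F = HMAC-SHA256 truncated to 32 bits.
    An ISN observed on one tuple says nothing about the offset of another."""
    tuple_bytes = (ipaddress.ip_address(local_ip).packed + struct.pack("!H", local_port)
                   + ipaddress.ip_address(remote_ip).packed + struct.pack("!H", remote_port))
    f = struct.unpack("!I", hmac.new(secret, tuple_bytes, hashlib.sha256).digest()[:4])[0]
    return (ticks_4us + f) % MOD


if __name__ == "__main__":
    isn = bsd_isn(100, 5)
    print("BSD counter: observed", isn, "-> next predicted", predict_next_bsd(isn))
    centre, half = clt_window(0, 2 ** 16, 16)
    print("random increments: 16 connections ahead, window width", 2 * half, "of", MOD)
    print("empirical hit rate inside that window:", hit_rate(2 ** 16, 16))
    secret = b"constructed-demo-secret"
    a = keyed_isn(1000, "192.0.2.10", 50000, "198.51.100.5", 513, secret)
    b = keyed_isn(1000, "192.0.2.11", 50000, "198.51.100.5", 513, secret)
    print("keyed ISN for two tuples at the same instant:", a, b)
```

The window printed for random increments is a few hundred thousand values out of 2^32: that is the "quite small" range the row refers to, and it grows only with the square root of the number of connections an attacker has to look ahead. The keyed scheme keeps the clock-driven M (so old duplicates are still unlikely to be accepted) while making the per-tuple offset unguessable without the secret.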

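The Source Routing and RIP rows above both end in packet filtering at the border: reject source-routed packets, and drop packets that arrive from outside carrying an internal source address (network ingress filtering). The following is an added example for this review, not code from the paper or from any router, that applies both checks to raw IPv4 headers. The internal prefixes, the option type codes for the LSRR and SSRR options (131 and 137, from the IPv4 option registry), the header-building helper and the sample packets are all constructed for the demo; the header checksum is left zero because the checks never depend on it.

```python
"""Border-router ingress checks: source-routed packets and spoofed internal
sources. Added example; packets are constructed inline, not captured."""
import ipaddress
import struct

# Assumed site prefixes; anything arriving from outside with one of these as
# source is a spoof (ingress filtering as in the RIP/source-routing rows).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

IPOPT_EOL, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137   # loose / strict source route option codes


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Minimal IPv4 header (no payload) with options padded to a 4-byte boundary."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options


def lsrr_option(*hops: str) -> bytes:
    """Loose source route option: type, length, pointer (4 = first hop), hop list."""
    addrs = b"".join(ipaddress.ip_address(h).packed for h in hops)
    return bytes([IPOPT_LSRR, 3 + len(addrs), 4]) + addrs


def parse_options(pkt: bytes) -> list:
    """Option type codes in the header; 'malformed' if a length field is bogus."""
    ihl = (pkt[0] & 0x0F) * 4
    opts, i, found = pkt[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:   # length byte missing or < 2 would loop
            found.append("malformed")
            break
        found.append(t)
        i += opts[i + 1]
    return found


def border_filter(pkt: bytes, arrived_on_external: bool) -> str:
    """Decision for one packet at the border: 'accept' or 'drop: <reason>'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "drop: not IPv4"
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return "drop: bad header length"
    opts = parse_options(pkt)
    if "malformed" in opts:
        return "drop: malformed options"
    if IPOPT_LSRR in opts or IPOPT_SSRR in opts:
        return "drop: source-routed"            # defense 3 of the Source Routing row
    src = ipaddress.ip_address(pkt[12:16])
    if arrived_on_external and any(src in n for n in INTERNAL_NETS):
        return "drop: spoofed internal source"  # defense 1 / ingress filtering
    return "accept"


def demo() -> dict:
    """Constructed packets and the filter's verdict on each."""
    return {
        "normal inbound": border_filter(build_ipv4("198.51.100.7", "10.0.0.5"), True),
        "inbound claiming internal src": border_filter(build_ipv4("10.0.0.5", "10.0.0.6"), True),
        "inbound source-routed": border_filter(
            build_ipv4("198.51.100.7", "10.0.0.5", lsrr_option("10.0.0.5", "192.0.2.9")), True),
        "internal on inside interface": border_filter(build_ipv4("10.0.0.5", "198.51.100.7"), False),
        "truncated": border_filter(b"\x45\x00\x00", True),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

Note that the filter rejects a source-routed packet regardless of the address it claims: the attack in the Source Routing row works precisely because the source address looks trusted, so the option itself, not the address, is the thing to refuse.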
Comprehensive Defenses: Authentication, Encryption, Trusted Systems

Note: This paper gives a broad overview of the security problems in the TCP/IP suite and supplies many references through which the countermeasures for each issue can be seen at a glance. It reprints, with added commentary, the paper the author originally wrote in 1989. It reviews the protocol flaws themselves and the attacks they enable, from TCP sequence number guessing and routing protocol weaknesses to application-layer protocols such as finger, POP3, SNMP, DNS, and FTP. The author also corrects mistaken statements in the original paper where needed, and discusses the defense techniques and their limitations against such attacks.