CSE581 – Internet Technology

Paper Group 21

Phil Cayton

03/04/02

·        Bibliographic Information:

  1. C. Schuba, I. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni. “Analysis of a Denial of Service Attack on TCP”. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, pages 208-223, May 1997.
  2. S. M. Bellovin. “Security Problems in the TCP/IP Protocol Suite”. Computer Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989.
  3. S. M. Bellovin. “Defending Against Sequence Number Attacks”. RFC 1948, May 1996.
  4. S. M. Bellovin. “Packets Found on an Internet”. Computer Communication Review, Vol. 23, No. 3, pp. 26-31, July 1993.
  5. R. Morris. “A Weakness in the 4.2BSD Unix TCP/IP Software”. Bell Labs Computer Science Technical Report 117, 1985.

·        In-Class Presentation: <slides.ppt>


·        Summary of Paper Group:

The five papers reviewed for the paper group centered on security problems and TCP vulnerabilities.  The papers discussed deficiencies and holes in TCP which make it vulnerable to hacks, spoofs and attacks.  The first three papers were really quite good and detailed.  The last two were mainly supporting material for the first three, serving to clarify and flesh out their details.

The first paper – “Analysis of a Denial of Service Attack on TCP” – first provides a good overall discussion of how connections are made and an analysis of the “three-way handshake” protocol.  The paper then discusses the “SYN flooding” attack in detail, including the vectors for this attack (i.e., single address, short list, no list).  It then provides several possible solutions to the problem (i.e., system and router configuration optimizations, infrastructure improvements, connection establishment improvements, various firewall approaches, and an active monitoring tool).  The system configuration optimizations suggested include reducing the connection timeout, increasing the backlog queue length, and disabling non-essential services.  The router configuration improvements are what is now called ingress and egress filtering: configuring external interfaces to deny incoming packets whose source addresses belong to internal networks, and configuring internal interfaces to deny outgoing packets whose source addresses belong to external networks.  The firewall changes include relay-firewall protection and using a firewall as a semi-transparent gateway.  The active monitoring suggestion gets a lot of discussion and sounds like an interesting approach.

The second paper – “Security Problems in the TCP/IP Protocol Suite” – is a really good paper that outlines several attacks against the TCP/IP protocol suite, including TCP sequence number prediction, routing abuses (e.g., RIP attacks, Exterior Gateway Protocol attacks, ICMP attacks), authentication server spoofs, and a host of other, more minor hacks that exploit inherent security flaws in the modern implementations of TCP/IP.  The author suggests a number of possible solutions to, or defenses against, these attacks.

The third paper – “Defending Against Sequence Number Attacks” – is an Internet RFC which details the TCP sequence number attack and suggests some defenses against it.  The paper does a very good job of explaining exactly what these attacks are and what they accomplish, and illustrates exactly what happens.  It provides some good ideas on how to defend against these attacks.
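The RFC 1948 defense referred to above, as an added example that is not code from the RFC or from any of the papers in this group: the initial sequence number is computed as M + F(localhost, localport, remotehost, remoteport, secret), so each connection still sees the RFC 793 clock advance, but the ISN observed on one connection says nothing about the per-connection offset of another. The hash (HMAC-SHA256 instead of the MD5 the RFC suggests), the addresses and the secret are assumptions of this example.

```python
import hashlib
import hmac

# RFC 793's ISN clock ticks once every 4 microseconds and wraps at 2^32.
TICK_US = 4
MOD32 = 1 << 32


def isn_clock(now_us: int) -> int:
    """M: the 32-bit RFC 793 clock value for a time given in microseconds."""
    return (now_us // TICK_US) % MOD32


def connection_offset(local_host: str, local_port: int,
                      remote_host: str, remote_port: int, secret: bytes) -> int:
    """F(localhost, localport, remotehost, remoteport, secret), truncated to 32 bits.

    RFC 1948 proposes MD5 over the connection id plus a secret; this example uses
    HMAC-SHA256 instead (an assumption of this example, not the RFC's choice).
    """
    conn_id = f"{local_host}:{local_port}|{remote_host}:{remote_port}".encode()
    digest = hmac.new(secret, conn_id, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def rfc1948_isn(local_host: str, local_port: int, remote_host: str,
                remote_port: int, secret: bytes, now_us: int) -> int:
    """ISN = M + F(...) mod 2^32: per-connection secret base, global clock increment."""
    offset = connection_offset(local_host, local_port, remote_host, remote_port, secret)
    return (isn_clock(now_us) + offset) % MOD32


def guess_from_probe(probe_isn: int, probe_time_us: int, target_time_us: int) -> int:
    """The pre-RFC 1948 prediction model: a single global clock, so another
    connection's ISN is the probed ISN plus the elapsed clock ticks."""
    elapsed_ticks = (target_time_us - probe_time_us) // TICK_US
    return (probe_isn + elapsed_ticks) % MOD32


if __name__ == "__main__":
    secret = b"constructed-demo-secret"      # constructed sample value
    server = ("192.0.2.10", 513)             # constructed RFC 5737 documentation address
    # An observer records the ISN handed to its own connection ...
    probe = rfc1948_isn(*server, "198.51.100.7", 40000, secret, now_us=1_000_000)
    # ... and applies the clock model to a different client's connection 4 ms later.
    guess = guess_from_probe(probe, 1_000_000, 1_004_000)
    actual = rfc1948_isn(*server, "203.0.113.5", 1023, secret, now_us=1_004_000)
    print(f"clock-based guess 0x{guess:08x} vs actual 0x{actual:08x}: "
          f"{'match' if guess == actual else 'mismatch'}")
```

Within one connection tuple the ISN still advances exactly with the clock, which preserves the RFC 793 property that the defense was designed not to break.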

The fourth paper – “Packets Found on an Internet” – is a relatively interesting discussion of strange packets found while sniffing an intranet.  It discusses address space oddities such as anomalous broadcasts and attempts to connect to old/obsolete/non-existent machines, strange requests, ICMP peculiarities, and DNS oddities.  While the paper provides information on the chaff that can be found on a network, it is ultimately not all that useful, as it seems a bit limited in scope and only analyzes a large but relatively isolated network.

The fifth paper – “A Weakness in the 4.2BSD Unix TCP/IP Software” – is another discussion of the Syn-ack attack problem.  It is a pretty good description of the problem but does not attempt to offer solutions.  It is well written, but not very useful as an additional source for this paper group, as the other papers offer at least as good a description and also discuss fixing the problem and closing the hole.