
TCP/IP Vulnerabilities

ECE 478/578 Computer and Network Security Project

Submitted by
Rudhrakumar Venkatesan (venkatru@ece.orst.edu)
Shashidhar Lakkavalli (lakkavsh@ece.orst.edu)

Abstract
TCP/IP is a set of protocols developed to allow cooperating computers to share resources across a network. The TCP/IP protocol suite, which is very widely used today, has a large number of serious security flaws inherent in the protocols, regardless of the correctness of any implementation. We describe a variety of attacks based on these flaws. The attack methods in TCP/IP networks that we explore in this paper are:
(i) Sniffing - a passive attack using sniffer programs that capture packets.
(ii) Denial of service on swap space, bandwidth, RAM and caches.
(iii) Spoofing and hijacking - redirection of a TCP stream through active attacks.
(iv) Sequence number prediction attacks.
We also study some sniffer programs and spoofing and hijacking tools and their impact on the network, and we explore the various methods of detection, prevention and recovery from such attacks.

Contents

1 Introduction
  1.1 TCP/IP
  1.2 Attacks
2 Passive Attacks
  2.1 Sniffing
    2.1.1 Protocols Vulnerable to Sniffing
    2.1.2 Methods for Sniffing
    2.1.3 Prevention of Vulnerabilities
    2.1.4 Encryption Tools
    2.1.5 Tools to Detect Packet Sniffers
    2.1.6 Sniffing Programs
3 Active Attacks
  3.1 Spoofing & Hijacking
    3.1.1 IP Spoofing
    3.1.2 Hijacking
    3.1.3 How It's Done
      3.1.3.1 Connection Killing
      3.1.3.2 Connection Hijacking
    3.1.4 Impact
    3.1.5 Solutions
  3.2 Sequence Number Guessing
    3.2.1 Details of the Attack
    3.2.2 Solutions
  3.3 Denial of Service
    3.3.1 Some Basic Targets for an Attack
    3.3.2 The Attacks
    3.3.3 Protecting a System against DoS Attacks
4 Conclusion
5 References

1 Introduction
The TCP/IP protocol suite is the most widely used communication standard on the Internet. Despite that, there are a number of serious security flaws inherent in the protocols. Further flaws arise from bad implementation and improper configuration of the applications that use the protocol suite. Attacks are classified into active and passive attacks depending on the behaviour of the attacker. Sniffing is the most common form of passive attack, so we discuss it in detail; there are many prominent forms of active attack, of which we consider spoofing, hijacking, sequence number prediction and denial of service.

1.1 TCP/IP
TCP provides a full duplex reliable stream connection between two end points. A connection is uniquely defined by the quadruple (IP address of the sender, TCP port number of the sender, IP address of the receiver, TCP port number of the receiver). Every byte sent by a host is marked with a sequence number (a 32-bit integer) and is acknowledged by the receiver using this sequence number. The sequence number for the first byte sent is computed when the connection is opened. It changes for every new connection, following rules designed to avoid reuse of the same sequence number for two different sessions of a TCP connection.

1.2 Attacks
In security, the word "attack" has taken on a very specific connotation. For example, you might hear of researchers trying to "attack a cryptosystem". The word is often used in the abstract sense rather than in any physical sense. In academic circles it is often used in preference to synonyms such as "crack" or "break". A passive attack (like sniffing) is one that can take place by eavesdropping alone. An active attack (like hijacking) is one that requires interaction, such as injecting something into the data stream, or changing, deleting, rerouting, adding, forging or diverting data. All attacks fall into one of these two categories.

2. Passive Attacks

2.1 Sniffing
Packet sniffing is the act of intercepting and reading any or all network traffic transmitted across a shared network communication channel. Sniffing programs come in two forms. Commercial packet sniffers are used to help maintain networks. Underground packet sniffers are used to break into computers.

2.1.1 Protocols vulnerable to sniffing
The following is a sampling of typical protocols that are sniffed, especially for passwords.
- Telnet and rlogin: sniffing can capture the keystrokes as the user types them, including the user name and password.
- HTTP: the default version of HTTP has numerous holes. Many web sites use "Basic" authentication, which sends passwords across the wire in plain text. Many web sites use another technique which prompts the user for a username and password, which are also sent across the network in plain text. Data is sent in clear text.
- SNMP: almost all SNMP traffic is SNMPv1, which has no good security. SNMP passwords (called community strings) are sent across the wire in the clear.
- NNTP: passwords sent in the clear; data sent in the clear.
- POP: passwords sent in the clear; data sent in the clear.
- FTP: passwords sent in the clear; data sent in the clear.
- IMAP: passwords sent in the clear; data sent in the clear.

Fig 1.0 Sniffing Program in Action

2.1.2 Methods for sniffing
The network interface card (NIC) hardware in a networked computer receives every piece of network traffic transmitted across the physical network. Ordinarily the network device driver software processes only incoming traffic addressed to its host computer, or broadcast packets meant for all computers on the network. However, certain network adapter hardware can be configured to operate in an altered state (promiscuous mode) where the network device driver processes all traffic transmitted across the network, whether addressed to the host computer or not. Monitoring network traffic requires both hardware and software mechanisms working together. The monitoring process begins with the NIC, with the packets being captured by the device driver software. Both the hardware and the software components of the NIC need to provide mechanisms for capturing the raw packets. After the network traffic is processed by the NIC, software mechanisms are needed to filter the captured data. Finally, a mechanism is required to extract and reconstruct the data portion of the captured packets and display it in a readable format.

2.1.3 Prevention of vulnerabilities
Most of the systems have secure alternatives. However, most sites do not implement these solutions and are consequently vulnerable to this sort of attack. The remaining vulnerabilities are caused by faulty implementation of protocols. Examples of faulty protocol implementation include Windows NT's password hashing algorithm: TELNET packets bound for a Windows NT server, for example, can be intercepted and decrypted by someone who knows the password hashing weakness. Some of the methods of preventing sniffing are:
1. Authentication schemes such as MD4 and MD5, Kerberos, DESLOGIN, S/Key and SSH are available to prevent the clear-text transmission of user names and passwords across a network. Public key encryption programs such as PGP are available to encrypt electronic mail (e-mail) so that its contents cannot be read.
2. Sniffer programs running in promiscuous mode can be found by identifying the sessions currently running on the machine. On Unix machines, "ifconfig -a" reveals all interfaces running in promiscuous mode. Ultrix can possibly detect someone running a sniffer with the commands pfstat and pfconfig: pfconfig allows you to set who can run a sniffer, and pfstat shows you whether the interface is in promiscuous mode.
3. Often a sniffer log becomes so large that all the file space is used up. On a high-volume network a sniffer creates a large load on the machine. These effects sometimes trigger enough alarms that the administrator discovers the sniffer.
4. Secure Socket Layer: SSL is built into all popular web browsers and web servers. It allows encrypted web surfing and is almost always used in e-commerce when users enter their credit card information.
5. Detecting a sniffing device that only collects data and does not respond to any of the information requires physically checking all your Ethernet connections, walking around and checking each connection individually.
6. Active hubs send to each system only the packets intended for it, rendering promiscuous sniffing ineffective.
7. Using interfaces that will not allow processes to run in promiscuous mode, and thus prevent sniffing.

2.1.4 Encryption tools
- Deslogin
- SwIPe
- Netlock
- Kerberos
- One-time password techniques

2.1.5 Tools to detect packet sniffers
- Antisniff
- Check Promiscuous Mode
- Neped
- Sentinel

2.1.6 Sniffing programs
- Ethereal
- Network Associates Sniffer
- BlackICE Pro
- CiAll
- Tcpdump (Unix)
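As an added example (not code from the paper), the following Python script automates the check in item 2 above: it parses the output of "ifconfig -a" and lists the interfaces with the PROMISC flag set. The ifconfig output embedded in it is constructed for this example. It assumes the two Linux net-tools output formats, in which the numeric flag word is printed in decimal and IFF_PROMISC is 0x100; BSD-derived ifconfig prints that word in hex, so the numeric cross-check would need adjusting there.

```python
import re

# Constructed sample of `ifconfig -a` in the newer net-tools style
# (made-up data for this example, not output captured from a real host).
SAMPLE_IFCONFIG = """\
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 192.0.2.255
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 198.51.100.7  netmask 255.255.255.0  broadcast 198.51.100.255
"""

# Constructed sample in the older net-tools style, where the flags are
# printed as bare words on a line of their own.
SAMPLE_IFCONFIG_OLD = """\
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

IFF_PROMISC = 0x100  # Linux interface flag bit for promiscuous mode (assumption: Linux)

# "name: flags=4419<UP,...>" opens an interface block in the newer style.
_NEW_STYLE = re.compile(r"^(\S+):\s+flags=(\d+)<([^>]*)>")
# "name      Link encap:..." opens an interface block in the older style.
_OLD_HEADER = re.compile(r"^(\S+)\s+Link encap:")
# "          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500" carries the flags.
_OLD_FLAGS = re.compile(r"^\s+((?:[A-Z]+\s+)+)MTU:")


def parse_ifconfig(text):
    """Return {interface_name: set_of_flag_names} from ifconfig output in either style."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = _NEW_STYLE.match(line)
        if m:
            name, numeric, names = m.group(1), int(m.group(2)), m.group(3)
            flags = {f for f in names.split(",") if f}
            # Cross-check the words against the numeric flag word (decimal on
            # Linux) so a missing word cannot hide promiscuous mode.
            if numeric & IFF_PROMISC:
                flags.add("PROMISC")
            interfaces[name] = flags
            current = name
            continue
        m = _OLD_HEADER.match(line)
        if m:
            current = m.group(1)
            interfaces[current] = set()
            continue
        m = _OLD_FLAGS.match(line)
        if m and current is not None:
            interfaces[current].update(m.group(1).split())
    return interfaces


def promiscuous_interfaces(text):
    """Names of interfaces whose flags include PROMISC, sorted for stable output."""
    return sorted(name for name, flags in parse_ifconfig(text).items()
                  if "PROMISC" in flags)


if __name__ == "__main__":
    for sample in (SAMPLE_IFCONFIG, SAMPLE_IFCONFIG_OLD):
        found = promiscuous_interfaces(sample)
        print("promiscuous interfaces:", ", ".join(found) if found else "none")
```

On a real host, feed the script the live output (for example by piping "ifconfig -a" into it) and run it from cron; an interface that shows PROMISC when no capture tool is expected to be running is worth investigating.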

3. Active Attacks

3.1 Spoofing & Hijacking
Passive attacks using sniffers are becoming more and more frequent on the Internet. The attacker obtains a user id and password that allows him to log on as that user. To prevent such attacks people have been using identification schemes such as one-time passwords [SKEY] or ticket-based identification [Kerberos]. Though they prevent password sniffing on an insecure network, these methods are still vulnerable to an active attack as long as they neither encrypt nor sign the data stream. Still, many people are complacent, believing that active attacks are very difficult and hence a lesser risk. But an IP hijack that successfully spoofs the system can be carried out with the same resources as a passive sniffing attack.

3.1.1 IP spoofing
To gain access, intruders create packets with spoofed source IP addresses. This exploits applications that use authentication based on IP addresses and leads to unauthorized user and possibly root access on the targeted system. It is possible to route packets through filtering-router firewalls if they are not configured to filter incoming packets whose source address is in the local domain. It is possible to spoof even if no reply packets can reach the attacker. Examples of configurations that are potentially vulnerable include:
- routers to external networks that support multiple internal interfaces
- routers with two interfaces that support subnetting on the internal network
- proxy firewalls where the proxy applications use the source IP address for authentication.

3.1.2 Hijacking
Once intruders have root access on a system, they can hijack existing terminal and login connections from any user on the system. In taking over existing connections, intruders can bypass one-time passwords and other strong authentication schemes by tapping the connection after authentication is complete. For example, a legitimate user connects to a remote site through a login or terminal session; the intruder hijacks the connection after the user has completed authentication to the remote location; the remote site is now compromised.

Spoofing is classified into:
- Non-blind spoofing: using spoofing to interfere with a connection that sends packets along your subnet.
- Blind spoofing: using spoofing to interfere with a connection (or create one) that does not send packets along your cable.

The concept of non-blind spoofing (NBS) is pretty simple. Because packets travel within your reach, you can get the current sequence and acknowledgement (SEQ/ACK) numbers of the connection. NBS is thus a very easy and accurate method of attack, but limited to connections going over your subnet. In spoofing documentation these attacks are sometimes omitted, because they are mostly denial-of-service attacks, or because people don't realise the advantage a spoof (in particular a hijack) has over simple password sniffing. Spoofing in general is referred to as a very high-level attack; this refers to blind spoofing (BlS).

3.1.3 How It's Done

3.1.3.1 Connection Killing
Setup:

  host A <------X-------------------------> host B     A,B have a TCP connection running
                |
  host S <------/                                      A,S on same subnet

a. Using reset (RST)
Concept: TCP packets have flags which indicate the status of the packet, like RST, the flag used to reset a connection. To be accepted, only the sequence number has to be correct (there is no ACK in a RST packet). So we wait for packets in a connection between A and B. Assume we wait for packets to A. We calculate, from B's ACKs, the sequence number for A's packets, and fire a bogus RST packet from S (pretending to be A) to B.

b. Closing a connection (FIN)
Concept: another flag is FIN, which says "no more data from sender". This flag is used when closing a connection down the normal, legitimate way. So if there were a way to make a packet that is accepted by one of the two hosts, that host would believe the sender had no data left. Following (real) packets would be ignored as they are considered bogus. That's it: because we can sniff the current SEQ/ACK of the connection, we can pretend to be either host A or B, and provide the other host with correct packet information and an evil FIN flag. The beauty of it all is that after a FIN is sent the other host always replies with one if it is accepted, so we have a way to verify our killing and can be 100% sure of success (if for some reason we missed a SEQ or ACK, we can just resend). RST killing is more popular and is preferred.

3.1.3.2 Connection Hijacking
Setup:

  host A <------X-------------------------> host B     A,B have a TCP connection running (TELNET)
                |
  host S <------/                                      A,S on same subnet

Concept: assume a TELNET from A (client) to B (server). TCP separates good and bogus packets by their SEQ/ACK numbers, i.e. B trusts the packets from A because of their correct SEQ/ACK numbers. So if there were a way to mess up A's SEQ/ACK, B would stop believing A's real packets. We could then impersonate A, but using correct SEQ/ACK numbers (that is, numbers correct for B). We would now have taken over the connection (host A is confused, B thinks nothing is wrong, and S sends "correct" data to B). This is called hijacking a connection. To mess up A's SEQ/ACK numbers we simply insert a data packet into the stream at the right time (S as A->B); the server B accepts this data and updates its ACK numbers, while A continues to send its old SEQ numbers, as it is unaware of our spoofed data. The takeover proceeds in three phases:

  Takeover phase 1: Stealing connection.
  Sending Spoofed clean-up data...
  Waiting for spoof to be confirmed...
  Phase 1 ended.
  Takeover phase 2: Getting on track with SEQ/ACK's again
  Server SEQ: C34A680B (hex) ACK: 5C8223F5 (hex)
  Phase 2 ended.
  Takeover phase 3: Sending MY data.
  Sending evil data.
  Waiting for evil data to be confirmed...
  Phase 3 ended.

3.1.4 Impact
Current intruder activity in spoofing source IP addresses can lead to unauthorized remote root access to systems behind a filtering-router firewall. After gaining root access and taking over existing terminal and login connections, intruders can gain access to remote hosts.

3.1.5 Solutions
A. Detection

IP spoofing
1. If you monitor packets using network-monitoring software such as netlog, look for a packet on your external interface that has both its source and destination IP addresses in your local domain. If you find one, you are currently under attack.
2. Another way to detect IP spoofing is to compare the process accounting logs between systems on your internal network. If the IP spoofing attack has succeeded on one of your systems, you may get a log entry on the victim machine showing a remote access; on the apparent source machine there will be no corresponding entry for initiating that remote access.

Hijacking
1. When the intruder attaches to an existing terminal or login connection, users may detect unusual activity, such as commands appearing on their terminal that they did not type, or a blank window that no longer responds to their commands. Encourage your users to inform you of any such activity.
2. In addition, pay particular attention to connections that have been idle for a long time. Once the attack is completed, it is difficult to detect. However, the intruders may leave remnants of their tools. For example, you may find a kernel streams module designed to tap into existing TCP connections.

B. Prevention

IP spoofing
The best method of preventing the IP spoofing problem is to install a filtering router that restricts the input to your external interface (known as an input filter) by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network, to prevent a source IP spoofing attack originating from your site. If your vendor's router does not support filtering on the inbound side of the interface, or if there will be a delay in incorporating the feature into your system, you may filter the spoofed IP packets by using a second router between your external interface and your outside connection. Configure this router to block, on the outgoing interface connected to your original router, all packets that have a source address in your internal network. For this purpose you can use a filtering router or a UNIX system with two interfaces that supports packet filtering. Disabling source routing at the router does not protect you from this attack, but it is still good security practice to do so.
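The input filter, the outgoing filter and the monitoring check in A.1 above amount to three rules on (interface, direction, source, destination). The following Python code is an added illustration of those rules, not part of the paper or of any router vendor's software; the internal network 192.0.2.0/24, the external interface name ext0 and the packet records are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed site parameters for this example: our internal address block and
# the name of the border router's external interface.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")
EXTERNAL_IFACE = "ext0"

Packet = namedtuple("Packet", "iface direction src dst")

# Constructed sample of packets as a monitor on the border router might record
# them (made-up addresses from the documentation ranges, not real traffic).
SAMPLE_PACKETS = [
    Packet("ext0", "in", "203.0.113.5", "192.0.2.10"),     # ordinary inbound traffic
    Packet("ext0", "in", "192.0.2.25", "192.0.2.10"),      # claims an inside source, arrived from outside
    Packet("ext0", "out", "192.0.2.10", "203.0.113.5"),    # ordinary outbound traffic
    Packet("ext0", "out", "198.51.100.9", "203.0.113.5"),  # leaving our site with a source that is not ours
    Packet("int0", "in", "192.0.2.25", "192.0.2.10"),      # local traffic on the inside interface
]


def is_internal(addr):
    """True if addr belongs to our internal network."""
    return ipaddress.ip_address(addr) in INTERNAL_NET


def input_filter(pkt):
    """Input filter from the text: a packet arriving on the external interface
    must not carry a source address from our internal network."""
    if pkt.iface == EXTERNAL_IFACE and pkt.direction == "in" and is_internal(pkt.src):
        return "drop"
    return "accept"


def output_filter(pkt):
    """Outgoing filter from the text: a packet leaving through the external
    interface must carry one of our own source addresses."""
    if pkt.iface == EXTERNAL_IFACE and pkt.direction == "out" and not is_internal(pkt.src):
        return "drop"
    return "accept"


def detect_spoofing(packets):
    """Detection rule A.1: packets seen on the external interface with both the
    source and the destination inside the local domain."""
    return [p for p in packets
            if p.iface == EXTERNAL_IFACE and is_internal(p.src) and is_internal(p.dst)]


def apply_filters(packets):
    """Run both filters over a packet list; returns (accepted, dropped)."""
    accepted, dropped = [], []
    for p in packets:
        if input_filter(p) == "drop" or output_filter(p) == "drop":
            dropped.append(p)
        else:
            accepted.append(p)
    return accepted, dropped


if __name__ == "__main__":
    for p in detect_spoofing(SAMPLE_PACKETS):
        print("alert: spoofed packet on external interface:", p)
    accepted, dropped = apply_filters(SAMPLE_PACKETS)
    print(len(accepted), "accepted,", len(dropped), "dropped")
```

The same three predicates map directly onto access-list entries on a filtering router: the input filter is applied inbound on the external interface, the output filter outbound on it, and the detection rule is what the packet monitor reports when the filters are absent or misconfigured.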

Hijacking
There is no specific way to prevent hijacking other than preventing intruders from gaining root access in the first place. If you have experienced a root compromise, you have to perform a recovery.

3.2 Sequence Number Guessing

3.2.1 Details of the attack
If TCP sequence numbers are predictable, a hacker can forge a connection from another machine. The hacker doesn't need to see the packets from the server; the server believes the hacker is the trusted client. This is easily done from any Internet machine where the hacker has full privileges: Macs, Windows, etc. Let us assume that the attacker, in this case X, has been able to spoof the IP address of client A. Spoofing attacks are also discussed in this paper (section 3.1). Sequence number guessing is related to the three-way handshake used in TCP. Suppose client machine A wants to talk to remote server B. It sends the following message:

  A->B: SYN, ISNa

That is, it sends a packet with the SYN ("synchronize sequence number") bit set and an initial sequence number ISNa. B replies with

  B->A: SYN, ISNb, ACK(ISNa)

In addition to sending its own initial sequence number, it acknowledges A's. The actual numeric value ISNa also appears in the message. A concludes the handshake by sending

  A->B: ACK(ISNb)

The initial sequence numbers are intended to be more or less random. RFC 793 specifies that the 32-bit counter be incremented by 1 in the low-order position about every 4 microseconds. Instead, some Unix versions like FreeBSD increment it by a constant every second, and by another constant for each new connection. Thus, if a connection is opened to a machine, guessing the sequence number for the next connection is not very tough. This is the source of the attack. Suppose X is the attacker. X first opens a real connection to its target. This gives ISNb. It then impersonates A and sends

  Ax->B: SYN, ISNx

where "Ax" denotes a packet sent by X pretending to be A. B's response to X's original SYN,

  B->A: SYN, ISNb', ACK(ISNx)

goes to the legitimate A, about which more anon. X never sees that message but can still send

  Ax->B: ACK(ISNb')

using the predicted value for ISNb'.

If X guessed the sequence number right, B's server thinks it has a legitimate connection with A, when in fact X is sending the packets. X can't see the output from this session, but it can execute commands as more or less any user. There is a minor difficulty here: if A sees B's message, it will realize that B is acknowledging something it never sent, and will send a RST packet in response to tear down the connection.

3.2.2 Solution
The problem encountered above arises because the attacker was able to guess the initial sequence number. By making the initial sequence number a random number, the sequence number attack can be avoided. But this leads to protocol problems, like duplicate packets and reincarnations of packets of an old connection at the server, where the server will not be able to distinguish whether the packets came from the current session or from the previous connection. One way to avoid this is to allot sequence number space to each port, with the sequence numbers chosen according to the following relationship:

  ISN = M + F(localhost, localport, remotehost, remoteport)

It is important that F not be computable from the outside, or an attacker could still guess at sequence numbers from the initial sequence number used for some other connection. If F is a cryptographic hash function of the connection id and some secret data, then it is a good source of unpredictable random numbers. A hash function like MD5 is a good choice, since the code is widely available. The secret data can either be a true random number [10], or it can be the combination of some per-host secret and the boot time of the machine. The boot time is included to ensure that the secret is changed on occasion. Other data, such as the host's IP address and name, may be included in the hash as well.
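As an added worked example (not code from the paper), the following Python program puts the constant-increment scheme described in 3.2.1 beside the hashed scheme ISN = M + F(localhost, localport, remotehost, remoteport) proposed above, with F built on MD5 as the text suggests, and shows why an ISN observed on one connection predicts the next ISN under the first scheme but not under the second. It assumes M is the RFC 793 clock (one increment every 4 microseconds); the per-second and per-connection constants, the addresses, the secret and the frozen clock are constructed for the demonstration.

```python
import hashlib
import os
import struct
import time

MODULUS = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def frozen_clock():
    """A clock stopped at one instant, so successive ISNs share the same second
    and the same 4-microsecond tick (constructed for the demonstration)."""
    return 1_700_000_000.0


# Constructed connection 4-tuples: (localhost, localport, remotehost, remoteport).
PROBE = ("192.0.2.99", 40000, "192.0.2.10", 513)   # the outsider's own connection
TARGET = ("192.0.2.25", 1023, "192.0.2.10", 513)   # the connection it wants to forge


class PredictableIsn:
    """The weak scheme from 3.2.1: the ISN grows by one constant per second and
    another per connection. The constants are constructed for this example."""

    def __init__(self, per_second=128_000, per_connection=64_000, clock=time.time):
        self.per_second = per_second
        self.per_connection = per_connection
        self.clock = clock
        self.connections = 0

    def isn(self, *connection):
        # The 4-tuple is ignored: nothing connection-specific enters the value.
        value = (int(self.clock()) * self.per_second
                 + self.connections * self.per_connection) % MODULUS
        self.connections += 1
        return value


class HashedIsn:
    """ISN = M + F(4-tuple), F = MD5(connection id || secret) truncated to 32 bits.
    Secret = random bytes plus the boot time, so it changes across reboots."""

    def __init__(self, secret=None, boot_time=None, clock=time.time):
        random_part = secret if secret is not None else os.urandom(16)
        boot = int(boot_time if boot_time is not None else clock())
        self.secret = random_part + struct.pack("!Q", boot)
        self.clock = clock

    def counter(self):
        # M: assumed to be the RFC 793 clock, 4-microsecond ticks, 32 bits wide.
        return int(self.clock() * 250_000) % MODULUS

    def offset(self, localhost, localport, remotehost, remoteport):
        # F: keyed MD5 over the connection id; the secret never leaves the host.
        conn_id = f"{localhost}:{localport}>{remotehost}:{remoteport}".encode()
        digest = hashlib.md5(conn_id + self.secret).digest()
        return struct.unpack("!I", digest[:4])[0]

    def isn(self, localhost, localport, remotehost, remoteport):
        return (self.counter()
                + self.offset(localhost, localport, remotehost, remoteport)) % MODULUS


def predict_next(observed_isn, per_connection=64_000):
    """An outsider's guess for the next ISN issued in the same second, given one
    observed ISN and knowledge of the per-connection constant."""
    return (observed_isn + per_connection) % MODULUS


def prediction_succeeds(generator, probe, target):
    """Open a probe connection, guess the next ISN from it, then compare with the
    ISN the generator actually issues to the target connection."""
    observed = generator.isn(*probe)
    return predict_next(observed) == generator.isn(*target)


if __name__ == "__main__":
    weak = PredictableIsn(clock=frozen_clock)
    strong = HashedIsn(clock=frozen_clock)
    print("constant-increment scheme predicted:", prediction_succeeds(weak, PROBE, TARGET))
    print("hashed scheme predicted:", prediction_succeeds(strong, PROBE, TARGET))
```

Under the hashed scheme the offset for a given 4-tuple is stable for the lifetime of the secret, so the sequence space of each port still advances with M as RFC 793 intends and old duplicates are rejected as before; what the outsider loses is any relation between the offset of its own connection and the offset of someone else's.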

3.3 Denial of service
Denial of service is about knocking out services without permission, for example by crashing the whole system. These kinds of attacks are easy to launch and it is hard to protect a system against them. Such attacks are typically motivated by sub-cultural status, gaining access, revenge, political reasons, economic reasons or nastiness.

3.3.1 Some basic targets for an attack
a. Swap space
Most systems have several hundred megabytes of swap space to service client requests. The swap space is typically used for forked child processes which have a short lifetime. The swap space will therefore almost never be used heavily in the normal case. A denial of service could be based on a method that tries to fill up the swap space.

b. Bandwidth
If the bandwidth consumed is too high, the network will be useless. Most denial of service attacks influence the bandwidth in some way.

c. Kernel tables
Overflow in the kernel tables will cause serious problems on the system. The kernel has a kernelmap limit; if the system reaches this limit it cannot allocate more kernel memory and must be rebooted. Kernel memory is not only used for RAM, CPUs, screens and so on; it is also used for ordinary processes. This means that any system can be crashed, and with a mean algorithm pretty fast. In Solaris 2.X the amount of kernel memory the system is using is measured and reported with the sar command, but for SunOS 4.X there is no such command, so in SunOS 4.X we cannot even get a warning.

d. RAM
A denial of service attack that allocates a large amount of RAM can cause a great deal of problems. NFS and mail servers are actually extremely sensitive because they do not need much RAM and therefore often don't have much RAM. An attack on an NFS server is trivial. The normal NFS client does a great deal of caching, but an NFS client can be anything, including a program you wrote yourself.

3.3.2 The attacks
(A). Taking advantage of finger
Most fingerd installations support redirections to another host, e.g.:

  $ finger @system.two.com@system.one.com

In this example the finger will go through system.one.com and on to system.two.com. As far as system.two.com knows, it is system.one.com that is fingering. So this method can be used for hiding, but also for a very dirty denial of service attack, e.g.:

  $ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack

All those @ signs will get finger to finger host.we.attack again and again and again... The effect on host.we.attack is powerful and the result is high bandwidth, short free memory and a hard disk with less free space, due to all the child processes. The solution is to install a fingerd which doesn't support redirections, for example GNU finger.

(B). Freezing up X-Windows
If a host accepts a telnet session to the X-Windows port, somewhere between 6000 and 6025 (in most cases 6000), it could be used to freeze up the X-Windows system. This can be done with multiple telnet connections to the port or with a program which sends multiple XOpenDisplay() calls to the port. The same thing can happen to Motif or OpenWindows. The solution is to deny connections to the X-Windows port.

(C). Attacking with Lynx clients
A World Wide Web server forks an httpd process in response to a request from a client, typically Netscape or Mosaic. The process lasts for less than one second and the load will therefore never show up if someone uses ps. In most cases it is therefore very safe to launch a denial of service attack that makes use of multiple WWW clients, typically lynx clients. But the netstat command can be used to detect the attack. Some httpds (for example http-gw) have problems besides the normal high bandwidth and low memory, and the attack can in those cases get the server to loop.

(D). Malicious use of telnet under Solaris 2.4
If the attacker makes a telnet connection to the Solaris 2.4 host and quits using

  Control-} quit

then inetd will keep going "forever". The solution is to install the proper patch.

(E). How to disable services
Most Unix systems disable a service after N sessions have been opened in a given time. Most systems have a reasonable default (let's say 800 - 1000), but some SunOS systems have the default set to 48... The solution is to set the number to something reasonable.

(F). Malicious use of UDP services
It is simple to get UDP services (echo, time, daytime, chargen) to loop, due to trivial IP spoofing. The effect can be high bandwidth that causes the network to become useless. In the example below the header claims that the packet came from 127.0.0.1 (loopback) and the target is the echo port at system.we.attack. As far as system.we.attack knows, 127.0.0.1 is system.we.attack, and the loop has been established.

  from-IP=127.0.0.1
  to-IP=system.we.attack
  Packet type: UDP
  from UDP port 7
  to UDP port 7

SunOS 4.1.3 is known to reboot if a packet with incorrect information in the header is sent to it. This is the case if the ip_options indicate a wrong size of the packet. The solution is to install the proper patch.

(G). ICMP redirect attacks
Gateways use ICMP redirect to tell a system to override its routing tables, that is, telling the system to take a better route. To be able to misuse ICMP redirection we must know an existing connection. If we have found a connection we can make the route lose its connectivity, or we could send false messages to the host if the connection we have found doesn't use encryption. False messages to send include:

  DESTINATION UNREACHABLE
  TIME TO LIVE EXCEEDED
  PARAMETER PROBLEM
  PACKET TOO BIG

The effect of such messages is a reset of the connection. The solution could be to turn ICMP redirects off; there is not much proper use of the service.

(H). Broadcast storms
This is a very popular method in networks where all of the hosts act as gateways. There are many versions of the attack, but the basic method is to send a lot of packets to all hosts in the network with a destination that doesn't exist. Each host will try to forward each packet, so the packets will bounce around for a long time. And if new packets keep coming the network will soon be in trouble. Services that can be misused as tools in this kind of attack are, for example, ping, finger and sendmail. But most services can be misused in some way or another.

(I). Email bombing and spamming
In an email bombing attack the attacker repeatedly sends identical email messages to an address. The effect on the target is high bandwidth, a hard disk with less space, and so on... Email spamming is about sending mail to all (or rather many) of the users of a system. The point of using spamming instead of bombing is that some users will try to send a reply, and if the address is false the mail will bounce back. In that case one mail has turned into three mails. The effect on the bandwidth is obvious. There is no way to prevent email bombing or spamming. However, have a look at CERT's paper "Email bombing and spamming".

(J). The dot dot bug
The Windows NT file sharing system is vulnerable to the dot dot bug (dot dot as in "..") that was famous under Windows 95, meaning that anyone can crash the system. If someone sends a "DIR ..\" to the workstation, a STOP message appears on the screen of the Windows NT computer. Note that it applies to versions 3.50 and 3.51 for both the workstation and server versions. The solution is to install the proper patch.

(K). Hostile applets
A hostile applet is any applet that attempts to use your system in an inappropriate manner. The problems in the Java language can be sorted into two main groups: 1) problems due to bugs; 2) problems due to features of the language. In group one we have for example the Java bytecode verifier bug, which makes it possible for an applet to execute any command that the user can execute, meaning that any of the attack methods described could be executed through an applet. If you need a high level of security you should use some sort of firewall for protection against Java. As a user you could have Java disabled.

(L). Virus
A computer virus is written for the purpose of spreading and destroying systems. The virus is still the most common and famous denial of service attack method. It is a misunderstanding that virus writing is hard. If you know assembly language and have source code for a couple of viruses, it is easy. Several automatic toolkits for virus construction can also be found, for example:
* Genvir.
* VCS (Virus Construction Set).
* VCL (Virus Construction Laboratory).
* PS-MPC (Phalcon/Skism - Mass Produced Code Generator).
* IVP (Instant Virus Production Kit).
* G2 (G Squared).
PS-MPC and VCL are known to be the best and can help the novice programmer learn how to write viruses. An automatic tool called MtE can also be found. MtE transforms a virus into a polymorphic virus. The polymorphic engine of MtE is well known and should easily be caught by any scanner.

(M). Anonymous FTP abuse
If an anonymous FTP archive has a writable area it could be misused for a denial of service attack: we can fill up the hard disk. A host can also be made temporarily unusable by massive numbers of FTP requests. Novell's NetWare FTP server is known to run short of memory if multiple FTP sessions connect to it.

(N). SYN flooding
A SYN packet is the first portion of the TCP "three-way handshake". It basically says, "Hey, over here... I want to connect to you." When a TCP/IP stack receives a SYN packet, it responds with a SYN/ACK, which says "OK, you can connect to me, just let me make sure it's you." At this point it is waiting for an ACK, which says "Yeah, it's really me!" Now, if the source address in the SYN packet does not exist but there is a path to it in place, that SYN/ACK will never be answered with an ACK, and the TCP/IP stack will wait forever for that packet (actually until a certain amount of time has passed, which is implementation-dependent). If a whole bunch of those faked SYN packets are received simultaneously, the connection queue of the target machine will be filled. The connection queue is the number of half-open (SYN_RECEIVED) connections the kernel will allow on a port before it starts dropping further connection requests to that port. For each operating system there is a standard default, which may be configurable by the superuser.

(O). Crashing systems with ping flooding
If someone can ping a machine from a Windows 95 machine, it is possible to reboot or freeze your machine. The attacker simply writes:

  ping -l 65510 address.to.the.machine

and the machine will freeze or reboot. It even works on:
- Linux kernel 2.0.7 up to version 2.0.20, and 2.1.1 (crash)
- AIX 4, OSF, HPUX 10.1, DUnix 4.0 (crash)
- OSF/1 3.2C, Solaris 2.4 x86 (reboot)

(P). Malicious use of the subnet mask reply message
The subnet mask reply message is used during reboot, but some hosts are known to accept the message at any time without any check. If so, all communication to or from the host is turned off; it's dead. The host should not accept the message at any time other than during reboot.

3.3.3 Protecting a system against denial of service attacks
You cannot make your system totally secure against denial of service, but the following methods can reduce the risk.

(A). Security patches
Always install the proper security patches. Also note that patches change over time and that a solution suggested in security bulletins (e.g. CERT) is often somewhat temporary.

(B). Port scanning
Check which services you have. Scan the ports with sprobe or some other port scanner. You should do this regularly to see that no one has installed a service that you don't want on the system. Disable every service that you don't need; these could for example be rexd, fingerd, systat, netstat, rusersd, sprayd, pop3, uucpd, echo, chargen, tftp, exec, ufs, daytime, time. Any combination of echo, time, daytime and chargen can be made to loop. There is however no need to turn discard off. The discard service will just read a packet and discard it, so if you turn it off you will become more sensitive to denial of service, not less.

(C). Check for the attacks
Check for the possible attacks. Perform a stress test of your system with several services and look at the effect.

(D). Extra security systems
The basics that you should always install are a log daemon and a wrapper. A firewall could also be very good, but expensive. Note that you should be very careful if building your own firewall or you might open up new and very bad security holes, but it is very easy if you have some basic knowledge. It is also very good to replace services that you need, for example telnet, rlogin, rsh or whatever, with a tool like ssh. Ssh is free and can be found on the web.

(E). Monitoring security
Also monitor security regularly, for example by examining system log files and history files. Even on a system without any extra security systems, several tools can be found for monitoring, for example:
- uptime
- showmount
- ps
- netstat
- finger
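To tie the half-open connection queue described under (N) to the netstat monitoring suggested under (C) and (E), here is an added Python example (not from the paper) that parses "netstat -an" output, counts half-open (SYN_RECV) connections per local port and flags the ports that are approaching a given backlog. The netstat output, the addresses and the backlog value of 5 are constructed for the example; the real per-port backlog is the operating system's configurable default mentioned in the text, which the caller must supply.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -an` output on a server (made-up addresses
# from the documentation ranges; not a real capture).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           203.0.113.7:51234       ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.3:40112      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:33001       ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.44:4021      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.45:4022      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.46:4023      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.47:4024      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.48:4025      SYN_RECV
udp        0      0 0.0.0.0:123             0.0.0.0:*
"""

# Names the half-open state goes by in netstat output on different systems.
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RCVD", "SYN_RECEIVED"}

# One TCP socket line: proto, two queue counters, local addr:port,
# foreign addr:port, state.
SOCKET_LINE = re.compile(
    r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\S+)\s*$")


def parse_tcp_sockets(text):
    """Yield (local_port, foreign_host, state) for every TCP line in netstat output."""
    for line in text.splitlines():
        m = SOCKET_LINE.match(line)
        if m:
            yield int(m.group(2)), m.group(3), m.group(5)


def half_open_by_port(text):
    """Map each local port to the foreign hosts holding a half-open connection on it."""
    table = defaultdict(list)
    for port, host, state in parse_tcp_sockets(text):
        if state in HALF_OPEN_STATES:
            table[port].append(host)
    return dict(table)


def flooded_ports(text, backlog, warn_fraction=0.8):
    """Ports whose half-open count has reached warn_fraction of the per-port
    backlog (the 'connection queue' in the text); backlog is the operating
    system's configured limit and is supplied by the caller."""
    limit = backlog * warn_fraction
    return sorted(port for port, hosts in half_open_by_port(text).items()
                  if len(hosts) >= limit)


def report(text, backlog):
    """Per-port summary: half-open count, distinct sources and whether the port
    is flagged. Many distinct sources that never finish the handshake is the
    pattern the text describes for forged SYNs."""
    flagged = set(flooded_ports(text, backlog))
    return {port: {"half_open": len(hosts),
                   "distinct_sources": len(set(hosts)),
                   "flagged": port in flagged}
            for port, hosts in half_open_by_port(text).items()}


if __name__ == "__main__":
    for port, row in sorted(report(SAMPLE_NETSTAT, backlog=5).items()):
        print(port, row)
```

Run against live output (for example by piping "netstat -an" into it from a periodic job), a port whose half-open count sits near the backlog while its ESTABLISHED count stays flat is the signature to look for; the remedies are those the text names, the operating system's patches and backlog setting.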

(F). Keeping up to date
It is very important to keep up to date with security problems.

4. Conclusion
In this paper we considered the most common passive and active attacks possible on the TCP/IP protocol suite. Several attack methods, their impact, detection, prevention and solutions were discussed. In the course of the discussion we saw that most of the vulnerabilities are due to bad implementation and improper configuration of network applications. Users can employ vulnerability detection and prevention tools to minimize the possibility of attacks on their machines and applications. The IETF has considered the TCP/IP protocol suite vulnerabilities, and the upcoming versions of TCP and IP are expected to minimize them.

5. References
[1] Bellovin, Steven M. Security Problems in the TCP/IP Protocol Suite. 1989.
[2] Joncheray, Laurent. A Simple Active Attack Against TCP. 1995.
[3] Joncheray, Laurent. IP Hijacking. April 24, 1995.
[4] Farrow, Rik. Sequence Number Attacks. December 1994.
[5] Morris, Robert T. A Weakness in the 4.2BSD Unix TCP/IP Software. 1985.
[6] Hacking Lexicon. http://www.robertgraham.com/pubs/hacking-dict.html
[7] Some TCP/IP Vulnerabilities. http://staff.washington.edu/dittrich/talks/agora/
[8] The Hawks security links. http://www.dbnet.ece.ntua.gr/~george/security/
[9] Introduction to Denial of Service. http://www.attrition.org/~modify/texts/denial_of_service/denial_of_service.txt
[10] TCP/IP Security. http://www.security.promo.ru/english/block.html
