In this article, we’ll discuss TCP/IP: the importance of mastering it, and how mastering it can benefit hackers. We will then look at how hackers are able to attack TCP/IP and the various network attacks associated with it. We will also discuss methods that security teams can use to protect against these TCP/IP attacks.
TCP/IP is actually the most widely used protocol today. TCP/IP is currently the most common standard for device communication within computer networks.
The TCP/IP stack is divided into several layers, each of which is important for certain aspects of communication. It is possible to develop each of these layers without affecting the adjacent layers. With TCP/IP, data encapsulation is achieved in different headers across different transport layers of the protocol stack.
Despite attempts to make TCP as secure as possible, there are still attacks that exploit it.
What are the basic TCP/IP hacking techniques?
Hackers are able to attack some of the bugs that exist in the TCP/IP protocol suite. There are three main attacks:
- Address falsification
- TCP sequence number prediction
- Port scanning
Let’s briefly discuss these techniques.
Hackers have always been able to manipulate the direction an IP packet travels based on the implementation of the IP header. Anyone with access to the IP header can act as a routing device and determine where the packet goes. This applies to both the source and destination of the traffic.
Hackers can then impersonate the IP address of another host on the network and send packets that appear to originate from that host.
TCP sequence number prediction
This attack attempts to correctly guess the sequence number used to identify packets in a TCP connection. If hackers can achieve this, they can spoof packets going to the target host on the network. The target host has no way of knowing that these spoofed packets originate from a malicious host.
The attacker achieves this by listening to the communication between the sender and the recipient. All an attacker needs is the sender’s IP address and the correct sequence number, and this attack will succeed.
Hackers are able to perform port scans to identify open ports and services present and running within network hosts. This is done with the intention of pinpointing and attacking a vulnerable target.
There are several different types of port scans that can be used:
- TCP “connect()” scan: This is a UNIX system call that can be used to open a connection to a port of interest. The “connect()” call will only succeed if there is a listening server or if the port is not in use. This method is very easy to detect and will be detected by a proper security audit
- TCP SYN scan: This is an alternative that can be used to scan “connect()”. Here, the hacker sends a SYN packet to the destination. This tricks the target into waiting for an incoming connection
- TCP FIN scan: Hackers can use this as an alternative to the above two methods. Instead of sending a SYN packet, the hacker sends a FIN packet. This technique will not work where certain packet filters have been enforced.
Once a port is identified as open, hackers can target it for attacks. These attacks will also depend heavily on the services running on the ports.
What are some network attacks associated with TCP/IP?
Hackers discovered flaws in the TCP/IP implementation. These vulnerabilities led to the possibility of different kinds of attacks. Below are the main classes of attacks that result from these vulnerabilities:
- Denial-of-Service attacks
- Spoofing attacks
Let’s discuss how each of these vulnerabilities works.
Denial-of-Service attacks prevent valid and legitimate users from accessing information they should be able to access. An attacker transmits massive amounts of fake data to a target with the intention of rendering it unusable by overwhelming it. The target will eventually run out of memory or CPU and may eventually fail.
The two main types of flood attacks are:
- CHARGEN and ECHO
- SYN flood
There are also other Denial-of-Service attacks that hackers can exploit – such as the famous Ping of Death, which increases the size of the ping packet and causes the system to crash.
CHARGEN and ECHO
Some TCP/IP implementations offer two key services, CHARGEN and ECHO. CHARGEN runs on TCP and UDP port number 19, while ECHO runs on TCP and UDP port number 7.
CHARGEN will respond to any incoming UDP packet with randomly selected characters numbered from 0 to 512. ECHO will respond to all incoming packets with whatever it just received.
These two services are intended for system diagnostics, but instead hackers have found a way to exploit them into tools that can perform Denial-of-Service attacks. This is possible because it is quite easy to set up a chain of requests between two servers that target the CHARGEN port on one server and target the ECHO port on the other server while spoofing the IP address of one server.
Once you do this, the fake IP address of one server will appear legitimate to the victim and a chain of requests and responses will be created. Such an attack will result in a lot of network traffic, so network users will have slow access to the Internet.
This attack can be used to target a specific target of interest so that users are denied access.
This attack involves sending fake SYN packets to the target host, flooding (and thus consuming) all new network connections to the target host. This results in legitimate TCP connection requests not receiving any connections; thereby denying service.
Spoofing attacks are attacks that trick systems on a network into believing that the attacker is either a legitimate server or client. Below are the two main categories of spoofing attacks:
- Client-side spoofing
- Server-side spoofing
Hackers are able to perform this type of spoofing by posing as an authorized client to the server. There are several methods by which this can be done.
One common one is IP spoofing. Hackers create packets with a spoofed source IP address and then impersonate legitimate clients on the network. One application is when working with servers requiring IP-based authentication. Using this technique, it is easy to trick such servers.
Server-side spoofing works in a different way. Instead of the hacker impersonating a legitimate client within the network, we focus on impersonating the server so that clients on the network can connect to it. The motivation behind this attack is to collect sensitive information from clients who willingly send it to a “legitimate” server.
Some TCP/IP-based attacks include abuse of routing infrastructure, domain name systems, and many other TCP/IP implementations. Let’s briefly consider some.
Routing attacks on infrastructure
Routers make routing decisions based on information stored in the routing table. Routers will periodically share routing information to keep their routing tables up to date. These updates are known as link state updates (LSU).
Possible threats here mainly come from spoofing attacks. A hacker can hack into router A and cause it to send fake routing control packets to routers B and C, causing them to switch traffic to router A. The hacker then sets up an intermediary to monitor traffic coming from the routers. B and C.
DNS abuse attacks
Since there are many types of DNS attacks, we decided to divide them into four main groups:
- Bulk DoS attacks: This attack involves overwhelming the DNS server by overwhelming it with a large number of requests. These may come from one or more sources and lead to service degradation or unavailability
- Exploits: These attacks exploit various bugs that affect DNS services
- Stealth/slow drip attacks: These attacks involve sending a small amount of traffic to a DNS server, resulting in server capacity exhaustion. This can ultimately lead to service degradation
- Protocol Exploitation: These attacks exploit DNS leading to data exfiltration
Other TCP/IP attacks also include fileless security, x-windows, and distributed coordinated attacks.
What are some detection and protection methods for TCP/IP-based attacks?
Below are some of the methods security teams can use to prevent or defend against TCP/IP-based attacks:
System configuration improvements
When the system is properly configured, all possible loopholes are sealed and hackers cannot exploit them for attacks. For example, if vulnerable protocols are disabled in the system, hackers will not have smooth access to the target.
Improved router configuration
Information in the routing table is accessible to hackers and can be altered for malicious intent. If proper router configurations are implemented, hackers may not be able to gain unauthorized access to systems.
Properly configured security solutions such as firewalls, intrusion detection systems, and intrusion prevention systems are able to identify malicious network traffic and alert the security team in real time. This is effective in thwarting attackers’ attempts to breach networks.
Some of the TCP/IP-based attacks discussed above are quite old, yet only recently are we seeing smart security solutions capable of catching most of them. Scanning tools are also improving as more attacks are detected. Knowing how to exploit these problems is essential for ethical hackers, who can then design solutions to solve them and make networks more secure.
- Guang Yang, “Introduction to TCP/IP Network Attacks“
- Brenden Claypool, “Stealth Port Scanning Methods“
- TCP/IP (Transmission Control Protocol/Internet Protocol), TechTarget
- What IP Means and How It Works, Lifewire
- TCP/IP, Computer Hope