A Simple Active Attack Against TCP

Laurent Joncheray
Merit Network, Inc.
Plymouth Road, Suite C
Ann Arbor, MI, USA
E-mail: lpj@merit.edu
April *** ****

Abstract

This paper describes an active attack against the Transport Control Protocol (TCP) which allows a cracker to redirect the TCP stream through his machine, thereby permitting him to bypass the protection offered by such a system as a one-time password [SKEY] or ticketing authentication [Kerberos]. The TCP connection is vulnerable to anyone with a TCP packet sniffer and generator located on the path followed by the connection. Some schemes to detect this attack are presented, as well as some methods of prevention and some interesting details of the TCP protocol behaviors.

Introduction

Passive attacks using sniffers are becoming more and more frequent on the Internet. The attacker obtains a user id and password that allows him to log on as that user. In order to prevent such attacks, people have been using identification schemes such as one-time password [SKEY] or ticketing identification [Kerberos]. Though they prevent password sniffing on an unsecure network, these methods are still vulnerable to an active attack as long as they neither encrypt nor sign the data stream.[1] Still, many people are complacent, believing that active attacks are very difficult and hence a lesser risk.

The following paper describes an extremely simple active attack which has been successfully used to break into Unix hosts and which can be done with the same resources as for a passive sniffing attack.[2] Some uncommon behaviors of the TCP protocol are also presented, as well as some real examples and statistical studies of the attack's impact on the network. Finally, some detection and prevention schemes are explained. In order to help any reader unfamiliar with the subtleties of the TCP protocol, the article starts with a short description of TCP. The reader can also refer to another attack by R. Morris presented in [Morris]. Though the following attack is related to Morris' one, it is more widely usable on any TCP connection. In a later section we present and compare that attack with the present one.

The presentation of the attack will be divided into three parts: the "Established State", which is the state where the session is open and data is exchanged; the set up (or opening) of such a session; and finally some real examples.

[1] Kerberos also provides an encrypted TCP stream option.
[2] The attacks have been performed with a test software and the users were aware of the attack. Although we do not have any knowledge of such an attack being used on the Internet, it may be possible.

Established State

The TCP protocol

This section offers a short description of the TCP protocol. For more details the reader can refer to [RFC ***]. TCP provides a full duplex reliable stream connection between two end points. A connection is uniquely defined by the quadruple (IP address of the sender, TCP port number of the sender, IP address of the receiver, TCP port number of the receiver). Every byte that is sent by a host is marked with a sequence number (a 32-bit integer) and is acknowledged by the receiver using this sequence number. The sequence number for the first byte sent is computed during the connection opening. It changes for any new connection, based on rules designed to avoid reuse of the same sequence number for two different sessions of a TCP connection.

We shall assume in this document that one point of the connection acts as a server (for instance a telnet server) and the other as the client. The following terms will be used:

SVR_SEQ: sequence number of the next byte to be sent by the server.
SVR_ACK: next byte to be received by the server (the sequence number of the last byte received plus one).
SVR_WIND: server's receive window.
CLT_SEQ: sequence number of the next byte to be sent by the client.
CLT_ACK: next byte to be received by the client.
CLT_WIND: client's receive window.

At the beginning, when no data has been exchanged, we have SVR_SEQ = CLT_ACK and CLT_SEQ = SVR_ACK. These equations are also true when the connection is in a "quiet" state (no data being sent on either side). They are not true during transitory states when data is sent. The more general equations are:

    CLT_ACK <= SVR_SEQ <= CLT_ACK + CLT_WIND
    SVR_ACK <= CLT_SEQ <= SVR_ACK + SVR_WIND

The TCP packet header fields are:

Source Port: The source port number.
Destination Port: The destination port number.
Sequence Number: The sequence number of the first byte in this packet.
Acknowledgment Number: The expected sequence number of the next byte to be received.
Data Offset: Offset of the data in the packet.
Control Bits:
    URG: Urgent Pointer
    ACK: Acknowledgment
    PSH: Push Function
    RST: Reset the connection
    SYN: Synchronize sequence numbers
    FIN: No more data from sender
Window: Window size of the sender.
Checksum: TCP checksum of the header and data.
Urgent Pointer: TCP urgent pointer.
Options: TCP options.

- SEG_SEQ will refer to the packet sequence number (as seen in the header).
- SEG_ACK will refer to the packet acknowledgment number.
- SEG_FLAG will refer to the control bits.

On a typical packet sent by the client (no retransmission), SEG_SEQ is set to CLT_SEQ and SEG_ACK to CLT_ACK.

TCP uses a "three-way handshake" to establish a new connection. If we suppose that the client initiates the connection to the server and that no data is exchanged, the normal packet exchange is (cf. Figure 1):

- The connection on the client side is in the CLOSED state. The one on the server side is in the LISTEN state.
- The client first sends its initial sequence number and sets the SYN bit:
      SEG_SEQ = CLT_SEQ_0,
      SEG_FLAG = SYN
  Its state is now SYN-SENT.
- On receipt of this packet the server acknowledges the client sequence number, sends its own initial sequence number and sets the SYN bit:
      SEG_SEQ = SVR_SEQ_0,
      SEG_ACK = CLT_SEQ_0 + 1,
      SEG_FLAG = SYN
  and sets SVR_ACK = CLT_SEQ_0 + 1. Its state is now SYN-RECEIVED.
- On receipt of this packet the client acknowledges the server sequence number:
      SEG_SEQ = CLT_SEQ_0 + 1,
      SEG_ACK = SVR_SEQ_0 + 1
  and sets CLT_ACK = SVR_SEQ_0 + 1. Its state is now ESTABLISHED.
- On receipt of this packet the server enters the ESTABLISHED state. We now have:
      CLT_SEQ = CLT_SEQ_0 + 1
      CLT_ACK = SVR_SEQ_0 + 1
      SVR_SEQ = SVR_SEQ_0 + 1
      SVR_ACK = CLT_SEQ_0 + 1

[Figure 1: Example of a connection opening. Server and client state transitions (LISTEN / CLOSED, SYN-SENT, SYN-RECEIVED, ESTABLISHED) with the SYN, SYN/ACK and ACK packets of the handshake above.]

Closing a connection can be done by using the FIN or the RST flag. If the RST flag of a packet is set, the receiving host enters the CLOSED state and frees any resource associated with this instance of the connection. The packet is not acknowledged. Any new incoming packet for that connection will be dropped. If the FIN flag of a packet is set, the receiving host enters the CLOSE-WAIT state and starts the process of gracefully closing the connection. The detail of that process is beyond the scope of this document. The reader can refer to [RFC ***] for further details.

In the preceding example we specifically avoided any unusual cases such as out-of-band packets, retransmission, loss of packets, concurrent opening, etc. These can be ignored in this simple study of the attack.

When in the ESTABLISHED state, a packet is acceptable if its sequence number falls within the expected segment [SVR_ACK, SVR_ACK + SVR_WIND] (for the server) or [CLT_ACK, CLT_ACK + CLT_WIND] (for the client). If the sequence number is beyond those limits, the packet is dropped and an acknowledgment packet will be sent using the expected sequence number. For example, if the values are such that SEG_SEQ > SVR_ACK + SVR_WIND, the server forms an ACK packet with

    SEG_SEQ = SVR_SEQ
    SEG_ACK = SVR_ACK

which is what the server expects to see in the packet.

A desynchronized state

The term "desynchronized state" will refer to the connection when both sides are in the ESTABLISHED state, no data is being sent (stable state), and

    SVR_SEQ != CLT_ACK
    CLT_SEQ != SVR_ACK

This state is stable as long as no data is sent. If some data is sent, two cases can occur:

1. If CLT_SEQ < SVR_ACK + SVR_WIND and CLT_SEQ > SVR_ACK, the packet is acceptable; the data may be stored for later use (depending on the implementation) but not sent to the user, since the beginning of the stream (sequence number SVR_ACK) is missing.
2. If CLT_SEQ > SVR_ACK + SVR_WIND or CLT_SEQ < SVR_ACK, the packet is not acceptable and will be dropped. The data is lost.

In both cases data exchange is not possible even though the connection state exists.

The attack

The proposed attack consists of creating a desynchronized state on both ends of the TCP connection so that the two points cannot exchange data any longer. A third party host is then used to create acceptable packets for both ends which mimic the real packets.

Assume that the TCP session is in a desynchronized state and that the client sends a packet with

    SEG_SEQ = CLT_SEQ
    SEG_ACK = CLT_ACK

Since CLT_SEQ != SVR_ACK, the data will not be accepted and the packet is dropped. The third party then sends the same packet but changes the SEG_SEQ and SEG_ACK (and the checksum) such that

    SEG_SEQ = SVR_ACK
    SEG_ACK = SVR_SEQ

which is acceptable to the server. The data is processed by the server. If CLT_TO_SVR_OFFSET refers to SVR_ACK - CLT_SEQ and SVR_TO_CLT_OFFSET refers to CLT_ACK - SVR_SEQ, then the attacker has to rewrite the TCP packet from the client to the server as:

    SEG_SEQ = SEG_SEQ + CLT_TO_SVR_OFFSET
    SEG_ACK = SEG_ACK - SVR_TO_CLT_OFFSET

Considering that the attacker can listen to any packet exchanged between the two points and can forge any kind of IP packet (therefore masquerading as either the client or the server), everything acts as if the connection goes through the attacker's machine. This one can add or remove any data to the stream. For instance, if the connection is a remote login using telnet, the attacker can include any command on behalf of the user (echo merit.edu lpj >> ~/.rhosts is an example of such a command) and filter out any unwanted echo so that the user will not be aware of the intruder. Of course, in this case CLT_TO_SVR_OFFSET and SVR_TO_CLT_OFFSET have to change. The new values are left as an exercise for the reader.[3]

[3] One can turn off the echo in the telnet connection in order to avoid the burden of filtering the output. The test we did showed up a bug in the current telnet implementation (or maybe in the telnet protocol itself). If a TCP packet contains both IAC DONT ECHO and IAC DO ECHO, the telnet processor will answer with IAC WONT ECHO and IAC WILL ECHO. The other end point will acknowledge IAC DONT ECHO and IAC DO ECHO, etc., creating an endless loop.

TCP Ack storm

A flaw of the attack is the generation of a lot of TCP ACK packets. When receiving an unacceptable packet, the host acknowledges it by sending the expected sequence number (as the Acknowledgement number, cf. the introduction about TCP) and using its own sequence number. This packet is itself unacceptable and will generate an acknowledgement packet, which in turn will generate an acknowledgement packet, etc., creating a supposedly endless loop for every data packet sent.

Since these packets do not carry data, they are not retransmitted if the packet is lost. This means that if one of the packets in the loop is dropped, then the loop ends. Fortunately (or unfortunately?) TCP uses IP on an unreliable network layer with a non-null packet loss rate, making an end to the loops. Moreover, the more packets the network drops, the shorter the Ack storm (the loop) is. We also notice that these loops are self regulating: the more loops we create, the more traffic we get, the more congestion and packet drops we experience, and the more loops are killed.

The loop is created each time the client or the server sends data. If no data is sent, no loop appears. If data is sent and no attacker is there to acknowledge the data, then the data will be retransmitted, a storm will be created for each retransmission, and eventually the connection will be dropped since no ACK of the data is sent. If the attacker acknowledges the data, then only one storm is produced (in practice the attacker often missed the data packet due to the load on the network, and acknowledged the first of the subsequent retransmissions).

The attack uses the second type of packet described in the section on the desynchronized state (case 2). The first case, in which the data is stored by the receiver for later processing, has not been tested. It has the advantage of not generating the ACK storm, but on the other hand it may be dangerous if the data is actually processed. It is also difficult to use with small window connections.

Setup of the session

This paper presents two methods for desynchronizing a TCP connection. Others can be imagined but will not be described here. We suppose that the attacker can listen to every packet sent between the two end points.

Early desynchronization

This method consists of breaking the connection in its early setup stage on the server side and creating a new one with a different sequence number. Here is the process (Figure 2 summarizes it):

- The attacker listens for a SYN/ACK packet from the server to the client (the second stage in the connection set up).
- On detection of that packet the attacker sends the server a RST packet and then a SYN packet with exactly the same parameters (TCP port) but a different sequence number (referred to as ATK_SEQ_0 in the rest of the paper).
- The server will close the first connection when it receives the RST packet and then reopen a new one on the same port but with a different sequence number (SVR_SEQ_0') on receipt of the SYN packet. It sends back a SYN/ACK packet to the client.
- On detection of that packet the attacker sends the server an ACK packet. The server switches to the ESTABLISHED state.
- The client has already switched to the ESTABLISHED state when it receives the first SYN/ACK packet from the server.

[Figure 2: An attack scheme; the attacker's packets are marked. After the normal handshake (CLOSED / LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED) the attacker sends RST (SEG_SEQ = CLT_SEQ_0 + 1), the server goes to CLOSED; the attacker sends SYN (SEG_SEQ = ATK_SEQ_0); the server answers SYN/ACK (SEG_SEQ = SVR_SEQ_0', SEG_ACK = ATK_SEQ_0 + 1) and enters SYN-RECEIVED; the attacker's ACK (SEG_SEQ = ATK_SEQ_0 + 1, SEG_ACK = SVR_SEQ_0' + 1) brings the server to ESTABLISHED with SVR_SEQ = SVR_SEQ_0' + 1 and SVR_ACK = ATK_SEQ_0 + 1.]

This diagram does not show the unacceptable acknowledgement packet exchanges. Both ends are in the desynchronized ESTABLISHED state now.

    SVR_TO_CLT_OFFSET = SVR_SEQ_0 - SVR_SEQ_0'   is fixed by the server.
    CLT_TO_SVR_OFFSET = ATK_SEQ_0 - CLT_SEQ_0    is fixed by the attacker.

The success of the attack relies on the correct value being chosen for CLT_TO_SVR_OFFSET. A wrong value may make the client's packet acceptable and can produce unwanted effects.

Null data desynchronization

This method consists, for the attacker, in sending a large amount of data to the server and to the client. The data sent shouldn't affect nor be visible to the client or server, but will put both ends of the TCP session in the desynchronized state. The following scheme can be used with a telnet session:

- The attacker watches the session without interfering.
- When appropriate, the attacker sends a large amount of "null data" to the server. "Null data" refers to data that will not affect anything on the server side besides changing the TCP acknowledgment number. For instance, with a telnet session the attacker sends ATK_SVR_OFFSET bytes consisting of the sequence IAC NOP IAC NOP... Every two bytes IAC NOP will be interpreted by the telnet daemon, removed from the stream of data, and nothing will be affected.[4]
- Now the server has SVR_ACK = CLT_SEQ + ATK_SVR_OFFSET, which of course is desynchronized.
- The attacker does the same thing with the client.

The method is useful if the session can carry "null data". The time when the attacker sends that data is also very difficult to determine and may cause some unpredictable side effects.

[4] The telnet protocol [RFC ****] defines the NOP command as "No Operation". In other words: do nothing, just ignore those bytes.

Examples

The following logs are provided by running a hacked version of tcpdump [TCPDUMP] on the local ethernet where the client resides. Comments are preceded by "##". The first example is a normal telnet session opening between ********** (the client) and ************ (the server).

## The client sends a SYN packet. *********** is its initial sequence number.
*************** *************** ***************** S ************************ win ****
## The server answers with its initial sequence number and the SYN flag.
*************** *************** ***************** S ************************ ack ********** win ****
## The client acknowledges the SYN packet.
*************** *************** ***************** * ************************ ack ********** win ****
## Now the two end points are in the ESTABLISHED state.
## The client sends * bytes of data.
*************** *************** ***************** P ************************ ack ********** win **** *** *** *C *** *** *X *****
## The rest of the log is the graceful closing of the connection.
*************** *************** ***************** F ************************ ack ********** win ****
*************** *************** ***************** * ************************ ack ********** win ****
***************
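The sequence-number bookkeeping of the "TCP protocol" section, the acceptability window test and the two desynchronized cases, as a small Python model added here (not the paper's code). The initial sequence numbers, the window and the attacker's ATK_SEQ_0 / SVR_SEQ_0' values are constructed; the model also shows that the quiet-state invariant SVR_SEQ = CLT_ACK, CLT_SEQ = SVR_ACK is something a passive monitor of both directions can check.

```python
from dataclasses import dataclass


@dataclass
class Endpoint:
    """One side of the connection: the paper's SEQ / ACK / WIND variables."""
    name: str
    seq: int              # SVR_SEQ / CLT_SEQ: next byte this side will send
    ack: int = 0          # SVR_ACK / CLT_ACK: next byte this side expects
    wind: int = 4096      # SVR_WIND / CLT_WIND: receive window (constructed)
    state: str = "CLOSED"

    def acceptable(self, seg_seq: int) -> bool:
        """A segment is acceptable when SEG_SEQ lies in [ACK, ACK + WIND]."""
        return self.ack <= seg_seq <= self.ack + self.wind


def handshake(clt_seq_0: int, svr_seq_0: int) -> tuple:
    """Three-way handshake with no data; returns (client, server) once ESTABLISHED."""
    client = Endpoint("client", seq=clt_seq_0)
    server = Endpoint("server", seq=svr_seq_0, state="LISTEN")
    # SYN: SEG_SEQ = CLT_SEQ_0; the SYN consumes one sequence number.
    client.seq += 1
    client.state = "SYN-SENT"
    # SYN/ACK: SEG_SEQ = SVR_SEQ_0, SEG_ACK = CLT_SEQ_0 + 1; server sets SVR_ACK.
    server.ack = clt_seq_0 + 1
    server.seq += 1
    server.state = "SYN-RECEIVED"
    # ACK: SEG_SEQ = CLT_SEQ_0 + 1, SEG_ACK = SVR_SEQ_0 + 1; client sets CLT_ACK.
    client.ack = svr_seq_0 + 1
    client.state = server.state = "ESTABLISHED"
    return client, server


def synchronized(client: Endpoint, server: Endpoint) -> bool:
    """Quiet-state invariant: SVR_SEQ == CLT_ACK and CLT_SEQ == SVR_ACK."""
    return server.seq == client.ack and client.seq == server.ack


def classify_client_data(client: Endpoint, server: Endpoint) -> str:
    """Fate of a client data segment (SEG_SEQ = CLT_SEQ) arriving at the server."""
    if client.seq == server.ack:
        return "in-order"                       # synchronized: delivered to the user
    if server.ack < client.seq < server.ack + server.wind:
        return "buffered"                       # case 1: held, start of stream missing
    return "dropped"                            # case 2: outside the window, data lost


def offsets(client: Endpoint, server: Endpoint) -> tuple:
    """CLT_TO_SVR_OFFSET = SVR_ACK - CLT_SEQ, SVR_TO_CLT_OFFSET = CLT_ACK - SVR_SEQ."""
    return server.ack - client.seq, client.ack - server.seq
```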
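The "TCP Ack storm" section, as an added Python model (not the paper's code): two endpoints left in a desynchronized quiet state, the chain of unacceptable ACK-only segments that a single data segment starts, its end when one segment is lost, and a counter that exposes the storm's signature (many ACK-only segments from one host repeating the same SEQ/ACK pair) to a monitor. Sequence numbers and the loss position are constructed.

```python
from collections import namedtuple

# A TCP segment as the model sees it: sender, SEG_SEQ, SEG_ACK, payload.
Seg = namedtuple("Seg", "src seq ack data")


class Host:
    def __init__(self, name, seq, ack, wind=4096):
        self.name, self.seq, self.ack, self.wind = name, seq, ack, wind

    def acceptable(self, seg):
        return self.ack <= seg.seq <= self.ack + self.wind

    def receive(self, seg):
        """Return the ACK an unacceptable segment provokes, or None when the segment
        is acceptable (the ACK of acceptable data is acceptable at the peer and
        cannot feed the loop, so it is not modelled)."""
        if self.acceptable(seg):
            if seg.seq == self.ack:        # in-order data: consume it
                self.ack += len(seg.data)
            return None
        # Unacceptable: answer with own SEQ and the expected sequence number, no data.
        return Seg(self.name, self.seq, self.ack, b"")


def ack_storm(client, server, data, drop_at=(), max_hops=100):
    """The client sends `data`; follow the exchange hop by hop until the network
    drops a segment (hop numbers in drop_at) or the chain ends. Returns the trace
    of delivered segments."""
    trace = [Seg("client", client.seq, client.ack, data)]
    for hop in range(1, max_hops + 1):
        if hop in drop_at:
            break                          # ACK-only segments are never retransmitted
        seg = trace[-1]
        receiver = server if seg.src == "client" else client
        reply = receiver.receive(seg)
        if reply is None:
            break
        trace.append(reply)
    return trace


def ack_only_count(trace):
    return sum(1 for s in trace if not s.data)


def storm_suspected(trace, threshold=5):
    """Storm signature: more than `threshold` ACK-only segments from one host
    carrying the very same (SEG_SEQ, SEG_ACK) pair."""
    seen = {}
    for s in trace:
        if not s.data:
            key = (s.src, s.seq, s.ack)
            seen[key] = seen.get(key, 0) + 1
    return any(n > threshold for n in seen.values())
```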