Using TCP/IP against itself
TCP/IP is the collection of protocols that manages connectivity across the Internet. Because system attacks that take advantage of flaws and weaknesses in the protocol generally do not get as much attention as the likes of the "ILOVEYOU" virus, many people are unaware of the type and the severity of attacks that can be launched. In this month's column, we will look at why the TCP/IP protocol family is vulnerable to abuse and consider what, if anything, can be done to reduce the likelihood of attack.
Attacks against TCP/IP use the protocol's own capabilities to disrupt its activities -- just as you might disrupt traffic in a large city by staging a major downtown event to begin at 6:00 p.m. or by fiddling with the timing of traffic signals. The weaknesses in TCP/IP exist primarily because the protocol designers could not have anticipated the degree to which intelligent people would abuse the Internet, any more than the designers of federal and regional laws could have anticipated the many ways in which crafty lawyers would find loopholes. Laws are designed to be fair, but are not necessarily fairly applied. Protocols are engineered to be robust, resilient, and to some degree self-correcting, but are not immune to abuse. In addition, not only are the algorithms that describe how protocols work complicated, but the specifications that describe their inner workings often leave a little too much room for interpretation. As a result, some of the same mechanisms that permit the Internet to continue working under random stresses and failures also allow the protocols to be abused.
Last month's column described denial-of-service attacks. These include anything from disabling a system (e.g., by pulling the plug or corrupting a vital configuration file) to overwhelming a system with so many requests that it is unable to respond to its normal, and legitimate, workload. Denial of service defines a broad category of attacks. It includes some all too familiar attack scenarios -- like SYN flooding -- along with a lot of other types of attack (e.g., desynchronization attacks) with which even the typical system or network manager may be unfamiliar.
Denial-of-service attacks are only one variety of attacks that use the protocol against itself. Denial-of-service attacks involving TCP/IP interfere with the normal timing and sequencing of state changes (e.g., OPEN, SYN_RCVD) that occur as connections are established, used, and then closed. By stalling or hanging these connections, the attack depletes resources on the victim's system.
Other types of attacks against TCP/IP include:
- IP spoofing (falsifying an IP address to gain access to restricted systems or data)
- Connection hijacking (stealing ongoing connections)
- Source-routing and RIP attacks (redirecting connections by changing or adding routes)
- ICMP attacks (using the management protocol of TCP/IP to deny service or close legitimate connections)
- Desynchronization attacks (stealing or breaking an existing connection by pushing packet sequence numbers outside the valid range)
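Two of the mechanisms above can be made concrete from the defender's side. The following is an added example, not code from the original column: it tracks connections stuck in SYN_RCVD per server to spot a half-open pile-up of the kind a SYN flood produces, and it implements the receiver's sequence-number acceptability test (the "valid range" a desynchronization attack tries to push a peer out of), with 32-bit wraparound handled. The packet trace, addresses (documentation ranges), threshold and simplified state machine are all constructed for illustration.

```python
# Added example (not from the original column): defender-side view of two
# mechanisms the column describes: (1) counting half-open (SYN_RCVD)
# connections per server to spot a SYN flood, and (2) the receiver's
# sequence-number window check that defines the "valid range" of a segment.
from collections import defaultdict
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class Segment:
    src: str    # "ip:port" of the sender (constructed sample values below)
    dst: str    # "ip:port" of the receiver
    flags: str  # subset of "SAR": SYN, ACK, RST
    seq: int
    ack: int
    length: int = 0  # payload bytes


def seq_in_window(seq, rcv_nxt, rcv_wnd, length=0):
    """RFC 793-style acceptability test: is any byte of the segment inside
    [rcv_nxt, rcv_nxt + rcv_wnd)? Computed modulo 2**32 so wraparound works.
    A receiver drops segments that fail this test; logging such drops is one
    way to notice a peer being pushed out of sync."""
    if rcv_wnd == 0:
        return length == 0 and seq == rcv_nxt

    def inside(x):
        return (x - rcv_nxt) % MOD < rcv_wnd

    last = (seq + max(length, 1) - 1) % MOD
    return inside(seq) or inside(last)


class HalfOpenTracker:
    """Tracks handshakes where a SYN was seen but no completing ACK or RST."""

    def __init__(self):
        self.pending = {}                   # (src, dst) -> client ISN
        self.half_open = defaultdict(int)   # dst -> pending handshakes

    def _close(self, key):
        if key in self.pending:
            del self.pending[key]
            self.half_open[key[1]] -= 1

    def observe(self, seg):
        fwd, rev = (seg.src, seg.dst), (seg.dst, seg.src)
        if "S" in seg.flags and "A" not in seg.flags:
            # Client SYN: the server allocates state and enters SYN_RCVD
            if fwd not in self.pending:
                self.pending[fwd] = seg.seq
                self.half_open[seg.dst] += 1
        elif "R" in seg.flags:
            # RST from either side releases the half-open entry
            self._close(fwd)
            self._close(rev)
        elif "A" in seg.flags and fwd in self.pending:
            # Third handshake packet: ACK from the initiator with seq == ISN + 1
            if seg.seq == (self.pending[fwd] + 1) % MOD:
                self._close(fwd)


def analyze(segments, threshold):
    """Returns (half-open counts per server, servers above the threshold)."""
    tracker = HalfOpenTracker()
    for seg in segments:
        tracker.observe(seg)
    flooded = [dst for dst, n in tracker.half_open.items() if n > threshold]
    return dict(tracker.half_open), flooded


# Constructed trace using documentation address ranges (not real traffic).
SERVER = "192.0.2.10:80"
CLIENT = "198.51.100.7:40000"
TRACE = [
    Segment(CLIENT, SERVER, "S", 1000, 0),        # complete, legitimate handshake
    Segment(SERVER, CLIENT, "SA", 5000, 1001),
    Segment(CLIENT, SERVER, "A", 1001, 5001),
    Segment("198.51.100.8:40001", SERVER, "S", 7, 0),   # aborted by the client
    Segment("198.51.100.8:40001", SERVER, "R", 8, 0),
] + [
    # Seven SYNs from distinct sources that never complete: half-open pile-up
    Segment(f"203.0.113.{i}:5{i:04d}", SERVER, "S", i * 100, 0) for i in range(1, 8)
]

if __name__ == "__main__":
    counts, flooded = analyze(TRACE, threshold=5)
    print("half-open per server:", counts)
    print("possible SYN flood against:", flooded)
    print("in window:", seq_in_window(1500, 1000, 65535))
    print("in window after wrap:", seq_in_window(5, MOD - 10, 100))
```

The tracker is deliberately simple (no timeouts, no retransmission handling); a production detector would age out pending entries and also count SYNs per source, since a flood from spoofed sources looks like many distinct clients. The window check mirrors what the receiving stack does, which is why a peer whose notion of the sequence space has been shifted sees its legitimate segments silently discarded.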
IP spoofing
In IP spoofing attacks, an attacker uses a forged IP address and the victim accepts this address without