Lasse Huovinen
Jani Hursti
Department of Computer Science
Helsinki University of Technology
Lasse.Huovinen@hut.fi
Jani.Hursti@hut.fi
1. Introduction
1.1. Background
Denial of Service threats are a type of security threat that has so far received only little attention in information security. Their purpose is to slow down or crash networked computers, and they are usually very hard to prevent. Because their purpose is not the direct loss of confidential information, they have not traditionally caused much trouble for the attacked party. Now the Internet is increasingly being used for commercial purposes, and the availability of a particular service, for example an electronic store, is of crucial importance. Thus, Denial of Service attacks are becoming a real threat. For organizations that rely on their communications, the delays caused by Denial of Service cause serious harm. This is why there are increasing attempts to prevent Denial of Service attacks.
This paper discusses two Denial of Service attacks, Land (together with its modification LaTierra) and Teardrop, in detail, and gives recommendations on how to cope with them.
The objective of this paper is to give a detailed description of the two studied Denial of Service attacks so that the reader can understand the problems of Denial of Service protection. The paper also aims to give sufficient information for taking action in case of the threat of the studied Denial of Service attacks.
The scope of the paper is limited to the two Denial of Service attacks, Land and Teardrop. The reader is assumed to have a fairly good background in computer architectures, software engineering, and networking. Background information in these subject areas is not given in this paper.
The two Denial of Service attacks are studied by performing example attacks in a closed laboratory network. The results of the attacks are recorded, patches are installed, and the results are summarized in this paper. Information concerning the attacks and their prevention is sought intensively from the World Wide Web. Literature on operating systems and networking is used to assist in the process.
2. General Description of TCP/IP Stack and its Vulnerabilities
2.1. Structure of the TCP/IP Stack
The TCP/IP protocol family is based on protocol layering where the upper protocols use the services of the lower ones. The IP layer takes care of the movement of data packets across the network, while the TCP and UDP layers provide reliable transport and the sending of datagrams between ports, respectively. The TCP/IP protocol stack is shown in Figure 2-1.
Vulnerabilities in the stack can be found at every level, and also in the combinations of the functionalities of different levels. The two attacks presented in this paper use two vulnerabilities: one that is based on the addresses in the IP layer and the opening of a TCP connection (Land and LaTierra), and the other that is based on the reassembly of fragmented UDP datagrams (Teardrop).

2.2. Address Processing and IP Spoofing
As shown in Figure 2-2, every IP packet has a source and a destination address. These unique addresses identify the sender and the receiver in an IP network. Basically, nothing prevents the use of any address in the packet. A raw socket allows direct access to a protocol ([5] page 428), thus allowing a programmer to construct the IP packet manually. Changing either of the addresses is called IP spoofing. IP spoofing alone can be used to cause many kinds of harm, but in combination with other options of the TCP/IP packet it can be effectively used for a Denial of Service attack.

2.3. Fragmentation and Reassembly
Most network technologies have a maximum packet size that they can handle. This packet size is called the Maximum Transfer Unit, MTU ([4] page 186). If the underlying network cannot transport a given packet because it is too large, the packet has to be broken into smaller pieces. This is called fragmentation.
Once the packet fragments have reached their final destination, the packet is reassembled from the fragments. Both fragmentation and reassembly are done in TCP/IP by the IP layer ([4] page 186).
When the IP layer receives an IP packet, it typically does the following ([5] page 449)
There are many types of Denial of Service attacks, based on dozens of different methods. A Denial of Service attack can be based on, for example, crashing routers, which makes a network inaccessible; crashing DNS servers or stealing DNS requests, which prevents the use of domain names; congesting hosts with requests; or simply crashing the machines of the users themselves.
A Denial of Service attack can also be used in conjunction with another attack. If, for example, a secure communications channel is congested by using Denial of Service, it may force the user of that channel to move to an insecure channel, giving the attacker access to confidential information.
3.2.1. Exploited Vulnerability
Teardrop is an attack that exploits a vulnerability found in some implementations of the packet reassembly described in Chapter 2.3. When a fragment is processed, the implementations typically check whether the given fragment is too long, but they do not check whether the fragment is too short and misaligned.
Figure 3-1 shows what happens. The stack receives the first fragment and allocates memory for it. The offset of the next fragment is expected at the end of this memory area, and so is the end pointer. The stack expects the next fragment to start at that offset and calculates the end pointer to point to the end of the new fragment, meaning the size of the first fragment plus the size of the second one minus the discarded second IP header. The amount of memory needed is end - offset. But the offset in the second fragment is spoofed and points inside the first memory area. The stack tries to realign the fragment to correct this, but if the second fragment is short enough, the pointers change places: the offset pointer still points at the end of the first fragment, but the end pointer now points inside the memory area, not at its end. Now the result of the calculation end - offset is negative. As the next step in reassembly is to allocate memory for the new fragment, the memory allocation routine may fail because it is given a negative number as an argument. The failure in memory allocation causes the host to crash.

A Teardrop attack sends one or more fragmented UDP packets to a host; with the right fragment sizes and false fragment offsets, memory allocation on the destination host fails.
The function tear() in the file tear.c performs the Teardrop exploit. At first, the function checks whether the given IP addresses and ports are valid. Then it fills the IP header and the UDP header with legal values, except for the fragment values described above. Finally, the function sends the UDP datagram in two fragments to the server that is intended to be crashed. Some servers may need more than one try before the attack succeeds. A detailed description of the function can be found in the comments in the source code.
The following lists the tested operating systems and the result of the Teardrop attack:
3.3.1. Exploited Vulnerability
The Land attack uses IP spoofing in combination with the opening of a TCP connection. It sends a packet that requests to open a TCP connection, meaning the SYN flag is on in the TCP header (see Figure 3-2). This is a legal procedure. What is illegal is changing the IP addresses in the underlying IP packet. In Land, both IP addresses, source and destination, are modified to be the same: the address of the destination host.
When the destination host receives the packet, it answers the SYN request. When answering, the destination host typically constructs a packet where the ACK flag is on and swaps the destination and source addresses. Because the addresses were the same, this results in the packet being sent back to the host itself. As a result, the kernel gets into an ACK war with itself. In the TCP state machine this causes the initial problem: in the SYN_RECEIVED state the machine expects to receive an ACK message, not SYN + ACK.
But the actual problems are caused by the TCP sequence numbers. These are what cause the machine to continue sending ACK packets and thus remain in the loop. The state machine expects the sequence numbers to relate to the ACK segments that were sent, but now the sequence number is not updated by the other end. Because of this, it sends an ACK packet with the same sequence numbers to request the other end to correct them. Of course it still remains in the same SYN_RECEIVED state, receives its own "wrong sequence numbers" message and interprets this as the answer. Because the sequence numbers are still wrong, another ACK is sent. And another. And another...
The LaTierra attack works like the Land attack, except that LaTierra sends the TCP packet to more than one port and more than once. This works on some operating systems which cannot be exploited using the Land attack.

The function land() in the file land.c and the function latierra() in the file latierra.c perform the Land and LaTierra exploits, respectively. Both functions fill the IP and TCP headers as described above. A TCP pseudo-header is used to compute the TCP checksum. Finally, the functions send the constructed TCP packets to the server to be exploited. A detailed description of the functions can be found in the comments in the source code.
The following lists the tested operating systems and the result of the Land attack:
The following lists the tested operating systems and the result of the LaTierra attack:
There are many possibilities to protect oneself against Denial of Service attacks. Some ways are to fix the networking code of the OS kernel (patches), to configure the network, and to install protective devices such as firewalls. The network administrator has to take care of the network very carefully, because new exploits are invented constantly. The best ways to get information are to join the relevant mailing lists, search for information from organizations such as CERTs, purchase commercial software from companies such as ISS, read magazines, and discuss with other administrators. This chapter gives some hints on how to protect against DoS attacks. Protection against the Land, LaTierra, and Teardrop attacks is discussed in more detail.
Patches are usually pieces of code or individual files that fix the part of a program that has errors. For Windows, the only way to get rid of a bug is to use patches published by Microsoft. The situation is the same with commercial Unix operating systems: fixes are published by the company marketing the OS. For free Unixes (e.g., Linux and FreeBSD) patches are published by the person who finds and fixes a bug. Every person who is able to act as a system administrator can fix bugs herself. Patches are usually freely available on the Internet for both commercial and free operating systems.
Generally speaking, patches are released for free operating systems more often and faster than for commercial operating systems. The reason is that free operating systems can be inspected by more people than commercial systems.
The Teardrop fixes for Linux and Windows can be found on the Internet. Linux can be fixed by inserting the following piece of code into the Linux kernel file ip_fragment.c:
			frag_kfree_s(tmp, sizeof(struct ipfrag));
		}
	}

	/* This is line 579 in Linux version 2.0.30. */
	/*
	 * This should make Linux not vulnerable to the
	 * teardrop attack.
	 * Originally, the solution was written by "route|daemon9".
	 */
	if (offset > end) {
		skb->sk = NULL;
		/* All three format arguments must be passed, not only the address. */
		printk("IP: Invalid fragment from %s: offset %d > end %d\n",
		       in_ntoa(iph->saddr), offset, end);
		kfree_skb(skb, FREE_READ);
		ip_statistics.IpReasmFails++;
		ip_free(qp);
		return NULL;
	}

	/*
	 * Insert this fragment in the chain of fragments.
	 */
The inserted code checks that the fragments are of the correct size, and thus the Teardrop attack no longer works.
The following executables modify the Windows TCP/IP stack in such a way that the Teardrop attack no longer works against Windows servers (read the file README.TXT):
The Land fix for Windows is available on the Internet. The following executables make Windows non-vulnerable to the Land attack (read the file README.TXT):
An interesting point about the Windows patches is that they require the correct service pack to be installed and may include corrections for more bugs than described. For example, the Land fix also makes the system tolerant of Teardrop.
Configuring the network into protected segments is the basic way to protect against DoS. For example, all publicly available services such as DNS are placed on a separate protected segment while other machines are in other segments. The most important tool in protecting those segments is the firewall, and Chapter 4.3 is devoted entirely to firewalls.
A segment can be served by a Network Address Translation (NAT) device; NAT is often performed by a firewall. The main purpose of a dedicated NAT box is not to protect against attacks. But because a NAT box modifies the addresses of an IP packet as it passes through, it may remove the threat of a Land attack. This, of course, depends on the intelligence of the NAT box. If it has been designed to just mechanically change addresses, it may also change the spoofed source address to be the same as the destination.
Firewalls are network nodes which are able to filter IP packets. They can also be application level proxies for controlling and logging the traffic that flows through the firewall. Firewalls are usually placed between the corporate network and the Internet. Figure 4-1 shows an example of a firewall. Quite often there exists more than one parallel firewall between the corporate network and the Internet.
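To make the pointer arithmetic of Chapter 3.2.1 and the effect of the inserted check concrete, here is an added user-space model (not code from the paper or from the Linux kernel) of the reassembly bookkeeping: fragments are fed in arrival order, an overlapping fragment is realigned as the 2.0.30 code did, and the needed length end - offset is computed with and without the "offset > end" check. The struct, enum and function names are assumptions of this model, and the fragment sizes are constructed sample values in the shape the paper describes (a short second fragment whose offset points inside the first).

```c
#include <stddef.h>
#include <stdio.h>

/* One IP fragment as the reassembly code sees it: where its data starts in
 * the reassembled datagram and how many payload bytes it carries. (Model
 * type for this example, not the kernel's struct ipfrag.) */
struct frag {
    int offset;   /* fragment offset field * 8, in bytes */
    int len;      /* payload bytes after the IP header */
};

enum verdict { FRAG_OK = 0, FRAG_NEGATIVE_LEN = 1, FRAG_REJECTED = 2 };

/* Feed fragments in arrival order, remembering the end of the previous one.
 * Overlap with the previous fragment is handled as in 2.0.30: the new
 * fragment's start ('offset') is moved forward past the previous end while
 * its 'end' stays where the header put it. A short fragment can thus end
 * up with offset > end, and the needed length end - offset goes negative:
 * that is the Teardrop condition. With 'patched' set, the inserted
 * "if (offset > end)" check drops such a fragment instead. The needed
 * length (or the final datagram length on success) is stored in *needed. */
enum verdict reassemble(const struct frag *frags, size_t n, int patched,
                        int *needed)
{
    int prev_end = 0;
    for (size_t i = 0; i < n; i++) {
        int offset = frags[i].offset;
        int end = offset + frags[i].len;
        if (i > 0 && offset < prev_end)
            offset += prev_end - offset;     /* realign; 'end' is not moved */
        if (patched && offset > end) {
            *needed = end - offset;
            return FRAG_REJECTED;            /* patched kernel frees and returns */
        }
        if (end - offset < 0) {
            *needed = end - offset;          /* negative size reaches the allocator */
            return FRAG_NEGATIVE_LEN;
        }
        prev_end = end;
    }
    *needed = prev_end;
    return FRAG_OK;
}

int main(void)
{
    /* Constructed sample: a 36-byte first fragment followed by a 4-byte
     * fragment claiming offset 24, i.e. pointing inside the first one. */
    struct frag tear[2] = { { 0, 36 }, { 24, 4 } };
    int needed;
    enum verdict v = reassemble(tear, 2, 0, &needed);
    printf("unpatched: verdict %d, needed length %d\n", v, needed);
    v = reassemble(tear, 2, 1, &needed);
    printf("patched:   verdict %d (rejected)\n", v);
    return 0;
}
```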

Firewalls are quite a flexible way to protect against DoS attacks. If the firewall is able to filter suspicious incoming IP datagrams, the servers inside the corporate network are protected. A firewall saves a lot of administrative work: it is enough to configure the firewall to filter suspicious datagrams, and the servers inside the corporate network can remain vulnerable to the attacks. Naturally, firewalls do not protect servers from attacks which originate inside the corporate network.
Firewalls can protect servers from the Land and LaTierra attacks. If the firewall notices that an IP packet is coming from outside the corporate network with a source address inside the corporate network, the packet should be filtered. Against the Teardrop attack firewalls are not very effective. The only way to use firewalls to protect the corporate network against Teardrop attacks is to filter all incoming UDP datagrams.
Encryption methods can be used to authenticate packets. This prevents IP spoofing and thus Land. Packet sniffers that intercept packets coming from the network adapter before they reach the IP layer can identify false packets before they cause harm. The most radical ways include disconnecting computers from global networks or replacing the whole operating system with a more reliable one.
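The two firewall rules described above, applied to a constructed IPv4/TCP header, as an added example that is not part of the paper: the anti-spoofing rule (a packet from outside must not carry an internal source address) and the Land signature itself (a SYN whose source and destination are the same host), which also catches the attack when it is launched from inside. The packet bytes, the corporate prefix and the function names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TCP_SYN 0x02

/* Read a big-endian 32-bit field (addresses are carried in network order). */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 if the packet should be dropped, 0 if it may pass, with the
 * reason in *why. 'from_outside' is set when the packet arrived on the
 * Internet-facing interface; internal_net/internal_mask (host byte order)
 * describe the corporate network behind the firewall. */
int land_filter(const uint8_t *pkt, size_t len, int from_outside,
                uint32_t internal_net, uint32_t internal_mask, const char **why)
{
    if (len < 20 || (pkt[0] >> 4) != 4) { *why = "not IPv4"; return 1; }
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl) { *why = "bad IP header length"; return 1; }
    uint32_t src = be32(pkt + 12), dst = be32(pkt + 16);

    /* Anti-spoofing rule: a packet coming from outside must not carry a
     * source address that belongs to the corporate network. */
    if (from_outside && (src & internal_mask) == internal_net) {
        *why = "spoofed internal source from outside"; return 1;
    }
    /* Land signature: a TCP SYN whose source and destination are the same
     * host. Catches the attack also when it is launched from inside. */
    if (pkt[9] == 6 && len >= ihl + 14 && src == dst &&
        (pkt[ihl + 13] & TCP_SYN)) {
        *why = "land: source == destination with SYN"; return 1;
    }
    *why = "ok"; return 0;
}

/* Build a minimal 40-byte IPv4 + TCP SYN header as constructed test input
 * (checksums left zero; the filter does not look at them). */
size_t make_syn(uint8_t *buf, uint32_t src, uint32_t dst, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6;   /* IPv4, TTL, TCP */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    buf[20] = 0x04; buf[21] = 0xd2;                         /* source port 1234 */
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 0x50;                                         /* data offset 5 */
    buf[33] = TCP_SYN;
    return 40;
}
```

The sample addresses used when exercising it (192.0.2.0/24 as the corporate network, 198.51.100.5 as an outside host) are documentation ranges, chosen here only as placeholders.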
4.4. Tracking and Catching an Attacker
As both of the described attacks use specially crafted packets, it may prove very hard to find out who did it, as the address information has been tampered with. The very nature of Land requires changing the source address, and no attacker will put his own address into a Teardrop packet.
Once the attacks have started, they are hard to observe (though detecting the consequences is easy). Teardrop causes the machine to crash, so the machine itself cannot be used for monitoring. Typically, the operating system does not crash in Land, but as the kernel goes into an internal loop, this is also hard to monitor.
In hunting the attacker, network segmentation and traffic analysis help. If a firewall prevents attacks from coming from certain directions, especially public networks, the attacker can be tracked to those segments from which the attack is possible. After this, one needs to examine the machines on these segments. As both attacks require root rights on those machines if they are Unix, the hunter can trace who has the right to use them and with which privileges. This may reveal the attacker. Probably something can also be done by luring the attacker to certain machines with traps. This is done by ensuring that the possibility to attack exists, but is restricted to a small domain of machines.
Denial of Service is a security threat that has recently gained much public attention. Typically the attacks use bugs found in common operating systems and cause the machines to slow down their operation or crash. This paper has described two attack types, Land and Teardrop, that use vulnerabilities in the opening of a TCP connection and in IP packet reassembly, respectively. Both can be protected against mainly with patches and firewall configurations.
Appendix A: Description of the exploit code
This appendix lists the program files, gives a very general description of the program and introduces the program options. A detailed description of the program can be found in the comments in the program source code.
The list of the program files:
The main() function in the file crash.c just parses the arguments given to the program and then calls the appropriate function to perform the actual attack. The functions land(), latierra() and tear() perform the Land, LaTierra and Teardrop attacks, respectively, as described in Chapter 3.
The program includes two test functions: normpack() and synflood(). The function normpack() just sends a TCP packet (no SYN flag set) to a selected server as many times as wanted. The function synflood() sends a TCP packet with the SYN flag set to a selected server as many times as wanted. The purpose of these functions is to demonstrate that the Land and LaTierra attacks are really effective.
The program is compiled and tested only on the Linux Red Hat 4.2 operating system. Notice that superuser privileges are needed when running this program (because of "raw sockets").
The program usage is the following:
    ./crash attack_type obligatory_parameters optional_parameters

    -t     Teardrop attack:
           obligatory parameters (order is important):
               source IP address
               destination IP address
           optional parameters:
               -s  source TCP port (default: random)
               -d  destination TCP port (default: random)
               -n  number of tries (default: 1)

    -l     Land attack:
           obligatory parameters:
               destination IP address
           optional parameters:
               destination TCP port (default: all ports between 1 and 1000)

    -lt    LaTierra attack:
           obligatory parameters:
               destination IP address
           optional parameters:
               -b  first port (default: 1)
               -e  last port (default: first port)
               -n  number of loops (default: 1)

    -syn   SYN packet flooding:
           obligatory parameters:
               destination IP address
           optional parameters:
               number of tries (default: 1)

    -norm  Ordinary IP packet flooding:
           obligatory parameters:
               destination IP address
           optional parameters:
               number of tries (default: 1)