Norman logo

Attacks against weaknesses in the TCP/IP protocol

About Smurfs and other vermin

Introduction

Lately we have seen a new phenomenon in the digital underground. That is, the phenomenon in itself is not new, but since it has become very easy to get one's hands on the tools needed to do the bad deed, we have seen more instances of it. The phenomenon is known by different names, e.g. Smurf, Land, Bonk etc. The intent is the same however: to halt computers and thus disable their intended use.

This paper attempts to explain these attacks and show how one of the problems that plague those who work with computers is really set up.

Data availability

Data security is commonly split into three parts: integrity, confidentiality and availability. If someone who is not authorized to do so manages to change your data, its integrity is compromised: you can no longer trust that your valuable information is true.

Your information's confidentiality is compromised if a person is able to get into your computer(s). He/she may then get to know information not intended to be available to that person, and may even distribute it.

The latter category, availability, is the one the attacks discussed in this paper belong to. Data availability is of course important in running a business, and huge losses may occur if important information is no longer available as a result of an attack against the computers. Such attacks are often called "Denial-of-Service" (DoS) attacks.

About the TCP/IP protocol

The attacks discussed in this paper all exploit weaknesses in the implementation of the TCP/IP protocol to make the attacked computer stop working as intended. To understand the attacks one needs a basic knowledge of how this protocol is intended to function.

TCP/IP is short for Transmission Control Protocol/Internet Protocol and is one of several network protocols developed by the United States Department of Defense (DoD) at the end of the 1970s. The reason such a protocol was designed was the need to build a network of computers able to connect to other networks of the same kind (routing). This network was named ARPANET (Advanced Research Project Agency Internetwork), and is the younger sister to what we call the Internet these days.

TCP/IP is used to transfer data through networks. Actually, TCP/IP consists of several protocols. The most important are:

  • IP Internet Protocol
    This protocol mainly takes care of specifying where to send the data. An IP packet carries sender and receiver information.
  • TCP Transmission Control Protocol
    This protocol handles the reliable delivery of data to the address specified in the IP header. This is where the data to be sent through the network is carried.
  • UDP User Datagram Protocol
    UDP may be used as an alternative to TCP. The difference is that UDP does not guarantee that the data reaches the receiver. On the other hand this protocol has less overhead than TCP, so data transmission is faster.
  • ICMP Internet Control Message Protocol
    This protocol is used to send messages about the state of the network itself. One well-known use of ICMP is the Ping program, which is often used to test whether other computers are "alive".

Communication through a network using TCP/IP or UDP/IP will typically involve a lot of TCP/IP packets or datagrams. Each packet has a sending and a receiving address, some data and some additional information. The address information is in the IP part of the packet; the rest is in the TCP or UDP part. ICMP has no separate IP part - all information is in the ICMP packet.

In addition to the recipient's address, all TCP/IP communication uses a port number that it connects to. The port number determines the kind of service the sender wants from the receiver. Some well-known port numbers are:

  • 21 - FTP (File Transfer Protocol)
  • 23 - Telnet
  • 25 - SMTP (Simple Mail Transfer Protocol)
  • 80 - HTTP (HyperText Transfer Protocol)

If one computer intends to transfer a file to another, the communication is typically directed to port number 21 on the receiving computer. This is the FTP port.

All defined port numbers are listed in a file called Services on a computer that supports TCP/IP.

The details of the protocols are not discussed in this paper. A lot of information is available on the Internet for those who want more thorough information.

About the attacks

The attacks described in this document are only some of all those available on the Internet. Their common denominator is that they all exploit weaknesses or erroneous implementations of the TCP/IP protocol, or weaknesses in the specification of TCP/IP itself.

Anyone interested in more detail can look up the web site www.rootshell.com, which describes the various attacks. This site also has links to downloadable programs for protection against the attacks.

All the attacks described below work against a Windows for Workgroups, Windows 95 or Windows NT computer. They may also work against other operating systems. Once again, refer to www.rootshell.com for a complete list of which attacks work on which operating systems.

WinNuke

The first kind of attack mentioned is the well-known WinNuke (or just nuke). Nuking has been a popular activity, perhaps particularly in schools. This kind of attack is mainly aimed at computers running the Windows 95, Windows NT and Windows for Workgroups 3.1x operating systems. The outcome of the attack is usually that the computer halts and has to be restarted.

The reason the computer halts is that Microsoft did not handle a special status flag in the TCP protocol correctly: the URG (urgent) flag. If this flag is set on a packet sent to a computer running one of the mentioned Microsoft operating systems, the computer will wait for a stream of so-called Out-of-Band (OOB) traffic from the sending computer. This kind of traffic has higher priority than ordinary network traffic. The problem arises when such messages are never sent; the computer then hangs. This appears to be the result of a bad implementation of Microsoft's TCP/IP stack, as the situation is not handled satisfactorily.

This attack is very easy to carry out (the packet is actually legitimate network traffic); it has even been implemented as a single line of code in the programming language Perl. The attack is normally directed against port 139 (NetBIOS Session Service) on the computer.

Fortunately it is easy to protect a computer against this kind of attack. Microsoft has released patches that can be downloaded from Microsoft's web site. Once these patches are installed you are protected against this kind of attack.

TearDrop

This attack exploits another weakness in the implementation of the TCP/IP protocol. The outcome of the attack may vary, but normally the computer halts and has to be restarted. The vulnerable operating systems are mostly Microsoft Windows 95, Microsoft Windows NT and Linux (a free UNIX-like OS).

The reason this attack succeeds is an implementation error in the part of the TCP/IP stack that is supposed to take care of fragmented packets. Packet fragmentation occurs when the TCP/IP packets to be transmitted are larger than the size permitted on the network. If so, the packets are split into smaller packets, each carrying part of the original packet. When the smaller packets arrive at the recipient's computer they are supposed to be put back together; this is where the error occurs, resulting in the computer hanging.

Technically the attack is conducted by sending a special combination of two UDP/IP packets. The first has offset 0, the MF (More Fragments) flag set to 1, and size N. The second has an offset less than N, the MF flag set to 0, and a size less than N. (The second packet overlaps the first while being smaller.) The erroneous TCP/IP implementation sees the start of the second packet as lying "before" the end of the first, and the computer halts.

NewTear

This attack is closely related to TearDrop. The differences are the padding size of the packet (20 bytes, whereas TearDrop uses 28 bytes) and manipulation of the UDP size. This attack works against computers running Windows 95 and Windows NT even if the TearDrop patch is installed, which may indicate that Microsoft did not take variations of the attack into account when the patch was written.

Bonk/Boink

Another variant of the TearDrop attack. The offset of the second fragment is set to be larger than the length of the IP header. As with the other attacks, the computer halts. It is not known why this attack succeeds.

Bonk attacks port 55 on the computer. Boink is a variant of Bonk; the difference is that the latter allows attacks on ports other than 55.

Land

Here the attack is carried out by sending a TCP/IP packet with the SYN flag set (i.e. a request to open a connection) to any port on the target computer. The packet is modified so that the sending and receiving addresses are identical (spoofing). Some TCP/IP implementations do not handle this situation correctly, and the computer halts. This attack is mostly directed against port 139 on computers running Microsoft operating systems.

Ssping

A variant of the so-called "Ping of Death" attack. A person sends an ICMP packet (ECHO_REQUEST) of abnormal size to the target computer. The maximum size of TCP/IP datagrams is 65536 octets (1 octet = 8 data bits). It is however possible to send datagrams larger than the defined maximum size. When the target computer receives such datagrams it may halt. Once more the reason is the implementation of the part of the TCP/IP stack that is supposed to handle fragmented packets. A simple test to see if you are vulnerable (no guarantee though) is to ping your own computer with the command ping -l 65510 your_ip_address. If the computer halts you are vulnerable to this kind of attack.
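The two fragment errors described above (TearDrop/NewTear/Bonk overlap, and the oversized Ssping datagram) can both be caught by the same sanity checks before any data is copied. The following is an added example, not part of the original paper: `Fragment`, `naive_trim`, `check_fragments` and `split_payload` are names chosen here, the fragment sets are constructed, and the size limit used is the 65535 octets that the 16-bit IP total-length field can express.

```python
from dataclasses import dataclass

# The 16-bit IP total-length field cannot exceed 65535 octets; with a minimal
# 20-octet IP header that leaves 65515 octets of fragmentable payload.
MAX_PAYLOAD = 65535 - 20


@dataclass
class Fragment:
    offset: int   # Fragment Offset field (units of 8 octets)
    length: int   # payload octets carried by this fragment
    more: bool    # MF (More Fragments) flag

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + self.length


def naive_trim(prev: Fragment, cur: Fragment) -> int:
    """What a careless reassembler computes when cur overlaps prev: drop the overlap
    from the front of cur. When cur ends inside prev (TearDrop) this goes negative."""
    return cur.length - (prev.end - cur.start)


def check_fragments(frags: list) -> list:
    """Problems found in a fragment set; an empty list means it looks sane."""
    problems = []
    ordered = sorted(frags, key=lambda f: f.start)
    for f in ordered:
        if f.end > MAX_PAYLOAD:   # Ping-of-Death shape: too large to reassemble
            problems.append(f"oversize: fragment ends at {f.end} > {MAX_PAYLOAD}")
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.start < prev.end:  # overlapping data is never legitimate
            kind = "teardrop" if cur.end <= prev.end else "overlap"
            problems.append(f"{kind}: [{cur.start},{cur.end}) vs [{prev.start},{prev.end})")
        if not prev.more:
            problems.append(f"MF clear on non-final fragment at offset {prev.start}")
    return problems


def split_payload(total: int, mtu: int = 1500) -> list:
    """Fragment `total` payload octets the way a router with this MTU would."""
    per = (mtu - 20) // 8 * 8           # payload per fragment, multiple of 8
    frags, off = [], 0
    while off < total:
        length = min(per, total - off)
        frags.append(Fragment(off // 8, length, off + length < total))
        off += length
    return frags
```

Feeding `split_payload(65518)` (the 65510-octet ping payload plus its 8-octet ICMP header) to `check_fragments` reports the oversize final fragment, while a normal 4000-octet datagram passes clean.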

SYN Flooding

This is a family of Denial-of-Service attacks that all use variations of the same technique. Simply stated, the attack is carried out by sending a stream of packets requesting a connection (SYN flag set) to a target computer. Each time the target computer receives such a request, resources are allocated, but no connection is ever set up. When a lot of such requests are received the target computer cannot allocate more resources to network traffic, and the result may be that the computer halts.

Smurf

Cartoon smurfs are cute creatures that do not harm anyone. Smurfs in the computer security context are another matter altogether. Smurfing is a different kind of attack from those discussed so far in this paper, and may be considered more dangerous than the others.

The Smurf attack is not intended to halt a single computer but a whole network of computers. This is accomplished by sending a continuous stream of modified ICMP packets to the target network.

The packets are modified so that the sending address is identical to one of the target computers' addresses (spoofing). In addition, the packets are sent to a so-called broadcast address, which results in the modified packets reaching all the computers in the network. The computers in the target network respond by sending an ICMP ECHO_RESPONSE message to the computer they assume the message originated from: the target computer in the network. If the attacker has a fast Internet connection, one does not have to be a great mathematician to see that the amount of data generated by this attack may halt the attacked network. The network will be hung until the attacker stops or the incoming ICMP traffic is blocked.

This kind of attack has been used to halt several Internet Service Providers (ISPs) and all of their customers. It is difficult to protect oneself effectively against this kind of attack.
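Land, SYN flooding and Smurf all show up in the IP and TCP headers alone, so a border filter can tag them without looking at payload. The code below is an added example, not from the paper or from Norman: `Packet`, `classify`, `syn_flood_targets` and the 192.0.2.0/24 prefix are constructed for illustration, and the records stand in for what a filter would parse from packets arriving on its outside interface.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")  # constructed: the network being defended
ECHO_REQUEST = 8                         # ICMP type of a ping request


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    flags: str = ""       # TCP flags as letters: "S" = SYN, "SA" = SYN+ACK
    icmp_type: int = -1


def classify(p: Packet) -> list:
    """Tags for one packet seen arriving on the outside interface."""
    tags = []
    src, dst = ip_address(p.src), ip_address(p.dst)
    if src in LOCAL_NET:
        # Our own prefix is never a legitimate source on the outside interface;
        # this single ingress rule stops both Land and the Smurf spoofing.
        tags.append("spoofed-source")
    if p.proto == "tcp" and "S" in p.flags and src == dst:
        tags.append("land")
    if (p.proto == "icmp" and p.icmp_type == ECHO_REQUEST
            and dst == LOCAL_NET.broadcast_address):
        tags.append("smurf-amplifier")  # directed-broadcast ping: drop it
    return tags


def syn_flood_targets(packets: list, threshold: int) -> dict:
    """Bare SYNs per (dst, port) in the batch; only those above threshold."""
    syns = Counter((p.dst, p.dport) for p in packets
                   if p.proto == "tcp" and p.flags == "S")
    return {k: n for k, n in syns.items() if n > threshold}
```

The threshold in `syn_flood_targets` is per batch of packets; in practice it is applied per time window, with SYN+ACK and RST counts subtracted to track half-open connections.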

In conclusion

As mentioned before, the attacks discussed in this paper are only some of all those that exist. The tendency is clear though: the number of different attacks is increasing. The reason is probably mainly that TCP/IP has become very popular, and a lot of people are familiar with this protocol's strengths and weaknesses. This will probably result in many more Denial-of-Service attacks against companies and other organizations in the future. Some of these attacks may be severe for those involved.

What should cause most concern when analyzing this situation is the fact that it is extremely easy to get hold of the tools necessary to carry out the attacks. Binary versions as well as source code are available to everyone on the Internet. This cannot be reversed.

What is important, however, is that those responsible for data security are constantly aware of the situation. Then security-aware organizations can stay ahead and protect their computers and networks against possible attackers.

 