Introduction

This section examines the protocols at the lower levels of the TCP/IP stack, focusing on their vulnerabilities and security issues. The focus is on IP, ARP and TCP.

2.1 Basic Protocols

2.1.1 IP Protocol (Internet Protocol)

• Main function: A packet multiplexer that adds an IP header to messages of higher-level protocols
• Features:
• Unreliable datagram service (no guarantees of delivery, order, uniqueness)
• Header checksum does not protect data
  • Lack of authentication of the source address (IP spoofing is possible)

Example of IP spoofing in C:

// Example of creating a RAW socket with IP address substitution
int sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
char packet[4096];
// Filling in the IP header with a fake source IP
struct iphdr *ip = (struct iphdr *)packet;
ip->saddr = inet_addr("192.168.1.100"); // Spoofed
ip address->daddr = inet_addr("10.0.0.1");
// ... the remaining fields
of the sendto header(sock, packet, ip->tot_len, 0, (struct sockaddr *)&dest, sizeof(dest));

• Fragmentation:
  • Packets can fragment when the MTU is exceeded

• Security issues: bypassing filters, overlapping fragments with different contents

• IP addresses (IPv4):

• 32-bit, divided into network and host parts (CIDR)

• Broadcast addresses (all 0 or 1 in the host part)

• Directed broadcast traffic can be used for attacks

2.1.2 ARP (Address Resolution Protocol)

• Purpose: Converting IP addresses to MAC addresses for Ethernet
• Operating mechanism: Broadcast requests and responses with caching of results
• Vulnerabilities:
  • ARP spoofing: spoofing ARP responses to redirect traffic
  • Lack of authentication in the protocol

Example of ARP spoofing:

// Example of sending a fake ARP response
struct arp_packet {
    uint16_t htype; // Hardware type
    uint16_t ptype; // Protocol type
// ... other fields of the ARP header
    u_char sha[6]; // Sender's MAC (forged)
u_char spa[4]; // Sender's IP (forged)
u_char tha[6]; // Target's MAC
    u_char tpa[4]; // IP of the target
};

struct arp_packet pkt;
// Filling with fake
memcpy data(pkt.sha, attacker_mac, 6);
memcpy(pkt.spa, victim_ip, 4);
// ...
send_packet(&pkt);

2.1.3 TCP (Transmission Control Protocol)

• Main function: Providing a reliable duplex connection over an unreliable IP
• Mechanisms:
• Sequential numbers for ordering and confirmation
  • Overload control and retransmission

Establishing a connection (Three-way handshake)

1. Client → Server: SYN (ISNc)
2. Server → Client: SYN-ACK (iSNS, ACK(ISNc+1))
3. Client → Server: ACK(iSNS+1)

Example in C:

// Simplified example of TCP handshake
int sock = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in serv_addr;
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(80);
inet_pton(AF_INET, "192.168.1.1", &serv_addr.sin_addr);

// SYN
connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
// The kernel completes the handshake automatically

TCP vulnerabilities:

1. SYN flood: Sending multiple SYNs without completing the handshake

   • Filling the queue of half-open connections
   • Solution: SYN cookies

2. The ISN predictability attack:

3. If the initial sequence number (ISN) is predictable, spoofing is possible

   • Solution: Cryptographically strong ISN generation (RFC 1948)

Visualization of ISN:

• Good implementation: diffuse point cloud (FreeBSD 4.6)
• Poor implementations: clear patterns (Windows NT 4.0, IRIX 6.5)

1. Privileged ports (1-1024):
2. On UNIX, only root can open
3. Unreliable authentication scheme, as it is not universal

Closing the connection

• An asymmetric process (each side closes independently)
• FIN packages for initiating closure

Safety conclusions

1. IP layer:

   • There is no source authentication
   • Possible spoofing and fragmentation attacks

2. ARP:

3. Vulnerable to spoofing

   • Solutions: Static ARP, ARP inspection

4. TCP:

5. Vulnerable to spoofing with predictable ISN

6. SYN-flooding can cause DoS

   • Privileged ports are an unreliable authentication mechanism

Recommendations:

• Use cryptographic authentication methods (do not rely on IP/TCP mechanisms)
• Configure filtering of directed broadcast traffic
• Implement protection against SYN flood
• Ensure correct ISN generation (RFC 1948)