Internet Security Professional Reference: SATAN and the Internet


If the intermediate systems between the hacker and the target system permit source routing, fake IP addresses are even easier to implement. The intruder can specify the route in the options field of the IP packet.

inetd, tcp-wrapper, and xinetd all approve access for services by examining the IP address of the incoming request and comparing it to an access list. The secure portmap and rpcbind programs also defer authorization to IP addresses. The rpc.mountd program uses the IP address to control access to file handles if an exported file system specifies a limited access list.

The list of network services that rely on the IP address for some form of authorization is long. Combine that list with the fact that IP spoofing is possible, and the number of resulting network vulnerabilities is large.


Note: For a more detailed look at IP spoofing, see Chapter 5, “IP Spoofing and Sniffing.”

Protection

Some sort of encrypted authentication scheme would provide the best form of protection to this vulnerability. However, this is not possible within the framework of the IP level.

For the router TCP connection attack, the only protection against an unauthorized new TCP connection, as described earlier, is randomization of the initial sequence numbers used by successive TCP connections. This prevents the hacker from guessing the sequence number carried in the SYN ACK packet and responding with the matching ACK. It does not completely eliminate the possibility that the hacker could guess the sequence number, because the value has only a 32-bit range; however, it makes the guess much more difficult.

A paper by Bellovin (Bellovin, 1993) discusses the exact details of the randomization schemes. Randomization does not provide protection against hijacked connections: an intruder who is able to monitor a connection can insert packets into it. Imagine that a user connects to the notreal.com system with telnet. Even if telnet used some form of encrypted authentication such as Kerberos, if the data connection itself is not encrypted, the intruder could insert packets into the data stream and effectively take control of the user’s keyboard. Only packet-level authentication can avoid this problem.
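The following is an added illustration of the sequence-number randomization discussed above; it is not code from the book or from any vendor kernel. It models the older fixed-increment generator beside a generator of the shape Bellovin proposed (clock plus a keyed hash of the connection tuple and a secret), and then runs the guessing scenario from the text against both: an observer who can see the initial sequence numbers handed to its own connections tries to predict the one the server will assign to a connection that appears to come from a trusted host. The addresses and ports are constructed, and HMAC-SHA256 stands in for the hash in Bellovin's scheme (an assumption, made for convenience).

```python
import hashlib
import hmac
import secrets
import time

MASK32 = 0xFFFFFFFF


class CounterISN:
    """Model of the older scheme: one global counter advanced by a fixed
    amount per connection (constructed to show the weakness)."""

    def __init__(self, start=0, step=64000):
        self.counter = start
        self.step = step

    def next_isn(self, src, sport, dst, dport):
        self.counter = (self.counter + self.step) & MASK32
        return self.counter


class HashedISN:
    """Bellovin-style generator: ISN = M + F(src, sport, dst, dport, secret),
    where M is a 4-microsecond clock and F is a keyed hash.  HMAC-SHA256 is
    used for F here (assumption; the original proposal used MD5)."""

    def __init__(self, secret=None, clock=None):
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        # Default clock: 250,000 ticks per second, i.e. one tick per 4 microseconds.
        self.clock = clock if clock is not None else (
            lambda: int(time.monotonic() * 250_000) & MASK32)

    def next_isn(self, src, sport, dst, dport):
        tuple_bytes = f"{src}:{sport}>{dst}:{dport}".encode()
        digest = hmac.new(self.secret, tuple_bytes, hashlib.sha256).digest()
        offset = int.from_bytes(digest[:4], "big")
        return (self.clock() + offset) & MASK32


def spoof_prediction_rate(gen, trials=50):
    """Defender's check.  An observer sees the ISNs of two connections from its
    own address, extrapolates the increment, and predicts the ISN the server
    will hand to a connection that claims to come from a trusted host.
    Returns the fraction of trials in which the prediction was exact."""
    observer = "10.0.0.9"          # constructed: address the observer controls
    trusted = ("10.0.0.5", 1023)   # constructed: trusted host, privileged port
    server = ("10.0.0.1", 513)     # constructed: server, rlogin port
    hits = 0
    for i in range(trials):
        first = gen.next_isn(observer, 40000 + 2 * i, *server)
        second = gen.next_isn(observer, 40001 + 2 * i, *server)
        step = (second - first) & MASK32
        predicted = (second + step) & MASK32
        actual = gen.next_isn(trusted[0], trusted[1], *server)
        if actual == predicted:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("fixed-increment ISN, prediction rate:", spoof_prediction_rate(CounterISN()))
    print("hashed ISN, prediction rate:", spoof_prediction_rate(HashedISN()))
```

The fixed-increment generator is predicted every time; the hashed generator is not, because the per-tuple offset depends on a secret the observer never sees, even though the clock component is public. Note that the same tuple deliberately yields the same offset, so the generator still advances monotonically for a repeated connection, which is what keeps old segments from being accepted on a new instance of the same connection.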

The other solution is higher-layer authentication, using some sort of security environment such as Kerberos, SSL, or ssh. These protocols do not rely on the IP address for source authentication.

The ftpd server bounce problem is fixed by vendor patches or by installing the latest wu-ftpd program. Any Unix kernel can be modified to reject source-routed packets. The kernel can also be modified so that it does not automatically forward IP packets that arrive at a network interface but are destined for other systems; such packets are effectively trying to use the system as a router.
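On a modern Linux kernel the two changes just described are runtime settings rather than kernel patches, and an administrator can audit them. The script below is an added example, not from the book, that reads the relevant sysctl values from /proc/sys and compares them with a host policy. The key names are real Linux sysctls; the policy values are an assumption suitable for an end host, not a router. The reverse-path filter entry goes beyond the text: it discards packets whose source address could not have arrived on the interface they came in on, which is a direct counter to spoofed sources.

```python
from pathlib import Path

# Hardened values for an end host (policy choice, assumption).  Key names are
# genuine Linux sysctl names; a router would keep ip_forward at "1".
HOST_POLICY = {
    "net.ipv4.conf.all.accept_source_route": "0",      # reject source-routed packets
    "net.ipv4.conf.default.accept_source_route": "0",  # ...also on new interfaces
    "net.ipv4.ip_forward": "0",                        # do not act as a router
    "net.ipv4.conf.all.rp_filter": "1",                # reverse-path filtering
}


def read_sysctls(keys, root=Path("/proc/sys")):
    """Read current values from /proc/sys.  A key that cannot be read (not a
    Linux system, or the key is absent) maps to None rather than raising."""
    values = {}
    for key in keys:
        try:
            values[key] = (root / key.replace(".", "/")).read_text().strip()
        except OSError:
            values[key] = None
    return values


def audit(values, policy=HOST_POLICY):
    """Return one finding per key that is unreadable or differs from policy.
    An empty list means the host matches the policy."""
    findings = []
    for key, want in policy.items():
        got = values.get(key)
        if got is None:
            findings.append(f"{key}: not readable")
        elif got != want:
            findings.append(f"{key}={got} (expected {want})")
    return findings


# Constructed sample: a host that accepts source routes and forwards packets.
SAMPLE_DEFAULT = {
    "net.ipv4.conf.all.accept_source_route": "1",
    "net.ipv4.conf.default.accept_source_route": "1",
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.rp_filter": "0",
}
SAMPLE_HARDENED = dict(HOST_POLICY)


if __name__ == "__main__":
    for line in audit(read_sysctls(HOST_POLICY)) or ["host matches policy"]:
        print(line)
```

Run as root or not, the script only reads; applying the values is a separate, deliberate step with sysctl so that a router is not accidentally turned into a host.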

Another IP problem exists with regard to fragmented packets whose fragmentation boundaries lie within TCP packet headers. RFC 1858 addresses ways to deal with vulnerabilities that relate to this problem.

A Long-Term Solution

The newest standard for IP, version 6, includes support for packet-level authentication. Unfortunately, the Internet has yet to offer the infrastructure to support version 6 applications. Broad support from router manufacturers and Unix kernel vendors is required before applications using v6 will become available and popular.

Examining Structural Internet Problems

Unfortunately, some Internet vulnerabilities are quite difficult to fix: they involve a fundamental change in the way the Internet operates, requiring modifications that could break the functionality Internet applications expect.

DNS Cache Corruption

The problems with DNS are inherent in the design of a distributed database: by delegating responsibility to remote sites, the integrity of the information on those remote sites is uncertain. Added to this problem is the need for caching to improve the performance of the distributed database.

As indicated in previous sections, the cache of a name server can be corrupted to include erroneous resource records, such as fake PTR entries. Such cache corruption can be used to attack rlogind and rshd/remshd. SATAN scans for remote shell services, and DNS cache corruption is one of the primary ways of exploiting them.

The cache corruption can take place by adding extra resource records to replies destined for a name server. A paper by C. Schuba and E. Spafford (Schuba & Spafford, 1993) shows how a hacker can cause the name server to issue a query whose reply can carry the additional resource records. The paper calls this the “Me Too” attack. Another paper by Bellovin (Bellovin, 1993) also addresses this topic. If SATAN were to implement the fourth level of scan, “All Out,” it is highly likely that a DNS cache corruption attack would be included.
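The extra-record mechanism just described is easiest to see on a small model of a resolver cache. The example below is added here and is not from the book or from any name server implementation. It shows a reply from a server for a zone the hacker controls that carries, in its additional section, a PTR record for an address outside that zone (the fake PTR entry the text refers to) together with a forward record to match it. A cache that stores everything it is sent will later answer the reverse lookup rlogind or rshd performs with the forged name; a cache that keeps only records whose owner name lies within the answering server's zone (the "bailiwick" rule later resolvers adopted, which the text does not name) drops both forgeries. The names, the zone, and the 192.0.2.x addresses are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    """One DNS resource record, reduced to the fields the check needs."""
    name: str
    rtype: str
    data: str


def _canon(name):
    return name.lower().rstrip(".")


def in_bailiwick(name, zone):
    """True if `name` is at or below `zone`, the zone the answering server serves."""
    name, zone = _canon(name), _canon(zone)
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self, check_bailiwick=True):
        self.check_bailiwick = check_bailiwick
        self.records = {}   # (owner name, type) -> set of rdata strings

    def accept_reply(self, answering_zone, answer, additional):
        """Store the records of one reply.  With the check enabled, a record whose
        owner name lies outside the answering server's zone is rejected instead
        of cached.  Returns (accepted, rejected)."""
        accepted, rejected = [], []
        for rr in answer + additional:
            if self.check_bailiwick and not in_bailiwick(rr.name, answering_zone):
                rejected.append(rr)
                continue
            key = (_canon(rr.name), rr.rtype.upper())
            self.records.setdefault(key, set()).add(rr.data)
            accepted.append(rr)
        return accepted, rejected

    def lookup(self, name, rtype):
        return self.records.get((_canon(name), rtype.upper()), set())


def forged_reply():
    """Constructed reply from the server for attacker.example to a query for
    www.attacker.example.  The additional section smuggles a PTR for the
    hacker's own address that names a trusted host, plus a matching A record."""
    answer = [RR("www.attacker.example.", "A", "192.0.2.7")]
    additional = [
        RR("7.2.0.192.in-addr.arpa.", "PTR", "trusted.victim.example."),
        RR("trusted.victim.example.", "A", "192.0.2.7"),
    ]
    return answer, additional


def reverse_lookup_after_reply(check_bailiwick):
    """What a later reverse lookup of 192.0.2.7 (as rshd would do) returns,
    and how many records of the forged reply were rejected."""
    cache = ResolverCache(check_bailiwick)
    answer, additional = forged_reply()
    _, rejected = cache.accept_reply("attacker.example", answer, additional)
    return sorted(cache.lookup("7.2.0.192.in-addr.arpa", "PTR")), len(rejected)


if __name__ == "__main__":
    print("no check:", reverse_lookup_after_reply(False))
    print("bailiwick check:", reverse_lookup_after_reply(True))
```

Without the check the reverse lookup yields trusted.victim.example, and the forged A record even lets a forward-confirmation of that name succeed. The check does not help when the hacker legitimately controls the reverse zone for his own address, which is why IP-based trust remains weak even with a well-behaved cache.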

The protection against this attack would be to turn off caching on name servers. However, the resulting performance drop in the DNS infrastructure would virtually eliminate its usefulness, a major setback to the performance and usefulness of the Internet.

The proper approach to solving this problem is to use some sort of cryptographic authentication, although this too would create a performance drop.

Sniffers

A packet sniffer is a program that runs on a system and captures every network packet that travels past the network interface, even packets that are neither destined for nor originated by that system.

Packet sniffers can easily be installed on most Unix systems to watch traffic crossing the network interface. Recent sniffer attacks on the Internet have resulted in the disclosure of hundreds of thousands of passwords, because many network protocols transmit the passwords in clear text.

Weak Encryption

Although SATAN does not specifically investigate this problem, SATAN does search for the presence of https (tcp/443), which is http carried over SSL. Once the presence of this application is known, packet sniffing can record packets destined for this port. These packets typically contain important financial information (credit card numbers) and may be weakly encrypted. SATAN is useful for a hacker whose goal is to locate active https ports on the Internet.

The assumption that the strength of a cryptographic algorithm is directly related to the key size is not always accurate. All cryptographic schemes use some sort of session key that is generated from a random number seed. No computer algorithm can easily generate a truly random number. If the seed is predictable, the effective bit size of the session key decreases, regardless of its nominal length.
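The effect can be measured rather than asserted. The example below is added here and is not from the book or from any SSL implementation. It models a client that seeds a pseudo-random generator and draws a 128-bit session key from it, then enumerates every seed an attacker would have to consider under two constructed seeding habits (the clock in whole seconds within a known one-hour window, and the process id on a system with 15-bit pids) and reports the logarithm of the number of distinct keys that result. That number, not 128, is the effective key size. The key derivation and the seed models are assumptions chosen to make the effect visible.

```python
import math
import random
import secrets

KEY_BITS = 128


def session_key_from_seed(seed):
    """Constructed model of a client that seeds its PRNG from `seed` and then
    draws a 128-bit session key from it."""
    return random.Random(seed).getrandbits(KEY_BITS)


def effective_key_bits(seed_space):
    """Enumerate every seed an attacker would have to consider, derive the key
    each one yields, and return log2 of the number of distinct keys: the real
    work factor, whatever the nominal key length."""
    keys = {session_key_from_seed(s) for s in seed_space}
    return math.log2(len(keys))


def seeds_from_clock(epoch_start, window_seconds):
    """Seed = time() in whole seconds.  An observer who knows the connection was
    made within `window_seconds` of `epoch_start` has exactly this many
    candidates (constructed seeding habit)."""
    return range(epoch_start, epoch_start + window_seconds)


def seeds_from_pid():
    """Seed = process id on a system with 15-bit pids (constructed habit)."""
    return range(1, 1 << 15)


def strong_session_key():
    """The fix: draw the key from the operating system's entropy source instead
    of from a PRNG seeded with a guessable value."""
    return secrets.randbits(KEY_BITS)


if __name__ == "__main__":
    print(f"nominal key size: {KEY_BITS} bits")
    hour = seeds_from_clock(800_000_000, 3600)   # constructed epoch window
    print(f"clock-seeded, one-hour window: {effective_key_bits(hour):.1f} bits")
    print(f"pid-seeded: {effective_key_bits(seeds_from_pid()):.1f} bits")
```

A one-hour window of one-second ticks gives fewer than twelve bits of effective strength, and the pid space gives fifteen; combining several such sources adds their bits but still falls far short of 128 unless at least one of them is genuinely unpredictable.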
