Essential Insecurities Part 5 – IP

The Internet Protocol, or IP, is what makes the Internet (and with it the World Wide Web) go around. An IP packet is divided into a header and the data it carries.

The IP header has fields such as the source and destination IP address and the fragment offset. What can go wrong here? We’ll use the usual Alice and Bob for two people on a network.

Take the example of Alice’s computer talking to Bob’s. Alice’s computer will use a name service, such as DNS or WINS, to look up Bob’s IP address. If all is well, the name service sends back an IP address, and Alice’s computer builds a packet with that address as the destination. But can you trust the name service? No, of course not. An attacker can poison these services with incorrect information, and Alice’s packet could then be sent to the attacker’s machine.

But let us suppose that we are using only IP addresses, without any names or name services. This makes more work for Alice and Bob, of course, but remembering a few IP addresses is a small price to pay for security. Right? Ok, to prevent poisoning we skip the name lookup and instead send a packet straight to the IP address of Bob’s computer.

When the response arrives, Alice looks to see if it came from Bob. From the source address alone, can she be certain who sent this packet? No. Nothing in the IP header authenticates the source field; the sender writes whatever value it likes, so attackers can falsify, or spoof, their IP addresses. If the attacker is outside the network, he can pretend to be a computer on the inside, which might fool a router or firewall into allowing the connection. (This is why a border router should drop packets that arrive on the outside interface carrying an inside source address.) The packet with Bob’s address could really be from anyone, inside or outside the network.

The fragment offset field can also be misused. The idea here is that every link has a maximum size for the packets it can carry, the maximum transmission unit (MTU). When a packet exceeds the MTU of the next link, the router splits it into fragments (unless the packet’s Don’t Fragment flag is set, in which case the router drops it instead). Each fragment carries the same identification value as the original packet and a fragment offset giving its position within the original data, measured in 8-byte units. The destination computer then uses the offsets to reassemble the packet. Just like the IP addresses, the offset is simply a field the sender fills in, so an attacker can falsify it.

Fragmentation can be used to hide data or to attack availability. For instance, say you are watching the router for some bad command (like format C:). An attacker could send this in two fragments, “form” and “at C:”, so that neither fragment on its own matches what you are looking for. Other tricks are to send fragments whose offsets overlap, or to send only the initial fragment and never the rest of the packet. The receiving system has to hold partial packets in memory while it waits for the missing pieces, so a stream of incomplete or overlapping fragments can confuse the OS, chew up memory, and eventually make the computer unavailable.
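The three points above (a source address is just a field the sender chooses, the offset field is stored in 8-byte units, and a per-fragment inspector misses a command split across fragments) are easy to see by building the packets yourself. The following is an added example for this page, not code from the original post: it builds and parses minimal IPv4 headers in pure Python, fragments a payload the way a router would, and reassembles it strictly, rejecting overlaps, gaps and a missing final fragment instead of guessing. The addresses, the identification values and the “cmd=format C:” payload are constructed for the demonstration; the checksum and header layout follow RFC 791.

```python
import struct
import ipaddress

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement sum of the header's 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, payload, ident=0x1234, mf=False, offset=0, proto=17, ttl=64):
    """Return a datagram with a minimal 20-byte IPv4 header. The sender chooses src freely;
    nothing in the header proves it. offset is in bytes; the wire field holds it in 8-byte units."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (0x2000 if mf else 0) | (offset // 8)          # MF flag is bit 13
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]  # checksum at byte 10
    return hdr + payload

def parse_ipv4(packet):
    """Decode the fixed header. A receiver learns only what the sender wrote in these fields."""
    vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "id": ident,
        "proto": proto,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,          # field is in 8-byte units
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,   # valid header sums to zero
        "payload": packet[ihl:total_len],
    }

def fragment(src, dst, payload, frag_size=8, ident=0xBEEF):
    """Split payload as a router would at an MTU that leaves frag_size bytes per fragment."""
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        frags.append(build_ipv4(src, dst, chunk, ident=ident,
                                mf=off + frag_size < len(payload), offset=off))
    return frags

def reassemble(fragments):
    """Strict reassembly: returns (payload, problems). Overlaps, gaps and a missing final
    fragment are reported and the datagram is dropped (payload None) rather than guessed at."""
    parsed = sorted((parse_ipv4(f) for f in fragments), key=lambda p: p["offset"])
    if len({(p["src"], p["dst"], p["id"]) for p in parsed}) != 1:
        raise ValueError("fragments belong to different datagrams")
    problems, data, expected = [], bytearray(), 0
    for p in parsed:
        if p["offset"] < expected:
            problems.append("overlap at offset %d" % p["offset"])
        elif p["offset"] > expected:
            problems.append("gap at offset %d" % expected)
        if p["mf"] and len(p["payload"]) % 8:
            problems.append("non-final fragment not a multiple of 8 bytes")
        data += p["payload"]
        expected = max(expected, p["offset"] + len(p["payload"]))
    if parsed[-1]["mf"]:
        problems.append("final fragment never arrived")
    return (bytes(data) if not problems else None), problems

def per_fragment_match(fragments, pattern):
    """The naive inspection described in the text: look at each fragment on its own."""
    return any(pattern in parse_ipv4(f)["payload"] for f in fragments)

# --- Constructed demonstration (addresses, ids and payload are made up) ---
BOB, ALICE, ATTACKER = "192.0.2.10", "192.0.2.20", "203.0.113.5"
BAD_COMMAND = b"format C:"

# 1. Spoofing: the attacker simply writes Bob's address into the source field.
spoofed = build_ipv4(BOB, ALICE, b"hello from 'Bob'")
assert parse_ipv4(spoofed)["src"] == BOB          # nothing here points at ATTACKER

# 2. Evasion: the command split across fragments ("cmd=form" / "at C:") is invisible
#    to per-fragment matching but present once the receiver reassembles.
frags = fragment(ATTACKER, BOB, b"cmd=" + BAD_COMMAND)
assert per_fragment_match(frags, BAD_COMMAND) is False
assert BAD_COMMAND in reassemble(frags)[0]

# 3. Overlap: a second fragment claiming offset 0 is rejected, not silently merged.
overlap = frags + [build_ipv4(ATTACKER, BOB, b"cmd=echo", ident=0xBEEF, mf=True, offset=0)]
assert reassemble(overlap) == (None, ["overlap at offset 0"])
```

The reassembler deliberately refuses ambiguous datagrams rather than picking a “first wins” or “last wins” policy; real stacks have historically differed on that choice, which is exactly what overlapping-fragment evasion exploits. Note also that the checksum only detects accidental corruption: an attacker who rewrites the source address recomputes it, so `checksum_ok` says nothing about who sent the packet.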

This is significant for the spoofing scenario: to take over Bob’s address on the local segment and actually receive the replies, the attacker will first have to knock Bob off the network, for instance with the fragmentation attacks above. An IP address has to be unique on a segment, and hence only one computer can use the address at a time.