UDP, ICMP, AND OTHER PROTOCOLS
User Datagram Protocol (UDP)
UDP is a connectionless transport protocol. It is a thin protocol on top of IP, providing high speed but low functionality. Delivery of UDP datagrams is not guaranteed, nor can UDP detect duplicate datagrams. UDP is mostly used by application services where squeezing the best performance out of an existing IP network is necessary, such as the Trivial File Transfer Protocol (TFTP) and NFS, and by the DNS.
Internet Control Message Protocol (ICMP)
ICMP [RFC 792, 1981] manages and controls the IP layer: reporting network errors, such as a host or an entire portion of the network being unreachable or a packet being directed at a closed port; reporting network congestion; assisting in troubleshooting; reporting time-outs; or forcing routing options. In general, much of the best-effort delivery of IP datagrams is associated with ICMP.
The purpose of the ICMP messages is to provide feedback and suggestions about problems, for example, when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, or when the gateway can direct the host to send traffic on a shorter route. To avoid the infinite regress, no ICMP messages are sent about ICMP messages. Also, ICMP messages are only sent about errors in handling fragment zero of fragmented datagrams.
Address Resolution Protocol (ARP)
ARP [RFC 826, 1982] is used to determine the Ethernet MAC address of a device whose IP address is known. This needs to be done only for outgoing IP packets, because an IP datagram must be Ethernet-framed with the destination hardware address. The translation is performed with a table look-up.
TCP/IP SECURITY
The TCP/IP suite had many design weaknesses so far as security and privacy are concerned, all perhaps due to the era (the 1980s) in which the development took place. For example, the ICMP redirect message, intended to improve routing performance, has often been used maliciously. In this section, we summarize some of these issues. All major OSes have made improvements in their implementations of the protocol stack that disable many of the attacks described below.
Covert Channels
A number of protocols permit covert channels. For example, ICMP echo request packets should have an 8-byte header and a 56-byte payload. ICMP echo requests should not be carrying any data. However, such ICMP packets can be significantly larger, carrying covert data in their payloads. Covert channels are prevalent in nearly all the protocols of the TCP/IP suite.
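The size check described above, as an added example (not code from the original text): it parses the 8-byte ICMP header and flags echo requests whose payload departs from the expected 56 bytes. The packet builder and sample payloads are constructed here for illustration; the checksum is left at zero because it is not inspected.

```python
import struct

ICMP_HEADER_LEN = 8        # type, code, checksum, identifier, sequence number
EXPECTED_PAYLOAD_LEN = 56  # payload size the text gives for a normal echo request
ICMP_ECHO_REQUEST = 8

def build_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed sample echo request; checksum left at zero since this example does not verify it."""
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload

def check_echo_request(packet: bytes) -> dict:
    """Parse an ICMP message and flag echo requests whose payload size deviates from 56 bytes."""
    if len(packet) < ICMP_HEADER_LEN:
        return {"echo": False, "reason": "truncated ICMP header"}
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[:ICMP_HEADER_LEN])
    if icmp_type != ICMP_ECHO_REQUEST:
        return {"echo": False, "reason": f"type {icmp_type} is not an echo request"}
    payload = packet[ICMP_HEADER_LEN:]
    return {
        "echo": True,
        "ident": ident,
        "seq": seq,
        "payload_len": len(payload),
        # Oversized payloads are the covert-channel case the text describes.
        "oversized": len(payload) > EXPECTED_PAYLOAD_LEN,
        # Any deviation from the expected size is worth logging.
        "suspicious": len(payload) != EXPECTED_PAYLOAD_LEN,
    }

if __name__ == "__main__":
    normal = build_echo_request(bytes(range(56)))
    bulky = build_echo_request(b"ABCDEFGH" * 100)   # constructed 800-byte payload
    print(check_echo_request(normal))
    print(check_echo_request(bulky))
```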
IP Address Spoofing
IP spoofing replaces the IP address of (usually) the sender or (in rare cases) the destination with a different address. Because the IP layer of the OS normally adds these IP addresses to a data packet, a spoofing program must circumvent the IP layer and talk directly to the raw network device.
IP Fragment Attacks
Many firewalls do not perform packet reassembly. Attackers create artificially fragmented packets in order to fool such firewalls. A well-behaving set of IP fragments is non-overlapping. However, a cleverly constructed second fragment can have an offset value that is less than the length of the data in the first fragment, so that upon packet reassembly it overwrites several bytes of the first fragment.
In the IP layer implementations of nearly all OSes, there are bugs in the reassembly code. An attacker can create and send a pair of carefully crafted but malformed IP packets that in the process of reassembly cause a server to “panic” and crash.
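A strict reassembler of the kind a firewall needs, as an added example (not code from the original text): it rejects any fragment set in which a later fragment's offset falls inside data already covered, and also rejects gaps or a missing final fragment. For readability the offsets here are in bytes, whereas the real IP header field counts 8-byte units; the fragment sets are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's data within the original datagram
    data: bytes   # payload carried by this fragment
    more: bool    # "more fragments" flag; False on the last fragment

def find_overlaps(fragments):
    """Return the fragments whose offset lies inside data already covered by an earlier fragment."""
    ordered = sorted(fragments, key=lambda f: f.offset)
    overlapping, covered_end = [], 0
    for frag in ordered:
        if frag.offset < covered_end:
            overlapping.append(frag)
        covered_end = max(covered_end, frag.offset + len(frag.data))
    return overlapping

def reassemble_strict(fragments) -> bytes:
    """Reassemble only a well-behaved set: non-overlapping, contiguous, terminated by a fragment with more=False."""
    if find_overlaps(fragments):
        raise ValueError("overlapping fragments rejected")
    ordered = sorted(fragments, key=lambda f: f.offset)
    out = bytearray()
    for frag in ordered:
        if frag.offset != len(out):
            raise ValueError("gap in fragment sequence")
        out += frag.data
    if not ordered or ordered[-1].more:
        raise ValueError("last fragment missing")
    return bytes(out)

def is_well_formed(fragments) -> bool:
    """Boolean wrapper: True only when the set reassembles without any of the errors above."""
    try:
        reassemble_strict(fragments)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    good = [Fragment(0, b"A" * 16, True), Fragment(16, b"B" * 8, False)]
    # Constructed attack pattern from the text: second fragment's offset (8) is less than the first's length (16).
    overlapping = [Fragment(0, b"A" * 16, True), Fragment(8, b"B" * 16, False)]
    print(is_well_formed(good), is_well_formed(overlapping))
```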
TCP Flags
TCP segments have a number of flags that have, collectively, a strong influence on how the segment is processed. However, not all the flags can be independently set or reset. For example, SYN FIN, SYN FIN PSH, SYN FIN RST, and SYN FIN RST PSH are all illegal combinations. Past implementations have accounted only for valid combinations, ignoring the invalid combinations as simply “will not happen.” Attackers have written special programs that construct such illegal segments and cause the network hosts to crash or hang.
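A check for the illegal combinations listed above, as an added example (not code from the original text): it reads the flag bits from byte 13 of a 20-byte TCP header and rejects any segment carrying both SYN and FIN, which covers all four combinations the text names. The header builder is constructed here to produce sample input.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

def build_tcp_header(src_port: int, dst_port: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Constructed 20-byte TCP header with no options (data offset = 5 words); checksum left at zero."""
    offset_and_flags = (5 << 12) | (flags & 0x3F)
    return struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_and_flags, 65535, 0, 0)

def flags_of(tcp_header: bytes) -> int:
    """Return the six classic flag bits; they occupy the low bits of byte 13 of the header."""
    if len(tcp_header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    return tcp_header[13] & 0x3F

def is_illegal_combination(flags: int) -> bool:
    """SYN (open a connection) together with FIN (close it) is never valid, whatever else is set."""
    return bool(flags & SYN) and bool(flags & FIN)

def describe(flags: int) -> str:
    """Human-readable flag list for logging, e.g. 'FIN+SYN+PSH'."""
    return "+".join(name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit) or "none"

def inspect_segment(tcp_header: bytes) -> dict:
    """Decision a filtering device could log: drop segments with an illegal flag combination."""
    flags = flags_of(tcp_header)
    return {"flags": describe(flags), "drop": is_illegal_combination(flags)}

if __name__ == "__main__":
    for f in (SYN, SYN | ACK, SYN | FIN, SYN | FIN | PSH, SYN | FIN | RST, SYN | FIN | RST | PSH):
        print(inspect_segment(build_tcp_header(40000, 80, f)))
```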
The SYN Flood
In the TCP protocol as designed, there is no limit set on the time to wait after receiving the SYN. An attacker initiates many connection requests with spoofed source addresses to the victim machine. The SYN+ACK packets that the victim host sends are not replied to.
Once the limit of half-open connections is reached, the victim host will refuse further connection establishment attempts from any host until a partially opened connection in the queue is completed or times out. This effectively removes a host from the network for several seconds, making it useful at least as a stepping stone to other attacks, like IP spoofing.
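A model of the half-open queue described in the two paragraphs above, as an added example (not code from the original text): spoofed SYNs that are never acknowledged occupy every slot, a legitimate client is refused, and the slot frees only when the entry times out or the handshake completes. The capacity, timeout and addresses are constructed values, not those of any real stack.

```python
from collections import OrderedDict

class HalfOpenQueue:
    """Listener's table of connections that have received a SYN but not yet the client's ACK."""

    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity      # constructed limit on half-open connections
        self.timeout = timeout        # constructed seconds to wait for the client's ACK
        self.pending = OrderedDict()  # (src_ip, src_port) -> time the SYN arrived

    def _expire(self, now: float) -> None:
        # Drop entries whose SYN+ACK has gone unanswered for longer than the timeout.
        for key, arrived in list(self.pending.items()):
            if now - arrived >= self.timeout:
                del self.pending[key]

    def on_syn(self, src_ip: str, src_port: int, now: float) -> bool:
        """Return True if the SYN gets a queue slot, False if the listener must refuse it."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            return False
        self.pending[(src_ip, src_port)] = now
        return True

    def on_ack(self, src_ip: str, src_port: int) -> bool:
        """Third handshake step: completes the connection and frees its slot."""
        return self.pending.pop((src_ip, src_port), None) is not None

def simulate_flood(capacity: int = 4, timeout: float = 30.0):
    """Constructed scenario: spoofed SYNs fill the queue; a legitimate client is refused until one expires."""
    q = HalfOpenQueue(capacity, timeout)
    for i in range(capacity):
        # Spoofed sources in the documentation range 203.0.113.0/24; their SYN+ACKs are never answered.
        q.on_syn(f"203.0.113.{i + 1}", 40000 + i, now=0.0)
    refused_during_flood = not q.on_syn("198.51.100.7", 51000, now=1.0)
    accepted_after_timeout = q.on_syn("198.51.100.7", 51000, now=timeout + 1.0)
    return refused_during_flood, accepted_after_timeout

if __name__ == "__main__":
    print(simulate_flood())  # (True, True)
```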
Last word
TCP exploits are typically based on IP spoofing and sequence number prediction. In establishing a TCP connection, both the server and the client generate an initial sequence number from which they will start counting the packets transmitted. This sequence number is (should be) generated at random, and should be hard to predict.