It's important to note that TCP and IP, while almost always used together in the TCP/IP suite, are two separate protocols. IP is a connectionless protocol, meaning data is transmitted between two network endpoints without prior arrangement -- including whether the receiver is ready or even exists. IP carries data in packets (datagrams) from origin to destination. The routers in between use routing protocols to decide where to forward each packet, and because packets can take different paths they may arrive at the destination out of order, duplicated or not at all. This is where the connection-oriented TCP comes into play. At the origin, TCP breaks the application's byte stream into segments and numbers every byte with a sequence number. At the receiving end, the segments are reassembled in sequence-number order, lost segments are retransmitted, and the stream is passed up the communication stack to the pertinent application.
The TCP/IP suite consists of protocols at four layers:
- The application layer includes HTTP, FTP, Simple Mail Transfer Protocol (SMTP) and Simple Network Management Protocol (SNMP).
- The transport layer includes TCP and User Datagram Protocol (UDP).
- The network layer includes IP and Internet Control Message Protocol (ICMP).
- The link layer (also called the network access layer) includes Ethernet and Address Resolution Protocol (ARP).
When considering TCP/IP vulnerabilities, it is critical to separate flaws in the implementation of the protocols from issues inherent within the protocols themselves. Many TCP/IP security issues that make the news are bugs in one vendor's protocol stack, or in applications that use TCP/IP as a transport, rather than weaknesses in the protocol design. For example, the VxWorks real-time OS TCP/IP stack vulnerabilities disclosed in July 2019 and the FreeRTOS TCP/IP stack vulnerabilities disclosed in October 2018 could both have enabled remote code execution, yet neither changed anything about how TCP or IP work; they were fixed by patching the affected stacks.
It is also important to note that TCP and IP have no authentication, integrity protection or confidentiality built into them: any host can put any address in a header, and nothing in the protocols detects a modified or forged packet. Enterprises must add those properties at other layers -- for example, TLS or SSH above TCP, or IPsec alongside IP -- to remain secure when using the TCP/IP suite.
There are, however, some well-known vulnerabilities in the underlying protocols. Mitigations are available, but they do need to be implemented properly to ensure secure TCP/IP use.
IP address spoofing
In IP address spoofing, attackers craft IP packets with a forged source address that impersonates another system, hiding the true sender's identity; when used for session hijacking, the forged packets are made to look like part of a victim's existing connection. IP spoofing is often used as a launching point for denial-of-service (DoS), distributed denial-of-service (DDoS) or man-in-the-middle (MitM) attacks, and it is what makes reflection and amplification DDoS possible, since the replies go to the spoofed address rather than the attacker.
Defense: Use packet filtering at the network border. Configure routers and firewalls to drop inbound packets whose source address belongs to your own ranges or to private and reserved space, and outbound packets whose source address is not yours (ingress and egress filtering, as described in BCP 38). Note that spoofing alone does not let a blind attacker complete a TCP handshake, since the SYN/ACK is sent to the spoofed address; it does the most damage with connectionless protocols and as a DoS multiplier.
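The ingress/egress policy above, as an added example (not code from the original article): a border filter that decides, from the direction of travel and the source address alone, whether a packet can be genuine. The prefix 203.0.113.0/24 and the sample packets are constructed for the example; substitute your own allocations.

```python
import ipaddress

# Constructed topology for this example: the organization's public prefix is
# 203.0.113.0/24 (a documentation range standing in for a real allocation).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Source addresses that must never arrive from the internet (private,
# loopback, link-local, shared, multicast, reserved): the usual bogon list.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, prefixes):
    return any(addr in net for net in prefixes)


def border_verdict(direction, src_ip):
    """Decide what a border router should do with a packet, based only on
    its source address and the direction it is travelling.

    direction: "ingress" for packets arriving from the internet,
               "egress"  for packets leaving towards the internet.
    Returns ("accept", None) or ("drop", reason).
    """
    addr = ipaddress.ip_address(src_ip)
    if direction == "ingress":
        # Ingress filtering: nothing from outside may claim to be us.
        if _in_any(addr, OUR_PREFIXES):
            return ("drop", "inbound packet claims an internal source address")
        if _in_any(addr, BOGON_PREFIXES):
            return ("drop", "inbound packet has a bogon source address")
        return ("accept", None)
    if direction == "egress":
        # Egress filtering (BCP 38): nothing leaves unless it is sourced from
        # our own space, so a compromised internal host cannot spoof others.
        if not _in_any(addr, OUR_PREFIXES):
            return ("drop", "outbound packet with a source address we do not own")
        return ("accept", None)
    raise ValueError("direction must be 'ingress' or 'egress'")


def audit(packets):
    """Run a batch of (direction, src_ip) pairs and return the dropped ones."""
    dropped = []
    for direction, ip in packets:
        verdict, reason = border_verdict(direction, ip)
        if verdict == "drop":
            dropped.append((direction, ip, reason))
    return dropped


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    sample = [
        ("ingress", "198.51.100.9"),   # ordinary internet host: accept
        ("ingress", "203.0.113.7"),    # our own address arriving from outside: spoofed
        ("ingress", "10.1.2.3"),       # RFC 1918 space from the internet: bogon
        ("egress", "203.0.113.7"),     # our host talking out: accept
        ("egress", "198.51.100.9"),    # internal host spoofing a foreign source
    ]
    for entry in audit(sample):
        print("DROP", *entry)
```

The same policy is two rules on a real border device: drop on the external interface when the source matches your prefixes or a bogon list, and drop on the way out when the source does not match your prefixes. The egress half is the one most organizations forget, and it is the half that stops your own hosts from participating in someone else's reflection attack.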
ARP spoofing
ARP maps an IP address to a physical hardware (MAC, media access control) address on the local network segment. In an ARP spoofing attack, also known as ARP cache poisoning, an attacker on the same segment sends forged ARP replies that associate the attacker's MAC address with the IP address of a legitimate host, typically the default gateway. Neighboring hosts update their ARP caches accordingly and start sending that host's traffic to the attacker, who can then intercept, modify or drop it. Such attacks can lead to data loss, MitM or DoS attacks, or session hijacking.
Defense: Because ARP never leaves the local segment, perimeter packet filtering does not help here. Use static ARP entries for critical hosts such as the gateway, enable Dynamic ARP Inspection (together with DHCP snooping) on managed switches so they drop ARP replies that contradict the known IP-to-MAC bindings, and run ARP monitoring tools such as arpwatch to alert on binding changes. Encrypting and authenticating traffic end to end (TLS, SSH) ensures that intercepted traffic cannot be read or modified even if a cache is poisoned.
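What an ARP monitor actually checks, as an added example (not code from the original article or from arpwatch): it parses raw Ethernet/ARP frames, keeps the IP-to-MAC bindings it has seen, and raises an alert when a pinned binding is contradicted, when a learned binding changes, or when the MAC inside the ARP packet disagrees with the Ethernet source (a common sign of a crafted frame). The addresses, MACs and frames are constructed for the example; `bytes.hex(sep)` needs Python 3.8 or later.

```python
import ipaddress
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Build an Ethernet II frame carrying IPv4 ARP. Used here only to construct
    sample traffic; eth_src lets the example forge a mismatched Ethernet header."""
    eth_dst = _mac_bytes(BROADCAST if oper == ARP_REQUEST else target_mac)
    eth = struct.pack("!6s6sH", eth_dst, _mac_bytes(eth_src or sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      _mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
                      _mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "eth_src": eth_src.hex(":"),
            "sender_mac": sha.hex(":"), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": tha.hex(":"), "target_ip": str(ipaddress.IPv4Address(tpa))}


class ArpWatch:
    """Track IP-to-MAC bindings seen on a segment and flag suspicious changes.

    static: bindings pinned by the operator (e.g. the gateway). A claim that
    contradicts a pinned binding is treated as poisoning, not as a change.
    """

    def __init__(self, static=None):
        self.static = dict(static or {})
        self.learned = {}
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if arp["eth_src"] != mac:
            self.alerts.append(f"{ip}: ARP sender MAC {mac} does not match Ethernet source {arp['eth_src']}")
        if ip in self.static:
            if self.static[ip] != mac:
                self.alerts.append(f"{ip}: pinned to {self.static[ip]} but claimed by {mac}")
        elif ip not in self.learned:
            self.learned[ip] = mac          # first sighting: learn it
        elif self.learned[ip] != mac:
            self.alerts.append(f"{ip}: binding changed from {self.learned[ip]} to {mac}")
            self.learned[ip] = mac
        return arp


def demo():
    """Constructed scenario: a poisoning attempt against the gateway binding."""
    gw, victim, attacker = "192.168.1.1", "192.168.1.20", "192.168.1.66"
    gw_mac, victim_mac, atk_mac = "02:00:00:00:00:01", "02:00:00:00:00:20", "02:00:00:00:00:66"
    watch = ArpWatch(static={gw: gw_mac})
    frames = [
        build_arp(ARP_REQUEST, victim_mac, victim, "00:00:00:00:00:00", gw),  # victim asks for the gateway
        build_arp(ARP_REPLY, gw_mac, gw, victim_mac, victim),                  # genuine reply
        build_arp(ARP_REPLY, atk_mac, gw, victim_mac, victim),                 # attacker claims the gateway IP
        build_arp(ARP_REPLY, atk_mac, attacker, victim_mac, victim, eth_src=gw_mac),  # forged Ethernet source
    ]
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for alert in demo():
        print("ALERT", alert)
```

On a real host the frames would come from a raw socket or a pcap; the detection logic is unchanged. A switch running Dynamic ARP Inspection applies the same binding check in hardware, with the DHCP snooping table as its source of truth, and drops the forged reply instead of merely alerting.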
Port scanning and SYN floods
Port scanning is a popular information-gathering technique through which attackers identify open, closed and filtered ports on internet-connected devices to find services worth attacking. It is usually the first step before an exploit or a DoS attack rather than an attack in itself.
In a TCP three-way handshake, the connecting client sends the server a TCP synchronization packet, or SYN. The server acknowledges it with a synchronization-acknowledged packet, or SYN/ACK, and records the half-open connection. The client then sends an ACK packet to acknowledge the SYN/ACK, and the connection is established.
In a SYN flood, also known as a TCP SYN flood or SYN half-open attack, the attacker sends a stream of SYN packets, usually with spoofed source addresses, and never completes the handshake with the final ACK. Each unanswered SYN/ACK leaves a half-open entry in the server's connection backlog until it times out; once the backlog is full, the server drops SYNs from legitimate clients, which is the DoS.
Defense: It is impossible to prevent an attacker from performing a port scan on a given network. Use firewalls or intrusion prevention systems to spot and block abnormal activity, and expose only the ports that are needed. Performing a port scan on an organization's own systems reveals what an attacker would see and gives the organization a better idea of which ports to close or block. Against SYN floods specifically, enable SYN cookies (net.ipv4.tcp_syncookies on Linux), which let the server complete handshakes without storing half-open state, and shorten the SYN-RECEIVED timeout; floods large enough to saturate the link itself have to be absorbed upstream.
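How SYN cookies defeat the half-open attack, as an added example (not code from the original article or from any OS kernel): the server encodes a coarse clock, an MSS index and a keyed hash of the 4-tuple into the ISN of its SYN/ACK, so the final ACK can be validated with no per-connection state. The simulation floods a listener with never-completed SYNs and then tries a legitimate handshake, first with a bounded backlog and then with cookies. The addresses, the secret key and the 3-bit MSS table are constructed for the example; the bit layout follows the classic Bernstein design.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

MASK32 = 0xFFFFFFFF
MSS_TABLE = (536, 1300, 1440, 1460)   # the few MSS values a 3-bit cookie field can remember


def _hash24(key, src_ip, src_port, dst_ip, dst_port, t):
    """24-bit keyed hash over the 4-tuple and the coarse clock tick t."""
    msg = struct.pack("!4sH4sHI", ipaddress.IPv4Address(src_ip).packed, src_port,
                      ipaddress.IPv4Address(dst_ip).packed, dst_port, t & MASK32)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(key, src_ip, src_port, dst_ip, dst_port, t, mss_idx):
    """Server ISN that carries everything needed to validate the final ACK:
    5 bits of clock, 3 bits of MSS index, 24 bits of keyed hash."""
    return ((t & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | _hash24(key, src_ip, src_port, dst_ip, dst_port, t)


def check_cookie(key, src_ip, src_port, dst_ip, dst_port, t_now, ack):
    """Validate the ACK of a handshake we kept no state for.
    Returns the MSS index encoded in the cookie, or None if invalid or stale."""
    cookie = (ack - 1) & MASK32
    for t in (t_now, t_now - 1):          # accept the current and the previous tick only
        if t < 0:
            continue
        if (cookie >> 27) == (t & 0x1F) and (cookie & 0xFFFFFF) == _hash24(key, src_ip, src_port, dst_ip, dst_port, t):
            return (cookie >> 24) & 0x7
    return None


class Listener:
    """TCP listener simulation: either keep half-open state in a bounded
    backlog, or answer every SYN with a cookie and keep nothing."""

    def __init__(self, key, ip, port, backlog=4, use_cookies=False):
        self.key, self.ip, self.port = key, ip, port
        self.backlog, self.use_cookies = backlog, use_cookies
        self.half_open = {}

    def on_syn(self, src_ip, src_port, t, mss_idx=3):
        """Return the ISN of our SYN/ACK, or None if the SYN had to be dropped."""
        if self.use_cookies:
            return make_cookie(self.key, src_ip, src_port, self.ip, self.port, t, mss_idx)
        if len(self.half_open) >= self.backlog:
            return None                    # backlog full: this is the DoS
        isn = int.from_bytes(os.urandom(4), "big")
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack, t):
        """Return True if the handshake completes."""
        if self.use_cookies:
            return check_cookie(self.key, src_ip, src_port, self.ip, self.port, t, ack) is not None
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == (isn + 1) & MASK32


def simulate(use_cookies, key=b"constructed-server-secret", flood_size=100):
    """Flood the listener with SYNs that are never completed, then attempt one
    legitimate handshake. Returns whether the legitimate client got through."""
    srv = Listener(key, "203.0.113.10", 443, backlog=4, use_cookies=use_cookies)
    for i in range(flood_size):                       # spoofed sources: no ACK ever comes back
        srv.on_syn(f"198.51.100.{i % 250 + 1}", 40000 + i, t=7)
    isn = srv.on_syn("192.0.2.50", 51515, t=7)        # the real client
    if isn is None:
        return False
    return srv.on_ack("192.0.2.50", 51515, (isn + 1) & MASK32, t=8)


if __name__ == "__main__":
    print("without cookies, legitimate client connected:", simulate(False))
    print("with cookies, legitimate client connected:", simulate(True))
```

The price of statelessness is visible in the cookie layout: only a handful of MSS values fit, and options such as window scaling or SACK are lost unless they can be carried elsewhere (Linux tucks them into TCP timestamps), which is why kernels only fall back to cookies once the backlog is under pressure rather than using them for every connection.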
ICMP attacks
A fundamental component of the TCP/IP suite, ICMP reports network error conditions -- for example, that a host or network is unreachable, or that a packet needs fragmentation -- and underpins utilities including ping and traceroute. Ping, for example, sends ICMP echo requests to troubleshoot, test connectivity and measure response times.
ICMP can be used for DoS attacks when an attacker overwhelms a target device with ICMP echo request packets, an attack known as a ping flood. In the related smurf attack, echo requests are sent to a broadcast address with the victim's spoofed source address so that every host on that segment replies to the victim at once.
In ping of death DoS attacks, attackers send IP fragments that, when reassembled, exceed the maximum IP packet size of 65,535 bytes. An implementation that does not check the reassembled length overflows its reassembly buffer, which typically crashes or hangs the victim and, in the worst case, could let the attacker corrupt memory and run code.
Defense: Most OSes patched the original ping of death long ago, but variants have resurfaced as recently as 2018, so keep systems updated. Rate-limit ICMP echo requests at routers and firewalls and drop fragments that would reassemble beyond 65,535 bytes, rather than blocking ICMP wholesale: ICMP also carries the "fragmentation needed" messages that path MTU discovery depends on, and blocking those causes hard-to-diagnose connection hangs.
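The ping-of-death check in code, as an added example (not code from the original article or from any OS): an IPv4 fragment reassembler that refuses any fragment whose offset plus length would push the datagram past 65,535 bytes, and otherwise only hands back a payload once the fragments tile the datagram without gaps or overlaps. The packets are constructed in the example itself (no checksums, since nothing here verifies one).

```python
import ipaddress
import struct

MAX_DATAGRAM = 65535          # IPv4 total length is a 16-bit field
IP_MF = 0x2000                # "more fragments" flag in the flags/offset word
IPPROTO_ICMP = 1


def build_fragment(src, dst, ident, offset_units, payload, more):
    """Constructed IPv4 fragment; offset_units is in 8-byte units as on the wire."""
    flags_frag = (IP_MF if more else 0) | (offset_units & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, IPPROTO_ICMP, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def parse_ipv4(packet):
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "total_len": total_len, "id": ident, "proto": proto,
            "mf": bool(flags_frag & IP_MF), "offset": (flags_frag & 0x1FFF) * 8,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "data": packet[ihl:total_len]}


class Reassembler:
    """Reassemble fragments per (src, dst, id, proto), refusing anything that
    would push the datagram past 65,535 bytes (the ping-of-death condition)."""

    def __init__(self):
        self.pending = {}

    def add(self, packet):
        """Return ("drop", reason), ("fragment", None) or ("complete", payload)."""
        hdr = parse_ipv4(packet)
        end = hdr["offset"] + len(hdr["data"])
        if end > MAX_DATAGRAM:
            return ("drop", f"fragment would reassemble to {end} bytes")
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        entry = self.pending.setdefault(key, {"parts": {}, "total": None})
        entry["parts"][hdr["offset"]] = hdr["data"]
        if not hdr["mf"]:
            entry["total"] = end          # the last fragment fixes the datagram length
        if entry["total"] is None:
            return ("fragment", None)
        # Complete only if the pieces tile [0, total) with no gap and no overlap.
        cursor = 0
        for off in sorted(entry["parts"]):
            if off != cursor:
                return ("fragment", None)
            cursor = off + len(entry["parts"][off])
        if cursor != entry["total"]:
            return ("fragment", None)
        del self.pending[key]
        return ("complete", b"".join(entry["parts"][o] for o in sorted(entry["parts"])))


def demo():
    """Constructed traffic: a benign two-fragment echo request, then a ping of death."""
    r = Reassembler()
    benign = [build_fragment("192.0.2.1", "192.0.2.2", 1, 0, b"A" * 1480, True),
              build_fragment("192.0.2.1", "192.0.2.2", 1, 185, b"B" * 20, False)]
    results = [r.add(p) for p in benign]
    # offset 8191 * 8 = 65528, plus 20 bytes of payload, ends at 65548 > 65535
    evil = build_fragment("192.0.2.1", "192.0.2.2", 2, 8191, b"C" * 20, False)
    results.append(r.add(evil))
    return results


if __name__ == "__main__":
    for verdict, detail in demo():
        print(verdict, len(detail) if isinstance(detail, bytes) else detail)
```

A real reassembler also needs a timeout and a memory cap per pending datagram, because an attacker who sends only first fragments can exhaust the reassembly buffers just as a SYN flood exhausts the backlog; the length check here is the part that stops the classic crash.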
Packet reassembly and sequence prediction
As mentioned, when a packet is too large for a link on its path, IP fragments it into smaller pieces that are reassembled at the destination. TCP, separately, splits the application's data into segments and tags every byte with a sequence number, which is how the receiver puts segments back in the proper order and detects gaps.
In a TCP sequence prediction attack, an attacker who cannot see the traffic guesses the sequence numbers a connection is using in order to impersonate one end and inject forged segments. To make the target accept the forged packets rather than the legitimate sender's, the attacker typically silences the legitimate sender with a DoS. The attacker can then potentially gain access to the target system, terminate communication or deliver malware. The attack only works if initial sequence numbers (ISNs) are predictable, as they were in early implementations that bumped a single global counter by a fixed amount for every new connection.
Defense: In 2012, the Internet Engineering Task Force published RFC 6528, which specifies an ISN generation algorithm that adds a keyed hash of the connection's addresses and ports to a clock, so that the ISN observed on one connection reveals nothing about another's. Modern OSes implement it. Enterprises can further this effort by using packet filtering to block spoofed addresses, which the attacker needs in order to inject packets in the first place.
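Why the RFC 6528 scheme stops prediction, as an added example (not code from the original article or from any OS): a naive global-counter ISN beside the RFC 6528 construction ISN = M + F(localip, localport, remoteip, remoteport, secretkey), and an attacker who connects once from its own address and then guesses the ISN the server will issue to the victim. The addresses, ports, secret key and clock values are constructed for the example, and HMAC-SHA-256 truncated to 32 bits stands in for F (RFC 6528 suggests MD5; any unpredictable keyed function serves).

```python
import hashlib
import hmac
import ipaddress
import struct

MASK32 = 0xFFFFFFFF

# Constructed endpoints: the attacker and the victim both connect to the same server port.
SERVER = ("203.0.113.10", 22)
ATTACKER = ("198.51.100.7", 40000)
VICTIM = ("192.0.2.5", 40001)


def naive_isn(state):
    """Pre-RFC 1948/6528 behaviour: one global counter, bumped by a fixed
    amount for every new connection, so one observed ISN predicts the next."""
    state["counter"] = (state["counter"] + 64000) & MASK32
    return state["counter"]


def rfc6528_isn(key, local_ip, local_port, remote_ip, remote_port, clock_us):
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey):
    M is a 4-microsecond clock, F a keyed hash that is constant per 4-tuple."""
    m = (clock_us // 4) & MASK32
    msg = struct.pack("!4sH4sH", ipaddress.IPv4Address(local_ip).packed, local_port,
                      ipaddress.IPv4Address(remote_ip).packed, remote_port)
    f = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")
    return (m + f) & MASK32


def attack_naive():
    """Attacker opens its own connection, sees the ISN, predicts the victim's."""
    state = {"counter": 123456}
    observed = naive_isn(state)              # attacker's own handshake
    guess = (observed + 64000) & MASK32      # the next connection will be the victim's
    actual = naive_isn(state)
    return guess == actual


def attack_rfc6528(key=b"constructed-server-secret", clock_us=1_000_000):
    """Same attacker against RFC 6528. Even granting it perfect knowledge of
    the clock advance, its guess is off by F(victim tuple) - F(attacker tuple),
    which it cannot compute without the server's secret key."""
    observed = rfc6528_isn(key, *SERVER, *ATTACKER, clock_us)
    elapsed_ticks = (clock_us + 800) // 4 - clock_us // 4
    guess = (observed + elapsed_ticks) & MASK32
    actual = rfc6528_isn(key, *SERVER, *VICTIM, clock_us + 800)
    return guess == actual


if __name__ == "__main__":
    print("prediction succeeds against naive ISNs:", attack_naive())
    print("prediction succeeds against RFC 6528 ISNs:", attack_rfc6528())
```

Note what the scheme keeps as well as what it removes: for a single 4-tuple the ISN still advances with the clock (the difference between two ISNs for the same tuple is exactly the number of 4 µs ticks between them), which preserves TCP's protection against stale segments from an earlier incarnation of the connection; only the cross-connection relationship that the attacker needs is destroyed.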
Man-in-the-middle attacks
In a MitM attack, an attacker positions himself between client and server -- through ARP spoofing, DNS spoofing, a rogue access point or a compromised router -- and terminates the TCP connection on each side so that he can intercept, read, insert, modify and relay messages between two parties who believe they are communicating directly with each other.
Defense: To combat MitM attacks, rely on protocols that authenticate the remote end, such as Transport Layer Security (TLS) or Secure Shell (SSH), and never disable their certificate or host-key checks to make an error go away. Ensure users on the network only visit websites using HTTPS, and treat public Wi-Fi as hostile: use a VPN over it or avoid it for sensitive work.
DoS and DDoS attacks
DoS and DDoS attacks can be detrimental to an organization's network, servers, websites or other systems, slowing them down or taking them offline and thus preventing legitimate users from reaching them.
Defense: It is impossible to prevent being a DoS or DDoS target, but the effects of such an attack can be minimized by employing good security hygiene, maintaining up-to-date systems, planning capacity with headroom and implementing proactive monitoring and alerting processes. Internet service providers and DDoS scrubbing services can also be instrumental by rerouting or absorbing malicious traffic upstream, before it reaches the organization's links, while load balancers spread whatever gets through.
Overall, apply timely application and system patches to stay secure. Firewalls, antimalware and intrusion detection and prevention systems are also key. To help you sleep at night, remember TCP/IP is critical to the internet, so everyone is using it. When TCP/IP vulnerabilities are found in stacks or applications, they are made widely known and patches are developed quickly. As long as enterprises stay up to date and practice good security hygiene, their exposure to these attacks is greatly reduced.