Network Security: TCP Attacks and Countermeasures

Questions and Answers

What happens if the number of TCP retransmissions reaches 5 on the server?

The half-open connection is expired. (correct)

The TCP stack resets the connection automatically.

The connection remains active indefinitely.

The server conserves resources by ignoring retransmissions.

What is the default value of the parameter 'net.ipv4.tcp_synack_retries', which influences the duration of half-open connections?

2

10

3

5 (correct)

In virtualized environments, what cause does VM NAT dropping with an RST response indicate?

The SYN/ACK packet has no corresponding SYN record. (correct)

The VM is running out of memory resources.

The TCP connection is established successfully.

The NAT cloud is overloading the VM.

What is the significance of the round trip time displayed by 'ip tcp_metrics show'?

It reflects the performance of TCP in the network.

How does reducing the size of the SYN queue affect SYN flooding attacks?

It helps in quicker expiration of half-open connections.

What is a primary method used in TCP session hijacking?

Sniffing traffic and guessing sequence numbers

In the context of TCP reset attacks, what is essential for spoofing a reset packet?

The ACK number should match the sequence number of the sent packet

Which scenario describes an action that would NOT typically occur during a TCP session hijacking attack?

Establishing a secure connection using TLS

What does the 'receiver window' refer to in the context of fast-moving ACK numbers during video streaming?

The maximum capacity of the receiving buffer at the recipient

What is the main goal of a TCP reset attack?

To terminate an active TCP connection abruptly

What is a primary method through which an attacker can gain unauthorized access to a TCP session?

By injecting malicious data into the session

What role does the Seq# play in a TCP session?

It protects the session by maintaining packet order

What is required for a TCP RST attack concerning the Seq#?

It must be incremented by one from the previous packet

For session hijacking, how should the Seq# be provided?

Within the buffer boundary

What is a key characteristic of manual spoofing in session hijacking?

It requires inclusion of the Ack#

What happens if the Seq# is too large during an attack?

The packet will be discarded

In automatic spoofing for session hijacking, what information is necessary?

No specific information needs to be provided

What is a common method used to find the next Seq# for packet injection?

Intercepting the communication flow

What is a consequence of triggering the SYN Cookie countermeasure?

It could potentially lead to a larger DDoS attack.

What happens when SYN Cookie is enabled during a TCP connection attempt?

No resources are reserved for the SYN packet.

What is the primary purpose of using a SYN Cookie in TCP connections?

To prevent resource reservation for half-open connections.

How does the TCP Reset Attack typically function?

By sending spoofed TCP reset (RST) packets to terminate connections.

What role does the sequence number play when SYN Cookies are used?

It is critical for resource reservation once the expected ACK is received.

What is the consequence of not reserving resources for a SYN packet in the SYN queue?

Increased risk of denial-of-service attacks.

What mechanism is employed to compute the SYN Cookie?

COMPUTED using IP address and port number.

What does it mean when a connection is marked as a 'proven destination' in TCP?

The connection is always treated as legitimate once established.

What happens to the session during a session hijacking attack?

Both sides keep sending packets while the client freezes.

What is the purpose of redirecting standard input and standard output in a reverse shell?

To allow the attacker to receive input and output from the victim's machine.

What does the command '0&1' represent in the context of a reverse shell on Unix?

It combines standard input with standard error, allowing for uniform feedback.

Why won’t a firewall allow an attacker to connect to the victim's machine through usual connections?

Firewalls are designed to block all incoming traffic by default.

What is a significant risk associated with attempting session hijacking techniques on unauthorized targets?

It can result in legal action against the attacker.

Study Notes

VirtualBox and VM NAT

• VM NAT can drop packets by responding with RST because SYN/ACK lacks the SYN record.

SYN Flooding Attack Countermeasures

• TCP retransmission on the server resets half-open connections after 5 retries (net.ipv4.tcp_synack_retries = 5).
• A SYN flood attack must send multiple packets faster than the server resets connections.
• The SYN queue size can be modified (net.ipv4.tcp_max_syn_backlog = 512) to reduce defenses against attacks.

TCP Cache and SYN Cookies

• TCP cache keeps a quarter of its queue available for proven connections, preventing resource reservation without active connections.
• SYN cookie helps mitigate SYN flooding by avoiding storage of SYN packets until resources are actually needed.
• A hash is computed from the IP address and port before sending the SYN/ACK; it matches with an incoming ACK to reserve resources.

TCP Reset Attack

• Closing TCP connections can be likened to completing a phone call.
• Fast-moving ACK numbers in streaming require guessing to fit into the receiver's window.

Constructing RST Packets

• Sniffing TCP packets allows creating and spoofing RST packets to terminate active connections.
• Effectiveness diminishes in encrypted connections like SSH.

TCP Session Hijacking

• An attacker can take over an existing TCP session, inserting malicious data or gaining unauthorized access.
• Once the session is established, security relies on the sequence number defined in TCP packets.
• Process includes sniffing, guessing or predicting the sequence number, injecting packets, and taking over the session.

Sequence Number Importance

• Sequence numbers in packets must be accurate for both TCP RST attacks and session hijacking.
• For RST attacks, an attacker needs to provide x+1 as the sequence number.

Session Hijacking Techniques

• Manual spoofing requires the acknowledgment bit to be set to include the correct Ack#.
• Automatic spoofing can use previously known values to replicate sequence accuracy, easing the injection process.

Impacts on TCP Sessions

• During hijacking, continuous packet exchanges freeze the client's side, manipulating the session dynamics.

Reverse Shell Exploits

• Attackers can bypass firewalls using reverse shells obtained via successful session hijacking, creating a shell on the attacker's machine.
• With Unix, standard input and output can be redirected allowing remote execution of commands that transmit error messages back to the attacker.

Description

This quiz covers various aspects of network security focusing on TCP attacks such as SYN flooding and TCP reset attacks. It also discusses countermeasures like SYN cookies and adjusting TCP settings to mitigate these vulnerabilities. Test your understanding of how these concepts relate to network performance and security.