Security Problems in the TCP/IP Protocol Suite
Murray Hill, New Jersey 07974
The TCP/IP protocol suite, which is very widely used today, was developed under the sponsorship of the Department of Defense. Despite that, there are a number of serious security flaws inherent in the protocols, regardless of the correctness of any implementations. We describe a variety of attacks based on these flaws, including sequence number spoofing, routing attacks, source address spoofing, and authentication attacks. We also present defenses against these attacks, and conclude with a discussion of broad-spectrum defenses such as
1. INTRODUCTION
The TCP/IP protocol suite, which is very widely used today, was developed under the sponsorship of the Department of Defense. Despite that, there are a number of serious security flaws inherent in the protocols. Some of these flaws exist because hosts rely on IP source address for authentication; the
are a notable example. Others exist because network control mechanisms, and in particular routing protocols, have minimal or non-existent authentication.
When describing such attacks, our basic assumption is that the attacker has more or less complete control over some machine connected to the Internet. This may be due to flaws in that machine’s own protection mechanisms, or it may be because that machine is a microcomputer, and inherently unprotected. Indeed, the attacker may even be a rogue system administrator.
We are not concerned with flaws in particular implementations of the protocols, such as those used by the Internet “worm”. Rather, we discuss generic problems with the protocols themselves. As will be seen, careful implementation techniques can alleviate or prevent some of these problems. Some of the protocols we discuss are derived from Berkeley’s version of the UNIX system; others are generic
We are also not concerned with classic network attacks, such as physical eavesdropping, or altered or injected messages. We discuss such problems only in so far as they are facilitated or possible because of protocol problems.
For the most part, there is no discussion here of vendor-specific protocols. We do discuss some problems with Berkeley’s protocols, since these have become de facto standards for many vendors, and not just for UNIX systems.
2. TCP SEQUENCE NUMBER PREDICTION
One of the more fascinating security holes was first described by Morris. Briefly, he used TCP sequence number prediction to construct a TCP packet sequence without ever receiving any responses from the server. This allowed him to spoof a trusted host on a local network.
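To make the reasoning concrete, here is an added Python model (not code from the paper): a constructed linear ISN generator of the kind the attack relies on, beside a keyed-hash generator in the style of the later RFC 1948 mitigation, and a check that measures whether an ISN observed on one's own connection predicts the next ISN issued to a different endpoint. The step value, secret and addresses are assumptions for illustration.

```python
import hashlib
import hmac
import os

MOD = 2**32  # TCP sequence numbers are 32-bit


class LinearISN:
    """Constructed model of a predictable generator: the ISN simply advances
    by a fixed step on every connection, so one observed ISN gives the next.
    The step value is an assumption for illustration, not from the paper."""
    def __init__(self, step=64, start=0):
        self.step, self.value = step, start

    def next_isn(self, src, dst):
        self.value = (self.value + self.step) % MOD
        return self.value


class HashedISN:
    """Mitigation in the style of RFC 1948: the same counter, offset by a keyed
    hash of the connection endpoints, so an ISN seen on one connection says
    nothing about the ISN that another endpoint will receive."""
    def __init__(self, secret=None, step=64):
        self.secret = secret or os.urandom(16)  # per-boot secret
        self.step, self.counter = step, 0

    def next_isn(self, src, dst):
        self.counter = (self.counter + self.step) % MOD
        tag = hmac.new(self.secret, f"{src}>{dst}".encode(), hashlib.sha256).digest()
        return (self.counter + int.from_bytes(tag[:4], "big")) % MOD


def predict_next(observed, step):
    """Guess of a blind sender who saw `observed` on a connection of its own
    and assumes the generator is a plain counter with a known step."""
    return (observed + step) % MOD


def predictability(gen, probe, target, trials=20):
    """Fraction of trials in which an ISN observed on `probe` (the observer's
    own connection) exactly predicts the next ISN issued for `target` (a
    connection it never sees replies on). 1.0 means fully predictable."""
    hits = 0
    for _ in range(trials):
        seen = gen.next_isn(*probe)
        actual = gen.next_isn(*target)
        hits += predict_next(seen, gen.step) == actual
    return hits / trials
```

Calling `predictability(LinearISN(), probe, target)` on two constructed endpoint pairs returns 1.0, while the hashed generator returns 0.0, which is the property a host's ISN generator should have.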