ADVISORY NOTICE

F-08: Internet Address Spoofing and Hijacked Session Attacks

January 23, 1995 1100 PST


PROBLEM:       Sophisticated new attacks on Internet systems based on
               forged IP packets and hijacked login sessions.
PLATFORMS:     Primarily Unix systems connected to the Internet, although
               all systems that support session authentication based on IP
               addresses are potentially vulnerable.  Systems protected by
               packet filtering firewalls may also be vulnerable.
DAMAGE:        Unauthorized privileged access to systems.
SOLUTION:      Enable router packet filtering on inbound Internet traffic,
               and protect systems against root compromise.

VULNERABILITY  These attacks represent a significant new threat to Internet
ASSESSMENT:    systems.  Without proactive measures in place, these attacks
               are very difficult to detect or defend against.  CIAC strongly
               recommends sites implement the solutions described below as
               soon as is possible.

Critical Information about the Internet Attacks

CIAC has received information regarding a new attack technique on systems connected to the Internet. These attacks are based on the exploitation of two separate vulnerabilities: forging or spoofing the source address of IP packets and hijacking already established login sessions. Although these vulnerabilities are currently being used together to attack systems, each may also be used on its own. Both of these vulnerabilities must be addressed in order to keep systems secure.

IP Spoofing Attacks

Description

The first vulnerability, spoofing IP packets, allows an intruder on the Internet to effectively impersonate a local system's IP address. If other local systems perform session authentication based on the IP address of a connection (e.g. rlogin with .rhosts or /etc/hosts.equiv files under Unix), they will believe incoming connections from the intruder actually originate from a local "trusted host" and will not require a password. This technique is especially damaging when root connections are permitted with no password.

Services that are vulnerable to forged IP packets include:

SunRPC & NFS
BSD Unix "r" commands, including rlogin
Services secured by TCP Wrappers using source address access control
X Windows

It is possible for forged packets to penetrate firewalls based on filtering routers if the router is not configured to block incoming packets with source addresses in the local domain. It is important to note that this attack is possible even if no session packets can be routed back to the attacker. Note also that this attack is not based on the source routing option of the IP protocol.

The IP spoofing attacks are very similar to those described in section 2 of "Security Problems in the TCP/IP Protocol Suite" by Steve Bellovin. This paper was published in _Computer Communication Review_ vol. 19, no. 2 (April 1989), pages 32-48. It is also available via anonymous FTP from research.att.com in the file /dist/internet_security/ipext.ps.Z. Additional information is available in the paper "A Weakness in the 4.2BSD Unix TCP/IP Software," by Robert T. Morris. It is also available via anonymous FTP from research.att.com in the file /dist/internet_security/117.ps.Z.

Detection

IP spoofing attacks are currently very difficult to detect. If your site has the ability to monitor network traffic on the external interface of your Internet router, examine incoming traffic for packets with both a source and destination address in your local domain. Such packets should never be found entering your site from the Internet and are a strong indicator that an IP spoofing attack is in progress.

Users within the Department of Energy (DOE) and Department of Defense (DOD) communities may obtain a new version of the Network Intrusion Detector (NID) with added features allowing the detection of IP spoofing attacks. Please contact Bob Palasek, NID Project Leader, at (510) 422-8527 or palasek@llnl.gov, for more information.

Additionally, two freely available software tools are known to allow this type of packet monitoring on Unix systems: tcpdump and netlog. The tcpdump package is available via anonymous FTP from ftp.ee.lbl.gov in the file /tcpdump.tar.Z (MD5 checksum 4D8975B18CAD40851F382DDFC9BD638F). When built and installed, the command

     # tcpdump src net X.Y and dst net X.Y

will print all packets found that claim to have both a source and destination IP address on the X.Y network. The netlog package, developed at Texas A&M University, is available via anonymous FTP at coast.cs.purdue.edu in the file /pub/tools/unix/TAMU/netlog-1.2.tar.gz (MD5 checksum 1DD62E7E96192456E8C75047C38E994B). When built and installed, it may be invoked with the command

     # tcplogger -b | extract -U -e 'srcnet=X.Y.0.0 && dstnet=X.Y.0.0 {print}'

to scan for packets with a source and destination address on the same network.

Prevention

Currently, the best defense against IP spoofing attacks is to filter packets as they enter your router from the Internet, blocking any packet that claims to have originated inside your local domain. This feature, known as an input filter, is currently known to be supported by several brands of routers:

Bay Networks/Wellfleet, version 5 and later
Cabletron with LAN Secure
Cisco, RIS software version 9.21 and later
Livingston
NSC

If your current router hardware does not support packet filtering on inbound traffic, a second router may be installed between the existing router and the Internet connection. This second router may then be used to filter spoofed IP packets with an output filter.

Hijacked Session Attacks

Description

The second attack currently being observed involves the use of a tool called "tap" to take over existing login sessions on a system. This tool allows an intruder with root access to gain control of any other session currently active on the system, executing commands as if they had been typed by the owner of the session. If the user session has previously performed a telnet or rlogin to another system, then the intruder may gain access to the remote system as well, bypassing any authentication normally required for access.

Currently, the tap tool is only known to affect SunOS 4.1.x systems, although the system features that allow the attack are not unique to Sun systems.

Detection

The owner of the hijacked session may notice unusual activity, including the appearance of commands typed by the intruder. Users should be notified of this possibility and encouraged to report any suspicious activity.

Prevention

The primary defense against this attack is to prevent root compromise through careful system management, installation of security patches, and network controls such as firewalls.

The tap tool currently in use makes use of SunOS loadable module support to dynamically modify the operation of the running Unix kernel. CIAC recommends that sites not requiring loadable modules disable this feature on their SunOS 4.1.x systems.

To do so, edit the kernel configuration file found in the /sys/`arch -k`/conf directory and comment out the following line with a "#" character:

     options        VDDRV           # loadable modules

Then build and install the new kernel:

     # /etc/config CONFIG_NAME
     # cd ../CONFIG_NAME
     # make
     # cp /vmunix /vmunix.orig
     # cp vmunix /
     # sync; sync; sync

Finally, reboot the system to activate the new kernel. Note that intruders have been known to regenerate their own kernels and reboot systems to install the functionality they desire. The authenticity of the running kernel should be verified after any unexplained system reboots.

CIAC wishes to acknowledge the contributions of the CERT Coordination Center, Eric Allman, Steve Bellovin, Keith Bostic, Bill Cheswick, Mike Karels, and Tsutomu Shimomura for their assistance in the construction of this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

UCRL-MI-119788
[Privacy and Legal Notice]