The Internet Encyclopedia (Volume 3)



Mateti WL040/Bidgolio-Vol I WL040-Sample.cls June 20, 2003 13:24 Char Count= 0



make it rather easy to predict this sequence number. The attacker either sniffs the current SEQ/ACK of the connection or can algorithmically predict them.

Closing a Connection by FIN
The attacker constructs a spoofed FIN packet. It will have
the correct SEQ numbers so that it is accepted by the
targeted host connection. This host would believe the
(spoofed) sender did not have any data left. Any packets
that may follow would be ignored as bogus. The rest of
the four-way handshake is also supplied by the attacker.
A similar connection killing attack using RST has also
been seen.

Connection Hijacking
Host YY accepts packets from XX only when correct SEQ/ACK numbers are used. The attacker ZZ can send one or two packets to YY, spoofing the source address as XX, at a time when XX is silent. YY would accept these data and update its ACK numbers. XX would continue to send its old SEQ numbers, as it is unaware of the spoofed data. As a result, subsequent packets from XX are discarded by YY. The attacker ZZ could then impersonate XX, using SEQ/ACK numbers that are correct from the perspective of YY. This results in ZZ hijacking the connection: host XX is confused while YY thinks nothing is wrong, as ZZ sends “correctly synchronized” packets to YY.
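
The sequence-number bookkeeping described above can be followed in a small model, added here as an example that is not part of the original text. It uses the RFC 793 acceptability test, simplifies YY to in-order data only, and all numbers are constructed; it also shows the signal XX can observe, namely YY acknowledging bytes that XX never sent.

```python
MOD = 2 ** 32   # TCP sequence numbers wrap at 32 bits

class Receiver:
    """YY's state for the XX -> YY direction (simplified: in-order data only)."""
    def __init__(self, rcv_nxt, window=65535):
        self.rcv_nxt, self.window = rcv_nxt, window

    def acceptable(self, seq, length):
        # RFC 793 test for a data segment: first or last byte lies in the window.
        first = (seq - self.rcv_nxt) % MOD
        last = (seq + length - 1 - self.rcv_nxt) % MOD
        return first < self.window or last < self.window

    def receive(self, seq, length):
        """Process a data segment and return the ACK number YY replies with."""
        if seq == self.rcv_nxt and self.acceptable(seq, length):
            self.rcv_nxt = (self.rcv_nxt + length) % MOD
        return self.rcv_nxt

def acks_unsent_data(ack, snd_nxt):
    """True when a peer acknowledges bytes this host has not sent yet."""
    ahead = (ack - snd_nxt) % MOD
    return 0 < ahead < 2 ** 31

def simulate():
    yy = Receiver(rcv_nxt=1000)      # constructed numbers
    xx_snd_nxt = 1000                # XX has been silent since byte 999
    # A 10-byte segment carrying XX's source address that XX never sent.
    after_spoof = yy.receive(seq=1000, length=10)
    # XX resumes with 5 bytes at its own, now stale, sequence number.
    xx_ok = yy.acceptable(xx_snd_nxt, 5)
    ack_to_xx = yy.receive(xx_snd_nxt, 5)
    xx_snd_nxt += 5
    return {"rcv_nxt_after_spoof": after_spoof,
            "xx_segment_accepted": xx_ok,
            "xx_sees_ack_for_unsent_data": acks_unsent_data(ack_to_xx, xx_snd_nxt)}

if __name__ == "__main__":
    print(simulate())
```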

APPLICATIONS
Nearly all network applications are based on a client–server architecture where one process, the client, requests services from a second process, the server. Typically, the client and server processes are on different machines, but they need not be.

File Transfer Protocol (FTP), Telnet, and rlogin
The three application protocols described in this section are all based on TCP. They send authentication information and data in the clear (i.e., unencrypted), and hence are easily compromised by network sniffers. Also, their only authentication of a host is the IP address that it responds to. Consequently, utilities based on these protocols should not be used in situations where security is a concern. SSH, described later, provides nearly equivalent functionality at a higher level of security.

Telnet
Telnet [RFC 854] establishes a TCP connection with a telnet server on the reserved port 23, passes the keystrokes of the telnet client to the server, and accepts the output of the server as characters to be displayed on the client. The server presents these keystrokes to the OS hosting the telnet server as input received from a pseudo-terminal. Telnet defines a network virtual terminal (NVT) format that permits interoperability between machines that use different characters for common operations such as terminating a line and interrupting a run-away process. The telnet client typically maps the signal-generating keys of the keyboard to invoke the corresponding control functions of the NVT. The control functions are encoded as escape sequences of 2 bytes: the IAC (255), followed by the 1-byte code of the control function. Telnet uses the URGENT DATA mechanism of TCP to send control functions so that the telnet server can respond appropriately.
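
A monitoring or logging tool that reads a captured Telnet stream has to separate these escape sequences from the keystroke data. The parser below is an added example, not code from the original text; it goes beyond the 2-byte case described above and also handles the RFC 854 option negotiation (3 bytes), subnegotiation, the IAC IAC escape for a literal byte 255, and a sequence cut off at the end of the buffer. The function names and the sample bytes are constructed.

```python
IAC, SB, SE = 255, 250, 240
NAMES = {241: "NOP", 242: "DM", 243: "BRK", 244: "IP", 245: "AO", 246: "AYT",
         247: "EC", 248: "EL", 249: "GA",
         251: "WILL", 252: "WONT", 253: "DO", 254: "DONT"}

def read_subnegotiation(buf, j):
    """Read an SB body starting at j; return (body, next_index) or None if cut off."""
    body = bytearray()
    while j + 1 < len(buf):
        if buf[j] == IAC and buf[j + 1] == SE:
            return bytes(body), j + 2
        if buf[j] == IAC and buf[j + 1] == IAC:   # escaped 255 inside the body
            body.append(IAC)
            j += 2
        else:
            body.append(buf[j])
            j += 1
    return None

def parse_telnet(buf):
    """Split a Telnet byte stream into (data, commands, unparsed_tail)."""
    data, commands, i = bytearray(), [], 0
    while i < len(buf):
        if buf[i] != IAC:                      # ordinary NVT data byte
            data.append(buf[i])
            i += 1
            continue
        if i + 1 >= len(buf):                  # lone IAC: wait for more bytes
            break
        cmd = buf[i + 1]
        if cmd == IAC:                         # IAC IAC is the data byte 255
            data.append(IAC)
            i += 2
        elif 251 <= cmd <= 254:                # negotiation: third byte is the option
            if i + 2 >= len(buf):
                break
            commands.append((NAMES[cmd], buf[i + 2]))
            i += 3
        elif cmd == SB:
            sub = read_subnegotiation(buf, i + 2)
            if sub is None:
                break
            commands.append(("SB", sub[0]))
            i = sub[1]
        else:                                  # 2-byte control function
            commands.append((NAMES.get(cmd, cmd), None))
            i += 2
    return bytes(data), commands, bytes(buf[i:])

# Constructed sample: data, DO option 1, literal 0xFF, IP, a subnegotiation, cut-off IAC.
SAMPLE = (b"hi" + bytes([255, 253, 1]) + b"\xff\xff" + bytes([255, 244])
          + bytes([255, 250, 24, 1, 255, 240]) + b"ok" + bytes([255]))
```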

File Transfer Protocol (FTP)
FTP [RFC 959, 1985] uses two TCP connections, one called the control connection and the other the data connection. The client can issue a number of commands on the control connection that change various settings of the FTP session. All content transfer occurs on the data connection. The FTP client opens a control connection to port 21 of the FTP server machine. This connection persists for the entire session. The format of data passed over the control connection is the same as that of telnet NVT. The GET command requests the transfer of contents that the server has (popularly known as downloading), and the PUT command requests the server to receive and store the contents that the client is about to send (popularly known as uploading).
The data connection can be opened in two modes. In active mode FTP, the server initiates a data connection as needed from its port 20 to a port whose number is supplied by the client via the PORT command. In passive mode FTP, the server informs the client of a port number higher than 1024, to which the client initiates a data connection.
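
Because the address and port of the data connection travel as text on the control connection, a packet filter or log reviewer has to decode them to know which data connection to expect. The following is an added example, not part of the original text: it decodes the RFC 959 h1,h2,h3,h4,p1,p2 tuple from a PORT command or a 227 passive-mode reply and reports who connects to whom. The function names, the two checks and the sample addresses are assumptions made for the illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply (RFC 959)
TUPLE = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

def data_endpoint(line):
    """Decode the advertised (ip, port) from a control-connection line."""
    m = TUPLE.search(line)
    if not m:
        raise ValueError("no address/port tuple in %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(v > 255 for v in nums):
        raise ValueError("field out of range in %r" % line)
    return ".".join(str(v) for v in nums[:4]), nums[4] * 256 + nums[5]

def expected_data_flow(line, client_ip, server_ip):
    """Return (mode, (initiator, source, destination), warnings)."""
    ip, port = data_endpoint(line)
    if line.upper().startswith("PORT "):
        # Active mode: the server connects from its port 20 to the client's port.
        mode, owner = "active", client_ip
        flow = ("server", (server_ip, 20), (ip, port))
    elif line.startswith("227 "):
        # Passive mode: the client connects to the port the server announced.
        mode, owner = "passive", server_ip
        flow = ("client", (client_ip, None), (ip, port))   # source port unknown
    else:
        raise ValueError("not a PORT command or 227 reply")
    warnings = []
    if ip != owner:
        # Assumed policy: the advertised host should be the control-connection peer.
        warnings.append("address is not the control-connection peer")
    if port <= 1024:
        # The text states this bound for passive mode; for active mode it is assumed.
        warnings.append("port is not above 1024")
    return mode, flow, warnings

# Constructed control-connection lines (documentation address ranges).
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
ACTIVE = "PORT 198,51,100,7,19,137"
PASSIVE = "227 Entering Passive Mode (192,0,2,10,195,80)."
ODD = "PORT 203,0,113,9,0,22"
```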

rlogin
The rlogin protocol [RFC 1282] is similar in functionality
to telnet, and also operates by opening a TCP connection
on the rlogin server machine at port 513. It is widely used
between UNIX hosts because it provides transport of more
of the UNIX terminal environment semantics than does
the telnet protocol, and because on many UNIX hosts it
can be configured not to require user entry of passwords
when connections originate from trusted hosts.

Dynamic Host Configuration Protocol (DHCP)
DHCP [RFC 2131, 1997] consists of a protocol for delivering host-specific configuration parameters from a DHCP server to a host, and a mechanism for allocation of IP addresses to hosts. The IP configuration parameters that DHCP can supply include subnet mask, a list of default routers, TTL, and MTU. A typical host will use DHCP soon after booting into the OS to configure its network. DHCP assumes that the IP layer software will pass the packets delivered to the NIC of the host even though the IP address has not been assigned yet. DHCP has three mechanisms for IP address allocation. In “automatic allocation,” DHCP assigns a permanent IP address to a client. In “dynamic allocation,” DHCP leases an IP address to a client for a limited period of time (or until the client explicitly relinquishes the address). In “manual allocation,” a client’s IP address is manually assigned, and DHCP is used to convey the assigned address to the client. Dynamic allocation is the only one of the three mechanisms that allows automatic reuse of an address that is no longer needed by the client to which it was assigned.