_____________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ _____________________________________________________ ADVISORY NOTICE Internet Address Spoofing and Hijacked Session Attacks January 23, 1995 1100 PST Number F-08 _____________________________________________________________________________ PROBLEM: Sophisticated new attacks on Internet systems based on forged IP packets and hijacked login sessions. PLATFORMS: Primarily Unix systems connected to the Internet, although all systems that support session authentication based on IP addresses are potentially vulnerable. Systems protected by packet filtering firewalls may also be vulnerable. DAMAGE: Unauthorized privileged access to systems. SOLUTION: Enable router packet filtering on inbound Internet traffic, and protect systems against root compromise. _____________________________________________________________________________ VULNERABILITY These attacks represent a significant new threat to Internet ASSESSMENT: systems. Without proactive measures in place, these attacks are very difficult to detect or defend against. CIAC strongly recommends sites implement the solutions described below as soon as is possible. _____________________________________________________________________________ Critical Information about the Internet Attacks CIAC has received information regarding a new attack technique on systems connected to the Internet. These attacks are based on the exploitation of two separate vulnerabilities: forging or spoofing the source address of IP packets and hijacking already established login sessions. Although these vulnerabilities are currently being used together to attack systems, each may also be used on its own. Both of these vulnerabilities must be addressed in order to keep systems secure. IP Spoofing Attacks ------------------- Description ----------- The first vulnerability, spoofing IP packets, allows an intruder on the Internet to effectively impersonate a local system's IP address. If other local systems perform session authentication based on the IP address of a connection (e.g. rlogin with .rhosts or /etc/hosts.equiv files under Unix), they will believe incoming connections from the intruder actually originate from a local "trusted host" and will not require a password. This technique is especially damaging when root connections are permitted with no password. Services that are vulnerable to forged IP packets include: SunRPC & NFS BSD Unix "r" commands, including rlogin Services secured by TCP Wrappers using source address access control X Windows It is possible for forged packets to penetrate firewalls based on filtering routers if the router is not configured to block incoming packets with source addresses in the local domain. It is important to note that this attack is possible even if no session packets can be routed back to the attacker. Note also that this attack is not based on the source routing option of the IP protocol. The IP spoofing attacks are very similar to those described in section 2 of "Security Problems in the TCP/IP Protocol Suite" by Steve Bellovin. This paper was published in _Computer Communication Review_ vol. 19, no. 2 (April 1989), pages 32-48. It is also available via anonymous FTP from research.att.com in the file /dist/internet_security/ipext.ps.Z. Additional information is available in the paper "A Weakness in the 4.2BSD Unix TCP/IP Software," by Robert T. Morris. It is also available via anonymous FTP from research.att.com in the file /dist/internet_security/117.ps.Z. Detection --------- IP spoofing attacks are currently very difficult to detect. If your site has the ability to monitor network traffic on the external interface of your Internet router, examine incoming traffic for packets with both a source and destination address in your local domain. Such packets should never be found entering your site from the Internet and are a strong indicator that an IP spoofing attack is in progress. Users within the Department of Energy (DOE) and Department of Defense (DOD) communities may obtain a new version of the Network Intrusion Detector (NID) with added features allowing the detection of IP spoofing attacks. Please contact Bob Palasek, NID Project Leader, at (510) 422-8527 or palasek@llnl.gov, for more information. Additionally, two freely available software tools are known to allow this type of packet monitoring on Unix systems: tcpdump and netlog. The tcpdump package is available via anonymous FTP from ftp.ee.lbl.gov in the file /tcpdump.tar.Z (MD5 checksum 4D8975B18CAD40851F382DDFC9BD638F). When built and installed, the command # tcpdump src net X.Y and dst net X.Y will print all packets found that claim to have both a source and destination IP address on the X.Y network. The netlog package, developed at Texas A&M University, is available via anonymous FTP at coast.cs.purdue.edu in the file /pub/tools/unix/TAMU/netlog-1.2.tar.gz (MD5 checksum 1DD62E7E96192456E8C75047C38E994B). When built and installed, it may be invoked with the command # tcplogger -b | extract -U -e 'srcnet=X.Y.0.0 && dstnet=X.Y.0.0 {print}' to scan for packets with a source and destination address on the same network. Prevention ---------- Currently, the best defense against IP spoofing attacks is to filter packets as they enter your router from the Internet, blocking any packet that claims to have originated inside your local domain. This feature, known as an input filter, is currently known to be supported by several brands of routers: Bay Networks/Wellfleet, version 5 and later Cabletron with LAN Secure Cisco, RIS software version 9.21 and later Livingston NSC If your current router hardware does not support packet filtering on inbound traffic, a second router may be installed between the existing router and the Internet connection. This second router may then be used to filter spoofed IP packets with an output filter. Hijacked Session Attacks ------------------------ Description ----------- The second attack currently being observed involves the use of a tool called "tap" to take over existing login sessions on a system. This tool allows an intruder with root access to gain control of any other session currently active on the system, executing commands as if they had been typed by the owner of the session. If the user session has previously performed a telnet or rlogin to another system, then the intruder may gain access to the remote system as well, bypassing any authentication normally required for access. Currently, the tap tool is only known to affect SunOS 4.1.x systems, although the system features that allow the attack are not unique to Sun systems. Detection --------- The owner of the hijacked session may notice unusual activity, including the appearance of commands typed by the intruder. Users should be notified of this possibility and encouraged to report any suspicious activity. Prevention ---------- The primary defense against this attack is to prevent root compromise through careful system management, installation of security patches, and network controls such as firewalls. The tap tool currently in use makes use of SunOS loadable module support to dynamically modify the operation of the running Unix kernel. CIAC recommends that sites not requiring loadable modules disable this feature on their SunOS 4.1.x systems. To do so, edit the kernel configuration file found in the /sys/`arch -k`/conf directory and comment out the following line with a "#" character: options VDDRV # loadable modules Then build and install the new kernel: # /etc/config CONFIG_NAME # cd ../CONFIG_NAME # make # cp /vmunix /vmunix.orig # cp vmunix / # sync; sync; sync Finally, reboot the system to activate the new kernel. Note that intruders have been known to regenerate their own kernels and reboot systems to install the functionality they desire. The authenticity of the running kernel should be verified after any unexplained system reboots. _____________________________________________________________________________ CIAC wishes to acknowledge the contributions of the CERT Coordination Center, Eric Allman, Steve Bellovin, Keith Bostic, Bill Cheswick, Mike Karels, and Tsutomu Shimomura for their assistance in the construction of this bulletin. _____________________________________________________________________________ For emergencies and off-hour assistance, DOE and DOE contractor sites can contact CIAC 24-hours a day via an integrated voicemail and SKYPAGE number. To use this service, dial 1-510-422-8193 or 1-800-759-7243 (SKYPAGE). The primary SKYPAGE PIN number, 8550070 is for the CIAC duty person. A second PIN, 8550074 is for the CIAC Project Leader. CIAC's FAX number is 510-423-8002, and the STU-III number is 510-423-2604. Send E-mail to ciac@llnl.gov. Previous CIAC notices, anti-virus software, and other information are available on the Internet via anonymous FTP from ciac.llnl.gov (IP address 128.115.19.53). CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information; 2. CIAC-NOTES for Notes, a collection of computer security articles; 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send requests of the following form: subscribe list-name LastName, FirstName PhoneNumber as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and "PhoneNumber." Send to: ciac-listproc@llnl.gov not to: ciac@llnl.gov e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36 subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36 You will receive an acknowledgment containing address and initial PIN, and information on how to change either of them, cancel your subscription, or get help. _____________________________________________________________________________ PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.