
Loose source routing (LSR). The sender specifies a list of IP addresses that the traffic or packet must go through, but it could also go through any other addresses that it needs to. In other words, you do not care about the exact path the packet takes through the network, as long as it goes through these addresses.

Strict source routing (SSR). The sender specifies the exact path that the packet must take. If the exact path cannot be taken, the packet is dropped and an ICMP message is returned to the sender. In other words, you care about the exact path the packet must take, and if it cannot take this path for any reason, the packet is not delivered.

You might wonder why source routing was put into the IP specification in the first place. In the early days of the Internet, it was helpful from a troubleshooting standpoint, because you could specify which path a packet took through the network. Also, when new links are set up on a network, it is helpful to force certain packets through those links to make sure they are working properly before all traffic is sent across the link. This way, if there is a problem, it can be fixed without causing a disruption of service. It can also be helpful if you want to make sure traffic does not go through a competitor's router or a hostile router. For example, if one of your competitors owns an ISP, you might want to specify the exact route your proposals take through the network to make sure that your competitor cannot get a copy.

Some companies use source routing to test the redundancy of their networks. For some companies, high availability is very important. This means that if a device or connection on a network goes down, there are alternate ways for the traffic to get routed. The simplest way to do this is to have backup routers. A company has a primary router and a backup router, and the backup router only is used if the primary router goes down.

But how does a company know if the backup router is working properly? Ideally, there should be some way to test it beforehand, because waiting for the primary router to go down to see if the backup is working can be very risky. By utilizing source routing, the company can send test packets where it specifies that it wants the packet to go through the backup router. This way, the company can see if the backup system is configured correctly without taking down the primary system.

Source routing works by using a source route option of up to 39 bytes in the IP header. Because source routing is put in the IP header, there is a limit to how many IP addresses can be specified. Of the 39 bytes, 3 are overhead (the option type, its length, and a pointer to the next address to use), which leaves 36 bytes for the addresses. Each address uses 4 bytes, so dividing 36 by 4 gives room for 9 addresses, but it's not that simple. Because the last address must be the destination address, it only leaves room for 8 intermediate addresses. As you can imagine, with the growth of the Internet, there are cases where the number of hops a packet goes through is more than 8. In these cases, only loose source routing can be used, because strict source routing would drop the packet if the exact path were not found. For an in-depth description of the IP and TCP protocols, see TCP/IP Illustrated, Volume 1, by W. Richard Stevens (Addison-Wesley).

Hackers Beware © New Riders Publishing (p. 130)

Basically, source routing works by taking the first address from the list and making that the destination address. If strict source routing is specified, that address must be the next hop; if it is not, the packet is dropped. Depending on how your firewall is configured, this can result in an ICMP Destination Unreachable message being generated. If your firewall filter is set to Reject, an ICMP Destination Unreachable message is sent back to the source. If the firewall is configured to Deny (silently drop), no message is generated and the packet is just discarded.

With loose source routing, it does not matter how many other hops a packet goes through before it gets to the address specified in the list. After it gets to that address, the next address is pulled off the list and becomes the destination. It continues in that fashion until either the final destination is reached or the packet cannot be routed. It is important to note that if the sender used a source route to reach the destination, the destination machine's TCP/IP stack normally reverses that recorded route for its replies. This is why it is so dangerous: you might not know it is being used. You might reply to a packet, and if the sender used source routing, you will automatically be using source routing without knowing it.

To illustrate how source routing is used, we will look at the traceroute program that comes with both UNIX and Windows. Both let you specify a loose source route on the command line. On a UNIX machine, you use the -g option, which takes the gateway address followed by the target:

traceroute -g 10.10.10.5 10.35.50.10

On a Windows machine, you use the -j option of tracert in the same way:

tracert -j 10.10.10.5 10.35.50.10

To show you how source routing modifies the route, the following is the output from doing an ordinary traceroute to www.newriders.com:


Tracing route to scone.donet.com [205.133.113.87] over a maximum of 30 hops:

  1     5 ms     4 ms     2 ms  10.4.0.1
  2     5 ms     5 ms     4 ms  208.246.68.97
  3     7 ms     7 ms     7 ms  208.246.68.130
  4     9 ms    11 ms     7 ms  Loopback0.GW2.DCA1.ALTER.NET [137.39.2.154]
  5     7 ms    15 ms     7 ms  105.ATM2-0.XR1.DCA1.ALTER.NET [146.188.161.34]
  6    14 ms    79 ms    14 ms  195.ATM9-0-0.GW1.PIT1.ALTER.NET [146.188.162.73]
  7    67 ms   270 ms   234 ms  oarnet-gw.customer.ALTER.NET [157.130.39.10]
  8    54 ms    45 ms    45 ms  dlp1-atm2-0.dayton.oar.net [199.18.202.101]
  9    46 ms    47 ms    50 ms  donet2-atm3-0s1.dayton.oar.net [199.18.109.226]
 10    50 ms    49 ms    50 ms  scone.donet.com [205.133.113.87]

Trace complete.

Next, I perform a traceroute using loose source routing through the IP address 205.171.24.5, which means that I do not care what route the packet takes as long as it goes through that address. The following is the command issued on a UNIX machine (the Windows equivalent is tracert -j 205.171.24.5 www.newriders.com, and the output below is in tracert's format):

traceroute -g 205.171.24.5 www.newriders.com

The following is the output generated from running this command:

Tracing route to scone.donet.com [205.133.113.87] over a maximum of 30 hops:

  1     2 ms     4 ms     3 ms  10.4.0.1
  2     7 ms     7 ms     9 ms  208.246.68.97
  3    11 ms    10 ms    11 ms  208.246.68.130
  4    27 ms   145 ms    64 ms  Loopback0.GW2.DCA1.ALTER.NET [137.39.2.154]
  5    21 ms    25 ms   728 ms  105.ATM2-0.XR1.DCA1.ALTER.NET [146.188.161.34]
  6    82 ms    74 ms   106 ms  295.ATM7-0.XR1.DCA8.ALTER.NET [146.188.163.14]
  7    43 ms    33 ms    54 ms  189.ATM7-0.BR1.DCA8.ALTER.NET [146.188.162.209]
  8   136 ms    60 ms   150 ms  wdc-brdr-03.inet.qwest.net [205.171.4.69]
  9    14 ms    32 ms   768 ms  wdc-core-03.inet.qwest.net [205.171.24.69]
 10   126 ms    81 ms    69 ms  wdc-core-02.inet.qwest.net [205.171.24.5]
 11    47 ms   110 ms   101 ms  wdc-core-01.inet.qwest.net [205.171.24.1]
 12    53 ms   131 ms    93 ms  chi-core-02.inet.qwest.net [205.171.5.227]
 13    61 ms   119 ms   202 ms  chi-core-01.inet.qwest.net [205.171.20.1]
 14   136 ms   156 ms   104 ms  chi-edge-01.inet.qwest.net [205.171.20.10]
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19  208.46.62.50  reports: Invalid source route specified.

Trace complete.

You can see that the gateway I supplied altered the path the packet took. The first five hops are the same, but from hop 6 onward the route diverges, entering Qwest's network at hop 8 and passing through 205.171.24.5 at hop 10, as I had specified. Also notice that, as dynamic as the Internet is, not every path works. Beyond hop 14 the probes timed out, and at hop 19 the router at 208.46.62.50 rejected the packet with "Invalid source route specified", so the trace never reached scone.donet.com. This is something to keep in mind with source routing: make sure that your packets can still find a valid path to their destination.

As you can see, source routing has tremendous benefits for spoofing. An attacker sends a packet to the destination with a spoofed source address but specifies loose source routing and puts his own IP address in the list. Then, when the recipient responds, the reply goes back to the spoofed address, but not before it goes through the attacker's machine. The attacker is not flying blind, because he can see both sides of the conversation.

A couple of points are worth noting. First, you might want to specify several addresses besides yours—this way, if someone catches it, he cannot pinpoint who is targeting him. Second, strict source routing could also be used but is a lot harder because you have to know the exact path. My philosophy is, because both will work, why not use loose source routing—after all, it is easy and has a higher chance of success.

As you have seen, using source routing makes it very straightforward to spoof an address and see both sides of the conversation that is taking place. There is a little more detail that has to be covered to make this work smoothly (in terms of sequence numbers), but that will be covered in Chapter 5.

Protection Against Source Routing

The best way to protect yourself or your company against source routing spoofing attacks is to disable source routing at your routers. There are very few cases where people actually use source routing for legitimate purposes, so it is usually a good idea to block this type of traffic from entering or leaving your network. If your router drops all traffic that carries a source route option, an attacker cannot launch this type of attack. On a Cisco router, source routing is controlled with the ip source-route command; no ip source-route disables it. Other routers have similar commands that you can use to disable source routing.

Now let’s look at the third possible way to spoof IP addresses, which is prevalent on UNIX machines: exploiting a trust relationship.

Trust Relationships

Mainly in UNIX environments, machines can set up trust relationships. This is done to make it easier to move from machine to machine. For example, if I am a developer at a company that has five UNIX servers and I work on all five servers, I do not want to constantly have to log on to all the systems. Instead, I set up a trust relationship between the servers. If a user is authenticated by one server and that server has a trust relationship with other servers, the user can move freely between the servers without re-authenticating. The trust relationship basically uses IP addresses for authentication, which, based on what you learned about IP spoofing, is very dangerous. From a convenience standpoint, trust relationships are really nice, but from a security standpoint, they are a nightmare.

After a trust relationship is set up, you can move from machine to machine using the UNIX r commands for access. These commands do not prompt for a password, which means the user does not have to re-type it; the only check is the client's host name (and optionally user name) against a list. To set up a trust relationship, an administrator puts a list of hosts and/or users that are trusted in either an .rhosts file in a user's home directory or in /etc/hosts.equiv for the entire system. The hosts.equiv file is usually more popular because it is done on a system basis, as opposed to a user-by-user basis. The hosts.equiv file either allows or denies hosts and users the use of the r commands (like rlogin or rsh) to connect to another machine without supplying a password. The general format for each line of the file is the following:

+ or - hostname username

where the + sign allows access and the - sign denies access. Basically, the - sign means that the user must always supply a password to gain access. The hostname is the name or IP address of the host that is trusted, and the optional username is a user name on that host that is trusted.

For example, if I trust Sally’s machine, I would put Sally’s hostname in my hosts.equiv file. This way, anyone that is authenticated by Sally is automatically trusted by my machine.

From a spoofing standpoint, trust relationships are easy to exploit. For example, if an attacker knows that server A trusts anyone coming from machine Y, which has an IP address of 10.10.10.5, and he spoofs his address to 10.10.10.5, he is allowed access without a password, because he is trusted. The main problem is still seeing the response traffic, because all of the responses are sent back to the actual IP address that is being spoofed and not to the attacker. For this reason, the attacker is flying blind: he can send packets to a victim but not receive any response. This will be addressed in more detail in Chapter 6.

Protection Against Trust Relationships

The easiest way to protect against a spoofing attack involving trust relationships is to not use them. This is not always an easy solution, because some companies depend on them, but there are things that can be done to minimize exposure. First, limit who has a trust relationship. I have known several companies where, by default, when a new UNIX machine is set up, administrators configure it to trust every other box, when in reality trust relationships are very rarely used at the company. In this case, it makes more sense to determine who really needs a trust relationship and set it up for a small number of machines.

Second, do not allow trust relationships to be used via the Internet. In most cases, a trust relationship is for internal users to access several machines; yet some companies trust machines that are located at an individual’s house or a contractor facility. This is extremely dangerous and should be eliminated or minimized.

Email Spoofing

Email spoofing is done for three main purposes. First, attackers do it to hide their identity. If an attacker wants to send an email to someone, but does not want that person to know it came from him, email spoofing is very effective. Also, in this case, anonymous remailers can be used. An anonymous remailer is an entity that an attacker sends his email to, and the remailer forwards it to the destination, concealing who really sent the message. This allows an attacker to send anonymous email via the Internet. For additional information on how anonymous remailers work, you can access the Anonymous Remailers FAQ at http://www.andrebacard.com/remail.html. A list of anonymous remailers can be found at http://www.looksmart.com/eus1/eus53832/eus155852/eus282841/eus558112/r?l&.

Second, if an attacker wants to impersonate someone or get someone else in trouble, he can spoof that person’s email. This way, whoever receives the email will think it came from the person the attacker is impersonating and will blame that person for the content. Third, email spoofing can be used as a form of social engineering. For example, if an attacker wants you to send him a sensitive file and the attacker spoofs his email address so you think the request is coming from your boss, you might send him the email.

There are three basic ways to perform email spoofing and each has various levels of difficulty to perform and various levels of covertness. The following are the three main types:

Similar email address

Modify mail client

Telnet to port 25

Each of these types will be covered, showing the relative ease to perform email spoofing and what can be done to protect against it.

Similar Email Address

Some people do not consider this email spoofing, because it is so easy and straightforward, but because I see attackers use it to extract information, we will cover it in this section. People have become so accustomed to using email that they tend to trust it blindly, without carefully examining who the email is really from.

With this type of attack, an attacker finds out the name of a boss or supervisor at a company. Because most companies post their management team on their Web site, this is fairly easy to do. After he has an individual's name and his supervisor's name, the attacker registers an email address that looks similar to the supervisor's name. For example, suppose that Eric works at ABC Company and Johny John, Eric's supervisor, is the vice president of IT. The attacker simply goes to hotmail, Netscape, or one of the other companies that offer free email, and signs up for an account. The attacker picks a username like johnyjohn, john2, johnyjohn55, or something that looks like an account that could belong to Johny John. In the account's Alias (display name) field, he enters Johny John. The display name is what is shown in the From field in your email client. Have you ever noticed that when you receive an email, it does not show the full email address, only a person's name? That is because the email client is set to display just the Name or Alias field. By viewing the email header, you can see what the real email address is, but few users do this.

Now that the attacker has an email address, he sends an email to Eric from this address. In the body of the email, he might say something like the following:

Hello, how is everything going? I was working from home so I am sending this from

my personal email account. I am under some tight deadlines from management and

need you to help me out. Could you send me all of the proposals you have worked on

for the last 3 months and your client list? I have to put together a master list

for management showing them how hard we have been working and I need it ASAP. Your

job depends on it.

Thanks for your help,

Johny John

When Eric receives this, there is a good chance he only sees Johny John in the From field and might not even know it is his personal account. Even if Eric checks, because the email address appears correct, he would probably reply to it and the attacker would get the information he wants. This is a very simple but effective attack methodology. I have seen many clients have very sensitive information compromised, because they trusted the From field of an email.

Protection Against Similar Email Addresses

Users need to be educated on the dangers of email and informed that email is not a secure means of communication. Companies also should teach users how easy it is to spoof or disguise email and to always verify the From field. One way to help users is to configure mail clients so that they always show the full email address and not the alias. The full email address can provide some indication that something unusual is going on. In the preceding case, doing this might not help, because an ambitious employee would not want to question his boss, and if the boss says he needs the information ASAP, the employee might not want to doubt the legitimacy of the email.

To overcome these problems, you should set up the company's email so that it can be accessed remotely and via the Internet. Next, make it company policy that, for security reasons, any work-related activities have to use work email. This way, if the user questions an external email address, he has a policy backing him.

Another possible solution is to use public key cryptography. If the sender digitally signs the message with his private key and you can verify that signature with his public key, you can assume that the message actually came from him, unless his private key was compromised. As you will see throughout this book, cryptography helps solve a lot of security problems if used properly. Yet few companies utilize and harness its power.

Modifying a Mail Client

When email is sent from a user, there is no authentication or validation performed on the From address. Therefore, if an attacker has a mail client like Eudora or Outlook, he can go in and specify whatever address he wants to appear in the From line. Figure 4.5 shows the screen that is used by Eudora.

Figure 4.5. Account setup dialog box for Eudora mail client.

In this case, an attacker can specify whatever return address he wants. The only catch is that when the user replies, the reply goes back to the real address and not to the person spoofing the address. In the workplace, this can be nasty if employees start spoofing addresses of other employees with negative comments.

Protection Against Modifying a Mail Client

In this case, preventing employees from modifying a mail client is difficult, but there are some things you can do to minimize their chances. First, make sure you have a security policy or, more specifically, an email policy, outlining that this type of behavior is unacceptable and will result in immediate termination. Then, the policy must be enforced. In other words, if anyone does this, no matter who he is, he must be terminated. One mistake companies make with security policies is that they do not uniformly enforce them; therefore, people do not take them seriously.

Next, you need to make sure that logging is performed on all systems, especially your mail server, and that these logs are carefully preserved. This is so important because, if an employee spoofs another’s email address, you can discover who it was by looking at the logs. Nothing is worse than having a policy that you cannot enforce.

Another way to detect email spoofing is by looking at the full email header. Most mail systems have an option that allows you to view all of the hosts that a message went through from source to destination. This can indicate not only whether someone spoofed an email but where the message originated from. The following is the full header of an email message:

X-Persona: <test>
Received: from manic.cs.test.edu (manic [141.161.20.10])
        by cssun.test.edu (8.9.2/8.9.2) with ESMTP id NAA08916
        for <colee@cssun.test.edu>; Mon, 30 Oct 2000 13:47:18 -0500 (EST)
Received: from test.com ([207.159.90.19])
        by manic.cs.test.edu (8.9.1b+Sun/8.9.1) with ESMTP id NAA11633
        for <colee@cs.test.edu>; Mon, 30 Oct 2000 13:46:27 -0500 (EST)
Received: by test.com from localhost
        (router,SLMail V2.7); Mon, 30 Oct 2000 15:39:17 -0500
Received: by test.com from ibm1
        (208.246.68.48::mail daemon; unverified,SLMail V2.7); Mon, 30 Oct 2000 15:39:16 -0500
Message-Id: <4.2.0.58.20001030134740.0094acd0@mail1.test.com>
X-Sender: ecole@209.229.51.254
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Mon, 30 Oct 2000 13:48:18 -0500
To: eric@cs.test.edu
From: Eric Cole <eric@test.com>
Subject: Test
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-UIDL: 7cd8eb5f25d62871b140b12063f92b35

test

In this example, test.edu and test.com are sample names that were used to protect the real sites. By going through this header, you can see that
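As an added example that is not the book's code, the following Python reads a header like the one above the way an analyst does: it walks the Received lines from the bottom (oldest) up, pulls out who handed the message to whom, and reports the cheap indicators worth checking. The sample input is the header printed above, with the page's sanitized test.edu and test.com names; the indicator checks (an MTA marking a hop "unverified", a From address whose user part differs from the X-Sender account, a From domain that never appears at the first hop) are ones I would run, not conclusions the book draws.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# The header shown above (test.edu / test.com are the page's sanitized names), embedded
# here so the example runs offline.
SAMPLE = """X-Persona: <test>
Received: from manic.cs.test.edu (manic [141.161.20.10])
    by cssun.test.edu (8.9.2/8.9.2) with ESMTP id NAA08916
    for <colee@cssun.test.edu>; Mon, 30 Oct 2000 13:47:18 -0500 (EST)
Received: from test.com ([207.159.90.19])
    by manic.cs.test.edu (8.9.1b+Sun/8.9.1) with ESMTP id NAA11633
    for <colee@cs.test.edu>; Mon, 30 Oct 2000 13:46:27 -0500 (EST)
Received: by test.com from localhost
    (router,SLMail V2.7); Mon, 30 Oct 2000 15:39:17 -0500
Received: by test.com from ibm1
    (208.246.68.48::mail daemon; unverified,SLMail V2.7); Mon, 30 Oct 2000 15:39:16 -0500
Message-Id: <4.2.0.58.20001030134740.0094acd0@mail1.test.com>
X-Sender: ecole@209.229.51.254
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Mon, 30 Oct 2000 13:48:18 -0500
To: eric@cs.test.edu
From: Eric Cole <eric@test.com>
Subject: Test
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-UIDL: 7cd8eb5f25d62871b140b12063f92b35

test
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received_chain(raw):
    """Return the Received hops in transit order (earliest first). Each hop records the
    'from' and 'by' host names, any IPv4 literals the receiving MTA wrote down, the
    timestamp after the last ';', and whether the MTA itself marked the hop unverified."""
    msg = message_from_string(raw)
    hops = []
    # Each MTA prepends its Received line, so the bottom one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())              # unfold continuation lines
        clause, _, stamp = text.rpartition(";")
        frm = re.search(r"\bfrom\s+(\S+)", clause)
        by = re.search(r"\bby\s+(\S+)", clause)
        hops.append({
            "from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "ips": IPV4.findall(clause),
            "date": stamp.strip(),
            "unverified": "unverified" in clause.lower(),
        })
    return hops


def origin_of(hops):
    """Best evidence of where the message entered the mail system: the earliest hop's IP
    literal if the receiving MTA recorded one, otherwise the name the client gave."""
    first = hops[0]
    return first["ips"][0] if first["ips"] else first["from"]


def spoofing_indicators(raw):
    """Cheap checks a mail admin runs on a suspicious message. Only the Received lines
    written by your own servers are trustworthy; anything below them can be forged."""
    msg = message_from_string(raw)
    hops = parse_received_chain(raw)
    findings = [f"{h['by']} accepted mail from '{h['from']}' unverified"
                for h in hops if h["unverified"]]
    _, from_addr = parseaddr(msg.get("From", ""))
    _, x_sender = parseaddr(msg.get("X-Sender", ""))
    if x_sender and x_sender.split("@")[0] != from_addr.split("@")[0]:
        findings.append(f"From says {from_addr} but the client account (X-Sender) is {x_sender}")
    domain = from_addr.rpartition("@")[2].lower()
    if hops and domain and not (hops[0]["by"] or "").lower().endswith(domain):
        findings.append(f"From domain {domain} does not appear at the first hop ({hops[0]['by']})")
    return findings
```

Reading the chain bottom-up is the point: the topmost Received line was written by your own server and can be trusted, and each line below it is only as honest as the server that wrote it, so the earliest hop is where the evidence is weakest and where the "unverified" marker matters most.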
