So Many Vulnerabilities in TCP/IP Protocol?

Reply in the public account below:Interview Manual to get the three interview PDF manuals compiled by Jie Ge.

According to the analysis report on the cybersecurity monitoring data of China’s internet in the first half of 2020, malicious program-controlled servers, denial of service attacks (DDoS), and other network attacks have been on the rise. To this day, network attacks have become one of the main factors affecting network information security and business information security.

A network attack refers to the act of exploiting vulnerabilities and security flaws in the network to attack the software and hardware of network systems and their system data. The TCP/IP protocol, as the foundational protocol of the network, did not consider that the network would face so many threats from the beginning of its design, leading to many attack methods. Since all communications in the network originate from data packets, automatic collection and decoding analysis of data packets can quickly discover and trace network attacks.

TCP/IP Protocol

The industry typically divides the TCP/IP protocol stack into four layers: the link layer, network layer, transport layer, and application layer.

  • The link layer is primarily used to handle the transmission of data over physical media (such as Ethernet, Token Ring, etc.), implementing the network driver for the network interface card;

  • The network layer uses the IP protocol as the core of the entire protocol stack, whose main functions include packet routing and forwarding, achieving internetworking and congestion control;

  • The transport layer provides end-to-end communication for applications between hosts, defining two protocols: TCP and UDP;

  • The main function of the application layer is to handle the logic of applications, such as file transfer, name resolution, and network management. Protocols at this layer include the FTP file transfer protocol based on TCP, the HTTP hypertext transfer protocol, and the DNS domain name service based on UDP.

So Many Vulnerabilities in TCP/IP Protocol?TCP/IP Protocol Model Layer Structure Diagram

Because the TCP/IP protocol has four layers, and each layer has different functions and protocols, the attack methods targeting different protocol layers also vary: attacks on the link layer mainly involve physical destruction of network hardware and infrastructure or forcibly altering router routes; the IP protocol and ARP protocol are the two most important protocols in the network layer, with attacks on the network layer mainly including IP fragmentation attacks and ARP spoofing; since the TCP and UDP protocols are the two main protocols of the transport layer, there are many attacks targeting the transport layer, including DoS attacks; while the application layer has the most protocols in the entire protocol stack, the number of attacks on this layer is enormous, commonly including DNS spoofing.

ARP Attack

ARP (Address Resolution Protocol) resolves the IP address of a network host into a MAC address, with each host device having an ARP cache (ARP Cache). By checking its own ARP cache, it can determine whether to directly map (if present) or broadcast an ARP request packet (if absent);

Then it checks whether the target IP address in the packet matches its own IP address. If they match, it can send an ARP response to inform the MAC address;

When the source node receives the ARP response packet, it can add the obtained target host IP address and MAC address mapping entry to its own ARP cache.

So Many Vulnerabilities in TCP/IP Protocol?ARP Protocol Working Principle

ARP attacks achieve ARP spoofing by forging IP addresses and MAC addresses, creating a large amount of ARP traffic in the network to cause network congestion. As long as the attacker continuously sends forged ARP response packets, they can change the IP-MAC entries in the target host’s ARP cache, causing network interruption or man-in-the-middle attacks. Therefore, ARP attacks are often referred to as ARP spoofing.

Although ARP attacks can only occur on Ethernet and have a low threshold, their impact can be significant, leading to situations such as network disconnection, limited traffic, and account theft. Network operations can implement ARP defense mechanisms, such as deploying network mirroring on switches to capture suspicious packets for analysis, and can also combine techniques like DHCP snooping and IP source protection to maintain network security.

DoS Attack

The TCP protocol is a connection-oriented reliable communication method based on streams, which can reduce the bandwidth overhead caused by retransmissions in poor network conditions.

Specifically, the process of establishing a TCP connection involves three steps, with each step connecting the sender and receiver, commonly known as the “three-way handshake”: the sender sends a SYN packet, enters the SYN_SENT state, indicating the server port it plans to connect to and the initial sequence number, and waits for the receiver to confirm;

The receiver receives the SYN packet and sends a SYN_ACK to confirm with the sender, entering the SYN_RECV state; the sender receives the SYN_ACK packet and sends an ACK to the receiver, completing the connection establishment.

So Many Vulnerabilities in TCP/IP Protocol?

TCP Three-Way Handshake

Since the TCP protocol is a connection-oriented transport control protocol, the main purpose of DoS attacks is to make user hosts or networks unable to receive or process external requests. For example, by generating a large volume of useless data to cause network congestion, preventing the attacked host from communicating normally with the outside;

utilizing connection duplication flaws to repeatedly send duplicate service requests, making it unable to process other requests normally; or exploiting protocol flaws to repeatedly send attack data, occupying host or system resources, leading to crashes.

In simple terms, a DoS (Denial of Service) attack typically uses packet flooding to disrupt or severely hinder local service responses to legitimate external requests, causing the local system to crash.

SYN flood attacks are the most common type of DoS attack. The attacker disguises their own IP source address and sends TCP connection requests to the local system;

the local system replies with SYN-ACK to the disguised address, causing the local system to not receive RST messages and be unable to receive ACK responses, remaining in a half-connected state until resources are exhausted. The attacker sends connection requests faster than the TCP timeout release resource speed, using repeated connection requests to prevent the local service from receiving other connections.

The best way to mitigate SYN flood attacks is to implement preventive strategies by using network performance management tools to automatically filter suspicious packets, shorten SYN timeout periods, and set SYN cookies to assign a cookie for each request. If repeated SYN packets from a certain IP are received within a short time, it is considered an attack, and that IP address is discarded.

DNS Attack

The IP protocol relies on IP addresses and IP routers to transmit data information packets from the original device to the destination device. IP addresses are machine language, usually long, so despite their uniqueness, they are inconvenient to remember and use. Based on this, people invented DNS. DNS (Domain Name System) is a domain name system that is usually shorter, combining readability and practicality. Since domain names correspond one-to-one with IP addresses, users only need to enter the domain name in the address bar while browsing the internet, and the system will directly resolve the domain name, translating it into an IP address.

After executing the domain name search, the domain name server saves the domain name records, each record containing the domain name and IP address. If a certain address of the domain name server is artificially modified, it can manipulate the user’s access address, a behavior known as “domain hijacking.” The initiators of “domain hijacking” are domain name server providers, so the effective way to solve this problem is to abandon or switch domain name servers.

In addition to “domain hijacking,” another common DNS attack is called “domain pollution” or “domain spoofing.” When a computer sends a “domain query” to the domain name server, the domain name server sends the response back to the computer. The process of sending requests and receiving information involves a time difference. Network attacks can forge incorrect responses to the computer before the correct information is received, resulting in the information being an incorrect IP.

In the face of network attacks, in addition to raising security awareness and actively maintaining the system, strengthening firewall settings, we can also analyze data packets to trace network attacks.

By collecting and decoding network data, mastering the minutest changes in the network, and effectively configuring alert information based on the characteristic values or behaviors of network attacks, we can quickly locate attacks in the network.

We can also use network performance management tools with security protection functions, such as Tiandan NPM, which supports automatic analysis of suspicious packets like TCP port scanning, ARP attacks, and DoS attacks, achieving automatic alerts to ensure normal data transmission and usage.

Recommended Reading

12 Questions About the Soul of TCP Protocol to Strengthen Your Network Foundation!

Make sure to take this TCP summary!

TCP Three-Way Handshake and Four-Way Teardown and 11 States

After three days and two nights of hard work, I finally finished this lengthy article on TCP/IP!

Wow! Impressive! It’s the first time I’ve seen an expert explain the TCP three-way handshake and four-way teardown so clearly.

Leave a Comment