
Firewalls and Internet Security, Second Edition, part 10 (pot)




DOCUMENT INFORMATION

Basic information

Format
Pages: 50
Size: 391.29 KB

Contents

List of Bombs

1. IP source addresses aren't unstable (page 20).
2. Fragmented packets have been abused to avoid security checks (page 21).
3. ARP-spoofing can lead to session-hijacking (page 22).
4. Sequence number attacks can be used to subvert address-based authentication (page 23).
5. It is easy to spoof UDP packets (page 27).
6. ICMP Redirect messages can subvert routing tables (page 27).
7. IP source routing can subvert address-based authentication (page 29).
8. It is easy to generate bogus RIP messages (page 29).
9. The inverse DNS tree can be used for name-spoofing (page 32).
10. The DNS cache can be contaminated to foil cross-checks (page 32).
11. IPv6 network numbers may change frequently (page 35).
12. IPv6 host addresses change frequently, too (page 35).
13. WEP is useless (page 39).
14. Attackers have the luxury of using nonstandard equipment (page 39).
15. Return addresses in mail aren't reliable, and this fact is easily forgotten (page 42).
16. Don't blindly execute MIME messages (page 43).
17. Don't trust RPC's machine name field (page 48).
18. Rpcbind can call RPC services for its caller (page 50).
19. NIS can often be persuaded to give out password files (page 50).
20. It is sometimes possible to direct machines to phony NIS servers (page 50).
21. If misconfigured, TFTP will hand over sensitive files (page 53).
22. Don't make ftp's home directory writable by ftp (page 56).
23. Don't put a real password file in the anonymous ftp area (page 56).
24. It is easy to wiretap telnet sessions (page 58).
25. The r commands rely on address-based authentication (page 60).
26. Be careful about interpreting WWW format information (page 65).
27. WWW servers should be careful about URLs (page 65).
28. Poorly written query scripts pose a danger to WWW servers (page 66).
29. The MBone can be used to route through some firewalls (page 67).
30. Scalable security administration of peer-to-peer nodes is difficult (page 69).
31. An attacker anywhere on the Internet can probe for X11 servers (page 70).
32. UDP-based services can be abused to create broadcast storms (page 72).
33. Web servers shouldn't believe uploaded state variables (page 76).
34. Signed code is not necessarily safe code (page 80).
35. JavaScript is dangerous (page 82).
36. Users are ill-equipped to make correct security choices (page 83).
37. Humans choose lousy passwords (page 96).
38. There are lots of ways to grab /etc/passwd (page 98).
39. There is no absolute remedy for a denial-of-service attack (page 107).
40. Hackers plant sniffers (page 128).
41. Network monitoring tools can be very dangerous on an exposed machine (page 159).
42. Don't believe port numbers supplied by outside machines (page 178).
43. It is all but impossible to permit most UDP traffic through a packet filter safely (page 207).
44. A tunnel can be built on top of almost any transport mechanism (page 235).
45. If the connection is vital, don't use a public network (page 236).

List of Acronyms

ACM  Association for Computing Machinery
AES  Advanced Encryption Standard
AFS  Andrew File System
AH  Authentication Header
ARP  Address Resolution Protocol
AS  Autonomous System
ATM  Asynchronous Transfer Mode
BGP  Border Gateway Protocol
BPF  Berkeley packet filter
BoF  birds of a feather
CA  Certificate Authority
CBC  Cipher Block Chaining
CCS  Computers and Communication Security
CERT  Computer Emergency Response Team
CFB  Cipher Feedback
CGI  Common Gateway Interface
CIDR  Classless Inter-Domain Routing
CIFS  Common Internet File System
COTS  Commercial Off-The-Shelf
DCE  Distributed Computing Environment
DDoS  Distributed Denial-of-Service
DES  Data Encryption Standard
DHCP  Dynamic Host Configuration Protocol
DMZ  demilitarized zone
DNS  Domain Name System
DOS  denial-of-service
DRM  digital rights management
DSO  dynamic shared object
DSS  Digital Signature Standard
DTE  domain and type enforcement
DVMRP  Distance Vector Multicast Routing Protocol
ECB  Electronic Code Book
ESP  Encapsulating Security Protocol
FAQ  frequently asked questions
FEP  Firewall Enhancement Protocol
FERPA  Family Educational Rights and Privacy Act
FTP  File Transfer Protocol
GPS  Global Positioning System
GSS-API  Generic Security Service Application Program Interface
GUI  graphical user interface
HOTS  Hacker Off-the-Shelf
HTML  Hypertext Markup Language
HTTP  Hypertext Transfer Protocol
ICMP  Internet Control Message Protocol
IDS  intrusion detection system
IETF  Internet Engineering Task Force
IFF  Identification Friend or Foe
IKE  Internet Key Exchange
IM  Instant Messaging
IP  Internet Protocol
IPP  Internet Printing Protocol
IPSP  IP Security Policy
IRC  Internet Relay Chat
ISOC  Internet Society
ISP  Internet service provider
IV  initialization vector
KDC  Key Distribution Center
KINK  Kerberized Internet Negotiation of Keys
KISS  keep it simple, stupid
L2TP  Layer Two Tunneling Protocol
LDAP  Lightweight Directory Access Protocol
LISA  Large Installation Systems Administration
MAC  message authentication code
MIB  management information base
MIME  Multipurpose Internet Mail Extensions
MLS  multilevel secure system
MSIE  Microsoft Internet Explorer
NANOG  The North American Network Operators' Group
NAS  Network Access Server
NAT  Network Address Translation
ND  Neighbor Discovery
NDSS  Networks and Distributed Systems Security
NFR  Network Flight Recorder
NFS  Network File System
NIDS  Network IDS
NIS  Network Information Service
NNTP  Network News Transfer Protocol
NSA  National Security Agency
NTP  Network Time Protocol
OFB  output feedback
OSPF  Open Shortest Path First
OTP  One-Time Password
PAM  Pluggable Authentication Module
PGP  Pretty Good Privacy
PHP  PHP Hypertext Preprocessor
PIN  personal identification number
PKI  Public Key Infrastructure
PKIX  Public Key Infrastructure (X.509)
PPP  Point-to-Point Protocol
PPTP  Point-to-Point Tunneling Protocol
PSTN  Public Switched Telephone Network
RA  Router Advertisement
RADIUS  Remote Authentication Dial In User Service
RIP  Routing Information Protocol
RPC  Remote Procedure Call
RPM  Red Hat Package Manager
RR  resource record
RTP  Real-Time Transport Protocol
S-box  substitution box
S/MIME  Secure Multipurpose Internet Mail Extensions
SA  security association
SAC  Strategic Air Command
SASL  Simple Authentication and Security Layer
SCTP  Stream Control Transmission Protocol
SIP  Session Initiation Protocol
SMB  Server Message Block
SMS  Server Management System
SMTP  Simple Mail Transfer Protocol
SNMP  Simple Network Management Protocol
SOAP  Simple Object Access Protocol
SPD  Security Policy Database
SPI  Security Parameter Index
SSL  Secure Socket Layer
TCB  Trusted Computing Base
TCP  Transmission Control Protocol
TCPA  Trusted Computing Platform Alliance
TFN  Tribe Flood Network
TFTP  Trivial File Transfer Protocol
TGS  Ticket-Granting Server
TKIP  Temporal Key Integrity Protocol
TLA  Three Letter Abbreviation
TLS  Transport Layer Security
TTL  time-to-live
UDP  User Datagram Protocol
UPS  uninterruptible power supply
URL  Uniform Resource Locator
VPN  virtual private network
W3C  World Wide Web Consortium
WEP  Wired Equivalent Privacy
WWW  World Wide Web
XDMCP  X Display Manager Control Protocol
XDR  External Data Representation

Posted: 14/08/2014, 18:20
