Security problems in the TCP/IP protocol suite

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Security problems in the TCP/IP protocol suite

Full text

Pdf (2.72 MB)

Source

ACM SIGCOMM Computer Communication Review archive
Volume 19 , Issue 2 (April 1989) table of contents

Pages: 32 - 48

Year of Publication: 1989

ISSN:0146-4833

Author

S. M. Bellovin

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 54, Downloads (12 Months): 387, Citation Count: 58

Additional Information:

abstract cited by index terms collaborative colleagues

Tools and Actions:	Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/378444.378449 What is a DOI?

ABSTRACT

The TCP/IP protocol suite, which is very widely used today, was developed under the sponsorship of the Department of Defense. Despite that, there are a number of serious security flaws inherent in the protocols, regardless of the correctness of any implementations. We describe a variety of attacks based on these flaws, including sequence number spoofing, routing attacks, source address spoofing, and authentication attacks. We also present defenses against these attacks, and conclude with a discussion of broad-spectrum defenses such as encryption.

CITED BY 58

	John Zao , Joshua Gahm , Gregory Troxel , Matthew Condell , Pam Helinek , Nina Yuan , Isidro Castineyra , Stephen Kent, A public-key based secure mobile IP, Wireless Networks, v.5 n.5, p.373-390, Oct. 1999
	Jari Arkko , Tuomas Aura , James Kempf , Vesa-Matti Mäntylä , Pekka Nikander , Michael Roe, Securing IPv6 neighbor and router discovery, Proceedings of the 3rd ACM workshop on Wireless security, p.77-86, September 28-28, 2002, Atlanta, GA, USA
	John Zao , Stephen Kent , Joshua Gahm , Gregory Troxel , Matthew Condell , Pam Helinek , Nina Yuan , Isidro Castineyra, A public-key based secure mobile IP, Proceedings of the 3rd annual ACM/IEEE international conference on Mobile computing and networking, p.173-184, September 26-30, 1997, Budapest, Hungary
	Jun Xu , Mukesh Singhal, Design of a high-performance ATM firewall, ACM Transactions on Information and System Security (TISSEC), v.2 n.3, p.269-294, Aug. 1999
	Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, ACM SIGCOMM Computer Communication Review, v.30 n.4, p.295-306, October 2000
	Anish Bhimani, Securing the commercial Internet, Communications of the ACM, v.39 n.6, p.29-35, June 1996
	Jim Binkley , William Trost, Authenticated ad hoc routing at the link layer for mobile systems, Wireless Networks, v.7 n.2, p.139-145, March/April 2001
	A. Khan , N. Al-Darwish , M. Guizani , M. Benten , H. Youssef, Design and implementation of a software bridge with packet filtering and statistics collection functions, International Journal of Network Management, v.7 n.5, p.251-263, September—October 1997
	Joris Claessens , Bart Preneel , Joos Vandewalle, (How) can mobile agents do secure electronic transactions on untrusted hosts? A survey of the security issues and the current solutions, ACM Transactions on Internet Technology (TOIT), v.3 n.1, p.28-48, February 2003
	Udaya Kiran Tupakula , Vijay Varadharajan, A practical method to counteract denial of service attacks, Proceedings of the twenty-sixth Australasian conference on Computer science: research and practice in information technology, p.275-284, February 01, 2003, Adelaide, Australia
	Christos Douligeris , Aikaterini Mitrokotsa, DDoS attacks and defense mechanisms: classification and state-of-the-art, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.44 n.5, p.643-666, 5 April 2004
	Jie Ren , Richard Taylor , Paul Dourish , David Redmiles, Towards an architectural treatment of software security: a connector-centric approach, ACM SIGSOFT Software Engineering Notes, v.30 n.4, July 2005
	Wenke Lee , Salvatore J. Stolfo , Kui W. Mok, Algorithms for mining system audit data, Data mining, rough sets and granular computing, Physica-Verlag GmbH, Heidelberg, Germany, 2002
	Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Network support for IP traceback, IEEE/ACM Transactions on Networking (TON), v.9 n.3, p.226-237, June 2001
	Wenke Lee , Salvatore J. Stolfo , Kui W. Mok, Adaptive Intrusion Detection: A Data Mining Approach, Artificial Intelligence Review, v.14 n.6, p.533-567, December 1, 2000
	Randall J. Atkinson, Toward a More Secure Internet, Computer, v.30 n.1, p.57-61, January 1997
	Yih-Chun Hu , Adrian Perrig , Marvin Sirbu, SPV: secure path vector routing for securing BGP, ACM SIGCOMM Computer Communication Review, v.34 n.4, October 2004
	Nicholas Puketza , Mandy Chung , Ronald A. Olsson , Biswanath Mukherjee, A Software Platform for Testing Intrusion Detection Systems, IEEE Software, v.14 n.5, p.43-51, September 1997
	Kurt Gutzmann, Access Control and Session Management in the HTTP Environment, IEEE Internet Computing, v.5 n.1, p.26-35, January 2001
	Florian P. Buchholz , Clay Shields, Providing process origin information to aid in computer forensic investigations, Journal of Computer Security, v.12 n.5, p.753-776, September 2004
	Terence K. T. Law , John C. S. Lui , David K. Y. Yau, You Can Run, But You Can't Hide: An Effective Statistical Methodology to Trace Back DDoS Attackers, IEEE Transactions on Parallel and Distributed Systems, v.16 n.9, p.799-813, September 2005
	Casey Carter , Robin Kravets , Jean Tourrilhes, Contact networking: a localized mobility system, Proceedings of the 1st international conference on Mobile systems, applications and services, p.145-158, May 05-08, 2003, San Francisco, California
	Antonio Pescapè , Giorgio Ventre, Experimental analysis of attacks against intradomain routing protocols, Journal of Computer Security, v.13 n.6, p.877-903, December 2005
	Nicholas J. Puketza , Kui Zhang , Mandy Chung , Biswanath Mukherjee , Ronald A. Olsson, A Methodology for Testing Intrusion Detection Systems, IEEE Transactions on Software Engineering, v.22 n.10, p.719-729, October 1996
	William Enck , Patrick Traynor , Patrick McDaniel , Thomas La Porta, Exploiting open functionality in SMS-capable cellular networks, Proceedings of the 12th ACM conference on Computer and communications security, November 07-11, 2005, Alexandria, VA, USA
	Dmytro Zakhalyavko , Constantine Manikopoulos, Detecting denial of service attacks using database queries, Proceedings of the 9th WSEAS International Conference on Communications, p.1-7, July 14-16, 2005, Athens, Greece
	S. Kent, Comments on “security problems in the TCP/IP protocol suite”, ACM SIGCOMM Computer Communication Review, v.19 n.3, p.10-19, July 1989
	Thomas E. Daniels , Eugene H. Spafford, Network traffic tracking systems: folly in the large?, Proceedings of the 2000 workshop on New security paradigms, p.119-124, September 18-21, 2000, Ballycotton, County Cork, Ireland
	Dijiang Huang , Qing Cao , Amit Sinha , Marc J. Schniederjans , Cory Beard , Lein Harn , Deep Medhi, New architecture for intra-domain network security issues, Communications of the ACM, v.49 n.11, p.64-72, November 2006
	Niels Provos, A virtual honeypot framework, Proceedings of the 13th conference on USENIX Security Symposium, p.1-1, August 09-13, 2004, San Diego, CA
	Tal Garfinkel , Mendel Rosenblum, When virtual is harder than real: security challenges in virtual machine based computing environments, Proceedings of the 10th conference on Hot Topics in Operating Systems, p.20-20, June 12-15, 2005, Santa Fe, NM
	Robert Stone, Centertrack: an IP overlay network for tracking DoS floods, Proceedings of the 9th conference on USENIX Security Symposium, p.15-15, August 14-17, 2000, Denver, Colorado
	Peter M. Gleitz , Steven M. Bellovin, Transient addressing for related processes: improved firewalling by using IPV6 and multiple addresses per host, Proceedings of the 10th conference on USENIX Security Symposium, p.8-8, August 13-17, 2001, Washington, D.C.
	Florian P. Buchholz , Clay Shields, Providing Process Origin Information to Aid in Network Traceback, Proceedings of the General Track: 2002 USENIX Annual Technical Conference, p.261-274, June 10-15, 2002
	Aviel D. Rubin, Independent one-time passwords, Proceedings of the 5th conference on USENIX UNIX Security Symposium, p.15-15, June 05-07, 1995, Salt Lake City, Utah
	Steven M. Bellovin, Using the domain name system for system break-ins, Proceedings of the 5th conference on USENIX UNIX Security Symposium, p.18-18, June 05-07, 1995, Salt Lake City, Utah
	Wenke Lee , Salvatore J. Stolfo, Data mining approaches for intrusion detection, Proceedings of the 7th conference on USENIX Security Symposium, 1998, p.6-6, January 26-29, 1998, San Antonio, Texas
	Carsten Benecke , Uwe Ellermann, Securing 'classical IP over ATM networks', Proceedings of the 7th conference on USENIX Security Symposium, 1998, p.7-7, January 26-29, 1998, San Antonio, Texas
	Steven M. Bellovin, Problem areas for the IP security protocols, Proceedings of the 6th conference on USENIX Security Symposium, Focusing on Applications of Cryptography, p.21-21, July 22-25, 1996, San Jose, California
	Laurent Joncheray, A Simple active attack against TCP, Proceedings of the 5th conference on USENIX UNIX Security Symposium, p.2-2, June 05-07, 1995, Salt Lake City, Utah
	Gene H. Kim , Hilarie Orman , Sean O'Malley, Implementing a secure rlogin environment: a case study of using a secure network layer protocol, Proceedings of the 5th conference on USENIX UNIX Security Symposium, p.7-7, June 05-07, 1995, Salt Lake City, Utah
	Barath Raghavan , Saurabh Panjwani , Anton Mityagin, Analysis of the SPV secure routing protocol: weaknesses and lessons, ACM SIGCOMM Computer Communication Review, v.37 n.2, April 2007
	Steena D. S. Monteiro , Robert F. Erbacher, An authentication and validation mechanism for analyzing syslogs forensically, ACM SIGOPS Operating Systems Review, v.42 n.3, April 2008
	Peter M. Gleitz , Steven M. Bellovin, Transient addressing for related processes: improved firewalling by using IPV6 and multiple addresses per host, Proceedings of the 10th conference on USENIX Security Symposium, p.8-8, August 13-17, 2001, Washington, D.C.
	Qijun Gu , Peng Liu , Chao-Hsien Chu, Analysis of area-congestion-based DDoS attacks in ad hoc networks, Ad Hoc Networks, v.5 n.5, p.613-625, July, 2007
	P.C. van Oorschot , Tao Wan , Evangelos Kranakis, On interdomain routing security and pretty secure BGP (psBGP), ACM Transactions on Information and System Security (TISSEC), v.10 n.3, p.11-es, July 2007
	Ariel Futoransky , Fernando Miranda , José Orlicki , Carlos Sarraute, Simulating cyber-attacks for fun and profit, Proceedings of the 2nd International Conference on Simulation Tools and Techniques, March 02-06, 2009, Rome, Italy
	Steven M. Bellovin, Packets found on an internet, ACM SIGCOMM Computer Communication Review, v.23 n.3, p.26-31, July 1993
	Udaya Kiran Tupakula , Vijay Varadharajan, Tracing DDoS Floods: An Automated Approach, Journal of Network and Systems Management, v.12 n.1, p.111-135, March 2004
	Reuven Cohen , Gabi Nakibly, On the computational complexity and effectiveness of N-hub shortest-path routing, IEEE/ACM Transactions on Networking (TON), v.16 n.3, p.691-704, June 2008
	Patrick Traynor , William Enck , Patrick Mcdaniel , Thomas La Porta, Exploiting open functionality in SMS-capable cellular networks, Journal of Computer Security, v.16 n.6, p.713-742, December 2008
	Su-Kit Tang , Kin-Yeung Wong , Kai-Hau Yeung, Record path header for triangle routing attacks in IPv6 networks, WSEAS TRANSACTIONS on COMMUNICATIONS, v.7 n.12, p.1202-1211, December 2008
	Marios S. Andreou , Aad van Moorsel, Logging based IP Traceback in switched ethernets, Proceedings of the 1st European workshop on system security, March 31-31, 2008, Glasgow, Scotland
	Patrick Traynor , Michael Chien , Scott Weaver , Boniface Hicks , Patrick McDaniel, Noninvasive Methods for Host Certification, ACM Transactions on Information and System Security (TISSEC), v.11 n.3, p.1-23, March 2008
	Wesam Lootah , William Enck , Patrick McDaniel, TARP: Ticket-based address resolution protocol, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.15, p.4322-4337, October, 2007
	Su-Kit Tang , Kin-Yeung Wong , Kai-Hau Yeung, Record path header for triangle routing attacks in IPv6 networks, WSEAS TRANSACTIONS on COMMUNICATIONS, v.7 n.6, p.675-684, June 2008
	Senda Hammouda , Zouheir Trabelsi, An enhanced secure ARP protocol and LAN switch for preveting ARP based attacks, Proceedings of the 2009 International Conference on Wireless Communications and Mobile Computing: Connecting the World Wirelessly, June 21-24, 2009, Leipzig, Germany
	Steven M. Bellovin , Randy Bush, Configuration management and security, IEEE Journal on Selected Areas in Communications, v.27 n.3, p.268-274, April 2009