# Internet Holes - UDP Viruses

## Series Introduction

The Internet is now the world's most popular network and it is full of potential vulnerabilities. In this series of articles, we explore the vulnerabilities of the Internet and what you can do to mitigate them.

## Background

The Internet Protocol (IP) suite [Standard 5] includes two widely used protocols designed to provide application-level access to services. One of them is the Transmission Control Protocol (TCP) [Standard 7] which is designed to provide reliable end-to-end terminal sessions to the application layer, and the other one is called User Datagram Protocol (UDP) [Standard 6] which is designed, in essence, to simulate an application-level version of IP. UDP packets have the following format:

    0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
I |0|1|0|0|  IHL  |Type of Service|          Total Length         |
P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
h +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
e |  Time to Live |0|0|0|1|0|0|0|1|         Header Checksum       |
a +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
e +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options ...                |    Padding    |
---+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
U |          Source Port          |        Destination Port       |
D +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
P |            Length             |            Checksum           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              Data                             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
...


Whenever a UDP packet shows up at an Internet router, unless specifically configured otherwise, the router will try to route the packet to the destination address specified in the IP header. Each UDP packet stands on its own as far as the IP protocol is concerned, and there are no reliability features associated with these packets. It is the responsibility of the application programs using these packets to provide any desired reliability. The first field (0100) indicates that this is an IP version 4 packet, while the field containing 00010001 is the indicator for a UDP packet.

The UDP portion of the packet includes a Source Port and Destination Port. The Destination Port is used to identify which application program the packet is to be sent to for processing, while the Source Port and the Source Address provide the return address for the application to use when sending response packets, assuming any response is called for. The Length and {\it Checksum fields are used to determine the number of data bytes in the packet and to verify that random noise in transmission hasn't corrupted the packet in transit. Neither of these items provide any protection against malicious modification. The Data area contains the data sent to the application program for its use.

## UDP Virus Examples

Let's start with a simple example of a UDP Virus. Fomr now on, we will eliminate unnecessary detail from the packets:

    0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
I |   4     | ...                                                 |
P +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
h +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
e |                 |    17       | ...                           |
a +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
d |                            127.0.0.1                          |
e +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
r |                        Victim's IP Address                    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
---+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
U |                7              |                7              |
D +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
P |             ...               |               ...             |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                              ...                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
...


In this case, the source and detination ports are both 7, and the source and destination IP addresses are 127.0.0.1 and the victim's IP address. UDP Port 7 is normally the echo service. The function of this service is to transmit whatever data was sent to it back to the source. In this case, the source is identified as IP address 127.0.0.1 - also known as localhost. This special IP address is called the loopback address of the machine sending the packet because it is used for a computer to sent IP messages to itself. When this packet is recieved, a copy of the packet will be sent to port 7 of IP address 127.0.0.1, the echo port of the victim's computer.

Since this packet was from port 7 of the victim's computer, it will, in turn, send a copy of the packet to itself, and off we go. The result is an infinite stream of echo packets sent from the victim's computer to itself. In demonstrations, this has been shown to cause the victim computer to crash.

This particular service (echo) is an accident waiting to happen. In the following examples, we have removed more unnecessary details:

From Port: 7
Dest Port: 7
From IP: Victim-1
Dest IP: Victim-2


In this simple extension of the previous attack, two hosts are targetted to send an infinite stream of packets between each other. The only difference between the previous examnple and this one is that instead of using the loopback address, we use the address of a second victim. On a high speed line, such as an Ethernet, this will likely crash one or both computers and disable the Internet until they crash. In a lower speed line, it will dominate the communications media, widely denying services. But if we want to be more certain of this, we might add something else to the packet. For example, if we set the Type of Service field to Network Control, Low Delay, High Throughput, High Reliability by setting its value to all 1's we will force these packets to override other packets in the path between the two victims.

It turns out that the echo service is not the only UDP service with this sort of a problem. Another example is the {\it daytime service on UDP port 13. The daytime service ignores the data part of the packet sent to it and returns a packet containing the time of day as determined by the clock on the computer providing the service. This is used, among other things, to synchronize clocks for cross matching audit entries between two systems. Here's an example:

From Port: 7
Dest Port: 13
From IP: Victim-1
Dest IP: Victim-2


This is the most complicated example yet. In this case, two different ports on two different systems are used to create the virus. Port 13 on Victim-2 ignores the input and produces a daytime packet, while Port 7 on Victim-1 sends a copy of that packet back to Port 13 on Victim-2 to close the loop.

## Environmental Factors

There is a pattern to the environments that provide ripe breading ground for these protocol-level viruses in the Internet, and that pattern is not very complicated. All of the services return a result regardless of their input, eliminating any syntactic or semantic restriction that could prevent the infinite loop, and all of them either produce more or the same amount of output as they require input to produce that output.

Another way to think about this is to consider that these services form loops without negative feedback mechanisms. A loop without negative feedback either remains stable or grows without bound due to positive feedback, and any perterbation on a stable loop tends to create positive feedback.

To put this concept into practice, let's identify other UDP services that are likely to provide environments for protocol viruses. Here's my short list:

11: systat
17: quote of the day
19: chargen
37: time
43: whois
513: who
550: new-rwho


## Prevention and Limitations

The easiest way to prevent UDP viruses is to turn off all UDP services not in use and block UDP services at routers, firewalls, and other IP filters. Fortunately, the services listed above can be eliminated in most systems without undue harm.

Another form of protection is provided by eliminating outside packets with inside addresses (see the previous Internet Holes article on preventing IP address forgery for further details). This eliminates all of the outside attacks that pit one internal machine against another. Similarly, packet filters could be configured to prevent packets from known viral ports to other known viral ports. For example, we could refuse packets to port 7 from ports 7, 11, 13, 17, 19, 37, 43, 513, and 550 as a start.

Unfortunately, there are some limits on prevention.

One limit is that most systems within a LAN don't have the sort of filtering capability needed to defend against these attacks and most systems that run IP have some of these services enabled by default. This means that almost any insider could easily deny services with such an attack. For example, if a logging server were used to keep log files, this attack could be used to crash the logging server as a prelude to other breakins.

Another limitation is that the Harvest Web server sometimes used UDP port 7 to determine whether or not to update a cached Web file. This means that any server that provides Web caching has to make UDP port 7 available for this service to work properly.

A final limitation is that an insider could set up their own UDP service (e.g., on port 1025) and use this service to crash the computer they are logged into.

## Summary

UDP viruses are a denial of service threat to anyone using the IP protocol, but they are a threat that can be managed with relative easy given proper technology and knowledge.