
Thread: TCP and internet security

  1. #1

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2002
    Posts
    352

    TCP and internet security

    I am trying to wrap my head around the fear people have when using port forwarding.

    I use winsock to allow my applications to communicate. To do that on using the internet requires opening a port on the firewall.

    People seem real scared to do that, and I don't understand why. My app uses a protocol I created; other than a hacker figuring out how to make my code do something bad, how does this put the computer in danger?

    I just don't get it....

  2. #2
    PowerPoster
    Join Date
    Feb 2006
    Posts
    20,322

    Re: TCP and internet security

    Open system service ports can expose vulnerabilities. Ports are mysterious to Joe Fivethumbs. Joe Fivethumbs looks like a genius next to any "system administrator" (PC janitor). Therefore ports = bad.

  3. #3

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2002
    Posts
    352

    Re: TCP and internet security

    Quote Originally Posted by dilettante View Post
    Open system service ports can expose vulnerabilities. Ports are mysterious to Joe Fivethumbs. Joe Fivethumbs looks like a genius next to any "system administrator" (PC janitor). Therefore ports = bad.
    I know that is the tag line: "can expose vulnerabilities".

    But what does that mean? Some hacker can send random strings and make things happen?

    WP

  4. #4
    Fanatic Member
    Join Date
    Dec 2012
    Posts
    753

    Re: TCP and internet security

    Any listening port is a potential vulnerability. The more open ports, the greater the risk that some hacker will find a way in. No matter how hard we try, software is never perfect. If you have ever operated an open server, you will know what I am talking about.

    As far as port forwarding is concerned, the big problem is a total lack of standards. Every brand of router is different, so advising a casual user on how to port forward is difficult. Most don't have a clue how to access the router, let alone make changes to it.

    J.A. Coutts

  5. #5
    Hyperactive Member
    Join Date
    Mar 2018
    Posts
    297

    Re: TCP and internet security

    I'm surprised at some of the flippant responses here.

    Open ports are a security vulnerability and it's a "good thing" that the box jockeys are finally pushing back against opening ports for every swinging dick who thinks his "protocol" is immune to attacks.
    Last edited by DllHell; Aug 15th, 2019 at 11:54 AM.

  6. #6
    Hyperactive Member
    Join Date
    Mar 2018
    Posts
    297

    Re: TCP and internet security

    If only there were some ancient and well understood methods for two endpoints to communicate without port forwarding on the client end. That would be super cool.

  7. #7

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2002
    Posts
    352

    Re: TCP and internet security

    to re-state,

    you guys are saying that a hacker will be able to understand my protocol, then use it to harm the computer?

    How is that possible if my TCP communication is limited to very simple commands back and forth? I just don't get it, I still am missing something???

  8. #8
    Hyperactive Member
    Join Date
    Mar 2018
    Posts
    297

    Re: TCP and internet security

    Quote Originally Posted by axisdj View Post
    to re-state,

    you guys are saying that a hacker will be able to understand my protocol, then use it to harm the computer?

    How is that possible if my TCP communication is limited to very simple commands back and forth? I just don't get it, I still am missing something???
    The hacker doesn't need to understand your protocol to perform a DoS/DDoS.

    The hacker doesn't need to understand your protocol to fuzz it (google fragroute).

    Your application isn't the target; it's a convenient vector to attack higher OSI layers. For example, they are sending bad packets in the hope that a Cisco router (or whatever) is the one listening, and then the computer/network is compromised.
    Last edited by DllHell; Aug 15th, 2019 at 01:33 PM.

  9. #9
    Fanatic Member
    Join Date
    Dec 2012
    Posts
    753

    Re: TCP and internet security

    Let me give you an example. Long ago I farmed out our SMTP (email) service to a third party because it was just taking too much effort to deal with the spam. After the ISP service was sold, I dropped SMTP service entirely and removed the "MX" record. The standards say that if the "MX" record is not available, the "A" record can be used. So the server was being bombarded by requests on port 25 (SMTP), fed by "A" DNS requests. To discourage this traffic, I developed my own SMTP server that has zero accounts and re-introduced the "MX" record. The port 25 traffic is now reasonable, and the DNS traffic has been substantially reduced.

    To monitor the SMTP traffic, I added a listening port 26. This port soon became a target for the hackers. So I added a routine that requires a magic secret word to be sent within a few milliseconds, or it closes. On any given day, there are always a few attempts to access this port, but so far it has resisted. On this particular server, I disabled every unnecessary listening port by shutting down the service that opened it. It is also protected by an upfront NAT router that only forwards needed ports. Even with all these precautions, if a hacker is serious about gaining access and has the resources to feed the effort, he/she will eventually succeed.

    J.A. Coutts

  10. #10
    Lively Member
    Join Date
    Mar 2019
    Posts
    64

    Re: TCP and internet security

    Quote Originally Posted by axisdj View Post
    to re-state,

    you guys are saying that a hacker will be able to understand my protocol, then use it to harm the computer?

    How is that possible if my TCP communication is limited to very simple commands back and forth? I just don't get it, I still am missing something???
    The thing is that the internet world is a dangerous place. Honest people (I am assuming the people on this forum) tend to write code as if it will never be abused. I have seen people spin up threads to handle new connections. That is an attack waiting to happen. 100,000 connection attempts and the machine is dead before it's received one command on a socket. Also your commands must NEVER be in plain text. A man in the middle can intercept and start trying different commands with different parameters etc. Does your code always handle it properly? Are there commands in your code that you never expected to use but could cause harm? And a thousand other things that the internet will think of.

    Simple things like making sure you have a valid command before handing it off to a thread to process can make a big difference. In our code, if we get something we don't understand we drop all open connections and refuse to accept any new ones for 60 seconds while simultaneously raising an alert in our monitoring system.

    In internet facing apps you must always code for what MIGHT happen not what you expect to happen.

    cheers
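    The admission-control pattern the post above describes (validate every request line before any worker touches it, cap concurrent handlers instead of spawning one thread per connection, and on unknown input drop everyone, refuse new connections for 60 seconds and raise an alert), written out as an added Python example that is not code from this thread. The command whitelist, line cap and connection cap are constructed values for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical whitelist for a tiny line-based command protocol (constructed
# for this example): command name -> exact number of arguments it accepts.
COMMANDS = {"PING": 0, "GET": 1, "PUT": 2, "QUIT": 0}
MAX_LINE = 256        # hard cap on one request line, in bytes
LOCKOUT_SECS = 60.0   # refuse all new connections this long after bad input
MAX_CONNS = 32        # never spawn an unbounded number of handlers

@dataclass
class Gate:
    """Server-side admission control shared by all connection handlers."""
    locked_until: float = 0.0
    active: int = 0
    alerts: list = field(default_factory=list)

    def accept(self, now: float) -> bool:
        """Decide whether a new TCP connection may be serviced at all."""
        if now < self.locked_until or self.active >= MAX_CONNS:
            return False
        self.active += 1
        return True

    def release(self) -> None:
        self.active = max(0, self.active - 1)

    def trip(self, reason: str, now: float) -> None:
        """Unknown input: drop everyone, refuse new connections, raise an alert."""
        self.locked_until = now + LOCKOUT_SECS
        self.active = 0  # every handler must close its socket after this
        self.alerts.append((now, reason))

def parse_line(raw: bytes):
    """Validate one request line. Returns (cmd, args) or raises ValueError.
    Nothing is handed to a worker until this has accepted it."""
    if len(raw) > MAX_LINE:
        raise ValueError("line too long")
    try:
        text = raw.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        raise ValueError("non-ascii bytes")
    parts = text.split(" ")
    cmd, args = parts[0].upper(), parts[1:]
    if cmd not in COMMANDS:
        raise ValueError("unknown command %r" % cmd)
    if len(args) != COMMANDS[cmd]:
        raise ValueError("bad argument count for %s" % cmd)
    if any(not a.isprintable() or len(a) > 64 for a in args):
        raise ValueError("bad argument")
    return cmd, args

def handle(gate: Gate, raw: bytes, now: float):
    """Returns ('dispatch', cmd, args) for a valid line, or ('lockout', reason)
    after tripping the gate. The real hand-off to a worker happens after this."""
    try:
        cmd, args = parse_line(raw)
    except ValueError as exc:
        gate.trip(str(exc), now)
        return ("lockout", str(exc))
    return ("dispatch", cmd, args)
```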

  11. #11

  12. #12
    Lively Member
    Join Date
    Mar 2019
    Posts
    64

    Re: TCP and internet security

    Use HTTPS

  13. #13
    Frenzied Member wqweto's Avatar
    Join Date
    May 2011
    Posts
    1,477

    Re: TCP and internet security

    Quote Originally Posted by vbwins View Post
    Use HTTPS
    HTTP is fine w/o encryption unless transmitting credentials/sensitive info. I thought you meant plain-text protocols can be exploited on general principles -- just by being plain-text which allows *commands* and *parameters* manipulation.

    cheers,
    </wqw>

  14. #14

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2002
    Posts
    352

    Re: TCP and internet security

    Still don't get it.... Oh well.

    I wonder if there is a place I can go to have hackers try to do something malicious with my code.. Maybe if I see it in action I will understand.

    I would assume they would have to make my very simple communication protocol place a malicious file somewhere and execute it...

    WP

  15. #15
    PowerPoster Arnoutdv's Avatar
    Join Date
    Oct 2013
    Posts
    3,510

    Re: TCP and internet security

    Have a look at the following article, maybe it makes things more clear

    https://www.coengoedegebure.com/buff...cks-explained/

  16. #16
    Hyperactive Member
    Join Date
    Mar 2018
    Posts
    297

    Re: TCP and internet security

    Quote Originally Posted by axisdj View Post
    Still don't get it.... Oh well.
    Because you refuse to acknowledge that the attacker isn't looking at the details of your protocol

    Quote Originally Posted by axisdj View Post
    I wonder if there is a place I can go to have hackers try to do something malicious with my code.. Maybe if I see it in action I will understand.
    Browsing the CVE list should give a good idea about what happens when people expose their software to the internet.

    Quote Originally Posted by axisdj View Post
    I would assume they would have to make my very simple communication protocol place a malicious file somewhere and execute it...
    It's not about your code or protocol. They want to break winsock or any of the numerous libraries used to make your protocol work
    Last edited by DllHell; Aug 16th, 2019 at 09:42 AM.

  17. #17
    Frenzied Member wqweto's Avatar
    Join Date
    May 2011
    Posts
    1,477

    Re: TCP and internet security

    Quote Originally Posted by DllHell View Post
    They want to break winsock or any of the numerous libraries used to make your protocol work
    IMO that's extremely rare. This would compromise all services on the given platform -- apache, DNS -- in one go.

    cheers,
    </wqw>

  18. #18
    Frenzied Member PlausiblyDamp's Avatar
    Join Date
    Dec 2016
    Location
    Newport, UK
    Posts
    1,061

    Re: TCP and internet security

    Quote Originally Posted by wqweto View Post
    HTTP is fine w/o encryption unless transmitting credentials/sensitive info. I thought you meant plain-text protocols can be exploited on general principles -- just by being plain-text which allows *commands* and *parameters* manipulation.

    cheers,
    </wqw>
    The problem with that is often people don't realise what constitutes sensitive info. Potentially anything being accessed once a person is logged in may be considered sensitive as there is a very good chance that there will be cookies involved that contain enough information to potentially allow session hijacking or similar.

    These days if you are doing pretty much anything over the public internet I would recommend https as it isn't difficult to set up and services like letsencrypt remove the cost barrier as well. Coupled with google etc. now flagging a non-https website as "Not secure" (if you need an example just look at the address bar for this website).

    If you are implementing your own protocols over the internet then anything sent unencrypted is potentially visible.

  19. #19
    Frenzied Member wqweto's Avatar
    Join Date
    May 2011
    Posts
    1,477

    Re: TCP and internet security

    Quote Originally Posted by axisdj View Post
    I am trying to wrap my head around the fear people have when using port forwarding.
    You can research SSH tunneling as a considerably more secure alternative, esp. w/ key-based auth; it's quite secure and very convenient as one generic user can have many different keys.

    This is like differentiating your users on login name *and* password combined i.e. john/123456 is different than john/password1 - weird but useful.

    cheers,
    </wqw>

  20. #20
    PowerPoster
    Join Date
    Feb 2006
    Posts
    20,322

    Re: TCP and internet security

    There is also SSH Tunneling. Since Windows 10 has SSH support these days it is more viable than it once was.

  21. #21
    PowerPoster
    Join Date
    Jun 2013
    Posts
    4,322

    Re: TCP and internet security

    Quote Originally Posted by DllHell View Post
    ...you refuse to acknowledge that the attacker isn't looking at the details of your protocol
    ...
    It's not about your code or protocol. They want to break winsock or any of the numerous libraries used to make your protocol work
    That can (should) be ruled out ... same goes for the DDOS attacks you brought up...

    The implementor of a service (using a TCP-listening server-app) has to be able to rely on the
    "lower layers" on a given system, to have a high security-level (unhackable by "normal means").

    These system-layers should be hardened in the meantime - even on windows-OSes,
    otherwise we would not have statistics like the one below (WebServer-usage, Win-OS vs. Linux-OS):
    https://w3techs.com/technologies/com...nux,os-windows


    @axisdj
    So, it's up to you, to implement your Server-App (your protocol above the lower layers) in a way,
    which makes it hard to hack... mainly by avoiding code-snippets which could be used for
    potential buffer-overruns.

    E.g. if you use "CopyMemory-calls" all over the place to do your internal buffer-handling and -caching,
    you should give those calls a second look - on whether the "length of the source-buffer-allocation" -
    as well as the length of the destination-buffer-allocation is within the bounds of the "Bytes you plan to move".

    If you have no such Mem-Moving-APIs in place, then leaving array-bounds-checking enabled within
    your VB-App should be enough of a security-measure against potential buffer-overrun-attacks
    (because compared to "plain C", VB is a quite "secure language", since pointer-based-ops are not used very often).

    As for your "opening a port on the firewall" (for incoming connections).
    I'd avoid that (though not for the same over-paranoid reasons others have brought up).

    I'd avoid it, because sometimes "no amount of talking can convince users ... or admins"
    (and because, in case you were able to convince them, it is still a hassle to "explain to 'normal users'
    per phone or mail, how to do it properly - on one of the hundreds of different inet-router-models,
    which you have to study beforehand, before being able to give proper advice).

    So, as always my question: "What do you really want to do in the end?"

    Why not just set up your own "normal WebServer, which communicates over http or https" on the Public Internet?
    The Ports 80 and 443 are (usually) always "open" on client-machines - even in LANs which have Port-limitations on "outgoing-connections".

    So, each Client-App you deploy has only to know the Public Internet-IP of your own WebServer,
    and can then initiate an (outgoing) connection from the client-side (no Firewall-fiddling required at all).
    If Clients want to communicate with other Clients "directly" (in a chat-like fashion),
    you will have to route these messages over your WebServer, which then acts as a Proxy.

    Olaf
    Last edited by Schmidt; Aug 17th, 2019 at 10:06 AM.
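    The bounds check the post above asks for before every memory move (source offset plus length inside the source allocation, destination offset plus length inside the destination allocation), applied to the place where a Winsock-style server is most exposed to it: reassembling length-prefixed frames from arbitrary recv() chunks into a fixed receive buffer. This is an added Python example, not code from this thread; the 4-byte little-endian length header and the 1024-byte buffer are constructed assumptions.

```python
import struct

RECV_BUF = 1024               # fixed-size receive buffer, as in a Winsock app
HEADER = struct.Struct("<I")  # hypothetical frame header: little-endian length

def safe_move(dst: bytearray, dst_off: int, src: bytes, src_off: int, n: int) -> bool:
    """Copy n bytes only if both ends lie fully inside their allocations.
    This is the check to make before each CopyMemory-style call."""
    if n < 0 or dst_off < 0 or src_off < 0:
        return False
    if src_off + n > len(src):       # would read past the source allocation
        return False
    if dst_off + n > len(dst):       # would write past the destination allocation
        return False
    dst[dst_off:dst_off + n] = src[src_off:src_off + n]
    return True

class FrameAssembler:
    """Reassembles length-prefixed frames out of arbitrary TCP chunks into a
    fixed buffer, refusing any frame whose declared length could not fit."""
    def __init__(self):
        self.buf = bytearray(RECV_BUF)
        self.used = 0

    def feed(self, chunk: bytes):
        """Append one recv() chunk; returns the list of complete payloads.
        Raises ValueError when the peer declares a length that cannot fit."""
        if not safe_move(self.buf, self.used, chunk, 0, len(chunk)):
            raise ValueError("receive buffer exhausted")
        self.used += len(chunk)
        frames = []
        while self.used >= HEADER.size:
            (length,) = HEADER.unpack_from(self.buf, 0)
            # The header is attacker-controlled: check it against the buffer,
            # never trust it to size a copy.
            if length > RECV_BUF - HEADER.size:
                raise ValueError("declared length %d exceeds buffer" % length)
            total = HEADER.size + length
            if self.used < total:
                break                   # wait for more bytes
            frames.append(bytes(self.buf[HEADER.size:total]))
            remaining = self.used - total
            tail = bytes(self.buf[total:self.used])
            safe_move(self.buf, 0, tail, 0, remaining)  # shift leftover down
            self.used = remaining
        return frames
```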

  22. #22

    Thread Starter
    Hyperactive Member
    Join Date
    Jul 2002
    Posts
    352

    Re: TCP and internet security

    Quote Originally Posted by Schmidt View Post
    That can (should) be ruled out ... same goes for the DDOS attacks you brought up...

    The implementor of a service (using a TCP-listening server-app) has to be able to rely on the
    "lower layers" on a given system, to have a high security-level (unhackable by "normal means").

    These system-layers should be hardened in the meantime - even on windows-OSes,
    otherwise we would not have statistics like the one below (WebServer-usage, Win-OS vs. Linux-OS):
    https://w3techs.com/technologies/com...nux,os-windows


    @axisdj
    So, it's up to you, to implement your Server-App (your protocol above the lower layers) in a way,
    which makes it hard to hack... mainly by avoiding code-snippets which could be used for
    potential buffer-overruns.

    E.g. if you use "CopyMemory-calls" all over the place to do your internal buffer-handling and -caching,
    you should give those calls a second look - on whether the "length of the source-buffer-allocation" -
    as well as the length of the destination-buffer-allocation is within the bounds of the "Bytes you plan to move".

    If you have no such Mem-Moving-APIs in place, then leaving array-bounds-checking enabled within
    your VB-App should be enough of a security-measure against potential buffer-overrun-attacks
    (because compared to "plain C", VB is a quite "secure language", since pointer-based-ops are not used very often).

    As for your "opening a port on the firewall" (for incoming connections).
    I'd avoid that (though not for the same over-paranoid reasons others have brought up).

    I'd avoid it, because sometimes "no amount of talking can convince users ... or admins"
    (and because, in case you were able to convince them, it is still a hassle to "explain to 'normal users'
    per phone or mail, how to do it properly - on one of the hundreds of different inet-router-models,
    which you have to study beforehand, before being able to give proper advice).

    So, as always my question: "What do you really want to do in the end?"

    Why not just set up your own "normal WebServer, which communicates over http or https" on the Public Internet?
    The Ports 80 and 443 are (usually) always "open" on client-machines - even in LANs which have Port-limitations on "outgoing-connections".

    So, each Client-App you deploy has only to know the Public Internet-IP of your own WebServer,
    and can then initiate an (outgoing) connection from the client-side (no Firewall-fiddling required at all).
    If Clients want to communicate with other Clients "directly" (in a chat-like fashion),
    you will have to route these messages over your WebServer, which then acts as a Proxy.

    Olaf
    Thanks for the logical response Olaf. I would assume we should be able to count on the OS level functions (winsock) to be as safe as possible.

    I do not use copyMem in any of my communication so that should not be an issue and bounds checking is enabled in my compilation.

    For now I will leave my system in place (because it works and very few use it). I assume if I did this I would need to wrap all communications into what the routers will see as normal webpages? I currently send files back and forth; how would that work using the Web server method?

    I have implemented a very detailed description of how to open/forward the port and a few customers are using it.

    Thanks again Olaf for bringing clarity.

  23. #23
    Super Moderator Shaggy Hiker's Avatar
    Join Date
    Aug 2002
    Location
    Idaho
    Posts
    33,929

    Re: TCP and internet security

    It doesn't have to be web pages. Web Services don't deal in web pages (they can, of course), yet they don't use any special ports. Using something like that to send back and forth files, images, or what not, will work. Not sure what Web Service support VB6 has, but I assume that there is plenty.
    My usual boring signature: Nothing
