
UDP less secure?

  • 29-03-2009 05:19AM
    #1
    Moderators, Category Moderators, Science, Health & Environment Moderators, Society & Culture Moderators Posts: 47,767 CMod ✭✭✭✭


    The 3G wireless card I use to access the web is UDP. I realise that UDP is stateless and somewhat unreliable when compared to TCP, in that it does not acknowledge that packets have been received, and is consequently a bit faster than TCP. But is UDP less secure than TCP?


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I'd say a lot less secure.

    There would be lots of potential for MITM attacks against applications using UDP.
    Unless there was some kind of verification/integrity check of the data, which is highly unlikely if the application is using UDP in the first place.

    Don't know any case examples of attacks on UDP though.


  • Closed Accounts Posts: 752 ✭✭✭JimmyCrackCorn!


    UDP is no less secure than TCP. I'm not sure I understand your question, though, regarding accessing websites with UDP? (Edit: re-read your post; see my VPN comment for why it uses UDP.)

    Both protocols transmit data, with the only difference being that TCP adds a layer for flow control and error recovery.

    UDP on the other hand has less overhead and state checking.

    Neither protocol was developed with security in mind when Al Gore invented the internet, and as such they are not secure protocols.

    Arguing which one is more secure than the other is a moot point.

    In general what you will find is that both those protocols (UDP/TCP) will have an extra layer applied on top of them to secure the contents of the communication, depending on needs.

    e.g. Most VPN software works over UDP as you don't want the retry/error recovery functionality of TCP at that level.

    SSL uses TCP as you want it to retry packets if they get lost.

    I hope that helps.


  • Registered Users, Registered Users 2 Posts: 4,187 ✭✭✭_CreeD_


    The most prevalent VPN protocol in use is IPSec, which natively tunnels over its own ESP and (god forbid) AH IP protocols. Yes they can be encapsulated in UDP, and often are for PAT with NAT-T, but it is only an option and one you avoid if possible as it adds overhead (it can also be encapsulated in TCP on some platforms). ISAKMP is handled by UDP but then it is not involved in payload transactions.
    The problem with UDP as stated is not that it in itself is any less secure, but it is harder TO secure as by its nature it does not require connections to be maintained by the protocol itself. Essentially it's much harder for security appliances/software to accurately keep track of UDP flows vs. TCP (though TCP packets can be manipulated to masquerade as valid connections, it is still easier to mitigate threats from it).


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    There are plenty of weaknesses with IPv4 but at least you have to predict sequence numbers to hijack a TCP session, where is this problem with UDP? :P


  • Closed Accounts Posts: 228 ✭✭gnxx


    I don't really buy the fact that DNS is flawed as proof that UDP is less secure than TCP.

    JimmyCrackCorn is absolutely correct. It is a protocol. Security should be a concern higher up the networking stack.

    I'd guess that VPN software (given its security requirement etc.) would handle sequence and reliability.

    BTW: Unreliable is such a nasty term with software. Hard disks could be considered unreliable by the same token ....


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Blue Lagoon wasn't asking about how applications used UDP.
    We're not discussing how ESP can be used with UDP and by the way, there are problems there too.

    I'm amazed at the lack of knowledge about the differences between UDP / TCP here...it's common knowledge.


  • Closed Accounts Posts: 228 ✭✭gnxx


    Can you indicate a post that shows a lack of understanding?

    The only post that showed a complete lack of knowledge was your post suggesting that UDP was responsible for security problems with DNS .. you have since edited out this part of your post.

    Martyr wrote: »
    Blue Lagoon wasn't asking about how applications used UDP.
    We're not discussing how ESP can be used with UDP and by the way, there are problems there too.

    I'm amazed at the lack of knowledge about the differences between UDP / TCP here...it's common knowledge.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    The only post that showed a complete lack of knowledge was your post suggesting that UDP was responsible for security problems with DNS .. you have since edited out this part of your post.

    Yes, very good observation, I edited it before your remark.

    Let me bring you up to speed, we're talking about UDP being less secure than TCP.

    I've argued that UDP IS less secure because of its design...show me where BL mentioned anything about ESP or other protocols that use UDP for transport of data?

    Yes, I'm saying you don't understand, clearly.


  • Registered Users, Registered Users 2 Posts: 8,814 ✭✭✭BaconZombie


    With MiTM attacks both are just as insecure as each other....
    Martyr wrote: »
    There are plenty of weaknesses with IPv4 but at least you have to predict sequence numbers to hijack a TCP session, where is this problem with UDP? :P


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    BOFH_139 wrote:
    With MiTM attacks both are just as insecure as each other....

    Fair enough, I really meant spoofing attacks, which is kinda like a MITM.

    My point is that TCP supports synchronisation, sequence numbers which require predicting if you want to attack the connection.

    UDP by design doesn't support this, it's unreliable.
    gnxx wrote:
    BTW: Unreliable is such a nasty term with software. Hard disks could be considered unreliable by the same token ....

    If you believe reliability isn't fundamental to security of data, then I guess you would say UDP is not less secure than TCP.

    Check out the following article if you still think I'm talking rubbish, why not go and find out for yourselves?
    Unfortunately, simpler, connectionless protocols that run over IP, such as UDP, cannot preserve the security and privacy of the data flow.

    Today, UDP is used in cases where the nature of the data makes reliability less important or when users cannot tolerate the large delay caused by errors like losing a packet in a connection-oriented protocol, such as Transmission Control Protocol (TCP).

    The most common uses of UDP over IP networks are found in applications such as video and audio streaming, and other real-time half-duplex communication links. Unfortunately, UDP has several shortcomings that leave it vulnerable to attack if left unprotected.

    Some of UDP’s security flaws arise because it does not check IP streams for errors or lost packets. Hence, it is extremely susceptible to such attacks as IP-spoofing (masquerading), UDP snooping, and packet interception.

    The challenge is delivering bandwidth intensive applications over a protocol that carries a minimal amount of overhead (such as UDP) without compromising the security, privacy, and reliability desired by the end user.

    common sense.


  • Closed Accounts Posts: 752 ✭✭✭JimmyCrackCorn!


    It's a bit silly to be honest.

    If DNS worked over TCP, which it can do, would people use TCP to be more secure?

    This argument is the equivalent of asking which is more secure, an open door or an open window.

    Each one has mutually exclusive attack vectors.

    e.g. TCP's "reliability" and flow control can be abused in many many ways, the simplest example of which is the SYN flood.

    The key point is there is a valid reason for both protocols and as above none of the protocols that make up the TCP/IP stack were ever designed to be secure and they never will be.

    As for trying to argue that UDP is more secure based on "reliability, sequence, resistance to spoofing", that is literally a fundamentally flawed argument. (yes that applies to the attached article also)


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    It's a bit silly to be honest

    Reliable data is silly? :)
    As for trying to argue that UDP is more secure based on "reliability, sequence, resistance to spoofing", that is literally a fundamentally flawed argument. (yes that applies to the attached article also)

    Flawed how exactly? :D

    TCP uses sequence numbers, UDP uses nothing, hence why I said UDP is less secure.


  • Closed Accounts Posts: 228 ✭✭gnxx


    You are selectively quoting/misquoting. Nobody suggested reliable data is silly.

    As I stated, reliable / unreliable is a nasty term when associated with technology.

    By stating that UDP is unreliable, we are generally making a declaration that packets (a) may go missing and (b) be delivered out of sequence.

    This is the important point. Since the programmer understands this unreliability they can then choose to build these features on top of the basic protocol.

    In the case of TCP, the programmer assumes that the protocol will deliver a basic service (connection-based transport). Furthermore the programmer assumes that the protocol will deliver these services without flaws.

    Given the vast number of attacks on the underlying TCP/IP protocol, this is not the case. This is TRUE unreliability.

    To me, unreliable is when a service fails to deliver on its published and expected behaviour. From experience, the largest security holes are exposed when an underlying component FAILS to deliver on its specified function (i.e. it behaves unreliably).

    Since UDP is so lightweight and simple, it rarely fails to deliver** (even though the RFC states that delivery and duplicate protection are not guaranteed) :-)

    ** Deliver as in perform to specification.

    Martyr wrote: »
    Reliable data is silly? :)



    Flawed how exactly? :D

    TCP uses sequence numbers, UDP uses nothing, hence why I said UDP is less secure.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    gnxx wrote:
    You are selectively quoting/misquoting. Nobody suggested reliable data is silly.

    No, you and jimmy are saying that it doesn't matter if UDP is unreliable for ensuring the security of data in a UDP packet.

    Would you agree on that?
    As I stated, reliable / unreliable is a nasty term when associated with technology.

    So you would buy a computer that only works some of the time?
    Surely you would want something that's reliable, no?
    By stating that UDP is unreliable, we are generally making a declaration that packets (a) may go missing and (b) be delivered out of sequence

    Yes, and that is the reality of UDP, it is clearly documented all over the internet. :D
    To me, unreliable is when a service fails to deliver on its published and expected behaviour. From experience, the largest security holes are exposed when an underlying component FAILS to deliver on its specified function (i.e. it behaves unreliably)

    OK, so UDP is, by your own admission, unreliable, but you shouldn't tell people that? :D


  • Closed Accounts Posts: 228 ✭✭gnxx


    You are not getting the point here.

    The unreliability of UDP is clearly stated by its specification. This makes it reliable from a design viewpoint. Anybody building a secure application on top of UDP will understand its limitations. They will design their code with the understanding of the issues of the protocol.

    TCP/IP makes various promises about its reliability. These promises have been broken/hacked/demonstrated to fail.

    A key cornerstone to security is reliability. Something is unreliable when it doesn't perform as expected.

    UDP performs as expected !! UDP isn't broken when it fails to deliver a packet. UDP isn't broken when packets are delivered out of sequence. The specification clearly states this may occur.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    You are not getting the point here.

    Yeah, you're right, happy? :P


  • Registered Users, Registered Users 2 Posts: 2,534 ✭✭✭FruitLover


    I think points are being missed, and tangents are being gone off on.

    OP, what exactly do you mean by "The 3G wireless card I use to access the web is UDP"?


  • Registered Users, Registered Users 2 Posts: 4,187 ✭✭✭_CreeD_


    Yup, I was going to add to this but every point that needs to be has been made. Martyr, no offense, but you are completely misunderstanding security as it relates to protocols and higher level controls; it has been clarified for you many times and at this stage I think you are refusing to acknowledge this out of stubbornness.
    OP, the transport is irrelevant, it's the underlying data and how it is controlled/encrypted/hashed/checked for consistency by the applications/session managers on either side that define its security.
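What gnxx and _CreeD_ are describing above, that integrity, authenticity and ordering are built by the application on top of a transport that promises none of them, is easier to see in code. The following is an added example, not code from any poster or product mentioned in the thread: a hypothetical envelope for a UDP payload that prepends a sequence number and appends an HMAC-SHA256 tag, and a receiver that verifies the tag and keeps a 64-entry anti-replay window (the same idea as the ESP replay window). The key, the wire format and the window size are assumptions made for illustration.

```python
import hmac
import hashlib
import struct
from typing import Dict, Optional

# Hypothetical envelope carried inside a UDP payload (constructed for this
# example, not a real protocol):
#   8-byte big-endian sequence number || application payload || HMAC-SHA256 tag
# The tag covers the sequence number and the payload together, so neither a
# forged datagram nor a replayed one with an edited payload will verify.
SEQ_LEN = 8
TAG_LEN = 32
WINDOW = 64  # anti-replay window width; same idea as the ESP replay window


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: wrap `payload` as datagram number `seq`."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verify the tag, then reject replays and stale datagrams."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.highest = -1  # highest sequence number accepted so far
        self.seen = 0      # bitmask: bit i set => (highest - i) was accepted

    def open(self, datagram: bytes) -> Optional[bytes]:
        """Return the payload if the datagram is authentic and fresh, else None."""
        if len(datagram) < SEQ_LEN + TAG_LEN:
            return None
        header = datagram[:SEQ_LEN]
        body = datagram[SEQ_LEN:-TAG_LEN]
        tag = datagram[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged, corrupted, or from an unknown sender
        seq = struct.unpack(">Q", header)[0]
        if seq > self.highest:
            # Newer than anything seen: slide the window forward and mark it.
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return body
        offset = self.highest - seq
        if offset >= WINDOW:
            return None  # older than the window can track: reject
        bit = 1 << offset
        if self.seen & bit:
            return None  # exact replay of an already accepted datagram
        self.seen |= bit  # late but genuine: accept it once
        return body


def demo() -> Dict[str, Optional[bytes]]:
    """Run the receiver over constructed traffic; None means the datagram was dropped."""
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    rx = Receiver(key)
    d1 = seal(key, 1, b"hello")
    d2 = seal(key, 2, b"world")
    tampered = d2[:SEQ_LEN] + b"WORLD" + d2[-TAG_LEN:]  # payload edited, tag kept
    return {
        "fresh": rx.open(d1),
        "fresh_next": rx.open(d2),
        "replay": rx.open(d1),                              # same bytes again
        "tampered": rx.open(tampered),                      # tag no longer matches
        "wrong_key": rx.open(seal(b"other-key", 3, b"x")),  # unknown sender
        "late_in_window": rx.open(seal(key, 0, b"late")),   # reordered, accepted
        "jump": rx.open(seal(key, 100, b"jump")),
        "too_old": rx.open(seal(key, 1, b"old")),           # 99 behind: dropped
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result!r}")
```

Because the tag covers the sequence number, a datagram from a source the receiver does not share a key with fails verification no matter what the network did, and the window rejects a replay of a genuine datagram; that is the same ordering and freshness check TCP's sequence numbers give, supplied here at the application layer over a transport that offers nothing. Loss and reordering are still visible to the application, as gnxx notes, but they are not a security problem.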


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Martyr, no offense, but you are completely misunderstanding security as it relates to protocols and higher level controls, it has been clarified for you many times and at this stage I think you are refusing to acknowledge this out of stubbornness

    No, I'm not.

    Before responding further, can I ask that everyone here carefully read the rest of my post before commenting themselves.

    I'm sick of users on these forums just skimming my posts, looking for any opportunity to respond with unconstructive criticisms and personal attacks.

    I've been well aware for many years that an application using UDP for packet delivery can add its own layer of security, but this has got nothing to do with UDP.

    The OP asked whether UDP was less secure than TCP.

    There was no mention of ESP or encryption or the exact application using UDP to deliver data...just a plain, straightforward question of which was less secure.

    I argued that unless there was an extra layer of security (such as ESP), UDP by itself was much less secure than TCP.

    I did not give any reasoning for this or what else was on my mind, because I wrongly assumed that it was obvious to anyone with basic knowledge of internet protocols and security.

    Of course, neither UDP nor TCP was designed to be secure, I already know this.

    However, TCP has several distinct advantages which clearly make it more secure than UDP. (which most of the world, except on the security forum of boards.ie, seems to agree with)

    I hope you're still reading by the way, and not already hitting the reply button. :p

    TCP requires a connection to be established, UDP does not, therefore it's easier to spoof malicious UDP packets.

    TCP uses sequence numbers, UDP does not, therefore it's easier to hijack a UDP connection.

    Why is using a connectionless protocol such as UDP a potential security issue?

    To understand why, we have to go back to 1996 when CERT (not __Creed__ :P ) published an advisory on UDP spoofing attacks.

    TCP involves a negotiated connection setup and termination, sequence numbers (very important point) and re-transmission for lost packets.

    UDP does not have any of these features.

    Example scenario of a problem where UDP is used:

    Echo is a small Internet Protocol (IP) service defined in RFC 862.

    The echo server listens on UDP or TCP port 7 by default, and sends any packets received back to the source node.

    Character Generator (Chargen) is another small IP service on UDP or TCP port 19.

    This service, once it receives a packet, generates between 0 and 512 random characters, and sends them back to the source node in a packet.

    Chargen is defined in RFC 864.

    Both of the services can be exploited to create a denial of service condition in the following manner: A UDP packet is sent from an echo service to a chargen service.

    The chargen service generates a UDP packet containing random characters and sends the new UDP packet back to the echo service port.

    The echo service receives the UDP packet and sends it back to chargen without any changes. Repeat indefinitely.

    This type of behavior can be initiated between chargen and echo services on two machines, or the same machine.

    Either way, the process goes on, and an infinite loop is created between the echo and chargen service. Since a large number of UDP packets are generated during this process, the network becomes congested, and the affected machine(s) spends all of its time processing the received and sent packets.

    The result is that the affected machine(s) becomes unable to respond to normal service requests.


    An attacker would spoof the source node to create a DoS attack on 2 computers.

    No doubt __Creed__, gnxx, jimmy or somebody else out there will argue that this is a "protocol problem" ...but of course it is, I don't disagree, these are services using UDP :D

    You're not on this planet to "get it", gnxx - someday what I've said will make sense to you.

    And now I'm finished explaining this, and I'm finished on these forums too. :mad:

    Since in the last couple of weeks I've met too many cretins here who seem to think they know everything and that I'm an asshole with no education.

    Obviously I need to go back to school and get the same great education you all got here in Ireland. :p

    Good bye!
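The echo/chargen loop in the post above is something a defender looks for in flow records rather than reproduces. This added example (not from the post or from any tool it mentions) parses a constructed flow-log format and flags UDP flows that run between two small-service ports, since a legitimate echo or chargen client always talks from an ephemeral source port; the log format, addresses and packet counts are constructed for the example. The remedy on the hosts it points at is to disable the small services, which have no business running on a modern system, and to filter UDP ports 7 and 19 at the network edge.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Ports of the two "small services" discussed in the post
# (echo, RFC 862; chargen, RFC 864).
SMALL_SERVICES: Dict[int, str] = {7: "echo", 19: "chargen"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one line of the constructed flow-log format used in this example:
       '<PROTO> <src_ip>:<src_port> -> <dst_ip>:<dst_port> pkts=<n>'"""
    proto, src, _arrow, dst, pkts = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto, src_ip, int(src_port), dst_ip, int(dst_port),
                int(pkts.split("=", 1)[1]))


def is_small_service_loop(flow: Flow) -> bool:
    """A genuine echo/chargen client talks from an ephemeral port, so a UDP flow
    with a small-service port at *both* ends is the reflected loop the post
    describes (7 <-> 19, or a service talking to itself on the same port)."""
    return (flow.proto == "UDP"
            and flow.src_port in SMALL_SERVICES
            and flow.dst_port in SMALL_SERVICES)


def find_loops(lines: List[str]) -> Tuple[List[Flow], Counter]:
    """Return the suspicious flows and a per-host packet total, so the hosts
    still running these services can be triaged first."""
    hits = [f for f in map(parse_flow, lines) if is_small_service_loop(f)]
    per_host: Counter = Counter()
    for f in hits:
        per_host[f.src_ip] += f.packets
        per_host[f.dst_ip] += f.packets
    return hits, per_host


# Constructed sample flow records (private and documentation address ranges).
SAMPLE_FLOWS = [
    "UDP 10.0.0.5:7 -> 10.0.0.9:19 pkts=48213",     # echo -> chargen: loop
    "UDP 10.0.0.9:19 -> 10.0.0.5:7 pkts=48190",     # chargen -> echo: loop
    "UDP 192.0.2.10:51234 -> 10.0.0.5:7 pkts=3",    # ordinary echo client
    "TCP 192.0.2.11:40001 -> 10.0.0.9:19 pkts=12",  # chargen over TCP
    "UDP 10.0.0.7:53 -> 192.0.2.20:33421 pkts=2",   # DNS reply, unrelated
]

if __name__ == "__main__":
    hits, hosts = find_loops(SAMPLE_FLOWS)
    for f in hits:
        print(f"loop: {f.src_ip}:{f.src_port} <-> {f.dst_ip}:{f.dst_port} "
              f"({f.packets} pkts)")
    print("per-host packets:", dict(hosts))
```

The TCP chargen flow is deliberately left out of the match: as the thread says, a TCP session needs a completed handshake before any data flows, so the blind reflection between two services does not arise there, which is exactly the difference the post is arguing about.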


  • Closed Accounts Posts: 1,974 ✭✭✭mick.fr


    Come on guys...

    Also, more and more VPNs use SSL instead of IPSec now. IPSec is still required where the full IP stack is needed though, such as VoIP.


  • Registered Users, Registered Users 2 Posts: 218 ✭✭Screaming Monkey


    I don't know, the youth of today, this UDP vs TCP is a subtle, pointless argument.

    The answer is "as a protocol TCP is a tiny bit more secure than UDP", but you have to remember that TCP/UDP interacts with the other OSI model layers, http://en.wikipedia.org/wiki/OSI_model so you can't discuss protocols in isolation in terms of "overall security of a system", i.e. the 3G thing; if you do then it's just a protocol sitting there doing nothing and we could talk RFCs all day.

    Also, I think the "Chargen" example is slightly flawed, yes it shows weaknesses in UDP, but it also sounds like a crappy application issue which shows that you can't take the "security" of something in isolation, which is what others are saying.

    And the original question "The 3G wireless card I use to access the web is UDP" doesn't make sense, but I think CreeD sums it up:
    the transport is irrelevant, it's the underlying data and how it is controlled/encrypted/hashed/checked for consistency by the applications/session managers on either side that define its security.

    SM


  • Registered Users, Registered Users 2 Posts: 8,814 ✭✭✭BaconZombie


    Well, my ADSL2+ connection is:
    IP over PPP over Ethernet over ATM


    ? wrote:

    the transport is irrelevant, it's the underlying data and how it is controlled/encrypted/hashed/checked for consistency by the applications/session managers on either side that define its security.

