Security Basics mailing list archives

RE: Why TCP is more secure than UDP?


From: "Dave Koontz" <dkoontz () mbc edu>
Date: Wed, 11 Jul 2007 19:41:20 -0400

Maybe I missed something in this LONG thread, but what is the real concern
we are trying to identify and negate?  TCP vs. UDP delivery mechanisms?  For
WHAT purpose, and in what environment?  A transport protocol is exactly that,
a WAY to deliver something.

You've heard the differences about 3-Way handshake vs. best effort delivery,
and header manipulation.  I hope everyone on this list is aware of the
basics here.  So what are we trying to solve?  The real question in my mind
is what SERVICES are we referring to, and what sorts of packet payloads are
at issue.  And how well has that service been programmed?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of levinson_k () securityadmin info
Sent: Wednesday, July 11, 2007 1:49 PM
To: security-basics () securityfocus com
Subject: Re: Why TCP is more secure than UDP?

Google will help:

www.google.com/search?q=tcp+security+spoof


It's not really advisable to state that TCP is more secure than UDP.  SSH
and SSL run over TCP, and those are subject to a variety of trivial attacks
such as man-in-the-middle session hijacking via ARP spoofing, primarily if
the attacker controls a system on the same local subnet as the client or the
server.


However, there are some security advantages to using TCP over UDP.  For one
thing, in the real world, it is less common that ongoing established TCP
sessions and port scans would be spoofed.  


Some TCP attacks require the attacker to see the response packets in order
to be of any benefit to the attacker.  An attacker may not always be able to
guarantee that she will see the reply packets (unless the attacker controls
a system on the same subnet as the client or server, or somewhere on a
dedicated path between the two).  


Some types of attacks can be mounted without the attacker seeing the reply,
such as denial of service attacks or blind attacks where the attacker can
guess the response.  


For other types of attacks like port scans or attacks at the application
level (format attacks on listening TCP applications like RPC or HTTP), a
security person who observes these attacks in an IDS or other security log
can often reasonably assume that the source IP address is not likely to be
spoofed.  


These issues can make it problematic to use firewall or router ACLs to
secure UDP applications.  For example, a common recommendation for securing
UDP applications like SNMP v2 and TFTP is to use router ACLs to filter which
source IP addresses are allowed to send data to these applications.  But UDP
makes it easier to spoof the source IP in order to bypass this security
control.  


Also, with UDP not having any built-in mechanism to guarantee delivery or
retransmit lost data, it may be easier for an attacker to delete, insert,
modify or flood security-related logs like firewall and IDS logs that are
sent via unprotected Syslog.


UDP applications can still in theory add some of these protections such as
guaranteed delivery at a higher level of the OSI networking model, such as
the application layer.  Not sure how often this is done, however.


kind regards,


Karl Levinson

http://securityadmin.info
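The spoofing argument above (a source-IP ACL on a UDP service versus the TCP three-way handshake) as an added Python model; it is not code from anyone in this thread, and the ACL address, the two service classes and the two scenario functions are constructed for illustration only.

```python
import secrets

# Constructed: the only source address the service is meant to trust.
ACL = {"10.0.0.5"}


class UdpService:
    """UDP has no handshake, so the ACL can only judge the *claimed* source."""
    def __init__(self):
        self.accepted = []

    def datagram(self, claimed_src, payload):
        if claimed_src in ACL:
            self.accepted.append(payload)
            return True
        return False


class TcpService:
    """Three-way handshake: the peer must echo the server's random 32-bit ISN."""
    def __init__(self):
        self.pending = {}      # claimed source -> ISN the server sent in its SYN-ACK
        self.accepted = []

    def syn(self, claimed_src):
        if claimed_src not in ACL:
            return None
        isn = secrets.randbits(32)
        self.pending[claimed_src] = isn
        # The SYN-ACK goes to the *claimed* source, not to whoever sent the SYN.
        return ("SYN-ACK", claimed_src, isn)

    def ack(self, claimed_src, ack_num, payload):
        isn = self.pending.get(claimed_src)
        if isn is None or ack_num != (isn + 1) % 2**32:
            return False   # wrong or missing handshake state: data never reaches the app
        self.accepted.append(payload)
        return True


def blind_attempt(tcp, udp, forged_src="10.0.0.5"):
    """Off-path sender forging the ACL'd address: never sees the SYN-ACK, so must guess the ISN."""
    udp_ok = udp.datagram(forged_src, "udp payload")          # accepted on the claimed source alone
    tcp.syn(forged_src)                                       # SYN-ACK is delivered elsewhere
    tcp_ok = tcp.ack(forged_src, secrets.randbits(32), "tcp payload")  # 1 in 2**32 chance
    return udp_ok, tcp_ok


def on_path_attempt(tcp, forged_src="10.0.0.5"):
    """Sender that can observe the SYN-ACK (same subnet / on the path) completes the handshake."""
    _, _, isn = tcp.syn(forged_src)
    return tcp.ack(forged_src, (isn + 1) % 2**32, "tcp payload")
```

The model deliberately ignores that the real ACL'd host would answer an unexpected SYN-ACK with a RST; the point it shows is only why the same source-IP filter is a meaningful control on a TCP service and a weak one on a UDP service unless the sender is on the path.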



