An Attacker Ebooks Catalog
When using inline actions, you need to define the length of time that the sensor continues to deny the traffic. This length of time (measured in seconds) is defined by the Deny Attacker Duration parameter. You can also configure the maximum number of attackers that the sensor will deny at one time by using the Maximum Denied Attackers field.
RFC 3704 filtering at the perimeter router should be used to mitigate the chance of an outside attacker spoofing the
Regardless of whether you use SSH, SSL, or Telnet for remote access to the managed device, you should also configure ACLs to allow only management servers to connect to the device. Deny and log all attempts from other IP addresses. Implement RFC 3704 filtering at the ingress router to reduce the chance of an attacker from outside the network spoofing the addresses of the management hosts.
In this attack scenario, the adversary attempts to appear like a trusted client by interjecting into the conversation after the true client has authenticated. This sort of attack is very difficult if the attacker is unable to see the packets exchanged between client and server. Figure 3-10 (Ideal Attacker Position for TCP Spoofing Attack) shows the attacker placed on the path between client and server, where it sees all the information necessary to launch this attack.
After you have determined the source of the attack and that it is truly the attacker and not an attacker spoofing a legitimate source, the shun command is a handy option that will block any current or future connections based on the source IP address, or on the source IP address and port to the destination IP address and port number. Figure 20-1 illustrates an attacker (192.168.1.23) on the outside attacking a server on the services network.
Another element of defending your data is identifying potential attackers who might want to steal or manipulate that data. For example, a company might need to protect its data from corporate competitors, terrorists, employees, and hackers, to name just a few. The term hacker is often used very generically to describe attackers. However, not all hackers have malicious intent. As shown in Table 1-5, hackers come in many flavors, which leads to the question: What motivates a hacker? Some hackers might work for governments to try to gather intelligence from other governments. Some attackers seek financial gain through their attacks. Other hackers simply enjoy the challenge of compromising a protected information system. This book details several specific attacks that an attacker can launch. However, at this point, you should be familiar with five broad categories of attacks. Passive: A passive attack is difficult to detect, because the attacker isn't actively sending traffic (malicious or...
Any network has the potential of being compromised. Complex networks are more difficult to protect and can be more difficult to monitor. It is important to identify when your network is under attack and when the attack has resulted in a system or network breach. It is also important to develop an incident-response plan so that the security personnel know how to react to the compromise. Although the ultimate goal is to discover all breaches, some might go unnoticed. The policy must state the actions to take upon discovery of a breach. Most policies differentiate between breaches occurring from within the organization and those originating externally, such as from the Internet. The distinction exists because it is normally easier to identify the offending host when the attack originated from within the network than when an internal resource was exploited by an external source. Most organizations implement a stronger exterior-facing security perimeter, which greatly restricts...
Typically, a protocol analyzer is used to examine (sniff) packets. The analyzer can be a hardware-based solution or a PC with a promiscuous network interface card (NIC) and appropriate software. For this kind of attack to work, the attacker must have access to a connection between the actual source and destination devices. An attack protocol analyzer, on the other hand, is an enhanced form of a general protocol analyzer. Attack protocol analyzers look at certain types of applications and protocols for authentication, financial, and security information. An attacker will use this specific information to execute other types of attacks.
As with packet sniffer and IP spoofing attacks, a brute-force password attack can provide access to accounts that can be used to modify critical network files and services. An example of a password attack that compromises your network integrity is when an attacker cracks the router password and then uses that access to modify the routing tables for your network. By doing so, the attacker ensures that all network packets are routed to the attacker before they are transmitted to their final destination. In such a case, an attacker can monitor all network traffic, effectively becoming a man in the middle.
In the example above, the hacker attached to the Internet has already exploited some vulnerability of the DMZ host, which is connected to the DMZ interface of the firewall. The hacker controls the entire DMZ host. His next goal is to compromise the inside host that is connected to the inside (trusted) interface of the firewall. To attack the inside host from the DMZ host, the hacker needs to find the protocols that are permitted from the DMZ to the inside interface. Then the attacker would search for a vulnerability on the inside host and exploit it. If the firewall is configured to allow only minimum or no connectivity from the DMZ to the inside, this attack can be stopped.
Because economies depend largely on electronic transactions, those economies are vulnerable to disruptions by an attacker. Cyber-warfare does exist and can pose a real threat to any economy. If disruption of an economy is desired, doing so through electronic means might become the ideal method for a number of reasons. These reasons include the ability to launch an attack from virtually any location, low equipment cost, low connectivity cost, and a lack of sufficient protection. In November 2002, a number of the primary Domain Name System (DNS) servers on the Internet were attacked through a distributed denial-of-service (DDoS) attack and were rendered inoperable for a number of hours. Although the motivation for this attack is unknown, a more sophisticated version could dramatically affect Internet traffic and disrupt many organizations that communicate over the Internet. Another more common political motivation is known as hacktivism, which is the act of targeting an organization and...
Before learning about the characteristics of specific network attacks, you need to understand the different types of attacks. Attacks are defined by the goal of the attack rather than the motivation of the attacker. The three major types of network attacks, each with its own specific goal, are as follows. Reconnaissance attacks: A reconnaissance attack is designed not to inflict immediate damage to a system or network but only to map out the network and discover which address ranges are used, which systems are running, and which services are on those systems. One must access a system or network to some degree to perform reconnaissance, but normally the attacker does not cause any damage at that time.
An example of a man-in-the-middle attack is when someone working for your ISP gains access to all network packets transferred between your network and any other network. Man-in-the-middle attackers can make sure not to disrupt the traffic and thus set off alarms. Instead, they use their position to stealthily extract information from the network.
The type of attack used against a router depends on the attacker's intent. An access attack is used if the intent is to gain access to the router or network. A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is used to bring down the router or to introduce routing changes to redirect traffic and deny access to the network. A host can be compromised to gain specific data that might reside on that system, or that system might be used to launch attacks against other network resources. Often, hosts are attacked because the attacker has discovered a vulnerability on a host and wants to exploit it. An attacker will normally exploit a vulnerability within an application to compromise a host. As technologies advance, the number and type of attacks increase. Because management components are used to manage the different network components, it is important to ensure that they are secured to prevent an attacker from gaining control of the entire network.
Distributed DoS attacks are the next generation of DoS attacks on the Internet. This type of attack is not new. UDP and TCP SYN flooding (sending large numbers of UDP segments or TCP SYN packets to the target system), ICMP echo-request floods, and ICMP directed broadcasts (also known as smurf attacks) are similar to distributed DoS attacks; however, the scope of a distributed DoS attack is different. Victims of distributed DoS attacks experience packet flooding from many different sources, possibly with spoofed IP source addresses, that brings network connectivity to a halt. In the past, the typical DoS attack involved a single attempt to flood a target host with packets. With distributed DoS tools, an attacker can conduct the same attack using thousands of systems.
When attacks involve specific network server applications, such as an HTTP server or an FTP server, the attacker focuses on acquiring and keeping all the available connections supported by that server open. This strategy effectively locks out valid users of the server or service.
IP spoofing is a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, hackers must first use a variety of techniques to find an IP address of a trusted host and then modify their packet headers to appear as though packets are coming from that trusted host. Further, the attacker can engage other unsuspecting hosts to also generate traffic that appears as though it too is coming from the trusted host, thus flooding the network.
An algorithm's key space is the set of all possible key values. N-bit keys produce a key space of size 2^n, and the change to an (n+1)-bit key effectively doubles the key space. For example, DES with its 56-bit keys has a key space of more than 72,000,000,000,000,000 (7.2 x 10^16) possible keys, but by adding 1 bit to the key length its key space doubles, and an attacker will need twice the amount of time to search the key space. Alternatively, as previously mentioned, almost every algorithm has some weak keys that enable an attacker to break the encryption via a shortcut. It is very unlikely that such keys would be chosen, but implementations should still verify all keys and prevent weak keys from being used. With manual key generation, special care must be taken by the operators to avoid defining those weak keys.
MAC spoofing involves the use of a known MAC address of another host that is authorized to access the network. The attacker attempts to make the target switch forward frames destined for the actual host to the attacker device instead. This is done by sending a frame with the other host's source Ethernet address with the objective to overwrite the CAM table entry. After the CAM is overwritten, all the packets destined for the actual host will be diverted to the attacker. If the original host sends out traffic, the CAM table will be rewritten again, moving the traffic back to the original host port. Figure 14-5 shows how MAC spoofing works.
Handshake connection mechanism of TCP/IP. The attacker initiates a TCP session with the server by sending a TCP SYN packet to the server. The server responds to this initial packet with a TCP SYN-ACK response. The attacker's machine should then respond to this SYN-ACK by sending an ACK back to the server. At this point, the session would be established. What happens in a TCP SYN attack is that the attacker's machine never responds to the TCP SYN-ACK sent by the server. This causes the server to wait for the response and for the session to start. This is called a half-open session. Each of these half-open sessions uses resources on the server. The attacker floods the server with thousands of these session initiation packets, causing the server eventually to run out of resources, thus denying service to any other inbound connections. Smurf attack: A smurf attack is when an attacker sends an ICMP Echo Request to a network address rather than a specific host. The important point is...
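Half-open session accounting for the SYN flood described above, written as an added example (not code from the original page or any Cisco product). The segment records, the IP addresses and the threshold are constructed for illustration; a session is keyed by client address/port and server address/port, becomes half-open when the server has answered a SYN with SYN-ACK, and leaves that state only when the client sends the final ACK.

```python
"""Half-open session accounting for a TCP SYN flood. Added example; the segment
records (src, sport, dst, dport, flags) and the threshold are constructed for
illustration, not sensor or firewall output."""
from collections import defaultdict

HALF_OPEN_THRESHOLD = 20        # assumed, in the spirit of a FloodGuard-style limit


def track_half_open(segments, by="client"):
    """Return {ip: half-open session count}, keyed by client or by server.

    A session (client, cport, server, sport) is half-open once the server has
    answered SYN with SYN-ACK and the client has not sent the final ACK.
    """
    state = {}
    for src, sport, dst, dport, flags in segments:
        if flags == "SYN":
            state[(src, sport, dst, dport)] = "syn_sent"
        elif flags == "SYN-ACK":                      # server -> client, so swap ends
            key = (dst, dport, src, sport)
            if state.get(key) == "syn_sent":
                state[key] = "half_open"
        elif flags == "ACK":
            key = (src, sport, dst, dport)
            if state.get(key) == "half_open":
                state[key] = "established"
    idx = 0 if by == "client" else 2
    counts = defaultdict(int)
    for key, s in state.items():
        if s == "half_open":
            counts[key[idx]] += 1
    return dict(counts)


def flood_sources(segments, threshold=HALF_OPEN_THRESHOLD):
    """Client IPs holding at least `threshold` half-open sessions."""
    return sorted(ip for ip, n in track_half_open(segments).items() if n >= threshold)


def _constructed_segments():
    """One completed handshake from 192.168.1.5, then 50 SYNs from 10.0.0.9 that
    are answered with SYN-ACK but never acknowledged (constructed sample)."""
    segs = [
        ("192.168.1.5", 40000, "10.1.1.25", 25, "SYN"),
        ("10.1.1.25", 25, "192.168.1.5", 40000, "SYN-ACK"),
        ("192.168.1.5", 40000, "10.1.1.25", 25, "ACK"),
    ]
    for port in range(1024, 1074):
        segs.append(("10.0.0.9", port, "10.1.1.25", 25, "SYN"))
        segs.append(("10.1.1.25", 25, "10.0.0.9", port, "SYN-ACK"))
    return segs


SAMPLE_SEGMENTS = _constructed_segments()

if __name__ == "__main__":
    print(track_half_open(SAMPLE_SEGMENTS))
    print(track_half_open(SAMPLE_SEGMENTS, by="server"))
    print(flood_sources(SAMPLE_SEGMENTS))
```

Because a real flood usually spoofs its source addresses, a per-client count is spread across thousands of addresses and never reaches the threshold; the `by="server"` view, which counts half-open sessions per attacked host, is the one that still fires in that case.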
If cleartext needs to be permitted in an interface ACL (if one exists), does that not open the VPN for spoofing? That is, could an attacker now send cleartext traffic, which should normally be IPSec-encapsulated, to the VPN system, and sneak through the ACLs? The answer is no: Cisco IOS software automatically prevents this behavior by installing some hidden filters in the early input checks on the dirty interface. This is also true for dynamic crypto map templates, if they contain a crypto ACL. The use of (optional) crypto ACLs in dynamic crypto map templates is always encouraged.
As mentioned previously, only the third message of this four-step procedure is WEP encrypted. Assume an attacker captures the second and third messages; he can then easily calculate the keystream S by XORing the plaintext challenge with its encrypted form. The other fields (besides the challenge) are rather static and can be guessed, because they always have the same values in each authentication process. Having S, an attacker can easily authenticate to the network, as he is able to correctly respond to each challenge sent by a responder.
Filters are necessary when WLAN security is based on static WEP because of known vulnerabilities in WEP. The filters limit the damage that can be done if an attacker does manage to determine a valid WEP key. Such an attacker can access and see traffic only from hardened applications that have low confidentiality requirements.
If an attacker can compromise the signaling part of the dial network, that is, gain unauthorized access to the switching centers (tandem switches, PBXes, etc.), he or she can effectively control signaling and all of its associated services, such as Caller ID, call routing, or billing. Such an event would be analogous to breaking into an Internet Service Provider's (ISP) router in an IP-based public network. An attacker on a phone switch can: Manipulate Caller ID to impersonate possibly trusted endpoints (analogous to IP spoofing in the IP world; if source address filters, such as filtering on Caller ID, are used, such an attacker can bypass filtering). Manipulate call routing (analogous to compromising a routing protocol in an IP network), so the attacker can redirect calls to almost arbitrary endpoints. For example, when a trusted user dials into an enterprise POP, the attacker redirects the session into a fake access server under the attacker's control. If only unidirectional...
Many users do not change the preconfigured SSID. Although the SSID does not provide real security, an administrator should configure it to a specific network ID in order to make an attacker's life a little bit harder and to prevent accidental connections. Furthermore, do not make SSIDs broadcast. Provide WEP encryption; otherwise, even shared-key authentication will not function. Without encryption, even an inexperienced attacker can easily compromise the network. An unprotected AP also allows the attacker to capture and spoof data packets, and to gain access to servers and files.
So that you have a better understanding of a man-in-the-middle attack, I'll use Figure 2-5 to illustrate how this attack occurs. In this example, PeerA wants to send data to PeerB. PeerA does a DNS lookup for PeerB's address, shown in Step 1. However, the attacker also sees the DNS request and sends a reply back to PeerA before the DNS server has a chance, shown in Steps 2 and 3. The IP address that the attacker sends is the attacker's own IP address. PeerA knows no better and assumes that when it uses the IP address in the DNS reply, it is sending traffic to PeerB; however, as shown in Step 4, the traffic actually is directed to the attacker. This is a simple example of spoofing DNS replies. If the DNS server's reply were received before the attacker's, PeerA would connect to PeerB; however, a sophisticated hacker could use a session hijacking re-routing attack to redirect traffic sent from PeerA to PeerB to the attacker himself, still pulling off the man-in-the-middle...
An STP attack involves an attacker spoofing the root bridge in the topology. The attacker broadcasts out an STP configuration topology change BPDU in an attempt to force an STP recalculation. The BPDU sent out announces that the attacker's system has a lower bridge priority. The attacker can then see a variety of frames forwarded from other switches to it. STP recalculation may also cause a denial-of-service (DoS) condition on the network by causing an interruption of 30 to 45 seconds each time the root bridge changes. Figure 14-4 shows an attacker using STP network topology changes to force its host to be elected as the root bridge.
* RFC 2827 filtering at the perimeter router should be used to mitigate the chance of an outside attacker spoofing the addresses of the management hosts. Regardless of whether SSH, SSL, or Telnet is used for remote access to the managed device, access control lists (ACLs) should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged. RFC 2827 filtering at the ingress router should also be implemented to reduce the chance that an attacker from outside the network will spoof the addresses of the management hosts.
By spoofing an ARP reply from a legitimate device with a gratuitous ARP, an attacking device appears to be the destination host sought by the senders. The ARP reply from the attacker causes the sender to store the MAC address of the attacking system in its ARP cache. All packets destined for those IP addresses will be forwarded through the attacker system. In the figure, Host B (the attacker) sends an ARP reply binding B's MAC address to C's IP address; packets for C are now diverted through the attacker (B).
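The poisoning described above, as an added example that is not part of the original page: a naive host's ARP cache after the forged reply, and a check that flags replies contradicting trusted IP-to-MAC bindings (the kind of table DHCP snooping or static entries would provide). The addresses, the capture and the binding table are constructed for illustration.

```python
"""ARP cache poisoning: the victim's resulting cache, and a detector that checks
ARP traffic against trusted bindings. Added example; addresses, capture and
bindings are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Arp:
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


ZERO_MAC = "00:00:00:00:00:00"
MAC_A, MAC_B, MAC_C = "aa:00:00:00:00:0a", "bb:00:00:00:00:0b", "cc:00:00:00:00:0c"

# Trusted IP-to-MAC bindings, as DHCP snooping or static entries would provide
# (constructed). B, the attacker, deliberately has no binding for 10.0.0.3.
TRUSTED_BINDINGS = {"10.0.0.1": MAC_A, "10.0.0.3": MAC_C}

# Constructed capture: A resolves C normally, then attacker B claims C's IP with
# B's MAC, then B sends a gratuitous reply for an address nobody is bound to.
CAPTURE = [
    Arp("request", "10.0.0.1", MAC_A, "10.0.0.3", ZERO_MAC),
    Arp("reply",   "10.0.0.3", MAC_C, "10.0.0.1", MAC_A),
    Arp("reply",   "10.0.0.3", MAC_B, "10.0.0.1", MAC_A),   # poisoned reply
    Arp("reply",   "10.0.0.5", MAC_B, "10.0.0.5", MAC_B),   # gratuitous ARP
]


def naive_arp_cache(packets):
    """What a host that believes every ARP it hears ends up with: last claim wins."""
    cache = {}
    for p in packets:
        cache[p.sender_ip] = p.sender_mac
    return cache


def inspect_arp(packets, bindings):
    """Return (index, reason, ip, mac) for each packet whose sender binding
    contradicts the trusted table, or that is a gratuitous reply for an IP with
    no trusted binding at all (the attacker announcing an address it owns)."""
    alerts = []
    for i, p in enumerate(packets):
        expected = bindings.get(p.sender_ip)
        if expected is not None and expected.lower() != p.sender_mac.lower():
            alerts.append((i, "binding_mismatch", p.sender_ip, p.sender_mac))
        elif expected is None and p.op == "reply" and p.sender_ip == p.target_ip:
            alerts.append((i, "unbound_gratuitous_reply", p.sender_ip, p.sender_mac))
    return alerts


if __name__ == "__main__":
    print("victim cache:", naive_arp_cache(CAPTURE))
    for alert in inspect_arp(CAPTURE, TRUSTED_BINDINGS):
        print("ALERT", alert)
```

The first function shows the damage (10.0.0.3 now maps to B's MAC on every host that heard the reply); the second is the check a switch doing dynamic ARP inspection performs, and it only works as well as the binding table it is given.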
The major concern with FTP is that the built-in authentication system uses a username and password pair that is transmitted in clear text to the FTP server. This causes obvious concerns when the remote FTP server is accessed across a public, untrusted network. If the FTP username and password are intercepted, the attacker has the same access to your files and directories as you have, leading to disastrous results.
To engage in IP spoofing, hackers must first use a variety of techniques to find an IP address of a trusted host and then modify their packet headers to appear as though packets are coming from that trusted host. Further, the attacker can engage other unsuspecting hosts to generate traffic that appears as though it too is coming from the trusted host, thus flooding the network. Nonblind spoofing: This type of attack takes place when the attacker is on the same subnet as the victim. The attacker sniffs the sequence and acknowledgement numbers to eliminate the potential difficulty of calculating them accurately. The biggest threat of spoofing in this instance would be session hijacking. The attacker corrupts the datastream of an established connection, and then re-establishes the datastream with the attack machine using the correct sequence and acknowledgement numbers. Using this technique, an attacker could effectively bypass any authentication measures taken to build the...
When security incidents occur, respond appropriately. With both NetRanger and Cisco IOS IDS, you can take a variety of actions, such as logging the event, resetting the TCP connection, dropping the offending packets, and dynamically reconfiguring a router's ACLs to shun the attacker. These types of responses need to match the security policy.
XAUTH user authentication often augments wild-card pre-shared secrets. If compromise of the wildcard secret key occurs, this adds an additional layer of protection. Such an approach is better, but does NOT eliminate a simple man-in-the-middle attack, if the attacker, who has compromised the wildcard secret key, can place himself in the packet path between the user and the VPN system. There, the attacker can impersonate the VPN concentrator to the user, and the user to the concentrator, as he can successfully spoof peer authentication and negotiate separate Diffie-Hellman (D-H) secrets with the client and the concentrator. The attacker can then see the XAUTH credentials in cleartext, and submit them to the concentrator, gaining full access to the VPN.
The Cisco IOS Resilient Configuration feature allows for faster recovery in situations in which an attacker has compromised a router and erased its Cisco IOS image and configuration file. This feature is available only on platforms with PCMCIA ATA Flash drives. When enabled, this feature saves nonerasable copies of the running Cisco IOS image and
A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This scenario is achieved with attack tools such as gobbler, which looks at the entire DHCP scope and tries to lease all the DHCP addresses available in the DHCP scope. This is a simple resource starvation attack, similar to a SYN flood attack. The attacker can then set up a rogue DHCP server and respond to new DHCP requests from clients on the network. This might result in a man-in-the-middle attack.
To compromise the neighboring device and consequently the network, an attacker can potentially use the information provided by CDP. If your network does not use CDP, you should turn it off. You can disable CDP with the global configuration command no cdp run. You can disable CDP on a particular interface with the interface command no cdp enable.
In IPSec VPNs, traffic protection security mechanisms depend on key exchange security mechanisms. For example, the strength of 3DES encryption depends heavily on the choice and exchange of encryption keying material, performed using an initial (or periodic, in the case of perfect forward secrecy) Diffie-Hellman (D-H) exchange. If the D-H exchange uses a short modulus, the resulting keying material is weak, and the attacker has no need for a brute-force attack against 3DES: breaking the D-H exchange is faster and yields the keying material directly. Also, the D-H exchange, if not authenticated, is vulnerable to a man-in-the-middle attack. Therefore the strength of peer authentication must be comparable to the strength of the D-H method itself.
Many organizations, such as hotels, airports, and universities, provide public WLAN service to their customers. Without special protection, an attacker can bypass the AP and abuse interclient communication to attack certain hosts. To mitigate this, enable the Publicly Secure Packet Forwarding (PSPF) feature on APs and wireless bridges.
In this scenario, you need to set up an ACL on the router to deny all traffic outside the 172.16.0.0 Class B network, thereby protecting the NetRanger Director from any possible outside attacker. The ACL is applied to the out direction of the router's ethernet 1 interface (see Example 3-22).
In a CAM table overflow attack, an attacker sends thousands of frames with bogus source MAC addresses from one port, which look like valid hosts' communication to the switch. One of the more popular tools used for launching this type of attack is called Macof, which was written in Perl, ported to C, and bundled into the Dsniff suite. Dsniff is a collection of tools for network auditing and penetration testing. Macof can generate 155,000 MAC entries on a switch per minute. The goal is to fill the CAM table with false entries so that legitimate entries are aged out and cannot be relearned. When a destination MAC address has no CAM entry, the switch floods the frame out of all ports in that VLAN, thus allowing the attacker to see traffic between other hosts on the VLAN that a correctly populated CAM table would have delivered only to the destination port.
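A toy learning switch to make both Layer 2 attacks concrete: the MAC spoofing described earlier (a forged source address moving the victim's CAM entry to the attacker's port, and the victim's next frame moving it back) and the CAM table overflow described above, each run with and without a per-port MAC limit of the kind port security enforces. This is an added example, not the page's code and not any vendor's forwarding logic; the CAM size of eight entries, the 300-second aging time, the port numbers and the MAC addresses are constructed for illustration.

```python
"""Toy learning switch with a fixed-size CAM table, entry aging and optional
port security. Added example; constructed model, not vendor forwarding code."""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B, ATTACKER_PORT = "00:11:22:33:44:01", "00:11:22:33:44:02", 3


class Switch:
    def __init__(self, ports, cam_size, age_time=300, max_macs_per_port=None):
        self.ports = set(ports)
        self.cam_size = cam_size
        self.age_time = age_time
        self.max_macs = max_macs_per_port      # None = port security off
        self.cam = {}                          # mac -> (port, last_seen)
        self.secure_macs = {}                  # mac -> port bound by port security
        self.port_macs = defaultdict(set)      # port -> MACs it has been allowed
        self.violations = set()                # err-disabled ports

    def _age_out(self, now):
        self.cam = {m: (p, t) for m, (p, t) in self.cam.items()
                    if now - t < self.age_time}

    def _port_security_ok(self, in_port, src_mac):
        if self.max_macs is None:
            return True
        bound = self.secure_macs.get(src_mac)
        if bound is not None and bound != in_port:
            return False                       # a secured MAC appeared on another port
        known = self.port_macs[in_port]
        if src_mac not in known and len(known) >= self.max_macs:
            return False                       # too many MACs on this port
        known.add(src_mac)
        self.secure_macs[src_mac] = in_port
        return True

    def receive(self, now, in_port, src_mac, dst_mac):
        """Process one frame; return the sorted egress ports ([] = dropped)."""
        self._age_out(now)
        if in_port in self.violations:
            return []
        if not self._port_security_ok(in_port, src_mac):
            self.violations.add(in_port)       # shutdown-style violation
            return []
        if src_mac in self.cam or len(self.cam) < self.cam_size:
            self.cam[src_mac] = (in_port, now) # learn/refresh; a spoofed source moves the entry
        entry = self.cam.get(dst_mac)
        if dst_mac == BROADCAST or entry is None:
            return sorted(self.ports - {in_port})   # unknown unicast is flooded
        if entry[0] == in_port:
            return []                          # destination is on the ingress port
        return [entry[0]]


def bogus_mac(i):
    return "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xFF)


def mac_spoof_demo(port_security=False):
    """Returns egress ports for A->B before, during and after the spoof, plus violations."""
    sw = Switch([1, 2, 3], cam_size=8, max_macs_per_port=1 if port_security else None)
    sw.receive(0, 1, A, B)                     # A learned on port 1
    sw.receive(0, 2, B, A)                     # B learned on port 2
    normal = sw.receive(1, 1, A, B)            # [2]
    sw.receive(2, ATTACKER_PORT, B, A)         # attacker forges B's source MAC
    diverted = sw.receive(3, 1, A, B)          # [3] without port security
    sw.receive(4, 2, B, A)                     # B sends; its entry moves back
    restored = sw.receive(5, 1, A, B)          # [2]
    return normal, diverted, restored, sorted(sw.violations)


def cam_overflow_demo(port_security=False):
    """Returns egress ports for A->B before and after a macof-style flood, plus violations."""
    sw = Switch([1, 2, 3], cam_size=8, max_macs_per_port=1 if port_security else None)
    sw.receive(0, 1, A, B)
    sw.receive(0, 2, B, A)
    before = sw.receive(1, 1, A, B)            # [2]
    for i in range(1000):                      # flood of bogus sources from port 3
        sw.receive(2, ATTACKER_PORT, bogus_mac(i), BROADCAST)
    for i in range(1000):                      # attacker keeps the table full
        sw.receive(300, ATTACKER_PORT, bogus_mac(i), BROADCAST)
    sw.receive(300, 2, B, A)                   # B's aged-out entry cannot be relearned
    after = sw.receive(302, 1, A, B)           # [2, 3]: flooded, attacker sees it
    return before, after, sorted(sw.violations)


if __name__ == "__main__":
    for ps in (False, True):
        print("port security", ps, mac_spoof_demo(ps), cam_overflow_demo(ps))
```

With `max_macs_per_port=1` the first bogus address is learned, the second trips a violation and the attacker's port is disabled, so the legitimate entries are never crowded out; the same limit also catches the spoof, because B's secured MAC turning up on port 3 is itself a violation.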
As shown in Figure 6-8, a hacker on the Internet has decided to attempt a DoS attack against the internal e-mail server through the use of half-open TCP connections. Although the PIX Firewall is fully capable of resisting such an attack, the Sensor still notices the attack the moment it has been launched. The FloodGuard algorithm on the PIX Firewall will not start to drop half-open connections until the defined threshold has been exceeded. The Sensor sends a message to the Director stating that an attack is under way. Entries are made in the log showing the packets received. This example uses the ability of the CSIDS to deny packets from the attacker through the adjustment of an access control list on the serial interface of the perimeter router. The configuration of the signature definition for this type of attack specifies that a number of actions happen when this type of attack occurs. The first action is that e-mail is sent from the Director to the administrator stating that an...
When someone's public key is requested, or received over an untrusted network, a potential attacker could intercept that key and substitute another (fake) public key for it. This man-in-the-middle attack would cause the message sender to encrypt all messages with the public key of the attacker. A mechanism is therefore needed that allows verification of the relation between an entity's name and its public key.
Syslog, which is information generated by a device that has been configured for logging, is sent as clear text between the managed device and the management host. Syslog has no packet-level integrity checking to ensure that the packet contents have not been altered in transit. An attacker may alter syslog data in order to confuse a network administrator during an attack. An attacker could attempt a DoS attack on a network by sending bogus NTP data across the Internet to change the clocks on network devices in such a manner that digital certificates are considered invalid. Further, an attacker could attempt to confuse a network administrator during an attack by disrupting the clocks on network devices. This scenario would make it difficult for the network administrator to determine the order of syslog events on multiple devices.
NOTE Man-in-the-middle attacks happen when an intruder has access to data packets that are in transit between connection endpoints. The intruder can then modify information within the packets in an attempt to gain access to the endpoints or for some other nefarious purpose. The intruder might just extract information from the packets. Obtaining a wildcard preshared key this way would permit an attacker to establish a VPN connection to the host from any other system.
To understand the DNS attack protection provided by the Cisco PIX Firewall, it helps to understand how DNS can be exploited to cause a DoS attack. DNS queries are sent from the attacker to each of the DNS servers. These queries contain the target's spoofed address. The DNS servers respond to the small query with a large response. These responses are routed to the target, causing link congestion and possible denial of Internet connectivity.
In-band management traffic flows inside the production network and is intermixed with production traffic. Although common in most networks, the risk of in-band management is that an attacker who compromises a system on the production network could interfere with management traffic, capture sensitive information from management packets, or mount further attacks against network management protocols. With in-band management, you should use encrypted protocols such as IPsec, SSH, or Secure Sockets Layer (SSL) rather than clear text protocols such as Telnet.
CAM table overflow: In a CAM table overflow attack, an attacker sends thousands of bogus MAC addresses from one port, which look like valid hosts' communication to the switch. You can mitigate CAM table overflow attacks in several ways. One of the primary ways is to configure port security on the switch. You can apply port security in three ways: static secure MAC addresses, dynamic secure MAC addresses, and sticky secure MAC addresses. STP manipulation: An STP attack involves an attacker spoofing the root bridge in the topology. The attacker broadcasts out an STP configuration topology change BPDU in an attempt to force an STP recalculation. The BPDU sent out announces that the attacker's system has a lower bridge priority. The attacker can then see a variety of frames forwarded from other switches to it. MAC address spoofing: MAC address spoofing involves the use of a known MAC address of another host authorized to access the network. The attacker attempts to make the target switch...
IP broadcast addresses are usually network addresses with the host portion of the address having all 1 bits. For example, the IP broadcast address for the network 192.168.100.0 is 192.168.100.255. Network addresses with all 0s in the host portion, such as 192.168.100.0, can also produce a broadcast response. In a Smurf attack, attackers are using Internet Control Message Protocol (ICMP) echo request packets directed to IP broadcast addresses from remote locations to generate denial-of-service (DoS) attacks. There are three parties in these attacks the attacker, the intermediary, and the victim.
The key exchange itself can be performed over trusted and untrusted channels. Often, an out-of-band exchange of keys over a trusted channel (for example, a diplomat with a suitcase containing keying material chained to his her hand) is used to facilitate later communication over the untrusted channel. Most of the time, trusted channels are not available, therefore keys must be exchanged over a medium, where an attacker might lurk to compromise the exchange. In this case
Deterministic algorithms are used to generate pseudorandom numbers, so it is important to find a PRNG that is cryptographically secure. It is also vital to use a good random seed, because the generator will take the seed and use it to generate a larger amount of pseudorandom data. The seed must be variable enough to make trying all possible seeds a difficult prospect for an attacker.
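Why the seed space matters, as an added example that is not from the original page: a token service that seeds Python's deterministic Mersenne Twister once from a timestamp, an attacker who knows the start time to within an hour and enumerates the 7,200 candidate seeds until one reproduces the token he was issued, and the prediction of the next token that follows. The TokenServer, the timestamp seed and the search window are constructed for illustration; the fix shown is to draw tokens from the operating system's CSPRNG, which has no enumerable seed.

```python
"""Recovering a PRNG seed by enumeration and predicting the next output.
Added example; the TokenServer, its timestamp seed and the search window are
constructed for illustration."""
import random
import secrets


class TokenServer:
    """Issues 128-bit session tokens from random.Random seeded once (the weak design)."""

    def __init__(self, seed):
        self._rng = random.Random(seed)        # deterministic Mersenne Twister

    def issue(self):
        return self._rng.getrandbits(128).to_bytes(16, "big").hex()


def recover_seed(first_token, seed_candidates):
    """Attacker side: find the seed whose first output equals the observed token."""
    for seed in seed_candidates:
        if TokenServer(seed).issue() == first_token:
            return seed
    return None


def predict_next(first_token, seed_candidates):
    """Having recovered the seed, replay the generator to obtain the next token."""
    seed = recover_seed(first_token, seed_candidates)
    if seed is None:
        return None
    replay = TokenServer(seed)
    replay.issue()                             # skip the token already observed
    return replay.issue()


def strong_token():
    """The fix: the OS CSPRNG; there is no seed for an attacker to enumerate."""
    return secrets.token_hex(16)


def attack_demo():
    """Constructed scenario: server seeded with int(time.time()) at a start time
    the attacker knows to within one hour. Returns True if the prediction is right."""
    start_time = 1_700_000_000
    server = TokenServer(start_time)
    observed = server.issue()                  # the attacker's own session token
    victim = server.issue()                    # the next token, issued to someone else
    window = range(start_time - 3600, start_time + 3600)
    return predict_next(observed, window) == victim


if __name__ == "__main__":
    print("prediction succeeded:", attack_demo())
    print("strong token:", strong_token())
```

The search is linear in the size of the seed space: a 32-bit timestamp bounded to an hour is 7,200 guesses, whereas a seed drawn from the OS entropy pool has no such bound.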
Most people regard NAT as a security measure simply because it hides the internal addresses of hosts behind a NAT device. As the assignment of global addresses is usually not related to the actual network structure behind the NAT device (i.e., all inside hosts use the same global pool), NAT also hides the structure of the internal network. Both measures can be put in the security-through-obscurity class of security measures, as they simply try to withhold information from the attacker. Even though NAT and PAT are used, some addressing information might still leak out of the inside network. Addresses embedded in email messages (the list of servers a message has passed through), or inside SNMP, are often not translated and might reveal internal addressing information and network structure to an attacker.
Although SSH is an encrypted protocol, many vendors' implementations of SSH have contained vulnerabilities that could allow a remote attacker to execute arbitrary code with the privileges of the SSH process or to cause a denial of service. Most of the SSH vulnerabilities have been addressed in the latest Cisco IOS software and in other vendors' SSH server and client software.
Because time synchronization is a security-related feature, it is wise to configure a router to authenticate NTP information coming from a peer or server. This prevents an attacker from spoofing NTP packets to corrupt the system clock. For added security, you can use an ACL to restrict the IP address(es) with which the router can synchronize time.
One common type of network attack is the half-open SYN attack. This is a DoS attack in which the attacker sends a large quantity of TCP SYN messages to a host without ever completing the three-way TCP handshake. This attack can result in the depletion of memory resources on the host. The most flexible way to mitigate this attack is to use the Cisco IOS Firewall feature set. The following subsections identify two other ways to mitigate half-open SYN attacks.
One of the examples that I like to use to describe a firewall system is the fortification systems that kings used to protect their castles in medieval times. Figure 2-22 shows an example of this. In this figure, the first line of defense is the moat surrounding the castle. For the second line of defense, spearmen are behind the moat, preventing anyone from trying to swim across it. Behind the spearmen is the third line of defense: the castle wall, which can be as little as 3 meters high but typically was much higher than this. On the wall are swordsmen, providing the fourth layer of defense. Inside the castle wall are the castle grounds and the castle itself. The castle is built with very high stone walls and turrets, providing the fifth layer of defense. And in the windows of the wall and on top of the turrets are the archers, providing the last layer of defense. As you can see from this system, an attacker must go through many layers of defense to capture or kill the king.
In this formula, x is the entity's secret value, and Y is the entity's public value. After that, the two parties exchange their public values. Each party then exponentiates the received public value with its secret value to compute a common shared secret value. When the algorithm completes, both parties have the same shared secret, which they have computed from their own secret value and the public value of the other party. No one listening on the channel can compute that value, as they only know g, p, YA and YB, and at least one secret value is needed to calculate the shared secret. Unless the attacker can compute the discrete logarithm of the above equation to recover xA or xB, they cannot obtain the shared secret.
Phishing is a type of malware with which an e-mail is sent to an unsuspecting user with a link to a fake website. These phishing e-mails can attempt to trick the user to log on to what appears to be a valid banking or e-commerce site. However, what the user is really logging on to is a fake website, and the attacker's purpose is the gathering of the user's account information. Trend Micro collects and maintains a list of these phishing or fake websites. The CSC-SSM module can block the HTTP connection and protect the user from accessing one of these known phishing websites. Trend Micro also collects a list of known websites that harbor spyware. Network attackers often plant spyware on more vulnerable websites and attempt to download spyware to unsuspecting users that frequent these websites. The CSC-SSM module also features the ability to block URL access to prevent users from accessing one of these known websites that are rife with spyware.
A common problem with this type of scenario involves insufficient protection. For example, although FTP and Telnet traffic is being denied and logged to the Sensor, an attacker may also try to enter the network via other methods, such as rlogin, HTTP, or TFTP. In this scenario, other alarms on unauthorized activity are all being generated by a group of hosts on a specific network (hosts 172.31.10.10-13). It seems that all the traffic (except the FTP and Telnet attempts) from these specific attackers is getting through the router's interfaces.
The destination then compares the source's sent signature to the just-computed signature. If they are the same, the destination recognizes that the only device that could have created the signature was a device with the same key. The HMAC function is a one-way process; it is impossible to reverse-engineer the process by taking the fingerprint and data and coming up with the symmetric key used to create the fingerprint. If the two fingerprints are different, the destination assumes that the data was tampered with (purposefully, as by an attacker, or by accident, as with data corruption or address translation) and discards the data.
Internet clients require DNS servers to resolve the domain name to the IP address of the server they are trying to connect to. Attackers can either use a DoS attack against the server to deny access from other DNS servers and clients, or they can infiltrate the server and change the DNS information. For example, www.mydomain.com could have a DNS entry of 188.8.131.52; an attacker could change this to 184.108.40.206, which points to a different web site, thus redirecting all traffic away from the Mydomain.com web site.
War dialing and war driving allow attackers to get into the victim network without going through the front door. In war dialing, the attacker dials the phone number prefixes assigned to the victim or the victim's area, searching for modem connections. From this list of reachable modems, the attacker can then guess which systems are on the other side. By dialing these numbers, an attacker can very likely bypass a large part of the victim's security measures because, after a successful war-dialing attack, the attacker might appear to be a trusted employee. War driving is very similar to war dialing, except that the attacker drives a car with a high-gain wireless antenna around the physical location of the victim. The attacker's goal is to identify poorly secured wireless LAN access points (APs) through which the attacker can connect directly to the victim network. For more information on war driving, check out http://www.wardriving.com.
You can configure and use many different features on Cisco Catalyst switches. You should be aware of some common weaknesses that can be exploited. In other words, don't become complacent and assume that everyone connected to your network will be a good citizen and play by the rules. Think ahead and try to prevent as many things as possible that might be leveraged to assist an attacker. Secure the use of CDP: By default, CDP advertisements are sent on every switch port at 60-second intervals. Although CDP is a very handy tool for discovering neighboring Cisco devices, you shouldn't allow CDP to advertise unnecessary information about your switch to listening attackers. For example, the following information is sent in a CDP advertisement in the clear. An attacker might be able to use the device ID to physically locate the switch, its IP address to target Telnet or SNMP attacks, or the native VLAN and switch port ID to attempt a VLAN hopping attack.
The other feature of a smurf attack is that the source IP address of the packet sent by the attacker is the IP address of the attacked host. For example, in Figure 18-9, many hosts may receive the ICMP Echo Request at Step 2. All those hosts then reply with an Echo Reply, sending it to 10.1.1.2, the address that was the source IP address of the original ICMP Echo at Step 1. Host 10.1.1.2 receives a potentially large number of packets. (Figure callout, Step 1: Attacker sends packet destined to subnet broadcast, source 220.127.116.11, for secondary attack.) Besides smurf and fraggle attacks, other attacks involve the use of what can be generally termed inappropriate IP addresses, both for the source IP address and destination IP address. By using inappropriate IP addresses, the attacker can remain hidden and elicit cooperation of other hosts to create a distributed denial-of-service (DDoS) attack. One of the Layer 3...
A commonly used distributed denial of service (DDoS) attack is known as SYN-flooding. In this type of attack, the attacker sends a series of TCP SYN packets that typically originate from spoofed IP addresses. The constant flood of SYN packets can prevent servers within the data center from handling legitimate connection requests. You can use firewalls and
When a client connects to an AP, operating system utilities normally allow the client to save the SSID. In the future, when that SSID is seen again, the client can create a connection automatically. There is a possibility that clients will be unaware of the connection. If the SSID is being spoofed, the client could connect to a potentially unsafe network. Consider the following scenario. An attacker learns the SSID of your corporate network. Using this information, he sends beacons advertising your SSID. A wireless station in the
An attack consists of sending fake unsolicited ARP replies to host A, as Figure 6-4 shows. The attacker, host C, sends this gratuitous ARP without any MAC spoofing to host A. The content contains a new but incorrect mapping of host B's IP address to the MAC address of host C (the attacker). As soon as host A updates its ARP table, all its IP packets destined to host B are actually sent to the attacker's MAC address (host C). ARP spoofing works only in one direction: The attacker (host C) intercepts only the packet flow from IP host A to host B. If the attacker wants to sniff the return traffic, he must send If the victim, host B, is actually a router, attacker C receives all the IP packets leaving the local subnet, because all nodes will send those datagrams to the attacker, who spoofed the router's MAC address. But the attacker won't receive any IP packet destined to any host on the local subnet with a single ARP spoofing attack. To receive the return traffic, the attacker runs multiple ARP...
The biggest benefit this design provides is requiring that all traffic flow through the firewall. This includes traffic from the Internet to the public servers, which in all previous designs were protected only by a router with ACLs. For example, if an attacker finds an exploit that allows one of your public servers to be compromised (after the attacker gets through the firewall the first time), the attacker still must go back through the firewall (subject to a different filtering policy) to attack your internal systems.
The final topic to consider when managing firewalls is updating the firewall software. There are two reasons to update the software. One reason is to take advantage of new capabilities added to newer software versions. The other reason is the need to fix bugs and vulnerabilities in the software. Like all software, firewall software contains many lines of code. The code in the firewall may have been rigorously tested, but there will be corner cases that the software developers did not consider or just outright overlooked. A corner case is a situation that occurs outside of normal operations. Typically, corner cases arise when multiple conditions occur simultaneously or at an extreme level. For example, a DHCP starvation attack (an attack in which the attacker tries to exhaust the DHCP server's ability to provide clients with leases by generating multiple requests for all the IP addresses in the DHCP scope) might occur along with a distributed denial-of-service (DDoS) attack. The combination of these two attacks may cause resource exhaustion on the firewall or trip some other software bug that could make the...
Atomic ARP provides the ability to support basic Layer 2 Address Resolution Protocol (ARP) signatures (see RFC 826, "An Ethernet Address Resolution Protocol"). Numerous tools enable an attacker to attack your network at the link layer, including dsniff (http://www.monkey.org/~dugsong/dsniff) and ettercap (http://ettercap.sourceforge.net). The Atomic ARP signature engine enables Cisco IPS to detect the use of these tools on your network. To tune existing Atomic ARP signatures or create custom signatures, you need to understand the parameters shown in Table 6-11.
If the attacker uses nonspoofed addresses for the attack, you can also do source-based RTBH just by adding a static route to the source or source network, as shown in the following example. In this example, the attacker is using the IP address 192.168.20.2. However, an attacker could target a legitimate IP address by spoofing it as the source of an attack and counting on you to black-hole the source using source-based RTBH filtering. This is why having antispoofing mechanisms in place is crucial for every network in any organization.
With this configuration in place, an attacker has no way to discover the preshared key that's currently in use. Therefore, an attacker cannot send forged HSRP messages that the real HSRP routers accept and process. Is this MD5 HMAC alone enough to secure HSRP? Actually, no, because it does not stop a replay attack. Here is how to mount a replay attack: If an attacker can sniff a copy of an HSRP packet with high priority, he can replay this packet by resending it unchanged (including the virtual source MAC address), and the attacker immediately becomes the active router. Therefore, the port security feature described in Chapter 2, "Defeating a Learning Bridge's Forwarding Process," must also be used to make the MD5 HMAC protection effective.
Ninety-nine percent of all networks today have a firewall in place to filter traffic coming from the Internet. In fact, most organizations have a robust set of outer defenses. These typically include one or more demilitarized zones, intrusion detection system or intrusion prevention system, spam filters, VPN concentrators, and antivirus scanners. These outer defenses are in place to protect the organization from very high-risk environments such as the Internet. The problem is that these defenses are virtually no help if an attacker, virus, or worm gains access to the internal networks behind the outer defenses.
Eavesdropping attacks are also known as phone tapping attacks. The main goal is for an attacker to listen to, copy, or record a conversation. An example of an eavesdropping attack is an incident reported back in 2006. The phones of about 100 Greek politicians and offices (including the U.S. embassy in Athens and the Greek prime minister) were compromised by malicious code embedded in Vodafone mobile phone software. The attackers tapped into their conference call system. Basically, by using several prepaid mobile phones, the attackers joined the conference call and recorded their conversations.
(Figure caption: Attacker sends packets with spoofed source MAC address; if network access control is based on MAC address, the attacker now looks like 10.1.1.2.) IP spoofing attacks, as Figure 5-8 shows, are exactly like MAC spoofing attacks, except that the client uses an IP address that isn't his. The goal of such an attack is to harm both innocent bystanders and the initial target by having the destination IP address (the initial target) reply to as many spoofed source IP addresses as possible. The attacker never sees the replies because he spoofs the source IP addresses. This is precisely like DoS attacks of the SYN flood type. This scenario is a reflection attack, in which a hacker uses a victim's IP address as the source address of packets. Those packets are then sent to a relay, which will be referred to as the innocent bystanders. Those innocent bystanders reply to these forged source IP addresses, who then become the victims of the attack because they really have no business dealing with this...
Address Resolution Protocol (ARP) is a tool that allows devices to communicate when they do not have all the information they need about the device that they are trying to communicate with. Attackers can use ARP to learn the MAC and IP (Figure labels: Attacker 10.1.1.25, Victim 10.1.1.50.)
DoS attacks do not always involve depleting the bandwidth on a link instead, DoS attacks can attempt to deplete resources inside a server or endpoint. In certain cases, servers allocate resources when they receive a packet from the network, and the attacker might seek to exhaust these resources by sending a flood of packets to the victim machine. The classic resource depletion attack is the SYN attack, which exploits the TCP protocol. In the TCP protocol, an endpoint requests a TCP connection with a target server by first sending a SYN (synchronize) packet to the server, as shown in Figure 8-1. Another attack that can cause disruption is the replay attack. The attacker begins by sniffing and recording the packets flowing on the network between two entities during a legitimate connection. The attacker then replays these packets to one of the endpoints. The target endpoint may consider this replayed stream to be legitimate and attempt to process the data, resulting in excessive resource...
Computer viruses are created with malicious intent and sent by attackers. A virus is attached to small pieces of computer code, software, or documents. The virus executes when the software is run on a computer. If the virus spreads to other computers, those computers could continue to spread the virus. Some viruses can be exceptionally dangerous. The most damaging type of virus is used to record keystrokes. Attackers can use these viruses to harvest sensitive information, such as passwords and credit card numbers. Viruses may even alter or destroy information on a computer. Stealth viruses can infect a computer and lie dormant until summoned by the attacker.
If an attacker has access to two switch ports (each from a different switch), he can introduce a rogue switch into the network. The rogue switch can then be configured with a lower bridge priority than the bridge priority of the root bridge. After the rogue switch announces its superior BPDUs, the STP topology reconverges. All traffic traveling from one switch to another switch now passes through the rogue switch, thus allowing the attacker to capture that traffic. Notice PC2 and PC3. If an attacker gained access to the switch ports of these two PCs, he could introduce a rogue switch that advertised superior BPDUs, causing the rogue switch to be elected as the new root bridge. The new data path between PC1 and Server1, as shown in Figure 6-4, now passes through the attacker's rogue switch. The attacker can configure one of the switch ports as a Switch Port Analyzer (SPAN) port. A SPAN port can receive a copy of traffic crossing another port or VLAN. In this example, the attacker could...
This section begins by exploring the nature of Layer 2 switch operation and why it is such an attractive target for attackers. Then, approaches for mitigating a variety of Layer 2 attacks are addressed. These strategies include best practices for securing a Layer 2 network, protecting against VLAN hopping attacks, preventing an attacker from manipulating Spanning Tree Protocol (STP) settings, stopping DHCP server and ARP spoofing, preventing Content Addressable Memory (CAM) table overflow attacks, and disallowing MAC address spoofing. Other switch-related security topics include port security, Switch Port Analyzer (SPAN), Remote SPAN (RSPAN), VLAN access control lists (VACL), private VLANs, rate limiting, and MAC address notification. Cisco Catalyst switches operate at Layer 2 of the OSI model (the Data Link Layer), as illustrated in Figure 6-1. If an attacker were to gain control of an Ethernet switch operating at Layer 2, all the upper layers could be compromised. As a result, Layer...
A4 Although "Yes, sir" is sometimes a necessary response, a better one is to suggest that security through obscurity is not overly valuable, especially when the effects will have an impact on every employee in the company on a day-to-day basis. It is not overly difficult for an attacker to learn the ports actually used; it's certainly much less effort than that required to maintain such an obscure environment.
... protected and why, based on the list of protections installed between the attacker and the host:
Host 1: Attacker, Filtering Router, Firewall, Personal Firewall, Host
Host 2: Attacker, Firewall, Host IDS, Host
9 In the section on the axiom "Everything is a target," you saw the various ways in which a web server could be compromised. Now run through the exercise yourself and list the potential methods an attacker could use to gain access to your internal LAN.
Cause traffic destined for key servers on the Internet to be directed to the attacker's machine by using NAT.
6 Put yourself in the shoes of a...
The characteristics of Layer 2 LAN devices frequently make these devices attractive targets for attackers. If an attacker can compromise Layer 2, he has access to the upper layers. This chapter explores these Layer 2 vulnerabilities and describes methods of mitigating such weaknesses using features available on Cisco Catalyst switches.
In 1985, the concerns of the paranoid among the security community were confirmed. Wim van Eck released a paper confirming that a well-resourced attacker can read the output of a cathode-ray tube (CRT) computer monitor by measuring the electromagnetic radiation (EMR) produced by the device. This isn't particularly easy to do, but it is by no means impossible. Wim's paper can be found here
Buffer overflows are the most common form of application vulnerability. In short, they occur when an application developer fails to do proper bounds checking on the memory buffers an application uses. For example, a typical program might expect 20 bytes of input from the user for a particular memory location. If the user instead sends 300 bytes, the application should drop the other 280 bytes. Unfortunately, if the application has a coding mistake, the 280 bytes can overrun other parts of memory and potentially execute code with the privileges of the original application. If the vulnerable application runs as root, for example, a successful buffer overflow attack usually results in the attacker gaining root privileges. For more detail on buffer overflows, refer to the seminal work on the subject, "Smashing the Stack for Fun and Profit" by Aleph One, which can be found at the following address Buffer overflow attacks earn the highest threat score of any attack in this book. This is...
MAC addresses are sent as clear text per the 802.11 specification. As a result, in wireless LANs that use MAC address authentication, a network attacker might be able to subvert the MAC authentication process by spoofing a valid MAC address. Network attackers can use a protocol analyzer to determine valid MAC addresses that are being used in the network and change their own wireless NICs to use that address (on NICs that support changing the MAC address).
The attacker's PC is connected to interface Gig 0/3, and the attacker wants to receive a copy of the traffic flowing between PC1 and PC2. If the attacker had caused the switch's CAM table to overflow before the switch learned the MAC addresses of PC1 and PC2, traffic between these two PCs would be flooded out all other switch ports, other than the ports the traffic was received on, allowing the attacker's PC to see and capture the traffic, as shown (Figure label: Attacker's PC, MAC BBBB.BBBB.BBBB.) An attacker could launch a CAM table overflow attack using a utility such as macof, which is a component of a suite of utilities called dsniff. The macof utility can generate as many as 155,000 MAC addresses in a minute. After a short time, the switch learns so many MAC addresses from the attacker's PC that the switch's CAM table overflows, thus forcing the flooding of frames with unlearned MAC addresses. This type of attack noticeably impacts network performance, potentially...
(Figure caption: Attacker sees traffic to servers B and D.) This diagram illustrates a CAM table overflow attack. In this figure, the attacker is sending out multiple packets with various source MAC addresses. Over a short period of time, the CAM table in the switch fills up until it cannot accept new entries. As long as the flood is left running, the CAM table on the switch will remain full. When this happens, the switch begins to flood all packets that it receives out of every port, so that packets sent to and from server B and server D are also flooded out of port 3/25 on the switch to which the attacker is attached. In the diagram, the machine of the attacker resides on VLAN 10. The attacker floods MAC addresses to port 3/25 on the switch. When the CAM table threshold is reached, the switch operates as a hub and simply floods traffic out all ports.
Because IP phones are readily accessible and plentiful in many corporate environments, they become attractive targets for attackers. Also, VoIP administrators should be on guard against VoIP variations of spam and phishing (both common in e-mail environments), as well as toll fraud (common in PBX environments). This section details these common attack targets for a VoIP network. Attackers can attempt to maliciously modify VoIP network devices and settings, in addition to intercepting voice streams. For example, an attacker might access or manipulate users in the LDAP directory used by Cisco Unified Communications Manager. This could prevent a user from logging into a Cisco IP Phone (for example, when using the Extension Mobility feature, which allows users to log into a phone and have their profiles applied to that phone). As another example, an attacker might try to gain administrative access to a voice mail system (such as Cisco Unity) and manipulate parameters, such as the voice...
Attackers can place various backdoor Trojan horse programs on systems in a network to enable them to operate from systems within your network. Cisco IDS has three signature engines specifically designed to detect the presence of Trojan horse programs on your network (see Table 6-48). The only one of these engines that has any user-configurable parameters is the Trojan Horse UDP Signature Engine. With the Trojan horse UDP signature, you can configure the Swap Attacker Victim parameter. Since Trojan horse signature engines are highly specialized, you usually do not create custom signatures for them.
Attackers can launch a variety of attacks by initiating an IP spoofing attack. An IP spoofing attack causes an attacker's IP address to appear to be a trusted IP address. For example, if an attacker convinces a host that he is a trusted client, he might gain privileged access to a host. The attacker could also capture traffic, which might include credentials such as usernames and passwords. As another example, you might be familiar with denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. The perpetrators of such attacks might use IP spoofing to help conceal their identities. To understand how an IP spoofing attack is possible, consider the operation of IP and TCP. At Layer 3, the attacker can easily modify his packets to make the source IP address appear to be a trusted IP address. However, TCP, operating at Layer 4, can be more of a challenge. For an attacker to hijack a session being set up between a legitimate originator and a destination, the attacker needs...
A fundamental approach to protecting voice traffic from attackers is to place it in a VLAN separated from data traffic. This voice VLAN is often called an auxiliary VLAN. VLAN separation alone protects voice traffic from a variety of Layer 2 attacks. For example, an attacker would be unable to launch a man-in-the-middle attack against an IP Phone, where the attacker's MAC address claimed to be the MAC address of the IP Phone's next-hop gateway. Such an attack would be mitigated, because the attacker's PC would be connected to a data VLAN while the IP Phone was connected to the auxiliary VLAN. Endpoints, such as Cisco IP Phones, tend to be less protected than other strategic devices (for example, servers) in a voice network. Therefore, attackers often try to gain control of an endpoint and use that as a jumping-off point to attack other systems. An attacker might be able to gain control of a Cisco IP Phone by modifying the image or configuration file used by the phone. Alternatively,...
NAT is used as a first-level security measure because it solves addressing problems and also, by nature, hides inside addresses. Thus, an outside attacker who wants to harm hosts on the inside will not know the target addresses. With PAT, the attacker will not know which combination of port number and IP address is currently assigned to a desired inside host. The NAT device drops any connection attempts to invalid sockets. Caution: NAT/PAT provides only weak security, and sooner or later attackers discover the inside
With the proliferation of new software and new technologies, attackers are constantly uncovering new vulnerabilities and creating custom exploits to take advantage of them. It is because of this ever-changing nature that the first two phases of an attack are constantly evolving. Effectively combating attacks at the probe and penetrate phases requires an administrator to stay current with malicious IPS signatures and firewall defenses. The attack mechanisms generally used in the persist phase and the later phases are much more stable than those employed early on. At these later phases, the malicious activities of an attacker are more limited. Typically, an attack involves making a system call to the kernel to access the system resources. When this occurs, the malicious code may attempt to modify the operating system, modify files, create or alter network connections, or violate
If an attacker is on the same subnet as the target system, he might launch a man-in-the-middle attack. In one variant of a man-in-the-middle attack, the attacker convinces systems to send frames via the attacker's PC. For example, the attacker could send a series of gratuitous ARP (GARP) frames to systems. These GARP frames might claim that the attacker's Layer 2 MAC address was the MAC address of the next-hop router. The attacker could then capture traffic and forward it to the legitimate next-hop router. As a result, the end user might not notice anything suspicious. Another variant of a man-in-the-middle attack is when the attacker connects a hub to a network segment that carries the traffic the attacker wants to capture, as shown in Figure 1-6. Alternatively, an attacker could connect to a Switch Port Analyzer (SPAN) port on a Catalyst switch, which makes copies of specified traffic and forwards them to the configured SPAN port. The attacker could then use a packet-capture utility...
To detect attacks originating from within the Campus module that may result from a workstation compromised by an attacker gaining access through the Internet.
d. To detect attacks originating from outside the Campus module that may result from a workstation compromised by an attacker gaining access through the Internet.
If an attacker uses a feature known as IP source routing, he can specify a complete routing path to be taken between two endpoints. Consider Figure 1-5. The attacker is on a different subnet than the destination host. However, the attacker sends an IP packet with a source route specified in the IP header, which causes the destination host to send traffic back to the spoofed IP address via the route specified. This approach can overcome the previously described challenge that an attacker might have when launching a remote IP spoofing (blind spoofing) attack. There are two forms of source routing:
Loose: The attacker specifies a list of IP addresses through which a packet must travel.
Strict: The IP addresses in the list specified by the attacker are the only IP addresses through which a packet is allowed to travel.
Another type of attack targeted at the switch's CAM table is a MAC address spoofing attack. An attacker sends a frame with a false source MAC address, specifically the MAC address of another device on the network. Under normal conditions, as shown in Figure 6-9, the switch's CAM table contains the correct MAC addresses of the stations attached to the switch's ports. (Figure label: Attacker's PC, MAC BBBB.BBBB.BBBB.) However, Figure 6-10 shows the attacker's PC sending a frame to the switch. It incorrectly shows a source MAC address of DDDD.DDDD.DDDD, which is actually the MAC address of PC2. This frame causes the switch to update its CAM table to show that DDDD.DDDD.DDDD is available off port Gig 0/3, which allows the attacker's PC to start capturing traffic destined for PC2. This condition of the attacker's PC receiving traffic for PC2, as shown in Figure 6-11, is a temporary condition. When PC2 sends...
3. Alice and Bob exchange digitally signed Diffie-Hellman numbers for the purpose of establishing a shared secret. The Diffie-Hellman numbers are signed so that each peer can validate the identity of the other peer. Otherwise, an attacker could masquerade as Bob and perform a Diffie-Hellman exchange with Alice, a man-in-the-middle attack (see "Subverting Diffie-Hellman," earlier in this chapter).
Transport mode protects traffic between two IPsec hosts (between a PC and a server, for example) and does not afford any traffic flow confidentiality. That is, the volume of traffic transmitted from one host to another can easily be observed, even if encryption is used, because the original source and destination addresses are left intact. An attacker could use this data to determine where servers are located, with the assumption that servers transmit and receive more data than clients.
Attackers can attempt to launch an attack by sending gratuitous ARP (GARP) replies. These GARP messages can tell network devices that the attacker's MAC address corresponds to specific IP addresses. For example, the attacker might be able to convince a PC that the attacker's MAC address is the MAC address of the PC's default gateway. As a result, the PC starts sending traffic to the attacker. The attacker captures the traffic and then forwards the traffic to the appropriate default gateway. To illustrate, consider Figure 6-6. PC1 is configured with a default gateway of 192.168.0.1. However, the attacker sends GARP messages to PC1, telling PC1 that the MAC address corresponding to 192.168.0.1 is BBBB.BBBB.BBBB, which is the attacker's MAC address. Similarly, the attacker sends GARP messages to the default gateway, claiming that the MAC address corresponding to PC1's IP address of 192.168.0.2 is BBBB.BBBB.BBBB. This ARP cache poisoning causes PC1 and Router1 to exchange traffic via the...
Even with these basic security services in place, an attacker could still unleash an attack. Should either the trusted code or a trusted path not be present, or become compromised, the operating system and all applications could easily fall victim to hostile code. Adding to your challenge in defending these endpoints is the fact that an operating system might be made more vulnerable if there is a need to provide support for legacy protocols. Standardizing on a proven, modern operating system may help decrease the need for such legacy support.
However, if an attacker connects a rogue DHCP server to the network, the rogue DHCP server can respond to a client's DHCP request. Even though both the rogue DHCP server and the actual DHCP server respond to the request, the client uses the rogue DHCP server's response if it reaches the client before the response from the actual DHCP server. This is shown in Figure 6-5. The DHCP response from an attacker's DHCP server might assign the attacker's IP address as the client's default gateway or DNS server. As a result, the client could be influenced to send traffic to the attacker's IP address. The attacker can then capture the traffic and forward the traffic to an appropriate default gateway. Because, from the client's perspective, everything is functioning correctly, this type of DHCP server spoofing attack can go undetected for a long period of time. Another type of DHCP attack is more of a DoS attack against the DHCP server. Specifically, the attacker can repeatedly request IP address...
Get All The Support And Guidance You Need To Make Sure You Are Safe In This Crazy World! This Book Is One Of The Most Valuable Resources In The World When It Comes To The Art Of Self Defense The Easy Way! Try not to get ensnared in your own little bubble, and be cognizant that there are people outside of your domain. Whether we like it or not, there are individuals out there whose aims are not always advantageous.