Launching a Local IP Spoofing Attack Using a Maninthe Middle Attack

If an attacker is on the same subnet as the target system, he might launch a man-in-the-middle attack. In one variant of a man-in-the-middle attack, the attacker convinces systems to send frames via the attacker's PC. For example, the attacker could send a series of gratuitous ARP (GARP) frames to systems. These GARP frames might claim that the attacker's Layer 2 MAC address was the MAC address of the next-hop router. The attacker could then capture traffic and forward it to the legitimate next-hop router. As a result, the end user might not notice anything suspicious.

Another variant of a man-in-the-middle attack is when the attacker connects a hub to a network segment that carries the traffic the attacker wants to capture, as shown in Figure 1-6. Alternatively, an attacker could connect to a Switch Port Analyzer (SPAN) port on a Catalyst switch, which makes copies of specified traffic and forwards them to the configured SPAN port. The attack could then use a packet-capture utility to capture traffic traveling between end systems. If the captured traffic is in plain text, the attacker might be able to obtain confidential information, such as usernames and passwords.

Figure 1-6 Man-in-the-Middle Attack




SW1 R1 Hub R1



Protecting Against an IP Spoofing Attack

The following approaches can be used to mitigate IP spoofing attacks:

■ Use access control lists (ACL) on router interfaces. As traffic comes into a router from an outside network, an ACL could be used to deny any outside traffic claiming to be addressed with IP addressing used internally on the local network. Conversely, ACLs should be used to prevent traffic leaving the local network from participating in a DDoS attack. Therefore, an ACL could deny any traffic leaving the local network that claimed to have a source address that was different from the internal network's IP address space.

■ Encrypt traffic between devices (for example, between two routers, or between an end system and a router) via an IPsec tunnel. In Figure 1-7, notice that the topology is now protected with an IPsec tunnel. Even though the attacker can still capture packets via his rogue hub, the captured packets are unreadable, because the traffic is encrypted inside the IPsec tunnel.

Figure 1-7 Protecting Traffic in a Tunnel

IPsec Tunnel



IPsec Tunnel





■ Use cryptographic authentication. If the parties involved in a conversation are authenticated, potential man-in-the-middle attackers can be thwarted. Potential attackers will not be successfully authenticated by the other party in the conversation.

Understanding Confidentiality Attacks

A confidentiality attack (see Figure 1-8) attempts to make "confidential" data (such as personnel records, usernames, passwords, credit card numbers, and e-mails) viewable by an attacker. Because an attacker often makes a copy of the data, rather than trying to manipulate the data or crash a system, confidentiality attacks often go undetected. Even if auditing software to track file access were in place, if no one suspected an issue, the audit trail might never be examined.

Figure 1-8 Confidentiality Attack

Figure 1-8 Confidentiality Attack

In Figure 1-8, a web server and a database server have a mutual trust relationship. The database server houses confidential customer information, such as credit card information. As a result, Company A decides to protect the database server (for example, patching known software vulnerabilities) better than the web server. However, the attacker leverages the trust relationship between the two servers to obtain customer credit card information and then make a purchase from Company B using the stolen information. The procedure is as follows:

Step 1 The attacker exploits a vulnerability in Company A's web server and gains control of that server.

Step 2 The attacker uses the trust relationship between the web server and the database server to obtain customer credit card information from the database server.

Step 3 The attacker uses the stolen credit card information to make a purchase from Company B.

Table 1-8 identifies several methods that attackers might use in a confidentiality attack.

— Table 1-8 Confidentiality Attack Strategies f Key _"__

Table 1-8 identifies several methods that attackers might use in a confidentiality attack.



Packet capture

A packet-capture utility (such as Wireshark, available at http:// can capture packets visible by a PC's network interface card (NIC) by placing the NIC in promiscuous mode. Some protocols (for example, Telnet and HTTP) are sent in plain text. Therefore, an attacker can read these types of captured packets, perhaps allowing him to see confidential information.

Ping sweep and port scan

A confidentiality attack might begin with a scan of network resources, to identify attack targets on a network. A ping sweep could be used to ping a series of IP addresses. Ping replies might indicate to an attacker that network resources can be reached at those IP addresses. As soon as a collection of IP addresses is identified, the attacker might scan a range of UDP and/or TCP ports to see what services are available on the host at the specified IP addresses. Also, port scans often help attackers identify the operating system running on the target system.

Dumpster diving

Because many companies throw away confidential information, without proper shredding, some attackers rummage through company dumpsters in hopes of discovering information that could be used to compromise network resources.

Electromagnetic interference (EMI) interception

Because data is often transmitted over wire (for example, unshielded twisted-pair), attackers can sometimes copy information traveling over the wire by intercepting the EMI being emitted by the transmission medium. These EMI emissions are sometimes called "emanations."

Table 1-8 Confidentiality Attack Strategies (Continued)

Table 1-8 Confidentiality Attack Strategies (Continued)




If an attacker gains physical access to a wiring closet, he might physically tap into telephone cabling to eavesdrop on telephone conversations. Or he might insert a shared media hub inline with a network cable. This would let him connect to the hub and receive copies of packets flowing through the network cable.

Social engineering

Attackers sometimes use social techniques (which often leverage people's desire to be helpful) to obtain confidential information. For example, an attacker might pose as a member of the IT department and ask a company employee for her login credentials "for the IT staff to test the connection."

Sending information over overt channels

An attacker might send or receive confidential information over a network using an overt channel. An example of using an overt channel is tunneling one protocol inside another (for example, sending instant messaging traffic via HTTP). Steganography is another example of sending information over an overt channel. An example of steganography is sending a digital image made up of millions of pixels, with "secret" information encoded in specific pixels. Only the sender and receiver know which pixels represent the encoded information.

Sending information over covert channels

An attacker might send or receive confidential information over a network using a covert channel, which can communicate information as a series of codes and/or events. For example, binary data could be represented by sending a series of pings to a destination. A single ping within a certain period of time could represent a binary 0, and two pings within that same time period could represent a binary 1.

Understanding Integrity Attacks

Integrity attacks attempt to alter data (that is, compromise its integrity). Figure 1-9 shows an example of an integrity attack.

Figure 1-9 Integrity Attack



Figure 1-9 Integrity Attack

Banking Customer (Account # 12345)

Traffic diverted to attacker due to a man-in-the-middle attack.

In the figure, an attacker has launched a man-in-the-middle attack (as previously described). This attack causes data flowing between the banking customer and the banking server to be sent via the attacker's computer. The attacker then can not only intercept but also manipulate the data. In the figure, notice that the banking customer attempts to deposit $500 into her account. However, the attacker intercepts and changes the details of the transaction, such that the instruction to the banking server is to deposit $5,000 in the attacker's account.

The following list describes methods that attackers might leverage to conduct an integrity attack:

■■— ■ Salami attack: This is a collection of small attacks that result in a larger attack when

Key "

Topic combined. For example, if an attacker had a collection of stolen credit card numbers, he could withdraw small amounts of money from each credit card (possibly unnoticed by the credit card holders). Although each withdrawal is small, they add up to a significant sum for the attacker.

■ Data diddling: The process of data diddling changes data before it is stored in a computing system. Malicious code in an input application or virus could perform data diddling. For example, a virus, Trojan horse, or worm could be written to intercept keyboard input. It would display the appropriate characters on-screen so that the user would not see a problem. However, manipulated characters would be entered into a database application or sent over a network.

■ Trust relationship exploitation: Different devices in a network might have a trust relationship between themselves. For example, a certain host might be trusted to communicate through a firewall using specific ports, while other hosts are denied passage through the firewall using those same ports. If an attacker could compromise the host that had a trust relationship with the firewall, the attacker could use the compromised host to pass normally denied data through a firewall. Another example of a trust relationship is a web server and a database server mutually trusting one another. In that case, if the attacker gained control of the web server, he might be able to leverage that trust relationship to compromise the database server.

■ Password attack: A password attack, as the name suggests, attempts to determine a user's password. As soon as the attacker gains the username and password credentials, he can attempt to log into a system as that user, and therefore inherit that user's set of permissions. Various approaches are available for determining passwords:

— Trojan horse: A program that appears to be a useful application captures a user's password and then makes it available to the attacker.

— Packet capture: A packet-capture utility can capture packets seen on a PC's NIC. Therefore, if the PC can see a copy of a plain-text password being sent over a link, the packet-capture utility can be used to glean the password.

— Keylogger: A keylogger is a program that runs in the background of a computer, logging the user's keystrokes. After a user enters a password, it is stored in the log created by the keylogger. An attacker then can retrieve the log of keystrokes to determine the user's password.

— Brute force: A brute-force password attack tries all possible password combinations until a match is made. For example, the brute-force attack might start with the letter a and go through to the letter z. Then the letters aa through zz are attempted, until a password is determined. Therefore, using a mixture of uppercase and lowercase letters in passwords, in addition to special characters and numbers, can help mitigate a brute-force attack.

— Dictionary attack: A dictionary attack is similar to a brute-force attack, in that multiple password guesses are attempted. However, the dictionary attack is based on a dictionary of commonly used words, rather than the brute-force method of trying all possible combinations. Picking a password that is not a common word can help mitigate a dictionary attack.

■ Botnet: A software "robot" typically is thought of as an application on a machine that can be controlled remotely (for example, a Trojan horse or a back door in a system). If a collection of computers is infected with such software robots, called "bots," this collection of computers (each of which is called a "zombie") is known as a "botnet." Because of the potentially large size of a botnet, it might compromise the integrity of a large amount of data.

■ Hijacking a session: Earlier in this chapter, you read about how an attacker could hijack a TCP session (for example, by completing the third step in the three-way TCP handshake process between an authorized client and a protected server). If an attacker successfully hijacked a session of an authorized device, he might be able to maliciously manipulate data on the protected server.

Understanding Availability Attacks

Availability attacks attempt to limit a system's accessibility and usability. For example, if an attacker could consume the processor or memory resources on a target system, that system would be unavailable to legitimate users.

Availability attacks vary widely, from consuming the resources of a target system to doing physical damage to that system. Attackers might employ the following availability attacks:

.— ■ Denial of service (DoS): An attacker can launch a DoS attack on a system by sending

Topic the target system a flood of data or requests that consume the target system s resources.

Alternatively, some operating systems and applications might crash when they receive specific strings of improperly formatted data, and the attacker could leverage such operating system and/or application vulnerabilities to render a system or application inoperable. The attacker often uses IP spoofing to conceal his identity when launching a DoS attack, as shown in Figure 1-10.

Figure 1-10 Denial-of-Service Attack Attacker with Spoofed Target

Figure 1-10 Denial-of-Service Attack Attacker with Spoofed Target

Flood of Requests

■ Distributed denial of service (DDoS): DDoS attacks can increase the amount of traffic flooded to a target system. Specifically, the attacker compromises multiple systems. The attacker can instruct those compromised systems, called "zombies," to simultaneously launch a DDoS attack against a target system.

■ TCP SYN flood: Earlier in this chapter you reviewed the three-way TCP handshake process. One variant of a DoS attack is for an attacker to initiate multiple TCP sessions by sending SYN segments but never completing the three-way handshake. As illustrated in Figure 1-11, the attack can send multiple SYN segments to a target system, with false source IP addresses in the header of the SYN segment. Because many servers limit the number of TCP sessions they can have open simultaneously, a SYN flood can render a target system incapable of opening a TCP session with a legitimate user.

Figure 1 -11 TCP SYN Flood Attack

SYN (Source IP:

SYN (Source IP:


SYN (Source IP:


■ ICMP attacks: Many networks permit the use of ICMP traffic (for example, ping traffic), because pings can be useful for network troubleshooting. However, attackers can use ICMP for DoS attacks. One ICMP DoS attack variant called "the ping of death" uses ICMP packets that are too big. Another variant sends ICMP traffic as a series of fragments in an attempt to overflow the fragment reassembly buffers on the target device. Also, a "Smurf attack" can use ICMP traffic directed to a subnet to flood a target system with ping replies, as shown in Figure 1-12. Notice in the figure that the attacker sends a ping to the subnet broadcast address of This collection of pings instructs devices on that subnet to send their ping replies to the target system at IP address, thus flooding the target system's bandwidth and processing resources.

NOTE For illustrative purposes, Figure 1-12 shows only three systems in the subnet being used for the Smurf attack. However, realize that thousands of systems could potentially be involved and send ping replies to the target system.

Figure 1-12 Smurf Attack

Figure 1-12 Smurf Attack

■ Electrical disturbances: At a physical level, an attacker could launch an availability attack by interrupting or interfering with the electrical service available to a system. For example, if an attacker gained physical access to a data center's electrical system, he might be able to cause a variety of electrical disturbances:

— Power spike: Excess power for a brief period of time

— Electrical surge: Excess power for an extended period of time

— Power fault: A brief electrical outage

— Blackout: An extended electrical outage

— Power sag: A brief reduction in power

— Brownout: An extended reduction in power

To combat such electrical threats, Cisco recommends that you install uninterruptible power supplies (UPS) and generator backups for strategic devices in your network. Also, you should routinely test the UPS and generator backups.

■ Attacks on a system's physical environment: Attackers could also intentionally damage computing equipment by influencing the equipment's physical environment. For example, attackers could attempt to manipulate such environmental factors as the following:

— Temperature: Because computing equipment generates heat (for example, in data centers or server farms), if an attacker interferes with the operation of the air conditioning system, the computing equipment could overheat.

— Humidity: Because computing equipment is intolerant of moisture, an attacker could, over time, cause physical damage to computing equipment by creating a high level of humidity in the computing environment.

— Gas: Because gas can often be flammable, if an attacker injects gas into a computing environment, small sparks in that environment could cause a fire.

Consider the following recommendations to mitigate such environmental threats:

— Computing facilities should be locked (and inaccessible via a dropped ceiling, a raised floor, or any other way other than a monitored point of access).

— Access should require access credentials (for example, via a card swipe or a fingerprint scan).

— Access points should be visually monitored (for example, via local security personnel or remotely via a camera system).

— Climate control systems should maintain temperature and humidity and send alerts if specified temperature and humidity thresholds are exceeded.

— The fire detection and suppression systems should be designed not to damage electronic equipment.

Best-Practice Recommendations

You now have a fundamental understanding of threats targeting network and computing environments. Cisco recommends the following best practices to help harden the security of your network:

.— ■ Routinely apply patches to operating systems and applications.

Key Topic

■ Disable unneeded services and ports on hosts.

■ Require strong passwords, and enable password expiration.

■ Protect the physical access to computing and networking equipment.

■ Enforce secure programming practices, such as limiting valid characters that can be entered into an application's dialog box.

■ Regularly back up data, and routinely verify the integrity of the backups.

■ Train users on good security practices, and educate them about social engineering tactics.

■ Use strong encryption for sensitive data.

■ Defend against technical attacks by deploying hardware- and software-based security systems (for example, firewalls, IPS sensors, and antivirus software).

■ Create a documented security policy for company-wide use.

0 0

Post a comment