Vulnerabilities, Attacks, and Common Exploits

This section covers some of the vulnerabilities in TCP/IP and the tools used to exploit IP networks.

TCP/IP is an open standard protocol, which means that both network administrators and intruders are aware of the TCP/IP architecture and vulnerabilities.

NOTE There are a number of network vulnerabilities, such as insufficient password protection, lack of authentication mechanisms, use of unprotected routing protocols, and firewall holes. This section concentrates on TCP/IP vulnerabilities.

Network intruders can capture, manipulate, and replay data. Intruders typically try to cause as much damage to a network as possible by using the following methods:

■ Vandalizing—Accessing the web server and altering web pages.

■ Manipulating or modifying data—Altering the files on a network device.

■ Masquerading—Manipulating TCP/IP segments to pretend to be at a valid IP address.

■ Session replay—Capturing, altering, and replaying a sequence of packets to cause unauthorized access. This method identifies weaknesses in authentication.

■ Session hijacking—Taking over a session after it has been established to the real IP address, by spoofing IP packets from that valid address and manipulating the sequence numbers so that the intruder appears to be the legitimate endpoint.

■ Rerouting—Routing packets from one source to an intruder source or altering routing updates to send IP packets to an incorrect destination, allowing the intruder to read and use the IP data inappropriately.

The following are some of the attack methods and types of attacks intruders use:

■ Probes and scans

■ Denial-of-service (DoS) attacks

■ Compromises

■ Malicious code (such as viruses)

■ Misconfiguration of protocols

■ Network monitor tools to log all packets

As described in Chapter 5, "Operating Systems and Cisco Security Applications," network scanners and tools are available to both network administrators and intruders. These tools can be placed at strategic points in the network to gain access to sensitive data. Cisco Secure Scanner, for example, can be used to find network vulnerabilities; if you are not aware of those vulnerabilities, an intruder can use the same tool to do as much harm as it does network administrators good.

DoS attacks are the most common form of attack used by intruders and can take many forms. The intruder's goal is to ultimately deny access to authorized users and tie up valuable system resources.

Figure 7-1 displays several techniques deployed in DoS attacks.

Figure 7-1 Forms of Denial-of-Service Attack

[Figure 7-1: a private network of hosts or bastion hosts and authorized users sits behind a vulnerable Cisco IOS router connected to the Internet. The figure lists the following forms of DoS attack: TCP SYN flood attacks, WinNuke, Land.C, Ping of Death, Chargen attacks, DNS poisoning.]

Figure 7-1 displays a typical network scenario in which a router is connected to the Internet and all users have access to hosts in a public domain. A bastion host is a computer or host, such as a UNIX host, that plays a critical role in enforcing any organization's network security policy. Because bastion hosts are directly exposed to untrusted and unknown networks, and thus the first line of defense in the network, they are typically highly secured (including physically, in secure computer rooms). Bastion hosts often provide services to Internet users, such as web services, and provide public access systems, such as FTP or SMTP mail. Because these computers are likely to be attacked, they are often referred to as sacrificial hosts.

The intruder in Figure 7-1 attacks the authorized users and hosts (or bastion hosts) behind a router by using a number of methods, including the following:

■ Ping of death—Attack that sends an improperly large Internet Control Message Protocol (ICMP) echo request packet with the intent of overflowing the input buffers of the destination machine and causing it to crash. The IP header field is set to 1, the last fragment bit is set, and the data length is greater than 65,535, which is greater than the maximum allowable IP packet size.

■ TCP SYN flood attack—DoS attack that randomly opens a number of TCP ports so that network devices spend CPU cycles on bogus requests. With the remote host's resources tied up in this way, legitimate users experience poor network response or are denied access. This type of attack can make the host unusable.

■ E-mail attack—DoS attack that sends a random number of e-mails to a host. E-mail attacks try to fill an inbox with bogus e-mails, ensuring that the end user cannot send mail while thousands of e-mails (an e-mail bomb) are received. The most recent style of e-mail attack is the e-mail bounce attack. This is achieved by sending a large attachment to a list of bogus e-mail addresses and putting the victim in the Reply To field using options in the mail client. Helpful, high-capacity e-mail servers (such as AOL) return the attachment. Thus, one copy goes out and the victim gets back one for every name on the Cc list.

■ CPU-intensive attack—DoS attack that ties up a system's resources by using a program, such as a Trojan horse (a program designed to capture usernames/passwords from a network), or by enabling viruses to disable remote systems. A new variation of this attack, called BOINK, sends a file one data byte per packet and sends the packets out of sequence. The host's CPU utilization then goes to 100 percent as the destination host tries to reassemble the file. By sending many simultaneous BOINK packets, the attacker can crash a very high-powered server and cause loss of data.

■ Teardrop—Exploits an overlapping IP fragment implementation bug in various operating systems. The exploit causes the TCP/IP fragmentation reassembly code to improperly handle overlapping IP fragments, causing the host to hang or crash.

■ DNS poisoning—Exploits the DNS server, causing the server to return a false IP address to a domain name query.

■ UDP bomb—Sends an illegal Length field in the packet header, causing kernel panic and crash. This is an old attack but attackers do upgrade their own attack tools.

■ Distributed denial-of-service (DDoS) attack—DoS attack that the attacker runs from multiple hosts. The attacker first compromises vulnerable hosts using various tools and techniques. Then, the actual DoS attack on a target is run from the pool of all the compromised hosts.

■ Chargen attack—Establishes a connection to a host via TCP or UDP and attempts to generate a stream of data output. Typically, the command used is telnet ip-address chargen. Most security-conscious networks turn this service off on all Cisco IOS-enabled devices.

■ Attack via dialup (out of band)—Using any form of dialup access exposes your network to attackers, because dialup connections are allocated an IP address, thus making your network reachable. Although less common these days because the Internet has expanded so dramatically, attack via dialup is still a cause for concern if the connection is not secured correctly. Even the most basic step, turning off the modem when not in use, is a valid security option. Other forms of security include using RSA tokens and certificates.

■ Land.C attack—A program designed to send TCP SYN packets (TCP SYN is used in the TCP connection phase) that specify the target's host address as both source and destination.

NOTE Some of the attacks in this list are old and are described here as examples only. Ensure that you check the http://www.cert.org website for the latest style of attacks reported.

DoS attacks overwhelm an end device with a number of incomplete and illegal connections or requests so that it cannot respond to legitimate traffic. They send more traffic than the host can process, including excessive mail requests, excessive UDP packets, and excessive ICMP pings with very large data packet sizes, to render a remote host unusable.
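Several of the attacks in the list above (Land.C, ping of death, teardrop, UDP bomb) depend on packets that a correct TCP/IP stack would never produce, so a firewall or sensor can flag them with a few header sanity checks plus a small amount of per-datagram fragment state. The following Python script is an added example, not code from the book or from Cisco: it builds sample IPv4 packets with struct (the addresses, ports and finding labels are constructed for the example) and runs those checks over them.

```python
"""Sanity checks for malformed-packet DoS attacks (added example, not from the book).

Each check corresponds to one attack described in the text: Land (SYN with
source == destination), ping of death (fragment placed past 65,535 bytes),
teardrop (overlapping fragments) and UDP bomb (illegal UDP Length field).
Packets are hand-built with struct so the script runs offline.
"""
import socket
import struct

IP_MAX_LEN = 65535   # largest IPv4 datagram (RFC 791)
TCP_SYN = 0x02
TCP_ACK = 0x10


def build_ipv4(src, dst, proto, payload, ident=1, mf=False, frag_offset=0):
    """Minimal 20-byte IPv4 header plus payload (checksum left zero for the demo)."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(sport, dport, data, length=None):
    """UDP header; `length` lets the demo forge an illegal Length field."""
    if length is None:
        length = 8 + len(data)
    return struct.pack("!HHHH", sport, dport, length, 0) + data


def parse_ipv4(pkt):
    """Decode the fields the checks need from a raw IPv4 packet."""
    (vihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "mf": bool(flags_frag & 0x2000),
            "offset": (flags_frag & 0x1FFF) * 8,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": pkt[ihl:total_len]}


class FragmentTracker:
    """Remembers the byte ranges seen per datagram to spot oversize and overlap."""

    def __init__(self):
        self.seen = {}   # (src, dst, id, proto) -> list of (start, end)

    def check(self, ip):
        findings = []
        if not ip["mf"] and ip["offset"] == 0:
            return findings   # unfragmented datagram, nothing to track
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        start, end = ip["offset"], ip["offset"] + len(ip["payload"])
        if end > IP_MAX_LEN:
            findings.append("ping-of-death: reassembled size exceeds 65535")
        if any(start < e and s < end for s, e in self.seen.get(key, [])):
            findings.append("teardrop: overlapping fragment")
        self.seen.setdefault(key, []).append((start, end))
        return findings


def check_packet(pkt, tracker):
    """Return the list of findings for one raw IPv4 packet (empty if clean)."""
    ip = parse_ipv4(pkt)
    findings = tracker.check(ip)
    p = ip["payload"]
    if ip["proto"] == 6 and ip["offset"] == 0 and len(p) >= 20:
        sport, dport = struct.unpack("!HH", p[:4])
        flags = p[13]
        if flags & TCP_SYN and not flags & TCP_ACK and ip["src"] == ip["dst"] and sport == dport:
            findings.append("land: SYN with source == destination")
    elif ip["proto"] == 17 and ip["offset"] == 0:
        if len(p) < 8:
            findings.append("udp-bomb: truncated UDP header")
        elif not 8 <= struct.unpack("!H", p[4:6])[0] <= len(p):
            findings.append("udp-bomb: illegal UDP Length field")
    return findings


def run_demo():
    """Constructed sample packets; returns {label: findings} in arrival order."""
    tracker = FragmentTracker()
    samples = {
        "normal_syn": build_ipv4("10.1.1.5", "192.0.2.10", 6, build_tcp(40000, 80, TCP_SYN)),
        "land": build_ipv4("192.0.2.10", "192.0.2.10", 6, build_tcp(139, 139, TCP_SYN)),
        "udp_bomb": build_ipv4("10.1.1.5", "192.0.2.10", 17, build_udp(53, 53, b"x" * 10, length=2000)),
        # last fragment of an echo request whose end lands past the 65,535-byte limit
        "ping_of_death": build_ipv4("10.1.1.5", "192.0.2.10", 1, b"\x00" * 100, ident=7, frag_offset=8185),
        # two ICMP fragments of datagram 9 covering bytes 0-39 and 16-55 (overlap)
        "teardrop_a": build_ipv4("10.1.1.5", "192.0.2.10", 1, b"\x00" * 40, ident=9, mf=True),
        "teardrop_b": build_ipv4("10.1.1.5", "192.0.2.10", 1, b"\x00" * 40, ident=9, frag_offset=2),
    }
    return {label: check_packet(pkt, tracker) for label, pkt in samples.items()}


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(f"{label:14s} {findings or 'clean'}")
```

The fragment tracker is the part a real sensor must bound: the table keyed by (source, destination, ID, protocol) grows with every fragmented datagram, so production code ages entries out after a reassembly timeout, otherwise a flood of fragments becomes a DoS against the detector itself.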

Many other known and unknown attack methods and terms exist. Here are a few more you should be aware of for the written exam:

■ Spoof attack—The attacker creates IP packets with an address obtained (or spoofed) from a legitimate source. This attack is powerful in situations where a router connects to the Internet with one or more internal addresses. The real solution to this form of attack is to track down the source device and stop the attack. The spoofed address is actually a valid address for the network. Filtering as described in RFC 1918 and RFC 2827 should be implemented to avoid this style of attack.

■ Smurf attack—Named after its exploit program, the smurf attack is one of the most recent in the category of network-level attacks against hosts. In this attack, an intruder sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, which all have a victim's spoofed source address. For more recent details on this form of attack and many others, go to http://www.cert.org/advisories/.

Smurf attacks include a primary and a secondary victim and are extremely damaging to any IP network. Smurf attacks result in a large number of broadcast ICMP packets, and if routers are configured to forward broadcasts, the result can be a degraded network and poor performance between the primary and secondary victims. A quick solution is to disable IP directed broadcasts; this is the default behavior in Cisco IOS 12.1 and higher.

■ Man-in-the-middle attack—An attack in which an attacker is able to read and modify at will messages between two parties without either party knowing that the link between them has been compromised. The attacker must be able to observe and intercept messages going between the two victims. Man-in-the-middle attacks are particularly problematic for devices in the public domain running cryptography. An attacker may create mischief and compromise the integrity of data flowing between two trusted devices.

■ Birthday attack—Class of brute-force attacks. It gets its name from the surprising fact that the probability that two or more people in a group of 23 share the same birthday is greater than 50 percent; this result is called the birthday paradox. The attacker presents what appears to be a legitimate document from a trusted source for signing. After the device has signed, the attacker takes the signature and attaches it to a fraudulent contract. This signature then "proves" that the trusted and compromised host signed the fraudulent contract.
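The birthday paradox figure quoted above, and the reason it matters for signatures, can be checked with a short calculation. The following Python script is an added example, not code from the book: it computes the exact probability for a group of a given size, finds the smallest group that passes 50 percent, and generalizes the same arithmetic to a digest of b bits, where a collision is expected after roughly 2^(b/2) random messages rather than 2^b, which is why the attacker only needs to prepare two documents that hash alike rather than forge a signature outright.

```python
"""Birthday-paradox arithmetic behind the birthday attack (added example, not from the book)."""
from math import log, log2, sqrt


def p_shared_birthday(n, days=365):
    """Exact probability that at least two of n people share a birthday.

    P(all distinct) = 365/365 * 364/365 * ... * (365-n+1)/365; the complement
    is the probability of at least one shared birthday.
    """
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (days - i) / days
    return 1.0 - p_all_distinct


def smallest_group(days=365, target=0.5):
    """Smallest group size whose shared-birthday probability exceeds target."""
    n = 1
    while p_shared_birthday(n, days) <= target:
        n += 1
    return n


def collision_samples(bits, target=0.5):
    """Approximate number of random b-bit digests needed before two collide
    with probability `target`: n ~= sqrt(2 * 2**bits * ln(1 / (1 - target))).
    For target 0.5 this is about 1.18 * 2**(bits/2)."""
    space = 2.0 ** bits
    return sqrt(2.0 * space * log(1.0 / (1.0 - target)))


def collision_exponent(bits, target=0.5):
    """log2 of collision_samples: the effective work factor in bits."""
    return log2(collision_samples(bits, target))


if __name__ == "__main__":
    print(f"23 people: P(shared birthday) = {p_shared_birthday(23):.4f}")
    print(f"smallest group over 50%: {smallest_group()}")
    for b in (64, 128, 256):
        print(f"{b}-bit digest: collision after ~2^{collision_exponent(b):.1f} messages")
```

Run as a script it prints the 23-person result and the collision work factor for 64-, 128- and 256-bit digests; the last column is what decides how long a hash a signature scheme needs, since an attacker who can afford 2^(b/2) trial documents can find a matching pair.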
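The spoof and smurf items earlier in this list both come down to a router accepting packets it can tell are bogus: a source address from inside your own prefix or from RFC 1918 space arriving on the Internet-facing interface, or an ICMP echo request aimed at a subnet broadcast address. The following Python script is an added example, not code from the book or from Cisco IOS: it models the RFC 2827 ingress/egress filter and the directed-broadcast check as a decision function over constructed packets, with the site prefixes (203.0.113.0/24 and its two subnets, all documentation addresses) assumed for the example.

```python
"""Anti-spoofing and directed-broadcast filter (added example, not from the book)."""
import ipaddress

# Assumed site layout for the example: our own prefix and the subnets on which
# a forwarded directed broadcast would be amplified into many echo replies.
INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")
LOCAL_SUBNETS = [ipaddress.ip_network("203.0.113.0/25"),
                 ipaddress.ip_network("203.0.113.128/25")]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]   # RFC 1918


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of our subnets."""
    return any(dst == net.broadcast_address for net in LOCAL_SUBNETS)


def filter_packet(iface, src, dst, icmp_echo=False):
    """Return ("forward", None) or ("drop", reason) for one packet.

    iface is "outside" (Internet-facing) or "inside" (our own hosts).
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface == "outside":
        # RFC 2827 ingress: no host on the Internet legitimately sources our prefix
        if src in INTERNAL_NET:
            return "drop", "rfc2827: spoofed internal source from outside"
        # RFC 1918 space is not routed on the Internet, so such a source is bogus
        if any(src in net for net in PRIVATE_NETS):
            return "drop", "rfc1918: private source address from Internet"
    elif iface == "inside":
        # RFC 2827 egress: keep our own hosts from spoofing someone else's prefix
        if src not in INTERNAL_NET:
            return "drop", "rfc2827: egress packet with non-local source"
    # Same effect as disabling IP directed broadcasts: an echo request to a
    # subnet broadcast address is what a smurf amplifier needs, so never forward it.
    if icmp_echo and is_directed_broadcast(dst):
        return "drop", "smurf: echo request to directed broadcast address"
    return "forward", None


def run_demo():
    """Constructed sample packets: (interface, src, dst, is ICMP echo request)."""
    samples = {
        "legit_web": ("outside", "198.51.100.7", "203.0.113.10", False),
        "spoofed_internal": ("outside", "203.0.113.10", "203.0.113.20", False),
        "private_src": ("outside", "10.9.9.9", "203.0.113.10", False),
        "smurf_amplify": ("outside", "198.51.100.7", "203.0.113.255", True),
        "egress_spoof": ("inside", "192.0.2.1", "198.51.100.7", False),
        "normal_ping": ("inside", "203.0.113.10", "198.51.100.7", True),
    }
    return {label: filter_packet(*fields) for label, fields in samples.items()}


if __name__ == "__main__":
    for label, (action, reason) in run_demo().items():
        print(f"{label:17s} {action:8s} {reason or ''}")
```

The ingress rule is the part that actually stops the spoof attack described above: once the router refuses packets claiming an internal source on the outside interface, the "valid address for the network" trick no longer works, and the egress rule does the same favour for the rest of the Internet by keeping your hosts from becoming the spoofed source in someone else's smurf attack.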
