Vulnerabilities, Attacks, and Common Exploits

This section covers some of the vulnerabilities in TCP/IP and the tools used to exploit IP networks.

TCP/IP is an open standard protocol, which means that both network administrators and intruders are aware of the TCP/IP architecture and vulnerabilities.

NOTE There are a number of network vulnerabilities, such as weak password protection, lack of an authentication mechanism, use of unprotected routing protocols, and firewall holes. This section concentrates on TCP/IP vulnerabilities.

Network intruders can capture, manipulate, and replay data. Intruders typically try to cause as much damage to a network as possible by using the following methods:

• Vandalizing—Accessing the web server and altering web pages.

• Manipulating data—Altering the files on a network device.

• Masquerading—Manipulating TCP/IP segments to pretend to be at a valid IP address.

• Session replay—Capturing, altering, and replaying a sequence of packets to cause unauthorized access. This method identifies weaknesses in authentication.

• Session hijacking—Taking over a session after it has been established to the real IP address, by spoofing IP packets from a valid IP address and manipulating the TCP sequence numbers carried in the IP packets.

• Rerouting—Redirecting packets from their intended destination to the intruder's host; altering routing updates to send IP packets to an incorrect destination, allowing the intruder to read and use the IP data inappropriately.

The following are some of the attacking methods intruders use:

• Probes and scans

• Denial-of-Service (DoS) attacks (covered in more detail later)

• Compromises

• Malicious code (such as viruses)

As described in Chapter 6, "Operating Systems and Cisco Security Applications," network scanners and tools are available to both network administrators and intruders. These tools can be placed at strategic points in the network and used to gain access to sensitive data. NetSonar, for example, can find network vulnerabilities; in an intruder's hands it can therefore do as much harm as it does good for network administrators if you are not aware of the vulnerabilities it reveals.

DoS attacks are the most common form of attack used by intruders and can take many forms. The intruder's goal is to ultimately deny access to authorized users and tie up valuable system resources.

Figure 8-1 displays several techniques deployed in DoS attacks.

Figure 8-1 Forms of Denial of Service Attack (figure showing the private network, the host or bastion hosts, and the authorized users; the attacks depicted are TCP SYN flood, WinNuke, Land.C, Ping of Death, Chargen attacks, and DNS poisoning)

Figure 8-1 displays a typical network scenario in which a router is connected to the Internet and all users have access to hosts in a public domain. A bastion host is a computer or host, such as a UNIX host, that plays a critical role in enforcing an organization's network security policy. Bastion hosts are typically highly secured (including physically, in secure computer rooms) because they are exposed to untrusted or unknown networks, are the first line of defense, and are therefore vulnerable to attack. Bastion hosts often provide services to Internet users, such as Web services (WWW), and public access systems, such as FTP or SMTP mail. Because these computers are likely to be attacked, they are often referred to as sacrificial hosts.


The intruder in Figure 8-1 attacks the authorized users and hosts (or bastion host) behind a router by a number of methods, including the following:

• Ping of death—An attack that sends an improperly large ICMP echo request packet with the intent of overflowing the input buffers of the destination machine and causing it to crash. The IP header Protocol field is set to 1 (ICMP), the last-fragment bit is set, and the data length is greater than 65,535 bytes, the maximum allowable IP packet size.

• TCP SYN flood attacks—This form of DoS attack opens a large number of TCP connection requests to random ports so that network devices spend CPU cycles on bogus requests. With the remote host's resources tied up in this way, legitimate users experience poor network response or are denied access, and the host can become unusable.

• E-mail attacks—This form of DoS attack sends a random number of e-mails to a host, attempting to fill the inbox with bogus messages so that the end user cannot send mail while thousands of e-mails (an e-mail bomb) are received.

• CPU-intensive attacks—This DoS attack ties up system resources by using programs such as a Trojan (a program designed to capture usernames and passwords from a network) or by enabling viruses to disable remote systems.

• Teardrop—Exploits an overlapping IP fragment implementation bug in various operating systems. The bug causes the TCP/IP fragmentation reassembly code to handle overlapping IP fragments improperly, causing the host to hang or crash.

• DNS poisoning—The attacker exploits the DNS server, causing the server to return a false IP address to a domain name query.

• UDP bomb—Sends a UDP packet with an illegal length field in its header, causing a kernel panic and crash.

• Distributed Denial of Service (DDoS)—These DoS attacks are run by multiple hosts. The attacker first compromises vulnerable hosts using various tools and techniques. Then, the actual DoS attack on a target is run from the pool of compromised hosts.

• Chargen attacks—Abuse the character generator (chargen) service, which runs over User Datagram Protocol (UDP) and answers every datagram it receives with a stream of characters; the resulting volume of output can cause congestion on a network.

• Attacks via dialup (out of band)—Operating systems such as Windows 95 have a built-in vulnerability on port 139 (exploited by the program known as WinNuke, which sends out-of-band data to that port) if the intruder can ascertain the target's IP address.

• Land.C attacks—A program designed to send TCP SYN packets (TCP SYN is used in the TCP connection setup phase) that specify the target's host address as both source and destination. This program can use TCP port 113 or 139 as both source and destination port, which can also cause a system to stop functioning.
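The ping of death and teardrop entries above both describe malformed IP fragment trains. As an added example (not code from the original text), the following Python check parses constructed IPv4 fragment headers and flags the two conditions a reassembly path has to reject: a reassembled datagram that would exceed 65,535 bytes, and a fragment that overlaps data already claimed by an earlier one. The sample headers and addresses are constructed for the demonstration.

```python
import struct
from typing import Dict, List

IP_MAX_LEN = 65535   # maximum IPv4 packet size (the limit a ping of death exceeds)
PROTO_ICMP = 1       # value of the IP header Protocol field for ICMP

def parse_ipv4_header(raw: bytes) -> Dict[str, int]:
    """Decode the fields of a 20-byte IPv4 header needed for fragment checks."""
    ver_ihl, _tos, total_len, _ident, flags_off, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "proto": proto,
        "more_fragments": (flags_off >> 13) & 0x1,  # MF flag; clear on the final fragment
        "offset": (flags_off & 0x1FFF) * 8,         # offset field counts 8-byte units
        "payload_len": total_len - ihl,
    }

def check_fragments(headers: List[bytes]) -> List[str]:
    """Return findings for one fragment train (all fragments of a single datagram)."""
    frags = sorted((parse_ipv4_header(h) for h in headers), key=lambda f: f["offset"])
    findings, prev_end = [], 0
    for f in frags:
        start, end = f["offset"], f["offset"] + f["payload_len"]
        # Ping of death: the reassembled length would exceed the 65,535-byte maximum
        if end > IP_MAX_LEN:
            kind = "ICMP" if f["proto"] == PROTO_ICMP else f"proto {f['proto']}"
            findings.append(f"oversize reassembly ({kind}): fragment ends at byte {end}")
        # Teardrop: this fragment starts inside data already claimed by an earlier one
        if start < prev_end:
            findings.append(f"overlapping fragment: starts at {start}, previous ends at {prev_end}")
        prev_end = max(prev_end, end)
    return findings

def make_header(total_len: int, offset_units: int, more_fragments: int,
                proto: int = PROTO_ICMP) -> bytes:
    """Build a constructed IPv4 header for the demo (sample data, not captured traffic)."""
    flags_off = (more_fragments << 13) | (offset_units & 0x1FFF)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_off, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))

if __name__ == "__main__":
    # Final fragment at offset 65,512 carrying 1,000 bytes: reassembly would reach 66,512
    print(check_fragments([make_header(1020, 8189, 0)]))
    # Second fragment starts at byte 24 although the first already covers bytes 0-35
    print(check_fragments([make_header(56, 0, 1), make_header(40, 3, 0)]))
```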

DoS attacks overwhelm an end device with a large number of incomplete and illegal connections or requests so that it cannot respond to legitimate traffic. They send more traffic than the target can process, including excessive mail requests, excessive UDP packets, and excessive Internet Control Message Protocol (ICMP) pings with very large data packet sizes, to render a remote host unusable.
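The "incomplete connections" this paragraph describes are the half-open TCP handshakes left behind by a SYN flood, and the Land.C entry above is a single malformed connection request. As a second added example, not part of the original text, here is a small Python analyzer over constructed TCP segment records that counts half-open requests per destination and flags a SYN whose source and destination are the target itself. The record format, the threshold of five half-open requests, and the sample traffic are assumptions made for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

SYN, ACK = 0x02, 0x10   # TCP flag bits

@dataclass
class Segment:
    """Minimal record of one TCP segment (a constructed format, not a capture library's)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: int

def is_land(seg: Segment) -> bool:
    """Land: a connection request whose source and destination are the target itself."""
    return bool(seg.flags & SYN) and not seg.flags & ACK \
        and seg.src_ip == seg.dst_ip and seg.src_port == seg.dst_port

def half_open_counts(segs: List[Segment]) -> Counter:
    """Count, per destination host, the SYNs that the client never followed with an ACK."""
    pending: Dict[tuple, str] = {}
    for s in segs:
        key = (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        if s.flags & SYN and not s.flags & ACK:
            pending[key] = s.dst_ip            # new connection request, not yet completed
        elif s.flags & ACK and key in pending:
            del pending[key]                   # handshake completed; no longer half-open
    return Counter(pending.values())

def analyze(segs: List[Segment], syn_threshold: int = 5) -> Dict[str, list]:
    """Flag Land-style segments and destinations whose half-open count hits the threshold."""
    floods = [dst for dst, n in half_open_counts(segs).items() if n >= syn_threshold]
    return {"land": [s for s in segs if is_land(s)], "syn_flood_targets": sorted(floods)}

# Constructed sample traffic: six spoofed SYNs to 10.0.0.5:80 that never complete,
# one legitimate handshake from 10.0.0.9, and one Land-style SYN aimed at 10.0.0.5:139.
SAMPLE_SEGMENTS = (
    [Segment(f"192.0.2.{i}", 40000 + i, "10.0.0.5", 80, SYN) for i in range(1, 7)]
    + [Segment("10.0.0.9", 51000, "10.0.0.5", 80, SYN),
       Segment("10.0.0.9", 51000, "10.0.0.5", 80, ACK)]
    + [Segment("10.0.0.5", 139, "10.0.0.5", 139, SYN)]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_SEGMENTS))
```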

Many other known and unknown attacking methods and terms exist. Here are a few more you should be aware of for the written exam:

• Spoof attack—The attacker creates IP packets with a source address taken (spoofed) from a legitimate host. This attack is powerful in situations where a router connects to the Internet with one or more internal addresses. The real solution to this form of attack is to track down the source device and stop the attack.

• Smurf attack—Named after its exploit program and one of the most recent in the category of network-level attacks against hosts. In this attack, an intruder sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, which all have a victim's spoofed source address. For more details, go to www.cert.org/advisories/CA-1998-01.html.

Smurf attacks involve a primary and a secondary victim and are extremely potent and damaging to any IP network. They result in a large number of ICMP broadcasts, and if routers are configured to forward such broadcasts, the result is a degraded network and poor performance between the primary and secondary device. A quick solution is to disable IP directed broadcasts.

• Man in the middle attack—Just as with packet sniffers and IP spoofing attacks, a brute-force password attack can provide access to accounts that can be used to modify critical network files and services. An example that compromises your network's integrity is an attacker modifying your network's routing tables. By doing so, the attacker ensures that all network packets are routed to him before they are transmitted to their final destination. In such a case, an attacker can monitor all network traffic, effectively becoming a man in the middle.

• Birthday attack—Refers to a class of brute-force attacks. It gets its name from the surprising fact that the probability that two or more people in a group of 23 share the same birthday is greater than 50 percent; such a result is called a birthday paradox.
