Security System 1 - 08
8/14/2019 Security System 1 - 08
#8. Recognizing TCP/IP Attacks
AGENDA
Working with Protocols and Services

Recognizing TCP/IP Attacks
Attacks on TCP/IP usually occur at the host-to-host or Internet layer, although any layer is potentially vulnerable. TCP/IP is susceptible to attacks from both outside and inside an organization.

The opportunities for external attacks are somewhat limited by the devices in the network, including the router. The router blocks many of the protocols from exposure to the Internet. Some protocols, such as ARP, aren't routable and aren't generally vulnerable to outside attacks. Other protocols, such as SMTP and ICMP, pass through the router and form a normal part of Internet and TCP/IP traffic. TCP, UDP, and IP are all vulnerable to attack.

Sniffing the Network
A network sniffer, or scanner, is a device that captures and displays network traffic. Your existing computers have the ability to operate as sniffers. Network cards usually only pass information up to the protocol stack if the information is intended for the computer on which they're installed; any network traffic not intended for that computer is ignored.

Most NICs can be placed into what is called promiscuous mode, which allows the NIC to capture all information that it sees on the network. Devices such as routers, bridges, and switches are used to separate or segment networks within a larger network (known as virtual LANs, or VLANs). Any traffic in a particular segment is visible to all stations in that segment.

Adding a network sniffer such as the one included by Microsoft in its Systems Management Server (SMS) package allows any computer to function as a network sniffer. This software is widely available and is very capable. A number of public domain or shareware sniffers are also available online, such as Wireshark (http://www.wireshark.org).

By using a sniffer, an internal attacker can capture all the information transported by the network. Many advanced sniffers can reassemble packets and create entire messages, including user IDs and passwords. This vulnerability is particularly acute in environments where network connections are easily accessible to outsiders. For example, an attacker could put a laptop or a portable computer in your wiring closet and attach it to your network.

Scanning Ports
A TCP/IP network makes many of the ports available to outside users through the router. These ports respond in a predictable manner when queried. For example, TCP attempts synchronization when a session initiation occurs.

An attacker can systematically query your network to determine which services and ports are open. This process is called port scanning, and it is part of fingerprinting a network; it can reveal a great deal about your systems. Port scans are possible both internally and externally. Many routers, unless configured appropriately, will let all protocols pass through them.

Port scans help in identifying what services are running on a network. Individual systems within a network might also have applications and services running that the owner doesn't know about. These services could potentially allow an internal attacker to gain access to information by connecting to the port associated with those services. Many Microsoft Internet Information Server (IIS) users don't realize the weak security that this product offers.

If they didn't install all of the security patches when they installed IIS on their desktops, attackers can exploit the weaknesses of IIS and gain access to information. This has been done in many cases without the knowledge of the owner. These attacks might not technically be considered TCP/IP attacks, but they are because the inherent trust of TCP is used to facilitate the attacks.

After they know the IP addresses of your systems, external attackers can attempt to communicate with the ports open in your network, sometimes simply by using Telnet.

This process of port scanning can be expanded to develop a footprint of your organization. If your attacker has a single IP address of a system in your network, they can probe all the addresses in the range and probably determine what other systems and protocols your network is utilizing. This allows the attacker to gain knowledge about the internal structure of your network.

In addition to scanning, network mapping allows you to visually see everything that is available. The most well-known network mapper is nmap, which can run on all operating systems and is found at http://nmap.org/.
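A defender-side check for the scanning behaviour these slides describe, added here as an example and not part of the original deck: it reads constructed firewall-style connection records and flags any source that attempts connections to many distinct ports on one host within a short window. The record format, the addresses and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of firewall-style connection records (not real traffic):
# timestamp, source IP, destination IP, destination port, TCP flags seen.
SAMPLE_LOG = """\
2019-08-14T10:00:01 10.0.0.5 192.0.2.10 22 S
2019-08-14T10:00:01 10.0.0.5 192.0.2.10 23 S
2019-08-14T10:00:02 10.0.0.5 192.0.2.10 25 S
2019-08-14T10:00:02 10.0.0.5 192.0.2.10 80 S
2019-08-14T10:00:03 10.0.0.5 192.0.2.10 110 S
2019-08-14T10:00:03 10.0.0.5 192.0.2.10 143 S
2019-08-14T10:00:04 10.0.0.5 192.0.2.10 443 S
2019-08-14T10:00:04 10.0.0.5 192.0.2.10 3389 S
2019-08-14T10:00:05 10.0.0.7 192.0.2.10 443 S
2019-08-14T10:05:00 10.0.0.7 192.0.2.10 80 S
"""

def parse_records(text):
    """Turn the constructed log text into (time, src, dst, dport, flags) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, dport, flags = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport), flags))
    return records

def detect_port_scans(records, window=timedelta(seconds=60), threshold=5):
    """Return {source: set(ports)} for sources that touched at least
    `threshold` distinct destination ports on one host within `window`.
    Only initial SYNs (flag 'S') count: a scan is a burst of connection
    attempts, not a set of established sessions."""
    attempts = defaultdict(list)          # (src, dst) -> [(time, port), ...]
    for ts, src, dst, dport, flags in sorted(records):
        if flags == "S":
            attempts[(src, dst)].append((ts, dport))
    alerts = {}
    for (src, dst), hits in attempts.items():
        start = 0                         # sliding window over this pair's SYNs
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                alerts[src] = alerts.get(src, set()) | ports
    return alerts
```

The threshold and window trade sensitivity for noise; a legitimate monitoring host that polls several services will also trip a low threshold, so exclude known scanners rather than raising the bar for everyone.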

TCP Attacks
TCP operates using synchronized connections. The synchronization is vulnerable to attack; this is probably the most common attack used today. As you may recall, the synchronization, or handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as a TCP SYN flood attack. The protocol is also susceptible to access and modification attacks, which are briefly explained in the following sections.

TCP SYN or TCP ACK Flood Attack
The TCP SYN flood, also referred to as the TCP ACK attack, is common. The purpose is to deny service. The attack begins as a normal TCP connection: the client and server exchange information in TCP packets.

Identifying TCP/IP Security Concerns
The TCP client continues to send ACK packets to the server. The ACK packets tell the server that a connection is requested. The server responds with an ACK packet to the client. The client is supposed to respond with another packet accepting the connection, and a session is established.

In this attack, the client continually sends and receives the ACK packets but doesn't open the session. The server holds these sessions open, awaiting the final packet in the sequence. This causes the server to fill up the available sessions and deny other clients the ability to access the resources.

This attack is virtually unstoppable in most environments without working with upstream providers. Many newer routers can track and attempt to prevent this attack by setting limits on the length of an initial session to force sessions that don't complete to close out. This type of attack can also be undetectable. An attacker can use an invalid IP address, and TCP won't care because TCP will respond to any valid request presented from the IP layer.
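To show why the "limit on the length of an initial session" the slide mentions matters, here is a small model of a server's table of half-open sessions, written for this page and not taken from the deck. It replays a constructed scenario of handshakes that never complete and reports whether a later legitimate client still gets a slot. The backlog size, the timeout and the addresses are assumptions.

```python
from collections import OrderedDict

class HalfOpenTable:
    """Model of a server's backlog of sessions awaiting the final handshake packet.
    `capacity` is the backlog size; `max_age` is the limit on how long an
    incomplete session may wait (None = no limit), i.e. the control the slide
    describes routers and servers applying."""
    def __init__(self, capacity, max_age=None):
        self.capacity = capacity
        self.max_age = max_age
        self.pending = OrderedDict()   # (src_ip, src_port) -> time the handshake began
        self.refused = 0

    def _expire(self, now):
        if self.max_age is None:
            return
        # Insertion order means the oldest incomplete session is always first.
        while self.pending:
            key, started = next(iter(self.pending.items()))
            if now - started <= self.max_age:
                break
            del self.pending[key]          # never completed: close it out

    def connection_request(self, now, key):
        """A client begins the handshake. Returns True if a slot was held."""
        self._expire(now)
        if key in self.pending:
            return True
        if len(self.pending) >= self.capacity:
            self.refused += 1              # backlog full: legitimate clients are refused
            return False
        self.pending[key] = now
        return True

    def handshake_completed(self, key):
        self.pending.pop(key, None)        # session established, slot released

def simulate(max_age):
    """Constructed scenario: 200 handshakes (one per second, from distinct source
    ports on 198.51.100.9) that are never completed, then a legitimate client
    connects. Returns (legitimate client admitted, number of refusals)."""
    table = HalfOpenTable(capacity=128, max_age=max_age)
    for t in range(200):
        table.connection_request(t, ("198.51.100.9", 40000 + t))
    admitted = table.connection_request(200, ("192.0.2.77", 51000))
    return admitted, table.refused
```

With no limit the backlog fills after 128 requests and every later client is refused; with a 30-second limit the stale entries are closed out and the legitimate client gets in, which is the effect of the router setting the slide describes.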

TCP Sequence Number Attack
TCP sequence number attacks occur when an attacker takes control of one end of a TCP session. This attack is successful when the attacker kicks the attacked end off the network for the duration of the session. Each time a TCP message is sent, either the client or the server generates a sequence number.

In a TCP sequence number attack, the attacker intercepts and then responds with a sequence number similar to the one used in the original session. This attack can either disrupt or hijack a valid session. If a valid sequence number is guessed, attackers can place themselves between the client and server.

In this case, the attacker effectively hijacks the session and gains access to the session privileges of the victim's system. The victim's system may get an error message indicating that it has been disconnected, or it may reestablish a new session. In this case, the attacker gains the connection and access to the data from the legitimate system. The attacker then has access to the privileges established by the session when it was created.

TCP/IP Hijacking
TCP/IP hijacking, also called active sniffing, involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.

The server won't know this has occurred and will respond as if the client is trusted. In this example, the attacker forces the server to accept its IP address as valid. TCP/IP hijacking presents the greatest danger to a network because the hijacker will probably acquire privileges and access to all the information on the server. As with a sequence number attack, there is little you can do to counter the threat.

UDP Attacks
A UDP attack attacks either a maintenance protocol or a UDP service in order to overload services and initiate a DoS situation. UDP attacks can also exploit UDP protocols. One of the most popular UDP attacks is the ping of death discussed earlier in the section "Identifying Denial-of-Service and Distributed Denial-of-Service Attacks."

UDP packets aren't connection oriented and don't require the synchronization process described in the previous section. UDP packets, however, are susceptible to interception, and UDP can be attacked. UDP, like TCP, doesn't check the validity of IP addresses. The nature of this layer is to trust the layer below it, the IP layer.

ICMP supports maintenance and reporting in a TCP/IP network. It is part of the IP level of the protocol suite. Several programs, including Ping, use the ICMP protocol. Until fairly recently, ICMP was regarded as a benign protocol that was incapable of much damage. However, it has now joined the ranks of protocols used in common attack methods for DoS attacks. Two primary methods use ICMP to disrupt systems: smurf attacks and ICMP tunneling.

Smurf Attacks
Smurf attacks can create havoc in a network. A smurf attack uses IP spoofing and broadcasting to send a ping to a group of hosts in a network. An ICMP ping request (type 8) is answered with an ICMP ping reply (type 0) if the targeted system is up; otherwise an unreachable message is returned. If a broadcast is sent to a network, all of the hosts will answer back to the ping. The result is an overload of the network and the target system.
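Two checks a network monitor can run for the smurf pattern above, added as an example for this page (not code from the deck): an echo request (type 8) addressed to the segment's directed-broadcast address, and a single destination receiving echo replies (type 0) from many local hosts at once, which is the spoofed victim. The local prefix, the addresses and the sample records are constructed assumptions.

```python
import ipaddress

# Assumed local segment; its directed-broadcast address is 192.0.2.255.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed ICMP summary records: (source, destination, ICMP type).
SAMPLE_ICMP = [
    ("203.0.113.5", "192.0.2.255", 8),   # echo request to the broadcast address
    ("192.0.2.10", "203.0.113.5", 0),    # every host on the segment answers...
    ("192.0.2.11", "203.0.113.5", 0),
    ("192.0.2.12", "203.0.113.5", 0),
    ("192.0.2.13", "203.0.113.5", 0),    # ...and the replies converge on the victim
    ("192.0.2.20", "192.0.2.1", 8),      # ordinary ping, must not be flagged
    ("192.0.2.1", "192.0.2.20", 0),
]

def broadcast_echo_requests(records, net=LOCAL_NET):
    """Echo requests aimed at the network's directed-broadcast address,
    the amplification step of a smurf attack."""
    return [(src, dst) for src, dst, icmp_type in records
            if icmp_type == 8
            and ipaddress.ip_address(dst) == net.broadcast_address]

def reply_fanout(records, net=LOCAL_NET, min_repliers=3):
    """Destinations that receive echo replies from at least `min_repliers`
    distinct local hosts. Replies go to the request's source address, so a
    spoofed request makes the replies land on the victim."""
    repliers = {}
    for src, dst, icmp_type in records:
        if icmp_type == 0 and ipaddress.ip_address(src) in net:
            repliers.setdefault(dst, set()).add(src)
    return {dst: len(hosts) for dst, hosts in repliers.items()
            if len(hosts) >= min_repliers}
```

Because the amplification depends on hosts answering a broadcast ping, refusing to forward packets addressed to the directed-broadcast address at the router removes the multiplier even when spoofed requests still arrive.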

ICMP Tunneling
ICMP messages can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. This is a relatively new opportunity to create havoc and mischief in networks.
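The tunneling slide's point is that the echo data field can carry anything. A triage heuristic for captured echo payloads, added here as an example and not from the deck, compares each payload with the patterns that common ping tools send and measures the entropy of anything that does not match. The Linux and Windows payload layouts are stated as assumptions, and the sample payloads are constructed.

```python
import math

# Assumed layouts of what common ping tools place after the 8-byte ICMP header:
#   Linux ping: an 8-byte timestamp, then bytes 0x10, 0x11, 0x12, ...
#   Windows ping: the alphabet "abcdefghijklmnopqrstuvw" repeated (32 bytes)
ALPHABET = b"abcdefghijklmnopqrstuvw"
LINUX_PING = bytes(8) + bytes(range(0x10, 0x10 + 48))      # constructed
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"           # constructed
# Constructed payload carrying something else; its bytes look like ciphertext.
ODD_PAYLOAD = bytes((i * 73 + 19) % 251 for i in range(56))

def entropy(data):
    """Shannon entropy in bits per byte: 0 for a constant payload, 8 for uniform bytes."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_like_standard_ping(payload):
    """True if the payload matches one of the assumed ping tool patterns."""
    if not payload:
        return False
    body = payload[8:] if len(payload) > 8 else payload     # skip a timestamp
    incrementing = len(body) >= 16 and all(
        body[i] == (body[0] + i) & 0xFF for i in range(len(body)))
    alphabet = all(payload[i] == ALPHABET[i % len(ALPHABET)]
                   for i in range(len(payload)))
    return bool(incrementing or alphabet)

def classify_echo_payload(payload, max_entropy=4.5):
    """Triage label: a known pattern is routine; a payload that matches no
    pattern and is high-entropy is the shape a covert channel tends to have."""
    if looks_like_standard_ping(payload):
        return "standard-pattern"
    if entropy(payload) > max_entropy:
        return "high-entropy"
    return "nonstandard"
```

Run this over the echo traffic of a single host pair: a steady stream of "high-entropy" or "nonstandard" payloads between two addresses is worth inspecting, while a one-off mismatch is usually a tool with a non-default payload.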

The countermeasure for ICMP attacks is to deny ICMP traffic through your network. You can disable ICMP traffic in most routers, and you should consider doing so in your network. Many of the newer SOHO router solutions (and some of the personal firewall solutions on end-user workstations) close down the ICMP ports by default. Keep this in mind, as it can drive you nuts when you are trying to see if a brand-new station/server/router