Security System 1 - 08


8/14/2019 Security System 1 - 08

1/36

#8. Recognizing TCP/IP Attacks

AGENDA

Working with Protocols and Services

Recognizing TCP/IP Attacks

Attacks on TCP/IP usually occur at the host-to-host or Internet layer, although any layer is potentially vulnerable. TCP/IP is susceptible to attacks from both outside and inside an organization.

The opportunities for external attacks are somewhat limited by the devices in the network, including the router. The router blocks many of the protocols from exposure to the Internet. Some protocols, such as ARP, aren't routable and aren't generally vulnerable to outside attacks. Other protocols, such as SMTP and ICMP, pass through the router and form a normal part of Internet and TCP/IP traffic. TCP, UDP, and IP are all vulnerable to attack.

Sniffing the Network

A network sniffer, or scanner, is a device that captures and displays network traffic. Your existing computers have the ability to operate as sniffers. Network cards usually only pass information up to the protocol stack if the information is intended for the computer on which they're installed; any network traffic not intended for that computer is ignored.

Most NICs can be placed into what is called promiscuous mode, which allows the NIC to capture all information that it sees on the network. Devices such as routers, bridges, and switches are used to separate or segment networks within a larger network (known as virtual LANs, or VLANs). Any traffic in a particular segment is visible to all stations in that segment.

Adding a network sniffer such as the one included by Microsoft in its Systems Management Server (SMS) package allows any computer to function as a network sniffer. This software is widely available and is very capable. A number of public domain or shareware sniffers are also available online, such as Wireshark (http://www.wireshark.org).

By using a sniffer, an internal attacker can capture all the information transported by the network. Many advanced sniffers can reassemble packets and create entire messages, including user IDs and passwords. This vulnerability is particularly acute in environments where network connections are easily accessible to outsiders. For example, an attacker could put a laptop or a portable computer in your wiring closet and attach it to your network.

Scanning Ports

A TCP/IP network makes many of the ports available to outside users through the router. These ports respond in a predictable manner when queried. For example, TCP attempts synchronization when a session initiation occurs.

An attacker can systematically query your network to determine which services and ports are open. This process is called port scanning, and it is part of fingerprinting a network; it can reveal a great deal about your systems. Port scans are possible both internally and externally. Many routers, unless configured appropriately, will let all protocols pass through them.

Port scans help in identifying what services are running on a network. Individual systems within a network might also have applications and services running that the owner doesn't know about. These services could potentially allow an internal attacker to gain access to information by connecting to the port associated with those services. Many Microsoft Internet Information Server (IIS) users don't realize the weak security that this product offers.

If they didn't install all of the security patches when they installed IIS on their desktops, attackers can exploit the weaknesses of IIS and gain access to information. This has been done in many cases without the knowledge of the owner. These attacks might not technically be considered TCP/IP attacks, but they are because the inherent trust of TCP is used to facilitate the attacks.

After they know the IP addresses of your systems, external attackers can attempt to communicate with the ports open in your network, sometimes simply by using Telnet.

This process of port scanning can be expanded to develop a footprint of your organization. If your attacker has a single IP address of a system in your network, they can probe all the addresses in the range and probably determine what other systems and protocols your network is utilizing. This allows the attacker to gain knowledge about the internal structure of your network.

In addition to scanning, network mapping allows you to visually see everything that is available. The most well-known network mapper is nmap, which can run on all operating systems and is found at http://nmap.org/.
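The defender's side of the scanning slides is spotting the pattern in your own logs: one source touching many distinct ports on one host in a short window. The following is an added example, not part of the slides; the log line format (epoch seconds followed by src=, dst=, dport=, action= fields), the sample entries and the thresholds are constructed for the illustration.

```python
"""Flag port-scan behaviour in firewall deny logs.
Added example, not from the slides. One source touching many distinct ports on
one host in a short window is the signature the text describes. The log format
is constructed for the example: epoch seconds, then src= dst= dport= action=."""
from collections import defaultdict

def parse_line(line):
    # e.g. "1565798400 src=198.51.100.7 dst=192.0.2.10 dport=22 action=DENY"
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return int(ts), fields["src"], fields["dst"], int(fields["dport"])

def detect_scans(lines, window=60, min_ports=10):
    """Return {src: max distinct dports} for sources that hit at least
    min_ports distinct ports on a single dst within any `window` seconds."""
    events = defaultdict(list)  # (src, dst) -> [(t, dport), ...]
    for line in lines:
        t, src, dst, dport = parse_line(line)
        events[(src, dst)].append((t, dport))
    alerts = {}
    for (src, dst), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans <= `window` seconds
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts

# Constructed sample: a sequential sweep of 12 ports in 12 seconds from one
# source, plus a legitimate client retrying SSH a few times.
BASE = 1565798400
LOG = [f"{BASE + i} src=198.51.100.7 dst=192.0.2.10 dport={20 + i} action=DENY"
       for i in range(12)]
LOG += [f"{BASE + 5 * i} src=203.0.113.4 dst=192.0.2.10 dport=22 action=DENY"
        for i in range(4)]

if __name__ == "__main__":
    print(detect_scans(LOG))  # {'198.51.100.7': 12}
```

The retrying SSH client never trips the rule because it keeps hitting the same port; only the sweep accumulates distinct ports inside the window.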

TCP Attacks

TCP operates using synchronized connections. The synchronization is vulnerable to attack; this is probably the most common attack used today. As you may recall, the synchronization, or handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as a TCP SYN flood attack. The protocol is also susceptible to access and modification attacks, which are briefly explained in the following sections.

TCP SYN or TCP ACK Flood Attack

The TCP SYN flood, also referred to as the TCP ACK attack, is common. The purpose is to deny service. The attack begins as a normal TCP connection: the client and server exchange information in TCP packets.

Identifying TCP/IP Security Concerns

The TCP client continues to send ACK packets to the server. The ACK packets tell the server that a connection is requested. The server responds with an ACK packet to the client. The client is supposed to respond with another packet accepting the connection, and a session is established.

In this attack, the client continually sends and receives the ACK packets but doesn't open the session. The server holds these sessions open, awaiting the final packet in the sequence. This causes the server to fill up the available sessions and deny other clients the ability to access the resources.

This attack is virtually unstoppable in most environments without working with upstream providers. Many newer routers can track and attempt to prevent this attack by setting limits on the length of an initial session to force sessions that don't complete to close out. This type of attack can also be undetectable. An attacker can use an invalid IP address, and TCP won't care because TCP will respond to any valid request presented from the IP layer.
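To see why the router-side limit on incomplete sessions works, the simulation below replays a half-open backlog with and without an expiry timer. It is an added example, not part of the slides; the event trace, the backlog capacity of 8 and the 10-second timeout are constructed values.

```python
"""Simulate a server's half-open (SYN_RECV) backlog under a SYN flood.
Added example, not from the slides. Models the countermeasure the text
describes: a limit on how long an incomplete handshake may stay open.
Constructed events: ("syn", src, t) opens a half-open entry; ("ack", src, t)
completes the handshake and frees the slot."""
from collections import OrderedDict

class SynBacklog:
    def __init__(self, capacity, half_open_timeout=None):
        self.capacity = capacity
        self.timeout = half_open_timeout   # None = never expire (vulnerable)
        self.half_open = OrderedDict()     # src -> time the SYN arrived
        self.rejected = 0
        self.established = 0

    def _expire(self, now):   # drop half-open entries older than the timeout
        if self.timeout is None:
            return
        for src, t in list(self.half_open.items()):
            if now - t >= self.timeout:
                del self.half_open[src]

    def handle(self, kind, src, now):
        self._expire(now)
        if kind == "syn":
            if len(self.half_open) >= self.capacity:
                self.rejected += 1         # backlog full: this client sees a DoS
                return False
            self.half_open[src] = now
            return True
        if kind == "ack" and src in self.half_open:
            del self.half_open[src]
            self.established += 1
            return True
        return False

def run(events, capacity, timeout=None):
    # Replay a trace and return (established, rejected) counts.
    backlog = SynBacklog(capacity, timeout)
    for kind, src, t in events:
        backlog.handle(kind, src, t)
    return backlog.established, backlog.rejected

# Constructed trace: eight spoofed SYNs (one per second) that never complete,
# then a legitimate client at t=20 that completes its handshake.
FLOOD = [("syn", f"198.51.100.{i}", float(i)) for i in range(8)]
LEGIT = [("syn", "203.0.113.10", 20.0), ("ack", "203.0.113.10", 20.1)]
TRACE = FLOOD + LEGIT

if __name__ == "__main__":
    print(run(TRACE, 8), run(TRACE, 8, timeout=10))  # (0, 1) (1, 0)
```

Without the timer the eight spoofed entries occupy the backlog forever and the real client is refused; with it they have aged out by the time the real client arrives.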

TCP Sequence Number Attack

TCP sequence number attacks occur when an attacker takes control of one end of a TCP session. This attack is successful when the attacker kicks the attacked end off the network for the duration of the session. Each time a TCP message is sent, either the client or the server generates a sequence number.

In a TCP sequence number attack, the attacker intercepts and then responds with a sequence number similar to the one used in the original session. This attack can either disrupt or hijack a valid session. If a valid sequence number is guessed, attackers can place themselves between the client and server.

In this case, the attacker effectively hijacks the session and gains access to the session privileges of the victim's system. The victim's system may get an error message indicating that it has been disconnected, or it may reestablish a new session. In this case, the attacker gains the connection and access to the data from the legitimate system. The attacker then has access to the privileges established by the session when it was created.

TCP/IP Hijacking

TCP/IP hijacking, also called active sniffing, involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.

The server won't know this has occurred and will respond as if the client is trusted. In this example, the attacker forces the server to accept its IP address as valid. TCP/IP hijacking presents the greatest danger to a network because the hijacker will probably acquire privileges and access to all the information on the server. As with a sequence number attack, there is little you can do to counter the threat.

UDP Attacks

A UDP attack targets either a maintenance protocol or a UDP service in order to overload services and initiate a DoS situation. UDP attacks can also exploit UDP protocols. One of the most popular UDP attacks is the ping of death, discussed earlier in the section "Identifying Denial-of-Service and Distributed Denial-of-Service Attacks".

UDP packets aren't connection oriented and don't require the synchronization process described in the previous section. UDP packets, however, are susceptible to interception, and UDP can be attacked. UDP, like TCP, doesn't check the validity of IP addresses. The nature of this layer is to trust the layer below it, the IP layer.

ICMP supports maintenance and reporting in a TCP/IP network. It is part of the IP level of the protocol suite. Several programs, including Ping, use the ICMP protocol. Until fairly recently, ICMP was regarded as a benign protocol that was incapable of much damage. However, it has now joined the ranks of protocols used in common attack methods for DoS attacks. Two primary methods use ICMP to disrupt systems: smurf attacks and ICMP tunneling.

Smurf Attacks

Smurf attacks can create havoc in a network. A smurf attack uses IP spoofing and broadcasting to send a ping to a group of hosts in a network. An ICMP ping request (type 8) is answered with an ICMP ping reply (type 0) if the targeted system is up; otherwise an unreachable message is returned. If a broadcast is sent to a network, all of the hosts will answer back to the ping. The result is an overload of the network and the target system.

ICMP Tunneling

ICMP messages can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. This is a relatively new opportunity to create havoc and mischief in networks.
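Both ICMP abuses on the smurf and tunneling slides leave a footprint that an echo-traffic screen can catch: a type 8 request aimed at a subnet broadcast address, the unsolicited type 0 replies that then hit the spoofed victim, and a reply whose payload no longer mirrors its request. The block below is an added example, not part of the slides; the packet tuple layout, the LOCAL_NETS range and the sample trace are constructed.

```python
"""Screen ICMP echo traffic for the two abuses described on the slides:
smurf (echo requests aimed at a broadcast address, and the flood of
unsolicited replies the spoofed victim then receives) and tunneling (echo
replies whose payload no longer mirrors the request). Added example, not
from the slides. Packets are constructed tuples:
(icmp_type, src, dst, identifier, sequence, payload); LOCAL_NETS is assumed."""
import ipaddress

ECHO_REPLY, ECHO_REQUEST = 0, 8
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed internal range

def is_directed_broadcast(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_NETS)

def screen(packets):
    """Return [(packet_index, reason)] findings for an ICMP echo trace."""
    findings = []
    pending = {}  # (requester, target, id, seq) -> request payload
    for i, (typ, src, dst, ident, seq, payload) in enumerate(packets):
        if typ == ECHO_REQUEST:
            if is_directed_broadcast(dst):
                findings.append((i, "echo request to broadcast address (smurf)"))
            pending[(src, dst, ident, seq)] = payload
        elif typ == ECHO_REPLY:
            key = (dst, src, ident, seq)  # a reply flows target -> requester
            if key not in pending:
                findings.append((i, "unsolicited echo reply (reflection flood)"))
            elif pending.pop(key) != payload:
                # RFC 792 requires the reply to echo the request's data back
                findings.append((i, "reply payload differs from request (tunnel)"))
    return findings

FILLER = bytes(range(56))  # constructed stand-in for ping's normal filler
PACKETS = [
    (ECHO_REQUEST, "192.0.2.15", "192.0.2.1", 0x1A2B, 1, FILLER),  # normal ping
    (ECHO_REPLY, "192.0.2.1", "192.0.2.15", 0x1A2B, 1, FILLER),  # its reply
    (ECHO_REQUEST, "198.51.100.9", "192.0.2.255", 0x0001, 1, FILLER),  # smurf
    (ECHO_REPLY, "192.0.2.40", "198.51.100.9", 0x0001, 1, FILLER),  # reflection
    (ECHO_REQUEST, "192.0.2.15", "203.0.113.8", 0x2222, 7, FILLER),
    (ECHO_REPLY, "203.0.113.8", "192.0.2.15", 0x2222, 7, b"constructed non-echo data"),
]

if __name__ == "__main__":
    for idx, reason in screen(PACKETS):
        print(idx, reason)  # flags packets 2, 3 and 5
```

The normal request/reply pair passes silently because the reply matches a pending request byte for byte; everything the slides describe as abuse breaks that pairing in one of the three ways checked.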

The countermeasure for ICMP attacks is to deny ICMP traffic through your network. You can disable ICMP traffic in most routers, and you should consider doing so in your network. Many of the newer SOHO router solutions (and some of the personal firewall solutions on end-user workstations) close down the ICMP ports by default. Keep this in mind, as it can drive you nuts when you are trying to see if a brand-new station/server/router