Attacks on TCP/IP usually occur at the host-to-host or Internet layer. External attacks are somewhat limited by the devices in the network, including the router. A network sniffer (not to be confused with a scanner) is a device or program that captures and displays network traffic.
Copyright: Attribution Non-Commercial (BY-NC)
AGENDA
Working with Protocols and Services
Recognizing TCP/IP Attacks

Recognizing TCP/IP Attacks

Attacks on TCP/IP usually occur at the host-to-host (transport) or Internet layer, although any layer is potentially vulnerable. TCP/IP is susceptible to attacks from both outside and inside an organization.

The opportunities for external attacks are somewhat limited by the devices in the network, including the router. The router blocks many protocols from exposure to the Internet. Some protocols, such as ARP, aren't routable and so aren't generally reachable by outside attackers. Other protocols, such as SMTP and ICMP, pass through the router and form a normal part of Internet and TCP/IP traffic. TCP, UDP, and IP are all vulnerable to attack.

Sniffing the Network

A network sniffer is a device or program that captures and displays network traffic. (It is distinct from a scanner, which actively probes hosts; scanning is covered below.) Your existing computers can operate as sniffers. A network card normally passes a frame up the protocol stack only if the frame's destination MAC address is the card's own address, a broadcast address, or a multicast group it has joined; any other traffic is silently discarded by the card.

Most NICs can be placed into promiscuous mode, which disables that filter and lets the NIC capture every frame it sees on the wire. Devices such as routers, bridges, and switches are used to separate or segment networks within a larger network; on switches this segmentation is usually done with virtual LANs (VLANs). On a shared medium (a hub, or a wireless network) all traffic in a segment is visible to every station in that segment. A switch forwards unicast frames only to the port that owns the destination MAC address, so a promiscuous NIC on a switched segment sees broadcast and flooded traffic but not other stations' unicast traffic, unless the attacker uses a mirror (SPAN) port or poisons the switch's forwarding with ARP spoofing or MAC flooding.

Adding sniffer software such as the Network Monitor tool Microsoft included in its Systems Management Server (SMS) package allows any computer to function as a network sniffer. This software is widely available and very capable. Free and open-source sniffers are also available, such as Wireshark (http://www.wireshark.org).
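The following is an added example, not code from the slides, showing what a sniffer actually does with the raw frames the card hands it, and the destination-MAC filter that promiscuous mode switches off. It also performs the credential extraction described on the next slide. The MAC addresses, IP addresses (documentation ranges) and the FTP login frames are constructed for the demo, and the IP and TCP checksums are left at zero because this decoder, like many sniffers, does not verify them.

```python
"""Added example: decode raw Ethernet/IPv4/TCP frames the way a sniffer does and
model the NIC's destination-MAC filter that promiscuous mode turns off.
All frames, MACs and addresses are constructed for the demo."""
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, payload, flags=0x018):
    """Ethernet II + IPv4 (no options) + TCP (no options). Default flags = PSH|ACK.
    Checksums are zero (constructed frames; the parser does not check them)."""
    total_len = 20 + 20 + len(payload)
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1000, 2000, (5 << 12) | flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the headers a sniffer needs; raises ValueError for anything that is
    not IPv4-over-Ethernet carrying TCP."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("short frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not IPv4")
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _ff, _ttl, proto, _csum, sip, dip = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (ver_ihl & 0x0F) * 4                     # IP header length incl. options
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, _win, _tcsum, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    doff = (off_flags >> 12) * 4                   # TCP header length incl. options
    return {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"),
            "src_ip": ".".join(map(str, sip)), "dst_ip": ".".join(map(str, dip)),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x01FF, "payload": tcp[doff:]}


def nic_filter(frame: bytes, our_mac: str, promiscuous: bool) -> bool:
    """Model of the card's hardware filter: normal mode passes only frames addressed
    to us or to broadcast; promiscuous mode passes everything on the wire."""
    dst = frame[:6].hex(":")
    return promiscuous or dst == our_mac or dst == BROADCAST


CRED_PREFIXES = (b"USER ", b"PASS ")


def harvest_credentials(frames, our_mac, promiscuous):
    """Return (src_ip, dst_ip, line) for every FTP-style USER/PASS line the sniffer sees."""
    found = []
    for frame in frames:
        if not nic_filter(frame, our_mac, promiscuous):
            continue
        pkt = parse_frame(frame)
        for line in pkt["payload"].split(b"\r\n"):
            if line.startswith(CRED_PREFIXES):
                found.append((pkt["src_ip"], pkt["dst_ip"], line.decode("ascii", "replace")))
    return found


# Constructed sample: a cleartext FTP login between two OTHER hosts on our segment.
CLIENT_MAC, SERVER_MAC, OUR_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
SAMPLE_FRAMES = [
    build_frame(SERVER_MAC, CLIENT_MAC, "192.0.2.10", "192.0.2.20", 40001, 21, b"USER alice\r\n"),
    build_frame(CLIENT_MAC, SERVER_MAC, "192.0.2.20", "192.0.2.10", 21, 40001, b"331 Password required\r\n"),
    build_frame(SERVER_MAC, CLIENT_MAC, "192.0.2.10", "192.0.2.20", 40001, 21, b"PASS hunter2\r\n"),
]

if __name__ == "__main__":
    print("normal mode     :", harvest_credentials(SAMPLE_FRAMES, OUR_MAC, promiscuous=False))
    print("promiscuous mode:", harvest_credentials(SAMPLE_FRAMES, OUR_MAC, promiscuous=True))
```

In normal mode our card drops both login frames because neither is addressed to it; in promiscuous mode the same bytes yield the user name and password. A real sniffer reads frames from a capture interface (libpcap) instead of a list, but the decoding and the filter model are the same.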
By using a sniffer, an internal attacker can capture all the information transported on the network segment they can see. Many advanced sniffers reassemble TCP streams into entire messages, including user IDs and passwords sent by cleartext protocols such as Telnet, FTP, POP3, and HTTP. This vulnerability is particularly acute where network connections are physically accessible to outsiders: an attacker could put a laptop or a portable computer in your wiring closet and attach it to your network. The countermeasure is not to hope that no sniffer is present but to encrypt the traffic (SSH, TLS, IPsec) so that whatever is captured is useless.

Scanning Ports

A TCP/IP network makes many of its ports available to outside users through the router. These ports respond in a predictable manner when queried: a TCP port with a listening service answers a SYN with a SYN-ACK, a closed port answers with a RST, and a port filtered by a firewall usually answers nothing at all.

An attacker can systematically query your network to determine which services and ports are open. This process is called port scanning, and it is part of fingerprinting a network; it can reveal a great deal about your systems. Port scans are possible both internally and externally. Many routers, unless configured appropriately, will let all protocols pass through them.

Port scans identify what services are running on a network. Individual systems within a network might also be running applications and services that the owner doesn't know about, and an internal attacker can gain access to information simply by connecting to the port associated with such a service. Many Microsoft Internet Information Services (IIS) users don't realize how weak the security this product offers out of the box is. If they didn't install all of the security patches when they installed IIS on their desktops, attackers can exploit the known weaknesses of IIS and gain access to information. This has been done in many cases without the knowledge of the owner.
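As an added example (not part of the slides), here is a TCP connect scan against a listener started in the same process, so it runs offline. It shows the three predictable answers a port gives that the slide relies on: open (the handshake completes and a banner can be grabbed), closed (the kernel answers RST, which the client sees as ECONNREFUSED) and filtered (nothing comes back before the timeout). The listener, its "220" banner and the port numbers are constructed for the demo.

```python
"""Added example: TCP connect scan with banner grabbing against an in-process
listener. The listener and banner are constructed for the demo."""
import errno
import socket
import threading
from contextlib import closing

HOST = "127.0.0.1"


def start_listener(banner=b"220 demo-ftp ready\r\n"):
    """Bind an ephemeral port and answer every connection with a banner.
    Returns (listening socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener closed, stop serving
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port():
    """Pick a port that is currently closed: bind an ephemeral one, read it back, release it."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def probe(host, port, timeout=0.5):
    """Full-connect probe of one port. Returns (state, banner).
    open     -> SYN, SYN-ACK, ACK completed (connect_ex returned 0)
    closed   -> the host answered RST (ECONNREFUSED)
    filtered -> no answer in time; a firewall or the network dropped the SYN"""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        err = s.connect_ex((host, port))
        if err == 0:
            try:                        # many services talk first; grab the banner
                banner = s.recv(256).decode("ascii", "replace").strip()
            except (socket.timeout, OSError):
                banner = ""
            return "open", banner
        if err == errno.ECONNREFUSED:
            return "closed", ""
        return "filtered", ""


def scan(host, ports, timeout=0.5):
    """Scan a list of ports and return {port: (state, banner)}."""
    return {p: probe(host, p, timeout) for p in ports}


def demo():
    """Start one listener, then scan it and a known-closed port."""
    srv, open_port = start_listener()
    try:
        return scan(HOST, [open_port, free_port()])
    finally:
        srv.close()


if __name__ == "__main__":
    for port, (state, banner) in demo().items():
        print(f"{HOST}:{port} {state} {banner}")
```

A connect scan completes the handshake, so it appears in the target's application logs; a SYN (half-open) scan as nmap does by default needs raw sockets and sends RST instead of the final ACK, which is why it is quieter on the host but equally visible to a network IDS.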
These attacks might not technically be considered TCP/IP attacks, but they are, because the inherent trust of TCP is used to facilitate them. Once external attackers know the IP addresses of your systems, they can attempt to communicate with the open ports in your network, sometimes simply by using Telnet to connect to a port and read its banner.

This process of port scanning can be expanded to develop a footprint of your organization. If the attacker has a single IP address of a system in your network, they can probe all the addresses in the range and probably determine what other systems and protocols your network is using. This gives the attacker knowledge of the internal structure of your network.

In addition to scanning, network mapping lets you visually see everything that is available. The best-known network mapper is nmap, which runs on all major operating systems and is found at http://nmap.org/.

TCP Attacks

TCP operates using synchronized connections. The synchronization is vulnerable to attack, and this is probably the most common attack used today. As you may recall, the synchronization, or three-way handshake, initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as a TCP SYN flood. The protocol is also susceptible to access and modification attacks, which are briefly explained in the following sections.

TCP SYN Flood Attack

The TCP SYN flood, also referred to here as the TCP ACK attack (a misnomer: it is the final ACK that never arrives), is common. Its purpose is to deny service. The attack begins like a normal TCP connection: the client and server exchange information in TCP packets. The client sends a SYN packet, which tells the server that a connection is requested. The server allocates an entry in its backlog of half-open connections and responds with a SYN-ACK packet to the client.
The client is supposed to complete the handshake with an ACK accepting the connection, and a session is established. In a SYN flood, the client keeps sending SYN packets and receiving SYN-ACKs but never sends that final ACK. The server holds each of these half-open sessions in its backlog, awaiting the final packet in the sequence. The backlog fills up, and the SYNs of other clients are dropped, denying them access to the service.

This attack is hard to stop in most environments without working with upstream providers, because spoofed SYNs can arrive faster than any timeout can clear them. Many routers and hosts mitigate it by limiting how long a half-open session may live, forcing sessions that don't complete to close out. Modern operating systems additionally use SYN cookies: the server encodes the connection state in its initial sequence number instead of storing it, so there is no backlog to exhaust. The attack can also be hard to trace. An attacker can use a spoofed source IP address, and TCP won't care, because TCP will respond to any valid request handed up from the IP layer.

TCP Sequence Number Attack

A TCP sequence number attack occurs when an attacker takes control of one end of a TCP session. The attack succeeds when the attacker knocks the attacked end off the network (or simply outraces it) for the duration of the session. Each TCP segment carries a sequence number, and the receiver accepts only segments whose sequence numbers fall within its current window.

In a TCP sequence number attack, the attacker intercepts or predicts the sequence numbers in use and responds with a segment carrying the sequence number the victim expects next. This can either disrupt or hijack a valid session. If a valid sequence number is guessed, attackers can place themselves between the client and server.

In this case, the attacker effectively hijacks the session and gains access to the session privileges of the victim's system. The victim's system may get an error message indicating that it has been disconnected, or it may re-establish a new session. Either way, the attacker gains the connection and access to the data from the legitimate system.
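The model below is an added example, not code from the slides, and not a real TCP stack. It keeps a listener's handshake state the way the text describes (a fixed backlog of half-open connections with a timeout), floods it with spoofed SYNs that are never acknowledged, and then lets a legitimate client try. The same flood is then run against the SYN-cookie variant, in which the server stores nothing and instead derives its initial sequence number from a keyed hash of the client and a time slot, and validates the returning ACK by recomputing it. The backlog size, timeout, cookie layout, addresses and secret are all constructed for the demo (real cookies also pack the MSS into the ISN).

```python
"""Added example: a listener model showing backlog exhaustion by a SYN flood
and the stateless SYN-cookie defence. Constructed for the demo; not a real stack."""
import hashlib
import hmac
import random

BACKLOG = 8                      # max half-open connections the listener holds
HALF_OPEN_TIMEOUT = 30.0         # seconds a half-open entry may live
COOKIE_SECRET = b"constructed-demo-secret"


class Server:
    def __init__(self, syn_cookies=False):
        self.syn_cookies = syn_cookies
        self.half_open = {}      # (client_ip, client_port) -> (isn, time_created)
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, cip, cport, slot):
        """ISN = 8-bit time slot || 24-bit keyed hash of (client, slot)."""
        tag = hmac.new(COOKIE_SECRET, f"{cip}:{cport}:{slot}".encode(), hashlib.sha256).digest()
        return ((slot & 0xFF) << 24) | int.from_bytes(tag[:3], "big")

    def _expire(self, now):
        for key, (_isn, created) in list(self.half_open.items()):
            if now - created > HALF_OPEN_TIMEOUT:
                del self.half_open[key]

    def on_syn(self, cip, cport, now):
        """Handle a SYN. Returns the ISN sent in the SYN-ACK, or None if dropped."""
        if self.syn_cookies:
            return self._cookie(cip, cport, int(now // 60))   # nothing is stored
        self._expire(now)
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1
            return None
        isn = random.getrandbits(32)
        self.half_open[(cip, cport)] = (isn, now)
        return isn

    def on_ack(self, cip, cport, ack, now):
        """Third packet of the handshake. True if the connection is established."""
        key = (cip, cport)
        if self.syn_cookies:
            slot = int(now // 60)
            for s in (slot, slot - 1):          # accept current and previous slot
                if ack == (self._cookie(cip, cport, s) + 1) & 0xFFFFFFFF:
                    self.established.add(key)
                    return True
            return False
        entry = self.half_open.get(key)
        if entry and ack == (entry[0] + 1) & 0xFFFFFFFF:
            del self.half_open[key]
            self.established.add(key)
            return True
        return False


def flood_then_connect(syn_cookies, spoofed_syns=200):
    """Attacker sends spoofed SYNs and never ACKs; then a legitimate client tries.
    Returns (legitimate_client_connected, half_open_entries_still_held)."""
    srv = Server(syn_cookies)
    now = 1_000.0
    for i in range(spoofed_syns):                           # sources are spoofed, so
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, now)  # the SYN-ACKs go nowhere
    now += 1.0                                              # well inside the timeout
    isn = srv.on_syn("198.51.100.7", 51515, now)
    if isn is None:                                         # SYN dropped: backlog full
        return False, len(srv.half_open)
    ok = srv.on_ack("198.51.100.7", 51515, (isn + 1) & 0xFFFFFFFF, now + 0.05)
    return ok, len(srv.half_open)


def forged_ack_rejected():
    """A cookie server must reject an ACK that was not derived from its own cookie."""
    srv = Server(syn_cookies=True)
    return not srv.on_ack("198.51.100.7", 51515, 0x12345678, 1_000.0)


if __name__ == "__main__":
    print("plain backlog :", flood_then_connect(False))   # legitimate client locked out
    print("SYN cookies   :", flood_then_connect(True))    # connects, nothing held
```

The timeout alone does not help here: the 200 spoofed SYNs arrive within one second, so every slot is still occupied when the real client shows up. With cookies the server commits no memory until the third packet proves the client can receive at its claimed address, which is exactly what a spoofing attacker cannot do.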
The attacker then has the privileges that were established when the session was created. The classic defence is to make initial sequence numbers unpredictable (RFC 6528 derives each ISN from a keyed hash of the connection's address and port 4-tuple plus a clock) so that an off-path attacker cannot guess them; an on-path attacker who can see the stream is stopped only by authenticating and encrypting the session (TLS, SSH, IPsec).

TCP/IP Hijacking

TCP/IP hijacking, also called active sniffing, involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.

The server won't know this has occurred and will respond as if the client is trusted. In this example, the attacker forces the server to accept its IP address as valid. TCP/IP hijacking presents the greatest danger to a network because the hijacker will probably acquire privileges and access to all the information on the server. As with a sequence number attack, there is little you can do at the TCP level to counter the threat once the attacker is on the path; the countermeasures are unpredictable sequence numbers, authenticated and encrypted sessions, and switch-port security that stops a second machine from claiming the victim's address.

UDP Attacks

A UDP attack targets either a maintenance protocol or a UDP service in order to overload services and initiate a DoS situation. UDP attacks can also exploit weaknesses in the UDP-based protocols themselves. The ping of death, discussed earlier in the section "Identifying Denial-of-Service and Distributed Denial-of-Service Attacks", is often listed here, although it is carried in ICMP echo rather than UDP; the UDP equivalent is the fraggle attack, which sends spoofed UDP echo or chargen requests to a broadcast address in the same way a smurf attack uses ICMP.

UDP packets aren't connection oriented and don't require the synchronization process described in the previous section. UDP packets are, however, susceptible to interception, and UDP can be attacked. UDP, like TCP, doesn't check the validity of IP addresses; the nature of this layer is to trust the layer below it, the IP layer. Because no handshake is needed, a UDP source address is trivially spoofed, which is why UDP services are the usual vehicle for reflection and amplification attacks.

ICMP Attacks

ICMP attacks occur by triggering a response from the ICMP protocol to a seemingly legitimate maintenance request. From earlier discussions, you'll recall that ICMP is often associated with echoing.

ICMP supports maintenance and reporting in a TCP/IP network. It is part of the IP level of the protocol suite.
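The following is an added example (not from the slides) of the blind, off-path form of the sequence number attack and hijack described in the two sections above: the attacker spoofs a trusted client's address, so the server's SYN-ACK goes to the real client and the attacker never sees the ISN it must acknowledge. With a counter-based ISN generator the attacker learns the counter from one legitimate connection and predicts the next value exactly; with an RFC 6528-style generator the ISN depends on a keyed hash of the 4-tuple and the prediction fails. Both generators, the listener, the step size (roughly the 4.4BSD scheme), addresses and the secret are constructed approximations for the demo.

```python
"""Added example: blind ISN prediction against a counter-based generator versus an
RFC 6528-style keyed generator. Constructed approximations, not real stacks."""
import hashlib
import hmac

PER_CONNECTION_STEP = 64_000      # 4.4BSD-style: ISN += 64000 per connection (and per half second)


class LegacyISN:
    """Counter-based ISN, roughly as older BSD stacks generated it."""
    def __init__(self, clock_half_seconds=0):
        self.counter = (clock_half_seconds * PER_CONNECTION_STEP) & 0xFFFFFFFF

    def next_isn(self, *_four_tuple):
        self.counter = (self.counter + PER_CONNECTION_STEP) & 0xFFFFFFFF
        return self.counter


class Rfc6528ISN:
    """ISN = M + F(local_ip, local_port, remote_ip, remote_port, secret), M a clock.
    Different 4-tuples get unrelated values, so one ISN says nothing about the next."""
    def __init__(self, secret=b"constructed-isn-secret", clock_4us=0):
        self.secret, self.clock = secret, clock_4us

    def next_isn(self, lip, lport, rip, rport):
        msg = f"{lip}:{lport}:{rip}:{rport}".encode()
        f = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (self.clock + f) & 0xFFFFFFFF


class Listener:
    """Minimal handshake bookkeeping for one server port (e.g. a trust-based rlogin)."""
    def __init__(self, isn_gen, ip="192.0.2.1", port=513):
        self.isn_gen, self.ip, self.port = isn_gen, ip, port
        self.pending = {}             # (client_ip, client_port) -> ISN we sent

    def syn(self, cip, cport):
        isn = self.isn_gen.next_isn(self.ip, self.port, cip, cport)
        self.pending[(cip, cport)] = isn
        return isn                    # delivered to cip, which the attacker does not control

    def ack(self, cip, cport, ack):
        """Final handshake packet: accepted only if ack == our ISN + 1."""
        return self.pending.get((cip, cport)) == (ack - 1) & 0xFFFFFFFF


def blind_spoof(isn_gen, attacker="203.0.113.9", trusted="198.51.100.5"):
    """1) attacker connects from its own address and learns one ISN;
    2) immediately sends a SYN spoofed from the trusted host (reply goes elsewhere);
    3) ACKs with the ISN it predicts from step 1. Returns True if the server accepts."""
    srv = Listener(isn_gen)
    sample = srv.syn(attacker, 40000)                 # this SYN-ACK the attacker sees
    srv.syn(trusted, 1023)                            # this one it never sees
    predicted = (sample + PER_CONNECTION_STEP) & 0xFFFFFFFF
    return srv.ack(trusted, 1023, (predicted + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("legacy counter ISN :", blind_spoof(LegacyISN(clock_half_seconds=12345)))  # True
    print("RFC 6528 ISN       :", blind_spoof(Rfc6528ISN()))                         # False
```

In practice the attacker also has to silence the trusted host (for instance with a SYN flood, tying the two attacks together) so that it does not answer the unexpected SYN-ACK with a RST. Unpredictable ISNs remove the blind variant; they do nothing against an attacker who can sniff the segment, which is the on-path hijack the next section describes.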
Several programs, including ping, use the ICMP protocol. Until fairly recently, ICMP was regarded as a benign protocol incapable of much damage. It has now joined the ranks of protocols used in common DoS attacks. Two primary ways ICMP is abused are smurf attacks, which disrupt systems, and ICMP tunneling, which uses the protocol as a covert channel.

Smurf Attacks

Smurf attacks can create havoc in a network. A smurf attack uses IP spoofing and broadcasting to send a ping to a group of hosts in a network. An ICMP echo request (type 8) is answered with an ICMP echo reply (type 0) if the targeted system is up; if it is down there is no reply, or a router may return a destination-unreachable message. If an echo request is sent to a network's directed-broadcast address, every host on that network answers it. The attacker forges the request's source address to be the victim's, so all of those replies converge on the victim. The result is an overload of the amplifying network and of the target system. Routers should drop inbound directed broadcasts (most now do by default), which removes the amplifier.

ICMP Tunneling

ICMP messages can carry data, such as timing and route information. The payload of an echo request or reply can be filled with data other than the intended information, which allows ICMP packets to be used as a communications channel between two systems. The channel can be used to carry a Trojan horse's command-and-control traffic or other malicious data through firewalls that permit ping. The technique is not new, but it still creates havoc and mischief wherever echo traffic is allowed through unchecked.

The countermeasure for ICMP attacks is to restrict ICMP traffic through your network. You can filter ICMP in most routers, and you should consider doing so; but do not deny it wholesale, because Destination Unreachable / Fragmentation Needed (type 3, code 4) is required for path MTU discovery and Time Exceeded (type 11) for traceroute. Rate-limit echo, drop directed broadcasts, and watch echo payload sizes. Many of the newer SOHO router solutions (and some of the personal firewall solutions on end-user workstations) drop ICMP echo requests by default. ICMP has no ports, so "closing the ICMP ports" really means filtering by ICMP type. Keep this in mind, as it can drive you nuts when you are trying to see if a brand-new station/server/router is up and running.
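As an added example that is not part of the slides, the code below builds and decodes ICMP echo packets (RFC 792 header, RFC 1071 one's-complement checksum) and runs the checks a detection engineer would write for the two abuses above over a constructed capture: an echo request aimed at one of our directed-broadcast addresses and a burst of echo replies from many hosts converging on one address (the smurf pattern), and an echo payload that is too large or does not carry a normal ping fill (the tunneling heuristic). The packets, addresses, the local network list, the thresholds and the "normal" fill patterns (the Linux timestamp-plus-incrementing-bytes fill and the Windows "abcdefghijklmnopqrstuvwabcdefghi" fill) are assumptions for the demo and should be tuned to what your own hosts actually send.

```python
"""Added example: ICMP echo build/parse with RFC 1071 checksum, plus smurf and
tunneling heuristics over a constructed capture. Thresholds are assumptions."""
import ipaddress
import struct
from collections import defaultdict

ECHO_REPLY, ECHO_REQUEST = 0, 8
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]   # networks whose broadcast we own
REPLY_FLOOD_SOURCES = 20                              # distinct repliers to one host -> flag
MAX_NORMAL_PAYLOAD = 128                              # larger echo payloads are suspicious
LINUX_FILL = bytes(range(0x10, 0x10 + 120))           # after the 8-byte timestamp
WINDOWS_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented; 0 when data already contains a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload):
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = rfc1071_checksum(hdr + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(raw: bytes) -> dict:
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", raw[:8])
    return {"type": icmp_type, "code": code, "ident": ident, "seq": seq,
            "payload": raw[8:], "checksum_ok": rfc1071_checksum(raw) == 0}


def looks_like_ping(payload: bytes) -> bool:
    """Normal ping payload: small, and the usual fill pattern of a stock ping tool."""
    if len(payload) > MAX_NORMAL_PAYLOAD:
        return False
    fill = payload[8:]
    return fill == LINUX_FILL[:len(fill)] or payload == WINDOWS_FILL


def analyze(records):
    """records: iterable of (src_ip, dst_ip, raw_icmp). Returns {finding: sorted list}."""
    findings = defaultdict(set)
    repliers = defaultdict(set)
    for src, dst, raw in records:
        pkt = parse_icmp(raw)
        if not pkt["checksum_ok"]:
            findings["bad_checksum"].add((src, dst))
            continue
        if pkt["type"] == ECHO_REQUEST:
            if any(ipaddress.ip_address(dst) == n.broadcast_address for n in LOCAL_NETS):
                findings["directed_broadcast_request"].add((src, dst))   # smurf amplifier use
            if not looks_like_ping(pkt["payload"]):
                findings["suspicious_echo_payload"].add((src, dst))      # tunneling candidate
        elif pkt["type"] == ECHO_REPLY:
            repliers[dst].add(src)
            if not looks_like_ping(pkt["payload"]):
                findings["suspicious_echo_payload"].add((src, dst))
    for dst, srcs in repliers.items():
        if len(srcs) >= REPLY_FLOOD_SOURCES:
            findings["echo_reply_flood"].add(dst)                         # smurf victim
    return {k: sorted(v) for k, v in findings.items()}


# Constructed capture: one normal ping exchange, a smurf, a tunnel, a corrupt packet.
NORMAL = b"\x00" * 8 + LINUX_FILL[:48]                 # default 56-byte Linux ping payload
VICTIM = "192.0.2.10"
SAMPLE = [
    ("10.0.0.5", "10.0.0.9", build_echo(ECHO_REQUEST, 1, 1, NORMAL)),
    ("10.0.0.9", "10.0.0.5", build_echo(ECHO_REPLY, 1, 1, NORMAL)),
    (VICTIM, "10.0.0.255", build_echo(ECHO_REQUEST, 7, 1, NORMAL)),   # spoofed from the victim
]
SAMPLE += [(f"10.0.0.{h}", VICTIM, build_echo(ECHO_REPLY, 7, 1, NORMAL)) for h in range(1, 41)]
SAMPLE.append(("10.0.0.33", "203.0.113.4",
               build_echo(ECHO_REQUEST, 9, 3, b"\x00" * 8 + b"GET /dump?host=fileserver " + b"A" * 300)))
_bad = bytearray(build_echo(ECHO_REQUEST, 2, 2, NORMAL))
_bad[10] ^= 0xFF                                       # corrupt a payload byte, checksum now wrong
SAMPLE.append(("10.0.0.6", "10.0.0.9", bytes(_bad)))

if __name__ == "__main__":
    for finding, items in analyze(SAMPLE).items():
        print(f"{finding}: {items}")
```

The broadcast check is the one that matters on the router (Cisco's `no ip directed-broadcast`, the default since IOS 12.0, makes it moot); the reply-flood count is what you would alert on at the victim's edge; and the payload heuristic is deliberately loose, because a tunnel that mimics a stock ping fill at 56 bytes is only caught by volume and timing, not by content.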