#8.

Recognizing TCP/IP Attacks

AGENDA
 Working with Protocol and Services
 Recognizing TCP/IP
Attacks
 Attacks on TCP/IP usually occur at the
host-to-host or Internet layer, although any
layer is potentially vulnerable. TCP/IP is
susceptible to attacks from both outside
and inside an organization.
 Recognizing TCP/IP
Attacks
 The opportunities for external attacks are
somewhat limited by the devices in the
network, including the router. The router
blocks many of the protocols from
exposure to the Internet. Some protocols,
such as ARP, aren’t routable and aren’t
generally vulnerable to outside attacks.
Other protocols, such as SMTP and ICMP,
pass through the router and form a normal
part of Internet and TCP/IP traffic. TCP,
UDP, and IP are all vulnerable to attack.
 Recognizing TCP/IP
Attacks
 Sniffing the Network
A network sniffer, or scanner, is a device
that captures and displays network traffic.
Your existing computers have the ability to
operate as sniffers. Network cards usually
only pass information up to the protocol
stack if the information is intended for the
computer on which they’re installed; any
network traffic not intended for that
computer is ignored.
 Recognizing TCP/IP
Attacks
Most NICs can be placed into what is
called promiscuous mode, which allows the
NIC to capture all information that it sees
on the network. Devices such as routers,
bridges, and switches are used to
separate or segment networks within a
larger network (known as virtual LANs, or
VLANs). Any traffic in a particular segment
is visible to all stations in that segment.
 Recognizing TCP/IP
Attacks
Adding a network sniffer such as the one
included by Microsoft in its Systems
Management Server (SMS) package
allows any computer to function as a
network sniffer. This software is widely
available and is very capable. A number of
public domain or shareware sniffers are
also available online, such as Wireshark
(http://www.wireshark.org.
 Recognizing TCP/IP
Attacks
By using a sniffer, an internal attacker can
capture all the information transported by
the network. Many advanced sniffers can
reassemble packets and create entire
messages, including user IDs and
passwords. This vulnerability is particularly
acute in environments where network
connections are easily accessible to
outsiders. For example, an attacker could
put a laptop or a portable computer in your
wiring closet and attach it to your network.
 Recognizing TCP/IP
Attacks
 Scanning Ports
A TCP/IP network makes many of the ports
available to outside users through the
router.
These ports respond in a predictable
manner when queried. For example, TCP
attempts synchronization when a session
initiation occurs.
 Recognizing TCP/IP
Attacks
An attacker can systematically query your
network to determine which services and
ports are open. This process is called port
scanning, and it is part of fingerprinting a
network; it can reveal a great deal about
your systems. Port scans are possible both
internally and externally. Many routers,
unless configured appropriately, will let all
protocols pass through them.
 Recognizing TCP/IP
Attacks
Port scans help in identifying what services
are running on a network. Individual
systems within a network might also have
applications and services running that the
owner doesn’t know about. These services
could potentially allow an internal attacker
to gain access to information by connecting
to the port associated with those services.
Many Microsoft Internet Information Server
(IIS) users don’t realize the weak security
that this product offers.
 Recognizing TCP/IP
Attacks
If they didn’t install all of the security
patches when they installed IIS on their
desktops, attackers can exploit the
weaknesses of IIS and gain access to
information. This has been done in many
cases without the knowledge of the owner.
These attacks might not technically be
considered TCP/IP attacks, but they are
because the inherent trust of TCP is used
to facilitate the attacks.
 Recognizing TCP/IP
Attacks
After they know the IP addresses of your
systems, external attackers can attempt to
communicate with the ports open in your
network, sometimes simply by using Telnet.
 Recognizing TCP/IP
Attacks
This process of port scanning can be
expanded to develop a footprint of your
organization. If your attacker has a single
IP address of a system in your network,
they can probe all the addresses in the
range and probably determine what other
systems and protocols your network is
utilizing. This allows the attacker to gain
knowledge about the internal structure of
your network.
 Recognizing TCP/IP
Attacks
In addition to scanning, network mapping
allows you to visually see everything that is
available. The most well-known network
mapper is nmap, which can run on all
operating systems and is found at
http://nmap.org/.
 Recognizing TCP/IP
Attacks
 TCP Attacks
TCP operates using synchronized connections.
The synchronization is vulnerable to attack; this is
probably the most common attack used today. As
you may recall, the synchronization, or
handshake, process initiates a TCP connection.
This handshake is particularly vulnerable to a
DoS attack referred to as a TCP SYN flood attack.
The protocol is also susceptible to access and
modification attacks, which are briefly explained in
the following sections.
 Recognizing TCP/IP
Attacks
 TCP SYN or TCP ACK Flood Attack
The TCP SYN flood, also referred to as the
TCP ACK attack, is common. The purpose
is to deny service. The attack begins as a
normal TCP connection: The client and
server exchange information in TCP
packets.
 Recognizing TCP/IP
Attacks
Identifying TCP/IP Security Concerns
TCP client continues to send ACK packets
to the server. The ACK packets tell the
server that a connection is requested. The
server responds with an ACK packet to the
client. The client is supposed to respond
with another packet accepting the
connection, and a session is established.
 Recognizing TCP/IP
Attacks
In this attack, the client continually sends
and receives the ACK packets but doesn’t
open the session. The server holds these
sessions open, awaiting the final packet in
the sequence.
This causes the server to fill up the
available sessions and deny other clients
the ability to access the resources.
 Recognizing TCP/IP
Attacks
This attack is virtually unstoppable in most
environments without working with
upstream providers. Many newer routers
can track and attempt to prevent this attack
by setting limits on the length of an initial
session to force sessions that don’t
complete to close out. This type of attack
can also be undetectable. An attacker can
use an invalid IP address, and TCP won’t
care because TCP will respond to any valid
request presented from the IP layer.
 Recognizing TCP/IP
Attacks
 TCP Sequence Number Attack TCP
sequence number attacks occur when an
attacker takes control of one end of a TCP
session. This attack is successful when the
attacker kicks the attacked end off the
network for the duration of the session.
Each time a TCP message is sent, either
the client or the server generates a
sequence number.
 Recognizing TCP/IP
Attacks
In a TCP sequence number attack, the
attacker intercepts and then responds with
a sequence number similar to the one used
in the original session. This attack can
either disrupt or hijack a valid session. If a
valid sequence number is guessed,
attackers can place themselves between
the client and server.
 Recognizing TCP/IP
Attacks
In this case, the attacker effectively hijacks
the session and gains access to the
session privileges of the victim’s system.
The victim’s system may get an error
message indicating that it has been
disconnected, or it may reestablish a new
session. In this case, the attacker gains the
connection and access to the data from the
legitimate system. The attacker then has
access to the privileges established by the
session when it was created.
 Recognizing TCP/IP
Attacks
 TCP/IP Hijacking
TCP/IP hijacking, also called active sniffing,
involves the attacker gaining access to a
host in the network and logically
disconnecting it from the network. The
attacker then inserts another machine with
the same IP address. This happens quickly
and gives the attacker access to the
session and to all the information on the
original system.
 Recognizing TCP/IP
Attacks
The server won’t know this has occurred
and will respond as if the client is trusted.
In this example, the attacker forces the
server to accept its IP address as valid.
TCP/IP hijacking presents the greatest
danger to a network because the hijacker
will probably acquire privileges and access
to all the information on the server. As with
a sequence number attack, there is little
you can do to counter the threat.
 UDP Attacks
A UDP attack attacks either a maintenance
protocol or a UDP service in order to
overload services and initiate a DoS
situation. UDP attacks can also exploit
UDP protocols.
One of the most popular UDP attacks is the
ping of death discussed earlier in the
section “Identifying Denial-of-Service and
Distributed Denial-ofService Attacks.”
 UDP Attacks
UDP packets aren’t connection oriented
and don’t require the synchronization
process described in the previous section.
UDP packets, however, are susceptible to
interception, and UDP can be attacked.
UDP, like TCP, doesn’t check the validity of
IP addresses. The nature of this layer is to
trust the layer below it, the IP layer.
 UDP Attacks
 ICMP Attacks ICMP attacks occur by
triggering a response from the ICMP
protocol to a seemingly legitimate
maintenance request. From earlier
discussions, you’ll recall that ICMP is often
associated with echoing.
 UDP Attacks
ICMP supports maintenance and reporting
in a TCP/IP network. It is part of the IP level
of the protocol suite. Several programs,
including Ping, use the ICMP protocol. Until
fairly recently, ICMP was regarded as a
benign protocol that was incapable of much
damage. However, it has now joined the
ranks of protocols used in common attack
methods for DoS attacks. Two primary
methods use ICMP to disrupt systems:
smurf attacks and ICMP tunneling.
 UDP Attacks
 Smurf Attacks
Smurf attacks can create havoc in a
network. A smurf attack uses IP spoofing
and broadcasting to send a ping to a group
of hosts in a network. An ICMP ping
request (type 8) is answered with an ICMP
ping reply (type 0) if the targeted system is
up, otherwise an unreachable message is
returned. If a broadcast is sent to a
network, all of the hosts will answer back
to the ping. The result is an overload of the
network and the target system.
 UDP Attacks
 ICMP Tunneling ICMP messages can
contain data about timing and routes. A
packet can be used to hold information
that is different from the intended
information. This allows an ICMP packet to
be used as a communications channel
between two systems. The channel can be
used to send a Trojan horse or other
malicious packet. This is a relatively new
opportunity to create havoc and mischief in
networks.
 UDP Attacks
The countermeasure for ICMP attacks is to
deny ICMP traffic through your network.
You can disable ICMP traffic in most
routers, and you should consider doing so
in your network.
Many of the newer SOHO router solutions
(and some of the personal firewall solutions
on end-user workstations) close down the
ICMP ports by default. Keep this in mind,
as it can drive you nuts when you are trying
to see if a brand-new station/server/router
is up and running.