Lesson 2: TCP/IP Layers and Vulnerabilities
Now that you have reviewed the four communication layers used with the TCP/IP suite and can identify the information that is contained in an IP datagram, you should consider the types of attacks that might occur at each level. This is not meant to be a comprehensive list; rather it provides you with an understanding of the types of attacks that can occur at different levels.
In Chapter 11, "Incident Detection and Response," you will review attacks that have already occurred on local networks as well as on the Internet, and each provides detailed information on how the TCP/IP protocol was exploited.
Identify the types of attacks that can occur at the Network Interface layer
Identify the types of attacks that can occur at the Internet layer
Identify the types of attacks that can occur at the Transport layer
Identify the types of attacks that can occur at the Application layer
Identifying Possible Network Interface Layer Attacks
At the Network Interface layer, the packet of information that is placed on the wire is known as a frame. The frame consists of three areas: the header, the payload, and the FCS. Because the Network Interface layer is used for communications on a local network, the attacks that occur at this level are carried out on local networks. Some of the ways the Network Interface layer can be exploited to compromise the C-I-A triad include the following:
The header contains the MAC address of the source and destination computers and is required to successfully send a directed message from a source computer to a destination computer. Attackers can easily spoof the MAC address of another computer. Any security mechanism based on MAC addresses is vulnerable to this type of attack.
A DoS attack overloads a single system so that it cannot provide the service it is configured to provide. An ARP protocol attack could be launched against a computer to overwhelm it, which would make it unavailable to support the C-I-A triad.
The ARP cache holds, in memory, the MAC addresses of computers on the local network that have been contacted within a certain amount of time. If incorrect (spoofed) entries are added to the ARP cache, the computer is no longer able to send information to the correct destination.
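The MAC spoofing and ARP cache poisoning points above both come down to one observable symptom on the local network: an IP address that is suddenly claimed by a different MAC address, or one MAC address that claims several IP addresses. The following script is an added example (not part of the lesson); it runs a simple consistency check over a constructed list of ARP replies, which is the kind of check a switch's dynamic ARP inspection feature or a host-based monitor performs. The addresses are made up.

```python
"""Flag conflicting IP-to-MAC bindings in a stream of ARP replies (added example).

The replies below are constructed sample data; a real monitor would read them
from a packet capture or from the ARP table of the host being protected.
"""
from collections import defaultdict

# Constructed sample ARP replies as (ip, mac) pairs, in arrival order.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # gateway, legitimate binding
    ("192.168.1.10", "00:11:22:33:44:0a"),  # ordinary host
    ("192.168.1.1", "00:11:22:33:44:01"),   # repeat of the gateway, consistent
    ("192.168.1.1", "DE:AD:BE:EF:00:99"),   # gateway now claimed by another MAC
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC also claims a second host
]


def find_conflicts(replies):
    """Return (ip, first_mac, new_mac) for every reply that contradicts the
    binding first learned for that IP. An empty list means no conflict."""
    learned = {}
    conflicts = []
    for ip, mac in replies:
        mac = mac.lower()            # MAC addresses are case-insensitive
        if ip not in learned:
            learned[ip] = mac        # first-seen binding is the trusted one
        elif learned[ip] != mac:
            conflicts.append((ip, learned[ip], mac))
    return conflicts


def macs_claiming_multiple_ips(replies):
    """Return {mac: set(ips)} for MACs seen answering for more than one IP."""
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac: ips for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for ip, old, new in find_conflicts(SAMPLE_ARP_REPLIES):
        print(f"ALERT: {ip} moved from {old} to {new}")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES).items():
        print(f"ALERT: {mac} answers for {sorted(ips)}")
```

A first-seen binding is only trustworthy if the monitor started before the attacker did; on a network where the gateway's MAC is known, the usual hardening is a static ARP entry for the gateway (or switch-enforced ARP inspection) so the check compares against a configured value rather than the first reply it happened to see.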
Identifying Possible Internet Layer Attacks
At the Internet layer, IP datagrams are formed. The datagram consists of two areas: the header and the payload. Some of the ways the Internet layer can be exploited to compromise the C-I-A triad include the following:
If the IP header fields and lengths are known, the IP address in the IP datagram can be easily discovered and spoofed. Any security mechanism based on the source IP address is vulnerable to this attack.
This attack occurs when a hacker places himself or herself between the source and destination computer in such a way that neither notices his or her existence. Meanwhile, the attacker can modify packets or simply view their contents.
With a DoS attack at this level, simple IP-level protocols and utilities can be exploited to overload a computer, thus breaking the C-I-A triad.
For fragmented datagrams, the Offset field is used with packet reassembly. If the offset is changed, the datagram is reformed incorrectly. This could allow a datagram that would typically not pass through a firewall to gain access to your internal network, and could disrupt the C-I-A triad.
Because IP datagrams can pass through several computers between the source and destination, the information in the IP header fields is read and sometimes modified, such as when the information reaches a router. If the packet is intercepted, the information in the header can be modified, corrupting the IP datagram. This could cause the datagram to never reach the destination computer, or it could change the protocols and payload information in the datagram.
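The fragmentation point above (an altered Offset field making the datagram reassemble incorrectly and possibly slip past a firewall) and the Transport layer summary's mention of a packet larger than the largest supported size are both caught by validating fragment offsets before reassembly. The script below is an added example, not from the lesson; it models each fragment as (offset in 8-byte units, payload length in bytes, more-fragments flag), exactly the quantities the IP header carries, and reports why a set of fragments should be dropped. The rules for a short first fragment and for a fragment that begins inside the transport header follow the advice in RFC 1858. The fragment sets are constructed sample data.

```python
"""Validate IP fragment offsets before reassembly (added example, not from the lesson).

Each fragment is (offset_units, payload_len, more_fragments). Offsets are in
8-byte units as in the IP header Offset field. All sample data is constructed.
"""
MAX_DATAGRAM = 65535   # largest datagram an IPv4 Total Length field can describe

# Constructed fragment sets.
GOOD_FRAGMENTS = [(0, 24, True), (3, 24, True), (6, 16, False)]       # contiguous 64 bytes
OVERLAPPING = [(0, 32, True), (3, 24, False)]                          # second starts at 24, inside the first
TINY_FIRST = [(0, 8, True), (1, 16, False)]                            # first fragment holds only 8 header bytes
OVERSIZE = [(0, 24, True), (8189, 24, False)]                          # last fragment ends at byte 65536


def check_fragments(frags, min_header=20):
    """Return a list of problem tags for a fragment set; [] means it is safe to reassemble.

    Tags: 'tiny-first' (first fragment shorter than the transport header),
    'header-overlap' (a later fragment starts inside the transport header and
    could overwrite port numbers a firewall already inspected), 'overlap',
    'gap', 'oversize' (reassembled size exceeds 65535), 'no-last' (MF never cleared).
    """
    if not frags:
        return ["empty"]
    # Work in bytes: (start, end, more_fragments), sorted by start offset.
    spans = sorted((off * 8, off * 8 + ln, mf) for off, ln, mf in frags)
    problems = []
    prev_end = 0
    for start, end, mf in spans:
        if start == 0 and end < min_header:
            problems.append("tiny-first")
        if 0 < start < min_header:
            problems.append("header-overlap")
        if start < prev_end:
            problems.append("overlap")
        elif start > prev_end:
            problems.append("gap")
        if end > MAX_DATAGRAM:
            problems.append("oversize")
        prev_end = max(prev_end, end)
    if spans[-1][2]:                 # highest fragment still has More Fragments set
        problems.append("no-last")
    return problems


if __name__ == "__main__":
    for name, frags in [("good", GOOD_FRAGMENTS), ("overlapping", OVERLAPPING),
                        ("tiny-first", TINY_FIRST), ("oversize", OVERSIZE)]:
        print(f"{name:12s} -> {check_fragments(frags) or 'ok'}")
```

A firewall that only inspects the first fragment is exactly the device this check protects: the 'header-overlap' rule refuses any later fragment that could rewrite the port numbers the firewall already approved, and 'oversize' rejects a set whose reassembled length no buffer should be asked to hold.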
Identifying Possible Transport Layer Attacks
At the Transport layer, either a UDP header is added to the message or a TCP header is added. The application that is requesting the service determines what protocol will be used. Some of the ways the Transport layer can be exploited to compromise the C-I-A triad include the following:
By knowing the UDP and TCP header fields and lengths, the ports that are used for communications between a source and destination computer can be identified, and that information can be corrupted or exploited.
With a DoS attack at this level, simple IP-level protocols and utilities can be exploited to overload a computer, thus breaking the C-I-A triad. For instance, by knowing the steps involved in a three-way TCP handshake, a hacker or cracker might send the packets in the incorrect order and disrupt the availability of one of your servers. An example of this is a SYN flood, where a hacker sends a large number of SYN packets to a server and leaves the session half open. The server leaves these sessions half-open for a prescribed amount of time. If the hacker is successful in opening all available sessions, legitimate traffic will be unable to reach the server.
This kind of attack occurs after a source and destination computer have established a communications link. A third computer disables the ability of one of the computers to communicate, and then imitates that computer. Because the connection has already been established, the third computer can disrupt your C-I-A triad.
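The SYN flood described above is visible on the server as a pile of half-open connections that never receive the final ACK of the three-way handshake. The script below is an added example (not from the lesson) of the detection side: it replays a constructed list of TCP events the way a server's connection table would see them, reaps entries older than the half-open timeout, and reports any source holding more half-open entries than a threshold. The addresses, ports, timeout and threshold are all made-up sample values.

```python
"""Count half-open TCP connections per source to spot a SYN flood (added example).

Events are constructed (time_seconds, src_ip, src_port, flags) tuples, with
flags written the way tcpdump prints them: "S" = SYN, "." = ACK.
"""
from collections import defaultdict

HALF_OPEN_TIMEOUT = 30.0   # seconds a half-open entry is kept (constructed value)
ALERT_THRESHOLD = 20       # half-open entries from one source that raise an alert


def build_events():
    """Constructed sample: one legitimate client that completes its handshake,
    and one source that sends 50 SYNs from different ports and never ACKs."""
    events = [
        (0.0, "10.0.0.5", 40000, "S"),   # legitimate SYN
        (0.1, "10.0.0.5", 40000, "."),   # its ACK completes the handshake
    ]
    for i in range(50):
        events.append((1.0 + i * 0.01, "203.0.113.7", 1000 + i, "S"))
    return events


def half_open_by_source(events, now, timeout=HALF_OPEN_TIMEOUT):
    """Return {src_ip: count} of handshakes still waiting for an ACK at time `now`,
    ignoring entries the server would already have expired."""
    pending = {}                           # (src_ip, src_port) -> time the SYN arrived
    for t, ip, port, flag in events:
        key = (ip, port)
        if flag == "S":
            pending[key] = t               # new half-open entry
        elif flag == "." and key in pending:
            del pending[key]               # handshake completed
    counts = defaultdict(int)
    for (ip, _port), t in pending.items():
        if now - t < timeout:
            counts[ip] += 1
    return dict(counts)


def flood_sources(events, now, threshold=ALERT_THRESHOLD):
    """Return the sources whose half-open count meets the alert threshold."""
    return sorted(ip for ip, n in half_open_by_source(events, now).items() if n >= threshold)


if __name__ == "__main__":
    events = build_events()
    print("half-open at t=2s:", half_open_by_source(events, now=2.0))
    print("flood sources:", flood_sources(events, now=2.0))
```

The timeout in this model is the "prescribed amount of time" the lesson mentions; shortening it limits how long a flood can hold the backlog, and SYN cookies remove the per-connection state altogether so that the backlog cannot fill. Note that a flood from spoofed source addresses will not collapse onto one IP as in this sample, so the same counter should also be kept for the server port as a whole.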
Identifying Possible Application Layer Attacks
Application layer attacks can be some of the most difficult to protect against because they take advantage of vulnerabilities in applications and lack of end-user knowledge of computer security. Some of the ways the Application layer can be exploited to compromise the C-I-A triad include the following:
Attachments can be added to e-mail messages and delivered to a user's inbox. The user can open the e-mail message and run the attachment. The attachment might do immediate damage, or might lie dormant and be used later. Similarly, hackers often embed malicious code in Hypertext Markup Language (HTML) formatted messages. Exploits of this nature might take advantage of a vulnerability in the client's e-mail application or a lack of user knowledge about e-mail security concerns.
When a client computer uses a Web browser to connect to a Web server and download a Web page, the content of the Web page can be active. That is, the content is not just static information, but can be executable code. If the code is malicious, it can be used to disrupt the C-I-A triad.
File Transfer Protocol (FTP) is used to transfer files from one computer to another. When a client has to provide a user name and password for authentication, that information can be sent across the Internet using plain text. The information can be captured at any point along the way. If the client uses the same user name and password as they use to attach to your corporate servers, that information could be obtained by a hacker or cracker and used to access your company's information.
The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."
At what layer of the DARPA communication model can a DoS attack occur?
Network Interface layer
Internet layer
Transport layer
Application layer
All of the above
None of the above
An attack occurs that attempts to disrupt a computer by sending TCP handshake packets in the wrong order. At what communications layer would this attack occur?
Network Interface layer
Internet layer
Transport layer
Application layer
Lesson Summary
Knowing the information that is available in each field of the headers created at the Network Interface, Internet, and Transport layers of the TCP/IP protocol suite allows dissimilar computers running on dissimilar networks to communicate with each other, because the information that is passed from computer to computer can be interpreted by each computer. This provides great functionality and communications compatibility, but unfortunately, it also provides hackers and crackers with the information needed to disrupt your company's C-I-A triad. The types of attacks that can be formed at each layer include the following:
Attacks at the Network Interface layer involve manipulation of the header information and addressing. This layer supports communication on a local network, and therefore uses MAC addresses to communicate. Attacks at this layer are localized to a single network, and can use the MAC addressing information protocols that are used to resolve MAC addresses to deny or disrupt communications.
Attacks at the Internet layer also involve manipulation of the header information and addressing. The IP addresses of the source and destination computers are part of the header, as well as the Transport layer protocol that particular datagram is using. Attacks can therefore involve exploiting the IP addressing information. Other attacks at this layer could cause a denial of service, or cause fragmented datagrams to be reassembled incorrectly.
Attacks at the Transport layer can take advantage of the TCP and UDP protocols and the various implementations of those protocols. Examples of this type of attack would be sending the ending sequence of a TCP three-way handshake, or sending a packet that is larger than the largest supported packet size.
Attacks at the Application layer typically attack applications that are used to pass information between client and server computers. An example of this would be a client opening a Web browser and retrieving a Web page from a Web server. An attack might send damaging information and commands to the client computer.