Network Availability Attacks

Another class of network DoS attacks involves an attacker trying to crash the targeted network device or underlying operating system. The following are the most popular and prevalent of these types of attacks.

Attack Stress Testing with Malformed Packets (Fuzzing)

Popularity: 3   Simplicity: 6   Impact: 7   Risk Rating: 5

As you saw in Chapter 2, the TCP/IP stack implementations in different versions of Windows are unique enough that they can be differentiated in their responses to network traffic. The point is that all vendors implement their device IP stacks in various ways, in some cases varied across different versions of the same product. Some implementations are more robust than others and are able to handle a variety of error conditions. Most of the time, developers don't take into account network input that deviates from "normal" traffic, which in some cases can lead to the device or application crashing upon processing it. We've seen this a million times in the security industry, and it is typically the cause of most denial of service vulnerabilities on routers and switches.

To adequately test the robustness of a network stack implementation, you typically want to devise as many "evil" test cases as possible that probe the bounds of the protocol you support. You can find bugs and DoS vulnerabilities in network devices simply by crafting different types of packets for that protocol, containing data that pushes the protocol's specification to its breaking point, a technique otherwise known as fuzzing.

A useful free fuzzing tool suite for testing the robustness of underlying IP stack implementations is IP Stack Integrity Checker (ISIC at http://www.packetfactory.net/Projects/ISIC/). ISIC is "a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et al.)." ISIC comes with five individual tools that manage their respective protocols in different ways: isic (IP), tcpsic (TCP), udpsic (UDP), icmpsic (ICMP), and esic (Ethernet). There are also some other free and commercial fuzzing suites that go beyond the IP stack all the way to the application layer.
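As an added example (not code from the book or from ISIC), this is the check a stack needs in order to survive the "evil" packets such fuzzers generate: every length field is validated against the bytes actually received before anything is read through it, and a small constructed corpus of malformed IPv4/UDP headers is fed through it. The names validate_ipv4_udp, make_packet and check_variant are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Verdicts returned by validate_ipv4_udp(). */
enum { PKT_OK = 0, PKT_SHORT, PKT_BAD_VERSION, PKT_BAD_IHL,
       PKT_BAD_TOTLEN, PKT_NOT_UDP, PKT_BAD_UDPLEN };

/* Validate an IPv4 datagram carrying UDP: every length field is checked
 * against the bytes actually received before anything is read through it. */
int validate_ipv4_udp(const uint8_t *buf, size_t len)
{
    if (len < 20) return PKT_SHORT;                 /* minimal IPv4 header */
    if ((buf[0] >> 4) != 4) return PKT_BAD_VERSION;
    size_t ihl = (size_t)(buf[0] & 0x0f) * 4;       /* header length, bytes */
    if (ihl < 20 || ihl > len) return PKT_BAD_IHL;  /* field can claim 0..60 */
    size_t totlen = ((size_t)buf[2] << 8) | buf[3];
    if (totlen < ihl || totlen > len) return PKT_BAD_TOTLEN;
    if (buf[9] != 17) return PKT_NOT_UDP;           /* IP protocol 17 = UDP */
    size_t rem = totlen - ihl;                      /* bytes left for UDP */
    if (rem < 8) return PKT_SHORT;                  /* UDP header is 8 bytes */
    size_t udplen = ((size_t)buf[ihl + 4] << 8) | buf[ihl + 5];
    if (udplen < 8 || udplen > rem) return PKT_BAD_UDPLEN;
    return PKT_OK;
}

/* Constructed 28-byte IPv4+UDP packet (20-byte IP header, 8-byte UDP header,
 * no payload). The three arguments are the fields the "evil" cases corrupt;
 * the UDP length is always written at offset 24, i.e. assuming IHL == 5. */
size_t make_packet(uint8_t out[28], uint8_t ihl_nibble,
                   uint16_t totlen, uint16_t udplen)
{
    memset(out, 0, 28);
    out[0] = (uint8_t)(0x40 | (ihl_nibble & 0x0f));     /* version 4 + IHL */
    out[2] = (uint8_t)(totlen >> 8); out[3] = (uint8_t)totlen;
    out[9] = 17;                                        /* protocol: UDP */
    out[24] = (uint8_t)(udplen >> 8); out[25] = (uint8_t)udplen;
    return 28;
}

/* One fuzz case: build a variant, optionally truncate it (short read), return the verdict. */
int check_variant(uint8_t ihl_nibble, uint16_t totlen, uint16_t udplen,
                  size_t truncate_to)
{
    uint8_t pkt[28];
    size_t n = make_packet(pkt, ihl_nibble, totlen, udplen);
    if (truncate_to < n) n = truncate_to;
    return validate_ipv4_udp(pkt, n);
}
```

Each malformed variant is rejected at the first check that its lie would otherwise corrupt; the well-formed baseline passes.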

We devote Chapter 11 to VoIP protocol fuzzing.

Attack Packet Fragmentation

Popularity: 3   Simplicity: 5   Impact: 6   Risk Rating: 5

By fragmenting TCP and UDP packets in unique ways, it is possible to render useless many operating systems and VoIP devices through resource consumption. There are many variations of fragmentation attacks; however, some of the most popular exploits include teardrop, opentear, nestea, jolt, boink, and the ping of death (most can be found at http://packetstormsecurity.org). Some memorable, well-known fragmentation-based vulnerabilities include

  • ISS RealSecure 3.2.x Fragmented SYN Packets DoS Vulnerability   http://www.securityfocus.com/bid/1597

  • CERT Advisory CA-1997-28 IP Denial-of-Service Attacks   http://www.cert.org/advisories/CA-1997-28.html

  • Cisco Security Advisory: Cisco PIX and CBAC Fragmentation Attack   http://www.cisco.com/warp/public/770/nifrag.shtml

For instance, to launch a fragmented UDP flood against our SIP proxy, we can download and run the tool opentear:

 % ./opentear 192.168.1.103
 Sending fragmented UDP flood.
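As an added example (not the book's code and not part of any tool named above), this is the admission check a reassembly engine can apply before it spends memory on a fragment set: oversize totals, overlapping ranges and fragment floods are refused up front, exercised with constructed sequences shaped like the attacks just listed. Function names, the fragment budget and the case data are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#define MAX_FRAGS   64     /* per-datagram fragment budget (a policy choice) */
#define MAX_PAYLOAD 65515  /* 65535 max IPv4 total length minus a 20-byte header */

enum { FRAG_OK = 0, FRAG_BAD_LEN, FRAG_OVERSIZE, FRAG_OVERLAP, FRAG_TOO_MANY };
typedef struct { uint32_t start[MAX_FRAGS], end[MAX_FRAGS]; size_t count; } reasm_t;
typedef struct { uint16_t off, len; int more; } frag_t;  /* one constructed fragment */

/* Admit one fragment (13-bit offset field in 8-byte units, payload length,
 * MF flag) into the context for one (src, dst, id, proto) tuple. Ping-of-death
 * sizes, teardrop-style overlaps and fragment floods are refused before any
 * reassembly buffer is allocated or written. */
int frag_admit(reasm_t *r, uint16_t off_field, uint16_t payload_len, int more)
{
    uint32_t start = (uint32_t)(off_field & 0x1fff) * 8;
    uint32_t end = start + payload_len;
    if (payload_len == 0) return FRAG_BAD_LEN;
    if (more && payload_len % 8 != 0) return FRAG_BAD_LEN; /* non-final: 8-aligned */
    if (end > MAX_PAYLOAD) return FRAG_OVERSIZE;
    if (r->count >= MAX_FRAGS) return FRAG_TOO_MANY;
    for (size_t i = 0; i < r->count; i++)            /* any byte overlap at all */
        if (start < r->end[i] && r->start[i] < end) return FRAG_OVERLAP;
    r->start[r->count] = start; r->end[r->count] = end; r->count++;
    return FRAG_OK;
}

/* Feed a constructed fragment sequence to a fresh context; return the first
 * non-OK verdict, or FRAG_OK if every fragment was admitted. */
int frag_sequence(const frag_t *f, size_t n)
{
    reasm_t r = { .count = 0 };
    for (size_t i = 0; i < n; i++) {
        int v = frag_admit(&r, f[i].off, f[i].len, f[i].more);
        if (v != FRAG_OK) return v;
    }
    return FRAG_OK;
}

/* Constructed sequences, not captures: a normal two-fragment datagram, a
 * teardrop-style nested fragment, an oversize tail, and a fragment flood. */
int case_normal(void)   { frag_t f[] = {{0, 1480, 1}, {185, 100, 0}};   return frag_sequence(f, 2); }
int case_teardrop(void) { frag_t f[] = {{0, 40, 1}, {3, 4, 0}};         return frag_sequence(f, 2); }
int case_pod(void)      { frag_t f[] = {{0, 1480, 1}, {8189, 1480, 0}}; return frag_sequence(f, 2); }
int case_flood(void)
{
    frag_t f[MAX_FRAGS + 1];                 /* one more than the budget allows */
    for (int i = 0; i <= MAX_FRAGS; i++) f[i] = (frag_t){ (uint16_t)i, 8, 1 };
    return frag_sequence(f, MAX_FRAGS + 1);
}
```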

Attack Underlying OS or Firmware Vulnerabilities

Popularity: 10   Simplicity: 8   Impact: 10   Risk Rating: 9

The other major category of DoS attacks on VoIP infrastructure involves an attacker leveraging vulnerabilities in the underlying application or operating system, which can lead to a system crash or overwhelming resource consumption. For instance, any new vulnerability in your Linux system may correspondingly affect the Asterisk application running on top of it. In the same vein, any IOS DoS vulnerability will directly affect Cisco CallManager Express, which runs on top of it. To focus on Cisco a little bit, look at each of the following advisories that were released related to Cisco CallManager (running on Windows) in response to a new worm that exploited a Windows vulnerability:

  • "MS Windows W32.Blaster.Worm Affects Cisco CallManager and IP Telephony Applications" at http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801ae3dc.shtml

  • "Defend Against the Sasser Virus on the MCS Servers" at http://www.cisco.com/en/US/products/hw/voiceapp/ps378/products_tech_note09186a0080223c65.shtml

  • "Cisco Security Advisory: 'Code Red' Worm - Customer Impact" at http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

  • "Cleaning Nimda Virus from Cisco CallManager 3.x and CallManager Applications Servers" at http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00800941e4.shtml

Network Availability Attack Countermeasures

The countermeasures listed previously in "Flooding Attack Countermeasures" apply here as well to ensure network availability. We want to add one more countermeasure specific to the attacks we just covered, Network Intrusion Prevention.

Countermeasure: Network Intrusion Prevention Systems

Network-based Intrusion Prevention Systems (NIPSs) are inline network devices that detect and block attacks at wire speed. A NIPS can be deployed in a network in much the same way as a switch or a router. The NIPS inspects each packet that passes through it, looking for any indication of a malicious exploitation of a vulnerability.

When the NIPS does detect an attack, it blocks the corresponding network flow. As an element of the network infrastructure, it must also identify attacks without blocking legitimate traffic.

NIPSs also buy IT admins time to patch enterprise-wide by providing a sort of virtual patch for any exploits that may emerge soon after a new vulnerability is discovered in the public domain.

There are a plethora of NIPS vendors including

  • Cisco Systems

  • Forescout Inc.

  • Fortinet Inc.

  • Internet Security Systems

  • Juniper Networks

  • Lucid Security

  • McAfee

  • NFR Security

  • NitroSecurity Inc.

  • Panda GateDefender Integra

  • Radware

  • Reflex Security

  • SecureWorks

  • Third Brigade

  • TippingPoint

  • Top Layer



Hacking Exposed VoIP. Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
Year: 2004
Pages: 158
