Network Availability Attacks

Another class of network DoS attacks involves an attacker trying to crash the targeted network device or underlying operating system. The following are the most popular and prevalent of these types of attacks.

Attack Stress Testing with Malformed Packets (Fuzzing)

Popularity:

3

Simplicity:

6

Impact:

7

Risk Rating:

5

As you saw in Chapter 2, the TCP/IP stack implementations in different versions of Windows are unique enough that they can be differentiated in their responses to network traffic. The point is that all vendors implement their device IP stacks in various ways, in some cases varied across different versions of the same product. Some implementations are more robust than others and are able to handle a variety of error conditions. Most of the time, developers don't take into account network input that deviates from "normal" traffic, which in some cases can lead to the device or application crashing upon processing it. We've seen this a million times in the security industry, and it is typically the cause of most denial of service vulnerabilities on routers and switches.

To adequately test the robustness of a network stack implementation, you typically want to devise as many "evil" test cases as possible that poke the bounds of your support protocol. You can find bugs and DoS vulnerabilities in network devices simply by crafting different types of packets for that protocol, containing data that pushes the protocol's specifications to the breaking point, otherwise known as fuzzing .

A useful free fuzzing tool suite for testing the robustness of underlying IP stack implementations is IP Stack Integrity Checker (ISIC at http://www.packetfactory.net/Projects/ISIC/). ISIC is "a suite of utilities to exercise the stability of an IP Stack and its component stacks (TCP, UDP, ICMP et al.)." ISIC comes with five individual tools that manage their respective protocols in different ways: isic (IP), tcpsic (TCP), udpsic (UDP), icmpsic (ICMP), and esic (Ethernet). There are also some other free and commercial fuzzing suites that go beyond the IP stack all the way to the application layer.

We devote Chapter 11 to VoIP protocol fuzzing.

Attack Packet Fragmentation

Popularity:

3

Simplicity:

5

Impact:

6

Risk Rating:

5

By fragmenting TCP and UDP packets in unique ways, it is possible to render useless many operating systems and VoIP devices through resource consumption. There are many variations of fragmentation attacks; however, some of the most popular exploits include teardrop, opentear, nestea, jolt, boink, and the ping of death (most can be found at http://packetstormsecurity.org). Some memorable, well-known fragmentation-based vulnerabilities include

  • ISS RealSecure 3.2.x Fragmented SYN Packets DoS Vulnerability   http://www.securityfocus.com/bid/1597

  • CERT Advisory CA-1997-28 IP Denial-of-Service Attacks   http://www.cert.org/advisories/CA-1997-28.html

  • Cisco Security Advisory: Cisco PIX and CBAC Fragmentation Attack   http://www.cisco.com/warp/public/770/nifrag.shtml

For instance, to launch a fragmented UDP flood against our SIP proxy, we can download and run the tool opentear:

 % ./opentear 192.168.1.103 Sending fragmented UDP flood. 

Attack Underlying OS or Firmware Vulnerabilities

Popularity:

10

Simplicity:

8

Impact:

10

Risk Rating:

9

The other major category of DoS attacks on VoIP infrastructure involves an attacker leveraging vulnerabilities in the underlying application or operating system, which can lead to a system crash or overwhelming resource consumption. For instance, any new vulnerability in your Linux system may correspondingly affect the Asterisk application running on top of it. In the same vein, any IOS DoS vulnerability will directly affect Cisco CallManager Express, which runs on top of it. To focus on Cisco a little bit, look at each of the following advisories that were released related to Cisco CallManager (running on Windows) in response to a new worm that exploited a Windows vulnerability:

  • "MS Windows W32.Blaster.Worm Affects Cisco CallManager and IP Telephony Applications" at http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_tech_note09186a00801ae3dc.shtml

  • "Defend Against the Sasser Virus on the MCS Servers" at http://www.cisco.com/en/US/products/hw/voiceapp/ps378/products_tech_note09186a0080223c65.shtml

  • "Cisco Security Advisory: 'Code Red' WormCustomer Impact" at http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml

  • "Cleaning Nimda Virus from Cisco CallManager 3.x and CallManager Applications Servers" at http://www.cisco.com/en/US/products/sw/oicesw/ps556/vproducts_tech_note09186a00800941e4.shtml

Network Availability Attack Countermeasures

The countermeasures listed previously in "Flooding Attack Countermeasures" apply here as well to ensure network availability. We want to add one more countermeasure specific to the attacks we just covered, Network Intrusion Prevention.

Countermeasurs Network Intrusion Prevention Systems

Network-based Intrusion Prevention Systems (NIPSs) are inline network devices that detect and block attacks at wire speed. A NIPS can be deployed in a network in much the same way as a switch or a router. The NIPS inspects each packet that passes through it, looking for any indication of a malicious exploitation of a vulnerability.

When the NIPS does detect an attack, it blocks the corresponding network flow. As an element of the network infrastructure, it must also identify attacks without blocking legitimate traffic.

NIPSs also buy IT admins time to patch enterprise-wide by providing a sort of virtual patch for any exploits that may emerge soon after a new vulnerability is discovered in the public domain.

There are a plethora of NIPS vendors including

  • Cisco Systems

  • Forescout Inc.

  • Fortinet Inc.

  • Internet Security Systems

  • Juniper Networks

  • Lucid Security

  • McAfee

  • NFR Security

  • NitroSecurity Inc.

  • Panda GateDefender Integra

  • Radware

  • Refl ex Security

  • SecureWorks

  • Third Brigade

  • TippingPoint

  • Top Layer



Hacking Exposed VoIP. Voice Over IP Security Secrets & Solutions
Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions
ISBN: 0072263644
EAN: 2147483647
Year: 2004
Pages: 158

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net