Network Attacks and Countermeasures


Most attacks against networks are Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks in which the objective is to consume a network’s bandwidth to make network services unavailable. But there are several other types of attacks, some of which are discussed in this section.

SYN flood

In a SYN flood attack, TCP packets requesting a connection (SYN bit set) are sent to the target network with a spoofed source address. The target responds with a SYN-ACK packet, but the spoofed source never replies. Half-open connections are incomplete communication sessions awaiting completion of the TCP three-way handshake. These connections can quickly overwhelm a system’s resources while waiting for the half-open connections to time out. This causes the system to crash or otherwise become unusable.

SYN floods are countered on Cisco routers by using two features: TCP Intercept, which effectively proxies for the half-open connections; and Committed Access Rate (CAR), which limits the bandwidth available to certain types of traffic. Checkpoint’s FW-1 firewall has a feature known as SYN Defender that functions similar to the Cisco TCP Intercept feature. Other defenses include changing the default maximum number of TCP half-open connections and reducing the timeout period on networked systems.

ICMP flood

In an ICMP flood attack, large numbers of ICMP packets (usually Echo Request) are sent to the target network to consume available bandwidth and/or system resources. Because ICMP isn’t required for normal network operations, the easiest defense is to drop ICMP packets at the router or filter them at the firewall.

UDP flood

In a UDP flood attack, large numbers of UDP packets are sent to the target network to consume available bandwidth and/or system resources. UDP floods can generally be countered by dropping unnecessary UDP packets at the router. However, if the attack is using a required UDP port (DNS port 53), other countermeasures need to be employed.

Smurf

A Smurf attack is a variation of the ICMP flood attack. (Read the earlier section “ICMP flood.”) In a Smurf attack, ICMP Echo Request packets are sent to the broadcast address of a target network by using a spoofed IP address on the target network. The target, or bounce site, then transmits the ICMP Echo Request to all hosts on the network. Each host then responds with an Echo Reply packet, overwhelming the available bandwidth and/or system resources. Countermeasures against Smurf attacks include dropping ICMP packets at the router.

Fraggle

A Fraggle attack is a variant of a Smurf attack (see the preceding section) that uses UDP Echo packets (UDP port 7) rather than ICMP packets. Cisco routers can be configured to disable the TCP and UDP services (known as TCP and UDP small servers) that are most commonly used in Fraggle attacks.

Teardrop

In a Teardrop attack, the length and fragmentation offset fields of sequential IP packets are modified, causing the target system to become confused and crash.

Session hijacking (Spoofing)

IP spoofing involves altering a TCP packet so that it appears to be coming from a known, trusted source, thus giving the attacker access to the network.




CISSP For Dummies
CISSP For Dummies
ISBN: 0470537914
EAN: 2147483647
Year: 2004
Pages: 242

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net