The following security breach and defense technique examples are excerpts from Cisco's Web page. If you require more detailed information regarding them, you should read them from the source. The information is provided here to illustrate the point that every aspect of networking has to be aware of security and its impact on your network and organization.
Vulnerabilities in Cisco CHAP Authentication
Challenge Handshake Authentication Protocol (CHAP) is a security feature supported on lines using PPP encapsulation that is used to prevent unauthorized access. CHAP does not itself prevent unauthorized access; it merely identifies the remote end. The router or access server then determines whether that user is allowed access.
A serious security vulnerability (bug ID CSCdi91594) exists in PPP CHAP authentication in all classic Cisco IOS software versions. The vulnerability permits attackers with appropriate skills and knowledge to completely circumvent CHAP authentication. Other PPP authentication methods are not affected.
A moderately sophisticated programmer with appropriate knowledge can set up an unauthorized PPP connection to any system that is running vulnerable software and that depends on CHAP for authentication. To gain this unauthorized access, an attacker must have the following:
This vulnerability cannot be exploited by an attacker using an unmodified, properly functioning PPP/CHAP implementation; the attacker must make modifications to his or her software to exploit this vulnerability.
Considering the three minimum requirements for this breach of security to succeed, you can easily see how after the attacker is in, an experienced hacker or cyber thief can cost your organization lots of money.
TCP Loopback DoS Attack (land.c) and Cisco Devices
Somebody has released a program, known as land.c, that can be used to launch denial of service attacks against various TCP implementations. The program sends a TCP SYN packet (a connection initiation), giving the target host's address as both source and destination and using the same port on the target host as both source and destination.
All Cisco IOS/700 software systems that can be reached via TCP from distrusted hosts are affected. Classic Cisco IOS software systems that are running vulnerable versions and that can be reached via TCP from distrusted hosts are affected.
This vulnerability enables attackers to deny service to legitimate users and to administrators. Recovery might require physically visiting the affected hardware. Appropriate firewalls and some configuration workarounds can block this attack. Cisco has classified the potential results of this attack by level of vulnerability.
Smurfing Denial of Service (DoS) Attacks
The smurf attack, named after its exploit program, is the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at broadcast addresses, all of which has a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses maps the IP broadcast onto a layer 2 broadcast, most hosts on that IP network will take the ICMP echo request and reply to it with one echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines replying to each packet.
Currently, the providers/machines most commonly hit are Internet Relay Chat (IRC) servers and their providers. There are two parties affected by this attack:
Assume a switched network consisting of 100 hosts, and that the attacker has access to a T1 circuit. The attacker sends, for example, a 768 kbps stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the bounce site.
These ping packets hit the bounce site's broadcast network of 100 hosts. Each takes the packet and responds to it, creating 100 ping replies outbound. By multiplying the bandwidth, you see that 76.8 Mbps is used outbound from the bounce site after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets).
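The two packet patterns described above, the land.c SYN packet and the echo requests that turn a site into a smurf bounce, are both recognizable from the packet headers alone. The following classifier is an added example, not code from Cisco or from this book; the local networks, the sample packet records and the traffic figures fed to the amplification helper are constructed for illustration.

```python
"""Recognize the two traffic patterns described above in constructed packet
records: land.c (a TCP SYN whose source and destination address and port are
all identical) and smurf bounce traffic (an ICMP echo request addressed to the
directed-broadcast address of one of our own networks).
Added example, not Cisco's code; networks and packets are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed: the networks behind the router being protected (a possible "bounce site").
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0       # TCP/UDP port; 0 for ICMP
    dport: int = 0
    flags: str = ""      # TCP flags as letters, e.g. "S", "SA", "A"
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply


def is_land(pkt: Packet) -> bool:
    """land.c signature: a TCP SYN (no ACK) whose source and destination
    address and port are all equal. No legitimate connection looks like this."""
    return (pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags
            and pkt.src == pkt.dst and pkt.sport == pkt.dport)


def is_smurf_bounce(pkt: Packet) -> bool:
    """Smurf amplifier traffic: an ICMP echo request whose destination is the
    directed-broadcast address of one of our networks. Whether the source is
    spoofed cannot be proven here; the broadcast target alone is reason to drop it."""
    if pkt.proto != "icmp" or pkt.icmp_type != 8:
        return False
    dst = ipaddress.ip_address(pkt.dst)
    return any(dst == net.broadcast_address for net in LOCAL_NETWORKS)


def classify(packets):
    """Return (label, packet) pairs for every packet matching one of the patterns."""
    hits = []
    for p in packets:
        if is_land(p):
            hits.append(("land", p))
        elif is_smurf_bounce(p):
            hits.append(("smurf", p))
    return hits


def smurf_amplification(inbound_kbps: float, responding_hosts: int) -> float:
    """Outbound load from the bounce site in Mbps, assuming every host on the
    broadcast segment answers each echo request with one echo reply."""
    return inbound_kbps * responding_hosts / 1000


# Constructed sample traffic as seen by the router.
SAMPLE = [
    Packet("tcp", "192.0.2.10", "192.0.2.10", 139, 139, "S"),       # land.c
    Packet("tcp", "203.0.113.7", "192.0.2.10", 40000, 80, "S"),     # ordinary SYN
    Packet("tcp", "192.0.2.10", "192.0.2.10", 5000, 5000, "SA"),    # SYN-ACK, not land
    Packet("icmp", "203.0.113.50", "192.0.2.255", icmp_type=8),     # smurf bounce
    Packet("icmp", "203.0.113.50", "192.0.2.20", icmp_type=8),      # ordinary ping
    Packet("icmp", "203.0.113.50", "198.51.100.127", icmp_type=8),  # bounce via the /25
    Packet("icmp", "203.0.113.50", "198.51.100.255", icmp_type=8),  # not one of our broadcasts
]

if __name__ == "__main__":
    for label, p in classify(SAMPLE):
        print(f"{label:6} {p.src} -> {p.dst}")
    print(f"{smurf_amplification(768, 100):.1f} Mbps outbound from the bounce site")
```

The classifier only reports what it sees; the configuration that actually stops a Cisco IOS router from acting as a smurf amplifier is `no ip directed-broadcast` on each interface, which keeps the router from turning such echo requests into layer 2 broadcasts in the first place.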
TCP SYN Denial of Service Attacks & Defense Strategies
When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN ACK before the connection is established. This is referred to as the TCP three-way handshake.
While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK.