Managing Your OSPF Network

The following security breach and defense technique examples are excerpts from Cisco’s Web page. If you require more detailed information regarding them, you should read them from the source. The information is provided here to illustrate the point that every aspect of networking has to be aware of security and its impact on your network and organization.

Vulnerabilities in Cisco CHAP Authentication

Challenge Handshake Authentication Protocol (CHAP) is a security feature supported on lines using PPP encapsulation that prevents unauthorized access. CHAP does not itself prevent unauthorized access; it merely identifies the remote end. The router or access server then determines whether that user is allowed access.

A serious security vulnerability (bug ID CSCdi91594) exists in PPP CHAP authentication in all “classic” Cisco IOS software versions. The vulnerability permits attackers with appropriate skills and knowledge to completely circumvent CHAP authentication. Other PPP authentication methods are not affected.

Network Impact

A moderately sophisticated programmer with appropriate knowledge can set up an unauthorized PPP connection to any system that is running vulnerable software and that depends on CHAP for authentication. To gain this unauthorized access, an attacker must have the following:

•  Knowledge of the details of this vulnerability.

•  Access to modifiable code (generally meaning source code) for a PPP/CHAP implementation and sufficient programming skill to make simple changes to that code. Note that such source code is widely available on the Internet.

•  A modest amount of information about the configuration of the network to be attacked, including such things as usernames and IP addresses.

This vulnerability cannot be exploited by an attacker using an unmodified, properly functioning PPP/CHAP implementation; the attacker must make modifications to his or her software to exploit this vulnerability.

Considering the three “minimum requirements” for this breach of security to succeed, you can easily see how after the attacker is in, an experienced hacker or cyber thief can cost your organization lots of money.

TCP Loopback DoS Attack (land.c) and Cisco Devices

Somebody has released a program, known as land.c, that can be used to launch denial of service attacks against various TCP implementations. The program sends a TCP SYN packet (a connection initiation), giving the target host’s address as both source and destination and using the same port on the target host as both source and destination.

Network Impact

All Cisco IOS/700 software systems that can be reached via TCP from distrusted hosts are affected. Classic Cisco IOS software systems that are running vulnerable versions and that can be reached via TCP from distrusted hosts are affected.

This vulnerability enables attackers to deny service to legitimate users and to administrators. Recovery might require physically visiting the affected hardware. Appropriate firewalls and some configuration workarounds can block this attack. Cisco has classified the potential results of this attack by level of vulnerability.

•  Highly vulnerable releases might hang indefinitely, requiring hardware resets, when attacked.

•  Moderately vulnerable releases will not accept any new TCP connections for about 30 seconds after receiving an attack packet, permitting denial of service to administrators and possibly to users, but will recover and will continue to forward packets.

•  Largely invulnerable releases will continue to operate normally with negligible performance impact.

“Smurfing” Denial of Service (DoS) Attacks

The “smurf” attack, named after its exploit program, is the most recent in the category of network-level attacks against hosts. A perpetrator sends a large amount of ICMP echo (ping) traffic at broadcast addresses, all of which has a spoofed source address of a victim. If the routing device delivering traffic to those broadcast addresses performs an IP broadcast to the layer 2 broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with one echo reply each, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines replying to each packet.

Currently, the providers/machines most commonly hit are Internet Relay Chat (IRC) servers and their providers. There are two parties affected by this attack:

•  The intermediary (broadcast) devices (referred to as “bounce sites” in this document)

•  The spoofed address target (referred to as the “victim” in this document), in which the victim is the target of a large amount of traffic that the bounce sites generate

Assume a switched network consisting of 100 hosts, and that the attacker has access to T1 circuit. The attacker sends, for example, a 768 kbps stream of ICMP echo (ping) packets, with a spoofed source address of the victim, to the broadcast address of the bounce site.

These ping packets hit the bounce site’s broadcast network of 100 hosts. Each takes the packet and responds to it, creating 100 ping replies outbound. By multiplying the bandwidth, you see that 76.8 Mbps is used outbound from the bounce site after the traffic is multiplied. This is then sent to the victim (the spoofed source of the originating packets).

TCP SYN Denial of Service Attacks & Defense Strategies

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN ACK (synchronize acknowledge). The destination host must then hear an ACK (acknowledge) of the SYN ACK before the connection is established. This is referred to as the “TCP three-way handshake.”

While waiting for the ACK to the SYN ACK, a connection queue of finite size on the destination host keeps track of connections waiting to be completed. This queue typically empties quickly since the ACK is expected to arrive a few milliseconds after the SYN ACK.