The TCP SYN attack exploits this design by having an attacking source host generate TCP SYN packets with random source addresses toward a victim host. The victim destination host sends a SYN ACK back to the random source address and adds an entry to the connection queue. Because the SYN ACK is destined for an incorrect or non-existent host, the last part of the three-way handshake is never completed and the entry remains in the connection queue until a timer expires, typically for about one minute. By generating phony TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services (such as e-mail, file transfer, or WWW) to legitimate users.
There is no easy way to trace the originator of the attack because the IP address of the source is forged. The external manifestations of the problem include inability to get e-mail, inability to accept connections to WWW or FTP services, or a large number of TCP connections on your host in the state SYN_RCVD.
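The SYN_RCVD symptom described above can be checked for mechanically. The following is an added example (not part of the original document and not Cisco's code): a small Python script that parses netstat-style output, counts half-open connections per local socket, and applies a simple heuristic, namely that a flood from forged random source addresses shows roughly as many distinct peers as half-open entries, whereas a legitimate client retrying would reuse its own address. The netstat lines are constructed sample data; both the BSD spelling (SYN_RCVD) and the Linux spelling (SYN_RECV) of the state are handled. The threshold is an assumption to be tuned per host.

```python
"""Detect the half-open-connection symptom of a TCP SYN flood in netstat output."""
import re
from collections import Counter

# Constructed sample netstat output (not a real capture). Both the BSD
# state name SYN_RCVD and the Linux state name SYN_RECV appear.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:25           198.51.100.7:4421       SYN_RCVD
tcp        0      0 192.0.2.10:25           203.0.113.90:51202      SYN_RCVD
tcp        0      0 192.0.2.10:80           203.0.113.91:40001      SYN_RECV
tcp        0      0 192.0.2.10:25           203.0.113.92:40002      SYN_RCVD
tcp        0      0 192.0.2.10:22           198.51.100.8:53001      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.9:53002      TIME_WAIT
"""

HALF_OPEN_STATES = {"SYN_RCVD", "SYN_RECV"}

# One netstat TCP line: proto, recv-q, send-q, local, foreign, state.
LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_]+)\s*$"
)


def parse_netstat(text):
    """Yield (local_socket, remote_ip, state) for each TCP line; headers are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Strip the port so that retries from one host count as one peer.
        remote_ip = m.group("remote").rsplit(":", 1)[0]
        yield m.group("local"), remote_ip, m.group("state")


def half_open_summary(text):
    """Count half-open entries per local socket and the distinct peers behind them."""
    per_local = Counter()
    remotes = set()
    total = 0
    for local, remote_ip, state in parse_netstat(text):
        if state in HALF_OPEN_STATES:
            total += 1
            per_local[local] += 1
            remotes.add(remote_ip)
    return {"total": total, "per_local": dict(per_local), "distinct_remotes": len(remotes)}


def looks_like_syn_flood(summary, min_half_open=3):
    """Heuristic (assumed threshold): many half-open entries, almost all of them
    from different addresses, is the signature of forged random sources."""
    total = summary["total"]
    if total < max(min_half_open, 1):
        return False
    return summary["distinct_remotes"] / total >= 0.9


if __name__ == "__main__":
    s = half_open_summary(SAMPLE_NETSTAT)
    print(s)
    print("possible SYN flood:", looks_like_syn_flood(s))
```

On a real host, feed it the output of `netstat -an` (or `ss -tan` with the column layout adjusted in `LINE_RE`); a legitimately busy mail server shows a few half-open entries that clear within the handshake timeout, so the count should be sampled more than once before acting on it.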
Attacks on Network Devices & Defense Strategies
This section will discuss some of the better known attacks that can be made against network devices and how to defend against them.
Devices Behind Firewalls
The TCP SYN attack is characterized by an influx of SYN packets from random source IP addresses. Any device behind a firewall that stops inbound SYN packets is already protected from this mode of attack, and no further action is needed. Examples of firewalls include a Cisco Private Internet Exchange (PIX) Firewall and a Cisco router configured with access lists.
For examples of how to set up access lists on a Cisco router, please refer to the document Increasing Security on IP Networks (also available from the Cisco Fax-on-Demand service at 415-596-4408, Doc ID# 116).
Protecting Devices Offering Publicly Available
Preventing SYN attacks on devices behind firewalls from random IP addresses is relatively simple because you can use access lists to explicitly limit inbound access to a select few IP addresses. However, in the case of a public Web server or mail server facing the Internet, there is no way to determine which incoming IP source addresses are friendly and which are unfriendly. Therefore, there is no clear-cut defense against an attack from a random IP address. Several options are available to hosts:
You should contact your host vendor to see if they have created specific patches to address the TCP SYN ACK attack.
UDP Diagnostic Port Denial of Service Attacks
What is a UDP diagnostic port attack? A sender transmits a large volume of requests for the UDP diagnostic services on a router, which causes all of the router's CPU resources to be consumed servicing the phony requests. This is a potential denial of service attack at Internet service providers (ISPs) that targets the network devices themselves rather than the hosts behind them.
Network Impact of the UDP Diagnostic Port Attack
By default, the Cisco router has a series of diagnostic ports enabled for certain UDP and TCP services including echo, chargen, and discard. When a host attaches to those ports, a small amount of CPU is consumed to service these requests.
If a single attacking device sends a large barrage of requests with different, random phony source IP addresses, it is possible that the Cisco router can become overwhelmed and slow down or fail.
The external manifestation of the problem includes a process table full error message (%SYS-3 NOPROC) or a very high CPU utilization. The exec command show process will show a lot of processes with the same name, for example, UDP Echo.
Defending Against Attacks Directly to Network Devices
Any network device that has both the UDP and TCP diagnostic services available should be protected by a firewall or at least have the services disabled. For a Cisco router, this can be accomplished by using the following global configuration commands:
no service udp-small-servers
no service tcp-small-servers
Cisco IOS Password Encryption
A non-Cisco source has recently released a new program to decrypt user passwords (and other passwords) in Cisco configuration files. The program will not decrypt passwords set with the enable secret command.
The unexpected concern that this program has caused among Cisco customers indicates that many customers are relying on Cisco password encryption for more security than it was designed to provide. This document explains the security model behind Cisco password encryption and the security limitations of that encryption.
Network Impact: User Passwords (VTY & Enable)
User passwords and most other passwords (not enable secret-encrypted commands) in Cisco IOS configuration files are encrypted using a scheme that is very weak by modern cryptographic standards.
Although Cisco does not distribute a decryption program, at least two different decryption programs for Cisco IOS passwords are available to the public on the Internet; the first public release of such a program of which Cisco is aware was in early 1995. Any amateur cryptographer would be expected to be able to create a new program with no more than a few hours work.
The scheme used by Cisco IOS for user passwords was never intended to resist a determined, intelligent attack; it was designed to avoid casual over-the-shoulder password theft. The threat model was someone reading a password from an administrator's screen. The scheme was never supposed to protect against someone conducting a determined analysis of the configuration file.
Because of the weak encryption algorithm, it has always been Cisco's position that customers should treat any configuration file containing passwords as sensitive information, the same way they would treat a clear text list of passwords.
Enable Secret Passwords
enable secret-encrypted passwords are hashed using the MD5 algorithm. As far as anyone at Cisco knows, it is impossible to recover an enable secret password based on the contents of a configuration file (other than by obvious dictionary attacks).
This applies only to passwords set with enable secret, and not to passwords set with enable password. Indeed, the strength of the encryption used is the only significant difference between the two commands.
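Both of the router hardening points above (disabling the small servers, and relying on enable secret rather than the reversible password scheme) can be checked from a saved configuration file. The following is an added example, not Cisco's code and not part of the original document: a Python audit that reads an IOS configuration as text and reports the weak settings this document describes. It assumes an IOS release in which the UDP and TCP small servers are enabled by default, so only an explicit `no service ...` line counts as disabled; the two sample configurations are constructed, and the password strings in them are placeholders, not real type 5 or type 7 values. Note that the hardened sample still produces one finding: the vty line password remains reversible, which is exactly why the configuration file itself must be treated as sensitive.

```python
"""Audit a Cisco IOS configuration for the weaknesses described in this document."""
import re

# Constructed sample running-config with the weak settings (placeholder strings,
# not real encrypted values).
WEAK_CONFIG = """\
service password-encryption
!
hostname edge-router
!
enable password 7 00PLACEHOLDER00
username ops password 7 11PLACEHOLDER11
!
line vty 0 4
 password 7 22PLACEHOLDER22
 login
!
end
"""

# Constructed hardened variant: small servers off, enable secret in use.
# The vty line password is still a reversible type 7 value.
HARDENED_CONFIG = """\
service password-encryption
no service udp-small-servers
no service tcp-small-servers
!
hostname edge-router
!
enable secret 5 $PLACEHOLDER-SALTED-MD5
!
line vty 0 4
 password 7 22PLACEHOLDER22
 login
!
end
"""

SMALL_SERVERS = ("udp-small-servers", "tcp-small-servers")
TYPE7_RE = re.compile(r"\bpassword 7 \S+")


def audit_config(text):
    """Return a list of (severity, message) findings for the configuration text.

    Assumption: small servers are on unless an explicit 'no service' line is
    present, as on the IOS releases this document describes.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    findings = []

    # 1. Diagnostic ports (echo, chargen, discard) must be explicitly disabled.
    for svc in SMALL_SERVERS:
        if f"no service {svc}" not in lines:
            findings.append(("high", f"'no service {svc}' missing: diagnostic ports remain reachable"))

    # 2. Privileged access must rely on the MD5-hashed enable secret.
    has_secret = any(ln.startswith("enable secret ") for ln in lines)
    has_enable_pw = any(ln.startswith("enable password ") for ln in lines)
    if has_enable_pw and not has_secret:
        findings.append(("high", "'enable password' used without 'enable secret': privileged password is reversible"))
    elif has_enable_pw:
        findings.append(("medium", "'enable password' is redundant next to 'enable secret' and still reversible; remove it"))

    # 3. Any remaining type 7 value means the file must be handled like clear-text passwords.
    for ln in lines:
        if TYPE7_RE.search(ln):
            findings.append(("medium", f"reversible (type 7) password on line {ln!r}; treat this file as sensitive"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for severity, message in audit_config(cfg):
            print(f"[{severity}] {message}")
```

Run it against the output of `show running-config` saved to a file; a configuration that produces no findings at all is not achievable on releases where line passwords cannot be stored as a hash, so the medium findings are the list of files and lines that need the same handling as a clear-text password list.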