Attacks against low-layer network protocols are sneaky and difficult to detect and protect against, because they can be run without ever "touching" the targeted hosts: the attacker talks to switches, routers, and the protocols they run between themselves, not to the servers or workstations the defender is watching. Another problem is that releasing a new, more secure version of a network protocol takes far longer than patching a hole in a piece of software. So the window of opportunity between the discovery of a new flaw and its elimination by the protocol vendor or the standards body is large. In fact, it may take years before the bug is completely fixed. During this time period, affected networks remain vulnerable, and the only defenses available are configuration-level countermeasures on the devices themselves.
Apart from commonplace ARP spoofing, which we don't describe here (but we do provide Cisco-specific countermeasures), these types of attacks involve custom packet-generation skills and a complete understanding of the protocols involved. Thus, such exploitation belongs to the realm of reasonably advanced hacking. Also, the attacks described here require local access to the network, that is, a presence on the same Layer 2 segment as the targeted devices. In a sense, they are a continuation of the "what do I do after getting root or enable" discussion in Chapter 10. We can't overemphasize the importance of understanding and countering a local attacker, who may not be that local after all (if backdoors, cable, and wireless exploitation are taken into account). The fact that the majority of hacking attacks that get media coverage are remote simply does not reflect the reality of everyday network security practice.
In spite of the complexity of defending against protocol-centric attacks, it is still possible to deflect the majority of them if the defender understands the affected protocols better than the attacker does and follows the recommendations provided in the countermeasures section accompanying each outlined attack. Cisco engineers were quite creative in developing these countermeasures, and if you are just as creative in deploying them on the network under your supervision, the majority, if not all, of the attacks against low-layer network protocols can be defeated.