Typical Attacks Against Network Resources

All networks are subject to attacks against network resources. To understand how to protect against attacks, it is important to look at what some of the most common attacks are and how they can be used to attack a network. The SSCP exam will likely mention several if not all of these different network attacks in one form or another.

An administrator should not try to focus on one specific attack as an individual threat against their network. An attacker will likely employ several of these attacks to compromise a network resource.

Test Day Tip 

Passive network attacks represent attacks such as sniffing that do not alter or attack any system on the network. A sniffing attack would simply intercept data as it travels across the network.

Active network attacks make direct connections with devices on the network. An example of this type of attack would be performing a DoS attack.

Spoofing

Spoofing is used when an attacker falsifies a data packet before sending it, so that the packet seems to be coming from a trusted source. IP spoofing is used to alter the packet at the TCP level.

Spoofing can be used to hide an attacker's identity. It is common for malicious hackers to spoof their source IP address so that the attack cannot be easily traced back to them. Spoofing can also be used to send untrusted commands or replies to a trusted computer and have that trusted computer act on that packet as if it were actually a trusted transmission. Figure 7.20 shows how an attacker can use the standard IP header to spoof the actual source of the packet.

Figure 7.20: IP Header that Includes Spoofed Source IP
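As an added illustration (not code from the study guide), the following Python parses the IPv4 header fields the figure shows and applies an ingress filter to the source address, which is the standard defence against a spoofed source; the interface-to-prefix layout and the addresses used are constructed assumptions.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header without options

def build_ipv4_header(src: str, dst: str, ident: int = 0x1234) -> bytes:
    """Construct a minimal IPv4 header (header checksum left 0; not validated here)."""
    return struct.pack(IPV4_FMT, 0x45, 0, 20, ident, 0, 64, 6, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4_header(raw: bytes) -> dict:
    """Pull the fields an anti-spoofing check needs out of a raw IPv4 header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"id": ident, "ttl": ttl, "proto": proto,
            "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst)}

# Hypothetical site layout: the prefixes that legitimately sit behind each
# router interface. Nothing sits behind the WAN side, so an internal source
# address arriving there has been spoofed.
BEHIND = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
    "dmz0": [ipaddress.ip_network("198.51.100.0/24")],
    "wan0": [],
}
# Source ranges that never legitimately arrive from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
           "172.16.0.0/12", "192.168.0.0/16")]

def ingress_verdict(iface: str, raw: bytes) -> str:
    """Ingress filter: accept a packet only if its source could really arrive on iface."""
    src = parse_ipv4_header(raw)["src"]
    allowed = BEHIND[iface]
    if allowed:  # inside interface: the source must belong to that interface's prefix
        if any(src in net for net in allowed):
            return "accept"
        return f"drop: {src} is not behind {iface}"
    # outside interface: internal and bogon sources cannot legitimately arrive here
    internal = [net for nets in BEHIND.values() for net in nets]
    if any(src in net for net in internal + BOGONS):
        return f"drop: spoofed source {src}"
    return "accept"
```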

Sniffing

Sniffing refers to the process of intercepting traffic passing along a network. This can be accomplished due to the general broadcast nature of data networks, which allows any computer on a particular network segment to hear all traffic that passes by. Sniffing is a passive attack since it does not modify any data or systems. A very common form of passive sniffing that is used to locate unprotected wireless networks is known as war driving. War driving is the process of driving around with a wireless network card and special sniffing software to locate wireless networks that can then be further sniffed and possibly compromised. An example packet can be seen in Figure 7.21, where an attacker views a NetBIOS packet.

Figure 7.21: NetBIOS Packet

Another method used to sniff networks is to physically tap into the network cabling. This is why the physical security of all network resources should be audited and monitored. A malicious user could splice the network cable to capture all traffic passing along the cable. If this type of attack is of particular concern, fiber-optic cables should be used, which are nearly impossible to tap into.

Exam Warning 

Employing data encryption on confidential data packets can prevent sniffing attacks. Authentication does not prevent sniffing attacks.

Session Hijacking

TCP session hijacking is when a malicious hacker takes over a session between two machines so that the traffic coming from the hacker's computer will be seen as trusted to the receiving computers. Sniffing, as described in the previous section, is usually a precursor to session hijacking attacks. Usually, the malicious user will spoof the IP address of one of the trusted computers to send unauthorized traffic to the victim's computer.

Placing a computer between two computers that are conducting a trusted session is known as a man-in-the-middle (MITM) attack. It is common with this type of attack for the attacker to sniff a packet being sent, alter that packet, and then redirect the packet back to its original destination.

IP Fragmentation

IP fragmentation occurs because, during the course of data communication across different networks, the networks will have different maximum transmission units (MTUs), which will cause the fragmentation of the packet. For instance, if a packet travels from a token ring environment, which allows an MTU of 4464, to an Ethernet environment, which allows an MTU of 1500, the router before the Ethernet network will fragment the packet to comply with the Ethernet standard of an MTU of 1500.

Usually, the device that receives the fragmented packet will rebuild the packet before passing it on or interpreting the data. A malicious user can attack some firewalls that do not include stateful inspection by sending a large number of fragmented packets to the device. This will make the device vulnerable to a DoS attack. Also, because the device never receives the rest of the fragmented packet that it is expecting, it never rebuilds the full packet and thus never logs the packet in its audit logs. This method of attack is commonly used to evade detection by IDSs. This is becoming harder because most modern firewalls and IDSs will attempt to reassemble all packets and will log this type of attack.
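The following Python is an added example, not from the study guide: it fragments a datagram to fit the smaller MTU from the token ring example above, and reassembles fragments the way a modern firewall or IDS does, logging any set that is still incomplete after a timeout rather than silently forgetting it. The timeout value and the log format are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    ident: int      # IP identification field, shared by all fragments of one datagram
    offset: int     # fragment offset in bytes (the wire field carries offset // 8)
    more: bool      # MF flag: another fragment of this datagram follows
    payload: bytes

def fragment(ident: int, payload: bytes, mtu: int, hdr_len: int = 20) -> list:
    """Split a datagram so every fragment fits the next hop's MTU (e.g. 4464 -> 1500)."""
    chunk = (mtu - hdr_len) // 8 * 8          # offsets must be multiples of 8 bytes
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        frags.append(Fragment(ident, off, off + len(piece) < len(payload), piece))
    return frags

class Reassembler:
    """Rebuilds datagrams from fragments and logs sets that never complete."""
    def __init__(self, timeout: float = 30.0):
        self.timeout = timeout
        self.pending = {}   # ident -> {"first": arrival time, "frags": {offset: Fragment}}
        self.alerts = []    # constructed audit log of incomplete datagrams

    def feed(self, frag: Fragment, now: float):
        """Store one fragment; return the full payload once the set is contiguous."""
        entry = self.pending.setdefault(frag.ident, {"first": now, "frags": {}})
        entry["frags"][frag.offset] = frag     # a retransmitted duplicate just overwrites
        frags = [entry["frags"][k] for k in sorted(entry["frags"])]
        expected = 0
        for f in frags:
            if f.offset != expected:
                return None                    # a hole (or an overlap) remains
            expected += len(f.payload)
        if frags[-1].more:
            return None                        # the final fragment has not arrived
        del self.pending[frag.ident]
        return b"".join(f.payload for f in frags)

    def expire(self, now: float) -> list:
        """Drop sets still incomplete after the timeout and log them instead of forgetting them."""
        for ident, entry in list(self.pending.items()):
            age = now - entry["first"]
            if age >= self.timeout:
                self.alerts.append(f"incomplete datagram id={ident} "
                                   f"fragments={len(entry['frags'])} age={age:.0f}s")
                del self.pending[ident]
        return self.alerts
```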

IDS Attacks

Intrusion Detection Systems (IDS) are used to detect and alert you about potential attacks against the network. It is common for IDS devices to be set up to e-mail, page, issue an SNMP trap, or otherwise alert the administrator to a potential attack.

Since these devices are used to detect attacks, they are commonly the targets of attacks themselves. For instance, a packet fragmentation attack can be used to mount a DoS attack on the IDS so that it can no longer detect attacks and therefore cannot alert you of the attack.

An IDS can be set up on a blackened interface, which will not contain an IP address. There are two methods that can be used to deploy this type of IDS. The first is to have two interfaces on the IDS. One interface will be used to capture all network packets and the other will be used to manage the PC over the network. This type of deployment is still vulnerable to attacks on the administration interface. The second way to deploy an IDS is to have only one interface, without an IP address. This way, it will be impossible to attack the machine since it will not be seen on the network. It does, however, require any administration functions to be performed while sitting at the console of the IDS. This can also significantly delay response time to an attack, since attacks will only be known as often as you can physically check the IDS logs.

SYN Floods

DoS attacks are one of the most common forms of attack and are also among the hardest to defend against. The SYN flood is one of the most common types of DoS attack. To understand how a SYN flood attack works, you must understand how servers process connections. Typically, a machine will send the server a SYN and then the server will send an ACK packet back to the client. A connection is then established between the client and server machines and data transmission will then begin. A server holds a connection queue open once it receives the SYN packet and awaits an ACK back from the client. Only a specific number of these "half open" connections can be maintained on the server at any given time.

A SYN flood attack is conducted by spoofing the IP address of the SYN packet before sending it to the server. The server then sends an ACK packet back to the client. If the spoofed IP address is legitimate, the ACK packet is sent to the owner of the legitimate IP address and the packet is dropped. The server then waits a period of time, still holding the connection open, and tries to resend the ACK packet. This continues until the server eventually drops the connection because an ACK packet is never received.

If an attacker sends enough of these SYN packets to the server, the server will eventually have all available connections occupied by these false connections and will not be able to respond to the actual client request. This is how the SYN flood DoS attack can quickly bring down a server and make it unavailable for legitimate users.
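As an added example (not from the study guide), the Python below replays a constructed connection log against a model of the server's half-open connection queue described above, showing how spoofed SYNs that are never acknowledged fill the queue faster than the server's timeout drains it, so that a later legitimate SYN is dropped. The log lines, addresses, queue size of 128 and 60-second timeout are all assumptions.

```python
from collections import defaultdict

def make_sample_log():
    """Constructed connection log: 't src dst flags' (seconds, client, server, TCP flags)."""
    lines = ["0.00 203.0.113.5 192.0.2.10 S",      # one legitimate client completes
             "0.01 192.0.2.10 203.0.113.5 SA",     # the server's reply
             "0.02 203.0.113.5 192.0.2.10 A"]      # the handshake
    # 200 SYNs from 200 different (spoofed) sources within two seconds; the
    # server's replies go to the spoofed owners, so no ACK ever comes back
    for i in range(200):
        lines.append(f"{1 + i * 0.01:.2f} 198.51.100.{i + 1} 192.0.2.10 S")
        lines.append(f"{1 + i * 0.01 + 0.001:.3f} 192.0.2.10 198.51.100.{i + 1} SA")
    lines.append("5.00 203.0.113.6 192.0.2.10 S")   # a later legitimate client
    return lines

def analyze(lines, backlog=128, syn_timeout=60.0):
    """Replay the log against a model of the server's half-open connection queue
    and report, per server, whether the queue filled before entries timed out."""
    half_open = {}                          # (client, server) -> time the SYN arrived
    stats = defaultdict(lambda: {"completed": 0, "dropped": 0,
                                 "peak_half_open": 0, "full_at": None})
    for line in lines:
        t, src, dst, flags = line.split()
        t = float(t)
        # entries the server has given up on (no ACK within syn_timeout) leave the queue
        for key in [k for k, t0 in half_open.items() if t - t0 >= syn_timeout]:
            del half_open[key]
        if flags == "S":
            s = stats[dst]
            live = sum(1 for (_, d) in half_open if d == dst)
            if live >= backlog:             # queue full: this SYN is silently dropped
                s["dropped"] += 1
                if s["full_at"] is None:
                    s["full_at"] = t
            else:
                half_open[(src, dst)] = t
                s["peak_half_open"] = max(s["peak_half_open"], live + 1)
        elif flags == "A" and (src, dst) in half_open:
            del half_open[(src, dst)]      # client's ACK: the connection is established
            stats[dst]["completed"] += 1
        # "SA" (the server's reply) leaves the entry half-open, so nothing to do
    return {dst: dict(s, flood=s["full_at"] is not None) for dst, s in stats.items()}
```

Raising the queue size alone only delays the point at which it fills; the same log with a larger backlog shows the queue holding all 200 spoofed entries plus the late client.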

A DoS attack can be very hard to defend against. The first step to take is to deny traffic from the attacking IP addresses. The problem is that attackers will then likely redirect the attack to the next device, usually a router, upstream from the network. The administrator is then tasked with contacting the administrator of that router and having them deny the IP addresses. This process can be very cumbersome since it may be hard to reach the support level that can help deny traffic. More often than not, a DoS attack stops when the attacker decides to stop, or when traffic is denied on all routers that can affect network performance.

Private Branch Exchange Attacks: Wardialing

Wardialing is the process of dialing a phone number to see if the number has a modem and thus a computer attached to it. If a computer answers when a number is called, the attacker can then begin to try to penetrate those computers.

start sidebar
Damage & Defense…
Network Infrastructure and Planning

The appropriate network infrastructure and planning are necessary steps in protecting your network from an attack. The process of protecting your network should begin before the first computer is installed or the first cable is laid. With the proper infrastructure and planning you can limit the time and resources needed to recover from an attack.

You should first determine the level of security and uptime that will be required by your network. If your network will require maximum uptime, you may want to implement a mesh topology. You must decide if the uptime of your network and the recovery times warrant the expense of setting up a mesh topology for your network. If your network requires maximum security, you may wish to use fiber-optic cabling to reduce the risk of an attacker physically tapping the cable. Again, this will greatly depend on the amount of money allocated for network setup. If your network is ever attacked or physically damaged in any way, the amount of planning you have put into the network infrastructure can greatly reduce the time and expenses required to bring the network back up.

end sidebar

A common method is to wardial entire exchanges that belong to a corporation, searching for a computer set up to provide remote access to the network. There are many common tools available to wardial entire exchanges.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135