Networking Exploits

What is a network exploit? The same thing as an application-based exploit or malware, except it uses network media and protocols to carry out its dirty deeds. Networking exploits have taken quite a step up in the past five or more years as more and more companies depend on their businesses functioning on the Internet and over networks with other business units and partners. As more people in general attach to and use the Internet, more network-based exploits will appear. This section of the chapter highlights some of the most common network-based exploits, why they are dangerous, what can or cannot be done about them and how they all relate to the SSCP exam.

Denial of Service Attacks

Although DoS attacks do not destroy or steal data like some other types of attacks, the attacker's objective is to bring down a network, denying service to its legitimate users. DoS attacks are easy to initiate; software is readily available from hacker Web sites and warez newsgroups that allows anyone to launch a DoS attack with little or no technical expertise.

The purpose of a DoS attack is to render a network inaccessible by generating a type or amount of network traffic that crashes the servers, overwhelms the routers, or otherwise prevents the network's devices from functioning properly. DoS can be accomplished by tying up the server's resources by, for example, overwhelming the CPU and memory resources. In other cases, a particular user or machine can be the target of DoS attacks that hang up the client machine and require it to be rebooted.

Distributed DoS (DDoS) attacks use intermediary computers, called agents, on which programs called zombies have previously been surreptitiously installed. The hacker activates these zombie programs remotely, causing the intermediary computers (which can number in the hundreds or even thousands) to simultaneously launch the actual attack. Because the attack comes from the computers running the zombie programs, which could be on networks anywhere in the world, the hacker is able to conceal the true origin of the attack.

Examples of DDoS tools hackers use are Tribe FloodNet (TFN), TFN2K, Trinoo, and Stacheldraht (German for barbed wire). Early versions of DDoS tools targeted UNIX and Solaris systems, but TFN2K can run on both UNIX and Windows systems.

Because DDoS attacks are so popular, many tools have been developed to help detect, eliminate, and analyze DDoS software that could be installed on a network. It is important to note that DDoS attacks pose a two-layer threat. Not only can a network be the target of a DoS attack that crashes its servers and prevents incoming and outgoing traffic, but the computers can be used as the "innocent middlemen" to launch a DoS attack against another network or site.

DoS/DDoS attacks can be accomplished in a number of ways. Application exploits, OS exploits, and protocol exploits can all be used to overload systems and create a DoS. The following sections address specific types of DoS and DDoS attacks and explain how they work.

Protocol exploits use the characteristics of a protocol, such as the handshake method TCP uses to establish a communications session, to obtain a result that was never intended—for example, overwhelming the targeted system to the point where it is unable to communicate with legitimate users. There are many ways that the normal behavior of network protocols can be manipulated to congest the network or server to the point where no legitimate communications can get through. This section discusses in detail what a DoS attack is and the many ways that the characteristics of TCP/IP can be used to launch DoS attacks. We also discuss source routing attacks and other protocol exploits.

Exam Warning 

For the SSCP exam, you will be confronted with questions on DoS attacks. Make sure you pay close attention to this section of the text and know what kind of attacks are considered DoS attacks and why.

DoS Attacks that Exploit TCP/IP

DoS attacks are one of the most popular choices of Internet hackers who want to disrupt a network's operations. In February 2000, massive DoS attacks brought down several of the world's biggest Web sites, including Yahoo.com and Buy.com. Many such attacks exploit various characteristics of the TCP/IP protocol suite. This section goes into detail on how various DoS attacks work. Attack types and their outcomes include, but are not limited to:

  • Domain Name System (DNS) DoS attacks, which exploit the DNS protocols

  • SYN/LAND attacks, which exploit the way the TCP handshake process works

  • The Ping of Death, which uses a "killer packet" to overwhelm a system

  • Ping flood, fraggle, and smurf attacks, which use various methods to "flood" the network or server

  • User Datagram Protocol (UDP) bomb and UDP snork, which exploit UDP

  • Teardrop attacks, which exploit the IP packet header fields

  • Exploits of Simple Network Management Protocol (SNMP), which is included with most TCP/IP implementations

DNS DoS Attack

The DNS DoS attack exploits the difference in size between a DNS query and a DNS response: the network's bandwidth is tied up by the responses to bogus DNS queries. The attacker uses the DNS servers as "amplifiers" to multiply the DNS traffic.

The attacker begins by sending small DNS queries, each carrying the spoofed IP address of the intended victim as its source, to a number of DNS servers. The responses returned to the small queries are much larger in size, so that if a large number of responses are returned at the same time, the victim's link becomes congested and denial of service takes place.

One solution to this problem is for administrators to configure DNS servers to respond with a "refused" response, which is much smaller in size than a name resolution response, when they receive DNS queries from suspicious or unexpected sources.

SYN/LAND Attacks

Synchronization (SYN) attacks exploit the TCP "three-way handshake," the process by which a communications session is established between two computers. Because TCP (unlike UDP) is connection-oriented, a session, or direct one-to-one communication link, must be created prior to the sending of data. The client computer initiates the communication with the server (the computer whose resources it wants to access).

The "handshake" includes the following steps:

  1. The client machine sends a SYN request segment.

  2. The server sends an acknowledgment (ACK) message and a SYN, which acknowledges the client machine's request that was sent in Step 1, and sends the client a SYN request of its own. The client and server machines must synchronize each other's sequence numbers.

  3. The client sends an ACK back to the server, acknowledging the server's request for synchronization. When both machines have acknowledged each other's requests, the handshake has been successfully completed and a connection is established between the two computers.

Figure 8.1 illustrates how the process works.

Figure 8.1: TCP Uses a "Three-way Handshake" to Establish a Connection

A SYN attack uses this process to flood the system targeted as the victim of the attack with multiple SYN packets that have bad source IP addresses. This causes the system to respond with SYN/ACK messages. The problem comes in when the system, waiting for the ACK message from the client that normally comes in response to its SYN/ACK, puts the waiting SYN/ACK messages into a queue. This is a problem because the queue is limited in the number of messages it can handle. When the queue is full, all subsequent incoming SYN packets will be ignored. For a SYN/ACK to be removed from the queue, an ACK must be returned from the client or an interval timer must run out and terminate the three-way handshake process.

Because the source IP addresses for the SYN packets sent by the attacker are no good, the ACK's that the server is waiting for never come. The queue stays full, and there is no room for valid SYN requests to be processed. Thus, service is denied to legitimate clients attempting to establish communication with the server.

The LAND attack is a variation on the SYN attack. In the LAND attack, instead of sending SYN packets with IP addresses that do not exist, the flood of SYN packets all have the same spoofed IP address, that of the targeted computer.

Is there anything that can be done to prevent SYN flooding on networks? TCP SYN cookies can aid in preventing SYN flood attacks. When the firewall notices that traffic has reached a predefined SYN-flood threshold, it sends back a SYN/ACK to the client whose Initial Sequence Number (ISN) is the TCP SYN cookie for that connection, instead of queuing a half-open connection. When the firewall receives the final ACK in the handshake, it checks that the acknowledged value is the output of its secret function for a recent value of its counter. This is hard to fake because a valid ACK cannot be forged without knowing that secret function. The firewall can then rebuild the original TCP SYN from the value encoded in the cookie and continue the communication with the host. Once the flood is defeated, the firewall resumes normal functionality by dynamically disabling the use of SYN cookies. While SYN cookies are in use, the security administrator may experience limited use of the firewall's TCP-based features, so although this is a great fix, it can potentially disable some services for a moment until the flood subsides.
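The following is an added example, not code from the study guide: a minimal SYN-cookie scheme in the style just described. The ISN layout (a 5-bit minute counter plus 27 bits of a keyed hash over the connection 4-tuple) and the secret are constructed for this demonstration and are not the layout any particular firewall or kernel uses.

```python
import hashlib
import hmac
import time
from typing import Tuple

# Constructed demo secret; a real implementation generates this at boot and
# re-keys it periodically.
SECRET = b"constructed-demo-secret-not-for-production"
COUNTER_BITS = 5                      # slow counter, one tick per minute
HASH_BITS = 32 - COUNTER_BITS         # remaining bits of the 32-bit ISN
HASH_MASK = (1 << HASH_BITS) - 1
COUNTER_MASK = (1 << COUNTER_BITS) - 1

Conn = Tuple[str, int, str, int]      # (client ip, client port, server ip, server port)


def minute_counter(now: float) -> int:
    """Slowly moving counter that bounds how long a cookie stays valid."""
    return int(now // 60) & COUNTER_MASK


def cookie_hash(conn: Conn, counter: int) -> int:
    """Keyed hash of the 4-tuple and counter, truncated to HASH_BITS."""
    msg = f"{conn[0]}:{conn[1]}->{conn[2]}:{conn[3]}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & HASH_MASK


def make_syn_cookie(conn: Conn, now: float) -> int:
    """ISN to place in the SYN/ACK. Nothing is queued for this half-open
    connection; everything needed to validate the ACK is inside this value."""
    counter = minute_counter(now)
    return (counter << HASH_BITS) | cookie_hash(conn, counter)


def check_ack(conn: Conn, ack_number: int, now: float, max_age: int = 1) -> bool:
    """Validate the handshake's final ACK. The client must acknowledge ISN + 1,
    so ISN = ack_number - 1 (mod 2**32). Accept the current counter value and up
    to max_age earlier ticks; anything older, or anything not matching the
    secret function, is rejected and no connection state is created."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    claimed_counter = cookie >> HASH_BITS
    claimed_hash = (cookie & HASH_MASK).to_bytes(4, "big")
    for age in range(max_age + 1):
        counter = (minute_counter(now) - age) & COUNTER_MASK
        if counter != claimed_counter:
            continue
        expected = cookie_hash(conn, counter).to_bytes(4, "big")
        if hmac.compare_digest(expected, claimed_hash):
            return True
    return False


if __name__ == "__main__":
    conn = ("198.51.100.7", 40000, "203.0.113.5", 80)   # constructed addresses
    isn = make_syn_cookie(conn, time.time())
    print(f"SYN/ACK ISN (cookie): {isn:#010x}")
    print("genuine ACK accepted:", check_ack(conn, isn + 1, time.time()))
    print("forged ACK accepted: ", check_ack(conn, isn + 12345, time.time()))
```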

Exam Warning 

Make sure you know the details of the LAND attack and how to prevent it. The LAND attack can be prevented by filtering out incoming packets whose source IP addresses appear to be from computers on the internal network.

The Ping of Death

Another type of DoS attack is the Ping of Death (also known as the large packet ping). The Ping of Death attack is launched by creating an IP packet larger than 65,536 bytes, which is the maximum allowed by the IP specification (sometimes referred to as a killer packet). This packet can cause the target system to crash, hang, or reboot. Exercise 8.02 demonstrates how to perform a ping of death attack.

Note 

Be aware that most new OSs (Cisco IOS, Windows 2000, Windows XP, and so on) that allow for the use of the Ping utility will not let you create a packet large enough to do a Ping of Death.

Exercise 8.02: Performing a Ping of Death Attack


In this exercise, you will be creating a DoS attack against a machine in a network lab. The first example will be the Ping of Death attack, which, while rather old, is still effective against unpatched UNIX and Windows 95 machines. To complete this part of the exercise, you will need two machines, both running Windows 95. When both are connected to the network, bring up a command shell by clicking on the Start button, then on Run. Enter command into the box to launch the shell. At the prompt, type ping -l 65510 <other.machine.ip> and press Enter. You should almost immediately see the other machine flash to the Windows "blue screen," informing you that an error has occurred. You can also try pinging the machine to see if it will respond. This attack will also work against Solaris 2.5 systems, and other older OS platforms.


Ping Flood/Fraggle/Smurf

The ping flood or ICMP flood is a means of tying up a specific client machine. It is caused by an attacker sending a large number of ping packets (Internet Control Message Protocol [ICMP] echo request packets) to the Winsock or dialer software. This flood prevents the software from responding to server ping activity requests, which causes the server to eventually time-out the connection. A symptom of a ping flood is a huge amount of modem activity, as indicated by the modem lights. This type of attack is also referred to as a ping storm.

The fraggle attack is related to the ping storm. Using a spoofed IP address (which is the address of the targeted victim), an attacker sends ping packets to a subnet, causing all computers on the subnet to respond to the spoofed address and flood it with echo reply messages.

The smurf attack is a form of brute force attack that uses the same method as the ping flood, but directs the flood of ICMP echo request packets at the network's router. The destination address of the ping packets is the broadcast address of the network, which causes the router to broadcast the packet to every computer on the network or segment. This can result in a very large amount of network traffic if there are many host computers and can create congestion that causes a denial of service to legitimate users.

Note 

The broadcast address is normally represented by all 1s in the host ID (in the binary form of the address). This means, for example, that on Class C network 192.168.1.0, the broadcast address would be 192.168.1.255. The number 255 in decimal represents 11111111 in binary, and in a Class C network, the last, or z, octet represents the host ID. A message sent to the broadcast address is sent simultaneously to all hosts on the network.

In its most insidious form, the smurf attacker spoofs the source IP address of the ping packet. Then both the network to which the packets are sent and the network of the spoofed source IP address will be overwhelmed with traffic. The network to which the spoofed source address belongs will be deluged with responses to the ping when all the hosts to which the ping was sent answer the echo request with an echo reply.

Smurf attacks can generally do more damage than some other forms of DoS, such as SYN floods. The SYN flood affects only the ability of other computers to establish a TCP connection to the flooded server, but a smurf attack can bring an entire Internet Service Provider (ISP) down for minutes or hours. This is because a single attacker can easily send 40 to 50 ping packets per second, even using a slow modem connection. Because each packet is broadcast to every computer on the destination network, the number of responses per second is 40 to 50 times the number of computers on the network—which could be hundreds or thousands. This is enough data to congest even a T1 link.

One way to prevent a smurf attack from using a network as the broadcast target is to turn off the capability to transmit broadcast traffic on the router. Most routers allow you to do this. To prevent the network from being the victim of the spoofed IP address, the firewall should be configured to filter out incoming ping packets.
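As an added example (not part of the study guide), here is a small packet filter implementing the defensive rules given above for the LAND attack (drop packets whose source is their own destination, and drop packets arriving from outside that claim an internal source) and for smurf (drop echo requests aimed at the broadcast address, and filter inbound ping traffic). The packet records and the 192.168.1.0/24 inside network are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed configuration: the inside network is the Class C block used as
# the example in the note above, so its broadcast address is 192.168.1.255.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8


@dataclass(frozen=True)
class Packet:
    iface: str                       # "outside" (Internet side) or "inside"
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    icmp_type: Optional[int] = None  # only meaningful when proto == "icmp"


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def is_directed_broadcast(addr: ipaddress.IPv4Address) -> bool:
    """True when addr is the all-ones host address of one of our networks."""
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return ("drop", reason) or ("accept", "") for one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    # LAND: a packet whose source is its own destination is never legitimate.
    if src == dst:
        return "drop", "LAND: source address equals destination address"
    # Anti-spoofing: nothing arriving from the Internet may claim an inside source.
    if pkt.iface == "outside" and is_internal(src):
        return "drop", "spoofed internal source on outside interface"
    is_echo = pkt.proto == "icmp" and pkt.icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY)
    # Smurf: never deliver an echo request to the network's broadcast address,
    # whichever interface it arrives on.
    if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST and is_directed_broadcast(dst):
        return "drop", "ICMP echo request to broadcast address"
    # The text's advice for the spoofed-source victim: filter incoming ping
    # traffic. (A stateful firewall would instead allow replies to pings the
    # inside sent; that refinement is omitted here.)
    if pkt.iface == "outside" and is_echo:
        return "drop", "inbound ICMP echo filtered"
    return "accept", ""


def apply_filter(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    return [(p, *filter_packet(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic exercising each rule.
    sample = [
        Packet("outside", "192.168.1.10", "192.168.1.10", "tcp"),
        Packet("outside", "192.168.1.77", "192.168.1.10", "tcp"),
        Packet("outside", "198.51.100.4", "192.168.1.255", "icmp", 8),
        Packet("outside", "198.51.100.4", "192.168.1.10", "icmp", 8),
        Packet("inside", "192.168.1.20", "198.51.100.4", "icmp", 8),
        Packet("outside", "198.51.100.4", "192.168.1.10", "tcp"),
    ]
    for pkt, verdict, reason in apply_filter(sample):
        print(f"{verdict:6} {pkt.src:>14} -> {pkt.dst:<14} {reason}")
```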

UDP Bomb/UDP Snork

An attacker can use the User Datagram Protocol (UDP) and one of several services that echo packets on receipt to create service-denying network congestion by generating a flood of UDP packets between two target systems. For example, the UDP chargen service on the first computer, which is a testing tool that generates a series of characters for every packet that it receives, sends packets to another system's UDP echo service, which echoes every character it receives. UDP chargen is on port 19. By exploiting these testing tools, an endless flow of echoes goes back and forth between the two systems, congesting the network. This is sometimes called a UDP packet storm or UDP bomb.

In addition to port 7, the echo port, an attacker can use port 17, the quote of the day service (qotd), or the daytime service on port 13. These services also echo packets they receive. Disabling unnecessary UDP services on each computer (especially those mentioned earlier) or using a firewall to filter those ports or services protects you from this type of attack.

The snork attack is similar to the UDP bomb. It uses a UDP frame that has a source port of either 7 (echo) or 9 (chargen), with a destination port of 135 (Microsoft location service). The result is the same as the UDP bomb—a flood of unnecessary transmissions that can slow performance or crash the systems that are involved.

Teardrop Attacks

The teardrop attack works a little differently from the Ping of Death, but with similar results. The teardrop program creates IP fragments, which are pieces of an IP packet into which an original packet can be divided as it travels through the Internet. The problem is that the offset fields on these fragments, which are supposed to indicate the portion (in bytes) of the original packet that is contained in the fragment, overlap.

For example, normally two fragments' offset fields might appear as shown here:

  Fragment 1: (offset) 100 – 300
  Fragment 2: (offset) 301 – 600

This indicates that the first fragment contains bytes 100 through 300 of the original packet and the second fragment contains bytes 301 through 600.

Overlapping offset fields appear something like this:

  Fragment 1: (offset) 100 – 300
  Fragment 2: (offset) 200 – 400

When the destination computer tries to reassemble these packets, it is unable to do so and could crash, hang, or reboot.

Variations include:

  • NewTear

  • Teardrop2

  • SynDrop

  • Boink

All of these programs generate some sort of fragment overlap. For more information about these variations, see An Analysis of Fragmentation Attacks, by Jason Anderson, at rr.sans.org/threats/frag_attacks.php.
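The following is an added example (not from the study guide): a fragment sanity check of the kind a hardened IP stack or an intrusion detection sensor performs before reassembly. It rejects overlapping fragments (teardrop and the variants listed above) and fragments that would reassemble past 65,535 bytes (the Ping of Death killer packet), while tolerating exact duplicates from retransmission. Offsets are given in bytes, as in the page's notation; the constructed inputs reproduce the two layouts shown above.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

MAX_DATAGRAM = 65535  # largest IP datagram the IP specification allows


@dataclass(frozen=True)
class Fragment:
    """One IP fragment. offset is in bytes, as in the text; the real header
    field carries offset // 8, so a packet parser would multiply by 8 first."""
    offset: int          # byte position of the fragment's first payload byte
    length: int          # number of payload bytes carried
    more: bool           # More Fragments flag (False on the last fragment)

    @property
    def end(self) -> int:
        return self.offset + self.length - 1   # last byte, inclusive


def check_fragments(frags: Iterable[Fragment]) -> Tuple[str, str]:
    """Classify a set of fragments before reassembly.

    Returns (verdict, detail) where verdict is one of:
      'malformed'  a fragment carries no payload
      'overlap'    two fragments claim the same bytes (teardrop and variants)
      'oversize'   reassembled datagram would exceed 65,535 bytes (Ping of Death)
      'incomplete' no overlap, but bytes are still missing (wait or time out)
      'ok'         fragments cover bytes 0..N-1 exactly once and fit
    """
    # Identical retransmitted fragments are harmless; drop exact duplicates.
    ordered = sorted(set(frags), key=lambda f: (f.offset, f.length))
    if not ordered:
        return "incomplete", "no fragments received"
    for f in ordered:
        if f.length <= 0 or f.offset < 0:
            return "malformed", f"fragment at offset {f.offset} with length {f.length}"
    # Sorted by offset, so any overlap shows up between neighbours.
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.offset <= prev.end:
            return "overlap", f"bytes {cur.offset}-{min(prev.end, cur.end)} are claimed twice"
    last = ordered[-1]
    if last.end + 1 > MAX_DATAGRAM:
        return "oversize", f"reassembled length {last.end + 1} exceeds {MAX_DATAGRAM}"
    if ordered[0].offset != 0:
        return "incomplete", f"bytes 0-{ordered[0].offset - 1} not yet received"
    for prev, cur in zip(ordered, ordered[1:]):
        if cur.offset > prev.end + 1:
            return "incomplete", f"bytes {prev.end + 1}-{cur.offset - 1} not yet received"
    if last.more:
        return "incomplete", f"final fragment after byte {last.end} not yet received"
    return "ok", f"datagram of {last.end + 1} bytes reassembles cleanly"


# Constructed inputs: the two layouts from the text (byte ranges 100-300/301-600
# and 100-300/200-400), a complete normal datagram, and an oversize one.
PAGE_NORMAL = [Fragment(100, 201, True), Fragment(301, 300, False)]
PAGE_TEARDROP = [Fragment(100, 201, True), Fragment(200, 201, False)]
COMPLETE = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 100, False)]
OVERSIZE = [Fragment(0, 1480, True), Fragment(65120, 1000, False)]

if __name__ == "__main__":
    for name, frags in [("page normal", PAGE_NORMAL), ("page teardrop", PAGE_TEARDROP),
                        ("complete", COMPLETE), ("oversize", OVERSIZE)]:
        verdict, detail = check_fragments(frags)
        print(f"{name:14} {verdict:10} {detail}")
```

The page's first layout is reported as incomplete rather than ok only because it shows two fragments of a larger datagram and bytes 0-99 are not among them.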

SNMP Exploits

SNMP is used to monitor network devices and manage networks. It is a set of protocols that uses messages called Protocol Data Units (PDUs) over the network to various machines or devices that have SNMP agent software installed. These agents maintain Management Information Bases (MIBs) that contain information about the device. When agents receive the PDUs, they respond with information from the MIB.

Note 

For more information about SNMP exploits, see the following articles:

  • SNMP Vulnerability Poses Major Threat
    (www.vnunet.com/news/1129218)

  • SNMP Alert 2002: What Is It All About?
    (rr.sans.org/protocols/SNMP_alert.php)

Vulnerabilities have been discovered in some implementations of SNMP that provide a means for attackers to disable the devices or create a DoS. SNMPv2 (version 2) is the older protocol that is most commonly used within the TCP/IP (IPv4) protocol suite. When the TCP/IP (IP version 4) stack was created, most of the protocols used within it were not very secure; in fact, most exploits on most systems were the direct result of issues in these older protocols. For instance, SNMPv2 sends its community string information, which contains the read and write passwords, in cleartext. This is a problem because the strings are easily captured with a sniffer and can then be used to manipulate a system that is using the older version of the protocol. SNMPv3 (version 3) is the newer protocol used within the TCP/IP (IPv6 or IPng, "Next Generation") protocol suite. This version of SNMP prevents inherent flaws like the one just explained from being exploited. The problem here is that IPv6 is not widely deployed as of the writing of this book.

Source Routing Attacks

TCP/IP supports source routing, which is a means to permit the sender of network data to route the packets through a specific point on the network. There are two types of source routing:

  • Strict Source Routing   The data's sender can specify the exact route (rarely used).

  • Loose Source Record Route (LSRR)   The sender can specify certain routers (hops) through which the packet must pass.

The source route is an option in the IP header that allows the sender to override routing decisions that are normally made by the routers between the source and destination machines. Network administrators use source routing to map the network and for troubleshooting routing and communications problems. It can also be used to force traffic through a route that will provide the best performance. Unfortunately, hackers can exploit source routing.

If a system allows source routing, intruders can use it to reach private internal addresses on the local area network (LAN) that normally would not be reachable from the Internet, by routing the traffic through another machine that is reachable from both the Internet and the internal machine. Source routing can be disabled on most routers to prevent this type of attack.

Other Protocol Exploits

The attacks we have discussed so far involve exploiting some feature or weakness of the TCP/IP protocols. Hackers can also exploit vulnerabilities of other common protocols, such as HTTP, DNS, Common Gateway Interface (CGI), and other commonly used protocols.

Spoofing

The dictionary defines a spoof as a good-humored hoax, but the definition of the verb "to spoof" indicates a less benign action: "to fool or deceive somebody" (Microsoft Encarta World English Dictionary 2001). Hackers use spoofed addresses to deceive other computers and fool them into thinking a message originated from a different machine. Although IP spoofing is probably the most popular, it is not the only spoofing method used by hackers. Others include:

  • Address Resolution Protocol (ARP) spoofing

  • Web spoofing

  • DNS spoofing

Exam Warning 

Please make sure you know the exact definition of spoofing and concentrate on the different kinds like IP and ARP spoofing.

IP Spoofing

IP spoofing involves changing the packet headers of a message to indicate that it came from an IP address other than the true source. In essence, the sending computer impersonates another machine, fooling the recipient into accepting its messages. The spoofed address is normally a trusted port, which allows a hacker to get a message through a firewall or router that would otherwise be filtered out. When configured properly, modern firewalls protect against IP spoofing.

Spoofing is used whenever it is beneficial for one machine to impersonate another. It is often used in combination with one of the other types of attacks. For example, a spoofed address is used to hide the true IP address of the attacker in Ping of Death, Teardrop, and other attacks. Remote Procedure Call (RPC) services, the X Window system, the UNIX r services (rlogin, rsh, and so on) and any service that uses IP address authentication are all susceptible to IP spoofing.

After deciding on the targeted victim, the next step in spoofing is to find out the address of a trusted host. Legitimate communications between the trusted host and the target can be intercepted and examined. Often hackers use a DoS attack against the trusted host to prevent it from communicating on the network. Then the packet headers can be modified to make it look as though the attacker's messages are coming from the trusted host, and the packets are sent to a service or port that uses address authentication. One of the most difficult aspects of IP spoofing is the necessity of correctly guessing the sequence numbers of the trusted machine. This process is made easy for the attacker by the numerous spoofing tools that are available on the Web.

ARP Spoofing

ARP maintains the ARP cache. This is a table that maps IP addresses to the Media Access Control (MAC, or physical) addresses of computers on the network. This cache is necessary because the MAC address is used at the physical level to locate the destination computer to which a message should be delivered. If there is no cache entry for a particular IP address, ARP sends a broadcast message to all the computers on the subnet, requesting that the machine with the IP address in question respond with its MAC address. This mapping then gets added to the ARP cache. ARP spoofing, also called ARP poisoning, is a method of sending forged replies that result in incorrect entries in the cache. This results in subsequent messages being sent to the wrong computer (the machine whose MAC address is incorrectly matched with the IP address). Once again, hacker tools such as ARPoison and Parasite have automated this process.
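As an added example (not from the study guide), here is a monitor that replays ARP traffic and flags the signs of the cache poisoning described above: a reply nobody asked for, a reply that changes an existing IP-to-MAC mapping, and one MAC answering for several IPs. The sample traffic is constructed, in a tcpdump-like shorthand, and is not a real capture.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample traffic (not a real capture) in a tcpdump-like shorthand.
# 192.168.1.1 is the gateway; the reply on line 3 is the forged one.
SAMPLE_ARP = """\
who-has 192.168.1.1 tell 192.168.1.20
192.168.1.1 is-at aa:bb:cc:00:00:01
192.168.1.1 is-at de:ad:be:ef:00:66
who-has 192.168.1.50 tell 192.168.1.20
192.168.1.50 is-at de:ad:be:ef:00:66
"""

REQUEST = re.compile(r"^who-has (\S+) tell (\S+)$")
REPLY = re.compile(r"^(\S+) is-at ([0-9A-Fa-f:]{17})$")

Alert = Tuple[int, str, str]   # (line number, alert kind, detail)


def detect_arp_spoofing(lines) -> Tuple[List[Alert], Dict[str, str]]:
    """Replay ARP traffic through a monitor that keeps its own view of the
    cache. Legitimate events (a replaced network card, gratuitous ARP at boot)
    raise the same alerts, so they are leads to investigate, not proof."""
    cache: Dict[str, str] = {}
    pending = set()                         # IPs asked for but not yet answered
    ips_by_mac = defaultdict(set)
    alerts: List[Alert] = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        req = REQUEST.match(line)
        if req:
            pending.add(req.group(1))
            continue
        rep = REPLY.match(line)
        if not rep:
            alerts.append((n, "unparsed", line))
            continue
        ip, mac = rep.group(1), rep.group(2).lower()
        # A reply with no outstanding request is the classic poisoning pattern.
        if ip not in pending:
            alerts.append((n, "unsolicited reply", f"{ip} is-at {mac}"))
        pending.discard(ip)
        # A mapping that changes out from under us is worth a look.
        if ip in cache and cache[ip] != mac:
            alerts.append((n, "mapping changed", f"{ip}: {cache[ip]} -> {mac}"))
        cache[ip] = mac
        ips_by_mac[mac].add(ip)
        # One interface claiming several addresses is how a gateway gets impersonated.
        if len(ips_by_mac[mac]) > 1:
            alerts.append((n, "one MAC claims several IPs", f"{mac}: {sorted(ips_by_mac[mac])}"))
    return alerts, cache


if __name__ == "__main__":
    found, view = detect_arp_spoofing(SAMPLE_ARP.splitlines())
    for n, kind, detail in found:
        print(f"line {n}: {kind}: {detail}")
    print("monitor's cache:", view)
```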

DNS Spoofing

DNS spoofing refers to two methods of causing a DNS server to direct users incorrectly:

  • Poisoning of the DNS cache (similar to ARP poisoning in that incorrect information is entered into the cache) of name resolution servers, resulting in those servers directing users to the wrong Web sites or e-mail being sent to the wrong mail servers.

  • Using the recursive mechanism of DNS to predict the request that a DNS server will send and responding with forged information. (For more information on how recursion works, see the article DNS Overview with a Discussion of DNS Spoofing at http://rr.sans.org/DNS/DNS.php.)

Either of these methods allows the attacker to intercept the victim's mail or to set up spoofed Web pages that give users inaccurate information. This method can even be used to con the victim into providing personal information through Web forms.

Damage & Defense…
What Makes DNS Spoofing So Dangerous?

Because the DNS is responsible for managing the resolution of domain names (such as www.microsoft.com) into an equivalent IP address (for example, 206.122.10.6), any successful replacement of a valid address with an alternate address causes people attempting to access the domain name to visit the wrong TCP/IP address. This gives attackers the chance to create their own Web site that masquerades as a legitimate site and to attempt to steal all kinds of information by getting between the user and the real site. Alternatively, the attackers can completely take over the apparent role of the real site. Because DNS helps mediate access to Web, FTP, e-mail, and other services, the opportunities for mischief inherent in DNS spoofing are serious and powerful.


Exam Warning 

For the SSCP exam you must not forget about the types of attacks listed here. You will be expected to have knowledge about them, especially the most common ones.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135