attacks on network

Upload: ashish-lohana

Post on 07-Apr-2018


8/6/2019 Attacks on Network

    Common Types of Network Attacks

Without security measures and controls in place, your data might be subjected to an attack. Some attacks are passive, meaning information is monitored; others are active, meaning the information is altered with intent to corrupt or destroy the data or the network itself.

Your networks and data are vulnerable to any of the following types of attacks if you do not have a security plan in place.

    Eavesdropping

In general, the majority of network communications occur in an unsecured or "cleartext" format, which allows an attacker who has gained access to data paths in your network to "listen in" or interpret (read) the traffic. When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, your data can be read by others as it traverses the network.

    Data Modification

After an attacker has read your data, the next logical step is to alter it. An attacker can modify the data in the packet without the knowledge of the sender or receiver. Even if you do not require confidentiality for all communications, you do not want any of your messages to be modified in transit. For example, if you are exchanging purchase requisitions, you do not want the items, amounts, or billing information to be modified.

    Identity Spoofing (IP Address Spoofing)

Most networks and operating systems use the IP address of a computer to identify a valid entity. In certain cases, it is possible for an IP address to be falsely assumed; this is called identity spoofing. An attacker might also use special programs to construct IP packets that appear to originate from valid addresses inside the corporate intranet.

After gaining access to the network with a valid IP address, the attacker can modify, reroute, or delete your data. The attacker can also conduct other types of attacks, as described in the following sections.

    Password-Based Attacks

A common denominator of most operating system and network security plans is password-based access control. This means your access rights to a computer and network resources are determined by who you are, that is, your user name and your password.


Older applications do not always protect identity information as it is passed through the network for validation. This might allow an eavesdropper to gain access to the network by posing as a valid user.

When an attacker finds a valid user account, the attacker has the same rights as the real user. Therefore, if the user has administrator-level rights, the attacker also can create accounts for subsequent access at a later time.

After gaining access to your network with a valid account, an attacker can do any of the following:

• Obtain lists of valid user and computer names and network information.
• Modify server and network configurations, including access controls and routing tables.
• Modify, reroute, or delete your data.

    Denial-of-Service Attack

Unlike a password-based attack, the denial-of-service attack prevents normal use of your computer or network by valid users.

After gaining access to your network, the attacker can do any of the following:

• Randomize the attention of your internal Information Systems staff so that they do not see the intrusion immediately, which allows the attacker to make more attacks during the diversion.
• Send invalid data to applications or network services, which causes abnormal termination or behavior of the applications or services.
• Flood a computer or the entire network with traffic until a shutdown occurs because of the overload.
• Block traffic, which results in a loss of access to network resources by authorized users.

Man-in-the-Middle Attack

As the name indicates, a man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently. For example, the attacker can re-route a data exchange. When computers are communicating at low levels of the network layer, the computers might not be able to determine with whom they are exchanging data.

Man-in-the-middle attacks are like someone assuming your identity in order to read your message. The person on the other end might believe it is you because the attacker might be actively replying as you to keep the exchange going and gain more information. This attack is capable of the same damage as an application-layer attack, described later in this section.

    Compromised-Key Attack


A key is a secret code or number necessary to interpret secured information. Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised key.

An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. With the compromised key, the attacker can decrypt or modify data, and try to use the compromised key to compute additional keys, which might allow the attacker access to other secured communications.

    Sniffer Attack

A sniffer is an application or device that can read, monitor, and capture network data exchanges and read network packets. If the packets are not encrypted, a sniffer provides a full view of the data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless they are encrypted and the attacker does not have access to the key.

Using a sniffer, an attacker can do any of the following:

• Analyze your network and gain information to eventually cause your network to crash or to become corrupted.
• Read your communications.


    EXTRA

Introduction to network attacks : Network Layer

Let's continue our small review of network attacks, by checking this time some typical attacks on the network layer. These are the best-known examples of what can be done.

    ARP cache poisoning

ARP works basically on broadcast :

• when a machine connects to the network, it broadcasts its MAC address to the LAN (ethernet broadcast)
• when a machine needs to find a recipient (for a given IP), it sends a request using broadcast.

When this learning process is over, the machine keeps the information in its ARP cache, to save network resources. The cache is a simple correspondence table of MAC / IP addresses.

You can have a look at your ARP cache with :

$ arp -a

Beyond its convenience, the big problem with broadcasting is that it does not authenticate at all.

So, you can easily see how easy it is to corrupt an ARP cache with some forged packet. As the MAC address is the only way to route data on an ethernet LAN, the potential impact of this attack is huge !

For best efficiency, the attacker will flood the targets with faked ARP responses at a high rate. That way, it gives little chance to a valid ARP record to survive long, as it will quickly get overwritten in the cache.

Nowadays, there are many convenient tools to drive this attack, like Ettercap.

You can start it in graphic mode :

$ ettercap -G

Go to the Sniff / Unified sniffing menu and select your network interface :


The Hosts / Scan for hosts menu allows you to quickly visualize the machines of the LAN.

Then, in the Mitm (Man In The Middle) menu, choose Arp cache poisoning :

Finally, Start / Start sniffing (default is all machines are targeted) :

Immediately, Ettercap starts collecting data. Here some POP credentials can be read :


Several workarounds can be set against this, though none is really satisfying :

1. use static ARP entries for the LAN (arp -s 192.168.1.1 11-22-33-44-11-11) ; that is really not convenient, not scalable and impractical for mobile devices ;
2. some switches can detect MAC address changes and deactivate their port (look at switchport port-security on Cisco switches) ;
3. there are some tools to be set on a probe ; arpwatch for Linux checks the LAN and sends an alert by mail or to syslog in case of malicious ARP events ;
4. more generic IDS / IPS like Snort should also be able to detect this attack ;
5. Radius / EAP hardware device authentication is a more complex solution but the recommended one on large networks.
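A small monitor in the spirit of arpwatch (point 3 above), added here as an example that is not part of the original article: it keeps its own IP / MAC table, raises an alert when an IP shows up with a new MAC or flips back to an old one, and a second alert when one IP answers at a rate that looks like the flood described above. The ARP observations in ARP_LOG are constructed for the example, not a real capture.

```python
"""arpwatch-style ARP monitor: flags IP->MAC changes and reply floods.

Added example, not from the article. ARP_LOG is a constructed sample of
observed ARP replies (timestamp, sender IP, sender MAC) as a probe on the
LAN would see them; it is not a real capture.
"""
from collections import defaultdict

# Constructed observations: (time in seconds, sender IP, sender MAC).
ARP_LOG = [
    (0.0, "192.168.1.1", "11:22:33:44:11:11"),   # gateway's real address
    (1.0, "192.168.1.20", "aa:bb:cc:dd:ee:20"),
    (5.0, "192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP now claims a new MAC
    (5.1, "192.168.1.1", "de:ad:be:ef:00:01"),
    (5.2, "192.168.1.1", "de:ad:be:ef:00:01"),
    (5.3, "192.168.1.1", "de:ad:be:ef:00:01"),
    (5.4, "192.168.1.1", "de:ad:be:ef:00:01"),
    (9.0, "192.168.1.1", "11:22:33:44:11:11"),   # real gateway answers again
]

FLOOD_WINDOW = 1.0    # seconds
FLOOD_THRESHOLD = 4   # replies for one IP within the window


def monitor(log, window=FLOOD_WINDOW, threshold=FLOOD_THRESHOLD):
    """Return a list of (time, event, ip, detail) alerts.

    Events use arpwatch's vocabulary: "changed ethernet address" when an IP
    is seen with a MAC different from the one on record, "flip flop" when it
    returns to a MAC seen earlier, and "flood" when one IP sends `threshold`
    replies within `window` seconds.
    """
    current = {}                 # ip -> MAC currently on record
    seen = defaultdict(set)      # ip -> every MAC ever seen for it
    recent = defaultdict(list)   # ip -> timestamps of recent replies
    alerts = []
    for ts, ip, mac in log:
        if ip in current and current[ip] != mac:
            event = "flip flop" if mac in seen[ip] else "changed ethernet address"
            alerts.append((ts, event, ip, f"{current[ip]} -> {mac}"))
        current[ip] = mac
        seen[ip].add(mac)
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) == threshold:   # fire once, when the threshold is crossed
            alerts.append((ts, "flood", ip, f"{threshold} replies in {window}s"))
    return alerts


if __name__ == "__main__":
    for alert in monitor(ARP_LOG):
        print(alert)
```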

    ICMP Attacks

ICMP is a protocol that is just over IP in the networking stack, aimed at diagnosing links. A standard ping, for instance, is based on this protocol.

In some cases, it could be used to drive some attacks.

Ping of Death

That's the historical attack. An ICMP packet is encapsulated inside an IP datagram.

    An ICMP datagram is structured as below :

A few ICMP request types :

0 = echo reply
8 = echo request
11 = TTL expired
12 = option error (wrong header)

The maximum size of an IP datagram is 65 535 octets, though each ethernet link has a maximum ethernet packet size that it can support. That is the MTU value (default is 1500 octets). When a packet bigger than this size must be sent, it is fragmented in smaller sized packets which are sent one after another. They will be reassembled by the recipient in the right order.

For instance, in the case of an ICMP echo request (ping), the ICMP header has a length of 8 octets and the IP header in which it is encapsulated is of 20 octets (without any additional option).

So : 65535 - 20 - 8 = 65507 octets are left available at most for the data field of the ICMP packet.


If an ICMP packet bigger than this size is built and sent, it will be sent fragmented to the recipient.

When the recipient reassembles it, it gets an invalid IP datagram with a size bigger than 65 535 octets.

A sane IP stack would just drop it. But in the past, that led to a buffer overflow DoS attack. With many old IP stacks (Windows 95, NT, Linux 2.0, ...), this caused some unexpected behaviour : networking crash, system freeze, reboot. The IP stack had a buffer for 65 535 octets without exception catching in case of a bigger packet. That caused the memory to be written with the extra bits anywhere, with unpredictable effects.
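The size arithmetic above carried through in code, as an added example that is not part of the original article: the sender splits an oversized echo request into fragments the way its stack would on a 1500-octet MTU, and the receiver checks the reassembled size against 65 535 before touching any buffer, which is exactly the check the old stacks lacked. The fragments are constructed; the header sizes are the ones quoted above.

```python
"""Fragment reassembly bound check against the ping of death.

Added example, not from the article. IP_MAX, IP_HDR and ICMP_HDR are the
sizes the article quotes; the fragments built here are constructed to mimic
an oversized ICMP echo request split on a 1500-octet MTU.
"""
IP_MAX = 65535    # maximum IP datagram size in octets
IP_HDR = 20       # IP header without options
ICMP_HDR = 8      # ICMP echo header
MTU = 1500


def max_icmp_data():
    """Largest ICMP data field that still fits in one IP datagram."""
    return IP_MAX - IP_HDR - ICMP_HDR    # 65507


def fragment(payload_len, mtu=MTU):
    """Split an ICMP packet carrying payload_len data octets into
    (offset, length, more_fragments) tuples as the sender's IP stack would.
    Offsets stay multiples of 8 octets, as IP's 13-bit fragment offset
    field requires (1480 octets per fragment on a 1500 MTU)."""
    total = ICMP_HDR + payload_len          # octets carried after the IP header
    per_frag = (mtu - IP_HDR) // 8 * 8
    frags, off = [], 0
    while off < total:
        length = min(per_frag, total - off)
        end = off + length
        frags.append((off, length, end < total))
        off = end
    return frags


def reassembled_size(frags):
    """Return the datagram size a receiver would compute, or None when the
    datagram would exceed IP_MAX. The bound is checked from the fragment
    offsets before any buffer is written, which is what the old stacks the
    article mentions failed to do."""
    end = max(off + length for off, length, _ in frags)
    if IP_HDR + end > IP_MAX:
        return None                         # a sane stack drops the datagram here
    return IP_HDR + end


if __name__ == "__main__":
    print(max_icmp_data(), reassembled_size(fragment(65507)),
          reassembled_size(fragment(65508)))
```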

Nowadays, all systems must be protected against this well known attack, but unfortunately the same kind of behaviour is regularly found in different protocols or applications.

If you try to practice this attack, you will see that ping prevents it :

$ ping -s 65508 192.168.1.1
Error: packet size 65508 is too large. Maximum is 65507

    Sing is a nice tool to easily play with ICMP packets. No problem this time :

    $ sing -s 65508 192.168.1.1

    The capture below shows the packet fragmentation that results :

How to protect from such issues ? Check vulnerability reports regularly and keep your system up to date.

Many administrators just block the whole ICMP protocol on their firewall. It is a kind of overreaction : ICMP is in no way a danger, but is really useful when you need some diagnosis. If you also think that blocking it hides your network topology, you are wrong, but that is another subject.

So update your systems, allow ICMP (and somehow prepare yourself for IPv6).


    ICMP Flood

Another very basic attack. It consists in sending as many and as big as possible ping requests at a high rate. The goal is to saturate the target resources : bandwidth and responsiveness, as the target network card has to process a lot of data.

On modern hardware, there is little chance that an isolated attack has any sensible impact. Also, a well configured firewall or a good OS should discard high rate requests.

However, this can still be efficient on weak topologies and when it comes from multiple sources. I am of course thinking about botnets, built with infected PCs, that can scale from hundreds to thousands of machines.

Hping is a famous tool that allows you to easily forge all kinds of TCP, UDP and ICMP packets with their options.

It takes just one line to flood a target :

    $ hping3 --flood -1 192.168.1.1

    Just to mention that you could have done it as well with Sing :

    $ sing -T 0 192.168.1.1

    Pong attack

This attack may lead to topology discovery.

As mentioned above, many administrators block ICMP on their firewall for security purposes. In general, the applied rule filters requests from the outside, but responses to requests from the inside are still allowed.

The trick here is to send a response to a target list of IPs which are supposed to be found behind the firewall.

If it goes through the firewall, two cases are possible :

1. the packet reaches the target, but this one destroys the packet as it was not waiting for anything. As a result, the attacker does not get any response.
2. the packet never reaches its target, because there is no target (the machine is off or the IP is not allocated) ; in that case, the firewall should answer with an ICMP packet host unreachable.

By scanning an IP range, we are able that way to guess the network map that is behind the firewall.


If you just want to try it using ping, you will need something like tcpdump to see the host unreachable response.

For instance, on my network, there is no IP such as 192.168.1.99 :

$ sing -reply 192.168.1.99
$ tcpdump icmp
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
15:21:55.142086 IP 10.8.0.6 > 192.168.1.99: ICMP echo reply, id 58219, seq 0, length 16
15:21:58.192068 IP 10.8.0.1 > 10.8.0.6: ICMP host 192.168.1.99 unreachable, length 44
15:22:23.086762 IP 10.8.0.6 > star.int.jcbnet.org: ICMP echo reply, id 64619, seq 0, length 16

That's confirmed. Other uses of this attack can be imagined, like firing up a flood attack targeting something behind the firewall. It shows one of the limits of filter-based firewalling. A well configured IDS/IPS must be set up to detect all these well known ICMP attacks and block them.
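The defensive counterpart, as an added example not from the article: a stateful echo filter that forwards an inbound echo reply only if it matches an echo request that left the network earlier, so a forged reply aimed at 192.168.1.99 is dropped at the firewall and never triggers the host unreachable that gives the map away. The packets are constructed (the forged one reuses the id and seq from the capture above); the 192.168.1.0/24 inside network is an assumption.

```python
"""Stateful ICMP echo filtering, the fix for the pong trick above.

Added example, not from the article. A stateless rule of "block echo
requests from outside, allow echo replies in" lets a forged reply through;
this filter forwards an inbound reply only when it matches an outbound
request it saw earlier. INSIDE and the packets are constructed.
"""
ECHO_REQUEST, ECHO_REPLY = 8, 0
INSIDE = "192.168.1."      # assumed protected network prefix


class EchoStateFilter:
    def __init__(self, inside_prefix=INSIDE):
        self.inside = inside_prefix
        self.pending = set()   # (inside host, outside host, id, seq) awaiting a reply

    def _is_inside(self, ip):
        return ip.startswith(self.inside)

    def decide(self, src, dst, icmp_type, ident, seq):
        """Return 'allow' or 'drop' for one ICMP echo packet crossing the firewall."""
        if icmp_type == ECHO_REQUEST and self._is_inside(src):
            self.pending.add((src, dst, ident, seq))   # remember outbound pings
            return "allow"
        if icmp_type == ECHO_REPLY and self._is_inside(dst):
            key = (dst, src, ident, seq)
            if key in self.pending:
                self.pending.discard(key)              # one reply per request
                return "allow"
            # Unsolicited reply: never forwarded, so the firewall never has to
            # emit a "host unreachable" that reveals whether dst exists.
            return "drop"
        return "drop"                                  # inbound requests and anything else


def run(fw, packets):
    """Apply the filter to a packet list and return the decisions in order."""
    return [fw.decide(*p) for p in packets]


PACKETS = [  # (src, dst, type, id, seq), constructed
    ("192.168.1.20", "10.8.0.6", ECHO_REQUEST, 58219, 0),  # inside host pings out
    ("10.8.0.6", "192.168.1.20", ECHO_REPLY, 58219, 0),    # matching reply
    ("10.8.0.6", "192.168.1.20", ECHO_REPLY, 58219, 0),    # replayed reply
    ("10.8.0.6", "192.168.1.99", ECHO_REPLY, 58219, 0),    # forged reply, as in the capture
    ("10.8.0.6", "192.168.1.20", ECHO_REQUEST, 1, 1),      # inbound request
]

if __name__ == "__main__":
    print(run(EchoStateFilter(), PACKETS))
```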

    IP spoofing

The goal of IP spoofing is to take advantage of the network accesses a target may be granted.

Nowadays, the fact is that still many applications sometimes rely solely on the IP address as a source of authentication. Not only obsolete services (rsh, login, telnet), but some widely used ones like DNS or SMTP. Not to mention the firewalling rules.

Altering an IP packet with an IP address that is not yours is not a difficult thing. It just consists in using a raw socket, so as not to go through the system IP stack that would certainly discard such packets. Many tools can do it.

However, because the IP address is reused by the higher transport layer, the attacker has to consider the UDP and TCP protocols.

There is not much to do concerning UDP, as it is a connectionless protocol. The attacker will be free to send the requests he wants.

However, because the TCP protocol opens a session, the attacker will have much more work to do.

The big issue is that he will never receive the answers to the packets he sends; the real host will. Therefore, it is necessary to blindly guess what is going on, so as not to lose the session.

There are several methods :

1. Initiating a new session and guessing the TCP sequence numbers : To be established, a TCP session follows a strict order : SYN, SYN-ACK and ACK. Each packet sent through TCP must be acknowledged. To differentiate the packets and send back that way an individual ACK, each packet has its own TCP sequence number. For every new packet, the sequence number is increased by the sender.

    This illustrates better :

What the attacker has to do is send the right ACK at the right moment, with not only the right TCP content but a proper TCP sequence number.

This technique is somewhat historical, as nowadays modern systems generate a random TCP sequence number that is very hard to predict (even using flood).

2. Stealing an existing session : It requires the attacker to be somewhere on the ethernet link between the two targets. It becomes easier to generate proper sequence numbers by sniffing a legitimate conversation.

3. Combining several LAN attacks : If the attacker is on the LAN, he can combine several attacks (ARP, DoS, SNAT) to sniff and block legitimate traffic and replay it.

As this attack requires quite a lot of effort, an alternative leading to the same effect is often used instead : DNS poisoning.

Otherwise, if the goal of IP spoofing is just DoS, the attacker doesn't need to care about all that. This is unfortunately the most frequent use. The goal is to hide the attacker a bit more and to make it difficult to build a proper defensive firewalling rule (what IP to use to block the aggressive packets ?). All the attacker needs to do is send the forged packets without caring about responses at all.

A good protection starts by controlling the lower layer attacks (ARP, sniffing, ...).

Then, firewalls should have a proper rule limiting the rate of SYN packets for any source, to prevent flood attacks trying to catch a valid TCP number.

Finally, always use up-to-date systems that have a strong randomization algorithm for TCP sequence numbers.

I would like to add that, as much as possible, weakly authenticated applications should be suppressed. Unfortunately, it won't be an easy thing to work without DNS, SMTP and so on...

    Conclusion

That's it for this quick tour of network layer attacks. It shows how weak many protocols are and the power an attacker can get. Next time, we will quickly talk about transport layer attacks, as this article already started to cover it (TCP).
