Over the years numerous malicious attacks have been perpetrated by subverting various parameters of standard networking protocols and the manner in which they handle data. In this way the very essence of the protocol’s functional integrity is corrupted to do the attacker’s bidding. This usually translates into some form of network functional degradation, or into interference with, or breakdown of, normal network operating mechanisms.
Information Security Breaches
Security-related mechanisms and processes are aspects of a network which are continually under threat. The attacker’s goal is generally to breach network information security in such a way as to create an opportunity that the attacker can exploit to their financial benefit.
Identity theft and leakage of personally identifiable information are very notorious, and since they are deemed “news-worthy” by the media we tend to hear a lot about them, but in reality they constitute only the tip of the iceberg. The media always seem to project the image that the general public couldn’t care less; that is, until the malicious activity actually impacts each and every one of them personally, which probably explains the noteworthiness of breaches of personally identifiable information: it is our personal details that are placed in jeopardy.
Financial attacks against electronic payment mechanisms such as those represented by the payment card industry are prime targets. Nobody is happy when presented with the bill for goods and services that they did not purchase, consume or otherwise authorize. So the individual will complain loud and clear for as long as it takes to rectify the situation even for what are truly trivial amounts of money. It’s the principle that matters.
As usual the villains are able to take advantage of this state of affairs by obtaining your payment card information and using it to make transactions in foreign countries. You can prove to the bank that you were not in said country at the time the transactions took place, and so the bank reimburses you. The villains get what they want, you get your money back and the bank wears it, or so you think. Wrong; you still pay, by way of higher interest rates.
Basic Denial of Service Attacks (DoS) Techniques
A Denial of Service attack is a prime example of an attacker’s ultimate malicious intent: to bring normal network functioning, and access to network resources, to a grinding halt. The techniques used in implementing a DoS attack often involve mechanisms designed to overwhelm the target’s resources, such as:
Storage Consumption – Consuming all available local storage space on the target machine will cause the target computer (usually a server) to slowly grind to a halt. Tactics employed in this form of DoS attack can be as simple as sending huge email attachments or other large file transfers. Multiple large DVD VOB files and uncompressed JPEG or BMP (bitmap) images of insanely high resolution are common file types used to accomplish this.
Subnet Mask Corruption – The attacker may send a message which causes the target machine to reset its subnet mask and so disrupt the target’s subnet routing.
Connection Resources Consumption – By sending very large numbers of service requests to a server an attacker can consume all of the target’s available connection resources, thereby causing any new connections, authentic or otherwise, to be denied.
Specific Denial of Service (DoS) Attacks
Buffer Overflow Attack – In essence a buffer overflow attack occurs when a process receives much more data than expected; if it has no programmed routine to deal with this excessive amount of data, it may act in unexpected ways that an attacker can exploit. There are numerous variations and forms of buffer overflow attack that have been perpetrated over the years, with the most common of all undoubtedly being the “Ping of Death”.
Ping of Death – The Ping of Death attack is also referred to as the “Large Packet Ping Attack” and is simple to instigate. All an attacker needs to do to initiate a “ping of death” attack is to use the ubiquitous network utility PING (Packet Internet Groper, which uses the Internet Control Message Protocol, ICMP) to “ping” the target with an illegally modified (in a protocol sense, not the common law sense) and very large IP datagram. This overfills the target system’s buffers, causing the target to reboot or hang.
PING can be configured to send these “illegal” IP datagram packets in bursts or as a continual stream. In the case of a continual stream the target will be immediately under attack once it reboots and will thus hang or reboot continually until something is done to stop it receiving the attacker’s packets.
Changing its LAN IP address will do the trick but may cause unforeseen disruptions in other network services, such as web pages that are no longer located at the old address. Using a filtering device, such as a router or dedicated firewall, to drop all incoming Internet Control Message Protocol (ICMP) packets, and thus block Ping requests, works better and with less overall network disruption. This does, however, make remote network administration a little more difficult, but not impossible.
Long File or User Names – Another basic buffer overflow attack that can be perpetrated very simply is for the attacker to send the intended target packets (usually standard ping packets) with user or file names longer than 256 characters. Email delivery processes are also a popular mechanism for deploying this type of excessively long file or user name attack.
SYN Attack – A SYN attack occurs when an attacker exploits the use of the buffer space during the Transmission Control Protocol (TCP) session initialization three-way handshake.
Traditionally the receiving end of a conversation has only required a small “in-process” buffer to satisfy correct functioning of the TCP session initialization. Once the connection has been successfully established, the small amount of buffer used by each TCP connection establishment request is returned to the “in-process” buffer pool, ready for reuse by the next TCP establishment request.
Note that the receiving machine can maintain multiple concurrent conversations, all established using the same small “in-process” buffer pool. To instigate a Denial of Service (DoS) attack that exploits this behavior an attacker simply floods the target system’s small “in-process” queue with connection requests, but does not send an Acknowledgement response when the target system replies to those requests. This causes the target system to “time out” while waiting for the proper response.
With enough “in limbo” “in-process” requests the target system will become unstable, hang, crash or become unusable. This means the target system will need to be rebooted. Once rebooted, the attack will continue anew for as long as the attacker desires, or until the network administrator becomes aware that they are under this type of attack and takes appropriate measures to counteract it.
Identifying the source IP addresses of the attack packets and then using a firewall or router to block all traffic from those sources is usually the first port of call, but it does have its drawbacks. The Distributed Denial of Service (DDoS) attack, for example, is far more difficult to counter this way, as is the Distributed Reflected Denial of Service (DRDoS) attack.
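As an added example (not code from the original article), the following Python monitor models the half-open tracking that makes a SYN flood visible: each client SYN opens a slot keyed by the full 4-tuple, the client's final ACK or a reset frees it, and slots that never complete within a timeout are counted against their source address, which is the information the blocking step above needs. The timeout, threshold and addresses are assumptions chosen for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class TcpEvent:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" client SYN, "SA" server SYN-ACK, "A" final ACK, "R" reset

class HalfOpenMonitor:
    """Tracks handshakes that have started but not completed (the 'in-process' slots above)."""
    def __init__(self, timeout: float = 30.0) -> None:   # timeout is an assumed value
        self.timeout = timeout
        self.pending: dict[tuple, float] = {}  # (src, sport, dst, dport) -> time of the SYN

    def observe(self, ev: TcpEvent) -> None:
        key = (ev.src, ev.sport, ev.dst, ev.dport)
        if ev.flags == "S":
            self.pending.setdefault(key, ev.ts)   # handshake step 1 occupies a slot
        elif ev.flags in ("A", "R"):
            self.pending.pop(key, None)           # step 3 (or a reset) frees it again
        # "SA" is the server's reply; it neither opens nor closes a slot here

    def stale_by_source(self, now: float) -> Counter:
        """Count slots per source address that have waited longer than the timeout."""
        return Counter(src for (src, _, _, _), t in self.pending.items() if now - t > self.timeout)

    def suspects(self, now: float, threshold: int) -> list[str]:
        """Sources holding at least `threshold` stale half-open slots: candidates for blocking."""
        return sorted(s for s, n in self.stale_by_source(now).items() if n >= threshold)

def run_sample() -> tuple[list[str], int]:
    """Constructed traffic: one completed handshake, then 40 SYNs that are never acknowledged."""
    m = HalfOpenMonitor(timeout=30.0)
    m.observe(TcpEvent(0.0, "192.0.2.50", 40000, "198.51.100.1", 443, "S"))
    m.observe(TcpEvent(0.1, "198.51.100.1", 443, "192.0.2.50", 40000, "SA"))
    m.observe(TcpEvent(0.2, "192.0.2.50", 40000, "198.51.100.1", 443, "A"))
    for sport in range(50000, 50040):   # constructed flood from a single source address
        m.observe(TcpEvent(1.0, "203.0.113.9", sport, "198.51.100.1", 443, "S"))
    return m.suspects(now=60.0, threshold=20), len(m.pending)
```

When the attacker spoofs a different source on every SYN, as in the distributed variants mentioned above, this view shows many sources with one stale slot each and no single suspect, so the total number of stale slots per listening port must be watched as well.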
Teardrop Attack – In a Teardrop attack the attacker modifies the length and fragmentation offset fields in sequential Internet Protocol (IP) packets. Upon reception of these modified packets a target system will become confused and crash, since it is receiving contradictory instructions on how the fragments of these packets are offset.
Countering this type of attack will involve careful analysis of captured packets to determine that the offset fields have been deliberately modified to cause the systems under attack to crash.
Smurf Attacks – Here a combination of IP address spoofing and ICMP flooding is used to saturate a target network with traffic to such an extent that all normal traffic is effectively “drowned out”, thereby causing a Denial of Service (DoS). Smurf attacks consist of three separate elements: the source site, the bounce site and the target site.
- First of all an attacker will select a bounce site. This is usually a very large network.
- The attacker then modifies a PING packet to contain the address of the target site as the PING packet’s source address.
- Next the attacker sends the spoofed PING packet to the broadcast address of the bounce site.
- This results in the bounce site broadcasting the spoofed packet to all devices configured to receive messages from that broadcast address, which by default will be all devices on that Local Area Network (LAN), or on that subnet segment if the network has been divided into a number of smaller subnets for administrative purposes.
- All devices on the bounce site network receiving this misinformation will not know that it is misinformation, and so they will automatically respond to the request with a reply to the site which is the intended target of the smurf attack.
- This results in the target site being overwhelmed by a huge number of erroneous replies that it knows nothing about.
- The outcome of the oversaturation is that the target is unable to process the replies, often due to a buffer overflow, and hence it will hang or reboot.
In many cases such is the overwhelming effect of this type of attack that it will cause the target to appear to simply grind to a halt in attempting to process the flood of incoming reply PINGs from the bounce site.
Another consequence can be that the target machine’s CPU processing queue, internal counters, out-of-sequence processing units and cache simply cannot cope with the flood. The CPU will register processing queue errors, which can cause it to continually flush its processing pipeline and buffers, with the result that the CPU will suddenly appear to be running at 100% until such time as it overheats and becomes an unusable blob of silicon.
Fortunately, modern CPUs have thermal regulation mechanisms that usually prevent total obliteration of the CPU due to this type of processing strain and loop running, but many older systems, and those with thermal throttling turned off, will often die.
Countering a smurf attack is not as hard as one might expect. A correctly configured “stateful” firewall device will know that the massive influx of ICMP Ping replies was never requested by any device internal to it, and so it will drop these packets.
Also, configuring your firewall to deny external ICMP traffic access to your internal network will work just as effectively. Once again this may make remote administration and connectivity testing a little more difficult than would otherwise be the case, but this is a small price to pay for a respectable degree of immunity to this type of attack.
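As an added example (not code from the original article), this Python model shows what the “stateful” behaviour described above amounts to: outbound echo requests are remembered by peer address, ICMP identifier and sequence number, and an inbound echo reply is accepted only if it answers one of them, so a flood of unsolicited replies from a bounce site is dropped. Inbound ICMP other than such replies is refused outright, matching the second option above; the timeout and addresses are assumptions.

```python
from dataclasses import dataclass, field

ECHO_REQUEST = 8   # ICMP type of an echo request (an outbound ping)
ECHO_REPLY = 0     # ICMP type of an echo reply

@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    icmp_type: int
    ident: int   # ICMP identifier, normally the pinging process id
    seq: int     # ICMP sequence number
    ts: float    # time in seconds on a constructed clock

@dataclass
class StatefulIcmpFilter:
    """Admits only echo replies that answer a request this network actually sent."""
    timeout: float = 5.0                          # assumed: replies older than this are stale
    pending: dict = field(default_factory=dict)   # (peer, ident, seq) -> time the request left

    def outbound(self, pkt: IcmpPacket) -> None:
        """Remember an echo request leaving the protected network."""
        if pkt.icmp_type == ECHO_REQUEST:
            self.pending[(pkt.dst, pkt.ident, pkt.seq)] = pkt.ts

    def inbound(self, pkt: IcmpPacket) -> str:
        """Verdict for an ICMP packet arriving from outside: 'accept' or 'drop'."""
        if pkt.icmp_type != ECHO_REPLY:
            return "drop"    # no external ICMP other than answers to our own pings
        sent = self.pending.pop((pkt.src, pkt.ident, pkt.seq), None)
        if sent is None or pkt.ts - sent > self.timeout:
            return "drop"    # unsolicited or stale reply: what a Smurf bounce site produces
        return "accept"

def run_sample() -> dict:
    """One legitimate ping exchange followed by a constructed burst of bounce-site replies."""
    f = StatefulIcmpFilter()
    counts = {"accept": 0, "drop": 0}
    f.outbound(IcmpPacket("192.0.2.10", "198.51.100.7", ECHO_REQUEST, 0x1234, 1, 100.0))
    counts[f.inbound(IcmpPacket("198.51.100.7", "192.0.2.10", ECHO_REPLY, 0x1234, 1, 100.02))] += 1
    # ten hosts on the bounce network answering a broadcast ping whose source was spoofed
    # to the target's address, so all of their replies land on the target
    for host in range(20, 30):
        reply = IcmpPacket(f"203.0.113.{host}", "192.0.2.10", ECHO_REPLY, 0x0BAD, 7, 100.1)
        counts[f.inbound(reply)] += 1
    return counts
```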
Other Protocol Based Attacks
There are a number of other commonly instigated attacks that exploit other protocols, and other areas whereby the packets produced by the TCP/IP protocol stack can be exploited, duped or interfered with, for an attacker to achieve their malicious goals.
The important point here is that the actual manner in which an attack is implemented is largely dependent upon the attacker’s ultimate goal. Attacks perpetrated to cause a Denial of Service (DoS) are implemented using the same mechanisms as those an attacker might use to surreptitiously gain unauthorized access to a network and its resources for the purpose of stealing information. The way they go about it is where the differences lie.
Session hijacking and fragmentation attacks are classic examples that I will now briefly describe, in order to highlight why it is important to understand the attacker’s motivations and goals, as this is the only way that one can be truly prepared to proactively deal with these potential onslaughts.
IP Spoofing Attacks – IP spoofing involves the alteration of a packet at the TCP level and is used to attack Internet-connected systems that provide various TCP/IP services. The attacker sends a packet with the IP source address of a known, trusted host. The target host may accept the packet and act upon it.
Unlike a Smurf attack, where spoofing is used to create a DoS, IP spoofing is used to convince a system that it is communicating with a known, authenticated entity, thereby allowing an intruder to gain access to the network and its resources.
In order to gain the prerequisite knowledge of network resources, their allocations and the network or LAN’s internal IP addressing structure, and thence to identify the IP address of a device suitable for spoofing, the attacker will usually conduct a packet capture session in which they capture all packets passed across the network.
After capturing enough packets they will then use various tools to analyze the captured packets. From this they may learn the host names, IP addresses and MAC Addresses of network devices. If your network does not encrypt all traffic by default you are easy game for this type of attacker.
Using strong encryption for all traffic placed onto transmission media regardless of the type of media and its location is the best way to counteract this type of attack. Faced with a whole bunch of encrypted packets most attackers will simply move on to easier targets and there are millions of them.
However, if the motivation for the attack is vengeance for some perceived wrong, or simply industrial espionage, then the attacker is most likely prepared to spend considerable time and resources in their efforts. Your job just got a whole lot harder.
TCP Sequence Number Attacks – TCP sequence number attacks exploit the communications session, which was established between the target and the trusted host that initiated the session. The intruder tricks the target into believing it is connected to a trusted host and then hijacks the session by predicting the target’s choice of an initial TCP sequence number. This session is then often used to launch various attacks on other hosts.
IP Fragmentation Attacks – IP fragmentation attacks use varied IP datagram fragmentation to disguise their TCP packets from a target’s IP filtering devices.
Tiny Fragmentation Attack – In a tiny fragment attack a would-be intruder deliberately sends the first part of their conversation as a very small, undersized fragment. This forces some of the TCP header fields into a second fragment. In this way the attacker might be able to bypass a target network’s defenses and thus get their illegal packet fragments onto the target network.
The best countermeasure is to strictly enforce minimum fragment size requirements. With this done any undersized packets will be automatically dropped, preventing them from ever getting onto your network.
Overlapping Fragmentation Attack – In many ways similar to a teardrop attack, an overlapping fragment attack is yet another variation on a datagram’s zero-offset modification. Subsequent packets overwrite the initial packet’s destination address information and the second packet is then passed onto the target network.
Simply enforcing a minimum fragment offset for fragments with non-zero offsets is the easiest way to counter this type of attack.
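As an added example (not code from the original article), the following Python filter implements the fragment checks this section and the Teardrop section call for, together with the oversized-datagram check that the Ping of Death relies on: a minimum size for first fragments, a minimum offset for non-zero-offset fragments, a reassembled-length limit, and per-datagram detection of fragments that overlap earlier ones. The two minimum thresholds are assumptions, not values taken from the article.

```python
from dataclasses import dataclass

IP_MAX_LEN = 65535       # largest legal total IP datagram size
FRAG_UNIT = 8            # the fragment offset field counts 8-byte blocks
MIN_FIRST_FRAG = 20      # assumed: a first fragment must carry a full 20-byte TCP header
MIN_NONZERO_OFFSET = 3   # assumed: a non-zero offset below 24 bytes would overwrite header fields

@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification field, groups the fragments of one datagram
    offset: int   # fragment offset in 8-byte units
    length: int   # bytes of transport data carried by this fragment
    more: bool    # More Fragments flag

def check_fragment(frag: Fragment) -> str:
    """Stateless checks: return 'ok' or the reason the fragment should be dropped."""
    start = frag.offset * FRAG_UNIT
    if start + frag.length > IP_MAX_LEN:
        return "oversized"    # reassembled datagram would exceed 65535 bytes (Ping of Death)
    if frag.offset == 0 and frag.more and frag.length < MIN_FIRST_FRAG:
        return "tiny-first"   # transport header split across fragments (tiny fragment attack)
    if 0 < frag.offset < MIN_NONZERO_OFFSET:
        return "low-offset"   # would land on top of the first fragment's header
    return "ok"

class Reassembler:
    """Remembers byte ranges seen per datagram; rejects fragments overlapping earlier ones."""
    def __init__(self) -> None:
        self.ranges: dict[int, list[tuple[int, int]]] = {}

    def accept(self, frag: Fragment) -> str:
        verdict = check_fragment(frag)
        if verdict != "ok":
            return verdict
        start, end = frag.offset * FRAG_UNIT, frag.offset * FRAG_UNIT + frag.length
        seen = self.ranges.setdefault(frag.ident, [])
        if any(start < e and s < end for s, e in seen):
            return "overlap"      # contradictory offsets (Teardrop / overlapping fragment)
        seen.append((start, end))
        return "ok"

def run_sample() -> list[str]:
    """Constructed fragment streams: one legitimate datagram, then one of each attack shape."""
    r = Reassembler()
    return [
        r.accept(Fragment(1, 0, 1480, True)),     # ok: first fragment of a normal datagram
        r.accept(Fragment(1, 185, 520, False)),   # ok: 185 * 8 = 1480, contiguous with the first
        r.accept(Fragment(2, 0, 1480, True)),     # ok
        r.accept(Fragment(2, 100, 1480, False)),  # overlap: starts 800 bytes into the first
        r.accept(Fragment(3, 0, 8, True)),        # tiny-first: only 8 bytes of header
        r.accept(Fragment(3, 1, 32, False)),      # low-offset: would cover header bytes 8-39
        r.accept(Fragment(4, 8189, 100, False)),  # oversized: 65512 + 100 > 65535
    ]
```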
Well that’s all for now. Next time I will deal with some more sophisticated and potentially massive protocol based attacks including Distributed Denial of Service and Distributed Reflected Denial of Service attacks using botnets and the like.