Securing Routers Against Hackers and Denial of Service Attacks

Lou Ronnau lpr@cisco.com

1999, Cisco Systems, Inc.

Outline

IP Refresher
Attack Types
Network Layer Attacks
Transport Layer Attacks
Application Layer Attacks

www.cisco.com

Outline (cont.)

Reconnaissance
Initial Access
Questions

IP Refresher


TCP/IP Protocol Stack

OSI Reference Model: Application, Presentation, Session, Transport, Network, Data Link, Physical
IP Conceptual Layers: Application, Transport, Internet, Network Interface
Network Interface technologies: Ethernet, 802.3, 802.5, ATM, FDDI, and so on

Internet Layer Refresher


Internet layer protocols: Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP)

IP datagram header: VERS, HLEN, Type of Service, Total Length, ID, Flags, Frag Offset, TTL, Protocol, Header Checksum, Src IP Address, Dst IP Address, IP Options, Data

Transport Layer Refresher


Transport layer protocols: Transmission Control Protocol (TCP), User Datagram Protocol (UDP)

TCP segment format: Src Port, Dst Port, Seq #, Ack #, HLEN, Reserved, Code Bits, Window, Checksum, Urgent Ptr, Options, Data
UDP segment format: Src Port, Dst Port, Length, Checksum, Data

Port Numbers

Application   Transport   Port
Telnet        TCP         23
SMTP          TCP         25
DNS           TCP         53
HTTP          TCP         80
SSL           TCP         443
DNS           UDP         53
TFTP          UDP         69

Application Layer Refresher


Web Browsing (HTTP, SSL)
File Transfer (FTP, TFTP, NFS, File Sharing)
E-Mail (SMTP, POP2, POP3)
Remote Login (Telnet, rlogin)
Name Management (DNS)
Microsoft Networking Services

Attack Types


Attack Types

Attack signatures are classified on two axes: what is examined (context, the packet header, or content, the data) and how many packets are needed (atomic, a single packet, or composite, multiple packets).

Context (header), atomic (single packet): Ping of Death, Land Attack
Context (header), composite (multiple packets): Port Sweep, SYN Attack, TCP Hijacking
Content (data), atomic (single packet): MS IE Attack, E-mail Attacks
Content (data), composite (multiple packets): Telnet Attacks, Character Mode Attacks

Attack Types (cont.)


Reconnaissance: host scan, port scan, SMTP VRFY
Access: spoofing, session hijacking
Denial of service: SYN attacks, ping-of-death, teardrop, WinNuke
Privilege escalation: MS IE%2ASP, ftp cwd ~root

Demystifying Common Attacks


Common attacks placed on the stack, listed from the application layer down through transport and Internet to the network interface: Java, ActiveX, and script execution; e-mail EXPN; WinNuke; SYN flood; UDP bomb; port scan; Land.c; ping flood; ping of death; IP spoof; address scanning; source routing; sniffer/decoding; MAC address spoofing

Network Layer Attacks



IP Layer Attacks

IP Options
IP Fragmentation
Bad IP packets
Spoofed Addresses

IP Fragmentation Attacks
IP Fragment Attack (tiny fragment): offset value too small, indicating an unusually small first fragment. May bypass some packet-filter devices, because the TCP or UDP header they filter on is split across fragments and the filter sees only part of it.

IP Fragments Overlap: offset values indicate that fragments overlap one another; Teardrop attack.

IP Fragmentation

Routers and Internet gateways are stateless devices: each fragment is forwarded on its own, so improperly fragmented packets are forwarded normally along with other traffic. Catching them requires stateful inspection that tracks all fragments of a datagram together.

Bad IP Packet Attacks


Unknown IP Protocol: Proto field set to an invalid or undefined value

Impossible IP Packet: same source and destination address (Land attack)

IP Address Spoofing

Source IP address set to that of a trusted host or of a nonexistent host. Access lists applied close to the source are the only protection: drop packets arriving from outside that claim an inside source address. Best applied at the connection to the Internet.

Spoofing: Access by Impersonation


An outside host (172.16.42.84) sends a packet to 10.1.1.2 with a spoofed source of 10.1.1.1, an inside address. The inbound access list on the Internet-facing serial interface drops anything arriving from outside that claims a loopback or inside source:

  interface Serial 1
   ip address 172.26.139.2 255.255.255.252
   ip access-group 111 in
   no ip directed-broadcast
  !
  interface ethernet 0/0
   ip address 10.1.1.100 255.255.0.0
   no ip directed-broadcast
  !
  access-list 111 deny ip 127.0.0.0 0.255.255.255 any
  access-list 111 deny ip 10.1.0.0 0.0.255.255 any
  access-list 111 permit ip any any

IP Options
The IP header is 20 bytes (Ver, Len, Serv, Length, Identification, Flg, Frag Offset, TTL, Proto, Checksum, Source IP, Destination IP), followed by any options and then the payload data.

IP Options: add up to 40 additional bytes; only 8 valid options

IP Options (cont.)
Each option begins with a one-byte option type field, followed (for most options) by a length byte and parameters:

  bit:     0      1 2      3 4 5 6 7
  field:   Copy   Class    Option #
  then:    Length (if used), Parameters...

Copy: 0 = do not include the option in packet fragments; 1 = include the option in every fragment
Class: 0 = network control; 2 = debugging and measurement
Option: one of eight valid options
Length: number of bytes in the option (if used by the option)
Parameters: parameters passed by the option
The last option is always option 0 (End of Options).

IP Options (cont.)
Option #   Option Name         Notes
0          End of Options
1          No Operation
2          Security            rarely used
3          Loose Source Rte
4          Timestamp           rarely used
7          Record Route        records the route (gateways) that a packet has traversed
8          Stream ID           rarely used
9          Strict Source Rte

IP Source Routing
Two options, #3 loose source routing and #9 strict source routing, let the sender dictate the path a packet takes. They can be used to bypass filters (ACLs) by steering a packet in through an interface or path the filter does not cover. Some machines with multiple interfaces forward source-routed packets even with IP forwarding turned off. Router command: no ip source-route
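An added example, not code from the Cisco slides: a parser for the IP options area using the copy/class/number layout above, which flags loose (3) and strict (9) source routes, the two options that "no ip source-route" causes a router to drop. The function names and the constructed LSRR test input are this example's own.

```python
"""Decode IP options from the bytes that follow the 20-byte IP header
and report source-routed datagrams (added example, not Cisco code)."""
from typing import Dict, List

EOOL, NOP = 0, 1
SINGLE_BYTE = {EOOL, NOP}            # the only options without a length byte
OPTION_NAMES = {0: "End of Options", 1: "No Operation", 2: "Security",
                3: "Loose Source Rte", 4: "Timestamp", 7: "Record Route",
                8: "Stream ID", 9: "Strict Source Rte"}
SOURCE_ROUTE = {3, 9}


def parse_options(opts: bytes) -> List[Dict]:
    """Split the options area into decoded options; raise on a malformed length."""
    out, i = [], 0
    while i < len(opts):
        t = opts[i]
        number = t & 0x1F                     # low 5 bits: option number
        entry = {"copy": bool(t >> 7),        # bit 0: copy into fragments
                 "class": (t >> 5) & 0x3,     # bits 1-2: class
                 "number": number,
                 "name": OPTION_NAMES.get(number, "unknown")}
        if number in SINGLE_BYTE:
            out.append(entry)
            i += 1
            if number == EOOL:
                break                         # option 0 terminates the list
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d truncated before length byte" % number)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (number, length))
        entry["data"] = opts[i + 2:i + length]
        if number in SOURCE_ROUTE:
            # LSRR/SSRR data: one pointer byte, then 4-byte router addresses
            ptr, addrs = entry["data"][0], entry["data"][1:]
            entry["pointer"] = ptr
            entry["route"] = [".".join(str(b) for b in addrs[k:k + 4])
                              for k in range(0, len(addrs) - len(addrs) % 4, 4)]
        out.append(entry)
        i += length
    return out


def is_source_routed(opts: bytes) -> bool:
    """True if the datagram carries LSRR or SSRR (what 'no ip source-route' drops)."""
    return any(o["number"] in SOURCE_ROUTE for o in parse_options(opts))


def build_lsrr(hops: List[str]) -> bytes:
    """Constructed test input: a loose source route option (type byte 0x83 =
    copy 1, class 0, number 3) through the given hops, pointer starting at 4."""
    body = b"".join(bytes(int(x) for x in h.split(".")) for h in hops)
    return bytes([0x83, 3 + len(body), 4]) + body
```

A filter that only looks at the fixed 20-byte header never sees these bytes; the check has to run on the options area, and a truncated or over-long length byte is itself worth dropping the packet for.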

ICMP Attacks

ICMP Traffic Records
Ping Sweeps
ICMP Attacks

ICMP Query Message


Format: Type (8 bits), Code (8 bits), Checksum (16 bits), Identifier (16 bits), Sequence # (16 bits), Data...

Type:
0   Echo Reply
8   Echo Request
13  Timestamp Request
14  Timestamp Reply
15  Information Request
16  Information Reply
17  Address Mask Request
18  Address Mask Reply

Code: codes associated with each ICMP type
Checksum: one's-complement checksum over the ICMP message, computed with the checksum field itself set to zero

ICMP Query Message (cont.)

Query messages travel inside an IP datagram with Proto=ICMP: Echo Reply (Type=0), Echo Request (Type=8), Timestamp Request (Type=13), Timestamp Reply (Type=14).

ICMP Error Message


Format: Type (8 bits), Code (8 bits), Checksum (16 bits), Unused (32 bits), then the IP header plus the first 8 bytes of the original datagram's data

Type:
3   Destination Unreachable
4   Source Quench
5   Redirect
11  Time Exceeded
12  Parameter Problem

Code: codes associated with each ICMP type
Checksum: one's-complement checksum over the ICMP message, computed with the checksum field itself set to zero

ICMP Error Messages

Error messages travel inside an IP datagram with Proto=ICMP: Unreachable (Type=3), Source Quench (Type=4), Redirect (Type=5), Time Exceeded (Type=11), Parameter Problem (Type=12).

ICMP Attacks
Fragmented ICMP packet: more-fragments flag set or fragment offset /= 0. Normal ICMP messages fit in a single datagram, so fragmented ICMP is suspect.

ICMP Floods: many ICMP packets to a single host

ICMP Attacks (cont.)


ICMP Smurf attack: Type=0 (echo reply), many packets to a single host

ICMP Ping of Death: last fragment (more-fragments flag clear) with Offset*8 + Length > 65535

Smurfs
ICMP echo request with a spoofed source address (the victim's address).
Destination address set to the network broadcast address of a network (a so-called ping amplifier).
All hosts on the pinged network reply to the spoofed address, multiplying the attacker's traffic by the number of responding hosts.
Interface command: no ip directed-broadcast
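An added example, not code from the Cisco slides, that looks for smurf traffic from both ends of the attack over constructed ICMP records: echo requests aimed at one of the router's directed-broadcast addresses (what "no ip directed-broadcast" stops on the amplifier side), and a flood of unsolicited echo replies converging on one host from many senders (what the victim's side sees). The interface addresses reuse the spoofing slide's 10.1.1.100/16 and 172.26.139.2/30; the threshold and function names are this example's own.

```python
"""Smurf detection over constructed ICMP records (added example, not Cisco code)."""
from collections import defaultdict
from ipaddress import ip_address, ip_interface
from typing import Dict, Iterable, List, Tuple

ECHO_REPLY, ECHO_REQUEST = 0, 8
Packet = Tuple[int, str, str]   # (icmp_type, src, dst)


def directed_broadcast_targets(interfaces: Iterable[str]) -> set:
    """Broadcast addresses of the router's attached networks, e.g. 10.1.1.100/16 -> 10.1.255.255."""
    return {ip_interface(i).network.broadcast_address for i in interfaces}


def amplifier_hits(packets: Iterable[Packet], interfaces: Iterable[str]) -> List[Packet]:
    """Echo requests addressed to one of our directed-broadcast addresses (amplifier side)."""
    bcast = directed_broadcast_targets(interfaces)
    return [p for p in packets if p[0] == ECHO_REQUEST and ip_address(p[2]) in bcast]


def reply_floods(packets: Iterable[Packet], min_sources: int = 10) -> Dict[str, int]:
    """Hosts receiving unsolicited echo replies from at least min_sources distinct senders
    (victim side). A reply is solicited if its destination earlier sent a request to its source."""
    packets = list(packets)
    requested = {(src, dst) for t, src, dst in packets if t == ECHO_REQUEST}
    sources = defaultdict(set)
    for t, src, dst in packets:
        if t == ECHO_REPLY and (dst, src) not in requested:
            sources[dst].add(src)
    return {victim: len(s) for victim, s in sources.items() if len(s) >= min_sources}


def sample_traffic() -> List[Packet]:
    """Constructed: an attacker spoofs 172.16.42.84 as source and pings 10.1.255.255;
    30 hosts on 10.1/16 answer the victim. One legitimate ping exchange is mixed in."""
    pkts = [(ECHO_REQUEST, "172.16.42.84", "10.1.255.255")]
    pkts += [(ECHO_REPLY, "10.1.1.%d" % i, "172.16.42.84") for i in range(1, 31)]
    pkts += [(ECHO_REQUEST, "10.1.1.5", "10.1.1.6"), (ECHO_REPLY, "10.1.1.6", "10.1.1.5")]
    return pkts
```

The victim-side check is the one worth running on a border router's accounting or sniffer output, since the victim never sent the requests and sees only the amplified replies.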

Ping of Death

IP ping (ICMP echo request) larger than 65535 bytes, the maximum IP datagram size. Transmitted in fragments that each look legal on their own. Crashes some operating systems on reassembly, when the reassembled datagram overruns the receiver's buffer.
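An added example, not code from the Cisco slides, covering the IP Fragmentation, Bad IP Packet and Ping of Death slides together: the single-packet checks (unknown protocol, land, tiny first fragment, last fragment past 65535) and the checks that need the whole fragment set (overlap, total size after reassembly). Fragment records are constructed; the protocol list and the 16-byte tiny-fragment cutoff are this example's own simplifications.

```python
"""Fragment and header sanity checks (added example, not Cisco code)."""
from dataclasses import dataclass
from typing import List

MAX_DATAGRAM = 65535          # Total Length is a 16-bit field
MIN_FIRST_FRAGMENT = 16       # first fragment should carry the whole transport header
KNOWN_PROTOCOLS = {1, 6, 17}  # ICMP, TCP, UDP; a real check would use the full IANA list


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int
    offset: int     # Fragment Offset field, in 8-byte units
    more: bool      # More Fragments flag
    length: int     # payload bytes in this fragment

    @property
    def start(self) -> int:
        return self.offset * 8

    @property
    def end(self) -> int:
        return self.start + self.length


def check_packet(f: Fragment) -> List[str]:
    """Checks that need only one packet (atomic, context-based signatures)."""
    findings = []
    if f.proto not in KNOWN_PROTOCOLS:
        findings.append("unknown-ip-protocol")
    if f.src == f.dst:
        findings.append("land")                 # impossible packet
    if f.offset == 0 and f.more and f.length < MIN_FIRST_FRAGMENT:
        findings.append("tiny-fragment")        # transport header split across fragments
    if f.end > MAX_DATAGRAM:
        findings.append("ping-of-death")        # Offset*8 + Length > 65535
    return findings


def check_fragment_set(frags: List[Fragment]) -> List[str]:
    """Checks that need the whole set (composite): overlap and size after reassembly."""
    findings = set()
    covered_to = 0
    for f in sorted(frags, key=lambda x: x.start):
        if f.start < covered_to:
            findings.add("overlapping-fragments")   # teardrop
        covered_to = max(covered_to, f.end)
    if covered_to > MAX_DATAGRAM:
        findings.add("ping-of-death")
    return sorted(findings)
```

Only the first function can run on a stateless router; the second is what the slides mean by stateful inspection, since it has to hold fragments until the set is complete.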

Loki Attack
Loki ICMP tunnel: Loki is a tool used to hide attacker traffic inside an ICMP tunnel, carrying commands and their output in the data field of ICMP echo request and echo reply messages so that they pass filters which allow ping. It requires root access (raw sockets) on both ends. Original Loki (Project Loki): Phrack Issue 49. Modified Loki (LOKI2), with encryption and an alternative UDP transport: Phrack Issue 51.

Transport Layer Attacks



TCP Attacks
TCP Traffic Records
TCP Port Scans
TCP Host Sweeps
Mail Attacks
FTP Attacks
Web Attacks
NetBIOS Attacks
SYN Flood & TCP Hijack Attacks
TCP Applications

TCP Port Scans


A TCP port scan occurs when one host searches for multiple TCP services on a single host.

Common scans use a normal TCP SYN.
Stealth scans use FIN, SYN-FIN, null, or PUSH flags and/or fragmented packets, which never complete a handshake and are less likely to be logged by the target.

TCP Port Scan Attacks

Port sweep: SYNs to ports < 1024; triggers when the type of sweep can't be determined
FIN port sweep: FINs to ports < 1024
Frag FIN port sweep: fragmented FINs to ports < 1024
SYN port sweep: SYNs to any ports
High port sweep: SYNs to ports > 1023; triggers when the type of sweep can't be determined
Frag SYN port sweep: fragmented SYNs to many ports
FIN high port sweep: FINs to ports > 1023
Frag high FIN port sweep: fragmented FINs to ports > 1023
SYN/FIN port sweep: SYN-FINs to any port
Frag SYN/FIN port sweep: fragmented SYN-FINs to any ports
Null port sweep: TCPs without SYN, FIN, ACK, or RST to any ports
Frag null port sweep: fragmented TCPs without SYN, FIN, ACK, or RST to any ports
Queso sweep: FIN, SYN/FIN, and a PUSH sent to one port (operating system fingerprinting probes)

TCP Host Sweeps


A TCP host sweep occurs when one host searches for a single TCP service on multiple hosts.

Common scans use a normal TCP SYN.
Stealth scans use FIN, SYN-FIN, and null flags and/or fragmented packets.

TCP Host Sweep Attacks


SYN host sweep: SYNs to the same port
Frag SYN host sweep: fragmented SYNs to the same port
FIN host sweep: FINs to the same port
Frag FIN host sweep: fragmented FINs to the same port
SYN/FIN host sweep: SYN-FINs to the same port
Frag SYN/FIN host sweep: fragmented SYN-FINs to the same port
NULL host sweep: TCPs without SYN, FIN, ACK, or RST to the same port
Frag NULL host sweep: fragmented packets without SYN, FIN, ACK, or RST to the same port
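An added example, not code from the Cisco slides, that turns the port-scan and host-sweep signature lists above into detection logic: it maps TCP flag combinations to the scan kinds named on the slides, then groups probes by (source, target) to find port scans and by (source, port) to find host sweeps. The probe records are constructed, and the thresholds for how many ports or hosts make a sweep are this example's own choices, not the values Cisco's IDS used.

```python
"""Classify TCP probes into port-sweep and host-sweep signatures (added example, not Cisco code)."""
from collections import defaultdict
from typing import List, Tuple

Probe = Tuple[str, str, int, str, bool]   # (src, dst, dport, flags, fragmented)


def probe_kind(flags: str) -> str:
    """Map a flag string (letters S, F, A, R, P, U) to the scan kinds used on the slides."""
    f = set(flags.upper())
    if not f & {"S", "F", "A", "R"}:
        return "NULL"                      # no SYN, FIN, ACK or RST
    if {"S", "F"} <= f:
        return "SYN/FIN"
    if "S" in f and "A" not in f:
        return "SYN"
    if "F" in f and "A" not in f:
        return "FIN"                       # FIN alone or with PSH/URG
    return "normal"                        # ACK-bearing segments of established sessions


def classify(probes: List[Probe], min_ports: int = 10, min_hosts: int = 10) -> List[str]:
    """Return signature names, e.g. 'FIN port sweep from A against B' or 'SYN host sweep from A on port 23'."""
    ports = defaultdict(set)   # (src, dst, kind, frag) -> ports probed: one target, many ports
    hosts = defaultdict(set)   # (src, dport, kind, frag) -> targets: one port, many hosts
    for src, dst, dport, flags, frag in probes:
        kind = probe_kind(flags)
        if kind == "normal":
            continue
        ports[(src, dst, kind, frag)].add(dport)
        hosts[(src, dport, kind, frag)].add(dst)

    findings = []
    for (src, dst, kind, frag), ps in ports.items():
        if len(ps) < min_ports:
            continue
        band = "high " if min(ps) > 1023 else ""
        if kind == "SYN":
            name = "High port sweep" if band else "Port sweep"
        else:
            name = "%s %sport sweep" % (kind, band)
        findings.append(("Frag " if frag else "") + name + " from %s against %s" % (src, dst))
    for (src, dport, kind, frag), hs in hosts.items():
        if len(hs) >= min_hosts:
            findings.append(("Frag " if frag else "") +
                            "%s host sweep from %s on port %d" % (kind, src, dport))
    return sorted(findings)


def sample_probes() -> List[Probe]:
    """Constructed: a FIN scan of 20 ports on one host, a SYN sweep for telnet across 12 hosts,
    and some ordinary ACK traffic that must not count."""
    scanner = "172.16.42.84"
    pr = [(scanner, "10.1.1.2", p, "F", False) for p in range(1, 21)]
    pr += [(scanner, "10.1.1.%d" % h, 23, "S", False) for h in range(1, 13)]
    pr += [("10.1.1.2", scanner, 1026, "A", False), ("10.1.1.2", scanner, 1026, "PA", False)]
    return pr
```

Grouping by flag kind and fragmentation separately is what lets the same data produce the distinct "Frag ..." and "FIN ..." signature names instead of one generic alarm.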

SYN Flood and TCP Hijacks

Half-Open SYN attack: DoS SYN flood attack, typically against ports 21, 23, 25, and 80

TCP Hijacking: access attack that attempts to take over an established TCP session

TCP Intercept Protects Networks Against Syn floods

1. Request intercepted: the router answers the client's SYN on the server's behalf
2. Connection established: once the client completes the handshake with the router, the router opens the connection to the server
3. Connection transferred: the two half-connections are joined and traffic flows end to end

TCP SYN flooding can overwhelm a server and cause it to deny service, exhaust memory, or waste processor cycles. TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination, so half-open connections from unreachable (spoofed) sources never reach the server. It can instead be configured to passively monitor TCP connection requests (watch mode) and send a reset if a connection fails to get established within a configurable interval.

TCP Intercept
Enable TCP Intercept (global configuration mode):
  access-list access-list-number {deny | permit} tcp any destination destination-wildcard
  ip tcp intercept list access-list-number

Set the TCP Intercept mode (global configuration mode):
  ip tcp intercept mode {intercept | watch}

Set the TCP Intercept drop mode:
  ip tcp intercept drop-mode {oldest | random}    ;default = oldest

Change the TCP Intercept timers:
  ip tcp intercept watch-timeout seconds          ;default = 30 seconds
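An added example, not Cisco's implementation, that simulates what the watch mode, watch-timeout and drop-mode settings above do to a table of half-open connections: an embryonic connection that is not completed within the watch timeout is reset, and when the table is full the oldest (or a random) entry is dropped to make room. The table size limit, the event strings and the class name are this example's own; IOS uses its own watermarks.

```python
"""TCP Intercept watch-mode simulation (added example, not Cisco code)."""
import random
from collections import OrderedDict
from typing import List, Optional, Tuple

Conn = Tuple[str, int, str, int]   # (client, client port, server, server port)


class TcpIntercept:
    def __init__(self, watch_timeout: float = 30.0, max_half_open: int = 3,
                 drop_mode: str = "oldest", rng: Optional[random.Random] = None):
        assert drop_mode in ("oldest", "random")
        self.watch_timeout = watch_timeout    # 'ip tcp intercept watch-timeout', default 30 s
        self.max_half_open = max_half_open    # example's own limit, not an IOS value
        self.drop_mode = drop_mode            # 'ip tcp intercept drop-mode {oldest | random}'
        self.rng = rng or random.Random(0)
        self.half_open = OrderedDict()        # conn -> time the SYN was seen, oldest first
        self.events: List[str] = []

    def _expire(self, now: float) -> None:
        """Reset half-open connections older than the watch timeout."""
        for conn, t0 in list(self.half_open.items()):
            if now - t0 > self.watch_timeout:
                del self.half_open[conn]
                self.events.append("RST %s:%d (watch-timeout)" % (conn[0], conn[1]))

    def _make_room(self) -> None:
        """Table full: drop one embryonic connection according to drop-mode."""
        if len(self.half_open) < self.max_half_open:
            return
        victim = (next(iter(self.half_open)) if self.drop_mode == "oldest"
                  else self.rng.choice(list(self.half_open)))
        del self.half_open[victim]
        self.events.append("RST %s:%d (%s)" % (victim[0], victim[1], self.drop_mode))

    def syn(self, conn: Conn, now: float) -> None:
        """A SYN passed through to the server; start watching it."""
        self._expire(now)
        if conn in self.half_open:
            return                            # retransmitted SYN, keep original timer
        self._make_room()
        self.half_open[conn] = now

    def ack(self, conn: Conn, now: float) -> bool:
        """Client's final ACK seen; True if the connection was still being watched."""
        self._expire(now)
        if self.half_open.pop(conn, None) is None:
            return False
        self.events.append("ESTABLISHED %s:%d" % (conn[0], conn[1]))
        return True
```

A SYN flood from spoofed, unreachable sources never produces the final ACK, so under this model every flood entry is cleared by the watch timeout or by the drop-mode eviction, while a legitimate client that completes the handshake in time is unaffected.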

TCP Hijacks
TCP hijacking works by correctly guessing sequence numbers so that injected segments are accepted as part of an existing session. Newer operating systems and firewalls reduce the problem by randomizing initial sequence numbers. TCP hijacking in simplex mode: one injected command followed by a RST to tear the session down.

Land.c Attack

Spoofed packet with the SYN flag set, sent to an open port, with source address/port equal to the destination address/port. Many operating systems lock up trying to complete a handshake with themselves.

UDP Attacks

UDP Traffic Records
UDP Port Scan
UDP Attacks
UDP Applications

UDP Port Scans

UDP port scan: one host searches for multiple UDP services on a single host.

UDP header: Source Port, Dest Port, Length, Checksum, Data...

UDP Attacks
UDP flood (signature disabled by default): many UDPs to the same host

UDP Bomb: UDP length field inconsistent with (less than) the IP length

Snork: Src port 135, 7, or 19; Dest port 135 (bounces traffic between RPC endpoint mappers or small servers)

Chargen DoS: Src port 7 (echo) & Dest port 19 (chargen); the two services answer each other endlessly

Reflexive Access Lists

Allow the packet-filtering mechanism to remember state: a temporary inbound entry is created when outbound traffic matches, and it permits only the return traffic of that session.
Reflexive ACLs are transparent until activated by matching traffic.
Protocol support: TCP, UDP.
Alternative to the established keyword, which only checks for the ACK or RST bit and can be fooled by crafted packets.
Available in Cisco IOS release 11.3.

Reflexive Access Lists


Outbound telnet session observed by the router (#1):
  IP header:  Source Addr 192.34.56.8, Destination Addr 200.150.50.111
  TCP header: Source Port 1026, Destination Port 23, Initial Sequence # 49091, SYN flag set

Resulting dynamic inbound entry (#2):
  permit tcp host 200.150.50.111 eq telnet host 192.34.56.8 eq 1026

The router monitors the outgoing connection and creates a dynamic permit in the inbound ACL using the reversed IP addresses and port numbers.
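An added example, not code from the Cisco slides, serving two slides at once: the anti-spoofing ingress list (access-list 111 from the "Spoofing: Access by Impersonation" slide) and the dynamic inbound entry a reflexive ACL builds for the telnet session above. It evaluates packets against Cisco-style entries with wildcard masks (a 1 bit means "don't care"), first match wins, implicit deny at the end. The class names and the packet dictionaries are this example's own.

```python
"""Cisco-style ACL evaluation with wildcard masks plus reflexive entries (added example, not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: bits set to 1 are ignored; 'any' is 0.0.0.0 255.255.255.255."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any), "tcp", "udp"
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    sport: Optional[int] = None      # None = any port
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt["dst"], self.dst, self.dst_wc):
            return False
        if self.sport is not None and pkt.get("sport") != self.sport:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Acl:
    entries: List[AclEntry] = field(default_factory=list)
    reflexive: List[AclEntry] = field(default_factory=list)   # dynamic entries, checked first

    def evaluate(self, pkt: dict) -> str:
        """First matching entry wins; every Cisco ACL ends with an implicit deny."""
        for e in self.reflexive + self.entries:
            if e.matches(pkt):
                return e.action
        return "deny"

    def reflect(self, outbound: dict) -> AclEntry:
        """Create the temporary inbound permit for an outbound session, addresses and ports reversed."""
        entry = AclEntry("permit", outbound["proto"],
                         src=outbound["dst"], src_wc="0.0.0.0", sport=outbound["dport"],
                         dst=outbound["src"], dst_wc="0.0.0.0", dport=outbound["sport"])
        self.reflexive.append(entry)
        return entry


def build_antispoof_acl() -> Acl:
    """access-list 111 from the spoofing slide, applied inbound on the Internet-facing interface."""
    return Acl(entries=[
        AclEntry("deny", "ip", src="127.0.0.0", src_wc="0.255.255.255"),   # loopback sources
        AclEntry("deny", "ip", src="10.1.0.0", src_wc="0.0.255.255"),      # inside sources from outside
        AclEntry("permit", "ip"),
    ])


def build_reflexive_inbound_acl() -> Acl:
    """Inbound list on the outside interface: nothing permitted until a session is reflected."""
    acl = Acl()
    acl.reflect({"proto": "tcp", "src": "192.34.56.8", "sport": 1026,
                 "dst": "200.150.50.111", "dport": 23})     # the telnet session on the slide
    return acl
```

The reflexive entry is deliberately narrow: it names both hosts and both ports, so a packet from the telnet server to any other inside port, or from any other outside host, still hits the implicit deny.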

Cisco IOS Firewall Feature Set


Enhanced Security for the Intelligent Internet

Context-Based Access Control (CBAC): stateful, per-application filtering; support for advanced protocols (H.323, SQLnet, RealAudio, etc.)
Denial of Service detection and prevention
Control downloading of Java applets
Real-time alerts
TCP/UDP transaction log
Configuration and management

What Is Context-Based Access Control (CBAC)?


Tracks the state and context of network connections to secure traffic flow
Inspects data coming into or leaving the router
Allows connections to be established by temporarily opening ports based on payload inspection (for example, the data-channel port negotiated inside an FTP control session)
Return packets are authorized for a particular connection only, via a temporary ACL entry

Cisco IOS Context-Based Access Control (CBAC) Application Support


Transparent support for common TCP/UDP Internet services, including: FTP, TFTP, SMTP, Java blocking, BSD R-cmds, Oracle SQL*Net, Remote Procedure Call (RPC), WWW, Telnet, SNMP, finger, etc.

Multimedia applications: VDOnet's VDO Live, RealNetworks' RealAudio, Intel's Internet Video Phone (H.323), Microsoft's NetMeeting (H.323), Xing Technologies' Streamworks, White Pine's CuSeeMe

Cisco IOS Firewall Feature Set


Per-user authentication and authorization (authentication proxy)
Intrusion detection technology
IP fragmentation defense
Dynamic per-application port mapping
Configurable alerts and audit trail
SMTP-specific attack detection
New CBAC application support: MS-Networking, MS NetShow

Cisco IOS Firewall: Authentication Proxy


HTTP-initiated authentication; once the user has authenticated, the resulting policy is valid for all types of application traffic
Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
Works on any interface type for inbound or outbound traffic

Cisco IOS Firewall: Authentication Proxy Operation


Topology: user on E0 of a Cisco IOS Firewall (Cisco 7200 series router), S0 toward the ISP and Internet, AAA server reachable from the router.

1. User issues an HTTP request
2. Router prompts for user ID and password
3. Router authenticates the user against the AAA server
4. Router downloads the user's profile and builds a dynamic ACL on the router
5. User refreshes/reloads the URL and the request passes

Application Layer Attacks



Mail
TCP port 25 (Dest Port=25). Attacks include: reconnaissance, access, DoS.

Mail Attacks
smail attack
sendmail invalid recipient
sendmail invalid sender
sendmail reconnaissance
Archaic sendmail attacks
sendmail decode alias
sendmail SPAM
Majordomo exec bug
MIME overflow bug
Qmail length crash

File Transfer Protocol (FTP)


TCP port 21 (Dest Port=21). Attacks include: reconnaissance, access.

FTP Attacks

FTP SITE command attempted
FTP SYST command attempted
FTP CWD ~root
FTP improper address specified (PORT command naming an address other than the client's)
FTP improper port specified (PORT command naming a privileged or unexpected port)

Web
TCP port 80 (Dest Port=80). Attacks include: access.

Web Attacks
phf attack
General cgi-bin attack
url file requested
glimpse server attack
IIS View Source Bug
IIS Hex View Source Bug
NPH-TEST-CGI Bug
TEST-CGI Bug
.lnk file requested
.bat file requested
HTML file has .url link
IIS DOT DOT VIEW Bug
IIS DOT DOT EXECUTE Bug
IIS DOT DOT DENIAL Bug
HTML file has .lnk link
HTML file has .bat link
campas attack

Web Attacks (cont.)


php view file Bug
SGI wrap bug
php buffer overflow
IIS Long URL Crash
Webdist Bug
Htmlscript Bug
Performer Bug
WebSite win-c-sample buffer overflow
WebSite uploader
Novell convert bug
finger attempt
Count Overflow
View Source CGI Bug
MLOG/MYLOG CGI Bug
Handler CGI Bug
Webgais Bug
WebSendmail Bug

DNS Attacks
UDP port 53. Attacks include: reconnaissance.

DNS HINFO request: potential reconnaissance (host hardware and operating system information)
DNS zone transfer request: potential reconnaissance (dumps every record in the zone)
DNS zone transfer from other port: transfer requested from a port different than 53
DNS request for all records: all records requested, not just one zone

Application Exploit Attacks


Sun Kill Telnet DOS: port 23
Finger Bomb: port 79
rlogin -froot: port 513
Imap Authenticate Overflow: port 143
Imap Login Overflow: port 143
Pop Overflow: port 110

Application Exploit Attacks (cont.)


Inn Overflow: port 119
Inn Control Message: port 119
IOS Command History Exploit: port 25
Cisco IOS Identity: port 1999
IOS Telnet buffer overflow: port 23

Server Message Blocks (SMB)

Native NT file-sharing protocol
Samba is a UNIX implementation of SMB
Common Internet File System (CIFS) is an extension of SMB

SMB TCP/UDP Ports

135 - Remote Procedure Call endpoint mapper (TCP and UDP)
137 - NetBIOS Name Service (UDP)
138 - NetBIOS Datagram Service (UDP)
139 - NetBIOS Session Service (TCP)

NetBIOS
TCP port 139 (Dest Port=139). Attacks include: reconnaissance, access, DoS.

NetBIOS Attacks
NETBIOS OOB data
NETBIOS Stat
NETBIOS Session Setup Failure
Windows Guest login
Windows Null Account Name
Windows Password File Access
Windows Registry Access
Windows RedButton

TCP Application Attacks


TCP application attacks are attacks against various TCP applications.

Capture password file: FTP RETR passwd
loadmodule attack: Telnet IFS=/ ; Rlogin IFS=/
Planting .rhosts: Telnet + + ; Rlogin + +
Accessing shadow passwd: Telnet /etc/shadow ; Rlogin /etc/shadow

UDP Application Attacks

Back Orifice: port 31337
Tftp passwd file attempt: port 69

RPC Services
RPC applications do not use well-known ports. They register with the portmapper, which listens on TCP/UDP port 111, and clients ask the portmapper where a service is listening:

  Client port 2488 -> Server port 111:  GET PORT # (for NFS)
  Server port 111  -> Client port 2488: USE PORT # 2049
  Client port 2488 -> Server port 2049: NFS REQUEST

Attacks include: reconnaissance, access, DoS.

RPC Attacks
RPC port registration: remotely registering a service that is not running
RPC dump: rpcinfo -p <host>
Proxied RPC request
RPC port unregistration: remotely unregistering a running service; bypasses RPC authentication

RPC Attacks (cont.)


RPC port sweeps: request a service on many ports on the same host, without asking the portmapper; stealth reconnaissance

Services probed: RSTATD, RUSERSD, NFS, MOUNTD, YPPASSWD, SELECTION SVC, REXD, STATUS, TTDB

RPC Attacks (cont.)


Portmapper requests: requests for services known to be exploited. In most cases these services should not be used; if they are needed, filter the signatures.

Services: ypserv, ypbind, yppasswd, ypupdated, ypxfrd, mountd, rexd

RPC Attack (cont.)


rexd attempt: accessing rexd, which allows remotely running commands; should not be allowed; unknown to some administrators

RPC services with buffer overflow vulnerabilities: statd, ttdb, mountd

Ident Attacks
TCP port 113

Ident (RFC 1413) lets a server ask the client's host which user owns a TCP connection. It was intended to counter hostname, address, and username spoofing, but since the client host itself supplies the answer, it cannot be relied on against a hostile client.

Ident buffer overflow: IDENT reply too large
Ident newline: IDENT reply with a newline plus more data
Ident improper request: IDENT request too long or for non-existent ports

IP Servers on Routers

Router commands to turn off the small servers (echo, discard, chargen, daytime on TCP; echo, discard, chargen on UDP), which serve no purpose on a router and can be abused in packet storms such as the chargen/echo loop:
  no service tcp-small-servers
  no service udp-small-servers

Trust Exploits

Spoofing Trusted User
Spoofing Trusted Host
Planting ~/.rhosts or hosts.equiv via Alternate Methods

Reconnaissance


Reconnaissance

Unauthorized discovery and mapping of systems, services, or vulnerabilities


Reconnaissance Methods

Common commands or administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl, and so on

Hacker tools: SATAN, NMAP, custom scripts, and so on

Discovering the Targets

Know thy target: domain name, IP address space (i.e. victim.com, 192.168.X.X); whois, nslookup

Ping sweeps: network mapping; identify potential targets

Ping Sweeps
ICMP network sweep with Echo: Type=8
ICMP network sweep with Timestamp: Type=13
ICMP network sweep with Address Mask: Type=17

Port Scans

Port scans (probing): determine services being offered (e.g. telnet, ftp, http, etc.)

Post port scan: determine operating system information; determine other information (e.g. usernames, hostnames, etc.)

TCP Port Scans


Many operating systems haven't implemented TCP/IP according to the letter of the law (the RFCs). They respond differently to TCP packets with various flags set, which lets a scanner fingerprint the operating system from the replies.

Network Address Translation


Inside network (hosts 10.1.1.2, 10.1.1.3) behind a router whose outside address is 132.22.2.1 on the Internet.

Inside Local IP Address   Inside Global IP Address
10.1.1.2                  132.22.2.100
10.1.1.3                  132.22.2.101

Hides internal addresses
Provides dynamic or static translation of private addresses to registered IP addresses
Supports true NAT, Overload (same as PAT), and

Network Address Translation


Each translation consumes approximately 160 bytes of memory
PAT (overload) translations limited to 4000 entries
Supports any TCP/UDP application that does not carry source and/or destination IP addresses in the payload
Application support for those that DO carry source and/or destination IP addresses in the payload: ICMP, FTP (including port and pasv commands), NetBIOS over TCP/IP (datagram, name, and session services), RealAudio, CuSeeMe, StreamWorks, DNS A and PTR records, NetMeeting, VDOLive, Vxtreme, IP Multicast (source address translation only)

Initial Access


Access

Unauthorized data manipulation, system access, or privileged escalation


Access Methods
Exploit easily guessed passwords: brute force, cracking tools

Exploit mis-administered services:
IP services (anonymous ftp, tftp, remote registry access, nis, and so on)
Trust relationships (spoofing, r-services, and so on)
File sharing (NFS, Windows File Sharing)

Access Methods (cont.)


Exploit application holes:
Mishandled input data: access outside the application domain, buffer overflows, race conditions
Protocol weaknesses: fragmentation, TCP session hijack

Trojan horses: programs that plant a backdoor into a host

Backdoors

BackOrifice: Win 95/98 server only; Windows and Unix clients; configurable ports (default UDP 31337); encrypted communications

BackOrifice ButtPlugs: plug-ins that allow new features to be added easily

Backdoors (cont)

NetBus (freeware): remote administration tool; listens on TCP ports 12345, 12346; trojan program; runs on Win95/98 and NT

Denial of Service Methods


Resource overload: disk space, bandwidth, buffers, ...
Ping flood: smurf, ...
SYN floods: neptune, synk4, ...
Packet storms: UDP bombs, fraggle, ...

Malformed-data crashes:
Oversized packets: ping of death, ...
Overlapped fragments: teardrop, ...
Unhandled out-of-band data: WinNuke, ...

Other Areas to Consider

Disable:
IP helper addresses: no ip helper-address
IP broadcasting: no ip broadcast-address, no ip directed-broadcast
Source routing: no ip source-route
r-commands: no ip rcmd rcp-enable, no ip rcmd rsh-enable
IDENT: no ip identd
CDP: no cdp run
Dynamic circuits: no frame-relay inverse-arp
Other features: no ip proxy-arp, no ip redirects

More Info

http://www.2600.com/
http://www.cultdeadcow.com/
http://www.l0pht.com/
http://www.hackernews.com/
http://www.cert.org/
http://www.sans.org/
http://www.rootshell.com/
http://www.securityfocus.com/
http://www.cisco.com/security

In Summary .

May You Live in Interesting Times!!

