Vulnerabilities, Attacks, and Common Exploits

Vulnerabilities, Attacks, and Common Exploits 371

The intruder in Figure 8-1 attacks the authorized users and hosts (or bastion host) behind a router by a number of methods, including the following:

•Ping of death—Attack that sends an improperly large ICMP echo request packet with the intent of overflowing the input buffers of the destination machine and causing it to crash. The IP protocol header field is set to 1, the last fragment bit is set, and the data length is greater than 65,535, which is greater than the maximum allowable IP packet size.

•TCP SYN Flood attacks—This form of DoS attack randomly opens up a number of TCP ports ensuring that network devices are using CPU cycles for bogus requests. By tying up valuable resources on the remote host, the CPU is tied up with bogus requests, and legitimate users experience poor network response or are denied access. This type of attack can make the host unusable.

•E-mail attacks—This form of DoS attack sends a random number of e-mails to a host. E-mail attacks try to fill an inbox with bogus e-mails, ensuring that the end user cannot send mail while thousands (or an e-mail bomb) of e-mails are received.

•CPU-intensive attacks—This DoS attack ties up systems’ resources by using programs such as TROJAN (a program designed to capture username/passwords from a network), or enabling viruses to disable remote systems.

•Teardrop—Exploits an overlapping IP fragment implementation bug in various operating systems. The bug causes the TCP/IP fragmentation reassembly code to improperly handle overlapping IP fragments causing the host to hang or crash.

•DNS poisoning—The attacker exploits the DNS server, causing the server to return a false IP address to a domain name query.

•UDP Bomb—Sends illegal length field in the packet header, causing Kernel panic and crash.

•Distributed Denial Of Service (DDoS)—These DoS attacks are run by multiple hosts. The attacker first compromises vulnerable hosts using various tools and techniques. Then, the actual DOS attack on a target is run from the pool of all the compromised hosts.

•Chargen attacks—Establish a User Datagram Protocol (UDP) service by producing a high-character input. This can cause congestion on a network.

•Attacks via dialup (out of band)—Applications such as Windows 95 have built-in vulnerabilities on data port 139 (known as WinNuke) if the intruders can ascertain the IP address.

•Land.C attacks—A program designed to send TCP SYN packets (TCP SYN is used in the TCP connection phase) that specifies the target’s host address as both source and destination. This program can use TCP port 113 or 139 (source/destination), which can also cause a system to stop functioning.

372 Chapter 8: Network Security Policies, Vulnerabilities, and Protection

DoS attacks are designed to send traffic to host systems so that they cannot respond to legitimate traffic by overwhelming the end device through a number of incomplete and illegal connections or requests. DoS attacks send more traffic than is possible to process and can send excessive mail requests, excessive UDP packets, and excessive Internet Control Message Protocol (ICMP) pings with very large data packet sizes to render a remote host unusable.

Many other known and unknown attacking methods and terms exist. Here are a few more you should be aware of for the written exam:

•Spoof attack—The attacker creates IP packets with an address found (or spoofed) from a legitimate source. This attack is powerful in situations where a router is connects to the Internet with one or more internal addresses. The real solution to this form of attack is to track down the source device and stop the attack.

•Smurf attack—Named after its exploit program and one of the most recent in the category of network-level attacks against hosts. In this attack, an intruder sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, which all have a victim’s spoofed source address. For more details, go to www.cert.org/advisories/CA-1998-01.html.

Smurf attacks include a primary and secondary victim and are extremely potent damaging to any IP network. Smurf attacks result in a large number of broadcast ICMP networks, and if routers are configured to forward, broadcasts can result in a degraded network and poor performance between the primary and secondary device. A quick solution is to disable IP-directed broadcasts.

•Man in the middle attack—Just as with packet sniffers and IP spoofing attacks, a bruteforce password attack can provide access to accounts that can be used to modify critical network files and services. An example that compromises your network’s integrity is an attacker modifying your network’s routing tables. By doing so, the attacker ensures that all network packets are routed to him before they are transmitted to their final destination. In such a case, an attacker can monitor all network traffic, effectively becoming a man in the middle.

•Birthday attack—Refers to a class of brute-force attacks. It gets its name from the surprising fact that the probability that two or more people in a group of 23 share the same birthday is greater than 50 percent; such a result is called a birthday paradox.

Intrusion Detection System

Intrusion detection systems (IDS) are designed to detect and thwart network attacks. Based on their location, they can be either of the following:

•Network IDS—Examines or sniffs every packet flowing across the network and generates an alarm upon detection of a network attack signature.

•Host IDS—Examines operating system information such as logs or system process, against a base line. When the system deviates from the normal values because of an attack, alarms are generated.

Intrusion Detection System 373

Chapter 6 defines some of the intrusion detection mechanisms you can use in an IP network, namely NetRanger.

Cisco IDS delivers a comprehensive, pervasive security solution for combating unauthorized intrusions, malicious Internet worms, and bandwidth and e-Business application attacks.

Recently, Cisco announced a number of new products to support IDS:

•Cisco IDS Host Sensor 2.5—Bolsters enterprise security by delivering unparalleled levels of protection and customization to customers

•Cisco IDS 4250 Appliance Sensor—Raises the performance bar for high-throughput gigabit protection in a performance-upgradable IDS chassis

•Cisco IDS 4235 Appliance Sensor—Provides enterprise-class intrusion protection at new price/performance levels

•Cisco IDS 3.1 Sensor Software—Delivers powerful web-based, embedded device management, graphical security analysis, and data mining capabilities

NOTE In addition to the Cisco IDS 4200 series of IDS appliances, Cisco also has the following IDS sensors:

•IOS with IDS feature set for routers

•Catalyst 6500 IDS module for switch-based sensor

•PIX Firewall with version 6.x with built-in IDS sensor

•Cisco IDS Host sensor for Windows, Solaris OS, and web servers, such as IIS and Apache

You are not expected to know these details for the written exam; they are presented here for completeness only.

Each Cisco IDS sensor can be configured to support a number of different signatures. A Signature Engine is a component of the Cisco IDS sensor designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of legal parameters that have allowable ranges or sets of values. Exploit signatures are an identifiable pattern of attack detected by your network device, such as a Cisco IDS Host sensor.

Table 8-1 displays the signature lists and descriptions available with Cisco IDS version 3.1.

IDS can be used, for example, to detect spam e-mail and still allow regular e-mail. Most ISPs do not detect or remove spam e-mail, so it is up to the security administrator to ensure that spam e-mail is not permitted or used as a DoS attack.

374 Chapter 8: Network Security Policies, Vulnerabilities, and Protection

Table 8-1 Cisco IDS Signature Engines*

*The information in Table 8-1 is from Table 1 at the Cisco web page, www.cisco.com/en/US/partner/products/sw/ secursw/ps2113/prod_technical_reference09186a00800d9dd5.html#56785.