Опубликованный материал нарушает ваши авторские права? Сообщите нам.
Вуз: Предмет: Файл:
CCIE Self Study CCIE Security Exam Certification Guide - Cisco press.pdf
10.23 Mб

Vulnerabilities, Attacks, and Common Exploits 369

Vulnerabilities, Attacks, and Common Exploits

This section covers some of the vulnerabilities in TCP/IP and the tools used to exploit IP networks.

TCP/IP is an open standard protocol, which means that both network administrators and intruders are aware of the TCP/IP architecture and vulnerabilities.

NOTE There are a number of network vulnerabilities, such as password protection, lack of authentication mechanism, use of unprotected routing protocols, and firewall holes. This section concentrates on TCP/IP vulnerabilities.

Network intruders can capture, manipulate, and replay data. Intruders typically try to cause as much damage to a network as possible by using the following methods:

Vandalizing—Accessing the web server and altering web pages.

Manipulating data—Altering the files on a network device.

Masquerading—Manipulating TCP/IP segments to pretend to be at a valid IP address.

Session replay—Capturing, altering, and replaying a sequence of packets to causes unauthorized access. This method identifies weaknesses in authentication.

Session hijacking—Defining himself with a valid IP address after a session has been established to the real IP address by spoofing IP packets and manipulating the sequence number in IP packets.

Rerouting—Routing packets from one source to an intruder source; altering routing updates to send IP packets to an incorrect destination, allowing the intruder to read and use the IP data inappropriately.

The following are some of the attacking methods intruders use:

Probes and scans

Denial-of-Service (DoS) attacks (covered in more detail later)


Malicious code (such as viruses)

As described in Chapter 6, “Operating Systems and Cisco Security Applications,” network scanners and tools are available to both network administrators and intruders. These tools can be used and placed at strategic points in the network to gain access to sensitive data. NetSonar, for example, can be used to find network vulnerabilities and can, therefore, be used by intruders to do as much harm as it does network administrators good if you aren’t aware of these vulnerabilities.

370 Chapter 8: Network Security Policies, Vulnerabilities, and Protection

DoS attacks are the most common form of attack used by intruders and can take many forms. The intruder’s goal is to ultimately deny access to authorized users and tie up valuable system resources.

Figure 8-1 displays several techniques deployed in DoS attacks.

Figure 8-1 Forms of Denial of Service Attack

Denial of Service (DoS)

attacks include

-TCP SYN flood attacks -WinNuke -Land.C

-Ping of Death

-Chargen Attacks

-DNS Poisoning

Private Network

Host or

Bastion Hosts


Vulnerable Cisco

IOS Router



Figure 8-1 displays a typical network scenario with a router connected to the Internet and all users have access to hosts in a public domain. A bastion host is a computer or host, such as a UNIX host, that plays a critical role in enforcing any organization’s network security policy.

Bastion hosts are typically highly secured (including physically in secure computer rooms), as these hosts are vulnerable to attacks because they are exposed to untrusted or unknown networks and are the first line of defense. Bastion hosts often provide services to Internet users, such as Web services (WWW), and public access systems, such as FTP or SMTP mail. Because these computers are likely to be attacked, they are often referred to as sacrificial hosts.

Vulnerabilities, Attacks, and Common Exploits 371

The intruder in Figure 8-1 attacks the authorized users and hosts (or bastion host) behind a router by a number of methods, including the following:

Ping of death—Attack that sends an improperly large ICMP echo request packet with the intent of overflowing the input buffers of the destination machine and causing it to crash. The IP protocol header field is set to 1, the last fragment bit is set, and the data length is greater than 65,535, which is greater than the maximum allowable IP packet size.

TCP SYN Flood attacks—This form of DoS attack randomly opens up a number of TCP ports ensuring that network devices are using CPU cycles for bogus requests. By tying up valuable resources on the remote host, the CPU is tied up with bogus requests, and legitimate users experience poor network response or are denied access. This type of attack can make the host unusable.

E-mail attacks—This form of DoS attack sends a random number of e-mails to a host. E-mail attacks try to fill an inbox with bogus e-mails, ensuring that the end user cannot send mail while thousands (or an e-mail bomb) of e-mails are received.

CPU-intensive attacks—This DoS attack ties up systems’ resources by using programs such as TROJAN (a program designed to capture username/passwords from a network), or enabling viruses to disable remote systems.

Teardrop—Exploits an overlapping IP fragment implementation bug in various operating systems. The bug causes the TCP/IP fragmentation reassembly code to improperly handle overlapping IP fragments causing the host to hang or crash.

DNS poisoning—The attacker exploits the DNS server, causing the server to return a false IP address to a domain name query.

UDP Bomb—Sends illegal length field in the packet header, causing Kernel panic and crash.

Distributed Denial Of Service (DDoS)—These DoS attacks are run by multiple hosts. The attacker first compromises vulnerable hosts using various tools and techniques. Then, the actual DOS attack on a target is run from the pool of all the compromised hosts.

Chargen attacks—Establish a User Datagram Protocol (UDP) service by producing a high-character input. This can cause congestion on a network.

Attacks via dialup (out of band)—Applications such as Windows 95 have built-in vulnerabilities on data port 139 (known as WinNuke) if the intruders can ascertain the IP address.

Land.C attacks—A program designed to send TCP SYN packets (TCP SYN is used in the TCP connection phase) that specifies the target’s host address as both source and destination. This program can use TCP port 113 or 139 (source/destination), which can also cause a system to stop functioning.

372 Chapter 8: Network Security Policies, Vulnerabilities, and Protection

DoS attacks are designed to send traffic to host systems so that they cannot respond to legitimate traffic by overwhelming the end device through a number of incomplete and illegal connections or requests. DoS attacks send more traffic than is possible to process and can send excessive mail requests, excessive UDP packets, and excessive Internet Control Message Protocol (ICMP) pings with very large data packet sizes to render a remote host unusable.

Many other known and unknown attacking methods and terms exist. Here are a few more you should be aware of for the written exam:

Spoof attack—The attacker creates IP packets with an address found (or spoofed) from a legitimate source. This attack is powerful in situations where a router is connects to the Internet with one or more internal addresses. The real solution to this form of attack is to track down the source device and stop the attack.

Smurf attack—Named after its exploit program and one of the most recent in the category of network-level attacks against hosts. In this attack, an intruder sends a large amount of ICMP echo (ping) traffic to IP broadcast addresses, which all have a victim’s spoofed source address. For more details, go to www.cert.org/advisories/CA-1998-01.html.

Smurf attacks include a primary and secondary victim and are extremely potent damaging to any IP network. Smurf attacks result in a large number of broadcast ICMP networks, and if routers are configured to forward, broadcasts can result in a degraded network and poor performance between the primary and secondary device. A quick solution is to disable IP-directed broadcasts.

Man in the middle attack—Just as with packet sniffers and IP spoofing attacks, a bruteforce password attack can provide access to accounts that can be used to modify critical network files and services. An example that compromises your network’s integrity is an attacker modifying your network’s routing tables. By doing so, the attacker ensures that all network packets are routed to him before they are transmitted to their final destination. In such a case, an attacker can monitor all network traffic, effectively becoming a man in the middle.

Birthday attack—Refers to a class of brute-force attacks. It gets its name from the surprising fact that the probability that two or more people in a group of 23 share the same birthday is greater than 50 percent; such a result is called a birthday paradox.

Intrusion Detection System

Intrusion detection systems (IDS) are designed to detect and thwart network attacks. Based on their location, they can be either of the following:

Network IDS—Examines or sniffs every packet flowing across the network and generates an alarm upon detection of a network attack signature.

Host IDS—Examines operating system information such as logs or system process, against a base line. When the system deviates from the normal values because of an attack, alarms are generated.

Intrusion Detection System 373

Chapter 6 defines some of the intrusion detection mechanisms you can use in an IP network, namely NetRanger.

Cisco IDS delivers a comprehensive, pervasive security solution for combating unauthorized intrusions, malicious Internet worms, and bandwidth and e-Business application attacks.

Recently, Cisco announced a number of new products to support IDS:

Cisco IDS Host Sensor 2.5—Bolsters enterprise security by delivering unparalleled levels of protection and customization to customers

Cisco IDS 4250 Appliance Sensor—Raises the performance bar for high-throughput gigabit protection in a performance-upgradable IDS chassis

Cisco IDS 4235 Appliance Sensor—Provides enterprise-class intrusion protection at new price/performance levels

Cisco IDS 3.1 Sensor Software—Delivers powerful web-based, embedded device management, graphical security analysis, and data mining capabilities

NOTE In addition to the Cisco IDS 4200 series of IDS appliances, Cisco also has the following IDS sensors:

IOS with IDS feature set for routers

Catalyst 6500 IDS module for switch-based sensor

PIX Firewall with version 6.x with built-in IDS sensor

Cisco IDS Host sensor for Windows, Solaris OS, and web servers, such as IIS and Apache

You are not expected to know these details for the written exam; they are presented here for completeness only.

Each Cisco IDS sensor can be configured to support a number of different signatures. A Signature Engine is a component of the Cisco IDS sensor designed to support many signatures in a certain category. An engine is composed of a parser and an inspector. Each engine has a set of legal parameters that have allowable ranges or sets of values. Exploit signatures are an identifiable pattern of attack detected by your network device, such as a Cisco IDS Host sensor.

Table 8-1 displays the signature lists and descriptions available with Cisco IDS version 3.1.

IDS can be used, for example, to detect spam e-mail and still allow regular e-mail. Most ISPs do not detect or remove spam e-mail, so it is up to the security administrator to ensure that spam e-mail is not permitted or used as a DoS attack.

374 Chapter 8: Network Security Policies, Vulnerabilities, and Protection

Table 8-1 Cisco IDS Signature Engines*

Signature Engine





Simple ICMP alarms based on the following parameters: type, code,


sequence, and ID




Simple alarms based on the decoding of Layer 3 options




Simple Layer 3 IP alarms




Simple TCP packet alarms based on the following parameters: port,


destination, and flags




Simple UDP packet alarms based on the following parameters: port,


direction, and data length




ICMP floods directed at a single host




UDP floods directed at a single host




Multiprotocol floods directed at a network segment




Connections to multiple ports using TCP SYN




Domain Name Service (DNS) packet analyzer on TCP port 53 (includes


compression handler)




UDP-based DNS signatures




Remote Procedure Call (RPC) program number sent to port mapper




Simple RPC alarms based on the following parameters: program,


procedure, and length




Stateful HTTP protocol decode-based string search (includes anti-evasive


URL deobfuscation)




Specialized STRING.TCP alarms for Web traffic (includes anti-evasive


URL deobfuscation)




Generic ICMP-based string search engine




Generic TCP-based string search engine




Generic UDP-based string search engine




A single host sweeping a range of nodes using ICMP




A single host sweeping a range of nodes using TCP




TCP connections to multiple destination ports between two nodes




UDP connections to multiple destination ports between two nodes




Connections to multiple ports with RPC requests between two nodes



*The information in Table 8-1 is from Table 1 at the Cisco web page, www.cisco.com/en/US/partner/products/sw/ secursw/ps2113/prod_technical_reference09186a00800d9dd5.html#56785.

Соседние файлы в предмете Сети и Телекоммуникации