
Securing Routers Against Hackers and Denial of Service Attacks

Presentation Transcript


  1. Securing Routers Against Hackers and Denial of Service Attacks Lou Ronnau lpr@cisco.com

  2. Outline • IP Refresher • Attack Types • Network Layer Attacks • Transport Layer Attacks • Application Layer Attacks

  3. Outline (cont.) • Reconnaissance • Initial Access • Questions

  4. IP Refresher

  5. TCP/IP Protocol Stack (diagram): the OSI Reference Model layers Application, Presentation, Session, Transport, Network, Data Link, Physical, shown beside the IP Conceptual Layers Application, Transport, Internet, Network Interface (Ethernet, 802.3, 802.5, ATM, FDDI, and so on).

  6. Internet Layer Refresher (diagram): the Internet layer carries the Internet Control Message Protocol (ICMP), Internet Protocol (IP), Address Resolution Protocol (ARP) and Reverse Address Resolution Protocol (RARP). IP Datagram fields: VERS, HLEN, Type of Service, Total Length, ID, Flags, Frag Offset, TTL, Protocol, Header Checksum, Src IP Address, Dst IP Address, IP Options, Data.

  7. Transport Layer Refresher (diagram): the Transport layer carries the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP Segment Format: Src Port, Dst Port, Seq #, Ack #, HLEN, Reserved, Code Bits, Window, Check Sum, Urgent Ptr, Option, Data. UDP Segment Format: Src Port, Dst Port, Length, Check Sum, Data.

  8. Port Numbers (diagram): application-layer services mapped to their transport-layer ports. TCP: Telnet 23, SMTP 25, DNS 53, HTTP 80, SSL 443. UDP: DNS 53, TFTP 69.

  9. Application Layer Refresher • Web Browsing (HTTP, SSL) • File Transfer (FTP, TFTP, NFS, File Sharing) • E-Mail (SMTP, POP2, POP3) • Remote Login (Telnet, rlogin) • Name Management (DNS) • Microsoft Networking Services (diagram: Application layer shown above Transport, Internet and Network Interface)

  10. Attack Types

  11. Attack Types (diagram): attacks are classified by Context (Header) versus Content (Data), and by “Atomic” (single packet) versus “Composite” (multiple packets). Context (Header) examples: Port Sweep, SYN Attack, TCP Hijacking, Ping of Death, Land Attack. Content (Data) examples: Telnet Attacks, Character Mode Attacks, MS IE Attack, E-mail Attacks.

  12. Attack Types (cont.) • Reconnaissance • Host scan, port scan, SMTP VRFY • Access • Spoofing, session hijacking • Denial of service • SYN attacks, ping-of-death, teardrop, WinNuke • Privilege escalation • MS IE%2ASP, ftp cwd ~root

  13. Demystifying Common Attacks (diagram, attacks placed by layer) • Application: Java, ActiveX, and Script Execution; E-Mail EXPN; WinNuke • Transport: SYN Flood, UDP Bomb, Port Scan, Land.c • Internet: Ping Flood, Ping of Death, IP Spoof, Address Scanning, Source Routing • Network Interface: Sniffer/Decoding, MAC Address Spoofing

  14. Network Layer Attacks

  15. IP Layer Attacks • IP Options • IP Fragmentation • Bad IP packets • Spoofed Addresses (diagram: the IP layer highlighted in the Application / TCP / UDP / IP / Data Link / Physical stack)

  16. IP Fragmentation Attacks • IP Fragment Attack • Offset value too small • Indicates unusually small packet • May bypass some packet filter devices • IP Fragments Overlap • Offset value indicates overlap • Teardrop attack (diagram: IP header with the Flg and Frag Offset fields highlighted)

  17. IP Fragmentation • Routers and Internet Gateways are stateless devices • Improperly fragmented packets are forwarded normally with other traffic • Requires “stateful inspection”

  18. Bad IP Packet Attacks • Unknown IP Protocol • Proto=invalid or undefined • Impossible IP Packet • Same source and destination • Land attack (diagram: IP header with the Proto, Source IP and Destination IP fields highlighted)

  19. IP Address Spoofing • Source IP address set to that of a trusted host or nonexistent host • Access-lists applied at the source are the only protection • Best applied at the connection to the Internet

  20. Spoofing: Access by Impersonation
  interface Serial 1
   ip address 172.26.139.2 255.255.255.252
   ip access-group 111 in
   no ip directed-broadcast
  !
  interface ethernet 0/0
   ip address 10.1.1.100 255.255.0.0
   no ip directed-broadcast
  access-list 111 deny ip 127.0.0.0 0.255.255.255 any
  access-list 111 deny ip 10.1.0.0 0.0.255.255 any
  access-list 111 permit ip any any
  (Diagram: an outside host at 172.16.42.84 sends a packet toward the internal host 10.1.1.2 with a spoofed source, IP (D=10.1.1.2 S=10.1.1.1); access-list 111, applied inbound on Serial 1, matches the 10.1.0.0 deny entry and drops it.)
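The following is an added illustration (not code from the presentation or from Cisco) of how the slide's access-list 111 is evaluated against a source address: first matching entry wins, an exhausted list means an implicit deny, and a wildcard mask is an inverse mask. It models only the source-address test of each entry; the `any` destination and the `ip` protocol keyword are assumed to match everything.

```python
import ipaddress

# Constructed mirror of the slide's access-list 111 (source-address part only).
# A wildcard bit of 1 means "don't care"; 0 means the address bit must match.
ACL_111 = [
    ("deny",   "127.0.0.0", "0.255.255.255"),    # loopback can never arrive from outside
    ("deny",   "10.1.0.0",  "0.0.255.255"),      # our own prefix arriving on the Internet link
    ("permit", "0.0.0.0",   "255.255.255.255"),  # "any"
]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Cisco wildcard (inverse) mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF              # bits that must agree
    return (a & care) == (b & care)

def evaluate(acl, src: str) -> str:
    """Walk the list top down; the first entry that matches decides, else implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

def check_ingress(acl, packets):
    """Verdict per source address for (src, dst) pairs arriving inbound on Serial 1."""
    return {src: evaluate(acl, src) for src, _dst in packets}

# Constructed traffic: the spoofed packet from the slide's diagram (claims 10.1.1.1),
# a loopback source, and the genuine outside host 172.16.42.84.
SAMPLE = [("10.1.1.1", "10.1.1.2"), ("127.0.0.1", "10.1.1.2"), ("172.16.42.84", "10.1.1.2")]

if __name__ == "__main__":
    for src, verdict in check_ingress(ACL_111, SAMPLE).items():
        print(f"{src:15} -> {verdict}")
```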

  21. IP Options • IP Header • 20 bytes • IP Options • Adds up to 40 additional bytes • Only 8 valid options (diagram: the fixed header fields Ver, Len, Serv, Length, Identification, Flg, Frag Offset, TTL, Proto, Checksum, Source IP, Destination IP, followed by the variable-length Options and then the Data payload)

  22. IP Options (cont.) (diagram: bit layout of an option, with the type octet split into CP, Class and Option #, followed by Length (if used) and Parameters...) • Copy: 0—don’t include options in packet fragments 1—include options in packet fragments • Class: 0—Network Control 2—Debugging • Option: one of eight valid options • Length: number of bytes in option (if used by option) • Parameters: parameters passed by the option • Last option is always option 0.

  23. IP Options (cont.) • option #2 rarely used • option #4 rarely used • option #7 used to record the route (gateways) that a packet has traversed • option #8 rarely used • Option # / Option Name: 0 End of Options; 1 No Operation; 2 Security; 3 Loose Source Rte; 4 Timestamp; 7 Record Route; 8 Stream ID; 9 Strict Source Rte

  24. IP Source Routing • two options: #3 loose source routing and #9 strict source routing • can be used to bypass filters (acls) • some machines with multiple interfaces route s/r packets even with ip forwarding turned off • router command: no ip source-route
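As an added example (not from the presentation), this parser walks the option area of an IPv4 header using the option layout from the previous slides (copy bit, class, option number, length) and pulls the gateway list out of a Loose or Strict Source Route option, which is the kind of packet `no ip source-route` makes a router discard. The `build_header` helper and the LSRR sample are constructed here for the demonstration; the pointer-then-addresses layout of the option payload is assumed from RFC 791.

```python
import struct

# Option numbers from the slide's table (RFC 791 numbering); 3 and 9 are source routing.
OPTION_NAMES = {0: "End of Options", 1: "No Operation", 2: "Security",
                3: "Loose Source Rte", 4: "Timestamp", 7: "Record Route",
                8: "Stream ID", 9: "Strict Source Rte"}
SOURCE_ROUTE = {3, 9}

def parse_options(header: bytes):
    """Walk the IPv4 options area; return a list of (copy, class, number, payload)."""
    ihl = (header[0] & 0x0F) * 4            # header length in bytes; 20 means no options
    options, i = [], 20
    while i < ihl:
        t = header[i]
        copy, cls, num = t >> 7, (t >> 5) & 0x3, t & 0x1F
        if num == 0:                        # End of Options terminates the list
            options.append((copy, cls, num, b""))
            break
        if num == 1:                        # No Operation is a single byte
            options.append((copy, cls, num, b""))
            i += 1
            continue
        length = header[i + 1] if i + 1 < ihl else 0
        if length < 2 or i + length > ihl:  # Length must stay inside the header
            raise ValueError("malformed option length")
        options.append((copy, cls, num, header[i + 2:i + length]))
        i += length
    return options

def source_route_hops(header: bytes):
    """Gateway list from an LSRR/SSRR option, or None when the packet carries none."""
    for _copy, _cls, num, payload in parse_options(header):
        if num in SOURCE_ROUTE:
            addrs = payload[1:]             # payload[0] is the pointer; then 4-byte addresses
            return [".".join(map(str, addrs[k:k + 4])) for k in range(0, len(addrs) - 3, 4)]
    return None

def build_header(options: bytes) -> bytes:
    """Constructed IPv4 header (checksum left zero) carrying options padded to 4 bytes."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0x1234, 0,
                        64, 1, 0, bytes([172, 16, 42, 84]), bytes([10, 1, 1, 2]))
    return fixed + options

# Constructed LSRR option: type 0x83 (copy=1, class 0, option #3), length 7, pointer 4, one hop.
LSRR_HEADER = build_header(bytes([0x83, 7, 4, 192, 0, 2, 1]))
PLAIN_HEADER = build_header(b"")            # ihl=5: no options at all
```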

  25. ICMP Attacks • ICMP Traffic Records • Ping Sweeps • ICMP Attacks (diagram: the IP layer highlighted in the Application / TCP / UDP / IP / Data Link / Physical stack)

  26. ICMP Query Message (diagram: ICMP header fields Type, Code, Checksum, Identifier, Sequence #, followed by Data...) • Type: 0—Echo Reply; 8—Echo Request; 13—Timestamp Request; 14—Timestamp Reply; 15—Information Request; 16—Information Reply; 17—Address Mask Request; 18—Address Mask Reply • Code: codes associated with each ICMP type • Checksum: checksum value of header fields (exc. checksum)

  27. ICMP Query Message (cont.) • Echo Reply • Type=0 • Echo Request • Type=8 • Timestamp Request • Type=13 • Timestamp Reply • Type=14 (diagram: IP header with Proto=ICMP, followed by the ICMP Type, Code and Checksum fields with Type highlighted)

  28. ICMP Error Message (diagram: ICMP header fields Type, Code, Checksum, Unused, then the IP Header + 8 bytes of the Original Datagram Data) • Type: 3—Destination Unreachable; 4—Source Quench; 5—Redirect; 11—Time Exceeded; 12—Parameter Problem • Code: codes associated with each ICMP type • Checksum: checksum value of header fields (exc. checksum)

  29. ICMP Error Messages • Unreachable • Type=3 • Source Quench • Type=4 • Redirect • Type=5 • Time Exceeded • Type=11 • Parameter Problem • Type=12 (diagram: IP header with Proto=ICMP, followed by the ICMP Type, Code and Checksum fields with Type highlighted)

  30. ICMP Attacks • Fragmented ICMP packet • Flag=more fragments or Offset ≠ 0 • ICMP Floods • Many ICMP packets • To single host (diagram: IP header with the Length field highlighted, Proto=ICMP, followed by the ICMP Type, Code and Checksum fields)

  31. ICMP Attacks (cont.) • ICMP Smurf attack • Type=0 (echo reply) • Many packets • To single host • ICMP Ping Of Death • Flag=last fragment • Offset*8 + Length > 65535 (diagram: IP header with the Flg, Frag Offset and Proto fields highlighted, followed by the ICMP Type, Code and Checksum fields with Type highlighted)

  32. Smurfs • ICMP echo request with spoofed source address • Destination address set to the network broadcast address of a network (so called ping amplifier) • All hosts on the pinged network reply to the spoofed address • interface command: no ip directed-broadcast

  33. Ping of Death • IP ping > 65535 bytes (ICMP echo request) • Transmitted in fragments • Crashes some operating systems on reassembly

  34. Loki Attack • Loki ICMP tunnel • Original Loki • Phrack Issue 51 • Modified Loki ICMP tunneling • Modified Loki version • Loki is a tool used to hide hacker traffic inside ICMP tunnel. It requires root access.

  35. Transport Layer Attacks

  36. TCP Attacks • TCP Traffic Records • TCP Port Scans • TCP Host Sweeps • Mail Attacks • FTP Attacks • Web Attacks • NetBIOS Attacks • SYN Flood & TCP Hijack Attacks • TCP Applications (diagram: the Application and TCP layers highlighted in the Application / TCP / UDP / IP / Data Link / Physical stack)

  37. TCP Port Scans • A TCP Port Scan occurs when one host searches for multiple TCP services on a single host. • Common scans • use normal TCP-SYN • Stealth scans • use FIN, SYN-FIN, null, or PUSH • and/or fragmented packets (diagram: IP header with Proto=TCP, followed by the TCP header fields Source Port, Dest Port, Source Sequence Number, Acknowledge Sequence Num, Len, Res, Flags, Window, Checksum, Urgent Pointer)

  38. TCP Port Scan Attacks • FIN port sweep • FINs to ports < 1024 • Frag FIN port sweep • Fragmented FINs to ports < 1024 • High port sweep • SYNs to ports > 1023 • Triggers when type of sweep can’t be determined • FIN High port sweep • FINs to ports > 1023 • Port Sweep • SYNs to ports < 1024 • Triggers when type of sweep can’t be determined • SYN Port Sweep • SYNs to any ports • Frag SYN Port Sweep • Fragmented SYNs to many ports

  39. TCP Port Scan Attacks(cont.) • SYN FIN port sweep • SYN-FINs to any port • Frag SYN/FIN port sweep • Fragmented SYN/FINs to any ports • Queso sweep • FIN, SYN/FIN, and a PUSH • Frag High FIN port sweep • Fragmented FINs to ports > 1023 • Null port sweep • TCPs without SYN, FIN, ACK, or RST to any ports • Frag Null port sweep • Fragmented TCPs without SYN, FIN, ACK, or RST to any ports

  40. TCP Host Sweeps • A TCP Host Sweep occurs when one host searches for a single TCP service on multiple hosts. • Common scans • use normal TCP-SYN • Stealth scans • use FIN, SYN-FIN, and null • and/or fragmented packets (diagram: IP header with Proto=TCP, followed by the TCP header fields Source Port, Dest Port, Source Sequence Number, Acknowledge Sequence Num, Len, Res, Flags, Window, Checksum, Urgent Pointer)

  41. TCP Host Sweep Attacks • SYN host sweep • SYNs to same port • Frag SYN host sweep • Fragmented SYNs to same port • FIN host sweep • FINs to same port • Frag FIN host sweep • Fragmented FINs to same port • NULL host sweep • TCPs without SYN, FIN, ACK, or RST to same port • Frag NULL host sweep • Fragmented packets without SYN, FIN, ACK, or RST to same port • SYN/FIN host sweep • SYN-FINs to same port • Frag SYN/FIN host sweep • Fragmented SYN-FINs to same port
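The following is an added detection example (not code from the presentation) covering slides 37 to 41: each probe is classified by its TCP flag bits into the SYN, FIN, SYN-FIN and null families, prefixed with "frag-" when it arrived fragmented, and then counted as a port scan (one source, one target, many ports) or a host sweep (one source, one port, many targets). The thresholds, the flag encoding and the sample traffic are constructed for this illustration.

```python
from collections import defaultdict

# TCP flag bits as they sit in the Code Bits field.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def probe_type(flags: int) -> str:
    """Map a segment's flag byte onto the sweep families named in the slides."""
    if flags & ACK:
        return "normal"                           # part of an established exchange
    if flags & (SYN | FIN) == SYN | FIN:
        return "syn-fin"
    if flags & SYN:
        return "syn"
    if flags & FIN:
        return "fin"
    if flags & (SYN | FIN | ACK | RST) == 0:
        return "null"                             # also catches a PUSH-only (Queso) probe
    return "other"

def detect(segments, port_threshold=5, host_threshold=5):
    """Group probes by source; report port sweeps and host sweeps above the thresholds.
    segments: iterable of (src_ip, dst_ip, dst_port, flags, fragmented)."""
    ports = defaultdict(set)    # (src, dst, kind) -> distinct ports: a port sweep
    hosts = defaultdict(set)    # (src, port, kind) -> distinct hosts: a host sweep
    for src, dst, dport, flags, fragmented in segments:
        kind = probe_type(flags)
        if kind == "normal":
            continue
        if fragmented:
            kind = "frag-" + kind
        ports[(src, dst, kind)].add(dport)
        hosts[(src, dport, kind)].add(dst)
    alerts = []
    for (src, dst, kind), seen in ports.items():
        if len(seen) >= port_threshold:
            band = "high" if min(seen) > 1023 else "low"   # the slides' <1024 / >1023 split
            alerts.append(f"{kind} port sweep ({band} ports) {src} -> {dst}")
    for (src, dport, kind), seen in hosts.items():
        if len(seen) >= host_threshold:
            alerts.append(f"{kind} host sweep {src} -> port {dport} on {len(seen)} hosts")
    return sorted(alerts)

# Constructed sample: a FIN scan of five low ports on one host, a fragmented SYN sweep of
# port 23 across six hosts, and an ordinary ACK/PSH segment that must not alert.
SAMPLE = (
    [("198.51.100.9", "10.1.1.2", p, FIN, False) for p in (21, 22, 23, 25, 80)]
    + [("198.51.100.9", f"10.1.1.{h}", 23, SYN, True) for h in range(10, 16)]
    + [("10.1.1.2", "10.1.1.3", 80, ACK | PSH, False)]
)
```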

  42. SYN Flood and TCP Hijacks • Half-Open SYN attack • DoS-SYN flood attack • Ports 21, 23, 25, and 80 • TCP Hijacking • Access-attempt to take over a TCP session

  43. TCP Intercept Protects Networks Against SYN floods (diagram: Request Intercepted → Connection Established → Connection Transferred) • TCP SYN flooding can overwhelm a server and cause it to deny service, exhaust memory or waste processor cycles • TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination • Can be configured to passively monitor TCP connection requests and respond if a connection fails to get established within a configurable interval

  44. TCP Intercept • Enable TCP Intercept (global configuration mode) • access-list access-list-number {deny | permit} tcp any destination destination-wildcard • ip tcp intercept list access-list-number • Set the TCP Intercept Mode (global configuration mode) • ip tcp intercept mode {intercept | watch} • Set TCP Intercept Drop Mode • ip tcp intercept drop-mode {oldest | random} ;def=oldest • Change the TCP Intercept Timers • ip tcp intercept watch-timeout seconds ;def=30 seconds

  45. TCP Hijacks • TCP Hijacking • Works by correctly guessing sequence numbers • Newer O/S’s & firewalls eliminate problem by randomizing sequence numbers • TCP Hijacking Simplex Mode • One command followed by RST

  46. Land.c Attack • Spoofed packet with SYN flag set • Sent to open port • SRC addr/port same as DST addr/port • Many operating systems lock up

  47. UDP Attacks • UDP Traffic Records • UDP Port Scan • UDP Attacks • UDP Applications (diagram: the Application and UDP layers highlighted in the Application / TCP / UDP / IP / Data Link / Physical stack)

  48. UDP Port Scans • UDP port scans • One host searches for multiple UDP services on a single host (diagram: IP header with Proto=UDP, followed by the UDP header fields Source Port, Dest Port, Length, Checksum and Data...)

  49. UDP Attacks • UDP flood (disabled) • Many UDPs to same host • UDP Bomb • UDP length < IP length • Snork • Src=135, 7, or 19; Dest=135 • Chargen DoS • Src=7 & Dest=19 (diagram: IP header with Proto=UDP, followed by the UDP header fields Source Port, Dest Port, Length, Checksum and Data...)
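An added example (not from the presentation) that applies the "bad IP packet" rules of slide 18 (unknown protocol number, same source and destination) and the UDP signatures of slide 49 (UDP Bomb length mismatch, Snork and Chargen port pairs) to raw packet bytes. The `KNOWN_PROTOCOLS` table is deliberately limited to the protocols the slides cover, and `build_udp` plus the sample packets are constructed for this illustration.

```python
import struct

KNOWN_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # constructed whitelist for the demo

def parse_ipv4(pkt: bytes):
    """Return (ihl, total_len, proto, src, dst, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, proto = struct.unpack("!H", pkt[2:4])[0], pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    return ihl, total_len, proto, src, dst, pkt[ihl:total_len]

def bad_packet_checks(pkt: bytes) -> list:
    """Apply the slides' bad-IP-packet and UDP signature rules to one packet."""
    ihl, total_len, proto, src, dst, payload = parse_ipv4(pkt)
    alerts = []
    if proto not in KNOWN_PROTOCOLS:
        alerts.append("unknown-ip-protocol")
    if src == dst:
        alerts.append("land")                    # impossible packet: source equals destination
    if proto == 17 and len(payload) >= 8:
        sport, dport, udp_len = struct.unpack("!HHH", payload[:6])
        if udp_len != total_len - ihl:           # UDP Bomb: Length field disagrees with IP length
            alerts.append("udp-bomb")
        if dport == 135 and sport in (135, 7, 19):
            alerts.append("snork")
        if sport == 7 and dport == 19:
            alerts.append("chargen-dos")         # echo and chargen bounce traffic forever
    return alerts

def build_udp(src, dst, sport, dport, data=b"", udp_len=None, proto=17):
    """Constructed IPv4+UDP packet (checksums zero); udp_len overrides the true length."""
    udp_len = 8 + len(data) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + data
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp

# Constructed samples: an ordinary DNS query, a Land-style packet, a UDP Bomb whose Length
# field understates the datagram, a Snork probe, and an unassigned protocol number.
SAMPLES = {
    "dns":     build_udp("10.1.1.5", "10.1.1.2", 40000, 53, b"\x00" * 12),
    "land":    build_udp("10.1.1.2", "10.1.1.2", 7, 7),
    "bomb":    build_udp("10.1.1.5", "10.1.1.2", 1024, 7, b"\x00" * 16, udp_len=8),
    "snork":   build_udp("10.1.1.5", "10.1.1.2", 19, 135),
    "unknown": build_udp("10.1.1.5", "10.1.1.2", 1, 1, proto=253),
}
```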

  50. Reflexive Access Lists • Protocol support—TCP, UDP • Alternative to the established keyword • Available in Cisco IOS release 11.3 • Allows the packet filtering mechanism to remember state • Reflexive ACLs are transparent until activated by matching traffic
