5/12/2018 Attacks Ronnau - slidepdf.com
http://slidepdf.com/reader/full/attacks-ronnau 1/102
© 1999, Cisco Systems, Inc. 1-1
Securing Routers Against Hackers and Denial of Service Attacks
Lou Ronnau
Outline
IP Refresher
Attack Types
Network Layer Attacks
Transport Layer Attacks
Application Layer Attacks
Outline (cont.)
Reconnaissance
Initial Access
Questions
IP Refresher
TCP/IP Protocol Stack
[Figure: the seven OSI Reference Model layers (Application, Presentation, Session, Transport, Network, Data Link, Physical) beside the four IP conceptual layers (Application, Transport, Internet, Network Interface: Ethernet, 802.3, 802.5, ATM, FDDI, and so on)]
Internet Layer Refresher
[Figure: IP datagram header fields: VERS, HLEN, Type of Service, Total Length, ID, Flags, Frag Offset, TTL, Protocol, Header Checksum, Src IP Address, Dst IP Address, IP Options, Data]
Internet layer protocols: Internet Protocol (IP), Internet Control Message Protocol (ICMP), Address Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP)
Transport Layer Refresher
Transport layer protocols: Transmission Control Protocol (TCP), User Datagram Protocol (UDP)
[Figure: TCP segment format: Src Port, Dst Port, Seq #, Ack #, HLEN, Reserved, Code Bits, Window, Checksum, Urgent Ptr, Option, Data]
[Figure: UDP segment format: Src Port, Dst Port, Length, Checksum, Data]
Port Numbers
Application layer service and its transport layer port number:
TCP: Telnet 23, SMTP 25, DNS 53, HTTP 80, SSL 443
UDP: DNS 53, TFTP 69
Application Layer Refresher
Web Browsing (HTTP, SSL)
File Transfer (FTP, TFTP, NFS, File Sharing)
E-Mail (SMTP, POP2, POP3)
Remote Login (Telnet, rlogin)
Name Management (DNS)
Microsoft Networking Services
Attack Types
Attack Types
[Figure: attack taxonomy matrix. One axis: Context (Header) versus Content (Data); the other: “Atomic” (single packet) versus “Composite” (multiple packets). Examples placed on the matrix: Ping of Death, Land Attack, Port Sweep, SYN Attack, TCP Hijacking, MS IE Attack, E-mail Attacks, Telnet Attacks, Character Mode Attacks]
Attack Types (cont.)
Reconnaissance
• Host scan, port scan, SMTP VRFY
Access
• Spoofing, session hijacking
Denial of service
• SYN attacks, ping-of-death, teardrop, WinNuke
Privilege escalation
• MS IE%2ASP, ftp cwd ~root
Demystifying Common Attacks
[Figure: common attacks placed on the TCP/IP stack (Application, Transport, Internet, Network Interface): Java, ActiveX, and Script Execution; E-Mail EXPN; WinNuke; SYN Flood; UDP Bomb; Port Scan; Land.c; Ping Flood; Ping of Death; IP Spoof; Address Scanning; Source Routing; Sniffer/Decoding; MAC Address Spoofing]
Network Layer Attacks
IP Layer Attacks
[Figure: TCP/IP stack with the IP layer highlighted]
• IP Options
• IP Fragmentation
• Bad IP packets
• Spoofed Addresses
IP Fragmentation Attacks
IP Fragment Attack
• Offset value too small
• Indicates unusually small packet
• May bypass some packet filter devices
IP Fragments Overlap
• Offset value indicates overlap
• Teardrop attack
[Figure: IP header (Ver, Len, Serv, Length, Identification, Flg, Frag Offset, TTL, Proto, Checksum, Source IP, Destination IP, Options, Data) with the Frag Offset field highlighted]
IP Fragmentation
Routers and Internet gateways are stateless devices
Improperly fragmented packets are forwarded normally with other traffic
Catching them requires “stateful inspection”
Bad IP Packet Attacks
Unknown IP Protocol
• Proto=invalid or undefined
Impossible IP Packet
• Same source and destination
• Land attack
[Figure: IP header with the Proto, Source IP and Destination IP fields highlighted]
IP Address Spoofing
Source IP address set to that of a trusted host or nonexistent host
Access-lists applied at the source are the only protection
Best applied at the connection to the Internet
Spoofing: Access by Impersonation
interface Serial 1
 ip address 172.26.139.2 255.255.255.252
 ip access-group 111 in
 no ip directed-broadcast
!
interface ethernet 0/0
 ip address 10.1.1.100 255.255.0.0
 no ip directed-broadcast
!
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 deny ip 10.1.0.0 0.0.255.255 any
access-list 111 permit ip any any
[Figure: a packet IP (D=10.1.1.2 S=10.1.1.1) arrives from the Internet side (external host 172.16.42.84 shown) carrying a spoofed inside source address, bound for inside host 10.1.1.2; access-list 111 on Serial 1 denies it]
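To show what the three access-list 111 lines above actually decide, here is an added evaluator (not from the slides) that applies Cisco wildcard-mask matching to candidate source addresses; the parser only handles the `access-list N {permit|deny} ip SRC WILDCARD any` form used on the slide, and the sample addresses are constructed.

```python
# Added example (not from the slides): evaluate the anti-spoofing access-list
# 111 shown above against candidate source addresses, using Cisco wildcard-mask
# semantics (a 1 bit in the wildcard means "don't care about this bit").
import ipaddress
from typing import List, Tuple

# Rule = (action, source network as int, wildcard mask as int)
Rule = Tuple[str, int, int]

def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse 'access-list N {permit|deny} ip SRC WILDCARD any' lines.
    Only the source-address form used on the slide is supported (assumption)."""
    rules: List[Rule] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0].lower() != "access-list" or parts[3] != "ip":
            continue
        action = parts[2].lower()
        if parts[4] == "any":
            net, wild = 0, 0xFFFFFFFF          # 'any' == 0.0.0.0 255.255.255.255
        else:
            net = int(ipaddress.IPv4Address(parts[4]))
            wild = int(ipaddress.IPv4Address(parts[5]))
        rules.append((action, net, wild))
    return rules

def wildcard_match(addr: int, net: int, wild: int) -> bool:
    """Bits set in the wildcard are ignored; every other bit must match."""
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)

def acl_decision(rules: List[Rule], src: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    a = int(ipaddress.IPv4Address(src))
    for action, net, wild in rules:
        if wildcard_match(a, net, wild):
            return action
    return "deny"

ACL_111 = [
    "access-list 111 deny ip 127.0.0.0 0.255.255.255 any",
    "access-list 111 deny ip 10.1.0.0 0.0.255.255 any",
    "access-list 111 permit ip any any",
]
RULES = parse_acl(ACL_111)

if __name__ == "__main__":
    # The spoofed packet from the figure (S=10.1.1.1) is dropped on the way in,
    # while a genuine external source such as 172.16.42.84 is permitted.
    for src in ("10.1.1.1", "127.0.0.1", "172.16.42.84", "10.2.3.4"):
        print(src, "->", acl_decision(RULES, src))
```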
[Figure: IP header (Ver, Len, Serv, Length, Identification, Flg, Frag Offset, TTL, Proto, Checksum, Source IP, Destination IP) followed by the Options area and the payload]
IP Options
• IP Header
– 20 bytes
• IP Options
– Adds up to 40 additional bytes
– Only 8 valid options
IP Options (cont.)
[Figure: option layout, bits 0 to 7 of each byte. First byte: CP | Class | Option #. Then Length (if used) and Parameters... The final byte x 0 0 0 0 0 0 0 is option 0, End of Options]
Copy:
0—don’t include options in packet fragments
1—include options in packet fragments
Class:
0—Network Control
2—Debugging
Option: one of eight valid options
Length: number of bytes in option (if used by option)
Parameters: parameters passed by the option
Last option is always option 0.
IP Options (cont.)
Option # Option Name
0 End of Options
1 No Operation
2 Security
3 Loose Source Rte
4 Timestamp
7 Record Route
8 Stream ID
9 Strict Source Rte
Option #2 rarely used
Option #4 rarely used
Option #7 used to record the route (gateways) that a packet has traversed
Option #8 rarely used
IP Source Routing
Two options: #3 loose source routing and #9 strict source routing
Can be used to bypass filters (ACLs)
Some machines with multiple interfaces route source-routed packets even with IP forwarding turned off
Router command: no ip source-route
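The option layout from the two preceding slides, decoded in an added example (not from the slides) that walks the options area and flags the two source-routing options a router configured with `no ip source-route` drops; the sample bytes are constructed and the hop address 172.26.139.2 is borrowed from the earlier configuration.

```python
# Added example (not from the slides): decode the IP options area laid out on
# the preceding slides (copy bit, class, option number, length, parameters)
# and report the loose/strict source route options.
from typing import Dict, List

OPTION_NAMES = {0: "End of Options", 1: "No Operation", 2: "Security",
                3: "Loose Source Rte", 4: "Timestamp", 7: "Record Route",
                8: "Stream ID", 9: "Strict Source Rte"}
SOURCE_ROUTE = {3, 9}

def parse_ip_options(opts: bytes) -> List[Dict]:
    """Decode the variable-length options that follow the 20-byte IP header."""
    out: List[Dict] = []
    i = 0
    while i < len(opts):
        b = opts[i]
        copy, cls, num = b >> 7, (b >> 5) & 0x3, b & 0x1F
        entry = {"copy": copy, "class": cls, "number": num,
                 "name": OPTION_NAMES.get(num, "unknown")}
        if num in (0, 1):                 # single-byte options, no length field
            out.append(entry)
            i += 1
            if num == 0:
                break                     # End of Options terminates the list
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d truncated: no length byte" % num)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (num, length))
        entry["length"] = length
        entry["params"] = opts[i + 2:i + length]
        if num in SOURCE_ROUTE:
            # source route parameters: a pointer byte, then 4-byte hop addresses
            hops = entry["params"][1:]
            entry["route"] = [".".join(str(x) for x in hops[j:j + 4])
                              for j in range(0, len(hops) - len(hops) % 4, 4)]
        out.append(entry)
        i += length
    return out

def uses_source_routing(opts: bytes) -> bool:
    """True if a packet carries option #3 or #9 and should be dropped."""
    return any(o["number"] in SOURCE_ROUTE for o in parse_ip_options(opts))

# Constructed sample: a Loose Source Route option (type byte 0x83 = copy bit
# set, class 0, option 3) with one hop 172.26.139.2, then End of Options.
SAMPLE_LSRR = bytes([0x83, 7, 4, 172, 26, 139, 2, 0])
```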
ICMP Attacks
[Figure: TCP/IP stack with the IP layer highlighted]
• ICMP Traffic Records
• Ping Sweeps
• ICMP Attacks
ICMP Query Message
[Figure: ICMP query message header, bits 0 to 7 of each byte: Type, Code, Checksum, Identifier, Sequence #, then Data]
Type:
0—Echo Reply
8—Echo Request
13—Timestamp Request
14—Timestamp Reply
15—Information Request
16—Information Reply
17—Address Mask Request
18—Address Mask Reply
Code: codes associated with each ICMP type
Checksum: checksum value of header fields (exc. checksum)
ICMP Query Message (cont.)
Echo Reply
• Type=0
Echo Request
• Type=8
Timestamp Request
• Type=13
Timestamp Reply
• Type=14
[Figure: IP header followed by the ICMP header (Type, Code, Checksum) with the Type field highlighted]
ICMP Error Message
[Figure: ICMP error message header, bits 0 to 7 of each byte: Type, Code, Checksum, Unused, then the IP Header + 8 bytes of Original Datagram Data]
Type:
3—Destination Unreachable
4—Source Quench
5—Redirect
11—Time Exceeded
12—Parameter Problem
Code: codes associated with each ICMP type
Checksum: checksum value of header fields (exc. checksum)
ICMP Error Messages
Unreachable
• Type=3
Source Quench
• Type=4
Redirect
• Type=5
Time Exceeded
• Type=11
Parameter Problem
• Type=12
[Figure: IP header followed by the ICMP header (Type, Code, Checksum) with the Type field highlighted]
ICMP Attacks
Fragmented ICMP packet
• Flag=more fragments or Offset ≠ 0
ICMP Floods
• Many ICMP packets
• To single host
[Figure: IP header followed by the ICMP header (Type, Code, Checksum) with the IP Length field highlighted]
ICMP Attacks (cont.)
ICMP Smurf attack
• Type=0 (echo reply)
• Many packets
• To single host
ICMP Ping Of Death
• Flag=last fragment
• Offset*8 + Length > 65535
[Figure: IP header followed by the ICMP header (Type, Code, Checksum) with the Proto, Flg and Frag Offset fields highlighted]
Smurfs
ICMP echo request with spoofed source address
Destination address set to the network broadcast address of a network (so-called ping amplifier)
All hosts on the pinged network reply to the spoofed address
Interface command: no ip directed-broadcast
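Two defender-side checks for the smurf pattern just described, as an added example (not from the slides) run over constructed ICMP traffic records of the form (src, dst, icmp_type): one catches echo requests aimed at a local broadcast address (the packet `no ip directed-broadcast` stops a router forwarding), the other catches a host receiving replies from many sources it never pinged. The subnet and the three-source threshold are assumptions.

```python
# Added example (not from the slides): amplifier-side and victim-side checks
# for the smurf pattern, over constructed (src, dst, icmp_type) records.
import ipaddress
from collections import defaultdict
from typing import Iterable, List, Set, Tuple

Record = Tuple[str, str, int]          # (source IP, destination IP, ICMP type)
ECHO_REQUEST, ECHO_REPLY = 8, 0

def is_directed_broadcast(dst: str, local_nets: Iterable[str]) -> bool:
    """True if dst is the broadcast address of one of our subnets, i.e. the
    packet `no ip directed-broadcast` keeps a router from forwarding."""
    d = ipaddress.IPv4Address(dst)
    return any(d == ipaddress.IPv4Network(n).broadcast_address for n in local_nets)

def amplifier_requests(records: Iterable[Record], local_nets: Iterable[str]) -> List[Record]:
    """Echo requests aimed at one of our broadcast addresses: we are being
    used as the ping amplifier."""
    nets = list(local_nets)
    return [r for r in records if r[2] == ECHO_REQUEST and is_directed_broadcast(r[1], nets)]

def smurf_victims(records: Iterable[Record], min_sources: int = 3) -> Set[str]:
    """Hosts receiving echo replies from at least min_sources addresses they
    never sent a request to: the victim side of a smurf."""
    sent_to = defaultdict(set)         # host -> addresses it pinged
    replies = defaultdict(set)         # host -> addresses replying to it
    for src, dst, typ in records:
        if typ == ECHO_REQUEST:
            sent_to[src].add(dst)
        elif typ == ECHO_REPLY:
            replies[dst].add(src)
    return {h for h, srcs in replies.items()
            if len(srcs - sent_to.get(h, set())) >= min_sources}

# Constructed traffic: the attacker spoofs 10.1.1.2 as the source of a request
# to the broadcast address of 192.168.5.0/24; five hosts there reply to 10.1.1.2.
# The last two records are an ordinary ping exchange that must not be flagged.
SAMPLE: List[Record] = (
    [("10.1.1.2", "192.168.5.255", ECHO_REQUEST)]
    + [("192.168.5.%d" % i, "10.1.1.2", ECHO_REPLY) for i in range(10, 15)]
    + [("10.1.1.7", "10.1.1.9", ECHO_REQUEST), ("10.1.1.9", "10.1.1.7", ECHO_REPLY)]
)
LOCAL_NETS = ["192.168.5.0/24"]       # assumed: the subnet behind our router
```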
Ping of Death
IP ping > 65535 bytes (ICMP echo request)
Transmitted in fragments
Crashes some operating systems on reassembly
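The per-packet IP header checks from the IP fragmentation, bad IP packet, Land and Ping of Death slides above, gathered into one added example (not from the slides): it decodes the fixed IPv4 header, applies the stateless tests (same source and destination, unknown protocol, Offset*8 + Length > 65535, fragment offset too small) and keeps the small amount of reassembly state needed to spot overlapping fragments. The 16-byte minimum, the set of known protocols and the packet builder are assumptions made for this example.

```python
# Added example (not from the slides): IPv4 header checks for the Land,
# unknown-protocol, tiny-fragment, teardrop and Ping of Death cases.
import struct
from typing import Dict, List, Tuple

KNOWN_PROTOS = {1, 6, 17}      # ICMP, TCP, UDP: the protocols the slides cover
MAX_DATAGRAM = 65535           # largest total length an IPv4 datagram may have
MIN_FRAG_BYTES = 16            # assumed: a boundary inside the first 16 bytes of
                               # the transport header splits ports/flags across
                               # fragments, which is how filters get bypassed

def parse_ipv4(pkt: bytes) -> Dict:
    """Decode the fixed 20-byte IPv4 header into the fields the slides name."""
    if len(pkt) < 20:
        raise ValueError("truncated IP header")
    (vihl, _tos, total, ident, flg_off, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    return {
        "version": vihl >> 4, "ihl": ihl, "total_length": total, "id": ident,
        "mf": bool(flg_off & 0x2000),              # "more fragments" flag
        "frag_offset": (flg_off & 0x1FFF) * 8,     # the field counts 8-byte units
        "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "payload_len": total - ihl,
    }

def check_packet(h: Dict) -> List[str]:
    """Stateless checks a router or packet filter can apply to one packet."""
    alerts: List[str] = []
    if h["src"] == h["dst"]:
        alerts.append("land: same source and destination")
    if h["proto"] not in KNOWN_PROTOS:
        alerts.append("unknown ip protocol %d" % h["proto"])
    if h["frag_offset"] + h["payload_len"] > MAX_DATAGRAM:
        alerts.append("ping of death: offset*8 + length > 65535")
    fragmented = h["mf"] or h["frag_offset"] > 0
    if fragmented and 0 < h["frag_offset"] < MIN_FRAG_BYTES:
        alerts.append("fragment offset too small: lands inside transport header")
    if fragmented and h["frag_offset"] == 0 and h["payload_len"] < MIN_FRAG_BYTES:
        alerts.append("first fragment too small to hold transport header")
    return alerts

class FragmentTracker:
    """Byte ranges seen per datagram, so an overlapping fragment (the teardrop
    pattern) can be reported. A plain router keeps no such state, which is
    why the slides call for stateful inspection."""
    def __init__(self) -> None:
        self.seen: Dict[Tuple, List[Tuple[int, int]]] = {}

    def add(self, h: Dict) -> bool:
        """Record a fragment; return True if it overlaps one already seen."""
        if not h["mf"] and h["frag_offset"] == 0:
            return False                           # not a fragment at all
        key = (h["src"], h["dst"], h["id"], h["proto"])
        start, end = h["frag_offset"], h["frag_offset"] + h["payload_len"]
        ranges = self.seen.setdefault(key, [])
        overlap = any(start < e and s < end for s, e in ranges)
        ranges.append((start, end))
        return overlap

def _addr(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))

def build_ipv4(src: str, dst: str, proto: int, payload_len: int,
               ident: int = 1, mf: bool = False, offset_units: int = 0) -> bytes:
    """Constructed test packet: a 20-byte header (checksum left zero) plus a
    zero-filled payload of the requested length."""
    flg_off = (0x2000 if mf else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flg_off, 64, proto, 0, _addr(src), _addr(dst))
    return hdr + bytes(payload_len)
```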
Loki Attack
Loki is a tool used to hide hacker traffic inside an ICMP tunnel. It requires root access.
Loki ICMP tunnel
• Original Loki
• Phrack Issue 51
Modified Loki ICMP tunneling
• Modified Loki version
Transport Layer Attacks
TCP Attacks
• TCP Traffic Records
• TCP Port Scans
• TCP Host Sweeps
• Mail Attacks
• FTP Attacks
• Web Attacks
• NetBIOS Attacks
• SYN Flood & TCP Hijack Attacks
• TCP Applications
[Figure: TCP/IP stack with the TCP layer highlighted]
TCP Port Scans
A TCP Port Scan occurs when one host searches for multiple TCP services on a single host.
• Common scans
– use normal TCP-SYN
• Stealth scans
– use FIN, SYN-FIN, null, or PUSH
– and/or fragmented packets
[Figure: IP header followed by TCP header (Source Port, Dest Port, Source Sequence Number, Acknowledge Sequence Num, Len, Res, Flags, Window, Checksum, Urgent Pointer)]
TCP Port Scan Attacks
Port Sweep
• SYNs to ports < 1024
• Triggers when type of sweep can’t be determined
SYN Port Sweep
• SYNs to any ports
Frag SYN Port Sweep
• Fragmented SYNs to many ports
FIN port sweep
• FINs to ports < 1024
Frag FIN port sweep
• Fragmented FINs to ports < 1024
High port sweep
• SYNs to ports > 1023
• Triggers when type of sweep can’t be determined
FIN High port sweep
• FINs to ports > 1023
TCP Port Scan Attacks(cont.)
Frag High FIN port sweep
• Fragmented FINs to ports > 1023
Null port sweep
• TCPs without SYN, FIN, ACK, or RST to any ports
Frag Null port sweep
• Fragmented TCPs without SYN, FIN, ACK, or RST to any ports
SYN FIN port sweep
• SYN-FINs to any port
Frag SYN/FIN port sweep
• Fragmented SYN/FINs to any ports
Queso sweep
• FIN, SYN/FIN, and a PUSH
TCP Host Sweeps
A TCP Host Sweep occurs when one host searches for a single TCP service on multiple hosts.
• Common scans
– use normal TCP-SYN
• Stealth scans
– use FIN, SYN-FIN, and null
– and/or fragmented packets
[Figure: IP header followed by TCP header (Source Port, Dest Port, Source Sequence Number, Acknowledge Sequence Num, Len, Res, Flags, Window, Checksum, Urgent Pointer)]
TCP Host Sweep Attacks
SYN host sweep
• SYNs to same port
Frag SYN host sweep
• Fragmented SYNs to same port
FIN host sweep
• FINs to same port
Frag FIN host sweep
• Fragmented FINs to same port
NULL host sweep
• TCPs without SYN, FIN, ACK, or RST to same port
Frag NULL host sweep
• Fragmented packets without SYN, FIN, ACK, or RST to same port
SYN/FIN host sweep
• SYN-FINs to same port
Frag SYN/FIN host sweep
• SYN-FINs to same port
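The port-sweep and host-sweep categories from the last four slides, applied in one added example (not from the slides): it names each probe by its TCP flag combination, then reports a port sweep (one source, many ports on one host), a host sweep (one source, one port on many hosts), the "High port" and "Frag" variants, and the Queso FIN, SYN/FIN, PUSH sequence. Records are constructed in the form (src, dst, dst_port, tcp_flags, fragmented); the threshold of five probes is an assumption.

```python
# Added example (not from the slides): classify TCP probes into the sweep
# categories listed on the preceding slides.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
Record = Tuple[str, str, int, int, bool]   # (src, dst, dst_port, flags, fragmented)

def probe_kind(flags: int) -> str:
    """Name the probe the way the slides do; 'normal' is ordinary traffic."""
    if flags & SYN and flags & FIN:
        return "SYN/FIN"
    if flags & (SYN | FIN | ACK | RST) == 0:
        return "PUSH" if flags & PSH else "Null"   # nothing a real handshake sends
    if flags == SYN:
        return "SYN"
    if flags == FIN:
        return "FIN"
    return "normal"

def classify_sweeps(records: List[Record], threshold: int = 5) -> List[str]:
    # (src, kind, fragmented) -> dst -> set of ports probed
    probes: Dict[Tuple[str, str, bool], Dict[str, Set[int]]] = \
        defaultdict(lambda: defaultdict(set))
    # (src, dst, port) -> kinds seen, for the Queso fingerprint sequence
    seq: Dict[Tuple[str, str, int], Set[str]] = defaultdict(set)
    for src, dst, dport, flags, frag in records:
        kind = probe_kind(flags)
        if kind == "normal":
            continue
        probes[(src, kind, frag)][dst].add(dport)
        seq[(src, dst, dport)].add(kind)

    alerts: List[str] = []
    for (src, kind, frag), dsts in probes.items():
        label = ("Frag " if frag else "") + kind
        by_port: Dict[int, Set[str]] = defaultdict(set)
        for dst, ports in dsts.items():
            if len(ports) >= threshold:              # many services on one host
                r = "High port" if min(ports) > 1023 else "port"
                alerts.append("%s %s sweep: %s -> %s (%d ports)"
                              % (label, r, src, dst, len(ports)))
            for p in ports:
                by_port[p].add(dst)
        for p, hosts in by_port.items():
            if len(hosts) >= threshold:              # one service on many hosts
                alerts.append("%s host sweep: %s -> port %d on %d hosts"
                              % (label, src, p, len(hosts)))
    for (src, dst, dport), kinds in seq.items():
        if {"FIN", "SYN/FIN", "PUSH"} <= kinds:      # Queso OS-fingerprint probes
            alerts.append("Queso sweep: %s -> %s:%d" % (src, dst, dport))
    return alerts

# Constructed sample traffic from one scanning host plus one normal reply.
SAMPLE: List[Record] = (
    [("172.16.42.84", "10.1.1.2", p, SYN, False) for p in (21, 23, 25, 80, 110)]
    + [("172.16.42.84", "10.1.1.2", p, FIN, False) for p in range(8080, 8085)]
    + [("172.16.42.84", "10.1.1.%d" % i, 23, SYN, True) for i in range(10, 15)]
    + [("172.16.42.84", "10.1.1.3", 80, f, False) for f in (FIN, SYN | FIN, PSH)]
    + [("10.1.1.5", "10.1.1.2", 80, SYN | ACK, False)]
)
```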
SYN Flood and TCP Hijacks
Half-Open SYN attack
• DoS-SYN flood attack
• Ports 21, 23, 25, and 80
TCP Hijacking
• Access-attempt to take over a TCP session
TCP Intercept Protects Networks Against SYN Floods
[Figure: request intercepted, connection established, connection transferred]
TCP SYN flooding can overwhelm a server and cause it to deny service, exhaust memory or waste processor cycles
TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination
Can be configured to passively monitor TCP connection requests and respond if a connection fails to get established in a configurable interval
TCP Intercept
Enable TCP Intercept (global configuration mode)
• access-list access-list-number {deny | permit} tcp any destination destination-wildcard
• ip tcp intercept list access-list-number
Set the TCP Intercept Mode (global configuration mode)
• ip tcp intercept mode {intercept | watch}
Set TCP Intercept Drop Mode
• ip tcp intercept drop-mode {oldest | random} ;def=oldest
Change the TCP Intercept Timers
• ip tcp intercept watch-timeout seconds ;def=30 seconds
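A toy model of the behaviour the two TCP Intercept slides describe, as an added example (not from the slides and not IOS code): in intercept mode the router holds the half-open connection itself and hands it to the server only when the client completes the handshake; in watch mode the SYN passes through and the router resets any embryonic connection that is still incomplete after the watch-timeout; when half-open connections pile up, entries are dropped in the configured drop-mode (oldest or random). The high-water mark of four half-open connections, the event interface and the constructed SYN/ACK events are assumptions.

```python
# Added example (not from the slides): model of TCP Intercept's intercept and
# watch modes, drop-mode and watch-timeout, driven by SYN/ACK events.
import random
from collections import OrderedDict
from typing import List, Set, Tuple

Conn = Tuple[str, int]   # (client address, destination port)

class TcpIntercept:
    def __init__(self, mode: str = "intercept", drop_mode: str = "oldest",
                 watch_timeout: float = 30.0, max_half_open: int = 4, seed: int = 0):
        assert mode in ("intercept", "watch") and drop_mode in ("oldest", "random")
        self.mode, self.drop_mode = mode, drop_mode
        self.watch_timeout, self.max_half_open = watch_timeout, max_half_open
        self.half_open: "OrderedDict[Conn, float]" = OrderedDict()   # oldest first
        self.server_half_open: Set[Conn] = set()   # embryonic conns the server holds
        self.established: List[Conn] = []          # handed to the server
        self.dropped: List[Conn] = []              # removed by drop-mode
        self.reset: List[Conn] = []                # RST sent to server after timeout
        self.rng = random.Random(seed)

    def on_syn(self, now: float, client: str, port: int) -> None:
        self._expire(now)
        key = (client, port)
        self.half_open[key] = now
        if self.mode == "watch":
            self.server_half_open.add(key)   # SYN forwarded; server allocates state
        # intercept mode: router answered SYN-ACK itself, server saw nothing
        while len(self.half_open) > self.max_half_open:   # aggressive mode
            victim = (next(iter(self.half_open)) if self.drop_mode == "oldest"
                      else self.rng.choice(list(self.half_open)))
            self._drop(victim)

    def on_ack(self, now: float, client: str, port: int) -> None:
        """Client completed the handshake: transfer the connection to the server."""
        self._expire(now)
        key = (client, port)
        if self.half_open.pop(key, None) is not None:
            self.server_half_open.discard(key)
            self.established.append(key)

    def _expire(self, now: float) -> None:
        if self.mode != "watch":
            return
        for key, seen in list(self.half_open.items()):
            if now - seen > self.watch_timeout:   # never completed: clear it on the server
                del self.half_open[key]
                self.server_half_open.discard(key)
                self.reset.append(key)

    def _drop(self, key: Conn) -> None:
        del self.half_open[key]
        self.server_half_open.discard(key)
        self.dropped.append(key)

def intercept_flood_demo() -> Tuple[List[Conn], List[Conn]]:
    """Constructed flood: five SYNs, one completed handshake, high-water mark 3."""
    ti = TcpIntercept(mode="intercept", drop_mode="oldest", max_half_open=3)
    for i in range(5):
        ti.on_syn(float(i), "172.16.42.%d" % i, 80)
    ti.on_ack(5.0, "172.16.42.4", 80)
    return ti.dropped, ti.established
```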
TCP Hijacks
TCP Hijacking
Works by correctly guessing sequence numbers
Newer O/S’s & firewalls eliminate the problem by randomizing sequence numbers
TCP Hijacking Simplex Mode
• One command followed by RST
Land.c Attack
Spoofed packet with SYN flag set
Sent to open port
SRC addr/port same as DST addr/port
Many operating systems lock up
UDP Attacks
• UDP Traffic Records
• UDP Port Scan
• UDP Attacks
• UDP Applications
[Figure: TCP/IP stack with the UDP layer highlighted]
UDP Port Scans
UDP port scans
• One host searches for multiple UDP services on a single host
[Figure: IP header followed by UDP header (Source Port, Dest Port, Length, Checksum) and Data]
UDP Attacks
UDP flood (disabled)
• Many UDPs to same host
UDP Bomb
• UDP length < IP length
Snork
• Src=135, 7, or 19; Dest=135
Chargen DoS
• Src=7 & Dest=19
[Figure: IP header followed by UDP header (Source Port, Dest Port, Length, Checksum) and Data]
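The four UDP checks on the slide above, as an added example (not from the slides): it decodes the 8-byte UDP header carried in an IP payload, flags a UDP Bomb (length field inconsistent with what IP delivered; the slide's case is the shorter one), the Snork and Chargen port pairs, and counts datagrams per destination for the flood case. The builder, the flood threshold and the (src, dst) records are assumptions.

```python
# Added example (not from the slides): UDP Bomb, Snork, Chargen DoS and UDP
# flood checks over constructed datagrams and (src, dst) traffic records.
import struct
from collections import Counter
from typing import Iterable, List, Optional, Tuple

ECHO, CHARGEN, LOC_SRV = 7, 19, 135     # UDP echo, chargen, Microsoft RPC locator

def parse_udp(ip_payload: bytes) -> Tuple[int, int, int, int]:
    """Return (src_port, dst_port, length, checksum) from the UDP header."""
    if len(ip_payload) < 8:
        raise ValueError("truncated UDP header")
    return struct.unpack("!HHHH", ip_payload[:8])

def check_udp(ip_payload: bytes) -> List[str]:
    sport, dport, ulen, _csum = parse_udp(ip_payload)
    alerts: List[str] = []
    # UDP Bomb: the length the UDP header claims differs from what IP delivered
    if ulen < 8 or ulen != len(ip_payload):
        alerts.append("udp bomb: UDP length %d vs IP payload %d" % (ulen, len(ip_payload)))
    if sport in (LOC_SRV, ECHO, CHARGEN) and dport == LOC_SRV:
        alerts.append("snork: src %d -> dst 135" % sport)
    if sport == ECHO and dport == CHARGEN:
        # echo and chargen both answer every datagram, so one spoofed packet
        # between them starts a loop that never ends
        alerts.append("chargen dos: echo <-> chargen packet loop")
    return alerts

def udp_floods(records: Iterable[Tuple[str, str]], threshold: int = 50) -> List[str]:
    """Destinations receiving at least `threshold` datagrams; records are (src, dst)."""
    counts = Counter(dst for _src, dst in records)
    return [dst for dst, n in counts.items() if n >= threshold]

def build_udp(sport: int, dport: int, payload: bytes,
              claimed_len: Optional[int] = None) -> bytes:
    """Constructed datagram; claimed_len lets a test forge an inconsistent length."""
    length = 8 + len(payload) if claimed_len is None else claimed_len
    return struct.pack("!HHHH", sport, dport, length, 0) + payload
```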
Reflexive Access Lists
Allows the packet filtering mechanism to remember state
Reflexive ACLs are transparent until activated by matching traffic
• Protocol support—TCP, UDP
• Alternative to the established keyword
• Available in Cisco IOS release 11.3
Reflexive Access Lists
Router monitors outgoing connection
Creates dynamic permit inbound ACL using IP addresses and port numbers
[Figure: #1 outbound TCP SYN between 192.34.56.8 and 200.150.50.111 (IP header Source Addr, Destination Addr; TCP header Source Port 1026, Destination Port 23, Initial Sequence# 49091, Ack #, Flag Syn). #2 resulting dynamic entry: permit tcp 200.150.50.111 192.34.56.8 eq telnet]
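How an outbound session becomes a temporary inbound permit entry, modelled in an added example (not from the slides and not IOS code) using the addresses and ports from the figure above: the entry permits only the exact reverse five-tuple, is refreshed by matching traffic, is torn down by a TCP RST, and expires after an idle timeout. The timeout value, the event interface and the IOS-like rendering are assumptions.

```python
# Added example (not from the slides): model of a reflexive access list's
# dynamic inbound entries for the Telnet session shown in the figure.
from typing import Dict, List, Tuple

Five = Tuple[str, str, int, str, int]   # (proto, remote, rport, local, lport)

class ReflexiveAcl:
    def __init__(self, timeout: float = 300.0):
        self.timeout = timeout                  # assumed idle timeout in seconds
        self.entries: Dict[Five, float] = {}    # entry -> expiry time

    def outbound(self, now: float, proto: str, src: str, sport: int,
                 dst: str, dport: int) -> None:
        """Router sees a session leaving: permit its reverse direction for a while."""
        self._prune(now)
        self.entries[(proto, dst, dport, src, sport)] = now + self.timeout

    def inbound(self, now: float, proto: str, src: str, sport: int,
                dst: str, dport: int, tcp_flags: int = 0) -> bool:
        """Permit only packets that exactly reverse an entry; refresh the entry
        on a hit, remove it when a TCP RST (flag bit 0x04) ends the session."""
        self._prune(now)
        key = (proto, src, sport, dst, dport)
        if key not in self.entries:
            return False                        # no matching session: denied
        if proto == "tcp" and tcp_flags & 0x04:
            del self.entries[key]
        else:
            self.entries[key] = now + self.timeout
        return True

    def render(self) -> List[str]:
        """The dynamic entries as permit lines in IOS-like notation (approximate)."""
        return ["permit %s host %s eq %d host %s eq %d" % k for k in self.entries]

    def _prune(self, now: float) -> None:
        for key, exp in list(self.entries.items()):
            if exp <= now:
                del self.entries[key]

def telnet_session_demo() -> Tuple[List[str], bool, bool]:
    """The figure's session: 192.34.56.8:1026 -> 200.150.50.111:23 (telnet)."""
    acl = ReflexiveAcl(timeout=300.0)
    acl.outbound(0.0, "tcp", "192.34.56.8", 1026, "200.150.50.111", 23)
    ok = acl.inbound(1.0, "tcp", "200.150.50.111", 23, "192.34.56.8", 1026)
    other = acl.inbound(1.0, "tcp", "200.150.50.111", 23, "192.34.56.8", 1027)
    return acl.render(), ok, other
```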
Cisco IOS Firewall Feature Set
Context-Based Access Control (CBAC)
• Stateful, per-application filtering
• Support for advanced protocols (H.323, SQLnet, RealAudio, etc.)
Denial of Service detection and prevention
Control downloading of Java applets
Real-time alerts
TCP/UDP transaction log
Configuration and management
Enhanced Security for the Intelligent Internet
What Is “Context-Based Access Control” (CBAC)?
Tracks state and context of network connections to secure traffic flow
Inspects data coming into or leaving router
Allows connections to be established by temporarily opening ports based on payload inspection
Return packets authorized for particular connection only via temporary ACL
Cisco IOS Context-Based AccessControl (CBAC) Application Support
Transparent support forcommon TCP/UDP internetservices, including:
• WWW, Telnet, SNMP, finger, etc.
FTPTFTP
SMTP
Java blocking
BSD R-cmdsOracle SQL Net
Remote Procedure Call (RPC)
Multimedia applications:
• VDOnet’s VDO Live
• RealNetworks’ RealAudio
• Intel’s InternetVideo Phone(H.323)
• Microsoft’s NetMeeting (H.323)
• Xing Technologies’Streamworks
• Whitepine’s CuSeeMe
Cisco IOS Firewall Feature Set
Per user authentication and authorization (“authentication proxy”)
Intrusion detection technology
IP Fragmentation defense
Dynamic per-application port mapping
Configurable alerts and audit trail
SMTP-specific attack detection
New CBAC application support
• MS-Networking, MS Netshow
Cisco IOS Firewall: Authentication Proxy
HTTP-initiated Authentication
Valid for all types of application traffic
Provides dynamic, per user authentication and authorization via TACACS+ and RADIUS protocols
Works on any interface type for inbound or outbound traffic
Cisco IOS Firewall: Authentication Proxy Operation
[Figure: user host on E0 of a Cisco IOS Firewall (Cisco 7200 series router), S0 toward the ISP and Internet, AAA server attached to the router]
1. User HTTP request
2. Get Uid/Password
3. Authenticate (router to AAA server)
4. Download profile, build dynamic ACL on router
5. Refresh/reload URL
Application Layer Attacks
TCP port 25
Attacks include:
• Reconnaissance
• Access
• DOS
[Figure: IP header followed by TCP header (Source Port, Dest Port=25, Source Sequence Number, Acknowledge Sequence Num, Len, Res, Flags, Window, Checksum, Urgent Pointer) and Data]
Mail Attacks
smail attack
sendmail invalid recipient
sendmail invalid sender
sendmail reconnaissance
Archaic sendmail attacks
sendmail decode alias
sendmail SPAM
Majordomo exec bug
MIME overflow bug
Qmail Length Crash
File Transfer Protocol (FTP)
TCP port 21
Attacks include:
• Reconnaissance
• Access
[Figure: IP header followed by TCP header (Source Port, Dest Port=21, Source Sequence Number, Acknowledge Sequence Num, Len, Res, Flags, Window, Checksum, Urgent Pointer) and Data]
FTP Attacks
FTP SITE command attempted
FTP SYST command attempted
FTP CWD ~root
FTP Improper address specified
FTP Improper port specified
Web
TCP port 80
Attacks include:
• Access
[Figure: IP header followed by TCP header (Source Port, Dest Port=80, Source Sequence Number, Acknowledge Sequence Num, Len, Res, Flags, Window, Checksum, Urgent Pointer) and Data]
Web Attacks
phf attack
General cgi-bin attack
url file requested
.lnk file requested
.bat file requested
HTML file has .url link
HTML file has .lnk link
HTML file has .bat link
campas attack
glimpse server attack
IIS View Source Bug
IIS Hex View Source Bug
NPH-TEST-CGI Bug
TEST-CGI Bug
IIS DOT DOT VIEW Bug
IIS DOT DOT EXECUTE Bug
IIS DOT DOT DENIAL Bug
Web Attacks (cont.)
php view file Bug
SGI wrap bug
php buffer overflow
IIS Long URL Crash
View Source GGI Bug
MLOG/MYLOG CGI Bug
Handler CGI Bug
Webgais Bug
WebSendmail Bug
Webdist Bug
Htmlscript Bug
Performer Bug
WebSite win-c-sample buffer overflow
WebSite uploader
Novell convert bug
finger attempt
Count Overflow
DNS Attacks
UDP Port 53
Attacks include:
• Reconnaissance
DNS HINFO Request
• Potential reconnaissance
DNS Zone Transfer Request
• Potential reconnaissance
DNS Zone Transfer from other port
• Different port than 53
DNS request for all records
• All records requested, not just one zone
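The four DNS signatures on the slide above, raised by an added example (not from the slides) that decodes the question section of a DNS query (name labels, qtype, qclass) and reports HINFO, zone transfer (AXFR), zone transfer not addressed to port 53, and a request for all records (ANY). The query builder, the (src_port, dst_port, message) record form and the name victim.com (taken from a later slide) are constructed for the example; a zone transfer carried over TCP would additionally have a two-byte length prefix that this parser does not strip.

```python
# Added example (not from the slides): decode a DNS question and raise the
# HINFO, zone-transfer, off-port zone-transfer and all-records alerts.
import struct
from typing import List, Tuple

QTYPE_HINFO, QTYPE_AXFR, QTYPE_ANY = 13, 252, 255

def parse_question(msg: bytes) -> Tuple[str, int, int]:
    """Return (qname, qtype, qclass) of the first question. A query's question
    section carries plain labels, so no compression pointers are expected."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    if pos + 4 > len(msg):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return ".".join(labels), qtype, qclass

def dns_alerts(src_port: int, dst_port: int, msg: bytes) -> List[str]:
    qname, qtype, _qclass = parse_question(msg)
    alerts: List[str] = []
    if qtype == QTYPE_HINFO:
        alerts.append("DNS HINFO request for %s" % qname)
    if qtype == QTYPE_AXFR:
        alerts.append("DNS zone transfer request for %s" % qname)
        if dst_port != 53:
            alerts.append("DNS zone transfer to port %d, not 53" % dst_port)
    if qtype == QTYPE_ANY:
        alerts.append("DNS request for all records of %s" % qname)
    return alerts

def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed standard query (RD set) with a single question, class IN."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                    for l in qname.split(".")) + b"\x00"
    return hdr + name + struct.pack("!HH", qtype, 1)
```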
Application Exploit Attacks
Sun Kill Telnet DOS
• port 23
Finger Bomb
• port 79
rlogin -froot
• port 513
Imap Authenticate Overflow
• port 143
Imap Login Overflow
• port 143
Pop Overflow
• port 110
Application Exploit Attacks (cont.)
Inn Overflow
• port 119
Inn Control Message
• port 119
IOS Telnet buffer overflow
• port 23
IOS Command History Exploit
• port 25
Cisco IOS Identity
• port 1999
Server Message Blocks (SMB)
• Native NT file-sharing protocol
• Samba is UNIX port of SMB
• Common Internet File System (CIFS)
– extension of SMB
SMB TCP/UDP Ports
• 135 - Remote Procedure Call Service
• 137 - NetBIOS Name Service (UDP)
• 138 - NetBIOS Datagram Service (UDP)
• 139 - NetBIOS Session Service
NetBIOS
TCP Port 139
Attacks include:
• Reconnaissance
• Access
• DOS
[Figure: IP header followed by TCP header (Source Port, Dest Port=139, Source Sequence Number, Acknowledge Sequence Num, Len, Res, Flags, Window, Checksum, Urgent Pointer) and Data]
NetBIOS Attacks
NETBIOS OOB data
NETBIOS Stat
NETBIOS Session Setup Failure
Windows Guest login
Windows Null Account Name
Windows Password File Access
Windows Registry Access
Windows RedButton
TCP Application Attacks
TCP application attacks are attacks against various TCP applications.
Capture password file
• FTP “RETR passwd”
loadmodule Attack
• Telnet “IFS=/”
• Rlogin “IFS=/”
Planting .rhosts
• Telnet “+ +”
• Rlogin “+ +”
Accessing shadow passwd
• Telnet “/etc/shadow”
• Rlogin “/etc/shadow”
UDP Application Attacks
Back Orifice
• port 31337
Tftp passwd file attempt
• port 69
[Figure: IP header followed by UDP header (Source Port, Dest Port, Length, Checksum) and Data]
RPC Services
Applications do not use well-known ports
• Use portmapper
– Registers applications
– TCP/UDP port 111
Attacks include
• Reconnaissance
• Access
• DOS
[Figure: client/server exchange: client port 2488 sends GET PORT # to server port 111; the server answers USE PORT # 2049 from port 111; client port 2488 then sends the NFS REQUEST to port 2049]
RPC Attacks
RPC port registration
• Remotely registering a service that is not running
RPC port unregistration
• Remotely unregistering a running service
RPC dump
• rpcinfo -p <host>
Proxied RPC request
• Bypasses RPC authentication
RPC Attacks (cont.)
RPC Port Sweeps
• Request service on many ports on same host
• Stealth reconnaissance
RSTATD
RUSERSD
NFSMOUNTD
YPPASSWD
SELECTION SVC
REXD
STATUS
TTDB
RPC Attacks (cont.)
Portmapper Requests
• Requests for services known to be exploited
• In most cases should not be used
• If needed, filter signatures
ypserv
ypbind
yppasswd
ypupdated
ypxfrd
mountd
rexd
RPC Attack (cont.)
rexd attempt
• Accessing rexd
• Allows remotely running commands
• Should not be allowed
• Unknown by some administrators
RPC Services with Buffer Overflow Vulnerabilities:
• statd
• ttdb
• mountd
Ident Attacks
Ident is a protocol to prevent hostname, address, and username spoofing.
• TCP port 113
Ident buffer overflow
• IDENT reply too large
Ident newline
• IDENT reply with newline plus more data
Ident improper request
• IDENT request too long or non-existent ports
IP Servers on Routers
Router commands to turn off services:
no service tcp-small-servers
no service udp-small-servers
Trust Exploits
• Spoofing Trusted User
• Spoofing Trusted Host
• Planting ~/.rhosts or hosts.equiv via Alternate Methods
Reconnaissance
Reconnaissance
Unauthorized discovery and mapping of systems, services, or vulnerabilities
Reconnaissance Methods
• Common commands or administrative utilities
– nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl, and so on
• Hacker tools
– SATAN, NMAP, custom scripts, and so on
Discovering the Targets
• Know thy target
– Domain name, IP address space (i.e., victim.com, 192.168.X.X)
– whois, nslookup
• Ping Sweeps
– Network mapping
– Identify potential targets
Ping Sweeps
ICMP network sweep with Echo
• Type=8
ICMP network sweep with Timestamp
• Type=13
ICMP network sweep with Address Mask
• Type=17
[Figure: IP header (Ver, Len, Serv, Length; Identification, Flg, Frag Offset; TTL, Proto, Checksum; Source IP; Destination IP) followed by the ICMP header (Type, Code, Checksum)]
Port Scans
• Port Scans (Probing)
– Determine services being offered (e.g., telnet, ftp, http, etc.)
• Post Port Scan
– Determine Operating System Information
– Determine other information (e.g., usernames, hostnames, etc.)
TCP Port Scans
Many O/S’s haven’t implemented TCP/IP according to the letter of the “law” (RFCs).
They respond differently to TCP packets with various flags set.
[Figure: IP header (Ver, Len, Serv, Length; Identification, Flg, Frag Offset; TTL, TCP, Checksum; Source IP; Destination IP) followed by the TCP header (Source Port, Dest Port; Source Sequence Number; Acknowledge Sequence Num; Len, Res, Flags, Window; Checksum, Urgent Pointer)]
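Detection logic for the ICMP sweeps on the ping-sweep slide and the flag-based TCP probes described here, as an added example that is not part of the original deck: it parses constructed IPv4 packets (no live capture), labels each probe by ICMP type or TCP flag combination, and counts distinct targets per source so a sweep stands out from a single stray packet. The threshold, the labels and the helper names are my own choices.

```python
import struct
from collections import defaultdict

# ICMP types from the ping-sweep slide, and TCP flag sets whose replies differ between stacks.
ICMP_SWEEP = {8: "icmp-echo", 13: "icmp-timestamp", 17: "icmp-addrmask"}
FIN, SYN, PSH, URG = 0x01, 0x02, 0x08, 0x20
TCP_PROBES = {0: "tcp-null", FIN: "tcp-fin", FIN | PSH | URG: "tcp-xmas", SYN: "tcp-syn"}

def classify(pkt):
    """Return (src, kind, target) for a probe-like IPv4 packet, else None."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return None
    l4 = pkt[(ver_ihl & 0x0F) * 4:]
    s, d = ".".join(map(str, src)), ".".join(map(str, dst))
    if proto == 1 and len(l4) >= 4 and l4[0] in ICMP_SWEEP:
        return s, ICMP_SWEEP[l4[0]], d                  # one target per host swept
    if proto == 6 and len(l4) >= 20:
        flags = l4[13] & 0x3F                           # low six bits: URG ACK PSH RST SYN FIN
        if flags in TCP_PROBES:
            dport = struct.unpack("!H", l4[2:4])[0]
            return s, TCP_PROBES[flags], (d, dport)     # one target per host:port
    return None

def sweep_report(packets, threshold=3):
    """Count distinct targets per (source, probe kind); report those at or above threshold."""
    targets = defaultdict(set)
    for pkt in packets:
        hit = classify(pkt)
        if hit:
            targets[(hit[0], hit[1])].add(hit[2])
    return {key: len(v) for key, v in targets.items() if len(v) >= threshold}

# Constructed sample traffic (not a capture); helpers build minimal IPv4/ICMP/TCP packets.
def _ip(src, dst, proto, l4):
    addr = lambda ip: bytes(int(x) for x in ip.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, addr(src), addr(dst)) + l4

def _icmp(icmp_type):
    return bytes([icmp_type, 0, 0, 0])

def _tcp(dport, flags):
    return struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

SAMPLE = (
    [_ip("10.0.0.5", f"192.168.1.{i}", 1, _icmp(8)) for i in range(1, 5)]              # echo sweep of 4 hosts
    + [_ip("10.0.0.5", f"192.168.1.{i}", 1, _icmp(13)) for i in (1, 2)]                # timestamp, under threshold
    + [_ip("10.0.0.5", "192.168.1.10", 6, _tcp(p, FIN | PSH | URG)) for p in (21, 23, 80)]  # Xmas scan, 3 ports
    + [_ip("10.0.0.9", "192.168.1.10", 6, _tcp(80, SYN | 0x10))]                        # plain SYN/ACK, ignored
)
```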
Network Address Translation
[Figure: inside network host 10.1.1.2 behind the NAT router at 132.22.2.1, which faces the Internet (outside network)]
• Hides internal addresses
• Provides dynamic or static translation of private addresses to registered IP addresses
• Supports true NAT, Overload (same as PAT), and
Inside Local IP Address    Inside Global IP Address
10.1.1.2                   132.22.2.100
10.1.1.3                   132.22.2.101
Network Address Translation
Each translation consumes approximately 160 bytes of memory
PAT (overload) translations limited to 4000 entries
Supports any TCP/UDP application that does not carry source and/or destination IP addresses in the payload
Application support for those that DO carry source and/or destination IP address in payload
• ICMP, FTP (including port and pasv commands), NetBIOS over TCP/IP (datagram, name, and session services), RealAudio, CuSeeMe, StreamWorks, DNS ‘A’ and ‘PTR’ records, NetMeeting, VDOLive, Vxtreme, IP Multicast (source address translation only)
Initial Access
Access
Unauthorized data manipulation, system access, or privilege escalation
Access Methods
• Exploit easily guessed passwords
– Brute force
– Cracking tools
• Exploit mis-administered services
– IP services (anonymous ftp, tftp, remote registry access, nis, and so on)
– Trust relationships (spoofing, r-services, and so on)
– File sharing (NFS, Windows File Sharing)
Access Methods (cont.)
• Exploit application holes
– Mishandled input data
• Access outside application domain, buffer overflows, race conditions
– Protocol weaknesses
• Fragmentation, TCP session hijack
• Trojan horses
– Programs to plant a backdoor into a host
Backdoors
• BackOrifice
– Win 95/98 Server Only
– Windows and Unix clients
– Configurable Ports (Default UDP 31337)
– Encrypted communications
• BackOrifice—ButtPlugs
– Allow new features to be added easily
Backdoors (cont)
• NetBus (Freeware)
– Remote administration tool
– Listens on TCP Ports 12345, 12346
– Trojan program
– Runs on Win95/98 and NT
Denial of Service Methods
• Resource Overload
– Disk space, bandwidth, buffers, ...
– Ping flood: smurf, ...
– SYN floods: neptune, synk4, ...
– Packet storms: UDP bombs, fraggle, ...
• Out of Band Data Crash
– Oversized packets: ping of death, …
– Overlapped packets: winnuke, ...
– Un-handled data: teardrop, ...
Other Areas to Consider
Disable:
• IP helper addresses: no ip helper
• IP broadcasting: no ip broadcast-address, no ip directed-broadcast
• source routing: no ip source-route
• r-commands: no ip rcmd rcp-enable, no ip rsh-enable
• IDENT: no ip identd
• CDP: no cdp run
• dynamic circuits: no frame-relay inverse-arp
• other “features”: no proxy-arp, no ip redirects
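A configuration audit covering the small-servers commands on the "IP Servers on Routers" slide and the list above, as an added example that is not part of the deck or of Cisco IOS: it reads saved running-config text and reports hardening lines that are missing and feature-enabling lines that are present. Assumptions: the full command spellings `no ip rcmd rsh-enable` and `no ip proxy-arp` (exact forms vary by IOS release), and a sample configuration I constructed.

```python
# Explicit hardening lines from the slides as they appear in a saved IOS config.
# Assumption: full spellings "no ip rcmd rsh-enable" and "no ip proxy-arp"; forms vary by release.
GLOBAL_WANT = ("no service tcp-small-servers", "no service udp-small-servers", "no ip source-route",
               "no ip rcmd rcp-enable", "no ip rcmd rsh-enable", "no ip identd", "no cdp run")
IFACE_WANT = ("no ip directed-broadcast", "no ip proxy-arp", "no ip redirects")
# Lines that turn a listed feature on: their presence is a finding in itself.
GLOBAL_BAD = ("service tcp-small-servers", "service udp-small-servers", "ip source-route",
              "ip rcmd rcp-enable", "ip rcmd rsh-enable", "ip identd", "cdp run")
IFACE_BAD = ("ip helper-address", "ip directed-broadcast", "ip proxy-arp", "ip redirects", "frame-relay inverse-arp")

def audit(config):
    """Findings for 'show running-config' text. IOS omits defaults from the running
    config, so an absent "no ..." line is reported as missing, not as enabled."""
    findings, iface, seen_global, seen_iface = [], None, set(), {}
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):                  # global configuration mode
            iface = line.split()[1] if line.startswith("interface ") else None
            if iface:
                seen_iface[iface] = set()
            elif line in GLOBAL_WANT:
                seen_global.add(line)
            elif line.startswith(GLOBAL_BAD):
                findings.append(f"global: '{line}' enables a service the slides say to disable")
        elif iface:                                    # interface sub-mode
            cmd = line.strip()
            if cmd in IFACE_WANT:
                seen_iface[iface].add(cmd)
            elif cmd.startswith(IFACE_BAD):
                findings.append(f"{iface}: '{cmd}' enables a feature the slides say to disable")
    findings += [f"global: missing '{w}'" for w in GLOBAL_WANT if w not in seen_global]
    for name, seen in seen_iface.items():
        findings += [f"{name}: missing '{w}'" for w in IFACE_WANT if w not in seen]
    return findings

# Constructed sample configuration (not taken from a real router).
SAMPLE_CONFIG = """\
service tcp-small-servers
no ip source-route
no cdp run
interface Ethernet0
 no ip directed-broadcast
 no ip proxy-arp
 no ip redirects
interface Ethernet1
 ip helper-address 10.1.1.50
 no ip redirects
"""
```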
More Info
• http://www.2600.com/
• http://www.cultdeadcow.com/
• http://www.l0pht.com/
• http://www.hackernews.com/
• http://www.cert.org/
• http://www.sans.org/
• http://www.rootshell.com/
• http://www.securityfocus.com/
• http://www.cisco.com/security
In Summary ….
May You Live in Interesting Times!!