Translate

Thursday, 29 August 2013

Layer 3 (Network Layer) Attack and Mitigation

With the likes of protocols like IP(Internet Protocol) lets us take a look into what Layer 3 Network Layer attacks and their mitigation procedures looks like:

  • IP Spoofing
  • Routing (RIP) Attacks
  • ICMP Attacks
  • PING Flood (ICMP Flood)
  • Ping of Death Attack
  • Teardrop Attack
  • Packet Sniffing

IP Spoofing:
IP Spoofing is changing the source ip address while sending to the destination with some trusted IP. A way to mislead the receiver on the origin of the information sent. Method can be used in Spamming and to perpetrate Denial of Service.
Tools:

  • Engage Packet Builder v2.20 - Scriptable packet builder for Windows
  • HPing v2.0.0 - Command-line oriented TCP/IP packet assembler/analyzer
  • Nemesis v1.4 beta3 - Command-line portable IP stack
  • LSRscan v1.0 - Loose Source Route Scanning Tool
  • Scapy v2.0.0.10 - Interactive packet manipulation tool

Mitigations:

  • Implement Input access-lists; they should filter at the ingress interfaces. 
  • Unicast Reverse Path Forwarding (uRPF) is a common technique used to mitigate source address spoofing by discarding the IP Packets that lack a verifiable IP source address in the IP Routing Table.
  • IP Source Guard is a Layer 2 security feature that prevents IP spoofing attacks by restricting IP traffic on untrusted Layer 2 ports to clients with an assigned IP address.

Routing (RIP) Attack:
Routing Information Protocol (RIP) is used to distribute routing information within networks, such as shortest-paths, and advertising routes out from the local network. The original version of RIP has no built in authentication, and the information provided in a RIP packet is often used without verifying it. An attacker could forge a RIP packet, claiming his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine instead.
Tools:

  • RPAK (Routing Protocol Attack Kit)- contains tools for RIP, RIP2, IGRP and OSPF.  

Mitigations:

  • The version 2 of RIP was enhanced with a simple password authentication algorithm, which makes RIP attack harder to happen.
  • IPSec VPN provides a way to keep routing information encrypted among the routers implemented the IPsec VPN.

ICMP Attack:
ICMP is used by the IP layer to send one-way informational messages to a host. There is no authentication in ICMP, which leads to attacks using ICMP that can result in a denial of service, or allowing the attacker to intercept packets. An attacker sends forged ICMP echo packets to vulnerable networks' broadcast addresses. All the systems on those networks send ICMP echo replies to the victim, consuming the target system's available bandwidth and creating a denial of service (DoS) to legitimate traffic.
Tools:

  • icmp-reset - Blindly resetting arbitrary TCP connections (icmp-reset.tar.gz)
  • icmp-quench - Blindly reducing the throughput of an arbitrary TCP connections (icmp-quench.tar.gz)
  • icmp-mtu - Blindly reducing the performance of an arbitrary TCP connections (icmp-mtu.tar.gz)

Mitigations:

  • Most ICMP attacks can be effectively reduced by deploying Firewalls at critical locations of a network to filter un-wanted traffic and from any destinations.
  • In addition, to keep a reasonable balance between services and security, you should configure your ICMP parameters in your network devices as follows:
            - Allow ping ICMP Echo-Request outbound and Echo-Reply messages inbound.

            - Allow traceroute TTL-Exceeded and Port-Unreachable messages inbound.
            - Allow path MTU ICMP Fragmentation-DF-Set messages inbound.
            - Blocking other types of ICMP traffic.

PING Flood (ICMP Flood):
PING is one of the most common uses of ICMP which sends an ICMP "Echo Request" to a host, and waits for that host to send back an ICMP "Echo Reply" message. Attacker simply sends a huge number of "ICMP Echo Requests" typically overloading its victim that it expends all its resources responding until it can no longer process valid network traffic.
Tools:

  • Trinoo
  • Tribe Flood Network (TFN)
  • Stacheldraht

Mitigations:

  • The most obvious way to mitigate an ICMP/PING Flood is to block ICMP altogether at perimeter of your network via firewall filters.
  • By limiting the rate at which a single source can send ICMP Packets. This threshold is per second.


Ping of Death Attack:
The principle of ping of death simply involves creating an IP datagram whose total size exceeds the maximum authorized size (65,536 bytes). When such a packet is sent to a system with a vulnerable TCP/IP stack, it will cause the system to crash.
Tools:

  • CPU DEATH PING 2.0

Mitigations:

  • All the recent and latest OS are not vulnerable to this attack.


Teardrop Attack:
The principle of the Teardrop attack involves inserting false offset information into fragmented packets. As a result, during reassembly, there are empty or overlapping fragments that can cause the system to be unstable.
Tools:

  • Nessus API: Packet forgery

Mitigations:

  • A simple reboot is the preferred remedy after this happen.
  • Recent systems are no longer vulnerable to this attack.


Packet Sniffing:
Because most network applications distribute network packets in clear text, a packet sniffing tool can exploit information passed in clear text providing the hacker with sensitive information such as user account names and passwords.
Tools:

  • Wireshark
  • TCPdump

Mitigations:

  • Authentication - Using strong authentication, such as one-time passwords.
  • Cryptography - The most effective method for countering packet sniffers does renders them irrelevant.
  • Switched Infrastructure - Deploy a switched infrastructure to counter the use of packet sniffers in your environment.
  • Anti-sniffer tools - Use these tools to employ software and hardware designed to detect the use of sniffers on a network.

No comments: