Types of Attacks And Mitigation

This Document will be helpful for CCIE Security V4 study and also for those who are learning Ethical Hacking

LAND Attack
Attacker sends TCP packet with SYN bit set. Packet source and packet destination addresses are of victims. Mitigation: Filter internal networks on the edge using ACLs and uRPF.

VLAN Hopping Attack

Scenario 1: Attacket plugs to the network with the rogue switch. Attacker configures it to establish trunk with other network switches. Once trunk is up, attacker will be able to gain access to any VLAN available on the trunk port. Scenario 2: attacker sends 802.1q frames with multiple vlan tags. Outside VLAN tag is for padding, and inside tag is of victim's VLAN. Mitigation: avoid using VLAN 1, explicitly configure "access" mode on all of the non-trunk ports.

ARP Spoofing Attack

When victim sends ARP Request message requesting MAC of 1.2.3.4 IP address, attacker replies "I'm 1.2.3.4 and my MAC is a.b.c.d", pretending that they are that IP address. Gratuitous ARP is a feature that sends ARP request or reply without being ask for it. So attacker can send Gratuitous ARP and all the hosts will store that information. Mitigation: clear cache, DHCP snooping, Dynamic ARP Inspection

Disclaimer: This material is copied from other websites, books and Wikipedia. INECERT doesnt take any responsibility of any copyright breaches. We are only advertising for information purposes only. This is given for Free. NOT FOR SALE. You can copy or share this material.

MAC Spoofing Attack

Attacker impersonates as victim's MAC address. Mitigation: "ip source guard" consults dhcp snooping table and if entry is not there, then blocks it.

Control Plain Attack

Attacker adds router to the network while injecting /32 bit mask address, and then acts as extra hop router to redirect traffic to the "fake" resource. Mitigation: routing protocol authentication, limit # of BGP prefixes per peer. Filter unexpected routes.

IP Spoofing Attack
Attacker send packet with spoofed source address. Mitigation: uRPF, block RFC1918, RFC2827, RFC3330, BOGON Ingress Filtering.
Disclaimer: This material is copied from other websites, books and Wikipedia. INECERT doesnt take any responsibility of any copyright breaches. We are only advertising for information purposes only. This is given for Free. NOT FOR SALE. You can copy or share this material.

Smurf Attack
1) Attacker send ICMP echo request packet with src: victim_ip, dst: broadcast address. It can be 0.0.0.0 255.255.255.255, but it can also be specific for particular subnet, for example: 192.168.1.0/24, broadcast = 192.168.1.255. Mitigation: "no ip directed broadcast" or Limit broadcast storms at interfaces of the switches

Fraggle attack
Same as SMURF attack, but using UDP sockets. Mitigation: Policing using CAR/MQS, Blockhole Filtering.

SYN Flodding Attack

Attacker starts TCP three way handshake with victim (TCP SYN). Victim replies with SYN/ACK, but attacker does not return ACK, therefore causing half-open connection. Mitigation: TCP Intercept (bad idea...router becomes target), IOS CBAC, ASA/PIX Connection limits. 1) Use Firewall NAT feature to limit tcp embryonic connections. 2) Block the host sending syn packets only

Fragment Attack
Attackers sends tiny fragmented packets, causing network devices to use more CPU resources, which in turn might cause Denial of Service. Mitigation: IP Virtual Reassembly feature. ACL to block fragmented packets. # int Fa0/1 # ip virtual reassembly
Disclaimer: This material is copied from other websites, books and Wikipedia. INECERT doesnt take any responsibility of any copyright breaches. We are only advertising for information purposes only. This is given for Free. NOT FOR SALE. You can copy or share this material.

When you activate virtual-reassembly on interface, using the command ip virtual-reassembly, IOS starts tracking all incoming fragmented packets. The code delays fragmented packets until it receives all of them, or until the maximum reassembly timeout expires. Another option is to deny fragmented packets:

#ip access-list ALLOW_ONLY_NON_FRAGMENTS_HTTP_PACKETS # deny ip any host 1.2.3.4 fragments # permit tcp any host 1.2.3.4 eq www

DDOS (Distributed Denial of Service) Attack

Its a big flood of ICMP attack at the targeted machine, attacker installs a software in many machines and trigger them to attack at one machine Solution: 1) IP verify unicast reverse-path This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet. The effect of Unicast RPF is that it stops SMURF attacks (and other attacks that depend on source IP address spoofing) at the ISP's POP (lease and dial-up). This protects your network and customers, as well as the rest of the Internet. To use unicast RPF, enable "CEF switching" or "CEF distributed switching" in the router. There is no need to configure the input interface for CEF switching. As long as CEF is running on the router, individual interfaces can be configured with other switching modes. RPF is an input side function that enabled on an interface or sub-interface and operates on packets received by the router. 2) CRC rate limit 3) Access-lists 4) Flood control

DNS Cashe Poising:

Disclaimer: This material is copied from other websites, books and Wikipedia. INECERT doesnt take any responsibility of any copyright breaches. We are only advertising for information purposes only. This is given for Free. NOT FOR SALE. You can copy or share this material.

Any attacker could resolve your DNS name and find out the IP address and could redirect the internet traffic towards him. We cannot control this attack. Source routing attack: This is a protocol exploit that is used by hackers to reach private IP addresses on an internal network by routing traffic through another machine that can be reached from both the Internet and the local network [7, 8]. TCP/IP to allow those sending network data to route the packets through a specific network point for better performance supports source routing. Administrators to map their networks or to troubleshoot routing problems also use it.

Trojan attacks:
Trojans are programs that masquerade as something else and allow hackers to take control of your machine, browse your drives, upload or download data, etc. For example, in 1999, a Trojan program file called Picture.exe was designed to collect personal data from the hard disk of an infiltrated computer and send it to a specific e-mail address. So-called Trojan ports are popular avenues of attack for these programs. Registry attack: In this type of attack, a remote user connects to a Windows machines registry and changes the registry settings. To prevent such an attack, configure permissions so that the every one group does not have access. Password hijacking attacks: The easiest way to gain unauthorized access to a protected system is to find a legitimate password. This can be done via social engineering (getting authorized users to divulge their passwords via persuasion, intimidation, or trickery) or using brute force method.

IGMP KOD
An IGMP based denial-of-service attack that depletes the stack's large envelopes and also has source IP address spoofing. KOD (Kiss of Death) is a denial-of-service attack, which results in "Blue Screen" error message (so called "blue screen of death") or instantaneous reboot of computer. KOD send to victim's computer malformed IGMP (Internet Group Management Protocol) packets causing TCP/IP stacks to fail.
Disclaimer: This material is copied from other websites, books and Wikipedia. INECERT doesnt take any responsibility of any copyright breaches. We are only advertising for information purposes only. This is given for Free. NOT FOR SALE. You can copy or share this material.

DOS attack
In computer security, a denial-of-service attack (DOS) is an attempt to make a computer resource unavailable to its intended users. Typically the targets are high-profile web servers, and the attack attempts to make the hosted web pages unavailable on the internet. It is a computer crime that violates the Internet proper use policy as indicated by the internet Architecture Board (IAB). DOS attacks have two general forms: i) Force the victim computer(s) to reset or consume its resources such that it can no longer provide its intended service. ii) Obstruct the communication media between the intended users and the victim so that they can no longer communicate adequately. A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include: _ flooding a network, thereby preventing legitimate network traffic; _ Disrupting service to a specific system or person. _ Attacks can be directed at any network device, including attacks on routing devices and web, electronic mail, or Domain Name System Servers. _ Consumption of computational resources, such as bandwidth, disk space, or CPU time

DOS conceal
Vulnerability exists in the conceal firewall product that causes the vulnerable system to reboot or Lock up when a large number of spoofed UDP packets are received by the firewall. The way this Attack kills the machine happens in 2 ways If Conceal is set for "learning" mode the flooding packets from all the different IPs and Ports will cause the program to continuously attempt to write more and more new rules. This Eventually uses up all the resources and results in a freeze and eventually a reboot. If Conceal is set to log attacks, once again because of the number of packets the system Resources are eaten up and the machine dies.

DOS bloop
It is a denial Of Service attack that sends random spoofed ICMP packets. ICMP flooding is Probably the most common type of Denial of Service attack, since nearly all websites reply to ICMP packets, its easy to use ICMP flooding to shut them down. The result of the attack is Freezes the users machine or a CPU usage will rise to extreme lag potential. ICMP flooding works by sending a lot of ICMP packets to the target machine, for each packet Sent the remote computer has to reply to each one, meaning it would exhaust the machines
Disclaimer: This material is copied from other websites, books and Wikipedia. INECERT doesnt take any responsibility of any copyright breaches. We are only advertising for information purposes only. This is given for Free. NOT FOR SALE. You can copy or share this material.

Bandwidth so a legitimate user could not access the server. ICMP packets are better known as Pings, they are used to see if a remote computer is online.

NMAP
NMAP was the source of strange new scan patterns started being detected by the SHADOW ID Systems located throughout the Internet. This scans signature is characterized by SYN packets Sent to apparently random destination ports over some discreet range of values. At the end of These scans we typically see several packets to high numbered TCP and UDP ports, followed by A small number of packets to a common destination port. The two basic scan types used most in NMAP [8, 9] are TCP connect () scanning and SYN scanning also known as half-open, or stealth Scanning.

DNS solinger
Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) Protocols that provides an openly re-distributable reference implementation of the major Components of the Domain Name System. BIND SOLINGER vulnerability could allow remote Attackers to hang the service for periods up to 120 seconds by initiating abnormal TCP Connections to the daemon. In some systems, it is possible to set the system wide solinger Timeout to a lower value, however this may have unexpected consequences with other Applications. Attacking Tools 1) NMAP 2) Nessus 3) Metasploit 4) Pass-the-hash 5) Hydra 6) Cain & Abel 7) Jhon the riper 8) Snort 9) Kismet 10) Hping3 11) Unicorn

Disclaimer: This material is copied from other websites, books and Wikipedia. INECERT doesnt take any responsibility of any copyright breaches. We are only advertising for information purposes only. This is given for Free. NOT FOR SALE. You can copy or share this material.

Glossary uRPF - Unicast Reverse Path Forwarding. uRFC will drop packets that are coming from the path that was not learned by routing protocol, or that the direction it is coming from is not matching routing path. There are 2 modes. "strict" - is when packet arrives on the interface that is not on reverse routing path, then it is dropped. "loose" - is when packet arrives and source is not in routing table, then it dropped. Also, if route is pointing to null0 interface, it is also dropped. uRPF requires CEF to work. strict# ip verify unicast reverse-path loose# ip verify unicast source reachable-via any loose# ip verify unicast source reachable-via rx 199 loose# access-list 199 deny ip 192.168.201 0.0.0.63 any log-input loose# access-list 199 permit ip 192.168.201.64 0.0.0.63 any log-input Packets with a source address of 192.168.201.10 arriving at interface Ethernet 0 are dropped because of the deny statement in ACL 199. Packets with a source address of 192.168.201.100 arriving at interface Ethernet 0 are forwarded RFC1918 - 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 RFC2827 - Internal network subnets. For example: 150.1.0.0/16 RFC3330 - 127.0.0.0/8, 192.0.2.0/24, 224.0.0.0/3, 255.255.255.255/32 Native VLAN - is a VLAN where all untagged frames are matched. On trunks native VLAN does not get encapsulated with ISL or dot1q. vlan dot1q tag native is afeature that tags all outgoing frames with Native VLAN ID, but all incoming frames without tag are dropped. DHCP Snooping - is a feature that creates table that maps IP address to MAC address on per interface basis, and then it will drop DHCP messages that do not appear inside DHCP snooping table. #ip dhcp snooping #ip dhcp snooping vlan 10 #int Fa0/3 #ip dhcp snooping trust // DHCP server port #int Fa0/24 #ip dhcp snooping trust // allow DHCP on port leading to the switch with DHCP server. If no DHCP Snooping is available, then we can use VLAN ACLs to block DHCP replies from all sources except DHCP server.

Disclaimer: This material is copied from other websites, books and Wikipedia. INECERT doesnt take any responsibility of any copyright breaches. We are only advertising for information purposes only. This is given for Free. NOT FOR SALE. You can copy or share this material.

Blackhole Filtering - is a configuration within BGP that allows to forward traffic to null0 interface. It is invoked by adding static route on the trigger router, and then it will propagate to all other routers within you AS, which will cause all of them to forward traffic from or to specific subnet to the blackhole. To trigger blackholing process: TriggerRT# ip route -victims_ip- -victims_mask- Null0 Trigger router configuration: TriggerRT# route-map RTBF permit 10 TriggerRT# match tag 999 TriggerRT# set local-preference 2000 TriggerRT# set ip next-hop 192.0.2.1 TriggerRT# route-map RTBF deny 20 TriggerRT# redistribute static route-map RTBF On Edge BGP router you will need to have static route to blackhole address: EdgeRT# ip route 192.0.2.1 255.255.255.255 Null0 Proxy ARP - is the technique in which one host, usually a router, answers ARP requests intended for another machine. By "faking" its identity, the router accepts responsibility for routing packets to the "real" destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway. To prevent hosts using this feature, issue: Router(config)#interface ethernet 0 Router(config-if)# no ip proxy-arp IP Redirects - ICMP redirect messages are used by routers to notify the hosts on the data link that a better route is available for a particular destination. To prevent attacker from using this feature, issue: Router(config)#interface ethernet 0 Router(config-if)# no ip redirects ICMP Rate Limiting - when you see U.U.U reply for your ICMP echo requests, then it means that somewhere on the path you were rate-limited using "# ip icmp rate-limit unreachable -ms-" command. Netflow Statistics - is a useful tool in network security troubleshooting. R1-6509Ea#show ip cache flow ------------------------------------------------------------------------------MSFC:
Disclaimer: This material is copied from other websites, books and Wikipedia. INECERT doesnt take any responsibility of any copyright breaches. We are only advertising for information purposes only. This is given for Free. NOT FOR SALE. You can copy or share this material.

IP packet size distribution (36621 total packets): 1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480 .407 .259 .308 .005 .001 .000 .000 .017 .000 .000 .000 .000 .000 .000 .000 512 544 576 1024 1536 2048 2560 3072 3584 4096 4608 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 .000 IP Flow Switching Cache, 4456704 bytes 33 active, 65503 inactive, 17877 added 140689 ager polls, 0 flow alloc failures Active flows timeout in 30 minutes Inactive flows timeout in 15 seconds IP Sub Flow Cache, 270664 bytes 33 active, 16351 inactive, 17877 added, 17877 added to flow 0 alloc failures, 0 force free 1 chunk, 1 chunk added last clearing of statistics never Protocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec) -------Flows /Sec /Flow /Pkt /Sec /Flow /Flow TCP-Telnet 88 0.0 101 41 0.0 18.8 14.3 TCP-FTP 3 0.0 1 40 0.0 0.0 15.4 TCP-WWW 7 0.0 2 124 0.0 0.0 9.6 TCP-SMTP 3 0.0 1 40 0.0 0.0 15.4 TCP-other 180 0.0 1 43 0.0 0.0 15.0 UDP-DNS 13732 0.0 1 28 0.0 0.5 18.5 UDP-NTP 2 0.0 1 76 0.0 0.0 15.4 UDP-other 2185 0.0 4 88 0.0 11.0 15.5 ICMP 1639 0.0 1 82 0.0 0.0 15.4 IP-other 5 0.0 47 131 0.0 222.2 15.4 Total: 17844 0.0 2 51 0.0 1.9 17.8 SrcIf Vl1000 Vl2 Vl2 Vl2 Vl2 Vl2 Vl2 Vl2 Vl2 Vl2 Vl2 SrcIPaddress DstIf 10.88.226.3 Null 10.89.236.132 Local 10.89.236.132 Local 10.89.236.132 Local 10.89.236.132 Local 10.89.236.132 Local 10.89.236.132 Local 10.89.236.132 Local 10.89.236.132 Local 10.89.236.132 Local 10.89.236.132 Local DstIPaddress Pr SrcP DstP Pkts 224.0.0.10 58 0000 0000 166 10.89.236.151 06 0791 008B 1 10.89.236.151 06 07D2 008B 1 10.89.236.151 06 0738 008B 1 10.89.236.151 06 0704 008B 1 10.89.236.151 06 0760 008B 1 10.89.236.151 06 06A0 008B 1 10.89.236.151 06 06B9 008B 1 10.89.236.151 06 06D5 008B 1 10.89.236.151 06 061F 008B 1 10.89.236.151 06 0663 008B 1

Disclaimer: This material is copied from other websites, books and Wikipedia. INECERT doesnt take any responsibility of any copyright breaches. We are only advertising for information purposes only. This is given for Free. NOT FOR SALE. You can copy or share this material.

Vl2 10.89.236.132 Local 10.89.236.151 06 067D 008B 1 Vl2 10.89.236.132 Local 10.89.236.151 06 0672 008B 1 Vl2 10.89.236.132 Local 10.89.236.151 06 06B0 01BD 1 Vl2 10.89.236.132 Local 10.89.236.152 06 06A9 01BD 1 Vl2 10.89.236.132 Local 10.89.236.153 06 06FE 01BD 1 Vl2 10.89.236.132 Local 10.89.236.154 06 06F0 01BD 1 Vl2 10.89.236.132 Local 10.89.236.155 06 06F4 01BD 1 Vl2 10.89.236.132 Local 10.89.236.156 06 0609 01BD 1 Vl2 10.89.236.132 Local 10.89.236.157 06 0600 01BD 1 Vl2 10.89.236.132 Local 10.89.236.158 06 0603 01BD 1 Vl2 10.89.236.132 Local 10.89.236.159 06 07A7 01BD 1 --------------- Output Truncated -----------------------------R1-6509Ea#show ip cache flow | include SrcIf|008B|01BD SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts Vl2 10.89.236.132 Local 10.89.236.151 06 0791 008B Vl2 10.89.236.132 Local 10.89.236.152 06 07D2 008B Vl2 10.89.236.132 Local 10.89.236.153 06 0738 008B Vl2 10.89.236.132 Local 10.89.236.155 06 0704 008B Vl2 10.89.236.132 Local 10.89.236.156 06 0760 008B Vl2 10.89.236.132 Local 10.89.236.157 06 06A0 008B Vl2 10.89.236.132 Local 10.89.236.158 06 06B9 008B Vl2 10.89.236.132 Local 10.89.236.159 06 06D5 008B Vl2 10.89.236.132 Local 10.89.236.160 06 061F 008B Vl2 10.89.236.132 Local 10.89.236.161 06 0663 008B Vl2 10.89.236.132 Local 10.89.236.162 06 067D 008B Vl2 10.89.236.132 Local 10.89.236.163 06 0672 008B Vl2 10.89.236.132 Local 10.89.236.164 06 0641 008B Vl2 10.89.236.132 Local 10.89.236.165 06 065F 008B Vl2 10.89.236.132 Local 10.89.236.151 06 06B8 01BD Vl2 10.89.236.132 Local 10.89.236.152 06 06A5 01BD Vl2 10.89.236.132 Local 10.89.236.153 06 06D9 01BD Vl2 10.89.236.132 Local 10.89.236.154 06 06DA 01BD Vl2 10.89.236.132 Local 10.89.236.155 06 06CC 01BD Vl2 10.89.236.132 Local 10.89.236.156 06 06C6 01BD Vl2 10.89.236.132 Local 10.89.236.157 06 0611 01BD Vl2 10.89.236.132 Local 10.89.236.158 06 0630 01BD Vl2 10.89.236.132 Local 10.89.236.159 06 0631 01BD Vl2 10.89.236.132 Local 10.89.236.160 06 0677 01BD --------------- Output Truncated ------------------------------

1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

Disclaimer: This material is copied from other websites, books and Wikipedia. INECERT doesnt take any responsibility of any copyright breaches. We are only advertising for information purposes only. This is given for Free. NOT FOR SALE. You can copy or share this material.