CCIE Security: Theory – Section 4

More notes!

4.0 Threats, Vulnerability Analysis, and Mitigation

4.1 Recognize and mitigate common attacks
4.1.a ICMP attacks and PING floods

ICMP – network layer, can be used to send payloads.
ICMP tunnelling – establishes a tunnel between client and server, uses ICMP echo requests and replies. Undetectable for proxy-based firewall. Deep packet inspection should detect. Can use Hping to test:

hping -c 1 -n <destination> -e "Secret message" -1

If want to detect then normal echo request is 42 bytes – this tunnel will be longer. Use IDS/IPS rule to look for data in ICMP data header.

Common program is LOKI.

Smurf Attack – when type 8 sent (echo request) a type 0 is sent back (echo reply). In Smurf attack attacker will spoof the source address of the ICMP packet and send a broadcast to all computers. Network gets congested.

Filters on routers to counteract spoofing. Filter broadcasts on L3 devices.
“no ip directed-broadcast”

Fraggle attack – same as Smurf but uses UDP. prevention is the same.

ICMP also used for information gathering. Because TTL is decremented you can map out where devices are in the network.

Port scan – can find open ports.

OS fingerprinting – If ICMP reply contains TTL of 128 = Windows, if TTL = 64 then Linux-based. Then can use timestamp to work out the version (no timestamp reply on Windows server/NT), timestamp reply on Win 98, 2000, ME – not sure about recent.

ICMP router discovery – will discover IP address of neighboring routers. Using Router Advertisements or Router Solicitations.  RA – type 9, code 0. Router discovery protocol has no authentication. Can be used in MITM attacks.

Digital certificates, block all type 9 and type 10 ICMP packets.

Teardrop – Will crash or reboot machines, exploits overlapping IP fragments – each fragment has originals IP packets header & field w/ bytes contained. Destination tries to reassemble it cannot be done.

PING flood – overwhelming of ICMP echo requests.

4.1.b MITM

Rouge APs

Need to add more here 🙂

4.1.c Replay

Valid data transmission repeated or delayed. can be used w/ MITM to sniff authentication traffic and elevate privileges.

Use session tokens, OTP, Message Authentication Codes (MAC), timestamping.

4.1.d Spoofing

ARP spoofing – attacker sends spoofed ARP messages, to associate attacker’s MAC w/ IP address of legitimate host – can be used to form MITM attacks.

Dynamic ARP – Uses a trusted database. DHCP snooping can be used to build the trusted database, or can be built by manual configuration (from the CLI).

Legitimate uses in Proxy ARP. w/ gratuitous ARP requests.

IP address spoofing – USED in DoS – Botnet use makes IP address spoofing less pronounced.

Packet filtering can defend against IP address spoofing, w/ ingress filtering and egress filtering. Block packets from outside w/ inside source address, or block packet from inside w/ source address not from the inside.
TCP uses sequence numbers to ensure arriving packets are part of established connection.

4.1.e Backdoor

Unauthorized remote access. Worms such as Sobig & Mydoom can do this as well as dedicated software (Back Orifice)

4.1.f Botnets

A Botnet is a collection of similar programs that work together to execute specific tasks
Server is command-and-control (C&C), Often uses IRC, Twitter or IM to relay commands to bots.

4.1.g Wireless attacks

Sniffing – Kismet
Probing & discoveryActive probing – attacker sends probe requests w/out SSID. Passive probing – listening on all channels for all sent and received – netstumbler – active, kismet passive.

Surveillance – kismet / airodump – can save in pcap. can gather WEP traffic and pass to aircrack (if enough WEP IVs).

4.1.h DoS and DDoS attacks

ICMP flood
SYN Flood– forged sender address, causes half-open connections by sending SYN/ACK, waiting for ACK which it never gets. Half-open connections saturate the number of connections.
HTTP POST – uses content-length then sends really slowly – server has to wait, slowing down the server.
Reflected DDOS – send packets w/ spoofed IP (target machine) relies will flood the target – Smurf attack is one form of this.

Block IPs on firewalls, use deep packet inspection
ACLs & rate limiting on switches & routers
Black-hole traffic
Storm control (level is the % of total available bandwidth of the port) monitors the broadcast, multicast and unicast traffic, can help

4.1.i Virus and worm outbreaks

Virus – modifies other programs and can attach themselves to other programs or replicate on execution
Worm – standalone malicious program that copies itself from one host to another over a network and carries other programs (payload)

ACLs, packet-filters, nullrouting.

Trojan horse – Appears to have one function but actually performs a different function

4.1.j Header attacks

HTTP header injection – headers dynamically generated based on user input, can allow for HTTP response splitting, session fixation, XSS and malicious redirect attacks.
TCP reset – header has RST flag (reset) – usually set to 0. If set to 1 then indicates receiving computer should immediately stop using the TCP connection. Can be forged by 3rd machine to kill connection.
Sequence attacks – intercept communication – uses number prediction

4.1.k Tunnelling attacks

SSH tunnelling – uses TCP forwarding:

ssh -f user@remote -L 2000:localhost 25 -N
telnet localhost 2000
send spam!

Set “AllowTCPForwarding no” on ssh config

DNS tunnelling – website blocked by proxy – use DNS tunnelling – data encapsulated in DNS query and reply – using base32 and base64 encoding.


4.2 Software and OS exploits

Can be used for privilege escalation, or pivoting – using compromised system to attack another – avoiding firewall etc.

4.3 Security and attack tools

Kali linux / Backtrack
Burp suite


4.4 Generic network intrusion prevention concepts

Signature-based – monitors packets for pre-configured/pre-determined attack patterns
Statistical anomaly-based – creates baseline – bandwidth, application use, protocol use, etc – alerts on anomaly.
Stateful protocol analysis – identifies deviations of protocol states

Can sit in-line, or can have traffic passed to it (SPAN etc). can send alarms, drop traffic, reset connections, blocking IP addresses. Can correct CRC errors, unfragmented packet streams, prevent TCP sequencing issues etc.

4.5 Packet filtering

Basic Packet Filter – Allow or block traffic based on address and port. Will pass, drop (silent discard), or reject (send error response).

Stateful filters work up to L4 – Stateful Packet inspection – retains enough of packet to determine the state (new connection, existing connection)

Application layer – can understand applications and protocols – can detect of unwanted protocol is trying to bypass firewall on allowed port. Deeper inspection – IPS/WAF can mitigate.

4.6 Content filtering and packet inspection

Deep Packet Inspection – examines data & optionally the header of a packet. Combines IPS/IDP w/ stateful firewall.

4.7 Endpoint and posture assessment

Network Admission Control (NAC) – users must authenticate, and can be quarantined if AV not up to date etc.
802.1x, MS AD, Cisco NAC, can be implemented as part of AnyConnect

4.8 QoS marking attacks

Change QoS markings on packet to benefit from QoS – better class of service.
Configuration & provisioning – hackers target the provisioning system, changing the QoS configuration
Data forwarding – injects traffic with QoS markings (DSCP)