
1 © 1999, Cisco Systems, Inc. 1-1 Securing Routers Against Hackers and Denial of Service Attacks Lou Ronnau

2 © 1999, Cisco Systems, Inc. Outline
IP Refresher
Attack Types
Network Layer Attacks
Transport Layer Attacks
Application Layer Attacks

3 © 1999, Cisco Systems, Inc. Outline (cont.)
Reconnaissance
Initial Access
Questions

4 © 1999, Cisco Systems, Inc. IP Refresher

5 © 1999, Cisco Systems, Inc. TCP/IP Protocol Stack
OSI Reference Model: Application, Presentation, Session, Transport, Network, Data Link, Physical
IP Conceptual Layers: Application, Transport, Internet, Network Interface (Ethernet, 802.3, 802.5, ATM, FDDI, and so on)

6 © 1999, Cisco Systems, Inc. Internet Layer Refresher
IP datagram header fields: VERS, HLEN, Type of Service, Total Length, ID, Flags, Frag Offset, TTL, Protocol, Header Checksum, Src IP Address, Dst IP Address, IP Options, Data
Internet layer protocols:
  – Internet Protocol (IP)
  – Internet Control Message Protocol (ICMP)
  – Address Resolution Protocol (ARP)
  – Reverse Address Resolution Protocol (RARP)

7 © 1999, Cisco Systems, Inc. Transport Layer Refresher
Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
TCP segment format: Src Port, Dst Port, Seq #, Ack #, HLEN, Reserved, Code Bits, Window, Checksum, Urgent Ptr, Options, Data
UDP segment format: Src Port, Dst Port, Length, Checksum, Data

8 © 1999, Cisco Systems, Inc. Port Numbers
[Figure: application layer services mapped to transport layer port numbers; only the value 443 survived extraction]
TCP: Telnet, SMTP, DNS, HTTP, SSL (443)
UDP: DNS, TFTP

9 © 1999, Cisco Systems, Inc. Application Layer Refresher
Web Browsing (HTTP, SSL)
File Transfer (FTP, TFTP, NFS, File Sharing)
Electronic Mail (SMTP, POP2, POP3)
Remote Login (Telnet, rlogin)
Name Management (DNS)
Microsoft Networking Services

10 © 1999, Cisco Systems, Inc. Attack Types

11 © 1999, Cisco Systems, Inc. Attack Types
Attacks are classified by what the signature examines (Context: the header; Content: the data) and by how many packets it needs (“Atomic”: a single packet; “Composite”: multiple packets).
Context, Atomic: Ping of Death, Land Attack
Context, Composite: Port Sweep, SYN Attack, TCP Hijacking
Content, Atomic: MS IE Attack, … Attacks
Content, Composite: Telnet Attacks, Character Mode Attacks

12 © 1999, Cisco Systems, Inc. Attack Types (cont.)
Reconnaissance
  – Host scan, port scan, SMTP VRFY
Access
  – Spoofing, session hijacking
Denial of service
  – SYN attacks, ping-of-death, teardrop, WinNuke
Privilege escalation
  – MS IE %2ASP, ftp cwd ~root

13 © 1999, Cisco Systems, Inc. Demystifying Common Attacks
[Figure: common attacks placed on the Application, Transport, Internet and Network Interface layers]
Java, ActiveX, and Script Execution; EXPN; WinNuke; SYN Flood; UDP Bomb; Port Scan; Land.c; Ping Flood; Ping of Death; IP Spoof; Address Scanning; Source Routing; Sniffer/Decoding; MAC Address Spoofing

14 © 1999, Cisco Systems, Inc. Network Layer Attacks

15 © 1999, Cisco Systems, Inc. IP Layer Attacks
[Figure: protocol stack (Application, TCP/UDP, IP, Data Link, Physical) with the IP layer highlighted]
IP Options
IP Fragmentation
Bad IP packets
Spoofed Addresses

16 © 1999, Cisco Systems, Inc. IP Fragmentation Attacks
IP Fragment Attack
  – Offset value too small
  – Indicates unusually small packet
  – May bypass some packet filter devices
IP Fragments Overlap
  – Offset value indicates overlap
  – Teardrop attack
[Figure: IP header with the Flags and Frag Offset fields highlighted]

17 © 1999, Cisco Systems, Inc. IP Fragmentation
Routers and Internet gateways are stateless devices
Improperly fragmented packets are forwarded normally with other traffic
Catching them requires “stateful inspection”

18 © 1999, Cisco Systems, Inc. Bad IP Packet Attacks
Unknown IP Protocol
  – Proto = invalid or undefined
Impossible IP Packet
  – Same source and destination
  – Land attack
[Figure: IP header with the Proto, Source IP and Destination IP fields highlighted]

19 © 1999, Cisco Systems, Inc. IP Address Spoofing
Source IP address set to that of a trusted host or a nonexistent host
Access lists applied at the source are the only protection
Best applied at the connection to the Internet

20 © 1999, Cisco Systems, Inc. Spoofing: Access by Impersonation
An inbound access list on the Internet-facing serial interface denies packets that claim either of two address ranges and permits everything else (the addresses on the slide were not captured):

  interface Serial 1
   ip address <not captured>
   ip access-group 111 in
   no ip directed-broadcast
  !
  interface Ethernet 0/0
   ip address <not captured>
   no ip directed-broadcast
  !
  access-list 111 deny ip <not captured> any
  access-list 111 deny ip <not captured> any
  access-list 111 permit ip any any

[Figure: spoofed IP packet (D = …, S = …) arriving on Serial 1]
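
The point of slides 19 and 20 is that the access list only works where it is bound: inbound on the interface facing the Internet, so that a packet carrying an inside source address is refused there while the same address arriving on the inside interface passes. The Python below is an added example written for this transcript, not Cisco code or anything from the deck. It models access-list 111 as an ordered list of (action, source prefix) lines with IOS first-match semantics and the implicit trailing deny, binds it inbound on Serial 1 only, and runs three constructed packets through it. The prefixes 192.0.2.0/24 and 198.51.100.0/24 stand in for the inside networks whose addresses the slide did not preserve.

```python
from ipaddress import ip_address, ip_network

# Constructed inside prefixes behind Ethernet 0/0; the slide's real addresses were not captured.
INSIDE = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
ANY = ip_network("0.0.0.0/0")


def access_list_111(inside):
    """One (action, source prefix) tuple per ACL line, in order. As in IOS the
    first matching line wins, and evaluate() supplies the implicit final deny."""
    return [("deny", net) for net in inside] + [("permit", ANY)]


def evaluate(acl, src):
    """Walk the ACL top to bottom against the packet's source address."""
    addr = ip_address(src)
    for action, net in acl:
        if addr in net:
            return action
    return "deny"   # implicit 'deny ip any any' at the end of every IOS access list


# Only Serial 1 (the Internet side) carries 'ip access-group 111 in'; Ethernet 0/0 has none.
INBOUND_ACLS = {"Serial1": access_list_111(INSIDE), "Ethernet0/0": None}


def forward(iface, src, dst):
    """Decide whether a packet arriving inbound on iface is forwarded, with a reason."""
    acl = INBOUND_ACLS[iface]
    if acl is None:
        return "permit", "no inbound ACL on interface"
    action = evaluate(acl, src)
    if action == "deny":
        return action, "inside source address arriving from the Internet (spoofed)"
    return action, "matched 'permit ip any any'"


def run_demo():
    """Constructed traffic: a spoofed inside source from the Internet, the same
    inside address seen on the inside interface, and an ordinary Internet client."""
    samples = [("Serial1", "192.0.2.7", "192.0.2.10"),
               ("Ethernet0/0", "192.0.2.7", "203.0.113.9"),
               ("Serial1", "203.0.113.9", "192.0.2.10")]
    return [(iface, src, forward(iface, src, dst)[0]) for iface, src, dst in samples]
```

The model deliberately has no notion of the destination address: the slide's list filters purely on source, which is why it belongs on the Internet-facing interface and nowhere else.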

21 © 1999, Cisco Systems, Inc. IP Options
IP Header
  – 20 bytes
IP Options
  – Adds up to 40 additional bytes
  – Only 8 valid options
[Figure: IP header followed by Options and payload]

22 © 1999, Cisco Systems, Inc. IP Options (cont.)
Option byte layout: CP | Class | Option # | Length (if used) | Parameters...
Copy: 0—don’t include options in packet fragments; 1—include options in packet fragments
Class: 0—Network Control; 2—Debugging
Option: one of eight valid options
Length: number of bytes in option (if used by option)
Parameters: parameters passed by the option
Last option is always option 0.

23 © 1999, Cisco Systems, Inc. IP Options (cont.)
Option #  Option Name
0         End of Options
1         No Operation
2         Security
3         Loose Source Rte
4         Timestamp
7         Record Route
8         Stream ID
9         Strict Source Rte
Option #2 is rarely used
Option #4 is rarely used
Option #7 is used to record the route (gateways) that a packet has traversed
Option #8 is rarely used

24 © 1999, Cisco Systems, Inc. IP Source Routing
Two options: #3 loose source routing and #9 strict source routing
Can be used to bypass filters (ACLs)
Some machines with multiple interfaces route source-routed packets even with IP forwarding turned off
Router command: no ip source-route

25 © 1999, Cisco Systems, Inc. ICMP Attacks
[Figure: protocol stack with ICMP shown at the IP layer]
ICMP Traffic Records
Ping Sweeps
ICMP Attacks

26 © 1999, Cisco Systems, Inc. ICMP Query Message
Header: Type | Code | Checksum | Identifier | Sequence # | Data...
Type:
  – 0—Echo Reply
  – 8—Echo Request
  – 13—Timestamp Request
  – 14—Timestamp Reply
  – 15—Information Request
  – 16—Information Reply
  – 17—Address Mask Request
  – 18—Address Mask Reply
Code: codes associated with each ICMP type
Checksum: checksum value of header fields (excluding the checksum itself)

27 © 1999, Cisco Systems, Inc. ICMP Query Message (cont.)
Echo Reply: Type=0
Echo Request: Type=8
Timestamp Request: Type=13
Timestamp Reply: Type=14
[Figure: IP header followed by ICMP header (Type, Code, Checksum)]

28 © 1999, Cisco Systems, Inc. ICMP Error Message
Header: Type | Code | Checksum | Unused | IP Header + 8 bytes of Original Datagram Data
Type:
  – 3—Destination Unreachable
  – 4—Source Quench
  – 5—Redirect
  – 11—Time Exceeded
  – 12—Parameter Problem
Code: codes associated with each ICMP type
Checksum: checksum value of header fields (excluding the checksum itself)

29 © 1999, Cisco Systems, Inc. ICMP Error Messages
Unreachable: Type=3
Source Quench: Type=4
Redirect: Type=5
Time Exceeded: Type=11
Parameter Problem: Type=12
[Figure: IP header followed by ICMP header (Type, Code, Checksum)]

30 © 1999, Cisco Systems, Inc. ICMP Attacks
Fragmented ICMP packet
  – Flag = more fragments, or Offset ≠ 0
ICMP Floods
  – Many ICMP packets
  – To single host
[Figure: IP header (Flags, Frag Offset, Length) followed by ICMP header]

31 © 1999, Cisco Systems, Inc. ICMP Attacks (cont.)
ICMP Smurf attack
  – Type=0 (echo reply)
  – Many packets
  – To single host
ICMP Ping of Death
  – Flag = last fragment
  – Offset*8 + Length > … (limit not captured)
[Figure: IP header (Proto, Flags, Frag Offset) followed by ICMP header]

32 © 1999, Cisco Systems, Inc. Smurfs
ICMP echo request with spoofed source address
Destination address set to the network broadcast address of a network (so-called ping amplifier)
All hosts on the pinged network reply to the spoofed address
Interface command: no ip directed-broadcast

33 © 1999, Cisco Systems, Inc. Ping of Death
IP ping larger than … bytes (ICMP echo request; size not captured)
Transmitted in fragments
Crashes some operating systems on reassembly

34 © 1999, Cisco Systems, Inc. Loki Attack
Loki is a tool used to hide hacker traffic inside an ICMP tunnel. It requires root access.
Original Loki: Phrack Issue 51
Modified Loki version
[Figure: Loki ICMP tunnel]

35 © 1999, Cisco Systems, Inc. Transport Layer Attacks

36 © 1999, Cisco Systems, Inc. TCP Attacks
[Figure: protocol stack with TCP highlighted]
TCP Traffic Records
TCP Port Scans
TCP Host Sweeps
Mail Attacks
FTP Attacks
Web Attacks
NetBIOS Attacks
SYN Flood & TCP Hijack Attacks
TCP Applications

37 © 1999, Cisco Systems, Inc. TCP Port Scans
A TCP Port Scan occurs when one host searches for multiple TCP services on a single host.
Common scans
  – use normal TCP-SYN
Stealth scans
  – use FIN, SYN-FIN, null, or PUSH
  – and/or fragmented packets
[Figure: IP header and TCP header (Source Port, Dest Port, Sequence Number, Acknowledge Sequence Num, Len, Res, Flags, Window, Checksum, Urgent Pointer)]

38 © 1999, Cisco Systems, Inc. TCP Port Scan Attacks
Port Sweep: SYNs to ports < 1024; triggers when the type of sweep can’t be determined
SYN Port Sweep: SYNs to any ports
Frag SYN Port Sweep: fragmented SYNs to many ports
FIN port sweep: FINs to ports < 1024
Frag FIN port sweep: fragmented FINs to ports < 1024
High port sweep: SYNs to ports > 1023; triggers when the type of sweep can’t be determined
FIN High port sweep: FINs to ports > 1023

39 © 1999, Cisco Systems, Inc. TCP Port Scan Attacks (cont.)
Frag High FIN port sweep: fragmented FINs to ports > 1023
Null port sweep: TCPs without SYN, FIN, ACK, or RST to any ports
Frag Null port sweep: fragmented TCPs without SYN, FIN, ACK, or RST to any ports
SYN FIN port sweep: SYN-FINs to any port
Frag SYN/FIN port sweep: fragmented SYN/FINs to any ports
Queso sweep: FIN, SYN/FIN, and a PUSH

40 © 1999, Cisco Systems, Inc. TCP Host Sweeps
A TCP Host Sweep occurs when one host searches for a single TCP service on multiple hosts.
Common scans
  – use normal TCP-SYN
Stealth scans
  – use FIN, SYN-FIN, and null
  – and/or fragmented packets
[Figure: IP header and TCP header]

41 © 1999, Cisco Systems, Inc. TCP Host Sweep Attacks
SYN host sweep: SYNs to same port
Frag SYN host sweep: fragmented SYNs to same port
FIN host sweep: FINs to same port
Frag FIN host sweep: fragmented FINs to same port
NULL host sweep: TCPs without SYN, FIN, ACK, or RST to same port
Frag NULL host sweep: fragmented packets without SYN, FIN, ACK, or RST to same port
SYN/FIN host sweep: SYN-FINs to same port
Frag SYN/FIN host sweep: fragmented SYN-FINs to same port
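
Slides 37 to 41 describe the sweep signatures as combinations of three things: the flag pattern of the probe (SYN, FIN, SYN/FIN, or none of SYN/FIN/ACK/RST), whether the probe was fragmented, and whether one source fans out across ports on one host (port sweep) or across hosts on one port (host sweep). The Python below is an added example written for this transcript, not Cisco code or any IDS's logic: it classifies constructed probe records the way the slides' signature names do and raises an alert once a source crosses a distinct-port or distinct-host threshold. The thresholds, the record format and the sample traffic are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10
PORT_THRESHOLD = 5    # constructed: distinct ports on one host before alerting
HOST_THRESHOLD = 5    # constructed: distinct hosts on one port before alerting


@dataclass(frozen=True)
class Probe:
    """One TCP segment seen by the sensor (constructed record format)."""
    src: str
    dst: str
    dport: int
    flags: int
    fragmented: bool = False


def scan_type(flags: int) -> str:
    """Name the probe the way the slides' signature list does."""
    if (flags & (SYN | FIN)) == (SYN | FIN):
        return "SYN/FIN"
    if (flags & SYN) and not (flags & ACK):
        return "SYN"
    if (flags & FIN) and not (flags & ACK):
        return "FIN"
    if not (flags & (SYN | FIN | ACK | RST)):
        return "Null"            # no SYN/FIN/ACK/RST; a bare PUSH lands here too
    return "other"               # ACK-bearing segments belong to established sessions


def detect_sweeps(probes):
    """Port sweep: one source, one host, many ports. Host sweep: one source,
    one port, many hosts. Both are keyed on flag pattern and fragmentation so
    the alert text carries the slide's signature name (e.g. 'Frag FIN host sweep')."""
    ports_per_host = defaultdict(set)    # (src, dst, kind, frag) -> {dport}
    hosts_per_port = defaultdict(set)    # (src, dport, kind, frag) -> {dst}
    for p in probes:
        kind = scan_type(p.flags)
        if kind == "other":
            continue
        ports_per_host[(p.src, p.dst, kind, p.fragmented)].add(p.dport)
        hosts_per_port[(p.src, p.dport, kind, p.fragmented)].add(p.dst)

    alerts = []
    for (src, dst, kind, frag), ports in ports_per_host.items():
        if len(ports) >= PORT_THRESHOLD:
            # The slides split sweeps at port 1024 ('< 1024' versus '> 1023').
            band = "high" if min(ports) > 1023 else "low" if max(ports) < 1024 else "mixed"
            alerts.append(f"{'Frag ' if frag else ''}{kind} {band}-port sweep "
                          f"{src}->{dst} ({len(ports)} ports)")
    for (src, dport, kind, frag), hosts in hosts_per_port.items():
        if len(hosts) >= HOST_THRESHOLD:
            alerts.append(f"{'Frag ' if frag else ''}{kind} host sweep "
                          f"{src} port {dport} ({len(hosts)} hosts)")
    return alerts


def sample_probes():
    """Constructed records: a SYN sweep of low ports on one host, a FIN sweep of
    port 23 across seven hosts, and one ordinary connection attempt."""
    probes = [Probe("203.0.113.5", "198.51.100.10", p, SYN)
              for p in (21, 23, 25, 80, 110, 143)]
    probes += [Probe("203.0.113.6", "198.51.100.%d" % h, 23, FIN) for h in range(1, 8)]
    probes.append(Probe("198.51.100.50", "198.51.100.10", 443, SYN))
    return probes
```

A plain SYN host sweep on port 80 looks exactly like a busy web client, which is why the slides note that the generic sweep signatures only fire when a more specific type cannot be determined; in practice the SYN thresholds are set higher than the FIN and Null ones, since those flag patterns never occur in legitimate connection setup.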

42 © 1999, Cisco Systems, Inc. SYN Flood and TCP Hijacks
Half-Open SYN attack
  – DoS: SYN flood attack
  – Ports 21, 23, 25, and 80
TCP Hijacking
  – Access: attempt to take over a TCP session

43 © 1999, Cisco Systems, Inc. TCP Intercept Protects Networks Against SYN Floods
[Figure: request intercepted by the router, connection established with the client, connection transferred to the server]
TCP SYN flooding can overwhelm a server and cause it to deny service, exhaust memory, or waste processor cycles
TCP Intercept protects the network by intercepting TCP connection requests and replying on behalf of the destination
Can be configured to passively monitor TCP connection requests and respond if a connection fails to get established within a configurable interval

44 © 1999, Cisco Systems, Inc. TCP Intercept
Enable TCP Intercept (global configuration mode):
  access-list access-list-number {deny | permit} tcp any destination destination-wildcard
  ip tcp intercept list access-list-number
Set the TCP Intercept mode (global configuration mode):
  ip tcp intercept mode {intercept | watch}
Set the TCP Intercept drop mode:
  ip tcp intercept drop-mode {oldest | random}        ; default = oldest
Change the TCP Intercept timers:
  ip tcp intercept watch-timeout seconds              ; default = 30 seconds
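
To make the two slides above concrete, the Python below is an added example written for this transcript, not Cisco's implementation of TCP Intercept: it models watch mode as described, tracking each SYN matched by the intercept list until the handshake completes or the watch timer (default 30 seconds) expires, at which point the router would reset the half-open connection on the server's behalf; when the half-open table is full, drop-mode decides whether the oldest or a random entry is sacrificed. The table limit of 1100 and the traffic in run_demo are constructed for the example.

```python
import random
from dataclasses import dataclass, field


@dataclass
class TcpIntercept:
    """Watch-mode model: SYNs to protected servers are tracked until the
    handshake completes or the watch timer expires (added example, not IOS)."""
    watch_timeout: float = 30.0      # ip tcp intercept watch-timeout 30 (slide default)
    drop_mode: str = "oldest"        # ip tcp intercept drop-mode {oldest | random}
    max_half_open: int = 1100        # constructed table limit for the demo
    half_open: dict = field(default_factory=dict)   # flow -> time the SYN was seen
    resets: list = field(default_factory=list)      # (reason, flow) the router would RST
    rng: random.Random = field(default_factory=lambda: random.Random(1))

    def on_syn(self, now, flow):
        """Client SYN matched by the intercept access list: start watching it."""
        self.expire(now)
        if len(self.half_open) >= self.max_half_open:
            if self.drop_mode == "oldest":
                victim = min(self.half_open, key=self.half_open.get)
            else:
                victim = self.rng.choice(list(self.half_open))
            del self.half_open[victim]
            self.resets.append(("table-full", victim))
        self.half_open[flow] = now

    def on_established(self, flow):
        """Third handshake segment seen: the server accepted, stop watching."""
        self.half_open.pop(flow, None)

    def expire(self, now):
        """Reset every connection still half-open after watch_timeout seconds."""
        stale = [f for f, t in self.half_open.items() if now - t > self.watch_timeout]
        for f in stale:
            del self.half_open[f]
            self.resets.append(("watch-timeout", f))
        return len(stale)


def run_demo():
    """Constructed scenario: three real clients finish their handshakes, then a
    flood of 1500 SYNs from spoofed sources never completes."""
    ti = TcpIntercept()
    for i in range(3):
        flow = ("198.51.100.%d" % (i + 1), 40000 + i, "192.0.2.25", 80)
        ti.on_syn(float(i), flow)
        ti.on_established(flow)
    for i in range(1500):   # spoofed SYNs all arriving at t = 10 s, never acknowledged
        ti.on_syn(10.0, ("203.0.113.%d" % (i % 250 + 1), 1024 + i, "192.0.2.25", 80))
    table_full = sum(1 for reason, _ in ti.resets if reason == "table-full")
    expired = ti.expire(41.0)          # 31 s later, past the 30 s watch timeout
    return {"table_full_resets": table_full, "expired": expired,
            "still_half_open": len(ti.half_open)}
```

The difference between the two modes is where the state lives: in intercept mode the router completes the handshake itself and only then opens the server side, so the server never sees a half-open connection; in watch mode, modelled here, the server holds the half-open entries and the router merely guarantees they are cleaned up after the timeout.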

45 © 1999, Cisco Systems, Inc. TCP Hijacks
TCP Hijacking
  – Works by correctly guessing sequence numbers
  – Newer operating systems and firewalls eliminate the problem by randomizing sequence numbers
TCP Hijacking Simplex Mode
  – One command followed by RST

46 © 1999, Cisco Systems, Inc. Land.c Attack
Spoofed packet with SYN flag set
Sent to open port
SRC addr/port same as DST addr/port
Many operating systems lock up

47 © 1999, Cisco Systems, Inc. UDP Attacks
[Figure: protocol stack with UDP highlighted]
UDP Traffic Records
UDP Port Scan
UDP Attacks
UDP Applications

48 © 1999, Cisco Systems, Inc. UDP Port Scans
UDP port scans
  – One host searches for multiple UDP services on a single host
[Figure: IP header and UDP header (Source Port, Dest Port, Length, Checksum, Data)]

49 © 1999, Cisco Systems, Inc. UDP Attacks
UDP flood (disabled)
  – Many UDPs to same host
UDP Bomb
  – UDP length < IP length
Snork
  – Src=135, 7, or 19; Dest=135
Chargen DoS
  – Src=7 & Dest=19
[Figure: IP header and UDP header]
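
Most of the header conditions named on slides 16, 18, 30, 31, 33, 46 and 49 can be checked mechanically from the IP and UDP headers alone; only the overlapping-fragment (Teardrop) case needs the per-datagram state that slide 17 says a stateless router lacks. The Python below is an added example written for this transcript, not Cisco code or any product's signature engine. It parses a raw IPv4 header, flags the Land, unknown-protocol, tiny-fragment, Ping-of-Death, fragmented-ICMP, UDP bomb, Snork and chargen conditions per packet, and keeps fragment ranges per datagram so an overlap can be reported. The 65535 limit is the IPv4 Total Length maximum; the protocol allow-list, the 16-byte tiny-fragment threshold (RFC 1858's reasoning) and every sample packet are constructed for the example.

```python
import struct
from dataclasses import dataclass, field

IPV4_MAX_TOTAL_LEN = 65535          # IPv4 Total Length is a 16-bit field
ASSIGNED_PROTOCOLS = {1, 2, 6, 17}  # ICMP, IGMP, TCP, UDP: constructed allow-list
MIN_TRANSPORT_HEADER = 16           # RFC 1858 tiny-fragment threshold, in bytes
ICMP, UDP = 1, 17


@dataclass
class IPv4:
    total_len: int
    ident: int
    more_frags: bool   # MF flag
    frag_off: int      # fragment offset in 8-byte units
    proto: int
    src: str
    dst: str
    payload: bytes


def build_ipv4(src, dst, proto, payload, ident=1, frag_off=0, more_frags=False):
    """Constructed test packet: minimal 20-byte header, checksum left at zero."""
    ff = (0x2000 if more_frags else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, ff, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload


def build_udp(sport, dport, data=b"", length=None):
    """Constructed UDP header; 'length' overrides the correct value to model a bomb."""
    ulen = 8 + len(data) if length is None else length
    return struct.pack("!HHHH", sport, dport, ulen, 0) + data


def parse_ipv4(pkt: bytes) -> IPv4:
    """Decode the fixed IPv4 header; the payload starts after IHL*4 bytes."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, tlen, ident, ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = ver_ihl & 0x0F
    return IPv4(tlen, ident, bool(ff & 0x2000), ff & 0x1FFF, proto,
                ".".join(map(str, src)), ".".join(map(str, dst)), pkt[ihl * 4:tlen])


def check_ip(p: IPv4) -> list:
    """Stateless per-packet signatures from the slides; returns the names that fire."""
    hits = []
    is_frag = p.more_frags or p.frag_off != 0
    if p.src == p.dst:
        hits.append("land")                    # impossible packet: same src and dst
    if p.proto not in ASSIGNED_PROTOCOLS:
        hits.append("unknown-ip-protocol")
    if 0 < p.frag_off * 8 < MIN_TRANSPORT_HEADER:
        hits.append("tiny-fragment")           # offset so small the first fragment
                                               # could not have held a transport header
    if not p.more_frags and p.frag_off * 8 + len(p.payload) > IPV4_MAX_TOTAL_LEN:
        hits.append("ping-of-death")           # last fragment: Offset*8 + Length > 65535
    if p.proto == ICMP and is_frag:
        hits.append("fragmented-icmp")
    if p.proto == UDP and not is_frag and len(p.payload) >= 8:
        sport, dport, ulen = struct.unpack("!HHH", p.payload[:6])
        if ulen < 8 or ulen != len(p.payload):
            hits.append("udp-bomb")            # UDP length disagrees with IP length
        if dport == 135 and sport in (135, 7, 19):
            hits.append("snork")
        if sport == 7 and dport == 19:
            hits.append("chargen-dos")         # echo <-> chargen packet loop
    return hits


@dataclass
class FragmentTracker:
    """Remembers fragment byte ranges per datagram so overlaps (Teardrop) can be
    flagged; this is exactly the state a stateless router does not keep."""
    seen: dict = field(default_factory=dict)   # (src, dst, proto, ident) -> [(start, end)]

    def observe(self, p: IPv4) -> list:
        if not (p.more_frags or p.frag_off != 0):
            return []
        key = (p.src, p.dst, p.proto, p.ident)
        start, end = p.frag_off * 8, p.frag_off * 8 + len(p.payload)
        hits = []
        for s, e in self.seen.get(key, []):
            if start < e and s < end:          # byte ranges intersect
                hits.append("fragment-overlap")
                break
        self.seen.setdefault(key, []).append((start, end))
        if not p.more_frags:                   # simplification: last fragment arrives last
            self.seen.pop(key, None)
        return hits
```

Every check except the overlap is a pure function of one packet, which is why a router access list or a stateless filter can drop Land or Ping-of-Death packets but cannot see a Teardrop overlap: the second fragment is individually well-formed, and only the reassembly state in FragmentTracker reveals the conflict.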

50 © 1999, Cisco Systems, Inc. Reflexive Access Lists
Allow the packet filtering mechanism to remember state
Reflexive ACLs are transparent until activated by matching traffic
Protocol support: TCP, UDP
Alternative to the established keyword
Available in Cisco IOS release 11.3

51 © 1999, Cisco Systems, Inc. Reflexive Access Lists
Router monitors an outgoing connection
Creates a dynamic inbound permit ACL entry using the IP addresses and port numbers
[Figure: outbound Telnet SYN (IP header: Source Addr, Destination Addr; TCP header: Source Port, Destination Port, Initial Sequence #, Ack #, Flag) and the resulting entry “permit tcp … eq telnet”]
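
The mechanism on slides 50 and 51, as an added example written for this transcript rather than IOS code: an outbound TCP or UDP flow seen on the inside creates a temporary inbound entry with the addresses and ports mirrored, the entry is refreshed by matching return traffic and removed after an idle timeout, and unsolicited inbound traffic never matches. The contrast with the older established keyword, which only tests the ACK or RST bit, is shown alongside. The 300-second idle timeout is assumed as the default, and the flows in run_demo are constructed.

```python
from dataclasses import dataclass, field

ACK, RST = 0x10, 0x04


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class ReflexiveAcl:
    """Model of 'permit tcp any any reflect NAME' on the outbound side and
    'evaluate NAME' on the inbound side (added example, not IOS)."""
    timeout: float = 300.0                 # assumed idle timeout, seconds
    entries: dict = field(default_factory=dict)   # mirrored Flow -> last time matched

    def outbound(self, f: Flow, now: float) -> Flow:
        """Outbound packet matched the reflect line: record the mirrored 5-tuple."""
        mirrored = Flow(f.proto, f.dst, f.dport, f.src, f.sport)
        self.entries[mirrored] = now
        return mirrored

    def inbound_permitted(self, f: Flow, now: float) -> bool:
        """Inbound packet is permitted only if it is the reply to a recorded session."""
        self._expire(now)
        if f in self.entries:
            self.entries[f] = now          # matching traffic refreshes the idle timer
            return True
        return False                       # falls through to the rest of the inbound ACL

    def _expire(self, now: float):
        for k in [k for k, t in self.entries.items() if now - t > self.timeout]:
            del self.entries[k]


def established_keyword_permits(tcp_flags: int) -> bool:
    """The 'established' keyword checks only that ACK or RST is set, so any crafted
    ACK segment from outside passes it; the reflexive entry above would not match."""
    return bool(tcp_flags & (ACK | RST))


def run_demo():
    """Constructed session: an inside host opens Telnet to an outside server."""
    acl = ReflexiveAcl()
    telnet = Flow("tcp", "10.1.1.5", 1025, "192.0.2.20", 23)
    acl.outbound(telnet, now=0.0)
    reply = Flow("tcp", "192.0.2.20", 23, "10.1.1.5", 1025)   # the server's answer
    probe = Flow("tcp", "192.0.2.20", 23, "10.1.1.5", 1026)   # unsolicited, wrong port
    return {
        "reply": acl.inbound_permitted(reply, 1.0),
        "probe": acl.inbound_permitted(probe, 1.0),
        "reply_after_idle": acl.inbound_permitted(reply, 1.0 + 301.0),
    }
```

Because the entry is keyed on the full 5-tuple, a scan that merely sets ACK (which established would wave through) has no matching entry and is dropped, which is the sense in which the slide calls reflexive lists an alternative to that keyword.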

52 © 1999, Cisco Systems, Inc. Cisco IOS Firewall Feature Set
Context-Based Access Control (CBAC)
Stateful, per-application filtering
Support for advanced protocols (H.323, SQLnet, RealAudio, etc.)
Denial of Service detection and prevention
Control downloading of Java applets
Real-time alerts
TCP/UDP transaction log
Configuration and management
Enhanced Security for the Intelligent Internet

53 © 1999, Cisco Systems, Inc. What Is “Context-Based Access Control” (CBAC)?
Tracks state and context of network connections to secure traffic flow
Inspects data coming into or leaving the router
Allows connections to be established by temporarily opening ports based on payload inspection
Return packets are authorized for the particular connection only, via a temporary ACL

54 © 1999, Cisco Systems, Inc. Cisco IOS Context-Based Access Control (CBAC) Application Support
Transparent support for common TCP/UDP Internet services, including WWW, Telnet, SNMP, finger, etc.
FTP
TFTP
SMTP
Java blocking
BSD R-cmds
Oracle SQL Net
Remote Procedure Call (RPC)
Multimedia applications:
  – VDOnet’s VDO Live
  – RealNetworks’ RealAudio
  – Intel’s Internet Video Phone (H.323)
  – Microsoft’s NetMeeting (H.323)
  – Xing Technologies’ Streamworks
  – White Pine’s CuSeeMe

55 © 1999, Cisco Systems, Inc. Cisco IOS Firewall Feature Set
Per-user authentication and authorization (“authentication proxy”)
Intrusion detection technology
IP fragmentation defense
Dynamic per-application port mapping
Configurable alerts and audit trail
SMTP-specific attack detection
New CBAC application support
  – MS-Networking, MS NetShow

56 © 1999, Cisco Systems, Inc. Cisco IOS Firewall: Authentication Proxy
HTTP-initiated authentication
Valid for all types of application traffic
Provides dynamic, per-user authentication and authorization via the TACACS+ and RADIUS protocols
Works on any interface type for inbound or outbound traffic

57 © 1999, Cisco Systems, Inc. Cisco IOS Firewall: Authentication Proxy Operation
[Figure: user on E0 of a Cisco IOS Firewall/Cisco 7200 series router, S0 toward the ISP and Internet, AAA server]
1. User HTTP request
2. Get Uid/Password
3. Authenticate (AAA server)
4. Download profile, build dynamic ACL on router
5. Refresh/reload URL

58 © 1999, Cisco Systems, Inc. Application Layer Attacks

59 © 1999, Cisco Systems, Inc. Mail
TCP port 25
Attacks include:
  – Reconnaissance
  – Access
  – DoS
[Figure: IP header and TCP header with Dest Port=25]

60 © 1999, Cisco Systems, Inc. Mail Attacks
smail attack
sendmail invalid recipient
sendmail invalid sender
sendmail reconnaissance
Archaic sendmail attacks
sendmail decode alias
sendmail SPAM
Majordomo exec bug
MIME overflow bug
Qmail Length Crash

61 © 1999, Cisco Systems, Inc. File Transfer Protocol (FTP)
TCP port 21
Attacks include:
  – Reconnaissance
  – Access
[Figure: IP header and TCP header with Dest Port=21]

62 © 1999, Cisco Systems, Inc. FTP Attacks
FTP SITE command attempted
FTP SYST command attempted
FTP CWD ~root
FTP improper address specified
FTP improper port specified

63 © 1999, Cisco Systems, Inc. Web
TCP port 80
Attacks include:
  – Access
[Figure: IP header and TCP header with Dest Port=80]

64 © 1999, Cisco Systems, Inc. Web Attacks
phf attack
General cgi-bin attack
.url file requested
.lnk file requested
.bat file requested
HTML file has .url link
HTML file has .lnk link
HTML file has .bat link
campas attack
glimpse server attack
IIS View Source Bug
IIS Hex View Source Bug
NPH-TEST-CGI Bug
TEST-CGI Bug
IIS DOT DOT VIEW Bug
IIS DOT DOT EXECUTE Bug
IIS DOT DOT DENIAL Bug

65 © 1999, Cisco Systems, Inc. Web Attacks (cont.)
php view file Bug
SGI wrap bug
php buffer overflow
IIS Long URL Crash
View Source CGI Bug
MLOG/MYLOG CGI Bug
Handler CGI Bug
Webgais Bug
WebSendmail Bug
Webdist Bug
Htmlscript Bug
Performer Bug
WebSite win-c-sample buffer overflow
WebSite uploader
Novell convert bug
finger attempt
Count Overflow

66 © 1999, Cisco Systems, Inc. DNS Attacks
UDP Port 53
Attacks include: Reconnaissance
DNS HINFO Request
  – Potential reconnaissance
DNS Zone Transfer Request
  – Potential reconnaissance
DNS Zone Transfer from other port
  – Different port than 53
DNS request for all records
  – All records requested, not just one zone

67 © 1999, Cisco Systems, Inc. Application Exploit Attacks
Sun Kill Telnet DoS: port 23
Finger Bomb: port 79
rlogin -froot: port 513
Imap Authenticate Overflow: port 143
Imap Login Overflow: port 143
Pop Overflow: port 110

68 © 1999, Cisco Systems, Inc. Application Exploit Attacks (cont.)
Inn Overflow: port 119
Inn Control Message: port 119
IOS Telnet buffer overflow: port 23
IOS Command History Exploit: port 25
Cisco IOS Identity: port 1999

69 © 1999, Cisco Systems, Inc. Server Message Blocks (SMB)
Native NT file-sharing protocol
Samba is the UNIX port of SMB
Common Internet File System (CIFS)
  – extension of SMB

70 © 1999, Cisco Systems, Inc. SMB TCP/UDP Ports
Remote Procedure Call Service
NetBIOS Name Service (UDP)
NetBIOS Datagram Service (UDP)
NetBIOS Session Service
(port numbers not captured)

71 © 1999, Cisco Systems, Inc. NetBIOS
TCP Port 139
Attacks include:
  – Reconnaissance
  – Access
  – DoS
[Figure: IP header and TCP header with Dest Port=139]

72 © 1999, Cisco Systems, Inc. NetBIOS Attacks
NETBIOS OOB data
NETBIOS Stat
NETBIOS Session Setup Failure
Windows Guest login
Windows Null Account Name
Windows Password File Access
Windows Registry Access
Windows RedButton

73 © 1999, Cisco Systems, Inc. TCP Application Attacks
TCP application attacks are attacks against various TCP applications.
Capture password file
  – FTP “RETR passwd”
  – loadmodule Attack
  – Telnet “IFS=/”
  – Rlogin “IFS=/”
Planting .rhosts
  – Telnet “+ +”
  – Rlogin “+ +”
Accessing shadow passwd
  – Telnet “/etc/shadow”
  – Rlogin “/etc/shadow”

74 © 1999, Cisco Systems, Inc. UDP Application Attacks
Back Orifice: port … (not captured)
Tftp passwd file attempt: port 69
[Figure: IP header and UDP header]

75 © 1999, Cisco Systems, Inc. RPC Services
Applications do not use well-known ports
Use portmapper
  – Registers applications
  – TCP/UDP port 111
Attacks include
  – Reconnaissance
  – Access
  – DoS
[Figure: client asks the portmapper for a service’s port number (GET PORT #), then uses that port (USE PORT #) to send an NFS request to port 2049; client port 2488 shown]

76 © 1999, Cisco Systems, Inc. RPC Attacks
RPC port registration
  – Remotely registering a service that is not running
RPC port unregistration
  – Remotely unregistering a running service
RPC dump
  – rpcinfo -p
Proxied RPC request
  – Bypasses RPC authentication

77 © 1999, Cisco Systems, Inc. RPC Attacks (cont.)
RPC Port Sweeps
  – Request service on many ports on same host
  – Stealth reconnaissance
RSTATD, RUSERSD, NFS, MOUNTD, YPPASSWD, SELECTION SVC, REXD, STATUS, TTDB

78 © 1999, Cisco Systems, Inc. RPC Attacks (cont.)
Portmapper Requests
  – Requests for services known to be exploited
  – In most cases should not be used
  – If needed, filter signatures
ypserv, ypbind, yppasswd, ypupdated, ypxfrd, mountd, rexd

79 © 1999, Cisco Systems, Inc. RPC Attacks (cont.)
rexd attempt
  – Accessing rexd
  – Allows remotely running commands
  – Should not be allowed
  – Unknown by some administrators
RPC services with buffer overflow vulnerabilities: statd, ttdb, mountd

80 © 1999, Cisco Systems, Inc. Ident Attacks
Ident is a protocol to prevent hostname, address, and username spoofing.
TCP port 113
Ident buffer overflow
  – IDENT reply too large
Ident newline
  – IDENT reply with newline plus more data
Ident improper request
  – IDENT request too long or for non-existent ports

81 © 1999, Cisco Systems, Inc. IP Servers on Routers
Router commands to turn off services:
  no service tcp-small-servers
  no service udp-small-servers

82 © 1999, Cisco Systems, Inc. Trust Exploits
Spoofing Trusted User
Spoofing Trusted Host
Planting ~/.rhosts or hosts.equiv via Alternate Methods

83 © 1999, Cisco Systems, Inc. Reconnaissance

84 © 1999, Cisco Systems, Inc. Reconnaissance Unauthorized discovery and mapping of systems, services, or vulnerabilities

85 © 1999, Cisco Systems, Inc. Reconnaissance Methods
Common commands or administrative utilities
  – nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl, and so on
Hacker tools
  – SATAN, NMAP, custom scripts, and so on

86 © 1999, Cisco Systems, Inc. Discovering the Targets
Know thy target
  – Domain name, IP address space (e.g. victim.com, X.X)
  – whois, nslookup
Ping Sweeps
  – Network mapping
  – Identify potential targets

87 © 1999, Cisco Systems, Inc. Ping Sweeps
ICMP network sweep with Echo: Type=8
ICMP network sweep with Timestamp: Type=13
ICMP network sweep with Address Mask: Type=17
[Figure: IP header followed by ICMP header]

88 © 1999, Cisco Systems, Inc. Port Scans
Port Scans (Probing)
  – Determine services being offered (e.g. telnet, ftp, http, etc.)
Post Port Scan
  – Determine operating system information
  – Determine other information (e.g. usernames, hostnames, etc.)

89 © 1999, Cisco Systems, Inc. TCP Port Scans
Many operating systems haven’t implemented TCP/IP according to the letter of the “law” (the RFCs)
They respond differently to TCP packets with various flags set
[Figure: IP header and TCP header]

90 © 1999, Cisco Systems, Inc. Network Address Translation
[Figure: inside network, router, Internet/outside network; Inside Local IP Address versus Inside Global IP Address]
Hides internal addresses
Provides dynamic or static translation of private addresses to registered IP addresses
Supports true NAT, Overload (same as PAT), and … (third item not captured)

91 © 1999, Cisco Systems, Inc. Network Address Translation
Each translation consumes approximately 160 bytes of memory
PAT (overload) translations limited to 4000 entries
Supports any TCP/UDP application that does not carry source and/or destination IP addresses in the payload
Application support for those that DO carry source and/or destination IP addresses in the payload:
  – ICMP, FTP (including port and pasv commands), NetBIOS over TCP/IP (datagram, name, and session services), RealAudio, CuSeeMe, StreamWorks, DNS ‘A’ and ‘PTR’ records, NetMeeting, VDOLive, Vxtreme, IP Multicast (source address translation only)

92 © 1999, Cisco Systems, Inc. Initial Access

93 © 1999, Cisco Systems, Inc. Access
Unauthorized data manipulation, system access, or privilege escalation

94 © 1999, Cisco Systems, Inc. Access Methods
Exploit easily guessed passwords
  – Brute force
  – Cracking tools
Exploit mis-administered services
  – IP services (anonymous ftp, tftp, remote registry access, nis, and so on)
  – Trust relationships (spoofing, r-services, and so on)
  – File sharing (NFS, Windows File Sharing)

95 © 1999, Cisco Systems, Inc. Access Methods (cont.)
Exploit application holes
  – Mishandled input data: access outside application domain, buffer overflows, race conditions
  – Protocol weaknesses: fragmentation, TCP session hijack
Trojan horses
  – Programs to plant a backdoor into a host

96 © 1999, Cisco Systems, Inc. Backdoors
BackOrifice
  – Win 95/98 server only
  – Windows and Unix clients
  – Configurable ports (default UDP 31337)
  – Encrypted communications
BackOrifice—ButtPlugs
  – Allow new features to be added easily

97 © 1999, Cisco Systems, Inc. Backdoors (cont.)
NetBus (Freeware)
  – Remote administration tool
  – Listens on TCP ports 12345, … (second port not captured)
  – Trojan program
  – Runs on Win95/98 and NT

98 © 1999, Cisco Systems, Inc. Denial of Service Methods
Resource Overload
  – Disk space, bandwidth, buffers, ...
  – Ping flood: smurf, ...
  – SYN floods: neptune, synk4, ...
  – Packet storms: UDP bombs, fraggle, ...
Out of Band Data Crash
  – Oversized packets: ping of death, ...
  – Overlapped packets: winnuke, ...
  – Un-handled data: teardrop, ...

99 © 1999, Cisco Systems, Inc. Other Areas to Consider
Disable:
  – IP helper addresses: no ip helper
  – IP broadcasting: no ip broadcast-address, no ip directed-broadcast
  – Source routing: no ip source-route
  – r-commands: no ip rcmd rcp-enable, no ip rsh-enable
  – IDENT: no ip identd
  – CDP: no cdp run
  – Dynamic circuits: no frame-relay inverse-arp
  – Other “features”: no proxy-arp, no ip redirects

100 © 1999, Cisco Systems, Inc. More Info

101 © 1999, Cisco Systems, Inc. In Summary …. May You Live in Interesting Times!!

102 © 1999, Cisco Systems, Inc.

