Network Security Part II: Attacks Layer 2 / 3 Attacks.


1 Network Security Part II: Attacks Layer 2 / 3 Attacks

2 SECURITY INNOVATION ©2003 Overview
Layer 2 attack landscape
MAC Attacks
VLAN hopping attacks
ARP Attacks
Spanning Tree attacks
Layer 2 port authentication
Other attacks

3 The redundant rat's nest!

4 Preliminaries
All attacks and associated mitigation techniques assume a switched Ethernet network running IP
 – If shared Ethernet is used (WLAN, hub, etc.) the majority of these attack scenarios get much easier
 – Obviously, if you aren't using Ethernet as your L2 protocol some of these attacks may not be appropriate. However, you may be vulnerable to different ones.
Rapid deployment. Attacks that are theoretical can move to the practical in a matter of days and become widely distributed in weeks.
Focus will be on L2 attacks and potential solutions.

5 MAC Attacks

6 MAC Attacks

7 What is the CAM Table?
Basically a really efficient lookup table
Present on all modern switches
CAM == Content Addressable Memory
For more information on the CAM table and how it is updated check out

8 What is the CAM Table?
This internal table looks something like this:

Port   Ethernet Addresses                          Host or Uplink
1      01:00:af:34:53:62                           Single host
2      01:e4:5f:2a:63:35 00:c1:24:ee:62:66 ...     Switch or Hub
3      11:af:5a:69:08:63 00:17:72:e1:72:70 ...     Switch or Hub
4      00:14:62:74:23:5a                           Single host

9 Normal CAM Behavior I
[Diagram: host A on port 1 sends a frame to B (A → B). The CAM table holds only A (port 1) and C (port 3), so B is unknown and the switch floods the frame. The host on port 3: "I see traffic to B!"]

10 Normal CAM Behavior II
[Diagram: B replies to A (B → A). The switch knows A is on port 1 and learns that B is on port 2. CAM table: A on port 1, B on port 2, C on port 3.]

11 Normal CAM Behavior III
[Diagram: A sends to B again (A → B). The switch knows B is on port 2 and forwards the frame only there. The host on port 3: "I do not see traffic to B!" CAM table: A on port 1, B on port 2, C on port 3.]

12 CAM Overflow I
Theoretical attack made available to all…
macof tool since May 1999
 – "dsniff" by Dug Song
Based on the CAM table's limited size

13 CAM Overflow II
[Diagram: frames with source MACs X and Y (X → ?, Y → ?) arrive on port 3 while B → A traffic is in progress. The switch learns "X is on Port 3" and "Y is on Port 3". CAM table: X, Y and C, all on port 3.]

14 CAM Overflow III
[Diagram: A sends to B (A → B). B is unknown, so the switch floods the frame, and the host on port 3 says "I see traffic to B!" CAM table: X, Y and C, all on port 3.]

15 Catalyst CAM Tables
Catalyst switches use a hash to place a MAC in the CAM table
63 bits of source (MAC, VLAN, misc) creates a 17 bit hash value
If the value is the same there are 8 buckets to place CAM entries; if all 8 are filled the packet is flooded
[Diagram: hash rows 1 to 16,000 filled with entries A through S; entry T is marked "Flooded!"]

16 MAC Flooding Switches with Macof

17 CAM Table Full!
Dsniff can generate 155,000 MAC entries on a switch per minute.
Assuming a perfect hash function, the CAM table will be completely filled after 131,052 (approx. 16,000 x 8) entries
Once the table is full, traffic without a CAM entry floods on the local VLAN, but NOT existing traffic with an existing CAM entry.
This attack will also fill CAM tables of adjacent switches.
[Screenshot: snoop output on a non-SPAN port]

18 MAC Flooding Attack Mitigation
Port Security
 – Capabilities are dependent on the platform
 – Allows you to specify MAC addresses for each port, or to learn a certain number of MAC addresses per port
 – Upon detection of an invalid MAC the switch can be configured to block only the offending MAC or just shut down the port.
 – Port security prevents macof from flooding the CAM table.
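An added example, not part of the original slides: a small Python model of the learning switch described on slides 9 to 18, showing why frames flood once the hash rows are full and how a per-port MAC limit with a shutdown action keeps one port from filling the table. The class and function names, the stand-in hash and the sample MAC addresses are assumptions made for illustration; real platforms use their own hash.

```python
class LearningSwitch:
    """Toy model of a learning switch's CAM table (added example, not vendor code)."""

    def __init__(self, rows=16_000, depth=8, max_macs_per_port=None):
        self.rows = rows                      # hash rows (slides: about 16,000)
        self.depth = depth                    # entries per row (slides: 8)
        self.max_macs_per_port = max_macs_per_port  # None = port security off
        self.table = {}                       # row -> {(vlan, mac): port}
        self.learned = {}                     # port -> set of (vlan, mac)
        self.shutdown = set()                 # ports disabled after a violation

    def _row(self, vlan, mac):
        # Stand-in hash (assumption): real platforms use their own function.
        return (int(mac.replace(":", ""), 16) ^ vlan) % self.rows

    def _learn(self, port, vlan, mac):
        key = (vlan, mac)
        mine = self.learned.setdefault(port, set())
        if key in mine:
            return True
        if self.max_macs_per_port is not None and len(mine) >= self.max_macs_per_port:
            self.shutdown.add(port)           # violation action: shut the port down
            return False
        row = self.table.setdefault(self._row(vlan, mac), {})
        if key in row:                        # station moved to another port
            self.learned[row[key]].discard(key)
        elif len(row) >= self.depth:
            return True                       # row full: source is not learned
        row[key] = port
        mine.add(key)
        return True

    def receive(self, port, vlan, src, dst):
        """Return 'drop', 'flood', or the single egress port for this frame."""
        if port in self.shutdown or not self._learn(port, vlan, src):
            return "drop"
        return self.table.get(self._row(vlan, dst), {}).get((vlan, dst), "flood")

    def entries(self):
        return sum(len(r) for r in self.table.values())


HOST_A, HOST_B = "00:00:00:00:00:0a", "00:00:00:00:00:0b"   # constructed addresses


def demo(max_macs_per_port=None):
    # Small table (4 rows x 2 entries) so the effect shows after a few frames.
    sw = LearningSwitch(rows=4, depth=2, max_macs_per_port=max_macs_per_port)
    for i in range(40):   # port 3 presents 40 constructed source MACs
        sw.receive(3, 1, f"02:00:00:00:00:{i:02x}", "ff:ff:ff:ff:ff:ff")
    sw.receive(2, 1, HOST_B, HOST_A)            # B talks; switch tries to learn B
    verdict = sw.receive(1, 1, HOST_A, HOST_B)  # where does A -> B go?
    return verdict, sw.entries(), 3 in sw.shutdown


if __name__ == "__main__":
    print("no port security :", demo())
    print("limit 2 per port :", demo(max_macs_per_port=2))
```

Without the limit the table is full before B is ever learned, so A's frame to B is flooded to every port; with a limit of two MACs per port, port 3 is shut down on its third address and A's frame goes only to port 2.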

19 VLAN Hopping Attacks

20 VLAN "Hopping" Attacks
Trunk ports have access to all VLANs by default
Used to route traffic for multiple VLANs across the same physical link
Encapsulation can be 802.1Q or ISL
[Diagram label: Trunk Port]

21 Dynamic Trunk Protocol
What is DTP?
 – Automates ISL/802.1Q trunk configuration
 – Operates between switches
 – Not supported on 2900XL or 3500XL
DTP synchronizes the trunking mode on link ends
DTP state on an ISL/1Q trunking port can be set to "Auto", "On", "Off", "Desirable", or "Non-Negotiate".
[Frame diagram: Dynamic Trunk Protocol, DST MAC 0100.0ccc.cccc, SNAP Proto 0x2004]

22 Basic VLAN Hopping Attack
A station can spoof as a switch with ISL or 802.1Q signaling (DTP signaling is usually required as well, or a rogue DTP speaking switch)
The station is then a member of all VLANs
Requires a trunking favorable setting on the port
[Diagram label: Trunk Port]

23 Double Encapsulated 802.1q VLAN Hopping Attack
Send double encapsulated 802.1Q frames
Switch performs only one level of decapsulation
Unidirectional traffic only
Works even if trunk ports are set to off
Note: Only works if trunk has the same native VLAN as the attacker
[Diagram: the frame is shown with two 802.1q tags, then with one 802.1q tag, then untagged; the first switch is labelled "Strip off First, and Send Back out"]

24 Double Encap 802.1Q Ethereal Capture
[Screenshot of an Ethereal capture. Labels: "Outer Tag, Attacker VLAN"; "Inner Tag, Attacker VLAN"]

25 Disabling Auto-Trunking
Defaults change depending on switch; always check.

26 Security for VLANs and Trunking
Always use a dedicated VLAN ID for all trunk ports
Disable unused ports and put them in an unused VLAN
Be paranoid: Do not use VLAN 1 for anything
Set all user ports to non-trunking (DTP Off)
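An added example, not part of the original slides: a Python check that parses the 802.1Q tag stack of a raw Ethernet frame and flags the condition from slide 23, two stacked tags with the outer VLAN ID equal to the trunk's native VLAN, as well as any tagged frame arriving on a user port. The function names, verdict strings and the three sample frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100


def vlan_stack(frame: bytes):
    """Return ([outer VID, ..., inner VID], EtherType after the last tag)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vids = 12, []                      # skip destination and source MAC
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype == TPID_8021Q:
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vids.append(tci & 0x0FFF)              # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return vids, ethertype


def check_ingress(frame: bytes, native_vlan: int, port_is_trunk: bool = False):
    """Classify a frame received on a switch port; returns (verdict, vids)."""
    vids, _ = vlan_stack(frame)
    if len(vids) >= 2 and vids[0] == native_vlan:
        # The first switch strips the outer (native) tag and forwards the inner one.
        return "ALERT double tag, outer = native VLAN", vids
    if len(vids) >= 2:
        return "WARN double tag", vids
    if vids and not port_is_trunk:
        return "WARN tagged frame on user port", vids
    return "ok", vids


# Constructed sample frames: dst MAC, src MAC, optional tags, EtherType, padding.
_MACS = "020000000002" + "020000000001"
SAMPLES = {
    "untagged": bytes.fromhex(_MACS + "0800") + bytes(46),
    "single": bytes.fromhex(_MACS + "8100000a" + "0800") + bytes(46),
    "double": bytes.fromhex(_MACS + "81000001" + "81000014" + "0800") + bytes(46),
}


def audit(native_vlan: int):
    return {name: check_ingress(f, native_vlan) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for native in (1, 999):                    # 999: a dedicated, otherwise unused native VLAN
        print("native VLAN", native, audit(native))
```

With the native VLAN left at 1 the double-tagged sample matches the slide's precondition; with a dedicated native VLAN that no user port belongs to, the same frame no longer does.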

27 ARP Attacks

28 ARP Refresher
An ARP request message should be placed in a frame and broadcast to all computers on the network
Each computer receives the request and examines the IP address
The computer mentioned in the request sends a response; all other computers process and discard the request without sending a response.
[Diagram: hosts V, Z, Y, X and W on one network, shown three times]

29 Gratuitous ARP
Gratuitous ARP is used by hosts to "announce" their IP address to the local network and avoid duplicate IP addresses on the network; routers and other network hardware may use cache information gained from gratuitous ARPs
Gratuitous ARP is a broadcast packet (like an ARP request)
Host W: Hey everyone I'm host W and my IP address is: and my MAC address is 12:34:56:78:9A:BC
[Diagram: hosts V, Z, Y, X and W on one network]

30 Misuse of Gratuitous ARP
ARP has no security or ownership of IP or MAC address
What if we did the following?
Host W broadcasts I'm with MAC 12:34:56:78:9A:BC
(Wait 5 seconds)
Host W broadcasts I'm with MAC 12:34:56:78:9A:BC
[Diagram: Host Y (.2), Host W (.4), Host X and .1 on a /24 network]

31 Hands On Example
Host X and Y will likely ignore the message unless they currently have an ARP table entry for
When host Y requests the MAC of the real router will reply and communications will work until host W sends a gratuitous ARP again
Even a static ARP entry for on Y will get overwritten by the gratuitous ARP on some OSs (NT4 and Win2k)
[Diagram: Host Y (.2), Host W (.4), Host X and .1 on a /24 network]

32 Dsniff
ARP Spoofing
MAC flooding
Selective sniffing
SSH/SSL interception

33 Hands On - Arpspoof

34 Arpspoof
All traffic now flows through the machine running dsniff in a half-duplex manner
Port security does not help
Note that the attack could be generated in the opposite direction by spoofing the destination host when the router sends its ARP request
Attack could be more selective and spoof just one victim

35 Selective Sniffing
Once the dsniff box has started the arpspoof process, the magic begins:
Supports more than 30 standardized/proprietary protocols
FTP, Telnet, SMTP, HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP, MS-CHAP, NFS, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase, Microsoft SQL

36 SSL/SSH Interception
Using dnsspoof all web sites can resolve to the dsniff host IP address:
Once that happens you can proxy all web connections through the dsniff host

37 SSL/SSH Interception
Using dsniff (webmitm) most SSL sessions can be intercepted and bogus certificate credentials can be presented

38 SSL/SSH Interception
Upon inspection they will look invalid but they would likely fool most users
[Screenshot label: invalid]

39 The Evolution of dsniff: Ettercap
Similar to dsniff though not as many protocols supported for sniffing
Can ARP spoof both sides of a session to achieve full-duplex sniffing
Allows command insertion into persistent TCP sessions
Menu driven interface

40 It Doesn’t Get Much Easier…

41 ARP Spoof Mitigation: Private VLANs
PVLANs isolate traffic in specific communities to create distinct "networks" within a normal VLAN
Note: Most inter-host communication is disabled with PVLANs turned on
[Diagram labels: Community 'A', Community 'B', Isolated Ports, Promiscuous Port, Primary VLAN, Community VLAN, Isolated VLAN, "Only One Subnet!"]

42 ARP Spoof Mitigation
Some IDS systems will watch for an unusually high amount of ARP
ARPWatch is a freely available tool that will track IP/MAC address pairings
Consider static ARP for critical routers and hosts (potential administrative pain)
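An added example, not part of the original slides and not ARPWatch's own code: a Python monitor that applies the two detection ideas above, tracking IP/MAC pairings and watching the ARP announcement rate per MAC, to a constructed event sequence modelled on slide 30. The class name, alert labels, thresholds, the 192.0.2.0/24 addresses and the router MAC are assumptions; only host W's MAC comes from the slides.

```python
from collections import defaultdict, deque


class ArpPairingMonitor:
    """Track IP -> MAC pairings seen in ARP traffic and report suspicious changes."""

    def __init__(self, static=None, rate_limit=5, window=10.0):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.current = dict(self.static)      # ip -> MAC currently believed
        self.previous = {}                    # ip -> MAC seen before the current one
        self.rate_limit = rate_limit          # max ARP announcements per MAC per window
        self.window = window                  # seconds
        self.recent = defaultdict(deque)      # mac -> timestamps of its announcements

    def observe(self, ts, ip, mac):
        """Feed one (timestamp, sender IP, sender MAC); return a list of alerts."""
        mac = mac.lower()
        alerts = []
        stamps = self.recent[mac]
        stamps.append(ts)
        while ts - stamps[0] > self.window:   # drop announcements outside the window
            stamps.popleft()
        if len(stamps) > self.rate_limit:
            alerts.append("arp-rate")
        known = self.current.get(ip)
        if known is None:
            self.current[ip] = mac
            alerts.append("new-station")
        elif known != mac:
            if ip in self.static:
                alerts.append("static-violation")   # pinned entry is kept
            else:
                kind = "flip-flop" if self.previous.get(ip) == mac else "changed"
                alerts.append(kind)
                self.previous[ip], self.current[ip] = known, mac
        return [(ts, kind, ip, mac) for kind in alerts]


ROUTER_IP, ROUTER_MAC = "192.0.2.1", "02:00:5e:00:00:01"   # constructed
W_IP, W_MAC = "192.0.2.4", "12:34:56:78:9A:BC"             # MAC from slide 29

# Constructed observations: W announces the router's IP, the router answers,
# and W announces again a few seconds later.
EVENTS = [
    (0.0, ROUTER_IP, ROUTER_MAC),
    (1.0, W_IP, W_MAC),
    (2.0, ROUTER_IP, W_MAC),
    (7.0, ROUTER_IP, W_MAC),
    (8.0, ROUTER_IP, ROUTER_MAC),
    (12.0, ROUTER_IP, W_MAC),
]


def run(events, **kwargs):
    mon = ArpPairingMonitor(**kwargs)
    return [alert for ev in events for alert in mon.observe(*ev)]


if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
    for alert in run(EVENTS, static={ROUTER_IP: ROUTER_MAC}):
        print("static:", alert)
```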

43 Spanning Tree Attacks

44 Spanning Tree Basics
STP purpose: To maintain loop-free topologies in a redundant Layer 2 infrastructure
A switch is elected as Root
Root selection is based on the lowest configured priority of any switch
A 'Tree-Like' loop-free topology is established from the perspective of the root bridge
STP is very simple. Messages are sent using Bridge Protocol Data Units (BPDUs). Basic messages include: configuration, topology change notification/acknowledgement (TCN/TCA); most have no "payload".
Avoiding loops ensures broadcast traffic does not become storms
[Diagram: switch topology with a Root bridge; ports labelled F and B, one link marked X]

45 Spanning Tree Attacks and Methods
Standard 802.1d STP takes seconds to deal with a failure or root bridge change (ha ha ha… DoS served here)
 – Generally only devices affected by the failure notice the issue
 – PortFast and UplinkFast can greatly improve this
Sending BPDUs from the attacker can force these changes and create a DoS condition on the network
As a link with macof: the TCN message will result in the CAM table aging all entries in 15 seconds if they do not communicate (the default is 300 seconds)
Easy to create the DoS condition. Depending on the topology it could yield additional packets for the attacker

46 Spanning Tree Attack Example I
Send BPDU messages to become root bridge
[Diagram: Attacker exchanging STP with two Access Switches below the Root; ports labelled F and B, one link marked X]

47 Spanning Tree Attack Example II
Send BPDU messages to become root bridge
 – The attacker then sees frames he shouldn't
 – MITM, DoS, etc. all possible
 – Any attack is very sensitive to the original topology, trunking, PVST, etc.
Although STP takes link speed into consideration, it is always done from the perspective of the root bridge. Taking a Gb backbone to half duplex 10 Mb has been verified.
Requires the attacker to be dual homed to two different switches (with a hub, it can be done with just one interface on the attacking host)
[Diagram: Attacker attached to both Access Switches and shown as Root; ports labelled F and B, one link marked X]

48 Knowledge Applied
Goal: See traffic on the backbone but interesting hosts have static ARP entries and are very chatty (macof will likely never steal their CAM entry)
Step 1: MAC flood access switch
Step 2: Run bridging software (i.e. brconfig) on attacking host; advertise as a priority zero bridge
 – Attacker becomes root bridge
 – Spanning tree recalculates
 – GE backbone becomes FE
 – CAM table on access switch is full (from macof); there is no room at the inn for the chatty servers. Traffic is flooded.
[Diagram: Attacker exchanging STP with the Access Switch and shown as Root; links labelled GE and FE; ports labelled F and B, one link marked X]

49 STP Attack Mitigation
Don't disable STP; introducing a loop would become another attack.
BPDU Guard
 – Disables ports using portfast upon detection of a BPDU message on the port
 – Globally enabled on all ports running portfast
Root Guard
 – Disables ports that would become the root bridge due to their BPDU advertisement
 – Configured on a per port basis

50 VLAN Trunking Protocol (VTP)
Used to distribute VLAN configuration among switches
VTP is used only over trunk ports
VTP can cause more problems than it solves; consider if it is really needed
If needed use the VTP MD5 digest:

51 Potential VTP Attacks
After becoming a trunk port, an attacker could send VTP messages as a server with no VLANs configured. All VLANs would be deleted across the entire VTP domain
Disabling VTP:

52 Other Attacks

53 Cisco Discovery Protocol (CDP)
Runs at layer 2 and allows Cisco devices to chat with one another
Can be used to learn sensitive information about the CDP sender (IP address, software version, router model…)
CDP is in the clear and unauthenticated
Consider disabling CDP, or being very selective in its use in security sensitive environments (backbone vs user port may be a good distinction)

54 CDP Attacks
Besides the information gathering benefit CDP offers an attacker, there was a vulnerability in CDP that allowed Cisco devices to run out of memory and potentially crash if you sent it tons of bogus packets.
Problem was due to a software implementation problem. A flaw in the memory allocation for the CDP process (basically there was no upper limit).

55 DHCP Starvation Attacks
Anyplace where macof works, you can DoS a network by requesting all of the available DHCP addresses
With or without the DoS, an attacker could use a rogue DHCP server to provide addresses to clients
Since DHCP responses include DNS servers and default gateway entries, guess where the attacker would point these unsuspecting users?
All the MITM attacks are now possible

56 Private VLAN Attacks I
[Diagram: Attacker (MAC A, IP 1) and Victim (MAC B, IP 2) on isolated ports; Router (MAC C, IP 3) on the promiscuous port. A frame labelled S:A1 D:B2 is dropped: "PVLANs Work, Drop Packet".]

57 Private VLAN Attacks II
Only allows unidirectional traffic (Victim will ARP for A and fail)
If both hosts were compromised, setting static ARP entries for each other via the router will allow bi-directional traffic
Most firewalls will not forward the packet like a router
This is not a PVLAN vulnerability as it enforces the rules!
[Diagram: Attacker (MAC A, IP 1) and Victim (MAC B, IP 2) on isolated ports; Router (MAC C, IP 3) on the promiscuous port. Frame labels: S:A1 D:B2 ("PVLANs Work, Drop Packet"), S:A1 D:C2 and S:A1 D:B2 ("Routers Route: Forward Packet").]

58 PVLAN Attack Mitigation
Set up an ACL on the ingress router port:
All known PVLAN exploits will now fail
VLAN ACL could also be used

59 Multicast Brute-Force Failover Analysis
Send random Ethernet multicast frames to a switch interface attempting to get frames to another VLAN
[Diagram labels: "M-cast", "Nice Try"]

60 Random Frame Stress Attack
Send random frames to a switch interface attempting to get frames to another VLAN
[Diagram labels: "Frame", "Nice Try"]

61 Switch Management
Management can be your weakest link
All the great mitigation techniques we talked about aren't worth much if the attacker telnets into your switch and disables them
Most of the network management protocols are insecure (syslog, SNMP, TFTP, Telnet, FTP, etc.)
Consider secure variants of these protocols as they become available (SSH, SCP, SSL, OTP etc.). Where impossible, consider out of band management.
Always use a dedicated VLAN ID for all trunks
Be paranoid: do not use VLAN 1 for anything
Set all user ports to non trunking

62 Hacking Cisco
[Chart: Cisco Bugtraq Vulnerabilities; surviving label: (est) - 94]

63 Hacking Routers
Example Exploits:
HTTP Authentication Vulnerability
 – using a URL of where $NUMBER is an integer between 16 and 99, it is possible for a remote user to gain full administrative access.
NTP Vulnerability
 – By sending a crafted NTP control packet, it is possible to trigger a buffer overflow in the NTP daemon
SNMP Parsing Vulnerability
 – Malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload. In some cases, access-list statements on the SNMP service do not protect the device

64 Hacking Routers
When a router is hacked it allows an attacker to
DoS or disable the router & network…
Compromise other routers…
Bypass firewalls, IDS systems, etc…
Monitor and record all outgoing and incoming traffic…
Redirect whatever traffic they desire…

