In my previous article, I talked about some of the facts that you need to know about network security. This article talks about some of the facts that you need to know about IP vulnerabilities in networking. Follow me as we look at them in this article. There are different types of attacks that target IP. The table lists some of the more common IP-related attacks.
| Attack | Description |
|---|---|
| ICMP attacks | Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables. |
| Denial-of-Service (DoS) attacks | Threat actors attempt to prevent legitimate users from accessing information or services. |
| Distributed Denial-of-Service (DDoS) attacks | Similar to a DoS attack, but features a simultaneous, coordinated attack from multiple source machines. |
| Address spoofing attacks | Threat actors spoof the source IP address in an attempt to perform blind spoofing or non-blind spoofing. |
| Man-in-the-middle attack (MiTM) | Threat actors position themselves between a source and destination to transparently monitor, capture and control the communication. They could simply eavesdrop by inspecting captured packets, or alter packets and forward them to their original destination. |
| Session hijacking | Threat actors gain access to the physical network, and then use a MiTM attack to hijack a session. |
ICMP was developed to carry diagnostic messages and to report error conditions when routes, hosts, and ports are unavailable. ICMP messages are generated by devices when a network error or outage occurs. The ping command is a user-generated ICMP message, called an echo request, that is used to verify connectivity to a destination.
Threat actors use ICMP for reconnaissance and scanning attacks. This enables them to launch information-gathering attacks to map out a network topology, discover which hosts are active (reachable), identify the host operating system (OS fingerprinting), and determine the state of a firewall.
Threat actors also use ICMP for DoS and DDoS attacks, as shown in the ICMP flood attack in the figure.
Figure: ICMP flood attack. The attacker repeatedly sends ICMP echo requests with a spoofed source address to the victim; the victim answers each one with an ICMP echo reply, which is sent to the spoofed address rather than back to the attacker (shown as a question mark under the attacker).
Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks.
The table lists common ICMP messages of interest to threat actors.
| ICMP message | Use by threat actors |
|---|---|
| ICMP echo request and echo reply | This is used to perform host verification and DoS attacks. |
| ICMP unreachable | This is used to perform network reconnaissance and scanning attacks. |
| ICMP mask reply | This is used to map an internal IP network. |
| ICMP redirects | This is used to lure a target host into sending all traffic through a compromised device and create a MiTM attack. |
| ICMP router discovery | This is used to inject bogus route entries into the routing table of a target host. |
Networks should have strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet. Security analysts should be able to detect ICMP-related attacks by looking at captured traffic and log files. In the case of large networks, security devices, such as firewalls and intrusion detection systems (IDS), should detect such attacks and generate alerts to the security analysts.
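As an added example of the kind of log review the paragraph above describes (this is not code from the article or from any vendor product), the script below parses constructed firewall log lines and flags a destination as a probable ICMP echo-request flood when many requests arrive within a short sliding window. The log format and the threshold values are assumptions; the many distinct source addresses hitting one destination are the usual sign that the sources are spoofed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real traffic): one ICMP event per line.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ACCEPT ICMP type=8 src=198.51.100.7 dst=192.0.2.10
2024-05-01T10:00:00 ACCEPT ICMP type=8 src=198.51.100.8 dst=192.0.2.10
2024-05-01T10:00:00 ACCEPT ICMP type=8 src=198.51.100.9 dst=192.0.2.10
2024-05-01T10:00:01 ACCEPT ICMP type=8 src=198.51.100.10 dst=192.0.2.10
2024-05-01T10:00:01 ACCEPT ICMP type=8 src=198.51.100.11 dst=192.0.2.10
2024-05-01T10:00:01 ACCEPT ICMP type=8 src=198.51.100.12 dst=192.0.2.10
2024-05-01T10:00:05 ACCEPT ICMP type=8 src=203.0.113.4 dst=192.0.2.20
2024-05-01T10:00:09 ACCEPT ICMP type=0 src=192.0.2.20 dst=203.0.113.4
"""

# Assumed log layout: "<iso timestamp> <action> ICMP type=<n> src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) ICMP type=(?P<type>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

def parse_icmp_log(text):
    """Return (timestamp, icmp_type, src, dst) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), int(m["type"]), m["src"], m["dst"]))
    return events

def detect_icmp_floods(text, window_seconds=2, threshold=5):
    """Map each flooded destination to (peak echo requests in any window, distinct sources)."""
    per_dst = defaultdict(list)
    for ts, icmp_type, src, dst in parse_icmp_log(text):
        if icmp_type == 8:  # ICMP type 8 = echo request; replies (type 0) are not counted
            per_dst[dst].append((ts, src))
    alerts, window = {}, timedelta(seconds=window_seconds)
    for dst, reqs in per_dst.items():
        reqs.sort()
        left, peak = 0, 0
        for right in range(len(reqs)):  # sliding window over time-ordered requests
            while reqs[right][0] - reqs[left][0] >= window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts[dst] = (peak, len({src for _, src in reqs}))
    return alerts

if __name__ == "__main__":
    for dst, (peak, sources) in detect_icmp_floods(SAMPLE_LOG).items():
        print(f"ALERT {dst}: {peak} echo requests in window from {sources} distinct sources")
```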
Amplification and Reflection Attacks
Threat actors often use amplification and reflection techniques to create DoS attacks. The example in the figure illustrates how an amplification and reflection technique called a Smurf attack is used to overwhelm a target host.
Note: Newer forms of amplification and reflection attacks such as DNS-based reflection and amplification attacks and Network Time Protocol (NTP) amplification attacks are now being used.
Threat actors also use resource exhaustion attacks. These attacks consume the resources of a target host either to crash it or to consume the resources of a network.
Address Spoofing Attacks
IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender or to pose as another legitimate user. The threat actor can then gain access to otherwise inaccessible data or circumvent security configurations. Spoofing is usually incorporated into another attack such as a Smurf attack.
Spoofing attacks can be non-blind or blind:
- Non-blind spoofing – The threat actor can see the traffic that is being sent between the host and the target. The threat actor uses non-blind spoofing to inspect the reply packet from the target victim. Non-blind spoofing lets the threat actor determine the state of a firewall and predict sequence numbers. It can also be used to hijack an authorized session.
- Blind spoofing – The threat actor cannot see the traffic that is being sent between the host and the target. Blind spoofing is used in DoS attacks.
MAC address spoofing attacks are used when threat actors have access to the internal network. Threat actors alter the MAC address of their host to match another known MAC address of a target host, as shown in the figure. The attacking host then sends a frame throughout the network with the newly-configured MAC address. When the switch receives the frame, it examines the source MAC address.
Figure: A server (MAC address AABBCC, port 1) and a threat actor (port 2, MAC address spoofed to AABBCC) are connected to the same switch. The threat actor's callout reads: "I have changed the MAC address on my computer to match the server." The switch's MAC address table maps AABBCC to port 1; port 2 has no mapping.
Threat Actor Spoofs a Server’s MAC Address
The switch overwrites the current CAM table entry and assigns the MAC address to the new port, as shown in the figure. It then forwards frames destined for the target host to the attacking host.
Figure: The same server (port 1) and threat actor (port 2, spoofed MAC address AABBCC) on the same switch. The switch's callout reads: "The device with MAC address AABBCC has moved to Port 2. I must adjust my MAC address table accordingly." The MAC address table now maps AABBCC to port 2; port 1 has no mapping.
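To make the CAM table behaviour described above concrete, here is an added simulation (not code from the article or from any switch vendor) that replays a constructed sequence of frames through a switch's MAC address table. Without protection the table flips AABBCC between ports on every frame, which is the "MAC move" event a defender would alert on; with a port-security style allowed-MAC list on port 2 (an assumed mitigation, with the attacker's real MAC DDEEFF constructed for the example) the spoofed frames are recorded as violations and the table is never overwritten.

```python
from dataclasses import dataclass, field

@dataclass
class CamTable:
    """Minimal model of a switch MAC address (CAM) table with optional port security."""
    table: dict = field(default_factory=dict)       # mac -> port
    secure: dict = field(default_factory=dict)      # port -> set of MACs allowed on that port
    moves: list = field(default_factory=list)       # (mac, old_port, new_port) alerts
    violations: list = field(default_factory=list)  # (mac, port) frames dropped by port security

    def learn(self, mac, port):
        """Process the source MAC of a frame arriving on `port`; return True if learned."""
        mac = mac.upper()
        allowed = self.secure.get(port)
        if allowed is not None and mac not in allowed:
            self.violations.append((mac, port))   # port security: drop, do not relearn
            return False
        old = self.table.get(mac)
        if old is not None and old != port:
            self.moves.append((mac, old, port))   # MAC move: the event worth alerting on
        self.table[mac] = port                    # switch overwrites the existing entry
        return True

def replay(frames, secure=None):
    """Feed (src_mac, ingress_port) frames to a fresh table and return it for inspection."""
    cam = CamTable(secure=secure or {})
    for mac, port in frames:
        cam.learn(mac, port)
    return cam

# Constructed frames: the real server on port 1 and the spoofing host on port 2 alternate.
FRAMES = [("AABBCC", 1), ("AABBCC", 2), ("AABBCC", 1), ("AABBCC", 2)]

if __name__ == "__main__":
    open_switch = replay(FRAMES)
    print("unprotected: final port", open_switch.table["AABBCC"], "moves", open_switch.moves)
    guarded = replay(FRAMES, secure={2: {"DDEEFF"}})  # only the attacker's real MAC allowed
    print("port security: final port", guarded.table["AABBCC"], "violations", guarded.violations)
```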
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We would appreciate it if you could drop a comment. Thanks in anticipation.