Network Protocol Attacks

Denial of Service (against availability)

Make the service unavailable to legitimate users.

Killer Packets

Ping of Death

Pathological ICMP echo requests that exploit a memory error in the protocol implementation.

"Gazillions of machines can be crashed by sending IP packets that exceed the maximum legal length (65535 octets)."

Teardrop

Exploits vulnerabilities in the TCP/IP stack's fragment reassembly.

Fragmented packets are sent with overlapping offsets.

While reassembling them, the kernel can hang or crash.

Land Attack

A long time ago, in a Windows 95 far, far away, a packet with

  • src IP == dst IP
  • SYN flag set

could loop and lock up a TCP/IP stack.

Flooding

SYN Flood Attack

Recall how the TCP/IP three-way handshake works:

The attacker generates a high volume of SYN requests with spoofed source addresses.

Many half-open TCP/IP connections fill the backlog queue.

SYN requests from legitimate clients are dropped.

Mitigation: SYN cookies avoid this. The server replies with SYN+ACK but discards the half-open connection, encoding the connection state in its initial sequence number; when the client's ACK arrives, the state is rebuilt from the acknowledged number.
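As an added example (not part of these notes), a simplified SYN-cookie scheme in Python, modelled on the classic layout: the server's initial sequence number packs a time slot, an MSS index and a keyed hash of the connection tuple, so the half-open connection can be discarded and rebuilt from the client's ACK. The key, MSS table, slot arithmetic and addresses are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Constructed demo parameters: a real stack would rotate the key and derive
# the time slot from a clock (e.g. seconds // 64).
SECRET = b"constructed-demo-key"
MSS_TABLE = (536, 1024, 1220, 1440, 1460)   # index fits in the 3 MSS bits


def _hash24(saddr, sport, daddr, dport, client_isn, slot):
    """24-bit keyed hash over the connection tuple, client ISN and time slot."""
    msg = struct.pack("!4s4sHHII", saddr, daddr, sport, dport, client_isn, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_isn, mss, slot):
    """Server ISN for the SYN+ACK. Layout: 5 bits slot | 3 bits MSS idx | 24 bits hash.
    Nothing about this SYN is stored: the half-open connection is discarded."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((slot & 0x1F) << 27) | (idx << 24) | _hash24(saddr, sport, daddr, dport, client_isn, slot)


def check_cookie(saddr, sport, daddr, dport, client_isn, ack, slot_now, max_age=1):
    """On the client's ACK, rebuild the connection state from ack-1.
    Returns the negotiated MSS, or None if the cookie is forged or stale."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the server ISN the client echoes
    enc_slot, idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if idx >= len(MSS_TABLE):
        return None
    for cand in range(slot_now, slot_now - max_age - 1, -1):   # current and recent slots
        if cand < 0 or (cand & 0x1F) != enc_slot:
            continue
        expected = _hash24(saddr, sport, daddr, dport, client_isn, cand)
        if hmac.compare_digest(expected.to_bytes(3, "big"), tag.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


def demo():
    """Legitimate handshake, ACK that arrives too late, and tampered ACK (constructed)."""
    client, server = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])
    cookie = make_cookie(client, 40000, server, 443, 12345, 1460, slot=100)
    ok = check_cookie(client, 40000, server, 443, 12345, cookie + 1, slot_now=100)
    stale = check_cookie(client, 40000, server, 443, 12345, cookie + 1, slot_now=102)
    forged = check_cookie(client, 40000, server, 443, 12345, (cookie ^ (1 << 23)) + 1, slot_now=100)
    return ok, stale, forged
```

A spoofed SYN flood therefore costs the server one hash per SYN and no queue entry, while an ACK without a matching cookie is simply dropped.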

Distributed DoS (DDoS)

Botnet: network of compromised computers, called bots (i.e., infected by malware).

C&C: dedicated command-and-control infrastructure so that the attacker (botmaster) can send commands to the bots.

Various uses (e.g., spamming, phishing, info stealing), including DDoS-ing.

Smurf

The attacker sends ICMP echo requests with a spoofed sender address (the victim) to a broadcast address; every host in the broadcast domain replies to the victim, amplifying the traffic.

Sniffing (against confidentiality)

Unauthorized reading of network packets.

Normally, a network interface card (NIC) intercepts and passes to the OS only the packets addressed to that host.

Promiscuous mode: the NIC passes to the OS any packet read off the wire.

When hubs were used instead of switches, sniffing was very easy.

Hubs repeat all traffic to every host in the broadcast domain, so a NIC in promiscuous mode sees everything.

Switches selectively relay traffic only to the port of the NIC it is destined for (based on the destination MAC address).

Spoofing (against integrity and authenticity)

Forging network packets.

ARP spoofing

ARP maps 32-bit IPv4 addresses to 48-bit hardware (MAC) addresses.

  • ARP request "where is 192.168.0.1?"
  • ARP reply "192.168.0.1 is at b4:e9:b0:c9:81:03"

First come, first trusted! An attacker can forge replies easily, because ARP has no authentication.

Possible Mitigations

  • Check responses before trusting them (e.g., detect conflicting mappings for the same address)
  • Add a SEQ/ID number to the request so that unsolicited replies can be rejected

Filling up a CAM Table

Switches use CAM tables to know (i.e., cache) which MAC addresses are on which ports.

Dsniff (macof) can generate ~155k spoofed packets a minute and fills the CAM table in seconds (MAC flooding).

CAM table full: the switch cannot cache new MAC-to-port mappings and must forward everything to every port (like a hub does), which makes sniffing possible again.