Aim: To study the attacks due to vulnerabilities in TCP/IP protocol suite
Attacks on physical layer:
1. Fiber/Cable cuts: Fiber and cable cut can be done to prevent authorized user from accessing network.
2. Wireless link jamming: This is done in order to prevent user to use wireless link.
3. Rogue access points: This refers to installation of unauthorized wireless access point to tap into network resources.
4. High voltage and electromagnetic fields can also interfere with data transmitting through copper wire.
5. Eavesdropping (sniffing): This is done to listen network traffic.
Attacks on data link layer
- Denial of Service attacks
A Denial of Service attack is a type of attack that exploits weaknesses in protocols and services by exhausting resources, causing service disruption or Quality of Service (QoS) degradation. Its main goal is to affect availability of the targeted service. If an attacker can launch a DoS attack that affects L2 networking devices, a single residential user might cause havoc to all others using services on the same network. The effect of such an attack could encompass many users, depending on the architecture and layout of the network.
- CAM table overflow attack
A switch's CAM table contains network information such as MAC addresses available on physical switch ports and associated VLAN parameters. CAM Table Overflows occur when an influx of MAC addresses are flooded into the table and the CAM table threshold is reached. This causes the switch to act like a hub, flooding the network with traffic out all ports. The flooding caused by a CAM Table Overflow is limited to the source VLAN, thus does not affect other VLANs on the network.
- MAC address spoofing
MAC address spoofing is another major threat to data link layer. Through MAC address spoofing an attacker can change his mac address to the mac address of a different machine in the network. Due to which the switch will start sending frames to the attackers machine. Mac address spoofing can also be used to bypass several security measures, taken by ISP's to block users. In Linux Mac address spoofing can be done very easily through command line. Mac address spoofing can also be done in windows.
- DHCP related attacks
Another vulnerable protocol which can be compromised using Data Link layer is DHCP. DHCP is mainly used to automatically obtain the network configuration details, for a host. The details are like Ip address,gateway,dns server details etc. Normally the ip address provided by the dhcp server, is on a lease basis, which will expire after a certain period of time, during this period the dhcp server will not allocate the same address to any other clients. DHCP server's maintain a list of ip's that are already allocated,and the ip's that are not allocated. So this poses a denial of service attack risk, if an attacker sends large number of dhcp request with spoofed mac address to the dhcp server to consume all the available ip addresses.Such kind of a denial of service attack against DHCP server is called ip pool starvation attack.At this point of time, the DHCP server cannot allocate any ip address to the new hosts in the network(becuase all the ip pool addresses are consumed by the attacker's spoofed dhcp requests). So the attacker will change himself to a dhcp server(if you have read my post on dhcp prototcol , you will come to know that , a network can have multiple dhcp servers), and will allot ip's and gateway as per his wish, to monitor the entire network traffic. DHCP ip pool starvation attack can be prevented by using switch's port security features.
- ARP Attacks:
Similar to the switch's CAM table, each and every machine contain's an ARP table. ARP stands for Address Resolution Protocol. This table consists of ip to mac address mapping. Whenever you try to reach a computer on your network, the first thing that your computer does is to look its ARP table to find, the destination MAC address corresponding to the destination IP address. An attacker can send broadcasts with spoofed mac and ip address's, so that the machine's in the network will update their arp table entry with the attacker's spoofed address and MAC.
Network layer attacks
- Ping of death attack
A ping of death (abbreviated "PoD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 56 bytes in size (or 84 bytes when the Internet Protocol [IP] header is considered); historically, many computer systems could not handle a ping packet larger than the maximum IPv4 packet size, which is 65,535 bytes. Sending a ping of this size could crash the target computer. In early implementations of TCP/IP, this bug was easy to exploit. This exploit has affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers, and routers. However, most systems since 1997–1998 have been fixed, so this bug is mostly historical. Generally, sending a 65,536-byte ping packet would violate the Internet Protocol as written in RFC 791, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash. In recent years a different kind of ping attack has become widespread—ping flooding simply floods the victim with so much ping traffic that normal traffic fails to reach the system
- ICMP flood attack
A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination. To combat denial of service attacks on the Internet, services like the Smurf Amplifier Registry have given network service providers the ability to identify misconfigured networks and to take appropriate action such as filtering.
- Overlapping fragment attack
The IP fragment overlapped exploit occurs when two fragments contained within the same IP datagram have offsets that indicate that they overlap each other in positioning within the datagram. This could mean that either fragment A is being completely overwritten by fragment B, or that fragment A is partially being overwritten by fragment B. Some operating systems do not properly handle fragments that overlap in this manner and may throw exceptions or behave in other undesirable ways upon receipt of overlapping fragments. This is the basis for the teardrop Denial of service attacks.
Transport layer attacks
Port scan attack
A port scanner is a software application designed to probe a server or host for open ports. This is often used by administrators to verify security policies of their networks and by attackers to identify running services on a host with the view to compromise it. A port scan or portscan can be defined as an attack that sends client requests to a range of server port addresses on a host, with the goal of finding an active port and exploiting a known vulnerability of that service, although the majority of uses of a port scan are not attacks and are simple probes to determine services available on a remote machine. To portsweep is to scan multiple hosts for a specific listening port. The latter is typically used in searching for a specific service, for example, an SQL-based computer worm may portsweep looking for hosts listening on TCP port 1433.
SYN flood attack
A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection, by sending back a TCP/SYN-ACK packet (Acknowledge), and waiting for a packet in response from the sender address (response to the ACK Packet). However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.
UDP flood attack
A UDP flood attack is a denial-of-service (DoS) attack using the User Datagram Protocol (UDP), a sessionless/connectionless computer networking protocol.
Using UDP for denial-of-service attacks is not as straightforward as with the Transmission Control Protocol (TCP). However, a UDP flood attack can be initiated by sending a large number of UDP packets to random ports on a remote host. As a result, the distant host will:
· Check for the application listening at that port;
· See that no application listens at that port;
· Reply with an ICMP Destination Unreachable packet.
Thus, for a large number of UDP packets, the victimized system will be forced into sending many ICMP packets, eventually leading it to be unreachable by other clients. The attacker(s) may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach them, and anonymizing their network location(s). Most operating systems mitigate this part of the attack by limiting the rate at which ICMP responses are sent.
Application layer attacks
Session Hijacking
session hijacking, sometimes also known as cookie hijacking is the exploitation of a valid computer session—sometimes also called a session key—to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer. A popular method is using source-routed IP packets. This allows a hacker at point A on the network to participate in a conversation between B and C by encouraging the IP packets to pass through its machine.If source-routing is turned off, the hacker can use "blind" hijacking, whereby it guesses the responses of the two machines. Thus, the hacker can send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net. A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. This is known as a "man-in-the-middle attack".
SQL Injection attacks
SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
Cross Site scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
Root traversal attacks on web server
Directory traversal attacks are used to attempt to access files not intended to be accessed, i.e., files that are not under the root directory, explained below, on a server. Directory traversal attacks are also known as ../ (dot dot slash) attacks, directory climbing, and backtracking.
A Web site uses a server to store and give access to the files that contain web content. These publicly accessible files are stored in what is typically called the "web document root" or simply "root" directory. A directory is another word for what shows up as a folder in the Microsoft Windows operating system. Directories allow hierarchical organization of files and other directories.
By exploiting a directory traversal vulnerability, an attacker can access files in directories other than the root directory. This can be harmful, since access to restricted files containing passwords or other private information may compromise the web server.
Conclusion – Thus we have studied the attacks due to vulnerabilities in TCP/IP protocol suite