Network Attacks and Countermeasures

Most attacks against networks are Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks in which the objective is to consume a network’s bandwidth so that network services become unavailable. But several other types of attacks exist, some of which are discussed in the following sections.

Bluejacking and bluesnarfing

With Bluetooth technology becoming wildly popular, several new attack methods have evolved, including bluejacking (sending anonymous, unsolicited messages to Bluetooth-enabled devices) and bluesnarfing (stealing personal data, such as contacts, pictures, and calendar information from a Bluetooth-enabled phone). Even worse, in a bluesnarfing attack, information about your cellular phone (such as its serial number) can be downloaded, then used to clone your phone.

Fraggle

A Fraggle attack is a variant of a Smurf attack (see the section “Smurf,” later in this chapter) that uses UDP Echo packets (UDP port 7) rather than ICMP packets. Cisco routers can be configured to disable the TCP and UDP services (known as TCP and UDP small servers) that are most commonly used in Fraggle attacks.

ICMP flood

In an ICMP flood attack, large numbers of ICMP packets (usually Echo Request) are sent to the target network to consume available bandwidth and/or system resources. Because ICMP isn’t required for normal network operations, the easiest defense is to drop ICMP packets at the router or filter them at the firewall.

Session hijacking (spoofing)

IP spoofing involves altering a TCP packet so that it appears to be coming from a known, trusted source, thus giving the attacker access to the network.

Smurf

A Smurf attack is a variation of the ICMP flood attack. (Check out the section “ICMP flood,” earlier in this chapter.) In a Smurf attack, ICMP Echo Request packets are sent to the broadcast address of a target network by using a spoofed IP address on the target network. The target, or bounce site, then transmits the ICMP Echo Request to all hosts on the network. Each host then responds with an Echo Reply packet, overwhelming the available bandwidth and/or system resources. Countermeasures against Smurf attacks include dropping ICMP packets at the router.

SYN flood

In a SYN flood attack, TCP packets with a spoofed source address request a connection (SYN bit set) to the target network. The target responds with a SYN-ACK packet, but the spoofed source never replies. Half-open connections are incomplete communication sessions awaiting completion of the TCP three-way handshake. These connections can quickly overwhelm a system’s resources while the system waits for the half-open connections to time out, which causes the system to crash or otherwise become unusable.

SYN floods are countered on Cisco routers by using two features: TCP Intercept, which effectively proxies for the half-open connections; and Committed Access Rate (CAR), which limits the bandwidth available to certain types of traffic. Checkpoint’s FW-1 firewall has a feature known as SYN Defender that functions in a way similar to the Cisco TCP Intercept feature. Other defenses include changing the default maximum number of TCP half-open connections and reducing the timeout period on networked systems.

Teardrop

In a Teardrop attack, the Length and Fragmentation offset fields of sequential IP packets are modified, causing the target system to become confused and crash.

UDP flood

In a UDP flood attack, large numbers of UDP packets are sent to the target network to consume available bandwidth and/or system resources. UDP floods can generally be countered by dropping unnecessary UDP packets at the router. However, if the attack uses a required UDP port (such as DNS port 53), other countermeasures need to be employed.
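The SYN flood, Smurf and Fraggle descriptions above each boil down to a traffic pattern a defender can look for: SYNs that never receive the completing ACK, and echo requests (ICMP, or UDP port 7) aimed at a broadcast address with the victim as the spoofed source. The following is an added detection example written for this chapter, not code from the book; the packet trace, the broadcast address and the half-open threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed trace; each record is (proto, src, dst, dport, info).
# For TCP, info holds flags ("S" = SYN, "SA" = SYN-ACK, "A" = ACK);
# for ICMP it holds the message type. Addresses are documentation ranges.
BROADCAST = {"192.0.2.255"}
TRACE = [
    ("tcp", "203.0.113.5", "192.0.2.10", 80, "S"),
    ("tcp", "192.0.2.10", "203.0.113.5", 0, "SA"),
    ("tcp", "203.0.113.5", "192.0.2.10", 80, "A"),         # completes normally
    ("tcp", "198.51.100.1", "192.0.2.10", 80, "S"),        # spoofed: never completes
    ("tcp", "192.0.2.10", "198.51.100.1", 0, "SA"),
    ("tcp", "198.51.100.2", "192.0.2.10", 80, "S"),
    ("tcp", "192.0.2.10", "198.51.100.2", 0, "SA"),
    ("tcp", "198.51.100.3", "192.0.2.10", 80, "S"),
    ("icmp", "192.0.2.20", "192.0.2.255", 0, "echo-req"),  # Smurf: src is the victim
    ("icmp", "192.0.2.20", "192.0.2.255", 0, "echo-req"),
    ("udp", "192.0.2.20", "192.0.2.255", 7, ""),           # Fraggle: UDP echo, port 7
]

def half_open_connections(trace):
    """Count handshakes per server that got a SYN but no completing ACK."""
    pending = set()  # (client, server) pairs still waiting for the third packet
    for proto, src, dst, _dport, flags in trace:
        if proto != "tcp":
            continue
        if flags == "S":
            pending.add((src, dst))
        elif flags == "A":
            pending.discard((src, dst))
    counts = defaultdict(int)
    for _client, server in pending:
        counts[server] += 1
    return dict(counts)

def amplification_requests(trace, broadcast):
    """Echo requests sent to a broadcast address; the source is the real victim."""
    hits = defaultdict(int)
    for proto, src, dst, dport, info in trace:
        is_smurf = proto == "icmp" and info == "echo-req"
        is_fraggle = proto == "udp" and dport == 7
        if dst in broadcast and (is_smurf or is_fraggle):
            hits[(src, "smurf" if is_smurf else "fraggle")] += 1
    return dict(hits)

def assess(trace, broadcast=BROADCAST, max_half_open=2):
    """Return human-readable findings; the threshold is an assumed tuning value."""
    findings = []
    for server, n in half_open_connections(trace).items():
        if n > max_half_open:
            findings.append(f"possible SYN flood against {server}: {n} half-open")
    for (victim, kind), n in amplification_requests(trace, broadcast).items():
        findings.append(f"possible {kind} via broadcast, spoofed victim {victim}: {n}")
    return findings
```

Run against the constructed trace it reports one SYN-flood finding for 192.0.2.10 and one Smurf and one Fraggle finding naming 192.0.2.20 as the spoofed victim.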

Prep Test

1 A data network that operates across a relatively large geographic area defines what type of network?

A. LAN
B. MAN
C. CAN
D. WAN

2 The process of wrapping protocol information from one layer in the data section of another layer describes

A. Data encryption
B. Data encapsulation
C. Data hiding
D. TCP wrappers

3 The LLC and MAC are sub-layers of what OSI model layer?

A. Data Link
B. Network
C. Transport
D. Session

4 The Ethernet protocol is defined at what layer of the OSI model and in which IEEE standard?

A. Data Link Layer, 802.3
B. Network Layer, 802.3
C. Data Link Layer, 802.5
D. Network Layer, 802.5

5 All the following are examples of packet-switched WAN protocols, except

A. X.25
B. Frame Relay
C. ISDN
D. SMDS

6 Which of the following is an example of a Class C IP address?

A. 17.5.5.1
B. 127.0.0.1
C. 192.167.4.1
D. 224.0.0.1

7 The TCP/IP Protocol Model consists of the following four layers:

A. Application, Presentation, Session, Transport
B. Application, Session, Network, Physical
C. Application, Session, Transport, Internet
D. Application, Transport, Internet, Link

8 Which of the following firewall architectures employs external and internal routers, as well as a bastion host?

A. Screening router
B. Screened-subnet
C. Screened-host gateway
D. Dual-homed gateway

9 Which of the following is not a common VPN protocol standard?

A. IPSec
B. PPTP
C. TFTP
D. L2TP

10 A type of network attack in which TCP packets are sent from a spoofed source address with the SYN bit set describes

A. Smurf
B. Fraggle
C. Teardrop
D. SYN flood

Answers

1 D. WAN. A LAN operates across a relatively small geographic area. MANs and CANs are LAN variations. Review “Wide area network (WAN).”

2 B. Data encapsulation. Data encapsulation wraps protocol information from one layer in the data section of another layer. The other choices are incorrect. Review “The OSI Reference Model.”

3 A. Data Link. The Data Link Layer is the only layer of the OSI model that defines sub-layers (the Logical Link Control and Media Access Control sub-layers). Review “Data Link Layer (Layer 2).”

4 A. Data Link Layer, 802.3. LAN protocols are defined at the Data Link Layer. IEEE 802.5 defines the Token-Ring standard. Review “Data Link Layer (Layer 2).”

5 C. ISDN. ISDN is circuit-switched. Packet-switched network technologies include X.25, Frame Relay, SMDS, ATM, and VoIP. Review “WAN technologies and protocols.”

6 C. 192.167.4.1. 17.5.5.1 is a Class A address, 127.0.0.1 is an interface loopback address, and 224.0.0.1 is a multicast address (Class D). Review “Internet Protocol (IP).”

7 D. Application, Transport, Internet, Link (or Network). Review “The TCP/IP Model.”

8 B. Screened-subnet. The screened-subnet employs an external screening router, a dual-homed (or multi-homed) host, and a second internal screening router. Review “Firewall architectures.”

9 C. TFTP. TFTP is the Trivial File Transfer Protocol, a basic variation of the FTP protocol that provides limited file transfer capabilities. It has absolutely nothing to do with VPNs. Review “Virtual Private Networks (VPNs).”

10 D. SYN flood. Smurf attacks exploit vulnerabilities in the ICMP protocol. Fraggle attacks exploit vulnerabilities in the UDP protocol. A Teardrop attack exploits vulnerabilities in the TCP protocol by using the length and fragmentation offset fields. See “Network Attacks and Countermeasures.”
