Describe, Recognize, or Select Basic Weaknesses in TCP/IP Networking

The level of security on any TCP/IP-enabled network depends entirely on the capabilities and design of the operating systems and software used on it; in particular, how any implementation of TCP/IP (or of other network resources) handles security is dictated by how that implementation is designed. TCP/IP security issues include how a particular implementation performs connection handshaking, monitors established connections, and handles errors between systems on a network. Additional security features or models, such as IP Security (IPSec) and Secure Sockets Layer (SSL), may also be applied alongside or on top of the core TCP/IP protocols.

Numerous TCP/IP protocol implementations and related services can become the focus of attack when weaknesses or vulnerabilities are uncovered and exploited. Sometimes, a server that is otherwise bulletproof one day may become vulnerable the next when a new exploit is documented in its TCP/IP implementation, a related service, or some application that uses TCP/IP that runs on that server. Constant vigilance and attention to security mailing lists and notification agents for the systems and software you use is a key ingredient in maintaining good security. This applies to TCP/IP as much as it does to other key aspects of system and network capability and behavior.

The following TCP/IP behaviors, issues, and elements are likely to be covered on the TICSA exam:

  • It's essential to understand the TCP handshake process, as documented in Summary Tables 7, 8, and 9, for opening and closing TCP connections. See the attacks list later in this section for related attack information.

    Table 7. TCP Handshake Flags
    Flag Type   Explanation
    SYN         Synchronizes sequence numbers used to identify packets between a sender and a receiver
    FIN         Indicates that there is no additional data to be transmitted from sender to receiver
    ACK         Identifies acknowledgment data contained within a packet

    Table 8. TCP Handshake Process: Opening a Connection
    Action                   Explanation
    Active open              The system that requests a connection (the client) performs an active open that activates the SYN flag in the TCP header, along with a port number and an Initial Sequence Number (ISN) for the connection.
    Passive open             The system that receives the connection request (the server) performs a passive open by sending a SYN back to the client that includes the ISN and an ACK for the client's SYN information.
    Connection established   Upon receipt of the passive open packet, the client sends an ACK to the server to acknowledge receipt of that information, and a connection is established. For each connection opened, some finite number of server resources is required to service that connection.

    Table 9. TCP Handshake Process: Closing a Connection
    Action          Explanation
    Active close    The server performs an active close by sending the FIN flag in one of the packets it sends to the client. This ends the flow of data from server to client. Although clients can initiate a close by terminating an application, the server handles this action.
    Passive close   The client sends an ACK to the server indicating receipt of the FIN flag.
    Client close    The client sends a FIN flag to the server to signal the termination of its connection and the end of data flow from client to server. You'll often see this and the preceding action treated as a unit called a FIN-ACK because both flags are usually transmitted together.
    Server close    When the server receives the client FIN (or FIN-ACK), it sends an ACK to the client and then terminates the connection.

  • TCP/IP uses its own four-layer reference model, sometimes called the DARPA model, which maps to the seven-layer OSI Network Reference model. It's important to understand all layers in each of the two models, the functions each one provides, and how they relate to each other. This is covered in detail in Chapter 2, “Fundamentals of TCP/IP.”

  • To a certain extent, keeping TCP/IP secure depends on applying necessary operating system and application patches from their respective vendors. Patches are used to fix problems not found in testing or to add features (in some cases).

    This is a common technique for dealing with security vulnerabilities as soon as possible after they're discovered in the wild.

  • Best practices for opening TCP and UDP port numbers are (a) to limit the ports that are open to only those services actually in use and (b) to control access to those ports (and to all dynamically assigned ports) as tightly as possible. Another way to state these injunctions is “Install no unnecessary TCP/IP services,” which prevents the associated ports from being used at all.

  • SMTP is among the TCP/IP services that can be useful to hackers, because they can impersonate (or subvert) innocent third-party addresses to inundate servers or addresses with bogus mail called spam. Various techniques to disguise the true origination of email messages—especially those with malicious attachments—enable hackers to spread such malware with ease. Likewise, by flooding mail servers with spam, hackers can mount DoS attacks against such servers. Constant patching, denial of message routing, antivirus checking, and “bad-address blocking” are common techniques used to manage email security and prevent attacks.

  • FTP is not often attacked directly, but provides services useful to attackers anyway, because it permits files to be copied to compromised hosts. This is the preferred technique for loading Trojan horses or hacker tools onto partially compromised systems under attack. Likewise, because FTP servers sometimes allow users to gain access to files and directories outside the server's immediate control, it's essential to configure default folders on drives or partitions completely separate from the operating system and other key file system containers.

    Finally, proper security for anonymous FTP user access means explicitly denying anonymous access to all file system containers outside the FTP server's purview.

  • HTTP is the protocol that supports Web servers. As the most heavily used protocol on the Internet, it is also the protocol (and service) most likely to be attacked. Proper security requires limiting or controlling access to dynamic content (such as Java applets or ActiveX controls) to thereby limit exposure to malicious code. Otherwise, the posture is similar to that for SMTP, where constant patching, antivirus checking, and so forth are essential to maintaining security. Microsoft's IIS and its Internet Explorer (server and client, respectively) are particularly prone to repeated and frequent exploits and patches.

  • NAT (network address translation) permits a pool of internal IP addresses to share a single valid external IP address. NAT also works with private IP addresses (as defined in RFC 1918), which may not be routed on the public Internet. External viewers see only the external IP address; internal addresses remain hidden. Because private IP addresses are invalid as source or destination addresses on the public Internet, combining NAT with private IP addressing helps improve security overall. Private IP addresses are described in Table 10. NAT devices can also be configured to perform “one-to-one mapping” so that each internal IP address is mapped to a different external IP address. This avoids potential performance problems that can occur when large numbers of internal IP addresses share a single external IP address.

    Table 10. Private IP Addresses (As per RFC 1918)
    Class     Address Range               Networks   Total Private Hosts
    Class A   10.0.0.0                    1          16,777,214
    Class B   172.16.0.0–172.31.0.0       16         1,048,544
    Class C   192.168.0.0–192.168.255.0   256        65,024

  • The Secure Sockets Layer provides encryption services for data moving between a client and server to secure data transmission, typically between a Web browser (client) and a Web server. Because encryption imposes extra processing overhead, SSL is usually reserved for e-commerce transaction pages or other HTTP documents that require stronger security and confidentiality or privacy. Most modern Web browsers and servers support SSL.

It's important to be familiar with the following well-known TCP/IP attacks, and how they may be remediated:

  • Various well-known TCP exploits either flood a server with handshake requests or initiate numerous handshake requests that are never completed to launch DoS attacks.

  • In a SYN Flood attack, large numbers of SYN requests are transmitted but never completed. Because the server allocates resources for each pending connection request, enough uncompleted SYNs (the large number explains the attack name) can consume sufficient server resources to make the machine unavailable. Modern boundary devices limit the number of pending SYNs allowed, and identify and block potential sources of flood attacks.

  • The Land attack also uses SYN packets maliciously. In this case, an attacker creates TCP/IP packets with identical source and destination addresses. When certain operating systems receive Land packets (which never occur naturally), they go into an infinite loop and crash. This requires a manual reboot to restore system operation. Firewalls and screening routers may be configured to recognize and drop all Land packets fairly easily.

  • Session hijacking (a type of man-in-the-middle attack, because it allows the attacker to come between a sender and a receiver) can occur when attackers successfully guess ISNs, and replace the original user communications with their own packets. This explains why random ISNs are routinely used in current TCP implementations (which greatly lowers the probability of a successful hijack).

  • The ICMP protocol plays an important role in the Ping of Death (PoD), Tribal Flood Network (TFN) programs, and Winnuke. PoD simply inundates a server with extremely large Ping requests that consume all available resources, thereby causing DoS conditions. TFN refers to a series of programs that flood a server or network with various types of ICMP traffic. Winnuke uses a specially formatted Ping request to bring down the network connection and crash older Windows computers (especially Windows 95). The Smurf attack and its variants use a specially formatted ICMP echo packet to inundate a target machine with Ping replies. This explains why many boundary devices do not respond to Ping requests, or forward them into their internal networks.

  • In a TCP/IP environment, when a networking device encounters a TCP segment that is too large to be transmitted unaltered, it breaks it up into fragments and uses a fragment numbering and offset system to facilitate reassembly at its destination. The Teardrop attack exploits a vulnerability in this mechanism by creating packet fragments with overlapping or nonadjacent offset values designed to confuse the receiving system. Sometimes this causes outright system crashes or excessive consumption of system resources that translates into a DoS attack.
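To make the handshake in Tables 7 through 9 and the SYN flood condition concrete, here is an added example (not from the book or any product it names): a minimal connection tracker that replays packet flag sequences through the open and close steps and then counts connections stuck before the third handshake step, which is exactly the half-open state a SYN flood piles up on a server. The Packet layout, the state names, and the sample packets (addresses from the RFC 5737 documentation ranges) are constructed assumptions.

```python
"""Added example, not from the book: a minimal TCP connection tracker that
follows the opening handshake (Tables 7-9) and reports half-open
connections, the condition a SYN flood creates.  Packets are constructed
records; addresses come from the RFC 5737 documentation ranges."""
from collections import Counter
from dataclasses import dataclass

# TCP header flag bits (RFC 793 layout).
FIN = 0x01
SYN = 0x02
ACK = 0x10

# Connection states, keyed by (client_ip, client_port, server_ip, server_port).
SYN_SENT = "SYN_SENT"            # client's active open seen
SYN_RECEIVED = "SYN_RECEIVED"    # server's passive open (SYN+ACK) seen
ESTABLISHED = "ESTABLISHED"      # client's ACK completed the handshake
FIN_WAIT = "FIN_WAIT"            # one side has sent FIN
CLOSED = "CLOSED"                # both sides have sent FIN


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def track(packets):
    """Replay packets in order; return {connection_key: final_state}."""
    conns = {}
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)   # key if p.src is the client
        rev = (p.dst, p.dport, p.src, p.sport)   # key if p.src is the server
        if p.flags & SYN and not p.flags & ACK:
            conns[fwd] = SYN_SENT                # active open
        elif p.flags & SYN and conns.get(rev) == SYN_SENT:
            conns[rev] = SYN_RECEIVED            # passive open (SYN+ACK)
        elif p.flags & ACK and conns.get(fwd) == SYN_RECEIVED:
            conns[fwd] = ESTABLISHED             # third step completes it
        elif p.flags & FIN:
            key = fwd if fwd in conns else rev
            if conns.get(key) == ESTABLISHED:
                conns[key] = FIN_WAIT            # first FIN (active close)
            elif conns.get(key) == FIN_WAIT:
                conns[key] = CLOSED              # second FIN (client close)
        # Other bare ACKs (data, or the ACK of a FIN) leave the state unchanged.
    return conns


def half_open(conns):
    """Count connections that never reached ESTABLISHED, per client address.

    Each one still holds server resources; a large total is the SYN-flood signature."""
    counts = Counter()
    for (client, _cport, _server, _sport), state in conns.items():
        if state in (SYN_SENT, SYN_RECEIVED):
            counts[client] += 1
    return counts


# Constructed sample traffic against one web server.
SERVER = "192.0.2.10"
GOOD_CLIENT = "198.51.100.5"
FLOODER = "203.0.113.7"
SAMPLE = [
    # A legitimate client: full three-way open, then a server-initiated close.
    Packet(GOOD_CLIENT, 40001, SERVER, 80, SYN),
    Packet(SERVER, 80, GOOD_CLIENT, 40001, SYN | ACK),
    Packet(GOOD_CLIENT, 40001, SERVER, 80, ACK),
    Packet(SERVER, 80, GOOD_CLIENT, 40001, FIN | ACK),   # active close
    Packet(GOOD_CLIENT, 40001, SERVER, 80, ACK),         # passive close
    Packet(GOOD_CLIENT, 40001, SERVER, 80, FIN | ACK),   # client close
    Packet(SERVER, 80, GOOD_CLIENT, 40001, ACK),         # server close
]
# Five SYNs from one source that the server answers but that are never acknowledged.
SAMPLE += [Packet(FLOODER, 50000 + i, SERVER, 80, SYN) for i in range(5)]
SAMPLE += [Packet(SERVER, 80, FLOODER, 50000 + i, SYN | ACK) for i in range(5)]

if __name__ == "__main__":
    states = track(SAMPLE)
    for key, state in states.items():
        print(key, state)
    print("half-open per client:", dict(half_open(states)))
```

The tracker deliberately keeps only the state a boundary device needs to apply the text's countermeasure: a per-source cap on pending SYNs is just a threshold on what half_open returns.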

Countermeasures for TCP/IP-Based Attacks

Many such attacks depend on vulnerabilities discovered in specific TCP/IP protocol stack implementations associated with specific operating system releases. Normally, updating such operating systems to newer versions stymies known attacks; otherwise, it may be necessary to apply specific patches or fixes designed to correct the programming errors that made those vulnerabilities possible.

Because so many TCP/IP attacks depend on target machines accepting bogus traffic as if it were real, it's also essential to use antispoofing mechanisms as part of your network defenses. Spoofing means that an IP packet presents a source or destination address that is fabricated rather than real. Careful crafting of router or firewall filters can block a great deal of spoofed traffic. Filters to drop any packet that claims to originate inside a network that arrives on an external interface are routine, as are filters for Land packets (where the source and destination address are identical).

Egress filtering is related to antispoofing rules, except that it focuses on outbound traffic rather than inbound traffic. Egress filtering essentially boils down to permitting only packets with valid source addresses from leaving your internal networks (thereby dropping any spoofed packets that may originate inside your network). This won't protect you from attack, but is a good-neighbor practice that prevents your systems from being used to stage attacks on other networks.
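The ingress antispoofing filter, the Land-packet rule and the egress rule from the two paragraphs above, together with the RFC 1918 ranges from Table 10, fit in one decision function. The following is an added example, not from the book or any firewall product: the site network (192.168.1.0/24 behind an interface called "inside"), the interface names and all sample addresses are constructed assumptions, and NAT is assumed to happen elsewhere so that this check sees untranslated addresses.

```python
"""Added example, not from the book: a filter decision function implementing
the antispoofing, Land-packet and egress rules described in the text.
The site network, interface names and sample addresses are assumptions."""
import ipaddress

SITE_NETS = [ipaddress.ip_network("192.168.1.0/24")]   # assumed internal network

# RFC 1918 private blocks (Table 10): never valid on the public Internet.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_site(addr):
    return any(addr in net for net in SITE_NETS)


def is_private(addr):
    return any(addr in net for net in RFC1918)


def filter_packet(iface, src, dst):
    """Decide one packet: returns ("allow", None) or ("drop", reason).

    iface is "outside" (Internet-facing) or "inside" (LAN-facing)."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)

    # Land packet: identical source and destination never occurs naturally.
    if src == dst:
        return ("drop", "land")

    if iface == "outside":
        # Ingress antispoofing: a packet claiming an inside source address
        # cannot legitimately arrive on the external interface.
        if is_site(src):
            return ("drop", "spoofed-internal-source")
        # RFC 1918 sources are unroutable on the Internet, so they are
        # bogus by definition when they show up on the outside.
        if is_private(src):
            return ("drop", "rfc1918-source")
    elif iface == "inside":
        # Egress filtering: only packets with a valid (our own) source
        # address may leave, so spoofed traffic cannot be staged from here.
        if not is_site(src):
            return ("drop", "egress-invalid-source")
        # Private destinations outside the site cannot be reached across the Internet.
        if is_private(dst) and not is_site(dst):
            return ("drop", "egress-private-destination")
    else:
        raise ValueError(f"unknown interface {iface!r}")
    return ("allow", None)


# Constructed sample traffic: (interface, source, destination).
SAMPLE = [
    ("outside", "203.0.113.9", "192.168.1.20"),     # ordinary inbound packet
    ("outside", "192.168.1.5", "192.168.1.20"),     # spoofed internal source
    ("outside", "10.1.2.3", "192.168.1.20"),        # RFC 1918 source from outside
    ("outside", "192.168.1.20", "192.168.1.20"),    # Land packet
    ("inside", "192.168.1.20", "198.51.100.1"),     # valid outbound packet
    ("inside", "203.0.113.9", "198.51.100.1"),      # spoofed source leaving the site
]


def run(sample=SAMPLE):
    """Apply filter_packet to each sample record; return the list of verdicts."""
    return [filter_packet(*rec) for rec in sample]


if __name__ == "__main__":
    for rec, verdict in zip(SAMPLE, run()):
        print(rec, "->", verdict)
```

The Land check sits before the interface branch on purpose: such a packet is invalid whichever side it arrives on, and checking it first keeps the rule from depending on how interfaces are named.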

Network Reconnaissance Often Precedes Attack

It's possible to recognize signs of hacker reconnaissance that often presage intrusion attempts. Most IDSs can detect and report on such activities, which are worth watching closely. IP reconnaissance usually includes the following techniques:

  • IP Sweep. A simple network scan in which a series of hit-or-miss Ping packets check all possible IP addresses on a subnet. Those systems that respond to this sweep—and most IP hosts respond to Ping requests by default—mark themselves for further reconnaissance activities. These results identify potential hosts to attack.

  • Port Scans. A scan that targets a single system with a series of packets aimed at specific port addresses. Results of the scan provide at least a partial list of services active on a given system. These results identify potential services whose vulnerabilities may be exploited (if not already patched).

  • Signature Detection. A scan that relies on tools that can identify specific service implementations on a host at a greater level of detail than that available from a port scan. By looking for characteristic banners, behaviors, or clues (which provide the signatures that may be detected), these tools help hackers zero in on known vulnerabilities and exploits associated with specific services, versions, operating systems, and so forth.

Reconnaissance Countermeasures

A properly configured firewall is the best defense against network reconnaissance. It's possible to deflect most reconnaissance efforts simply by blocking external hosts from passing ICMP requests to internal networks. For additional protection, individual hosts can also be configured to ignore ICMP requests.

An IDS can detect and report on reconnaissance efforts, and can sometimes even backtrace their putative origins (the best hackers seldom provide sufficient information to reveal their true source addresses, however). But observing an increased level of reconnaissance through an IDS can provide warning of potential attack, and can raise your vigilance regarding other potential signs of attack or intrusion.
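The reconnaissance techniques listed above (IP sweeps and port scans) and the IDS detection described in this section can be illustrated with a small detector. This is an added example, not from the book or from any IDS product: it runs over constructed connection records, and the record layout, the thresholds and the sliding window are all assumptions. Signature detection (banner inspection) is not modelled here.

```python
"""Added example, not from the book: a small detector for the two
reconnaissance patterns the text describes (IP sweeps and port scans),
run over constructed connection records rather than a real IDS feed.
Record layout, thresholds and the sliding window are assumptions."""
from collections import defaultdict

# Record layout: (time_seconds, src_ip, dst_ip, proto, dst_port); dst_port is None for ICMP.
WINDOW = 60          # seconds of history kept per source
SWEEP_HOSTS = 8      # distinct hosts pinged by one source within the window -> IP sweep
SCAN_PORTS = 10      # distinct ports probed on one host by one source -> port scan


def detect(records, window=WINDOW, sweep_hosts=SWEEP_HOSTS, scan_ports=SCAN_PORTS):
    """Return alerts as (kind, src, detail) tuples, at most one per source or source/target."""
    alerts = []
    pings = defaultdict(list)     # src -> [(t, dst)] within the window
    probes = defaultdict(list)    # (src, dst) -> [(t, port)] within the window
    fired = set()                 # keys that already produced an alert
    for t, src, dst, proto, port in sorted(records, key=lambda r: r[0]):
        if proto == "icmp":
            hist = pings[src]
            hist.append((t, dst))
            hist[:] = [(ts, d) for ts, d in hist if t - ts <= window]   # expire old entries
            targets = {d for _, d in hist}
            if len(targets) >= sweep_hosts and ("sweep", src) not in fired:
                fired.add(("sweep", src))
                alerts.append(("ip-sweep", src, f"{len(targets)} hosts pinged within {window}s"))
        elif proto == "tcp":
            hist = probes[(src, dst)]
            hist.append((t, port))
            hist[:] = [(ts, p) for ts, p in hist if t - ts <= window]
            ports = {p for _, p in hist}
            if len(ports) >= scan_ports and ("scan", src, dst) not in fired:
                fired.add(("scan", src, dst))
                alerts.append(("port-scan", src, f"{len(ports)} ports probed on {dst} within {window}s"))
    return alerts


# Constructed sample records (RFC 5737 documentation addresses).
SCANNER = "203.0.113.50"   # constructed external source
SAMPLE = []
# Sweep: ten hosts on 192.0.2.0/24 pinged two seconds apart.
SAMPLE += [(2 * i, SCANNER, f"192.0.2.{i}", "icmp", None) for i in range(1, 11)]
# Follow-up port scan: twelve consecutive ports on the one host that answered.
SAMPLE += [(30 + i, SCANNER, "192.0.2.4", "tcp", 20 + i) for i in range(12)]
# Benign background: a user pings one host and opens a web connection.
SAMPLE += [(5, "192.0.2.77", "192.0.2.1", "icmp", None),
           (6, "192.0.2.77", "192.0.2.4", "tcp", 80)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Keying the port-scan history by (source, destination) rather than by source alone is what separates a scan of one host from a user who legitimately talks to many services on many hosts; the thresholds are the tuning knobs a real IDS exposes, and the sliding window is what stops slow, spread-out probes from accumulating forever.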
