KEMBAR78
Hacking Cisco | PPT
Uploaded byguestd05b31
PPT, PDF5,618 views

Hacking Cisco

The document discusses various reconnaissance and access attacks against Cisco networks, as well as countermeasures. It covers passive sniffing, port scans, ping sweeps, password attacks, trust exploitation, IP spoofing, DHCP/ARP attacks, and DoS/DDoS attacks. Defenses include switched networks, encryption, firewall rules, DHCP snooping, dynamic ARP inspection, rate limiting, and storm control.

Downloaded 721 times
Hacking Cisco Networks and Countermeasures
Overview Reconnaissance Attacks Passive Sniffing Ping Sweeps Port Scans (tcp&udp) Active Attacks Password attacks Trust exploitation Port redirection External Attacks IP Spoofing DoS, DDoS Attacks Internal Attacks DHCP and ARP Attacks
Reconnaissance Attacks Reconnaissance refers to the overall act of learning information about a target network by using readily available information and applications. Reconnaissance attacks include these attacks: Packet sniffers Port scans Ping sweeps Internet information queries
Packet Sniffers A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. There are packet sniffer features: Packet sniffers exploit information passed in clear text. Protocols that pass information in clear text are Telnet, FTP, SNMP, Post Office Protocol (POP), and HTTP. Packet sniffers must be on the same collision domain as the machine that they are targeting. Packet sniffers can be used legitimately or can be designed specifically for attack. Host A Host B Router A Router B
Passive Sniffing
Packet Sniffer Attack Mitigation Here are some packet sniffer mitigation techniques and tools: Authentication Switched infrastructure Antisniffer tools Cryptography Host A Host B Router A Router B
Port Scans and Ping Sweeps Port scan and ping sweep attacks: Identify all services on the network Identify all hosts and devices on the network Identify the operating systems on the network Identify vulnerabilities on the network
Ping Sweep with NMAP
Ping Sweep (cont.)
Blocking Ping Sweeps access-list 102 deny icmp any any echo access-list 102 permit ip any any interface FastEthernet0/0 ip address 10.1.1.254 255.255.255.0 ip access-group 102 in
Seems like it worked but ???
We give out too much information…
To block messages originating from the blocking router… access-list 103 permit icmp any any unreachable class-map match-all STOPSHARING match access-group 103! policy-map STOPSHARING class STOPSHARING drop class class-default control-plane service-policy output STOPSHARING
Same result…
But this time we don’t share info…
Simple UDP Port Scan
Destination Unreachable (Port)
How to block… access-list 101 deny icmp any any unreachable access-list 101 permit ip any any interface FastEthernet0/0 ip address 10.1.1.254 255.255.255.0 ip access-group 101 out
We don’t send any unreachable messages…
After Blocking everything seems open, some obscurity for scanner…
Port scans and ping sweeps cannot be prevented without compromising network capabilities. Port Scan and Ping Sweep Attack Mitigation However, damage can be mitigated using IPS at the network and host levels. Workstation with HIPS Laptop with HIPS Scan Port Shared Connection IDS and IPS
Internet Information Queries Sample IP address query Attackers can use Internet tools such as whois as a weapon.
Access Attacks Intruders use access attacks on networks or systems for the these reasons: Retrieve data Gain access Escalate their access privileges Access attacks include: Password attacks Trust exploitation Port redirection
Password Attacks Hackers implement password attacks using: Brute-force attacks Trojan horse programs IP spoofing Packet sniffers
Password Attack Example The bgp_md5crack tool is used for cracking a secret used for RFC2385 based packet signing and authentication. It is designed for offline cracking, means to work on a sniffed, correct signed packet. This packet can either be directly sniffed of the wire or be provided in a pcap file.
For Routing Protocols…
Simple Cracking with Cain…
Trust Exploitation A hacker leverages existing trust relationships. Several trust models exist: Microsoft Windows: Domains Active directory Linux and UNIX: NIS NIS+ System A User = psmith; Pat Smith System B is compromised by a hacker. User = psmith; Pat Smith Hacker User = psmith; Pat Smithson A hacker gains access to System A . Trust relationships: System A trusts System B. System B trusts everyone. System A trusts everyone.
Port Redirection Host B Attacker Source: A Destination: B Port: 23 Compromised Host A Source: Attacker Destination: A Port: 22 Source: Attacker Destination: B Port: 23
Port Redirection Configuration On HOSTA we create a named pipe using the mkfifo commands: #pipe will be the name of our named pipe mkfifo pipe We then create our two way tunnel using Netcat on HOSTA: nc -lvp 25 <pipe | nc -t 10.1.2.253 23 >pipe Then telnet from Attacker machine telnet 10.1.2.1 80
Here we are connected to the internal switch…
IP Spoofing IP spoofing occurs when a hacker inside or outside a network impersonates a trusted source. IP spoofing uses trusted internal IP addresses or trusted external IP addresses. Attackers use IP spoofing for many reasons: To gain root access To inject malicious data or commands into an existing data stream To divert network packets to the hacker who can then reply as a trusted user by changing the routing tables To crash servers by overloading memory (DoS) As a step in a larger attack
IP Spoofing—Types of Attack IP spoofing attacks are either: Nonblind spoofing The attacker sniffs sequence numbers (i.e., from inside the subnet of the victim). Blind spoofing The attacker calculates sequence numbers. IP spoofing can lead to these types of attacks: Man-in-the-middle attack DoS attack Distributed DoS (DDoS) attack
Let’s see in action
Here we drive router to reply to the other host..
Man-in-the-Middle Attacks A man-in-the-middle attack requires that the hacker has access to network packets that come across a network. A man-in-the-middle attack is implemented using the following: Network packet sniffers (nonblind attack) Routing and transport protocols (blind attack) Host A Host B Router A Router B Data in Clear Text
IP Spoofing Attack Mitigation The threat of IP spoofing can be reduced, but not eliminated, using these measures: Strong access control at the router ACLs on outbound interface ACLs on inbound interface Data encryption Additional authentication requirements Host A Host B Router A ISP Router B IPSec tunnel
DoS Attacks A DoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services. DoS attack techniques almost always use IP spoofing.
TCP SYN Flooding DoS Attack AttackerTCP Client ------------- Client Ports 1024 – 65535 Victim TCP Server ------------- Service Ports 1–1024 80 ? SYN Packet with Spoofed Source Address TCP Client ------------- Client Ports 1024–65535 TCP Three-Way Handshake 1 SYN 2 SYN and ACK TCP Server ------------- Service Ports 1 – 1024 80 1 SYN 3 ACK 2 SYN and ACK
DDoS Attacks DoS Attack DoS and DDoS attacks have these characteristics: They are not generally targeted to gain access. They aim at making a service unavailable. They require very little effort to execute. They are difficult to eliminate. DDoS Attack Attacker Victim Attack Control Mechanism Victim Zombie Zombie Zombie
DDoS Example Handler Systems Client System The client issues commands to handlers that control agents in a mass attack. The cracker looks for targets. The cracker installs software to scan, compromise, and infect agents with zombies. Agents are loaded with remote control attack software. Agent Systems
SYN Flooding Attack
Let’s be more creative…
We put almost 1 million packets in one minute period on the wire, not so bad….
CPU Consumption..
DoS and DDoS Attack Mitigation Reduce DoS and DDoS attacks by: Protecting yourself against IP spoofing with ingress- and egress-filtering ACLs Using antivirus software to find zombie agents Using anti-DoS features on routers and firewalls ip verify unicast reverse-path interface command ACLs to filter all private Internet address space (RFC 1918) Using traffic rate limiting at the ISP level Use class-based traffic policing on ICMP packets Use SYN rate limiting
Rate Limiting What rate limiting does: Allows network managers to set bandwidth thresholds for users and by traffic type Benefits: Prevents the deliberate or accidental flooding of the network Keeps traffic flowing smoothly Rate Limiting for Different Classes of Users Network Manager Teachers Students 2 Mbps 10 Mbps 50 Mbps Otherwise, there can be a deliberate or accidental slowdown or freezing of the network.
Example: ICMP rate limiting access-list 170 permit icmp any any Interface f0/0 rate-limit input access-group 170 128000 16000 24000 conform-action transmit exceed-action drop
Spoofing the DHCP Server An attacker activates a DHCP server on a network segment. The client broadcasts a request for DHCP configuration information. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information. Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client. Client Rogue DHCP Attacker Legitimate DHCP Server
Everything starts with starvation…
Storm Control can be in help… Interface fastethernet 0/1 storm-control broadcast level 10.00 8.00
DHCP Snooping DHCP snooping allows the configuration of ports as trusted or untrusted . Trusted ports can send DHCP requests and acknowledgements. Untrusted ports can forward only DHCP requests. DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID. Use the ip dhcp snooping command. Client Rogue DHCP Attacker Legitimate DHCP Server
DHCP Snooping Configuration ip dhcp snooping ip dhcp snooping vlan 20 interface FastEthernet0/13 switchport access vlan 20 ip dhcp snooping trust Switch#sh ip dhcp snooping binnding MacAddress IpAddress Lease(sec) Type VLAN Interface ------------------ --------------- ---------- ------------- ---- -------------------- 00:14:A8:96:2C:40 10.1.2.12 86371 dhcp-snooping 20 FastEthernet0/24 00:14:6A:1D:B8:00 10.1.2.13 86371 dhcp-snooping 20 FastEthernet0/23 Total number of bindings: 2
ARP Spoofing: Man-in-the-Middle Attacks 10.1.1.1 = MAC C.C.C.C ARP Table in Host A IP 10.1.1.2 MAC A.A.A.A A B 10.1.1.2 = MAC C.C.C.C ARP Table in Host B 10.1.1.1 = MAC B.B.B.B 10.1.1.2 = MAC A.A.A.A ARP Table in Host C C IP 10.1.1.3 MAC C.C.C.C 1. IP 10.1.1.2 ? MAC for 10.1.1.1 2. Legitimate ARP reply 10.1.1.1 = MAC B.B.B.B 3. Subsequent gratuitous ARP replies overwrite legitimate replies 10.1.1.1 bound to C.C.C.C 10.1.1.2 bound to C.C.C.C Attacker IP 10.1.1.1 MAC B.B.B.B A B C A = host A B = host B C = host C
Mitigating Man-in-the-Middle Attacks with DAI MAC or IP Tracking Built on DHCP Snooping 10.1.1.1 DHCP Server DHCP Discovery (BCAST) DHCP Offer (UCAST) DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof. Track Discovery Track DHCP Offer MAC or IP Track Subsequent ARPs for MAC or IP 10.1.1.2 DAI Function:
DAI in Action A binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping. 10.1.1.1 10.1.1.2 GARP is sent to attempt to change the IP address to MAC bindings. Gateway is 10.1.1.1 Attacker is not gateway according to this binding table I am your gateway: 10.1.1.1 10.1.1.2
DAI Configuration… ip arp inspection vlan 20 ip arp inspection vlan 20 logging dhcp-bindings all ip arp inspection validate src-mac
Questions & Discussion ? ? ? ? ? ? ? ? ? ? ? ? ? ?
Thank you…

More Related Content

PPTX
Owasp
bypenetration Tester
 
PDF
Nmap
byFat-Thing Gabriel-Culley
 
PPTX
Heartbleed
byShyam Bahadur Sunari Magar
 
PPTX
Ppt on sql injection
byashish20012
 
PPTX
Red Team Apocalypse
byBeau Bullock
 
PDF
Nmap basics
byitmind4u
 
PDF
Ch 10: Hacking Web Servers
bySam Bowne
 
PPT
Web security
bySubhash Basistha
 
Owasp
bypenetration Tester
 
Nmap
byFat-Thing Gabriel-Culley
 
Heartbleed
byShyam Bahadur Sunari Magar
 
Ppt on sql injection
byashish20012
 
Red Team Apocalypse
byBeau Bullock
 
Nmap basics
byitmind4u
 
Ch 10: Hacking Web Servers
bySam Bowne
 
Web security
bySubhash Basistha
 

What's hot

PPTX
Virtual LAN
byLilesh Pathe
 
PPTX
Password craking techniques
byأحلام انصارى
 
PPT
Web application attack and audit framework (w3af)
byAbhishek Choksi
 
PDF
Fastapi
byVikasYadav314092
 
PDF
Sql Injection and XSS
byMike Crabb
 
PDF
Linux Hardening - nullhyd
byn|u - The Open Security Community
 
PPTX
Network Security- port security.pptx
bySulSya
 
PPTX
Sql injection
byZidh
 
PDF
Footprinting
byDuah John
 
PPTX
Wireless penetration testing
byKamlesh Dhanwani
 
PDF
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
byDirkjanMollema
 
PPTX
Introduction to Offensive Security.pptx
byMaaitrayoDas
 
PPTX
Web application attacks
byhruth
 
PPTX
Introduction To Ethical Hacking
byRaghav Bisht
 
Virtual LAN
byLilesh Pathe
 
Password craking techniques
byأحلام انصارى
 
Web application attack and audit framework (w3af)
byAbhishek Choksi
 
Fastapi
byVikasYadav314092
 
Sql Injection and XSS
byMike Crabb
 
Linux Hardening - nullhyd
byn|u - The Open Security Community
 
Network Security- port security.pptx
bySulSya
 
Sql injection
byZidh
 
Footprinting
byDuah John
 
Wireless penetration testing
byKamlesh Dhanwani
 
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
byDirkjanMollema
 
Introduction to Offensive Security.pptx
byMaaitrayoDas
 
Web application attacks
byhruth
 
Introduction To Ethical Hacking
byRaghav Bisht
 

Viewers also liked

PPTX
Packet sniffing in switched LANs
byIshraq Al Fataftah
 
PPTX
Packet sniffers
byKunal Thakur
 
PDF
En CCNA Security v11_ch01
byAjith Pathirana
 
PPTX
Attacks
byNitin Birari
 
PDF
Module 1 introduction to Linux
byTushar B Kute
 
PPT
Presentation1
byichasalwaa
 
PDF
Multilayer Campus Architectures and Design Principles
byCisco Canada
 
PPT
Hacking Cisco Networks and Countermeasures
bydkaya
 
PPT
Debs 2011 tutorial on non functional properties of event processing
byOpher Etzion
 
PDF
Comparative Analysis of Personal Firewalls
byAndrej Šimko
 
PPTX
Access control attacks by nor liyana binti azman
byHafiza Abas
 
PPTX
Session hijacking
byVishal Punjabi
 
PDF
Installing Complex Event Processing On Linux
byOsama Mustafa
 
PPTX
Reactconf 2014 - Event Stream Processing
byAndy Piper
 
PDF
Tutorial in DEBS 2008 - Event Processing Patterns
byOpher Etzion
 
PPT
Chapter 12
bycclay3
 
PPSX
CyberLab CCEH Session - 3 Scanning Networks
byCyberLab
 
PPT
Complex Event Processing with Esper and WSO2 ESB
byPrabath Siriwardena
 
PDF
Ceh v8 labs module 03 scanning networks
byAsep Sopyan
 
PPT
Debs2009 Event Processing Languages Tutorial
byOpher Etzion
 
Packet sniffing in switched LANs
byIshraq Al Fataftah
 
Packet sniffers
byKunal Thakur
 
En CCNA Security v11_ch01
byAjith Pathirana
 
Attacks
byNitin Birari
 
Module 1 introduction to Linux
byTushar B Kute
 
Presentation1
byichasalwaa
 
Multilayer Campus Architectures and Design Principles
byCisco Canada
 
Hacking Cisco Networks and Countermeasures
bydkaya
 
Debs 2011 tutorial on non functional properties of event processing
byOpher Etzion
 
Comparative Analysis of Personal Firewalls
byAndrej Šimko
 
Access control attacks by nor liyana binti azman
byHafiza Abas
 
Session hijacking
byVishal Punjabi
 
Installing Complex Event Processing On Linux
byOsama Mustafa
 
Reactconf 2014 - Event Stream Processing
byAndy Piper
 
Tutorial in DEBS 2008 - Event Processing Patterns
byOpher Etzion
 
Chapter 12
bycclay3
 
CyberLab CCEH Session - 3 Scanning Networks
byCyberLab
 
Complex Event Processing with Esper and WSO2 ESB
byPrabath Siriwardena
 
Ceh v8 labs module 03 scanning networks
byAsep Sopyan
 
Debs2009 Event Processing Languages Tutorial
byOpher Etzion
 

Similar to Hacking Cisco

PPTX
Network security
byVenkat Karanam
 
PPT
CS10NETWOKSecurityhdhgsfdhsdheahgqergd.ppt
bymohammednisath
 
PPTX
Endpoint Security - - IP layer Attacks and Vulnerabilities
byabigailjudith8
 
PPT
Mitigating Layer2 Attacks
bydkaya
 
PPTX
packet sniffing with Wireshark and its implementation.pptx
byRohitAhuja58
 
PDF
Network security
byTelematika Open Session
 
PPTX
Attacks and Malicious Software - Information security
byMuhammadAli854909
 
PPT
Lecture7-8-Network Protocls attack in cyber.ppt
byMuhammadSaleemKhan26
 
PPTX
Lecture 7 Attacker and there tools.pptx
byAsmaaLafi1
 
PPT
How hackers attack networks
byAdeel Javaid
 
PPTX
640-554 IT Certification and Career Paths
byhibaehed
 
PPTX
Attacks and their mitigations
byMukesh Chaudhari
 
PPT
6005679.ppt
byAlmaOraevi
 
PPT
26 security2
bycongiodiqua
 
PPT
NETWORK SECURITY
byVinil Patel
 
PPTX
Network security
bymustafa aadel
 
PPT
Types Of Attack.
byGreater Noida Institute Of Technology
 
PPSX
Network security
bysyed mehdi raza
 
PPT
Security attacks
byTejaswi Potluri
 
PPT
26-security2.ppt
bysumita02
 
Network security
byVenkat Karanam
 
CS10NETWOKSecurityhdhgsfdhsdheahgqergd.ppt
bymohammednisath
 
Endpoint Security - - IP layer Attacks and Vulnerabilities
byabigailjudith8
 
Mitigating Layer2 Attacks
bydkaya
 
packet sniffing with Wireshark and its implementation.pptx
byRohitAhuja58
 
Network security
byTelematika Open Session
 
Attacks and Malicious Software - Information security
byMuhammadAli854909
 
Lecture7-8-Network Protocls attack in cyber.ppt
byMuhammadSaleemKhan26
 
Lecture 7 Attacker and there tools.pptx
byAsmaaLafi1
 
How hackers attack networks
byAdeel Javaid
 
640-554 IT Certification and Career Paths
byhibaehed
 
Attacks and their mitigations
byMukesh Chaudhari
 
6005679.ppt
byAlmaOraevi
 
26 security2
bycongiodiqua
 
NETWORK SECURITY
byVinil Patel
 
Network security
bymustafa aadel
 
Types Of Attack.
byGreater Noida Institute Of Technology
 
Network security
bysyed mehdi raza
 
Security attacks
byTejaswi Potluri
 
26-security2.ppt
bysumita02
 

Hacking Cisco

  • 1.
    Hacking Cisco Networksand Countermeasures
  • 2.
    Overview Reconnaissance AttacksPassive Sniffing Ping Sweeps Port Scans (tcp&udp) Active Attacks Password attacks Trust exploitation Port redirection External Attacks IP Spoofing DoS, DDoS Attacks Internal Attacks DHCP and ARP Attacks
  • 3.
    Reconnaissance Attacks Reconnaissancerefers to the overall act of learning information about a target network by using readily available information and applications. Reconnaissance attacks include these attacks: Packet sniffers Port scans Ping sweeps Internet information queries
  • 4.
    Packet Sniffers Apacket sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. There are packet sniffer features: Packet sniffers exploit information passed in clear text. Protocols that pass information in clear text are Telnet, FTP, SNMP, Post Office Protocol (POP), and HTTP. Packet sniffers must be on the same collision domain as the machine that they are targeting. Packet sniffers can be used legitimately or can be designed specifically for attack. Host A Host B Router A Router B
  • 5.
  • 6.
    Packet Sniffer AttackMitigation Here are some packet sniffer mitigation techniques and tools: Authentication Switched infrastructure Antisniffer tools Cryptography Host A Host B Router A Router B
  • 7.
    Port Scans andPing Sweeps Port scan and ping sweep attacks: Identify all services on the network Identify all hosts and devices on the network Identify the operating systems on the network Identify vulnerabilities on the network
  • 8.
  • 9.
  • 10.
    Blocking Ping Sweepsaccess-list 102 deny icmp any any echo access-list 102 permit ip any any interface FastEthernet0/0 ip address 10.1.1.254 255.255.255.0 ip access-group 102 in
  • 11.
    Seems like itworked but ???
  • 12.
    We give outtoo much information…
  • 13.
    To block messagesoriginating from the blocking router… access-list 103 permit icmp any any unreachable class-map match-all STOPSHARING match access-group 103! policy-map STOPSHARING class STOPSHARING drop class class-default control-plane service-policy output STOPSHARING
  • 14.
  • 15.
    But this timewe don’t share info…
  • 16.
  • 17.
  • 18.
    How to block…access-list 101 deny icmp any any unreachable access-list 101 permit ip any any interface FastEthernet0/0 ip address 10.1.1.254 255.255.255.0 ip access-group 101 out
  • 19.
    We don’t sendany unreachable messages…
  • 20.
    After Blocking everythingseems open, some obscurity for scanner…
  • 21.
    Port scans andping sweeps cannot be prevented without compromising network capabilities. Port Scan and Ping Sweep Attack Mitigation However, damage can be mitigated using IPS at the network and host levels. Workstation with HIPS Laptop with HIPS Scan Port Shared Connection IDS and IPS
  • 22.
    Internet Information QueriesSample IP address query Attackers can use Internet tools such as whois as a weapon.
  • 23.
    Access Attacks Intrudersuse access attacks on networks or systems for the these reasons: Retrieve data Gain access Escalate their access privileges Access attacks include: Password attacks Trust exploitation Port redirection
  • 24.
    Password Attacks Hackersimplement password attacks using: Brute-force attacks Trojan horse programs IP spoofing Packet sniffers
  • 25.
    Password Attack ExampleThe bgp_md5crack tool is used for cracking a secret used for RFC2385 based packet signing and authentication. It is designed for offline cracking, means to work on a sniffed, correct signed packet. This packet can either be directly sniffed of the wire or be provided in a pcap file.
  • 26.
  • 27.
  • 28.
    Trust Exploitation Ahacker leverages existing trust relationships. Several trust models exist: Microsoft Windows: Domains Active directory Linux and UNIX: NIS NIS+ System A User = psmith; Pat Smith System B is compromised by a hacker. User = psmith; Pat Smith Hacker User = psmith; Pat Smithson A hacker gains access to System A . Trust relationships: System A trusts System B. System B trusts everyone. System A trusts everyone.
  • 29.
    Port Redirection HostB Attacker Source: A Destination: B Port: 23 Compromised Host A Source: Attacker Destination: A Port: 22 Source: Attacker Destination: B Port: 23
  • 30.
    Port Redirection ConfigurationOn HOSTA we create a named pipe using the mkfifo commands: #pipe will be the name of our named pipe mkfifo pipe We then create our two way tunnel using Netcat on HOSTA: nc -lvp 25 <pipe | nc -t 10.1.2.253 23 >pipe Then telnet from Attacker machine telnet 10.1.2.1 80
  • 31.
    Here we areconnected to the internal switch…
  • 32.
    IP Spoofing IPspoofing occurs when a hacker inside or outside a network impersonates a trusted source. IP spoofing uses trusted internal IP addresses or trusted external IP addresses. Attackers use IP spoofing for many reasons: To gain root access To inject malicious data or commands into an existing data stream To divert network packets to the hacker who can then reply as a trusted user by changing the routing tables To crash servers by overloading memory (DoS) As a step in a larger attack
  • 33.
    IP Spoofing—Types ofAttack IP spoofing attacks are either: Nonblind spoofing The attacker sniffs sequence numbers (i.e., from inside the subnet of the victim). Blind spoofing The attacker calculates sequence numbers. IP spoofing can lead to these types of attacks: Man-in-the-middle attack DoS attack Distributed DoS (DDoS) attack
  • 34.
  • 35.
    Here we driverouter to reply to the other host..
  • 36.
    Man-in-the-Middle Attacks Aman-in-the-middle attack requires that the hacker has access to network packets that come across a network. A man-in-the-middle attack is implemented using the following: Network packet sniffers (nonblind attack) Routing and transport protocols (blind attack) Host A Host B Router A Router B Data in Clear Text
  • 37.
    IP Spoofing AttackMitigation The threat of IP spoofing can be reduced, but not eliminated, using these measures: Strong access control at the router ACLs on outbound interface ACLs on inbound interface Data encryption Additional authentication requirements Host A Host B Router A ISP Router B IPSec tunnel
  • 38.
    DoS Attacks ADoS attack damages or corrupts your computer system or denies you and others access to your networks, systems, or services. DoS attack techniques almost always use IP spoofing.
  • 39.
    TCP SYN FloodingDoS Attack AttackerTCP Client ------------- Client Ports 1024 – 65535 Victim TCP Server ------------- Service Ports 1–1024 80 ? SYN Packet with Spoofed Source Address TCP Client ------------- Client Ports 1024–65535 TCP Three-Way Handshake 1 SYN 2 SYN and ACK TCP Server ------------- Service Ports 1 – 1024 80 1 SYN 3 ACK 2 SYN and ACK
  • 40.
    DDoS Attacks DoSAttack DoS and DDoS attacks have these characteristics: They are not generally targeted to gain access. They aim at making a service unavailable. They require very little effort to execute. They are difficult to eliminate. DDoS Attack Attacker Victim Attack Control Mechanism Victim Zombie Zombie Zombie
  • 41.
    DDoS Example HandlerSystems Client System The client issues commands to handlers that control agents in a mass attack. The cracker looks for targets. The cracker installs software to scan, compromise, and infect agents with zombies. Agents are loaded with remote control attack software. Agent Systems
  • 42.
  • 43.
    Let’s be morecreative…
  • 44.
    We put almost1 million packets in one minute period on the wire, not so bad….
  • 45.
  • 46.
    DoS and DDoSAttack Mitigation Reduce DoS and DDoS attacks by: Protecting yourself against IP spoofing with ingress- and egress-filtering ACLs Using antivirus software to find zombie agents Using anti-DoS features on routers and firewalls ip verify unicast reverse-path interface command ACLs to filter all private Internet address space (RFC 1918) Using traffic rate limiting at the ISP level Use class-based traffic policing on ICMP packets Use SYN rate limiting
  • 47.
    Rate Limiting Whatrate limiting does: Allows network managers to set bandwidth thresholds for users and by traffic type Benefits: Prevents the deliberate or accidental flooding of the network Keeps traffic flowing smoothly Rate Limiting for Different Classes of Users Network Manager Teachers Students 2 Mbps 10 Mbps 50 Mbps Otherwise, there can be a deliberate or accidental slowdown or freezing of the network.
  • 48.
    Example: ICMP ratelimiting access-list 170 permit icmp any any Interface f0/0 rate-limit input access-group 170 128000 16000 24000 conform-action transmit exceed-action drop
  • 49.
    Spoofing the DHCPServer An attacker activates a DHCP server on a network segment. The client broadcasts a request for DHCP configuration information. The rogue DHCP server responds before the legitimate DHCP server can respond, assigning attacker-defined IP configuration information. Host packets are redirected to the attacker address as it emulates a default gateway for the erroneous DHCP address provided to the client. Client Rogue DHCP Attacker Legitimate DHCP Server
  • 50.
  • 51.
    Storm Control canbe in help… Interface fastethernet 0/1 storm-control broadcast level 10.00 8.00
  • 52.
    DHCP Snooping DHCPsnooping allows the configuration of ports as trusted or untrusted . Trusted ports can send DHCP requests and acknowledgements. Untrusted ports can forward only DHCP requests. DHCP snooping enables the switch to build a DHCP binding table that maps a client MAC address, IP address, VLAN, and port ID. Use the ip dhcp snooping command. Client Rogue DHCP Attacker Legitimate DHCP Server
  • 53.
    DHCP Snooping Configurationip dhcp snooping ip dhcp snooping vlan 20 interface FastEthernet0/13 switchport access vlan 20 ip dhcp snooping trust Switch#sh ip dhcp snooping binnding MacAddress IpAddress Lease(sec) Type VLAN Interface ------------------ --------------- ---------- ------------- ---- -------------------- 00:14:A8:96:2C:40 10.1.2.12 86371 dhcp-snooping 20 FastEthernet0/24 00:14:6A:1D:B8:00 10.1.2.13 86371 dhcp-snooping 20 FastEthernet0/23 Total number of bindings: 2
  • 54.
    ARP Spoofing: Man-in-the-MiddleAttacks 10.1.1.1 = MAC C.C.C.C ARP Table in Host A IP 10.1.1.2 MAC A.A.A.A A B 10.1.1.2 = MAC C.C.C.C ARP Table in Host B 10.1.1.1 = MAC B.B.B.B 10.1.1.2 = MAC A.A.A.A ARP Table in Host C C IP 10.1.1.3 MAC C.C.C.C 1. IP 10.1.1.2 ? MAC for 10.1.1.1 2. Legitimate ARP reply 10.1.1.1 = MAC B.B.B.B 3. Subsequent gratuitous ARP replies overwrite legitimate replies 10.1.1.1 bound to C.C.C.C 10.1.1.2 bound to C.C.C.C Attacker IP 10.1.1.1 MAC B.B.B.B A B C A = host A B = host B C = host C
  • 55.
    Mitigating Man-in-the-Middle Attackswith DAI MAC or IP Tracking Built on DHCP Snooping 10.1.1.1 DHCP Server DHCP Discovery (BCAST) DHCP Offer (UCAST) DAI provides protection against attacks such as ARP poisoning using spoofing tools such as ettercap, dsniff, and arpspoof. Track Discovery Track DHCP Offer MAC or IP Track Subsequent ARPs for MAC or IP 10.1.1.2 DAI Function:
  • 56.
    DAI in ActionA binding table containing IP-address and MAC-address associations is dynamically populated using DHCP snooping. 10.1.1.1 10.1.1.2 GARP is sent to attempt to change the IP address to MAC bindings. Gateway is 10.1.1.1 Attacker is not gateway according to this binding table I am your gateway: 10.1.1.1 10.1.1.2
  • 57.
    DAI Configuration… iparp inspection vlan 20 ip arp inspection vlan 20 logging dhcp-bindings all ip arp inspection validate src-mac
  • 58.
    Questions & Discussion? ? ? ? ? ? ? ? ? ? ? ? ? ?
  • 59.

Editor's Notes

  • #4 Mstream - http://staff.washington.edu/dittrich/misc/mstream.analysis.txt Stacheldraht - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt Trin00 - http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt TFN - http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
  • #7 AntiSniff - http://www.securitysoftwaretech.com/antisniff/ Check Promiscuous Mode (CPM) – ftp://ftp.cert.org/pub/tools/cpm IFSTATUS - ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus/ LiSt Open Files (lsof) - ftp://vic.cc.purdue.edu/pub/tools/unix/lsof Neped - http://www.attrition.org/security/newbie/security/sniffer/neped.c Promisc - http://www.attrition.org/security/newbie/security/sniffer/promisc.c SNORT - http://www.snort.org
  • #8 AntiSniff - http://www.securitysoftwaretech.com/antisniff/ Check Promiscuous Mode (CPM) – ftp://ftp.cert.org/pub/tools/cpm IFSTATUS - ftp://ftp.cerias.purdue.edu/pub/tools/unix/sysutils/ifstatus/ LiSt Open Files (lsof) - ftp://vic.cc.purdue.edu/pub/tools/unix/lsof Neped - http://www.attrition.org/security/newbie/security/sniffer/neped.c Promisc - http://www.attrition.org/security/newbie/security/sniffer/promisc.c SNORT - http://www.snort.org
  • #22 Mstream - http://staff.washington.edu/dittrich/misc/mstream.analysis.txt Stacheldraht - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt Trin00 - http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt TFN - http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
  • #24 Mstream - http://staff.washington.edu/dittrich/misc/mstream.analysis.txt Stacheldraht - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt Trin00 - http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt TFN - http://staff.washington.edu/dittrich/misc/tfn.analysis.txt
  • #29 Windows Domain Models - http://is-it-true.org/nt/atips/atips307.shtml Linux/UNIX Trusts - http://nim.cit.cornell.edu/usr/share/man/info/en_US/a_doc_lib/files/aixfiles/hosts.equiv.htm
  • #30 Allows traffic entering a compromised machine on a particular port (that is, TCP/22-SSH) to be redirected to a different machine on a different port (TCP/23-Telnet) Allows an attacker to exploit trust relationships to circumvent the firewall for all hosts once he controls one host. Root kit based install allows the redirection process, files, and connections to be hidden.
  • #38 IP Spoofing – an attacker sends a message to a target host with an IP address indicating that the message is coming from a trusted host. The attacker must know the IP address of a trusted host in order to modify the packet headers so that it appears that the packets are coming from that host. TCP Session Hijacking – an attacker sniffs for packets being sent from a client to a server in order to identify the two hosts&apos; IP addresses and relative port numbers. Using this information an attacker modifies his packet headers to spoof TCP/IP packets from the client. The attacker then waits to receive an ACK packet from the client communicating with the server (which contains the sequence number of the next packet the client is expecting). The attacker replies to the client using a modified packet with the source address of the server and the destination address of the client. This results in a RST which disconnects the legitimate client. The attacker takes over communications with the server spoofing the expected sequence number from the ACK that was previously sent from the legitimate client to the server. IP Fragmentation – Firewalls that support stateful inspection of established connections analyze packets to see if they are being received in the proper sequence. In the case of IP fragments, the firewall attempts to reassemble all fragments prior to forwarding them on to the final destination. If an attacker sends repeated incomplete or out-of-order fragmented packets to the firewall it will log and wait for all remaining fragments to be received before handling the connection. As a result, system resources are exhausted due to logging and the firewall is subject to a denial of service. Also, some Intrusion Detection Systems (IDS) do not handle IP fragmentation, Out-of-Order fragmentation, TCP segment overlap, and Out-of-Order TCP segments properly; which results in packets slipping through because the IDS failed to alarm!!!
  • #39 Mstream - http://staff.washington.edu/dittrich/misc/mstream.analysis.txt Stacheldraht - http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt Trin00 - http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt TFN - http://staff.washington.edu/dittrich/misc/tfn.analysis.txt