In my previous article, I have talked about some of the facts that you need to know about network security. This article talks about some of the facts that you need to know about IP Vulnerabilities in Networking. Follow me as we are going to look at that in this article.
There are different types of attacks that target IP. The table lists some of the more common IP-related attacks.
IP Attacks
Description
ICMP attacks
Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and alter host routing tables.
Denial-of-Service (DoS) attacks
Threat actors attempt to prevent legitimate users from accessing information or services.
Distributed Denial-of-Service (DDoS) attacks
Similar to a DoS attack, but features a simultaneous, coordinated attack from multiple source machines.
Address spoofing attacks
Threat actors spoof the source IP address in an attempt to perform blind spoofing or non-blind spoofing.
Man-in-the-middle attack (MiTM)
Threat actors position themselves between a source and destination to transparently monitor, capture and control the communication. They could simply eavesdrop by inspecting captured packets or alter packets and forward them to their original destination.
Session hijacking
Threat actors gain access to the physical network, and then use a MiTM attack to hijack a session.
ICMP Attacks
ICMP was developed to carry diagnostic messages and to report error conditions when routes, hosts, and ports are unavailable. ICMP messages are generated by devices when a network error or outage occurs.
The ping command is a user-generated ICMP message, called an echo request, that is used to verify connectivity to a destination. Threat actors use ICMP for reconnaissance and scanning attacks. This enables them to launch information-gathering attacks to map out a network topology, discover which hosts are active (reachable), identify the host operating system (OS fingerprinting), and determine the state of a firewall.
Threat actors also use ICMP for DoS and DDoS attacks, as shown in the ICMP flood attack in the figure.
The figure shows an attacker and PC on the left and a PC labelled victim on the right. The attacker sends an ICMP echo request (spoofed). The victim computer replies with an ICMP echo reply. A question mark is shown under the attacker. The attacker sends an ICMP echo request (spoofed) again. The victim computer sends another ICMP echo reply with a question mark under the attacker. The attackers send another ICMP echo request (spoofed) to the victim’s computer and the victim’s computer responds with an ICMP echo reply. There is the same question mark under the attacker icon.
ICMP Flood
Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks. The table lists common ICMP messages of interest to threat actors.
ICMP Message
Description
ICMP echo request and echo reply
This is used to perform host verification and DoS attacks.
ICMP unreachable
This is used to perform network reconnaissance and scanning attacks.
ICMP mask reply
This is used to map an internal IP network.
ICMP redirects
This is used to lure a target host into sending all traffic through a compromised device and create a MiTM attack.
ICMP router discovery
This is used to inject bogus route entries into the routing table of a target host.
Networks should have strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet. Security analysts should be able to detect ICMP-related attacks by looking at captured traffic and log files.
In the case of large networks, security devices, such as firewalls and intrusion detection systems (IDS), should detect such attacks and generate alerts to the security analysts.
Amplification and Reflection Attacks
Threat actors often use amplification and reflection techniques to create DoS attacks. The example in the figure illustrates how an amplification and reflection technique called a Smurf attack is used to overwhelm a target host.
Amplification – The threat actor forwards ICMP echo request messages to many hosts. These messages contain the source IP address of the victim.
Reflection – These hosts all reply to the spoofed IP address of the victim to overwhelm it.
Note: Newer forms of amplification and reflection attacks such as DNS-based reflection and amplification attacks and Network Time Protocol (NTP) amplification attacks are now being used. Threat actors also use resource exhaustion attacks. These attacks consume the resources of a target host to either crash it or consume the resources of a network.
Address Spoofing Attacks
IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender or to pose as another legitimate user. The threat actor can then gain access to otherwise inaccessible data or circumvent security configurations. Spoofing is usually incorporated into another attack such as a Smurf attack. Spoofing attacks can be non-blind or blind:
Non-blind spoofing – The threat actor can see the traffic that is being sent between the host and the target. The threat actor uses non-blind spoofing to inspect the reply packet from the target victim. Non-blind spoofing determines the state of a firewall and sequence-number prediction. It can also hijack an authorized session.
Blind spoofing – The threat actor cannot see the traffic that is being sent between the host and the target. Blind spoofing is used in DoS attacks.
MAC address spoofing attacks are used when threat actors have access to the internal network. Threat actors alter the MAC address of their host to match another known MAC address of a target host, as shown in the figure. The attacking host then sends a frame throughout the network with the newly-configured MAC address. When the switch receives the frame, it examines the source MAC address.
A server and a threat actor are connected to the same switch. The server has a MAC address of AABBCC and is connected to port 1. The threat actor is connected to port 2 and has a spoofed MAC address of AABBCC. A callout from the threat actor reads: I have changed the MAC address on my computer to match the server. A diagram above the switch indicates that it has mapped AABBCC to port 1. Port 2 does not have a mapping.
Threat Actor Spoofs a Server’s MAC Address
The switch overwrites the current CAM table entry and assigns the MAC address to the new port, as shown in the figure. It then forwards frames destined for the target host to the attacking host.
A server and a threat actor are connected to the same switch. The server has a MAC address of AABBCC and is connected to port 1. The threat actor is connected to port 2 and has a spoofed MAC address of AABBCC. A callout below the switch reads:
The device with MAC address AABBCC has moved to Port 2. I must adjust my MAC address table accordingly. A diagram above the switch indicates that it has mapped AABBCC to port 2. Port 1 does not have a mapping.
Action Point PS: If you would like to have an online course on any of the courses that you found on this blog, I will be glad to do that on an individual and corporate level, I will be very glad to do that I have trained several individuals and groups and they are doing well in their various fields of endeavour. Some of those that I have trained includes staffs of Dangote Refinery, FCMB, Zenith Bank, New Horizons Nigeria among others. Please come on Whatsapp and let’s talk about your training. You can reach me on Whatsapp HERE. Please note that I will be using Microsoft Team to facilitate the training.
I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you can drop your comment. Thanks in anticipation.
CRMNUGGETS is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.
Adeniyi Salau is a highly dedicated and committed Blogger of repute. He likes sharing his IT knowledge with others. My desire is to impact as many lives as possible with my IT skills. You can download my mobile APP. Download the ICTLOAD APP on Google Playstore. Thanks.
Leave a Reply