Chapter3_2 Flashcards

1
Q

We are now in the network layer (IP, BGP, RIP); we are looking at the vulnerabilities

A

True

2
Q

IP Function

A

IP is used for routing:
- IP host knows location of router (gateway)
- IP gateway must know route to other networks

3
Q

Vulnerability in IP

A

No source IP authentication implies it is easy to override using raw sockets
- Libnet: a library for formatting raw packets with arbitrary IP headers

4
Q

Attack using IP

A

Anyone who owns their machine can send packets with arbitrary source IP (IP spoofing)
- … response will be sent back to the forged source IP

This can lead to anonymous DoS attacks

5
Q

What happens in IP fragmentation

A

Routers divide an IP datagram into several smaller fragments based on Maximum Transmission Unit

6
Q

Fragment uses same header format as

A

datagram

7
Q

Each fragment is routed

A

independently

8
Q

All the IP fragments of a datagram will be assembled

A

before the datagram is delivered to the layers above

9
Q

Where IP fragments are assembled

A

At the destination.

10
Q

Why IP reassembly uses a timer

A

IP reassembly uses a timer. If timer expires and there are still missing fragments, all the fragments will be discarded.

11
Q

IP Fragmentation Vulnerabilities

A

- IP of source is not authenticated
- Nothing in the IP header is checked for authenticity
- Only checking done is on the checksum

12
Q

Vulnerability: IP Fragmentation Attack: “Ping of death”

A

Someone discovered that many operating systems, routers, etc. can be crashed/rebooted by sending a single malformed packet
- It turns out that sending an IP packet larger than 65,535 bytes would crash the system

It allows sending a packet bigger than what IP allows, which blows up most fixed-buffer-size implementations (buffer overflow attack)

13
Q

“Ping of death” Defense:

A

patch the implementations

14
Q

IP Fragmentation Attacks: Denial of Service Attack

A

- 1st fragment: offset = 0
- 2nd fragment: offset = 64800
- Result: The target machine will allocate 64 kilobytes of memory, which is typically held for 15 to 255 seconds. Windows 2000, XP, and almost all versions of Unix are vulnerable.

15
Q

IP Fragmentation Attacks: TearDrop

A

Send a packet with:
- offset = 0
- payload size N
- More Fragments bit on
Second packet:
- More Fragments bit off
- offset + payload size < N
- i.e., the 2nd fragment fits entirely inside the first one.
When the OS tries to put these two fragments together, it crashes.

16
Q

IP Fragmentation Attacks: Overlapping Attacks Against Firewalls

A

If the fragment size is made small enough to force some of a TCP packet’s TCP header fields into the second fragment, filter rules that specify patterns for those fields will not match.
- If the filtering implementation does not enforce a minimum fragment size, a disallowed packet might be passed because it didn’t hit a match in the filter.

17
Q

IP Spoofing Attack

A

Any host can send packets pretending to be from any IP address

18
Q

Egress (outgoing) Filtering

A

Remove packets that couldn’t be coming from your network; however, it doesn’t benefit you directly, so few people do it.

19
Q

Ingress (incoming) Filtering:

A

Remove packets from invalid (e.g. local) addresses.

20
Q

IP Spoofing

A

- Victim attempts to reply to the spoofed address through the router
- Since the attacker is on the same LAN, he can see the response and reply again
- This needs to be done faster than the router returning “ICMP Unreachable”

21
Q

ICMP: Internet Control Message Protocol

A

ICMP is a special-purpose protocol:
- Defines error or control messages that can be sent to/by routers or hosts
  • Unreachable host, network, protocol, etc.
  • Time-to-live counter expiry

22
Q

ICMP: Vulnerabilities

The Internet Control Message Protocol is a supporting protocol in the Internet protocol suite. It is used to send error messages and operational information

A

- Mapping Network Topology
- Smurf Attack
- Ping of Death
- ICMP Redirect Attack

23
Q

ICMP: Mapping Network Topology

A

Sending ICMP echo requests to a network in order to discover the target network.

24
Q

ICMP: Smurf Attack

A

- Ping a broadcast address, with the (spoofed) IP of a victim as source address
- All hosts on the network respond to the victim
- The victim is overwhelmed

25
Q

ICMP Redirect Attack

A

- Ask a host to send its packets to the target “router”.
- Useful for man-in-the-middle attacks
- Winfreeze attack: essentially causes a susceptible host to attack itself
  • ICMP Redirect using the router’s spoofed IP: YOU are the quickest link to host Z
  • Host changes its routing table for Z to itself
  • Host sends packets to itself in an infinite loop

27
Q

IP Routing: Vulnerabilities

A

- Common attack: Routing manipulation
  • Advertise false routes (can propagate everywhere)
  • Causes traffic to go through compromised hosts
  • E.g., attacking BGP routing tables: attacker can cause the entire Internet to send traffic for a victim IP to the attacker’s address
- Implications:
  • Path manipulation
  • Denial of service (link cutting attack)
  • Connection hijacking
- Defense:
  • Authenticate data, but this causes a problem: inefficiency (complexity, overhead, etc.)

28
Q

Routing Attacks: Source routing

A

- Source of the packet specifies a particular route: It is an IP option which allows the originator of a packet to specify what path that packet will take, and what path return packets sent back to the originator will take.
  • For example, because the automatic route is dead
- Attacker can spoof the source IP address and use source routing to direct the response through a compromised host
- Use source routing to access a non-routable IP via a gateway
- Solution: reject packets with source routing!
  • More heavy-duty: allow source route only via trusted gateways
- Routing Information Protocol (RIP)
- Use bogus routing updates to intercept traffic
  • RIP implicitly assumes that routers are trusted
- “Black hole” attacks and many others

29
Q

BGP Issues

A

- BGP convergence problems
  • Protocol allows policy flexibility
  • Some legal policies prevent convergence
  • Even shortest-path policy converges slowly
- Incentive for dishonesty
  • ISP pays for some routes, others free
- Security problems
  • Potential for disruptive attacks

30
Q

Wormhole Attack on BGP

A

- Multiple colluding malicious BGP routers exchange BGP update messages over a tunneled connection
- Routers can claim better paths than actually exist

31
Q

BGP Attacks: Blackholing

A

Occurs when a prefix is unreachable from a large portion of the Internet.
- False route advertisements that aim to attract traffic to a particular router and then drop it.
- Redirection occurs when traffic flowing to a particular network is forced to take a different path and to reach an incorrect, potentially also compromised, destination.

32
Q

BGP Attacks: Subversion

A

Subversion is a special case of redirection
- Attacker forces the traffic to pass through a certain link with the objective of eavesdropping on or modifying the data.
- Traffic is still forwarded to the correct destination, making the attack more difficult to detect.

33
Q

Protecting BGP

A

Simple authentication of packet sources and packet integrity is not enough