1 CYBER ATTACKS EXPLAINED: PACKET CRAFTING Protect your FOSS-based IT infrastructure from packet crafting by learning more about it. In the previous articles in this series, we explored common infrastructure vulnerability exploitation scenarios. This article takes a step forward to describe a technically advanced attack that could badly impact networks because it is tough to detect. Packet crafting is a commonly used and yet complex method to exploit vulnerabilities and, hence, it is important for network administrators to know more about it, and also to understand the various ways to protect their infrastructure against it. We will also look at how to protect FOSS-based systems from a packet crafting attack. What is packet crafting? Crafting, by definition, means to make or create something skillfully. As we know, all the vulnerability assessment tools used by network administrators to test the security of their networks are both a blessing and a curse. This is because the same set of tools can also be used by evil hackers to find vulnerabilities and then exploit those to their benefit. Packet crafting, too, is not an exception to this rule, and since
2 it is a technically advanced yet complex type of vulnerability exploitation, it is difficult to detect and diagnose. Let s look at a TCP packet and its fields in detail, in order to understand a packet crafting attack better. Refer to Figure 1, which shows a basic Ethernet packet as well as the TCPIP packet frame that rides on top of it. Figure 1: A basic Ethernet and TCPIP packet The Ethernet frame contains multiple fields that typically take care of Layer-2 communication, whereas the TCP and IP packet chunks carry data fields for the upper layers. The TCP part of the packet ensures a successful transport, while the IP packet contains source and destination addresses and ports. As mentioned in the previous articles of this series, we are aware that the TCP/IP communication comprises a three-way handshake (SYN, SYN-ACK, ACK), which sets up a communication channel between two network interface cards. The data flows between them through this channel, and it is terminated by using a FIN/FIN- ACK handshake. Earlier articles also covered the fact that each of these packet fields can be modified by attackers for their benefit. The source and destination IP address or ports are very commonly attacked fields in the denial of service and spoofing
3 attacks, as well as in network penetrations. Here, it is important to understand that it s not just these fields that could be modified, but in fact, each and every flag and field in a TCP frame and the underlying Ethernet frame can be modified or altered all for the purpose of network penetration. Please note that packet crafting and packet spoofing are often mistakenly assumed to be the same technique; however, they are very different from the impact standpoint. Spoofing is used by attackers to hide their identities and presence on the network. Spoofing is primarily used to gain network information such as open ports, running services, active hosts, etc., during which time the target host fails to trace the attacker. On the other hand, packet crafting takes a step further by trying to test the presence, functionality or the accuracy of target network s firewall rules, and intrusion detection systems. Packet crafting requires in-depth knowledge of TCP packets and how they work, and is more of a manually orchestrated attack than a programmatic one. This makes it a technically advanced way of trying to hack into networks. Packet crafting in action Packet crafting is a task that is methodically carried out to penetrate into a network s infrastructure. Please refer to Figure 2, which shows the four distinct steps involved in the packet crafting attack.
4 Figure 2: The steps involved in packet crafting Let s understand each of these steps a bit more in detail. Packet assembly This is the first step in the crafting process, wherein an attacker decides which network needs to be cracked, tries to gather possible vulnerability information and creates or fabricates the packets to be sent. This packet is then checked for accuracy, especially to ensure that the attack is as invisible on the network as possible, to go undetected. For example, the packet being created can have a spoofed source address and a dummy TCP sequence number. The assembly of a packet need not be done from scratch; a packet going over the wire can be captured and its contents can be modified to serve the hacking purpose. Packet editing In this step, usually a dry run on the assembled packet is tested and based on the results gathered, and the packet is tuned up or corrected before moving to the next step. In the editing phase, the focus is usually to gather the maximum amount of information by injecting the minimum number of packets into the network.
5 For example, to test how a firewall responds to malformed packets, a simple packet with a false source IP address and with ACK field bit set can be created. In ideal situations, the firewall should drop such a packet. Packet playing Once the correct packet or a stream of packets is created, packet playing sends it onto the network, and collects the resultant packets to perform further analysis and corelation. This is when an actual attack is performed. If the expected outcome is not achieved, hackers go back to the editing phase to change the attack scenario. Packet analysing In this process, the packet streams are gathered to decode the presented response by the target network. Attackers may use simple packet sniffing tools for this purpose, or can capture the packet streams in the form of a log file and analyse it. This step either provides evidence to the hackers that they were successful in penetration, or at least gives them enough inputs to tune up the attack, or change their methods. Packet crafting techniques As seen above, the whole idea behind packet crafting is to try to simulate an attack, thus learning the behaviour of various network devices in order to gain knowledge about the vulnerabilities. Crafting is typically used to invade into firewalls and intrusion detection devices, but can also be used to attack Web servers and other application gateways. Now let s discuss a few common packet crafting techniques. Ping fragmentation In this type, instead of a standard ICMP ping packet, a malformed ping packet is created with more than 65,535 bytes, which is the maximum allowed in a packet. This results in the destination system responding with an echo reply, which also consumes a larger packet frame and thus eventually results in a denial of service attack. One technique also sets an ACK flag in the packet, confusing the destination service, while in another type of attack, instead of a larger frame, a variable number of bytes are sent to overwhelm the system. Packet flag manipulation
6 As we discussed before, there are multiple fields in the TCP datagram. One of the fields contains flags or bits, which could be set programmatically. For example, a SYN flag can be set and the packet can be sent over the wire to a destination to establish a valid TCP communication. This would be a healthy way of initiating a TCP handshake; however, it can be exploited by sending a RST or FIN packet, which can confuse the destination system. Older firewalls are known to be susceptible to FIN attacks, because they cannot properly differentiate between a valid packet and a bogus FIN packet. In another variety, a malformed SYN-ACK packet or ACK packet can cause a similar effect. Packet duplication Here, attackers capture a series of packets and simply resend it over the network. This causes confusion at the destination system, which assumes that the previous session was not properly answered or terminated. A typical example of this attack is when a duplicate ACK or FIN packet is sent without modifying any other content of the packet frame. This method is commonly used in a denial of service attack. Protocol manipulation This is mainly used to test firewall vulnerabilities. Here the TCP and UDP flags are both set in a packet to confuse the firewall rule set. If the firewall is one of the latest, it can identify such a packet as a malformed one and will simply drop it. However, for legacy firewalls, if there are multiple rules set to handle TCP and UDP packets, both rules get executed causing an erroneous effect, which can lead to the firewall shutting down. Another way is to not set the TCP or UDP flag at all this tricks the switch devices managed by Layer 3. Half open packets In this method, attackers initiate a connection with a target host using a SYN packet. The target sends Syn-ACK; however, the hackers do not respond to it, and instead create a spoofed packet by changing the source IP and sending another SYN packet. This process continues, till the target host exhausts its resources, thus becoming a denial of service victim. Protecting FOSS systems
7 As mentioned earlier, the packet crafting attack is a tough one to tackle. Despite this, there are ways to protect FOSS networks. The simple and correct method is to use packet crafting tools themselves, to test the infrastructure. The first step is to understand the network, and create security testing scenarios to test critical security components such as firewalls, routers, IDS systems, etc. Tools such as Hping and TCPReplay could be used to fabricate packets and send them to gather statistics and logs. A packet sniffer and analyser such as Wireshark can be used for this purpose. Firewalls and IDS systems built on FOSS technology should be tested on Layer-2 through to Layer-7. Performing such tests at regular intervals and staying up-to-date with the intrusion detection vulnerability signatures is the appropriate way to be protected. To protect FOSS Web servers, the latest Layer-7 content filtering firewall that is capable of performing a stateful packet inspection, and which is equipped to detect and shun a denial of service attack, should be implemented. Linux distros lack a strong built-in security module to fight against packet crafting attacks. Hence, a properly designed perimeter defence system should be deployed to protect the infrastructure. Packet crafting is a good way to audit your network; however, it can be used by evil hackers to penetrate into a network, by exploiting vulnerabilities. Configure firewalls, switches and routers properly to prevent networks from crafting attacks. Packet crafting attacks typically can happen from outside the firm s local area network, which demands a carefully designed perimeter defence security system for network infrastructure.
Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics Mark Handley and Vern Paxson AT&T Center for Internet Research at ICSI (ACIRI) International Computer Science
WHITE PAPER SAFE: A Security Blueprint for Enterprise Networks Authors Sean Convery (CCIE #4232) and Bernie Trudel (CCIE #1884) are the authors of this White Paper. Sean is the lead architect for the reference
A Tutorial on Network Security: Attacks and Controls Natarajan Meghanathan Associate Professor of Computer Science Jackson State University Jackson, MS 39217, USA Phone: 1-601-979-3661; Fax: 1-601-979-2478
Executive summary Cyber security has become a vital part of conducting business in today s world. The threats to organisations and individuals are real. Industrial Control Systems (ICSs) were originally
60 CERT Exercises Handbook 7. Exercise: Network Forensic Main Objective Targeted Audience Total Duration The objective of the exercise is to familiarize students with standard network monitoring tools,
1 DDoS Attack and Defense: Review of Some Traditional and Current Techniques Muhammad Aamir and Mustafa Ali Zaidi SZABIST, Karachi, Pakistan Abstract Distributed Denial of Service (DDoS) attacks exhaust
Report Number: I332-016R-2005 Security Guidance for Deploying IP Telephony Systems Systems and Network Attack Center (SNAC) Released: 14 February 2006 Version 1.01 SNAC.Guides@nsa.gov ii This Page Intentionally
3 Stateful Firewalls THE FOCUS OF THIS CHAPTER IS ON STATEFUL firewalls, a type of firewall that attempts to track the state of network connections when filtering packets.the stateful firewall s capabilities
Defeating Windows Personal Firewalls: Filtering Methodologies, Attacks, and Defenses Chris Ries Security Research Analyst VigilantMinds Inc. 4736 Penn Avenue Pittsburgh, PA 15224 email@example.com
WIRELESS NETWORKING SECURITY Dec 2010 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without
95 95 9. Exercise: Large Scale Incident Handling Main Objective Targeted Audience Total Duration Time Schedule The main objective of the exercise is to teach incident handlers the key information and actions
Defense Readiness Strategies Security Audit Security audits measure an information system s performance against a list of criteria. Vulnerability Assessment A vulnerability assessment involves a comprehensive
Security Issues in Mobile Ad Hoc Networks - A Survey Wenjia Li and Anupam Joshi Department of Computer Science and Electrical Engineering University of Maryland, Baltimore County Abstract In this paper,
SYMANTEC ADVANCED THREAT RESEARCH The Teredo Protocol: Tunneling Past Network Security and Other Security Implications Dr. James Hoagland Principal Security Researcher Symantec Advanced Threat Research
LOAD BALANCING FOR HIGH-SPEED PARALLEL NETWORK INTRUSION DETECTION A Thesis Submitted to the Graduate School of the University of Notre Dame in Partial Fulfillment of the Requirements for the Degree of
9854_C034.qxd 7/1/2004 6:05 PM Page 1 34 Network Security and Secure Applications Christopher Kruegel University of California 34.1 Introduction...34-1 34.2 Security Attacks and Security Properties...34-2
INTRODUCING THE WATCHGUARD INTELLIGENT LAYERED SECURITY ARCHITECTURE: BETTER SECURITY FOR THE GROWING ENTERPRISE NOVEMBER 2005 WHY INTELLIGENT LAYERED SECURITY? The security landscape grows more complex
Barracuda Load Balancer Administrator s Guide Version 2.3 Barracuda Networks Inc. 3175 S. Winchester Blvd. Campbell, CA 95008 http://www.barracuda.com Copyright Notice Copyright 2004-2008, Barracuda Networks
Multi-Layered VoIP Security A DefensePro White Paper - Avi Chesla, VP Security Table of Content Abstract...3 What is VoIP...3 VoIP Protocols...4 VoIP Architecture...4 The VoIP Market & Standards...6 The
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
ANALYSIS OF PORT KNOCKING MECHANISM A MASTER S THESIS in Computer Engineering Atılım University by MEHMET ÜLKEM DEMİRCİOĞLU January 2009 ANALYSIS OF PORT KNOCKING MECHANISM A THESIS SUBMITTED TO THE GRADUATE
Bachelor s Thesis (UAS) Degree Program In Information Technology Specialization: Internet Technology 2012 SULAIMON ADENIJI ADEBAYO NETWORK SECURITY BACHELOR S THESIS ABSTRACT TURKU UNIVERSITY OF APPLIED
Computer Fraud & Security, May 2007 page 1/10 From Network Security To Content Filtering Network security has evolved dramatically in the last few years not only for what concerns the tools at our disposals
Network Monitoring Based on IP Data Flows Best Practice Document Produced by CESNET led working group on Network monitoring (CBPD131) Authors: Martin Žádník March 2010 TERENA 2010. All rights reserved.
Mobile Networks and Applications? (2003) 1 16 1 Intrusion Detection Techniques for Mobile Wireless Networks Yongguang Zhang HRL Laboratories LLC, Malibu, California E-mail: firstname.lastname@example.org Wenke Lee College