Table of Contents
Advertisement
Router Advertisement
Router Solicit
Smurf
Snork
TCP Bad Sequence
TCP FIN Scan
In this attack, the attacker uses ICMP to redirect the network router function to some other
host. If that host can not provide router services, a DoS of network communications occurs
as routing stops. This can also be modified to single out a specific system, so that only that
system is subject to attack (because only that system sees the 'false' router). By providing
router services from a compromised host, the attacker can also place themselves in a man-
in-the-middle situation and take control of any open channel at will (as mentioned earlier,
this is often used with TCP packet forgery and spoofing to intercept and change open
TELNET sessions).
The ICMP Router Solicitation scan is used to actively find routers on a network. Of course,
a hacker could set up a protocol analyzer to detect routers as they broadcast routing
information on the network. In some instances, however, routers may not send updates. For
example, if the local network does not have other routers, the router may be configured to
not send routing information packets onto the local network.
ICMP offers a method for router discovery. Clients send ICMP router solicitation multicasts
onto the network, and routers must respond (as defined in RFC 1122).
By sending ICMP Router Solicitation packets (ICMP type 9) on the network and listening for
ICMP Router Discovery replies (ICMP type 10), hackers can build a list of all of the routers
that exist on a network segment. Hackers often use this scan to locate routers that do not
reply to ICMP echo requests.
The Smurf DoS Attack sends ICMP echo requests to a list of broadcast addresses in a row,
and then repeats the requests, thus flooding the network.
The Snork DoS attack uses UDP packet broadcasts to consume network and system
resources.
Enables a TCP Bad Sequence denial of service check in the firewall.
Hackers use the TCP FIN scan to identify listening TCP port numbers based on how the
target device reacts to a transaction close request for a TCP port (even though no
connection may exist before these close requests are made). This type of scan can get
through basic firewalls and boundary routers that filter on incoming TCP packets with the
Finish (FIN) and ACK flag combination. The TCP packets used in this scan include only the
TCP FIN flag setting.
If the target device's TCP port is closed, the target device sends a TCP RST packet in reply.
If the target device's TCP port is open, the target device discards the FIN and sends no reply.
Security Configuration
8 - 5
Hide quick links:
Advertisement
Table of Contents
