Sniffing
The most frequent exploit is simple sniffing of network traffic. When some military and Internet sites were invaded in 1994, it was because users were sending passwords in the clear across untrusted networks. Poorly configured gateways or publicly visible servers would first be compromised by using a buffer overflow attack against an available network application or by guessing passwords. After a normal user account was hacked on the system, a root program vulnerability would give the intruder full access. Sometimes, the vulnerability required a carefully designed buffer overflow attack, but often privileged programs were buggy enough to allow nonprivileged users to execute any arbitrary command.
When full control was available, the attacker would plant Trojan Horse programs to hide any evidence. This plant would be followed by installing a network sniffer program for capturing other passwords as users would authenticate to or from remote connections.
Address Impersonation
Identity in IP is based on the 32-bit source node network address. No authentication is provided in IP for these network addresses. A physical computer might have more than one network adapter installed, and as such, this system will have multiple IP addresses (one for each adapter). On multiuser systems, only a privileged user can change the IP addresses defined for the adapters. The operating system also provides programming interfaces that can be used to talk directly to the IP layer. However, only privileged users are allowed to create IP packets and place them directly on the IP stack for delivery.
If you have a personal computer or you are the superuser on a system, you can directly place packets on the IP layer. This means that you can set the source IP address field in the packet to any value you desire. The ability to spoof or impersonate IP addresses is one of the greatest threats to network communications. You do not need to be a network programmer to accomplish impersonation. Tools are readily available on the Internet for you to create arbitrary IP packets and send them out across the Internet.
Impersonation Attacks
What kinds of mischief can you create if you can spoof IP addresses? The answers range from moderately annoying to very serious.
Single Message Attacks
Because any user with a PC can send out an arbitrary IP packet, some denial-of-service attacks are launched by sending only a single packet. The attacker does not need to worry about receiving or handling responses from other nodes.
An old phone trick entails calling successive pizza delivery services and ordering pizzas to be delivered to another person. This attack is an example of impersonating the destination address. Caller ID, callbacks, and customer log records appear in the arsenals of restaurants today to prevent this prank. However, in the days when it did succeed, this trick was nasty.
A similar attack increased in frequency on the Internet in early January, 1998. The older version of the attack was launched by faking a source address and sending numerous ICMP packets to different destination addresses. The common ICMP message to send is Echo Request, implemented at the application layer by the ping program. ICMP Echo Request and ping are patterned after radar. A probe is sent out on the network to test the existence of a particular node by specifying a destination address. If you have access to the ping source code, it is easy to enhance it to cycle through several destination addresses or to ask for a source address. The result is an annoying hacker tool. The node that receives the Echo Request sends an ICMP Echo Reply to the source address that appears in the packet. Instead of getting a few dozen pizzas at the spoofed door, the victim of the attack receives the electronic equivalent: thousands of Echo Reply messages.
The denial-of-service threat caused by this prank reached a new level on the Internet when the ICMP Echo was sent with a broadcast address for the destination. The source address was spoofed as before. To flood a site with network traffic, send ICMP Echo to address 9.8.255.255. The gateway at subnet 9.8 would forward the request to subnets in its network and essentially to every node at the site. The poor node whose address had been impersonated would receive Echo Reply messages from many nodes and probably be unable to perform any useful functions. The network on which this source node was sitting also would experience performance degradation. Also, each of the networks receiving the Echo Request would be congested as all of the nodes tried to send Echo Reply messages. Quite a big mess can be created with relatively few messages. The defenses against this threat require configuration changes in the router or firewall gateway connecting the networks to the Internet. Blocking inbound ICMP requests at the firewall or router, particularly broadcast requests, will help defend against this problem.
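As an added example (not code from the book), here are the three checks a gateway operator can run over their own packet records to catch the abuses described above: ingress filtering for packets that impersonate a site address, detection of Echo Requests aimed at a directed broadcast address, and detection of the site being used as an amplifier against a spoofed victim. The 9.8.0.0/16 site network, the interface names and the sample packet records are constructed assumptions.

```python
import ipaddress

# Site network assumed to be 9.8.0.0/16 (the address block used in the text).
SITE_NET = ipaddress.ip_network("9.8.0.0/16")

# Constructed sample of gateway packet records:
# (interface the packet arrived on, src, dst, protocol, ICMP type or None).
SAMPLE_PACKETS = [
    ("ext", "203.0.113.7", "9.8.1.10", "tcp", None),    # ordinary inbound traffic
    ("ext", "9.8.1.20", "9.8.1.10", "icmp", 8),         # "internal" source arriving from outside
    ("ext", "198.51.100.5", "9.8.255.255", "icmp", 8),  # Echo Request to the site broadcast
    ("int", "9.8.1.10", "203.0.113.7", "tcp", None),    # ordinary outbound traffic
] + [  # 87 site hosts answering the broadcast with Echo Reply to the spoofed source
    ("int", f"9.8.{i}.{j}", "198.51.100.5", "icmp", 0) for i in range(1, 4) for j in range(1, 30)
]

def is_spoofed_ingress(pkt):
    """Ingress filter: a packet on the external interface cannot legitimately carry a site source."""
    iface, src, _dst, _proto, _icmp = pkt
    return iface == "ext" and ipaddress.ip_address(src) in SITE_NET

def is_broadcast_echo_request(pkt):
    """Inbound ICMP Echo Request (type 8) aimed at the site broadcast or a /24 subnet broadcast."""
    iface, _src, dst, proto, icmp = pkt
    addr = ipaddress.ip_address(dst)
    # Subnets are assumed to be /24, so a last octet of 255 marks a subnet broadcast.
    directed_bcast = addr == SITE_NET.broadcast_address or (addr in SITE_NET and int(addr) & 0xFF == 0xFF)
    return iface == "ext" and proto == "icmp" and icmp == 8 and directed_bcast

def amplification_targets(packets, threshold=50):
    """Outside addresses receiving Echo Reply (type 0) from at least `threshold` distinct site hosts."""
    repliers = {}
    for iface, src, dst, proto, icmp in packets:
        if iface == "int" and proto == "icmp" and icmp == 0:
            repliers.setdefault(dst, set()).add(src)
    return {dst: len(s) for dst, s in repliers.items() if len(s) >= threshold}

def audit(packets):
    """Return the three findings a gateway operator would act on."""
    return {
        "spoofed_ingress": [p for p in packets if is_spoofed_ingress(p)],
        "broadcast_echo": [p for p in packets if is_broadcast_echo_request(p)],
        "amplified": amplification_targets(packets),
    }

if __name__ == "__main__":
    for finding, hits in audit(SAMPLE_PACKETS).items():
        print(finding, hits if isinstance(hits, dict) else len(hits))
```

The first two findings correspond to filter rules a router or firewall can enforce directly; the third is what the site's own outbound traffic looks like while it is being used against someone else.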
Other ICMP messages are sent for flow control of a session, and these also can deny network services to network users. Single message attacks are not limited to ICMP, though.
The Internet and other IP networks are heavily dependent on other service protocols for routing, name resolution (DNS), and gateway configuration changes. Each of these services is provided on the Internet by many dedicated machines that exchange information for keeping the Internet available. Some of these protocols were originally designed to accept unidirectional messages for push updates of information such as routing tables. An attacker could inject a network packet instructing one of these nodes to modify a table entry to assist with future hacking. For example, a packet could tell a DNS nameserver to use the hacker's network address instead of the true authentication server. Passwords could be stolen for future use if this were to happen. The attack succeeds because early versions of these service protocols relied exclusively on address-based authentication.
Today, more secure versions of these network services employ cryptographic techniques for authentication. Careful configuration of controlled networks, including routers and firewalls, also helps protect these sensitive public nodes from frequent attacks.