Device Evasions
This is the last installment of the year-long series on cyber attacks. As we know, network infrastructure is protected by security devices such as routers and firewalls. So far, it was believed that such devices were enough to secure the perimeter. This b
By definition, evasion is the process of avoiding or bypassing an object or a situation. In technical terms, evasion is a technique by which an attacker bypasses a security system in the cyber security space. The system may typically consist of routers, firewalls, network switches and intrusion detection devices. As we all know, routers segregate networks; firewalls block unwanted IP address and TCP port communications, whereas intrusion detection devices add a layer of intelligence based on anomaly detection techniques. A few years back, when these techniques were implemented, network administrators could safely say that their infrastructure was secure. However, the laws of human nature tell us that a thief is always a step ahead of the cops! While these devices seem to thwart the attacks for some time, they have made cyber criminals more aggressive and have prompted them to come up with ways to penetrate and break down the security perimeter. Attackers use evasion methods in order to steal data, disrupt IT networks or plant software exploits.
As shown in Figure 1, a typical secure infrastructure contains at least a router, with a switch and a firewall also incorporated. To learn more about device evasions, let's concentrate on these three devices, and cover a bit about IDS systems too. Let's also learn how each of these devices can be broken into, and finally, how to secure them to protect the infrastructure. Device evasion is a highly technical and systematic approach to penetrating a network.
Router evasion
Often, routers are the first devices accessible from outside a firm's network. Routers maintain their own routing tables, which store the paths to destination IP ranges, along with a cost metric. The routing table is consulted every time a TCP/IP packet is processed, before it is forwarded to the desired destination. Besides this, routers implement intelligent algorithms to speed up the routing process. The router thus acts as the first line of defence from the cyber security perimeter standpoint. In earlier articles in this series, we learnt about denial of service (DoS) attacks, IP spoofing attacks, man-in-the-middle attacks and packet-crafting attacks. All these attack vectors can either fool a router into routing malicious packets into the target network, or can simply render it functionally useless, thus disrupting the whole network. Besides this, there are a few router-specific techniques too, which are mentioned below.
Route hijacking: In this method, the attacker first sniffs the traffic originating from a router. Based on the information gathered, the router is then supplied with bogus source and destination IP addresses, which are spoofed purposely to trick the router. As the router tracks these and updates its routing table, this process can become very overwhelming to the router, causing its routing table to overflow and get corrupted. This is similar to a DoS attack, but can take much less time, in practice. An expert attacker can further exploit this situation by feeding the vulnerable router with its own IP segment, and waiting for the routing table to get built up again. The very first routing protocol, called RIP, didn’t have a built-in authentication mechanism to verify the authenticity of the routes being updated. Hence, a forged RIP packet can easily disrupt the routing table, and this scenario becomes seriously dangerous if multiple routers are connected together using the RIP protocol. Modern routers usually don’t fall prey to this attack; however, an improperly configured router can still be vulnerable.
IoS penetration: Like any other network device, a router runs its own operating system, which can be vulnerable to attacks. For example, most wireless routers and early-generation industry-grade routers were running on an OS with a vulnerable kernel. Attackers with a thorough knowledge of such vulnerabilities can write scripts and programmatically subject the device to DoS or other dangerous attacks, such as remote code execution. Once the OS has been penetrated, attackers can remotely run commands to change critical configurations and settings. They can route traffic to malicious servers to steal and corrupt data, and cause even more damage.
Firewall evasion
It is a common practice to host a firewall behind a router; however, many mid-sized firms running only one office may completely remove the router, turning the firewall into the first line of defence. As compared to the router, a firewall acts as a strong opposition to attacks because its kernel functionality is designed for this, causing serious challenges to attackers wanting to get past a well-configured firewall.
As we know, a firewall is a rule-based device that allows or disallows traffic entering or exiting a security perimeter. When a source address initiates a connection with a host behind a firewall, the firewall rules intercept the connection, interpret it and take appropriate action. This also tells us that the TCP handshake actually happened between the source and the firewall. In case the connection being established is not allowed, based on the rules configured, the firewall drops the connection by sending a TCP RST to the source. If the connection is allowed, it initiates a connection with the destination and performs the packet transfer. This also shows us that the source and destination IP addresses, as well as the ports, are very important from the firewall's standpoint. With this fundamental theory in mind, let's look at a few firewall-specific evasion attacks.
Firewall request spoofing: If the attackers can spoof their packets to make them look like they are coming from the internal network segment of the firewall, an improperly configured firewall may allow those through the system. Similar effects can be achieved by spoofing the MAC address, in case the firewall is keeping a track of all internal MAC addresses.
Firewall DoS: Modern firewalls intercept each packet and apply more intelligent checks on them than their predecessors, before letting them through to the network. Typical checks by anti-virus and anti-spyware algorithms, attack anomaly detection, etc, are performed on each packet. This feature, though tremendously useful, is exploited by attackers in some cases. Apart from sending an overwhelming number of requests, there are a few other tricks used by attackers. In one case, a malicious request to a known destination host listening on a known port is sent multiple times, but with the source IP and port of that packet spoofed to a non-existent host. There is no way for the firewall to know this, and hence this results in an internal connection to the destination that gets recorded in the firewall's own tracking table. Since the source does not exist, such entries keep on piling up, thus exhausting the firewall's resources. In another case, the source address is spoofed to be one of the internal network IP range, and the MAC address is spoofed. This causes the destination host to call for a MAC address RARP request, causing turbulence on the internal network. It is important to note that a firewall DoS attack can disrupt internal-to-external network traffic, and can even take down the internal network.
Packet forging: In one of the previous articles in this series, we learnt about packet crafting. The same technique can be used against firewalls. In one case, a packet can be crafted to have a bad TCP checksum, which the firewall has to recalculate every time before taking a decision on the packet, thus causing sluggishness. In another case, the data length parameter in the TCP packet can be filled with a very big number, which tricks the firewall into waiting for the entire data chunk to arrive. This can eventually exhaust the firewall's internal memory.
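The checksum verification that a firewall (or an IDS sensor) performs on every segment, as an added example that is not from the article: it builds a minimal IPv4/TCP segment with constructed addresses, recomputes the RFC 1071 checksum over the pseudo-header plus segment, and shows that a well-formed segment verifies while a forged one with a tampered checksum field is rejected.

```python
import socket
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: ones' complement of the 16-bit ones' complement sum."""
    if len(data) % 2:                       # pad an odd-length buffer with one zero byte
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto, TCP length) plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b""):
    """Build a minimal 20-byte TCP header (no options) with a correct checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def corrupt_checksum(segment: bytes) -> bytes:
    """Flip one bit of the checksum field (bytes 16-17) to model a forged segment."""
    bad = struct.unpack("!H", segment[16:18])[0] ^ 0x0001
    return segment[:16] + struct.pack("!H", bad) + segment[18:]


def checksum_is_valid(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """Recompute over the segment as received; a correct checksum makes the result 0."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


if __name__ == "__main__":
    src, dst = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")  # constructed addresses
    syn = build_segment(src, dst, 40000, 80, 1, 0, 0x02)                   # flags=SYN
    print("well-formed:", checksum_is_valid(src, dst, syn))
    print("forged:", checksum_is_valid(src, dst, corrupt_checksum(syn)))
```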
Rule exploitation: Attackers know by experience that, in many cases, a firewall is not configured correctly. For example, it is commonly found that TCP packet rules are set up, whereas the administrator simply forgets to deal with UDP packets, letting those get through the firewall. It has also been found that many firewalls are configured with port 80 open bi-directionally, whereas it should be open only from the external network to the internal network. Modern black-hats (attackers) often write scripts to detect such misconfigurations, and on finding one, they gather enough data to exploit it further.
IDS and switch evasion
Today's IT infrastructures always try to go beyond firewalls, by implementing Layer-3 switches as well as intrusion detection systems. A Layer-3 switch contains some great features, such as compartmentalised virtual networks, network bandwidth quality of service, MAC registration, etc. An IDS works by applying attack anomaly algorithms to the packet traffic in a network. While each of these has its advantages, the techniques used to invade a router and a firewall apply to them too. At the heart of all these techniques is packet crafting and packet spoofing, so that these devices are fooled into treating those packets as legitimate, and thus the attack is not sensed, suspected or detected.
One common technique to evade an IDS is forceful signature embossing. An IDS learns as time goes by, and updates its own database of anomaly signatures, which further helps in deciding which request is legitimate and which is not. Attackers send multiple spoofed packets over a long period of time, to a destination host running a known TCP service. The packets are sent in well-formed as well as malformed patterns. The IDS drops the malformed ones, but eventually 'learns' them as acceptable behaviour based on historic patterns. Once this state is attained, the attacker storms the IDS with malformed packets to the host, thus achieving the goal of disrupting the system. This also shows us that an IDS is a great idea, but a misconfigured IDS can be equivalent to having almost no security at all.
For switches and IDS systems, DoS attacks planted at Layer-2 or Layer-3 are possible. Switches are configured to deal with such situations; however, attackers scan networks to find the weakest link, which is usually the misconfigured device, and use it as a target. The operating system of switches, too, can be compromised, as attackers can take control of these switches remotely. This is, however, not so easy in the case of IDS systems, making these an important network component from the cyber security perspective.
Protecting FOSS systems
There are many flavours of open source routers running on Ubuntu and other distros. The same is true for firewalls and intrusion detection systems. While we have discussed the devices, it is important to note here that the FOSS systems behind the perimeter of these devices should be properly configured and monitored for network attack anomalies. At the network layer, Linux FOSS systems come with a built-in feature called source address verification. This is a kernel feature which, when turned on, starts dropping packets that appear to be arriving from the internal network, but in reality are not. Most of the latest kernels in distros, such as Ubuntu and CentOS, support it. This feature helps to reduce the chances of packet spoofing.
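The source address verification feature described above is the Linux kernel's rp_filter sysctl (net.ipv4.conf.<iface>.rp_filter: 0 off, 1 strict, 2 loose). The audit below is an added example, not from the article or any distro: it reads the knobs from /proc (or a constructed sample), applies the kernel's rule that the effective mode on an interface is the maximum of the "all" and per-interface values, and emits the sysctl.d lines that harden whatever is still weak.

```python
from pathlib import Path
from typing import Dict, List

RP_FILTER_DIR = Path("/proc/sys/net/ipv4/conf")   # one sub-directory per interface, plus "all" and "default"
MODE_NAMES = {0: "off", 1: "strict", 2: "loose"}


def read_rp_filter(conf_dir: Path = RP_FILTER_DIR) -> Dict[str, int]:
    """Read rp_filter for every entry under conf_dir (needs a Linux host with /proc mounted)."""
    settings = {}
    for entry in conf_dir.iterdir():
        knob = entry / "rp_filter"
        if knob.is_file():
            settings[entry.name] = int(knob.read_text().strip())
    return settings


def effective_modes(settings: Dict[str, int]) -> Dict[str, int]:
    """The kernel validates traffic on <iface> using max(conf/all, conf/<iface>): all=1 overrides a
    per-interface 0, while all=0 leaves each interface with only its own value."""
    all_value = settings.get("all", 0)
    return {name: max(all_value, value)
            for name, value in settings.items()
            if name not in ("all", "default", "lo")}   # loopback is skipped


def weak_interfaces(settings: Dict[str, int]) -> Dict[str, str]:
    """Interfaces whose effective mode is not strict (1): reported as 'off' or 'loose'."""
    return {name: MODE_NAMES[mode]
            for name, mode in sorted(effective_modes(settings).items()) if mode != 1}


def sysctl_fix_lines(settings: Dict[str, int]) -> List[str]:
    """sysctl.d lines making validation strict everywhere, including interfaces created later."""
    lines = ["net.ipv4.conf.all.rp_filter = 1", "net.ipv4.conf.default.rp_filter = 1"]
    lines += ["net.ipv4.conf.%s.rp_filter = 1" % name for name in weak_interfaces(settings)]
    return lines


if __name__ == "__main__":
    # Constructed sample instead of a live /proc read; use read_rp_filter() on a real host.
    sample = {"all": 0, "default": 1, "lo": 0, "eth0": 1, "eth1": 0, "eth2": 2}
    print("weak:", weak_interfaces(sample))
    print("\n".join(sysctl_fix_lines(sample)))
```

Note that a per-interface value of 2 still wins over all=1, so a "loose" interface needs its own line even after "all" is set to strict.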
Summary
This article concludes this series on cyber security. We all love FOSS, and can enjoy and benefit from it even more only if it is cyber-secured. Thanks for all the great feedback received so far, and the encouraging words via email and social networks. Device evasion is a new trend in network attacks and is being increasingly used to break into corporate IT infrastructure for malicious reasons; it should be taken very seriously by network administrators and the IT senior management.