Device Evasions

This is the last installment of the year-long series on cyber attacks. As we know, network infrastructure is protected by security devices such as routers and firewalls. So far, it was believed that such devices were enough to secure the perimeter. This b

OpenSource For You - ADMIN - By: Prashant Phatak. The author has over 20 years of experience in IT hardware, networking, Web technologies and IT security. Prashant is MCSE and MCDBA certified, and also an F5 load balancer expert. In the IT security world, he is an ethical hacker and a

By definition, evasion is the process of avoiding or bypassing an object or a situation. In technical terms, evasion is a technique by which an attacker bypasses a security system in the cyber security space. The system may typically consist of routers, firewalls, network switches and intrusion detection devices. As we all know, routers segregate networks; firewalls block unwanted IP address and TCP port communications, whereas intrusion detection devices add a layer of intelligence based on anomaly detection techniques. A few years back, when these techniques were implemented, network administrators could safely say that their infrastructure was secure. However, the laws of human nature tell us that a thief is always a step ahead of the cops! While these devices seem to thwart the attacks for some time, they have made cyber criminals more aggressive and have prompted them to come up with ways to penetrate and break down the security perimeter. Attackers use evasion methods in order to steal data, disrupt IT networks or plant software exploits.

As shown in Figure 1, a typical secure infrastructure contains at least a router, with a switch and a firewall also incorporated. To learn more about device evasions, let's concentrate on these three devices, and cover a bit about IDS systems too. Let's also learn how each of these devices can be broken into, and finally, how to secure them to protect the infrastructure. Device evasion is a highly technical and systematic approach to penetrating a network.

Router evasion

Often, routers are the first devices accessible from outside a firm's network. Routers maintain their own routing tables, which store the paths to destination IP ranges, with a cost metric. The routing table is checked every time a TCP/IP packet is processed prior to being sent to the desired destination. Besides this, routers implement intelligent algorithms to speed up the routing process. The router device thus acts as a first line of defence from the cybersecurity perimeter standpoint. In earlier articles in this series, we learnt about denial of service (DoS) attacks, IP spoofing attacks, man-in-the-middle attacks and packet-crafting attacks. All these attack vectors can either fool a router into routing malicious packets into the target network, or can simply render it functionally useless, thus disrupting the whole network. Besides this, there are a few router-specific techniques too, which are mentioned below.

Route hijacking: In this method, the attacker first sniffs the traffic originating from a router. Based on the information gathered, the router is then supplied with bogus source and destination IP addresses, which are spoofed purposely to trick the router. As the router tracks these and updates its routing table, this process can become very overwhelming to the router, causing its routing table to overflow and get corrupted. This is similar to a DoS attack, but can take much less time, in practice. An expert attacker can further exploit this situation by feeding the vulnerable router with its own IP segment, and waiting for the routing table to get built up again. The very first routing protocol, called RIP, didn't have a built-in authentication mechanism to verify the authenticity of the routes being updated. Hence, a forged RIP packet can easily disrupt the routing table, and this scenario becomes seriously dangerous if multiple routers are connected together using the RIP protocol. Modern routers usually don't fall prey to this attack; however, an improperly configured router can still be vulnerable.

IOS penetration: Like any other network device, a router runs its own operating system, which can be vulnerable to attacks. For example, most wireless routers and early-generation industry-grade routers were running on a compromised kernel OS. Attackers with a thorough knowledge of such vulnerabilities can write scripts and programmatically subject the device to DoS or other dangerous attacks, such as remote code execution. Once the OS has been penetrated, attackers can remotely run commands to change critical configurations and settings. Attackers can route traffic to malicious servers to steal and corrupt data, and cause even more damage.

Firewall evasion

It is a common practice to host a firewall behind a router; however, many mid-sized firms running only one office may completely remove the router, turning the firewall into the first line of defence. As compared to the router, a firewall acts as a strong opposition to attacks because its kernel functionality is designed for this, causing serious challenges to attackers wanting to get past a well-configured firewall.

As we know, a firewall is a rule-based device that allows or disallows traffic entering or exiting a security perimeter. When a source address initiates a connection with a host behind a firewall, the firewall rules intercept the connection, interpret it and take appropriate action. This also tells us that the TCP handshake actually happened between the source and the firewall. In case the connection being established is not allowed, based on the rules configured, the firewall drops the connection by sending a TCP RST signal to the source. If the connection is allowed, it initiates a connection with the destination and performs the packet transfer. This also shows us that the source and destination IP addresses, as well as the ports, are very important from the firewall's standpoint. With this fundamental theory in mind, let's look at a few firewall-specific evasion attacks.

Firewall request spoofing: If the attackers can spoof their packets to make them look like they are coming from the internal network segment of the firewall, an improperly configured firewall may allow those through the system. Similar effects can be achieved by spoofing the MAC address, in case the firewall is keeping track of all internal MAC addresses.

Firewall DoS: Modern firewalls intercept each packet and apply more intelligent checks on them than their predecessors, before letting them through to the network. Typical checks by anti-virus and anti-spyware algorithms, attack anomalies, etc, are performed on each packet. This feature, though tremendously useful, is exploited by attackers in some cases. Apart from sending an overwhelming number of requests, there are a few other tricks used by attackers. In one case, a malicious request to a known destination host listening on a known port is sent multiple times, but with the source IP and port of that packet spoofed to a non-existent host. There is no way for the firewall to know this, and hence this results in an internal connection to the destination that gets updated in the firewall's own tracking table. Since the source does not exist, such requests keep on piling up, thus exhausting the firewall resources. In another case, the source address is spoofed to be one of the internal network IP range, and the MAC address is spoofed. This causes the destination host to call for a MAC address RARP request, causing turbulence on the internal network. It is important to note that a firewall DoS attack can disrupt internal-to-external network traffic, and can even take down the internal network.
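The pile-up of never-completed connections described above is visible in a Linux netfilter firewall's own tracking table. The following shell function is an added example (not the article's code): it reads conntrack entries in the /proc/net/nf_conntrack layout and alerts when one destination service holds half-open TCP entries from many distinct source addresses. The sample entries are constructed for illustration; on a live firewall you would pipe in `cat /proc/net/nf_conntrack` or `conntrack -L` instead.

```shell
#!/bin/sh
# Added example, not the article's code: detect half-open TCP entries piling
# up in a Linux firewall's connection-tracking table. Entries in SYN_SENT or
# SYN_RECV whose handshake never completes stay until their timeout; many of
# them against one destination service from many sources is the pattern to alert on.

# Read conntrack lines on stdin; alert when a dst:dport has half-open
# entries from at least $1 distinct source addresses (default 10).
detect_half_open() {
    thr="${1:-10}"
    awk -v thr="$thr" '
    {
        state = ""; src = ""; dst = ""; dport = ""
        for (i = 2; i <= NF; i++) {
            # the first src=/dst=/dport= fields are the original direction;
            # the TCP state token sits right before the first src=
            if (src == "" && $i ~ /^src=/) { src = substr($i, 5); state = $(i - 1) }
            else if (dst == "" && $i ~ /^dst=/) dst = substr($i, 5)
            else if (dport == "" && $i ~ /^dport=/) dport = substr($i, 7)
        }
        if (state == "SYN_SENT" || state == "SYN_RECV") {
            key = dst ":" dport
            if (!((key, src) in seen)) { seen[key, src] = 1; n[key]++ }
        }
    }
    END {
        for (k in n)
            if (n[k] >= thr)
                printf "ALERT %s has half-open connections from %d distinct sources\n", k, n[k]
    }'
}

# Constructed sample in /proc/net/nf_conntrack layout (not captured traffic):
# four never-completed handshakes to 192.0.2.10:80 from distinct addresses,
# one repeat from the same address, and one healthy established session.
SAMPLE_CONNTRACK='ipv4 2 tcp 6 55 SYN_RECV src=203.0.113.11 dst=192.0.2.10 sport=40001 dport=80 src=192.0.2.10 dst=203.0.113.11 sport=80 dport=40001 mark=0 use=1
ipv4 2 tcp 6 54 SYN_RECV src=203.0.113.12 dst=192.0.2.10 sport=40002 dport=80 src=192.0.2.10 dst=203.0.113.12 sport=80 dport=40002 mark=0 use=1
ipv4 2 tcp 6 53 SYN_RECV src=203.0.113.13 dst=192.0.2.10 sport=40003 dport=80 src=192.0.2.10 dst=203.0.113.13 sport=80 dport=40003 mark=0 use=1
ipv4 2 tcp 6 52 SYN_RECV src=203.0.113.14 dst=192.0.2.10 sport=40004 dport=80 src=192.0.2.10 dst=203.0.113.14 sport=80 dport=40004 mark=0 use=1
ipv4 2 tcp 6 51 SYN_RECV src=203.0.113.14 dst=192.0.2.10 sport=40005 dport=80 src=192.0.2.10 dst=203.0.113.14 sport=80 dport=40005 mark=0 use=1
ipv4 2 tcp 6 431999 ESTABLISHED src=198.51.100.5 dst=192.0.2.10 sport=50000 dport=80 src=192.0.2.10 dst=198.51.100.5 sport=80 dport=50000 [ASSURED] mark=0 use=1'

printf '%s\n' "$SAMPLE_CONNTRACK" | detect_half_open 3
```

Counting distinct sources rather than raw entries keeps one slow client from tripping the alert, while a flood of spoofed, unreachable sources still does.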

Packet forging: In one of the previous articles in this series, we learnt about packet crafting. The same technique can be used against firewalls. In one case, a packet can be crafted to have a bad TCP checksum, which the firewall has to calculate every time, before taking a decision on the packet, thus causing sluggishness. In another case, the data length parameter in the TCP packet can be filled with a very big number, which tricks the firewall into waiting for the entire data chunk to arrive. This can eventually exhaust the firewall's internal memory.

Rule exploitation: Attackers know by experience that, in many cases, a firewall is not configured correctly. For example, it is commonly found that TCP packet rules are set up, whereas the administrator simply forgets to deal with UDP packets, letting those get through the firewall. It has also been found that many firewalls are configured with port 80 being open bi-directionally, whereas it should be open only from the external network to the internal network. Modern black-hats (attackers) often write scripts to detect such misconfigurations, and on finding one, they gather enough data to exploit those further.

IDS and switch evasion

Today's IT infrastructures always try to go beyond firewalls, by implementing Layer-3 switches as well as intrusion detection systems. A Layer-3 switch contains some great features, such as compartmentalised virtual networks, network bandwidth quality of service, MAC registration, etc. An IDS system works by applying attack anomaly algorithms on the packet traffic in a network. While each of those has its advantages, the techniques used to invade a router and firewall apply to them too. At the heart of all these techniques is packet crafting and packet spoofing, so that these devices are fooled into treating those packets as legitimate, and thus the attack is not sensed, suspected or detected.

One common technique to evade an IDS system is forceful signature embossing. An IDS system learns as time goes by, and updates its own database of anomaly signatures, which further helps in deciding which request is legitimate and which is not. Attackers send multiple spoofed packets over a long period of time, to a destination host running a known TCP service. The packets are sent in well-formed as well as malformed patterns. The IDS drops the malformed ones, but eventually 'learns' them as acceptable behaviour based on historic patterns. Once this state is attained, the attacker storms the IDS with malformed packets to the host, thus achieving the goal of disrupting the system. This also shows us that an IDS is a great idea, but a misconfigured IDS can be equivalent to having almost no security at all.

For switches and IDS systems, DoS attacks planted at Layer-2 or Layer-3 are possible. Switches are configured to deal with such situations; however, attackers scan networks to find out the weakest link, which is usually the misconfigured device, and use it as a target. The operating system of switches, too, can be compromised, as attackers can take control of these switches remotely. This is, however, not so easy in the case of IDS systems, making these an important network component from the cyber security perspective.

Protecting FOSS systems

There are many flavours of open source routers running on Ubuntu and other distros. The same is true for firewalls and intrusion detection systems. While we have discussed the devices, it is important to note here that the FOSS systems behind the perimeter of these devices should be properly configured and monitored for network attack anomalies. At the network layer, Linux FOSS systems come with a built-in feature called source address verification. This is a kernel feature which, when turned on, starts dropping packets that appear to be arriving from the internal network, but in reality are not. Most of the latest kernels in distros, such as Ubuntu and CentOS, support it. This feature helps to reduce the chances of packet spoofing.
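On Linux the source address verification feature just described is the kernel's reverse path filter, exposed through the `net.ipv4.conf.*.rp_filter` sysctl keys. The following shell script is an added example (not the article's code) that audits those keys the way a practitioner would: it applies the kernel's rule that the effective setting for an interface is the maximum of the `all` and per-interface values, and prints the `sysctl -w` command needed for any interface left unprotected. The sample `sysctl` output is constructed; on a real host you would feed it `sysctl net.ipv4.conf` instead.

```shell
#!/bin/sh
# Added example, not the article's code: audit Linux reverse path filtering,
# the kernel knob behind "source address verification". Values: 0 = off,
# 1 = strict (RFC 3704), 2 = loose. The kernel applies the MAXIMUM of
# net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter to each
# interface, so looking at only one of the two keys can mislead.

# Effective rp_filter for one interface: max(all value, interface value).
effective_rp_filter() {
    if [ "$2" -gt "$1" ]; then echo "$2"; else echo "$1"; fi
}

# Read "key = value" lines (the shape `sysctl net.ipv4.conf` prints) on
# stdin; print "<iface> <effective> <mode>" per interface and a sysctl
# command to fix every interface whose effective setting is off.
audit_rp_filter() {
    awk -F' = ' '
        $1 ~ /^net\.ipv4\.conf\.[^.]+\.rp_filter$/ {
            split($1, k, "."); name = k[4]
            if (!(name in v)) order[++c] = name
            v[name] = $2 + 0
        }
        END {
            all = ("all" in v) ? v["all"] : 0
            for (j = 1; j <= c; j++) {
                i = order[j]
                if (i == "all" || i == "default") continue
                eff = (v[i] > all) ? v[i] : all
                mode = (eff == 0) ? "off" : ((eff == 1) ? "strict" : "loose")
                print i, eff, mode
                if (eff == 0) printf "  fix: sysctl -w net.ipv4.conf.%s.rp_filter=1\n", i
            }
        }'
}

# Constructed sample, not real output: "all" is off, so eth1 is unprotected
# even though default=1 ("default" only seeds interfaces created later).
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0'

printf '%s\n' "$SAMPLE_SYSCTL" | audit_rp_filter
```

Strict mode (1) drops replies that would leave by a different interface than the one they arrived on, so on multi-homed hosts with asymmetric routing use loose mode (2) rather than turning the filter off.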


This article concludes this series on cyber security. We all love FOSS, and can enjoy and benefit from it even more only if it is cyber-secured. Thanks for all the great feedback received so far, and the encouraging words via email and social networks. Device evasion is a new trend in network attacks and is being increasingly used to break into corporate IT infrastructure for malicious reasons; it should be taken very seriously by network administrators and the IT senior management.

Figure 1: Typical network configuration (router, switch, firewall)

