
Version 4.1 - 4.1 Common Attacks Part 1

There are 11 groups of "common attacks" listed in the blueprint. Most attacks exploit a vulnerability or abuse the way something responds when it is sent input it doesn't expect. Looking at the blueprint and estimating about 10 questions for section 4, you can probably expect two questions on just this section.

The list starts off with ICMP attacks and PING floods. ICMP is very interesting. It works a little differently from everything else. Most people think of ping (echo request) and ping reply, but ICMP also carries error responses on behalf of other protocols. Think of any other protocol: if you attempt to reach a server on a port that isn't listening, an ICMP message (for example, Destination Unreachable) will be the response. It's very useful, isn't it? Well, that usefulness can also be used against the network. The other interesting thing about ICMP is that an ICMP error response has TWO HEADERS: the actual IP header of the response packet, and then a copy of the header of the packet that triggered the response.


"ICMP error messages contain a data section that includes a copy of the entire IPv4 header, plus the first eight bytes of data from the IPv4 packet that caused the error message. This data is used by the host to match the message to the appropriate process."

That may not be on the exam, but in practice, captures that include ICMP traffic can be very revealing when troubleshooting. So when possible, capture all the traffic and then filter the view to look at the traffic of interest.
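To make the "two headers" point concrete, here is an added example (not code from the original post) that parses an ICMPv4 error message the way a capture tool or a host's network stack does: outer IPv4 header, ICMP header with checksum verification, then the quoted original IPv4 header and the first 8 bytes of its payload, from which the original source and destination ports are recovered. The sample packet is constructed in the code (addresses from the documentation ranges); nothing is captured from a real network.

```python
"""Parse an ICMPv4 error message and recover the header of the datagram that
triggered it. Per RFC 792 an ICMP error quotes the original IPv4 header plus
the first 8 bytes of its payload, which for TCP/UDP hold the port numbers.
Added example, not code from the original post."""
import struct

ICMP_ERROR_TYPES = {3: "Destination Unreachable", 4: "Source Quench",
                    5: "Redirect", 11: "Time Exceeded", 12: "Parameter Problem"}
UNREACHABLE_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port",
                     4: "fragmentation needed and DF set"}  # subset of the RFC 792/1122 codes


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP; returns 0 when run over a valid block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(buf: bytes) -> dict:
    """Decode the fixed part of an IPv4 header; raise ValueError if it is unusable."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header")
    return {"ihl": ihl, "total_length": total_len, "id": ident, "ttl": ttl,
            "protocol": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst))}


def parse_icmp_error(packet: bytes) -> dict:
    """Outer IPv4 -> ICMP (checksum verified) -> quoted inner IPv4 + 8 data bytes."""
    outer = parse_ipv4_header(packet)
    if outer["protocol"] != 1:
        raise ValueError("not an ICMP packet")
    icmp = packet[outer["ihl"]:outer["total_length"]]
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("too short to carry the quoted header and 8 data bytes")
    itype, code, _csum = struct.unpack("!BBH", icmp[:4])
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    if itype not in ICMP_ERROR_TYPES:
        raise ValueError("ICMP type %d is not an error message" % itype)
    inner = parse_ipv4_header(icmp[8:])
    quoted = icmp[8 + inner["ihl"]:8 + inner["ihl"] + 8]
    if inner["protocol"] in (6, 17):          # TCP or UDP: ports are the first 4 quoted bytes
        inner["sport"], inner["dport"] = struct.unpack("!HH", quoted[:4])
    desc = ICMP_ERROR_TYPES[itype]
    if itype == 3:
        desc += " (%s)" % UNREACHABLE_CODES.get(code, "code %d" % code)
    return {"type": itype, "code": code, "description": desc,
            "reporter": outer["src"], "original": inner}


def _ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int, ident: int, ttl: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (no options)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_sample_port_unreachable() -> bytes:
    """Constructed sample (not a capture): host 198.51.100.7 tells 203.0.113.9 that
    its UDP datagram from port 40000 to port 53 hit a closed port."""
    client, server = bytes([203, 0, 113, 9]), bytes([198, 51, 100, 7])
    inner_hdr = _ipv4_header(client, server, 17, 8 + 12, 0x1234, 64)  # original carried 12 bytes of UDP data
    udp_hdr = struct.pack("!HHHH", 40000, 53, 8 + 12, 0)
    body = struct.pack("!BBHI", 3, 3, 0, 0) + inner_hdr + udp_hdr       # type 3, code 3, checksum 0, unused
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return _ipv4_header(server, client, 1, len(body), 0xABCD, 63) + body


if __name__ == "__main__":
    print(parse_icmp_error(build_sample_port_unreachable()))
```

The quoted inner header is what lets the sending host hand the error to the right socket (it matches on the original ports), and it is also what makes ICMP in a capture so informative: one Destination Unreachable tells you who complained, about which flow, and why.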

Let's start with the important ICMP types and codes. I like the way Wikipedia displays the table under "Control Messages." ICMP messages normally have a "type" and then a "code."

The important ones are:

And let's not forget ICMP for IPv6! Here's a list of the important ones (all codes 0).

+ 2 Packet Too Big (used by PMTUD)

+ 133 Router Solicitation
+ 134 Router Advertisement
+ 135 Neighbor Solicitation
+ 136 Neighbor Advertisement

Now let's look at ICMP attacks and PING floods.

The first type of attack is ICMP Tunneling. The payload of an echo request or echo reply is normally a few bytes of filler and is considered "insignificant." The whole point of echo and echo reply is to send a packet somewhere and determine whether the target is "reachable." It was meant to test basic connectivity. Even when you're testing the path MTU, all that matters is the size of the packet, not its contents. That is how it is used NORMALLY.

So how would we misuse it? Well, the first thing you could do is use this as a covert channel for messaging between two devices. You could use the ICMP payload to transfer data out of the network - or use the request/reply pair for a conversation between devices. If your firewall is blocking ICMP, usually it's blocking requests from the outside. Sometimes it doesn't block replies from the outside (to requests by a device inside), and many assume that traffic from the inside is legitimate and therefore allowed. So take this one step further. Say you have a piece of malware on your computer. You don't notice anything odd and all your programs continue to work properly. Yet this piece of malware sends out pings every so often - and the payload is anything that is on your computer...or anything that your computer/account is allowed to access. So as you go to your bank's web page, all that information that is displayed to you is also "echoed" back to an attacker. Or perhaps it can be combined with a keylogger to send every keystroke (in the ICMP payload) to the attacker's site (for later reassembly and retrieval). Hmm. Even a really long and secure password could be defeated by this. Two freely available programs that can do this are hping and loki. If you don't know what they are and how they work, you should look into this. Something that would mitigate this type of attack is inspecting ICMP payloads (using an application-layer firewall or an IDS/IPS).
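What "inspecting ICMP traffic" looks like in practice, as an added example (not code from the original post): the checks below are the kind an IDS rule or a capture-review script applies to echo payloads. They compare each payload against the default patterns of common ping clients (assumed here: Windows ping sends 32 bytes of the alphabet, Linux iputils ping sends a timestamp followed by bytes whose value equals their offset), flag oversized, high-entropy or all-text payloads, and catch echo replies whose payload differs from the request they answer (a real reply echoes the request byte for byte). All sample packets are constructed in the code.

```python
"""Heuristics for spotting ICMP echo payloads that do not look like ordinary
pings. Added example, not code from the original post."""
import math
from collections import Counter

# Assumed default payloads of unmodified ping clients. Windows sends 32 bytes of
# the alphabet; Linux (iputils) sends a timestamp followed by bytes whose value
# equals their offset in the payload (0x10, 0x11, ... after a 16-byte timestamp).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def looks_like_iputils_ping(payload: bytes) -> bool:
    """True if everything after the 8- or 16-byte timestamp is the offset pattern."""
    for ts_len in (8, 16):
        tail = payload[ts_len:]
        if tail and all(b == (ts_len + i) & 0xFF for i, b in enumerate(tail)):
            return True
    return False


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random, compressed or encrypted data approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def echo_payload_indicators(payload: bytes, max_len: int = 64, entropy_limit: float = 5.0) -> list:
    """Return the reasons this echo payload deviates from a normal ping.
    An empty list means it matches a known default pattern or shows nothing odd."""
    if payload == WINDOWS_PING_PAYLOAD or looks_like_iputils_ping(payload):
        return []
    reasons = []
    if len(payload) > max_len:
        reasons.append("oversized payload: %d bytes" % len(payload))
    entropy = shannon_entropy(payload)
    if entropy > entropy_limit:
        reasons.append("high-entropy payload (%.1f bits/byte)" % entropy)
    if payload and all(0x20 <= b < 0x7F for b in payload):
        reasons.append("payload is entirely printable text")
    return reasons


def mismatched_replies(packets: list) -> list:
    """Echo replies whose payload differs from the matching request (same id, seq).
    packets: dicts with keys type (8 = request, 0 = reply), id, seq, payload."""
    requests = {(p["id"], p["seq"]): p["payload"] for p in packets if p["type"] == 8}
    return [p for p in packets
            if p["type"] == 0 and (p["id"], p["seq"]) in requests
            and p["payload"] != requests[(p["id"], p["seq"])]]


# Constructed samples (not captured traffic).
LINUX_PING = bytes(16) + bytes(range(16, 56))                 # 56-byte iputils default
TUNNEL_BLOB = bytes((i * 97 + 13) % 256 for i in range(200))  # looks like ciphertext
TUNNEL_TEXT = b"GET /index.html HTTP/1.1"                     # plaintext riding in a ping

SAMPLE_PACKETS = [
    {"type": 8, "id": 1, "seq": 1, "payload": LINUX_PING},
    {"type": 0, "id": 1, "seq": 1, "payload": LINUX_PING},    # normal reply
    {"type": 8, "id": 2, "seq": 7, "payload": WINDOWS_PING_PAYLOAD},
    {"type": 0, "id": 2, "seq": 7, "payload": TUNNEL_TEXT},   # reply carries its own data
]

if __name__ == "__main__":
    for name, pl in [("linux", LINUX_PING), ("windows", WINDOWS_PING_PAYLOAD),
                     ("blob", TUNNEL_BLOB), ("text", TUNNEL_TEXT)]:
        print(name, echo_payload_indicators(pl) or "looks normal")
    print("replies with their own data:", len(mismatched_replies(SAMPLE_PACKETS)))
```

The thresholds are deliberately simple; in a real deployment you would also look at echo frequency per host and at the ratio of replies to requests, since a tunnel that only ever replies still needs someone inside to keep asking.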

Another way to use ICMP against itself is to use it normally - in an abnormal way. Any request gets a response. So overwhelm the host with requests and it becomes unusable because all it has time to do is generate the automatic responses - or process a large number of responses. That is the Smurf attack. If you send an echo request to the broadcast address, everyone on that subnet (within that broadcast domain) is going to respond. And if I send a lot of those and SPOOF the source address, well, everyone is going to respond to the spoofed source address. My computer can probably generate as many requests/replies as any other computer, but if I send as much as possible with a spoofed address and "everyone" replies to that spoofed address, well, that's obviously overwhelming. The Fraggle attack is similar, but uses UDP instead (port 7, echo, and port 19, chargen [character generator]). Countermeasures for this are basic anti-spoofing measures (filtering spoofed addresses at the router and firewall). You can also prevent your network from participating in this by using "no ip directed-broadcast", which should already be part of your configuration (per best practices).
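The two countermeasures above, modelled as router logic, plus the pattern a victim of reflection would see, as an added example (not code from the original post and not a vendor implementation). The interface names, subnets and packets are constructed; `forwarding_decision` applies an anti-spoofing ingress check (inside interfaces may only source their own subnet, the upstream may never source an inside address) and then refuses to forward to a subnet broadcast address, which is the behaviour "no ip directed-broadcast" gives you. `reflection_victims` counts distinct reflectors per destination for echo replies and for UDP from ports 7 and 19.

```python
"""Router-side checks that keep a network out of a Smurf/Fraggle attack, plus a
detector for the traffic a reflection victim receives. Added example, not code
from the original post; topology and records are constructed."""
import ipaddress

# Constructed topology: two inside LANs and one upstream link.
INTERFACES = {"Gi0/0": ["10.10.1.0/24"], "Gi0/1": ["10.10.2.0/24"]}
UPSTREAM = "Gi0/2"


def is_directed_broadcast(dst: str, interfaces: dict = INTERFACES) -> bool:
    """True if dst is the broadcast address of a connected subnet. Forwarding such
    a packet onto the LAN is what 'no ip directed-broadcast' turns off."""
    addr = ipaddress.ip_address(dst)
    return any(addr == ipaddress.ip_network(p).broadcast_address
               for prefixes in interfaces.values() for p in prefixes)


def ingress_filter(src: str, arrived_on: str, interfaces: dict = INTERFACES,
                   upstream: str = UPSTREAM) -> str:
    """Anti-spoofing rule in the spirit of BCP 38: an inside interface may only
    source its own subnet, and the upstream may never source an inside address."""
    addr = ipaddress.ip_address(src)
    internal = [ipaddress.ip_network(p) for prefixes in interfaces.values() for p in prefixes]
    if arrived_on == upstream:
        if any(addr in n for n in internal):
            return "drop: internal source address from upstream"
        return "accept"
    local = [ipaddress.ip_network(p) for p in interfaces.get(arrived_on, [])]
    return "accept" if any(addr in n for n in local) else "drop: source not on ingress subnet"


def forwarding_decision(pkt: dict) -> str:
    """pkt: {"src", "dst", "in_if"}. Spoof check first, then the broadcast check."""
    verdict = ingress_filter(pkt["src"], pkt["in_if"])
    if verdict != "accept":
        return verdict
    if is_directed_broadcast(pkt["dst"]):
        return "drop: directed broadcast"
    return "accept"


def reflection_victims(records: list, min_sources: int = 20) -> dict:
    """Destinations receiving reflected replies (ICMP echo replies, or UDP sourced
    from the echo/chargen ports 7 and 19) from at least min_sources distinct hosts."""
    by_victim = {}
    for r in records:
        reflected = ((r["proto"] == "icmp" and r.get("type") == 0) or
                     (r["proto"] == "udp" and r.get("sport") in (7, 19)))
        if reflected:
            by_victim.setdefault(r["dst"], set()).add(r["src"])
    return {dst: len(srcs) for dst, srcs in by_victim.items() if len(srcs) >= min_sources}


# Constructed packets as they would arrive at the router.
PACKETS = [
    {"src": "203.0.113.9",  "dst": "10.10.1.5",   "in_if": "Gi0/2"},  # ordinary inbound ping
    {"src": "203.0.113.9",  "dst": "10.10.1.255", "in_if": "Gi0/2"},  # request aimed at the subnet broadcast
    {"src": "10.10.1.5",    "dst": "10.10.2.255", "in_if": "Gi0/2"},  # inside address arriving from outside
    {"src": "198.51.100.7", "dst": "10.10.2.5",   "in_if": "Gi0/0"},  # inside host using a foreign source
]

# Constructed reply traffic as the victim 203.0.113.9 would see it.
RECORDS = (
    [{"proto": "icmp", "type": 0, "src": "10.10.1.%d" % i, "dst": "203.0.113.9"} for i in range(1, 41)]
    + [{"proto": "udp", "sport": 19, "dport": 7, "src": "10.10.2.%d" % i, "dst": "203.0.113.9"}
       for i in range(1, 26)]
    + [{"proto": "icmp", "type": 0, "src": "10.10.1.5", "dst": "198.51.100.7"}]
)

if __name__ == "__main__":
    for p in PACKETS:
        print(p["src"], "->", p["dst"], "via", p["in_if"], ":", forwarding_decision(p))
    print("reflection victims:", reflection_victims(RECORDS))
```

Note the order of the two checks: the spoofed-source rule protects other people's networks from your hosts, while the directed-broadcast rule protects everyone from your network being used as the amplifier. You want both.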

One of the other uses of ICMP in attacks is not really an attack itself, but a way to help launch other attacks (reconnaissance). With a "ping sweep" (or many other programs), you can ping every address of a subnet and determine which are in use. Or you could use "nmap" to "test" the ports on a particular device to see if they are listening. Depending on the default ports that are listening (or perhaps how they respond), you can tell which operating system they are using. This is OS fingerprinting. And don't forget ICMP's use in traceroute. That can also give away quite a bit of information (all the L3 IP addresses in a path). Note that Windows uses ICMP echo for traceroute (tracert) and Linux uses UDP by default.

Invite of Death is "a type of attack on a VoIP-system that involves sending a malformed or otherwise malicious SIP INVITE request to a telephony server, resulting in a crash of that server." The thing that I found important about this is that someone can remotely crash the server "by sending a single malformed packet." This type of attack is a denial of service attack. The mitigation is to upgrade to a version of software that does not contain the vulnerability.

You should probably know about ping flooding and the "Ping of Death." Ping flooding is just sending a large volume of requests to a system. [Think DDoS] And Ping of Death is a malformed ping with a very (very) large payload (larger than the maximum IP packet size once its fragments are reassembled). This is normally an issue for older systems; newer systems (and firewalls) have checks that mitigate these issues. Also related is the Twinge attack. The name is based on the name of the program that sends spoofed ICMP packets.
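For the reconnaissance and denial-of-service cases in the last two paragraphs, here is an added example (not code from the original post) with three detections run over constructed per-packet records: a ping sweep (one source sending echo requests to many distinct hosts within a short window), a ping flood (echo requests to one host at a rate above a threshold), and the check a modern stack or firewall performs against a Ping of Death (fragments whose offset plus length would reassemble into a datagram larger than 65535 bytes). Thresholds, addresses and timestamps are assumptions for the demonstration; the fragment check assumes a 20-byte IPv4 header with no options.

```python
"""Detections for ping sweeps, ping floods and oversized fragment reassembly,
run over constructed records. Added example, not code from the original post."""
from collections import defaultdict

MAX_IPV4_DATAGRAM = 65535
IPV4_HEADER_LEN = 20  # assumption: no IP options on the fragments


def ping_sweeps(records: list, window: float = 10.0, min_targets: int = 16) -> dict:
    """Sources that sent echo requests to >= min_targets distinct hosts within window seconds."""
    per_src = defaultdict(list)
    for r in records:
        if r["type"] == 8:
            per_src[r["src"]].append((r["ts"], r["dst"]))
    flagged = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = len(targets)
                break
    return flagged


def ping_floods(records: list, window: float = 1.0, max_requests: int = 100) -> dict:
    """(src, dst) pairs whose echo-request count exceeded max_requests in any sliding window."""
    per_pair = defaultdict(list)
    for r in records:
        if r["type"] == 8:
            per_pair[(r["src"], r["dst"])].append(r["ts"])
    flagged = {}
    for pair, times in per_pair.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while times[start] < t - window:
                start += 1
            if end - start + 1 > max_requests:
                flagged[pair] = end - start + 1
                break
    return flagged


def oversized_reassembly(fragments: list) -> dict:
    """Datagrams that would exceed 65535 bytes once reassembled (the Ping of Death).
    Each fragment: src, dst, id, offset (in 8-byte units, as on the wire), payload_len.
    Returns the reassembled total length for each offending (src, dst, id)."""
    furthest = defaultdict(int)
    for f in fragments:
        key = (f["src"], f["dst"], f["id"])
        furthest[key] = max(furthest[key], f["offset"] * 8 + f["payload_len"])
    return {k: IPV4_HEADER_LEN + end for k, end in furthest.items()
            if IPV4_HEADER_LEN + end > MAX_IPV4_DATAGRAM}


# Constructed records: ts in seconds, type 8 = echo request.
SWEEP = [{"ts": i * 0.1, "type": 8, "src": "203.0.113.9", "dst": "10.10.1.%d" % i} for i in range(1, 31)]
FLOOD = [{"ts": i * 0.005, "type": 8, "src": "198.51.100.7", "dst": "10.10.1.5"} for i in range(150)]
NORMAL = [{"ts": float(i), "type": 8, "src": "10.10.1.5", "dst": "10.10.1.1"} for i in range(4)]
RECORDS = SWEEP + FLOOD + NORMAL

FRAGMENTS = [
    {"src": "203.0.113.9", "dst": "10.10.1.5", "id": 1, "offset": 0, "payload_len": 1480},
    {"src": "203.0.113.9", "dst": "10.10.1.5", "id": 1, "offset": 8190, "payload_len": 60},  # lands past 65535
    {"src": "10.10.1.5", "dst": "10.10.1.1", "id": 2, "offset": 0, "payload_len": 64},         # ordinary ping
]

if __name__ == "__main__":
    print("sweeps:", ping_sweeps(RECORDS))
    print("floods:", ping_floods(RECORDS))
    print("oversized:", oversized_reassembly(FRAGMENTS))
```

The fragment check is why the Ping of Death stopped working: a receiver that validates `offset * 8 + length` against the 65535-byte limit before allocating the reassembly buffer simply drops the fragment, which is exactly the kind of check the paragraph above says newer systems and firewalls perform.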

