Normally, the route a packet takes from its source to its destination
is determined by the routers between the source and destination. The
packet itself only says where it wants to go (the destination
address), and nothing about how it expects to get there.
There is an optional way for the sender of a packet (the source) to
include information in the packet that tells the route the packet
should take to get to its destination; thus the name ``source routing''.
For a firewall, source routing is noteworthy, since an attacker can
generate traffic claiming to be from a system ``inside'' the firewall.
In general, such traffic wouldn't route to the firewall properly, but
with the source routing option, all the routers between the attacker's
machine and the target will return traffic along the reverse path of
the source route. Implementing such an attack is quite easy, so
firewall builders should not discount it as unlikely to happen.
In practice, source routing is very little used. In fact, generally
the main legitimate use is in debugging network problems or routing
traffic over specific links for congestion control for specialized
situations. When building a firewall, source routing should be blocked
at some point. Most commercial routers incorporate the ability to
block source routing specifically, and many versions of Unix that
might be used to build firewall bastion hosts have the ability to
disable or ignore source routed traffic.
An ICMP Redirect tells the recipient system to override something in
its routing table. It is legitimately used by routers to tell hosts
that the host is using a non-optimal or defunct route to a particular
destination, i.e. the host is sending it to the wrong router. The
wrong router sends the host back an ICMP Redirect packet that tells
the host what the correct route should be. If you can forge ICMP
Redirect packets, and if your target host pays attention to them, you
can alter the routing tables on the host and possibly subvert the
security of the host by causing traffic to flow via a path the network
manager didn't intend. ICMP Redirects also may be employed for denial
of service attacks, where a host is sent a route that loses it
connectivity, or is sent an ICMP Network Unreachable packet telling it
that it can no longer access a particular network.
Many firewall builders screen ICMP traffic from their network, since
it limits the ability of outsiders to ping hosts, or modify their routing tables.
Before you decide to completely block ICMP, you should be aware of how
the TCP protocol does ``Path MTU Discovery'', to make certain that you
don't break connectivity to other sites. If you can't safely block it
everywhere, you can consider allowing selected types of ICMP to
selected routing devices. If you don't block it, you should at least
ensure that your routers and hosts don't respond to broadcast ping packets.
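As an added illustration of the filtering rules discussed above (not code from the FAQ), the following Python decides what a border packet filter should do with one raw IPv4 packet: it drops source-routed packets (the LSRR and SSRR header options), forged ICMP Redirects and broadcast pings, but still lets through the ICMP "fragmentation needed" messages that Path MTU Discovery depends on. The LAN broadcast address, the sample addresses and the minimal packet builder are constructed for the example.

```python
import struct
from ipaddress import ip_address

# Constructed site parameter: broadcast address of the protected LAN (RFC 5737 range).
LOCAL_BCAST = ip_address("192.0.2.255")
LSRR, SSRR = 131, 137                     # IPv4 loose / strict source route options
ICMP, ICMP_UNREACH, ICMP_REDIRECT, ICMP_ECHO = 1, 3, 5, 8
FRAG_NEEDED = 4                           # type 3 code carried by Path MTU Discovery

def ipv4_options(pkt: bytes):
    """Yield option type numbers from the IPv4 header (bytes 20..IHL*4)."""
    opts, i = pkt[20:(pkt[0] & 0x0F) * 4], 0
    while i < len(opts) and opts[i] != 0:  # 0 = End of Option List
        if opts[i] == 1:                   # 1 = NOP, one byte, no length field
            i += 1
            continue
        yield opts[i]
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:                     # malformed length: stop, don't loop forever
            break
        i += length

def filter_verdict(pkt: bytes) -> str:
    """Border-filter decision for one raw IPv4 packet."""
    ihl, proto, dst = (pkt[0] & 0x0F) * 4, pkt[9], ip_address(pkt[16:20])
    if any(t in (LSRR, SSRR) for t in ipv4_options(pkt)):
        return "drop: source-routed"
    if proto == ICMP:
        icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
        if icmp_type == ICMP_REDIRECT:
            return "drop: icmp-redirect"
        if icmp_type == ICMP_ECHO and dst == LOCAL_BCAST:
            return "drop: broadcast-ping"
        if icmp_type == ICMP_UNREACH and icmp_code == FRAG_NEEDED:
            return "allow: pmtu-discovery"
    return "allow"

def build_ipv4(src: str, dst: str, proto: int, options=b"", payload=b"") -> bytes:
    """Assemble a minimal IPv4 packet (checksum left zero) for constructed samples."""
    options += b"\x00" * (-len(options) % 4)  # options padded to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0,
                      64, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + options + payload

# Constructed samples: an LSRR-routed TCP packet and a forged ICMP Redirect.
HOP = ip_address("198.51.100.1").packed
LSRR_PKT = build_ipv4("203.0.113.9", "192.0.2.10", 6, options=bytes([LSRR, 7, 4]) + HOP)
REDIRECT_PKT = build_ipv4("203.0.113.9", "192.0.2.10", ICMP, payload=bytes([ICMP_REDIRECT, 1, 0, 0]) + HOP)
```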
Denial of service is when someone decides to make your network or
firewall useless by disrupting it, crashing it, jamming it, or
flooding it. The problem with denial of service on the Internet is
that it is impossible to prevent. The reason has to do with the
distributed nature of the network: every network node is connected via
other networks which in turn connect to other networks, etc. A
firewall administrator or ISP only has control of a few of the local
elements within reach. An attacker can always disrupt a connection
``upstream'' from where the victim controls it. In other words, if
someone wanted to take a network off the air, they could do it either
by taking the network off the air, or by taking the networks it
connects to off the air, ad infinitum. There are many, many, ways
someone can deny service, ranging from the complex to the brute-force.
If you are considering using the Internet for a service which is
absolutely time or mission critical, you should consider your
fall-back position in the event that the network is down or damaged.
TCP/IP's UDP echo service is trivially abused to get two servers to
flood a network segment with echo packets. You should consider
commenting out unused entries in /etc/inetd.conf of Unix hosts,
adding ``no ip small-servers'' to the configuration of Cisco routers,
or the equivalent for your components.
Each site is a little different from every other in terms of what
attacks are likely to be used against it. Some recurring themes do arise, though.
Mail relay abuse is where a spammer will take many thousands of copies
of a message and send them to a huge list of email addresses. Because
these lists are often so bad, and in order to increase the speed of
operation for the spammer, many have resorted to simply sending all of
their mail to an SMTP server that will take care of actually
delivering the mail.
Of course, all of the bounces, spam complaints, hate mail, and bad PR
come to the site that was used as a relay. There is a very real cost
associated with this, mostly in paying people to clean up the mess afterward.
The Mail Abuse Prevention System Transport Security Initiative
maintains a complete description of the problem, and of how to
configure just about every mailer on the planet to protect against
this attack.
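The relay decision that a hardened mailer makes for each RCPT TO, written out as an added Python example (not code from the FAQ or from any particular mailer): accept mail addressed to our own domains, relay only for clients on our own networks, and refuse everything else. It also rejects the old routing syntaxes inside the local part (user%host, host!user, a quoted "user@host") that can turn an apparently local delivery into a relay. The domains and network ranges are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed policy for a hypothetical site (RFC 5737 / example.com values).
LOCAL_DOMAINS = {"example.com", "mail.example.com"}   # domains we deliver for
RELAY_NETWORKS = [ip_network("192.0.2.0/24")]         # clients we relay for


def local_part_and_domain(rcpt: str):
    """Split an RCPT TO argument into (local part, lowercased domain), stripping <>."""
    addr = rcpt.strip().strip("<>")
    if "@" not in addr:
        return addr, ""
    local, domain = addr.rsplit("@", 1)
    return local, domain.lower()


def looks_routed(local: str) -> bool:
    """True if the local part carries %-hack, bang-path or embedded @ routing."""
    return any(c in local for c in "%!@")


def relay_decision(client_ip: str, rcpt_to: str) -> str:
    """Return the mailer's verdict for one recipient from one client."""
    local, domain = local_part_and_domain(rcpt_to)
    if any(ip_address(client_ip) in net for net in RELAY_NETWORKS):
        return "accept: relaying for local client"
    if domain in LOCAL_DOMAINS:
        if looks_routed(local):
            return "reject: routed local part"
        return "accept: local delivery"
    return "reject: relaying denied"
```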
Various versions of web servers, mail servers, and other Internet
service software contain bugs that allow remote (Internet) users to do
things ranging from gaining control of the machine to making the
application crash, and just about everything in between.
The exposure to this risk can be reduced by running only necessary
services, keeping up to date on patches, and using products that have
been around a while.
Again, these are typically initiated by users remotely. Operating
systems that are relatively new to IP networking tend to be more
problematic, as more mature operating systems have had time to find
and eliminate their bugs. An attacker can often make the target
equipment continuously reboot, crash, lose the ability to talk to the
network, or replace files on the machine.
Here, running as few operating system services as possible can help.
Also, having a packet filter in front of the operating system can
reduce the exposure to a large number of these types of attacks.
And, of course, choosing a stable operating system will help here as
well. When selecting an OS, don't be fooled into believing that ``the
pricier, the better''. Free operating systems are often much more
robust than their commercial counterparts.