Land

In a LAND Attack, hackers flood SYN packets into the network with a spoofed source IP address of the targeted system. This makes it appear as if the host computer sent the packets to itself, making the system unavailable while the target system tries to respond to itself.

IP Spoofing

IP Spoofing may be used to break into systems, to hide the hacker's identity, or to magnify the effect of the DoS attack. IP Spoofing is a technique used to gain unauthorized access to computers by tricking a router or firewall into thinking that the communications are coming from within the trusted network. To engage in IP spoofing, a hacker must modify the packet headers so that it appears that the packets originate from a trusted host and should be allowed through the router or firewall. The Prestige blocks all IP Spoofing attempts.

Menu 21.2 - Firewall Setup

The firewall protects against Denial of Service (DOS) attacks when it is active. The default Policy sets

1. allow all sessions originating from the LAN to the WAN, and
2. deny all sessions originating from the WAN to the LAN.

You may define additional Policy rules or modify existing ones, but please exercise extreme caution in doing so.

Active: No

LAN-to-WAN Set Name: ACL Default Set
WAN-to-LAN Set Name: ACL Default Set

Please configure the Firewall function through Prestige Web Configurator.

ICMP Echo

A brute-force attack, such as a "Smurf" attack, targets a feature in the IP specification known as directed or subnet broadcasting, to quickly flood the target network with useless data. A Smurf hacker floods a router with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the network, the router will broadcast the ICMP echo request packet to all hosts on the network. If there are numerous hosts, this will create a large amount of ICMP echo request and response traffic. If a hacker chooses to spoof the source IP address of the ICMP echo request packet, the resulting ICMP traffic will not only clog up the "intermediary" network, but will also congest the network of the spoofed source IP address, known as the "victim" network. This flood of broadcast traffic consumes all available bandwidth, making communications impossible.

ICMP Vulnerability

ICMP is an error-reporting protocol that works in concert with IP. The following ICMP types trigger an alert:

Table 14-1 ICMP Commands That Trigger Alerts

Type  Name
5     REDIRECT
13    TIMESTAMP_REQUEST
14    TIMESTAMP_REPLY
17    ADDRESS_MASK_REQUEST
18    ADDRESS_MASK_REPLY

Illegal Commands (NetBIOS and SMTP)

The only legal NetBIOS commands are the following; all others are illegal.

Table 14-2 Legal NetBIOS Commands

MESSAGE
REQUEST
POSITIVE
NEGATIVE
RETARGET
KEEPALIVE

All SMTP commands are illegal except for those displayed in the following table.

Table 14-3 Legal SMTP Commands

DATA
EHLO
EXPN
HELO
HELP
MAIL
NOOP
QUIT

Traceroute

Traceroute is a utility used to determine the path a packet takes between two endpoints. Sometimes when a packet filter firewall is configured incorrectly an attacker can traceroute the firewall gaining knowledge of the network topology inside the firewall.

Teardrop

Teardrop attacks exploit weaknesses in the reassembly of IP packet fragments. As data is transmitted through a network, IP packets are often broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, "This fragment is carrying bytes 200 through 400 of the original (non-fragmented) IP packet." The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination, some systems will crash, hang, or reboot.

SYN Flood

A SYN attack floods a targeted system with a series of SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake. Once the queue is full, the system will ignore all incoming SYN requests, making the system unavailable for legitimate users.

Attack types and some background are described in more detail in Chapter 13.
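The attack signatures described in this chapter (LAND, IP spoofing, Smurf-style ICMP echo to the subnet broadcast, the alert-triggering ICMP types of Table 14-1, and Teardrop fragment overlap) written out as detection checks over constructed packet summaries. This is an added example, not ZyXEL code; the packet dict fields, the "WAN" interface label and the 192.168.1.0/24 LAN range are assumptions.

```python
from ipaddress import ip_address, ip_network

# ICMP types from Table 14-1 that trigger an alert
ICMP_ALERT_TYPES = {5: "REDIRECT", 13: "TIMESTAMP_REQUEST", 14: "TIMESTAMP_REPLY",
                    17: "ADDRESS_MASK_REQUEST", 18: "ADDRESS_MASK_REPLY"}

# Constructed packet summaries (assumed field names, not a real capture format)
SAMPLE_PACKETS = [
    {"src": "10.100.6.45", "dst": "10.100.6.45", "proto": "TCP", "flags": "S"},
    {"src": "192.168.1.2", "dst": "10.1.1.1", "proto": "TCP", "flags": "S", "iface": "WAN"},
    {"src": "10.0.0.1", "dst": "192.168.1.255", "proto": "ICMP", "type": 8},
    {"src": "10.0.0.1", "dst": "192.168.1.2", "proto": "ICMP", "type": 13},
    {"src": "10.0.0.1", "dst": "192.168.1.2", "proto": "ICMP", "type": 8},
]

def classify_packet(pkt, lan=ip_network("192.168.1.0/24")):
    """Return the attack label the firewall log would use, or None if clean."""
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    proto = pkt["proto"]
    # LAND: a TCP SYN whose spoofed source equals its destination
    if proto == "TCP" and pkt.get("flags") == "S" and src == dst:
        return "land"
    # IP spoofing: a packet arriving on the WAN side that claims a LAN source
    if pkt.get("iface") == "WAN" and src in lan:
        return "ip spoofing"
    if proto == "ICMP":
        # Smurf: echo request (type 8) aimed at the subnet broadcast address
        if pkt["type"] == 8 and dst == lan.broadcast_address:
            return "icmp echo"
        # Table 14-1 types (redirect, timestamp, address mask) raise an alert
        if pkt["type"] in ICMP_ALERT_TYPES:
            return "icmp vulnerability"
    return None

def overlapping_fragments(frags):
    """Teardrop check: True if any two fragments' byte ranges overlap.
    Offsets are in bytes, as in the chapter's "bytes 200 through 400" example."""
    spans = sorted((f["offset"], f["offset"] + f["length"]) for f in frags)
    return any(spans[i][1] > spans[i + 1][0] for i in range(len(spans) - 1))

def classify_all(packets):
    return [classify_packet(p) for p in packets]

if __name__ == "__main__":
    for pkt, label in zip(SAMPLE_PACKETS, classify_all(SAMPLE_PACKETS)):
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], label or "ok")
```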

Figure 14-4 View Firewall Log

Each log consists of two lines, showing the information described in the following table.

#    time       Packet Information                     reason      action
124  Jan 1 70   From:192.168.1.2 To: 10.100.6.45       not match   none
     00:01:30   TCP src port:01060 dest port:00119     <2,01>protocol
125  Jan 1 70   From:192.168.1.2 To: 10.100.6.66       match       block
     22:10:10   UDP src port:01053 dest port:00053     <1,02>
126  Jan 1 70   From:192.168.1.2 To: 10.100.6.66       not match   none
     23:10:30   UDP src port:01054 dest port:00053     <1,02>dest port
127  Jan 1 70   From:192.168.1.2 To: 10.100.6.45       attack      block
     23:20:30   ICMP type:00008 code:00000             land

Table 14-4 View Firewall Log

Field: #
Description: This is the index number of the firewall log. 128 entries are available, numbered from 0 to 127. Once they are all used, the log will wrap around and the old logs will be lost.

Field: Time
Description: This is the time the log was recorded, in the format mm:dd:yy (e.g., Jan 1 70) and hh:mm:ss (e.g., 00:00:00). You must configure Menu 24.10 for real time; otherwise the clock started at Jan 1 70, 00:00:00 the last time the P312 was reset.

Field: Packet Information
Description: From and To IP addresses, protocol and port numbers. This field lists packet information such as protocol and src/dest port numbers (TCP, UDP), or protocol, type and code (ICMP).

Field: Reason
Description: This field states the reason for the log; i.e., was the rule matched, not matched, or was there an attack. The set and rule coordinates (<X, Y> where X=1,2; Y=00~10) follow with a simple explanation. There are two policy sets; set 1 (X = 1) is for LAN to WAN rules and set 2 (X = 2) for WAN to LAN rules. Y represents the rule in the set. You can configure up to 10 rules in any set (Y = 01 to 10). Rule number 00 is the default rule.
Example "not match <1,01> dest IP": this packet does not match the destination IP address in set 1, rule 1. Other reasons (instead of dest IP) are src IP, dest port, src port and protocol.
Example "attack land": this is a log for a DoS attack, in this case a land attack. Other attack types are ip spoofing, icmp echo, icmp vulnerability, NetBIOS, smtp illegal command, traceroute, teardrop, or syn flood.

Field: Action
Description: This field displays whether the packet was blocked, forwarded or neither (block, forward or none). None means that no action is dictated by this rule.
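A parser for the two-line log records of Figure 14-4 that splits each pair into the fields Table 14-4 describes, decodes the <set,rule> coordinates of rule logs and pulls the attack name out of attack logs. This is an added example, not ZyXEL code; the sample text below is constructed from the figure's values with our own spacing, and the regular expressions assume that layout.

```python
import re

# Constructed sample in the two-line layout of Figure 14-4 (values taken
# from the figure, spacing ours).
SAMPLE_LOG = """\
124 Jan 1 70 From:192.168.1.2 To: 10.100.6.45 not match none
    00:01:30 TCP src port:01060 dest port:00119 <2,01>protocol
126 Jan 1 70 From:192.168.1.2 To: 10.100.6.66 not match none
    23:10:30 UDP src port:01054 dest port:00053 <1,02>dest port
127 Jan 1 70 From:192.168.1.2 To: 10.100.6.45 attack block
    23:20:30 ICMP type:00008 code:00000 land
"""

# First line: index, date, From/To addresses, reason keyword, action.
LINE1 = re.compile(r"^(\d+)\s+(\w{3} \d+ \d+)\s+From:\s*(\S+)\s+To:\s*(\S+)\s+"
                   r"(not match|match|attack)\s+(block|forward|none)$")
# Second line: clock, protocol, packet details, then either <set,rule> with a
# short explanation (rule logs) or the attack name (attack logs).
LINE2 = re.compile(r"^\s*(\d\d:\d\d:\d\d)\s+(\S+)\s+(.*?)"
                   r"(?:\s+<(\d),(\d\d)>\s*(.*))?$")

def parse_firewall_log(text):
    """Pair up the two-line records and return a list of dicts."""
    lines = [l for l in text.splitlines() if l.strip()]
    entries = []
    for first, second in zip(lines[::2], lines[1::2]):
        m1, m2 = LINE1.match(first), LINE2.match(second)
        if not (m1 and m2):
            raise ValueError(f"unrecognised log pair: {first!r} / {second!r}")
        idx, date, src, dst, reason, action = m1.groups()
        clock, proto, details, x, y, expl = m2.groups()
        entry = {"index": int(idx), "time": f"{date} {clock}", "src": src,
                 "dst": dst, "proto": proto, "details": details,
                 "reason": reason, "action": action,
                 "set": None, "rule": None, "explanation": expl or ""}
        if x is not None:
            # X=1 is LAN-to-WAN, X=2 is WAN-to-LAN; rule 00 is the default rule
            entry["set"], entry["rule"] = int(x), int(y)
        elif reason == "attack":
            # attack records end with the attack name instead of coordinates
            entry["details"], _, entry["explanation"] = details.rpartition(" ")
        entries.append(entry)
    return entries

def attack_entries(entries):
    """Records the firewall classified as a DoS attack (the Chapter 13 types)."""
    return [e for e in entries if e["reason"] == "attack"]
```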
