# Module 3: Attacking the Foundation

:::success
Here is a cheat sheet generated from the course content using ChatGPT. It recaps the main concepts of each module, with definitions and examples. At the end of (almost) each part, you will find a link to related online flashcards.
:::

### 3.1 IP PDU Details

---

#### 3.1.1 IPv4 and IPv6

- **Internet Protocol (IP)**: IP is a Layer 3 connectionless protocol designed to route packets from a source to a destination across interconnected networks. IP does not track packet flow or validate source addresses, which allows threat actors to spoof IP addresses and manipulate header fields.
- **IPv4 vs. IPv6**: Both protocols deliver packets, but IPv6 introduces enhancements such as a simplified header structure and a much larger address space. Security analysts need to understand the IP header fields to detect and analyze potential attacks.

---

#### 3.1.2 IPv4 Packet Header

The IPv4 header consists of multiple fields critical for packet delivery and handling. It is at least 20 bytes long.

![Screenshot 2024-11-08 at 13.29.37](https://hackmd.io/_uploads/Bkf1zXjZkl.png)

**IPv4 Header Fields**:

- **Version**: A 4-bit field set to `0100` for IPv4 packets.
- **Internet Header Length (IHL)**: Specifies the length of the IP header (minimum 20 bytes).
- **Differentiated Services (DS)**: An 8-bit field used to prioritize packets, with DSCP (6 bits) and ECN (2 bits) to handle network congestion.
- **Total Length**: The entire packet length, including both header and payload, with a maximum of 65,535 bytes.
- **Identification, Flags, and Fragment Offset**: Fields used for packet fragmentation, which may be necessary if a link on the route cannot handle the packet size.
- **Time-to-Live (TTL)**: Limits packet lifetime, decreasing by one at each router. When TTL reaches zero, the packet is discarded and an ICMP "Time Exceeded" message is sent.
- **Protocol**: Specifies the upper-layer protocol carried by the packet, e.g., ICMP (1), TCP (6), or UDP (17).
- **Header Checksum**: Ensures header integrity by detecting errors introduced during transmission.
- **Source IPv4 Address**: A 32-bit address identifying the source of the packet.
- **Destination IPv4 Address**: A 32-bit address identifying the packet’s intended recipient.
- **Options and Padding**: An optional field for additional data, padded to ensure the header length is a multiple of 32 bits.

---

#### 3.1.4 IPv6 Packet Header

The IPv6 header is simplified compared to IPv4, with eight fixed fields spanning 40 bytes, followed by optional extension headers for additional network layer information.

![Screenshot 2024-11-08 at 13.30.38](https://hackmd.io/_uploads/SkWGfXsZkx.png)

**IPv6 Header Fields**:

- **Version**: A 4-bit field set to `0110`, indicating an IPv6 packet.
- **Traffic Class**: An 8-bit field equivalent to IPv4’s Differentiated Services (DS), used for prioritizing packets.
- **Flow Label**: A 20-bit field allowing routers to handle packets with the same flow label consistently.
- **Payload Length**: Specifies the length of the IPv6 packet payload (data portion).
- **Next Header**: Identifies the protocol type of the payload (similar to IPv4’s Protocol field).
- **Hop Limit**: The equivalent of IPv4’s TTL, decremented by each router. When it reaches zero, the packet is discarded with an ICMPv6 "Time Exceeded" message.
- **Source IPv6 Address**: A 128-bit address identifying the source host.
- **Destination IPv6 Address**: A 128-bit address identifying the destination host.

**Extension Headers (EH)**: IPv6 may include EHs between the header and payload for fragmentation, security, mobility support, and more. Unlike IPv4, IPv6 routers do not fragment packets; fragmentation must be managed by the sending host.

>[!Warning]Recap
>IP was designed as a Layer 3 connectionless protocol.
>The IPv4 header consists of several fields, while the IPv6 header contains fewer fields. It is important for security analysts to understand the different fields in both the IPv4 and IPv6 headers.

### 3.2 IP Vulnerabilities

---

#### 3.2.1 Common IP-Related Attacks

IP is frequently targeted by a variety of attacks because of its essential role in network communication.

- **ICMP Attacks**: Attackers misuse ICMP packets (e.g., pings) for reconnaissance, generating DoS floods, or modifying routing tables.
- **Denial-of-Service (DoS) Attacks**: Attackers overwhelm a system to prevent legitimate users from accessing services.
- **Distributed Denial-of-Service (DDoS) Attacks**: Similar to DoS, but multiple coordinated sources attack simultaneously.
- **Address Spoofing Attacks**: Attackers falsify source IP addresses to disguise their identity or pose as a trusted source.
- **Man-in-the-Middle (MitM) Attacks**: Attackers intercept and manipulate data between two parties without their knowledge.
- **Session Hijacking**: Attackers gain access to a network and take over an active session by using MitM tactics.

---

#### 3.2.2 ICMP Attacks

ICMP is used for diagnostic messaging and connectivity checks, but attackers exploit it for network reconnaissance, scanning, and DoS attacks.

![Screenshot 2024-11-08 at 13.35.14](https://hackmd.io/_uploads/SJMrQ7o-ye.png)

- **Common ICMP Attack Techniques**:
  - **ICMP Echo Request and Reply**: Used to verify that hosts are up and to launch DoS attacks.
  - **ICMP Unreachable**: Allows attackers to map network topology.
  - **ICMP Mask Reply**: Helps in mapping an internal network.
  - **ICMP Redirects**: Redirects traffic through a compromised device, setting up a MitM attack.
  - **ICMP Router Discovery**: Injects fake routing entries into a target's routing table.

**Defense**: Organizations should use ICMP filtering at network edges to prevent external probing.
Firewalls and intrusion detection systems (IDS) are vital for identifying ICMP-related attacks.

---

#### 3.2.4 Amplification and Reflection Attacks

Amplification and reflection are common DoS techniques in which attackers leverage external sources to amplify attack traffic toward a target.

![Screenshot 2024-11-08 at 13.39.13](https://hackmd.io/_uploads/HJifNmsZ1x.png)

- **Smurf Attack**:
  - **Amplification**: The attacker sends ICMP echo requests with the victim’s IP as the source to many hosts.
  - **Reflection**: These hosts reply to the victim’s IP, overwhelming the target with traffic.
- **Modern Amplification Variants**: DNS-based and NTP-based amplification attacks are increasingly used, generating massive volumes of attack traffic.

**Resource Exhaustion**: These attacks deplete the target’s resources, causing crashes or network disruptions.

---

#### 3.2.5 Address Spoofing Attacks

Spoofing involves falsifying IP or MAC addresses to disguise an attacker’s identity or mimic a legitimate user.

- **Types of Spoofing**:
  - **IP Address Spoofing**:
    - **Non-blind Spoofing**: The attacker can see the target's response packets, allowing for session hijacking and firewall evasion.
    - **Blind Spoofing**: The attacker cannot see responses but uses spoofed IPs to carry out DoS attacks.
  - **MAC Address Spoofing**: Common on local networks; attackers alter their MAC address to match a legitimate device, disrupting network communication.

**Example**: Attackers on the same network as a server spoof the server’s MAC address, causing switches to reroute traffic to the attacker’s device.
*Threat Actor Spoofs a Server's MAC Address*

![Screenshot 2024-11-08 at 13.44.00](https://hackmd.io/_uploads/SkzHHQjZ1e.png)

*Switch Updates CAM Table with Spoofed Address*

![Screenshot 2024-11-08 at 13.44.13](https://hackmd.io/_uploads/rJ3HS7ibJl.png)

- **Application/Service Spoofing**: Attackers set up rogue DHCP servers, creating MitM opportunities by assigning incorrect network configurations.

>[!Warning]Recap
>There are different types of attacks that target IP. Common IP-related attacks include:
>- ICMP attacks
>- Denial-of-Service (DoS) attacks
>- Distributed Denial-of-Service (DDoS) attacks
>- Address spoofing attacks
>- Man-in-the-middle (MitM) attacks
>- Session hijacking
>
>ICMP was developed to carry diagnostic messages and to report error conditions when routes, hosts, and ports are unavailable. Threat actors use ICMP for reconnaissance and scanning attacks. Threat actors also use ICMP for DoS and DDoS attacks. Threat actors often use amplification and reflection techniques to create DoS attacks. Threat actors also use resource exhaustion attacks to consume the resources of a target host, either to crash it or to consume the resources of a network. IP address spoofing attacks occur when a threat actor creates packets with false source IP address information, either to hide the identity of the sender or to pose as another legitimate user. Address spoofing attacks can be non-blind spoofing to hijack a session, or blind spoofing to create a DoS attack. MAC address spoofing attacks are used when threat actors have access to the internal network.

:::danger
**Check Your Understanding** :ballot_box_with_check:
You can find the answers to the quiz by clicking [here](https://itexamanswers.net/3-6-7-check-your-understanding-ip-vulnerabilities-and-threats-answers.html).
:::

### 3.3 TCP and UDP Vulnerabilities

---

#### 3.3.1 TCP Segment Header

TCP segments immediately follow the IP header and contain fields essential for communication control and reliability.
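Because the Layer 4 header begins exactly where the IP header ends, here is an added example (not part of the course or this cheat sheet) that parses the IPv4 and IPv6 headers from 3.1.2 and 3.1.4, verifies the IPv4 header checksum, walks IPv6 extension headers, and reports the offset at which the TCP or UDP header starts. The sample headers, the documentation-range addresses, and the subset of extension headers handled are constructed assumptions.

```python
import ipaddress
import struct

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
# Assumed subset of IPv6 extension headers: Hop-by-Hop (0), Routing (43), Fragment (44), Destination Options (60).
EXT_HEADERS = {0, 43, 44, 60}

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of the 16-bit words, then complemented."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                                   # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ip_header(packet: bytes) -> dict:
    """Return the security-relevant fields of an IPv4 or IPv6 header plus the offset of the Layer 4 header."""
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4                     # IHL counts 32-bit words; the minimum is 20 bytes
        if ihl < 20 or len(packet) < ihl:
            raise ValueError("truncated or malformed IPv4 header")
        _, _, total_len, _, flags_frag, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
        return {"version": 4, "l4_offset": ihl, "ttl": ttl, "protocol": PROTOCOL_NAMES.get(proto, proto),
                "total_length": total_len, "fragment": bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0,
                # A header is intact when the one's-complement sum over all its words, checksum included, is zero.
                "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
                "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}
    if version == 6:
        if len(packet) < 40:
            raise ValueError("truncated IPv6 header")
        first_word, payload_len, next_header, hop_limit, src, dst = struct.unpack("!IHBB16s16s", packet[:40])
        offset = 40
        while next_header in EXT_HEADERS and len(packet) >= offset + 8:   # walk EHs to the transport header
            nh, ext_len = packet[offset], packet[offset + 1]
            offset += 8 if next_header == 44 else (ext_len + 1) * 8        # Fragment EH is a fixed 8 bytes
            next_header = nh
        return {"version": 6, "l4_offset": offset, "hop_limit": hop_limit, "payload_length": payload_len,
                "protocol": PROTOCOL_NAMES.get(next_header, next_header),
                "traffic_class": (first_word >> 20) & 0xFF, "flow_label": first_word & 0xFFFFF,
                "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst))}
    raise ValueError("unsupported IP version %d" % version)

def build_ipv4_header(src: str, dst: str, proto: int, ttl: int = 64, payload_len: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a valid checksum, used to exercise the parser."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

if __name__ == "__main__":
    print(parse_ip_header(build_ipv4_header("192.0.2.1", "198.51.100.7", 6, payload_len=20)))
```

A header whose TTL or addresses were altered in transit without the checksum being recomputed reports `checksum_ok: False`, which is the check a receiving stack performs before trusting the header.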
![Screenshot 2024-11-08 at 13.51.41](https://hackmd.io/_uploads/H1TgDmibyx.png)

**TCP Segment Fields**:

- **Source Port** (16 bits): The sender’s port number.
- **Destination Port** (16 bits): The receiver’s port number.
- **Sequence Number** (32 bits): Tracks the order of packets in a transmission.
- **Acknowledgment Number** (32 bits): Confirms receipt of data.
- **Header Length** (4 bits): Specifies the size of the TCP header.
- **Control Bits** (6 bits): Include important flags:
  - **URG**: Urgent pointer significant.
  - **ACK**: Acknowledgment field significant.
  - **PSH**: Push data immediately.
  - **RST**: Reset the connection.
  - **SYN**: Synchronize sequence numbers to start a connection.
  - **FIN**: No more data from the sender, ending the connection.
- **Window** (16 bits): Size of the sender’s receive window.
- **Checksum** (16 bits): Verifies header integrity.
- **Urgent Pointer** (16 bits): Points to urgent data.
- **Options**: Optional settings for advanced functionality.

---

#### 3.3.2 TCP Services

TCP provides several key services to ensure reliable, ordered data delivery:

- **Reliable Delivery**: Uses acknowledgments and retransmissions to ensure packet delivery.
- **Flow Control**: Regulates data flow to prevent congestion by allowing multiple segments to be acknowledged in a single packet.
- **Stateful Communication**: Manages connections through the three-way handshake:
  - **Step 1**: The client initiates the connection with a SYN packet.
  - **Step 2**: The server responds with a SYN-ACK.
  - **Step 3**: The client acknowledges with an ACK, establishing the session.

![Screenshot 2024-11-08 at 13.52.17](https://hackmd.io/_uploads/SJdEwXobye.png)

---

#### 3.3.3 TCP Attacks

TCP’s reliance on port connections makes it vulnerable to certain attacks:

- **TCP SYN Flood Attack**:
  - Exploits the three-way handshake. Attackers send numerous SYN requests to a server with spoofed IPs, causing the server to send SYN-ACK responses and await acknowledgments that never arrive.
  - The result is a server overwhelmed by half-open connections, denying access to legitimate users.

![Screenshot 2024-11-08 at 13.53.31](https://hackmd.io/_uploads/By0vvQsZyg.png)

- **TCP Reset Attack**:
  - Terminates TCP connections by sending a spoofed packet with the RST (reset) flag to one or both endpoints, immediately ending the session.

*Terminating a TCP Connection*

![Screenshot 2024-11-08 at 13.54.27](https://hackmd.io/_uploads/BJIivmiZye.png)

- **TCP Session Hijacking**:
  - An advanced attack in which an attacker takes over an active session by spoofing IP addresses, predicting sequence numbers, and injecting malicious packets.

---

#### 3.3.4 UDP Segment Header and Operation

UDP is a connectionless transport protocol with a simpler header structure, making it faster but less reliable than TCP. UDP is used by protocols like DNS, DHCP, and SNMP.

![Screenshot 2024-11-08 at 13.55.45](https://hackmd.io/_uploads/B1QedQj-1x.png)

**UDP Segment Structure**:

- **Source Port** (16 bits): Port of the sending application.
- **Destination Port** (16 bits): Port of the receiving application.
- **Length** (16 bits): Length of the entire UDP segment.
- **Checksum** (16 bits): Verifies data integrity (optional).

UDP’s low overhead is ideal for simple request-response transactions or real-time applications like VoIP. However, UDP lacks the built-in reliability, encryption, and retransmission mechanisms that TCP offers.

---

#### 3.3.5 UDP Attacks

UDP’s connectionless nature makes it susceptible to specific attack types:

- **UDP Flood Attack**:
  - A DoS variant in which attackers flood a server with UDP packets, usually targeting closed ports. Each closed port responds with an ICMP "port unreachable" message, consuming bandwidth and potentially overwhelming the target.
  - Commonly conducted with tools like UDP Unicorn or Low Orbit Ion Cannon.
- **UDP Packet Manipulation**:
  - Attackers can intercept and alter UDP data packets because there is no encryption by default.
    While the checksum field can detect data alterations, it is optional, allowing attackers to modify data and recalculate the checksum undetected.

>[!Warning]Recap
>TCP segment and UDP datagram information appears immediately after the IP header. It is important to understand Layer 4 headers and their functions in data communication. TCP provides reliable delivery, flow control, and stateful communication. TCP stateful communication between two parties occurs during the TCP three-way handshake. Threat actors can conduct a variety of TCP-related attacks:
>- TCP port scans
>- TCP SYN flood attack
>- TCP reset attack
>- TCP session hijacking attack
>
>The UDP segment (i.e., datagram) is much smaller than the TCP segment, which makes it very desirable for use by protocols that make simple request and reply transactions such as DNS, DHCP, SNMP, and others. Threat actors can conduct UDP flood attacks which sweep through all the known UDP ports on a server trying to find closed ports. This can create a DoS situation.
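As an added example (not from the course or this cheat sheet) tying 3.3.1 and 3.3.3 together: it decodes the TCP header fields and control bits, then replays a constructed capture through the three-way handshake states to count, per server, the connections left half-open, which is the condition a SYN flood creates and that a detection rule can alert on. The addresses, ports and capture are constructed, and the alert threshold is an assumption.

```python
import struct
from collections import Counter

# TCP control bits (3.3.1) by their position in the low byte of the data-offset/flags word.
TCP_FLAGS = {0x20: "URG", 0x10: "ACK", 0x08: "PSH", 0x04: "RST", 0x02: "SYN", 0x01: "FIN"}

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and the set of control bits that are on."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _checksum, urgent = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4                    # data offset is in 32-bit words
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window, "urgent": urgent,
            "header_len": header_len, "flags": {n for bit, n in TCP_FLAGS.items() if off_flags & bit},
            "options": segment[20:header_len]}

def build_tcp_segment(sport: int, dport: int, seq: int, ack: int, flags: set) -> bytes:
    """Constructed 20-byte TCP segment (no options, checksum left zero) used for the sample capture."""
    bits = sum(bit for bit, n in TCP_FLAGS.items() if n in flags)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | bits, 65535, 0, 0)

def half_open_report(capture, threshold: int = 3) -> dict:
    """Replay (src_ip, dst_ip, tcp_bytes) records through the three-way handshake states and
    return, per server address, how many connections are still waiting for the client's final ACK."""
    state = {}                                            # (client, server, sport, dport) -> handshake state
    for src, dst, seg in capture:
        h = parse_tcp_header(seg)
        key = (src, dst, h["sport"], h["dport"])
        if h["flags"] == {"SYN"}:
            state[key] = "SYN_RCVD"                       # server answers SYN-ACK and waits
        elif "RST" in h["flags"]:                         # a reset from either side tears the state down
            state.pop(key, None)
            state.pop((dst, src, h["dport"], h["sport"]), None)
        elif "ACK" in h["flags"] and "SYN" not in h["flags"] and state.get(key) == "SYN_RCVD":
            state[key] = "ESTABLISHED"                    # final ACK completes the handshake
    counts = Counter(server for (_, server, _, _), s in state.items() if s == "SYN_RCVD")
    return {server: n for server, n in counts.items() if n >= threshold}

SERVER = "198.51.100.7"
# Constructed capture: one legitimate handshake, then five SYNs from spoofed TEST-NET-3 sources
# (3.3.3) whose SYN-ACKs are never acknowledged, leaving half-open connections on the server.
SAMPLE_CAPTURE = [("192.0.2.10", SERVER, build_tcp_segment(40001, 80, 1000, 0, {"SYN"})),
                  (SERVER, "192.0.2.10", build_tcp_segment(80, 40001, 5000, 1001, {"SYN", "ACK"})),
                  ("192.0.2.10", SERVER, build_tcp_segment(40001, 80, 1001, 5001, {"ACK"}))]
SAMPLE_CAPTURE += [("203.0.113.%d" % i, SERVER, build_tcp_segment(50000 + i, 80, i * 7, 0, {"SYN"}))
                   for i in range(1, 6)]

if __name__ == "__main__":
    print(half_open_report(SAMPLE_CAPTURE))               # {'198.51.100.7': 5}
```

Because the flood's sources are spoofed, the count is kept per server rather than per client; a per-source threshold would never fire here.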