New DOS attacks threaten wireless data networks

Forget spam, viruses, worms, malware and phishing. These threats are apparently old school when compared to a new class of denial-of-service (DOS) attacks that threaten wireless data networks.

The latest wireless network threats were outlined in a talk here Thursday by Krishan Sabnani, vice president of networking research at Bell Labs, at the Cyber Infrastructure Protection Conference at City College of New York.

Sabnani said the latest wireless data network threats are the result of inherent weaknesses in Mobile IP, a protocol that uses tunneling and complex network triangulation to allow mobile devices to move freely from one network to another.

“We need to especially monitor the mobile networks – with limited bandwidth and terminal battery – for DOS attacks,” Sabnani said.

Here are five wireless data network threats outlined by Sabnani:

1. Signaling DOS

2. Battery Drain

3. Peer-to-Peer Applications

4. Malfunctioning Air Card

5. Excessive Port Scanning

Read the full article on NetworkWorld.com

Cisco: DoS protection using TCP Intercept

Every now and then, all network engineers have to deal with some kind of network attack. Usually the attack does not target the network devices but the machines that provide services (e.g. web servers, database hosts…), because it is much easier to find a script on the Internet that probes port 80, for example, which any kiddie can use, than to corrupt BGP in order to act as a man-in-the-middle. Anyway, in front of the machine being attacked there is a network device, and even if the network component is not the target it can be affected (e.g. by the high traffic volume encountered during a denial-of-service attack). So, besides the fact that we have to protect the network components, we have the duty (at least a moral one) to help the team that manages the servers to mitigate the attack.

For those of you who are not familiar with it, I will explain shortly what a Denial-of-Service (DoS) attack is. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, web hosting providers and so on. One common method of attack involves saturating the target machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. This flood of external requests can be achieved using an ICMP flood, a peer-to-peer attack, a teardrop attack, a nuke, an application-level flood and many other (too many…) methods. The purpose is either to consume resources on the target machine so that it can no longer provide its intended service, or to obstruct the communication media between the intended users and the victim so that they can no longer communicate adequately.

One method to prevent DoS attacks is to limit, on the network device (the network router), the number of connections which are allowed to pass to a server by using TCP Intercept. The TCP Intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP Intercept software intercepts TCP synchronization (SYN) packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Thus, connection attempts from unreachable hosts will never reach the server. The software continues to intercept and forward packets throughout the duration of the connection.

The main steps to enable TCP Intercept are:

1. Define an IP extended access list
2. Enable TCP intercept
3. Fine-tune the TCP intercept parameters

TCP Intercept can operate in either active intercept mode or passive watch mode. The default is intercept mode.
In intercept mode, the software actively intercepts each incoming connection request (SYN) and responds on behalf of the server with an ACK and SYN, then waits for an ACK of the SYN from the client. When that ACK is received, the original SYN is sent to the server and the software performs a three-way handshake with the server. When this is complete, the two half-connections are joined.

In watch mode, connection requests are allowed to pass through the router to the server but are watched until they become established. If they fail to become established within a definite interval, the software sends a Reset to the server to clear up its state.

In the following topology we have the Server (10.10.10.100) and the possible Attacker (10.10.20.100). In the middle we have the router called R1, which is responsible for mitigating the attack against port 80 on the Server. For this I would choose to apply the following configuration:

access-list 101 permit tcp any host 10.10.10.100 eq 80

ip tcp intercept mode intercept
ip tcp intercept list 101
ip tcp intercept max-incomplete high 150
ip tcp intercept max-incomplete low 100
ip tcp intercept drop-mode oldest

Some explanation for the lines above. We create an access-list matching the TCP traffic from anywhere to port 80 on the Server. We set the TCP intercept mode to intercept (this is not actually needed, because it is the default mode; I put it here just for the sanity of the example). When the number of incomplete connections exceeds 150 (…max-incomplete high 150) the router will start to drop connections, starting with the oldest ones (…drop-mode oldest). As soon as the number of connections falls under 100 (…max-incomplete low 100), the router will cease to drop connections. These are just values used for this example.
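To make the interplay of the two thresholds and the drop mode more concrete, here is a small Python simulation. It is an added example, not part of the original post and not Cisco code, and it does not talk to a router: it only models the router's table of half-open (incomplete) connections, the max-incomplete high/low watermarks from the configuration above and the drop-mode oldest deletion. The 30 second give-up time for an unanswered SYN/ACK, and its halving in aggressive mode, are assumptions taken from the IOS documentation as I remember it; the class and function names are my own, and the addresses are constructed (the Attacker from the topology above, 192.0.2.7 as a legitimate client).

```python
import random
from collections import OrderedDict


class TcpInterceptSim:
    """Half-open connection table of a router running TCP Intercept in intercept mode.

    Added illustration, not Cisco code. The parameters mirror the IOS commands used
    above (max-incomplete high/low, drop-mode oldest). The 30 s give-up time for an
    unanswered SYN/ACK and its halving in aggressive mode are assumptions taken from
    my reading of the IOS documentation; the timing model is otherwise simplified.
    """

    def __init__(self, high=150, low=100, drop_mode="oldest", giveup=30.0):
        self.high, self.low = high, low
        self.drop_mode = drop_mode
        self.giveup = giveup              # seconds before an unanswered SYN/ACK is abandoned
        self.aggressive = False
        self.incomplete = OrderedDict()   # (client, sport) -> arrival time, oldest first
        self.established = 0
        self.dropped = 0                  # entries deleted by aggressive mode
        self.expired = 0                  # entries whose client never answered the SYN/ACK
        self.peak = 0

    def syn(self, client, sport, now):
        """A client SYN arrives: the router answers SYN/ACK itself and records a half-open entry."""
        self.incomplete[(client, sport)] = now
        self.peak = max(self.peak, len(self.incomplete))
        self._update_mode()
        if self.aggressive:
            self._drop_one()   # each new SYN in aggressive mode deletes one existing entry

    def ack(self, client, sport):
        """The client's final ACK: the router now completes the server side and joins the halves."""
        if self.incomplete.pop((client, sport), None) is None:
            return False       # the entry was already dropped or expired: client must retry
        self.established += 1
        self._update_mode()
        return True

    def expire(self, now):
        """Abandon half-open entries whose SYN/ACK retransmissions have run out."""
        limit = self.giveup / 2 if self.aggressive else self.giveup
        stale = [key for key, t in self.incomplete.items() if now - t >= limit]
        for key in stale:
            del self.incomplete[key]
        self.expired += len(stale)
        self._update_mode()
        return len(stale)

    def _update_mode(self):
        n = len(self.incomplete)
        if n > self.high:
            self.aggressive = True
        elif n < self.low:
            self.aggressive = False   # hysteresis: stay aggressive until below the low mark

    def _drop_one(self):
        if not self.incomplete:
            return
        if self.drop_mode == "oldest":
            self.incomplete.popitem(last=False)
        else:  # "random"
            del self.incomplete[random.choice(list(self.incomplete))]
        self.dropped += 1


def simulate_syn_flood(spoofed=300, high=150, low=100):
    """Constructed scenario: 300 spoofed SYNs (no ACKs) in one second, then one legitimate
    client completes its handshake, then 30 s pass with no further traffic."""
    router = TcpInterceptSim(high=high, low=low)
    for i in range(spoofed):
        # constructed attacker: 10.10.20.100 with a fresh source port per SYN
        router.syn("10.10.20.100", 40000 + i, now=i / spoofed)
    legit = ("192.0.2.7", 51000)           # constructed legitimate client (TEST-NET-1)
    router.syn(*legit, now=1.0)
    legit_ok = router.ack(*legit)          # newest entry, so drop-mode oldest spared it
    aggressive_during = router.aggressive
    router.expire(now=31.0)                # spoofed half-opens time out, table drains
    return {
        "peak_incomplete": router.peak,
        "dropped": router.dropped,
        "expired": router.expired,
        "legit_established": legit_ok,
        "aggressive_during_flood": aggressive_during,
        "aggressive_after_expire": router.aggressive,
        "remaining": len(router.incomplete),
    }


if __name__ == "__main__":
    for key, value in simulate_syn_flood().items():
        print(f"{key:>24}: {value}")
```

Running it shows the table capped at the high watermark while the 300 spoofed SYNs arrive (it only ever reaches 151 for an instant before the oldest entry is deleted), the legitimate client still getting through because its entry is the newest, and the router leaving aggressive mode only after the stale half-open entries expire and the count falls below the low watermark. That last point is the reason the high and low values differ: without the gap the router would flap in and out of aggressive mode on every connection.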

To check the TCP intercept you can use the following commands on the Cisco router:

show tcp intercept connections
show tcp intercept statistics

To see a live example of what you should see if your TCP Intercept configuration is working properly, have a look at the image below. The test was done in a Dynamips environment with 2 VMware machines (client and server) running Ubuntu and a Cisco 3640 series router.

Cisco TCP Intercept

Cisco: How to achieve network redundancy with 2 interfaces

Some time ago, during my preparation for the Cisco CCIE certification, I encountered a task that, I have to admit, made me think a little bit, even though I should have seen the solution from the first minute. The idea, at least as I see it, is that the more you learn for some certification, the more you start to see only the complex and painful part of networking, and this made me skip over the simplest solution. Something like: I learn to fly to the moon but I forget how to step on earth…

Before I start, please have a look at this network topology. The task had a statement that, due to the monthly cost, R1 should use only one line (Frame-Relay) to communicate with the networks behind R2 (in this example I took Loopback0: 2.2.2.2/32), and in case the line protocol on R1's interface to the Frame-Relay cloud goes down, the connection to R3 should become active and traffic should flow through there. The scope was to achieve some redundancy from R1 to the rest of the network. As I said before, the solution was much simpler than what I initially started to think of, and you can see it immediately.

Regarding the routing, since this is not the main point discussed here, I just added 2 static routes on R1 to 2.2.2.2: one route through R2 and another one through R3 (with a higher administrative distance). Of course I put the necessary static routes and tracking on R2 and R3.

One piece of advice if you want to try this on your own with this topology: do not manually shut down the main interface to enable the backup one, as it will not work. For testing you have to find a way to bring the main interface down without it being administratively down. This is just so you do not get angry that this method is not working.

cisco interface backup