IP Vulnerabilities and Threats CCNA


This topic explains how IP vulnerabilities are exploited by threat actors.

Note: This topic is part of Module 3 of the Cisco CCNA 3 course. To follow the course in order, go to the CCNA 3 section.

Video – Common IP and ICMP Attacks

There are even more types of attacks than the ones discussed in the previous topics. Some specifically target IP vulnerabilities, as you will learn in this topic.

IPv4 and IPv6

IP does not validate whether the source IP address contained in a packet actually came from that source. For this reason, threat actors can send packets using a spoofed source IP address. Threat actors can also tamper with the other fields in the IP header to carry out their attacks. Security analysts must understand the different fields in both the IPv4 and IPv6 headers.

Some of the more common IP-related attacks are shown in the table.

| IP Attack Techniques | Description |
| --- | --- |
| ICMP attacks | Threat actors use Internet Control Message Protocol (ICMP) echo packets (pings) to discover subnets and hosts on a protected network, to generate DoS flood attacks, and to alter host routing tables. |
| Amplification and reflection attacks | Threat actors attempt to prevent legitimate users from accessing information or services using DoS and DDoS attacks. |
| Address spoofing attacks | Threat actors spoof the source IP address in an IP packet to perform blind spoofing or non-blind spoofing. |
| Man-in-the-middle attack (MITM) | Threat actors position themselves between a source and destination to transparently monitor, capture, and control the communication. They could eavesdrop by inspecting captured packets, or alter packets and forward them to their original destination. |
| Session hijacking | Threat actors gain access to the physical network, and then use an MITM attack to hijack a session. |

ICMP Attacks

Threat actors use ICMP for reconnaissance and scanning attacks. They can launch information-gathering attacks to map out a network topology, discover which hosts are active (reachable), identify the host operating system (OS fingerprinting), and determine the state of a firewall. Threat actors also use ICMP for DoS attacks.

Note: ICMP for IPv4 (ICMPv4) and ICMP for IPv6 (ICMPv6) are susceptible to similar types of attacks.

Networks should have strict ICMP access control list (ACL) filtering on the network edge to avoid ICMP probing from the internet. Security analysts should be able to detect ICMP-related attacks by looking at captured traffic and log files. In the case of large networks, security devices such as firewalls and intrusion detection systems (IDS) detect such attacks and generate alerts to the security analysts.

Common ICMP messages of interest to threat actors are listed in the table.

| ICMP Messages used by Hackers | Description |
| --- | --- |
| ICMP echo request and echo reply | This is used to perform host verification and DoS attacks. |
| ICMP unreachable | This is used to perform network reconnaissance and scanning attacks. |
| ICMP mask reply | This is used to map an internal IP network. |
| ICMP redirects | This is used to lure a target host into sending all traffic through a compromised device and create a MITM attack. |
| ICMP router discovery | This is used to inject bogus route entries into the routing table of a target host. |
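
The check an analyst applies to captured traffic at the network edge can be sketched as follows. This is an added example, not part of the original course material: it parses IPv4 ICMP packets, flags message types from the table that have no reason to arrive from the internet, and flags one outside source sending echo requests to several inside hosts. The packet builder, the 10.0.0.0/24 inside network, the sweep threshold, and the sample addresses are assumptions made for the example.

```python
import ipaddress
import socket
from collections import defaultdict

# ICMPv4 types from the table with no reason to arrive from the internet.
BLOCK_AT_EDGE = {5: "redirect", 9: "router advertisement", 18: "address mask reply"}

def build(src, dst, icmp_type, code=0):
    """Constructed minimal IPv4+ICMP packet (checksums left at zero)."""
    header = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 1, 0, 0])
    addrs = socket.inet_aton(src) + socket.inet_aton(dst)
    return header + addrs + bytes([icmp_type, code, 0, 0, 0, 0, 0, 0])

def parse_icmp(packet):
    """Return (src, dst, type, code) for an IPv4 ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or packet[9] != 1 or len(packet) < ihl + 2:
        return None                        # bad header, not ICMP, or truncated
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, packet[ihl], packet[ihl + 1]

def edge_alerts(packets, inside, sweep_threshold=3):
    """Alerts for ICMP entering `inside` (a CIDR string) from outside."""
    net = ipaddress.ip_network(inside)
    swept = defaultdict(set)               # outside source -> inside hosts pinged
    alerts = []
    for pkt in packets:
        parsed = parse_icmp(pkt)
        if parsed is None:
            continue
        src, dst, icmp_type, _code = parsed
        if ipaddress.ip_address(src) in net or ipaddress.ip_address(dst) not in net:
            continue                       # only outside -> inside traffic
        if icmp_type in BLOCK_AT_EDGE:
            alerts.append((src, BLOCK_AT_EDGE[icmp_type]))
        elif icmp_type == 8:               # echo request
            swept[src].add(dst)
            if len(swept[src]) == sweep_threshold:
                alerts.append((src, "echo sweep"))
    return alerts

# Constructed sample capture: documentation ranges outside, 10.0.0.0/24 inside.
SAMPLE = [build("203.0.113.9", f"10.0.0.{h}", 8) for h in (1, 2, 3)]
SAMPLE += [build("198.51.100.7", "10.0.0.5", 5, 1),   # redirect from outside
           build("10.0.0.8", "10.0.0.1", 8),          # inside to inside: ignored
           build("192.0.2.4", "10.0.0.9", 0)]         # echo reply: not alerted
```

On the constructed capture, `edge_alerts(SAMPLE, "10.0.0.0/24")` reports the echo sweep from 203.0.113.9 and the redirect from 198.51.100.7; the inside-to-inside ping and the inbound echo reply raise nothing.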

Amplification and Reflection Attacks

Threat actors often use amplification and reflection techniques to create DoS attacks. The example in the figure illustrates how an amplification and reflection technique called a Smurf attack is used to overwhelm a target host.

Figure: Amplification and Reflection Attacks

Note: Newer forms of amplification and reflection attacks such as DNS-based reflection and amplification attacks and Network Time Protocol (NTP) amplification attacks are now being used.

Threat actors also use resource exhaustion attacks. These attacks consume the resources of a target host either to crash it or to consume the resources of a network.

Address Spoofing Attacks

IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender, or to pose as another legitimate user. The threat actor can then gain access to otherwise inaccessible data or circumvent security configurations. Spoofing is usually incorporated into another attack such as a Smurf attack.

Spoofing attacks can be non-blind or blind:

  • Non-blind spoofing – The threat actor can see the traffic that is being sent between the host and the target. The threat actor uses non-blind spoofing to inspect the reply packet from the target victim. Non-blind spoofing can be used to determine the state of a firewall and to predict sequence numbers. It can also be used to hijack an authorized session.
  • Blind spoofing – The threat actor cannot see the traffic that is being sent between the host and the target. Blind spoofing is used in DoS attacks.

MAC address spoofing attacks are used when threat actors have access to the internal network. Threat actors alter the MAC address of their host to match another known MAC address of a target host, as shown in the figure. The attacking host then sends a frame throughout the network with the newly-configured MAC address. When the switch receives the frame, it examines the source MAC address.

Threat Actor Spoofs a Server’s MAC Address

The switch overwrites the current CAM table entry and assigns the MAC address to the new port, as shown in the figure. It then forwards frames destined for the target host to the attacking host.

A server and a threat actor are connected to the same switch. The server has a MAC address of AABBCC and is connected to port 1. The threat actor is connected to port 2 and has a spoofed MAC address of AABBCC. A callout below the switch reads: The device with MAC address AABBCC has moved to Port 2. I must adjust my MAC address table accordingly. A diagram above the switch indicates that it has mapped AABBCC to port 2. Port 1 does not have a mapping.

Switch Updates CAM Table with Spoofed Address
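
The CAM table behaviour in the figure, and what a defender can log or block, can be modelled in a few lines. This is an added example, not from the original course material and not a vendor implementation: the Switch class, the "mac-move" and "violation" event names, the pinned_ports option (a port-security-style control the page does not describe), and the client MAC 112233 on port 3 are all assumptions made for the illustration.

```python
class Switch:
    """Toy model of CAM-table learning; `pinned_ports` is an added assumption
    (a port-security-style control), not something the page describes."""

    def __init__(self, pinned_ports=()):
        self.cam = {}                    # source MAC -> port it was learned on
        self.pinned = set(pinned_ports)  # MACs learned on these ports may not move
        self.events = []                 # what an analyst would see logged

    def receive(self, port, src_mac, dst_mac):
        """Learn src_mac, then return the egress port for dst_mac.

        Returns None when the frame would be flooded and "drop" when the
        source MAC is already pinned to another port.
        """
        known = self.cam.get(src_mac)
        if known is not None and known != port:
            if known in self.pinned:
                self.events.append(("violation", src_mac, known, port))
                return "drop"
            self.events.append(("mac-move", src_mac, known, port))
        self.cam[src_mac] = port         # default behaviour: overwrite the entry
        return self.cam.get(dst_mac)

def scenario(pinned_ports=()):
    """Replay the figure: server AABBCC on port 1, spoofed frame on port 2.

    The client MAC 112233 on port 3 and the FFFFFF destination are
    constructed for this example.
    """
    sw = Switch(pinned_ports)
    sw.receive(1, "AABBCC", "FFFFFF")    # server's frame teaches port 1
    sw.receive(2, "AABBCC", "FFFFFF")    # same source MAC arrives on port 2
    egress = sw.receive(3, "112233", "AABBCC")  # client sends to the server
    return egress, sw.events

if __name__ == "__main__":
    print("learning only:", scenario())
    print("port 1 pinned:", scenario(pinned_ports={1}))
```

With plain learning, the client's frame for AABBCC leaves on port 2 and the only trace is the logged move from port 1 to port 2; with port 1 pinned, the spoofed frame is dropped and the client's frame still leaves on port 1.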

Application or service spoofing is another spoofing example. A threat actor can connect a rogue DHCP server to create an MITM condition.
