
Vulnerability Analysis and Penetration Testing

End Assignment

Submitted by Basu Ojha


16BCI0130

1. Trivial File Transfer Protocol (RFC 783)


Trivial File Transfer Protocol (TFTP) is a relatively simple protocol that is used for transferring
files. TFTP uses the User Datagram Protocol (UDP) to send and receive data from one end to
another.
Attack: Attackers have created a new DDoS reflection and amplification method that abuses
TFTP. The details of the observed attack are as follows:
1. Peak bandwidth: 1.2 Gigabits per second
2. Peak packets per second: 176.4 Thousand Packets per second
3. Attack Vector: TFTP Reflection
4. Source port: 69(TFTP)
5. Destination port: Random

The targets of a TFTP reflection DDoS are flooded with DATA responses to RRQ (read request)
packets. The attack tool makes a default request for a file ("/x" in this case) from the
TFTP server. The victim TFTP server then returns data to the target host as a
consequence of this request, regardless of whether the filename exists. The request is forged and
manipulated so that the victim TFTP server responds to the malicious actor's
intended target IP. TFTP sends the data back in fixed block sizes; by default this is 512 bytes
of data plus an additional 4 bytes of options (516 bytes in total). The largest replies detected in attacks
have contained 1,460 bytes in total as payload. This puts the amplification factor
at 36.86 and 104.29 for those two payloads respectively, without taking the IP and UDP headers into
consideration.
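The amplification figures above can be reproduced from the RFC packet layout: an RRQ for "/x" in netascii mode is 14 bytes on the wire, and a DATA reply is a 4-byte header plus the block. The following is an added example (not part of the assignment) that builds the request and computes the factor both as the text does (headers excluded) and with the 20-byte IPv4 and 8-byte UDP headers included, which is the figure a capacity planner actually sees.

```python
import struct

# TFTP opcodes from RFC 783/1350; only the read request is needed here
OP_RRQ = 1
IP_UDP_HEADERS = 20 + 8  # IPv4 header + UDP header, added per packet when requested


def build_rrq(filename: str, mode: str = "netascii") -> bytes:
    """Encode a TFTP read request exactly as the RFC lays it out:
    2-byte opcode, filename, NUL terminator, mode string, NUL terminator."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def data_reply_size(block_bytes: int) -> int:
    """Wire size of one DATA packet: 2-byte opcode + 2-byte block number + data block."""
    return 4 + block_bytes


def amplification(request: bytes, reply_bytes: int, include_headers: bool = False) -> float:
    """Bandwidth amplification factor: bytes the reflector sends divided by bytes it
    received. With include_headers=False this matches the figures quoted in the text."""
    overhead = IP_UDP_HEADERS if include_headers else 0
    return round((reply_bytes + overhead) / (len(request) + overhead), 2)


if __name__ == "__main__":
    rrq = build_rrq("/x")  # the 14-byte request the attack tool sends
    print(len(rrq), amplification(rrq, data_reply_size(512)))      # 14 36.86
    print(amplification(rrq, 1460))                                 # 104.29
    print(amplification(rrq, data_reply_size(512), include_headers=True))  # 12.95
```

Counting the headers roughly triples the request size, so the real-world factor for a default block is closer to 13x than 37x; the text's figures are an upper bound.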
Mitigation:
1. For those hosting TFTP servers: assess the need to have UDP port 69 exposed to the
internet. It should be firewalled and allowed only from trusted sources.
2. Snort or a similar IDS can be used to detect abuse of TFTP servers in your
network.
3. Upstream filtering of UDP source port 69 can be applied where possible.
4. A DDoS mitigation provider can also be leveraged to absorb the attack traffic generated.

2. SNMP
Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and
organizing information about managed devices on IP networks and for modifying that information
to change device behavior.
Attack:
An SNMP reflection is a type of Distributed Denial of Service (DDoS) attack that is reminiscent
of earlier generations of DNS amplification attacks. SNMP reflection attacks can produce attack
volumes of hundreds of gigabits per second, which can be focused at targets from multiple
broadband networks. Attacks are occasionally hours in duration, are highly disruptive to their
targets, and can be very challenging to mitigate.
SNMP reflection involves producing a flood of responses to a single spoofed IP address. During
an SNMP reflection attack, the perpetrator sends a large number of SNMP queries with a
forged source IP address to many connected devices, which in turn reply to that forged address. The
attack volume rises as more and more devices reply, until the target network is taken
down under the combined volume of these SNMP responses. With amplification, an SNMP
reflection attack can produce much higher traffic volumes even from a relatively small input
stream, turning it into a much more effective and more dangerous denial of service
threat. The amplification factor of an SNMP reflection attack can be as high as 600x or even 1700x,
according to some of the most recent reports of attack tools that abuse the GetBulk SNMP
operation.

Mitigation:
1. Ingress/egress packet filtering should be used. Access to a given SNMP
server can be limited so that it is reachable only from a narrow range of IP addresses.
2. Anycast technology can be used to balance the attack load across a global network of
high-capacity scrubbing servers, where traffic undergoes Deep Packet
Inspection (DPI) that screens out malicious DDoS traffic.
3. Incapsula DDoS protection can be deployed immediately on top of any network
infrastructure via a BGP announcement, which makes Incapsula the receiver of all
incoming traffic. Once deployed, Imperva's proxy position ensures that DDoS traffic
is filtered outside of the client's network, while clean traffic is forwarded to
its destination through a secure GRE tunnel.

3. SMURF Attack
Smurf is a network layer distributed denial of service (DDoS) attack, named after the
DDoS.Smurf malware that enables its execution. Smurf attacks are carried out by sending a slew
of ICMP Echo request packets. Smurf is an amplification attack vector that increases its damage
potential by exploiting characteristics of broadcast networks.
Attack:
Host A sends an ICMP Echo (ping) request to host B, triggering an automatic response. The time
it takes for a reply to arrive is used as a measure of the virtual distance between the two
hosts. In an IP broadcast network, a ping request is sent to every host to see if it is active,
prompting a reply from each of the recipients. In a Smurf attack the perpetrators take advantage of
this function to amplify their attack traffic.
A Smurf attack scenario can be broken down as follows:
1. Smurf malware is used to produce a fake Echo request containing a spoofed source IP,
which is actually the target server's address.
2. The request is then sent to an intermediate IP broadcast network.
3. The request is transmitted to all of the hosts on that network.
4. Each host sends an ICMP response to the spoofed source address.
5. With enough ICMP replies forwarded, the target server is taken down.
The amplification factor of the Smurf attack corresponds to the number of hosts on the
intermediate network. For example, an IP broadcast network with 500 hosts will produce 500
responses for each fake Echo request. Typically, each of the replies is the same size as the
original ping request.

Mitigation:
1. Smurf attack mitigation relies on a mixture of capacity overprovisioning (CO) and
filtering services that identify and block illegitimate ICMP responses.
2. Infrastructure Protection, one of Imperva's DDoS mitigation solutions, uses BGP routing to
forward all incoming traffic through a worldwide network of scrubbing centers.
3. Through inspection of incoming traffic, all illegitimate packets, including unsolicited ICMP
responses, are recognized and blocked outside of your network.

4. UDP Attack
"UDP flood" is a type of Denial of Service (DoS) attack in which the attacker floods random
ports on the targeted host with IP packets containing UDP datagrams. The receiving host checks for
applications associated with these datagrams and, finding none, sends back a "Destination
Unreachable" packet. As more and more UDP packets are received and answered, the
system becomes overwhelmed and unresponsive to other clients.
Attack:
As there is no initial handshake to form a valid connection, a high volume of "best effort" traffic
can be pushed over UDP to any host, with no built-in protection to limit the rate of the UDP
DoS flood. UDP flood attacks are highly effective and require few resources.
Some UDP flood attacks take the form of DNS amplification attacks, also called "alphabet soup
attacks". UDP does not prescribe specific packet formats, and thus allows attackers to create large
packets (sometimes over 8 KB), fill them with junk text or numbers (hence the "alphabet soup"),
and push them out to the host under attack. When the attacked host receives the garbage-filled
UDP packets on a given port, it looks for the application listening at that port that is associated
with the packet's contents. When it finds that no associated application is listening, it replies
with an ICMP Destination Unreachable packet.

Mitigation:
1. Limiting the rate of ICMP responses can help.
2. UDP flood mitigation also depends on firewalls that filter out or block malicious
UDP packets.
3. Imperva DDoS protection, which leverages Anycast technology, can also be used.
4. Scrubbing software, specifically designed for inline traffic processing, helps to
identify and filter out malicious DDoS packets based on a mixture of factors such as IP
reputation, abnormal attributes and suspicious behavior.
5. The processing is done on-edge with zero delay, allowing only clean traffic to
reach the origin server.

5. TCP Attack
TCP SYN flood is a type of Distributed Denial of Service (DDoS) attack that exploits part of
the normal TCP three-way handshake to consume resources on the targeted server and leave it
unresponsive. In a SYN flood DDoS, the attacker sends TCP connection requests much faster
than the targeted machine can process them, resulting in network saturation.
Attack:
In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted
server, using a fake IP address. The server receives multiple requests that look like legitimate
attempts to establish communication. It replies to each attempt with a SYN-ACK packet from each open
port. The attacker's client either does not send the expected ACK, or, if the IP
address is spoofed, never receives the SYN-ACK in the first place. Either way, the server under
attack will wait for acknowledgement of its SYN-ACK packet for some time.

During this time, the server cannot close the connection by sending an RST packet, and the
connection stays open. Before the connection request can time out, another SYN packet will
arrive. This leaves a progressively larger number of connections half-open, which is why SYN flood
attacks are also referred to as "half-open" attacks. Eventually, as the server's connection
overflow tables fill, service to genuine clients will be denied, and the server may even
malfunction or crash.
Mitigation:

1. Micro blocks: administrators can assign a micro-record (as few as 16 bytes) in the server's
memory for each incoming SYN request instead of a complete connection object.
2. SYN cookies: using cryptographic hashing, the server sends its SYN-ACK response
with a sequence number (seqno) that is constructed from the client IP address, port
number, and possibly other unique identifying information. When the client responds,
this hash is included in the ACK packet. The server verifies the ACK, and only then
allocates memory for the connection.
3. RST cookies: for the first request from a given client, the server purposefully sends an
invalid SYN-ACK. This should result in the client generating an RST packet, which tells
the server something is wrong. If this happens, the server knows the request is
legitimate, logs the client, and accepts subsequent incoming connections from it.
4. Stack tweaking: administrators can tune TCP stacks to mitigate the effect of SYN
floods. This can involve either lowering the timeout until a stack frees memory allocated
to a connection, or selectively dropping incoming connections.
5. Imperva's filtering algorithm continuously examines incoming SYN requests, using SYN
cookies to selectively allocate resources to legitimate visitors.
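The SYN cookie mechanism in mitigation 2 can be shown end to end in a few lines. The following is an added example (not part of the assignment) implementing a simplified cookie in the Linux style: the server's initial sequence number packs a 5-bit time counter, a 3-bit MSS table index and a 24-bit keyed hash over the connection 4-tuple and the client's ISN, so the server keeps no state until a valid ACK arrives. SECRET, the bit layout and the one-minute validity window are assumptions of this example.

```python
import hmac
import hashlib
import struct

# Hypothetical per-boot server secret (placeholder; a real stack draws it from a CSPRNG)
SECRET = bytes(32)


def _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter):
    """24-bit keyed hash over the 4-tuple, the client's ISN and the time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode() + struct.pack("!IB", client_isn, counter)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss_idx, minute):
    """Server ISN placed in the SYN-ACK, with no per-connection state kept:
    bits 31..27 = time counter, bits 26..24 = MSS table index, bits 23..0 = MAC."""
    counter = minute & 0x1F
    mac = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    return (counter << 27) | ((mss_idx & 0x7) << 24) | mac


def verify_cookie(ack, src_ip, src_port, dst_ip, dst_port, client_isn, now_minute, max_age=1):
    """Validate the ACK that completes the handshake: its ACK number must be cookie + 1,
    the cookie must be recent, and the MAC must match. Returns the MSS index on success
    (only now would the server allocate a connection object), otherwise None."""
    cookie = (ack - 1) & 0xFFFFFFFF
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if ((now_minute & 0x1F) - counter) & 0x1F > max_age:  # too old, or from the future
        return None
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, client_isn, counter)
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(expected.to_bytes(3, "big"), got):  # constant-time compare
        return None
    return mss_idx


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:4242 -> server 203.0.113.5:80, client ISN 1000
    c = make_cookie("198.51.100.7", 4242, "203.0.113.5", 80, 1000, 3, minute=7)
    print(verify_cookie(c + 1, "198.51.100.7", 4242, "203.0.113.5", 80, 1000, now_minute=7))  # 3
    print(verify_cookie(c + 1, "198.51.100.8", 4242, "203.0.113.5", 80, 1000, now_minute=7))  # None
```

A spoofed SYN never produces a matching ACK, so the half-open entries the text describes are never created; the trade-off is that the 24-bit MAC and the small MSS table limit which TCP options can be honored.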

6. Lightweight Directory Access Protocol


Lightweight Directory Access Protocol (LDAP) is a client/server protocol used to access,
manage and control directory information. It allows directories to be read and edited over IP networks
and runs directly over TCP/IP using simple string formats for data transfer. It was first developed
as a front end to the X.500 Directory Access Protocol. Lightweight Directory Access Protocol is also
known as RFC 1777.
Attack:
CLDAP is a variant of LDAP that uses UDP (User Datagram Protocol) for transport. The CLDAP
reflection method amplifies replies to 50 times the size of the initial request on average, which
allows it to be used to consistently produce attack traffic exceeding 1 Gbps. This new reflection
and amplification method has since been confirmed by the Akamai Security Intelligence
Response Team (SIRT) and has been observed producing Distributed Denial of Service (DDoS)
attacks comparable to Domain Name System (DNS) reflection, in that most exceed 1 Gbps.
The largest DDoS attack using CLDAP reflection as the sole vector was observed and mitigated
by Akamai. Attributes of the attack were as follows:
Industry Vertical: Internet & Telecom
Peak Bandwidth: 24 Gigabits per second
Peak Packets per Second: 2 Million Packets per second
Attack Vector: CLDAP
Source Port: 389
Destination Port: Random

Mitigation:
1. Ingress filtering is the key to protection from LDAP reflection. If administrators apply ingress
filtering of the CLDAP port from the internet, attackers are not able to scan the
internet and generate a list of systems with UDP port 389 open and listening.
2. Security teams can also add an alerting rule to the network's intrusion detection system
to alert on attempts to use the server as part of a CLDAP reflection attack.
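Mitigation 2 here, and mitigation 2 of the TFTP section, both call for a detection rule. The following is an added example (not part of the assignment) of the logic such a rule needs, run over constructed flow records rather than real traffic: it groups requests to UDP 69/161/389 by claimed source address and time bucket and flags a source that sends many requests within one window and receives far more bytes back than it sent. The byte ratio alone is not enough, since a legitimate client downloading a file shows the same ratio; the request count is what separates spoofed abuse from normal use.

```python
from collections import defaultdict

# UDP services this page discusses as reflectors, keyed by their well-known port
REFLECTOR_PORTS = {69: "tftp", 161: "snmp", 389: "cldap"}


def make_sample_flows():
    """Constructed flow records (not captured traffic): (ts, src_ip, sport, dst_ip, dport, bytes).
    203.0.113.5 is a TFTP server we operate, 198.51.100.7 is the spoofed address of a victim
    (200 forged RRQs in one second), and 192.0.2.9 is a legitimate client fetching 3 blocks."""
    flows = []
    for i in range(200):
        t = i * 0.005
        flows.append((t, "198.51.100.7", 40000 + i, "203.0.113.5", 69, 14))   # forged RRQ
        flows.append((t, "203.0.113.5", 69, "198.51.100.7", 40000 + i, 516))  # DATA to victim
    for i in range(3):
        flows.append((0.3 + i * 0.1, "192.0.2.9", 50000, "203.0.113.5", 69, 14))
        flows.append((0.3 + i * 0.1, "203.0.113.5", 69, "192.0.2.9", 50000, 516))
    return flows


def find_reflection_suspects(flows, window=1.0, min_requests=50, min_ratio=10.0):
    """Per (time bucket, remote address, service): count requests and compare bytes sent
    back with bytes received. Many requests plus a high reply/request byte ratio is the
    signature of the spoofed-source abuse described in the TFTP and CLDAP sections."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_in": 0, "bytes_out": 0})
    for ts, src, sport, dst, dport, size in flows:
        bucket = int(ts // window)
        if dport in REFLECTOR_PORTS:                  # request arriving at our service
            s = stats[(bucket, src, REFLECTOR_PORTS[dport])]
            s["requests"] += 1
            s["bytes_in"] += size
        elif sport in REFLECTOR_PORTS:                # reply leaving our service
            stats[(bucket, dst, REFLECTOR_PORTS[sport])]["bytes_out"] += size
    suspects = []
    for (bucket, remote, service), s in stats.items():
        ratio = s["bytes_out"] / max(s["bytes_in"], 1)
        if s["requests"] >= min_requests and ratio >= min_ratio:
            suspects.append((remote, service, s["requests"], round(ratio, 2)))
    return suspects


if __name__ == "__main__":
    print(find_reflection_suspects(make_sample_flows()))  # [('198.51.100.7', 'tftp', 200, 36.86)]
```

The flagged address is the victim, not the attacker, so the right response is to rate-limit or block replies to it and to filter the service port at the perimeter as mitigation 1 describes, rather than to treat that address as hostile.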
