From: gladston@br.ibm.com
Date: Sun May 29 2005 - 15:38:30 GMT-3
Hi,
I have heard that question before. I remember that there was one simple answer. I think it is a lab from DOiT, isn't it?
Well, I am trying to remember that single answer without success. I will search my docs.
In the meantime, I hope you get more feedback.
One point: I do not believe just one command could avoid port scans. I hope the security experts tell us more about this.
A single UDP packet destined to a different port (such as the one used by traceroute) would discover enabled services.
So, disabling unreachable ports would avoid this scan. But blocking unreachable ports would cause other problems. For example, an application would not know immediately that the service is not available.
This article shows more examples of using ICMP for attacks:
=================
quoted
The ICMP Timestamp (type 13) will elicit a Timestamp Reply, but only from Unix systems (Microsoft has not implemented this functionality into its IP stacks). Getting a response to a Timestamp Request not only tells you that a system is up but also that it is not running a Microsoft operating system.
Arkin points out in his paper that Microsoft stacks can also be identified using ICMP Echo Requests. Some ICMP types also have subtypes, called codes, but not ICMP Echo Requests or Replies. If, however, you send an Echo Request with a code value set, Microsoft stacks clear the code in the response, but not Unix stacks. There are also differences in how IP stacks handle IP header errors, which can elicit Parameter Problem messages (type 12). Thus, it's possible to identify both Unix and Windows stacks using ICMP.
ICMP Address Mask Requests (type 16) should only be answered by routers, using an Address Mask Reply (type 17). The Address Mask Request can identify routers as well as collect subnet information, which is useful in mapping networks. As this ICMP type should only be used by local hosts looking for the subnet masks, it is an obvious candidate for blocking at firewalls. Router vendors should design router software so that it only responds to requests from neighboring networks.
Redirects (type 5) are used to adjust routing tables. Imagine that your desktop is on a subnet with two routers, each leading to different networks. Your system will be configured to treat one of these routers as the default router, but when packets that should be sent to the other router arrive at the default router's address, this router will send an ICMP Redirect to your host, adjusting its routing table. Depending on the information available to the router, it can send one of four codes, for example, a Host Redirect (code 0) or a Network Redirect (code 1).
If an attacker can send your system ICMP Redirects, he or she can also adjust your routing table, causing a DoS attack. Cisco Systems routers, for example, will not forward ICMP Redirect messages from other networks, blocking this attack remotely (but not locally). However, this is also an example of an ICMP type that should never pass through a firewall.
Source Quench (type 4) is not used for probing, but could be used for DoS attacks. Source Quench tells the traffic sender to slow down the rate it sends packets to the receiver. While it makes sense to permit Source Quench messages to public servers, it makes no sense to permit these ICMP messages into your internal network.
The Time Exceeded (type 11, code 0) message, which is normally used for error handling, can be used to map networks. IP headers include a Time-To-Live (TTL) value that gets decremented each time the IP packet passes through an IP layer. TTL prevents packets from looping forever; it starts with a value no greater than 255 and eventually becomes zero. An attacker who wants to map a network can use traceroute to send packets with the TTL set artificially low. This causes intermediate routers to send back Time Exceeded messages that include their own source addresses; this is the information you see displayed when you use traceroute (or the Microsoft version, tracert).
A less-obvious use of Time Exceeded messages has to do with its other subtype (code 1). This subtype signals a sending host that not all fragments were received, and that the fragment reassembly time was exceeded. Arkin points out that this can be used to scan by sending only the first fragment, then waiting for the Time Exceeded message to be sent back. This technique can also be used for mapping ports, although it relies on the systems and ports being accessible through a firewall.
One of the most interesting ideas suggested in Arkin's paper has to do with mapping using Destination Unreachable (type 3) messages. The Destination Unreachable type has 15 subtypes (codes) that distinguish exactly what is unreachable, and sometimes why. For example, a router can report that a network, system, or a port on that system is unreachable, and it can also report that it is Administratively Prohibited, in other words, blocked by a firewall or packet filter.
It makes sense to permit Destination Unreachable messages to pass inbound through your firewall. Blocking these messages means that Internet applications like Netscape Navigator or Internet Explorer will hang until a failed connection attempt times out, instead of receiving the Destination Unreachable message and relaying that information to the user.
http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=8702910&classroom=
=================================
FIN and SYN can be used for port scanning:
==================
quoted
Another use for the FIN flag is in TCP service scanning when the query host sends FIN packets at service ports on the target host. If the port is open, no response will be made. If the port is closed, the host will respond with an RST packet. Ports that fail to respond are open; ports that send an RST are closed. The advantage to FIN scanning over SYN scanning is that it is undetectable. However, certain TCP/IP implementations respond to all FIN packets with RST packets, making this method unreliable in some cases.
http://searchnetworking.techtarget.com/tip/1,289483,sid7_gci838703,00.html
===================
This site shows other examples using TCP and UDP:
net-services.ufl.edu/~security/itsa/attacks-ronnau.ppt
Hope that helps. Sorry for not giving a direct answer, but when it comes to the CCIE field, it is better to be armed with more information.
If the task directs us to something about scans using SYN or FIN, maybe a reflexive access-list would be the solution (if reflexive is allowed), not allowing these from untrusted interfaces.
If the task says something about attacks using ICMP, maybe blocking specific types/codes would be the solution.
If the task says something about redirect, disabling redirect messages would be one option.
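As an added example (not part of the original post or of the quoted articles), here is an IOS configuration that puts the three suggestions above together on one untrusted interface: a reflexive access-list so that only return traffic for sessions opened from the inside is accepted (a bare FIN or a SYN arriving from outside matches no reflexive entry and is dropped), explicit denies for the ICMP probe and tamper types the article lists (timestamp, address mask, redirect, source quench), explicit permits for the error types that clients need (unreachable, time-exceeded), and no ip redirects on the interface. The interface name, the ACL names and the timeouts are assumptions for illustration.

```cisco
! Outbound: permit inside-initiated sessions and record them in the
! reflexive list RETURN-TRAFFIC so that only their replies are accepted inbound.
ip access-list extended OUTSIDE-OUT
 remark Sessions opened from the inside, mirrored into RETURN-TRAFFIC
 permit tcp any any reflect RETURN-TRAFFIC timeout 300
 permit udp any any reflect RETURN-TRAFFIC timeout 60
 permit icmp any any reflect RETURN-TRAFFIC timeout 30
!
! Inbound from the untrusted side.
ip access-list extended OUTSIDE-IN
 remark Error messages a client needs in order to fail fast, and
 remark Time Exceeded so traceroute from the inside still works
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Probe and tamper types: OS fingerprinting (timestamp), network
 remark mapping (address mask), routing-table tampering (redirect), DoS (source quench)
 deny   icmp any any timestamp-request log
 deny   icmp any any mask-request log
 deny   icmp any any redirect log
 deny   icmp any any source-quench log
 remark Unsolicited Echo Requests to the inside are not needed either
 deny   icmp any any echo log
 remark Return traffic for sessions in RETURN-TRAFFIC; a FIN or SYN probe
 remark from outside matches no entry here and falls through to the final deny
 evaluate RETURN-TRAFFIC
 deny   ip any any log
!
interface Serial0/0
 description Untrusted link (assumed interface name)
 ip access-group OUTSIDE-OUT out
 ip access-group OUTSIDE-IN in
 ! Do not originate Redirects on this interface; unreachables stay enabled
 ! so that failed connections and traceroute behave normally
 no ip redirects
```

If the task forbids reflexive access-lists, the fallback for the TCP side is `permit tcp any any established` in OUTSIDE-IN, which matches only segments with the ACK or RST bit set; a bare FIN or a bare SYN from the outside still fails to match and is dropped by the final deny, but UDP return traffic then has to be permitted explicitly.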
This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:03 GMT-3