An attack from inside is much easier to carry out than one from the outside over the Internet. But, as you will see, an outside attacker is not in a losing position either and still has plenty of tools to make an admin's life difficult. Let's have a look at what kinds of attacks an intruder may carry out and what effect they have on network resources.
1. Non-blind IP spoofing
The Attacker, the Receiver and the Victim are in the same network segment (layer 2). Because the Attacker shares the wire, it can sniff the TCP handshake and read the sequence numbers directly instead of having to guess them; that is what makes this variant "non-blind". The Attacker sends the last ACK of the handshake, with the Victim's IP address as the source, towards the Receiver before the Victim does. To keep receiving the Receiver's replies, the Attacker also makes the Receiver map the Victim's IP address to the Attacker's MAC address (a forged ARP reply does this). From then on, whenever the Receiver wants to communicate with the IP address that belongs to the Victim, it unknowingly sends the frames to the Attacker.
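The remapping of the Victim's IP address to the Attacker's MAC is the part of this attack that is visible on the segment. The following is an added example, not code from the original article: an arpwatch-style check that tracks which MAC answers for each IP and alerts when a binding changes or a reply contradicts a trusted static entry. The ARP trace, the addresses and the gateway entry are all constructed for the example.

```python
"""Constructed example: detecting the IP-to-MAC remapping the attack above
depends on, by watching ARP replies seen on the segment."""
from collections import defaultdict


class ArpWatch:
    """Track which MAC answers for each IP; alert when a binding changes,
    or when a reply contradicts a trusted static entry such as the gateway."""

    def __init__(self, static=None):
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.bindings = dict(self.static)      # ip -> mac, as learned from the wire
        self.alerts = []

    def on_arp_reply(self, ts, ip, mac):
        """Feed one ARP reply (sender IP/MAC); returns the alert raised, if any."""
        mac = mac.lower()
        known = self.bindings.get(ip)
        alert = None
        if known is None:
            self.bindings[ip] = mac                 # first time we see this IP
        elif known != mac:
            if ip in self.static:
                # Never overwrite a trusted entry; the contradicting reply is the evidence
                alert = f"{ts} reply claims {ip} is at {mac}, static entry says {known}"
            else:
                alert = f"{ts} {ip} moved from {known} to {mac}"
                self.bindings[ip] = mac             # a plain ARP cache would do the same
        if alert:
            self.alerts.append(alert)
        return alert

    def suspicious_macs(self):
        """MACs currently bound to more than one IP: one host answering for several addresses."""
        by_mac = defaultdict(set)
        for ip, mac in self.bindings.items():
            by_mac[mac].add(ip)
        return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Constructed ARP trace: the gateway is a trusted static entry; aa:bb:cc:00:00:66 is the Attacker.
GATEWAY = {"192.168.10.1": "aa:bb:cc:00:00:01"}
TRACE = [
    (1, "192.168.10.20", "aa:bb:cc:00:00:20"),   # Victim announces itself
    (2, "192.168.10.30", "aa:bb:cc:00:00:30"),   # another host on the segment
    (3, "192.168.10.20", "aa:bb:cc:00:00:66"),   # Attacker claims the Victim's IP
    (4, "192.168.10.1",  "aa:bb:cc:00:00:66"),   # Attacker also claims the gateway
    (5, "192.168.10.30", "aa:bb:cc:00:00:66"),   # and a third address
]


def replay(trace, static=GATEWAY):
    """Run a trace through the watcher; returns the watcher for inspection."""
    watch = ArpWatch(static)
    for ts, ip, mac in trace:
        watch.on_arp_reply(ts, ip, mac)
    return watch


if __name__ == "__main__":
    w = replay(TRACE)
    print("\n".join(w.alerts))
    print(w.suspicious_macs())
```

A real deployment feeds on_arp_reply from a capture on the segment; static entries for the gateway and servers are what turn a "binding moved" event into a definite contradiction rather than a possible DHCP lease change.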
2. Blind IP spoofing with Source Routing
The principle is the same as in non-blind IP spoofing, but the Attacker is behind the router, for example somewhere on the Internet, and cannot see the Victim's traffic, so the sequence numbers have to be guessed (hence "blind"). How is it possible for the Attacker to send packets with a source address that belongs to the inside network when he sits on the external interface of a router doing NAT? Shouldn't the router reject such a packet? Not necessarily. A plain router is not interested in the source IP address at all; the only information it needs is how to deliver the packet to the destination network. So we may send a packet with any source address we want. We can prevent this behaviour with Unicast Reverse Path Forwarding (uRPF): the router looks up through which interface the packet's source address is reachable, and if that is not the interface the packet arrived on (an inside address arriving on the outside interface, for example) the packet is dropped.

There is also another mechanism the attacker may use, called SOURCE ROUTING, which consists in modifying the IPv4 header. Source routing forces the routers to forward the packet in a specified direction along a specified path: the Attacker dictates the route. There are two kinds of source routing: LOOSE, which names a few hops that must be visited but otherwise relies on the routing protocols implemented on the routers to get between them, and STRICT, where the Attacker specifies every hop of the path exactly. This allows the attacker to bypass the routers on the normal path that have security measures implemented. How is source routing implemented? The IPv4 header has a field called "IP Options", and one of the options is source routing, which was originally introduced as a diagnostic tool. Since it is hardly ever needed, the usual security measure is to make the router ignore the option and drop source-routed packets (on Cisco IOS this is the "no ip source-route" command).
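To make the two checks above concrete, here is an added example (not code from the original article) of what an edge router's input filter has to do: parse the IPv4 header far enough to see the "IP Options" area, refuse packets carrying a loose (type 131) or strict (type 137) source route, and apply a strict uRPF lookup of the source address against the routing table. The routing table, the addresses and the packets are constructed for the example; the header checksum is built as zero and not verified, since that is not the point here.

```python
"""Constructed example: inspecting IPv4 options for source routing and
applying a strict uRPF check, the way a border router would."""
import ipaddress
import struct

LSRR = 0x83  # Loose Source and Record Route (RFC 791 option type 131)
SSRR = 0x89  # Strict Source and Record Route (option type 137)
SOURCE_ROUTE_TYPES = {LSRR: "loose", SSRR: "strict"}


def parse_options(opts):
    """Walk the IPv4 options area and return a list of (type, payload) pairs."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No Operation: a single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without a length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option length runs past the header")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out


def parse_ipv4(raw):
    """Parse the fixed header plus options; the checksum is not verified here."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum = struct.unpack("!BBHHHBBH", raw[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "src": str(ipaddress.IPv4Address(raw[12:16])),
        "dst": str(ipaddress.IPv4Address(raw[16:20])),
        "ttl": ttl, "proto": proto, "total_len": total_len,
        "options": parse_options(raw[20:ihl]),
    }


def source_route(pkt):
    """Return ("loose"|"strict", [hop addresses]) if a source-route option is present, else None."""
    for kind, body in pkt["options"]:
        if kind in SOURCE_ROUTE_TYPES:
            addrs = body[1:]   # body[0] is the pointer into the route data
            hops = [str(ipaddress.IPv4Address(addrs[j:j + 4]))
                    for j in range(0, len(addrs) - len(addrs) % 4, 4)]
            return SOURCE_ROUTE_TYPES[kind], hops
    return None


def urpf_verdict(src, ingress, routes):
    """Strict uRPF: accept only if the best route back to src leaves via the ingress interface."""
    addr = ipaddress.IPv4Address(src)
    best = None
    for prefix, iface in routes:          # longest-prefix match over (prefix, interface) pairs
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        return "drop: no route back to source"
    if best[1] != ingress:
        return "drop: source belongs on %s but arrived on %s" % (best[1], ingress)
    return "accept"


def router_decision(raw, ingress, routes):
    """What the edge router does with a packet: refuse source routing, then run uRPF."""
    pkt = parse_ipv4(raw)
    sr = source_route(pkt)
    if sr is not None:
        return "drop: %s source route via %s" % (sr[0], ", ".join(sr[1]))
    return urpf_verdict(pkt["src"], ingress, routes)


def build_ipv4(src, dst, options=b"", proto=6, ttl=64):
    """Construct a bare IPv4 header (no payload, zero checksum) with the given options."""
    options += b"\x00" * (-len(options) % 4)   # pad the options area to a 32-bit boundary
    ihl = (20 + len(options)) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0, ttl, proto, 0,
                        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return fixed + options


def lsrr_option(hops):
    """Build a Loose Source and Record Route option listing the given hops."""
    data = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([LSRR, 3 + len(data), 4]) + data   # type, length, pointer (first hop at offset 4)


# Constructed routing table of the edge router: the inside LAN and a default route to the Internet.
ROUTES = [("192.168.10.0/24", "inside"), ("0.0.0.0/0", "outside")]

if __name__ == "__main__":
    spoofed = build_ipv4("192.168.10.5", "192.168.10.20")
    print(router_decision(spoofed, "outside", ROUTES))   # inside address arriving from the Internet
    print(router_decision(spoofed, "inside", ROUTES))    # the same packet from the LAN is fine
    routed = build_ipv4("203.0.113.7", "192.168.10.20", lsrr_option(["198.51.100.1", "192.168.10.1"]))
    print(router_decision(routed, "outside", ROUTES))    # source-routed: dropped before uRPF runs
```

The order matters: the source-route check comes first because a source-routed packet's addresses are chosen by the attacker, so a uRPF result on its own says nothing about where the packet will really go.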
3. DoS (TCP SYN Flood)
The Attacker initiates TCP sessions and sends, say, a hundred thousand TCP SYN packets towards the Server, but puts the Victim's IP address in the source address field instead of his own. The Server answers every SYN with a SYN-ACK, but sends those packets to the VICTIM. The links leading to the Server and to the Victim are saturated, and on top of that the Server has to keep a half-open connection entry for every SYN it answered while it waits for an ACK that never arrives. Once that table (the listen backlog) is full, new legitimate connections are refused and further use of the Server is not possible. The usual countermeasure is SYN cookies: the server encodes what it needs to know about the connection in its initial sequence number instead of storing it, and only allocates state when a valid ACK comes back.
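The following is an added example, not code from the original article, that models a listening socket's SYN queue and runs the flood described above against it twice: once with a plain backlog, which the spoofed SYNs fill up so that a legitimate client is turned away, and once with SYN cookies, where the server keeps no state and the legitimate client's ACK validates against a keyed hash. The cookie layout (a 3-bit time slot plus a 29-bit HMAC over the 4-tuple) is a simplified version of what real stacks do, and the addresses, ports and counts are constructed.

```python
"""Constructed example: a listener model showing how a spoofed-source SYN flood
exhausts the half-open backlog, and how SYN cookies avoid keeping that state."""
import hashlib
import hmac
import os

SERVER_IP, SERVER_PORT = "192.0.2.10", 80        # constructed documentation address
SECRET = os.urandom(16)                           # per-server cookie key (rotated in real stacks)


def _cookie_hash(src_ip, src_port, client_isn, slot):
    """Low 29 bits of an HMAC over the connection 4-tuple, the client's ISN and the time slot."""
    msg = f"{src_ip}:{src_port}>{SERVER_IP}:{SERVER_PORT}|{client_isn}|{slot}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFFF


def make_cookie(src_ip, src_port, client_isn, now):
    """Server ISN = 3-bit time slot (64 s granularity) || 29-bit keyed hash. Nothing is stored."""
    slot = (now // 64) & 0x7
    return (slot << 29) | _cookie_hash(src_ip, src_port, client_isn, slot)


def check_cookie(src_ip, src_port, client_isn, server_isn, now):
    """Valid only if the slot is the current or previous one and the hash matches."""
    slot = server_isn >> 29
    current = (now // 64) & 0x7
    if slot not in (current, (current - 1) & 0x7):
        return False
    return hmac.compare_digest(
        (server_isn & 0x1FFFFFFF).to_bytes(4, "big"),
        _cookie_hash(src_ip, src_port, client_isn, slot).to_bytes(4, "big"))


class Listener:
    """Minimal model of a listening socket: a bounded table of half-open connections."""

    def __init__(self, backlog=128, syn_cookies=False):
        self.backlog, self.syn_cookies = backlog, syn_cookies
        self.half_open = {}      # (src_ip, src_port) -> server ISN awaiting the final ACK
        self.established = set()
        self.dropped_syns = 0
        self._isn = 1000

    def on_syn(self, src_ip, src_port, client_isn, now):
        """Return the server ISN sent in the SYN-ACK, or None if the SYN was dropped."""
        if self.syn_cookies:
            return make_cookie(src_ip, src_port, client_isn, now)   # stateless
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1                                  # table full: SYN discarded
            return None
        self._isn += 64000
        self.half_open[(src_ip, src_port)] = self._isn
        return self._isn

    def on_ack(self, src_ip, src_port, client_isn, ack_number, now):
        """Third handshake packet: ack_number must be server ISN + 1."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            ok = check_cookie(src_ip, src_port, client_isn, ack_number - 1, now)
        else:
            ok = self.half_open.get(key) == ack_number - 1
            if ok:
                del self.half_open[key]
        if ok:
            self.established.add(key)
        return ok


def simulate(syn_cookies, flood_size=1000, backlog=128, now=100_000):
    """Flood with the Victim's address as source (the SYN-ACKs go to the Victim, so no ACK
    ever comes back), then let one legitimate client try to complete the handshake."""
    srv = Listener(backlog=backlog, syn_cookies=syn_cookies)
    for i in range(flood_size):
        srv.on_syn("203.0.113.9", 1024 + i, client_isn=i, now=now)   # constructed Victim address
    isn = srv.on_syn("198.51.100.4", 40000, client_isn=7, now=now)   # legitimate client
    connected = isn is not None and srv.on_ack("198.51.100.4", 40000, 7, isn + 1, now + 1)
    return {"connected": connected, "half_open": len(srv.half_open), "dropped_syns": srv.dropped_syns}


if __name__ == "__main__":
    print("backlog only:", simulate(syn_cookies=False))
    print("SYN cookies :", simulate(syn_cookies=True))
```

Note what the cookie does not fix: the SYN-ACKs still leave for the Victim, so the link saturation described above remains; cookies only stop the Server from running out of connection state.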
4. DDoS (Distributed Denial of Service) – Smurf, Tribe Flood Network and ICMP Ping of Death
The difference between DoS and DDoS lies in the number of devices used. "Smurfs" are nothing more than unwitting hosts that have been used for bad things. In a Smurf attack the Attacker sends a single PING (ICMP echo request) to the broadcast address of the Smurfs' network, with the Victim's address forged as the source; every host on that segment answers, so one packet from the Attacker turns into, say, 2000 echo replies aimed at the Server (the Victim), which makes the Server useless. Tribe Flood Network (TFN) is a DDoS tool built on the same idea of using many unwitting hosts: the attacker controls a set of compromised agents that flood the target on command, a Smurf-style broadcast flood being one of the floods they can launch. The other thing that can be done is sending "jumbo" ICMP packets. A normal ping carries about 64 bytes; what happens if we send thousands of packets of 64000 bytes instead of 64? The router will not be able to keep up with servicing our requests. The classic Ping of Death goes a step further: fragments that reassemble to more than 65535 bytes, the largest size an IPv4 datagram may have, which crashed old IP stacks that did not check the reassembled length. The Attacker is able to reach the Smurfs' broadcast address even from a different subnet thanks to "ip directed-broadcast", which should always be turned off on the interface (on Cisco IOS: "no ip directed-broadcast").
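As an added example (not code from the original article), the following classifies ICMP packet records for the three things described above: an echo request aimed at one of our subnets' directed-broadcast addresses (the Smurf trigger), a crowd of echo replies converging on one destination (what the Victim sees), and a fragment that would push the reassembled datagram past 65535 bytes (Ping of Death), while leaving a large-but-legal 64 kB ping alone. The subnets, the addresses and the small "capture" are all constructed for the example.

```python
"""Constructed example: flagging the ICMP abuses described above from packet records:
echo requests to a directed-broadcast address (the Smurf trigger), the flood of
replies it provokes at the Victim, and fragments that would reassemble beyond the
IPv4 maximum (Ping of Death)."""
import ipaddress
from collections import defaultdict

IPV4_MAX = 65535            # largest total length an IPv4 datagram can have
ECHO_REQUEST, ECHO_REPLY = 8, 0
# Constructed: the subnets behind our router whose broadcast addresses a Smurf would target.
LOCAL_NETS = [ipaddress.IPv4Network(n) for n in ("192.168.10.0/24", "10.20.0.0/16")]


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of our subnets."""
    addr = ipaddress.IPv4Address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def smurf_requests(records):
    """Echo requests sent to a subnet broadcast address: the trigger packet of a Smurf attack."""
    return [r for r in records
            if r["proto"] == "icmp" and r["type"] == ECHO_REQUEST and is_directed_broadcast(r["dst"])]


def reply_amplification(records, threshold=50):
    """Distinct echo-reply sources per destination; many replies converging on one host
    means that host's address was forged as the source of a broadcast ping."""
    sources = defaultdict(set)
    for r in records:
        if r["proto"] == "icmp" and r["type"] == ECHO_REPLY:
            sources[r["dst"]].add(r["src"])
    return {dst: len(s) for dst, s in sources.items() if len(s) >= threshold}


def oversized_datagrams(records):
    """Ping of Death: a fragment whose offset (in 8-byte units) plus its data length would
    push the reassembled datagram (20-byte header + data) past 65535 bytes."""
    hits = set()
    for r in records:
        if r["proto"] != "icmp":
            continue
        reassembled = 20 + r["frag_offset"] * 8 + r["len"]
        if reassembled > IPV4_MAX:
            hits.add((r["src"], r["dst"], r["ip_id"]))
    return sorted(hits)


def icmp_record(src, dst, icmp_type, frag_offset=0, length=56, ip_id=0):
    """One constructed packet record; len is the data carried by this fragment."""
    return {"src": src, "dst": dst, "proto": "icmp", "type": icmp_type,
            "frag_offset": frag_offset, "len": length, "ip_id": ip_id}


def constructed_records():
    """A small constructed capture: an ordinary ping, a Smurf trigger with the Victim's
    address forged as source, the 60 replies it provokes, one large-but-legal fragment
    and one fragment that overruns the 65535-byte limit."""
    victim = "203.0.113.5"
    recs = [
        icmp_record("192.168.10.22", victim, ECHO_REQUEST, ip_id=1),                      # ordinary ping
        icmp_record(victim, "192.168.10.255", ECHO_REQUEST, ip_id=2),                     # Smurf trigger
        icmp_record("198.51.100.9", "192.168.10.1", ECHO_REQUEST, 7992, 64, ip_id=3),    # 64020 bytes, legal
        icmp_record("198.51.100.9", "192.168.10.1", ECHO_REQUEST, 8184, 100, ip_id=77),  # 65592 bytes
    ]
    for host in range(1, 61):   # every host on 192.168.10.0/24 answers the broadcast ping at the Victim
        recs.append(icmp_record(f"192.168.10.{host}", victim, ECHO_REPLY, ip_id=500 + host))
    return recs


def report(records):
    """Summarise the three checks over a record set."""
    return {"smurf_triggers": [(r["src"], r["dst"]) for r in smurf_requests(records)],
            "amplified_targets": reply_amplification(records),
            "ping_of_death": oversized_datagrams(records)}


if __name__ == "__main__":
    for name, value in report(constructed_records()).items():
        print(name, value)
```

The Smurf trigger is the only one of the three that the router in the middle can stop on its own (by not forwarding directed broadcasts); the reply flood is detectable at the Victim but by then the bandwidth is already spent.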