We Defeat Passwords!
 
  Fri, 22 Aug 2008 12:00:22 +0200
The term backscatter refers to the response SYN/ACK packets that a SYN-flooded host will send in response to receiving the SYN packets. If the source address of the original SYN packet is spoofed, the SYN/ACKs will be sent to that spoofed address, which may use all the network bandwidth for the spoofed host or network. Backscatter [...]
  Mon, 18 Aug 2008 11:58:30 +0200
We now turn to TCP-specific abuses. As we’ve seen, it is relatively difficult to spoof a full TCP connection, unless the hacker controls a router in the route between the two systems, so traffic that travels on a fully established connection can be presumed to be between the two systems indicated. This means that an [...]
  Tue, 05 Aug 2008 14:09:25 +0200
Surprisingly, the UDP checksum is only optionally computed. If this 16-bit field is exactly 0, it signifies that the UDP checksum wasn’t computed on transmission and shouldn’t be checked upon reception. As UDP was originally intended as a lightweight protocol on much smaller and slower systems than modern equipment, a performance advantage was gained by [...]
  Sun, 03 Aug 2008 12:07:49 +0200
For both TCP and UDP, port 0 traffic is considered unusual, since it is officially a reserved port and shouldn’t be used for any network communications. Any port 0 traffic is probably not legitimate, since the packets are probably generated synthetically. Why the prohibition against using port 0? Although the original motivation for not allowing this [...]
  Fri, 01 Aug 2008 10:06:27 +0200
The Internet timestamp option requests the timestamp from the system’s perspective, in a return packet. This has limited value, but it may give a potential attacker an idea of the level of system administration on the target. With all the other malicious traffic out there, the use of this option is fairly benign, but in [...]
  Mon, 28 Jul 2008 10:06:23 +0200
Loose and strict source routing are used to specify the actual route that a packet is expected to take while traveling from source to destination. Strict source routing specifies the exact route, hop by hop, that the packet must take. Loose source routing also specifies the route that the packet must take, but there may [...]
  Mon, 28 Jul 2008 10:05:37 +0200
The record route option in the IP header was designed to provide a mechanism to determine the route that the packet took from source to destination. Each hop a packet takes will, if the header contains space, record the IP address of the router. This option has no obvious use, as modern tools, such as [...]
  Fri, 25 Jul 2008 12:01:16 +0200
Packet reassembly resulting from fragmentation is not as straightforward as might be expected. There are several problems with fragments: Malicious hosts can use a combination of retransmission and TTL games to fool an IDS into believing that it has seen the traffic that a host has seen, when, in fact, the IDS could be mistaken. Ideally [...]
  Tue, 22 Jul 2008 11:56:31 +0200
Packet reassembly resulting from fragmentation is not as straightforward as might be expected. There are several problems with fragments:
Duplicate fragments: If duplicate fragments are received with differing content, which fragment is saved? The first? The second? Should both be discarded? Systems exist that implement all of these strategies.
Overlapping fragments: If a fragment is received whose [...]
The IP header contains a 16-bit total packet length field, giving a maximum packet length of 65,535 bytes. Also in the header is the IHL field, which specifies the size of the header in 32-bit words. Logically, therefore, we would expect the data portion of the packet to be the difference between the values in these [...]
  Tue, 15 Jul 2008 10:48:36 +0200
Spoofed packets can also be used to cause an amplification effect if they are sent to a broadcast address. For instance, a typical private network might have a range of 192.168.1.0 to 192.168.1.255. Although there are a total of 256 addresses in this range, the lowest and highest addresses are reserved for network use. The [...]
  Sun, 13 Jul 2008 23:42:05 +0200
Unless the attacker also controls a point on the return path to the alleged sender, they will have no knowledge of the critical information required to establish a TCP connection. In particular, without knowing the sequence number in the returned SYN/ACK packet, a valid connection cannot be established. If, however, the attacker has a system [...]
  Thu, 10 Jul 2008 13:36:01 +0200
There are some IP addresses which should not, under normal circumstances, be seen crossing the perimeter to or from the Internet. The term ingress filtering refers to the process of filtering out obviously bogus addresses entering into a network, while egress filtering refers to outbound traffic. A simple example would be that an enterprise with [...]
  Tue, 08 Jul 2008 14:33:39 +0200
IP is the unreliable transport protocol used to carry all the upper-level protocols on the Internet. IP provides the transport and delivery of datagrams but does not provide mechanisms to verify that datagrams from a host are actually from that host. In actuality, this is an almost impossible problem to solve, as nearly every host [...]
  Mon, 07 Jul 2008 00:30:33 +0200
In the same vein as MAC spoofing, ARP response packets can be spoofed to redirect traffic or disrupt it. Imagine that system A wants to communicate with system B, so it sends out an ARP request asking, in effect, “whoever has B’s IP address, please send your hardware address.” A hacker on system C who sees this [...]
  Fri, 04 Jul 2008 10:27:47 +0200
Traffic can be disrupted on a network if two Ethernet adapters have exactly the same hardware (or MAC – Media Access Control) addresses. If all adapters are from major, recognized vendors, this problem is unlikely to occur, as each vendor is assigned a block of addresses from which they assign a unique address to each [...]
  Wed, 02 Jul 2008 10:27:44 +0200
We should discuss the differences between switched and unswitched networks. Unswitched networks, built on Ethernet hub technology, transmit all traffic to all ports on the hub. The hub itself is a relatively unsophisticated device that merely regenerates the traffic to all ports and resolves packet collisions. ARP packets go to all hosts connected to the hub. A [...]
  Sat, 14 Jun 2008 11:50:42 +0200
ARP (Address Resolution Protocol) is used by hosts to determine the hardware address corresponding to a desired IP address so that systems can communicate. There is no authentication of either the request or the response, so it is fortunate that ARP requests are confined to the local subnet. However, if a system is compromised by an [...]
  Wed, 11 Jun 2008 11:50:34 +0200
Because the higher layers depend on those below them, it is easy to imagine that a subversion of lower-level protocols will have a profound impact on the higher levels. Fortunately, though, most of these subversions cause a denial of service, meaning that some or all of the services depending on these lower levels will fail [...]
  Thu, 05 Jun 2008 12:25:22 +0200
Some important applications straddle the line between the network level and the application level. These notably include IDS applications and firewalls, which are applications that must be intimately familiar with the lower-level workings of network protocols. As these applications exist to protect important computer assets (and, in fact, are important assets themselves), some attacks specifically [...]