UNCLASSIFIED
Testing and Security Validation
Version 1.0g
197
6.3.2. Attack Tests
Attack testing can provide some assessment of the router's robustness, i.e., how the
router will perform under the stress of an attack.
WARNING: RUNNING ATTACK SCRIPTS AGAINST AN OPERATIONAL ROUTER MAY
DEGRADE ROUTER PERFORMANCE, OR EVEN CAUSE THE ROUTER TO CRASH!
If the filters are improperly configured, or not applied to the interface, some of
these attacks will have the same effect as a real attack from a malicious source.
DO NOT perform attack testing against an operational router without first
considering the possible consequences and having a recovery plan. If possible,
perform testing in a lab or testbed environment rather than the operational
environment. If you do perform testing on the operational network, make sure
that all attack testing is coordinated with those responsible for the network and
choose a test time when the network usage is likely to be low.
Connecting to an outside network exposes the internal network and the perimeter
router to many potential risks. One of the most important security concerns is access
to the router itself. Physical security of the router should provide protection from
close-in access. On the network, remote access must be limited using authenticated
logins or, if possible, remote logins should be disabled. To test the remote
availability, telnet to the router. The router should either refuse the request or prompt
for a password. For a more detailed discussion of Cisco router access security and
remote administration, consult Section 4.1, and the Cisco whitepaper Improving
Security on Cisco Routers [1].
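The remote-access check described above (telnet to the router and confirm that it either refuses the connection or asks for a password) as an added Python example; this is not code from the guide. It assumes a plain telnet service on TCP port 23 and an IOS-style banner ("User Access Verification" followed by a "Password:" or "Username:" prompt, or "Password required, but none set" when no vty password exists). The outcome labels, the hypothetical script name and the sample banners in the comments are the example's own.

```python
import socket
import sys

# Outcome labels for the remote telnet check (constructed for this example).
REFUSED = "refused"        # refused, filtered, or dropped without a shell: acceptable
PROMPTS = "prompts"        # router asks for a username/password first: acceptable
OPEN = "open-no-auth"      # router hands out an exec prompt with no authentication: finding
UNKNOWN = "unknown"        # something else came back; inspect by hand

PROMPT_MARKERS = (b"password", b"username", b"login", b"user access verification")


def strip_telnet_options(data: bytes) -> bytes:
    """Drop telnet option-negotiation sequences (RFC 854, IAC = 0xFF) so that
    only the text the router actually printed is left."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == 0xFF and i + 1 < len(data):
            cmd = data[i + 1]
            if 0xFB <= cmd <= 0xFE:          # WILL / WONT / DO / DONT <option>
                i += 3
            elif cmd == 0xFA:                # SB ... IAC SE (subnegotiation)
                end = data.find(b"\xff\xf0", i + 2)
                i = len(data) if end < 0 else end + 2
            else:                            # two-byte command
                i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def classify_banner(data: bytes) -> str:
    """Classify the first bytes a device sends after a telnet connect."""
    text = strip_telnet_options(data).lower()
    # IOS prints this and closes the session when no vty password is configured.
    if b"password required, but none set" in text:
        return REFUSED
    if any(marker in text for marker in PROMPT_MARKERS):
        return PROMPTS
    stripped = text.rstrip()
    # An IOS exec prompt ends in '>' (user mode) or '#' (privileged mode).
    if stripped.endswith(b">") or stripped.endswith(b"#"):
        return OPEN
    return UNKNOWN


def probe_telnet(host: str, port: int = 23, timeout: float = 5.0) -> str:
    """Connect to host:port, read the banner for up to `timeout` seconds, classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = b""
            try:
                while len(banner) < 1024:
                    chunk = sock.recv(1024)
                    if not chunk:           # peer closed the connection
                        break
                    banner += chunk
            except (socket.timeout, TimeoutError):
                pass                        # quiet after the prompt: normal
            if not banner:
                return UNKNOWN              # accepted but silent: look closer
            return classify_banner(banner)
    except OSError:                         # refused, unreachable, or filtered (timeout)
        return REFUSED


if __name__ == "__main__":
    # Usage: python telnet_check.py <router-address>  (script name is hypothetical)
    print(probe_telnet(sys.argv[1]))
```

Only "refused" and "prompts" are acceptable results; "open-no-auth" means the router handed out an exec prompt without authentication and the access controls of Section 4.1 have not been applied. Run the probe from outside the perimeter as well as from inside, since the filters on the two interfaces may differ.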
Once access to the router has been secured, the network is still at risk of attack.
Some of the most common attacks on the internet are denial of service (DoS) attacks.
DoS attacks are typically based on high-bandwidth packet floods or other repetitive
packet streams. The easy availability and effectiveness of DoS scripts on the internet
make these attacks a favorite among hackers, particularly those without the skill to
create their own tools. For a general overview of DoS, visit the CERT site:
http://www.cert.org/tech_tips/denial_of_service.html. For more
information on the effects of DoS attacks, including recent developments and links to
specific DoS advisories, visit: http://www.cert.org/summaries/.
One very popular DoS attack is the smurf attack. This attack has at least two
victims: a target system and one or more reflector systems. The attacker sends a
continuous stream of ICMP echo requests (pings) to the broadcast address of a
reflector subnet. The source address in these packets is falsified to be the address of
the ultimate target. Each packet generates a response from all hosts on the reflector
subnet, flooding the target and wasting bandwidth for both victims. The reflector
networks receiving these echo requests can prevent the attack by using the no ip
directed-broadcast command (see Section 4.2). For a detailed discussion of the
smurf attack, read Craig Huegen's paper [9].
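A configuration audit for the smurf mitigation named above, written as an added Python example that is not part of the guide. It reads a saved running-config, finds every interface stanza and reports whether ip directed-broadcast is explicitly enabled, explicitly disabled, or left unspecified. Before IOS 12.0 directed broadcasts were forwarded by default, so an unspecified interface on those releases is reported as a reflector risk; from 12.0 on the default is no ip directed-broadcast. The sample config, its hostname and addresses are constructed; the state labels and function names are the example's own.

```python
import re

# Constructed sample running-config excerpt (not taken from the guide).
SAMPLE_CONFIG = """\
version 11.3
hostname edge-router
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1
 ip address 198.51.100.1 255.255.255.0
 ip directed-broadcast
!
interface Serial0
 ip address 203.0.113.2 255.255.255.252
!
line vty 0 4
 login
"""

ENABLED = "enabled"          # 'ip directed-broadcast' present: can act as a smurf reflector
DISABLED = "disabled"        # 'no ip directed-broadcast' present
UNSPECIFIED = "unspecified"  # neither form shown: the IOS default for that release applies


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines]} for every interface stanza.
    An IOS stanza runs from its 'interface X' line up to the next unindented line."""
    stanzas = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def directed_broadcast_state(lines) -> str:
    """Last explicit directed-broadcast setting in a stanza, or UNSPECIFIED."""
    state = UNSPECIFIED
    for line in lines:
        if line == "no ip directed-broadcast":
            state = DISABLED
        elif line.startswith("ip directed-broadcast"):   # may carry an access-list number
            state = ENABLED
    return state


def ios_version(config: str):
    """(major, minor) from the 'version X.Y' line, or None if the line is absent."""
    m = re.search(r"^version\s+(\d+)\.(\d+)", config, re.MULTILINE)
    return (int(m.group(1)), int(m.group(2))) if m else None


def audit_directed_broadcast(config: str) -> dict:
    return {name: directed_broadcast_state(lines)
            for name, lines in parse_interfaces(config).items()}


def findings(config: str) -> list:
    """Interfaces that would still forward directed broadcasts.
    Before IOS 12.0 the default was enabled, so an unspecified interface on
    those releases (or in a config with no version line) is reported too."""
    version = ios_version(config)
    default_enabled = version is None or version < (12, 0)
    flagged = []
    for name, state in audit_directed_broadcast(config).items():
        if state == ENABLED or (state == UNSPECIFIED and default_enabled):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    for name, state in audit_directed_broadcast(SAMPLE_CONFIG).items():
        print(f"{name:12s} {state}")
    print("reflector risk:", ", ".join(findings(SAMPLE_CONFIG)) or "none")
```

Run it against the output of show running-config saved to a file; every interface it lists is one on which no ip directed-broadcast should be applied before any attack testing is attempted.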