Win2K automatically monitors three counters that track the number of active TCP/IP ports and the number of ports in the half-open state to look for potential SYN attacks. When these counters exceed predefined thresholds, Win2K assumes that a SYN DoS attack is in progress. During a SYN DoS attack, TCP queries the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey to determine how to respond. The subkey's SynAttackProtect entry determines the number of retries and the retry interval that TCP uses to time out a connection request. The SynAttackProtect entry has the type REG_DWORD and the value 0, 1, or 2.
Set the value to 1 or 2 on systems that connect directly to the Internet. These settings reduce the number of SYN-ACK retransmissions and the interval between them, which reduces the time that a system waits to time out valid and malicious connection requests. For the best protection against SYN DoS attacks, set the value to 2.
Set the SynAttackProtect entry to 1 or 2 for systems directly accessible from the Internet, especially those you don't protect with a firewall. (To verify that your firewall provides SYN attack and Ping of Death protection, check with the vendor.) Remember that when you implement this deterrent, you change the way the system responds to both valid and DoS connection requests.
2. Guard Against Dead-Gateway Exploits
When you configure a system's TCP/IP settings manually, you enter an address, a subnet mask, and a default gateway. When the system receives a packet with a destination address that's not on the local subnet, IP forwards the packet to the gateway system. The gateway then routes the packet to another router or its final destination. When the gateway is operational, it always acknowledges receipt of such packets. When a system doesn't receive a response to 25 percent of the packets that it forwards to a gateway, it assumes that the gateway is nonfunctional, or "dead."
You can guard against router failure by configuring multiple default gateways on the Advanced Settings tab of the TCP/IP Properties dialog box. When you configure multiple gateways, Win2K automatically enables a dead-gateway detection feature that selects the next gateway in the list when it detects a dead gateway. This dynamic reconfiguration adds redundancy and fault tolerance to your network, but it introduces a vulnerability that a sophisticated attacker can exploit to redirect network traffic to a nonfunctional system or a system of the attacker's choice.
The registry contains two dead-gateway entries. The first, DeadGWDetectDefault in the \Tcpip\Parameters subkey, defines the default setting for dead-gateway detection. You use DeadGWDetectDefault to enable or disable dead-gateway detection for all TCP/IP interfaces. If necessary, you can use the second dead-gateway entry, EnableDeadGWDetect in the \Tcpip\Parameters\Interfaces\adapterclassID subkey to enable or disable dead-gateway detection for a specific adapter. When you enable dead-gateway detection, TCP directs IP to use a backup gateway if TCP retransmits a packet several times without receiving a response from the gateway. When you disable detection, you prevent TCP from forwarding packets to another gateway.
To manually enable or disable TCP dead-gateway detection for all interfaces, set DeadGWDetectDefault to 0 (disable) or 1 (enable). To enable or disable detection for an individual network adapter, add or modify EnableDeadGWDetect in the adapter-specific (i.e., \Interfaces\adapterclassID) subkey.
When you disable dead-gateway detection, you disable TCP's ability to dynamically reroute packets using alternate routers when the primary gateway dies. Preventing packets from leaving the local subnet shuts down all but local communication. For this reason, and because the dead-gateway detection exploit is difficult to implement and is much less common than SYN DoS and Ping of Death attacks, I recommend that you disable dead-gateway detection only on highly sensitive portions of your network.
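The SynAttackProtect and dead-gateway settings above are plain REG_DWORD values, so they can be audited from an exported hive without touching the live system. The following added example (mine, not from the article) parses a regedit-style export and compares the values with the article's recommendations; the export text is constructed sample data and the adapter GUID is a placeholder.

```python
"""Audit Win2K TCP/IP hardening values from a regedit-style export."""
import re

# Constructed sample export (not from a real host): SYN protection left at 0,
# dead-gateway detection enabled globally and on one adapter (GUID is a placeholder).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000000
"DeadGWDetectDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{ADAPTER-GUID-PLACEHOLDER}]
"EnableDeadGWDetect"=dword:00000001
"""

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the REG_DWORD values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def audit(keys, internet_facing=True, sensitive_segment=False):
    """Compare values with the article's guidance; return a list of findings."""
    findings = []
    params = keys.get(TCPIP, {})
    syn = params.get("SynAttackProtect", 0)      # a missing value behaves as 0
    if internet_facing and syn not in (1, 2):
        findings.append(f"SynAttackProtect={syn}: set to 2 (or 1) on Internet-facing hosts")
    gw = params.get("DeadGWDetectDefault", 1)    # detection is on by default
    if sensitive_segment and gw != 0:
        findings.append(f"DeadGWDetectDefault={gw}: disable on highly sensitive segments")
    prefix = TCPIP + "\\Interfaces\\"
    for path, values in keys.items():
        if sensitive_segment and path.startswith(prefix) and values.get("EnableDeadGWDetect") == 1:
            findings.append(f"{path.rsplit(chr(92), 1)[-1]}: EnableDeadGWDetect=1, disable")
    return findings
```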
3. Battle PMTU Exploits
As Table 1 shows, each physical network type, such as Ethernet or X.25, has a maximum frame size, called the Maximum Transmission Unit (MTU), that specifies the amount of data that network type can carry in one discrete unit. When messages traverse a network of different types (e.g., from Ethernet to Token Ring), the MTU on the source network type might be larger or smaller than the MTU on the destination network type.
When a 16KB network packet must cross a network with an MTU of 1500 bytes, systems on both networks exchange MTU information. The sending system then breaks (i.e., fragments) the message into multiple packets, each with a sequence number that indicates the order of the smaller packet within the original, larger message.
Packet fragmentation is a significant source of performance degradation. The sending system consumes CPU cycles and memory when it breaks the message into multiple segments, adds a sequence number, and transmits the smaller packet. The receiving system uses CPU cycles and memory as it waits for and buffers packet fragments, orders the packets based on the sequence numbers, and reassembles the frame.
Win2K includes a performance-enhancing algorithm called Path MTU (PMTU) discovery that identifies the smallest MTU between a message's source and destination networks and formats the message in packets of that size. The PMTU optimization algorithm thus eliminates fragmentation at the routers along the path that connects the source and destination networks.
The PMTU-discovery process exposes a vulnerability that an attacker can exploit. Theoretically, an attacker can program a system to respond to the PMTU-discovery process with an MTU of 68 bytes, which is the smallest packet size that TCP/IP permits. Win2K then uses this value to package and forward all network messages to a target system outside the local subnet. The same attacker can then flood the sending system with hundreds or thousands of network packets addressed to the same target. If incoming messages arrive faster than the system can break them into 68-byte segments for forwarding to the destination machine, the attack can consume all resources on all the systems that handle the message.
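To put numbers on the fragmentation cost described above, the following added example (mine, not from the article) computes the IPv4 fragments the article's 16KB message needs at an MTU of 1500 bytes versus the 68-byte minimum, and the resulting packet and header overhead every host on the path must absorb. It assumes a 20-byte IPv4 header with no options.

```python
"""Quantify IPv4 fragmentation for the MTU values the article discusses."""
IPV4_HEADER = 20    # bytes, header without options (assumed)
IPV4_MIN_MTU = 68   # smallest datagram every IPv4 link must forward

def path_mtu(link_mtus):
    """PMTU discovery's result: the smallest MTU on the path."""
    return min(link_mtus)

def fragment(payload_len, mtu, header=IPV4_HEADER):
    """Split a payload into IPv4 fragments for a given MTU.
    Returns (offset, length, more_fragments) per fragment. All but the last
    fragment carry a multiple of 8 bytes because the offset field counts
    8-byte units."""
    if mtu < IPV4_MIN_MTU:
        raise ValueError("IPv4 links must carry at least 68-byte datagrams")
    chunk = (mtu - header) // 8 * 8
    frags, off = [], 0
    while off < payload_len:
        n = min(chunk, payload_len - off)
        frags.append((off, n, off + n < payload_len))
        off += n
    return frags

def wire_cost(payload_len, mtu, header=IPV4_HEADER):
    """(fragment count, total bytes on the wire) once each fragment gets a header."""
    frags = fragment(payload_len, mtu, header)
    return len(frags), payload_len + len(frags) * header

def amplification(payload_len, honest_mtu, forced_mtu):
    """Factor by which the packet count grows when the advertised PMTU
    drops from honest_mtu to forced_mtu (the 68-byte case in the article)."""
    n_honest, _ = wire_cost(payload_len, honest_mtu)
    n_forced, _ = wire_cost(payload_len, forced_mtu)
    return n_forced / n_honest

if __name__ == "__main__":
    msg = 16 * 1024   # the article's 16KB message
    for mtu in (path_mtu([1500, 4464, 576]), 1500, IPV4_MIN_MTU):
        print(f"MTU {mtu}: fragments, bytes = {wire_cost(msg, mtu)}")
    print(f"68-byte PMTU vs 1500: {amplification(msg, 1500, 68):.1f}x packets")
```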