homuskrat
Networking and Communications

Nov 20, 2013 (4 years and 7 months ago)




MMD © Oct2012


Enable Passwords On Cisco Routers Via Enable
Password And Enable Secret

Access Control Lists (ACLs)

How to Prevent Denial of Service Attacks

How Kerberos Authentication Works

Enable Passwords On Cisco Routers Via
Enable Password And Enable Secret

The two most basic passwords a Cisco router supports are the enable password and the enable secret.


Depending on the IOS version, administrators will likely only need to set up the enable secret.



Access Control Lists (ACLs) allow a router to

packets based on a variety of criteria.

Three basic steps to configure Standard Access List

Use the access-list global configuration command to create an entry in a standard ACL.

Use the interface configuration command to select an interface to which to apply the ACL.

Use the ip access-group interface configuration command to activate the existing ACL on an interface.


With Access Lists you will have a variety of uses for the
wild card masks:

Match a specific host,

Match an entire subnet,

Match an IP range, or

Match Everyone and anyone
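
The four wildcard-mask uses above can be checked with a short model of how a standard ACL is evaluated. This is an added example, not part of the original slides; the addresses and the ACL itself are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress

def wildcard_match(src, base, wildcard):
    """Wildcard bit 0 = this bit must equal the base; bit 1 = ignore it."""
    s, b, w = (int(ipaddress.IPv4Address(x)) for x in (src, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (s & care) == (b & care)

# Constructed standard ACL (addresses are illustrative), one entry per
# wildcard-mask use listed above.
ACL = [
    ("deny",   "10.1.1.5",    "0.0.0.0"),          # a specific host
    ("permit", "10.1.1.0",    "0.0.0.255"),        # an entire subnet
    ("permit", "172.16.16.0", "0.0.15.255"),       # range 172.16.16.0-172.16.31.255
    ("deny",   "0.0.0.0",     "255.255.255.255"),  # everyone ("any")
]

def evaluate(acl, src):
    """Check entries top-down; the first match decides.
    A packet that matches nothing hits the implicit deny at the end."""
    for line_no, (action, base, wildcard) in enumerate(acl, start=1):
        if wildcard_match(src, base, wildcard):
            return action, line_no
    return "deny", None

if __name__ == "__main__":
    for src in ("10.1.1.5", "10.1.1.77", "172.16.20.9", "172.16.32.1"):
        print(src, evaluate(ACL, src))
```

Because the first match wins, placing the host deny after the subnet permit would let 10.1.1.5 through.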

How to Prevent Denial of Service

The denial of service (DoS) attack is statistically the most used malicious attack out of them all.

Literally anyone can bring down a website with a simple command prompt. The question is: how do you protect against an attack that can cripple your network or website in a matter of minutes?

If you are going to protect against an attack, you first have
to know how it works.

You must familiarize yourself with the different variations, methods, and plans of attacks that hackers use.

There are at least seven different classifications of DoS attacks known today.

DoS: Ping Flood

The most basic of attacks is the ping flood attack.

It relies on the ICMP echo command, more popularly known as ping.

In legitimate situations the ping command is used by
network administrators to test connectivity between two

In the ping flood attack, it is used to flood large amounts
of data packets to the victim’s computer in an attempt to
overload it.

DoS: Ping Flood

Two Exploitable Commands Using Ping



command tells the prompt to send the request a
specified amount of times. The default is four packets, but we
sent five.



command tells the prompt how much data to send
for each packet. The maximum is 65,500 bytes, while the
default is just 32.

DoS: Ping Flood

This type of attack is generally useless on larger networks
or websites.

because only one computer is being used to flood the victim’s

If we were to use a group of computers, then the attack would
become a distributed denial of service attack, or DDoS.

The most common cure to the ping flood attack is
simply ban the IP address
from accessing your

DoS: Ping of Death

The ping of death attack, or PoD, can cripple a network
based on a flaw in the TCP/IP system. The maximum size
for a packet is 65,535 bytes.

If one were to send a packet larger than that, the
receiving computer would ultimately crash from

DoS: Ping of Death

Sending a ping of this size is against the rules of the
TCP/IP protocol, but hackers can bypass this by cleverly
sending the packets in fragments.

When the fragments are assembled on the receiving
computer, the overall packet size is too great.

This will cause a buffer overflow and crash the device.

DoS: Ping of Death

Luckily, most devices created after 1998 are immune to
this kind of attack. If you are running a network with
outdated devices this will indeed be a possible threat to
your network. In this case, upgrade your devices if

DoS: Smurf Attack

When conducting a smurf attack, attackers will spoof their IP address to be the same as the victim’s IP address.

This will cause great confusion on the victim’s network, and a massive flood of traffic will be sent to the victim’s networking device, if done correctly.

DoS: Smurf Attack

Most firewalls protect against smurf attacks, but there are
several things you can do. If you have access to the router
your network or website is on, simply tell it to not
forward packets to broadcast addresses.

In a Cisco router, simply use the command:

no ip directed

DoS: Fraggle

A Fraggle attack is exactly the same as a smurf attack,
except that it uses the user datagram protocol, or UDP,
rather than TCP.

Fraggle attacks, like smurf attacks, are starting to become
outdated and are commonly stopped by most firewalls or

This attack is generally less powerful than the smurf
attack, since the TCP protocol is much more widely used
than the UDP protocol.

DoS: SYN Flood Attack

The SYN flood attack takes advantage of the TCP three-way handshake.

This method operates two separate ways.

Both methods attempt to start a three-way handshake, but not complete it.

DoS: SYN Flood Attack

The first attack method can be achieved when the
attacker sends a synchronize request, or SYN, with a
spoofed IP address.

When the server tries to send back a SYN-ACK request, or synchronize-acknowledge request, it will obviously not get a response.

This means that the server never obtains the client’s ACK
request, and resources are left half

DoS: SYN Flood Attack

Alternatively, the attacker can just choose to not send the
acknowledgement request. Both of these methods stall
the server, who is patiently waiting for the ACK request.
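
On the server, both methods show up as connections stuck in the half-open state, which a defender can count per listening port. The following is an added detection example, not part of the original slides: the socket listing is constructed in the column layout of `ss -tan`, and the threshold and spread values are assumptions to tune per site.

```python
from collections import defaultdict

# Constructed sample in the column layout of `ss -tan` on a Linux server.
SAMPLE = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN   0      128    0.0.0.0:443        0.0.0.0:*
ESTAB    0      0      192.0.2.10:443     198.51.100.20:50111
SYN-RECV 0      0      192.0.2.10:443     203.0.113.5:40001
SYN-RECV 0      0      192.0.2.10:443     203.0.113.77:40002
SYN-RECV 0      0      192.0.2.10:443     198.51.100.9:40003
SYN-RECV 0      0      192.0.2.10:443     203.0.113.140:40004
SYN-RECV 0      0      192.0.2.10:443     198.51.100.201:40005
SYN-RECV 0      0      192.0.2.10:80      198.51.100.66:51000
SYN-RECV 0      0      192.0.2.10:80      198.51.100.66:51001
SYN-RECV 0      0      192.0.2.10:80      198.51.100.66:51002
SYN-RECV 0      0      192.0.2.10:80      198.51.100.66:51003
SYN-RECV 0      0      192.0.2.10:22      198.51.100.20:50200
"""

def half_open_by_listener(text):
    """Return {local endpoint: {peer IP: number of SYN-RECV sockets}}."""
    table = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "SYN-RECV":
            continue  # header, LISTEN, ESTAB and malformed rows
        local, peer = fields[3], fields[4]
        table[local][peer.rsplit(":", 1)[0]] += 1
    return table

def classify(text, threshold=4, spread=0.8):
    """Flag listeners holding at least `threshold` half-open connections.
    Mostly distinct peers is consistent with spoofed sources (first method);
    one repeating peer is consistent with a client withholding its ACK."""
    findings = {}
    for local, peers in half_open_by_listener(text).items():
        total = sum(peers.values())
        if total < threshold:
            continue
        kind = "many-sources" if len(peers) / total >= spread else "few-sources"
        findings[local] = (total, len(peers), kind)
    return findings
```

A "few-sources" finding can be answered by blocking the address; a "many-sources" finding cannot, because the source addresses are not trustworthy.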

DoS: Teardrop

In the teardrop attack, packet fragments are sent in a
jumbled and confused order.

When the receiving device attempts to reassemble them,
it obviously won’t know how to handle the request.

Older versions of operating systems will simply just crash
when this occurs.

Operating systems such as Windows NT, Windows 95,
and even Linux versions prior to version 2.1.63 are
vulnerable to the teardrop attack.


A distributed denial of service attack, or DDoS, is much
like the ping flood method, only multiple computers are
being used.

The computers that are being used may or may not be
aware of the fact that they are attacking a website or

Trojans and viruses commonly give the hacker control of
a computer, and thus, the ability to use them for attack.

In this case the victim computers are called



A DDoS attack is very tough to overcome. The first thing to
do is to contact your hosting provider or internet service
provider, depending on what is under attack.

They will usually be able to filter out the bulk of the traffic based on where it’s coming from. For more large-scale attacks, you’ll have to become more creative.


If you have access to your router, and are running a
Cisco brand, enter the following command into your
router command prompt:

No ip verify unicast reverse

This will ensure that attackers can’t spoof their IP

Options in DDoS Prevention

Hire a security company to assess and repair the damage

Buy an intrusion detection system (IDS)

How Kerberos Authentication Works

If you are running Windows 2000 or later, you are indeed
running Kerberos by default.

Advantage of Kerberos: to help combat security concerns

FTP and Telnet use plaintext passwords. These passwords
are easy to intercept with the right tools.

Anyone with a simple packet sniffer and packet analyzer
can obtain an FTP or telnet logon with ease. With that
kind of sensitive information being transmitted, the need
for Kerberos is obvious.

Sure FTP and Telnet related logons are easy to intercept,
but then again so is every other connection any of your
applications has to the internet.

How Kerberos Authentication Works

Kerberos operates by encrypting data with a symmetric

A symmetric key is a type of authentication where both
the client and server agree to use a single
encryption/decryption key for sending or receiving data.

When working with the encryption key, the details are
actually sent to a key distribution center, or KDC, instead
of sending the details directly between each computer.

8 steps to do this:


The authentication service, or AS, receives the request by the client and verifies that the client is indeed the computer it claims to be.

How Kerberos Authentication Works

Upon verification, a timestamp is created. This puts the current time in a user session, along with an expiration date. The default expiration date of a timestamp is 8 hours. The encryption key is then created. The timestamp ensures that when 8 hours is up, the encryption key is useless.


The key is sent back to the client in the form of a ticket-granting ticket, or TGT. This is a simple ticket that is issued by the authentication service. It is used for authenticating the client for future reference.

The client submits the ticket-granting ticket to the ticket-granting server, or TGS, to get authenticated.

The TGS creates an encrypted key with a timestamp, and
grants the client a service ticket.

How Kerberos Authentication Works

The client decrypts the ticket, tells the TGS it has done so,
and then sends its own encrypted key to the service.

The service decrypts the key, and makes sure the timestamp
is still valid. If it is, the service contacts the key distribution
center to receive a session that is returned to the client.

The client decrypts the ticket. If the keys are still valid,
communication is initiated between client and server.

The client is authenticated until the session expires.
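
The ticket flow above can be traced in a simplified model that shows which key seals each ticket and how the 8-hour expiry is enforced. This is an added example, not part of the original slides and not a Kerberos implementation: `seal`/`unseal` are a stand-in cipher, the principal names and keys are constructed, and authenticators, pre-authentication and the per-service session key are left out.

```python
import hashlib, hmac, json, os

LIFETIME = 8 * 3600  # the 8-hour default stated above, in seconds

# Constructed long-term keys the KDC shares with each principal (hypothetical names).
KEYS = {"alice": b"A" * 16, "tgs": b"T" * 16, "fileserver": b"F" * 16}

def seal(key, obj):
    """Stand-in for a Kerberos encryption type (SHAKE-256 keystream + HMAC tag);
    for illustration only, not a production cipher."""
    nonce, plain = os.urandom(16), json.dumps(obj).encode()
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(plain))
    body = nonce + bytes(p ^ s for p, s in zip(plain, stream))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    """Verify the tag first, then decrypt; a wrong key fails the tag check."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or altered ticket")
    nonce, ct = body[:16], body[16:]
    stream = hashlib.shake_256(b"enc" + key + nonce).digest(len(ct))
    return json.loads(bytes(c ^ s for c, s in zip(ct, stream)))

def as_exchange(client, now):
    """AS: session key sealed for the client, plus a TGT only the TGS can open."""
    session = os.urandom(16).hex()
    tgt = {"client": client, "session": session, "expires": now + LIFETIME}
    return seal(KEYS[client], {"session": session}), seal(KEYS["tgs"], tgt)

def tgs_exchange(tgt_blob, service, now):
    """TGS: open the TGT, refuse it once expired, issue a service ticket."""
    tgt = unseal(KEYS["tgs"], tgt_blob)
    if now >= tgt["expires"]:
        raise ValueError("TGT expired")
    ticket = {"client": tgt["client"], "expires": tgt["expires"]}
    return seal(KEYS[service], ticket)

def service_accepts(service, ticket_blob, now):
    """Service: open the ticket with its own key and honour it until expiry."""
    ticket = unseal(KEYS[service], ticket_blob)
    return ticket["client"] if now < ticket["expires"] else None
```

The client never sees inside the TGT or the service ticket: each is sealed under a key only the KDC and the intended recipient hold, so the client cannot extend its own expiry.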