Network Security at the Network Layer (Layer 3: IP)

Every layer of communication has its own unique security challenges. The Network Layer (Layer 3 in the OSI model) is especially vulnerable to many Denial of Service attacks and information privacy problems. The most widely used protocol at the network layer is IP (Internet Protocol). The following are the key security risks at the Network Layer associated with IP:
IP Spoofing: The intruder sends messages to a host with a forged source IP address (not its own), indicating that the message is coming from a trusted host, in order to gain unauthorized access to that host or to other hosts. To engage in IP spoofing, an attacker must first use a variety of techniques to find the IP address of a trusted host and then modify the packet headers so that the packets appear to be coming from that host.
Routing (RIP) attacks: Routing Information Protocol (RIP) is used to distribute routing information within networks, such as shortest paths, and to advertise routes out of the local network. RIP has no built-in authentication, and the information carried in a RIP packet is often used without verifying it. An attacker could forge a RIP packet claiming that his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic destined for that host to be sent to the attacker's machine instead.
ICMP Attacks: ICMP is used by the IP layer to send one-way informational messages to a host. ICMP has no authentication, which enables attacks that can result in a denial of service or allow the attacker to intercept packets. Denial of service attacks primarily use either the ICMP "Time exceeded" or "Destination unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection. An attacker can make use of this simply by forging one of these ICMP messages and sending it to one or both of the communicating hosts; their connection will then be broken. The ICMP "Redirect" message is normally used by gateways when a host has mistakenly assumed that the destination is not on the local network. If an attacker forges an ICMP "Redirect" message, it can cause another host to send packets for certain connections through the attacker's host.
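The checks a receiving host can apply before honouring an ICMP error or Redirect, written as an added example (not code from the original page): every ICMP error quotes the IP header and first 8 bytes of the packet that supposedly caused it, so a forged "Destination unreachable" or "Time exceeded" has to guess a live connection, and a Redirect is only credible from the gateway currently in use and towards a gateway on the local network. The `Quoted`/`IcmpError` records, the address values and the connection table are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ICMP type numbers from RFC 792
DEST_UNREACH, REDIRECT, TIME_EXCEEDED = 3, 5, 11

@dataclass(frozen=True)
class Quoted:
    """The IP header + first 8 bytes that every ICMP error must quote from the offending packet."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

@dataclass
class IcmpError:
    icmp_type: int
    sender: str          # source address of the ICMP packet itself
    quoted: Quoted       # what the message claims triggered the error
    gateway: str = ""    # Redirect only: the proposed new first hop

def check_icmp_error(msg, active, local_net, first_hop):
    """Return the reasons a host should ignore msg; an empty list means it looks legitimate.
    active: set of Quoted records for the connections this host currently has open."""
    reasons = []
    # A forged "Destination unreachable"/"Time exceeded" has to guess the quoted header;
    # RFC 1122 tells hosts to tie the error to a real connection before acting on it.
    if msg.quoted not in active:
        reasons.append("quoted header matches no active connection")
    if msg.icmp_type == REDIRECT:
        # Accept a Redirect only from the gateway we are actually using ...
        if msg.sender != first_hop:
            reasons.append("redirect not sent by the current first-hop gateway")
        # ... and only towards a gateway that is directly reachable on the local network.
        if ip_address(msg.gateway) not in ip_network(local_net):
            reasons.append("proposed gateway is not on the local network")
    elif msg.icmp_type not in (DEST_UNREACH, TIME_EXCEEDED):
        reasons.append(f"ICMP type {msg.icmp_type} is not an error this check handles")
    return reasons
```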
PING Flood (ICMP Flood): PING is one of the most common uses of ICMP: it sends an ICMP "Echo Request" to a host and waits for that host to send back an ICMP "Echo Reply" message. The attacker simply sends a huge number of ICMP Echo Requests to the victim to crash or slow down its system. This is an easy attack because many ping utilities support this operation, and the attacker doesn't need much knowledge.
Ping of Death Attack: An attacker sends an ICMP Echo Request packet that is much larger than the maximum IP packet size to the victim. Since the received ICMP Echo Request is bigger than the normal IP packet size, the victim cannot reassemble the fragments properly. The OS may crash or reboot as a result.
Teardrop Attack: An attacker uses the program Teardrop to send IP fragments that cannot be reassembled properly, by manipulating the fragment offset values, causing the victim system to reboot or halt. Many other variants, such as targa, SYNdrop, Boink, Nestea, Bonk, TearDrop2 and NewTear, are available. A simple reboot is the preferred remedy after this happens.
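Both the Ping of Death and Teardrop descriptions above come down to fragments that cannot be reassembled within the rules of IP, which a reassembly engine or an IDS can check before touching any buffer. The validator below is an added example, not code from the original page: it takes the offset, length and MF flag of each fragment of one datagram (the `Fragment` record and the sample values are constructed) and reports a reassembled size beyond 65535 bytes (the Ping of Death pattern) or a fragment that overlaps data already delivered (the Teardrop pattern).

```python
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535   # largest datagram the 16-bit IP total-length field can describe
FRAG_UNIT = 8             # the fragment offset field counts 8-byte blocks

@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification field, shared by all pieces of one datagram
    offset: int   # fragment offset exactly as carried in the header (8-byte units)
    length: int   # payload bytes in this fragment
    more: bool    # MF ("more fragments") flag

def validate_fragments(frags):
    """Return the anomalies found in one datagram's fragments; [] means they reassemble cleanly."""
    if not frags:
        return ["no fragments"]
    if len({f.ident for f in frags}) != 1:
        return ["fragments belong to different datagrams"]
    ordered = sorted(frags, key=lambda f: f.offset)
    problems = []
    covered_end = 0   # byte offset just past the highest data seen so far
    for f in ordered:
        start = f.offset * FRAG_UNIT
        end = start + f.length
        # Ping of Death: the reassembled datagram would exceed what IP can hold
        if end > MAX_IP_DATAGRAM:
            problems.append(f"fragment at {start}+{f.length} exceeds 65535 bytes (Ping of Death pattern)")
        # Teardrop: a later fragment starts inside data an earlier one already delivered
        if start < covered_end:
            problems.append(f"fragment at {start} overlaps previous data ending at {covered_end} (Teardrop pattern)")
        # every non-final fragment must carry a whole number of 8-byte blocks
        if f.more and f.length % FRAG_UNIT:
            problems.append(f"non-final fragment length {f.length} is not a multiple of 8")
        covered_end = max(covered_end, end)
    if ordered[-1].more:
        problems.append("no final fragment: the datagram can never be reassembled")
    return problems
```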
Packet Sniffing: Because most network applications transmit network packets in clear text, a packet sniffer can provide its user with meaningful and often sensitive information, such as user account names and passwords. A packet sniffer can provide an attacker with the information that is queried from a database, as well as the user account names and passwords used to access that database. This causes serious information privacy problems and also provides tools for crime.
Like most network security problems, there is no silver-bullet solution that FIXES these problems; however, many technologies and solutions are available to mitigate the above security problems and to monitor the network to reduce the damage if an attack happens. Problems such as PING floods can be effectively reduced by deploying firewalls at critical locations of a network to filter unwanted traffic and traffic from suspicious sources. By utilizing IPsec VPNs at the network layer, and by using session and user (or host) authentication and data encryption technologies at the data link layer, the risk of IP Spoofing and Packet Sniffing is reduced significantly. IPv6 in combination with IPsec provides better security mechanisms for communication at the network level and above.
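What the firewall filtering described above looks like as policy logic, written as an added example rather than code from the original page, and covering the IP Spoofing entry too: packets arriving on the outside interface must not claim one of our own addresses or an unroutable source, packets leaving from the inside must carry one of our addresses, and ICMP Echo Requests are metered by a token bucket so a PING flood is shed before it reaches hosts. The `192.0.2.0/24` address block, the bogon list and the `filter_packet`/`TokenBucket` names are assumptions made for this example.

```python
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.0.2.0/24")   # our own address space (constructed for the example)
# Source ranges that should never arrive from the outside world (RFC 1918 and other unroutable space)
BOGONS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                  "127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16")]
ICMP, ECHO_REQUEST = 1, 8            # IP protocol number and ICMP type

class TokenBucket:
    """Rate limit for ICMP Echo Requests: sustain `rate` per second, absorb bursts up to `capacity`."""
    def __init__(self, rate, capacity, now):
        self.rate, self.capacity, self.tokens, self.last = rate, capacity, float(capacity), now

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def filter_packet(iface, src, proto, icmp_type, bucket, now):
    """Decide a packet seen on iface ('outside' or 'inside'); returns 'accept' or a drop reason."""
    s = ip_address(src)
    if iface == "outside":
        # anti-spoofing ingress filter: nobody outside may claim one of our addresses
        if s in INSIDE:
            return "drop: outside packet claims an inside source address (spoofing)"
        if any(s in b for b in BOGONS):
            return "drop: unroutable source address"
    elif iface == "inside" and s not in INSIDE:
        # egress filter: do not let our hosts spoof other people's addresses either
        return "drop: inside packet with a source address that is not ours"
    # ping-flood mitigation: echo requests beyond the budget are dropped, everything else passes
    if proto == ICMP and icmp_type == ECHO_REQUEST and not bucket.allow(now):
        return "drop: ICMP Echo Request rate limit exceeded"
    return "accept"
```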

DarunGrim: A Patch Analysis and Binary Diffing Tool

DarunGrim is a free binary diffing tool. Binary diffing is a powerful technique for reverse-engineering patches released by software vendors such as Microsoft. By analyzing security patches in particular, you can dig into the details of the vulnerabilities they fix. You can use that information to learn what causes the software to break, and it can also help you write protective code for those specific vulnerabilities. It is also used to write 1-day exploits by malware writers and security researchers. This binary diffing technique is especially useful for Microsoft binaries: unlike other vendors, they release patches regularly, and the patched vulnerabilities are relatively concentrated in small areas of the code. That makes the patched part more visible and apparent to patch analyzers. There is also the "eEye Binary Diffing Suites", released back in 2006 and widely used by security researchers to identify vulnerabilities. Even though it is free and open source, it is powerful enough to be used for that vulnerability-hunting purpose. DarunGrim2 is a C++ port of the original Python code and is far faster than the original DarunGrim. DarunGrim3 is an advanced version of DarunGrim2 which provides a nice file management UI.
Binaries: http://github.com/ohjeongwook/DarunGrim/downloads
Source: http://github.com/ohjeongwook/DarunGrim
Reference: http://www.darungrim.org/, http://exploitshop.wordpress.com