Time
1 hour 53 minutes
Difficulty
Beginner
CEU/CPE
3

Video Description

As the title of this section implies, we look exclusively at the protocols at layer 3 and the multitude of threats targeting them. Layer 3 protocols are commonly referred to as the 'I' protocols, though this isn't completely accurate, it suffices for the scope of the CISSP exam. In addition to the IP addressing protocol at layer 3, there is the"IP Helper" protocol ICMP and its various messages that are used by networking diagnostic utilities such as ping and traceroute. We point out that this protocol and its associate messages remains a double-edged sword that is frequently exploited by attackers. We then go on to examine some of the major layer 3 protocol threats. We'll look at Loki attacks which create a convert channel for sneaking data through in the ICMP header. And no discussion of layer 3 threats would be complete without mentioning smurf and DDoS attacks utilizing spoofed ping requests. These may be shopworn attacks that savvy network admins thwart by blocking incoming ICMP messages and directed broadcasts, however, they are still quite prevalent and their impact is no less devastating to their hapless victims.

Video Transcription

00:04
we talked about the hardware at Layer three and now we'll look at some of the software. Ah, specifically the layer three protocols. So of course I p works at layer three. We talked about that is being necessary with routers, but also something to remember for the exam.
00:21
Every protocol that starts with the letter I
00:25
for this exam functions that layer three with one exception, which is I'm app and I map is Internet mail application protocol. It's later seven. And listen, for those of you that are deep into Cisco Land, I understand
00:39
that when you really get underneath the hood, it's very difficult to say this is exactly layer three and
00:46
you could make all these different arguments. We're gonna keep it very light and very kind of superficial in nature. So the layer three protocols start with I accept. I meant so I p sec i g and P I g r key. I see MP ice a camp
01:03
I any of those guys that start with the letter I wanna put it, lay your three,
01:10
and by the way, let me just address that again for second. Um, the deeper you go, I don't want to make it sound like we're just going to say these air layer three even though they're not later three. What I want to stress here is the deeper you go into O s, I model in the further you pull things apart, the more you realize that the S I model wasn't really designed
01:30
to be a box that you stick protocols and devices in that there's a lot more flexibility and there is a lot more.
01:37
Um,
01:38
there's a lot more to it than that. Okay. But I'm gonna keep things on par for the exam. And, um, like I said, the layer three protocols start with I With the exception of I'm out. Okay, So
01:53
because of that layer three is a layer which there are many attacks directed at ah, Specifically, if you look at I c m p Internet control messaging protocol beaten up a lot, lots of exploits of icmp.
02:10
Um, so I would really pay attention here to this layer
02:15
when we talk about ah icmp as I mentioned, it's the protocol behind pink and trace route path Piggott lease and windows. So attacks that exploit that anything that has ping in its name Ping of Death. King floods Those exploit ICMP
02:32
so they would be considered later. Three. Tax
02:36
The low key attack The Loki attack is directed at at carrying out a covert channel. So information is stored in the I, C and P header, which is not where information supposed to be stored. So it's a way of sneaking information through hacking inspection.
02:54
It's a covert channel in a covert channels. Simply any path for communications that wasn't intended to be used for communication.
03:02
Ah, Smurf attack And these attacks. Most of these attacks are quite old, but they're still on the exam. And they're still important because we want to know why we do the things that we do by default and the things that we do by default. Well,
03:17
we don't allow huge pings through. We don't allow numerous things through. We don't allow directed broadcasts. We block icmp at the firewall. So you know, if you're if you've been around for a while and you're looking at some of these attacks, you're going touch. These are dated. Yeah, they are, but they're still testing
03:35
aren't so smart. Attack. What the smurf attack does
03:38
is, um, it's ah, distributed denial of service so I might find a system that I want to take off line. Let's see, I say I was gonna target Google, for instance. Um so what I would do is I would find an unsuspecting network. Okay, these guys are not intentionally part of the attack.
03:59
What I'll do is I will ping the broadcast address of that unsuspecting network,
04:03
but I smoothed the source of that pink packet to look like it comes from Target. But from Google. Remember, When you get a ping, he reply. So if I send a ping to the broadcast address that hits every sect, that every system on the network and they all reply to the source
04:21
which has been spoofed to look like it's Google, so they all respond back to Google. That's the way the Smurf attack would work. Now, there many elements in place that we do today to keep a Smurf attack on being successful. First of all, we block icmp.
04:34
Second of all, we blocked directed broadcasts, and the directly broadcast is when someone from outside your network
04:44
tries to broadcast inside your network. There is no good reason for that to be happening. So we walked, directed, broadcast on the fire while we don't allow icmp packets and and those are just a couple of the ways that we mitigate Smurf attacks, but definitely some exploits here. All of these air layer three attacks.

Up Next

Communication & Network Security

Domain 4 focuses specifically on the basic network and telecommunications concepts. This includes, but is not limited to: secure network architecture design ...

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor