Cybreach Consulting Prendre RDV
Back to articles
Vulnerabilities

Network attacks: DNS/NTP amplification, ICMP, IP spoofing and anonymous sessions

Network vulnerabilities exploit behaviours inherent to communication protocols. Unlike application vulnerabilities that require a flaw in the code, network vulnerabilities often arise from features designed for availability and flexibility that can be repurposed for malicious ends.

DNS and NTP amplification

Amplification attacks use third-party servers to amplify attack traffic towards a victim. The attacker sends small requests (with the victim's IP as source) to servers that generate large responses. For DNS amplification, a 60-byte request can generate a 3000-byte response (50x factor). For NTP with the monlist command, the factor can exceed 200x.

Mitigation: disable recursion on public DNS servers (only respond to legitimate clients), disable the monlist command on NTP, deploy BCP38 (filtering packets with a forged source address at the router level).

ICMP redirects and source routing

ICMP redirects allow a router to ask a host to modify its routing table. An attacker positioned on the network can send fake ICMP Redirect messages to divert traffic through themselves (man-in-the-middle attack). IP source routing allows the sender to specify the path the packet should take, which can be used to bypass network filters.

Disabling ICMP redirects (Linux)

# Désactiver l'acceptation des redirections ICMP
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0

# Désactiver le routage par source
sysctl -w net.ipv4.conf.all.accept_source_route=0

# Rendre permanent dans /etc/sysctl.conf :
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0

NBNS broadcast and LLMNR poisoning

NetBIOS Name Service (NBNS) and Link-Local Multicast Name Resolution (LLMNR) are name resolution protocols that use broadcast on the local network. When a host can't find a name in DNS, it may broadcast a NBNS/LLMNR query to all hosts on the local network. An attacker positioned on the network can respond to these queries with their own address, then capture the NTLM authentication attempts that follow.

Anonymous network sessions (null session SMB)

SMB (Server Message Block) historically supported "null" sessions: unauthenticated connections allowing enumeration of shares, users, and host policies. Although disabled in modern Windows versions by default, legacy configurations may re-enable them. An attacker can exploit these sessions to retrieve the domain user list without authentication, facilitating targeted attacks.

TCP SYN cookie protection

SYN flood attacks inundate a server with TCP SYN packets without completing the handshake, exhausting resources allocated to pending connections. SYN cookies allow the server to not allocate state for each received SYN connection, resisting this attack type. On Linux, SYN cookies are automatically enabled when the connection queue is saturated, but they can be permanently enabled.

Permanently enabling SYN cookies

# /etc/sysctl.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096

A question after reading?

Want to assess the network security of your infrastructure? Send a message.

Or book a 30-minute scoping call directly

Book a call