
Module 3

Uploaded by

Ghassen Debbich

Module 3 Summary:

IP PDU Details:

IP was designed as a Layer 3 connectionless protocol. The IPv4 header consists of several
fields while the IPv6 header contains fewer fields. It is important for security analysts to
understand the different fields in both the IPv4 and IPv6 headers.

IP Vulnerabilities:

There are different types of attacks that target IP. Common IP-related attacks include:

• ICMP attacks
• Denial-of-Service (DoS) attacks
• Distributed Denial-of-Service (DDoS) attacks
• Address spoofing attacks
• Man-in-the-middle (MiTM) attacks
• Session hijacking

ICMP was developed to carry diagnostic messages and to report error conditions when
routes, hosts, and ports are unavailable. Threat actors use ICMP for reconnaissance and
scanning attacks. Threat actors also use ICMP for DoS and DDoS attacks. Threat actors
often use amplification and reflection techniques to create DoS attacks. Threat actors also
use resource exhaustion attacks to consume the resources of a target host to either crash it
or to consume the resources of a network. IP address spoofing attacks occur when a threat
actor creates packets with false source IP address information to either hide the identity of
the sender, or to pose as another legitimate user. Address spoofing attacks can be non-blind
spoofing to hijack a session, or blind spoofing to create a DoS attack. MAC address spoofing
attacks are used when threat actors have access to the internal network.

TCP and UDP Vulnerabilities:

TCP segment and UDP datagram information appear immediately after the IP header. It is
important to understand Layer 4 headers and their functions in data communication. TCP
provides reliable delivery, flow control, and stateful communication. TCP stateful
communication between two parties occurs during the TCP three-way handshake. Threat
actors can conduct a variety of TCP related attacks:

• TCP port scans
• TCP SYN Flood attack
• TCP Reset Attack
• TCP Session Hijacking attack

The UDP segment (i.e., datagram) is much smaller than the TCP segment, which makes it
very desirable for use by protocols that make simple request and reply transactions such as
DNS, DHCP, SNMP, and others. Threat actors can conduct UDP flood attacks, which sweep
through all the known UDP ports on a server trying to find closed ports. This can create a
DoS situation.
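
Added example (not part of the original summary): a small Python decoder that shows how an analyst uses the IPv4 IHL field to find the TCP or UDP header that follows the IP header, and how the TCP flags are read. The function names, the addresses (documentation ranges) and both sample packets are constructed for illustration.

```python
import struct

# TCP flag bits, lowest bit first, in the 16-bit offset/flags word.
TCP_FLAGS = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")

def parse_packet(raw: bytes) -> dict:
    """Decode an IPv4 header and the TCP or UDP header that follows it."""
    if len(raw) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # IHL is counted in 32-bit words
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    info = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "total_length": total_len, "protocol": proto}
    l4 = raw[ihl:]                      # Layer 4 begins after header + options
    if proto == 6 and len(l4) >= 20:    # TCP
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        flags = [n for i, n in enumerate(TCP_FLAGS) if off_flags & (1 << i)]
        info.update(l4="TCP", sport=sport, dport=dport, seq=seq, ack=ack,
                    flags=flags)
    elif proto == 17 and len(l4) >= 8:  # UDP
        sport, dport, length, _csum = struct.unpack("!HHHH", l4[:8])
        info.update(l4="UDP", sport=sport, dport=dport, length=length)
    else:
        info["l4"] = "other/truncated"
    return info

def build_sample(proto: int, l4: bytes, options: bytes = b"") -> bytes:
    """Constructed test packet; checksums are 0 and are not validated."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(l4),
                      1, 0, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return hdr + options + l4

# Constructed samples: a SYN-only segment to port 443 behind 4 bytes of IP
# options, and an 8-byte UDP datagram to port 53.
SYN = build_sample(6, struct.pack("!HHIIHHHH", 40000, 443, 1000, 0,
                                  (5 << 12) | 0x02, 65535, 0, 0),
                   b"\x01\x01\x01\x00")
UDP = build_sample(17, struct.pack("!HHHH", 53000, 53, 8, 0))

if __name__ == "__main__":
    print(parse_packet(SYN))  # flags == ["SYN"]: handshake opened, no ACK yet
    print(parse_packet(UDP))
```

A segment carrying SYN without ACK is the first step of the three-way handshake; large numbers of them from a source that never completes the handshake are what an analyst looks for when investigating the port scans and SYN floods listed above.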
