1
00:00:02,330 --> 00:00:07,370
How can TCP and UDP protocols be used in an attack targeting remote computer systems?

2
00:00:10,960 --> 00:00:18,730
In one of the previous modules we discussed an attack method called the idle scan. The scan uses zombie machines

3
00:00:18,730 --> 00:00:23,620
which provide the attacker with IP address sequences.

4
00:00:23,630 --> 00:00:28,310
This is one of the vulnerabilities of the fourth layer.

5
00:00:28,530 --> 00:00:33,510
If the sequence is predictable (in many computer systems the numbers grow incrementally),

6
00:00:33,510 --> 00:00:38,340
you can first send the packet to the zombie and then you can send the packets to the computer you want

7
00:00:38,340 --> 00:00:46,180
to scan using IP addresses of the zombie. The victim of this scanning exchanges communications only with the

8
00:00:46,180 --> 00:00:52,750
zombie. Whether or not the packet was sent can be deduced from the successive sequential numbers of the

9
00:00:52,750 --> 00:00:53,910
IP protocol.

10
00:00:55,210 --> 00:01:02,990
If the number is higher, it means the packet was received and the reset response was sent. Your documents

11
00:01:02,990 --> 00:01:07,400
did not specify the details of the mechanism that generates the sequential numbers.

12
00:01:08,830 --> 00:01:17,670
It concerns not only IP numbers but also TCP numbers.

13
00:01:17,850 --> 00:01:24,530
Some years ago a very popular type of attack consisted of terminating a TCP session.

14
00:01:24,560 --> 00:01:30,520
There were many programs that allowed the attacker to hijack a TCP session in order to, for example,

15
00:01:30,520 --> 00:01:37,650
throw someone out of a chat. If the attacker had access to the medium and was able to notice that two

16
00:01:37,650 --> 00:01:40,540
machines exchange data in the TCP session,

17
00:01:40,770 --> 00:01:46,980
the attacker could get the sequential numbers of the packets, as we already mentioned.

18
00:01:47,050 --> 00:01:54,390
These numbers are sent to ensure that the delivery is complete. If the numbers were sequential,

19
00:01:54,490 --> 00:01:59,470
the attacker could send packets to the target host impersonating the host that initiated the session.

20
00:02:02,010 --> 00:02:03,070
The attacker could send,

21
00:02:03,070 --> 00:02:06,460
for example, the reset packet.

22
00:02:06,680 --> 00:02:08,890
The result was that the remote computer logged

23
00:02:08,900 --> 00:02:16,130
the given user off of a chat session or some other device. This problem was solved a long time ago.

24
00:02:18,210 --> 00:02:22,620
None of the modern operating systems use easily predictable sequential numbers.

25
00:02:24,170 --> 00:02:29,090
There are still many mechanisms used to generate those numbers.

26
00:02:29,120 --> 00:02:31,310
Some are better, some are worse.

27
00:02:35,080 --> 00:02:40,870
The main threat connected with the fourth layer of the OSI model comes from the possibility to collect

28
00:02:40,870 --> 00:02:45,540
information about the configuration of the remote hosts and services running on them.

29
00:02:48,170 --> 00:02:53,560
This is due to the fact that conventionally certain services always listen on the same ports.

30
00:02:57,220 --> 00:02:59,220
By learning which ports are open,

31
00:02:59,360 --> 00:03:06,950
you get to know which services are running on the remote host. In a minute you'll see a demonstration

32
00:03:06,950 --> 00:03:08,870
on how you can use this information.

33
00:03:11,050 --> 00:03:15,010
What can you do to get protected against threats connected with the protocols of the third layer of

34
00:03:15,010 --> 00:03:22,950
the OSI model? You can employ two elements of a general computer system security strategy: limit the

35
00:03:22,950 --> 00:03:25,270
risk-affected area.

36
00:03:25,380 --> 00:03:33,360
The first way to do so is by blocking ports you don't use; the second, monitor your network for port scan

37
00:03:33,370 --> 00:03:34,110
attacks.
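The lecture's closing advice, monitoring the network for port scan attacks, in working form. This is an added example and not part of the course material: a small Python detector that reads constructed connection-log lines (the log format, IP addresses, ports and timestamps are all invented for this example) and raises an alert when one source touches many distinct destination ports on a single host inside a sliding time window. The slow-scan sample shows the limitation of a fixed window: probes spread out over minutes stay under the threshold unless the window is widened.

```python
"""Toy port-scan detector over constructed connection-log lines.

Added example (not from the course). Constructed log format, one event per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <tcp_flags>
An alert is raised when one source reaches THRESHOLD or more distinct
destination ports on one host within WINDOW seconds.
"""
from collections import defaultdict

THRESHOLD = 10   # distinct ports from one source before alerting
WINDOW = 60.0    # sliding window in seconds

# Constructed sample: 10.0.0.7 is a normal client using two services;
# 10.0.0.5 probes twelve ports on 192.168.1.20 within twelve seconds.
SAMPLE_LOG = """\
1700000000 10.0.0.7 192.168.1.20 443 S
1700000030 10.0.0.7 192.168.1.20 80 S
1700000090 10.0.0.7 192.168.1.20 443 S
1700000010 10.0.0.5 192.168.1.20 21 S
1700000011 10.0.0.5 192.168.1.20 22 S
1700000012 10.0.0.5 192.168.1.20 23 S
1700000013 10.0.0.5 192.168.1.20 25 S
1700000014 10.0.0.5 192.168.1.20 53 S
1700000015 10.0.0.5 192.168.1.20 80 S
1700000016 10.0.0.5 192.168.1.20 110 S
1700000017 10.0.0.5 192.168.1.20 135 S
1700000018 10.0.0.5 192.168.1.20 139 S
1700000019 10.0.0.5 192.168.1.20 143 S
1700000020 10.0.0.5 192.168.1.20 443 S
1700000021 10.0.0.5 192.168.1.20 445 S
"""

# Constructed slow scan: 10.0.0.9 probes eleven ports, one every two minutes.
SLOW_SCAN_LINES = [
    f"{1700000000 + 120 * i} 10.0.0.9 192.168.1.20 {port} S"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443])
]

SAMPLE_LINES = SAMPLE_LOG.splitlines() + SLOW_SCAN_LINES


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port, flags)."""
    ts, src, dst, port, flags = line.split()
    return float(ts), src, dst, int(port), flags


def detect_scans(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (src, dst) pair whose distinct-port count reaches
    `threshold` inside a sliding window of `window` seconds.

    Lines may arrive in any order; they are sorted by timestamp first.
    """
    events = sorted(parse_line(l) for l in lines if l.strip() and not l.startswith("#"))
    recent = defaultdict(list)   # (src, dst) -> [(ts, port), ...] inside the window
    alerted = set()
    alerts = []
    for ts, src, dst, port, _flags in events:
        key = (src, dst)
        # keep only events that are still inside the window ending at `ts`
        recent[key] = [(t, p) for (t, p) in recent[key] if ts - t <= window]
        recent[key].append((ts, port))
        distinct_ports = {p for _, p in recent[key]}
        if len(distinct_ports) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": src, "dst": dst,
                           "distinct_ports": len(distinct_ports), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LINES):
        print(f"possible port scan: {alert['src']} -> {alert['dst']} "
              f"({alert['distinct_ports']} ports by t={alert['at']:.0f})")
    print("slow scan, 60 s window:", detect_scans(SLOW_SCAN_LINES))
    print("slow scan, 1 h window: ", detect_scans(SLOW_SCAN_LINES, window=3600))
```

Run as-is, the fast scanner is reported after its tenth distinct port while the normal client never is. The slow scanner is only caught when the window is widened to an hour, which is the trade-off any threshold-based scan detector has to make between sensitivity to slow scans and false positives from busy legitimate clients.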