Threats and challenges faced by IP network routers

Source: Internet
Author: User
Tags: md5 encryption

IP routers remain the workhorse of packet networks, so this article summarises the threats and challenges they face. The IP networks that emerged at the end of the 20th century grew at an unprecedented pace and are on course to replace the circuit-switched networks that preceded them by a century. Seen from the telecom operator's side, however, IP networks still have open problems in security, quality of service, and operating model.

Security is among the most important of these. The openness of IP networks makes the security problem hard. This article analyses the security threats faced by IP routers and discusses how to test the security functions of router devices.

Security threats to IP network routers

The biggest advantage of an IP network is its openness and its reliance on intelligent end systems, which is what lets it carry such a variety of services and applications. At the same time, that openness and terminal intelligence expose routers to unprecedented security threats. The threats fall into two groups: the security of hosts (user hosts and application servers), and the security of the network itself (the network devices, mainly routers and switches). User hosts mostly see attacks against specific operating systems (mainly Windows), typically viruses and other malware. Network devices mostly face attacks built on TCP/IP. This article discusses the security of the network itself, that is, of the network device, mainly the router. A router can be divided into a data plane, a control/signaling plane, and a management plane; it can also be divided by TCP/IP protocol layer.

(1) The data plane processes the packets that transit the device. It is exposed to traffic-based attacks such as volumetric floods and malformed packets. Their main purpose is to consume the device's processing capacity (on hardware-forwarding routers, mainly the CPU that handles punted and exception traffic) so that legitimate traffic cannot be processed and availability drops. Because the data plane forwards user data, it is also where user data can be stolen, modified, or dropped, which damages the confidentiality and integrity of that data.

(2) The control/signaling plane of a router exchanges routing information. Its main threats are theft of routing information and spoofed routing updates (from rogue neighbors or forged source addresses), which can leak the network topology or inject bogus routes.

(3) The management plane is threatened from two directions: weaknesses of the protocols used for management (such as Telnet and HTTP), and lax operational practice, such as leaked device management credentials.

1. Data plane

(1) LAND attack. A LAND attack exploits flaws in some TCP/IP implementations by sending a TCP SYN packet whose source IP address and port are identical to its destination IP address and port. A vulnerable system then tries to open a connection with itself, wasting resources or hanging.

(2) SYN flood. A SYN flood abuses the TCP three-way handshake: the attacker sends a large number of SYN packets to the target, usually with spoofed, unreachable source addresses. The target answers each with a SYN-ACK and waits for an ACK that never arrives, so its connection backlog fills with half-open connections and legitimate connection attempts are refused.

(3) Smurf attack. A Smurf attack is an ICMP-based reflection DoS. The attacker sends ICMP Echo Requests with the source address spoofed to the victim's address and the destination set to a network's directed-broadcast address; every host on that network replies to the victim, and the flood of Echo Replies overloads the victim and its links. The UDP variant, which uses the UDP echo service, is the Fraggle attack. Routers remove themselves as amplifiers by not forwarding directed broadcasts.

(4) Ping flood. A ping flood sends a continuous stream of ICMP Echo Requests from a high-bandwidth link toward a target on a lower-bandwidth link. The target answers every request, so both its link bandwidth and its processing capacity are consumed.

(5) Teardrop attack. A Teardrop attack abuses IP fragmentation and reassembly by sending forged fragments whose Fragment Offset values overlap. Implementations that do not handle overlapping fragments correctly may hang or crash while reassembling them.

(6) Ping of Death. A Ping of Death sends an ICMP Echo Request that, once its fragments are reassembled, exceeds the maximum IP datagram size of 65535 bytes. The oversized datagram triggers memory allocation or buffer overflow errors in the target and can bring the device down.

Besides these DoS attacks, network devices also receive large volumes of malformed packets and error messages that consume processing capacity; the Ping of Death can itself be viewed as a malformed-packet attack. User data crossing the network may also be sniffed or intercepted. The effective countermeasure against that is to encrypt user data with IPsec.
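The four malformed-packet attacks above (LAND, Smurf, Teardrop, Ping of Death) can all be recognised from header fields alone, which is what a router's packet-sanity checks do before spending CPU on a packet. The following is an added example, not code from the original article: a small IPv4 parser plus a detector that applies those checks to constructed sample packets. The directed-broadcast list, the packet builders and the sample traffic are assumptions made for the demonstration; a real device would also check the IP header checksum and track out-of-order fragments, which this example deliberately skips.

```python
import struct
from collections import defaultdict

ICMP, TCP = 1, 6
TCP_SYN = 0x02
MAX_IP_LEN = 65535          # largest datagram the 16-bit Total Length field can describe


def _addr(a):               # "10.0.0.1" -> b"\x0a\x00\x00\x01"
    return bytes(int(x) for x in a.split("."))


def ipv4_packet(src, dst, proto, payload, ident=1, mf=False, offset=0):
    """Minimal IPv4 datagram (20-byte header, no options). `offset` is the fragment
    offset in bytes (multiple of 8). Header checksum is left 0: not validated here."""
    flags_frag = ((1 if mf else 0) << 13) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, _addr(src), _addr(dst))
    return hdr + payload


def tcp_segment(sport, dport, flags=TCP_SYN):
    """20-byte TCP header, no options, no data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def icmp_echo_request():
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping"


def parse_ipv4(pkt):
    ver_ihl, _, total_len, ident, ff, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "ident": ident, "mf": bool(ff & 0x2000),
            "offset": (ff & 0x1FFF) * 8, "payload": pkt[ihl:total_len]}


class MalformedPacketDetector:
    """Stateless checks for LAND and Smurf; per-datagram fragment bookkeeping for
    Teardrop and Ping of Death. classify() returns a list of findings per packet."""

    def __init__(self, directed_broadcasts):
        self.broadcasts = set(directed_broadcasts)      # assumed: known subnet broadcast addresses
        self.frags = defaultdict(list)                  # (src, dst, ident, proto) -> [(start, end)]

    def classify(self, pkt):
        ip = parse_ipv4(pkt)
        findings = []
        if ip["mf"] or ip["offset"]:
            findings += self._check_fragment(ip)
        if ip["offset"] == 0:                           # the L4 header only exists in the first fragment
            findings += self._check_l4(ip)
        return findings

    def _check_fragment(self, ip):
        key = (ip["src"], ip["dst"], ip["ident"], ip["proto"])
        start, end = ip["offset"], ip["offset"] + len(ip["payload"])
        found = []
        if end > MAX_IP_LEN:
            found.append("ping-of-death: reassembled datagram exceeds 65535 bytes")
        if any(start < e and s < end for s, e in self.frags[key]):
            found.append("teardrop: fragment overlaps an earlier fragment")
        self.frags[key].append((start, end))
        if not ip["mf"]:                                # last fragment seen: forget the datagram
            del self.frags[key]                         # (fragments arriving after it are not tracked)
        return found

    def _check_l4(self, ip):
        p = ip["payload"]
        if ip["proto"] == TCP and len(p) >= 20:
            sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", p[:14])
            if flags & TCP_SYN and ip["src"] == ip["dst"] and sport == dport:
                return ["land: SYN with source == destination address and port"]
        if ip["proto"] == ICMP and len(p) >= 8 and p[0] == 8 and ip["dst"] in self.broadcasts:
            return ["smurf: ICMP echo request to a directed-broadcast address"]
        return []


def run_demo():
    """Constructed sample traffic (not captured from a real network)."""
    det = MalformedPacketDetector(directed_broadcasts={"10.0.0.255"})
    samples = {
        "benign_syn": [ipv4_packet("10.0.0.5", "10.0.0.1", TCP, tcp_segment(40000, 80))],
        "land":       [ipv4_packet("10.0.0.1", "10.0.0.1", TCP, tcp_segment(80, 80))],
        "smurf":      [ipv4_packet("10.0.0.9", "10.0.0.255", ICMP, icmp_echo_request())],
        "teardrop":   [ipv4_packet("10.0.0.9", "10.0.0.1", ICMP, icmp_echo_request() + b"\0" * 20, ident=7, mf=True),
                       ipv4_packet("10.0.0.9", "10.0.0.1", ICMP, b"\0" * 16, ident=7, offset=16)],
        "ping_of_death": [ipv4_packet("10.0.0.9", "10.0.0.1", ICMP, b"\0" * 100, ident=9, offset=65472)],
    }
    return {name: [f for pkt in pkts for f in det.classify(pkt)] for name, pkts in samples.items()}


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name:14s} {findings or 'ok'}")
```

The Ping of Death check needs no reassembly: offset plus fragment length already tells you the datagram would exceed 65535 bytes, so the fragment can be dropped (and logged) on arrival, which is exactly what the anti-DoS test in the last section expects a device to do.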

2. Control/signaling plane

Attacks on the control/signaling plane mainly use rogue or unauthorized routing devices that form a neighbor relationship with legitimate routers in order to obtain, or inject, routing information. Routing protocol authentication is the effective defence. RIPv2, OSPF, and IS-IS support plaintext authentication and keyed-MD5 authentication; BGP, LDP and other TCP-based protocols rely on the TCP MD5 signature option (RFC 2385) to protect their sessions. Note that these schemes authenticate packets, they do not encrypt them, and the keyed-MD5 constructions are dated: where the platform supports it, prefer HMAC-SHA authentication for OSPFv2 (RFC 5709) and TCP-AO (RFC 5925) for BGP.
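To make concrete what "MD5 authentication" of routing packets does and does not protect, here is an added example (not code from the article) modelled on the OSPFv2 cryptographic authentication scheme of RFC 2328 Appendix D: the 16-byte shared key is appended to the packet, MD5 is taken over packet plus key, and the digest is sent after the packet together with a key ID and a cryptographic sequence number in the header. The key, router ID, hello-like body and the stricter-than-RFC replay rule are assumptions of this demonstration, and the example verifies the digest before looking at the sequence number so that an unauthenticated sender cannot advance the replay window.

```python
import hashlib
import hmac
import struct

HDR_LEN = 24       # OSPFv2 header
KEY_LEN = 16       # cryptographic auth uses a 16-byte key; shorter keys are zero-padded (assumption)
AU_CRYPTO = 2      # AuType value for cryptographic authentication


def _pad_key(key):
    if len(key) > KEY_LEN:
        raise ValueError("key longer than 16 bytes")
    return key.ljust(KEY_LEN, b"\0")


def ospf_header(packet_type, router_id, area_id, body_len, key_id, seq):
    """Version 2 header. Checksum is 0 (unused with AuType 2); the 64-bit authentication
    field carries 0 (16 bits) | key id (8) | auth data length (8) | sequence number (32)."""
    return struct.pack("!BBHIIHHHBBI", 2, packet_type, HDR_LEN + body_len, router_id,
                       area_id, 0, AU_CRYPTO, 0, key_id, KEY_LEN, seq)


def sign(packet, key):
    """Append MD5(packet || padded key). The digest is not counted in the Length field."""
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


class Verifier:
    def __init__(self, keys):
        self.keys = keys            # key id -> shared secret
        self.last_seq = {}          # (router id, key id) -> highest sequence number accepted

    def verify(self, wire):
        """Return (accepted, reason)."""
        if len(wire) < HDR_LEN:
            return False, "short packet"
        ver, _, length, rid, _, _, autype, _, key_id, alen, seq = struct.unpack("!BBHIIHHHBBI", wire[:HDR_LEN])
        if ver != 2 or autype != AU_CRYPTO or alen != KEY_LEN:
            return False, "not OSPFv2 cryptographic auth"
        if len(wire) < length + KEY_LEN:
            return False, "digest missing"
        if key_id not in self.keys:
            return False, "unknown key id"
        packet, digest = wire[:length], wire[length:length + KEY_LEN]
        expected = hashlib.md5(packet + _pad_key(self.keys[key_id])).digest()
        if not hmac.compare_digest(digest, expected):          # constant-time comparison
            return False, "bad digest"
        # RFC 2328 accepts seq >= last; rejecting equal values also blocks exact replays.
        if seq <= self.last_seq.get((rid, key_id), -1):
            return False, "replay"
        self.last_seq[(rid, key_id)] = seq
        return True, "ok"


def run_demo():
    key = b"s3cret-ospf-key"                                   # constructed 15-byte secret
    body = b"\xff\xff\xff\x00" + struct.pack("!HBBIII", 10, 0x02, 1, 40, 0, 0)   # hello-like body
    rid, area = 0x0A000001, 0
    v = Verifier({1: key})
    good = sign(ospf_header(1, rid, area, len(body), key_id=1, seq=1001) + body, key)
    results = [v.verify(good)[1]]                              # ok
    results.append(v.verify(good)[1])                          # replay of the same packet
    hdr2 = ospf_header(1, rid, area, len(body), key_id=1, seq=1002)
    results.append(v.verify(sign(hdr2 + body, b"wrong-key"))[1])   # rogue neighbour, wrong key
    tampered = bytearray(sign(hdr2 + body, key))
    tampered[30] ^= 0x01                                       # flip a bit inside the body
    results.append(v.verify(bytes(tampered))[1])               # bad digest
    results.append(v.verify(sign(hdr2 + body, key))[1])        # fresh, correctly keyed packet
    return results


if __name__ == "__main__":
    print(run_demo())
```

Everything in the packet except the digest is still readable on the wire, which is why the text above speaks of authentication rather than encryption: the scheme stops a rogue neighbour from being accepted, not from learning the topology by sniffing.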

3. Management plane

Remote management of devices today mainly uses Telnet and a web interface, but neither Telnet nor HTTP provides any security: session data, user names and passwords cross the network in plaintext, where they are easy to sniff and vulnerable to man-in-the-middle attacks. SSH and SSL/TLS are the standard replacements. SSH (Secure Shell) authenticates and encrypts remote login sessions and other network services, and so prevents disclosure during remote management. SSL/TLS encrypts the traffic between the browser and the device's web server when management is done over the web (HTTPS). Once the secure variants are enabled, Telnet and plain HTTP should be switched off rather than left running beside them.

Network security and device testing

Router testing today mainly targets the basic capabilities of the device: functions, protocols, and performance. As the security requirements on IP networks rise, the router itself must support a range of security capabilities, so testing of those capabilities needs to be strengthened. Router security tests can likewise be organised by the three planes: data plane, control/signaling plane, and management plane.

(1) Test anti-DoS capability. A test instrument generates attack traffic and the handling of that traffic by the device under test is verified. The device should discard the abnormal traffic, keep forwarding legitimate traffic, and raise alarms or log entries.
(2) Test the ACL function. Verify that the device offers rich enough ACL functions to filter illegitimate traffic.
(3) Test protection against IP source address spoofing, mainly the uRPF (Unicast Reverse Path Forwarding) function. The device should look up the packet's source address in its FIB and check that the route back to that source leaves through the interface on which the packet arrived (strict mode) or at least exists and is not a blackhole route (loose mode); a packet that fails the check is discarded.
(4) Test IPsec support. Verify that the device implements IPsec so that the confidentiality of user data can be protected.
(5) Test protocol control. The device should be able to disable protocol services and ports that can be abused for attacks, and to filter packets that pose a risk to the network, for example shutting down the UDP echo and similar small services that reflection attacks exploit, and dropping IP packets that carry source-route options.
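Item (3) is the easiest of these to get wrong in interpretation, so here is an added example (not code from the article) of the uRPF decision itself: a minimal FIB with longest-prefix match and a check in strict and loose mode, run over constructed routes and packets. The routes, interface names, the null0 blackhole convention and the allow-default switch are assumptions of the demonstration; the cases also show the two classic operational pitfalls, a more-specific route learned via another interface (asymmetric routing) and sources covered only by the default route.

```python
import ipaddress


class Fib:
    """Minimal FIB: prefix -> egress interface, longest-prefix match on lookup.
    The interface name 'null0' marks a blackhole route (e.g. a bogon prefix)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        matches = [(n, i) for n, i in self.routes if a in n]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Return (accept, reason) for a packet with source `src` arriving on `ingress`.
    strict: the best route to the source must point back out of the ingress interface.
    loose:  a usable (non-blackhole) route to the source must exist on any interface."""
    route = fib.lookup(src)
    if route is None:
        return False, "no route to source"
    net, egress = route
    if egress == "null0":
        return False, "source is blackholed"
    if net.prefixlen == 0 and not allow_default:
        return False, "only the default route covers the source"   # common vendor behaviour
    if mode == "loose":
        return True, "loose: route to source exists"
    if egress != ingress:
        return False, f"strict: route points to {egress}, packet arrived on {ingress}"
    return True, "strict: route matches ingress"


def run_demo():
    """Constructed routing table and packets (assumed, not from a real device)."""
    fib = Fib([("10.1.0.0/16", "eth0"),      # customer block behind eth0
               ("10.1.5.0/24", "eth2"),      # one customer subnet reached via eth2 instead
               ("192.0.2.0/24", "null0"),    # blackholed (bogon) prefix
               ("0.0.0.0/0", "eth1")])       # default route toward the upstream
    cases = [
        ("customer src on customer port",          "10.1.2.3",    "eth0", "strict", False),
        ("customer src spoofed from upstream",     "10.1.2.3",    "eth1", "strict", False),
        ("same packet, loose mode",                "10.1.2.3",    "eth1", "loose",  False),
        ("bogon src, loose mode",                  "192.0.2.7",   "eth1", "loose",  False),
        ("asymmetric: more-specific via eth2",     "10.1.5.9",    "eth0", "strict", False),
        ("internet src via default, strict",       "203.0.113.5", "eth1", "strict", False),
        ("internet src via default, allow-default","203.0.113.5", "eth1", "strict", True),
    ]
    return {label: urpf_check(fib, src, ing, mode, allow_def)[0]
            for label, src, ing, mode, allow_def in cases}


if __name__ == "__main__":
    for label, accepted in run_demo().items():
        print(f"{'pass' if accepted else 'DROP'}  {label}")
```

The asymmetric case is why strict uRPF is normally deployed only on single-homed customer edges and loose uRPF (or ACLs) elsewhere: the check is only as good as the symmetry of the routing table it consults.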
