Internet/Network Gotchas

The following forty-five (45) Internet/network security gotchas are taken from Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition (ISBN: 0-201-63344-X) by William R. Cheswick et al.

  1. IP source addresses aren’t trustable.
  2. Fragmented packets have been abused to avoid security checks.
  3. ARP-spoofing can lead to session-hijacking.
  4. Sequence number attacks can be used to subvert address-based authentication.
  5. It is easy to spoof UDP packets.
  6. ICMP Redirect messages can subvert routing tables.
  7. IP source routing can subvert address-based authentication.
  8. It is easy to generate bogus RIP messages.
  9. The inverse DNS tree can be used for name-spoofing.
  10. The DNS cache can be contaminated to foil cross-checks.
  11. IPv6 network numbers may change frequently.
  12. IPv6 host addresses change frequently, too.
  13. WEP is useless.
  14. Attackers have the luxury of using nonstandard equipment.
  15. Return addresses in mail aren’t reliable, and this fact is easily forgotten.
  16. Don’t blindly execute MIME messages.
  17. Don’t trust RPC’s machine name field.
  18. Rpcbind can call RPC services for its caller.
  19. NIS can often be persuaded to give out password files.
  20. It is sometimes possible to direct machines to phony NIS servers.
  21. If misconfigured, TFTP will hand over sensitive files.
  22. Don’t make ftp’s home directory writable by ftp.
  23. Don’t put a real password file in the anonymous ftp area.
  24. It is easy to wiretap telnet sessions.
  25. The r commands rely on address-based authentication.
  26. Be careful about interpreting WWW format information.
  27. WWW servers should be careful about URLs.
  28. Poorly written query scripts pose a danger to WWW servers.
  29. The MBone can be used to route through some firewalls.
  30. Scalable security administration of peer-to-peer nodes is difficult.
  31. An attacker anywhere on the Internet can probe for X11 servers.
  32. UDP-based services can be abused to create broadcast storms.
  33. Web servers shouldn’t believe uploaded state variables.
  34. Signed code is not necessarily safe code.
  35. [Client-side script] is dangerous.
  36. Users are ill-equipped to make correct security choices.
  37. Humans choose lousy passwords.
  38. There are lots of ways to grab /etc/passwd.
  39. There is no absolute remedy for a denial-of-service attack.
  40. Hackers plant sniffers.
  41. Network monitoring tools can be very dangerous on an exposed machine.
  42. Don’t believe port numbers supplied by outside machines.
  43. It is all but impossible to permit most UDP traffic through a packet filter safely.
  44. A tunnel can be built on top of almost any transport mechanism.
  45. If the connection is vital, don’t use a public network.
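Gotcha 33 (web servers shouldn’t believe uploaded state variables) in code. This is an added example, not code from the book or from the page: the trusting parser beside a version that binds server-chosen state (a price, here) to an HMAC so a client who edits the hidden field or cookie on the way back is caught. The key name SERVER_KEY, the field layout and the sample order are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Server-side key; an assumption for this example. Load it from a secrets store
# in practice, rotate it, and never send it to the client.
SERVER_KEY = b"example-key-replace-me"


def trusting_parse(field: str) -> dict:
    """The anti-pattern: accept whatever came back in the hidden field."""
    return json.loads(field)


def sign_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Serialize state canonically and bind it to an HMAC-SHA256 tag.
    Token format (this example's choice): base64url(payload).base64url(tag)."""
    payload = base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload.decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify_state(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the state only if the tag verifies; None on any failure."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = payload_b64.encode()
        tag = base64.urlsafe_b64decode(tag_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return None
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # bad split, bad base64 and bad JSON all land here
        return None


def forge_price(token: str, new_price_cents: int) -> str:
    """What the attacker does: edit the payload, keep the original tag."""
    payload_b64, tag_b64 = token.split(".", 1)
    state = json.loads(base64.urlsafe_b64decode(payload_b64))
    state["price_cents"] = new_price_cents
    forged = base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True, separators=(",", ":")).encode())
    return forged.decode() + "." + tag_b64


if __name__ == "__main__":
    # Constructed sample: the server put this order state into a hidden field.
    order = {"item": "book", "price_cents": 1999}
    token = sign_state(order)
    print("round trip:", verify_state(token))
    print("trusting parser swallows:", trusting_parse('{"item":"book","price_cents":1}'))
    print("forged token verifies as:", verify_state(forge_price(token, 1)))
```

The MAC stops silent modification, not replay: a client can still send back an old but genuine token, so anything that must not be reused (a quoted price with an expiry, a one-shot form) needs a timestamp or nonce inside the signed payload, and anything the client has no business seeing should stay server-side rather than travel in the field at all.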
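Gotcha 42 (don’t believe port numbers supplied by outside machines) in code, using the FTP PORT command as the concrete case. This is an added example, not code from the book or from the page: it parses the six-field PORT argument and refuses to open a data connection unless it goes back to the control connection’s own peer on an unprivileged port, which is what closes off the FTP bounce attack. The 1024 threshold and the sample addresses are assumptions made for the example.

```python
import ipaddress
from typing import Tuple

# Lowest port a client may name for its data connection. Anything below lands
# on a privileged service (SMTP, HTTP, ...). The threshold is this example's
# choice, not a value from the book.
MIN_CLIENT_DATA_PORT = 1024


def parse_port_command(args: str) -> Tuple[str, int]:
    """Parse the argument of an FTP PORT command: h1,h2,h3,h4,p1,p2 (RFC 959)."""
    fields = args.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT takes exactly six fields")
    values = []
    for f in fields:
        if not (f.isascii() and f.isdigit()):
            raise ValueError("non-numeric field")
        n = int(f)
        if n > 255:
            raise ValueError("field out of range")
        values.append(n)
    host = ".".join(str(n) for n in values[:4])
    port = values[4] * 256 + values[5]
    return host, port


def data_endpoint_allowed(control_peer: str, host: str, port: int) -> bool:
    """Allow the data connection only back to the control connection's peer,
    on an unprivileged port. Anything else is a bounce attempt or a mistake."""
    try:
        target = ipaddress.ip_address(host)
    except ValueError:
        return False
    if target != ipaddress.ip_address(control_peer):
        return False  # third-party host: the classic FTP bounce
    if not MIN_CLIENT_DATA_PORT <= port <= 65535:
        return False  # would connect us to a privileged service
    return True


def check_port_command(control_peer: str, args: str) -> bool:
    """The combined check a server runs before it opens the data connection."""
    try:
        host, port = parse_port_command(args)
    except ValueError:
        return False
    return data_endpoint_allowed(control_peer, host, port)


if __name__ == "__main__":
    # Constructed sample commands; 192.0.2.10 is the control-connection peer.
    for cmd in ("192,0,2,10,4,1",      # same host, port 1025: accept
                "198,51,100,7,0,25",   # other host, port 25: bounce to SMTP
                "192,0,2,10,0,80",     # same host but privileged port 80
                "192,0,2,10,4"):       # malformed
        verdict = "accept" if check_port_command("192.0.2.10", cmd) else "reject"
        print(cmd, "->", verdict)
```

The same shape of check applies to any protocol that lets a peer name an address or port for a second connection (FTP PASV replies, callback ports in RPC, media endpoints in signalling protocols): the value is attacker-controlled input, so tie it to the endpoint you already authenticated and to a port range you are willing to reach.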