Part III: Hands-On Labs Chapter 3

Layer 3 Attack Labs

IP spoofing, ICMP attacks, routing exploitation, and network layer defense exercises

Chapter 3: Layer 3 Attack Labs

Lab Overview

These labs explore network layer attacks including IP spoofing, ICMP exploitation, and routing analysis.


Lab 3.1: IP Header Analysis

Objective

Understand IP header structure and identify spoofing indicators.

Difficulty: Beginner | Time: 20 minutes

Instructions

Part 1: Capture IP Packets

# Capture any IP traffic
tshark -i eth0 -c 100 -w ip_analysis.pcap

Part 2: Analyze Headers

In Wireshark, select a packet and expand the Internet Protocol layer:

Key fields:
- Version (4 or 6)
- Header Length
- TTL (Time To Live)
- Protocol (6=TCP, 17=UDP, 1=ICMP)
- Source Address
- Destination Address
- Checksum

Part 3: TTL Analysis

# Different operating systems use different default TTLs, and every router
# hop decrements the TTL by one, so the observed value hints at both the
# sender's OS and its distance from you:
# Linux: 64
# Windows: 128
# Cisco: 255

# Filter by TTL range
ip.ttl < 64 and ip.ttl > 0
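As an added example (not part of the lab text), a pure-Python parser for the header fields listed above that also verifies the header checksum and turns an observed TTL into a guessed default and hop count. The 20-byte header it builds for itself is constructed test input.

```python
import struct
import ipaddress

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header whose checksum is valid it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ip_header(data: bytes) -> dict:
    """Decode the fixed IPv4 header fields from Lab 3.1 and verify the checksum."""
    if len(data) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, _tlen, _ident, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4   # IHL is in 32-bit words
    if version != 4 or ihl < 20 or ihl > len(data):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_length": ihl,
        "ttl": ttl,
        "protocol": {1: "ICMP", 6: "TCP", 17: "UDP"}.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": ip_checksum(data[:ihl]) == 0,   # options, if present, are covered too
    }

def guess_initial_ttl(ttl: int) -> tuple:
    """Nearest default TTL (64 Linux, 128 Windows, 255 Cisco) and the implied hop count."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError("TTL must be 0-255")

def build_header(ttl: int, proto: int, src: str, dst: str) -> bytes:
    """Constructed test input: a minimal 20-byte header with the checksum filled in."""
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return raw[:10] + struct.pack("!H", ip_checksum(raw)) + raw[12:]

if __name__ == "__main__":
    info = parse_ip_header(build_header(57, 6, "192.168.1.10", "10.0.0.5"))
    print(info, guess_initial_ttl(info["ttl"]))
```

A packet whose TTL is 57 decodes as a Linux-style sender seven hops away; a packet with a TTL above 128 is either from a 255-default device or has been crafted.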

Verification

  • Identified all major IP header fields
  • Noted TTL values
  • Identified protocol numbers

Lab 3.2: IP Spoofing Detection

Objective

Detect spoofed IP packets.

Difficulty: Intermediate | Time: 30 minutes

Instructions

Part 1: Generate Spoofed Traffic

#!/usr/bin/env python3
"""
IP Spoofing Demo - Generate spoofed ICMP
Run on YOUR lab network only
"""
from scapy.all import IP, ICMP, send

# Spoofed ping
packet = IP(src="192.168.100.200", dst="192.168.1.100") / ICMP()
send(packet, verbose=True)

print("Sent spoofed ICMP from 192.168.100.200")

Part 2: Detect in Capture

# On target machine
sudo tcpdump -i eth0 icmp -nn

# Look for:
# - Source IP that doesn't match ARP resolution
# - Source IP from unexpected subnet

Part 3: Identify Impossible Sources

Spoofing Indicators:

1. Martian addresses from external:
   - 10.0.0.0/8
   - 172.16.0.0/12
   - 192.168.0.0/16
   - 127.0.0.0/8

2. Source = Destination

3. Source from unexpected network

Wireshark filter:
ip.src == 10.0.0.0/8 or ip.src == 172.16.0.0/12

Verification

  • Generated spoofed packet
  • Detected in capture
  • Identified spoofing indicators

Lab 3.3: ICMP Analysis

Objective

Analyze ICMP messages for reconnaissance and attack indicators.

Difficulty: Beginner | Time: 30 minutes

Instructions

Part 1: Generate ICMP Traffic

# Echo request/reply
ping -c 4 google.com

# Traceroute (generates TTL exceeded)
traceroute google.com

# Port unreachable (send a datagram to a closed UDP port; nc only transmits
# once it has something to send, so feed it a byte and let it time out)
echo probe | nc -u -w1 192.168.1.1 33434

Part 2: Analyze ICMP Types

Wireshark filter: icmp

ICMP Types to identify:
- Type 0: Echo Reply
- Type 3: Destination Unreachable
  - Code 0: Network unreachable
  - Code 1: Host unreachable
  - Code 3: Port unreachable
- Type 8: Echo Request
- Type 11: Time Exceeded (traceroute)

Filter examples:
icmp.type == 8  # Ping requests
icmp.type == 3  # Unreachable
icmp.type == 11 # TTL exceeded

Part 3: Reconnaissance Indicators

Suspicious ICMP patterns:
- Ping sweep: Many Type 8 to sequential IPs
- Traceroute mapping: Many Type 8 with varying TTL
- Port scan indication: Type 3 Code 3 responses
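As an added example (not from the lab text), a small detector for the two patterns above that can be decided from a capture alone: a ping sweep (one source sending Echo Requests to a run of sequential addresses) and the port-unreachable burst a UDP scan provokes. The records are constructed to mimic the Wireshark columns, and the thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed ICMP records (src, dst, icmp_type, icmp_code): a sweep of 192.168.1.1-20
# by .50, twelve Type 3 Code 3 replies from .10 back to .50, and one ordinary ping.
SAMPLE = (
    [("192.168.1.50", f"192.168.1.{i}", 8, 0) for i in range(1, 21)]
    + [("192.168.1.10", "192.168.1.50", 3, 3)] * 12
    + [("192.168.1.7", "8.8.8.8", 8, 0), ("8.8.8.8", "192.168.1.7", 0, 0)]
)

def longest_sequential_run(addrs) -> int:
    """Length of the longest run of consecutive IPv4 addresses in addrs."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addrs})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def detect_icmp_recon(records, sweep_hosts=10, unreach_count=10):
    """Return alert strings for the Lab 3.3 patterns (thresholds are assumed values)."""
    echo_targets = defaultdict(set)   # source -> hosts it sent Echo Requests (Type 8) to
    unreachables = defaultdict(int)   # (responder, scanner) -> count of Type 3 Code 3
    for src, dst, itype, icode in records:
        if itype == 8:
            echo_targets[src].add(dst)
        elif itype == 3 and icode == 3:
            unreachables[(src, dst)] += 1
    alerts = []
    for src, targets in echo_targets.items():
        if longest_sequential_run(targets) >= sweep_hosts:
            alerts.append(f"ping sweep: {src} probed {len(targets)} sequential hosts")
    for (responder, scanner), n in unreachables.items():
        if n >= unreach_count:
            alerts.append(f"port scan indication: {responder} sent {n} port-unreachables to {scanner}")
    return alerts

if __name__ == "__main__":
    for line in detect_icmp_recon(SAMPLE):
        print(line)
```

Note that the port-unreachable pattern names the scanned host as the ICMP source: the scanner is the destination of those replies.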

Verification

  • Generated each ICMP type
  • Identified types in Wireshark
  • Recognized reconnaissance patterns

Lab 3.4: IP Fragmentation Analysis

Objective

Understand IP fragmentation and evasion techniques.

Difficulty: Intermediate | Time: 30 minutes

Instructions

Part 1: Generate Fragmented Traffic

# Send large ping (will be fragmented)
ping -s 3000 -c 1 192.168.1.1

# Capture and analyze
# Wireshark filter: ip.frag_offset > 0

Part 2: Analyze Fragment Headers

Fragment fields:
- More Fragments (MF) flag
- Fragment Offset
- Identification (same for all fragments)

First fragment:
- MF = 1, Offset = 0
- Contains beginning of data

Middle fragments:
- MF = 1, Offset > 0

Last fragment:
- MF = 0, Offset > 0

Part 3: Detect Fragment Attacks

Suspicious fragmentation:
- Overlapping offsets (Teardrop)
- Tiny fragments (evasion)
- Fragment flood (DoS)

Filter:
ip.flags.mf == 1  # More fragments
ip.frag_offset > 0  # Fragment
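As an added example (not from the lab text), a reassembly check that walks each (source, Identification) group and reports the overlapping and tiny-fragment patterns above, plus holes and missing last fragments. The fragment records are constructed; the first group is what ping -s 3000 produces, and the 16-byte tiny-fragment threshold is an assumption.

```python
from collections import defaultdict

# Constructed fragment records (src, ip_id, mf_flag, frag_offset, payload_bytes).
# Offsets are in 8-byte units, as carried on the wire. Group 1: ping -s 3000 (3008 bytes
# of ICMP split 1480/1480/48). Group 2: Teardrop-style overlap. Group 3: tiny first fragment.
SAMPLE = [
    ("192.168.1.20", 0x1111, 1, 0, 1480),
    ("192.168.1.20", 0x1111, 1, 185, 1480),
    ("192.168.1.20", 0x1111, 0, 370, 48),
    ("192.168.1.66", 0x2222, 1, 0, 32),
    ("192.168.1.66", 0x2222, 0, 3, 24),     # bytes 24-47 overlap bytes 0-31
    ("192.168.1.77", 0x3333, 1, 0, 8),      # too short to hold a transport header
    ("192.168.1.77", 0x3333, 0, 1, 20),
]

def check_fragments(records, min_first=16):
    """Reassemble each (src, ip_id) group on paper and report Lab 3.4 indicators.
    min_first is an assumed threshold for a suspiciously small first fragment."""
    groups = defaultdict(list)
    for src, ip_id, mf, offset, length in records:
        groups[(src, ip_id)].append((offset * 8, length, mf))
    findings = []
    for (src, ip_id), frags in groups.items():
        frags.sort()
        expected_next = 0                  # first byte not yet covered by earlier fragments
        for start, length, mf in frags:
            if start == 0 and mf == 1 and length < min_first:
                findings.append((src, ip_id, "tiny first fragment"))
            if start < expected_next:
                findings.append((src, ip_id, "overlapping fragment"))
            elif start > expected_next:
                findings.append((src, ip_id, "gap in fragments"))
            expected_next = max(expected_next, start + length)
        if frags[-1][2] == 1:              # highest-offset fragment still has MF set
            findings.append((src, ip_id, "no final fragment"))
    return findings

if __name__ == "__main__":
    for finding in check_fragments(SAMPLE):
        print(finding)
```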

Verification

  • Generated fragmented traffic
  • Identified fragment fields
  • Recognized suspicious patterns

Lab 3.5: Routing Analysis

Objective

Analyze routing behavior and identify anomalies.

Difficulty: Intermediate | Time: 30 minutes

Instructions

Part 1: Trace Network Path

# Standard traceroute
traceroute -n google.com

# TCP traceroute (better through firewalls)
sudo tcptraceroute google.com

# Record results

Part 2: Analyze in Wireshark

# Capture traceroute (BPF spells a span of ports as "portrange")
tshark -i eth0 -f "icmp or udp portrange 33434-33500" -w trace.pcap &
traceroute -n 8.8.8.8

In Wireshark:
- Filter: icmp.type == 11 or icmp.type == 3 or icmp.type == 0
  (Type 3 Code 3 marks the end of a UDP traceroute, Type 0 the end of an ICMP one run with traceroute -I)
- Note each hop's IP
- Identify any anomalies (unexpected paths)

Part 3: Path Change Detection

# Run traceroute multiple times
# Compare paths
# Different paths might indicate:
# - Load balancing (normal)
# - BGP changes (investigate)
# - Hijacking (critical)

Verification

  • Completed traceroute analysis
  • Captured TTL exceeded messages
  • Documented network path

Lab 3.6: Detecting Network Attacks

Objective

Build detection rules for Layer 3 attacks.

Difficulty: Intermediate | Time: 30 minutes

Instructions

Part 1: Detection Signatures

# Snort/Suricata rules for Layer 3 attacks
# (a rule is one line; the trailing backslash continues it on the next line)

# ICMP Flood detection
alert icmp any any -> any any (msg:"ICMP Flood"; \
    threshold:type both, track by_src, count 100, seconds 10; \
    sid:1000001; rev:1;)

# Land Attack (src=dst)
alert ip any any -> any any (msg:"Land Attack"; \
    sameip; sid:1000002; rev:1;)

# IP Spoofing - Impossible source (private address heading out to the Internet)
alert ip 10.0.0.0/8 any -> $EXTERNAL_NET any (msg:"Spoofed Internal IP"; \
    sid:1000003; rev:1;)

Part 2: Create Detection Script

#!/usr/bin/env python3
"""
Simple Layer 3 anomaly detector
"""
import ipaddress
from scapy.all import sniff, IP

# Source ranges that should never arrive from the outside (Lab 3.2 Part 3)
MARTIANS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def analyze_packet(pkt):
    if IP in pkt:
        src = pkt[IP].src
        dst = pkt[IP].dst

        # Land attack detection
        if src == dst:
            print(f"[!] Land Attack: {src} == {dst}")

        # Private IP from external (simplified)
        if any(ipaddress.ip_address(src) in net for net in MARTIANS):
            # In a real scenario, check interface direction: this only
            # matters for packets that arrived on the external interface
            print(f"[?] Potential spoof: {src} -> {dst}")

# Capture packets (raw capture needs root)
sniff(filter="ip", prn=analyze_packet, count=100)
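As an added example serving both the spoofing indicators of Lab 3.2 Part 3 and the direction check the script above leaves as a comment, a direction-aware classifier that runs offline on (interface, src, dst) triples. It is not part of the lab materials; the three-interface route table is a constructed stand-in for a real FIB, and the last check is the strict uRPF rule from the Defense Recommendations table: accept a source only on the interface a reply to it would leave from.

```python
import ipaddress

# Constructed route table: prefixes reachable out of each interface (a toy FIB).
ROUTES = {
    "eth0_lan": [ipaddress.ip_network("192.168.1.0/24")],
    "eth1_dmz": [ipaddress.ip_network("10.10.0.0/16")],
    "eth2_wan": [ipaddress.ip_network("0.0.0.0/0")],
}

def best_interface(addr):
    """Longest-prefix match over ROUTES: the interface a reply to addr would leave from."""
    best = None
    for iface, nets in ROUTES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (iface, net.prefixlen)
    return best[0] if best else None

def spoof_indicators(iface, src, dst):
    """Return the Lab 3.2 indicators that apply to a packet arriving on iface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    if s == d:
        hits.append("source equals destination (Land)")
    if s.is_loopback or s.is_multicast or s.is_unspecified or s.is_reserved:
        hits.append("martian source")
    # is_private covers the lab's list (10/8, 172.16/12, 192.168/16, 127/8) and a few more
    if iface == "eth2_wan" and s.is_private:
        hits.append("private source from external")
    if best_interface(s) != iface:          # strict uRPF: reply path must match ingress
        hits.append("fails strict uRPF")
    return hits

if __name__ == "__main__":
    for triple in [("eth0_lan", "192.168.1.10", "8.8.8.8"),
                   ("eth2_wan", "192.168.1.10", "192.168.1.10"),
                   ("eth0_lan", "10.10.5.5", "192.168.1.10")]:
        print(triple, spoof_indicators(*triple))
```

The third sample triple shows why the interface matters: 10.10.5.5 is a perfectly valid DMZ address, but it cannot legitimately enter on the LAN interface.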

Verification

  • Wrote detection rules
  • Tested against sample traffic
  • Documented detection logic

Lab Summary

Skills Acquired

  • IP header analysis
  • Spoofing detection
  • ICMP type identification
  • Fragmentation analysis
  • Route tracing
  • Detection rule creation

Defense Recommendations

Attack          Detection                Prevention
IP Spoofing     Impossible source IPs    uRPF, BCP38
ICMP Flood      Rate thresholds          ICMP rate limiting
Fragmentation   Offset analysis          Fragment reassembly