The Four Primary Types of Network Attack

While there are many variations and often different names, the four most common types of network attacks are

  • Reconnaissance attacks

  • Access attacks

  • Denial-of-service attacks

  • Data manipulation attacks

    STUDY TIP

    Some texts and certification exams might consider only the first three as specific types of network attacks, with data manipulation being a variety of access attack.

Reconnaissance Attacks

A reconnaissance attack, as the name implies, is the effort of an unauthorized user to gain as much information about the network as possible before launching other, more serious, types of attacks. Quite often, the reconnaissance attack is carried out using readily available public information.

Public Information

Employee names and e-mail addresses provide a good start in guessing the user name for an employee’s account. Common practice is to use an employee’s first initial and last name as the user name for their network computer account. E-mail addresses are also a common user name for computer accounts. Large companies usually have their phone numbers assigned in blocks from the local telephone company, and many large corporations have their own dialing prefix. By using this information, the intruder can begin war dialing all the company phone numbers looking for a dial-up server. Once a dial-up server is found, the intruder can begin guessing account user names based on an employee’s first initial and last name or their e-mail addresses. Brute force password crackers are freely available on the Internet. Once a user name has been guessed, it’s only a matter of time before a weak password can be cracked.

A war dialer is a program used to dial blocks of phone numbers until it finds a computer on the other end of the line. Once a computer is found, the war dialer application records the number dialed for later use by the intruder.


Internet Protocol (IP) address information is publicly available via ARIN and the other Internet registries. From www.arin.net, anyone can begin a search using a single known IP address; the search yields the complete block of IP addresses allocated to the company. The Domain Name System (DNS) is another publicly available source that can provide a wealth of information about the IP addressing and naming strategies of virtually any company connected to the Internet.

For a company to host its own e-mail, web, FTP, or any other service on the Internet, it must first have each of these servers listed in the DNS infrastructure. These DNS records list the names of the servers along with the IP addresses used to reach them. To mitigate this exposure, security-conscious companies can choose to host these servers and services outside their private networks with a hosting company. This added security is usually rendered moot, however, by adding back-end connections from the hosting facility into the private network.

Electronic Reconnaissance

The attacker must perform electronic reconnaissance to find what systems and resources are on the network. Unless the attacker has prior knowledge of the target network, he or she must find where the company resources are logically located. Once the company IP addresses are known (see the preceding section, “Public Information”), the attacker can begin to probe and scan the network. The intruder can scan the network looking for vulnerable hosts, applications, or infrastructure equipment.

Scanning the network is typically done using a ping sweep utility that pings a range of IP addresses. The purpose of this scanning is to find what hosts are currently live on the network. The ping sweep identifies viable targets on the network. Once the IP address of viable hosts is known, the attacker can then begin to probe those hosts to gather additional information, such as the OS or applications running on those hosts.

Probing is attempting to discover information about the hosts that are on the network. Probing is accomplished by looking for open ports on the available host computers. Ports are like virtual doorways to the computer. For a computer to offer or use services on the network, it must first have an open port. Web servers typically use port 80, while FTP servers use port 21. An attacker can find out what services are running on a computer by discovering what ports that computer has opened.

TCP/IP uses port numbers to locate services running on host computers. The port number used by an application is that application's address on that host. The address for a web application on host 10.0.0.1 would be 10.0.0.1:80, which specifies the host address 10.0.0.1 and the application address 80. Most common applications use well-defined port numbers. The list of well-known port numbers managed by the Internet Assigned Numbers Authority (IANA) can be viewed at http://www.iana.org/assignments/port-numbers.

The more ports that are open, the more potential there is for someone to exploit the services running on the host computer. Once the attacker knows which ports are open, he or she can use this information to discover the OS and the application servicing each port (for example, from the banner a service sends when a connection is opened).

The purpose of this scanning and probing is to find weaknesses on the network. Intruders know the vulnerabilities of certain OSs and the applications they run. The intruder increases his or her chance of succeeding by finding the weakest point on the network and later attacking that vulnerability. The attacker continues to discover information about the network until they have a complete map of the hosts, servers, and weaknesses to exploit in the future.
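The probing step described above, as an added example (not code from the original text): a TCP connect scan with banner grabbing. To keep it runnable offline it starts a few throwaway listeners on 127.0.0.1 that imitate common services and then scans them; the port numbers, hostnames, version strings and the closed-port check are all constructed for the example, and the crude fingerprinting in `guess_service` is a stand-in for what tools such as NMAP do far more thoroughly.

```python
"""Added example: TCP connect scan plus banner grab against local fake services."""
import socket
import threading

# Constructed fake services: banner sent on connect (b"" = silent until asked).
FAKE_SERVICES = {
    "ftp": b"220 corp-ftp01 FTP server ready\r\n",      # constructed hostname
    "ssh": b"SSH-2.0-OpenSSH_8.9\r\n",                   # constructed version
    "http": b"",  # HTTP servers say nothing until they receive a request line
}

def start_fake_service(banner: bytes) -> int:
    """Listen on a free loopback port; send `banner` (or answer an HTTP request)
    to each client, then close. Returns the port. Runs in a daemon thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    if banner:
                        conn.sendall(banner)
                    else:
                        conn.settimeout(3.0)
                        req = conn.recv(256)
                        if req.startswith((b"HEAD", b"GET")):
                            conn.sendall(b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.57\r\n\r\n")
                except OSError:
                    pass
    threading.Thread(target=serve, daemon=True).start()
    return port

def find_closed_port() -> int:
    """Grab a free port from the OS and release it, so a probe of it is refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port

def probe_port(host: str, port: int, timeout: float = 0.5) -> dict:
    """TCP connect probe of one port. A completed handshake means the port is
    open; the service is then identified from what it says, or from what it
    answers to an HTTP HEAD if it stays silent."""
    result = {"port": port, "open": False, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["open"] = True
            s.settimeout(timeout)
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
            if not data:
                try:
                    s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                    data = s.recv(256)
                except OSError:
                    data = b""
            result["banner"] = data.decode("ascii", "replace").strip()
    except OSError:          # refused, timed out, unreachable: treat as closed
        pass
    return result

def connect_scan(host, ports, timeout=0.5):
    return [probe_port(host, p, timeout) for p in ports]

def guess_service(banner: str) -> str:
    """Crude service fingerprint from the banner text."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220") and "FTP" in banner.upper():
        return "ftp"
    if banner.startswith("HTTP/"):
        return "http"
    return "unknown"

def demo():
    """Start the fake services, then scan them plus one port known to be closed."""
    live = {name: start_fake_service(b) for name, b in FAKE_SERVICES.items()}
    results = connect_scan("127.0.0.1", list(live.values()) + [find_closed_port()])
    for r in results:
        r["service"] = guess_service(r["banner"]) if r["open"] else "closed"
    return results

if __name__ == "__main__":
    for r in demo():
        print(r)
```

A real scan differs mainly in scale and stealth: it runs against the address block found in the public-information step, probes thousands of ports per host, and, because a full connect leaves a log entry on the target, often uses half-open (SYN) probes instead, which need raw sockets and are omitted here.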

Reconnaissance Tools

The most common and widely used hacking tools are reconnaissance tools. Many of these tools have been developed by hackers to aid them in their illicit activities. Other tools used by hackers are the same tools commonly used by network engineers to view problems on the network.

As security and intrusion detection have grown more sophisticated, so has the software used by hackers. Intrusion-detection software looks for the traffic patterns that scanning and probing leave behind. Hackers know that scanning and probing a network is likely to create suspicion and might generate alarms. Because of this, hackers have begun to develop new software that attempts to hide the true purpose of its activity, for example by spreading probes out over time or across many source addresses. Reconnaissance tools in common use today include the following:

  • NMAP

  • WHOIS

  • SATAN

  • Ping

  • Portscanner

  • Nslookup

  • Strobe

  • Trace

Access Attacks

Access attack is a catch-all phrase for a variety of forms of unauthorized access to computer resources. An access attack could be an outside individual or group using various methods to gain entry to a network and, from there, stealing confidential information or destroying resources. It could also be an inside (trusted) user getting into areas they aren't authorized to use, whether out of curiosity or with the same intentions as the outside hackers.

Gaining Initial Access

In many cases, the first objective is to gain initial access, so additional reconnaissance can be conducted. This reconnaissance could include scouting out resources, IP addresses, and possibly running a network discovery (mapping) program or even a sniffer-type packet-capturing utility, hoping to capture administrative-level passwords.

War dialers can be used to dial a large number of phone numbers looking for modems. A newer variation, commonly called war driving, involves sitting in a parking lot or in a building across the street with a laptop and a wireless NIC, looking for unsecured or poorly secured access points.

Again, don’t overlook the person on the inside who already has access through an authorized user name and password. Whether connecting from outside or from an inside host, they have the first hurdles resolved.

Social Engineering

The term social engineering, as applied to security, came from early hacking efforts on telephone systems and long-distance services. Social engineering rests on a simple idea: why risk breaking into a system by brute force or tools when a friendly employee can be talked into helping you do it? It is generally a hacker's clever manipulation of an employee's natural tendency to trust and to want to be helpful.

More than one company with elaborate authentication processes, firewalls, virtual private networks (VPNs), and network monitoring software has been left wide open to an attack by an employee unwittingly giving away key information in an e-mail or by answering questions over the phone with someone they don’t know. This is one area where the would-be hacker can benefit from a friendly demeanor, a good smile, and knowledge of looking and acting like they belong.

Don't make the mistake of thinking only lower-level employees are prone to this. The fear of appearing not to cooperate with an obviously important activity has led to the compromise of many a manager.

Password-Based Attacks

To use a user account on a server or network, you must first have the user name and password. Discovering the user names is a fairly straightforward process described in the preceding section. Attackers use password crackers to crack the passwords to user accounts. Some password crackers obtain the hashed password file from the server and crack it offline. When a hacker is unable to retrieve the password file, brute force password crackers are used instead. Brute force password crackers attempt to log in to a computer account over and over using many password candidates. Some cracking software uses dictionary files, while others attempt every combination of each key on the keyboard, a time-consuming ordeal.

Commonly used password crackers include the following:

Microsoft Windows

  • L0phtCrack 4

  • PWLVIEW

  • Pwlhack 4.10

  • PWL-Key

  • ntPassword

UNIX

  • Qcrack by the Crypt Keeper

  • CrackerJack by Jackal

  • John the Ripper by Solar Designer

  • Crack by Alec Muffet

A good password system locks the account after a limited number of tries to thwart this type of attack. The successful hacker has the same access to resources as the users whose accounts they compromised to gain access to those resources.
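The two cracking modes described above, and the lockout that defeats one of them, as an added example that is not code from the original text. The password file, wordlist, salts and accounts are constructed for the example, and the hash (SHA-256 over salt plus password) is a simplified stand-in for the purpose-built password hashes (crypt(3) variants, bcrypt, scrypt, Argon2) a real system would use; the point it shows is that an account lockout stops online guessing but does nothing against an attacker who has already obtained the hashed file.

```python
"""Added example: offline dictionary crack vs. online guessing against a lockout."""
import hashlib

def _h(salt: str, pw: str) -> str:
    """Simplified stand-in for a real password hash (assumption for the example)."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()

# Constructed sample "password file": user -> (salt, hash). The strong password
# is the one the text gives as an example; the others follow common habits.
PASSWORD_FILE = {
    "jsmith":  ("x9Q2", _h("x9Q2", "password")),     # in every wordlist
    "mjones":  ("Lk41", _h("Lk41", "Summer2003")),   # word + capital + year
    "rgarcia": ("p0Z7", _h("p0Z7", "23!!pandA")),    # strong per the text
}

# Constructed, deliberately tiny wordlist.
WORDLIST = ["123456", "password", "letmein", "summer", "winter", "qwerty", "admin"]

def mangle(word):
    """Typical wordlist 'rules': case variants and appended digits or years."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "2002", "2003", "!"):
        yield word + suffix
        yield word.capitalize() + suffix

def offline_crack(password_file, wordlist):
    """When the hashed file was retrieved: hash each candidate with the user's
    salt and compare. No login attempts are made, so no lockout can trigger."""
    cracked = {}
    for user, (salt, digest) in password_file.items():
        for word in wordlist:
            hit = next((c for c in mangle(word) if _h(salt, c) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked

class LoginService:
    """Toy login endpoint with the lockout policy recommended in the text."""
    def __init__(self, password_file, max_attempts=5):
        self.pf = password_file
        self.max_attempts = max_attempts
        self.failures = {u: 0 for u in password_file}
        self.locked = set()

    def login(self, user, password):
        if user not in self.pf or user in self.locked:
            return False
        salt, digest = self.pf[user]
        if _h(salt, password) == digest:
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= self.max_attempts:
            self.locked.add(user)          # further guesses are pointless
        return False

def online_guess(service, user, wordlist):
    """When the file could not be retrieved: push candidates through the login
    interface. Returns (password or None, attempts made, account locked?)."""
    attempts = 0
    for word in wordlist:
        for cand in mangle(word):
            if user in service.locked:
                return None, attempts, True
            attempts += 1
            if service.login(user, cand):
                return cand, attempts, False
    return None, attempts, user in service.locked
```

Run against the constructed file, `offline_crack` recovers jsmith's and mjones's passwords immediately and never finds rgarcia's, while `online_guess` against a service that locks after five failures is stopped long before it reaches "password" in the list. With the lockout effectively disabled the same online attack succeeds, which is the case the text warns about.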

General password security lapses can put a password in the hands of an intruder. This can be something as simple as passwords written on a desk pad, an appointment calendar, or an address book, to gaining access to a person’s home or laptop computer where the logon password is being remembered by the OS. More than one company’s security has been compromised by a child accessing the system from home or a friend’s house using a password appropriated from a parent.

One-time password (OTP) systems and/or cryptographic authentication can almost eliminate the threat of password attacks. OTPs combine "something you have," such as a password-token generator (a hardware token or software on your computer), with "something you know," such as a PIN. The token uses the PIN to generate what appears to be a unique password. Once a token value has been used, it won't work again, thwarting an intruder who captured it with a sniffer.
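The OTP mechanism described above, as an added example that is not code from the original text: an HMAC-based one-time password token (HOTP, RFC 4226) and the server-side check that makes a sniffed value worthless. The secret key (the RFC's own test-vector key), the PIN and the five-step resynchronization window are assumptions for the example; treating the PIN as a separate "something you know" factor checked by the server is one common arrangement, not the only one.

```python
"""Added example: HOTP (RFC 4226) token with replay-rejecting verification."""
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class Token:
    """'Something you have': holds the secret and a counter that only moves forward."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

class OtpServer:
    """Knows the same secret and the highest counter it has already accepted."""
    def __init__(self, secret: bytes, pin: str, look_ahead: int = 5):
        self.secret = secret
        self.pin = pin                  # 'something you know' (constructed)
        self.last_counter = -1
        self.look_ahead = look_ahead    # tolerate a few unused token presses

    def verify(self, pin: str, code: str) -> bool:
        """Accept only if the PIN matches and the code belongs to a counter
        value beyond the last one accepted. A replayed code fails because its
        counter is at or below last_counter."""
        if not hmac.compare_digest(pin, self.pin):
            return False
        start = self.last_counter + 1
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c   # this and every earlier value is now dead
                return True
        return False
```

The first three assertions in the check below are the RFC 4226 test vectors, which is how you confirm an HOTP implementation before trusting it. An attacker with a sniffer sees a valid PIN plus code go by, but replaying the pair fails, and a fresh code without the PIN fails too.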

If standard passwords must be used, strong passwords—those that would be difficult to guess—can help. Strong passwords should be at least eight characters long and contain both uppercase and lowercase letters, numbers, and special characters (such as 23!!pandA). While randomly generated passwords might be the best, they’re hard to remember and often lead users to write them down.

Gaining Trusted or Privileged Access

Once initial access has been accomplished, the hacker will attempt to exploit any privileges associated with that access, including the ability to get into shared resources. If the initial account has limited access permissions, the hacker will try to gain administrator privileges (root in UNIX). With the higher privileges, the hacker can expand their influence by creating additional accounts they control, cleaning up any logs or history of their activities, and installing additional tools for reconnaissance.

Denial of Service (DoS) Attacks

Denial of service (DoS) attacks in their many forms are by far the most infamous, and possibly the most threatening to organizations that conduct any business over the Internet. The primary purpose of any DoS attack is to deny access to a device, or better still an entire network, by bombarding it with useless traffic. The attack has two ways to bury the target. First, the packets themselves can consume 100 percent of a device's resources, preventing it from doing its regular work. Because a firewall or intrusion detection system can often defeat this form fairly easily, the second threat is far greater: the organization's connection(s) to the Internet fill to capacity with the useless traffic, preventing communication in either direction. For this reason, a DoS attack of this kind typically can be defeated only with the help of the organization's ISP.

Because the ISP’s upstream connection, called a fat pipe, is typically many times larger than the connection to each customer, the ISP might be completely oblivious to the attack. If the ISP’s staff and service policies are less than optimal, the organization under attack might seem doomed. Figure 1-1 shows the relative capacity of the ISP’s link to the Internet versus the much smaller links to their customers.


Figure 1-1: Bandwidth comparison for ISP to client links vs. ISP upstream links

The true DoS attack launched by a single host generally isn't used, except by the least experienced hackers. Figure 1-2 shows a traditional DoS attack. The two most devastating variations are the distributed denial of service (DDoS) and the distributed reflection denial of service (DRDoS). Both enlist the assistance of many (often hundreds of) unsuspecting hosts, which significantly increases the size of the attack, further shields the source, and makes the attack harder to defend against.


Figure 1-2: DoS attack with a single attacker and a single target

DDoS

DDoS attacks start with the attacker(s) placing Zombie (technically "bot," short for "robot") programs on a series of compromised computers connected to the Internet by relatively high-bandwidth links. These Zombies are programmed to monitor specific Internet Relay Chat (IRC) channels to receive further instructions. The attack is directed and coordinated by a Zombie Master, who sends instructions to the individual Zombies, which then begin generating a flood of malicious traffic aimed at the target. Figure 1-3 shows a DDoS attack.


Figure 1-3: DDoS attack involving Zombie remote hosts

Early DoS attacks on some famous web sites involved many computers on university campuses and even some from security agencies. These computers had unprotected security holes, were online around the clock, and provided large connections to the Internet. Today, DSL and cable modem connections make many home and small business computers more attractive as Zombie sites because they often lack the security features and staff to defend against the intrusion.

Some Zombies, once in place, download and install additional applications that can map the local network, capture passwords or keystrokes, and report findings to the instigators of the attacks.

DRDoS

The latest variation on the DoS, the DRDoS, involves one or more hosts sending a series of TCP SYN requests or ICMP ping requests to many unsuspecting, even thoroughly secure, hosts using the “spoofed” source address of the target. When these hosts respond to what appears to be a legitimate, nonthreatening request, they collectively create an unsupportable flood of packets aimed at the target. Figure 1-4 shows a DRDoS attack. Again, even if the target device(s) can determine what’s happening, only a cooperative ISP can block the traffic before it buries the target’s Internet connection.

Figure 1-4: DRDoS attack showing the interim hosts

If the originating source continues to vary the type of packets sent to the reflectors, the filters at the ISP have only temporary or limited usefulness before they need to be changed.

Well-Known DoS Attacks

Knowing about common, well-known attacks can be useful and interesting, and when someone indicates an attack is a variation of the Ping of Death, you will know what that means. Well-known attacks include the following:

  • TCP SYN Flood Uses the TCP establishment handshake to conduct attacks by creating TCP “half-open” connections, tricking the target or reflector into thinking a session is being established.

  • Ping of Death Sends one or more oversized ping packets to crash or disable servers and other computer systems. Sending an illegal IP datagram (larger than the 65,535-byte maximum) is possible because the datagram is fragmented during transmission; when the fragments are reassembled at the target, they can overflow the reassembly buffer and cause a reboot, crash, or hang.

  • Trinoo A distributed tool (bot) used to launch coordinated UDP flood DoS attacks from many sources. A Trinoo network consists of a small number of masters and a large number of bots.

  • Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K) Like Trinoo, variations of TFN use a distributed tool to launch coordinated DoS attacks from many sources against the target(s), often using spoofed source IP addresses. TFN bots can generate UDP flood attacks, TCP SYN flood, ICMP echo request flood, and ICMP directed broadcast (for example, smurf) DoS attacks.

  • Stacheldraht (German for “barbed wire”) Combines features of the Trinoo DDoS tool with those of the original TFN, and adds encrypted communications between the attacker and stacheldraht masters and automated agent updates.

  • Trinity Preys on Linux servers and uses IRC channels to unleash IP packet floods on targeted host machines.

Terrorism, Act of War, and Legal Implications

Variations of the DoS attack are likely to be a major component of global terrorism and even a part of government-sponsored acts of aggression against perceived enemies. The devastating effect that a massive distributed attack could have on a country's command and control systems, financial systems, utility grids (power, telephone, transportation, and so on), and other services is something to remember.

While we hope most of us will never be in a position to directly defend against such an attack, it’s critical that the resources under our control do not become unwitting hosts to any kind of DDoS attack.

Many lawyers became quite computer savvy and versed in the areas of financial responsibility in preparation for the feeding frenzy they expected from the Year 2000 “bugs.” While that threat never materialized, many lawyers are now advising victims of DDoS attacks that the unwitting hosts of the attack bots might have financial liability because of not detecting and eliminating the devices. Security practices that allow these unauthorized residents to do their dirty deeds could carry a hefty price tag.

While the original hacker is careful to conceal their identity and address, they have a whole lot less interest in protecting the bot hosts. If, in fact, lawsuits against remote sites become common, it’s not inconceivable that the bot site might be the ultimate target of an attack.

Motivation and Good Sense

While many reasons or rationalizations exist that an individual or group of individuals might choose to launch a form of DoS attack on a network, one thing common to many attacks is anger. Real or imagined, the attacker blames the site, the owners of the site, or the users of the site for some slight, injustice, or wrongdoing. Add to this the apparent anonymity the attacker enjoys, and it's generally a no-win situation to provoke or even incur the interest of these individuals needlessly. The size and scope of the Internet means your site can literally fall prey to a "sniper" 12,000 miles away.

Attackers typically have the time, and the cost to them is close to zero. The target is in the opposite position: once the attacks begin, time is virtually nonexistent. The costs, direct and in lost business or reputation, start to soar. Be well aware that no Internet Police Department or anyone else is going to handle this for you.

Don't make yourself a target. Practice good security measures and involve law enforcement in all criminal acts, but be forewarned that personal attacks and even belittling terms like "script kiddies" might precipitate a career of fighting these attacks. Sometimes even protective security measures taken in response to an attack on your network can escalate the attack.

Time isn’t as universal as many of us think. When a network is under attack and the administrator has brought in all the high-priced talent, added new technologies, and possibly even lined up law enforcement, it’s common to want the attack to continue long enough to identify and catch the attacker. Remember, other than anger or adrenalin, the hacker has nothing invested and could recognize they can even cause greater losses by being unpredictable. In most cases, the worst that can happen is that the hacker gets locked out.

Techniques to Counteract DoS Attacks

While the threat of DoS attacks can’t be eliminated, it can be reduced through the following three methods:

  • Anti-DoS features Proper implementation and configuration of anti-DoS features available on routers and firewalls can help limit the effectiveness of an attack. These features could include limiting the number of half-open connections allowed at any given time, or limiting the number of connections of certain types that can originate from a single source address.

  • Antispoofing features Proper implementation and configuration of antispoofing features on routers and firewalls can help limit a hacker’s ability to mask their identity. RFC 2827 filtering should be configured at a minimum (see the upcoming section “IP Spoofing”).

  • ISP traffic rate limiting The ISP agrees to filtering limits on the amount of nonessential traffic that can cross link(s) to the company at one time. The filtering might limit the volume of ICMP traffic, a common source of distributed denial of service (DDoS) attacks, into a network because it’s used only for diagnostic purposes.
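The first and third countermeasures above, as an added example that is not code from the original text: a small policy engine of the kind a router or firewall runs, applied to a constructed packet trace. It caps half-open (embryonic) TCP connections in total and per source address, ages out half-open entries, and rate-limits ICMP per second. The thresholds, timings and addresses are made up for the example; real devices expose equivalent knobs under their own names, and an ISP-side rate limit is the same idea applied upstream of the customer link.

```python
"""Added example: half-open connection limits and ICMP rate limiting over a trace."""
import collections

class DosPolicy:
    def __init__(self, max_half_open=100, max_half_open_per_src=10,
                 icmp_per_second=50, half_open_max_age=10.0):
        self.max_half_open = max_half_open
        self.max_half_open_per_src = max_half_open_per_src
        self.icmp_per_second = icmp_per_second
        self.half_open_max_age = half_open_max_age
        self.half_open = {}                       # (src, sport) -> time of SYN
        self.per_src = collections.Counter()      # half-open count per source
        self.icmp_window = collections.deque()    # timestamps of recent ICMP
        self.dropped = collections.Counter()      # why packets were dropped

    def _expire(self, now):
        """Embryonic connections older than max_age are torn down, so a flood
        that never completes the handshake cannot pin the table forever."""
        for key, t in list(self.half_open.items()):
            if now - t > self.half_open_max_age:
                del self.half_open[key]
                self.per_src[key[0]] -= 1

    def packet(self, now, kind, src, sport=0):
        """Return 'pass' or 'drop' for one packet; kind is 'SYN', 'ACK' or 'ICMP'."""
        self._expire(now)
        if kind == "SYN":
            if len(self.half_open) >= self.max_half_open:
                self.dropped["half_open_total"] += 1
                return "drop"
            if self.per_src[src] >= self.max_half_open_per_src:
                self.dropped["half_open_per_src"] += 1
                return "drop"
            self.half_open[(src, sport)] = now
            self.per_src[src] += 1
            return "pass"
        if kind == "ACK":
            # Third packet of the handshake: the connection is no longer embryonic.
            if self.half_open.pop((src, sport), None) is not None:
                self.per_src[src] -= 1
            return "pass"
        if kind == "ICMP":
            while self.icmp_window and now - self.icmp_window[0] >= 1.0:
                self.icmp_window.popleft()
            if len(self.icmp_window) >= self.icmp_per_second:
                self.dropped["icmp_rate"] += 1
                return "drop"
            self.icmp_window.append(now)
            return "pass"
        return "pass"

def run_trace(policy, trace):
    """Apply the policy to (time, kind, src, sport) tuples; count the verdicts."""
    outcome = collections.Counter()
    for now, kind, src, sport in trace:
        outcome[policy.packet(now, kind, src, sport)] += 1
    return outcome

def demo_trace():
    """Constructed trace: a legitimate client completing three handshakes, a
    flooder sending 40 SYNs that never complete, and 120 ICMP echoes in one second."""
    trace = []
    for i in range(3):
        trace.append((0.1 * i, "SYN", "10.1.1.5", 40000 + i))
        trace.append((0.1 * i + 0.05, "ACK", "10.1.1.5", 40000 + i))
    for i in range(40):
        trace.append((1.0 + 0.01 * i, "SYN", "203.0.113.9", 50000 + i))
    for i in range(120):
        trace.append((2.0 + i / 120.0, "ICMP", "198.51.100.7", 0))
    return trace

if __name__ == "__main__":
    p = DosPolicy()
    print(run_trace(p, demo_trace()), dict(p.dropped))
```

On the constructed trace the legitimate client is never touched, the flooder gets its first ten SYNs in and the remaining thirty dropped, and only the first fifty ICMP packets of the burst pass. Note what this cannot do: if the flood has already filled the access link, the drops happen after the damage, which is why the text insists on the ISP's cooperation.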

Data Manipulation Attacks

Data manipulation, or impersonation, is made possible by vulnerabilities in the IP protocols and related applications. Data manipulation attacks are often called "man-in-the-middle" attacks because they typically involve an attacker positioned between two communicating hosts, exploiting weaknesses in TCP/IP to read or alter the traffic passing between them. Common forms of these attacks include IP spoofing, session replay, session hijacking, rerouting, repudiation, and vandalizing web pages.

IP Spoofing

An IP spoofing attack involves an external or internal hacker who pretends to be using a trusted computer by using the address of that computer. The hacker either uses an IP address within the range of trusted internal addresses for the network or an authorized external address that's both trusted and allowed access to specified network resources. IP spoofing is often used as part of other attacks, such as any variation of DoS attack, to hide the hacker's identity.

IP spoofing is often limited to the introduction of malicious data or commands into an existing data stream in a peer-to-peer network session. Spoofing a source address might enable data to be sent through a router interface with filtering based on the source address.

The threat of IP spoofing can be reduced, but not eliminated, through the following measures:

  • RFC 2827 filtering Basically, RFC 2827 filtering means dropping any packet that arrives on an interface claiming a source address that should already be on the far side of that interface. If the entire 195.17.1.0 network is attached to a router interface, then no legitimate packets with source addresses in that network should be coming in through the router from outside. This should certainly be applied to edge routers, but it can also be used on internal routers to prevent spoofing within the network. Similarly, limiting outbound packets to ones with source addresses assigned to that network prevents the network's own hosts from spoofing other networks, whether the spoofing comes from an attacker on the inside or from a DoS bot on a local host participating in an attack on an outside target. If the company can get its ISP to perform RFC 2827 filtering on packets coming into the network, that preserves the bandwidth of the link and kills some attack attempts before they arrive.

    Note

    Spoofing could be virtually eliminated if all ISPs filtered client traffic to allow only source addresses assigned to that client. If hackers can’t spoof it, this makes going undetected harder.

  • RFC 1918 filtering RFC 1918 filtering means filtering out RFC-defined “private” addresses from entering or exiting the network segment. Because they have no business on the Internet, they shouldn’t be there. If private addresses are used in the network, RFC 2827 filtering will include them.

  • Non-IP address authentication IP spoofing is worthwhile when devices use IP address–based authentication. If you use additional authentication methods, IP spoofing attacks lose much of their value. Cryptographic authentication is the strongest form of additional authentication, but if this isn’t possible, use strong, two-factor authentication, such as OTP.
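The RFC 2827 and RFC 1918 checks above, as an added example that is not code from the original text: an edge filter for a router with one inside prefix, run over constructed packets in both directions. The text's 195.17.1.0 network is used as the inside prefix; the /24 mask, the other addresses and the packet list are assumptions for the example, and the filter is meant for the outside-facing interface, where internal addresses have already been translated if the company uses private addressing behind NAT.

```python
"""Added example: RFC 2827 ingress/egress and RFC 1918 private-address filtering."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class EdgeFilter:
    def __init__(self, inside_prefix: str):
        self.inside = ipaddress.ip_network(inside_prefix)

    @staticmethod
    def _private(addr) -> bool:
        return any(addr in net for net in RFC1918)

    def check(self, direction: str, src: str, dst: str):
        """direction is 'in' (arriving from the Internet) or 'out' (leaving).
        Returns (verdict, reason)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # RFC 1918: private addresses have no business on the Internet link,
        # in either direction and in either header field.
        if self._private(src) or self._private(dst):
            return "drop", "rfc1918: private address on the Internet link"
        # RFC 2827 ingress: our own prefix cannot legitimately arrive from outside.
        if direction == "in" and src in self.inside:
            return "drop", "rfc2827-ingress: inside source address arriving from outside"
        # RFC 2827 egress: nothing leaves with a source address we do not own.
        if direction == "out" and src not in self.inside:
            return "drop", "rfc2827-egress: inside host spoofing a foreign source"
        return "pass", ""

def apply_filter(flt, packets):
    """packets: (direction, src, dst) tuples; returns them with verdict and reason."""
    return [(d, s, t) + flt.check(d, s, t) for d, s, t in packets]

SAMPLE_PACKETS = [  # constructed for the example
    ("in",  "203.0.113.4",  "195.17.1.10"),    # normal inbound
    ("in",  "195.17.1.200", "195.17.1.10"),    # spoofed as an inside host
    ("in",  "10.3.3.3",     "195.17.1.10"),    # private source from the Internet
    ("out", "195.17.1.20",  "198.51.100.9"),   # normal outbound
    ("out", "198.51.100.9", "203.0.113.4"),    # local DoS bot spoofing a foreign source
    ("out", "195.17.1.20",  "192.168.1.1"),    # private destination leaking out
]

if __name__ == "__main__":
    for row in apply_filter(EdgeFilter("195.17.1.0/24"), SAMPLE_PACKETS):
        print(row)
```

The egress rule is the one that keeps your own hosts from taking part in someone else's DRDoS attack; the ingress rule is what the text asks the ISP to apply on your behalf, since dropping the packet on your side of the link saves nothing.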

Session Replay and Hijacking

Session replay is a form of man-in-the-middle attack in which the intruder captures a packet sequence and later retransmits it, possibly after modifying part of the data, so that the receiver accepts it as legitimate traffic. This type of attack relies on the inherent weakness of data traffic that carries no per-packet authentication or freshness check.

Session hijacking is a form of a man-in-the-middle attack where the attacker takes over an IP session that’s underway by spoofing source and/or destination addressing and altering TCP sequence numbering. Typically, a packet sniffer is used to set up the hijacking by allowing the user to see the existing traffic.

Rerouting

Rerouting involves either gaining access to a router to change its route table entries, or spoofing the identity of routers or hosts so that traffic is directed to a compromised device. Spoofed ARP replies are one way to do this on a LAN: they cause a host to send packets intended for a specific host or the default gateway to another local host instead. That host can perform its assigned task (capturing or altering the data) and then forward the packet on to the correct destination, so the victim notices nothing.
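A passive detector for the ARP-reply spoofing just described, as an added example that is not code from the original text. It replays a constructed list of ARP "is-at" replies, flags any IP whose MAC address changes, flags any MAC that claims more than one IP (the signature of a host poisoning both ends of a conversation), and shows the effect of pinning the gateway's mapping the way a static ARP entry would. All addresses are made up for the example.

```python
"""Added example: ARP spoofing detection from observed ARP replies."""
import collections

def watch_arp(replies, protected=()):
    """replies: (ip, mac) pairs in arrival order. protected: IPs (such as the
    default gateway) whose first-seen mapping is pinned, like a static entry.
    Returns (alerts, learned_table). Each alert is a tuple beginning with its kind:
    ('mapping-changed', ip, old_mac, new_mac) or ('mac-claims-many', mac, None, ips)."""
    table = {}                                     # ip -> mac as the host would learn it
    ips_by_mac = collections.defaultdict(set)      # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(("mac-claims-many", mac, None, sorted(ips_by_mac[mac])))
        if ip in table and table[ip] != mac:
            alerts.append(("mapping-changed", ip, table[ip], mac))
            if ip in protected:
                continue          # keep the pinned mapping; do not learn the spoof
        table[ip] = mac
    return alerts, table

SAMPLE_REPLIES = [                          # constructed
    ("192.168.1.1",  "00:11:22:33:44:55"),  # real default gateway
    ("192.168.1.50", "aa:bb:cc:dd:ee:01"),  # victim workstation
    ("192.168.1.1",  "de:ad:be:ef:00:01"),  # attacker: "the gateway is at my MAC"
    ("192.168.1.50", "de:ad:be:ef:00:01"),  # attacker: "the victim is at my MAC"
]

if __name__ == "__main__":
    for alert in watch_arp(SAMPLE_REPLIES, protected=("192.168.1.1",))[0]:
        print(alert)
```

Both alerts fire on the constructed trace. With the gateway pinned the victim's traffic toward the gateway still goes the right way, but the gateway's replies toward the victim are still diverted, which is why the detector matters more than the pin: the fix is to find the host behind de:ad:be:ef:00:01 and take it off the network.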

Repudiation

Repudiation is the denial of having been a part of a data exchange. This repudiation might be to avoid responsibility for an action. Nonrepudiation is a security feature that helps ensure that data has been sent and received by the parties claiming to have sent and received it. Nonrepudiation guarantees that the sender of a message can’t later deny (repudiate) having sent the message. Similarly, the recipient can’t deny having received the message.

Methods for implementing nonrepudiation include the following:

  • Digital signatures A value computed over the message with the sender's private key and verifiable by anyone holding the matching public key; because only the holder of the private key could have produced it, it ties the message to an individual much as a written signature does

  • Confirmation services The message transfer agent creates digital receipts indicating messages were sent and/or received

  • Timestamps The date and time a document was composed, proving a document existed at a certain time
