Archive for November, 2008

h1

Attacks

November 30, 2008

Security of a network and its systems involves protection against a variety of attacks. These attacks might affect only certain areas of your operations or disrupt them as a whole. Some attacks are an attempt to gain access or damage one particular user account or one server. Other attacks try to disrupt the entire network infrastructure itself or prevent customers from accessing a public Website.
Attacks are launched for a variety of reasons. A casual hacker might only be testing the security of the system and doing no damage at all. More malicious users could try to damage parts of your system or cause you to lose valuable data. Other unauthorized users might want access to confidential records, which can also be an act of corporate espionage.
The purpose of the attack isn’t the main concern. The main concern is how to prevent these attacks from succeeding. By being aware of the various types of attacks, tools, and resources used by malicious users, you’re protecting yourself with knowledge. By knowing where and how to expect attacks, you can install preventative measures to protect your system.

Network-Based Attacks
Of the type of attacks that can assault a network and computer system, many attacks are geared toward specific system accounts, system services, or applications. The most damaging and, obviously, the most poopular attacks by hackers involve disrupting the network itself. The network is the infrastructure that allows all systems and devices to communicate with each other, so disrupting those communication lines can be the most damaging attack a network can suffer.

Denial of Service
Denial of Service (DoS) attacks have been well-publicized recently because of their capability to easily deny access toa particular Web or Internet site. In a DoS attack, a hacker overloads a specific server with data, so it can’t process the data fast enough to keep up. System performance slows to a crawl because it simply can’t keep up with the flood of data being sent to it. This affects the Website’s capability to service legitimate requests because the client won’t receive any responses to their queries. This type of attack can also be performed on entire networks, as the DoS attack is targeted at the central router or firewall where all data passes through. The network traffic becomes so high that nothing can get in or out of the network. This type of attack is more common than attacking a single server because the network bandwidth is being attacked, which effectively denies access to all systems on that network rather than only one.
A more organized and devastating attack is a Distributed DoS attack, where the flood of data originates from multiple hosts at the same time. The combined effects quickly overload any server or network device. As opposed to a single origin of a DoS attack, a network administrator can’t pinpoint and deny access by the one host because the attacks will be coming from multiple hosts, distributed throughout the Internet. Usually, these originating hosts aren’t willfully engaged in the attack. Hackers can secretly install software on an insecure server somewhere else on the Internet and use that to remotely flood another host with data. This effectively hides the true origin of the attack, especially when the Internet Protocol (IP) addresses are spoofed to show a different originating address than the actual origin of the attack.
The most common form of attack uses simple TCP/IP protocol utilities such as Packet Internet Groper (ping). Ping is a command used to find out if a certain host (classified as a destination host) is functioning and communicating with the network. A user sends a ping or query packet to the destination host. The destination host sends back an acknowledgement that it is indeed working and on the network. Used in a DoS attack, a malicious user can send a continuous stream of rapid ping attempts. The host is then overloaded by having to acknowledge every ping, rendering it unable to process legitimate requests.
Another type of DoS attack is the synchronous idle character (SYN) flood. SYN is an aspect of the TCP/IP protocol that allows systems to synchronize with each other while communicating. One system sends a SYN packet and this is acknowledged by the other system. This process can be abused by a hacker by sending forged SYN packets to a host, which is unable to reply to the request because the return address is incorrect. This causes the host to halt communications while waiting for the other system to reply. If the host is flooded with a high number of forged SYN packets, it will be overloaded and unable to respond to legitimate requests.
DoS attacks can be difficult to stop and prevent, but some simple configuration changes on the local routers and firewalls can help prevent these types of attacks. The simplest way of protecting against ping flood types of attacks is to disable the Internet Control Message Protocol (ICMP) protocol at the firewall or router level, so the host won’t acknowledge any ping attempts from outside the network.
Other types of attacks, such as SYN floods, are caused by vulnerabilities in the network protocols themselves. The TCP/IP implementation of your operating system should be upgraded to the latest version by installing recent service packs and security patches. Some firewalls and other security products also contain the capability to detect network flood attacks, can actively block them, and can try to trace them back to a source.

Back Door
A Back Door traditionally is defined as a way for software programmers to access a program while bypassing its authentication schemes. The back door is coded in by the programmer during development so, at a later time, they can break into their own program without having to authenticate to the system through normal access methods. This is helpful to programmers because they needn’t access the program as they normally would in a typical user mode (where they’d be forced to enter authentication information, such as a username and password).
In hacking terms, a back door program is a program secretly installed on an unsuspecting computer user’s computer so the hacker can later access the user’s computer bypassing any security authentication systems. The back door program runs as a service on the user’s computer and listens on specific network ports not typically used by traditional network services. The hacker runs the client portion of the program on their computer, which then connects to the service on the target computer. Once the connection is established, the hacker can gain full access, including remotely controlling the system. Hackers usually don’t know what specific systems are running the back door, but their programs can scan a network’s IP addresses to see which ones are listening to the specific port for that back door.
Back door software is typically installed as a Trojan Horse as part of some other software package. A user might download a program from the Internet that contains the hidden back door software. To protect your computer against the programs, anti-virus programs can now detect the presence of these back door programs. Personal firewalls can also detect suspicious incoming and outgoing network traffic from your computer. Port-scanning software can also be used to identify any open ports on your system you don’t recognize. The open ports can be cross-referenced with lists of ports used by known back door programs.

Spoofing
One of the more popular methods for hacking a system is spoofing network addresses, which involves modifying the header of a network packet to use the source address of an external or internal host different from the original address. By spoofing the IP address, the destination host could be fooled into thinking the message is from a trusted source. The cause of this problem is that the architecture of Transmission Control Protocol/Internet Protocol (TCP/IP) has no built-in mechanism to verify the source and destination IP addresses of its network packets. A hacker can spoof the IP address to make it look like it’s coming from a different location. It can even be made to look like the IP address of an internal system.
IP spoofing is mainly used by hackers to hide their identity when attacking a network system, especially in a DoS-type attack. By spoofing the IP addresses of the incoming packets, network administrators could have a difficult time determining the real source of the attacks before they can set up a filter to block out that IP address.
Another use for spoofing is the capability to emulate a trusted internal system on the network. As an example, if a local server has an IP address of 192.168.17.5, and only accepts connections from that network, a hacker can modify the source address of the packet to mimic an internal address, such as 192.168.17.12. This way, the server thinks the packets are coming from an internal trusted host, not a system external to the network.
To help prevent spoofing attacks, your router or firewall might be able to filter incoming traffic to restrict network traffic coming into the external interface. By configuring the filter to prevent external packets originating from internal addresses, spoofed addresses can’t enter the network.

Smurf Attack
A Smurf Attack exploits the use of IP broadcast addressing the the Internet Control Message Protocol (ICMP) protocol. ICMP is used by networks, and also through administrative utilities, to exchange information about the state of the network. ICMP is used by the ping utility to contact other systems to see if they’re operational. The destination system returns an echo message in response to a ping message.
A hacker uses a smurf utility to build a network packet with a spoofed IP address that contains an ICMP ping message addressed to an IP broadcast address. A Broadcast Address is one that includes all nodes of a certain network and messages to that address will be seen by all of them. The ping echo responses are sent back to the target address. The amount of pings and echo responses can flood the network with traffic, causing systems on the network to be unresponsive.
To prevent smurf attacks, IP broadcast addressing should be disabled on the network router because this broadcast addressing is only used rarely.

TCP/IP Hijacking
Together with spoofing, an unauthorized user can also effectively hijack a network connection of another user. For example, by monitoring a network transmission, a hacker can analyze the source and destination IP addresses of the two computers. Once hackers know the IP address of one of the participants, they can knock them off their connection using a DoS or other type of attack, and then resume communications or by spoofing the IP address of the disconnected user. The other user is tricked into thinking they are still communicating with the original person. The only real way to prevent this sort of attack from occurring is having some sort of encryption mechanism, such as Internet Protocol Security (IPSec).

Man-in-the-Middle
A Man-in-the-Middle attack is exactly what the name says: a form of hijack attack. In-between the sender and the receiver of a communication, a person in the middle can intercept or listen in on the information being transferred. For example, if a person is talking to someone on the phone and another person listens to the conversation on another phone receiver in the house, this other person is the man-in-the-middle.
These types of attacks usually occur when a network communications line is compromised through the installation of a network packet sniffer, which can analyze network communications packet by packet. Many types of communications use plain, clear text and this is easily read by someone using a packet sniffer. During an encrypted communication, a hacker can intercept the authentication phase of a transmission and obtain the public encryption keys of the participants.
To prevent man-in-the-middle attacks, a unique server host key can be used to prove its identity to a client known as a host. This has been implemented in newer versions of the Secure Shell (SSH) protocol, which was vulnerable to man-in-the-middle attacks in the past.

Replay
A Replay attack occurs when an unauthorized user captures an encrypted or password-protected communication, breaks the encryption or password, and then sends the communication to its original destination, acting as the original sender.
This most often happens with certain types of authentication systems that issue authentication tickets, such as Kerberos. The hacker captures the ticket, breaks the encryption, and then resends the ticket to impersonate the original client.
To prevent reply attacks from succeeding, timestamps or sequence numbers can be implemented. This allows the authentication system to accept only network packets that contain the appropriate stamp or sequence number. If the time stamp is beyond a certain threshold, then the packet is discarded.

Birthday Attack
A Birthday Attack refers to a statistical, mathematical method of breaking an encryption key. The basis of the birthday attack is this: it’s easier for you to find two people who have the same birthday, rather than trying to find one person with a specific birth date. The odds are much more in favor of the former situation and you’ll discover the exact birth date of two people, instead of one.

Brute Force Attack
A Brute Force Attack is just that – an attempt to break a password or encryption scheme through simple repetition of attempts. A wide variety of utilities can perform these attacks. An actual person trying to log in through repeated use of different passwords could be there for many years before finding the combination. Modern hacking utilities can cycle through thousands of combinations of letters and numbers to guess a password.
To prevent brute force attacks on user accounts, the simplest and most efficient way is to set the limits on login attempts.

Dictionary Attack
A Dictionary Attack is a form of the brute force attack. By capturing an encrypted password file that contains all the login names and their corresponding passwords, an unauthorized user can run special programs that compare the file with a list of common, dictionary-based passwords.
By running a comparison of the of the encrypted password file with the hashed values of the common passwords, many users’ login accounts can be unlocked with the revealed passwords.

Social Engineering
The easiest way to discover someone’s password is to often simply ask her. Social Engineering is defined as using and manipulating human behavior to obtain a required result. A user can frequently be easily led to reveal her password or to provide personal information that might reveal her password.
The only way to protect against security abuses because of social engineering is user education, and emphasizing the need to follow security procedures at all times, even when dealing with someone you know within the company.