Hacker Tools: Common Network Attacks
Network attacks that are directed by a hacker are called directed attacks. For example, a hacker sending a WinNuke packet (generated by the WinNuke utility, discussed later in this chapter) to a specific machine is considered a directed attack. Viruses are traditionally not directed attacks. The virus is unknowingly copied from user to user. Viruses are some of the most prevalent attacks used on the Internet. In this section, we’ll discuss some of the techniques that hackers commonly use to attack a network.
IP Spoofing
IP spoofing is the process of sending packets with a fake source address, pretending that the packet is coming from within the network that the hacker is trying to attack. The address can be considered stolen from the hacker’s target network. A router (even a packet-filtering router) is going to treat this packet as coming from within the network and will let it pass; however, a firewall can prevent this type of packet from passing into the secured network.
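The check a firewall applies to stop spoofed packets is an ingress (and egress) address filter: a packet arriving on the external interface must not claim a source address from inside the protected network. The following is an added example, not code from this chapter; the internal address ranges, interface names and sample packets are constructed for the illustration.

```python
# Added example (not from the chapter): an ingress/egress anti-spoofing check
# of the kind a firewall applies at its external interface. Packets arriving
# from the Internet that claim an internal source address are dropped, as are
# packets leaving the internal interface with a non-internal source address.
# The address ranges and sample packets below are constructed for the example.
import ipaddress
from dataclasses import dataclass

# Assumed protected (internal) address space for the example.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]


@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str     # claimed source IP address
    dst: str     # destination IP address


def is_internal(addr: str) -> bool:
    """True if addr belongs to one of the protected internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def ingress_decision(pkt: Packet) -> str:
    """Return 'DROP' for a spoofed packet, otherwise 'PASS'.

    A packet from the external interface cannot legitimately carry an internal
    source address, so it is dropped. A packet from the internal interface must
    carry an internal source address (egress filtering), so our own hosts cannot
    be used to spoof someone else's network.
    """
    if pkt.iface == "ext" and is_internal(pkt.src):
        return "DROP"
    if pkt.iface == "int" and not is_internal(pkt.src):
        return "DROP"
    return "PASS"


def filter_packets(packets):
    """Apply ingress_decision to a batch; return (passed, dropped) lists."""
    passed, dropped = [], []
    for p in packets:
        (passed if ingress_decision(p) == "PASS" else dropped).append(p)
    return passed, dropped


# Constructed sample traffic: two spoofed packets mixed with legitimate ones.
SAMPLE_PACKETS = [
    Packet("ext", "203.0.113.5", "10.0.0.20"),      # legitimate inbound
    Packet("ext", "10.0.0.7", "10.0.0.20"),         # spoofed: internal src from outside
    Packet("int", "192.168.1.10", "198.51.100.3"),  # legitimate outbound
    Packet("int", "203.0.113.9", "198.51.100.3"),   # spoofed outbound
]

if __name__ == "__main__":
    passed, dropped = filter_packets(SAMPLE_PACKETS)
    for p in dropped:
        print("DROP", p.iface, p.src, "->", p.dst)
    print(f"{len(passed)} passed, {len(dropped)} dropped")
```

The decision depends only on which interface the packet came in on and whether its source address belongs to the protected ranges, which is why this rule can be enforced at the network edge without inspecting the payload.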
The Ping of Death
The Ping of Death is a type of denial of service (DoS) attack. A DoS attack prevents any users, even legitimate ones, from using the system. Ping is primarily used to see if a computer is responding to IP requests. Normally, when you ping a remote host, four normal-sized ICMP (Internet Control Message Protocol) packets are sent to the remote host to see if it is available. In a Ping of Death attack, a very large ICMP packet is sent to the remote host, whose buffer is flooded by this packet. Typically, this causes a system to reboot or hang. Patches to prevent a Ping of Death attack from working are available for most operating systems.
WinNuke
WinNuke is a Windows program that sends special TCP/IP packets with an invalid TCP header. Windows 95/98 and Windows NT/2000 computers will crash when they receive one of these packets because of the way the Windows 95/98 or Windows NT/2000 TCP/IP stack handles bad data in the TCP header. Instead of returning an error code or rejecting the bad data (Microsoft calls it out-of-band data), it sends the computer to the Blue Screen of Death (BSoD). Figuratively speaking, the hacker causes the computer to blow up, or to be nuked. This type of attack does not affect Unix boxes and NetWare servers.
Tip There is a patch to solve this particular problem, making machines invulnerable to WinNuke attacks. You can obtain it by going to Microsoft’s support website at http://support.microsoft.com/servicedesks/technet/ and searching for WinNuke.
SYN Flood
A SYN flood is also a denial of service attack because it can barrage the receiving machine with dozens of meaningless packets. In normal communications, a workstation that wants to open a TCP/IP communication with a server sends a TCP/IP packet with the SYN flag set to 1. The server automatically responds to the request, indicating that it is ready to start communicating. Only new communications use SYN flags. If you are in the middle of a file download, SYNs are not used. A new SYN packet is used only if you lose your connection and must reestablish communications.
To initiate a SYN flood, a hacker sends a barrage of SYN packets. The receiving station normally can’t help itself and tries to respond to each SYN request for a connection. The receiving device soon expends its resources trying to reply, and all incoming connections are rejected until all current connections can be answered. The victim machine cannot respond to any other requests because its buffers are overfilled, and it therefore rejects all packets, including valid requests for connections. Patches that can help with this problem are available for the various network operating systems.
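Both the Ping of Death and the SYN flood can be recognized from the defender's side by looking at the traffic before it reaches the vulnerable code path: an IP fragment whose reassembled size would exceed 65,535 bytes, and a host whose count of half-open TCP connections keeps growing without the handshakes ever completing. The following added example (not code from this chapter) implements both checks over constructed records; the size limit is the IPv4 maximum, while the half-open limit, addresses and events are assumptions for the illustration.

```python
# Added example (not from the chapter): defender-side checks for the Ping of
# Death and SYN flood techniques described above, run over constructed packet
# and connection records. Limits and sample data are assumptions for the example.

MAX_IP_DATAGRAM = 65535   # largest legal IPv4 datagram, header included
IP_HEADER_LEN = 20        # minimal IPv4 header
HALF_OPEN_LIMIT = 3       # assumed per-host backlog limit for the example


def oversized_fragment(frag_offset_units: int, payload_len: int) -> bool:
    """Ping of Death check on a single IP fragment.

    The fragment offset field counts 8-byte units. If header + offset + payload
    would end past 65535 bytes, reassembling the datagram overflows the
    receiver's buffer on an unpatched host, so the fragment is rejected here
    instead of being queued for reassembly.
    """
    end = IP_HEADER_LEN + frag_offset_units * 8 + payload_len
    return end > MAX_IP_DATAGRAM


class SynMonitor:
    """Track half-open TCP connections per destination host.

    A 'SYN' event opens a pending entry (the server has answered and is holding
    state); the matching 'ACK' completes the handshake and clears it. When the
    pending entries for one destination exceed the limit, that host is flagged
    as a likely SYN flood victim. Keying on the destination rather than the
    source means spoofed source addresses do not hide the flood.
    """

    def __init__(self, limit: int = HALF_OPEN_LIMIT):
        self.limit = limit
        self.pending = set()   # (src, dst, src_port) tuples awaiting the final ACK
        self.alerts = []       # destinations flagged, in order of first alert

    def feed(self, kind: str, src: str, dst: str, src_port: int) -> None:
        key = (src, dst, src_port)
        if kind == "SYN":
            self.pending.add(key)
        elif kind == "ACK":
            self.pending.discard(key)
        if self.half_open(dst) > self.limit and dst not in self.alerts:
            self.alerts.append(dst)

    def half_open(self, dst: str) -> int:
        """Number of connections to dst still waiting for their final ACK."""
        return sum(1 for key in self.pending if key[1] == dst)


def analyze_connections(events) -> SynMonitor:
    """Replay (kind, src, dst, src_port) events through a SynMonitor."""
    mon = SynMonitor()
    for kind, src, dst, src_port in events:
        mon.feed(kind, src, dst, src_port)
    return mon


# Constructed fragment records as (offset in 8-byte units, payload length).
SAMPLE_FRAGMENTS = [
    (0, 1480),     # first fragment of an ordinary large ping: fine
    (8189, 48),    # 20 + 65512 + 48 = 65580 bytes: past the 65535 limit
]

# Constructed connection events: one completed handshake, then four SYNs
# to the same server that are never acknowledged.
SAMPLE_EVENTS = [
    ("SYN", "198.51.100.4", "10.0.0.20", 40001),
    ("ACK", "198.51.100.4", "10.0.0.20", 40001),
    ("SYN", "203.0.113.77", "10.0.0.20", 1001),
    ("SYN", "203.0.113.77", "10.0.0.20", 1002),
    ("SYN", "203.0.113.77", "10.0.0.20", 1003),
    ("SYN", "203.0.113.77", "10.0.0.20", 1004),
]

if __name__ == "__main__":
    for off, length in SAMPLE_FRAGMENTS:
        state = "oversized" if oversized_fragment(off, length) else "ok"
        print(f"fragment offset={off * 8} len={length}: {state}")
    mon = analyze_connections(SAMPLE_EVENTS)
    for dst in mon.alerts:
        print(f"SYN flood suspected against {dst}, half-open={mon.half_open(dst)}")
```

A real monitor would also expire pending entries after a timeout, since a legitimate client that simply went away looks the same as a flood entry until it ages out; the threshold here is deliberately low so the constructed events trip it.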
Intruder Detection: Defense Techniques
There are three main types of intruder detection and defense:
- Active detection involves constantly scanning the network for possible break-ins.
- Passive detection involves logging all network events to a file.
- Proactive defense involves using tools to shore up your network walls against attack.
Active Detection
Active detection is analogous to a security guard walking down the hallway rattling doors. The guard is checking for a break-in. Special network software can search for hackers trying known attack methods, including suspicious activity as they travel over the network. Some sophisticated active systems actually take action, such as shutting down the communications sessions that the hacker is using, as well as e-mailing or paging you. Some packages actually go as far as trying to cripple the computer from which the hacker is attacking. Cisco’s NetRanger, Memco’s SessionWall, and Snort are all forms of active intrusion-detection software.
Warning Because SATAN is free, both sides have access to it. Consequently, hackers can (and often do) use SATAN to look for security holes. Many other intrusion-detection programs will also look for SATAN-type intrusions.
Passive Detection
Video cameras are an example of passive intrusion-detection systems. Their counterparts in networking are files that log events that occur on the network. Tripwire for Unix systems is one of the earliest programs of this type. With passive detection systems, files and data are looked at, and checksums are calculated for each file and piece of data. These checksums are then stored in a log file. If the network administrator notices a security breach on the network, he or she can access the log files to find clues regarding the security breach.
Proactive Defense
The main feature of the proactive defense is to make sure your network is invulnerable to attack. You can do this through research and maintenance. You must stay current on all known security holes on your network. You can use tools such as SATAN to find the holes in your security walls and plug them with software patches. Unfortunately, before you can patch a hole, it must be discovered. And the war against attackers is ongoing. As soon as you patch a hole, the hacker will find and exploit two other weaknesses. It usually takes some time for a patch to be developed and, in that time, companies lose resources to a hacker.
Other Common Security Policies
Security policies can cover hundreds of items. Here are some of the more common:
Notification What good is a security policy if no one knows about it? Give users a copy of the security policy when you give them their usernames and passwords. Computers should also display a shortened version of the policy when a user attempts to connect. For example, “Unauthorized access is prohibited and will be prosecuted to the fullest extent of the law.” One hacker argued that since a computer did not tell him otherwise, anyone was free to connect to and use the system.
Equipment Access Disable all unused network ports so that nonemployees who happen to be in the building cannot connect a laptop to an unused port and gain access to the network. Also, place all network equipment under lock and key.
Wiring Network wires should not run along the floor where they can be easily accessed. Routers, switches, and concentrators should also not be hooked up in open office space. They should be in locked closets or rooms, with access to those rooms controlled by badge-swiping systems.
Door Locks/Swipe Mechanisms Be sure that only a few, key people know the combination to the cipher lock on data center doors or that only the appropriate people have badges that will allow access to the data center. Change lock combinations often, and never leave server room doors open or unlocked.
Badges Require everyone to wear an ID badge, including contractors and visitors, and assign appropriate access levels to contractors, visitors, and employees.
Tracking Require badge access to all entrances to buildings and internal computer rooms. Track and record all entry and exit to these rooms.
Passwords Reset passwords at least every month. Train everyone on how to create strong passwords. Set BIOS passwords on every client and server computer to prevent BIOS changes.
Monitor Viewing Block computer monitors so that visitors or people looking through windows can’t see them. Be sure that unauthorized users/persons cannot see security guard stations and server monitors.
Accounts Each user should have their own, unique user account, and employees should not share user accounts. Even temporary employees should have their own account. Otherwise, you will not be able to isolate a security breach.
Testing Review and audit your network security at least once a year.
Background Checks Do background checks on all network support staff. This may include calling their previous employers, verifying their college degrees, requiring a drug test, and checking for any criminal background.
Firewalls Use a firewall to protect all Internet connections, and use the appropriate proxies and dynamic packet-filtering equipment to control access to the network. Your firewall should provide as much security as your company requires and your budget allows.
Intrusion Detection Use intrusion-detection and logging software to determine a breach of security. Be sure that you are logging the events you want to monitor.
Cameras Cameras should cover all entrances to the building and the entire parking lot. Be sure that cameras are in weather-proof and tamperproof housings, and review the output at a security monitoring office. Record everything on extended-length tape recorders.
Mail Servers Provide each person with their own e-mail mailbox, and attach an individual network account to each mailbox. If several people need to access a mailbox, do not give all of them the password to a single network account. Assign privileges to each person’s network account. You can then track activity to a single person, even with a generic address such as info@mycompany.com.
DMZ Use a demilitarized zone for all publicly viewable servers, including web servers, FTP servers, and e-mail relay servers. Do not put them outside the firewall. Servers outside the firewall defeat the purpose of the firewall.
Mail Relay Use a mail-relay server for e-mail. E-mail traffic should not go straight to your production servers. That would enable a hacker to directly access your server as well. Use a relay server in a DMZ.
Patches Make sure that the latest security updates are installed after being properly tested on a non-production computer.
Backups Store backup tape cartridges securely, not on a shelf or table within reach of someone working at the server. Lock tapes in a waterproof, fireproof safe, and keep at least some of your backups offsite.
Modems Do not allow desktop modems for any reason. They allow users to get to the Internet without your knowledge. Restrict modem access to approved server-based modem pools.
Guards In some cases, security guards are necessary. Guards should not patrol the same station all the time. As people become familiar with an environment and situation, they tend to become less observant about that environment. Thus, it makes sense to rotate guards to keep their concentration at the highest possible levels. Guards should receive sufficient breaks to ensure alertness. All patrol areas should be covered during shift changes, rotations, and breaks. Guards should also receive periodic training. Test to ensure that guards can recognize a threat and take appropriate action.
Warning Covering all these bases does not ensure that your network or facility is secure. This is just a starting point to head you in the right direction.
Re: Networking Guide 7 - Network Access and Security
Various nice network access and security techniques given in the post are really awesome. I hope that by implementing the encryption and decryption techniques and other security techniques, I can provide the best security for my website.