Student Seminar Report & Project Report With Presentation (PPT,PDF,DOC,ZIP)

Network Attacks
Introduction

A network attack can be defined as any method, process or means used to maliciously attempt to compromise the security of a network.
The individuals performing network attacks are called hackers or crackers.
There are many common network attacks.
Why network attacks?
Because data can be modified or destroyed, network attacks are very dangerous.
Take an example we all know: the CBI site was hacked by the Pakistan Cyber Army recently. Imagine what they could have done with the sensitive data. It could have become a national issue if things had gone beyond control.
Or take another example from our college: if someone hacks into our network drive and deletes data, imagine the pain of restoring it all!
Content
Why Security ?
Common network attacks
Defense against network attacks
Secure home network
Safe web server
Safety while surfing the net
Why we need security?
Good news: Your employees and partners can now access your critical business information
Bad news: Your employees and partners can now access your critical business information
Why we need security?
FBI:

40% of security loss due to insider information leak
Loss due to insider information leak has increased on average 49% per year for the last 5 years
Pricewaterhouse-Coopers:
Average loss of $50 M per incident due to information theft
Some Statistics
Main issues
Security never stops
New threats constantly emerge
Security is concerned with risk management
Lack of a well-understood security policy.
Too much reliance on technology alone for security.
Some products are weak when viewed from a security standpoint.
IP Spoofing
Exploits trust relationships between routers
This is a difficult attack to launch since the connection setup is based on an initial sequence number for packets. Systems no longer use these numbers sequentially, so identifying the algorithm used for numbering packets during setup is important to the attacker.
Common Attacks
SYN flooding attack
This exploits how the 3-way handshake of TCP services for opening a session works.
SYN packets are sent to the target node with spoofed source IP addresses.
The node under attack replies (SYN-ACK) and waits for the final ACK that never arrives.
Since the half-open request has not been completed, it takes up memory in the connection table.
Many such SYN packets clog the system and exhaust that memory.
Eventually the attacked node is unable to process any new connection requests because it has run out of memory.
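The symptom of the flood described above is a pile-up of half-open connections on one port. As an added example (not from the seminar), the following script parses a constructed socket-table listing in the style of `ss -tan` and flags ports whose SYN-RECV count crosses a threshold; the addresses, ports and threshold are all invented for the demonstration.

```python
from collections import Counter

# Constructed sample of socket-table lines (ss -tan style); not real traffic.
SAMPLE_SOCKETS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV   0      0      10.1.1.1:80          198.51.100.7:40001
SYN-RECV   0      0      10.1.1.1:80          198.51.100.8:40002
SYN-RECV   0      0      10.1.1.1:80          203.0.113.9:40003
SYN-RECV   0      0      10.1.1.1:80          203.0.113.10:40004
SYN-RECV   0      0      10.1.1.1:80          192.0.2.11:40005
ESTAB      0      0      10.1.1.1:80          10.1.1.20:51000
ESTAB      0      0      10.1.1.1:22          10.1.1.21:51001
SYN-RECV   0      0      10.1.1.1:443         10.1.1.22:51002
"""


def parse_sockets(text):
    """Yield (state, local_port, peer_ip) for each data row, skipping the header."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_port = int(local.rsplit(":", 1)[1])
        peer_ip = peer.rsplit(":", 1)[0]
        yield state, local_port, peer_ip


def half_open_report(text, threshold=4):
    """Count half-open (SYN-RECV) connections per local port and flag floods.

    A flood shows as many SYN-RECV entries on one port, typically each from a
    different (spoofed) peer, while the number of ESTAB entries stays low.
    The threshold is an assumed value; tune it to the host's normal load.
    """
    half_open = Counter()
    peers = {}
    for state, port, peer_ip in parse_sockets(text):
        if state == "SYN-RECV":
            half_open[port] += 1
            peers.setdefault(port, set()).add(peer_ip)
    return {
        port: {"half_open": n,
               "distinct_peers": len(peers[port]),
               "suspect": n >= threshold}
        for port, n in half_open.items()
    }
```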
Land attack
Similar to SYN attack
Uses the target address as the source address as well.
Causes an infinite loop under the SYN/ACK process.
Eavesdropping
In general, the majority of network communications occur in an unsecured or "cleartext" format, which allows an attacker who has gained access to data paths in your network to "listen in" or interpret (read) the traffic.
When an attacker is eavesdropping on your communications, it is referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is generally the biggest security problem that administrators face in an enterprise. Without strong encryption services that are based on cryptography, your data can be read by others as it traverses the network.
Smurf attack
A large number of PING requests with spoofed IP addresses are generated from within the target network
Each ping request is broadcast, resulting in a large number of responses from all nodes on the network
Clogs the network and prevents legitimate requests from being processed
Ping of death
A ping of death (abbreviated "POD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 56 bytes in size (or 84 bytes when IP header is considered); historically, many computer systems could not handle a ping packet larger than the maximum IPv4 packet size, which is 65,535 bytes. Sending a ping of this size could crash the target computer.
Generally, sending a 65,536 byte ping packet is illegal according to the IP protocol, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash.
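The crash described above happens when a stack adds fragments into a 65,535-byte reassembly buffer without checking where each one ends. As an added example (not from the seminar), the following check models the fix a hardened reassembler applies: each fragment is described by an assumed (offset, length, more-fragments) triple, and the two fragment sets are constructed for the demonstration.

```python
IPV4_MAX_DATAGRAM = 65535  # 16-bit total-length field, as the text notes

# Constructed fragment sets (offset in bytes, payload length, more-fragments
# flag); these are not captured packets.
NORMAL_PING = [(0, 1480, True), (1480, 1480, True), (2960, 1480, False)]
OVERSIZED_PING = [(i * 1480, 1480, True) for i in range(44)] + \
                 [(44 * 1480, 1200, False)]


def reassembled_size(fragments):
    """Return the datagram length implied by a fragment set.

    No single fragment can carry more than 65535 bytes, but offsets are
    independent of length, so offset + length of the last fragment can exceed
    the maximum; that is what a ping of death relies on.
    """
    return max(offset + length for offset, length, _ in fragments)


def check_fragments(fragments):
    """Validate fragments the way a hardened reassembler should: reject any
    fragment whose end would lie past 65535 before copying it into the
    buffer. Returns (ok, size, reason)."""
    end = 0
    for offset, length, _more in fragments:
        frag_end = offset + length
        if frag_end > IPV4_MAX_DATAGRAM:
            return False, frag_end, f"fragment at offset {offset} ends past 65535"
        end = max(end, frag_end)
    if sum(1 for f in fragments if not f[2]) != 1:
        return False, end, "expected exactly one final fragment"
    return True, end, "ok"
```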
ARP Poisoning
ARP = Address Resolution Protocol
ARP is used by routers extensively to find the destination node. Routers have IP addresses (32-bits). In order to deliver the packet to the destination node, the router broadcasts the IP address of the destination and obtains the MAC address (48-bits).
Hosts store the IP-to-MAC address mapping in the ARP table. ARP Poisoning means that the ARP communication is intercepted by redirection from a router.
Example:
Assume the router’s IP is 10.1.1.0
The host’s IP is 10.1.1.1
A malicious host with IP 10.1.1.2 spoofs 10.1.1.1 and replies to requests from 10.1.1.0 with its own MAC address
From this point on, all packets meant for 10.1.1.1 are routed to 10.1.1.2 because the router now has the MAC address of 10.1.1.2 in its ARP table
ARP Poisoning tools are:
ARPoison
Ettercap
Parasite
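The poisoning in the 10.1.1.x example above leaves two traces a defender can watch for: an IP whose MAC binding changes, and one MAC answering for more than one IP. As an added example (not from the seminar), the following detector replays a constructed ARP-reply log modelled on that scenario; the MAC addresses and the optional pinned gateway entry are invented for the demonstration.

```python
from collections import defaultdict

# Constructed ARP-reply log (timestamp, sender IP, sender MAC) modelled on the
# page's scenario; the MAC addresses are invented.
ARP_REPLIES = [
    ("t1", "10.1.1.1", "00:11:22:33:44:01"),
    ("t2", "10.1.1.2", "00:11:22:33:44:02"),
    ("t3", "10.1.1.1", "00:11:22:33:44:01"),
    ("t4", "10.1.1.1", "00:11:22:33:44:02"),  # 10.1.1.2's MAC now claims 10.1.1.1
]


def detect_arp_poisoning(replies, static_table=None):
    """Flag ARP replies that would overwrite an existing IP->MAC binding.

    static_table (assumed input) pins known-good entries such as the gateway.
    Two indicators are reported: an IP whose MAC differs from the pinned or
    first-seen value, and a MAC that answers for more than one IP.
    The first-seen binding is kept rather than replaced by the new reply.
    """
    ip_to_mac = dict(static_table or {})
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac
        elif known != mac:
            alerts.append((ts, "ip-remapped", ip, known, mac))
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", mac,
                           sorted(mac_to_ips[mac])))
    return alerts
```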
DNS Spoofing
A DNS server could be a simple machine placed behind a firewall.
Usually it is isolated in function from the rest of the nodes.
A hacker who gets access to the DNS server can change the mapping in the lookup table. For example, nytimes.com is supposed to point to 199.239.136.200; the hacker could redirect it to his own web server instead.
Social Engineering
It is hacker-speak for convincing others to share confidential information with them.
Dictionary attack
The attacker has an idea of what the message looks like
An exhaustive search finds the original corresponding to the hash
Credit cards use 16 digits
2^55 ≈ 10^16
An exhaustive search of this size is within the realm of possibility for today’s computers
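The point of the card-number slide is that a structured, low-entropy value hashed without a secret is reversible by trying every candidate. As an added example (not from the seminar), the following code scales the space down from 16 digits to 4 so it runs in a moment, shows the plain hash being recovered, and shows a keyed hash (HMAC with an assumed server-side pepper) resisting the same search; it also sizes the 16-digit effort at an assumed guess rate.

```python
import hashlib
import hmac

# Constructed 4-digit stand-in for a 16-digit card number: the search space is
# 10**4 here instead of 10**16, but the reasoning is identical.
SECRET_DIGITS = "4821"
PEPPER = b"assumed server-side secret kept apart from the hashes"


def plain_hash(digits):
    """Unkeyed SHA-256: anyone who knows the format can enumerate inputs."""
    return hashlib.sha256(digits.encode()).hexdigest()


def keyed_hash(digits, key=PEPPER):
    """HMAC-SHA256: without the key the attacker cannot compute candidates."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


def exhaustive_search(target_hex, ndigits, hash_fn):
    """Try every ndigits-digit string with hash_fn; return the match or None.

    An attacker who knows the message format needs at most 10**ndigits tries,
    which is what makes the 16-digit case feasible.
    """
    for n in range(10 ** ndigits):
        candidate = f"{n:0{ndigits}d}"
        if hash_fn(candidate) == target_hex:
            return candidate
    return None


def seconds_to_exhaust(ndigits, guesses_per_second):
    """Worst-case time to enumerate the whole ndigits-digit space."""
    return 10 ** ndigits / guesses_per_second
```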
Compromised-Key
A key is a secret code or number necessary to interpret secured information. Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker obtains a key, that key is referred to as a compromised key.
An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack. This is called a compromised-key attack.
Application-Layer Attack
An application-layer attack targets application servers by deliberately causing a fault in a server's operating system or applications. This gives the attacker the ability to bypass normal access controls and to do the following:
Read, add, delete, or modify your data or operating system.
Introduce a virus program.
Introduce a sniffer program to analyze your network and gain information that can eventually be used to crash or to corrupt your systems and network.
Abnormally terminate your data applications or operating systems.
Disable other security controls to enable future attacks.
DHCP ATTACK
Because the number of IP addresses in a DHCP scope is limited, an unauthorized user could initiate a denial of service (DoS) attack by requesting or obtaining a large number of IP addresses.
A network attacker could use a rogue DHCP server to offer incorrect IP addresses to your DHCP clients.
A denial of service (DoS) attack can be launched through an unauthorized user performing a large number of DNS dynamic updates via the DHCP server.
Software Exploitation
Malicious software, also known as malware, includes worms, viruses, and Trojan horses
How do these propagate?
Virus is meant to replicate itself into executables (e.g., Melissa)
Worm is meant to propagate itself across the network (e.g., Nimda, Code Red)
Trojan horse is meant to entice the unsuspecting user to execute a worm (e.g., I Love You)
Virus
Vital information of resource under siege.
Virus self-replicates.
It can destroy data, modify data.
Worms
Worm is a self-contained program that tries to exploit buffer overflows and remotely attack a victim’s computer
Code Red and Code Red II are two of the well-known worms
There is not much of a distinction made between viruses and worms
Network Defense
Having seen these network attacks, it becomes important to protect our network.
Take the example of someone hacking into our network drive and deleting all the data.
In the field of networking, the specialist area of network security consists of the provisions and policies adopted by the network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of the computer network and network-accessible resources.
Security Management for networks is different for all kinds of situations. A small home or an office would only require basic security while large businesses will require high maintenance and advanced software and hardware to prevent malicious attacks from hacking and spamming.
Tunneling
Tunneling is also referred to as encapsulation because the original packet is hidden or encapsulated inside of a new packet. A tunnel is the logical data path through which the encapsulated packets travel to their destination.
Two types:
A) AH tunneling
B) ESP Tunneling
Prevention
Eavesdropping
Implement Internet Protocol Security (IPSec) to secure and encrypt IP data before it is sent over the network.
Implement security policies and procedures to prevent attackers from attaching a sniffer on the network.
Install antivirus software to protect the corporate network from Trojans. Trojans are typically used to discover and capture sensitive, valuable information, such as user credentials.
DOS
Implement and enforce strong password policies.
Back up system configuration data regularly.
Disable or remove all unnecessary network services.
Implement disk quotas for your user and service accounts.
Configure filtering on your routers and patch operating systems.
Sniffer attack
To protect against sniffers, implement Internet Protocol Security (IPSec) to encrypt network traffic so that any captured information cannot be interpreted.
DHCP ATTACK
Implement firewalls
Close all open unused ports
If necessary, use VPN tunnels.
You can use MAC address filters.
Security Requirements for different data types
Public data: This category includes all data which is already publicly available on the company's Web site or news bulletins. Because the data is already publicly available, no risk is typically associated with the data being stolen. You do however need to maintain and ensure the integrity of public data.
Private data: Data that falls within this category is usually well-known within your organization's environment but is not well-known to the outside public. A typical example of data that falls within this category is data on the corporate intranet.
Confidential data: Data that falls within this category is data such as private customer information that should be protected from unauthorized access. The organization would almost always suffer some sort of loss if confidential data is intercepted.
Secret data: This is data which can be considered more confidential and sensitive in nature than confidential data. Secret data consists of trade secrets, new product and business strategy information, and patent information. Secret data should have the highest levels of security.
Predicting Network Threats
To protect your network infrastructure, you need to be able to predict the types of network threats to which it is vulnerable. This should include an analysis of the risk that each identified network threat poses to the network infrastructure.
A model known as STRIDE is used by security experts to classify network threats:
Creating an Incident Response Plan
The term incident response refers to planned actions taken in response to a network attack or any similar event that affects systems, networks and company data. An incident response plan outlines the response procedures that should take place when a network is being attacked or its security is being compromised.