Types of Network Attacks 2

Access Attacks
Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information.
Password Attacks
Password attacks can be implemented using a packet sniffer to yield user accounts and passwords that are transmitted as clear text. Password attacks usually refer to repeated attempts to log in to a shared resource, such as a server or router, to identify a user account, password, or both. These repeated attempts are called dictionary attacks or brute-force attacks.
To conduct a dictionary attack, attackers can use tools such as L0phtCrack or Cain. These programs repeatedly attempt to log in as a user using words derived from a dictionary. Dictionary attacks often succeed because users have a tendency to choose simple passwords that are short, single words or are simple variations that are easy to predict, such as adding the number 1 to a word.
Another password attack method uses rainbow tables. A rainbow table is a precomputed series of passwords that is constructed by building chains of possible plaintext passwords. Each chain is developed by starting with a randomly selected "guess" of the plaintext password and then successively applying variations on it. The attack software will apply the passwords in the rainbow table until it solves the password. To conduct a rainbow table attack, attackers can use a tool such as L0phtCrack.
A brute-force attack tool is more sophisticated because it searches exhaustively using combinations of character sets to compute every possible password made up of those characters. The downside is that more time is required for completion of this type of attack. Brute-force attack tools have been known to solve simple passwords in less than a minute. Longer, more complex passwords may take days or weeks to resolve.
Password attacks can be mitigated by educating users to use long, complex passwords.
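The repeated login attempts described above leave a recognizable pattern in authentication logs. The following added example (not part of the original course text) classifies sources in OpenSSH-style failure lines as guessing passwords for one account or cycling through account names; the log lines, addresses, account names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# OpenSSH-style failure line; "invalid user" appears when the account does not exist.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

def build_sample_log():
    """Constructed log: one source hammering 'admin', one cycling names, one user typo."""
    lines = [f"Jan 10 03:12:{i:02d} gw sshd[811]: Failed password for admin "
             f"from 203.0.113.7 port {40000 + i} ssh2" for i in range(12)]
    names = ["test", "guest", "oracle", "backup", "ftp", "www"]
    lines += [f"Jan 10 03:13:{i:02d} gw sshd[812]: Failed password for invalid user {u} "
              f"from 198.51.100.9 port {41000 + i} ssh2" for i, u in enumerate(names)]
    lines.append("Jan 10 08:30:02 gw sshd[900]: Failed password for alice "
                 "from 192.0.2.44 port 50522 ssh2")
    lines.append("Jan 10 08:30:09 gw sshd[900]: Accepted password for alice "
                 "from 192.0.2.44 port 50522 ssh2")
    return lines

def classify_sources(lines, max_failures=10, max_users=5):
    """Map source IP -> verdict once a failure limit (assumed values) is reached."""
    failures = defaultdict(lambda: defaultdict(int))  # ip -> user -> failed attempts
    for line in lines:
        match = FAILED.search(line)
        if match:
            user, ip = match.groups()
            failures[ip][user] += 1
    verdicts = {}
    for ip, per_user in failures.items():
        if len(per_user) >= max_users:
            # Many different account names from one source.
            verdicts[ip] = "account enumeration"
        elif max(per_user.values()) >= max_failures:
            # Many failures against the same account.
            verdicts[ip] = "password guessing"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(build_sample_log()).items():
        print(ip, verdict)
```

A single mistyped password followed by a successful login, as in the last two sample lines, stays below both limits and is not reported.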
Trust Exploitation
The goal of a trust exploitation attack is to compromise a trusted host, using it to stage attacks on other hosts in a network. If a host in a network of a company is protected by a firewall (inside host), but is accessible to a trusted host outside the firewall (outside host), the inside host can be attacked through the trusted outside host.
The means used by attackers to gain access to the trusted outside host as well as the details of trust exploitation are not discussed in this chapter. For information about trust exploitation, refer to the Networking Academy Network Security course.
Trust exploitation-based attacks can be mitigated through tight constraints on trust levels within a network. For example, private VLANs can be deployed in public-service segments where multiple public servers are available. Systems on the outside of a firewall should never be absolutely trusted by systems on the inside of a firewall. Such trust should be limited to specific protocols and should be authenticated by something other than an IP address, where possible.
Port Redirection
A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise be blocked.
Consider a firewall with three interfaces and a host on each interface. The host on the outside can reach the host on the public services segment, but not the host on the inside. This publicly accessible segment is commonly referred to as a demilitarized zone (DMZ). The host on the public services segment can reach the host on both the outside and the inside. If attackers were able to compromise the public services segment host, they could install software to redirect traffic from the outside host directly to the inside host. Although neither communication violates the rules implemented in the firewall, the outside host has now achieved connectivity to the inside host through the port redirection process on the public services host. An example of a utility that can provide this type of access is netcat.
Port redirection can be mitigated primarily through the use of proper trust models, which are network specific (as mentioned earlier). When a system is under attack, a host-based intrusion detection system (IDS) can help detect an attacker and prevent installation of such utilities on a host.
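The three-interface scenario above can be audited as a trust model: every pair of zones that has no direct permit but can still be reached by chaining permitted flows is a candidate for port redirection. The following is an added example, not part of the original course text; the zone names, service labels and the tcp/1433 restriction are constructed assumptions.

```python
from collections import deque

# Constructed policy for the three-interface firewall described above.
# Key: (source zone, destination zone); value: services the firewall permits.
POLICY = {
    ("outside", "dmz"): {"tcp/80"},
    ("dmz", "outside"): {"any"},
    ("dmz", "inside"): {"any"},
}

def relay_paths(policy, src):
    """Breadth-first search: zone -> shortest chain of permitted hops from src."""
    paths = {src: [src]}
    queue = deque([src])
    while queue:
        zone = queue.popleft()
        for a, b in sorted(policy):
            if a == zone and b not in paths:
                paths[b] = paths[zone] + [b]
                queue.append(b)
    return paths

def indirect_exposures(policy):
    """Zone pairs with no direct permit that are still reachable through a relay."""
    zones = sorted({zone for pair in policy for zone in pair})
    findings = []
    for src in zones:
        for dst, path in sorted(relay_paths(policy, src).items()):
            if dst != src and (src, dst) not in policy:
                # Services open on the final hop bound what a relay could reach.
                last_hop = (path[-2], dst)
                findings.append((src, dst, path, sorted(policy[last_hop])))
    return findings

# Tightened trust model: the public services host may reach the inside
# on a single service only (illustrative value).
TIGHTENED = {**POLICY, ("dmz", "inside"): {"tcp/1433"}}

if __name__ == "__main__":
    for name, policy in (("original", POLICY), ("tightened", TIGHTENED)):
        print(name, indirect_exposures(policy))
```

Tightening the rule does not remove the relay path; it narrows what a compromised public services host can forward, which is why the host-based IDS remains part of the mitigation.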
Man-in-the-Middle Attack
A man-in-the-middle (MITM) attack is carried out by attackers that manage to position themselves between two legitimate hosts. The attacker may allow the normal transactions between hosts to occur, and only periodically manipulate the conversation between the two.
There are many ways that an attacker gets into position between two hosts. The details of these methods are beyond the scope of this course, but a brief description of one popular method, the transparent proxy, helps illustrate the nature of MITM attacks.
In a transparent proxy attack, an attacker may catch a victim with a phishing e-mail or by defacing a website. Then the URL of a legitimate website has the attacker's URL added to the front of it (prepended). For instance, http://www.legitimate.com becomes http://www.attacker.com/http://www.legitimate.com.
1. When a victim requests a webpage, the victim's host makes the request to the attacker's host.
2. The attacker's host receives the request and fetches the real page from the legitimate website.
3. The attacker can alter the legitimate webpage and apply any transformations to the data they want to make.
4. The attacker forwards the requested page to the victim.
Other sorts of MITM attacks are potentially even more harmful. If attackers manage to get into a strategic position, they can steal information, hijack an ongoing session to gain access to private network resources, conduct DoS attacks, corrupt transmitted data, or introduce new information into network sessions.
WAN MITM attack mitigation is achieved by using VPN tunnels, which allow the attacker to see only the encrypted, undecipherable text. LAN MITM attacks use such tools as ettercap and ARP poisoning. Most LAN MITM attacks can usually be mitigated by configuring port security on LAN switches.
DoS Attacks
DoS attacks are the most publicized form of attack and also among the most difficult to eliminate. Even within the attacker community, DoS attacks are regarded as trivial and considered bad form, because they require so little effort to execute. But because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators.
DoS attacks take many forms. Ultimately, they prevent authorized people from using a service by consuming system resources. The following are some examples of common DoS threats:
A ping of death attack gained popularity back in the late 1990s. It took advantage of vulnerabilities in older operating systems. This attack modified the IP portion of a ping packet header to indicate that there is more data in the packet than there actually was. A ping is normally 64 to 84 bytes, while a ping of death could be up to 65,535 bytes. Sending a ping of this size may crash an older target computer. Most networks are no longer susceptible to this type of attack.
A SYN flood attack exploits the TCP three-way handshake. It involves sending multiple SYN requests (1,000+) to a targeted server. The server replies with the usual SYN-ACK response, but the malicious host never responds with the final ACK to complete the handshake. This ties up the server until it eventually runs out of resources and cannot respond to a valid host request.
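A defender can spot the condition described above by counting handshakes that received a SYN but never the final ACK. The following is an added example, not part of the original course text; the packet summaries, addresses, timeout and threshold are constructed assumptions (the threshold follows the "1,000+" figure in the text).

```python
def build_sample_capture():
    """Constructed client-to-server summaries: (time_s, client, port, server, flags)."""
    packets = []
    # 1,200 SYNs to one server, none followed by the final ACK.
    for i in range(1200):
        client = f"198.51.100.{i % 250 + 1}"
        packets.append((1.0 + i * 0.001, client, 1024 + i, "192.0.2.10", "SYN"))
    # Two ordinary clients that complete the handshake.
    for n, server in enumerate(["192.0.2.10", "192.0.2.20"]):
        packets.append((2.0, "203.0.113.5", 50000 + n, server, "SYN"))
        packets.append((2.05, "203.0.113.5", 50000 + n, server, "ACK"))
    # A handshake that has only just started and has not timed out.
    packets.append((9.5, "203.0.113.6", 50100, "192.0.2.20", "SYN"))
    return packets

def half_open_by_server(packets, now, timeout=5.0):
    """Per server, count SYNs with no final ACK (or RST) after `timeout` seconds."""
    pending = {}  # (client, port, server) -> time the SYN was seen
    for t, client, port, server, flags in sorted(packets):
        key = (client, port, server)
        if flags == "SYN":
            pending.setdefault(key, t)
        elif flags in ("ACK", "RST"):
            pending.pop(key, None)
    counts = {}
    for (_, _, server), t in pending.items():
        if now - t >= timeout:
            counts[server] = counts.get(server, 0) + 1
    return counts

def flag_syn_flood(packets, now, threshold=1000, timeout=5.0):
    """Servers whose stale half-open count reaches the threshold."""
    counts = half_open_by_server(packets, now, timeout)
    return sorted(server for server, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    capture = build_sample_capture()
    print(half_open_by_server(capture, now=10.0))
    print(flag_syn_flood(capture, now=10.0))
```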
Other types of DoS attacks include:
E-mail bombs - Programs send bulk e-mails to individuals, lists, or domains, monopolizing e-mail services.
Malicious applets - These attacks are Java, JavaScript, or ActiveX programs that cause destruction or tie up computer resources.
DDoS Attacks
Distributed DoS (DDoS) attacks are designed to saturate network links with illegitimate data. This data can overwhelm an Internet link, causing legitimate traffic to be dropped. DDoS uses attack methods similar to standard DoS attacks, but operates on a much larger scale. Typically, hundreds or thousands of attack points attempt to overwhelm a target.
Typically, there are three components to a DDoS attack.
There is a Client who is typically a person who launches the attack.
A Handler is a compromised host that is running the attacker program, and each Handler is capable of controlling multiple Agents.
An Agent is a compromised host that is running the attacker program and is responsible for generating a stream of packets that is directed toward the intended victim.
Examples of DDoS attacks include the following:
SMURF attack
Tribe flood network (TFN)
The Smurf attack uses spoofed broadcast ping messages to flood a target system. It starts with an attacker sending a large number of ICMP echo requests to the network broadcast address from valid spoofed source IP addresses. A router could perform the Layer 3 broadcast-to-Layer 2 broadcast function, and most hosts will each respond with an ICMP echo reply, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, there could potentially be hundreds of machines replying to each echo packet.
For example, assume that the network has 100 hosts and that the attacker has a high-performance T1 link. The attacker sends a 768 kb/s stream of ICMP echo request packets with a spoofed source address of the victim to the broadcast address of a targeted network (referred to as a bounce site). These ping packets hit the bounce site on the broadcast network of 100 hosts, and each of them takes the packet and responds to it, creating 100 outbound ping replies. A total of 76.8 megabits per second (Mb/s) of bandwidth is used outbound from the bounce site after the traffic is multiplied. This is then sent to the victim or the spoofed source of the originating packets.
Turning off directed broadcast capability in the network infrastructure prevents the network from being used as a bounce site. Directed broadcast capability is now turned off by default in Cisco IOS software since version 12.0.
DoS and DDoS attacks can be mitigated by implementing special anti-spoof and anti-DoS access control lists. ISPs can also implement traffic rate limiting to restrict the amount of nonessential traffic that crosses network segments. A common example is to limit the amount of ICMP traffic that is allowed into a network, because this traffic is used only for diagnostic purposes.
Details of the operation of these attacks are beyond the scope of this course. For more information, refer to the Networking Academy Network Security course.
Malicious Code Attacks
The primary vulnerabilities for end-user workstations are worm, virus, and Trojan horse attacks.
A worm executes code and installs copies of itself in the memory of the infected computer, which can, in turn, infect other hosts.
A virus is malicious software that is attached to another program for the purpose of executing a particular unwanted function on a workstation.
A Trojan horse is different from a worm or virus only in that the entire application was written to look like something else, when in fact it is an attack tool.
The anatomy of a worm attack is as follows:
The enabling vulnerability - A worm installs itself by exploiting known vulnerabilities in systems, such as naive end users who open unverified executable attachments in e-mails.
Propagation mechanism - After gaining access to a host, a worm copies itself to that host and then selects new targets.
Payload - Once a host is infected with a worm, the attacker has access to the host, often as a privileged user. Attackers could use a local exploit to escalate their privilege level to administrator.
Typically, worms are self-contained programs that attack a system and try to exploit a specific vulnerability in the target. Upon successful exploitation of the vulnerability, the worm copies its program from the attacking host to the newly exploited system to begin the cycle again. In January 2007, a worm infected the popular MySpace community. Unsuspecting users enabled propagation of the worm, which began to replicate itself on user sites with the defacement "w0rm.EricAndrew".
Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident. The following are the recommended steps for worm attack mitigation:
Containment - Contain the spread of the worm in and within the network. Compartmentalize uninfected parts of the network.
Inoculation - Start patching all systems and, if possible, scanning for vulnerable systems.
Quarantine - Track down each infected machine inside the network. Disconnect, remove, or block infected machines from the network.
Treatment - Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.
Viruses and Trojan Horses
A virus is malicious software that is attached to another program to execute a particular unwanted function on a workstation. An example is a program that is attached to command.com (the primary interpreter for Windows systems) and deletes certain files and infects any other versions of command.com that it can find.
A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. An example of a Trojan horse is a software application that runs a simple game on a workstation. While the user is occupied with the game, the Trojan horse mails a copy of itself to every address in the user's address book. The other users receive the game and play it, thereby spreading the Trojan horse to the addresses in each address book.
A virus normally requires a delivery mechanism (a vector), such as a zip file or some other executable file attached to an e-mail, to carry the virus code from one system to another. The key element that distinguishes a computer worm from a computer virus is that human interaction is required to facilitate the spread of a virus.
These kinds of applications can be contained through the effective use of antivirus software at the user level, and potentially at the network level. Antivirus software can detect most viruses and many Trojan horse applications and prevent them from spreading in the network. Keeping up to date with the latest developments in these sorts of attacks can also lead to a more effective posture toward these attacks. As new virus or Trojan applications are released, enterprises need to keep current with the latest versions of antivirus software.
Sub7, or subseven, is a common Trojan horse that installs a backdoor program on user systems. It is popular for both unstructured and structured attacks. As an unstructured threat, inexperienced attackers can use the program to cause mouse cursors to disappear. As a structured threat, crackers can use it to install keystroke loggers (programs that record all user keystrokes) to capture sensitive information.

