Classification of Network Attacks


Network attacks fall into three major categories:

  • Reconnaissance

  • Access

  • Denial of service (DoS)

Reconnaissance attacks are the unauthorized discovery and mapping of systems, services, and vulnerabilities. A typical example is a ping sweep: the attacker sends ICMP echo requests across an address range to learn which IP addresses respond. Once active hosts are identified, the attacker moves on to port scanning to determine which services and ports are open on them.

Alert: A reconnaissance attack is typically the first step toward an access attack or a DoS attack.


An access attack is the unauthorized retrieval or manipulation of data: reading, writing, copying, deleting, or moving files or any other kind of data. Examples include gaining access to the company database and modifying a single table or view. Escalating or otherwise modifying a user's privileges on a system is another form of access attack.

Alert: Access attacks lead to system access. Attackers gain that access by exploiting vulnerabilities in the targeted system.


A DoS attack is one in which the attacker disables or corrupts services and resources residing on the network so that they are no longer available to authorized users. Typical examples are the ping of death and the TCP SYN flood. The ping of death sends an oversized, fragmented ICMP echo request that crashes or hangs a vulnerable host when it reassembles the fragments. A TCP SYN flood against a corporate Web server sends a stream of connection requests that are never completed; the server ties up memory and connection-table entries tracking the half-open sessions, and responses to legitimate user requests slow down or stop altogether.

These three categories of attack are carried out by different kinds of threat actors. Cisco describes threats to an organization's network security along two dimensions, which gives four combinations: a threat is either unstructured or structured, and either external or internal.

An unstructured threat is someone with limited knowledge of applications and operating systems who nonetheless knows how to use a computer. Such a person can easily find hacking tools on the Internet and use them to devastating effect. These people are the script kiddies; they use somebody else's tools to do their dirty work.

A structured threat is initiated by an individual with an intimate understanding of applications and operating systems. These individuals not only write their own code but also know exactly how to break into computers because of their sophisticated knowledge and skills. They pose the greatest danger to the organization because they are highly motivated and technically competent. Structured attacks are aimed by a person or program at a particular weakness or vulnerability, generally following a reconnaissance attack.

An external threat is simply an individual who has not been granted rights to access corporate resources. However, with the right tools, she intends to access these resources whether or not you want her to. An external threat can come from a structured individual or unstructured individual.

An internal threat is initiated by a user who has been granted access to corporate resources. However, don't let the term internal fool you. It doesn't matter whether the individual is sitting at a desk in the corporate office or in a hotel room in France. As long as the user has been granted rights to access corporate resources, no matter where he is located, he is an internal threat. An internal threat can come from either a structured or an unstructured individual. A user with physical access to the internal network is also an internal threat, for example someone who plugs a network cable into a corporate LAN switch to reach information on the network.

Common Types of Attacks and Mitigation Techniques

Attackers use many types of tools and attacks to compromise security on the network. In the next several sections, we discuss some of the most common types of tools and attacks.

Packet Sniffing and Mitigation

Packet sniffers are terrific network-management applications. You can use them to troubleshoot and isolate problems in the network, and to create a network baseline. A packet sniffer captures packets traversing the network by putting the network interface card (NIC) into promiscuous mode, in which the card accepts and passes up every frame it sees rather than only those addressed to it. On a shared medium such as a hub, a sniffer in promiscuous mode can therefore capture every packet crossing the wire. Sniffers not only capture packets but also decode them, exposing their contents to anyone who can read the capture. If your passwords are sent in cleartext across the network, whether in a login protocol or within an email, a sniffer can capture those packets and display the passwords in plain view. Some tools can also replay captured packets: the attacker manipulates the data in the captured packets and retransmits them, inserting falsified data onto the network. As you can tell, a packet sniffer is a dangerous application in the wrong hands.

Alert: Cisco categorizes sniffers into two types: general-purpose sniffers and sniffers designed for attack purposes only. General-purpose sniffers capture whole packets of every kind and are included with some operating systems. Attack sniffers are designed to capture only a portion of each packet, usually the first 300 to 400 bytes, which is enough to harvest login information such as usernames and passwords.


You can use several techniques to mitigate the threats posed by both types of packet sniffer. The most effective is cryptography: encrypt the traffic and authenticate with protocols that never put the password on the wire in cleartext. Encrypted packets are no longer readable by humans and no longer decodable by packet sniffers. Other mitigation techniques include using a switched infrastructure, which forwards unicast traffic only to the port of the intended receiver instead of to every port, and strong authentication such as one-time passwords (OTPs). A one-time password is good for one use only, so it does not matter if an attacker captures it; it cannot be used again. You can also use antisniffer tools to detect hosts on your network that might be sniffing. A NIC in promiscuous mode processes frames that are not addressed to it, and antisniffing tools look for the resulting delays or changes in a host's response times to identify who might be sniffing.
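To make the danger concrete, the following Python script (an added example, not from the book or from any Cisco tool) models an attack sniffer. It constructs an Ethernet/IPv4/TCP frame carrying an HTTP request with a cleartext Basic-auth header, keeps only the first 400 bytes of each frame the way an attack sniffer would, and harvests the credential. The frames, MAC and IP addresses, and the user alice with password s3cret are all constructed for the demonstration; the `promiscuous` flag shows why a NIC in normal mode sees nothing that is addressed to another host, and a second frame carrying a TLS record shows that encrypted traffic yields nothing to the same parser.

```python
import base64
import struct

BROADCAST = b"\xff" * 6


def mac(s):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet II / IPv4 / TCP frame for the demo (checksums left at zero)."""
    eth = mac(dst_mac) + mac(src_mac) + b"\x08\x00"             # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + 20 + len(payload),           # version/IHL, TOS, total length
                     0x1234, 0x4000, 64, 6, 0,                  # id, DF flag, TTL, proto=TCP, checksum
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000,   # ports, seq, ack
                      5 << 4, 0x18, 65535, 0, 0)                # data offset 5 words, PSH|ACK, window, csum, urg
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; returns None for anything else."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl or ip[9] != 6:                              # protocol 6 = TCP
        return None
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "src": "%d.%d.%d.%d" % tuple(ip[12:16]),
        "dst": "%d.%d.%d.%d" % tuple(ip[16:20]),
        "sport": sport, "dport": dport,
        "payload": tcp[data_off:],
    }


def extract_basic_credentials(payload):
    """Pull user:password out of an HTTP 'Authorization: Basic' header, if present."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            try:
                user, _, pw = base64.b64decode(token).decode().partition(":")
            except (ValueError, UnicodeDecodeError):
                return None
            return user, pw
    return None


def sniff(frames, my_mac, promiscuous, snaplen=400):
    """Model an attack sniffer: keep the first `snaplen` bytes of each visible frame, harvest credentials."""
    found = []
    for frame in frames:
        dst = frame[0:6]
        # Without promiscuous mode the NIC only delivers frames addressed to it (or broadcast).
        if not promiscuous and dst not in (mac(my_mac), BROADCAST):
            continue
        pkt = parse_frame(frame[:snaplen])
        if pkt is None:
            continue
        creds = extract_basic_credentials(pkt["payload"])
        if creds:
            found.append((pkt["src"], pkt["dst"], pkt["dport"]) + creds)
    return found


# Constructed traffic: alice logs in to an intranet web server with HTTP Basic auth,
# then the same two hosts exchange a TLS record (opaque to the sniffer).
REQUEST = (b"GET /admin/ HTTP/1.1\r\nHost: intranet.example\r\n"
           b"Authorization: Basic " + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n")
FRAMES = [
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "30.100.1.10", "30.100.1.20", 51000, 80, REQUEST),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "30.100.1.10", "30.100.1.20", 51001, 443,
                b"\x16\x03\x03\x00\x05hello"),
]
ATTACKER_MAC = "de:ad:be:ef:00:01"   # the sniffing host; neither frame is addressed to it

if __name__ == "__main__":
    print("normal NIC:     ", sniff(FRAMES, ATTACKER_MAC, promiscuous=False))
    print("promiscuous NIC:", sniff(FRAMES, ATTACKER_MAC, promiscuous=True))
```

Run as is, the first line prints an empty list and the second prints the harvested tuple for alice; the TLS frame is parsed but yields no credential, which is the whole point of the cryptographic mitigation.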

IP Spoofing and Mitigation

IP spoofing is an attack in which a hacker changes the source IP address of a packet in an attempt to pretend to be either a trusted internal host or a trusted external host. By pretending to be a trusted host, the hacker is attempting to bypass network security and either capture sensitive data by rerouting packets or create havoc on the network through a DoS attack.

Alert: Although you can reduce spoofing threats, you cannot eliminate them. IP spoofing succeeds only when your organization relies solely on IP-address-based authentication. The best way to defeat spoofing is cryptographic authentication and encryption of the data, so that a forged source address by itself gains the attacker nothing.


Mitigation techniques for spoofing include RFC 2827, "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing," and RFC 1918, "Address Allocation for Private Internets." RFC 2827 filtering prevents any traffic from leaving your network if the source IP address is not part of the internal IP addresses that you use on your network. For instance, if your internal IP addressing space is 30.100.1.0/24, you need to ensure that the only outbound traffic allowed has a source IP address within the 30.100.1.0/24 address space.

For inbound traffic to your network, you need to ensure that the source IP address of packets is not internal to your network. If your internal IP addressing space is 30.100.1.0/24, you should never see an inbound packet with a source IP address in the 30.100.1.0/24 address space. Only outbound packets should have a source IP address within that space.
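The following Python function (an added example, not from the book) implements the two directional checks just described for the chapter's 30.100.1.0/24 example space and adds the RFC 1918 check. It goes slightly beyond the text by also rejecting loopback, multicast and unspecified sources arriving from the Internet. The packet list is constructed, and the trailing comment gives the equivalent Cisco IOS extended ACL for the egress rule.

```python
import ipaddress

# The chapter's example internal address space (assumption for the demo).
INTERNAL = ipaddress.ip_network("30.100.1.0/24")

# RFC 1918 private space: never a legitimate source on the Internet side of the edge.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def filter_packet(direction, src, dst):
    """Return ('permit'|'deny', reason) for one packet crossing the Internet edge.

    direction is 'out' (leaving our network) or 'in' (arriving from the Internet).
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    if direction == "out":
        # RFC 2827, egress side: only packets sourced from our own space may leave.
        if src not in INTERNAL:
            return "deny", "outbound source %s is not in %s (spoofed)" % (src, INTERNAL)
        return "permit", "outbound source is ours"
    if direction == "in":
        # Ingress side: nobody outside may claim one of our addresses...
        if src in INTERNAL:
            return "deny", "inbound source %s claims our own space" % src
        # ...or a private (RFC 1918), loopback, multicast or unspecified source.
        if any(src in net for net in RFC1918):
            return "deny", "inbound source %s is RFC 1918 private" % src
        if src.is_loopback or src.is_multicast or src.is_unspecified:
            return "deny", "inbound source %s is a bogon" % src
        if dst not in INTERNAL:
            return "deny", "inbound destination %s is not ours" % dst
        return "permit", "inbound source is a plausible Internet host"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed traffic sample (not from a real capture).
PACKETS = [
    ("out", "30.100.1.25", "203.0.113.9"),    # normal web browsing from inside
    ("out", "192.0.2.77", "203.0.113.9"),     # inside host spoofing a foreign source
    ("in", "198.51.100.4", "30.100.1.80"),    # normal inbound to our web server
    ("in", "30.100.1.5", "30.100.1.80"),      # outsider impersonating an internal host
    ("in", "10.9.8.7", "30.100.1.80"),        # private source arriving from the Internet
]


def apply_filter(packets):
    """Run every packet through the edge filter; returns (direction, src, dst, verdict)."""
    return [(d, s, t, filter_packet(d, s, t)[0]) for d, s, t in packets]


if __name__ == "__main__":
    for direction, src, dst, verdict in apply_filter(PACKETS):
        print(f"{direction:3} {src:>14} -> {dst:<14} {verdict}")

# Equivalent IOS extended ACL for the egress rule, applied inbound on the
# LAN-facing interface of the edge router (30.100.1.0 with wildcard 0.0.0.255):
#   access-list 101 permit ip 30.100.1.0 0.0.0.255 any
#   access-list 101 deny   ip any any log
```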

DoS and Mitigation

A DoS is an attack whose goal is to simply deny access to resources. If your organization's circuit to the Internet is at 100% capacity because of a DoS, the company's e-commerce servers are not accessible to outside customers.

A DoS attack relies on protocol weaknesses, application weaknesses, configuration weaknesses, technology weaknesses, or just pure flooding. One type of DoS attack is a SYN flood. TCP uses a three-way handshake (SYN, SYN/ACK, ACK) to establish a session, and the server must remember each pending connection between the SYN and the final ACK. An attacker who sends a stream of SYNs, usually from spoofed source addresses, and never completes the handshake fills that table of half-open connections and causes a DoS.

Alert: A DoS is the most difficult type of attack to completely eliminate.


DDoS Attack

A DDoS is exactly like a DoS attack with one exception: scale. Whereas a DoS might be a single host attacking, a DDoS comes from hundreds or thousands of hosts. The attack typically proceeds in three steps. First, the attacker looks for PCs with broadband connections. Then the attacker compromises those PCs and installs agent software that allows them to be controlled remotely. Finally, at the attacker's command, the zombie PCs (those with the agent software installed) simultaneously launch a DoS attack. Again, the goal of a DoS or DDoS attack is to deny legitimate users access to resources. DDoS is even harder to eliminate.

You can mitigate DoS/DDoS attacks with three techniques. First, work with your Internet service provider (ISP) to implement traffic rate limiting, so that the ISP drops DoS/DDoS traffic before it crosses the circuit to your network. Second, properly configure your firewalls and routers to deal with DoS/DDoS attacks; for example, limit the number of half-open TCP sessions allowed to your servers and age out stale ones aggressively. Last, implement IP spoof filtering, as discussed previously.
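The following Python model (an added example, not from the book) shows both the SYN flood problem and the server-side mitigation just described. A server with a backlog of four half-open connections is hit with twenty SYNs that are never completed; with the backlog full, a legitimate client's SYN is simply dropped. With SYN cookies enabled, a stateless technique that the text does not name, the server answers from a full backlog with a sequence number derived from a keyed hash of the connection tuple and a coarse clock, and accepts the client's final ACK without having stored anything. Addresses, ports, the backlog size, the timeout and the secret are constructed for the demonstration; a real implementation would randomize the ISN and use the kernel's own clock.

```python
import hashlib
import hmac
import struct


class SynHandler:
    """Toy model of a server's TCP SYN handling.

    Half-open connections occupy a bounded backlog.  With syncookies=False a full
    backlog means new SYNs are silently dropped (the flood has won).  With
    syncookies=True the server answers from a full backlog with a SYN/ACK whose
    sequence number is a keyed hash of the connection tuple and a 64-second clock
    bucket, so no state is kept until the client proves it received the SYN/ACK.
    """

    def __init__(self, backlog=4, syn_timeout=30, syncookies=True, secret=b"demo-secret"):
        self.backlog = backlog
        self.syn_timeout = syn_timeout
        self.syncookies = syncookies
        self.secret = secret
        self.half_open = {}          # four-tuple -> (our ISN, expiry time)
        self.next_isn = 1000         # deterministic stand-in for a random ISN

    # SYN cookie layout: top 8 bits = clock bucket, low 24 bits = MAC(secret, tuple, bucket)
    def _cookie(self, tup, bucket):
        msg = struct.pack("!4s4sHHI", tup[0], tup[1], tup[2], tup[3], bucket & 0xFFFFFFFF)
        tag = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((bucket & 0xFF) << 24) | int.from_bytes(tag[:3], "big")

    def _check_cookie(self, tup, isn, now):
        cur = int(now) // 64
        for bucket in (cur, cur - 1):            # accept the current and previous bucket only
            if (bucket & 0xFF) == (isn >> 24) and self._cookie(tup, bucket) == isn:
                return True
        return False

    def expire(self, now):
        """Age out half-open entries whose SYN/ACK was never acknowledged."""
        for tup, (_, expiry) in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[tup]

    def on_syn(self, tup, now):
        """Return the ISN we put in our SYN/ACK, or None if the SYN was dropped."""
        self.expire(now)
        if len(self.half_open) < self.backlog:
            isn = self.next_isn
            self.next_isn += 1
            self.half_open[tup] = (isn, now + self.syn_timeout)
            return isn
        if self.syncookies:
            return self._cookie(tup, int(now) // 64)   # stateless: nothing stored
        return None                                     # backlog exhausted, SYN dropped

    def on_ack(self, tup, ack, now):
        """Third handshake segment: ack must equal our ISN + 1.  Returns True if established."""
        self.expire(now)
        if tup in self.half_open:
            isn, _ = self.half_open.pop(tup)
            return ack == (isn + 1) & 0xFFFFFFFF
        # Not in the table: either a stale/bogus ACK or the echo of a valid SYN cookie.
        return self._check_cookie(tup, (ack - 1) & 0xFFFFFFFF, now)


def ip(s):
    """Dotted quad to 4 raw bytes."""
    return bytes(map(int, s.split(".")))


SERVER = (ip("30.100.1.80"), 80)


def flood_then_legit(syncookies):
    """Constructed scenario: 20 spoofed SYNs, then one legitimate client completing the handshake."""
    h = SynHandler(backlog=4, syncookies=syncookies)
    for port in range(40000, 40020):                      # attacker never sends the final ACK
        h.on_syn((ip("203.0.113.9"), SERVER[0], port, SERVER[1]), now=100)
    legit = (ip("198.51.100.4"), SERVER[0], 51515, SERVER[1])
    isn = h.on_syn(legit, now=101)
    if isn is None:
        return "dropped"
    return "established" if h.on_ack(legit, isn + 1, now=102) else "rejected"


if __name__ == "__main__":
    print("no syncookies:", flood_then_legit(False))
    print("syncookies:   ", flood_then_legit(True))
```

The half-open limit alone only bounds the damage; it is the aging timer and the stateless cookie fallback together that keep a legitimate client reachable while the flood is in progress. The cookie deliberately carries only 24 bits of MAC, which is why the clock bucket is checked too: a guessed ACK has to land in the right 128-second window as well as match the hash.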

Password Attack and Mitigation

One type of password attack is simple: a dictionary password attack. This type of password attack simply uses a dictionary to discover a user's password. If a user does not have a password based upon dictionary words, an attacker can use a brute-force password attack. A brute-force attack attempts to "guess" a user's password by trying every possible alphanumeric and special character string until it discovers the password. As mentioned previously, packet sniffers can decode packets into plaintext and thereby discover a user's password. Finally, Trojan horses can log every keystroke that a user makes and thereby discover the password. However, the Trojan horse must be installed on a user's system before the logging can take place.

Techniques for mitigating password attacks include the use of OTPs, passwords that a user can use only once, so it does not matter if an attacker sniffs the wire and captures one. Another technique is to disable a user's account after a specific number of failed login attempts, using the operating system's own account-lockout feature where one is available. Lockout not only alerts the network administrator to a possible password attack but also blunts brute-force and dictionary attacks, which depend on being able to try many guesses. Finally, Cisco recommends the use of "strong" passwords to mitigate the threat posed by this type of attack.

Alert: The Cisco definition of a strong password is one that meets all of the following criteria: it contains at least eight characters, both uppercase and lowercase letters, numeric characters, and special characters.
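The following Python (an added example, not from the book) implements the two mitigations above that can be expressed in code: a check against the Cisco strong-password criteria, and a lockout detector that reads sshd-style failed-login lines and flags any account with five failures inside a ten-minute sliding window. The log lines, hostnames, addresses and user names are constructed for the demonstration, and the year is supplied because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def is_strong_password(pw):
    """Cisco's strong-password criteria from the chapter: 8+ chars, upper, lower, digit, special."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


# Constructed syslog-style lines (not a real log); the format mimics OpenSSH's failure message.
LOG = """\
Mar  3 09:10:01 vpn1 sshd[2201]: Failed password for bob from 198.51.100.7 port 40211 ssh2
Mar  3 09:10:04 vpn1 sshd[2201]: Failed password for bob from 198.51.100.7 port 40212 ssh2
Mar  3 09:10:06 vpn1 sshd[2201]: Failed password for bob from 198.51.100.7 port 40213 ssh2
Mar  3 09:10:09 vpn1 sshd[2201]: Failed password for carol from 203.0.113.50 port 52001 ssh2
Mar  3 09:10:11 vpn1 sshd[2201]: Failed password for bob from 198.51.100.7 port 40214 ssh2
Mar  3 09:10:13 vpn1 sshd[2201]: Failed password for bob from 198.51.100.7 port 40215 ssh2
Mar  3 09:10:15 vpn1 sshd[2201]: Accepted password for carol from 203.0.113.50 port 52002 ssh2
Mar  3 09:25:40 vpn1 sshd[2233]: Failed password for alice from 192.0.2.9 port 61000 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def detect_lockouts(log, threshold=5, window=timedelta(minutes=10), year=2003):
    """Return {user: (count, first_ts, last_ts, {source ips})} for accounts that should be locked.

    A user is locked when `threshold` failures fall inside one sliding `window`.
    Syslog lines carry no year, so one is supplied (assumption for the demo).
    """
    failures = defaultdict(list)
    for line in log.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue                      # successes and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[m["user"]].append((ts, m["ip"]))

    lockouts = {}
    for user, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                span = events[start:end + 1]
                lockouts[user] = (len(span), span[0][0], span[-1][0], {ip for _, ip in span})
                break
    return lockouts


if __name__ == "__main__":
    for pw in ("password", "Passw0rd", "Passw0rd!"):
        print(f"{pw!r:14} strong={is_strong_password(pw)}")
    for user, (n, first, last, ips) in detect_lockouts(LOG).items():
        print(f"lock {user}: {n} failures between {first:%H:%M:%S} and {last:%H:%M:%S} from {sorted(ips)}")
```

In the constructed log only bob trips the threshold; carol's single failure followed by a success and alice's lone failure are the normal noise a lockout policy must tolerate, which is why the window and threshold matter as much as the rule itself.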


Application Layer Attack and Mitigation

An application layer attack is not a single attack but can comprise multiple attacks. With application attacks, hackers attempt to exploit a vulnerability that exists within an application, regardless of whether that vulnerability is known or unknown.

You are probably familiar with vulnerabilities in Microsoft's Internet Information Server (IIS), Exchange email server, and Windows operating system. However, as much as some want to believe that only big, bad Microsoft has security holes in its products, that is not the case. Many other vendors also have vulnerabilities in their products, whether those products are software based or hardware based. Commonly used products that have had vulnerabilities include Apache, the many variants of Linux and Unix, sendmail, and countless others with bugs and holes that attackers can exploit. Just surf over to http://www.sans.org or http://www.cert.org to see pages and pages of security issues with numerous applications.

Alert: You can never completely eliminate application layer attacks because new vulnerabilities are continually discovered, by security professionals and by hackers alike.


Some of the mitigation techniques that reduce the risk of these attacks involve using intrusion-detection system (IDS) devices to monitor your network. A host-based IDS agent can intercept calls to the operating system and to applications and block malicious ones before they execute. One of the most effective ways to mitigate these attacks is to keep your operating systems and applications current with the latest patches. It is also a good idea to subscribe to security mailing lists and Web sites so that you know when new vulnerabilities are discovered.

Alert: A vulnerability is a hole that exists within an operating system or application. An exploit is an attack that a hacker uses to take advantage of a vulnerability.


Man-in-the-Middle Attack and Mitigation

A man-in-the-middle attack is one in which a hacker intercepts the data transmission between its source and its destination. Usually, hackers use packet sniffers to intercept the packets. Not only can the hacker steal information within the packets, he can also perform traffic analysis, change the data within the packets, hijack the intercepted session, and cause a DoS. The most effective way to mitigate this type of attack is cryptography. As discussed earlier, when packets are encrypted they are not readable by humans or by packet sniffers until authorized individuals decrypt them. There are multiple methods, whether using IPsec to encrypt entire connections or using Secure Shell (SSH) or Secure Sockets Layer (SSL) for application-specific encryption.

Reconnaissance and Mitigation

The line between performing reconnaissance and launching an attack is thin. With reconnaissance, hackers gather information they could use in future attacks. Think of reconnaissance as a burglar casing a neighborhood before breaking into a house. The things a hacker looks for are the IP addresses used by a company; the ports that are open on servers and through the firewall; and, of course, the mapping of hostnames to IP addresses, information available through the Domain Name System (DNS). Just like application layer attacks, reconnaissance attacks can never be entirely prevented. However, through the use of IDS devices, both at the network layer and at the host layer, you can become aware of when these types of information-gathering activities occur.

Trust Exploitation and Mitigation

Trust exploitation occurs when a hacker takes advantage of the various trust relationships that exist within a network. For instance, if you have a Web server in your corporate demilitarized zone (DMZ) and you allow that Web server to initiate connections on its own to the internal network, a hacker who compromises the Web server can potentially gain access to and compromise your internal network as well. The key to understanding trust relationships is to understand how devices within your network communicate and to ensure that communication occurs within given security parameters. To mitigate trust-exploitation attacks, do not let systems such as servers be fully trusted when they are not within the internal network. Depending upon how communication with those external servers needs to take place, they probably should not be able to initiate connections on their own to the outside network or to the internal network. You should trust only the protocols on your network that your business environment requires, and once again, you should not rely solely upon IP address authentication. Even an internal network faces a threat of trust exploitation, and administrators need to make configuration changes to mitigate it. For example, a corporate file server doesn't need access to the billing server.

The administrators can mitigate trust exploitation by applying access control lists (ACLs) on Layer 3 devices and firewalls, using host-based IDSs, and using private VLANs on switches. Private VLANs prevent hosts on the same subnet from communicating unless it is necessary.

Port Redirection and Mitigation

Port redirection is an attack a hacker uses to bypass the security mechanisms you have put in place. For instance, suppose you do not allow Telnet into your internal network when it is initiated from the outside, but a server in the DMZ (for example, a public Web server) is allowed to Telnet to an interesting internal server. A hacker who compromises that DMZ server can install a piece of software on it that listens on some port and relays each inbound connection to the internal server's Telnet port. In essence, the hacker Telnets to the compromised host on the external segment, and the relay redirects the session through the trusted DMZ-to-inside path, bypassing the firewall policy and gaining access to the internal network. Mitigating port redirection involves host-based IDSs, which can detect the relay software on the DMZ host, and proper trust models that do not let DMZ hosts initiate connections inward in the first place.

Unauthorized Access and Mitigation

Unauthorized access is not a specific type of attack; it essentially describes the outcome of the majority of attacks that hackers use today. Unauthorized access is simply a hacker gaining access to resources that she has no right to access. Both internal users and external users initiate this type of attack, and internal users are commonly estimated to account for the majority of network attacks, with figures between 60 and 80 percent often cited. The way to mitigate access attacks is to implement the various security mechanisms described in this chapter so that the attacker cannot compromise hosts.

Virus and Trojan Horse and Mitigation

We're all familiar with the concept of viruses and the devastating impact that viruses can have on networks and systems. Trojan horses also can have a detrimental impact on network security. A number of Trojan horse applications not only capture every keystroke that a user makes but can also email that information to the attacker. Trojan horses can also function as backdoors into your system, whereby the hacker can remotely control compromised hosts. The key to understanding a Trojan horse is that it attempts to mimic a regular program to capture information and also compromise your system. The main mitigation techniques for both viruses and Trojan horses involve antivirus software and installing current patches. It is extremely important that your antivirus software be up-to-date.



CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Author: Raman Sud
