Intrusion detection systems rely on the analysis of attack tools and structure. This analysis, sometimes referred to as attack taxonomy, is key to effectively implementing an IDS on your network. Hackers can use any of the following tools or methods to launch an attack:
Packet sniffers
IP spoofing
Password attacks
Man-in-the-middle attacks
Application layer attacks
Viruses
Management protocols
The following sections discuss each of these tools and methods.
Packet sniffers are tools that are used to capture and analyze network traffic for monitoring and maintenance purposes and can be based on software, hardware, or both. Although common and intended for network monitoring and maintenance purposes, packet sniffers can compromise the network when used for malicious purposes. Table 2.1 describes attacks based on packet sniffers, lists examples, and provides ways to mitigate the risks of these types of attacks.
Description | Example | Mitigation |
---|---|---|
Network adapter card in promiscuous mode captures all packets passing through a local area network (LAN); exploits the cleartext data transfer used by FTP, Telnet, Simple Network Management Protocol (SNMP), Hypertext Transfer Protocol (HTTP), and Post Office Protocol (POP) | Monitoring of user ID and password data from File Transfer Protocol (FTP), Telnet, and database access; internal threat presented by network administrators using a legitimate tool for prohibited purposes | Authentication with one-time passwords (OTP); switches instead of hubs; antisniffer tools; encryption: IP Security (IPSec), Secure Socket Layer (SSL), Secure Shell (SSH) |
IP spoofing describes a technique where an attacker gains access to your network by pretending to be from a source that is trusted within your network. IP spoofing, like packet sniffers, can be employed from both within the network and outside its boundaries. Table 2.2 describes attacks based on IP spoofing, lists examples, and provides ways to mitigate the risks of these types of attacks.
Description | Examples | Mitigation |
---|---|---|
Exploits IP address-based authentication by using legitimate internal or external IP addresses to access network resources | Can be used in conjunction with changes to routing tables to allow packets to be routed to the spoofed IP address | Access control lists (ACLs): deny external traffic with a source address that falls within the range of internal addresses; encrypted authentication; OTP; RFC 2827 filtering |
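The ACL and RFC 2827 mitigations in Table 2.2 both come down to the same two rules: on the outside interface, discard anything whose source address claims to be one of your own prefixes, and on the way out, discard anything whose source address is not one of your own prefixes. The following is an added example written for this page, not code from the book; the internal prefixes and the sample packets are constructed for illustration.

```python
"""Added example: RFC 2827-style anti-spoofing filter logic (not from the book).

Constructed scenario: the site owns 10.0.0.0/8 and 192.168.0.0/16 internally.
Ingress (from outside): drop packets whose source claims an internal address.
Egress (to outside): drop packets whose source is not internal, so the site
cannot be used to launch spoofed traffic against other networks.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed internal address space (assumption for the example).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(address: str) -> bool:
    """True if the address belongs to one of our internal prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETWORKS)


def ingress_verdict(src: str) -> str:
    """Packet arriving on the outside interface: an internal source is spoofed."""
    return "deny-spoofed-internal" if is_internal(src) else "permit"


def egress_verdict(src: str) -> str:
    """Packet leaving toward the Internet: only our own addresses may go out."""
    return "permit" if is_internal(src) else "deny-spoofed-external"


def filter_packets(packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply the two rules. Each packet is (direction, source_ip), direction "in" or "out"."""
    results = []
    for direction, src in packets:
        verdict = ingress_verdict(src) if direction == "in" else egress_verdict(src)
        results.append((direction, src, verdict))
    return results


if __name__ == "__main__":
    # Constructed sample: one spoofed inbound, one legitimate inbound,
    # one legitimate outbound, one outbound with a foreign source.
    sample = [
        ("in", "10.1.2.3"),
        ("in", "203.0.113.7"),
        ("out", "10.1.2.3"),
        ("out", "198.51.100.9"),
    ]
    for row in filter_packets(sample):
        print(row)
```

The egress rule is the part RFC 2827 actually asks for: it protects other people's networks from spoofed traffic originating inside yours, which is why the book lists it separately from the inbound ACL.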
Password attacks, not surprisingly, use any of the tools shown in Table 2.3 to acquire login and password information. If the hacker gets access to an administrator account, he or she can use these privileges to leave open a back door for future access to system resources. Table 2.3 describes password attacks, lists examples, and provides ways to mitigate the risks of these types of attacks.
Tools | Example | Mitigation |
---|---|---|
Brute force; Trojan horse programs; IP spoofing; packet sniffers exploiting cleartext login traffic | Dictionary hacking, a quick method where a dictionary of hashed passwords is compared against the password hashes of user accounts to crack simple passwords. Brute-force password computation, where the hash is computed for every possible password for a given set of characters, such as A-Z plus 0-9. This attack is very slow. | Policy enforcement: disallow the same password on multiple systems; disable accounts after unsuccessful logins; require OTP or encrypted passwords; require "strong" passwords |

Strong passwords have at least eight characters and contain uppercase and lowercase letters, numbers, and special characters.
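Two of the Table 2.3 mitigations are easy to state but worth seeing as code: the strong-password rule as the book defines it, and account lockout after repeated unsuccessful logins. The following is an added example written for this page, not code from the book; the PBKDF2 hash storage, the lockout threshold and the sample accounts are assumptions made for illustration.

```python
"""Added example (not from the book): two of the Table 2.3 mitigations in code.

1. is_strong() applies the book's definition of a strong password: at least
   eight characters containing uppercase, lowercase, digits and special characters.
2. AccountLockout disables an account after a configurable number of
   unsuccessful logins ("disable accounts after unsuccessful logins").
The salted PBKDF2 storage and the threshold are assumptions for the example.
"""
import hashlib
import hmac
import os
import string
from typing import Dict, Set, Tuple

SPECIALS = set(string.punctuation)
PBKDF2_ROUNDS = 100_000  # assumption; tune to your hardware


def is_strong(password: str) -> bool:
    """Book's rule: >= 8 chars with upper, lower, digit and special character."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in SPECIALS for c in password)
    )


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountLockout:
    """Stores salted hashes and locks an account after max_failures bad logins."""

    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures: Dict[str, int] = {}
        self.locked: Set[str] = set()
        self.credentials: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    def register(self, user: str, password: str) -> None:
        """Enforce the strength policy at enrolment, never store cleartext."""
        if not is_strong(password):
            raise ValueError("password does not meet strength policy")
        salt = os.urandom(16)
        self.credentials[user] = (salt, _hash(password, salt))

    def attempt(self, user: str, password: str) -> str:
        """Returns "ok", "failed" or "locked". Locked accounts stay locked
        even when the correct password is later supplied."""
        if user in self.locked:
            return "locked"
        record = self.credentials.get(user)
        if record is not None:
            salt, stored = record
            if hmac.compare_digest(_hash(password, salt), stored):
                self.failures[user] = 0
                return "ok"
        # Unknown users and wrong passwords are counted the same way so the
        # response does not reveal which accounts exist.
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = AccountLockout(max_failures=3)
    guard.register("alice", "Correct-Horse9")  # constructed sample credential
    for guess in ("wrong", "wrong", "wrong", "Correct-Horse9"):
        print(guess, "->", guard.attempt("alice", guess))
```

Lockout blunts both attack styles in the table: a dictionary run against the live login interface hits the threshold within a handful of tries, and the slow brute-force path becomes impractical. It does nothing for an attacker who already holds the hash file, which is why the policy also requires strong passwords and encrypted (hashed, salted) storage.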
A hacker attacking a network by accessing packets as they traverse the network is performing what's called a man-in-the-middle attack. Sniffers and routing and transport protocols are often used as tools for preventing and detecting man-in-the-middle attacks. Table 2.4 describes man-in-the-middle attacks, lists examples, and provides ways to mitigate the risks of these types of attacks.
Includes | Example | Mitigation |
---|---|---|
Data theft or corruption; session hijacking; traffic analysis | A systems integration consultant using a packet sniffer to analyze traffic from a specific host computer | Data encryption neutralizes a man-in-the-middle attack by rendering the traffic meaningless to the attacker. |
Application attacks take advantage of Layer 7 vulnerabilities, such as those in FTP, sendmail, HTTP, and PostScript, and typically use well-known ports to traverse a firewall. Application layer attacks will always be a threat because new weaknesses in commonly used programs are continuously being discovered.
Table 2.5 describes application layer attacks and gives examples and mitigation techniques.
Attack Type | Example | Mitigation |
---|---|---|
Exploitation of HTTP, HTML, ActiveX controls, and Java applets to launch malicious programs from a user's browser; Trojan horse attacks, where a common application is replaced with one that performs an attack function | A Trojan horse program that looks to the user like a valid login sequence, using recognized prompts and banners; as the user "logs in," the information is captured and transmitted to the hacker. | Stay aware of application vulnerabilities; read and analyze log files; test and install patches; automate the process with an IDS |

A Trojan horse uses an application that mimics a legitimate application component to gain "backdoor" access into a host.
A computer virus, much like a biological virus that is contained within a cell, attaches itself to a program that is used to transmit the virus to users' workstations. When the program is executed, the virus is released and carries out an attack on the end-user workstation.
A Trojan horse is similar to a virus; rather than use a different program as a means of transmission, a Trojan horse mimics a legitimate program to gain access to end-user workstations.
Worms such as Nimda and Slammer, which multiply and self-propagate throughout a network, are also notorious for their efficiency in causing a great deal of damage to large networks.
Antivirus software implemented at the host or network level can detect and in most cases contain the spread of viruses.
Management protocols , because they're used to configure, monitor, and log network devices and their activities, provide hackers with the opportunity to cause serious damage. Table 2.6 summarizes common management protocols, their weaknesses, and ways to prevent hackers from taking advantage of these necessary tools.
Protocol | Weaknesses | Mitigation |
---|---|---|
Configuration management protocols such as Telnet and HTTP, used for device-level configuration | Telnet and HTTP traffic is transmitted in cleartext, potentially exposing any sensitive information if the traffic is intercepted. | Encryption: IPSec, SSH, or SSL; ACLs to allow only management servers to connect to network devices; logging to record failed connection attempts; RFC 2827 filtering |
SNMP, used for centralized management of network devices | SNMP uses passwords called community strings to authenticate messages. Community strings are typically transmitted in cleartext. SNMP can be configured to allow read-write access, allowing a hacker to reconfigure a network device. | Use device-level access control to limit the management hosts that are allowed access via SNMP; configure SNMP with read-only community strings. |
Syslog, data generated by a device that is configured for logging | Syslog data is sent as cleartext on UDP port 514 with no packet-level integrity checking. Syslog data can be altered or flooded with false data as a distraction during an attack. | Encrypt syslog traffic; RFC 2827 filtering at the perimeter router when allowing syslog access from outside hosts; ACLs to filter access to the syslog server |
Trivial File Transfer Protocol (TFTP), used to back up network device configuration files to a TFTP server | TFTP traffic is sent as cleartext. Configuration files, if intercepted, will be exposed. | Encrypt TFTP traffic with an IPSec tunnel when possible |
Network Time Protocol (NTP), used for clock synchronization | Valid digital certificates can be forced to expire by changing network clocks. Network attacks can be masked by changing device clocks and logging timestamps. Public NTP servers often require no authentication. | Use a private network clock as the NTP server; use NTP version 3 and above, which allow encrypted authentication; use ACLs to control which devices are allowed to synchronize clocks with other network devices |
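The syslog row of Table 2.6 names two weaknesses a collector can partly defend against on its own: datagrams from hosts that are not network devices should be refused (the ACL mitigation), and a sudden burst from one device is worth flagging because the book describes flooding as a distraction tactic. The following is an added example written for this page, not code from the book; the device allow-list, the flood threshold, and the Cisco-style log lines are all constructed for illustration.

```python
"""Added example (not from the book): defensive screening of syslog datagrams.

Syslog arrives as cleartext UDP on port 514 with no integrity check, so the
collector (a) rejects sources that are not known network devices and
(b) flags any single source that exceeds a message-count threshold.
The allow-list, threshold and the sample records are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed allow-list of devices permitted to send syslog (assumption).
KNOWN_DEVICES = {"10.0.0.1", "10.0.0.2"}

# Constructed collector records: (source_ip, udp_dst_port, raw syslog message).
# The last entry simulates a 60-message burst from the core switch.
DATAGRAMS: List[Tuple[str, int, str]] = [
    ("10.0.0.1", 514, "<189>Mar  1 10:00:01 edge-rtr %SYS-5-CONFIG_I: Configured from console"),
    ("10.0.0.2", 514, "<189>Mar  1 10:00:02 core-sw %LINK-3-UPDOWN: Interface Gi0/1, changed state to down"),
    ("203.0.113.9", 514, "<189>Mar  1 10:00:03 edge-rtr %SYS-5-CONFIG_I: Configured from console"),
] + [
    ("10.0.0.2", 514, f"<189>Mar  1 10:00:05 core-sw %TEST-6-NOISE: filler {i}")
    for i in range(60)
]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_priority(msg: str) -> Tuple[int, int]:
    """Split the <PRI> prefix into (facility, severity); PRI = facility * 8 + severity."""
    m = PRI_RE.match(msg)
    if not m:
        raise ValueError("missing PRI field")
    pri = int(m.group(1))
    return pri // 8, pri % 8


def screen(datagrams: List[Tuple[str, int, str]], flood_threshold: int = 50) -> Dict[str, list]:
    """Return accepted records, rejected sources, and sources exceeding the threshold."""
    accepted: List[Tuple[str, int, str]] = []   # (source, severity, message)
    rejected: List[Tuple[str, str]] = []
    per_source: Counter = Counter()
    for src, port, msg in datagrams:
        if src not in KNOWN_DEVICES:
            # Equivalent of the ACL in front of the syslog server.
            rejected.append((src, "unknown-source"))
            continue
        per_source[src] += 1
        _facility, severity = parse_priority(msg)
        accepted.append((src, severity, msg))
    flooding = [src for src, n in per_source.items() if n > flood_threshold]
    return {"accepted": accepted, "rejected": rejected, "flooding": flooding}


if __name__ == "__main__":
    report = screen(DATAGRAMS)
    print("accepted:", len(report["accepted"]))
    print("rejected:", report["rejected"])
    print("flooding sources:", report["flooding"])
```

Because UDP has no handshake, a datagram whose source address is forged to match an allowed device passes this check; the source filter only raises the bar, which is why the table's first mitigation is to encrypt syslog traffic and the second is RFC 2827 filtering at the perimeter.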