Threats and Countermeasures


An attacker looks for poorly configured network devices to exploit. Common vulnerabilities include weak default installation settings, wide-open access controls, and unpatched devices. The following are high-level network threats:

  • Information gathering

  • Sniffing

  • Spoofing

  • Session hijacking

  • Denial of service

With knowledge of the threats that can affect the network, you can apply effective countermeasures.

Information Gathering

Information gathering can reveal detailed information about network topology, system configuration, and network devices. An attacker uses this information to mount pointed attacks at the discovered vulnerabilities.

Vulnerabilities

Common vulnerabilities that make your network susceptible to an attack include:

  • The inherently insecure nature of the TCP/IP protocol suite

  • Configuration information provided by banners

  • Exposed services that should be blocked

Attacks

Common information-gathering attacks include:

  • Using Tracert to detect network topology

  • Using Telnet to open ports for banner grabbing

  • Using port scans to detect open ports

  • Using broadcast requests to enumerate hosts on a subnet

Countermeasures

You can employ the following countermeasures:

  • Use generic service banners that do not give away configuration information such as software versions or names.

  • Use firewalls to mask services that should not be publicly exposed.
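As an added illustration of the banner countermeasure (this code is not part of the original text), the following Python script audits service banners for the product names and version strings that a generic banner should omit. The product list, the HTTP headers it inspects, and the sample banners are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Product names whose presence in a banner discloses the software in use (assumed list).
KNOWN_PRODUCTS = ("Apache", "nginx", "Microsoft-IIS", "Postfix", "Sendmail",
                  "Exim", "vsFTPd", "ProFTPD", "PHP", "ASP.NET")
# Dotted version strings such as 2.4.41 or 7.4.3; a bare SMTP code like "220" does not match.
VERSION_RE = re.compile(r"(?<![0-9.])\d+\.\d+(?:\.\d+)?(?![0-9.])")

# Constructed sample banners, not captured from any real host.
LEAKY_HTTP = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\n"
              "X-Powered-By: PHP/7.4.3\r\nContent-Type: text/html\r\n\r\n")
GENERIC_HTTP = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
LEAKY_SMTP = "220 mail.example.com ESMTP Postfix (Ubuntu)"
GENERIC_SMTP = "220 mail.example.com ESMTP"

def leaks(banner: str) -> Dict[str, List[str]]:
    """Return the product names and version strings one banner discloses."""
    lowered = banner.lower()
    return {"products": [p for p in KNOWN_PRODUCTS if p.lower() in lowered],
            "versions": VERSION_RE.findall(banner)}

def is_generic(banner: str) -> bool:
    """True when the banner names neither a product nor a version."""
    found = leaks(banner)
    return not found["products"] and not found["versions"]

def http_banner_fields(raw_head: str) -> Dict[str, str]:
    """Extract the response headers that commonly reveal server software.
    raw_head is the status line plus headers, CRLF-separated; the status
    line is skipped so that 'HTTP/1.1' is not reported as a version."""
    fields = {}
    for line in raw_head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() in ("server", "x-powered-by", "x-aspnet-version"):
            fields[name.strip().lower()] = value.strip()
    return fields

def audit_http(raw_head: str) -> Dict[str, Dict[str, List[str]]]:
    """Report, per disclosing header, what the HTTP banner gives away."""
    return {name: leaks(value) for name, value in http_banner_fields(raw_head).items()}

if __name__ == "__main__":
    for label, head in (("leaky", LEAKY_HTTP), ("generic", GENERIC_HTTP)):
        print(label, audit_http(head))
    print("smtp generic?", is_generic(LEAKY_SMTP), is_generic(GENERIC_SMTP))
```

Note that the hardened HTTP banner still names the product; whether that is acceptable depends on how far the generic-banner policy is taken.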

Sniffing

Sniffing, also called eavesdropping, is the act of monitoring network traffic for data, such as clear-text passwords or configuration information. With a simple packet sniffer, all plaintext traffic can be read easily. Also, lightweight hashing algorithms can be cracked and the payload that was thought to be safe can be deciphered.

Vulnerabilities

Common vulnerabilities that make your network susceptible to data sniffing include:

  • Weak physical security

  • Lack of encryption when sending sensitive data

  • Services that communicate in plain text or use weak encryption or hashing

Attacks

The attacker places packet sniffing tools on the network to capture all traffic.

Countermeasures

Countermeasures include the following:

  • Strong physical security that prevents rogue devices from being placed on the network

  • Encrypted credentials and application traffic over the network

Spoofing

Spoofing, also called identity obfuscation, is a means to hide one's true identity on the network. A fake source address is used that does not represent the actual packet originator's address. Spoofing can be used to hide the original source of an attack or to work around network access control lists (ACLs) that are in place to limit host access based on source address rules.

Vulnerabilities

Common vulnerabilities that make your network susceptible to spoofing include:

  • The inherently insecure nature of the TCP/IP protocol suite

  • Lack of ingress and egress filtering. Ingress filtering is the filtering of any IP packets with untrusted source addresses before they have a chance to enter and affect your system or network. Egress filtering is the process of filtering outbound traffic from your network.

Attacks

An attacker can use several tools to modify outgoing packets so that they appear to originate from an alternate network or host.

Countermeasures

You can use ingress and egress filtering on perimeter routers.
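The following Python function is an added example, not part of the original text, that models the ingress and egress decisions described above as a perimeter router would apply them; it also drops directed broadcasts from outside, which ties in with the broadcast filtering listed under denial of service. The internal address ranges, the non-routable source list, and the packet records are constructed for the example, and a real router would express the same policy as interface ACLs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Assumed internal address space behind the perimeter router (constructed).
INTERNAL_NETS = [ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("10.20.0.0/16")]
# Source ranges that should never arrive on the Internet-facing interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

@dataclass
class Packet:
    iface: str   # "outside" (Internet-facing) or "inside"
    src: str
    dst: str

def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)

def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return ("accept" | "drop", reason) for one packet at the perimeter router."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.iface == "outside":
        # Ingress filtering: packets arriving from the Internet must not claim
        # an internal or otherwise non-routable source address.
        if _in_any(src, INTERNAL_NETS):
            return "drop", "ingress: spoofed internal source"
        if _in_any(src, BOGON_NETS):
            return "drop", "ingress: non-routable source"
        # Directed broadcasts from outside are a classic amplification vector.
        if any(dst == n.broadcast_address for n in INTERNAL_NETS):
            return "drop", "ingress: directed broadcast"
        return "accept", "ingress: routable external source"
    if pkt.iface == "inside":
        # Egress filtering: packets leaving must carry one of our own source
        # addresses, so a compromised host cannot spoof another network.
        if not _in_any(src, INTERNAL_NETS):
            return "drop", "egress: source not in internal space"
        return "accept", "egress: valid internal source"
    return "drop", "unknown interface " + pkt.iface
```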

Session Hijacking

With session hijacking, also known as a man-in-the-middle attack, the attacker uses an application that masquerades as either the client or the server. This results in either the server or the client being tricked into thinking that the upstream host is the legitimate host. However, the upstream host is actually an attacker's host that is manipulating the network so that it appears to be the desired destination. Session hijacking can be used to obtain logon information that can then be used to gain access to a system or to confidential information.

Vulnerabilities

Common vulnerabilities that make your network susceptible to session hijacking include:

  • Weak physical security

  • The inherent insecurity of the TCP/IP protocol suite

  • Unencrypted communication

Attacks

An attacker can use several tools to combine spoofing, routing changes, and packet manipulation.

Countermeasures

Countermeasures include the following:

  • Session encryption

  • Stateful inspection at the firewall

Denial of Service

A denial of service attack is the act of denying legitimate users access to a server or services. Network-layer denial of service attacks usually try to deny service by flooding the network with traffic, which consumes the available bandwidth and resources.

Vulnerabilities

Vulnerabilities that increase the opportunities for denial of service include:

  • The inherent insecurity of the TCP/IP protocol suite

  • Weak router and switch configuration

  • Unencrypted communication

  • Service software bugs

Attacks

Common denial of service attacks include:

  • Brute force packet floods, such as cascading broadcast attacks

  • SYN flood attacks

  • Service exploits, such as buffer overflows

Countermeasures

Countermeasures include:

  • Filtering broadcast requests

  • Filtering Internet Control Message Protocol (ICMP) requests

  • Patching and updating of service software
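As an added example (not from the original text), the following Python code detects the SYN flood pattern listed above in connection records by counting handshakes that a client opened with a SYN but never completed with an ACK. The log format, the addresses, and the alert threshold are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed connection log: "<time> <src> -> <dst>:<port> <tcp flags>". One client
# completes a handshake on port 80 and leaves one SYN on 443 unanswered; six
# distinct (likely spoofed) sources send SYNs to port 80 and never follow up.
SAMPLE_LOG = """\
1000.0 203.0.113.5 -> 198.51.100.10:80 S
1000.1 203.0.113.5 -> 198.51.100.10:80 A
1000.2 203.0.113.5 -> 198.51.100.10:443 S
1001.0 203.0.113.50 -> 198.51.100.10:80 S
1001.1 203.0.113.51 -> 198.51.100.10:80 S
1001.2 203.0.113.52 -> 198.51.100.10:80 S
1001.3 203.0.113.53 -> 198.51.100.10:80 S
1001.4 203.0.113.54 -> 198.51.100.10:80 S
1001.5 203.0.113.55 -> 198.51.100.10:80 S
"""
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) -> (\S+):(\d+) ([SAFR]+)$")

def parse(log: str) -> Iterator[Tuple[float, str, str, int, str]]:
    """Yield (time, src, dst, port, flags); malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, src, dst, port, flags = m.groups()
            yield float(t), src, dst, int(port), flags

def half_open_by_target(records) -> Dict[Tuple[str, int], set]:
    """Map each (dst, port) to the client sources whose SYN was never
    followed by an ACK from that same source (half-open handshakes)."""
    pending: Dict[Tuple[str, str, int], float] = {}
    for t, src, dst, port, flags in records:
        key = (src, dst, port)
        if "S" in flags and "A" not in flags:   # client SYN opens a handshake
            pending.setdefault(key, t)
        elif "A" in flags:                      # client ACK completes it
            pending.pop(key, None)
    targets: Dict[Tuple[str, int], set] = defaultdict(set)
    for src, dst, port in pending:
        targets[(dst, port)].add(src)
    return targets

def syn_flood_alerts(log: str, threshold: int = 5) -> List[Tuple[str, int, int]]:
    """Return (dst, port, half_open_count) for every target at or above threshold.
    A production detector would also bound the count to a time window."""
    return sorted((dst, port, len(srcs))
                  for (dst, port), srcs in half_open_by_target(parse(log)).items()
                  if len(srcs) >= threshold)
```

Because half-open handshakes are keyed by source address, a flood from a single unspoofed host counts once; add the source port to the key to count those as well.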


Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613