Attack and Defense

You can view the interaction between a hacker and a network administrator in different ways. You can see a harmless game of cat and mouse or a terrorist attack on national security. In either case, a person attempts to break into or crash your system. You, as the network administrator, work at preventing and tracking the attacks.

Hacker Tools: Common Network Attacks

Network attacks that are directed by a hacker are called directed attacks. For example, a hacker sending a WinNuke packet (generated by the WinNuke utility, discussed later in this chapter) to a specific machine is considered a directed attack. Viruses are traditionally not directed attacks. The virus is unknowingly copied from user to user. Viruses are some of the most prevalent attacks used on the Internet. In this section, we’ll discuss some of the techniques that hackers commonly use to attack a network. Then, in the next section, we’ll discuss some tools and procedures you can use to defend against them.

Note 

Traditional viruses are covered in Chapter 9, “Fault Tolerance and Disaster Recovery.”

IP Spoofing

IP spoofing is the process of sending packets with a fake source address, pretending that the packet is coming from within the network that the hacker is trying to attack. The address can be considered stolen from the hacker’s target network. A router (even a packet-filtering router) is going to treat this packet as coming from within the network and will let it pass; however, a firewall can prevent this type of packet from passing into the secured network. In Figure 8.6, a hacker is attempting an IP spoof. Notice that the hacker with the spoofed IP address is denied access to the network by the firewall.

Figure 8.6: IP spoofing
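The firewall rule described above is an address-consistency check: a packet arriving on the Internet-facing interface must not carry a source address belonging to the protected network. The following is an added example (not from the study guide) of that ingress/egress filter in Python; the internal prefixes, interface names and sample packets are constructed for illustration.

```python
import ipaddress

# Constructed: address blocks that belong to the protected (internal) network.
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.1.0/24")]

def is_internal(src):
    """True if src falls inside one of the protected network's own prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERNAL_NETWORKS)

def filter_packet(interface, src, dst):
    """Border-firewall verdict for one packet: 'drop' or 'accept'.

    - On the external (Internet-facing) interface, a packet claiming an
      internal source address is spoofed: drop it.
    - On the internal interface, a packet whose source is not internal is
      misrouted or an attempt to spoof outward: drop it too.
    """
    src_internal = is_internal(src)
    if interface == "external" and src_internal:
        return "drop"
    if interface == "internal" and not src_internal:
        return "drop"
    return "accept"

# Constructed sample packets: (arrival interface, source, destination)
SAMPLE_PACKETS = [
    ("external", "203.0.113.7", "10.0.0.5"),      # genuine outside host
    ("external", "10.0.0.9", "10.0.0.5"),         # spoofed: internal source from outside
    ("internal", "10.0.0.5", "203.0.113.7"),      # genuine outbound traffic
    ("internal", "198.51.100.3", "203.0.113.7"),  # forged source leaving the network
]

def audit(packets=SAMPLE_PACKETS):
    """Return one verdict per packet, in input order."""
    return [filter_packet(i, s, d) for i, s, d in packets]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, audit()):
        print(f"{verdict:6} {pkt[0]:8} src={pkt[1]:14} dst={pkt[2]}")
```

A plain packet-filtering router that only matches on addresses lets the second packet through because its source looks internal; the check on the arrival interface is what makes the difference.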

The Ping of Death

The Ping of Death is a type of denial of service (DoS) attack. A DoS attack prevents any users, even legitimate ones, from using the system. Ping is primarily used to see if a computer is responding to IP requests. Normally, when you ping a remote host, four normal-sized ICMP (Internet Control Message Protocol) packets are sent to the remote host to see if it is available. In a Ping of Death attack, an oversized ICMP packet is sent to the remote host, and reassembling it overflows the buffer that receives it. Typically, this causes a system to reboot or hang. Patches to prevent a Ping of Death attack from working are available for most operating systems.
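The patches the text mentions work by refusing to reassemble an IP datagram beyond the 65,535-byte limit of its 16-bit length field. As an added illustration (not code from the study guide), here is a small fragment reassembler in Python that applies that check; the fragment tuples are constructed sample input.

```python
MAX_IP_DATAGRAM = 65535  # bytes: the IP total-length field is 16 bits
FRAG_UNIT = 8            # the fragment-offset field counts 8-byte units

class FragmentReassembler:
    """Collects fragments of one IP datagram and refuses to grow past the
    16-bit length limit, which is the check that defeats the Ping of Death."""

    def __init__(self):
        self.fragments = {}    # start byte -> payload length
        self.total_len = None  # known once the last fragment (MF=0) arrives

    def add(self, offset_units, payload_len, more_fragments):
        """Accept one fragment; raise ValueError if the datagram would be oversized."""
        start = offset_units * FRAG_UNIT
        end = start + payload_len
        if end > MAX_IP_DATAGRAM:
            raise ValueError(f"fragment ends at byte {end}, exceeds {MAX_IP_DATAGRAM}")
        self.fragments[start] = payload_len
        if not more_fragments:
            self.total_len = end
        return end

    def complete(self):
        """True once every byte from 0 up to total_len is covered."""
        if self.total_len is None:
            return False
        covered = 0
        for start in sorted(self.fragments):
            if start > covered:
                return False  # gap in the data
            covered = max(covered, start + self.fragments[start])
        return covered >= self.total_len

def reassemble(fragments):
    """Feed (offset_units, payload_len, more_fragments) tuples and report
    'complete', 'incomplete' or 'rejected: ...'."""
    r = FragmentReassembler()
    try:
        for off, length, mf in fragments:
            r.add(off, length, mf)
    except ValueError as e:
        return f"rejected: {e}"
    return "complete" if r.complete() else "incomplete"

# Constructed samples: a normal 1500-byte ping split in two, and a datagram
# whose last fragment would push the reassembled size past 65535 bytes.
NORMAL_PING = [(0, 1480, True), (185, 20, False)]
OVERSIZED = [(0, 1480, True), (8189, 30, False)]
```

An unpatched stack would reserve a fixed 65,535-byte buffer and copy the final fragment past its end; the length check above rejects that fragment before any copy happens.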

WinNuke

WinNuke is a Windows program that sends special TCP/IP packets with an invalid TCP header. Windows 95/98 and Windows NT/2000 computers will crash when they receive one of these packets because of the way the Windows 95/98 or Windows NT/2000 TCP/IP stack handles bad data in the TCP header. Instead of returning an error code or rejecting the bad data (Microsoft calls it out-of-band data), it sends the computer to the Blue Screen of Death (BSoD). Figuratively speaking, the hacker causes the computer to blow up, or to be nuked. This type of attack does not affect Unix boxes and NetWare servers.

Tip 

There is a patch to solve this particular problem, making machines invulnerable to WinNuke attacks. You can obtain it by going to Microsoft’s support website at http://support.microsoft.com/servicedesks/technet/ and searching for WinNuke.

SYN Flood

A SYN flood is also a denial of service attack because it can barrage the receiving machine with dozens of meaningless packets. In normal communications, a workstation that wants to open a TCP/IP communication with a server sends a TCP/IP packet with the SYN flag set to 1. The server automatically responds to the request, indicating that it is ready to start communicating. Only new communications use SYN flags. If you are in the middle of a file download, SYNs are not used. A new SYN packet is used only if you lose your connection and must reestablish communications.

To initiate a SYN flood, a hacker sends a barrage of SYN packets. The receiving station normally can’t help itself and tries to respond to each SYN request for a connection. The receiving device soon expends its resources trying to reply, and all incoming connections are rejected until all current connections can be answered. The victim machine cannot respond to any other requests because its buffers are overfilled, and it therefore rejects all packets, including valid requests for connections. Patches that can help with this problem are available for the various network operating systems.
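Because a SYN flood leaves connections half open (SYN received, handshake never completed), a simple passive detector can count half-open connections per source from a connection log. The following is an added example in Python, not from the study guide; the log format and the sample lines are constructed for illustration.

```python
from collections import Counter

# Constructed sample of a server-side connection log. Each line records a TCP
# state transition: a SYN received, or the handshake completing (ESTABLISHED).
# The "k=v" line format is an assumption made for this example.
SAMPLE_LOG = """\
t=1 src=203.0.113.5 dport=80 event=SYN
t=1 src=203.0.113.5 dport=80 event=ESTABLISHED
t=2 src=198.51.100.9 dport=80 event=SYN
t=2 src=198.51.100.9 dport=80 event=SYN
t=3 src=198.51.100.9 dport=80 event=SYN
t=3 src=198.51.100.9 dport=80 event=SYN
t=4 src=198.51.100.9 dport=80 event=SYN
t=4 src=192.0.2.44 dport=80 event=SYN
t=5 src=192.0.2.44 dport=80 event=ESTABLISHED
"""

def parse_line(line):
    """Turn 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def half_open_counts(log_text):
    """Per source, the number of SYNs that never reached ESTABLISHED."""
    pending = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["event"] == "SYN":
            pending[rec["src"]] += 1
        elif rec["event"] == "ESTABLISHED" and pending[rec["src"]] > 0:
            pending[rec["src"]] -= 1
    return {src: n for src, n in pending.items() if n > 0}

def backlog_size(log_text):
    """Total half-open connections, regardless of source."""
    return sum(half_open_counts(log_text).values())

def suspected_flooders(log_text, threshold=3):
    """Sources with at least `threshold` half-open connections (the
    threshold is a tunable; normal clients rarely leave more than one)."""
    return sorted(src for src, n in half_open_counts(log_text).items()
                  if n >= threshold)
```

Since flood packets usually carry spoofed source addresses, the per-source list can stay empty while the total backlog climbs, so alert on `backlog_size` as well as on individual sources.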

start sidebar
Real World Scenario: Why We Have Firewalls

In the early days of the Internet, firewalls weren’t necessary. Internet users more or less behaved themselves and operated on the honor system. Plus, there were very few Fortune 500 companies who connected their entire corporate network to the Internet. However, as the Internet grew, many large companies realized they could communicate better if they connected their network directly to the Internet. At the same time, some users realized they could gain wealth or other consideration by getting into a company’s network and stealing data from it. Firewalls were designed in response to this threat. As the saying goes, a few bad apples spoil the whole bunch.

end sidebar

Intruder Detection: Defense Techniques

There are three main types of intruder detection and defense:

  • Active detection involves constantly scanning the network for possible break-ins.

  • Passive detection involves logging all network events to a file.

  • Proactive defense involves using tools to shore up your network walls against attack.

Active Detection

Active detection is analogous to a security guard walking down the hallway rattling doors. The guard is checking for a break-in. Special network software can watch traffic as it crosses the network for known attack methods and other suspicious activity. Some sophisticated active systems actually take action, such as shutting down the communications sessions that the hacker is using, as well as e-mailing or paging you. Some packages actually go as far as trying to cripple the computer from which the hacker is attacking. Cisco’s NetRanger, Memco’s SessionWall, and Snort are all forms of active intrusion-detection software.

Warning 

Because SATAN is free, both sides have access to it. Consequently, hackers can (and often do) use SATAN to look for security holes. Many other intrusion-detection programs will also look for SATAN-type intrusions.

Passive Detection

Video cameras are an example of passive intrusion-detection systems. Their counterparts in networking are files that log events that occur on the network. Tripwire for Unix systems is one of the earliest programs of this type. With passive detection systems, files and data are looked at, and checksums are calculated for each file and piece of data. These checksums are then stored in a log file. If the network administrator notices a security breach on the network, he or she can access the log files to find clues regarding the security breach.

Proactive Defense

The main feature of the proactive defense is to make sure your network is invulnerable to attack. You can do this through research and maintenance. You must stay current on all known security holes on your network. You can use tools such as SATAN to find the holes in your security walls and plug them with software patches. Unfortunately, before you can patch a hole, it must be discovered. And the war against attackers is ongoing. As soon as you patch a hole, the hacker will find and exploit two other weaknesses. It usually takes some time for a patch to be developed and, in that time, companies lose resources to a hacker.

Network+ Study Guide
ISBN: 470427477
EAN: N/A
Year: 2002
Pages: 151