A Model of Network Attacks

This breakdown of phases in a network-based system compromise is my own taxonomy. I find it a handy way of categorizing the methods attackers use to gain access to a system and to hide their traces.

Types of Attack

There are two major categories of attack on networked machines. The first is the denial-of-service (DoS) attack, the network equivalent of a protester shouting so loudly that you cannot communicate. This is most annoying when you are the victim, but it doesn't usually alter your system or the data on it; what you lose is availability for the duration of the attack.

The second major category is the system compromise: a remote attacker gains access to your system. At minimum the attacker reads data you did not intend that party to read; at most the attacker gains complete control of the system. Obviously, this second category is the more serious.

Phases of Network-Based Attacks

An attack leading to a system compromise is conducted in phases.

Reconnaissance

The first phase is reconnaissance. It comes in two flavors, passive and active. Passive reconnaissance is watching network traffic to discover hosts, addresses, resources, users, and so on. Chapter 11, on sniffing, describes tools that can be used for passive reconnaissance. Passive sniffing is very hard to detect, because the sniffer sends nothing. Luckily, it requires a vantage point on the target network itself or on a network the target's traffic passes through (do you, or should you, trust your ISP?).

Active reconnaissance is where the attacker sends packets to your network to learn its extent, hosts, users, vulnerabilities, and so on. Tools like nmap have powerful features both for exploring networks and for obscuring the source of the probes. You don't need such tools, however: ping, Telnet, and finger will do, and so will e-mail (a bounced message reveals the mail server software and often internal host names). Active reconnaissance can also be nontechnical: social engineering or outright espionage.
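The kind of probing the paragraph above describes, reduced to its essentials, as an added example (not code from the book): a TCP connect scan that completes the handshake on each port and records whatever banner the service volunteers, which is how an attacker turns "port 22 is open" into "OpenSSH version X". It probes 127.0.0.1 so it runs offline; the service it "discovers" is a throwaway listener started by the script itself, and the banner text is constructed for the demo.

```python
"""Active reconnaissance in miniature: a TCP connect scan with banner grabbing.

Added example, not code from the book. It probes 127.0.0.1 so it runs offline;
the "service" it discovers is a throwaway listener started by this script, and
its banner is constructed for the demo.
"""
import socket
import threading

CONNECT_TIMEOUT = 0.5  # seconds; a real scan tunes this per target network


def start_fake_service(banner: bytes) -> int:
    """Start a listener on an ephemeral local port that greets every client with `banner`.

    Stand-in for a real daemon (constructed target for the demo). Returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_port() -> int:
    """Pick a local port that is (almost certainly) not listening, for the demo."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host: str, port: int, timeout: float = CONNECT_TIMEOUT) -> dict:
    """Complete a TCP handshake to host:port and read whatever the service volunteers.

    Returns {"port", "state", "banner"} with state "open", "closed" (connection
    refused) or "filtered" (no answer within the timeout, which on a real network
    usually means a firewall silently dropped the SYN).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return {"port": port, "state": "closed", "banner": b""}
    except OSError:  # socket.timeout and routing errors land here
        s.close()
        return {"port": port, "state": "filtered", "banner": b""}
    try:
        banner = s.recv(256)  # many daemons (SSH, SMTP, FTP, telnet) speak first
    except OSError:
        banner = b""
    finally:
        s.close()
    return {"port": port, "state": "open", "banner": banner}


def scan(host: str, ports) -> list:
    """Connect-scan each port in turn; results come back in the order given."""
    return [probe(host, p) for p in ports]


if __name__ == "__main__":
    target_port = start_fake_service(b"SSH-2.0-OpenSSH_7.9\r\n")
    for result in scan("127.0.0.1", [target_port, find_closed_port()]):
        print(result)
```

Two things a practitioner should notice. Services that wait for the client to speak first (HTTP, for one) give no banner to a silent connect; a real banner grab sends a protocol-appropriate probe before reading. And because a connect scan completes the handshake, the target's daemons and wrappers can log it, which is exactly the hook for catching reconnaissance that the next chapter relies on; nmap's half-open scans and decoy sources exist to avoid leaving that trace.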

Think I'm paranoid? Let me tell you a little story. I have, in my consulting career, done security analysis of corporate networks. My partner got us a job trying to break into a small company's network. They never met me. We spent a little time (the time it takes to run a traceroute to their Web site) identifying their ISP. I used my color printer to make a little ID badge with that ISP's logo on it. I laminated it at the public library. The next day I paid a visit to that company with a laptop over my shoulder. I showed my badge and said I needed to change some configurations on their router. I was taken to the closet where it was stored. I plugged my laptop into their backbone. The laptop was running a little C program that captures the first 1k of data on any socket connected to port 23 (the Telnet port). I fiddled a bit with their router, not changing anything. After about 10 minutes, I asked their network guy to have everyone log in to their main machine to test. Most people did. I thanked them and left.

A couple of days later my partner went back and threw down a list of user accounts and passwords. They were flabbergasted (actually, they may not have been, but I have always wanted to use the word flabbergasted in a book) and had no idea how my partner had done it.

Now, I will be the first to admit that this was some time ago, when people on average were much less sophisticated about network security than they are today. Also, this was a small company with light technical expertise. But the lesson still holds. Not all your risks are technological!
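Why the first kilobyte of a Telnet connection was enough in the story above, and what the passive-sniffing tools of Chapter 11 hand an attacker: Telnet carries the whole login exchange in the clear, so reconstructing credentials is just a matter of stripping the protocol's option negotiation and pairing prompts with keystrokes. The following is an added example written for this page, not the author's C program; the two byte strings standing in for the server-to-client and client-to-server halves of one captured session are constructed for the demo.

```python
"""Pull a login and password out of the first kilobyte of a captured telnet session.

Added example, not the author's C program. Telnet carries everything in the
clear, so a sniffer that keeps the first ~1k of each connection to port 23
has the whole login exchange. SERVER_TO_CLIENT and CLIENT_TO_SERVER below are
constructed for the demo.
"""
FIRST_KB = 1024

# Telnet protocol bytes (RFC 854): IAC introduces a command, SB/SE bracket a subnegotiation.
IAC, SB, SE = 255, 250, 240
NEGOTIATION = {251, 252, 253, 254}  # WILL, WONT, DO, DONT, each followed by one option byte

# Constructed capture: a Linux telnetd greeting, its prompts, and the client's keystrokes.
SERVER_TO_CLIENT = (
    b"\xff\xfd\x18\xff\xfd\x20\xff\xfb\x01"        # DO TERMINAL-TYPE, DO TSPEED, WILL ECHO
    b"\r\nDebian GNU/Linux 3.0\r\n\r\nlogin: "
    b"alice\r\n"                                    # the server echoes the username...
    b"Password: "                                   # ...but not the password
    b"\r\nLast login: Mon Mar  4 09:12:33\r\n$ "
)
CLIENT_TO_SERVER = (
    b"\xff\xfb\x18\xff\xfa\x18\x00VT100\xff\xf0"    # WILL TERMINAL-TYPE, SB TERMINAL-TYPE IS "VT100" SE
    b"\xff\xfd\x01"                                 # DO ECHO
    b"alice\r\n"
    b"s3cret!\r\n"
)


def strip_telnet_options(data: bytes) -> bytes:
    """Drop IAC command sequences so only the terminal text remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                                   # command truncated at end of capture
        elif data[i + 1] == IAC:                    # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif data[i + 1] in NEGOTIATION:            # IAC WILL/WONT/DO/DONT <option>
            i += 3
        elif data[i + 1] == SB:                     # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                       # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


def extract_credentials(server_to_client: bytes, client_to_server: bytes):
    """Pair the server's login/password prompts with the client's typed lines.

    Assumes the usual sequence: the server sends 'login:' and then 'Password:',
    and the client answers each with a line ended by CR LF (or CR NUL).
    Only the first kilobyte of each direction is considered, as in the story.
    Returns {"user": ..., "password": ...}, or None if both prompts are not seen.
    """
    server_text = strip_telnet_options(server_to_client[:FIRST_KB]).decode("latin-1")
    client_text = strip_telnet_options(client_to_server[:FIRST_KB]).decode("latin-1")

    prompts = []
    for label, needle in (("user", "login:"), ("password", "password:")):
        pos = server_text.lower().find(needle)
        if pos >= 0:
            prompts.append((pos, label))
    if len(prompts) != 2:
        return None
    prompts.sort()                                  # answers arrive in prompt order

    answers = client_text.replace("\r\x00", "\r\n").split("\r\n")
    return {label: answer for (_, label), answer in zip(prompts, answers)}


if __name__ == "__main__":
    print(extract_credentials(SERVER_TO_CLIENT, CLIENT_TO_SERVER))
```

To run this over a real capture you first reassemble each direction of the TCP stream (tcpflow, or Wireshark's Follow TCP Stream, does that); the parser then needs no timing information because the login prompts and the answers fall in the same order in their respective halves. The fix for this class of exposure is not a cleverer detector but not sending credentials in the clear at all: ssh in place of telnet, and switched or encrypted segments so a visitor with a laptop in the wiring closet sees nothing worth keeping.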

Compromise

After reconnaissance comes the compromise phase. At this point the attacker knows specific information about your network and the systems on it and has selected one or more known vulnerabilities in them. The attacker now exploits those weaknesses to compromise one or more accounts on the system.

Obfuscation

The next phase is obfuscation. Here the attacker tries to eliminate all evidence of the intrusion, typically by removing or editing the log entries and shell histories that record it.

Entrenchment

The next phase is entrenchment. Here the attacker both enlarges the set of compromised accounts and systems and creates additional ways back in, to be used if the initial routes are found and blocked.

At this point you are pretty much done for. Your only chance to get the attacker out and keep them out is to disconnect from the Net, wipe all the machines, and install from scratch, being sure this time to apply all of those annoying security updates from your vendors.

Obviously, the earlier you can detect and head off an attack, the better. Once the entrenchment phase has been reached, it is very difficult to get the intruders out, because they generally have all the power your system administrators have, and have probably compromised multiple systems in multiple ways. The only certain way to get rid of them is to disconnect from the outside world and start from scratch, loading everything off read-only media. Even this is problematic if you have data and code you must restore from backups. Unless you know exactly when the compromise occurred and have a backup made before that date that has not been mounted since, you have no trustworthy copy of that code or data. This chapter and the next are about preventing this dilemma. This chapter covers detecting compromise. The next covers a better place to stop them: during reconnaissance.

 



Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
Year: 2002
Pages: 257