Your Network Under Fire: Common Attacks


If all you had to worry about were virus and Trojan horse programs, life would be so much simpler. Just deploy a good antivirus application and monitor the alerts or log files the application produces. When a virus does creep into your network, use the appropriate software to remove it. In some situations in which time is of the essence and you don't have time to wait for a vendor to come up with a fix for a newly discovered virus, you can reconstruct the server by either re-creating it on another system or restoring data from backups. You also can reformat the hard disk of the infected system and reinstall your operating system and applications.

However, after the Internet becomes an important part of your business's bottom line, there are other potential problems you need to worry about in addition to virus and Trojan horse programs.

Denial-of-Service Attacks

A denial-of-service attack is characterized by the goal of the attack. The attack's purpose is to cripple routers, servers, or other computers by consuming resources at a pace that makes them effectively unavailable for the ordinary user to perform required functions.

A denial-of-service attack can use different common methods to accomplish its purpose. For example, flooding a server or network with a huge amount of network traffic results in a slow response for all nodes connected to the network. When bogus packets (usually created by an application designed specifically to produce large numbers of packets) are coming into a network or server at a very fast rate, ordinary users will have a hard time getting their legitimate network packets delivered. Indeed, if a router becomes overwhelmed with enough traffic, it might simply start dropping packets because it cannot keep up with the pace. Another method commonly used is to send malformed packets that can cause problems such as buffer overruns and take advantage of other shortcomings in the operating system of the router or server.

Other resources can be targets also. For example, a Trojan horse program can be designed to do nothing except consume CPU cycles as fast as possible when it is activated. Thus, other programs running on the server will slow to a crawl, or possibly not function, if they cannot obtain CPU cycles. Most operating systems allow for the concept of prioritizing certain processes. For example, the operating system itself must have access to the CPU and can interrupt a user process when needed because the operating-system component runs at a higher priority than an ordinary user process. If a destructive program has been planted in your network, and if your password file has been decrypted, it's easy to run a process at a high priority by using an administrative account that has the necessary privileges.

Another method of denying access to resources can take the form of changing configuration information so that the resource will not function properly. Changing router table information, for example, can make sites unreachable. Changing user account information can make it impossible for users to log on to a server. Changing configuration files (or Registry key values, in the case of an operating system such as Windows 2000/2003) can render applications or services unavailable.

Distributed Denial-of-Service Attacks

In the preceding section we talked about denial-of-service attacks. When you have to worry about only one computer trying to overload your system, you can usually block the particular incoming address at the router and then start the process of tracking down the criminal who has damaged your network.

But what do you do if you suddenly find yourself under attack by not one computer but several hundred or several thousand computers? This sort of attack is known as a distributed denial-of-service attack because the "attackers" are multiple computers that can be coming at you from anywhere on the Internet. This is almost the worst thing that can happen to your network from the Internet.

Several years ago a program called Trin00 was developed, and it has been followed by newer versions, such as the Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K). These are not the only tools that can be used for a distributed denial-of-service attack, but they have been used many times to cause problems on the Internet.

As you can see in Figure 48.1, a distributed denial-of-service attack is an organized attack that uses a central controlling computer to direct other computers to perform the actual attack on your network.

Figure 48.1. A distributed denial-of-service attack can overwhelm your network by using hundreds, if not thousands, of computers to simultaneously launch an attack.


In Figure 48.1 you can see that setting up this sort of attack is not necessarily an easy thing to do. Several steps are involved:

  1. The perpetrator first infiltrates other innocent, unprotected computers and plants a program on them to be used later.

  2. To make it difficult to track down the source of the original machine that sets off the attack, these infected computers are usually organized into a hierarchy. In Figure 48.1 you can see that a single attacker plants a "handler" program on some of the computers that have been infiltrated and "agent" programs on others.

  3. The attacker sends a command to the handlers, who in turn send a command to the computers that actually perform the attack on your network.

  4. You suffer! And, of course, you stay up all night with your staff trying to remedy the situation.

The reason this type of attack is becoming more prevalent is that more and more people are connecting to the Internet: home users as well as businesses. In a business network, you take precautions to secure your computers. Home users rarely secure their computers, not because they're stupid but because they simply are not aware that dialing up to an Internet connection exposes their computers to intrusion from anywhere in the world. With broadband connections such as cable and DSL modems providing an "always online" connection, innocent home computer users might have no idea that while they are peacefully sleeping, some hacker is downloading a program to their computer that's still online.

As you can see, no matter what you do to secure the servers and workstations inside your network, there's nothing you can do about the millions of home users who are connected to the Internet with no firewall protection. It's really a horrifying thing to consider that innocent users connected to the Internet can be unwilling participants in an attack on your network!

Another factor that makes this type of attack so deadly is that the attacker doesn't have to be in any hurry. I can only assume that someone who would perform this attack is doing it for some sick form of pleasure. The hacker can spend hours, weeks, or even months breaking into unprotected computers and planting the seeds of destruction that will be activated later.

SYN Flooding

As you may recall, the SYN (synchronization) bit is used during the initial setup of a TCP/IP connection. It's part of the three-way handshake. When a computer receives a request to open a new TCP session, the initial packet has the SYN bit set. The computer receiving this packet will set aside buffers in memory and create data structures that will be used to manage the TCP session. However, computers are limited in memory and can handle only so many sessions simultaneously.

The SYN-flooding attack just sends the first SYN packet that is intended to begin the setup of a TCP connection. The perpetrator ignores the responses received from the server, leaving half-open connections on the server that is under attack. The SYN-flooding attack sends a constant stream of packets with the SYN bit set. The targeted computer creates the necessary data structures in memory until finally it runs out. Again, the behavior of the computer will depend on the operating system. It might crash, it might hang, or it might simply just slow down and try to keep handling the incoming packets. Even if the system continues to run, the odds of a legitimate user being able to establish a TCP connection become almost impossible. The server is overwhelmed by these half-open connections it is trying to create at a rapid rate.

Whatever the target computer does, however, there will come a point where no memory is available to run user programs or even to run the operating system itself efficiently.

Note

SYN flooding is but one of the many denial-of-service attacks that can consume resources on your servers. This type of attack does not have to come from a single computer, however. As you will learn elsewhere in this chapter, a distributed denial-of-service attack can be set up by infiltrating a large number of unprotected computers and then triggering them to start SYN flooding, or using other attack methods, against a single site.

The best defense against this sort of attack is to have a good firewall in place that can detect an odd stream of SYN packets coming in at a rapid rate and simply discard them. In addition, newer versions of most operating systems have been patched or modified to detect this rapid incoming flood of SYN packets and alert the administrator.

ICMP Redirects

The Internet Control Message Protocol (ICMP) is used for many purposes, but one important function is to send a message to a router (or a server acting as a router) to tell the router to change entries in the routing table. Once again, if your router doesn't have the correct routing information, it won't be able to deliver network packets. ICMP redirects were created with the best of intentions. Suppose, for example, in Figure 48.2, that Router A sends a packet to Router B as the first hop the packet needs to take to eventually get to Router Z. If Router B knows there is a more direct route (using Router D), it uses an ICMP redirect to tell Router A the more efficient route.

Figure 48.2. An ICMP redirect message is used to tell a router of a better path to use.


This can happen under many different circumstances. In the simple example shown in Figure 48.2, it's possible that Router A has just been brought back online and knows about Router B, but hasn't yet updated its table to include Router D. In this situation, Router B, which has been up and running for some time, knows of the more direct path, so it sends the ICMP redirect message to Router A telling it to update its routing table.

ICMP is covered in Chapter 25, "Overview of the TCP/IP Protocol Suite."


Unfortunately, it's easy to download tools from the Internet that can be used to generate ICMP packets, and this can be used against you to wreak havoc on your routing tables. For this reason, many administrators use filtering rules on routers that connect to external networks to drop any incoming ICMP redirect packets. ICMP redirect messages can be very useful within your network, but you shouldn't trust this information from routers that are not under your control.

The Ping of Death

Almost anyone who has ever dealt with networks has heard of this famous method of attack. The Ping of Death is basically a method of crashing your system by sending a packet that is excessive in size. The ping program is an extremely useful tool and is one of the first tools you should use when trying to determine whether connectivity exists between two machines. However, to sum up the information here, the ping utility sends a small packet (typically 64 bytes in size) to a remote IP address. The packet is an ICMP ECHO packet. The server that receives this packet normally responds with an ICMP REPLY packet. This simple exchange of packets proves that, although you might be having other problems communicating with the remote machine, the network path between the two systems does exist and is working.

However (keeping in mind that TCP/IP was not originally designed with security as a main issue), once again mean people found a way to exploit this utility by simply modifying the ping program to send extremely large packets (say, 65,536 bytes). Most networks won't transmit a packet this large as a single unit. For example, most Ethernet packets range up to around 1,500 bytes. However, larger packets can be sent, using a process in which the original packet is fragmented into smaller packets that can pass through the network devices that connect one computer to another. When packets get fragmented, the receiving end usually stores the information as the fragments come in, and when the last fragment arrives, the data is reassembled into the original packet size.

Operating systems typically use registers or set aside memory locations that are sized according to their expected use. If the receiving system knows that it's illegal to create a packet in excess of a certain size, the variable that is set aside (and the buffer space to store the packet) can't hold a number larger than it was created to hold. For example, a single byte (8 bits) can be used in binary to store a number of up to 255. The Ping of Death takes advantage of this by sending a packet (fragmented into manageable chunks) to the target system. When the target system attempts to reassemble the packet, lots of things can happen, depending on the operating system. If a variable overflows (that is, it's not large enough to hold the size of the packet that's being reassembled) or if the buffer space set aside for the packet is not large enough to hold the entire reassembled packet, it is possible for the incoming packet data to cross the buffer boundary and write over other important data.

When this happens, the behavior of the operating system is hard to predict. What area of memory was overwritten? What happens when the variable that stores the size of the packet can't hold the value that the local component of the ping program is trying to store there? Well, usually the computer will hang, crash, or behave in some other undesirable way.

Users have known about this attack method for several years, and most operating systems have been fortified to prevent this attack from succeeding. However, there are still legacy systems (Windows 95, older versions of Unix, and so on) out there performing useful functions. Older systems are extremely vulnerable to this type of attack.

If you are worried about the Ping of Death, check with your vendor to determine whether any patches or firmware upgrades are available to remedy this problem.
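The fix the patched operating systems applied is to check each fragment's position and length against the protocol's 65,535-byte limit before copying it into the reassembly buffer, rather than discovering the overflow after the last piece arrives. As an added Python example (not the book's code), the reassembler below performs that check over constructed fragments: an ordinary two-piece echo request is rebuilt, while a final fragment at the maximum offset whose length pushes the datagram past the limit is rejected. The 20-byte IP header and the sample fragments are assumptions.

```python
from dataclasses import dataclass

IP_HEADER_LEN = 20                       # assumed: no IP options
MAX_PAYLOAD = 65535 - IP_HEADER_LEN      # 16-bit total-length field minus header
FRAG_UNIT = 8                            # fragment offset is counted in 8-byte units


@dataclass(frozen=True)
class Fragment:
    ident: int       # IP identification; shared by every piece of one datagram
    offset: int      # fragment offset field (13 bits, units of 8 bytes)
    more: bool       # MF (more fragments) flag
    payload: bytes


class ReassemblyError(ValueError):
    pass


def check_bounds(frag):
    """Return the byte index just past this fragment, or raise if it would
    land outside the largest datagram the protocol allows."""
    end = frag.offset * FRAG_UNIT + len(frag.payload)
    if end > MAX_PAYLOAD:
        raise ReassemblyError(
            f"id={frag.ident}: fragment ends at byte {end}, limit is {MAX_PAYLOAD}")
    if frag.more and len(frag.payload) % FRAG_UNIT:
        raise ReassemblyError(f"id={frag.ident}: non-final fragment not 8-byte aligned")
    return end


def reassemble(fragments):
    """Rebuild one datagram's payload. The fixed-size buffer stands in for the
    kernel's; every fragment is bounds-checked before it is copied in.
    Overlapping fragments are not handled here (a separate problem)."""
    buf = bytearray(MAX_PAYLOAD)
    total, received = None, 0
    for frag in fragments:
        end = check_bounds(frag)
        buf[frag.offset * FRAG_UNIT:end] = frag.payload
        received += len(frag.payload)
        if not frag.more:
            total = end
    if total is None or received != total:
        raise ReassemblyError("datagram incomplete")
    return bytes(buf[:total])


def rejected(fragments):
    """True if the reassembler refuses this fragment set."""
    try:
        reassemble(fragments)
        return False
    except ReassemblyError:
        return True


# Constructed samples (not captured traffic).
# 1. A 2,000-byte echo request split at a 1,500-byte Ethernet MTU: 1,480 data
#    bytes (a multiple of 8) in the first piece, the remaining 520 in the second.
ECHO_DATA = bytes(range(256)) * 7 + bytes(208)
LEGIT = [Fragment(1, 0, True, ECHO_DATA[:1480]),
         Fragment(1, 1480 // FRAG_UNIT, False, ECHO_DATA[1480:])]
# 2. The Ping of Death shape: a final fragment at the maximum offset
#    (8191 * 8 = 65,528) whose payload carries the datagram past 65,535 bytes.
OVERSIZE = [Fragment(2, 0, True, bytes(8)),
            Fragment(2, 8191, False, bytes(16))]

if __name__ == "__main__":
    print(len(reassemble(LEGIT)))    # 2000
    print(rejected(OVERSIZE))        # True
```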

Forged Email

Email is probably the most popular application used on the Internet. All people can have an email account, whether or not they have a computer at home. You can sign up for email accounts at several sites, such as Microsoft's Hotmail or Yahoo's email service, and use a computer at your school, at a library, or even at work to access the account.

Email messages, like Trojan horse programs, aren't always what they seem to be. Just because the FROM line contains the name of someone you know doesn't mean that the email actually came from that person. It's a simple matter when configuring an email account to use any name you want. And with the online email services that don't require you to use an email client (these services typically use an HTML interface, a Web browser), it can be difficult to determine where an email actually originated.

There are even programs freely available on the Net that allow you to create bogus email messages that appear perfectly normal in all respects. Although any intelligent person would probably not, in this day and age, open an email attachment from someone they do not know, they most likely would open an attachment from a friend. After all, if you can't trust your friends...

The problem is that email is easily forged and can be used to get a program into your network. As a rule, delete spam and other email from sources you don't recognize.

One of the more insidious things that can be done through email has occurred with alarming frequency in recent years. Worm viruses spread through email can read your address book, replicate themselves by mailing a copy of the virus code to everyone in your address book, and then start wreaking havoc on your system! About the only thing you can do in this situation is to disconnect the computer (or computers) from the network and clean out the mail store with a good virus program. If you have a mail server in your network, disconnect it and do the same. Until you've assured yourself that every computer in your network is free of such worm viruses, don't reconnect to the Internet, or any other part of your corporate network.

Password Protection and SecurID and Smart Cards

Passwords and usernames have been the traditional method for authenticating a user to a computer operating system. There are much better methods you can use for environments that demand a high degree of security, such as smart cards and SecurID cards.

Smart card devices are synchronized with software that runs on the host computer. To log on, the user simply consults the password code, which changes at regular intervals, generated by the smart card. Because the application on the host computer is operating to change the account password using the same algorithm as the smart card, a user's account password can be different every time she logs in. As long as the smart card and the application on the computer are kept in sync, it becomes very improbable for someone to "steal" your password. And most smart cards have passwords that can be used only one time. This means that even if someone happens to glance at the current password on your smart card, after you've used the password to log in, it can't be reused and abused.

SecurID cards are based on digital certificates and require the user to enter a PIN for their use.

Network Back Doors

One of the best reasons I can think of for not allowing noncommercial shareware on a network is that if you can't trust the vendor, you can't trust the application. There are literally thousands of useful programs you can download from the Internet that can be used productively on a network. However, isn't it better to simply purchase a commercial product from a reliable, known vendor who has a good technical support staff?

A back door into a network can be an application that was downloaded by an innocent user who is unaware that the program, in addition to doing what it says it does, also does other things, such as mailing out your user authorization files to some other computer on the Internet.

Shareware programs are not the only method used to create a back door into your network or host computer. Once again, you must consider the amount of trust you have in your users and use good judgment when granting privileges and access permissions to users. Delegating authority to others to make management easier is a great concept. Delegating these privileges to an unhappy employee is not a good idea. The problem is that it's not always easy to tell a happy employee from one who is not. Suppose you have a technician who performs router maintenance activities. You have to trust that the employee is correctly programming the access control lists and other items on the routers.

However, there is an easy solution to this type of problem. Delegate the ability to manage the routers in your network to more than one person and establish a process of regularly reviewing router configurations. Trust no one! But maybe you can trust several people!

TCP/IP and UDP Ports

Ports are used along with an IP address to create a "socket" that uniquely identifies an end point in an IP connection. Whereas the IP address provides a unique identifier for the host computer, the port identifies the specific application for which the connection is to be used. When configuring routers, proxy servers, and other similar devices, use this simple rule: Disable all ports, and then enable only those you actually need to use. In most cases it's easy to disable a port in one direction or in both directions. That is, you can restrict incoming or outgoing network traffic by port. That's why you need to turn off all ports except the ones you specifically use. You don't just lock one door in your house, do you? You lock them all. Even if a particular door is rarely used, it should be locked because you never know when someone is going to try to enter. This analogy holds true for TCP and UDP port numbers.

Using Modems in a Secure Manner

One reason you need a modem on a computer in your network today is to provide remote access capabilities for users who work from remote locations and need access to the corporate network. Allowing individual employees to have a modem on their desktop computer is just asking for trouble. Instead, use a separate server to set up a remote access service, using a reasonable number of modems to satisfy the needs of your remote clients. Remote access servers are typically very configurable; that is, you can provide additional authentication mechanisms, such as callback. With most operating systems, you also can grant dial-in access only to those users who need it. Finally, regularly review any log files created by remote access server modem banks to be sure that you have indeed configured the server correctly and that no unknown users are getting in.

Another solution for remote users is to use Virtual Private Networking (VPN) services. Windows 2000 Advanced Server and Windows 2003 Servers can be set up to allow users to create an encrypted communication tunnel through the Internet. Many routers also provide this functionality. The days of the modem are numbered. Home users in the near future will most likely demand broadband access, using cable or DSL modems rather than the typical modem that connects to the public switched-telephone network.

In Chapter 16, "Dedicated Connections," you can find out more about using a digital connection instead of an analog modem for remote users.




Upgrading and Repairing Networks (5th Edition)
ISBN: 078973530X
Year: 2003
Pages: 434