Network Encroachment Methodologies
There are a number of methods that persons wishing to circumvent your network security can use in order to gain access to information. In order to protect against them, it's important for you to understand what each is, how they work, and the threats that they present for your network. While not comprehensive, here is a list of some of the more common methods used by intruders and attackers:
- Password Compromise
- Denial of Service Attacks
- Man in the Middle Attacks
- Application Level Attacks
- Key Compromise
Most data sent over the network is in "cleartext" (a.k.a. "plaintext") - that is, it's not encrypted to protect its confidentiality. That means anyone with a network "sniffer" (such as Network Monitor 3.x or 3rd party programs such as Wireshark) can easily read these clear text messages as they traverse the network.
Some server applications that maintain their own usernames and password lists allow for the logon information to cross the network in clear text format. The network snooper, using easily accessible sniffing programs, can plug into an available port in a hub or switch and access this information. As a matter of fact, most data is passed over the network via clear text, making it easy for the snooper to access information. Such information might include sensitive data such as credit card numbers, social security numbers, contents of personal email messages, and proprietary corporate secrets. The obvious solution to this problem is to encrypt data as it traverses the network, using technologies such as IPsec or SSL.
The source and destination IP addresses are a prerequisite for establishing sessions between computers on a TCP/IP based network. The act of IP "spoofing" involves falsely assuming the identity of a legitimate host computer on the network in order to gain access to computers on the internal network. Another term for spoofing is "impersonation". The intruder is "impersonating" a computer with a legitimate IP address.
To protect against IP spoofing in general, you can use IPsec for communications between machines on your network, use access control lists (ACLs) to block private IP addresses on the downstream interface, filter both inbound and outbound traffic and configure your routers and switches to block traffic that originates outside the LAN with addresses indicating they originated inside. You can also enable encryption on the router so outside computers that you trust can communicate with your internal computers.
TCP/IP Sequence Number Attack
A common spoofing-based attack is the "TCP/IP sequence number attack". The Transmission Control Protocol (TCP) is responsible for the reliability of communications on a TCP/IP-based network. This includes acknowledgment of information sent to the destination host. In order to track bytes sent over the network, each segment is given a "sequence number". A sophisticated attacker can establish the sequencing pattern between two computers because the sequence pattern is not random.
First, the attacker must gain access to the network. After gaining access to the network he will connect to a server and analyze the sequence pattern between it and a legitimate host it is communicating with at the time. The TCP/IP Sequence Number Attacker then will attempt a connection to the server by spoofing (falsely assuming) a legitimate host's IP address. In order to prevent the legitimate host from responding, the spoofer will start a "denial of service attack" (discussed later) on the legitimate host.
Since the legitimate host cannot respond, the spoofer will wait for the server to send its reply and then he will respond with the correct sequence number. The server now believes that the spoofing computer is the legitimate host, and the spoofer now can begin data transfer.
For information about how to defend against TCP/IP sequence number attacks, see RFC 1948.
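The defence RFC 1948 describes is to stop choosing initial sequence numbers from a shared, predictable clock and instead add a keyed hash of the connection's addresses and ports. The following added example (not code from the original article) contrasts the classic clock-only scheme with an RFC 1948-style generator; the secret value and the 250,000-per-second clock rate are the constructed assumptions.

```python
import hashlib
import hmac
import time

# RFC 1948 recommends a random secret chosen once per boot; constructed here.
_SECRET = b"constructed-per-boot-secret"
CLOCK_RATE = 250000  # classic 4.4BSD ISN clock: +250000 per second

def classic_isn(now=None):
    """Clock-only ISN: every connection shares one counter, so whoever sees
    the ISN of their own connection knows roughly what the next peer gets."""
    if now is None:
        now = time.time()
    return int(now * CLOCK_RATE) & 0xFFFFFFFF

def rfc1948_isn(local_ip, local_port, remote_ip, remote_port,
                now=None, secret=_SECRET):
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret).

    M is still the clock, so one connection tuple's ISN keeps advancing
    as before, but F is a keyed hash: a different tuple (for example a
    spoofed source address) lands at an unrelated offset that cannot be
    derived from an ISN observed on another connection.
    """
    if now is None:
        now = time.time()
    m = int(now * CLOCK_RATE) & 0xFFFFFFFF
    conn = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hmac.new(secret, conn, hashlib.sha256).digest()[:4], "big")
    return (m + f) & 0xFFFFFFFF
```

With the classic scheme two different peers connecting at the same instant receive the same ISN; with the keyed scheme they receive unrelated values while each peer's own ISN still advances with the clock.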
Password Compromise
A user who has illegitimate access to network passwords is able to access resources they are not otherwise able to access. There are a number of ways an attacker can gain knowledge of passwords.
The attacker contacts an individual using an assumed identity. He then makes a request for a password from an individual that has access rights to the information of interest.
Many network applications allow the username and password to cross the network in clear text. The attacker can use a network sniffer application to intercept this information.
The "cracker" uses a number of different techniques to "guess" the password by trying all possible combinations until he hits upon the right one. Examples of cracking techniques include dictionary attacks and brute force attacks.
If an administrator password is compromised, the attacker will then have access to all resources on the network that are protected with access controls. The intruder now has access to the entire user account database. With this information he can access all files and folders, change routing information, and alter information unbeknownst to the users that depend on that information.
Defending against password compromise involves a multi-faceted strategy. Educate users about social engineering and make rules regarding safeguarding of passwords. Set policies enforcing password complexity and length requirements. Require users to change passwords regularly. Implement multi-factor authentication so that an attacker will need more than just a password to gain access.
Denial of Service Attacks
There are a number of different types of Denial of Service attacks. All of these techniques have in common the ability to disrupt normal computer or operating system functioning on the targeted machine. These attacks can flood the network with useless packets, corrupt or exhaust memory resources, or exploit a weakness in a network application. A Distributed Denial of Service (DDoS) attack originates from multiple machines (for example, botnets comprised of dozens, hundreds or even thousands of "zombie" computers in disparate geographic areas).
Examples of traditional Denial of Service attacks that have been around for many years include:
- TCP SYN Attack
- SMURF Attack
- Teardrop Attack
- Ping of Death
TCP SYN Attack
When computers on a TCP/IP based network establish a session, they go through the "three-way handshake" process. This three-step handshake includes:
- The originating client sends a packet with the SYN flag set to "ON". This host includes a sequence number in the packet. The server will use this sequence number in the next step.
- The server will return a packet to the originating host with its SYN flag set to "ON". This packet acknowledges the requesting computer's sequence number incremented by "1".
- The client will respond to this request with a packet that acknowledges the server's sequence number by incrementing it by "1".
Whenever a host requests a session with a server, the pair will go through the three way handshake process. The attacker can take advantage of this process by initiating multiple session requests that originate from bogus source IP addresses. The server keeps each open request in a queue as it is waiting for step 3 to occur. Entries into the queue are typically emptied every 60 seconds.
If the attacker is able to keep the queue filled, then legitimate connection requests will be denied. Hence, service is denied to legitimate users of email, web, ftp, and other IP related services.
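A simple way to spot the condition described above from the server side is to track, per destination, which SYNs were never followed by the client's final ACK and to age entries out of that table the way the server's queue does. The following added example (not code from the original article) runs that check over a few constructed connection-log lines; the log format, the 60-second window and the threshold are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (SYN|ACK) src=(\S+) dst=(\S+)$")

def parse(line):
    """Parse one constructed log line into (timestamp, kind, src, dst)."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
    return ts, m.group(2), m.group(3), m.group(4)

def half_open_counts(lines, window_seconds=60):
    """Return {dst: number of SYNs still waiting for the client's final ACK}.

    Mirrors the pending-connection queue: an entry opens on SYN, closes on
    the matching ACK, and otherwise ages out after window_seconds."""
    pending = {}  # (src, dst) -> time the SYN arrived
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, kind, src, dst = rec
        for key, t0 in list(pending.items()):   # age out old half-open entries
            if ts - t0 > timedelta(seconds=window_seconds):
                del pending[key]
        if kind == "SYN":
            pending[(src, dst)] = ts
        else:
            pending.pop((src, dst), None)      # handshake completed
    counts = defaultdict(int)
    for (_src, dst) in pending:
        counts[dst] += 1
    return dict(counts)

def flag_syn_flood(lines, threshold=5, window_seconds=60):
    """Destinations whose half-open queue is at or above the threshold."""
    return {d: n for d, n in half_open_counts(lines, window_seconds).items() if n >= threshold}

# Constructed sample: one normal mail client, one normal web client, and six
# SYNs from different (spoofed) sources to the web server that never finish.
SAMPLE_LOG = [
    "2024-03-01T10:00:00Z SYN src=10.0.0.5:51000 dst=192.0.2.11:25",
    "2024-03-01T10:00:00Z ACK src=10.0.0.5:51000 dst=192.0.2.11:25",
] + [f"2024-03-01T10:00:01Z SYN src=203.0.113.{i}:{1000 + i} dst=192.0.2.10:80"
     for i in range(1, 7)] + [
    "2024-03-01T10:00:02Z SYN src=10.0.0.7:52000 dst=192.0.2.10:80",
    "2024-03-01T10:00:02Z ACK src=10.0.0.7:52000 dst=192.0.2.10:80",
]
```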
Ping of Death
The Ping of Death exploits features of the Internet Control Message Protocol (ICMP) and the Maximum Transmission Unit (MTU) sizes of various network architectures. The Ping command issues an ICMP Echo Request and is returned an ICMP Echo Reply by the destination host. The MTU defines the maximum size of a unit for a defined network architecture, which varies with the media type.
If the size of a packet is larger than the MTU, the packet will be fragmented and then reassembled at the destination. It is possible to send a packet with more than the legal number of octets. When packets are fragmented, an "offset" value is included with the packet. This offset value is used to reassemble fragments at their destination. The attacker could include with the last fragment a legal offset and a larger packet size. This will exceed the legal number of octets in the data portion of the ICMP Echo request. When reassembly is attempted, the destination computer might respond by rebooting or crashing.
SMURF Attack
The SMURF attack attempts to disable the network by flooding it with ICMP Echo Requests and Echo Replies. The attacker will spoof a source IP address and then issue an ICMP Echo Request to a broadcast address. This will cause all the machines on a segment to reply to the bogus request. If the attacker can maintain this attack for an extended period of time, no useful information can be passed through the network because of the flood of ICMP Echo Request and Reply messages traversing the wire.
Teardrop Attack
The teardrop attack is executed using a program, such as teardrop.c, which causes fragmentation similar to that seen in the Ping of Death attack. It takes advantage of a weakness in the reassembly process and can cause a system to hang or crash.
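Both the Ping of Death and the teardrop attack succeed only if the receiver reassembles fragments without checking them first. The following added example (not code from the original article) shows the two checks a reassembler needs: that offset plus length never exceeds the 65,535-octet datagram limit, and that no fragment overlaps data already received. A 20-byte IP header without options is assumed.

```python
IP_MAX_DATAGRAM = 65535   # largest total length an IPv4 datagram may declare
IP_HEADER_LEN = 20        # header without options (assumed for this example)
MAX_PAYLOAD = IP_MAX_DATAGRAM - IP_HEADER_LEN

class Fragment:
    """One IP fragment; offset_units is the header's value in 8-octet units."""
    def __init__(self, offset_units, more_fragments, payload):
        self.offset = offset_units * 8
        self.mf = more_fragments
        self.payload = payload

def why_drop(frag, accepted):
    """Return a reason to discard the fragment, or None if it is acceptable."""
    end = frag.offset + len(frag.payload)
    if end > MAX_PAYLOAD:
        return "offset plus length exceeds the maximum datagram size"
    if frag.mf and len(frag.payload) % 8:
        return "non-final fragment is not a multiple of 8 octets"
    for a in accepted:  # reject any overlap instead of trusting the offsets
        if frag.offset < a.offset + len(a.payload) and a.offset < end:
            return "fragment overlaps data already received"
    return None

def reassemble(fragments):
    """Validate every fragment, then join them in offset order.

    Raises ValueError when a fragment is unsafe or the set is incomplete;
    fragments may arrive in any order."""
    accepted = []
    for f in fragments:
        reason = why_drop(f, accepted)
        if reason:
            raise ValueError(reason)
        accepted.append(f)
    accepted.sort(key=lambda f: f.offset)
    buf = bytearray()
    for f in accepted:
        if f.offset != len(buf):
            raise ValueError("gap in fragment sequence")
        buf += f.payload
    if not accepted or accepted[-1].mf:
        raise ValueError("final fragment missing")
    return bytes(buf)
```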
Protecting against DoS and DDoS attacks
Protection against DoS and DDoS attacks should take a multi-layered approach. Firewalls can protect the network against simple flooding attacks. SYN floods can be prevented by using switches and routers that provide for traffic shaping, delayed binding (TCP splicing) and deep packet inspection. Intrusion Prevention Systems (IPS) can block some forms of DoS/DDoS attacks. There are also products made specifically to defend against DoS. These are called DoS Defense Systems or DDS.
Man in the Middle Attacks
A "Man in the Middle" attack is a situation when two parties believe that they are communicating only with each other, but in fact have an intermediary silently listening in on the communication. The Man in the Middle can intercede into the conversation by impersonating the identity of either the sender or receiver. During the attacker's intercession, he can alter or destroy messages during transit.
By using a network sniffer, the attacker can record and save messages for later use. This can allow the intruder to issue a subsequent replay attack. The "man in the middle", having recorded aspects of a conversation, can replay this information in order to get around network authentication mechanisms in the future. This is known as a "replay attack".
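A recorded message is only useful later if the receiver cannot tell a copy from the original. The following added example (not code from the original article) shows the usual defence: the sender binds each message to a fresh nonce and a timestamp under a shared HMAC key, and the receiver rejects anything tampered with, too old, or carrying a nonce it has already accepted. The shared key, the 30-second window and the JSON message layout are assumptions for the example.

```python
import hashlib
import hmac
import json
import os
import time

def make_message(key, payload, now=None):
    """Sender: bind the payload to a fresh nonce and a timestamp, then MAC it."""
    body = json.dumps({"payload": payload, "nonce": os.urandom(16).hex(),
                       "ts": int(now if now is not None else time.time())},
                      sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag

class ReplayGuard:
    """Receiver: reject messages that are tampered with, stale, or seen before."""
    def __init__(self, key, max_age=30):
        self.key = key
        self.max_age = max_age
        self.seen = {}  # nonce -> timestamp; pruned once the timestamp is stale

    def accept(self, body, tag, now=None):
        now = int(now if now is not None else time.time())
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"          # altered in transit or forged
        msg = json.loads(body)
        if abs(now - msg["ts"]) > self.max_age:
            return False, "stale timestamp"  # recorded earlier, replayed now
        # nonces whose timestamp is already stale can never be accepted again,
        # so forgetting them keeps the table bounded
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_age}
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"   # an exact copy inside the window
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"
```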
MITM attacks are often web-based, with the man in the middle intercepting communications between a client (browser) and the web server. Web-based MITM attacks can be prevented by using the latest versions of web browsers, which have built-in protective mechanisms, and by communicating on sites that use Extended Validation (EV) SSL certificates. Two-factor authentication should be used for sensitive communications; however, this won't completely protect against MITM because the MITM just waits for the user to authenticate with the smart card or token and is then authenticated as well and can initiate new transactions. Out-of-band authentication is the best protection, but expensive and involves high overhead.
Application Directed Attacks
Application oriented attacks seek to take advantage of weaknesses inherent in certain network applications. By exploiting weaknesses in these network applications, an intruder can:
- Corrupt or alter important operating system files
- Change the content of data files
- Cause the network application or the entire operating system to operate abnormally, or even "crash"
- Disrupt normal security and access controls maintained by the application or operating system
- Plant a program or programs that can return information back to the attacker. The infamous "Back Orifice" is an example of such an application.
These application level attacks provide the most fertile ground for the would-be intruder. Many network applications have not completed the degree of security assessment and testing that is required to optimize their immunity to attacks aimed against them.
Protecting against application level attacks is difficult because the vulnerabilities differ from one application to another. A general "defense in depth" approach to security, plus awareness of known vulnerabilities is the first step.
Compromised Key Attacks
A key is a number, or "cipher", that can be used to either verify the integrity of a communication or encrypt the contents of a communication. There are different types of keys. One type of key is known as a "shared secret." A sending computer will encrypt the contents of a message using the secret key, and the receiving computer will decrypt the message with the same secret key. Using this "shared secret", two computers can communicate in private.
Another type of "secret" key is the "private key". The "private" key can be used to confirm the identity of the sender. This is known as "signing" a message. When a recipient receives a message signed by someone's private key, he can be confident that the person who claims to have sent the message is indeed that person.
If an attacker somehow gains access to these keys, he can then communicate with an "assumed identity" by using someone else's private key. If he gains access to a "shared secret key", he can then decrypt messages that have been encrypted by that key.
When secret keys no longer remain secret, they are known as "compromised". After they are compromised they can no longer be used to secure identities and information. Discovering that a key has been compromised is often a difficult endeavor. Often the only way a compromised key is discovered is after some vital piece of information is found to be no longer secret, as you might see in cases of corporate espionage.
One measure for mitigating the damage that can be done by a compromised key is to require multiple keys for signature production, so that if a single key is compromised, it is not enough to successfully forge a signature. For more techniques that can be used against undetected key compromise, see this paper.
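The multiple-key measure above can be illustrated with a small threshold check. The following added example (not code from the original article) produces one tag per signing key and accepts a message only when tags from at least a required number of distinct keys verify, so a message "signed" with a single compromised key is rejected. The three named keys, the two-of-three rule and the use of HMAC in place of a public-key signature are constructed assumptions.

```python
import hashlib
import hmac

def sign(message, keys):
    """Produce one tag per signing key: {key_id: tag}."""
    return {kid: hmac.new(k, message, hashlib.sha256).hexdigest()
            for kid, k in keys.items()}

def verify(message, tags, keys, required):
    """Accept only if tags from at least `required` distinct known keys verify.

    Tags for unknown key ids are ignored; a wrong tag counts as absent."""
    valid = 0
    for kid, key in keys.items():
        tag = tags.get(kid)
        if tag is None:
            continue
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, tag):
            valid += 1
    return valid >= required

# Constructed signer set: releases need any two of the three keys.
KEYS = {"ops": b"constructed-key-ops", "dev": b"constructed-key-dev",
        "audit": b"constructed-key-audit"}
REQUIRED = 2

def forged_with_one_key(message, compromised="dev"):
    """What a party holding only one compromised key can produce."""
    return sign(message, {compromised: KEYS[compromised]})
```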
In this article, we went over several of the more common network encroachment and attack methods that can be used alone, or in conjunction with each other or with additional attacks to compromise a network. We provided some guidance on how to protect your network from each type of attack and/or how to mitigate the damage that could be done by an attacker.