
Computer attacks and technologies for their detection. What is a network attack?

Mailbombing
The oldest type of attack. It sharply increases traffic and the number of messages sent, which causes a denial of service: not only the victim's mailbox is paralysed, but also the mail server itself. The effectiveness of such attacks is considered close to zero these days, since a provider can now limit the traffic coming from a single sender.

Buffer overflow
The principle of this type of attack is a software bug that allows data to be written beyond the boundaries of its memory buffer. This, in turn, either terminates the process abnormally or executes arbitrary binary code under the current account. If the account is an administrator, these actions grant full access to the system.

Viruses, Trojans, email worms, sniffers
This type of attack combines various third-party programs. The purpose and operating principle of such programs vary so widely that it makes no sense to dwell on each of them in detail. What all of these programs have in common is that their main purpose is gaining access to, and "infecting", systems.

Network reconnaissance
This type of attack has no destructive effect in itself. Reconnaissance means only the collection of information by the intruder: port scanning, DNS queries, checking the computer's protection and the system as a whole. Reconnaissance is usually carried out before a serious targeted attack.

Packet sniffing
The principle of operation is based on a feature of the network card: the packets it receives are forwarded for processing, where special applications interact with them. As a result, the attacker gains access not only to information about the structure of the computing system, but also to the transmitted data itself: passwords, messages and other files.

IP spoofing
A type of attack on local area networks in which the attacker's computer uses an IP address belonging to that local network. The attack is possible if the system's security relies on identification by IP address alone, without additional conditions.

Man-in-the-middle
The attacker intercepts the link between two applications and thereby gains access to all information passing through the channel. The target of the attack is not only theft but also falsification of information. An example is the use of such attacks for cheating in online games: information about a game event generated by the client side is transmitted to the server. An interceptor program is placed on its path, which changes the information as the attacker wishes and sends it to the server instead of what the game client actually sent.

Injection
Also a fairly broad type of attack. Its general principle is introducing third-party pieces of program code into an information system during data transfer, where the code does not visibly interfere with the operation of the application but at the same time performs the action the attacker needs.

Denial of service
DoS (Denial of Service) is an attack that aims to make the server stop responding to requests. This type of attack does not directly involve obtaining secret information; it is used to paralyse the operation of the targeted services. For example, some programs, due to errors in their code, can throw exceptions and, once the service is crashed, execute code supplied by the attacker; alternatively a flood attack is used, in which the server is unable to process all incoming packets.

DDoS (Distributed Denial of Service) is a subtype of DoS attack with the same goal as DoS, but carried out not from one computer but from several computers in the network. These attacks rely either on triggering errors that cause a denial of service, or on triggering protection mechanisms that block the service, which likewise results in a denial of service. DDoS is used where conventional DoS is ineffective: several computers are combined, and each carries out a DoS attack on the victim's system. Together this is called a DDoS attack.

Methods for protecting against network attacks
There are many ways to protect against intruders, including antiviruses, firewalls, various built-in filters and so on. The most effective is the competence of the user. Do not open suspicious sites (links) or files in letters from a "mysterious stranger" type of sender. Before opening attachments from familiar addresses, ask for confirmation by some channel other than mail. As a rule, the computer skills and literacy courses offered by almost any organization can help with this. This, however, does not replace protective mechanisms and programs. Remember that network attack technology does not stand still, so you should update your antivirus and run full scans of your computers as often as possible.


I have already said a little about who hackers are, but in this article I want to continue this topic, describe the types of hacker attacks and give recommendations on how to prevent them.

An attack on an information system is an action, or a sequence of interconnected actions, of an intruder that leads to the realization of a threat by exploiting the vulnerabilities of this information system. Let's start studying attacks:

Phishing

Phishing. Its purpose is to obtain information from users (passwords, credit card numbers, etc.) or money. This technique is aimed not at one user but at many. For example, letters supposedly from the technical support service are sent to all known clients of a bank. The letters usually contain a request to send the account password, allegedly because of some technical work. Such letters are usually very believable and competently composed, which is perhaps what captivates gullible users.

You can learn more about phishing in the article ““.

Recommendations: paranoia is the best defense. Do not trust anything suspicious, and do not give your data to anyone. Administrators do not need to know your password if it is for accessing their server: they fully control the server and can see the password themselves or change it.

Social engineering

Social engineering is not a technical but a psychological technique. Using the data obtained during reconnaissance, an attacker can call any user (for example, of a corporate network) on behalf of the administrator and try to find out, for example, a password. This becomes possible because in large networks users do not know all employees and certainly cannot always recognize them accurately by phone. In addition, sophisticated psychological techniques are used, so the chance of success increases greatly.

Recommendations: the same. If there really is a need, provide the necessary data in person. If you wrote the password down on paper, do not leave it anywhere and, if possible, destroy it rather than simply throwing it in the trash.

DoS

DoS (Denial of Service). This is not a single attack but the result of an attack; it is used to disable the system or individual programs. To do this, the cracker forms a request to a program in a special way, after which the program ceases to function. A restart is required to return it to a working state.

Smurf

Smurf (an attack aimed at bugs in the implementation of the TCP/IP protocol stack). Now this type of attack is considered exotic, but earlier, when TCP/IP was quite new, its implementations contained a number of errors that allowed, for example, spoofing of IP addresses. However, this type of attack is still used today. Some experts distinguish TCP Smurf, UDP Smurf and ICMP Smurf; of course, this division is based on the type of packets.

UDP Storm

UDP Storm. Used when at least two UDP ports are open on the victim, each of which sends a response to the sender. For example, port 37 (the time service) replies to a request with the current date and time. The cracker sends a UDP packet to one of the victim's ports but specifies the victim's own address and the victim's second open UDP port as the sender. The two ports then respond to each other endlessly, which degrades performance. The storm ends as soon as one of the packets is lost (for example, due to resource overload).

UDP Bomb

UDP Bomb. The cracker sends the system a UDP packet with incorrect service data fields. The data can be corrupted in any way (for example, an incorrect field length or structure). The system can crash. Recommendations: update the software.

Mail bombing

Mail Bombing. If the attacked computer runs a mail server, a huge number of mail messages are sent to it in order to disable it. In addition, such messages are stored on the server's hard disk and can fill it up, which can cause a DoS. Of course, this attack is now more of a historical one, but in some cases it can still be used. Recommendations: competent configuration of the mail server.

Sniffing

Sniffing (sniffing, or wiretapping). If hubs are installed in the network instead of switches, received packets are sent to all computers in the network, and each computer then determines whether the packet is intended for it or not.

If an attacker gains access to a computer that is part of such a network, or gains access to the network directly, then all information transmitted within the network segment, including passwords, becomes available to him. The attacker simply puts the network card into listening mode and accepts all packets, regardless of whether they were intended for him.

IP Hijack

IP Hijack. If there is physical access to the network, the attacker can "cut into" the network cable and act as an intermediary in the transmission of packets, thereby listening to all traffic between two computers. This is a very inconvenient method that often does not justify itself, except in cases where no other way can be implemented. Such an insertion is inconvenient in itself, although there are devices that somewhat simplify the task; in particular, they track packet sequence numbers in order to avoid failures and possible detection of the intrusion into the channel.

Dummy DNS Server

Dummy DNS Server. If the network settings are in automatic mode, then when connecting to the network the computer "asks" who will be its DNS server, to which it will subsequently send DNS queries. With physical access to the network, an attacker can intercept such a broadcast request and reply that his computer will be the DNS server. After that, he can send the deceived victim along any route. For example, the victim wants to go to a bank's website and transfer money; the hacker can send them to his own computer, where a fake password entry form is waiting, and the password then belongs to the cracker. A rather complicated method, because the attacker needs to answer the victim before the real DNS server does.

IP-Spoofing

IP Spoofing (spoofing of IP addresses). The attacker replaces his real IP with a fake one. This is needed when only certain IP addresses have access to a resource: the attacker changes his real IP to a "privileged" or "trusted" one in order to gain access. The method can also be used in a different way. After two computers have established a connection with each other by checking passwords, an attacker can overload the network resources of the victim with specially generated packets. In this way he can redirect traffic to himself and thus bypass the authentication procedure.

Recommendations: the threat is reduced by shortening the time the server waits for a reply to its packet with the SYN and ACK flags set, and by increasing the maximum number of SYN requests held in the connection queue (tcp_max_backlog). You can also use SYN cookies.
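As an added example (not part of the original article), here is a simplified SYN cookie scheme in Python in the spirit of the classic design: the server encodes a coarse time counter, an MSS index and a keyed hash of the connection 4-tuple into the ISN it sends in SYN-ACK, keeps no state for half-open connections, and validates the value echoed back in the final ACK. The secrets, addresses and MSS table are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed secrets: a real server would generate these at boot and keep them private.
SECRET1 = b"constructed-secret-1"
SECRET2 = b"constructed-secret-2"

# The cookie carries only a small index into this table, not the client's raw MSS,
# because almost all 32 bits of the ISN are needed for the hash and the time counter.
MSS_TABLE = (536, 1300, 1440, 1460)
MAX_COOKIE_AGE = 4  # a cookie stays valid for this many 64-second counter ticks


def _h(secret: bytes, *fields) -> int:
    """Keyed 32-bit hash of the connection fields (HMAC-SHA256, truncated)."""
    msg = b"|".join(str(f).encode() for f in fields)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def _counter(now: float) -> int:
    """Coarse time counter: one tick per 64 seconds."""
    return int(now) >> 6


def _mss_index(mss: int) -> int:
    """Index of the largest table entry not exceeding the client's MSS (falls back to 0)."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            idx = i
    return idx


def make_syn_cookie(saddr, daddr, sport, dport, client_isn, mss, now=None) -> int:
    """Return the ISN to send in SYN-ACK. Nothing about the half-open connection is stored."""
    now = time.time() if now is None else now
    t = _counter(now)
    # Layout of the 32-bit value (all additions are mod 2^32):
    #   hash1(4-tuple) + client_isn + (t << 24) + ((hash2(4-tuple, t) + mss_index) & 0xFFFFFF)
    low24 = (_h(SECRET2, saddr, daddr, sport, dport, t) + _mss_index(mss)) & 0xFFFFFF
    return (_h(SECRET1, saddr, daddr, sport, dport) + client_isn + (t << 24) + low24) & 0xFFFFFFFF


def check_syn_cookie(saddr, daddr, sport, dport, client_isn, cookie, now=None):
    """Validate the cookie echoed back in the final ACK (ack_seq - 1).

    Returns the MSS to use for the connection, or None if the cookie is forged or expired.
    """
    now = time.time() if now is None else now
    t_now = _counter(now)
    # Strip the parts the client cannot influence; what remains is ((t & 0xFF) << 24) | low24.
    diff = (cookie - _h(SECRET1, saddr, daddr, sport, dport) - client_isn) & 0xFFFFFFFF
    age = (t_now - (diff >> 24)) & 0xFF
    if age > MAX_COOKIE_AGE:
        return None  # too old, or a value that never was a cookie
    t = t_now - age  # reconstruct the full counter value used when the cookie was minted
    data = (diff - _h(SECRET2, saddr, daddr, sport, dport, t)) & 0xFFFFFF
    if data >= len(MSS_TABLE):
        return None  # hash mismatch: the 4-tuple or client ISN differs from the SYN
    return MSS_TABLE[data]
```

Because the server keeps no queue entry, a flood of spoofed SYNs costs it nothing beyond computing the hash, which is exactly why the page recommends this alongside a larger backlog.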

Software vulnerabilities

Software vulnerabilities. Exploitation of bugs in software. The effect can vary, from obtaining non-essential information to gaining complete control over the system. Attacks on software bugs have always been the most popular. Old bugs are fixed in new versions, but new bugs appear in new versions and can be used in turn.

Viruses

The most common problem known to the ordinary user. The point is the introduction of a malicious program into the user's computer. The consequences vary and depend on the type of virus that infects the computer, but in general they range from stealing information to sending spam, organizing DDoS attacks and gaining full control over the computer. In addition to a file attached to a letter, viruses can get into the computer through OS vulnerabilities.

There is still no precise definition of the term "attack" (invasion, assault). Every security professional interprets it differently. I consider the following definition to be the most correct and complete.

An attack on an information system is the deliberate actions of an intruder that exploit vulnerabilities of the information system and lead to a violation of the availability, integrity and confidentiality of the information it processes.

If we eliminate the vulnerabilities of the information system, we also eliminate the possibility of carrying out attacks.

It is currently unknown how many attack methods exist. It is said that there is still no serious mathematical research in this area. But back in 1996, Fred Cohen described the mathematical foundations of virus technology. This work proved that the number of viruses is infinite. Obviously the number of attacks is infinite too, since viruses are a subset of attacks.

Attack models

The traditional attack model is built on a one-to-one (Fig. 1) or one-to-many (Fig. 2) principle, i.e. the attack comes from a single source. Developers of network security tools (firewalls, intrusion detection systems, etc.) focus on the traditional attack model. Agents (sensors) of the protection system are installed at various points of the protected network and transmit information to a central management console. This makes it easier to scale the system, provides convenient remote management, etc. However, this model does not cope with the relatively recently (in 1998) detected threat: distributed attacks.
Figure 1. One-to-one relationship

The distributed attack model uses different principles. Unlike the traditional model, the distributed model uses many-to-one (Fig. 3) and many-to-many (Fig. 4) relations.

Distributed attacks are based on "classic" denial-of-service attacks, more specifically a subset of them known as Flood or Storm attacks (these terms can be translated as "storm", "flood" or "avalanche"). The essence of these attacks is to send a large number of packets to the attacked host. The attacked node can fail because it "drowns" in the avalanche of packets and is unable to process the requests of authorized users. This is how SYN Flood, Smurf, UDP Flood, Targa3 and similar attacks work. However, if the bandwidth of the channel to the attacked node exceeds the bandwidth of the attacker, or the attacked node is configured incorrectly, such an attack will not "succeed". For example, it is useless to try to disrupt your ISP with such an attack. A distributed attack, on the other hand, no longer comes from one point on the Internet but from several at once, which leads to a sharp increase in traffic and disables the attacked host. For example, according to Russia-Online, for two days starting from 9 am on December 28, 2000, Armenia's largest Internet provider, "Arminco", was subjected to a distributed attack. More than 50 machines from different countries joined the attack and sent meaningless messages to the "Arminco" address. It was impossible to establish who organized this attack and in what country the hacker was. Although it was mainly "Arminco" that was attacked, the entire backbone connecting Armenia with the World Wide Web was congested. On December 30, thanks to the cooperation of "Arminco" and another provider, "ArmenTel", the connection was completely restored. Despite this, the computer attack continued, but with less intensity.
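As an added example (not part of the original article), this Python snippet distinguishes the traditional one-to-one flood from the many-to-one distributed flood described above, using constructed packet records: for each destination it finds the busiest one-second window and labels it by how many distinct sources contributed. Addresses, rates and thresholds are constructed assumptions.

```python
from collections import Counter

# Constructed packet records, not real traffic: (timestamp_s, src, dst).
PACKETS = []
# Traditional one-to-one flood: a single source sends 300 packets to host A within one second.
PACKETS += [(100 + i / 300, "198.51.100.9", "203.0.113.1") for i in range(300)]
# Distributed many-to-one flood: 50 sources send 6 packets each to host B within one second.
PACKETS += [(200 + i / 300, f"10.0.{i % 50}.1", "203.0.113.2") for i in range(300)]
# Normal traffic: 20 packets to host C, one per second.
PACKETS += [(300 + i, "192.0.2.4", "203.0.113.3") for i in range(20)]


def _peak_window(events, window):
    """events: list of (ts, src). Return (packets, distinct_sources) for the busiest span of `window` seconds."""
    events = sorted(events)
    live = Counter()  # source -> packets currently inside the window
    left = 0
    peak_pkts, peak_srcs = 0, 0
    for right, (ts, src) in enumerate(events):
        live[src] += 1
        while events[left][0] <= ts - window:  # drop packets that fell out of the window
            old = events[left][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        pkts = right - left + 1
        if pkts > peak_pkts:
            peak_pkts, peak_srcs = pkts, len(live)
    return peak_pkts, peak_srcs


def classify_floods(packets, window=1.0, pps_threshold=100, distributed_from=10):
    """Per destination: 'flood' (one or few sources) or 'distributed flood' (many sources).

    Destinations whose peak rate stays below `pps_threshold` packets per `window` are not reported.
    Returns {dst: (label, peak_packets, distinct_sources_at_peak)}.
    """
    per_dst = {}
    for ts, src, dst in packets:
        per_dst.setdefault(dst, []).append((ts, src))
    verdicts = {}
    for dst, events in per_dst.items():
        pkts, srcs = _peak_window(events, window)
        if pkts < pps_threshold:
            continue
        label = "distributed flood" if srcs >= distributed_from else "flood"
        verdicts[dst] = (label, pkts, srcs)
    return verdicts
```

The source count is what matters operationally: a single-source flood can be cut off by blocking one address at the upstream router, whereas the distributed case needs rate limiting or upstream filtering because the per-source rate is unremarkable.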

Stages of attacks

The following stages of attack implementation can be distinguished:

  1. gathering information;
  2. implementation of the attack;
  3. completion of the attack.

Usually, when people talk about an attack, they mean exactly the second stage, forgetting about the first and the last. Gathering information and completing an attack ("covering up the tracks") can, in turn, also be attacks in their own right and can themselves be divided into three stages (see Fig. 5).
Figure 5. Stages of an attack

Gathering information is the main stage in the implementation of an attack. It is at this stage that the effectiveness of the attacker's work is the key to the "success" of the attack. First, the target of the attack is selected and information about it is collected (type and version of the operating system, open ports and running network services, installed system and application software and its configuration, etc.). Then the most vulnerable points of the attacked system are identified, the impact on which leads to the result the attacker wants. The attacker tries to identify all communication channels between the attack target and other hosts. This allows choosing not only the type of attack to be implemented but also the source from which it is implemented. For example, suppose the attacked host communicates with two servers running Unix and Windows NT, and has a trusted relationship with one server but not with the other. The server through which the attacker implements the attack determines which attack will be used, which means of implementation will be chosen, and so on. Then, depending on the information received and the desired result, the attack that gives the greatest effect is selected. For instance:

  • SYN Flood, Teardrop, UDP Bomb: to disrupt the functioning of the node;
  • CGI script: to penetrate the site and steal information;
  • PHF: to steal a password file and guess passwords remotely, etc.

Traditional defenses, such as firewalls or filtering mechanisms in routers, take effect only at the second stage of an attack, completely "forgetting" about the first and third. As a result, an attack is often very difficult to stop, even with powerful and expensive means of defense. Distributed attacks are an example of this. It would be logical for the means of protection to start working at the first stage, i.e. to prevent the collection of information about the attacked system. This would make it possible, if not to prevent the attack completely, then at least to complicate the attacker's work significantly. Traditional means also do not allow detecting attacks that have already been committed or assessing the damage after they are carried out, i.e. they do not work at the third stage of the attack. Consequently, it is impossible to define measures to prevent such attacks in the future.

Depending on the desired result, the intruder concentrates on one or another stage of the attack. For instance:

  • for denial of service, the attacked network is analyzed in detail and loopholes and weak points are looked for in it;
  • to steal information, the focus is on invisible penetration of the attacked nodes using previously discovered vulnerabilities.

Let's consider the main mechanisms for implementing attacks. This is necessary to understand how to detect these attacks. In addition, understanding the principles of attackers' actions is the key to successful network defense.

1. Gathering information

The first stage in the implementation of attacks is the collection of information about the attacked system or host. It includes such actions as determining the network topology, the type and version of the operating system of the attacked node, as well as the available network and other services, etc. These actions are implemented in various ways.

Exploring the environment

At this stage, the attacker explores the network environment around the intended target of the attack. Such areas include, for example, the sites of the "victim's" ISP or the sites of a remote office of the attacked company. Here an attacker can try to determine the addresses of "trusted" systems (for example, a partner's network) and of nodes directly connected to the target of the attack (for example, the ISP's router), etc. Such actions are quite difficult to detect, since they are performed over a sufficiently long period of time and outside the area controlled by the protection means (firewalls, intrusion detection systems, etc.).

Network topology identification

There are two main methods used by attackers to determine the network topology:

  1. changing TTL (TTL modulation),
  2. record route.

The first method is used by traceroute for Unix and tracert for Windows. They rely on the Time to Live field in the IP packet header, which is decremented by every router the packet passes through. The ping utility can be used to record the route of an ICMP packet (the record route option). The network topology can often also be traced using SNMP, which is installed on many network devices that are not properly configured for security. Using RIP, you can try to obtain information about the routing tables in the network, etc.

Many of these methods are used by modern management systems (e.g. HP OpenView, Cabletron SPECTRUM, MS Visio, etc.) to build network maps. The same methods can be successfully applied by intruders to build a map of the attacked network.

Identifying nodes

Host identification is usually accomplished by sending an ICMP ECHO_REQUEST message using the ping utility. An ECHO_REPLY response indicates that the node is available. There are freeware programs, such as fping or nmap, that automate and speed up the identification of large numbers of nodes in parallel. The danger of this method is that ECHO_REQUEST messages are not logged by the standard means of the node; detecting them requires traffic analysis tools, firewalls or intrusion detection systems.

This is the simplest method for identifying nodes. However, it has two drawbacks.

  1. Many network devices and programs block ICMP packets and do not allow them to enter the internal network (or vice versa, do not let them outside). For example, MS Proxy Server 2.0 does not allow packets to pass through the ICMP protocol. The result is an incomplete picture. On the other hand, blocking an ICMP packet tells the attacker that there is a "first line of defense" - routers, firewalls, etc.
  2. The use of ICMP requests makes it easy to find their source, which, of course, cannot be the task of an attacker.

There is another method for identifying nodes: using the promiscuous ("mixed") mode of the network card, which allows identifying different nodes on a network segment. But it is not applicable when the traffic of the network segment is not available to the attacker from his own node, i.e. this method is applicable only on local networks. Another method of identifying nodes on a network is called DNS reconnaissance, which allows identifying nodes on a corporate network by querying a name service server.

Service identification or port scanning

Service identification is usually done by port scanning. Ports are very often associated with services based on the TCP or UDP protocols. For instance:

  • an open port 80 implies the presence of a web server,
  • port 25 - an SMTP mail server,
  • port 31337 - the server side of the BackOrifice Trojan horse,
  • port 12345 or 12346 - the server side of the NetBus Trojan horse, etc.

Various programs can be used to identify services and scan ports, including freely redistributable ones, for example nmap or netcat.
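As an added example (not from the original article), the following Python detector flags the two reconnaissance steps described above, ping sweeps and port scans, from constructed flow records by counting distinct targets per source inside a sliding time window; it also shows why a slow sweep evades a short window. The record format, addresses and thresholds are my assumptions.

```python
from collections import defaultdict

# Constructed flow records, not real traffic: (timestamp_s, src, dst, proto, port_or_icmp_type).
# For ICMP the last field holds the ICMP type (8 = echo request); for TCP/UDP the destination port.
SAMPLE_FLOWS = []
# A ping sweep: one source probes 12 consecutive addresses within 12 seconds.
for i in range(12):
    SAMPLE_FLOWS.append((10 + i, "198.51.100.9", f"203.0.113.{i + 1}", "icmp", 8))
# A port scan: the same source then tries 20 different TCP ports on one host in 20 seconds.
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                 443, 445, 993, 995, 1433, 3306, 3389, 8080, 12345, 31337]
for i, port in enumerate(SCANNED_PORTS):
    SAMPLE_FLOWS.append((100 + i, "198.51.100.9", "203.0.113.5", "tcp", port))
# Benign client: repeated connections to the same web server on ports 80 and 443 only.
for i in range(40):
    SAMPLE_FLOWS.append((100 + i, "192.0.2.4", "203.0.113.5", "tcp", 80 if i % 2 else 443))

# The same sweep spread over ten minutes (one probe every 50 s): slow reconnaissance
# of the kind the article says is hard to spot.
SLOW_SWEEP = [(50 * i, "198.51.100.9", f"203.0.113.{i + 1}", "icmp", 8) for i in range(12)]


def _max_distinct_in_window(events, window):
    """events: list of (ts, key). Largest number of distinct keys inside any span of `window` seconds."""
    events = sorted(events)
    live = defaultdict(int)  # key -> occurrences currently inside the window
    left = 0
    best = 0
    for ts, key in events:
        live[key] += 1
        while events[left][0] < ts - window:  # slide the left edge forward
            old = events[left][1]
            live[old] -= 1
            if live[old] == 0:
                del live[old]
            left += 1
        best = max(best, len(live))
    return best


def detect_ping_sweep(flows, min_hosts=8, window=60):
    """Sources that sent ICMP echo requests to at least `min_hosts` distinct hosts within `window` seconds."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, field in flows:
        if proto == "icmp" and field == 8:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        n = _max_distinct_in_window(events, window)
        if n >= min_hosts:
            hits[src] = n
    return hits


def detect_port_scan(flows, min_ports=15, window=60):
    """(src, dst) pairs where one source touched at least `min_ports` distinct ports on one host within `window` seconds."""
    per_pair = defaultdict(list)
    for ts, src, dst, proto, field in flows:
        if proto in ("tcp", "udp"):
            per_pair[(src, dst)].append((ts, field))
    hits = {}
    for pair, events in per_pair.items():
        n = _max_distinct_in_window(events, window)
        if n >= min_ports:
            hits[pair] = n
    return hits
```

Widening the window catches the slow sweep, at the cost of keeping more state per source; that trade-off is the core tuning decision for this class of detector.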

Operating system identification

The main mechanism for remote OS detection is the analysis of responses to queries, taking into account different implementations of the TCP / IP stack in different operating systems. Each OS has its own implementation of the TCP / IP protocol stack, which makes it possible, using special requests and responses to them, to determine which OS is installed on the remote node.

Another, less efficient and extremely limited way of identifying the OS of the nodes is to analyze the network services discovered at the previous stage. For example, an open port 139 allows us to conclude that the remote host is most likely running a Windows operating system. Various programs can be used to determine the OS. For example nmap or queso.

Defining the role of a node

The penultimate step at the stage of collecting information about the attacked host is to determine its role, for example, performing the functions of a firewall or Web server. This step is performed based on the information already collected about active services, hostnames, network topology, etc. For example, an open port 80 may indicate a Web server, blocking an ICMP packet indicates a potential firewall, and the DNS hostname proxy.domain.ru or fw.domain.ru speaks for itself.

Identifying host vulnerabilities

The last step is to search for vulnerabilities. At this step, an attacker uses various automated tools or manually identifies vulnerabilities that could be exploited to carry out an attack. Such automated tools can be ShadowSecurityScanner, nmap, Retina, etc.

2. Implementation of the attack

From this moment, an attempt to access the attacked node begins. In this case, access can be both direct, i.e. penetration of the node, and indirect, for example, when implementing a denial of service attack. Implementation of attacks in the case of direct access can also be divided into two stages:

  • penetration;
  • establishment of control.

Penetration

Penetration involves overcoming perimeter defenses (such as a firewall). This can be implemented in various ways: for example, by exploiting a vulnerability in a service "looking" outward, or by transmitting hostile content via e-mail (macro viruses) or via Java applets. Such content can use so-called "tunnels" in the firewall (not to be confused with VPN tunnels), through which the attacker then penetrates. Guessing the password of an administrator or another user with a specialized utility (for example, L0phtCrack or Crack) can be attributed to the same stage.

Establishing control

After penetration, the attacker takes control of the attacked node. This can be accomplished by planting a Trojan horse program (such as NetBus or BackOrifice). After establishing control over the desired node and "covering up" the traces, the attacker can carry out all the necessary unauthorized actions remotely without the knowledge of the owner of the attacked computer. At the same time, control over a node of the corporate network must survive a restart of the operating system. This can be accomplished by replacing one of the boot files or by placing a reference to the hostile code in the startup files or the system registry. There is a known case in which an attacker was able to reprogram the EEPROM of a network card, so that even after the OS was reinstalled he could resume unauthorized actions. A simpler modification of this example is to inject the required code or snippet into a network boot script (for example, for Novell Netware).

3. Completion of the attack

The stage of completion of the attack is "covering up the traces" on the part of the attacker. This is usually accomplished by removing relevant entries from the host logs and other actions that return the attacked system to its original, "pre-attacked" state.

Attack classification

There are different types of attack classification. For example, the division into passive and active, external and internal, intentional and unintentional. However, in order not to confuse you with a large variety of classifications that are not very applicable in practice, I propose a more "vital" classification:

  1. Remote penetration. Attacks that allow remote control of a computer over a network. For example, NetBus or BackOrifice.
  2. Local penetration. An attack that leads to gaining unauthorized access to the host on which it is launched. For example, GetAdmin.
  3. Remote denial of service. Attacks that disrupt or overload a computer over the Internet. For example, Teardrop or trin00.
  4. Local denial of service. Attacks that disrupt or overload the computer on which they are carried out. An example of such an attack is a "hostile" applet that loads the CPU in an infinite loop, making it impossible to process requests from other applications.
  5. Network scanners. Programs that analyze the topology of a network and discover services available for attack. For example, the nmap system.
  6. Vulnerability scanners. Programs that look for vulnerabilities on network nodes which can be used to implement attacks. For example, the SATAN system or ShadowSecurityScanner.
  7. Password crackers. Programs that "guess" user passwords. For example, L0phtCrack for Windows or Crack for Unix.
  8. Protocol analyzers (sniffers). Programs that "listen" to network traffic. These programs can automatically search for information such as user IDs and passwords, credit card information, and more. For example, Microsoft Network Monitor, NetXRay from Network Associates, or LanExplorer.

Internet Security Systems, Inc. further reduced the number of possible categories, bringing them to 5:

  1. Information gathering.
  2. Unauthorized access attempts.
  3. Denial of service.
  4. Suspicious activity.
  5. System attack.

The first 4 categories relate to remote attacks, and the last to local attacks, implemented on the attacked host. It can be noted that this classification does not include a whole class of so-called "passive" attacks ("listening" traffic, "false DNS server", "ARP server spoofing", etc.).

The classification of attacks implemented in many intrusion detection systems cannot be categorical. For example, an attack whose implementation on a Unix operating system (for example, a statd buffer overflow) may have the most dire consequences (highest priority), may not be applicable at all to the Windows NT operating system or have a very low degree of risk. In addition, there is confusion in the names of attacks and vulnerabilities. The same attack may have different names for different vendors of intrusion detection systems.

One of the best vulnerability and attack databases is the X-Force database located at http://xforce.iss.net/. It can be accessed either by subscribing to the free X-Force Alert mailing list or by interactively searching the database on the ISS Web server.

Conclusion

Without vulnerabilities in the components of information systems, it would be impossible to implement many attacks and, therefore, traditional protection systems would be quite effective in coping with possible attacks. However, programs are written by people who make mistakes. As a result, vulnerabilities appear that are used by cybercriminals to carry out attacks. However, this is only half the trouble. If all attacks were built on a one-to-one basis, then it would be a stretch, but firewalls and other defense systems would be able to resist them too. But coordinated attacks have emerged, against which traditional means are no longer as effective. And then new technologies appear on the scene - attack detection technologies. The above systematization of data on attacks and the stages of their implementation provides the necessary basis for understanding attack detection technologies.

Computer attack detection tools

Attack detection technology should solve the following tasks:

  • Recognition of known attacks and warning of the appropriate personnel about them.
  • "Understanding" the often hard-to-interpret sources of information about attacks.
  • Relieving or reducing the burden on security personnel from the routine operations of monitoring the users, systems and networks that make up the corporate network.
  • The ability to manage protective measures by people who are not security experts.
  • Monitoring of all actions of the subjects of the corporate network (users, programs, processes, etc.).

Intrusion detection systems can often perform functions that significantly expand the range of their application. For instance:

  • Monitoring the effectiveness of firewalls. For example, installing an intrusion detection system behind the firewall (inside the corporate network) allows you to detect attacks that the firewall lets through and thereby identify rules missing from the firewall.
  • Identifying hosts with missing updates or outdated software.
  • Blocking and controlling access to certain Internet sites. Although intrusion detection systems are far from firewalls and URL access control systems such as WEBsweeper, they can partially control and block access by some users of the corporate network to certain Internet resources, for example, to Web servers with pornographic content. This is useful when the organization does not have the money to purchase both a firewall and an intrusion detection system, and the firewall functions are distributed between the intrusion detection system, a router and a proxy server. In addition, intrusion detection systems can monitor employee access to servers based on keywords, for example, sex, job, crack, etc.
  • Email control. Intrusion detection systems can be used to monitor unreliable employees who use e-mail for tasks outside their functional responsibilities, such as sending out resumes. Some systems can detect viruses in mail messages and, although they are far from real anti-virus systems, they still perform this task quite efficiently.

The best use of the time and expertise of information security professionals is to identify and address the root cause of an attack rather than the attack itself. By eliminating the causes of attacks, i.e. by discovering and eliminating vulnerabilities, the administrator removes the very possibility of those attacks. Otherwise the attack will be repeated over and over again, constantly demanding the administrator's effort and attention.

Classification of intrusion detection systems

There are many different classifications of intrusion detection systems, but the most common classification is based on the implementation principle:

  1. host-based, that is, detecting attacks aimed at a specific network node,
  2. network-based, that is, detecting attacks aimed at the entire network or network segment.

Intrusion detection systems that monitor a single computer, as a rule, collect and analyze information from the logs of the operating system and various applications (Web server, DBMS, etc.). This is how the RealSecure OS Sensor works. Recently, however, systems that are tightly integrated with the OS kernel have begun to proliferate, providing a more efficient way of detecting security policy violations. This integration can be implemented in two ways: either all OS system calls are monitored (this is how Entercept works) or all incoming and outgoing network traffic is (this is how RealSecure Server Sensor works). In the latter case, the intrusion detection system captures all network traffic directly from the network card, bypassing the operating system, which reduces its dependence on the OS and thereby increases the security of the intrusion detection system itself.

Network layer intrusion detection systems collect information from the network itself, that is, from network traffic. These systems can run on ordinary computers (for example, RealSecure Network Sensor), on specialized computers (for example, RealSecure for Nokia or Cisco Secure IDS 4210 and 4230), or integrated into routers or switches (for example, CiscoSecure IOS Integrated Software or Cisco Catalyst 6000 IDS Module). In the first two cases, the analyzed information is collected by capturing and analyzing packets using network interfaces in a promiscuous mode. In the latter case, traffic is captured from the bus of the network equipment.

Detecting attacks requires that one of two conditions be met: either an understanding of the expected behavior of the monitored object, or knowledge of all possible attacks and their variations. In the first case, anomaly detection technology is used; in the second, malicious behavior (misuse) detection technology. The second technique describes an attack in the form of a pattern or signature and searches for this pattern in the monitored space (for example, network traffic or logs). This technology is very similar to virus detection (antivirus systems are a prime example of an intrusion detection system): the system can detect all known attacks, but it is not well suited to detecting new, as yet unknown ones. The approach implemented in such systems is very simple, and practically all attack detection systems offered on the market are based on it.

Almost all intrusion detection systems are based on the signature approach.

Advantages of intrusion detection systems

The various advantages of host-level and network-level intrusion detection systems could be enumerated at length. However, I will focus on only a few of them.

Switching allows large networks to be managed as a set of small network segments. As a result, it can be difficult to determine the best place to install a system that detects attacks in network traffic. SPAN (mirror) ports on switches can sometimes help, but not always. Host-level attack detection works more efficiently in switched networks, since it allows detection systems to be placed only on those hosts where they are needed.

Network-level systems do not require intrusion detection software to be installed on every host. Since the number of points at which IDS are installed to monitor the entire network is small, the cost of operating them on the enterprise network is lower than the cost of operating host-level intrusion detection systems. In addition, only one sensor is needed to monitor a network segment, regardless of the number of nodes in that segment.

A network packet, once it has left the attacker's computer, can no longer be taken back. Systems operating at the network level use live traffic to detect attacks in real time, so an attacker cannot remove the traces of his unauthorized activity. The analyzed data includes not only information about the attack method but also information that can help identify the attacker and prove it in court. Since many hackers are familiar with system logging mechanisms, they know how to manipulate log files to hide their traces, which reduces the effectiveness of host-level systems that need this information to detect an attack.

Systems operating at the network level detect suspicious events and attacks as they occur, and therefore provide much faster notification and response than systems that analyze logs. For example, a hacker initiating a TCP-based denial-of-service attack can be stopped by the network-level intrusion detection system sending a TCP packet with the RST flag set to terminate the connection with the attacking host before the attack causes disruption or damage to the attacked node. Log analysis systems do not recognize attacks until they are logged and respond only after the log entry is written. By then the most critical systems or resources may already be compromised, or the host running the host-level intrusion detection system may itself have been disrupted. Real-time notification allows a quick response according to predefined parameters. The range of responses runs from allowing the intrusion to continue in surveillance mode, in order to gather information about the attack and the attacker, to terminating the attack immediately.

Finally, network-level intrusion detection systems are independent of the operating systems installed on the corporate network, since they operate on network traffic exchanged by all nodes in the corporate network. The intrusion detection system does not care which OS generated a particular packet as long as it is in accordance with the standards supported by the detection system. For example, the network can run Windows 98, Windows NT, Windows 2000 and XP, Netware, Linux, MacOS, Solaris, etc., but if they communicate with each other via IP, then any of the intrusion detection systems that support this protocol, will be able to detect attacks directed at these operating systems.

Combining network and host-level intrusion detection systems will increase the security of your network.

Network intrusion detection systems and firewalls

Most often, people try to replace network intrusion detection systems with firewalls, relying on the belief that the latter provide a very high level of security. Keep in mind, however, that firewalls are simply rule-based systems that allow or deny the traffic passing through them. Even firewalls built using the "" technology cannot say with certainty whether an attack is present in the traffic they control or not. They can only tell whether the traffic matches a rule. For example, suppose the firewall is configured to block all connections except TCP connections to port 80 (i.e. HTTP traffic). Then any traffic to port 80 is legal from the firewall's point of view. An intrusion detection system also monitors traffic, but it looks for signs of an attack and cares little about which port the traffic is destined for: by default, all traffic is suspect to the intrusion detection system. So although the intrusion detection system works with the same data source as the firewall, namely network traffic, the two perform complementary functions. Take, for example, the HTTP request "GET /../../../etc/passwd HTTP/1.0". Almost any firewall lets this request pass. The intrusion detection system, however, will easily detect this attack and block it.
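To make the signature approach from the previous section concrete, here is an added example (not code from the original article or from any of the products it names) that inspects HTTP request lines such as the one above. It puts a literal "../" rule, the kind a classic signature-based IDS would carry, next to a path-normalisation check, so the reader can see where each one succeeds and fails. All request lines are constructed for the example.

```python
"""Signature-style inspection of HTTP request lines.

Added example (not from the original article): a literal '../' rule of the
kind a classic IDS would carry, beside a path-normalisation check that
handles the encoded variants the literal rule misses.  All request lines
below are constructed for the example.
"""
import re
from urllib.parse import unquote

# Literal signature, the way a simple IDS rule would express the example above.
TRAVERSAL_SIGNATURE = re.compile(r"\.\./|\.\.\\")

# HTTP request line: METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+HTTP/\d\.\d$")


def decode_target(raw: str) -> str:
    """Percent-decode a few rounds so %2e%2e and %252e%252e both become '..'."""
    cur, prev = raw, None
    for _ in range(3):  # bounded; legitimate targets never need more rounds
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/")


def escapes_web_root(raw_target: str) -> bool:
    """True when the decoded path climbs above the document root.

    Only '..' segments that go above the root matter; 'a/../b' stays inside."""
    path = decode_target(raw_target.split("?", 1)[0])
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def inspect_request_line(line: str) -> dict:
    """Return both verdicts so the two techniques can be compared."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return {"malformed": True, "method": None, "target": None,
                "signature_hit": False, "escapes_root": False}
    method, target = m.group(1), m.group(2)
    return {
        "malformed": False,
        "method": method,
        "target": target,
        "signature_hit": bool(TRAVERSAL_SIGNATURE.search(target)),
        "escapes_root": escapes_web_root(target),
    }


# Constructed sample request lines: the article's example, a benign request,
# an encoded traversal the literal rule misses, and a harmless '..' that the
# literal rule flags although the path never leaves the root.
SAMPLE_REQUESTS = [
    "GET /../../../etc/passwd HTTP/1.0",
    "GET /index.html HTTP/1.1",
    "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1",
    "GET /docs/../index.html HTTP/1.1",
]


def run_samples() -> dict:
    return {line: inspect_request_line(line) for line in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for line, verdict in run_samples().items():
        print(f"{line!r}: signature={verdict['signature_hit']} "
              f"escapes_root={verdict['escapes_root']}")
```

The third sample shows the weakness of a pure signature (an encoded "../" slips past the literal rule), and the fourth shows its false positive; the normalisation check gets both right, which is why real sensors normalise the request before matching rather than relying on a raw byte pattern alone.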

The following analogy can be drawn. A firewall is an ordinary turnstile installed at the main entrance to your network. But besides the main doors there are other doors, and there are windows. By masquerading as a real employee or winning the confidence of the security guard at the turnstile, an attacker can smuggle an explosive device or a pistol through it. Moreover, an intruder can get in through a window. That is why intrusion detection systems are needed: they enhance the protection provided by firewalls, which are a necessary but clearly insufficient element of network security.

A firewall is not a panacea!

Variants of reactions to a detected attack

It is not enough to detect an attack; it is necessary to react to it accordingly. The response options largely determine the effectiveness of an intrusion detection system. To date, the following response options are offered:

  • Notification to the console (including a backup console) of the intrusion detection system or to the console of an integrated system (such as a firewall).
  • Audible notification of the attack.
  • Generation of SNMP notifications (traps) for network management systems.
  • Generating an e-mail message about the attack.
  • Additional notifications by pager or fax.
  • A very interesting, albeit rarely used, option: the notification about the detected unauthorized activity is sent not to the administrator but to the attacker. According to the supporters of this response option, the violator, having learned that he has been discovered, is forced to stop his actions.
  • Mandatory registration of detected events. The following can act as the log:
    • a text file,
    • syslog (for example, in the Cisco Secure Integrated Software system),
    • a text file of a special format (for example, in the Snort system),
    • a local MS Access database,
    • an SQL database (for example, in the RealSecure system).
    Keep in mind that the volume of registered information usually calls for an SQL database such as MS SQL or Oracle.
  • Event tracing, i.e. recording events in the sequence and at the speed with which the attacker carried them out. The administrator can then replay the required sequence of events at a chosen speed (in real time, accelerated or slowed down) at any time in order to analyze the attacker's activity. This makes it possible to judge his skill level, the attack tools used, etc.
  • Interrupting the attacker's actions, i.e. terminating the connection. This can be done as:
    • interception of the connection (session hijacking) and sending a packet with the RST flag set to both participants in the network connection on behalf of each of them (in an intrusion detection system operating at the network level);
    • blocking the attacker's user account (in a host-level intrusion detection system). Such blocking can be carried out either for a specified period of time or until the account is unlocked by the administrator. Depending on the privileges with which the intrusion detection system runs, blocking can apply both within the target computer itself and within the entire network domain.
  • Reconfiguration of network equipment or firewalls. If an attack is detected, a command to change the access control list is sent to the router or firewall, after which all connection attempts from the attacking host are rejected. As with blocking the attacker's account, the access control list can be changed either for a specified time interval or until the change is cancelled by the administrator of the reconfigured network equipment.
  • Blocking network traffic in the way firewalls do. This option allows you to restrict traffic, as well as the recipients that can access the resources of the protected computer, performing functions available in personal firewalls.

DDoS is currently one of the most accessible and widespread types of network attack. A few weeks ago, the results of studies on DDoS prevalence by Arbor Networks and Verisign Inc. were published.

The research results are impressive:

  • cybercriminals conduct over 2000 DDoS attacks every day;
  • the cost of a week-long attack on an average data center is only $150;
  • more than half of the survey participants experienced problems due to DDoS;
  • one-tenth of the survey participants answered that their companies suffered from DDoS attacks more than six times in a year;
  • about half of the companies experienced problems due to DDoS, with an average attack duration of about 5 hours;
  • this type of attack is one of the main causes of server shutdown and downtime.

The main types of DDoS attacks

In general there are quite a few types of DDoS, and below we have tried to list the most typical attacks with a description of how each works.

UDP flood

One of the most effective and at the same time simplest types of attack. It uses the UDP protocol, which requires neither establishing a session nor sending any kind of response. The attacker sends a huge number of packets to randomly chosen server ports. For each packet the machine has to check whether the destination port is in use by some application, and since there are so many packets, a machine of any power simply cannot keep up. As a result, all of the machine's resources are consumed and the server goes down.

The simplest defense against this type of attack is to block UDP traffic.

ICMP flood

The attacker pings the victim's server continuously, and the server continuously answers. The pings are so numerous that the server's resources are consumed and the machine becomes unavailable.

As a protective measure, ICMP requests can be blocked at the firewall. Unfortunately, in that case you will, for obvious reasons, no longer be able to ping the machine.

SYN flood

In this type of attack, SYN packets are sent to the victim's server. The server responds to each with a SYN-ACK packet and waits for the attacker's machine to send the final ACK, which never arrives. The result is a huge number of half-open connections that are closed only after the timeout expires.

When the limit on the number of such requests and responses is exceeded, the victim's server stops accepting packets of any type and becomes unavailable.

MAC flood

An unusual type of attack aimed at many kinds of network equipment. The attacker sends a large number of Ethernet frames with completely different source MAC addresses. The switch reserves a certain amount of resources for each of these frames, and when there are very many of them it exhausts all available resources and freezes. In the worst case the routing table fails.
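The UDP flood, ICMP flood, SYN flood and MAC flood sections above all describe the same symptom from the defender's side: a rate that exceeds anything a legitimate sender produces. The following added example (not code from the original article) runs simple sliding-window thresholds over a constructed packet trace and raises one alert per flood kind. It counts UDP and ICMP per source address, bare SYNs per destination (because SYN floods usually forge the source, per-source counting would miss them), and distinct source MACs per window for the switch case. Names, limits and the trace itself are assumptions made for the example.

```python
"""Sliding-window flood detection over a constructed packet trace.

Added example, not from the original article.  The thresholds are
illustrative assumptions; a real sensor would tune them per segment.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal view of one captured packet (constructed for the example)."""
    ts: float            # capture time in seconds
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str           # "udp", "icmp" or "tcp"
    tcp_flags: str = ""  # "S" = bare SYN, "SA", "A", ...


class FloodDetector:
    """Sliding-window thresholds; each (kind, key) alerts at most once."""

    def __init__(self, window=1.0, pps_limit=100, syn_limit=100, mac_limit=50):
        self.window = window            # seconds
        self.pps_limit = pps_limit      # UDP / ICMP packets per source per window
        self.syn_limit = syn_limit      # bare SYNs per destination per window
        self.mac_limit = mac_limit      # distinct source MACs per window
        self.events = defaultdict(deque)  # key -> timestamps inside the window
        self.macs = deque()               # (ts, src_mac) inside the window
        self.fired = set()
        self.alerts = []                  # (kind, key, ts)

    def _rate(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while ts - q[0] > self.window:   # q is never empty: ts was just appended
            q.popleft()
        return len(q)

    def _alert(self, kind, key, ts):
        if (kind, key) not in self.fired:
            self.fired.add((kind, key))
            self.alerts.append((kind, key, ts))

    def observe(self, p: Pkt):
        if p.proto in ("udp", "icmp"):
            # The floods described above come from one sender: rate per source.
            if self._rate((p.proto, p.src_ip), p.ts) > self.pps_limit:
                self._alert(f"{p.proto}_flood", p.src_ip, p.ts)
        elif p.proto == "tcp" and p.tcp_flags == "S":
            # SYN floods usually spoof the source, so count per destination.
            if self._rate(("syn", p.dst_ip), p.ts) > self.syn_limit:
                self._alert("syn_flood", p.dst_ip, p.ts)
        # MAC flood: how many different source MACs did the segment see lately?
        self.macs.append((p.ts, p.src_mac))
        while p.ts - self.macs[0][0] > self.window:
            self.macs.popleft()
        if len({mac for _, mac in self.macs}) > self.mac_limit:
            self._alert("mac_flood", "segment", p.ts)


def detect(pkts):
    det = FloodDetector()
    for p in sorted(pkts, key=lambda x: x.ts):
        det.observe(p)
    return det.alerts


VICTIM = "203.0.113.10"   # documentation address, constructed


def build_trace():
    """Constructed trace: 3 s of benign traffic from 20 hosts plus four floods."""
    pkts = []
    for sec in range(3):
        for h in range(20):
            ip, mac = f"192.0.2.{h + 1}", f"02:00:00:00:00:{h + 1:02x}"
            pkts += [Pkt(sec + 0.2 * k, mac, ip, VICTIM, "udp") for k in range(5)]
            for k in range(2):   # two short TCP handshakes per second
                pkts.append(Pkt(sec + 0.5 * k, mac, ip, VICTIM, "tcp", "S"))
                pkts.append(Pkt(sec + 0.5 * k + 0.01, mac, ip, VICTIM, "tcp", "A"))
    # UDP flood: one source, 300 packets in 0.3 s
    pkts += [Pkt(1.0 + i / 1000, "02:00:00:00:ff:01", "198.51.100.7", VICTIM, "udp")
             for i in range(300)]
    # ICMP flood: 250 echo requests in 0.25 s
    pkts += [Pkt(2.0 + i / 1000, "02:00:00:00:ff:02", "198.51.100.8", VICTIM, "icmp")
             for i in range(250)]
    # SYN flood: 150 bare SYNs from 100 forged source addresses
    pkts += [Pkt(2.5 + i / 1000, "02:00:00:00:ff:03", f"198.51.100.{100 + i % 100}",
                 VICTIM, "tcp", "S") for i in range(150)]
    # MAC flood: 80 frames from 80 never-seen source MACs in 0.08 s
    pkts += [Pkt(0.5 + i / 1000, f"02:00:00:00:{i:02x}:ee", "192.0.2.200", VICTIM, "udp")
             for i in range(80)]
    return pkts


if __name__ == "__main__":
    for kind, key, ts in detect(build_trace()):
        print(f"{ts:6.3f}s  {kind:<10}  {key}")
```

Two details are worth noticing: the benign hosts never trip a threshold even though together they send far more than any single limit, because every counter is keyed on the entity a flood actually abuses (one source, one victim, one switch segment); and the MAC-flood frames arrive at a modest per-source rate, so only the distinct-MAC counter sees them.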

Ping of death

This type of attack is not a serious problem today, although it used to be common. The idea is a memory buffer overflow caused by exceeding the maximum allowed IP packet size, as a result of which the server and network equipment refuse to service packets of any type.

Slowloris

A targeted attack of this type lets small forces achieve large results: using a server that is far from the most powerful, much more productive equipment can be brought down. No other protocols are needed. The attacker's server opens the maximum number of HTTP connections to the target and tries to keep them open for as long as possible.

Naturally, the attacked server eventually runs out of connections, and legitimate requests are no longer accepted or processed.
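Because a Slowloris-style client sends very little traffic, the per-second counters used against floods do not see it; what gives it away is connection state. The added example below (not code from the original article) tracks, for each open connection, whether the request header has been completed and for how long it has been pending, and reports sources holding many such stalled connections. The event sequence, addresses and limits are constructed assumptions.

```python
"""Connection-state monitor for slow-header (Slowloris-style) clients.

Added example, not from the article: instead of counting packets per second,
it tracks how long each open connection has gone without completing its
request header and flags sources holding many such stalled connections.
The connection events are constructed here; the limits are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src_ip: str
    opened: float          # time the TCP connection was accepted
    header_done: bool = False


class SlowHeaderMonitor:
    def __init__(self, header_timeout=10.0, per_source_limit=20):
        self.header_timeout = header_timeout      # seconds a header may stay incomplete
        self.per_source_limit = per_source_limit  # stalled connections tolerated per source
        self.conns = {}                           # connection id -> Conn

    def on_open(self, cid, src_ip, ts):
        self.conns[cid] = Conn(src_ip, ts)

    def on_header_complete(self, cid):
        if cid in self.conns:
            self.conns[cid].header_done = True

    def on_close(self, cid):
        self.conns.pop(cid, None)

    def stalled_by_source(self, now):
        """Count, per source, connections past the timeout with no complete header."""
        counts = defaultdict(int)
        for c in self.conns.values():
            if not c.header_done and now - c.opened > self.header_timeout:
                counts[c.src_ip] += 1
        return dict(counts)

    def offenders(self, now):
        """Sources whose stalled-connection count exceeds the per-source limit."""
        return sorted(ip for ip, n in self.stalled_by_source(now).items()
                      if n > self.per_source_limit)


def simulate():
    """Constructed scenario: ordinary clients, one client on a poor link, one attacker."""
    mon = SlowHeaderMonitor()
    # 30 ordinary clients: open, finish the header within 200 ms, get answered, close
    for i in range(30):
        cid = f"ok-{i}"
        mon.on_open(cid, f"192.0.2.{i + 1}", 0.1 * i)
        mon.on_header_complete(cid)
        mon.on_close(cid)
    # a client on a poor link: 3 connections that are slow but within tolerance
    for i in range(3):
        mon.on_open(f"slowlink-{i}", "192.0.2.100", 1.0)
    # the abusive client: 40 connections opened at t=1 s that never finish their headers
    for i in range(40):
        mon.on_open(f"stall-{i}", "198.51.100.9", 1.0)
    return mon


if __name__ == "__main__":
    mon = simulate()
    print("stalled at t=15s:", mon.stalled_by_source(15.0))
    print("offenders:", mon.offenders(15.0))
```

The two knobs map directly onto what a web server or reverse proxy exposes: a header read timeout (so a single slow connection is eventually dropped anyway) and a per-client connection cap, which is the usual mitigation for this class of attack.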

Reflected attacks

An unusual type of attack in which the attacker's server sends packets with a forged source IP address to as many machines as possible. All the servers that receive them send their responses to the IP address specified in the packet, and the recipient cannot cope with the load and freezes. The performance of the attacker's server can be 10 times lower than the planned attack power: a server sending out 100 Mbps of spurious requests can completely saturate the victim's gigabit channel.

Degradation

In this type of attack, the attacker's server imitates the actions of a real person or a whole audience. The simplest variant is to request the same resource page thousands of times. The easiest way to deal with this is to temporarily return an error and block the attacked page.

A more complex type of attack is a request for a large number of various server resources, including media files, pages, and everything else, as a result of which the victim's server stops working.

Complex attacks of this type are quite difficult to filter out, as a result, you have to use specialized programs and services.

Zero-day attack

This is the name for attacks that exploit previously unknown vulnerabilities or weaknesses in a service. To combat the problem, the attack must first be studied before anything can be done about it.

Conclusion: the most complex type of attack is combined, where various types of DDoS are used. The more difficult the combination, the more difficult it is to defend against it. A common problem for DDoS, or rather for DDoS victims, is the general availability of this type of attack. There are a large number of applications and services on the Web that allow powerful attacks to be carried out for free or almost free of charge.

There are four main categories of attacks:

  • access attacks;
  • modification attacks;
  • denial of service attacks;
  • repudiation (denial of commitment) attacks.

Let's take a closer look at each category. There are many ways to carry out attacks: using specially designed tools, social engineering methods, or vulnerabilities in computer systems. Social engineering uses no technical means to gain unauthorized access to the system: the attacker obtains information through a simple phone call or infiltrates the organization under the guise of an employee. This type of attack is the most destructive.

Attacks aimed at capturing information stored in electronic form have one interesting feature: information is not stolen, but copied. It remains with the original owner, but the attacker also gets it. Thus, the owner of the information incurs losses, and it is very difficult to find the moment when this happened.

Access attacks

An access attack is an attempt by an attacker to obtain information that he does not have permission to view. Such an attack can be carried out wherever information and means for its transmission exist. An access attack aims to violate the confidentiality of information. There are the following types of access attacks:

  • snooping (peeping);
  • eavesdropping;
  • interception.

Snooping (peeping) is the viewing of files or documents to find information of interest to the attacker. If documents are stored as printouts, the attacker will open desk drawers and rummage through them. If the information is in a computer system, he will go through it file by file until he finds what he needs.

Eavesdropping(eavesdropping) is an unauthorized wiretapping of a conversation in which the attacker is not a party. In order to obtain unauthorized access to information, in this case, the attacker must be close to it. Very often, he uses electronic devices. The introduction of wireless networks has increased the likelihood of successful wiretapping. Now the attacker does not need to be inside the system or physically connect the eavesdropping device to the network.

Unlike eavesdropping, interception is an active attack: the attacker captures information as it travels to its destination, analyzes it, and then decides whether to let it pass further or to block it.

Access attacks take various forms depending on how the information is stored: as paper documents or electronically on a computer. If the information the attacker needs is stored as paper documents, he will need access to those documents. They may be found in the following places: in filing cabinets, in desk drawers or on desks, in a fax machine or printer, in the trash, in an archive. Therefore, an attacker needs to physically get into all of these places.

Thus, physical access is the key to obtaining data. It should be noted that strong protection of premises will protect data only from unauthorized persons, but not from employees of the organization or internal users.

Information in electronic form is stored: on workstations, on servers, in laptop computers, on floppy disks, on CDs, on backup magnetic tapes.

An attacker could simply steal a storage medium (floppy disk, CD, backup tape, or laptop). This is sometimes easier than accessing files stored on computers.

If the attacker has legal access to the system, he will analyze the files by simply opening them one by one. With the proper level of control over permissions, access for an illegal user will be denied, and access attempts will be recorded in the logs.

Correctly configured permissions will prevent accidental information leakage. However, a serious attacker will try to bypass the control system and gain access to the information they need. There are many vulnerabilities that will help him in this.

When information travels over the network, it can be accessed by listening in on the transmission. The attacker does this by installing a network packet analyzer (sniffer) on a computer system. Typically this is a computer configured to capture all network traffic, not just the traffic addressed to that computer. To do this, the attacker must elevate his privileges on the system or connect to the network. The analyzer is configured to capture any information passing over the network, and especially user IDs and passwords.

Eavesdropping is also carried out in global computer networks such as leased lines and telephone connections. However, this type of interception requires appropriate equipment and special knowledge.

Interception is possible even in fiber-optic communication systems using specialized equipment, usually performed by a qualified attacker.

Gaining access to information by interception is one of the most difficult tasks for an attacker. To succeed, he must place his system on the transmission path between the sender and the recipient of the information. On the Internet this is done by manipulating name resolution so that a computer name is translated into the wrong address: traffic is then redirected to the attacker's system instead of the real destination. With a suitably configured system, the sender will never know that his information did not reach the recipient.

Interception is also possible during a valid communication session. This type of attack is best suited for capturing interactive traffic. In this case, the attacker must be on the same network segment where the client and server are located. The attacker waits for a legitimate user to open a session on the server, and then, using specialized software, takes over the session while it is running.

Modification attacks

A modification attack is an attempt to change information without authorization. Such an attack is possible wherever information exists or is transmitted. It is aimed at violating the integrity of information.

One type of modification attack is the replacement of existing information, such as changing an employee's salary. A replacement attack targets both classified and public information.

Another type is the addition of new data, for example, records about past periods. In this case an attacker performs an operation in the banking system as a result of which funds from a client's account are transferred to his own account.

A deletion attack means removing existing data, such as canceling a transaction record from a bank's balance sheet so that the withdrawn funds appear to remain in the account.

Like access attacks, modification attacks are performed against information stored as paper documents or electronically on a computer.

It is difficult to alter paper documents without anyone noticing: if there is a signature (for example, on a contract), its forgery has to be taken care of, and a sealed document must be carefully reassembled. If copies of the document exist, they also have to be redone like the original, and since it is almost impossible to find all the copies, a fake is very easy to spot.

It is very difficult to add or remove entries from the activity logs. First, the information in them is arranged in chronological order, so any change will be immediately noticed. The best way is to withdraw the document and replace it with a new one. This type of attack requires physical access to information.

It is much easier to modify information stored electronically. Provided the attacker has access to the system, such an operation leaves behind a minimum of evidence. Without authorized access to the files, the attacker must first obtain a login or change the file's access control parameters.

Changing database files or a list of transactions must be done very carefully. Transactions are numbered sequentially, and deleting or adding records with wrong transaction numbers will be noticed. In these cases the attacker has to work thoroughly across the whole system to avoid detection.
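The point above, that sequential transaction numbers expose deletions and insertions, is the basis of a simple integrity check. The added example below (not code from the original article) verifies a sequentially numbered transaction log and goes one step further than the text: each record also carries a SHA-256 hash chained to the previous record, so an amount edited in place is detected too, not only a missing or inserted record. The accounts, amounts and the tampering helpers are constructed for the example; keeping the latest hash on a separate audit host is an assumed practice that closes the one gap the chain alone leaves (silent truncation of the tail).

```python
"""Integrity check for a sequentially numbered transaction log.

Added example, not from the article.  Beyond the text's point about
sequential transaction numbers, each record carries a SHA-256 hash chained
to the previous record, so an edited amount is detected as well as a deleted
or inserted record.  Records are constructed; accounts and amounts are
placeholders.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64   # chain anchor for the first record


def record_hash(seq, prev_hash, payload):
    """Canonical JSON so identical content always hashes identically."""
    material = json.dumps({"seq": seq, "prev": prev_hash, "payload": payload},
                          sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def append(ledger, payload):
    seq = ledger[-1]["seq"] + 1 if ledger else 1
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"seq": seq, "prev": prev, "payload": payload,
                   "hash": record_hash(seq, prev, payload)})
    return ledger


def verify(ledger, expected_head=None):
    """Return (index, description) for every inconsistency found.

    expected_head is the last hash recorded out-of-band (assumed to live on a
    separate audit host); without it, truncating the tail is undetectable."""
    problems = []
    expected_seq, prev = 1, GENESIS
    for i, rec in enumerate(ledger):
        if rec["seq"] != expected_seq:
            problems.append((i, f"sequence gap: expected {expected_seq}, found {rec['seq']}"))
        if rec["prev"] != prev:
            problems.append((i, "chain broken: prev does not match the preceding record"))
        if rec["hash"] != record_hash(rec["seq"], rec["prev"], rec["payload"]):
            problems.append((i, "record altered: stored hash does not match contents"))
        expected_seq, prev = rec["seq"] + 1, rec["hash"]
    head = ledger[-1]["hash"] if ledger else GENESIS
    if expected_head is not None and head != expected_head:
        problems.append((len(ledger), "head mismatch: records missing from the tail"))
    return problems


def build_sample_ledger():
    ledger = []
    for payload in [{"acct": "A-100", "amount": -500.0},
                    {"acct": "A-200", "amount": 500.0},
                    {"acct": "A-100", "amount": -75.0}]:
        append(ledger, payload)
    return ledger


def delete_middle(ledger):
    """Tampering as in the text: a transaction record is removed."""
    t = copy.deepcopy(ledger)
    del t[1]
    return t


def modify_amount(ledger):
    """Tampering: an amount is edited in place, numbering left intact."""
    t = copy.deepcopy(ledger)
    t[2]["payload"]["amount"] = -7.5
    return t


if __name__ == "__main__":
    clean = build_sample_ledger()
    print("clean:     ", verify(clean))
    print("deleted:   ", verify(delete_middle(clean)))
    print("modified:  ", verify(modify_amount(clean)))
    print("truncated: ", verify(clean[:-1], expected_head=clean[-1]["hash"]))
```

Removing a record shows up twice at the same index (a numbering gap and a broken chain link), an in-place edit shows up only as a hash mismatch, and dropping the last record is invisible until the stored head hash is compared, which is exactly why the head must be kept somewhere the log's writer cannot reach.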
