Types of hacker attacks on web resources. What is a network attack

IP Network Security Issues

Network security threat analysis.

To organize communications in a heterogeneous network environment, the TCP/IP protocol suite is used, which ensures compatibility between computers of different types. Compatibility is one of the main advantages of TCP/IP, which is why most computer networks support these protocols. In addition, the TCP/IP protocols provide access to the resources of the global Internet.

Because of this popularity, TCP/IP has become the de facto standard for internetworking. However, the ubiquity of the TCP/IP protocol stack has also exposed its weaknesses. When creating their brainchild, the architects of the TCP/IP stack saw no reason to worry much about protecting the networks built on top of it. As a result, the specifications of early versions of the IP protocol contained no security requirements, which left its implementations vulnerable from the start.

The rapid growth in the popularity of Internet technologies is accompanied by a growing risk of disclosure of personal data, critical corporate resources, state secrets, and so on.

Every day, hackers and other intruders threaten network information resources, trying to gain access to them by means of special attacks. These attacks are becoming more sophisticated in their impact and easier to execute. Two main factors contribute to this.

The first is the ubiquitous penetration of the Internet. Today, millions of computers are connected to this network, and with many more expected to be connected in the near future, the likelihood of hackers gaining access to vulnerable computers and networks is constantly increasing. In addition, the widespread use of the Internet allows hackers to share information on a global scale.

The second is the ubiquity of easy-to-use operating systems and development environments. This factor sharply lowers the level of knowledge required of an attacker. Previously, a hacker needed good knowledge and programming skills to create and distribute malware. Now, to obtain a hacking tool, it is enough to know the IP address of the site that offers it, and carrying out the attack takes a mouse click.

The problems of ensuring information security in corporate computer networks stem from security threats to local workstations and local networks, and from attacks on corporate networks that are connected to public data networks.

Network attacks are as varied as the systems they target. Some attacks are very sophisticated; others can be carried out by an ordinary operator who does not even imagine what consequences his activity may have.



The intruder, carrying out an attack, usually pursues the following goals:

• violation of the confidentiality of transmitted information;
• violation of the integrity and reliability of transmitted information;
• disruption of the operability of the system as a whole or of its individual parts.

From a security point of view, distributed systems are characterized above all by the possibility of remote attacks, since the components of distributed systems usually communicate over open data transmission channels, and an intruder can not only passively listen to the transmitted information but also modify the transmitted traffic (active impact). While active tampering with traffic can be detected, passive interception is practically undetectable. Moreover, since the service information exchanged between the components of a distributed system also travels over open channels, service information becomes as much a target of attack as user data.

The difficulty of detecting a remote attack places this type of illegal action first in terms of danger, since it prevents a timely response to the threat, and as a result the attacker has an increased chance of carrying out the attack successfully.

The security of a local network differs from the security of internetworking in that violations by registered (legitimate) users take the most important place, since, as a rule, the data transmission channels of a local network are located in a controlled area and protection against unauthorized connection to them is implemented by administrative methods.

In practice, IP networks are vulnerable to a number of methods of unauthorized intrusion into the communication process. With the development of computer and network technologies (for example, with the advent of mobile Java applications and ActiveX controls), the list of possible types of network attacks on IP networks is constantly expanding [Galitsky A.V., Ryabko S.D., Shangin V.F. Protection of information in the network - analysis of technologies and synthesis of solutions. Moscow: DMK Press, 2004].

Consider the most common types of network attacks.

Eavesdropping (sniffing). For the most part, data is transmitted over computer networks in an unprotected format (clear text), which allows an attacker who gains access to the data lines of your network to eavesdrop on or read the traffic. The tool used for eavesdropping on computer networks is a packet sniffer: an application program that intercepts all network packets passing through a particular network segment (domain).

Currently, sniffers are used in networks on a completely legal basis, for troubleshooting and traffic analysis. However, because some network applications transmit data in plain text (Telnet, FTP, SMTP, POP3, etc.), a sniffer can reveal useful and sometimes confidential information (for example, usernames and passwords).

Sniffing passwords transmitted over the network in unencrypted form by "listening" to the channel is a type of eavesdropping attack. Interception of names and passwords is very dangerous, since users often use the same login and password for many applications and systems; many users have a single password for all resources and applications. If an application runs in client/server mode and the authentication data is sent over the network in readable text form, this information is likely to be used to access other corporate or external resources.

In the worst case, a hacker gains system-level access to a user's resource and uses it to create new user accounts that can be used at any time to access the network and its resources.

The threat of packet sniffing can be countered by the following measures and means:

• the use of one-time passwords for authentication;
• installation of hardware or software that recognizes sniffers;
• cryptographic protection of communication channels.

Data modification. An attacker who was able to read your data will be able to take the next step and change it. Data in a packet can be changed even if the attacker knows nothing about the sender or the recipient. Even if you do not need strict confidentiality of all transmitted data, you probably do not want it changed along the way.

Network traffic analysis. The purpose of attacks of this type is to listen to communication channels and analyze the transmitted data and service information in order to study the topology and architecture of the system and to obtain critical user information (for example, user passwords or credit card numbers transmitted in the clear). Protocols such as FTP or Telnet are susceptible to attacks of this type, since in these protocols the user name and password are transmitted in the clear.

Impersonating a trusted subject. Most networks and operating systems use a computer's IP address to decide whether a party is the one it claims to be. In some cases an IP address is assigned incorrectly, i.e. the sender's IP address is substituted with another one; this method of attack is called address falsification (IP spoofing).

IP spoofing occurs when an attacker, inside or outside a corporation, poses as a legitimate user. The attacker can use an IP address within the range of authorized IP addresses, or an authorized external address that is allowed to access certain network resources. The attacker can also use special programs that form IP packets so that they appear to come from authorized internal addresses of the corporate network.

IP spoofing attacks are often the starting point for other attacks. A classic example is a denial of service (DoS) attack launched from someone else's address, which hides the true identity of the hacker. Typically, IP spoofing is limited to inserting false information or malicious commands into a normal data stream transmitted between a client and a server application or over a communication channel between peers.

The threat of spoofing can be mitigated (but not eliminated) by the following measures:

• correct configuration of access control from the external network;
• blocking attempts by users of your own network to spoof the addresses of foreign networks.

It should be kept in mind that IP spoofing succeeds only when users are authenticated on the basis of IP addresses, so introducing additional methods of user authentication (one-time passwords or other cryptographic methods) helps prevent IP spoofing attacks.
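The two anti-spoofing measures above (access control from the external network, and blocking foreign source addresses leaving your own network) as a filter check, written as an added example and not code from the article; the internal range 10.0.0.0/8, the interface names and the sample packets are constructed assumptions.

```python
"""Anti-spoofing filter check on a border router (added example).

Constructed assumptions: the corporate network is 10.0.0.0/8, the router has
an "outside" (Internet-facing) and an "inside" interface, and a packet is
described by (interface it arrived on, source IP, destination IP).
"""
import ipaddress

# Assumed internal address range of the corporate network
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Ranges that can never be a valid source on a packet arriving from the Internet
UNROUTABLE_NETS = [ipaddress.ip_network(n)
                   for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def in_any(addr, nets):
    """True if the address belongs to any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def filter_packet(iface, src, dst):
    """Return (verdict, reason) for one packet.

    Ingress rule (outside interface): a packet coming from the Internet must
    not claim an internal source address.  Egress rule (inside interface):
    hosts of our own network may only send with our own addresses, which
    stops our users from spoofing foreign networks.  A packet from the
    Internet carrying an *authorized external* address still passes, which is
    why the article says spoofing is mitigated, not eliminated, and why
    authentication must not rely on IP addresses alone.
    """
    if iface == "outside":
        if in_any(src, INTERNAL_NETS):
            return "drop", "ingress: internal source address from outside (spoofed)"
        if in_any(src, UNROUTABLE_NETS):
            return "drop", "ingress: unroutable source address"
        return "accept", ""
    if iface == "inside":
        if not in_any(src, INTERNAL_NETS):
            return "drop", "egress: foreign source address from inside (spoofing)"
        return "accept", ""
    return "drop", "unknown interface"


def audit(packets):
    """Apply the filter to a list of (iface, src, dst) and return the drops."""
    drops = []
    for pkt in packets:
        verdict, reason = filter_packet(*pkt)
        if verdict == "drop":
            drops.append((pkt, reason))
    return drops


# Constructed sample traffic
SAMPLE_PACKETS = [
    ("outside", "198.51.100.9", "10.0.0.5"),   # ordinary inbound packet
    ("outside", "10.1.2.3", "10.0.0.5"),       # claims to be internal: spoofed
    ("inside", "10.2.3.4", "198.51.100.9"),    # ordinary outbound packet
    ("inside", "192.0.2.7", "198.51.100.9"),   # our user spoofing a foreign address
]

if __name__ == "__main__":
    for pkt, reason in audit(SAMPLE_PACKETS):
        print(pkt, "->", reason)
```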

Mediation (intermediary attack). A mediation attack involves active eavesdropping, interception and manipulation of transmitted data by an invisible intermediate node. When computers communicate at low network levels, they cannot always determine with whom they are communicating.

Mediation in the exchange of unencrypted keys (Man-in-the-Middle attack). To carry out a Man-in-the-Middle attack, an attacker needs access to the packets transmitted over the network. Such access to all packets transmitted from an ISP to any other network can, for example, be obtained by an employee of that ISP. Packet sniffers, transport protocols and routing protocols are often used for this type of attack.

More generally, Man-in-the-Middle attacks are carried out to steal information, hijack the current session and gain access to private network resources, analyze traffic and obtain information about the network and its users, carry out DoS attacks, distort transmitted data and inject unauthorized information into network sessions.

Man-in-the-Middle attacks can only be effectively countered with the help of cryptography. To resist this type of attack, a public key infrastructure (PKI) is used.

Session hijacking. At the end of the initial authentication procedure, the connection established by a legitimate user, for example with a mail server, is switched by the attacker to a new host, and the original server is instructed to close the connection. As a result, the legitimate user's "interlocutor" is imperceptibly replaced.

After gaining access to the network, the intruder has wide opportunities:

• send incorrect data to applications and network services, causing them to crash or malfunction;
• flood a computer or an entire network with traffic until the system crashes from overload;
• finally, block traffic, so that authorized users lose access to network resources.

Denial of Service (DoS). This attack differs from other types of attacks: it is not intended to gain access to your network or to extract any information from it. A DoS attack renders an organization's network unusable for normal operation by exceeding the limits of the network, operating system or application. In essence, this attack denies ordinary users access to resources or computers on the organization's network.

Most DoS attacks rely on general weaknesses in system architecture. In the case of some server applications (such as a Web server or FTP server), a DoS attack can take all the connections available to these applications and keep them busy, preventing service to ordinary users. DoS attacks can use common Internet protocols such as TCP and ICMP (Internet Control Message Protocol).

DoS attacks are difficult to prevent, as they require coordination with the ISP. If the traffic intended to flood your network is not stopped at the provider, you can no longer stop it at the entrance to your network, because the entire bandwidth will already be occupied.

If this type of attack is carried out simultaneously through many devices, we speak of a distributed denial of service (DDoS) attack.

The ease of carrying out DoS attacks and the enormous damage they cause to organizations and users draw close attention to these attacks from network security administrators.

Password attacks. The purpose of these attacks is to take over the login and password of a legitimate user. Attackers can carry out password attacks using methods such as:

• IP address spoofing (IP spoofing);
• eavesdropping (sniffing);
• simple enumeration of passwords.

IP spoofing and packet sniffing have been discussed above. These methods allow you to get hold of the user's password and login if they are transmitted in clear text over an insecure channel.

Often, hackers try to guess the login and password by making numerous access attempts. This approach is called a brute-force attack. The attack uses a special program that tries to access a shared resource (for example, a server). If the attacker manages to guess the password, he gains access to resources as a regular user. If that user has significant access privileges, the attacker can create a "pass" for himself for future access that will keep working even after the user changes his password and login.

Means of interception, selection and cracking of passwords are now considered practically legal and are officially released by a fairly large number of companies. They are marketed as security auditing and password recovery software and can be legally purchased from the developers.

Password attacks can be avoided by not using plain text passwords. The use of one-time passwords and cryptographic authentication can practically negate the threat of such attacks. Unfortunately, not all applications, hosts, and devices support these authentication methods.

When using regular passwords, you need to come up with one that is difficult to guess. The password must be at least eight characters long and must include uppercase letters, digits and special characters (#, $, &, %, etc.).
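The brute-force attack and the password rules described in this section, seen from the defender's side as an added example (not code from the article): a sliding-window count of failed logins per source address over constructed authentication log lines, which also flags the case the text warns about, a successful login right after a burst of failures, plus a check of the eight-character/uppercase/digit/special-character rule. The log format, thresholds and the set of "special characters" (any punctuation) are assumptions.

```python
"""Brute-force login detection and password policy check (added example).

Constructed log format, one event per line:
'<ISO timestamp> LOGIN <FAIL|OK> user=<name> src=<ip>'
"""
import re
import string
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) LOGIN (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one attacker cycling guesses against 'alice' from
# 203.0.113.5, and one legitimate user (bob) who mistypes once.
SAMPLE_LOG = """\
2024-05-01T10:00:01 LOGIN FAIL user=alice src=203.0.113.5
2024-05-01T10:00:03 LOGIN FAIL user=alice src=203.0.113.5
2024-05-01T10:00:05 LOGIN FAIL user=bob src=198.51.100.7
2024-05-01T10:00:06 LOGIN FAIL user=alice src=203.0.113.5
2024-05-01T10:00:08 LOGIN FAIL user=alice src=203.0.113.5
2024-05-01T10:00:09 LOGIN OK user=bob src=198.51.100.7
2024-05-01T10:00:10 LOGIN FAIL user=alice src=203.0.113.5
2024-05-01T10:00:12 LOGIN FAIL user=alice src=203.0.113.5
2024-05-01T10:00:14 LOGIN OK user=alice src=203.0.113.5
""".splitlines()


def parse_line(line):
    """Return the parsed fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Count failures per source address inside a sliding time window.

    Emits ('bruteforce', src, n_failures) once per source when the threshold
    is crossed, and ('success_after_bruteforce', src, user) when a source
    that has already been flagged subsequently logs in successfully, i.e. the
    guessing most likely worked and the account must be treated as taken over.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures still in the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        # Drop failures that have fallen out of the window
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("bruteforce", ev["src"], len(q)))
        elif ev["src"] in flagged:
            alerts.append(("success_after_bruteforce", ev["src"], ev["user"]))
    return alerts


def password_meets_policy(pw, min_len=8):
    """The article's rule: at least eight characters, with uppercase letters,
    digits and special characters.  Treating any punctuation character as
    'special' is an assumption of this example."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```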

Key guessing. A cryptographic key is a code or number needed to decrypt protected information. Although finding the key is difficult and resource-intensive, it is nevertheless possible. In particular, a special program implementing the brute-force method can be used to determine the key value. A key that an attacker has obtained is called a compromised key. The attacker uses the compromised key to gain access to protected transmitted data without the knowledge of the sender and recipient; the key makes it possible to decrypt and modify the data.

Application layer attacks. These attacks can be carried out in several ways. The most common of these is to exploit known weaknesses in server software (FTP, HTTP, Web server).

The main problem with application layer attacks is that they often use ports that are allowed to pass through the firewall.

Information about application-layer attacks is widely published so that administrators can correct the problem with corrective modules (patches). Unfortunately, many hackers have access to the same information and learn from it.

It is not possible to completely eliminate application layer attacks. Hackers are constantly discovering and publishing new vulnerabilities in application programs on their websites on the Internet.

This is where good system administration matters. To reduce vulnerability to this type of attack, you can take the following steps:

• analyze operating system and network log files using special analytical applications;
• track CERT data on application weaknesses;
• use the latest versions of operating systems and applications and the latest patches;
• use intrusion detection systems (IDS).

Network reconnaissance. Network reconnaissance is the collection of information about a network using publicly available data and applications. When preparing an attack against a network, a hacker usually tries to obtain as much information about it as possible.

Network reconnaissance is done in the form of DNS queries, echo testing (ping sweep) and port scanning. DNS queries help to find out who owns a particular domain and which addresses are assigned to it. Pinging the addresses discovered through DNS shows which hosts are actually running in the environment. Given a list of hosts, the hacker uses port scanning tools to compile a complete list of services supported by those hosts. The result is information that can be used for an intrusion.

It is impossible to get rid of network reconnaissance completely. If, for example, you disable ICMP echo and echo reply on perimeter routers, you will get rid of ping sweeps, but you will lose data needed to diagnose network failures. Ports can also be scanned without pinging first; it just takes longer, since non-existent IP addresses also have to be scanned.

Network- and host-level IDS usually do a good job of notifying the administrator of ongoing network reconnaissance, which allows them to prepare better for the upcoming attack and alert the ISP on whose network a system showing excessive curiosity is installed.
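What an IDS notifying the administrator of reconnaissance does at its core, as an added example (not code from the article): over constructed firewall log lines, it flags a source that sends echo requests to many distinct hosts (ping sweep) and, independently, a source that probes many distinct ports on one host (port scan), so a scan that skips the ping step is still caught. The log format, thresholds and addresses are assumptions.

```python
"""Ping sweep and port scan detection over firewall log lines (added example).

Constructed log format, one line per packet:
'<ts> proto=icmp src=<ip> dst=<ip>'                 echo request
'<ts> proto=tcp src=<ip> dst=<ip> dport=<port>'     connection attempt
"""
import re
from collections import defaultdict

FW_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>icmp|tcp) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: dport=(?P<dport>\d+))?$"
)


def parse_fw_line(line):
    """Return the parsed fields as a dict, or None for lines in another format."""
    m = FW_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_recon(lines, sweep_hosts=8, scan_ports=10):
    """Return findings: ('ping_sweep', src, n_hosts) when one source sends echo
    requests to at least sweep_hosts distinct hosts, and
    ('port_scan', src, dst, n_ports) when one source tries at least scan_ports
    distinct ports on one host.  Time windows are left out for brevity; a
    production detector would expire old entries."""
    pinged = defaultdict(set)      # src -> hosts that received echo requests
    probed = defaultdict(set)      # (src, dst) -> ports tried
    for line in lines:
        ev = parse_fw_line(line)
        if ev is None:
            continue
        if ev["proto"] == "icmp":
            pinged[ev["src"]].add(ev["dst"])
        elif ev["dport"] is not None:
            probed[(ev["src"], ev["dst"])].add(int(ev["dport"]))
    findings = []
    for src, hosts in sorted(pinged.items()):
        if len(hosts) >= sweep_hosts:
            findings.append(("ping_sweep", src, len(hosts)))
    for (src, dst), ports in sorted(probed.items()):
        if len(ports) >= scan_ports:
            findings.append(("port_scan", src, dst, len(ports)))
    return findings


def build_sample_log():
    """Constructed traffic: one scanner (203.0.113.9) sweeping 10.0.0.1-12 and
    then probing eleven ports on 10.0.0.5; one ordinary host (10.0.0.20) that
    pings the gateway and opens two HTTPS connections."""
    lines = [f"2024-05-01T10:00:{i:02d} proto=icmp src=203.0.113.9 dst=10.0.0.{i}"
             for i in range(1, 13)]
    for n, port in enumerate((21, 22, 23, 25, 53, 80, 110, 143, 443, 3389, 8080)):
        lines.append(f"2024-05-01T10:01:{n:02d} proto=tcp src=203.0.113.9 "
                     f"dst=10.0.0.5 dport={port}")
    lines += [
        "2024-05-01T10:02:00 proto=icmp src=10.0.0.20 dst=10.0.0.1",
        "2024-05-01T10:02:01 proto=tcp src=10.0.0.20 dst=10.0.0.5 dport=443",
        "2024-05-01T10:02:05 proto=tcp src=10.0.0.20 dst=10.0.0.5 dport=443",
    ]
    return lines


if __name__ == "__main__":
    for finding in detect_recon(build_sample_log()):
        print(finding)
```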

Abuse of trust. This type of action is not an attack in the full sense of the word. It is a malicious exploitation of the trust relationships that exist in the network. A typical example of such abuse is the situation at the edge of a corporate network: this segment typically hosts DNS, SMTP and HTTP servers. Since they all belong to the same segment, a breach of one of them leads to a breach of all the others, because these servers trust other systems on their network.

You can reduce the risk of breach of trust by controlling the levels of trust within your network more tightly. Systems outside the firewall should never be absolutely trusted by systems behind the firewall.

Trust relationships should be limited to certain protocols and, where possible, authenticated not only by IP addresses but also by other parameters.

Malicious programs. Such programs include computer viruses, network worms and Trojan horses.

Viruses are malicious programs that inject themselves into other programs to perform some undesirable function on the end user's workstation. A virus is usually designed by attackers to remain undetected in a computer system for as long as possible. The initial dormant period of a virus is its survival mechanism. The virus manifests itself in full at a specific moment in time, when some trigger event occurs, for example, Friday the 13th, a known date, etc.

A variety of virus program is the network worm, which spreads over the global network and does not leave a copy of itself on magnetic media. The term refers to programs that, like tapeworms, travel across a computer network from one system to another. The worm uses network support mechanisms to determine which host can be infected. Then, using the same mechanisms, the worm transfers its body to that node and either activates or waits for suitable conditions for activation. Network worms are a dangerous type of malware, since any of the millions of computers connected to the global Internet can become the object of their attack. To protect against worms, precautions must be taken against unauthorized access to the internal network.

Computer viruses are related to the so-called "Trojan horses" (Trojans). A Trojan horse is a program that looks like a useful application but actually performs harmful functions (destruction of software, copying and sending files with confidential data to an attacker, etc.). The danger of a "Trojan horse" lies in an additional block of commands inserted into an originally harmless program, which is then provided to users of the automated system (AS). This block of commands can be triggered when some condition occurs (date, system state) or by an external command. A user who runs such a program endangers both his files and the AS as a whole.

According to the Sophos Security Threat Management Report, in the first half of 2006 the number of Trojans distributed outnumbered viruses and worms four to one, up from two to one in the first six months of 2005. Sophos also reports the emergence of a new kind of Trojan, known as ransomware. Such programs steal data from infected computers, and the user is then asked to pay a ransom for it.

End user workstations are very vulnerable to viruses, worms and Trojan horses.

A feature of modern malware is their focus on specific application software, which has become the de facto standard for most users, primarily Microsoft Internet Explorer and Microsoft Outlook. The mass creation of viruses for Microsoft products is explained not only by the low level of security and reliability of programs, but also by the global distribution of these products. Authors of malicious software are increasingly beginning to explore "holes" in popular DBMSs, middleware, and corporate business applications built on top of these systems.

Viruses, worms and Trojans are constantly evolving, and polymorphism is the main trend in their development. Today it is already quite difficult to draw a line between a virus, a worm and a Trojan: they use almost the same mechanisms, differing only in the degree to which they use them. The design of malicious software has become so unified that, for example, it is almost impossible to distinguish a mail virus from a worm with destructive functions. Even "Trojan" programs have a replication function (as one means of counteracting anti-virus tools), so, if desired, they can be called viruses (with a distribution mechanism in the form of disguise as application programs).

To protect against these malicious programs, a number of measures must be applied:

• exclusion of unauthorized access to executable files;
• testing of purchased software;
• integrity control of executable files and system areas;
• creation of a closed program execution environment.

Viruses, worms and Trojan horses are fought with effective antivirus software working at the user level and, possibly, at the network level. As new viruses, worms and Trojan horses emerge, new antivirus databases and tools must be installed.

Spam and phishing belong to non-software threats. The prevalence of these two threats has increased significantly in recent times.

Spam, which now exceeds 80% of total mail traffic, can threaten the availability of information by overloading mail servers, or be used to distribute malicious software.

Phishing is a relatively new type of Internet fraud whose purpose is to obtain users' identity data: the theft of passwords, credit card numbers, bank account numbers, PIN codes and other confidential information that gives access to the user's money. Phishing exploits not technical flaws of software but the gullibility of Internet users. The term phishing, which echoes "fishing", stands for password harvesting fishing. Indeed, phishing is very similar to fishing: an attacker throws bait onto the Internet and "catches all the fish", that is, the Internet users who take the bait.

An attacker creates an almost exact copy of the site of the selected bank (electronic payment system, auction, etc.). Then, using spam technology, an e-mail is sent that is composed to resemble a real letter from the selected bank as closely as possible: bank logos and the names of real bank managers are used. Such a letter usually reports that, because of a change in the software of the Internet banking system, the user needs to confirm or change his credentials; the stated reason may be a failure of the bank's software or an attack by hackers. A believable legend that prompts the user to take the required actions is an indispensable component of the phishers' success. In all cases the purpose of such letters is the same: to make the user click on the link provided and then enter confidential data (passwords, account numbers, PIN codes) on the false website of the bank (electronic payment system, auction). On the false site, the user enters his confidential data in the appropriate fields, and the scammers then gain access, at best, to his mailbox and, at worst, to his electronic account.

Phishing techniques are being improved and social engineering methods applied. The client is frightened, and a critical reason is invented for him to give out his confidential data. As a rule, messages contain threats, for example, to block the account if the recipient does not comply with the requirements set out in the message.

A concept related to phishing is pharming. This is also a scam aimed at obtaining users' personal data, but not through mail: it works directly through official websites. Pharmers replace the numeric addresses of legitimate Web sites on DNS servers with fake ones, as a result of which users are redirected to fraudulent sites. This type of fraud is even more dangerous, since it is almost impossible to notice the fake.

Currently, scammers often use "Trojan" programs. In this case the phisher's task is greatly simplified: it is enough to make the user visit the phishing site and "pick up" a program that will itself find everything that is needed on the victim's hard drive. Alongside "Trojan" programs, keyloggers have come into use: fake sites download spyware that records keystrokes on the victim's computer. With this approach there is no need to find contact with the clients of a particular bank or company, so phishers have begun to fake general-purpose sites, such as news feeds and search engines.

The success of phishing scams is helped by users' low awareness of the rules of operation of the companies on whose behalf the criminals act. In particular, about 5% of users do not know a simple fact: banks do not send letters asking them to confirm their credit card number and PIN code online.

According to analysts (www.cnews.ru), the damage caused by phishers to the global economy amounted to $14 billion in 2003 and reached $44 billion a year later. According to Symantec statistics, in mid-2004 the company's filters blocked up to 9 million emails with phishing content every week; by the end of the year, 33 million.

Spam filters remain the main defense against phishing. Unfortunately, anti-phishing software tools are of limited effectiveness, since attackers exploit human psychology rather than software flaws. Technical protection tools are being actively developed, primarily plug-ins for popular browsers; the essence of this protection is blocking sites that appear on blacklists of fraudulent resources. The next step could be systems that generate one-time passwords for Internet access to bank accounts and payment system accounts, and the wide distribution of additional levels of protection that combine password entry with a hardware USB key.
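One check a mail filter or browser plug-in can make against the phishing letter described above, as an added example that is not code from the article: extract every link from the message body and flag links whose target host is outside the bank's real domains, or whose visible address differs from where the link actually points. The bank domain example-bank.test, the attacker host and the sample message are constructed.

```python
"""Flag suspicious links in a phishing-style e-mail body (added example).

Assumptions: the bank's legitimate domains are known (here the constructed
example-bank.test), and the message body is HTML.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains the real bank actually uses
LEGIT_DOMAINS = {"example-bank.test"}

# Constructed sample: the "confirm your credentials" letter from the article,
# with one link whose visible text shows the bank's address but whose target is
# an attacker-controlled host, and one genuine link.
SAMPLE_MAIL = """
<p>Dear customer, due to a software update in our Internet banking system you
must confirm your credentials within 24 hours or your account will be blocked.</p>
<p><a href="http://example-bank.test.attacker.invalid/login">https://www.example-bank.test/login</a></p>
<p>Questions? <a href="https://www.example-bank.test/help">Contact us</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element with an href."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL; bare domains without a scheme are accepted too."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    return (urlparse(url_or_text).hostname or "").lower()


def belongs_to(host, domains):
    """True if host is one of the domains or a subdomain of one of them.
    A host such as example-bank.test.attacker.invalid does not qualify."""
    return any(host == d or host.endswith("." + d) for d in domains)


def looks_like_address(text):
    """Crude test for visible link text that shows a URL or domain name."""
    return "." in text and " " not in text


def suspicious_links(html, legit_domains=LEGIT_DOMAINS):
    """Return [(href, [reasons])] for links that a reader should not follow."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        reasons = []
        target = host_of(href)
        if not belongs_to(target, legit_domains):
            reasons.append("href outside the bank's domains")
        if looks_like_address(text) and host_of(text) != target:
            reasons.append("visible address differs from link target")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_MAIL):
        print(href, "->", "; ".join(reasons))
```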

The listed attacks on IP networks are possible for a number of reasons:

• the use of public data channels: critical data is transmitted over the network unencrypted;
• vulnerabilities in the authentication procedures implemented in the TCP/IP stack: identification information at the IP layer is transmitted in the clear;
• the absence, in the basic version of the TCP/IP protocol stack, of mechanisms that ensure the confidentiality and integrity of transmitted messages;
• the sender is authenticated by its IP address, and the authentication procedure is performed only at the connection establishment stage; the authenticity of subsequent packets is not checked;
• the lack of control over the route of messages on the Internet, which leaves remote network attacks practically unpunished.

Types of attacks

Penetration into a computer network is carried out in the form of attacks.

An attack is an event in which outsiders try to get inside someone else's network. A modern network attack often involves exploiting software vulnerabilities. Among the most common in the early 2000s were targeted denial of service (DoS) attacks and distributed DoS (DDoS) attacks. A DoS attack makes the target inaccessible for normal use by exceeding the permissible operating limits of the network device. A DoS attack is called point (concentrated), since it comes from one source; in the case of distributed DDoS, the attack is carried out from many sources distributed in space, often belonging to different networks.

A few years ago, the term "malicious program code" came into use, which covers viruses, worms, Trojans, tools for network attacks, spamming and other actions undesirable for the user. Given the diverse nature of threats, modern protection systems have become multi-level and complex. Network worms spread their copies over computer networks using e-mail and messaging. The most common Trojans today perform unauthorized actions: they destroy data and use computer resources for malicious purposes. Spyware is one of the most dangerous kinds of Trojan: it collects information about all user actions and then transfers it to attackers without the user noticing.

The year 2007 can be called the year of the "death" of non-commercial malware. No one develops these programs for self-expression anymore; it can be said that in 2007 there was not a single malicious program without a financial motive. One of the new malware families is the Storm Worm, which appeared in January 2007. To spread, the worm used both traditional means, such as e-mail, and distribution in the form of video files. The technique of hiding one's presence in the system (rootkits) can be used not only in Trojans but also in file viruses. Malicious programs now seek to survive on the system even after they are detected.

One dangerous way of hiding their presence is infecting the boot sector of the hard disk (the so-called "bootkits"). Such a malicious program can gain control even before the main part of the OS is loaded.

The range of security problems is no longer limited to the task of protecting against viruses, which we had to deal with about five years ago. The danger of internal information leaks has become more serious than external threats. Moreover, since the beginning of the 21st century the aim of computer crime has become the theft of economic information and bank accounts, the disruption of competitors' information systems and mass mailing of advertising.

No less, and sometimes even greater, a threat to corporate IT systems is posed by insiders: company employees who have access to confidential information and use it for illegitimate purposes. Many experts believe that the damage caused by insiders is no less significant than that caused by malware. Characteristically, a significant share of information leaks occurs not through malicious actions of employees but through their inattention. The main technical means of combating such factors should be authentication and access administration tools. Nevertheless, the number of incidents continues to grow (by about 30% per year in recent years). Leak and insider protection tools are gradually being integrated into the overall information protection system. In conclusion, we present a generalized classification of network threats (Fig. 11.3).

Lecture 33

Topic: Types and kinds of network attacks

A remote network attack is a destructive information action on a distributed computing system (DCS), carried out by software over communication channels.

Introduction

To organize communications in a heterogeneous network environment, the TCP/IP protocol suite is used, which ensures compatibility between computers of different types. The suite gained its popularity through interoperability and access to the resources of the global Internet and has become the standard for internetworking. However, the ubiquity of the TCP/IP stack has also exposed its weaknesses. In particular, distributed systems built on it are susceptible to remote attacks, because their components usually communicate over open channels, and an intruder can not only passively listen to the transmitted information but also modify the traffic in transit.

The difficulty of detecting a remote attack and the relative ease of carrying one out (a consequence of the excess functionality of modern systems) put this kind of illegal action first in terms of danger: the attack is often not noticed in time to respond to the threat, which increases the attacker's chance of success.

Classification of attacks

By the nature of the impact

Passive

Active

A passive influence on a distributed computing system (DCS) is one that does not directly affect the operation of the system but is nevertheless capable of violating its security policy. Precisely because it does not influence the operation of the DCS, a passive remote influence is hard to detect. A typical example of a passive influence in a wide-area network is listening to (sniffing) a communication channel.

An active influence on a DCS is one that directly affects the operation of the system itself (degradation of performance, changes to the configuration of the DCS, and so on), in violation of the security policy adopted in it. Almost all kinds of remote attack are active influences, since the very nature of a damaging action involves an active element. The obvious difference between active and passive influence is that the former can in principle be detected, because its implementation changes something in the system. A passive influence leaves no trace in the system or its traffic (the attacker merely reads someone else's message, and nothing changes at that moment), so it can only be countered indirectly, for example by checking interfaces for promiscuous mode or by making interception useless through encryption.

According to the purpose of the impact

Disruption of the system's operation (denial of access to the system)

Violation of the integrity of information resources (IR)

Violation of the confidentiality of information resources

This classification criterion is a direct projection of the three basic types of threat: denial of service, disclosure, and violation of integrity.

The main goal of almost any attack is to obtain unauthorized access to information. There are two fundamental ways of obtaining it: interception and distortion. Interception means gaining access to the information without being able to change it, and therefore violates its confidentiality. Listening to a network channel is an example: the information is accessed illegitimately, but with no possibility of substituting it. Violations of confidentiality are thus passive influences.

Substitution of information should be understood either as complete control over the flow of information between objects of the system, or as the ability to transmit arbitrary messages on someone else's behalf. Substitution therefore violates the integrity of the information, and such a destructive action is a characteristic example of an active influence. An example of a remote attack designed to violate integrity is the "false DCS object" attack, in which the attacker's host inserts itself into the exchange by posing as a legitimate object (for instance by answering ARP or DNS requests in its place).

By the presence of feedback with the attacked object

With feedback

Without feedback (unidirectional attack)

The attacker sends requests to the attacked object and expects answers to them. A feedback loop thus exists between the attacker and the target, allowing the attacker to react appropriately to any change in the attacked object. This is the essence of a remote attack carried out with feedback from the attacked object; such attacks are the most typical for a DCS.

Attacks without feedback do not need to react to changes in the attacked object. They are usually carried out by sending single requests to the target, to which the attacker needs no answers; such an attack can also be called unidirectional. A typical unidirectional attack is a DoS attack with a forged source address, where any reply goes to the forged address rather than to the attacker.

According to the condition of the beginning of the implementation of the impact

A remote influence, like any other, can begin only under certain conditions. Three kinds of such conditional attacks on a DCS are distinguished:

Attack on request from the attacked object

Attack on the occurrence of an expected event on the attacked object

Unconditional attack

An attack on request from the attacked object begins when the potential target transmits a request of a certain type; the attacker then answers it in place of the legitimate responder, so this type of attack is most typical for a DCS. Examples of such requests on the Internet are DNS and ARP queries, and in Novell NetWare the SAP (Service Advertising Protocol) query: whoever answers first, or answers convincingly, is believed.

An attack on the occurrence of an expected event on the attacked object. The attacker continuously monitors the state of the target's operating system and starts the influence when a specific event occurs in it; the attacked object is thus the initiator of the attack. An example of such an event on Novell NetWare is the termination of a user's session with the server without a LOGOUT command, which leaves a session that the attacker can continue on the user's behalf.

An unconditional attack is carried out immediately, regardless of the state of the operating system and the attacked object; here the attacker is the initiator.

When the goal is to disrupt the normal operation of the system, the attacker does not expect to gain illegal access to data. The aim is to make the operating system of the attacked object unusable and to deny the other objects of the system access to its resources. The DoS attack is the example of this type.
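The "attack on request" with an ARP query, and the "false DCS object" it produces, can be caught from the sniffer side by checking that each IP address keeps one link-layer address. The following detector is an added example, not code from the lecture; the ARP replies it consumes are constructed, and the addresses and the rule "first mapping seen is the legitimate one" are assumptions of the example.

```python
"""Detecting a 'false object' inserted by answering ARP requests.

Added example, not from the lecture. The input is a constructed list of
ARP replies (timestamp, sender IP, sender MAC) as a sniffer on the segment
would see them; the detector keeps the first MAC learned for each IP and
reports any reply that maps the same IP to a different MAC.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.1 is the gateway; 10.0.0.50 answers ARP
# requests for the gateway's IP with its own MAC (the false object).
SAMPLE_ARP_REPLIES = [
    (1.00, "10.0.0.1",  "aa:bb:cc:00:00:01"),
    (1.05, "10.0.0.7",  "aa:bb:cc:00:00:07"),
    (2.10, "10.0.0.1",  "aa:bb:cc:00:00:01"),
    (2.50, "10.0.0.1",  "de:ad:be:ef:00:50"),   # forged reply for the gateway IP
    (3.00, "10.0.0.50", "de:ad:be:ef:00:50"),   # attacker's own, legitimate entry
    (3.20, "10.0.0.1",  "de:ad:be:ef:00:50"),   # repeated to keep caches poisoned
]

def detect_arp_conflicts(replies):
    """Return (alerts, table).
    alerts: (ts, ip, expected_mac, seen_mac) for each conflicting reply;
    table:  ip -> set of every MAC observed for it."""
    first_seen = {}
    table = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        table[ip].add(mac)
        if ip not in first_seen:
            first_seen[ip] = mac            # assumption: first mapping is genuine
        elif first_seen[ip] != mac:
            alerts.append((ts, ip, first_seen[ip], mac))
    return alerts, dict(table)

def macs_claiming_multiple_ips(table):
    """MACs that answer for more than one IP: typical of a spoofer that
    impersonates the gateway while keeping its own address."""
    by_mac = defaultdict(set)
    for ip, macs in table.items():
        for mac in macs:
            by_mac[mac].add(ip)
    return {m: sorted(ips) for m, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    alerts, table = detect_arp_conflicts(SAMPLE_ARP_REPLIES)
    for ts, ip, expected, seen in alerts:
        print(f"t={ts:.2f} ARP conflict: {ip} was {expected}, now {seen}")
    print("MACs claiming several IPs:", macs_claiming_multiple_ips(table))
```

The weak point is the "first seen is genuine" rule: a spoofer that answers before the real host is accepted as the baseline. Tools such as arpwatch therefore keep a persistent database of known pairs and alert on any change, and switches with DHCP snooping and dynamic ARP inspection drop the forged reply before it reaches anyone.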

By the location of the subject of the attack relative to the attacked object

Intrasegment

Intersegment

Some definitions:

The source of the attack (the subject of the attack) is a program (possibly an operator) that conducts the attack and makes a direct impact.

Host - a computer that is an element of the network.

A router is a device that forwards packets between networks.

A subnet is a group of hosts, part of the wider network, that share the same network prefix (subnet number) as configured on the router; in other words, a logical grouping of hosts behind a router. Hosts within one subnet can communicate with each other directly, without passing through the router.

A network segment is a set of hosts joined at the physical (link) layer, that is, sharing one broadcast domain.

From the point of view of a remote attack, the relative position of the subject and the object of attack, that is, whether they are in different or in the same segments, is extremely important. During an intra-segment attack, the subject and object of the attack are located in the same segment. In the case of an inter-segment attack, the subject and object of the attack are located in different network segments. This classification feature makes it possible to judge the so-called "degree of remoteness" of the attack.

In practice an intra-segment attack is much easier to implement than an inter-segment one, because the attacker shares the link layer with the target and can see and forge its frames. At the same time an inter-segment remote attack is much more dangerous: the attacker and the target may be thousands of kilometres apart, which greatly complicates measures to repel the attack and to identify its source.

According to the level of the ISO/OSI reference model at which the impact is made

Physical

Data link

Network

Transport

Session

Presentation

Application

The International Organization for Standardization (ISO) adopted the ISO 7498 standard, which describes Open Systems Interconnection (OSI); a DCS is such an open system. Every network protocol and every network program can be projected in some way onto the seven-layer OSI reference model, and that projection lets its functions be described in OSI terms. A remote attack is implemented as a network program, so it is natural to classify it by the layer at which it acts: an ARP-based attack belongs to the data link layer, ICMP redirect or IP spoofing to the network layer, TCP session hijacking to the transport layer, DNS spoofing to the application layer.

Brief description of some network attacks

Data fragmentation

When an IP datagram is transmitted, it may be divided into several fragments, which are reassembled at the destination. An attacker can send a large number of fragments, or fragments whose offsets and sizes add up to more than the maximum datagram size of 65,535 bytes or overlap one another; this overflows the reassembly buffers of a careless receiving implementation and in some cases crashes the system (the "ping of death" and "teardrop" attacks of the 1990s worked this way). Reassembly code must therefore bound the total size, reject overlapping fragments and expire incomplete datagrams.

Ping flooding attack

This attack requires the attacker to have access to fast Internet links.

The ping program sends an ICMP ECHO REQUEST packet carrying a timestamp and an identifier. The kernel of the receiving machine answers with an ICMP ECHO REPLY; on receiving it, ping reports the round-trip time.

In its normal mode ping sends packets at fixed intervals and barely loads the network. In "aggressive" (flood) mode, however, a stream of echo request/reply packets can saturate a slow link and leave it unable to carry useful traffic.

Non-standard protocols encapsulated in IP

An IP packet header contains a field giving the protocol number of the encapsulated packet (1 for ICMP, 6 for TCP, 17 for UDP). Attackers can use a non-standard value in this field to carry data that standard traffic-monitoring tools, which only inspect the common protocols, will not record.
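Both of the preceding attacks (fragment abuse and non-standard encapsulated protocols) are decided by fields in the IPv4 header, so the two checks are shown together. This is an added example, not code from the lecture: it parses the header with the standard library, reassembles fragments while enforcing the 65,535-byte datagram limit and rejecting overlaps, and flags protocol numbers outside an allow-list. The packets are constructed, the allow-list is an assumption of the example, and the header checksum is left zero because the parser does not verify it.

```python
"""IPv4 header parsing: fragment fields and protocol number.

Added example, not code from the lecture. Constructed packets; the
protocol allow-list is an assumed site policy.
"""
import struct

ALLOWED_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # assumption: site policy
MAX_DATAGRAM = 65535                                   # RFC 791 limit

def parse_ipv4_header(pkt):
    """Return the header fields an inspection tool needs, plus the payload."""
    if len(pkt) < 20:
        raise ValueError("truncated header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4,
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),            # "more fragments" flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # offset is in 8-byte units
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "payload": pkt[ihl:total_len],
    }

def build_ipv4(ident, offset, mf, proto, payload,
               src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Constructed test packet (no options, checksum zero)."""
    flags_frag = (0x2000 if mf else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload

def check_protocol(pkt):
    """False for protocol numbers the monitoring policy does not expect."""
    return parse_ipv4_header(pkt)["proto"] in ALLOWED_PROTOCOLS

class Reassembler:
    """Fragment reassembly with the two checks a careless stack omits:
    a bound on the reassembled size and rejection of overlapping fragments."""
    def __init__(self, max_buffer=MAX_DATAGRAM):
        self.max_buffer = max_buffer
        self.pending = {}   # (src, dst, id, proto) -> {"frags": {offset: data}, "last_end": int|None}

    def add(self, pkt):
        """Feed one fragment; return the whole datagram payload when complete."""
        h = parse_ipv4_header(pkt)
        key = (h["src"], h["dst"], h["id"], h["proto"])
        start, end = h["frag_offset"], h["frag_offset"] + len(h["payload"])
        if end > self.max_buffer:                       # 'ping of death' shape
            self.pending.pop(key, None)
            raise ValueError(f"fragment ends at {end} > {self.max_buffer}")
        entry = self.pending.setdefault(key, {"frags": {}, "last_end": None})
        for off, data in entry["frags"].items():
            if start < off + len(data) and off < end:    # 'teardrop' shape
                self.pending.pop(key, None)
                raise ValueError("overlapping fragment")
        entry["frags"][start] = h["payload"]
        if not h["mf"]:
            entry["last_end"] = end
        return self._try_complete(key, entry)

    def _try_complete(self, key, entry):
        if entry["last_end"] is None:
            return None
        pos, buf = 0, bytearray()
        for off in sorted(entry["frags"]):
            if off != pos:
                return None                              # hole: wait for more
            buf += entry["frags"][off]
            pos += len(entry["frags"][off])
        if pos != entry["last_end"]:
            return None
        del self.pending[key]
        return bytes(buf)

def demo():
    """Constructed traffic: a two-fragment UDP datagram, an oversized final
    fragment, an overlapping fragment, and a packet with protocol 253."""
    r = Reassembler()
    results = {}
    r.add(build_ipv4(7, 0, True, 17, b"A" * 16))
    results["reassembled"] = r.add(build_ipv4(7, 16, False, 17, b"B" * 8))
    try:
        r.add(build_ipv4(8, 65528, False, 1, b"X" * 16))   # would end at byte 65544
        results["oversized_rejected"] = False
    except ValueError:
        results["oversized_rejected"] = True
    r.add(build_ipv4(10, 0, True, 17, b"C" * 16))
    try:
        r.add(build_ipv4(10, 8, False, 17, b"D" * 8))      # overlaps bytes 8..16
        results["overlap_rejected"] = False
    except ValueError:
        results["overlap_rejected"] = True
    results["proto_253_allowed"] = check_protocol(build_ipv4(9, 0, False, 253, b"hidden"))
    return results
```

A production stack additionally expires incomplete datagrams after a timeout and caps the number of pending datagrams per source, otherwise the attacker fills the reassembly table with first fragments that never complete.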

smurf attack

A smurf attack consists of sending ICMP echo requests to a network's broadcast address with the victim's address forged as the source.

Every host that receives the broadcast answers the victim, so a single request is amplified by the number of hosts on the segment; the victim's link is saturated and, in some cases, the attacked network is cut off completely. The smurf attack was exceptionally effective and widespread in the late 1990s.

Countermeasures: on the victim side, monitor the link load and look for a flood of echo replies from many sources that were never asked; on the amplifier side, configure routers not to forward directed broadcasts (the default since RFC 2644) and hosts not to answer broadcast pings.
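The load analysis mentioned for the ping flood and the smurf attack can be made concrete as two rate checks over flow records: many echo requests per second from one source, versus many echo replies per second to one destination from many distinct sources. The following detector is an added example, not code from the lecture; the flow records are constructed and the thresholds are assumptions to be tuned against a real baseline.

```python
"""ICMP flood and smurf detection from flow records.

Added example, not from the lecture. Records are constructed tuples
(time, src, dst, icmp_type) with 8 = echo request and 0 = echo reply.
Thresholds are illustrative assumptions.
"""
from collections import defaultdict

WINDOW = 1.0            # seconds
FLOOD_RATE = 100        # echo requests per window from one source -> ping flood
SMURF_RATE = 100        # echo replies per window to one destination ...
SMURF_MIN_SOURCES = 20  # ... from at least this many distinct responders -> smurf

ECHO_REPLY, ECHO_REQUEST = 0, 8

def make_sample():
    """Constructed flow records covering normal pings, a flood and a smurf."""
    recs = []
    for i in range(5):   # normal: one ping per second and its reply
        recs.append((i + 0.1, "10.0.0.5", "10.0.0.9", ECHO_REQUEST))
        recs.append((i + 0.11, "10.0.0.9", "10.0.0.5", ECHO_REPLY))
    # ping flood: 300 echo requests from one host inside one second
    recs += [(2.0 + k / 300, "203.0.113.7", "10.0.0.9", ECHO_REQUEST) for k in range(300)]
    # smurf: 250 hosts of 198.51.100.0/24 answer a broadcast ping forged from 10.0.0.9
    recs += [(3.0 + k / 250, f"198.51.100.{k + 1}", "10.0.0.9", ECHO_REPLY) for k in range(250)]
    return sorted(recs)

def busiest_window(items, window):
    """items: (ts, key) pairs. Return (count, distinct keys) for the densest
    span of `window` seconds, found with a two-pointer sweep."""
    items = sorted(items)
    best_n, best_keys, i = 0, set(), 0
    for j, (t, _) in enumerate(items):
        while t - items[i][0] > window:
            i += 1
        if j - i + 1 > best_n:
            best_n = j - i + 1
            best_keys = {k for _, k in items[i:j + 1]}
    return best_n, best_keys

def detect(records, window=WINDOW):
    requests = defaultdict(list)   # src -> [(ts, dst)]
    replies = defaultdict(list)    # dst -> [(ts, src)]
    for ts, src, dst, typ in records:
        if typ == ECHO_REQUEST:
            requests[src].append((ts, dst))
        elif typ == ECHO_REPLY:
            replies[dst].append((ts, src))
    alerts = []
    for src, items in requests.items():
        n, _ = busiest_window(items, window)
        if n >= FLOOD_RATE:
            alerts.append(("ping_flood", src, n))
    for dst, items in replies.items():
        n, sources = busiest_window(items, window)
        # a flood of unsolicited replies from many responders is the smurf signature
        if n >= SMURF_RATE and len(sources) >= SMURF_MIN_SOURCES:
            alerts.append(("smurf", dst, len(sources)))
    return alerts

if __name__ == "__main__":
    for kind, host, n in detect(make_sample()):
        print(f"{kind}: {host} ({n})")
```

The smurf rule deliberately keys on the destination and on the number of distinct responders: the victim never sent the requests, so the replies are unsolicited, and no single responder exceeds a per-source rate, which is why a naive per-source threshold misses the attack.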

DNS spoofing attack

The result of this attack is a forged mapping between a domain name and an IP address planted in the cache of a DNS server. After a successful attack, all clients of that server receive false answers for the name. The attack is recognisable by a large number of DNS response packets for the same domain name, because the attacker has to guess parameters of the DNS exchange (the 16-bit transaction ID and, in modern resolvers, the randomized source port) and sends many candidate answers.

Countermeasures: to detect such an attack, analyse the content of DNS traffic (many answers for one name with differing transaction IDs); to prevent it, use DNSSEC so that forged records fail validation, and randomize the resolver's source ports so that guessing becomes impractical.
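The "many packets for the same name" symptom translates directly into a detector: count responses per queried name in a short window and look at how many distinct transaction IDs they carry. This is an added example, not code from the lecture; the response records are constructed and the window and thresholds are assumptions.

```python
"""Detecting a DNS cache-poisoning burst at a resolver.

Added example, not from the lecture. Records are constructed tuples
(time, answering IP, queried name, transaction ID) as seen arriving at a
resolver. A poisoning attempt guesses the 16-bit transaction ID, so it
shows up as many responses for one name with many different IDs inside a
short window; legitimate traffic has about one response per query.
"""
from collections import defaultdict

WINDOW = 2.0             # seconds (assumption)
MAX_RESPONSES = 50       # responses for one name per window (assumption)
MAX_DISTINCT_IDS = 20    # distinct transaction IDs among them (assumption)

def make_sample():
    recs = [(0.5, "192.0.2.53", "mail.example.com", 0x1A2B),
            (1.2, "192.0.2.53", "www.example.com", 0x3C4D),
            (4.0, "192.0.2.53", "www.example.com", 0x5E6F)]
    # attacker floods 500 guessed answers for bank.example.com, spoofing 192.0.2.53
    recs += [(2.0 + k / 1000, "192.0.2.53", "bank.example.com", 0x4000 + k)
             for k in range(500)]
    return sorted(recs)

def detect_poisoning(records, window=WINDOW,
                     max_responses=MAX_RESPONSES, max_ids=MAX_DISTINCT_IDS):
    """Return [(name, responses_in_window, distinct_ids)] for each name that
    crosses both thresholds in some window."""
    by_name = defaultdict(list)
    for ts, _src, name, txid in records:
        by_name[name].append((ts, txid))
    alerts = []
    for name, items in by_name.items():
        items.sort()
        i = 0
        for j, (t, _) in enumerate(items):
            while t - items[i][0] > window:
                i += 1
            n = j - i + 1
            if n >= max_responses:
                ids = {x for _, x in items[i:j + 1]}
                if len(ids) >= max_ids:
                    alerts.append((name, n, len(ids)))
                    break            # one alert per name is enough
    return alerts

if __name__ == "__main__":
    for name, n, ids in detect_poisoning(make_sample()):
        print(f"poisoning attempt against {name}: {n} answers, {ids} distinct IDs")
```

A resolver that also matches responses against the outstanding query (ID, source port and question section) simply discards the guesses; the detector is still worth running, because a burst like this says someone is actively trying, and with DNSSEC validation the forged answer fails even if a guess lands.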

IP spoofing attack

A large number of attacks on the Internet rely on forging the source IP address. One example is syslog spoofing: sending a message to the victim on behalf of another computer of the internal network. Since syslog carries system logging and, in its classic UDP form, has no authentication, forged messages can plant false information in the logs or bury the traces of unauthorized access.

Countermeasures: IP spoofing can be detected by watching for packets arriving on an interface with a source address equal to that interface's own address, or packets with internal-network source addresses arriving on the external interface. Filtering on this basis (ingress and egress filtering, BCP 38) is the standard defence.
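The two checks above, plus egress filtering in the other direction and a short bogon list, fit in a few lines of policy. This is an added example, not code from the lecture; the interface layout (an external interface and an internal interface carrying 10.0.0.0/8) and the addresses are assumptions of the example.

```python
"""Ingress/egress anti-spoofing filter.

Added example, not from the lecture. Interface layout is assumed:
'ext' faces the Internet, 'int' carries 10.0.0.0/8. A packet is dropped
when it arrives on 'ext' with an internal or own-interface source, when it
arrives on 'int' with a source that is not internal (egress filtering),
or when its source lies in a never-routable range (bogon).
"""
import ipaddress

INTERFACES = {
    "ext": {"addr": ipaddress.ip_address("203.0.113.10"), "nets": []},
    "int": {"addr": ipaddress.ip_address("10.0.0.1"),
            "nets": [ipaddress.ip_network("10.0.0.0/8")]},
}
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3")]
INTERFACE_ADDRS = {v["addr"] for v in INTERFACES.values()}
INTERNAL = [n for v in INTERFACES.values() for n in v["nets"]]

def verdict(iface, src, dst):
    """Decide for a packet received on `iface` with source `src` and
    destination `dst`. Returns 'ACCEPT' or 'DROP <reason>'."""
    if iface not in INTERFACES:
        return "DROP unknown interface"
    src = ipaddress.ip_address(src)
    ipaddress.ip_address(dst)                     # validated, not used by the rules
    if any(src in n for n in BOGONS):
        return "DROP bogon source"
    if src in INTERFACE_ADDRS:
        return "DROP source is one of our own interface addresses"
    if iface == "ext" and any(src in n for n in INTERNAL):
        return "DROP internal source address on external interface"
    if iface == "int" and not any(src in n for n in INTERNAL):
        return "DROP non-internal source leaving internal interface"
    return "ACCEPT"

def filter_batch(packets):
    """packets: iterable of (iface, src, dst). Returns list of verdicts."""
    return [verdict(*p) for p in packets]

if __name__ == "__main__":
    sample = [("ext", "198.51.100.4", "203.0.113.10"),   # ordinary Internet client
              ("ext", "10.1.2.3", "203.0.113.10"),       # spoofed internal source
              ("ext", "203.0.113.10", "203.0.113.10"),   # spoofed as ourselves
              ("int", "10.5.5.5", "198.51.100.4"),       # legitimate outbound
              ("int", "8.8.8.8", "1.1.1.1")]             # spoofing host inside
    for p, v in zip(sample, filter_batch(sample)):
        print(p, "->", v)
```

In production this is done in the forwarding path rather than in Python: on Linux with the reverse-path filter (`net.ipv4.conf.all.rp_filter`) or an explicit `fib` rule in nftables, and on routers with unicast reverse-path forwarding. The check only proves that the source address is plausible for the interface; it says nothing about the packet's contents, which is why syslog over UDP still needs to be replaced by an authenticated transport.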

Packet injection (session takeover)

An attacker sends packets into the network with a forged source address. With this the attacker can take over a connection established between two other computers and redirect it to his own machine; the attacker then has the access rights of the user whose connection to the server was hijacked.

Sniffing - listening to a channel

It is possible only within the local network segment.

Almost all network cards can be switched into promiscuous mode, in which they capture every frame on a shared medium, including those addressed to other computers in the same segment. The whole exchange in the segment then becomes available to the attacker. To carry out this attack, the attacker's computer must be on the same local segment as the target. On a switched network a port only sees frames addressed to it plus broadcasts, so the attacker has to add an active step (ARP spoofing, or a mirror port on the switch) to see unicast traffic between other hosts.

Packet sniffing on the router

The router's network software has access to every packet that passes through it, which allows packet sniffing. To carry out this attack, the attacker must have privileged access to at least one router. Because a router handles a great many packets, capturing all of them is impractical, but selected packets can be captured and stored for later analysis. The most rewarding targets are packets of plaintext protocols: FTP and POP logins carrying user passwords, and e-mail bodies; traffic protected by TLS or SSH yields nothing useful to a passive observer.

Imposing a false route on a host using the ICMP protocol

The Internet Control Message Protocol (ICMP) has, among its functions, a way of telling a host that a better router is available for a destination; this control message is called a redirect. Any host on the segment can send a false redirect to the attacked host on behalf of the router. The host's routing table then changes, and its traffic for that destination subsequently passes through, for example, the host that sent the false redirect. In this way a false route can be actively imposed within one segment of the Internet. The usual defence is to make hosts ignore redirects altogether (on Linux, net.ipv4.conf.all.accept_redirects=0) or, if they must be honoured, to accept them only from the current default gateway and only for gateways on the local subnet.

Out-of-band data on port 139 (the "WinNuke" attack)

Along with ordinary data sent over a TCP connection, the standard also provides for urgent (out-of-band, OOB) data, signalled at the packet level by a set URG flag and a non-zero urgent pointer. Most PCs running Windows have the NetBIOS-over-TCP services listening on ports 137, 138 and 139. Connecting to a Windows machine on port 139 and sending a few bytes of OOB data made the NetBIOS implementation, which did not know what to do with them, hang or reboot the machine. On Windows 95 this usually appeared as a blue text screen reporting an error in the TCP/IP driver and loss of networking until the OS was rebooted; NT 4.0 without service packs rebooted, and NT 4.0 with Service Pack 2 crashed to a blue screen. By reports from the network, Windows NT 3.51 and Windows 3.11 for Workgroups were also affected.

Sending data to port 139 caused NT 4.0 to reboot, or with Service Pack 2 to crash to a blue screen. Sending data to port 135 and some other ports placed a heavy load on the RPCSS.EXE process: a Windows NT Workstation slowed down markedly, while a Windows NT Server practically froze. Microsoft fixed the defect in later service packs; the attack is now of historical interest only, but it remains a clear example of a crash triggered by an unexpected protocol feature.

Trusted host substitution

A successful remote attack of this type lets the attacker conduct a session with the server on behalf of a trusted host (a trusted host is a station legitimately connected to the server). The attack usually consists of sending exchange packets from the attacker's station on behalf of a trusted station that is under the attacker's control or is being impersonated.

Attack detection technologies

Network and information technologies change so rapidly that static security mechanisms, which include access control systems, firewalls and authentication systems, in many cases cannot provide effective protection. Dynamic methods are therefore needed to detect and prevent security violations quickly. One technology that detects violations which cannot be identified by traditional access control models is intrusion detection.

Essentially, the intrusion detection process is the process of evaluating suspicious activities that occur on a corporate network. In other words, intrusion detection is the process of identifying and responding to suspicious activity directed at computing or network resources.

Methods for analyzing network information

The effectiveness of an intrusion detection system largely depends on the methods used to analyze the information received. The first intrusion detection systems developed in the early 1980s used statistical intrusion detection methods. Currently, a number of new methods have been added to statistical analysis, starting with expert systems and fuzzy logic and ending with the use of neural networks.

Statistical method

The main advantages of the statistical approach are the use of the already developed and proven apparatus of mathematical statistics and adaptation to the behavior of the subject.

First, profiles are determined for all subjects of the analyzed system. Any deviation of the used profile from the reference is considered unauthorized activity. Statistical methods are universal, since analysis does not require knowledge about possible attacks and the vulnerabilities they exploit. However, problems arise when using these methods:

"Statistical" systems are not sensitive to the order of events; in some cases, the same events, depending on the order in which they occur, may characterize anomalous or normal activity;

It is difficult to set the boundary (threshold) values ​​of the characteristics monitored by the attack detection system in order to adequately identify anomalous activity;

"Statistical" systems can be "trained" by adversaries over time so that attacking actions are considered normal.

It should also be taken into account that statistical methods are not applicable in those cases when there is no pattern of typical behavior for the user or when unauthorized actions are typical for the user.
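The profile-based method and two of its listed weaknesses (choosing the threshold, and being "trained" by an adversary) can be seen in a few dozen lines. This is an added example, not code from the lecture: the subject's profile is the mean and standard deviation of a daily activity measure (constructed values, labelled as megabytes uploaded per day), a day is flagged when its z-score exceeds a threshold, and the adaptive variant folds each day back into the profile. The threshold and the smoothing factor are assumptions.

```python
"""Statistical (profile-based) anomaly detection and its 'training' weakness.

Added example, not from the lecture. Values are constructed.
"""
import math

Z_THRESHOLD = 3.0   # assumption; the lecture notes how hard this choice is

def profile(values):
    """Reference profile of a subject: (mean, population std) over a period."""
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / n
    return mean, math.sqrt(var)

def zscore(x, mean, std):
    if std > 0:
        return (x - mean) / std
    return 0.0 if x == mean else float("inf")

def detect_fixed(baseline, observations, z=Z_THRESHOLD):
    """Profile frozen after the baseline period. Returns flagged day indices."""
    mean, std = profile(baseline)
    return [i for i, x in enumerate(observations) if abs(zscore(x, mean, std)) > z]

def detect_adaptive(baseline, observations, z=Z_THRESHOLD, alpha=0.2):
    """Profile updated after every day with an exponential moving average of
    mean and variance (alpha is an assumption). Each observation is folded
    into the profile whether or not it was flagged, which is exactly what
    lets an adversary move the baseline."""
    mean, std = profile(baseline)
    var = std ** 2
    flagged = []
    for i, x in enumerate(observations):
        if abs(zscore(x, mean, math.sqrt(var))) > z:
            flagged.append(i)
        delta = x - mean
        mean += alpha * delta
        var = (1 - alpha) * (var + alpha * delta * delta)
    return flagged

BASELINE = [100, 110, 95, 105, 100, 98, 104, 96, 102, 100]   # MB/day, constructed
SUDDEN = [101, 99, 400, 100]                                  # one-day exfiltration
SLOW = [int(100 * 1.08 ** k) for k in range(1, 25)]           # +8 % per day, 24 days

if __name__ == "__main__":
    print("fixed, sudden:   ", detect_fixed(BASELINE, SUDDEN))
    print("adaptive, sudden:", detect_adaptive(BASELINE, SUDDEN))
    print("fixed, slow:     ", detect_fixed(BASELINE, SLOW))
    print("adaptive, slow:  ", detect_adaptive(BASELINE, SLOW))
    print("slow campaign ends at", SLOW[-1], "MB/day, over 6x the baseline")
```

The frozen profile catches both the spike and the slow ramp, but it also fires on every legitimate change of habit, which is the threshold problem. The adaptive profile never flags the ramp: each 8% step stays under three standard deviations of a profile that it then widens, and after 24 days the subject moves over six times its original volume unnoticed. Practical systems freeze the profile once it is learnt, or only update it from days that were not flagged and that an operator has reviewed.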

Expert systems

Expert systems consist of a set of rules that capture the knowledge of a human expert. Using them is a common method of attack detection in which information about attacks is formulated as rules, written for example as a sequence of actions or as a signature. When any rule is satisfied, a decision is made that unauthorized activity is present. An important advantage of this approach is a low rate of false alarms: a signature fires only on what it was written for.

The expert system database should contain scenarios for the majority of currently known attacks. In order to remain constantly up-to-date, expert systems require constant updating of the database. While expert systems offer a good opportunity to review the data in the logs, required updates can either be ignored or manually performed by the administrator. At a minimum, this leads to an expert system with reduced capabilities. In the worst case, the lack of proper maintenance reduces the security of the entire network, misleading its users about the actual level of security.

The main disadvantage is the inability to repel unknown attacks. At the same time, even a small change in an already known attack can become a serious obstacle to the functioning of an intrusion detection system.
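Both rule kinds named above, a signature matched against one event and a sequence of actions, and the stated weakness that a small change to a known attack defeats the signature, can be shown on a handful of log lines. This is an added example, not code from the lecture; the log lines are constructed in a syslog-like shape, and the signature, thresholds and window are assumptions.

```python
"""Rule-based (expert-system) detection: a signature and a sequence rule.

Added example, not from the lecture. Constructed log lines.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

LOG = [
    "10:00:01 sshd[1]: Failed password for root from 198.51.100.7 port 4001",
    "10:00:03 sshd[1]: Failed password for root from 198.51.100.7 port 4002",
    "10:00:05 sshd[1]: Failed password for root from 198.51.100.7 port 4003",
    "10:00:06 sshd[1]: Accepted password for root from 198.51.100.7 port 4004",
    "10:00:09 httpd: GET /cgi-bin/../../etc/passwd HTTP/1.0 from 203.0.113.9",
    "10:00:10 httpd: GET /cgi-bin/..%2f..%2fetc%2fpasswd HTTP/1.0 from 203.0.113.9",
    "10:00:11 httpd: GET /index.html HTTP/1.0 from 192.0.2.4",
]

# Signature rule: one pattern, one event. Written for the plain form only.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./.*etc/passwd")),
]

def match_signatures(lines, normalise=False):
    """Return (rule name, line) for each line a signature matches. With
    normalise=True the line is percent-decoded first, which is what closes
    the gap exposed by the '%2f' variant."""
    hits = []
    for line in lines:
        text = unquote(line) if normalise else line
        for name, rx in SIGNATURES:
            if rx.search(text):
                hits.append((name, line))
    return hits

TS_RX = re.compile(r"^(\d\d):(\d\d):(\d\d) ")
AUTH_RX = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")

def seconds(line):
    h, m, s = map(int, TS_RX.match(line).groups())
    return h * 3600 + m * 60 + s

def brute_force_then_success(lines, failures=3, window=60):
    """Sequence rule: at least `failures` failed logins from one source,
    followed by an accepted login from it within `window` seconds.
    Returns (source, user, failures seen) per alert."""
    recent = defaultdict(list)   # source -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = AUTH_RX.search(line)
        if not m:
            continue
        result, user, src = m.groups()
        t = seconds(line)
        recent[src] = [x for x in recent[src] if t - x <= window]
        if result == "Failed":
            recent[src].append(t)
        elif len(recent[src]) >= failures:
            alerts.append((src, user, len(recent[src])))
            recent[src].clear()
    return alerts

if __name__ == "__main__":
    print("raw signature hits:       ", len(match_signatures(LOG)))
    print("normalised signature hits:", len(match_signatures(LOG, normalise=True)))
    print("sequence rule:", brute_force_then_success(LOG))
```

The raw signature sees only the first traversal request; the percent-encoded twin, a trivial rewrite of the same attack, passes until the input is decoded the way the target web server will decode it. Maintaining that normalisation step, and the rule base itself, is the upkeep the text warns about.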

Neural networks

Most modern intrusion detection methods use some form of rule-based analysis of the controlled space or a statistical approach. The controlled space can be logs or network traffic. The analysis relies on a set of predefined rules that are created by the administrator or by the intrusion detection system itself.

Any division of an attack over time or among multiple attackers is difficult for expert systems to detect. Due to the wide variety of attacks and hackers, even special constant updates of the expert system rules database will never guarantee accurate identification of the entire range of attacks.

The use of neural networks is one way to overcome these problems of expert systems. Unlike an expert system, which gives the user a definite answer on whether the characteristics in question match the rules in its database, a neural network analyses the information and gives an estimate of how closely the data matches the characteristics it has learnt to recognise. Although the degree of match reported by the network can reach 100%, the reliability of that judgement depends entirely on the quality of the examples on which the system was trained.

First, the neural network is trained to correctly identify on a pre-selected sample of domain examples. The reaction of the neural network is analyzed and the system is adjusted in such a way as to achieve satisfactory results. In addition to the initial training period, the neural network gains experience over time as it analyzes data related to the domain.

An important advantage of neural networks in abuse detection is their ability to "learn" the characteristics of deliberate attacks and identify elements that are not similar to those seen in the network before.

Each of the described methods has a number of advantages and disadvantages, so now it is practically difficult to find a system that implements only one of the described methods. Typically, these methods are used in combination.

Mail bombing
The oldest type of attack. It sharply increases the traffic and the number of messages delivered, causing the service to fail and paralysing not only the recipient's mailbox but the mail server itself. Today such attacks are considered practically ineffective, because a provider can impose limits on the traffic accepted from a single sender.

Buffer overflow
This attack exploits a software error that lets data written to memory cross the boundary of its buffer. The result is either abnormal termination of the process or execution of arbitrary code supplied by the attacker, under the account in which the process runs. If that account is the administrator's, the attacker obtains full control of the system. Modern mitigations (stack canaries, non-executable stacks, address space layout randomization) make exploitation harder but not impossible; the root cause remains in code written without bounds checking.

Viruses, Trojans, worms, sniffers
This type of attack covers various third-party programs. Their purpose and mode of operation vary widely, so there is no point in dwelling on each; what they have in common is that their primary goal is to gain access to and "infect" the system.

Network reconnaissance
This type of attack involves no destructive action by itself. Reconnaissance is only the collection of information by the intruder: port scanning, DNS queries, probing the security of hosts and systems. It is usually carried out before a serious targeted attack.

Packet sniffing
The principle rests on a feature of the network card: in promiscuous mode every packet it receives is passed up for processing by special applications. As a result the attacker gains not only information about the structure of the computer system but the transmitted data itself: passwords, messages and files.

IP spoofing
A type of attack on local networks in which the attacker's computer uses an IP address belonging to that local network. The attack works when the system's security relies on the IP address alone for identification, without any further conditions.

Man-in-the-middle
The attacker intercepts the link between two applications and so gains access to all information passing through that channel. The aim is not only theft but falsification of the information. An example is the use of such programs for cheating in online games: information about a game event generated on the client side is sent to the server; an interceptor placed in its path alters the information as the attacker wishes and forwards the altered version to the server in place of what the game client sent.

Injection
Also a broad class of attacks, whose general principle is the introduction of foreign fragments of program code into an information system along with transmitted data, where the code does not disrupt the application's operation but performs the action the attacker needs. The classic instance is SQL injection, where a string supplied by the user is concatenated into a database query and interpreted as part of it.
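The principle above, data that the application ends up executing as code, is clearest with the vulnerable query beside its hardened form. This is an added example, not code from the lecture; it uses an in-memory SQLite database with constructed rows, and the table, the payload and the function names are assumptions of the example.

```python
"""Injection: the vulnerable query beside its hardened form.

Added example, not from the lecture. The vulnerable function builds SQL by
string formatting, so the attacker's input becomes part of the statement.
The hardened form passes the value as a bound parameter, so it can only
ever be compared as a string. Data are constructed.
"""
import sqlite3

def setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret-a"), ("bob", "s3cret-b"), ("carol", "s3cret-c")])
    return db

def lookup_vulnerable(db, name):
    # User input is concatenated into the statement text: data becomes code.
    sql = "SELECT name, secret FROM users WHERE name = '%s'" % name
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    # The value travels separately from the statement; the driver never
    # re-parses it, so quotes or keywords inside it have no meaning.
    return db.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()

PAYLOAD = "x' OR '1'='1"   # closes the quoted literal and appends a tautology

def demo():
    db = setup()
    return {
        "honest_vulnerable": lookup_vulnerable(db, "alice"),
        "attack_vulnerable": lookup_vulnerable(db, PAYLOAD),
        "honest_safe": lookup_safe(db, "alice"),
        "attack_safe": lookup_safe(db, PAYLOAD),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:18s} -> {len(v)} row(s): {v}")
```

With the payload, the vulnerable statement becomes `... WHERE name = 'x' OR '1'='1'` and returns every user's secret; the parameterised statement looks for a user literally named `x' OR '1'='1` and returns nothing. Escaping quotes by hand is not an equivalent defence, since the same mistake reappears with numeric fields, identifiers and second-order inputs; binding parameters is the general fix.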

Denial of Service
DoS (Denial of Service) is an attack whose goal is to make the server stop responding to requests. It does not directly aim at obtaining any secret information; it is used to paralyse the targeted services. Two mechanisms are typical: exploiting a bug in the service that raises an unhandled exception and stops it (in some cases the same bug lets attacker-supplied code run), and flood attacks, in which the server is unable to process all incoming packets.

DDoS (Distributed Denial of Service) is a subtype of DoS with the same goal, but carried out not from one computer but from many computers in the network. These attacks use either bugs that cause the service to fail, or the reaction of protective mechanisms that block the service and thereby also deny it. DDoS is used where ordinary DoS is ineffective: several computers are combined, each performs a DoS attack on the victim, and together this constitutes a DDoS attack.

Ways to protect against network attacks.
There are many ways to protect against intruders, including antivirus software, firewalls, various built-in filters and so on. The most effective is the competence of the user. One should not open suspicious sites (links) or files in e-mail from unknown senders. Before opening attachments from familiar addresses it is worth asking the sender for confirmation by some channel other than e-mail. The computer literacy courses run in almost any organization help with this, but they do not replace protective mechanisms and programs. It should be remembered that the technology of network attacks does not stand still, so the antivirus should be updated as often as possible and full scans of computers carried out regularly.


There are four main categories of attacks:

Access attacks

Modification attacks

denial of service attacks

Repudiation attacks.

Let's take a closer look at each category. There are many ways to carry out attacks: using specially designed tools, social engineering methods, through vulnerabilities in computer systems. Social engineering does not use technical means to gain unauthorized access to the system. An attacker obtains information through a simple phone call or infiltrates an organization under the guise of an employee. Attacks of this kind are the most destructive.

Attacks aimed at capturing information stored in electronic form have one interesting feature: the information is not stolen, but copied. It remains with the original owner, but the attacker also gets it. Thus, the owner of the information bears losses, and it is very difficult to detect the moment when this happened.

Access attacks

Access attack is an attempt by an attacker to obtain information that they do not have permission to view. The implementation of such an attack is possible wherever there is information and means for its transmission. An access attack is aimed at violating the confidentiality of information. There are the following types of access attacks:

· snooping;

· eavesdropping;

· interception.

Snooping is the viewing of files or documents to find information of interest to the attacker. If documents are kept as printouts, the attacker opens desk drawers and rummages through them; if the information is in a computer system, he goes through file after file until he finds what he needs.

Eavesdropping is unauthorized listening to a conversation in which the attacker is not a participant. To gain access he must be close to the information, and very often uses electronic devices. Wireless networks have increased the chance of successful eavesdropping: the attacker no longer needs to be inside the premises or to physically connect a listening device to the network.

Unlike eavesdropping, interception is an active attack. The attacker captures information while it is in transit to its destination and, after analysing it, decides whether to allow or block its further passage.

Access attacks take various forms depending on how information is stored: in the form of paper documents or electronically on a computer. If the information needed by the attacker is stored in the form of paper documents, he will need access to these documents. They may be found in the following places: in file cabinets, in desk drawers or on desks, in a fax or printer in the trash, in the archive. Therefore, an attacker needs to physically penetrate all these places.

Thus, physical access is the key to obtaining data. It should be noted that reliable protection of the premises will protect data only from unauthorized persons, but not from employees of the organization or internal users.

Information is stored electronically: at workstations, on servers, in portable computers, on floppy disks, on CDs, on backup magnetic tapes.

An attacker can simply steal a storage medium (floppy disk, CD, backup tape, or laptop computer). Sometimes this is easier than accessing files stored on computers.

If an attacker has legal access to the system, he will analyze the files by simply opening them one by one. With the right level of control over permissions, access for an illegal user will be denied, and access attempts will be logged.

Properly configured permissions will prevent accidental information leakage. However, a serious attacker will try to bypass the control system and gain access to the necessary information. There are a large number of vulnerabilities that will help him in this.

When passing information over the network, you can access it by listening to the transmission. The attacker does this by installing a network packet sniffer (sniffer) on the computer system. This is usually a computer configured to capture all network traffic (not just traffic directed to this computer). To do this, the attacker must elevate their privileges in the system or connect to the network. The analyzer is configured to capture any information passing through the network, but especially user IDs and passwords.

Eavesdropping is also carried out in global computer networks such as leased lines and telephone connections. However, this type of interception requires appropriate equipment and special knowledge.

Interception is possible even in fiber-optic communication systems using specialized equipment, usually performed by a skilled attacker.

Gaining access to information through interception is one of the harder tasks for an attacker. To succeed, he must place his system in the transmission path between sender and receiver. On the Internet this is done by subverting name resolution so that the computer name translates to the attacker's address: traffic is redirected to the attacker's system instead of the real destination. With the appropriate configuration of that system, which forwards the traffic on, the sender never learns that his information did not go straight to the intended recipient.

Interception is also possible during an active communication session. This type of attack is best suited for capturing interactive traffic. In this case, the attacker must be on the same network segment as the client and the server. The attacker waits for a legitimate user to open a session on the server and then, using specialized software, takes over the session already in progress.

Modification attacks

A modification attack is an unauthorized attempt to change information. Such an attack is possible wherever information is stored or transmitted. It is aimed at violating the integrity of the information.

One type of modification attack is the replacement of existing information, such as changing an employee's salary. A substitution attack can be directed against both secret and publicly available information.

Another type of attack is the addition of new data, for example, records concerning past periods. In this case, the attacker performs an operation in the banking system as a result of which funds from a client's account are transferred to his own account.

A removal attack means deleting existing data, such as removing a transaction from a bank's balance sheet so that funds withdrawn from the account appear to remain there.

Like access attacks, modification attacks are performed against information stored in paper documents or electronically on a computer.

Paper documents are difficult to alter without anyone noticing: if there is a signature (for example, on a contract), it has to be forged, and a bound document must be carefully reassembled. If copies of the document exist, they have to be altered just like the original, and since it is almost impossible to find every copy, a forgery is easy to spot.

Adding or removing entries from activity logs is also very difficult. First, the information in them is arranged in chronological order, so any change will be noticed immediately. The best option is to remove the document and replace it with a new one. These types of attacks require physical access to the information.

Modifying information stored electronically is much easier. Provided the attacker has access to the system, such an operation leaves a minimum of evidence behind. Without authorized access to the files, the attacker must first obtain a login to the system or change the file access control settings.

Modifying database files or a transaction list must be done very carefully. Transactions are numbered sequentially, so the deletion of a transaction or the addition of an incorrect transaction number will be noticed. In these cases the attacker has to work through the entire system to avoid detection.
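The two detection points made above, sequential transaction numbers and chronological ordering of log entries, can be turned into a routine integrity audit. The following is an added example, not code from the original article; the ledger records and the field names are constructed for illustration.

```python
"""Integrity audit of a sequentially numbered, chronological transaction log.

Constructed example: a deleted record shows up as a gap in the sequence,
an inserted record as a reused sequence number, and a backdated insertion
as a record whose timestamp precedes that of its predecessor.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Transaction:
    seq: int            # sequential transaction number assigned by the system
    ts: datetime        # time the transaction was recorded
    account: str        # constructed account identifier
    amount: float       # positive = deposit, negative = withdrawal


def audit_ledger(ledger):
    """Return findings as {'missing': [...], 'duplicate': [...], 'out_of_order': [...]}."""
    findings = {"missing": [], "duplicate": [], "out_of_order": []}
    if not ledger:
        return findings
    records = sorted(ledger, key=lambda t: (t.seq, t.ts))
    by_seq = {}
    for t in records:
        by_seq.setdefault(t.seq, []).append(t)
    # Gaps in the numbering indicate deleted transactions.
    findings["missing"] = [s for s in range(records[0].seq, records[-1].seq + 1)
                           if s not in by_seq]
    # A number used more than once indicates an inserted transaction.
    findings["duplicate"] = [s for s, ts in by_seq.items() if len(ts) > 1]
    # Later numbers must not carry earlier timestamps: a backdated "historical" entry.
    for prev, cur in zip(records, records[1:]):
        if cur.ts < prev.ts:
            findings["out_of_order"].append(cur.seq)
    return findings


# Constructed ledger: 103 deleted, 105 reused by an inserted record, 106 backdated.
CONSTRUCTED_LEDGER = [
    Transaction(100, datetime(2024, 3, 1, 9, 0), "ACC-1", 250.00),
    Transaction(101, datetime(2024, 3, 1, 9, 5), "ACC-2", -75.00),
    Transaction(102, datetime(2024, 3, 1, 9, 7), "ACC-1", -250.00),
    Transaction(104, datetime(2024, 3, 1, 9, 20), "ACC-3", 40.00),
    Transaction(105, datetime(2024, 3, 1, 9, 30), "ACC-2", 15.00),
    Transaction(105, datetime(2024, 3, 1, 9, 31), "ACC-9", 900.00),
    Transaction(106, datetime(2024, 2, 28, 17, 0), "ACC-9", 500.00),
]

if __name__ == "__main__":
    print(audit_ledger(CONSTRUCTED_LEDGER))
```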
