
Types of network attacks and main vulnerabilities. Classification of network attacks

Buffer overflows are an integral part of many types of malicious attacks. Overflow attacks come in many flavors. One of the most dangerous involves entering into an input field, along with ordinary text, executable code appended to it. Such input can overwrite part of the running program in memory with that code, which sooner or later will cause it to be executed. The consequences are not hard to imagine.

"Passive" attacks, using a sniffer for example, are especially dangerous because, firstly, they are practically undetectable and, secondly, they are mounted from the local network (an external firewall is powerless against them).

Viruses are malicious programs capable of copying and sending themselves. Back in December 1994, I received a warning about the spread of network viruses (Good Times and xxx-1) over the Internet:

Hours, days, weeks and sometimes months pass from the moment a virus is created until it is detected; how long depends on how quickly the effects of infection manifest themselves. The longer this period, the more computers are infected. After the infection and the spread of a new type of virus are detected, it takes from a couple of hours (for example, for Email_Worm.Win32.Bagle.bj) to three weeks ([email protected]) to identify the signature, create an antidote and add the signature to the antivirus program's database. A time diagram of the virus life cycle is shown in Fig. 12.1 ("Network Security", v.2005, Issue 6, June 2005, pp. 16-18). In 2004 alone, 10,000 new virus signatures were registered. The Blaster worm infected 90% of machines in 10 minutes. Within that time the antivirus team would have to detect the object, classify it and develop countermeasures. It is clear that this is unrealistic. So an antivirus program is not so much a means of counteraction as a sedative... The same considerations hold for all other types of attacks. When the signature of an attack becomes known, the attack itself is usually no longer dangerous, since countermeasures have already been developed and the vulnerability has been closed. It is for this reason that so much attention is paid to software update (patch) management.

Some viruses and worms have built-in SMTP engines for mailing themselves out, and backdoors for unhindered entry into the infected machine. The newest versions are equipped with means of suppressing the activity of other viruses or worms. In this way, entire networks of infected machines (botnets) can be created, ready to launch, for example, a DDoS attack on command. To control such zombie machines, the IRC (Internet Relay Chat) protocol can be used. This messaging system is supported by a large number of servers, so such a channel is usually difficult to track and log. This is also helped by the fact that most systems control inbound traffic more closely than outbound traffic. Bear in mind that, in addition to DoS attacks, an infected machine can serve to scan other computers and send spam, to store illegal software, to control the machine itself and steal documents stored on it, and to reveal the passwords and keys used by its owner. The damage from the Blaster virus is estimated at $475,000.

Unfortunately, there is no reliable means of detecting new viruses (whose signature is not yet known).


Fig. 12.1. Time diagram of the virus life cycle.

In 2005, another threat was identified: the spread of viruses and network worms by means of robot programs (bots) controlled over IRC.

Bot programs are not always dangerous: some varieties are used to collect data, for instance about customer preferences, and in the Google search engine they collect and index documents. But in the hands of a hacker these programs turn into dangerous weapons. The most famous attack was launched in 2005, although preparations and the "first experiments" began in September 2004. The program looked for machines with specific vulnerabilities, in particular in LSASS (Local Security Authority Subsystem Service, Windows). The LSASS security subsystem has itself proven vulnerable to buffer overflow attacks. Although the vulnerability has already been patched, the number of un-updated machines remains significant. After an intrusion, the hacker usually uses IRC to perform the operations he wants (opening a specific port, sending spam, starting a scan for other potential victims). A new feature of such programs is that they are embedded in the operating system in such a way (as a rootkit) that they cannot be detected, because they reside in the OS kernel zone. If an antivirus program tries to access a specific area of memory in order to detect malicious code, the rootkit intercepts the request and reports to the checking program that everything is in order. To make matters worse, bot programs can modify content.

During the operation of computer systems, various problems often arise. Some are caused by mistakes, and some are the result of malicious acts. In either case, damage is done. Therefore we will call such events attacks, regardless of why they occur.

There are four main categories of attacks:

  • access attacks;
  • modification attacks;
  • denial of service attacks;
  • repudiation attacks.

Let's take a closer look at each category. There are many ways to carry out attacks: using specially designed tools, by social engineering, or through vulnerabilities in computer systems. Social engineering does not use technical means to gain unauthorized access to the system: the attacker obtains information through a simple phone call, or infiltrates the organization under the guise of an employee. This type of attack is the most destructive.

Attacks aimed at capturing information stored in electronic form have one interesting feature: the information is not stolen but copied. It remains with its original owner, but the attacker gets it too. Thus the owner of the information incurs losses, and it is very difficult to pinpoint the moment when this happened.

Defining an Access Attack

An access attack is an attempt by an attacker to obtain information that they do not have permission to view. The implementation of such an attack is possible wherever there is information and the means for its transmission (Fig. 2.1). An access attack aims to violate the confidentiality of information.


Fig. 2.1.

Snooping

Snooping is the browsing of files or documents to find information of interest to an attacker. If documents are stored as printouts, the attacker will open desk drawers and rummage through them. If the information is in a computer system, the attacker will go through it file by file until the information he needs is found.

Eavesdropping

When someone is listening to a conversation that they are not a party to, this is called eavesdropping. To obtain unauthorized access to information

The Internet is completely changing our way of life: work, study, leisure. These changes will take place both in areas already known to us (e-commerce, real-time access to information, expanded communication capabilities, etc.) and in areas we cannot yet imagine.

The time may come when the corporation will make all its phone calls over the Internet, and completely free of charge. In private life, it is possible that special Web sites may appear, with the help of which parents can at any time find out how their children are doing. Our society is just beginning to realize the limitless possibilities of the Internet.

Introduction

Along with the tremendous growth in popularity of the Internet, there is an unprecedented danger of disclosing personal data, critical corporate resources, state secrets, etc.

Every day, hackers threaten these resources, trying to gain access to them using special attacks that are gradually becoming more sophisticated on the one hand and easier to execute on the other. Two main factors contribute to this.

First, it is the ubiquitous penetration of the Internet. Today, millions of devices are connected to the Internet, and many millions of devices will be connected to the Internet in the near future, so the likelihood of hackers accessing vulnerable devices is constantly growing.

In addition, the widespread use of the Internet allows hackers to exchange information on a global scale. A simple search for keywords like "hacker", "hack", "crack" or "phreak" will return thousands of sites, on many of which you can find malicious code and instructions for using it.

Second, there is the widespread adoption of easy-to-use operating systems and development environments. This factor dramatically reduces the level of knowledge and skill required of a hacker. Previously, in order to create and distribute easy-to-use applications, a hacker had to have good programming skills.

Now, to obtain a hacking tool, you only need to know the IP address of the site that hosts it, and to carry out an attack it is enough to click the mouse.

Classification of network attacks

Network attacks are as diverse as the systems against which they are directed. Some attacks are very complex; others are within the reach of an ordinary operator who does not even know what the consequences of his activity can be. To assess the types of attacks, it is necessary to know some of the inherent limitations of the TCP/IP protocol suite.

The Internet was created for communication between government agencies and universities, to assist the educational process and scientific research. The creators of this network had no idea how widespread it would become. As a result, early Internet Protocol (IP) specifications lacked security requirements. This is why many IP implementations are inherently vulnerable.

Over the years, after many Requests for Comments (RFCs), IP security has finally begun to be implemented. However, because security tools for the IP protocol were not developed from the start, all its implementations have come to be supplemented by a variety of network procedures, services and products that reduce the risks inherent in this protocol. Next, we will take a quick look at the types of attacks that are commonly used against IP networks and list ways to combat them.

Packet sniffer

A packet sniffer is an application program that uses a network card operating in promiscuous mode (in this mode, all packets received over physical channels are sent to the application by the network adapter for processing).

At the same time, the sniffer intercepts all network packets that are transmitted within a particular domain. Currently, sniffers operate on networks on a completely legal basis: they are used for troubleshooting and traffic analysis. However, because some network applications transmit data in plain text (Telnet, FTP, SMTP, POP3, etc.), with the help of a sniffer you can learn useful and sometimes confidential information (for example, usernames and passwords).

Interception of usernames and passwords is very dangerous because users often use the same username and password for multiple applications and systems. Many users generally have a single password to access all resources and applications.

If the application runs in client-server mode and authentication data is transmitted over the network in readable text, this information can most likely be used to access other corporate or external resources. Hackers know human weaknesses all too well and exploit them (attack methods are often based on social engineering).

They are perfectly aware that we use the same password to access many resources, and therefore, having learned our password, they often manage to gain access to important information. In the worst case, a hacker gains system-level access to a user's resources and uses it to create a new user account that can be used at any time to access the network and its resources.

You can mitigate the packet sniffing threat by using the following tools:

Authentication. Strong authentication is the most important way to protect against packet sniffing. By "strong" we mean authentication methods that are difficult to bypass. An example of such authentication is One-Time Passwords (OTP).

OTP is a two-factor authentication technology that combines what you have with what you know. A typical example of two-factor authentication is the operation of an ordinary ATM, which recognizes you, firstly, by your plastic card, and secondly, by the PIN code you enter. For authentication in the OTP system, a PIN code and your personal card are also required.

A token is a hardware or software tool that generates a unique one-time password. If a hacker captures this password with a sniffer, the information is useless, since by then the password has already been used and retired.

Note that this anti-sniffing method is only effective in cases where passwords are intercepted. Sniffers that intercept other information (for example, e-mail messages) do not lose their effectiveness.
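The replay property described above is the whole point of a one-time password: the code a sniffer captures has already been consumed. The following is an added example, not code from the page, implementing an HMAC-based one-time password (HOTP, RFC 4226) generator and a server-side verifier; the secret is the RFC 4226 test-vector secret, and the `OtpVerifier` class, its look-ahead window and the `replay_demo` scenario are constructed for this illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to a decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


class OtpVerifier:
    """Server-side state for one token (hypothetical model): the shared
    secret and the next counter value still acceptable. Every accepted code
    moves the counter forward, so a code seen on the wire cannot be reused."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # tolerate a few unused presses on the token

    def verify(self, code: str) -> bool:
        for step in range(self.look_ahead + 1):
            candidate = self.counter + step
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1  # retire this code and any skipped ones
                return True
        return False


def replay_demo() -> dict:
    """Constructed scenario: a user logs in, a sniffer captures the code,
    the captured code is replayed, then the user presses the token again."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret
    server = OtpVerifier(secret)
    token_counter = 0

    first = hotp(secret, token_counter)    # user presses the token
    token_counter += 1
    accepted = server.verify(first)        # legitimate login succeeds
    replayed = server.verify(first)        # same code, captured by a sniffer: rejected
    second = hotp(secret, token_counter)   # next press still works
    next_ok = server.verify(second)
    return {"first": first, "accepted": accepted, "replayed": replayed,
            "second": second, "next_ok": next_ok}


if __name__ == "__main__":
    print(replay_demo())
```

Note that the counter in the verifier is the defence: rejection of the replay does not depend on secrecy of the code, only on the server never accepting a counter value it has already passed.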

Switched infrastructure. Another way to combat packet sniffing in your network environment is to build a switched infrastructure. If, for example, an entire organization uses switched Ethernet, hackers can only access traffic on the port to which they are connected. A switched infrastructure does not eliminate the threat of sniffing, but it significantly reduces its severity.

Anti-sniffers. The third way to combat sniffing is to install hardware or software that can recognize sniffers running on your network. These tools cannot completely eliminate the threat, but, like many other network security tools, they form part of the overall defense system. Anti-sniffers measure host response times and determine whether hosts are processing traffic not addressed to them. One such product, supplied by L0pht Heavy Industries, is called AntiSniff.

Cryptography. This is the most effective way to deal with packet sniffing: although it does not prevent eavesdropping and does not recognize the work of sniffers, it makes that work useless. If the communication channel is cryptographically protected, the hacker intercepts not the message but the ciphertext (that is, an incomprehensible sequence of bits). Cisco network-layer cryptography is based on IPSec, which is a standard method for secure communication between devices using IP. Other cryptographic network management protocols include SSH (Secure Shell) and SSL (Secure Sockets Layer).

IP spoofing

IP spoofing occurs when a hacker, whether inside or outside of a corporation, impersonates an authorized user. This can be done in two ways: a hacker can either use an IP address that is within the range of authorized IP addresses, or an authorized external address that is allowed access to certain network resources.

IP spoofing attacks are often the starting point for other attacks. A classic example is a DoS attack that starts with someone else's address that hides the true identity of the hacker.

Typically, IP spoofing is limited to inserting false information or malicious commands into the normal data stream between client and server applications or peer-to-peer communications.

For two-way communication, a hacker must modify all routing tables to direct traffic to a spoofed IP address. Some hackers, however, do not even try to get a response from applications - if the main task is to get an important file from the system, then the responses of applications do not matter.

If the hacker manages to change the routing tables and direct traffic to a false IP address, he will receive all the packets and can respond to them as if he were an authorized user.

The spoofing threat can be mitigated (but not eliminated) by using the following measures:

  • Access control. The easiest way to prevent IP spoofing is to configure access control properly. To reduce the effectiveness of IP spoofing, configure access control to cut off any traffic coming from the external network whose source address should be located inside your network.

    However, this only helps against IP spoofing when internal addresses alone are authorized; if some external addresses are also authorized, this method becomes ineffective;

  • Filtering RFC 2827. You can prevent users of your network from spoofing other people's networks (and become a good network citizen). This requires rejecting any outbound traffic whose source address is not one of your organization's IP addresses.

    This type of filtering, known as RFC 2827 filtering, can also be performed by your ISP. As a result, all traffic that does not have a source address expected on a particular interface is discarded. For example, if the ISP provides a connection to 15.1.1.0/24, it can configure the filter so that only traffic sourced from 15.1.1.0/24 is allowed from that interface into the ISP's router.

Note that until all providers implement this type of filtering, its effectiveness will be much lower than it could be. In addition, the further away from the filtered devices, the harder it is to filter precisely. For example, RFC 2827 filtering at the access router level can only require that all traffic come from the main network address block (10.0.0.0/8), while at the distribution level (in this architecture) you can limit traffic more precisely (to 10.1.5.0/24).
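The two filters above (an ingress rule that drops outside packets claiming an inside address, and the RFC 2827 egress rule that drops outbound packets with a foreign source) are easy to model. The following is an added example, not configuration from the page or any vendor's ACL syntax: a small Python model of a filter point that applies both rules, run over the page's own example prefixes (15.1.1.0/24, 10.0.0.0/8 and 10.1.5.0/24). The `FilterPoint` class, the `spoofing_demo` scenario and the individual host addresses are constructed for this illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class FilterPoint:
    """A router or switch interface where source-address filtering is applied
    (hypothetical model). `inside` holds the prefixes that may legitimately
    originate traffic on the protected side of this point."""
    name: str
    inside: List[ipaddress.IPv4Network] = field(default_factory=list)

    def is_inside(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in self.inside)

    def check(self, direction: str, src: str) -> Tuple[bool, str]:
        """direction: 'in' = arriving from the outside, 'out' = leaving towards it.
        Returns (permit, reason)."""
        if direction not in ("in", "out"):
            raise ValueError("direction must be 'in' or 'out'")
        inside = self.is_inside(src)
        if direction == "in" and inside:
            # Access-control rule from the text: a packet arriving from outside
            # must not carry a source address that belongs inside.
            return False, f"{self.name}: drop inbound packet spoofing inside address {src}"
        if direction == "out" and not inside:
            # RFC 2827 egress rule: only our own prefixes may leave.
            return False, f"{self.name}: drop outbound packet with foreign source {src}"
        return True, f"{self.name}: permit {direction}bound {src}"


def make_point(name: str, *prefixes: str) -> FilterPoint:
    return FilterPoint(name, [ipaddress.ip_network(p) for p in prefixes])


def spoofing_demo() -> Dict[str, bool]:
    """Runs constructed packets through the three filter points the text
    discusses; True means the packet is permitted."""
    isp = make_point("ISP customer interface", "15.1.1.0/24")
    access = make_point("access router", "10.0.0.0/8")
    distribution = make_point("distribution layer", "10.1.5.0/24")
    return {
        # ISP side: the customer on 15.1.1.0/24 may only send from that block
        "isp_legit": isp.check("out", "15.1.1.77")[0],
        "isp_spoofed": isp.check("out", "198.51.100.9")[0],
        # precision: the /8 filter lets a forged 10.7.7.7 through, the /24 does not
        "access_forged_10": access.check("out", "10.7.7.7")[0],
        "distribution_forged_10": distribution.check("out", "10.7.7.7")[0],
        "distribution_legit": distribution.check("out", "10.1.5.20")[0],
        # ingress anti-spoofing: an outside packet claiming an inside address is dropped
        "inbound_claims_inside": access.check("in", "10.1.5.20")[0],
        "inbound_normal": access.check("in", "198.51.100.9")[0],
    }


if __name__ == "__main__":
    for name, permitted in spoofing_demo().items():
        print(f"{name:24s} {'permit' if permitted else 'drop'}")
```

The `access_forged_10` / `distribution_forged_10` pair is the precision point made in the text: a filter placed at the /8 boundary cannot tell a forged 10.7.7.7 from a real one, while the filter closest to the hosts can.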

The most effective method for dealing with IP spoofing is the same as for packet sniffing: the attack must be made completely ineffective. IP spoofing can only function if authentication is based on IP addresses.

Therefore, the introduction of additional authentication methods makes such attacks useless. The best type of additional authentication is cryptographic. If this is not possible, two-factor authentication using one-time passwords can give good results.

Denial of service

Denial of Service (DoS) is without doubt the most well-known form of hacker attacks. In addition, against this type of attack, it is most difficult to create one hundred percent defense. DoS attacks are considered child's play among hackers, and their use causes contemptuous grins, since the organization of DoS requires a minimum of knowledge and skills.

However, it is the simplicity of implementation and the sheer magnitude of the harm that is causing DoS to draw the scrutiny of network security administrators. If you would like to learn more about DoS attacks, you should consider the more well-known varieties, which are:

  • TCP SYN Flood;
  • Ping of Death;
  • Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K);
  • Trinoo;
  • Stacheldraht;
  • Trinity.

An excellent source of security information is the Computer Emergency Response Team (CERT), which has excellent work on countering DoS attacks.

DoS attacks are different from other types of attacks. They are not aimed at gaining access to your network, nor at obtaining any information from that network, but a DoS attack makes your network unavailable for normal use by exceeding the acceptable limits for the functioning of the network, operating system or application.

For some server-side applications (such as a Web server or FTP server), DoS attacks can take all the connections available to those applications and keep them busy, preventing ordinary users from serving. DoS attacks can use common Internet protocols such as TCP and ICMP ( Internet Control Message Protocol).

Most DoS attacks are not targeted at software bugs or security holes, but at general weaknesses in the system architecture. Some attacks nullify network performance by flooding the network with unwanted and unnecessary packets or by giving false information about the current state of network resources.

This type of attack is difficult to prevent, as it requires coordination with the provider. If the traffic intended to flood your network is not stopped at the provider, you will not be able to stop it at your network's edge, since the entire bandwidth will already be occupied. When this type of attack is carried out simultaneously from multiple devices, we are talking about a distributed DoS (DDoS) attack.

The threat of DoS attacks can be mitigated in three ways:

  • Anti-spoofing functions. Correctly configuring anti-spoofing features on your routers and firewalls will help reduce the risk of DoS. At a minimum, these features should include RFC 2827 filtering. Unless a hacker can disguise his true identity, he is unlikely to launch an attack.
  • Anti-DoS functions. Proper configuration of anti-DoS features on routers and firewalls can limit the effectiveness of attacks. These functions often limit the number of half-open connections allowed at any given time.
  • Traffic rate limiting. The organization can ask the ISP to limit the amount of traffic. This type of filtering allows you to limit the amount of non-critical traffic passing through your network. A typical example is limiting the amount of ICMP traffic, which is used for diagnostic purposes only. (D)DoS attacks often use ICMP.
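The "limit the number of half-open connections" function in the second bullet is worth seeing concretely. The following is an added example, not code from the page or from any router vendor: a Python model of an embryonic-connection table with a per-source cap, a global cap and an expiry timeout, exercised by a constructed scenario in which one source sends SYNs without ever completing the handshake while a normal client does. The `HalfOpenLimiter` class, the limits, the timestamps and the addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are all assumptions of this illustration.

```python
from collections import defaultdict
from typing import Dict, Tuple

ConnId = Tuple[str, int, int]   # (src_ip, src_port, dst_port)


class HalfOpenLimiter:
    """Embryonic (SYN seen, no final ACK) connection table of the kind an
    anti-DoS feature keeps (hypothetical model). A SYN is admitted only while
    the per-source and global budgets are free; entries that never complete
    the handshake expire, so a flood cannot pin the table forever."""

    def __init__(self, per_source_max: int = 10, global_max: int = 1000,
                 timeout: float = 30.0):
        self.per_source_max = per_source_max
        self.global_max = global_max
        self.timeout = timeout
        self.pending: Dict[str, Dict[ConnId, float]] = defaultdict(dict)

    def _expire(self, now: float) -> None:
        for src in list(self.pending):
            table = self.pending[src]
            for cid, started in list(table.items()):
                if now - started > self.timeout:
                    del table[cid]
            if not table:
                del self.pending[src]

    def total(self) -> int:
        return sum(len(t) for t in self.pending.values())

    def on_syn(self, cid: ConnId, now: float) -> bool:
        """Return True if the SYN is admitted, False if it is dropped."""
        self._expire(now)
        src = cid[0]
        if self.total() >= self.global_max:
            return False                      # table full: protect everyone
        if len(self.pending[src]) >= self.per_source_max:
            return False                      # this source has used its budget
        self.pending[src][cid] = now
        return True

    def on_ack(self, cid: ConnId) -> None:
        """Third handshake packet: the connection is established, free the slot."""
        src = cid[0]
        self.pending[src].pop(cid, None)
        if not self.pending[src]:
            del self.pending[src]


def flood_demo() -> dict:
    """Constructed traffic: one source sends 15 SYNs to port 80 and never
    completes a handshake; a well-behaved client completes its handshake."""
    lim = HalfOpenLimiter(per_source_max=10, timeout=30.0)
    t = 1000.0
    flood_admitted = sum(
        lim.on_syn(("203.0.113.9", 40000 + i, 80), t) for i in range(15))
    # the flooder's exhausted budget does not affect a normal client
    client_ok = lim.on_syn(("198.51.100.4", 51000, 80), t + 1)
    lim.on_ack(("198.51.100.4", 51000, 80))
    # once the timeout passes, the flooder's stale entries are released
    after_timeout = lim.on_syn(("203.0.113.9", 41000, 80), t + 31)
    return {"flood_admitted": flood_admitted, "client_ok": client_ok,
            "after_timeout": after_timeout, "pending": lim.total()}


if __name__ == "__main__":
    print(flood_demo())
```

A real implementation would key the budget on more than the source address (a flood from many spoofed sources defeats a per-source cap alone), which is why the text pairs this function with RFC 2827 anti-spoofing and with rate limiting at the ISP.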

Password attacks

Hackers can conduct password attacks using a variety of techniques, such as brute force attacks, Trojan horses, IP spoofing, and packet sniffing. Although the username and password can often be obtained through IP spoofing and packet sniffing, hackers often try to guess the password and username using numerous access attempts. This approach is called a brute force attack.

Often, a special program is used for such an attack, which tries to gain access to a shared resource (for example, a server). If, as a result, the hacker is granted access to resources, he gets it as the ordinary user whose password was guessed.

If this user has significant access privileges, the hacker can create a back door for himself for future access, which will remain valid even if the user changes his password and login.

Another problem arises when users use the same (albeit very good) password to access many systems: corporate, personal, and Internet systems. Since the strength of the password is equal to the strength of the weakest host, a hacker who learns the password through this host gains access to all other systems where the same password is used.

Password attacks can be avoided by not using passwords in plain text. One-time passwords and / or cryptographic authentication can virtually negate the threat of such attacks. Unfortunately, not all applications, hosts and devices support the above authentication methods.

When using regular passwords, try to come up with one that would be difficult to guess. The minimum password length must be at least eight characters. The password must include uppercase characters, numbers and special characters (#, %, $, etc.).

The best passwords are hard to guess and hard to remember, forcing users to write them down on paper. To avoid this, users and administrators can use a number of the latest technological advances.

For example, there are application programs that encrypt a list of passwords that you can store in your Pocket PC. As a result, the user only needs to remember one complex password, while all the rest will be reliably protected by the application.

There are several methods for the administrator to combat password guessing. One is to use the L0phtCrack tool, which is often used by hackers to guess passwords in Windows NT. This tool will quickly show you if it is easy to guess the password the user has chosen. More information can be obtained at http://www.l0phtcrack.com/.

Man-in-the-Middle attacks

For a Man-in-the-Middle attack, a hacker needs access to packets on the network. Such access to all packets transmitted from the provider to any other network can, for example, be obtained by an employee of this provider. This type of attack often uses packet sniffers, transport protocols, and routing protocols.

Attacks are carried out with the aim of stealing information, intercepting the current session and gaining access to private network resources, for analyzing traffic and obtaining information about the network and its users, for carrying out DoS attacks, distorting transmitted data and introducing unauthorized information into network sessions.

Man-in-the-Middle attacks can be effectively combated only with the help of cryptography. If a hacker intercepts the data of an encrypted session, it will not be the intercepted message that will appear on his screen, but a meaningless set of characters. Note that if a hacker obtains information about a cryptographic session (for example, a session key), then this can make a Man-in-the-Middle attack possible even in an encrypted environment.

Application Layer Attacks

Application layer attacks can be carried out in several ways. The most common of these is exploiting well-known weaknesses in server software (sendmail, HTTP, FTP). Using these weaknesses, hackers can gain access to the computer on behalf of the user running the application (usually this is not a simple user, but a privileged administrator with system access rights).

Application-level attacks are widely publicized to give administrators the ability to fix the problem with corrective modules (patches). Unfortunately, many hackers also have access to this information, which allows them to improve their attacks.

The main problem with application layer attacks is that hackers often use ports that are allowed to pass through the firewall. For example, a hacker exploiting a known weakness in a Web server often uses TCP port 80 in an attack. Since the Web server provides users with Web pages, the firewall must provide access to that port. From the point of view of the firewall, the attack is treated as standard traffic on port 80.

Application-layer attacks cannot be completely ruled out. Hackers are constantly discovering and publishing new vulnerabilities in application programs on the Internet. The most important thing here is good system administration. Here are some steps you can take to reduce your vulnerability to this type of attack:

  • read operating system log files and network log files and/or analyze them using special analytical applications;
  • subscribe to the application weakness distribution service Bugtraq (http://www.securityfocus.com).

Network intelligence

Network intelligence is the collection of information about a network using publicly available data and applications. When preparing an attack against a network, a hacker, as a rule, tries to obtain as much information about it as possible. Network reconnaissance is done in the form of DNS queries, pings, and port scans.

DNS queries help you understand who owns a particular domain and what addresses are assigned to that domain. Pinging DNS-exposed addresses allows you to see which hosts are actually running in your environment. After obtaining a list of hosts, a hacker uses port scanning tools to compile a complete list of services supported by those hosts. Finally, the hacker analyzes the characteristics of the applications running on the hosts. As a result, he extracts information that can be used for hacking.

It is impossible to completely get rid of network intelligence. If, for example, you disable ICMP echo and echo reply on your edge routers, you will get rid of the pings, but you will lose the data needed to diagnose network failures.

In addition, ports can be scanned without pinging first; it just takes longer, as non-existent IP addresses have to be scanned as well. IDS systems at the network and host level usually do a good job of notifying the administrator about ongoing network intelligence, which allows you to prepare better for an impending attack and alert the ISP on whose network a system is showing excessive curiosity.

Two further measures against application-layer attacks, continuing the list above:

  1. use the latest versions of operating systems and applications and the latest correction modules (patches);
  2. In addition to system administration, use Intrusion Detection Systems (IDS), of which there are two complementary technologies:
    • A network IDS (NIDS) monitors all packets passing through a specific domain. When the NIDS sees a packet or series of packets that match the signature of a known or probable attack, it generates an alarm and/or terminates the session;
    • A host IDS (HIDS) protects the host with software agents. This system only fights attacks against a single host.

IDSs operate using attack signatures, which are profiles of specific attacks or attack types. Signatures define the conditions under which traffic is considered hostile. Analogs of an IDS in the physical world are a burglar alarm or a surveillance camera.

The biggest disadvantage of IDSs is their propensity to generate false alarms. Careful configuration is required to minimize false alarms and ensure the correct functioning of the IDS on the network.
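The reconnaissance described in the Network intelligence section (port scans and ping sweeps) is exactly the kind of activity a signature- or threshold-based IDS flags, and the thresholds are where the false-alarm tuning mentioned above happens. The following is an added example, not code from the page or from any IDS product: a small Python detector run over constructed firewall log lines. The log format, the `detect_recon` thresholds and window, and all addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are assumptions of this illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed firewall log (not from the page): t = seconds, then action,
# source, destination, protocol and destination port or ICMP type.
SAMPLE_LOG = """\
t=100 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=21
t=100 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22
t=101 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=23
t=101 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=25
t=102 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=53
t=102 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=110
t=103 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=139
t=103 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=143
t=104 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=443
t=104 DENY src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=445
t=105 ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=80
t=106 ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=80
t=107 ALLOW src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443
t=200 DENY src=203.0.113.66 dst=192.0.2.1 proto=icmp type=8
t=200 DENY src=203.0.113.66 dst=192.0.2.2 proto=icmp type=8
t=201 DENY src=203.0.113.66 dst=192.0.2.3 proto=icmp type=8
t=201 DENY src=203.0.113.66 dst=192.0.2.4 proto=icmp type=8
t=202 DENY src=203.0.113.66 dst=192.0.2.5 proto=icmp type=8
t=202 DENY src=203.0.113.66 dst=192.0.2.6 proto=icmp type=8
t=203 DENY src=203.0.113.66 dst=192.0.2.7 proto=icmp type=8
t=203 DENY src=203.0.113.66 dst=192.0.2.8 proto=icmp type=8
"""

LINE_RE = re.compile(
    r"t=(\d+) (\w+) src=(\S+) dst=(\S+) proto=(\w+)(?: dport=(\d+))?(?: type=(\d+))?")


def parse(log: str) -> List[dict]:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, action, src, dst, proto, dport, itype = m.groups()
        events.append({"t": int(t), "action": action, "src": src, "dst": dst,
                       "proto": proto,
                       "dport": int(dport) if dport else None,
                       "type": int(itype) if itype else None})
    return events


def detect_recon(events: List[dict], window: int = 60,
                 port_threshold: int = 8, host_threshold: int = 8) -> List[str]:
    """Threshold signatures: many distinct TCP/UDP ports from one source within
    `window` seconds is a port scan; many distinct hosts probed with ICMP echo
    (type 8) is a ping sweep. One alert per source; thresholds are the
    tuning knobs that trade missed scans against false alarms."""
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["t"])
        for e in evs:
            recent = [x for x in evs if e["t"] - window <= x["t"] <= e["t"]]
            ports = {x["dport"] for x in recent
                     if x["proto"] in ("tcp", "udp") and x["dport"] is not None}
            hosts = {x["dst"] for x in recent
                     if x["proto"] == "icmp" and x["type"] == 8}
            if len(ports) >= port_threshold:
                alerts.append(f"PORT SCAN from {src}: {len(ports)} distinct ports "
                              f"within {window}s, first seen t={evs[0]['t']}")
                break
            if len(hosts) >= host_threshold:
                alerts.append(f"PING SWEEP from {src}: {len(hosts)} hosts "
                              f"within {window}s, first seen t={evs[0]['t']}")
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(parse(SAMPLE_LOG)):
        print(alert)
```

The normal client (198.51.100.7) touching ports 80 and 443 produces no alert; lowering `port_threshold` to 2 would flag it, which is the false-alarm trade-off the text warns about.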

Abuse of trust

Strictly speaking, this type of action is not in the full sense of the word an attack or assault. It is a malicious use of trust relationships that exist on the network. A classic example of such abuse is the situation at the edge of the corporate network.

This segment often hosts DNS, SMTP and HTTP servers. Since they all belong to the same segment, hacking any of them leads to hacking all the others, since these servers trust other systems on their network.

Another example is a system installed on the outside of a firewall that has a relationship of trust with a system installed on the inside. If an external system is compromised, the hacker can use the trust relationship to infiltrate the system protected by the firewall.

The risk of a breach of trust can be mitigated by tighter control of trust levels within your network. Systems outside the firewall should not, under any circumstances, be completely trusted by the systems protected by the firewall.

Trust relationships should be limited to certain protocols and, if possible, be authenticated not only by IP addresses, but also by other parameters.

Port forwarding

Port forwarding is a form of abuse of trust in which a compromised host is used to pass traffic through the firewall that would otherwise be rejected. Imagine a firewall with three interfaces, each of which has a specific host connected to it.

The external host can connect to the shared host (DMZ), but not to the one installed on the inside of the firewall. A shared host can connect to both an internal and an external host. If a hacker takes over a shared host, he can install software on it that redirects traffic from the external host directly to the internal host.

Although this does not violate any rule in force on the firewall, the external host, as a result of the redirection, gains direct access to the protected host. An example of an application that can provide this access is netcat. More information can be found at http://www.avian.org.

The primary way to deal with port forwarding is to use strong trust models (see the previous section). In addition, an IDS host system (HIDS) can prevent a hacker from installing his software on a host.

Unauthorized access

Unauthorized access cannot be categorized as a separate type of attack, since most network attacks are carried out precisely to gain unauthorized access. To guess a Telnet login, a hacker must first get a Telnet prompt on his system. After connecting to the Telnet port, the message "Authorization is required to use this resource." appears.

If after that the hacker continues to try to access, they will be considered unauthorized. The source of such attacks can be located both inside the network and outside.

Countermeasures are quite simple. The main thing is to reduce or completely eliminate the attacker's ability to reach the system over a protocol he is not authorized to use.

As an example, consider preventing attackers from reaching the Telnet port on a server that provides Web services to external users. Without access to this port, an attacker cannot attack it. As for the firewall, its main task is precisely to block the simplest attempts at unauthorized access.

Viruses and Trojan Horse Applications

End-user workstations are highly vulnerable to viruses and Trojan horses. Viruses are malicious programs that embed themselves in other programs in order to perform some unwanted function on the end user's workstation. An example is a virus that writes itself into the command.com file (the command interpreter of DOS and early Windows), erases other files, and infects every other copy of command.com it finds.

A Trojan horse is not an insert into another program but a complete program of its own, which at first glance appears to be a useful application but in fact plays a harmful role. An example of a typical Trojan horse is a program that looks like a simple game on the user's workstation.

While the user is playing the game, however, the program sends a copy of itself by e-mail to every address in that user's address book. All of the recipients receive the game by mail, and the spread continues from there.


Kaspersky Internet Security protects your computer from network attacks.

A network attack is an intrusion into the operating system of a remote computer. Attackers launch network attacks to take control of the operating system, to cause a denial of service, or to gain access to protected information.

Network attacks are malicious actions performed by the attackers themselves (such as port scanning and password guessing) as well as actions performed by malware installed on the attacked computer (such as transferring protected information to the attacker). Malicious programs that take part in network attacks include some Trojans, DoS attack tools, malicious scripts, and network worms.

Network attacks can be roughly divided into the following types:

  • Port scanning. This type of network attack is usually the preparatory stage of a more dangerous one. The attacker scans the UDP and TCP ports used by network services on the attacked computer and determines how exposed the computer is to more dangerous types of network attacks. Port scanning also allows the attacker to identify the operating system of the attacked computer and select network attacks suited to it.
  • DoS attacks, or network attacks causing denial of service. These are network attacks as a result of which the attacked operating system becomes unstable or completely unusable.

    There are two main kinds of DoS attack:

    • Sending the remote computer specially crafted network packets that it does not expect, which cause the operating system to malfunction or stop.
    • Sending the remote computer a large number of network packets in a short period of time. All the resources of the attacked computer are spent processing the attacker's packets, and it stops performing its functions.
  • Network intrusion attacks. These are network attacks whose purpose is to "hijack" the operating system of the attacked computer. This is the most dangerous type of network attack, because if it succeeds the operating system is completely under the attacker's control.

    This type of network attack is used when the attacker needs to obtain confidential data from a remote computer (for example, bank card numbers or passwords) or to use the remote computer for his own purposes (for example, to attack other computers from it) without the user's knowledge.
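
The first two categories above have simple, countable signatures: one source touching many ports in a short time, or one target receiving far more connection attempts than it could possibly serve. The following detector is an added example, not part of the original page or of any Kaspersky product, and runs over constructed log lines in an assumed "timestamp source destination port" format (one line per SYN); the thresholds are illustrative and would be tuned per network.

```python
from collections import defaultdict, deque

WINDOW = 5.0                 # seconds of history kept per source / per target
SCAN_PORT_THRESHOLD = 10     # distinct destination ports from one source within WINDOW
FLOOD_PKT_THRESHOLD = 200    # packets toward one target within WINDOW


def parse_line(line):
    """Constructed log format: '<timestamp> <src> <dst> <dst_port>' (one SYN per line)."""
    ts, src, dst, port = line.split()
    return float(ts), src, dst, int(port)


def analyze(lines):
    """Return alerts as (kind, address, count) tuples, one per offending address.
    Lines must be in time order."""
    by_source = defaultdict(deque)   # src -> (ts, port) seen inside the window
    by_target = defaultdict(deque)   # dst -> timestamps seen inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ts, src, dst, port = parse_line(line)

        q = by_source[src]
        q.append((ts, port))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= SCAN_PORT_THRESHOLD and ("scan", src) not in flagged:
            flagged.add(("scan", src))
            alerts.append(("port_scan", src, len(distinct)))

        t = by_target[dst]
        t.append(ts)
        while t and ts - t[0] > WINDOW:
            t.popleft()
        if len(t) >= FLOOD_PKT_THRESHOLD and ("flood", dst) not in flagged:
            flagged.add(("flood", dst))
            alerts.append(("syn_flood", dst, len(t)))
    return alerts


def sample_log():
    """Constructed traffic: one scanner, one ordinary client, one flood with forged sources."""
    rows = []
    for i in range(21):                                    # 203.0.113.5 walks ports 20..40
        rows.append((1.0 + 0.1 * i, "203.0.113.5", "192.0.2.30", 20 + i))
    for ts, port in ((1.5, 80), (2.5, 443), (3.5, 80)):     # ordinary web client
        rows.append((ts, "192.0.2.10", "192.0.2.30", port))
    for i in range(250):                                   # 250 SYNs in one second, spoofed sources
        rows.append((2.0 + 0.004 * i, f"198.51.100.{i % 250 + 1}", "192.0.2.20", 80))
    rows.sort()
    return [f"{ts:.3f} {src} {dst} {port}" for ts, src, dst, port in rows]


if __name__ == "__main__":
    for alert in analyze(sample_log()):
        print(alert)
```

Note that the flood is keyed on the target, not the source: with forged source addresses, as in the page's second DoS kind, per-source counting sees 250 harmless hosts sending one packet each and misses the attack entirely.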

  1. On the Protection tab, in the Protection against network attacks block, uncheck the Enable Network Attack Protection box.

You can also enable or disable Network Attack Blocker in the Protection Center. Disabling computer protection or individual protection components significantly increases the risk of infecting your computer; for this reason, information about disabled protection is shown in the Protection Center.

Important: if you disable Network Attack Blocker, it will not be turned on automatically after Kaspersky Internet Security or the operating system is restarted; you will need to enable it manually.

When dangerous network activity is detected, Kaspersky Internet Security automatically adds the IP address of the attacking computer to the list of blocked computers, unless this computer is added to the list of trusted computers.

  1. On the menu bar, click on the program icon.
  2. In the menu that opens, select the Settings item.

    The program settings window will open.

  3. On the Protection tab in the block Protection against network attacks check the box Enable Network Attack Protection.
  4. Click on the Exclusions button.

    A window with a list of trusted computers and a list of blocked computers will open.

  5. Open the Blocked computers tab.
  6. If you are sure that the blocked computer is not a threat, select its IP address from the list and click the Unblock button.

    A confirmation window will open.

  7. In the confirmation window, do one of the following:
    • If you want to unblock the computer, click the Unblock button.

      Kaspersky Internet Security unblocks the IP address.

    • If you want Kaspersky Internet Security never to block the selected IP address, click the button Unblock and add to exceptions.

      Kaspersky Internet Security will unblock the IP address and add it to the list of trusted computers.

  8. Click on the Save button to save your changes.

You can create a list of trusted computers. Kaspersky Internet Security does not automatically block the IP addresses of these computers when it detects dangerous network activity outgoing from them.

When a network attack is detected, Kaspersky Internet Security saves information about it in a report.

  1. Open the Security menu.
  2. Select Reports.

    The Kaspersky Internet Security reports window will open.

  3. Open the Protection against network attacks tab.

Note: If the Network Attack Blocker component terminated with an error, you can view the report and try to restart the component. If you are unable to solve the problem, contact the Technical Support Service.

Lecture 33

Topic: Types and kinds of network attacks

A remote network attack is a destructive informational impact on a distributed computing system, carried out programmatically over communication channels.

Introduction

To organize communication in a heterogeneous network environment, the TCP/IP protocol suite is used, which ensures compatibility between computers of different types. This suite gained popularity because of that compatibility and because it gives access to the resources of the global Internet, and it became the standard for internetworking. However, the ubiquity of the TCP/IP stack has also exposed its weaknesses. In particular, distributed systems are susceptible to remote attacks because their components usually communicate over open channels, so an intruder can not only passively listen to the transmitted information but also modify the traffic in transit.

The difficulty of detecting a remote attack and the relative ease of carrying one out (owing to the redundant functionality of modern systems) put this kind of illegal action in first place in terms of danger. It also hinders a timely response to the threat once it has materialized, which increases the attacker's chances of carrying the attack through successfully.

Attack classification

By the nature of the impact

Passive

Active

A passive impact on a distributed computing system (DCS) is one that does not directly affect the operation of the system but can nevertheless violate its security policy. It is precisely the absence of a direct effect on the DCS that makes a passive remote impact hard to detect. A typical example of a passive remote impact on a DCS is eavesdropping on a communication channel in the network.

An active impact on a DCS is one that directly affects the operation of the system itself (disrupting it, changing the DCS configuration, and so on) and violates the security policy adopted in it. Almost all types of remote attacks are active impacts, because an active element is inherent in the very nature of a destructive impact. The clear difference between an active and a passive impact is that an active one can in principle be detected, since carrying it out changes something in the system, whereas a passive impact leaves no traces at all (the attacker merely reads someone else's message, and nothing in the system changes at that moment). In practice the only thing that may give away a passive observer is a side effect of the observation itself, such as an interface in promiscuous mode answering frames it should have ignored, not the observation as such.

By the purpose of the impact

Disruption of the functioning of the system (its availability)

Violation of the integrity of information resources (IR)

Violation of IR confidentiality

This criterion is, in fact, a direct projection of the three basic types of threats: denial of service, disclosure, and violation of integrity.

The main goal pursued in almost any attack is to gain unauthorized access to information. There are two basic ways of doing so: interception and distortion (substitution). Interception means gaining access to information without being able to change it, and therefore leads to a breach of confidentiality. Eavesdropping on a network channel is an example of interception: it is illegitimate access to information without any possibility of substituting it. It is equally clear that a breach of confidentiality is a passive impact.

The ability to substitute information means either complete control over the flow of information between objects of the system or the ability to send arbitrary messages on behalf of someone else. Substitution therefore leads to a violation of integrity, and such a destructive informational impact is a typical example of an active impact. An example of a remote attack aimed at violating integrity is the remote attack "false DCS object" (a host of the attacker that impersonates a legitimate object of the system).

By the presence of feedback with the attacked object

With feedback

Open loop (unidirectional attack)

The attacker sends requests to the attacked object and expects to receive responses. A feedback loop thus appears between the attacker and the attacked object, allowing the attacker to react appropriately to any change on the attacked object. This is the essence of a remote attack carried out with feedback from the attacked object. Such attacks are the most typical for a DCS.

Open-loop attacks are characterized by the fact that they do not need to react to changes on the attacked object. They are usually carried out by sending single requests to the attacked object; the attacker does not need the answers to these requests. Such a remote attack can also be called unidirectional. An example of a unidirectional attack is a typical DoS attack.

By the condition of the beginning of the impact

A remote impact, like any other, can begin only under certain conditions. There are three kinds of such conditional attacks on a DCS:

On-demand attack from the attacked object

Attack upon the occurrence of the expected event on the attacked object

Unconditional attack

In the first case, the attacker begins to act on the condition that the potential target of the attack sends a request of a certain type. Such an attack can be called an attack on request from the attacked object. This kind of remote attack is the most typical for a DCS. Examples of such requests on the Internet are DNS and ARP queries, and in Novell NetWare, SAP requests.

Attack upon the occurrence of an expected event on the attacked object. The attacker continuously monitors the state of the OS of the remote target and begins to act when a specific event occurs in that system. Here the attacked object itself is the initiator of the attack. An example of such an event is the interruption of a user's session with the server without a LOGOUT command in Novell NetWare.

An unconditional attack is carried out immediately, regardless of the state of the operating system or of the attacked object. In this case, therefore, the attacker is the initiator of the attack.

When the purpose is disruption of the system's functioning (the first of the purposes listed above), other goals are pursued and the attacker is not expected to gain illegal access to data. His aim is to disable the OS of the attacked object and to make it impossible for the other objects of the system to reach its resources. An example of an attack of this type is the DoS remote attack.

By the location of the subject of the attack relative to the attacked object

Intra-segment

Intersegment

Some definitions:

The source of the attack (the subject of the attack) is the program (possibly the operator), leading the attack and carrying out direct action.

Host (host) - a computer that is an element of the network.

A router is a device that provides routing of packets on a network.

A subnetwork is a group of hosts that are part of a wider network and share the same subnet number, as configured on the router that serves them. One can also say that a subnet is a logical grouping of hosts behind a router. Hosts within the same subnet can communicate directly with each other without going through the router.

A network segment is a grouping of hosts at the physical layer.

From the point of view of a remote attack, the relative position of the subject and the object of the attack is extremely important, that is, whether they are in different or in the same segments. During an intra-segment attack, the subject and object of the attack are located in the same segment. In the case of a cross-segment attack, the subject and the target of the attack are on different network segments. This classification feature makes it possible to judge the so-called "degree of remoteness" of the attack.

It will be shown below that in practice an intra-segment attack is much easier to carry out than an intersegment one. Note, however, that an intersegment remote attack poses a far greater danger than an intra-segment one, because the object of the attack and the attacker himself may be thousands of kilometres apart, which can seriously hamper measures to repel the attack.

By the level of the ISO / OSI reference model at which the impact is carried out

Physical

Data link

Network

Transport

Session

Presentation

Application

The International Organization for Standardization (ISO) adopted the ISO 7498 standard, which describes Open Systems Interconnection (OSI); a DCS is such an open system. Every network communication protocol, and every network program, can be projected in one way or another onto the seven-layer OSI reference model. Such a layered projection makes it possible to describe the functions used in a network protocol or program in terms of the OSI model. A remote attack is implemented as a network program, so it is logical to consider it from the point of view of its projection onto the ISO/OSI reference model as well.

A brief description of some network attacks

Data fragmentation

When an IP datagram is transmitted over a network, it may be split into several fragments, and the datagram is reassembled from these fragments on arrival. An attacker can send a large number of fragments, or deliberately malformed ones (overlapping fragments, or fragments that would make the reassembled datagram larger than IP allows), which overflows the reassembly buffers on the receiving side and in some cases crashes the system.
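
An added example (not part of the original lecture) of the receiver-side checks that defeat these fragments: a small reassembler that parses constructed IPv4 fragments from raw bytes, rejects overlaps, rejects anything that would extend past the 65535-byte IPv4 limit, and caps how many fragments it will buffer for one datagram. Addresses, identifiers and the 64-fragment cap are illustrative assumptions.

```python
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # IPv4 header without options
MAX_DATAGRAM = 65535                       # largest reassembled IPv4 datagram (RFC 791)
MAX_PENDING = 64                           # fragments we are willing to hold per datagram


def make_fragment(ident, offset, more, payload,
                  src=b"\xc0\x00\x02\x0a", dst=b"\xc0\x00\x02\x14"):
    """Build one IPv4 fragment (constructed test input; checksum left at zero).
    offset is in bytes and must be a multiple of 8, as on the wire."""
    assert offset % 8 == 0 and len(payload) + 20 <= MAX_DATAGRAM
    flags_frag = (0x2000 if more else 0) | (offset // 8)      # MF flag | 13-bit offset
    hdr = IP_HDR.pack(0x45, 0, 20 + len(payload), ident, flags_frag, 64, 1, 0, src, dst)
    return hdr + payload


def parse_fragment(pkt):
    v_ihl, _, total_len, ident, ff, _, proto, _, src, dst = IP_HDR.unpack_from(pkt)
    ihl = (v_ihl & 0x0F) * 4
    return {"key": (src, dst, ident, proto),
            "offset": (ff & 0x1FFF) * 8,
            "more": bool(ff & 0x2000),
            "payload": pkt[ihl:total_len]}


class Reassembler:
    """Reassembles fragments and refuses the classic malformed cases."""

    def __init__(self):
        self.pending = {}   # key -> {"frags": [(offset, payload)], "total": int or None}

    def feed(self, pkt):
        """Returns ('ok', datagram) when complete, ('drop', reason) on an anomaly
        (the whole pending datagram is discarded), or ('wait', None)."""
        f = parse_fragment(pkt)
        key, start, end = f["key"], f["offset"], f["offset"] + len(f["payload"])
        if end > MAX_DATAGRAM:                           # oversize: would overflow a fixed buffer
            self.pending.pop(key, None)
            return ("drop", "fragment extends beyond 65535 bytes")
        entry = self.pending.setdefault(key, {"frags": [], "total": None})
        for off, pl in entry["frags"]:                    # overlap with something already held
            if start < off + len(pl) and off < end:
                self.pending.pop(key, None)
                return ("drop", "overlapping fragment")
        if not f["more"]:
            if entry["total"] is not None:
                self.pending.pop(key, None)
                return ("drop", "second final fragment")
            entry["total"] = end
        entry["frags"].append((start, f["payload"]))
        if len(entry["frags"]) > MAX_PENDING:            # fragment flood against the buffer
            self.pending.pop(key, None)
            return ("drop", "too many fragments")
        datagram = self._assemble(entry)
        if datagram is None:
            return ("wait", None)
        self.pending.pop(key, None)
        return ("ok", datagram)

    @staticmethod
    def _assemble(entry):
        if entry["total"] is None:
            return None
        pos = 0
        frags = sorted(entry["frags"])
        for off, pl in frags:
            if off != pos:           # a gap: still waiting (overlaps were rejected earlier)
                return None
            pos += len(pl)
        return b"".join(pl for _, pl in frags) if pos == entry["total"] else None


if __name__ == "__main__":
    r = Reassembler()
    print(r.feed(make_fragment(1, 0, True, b"A" * 512)))
    print(r.feed(make_fragment(1, 512, False, b"B" * 488))[0])
    print(Reassembler().feed(make_fragment(3, 65528, False, b"Z" * 100)))
```

Real stacks are a little more forgiving (an exact retransmitted duplicate is tolerated rather than treated as an overlap, and pending datagrams also expire on a timer), but the three hard refusals shown here are the ones that stop the attacks in this paragraph.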

Ping flooding attack

This attack requires the attacker to have access to fast Internet links.

The ping program sends an ICMP ECHO REQUEST packet carrying a timestamp and an identifier. The kernel of the receiving machine answers with an ICMP ECHO REPLY packet; when ping receives it, it reports the round-trip time.

In normal operation the packets are sent at intervals and hardly load the network at all. In "aggressive" (flood) mode, however, the stream of ICMP echo request and reply packets can saturate a thin link and leave it unable to carry useful traffic.

IP-encapsulated non-standard protocols

The IP packet contains a field that defines the protocol of the encapsulated packet (TCP, UDP, ICMP). Attackers can use a non-standard value of this field to transfer data that will not be captured by standard means of information flow control.

Smurf attack

The smurf attack consists of sending ICMP echo requests to a network's broadcast address with the source address forged to be that of the victim computer.

As a result, every computer that receives such a broadcast packet replies to the victim, which sharply reduces the available bandwidth of its link and in some cases cuts the attacked network off completely. The smurf attack is extremely effective and widespread.

Countermeasures: to recognize this attack, analyze the load on the link and identify the reason for the drop in throughput. A network prevents itself from being used as an amplifier by not forwarding directed broadcasts at its routers and by filtering forged source addresses at its border.

DNS spoofing attack

The result of this attack is a false mapping between an IP address and a domain name planted in the DNS server's cache. After a successful attack, all users of that DNS server receive incorrect information about domain names and IP addresses. The attack is characterized by a large number of DNS packets carrying the same domain name, because the attacker has to guess certain parameters of the DNS exchange (the 16-bit transaction ID, and the source UDP port where it is randomized) in order for the forged reply to be accepted.

Countermeasures: to detect such an attack, analyze the content of DNS traffic (in particular, bursts of replies for one name with differing transaction IDs) or deploy DNSSEC, which lets the resolver verify the signatures on the data instead of trusting whichever reply arrives first.
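
The traffic analysis just mentioned, as an added example that is not part of the original lecture: a minimal DNS message builder and parser (question section plus one A record, compression pointers handled), and a detector that flags a name for which replies with many different transaction IDs arrive. The messages, names and the eight-ID threshold are constructed for the example.

```python
import struct
from collections import defaultdict

DNS_HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_dns(txid, qname, response=False, answer_ip=None):
    """Construct a minimal query, or a response carrying one A record (test input)."""
    flags = 0x8180 if response else 0x0100
    ancount = 1 if (response and answer_ip) else 0
    msg = DNS_HDR.pack(txid, flags, 1, ancount, 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    if ancount:
        # owner name is a compression pointer to offset 12 (the question name)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(x) for x in answer_ip.split("."))
    return msg


def decode_name(msg, off):
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                                       # compression pointer
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln


def parse_dns(msg):
    txid, flags, _, ancount, _, _ = DNS_HDR.unpack_from(msg, 0)
    off = DNS_HDR.size
    qname, off = decode_name(msg, off)
    off += 4                                                        # skip QTYPE, QCLASS
    answer_ip = None
    if ancount:
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            answer_ip = ".".join(str(b) for b in msg[off:off + 4])
    return {"txid": txid, "response": bool(flags & 0x8000), "qname": qname, "answer": answer_ip}


def detect_txid_spray(messages, threshold=8):
    """messages: DNS payloads arriving at the resolver, in order. A burst of responses
    for one name carrying many different transaction IDs means someone is guessing the
    ID of an outstanding query. Returns [(qname, distinct_txids, [answers])], once per name."""
    txids = defaultdict(set)
    answers = defaultdict(set)
    alerts = []
    for msg in messages:
        d = parse_dns(msg)
        if not d["response"]:
            continue
        txids[d["qname"]].add(d["txid"])
        if d["answer"]:
            answers[d["qname"]].add(d["answer"])
        if len(txids[d["qname"]]) == threshold:
            alerts.append((d["qname"], threshold, sorted(answers[d["qname"]])))
    return alerts


def sample_traffic():
    """Constructed: one legitimate exchange, then 50 forged replies for another name."""
    msgs = [build_dns(0x1234, "www.example.com"),
            build_dns(0x1234, "www.example.com", response=True, answer_ip="192.0.2.80")]
    msgs += [build_dns(1000 + i, "login.example.net", response=True, answer_ip="203.0.113.66")
             for i in range(50)]
    return msgs


if __name__ == "__main__":
    print(detect_txid_spray(sample_traffic()))
```

A production detector would also scope the count to a time window and to replies for which a query is actually outstanding, but the core observation is the one the lecture makes: a legitimate exchange has one reply per query, and a guessing attack has many.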

IP spoofing attack

A large number of attacks on the Internet involve forging the source IP address. Among them is syslog spoofing, which consists of sending the victim computer a message on behalf of another computer on the internal network. Since the syslog protocol is used to keep system logs, false messages sent to the victim make it possible to plant information in the logs or to cover the traces of unauthorized access.

Countermeasures: attacks that rely on forged IP addresses can be detected by watching for a packet that arrives on an interface carrying that interface's own address as its source, and for packets with internal network addresses arriving on the external interface. The same rules, applied as filters rather than alerts (ingress filtering at the border and egress filtering of addresses that do not belong to the internal network), stop the forged packets outright.
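
The two checks above, together with the smurf countermeasures from the previous section, as one added example (not part of the original lecture): an edge filter that applies the anti-spoofing rules to packets arriving on the outside and inside interfaces and refuses echo requests to directed broadcast addresses, plus a victim-side smurf detector over constructed ICMP events. The topology (two internal prefixes, the interface addresses, the 20-source threshold) is assumed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed topology for the example: two internal prefixes behind a border router.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
INTERFACE_ADDRS = {"outside": ipaddress.ip_address("203.0.113.1"),
                   "inside": ipaddress.ip_address("192.0.2.1")}
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def is_directed_broadcast(addr):
    return any(addr == net.broadcast_address for net in INTERNAL_NETS)


def filter_packet(iface, src, dst, proto="tcp", icmp_type=None):
    """Anti-spoofing decision for a packet arriving on iface ('outside' or 'inside').
    Returns ('accept', None) or ('drop', reason)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in INTERFACE_ADDRS.values():
        return ("drop", "source is one of our own interface addresses")
    if iface == "outside" and is_internal(src):
        return ("drop", "internal source address arriving on the external interface")
    if iface == "inside" and not is_internal(src):
        return ("drop", "non-internal source leaving the internal network (egress filtering)")
    if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST and is_directed_broadcast(dst):
        return ("drop", "echo request to a directed broadcast address (smurf amplification)")
    return ("accept", None)


def detect_smurf(icmp_events, min_sources=20):
    """icmp_events: (src, dst, icmp_type) tuples seen on the link. A flood of echo
    replies toward one host from many distinct sources is the victim-side signature
    of a smurf attack. Returns [(victim, number_of_distinct_repliers)]."""
    repliers = defaultdict(set)
    for src, dst, typ in icmp_events:
        if typ == ICMP_ECHO_REPLY:
            repliers[dst].add(src)
    return [(dst, len(s)) for dst, s in repliers.items() if len(s) >= min_sources]


def sample_icmp_events():
    """Constructed capture: 60 amplifier hosts answering the victim, plus one normal ping."""
    events = [(f"203.0.113.{i}", "192.0.2.10", ICMP_ECHO_REPLY) for i in range(100, 160)]
    events += [("192.0.2.11", "203.0.113.50", ICMP_ECHO_REQUEST),
               ("203.0.113.50", "192.0.2.11", ICMP_ECHO_REPLY)]
    return events


if __name__ == "__main__":
    print(filter_packet("outside", "192.0.2.55", "192.0.2.10"))
    print(filter_packet("inside", "10.9.9.9", "203.0.113.77"))
    print(detect_smurf(sample_icmp_events()))
```

The egress rule on the inside interface is what keeps a network from being the origin of a smurf or a syslog-spoofing packet; the directed-broadcast rule is what keeps it from being the amplifier; and the ingress rule on the outside interface is the detection the lecture describes, turned into a drop.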

Packet injection

The attacker sends packets into the network with a forged source address. With this attack he can take over connections between other computers and redirect them to his own. The attacker's access rights then become equal to those of the user whose connection to the server was hijacked.

Sniffing - listening to a channel

Possible only within the local network segment.

Almost all network cards can capture packets transmitted over a shared LAN medium. In this mode a workstation receives packets addressed to other computers on the same network segment, so all of the traffic in the segment becomes available to the attacker. For the attack to succeed, the attacker's computer must be on the same LAN segment as the attacked computer. On a switched network the switch delivers frames only to the port of their destination, so the attacker additionally has to redirect the traffic through his own port (for example by poisoning ARP caches) before he can listen to it.

Capturing packets on a router

The router's network software has access to every packet that passes through the router, which makes packet capture possible. To carry out this attack, the attacker must have privileged access to at least one router on the network. Since a router usually carries a large volume of traffic, capturing all of it is practically impossible, but individual packets can easily be captured and saved for later analysis. The most rewarding targets are FTP packets carrying user passwords, and e-mail.

Imposing a false route on a host using ICMP

The Internet Control Message Protocol (ICMP) has, among other functions, a way of telling a host that it should use a different router: the redirect control message. A false redirect message can be sent to the attacked host on behalf of the router from any host in the same network segment. As a result, the host's routing table changes, and from then on all of its traffic passes, for example, through the host that sent the false redirect. This makes it possible to actively impose a false route within one segment of the Internet. Because the message can be forged by anyone on the segment, the dependable countermeasure is for hosts not to accept redirects at all where the neighbours are not trusted.
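
An added example (not code from the original lecture) of the acceptance checks a host can apply to a redirect, in the spirit of RFC 1122 section 3.2.2.2, and of why they are not enough on their own: the checksum, the type and code, whether the sender is the gateway currently in use, whether the new gateway is on the directly connected subnet, and whether the quoted datagram was really sent by this host. A forged message that also forges the router's source address passes every check, so the example includes the "redirects disabled" setting (the Linux knob is net.ipv4.conf.all.accept_redirects) as the only rule that stops it. Addresses are constructed for the example.

```python
import ipaddress
import struct

ICMP_REDIRECT = 5
ICMP_HDR = struct.Struct("!BBH4s")          # type, code, checksum, new gateway
IP_HDR = struct.Struct("!BBHHHBBH4s4s")


def ip_bytes(s):
    return ipaddress.ip_address(s).packed


def checksum(data):
    """RFC 1071 one's-complement sum; verifying a packet with its checksum in place gives 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_redirect(new_gateway, original_src, original_dst, code=1):
    """ICMP redirect body as a router (or an impostor) would send it; the quoted
    datagram is a minimal UDP packet from the host being redirected. Test input."""
    quoted = IP_HDR.pack(0x45, 0, 28, 0, 0, 64, 17, 0, ip_bytes(original_src),
                         ip_bytes(original_dst)) + b"\x00" * 8
    body = ICMP_HDR.pack(ICMP_REDIRECT, code, 0, ip_bytes(new_gateway)) + quoted
    return ICMP_HDR.pack(ICMP_REDIRECT, code, checksum(body), ip_bytes(new_gateway)) + quoted


def validate_redirect(outer_src, icmp, my_addr, my_subnet, current_gateway, accept_redirects=True):
    """Host-side checks before a redirect is allowed to touch the routing table.
    outer_src is the source address of the IP packet that carried the ICMP message.
    Returns (accepted, reason)."""
    if not accept_redirects:
        return False, "redirects disabled (net.ipv4.conf.all.accept_redirects=0)"
    if checksum(icmp) != 0:
        return False, "bad checksum"
    typ, code, _, gw = ICMP_HDR.unpack_from(icmp)
    if typ != ICMP_REDIRECT or code not in (0, 1):
        return False, "not a network/host redirect"
    new_gw = ipaddress.ip_address(gw)
    me, subnet = ipaddress.ip_address(my_addr), ipaddress.ip_network(my_subnet)
    if ipaddress.ip_address(outer_src) != ipaddress.ip_address(current_gateway):
        return False, "sender is not the gateway currently used for that destination"
    if new_gw not in subnet or new_gw == me:
        return False, "new gateway is not on the directly connected subnet"
    quoted = icmp[ICMP_HDR.size:]
    q_src = IP_HDR.unpack_from(quoted)[8]
    if ipaddress.ip_address(q_src) != me:
        return False, "quoted datagram was not sent by this host"
    return True, "route updated"


if __name__ == "__main__":
    host = dict(my_addr="192.0.2.10", my_subnet="192.0.2.0/24", current_gateway="192.0.2.1")
    rogue = build_redirect("192.0.2.66", "192.0.2.10", "198.51.100.9")
    print(validate_redirect("192.0.2.66", rogue, **host))   # honest source: rejected
    print(validate_redirect("192.0.2.1", rogue, **host))    # forged source: accepted
    print(validate_redirect("192.0.2.1", rogue, accept_redirects=False, **host))
```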

Out-of-band data on NetBIOS port 139

Along with ordinary data sent over a TCP connection, the standard also provides for the transfer of urgent (out-of-band) data; at the level of the TCP segment format this appears as a nonzero urgent pointer. Most PCs running Windows have the NetBIOS network protocol, which uses three ports for its needs: 137, 138 and 139. If one connects to a Windows machine on port 139 and sends it a few bytes of out-of-band data, the NetBIOS implementation does not know what to do with them and simply hangs or reboots the machine. On Windows 95 this usually appears as a blue text screen reporting an error in the TCP/IP driver, after which the machine cannot use the network until it is rebooted. NT 4.0 without service packs reboots; NT 4.0 with Service Pack 2 drops into a blue screen. According to reports on the network, Windows NT 3.51 and Windows 3.11 for Workgroups are susceptible to the same attack.

Sending such data to port 139 thus restarts NT 4.0, or produces a "blue screen of death" when Service Pack 2 is installed. Sending data in the same way to port 135 and some other ports puts a heavy load on the RPCSS.EXE process; on Windows NT Workstation this slows the machine down considerably, and Windows NT Server practically freezes.

Trusted host spoofing

A successful remote attack of this type lets the attacker log on to the server on behalf of a trusted host (a trusted host being a station that has legitimately connected to the server). The attack usually consists of sending packets from the attacker's station on behalf of the trusted station, whose identity he has taken control of.

Attack detection technologies

Network and information technologies change so quickly that static protection mechanisms, which include access control systems, firewalls, and authentication systems, in many cases cannot provide effective protection. Dynamic methods are therefore required to detect and prevent security breaches quickly. One technology that can detect violations that traditional access control models cannot identify is intrusion detection.

Essentially, the intrusion detection process is the process of assessing suspicious activity that occurs on the corporate network. In other words, intrusion detection is the process of identifying and responding to suspicious activity directed at computing or network resources.

Methods for analyzing network information

The effectiveness of an intrusion detection system largely depends on the methods used to analyze the information received. The first intrusion detection systems developed in the early 1980s used statistical techniques to detect attacks. Currently, a number of new techniques have been added to statistical analysis, from expert systems and fuzzy logic to the use of neural networks.

Statistical method

The main advantages of the statistical approach are the use of the already developed and proven apparatus of mathematical statistics and adaptation to the behavior of the subject.

First, profiles are determined for all subjects of the analyzed system. Any deviation from the reference profile used is considered unauthorized activity. Statistical methods are universal, since analysis does not require knowledge of possible attacks and the vulnerabilities they use. However, when using these techniques, there are also problems:

"Statistical" systems are insensitive to the order of events; in some cases, the same events, depending on their order, may characterize abnormal or normal activity;

It is difficult to set the boundary (threshold) values ​​of the characteristics monitored by the intrusion detection system in order to adequately identify anomalous activity;

“Statistical” systems can be “trained” over time by attackers so that attacking actions are considered normal.

It should also be borne in mind that statistical methods are not applicable in cases where there is no pattern of typical behavior for the user or when unauthorized actions are typical for the user.
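
An added example (not part of the original lecture) of the statistical method and of the third problem listed above. A per-subject profile keeps a running mean and standard deviation of one metric (here, an assumed "megabytes uploaded per day") and flags values more than three standard deviations away. The constructed history is then followed by an attacker who raises the metric each day to just below the threshold: the adaptive profile absorbs every accepted sample and never alerts, while a frozen copy of the original baseline does. The thresholds and the sample history are assumptions for the example.

```python
import math


class Profile:
    """Running mean / standard deviation of one subject's metric (Welford's method)
    with a z-score threshold for 'anomalous'."""

    def __init__(self, z_threshold=3.0, min_samples=10):
        self.n, self.mean, self.m2 = 0, 0.0, 0.0
        self.z_threshold, self.min_samples = z_threshold, min_samples

    def update(self, x):
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x):
        sd = self.std()
        if sd == 0.0:
            return 0.0 if x == self.mean else float("inf")
        return abs(x - self.mean) / sd

    def is_anomalous(self, x):
        return self.n >= self.min_samples and self.zscore(x) > self.z_threshold

    def copy(self):
        c = Profile(self.z_threshold, self.min_samples)
        c.n, c.mean, c.m2 = self.n, self.mean, self.m2
        return c


def baseline_samples(days=30):
    """Constructed 'normal' history: daily upload volume in MB, between 45 and 55, no trend."""
    return [50.0 + (i * 7) % 11 - 5 for i in range(days)]


def train(samples):
    p = Profile()
    for x in samples:
        p.update(x)
    return p


def training_attack(days=60, margin=2.5):
    """An attacker who knows the threshold raises the metric each day to just below it.
    The adaptive profile absorbs every accepted sample, so what counts as 'normal'
    drifts upward; a frozen copy of the original baseline does not."""
    adaptive = train(baseline_samples())
    frozen = adaptive.copy()
    adaptive_alerts = frozen_alerts = 0
    x = None
    for _ in range(days):
        x = adaptive.mean + margin * adaptive.std()    # highest value that still passes today
        if adaptive.is_anomalous(x):
            adaptive_alerts += 1
        else:
            adaptive.update(x)                          # accepted, so it reshapes the profile
        if frozen.is_anomalous(x):
            frozen_alerts += 1
    return {"adaptive_alerts": adaptive_alerts, "frozen_alerts": frozen_alerts,
            "last_accepted": x, "baseline_mean": frozen.mean, "baseline_std": frozen.std()}


if __name__ == "__main__":
    p = train(baseline_samples())
    print(round(p.mean, 2), round(p.std(), 2), p.is_anomalous(500.0))
    print(training_attack())
```

The frozen baseline is the usual remedy: compare each sample (or the drifting mean itself) against a long-term reference that is refreshed only on an administrator's decision, not against whatever the system has most recently accepted.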

Expert systems

Expert systems consist of a set of rules that capture the knowledge of a human expert. Using expert systems is a common method of attack detection in which information about attacks is formulated as rules. These rules can be written, for example, as a sequence of actions or as a signature. When one of the rules matches, the system concludes that unauthorized activity is present. An important advantage of this approach is the near absence of false alarms, provided the rules are written precisely.

The database of the expert system should contain the scenarios of most of the currently known attacks. In order to remain constantly up-to-date, expert systems require constant database updates. Although expert systems offer a good opportunity to view the data in the logs, the required updates can either be ignored or performed manually by the administrator. At the very least, this leads to a weakened expert system. In the worst case, the lack of proper maintenance reduces the security of the entire network, misleading its users about the actual level of security.

The main disadvantage is the impossibility of repelling unknown attacks. At the same time, even a small change in an already known attack can become a serious obstacle to the functioning of the intrusion detection system.

Neural networks

Most modern attack detection methods use some form of rule-based or statistical analysis of controlled space. The monitored space can be logs or network traffic. The analysis relies on a set of predefined rules that are created by the administrator or by the intrusion detection system itself.

Any division of an attack in time or among several attackers is difficult to detect with expert systems. Due to the wide variety of attacks and hackers, even special constant updates to the database of the rules of the expert system will never guarantee accurate identification of the entire range of attacks.

Neural networks are one way of overcoming these problems of expert systems. Unlike an expert system, which gives the user a definite answer as to whether the observed characteristics match the rules in its database, a neural network analyzes the information and offers an estimate of how closely the data matches the characteristics it has been taught to recognize. Although the match reported by the network may reach 100%, how much that verdict can be trusted depends entirely on how well the system was trained on examples of the task at hand.

First, the neural network is trained to classify correctly on a pre-selected sample of examples from the domain. Its responses are analyzed and the system is tuned until satisfactory results are achieved. Beyond the initial training period, the neural network continues to gain experience over time as it analyzes data from the domain.

An important advantage of neural networks in detecting abuse is their ability to "learn" the characteristics of deliberate attacks and identify elements that are not similar to those observed in the network before.

Each of the described methods has a number of advantages and disadvantages, so now it is practically difficult to find a system that implements only one of the described methods. Typically, these methods are used in combination.
