The term Computer Network is a complicated and vast one. The more we try to conquer its depth, the more we are exposed to new boundaries. Therefore I thought to compile some of the resources I've got access to and publish them on my blog so that they will provide some benefit to the reader regarding the possible threats and solutions of Network Security. I've basically included this part because I'm also among the (so called) bad guys who love writing Java apps for tracing the network system and accessing the flow of data between the ports via protocol hehe.
Note:
I expect that the people who go forward reading this topic have at least a basic knowledge of computer networking, as I'm directly starting with IP and bypassing other terminology.
Starting with the IP:
Well, I guess most network lovers are familiar with the word IP. It stands for "Internet Protocol" and operates in the network layer of the OSI Model. This is the layer that allows hosts to actually "talk" to each other. It handles such things as carrying datagrams, mapping an Internet address (such as 207.20.13.14) to a physical network address (such as 08:23:4d:0a:ca:8f), and routing, which takes care of making sure that all of the devices that have Internet connectivity can find the way to each other.
IP has so many features and is therefore very flexible in nature; as a result it has loopholes which can be a threat to Network Security. Here I'm describing some of those threats to IP.
IP Attack:
A number of attacks against IP are possible. Typically, these exploit the fact that IP does not provide a robust mechanism for authentication, that is, proving that a packet came from where it claims it did. A packet simply claims to originate from a given address, and there isn't a way to be sure that the host that sent the packet is telling the truth. This isn't necessarily a weakness, but it is an important point, because it means that the facility of host authentication has to be provided at a higher layer of the ISO/OSI Reference Model. Today, applications that require strong host authentication (such as cryptographic applications) do this at the application layer.
1. IP Spoofing
This is where one host claims to have the IP address of another. Since many systems (such as router access control lists) define which packets may and which packets may not pass based on the sender's IP address, this is a useful technique to an attacker: he can send packets to a host, perhaps causing it to take some sort of action.
Additionally, some applications allow login based on the IP address of the person making the request (such as the Berkeley r-commands). These are both good examples of how trusting untrustable layers can provide security that is -- at best -- weak.
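The point above is that a source address in an IP header proves nothing, so the proof has to be supplied at a higher layer. The following added example (my own illustration, not code from the original text) shows the application-layer approach with a pre-shared key and an HMAC: each message binds its claimed source address and a sequence number to a tag that only a holder of the key can compute. A packet that merely copies a trusted address into its header, or a replay of a captured message, is rejected. The key, the addresses and the message format are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed pre-shared key held only by the two legitimate hosts.
# (Hypothetical value; in practice it would be provisioned out of band.)
SHARED_KEY = b"example-pre-shared-key-do-not-reuse"


def build_message(src_ip, seq, payload, key=SHARED_KEY):
    """Build a message whose claimed source is bound to a MAC.

    The tag covers the claimed source address, the sequence number and the
    payload, so copying a trusted IP into the header is not enough to be
    accepted: the sender also has to know the key.
    """
    body = json.dumps(
        {"src": src_ip, "seq": seq, "payload": payload}, sort_keys=True
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Receiver:
    """Accepts messages only when the MAC verifies and the sequence advances."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = {}  # highest accepted sequence number per claimed source

    def accept(self, wire):
        """Return (accepted, reason) for one received message."""
        try:
            body, tag = wire.rsplit(b"|", 1)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        # Constant-time comparison so the check itself leaks nothing about the tag.
        if not hmac.compare_digest(expected, tag):
            return False, "bad MAC"
        msg = json.loads(body)
        if msg["seq"] <= self.last_seq.get(msg["src"], -1):
            return False, "replay"
        self.last_seq[msg["src"]] = msg["seq"]
        return True, "ok"


def demo():
    """Constructed scenario: trusted host A, an impostor claiming A's address, and a replay."""
    trusted_ip = "203.0.113.10"  # hypothetical address of host A
    receiver = Receiver()

    genuine = build_message(trusted_ip, seq=1, payload="list mailbox")
    forged = build_message(trusted_ip, seq=2, payload="rm -rf /", key=b"wrong-key")

    results = {
        "genuine": receiver.accept(genuine),
        "spoofed_source": receiver.accept(forged),   # right address, no key
        "replayed": receiver.accept(genuine),         # captured and resent
        "truncated": receiver.accept(genuine[:-5]),   # damaged in transit
    }
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:15s} accepted={ok} ({why})")
```

Sequence tracking is per claimed source, so a host that never talked before starts at sequence 0; a real deployment would also bound how far a sequence may jump and would rotate the key, neither of which the example models.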
2. IP Session Hijacking.
This is a relatively sophisticated attack, first described by Steve Bellovin. This is very dangerous, however, because there are now toolkits available in the underground community that allow otherwise unskilled bad-guy-wannabes to perpetrate this attack. IP Session Hijacking is an attack whereby a user's session is taken over, being in the control of the attacker. If the user was in the middle of email, the attacker is looking at the email, and then can execute any commands he wishes as the attacked user. The attacked user simply sees his session dropped, and may simply login again, perhaps not even noticing that the attacker is still logged in and doing things.
For the description of the attack, let's take the example of a large network of networks. In this attack, a user on host A is carrying on a session with host G. Perhaps this is a telnet session, where the user is reading his email, or using a Unix shell account from home. Somewhere in the network between A and G sits host H, which is run by a naughty person. The naughty person on host H watches the traffic between A and G, and runs a tool which starts to impersonate A to G, and at the same time tells A to shut up, perhaps trying to convince it that G is no longer on the net (which might happen in the event of a crash, or major network outage). After a few seconds of this, if the attack is successful, the naughty person has "hijacked" the session of our user. Anything that the user can do legitimately can now be done by the attacker, illegitimately. As far as G knows, nothing has happened.
Solution
This can be solved by replacing standard telnet-type applications with encrypted versions of the same thing, or by blocking the telnet port (23) if you don't use it. In this case, the attacker can still take over the session, but he'll see only "gibberish" because the session is encrypted. The attacker will not have the needed cryptographic key(s) to decrypt the data stream from G, and will, therefore, be unable to do anything with the session.
OK, now that we know the threats regarding IP, in this section of my blog I will try to explain other basic varieties of network threats, as follows.
Denial-of-Service
DoS (Denial-of-Service) attacks are probably the nastiest, and most difficult to address. These are the nastiest, because they're very easy to launch, difficult (sometimes impossible) to track, and it isn't easy to refuse the requests of the attacker, without also refusing legitimate requests for service.
The premise of a DoS attack is simple: send more requests to the machine than it can handle. There are toolkits available in the underground community that make this a simple matter of running a program and telling it which host to blast with requests. The attacker's program simply makes a connection on some service port, perhaps forging the packet's header information that says where the packet came from, and then drops the connection. If the host is able to answer 20 requests per second, and the attacker is sending 50 per second, obviously the host will be unable to service all of the attacker's requests, much less any legitimate requests (hits on the web site running there, for example). Such attacks were fairly common in late 1996 and early 1997, but are now becoming less popular.
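To make the "50 requests per second against a host that can answer 20" premise concrete, here is an added example (my own, not from the original text) of the per-source token-bucket limiter a service can put in front of itself. It replays a constructed stream in which one source floods at 50 requests per second while two ordinary clients send 2 per second each; the flood is cut down to roughly the configured rate while the ordinary clients are never refused. The addresses, rates and timings are all made up for the example, and the limiter uses integer milli-tokens so the counts are exact. Note the caveat from the paragraph above: if the attacker forges a different source address on every packet, a per-source bucket no longer helps, which is why the filtering and capacity advice that follows still matters.

```python
class SourceRateLimiter:
    """Per-source token bucket. Tokens are kept in thousandths (milli-tokens)."""

    def __init__(self, rate_per_second, burst):
        # rate_per_second tokens/s == rate_per_second milli-tokens per millisecond
        self.rate_per_ms = rate_per_second
        self.burst = burst * 1000
        self.tokens = {}    # milli-tokens currently in each source's bucket
        self.last_ms = {}   # time of each source's last refill

    def allow(self, src, now_ms):
        """Return True if a request from src at time now_ms may be served."""
        tokens = self.tokens.get(src, self.burst)
        last = self.last_ms.get(src, now_ms)
        tokens = min(self.burst, tokens + (now_ms - last) * self.rate_per_ms)
        self.last_ms[src] = now_ms
        if tokens >= 1000:
            self.tokens[src] = tokens - 1000
            return True
        self.tokens[src] = tokens
        return False


def constructed_request_stream():
    """Two seconds of traffic: one flood source at 50/s, two clients at 2/s."""
    flood = "198.51.100.9"              # hypothetical attacking source
    clients = ["203.0.113.7", "203.0.113.8"]  # hypothetical legitimate clients
    events = [(t, flood) for t in range(0, 2000, 20)]        # 100 requests
    for c in clients:
        events += [(t, c) for t in range(0, 2000, 500)]      # 4 requests each
    events.sort()
    return events


def simulate(rate_per_second=10, burst=10):
    """Run the stream through the limiter; return sent/served counts per source."""
    limiter = SourceRateLimiter(rate_per_second, burst)
    sent, served = {}, {}
    for t, src in constructed_request_stream():
        sent[src] = sent.get(src, 0) + 1
        if limiter.allow(src, t):
            served[src] = served.get(src, 0) + 1
    return {src: (sent[src], served.get(src, 0)) for src in sent}


if __name__ == "__main__":
    for src, (n_sent, n_served) in simulate().items():
        print(f"{src:15s} sent={n_sent:3d} served={n_served:3d}")
```

With a 10/s rate and a burst of 10, the flood source gets its first dozen requests through on the initial burst and then one in five afterwards, 29 of 100 in total, while each ordinary client has all 4 of its requests served.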
Some things that can be done to reduce the risk of being stung by a denial of service attack include
- Not running your visible-to-the-world servers at a level too close to capacity
- Using packet filtering to prevent obviously forged packets from entering into your network address space. Obviously forged packets would include those that claim to come from your own hosts, addresses reserved for private networks as defined in RFC 1918, and the loopback network (127.0.0.0).
- Keeping up-to-date on security-related patches for your hosts' operating systems.
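The second item in the list above, dropping obviously forged source addresses at the network edge, is easy to state but worth seeing as a check. This added example (mine, not the original author's) implements that ingress rule with Python's standard `ipaddress` module over a few constructed firewall-style log lines: a packet arriving from the outside is dropped if its source claims to be one of the site's own prefixes, an RFC 1918 private range, or the loopback network. The site prefix 203.0.113.0/24 is a hypothetical stand-in for "your own hosts", and the log format is invented for the example.

```python
import ipaddress
import re

# Hypothetical address space owned by this site ("your own hosts" in the text).
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Sources that should never arrive on an interface facing the outside world.
BOGON_PREFIXES = [
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
]


def ingress_verdict(src):
    """Decide whether a packet from the outside with source `src` may enter.

    Returns ("drop", reason) or ("pass", "").
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop", "unparseable source"
    for net in OWN_PREFIXES:
        if addr in net:
            return "drop", "claims our own address space"
    for net, label in BOGON_PREFIXES:
        if addr in net:
            return "drop", label
    return "pass", ""


# Constructed log lines in an invented "key=value" format.
SAMPLE_LOG = """\
t=1 iface=ext src=198.51.100.23 dst=203.0.113.5 proto=tcp dport=80
t=2 iface=ext src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=22
t=3 iface=ext src=203.0.113.44 dst=203.0.113.5 proto=udp dport=53
t=4 iface=ext src=127.0.0.1 dst=203.0.113.5 proto=tcp dport=25
t=5 iface=ext src=192.168.1.9 dst=203.0.113.5 proto=tcp dport=443
t=6 iface=ext src=172.31.255.1 dst=203.0.113.5 proto=tcp dport=443
t=7 iface=ext src=not-an-ip dst=203.0.113.5 proto=tcp dport=443
t=8 iface=ext src=192.0.2.77 dst=203.0.113.5 proto=tcp dport=443
"""

LINE_RE = re.compile(r"iface=(?P<iface>\S+)\s+src=(?P<src>\S+)")


def filter_log(log_text):
    """Apply the ingress rule to every external-interface line in the log.

    Returns a list of (src, verdict, reason) in log order.
    """
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("iface") != "ext":
            continue  # rule applies only to packets arriving from outside
        src = m.group("src")
        verdict, reason = ingress_verdict(src)
        results.append((src, verdict, reason))
    return results


if __name__ == "__main__":
    for src, verdict, reason in filter_log(SAMPLE_LOG):
        print(f"{src:16s} {verdict:4s} {reason}")
```

Only two of the eight constructed packets pass; the rest are the cases the list above names, plus a malformed source that the parser refuses rather than guesses about.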
Unauthorized Access
"Unauthorized access" is a very high-level term that can refer to a number of different sorts of attacks. The goal of these attacks is to access some resource that your machine should not provide the attacker. For example, a host might be a web server, and should provide anyone with requested web pages. However, that host should not provide command shell access without being sure that the person making such a request is someone who should get it, such as a local administrator.
Executing Commands Illicitly
It's obviously undesirable for an unknown and untrusted person to be able to execute commands on your server machines. There are two main classifications of the severity of this problem: normal user access, and administrator access. A normal user can do a number of things on a system (such as read files, mail them to other people, etc.) that an attacker should not be able to do. This might, then, be all the access that an attacker needs. On the other hand, an attacker might wish to make configuration changes to a host (perhaps changing its IP address, putting a start-up script in place to cause the machine to shut down every time it starts, or something similar). In this case, the attacker will need to gain administrator privileges on the host.
Confidentiality Breaches
We need to examine the threat model: what is it that you're trying to protect yourself against? There is certain information that could be quite damaging if it fell into the hands of a competitor, an enemy, or the public. In these cases, it's possible that compromise of a normal user's account on the machine can be enough to cause damage (perhaps in the form of PR, or obtaining information that can be used against the company, etc.).
Where Do They Come From?
How, though, does an attacker gain access to your equipment? Through any connection that you have to the outside world. This includes Internet connections, dial-up modems, and even physical access. (How do you know that one of the temps that you've brought in to help with the data entry isn't really a system cracker looking for passwords, data phone numbers, vulnerabilities and anything else that can get him access to your equipment?)
In order to be able to adequately address security, all possible avenues of entry must be identified and evaluated. The security of that entry point must be consistent with your stated policy on acceptable risk levels.
Probable Solution
- Hope you have backups
- Don't put data where it doesn't need to be
- Avoid systems with single points of failure
- Stay current with relevant operating system patches
- Watch for relevant security advisories
- Try to stay familiar with, and smart about, security practices