Network Security
The Internet is a packet switched network, meaning that data is sent in discrete chunks known as packets. In contrast, the traditional telephone system is a circuit switched network : for each telephone call, a dedicated circuit with dedicated bandwidth is established between the end points. Packet switched networks can make more efficient use of the available bandwidth, though there is some additional complexity involved, and things get particularly involved if circuit-like behaviour is required.
Protocols can be classified in many different ways, but one classification that is particularly relevant to security is stateless versus stateful. Stateless protocols don't remember anything, while stateful protocols do have some memory. Many security problems are related to state.
Figure : A small network
TCP/IP Model
The Internet is based on the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. The TCP/IP protocol suite contains five main layers :
o application,
o transport,
o network (or Internet),
o data link and
o physical.
Unlike the OSI model, TCP/IP has no presentation and session layers. The data unit initially created at the application layer (i.e. by an application such as email, a Web browser, etc.) is called a message. A message is broken down into segments by the transport layer. Note that the transport layer of TCP/IP contains two protocols : Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is the more often used of the two.
Figure : Layers in the TCP/IP protocol suite. Note that the presentation and session layers are not present in TCP/IP, but are shown for the comparison of TCP/IP with the OSI model.
The transport layer then adds its own header to the segment and gives it to the network layer. The network layer adds the IP header to this block and gives the result to the data link layer. The data link layer adds the frame header and gives it to the physical layer for transmission. At the physical layer the actual bits are transmitted as voltage pulses. The opposite process happens at the destination end, where each layer removes the previous layer's header, and finally the application layer receives the original message.
Figure : Message transfer from the source to the destination at the different TCP/IP layers
First consider HTTP, the Hyper Text Transfer Protocol, which is used for communicating Web pages. Since HTTP is a stateless protocol, Web cookies were developed as a tasty way to maintain state. FTP is the File Transfer Protocol, which is used for receiving or sending files. SMTP is the Simple Mail Transfer Protocol, which is used to transfer e-mail from the sender to the recipient's email server. Telnet (Terminal Emulation Protocol) is used for performing remote operations as if directly connected to the host from a terminal. There are many others.
At the sending end of each transmission, TCP divides a stream of data into smaller units called segments. Each segment includes a sequence number for reordering after receipt, together with an acknowledgement number for the segments received. Segments are carried across the Internet inside IP datagrams. At the receiving end, TCP collects each datagram as it comes in and reorders the transmission based on the sequence numbers.
The three-way handshake that opens a TCP connection consists of :
(i) SYN : the client requests synchronization with the server.
(ii) SYN-ACK : the server acknowledges receipt of the SYN request.
(iii) ACK : the client acknowledges the SYN-ACK. This third message can also include data.
Connections are terminated by a FIN (finish) or RST (reset) packet.
Figure : IP datagram
The Address Resolution Protocol (ARP) is used to associate an IP address with the physical address. On a typical physical network, such as a LAN, each device on a link is identified by a physical or station address usually imprinted on the network interface card (NIC). ARP is used to find the physical address of the node when its Internet address is known. The Reverse Address Resolution Protocol (RARP) allows a host to discover its Internet address when it knows only its physical address. It is used when a computer is connected to the network for the first time or when a diskless computer is booted. The Internet Control Message Protocol (ICMP) is a mechanism used by hosts and gateways to send notification of datagram problems back to the sender. ICMP sends query and error reporting messages. The Internet Group Message Protocol (IGMP) is used to facilitate the simultaneous transmission of a message to a group of recipients.
One data link layer protocol of particular importance is Ethernet. Ethernet is a multiple access protocol, meaning that it is used when many hosts are competing for a shared resource. Ethernet is used on a local area network, or LAN. In Ethernet, if two packets are transmitted by different hosts at the same time, they can collide, in which case both packets are corrupted. The packets must then be resent. The challenge is to efficiently handle collisions in a distributed environment. There are many possible approaches, but Ethernet is by far the most popular method.
TCP/IP Vulnerability
The TCP and IP protocols were designed when the Internet was small and users generally trusted one another. The protocols lack many features that are desirable, or needed, on an insecure network.
(2) Layer 2 : Data Link Layer : Layer 2 includes ATM, PPP, Ethernet and wireless LAN. Since Ethernet is one of the most widely used protocols, the attacks described here are with respect to it. MAC addresses, used in Ethernet, wireless networks, FDDI, Bluetooth, etc., are unique identifiers attached to the networking equipment. A MAC address is 48 bits long, with the initial 24 bits representing the manufacturer code and the remaining 24 bits assigned to the interface produced by that manufacturer.
(2) Fake DHCP Server : Here the attacker sets up a forged DHCP server, serving clients in the network with false details. For example, the forged DHCP server might give its own IP address as the default gateway. Thus, all traffic of the network passes through the attacker's PC, allowing it to easily sniff the network packets.
(b) IP spoofing : IP spoofing is a method that attackers use when they wish to send packets with malicious content to a target machine and do not want to be identified. The victim is unaware that the packet is not from a trusted host, and hence it accepts the packet and sends a response back to the source computer. The biggest challenge faced here is that the attacker must guess the proper sequence number to send the final ACK packet, as if it had come from the real source. If this step succeeds, the attacker may have a connection to the victim's machine as long as the victim's machine is active.
(c) The Routing Information Protocol (RIP) is used to distribute routing information within networks, such as advertising routes out from the local network and shortest paths. The original version of RIP has no built-in authentication, and the information content in a RIP packet is used without verifying it. An attacker can forge a RIP packet, claiming that his host XYZ has the fastest path out of the network. All packets sent out from that network would then be routed through XYZ, where they could be modified, examined or even dropped.
(d) Fragmentation Attack : The fundamental problem is that the actual purpose of a packet is easily disguised by breaking it into fragments. The fragments can even overlap when reassembled, which further exacerbates this problem. The result is that the receiving host can only determine the purpose of a packet after it has received all of the fragments and reassembled the pieces.
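The ambiguity described above comes from letting one fragment rewrite bytes another fragment already supplied. The following added example (not code from the original notes) is a minimal reassembler that rejects overlapping fragments rather than guessing; the fragment layout (offset, more-fragments flag, payload) and the sample fragments are constructed simplifications of the real IP header fields.

```python
# Added example (not from the original notes): a minimal reassembler for the
# fragment problem described above. Fragments that overlap bytes already
# received are rejected instead of silently letting one fragment rewrite
# another. The fragment layout (offset, more-fragments flag, payload) is a
# constructed simplification of the real IP header fields.
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int       # byte offset of this piece within the original datagram
    more: bool        # True unless this is the last fragment
    payload: bytes


class OverlapError(ValueError):
    """Raised when a fragment covers bytes another fragment already supplied."""


def reassemble(fragments):
    """Rebuild the datagram from its fragments.
    Returns the payload bytes, or None while fragments are still missing;
    raises OverlapError if any two fragments overlap."""
    covered = {}                       # byte position -> byte value
    total_len = None
    for f in sorted(fragments, key=lambda x: x.offset):
        for i, b in enumerate(f.payload):
            pos = f.offset + i
            if pos in covered:
                raise OverlapError(f"fragment at offset {f.offset} overlaps byte {pos}")
            covered[pos] = b
        if not f.more:                 # the last fragment fixes the total length
            end = f.offset + len(f.payload)
            if total_len is not None and end != total_len:
                raise OverlapError("two fragments claim to be the last one")
            total_len = end
    if total_len is None or len(covered) != total_len or max(covered) >= total_len:
        return None                    # incomplete (or data beyond the end)
    return bytes(covered[i] for i in range(total_len))


def has_overlap(fragments):
    """True if reassembling these fragments would involve overlapping bytes."""
    try:
        reassemble(fragments)
    except OverlapError:
        return True
    return False


# Constructed samples: a benign split, and a split whose second fragment
# overlaps bytes 4-7 of the first so the real content is only known after
# reassembly.
BENIGN = [Fragment(0, True, b"GET /ind"), Fragment(8, False, b"ex.html")]
OVERLAP = [Fragment(0, True, b"GET /ind"), Fragment(4, False, b"/other")]
```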
(e) ICMP Attacks :
The Internet Control Message Protocol (ICMP) is used to send error messages, for example when a requested service is not available. ICMP does not authenticate packets, so it is easy to intercept them and to transmit spoofed ICMP packets. Denial of service attacks can be formulated using ICMP packets. ICMP packets that reset a connection between a source and a destination are :
(i) Destination unreachable
(ii) Time to live
Destination unreachable ICMP packets specify that, because of a problem within the network, the packet cannot be delivered to the destination computer. Time to live specifies for how much time the packet is active.
(c) TCP and UDP Port Scanning Techniques : Attackers perform port scanning using tools such as nmap, or various tools of a host machine, to find the open ports on a machine. After identifying the open ports on a machine, the attacker can launch a variety of attacks through these open ports.
(d) Connection Hijacking : An attacker can allow normal authentication to proceed between the two hosts, and then seize control of the connection. There are two possible ways to do this : (i) during the TCP three-way handshake, or (ii) in the middle of an established connection. Connection hijacking exploits a desynchronized state of TCP communication. When two hosts are desynchronized enough, they will ignore packets from each other. An attacker can then inject forged packets with the correct sequence numbers. The attacker might also modify, or add commands to, the communication. This requires the attacker to be located on the communication path between the two hosts, so that he may eavesdrop in order to replicate the packets being sent.
(e) TCP SYN Attack : Recall the TCP three-way handshake. While waiting for the ACK to the SYN-ACK, a connection queue of finite size is maintained on the destination host that keeps track of connections waiting to be completed. This queue typically empties quickly, because the ACK packet generally arrives a few milliseconds after the SYN-ACK. The TCP SYN attack exploits this design flaw. An attacking source host generates TCP SYN packets with random source addresses towards a victim host. The victim destination host sends a SYN-ACK back to the random source address and adds an entry to the connection queue. Since the SYN-ACK is destined for a non-existent or incorrect host, the last part of the three-way handshake is never completed, and the entry remains in the connection queue until the timer expires, typically after about one minute. By generating a number of fake TCP SYN packets from random IP addresses at a rapid rate, it is possible to fill up the connection queue and deny TCP services to legitimate users.
Port Scanning
Some well-known TCP ports :
Port Number    Description
7              ECHO
18             Message Send Protocol (MSP)
20             FTP (data)
21             FTP (control)
23             Telnet
25             SMTP
37             Time
53             DNS
69             TFTP
80             HTTP
Port scanning is often used by network administrators to check the security of their networks, and by attackers to compromise it. Port scanning tells an attacker three things : which standard ports or services are running and responding on the target system, what operating system is installed on the target system, and what applications and versions of applications are present. This information is readily available for the asking from a networked system; it can be obtained quietly, anonymously, without identification or authentication, drawing little or no attention to the scan. To portscan a host is to scan for listening ports on a single target host. To portsweep is to scan multiple hosts for a specific listening port. The latter is typically used in searching for a specific service.
(b) TCP SYN/Half-Open (Secretive) : This type of scanning causes the scanner to send out a SYN packet to the target host. If the target host is listening on a particular port, it will respond with a SYN + ACK. If the target host is alive but not listening on that port, an RST packet will be received.
(c) FIN : In this method, a FIN packet is sent to a target host. If the target host is alive but not listening on a particular port, it will respond with an RST packet. However, if the target host is listening on that port, it will not respond. Note that Microsoft Windows hosts will send RST packets in all cases. This is of interest, because it helps identify the target host as a Microsoft Windows host.
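From the defender's side, the portscan/portsweep distinction above and the flag patterns of the half-open and FIN scans can be recognised in firewall logs. The following added example (not code from the original notes) runs that detection over constructed log lines; the log format, addresses and the alert threshold are assumptions made for the example.

```python
# Added example (not from the original notes): detection logic run over
# constructed firewall-style log lines. It flags a "portscan" (one source
# probing many ports on one host) and a "portsweep" (one source probing one
# port across many hosts), as defined in the text, and labels the probe
# style from the TCP flags (SYN-only = half-open scan, FIN-only = FIN scan).
import re
from collections import defaultdict

# Constructed log format: "<time> <src> -> <dst>:<port> flags=<F>"
LOG_RE = re.compile(
    r"^\S+ (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) flags=(?P<flags>\w+)$")

SAMPLE_LOG = """\
10:00:01 10.0.0.5 -> 192.0.2.10:21 flags=S
10:00:01 10.0.0.5 -> 192.0.2.10:22 flags=S
10:00:01 10.0.0.5 -> 192.0.2.10:23 flags=S
10:00:01 10.0.0.5 -> 192.0.2.10:25 flags=S
10:00:02 10.0.0.5 -> 192.0.2.10:80 flags=S
10:00:05 10.0.0.9 -> 192.0.2.11:22 flags=F
10:00:05 10.0.0.9 -> 192.0.2.12:22 flags=F
10:00:05 10.0.0.9 -> 192.0.2.13:22 flags=F
10:00:05 10.0.0.9 -> 192.0.2.14:22 flags=F
10:00:09 10.0.0.7 -> 192.0.2.10:80 flags=S
""".splitlines()

STYLE = {"S": "SYN/half-open scan", "F": "FIN scan"}   # TCP flags -> probe style


def _style(flags):
    return ", ".join(sorted(STYLE.get(f, "other") for f in flags))


def analyse(lines, threshold=4):
    """Return alerts as (src, kind, style, count) tuples. `threshold` is the
    number of distinct ports (portscan) or hosts (portsweep) that triggers one."""
    per_host_ports = defaultdict(set)   # (src, dst)  -> ports probed on that host
    per_port_hosts = defaultdict(set)   # (src, port) -> hosts probed on that port
    flags_seen = defaultdict(set)       # src -> TCP flag combinations used
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip lines that do not parse
        src, dst, port, flags = m["src"], m["dst"], int(m["port"]), m["flags"]
        per_host_ports[(src, dst)].add(port)
        per_port_hosts[(src, port)].add(dst)
        flags_seen[src].add(flags)
    alerts = []
    for (src, dst), ports in per_host_ports.items():
        if len(ports) >= threshold:
            alerts.append((src, "portscan", _style(flags_seen[src]), len(ports)))
    for (src, port), hosts in per_port_hosts.items():
        if len(hosts) >= threshold:
            alerts.append((src, "portsweep", _style(flags_seen[src]), len(hosts)))
    return alerts
```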
Protocol Flaws
Internet protocols are publicly posted for scrutiny by the entire Internet community. Each accepted protocol is known by its Request For Comments (RFC) number. Many problems with protocols have been identified by sharp reviewers and corrected before the protocol was established as a standard. But protocol definitions are made and reviewed by fallible humans. Likewise, protocols are implemented by fallible humans. For example, TCP connections are established through sequence numbers. The client (initiator) sends a sequence number to open a connection, the server responds with that number and a sequence number of its own, and the client responds with the server's sequence number. Suppose someone can guess a client's next sequence numbers. That person could impersonate the client in an interchange. Sequence numbers are incremented regularly, so it can be easy to predict the next number.
Roles of a Firewall
(a) A firewall has the ability to check HTML data for script tags and render scripts unexecutable by the browsers.
(b) Firewalls forward external packets that claim to come from the internal network.
(c) When dealing with fragments, the firewall has the ability to cache the forwarding decision that was made on the initial fragment and later apply it to the other fragments.
(3) Remote Access Server Exploits : A Remote PC Access Server uses an authorization code to verify whether a Remote PC Access Client has connected to the local server. The authorization code is 12 bytes long, filled in the following byte order : Authorization code (Hex) : 27 00 00 00 04 00 00 00 00 00 00 00 = 12 bytes. An attacker can build a spoofed client program and use a DoS attack to crash the remote server or remote system. If a local client sends the authorization code to the remote server, the remote server sends an acknowledgement code back to the local client; after this process, by sending back the packets received from the remote server, the local client overflows the remote server. Thus, untrustworthy remote access servers provide one of the simplest means of access to the internal network. Users often connect to the Internet with little protection, thus exposing sensitive data to attack.
Reconnaissance of Network
(i) Port scan :
(ii) Pinging :
(iii) Social Engineering :
(iv) Intelligence :
(v) Operating System and Application Fingerprinting :
(vi) Bulletin Boards and Chats :
(vii) Availability of Documentation :
The accidental and malicious threats to availability or continued service are as follows :
(1) Transmission failure : Communications can fail for many reasons. For instance, a line is cut, network noise makes a packet unrecognisable or undeliverable, or a machine along the transmission path fails for hardware or software reasons. Some failures cannot be easily repaired. A break in the single communications line to your computer (for example, from the network to your network interface card, or the telephone line to your modem) can be fixed only by establishing an alternative link or repairing the damaged one. Anyone who can sever, interrupt or overload the capacity of such a link can cause a denial of service.
The electronic attacks that can cause a denial of service are as follows :
(a) Connection flooding : If an attacker sends you as much data as your communications system can handle, you are prevented from receiving any other data. Even if an occasional packet reaches you from someone else, communication to you will be seriously degraded. Several of these attacks use ICMP, the Internet Control Message Protocol. These protocols do not have associated user applications and are only used for system diagnostics.
(i) Echo-Chargen : The echo-chargen attack works between two hosts. Chargen is a protocol that generates a stream of packets; it is used to test the network's capacity.
(ii) Ping of Death : A ping of death is a simple attack. Since ping requires the recipient to respond to the ping request, all the attacker needs to do is send a flood of pings to the intended victim.
(iii) Smurf : The smurf attack is a variation of a ping attack. The attacker chooses a network of unwitting victims. The attacker spoofs the source address in the ping packet so that it appears to come from the victim. Then, the attacker sends this request to the network in broadcast mode by setting the last byte of the address to all 1s; broadcast mode packets are distributed to all hosts on the network.
Figure : Smurf Attack
(iv) SYN Flood : SYN flood is a popular denial-of-service attack. This attack uses the TCP protocol suite, making the session-oriented nature of these protocols work against the victim.
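The TCP SYN attack (above, under TCP/IP vulnerabilities) and the SYN flood here both work by filling the finite half-open connection queue. The following added example (not code from the original notes) models that queue with the one-minute expiry timer the text mentions and shows a legitimate handshake being refused while the queue is full and succeeding after the entries expire; the capacity, flood rate and addresses are constructed assumptions.

```python
# Added example (not from the original notes): a time-based model of the
# half-open connection queue the text describes. A SYN occupies a queue slot
# until the third-message ACK arrives or the entry times out (60 s in the
# text). Flooding SYNs whose SYN-ACK is never answered fills the queue, so a
# legitimate client's SYN is refused; once the timer expires it succeeds.
# Capacity, rates and addresses are constructed for illustration.
import random


class HalfOpenQueue:
    """A host's queue of connections waiting for the final ACK."""

    def __init__(self, capacity=128, timeout=60.0):
        self.capacity, self.timeout = capacity, timeout
        self.pending = {}             # (src_ip, src_port) -> time the SYN arrived
        self.refused = 0              # SYNs dropped because the queue was full

    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if now - t < self.timeout}

    def syn(self, now, src):
        """SYN arrives: reserve a slot (the host would send SYN-ACK) or refuse."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return False
        self.pending[src] = now
        return True

    def ack(self, now, src):
        """Third handshake message: the connection completes and leaves the queue."""
        self._expire(now)
        return self.pending.pop(src, None) is not None


def simulate(flood_rate=50, seconds=5, legit_delay=1.0, capacity=128, seed=1):
    """Send flood_rate spoofed SYN/s for `seconds`, none of which is ever
    acknowledged, then attempt one legitimate handshake legit_delay seconds
    after the flood stops. Returns (legit_ok, entries_left_in_queue)."""
    rng = random.Random(seed)
    q = HalfOpenQueue(capacity=capacity)
    for i in range(flood_rate * seconds):
        now = i / flood_rate
        spoofed = (f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536))
        q.syn(now, spoofed)           # SYN-ACK goes to a host that never replies
    client = ("203.0.113.7", 40000)   # constructed legitimate client
    t = seconds + legit_delay
    ok = q.syn(t, client) and q.ack(t + 0.01, client)
    return ok, len(q.pending)
```

The refused counter on the queue is the kind of metric a host exposes that makes an ongoing flood visible.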
In the first stage, the attacker uses any convenient attack (such as exploiting a buffer overflow or tricking the victim into opening and installing unknown code from an e-mail attachment) to plant a Trojan horse on a target machine. The Trojan horse file may be named for a popular editor or utility, bound to a standard operating system service, or entered into the list of processes (daemons) activated at startup. It will not attract any attention, irrespective of its situation within the system.
The attacker repeats this process with many targets. Each of these target systems then becomes what is known as a zombie. The target systems carry out their normal work, unaware of the resident zombie.
Honeypots
A honeypot is a computer system or a network segment, loaded with servers, devices and data. Honeypots may be protected with a firewall allowing some access. A honeypot has monitoring capability which is not made evident to the attacker.
Types of honeypots :
(i) Low interaction or production honeypots are easy to use and install, capture only a limited amount of information, and are used primarily by companies or corporations.
(ii) High interaction or research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military or government organizations.
Installing Honeypot : Honeypots can be set up inside or outside a firewall, although most are set up inside the firewall to attract the attackers. Setting up honeypots inside a firewall also gives better control over the traffic to the Internet.
Honeypot solutions :
(i) Creating a Honeypot : There are a number of communities, tools, software packages and Websites available which help and guide you to create a honeypot. For creating our own honeypot, we need the following components and considerable configuration time :
(a) A workstation or PC running UNIX or Windows NT.
(b) User accounts with network services like telnet, ftp, sendmail, www, ssh etc.
(c) Snort for network intrusion detection.
(d) Tripwire to monitor critical system files.
(e) Regmon to monitor real-time access to the Windows registry.
(f) Any keystroke logging utility.
(ii) Commercial Honeypot Systems : There are a number of commercial honeypot systems available. Some of them are :
(a) ManTrap by Resource Technologies
(b) Tripwire
(c) Specter by NETSEC
(d) Deception Toolkit by Fred Cohen and Associates (free).
Uses of honeypot :
Honeypots can be used for the following reasons :
(i) To watch what attackers do, in order to learn about new attacks.
(ii) To lure an attacker to a place in which you may be able to learn enough to identify and stop the attacker.
(iii) To provide an alternative but diversionary playground, hoping that the attacker will leave your system alone.