chapter 7 network security 7.1. internet...
TRANSCRIPT
![Page 1: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/1.jpg)
CIS 442 Computer security
Chapter 7
Network security
7.1. Internet Vulnerabilities
A network vulnerability is an inherent weakness in the design,
implementation, or use of a hardware component or a software routine.
A vulnerability invites attacks and makes the network susceptible to threats.
A threat is anything that can disrupt the operation of the network. A threat can
even be accidental or an act of nature, but threats are mostly intentional.
A threat can damage the network, slow it down, or make it unavailable. Any
type of rogue software represents a threat.
An attack is a specific approach employed to exploit a known vulnerability.
A passive attack is designed to monitor and record network activity in an
attempt to collect information to be used later in an active attack
Examples of passive attacks are packet sniffing (page 226) and traffic
analysis.
Passive attacks are difficult to detect.
7.2. Port Scanning
When two programs on different computers exchange data, all the data
packets sent between the programs have (among other specifications) the
same port No.
Accessing a network opens a port and is similar to opening a door. This
makes ports especially important for network security.
When data packets arrive at a computer from different sources, each stream
of packets uses a port number. A port is identified by a 16-bit integer and
there can be up to 216 − 1 = 65,535 ports.
There are three classes of ports, well known (0 through 1023), registered
(1024 through 49,151), and dynamic/private (49,152 through 65,535).
![Page 2: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/2.jpg)
The well-known ports are assigned by [IANA port 04] and are normally used
by operating system processes. Some examples are FTP (port 21), TELNET
(port 23), SMTP (port 25), and HTTP (port 80).
Registered ports are typically used by user applications (as opposed to
operating system processes) when they have to contact a server, but such
ports can also identify named services that have been registered by a third
party.
Dynamic/private ports are used by user applications, but their use is rare.
Such ports do not have any meaning outside of any particular TCP
connection.
A port scanner is a program that listens to data arriving at and departing from
certain ports on a computer.
Port scanning has legitimate uses in managing networks, but is also used
heavily by hackers to gather information that identifies open doors to the
computer.
Information collected by port scanners is used to identify operating system
utilities installed in the computer, and exploit known vulnerabilities in those
utilities in order to break into the computer.
Port scanners are implemented by sophisticated hackers who make them
available on the Internet.
![Page 3: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/3.jpg)
There are several types of port scanners as follows:
Vanilla: The scanner attempts to connect to all I/O ports.
Strobe: A specialized scan looking only for certain services to exploit.
Fragmented packets: The scanner sends fragments of packets. Such
fragments can sometimes get through certain packet filters in a firewall.
UDP: The scanner looks for open UDP ports.
Sweep: The scanner connects to the same port on several (even many)
computers.
FTP bounce: The scanner goes through an FTP server (to appear legitimate).
Stealth scan: The scanner partly disables the log service of the operating
system, so it (the operating system) can no longer record the scanner’s
activities.
Web site [dslreports 04] offers a free service looking for port scanners.
Nmap (Network Mapper) from [insecure 04] is a free open source utility for
network exploration and security auditing. Among other checks, it looks for
port scanners.
![Page 4: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/4.jpg)
Spoofs
The term spoof means to pretend to be someone else, to falsify one’s identity,
or to cover tracks. It is no wonder that various spoofing methods are used by
hackers to gain access or to obtain information.
This section describes various techniques for spoofing over a network.
IP spoofing. A computer may be protected from attack by restricting the IP
addresses that may send it data. A router may have a list of IP numbers and it
allows only data from these numbers to enter the computer.
A hacker who has this list may spoof the router by sending data that appears
to have come from a legitimate IP address. Someone who doesn’t have the
list may discover an allowed IP number by sending the computer data packets
with consecutive IP numbers until a packet gains entry to the computer.
Defending against spoofing is never perfect, because it involves built-in
weaknesses in the TCP protocol. However, a full understanding of the
problem, combined with a few simple precautions, can reduce this threat.
The defense involves two main techniques as follows:
Filtering. If the computer is part of a local area network, the network has a
range of IP addresses. When data is sent outside a local network (uploading),
the filter software at the router should block any source IP outside the range
of the local network.
This prevents someone in the local network from sending spoofed data
outside the local network.
When data is received (download), the filter should block any packets with
source IPs that are within the range of the local network.
Encryption and Authentication. There are Internet protocols that specify
the details of data encryption and how to authenticate messages.
While imperfect, such protocols may help to eliminate simple IP spoofing
attacks.
![Page 5: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/5.jpg)
Sequence number spoofing
The TCP protocol specifies the use of sequence numbers within data packets.
Each data byte has a sequence number, and the receiver must acknowledge
the sequence number of the last contiguous byte it has received.
When TCP connection between two computers (server and client) is
established, the server selects an initial sequence number (ISN) and
communicates it to the client by means of the three-step protocol.
The ISN becomes the sequence number of the first byte of the first packet.
If the packet contains N data bytes, then the last byte has sequence number
ISN+N−1. Thus, the first data byte of the next packet has sequence number
ISN + N and this number is included by the server in the packet’s TCP
header. For each packet received, the client sends an acknowledge where,
among other items of information, it indicates the sequence number of the
last contiguous byte it has received.
This tells the server how much of the data has been received by the client as
one contiguous block.
Session hijacking
This type of attack occurs when a hacker gains privileged access to a network
device, such as a router, that serves as a gateway between the server and
client.
The hacker can, in such a case, use
IP spoofing to take over the entire session of data transmission and send any
information, rogue programs, and corrupt data to the client’s computer.
Most authentication in the TCP/IP protocol takes place at the time the
connection is established, and this can be exploited by a hacker to gain access
to a machine by, for example, using source-routed IP packets.
This allows a hacker at node A on the network to participate in a data
exchange between B and C by placing himself in the middle and routing the
IP packets to pass through his machine.
![Page 6: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/6.jpg)
DNS
A domain name server (DNS) is a computer used specifically for networking.
It has a dictionary with IP addresses and the corresponding URLs.
When a computer wants to send data, it has to prepare packets with the IP
address of the receiving computer.
The human user normally knows the URL (a meaningful string), so the
sending application has to connect to the DNS first, send it the URL, and
receive the corresponding IP address.
Only then can the application send data with the proper IP and TCP headers.
This is why, when we want to browse a certain URL, the browser often
displays the message ―looking for. . . ” for a few seconds.
One threat related to DNS is man in the middle (MIM). A hacker may register
a domain name, such as aple.com, that is similar to an existing popular URL.
When a user mistypes aple instead of apple, the browser receives from the
DNS computer the IP address of the hacker’s site, and connects to that site.
Now the hacker is in control. His site can display information similar to that
displayed by the real site, while also sending its own malicious software.
The hacker can even retrieve from apple.com the web pages the user wants,
then forward them, perhaps modified, to the user.
Another option is for the hacker to insert himself ―inline‖ between a user and
a Web site using a sniffing program to intercept the exchange of data between
them.
![Page 7: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/7.jpg)
DNS poisoning
Another threat related to DNS is DNS poisoning. In the past, the most
common DNS software was the Berkeley Internet name daemon (BIND).
Early versions of this software had weaknesses that made it easy for a hacker
to modify the IP addresses associated with any URLs.
Once a hacker changes the IP associated with, say apple.com. Anyone trying
to connect to that URL will be connected to the hacker’s site, with potentially
disastrous results.
A well-known example of DNS poisoning is the defacing, in 2001, of the
Web site of RSA Security [RSAsecurity 04].
The anonymous hijacker rerouted visitors from RSAsecurity.com to a fake
site that looked like the RSA site but was different in significant ways. \
Anyone who noticed the differences in the Web site, assumed that RSA
Security, an important developer of encryption techniques and products, had
been compromised. In fact, only the DNS was attacked and corrupted.
Spam
• Spam is unwanted, unsolicited email sent in bulk to many unwilling recipients.
• Most of it is commercial advertising for dubious products, get-rich-quick
schemes, or quasi-legal or health services.
• In April 2009, Microsoft’s biannual report on the state of computer security
estimated that 97.3% of email traffic was unwanted spam (or malicious email
like phishing attacks and outright viruses).
• Surprisingly this was down a bit from the first half of 2008, when total spam
volume reached a whopping 98.4% of all email sent.
• Also in April 2009, Google estimated that about 94% of all email traffic
monitored by its Postini services in 2009 represents spam.
![Page 8: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/8.jpg)
• A central computer dedicated to sending and receiving email for a large
organization can be attacked by sending its many users massive quantities of
identical email messages.
• This consumes valuable network bandwidth, it overloads the CPU, eats up disk
space on the email server, and can cause it to crash (by overflowing some data
structure) or freeze (by keeping the CPU permanently occupied with receiving,
logging, sending, and forwarding the spam messages).
• URLs such as Specialham.com and Spamforum.biz (both now defunct), which
are hosted mostly in Russia and China (but also in Florida), may not look very
useful or interesting to a casual visitor or even to security-conscious persons
such as readers of this book, but are familiar and very useful to spammers.
• These sites also carry advertisements for bullet-proof hosting (ISPs, most of
them Chinese, that allow spam) and allow spammers to exchange news and
information.
• The news is mostly about steps taken by ISPs and law makers and enforcers in
various countries to make the lives of spammers more difficult.
• Much information is offered on ISPs and networks that close their eyes to spam
in return for the high revenues obtained from spammers.
![Page 9: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/9.jpg)
Spamhaus maintains a register of known spam operations (ROKSO) database with
names, addresses, and much information on the top 200 spammers. In early June
2005, the top ten were the following:
• Alan Ralsky. Operating mostly in Michigan, United States. One of his
companies is Additional Benefits, LLC. Michael Lindsay. Mostly in California,
United States. Companies are iMedia Networks, InterNetco Communications,
and GalaxyNET Telecom.
• Andrew Westmoreland with partner Kai Bannon. In Florida and Texas,
United States. Operate under Internet Access Group, Inc.
• Jeffrey A. Peters, CEO of JTel.net (or CPU Solutions) Corp. Located in St
Petersburg, Florida. Mr. Peters disappeared from the spamming business long
enough for his spamhous ROKSO records to expire during 2004, but has
reappeared in early 2005.
• Alexey Panov. Claims to live in Russia. Company is Trendlogic GMBH
located in Germany. Email [email protected].
• Ivo Ottavio Reali Camargo. Operating from his office in Florianopolis, Santa
Carina, Brazil.
• Ruslan Ibragimov. Moscow, Russia. Web address send-safe.com.
![Page 10: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/10.jpg)
The four main reasons why spam is so bad are as follows:
1. It is easy to send. All that a spammer needs is spam software and a fast
Internet connection Such a connection may send a flood of millions of
identical messages a day, while costing only about $100 a day.
2. Many spam messages ask the user to click on a link to be removed from
the mailing list. As many of us have found, clicking to be removed from such
a list at best verifies to the spammer that the email address exists and at worst
may result in a virus infection.
3. Spammers tend to use computing resources illegally or even to steal them
outright. A spammer may employ an Internet attack to get hold of a PC, then
use that PC to forward its spam messages
4. Spam is trash. We have all seen messages advertising worthless merchandis
and deceptive or fraudulent services.
• One scam to avoid is contests. Contests are very often used as bait to lure
unsuspecting users to submit their names, physical addresses, telephone
numbers, and email addresses.
• Your chance of winning in a real contest are so small, and the number of fake
contests is so large, that it’s not worth it to participate in them. The same is true
for sites offering prizes.
• The best policy is to ignore contests and prizes.
• Another important technique of collecting email addresses is harvesting them
(some prefer the term scavenging) from the Who is data base at [Network
solutions 04].
• Internet search engines are common and very useful. Such an engine works by
crawling the Internet, locating Web pages, and saving and indexing them.
• Along the same lines, spammers use spambots, software that crawls the Web,
examining Web pages looking for email addresses, and harvesting them for
future abuse or for sale.
![Page 11: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/11.jpg)
• An obvious (but alas, not ideal) protection is to obfuscate all email addresses in
a Web page. Instead of writing an email address in your Web site in a form
such as [email protected], it is better to have something like
leopold bloom at ulysses dot name.
• There are commercial services that provide relief from spam for their members
by blocking it.
• A typical spam-relief service maintains a list of approved senders and asks each
of its members to provide their own list of approved senders. The service ―sits‖
between the member and the member’s mail server, and the member uses the
same email software to send and receive messages.
• A simple technique to reduce spam is to open several alternate email address.
When one gets flooded with spam, tell your correspondents to use another one.
• There are several large companies, such as Yahoo and Hotmail, that provide
free email addresses, but they are frequently targets of massive spam and
various attacks.
• A common sense idea is to avoid giving out your email address as much as
possible.
• If you have a Web site with your address, try to write it in the form john at abc
dot com or a similar format.
• If you set up a message board or a discussion group, try to display just part of
any email address.
![Page 12: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/12.jpg)
Zombies.
Certain types of malware are used to capture control of a computer and
command it remotely. Such a captured machine is known as a zombie and a set
of zombies is termed a botnet.
• A botnet is an ideal means of hiding the identity of a perpetrator and security
experts see more and bigger botnets all the time. It is known that DoS attacks
are often carried out after the attacker has gained control of many computers
and turned them into zombies.
• A targeted Web site is flooded with a vast number of meaningless messages
sent by computers whose innocent users know nothing about the attack. The
attack keeps legitimate users from using the site, causing inconvenience to
users and monetary losses to the site’s owners.
• Such an attack is referred to as distributed denial of service (DDoS).
• Zombies are also used by spammers to hide their identities. A spammer who
controls a zombie computer, sends this slave a (normally stolen) list of email
addresses and instructs it to send a message (or several messages) hawking
useless merchandise, fraudulent schemes, or unwanted services to all the
addresses. Zombies are less destructive than viruses or other types of rogue
software because they rarely damage data.
• Even if you don’t reply to spam, there are ways for the spammer to verify that
you have received and opened it. Some examples are:
• If you have your email program set to preview messages (i.e., to show you the
contents of the message in a window below the list of email), the spammer may
be able to verify that the email has been received.
• If you click on a link to unsubscribe from a mailing list, you have confirmed to
the spammer that your email address is active. The spammer can then sell your
address to others.
![Page 13: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/13.jpg)
• Spammers can include a ―web bug‖ in an email. This is a link that connects to
the spammer’s Web site as soon as the email is read o previewed.
• If you want to avoid letting spammers know that their mail go through, follow
the advice given here.
How to avoid spam
• Use anti-spam software, update and run it regularly. This software can
significantly reduce unwanted email, especially if it is programmed to receive
feedback from the user/reader and employ it to learn (from the subject line or
sender’s address) which messages are spam.
• Never buy anything advertised by unsolicited email because this only
encourages future spam.
• Once your email address becomes known to the seller, it will be added to the
huge address lists that are sold to other spammers, with the result that you’ll
receive even more junk email.
• Worse still, responding to spam advertises you as a sucker and opens you to
further fraud and identity theft attempts.
• If the sender’s name sounds unfamiliar, delete the email without any hesitation.
Most spam is just a nuisance, but often it includes viruses and other nasty
software.
• Never respond to spam messages or click on any links in them. Replying to
spam—even to unsubscribe from it—confirms to the spammer that your email
address is a valid one, thereby encouraging more spam.
• Opt out of any further information or free or attractive offers. When you fill out
forms on the Web, uncheck any checkboxes that offer further information or
offers.
![Page 14: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/14.jpg)
• Don’t use the preview mode in your email viewer. Spammers can verify that a
message has been previewed, even if it hasn’t been opened because the preview
effectively opens the email.) Knowing that you have read their messages
encourages the spammers.
• Try to decide whether an email message is spam based only on the subject line
and sender’s name and address. Use the bcc field if you email many people at
once. The bcc (blind carbon copy) field hides the list of recipients from any
individual recipient. If you include the addresses in the To field, spammers may
harvest them and add them to mailing lists.
• Restrict the use of your email address on the Internet. Don’t publish it on Web
sites, newsgroup lists or other online public forums.
• Spammers have software that crawls the internet to find addresses in such
places, harvest them, and add them to mailing lists.
• Give your main address only to those you trust (and even then be ready for
your address to be discovered and abused by spammers).
• Always have several secondary email addresses ready. (Those are easy to open
at sites such as Yahoo, Gmail, and emailaddresses.com) When you fill out Web
registration forms or surveys on sites with which you don’t want further
contact, use a secondary email address.
• If the secondary address is flooded by spam, simply close it. This protects your
main address from spam.
![Page 15: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/15.jpg)
Denial of Service
• Many Internet attacks try to obtain private data or to damage data. In contrast, a
denial-of-service attack aims to shut down an entire network, a single server, or
a particular Web site.
• The attack tries to prevent legitimate users of a service from using that service.
• This can be done by one of the following methods:
• Flood a network with traffic. This makes it hard or impossible for legitimate
users to send or receive data.
• Disrupt connections between two computers. This prevents remote access to
the machines.
• Attempt to prevent a particular user from accessing a service.
• Disrupt or prevent network access to a particular computer or network.
• A hacker may open an account at an ftp site, then store data and retrieve it
repeatedly, thereby consuming disk space and monopolizing network services
at the site.
There are three types of denial-of-service
1. consumption of scarce or nonrenewable resources,
2. destruction or alteration of network information, and
3. physical destruction or alteration of network components.
• The first type, consumption of scarce resources, relies on the fact that
computers and networks need resources such as electrical power, CPU time,
memory space, disk space, and network connections.
• The easiest resource for a hacker to consume is network connectivity. It is
possible to tie up the network connections of a computer, such that it waits for
some data that never arrives, so it remains hung up. All that the hacker has to do
is start opening a connection to a network server but never complete this process.
![Page 16: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/16.jpg)
• The victim server has reserved a port and a data structure for the connection,
but the port remains half open.
• The hacker (or a group of coordinated attackers) can very quickly tie up all the
available ports of a server. In the meantime, other users, legitimate or not, who try
to establish connections are denied access. Such an attack is called a SYN flood.
• Even someone with only a slow computer and slow modem can stop a large
server very quickly. Here is a detailed description of this threat.
• A typical client/server network consists of a server (a computer with files that
are useful to a group of users) and many clients (users who want access to
those files).
• When a client tries to connect to the server, both the client and the server have
to execute a connection protocol.
• They have to exchange certain messages that establish the connection. This is
true for all the TCP connections, such as email, telnet, and http.
• In its simplest form, the protocol starts when the client sends a SYN message
to the server. If the server is ready to open a connection, it sends back a SYN-
ACK message, expecting to receive an ACK message from the client. When
this is done, communication can start.
• Echo (defined in [RFC-862 04]) uses UDP and TCP port 7 and is employed as
a debugging tool. It sends any data packets received from a source back to that
source.
• An infiltrator can create a DoS attack by spoofing an IP address and causing
two computers to send packets with random data to each other.
• In more detail, by connecting a host’s chargen service to the echo service on
the same or on a different computer, all affected computers may be effectively
choked because of the huge number of packets produced and sent.
![Page 17: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/17.jpg)
• In addition, if several computers are connected in this way, the network
connecting them may also become congested and deny service to any other
computers whose network traffic needs to be forwarded by that network.
• An attacker may also generate a huge number of data packets and send them to
a target computer. This is a bandwidth consumption attack that may involve a
group of intruders.
• An attacker may also consume massive amounts of disk space by, for example,
generating many email messages, generating errors that have to be logged, and
reading huge files from anonymous ftp servers and writing them on the disk.
• When the disk is full, this attack stops, but when the user needs more disk
space later, the operating system issues an error message (disk full).
• An intruder may be able to cause an operating system to crash or to become
unstable by sending unexpected data over the network.
• A well-known example of such an attack is called the ping of death.
• Hackers have discovered that such an attack is particularly ―successful‖ when
the large data packets are sent as part of the Internet control message protocol
(ICMP). ICMP is a component of the TCP/IP protocol that transmits error and
control messages between computers.
• Two specific data packets specified by ICMP are ECHO_REQUEST and
ECHO_RESPONSE. These are commonly sent by a computer to determine
whether a remote computer is reachable via th network and are commonly
known as ―ping,‖ which gave this particular attack its name (the name ―smurf
attack‖ is also sometimes used).
• The original ping program was written as part of UNIX by Mike Muuss and
generated so much interest that the ping concept became part of the Internet
protocol.
![Page 18: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/18.jpg)
• If your operating system is experiencing frequent crashes with no apparent
cause, it could be the result of this type of attack.
• The obvious defense against the ping of death is to patch the low-level routine
that sends data packets to never send large packets, and patch the routine that
receives packets to ignore packets that are too large. In practice, this should be
done by the makers of the operating system and issued as a security patch.
• The second type of DoS threat involves destruction or alteration of network
information.
• An attacker may be able to change the IP number of a victim’s personal
computer, change the registration of the operating system, or change
prerecorded telephone numbers used by the modem to call outside servers.
• The third type of DoS threat involves physical destruction or alteration of
network components.
• This can be done by an intruder physically appearing in a computer center and
disabling, breaking, or disconnecting cables and other hardware devices.
• A hacker may also climb a utility pole and disconnect telephone lines or
television cables, thereby disrupting service to users in the neighborhood.
![Page 19: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/19.jpg)
Firewall Basics
A firewall is a combination of software and hardware that decides what kinds
of requests and what specific data packets can pass to and from a computer or
a local network.
A firewall for a personal computer is normally fully implemented by
software, whereas a small network of computers often found in a home
(typically consisting of 2–3 computers and a printer) may use a hardware
firewall that’s built into the network’s router.
The main task of a firewall is to block certain requests for data transfer, and
the firewall makes these decisions based on rules.
A firewall starts with some built-in (default) rules, and its user/owner can
add, delete, and modify rules.
We can say that a firewall enforces an access policy through the rules, and a
rule tells the firewall what properties of a data packet to examine and how to
decide whether to let the packet through or not.
A typical firewall performs the following tasks:
1. limit incoming data, so that data coming from certain senders (or that has
certain properties) will be blocked,
2. limit outgoing data, so a program will not be able to send data outside (to call
home) without the owner’s knowledge,
3. generate and save a log of all its activities, especially on data packets it has
blocked, and
4. do all this fast and be transparent to the user.
![Page 20: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/20.jpg)
A firewall rule specifies a set of conditions and what action to take when a
condition occurs. A complex rule can check several conditions, while a
simple rule is limited to just one condition. Rules can also be hierarchical.
In such a case, each rule is simple and checks one condition, but a rule can
have several child rules, each checking one condition. This way, each rule is
simple, but the overall performance can be complex.
A sophisticated firewall may maintain simple statistics on the data packets
that satisfy each rule.
When a packet satisfies a rule, its idle time is set to zero, its match count is
incremented by 1, and its byte count is incremented by the size of the packet.
Such statistics can be useful to the computer owner and to the network
administrator, and can also be used in rules.
For example, if a rule hasn’t detected data from a certain sender within a
specified idle time, the action of the rule is executed (even though no data
packet has been received) and may send a probe to the sender or may alert the
user that the sender isn’t responding fast enough.
Examples of actions are ―delete,‖ to delete a data packet, ―pass,‖ to let it
through (into or out of the computer), ―drop,‖ to drop the connection (I case
of a DoS attack that tries to hang up the connection), and ―log,‖ to log the
data packet and then apply the next rule to it.
(For incoming data packets, the ―drop‖ action sends a TCP RESET command
to the sender, while for an outgoing packet the same action sends a small TCP
FIN packet.)
A modern firewall may also include rules for checking the data of a data
packet, not just the fields of its header.
This useful feature is referred to as content filtering. The user may instruct
the firewall to block all incoming (and perhaps all outgoing) data packets that
contain a certain string of characters.
![Page 21: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/21.jpg)
This can block common viruses and worms that have already been detected
and analyzed.
An advanced firewall should also be able to recognize ethernet hardware
addresses (the so-called MAC addresses), so that the rules would be able to
distinguish between outside traffic and local traffic.
Another advanced task is to limit the amount of data (the bandwidth)
allocated to certain users or to certain applications. This way, a firewall can
help in bandwidth management
Other threts:
Router attacks
A router is an important component of a computer network, even a small
network used in a home. Even if there is only one computer, a router is still
useful.
Routers are designed to be easy to use, which also makes them vulnerable to
attacks. This has been realized back in 2006, and has been exploited by
wrongdoers since (and perhaps also before).
Perhaps the simplest attack on a router is to change the DNS server it uses.
Every time the computer user wants to connect to the Internet, the
URL typed by the user has to be translated to an IP address. There are many
DNS servers that maintain lists of pairs (URL, IP), and they supply the
needed IP addresses.
Sending the router to a malicious DNS server can be the key to a whole slew
of other attacks.
![Page 22: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/22.jpg)
When a router, used or new, is set for the first time before it is used, the user
should do the following:
Reset the router (even a brand new one) to its factory state.
Update the router with the latest firmware available in the manufacturer’s
website.
Change the default password to a new, secure one.
The router may have features to support devices that you don’t have.
Turn those features off.
Turn off all features that allow the device to be administered from anything
other than the device(s) plugged directly into the router.
The URL-shortening threat
There are many sites and even more files. Each file on the Internet (as also on
a computer) must have a unique name, which is why many URLs are long.
Special
URL-shortening services exist to alleviate this problem. Examples are
tinyurl.com, bit (.ly), and is (.gd).
These services are useful but they also pose a security threat. Someone sends
you a short URL that should take you to an interesting site whose URL is
long. Instead, the short URL takes you to an infected website.
This threat can be prevented by checking a short URL before using it.
Website http://longurl.org/ does just that. You paste a short URL, the free
service checks it and lets you know where this URL really takes you.
There are also many Twitter clients, such as TweetDeck and Mixero, that
have a preview function that shows the long form of a shortened URL. Such
services illustrate the compromise between security and convenience.
It takes time to check a short URL, but this is time well spent.
![Page 23: Chapter 7 Network security 7.1. Internet Vulnerabilitiesinfotechyu.weebly.com/uploads/1/6/0/9/16099096/cis_442_chapter_7... · ports can also identify named services that have been](https://reader033.vdocument.in/reader033/viewer/2022042213/5eb87a1764447d07f22d1ccd/html5/thumbnails/23.jpg)
Flash weakness
Adobe Flash is a popular multimedia application for adding animation and
interactivity to Web pages.
Originally designed and implemented in 1996 by Jonathan Gay who called it
SmartSketch, the program was acquired by Macromedia in the same year and
its name changed to Flash. Since 2007, it has been developed and distributed
by Adobe Systems.
Flash is commonly used to create animation, advertisements, and other
videos that are included inWeb pages. In July 2009, a weakness (that became
known as zero-day vulnerability) was discovered in Flash player versions 9
and 10 by an anonymous hacker. This became public knowledge, and was
exploited by other miscreants.
This weakness makes it possible to include a malicious, specially-constructed
Flash video in a Web site, such that simply surfing to the site causes harm.
The user does not even have to click on anything; as soon as the video comes
up it releases its payload.