A FEW weeks ago internet gateways suddenly stopped functioning for several hours, cutting off internet communication all over the world. The scary fact is that it can happen again. This article reviews the main security threats to the internet and the protective measures that can be taken to avert the total or near-total collapse of businesses that depend on it.
The three major threats faced by the world today are:
1. DoS (denial-of-service) attacks or DDoS (distributed-denial-of-service) attacks.
2. Spamming and e-mail bombing.
3. IP spoofing.
1. Denial of service attacks
A “denial-of-service” attack is characterized by an explicit attempt to prevent legitimate users of a service from using that service.
Cyber space has a long history of DoS attacks, and they are capable of causing more harm than is generally assumed. Let us take a look in greater detail. A DoS attack may take the form of:
— attempts to “flood” a network, thereby preventing legitimate network traffic;
— attempts to disrupt connections between two machines, thereby preventing access to a service;
— attempts to prevent a particular individual from accessing a service; and
— attempts to disrupt service to a specific system or person.
Not all service outages, even those that result from malicious activity, are necessarily denial-of-service attacks. Other types of attack may include a denial of service as a component, in which case the outage is only one part of a larger attack.
Illegitimate use of resources may also result in denial of service. For example, an intruder may use your anonymous ftp area as a place to store illegal copies of commercial software, consuming disk space and generating network traffic.
Denial-of-service attacks can essentially disable your computer or your network. Depending on the nature of your enterprise, this can effectively disable your organization.
Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an “asymmetric attack.” For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.
Modes of attack: Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:
— Consumption of scarce, limited, or non-renewable resources
— Destruction or alteration of configuration information
— Physical destruction or alteration of network components.
Network connectivity: Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the “SYN flood” attack. In this type of attack, the attacker begins the process of establishing a connection to the victim machine, but does it in such a way as to prevent the ultimate completion of the connection. In the meantime, the victim machine has reserved one of a limited number of data structures required to complete the impending connection. The result is that legitimate connections are denied while the victim machine is waiting to complete bogus “half-open” connections.
You should note that this type of attack does not depend on the attacker being able to consume your network bandwidth. In this case, the intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from a dial-up connection against a machine on a very fast network. (This is a good example of an asymmetric attack.)
SYN flood: Most IRC regulars know or have heard of this term. When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a fixed sequence of messages. This connection technique applies to all TCP connections: telnet, web, email, etc. The client system begins by sending a SYN message to the server. The server then acknowledges the SYN message by sending a SYN-ACK message to the client. The client finishes establishing the connection by responding with an ACK message. The connection between the client and the server is then open, and service-specific data can be exchanged between them.
The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to client but has not yet received the ACK message. This is what we mean by half-open connection. The server has built in its system memory a data structure describing all pending connections. This data structure is of finite size, and it can be made to overflow by intentionally creating too many partially-open connections.
Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages. This means that the final ACK message will never be sent to the victim server system.
The half-open connections data structure on the victim server system will eventually fill; then the system will be unable to accept any new incoming connections until the table is emptied out. Normally there is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server system will recover. However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can expire the pending connections.
In most cases, the victim of such an attack will have difficulty in accepting any new incoming network connection. In these cases, the attack does not affect existing incoming connections or the ability to originate outgoing network connections.
However, in some cases, the system may exhaust memory, crash, or be rendered otherwise inoperative. The location of the attacking system is obscured because the source addresses in the SYN packets are often implausible. When the packet arrives at the victim server system, there is no way to determine its true source. Since the network forwards packets based on destination address, the only way to validate the source of a packet is to use input source filtering.
Basic prevention recommended:
— Shorten the timeout on half-open connections so that the backlog recovers faster and the attacker must sustain a higher packet rate to keep it full.
— Use access lists on the border router to drop TCP connection requests from identified attacking or implausible source addresses (for example, a Cisco “deny tcp host <address> any” entry).
— Filter inbound SYN packets at the perimeter by destination port, and apply input source filtering so that packets with forged source addresses are dropped before they reach the server.
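The half-open connection table described above, modelled in Python as an added example (this code is not from the original article; the 128-slot table, the 75-second timeout and the packet rates are constructed values chosen to show the arithmetic, not measurements of any real system). It shows why the attack is asymmetric: the attacker only has to send spoofed SYNs faster than the victim expires them, i.e. faster than capacity divided by timeout, and it shows how the first mitigation above, a shorter timeout, raises that bar.

```python
"""Model of a TCP listen backlog under a SYN flood.

Added example, not from the original article. Capacity, timeout and
packet rates are constructed values used only to illustrate the model.
"""
from collections import deque


class HalfOpenTable:
    """The kernel's finite table of pending (SYN-received) connections."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity   # number of half-open slots
        self.timeout = timeout     # seconds before a pending entry is dropped
        self.pending = deque()     # (expire_time, src), oldest on the left

    def _expire(self, now):
        # Entries are appended in arrival order with a constant timeout,
        # so the entry that expires first is always at the left.
        while self.pending and self.pending[0][0] <= now:
            self.pending.popleft()

    def on_syn(self, now, src):
        """A SYN arrives. Return True if a slot was reserved (a SYN-ACK would
        be sent), False if the table is full and the SYN is dropped."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            return False
        self.pending.append((now + self.timeout, src))
        return True

    def on_ack(self, now, src):
        """The final ACK completes the handshake and frees the slot."""
        for entry in self.pending:
            if entry[1] == src:
                self.pending.remove(entry)
                return True
        return False


def min_flood_rate(capacity, timeout):
    """Spoofed SYNs per second needed to keep the table permanently full:
    the attacker only has to out-pace the expiry rate, capacity / timeout."""
    return capacity / timeout


def simulate(capacity, timeout, spoofed_per_sec, legit_at, duration):
    """Flood the table with spoofed SYNs (never ACKed, because the forged
    source cannot answer the SYN-ACK) and record whether a real client's
    SYN sent at each second listed in `legit_at` is accepted."""
    table = HalfOpenTable(capacity, timeout)
    outcome = {}
    for now in range(duration):
        for i in range(spoofed_per_sec):
            table.on_syn(now, f"spoofed-{now}-{i}")
        if now in legit_at:
            accepted = table.on_syn(now, "client")
            if accepted:
                table.on_ack(now, "client")  # a real client finishes the handshake at once
            outcome[now] = accepted
    return outcome


if __name__ == "__main__":
    # 128 slots and a 75 s timeout: two spoofed SYNs per second, a few
    # hundred bytes per second of bandwidth, is enough to deny service.
    print(min_flood_rate(128, 75))
    print(simulate(128, 75, 2, {10, 70, 200}, 300))
    # One SYN per second never fills the table; a 30 s timeout lets the
    # victim survive the two-per-second flood.
    print(simulate(128, 75, 1, {10, 70, 200}, 300))
    print(simulate(128, 30, 2, {10, 70, 200}, 300))
```

The steady-state occupancy is the smaller of the table size and rate times timeout, so the second run (one SYN per second) never denies a connection while the first does once the table fills at second 63. Shortening the timeout is the cheapest lever a defender has in this model, but a determined attacker can simply raise the rate, which is why the source-filtering measures listed above still matter.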
Bandwidth consumption
An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle they may be anything. Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect.
In addition to network bandwidth, intruders may be able to consume other resources that your systems need in order to operate. For instance, in many systems, a limited number of data structures are available to hold process information (process identifiers, process table entries, process slots, etc.). An intruder may be able to consume these data structures by writing a simple program or script that does nothing but repeatedly create copies of itself. Many modern operating systems have quota facilities to protect against this problem, but not all do. Further, even if the process table is not filled, the CPU may be consumed by a large number of processes and the associated time spent switching between processes.
An intruder may also attempt to consume disk space in other ways, including
• Generating excessive numbers of mail messages.
• Intentionally generating errors that must be logged
• Placing files in anonymous ftp areas or network shares.
In general, anything that allows data to be written to disk can be used to execute a denial-of-service attack if there are no bounds on the amount of data that can be written.
Many sites have schemes in place to lock out an account after a certain number of failed login attempts. A typical setup locks out an account after three or five failed login attempts. An intruder may be able to use this scheme to prevent legitimate users from logging in. In some cases, even the privileged accounts, such as root or administrator, may be subject to this type of attack. Be sure you have a method to gain access to the systems under emergency circumstances.
There are other things that may be vulnerable to denial of service that you may wish to monitor. These include
— Printers
— CPU “processing outages”
— Tape devices
— Network connections
Destruction of components
The primary concern with this type of attack is physical security. You should guard against unauthorized access to computers, routers, network wiring closets, network backbone segments, power and cooling stations, and any other critical components of your network.
Physical security is a prime component in guarding against many types of attacks in addition to denial of service.
Here are the recommendations for averting such attacks:
— Use passwords of at least eight characters, mixing letters and digits.
— Use an authentication method that does not send the password in the clear (CHAP challenge-response at least).
— Enable account lockouts, keeping an emergency access path as noted above.
Email bombing
Email bombing is characterized by abusers repeatedly sending an email message to a particular address at a specific victim site. In many instances, the messages will be large and constructed from meaningless data in an effort to consume additional system and network resources. Multiple accounts at the target site may be abused, increasing the denial of service impact.
Email spamming is a variant of bombing; it refers to sending email to hundreds or thousands of users (or to lists that expand to that many users). Email spamming can be made worse if recipients reply to the email, causing all the original addressees to receive the reply. It may also occur innocently, as a result of sending a message to a mailing list without realizing that the list explodes to thousands of users, or as a result of an auto-responder that is set up incorrectly.
Unfortunately, at this time, there is no way to prevent email bombing, and it is impossible to predict the origin of the next attack. It is trivial to obtain access to large mailing lists or information resources that contain large volumes of email addresses that will provide destination email addresses for the spam.
Spamming and email abuse are prohibited by most providers' acceptable-use policies, but there are only a few options when it comes to fighting spam, and most of them are indirect. Basic prevention recommended:
— Block mail from sites and networks that are known offenders.
— Integrate antivirus software with the mail system.
— Use digital signatures (and encryption where needed) to authenticate email.
— Add a content (keyword) filter to the mail system to make it more effective at catching spam.
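Email bombing as described above has a simple signature in a mail server's delivery log: an unusual number of messages, or an unusual volume of bytes, to one mailbox in a short window. The following Python detector is an added example, not code from the original article; the log format (one line per accepted message: ISO-8601 time, sender, recipient, size in bytes) is a constructed simplification rather than any real server's format, and the log lines are made up.

```python
"""Sliding-window detection of e-mail bombing in a delivery log.

Added example. The log format and all addresses below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime


def _constructed_log():
    """Build a made-up delivery log: one normal message, a bomb of twelve
    1 MiB messages to one mailbox, and eleven small messages in a minute."""
    lines = ["2024-03-12T09:59:30 alice@example.org bob@example.com 2048"]
    for i in range(12):
        lines.append(f"2024-03-12T10:00:{5 + i:02d} mailer@attacker.test bob@example.com 1048576")
    for i in range(11):
        lines.append(f"2024-03-12T10:05:{i * 5:02d} blast@spam.test carol@example.com 700")
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()


def parse_log(text):
    """Parse 'time sender recipient size' lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, sender, rcpt, size = line.split()
        events.append((datetime.fromisoformat(ts), sender, rcpt, int(size)))
    events.sort(key=lambda e: e[0])
    return events


def detect_bombing(events, window=60, max_msgs=10, max_bytes=5_000_000):
    """Keep a sliding window per (sender, recipient) pair and raise one alert
    per pair the first time the message count or byte volume inside the
    window exceeds its threshold."""
    recent = defaultdict(deque)   # pair -> deque of (time, size) inside the window
    alerted = set()
    alerts = []
    for ts, sender, rcpt, size in events:
        pair = (sender, rcpt)
        q = recent[pair]
        q.append((ts, size))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        count = len(q)
        total = sum(s for _, s in q)
        if pair not in alerted and (count > max_msgs or total > max_bytes):
            alerted.add(pair)
            alerts.append({"time": ts.isoformat(), "sender": sender,
                           "recipient": rcpt, "messages": count, "bytes": total})
    return alerts


if __name__ == "__main__":
    for alert in detect_bombing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Keying the window on the (sender, recipient) pair keeps a busy mailbox from tripping the rule on ordinary traffic; a bomber who rotates sender addresses is better caught by keying on the recipient alone, at the cost of more false positives on mailing-list recipients. The byte threshold is what catches the "large messages of meaningless data" variant, which can deny service with only a handful of messages.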
IP-Spoofing
To gain access, intruders create packets with spoofed source IP addresses. This exploits applications that use authentication based on IP addresses and leads to unauthorized user and possibly root access on the targeted system. It is possible to route packets through filtering-router firewalls if they are not configured to filter incoming packets whose source address is in the local domain. It is important to note that the described attack is possible even if no reply packets can reach the attacker.
Examples of configurations that are potentially vulnerable include:
— Routers to external networks that support multiple internal interfaces
— Routers with two interfaces that support subnetting on the internal network
— Proxy firewalls where the proxy applications use the source IP address for authentication
With the current IP protocol technology, it is impossible to eliminate IP-spoofed packets. However, you can take steps to reduce the number of IP-spoofed packets entering and exiting your network.
Currently, the best method is to install a filtering router that restricts the input to your external interface by not allowing a packet through if it has a source address from your internal network. In addition, you should filter outgoing packets that have a source address different from your internal network to prevent a source IP spoofing attack from originating from your site.
Stop spoofed IP Packets from Leaving Your Network:
The goal is to prevent your network from being the source of the spoofed (forged) packets that are commonly used in DoS attacks.
Ensure that your routers and firewalls forward IP packets only if those packets carry a correct source IP address for your network, that is, one of the IP network addresses that have been assigned to your site. It is important to do this throughout your network.
Deny invalid source IP
All organizations connected to the internet should only allow packets to leave their network with valid source IP addresses that belong to their network. This will minimize the chance that your network will be the source of a spoofed DoS attack. This will not prevent distributed DoS attacks coming from your network with valid source addresses.
Preventing spoofed source IP address traffic can be accomplished with filtering on routers, firewalls, and hosts. Here is a generic example of what the filter needs to look like:
— Permit your site's valid source addresses to the Internet.
— Deny all other source addresses.
— On the router(s) connected to your ISP(s), if the interface IP address on the link to the ISP is not out of one of your site's IP blocks, also permit packets with that interface IP address as source.
— Deny private and reserved source IP addresses.
If you are unsure what address space is in use at your site, then you should at least deny Private (RFC 1918) and Reserved Source IP Addresses.
If you are using Network Address Translation (NAT), you need to make sure that you perform this filtering between your NAT device and your ISP, and you should also verify that your NAT device configuration only translates address used and authorized for your internal address space.
Denying private and reserved source IP addresses can be accomplished with filtering on routers, firewalls, and hosts.
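The filter logic described above, written out in Python as an added example (this is not code from the original article or from any router vendor; the site prefix 203.0.113.0/24, the uplink address 198.51.100.2 and the sample packets are constructed, using documentation address ranges). The egress side implements "permit your own addresses plus the uplink address, deny everything else"; the ingress side drops packets that claim to come from inside the site or from private and reserved space.

```python
"""Ingress/egress anti-spoofing filter logic. Added example; the
prefixes, uplink address and packets below are constructed values.
"""
import ipaddress

# Assumption: this site has been assigned 203.0.113.0/24.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: the ISP-facing link uses an address out of the ISP's block,
# so packets the border router itself originates carry this source.
UPLINK_ADDRESS = ipaddress.ip_address("198.51.100.2")

# RFC 1918 private space plus ranges that can never be a genuine source
# on the public Internet (this-network, loopback, link-local, multicast,
# reserved).
PRIVATE_AND_RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def egress_verdict(src):
    """Packets leaving the site toward the ISP: permit only sources the site
    legitimately owns (plus the uplink interface address) so the site cannot
    originate a spoofed-source attack."""
    src = ipaddress.ip_address(src)
    if src == UPLINK_ADDRESS or _in_any(src, SITE_PREFIXES):
        return "permit"
    return "deny"


def ingress_verdict(src):
    """Packets arriving from the ISP: a source that claims to be inside the
    site, or that lies in private/reserved space, is forged and is dropped."""
    src = ipaddress.ip_address(src)
    if _in_any(src, SITE_PREFIXES):
        return "deny"      # outsider impersonating an internal host
    if _in_any(src, PRIVATE_AND_RESERVED):
        return "deny"      # bogon source, cannot be genuine
    return "permit"


def apply_filter(direction, packets):
    """Run (src, dst) pairs through the chosen filter, as a router ACL does
    per packet, and return the verdict for each."""
    verdict = egress_verdict if direction == "egress" else ingress_verdict
    return [(src, dst, verdict(src)) for src, dst in packets]


if __name__ == "__main__":
    # Constructed sample traffic.
    outbound = [("203.0.113.25", "192.0.2.10"),   # genuine internal host
                ("198.51.100.2", "192.0.2.10"),   # the border router itself
                ("192.0.2.77", "192.0.2.10")]     # forged source, would feed a DoS
    inbound = [("192.0.2.10", "203.0.113.25"),    # ordinary Internet host
               ("203.0.113.9", "203.0.113.25"),   # outsider claiming to be inside
               ("10.1.2.3", "203.0.113.25")]      # RFC 1918 source from the Internet
    for row in apply_filter("egress", outbound) + apply_filter("ingress", inbound):
        print(*row)
```

On a real border router the same two lists become an inbound access list on the ISP-facing interface and an outbound one on the same interface; when NAT is in use the egress list must sit between the NAT device and the ISP, as noted above, so that it sees the translated public sources.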
To ensure that your network cannot be used as a broadcast amplification site to flood other networks (as in the “smurf” attack), configure all of your systems (routers, workstations, servers, etc.) so that they do not receive or forward directed broadcast traffic.
Test your network to determine if it is an amplification site:
To test your network to see if it is acting as an amplification site you can use the “ping” command to send an ICMP Echo Request packet to the Network Base IP Address of your network(s) and the Broadcast IP Address of your network(s).
You will need to know your network base IP address and your broadcast IP address. You may find the CIDR Table helpful in determining these addresses for your network.
From a machine on the internet side of your router (that is, off your site) ping both the network base address (x.x.x.0 for a /24, aka Class C) and the broadcast address (x.x.x.255 for a /24) of an internal subnet with a number of machines on it. If a single request draws replies from several hosts inside the subnet, your network is acting as an amplifier.
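The test above in Python, as an added example (not from the original article): one function computes the base and broadcast addresses to probe for any CIDR block, and another reads the output of the ping and decides whether the network amplified. The ping output embedded below is constructed to look like the reply lines common ping implementations print; the addresses are documentation ranges and not from the original article.

```python
"""Directed-broadcast (smurf amplifier) check. Added example; the ping
output and addresses below are constructed.
"""
import ipaddress
import re

# Matches reply lines such as
# "64 bytes from 203.0.113.7: icmp_seq=0 ttl=63 time=0.412 ms (DUP!)"
REPLY_RE = re.compile(r"bytes from (\S+?):\s+icmp_seq=(\d+)")


def probe_targets(cidr):
    """Return the (base, broadcast) addresses the test should ping."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def responders_per_request(ping_output):
    """Map each icmp_seq to the set of distinct hosts that answered it."""
    seen = {}
    for line in ping_output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            seen.setdefault(int(m.group(2)), set()).add(m.group(1))
    return seen


def is_amplifier(ping_output):
    """True if any single Echo Request was answered by more than one host.
    Zero or one reply per request means the subnet did not amplify."""
    return any(len(hosts) > 1 for hosts in responders_per_request(ping_output).values())


# Constructed output from pinging the broadcast address of an
# amplifying subnet: three hosts answer every request.
AMPLIFYING_OUTPUT = """\
PING 203.0.113.255 (203.0.113.255): 56 data bytes
64 bytes from 203.0.113.7: icmp_seq=0 ttl=63 time=0.412 ms
64 bytes from 203.0.113.12: icmp_seq=0 ttl=63 time=0.455 ms (DUP!)
64 bytes from 203.0.113.30: icmp_seq=0 ttl=63 time=0.501 ms (DUP!)
64 bytes from 203.0.113.7: icmp_seq=1 ttl=63 time=0.398 ms
64 bytes from 203.0.113.12: icmp_seq=1 ttl=63 time=0.441 ms (DUP!)
"""

# Constructed output from a subnet whose router drops directed broadcasts.
SAFE_OUTPUT = """\
PING 203.0.113.255 (203.0.113.255): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
"""

if __name__ == "__main__":
    print(probe_targets("203.0.113.0/24"))
    print("amplifier:", is_amplifier(AMPLIFYING_OUTPUT))
    print("amplifier:", is_amplifier(SAFE_OUTPUT))
```

The "(DUP!)" marker is how ping itself flags a second reply to the same sequence number, so seeing it at all when probing a broadcast address is already the warning sign; the function above simply makes the count explicit so the check can be scripted across all of a site's subnets.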
A recommended article on applying these filters across various operating systems and networking hardware:
The writer is an IT professional and deals with security issues.