(OSI) layer in the information flow. The attacker
attempts to compromise the protected system by manipulating the
application layer data. System management needs management
protocols. Like most other components, management protocols
have vulnerabilities that an attacker can exploit to gain
access to network resources. Attacks using intelligence or
insider information will be discussed in more detail later in
the course.
Content 5.2 Mitigating Network Attacks
5.2.2 Reconnaissance Attacks
Reconnaissance is the unauthorized
discovery and mapping of systems, services, or vulnerabilities.
Reconnaissance is also known as information gathering, and in
most cases, precedes an access or DoS attack. First, the
malicious intruder typically conducts a ping sweep of the
target network to determine which IP addresses are alive. Then,
the intruder determines which services or ports are active on
the live IP addresses. From this information, the intruder
queries the ports to determine the type and version of the
application and operating system that is running on the target
host. In many cases, the intruder looks for vulnerable services
that can be exploited later, when there is less likelihood that
anyone will be aware of the attack.
Reconnaissance is somewhat analogous to a thief surveying a
neighborhood for vulnerable homes, such as an unoccupied
residence or a house with an easy-to-open door or window to
break into. Reconnaissance attacks can consist of the following,
as listed in Figure :
- Packet sniffers
- Port scans
- Ping sweeps
- Internet information queries
5.2.3 Packet Sniffers
Figure shows how an attacker uses a packet sniffer
to attack a network. A packet sniffer is a software application
that uses a network adapter card in promiscuous mode to capture
all network packets that are sent across a LAN. Packet sniffers
can only work in the same collision domain as the network being
attacked. Promiscuous mode is a mode in which the network
adapter card sends all packets that are received on the
physical network wire to an application for processing.
Plaintext is non-encrypted information. Some network
applications distribute network packets in plaintext. Because
the network packets are not encrypted, the packets can be
processed and understood by any application that can pick them
off the network and process them. A network protocol specifies
the protocol operations and packet format. Because the
specifications for network protocols, such as TCP/IP, are
widely published, a third party can easily interpret the
network packets and develop a packet sniffer. Numerous freeware
and shareware packet sniffers are available that do not require
the user to understand anything about the underlying
protocols.
Note
In an Ethernet LAN, promiscuous mode is a mode of operation in
which every data frame that is transmitted can be received and
read by a network adapter. Promiscuous mode is the opposite of
nonpromiscuous mode. Nonpromiscuous mode will only see packets
specifically destined to this host. This includes broadcasts and
multicasts if the host is part of that multicast group.
Packet Sniffer Mitigation
Figure shows how to mitigate packet sniffer attacks. The
techniques and tools that can be used to mitigate packet sniffer
attacks include:
- Authentication
- Cryptography
- Antisniffer tools
- Switched infrastructure
Authentication
Using strong authentication is a
first option for defense against packet sniffers. Strong
authentication can be defined as a method of authenticating
users that cannot easily be circumvented. An example of common
strong authentication is One Time Password (OTP). OTP is a type
of two-factor authentication. Two-factor authentication
combines something you have with something you know. Automated
teller machines (ATMs) use two-factor authentication. A
customer needs both an ATM card and a personal identification
number (PIN) to complete transactions. With OTPs, you need a
PIN and your token card to authenticate to a device or software
application. A token card is a hardware or software device that
generates new, seemingly random, passwords at specified
intervals, usually 60 seconds. A user combines that password
with a PIN to create a unique password that works only for one
instance of authentication. If a hacker learns that password by
using a packet sniffer, the information is useless because the
password has already expired. This mitigation technique is
effective only against a sniffer implementation that is
designed to grab passwords. Sniffers that are deployed to learn
sensitive information (such as e-mail messages) will still be
effective.
Cryptography
Rendering packet sniffers
irrelevant is the most effective method for countering packet
sniffers. Cryptography is even more effective than preventing
or detecting packet sniffers. If a communication channel is
cryptographically secure, the only data a packet sniffer
detects is cipher text (a seemingly random string of bits) and
not the original message. The Cisco deployment of network-level
cryptography is based on IPsec, which is a standard method that
networking devices use to communicate privately using IP. Other
cryptographic protocols for network management include Secure
Shell (SSH) and Secure Sockets Layer (SSL).
Antisniffer Tools
You can use software and hardware designed to
detect the use of sniffers on a network. Such software and
hardware does not completely eliminate the threat, but like
many network security tools, the software and hardware are part
of the overall mitigation system. Antisniffer tools detect
changes in the response time of hosts to determine whether the
hosts are processing more traffic than their own traffic loads
would indicate. One such network security software tool, called
AntiSniff, is available from Security Software Technologies.
Switched Infrastructure
This technology, which is
very common today, counters the use of packet sniffers in the
network environment. If an entire organization deploys switched
Ethernet, hackers can gain access only to the traffic that
flows on the specific port to which the hackers connect. A
switched infrastructure obviously does not eliminate the threat
of packet sniffers but can greatly reduce the sniffers’
effectiveness.
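The One Time Password flow described under Authentication above, as an added Python example that is not part of the original course text: an HOTP/TOTP token value (RFC 4226 / RFC 6238) is combined with a PIN, and a server-side check accepts each value once and rejects it after its interval has passed. The 60-second step, the PIN-prefix scheme, the `OtpVerifier` class and the demo seed are assumptions made for illustration, not a Cisco implementation.

```python
import hashlib
import hmac


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation to a
    31-bit integer, then the last `digits` decimal digits (zero-padded).
    """
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 60, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the HOTP counter is the number of `step`-second
    intervals since the Unix epoch. The course text describes token cards that
    roll every 60 s; RFC 6238 defaults to 30 s, so the interval is a parameter."""
    return hotp(secret, unix_time // step, digits)


class OtpVerifier:
    """Server-side check of PIN + token value (assumed design, not a vendor product).

    A passcode is accepted only if the PIN matches, the token value belongs to
    the current interval (or an adjacent one, to absorb clock skew), and that
    exact (interval, value) pair has not been accepted before.
    """

    def __init__(self, secret: bytes, pin: str, step: int = 60,
                 digits: int = 6, skew: int = 1):
        self.secret = secret
        self.pin = pin
        self.step = step
        self.digits = digits
        self.skew = skew
        self._accepted = set()  # (counter, code) pairs already used once

    def verify(self, passcode: str, unix_time: int) -> bool:
        if not passcode.isascii():
            return False  # compare_digest on str requires ASCII input
        pin_part, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin_part, self.pin):
            return False
        now = unix_time // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                if (counter, code) in self._accepted:
                    return False  # replay of a value that already logged someone in
                self._accepted.add((counter, code))
                return True
        return False  # wrong value, or a value whose interval has expired


def sniffed_password_scenario():
    """Walk-through of the passage: a sniffer captures the passcode the user
    types at time t0 and tries to reuse it. Returns (legitimate login,
    replay inside the same interval, replay ten minutes later)."""
    secret = b"12345678901234567890"  # constructed demo seed (the RFC 4226 test key)
    verifier = OtpVerifier(secret, pin="4711", step=60, digits=6, skew=1)
    t0 = 1_700_000_000
    passcode = "4711" + totp(secret, t0, step=60)  # what the user sends and the sniffer sees
    legitimate = verifier.verify(passcode, t0)
    replay_now = verifier.verify(passcode, t0 + 5)
    replay_later = verifier.verify(passcode, t0 + 600)
    return legitimate, replay_now, replay_later


if __name__ == "__main__":
    print(sniffed_password_scenario())  # (True, False, False)
```

The replay inside the same interval fails because the verifier remembers accepted values, and the later replay fails because the interval has moved on; this is exactly why a captured passcode is useless to the sniffer. As the text notes, this protects only the credential: anything else carried in plaintext on the same channel is still readable.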
5.2.4 Port Scans and Ping Sweeps
An attacker uses port scans and ping sweeps through
the Internet as shown in Figure . As legitimate tools, port
scan and ping sweep applications run a series of tests against
hosts and devices to identify vulnerable services. The
information is gathered by examining IP addressing and port or
banner data from both TCP and User Datagram Protocol (UDP)
ports. In an illegitimate situation, a port scan can be a
series of messages that someone sends when attempting to break
into a computer to learn which computer network services the
computer provides. Each service is associated with a
“well-known” port number. Port scanning can be an automated
scan of a range of TCP or UDP port numbers on a host to detect
listening services. Port scanning, a favorite computer hacker
approach, provides information to the assailant as to where to
probe for weaknesses. Essentially, a port scan consists of
sending a message to each port, one port at a time. The kind of
response that the sender receives indicates whether the port is
used and can therefore be probed for weakness. A ping sweep, or
Internet Control Message Protocol (ICMP) sweep, is a basic
network scanning technique that determines which range of IP
addresses map to live hosts (computers). Whereas a single ping
tells you whether one specified host computer exists on the
network, a ping sweep consists of ICMP echo requests sent to
multiple hosts. If a given address is live, the address returns
an ICMP echo reply. Ping sweeps are among the older and slower
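Added example (Python, not part of the course text): how a defender might spot the port scans and ping sweeps this section describes in firewall logs. A port scan shows up as one source touching many distinct ports on one host in a short time; a ping sweep as one source sending ICMP echo requests (type 8) to many distinct hosts. The log line format, the thresholds, the addresses (RFC 5737 documentation ranges) and the function names are constructed for the example; a real deployment would parse the device's own log format.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the original page).
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=21
2024-05-01T10:00:00 DENY proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=22
2024-05-01T10:00:01 DENY proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=23
2024-05-01T10:00:01 DENY proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=25
2024-05-01T10:00:02 DENY proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=80
2024-05-01T10:00:02 DENY proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=110
2024-05-01T10:00:03 DENY proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=143
2024-05-01T10:00:03 DENY proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=443
2024-05-01T10:00:04 DENY proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=445
2024-05-01T10:00:04 DENY proto=TCP src=198.51.100.7 dst=192.0.2.10 dport=3389
2024-05-01T10:00:05 ALLOW proto=ICMP src=203.0.113.9 dst=192.0.2.1 type=8
2024-05-01T10:00:05 ALLOW proto=ICMP src=203.0.113.9 dst=192.0.2.2 type=8
2024-05-01T10:00:05 ALLOW proto=ICMP src=203.0.113.9 dst=192.0.2.3 type=8
2024-05-01T10:00:06 ALLOW proto=ICMP src=203.0.113.9 dst=192.0.2.4 type=8
2024-05-01T10:00:06 ALLOW proto=ICMP src=203.0.113.9 dst=192.0.2.5 type=8
2024-05-01T10:00:06 ALLOW proto=ICMP src=203.0.113.9 dst=192.0.2.6 type=8
2024-05-01T10:00:07 ALLOW proto=TCP src=192.0.2.50 dst=192.0.2.10 dport=443
2024-05-01T10:30:00 ALLOW proto=TCP src=192.0.2.50 dst=192.0.2.10 dport=22
"""

# Assumed line layout: "<ISO time> <ALLOW|DENY> proto=<P> src=<ip> dst=<ip> [dport=<n>] [type=<n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: dport=(?P<dport>\d+))?(?: type=(?P<type>\d+))?$"
)


def parse_log(text):
    """Turn log lines into dicts with a numeric timestamp; lines that do not
    match the expected layout are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "t": datetime.fromisoformat(d["ts"]).timestamp(),
            "proto": d["proto"],
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "icmp_type": int(d["type"]) if d["type"] else None,
        })
    return events


def max_distinct_in_window(samples, window):
    """Largest number of distinct values among (time, value) samples that fall
    within any span of `window` seconds (two-pointer sweep over sorted times)."""
    samples = sorted(samples)
    counts = Counter()
    left = 0
    best = 0
    for t, value in samples:
        counts[value] += 1
        while t - samples[left][0] > window:  # drop samples that fell out of the window
            old = samples[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_port_scans(events, window=60, min_ports=10):
    """One source probing many distinct TCP/UDP ports on one host within `window` seconds."""
    by_pair = defaultdict(list)
    for e in events:
        if e["proto"] in ("TCP", "UDP") and e["dport"] is not None:
            by_pair[(e["src"], e["dst"])].append((e["t"], e["dport"]))
    alerts = []
    for (src, dst), samples in by_pair.items():
        n = max_distinct_in_window(samples, window)
        if n >= min_ports:
            alerts.append({"type": "port_scan", "src": src, "dst": dst, "distinct_ports": n})
    return alerts


def detect_ping_sweeps(events, window=60, min_hosts=5):
    """One source sending ICMP echo requests (type 8) to many distinct hosts within `window` seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "ICMP" and e["icmp_type"] == 8:
            by_src[e["src"]].append((e["t"], e["dst"]))
    alerts = []
    for src, samples in by_src.items():
        n = max_distinct_in_window(samples, window)
        if n >= min_hosts:
            alerts.append({"type": "ping_sweep", "src": src, "distinct_hosts": n})
    return alerts


def analyze(text=SAMPLE_LOG):
    """Run both detectors over a log and return the combined alert list."""
    events = parse_log(text)
    return detect_port_scans(events) + detect_ping_sweeps(events)


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

The sliding window matters: the host 192.0.2.50 in the sample touches two ports half an hour apart, which is ordinary use and raises nothing, while the ten ports probed in four seconds do. Thresholds and window length have to be tuned per network; slow scans that spread probes over hours, which the text calls out as a way to avoid notice, need a longer window or a per-source count kept across windows.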