(OSI) layer in the information flow. The attacker attempts to compromise the protected system by manipulating the application layer data. System management needs management protocols. Like most other components, management protocols have vulnerabilities that an attacker can exploit to gain access to network resources. Attacks using intelligence or insider information will be discussed in more detail later in the course.
5.2 Mitigating Network Attacks
5.2.2 Reconnaissance Attacks
Reconnaissance is the unauthorized discovery and mapping of systems, services, or vulnerabilities. Reconnaissance is also known as information gathering, and in most cases it precedes an access or DoS attack. First, the malicious intruder typically conducts a ping sweep of the target network to determine which IP addresses are alive. Then, the intruder determines which services or ports are active on the live IP addresses. From this information, the intruder queries the ports to determine the type and version of the application and operating system that is running on the target host. In many cases, the intruder looks for vulnerable services to exploit later, when there is less likelihood that anyone will notice the attack. Reconnaissance is somewhat analogous to a thief surveying a neighborhood for vulnerable homes, such as an unoccupied residence or a house with an easy-to-open door or window to break into. Reconnaissance attacks can consist of the following as listed in Figure :
5.2.3 Packet Sniffers
Figure shows how an attacker uses a packet sniffer to attack a network. A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets that are sent across a LAN. Packet sniffers can only work in the same collision domain as the network being attacked. Promiscuous mode is a mode in which the network adapter card sends all packets that are received on the physical network wire to an application for processing.
Plaintext is non-encrypted information. Some network applications distribute network packets in plaintext. Because the network packets are not encrypted, the packets can be processed and understood by any application that can pick them off the network and process them. A network protocol specifies the protocol operations and packet format. Because the specifications for network protocols, such as TCP/IP, are widely published, a third party can easily interpret the network packets and develop a packet sniffer. Numerous freeware and shareware packet sniffers are available that do not require the user to understand anything about the underlying protocols.
Note
In an Ethernet LAN, promiscuous mode is a mode of operation in which every data frame that is transmitted can be received and read by a network adapter. Promiscuous mode is the opposite of nonpromiscuous mode. In nonpromiscuous mode, the adapter will only see packets specifically destined to this host. This includes broadcasts and multicasts if the host is part of that multicast group.
Packet Sniffer Mitigation
Figure shows how to mitigate packet sniffer attacks. The techniques and tools that can be used to mitigate packet sniffer attacks include:
Authentication
Using strong authentication is a first option for defense against packet sniffers. Strong authentication can be defined as a method of authenticating users that cannot easily be circumvented. An example of common strong authentication is One Time Password (OTP). OTP is a type of two-factor authentication. Two-factor authentication combines something you have with something you know. Automated teller machines (ATMs) use two-factor authentication. A customer needs both an ATM card and a personal identification number (PIN) to complete transactions. With OTPs, you need a PIN and your token card to authenticate to a device or software application. A token card is a hardware or software device that generates new, seemingly random, passwords at specified intervals, usually 60 seconds. A user combines that password with a PIN to create a unique password that works only for one instance of authentication. If a hacker learns that password by using a packet sniffer, the information is useless because the password has already expired. This mitigation technique is effective only against a sniffer implementation that is designed to grab passwords. Sniffers that are deployed to learn sensitive information (such as e-mail messages) will still be effective.
Cryptography
Rendering packet sniffers irrelevant through cryptography is the most effective method for countering them, more effective than trying to prevent or detect the sniffers themselves. If a communication channel is cryptographically secure, the only data a packet sniffer detects is ciphertext (a seemingly random string of bits) and not the original message. The Cisco deployment of network-level cryptography is based on IPsec, which is a standard method that networking devices use to communicate privately using IP. Other cryptographic protocols for network management include Secure Shell (SSH) and Secure Sockets Layer (SSL).
Antisniffer Tools
You can use software and hardware designed to detect the use of sniffers on a network. Such tools do not completely eliminate the threat, but, like many network security tools, they are part of the overall mitigation system. Antisniffer tools detect changes in the response time of hosts to determine whether the hosts are processing more traffic than their own traffic loads would indicate. One such network security software tool, called AntiSniff, is available from Security Software Technologies.
Switched Infrastructure
This technology, which is very common today, counters the use of packet sniffers in the network environment. If an entire organization deploys switched Ethernet, hackers can gain access only to the traffic that flows on the specific port to which the hackers connect. A switched infrastructure obviously does not eliminate the threat of packet sniffers but can greatly reduce the sniffers’ effectiveness.
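The one-time-password mechanism described under Authentication above, worked through as an added example (this is not code from the course): a token code that changes every 60 seconds is combined with a PIN, and the verifier rejects a captured password both once the interval has passed and on a second use within the same interval. The token seed is the RFC 4226 test key; the PIN, timestamps and all function names are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed values (not from the course): the token seed is the RFC 4226 test key,
# the PIN and the timestamps are made up for the demonstration.
TOKEN_SEED = b"12345678901234567890"
USER_PIN = "4711"
STEP_SECONDS = 60  # the token card shows a new code every 60 seconds, as in the text

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def token_display(seed: bytes, now: int) -> str:
    """What the token card shows at Unix time `now`; the counter is the current interval."""
    return hotp(seed, now // STEP_SECONDS)

class OtpVerifier:
    """Server side: accepts PIN + the code of the current interval, each interval only once."""
    def __init__(self, pin: str, seed: bytes):
        self.pin, self.seed = pin, seed
        self.used_steps = set()

    def verify(self, password: str, now: int) -> bool:
        step = now // STEP_SECONDS
        expected = self.pin + hotp(self.seed, step)
        if not hmac.compare_digest(password.encode(), expected.encode()):
            return False  # wrong PIN or token, or a code from an earlier interval (expired)
        if step in self.used_steps:
            return False  # same code offered twice inside one interval: treated as a replay
        self.used_steps.add(step)
        return True

def sniffed_password_replay(seed: bytes, pin: str) -> dict:
    """The scenario in the text: a sniffer records the password, then reuse is attempted."""
    verifier = OtpVerifier(pin, seed)
    t_login = 75  # constructed login time, inside the second 60-second interval
    captured = pin + token_display(seed, t_login)  # something you know + something you have
    return {
        "legitimate_login": verifier.verify(captured, t_login),
        "replay_same_interval": verifier.verify(captured, t_login + 10),
        "replay_next_interval": verifier.verify(captured, t_login + STEP_SECONDS),
    }
```

The same-interval rejection is the verifier's own bookkeeping; the expiry after 60 seconds comes from the token code itself, which is what makes a sniffed password worthless after the interval.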
5.2.4 Port Scans and Ping Sweeps
An attacker uses port scans and ping sweeps through the Internet as shown in Figure . As legitimate tools, port scan and ping sweep applications run a series of tests against hosts and devices to identify vulnerable services. The information is gathered by examining IP addressing and port or banner data from both TCP and User Datagram Protocol (UDP) ports. In an illegitimate situation, a port scan can be a series of messages that someone sends when attempting to break into a computer to learn which computer network services the computer provides. Each service is associated with a “well-known” port number. Port scanning can be an automated scan of a range of TCP or UDP port numbers on a host to detect listening services. Port scanning, a favorite computer hacker approach, provides information to the assailant as to where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one port at a time. The kind of response that the sender receives indicates whether the port is used and can therefore be probed for weakness.
A ping sweep, or Internet Control Message Protocol (ICMP) sweep, is a basic network scanning technique that determines which range of IP addresses map to live hosts (computers). Whereas a single ping tells you whether one specified host computer exists on the network, a ping sweep consists of ICMP echo requests sent to multiple hosts. If a given address is live, the address returns an ICMP echo reply. Ping sweeps are among the older and slower
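Detection logic for the reconnaissance traffic described in 5.2.2 and 5.2.4, as an added example that is not from the course: it reads constructed key=value connection records and flags a source that sends ICMP echo requests to many hosts (ping sweep) or tries many ports on one host (port scan). The record format, addresses, thresholds and function names are assumptions made for the demonstration.

```python
from collections import defaultdict

# Constructed sample records (not from the course), one packet per line in a simplified
# key=value firewall-log style. 10.0.0.5 echo-requests six hosts, then probes seven ports
# on the one that answered; 10.0.0.9 is ordinary traffic and should not be flagged.
SAMPLE_LOG = """\
src=10.0.0.5 dst=192.168.1.1 proto=icmp type=8
src=10.0.0.5 dst=192.168.1.2 proto=icmp type=8
src=10.0.0.5 dst=192.168.1.3 proto=icmp type=8
src=10.0.0.5 dst=192.168.1.4 proto=icmp type=8
src=10.0.0.5 dst=192.168.1.5 proto=icmp type=8
src=10.0.0.5 dst=192.168.1.6 proto=icmp type=8
src=10.0.0.5 dst=192.168.1.3 proto=tcp dport=21
src=10.0.0.5 dst=192.168.1.3 proto=tcp dport=22
src=10.0.0.5 dst=192.168.1.3 proto=tcp dport=23
src=10.0.0.5 dst=192.168.1.3 proto=tcp dport=25
src=10.0.0.5 dst=192.168.1.3 proto=tcp dport=80
src=10.0.0.5 dst=192.168.1.3 proto=udp dport=161
src=10.0.0.5 dst=192.168.1.3 proto=tcp dport=443
src=10.0.0.9 dst=192.168.1.3 proto=icmp type=8
src=10.0.0.9 dst=192.168.1.3 proto=tcp dport=443
src=10.0.0.9 dst=192.168.1.3 proto=tcp dport=443
"""

SWEEP_THRESHOLD = 5   # distinct hosts one source sends ICMP echo requests to
SCAN_THRESHOLD = 5    # distinct TCP/UDP ports one source tries on a single host

def parse_record(line: str) -> dict:
    """Turn 'k=v k=v ...' into a dict; a field absent from the record is simply missing."""
    return dict(field.split("=", 1) for field in line.split())

def detect_recon(log_text: str) -> dict:
    """Return the sources that cross a threshold:
    {'ping_sweeps': {src: host_count}, 'port_scans': {(src, dst): port_count}}."""
    echo_targets = defaultdict(set)   # src -> hosts it echo-requested
    probed_ports = defaultdict(set)   # (src, dst) -> distinct destination ports seen
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("proto") == "icmp" and rec.get("type") == "8":
            echo_targets[rec["src"]].add(rec["dst"])
        elif rec.get("proto") in ("tcp", "udp") and "dport" in rec:
            probed_ports[(rec["src"], rec["dst"])].add(rec["dport"])
    return {
        "ping_sweeps": {s: len(h) for s, h in echo_targets.items() if len(h) >= SWEEP_THRESHOLD},
        "port_scans": {k: len(p) for k, p in probed_ports.items() if len(p) >= SCAN_THRESHOLD},
    }
```

Counting distinct hosts and ports rather than raw packets keeps a busy but legitimate client from being flagged; the thresholds would be tuned to the network's normal traffic.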