methods used to scan a network. As an attack tool, a ping sweep sends ICMP (RFC 792) echo requests, or pings, to a range of IP addresses with the goal of finding hosts that can be probed for vulnerabilities.

Port Scan and Ping Sweep Mitigation
Port scanning and ping sweeping are not crimes, and there is no way to stop these scans and sweeps when a computer is connected to the Internet. Accessing an Internet server opens a port, which opens a door to the computer. However, there are ways to prevent damage to the system, as shown in Figure . Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on edge routers. However, when these services are turned off, network diagnostic data is lost. Port scans can easily be run without full ping sweeps; the scans simply take longer because they need to scan IP addresses that might not be live. Network-based IPS and host-based IPS (HIPS) can usually notify you when a reconnaissance attack is under way. This warning allows you to better prepare for the coming attack or to notify the Internet service provider (ISP) that is hosting the system that is launching the reconnaissance probe. ISPs compare incoming traffic to the intrusion detection system (IDS) or the IPS signatures in the IPS database. Signatures are characteristics of particular traffic patterns. A signature, such as “several packets to different destination ports from the same source address within a short period of time,” can be used to detect port scans. Another such signature could be “SYN to a non-listening port.” A stealth scan is more difficult to detect, and many intrusion detection and prevention systems will not notice this scan taking place. Discovering stealth scans requires kernel-level work.

Internet Information Queries
Figure shows how attackers use existing Internet tools for network reconnaissance. DNS queries can reveal information such as who owns a particular domain and what addresses have been assigned to that domain. Ping sweeps of addresses revealed by DNS queries can present a picture of the live hosts in a particular environment. After such a list is generated, port scanning tools can cycle through all well-known ports to provide a complete list of all services that are running on the hosts that the ping sweep discovered. Hackers can examine the characteristics of the applications that are running on the hosts, which can lead to specific information that is useful when the hacker attempts to compromise that service. IP address queries can reveal information such as who owns a particular IP address or range of addresses and which domain is associated with the addresses.
5.2 Mitigating Network Attacks

5.2.5 Access Attacks and Mitigation

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. Access attacks can be performed in different ways. Figure lists the most typical categories of access attacks:

Password Attacks
Password attacks, described in Figure , can be implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. Although packet sniffers and IP spoofing can yield user accounts and passwords, password attacks usually refer to repeated attempts to identify a user account, password, or both. These repeated attempts are called brute-force attacks. A brute-force attack is often performed using a program that runs across the network and attempts to log in to a shared resource, such as a server. When an attacker gains access to a resource, the attacker has the same access rights as the user whose account has been compromised. If this account has sufficient privileges, the attacker can create a back door for future access without concern for any status and password changes to the compromised user account.

Password Attack Example
As with packet sniffer and IP spoofing attacks, a brute-force password attack can provide access to accounts that can be used to modify critical network files and services. Figure shows an example of a password attack. This attack compromises network integrity when an attacker obtains the router password and then uses that information to modify the routing tables for your network. By doing so, the attacker can route all network packets to himself or herself before the packets are transmitted to the packets’ final destination. In such a case, an attacker can monitor all network traffic, effectively becoming a man in the middle. One security risk is the fact that passwords are stored as plaintext. To overcome this risk, passwords should be encrypted. On most systems, passwords are run through an encryption algorithm to generate a one-way hash. A one-way hash is a string of characters that cannot be reversed into the string’s original text. The hash is not the encrypted password, but rather a result of the algorithm. The strength of the hash lies in the fact that the hash value can only be recreated by using the original user and password information, and the fact that it is impossible to retrieve the original information from the hash. This strength makes hashes perfect for encoding passwords for storage. In granting authorization, the hashes are calculated and compared rather than using the plain password. To use this method, you supply an account and password during the login process, and the algorithm generates a one-way hash. This hash is compared to the hash stored on the system. If they are the same, the system assumes that the proper password was supplied. For example, L0phtCrack (LC5 was the most recent version) was a Windows NT password-auditing tool used to compute Windows NT user passwords from the cryptographic hashes that are stored in the system registry. L0phtCrack computed the password from a variety of sources using a variety of methods.
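The store-then-compare flow described above (hash at enrolment, recompute and compare at login, never reverse the hash) is shown below as an added example that is not part of the original course text. It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt; the salt is what separates a modern credential store from the bare registry hashes that tools like L0phtCrack audited.

```python
import hashlib
import hmac
import os

# Assumed parameters for this added example (not from the page): PBKDF2-HMAC-SHA256
# with a random 16-byte salt. Real deployments use a considerably higher iteration count.
ITERATIONS = 100_000

def create_record(password, salt=None):
    """Build the stored credential: only the salt and the one-way hash are kept;
    the plaintext password is never written down."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

def verify_password(record, candidate):
    """Login check as the text describes: hash the supplied password with the stored
    salt and compare the two hashes. Nothing is decrypted because nothing can be."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, record["iterations"])
    # Constant-time comparison so response timing does not reveal how many bytes matched.
    return hmac.compare_digest(digest.hex(), record["hash"])

def unsalted_hash(password):
    """A bare one-way hash with no salt, the way older systems stored passwords: every
    account with the same password gets the same hash, so one precomputed table covers
    them all. Included only to contrast with the salted record above."""
    return hashlib.sha256(password.encode()).hexdigest()
```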
L0phtCrack was a state-of-the-art tool for recovering passwords, but support for it has since been discontinued.

Password Attack Mitigation
There are four password attack mitigation techniques, summarized in Figure :