methods used to scan a network. As an attack tool, a ping sweep sends ICMP (RFC 792) echo requests, or pings, to a range of IP addresses with the goal of finding hosts that can be probed for vulnerabilities.

Port Scan and Ping Sweep Mitigation
Port scanning and ping sweeping are not crimes, and there is no way to stop these scans and sweeps when a
computer is connected to the Internet. Accessing an Internet
server opens a port, which opens a door to the computer.
However, there are ways to prevent damage to the system, as
shown in Figure. Ping sweeps can be stopped if ICMP echo and
echo-reply are turned off on edge routers. However, when these
services are turned off, network diagnostic data is lost. Port
scans can easily be run without full ping sweeps; the scans
simply take longer because they need to scan IP addresses that
might not be live. Network-based IPS and host-based IPS (HIPS)
can usually notify you when a reconnaissance attack is under
way. This warning allows you to better prepare for the coming
attack or to notify the Internet service provider (ISP) that is
hosting the system that is launching the reconnaissance probe.
ISPs compare incoming traffic to the intrusion detection system
(IDS) or the IPS signatures in the IPS database. Signatures
are characteristics of particular traffic patterns. A
signature, such as “several packets to different destination
ports from the same source address within a short period of
time,” can be used to detect port scans. Another such signature
could be “SYN to a non-listening port.” A stealth scan is more
difficult to detect, and many intrusion detection and
prevention systems will not notice this scan taking place.
Discovering stealth scans requires kernel-level work.
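As an added example (not part of the course text), the following Python detector applies the signatures described above to log lines: several packets to different destination ports from one source within a short period, SYN to a non-listening port, and, extending the same idea to ICMP, echo requests to many distinct hosts from one source (a ping sweep). The log format, the sample addresses and the LISTENING_PORTS table are assumptions constructed for the illustration.

```python
"""Signature-based detection of ping sweeps and port scans over log lines.

Added example, not from the course text. The log format is constructed for
this illustration, one event per line:
    <epoch_seconds> <proto> <src_ip> <dst_ip> <dst_port> <flags>
ICMP echo requests carry '-' as dst_port and 'echo-req' as flags.
"""
from collections import defaultdict

# Constructed sample: a ping sweep from 203.0.113.5, a SYN scan of
# 198.51.100.10 from 203.0.113.9, and ordinary traffic from 192.0.2.20.
SAMPLE_LOG = """\
1700000000 icmp 203.0.113.5 198.51.100.1 - echo-req
1700000000 icmp 203.0.113.5 198.51.100.2 - echo-req
1700000001 icmp 203.0.113.5 198.51.100.3 - echo-req
1700000001 icmp 203.0.113.5 198.51.100.4 - echo-req
1700000002 icmp 203.0.113.5 198.51.100.5 - echo-req
1700000003 icmp 203.0.113.5 198.51.100.6 - echo-req
1700000010 tcp 203.0.113.9 198.51.100.10 21 S
1700000010 tcp 203.0.113.9 198.51.100.10 22 S
1700000010 tcp 203.0.113.9 198.51.100.10 23 S
1700000011 tcp 203.0.113.9 198.51.100.10 25 S
1700000011 tcp 203.0.113.9 198.51.100.10 80 S
1700000011 tcp 203.0.113.9 198.51.100.10 443 S
1700000012 tcp 203.0.113.9 198.51.100.10 3389 S
1700000020 tcp 192.0.2.20 198.51.100.10 443 S
1700000021 tcp 192.0.2.20 198.51.100.10 443 PA
1700000030 tcp 192.0.2.20 198.51.100.10 80 S
"""

# Ports the monitored host really listens on (assumed for the example).
LISTENING_PORTS = {"198.51.100.10": {22, 80, 443}}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, port, flags = line.split()
        events.append({"ts": int(ts), "proto": proto, "src": src, "dst": dst,
                       "port": None if port == "-" else int(port),
                       "flags": flags})
    return events


def max_distinct_in_window(samples, window):
    """Largest number of distinct values seen within any `window`-second span.

    `samples` is a list of (timestamp, value) pairs.
    """
    samples = sorted(samples)
    best = 0
    for i, (t0, _) in enumerate(samples):
        values = {v for t, v in samples[i:] if t - t0 <= window}
        best = max(best, len(values))
    return best


def detect(events, window=5, port_threshold=5, host_threshold=5):
    """Apply three signatures; return (signature, src_ip, detail) tuples."""
    alerts = []
    syns_by_src = defaultdict(list)   # src -> [(ts, dst_port)]
    echos_by_src = defaultdict(list)  # src -> [(ts, dst_ip)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["proto"] == "tcp" and ev["flags"] == "S":
            syns_by_src[ev["src"]].append((ev["ts"], ev["port"]))
            # Signature: SYN to a non-listening port.
            if ev["port"] not in LISTENING_PORTS.get(ev["dst"], set()):
                alerts.append(("syn-to-closed-port", ev["src"],
                               f"{ev['dst']}:{ev['port']}"))
        elif ev["proto"] == "icmp" and ev["flags"] == "echo-req":
            echos_by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    # Signature: several packets to different destination ports from the
    # same source address within a short period of time.
    for src, samples in syns_by_src.items():
        n = max_distinct_in_window(samples, window)
        if n >= port_threshold:
            alerts.append(("port-scan", src, f"{n} ports in {window}s"))
    # Same idea applied to ICMP: echo requests to many hosts from one source.
    for src, samples in echos_by_src.items():
        n = max_distinct_in_window(samples, window)
        if n >= host_threshold:
            alerts.append(("ping-sweep", src, f"{n} hosts in {window}s"))
    return alerts


if __name__ == "__main__":
    for sig, src, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{sig:20s} {src:15s} {detail}")
```

On the sample above the detector raises one ping-sweep alert, one port-scan alert and four closed-port alerts, while the ordinary client on 192.0.2.20 raises none. The fixed five-second window is also what makes the text's caveat concrete: a stealth scan that spaces its probes minutes apart never exceeds the threshold, so thresholds and windows need tuning per network and such scans need more than this kind of signature.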
Internet Information Queries
Figure shows how
attackers use existing Internet tools for network
reconnaissance. DNS queries can reveal information such as who
owns a particular domain and what addresses have been assigned
to that domain. Ping sweeps of addresses revealed by DNS
queries can present a picture of the live hosts in a particular
environment. After such a list is generated, port scanning
tools can cycle through all well-known ports to provide a
complete list of all services that are running on the hosts
that the ping sweep discovered. Hackers can examine the
characteristics of the applications that are running on the
hosts, which can lead to specific information that is useful
when the hacker attempts to compromise that service. IP address
queries can reveal information such as who owns a particular IP
address or range of addresses and which domain is associated
with the addresses.
5.2 Mitigating Network Attacks

5.2.5 Access Attacks and Mitigation

Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. Access attacks can be performed in different ways. Figure lists the most typical categories of access attacks:

- Password attacks: An attacker attempts to guess system passwords. A common example is a dictionary attack.
- Trust exploitation: An attacker uses privileges granted to a system in an unauthorized way, possibly leading to compromise of the target.
- Port redirection: A compromised system is used as a jump-off point for attacks against other targets. An intrusion tool is installed on the compromised system for session redirection.
- Man-in-the-middle attacks: Attackers place themselves in the middle of communications between two legitimate entities in order to read or even modify the data that passes between the two parties.
- Buffer overflow: A program writes data beyond the allocated end of a buffer in memory. Buffer overflows usually arise as a consequence of a bug and the improper use of languages such as C or C++ that are not “memory-safe.” One consequence of the overflow is that valid data can be overwritten. Buffer overflows are also a commonly exploited computer security risk—program control data often sits in memory areas adjacent to data buffers, and by means of a buffer overflow condition the computer can be made to execute arbitrary and potentially malicious code.
Password Attacks

Password attacks, described in Figure, can be implemented using several methods, including brute-force attacks, Trojan horse programs, IP spoofing, and packet sniffers. Although packet sniffers and IP spoofing can yield user accounts and passwords, password attacks usually refer to repeated attempts to identify a user account, password, or both. These repeated attempts are called brute-force attacks. A brute-force attack is often performed using a program that runs across the network and attempts to log in to a shared resource, such as a server. When an attacker gains access to a resource, the attacker has the same access rights as the user whose account has been compromised. If this account has sufficient privileges, the attacker can create a back door for future access without concern for any status and password changes to the compromised user account.

Password Attack Example
As with packet sniffer and IP spoofing attacks, a brute-force password attack can provide access to accounts that can be used to modify critical network files and services. Figure shows an example of a password attack. This attack compromises network integrity when an attacker obtains the router password and then uses that information to modify the routing tables for your network. By doing so, the attacker can route all network packets to himself or herself before the packets are transmitted to the packets’ final destination. In such a case, an attacker can monitor all network traffic, effectively becoming a man in the middle.

One security risk is the fact that passwords are stored as plaintext. To overcome this risk, passwords should be encrypted. On most systems, passwords are run through an encryption algorithm to generate a one-way hash. A one-way hash is a string of characters that cannot be reversed into the string’s original text. The hash is not the encrypted password, but rather a result of the algorithm. The strength of the hash lies in the fact that the hash value can only be recreated by using the original user and password information, and the fact that it is impossible to retrieve the original information from the hash. This strength makes hashes perfect for encoding passwords for storage. In granting authorization, the hashes are calculated and compared rather than using the plain password. To use this encryption method, you supply an account and password during the login process, and the algorithm generates a one-way hash. This hash is compared to the hash stored on the system. If they are the same, the system assumes that the proper password was supplied.

For example, L0phtCrack (LC5 was the most recent version) was a Windows NT password-auditing tool used to compute Windows NT user passwords from the cryptographic hashes that are stored in the system registry. L0phtCrack computed the password from a variety of sources using a variety of methods. The result was a state-of-the-art tool you could use for recovering passwords. However, support for it has since been discontinued.

Password Attack Mitigation
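Before the list of mitigation techniques, here is an added Python example (not the course's code) of the hash-and-compare login check described in the preceding section, combined with two of the mitigations this section lists: locking an account after repeated failed logins and enforcing the strong-password rule. It assumes PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt as the one-way hash and an in-memory user table; PBKDF2_ROUNDS and MAX_FAILED_LOGINS are values chosen for the illustration.

```python
"""Hash-and-compare login with lockout and strength rules.

Added example, not the course's code. The one-way function is PBKDF2-HMAC-SHA256
with a random 16-byte salt per user; the user table is an in-memory dict, and
PBKDF2_ROUNDS / MAX_FAILED_LOGINS are values chosen for the illustration.
"""
import hashlib
import hmac
import os
import string

PBKDF2_ROUNDS = 100_000
MAX_FAILED_LOGINS = 5   # lock the account after this many consecutive failures


def password_is_strong(password):
    """At least eight characters with upper, lower, digit and special character."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def hash_password(password, salt=None):
    """Return (salt, digest). Only these are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    """Minimal account table: stores salted hashes and counts failed logins."""

    def __init__(self):
        self._users = {}  # username -> {"salt", "hash", "failures", "locked"}

    def add_user(self, username, password):
        if not password_is_strong(password):
            raise ValueError("password does not meet the strength rule")
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "hash": digest,
                                 "failures": 0, "locked": False}

    def login(self, username, password):
        """True only if the hash of the supplied password matches the stored hash."""
        rec = self._users.get(username)
        if rec is None:
            # Hash anyway so an unknown user costs the same time as a bad password.
            hash_password(password, b"\x00" * 16)
            return False
        if rec["locked"]:
            return False
        _, candidate = hash_password(password, rec["salt"])
        # Constant-time comparison of the two hashes, never of plaintext.
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_LOGINS:
            rec["locked"] = True   # mitigation: disable after repeated failures
        return False

    def is_locked(self, username):
        return self._users[username]["locked"]

    def stored_hash(self, username):
        return self._users[username]["hash"]


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "Corr3ct-Horse!")
    print("correct password:", store.login("alice", "Corr3ct-Horse!"))
    print("wrong password:  ", store.login("alice", "letmein"))
```

Two design points worth noticing: the per-user salt means two users with the same password get different stored hashes, so a cracked hash for one account says nothing about the other, and the iterated PBKDF2 work factor is what slows an offline attack on a stolen hash table, which a plain single-pass hash would not.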
There are four password attack mitigation techniques, summarized in Figure:

- Do not allow users to have the same password on multiple systems. Most users use the same password for each system they access.
- Disable accounts after a specific number of unsuccessful logins. This practice helps to prevent continuous password attempts.
- Do not use plaintext passwords. Use of either an OTP or encrypted password is recommended.
- Use strong passwords. Strong passwords are at least eight characters long and contain uppercase letters, lowercase letters, numbers, and special characters. Many systems now provide strong password support and can