restrict a user to the use of strong passwords
only.
5.2 Mitigating Network Attacks
5.2.6 Trust Exploitation

Figure illustrates the concept of trust exploitation. Although not an attack in itself, trust exploitation refers to an individual taking advantage of a trust relationship within a network. An example of when trust exploitation takes place is when a perimeter network is connected to a corporate network. These network segments often contain DNS, Simple Mail Transfer Protocol (SMTP), and HTTP servers. Because these servers all reside on the same segment, a compromise of one system can lead to the compromise of other systems if those other systems also trust systems that are attached to the same network. Another example of trust exploitation is a Demilitarized Zone (DMZ) host that has a trust relationship with an inside host that is connected to the inside firewall interface. The inside host trusts the DMZ host. When the DMZ host is compromised, the attacker can leverage that trust relationship to attack the inside host.
Note
A DMZ is a dedicated part of a network designed to secure communications between the inside and outside network.

Trust Exploitation Attack Mitigation
You can mitigate trust exploitation-based attacks through tight constraints on trust levels within a network, as shown in Figure. Systems that are inside a firewall should never absolutely trust systems that are outside a firewall. Absolute trust should be limited to specific protocols and, where possible, should be validated by something other than an IP address; source addresses can be spoofed, so a cryptographic credential such as a certificate or a key-based login is a stronger basis for trust. In the DMZ example in the introduction to this topic, the hacker connected to the Internet has already exploited some vulnerability of the DMZ host connected to the DMZ interface of the firewall. The hacker controls the entire DMZ host. The hacker’s next goal is to compromise the inside host that is connected to the inside (trusted) interface of the firewall. To attack the inside host from the DMZ host, the hacker needs to find the protocols that are permitted from the DMZ to the inside interface. Once the protocols are known, the attacker searches for vulnerabilities on the inside host. You can stop this attack if your firewall allows only minimum or no connectivity from the DMZ to the inside interface.

Port Redirection
A port redirection attack is a type of trust exploitation attack that uses a compromised host to pass traffic through a firewall that would otherwise have been dropped. Port redirection bypasses the firewall rule set because the compromised host listens on a port the firewall permits and forwards each connection to a destination and port that the firewall would never let the original source reach directly; every session the firewall sees is between hosts and ports that are allowed to talk. Figure shows a firewall with three interfaces and a host on each interface. The host outside the network can reach the host on the public services segment (Host A), but not the host on the inside (Host B). The host on the public services segment can reach the hosts on both the outside and the inside. If hackers are able to compromise the public services segment host, they can install software to redirect traffic from the outside host directly to the inside host. Though neither communication violates the rules that are implemented in the firewall, the outside host has now achieved connectivity to the inside host through the port redirection process on the public services host. An example of an application that provides that type of access is Netcat. You can mitigate port redirection by using proper trust models that are network-specific. A host-based IPS on the public services host can also help detect the hacker and prevent installation of such utilities.
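The rule-set constraint described under trust exploitation mitigation and the port redirection attack above, as an added example that is not from the course text: a small zone-policy checker showing that each hop of a relay is individually permitted (and that removing the DMZ-to-inside rule breaks the path), plus a loopback TCP relay that plays the role of the Netcat redirector on the compromised DMZ host. The zone names follow the text; the ports 80 and 22, the SSH-style banner, and the loopback addresses are assumptions for the demonstration, and the `ncat` command in the docstring is only an illustration of the equivalent tool.

```python
import socket
import threading

# Zone-based rule set modelled on the three-interface firewall in the text. A rule
# (source zone, destination zone, TCP destination port) is permitted; anything not
# listed is dropped. The zones are the text's; the ports are assumptions.
WEAK_POLICY = {
    ("outside", "dmz", 80),    # Internet users may reach the public web server (Host A)
    ("dmz", "inside", 22),     # Host A is trusted to open SSH sessions to Host B
}
HARDENED_POLICY = {
    ("outside", "dmz", 80),    # no DMZ -> inside rule at all; Host B must initiate
}


def permitted(policy, src_zone, dst_zone, dport):
    """Stateless check of one connection attempt against the rule set."""
    return (src_zone, dst_zone, dport) in policy


def redirection_path_allowed(policy, relay_port=80, target_port=22):
    """Hop 1: outside -> DMZ on the relay's listening port. Hop 2: DMZ -> inside on
    the real target port. Each hop looks like a legitimate session, so the attack
    succeeds exactly when both hops are individually permitted."""
    return (permitted(policy, "outside", "dmz", relay_port)
            and permitted(policy, "dmz", "inside", target_port))


def _pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listen():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))   # loopback only; all three "hosts" run locally
    srv.listen(1)
    return srv


def start_relay(target):
    """The attacker's tool on the compromised DMZ host, roughly what
    `ncat -l 80 --sh-exec "ncat <inside-host> 22"` does: accept one connection
    and splice it to target. Returns the address the outside host connects to."""
    srv = _listen()

    def serve():
        conn, _ = srv.accept()
        conn.settimeout(5)
        up = socket.create_connection(target, timeout=5)
        back = threading.Thread(target=_pump, args=(up, conn), daemon=True)
        back.start()
        _pump(conn, up)
        back.join()
        conn.close()
        up.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def start_inside_service(banner=b"SSH-2.0-inside-host\r\n"):
    """Stand-in for Host B: accept one connection, send a banner, close."""
    srv = _listen()

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def outside_client(addr):
    """The outside host: connect and read until the peer closes."""
    chunks = []
    with socket.create_connection(addr, timeout=5) as s:
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """The outside host never connects to Host B, yet receives Host B's banner."""
    inside = start_inside_service()
    return outside_client(start_relay(target=inside))
```

Calling `demo()` returns Host B's banner as read by the outside host, even though the only connection the outside host ever opened was to the relay. `redirection_path_allowed(WEAK_POLICY)` is true and `redirection_path_allowed(HARDENED_POLICY)` is false, which is the whole of the mitigation: with no DMZ-to-inside rule, the relay's second hop is dropped and the compromised host gains the attacker nothing on the inside.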
Man-in-the-Middle Attacks

Man-in-the-middle attacks have these purposes:
- Theft of information
- Hijacking of an ongoing session to gain access to your internal network resources
- Traffic analysis to obtain information about your network and network users
- DoS
- Corruption of transmitted data
- Introduction of new information into network sessions

An example of a man-in-the-middle attack is when someone working for your ISP gains access to all network packets that transfer between your network and any other network. Man-in-the-middle attackers can avoid disrupting the traffic and thereby avoid setting off alarms; they use their position to stealthily extract information from the network. You can mitigate man-in-the-middle attacks by encrypting traffic in a VPN tunnel. Encryption allows the hacker to see only cipher text. The tunnel must also authenticate its endpoints and protect message integrity; otherwise an attacker in the path can still impersonate a peer or alter traffic without being able to read it.
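An added illustration of the integrity point, not from the course text: the same in-transit rewrite is applied to an unprotected message and to one carrying an HMAC-SHA256 tag, and only the tagged copy is rejected by the receiver. Python's standard library is all it needs; the session key and the application message are constructed for the demonstration. It shows only the tamper-detection half of what a tunnel must provide; the cipher supplies confidentiality, and a real VPN (IPsec ESP with an authentication algorithm, for instance) provides both.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def seal(key, payload):
    """Sender: append a keyed tag so any change to the bytes in transit is detectable."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def open_sealed(key, wire):
    """Receiver: recompute the tag and compare in constant time.
    Returns the payload, or None if the message was altered or truncated."""
    if len(wire) < TAG_LEN:
        return None
    payload, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def mitm_rewrite(wire, old, new):
    """Active man-in-the-middle: rewrite part of the message while forwarding it."""
    return wire.replace(old, new, 1)


def demo(key=None):
    """Run the same rewrite against an unprotected and an integrity-protected session."""
    key = key or secrets.token_bytes(32)          # hypothetical shared session key
    msg = b"TRANSFER amount=100 to=alice"         # constructed application message
    unprotected = mitm_rewrite(msg, b"alice", b"mallory")
    sealed = seal(key, msg)
    tampered = mitm_rewrite(sealed, b"alice", b"mallory")
    return {
        "unprotected_received": unprotected,       # accepted as-is; nobody can tell
        "protected_genuine": open_sealed(key, sealed),
        "protected_tampered": open_sealed(key, tampered),  # None: tag no longer matches
    }
```

Note that the attacker did not need the key to change the unprotected message, and could not produce a valid tag for the altered one without it; this is why "the hacker sees only cipher text" is necessary but not sufficient, and why tunnel endpoints must be authenticated before the key is ever agreed.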
5.2 Mitigating Network Attacks
5.2.7 DoS and DDoS Attacks and Mitigation

A DDoS attack, and the simpler DoS attack, sends extremely large numbers of requests to a server over a network or the Internet. These many requests cause the target server to run well below optimum speed, so the attacked server becomes unavailable for legitimate access and use. DoS and DDoS attacks crash applications and processes either by overloading system resources or by executing an exploit or a combination of exploits. DoS and DDoS attacks are the most publicized form of attack and are among the most difficult to completely eliminate. The hacker community regards DoS attacks as trivial and unsophisticated because the attack requires so little effort to execute. Nevertheless, because of this attack’s ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators. DoS attacks can target various vulnerabilities. A common form is a DDoS attack that uses spoofed source IP addresses. Figure summarizes the characteristics of DoS and DDoS attacks.

DDoS Attack Risks
Figure lists some of the risks associated with DoS attacks:
- Downtime and productivity loss.
- Revenue loss from sales and support services during the outage: Companies that use websites for commerce, vital support services, or the core business, such as a news service or search engine, stand to lose the most from a DDoS attack.
- Lost customer loyalty: If a customer uses a competitor’s website during the preferred supplier’s DDoS-related outage, the customer might transfer his or her loyalty to the competitor, resulting in ongoing revenue loss.
- Theft of information: Hackers sometimes launch DDoS attacks as a diversion while they snoop through confidential customer or company information, such as credit card numbers or intellectual property.
- Extortion: Attackers offer to stop (or not initiate) a DDoS attack for a cash payment.
- Stock price manipulation: For certain types of businesses, an unavailable website sends the stock price down. Attackers can launch a DDoS attack to profit from day trading.
- Malicious competition: Attackers can launch DDoS attacks against competitors.
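Added detection example, not from the course text: the spoofed-source flooding described in this topic leaves a characteristic footprint, a destination accumulating TCP SYNs that are never followed by the ACK that completes the handshake, because a forged source address never replies. The code below runs that check over constructed client-to-server packet records (time, source, destination, port, TCP flags, using the documentation address ranges); the one-second window and the threshold of 20 half-open sources are tuning assumptions, and real input would come from a packet capture or NetFlow/IPFIX export.

```python
from collections import defaultdict


def _constructed_traffic():
    """Constructed packet records, not captured data: (time_s, src, dst, dport, flags).
    Only client-to-server packets are listed; addresses are from TEST-NET-1/2/3."""
    pkts = []
    # Three legitimate clients: SYN followed by the ACK that completes the handshake.
    for i, src in enumerate(("203.0.113.5", "203.0.113.6", "203.0.113.7")):
        pkts.append((0.10 + i * 0.01, src, "192.0.2.10", 80, "S"))
        pkts.append((0.15 + i * 0.01, src, "192.0.2.10", 80, "A"))
    # Fifty SYNs, each from a different (spoofed) source, none ever ACKed.
    for i in range(50):
        pkts.append((0.30 + i * 0.005, f"198.51.100.{i + 1}", "192.0.2.10", 80, "S"))
    # Unrelated healthy session to another server in the same second.
    pkts.append((0.50, "203.0.113.9", "192.0.2.20", 443, "S"))
    pkts.append((0.55, "203.0.113.9", "192.0.2.20", 443, "A"))
    return sorted(pkts)


SAMPLE_PACKETS = _constructed_traffic()


def half_open_report(packets, window=1.0, syn_threshold=20):
    """Per (destination, port, time bucket): sources that sent a SYN but never the
    handshake-completing ACK. A legitimate client ACKs within milliseconds; a
    spoofed source never will, so the half-open set grows with the flood."""
    buckets = defaultdict(lambda: {"syn": set(), "ack": set()})
    for t, src, dst, dport, flags in packets:
        key = (dst, dport, int(t // window))
        if flags == "S":
            buckets[key]["syn"].add(src)
        elif flags == "A":
            buckets[key]["ack"].add(src)
    report = []
    for (dst, dport, bucket), seen in sorted(buckets.items()):
        half_open = seen["syn"] - seen["ack"]
        if len(half_open) >= syn_threshold:
            report.append({
                "dst": dst, "port": dport, "bucket": bucket,
                "half_open": len(half_open),
                "distinct_sources": len(seen["syn"]),
                # Near 1.0 means almost every source is a one-shot SYN: the
                # signature of address spoofing rather than a merely busy server.
                "spoof_ratio": round(len(half_open) / len(seen["syn"]), 2),
            })
    return report
```

On the constructed input, `half_open_report(SAMPLE_PACKETS)` flags only 192.0.2.10:80, with 50 half-open sources out of 53 seen; the healthy session to 192.0.2.20 is not reported. Because the ACK must fall in the same bucket as its SYN, a legitimate handshake that straddles a bucket boundary counts as half-open for that bucket, which is why the threshold should sit well above the server's normal new-connection rate rather than near zero.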
DoS and DDoS attacks are different from most other attacks because they do not target access to your network or the information on your network. These attacks focus on making a service unavailable for normal use. Exhausting some resource limitation on the network or within an operating system or application accomplishes the desired result. These attacks require little effort to execute because they typically take advantage of protocol weaknesses or emulate traffic that would normally be allowed into a network, and for the same reason they are among the most difficult to completely eliminate. For known DoS and DDoS attacks there are usually software fixes or configuration changes that limit the damage; however, as with viruses, hackers are constantly developing new DoS and DDoS attacks.

DDoS Example
DDoS attacks are the next generation of DoS attacks on the Internet, though this type of attack is not new. UDP and TCP SYN flooding (sending large numbers of UDP segments or TCP SYN packets to the target