Note
RFC 2827 defines filters to drop packets that come from source addresses within 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, or 240.0.0.0/4. Source addresses in these ranges are so-called Martian addresses.

Additional Authentication

The most effective method for mitigating the threat of IP spoofing is to eliminate the attack's effectiveness. IP spoofing can function correctly only when devices use IP address-based authentication; therefore, if you use additional authentication methods, IP spoofing attacks become irrelevant. Cryptographic authentication is the best form of additional authentication. However, when cryptographic authentication is not possible, strong two-factor authentication using OTPs can also be effective.

Web Links
RFC 3704: http://www.ietf.org/rfc/rfc3704.txt
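As an added example (not part of the course text), the Python check below classifies packets arriving on an Internet-facing interface against the Martian prefix list from the note above, and goes one step beyond the note by also applying the RFC 2827 ingress rule that an inbound packet must not claim a source inside the site's own prefix. The sample flows and the site prefix 198.51.100.0/24 are constructed for illustration.

```python
import ipaddress

# Martian prefixes as listed in the note above (RFC 2827 filters / RFC 3704).
MARTIAN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def martian_prefix(src):
    """Return the Martian prefix containing src, or None if src is routable."""
    addr = ipaddress.ip_address(src)
    for net in MARTIAN_PREFIXES:
        if addr in net:
            return str(net)
    return None


def ingress_filter(records, site_prefix):
    """Classify (src, dst) flows seen inbound on the Internet-facing interface.

    site_prefix is the site's own public prefix (assumed for this example):
    an inbound packet claiming a source inside it is spoofed and dropped,
    in addition to the Martian-source drop rule from the note.
    Returns a list of (src, dst, verdict, reason) tuples.
    """
    site = ipaddress.ip_network(site_prefix)
    verdicts = []
    for src, dst in records:
        martian = martian_prefix(src)
        if martian:
            verdicts.append((src, dst, "drop", f"martian source in {martian}"))
        elif ipaddress.ip_address(src) in site:
            verdicts.append((src, dst, "drop",
                             f"inbound packet claims internal source in {site}"))
        else:
            verdicts.append((src, dst, "permit", "routable external source"))
    return verdicts


# Constructed sample flows (not captured traffic): (source, destination).
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.10"),    # ordinary external client
    ("10.1.2.3", "198.51.100.10"),       # private source arriving from the Internet
    ("127.0.0.1", "198.51.100.10"),      # loopback source
    ("198.51.100.25", "198.51.100.10"),  # claims to be inside our own prefix
    ("240.1.1.1", "198.51.100.10"),      # reserved 240.0.0.0/4 source
]

if __name__ == "__main__":
    for row in ingress_filter(SAMPLE_FLOWS, "198.51.100.0/24"):
        print(*row)
```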
5.3 Network Attacks Using Intelligence

5.3.1 End Station Vulnerabilities: Worm, Virus, and Trojan Horses

The previous lesson discussed attacks based on gathering intelligence and gaining access to networks. This lesson looks at the second category of attack, those using more sophisticated techniques. These attacks are often based on using malicious code, intelligence gathered in the earlier attacks, or insider access to the network. End stations are particularly vulnerable to attack if not adequately protected. Figure lists the main threats.
Viruses are malicious software programs that attach themselves to other programs and execute a particular unwanted function on a user workstation. A virus propagates itself by infecting other programs on the same computer. Viruses can do severe damage, such as erasing files or erasing an entire disk. They can also be a simple annoyance, such as popping up a window that says, “Ha ha, you are infected.” Viruses cannot spread to a new computer without human assistance, such as opening an infected file on removable media or in an e-mail attachment, or through file sharing.

Trojan horse is a general term that refers to programs that appear desirable but actually contain something harmful. For example, a downloaded game could erase files. The contents could also hold a virus or a worm. A Trojan horse can attack on three levels, as the following example shows. A virus known as the “Love Bug” is an example of a Trojan horse because the virus pretended to be a love letter but actually carried a harmful program. The Love Bug was a virus because the program infected all image files on the attacked disk, turning the files into new Trojans. It specifically looked for files with the extensions .jpeg, .mp3, .mp2, .jpg, .js, .jse, .css, .wsh, .sct, and .hta and overwrote them with itself, changing the extensions to .vbs or .vbe. These original files could only be restored from backups. Without backups they could not be retrieved or used again. Finally, the Love Bug was a worm because the program propagated itself over the Internet by hiding in the Trojan horses that the program sent out using addresses in the attacked e-mail address book.

A worm executes arbitrary code and installs copies of itself in the memory of the infected computer. The worm can then infect other hosts from the infected computer. Like a virus, a worm is also a program that propagates itself. Unlike a virus, a worm can spread itself automatically over the network from one computer to the next. Worms are not clever or evil; they just take advantage of automatic file sending and receiving features found on many computers. The next topic will discuss worm attacks in more detail.

Virus and Trojan Horse Attack Containment
As shown in Figure, you can contain
viruses and Trojan horse attacks by using antivirus software at
the user level and potentially at the network level. Antivirus
software can detect most viruses and many Trojan horse
applications and prevent these forms of attack from spreading
in the network. Keeping up to date with the latest developments
in these sorts of attacks can also lead to a more effective
posture against attacks. As new virus or Trojan horse
applications appear, enterprises need to keep up to date with
the latest antivirus software and application versions and
patches. Deploying host-based intrusion prevention systems,
such as the Cisco Security Agent (CSA), provides a very
effective defense-in-depth method to prevent attacks against
the hosts.
5.3.2 Worm Attack, Mitigation and Response

The anatomy of a worm attack has three parts as shown in Figure:
- The enabling vulnerability: A worm installs itself on a vulnerable system.
- Propagation mechanism: After gaining access to devices, a worm replicates and selects new targets.
- Payload: Once the worm infects the device, the attacker has access to the host—often as a privileged user. Attackers use a local exploit to escalate their privilege level to administrator.
Typically, worms are self-contained programs that attack a system and try to exploit vulnerabilities in the target. Upon successful exploitation of the vulnerability, the worm copies the program from the attacking host to the newly exploited system to begin the cycle again. A virus normally requires a path to carry the virus code from one system to another. The path can be a word-processing document, an e-mail message, or an executable program. The key element that distinguishes a computer worm from a computer virus is that human interaction is required to facilitate the spread of a virus.

Worm attack mitigation requires diligence on the part of system and network administration staff. Coordination between system administration, network engineering, and security operations personnel is critical in responding effectively to a worm incident. Figure lists these recommended steps for worm attack mitigation:
Step 1 Containment: Contain the spread of the worm into your network and within your network. Compartmentalize uninfected parts of your network.
Step 2 Inoculation: Start patching all systems and, if possible, scanning for vulnerable systems.
Step 3 Quarantine: Track down each infected machine inside your network. Disconnect, remove, or block infected machines from the network.
Step 4 Treatment: Clean and patch each infected system. Some worms may require complete core system reinstallations to clean the system.

Worm Attack Response
Figure lists six typical incident response methodologies to worms as follows:
- Preparation: Acquire the resources to respond.
- Identification: Identify the worm.
- Classification: Classify the type of worm.
- Traceback: Trace the worm back to the attack’s origin.
- Reaction: Isolate and repair the affected systems.
- Post mortem: Document and analyze the process that you used for future use.
5.3.3 Application Layer Attacks and Mitigation

Attackers implement application layer attacks using several different methods summarized in Figure:
- One of the most common methods of implementing application layer attacks is exploiting well-known weaknesses in software commonly found on servers, such as sendmail, PostScript, and FTP. By exploiting these weaknesses, attackers can gain access to a computer with the permission of the account that is running the application. The account is usually a privileged, system-level account.
- Trojan horse program attacks are implemented using programs that an attacker substitutes for common programs. These programs may provide all the functionality that the normal program provides, but may also include other features known to the attacker, such as monitoring login attempts to capture user account and password information. These programs can capture sensitive information and distribute the information back to the attacker. The