Network Security: Understanding Types of Attacks
MacGyver was a television series on ABC in the 1980s and early 1990s. On the show MacGyver, the main character, would come up with innovative ways to stop his foes. These methods usually involved using everyday household items to create bombs, and other things that exploded. The creators of MacGyver, wisely opting not to be sued, always left out at least one critical step in the bomb-making process.
The same rules cannot apply to a network security book. It is important to have all of the information possible, so administrators can understand the tools being used. The better attack tools are understood, the easier it will be to defend against the incursions.
The goal of this chapter is to provide network and security administrators with an overview of the types of attacks that can be launched against a network. This chapter does not discuss, in any detail, ways to stop these attacks, or prevent them from occurring in the first place. That is what the rest of the book is for; this chapter is designed to educate administrators about the nature of the different types of attacks, and what they are designed to do. Whenever possible, existing attack tools are profiled, along with links to those tools. Attackers have access to this information; network administrators should have the same access.
One type that is not covered in this chapter, but is mentioned often in the press, is the DoS attack. Originally, a DoS attack referred to one launched against a network. An attacker would flood a network with malformed packets, causing all servers on that network to become unreachable, and, possibly, crashing gateway routers or firewalls.
The meaning of a DoS attack has morphed to the point that it no longer carries the same connotation. Instead, DoS refers to any attack that renders a network, part of a network, or a single server unreachable. Most network attacks fall into this category, so by broadening the definition of DoS attacks it has become a less useful description.1 The tools used throughout this chapter are relatively easy to download and install, most having precompiled binaries that run on either Microsoft Windows or Linux. The ease with which these tools can be downloaded and installed should be disconcerting, to say the least. Some very powerful tools are readily available for download. An ex-employee, an angered customer, a competitor, or someone who simply does not like an organization has an arsenal that can be used against that organization.
The pervasiveness of these tools has given rise to the pejorative term script kiddie. Script kiddie refers to someone who does not necessarily understand the tools being used, or the logic behind theminstead the script kiddie simply wants to cause as much damage as possible. Think of a script kiddie as someone who likes to graffiti buildings; the primary goal is defacement, not theft or information gathering. Of course the tools available to script kiddies are akin to making a do-it-yourself safe-cracking kit. Just because someone does not understand the logic behind the tool does not make him or her any less dangerous.
Script kiddies can cause serious damage. In February 2000, a script kiddie managed to knock eight of the world's largest websites offline for several hours using a DDoS attack. While there is still limited protection against DDoS attacks, the good news is that most other types of attacks can be prevented using good security practices.
Script kiddies rely on known weaknesses and systems that have not been properly patched, or upgraded, to launch successful attacks. A well locked-down system will almost always stop a script kiddie cold. A good understanding of the tools being used can help keep script kiddies out.
3.1 Sniffing and Port Scanning
The first step in any successful attack is sniffing, used to see what type of traffic is being passed on a network and to look for things like passwords, credit card numbers, and so forth. Sniffing is the term generally used for traffic monitoring within a network, while port scanning is used to find out information about a remote network.
Both sniffing and port scanning have the same objectiveto find system vulnerabilitiesbut they take different approaches. Sniffing is used by an attacker already on the network who wants to gather more information about the network. Port scanning is used by someone who is interested in finding vulnerabilities on a system that is unknown.
There are many tools available for network sniffing. Two of the most common tools are Ethereal (www.ethereal.com/) and Snort (www.snort.org/). Both tools are relatively simple to use, and are designed to help troubleshoot problems, but can also be used to watch traffic.
Always run programs like these on an isolated part of the network. While some of these programs are well known and have legitimate uses, others are specifically designed for launching attacks on other systems. It is possible there are Trojans within these programs that may wreak havoc on a network.
Figure 3.1 is an example of what a packet captured by Ethereal looks like. As you can see information about the transaction is included in the top window, while the bottom contains the contents of the actual packet. If the packet is not encrypted it is possible to read the information within it. It is also possible to string packets together to monitor an entire transaction.
Figure 3.1 A captured packet displayed in Ethereal
A packet sniffer works by putting the network card into promiscuous mode so the network card listens for and processes all Address Resolution Protocol (ARP) requests on the network segment, not just ARP requests destined for that machine.
Obviously, for a packet sniffer to be effective it has to be attached to the network. A packet sniffer is used either by someone who has compromised a machine on a network or by an internal attacker.
A packet sniffer is hard to detect because it operates passively. It simply collects information, rather than actively searching for data. Many network intrusion detection systems (NIDS) attempt to detect promiscuous mode by watching for certain behaviors, but these methods are not always effective.
3.1.1 Port Scanning
Prior to sniffing a network an attacker has to gain access. Attackers gain access by scanning devices on the network for vulnerabilities, then exploiting them. Port scanning can either be targeted or random. An attacker interested in a particular network will attempt to track down information about that network and scan for vulnerabilities. Alternatively, attackers will put large netblocks into a port scanner and let it run for days, trying to find any machine that is available and able to be exploited. This highlights the difference between an attacker and a script kiddie.
A knowledgeable attacker is looking for specific information; a script kiddie simply wants to destroy things.
A tool commonly used for port scanning is nmap (www.insecure.org/nmap/). It allows users to enter a range of IP addresses, choose the type of scan desired, and let the program run in the background. When it has completed its sweep it will produce a report, showing the ports that responded, on each network device:
[root@test root]# nmap -sT www.datacenterwire.com Starting nmap V. 2.99RC2 ( www.insecure.org/nmap/ ) Interesting ports on (126.96.36.199): (The 1589 ports scanned but not shown below are in state: closed) Port State Service 21/tcp open ftp 22/tcp open ssh 25/tcp open smtp 53/tcp open domain 80/tcp open http 81/tcp open hosts2-ns 110/tcp open pop-3 443/tcp open https 587/tcp open submission 3306/tcp open mysql 5432/tcp open postgres 10000/tcp open snet-sensor-mgmt Nmap run completed -- 1 IP address (1 host up) scanned in 48 seconds
Nmap can be configured to scan all TCP and User Datagram Protocol (UDP) ports, or just the ports that generally have services running on them. Using the information collected in the example, notice there were 12 out of 1,589 scanned ports responding on the server.
Once the list of ports and host names has been compiled, the next step is to try to exploit weaknesses in the various server configurations. This involves knowing what the weaknesses of the different servers are and exploiting those weaknesses.