
Network Attacks and Security Issues

In document Network Security Know It All pdf (Page 54-59)

Network Attacks

2.2 Network Attacks and Security Issues



overflows). For example, it is possible for a malicious entity (we will refer to a malicious entity, whether a human, a criminal organization, or a piece of software, as Oscar in this chapter) to craft packets that can be sent to buggy services. When a service is compromised, it can enable Oscar to take control of the host. Oscar can then install malicious software on the host, use the host to launch further malicious packets, steal files that are stored on the host or on other hosts on the network that trust the compromised host, and so on, as described in the following examples.

2.2.2 Some Example Security Attacks

The emergence of very large cyber-crime operations has moved network security attacks from the realm of hobbyists to criminal organizations, making them more dangerous and giving them the potential for great economic harm. In this section, we discuss some specific security attacks that lead to a general discussion of security attacks and security services in the next section. We do not provide an exhaustive list of attacks but have picked a few for illustration. The web site of US-CERT (United States Computer Emergency Readiness Team) [1] is a good source for past and recent vulnerabilities and security incidents.

FIGURE 2.1 Simplified view of the many protocols that impact network communications. (The figure is not reproduced here. Its labels show IP and MAC addresses with ARP, DHCP and BOOTP; root DNS servers; a backbone and autonomous systems using RIP or OSPF internally and BGP between them; PSTN access over PPP; and the services DNS, DHCP, Telnet, FTP, HTTP, RPC, P2P, POP, IMAP and SMTP.)

TCP SYN Flood Attack

As mentioned earlier, TCP is the most common transport layer protocol. It is used by many application layer protocols such as the HyperText Transfer Protocol (HTTP) and FTP. TCP was designed to provide reliable service on top of the unreliable network layer provided by IP. So, among other things, TCP is connection oriented, and it carefully maintains buffers, windows, and other resources to count segments and track lost segments. When host A wants to connect to host B, a "three-way" handshake sets up the connection. First, host A sends a TCP segment with the SYN flag set (SYN is one of the six control-flag bits in the TCP header; the others are ACK, PSH, RST, URG, and FIN) carrying A's initial sequence number. Host B acknowledges the SYN segment with its own TCP segment with both the SYN flag and the ACK flag (used to acknowledge receipt of the SYN) set, carrying B's own initial sequence number. Host A completes the handshake with a TCP segment with the ACK flag set. Then data transfer begins.

Whenever a server receives a SYN segment from a client, it sets aside some resources (e.g., memory for the half-open connection) in anticipation of a completed handshake and subsequent data transfer. As resources at a server are limited, only a set number of half-open connections can be held at once; further SYNs are dropped. Oscar can make use of this "feature" to deny service to legitimate hosts by sending a flood of crafted SYN segments to a server, usually with spoofed source IP addresses. The server responds with SYN-ACK segments and waits for completion of the handshakes, which never happens. Meanwhile, legitimate connection requests are dropped. Such an attack is called a SYN flood attack and has been the cause of denial of service to popular web servers in recent years. Note that Oscar primarily makes use of a feature of a communications protocol to launch a denial of service (DoS). The absence of authentication of the source IP address makes such attacks difficult to block, since it is hard to separate legitimate requests from malicious ones, and the spoofed addresses make filtering on the source address of little use. Defenses therefore aim either to age half-open entries out aggressively or to avoid keeping state per SYN at all: SYN cookies encode the information the server needs in its own initial sequence number and recover it from the final ACK.
Similarly, the Internet Control Message Protocol (ICMP) and other protocols can be used to launch floods that result in DoS. Distributed DoS (DDoS) attacks have made headlines in recent years by bringing down several popular web sites, as well as by targeting the root DNS servers. A taxonomy of DDoS attacks is available in Mirkovic and Reiher [2].
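The following Python model, added here as an illustration and not taken from the book, shows the two halves of the SYN flood story in code: a listener that allocates a half-open entry per SYN runs out of room and drops Alice's legitimate SYN, while a listener that answers with a SYN cookie keeps no state and still lets Alice connect. The listener classes, the addresses, the backlog size and the secret are all constructed for the demonstration and are not a real TCP stack.

```python
"""Added example (not from the book): a toy model of the TCP handshake that shows
why a flood of SYNs with spoofed sources exhausts a server that keeps state per
SYN, and how a SYN cookie lets the server keep no state until the handshake
completes.  Listener classes, addresses and the secret are constructed for the
demonstration; they are not a real TCP stack."""
import hashlib
import hmac
import random

MASK32 = 0xFFFFFFFF


class StatefulListener:
    """Allocates a half-open entry for every SYN and holds it until the ACK arrives."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}      # (src_ip, src_port) -> server ISN
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, src, client_isn):
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1   # table full: a legitimate SYN is dropped too
            return None
        server_isn = random.getrandbits(32)
        self.half_open[src] = server_isn
        return server_isn            # sent in the SYN-ACK to src, spoofed or not

    def on_ack(self, src, seq, ack):
        server_isn = self.half_open.get(src)
        if server_isn is None or ack != (server_isn + 1) & MASK32:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True


class SynCookieListener:
    """Derives the server ISN from a keyed hash of the connection tuple and the
    client ISN, so the final ACK can be verified without any per-SYN storage."""

    def __init__(self, secret):
        self.secret = secret
        self.established = set()

    def cookie(self, src, client_isn):
        msg = f"{src[0]}:{src[1]}:{client_isn}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, src, client_isn):
        return self.cookie(src, client_isn)   # no allocation: the SYN-ACK carries the cookie

    def on_ack(self, src, seq, ack):
        client_isn = (seq - 1) & MASK32       # the final ACK carries seq = client ISN + 1
        if ack != (self.cookie(src, client_isn) + 1) & MASK32:
            return False
        self.established.add(src)
        return True


def syn_flood(listener, count, rng):
    """Oscar sends `count` SYNs from spoofed sources and never completes a handshake."""
    for _ in range(count):
        src = (f"198.51.100.{rng.randrange(256)}", rng.randrange(1024, 65536))
        listener.on_syn(src, rng.getrandbits(32))


def legitimate_connect(listener, src, client_isn=7000):
    """Alice performs a normal three-way handshake; True if she gets a connection."""
    server_isn = listener.on_syn(src, client_isn)
    if server_isn is None:
        return False
    return listener.on_ack(src, (client_isn + 1) & MASK32, (server_isn + 1) & MASK32)


def demo(backlog=128, flood=1000, seed=1):
    rng = random.Random(seed)
    alice = ("203.0.113.5", 40000)          # constructed legitimate client

    stateful = StatefulListener(backlog)
    syn_flood(stateful, flood, rng)
    stateful_ok = legitimate_connect(stateful, alice)

    cookies = SynCookieListener(b"server-secret-rotated-periodically")
    syn_flood(cookies, flood, rng)
    cookie_ok = legitimate_connect(cookies, alice)

    return {
        "stateful_half_open": len(stateful.half_open),
        "stateful_dropped": stateful.dropped_syns,
        "stateful_alice_connected": stateful_ok,
        "cookie_alice_connected": cookie_ok,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` fills the stateful listener's 128-entry table with Oscar's half-open entries, drops the remaining SYNs including Alice's, and reports that the cookie listener still accepts her. The price of cookies is that the server cannot remember options from the SYN (window scaling, selective acknowledgment) unless it encodes them in the cookie too, which is why real stacks such as Linux (sysctl `net.ipv4.tcp_syncookies`) only fall back to them once the half-open table overflows.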

Address Spoofing and Sequence Number Guessing Attacks

Several services use the IP address or host name of the client to decide whether to grant access to the service. As discussed previously, it is very easy for Oscar to craft packets, and spoofing an IP address is as trivial as spoofing a host name. There have been instances of attacks in which root access to certain hosts was obtained by sending crafted packets with spoofed IP addresses. In many such attacks, spoofing the IP address is not sufficient; it is also necessary to guess sequence numbers (of the protocols carried in the IP packet as payload, such as TCP or DNS). For example, we previously discussed the TCP three-way handshake. As part of the handshake, both the client and the server choose initial sequence numbers, which are incremented in the corresponding acknowledgments. If the IP address is spoofed and Oscar wishes to fool the server into believing that a legitimate client has connected to it, Oscar needs to "guess" the initial sequence number generated by the server, because the server's SYN-ACK segment is delivered to an IP address that does not belong to Oscar (so Oscar does not see the server's response). The server's initial sequence number is supposed to be random and difficult to guess. However, poor implementations of TCP (for example, ones that advance a single global counter by a fixed amount for every connection) have allowed malicious entities to predict the sequence number the server will generate from a few connections of their own. Similarly, spoofed DNS responses that can poison a DNS cache (see the section below on pharming) can be generated if the transaction identifiers associated with DNS requests (the DNS counterpart of sequence numbers, only 16 bits long) can be guessed.
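The blind handshake described above can be followed step by step in the Python model below, which is an added illustration and not code from the book. Oscar samples the server's initial sequence number with one honest connection of his own, then sends a SYN bearing the trusted client's address and forges the final ACK from his prediction. Against a counter-based generator the prediction is exact; against the keyed-hash construction of RFC 6528 the same guess is off by an unpredictable per-connection offset. The hosts, port, generators and secret are constructed for the example; it is not a real TCP implementation.

```python
"""Added example (not from the book): why a server whose initial sequence number
(ISN) follows a fixed rule lets Oscar complete a blind, spoofed handshake, and
why an ISN derived from a keyed hash of the connection tuple (the RFC 6528
construction) defeats the same guess.  Generators, hosts and the secret are
constructed for this illustration and are not a real TCP implementation."""
import hashlib
import hmac

MASK32 = 0xFFFFFFFF
SERVER = ("192.0.2.10", 513)      # constructed: a service that trusts clients by IP address
TRUSTED = ("192.0.2.20", 1023)    # constructed: the client the server trusts
OSCAR = ("198.51.100.7", 4444)    # constructed: the attacker's own address


class CounterISN:
    """Weak: one global counter advanced by a constant for every connection, in the
    style of early BSD stacks (which added a slow time-based increment as well)."""

    STEP = 64000

    def __init__(self, start=0x1000):
        self.counter = start

    def next_isn(self, client, server):
        self.counter = (self.counter + self.STEP) & MASK32
        return self.counter


class HashedISN:
    """RFC 6528: ISN = M + F(localip, localport, remoteip, remoteport, secret),
    where M is a clock and F a keyed hash, so the offset differs for every tuple."""

    def __init__(self, secret, clock):
        self.secret = secret
        self.clock = clock

    def next_isn(self, client, server):
        tuple_bytes = f"{server[0]}:{server[1]}:{client[0]}:{client[1]}".encode()
        digest = hmac.new(self.secret, tuple_bytes, hashlib.sha256).digest()
        return (self.clock() + int.from_bytes(digest[:4], "big")) & MASK32


class Server:
    def __init__(self, isn_generator):
        self.gen = isn_generator
        self.half_open = {}
        self.established = set()

    def on_syn(self, client):
        isn = self.gen.next_isn(client, SERVER)
        self.half_open[client] = isn
        return isn                       # carried in the SYN-ACK sent to `client`

    def on_ack(self, client, ack):
        isn = self.half_open.get(client)
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


def blind_spoof(server):
    """Oscar connects once from his own address to sample the ISN, then sends a SYN
    with TRUSTED's address as source.  The SYN-ACK goes to TRUSTED, so he must
    predict the ISN to forge the final ACK.  (In the real attack TRUSTED also has
    to be kept from answering the unexpected SYN-ACK with a RST, e.g. by SYN
    flooding it first; that step is not modelled here.)"""
    observed = server.on_syn(OSCAR)
    server.on_ack(OSCAR, (observed + 1) & MASK32)       # Oscar's own, honest handshake
    server.on_syn(TRUSTED)                              # spoofed SYN; SYN-ACK goes to TRUSTED
    predicted = (observed + CounterISN.STEP) & MASK32   # Oscar assumes the counter rule
    return server.on_ack(TRUSTED, (predicted + 1) & MASK32)


def against_counter_isn():
    return blind_spoof(Server(CounterISN()))


def against_hashed_isn():
    frozen_clock = lambda: 1_700_000_000   # constructed clock value; real stacks tick every few microseconds
    return blind_spoof(Server(HashedISN(b"boot-time-secret", frozen_clock)))


if __name__ == "__main__":
    print("counter ISN, spoofed connection accepted:", against_counter_isn())
    print("hashed ISN,  spoofed connection accepted:", against_hashed_isn())
```

The hashed generator is not random in the usual sense: for a given tuple and secret it is perfectly predictable to the server, which is what lets two legitimate endpoints avoid confusing old and new connections, yet to Oscar, who does not hold the secret and observes only his own tuple, the offset for the trusted client's tuple is a fresh 32-bit unknown.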

Worm Attacks

Worms are self-replicating, malicious programs that can crash hosts or services, open backdoors (trapdoors) for installing keyboard sniffers, or perform other malicious activity. Once a worm is installed on a host, it probes other networked hosts for bugs or vulnerabilities in services that can be exploited. This essentially means that the worm sends crafted packets to certain port numbers at certain IP addresses. If the services listening on those ports are vulnerable, the worm exploits the vulnerabilities to install itself on those hosts. For example, in 2001, web servers running Microsoft's Internet Information Server (IIS) software were discovered to have a buffer overflow bug. Although a patch was issued for this bug, not every host running IIS was patched. In July 2001 the Code Red worm (in two versions), followed by the Code Red II worm, exploited this bug and spread rapidly across the Internet [3]. It is estimated that Code Red infected at least 350,000 hosts.

The speed with which a worm spreads depends on the design of the worm (e.g., the rate at which it scans for other vulnerable hosts), on whether patches exist for the vulnerability it exploits, on the number of hosts running the vulnerable software, and on the clean-up rate [4]. The way a worm finds other hosts to exploit also influences its spread. Many early worms picked IP addresses to probe at random. This meant, however, that many probed addresses either belonged to no host at all or to hosts that did not run the vulnerable service or operating system, which limited the spread of the worm. Others used a random number generator with a hard-coded seed, so that every copy probed the same sequence of addresses; infected hosts therefore kept probing hosts that were already infected.

Recent worms are more intelligent: they probe "neighboring" IP addresses first, since hosts in the same address block are more likely to exist and to run the same software. Some worms use Internet search engines to discover vulnerable hosts; however, most search engines return the same set of results for a given query, which limits the set of hosts scanned. The most rapidly spreading worms use email and the entries in the address books of infected hosts to reach a variety of legitimate and potentially vulnerable hosts. In the past, exploits for vulnerabilities did not appear quickly, but so-called "zero-day" exploits are common today. A zero-day exploit can, for instance, result in a worm that is released on the same day that a vulnerability in a service is discovered. This leaves almost no time to patch the vulnerability, enabling the worm to spread extremely rapidly.
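The effect of target selection and of the clean-up rate on the spread of a worm can be seen in a small simulation. The following Python model is an added illustration, not code from the book or from any real worm: a toy address space of 65,536 addresses, vulnerable hosts clustered in two /24 blocks (as real deployments tend to be), and three runs that differ only in how targets are chosen and whether infected hosts get cleaned. The address space, the clustering, the probe rate and the clean-up probability are all constructed.

```python
"""Added example (not from the book): a toy epidemic model comparing random
scanning of the whole address space with a Code Red II style preference for the
infected host's own /24, and the effect of a clean-up rate.  The address space,
the clustered set of vulnerable hosts and all rates are constructed."""
import random

SPACE = 1 << 16            # toy Internet: 65 536 addresses, i.e. 256 "/24" blocks


def build_vulnerable(rng, blocks=(17, 200), per_block=100):
    """Vulnerable hosts are clustered: `per_block` in each listed /24, none elsewhere."""
    vulnerable = set()
    for block in blocks:
        vulnerable.update((block << 8) | host for host in rng.sample(range(256), per_block))
    return vulnerable


def random_target(rng, me):
    return rng.randrange(SPACE)


def local_preference_target(rng, me):
    """Half the probes stay inside the infected host's own /24, the rest are random."""
    if rng.random() < 0.5:
        return (me & ~0xFF) | rng.randrange(256)
    return rng.randrange(SPACE)


def spread(rng, vulnerable, choose_target, scans_per_round=10, rounds=60, cleanup_prob=0.0):
    """Number of infected hosts after each round.  Every infected host sends
    `scans_per_round` probes per round; a probe infects its target only if the
    target is vulnerable and not yet infected.  With probability `cleanup_prob`
    an infected host is cleaned and patched in a round (it leaves both sets)."""
    vulnerable = set(vulnerable)
    infected = {min(vulnerable)}           # patient zero
    history = [len(infected)]
    for _ in range(rounds):
        newly = set()
        for host in infected:
            for _ in range(scans_per_round):
                target = choose_target(rng, host)
                if target in vulnerable and target not in infected:
                    newly.add(target)
        infected |= newly
        cleaned = {h for h in sorted(infected) if rng.random() < cleanup_prob}
        infected -= cleaned
        vulnerable -= cleaned
        history.append(len(infected))
        if not infected or infected == vulnerable:
            break
    return history


def rounds_to_fraction(history, total, fraction):
    """First round at which at least `fraction` of the population is infected, else None."""
    for round_no, count in enumerate(history):
        if count >= fraction * total:
            return round_no
    return None


def compare(seed=7):
    """Same population and seed for all three strategies so only the strategy differs."""
    vulnerable = build_vulnerable(random.Random(seed))
    total = len(vulnerable)
    results = {}
    for name, chooser, cleanup in (("random", random_target, 0.0),
                                   ("local", local_preference_target, 0.0),
                                   ("local+cleanup", local_preference_target, 0.05)):
        history = spread(random.Random(seed), vulnerable, chooser, cleanup_prob=cleanup)
        results[name] = {"peak": max(history),
                         "half_at": rounds_to_fraction(history, total, 0.5),
                         "history": history}
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:14s} peak={r['peak']:4d} half of population at round {r['half_at']}")
```

With uniform random scanning each infected host hits a new victim only about 200/65,536 of the time, so after 60 rounds the worm has barely grown; the local-preference worm saturates its own block within a few rounds, seeds the second block with its random probes, and infects everything. The clean-up run shows the term from [4]: once hosts are patched faster than the worm reaches new ones, the infected population peaks below the total and then shrinks.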

Phishing, Evil Twins, and Pharming

Phishing is an example of a social engineering attack in which legitimate users are fooled into revealing information such as logins, passwords, credit card numbers, and so on by being lured to web sites that look like legitimate sites but are actually fakes run by criminal organizations. Users typically reach such sites by clicking on links in emails that look legitimate. Most phishing attacks target financial organizations such as banks or e-commerce sites such as PayPal or eBay.

Recently, a special form of phishing called the "evil twin" has appeared: Oscar places a WiFi access point, typically advertising the same network name as the legitimate one, in an area (e.g., a hot spot such as a coffee shop or hotel) close to where a legitimate service provider offers service. When a legitimate user connects to Oscar's access point, a web page resembling the one displayed by the legitimate provider is shown. Subscribers commonly enter credit card numbers and other sensitive information on such pages, enabling Oscar to steal it; since all of the user's traffic then flows through Oscar's access point, he can also read anything that is not otherwise encrypted.

Pharming is a more dangerous attack. As described previously, DNS is used to discover the IP addresses associated with domain names. In pharming, a DNS cache is poisoned with fake entries so that a user reaches a fake web site even though the legitimate URL is typed into the browser. DNS cache poisoning is possible when a name server runs vulnerable software that accepts a DNS response it did not solicit, or a forged response to a query it did make: a resolver must match the 16-bit transaction ID, the source port, and the question of an incoming response against an outstanding query, and one that uses predictable transaction IDs or a fixed source port can be beaten by a burst of guessed responses that race the genuine answer from the authoritative server. Once again, the impact is similar to that of phishing, in that a legitimate user reveals sensitive information to the criminals, with the difference that the browser's address bar shows the correct name.
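The race just described is modelled in the Python below, an added illustration that is not code from the book or from any real resolver. Oscar first makes the resolver query a name he is authoritative for, which reveals the resolver's current transaction ID and source port; he then triggers a lookup of the target name and sends forged answers, each claiming to come from the upstream server, before the genuine answer arrives. The resolver that uses sequential IDs and a fixed port is poisoned by Oscar's first guess; the one that randomizes both survives a budget of 20,000 guesses. The names, addresses, ID scheme and budget are constructed for the example.

```python
"""Added example (not from the book): a model of the race behind DNS cache
poisoning.  A resolver with sequential 16-bit transaction IDs and a fixed source
port accepts one of a handful of spoofed responses; the same resolver with a
random transaction ID and a random source port does not, because Oscar now has
to guess roughly 32 bits before the genuine answer arrives.  Names, addresses
and Oscar's packet budget are constructed for the illustration."""
import random
from dataclasses import dataclass

UPSTREAM = "192.0.2.53"            # constructed: authoritative server for bank.example
REAL_IP = "192.0.2.80"
FAKE_IP = "198.51.100.66"
TARGET = "www.bank.example."
OSCARS_NAME = "www.oscar.example."  # constructed: a name whose authoritative server Oscar runs
OSCARS_NS = "203.0.113.9"


@dataclass(frozen=True)
class Response:
    src_ip: str      # address the UDP datagram claims to come from
    dst_port: int    # resolver port it is addressed to
    txid: int
    qname: str
    answer: str


class Resolver:
    def __init__(self, rng, random_txid, random_port):
        self.rng = rng
        self.random_txid = random_txid
        self.random_port = random_port
        self.next_txid = 0x0100
        self.pending = {}   # qname -> (txid, source port, server asked)
        self.cache = {}

    def query(self, qname, server_ip):
        txid = self.rng.getrandbits(16) if self.random_txid else self.next_txid
        self.next_txid = (self.next_txid + 1) & 0xFFFF
        port = self.rng.randrange(1024, 65536) if self.random_port else 53
        self.pending[qname] = (txid, port, server_ip)
        return txid, port

    def receive(self, resp):
        """Accept a response only if it matches an outstanding query in question,
        transaction ID, destination port and answering server; first match wins."""
        outstanding = self.pending.get(resp.qname)
        if outstanding is None:
            return False                         # unsolicited: no such question pending
        if (resp.txid, resp.dst_port, resp.src_ip) != outstanding:
            return False
        self.cache[resp.qname] = resp.answer
        del self.pending[resp.qname]
        return True


def poison_race(resolver, oscar_rng, budget):
    """Oscar learns the resolver's current ID and port from a query to his own
    server, triggers the target lookup, and fires `budget` forged answers before
    the genuine one.  Returns what the cache ends up holding for TARGET."""
    seen_txid, seen_port = resolver.query(OSCARS_NAME, OSCARS_NS)
    resolver.receive(Response(OSCARS_NS, seen_port, seen_txid, OSCARS_NAME, "203.0.113.10"))

    resolver.query(TARGET, UPSTREAM)
    for i in range(budget):
        txid = oscar_rng.getrandbits(16) if resolver.random_txid else (seen_txid + 1 + i) & 0xFFFF
        port = oscar_rng.randrange(1024, 65536) if resolver.random_port else seen_port
        if resolver.receive(Response(UPSTREAM, port, txid, TARGET, FAKE_IP)):
            break

    # The genuine answer arrives last; it is ignored if the entry is already cached.
    still_pending = resolver.pending.get(TARGET)
    if still_pending is not None:
        real_txid, real_port, _ = still_pending
        resolver.receive(Response(UPSTREAM, real_port, real_txid, TARGET, REAL_IP))
    return resolver.cache[TARGET]


def weak_resolver_result(seed=3):
    return poison_race(Resolver(random.Random(seed), False, False), random.Random(seed + 1), budget=50)


def hardened_resolver_result(seed=3):
    return poison_race(Resolver(random.Random(seed), True, True), random.Random(seed + 1), budget=20_000)


if __name__ == "__main__":
    print("sequential ID, port 53    ->", weak_resolver_result())
    print("random ID, random port    ->", hardened_resolver_result())
```

Randomizing the source port raises Oscar's work from 2^16 to roughly 2^32 guesses per race, which turns a practical attack into an impractical one but not an impossible one, since Oscar can force many races by asking for different non-existent names in the same zone; that is why modern resolvers also discard answers outside the bailiwick of the server they asked, and why DNSSEC signatures are the only defense that does not depend on Oscar failing to guess.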

2.2.3 Security Attacks, Services, and Architecture

In the previous section we saw some examples of security attacks: denial of service, session hijacking, worms, and social engineering. One way of classifying security attacks is by their nature, passive or active. In a passive attack, Oscar does not interfere with the information flow or storage (e.g., eavesdropping), which makes such attacks hard to discover; the emphasis must therefore be on preventing them. Active attacks (such as masquerading) involve interference and participation by Oscar. As they are hard to prevent, they must be detected and stopped as rapidly as possible.

Security attacks can be of many types: eavesdropping on (intercepting) information and revealing it; interrupting the flow or availability of information; masquerading as a legitimate entity to access services, information, or resources; and fabricating information with the aim of causing damage. Security attacks usually do not occur in one shot. Oscar typically first maps out the victim's network, resources, IP addresses, open services, and so on. This is called reconnaissance, and Oscar may collect information that appears harmless if revealed but that impacts security later. This is followed by exploitation of vulnerabilities, theft of information, takeover of hosts, and so on. An excellent treatment of the security attack process is available in Bejtlich [5].

The common security services that protect against security attacks, as defined in the literature, are confidentiality, authentication, integrity, nonrepudiation, and availability [6]. Confidentiality means that information or data is kept secret from unauthorized entities, specifically Oscar. Authentication requires the communicating parties to (a) ensure at the start of communications that they are communicating with whom they think they are communicating, that is, Oscar should not be able to fool an honest Alice into thinking that she is communicating with an honest Bob, and (b) ensure that after communications have been established and verified to be between legitimate parties, Oscar cannot hijack the session and interpose himself as one of the legitimate parties. The second part of authentication is often called message authentication, and it is combined with integrity: once legitimate communications have been established, it is necessary to ensure that any messages exchanged have not been modified, fabricated, reordered, replayed, or deleted. Nonrepudiation refers to a security service whereby once a person has sent a message, he or she cannot deny having created it. Availability refers to a security service that ensures that services are available to authorized persons in a timely manner.
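The combined message authentication and integrity service described in the preceding paragraph can be built from two ingredients: a keyed message authentication code over each message and a sequence number that the receiver insists on. The following Python is an added illustration, not code from the book: Alice tags each message with an HMAC over its sequence number and payload, and Bob rejects anything whose tag does not verify (modified or fabricated), whose sequence number he has already passed (replayed or delivered late), or that skips ahead (a message was deleted or is out of order). The key and the messages are constructed; in practice the key would come from an authenticated key exchange.

```python
"""Added example (not from the book): message authentication combined with
integrity.  Alice tags every message with an HMAC over a monotonically
increasing sequence number and the payload; Bob verifies the tag and insists
on the next expected sequence number, so modification, fabrication,
reordering, replay and deletion are all detected.  Key and messages are
constructed for the illustration; in practice the key comes from a key exchange."""
import hashlib
import hmac
import struct

TAG_LEN = 32   # SHA-256 output length
SEQ_LEN = 8    # 64-bit sequence number: never wraps in any realistic session


class Sender:
    def __init__(self, key):
        self.key = key
        self.seq = 0

    def send(self, payload: bytes) -> bytes:
        frame = struct.pack(">Q", self.seq) + payload
        tag = hmac.new(self.key, frame, hashlib.sha256).digest()
        self.seq += 1
        return frame + tag


class Receiver:
    def __init__(self, key):
        self.key = key
        self.expected = 0

    def receive(self, wire: bytes):
        """Returns ("accept", payload) or ("reject", reason)."""
        if len(wire) < SEQ_LEN + TAG_LEN:
            return ("reject", "truncated")
        frame, tag = wire[:-TAG_LEN], wire[-TAG_LEN:]
        expected_tag = hmac.new(self.key, frame, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, tag):   # constant-time comparison
            return ("reject", "bad tag: modified or fabricated")
        (seq,) = struct.unpack(">Q", frame[:SEQ_LEN])
        if seq < self.expected:
            return ("reject", "old sequence number: replayed or reordered")
        if seq > self.expected:
            return ("reject", f"gap of {seq - self.expected}: message(s) deleted or reordered")
        self.expected += 1
        return ("accept", frame[SEQ_LEN:])


def demo():
    """Walks through each kind of tampering named in the text and records Bob's verdict."""
    key = b"shared-secret-from-key-exchange"     # constructed
    alice, bob = Sender(key), Receiver(key)
    msgs = [alice.send(b"transfer 10 to carol"),
            alice.send(b"transfer 20 to dave"),
            alice.send(b"transfer 30 to erin"),
            alice.send(b"logout")]
    out = {}
    out["genuine"] = bob.receive(msgs[0])

    tampered = bytearray(msgs[1])
    tampered[SEQ_LEN + 9] ^= 0x01                  # flips "20" to "30" in the payload
    out["modified"] = bob.receive(bytes(tampered))

    out["replayed"] = bob.receive(msgs[0])         # Oscar re-sends the first message
    out["reordered"] = bob.receive(msgs[2])        # msgs[2] delivered before msgs[1]
    out["in_order"] = bob.receive(msgs[1])         # the held-back message now arrives

    forged = Sender(b"oscars-guess-of-the-key")
    forged.seq = bob.expected                      # correct sequence number, wrong key
    out["fabricated"] = bob.receive(forged.send(b"transfer 999 to oscar"))

    out["deleted"] = bob.receive(msgs[3])          # msgs[2] was dropped in transit
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:11s} -> {verdict}")
```

Two points the code makes that the prose does not: the receiver cannot tell a deleted message from one that is merely late, so a strict in-order channel must treat both as a failure, and an HMAC gives no nonrepudiation, because Bob holds the same key and could have produced any tag himself; that service needs a digital signature.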

Note that not all security services are present all the time, and different protocols and applications support different subsets of them. Sometimes architectural methods (firewalls, screened subnets, and demilitarized zones) are necessary to ensure some of the security services (e.g., confidentiality or availability).
