A remote network attack is an information-destructive impact on a distributed computing system (DCS) that is carried out over communication channels.

Because a remote attack is quite difficult to detect but relatively simple to carry out (owing to the redundant functionality of modern systems), this type of illegal action ranks first in terms of danger. Depending on the nature of their impact, attacks can be passive or active. The first group includes those that do not directly affect the operation of the DCS but are capable of violating its security policy. It is precisely because of the lack of direct impact on the system that such an attack is difficult to detect. An active influence on the DCS is one that has a direct impact on the operation of the system: it disrupts its performance, changes the configuration, etc. With an active attack, some changes occur in the system, while with a passive attack, no visible traces remain.

In any attack, the main goal is usually to gain unauthorized access to information. There are two ways of obtaining information: interception and distortion. During interception, information is obtained without the possibility of changing it. Distortion or substitution of data violates its integrity. Thus, according to the purpose of the impact, network attacks can be divided into those that violate the functioning of the system, the integrity of information resources, or their confidentiality.

Information and network technologies are developing and changing so quickly that static security mechanisms, such as access control and authentication systems, cannot provide effective protection in many cases. What is required are dynamic methods that make it possible to quickly detect and prevent security violations. One technology that can detect violations not identified by traditional access control models is intrusion detection.

Attack detection is the process of recognizing and responding to suspicious activity targeting network or computing resources. The effectiveness of the technology largely depends on which methods are used to analyze the collected information. Currently, alongside the statistical method, a number of newer techniques are used, such as expert systems and neural networks. Let's look at each method separately.

Statistical analysis. This approach has two main advantages: it uses the proven apparatus of mathematical statistics, and it adapts to the behavior of the subject. When this method is first deployed, profiles are built for each subject of the analyzed system. Any deviation of the observed behavior from the profile is considered unauthorized activity. Statistical methods are universal because they do not require knowledge of possible attacks and system vulnerabilities. However, they have their difficulties; for example, they can be “trained” to perceive unauthorized actions as normal. Therefore, additional techniques are used alongside statistical analysis.

Expert systems. This method of detecting attacks is quite common. Knowledge about attacks is formulated as rules, which are often written down as a sequence of actions or as a signature.

If any of these rules is matched, a decision is immediately made that unauthorized activity is present. One of the main advantages of this method is the almost complete absence of false alarms. For expert systems to remain up to date, the rule databases they use must be constantly updated. The disadvantage of this method is its inability to repel unknown attacks: even a slight modification of an attack recorded in the database can seriously hinder its detection.

Neural networks. Because there are more hackers and more attack variants every day, expert systems, even with constant database updates, cannot guarantee accurate identification of every possible intrusion. Neural networks are used as one way to overcome this problem. The neural network analyzes the information and makes it possible to evaluate how consistent the data is with the characteristics it has learned to recognize. To do this, the neural network is trained on a selected sample of examples from the subject area. The response of the network is analyzed, after which the system is adjusted to achieve satisfactory results. As the neural network analyzes data, it gains additional experience.

One of the important advantages of neural networks is their ability to take into account the characteristics of attacks and to identify elements that are not similar to those they have studied.

Due to the fact that these attack detection methods have their drawbacks, they are usually used together to provide more reliable protection.
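The following added example (not code from the original text) shows how the statistical and expert-system approaches described above complement each other: exact signature and sequence rules, a per-subject statistical profile with a z-score threshold, and a naive adaptive retraining step that illustrates how a profile can be "trained" to accept abuse. All event data, rule names and thresholds are constructed for the demonstration.

```python
"""Hybrid intrusion detection: signature rules plus a per-subject statistical
profile, over a constructed event log. Added illustration, not original code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    minute: int       # time bucket (minute index) of the event, constructed
    subject: str      # user or host the event is attributed to
    action: str       # "login_ok", "login_fail", "exec", ...
    detail: str = ""  # free-form detail such as a command line


# --- Expert-system part: knowledge about attacks written as rules -----------
# A sequence rule is an ordered chain of actions by one subject; a signature
# rule is a pattern over the event detail. Both are constructed for the demo.
SEQUENCE_RULES = {
    "brute_force_then_success": ("login_fail", "login_fail", "login_fail", "login_ok"),
}
SIGNATURE_RULES = {
    "known_tool_signature": re.compile(r"\bDEMO_TOOL_SIG\b"),
}


def match_signatures(events):
    """Return (rule_name, subject) for every rule that fires. Matching is exact,
    so an attack that differs slightly from the stored rule is not detected."""
    hits = []
    by_subject = defaultdict(list)
    for e in events:
        by_subject[e.subject].append(e)
        for name, pattern in SIGNATURE_RULES.items():
            if pattern.search(e.detail):
                hits.append((name, e.subject))
    for subject, subject_events in by_subject.items():
        actions = tuple(e.action for e in subject_events)
        for name, seq in SEQUENCE_RULES.items():
            n = len(seq)
            if any(actions[i:i + n] == seq for i in range(len(actions) - n + 1)):
                hits.append((name, subject))
    return hits


# --- Statistical part: a behaviour profile per subject -----------------------
def build_profile(events, subject):
    """Baseline for one subject: mean and population std-dev of events per
    minute over the observed span (minutes with no events count as zero)."""
    counts = defaultdict(int)
    for e in events:
        if e.subject == subject:
            counts[e.minute] += 1
    series = [counts[m] for m in range(min(counts), max(counts) + 1)]
    return mean(series), pstdev(series)


def anomalies(events, profiles, z_threshold=3.0, sigma_floor=1.0):
    """Flag (subject, minute, count) buckets whose z-score against the
    subject's profile exceeds the threshold. No knowledge of specific
    attacks is needed; subjects without a profile are skipped."""
    counts = defaultdict(int)
    for e in events:
        counts[(e.subject, e.minute)] += 1
    flagged = []
    for (subject, minute), count in sorted(counts.items()):
        if subject not in profiles:
            continue
        mu, sigma = profiles[subject]
        if (count - mu) / max(sigma, sigma_floor) > z_threshold:
            flagged.append((subject, minute, count))
    return flagged


def retrain(base, live, subject):
    """Naive adaptive profile that folds new observations into the baseline.
    An attacker who ramps up slowly enough to stay under the threshold raises
    the baseline with every retraining: the profile is 'trained' to accept
    the abuse, which is the weakness noted in the text."""
    return build_profile(base + live, subject)


def demo_events():
    """Constructed sample: 60 quiet minutes for two subjects, then a burst,
    a brute-force login sequence and a signature hit in minute 60."""
    base = []
    for m in range(60):
        base.append(Event(m, "alice", "login_ok"))
        base.append(Event(m, "alice", "exec", "ls"))
        base.append(Event(m, "bob", "exec", "make"))
    live = [Event(60, "alice", "exec", f"cmd{i}") for i in range(40)]
    live += [Event(60, "bob", "login_fail")] * 3 + [Event(60, "bob", "login_ok")]
    live.append(Event(60, "bob", "exec", "run DEMO_TOOL_SIG"))
    return base, live


if __name__ == "__main__":
    base, live = demo_events()
    profiles = {s: build_profile(base, s) for s in ("alice", "bob")}
    print("signature hits:", match_signatures(live))
    print("statistical anomalies:", anomalies(live, profiles))
```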

To ensure your computer's security, you need to know what network attacks can threaten it. All known threats can be divided into three groups:

Port scanning. These threats are not an attack in themselves, but, as a rule, they precede one, since scanning is one of the ways to obtain information about a remote computer. The method consists of scanning the UDP/TCP ports used by network services on the target computer to determine their state. This helps the attacker understand which attacks on the system may succeed and which may not. Moreover, scanning gives the attacker information about the operating system, which allows him to select even more suitable types of attacks.

DoS attacks. These are also known as “denial of service” attacks. They result in the attacked system becoming unstable or completely inoperable. Their consequences may include damage to or destruction of information resources and the inability to use them.

There are two types of DoS attacks:

— specially crafted packets are sent to the victim computer, which cause a system reboot or shutdown;

— a large number of packets are sent to the victim computer per unit of time, and it cannot cope with processing them. The consequence is the exhaustion of system resources.
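As an added example (not from the original text), the three heuristics below correspond to the patterns just described: a source touching many distinct ports on one host (port scanning), a source exceeding a packet rate toward one host (the flooding DoS type), and packets carrying TCP flag combinations no conforming stack emits (the crafted-packet DoS type). The packet records, addresses (from documentation ranges) and thresholds are constructed for the demonstration.

```python
"""Three detection heuristics for reconnaissance and DoS traffic, run over a
constructed packet capture. Added illustration, not original code."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float               # arrival time in seconds
    src: str               # source IP (constructed, documentation ranges)
    dst: str               # destination IP
    dport: int             # destination TCP port
    flags: frozenset = frozenset({"SYN"})  # TCP flag names set in the header


def detect_port_scan(pkts, window=10.0, min_ports=20):
    """One source probing many distinct ports on one host within `window`
    seconds is the scanning pattern that precedes an attack."""
    recent = defaultdict(deque)  # (src, dst) -> deque of (t, dport)
    alerts = set()
    for p in sorted(pkts, key=lambda p: p.t):
        q = recent[(p.src, p.dst)]
        q.append((p.t, p.dport))
        while q and p.t - q[0][0] > window:
            q.popleft()
        if len({port for _, port in q}) >= min_ports:
            alerts.add(("port_scan", p.src, p.dst))
    return alerts


def detect_flood(pkts, window=1.0, max_pkts=500):
    """Second DoS type: more packets per `window` seconds from one source to
    one host than the host can be expected to process."""
    recent = defaultdict(deque)  # (src, dst) -> deque of arrival times
    alerts = set()
    for p in sorted(pkts, key=lambda p: p.t):
        q = recent[(p.src, p.dst)]
        q.append(p.t)
        while q and p.t - q[0] > window:
            q.popleft()
        if len(q) > max_pkts:
            alerts.add(("flood", p.src, p.dst))
    return alerts


# Flag combinations a conforming TCP stack never sends; a packet carrying one
# was crafted by hand, which is what the first DoS type relies on.
INVALID_FLAG_SETS = (frozenset(), frozenset({"SYN", "FIN"}), frozenset({"SYN", "RST"}))


def detect_malformed(pkts):
    """First DoS type: specially crafted packets the receiving stack does not
    expect. Here the check is limited to impossible TCP flag sets."""
    return {("malformed", p.src, p.dst) for p in pkts if p.flags in INVALID_FLAG_SETS}


def analyze(pkts):
    """Run all three heuristics and return the union of alerts."""
    return detect_port_scan(pkts) | detect_flood(pkts) | detect_malformed(pkts)


def sample_traffic():
    """Constructed capture: a normal HTTPS client, a port sweep, a SYN flood
    and one packet with an impossible flag set, all aimed at 192.0.2.10."""
    target = "192.0.2.10"
    # benign client: 50 packets to port 443 spread over 10 seconds
    pkts = [Pkt(t * 0.2, "192.0.2.20", target, 443) for t in range(50)]
    # sweep: ports 1..30 on the same host within 3 seconds
    pkts += [Pkt(port * 0.1, "198.51.100.7", target, port) for port in range(1, 31)]
    # flood: 600 packets to port 80 within half a second
    pkts += [Pkt(5.0 + i * 0.0008, "203.0.113.5", target, 80) for i in range(600)]
    # crafted packet with SYN and FIN set at once
    pkts.append(Pkt(7.0, "198.51.100.7", target, 22, frozenset({"SYN", "FIN"})))
    return pkts


if __name__ == "__main__":
    for alert in sorted(analyze(sample_traffic())):
        print(alert)
```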

Intrusion attacks. Their goal is to “take over” the system. This type of attack is the most dangerous, since if it succeeds, the attacker gains the most complete information about the system. Intrusion attacks are used when there is a need to obtain confidential data from a remote computer, such as passwords and credit card details. The purpose of such attacks may also be to gain a foothold in the system in order to subsequently use its computing resources for the attacker’s own ends. This group includes the largest number of attacks.

The most common types of attacks that exploit operating system network services are:

— Buffer overflow attacks. This is a type of software vulnerability that arises from missing or insufficient checks when working with data arrays.

— Format string attacks. This type arises from insufficient control over the values of the input parameters of formatted I/O functions. If such a vulnerability is present in the software, an attacker can gain complete control over the system.

To protect your personal computer (PC) from network attacks, you need to install a high-quality antivirus as well as a defensive program called a firewall. A firewall monitors everything that passes through the network connection in either direction, protects your computer from hacking and network attacks, and also prevents the transfer of personal information. A firewall addresses the port scanning issue mentioned above: the software makes the computer invisible on the network by closing all ports. In addition, this program does not allow personal data to leave for the network even if the system is infected with Trojans (whose purpose is precisely to steal confidential information). Even if you think there is nothing on your PC that a criminal might need, you still shouldn’t neglect installing the software mentioned above, since after an attack your computer can be used by a hacker to attack or hack other machines.

By the nature of the impact:

Passive;

Active.

A passive impact on a distributed computing system (DCS) is an impact that does not directly affect the operation of the system but can nevertheless violate its security policy. It is precisely the lack of direct influence on the operation of the DCS that makes a passive remote influence (PRI) difficult to detect. A possible example of a typical PRI in a DCS is eavesdropping on a communication channel in the network.

An active impact on the DCS is an impact that directly affects the operation of the system itself (impairing its functionality, changing the DCS configuration, etc.) and thereby violates the security policy adopted in it. Almost all types of remote attacks are active influences, because the damaging effect is active by its very nature. The clear difference between active and passive influence is the fundamental possibility of detecting the former, since as a result of its implementation some changes occur in the system. With a passive influence, absolutely no traces remain (when the attacker views someone else’s message in the system, nothing changes at that moment).

By purpose of influence:

disruption of the functioning of the system (access to the system);

violation of the integrity of information resources (IR);

violation of IR confidentiality.

This classification feature is, in fact, a direct projection of the three basic types of threats: denial of service, disclosure, and violation of integrity.

The main goal pursued in almost any attack is to gain unauthorized access to information. There are two fundamental options for obtaining information: distortion and interception. Intercepting information means gaining access to it without the possibility of changing it; interception therefore violates its confidentiality. Eavesdropping on a channel in a network is an example of intercepting information: there is illegitimate access to information without any possibility of substituting it. Obviously, a violation of the confidentiality of information is a passive influence. The ability to substitute information should be understood either as complete control over the flow of information between system objects or as the ability to send arbitrary messages on someone else’s behalf. Consequently, substitution of information violates its integrity. Such an information-destructive influence is a typical example of an active influence. An example of a remote attack designed to violate the integrity of information is the “False DCS object” remote attack (RA).

According to the presence of feedback from the attacked object:

with feedback;

without feedback (unidirectional attack).

The attacker sends requests to the attacked object and expects to receive responses. Consequently, feedback appears between the attacker and the attacked object, allowing the former to react adequately to all sorts of changes in the latter. This is the essence of a remote attack carried out with feedback from the attacked object. Such attacks are most typical for a DCS. Open-loop attacks are characterized by the fact that they do not need to react to changes in the attacked object. Such attacks are usually carried out by sending single requests to the attacked object; the attacker does not need the answers to these requests. Such an RA can also be called a unidirectional RA. A typical example of a unidirectional attack is a DoS attack.

According to the condition for the beginning of the impact. A remote influence, like any other, can begin only under certain conditions. There are three types of such conditional attacks in a DCS:

attack on request from the attacked object;

attack upon the occurrence of an expected event on the attacked object;

unconditional attack.

The attacker's impact begins if the potential target of the attack transmits a request of a certain type. Such an attack can be called an attack on request from the attacked object. This type of remote attack is most typical for a DCS. Examples of such requests on the Internet are DNS and ARP requests, and in Novell NetWare, a SAP request.

An attack upon the occurrence of an expected event on the attacked object. The attacker continuously monitors the state of the OS of the remote target and begins to act when a specific event occurs in that system. Here the attacked object itself is the initiator of the attack. An example of such an event is a user's session with the server being interrupted without issuing the LOGOUT command in Novell NetWare. An unconditional attack is carried out immediately, regardless of the state of the OS and of the attacked object, so in this case the attacker is the initiator of the attack. When the normal operation of the system is disrupted, other goals are pursued and the attacker does not expect to gain illegal access to data. His goal is to disable the OS on the attacked object and make it impossible for other system objects to access the resources of that object. An example of this type of attack is a DoS attack.

Based on the location of the subject of the attack relative to the attacked object:

intersegmental;

intrasegmental.

The source of the attack (subject of the attack) is the program (possibly the operator) leading the attack and having a direct impact.

A host is a computer that is an element of the network.

A router is a device that routes packets on a network.

A subnetwork is a group of hosts that are part of a global network and to which the router assigns the same subnet number. We can also say that a subnet is a logical association of hosts through a router. Hosts within the same subnet can communicate directly with each other without using a router. From the point of view of a remote attack, the relative location of the subject and object of the attack is extremely important, that is, whether they are in different or the same segments. In an intra-segment attack, the subject and target of the attack are located in the same segment. In an inter-segment attack, the subject and target are located in different network segments. This classification feature makes it possible to judge the so-called “degree of remoteness” of the attack.

It will be shown below that an intra-segment attack is much easier to carry out than an inter-segment attack. At the same time, an inter-segment remote attack is more dangerous than an intra-segment one, because in an inter-segment attack its object and the attacker may be located many thousands of kilometers apart, which can significantly impede measures to repel the attack.

According to the layer of the ISO/OSI reference model at which the impact is carried out:

physical;

data link;

network;

transport;

session;

presentation;

application.

The International Organization for Standardization (ISO) adopted standard ISO 7498, which describes Open Systems Interconnection (OSI); a DCS is also an open system. Every network exchange protocol, as well as every network program, can in one way or another be projected onto the 7-layer OSI reference model. This multi-level projection makes it possible to describe, in terms of the OSI model, the functions used in a network protocol or program. An RA is a network program, so it is logical to consider it from the point of view of its projection onto the ISO/OSI reference model.

Local attacks

Local attacks come from users and/or programs on the local system. To determine the most likely attacks on information security, it is necessary to establish which theoretical assumptions the security model is built on that are not backed by real means. For example, if one of the key assumptions is that only an authorized person can physically approach the computer, and no systems restricting physical access are installed, then attacks on physical security are the most likely:

Hardware backdoors (implants);

Access at the OS boot stage;

Attacks on authentication means;

Attacks via third-party software;

Access at the firmware level;

Local attack utilities.

Kaspersky Internet Security protects your computer from network attacks.

A network attack is an intrusion into the operating system of a remote computer. Attackers launch network attacks to take control of an operating system, cause a denial of service, or gain access to protected information.

Network attacks are malicious actions performed by the attackers themselves (such as port scanning, password guessing), as well as actions performed by malicious programs installed on the attacked computer (such as transferring protected information to the attacker). Malicious programs involved in network attacks include some Trojans, DoS attack tools, malicious scripts and network worms.

Network attacks can be divided into the following types:

  • Port scanning. This type of network attack is usually a preparatory stage for a more dangerous network attack. The attacker scans the UDP and TCP ports used by network services on the attacked computer and determines the level of vulnerability of the attacked computer to more dangerous types of network attacks. Port scanning also allows an attacker to determine the operating system on the target computer and select network attacks suitable for it.
  • DoS attacks, or network attacks causing denial of service. These are network attacks, as a result of which the attacked operating system becomes unstable or completely inoperable.

    There are the following main types of DoS attacks:

    • Sending specially crafted network packets to a remote computer that are not expected by that computer and cause the operating system to malfunction or stop.
    • Sending a large number of network packets to a remote computer in a short period of time. All resources of the attacked computer are used to process network packets sent by the attacker, which is why the computer stops performing its functions.
  • Intrusion attacks. These are network attacks whose goal is to “hijack” the operating system of the attacked computer. This is the most dangerous type of network attack, since if it succeeds, the operating system comes completely under the control of the attacker.

    This type of network attack is used when an attacker needs to obtain confidential data from a remote computer (for example, bank card numbers or passwords) or to use the remote computer for their own purposes (for example, to attack other computers from it) without the user’s knowledge.

  1. On the Protection tab, in the Protection against network attacks block, clear the checkbox.

You can also enable Network Attack Protection in Protection Center. Disabling your computer's protection or protection components significantly increases the risk of your computer becoming infected, which is why information about disabling protection is displayed in Protection Center.

Important: If you have turned off Network Attack Protection, then after restarting Kaspersky Internet Security or rebooting the operating system, it will not turn on automatically and you will need to turn it on manually.

When dangerous network activity is detected, Kaspersky Internet Security automatically adds the IP address of the attacking computer to the list of blocked computers if this computer is not added to the list of trusted computers.

  1. In the menu bar, click on the program icon.
  2. In the menu that opens, select Settings.

    The program settings window will open.

  3. On the Protection tab in the block Protection against network attacks check the box Enable Network Attack Protection.
  4. Click on the Exceptions button.

    A window will open with a list of trusted computers and a list of blocked computers.

  5. Open the Blocked computers tab.
  6. If you are sure that the blocked computer does not pose a threat, select its IP address in the list and click the Unblock button.

    A confirmation window will open.

  7. At the confirmation window, do one of the following:
    • If you want to unblock the computer, click the Unblock button.

      Kaspersky Internet Security unblocks the IP address.

    • If you want Kaspersky Internet Security to never block the selected IP address, click the Unblock and add to exceptions button.

      Kaspersky Internet Security will unblock the IP address and add it to the list of trusted computers.

  8. Click on the Save button to save your changes.

You can create a list of trusted computers. Kaspersky Internet Security does not automatically block the IP addresses of these computers when it detects dangerous network activity originating from them.

When a network attack is detected, Kaspersky Internet Security saves information about it in a report.

  1. Open the Protection menu.
  2. Select Reports.

    The Kaspersky Internet Security reports window will open.

  3. Open the Protection against network attacks tab.

Note: If the Network Attack Protection component has terminated with an error, you can view the report and try to restart the component. If you are unable to resolve the issue, please contact Technical Support.

Buffer overflows are an integral part of many types of malicious attacks. Overflow attacks in turn have many varieties. One of the most dangerous involves entering into an input field, in addition to text, executable code appended to it. Such input may result in this code being written over the executable program, which will sooner or later cause the code to be executed. The consequences are not difficult to imagine.

“Passive” attacks using, for example, a sniffer are especially dangerous since, firstly, they are practically undetectable and, secondly, they are launched from the local network (an external firewall is powerless against them).

Viruses are malicious programs capable of self-copying and self-distribution. Back in December 1994, I received a warning about the spread of network viruses (Good Times and xxx-1) on the Internet:

Hours, days, weeks, and sometimes months pass from the moment a virus is created to the moment it is detected. It depends on how quickly the effects of infection appear. The longer this time, the greater the number of infected computers. After the fact of infection and the spread of a new virus version has been identified, it takes from a couple of hours (for example, for Email_Worm.Win32.Bagle.bj) to three weeks (W32.Netsky.N@mm) to identify the signature, create an antidote and include the signature in the antivirus program's database. A timeline of the virus life cycle is shown in Fig. 12.1 ("Network Security", v.2005, Issue 6, June 2005, pp. 16-18). In 2004 alone, 10,000 new virus signatures were registered. The Blaster worm infected 90% of machines in 10 minutes. During this time, the antivirus team must detect the object, classify it and develop a countermeasure. It is clear that this is unrealistic. So an antivirus program is not so much a countermeasure as a sedative. The same considerations apply to all other types of attacks. Once the signature of an attack becomes known, the attack itself is usually no longer dangerous, since countermeasures have already been developed and the vulnerability has been covered. It is for this reason that such attention is paid to software update management (patches).

Some viruses and worms have built-in SMTP programs designed to send copies of themselves, as well as backdoors for easily penetrating the infected machine. The latest versions are equipped with means to suppress the activity of other viruses or worms. In this way, entire networks of infected machines (botnets) can be created, ready to launch, for example, a DDoS attack on command. The IRC (Internet Relay Chat) protocol can be used to control such zombie machines. This messaging system is supported by a large number of servers, and therefore such a channel is usually difficult to track and record. This is also facilitated by the fact that most systems monitor inbound traffic more closely than outbound traffic. It should be borne in mind that an infected machine can serve not only for DoS attacks but also to scan other computers and send spam, to store illegal software, to control the machine itself and steal documents stored there, and to identify passwords and keys used by the owner. Damage from the Blaster virus is estimated at $475,000.

Unfortunately, there is no reliable means of detecting new viruses (whose signature is unknown).


Fig. 12.1. Timeline of the virus life cycle (figure not included).

In 2005, another threat was identified: the spread of viruses and network worms using search robots (bots) based on IRC.

Bot programs are not always dangerous; some varieties are used to collect data, in particular about customer preferences, and in the Google search engine they collect and index documents. But in the hands of a hacker these programs turn into dangerous weapons. The most famous attack was launched in 2005, although preparations and “first experiments” began in September 2004. The program looked for machines with specific vulnerabilities, in particular in LSASS (Local Security Authority Subsystem Service, Windows). The LSASS subsystem, designed to help ensure security, was itself vulnerable to attacks such as buffer overflows. Although the vulnerability has since been fixed, the number of machines running an unpatched version remains significant. After an intrusion, the hacker usually uses IRC to perform the operations he needs (opening a specific port, sending spam, launching scans for other potential victims). A new feature of such programs is that they are embedded into the operating system in such a way (as a rootkit) that they cannot be detected, since they reside in the OS kernel area. If an antivirus program tries to access a specific area of memory in order to identify malicious code, the rootkit intercepts the request and tells the testing program that everything is in order. To make matters worse, bot programs can modify the content

IP Network Security Issues

Analysis of network security threats.

To organize communications in a heterogeneous network environment, the TCP/IP protocol suite is used, ensuring compatibility between computers of different types. Compatibility is one of the main advantages of TCP/IP, which is why most computer networks support these protocols. In addition, the TCP/IP protocols provide access to the resources of the global Internet.

Due to its popularity, TCP/IP has become the de facto standard for internetworking. However, the ubiquity of the TCP/IP protocol stack has also exposed its weak sides. When creating their brainchild, the architects of the TCP/IP stack saw no reason to worry particularly about protecting the networks built on top of it. Therefore, the specifications of early versions of the IP protocol lacked security requirements, which led to the inherent vulnerability of its implementations.

The rapid growth in the popularity of Internet technologies is accompanied by an increase in serious threats of disclosure of personal data, critical corporate resources, state secrets, etc.

Every day, hackers and other malicious actors threaten online information resources by attempting to gain access to them using special attacks. These attacks are becoming more sophisticated in impact and simpler to execute. Two main factors contribute to this.

Firstly, this is the widespread penetration of the Internet. Today, millions of computers are connected to this network. With many millions of computers connected to the Internet in the near future, the likelihood of hackers gaining access to vulnerable computers and computer networks is increasing. In addition, the widespread use of the Internet allows hackers to exchange information on a global scale.

Secondly, there is the widespread proliferation of easy-to-use operating systems and development environments. This factor sharply lowers the level of knowledge required of the attacker. Previously, a hacker needed good knowledge and programming skills to create and distribute malware. Now, to obtain a hacking tool, you just need to know the IP address of the desired site, and to carry out an attack, just click the mouse.

Information security problems in corporate computer networks are caused by security threats to local workstations and local networks, and by attacks on corporate networks that have access to public data networks.

Network attacks are as varied as the systems they target. Some attacks are very complex. Others can be carried out by an ordinary operator who does not even imagine what consequences his actions may have.

An intruder, when carrying out an attack, usually sets himself the following goals:

— breach of confidentiality of transmitted information;

— violation of the integrity and reliability of transmitted information;

— disruption of the system as a whole or of its individual parts.

From a security point of view, distributed systems are characterized primarily by the presence of remote attacks, since components of distributed systems usually use open data transmission channels and an intruder can not only passively eavesdrop on transmitted information but also modify transmitted traffic (active influence). And while an active impact on traffic can be recorded, a passive impact is practically undetectable. And since, during the operation of distributed systems, the exchange of service information between system components is also carried out over open data transmission channels, service information becomes the same target of attack as user data.

The difficulty of detecting the fact of a remote attack puts this type of illegal action in first place in terms of the degree of danger, since it prevents a timely response to the threat, as a result of which the violator increases the chances of successfully carrying out the attack.

Local network security differs from internetwork security in that here violations by registered users come first in importance, since, in general, the data transmission channels of a local network are located in a controlled area and protection against unauthorized connection to them is implemented by administrative methods.

In practice, IP networks are vulnerable to a number of methods of unauthorized intrusion into the data exchange process. As computer and network technologies develop (for example, with the advent of mobile Java applications and ActiveX controls), the list of possible types of network attacks on IP networks is constantly expanding [Galitsky A.V., Ryabko S.D., Shangin V.F. Protecting information on the network - analysis of technologies and synthesis of solutions. M.: DMK Press, 2004].

Let's look at the most common types of network attacks.

Eavesdropping (sniffing). Much of the data on computer networks is transmitted in an unsecured format (plaintext), which allows an attacker with access to the data lines on your network to eavesdrop on or read the traffic. Sniffers are used to eavesdrop on computer networks. A packet sniffer is an application program that intercepts all network packets transmitted through a specific domain.

Currently, sniffers are used on networks on a completely legal basis for fault diagnosis and traffic analysis. However, since some network applications transfer data in plaintext (Telnet, FTP, SMTP, POP3, etc.), a sniffer can reveal useful and sometimes sensitive information (for example, usernames and passwords).

Sniffing passwords transmitted over a network in unencrypted form by “eavesdropping” on the channel is a type of eavesdropping attack. Login and password interception poses a major threat because users often use the same login and password for multiple applications and systems. Many users have a single password for access to all resources and applications. If an application runs in client/server mode and authentication data is sent over the network in human-readable form, this information can very likely be used to access other corporate or external resources.

In the worst case scenario, a hacker gains system-level access to a user resource and uses it to create new user credentials that can be used to access the network and its resources at any time.

You can prevent the threat of packet sniffing by using the following measures and means:

- use of one-time passwords for authentication;

- installation of hardware or software that recognizes sniffers;

- application of cryptographic protection of communication channels.
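The following is an added example, not code from the original text: an audit routine of the kind a defender runs over a capture of their own network to find which services still send logins in the clear on the protocols named above (FTP, Telnet, SMTP, POP3). It records only that a credential crossed the wire and, where visible, the user name; the secret itself is discarded. The packet tuples, addresses and payloads are constructed for the example.

```python
"""Audit a packet capture for cleartext logins (added example).

Given packets as a sniffer would deliver them, report which sessions carried
credentials in the clear on FTP, Telnet, SMTP and POP3. The secret is never
stored or printed; the report is meant for deciding which services need
one-time passwords or an encrypted channel. All capture data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Well-known server ports of the protocols that carry credentials in plain text.
CLEARTEXT_AUTH_PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 110: "POP3"}

@dataclass(frozen=True)
class Finding:
    client: str
    server: str
    protocol: str
    username: Optional[str]   # None when the name was not visible in the capture

def _inspect(protocol, payload):
    """Return (credential_seen, username) for one payload; never the secret."""
    if protocol in ("FTP", "POP3"):
        seen, user = False, None
        for verb, arg in re.findall(rb"^(USER|PASS) +(\S+)", payload, re.M):
            seen = True
            if verb == b"USER":
                user = arg.decode(errors="replace")
        return seen, user
    if protocol == "SMTP":
        # AUTH PLAIN/LOGIN carry base64-encoded (not encrypted) credentials.
        return bool(re.search(rb"^AUTH +(PLAIN|LOGIN)\b", payload, re.M)), None
    if protocol == "Telnet":
        # A password prompt means the reply will cross the wire unencrypted.
        return b"Password:" in payload, None
    return False, None

def audit_capture(packets):
    """packets: (client, server, server_port, payload); server_port is the
    service port regardless of direction. Returns one Finding per session."""
    findings = {}
    for client, server, port, payload in packets:
        protocol = CLEARTEXT_AUTH_PORTS.get(port)
        if protocol is None:
            continue                      # e.g. SSH on 22: encrypted, skipped
        seen, user = _inspect(protocol, payload)
        if not seen:
            continue
        key = (client, server, protocol)
        prev = findings.get(key)
        if prev is not None and user is None:
            user = prev.username          # keep a name learned earlier in the session
        findings[key] = Finding(client, server, protocol, user)
    return sorted(findings.values(), key=lambda f: (f.client, f.server, f.protocol))

# Constructed sample capture (addresses and contents are made up).
SAMPLE_CAPTURE = [
    ("10.0.0.5", "10.0.0.20", 21, b"USER alice\r\n"),
    ("10.0.0.5", "10.0.0.20", 21, b"PASS s3cret\r\n"),
    ("10.0.0.7", "10.0.0.20", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("10.0.0.9", "10.0.0.30", 110, b"USER bob\r\nPASS hunter2\r\n"),
    ("10.0.0.9", "10.0.0.30", 23, b"login: bob\r\nPassword: "),
    ("10.0.0.11", "10.0.0.25", 25, b"EHLO host\r\nAUTH PLAIN AGFsaWNlAHBhc3M=\r\n"),
]

if __name__ == "__main__":
    for f in audit_capture(SAMPLE_CAPTURE):
        print(f"{f.protocol:6} {f.client} -> {f.server} user={f.username}")
```

Running the block lists four exposed sessions (FTP, POP3, Telnet, SMTP) and ignores the SSH connection; each line is a service to move to one-time passwords or an encrypted transport.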

Changing data. An attacker who has been able to read your data can take the next step and change it. The data in a packet can be changed even if the attacker knows nothing about the sender or the recipient. Even if you do not need strict confidentiality of all transmitted data, you probably do not want it to be changed along the way.

Network traffic analysis. The purpose of attacks of this type is to listen to communication channels and analyze the transmitted data and service information in order to study the topology and architecture of the system and to obtain critical user information (for example, user passwords or credit card numbers transmitted in the clear). Protocols such as FTP or Telnet are susceptible to attacks of this type, since their peculiarity is that the user name and password are transmitted within these protocols in clear text.

Substitution of a trusted subject. Most networks and operating systems use the computer's IP address to determine whether it is the intended addressee. In some cases an IP address may be assigned incorrectly (the sender's IP address is substituted with another address); this attack method is called address falsification (IP spoofing).

IP spoofing occurs when an attacker, inside or outside a corporation, impersonates a legitimate user. An attacker could use an IP address that is within the range of authorized IP addresses, or an authorized external address that is allowed access to certain network resources. An attacker can also use special programs that shape IP packets so that they appear to be coming from authorized internal addresses on the corporate network.

IP spoofing attacks are often the starting point for other attacks. A classic example is a denial-of-service (DoS) attack, which is launched from someone else's address, hiding the true identity of the hacker. Typically, IP spoofing is limited to inserting false information or malicious commands into the normal flow of data transmitted between a client and server application or over a communication channel between peer devices.

The threat of spoofing can be mitigated (but not eliminated) by the following measures:

- correct configuration of access control from the external network;

- suppression of attempts by users of one's own network to spoof the addresses of other networks.

It should be kept in mind that IP spoofing can occur if users are authenticated based on IP addresses, so introducing additional user authentication methods (based on one-time passwords or other cryptographic methods) can prevent IP spoofing attacks.
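The two measures above correspond to ingress and egress filtering at the network border. The decision function below is an added example (not from the original text or any vendor's product) that applies both: on the external interface it drops packets whose source claims to be inside, and on the internal interface it drops packets whose source is not one of our own prefixes, so our own users cannot spoof other networks. The prefixes, interface names and sample packets are constructed.

```python
"""Anti-spoofing border filter: ingress and egress checks (added example).

Interface names, address ranges and sample packets are constructed for the
example; a real deployment takes them from the router or firewall config.
"""
from ipaddress import ip_address, ip_network

# Constructed: address space of the protected corporate network.
INTERNAL_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Addresses that can never be a legitimate source on a public link.
BOGON_PREFIXES = [ip_network("0.0.0.0/8"), ip_network("127.0.0.0/8"),
                  ip_network("169.254.0.0/16")]

def _in_any(addr, prefixes):
    # ipaddress returns False (not an error) for mixed IPv4/IPv6 comparisons.
    return any(addr in p for p in prefixes)

def filter_decision(interface, src, dst):
    """Return ('accept' | 'drop', reason) for a packet seen on `interface`."""
    src_ip = ip_address(src)
    ip_address(dst)                      # validates the destination only
    if interface == "external":
        # Ingress filtering: a packet arriving from outside cannot carry an
        # inside source address; that is the IP spoofing case from the text.
        if _in_any(src_ip, INTERNAL_PREFIXES):
            return "drop", "spoofed internal source on external interface"
        if _in_any(src_ip, BOGON_PREFIXES):
            return "drop", "bogon source address"
        return "accept", "external source"
    if interface == "internal":
        # Egress filtering: our hosts may only send with our own addresses,
        # so they cannot be used to spoof other people's networks.
        if not _in_any(src_ip, INTERNAL_PREFIXES):
            return "drop", "internal host spoofing a foreign source"
        return "accept", "internal source"
    raise ValueError(f"unknown interface {interface!r}")

def dropped(packets):
    """Return the (interface, src, dst, reason) tuples that were dropped."""
    out = []
    for interface, src, dst in packets:
        verdict, reason = filter_decision(interface, src, dst)
        if verdict == "drop":
            out.append((interface, src, dst, reason))
    return out

# Constructed sample traffic: (interface, src, dst).
SAMPLE_PACKETS = [
    ("external", "198.51.100.7", "10.0.0.20"),    # legitimate inbound
    ("external", "10.0.0.99", "10.0.0.20"),       # spoofed inside address
    ("external", "127.0.0.1", "10.0.0.20"),       # bogon
    ("internal", "10.0.0.5", "203.0.113.10"),     # legitimate outbound
    ("internal", "203.0.113.66", "203.0.113.10"), # our host spoofing outsider
]

if __name__ == "__main__":
    for entry in dropped(SAMPLE_PACKETS):
        print("DROP", *entry)
```

Note that the egress rule is what the second measure asks for: it protects other networks from our users, which is why it is easy to neglect and why the text lists it separately.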

Mediation. A man-in-the-middle attack involves active eavesdropping, interception, and control of transmitted data by an invisible intermediate node. When computers interact at low network levels, they cannot always determine with whom exactly they are exchanging data.

Mediation in the exchange of unencrypted keys (Man-in-the-Middle attack). To carry out a Man-in-the-Middle attack, an attacker needs access to packets transmitted over the network. Such access to all packets transmitted from an ISP to any other network can, for example, be obtained by an employee of this provider. Packet sniffers, transport protocols, and routing protocols are often used for this type of attack.

In a more general case, Man-in-the-Middle attacks are carried out to steal information, to intercept the current session and gain access to private network resources, to analyze traffic and obtain information about the network and its users, to carry out DoS attacks, to distort transmitted data, and to enter unauthorized information into network sessions.

Man-in-the-Middle attacks can only be effectively combated using cryptography. To counter this type of attack, a public key infrastructure (PKI) is used.

Session hijacking. After the initial authentication procedure is completed, the connection established by the legitimate user, for example, with a mail server, is switched by the attacker to a new host, and the original server is commanded to terminate the connection. As a result, the “interlocutor” of the legitimate user is quietly replaced.

After gaining access to the network, the attacker has great opportunities:

- the attacker may send incorrect data to applications and network services, which leads to their abnormal termination or malfunction;

- the attacker can also flood a computer or an entire network with traffic until the system crashes due to overload;

- finally, the attacker can block traffic, which will lead to loss of access to network resources for authorized users.

Denial of Service (DoS). This attack is different from other types of attacks. It is not aimed at gaining access to your network or extracting any information from that network. A DoS attack makes an organization's network unavailable for normal use by exceeding the permissible limits of the network, operating system, or application. Essentially, this attack denies normal users access to resources or computers on an organization's network.

Most DoS attacks rely on general weaknesses in the system architecture. In the case of some server applications (such as a Web server or FTP server), DoS attacks can be as simple as taking over all connections available to those applications and keeping them busy, thereby denying service to ordinary users. DoS attacks can use common Internet protocols such as TCP and ICMP (Internet Control Message Protocol).

DoS attacks are difficult to prevent because doing so requires coordination with your ISP. If the traffic intended to overwhelm your network cannot be stopped at the provider, then you will no longer be able to stop it at the entrance to your own network, because all the bandwidth will already be occupied.

If this type of attack is carried out simultaneously through many devices, we speak of a distributed denial of service (DDoS, distributed DoS) attack.

The ease of implementation of DoS attacks and the enormous harm they cause to organizations and users attract the close attention of network security administrators to these attacks.

Password attacks. The goal of these attacks is to obtain the password and login of a legitimate user. Attackers can conduct password attacks using methods such as:

- IP address substitution (IP spoofing);

- eavesdropping (sniffing);

- simple enumeration of passwords (brute force).

IP spoofing and packet sniffing were discussed above. These methods allow you to capture a user's password and login if they are transmitted in clear text over an insecure channel.

Often hackers try to guess the password and login using numerous access attempts. This approach is called a brute force attack. The attack uses a special program that tries to gain access to a shared resource (for example, a server). If, as a result, the attacker manages to guess the password, he gains access to the resources as a regular user. If this user has significant access privileges, the attacker can create a "pass" for himself for future access that will remain in effect even if the user changes his password and login.

Tools for intercepting, guessing and cracking passwords are currently considered practically legal and are officially produced by a fairly large number of companies. They are marketed as software for security auditing and for recovering forgotten passwords, and can be legally purchased from the developers.

Password attacks can be avoided by not using plain text passwords. The use of one-time passwords and cryptographic authentication can virtually eliminate the threat of such attacks. Unfortunately, not all applications, hosts and devices support the specified authentication methods.

When using regular passwords, it is necessary to choose a password that would be difficult to guess. The minimum password length must be at least eight characters. The password must include uppercase characters, numbers and special characters (#, $, &, %, etc.).
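As an added example (not code from the original text), the rules just stated can be enforced at account creation by a checker that reports every rule a candidate password fails rather than a bare yes/no, so the user can see what to fix. The thresholds (eight characters, an uppercase letter, a digit, a special character) come from the text; treating all ASCII punctuation as "special" beyond the characters the text names is an assumption.

```python
"""Password policy checker for the rules stated above (added example).

Rules from the text: at least 8 characters, at least one uppercase letter,
at least one digit, at least one special character (#, $, &, %, etc.).
Assumption: any ASCII punctuation counts as a special character.
"""
import string

MIN_LENGTH = 8
SPECIAL_CHARS = set("#$&%") | set(string.punctuation)   # assumption noted above

def check_password_policy(password):
    """Return the list of violated rules; an empty list means the policy is met."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character (#, $, &, %, ...)")
    if any(c.isspace() for c in password):
        # Assumption: whitespace is rejected because many login clients trim it.
        problems.append("contains whitespace")
    return problems

def is_acceptable(password):
    """True when the candidate satisfies every rule of the policy."""
    return not check_password_policy(password)

if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for candidate in ("password", "Passw0rd", "Passw0rd#", "Ab1#"):
        print(f"{candidate!r:14} -> {check_password_policy(candidate) or 'OK'}")
```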

Guessing the key. A cryptographic key is a code or number needed to decrypt protected information. Although finding out the access key is difficult and requires a lot of resources, it is nevertheless possible. In particular, to determine the value of a key, a special program that implements the exhaustive search method can be used. The key that the attacker gains access to is called compromised. The attacker uses the compromised key to gain access to protected transmitted data without the knowledge of the sender and recipient. The key makes it possible to decrypt and change data.

Application level attacks. These attacks can be carried out in several ways. The most common of these is to exploit known weaknesses in server software (FTP, HTTP, Web servers).

The main problem with application-layer attacks is that they often use ports that are allowed to pass through the firewall.

Information about application-level attacks is widely published to enable administrators to correct the problem using corrective modules (patches). Unfortunately, many hackers also have access to this information, which allows them to learn about the weaknesses as well.

It is impossible to completely eliminate application-level attacks. Hackers are constantly discovering and publishing new vulnerabilities in application programs on their Internet sites.

Good system administration is important here. To reduce your vulnerability to this type of attack, you can take the following steps:

- analyze operating system log files and network log files using special analytical applications;

- monitor CERT data on application software weaknesses;

- use the latest versions of operating systems and applications and the latest corrective modules (patches);

- use IDS (Intrusion Detection Systems).

Network reconnaissance is the collection of network information using publicly available data and applications. When preparing an attack against a network, a hacker usually tries to get as much information about it as possible.

Network reconnaissance is carried out in the form of DNS queries, echo testing (ping sweep) and port scanning. DNS queries help you understand who owns a particular domain and what addresses are assigned to that domain. Pinging the addresses revealed by DNS allows you to see which hosts are actually running in a given environment. After receiving a list of hosts, the hacker uses port scanning tools to compile a full list of the services supported by these hosts. As a result, information is obtained that can be used for hacking.

It is impossible to completely get rid of network reconnaissance. If, for example, you disable ICMP echo and echo reply on edge routers, you get rid of ping testing, but you lose the data needed to diagnose network failures. In addition, ports can be scanned without prior ping testing. It will just take more time, since non-existent IP addresses will have to be scanned as well.

Network- and host-level IDS systems typically do a good job of alerting administrators to ongoing network reconnaissance, allowing them to better prepare for an upcoming attack and alert the ISP on whose network a system is being overly nosy.
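The kind of alert an IDS raises on reconnaissance can be built from ordinary firewall logs. The following is an added example (not from the original text or any IDS product): a sliding-window rule that flags one source touching many distinct ports on one host (a port scan) or port 80 on many hosts (a sweep). The log line format, thresholds and addresses are constructed for the example.

```python
"""Port-scan and sweep detector over constructed log lines (added example).

Within a sliding time window, one source that contacts many distinct ports
on a single host (vertical scan) or many distinct hosts (horizontal sweep)
raises an alert. Format, thresholds and addresses are all constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "YYYY-MM-DD HH:MM:SS ACTION src=A dst=B dport=N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

WINDOW = timedelta(seconds=60)
PORT_THRESHOLD = 10   # distinct ports on one host within the window -> vertical scan
HOST_THRESHOLD = 5    # distinct destination hosts within the window -> sweep

def parse_line(line):
    """Parse one log line into (ts, src, dst, dport); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            m["src"], m["dst"], int(m["dport"]))

def detect_scans(lines):
    """Return {(src, kind): peak_count} for each source exceeding a threshold."""
    recent = defaultdict(deque)          # src -> (ts, dst, dport) inside the window
    alerts = {}
    for rec in filter(None, map(parse_line, lines)):
        ts, src, dst, dport = rec
        q = recent[src]
        q.append((ts, dst, dport))
        while ts - q[0][0] > WINDOW:     # expire events older than the window
            q.popleft()
        ports_by_host = defaultdict(set)
        for _, d, p in q:
            ports_by_host[d].add(p)
        vertical = max(len(ports) for ports in ports_by_host.values())
        if vertical >= PORT_THRESHOLD:
            alerts[(src, "vertical")] = max(alerts.get((src, "vertical"), 0), vertical)
        if len(ports_by_host) >= HOST_THRESHOLD:
            alerts[(src, "horizontal")] = max(alerts.get((src, "horizontal"), 0),
                                              len(ports_by_host))
    return alerts

def _constructed_log():
    """Build a small synthetic log: one scanner, one sweeper, one normal client."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    for i in range(15):                  # 15 ports on one host in 15 seconds
        lines.append(f"{(base + timedelta(seconds=i)).strftime(fmt)} DROP "
                     f"src=203.0.113.5 dst=10.0.0.20 dport={21 + i}")
    for i in range(6):                   # port 80 on six hosts
        lines.append(f"{(base + timedelta(seconds=30 + i)).strftime(fmt)} DROP "
                     f"src=198.51.100.9 dst=10.0.0.{1 + i} dport=80")
    for port in (80, 443):               # ordinary client: two services, one host
        lines.append(f"{base.strftime(fmt)} ACCEPT src=10.0.0.7 dst=10.0.0.20 dport={port}")
    lines.append("garbage line that does not parse")
    return lines

SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for (src, kind), count in sorted(detect_scans(SAMPLE_LOG).items()):
        print(f"ALERT {kind:10} from {src}: {count} distinct targets in {WINDOW}")
```

The thresholds are deliberately generous; on a real network they are tuned against normal traffic (monitoring systems and load balancers also touch many hosts) so that the rule alerts on reconnaissance without drowning the administrator in false positives.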

Breach of trust. This type of action is not an attack in the full sense of the word. It represents the malicious exploitation of trust relationships that exist in a network. A typical example of such abuse is the situation in the peripheral part of the corporate network. This segment typically houses DNS, SMTP, and HTTP servers. Since they all belong to the same segment, hacking one of them leads to hacking of all the others, since these servers trust other systems on their network.

The risk of breach of trust can be reduced by more tightly controlling the levels of trust within your network. Systems located outside the firewall should never have absolute trust from systems protected by the firewall.

Trust relationships should be limited to specific protocols and, if possible, authenticated not only by IP addresses, but also by other parameters.

Malicious programs. Such programs include computer viruses, network worms, and Trojan horse programs.

Viruses are malicious programs that are inserted into other programs to perform a specific unwanted function on the end user's workstation. A virus is usually developed by attackers in such a way as to remain undetected in the computer system for as long as possible. The initial period of dormancy of viruses is a mechanism for their survival. The virus manifests itself in full at a specific point in time, when some triggering event occurs, for example Friday the 13th, a known date, etc.

A type of virus program is the network worm, which spreads over the global network and does not leave a copy of itself on magnetic media. This term is used to name programs that, like tapeworms, move around a computer network from one system to another. The worm uses network support mechanisms to determine which host may be infected. Then, using the same mechanisms, the worm transfers its body to this node and either becomes activated or waits for suitable conditions for activation. Network worms are a dangerous type of malware because the target of their attack can be any of the millions of computers connected to the global Internet. To protect against a worm, you must take precautions against unauthorized access to your internal network.

Adjacent to computer viruses are the so-called "Trojan horses" (Trojan programs). A Trojan horse is a program that looks like a useful application but actually performs harmful functions (destruction of software, copying and sending files with confidential data to the attacker, etc.). The danger of a Trojan horse lies in an additional block of commands inserted into an originally harmless program, which is then provided to system users. This block of commands can be triggered upon the occurrence of some condition (date, system state) or upon an external command. A user who runs such a program endangers both his own files and the entire system as a whole.

According to the Sophos Security Threat Management Report, Trojan horses outnumbered viruses and worms by four to one in the first half of 2006, up from two to one in the first six months of 2005. Sophos also reports the emergence of a new type of Trojan program, called ransomware. Such programs steal data from infected computers, and then the user is asked to pay a certain ransom for it.

End user workstations are highly vulnerable to viruses, worms and Trojan horses.

A feature of modern malware is its focus on specific application software, which has become a de facto standard for most users, primarily Microsoft Internet Explorer and Microsoft Outlook. The massive creation of viruses for Microsoft products is explained not only by the low level of security and reliability of the programs, but also by the global distribution of these products. Authors of malicious software are increasingly beginning to explore “holes” in popular DBMSs, middleware, and corporate business applications built on top of these systems.

Viruses, worms and Trojan horses are constantly evolving, and the main trend in their development is polymorphism. Today it is already quite difficult to draw a line between a virus, a worm and a Trojan; they use almost the same mechanisms; the slight difference lies only in the degree of this use. The design of malicious software has become so unified today that, for example, it is almost impossible to distinguish an email virus from a worm with destructive functions. Even “Trojan” programs have a replication function (as one of the means of counteracting anti-virus tools), so that if desired, they can be called viruses (with a distribution mechanism in the form of masquerading as application programs).

To protect against these malicious programs, it is necessary to take a number of measures:

- preventing unauthorized access to executable files;

- testing of purchased software;

- monitoring the integrity of executable files and system areas;

- creation of a closed program execution environment.
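The third measure, integrity monitoring of executable files, is shown below as an added example (not code from the original text): a baseline of SHA-256 digests is recorded for a directory tree, and a later pass reports files that were modified, added or removed, which is how a Trojanized binary or a dropped file is caught. The directory and file contents are constructed in a temporary folder so the block runs stand-alone.

```python
"""Integrity monitoring of executable files (added example).

Record a baseline of SHA-256 digests for every file under a root, then compare
the tree against it and report modified, added and removed files. The demo
builds a throwaway directory with constructed contents.
"""
import hashlib
import json
import tempfile
from pathlib import Path

def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> digest for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_baseline(root, baseline):
    """Report differences between the current tree and a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }

def save_baseline(baseline, path):
    # The baseline should live where the monitored system cannot rewrite it
    # (read-only media or a separate host); otherwise malware can re-baseline itself.
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))

def load_baseline(path):
    return json.loads(Path(path).read_text())

def demo():
    """Constructed scenario: one binary tampered, one file dropped, one deleted."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF original program image")
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        baseline = build_baseline(root)
        save_baseline(baseline, root / "baseline.json")
        (root / "bin" / "app").write_bytes(b"\x7fELF original program image + extra block")
        (root / "bin" / "dropper").write_bytes(b"constructed unexpected file")
        (root / "bin" / "tool").unlink()
        stored = load_baseline(root / "baseline.json")
        return compare_baseline(root / "bin", {k[4:]: v for k, v in stored.items()
                                               if k.startswith("bin/")})

if __name__ == "__main__":
    print(demo())
```

The comparison is restricted to `bin/` in the demo so that the baseline file itself, which did not exist when the baseline was taken, is not reported as "added"; in practice the baseline is kept outside the monitored tree.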

Viruses, worms and Trojan horses are combatted using effective antivirus software that operates at the user level and possibly at the network level. As new viruses, worms and Trojan horses appear, new antivirus databases need to be installed for the antivirus agents and applications.

Spam and phishing refer to non-software threats. The prevalence of these two threats has increased significantly in recent times.

Spam, the volume of which now exceeds 80% of the total volume of mail traffic, can pose a threat to the availability of information by blocking mail servers, or be used to distribute malicious software.

Phishing is a relatively new type of Internet fraud, the purpose of which is to obtain user identification data. This includes the theft of passwords, credit card numbers, bank account numbers, PIN codes and other confidential information that gives access to the user's money. Phishing does not exploit technical flaws in the software, but rather the gullibility of Internet users. The term phishing itself, consonant with fishing, stands for password harvesting fishing, i.e. fishing for passwords. Indeed, phishing is very similar to fishing. The attacker throws a bait onto the Internet and “catches all the fish”, i.e. the Internet users who take the bait.

The attacker creates an almost exact copy of the website of the selected bank (electronic payment system, auction, etc.). Then, using spam technology, an e-mail is sent out, composed in such a way as to be as similar as possible to a real letter from the selected bank. When composing the letter, the bank's logos and the names and surnames of real bank managers are used. Such a letter, as a rule, informs that due to a change in software in the Internet banking system, the user needs to confirm or change his credentials. The stated reason for changing the data may be a failure of the bank's software or an attack by hackers. The presence of a plausible legend that encourages the user to take the necessary actions is an indispensable component of the success of phishers. In all cases, the purpose of such letters is the same: to force the user to click on the link provided and then enter his confidential data (passwords, account numbers, PIN codes) on the fake website of the bank (electronic payment system, auction). Having visited the false site, the user enters his confidential data in the appropriate fields, and then the scammers gain access, at best, to his mailbox, at worst, to an electronic account.

Phisher technologies are being improved and social engineering methods are being used. They are trying to scare the client and come up with a critical reason for him to give up his confidential data. Typically, messages contain threats, such as blocking an account if the recipient does not comply with the requirements set out in the message.

A concept closely related to phishing has appeared: pharming. This is also a scam, the goal of which is to obtain users' personal data, but not through mail, but directly through official Web sites. Pharmers replace the digital addresses of legitimate Web sites on DNS servers with the addresses of fake ones, as a result of which users are redirected to scam sites. This type of fraud is even more dangerous, since it is almost impossible to notice the fake.

Nowadays, scammers often use Trojan horses. In this case, the phisher's task is greatly simplified: it is enough to force the user to go to the phishing site and “pick up” a program that will independently find everything that is needed on the victim's hard drive. Along with Trojan programs, keyloggers began to be used. On fake sites, spyware tools that track keystrokes are downloaded to victims' computers. When using this approach, it is not necessary to reach the clients of a specific bank or company, and therefore phishers began to fake general-purpose websites, such as news feeds and search engines.

What makes phishing scams successful is the low level of user awareness of the operating rules of the companies on whose behalf criminals act. In particular, about 5% of users do not know a simple fact: banks do not send letters asking them to confirm their credit card number and its PIN code online.

According to analysts (www.cnews.ru), the damage caused by phishers to the global economy amounted to $14 billion in 2003, and a year later it reached $44 billion. According to Symantec statistics, in mid-2004 the company's filters blocked up to 9 million emails with phishing content every week. By the end of the year, 33 million were already being screened out over the same period.

Spam filters remain the main defense against phishing. Unfortunately, anti-phishing software tools have limited effectiveness, since attackers primarily exploit human psychology rather than software flaws. Technical means of protection are being actively developed, primarily plugins for popular browsers. The essence of the protection is to block sites that are included in the “black lists” of fraudulent resources. The next step could be systems for generating one-time passwords for Internet access to bank accounts and accounts in payment systems, and the widespread introduction of additional levels of protection through combining password entry with a USB hardware key.

The listed attacks on IP networks are possible for a number of reasons:

- use of public data transmission channels: critical data is transmitted over the network in unencrypted form;

- vulnerabilities in the authentication procedures implemented in the TCP/IP stack: identity information at the IP layer is transmitted in clear text;

- absence, in the basic version of the TCP/IP protocol stack, of mechanisms ensuring the confidentiality and integrity of transmitted messages;

- the sender is authenticated by its IP address, and the authentication procedure is performed only at the connection establishment stage; subsequently the authenticity of received packets is not checked;

- lack of control over the route of messages on the Internet, which makes remote network attacks virtually unpunishable.