Lecture 33

Topic: Kinds and types of network attacks

A remote network attack is an information-destructive action on a distributed computing system, carried out programmatically over communication channels.

Introduction

Communication in a heterogeneous network environment is organized with the TCP/IP protocol suite, which provides interoperability between computers of different types. The suite gained popularity because of that interoperability and because it gives access to the resources of the global Internet, and it became the standard for internetworking. However, the ubiquity of the TCP/IP stack has also exposed its weaknesses. Distributed systems are especially susceptible to remote attacks because their components typically communicate over open data transmission channels, where an intruder can not only passively eavesdrop on the transmitted information but also modify the traffic in transit.

The difficulty of detecting a remote attack, combined with the relative ease of carrying one out (a consequence of the redundant functionality of modern systems), puts this kind of illegal action first in terms of danger: it delays a timely response to the threat and so raises the attacker's chances of succeeding.

Classification of attacks

By the nature of the impact

Passive

Active

A passive impact on a distributed computing system (DCS) is one that does not directly affect the operation of the system but can nevertheless violate its security policy. Precisely because it has no direct influence on the operation of the DCS, a passive remote attack is hard to detect. A typical example of a passive attack on a DCS is listening on a communication channel in the network.

An active impact on a DCS is one that directly affects the operation of the system itself (impairing functionality, changing the DCS configuration, and so on) and thereby violates the security policy adopted in it. Almost all types of remote attack are active, because the very nature of a damaging action involves doing something to the target. The clear difference from a passive attack is that an active one can in principle be detected, since its execution changes something in the system. A passive attack leaves no traces at all: when the attacker reads someone else's message, nothing in the system changes at that moment.

By purpose of influence

Disruption of system functioning (denial of access to the system)

Violation of the integrity of information resources (IR)

Violation of IR confidentiality

This classification criterion is essentially a direct projection of the three basic types of threat: denial of service, disclosure and violation of integrity.

The main goal pursued in almost any attack is to gain unauthorized access to information. There are two fundamental ways of obtaining it: interception and distortion. Interception means gaining access to information without being able to change it, so it violates confidentiality. Listening on a network channel is an example: the attacker reads the information illegitimately but has no way to substitute it. Violation of confidentiality is thus a passive attack.

The ability to substitute information means either complete control over the flow of information between system objects or the ability to send messages on someone else's behalf. Substitution therefore violates integrity, and such an information-destructive action is a typical example of an active attack. An example of a remote attack designed to violate integrity is the "false DCS object" remote attack.

By presence of feedback from the attacked object

With feedback

Without feedback (unidirectional attack)

The attacker sends requests to the attacked object and expects responses to them. A feedback loop thus exists between attacker and target, letting the attacker react to whatever changes occur in the attacked object. That is the essence of a remote attack with feedback from the attacked object; such attacks are the most typical for a DCS.

Attacks without feedback do not need to react to changes in the attacked object. They are usually carried out by sending single requests to which the attacker needs no answer; they can also be called unidirectional attacks. A typical DoS attack is an example.

According to the condition of the beginning of the impact

A remote attack, like any other, can begin only under certain conditions. There are three kinds of such conditions for attacks on a DCS:

Attack on request from the attacked object

Attack upon the occurrence of an expected event on the attacked object

Unconditional attack

The attacker's action begins only when the potential target transmits a request of a certain type; such an attack can be called an attack on request from the attacked object. This type is the most typical for a DCS. Examples of such requests on the Internet are DNS and ARP requests, and in Novell NetWare, SAP requests.

In an attack upon the occurrence of an expected event, the attacker continuously monitors the state of the remote target's operating system and starts acting when a specific event occurs there. As in the previous case, the attacked object itself initiates the attack. An example of such an event is a user's session with a server being interrupted without a LOGOUT command in Novell NetWare.

An unconditional attack is carried out immediately, regardless of the state of the operating system or of the attacked object; here the attacker is the initiator.

Where the attack disrupts the normal operation of the system, a different goal is pursued: the attacker does not seek illegal access to data but aims to disable the operating system of the attacked object and make its resources unavailable to the other objects in the system. A DoS attack is an example of this type.

By the location of the subject of the attack relative to the attacked object

Intra-segment

Inter-segment

Some definitions:

The source of the attack (subject of the attack) is the program (possibly driven by an operator) that carries out the attack and has the direct impact.

A host is a computer that is an element of the network.

A router is a device that routes packets in a network.

A subnetwork is a group of hosts within a larger network that a router treats as sharing one subnet number; in other words, a subnet is a logical grouping of hosts behind a router. Hosts within the same subnet can communicate with each other directly, without going through a router.

A network segment is a set of hosts joined at the physical level.

From the point of view of a remote attack, the relative location of the subject and the object of the attack is extremely important: whether they are in the same segment or in different ones. In an intra-segment attack, subject and target are in the same segment; in an inter-segment attack they are in different network segments. This criterion makes it possible to judge the so-called "degree of remoteness" of the attack.

As shown below, an intra-segment attack is much easier to carry out than an inter-segment one. Note, however, that an inter-segment remote attack is far more dangerous, because the target and the attacker may be thousands of kilometres apart, which significantly hampers measures to repel the attack.

By the layer of the ISO/OSI reference model at which the impact is carried out

Physical

Data link

Network

Transport

Session

Presentation

Application

The International Organization for Standardization (ISO) adopted standard ISO 7498, which describes Open Systems Interconnection (OSI); a DCS is one such open system. Every network protocol and every network program can be mapped in one way or another onto the seven-layer OSI reference model, which makes it possible to describe the functions of a protocol or program in OSI terms. A remote attack is itself a network program, so it is logical to consider it from the same point of view.

Brief descriptions of some network attacks

Data fragmentation

When an IP datagram is transmitted over a network it may be divided into several fragments, which are reassembled into the original datagram at the destination. An attacker can send a large number of fragments that never complete, or fragments with crafted offsets and lengths, exhausting or overflowing the reassembly buffers on the receiving side and, in some cases, crashing the system.
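The following is an added example, not code from the lecture: a small IPv4 fragment reassembler that applies the checks a robust receiving stack needs against the attack just described. It groups fragments by (source, destination, identification, protocol) and rejects any fragment that overlaps an earlier one, that would extend the datagram past the 65535-byte limit, that lies beyond the final fragment, or that pushes the per-flow buffer over a cap. The packets are constructed inline with a minimal header builder (checksum left zero); the buffer cap value and the addresses are assumptions.

```python
"""Added example: an IPv4 fragment reassembler with the sanity checks a
stack needs.  Packets are constructed inline; nothing is captured."""
import struct

MAX_DATAGRAM = 65535           # IPv4 total-length limit
MAX_PENDING_PER_FLOW = 65535   # assumed cap on bytes buffered per flow


def build_fragment(ident, offset, more, payload, src=b"\x0a\x00\x00\x01",
                   dst=b"\x0a\x00\x00\x02", proto=17):
    """Build an IPv4 packet carrying one fragment (offset in bytes, multiple of 8).
    The header checksum is left zero; this example does not verify it."""
    assert offset % 8 == 0 and offset // 8 < 0x2000
    flags_frag = (0x2000 if more else 0) | (offset // 8)   # MF is bit 13 of the field
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def parse_fragment(pkt):
    """Return ((src, dst, id, proto), offset_bytes, more_flag, data)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("inconsistent IPv4 length fields")
    key = (pkt[12:16], pkt[16:20], ident, pkt[9])
    return key, (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000), pkt[ihl:total_len]


class Reassembler:
    def __init__(self):
        self.flows = {}  # key -> {"frags": [(offset, data)], "end": int|None, "bytes": int}

    def _drop(self, key, why):
        self.flows.pop(key, None)      # a hostile fragment discards the whole flow
        raise ValueError(why)

    def feed(self, pkt):
        """Return the reassembled payload when complete, None while waiting.
        Raises ValueError for malformed or hostile fragments."""
        key, off, more, data = parse_fragment(pkt)
        if more and len(data) % 8:
            self._drop(key, "non-final fragment length not a multiple of 8")
        if off + len(data) > MAX_DATAGRAM:
            self._drop(key, "fragment extends past 65535 bytes")
        st = self.flows.setdefault(key, {"frags": [], "end": None, "bytes": 0})
        for o, d in st["frags"]:                     # overlap check (teardrop-style input)
            if off < o + len(d) and o < off + len(data):
                self._drop(key, "overlapping fragment")
        if not more:
            if st["end"] is not None:
                self._drop(key, "second final fragment")
            st["end"] = off + len(data)
        if st["end"] is not None:
            for o, d in st["frags"] + [(off, data)]:
                if o + len(d) > st["end"]:
                    self._drop(key, "fragment beyond end of datagram")
        st["bytes"] += len(data)
        if st["bytes"] > MAX_PENDING_PER_FLOW:
            self._drop(key, "reassembly buffer cap exceeded")
        st["frags"].append((off, data))
        # With no overlaps and every fragment inside [0, end), byte count == end
        # means the datagram is fully covered.
        if st["end"] is not None and st["bytes"] == st["end"]:
            st["frags"].sort()
            del self.flows[key]
            return b"".join(d for _, d in st["frags"])
        return None


def is_rejected(reasm, pkt):
    """True if the reassembler refuses this fragment."""
    try:
        reasm.feed(pkt)
        return False
    except ValueError:
        return True
```

Real stacks additionally time out incomplete flows and bound the total number of pending datagrams, which is what turns the "many fragments that never complete" case from a crash into a bounded loss; the per-flow cap here only covers one flow.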

Ping flooding attack

This attack requires the attacker to have access to fast Internet links.

The ping program sends an ICMP ECHO REQUEST packet carrying a timestamp and an identifier. The receiving machine's kernel answers with an ICMP ECHO REPLY; on receiving it, ping reports the round-trip time.

In normal mode packets are sent at intervals and place practically no load on the network, but in flood mode the stream of ICMP echo request/reply packets can saturate a slow link and prevent it from carrying useful traffic.

Non-standard protocols encapsulated in IP

The IP header contains a field specifying the protocol of the encapsulated packet (TCP, UDP, ICMP and so on). Attackers can use a non-standard value in this field to carry data that standard traffic-control tools do not inspect or log.

Smurf attack

A smurf attack sends ICMP echo requests to a network's broadcast address with the source address forged as that of the victim computer.

Every host that receives the broadcast replies to the victim, which drastically reduces the throughput of the victim's link and, in some cases, completely isolates the attacked network. The smurf attack is extremely effective and was once widespread.

Counteraction: to recognize this attack, analyze link load and determine the cause of the drop in throughput. Networks should also refuse to forward directed broadcasts, which removes them from the pool of amplifiers.

DNS spoofing attack

The result of this attack is a forced (false) mapping between an IP address and a domain name in the DNS server's cache. After a successful attack, every user of that DNS server receives wrong information about domain names and IP addresses. The attack is characterized by a large number of DNS packets for the same domain name: the attacker has to guess the parameters of the DNS exchange (notably the 16-bit transaction ID, and the source port if it is not fixed) and sends many forged answers in the hope that one of them matches before the genuine answer arrives.

Counteraction: detect such an attack by analyzing the contents of DNS traffic, or deploy DNSSEC so that forged answers fail signature validation.
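As an added example (not from the lecture), here is the traffic analysis the countermeasure refers to, applied to the pattern described above: a burst of answers for one name carrying many different transaction IDs. The resolver side keeps its outstanding queries keyed by (transaction ID, source port, name); an answer that matches none of them is unsolicited, and many unsolicited answers for the same name inside a short window is the signature. DNS messages are built with a minimal encoder written for this example; the window and threshold values, and the addresses, are assumptions.

```python
"""Added example: flag a DNS cache-poisoning attempt from the answer
pattern.  Messages are constructed inline with a minimal encoder."""
import struct
from collections import defaultdict, deque


def encode_qname(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def build_dns(txid, qname, answer_ip=None):
    """A query (answer_ip None) or a response carrying one A record."""
    flags = 0x8180 if answer_ip else 0x0100          # QR+RD+RA for a response, RD for a query
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if answer_ip else 0, 0, 0)
    msg += encode_qname(qname) + struct.pack("!HH", 1, 1)          # type A, class IN
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + rdata  # name pointer, TTL 60
    return msg


def parse_dns(msg):
    """Return (txid, is_response, qname); only the question section is decoded."""
    txid, flags = struct.unpack("!HH", msg[:4])
    i, labels = 12, []
    while msg[i]:
        n = msg[i]
        labels.append(msg[i + 1:i + 1 + n].decode())
        i += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels)


class SpoofDetector:
    def __init__(self, window=2.0, threshold=20):   # assumed values
        self.window, self.threshold = window, threshold
        self.outstanding = set()                     # (txid, src_port, qname)
        self.unsolicited = defaultdict(deque)        # qname -> arrival times

    def sent_query(self, txid, src_port, qname):
        self.outstanding.add((txid, src_port, qname))

    def got_answer(self, msg, dst_port, now):
        """'accepted' for an answer matching an outstanding query, 'dropped' for
        an unsolicited one, 'alert' once unsolicited answers for the same name
        reach the threshold inside the window."""
        txid, is_response, qname = parse_dns(msg)
        if not is_response:
            return "ignored"
        key = (txid, dst_port, qname)
        if key in self.outstanding:
            self.outstanding.discard(key)
            return "accepted"
        seen = self.unsolicited[qname]
        seen.append(now)
        while seen and now - seen[0] > self.window:
            seen.popleft()
        return "alert" if len(seen) >= self.threshold else "dropped"


def guesses_needed(random_source_port):
    """Size of the space an off-path attacker must cover per query: 2^16
    transaction IDs, times about 2^16 ports when the source port is randomized."""
    return 2 ** 16 * (2 ** 16 if random_source_port else 1)
```

The detector never looks at the answer's contents, only at whether it was asked for; that is deliberate, since a well-forged answer is indistinguishable from a real one by content alone. `guesses_needed` shows why source-port randomization matters: it multiplies the attacker's search space from 65536 to about four billion per query.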

IP spoofing attack

A large number of Internet attacks involve spoofing the source IP address. Among them is syslog spoofing: sending a message to the victim computer on behalf of another computer on the internal network. Since syslog is used to maintain system logs, forged messages can plant misleading entries or cover the tracks of unauthorized access.

Countermeasures: attacks based on IP address spoofing can be detected by watching for a packet that arrives on an interface carrying the source address of that same interface, or for packets arriving on the external interface with source addresses from the internal network.
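The two checks just listed, together with the protocol-number check from the section on non-standard protocols encapsulated in IP, expressed as an ingress filter over constructed packet summaries. This is an added example, not the lecture's code: BCP 38-style filtering written in Python rather than configured on a router. The interface table, the addresses and the protocol allow list are assumptions. A forged syslog message "from" 10.0.0.5 arriving on the outside interface is exactly the case the second rule catches.

```python
"""Added example: anti-spoofing ingress filter plus an IP protocol allow
list, run over constructed packet summaries."""
import ipaddress

INTERFACES = {  # assumed topology: eth0 faces the Internet, eth1 the internal network
    "eth0": {"address": ipaddress.ip_address("203.0.113.1"), "role": "external",
             "networks": [ipaddress.ip_network("0.0.0.0/0")]},
    "eth1": {"address": ipaddress.ip_address("10.0.0.1"), "role": "internal",
             "networks": [ipaddress.ip_network("10.0.0.0/8")]},
}
ALLOWED_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}   # assumed: anything else is unexpected here


def internal_networks():
    return [n for i in INTERFACES.values() if i["role"] == "internal" for n in i["networks"]]


def check_packet(iface, src, proto):
    """Return 'accept' or 'drop: <reason>' for a packet with source address src
    and IP protocol number proto arriving on interface iface."""
    src = ipaddress.ip_address(src)
    i = INTERFACES[iface]
    if src == i["address"]:
        return "drop: source is this interface's own address"
    if src.is_loopback or src.is_multicast or src.is_unspecified:
        return "drop: bogon source address"
    if i["role"] == "external" and any(src in n for n in internal_networks()):
        return "drop: internal source on external interface"
    if i["role"] == "internal" and not any(src in n for n in i["networks"]):
        return "drop: source not reachable via this interface"   # egress side of BCP 38
    if proto not in ALLOWED_PROTOCOLS:
        return "drop: unexpected IP protocol %d" % proto
    return "accept"


# constructed traffic: (interface, source, protocol number, note)
SAMPLE = [
    ("eth0", "198.51.100.9", 6, "normal inbound TCP"),
    ("eth0", "10.0.0.5", 17, "forged syslog from 'inside' address"),
    ("eth1", "10.0.0.1", 1, "source equals eth1's own address"),
    ("eth1", "192.0.2.77", 6, "internal host sending with an outside address"),
    ("eth0", "198.51.100.9", 253, "experimental protocol number, tunnelled data"),
    ("eth1", "10.2.3.4", 17, "normal outbound UDP"),
]


def filter_sample(sample=SAMPLE):
    """Decision for every packet in the sample, keyed by its note."""
    return [(note, check_packet(iface, src, proto)) for iface, src, proto, note in sample]
```

The egress rule (an internal interface refusing sources outside its own prefixes) is what stops your own network from being the origin of spoofed traffic against others; the ingress rules only protect you. Protocol 253 is one of the numbers reserved for experimentation, which is why it appears in the sample as the "non-standard" value.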

Packet injection (connection hijacking)

The attacker injects packets with a forged source address into the network. With this attack, the attacker can redirect a connection established between two other computers to his own computer, and then holds the access rights of the user whose connection to the server was hijacked.

Sniffing: listening on a channel

Possible only within the local network segment.

Almost all network cards can capture packets transmitted over a shared local network medium. A workstation can then receive packets addressed to other computers in the same network segment, so all information exchanged in that segment becomes accessible to the attacker. To carry out this attack, the attacker's computer must be in the same local network segment as the attacked computer. On a switched network the attacker must additionally divert traffic to his own port, for example by ARP spoofing, since a switch forwards unicast frames only to the destination port.

Packet interception on the router

A router's network software has access to every packet forwarded through the router, which makes interception possible. To carry out this attack the attacker needs privileged access to at least one router on the path. Because a router forwards so many packets, capturing all of them is practically impossible, but individual packets can be intercepted and stored for later analysis. Most valuable to the attacker are FTP packets containing user passwords, and e-mail.

Forcing a false route on a host using ICMP

Among the functions of ICMP (Internet Control Message Protocol) is informing a host that it should use a different router; this control message is called a redirect. A false redirect can be sent to the attacked host from any host in the network segment on behalf of the router. The host's routing table then changes, and from that point all of its traffic passes through, for example, the host that sent the false redirect. In this way a false route can be actively imposed within one segment of the Internet.
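As an added example (not part of the lecture), the message above is constructed the way an attacker on the segment would build it, and then checked with the acceptance rules RFC 1122 gives a host: act on a redirect only if it comes from the gateway currently used for that destination and only if the new gateway is on a directly connected network. The constructed case also shows the limit of those rules: an attacker on the same segment can forge the gateway's source address, so the practical defence is for hosts to ignore redirects entirely (on Linux, `net.ipv4.conf.all.accept_redirects=0`). The addresses and the host's routing state are assumptions.

```python
"""Added example: build an ICMP Redirect (type 5) and apply the RFC 1122
acceptance checks against an assumed host routing state."""
import ipaddress
import struct


def checksum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_redirect(new_gateway, orig_src, orig_dst, code=1):
    """ICMP Redirect for host (code 1): 8-byte ICMP header carrying the new
    gateway, then the IP header + 8 bytes of the datagram that triggered it."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                        ipaddress.ip_address(orig_src).packed,
                        ipaddress.ip_address(orig_dst).packed) + bytes(8)
    body = struct.pack("!BBH4s", 5, code, 0, ipaddress.ip_address(new_gateway).packed) + inner
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def parse_redirect(pkt):
    """Return (new_gateway, destination the redirect applies to) as strings."""
    typ, _code, _csum, gw = struct.unpack("!BBH4s", pkt[:8])
    if typ != 5 or checksum(pkt) != 0:
        raise ValueError("not a valid ICMP redirect")
    inner = pkt[8:]
    return str(ipaddress.ip_address(gw)), str(ipaddress.ip_address(inner[16:20]))


HOST_STATE = {  # assumed host view: on-link prefix and current default gateway
    "on_link": ipaddress.ip_network("192.0.2.0/24"),
    "gateway": ipaddress.ip_address("192.0.2.1"),
}


def should_accept_redirect(pkt, ip_src, state=HOST_STATE):
    """RFC 1122 checks; ip_src is the source address of the IP packet that
    carried the ICMP message.  Returns (decision, reason)."""
    new_gw, dst = (ipaddress.ip_address(a) for a in parse_redirect(pkt))
    ip_src = ipaddress.ip_address(ip_src)
    if dst in state["on_link"]:
        return False, "destination is on-link; no gateway is used for it"
    if ip_src != state["gateway"]:
        return False, "sender is not the current gateway for this destination"
    if new_gw not in state["on_link"]:
        return False, "new gateway is not on a directly connected network"
    return True, "redirect would be applied"
```

The second assertion in the test is the important one: once the attacker sets the IP source to the real gateway's address, both checks pass and the victim's traffic to 198.51.100.5 would flow through 192.0.2.66. Nothing in the redirect itself authenticates its origin, which is why the checks limit abuse but cannot prevent it on a shared segment.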

Out-of-band data to NetBIOS ports

Alongside ordinary data, a TCP connection can carry urgent (out-of-band) data, signalled at the packet level by a non-zero urgent pointer. Most PCs running Windows have the NetBIOS protocol, which uses three IP ports: 137, 138 and 139. If one connects to a Windows machine on port 139 and sends a few bytes of out-of-band data, the NetBIOS implementation, not knowing what to do with them, simply hangs or reboots the machine. On Windows 95 this usually appears as a blue text screen reporting an error in the TCP/IP driver, with no network access until the OS is rebooted. NT 4.0 without service packs reboots; NT 4.0 with Service Pack 2 crashes to a blue screen. According to reports from the network, Windows NT 3.51 and Windows 3.11 for Workgroups are also susceptible to this attack.

Sending such data to port 139 reboots NT 4.0, or produces a "blue screen of death" when Service Pack 2 is installed. Sending similar data to port 135 and some other ports heavily loads the RPCSS.EXE process: Windows NT Workstation slows down significantly, and Windows NT Server practically freezes.

Trusted host spoofing

A successful remote attack of this type lets the attacker conduct a session with the server on behalf of a trusted host (a station that is legitimately connected to the server). It is usually carried out by sending packets from the attacker's station on behalf of a trusted station that is under his control.

Attack detection technologies

Network and information technologies change so quickly that static protective mechanisms (access control systems, firewalls, authentication systems) often cannot provide effective protection. Dynamic methods are therefore needed to detect and prevent security violations quickly. One technology that detects violations which traditional access control models cannot identify is intrusion detection.

Essentially, attack detection is the process of assessing suspicious activity in a corporate network; in other words, intrusion detection is the process of identifying and responding to suspicious activity aimed at computing or network resources.

Methods for analyzing network information

The effectiveness of an intrusion detection system depends largely on the methods used to analyze the collected information. The first intrusion detection systems, developed in the early 1980s, used statistical methods. Since then statistical analysis has been joined by a number of newer techniques, from expert systems and fuzzy logic to neural networks.

Statistical method

The main advantages of the statistical approach are the use of an already developed and proven apparatus of mathematical statistics and adaptation to the behavior of the subject.

First, profiles are built for all subjects of the analyzed system. Any deviation of the observed profile from the reference one is treated as unauthorized activity. Statistical methods are universal in that the analysis needs no knowledge of possible attacks or of the vulnerabilities they exploit. They have their problems, however:

"statistical" systems are not sensitive to the order of events, yet in some cases the same events, depending on the order in which they occur, characterize abnormal or normal activity;

it is difficult to set the boundary (threshold) values of the characteristics monitored by the intrusion detection system so that anomalous activity is identified adequately;

"statistical" systems can be "trained" by attackers over time so that attack actions come to be seen as normal.

Statistical methods are also inapplicable where there is no pattern of typical behaviour for a user, or where unauthorized actions are typical for that user.

Expert systems

Expert systems consist of a set of rules capturing the knowledge of a human expert. Using them is a common attack detection method in which knowledge about attacks is formulated as rules, written for example as a sequence of actions or as a signature. When any rule matches, the presence of unauthorized activity is declared. An important advantage of this approach is its very low rate of false alarms.

The expert system's database should contain descriptions of most currently known attacks, and keeping it current requires constant updating. Although expert systems offer good visibility into log data, the required updates may be ignored or performed by the administrator by hand. At a minimum this weakens the expert system; in the worst case the lack of maintenance reduces the security of the whole network while misleading its users about the actual level of security.

The main disadvantage is the inability to detect unknown attacks. Moreover, even a small change to an already known attack can be a serious obstacle for the detection system.
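The two approaches described in the sections above, run side by side over a constructed log, as an added example that is not part of the lecture. The statistical detector builds a per-source profile (distinct destination ports per minute) from a baseline period and flags sources whose z-score exceeds a threshold, catching a port sweep it has no signature for. The expert-system detector is a single rule: five or more failed logins followed by a success from the same source within 60 seconds. The last part of the log illustrates the order problem raised under the statistical method: a success followed by failures produces the same event counts but is not the same attack, and only the order-aware rule tells them apart. The log format, the baseline, the thresholds and the addresses are assumptions.

```python
"""Added example: statistical (profile/z-score) and expert-system (rule)
detection over a constructed log."""
import re
import statistics
from collections import defaultdict

LINE = re.compile(r"^(?P<t>\d+) (?P<src>[\d.]+) (?P<kind>conn|auth) (?P<detail>\S+)$")

# constructed baseline: seconds since start, source, event, detail (port or auth result)
BASELINE_LOG = [
    "0 10.0.0.5 conn 443", "10 10.0.0.5 conn 80", "65 10.0.0.5 conn 443",
    "130 10.0.0.5 conn 443", "140 10.0.0.5 conn 22",
    "5 10.0.0.6 conn 443", "70 10.0.0.6 conn 443", "80 10.0.0.6 conn 25",
    "135 10.0.0.6 conn 443", "200 10.0.0.6 conn 443",
]
# constructed attack period: a 20-port sweep, a guessing burst, and a success-then-failures decoy
ATTACK_LOG = (
    ["%d 10.0.0.99 conn %d" % (i, 20 + i) for i in range(20)]
    + ["3 10.0.0.5 conn 443", "20 10.0.0.5 conn 80"]
    + ["%d 10.0.0.77 auth failed" % t for t in range(300, 305)] + ["310 10.0.0.77 auth ok"]
    + ["320 10.0.0.5 auth ok"]
    + ["400 10.0.0.88 auth ok"] + ["%d 10.0.0.88 auth failed" % t for t in range(401, 406)]
)


def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:   # lines that do not parse are skipped rather than trusted
            yield int(m["t"]), m["src"], m["kind"], m["detail"]


def ports_per_minute(events):
    buckets = defaultdict(set)
    for t, src, kind, detail in events:
        if kind == "conn":
            buckets[(src, t // 60)].add(int(detail))
    return {k: len(v) for k, v in buckets.items()}


def build_profile(baseline_lines):
    """Reference profile: mean and standard deviation of distinct ports per minute."""
    counts = list(ports_per_minute(parse(baseline_lines)).values())
    return statistics.mean(counts), statistics.pstdev(counts) or 1.0


def statistical_alerts(lines, profile, z_threshold=3.0):
    mean, sd = profile
    return sorted({src for (src, _), n in ports_per_minute(parse(lines)).items()
                   if (n - mean) / sd > z_threshold})


def signature_alerts(lines, failures=5, window=60):
    """Rule: >= `failures` failed logins, then a success, same source, inside `window` s."""
    history, alerts = defaultdict(list), set()
    for t, src, kind, detail in sorted(parse(lines)):   # order is part of the rule
        if kind != "auth":
            continue
        if detail == "failed":
            history[src].append(t)
        elif detail == "ok":
            if len([x for x in history[src] if t - x <= window]) >= failures:
                alerts.add(src)
            history[src].clear()
    return sorted(alerts)


def run():
    profile = build_profile(BASELINE_LOG)
    return {"statistical": statistical_alerts(ATTACK_LOG, profile),
            "signature": signature_alerts(ATTACK_LOG)}
```

Neither detector on its own covers the log: the profile knows nothing about logins, and the rule knows nothing about port sweeps, which is the practical reason the text ends by saying the methods are used in combination. The threshold difficulty is also visible: with a tiny baseline the standard deviation is below one port, so a single unusual host connecting to five ports would already trip the z-score.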

Neural networks

Most modern attack detection methods use some form of analysis of a monitored space, either rule-based or statistical. The monitored space can be logs or network traffic. The analysis is based on a set of predefined rules created by the administrator or by the intrusion detection system itself.

Any attack spread out over time or among several attackers is hard to detect with expert systems. Given the wide variety of attacks and attackers, even ad hoc, ongoing updates to the expert system's rule database will never guarantee accurate identification of the full range of attacks.

Using neural networks is one way to overcome these problems of expert systems. Unlike an expert system, which gives the user a definite answer about whether the characteristics under consideration match the rules in its database, a neural network analyzes the information and estimates how well the data agree with the characteristics it has been trained to recognize. Although the match can reach 100%, the reliability of the decision depends entirely on the quality of the examples the system was trained on.

The neural network is first trained to identify correctly on a pre-selected sample of examples from the domain; its responses are analyzed and the system is adjusted until the results are satisfactory. After the initial training period the network continues to gain experience as it analyzes domain-specific data.

An important advantage of neural networks in detecting abuse is their ability to “learn” the characteristics of deliberate attacks and identify elements that are unlike those previously observed on the network.

Each of the described methods has its advantages and disadvantages, so it is now hard to find a system that implements only one of them; as a rule they are used in combination.

There is an enormous variety of computer configurations, operating systems and network equipment, yet none of it prevents access to the global network. This is possible thanks to the universal TCP/IP protocol suite, which sets the standards and rules for transmitting data over the Internet. Unfortunately, this universality also means that computers using TCP/IP are exposed to outside influence, and since TCP/IP runs on every computer connected to the Internet, attackers do not need to develop custom means of reaching other people's machines.

A network attack is an attempt to affect a remote computer by software means. As a rule, its purpose is to violate the confidentiality of data, that is, to steal information. Network attacks are also carried out to gain access to someone else's computer and subsequently alter the files stored on it.

Network attacks can be classified in several ways. One classification is by the principle of influence. Passive network attacks aim to obtain confidential information from a remote computer; reading incoming and outgoing e-mail is one example. Active network attacks aim not only to access certain information but also to modify it. One of the most significant differences between the two is that passive interference is nearly impossible to detect, while the effects of an active attack are usually noticeable.

Attacks are also classified by the objectives they serve. The main ones are disrupting a computer's operation, gaining unauthorized access to information and covertly modifying data stored on the computer. Hacking a school server to change grades in the register, for example, is an active network attack of the third kind.

Protection technologies

Methods of protection against network attacks are constantly being developed and improved, but none gives a complete guarantee. Any static defence has weak points, since it is impossible to protect against everything at once. Dynamic methods, such as statistical analysis, expert systems, fuzzy logic and neural networks, have weaknesses too, since they rely mainly on analyzing suspicious actions and comparing them with known attack methods. Consequently most defensive systems give way to unknown types of attack, starting to repel the intrusion too late. Still, modern security systems make it so hard for an attacker to reach the data that it becomes more rational to look for another victim.

Kaspersky Internet Security protects your computer from network attacks.

Network attack is an intrusion into the operating system of a remote computer. Attackers launch network attacks to take control of an operating system, cause a denial of service, or gain access to protected information.

Network attacks are malicious actions carried out by the attackers themselves (such as port scanning and password guessing) as well as by malware installed on the attacked computer (such as transferring protected information to the attacker). Malicious programs involved in network attacks include some Trojans, DoS attack tools, malicious scripts and network worms.

Network attacks can be divided into the following types:

  • Port scanning. This type of network attack is usually a preparatory stage for a more dangerous one. The attacker scans the UDP and TCP ports used by network services on the attacked computer and determines how exposed it is to more dangerous types of network attack. Port scanning also lets an attacker determine the operating system on the target computer and select network attacks suited to it.
  • DoS attacks, or network attacks causing denial of service. These are network attacks, as a result of which the attacked operating system becomes unstable or completely inoperable.

    There are the following main types of DoS attacks:

    • Sending specially crafted network packets to a remote computer that are not expected by this computer, causing the operating system to malfunction or stop.
    • Sending a large number of network packets to a remote computer in a short period of time. All resources of the attacked computer are used to process network packets sent by the attacker, which is why the computer stops performing its functions.
  • Network attacks-intrusions. These are network attacks whose goal is to “hijack” the operating system of the attacked computer. This is the most dangerous type of network attack, since if it is successful, the operating system comes completely under the control of the attacker.

    This type of network attack is used when an attacker needs to obtain confidential data from a remote computer (for example, bank card numbers or passwords) or to use the remote computer for his own purposes (for example, to attack other computers from it) without the user's knowledge.

  1. On the Protection tab, in the Protection against network attacks block, uncheck the Enable Network Attack Protection box.

You can also enable Network Attack Protection in Protection Center. Disabling your computer's protection or protection components significantly increases the risk of your computer becoming infected, which is why information about disabling protection is displayed in Protection Center.

Important: If you have turned off Network Attack Protection, then after restarting Kaspersky Internet Security or rebooting the operating system, it will not turn on automatically and you will need to turn it on manually.

When dangerous network activity is detected, Kaspersky Internet Security automatically adds the IP address of the attacking computer to the list of blocked computers if this computer is not added to the list of trusted computers.

  1. In the menu bar, click on the program icon.
  2. In the menu that opens, select Settings.

    The program settings window will open.

  3. On the Protection tab in the block Protection against network attacks check the box Enable Network Attack Protection.
  4. Click on the Exceptions button.

    A window will open with a list of trusted computers and a list of blocked computers.

  5. Open the Blocked computers tab.
  6. If you are sure that the blocked computer does not pose a threat, select its IP address in the list and click the Unblock button.

    A confirmation window will open.

  7. In the confirmation window, do one of the following:
    • If you want to unblock the computer, click the Unblock button.

      Kaspersky Internet Security unblocks the IP address.

    • If you want Kaspersky Internet Security to never block the selected IP address, click the button Unblock and add to exceptions.

      Kaspersky Internet Security will unblock the IP address and add it to the list of trusted computers.

  8. Click on the Save button to save your changes.

You can create a list of trusted computers. Kaspersky Internet Security does not automatically block the IP addresses of these computers when it detects dangerous network activity originating from them.

When a network attack is detected, Kaspersky Internet Security saves information about it in a report.

  1. Open the Protection menu.
  2. Select Reports.

    The Kaspersky Internet Security reports window will open.

  3. Open the Protection against network attacks tab.

Note: If the Network Attack Protection component has terminated with an error, you can view the report and try to restart the component. If you are unable to resolve the issue, contact Technical Support.

1. Packet interception.

A packet sniffer (from the English "to sniff") is an application that uses a network interface in promiscuous mode. In this mode the network adapter accepts every frame received on the physical medium, regardless of who it is addressed to, and passes it to the application for processing. Sniffers are used in networks on an entirely legitimate basis, for fault diagnosis and traffic analysis. However, because some network applications transmit data in cleartext (Telnet, FTP, SMTP, POP3 and others), a sniffer can reveal useful and sometimes confidential information, such as usernames and passwords.

Interception of logins and passwords is a serious danger. If an application runs in client-server mode and its authentication data travel over the network in readable form, the same credentials can most likely be used to reach other corporate or external resources. In the worst case an attacker gains system-level access to a user account and uses it to create a new user that can be used at any time to access the network and its resources.
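What a sniffer does with the captured bytes once it has them, as an added example that is not part of the lecture. The function scans client-to-server TCP payloads for the credential commands of the cleartext protocols named above. FTP and POP3 send USER/PASS verbatim; SMTP AUTH PLAIN only base64-encodes a NUL-separated authorization-identity/user/password triple, which is decoded here to show that encoding is not encryption. No capture is performed: the session records are constructed inline, and the port numbers are the IANA defaults. A TLS record is included to show that nothing is recoverable from it.

```python
"""Added example: credential extraction from constructed cleartext TCP
payloads, the post-processing step of a sniffer."""
import base64
import re

CLEARTEXT_LOGIN_PORTS = {21: "ftp", 110: "pop3"}
SMTP_PORTS = {25: "smtp", 587: "submission"}
AUTH_PLAIN = re.compile(r"^AUTH PLAIN (\S+)$", re.I)


def extract_credentials(records):
    """records: iterable of (client, server, dst_port, payload) for client->server
    data in capture order.  Returns one dict per recovered login."""
    found, pending = [], {}           # pending: USER seen, PASS not yet (FTP/POP3)
    for client, server, dport, payload in records:
        key = (client, server, dport)
        text = payload.decode("ascii", "replace")   # TLS or binary data simply yields no match
        for line in text.splitlines():
            cmd, _, arg = line.partition(" ")
            cmd = cmd.upper()
            if dport in CLEARTEXT_LOGIN_PORTS:
                if cmd == "USER":
                    pending[key] = {"protocol": CLEARTEXT_LOGIN_PORTS[dport], "client": client,
                                    "server": server, "user": arg, "password": None}
                elif cmd == "PASS" and key in pending:
                    cred = pending.pop(key)
                    cred["password"] = arg
                    found.append(cred)
            elif dport in SMTP_PORTS:
                m = AUTH_PLAIN.match(line)
                if m:
                    try:
                        _authzid, user, password = base64.b64decode(m.group(1)).split(b"\x00")
                    except ValueError:
                        continue      # not the three-field SASL PLAIN layout
                    found.append({"protocol": SMTP_PORTS[dport], "client": client,
                                  "server": server, "user": user.decode(),
                                  "password": password.decode()})
    return found


# constructed sessions; the last record is a TLS ClientHello fragment on 443
SESSION = [
    ("10.0.0.7", "10.0.0.20", 21, b"USER alice\r\n"),
    ("10.0.0.7", "10.0.0.20", 21, b"PASS hunter2\r\n"),
    ("10.0.0.8", "10.0.0.21", 110, b"USER bob\r\nPASS s3cret\r\n"),
    ("10.0.0.9", "10.0.0.22", 587,
     b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\x00carol\x00pa55w0rd") + b"\r\n"),
    ("10.0.0.9", "10.0.0.22", 443, b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03"),
]
```

Telnet is deliberately absent: it sends each keystroke in its own segment, so the stream has to be reassembled before any USER/PASS-style matching is possible; the records above assume one complete line per payload, which is how FTP, POP3 and SMTP clients actually send commands.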

2. IP spoofing.

IP spoofing (from the English "spoof", a hoax) occurs when an attacker, inside or outside the corporation, impersonates an authorized user. This can be achieved in two ways:

a) using an IP address that is within the range of authorized IP addresses;

IP spoofing attacks are often the starting point for other attacks. A classic example is a DoS attack, which starts from someone else's address, hiding the true identity of the attacker.

Typically IP spoofing is limited to inserting false information or malicious commands into the normal flow of data between a client and a server application, or over a communication channel between peer devices. For two-way communication, the attacker must also alter the routing tables so that traffic for the spoofed IP address is directed to him.

If the attacker managed to change the routing tables and direct network traffic to a false IP address, then he will receive all packets and will be able to respond to them as if he were an authorized user.

3. Denial of service.

Denial of Service (DoS) is without doubt the best-known form of network attack, and the one against which complete protection is hardest to build. Organizing a DoS attack requires minimal knowledge and skill, and it is precisely this ease of implementation and the scale of the harm caused that attract attackers to it.

This attack is significantly different from other types of attacks. Attackers do not intend to gain access to the network or obtain any information from it; instead, a DoS attack makes your network unavailable for normal use by exceeding the permissible limits of the network, operating system or application. Where certain server applications are targeted (such as a Web server or FTP server), DoS attacks can involve taking over all connections available to those applications and keeping them occupied, so that ordinary users cannot be served. DoS attacks can use common Internet protocols such as TCP and ICMP.

Some attacks cripple network performance by flooding it with unwanted and unnecessary packets or with misleading information about the current state of network resources. When an attack of this type is carried out simultaneously through many devices, it is called a distributed DoS attack (from the English distributed DoS, abbreviated DDoS).

4. Password attacks.

Attackers can conduct password attacks using a variety of methods, such as brute force, Trojan horses, IP spoofing, and packet sniffing. Although a login and password can often be obtained using IP spoofing and packet sniffing, attackers frequently try to guess the login and password through repeated access attempts. This approach is called simple enumeration.

Such an attack uses a special program that repeatedly tries to access a shared resource (for example, a server). If the attacker is eventually granted access, he obtains it as the user whose password was guessed. If this user has significant access privileges, the attacker can create a gateway for future access that will remain in effect even if the user changes their password.
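Simple enumeration leaves a distinctive trace: many failed logins from one source in a short time, sometimes followed by a success. The following is an added example, not part of the lecture: it parses OpenSSH-style syslog lines and flags any source that produces a burst of failures inside a sliding time window, escalating the finding when the same source then logs in successfully. The log lines, the thresholds and the host name are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample log (assumption): OpenSSH's usual syslog format, not real data.
SAMPLE_LOG = """\
Mar 10 08:00:01 gw sshd[4711]: Failed password for invalid user admin from 198.51.100.23 port 50110 ssh2
Mar 10 08:00:02 gw sshd[4712]: Failed password for invalid user admin from 198.51.100.23 port 50111 ssh2
Mar 10 08:00:03 gw sshd[4713]: Failed password for root from 198.51.100.23 port 50112 ssh2
Mar 10 08:00:04 gw sshd[4714]: Failed password for root from 198.51.100.23 port 50113 ssh2
Mar 10 08:00:05 gw sshd[4715]: Failed password for root from 198.51.100.23 port 50114 ssh2
Mar 10 08:00:09 gw sshd[4716]: Accepted password for root from 198.51.100.23 port 50115 ssh2
Mar 10 08:05:00 gw sshd[4720]: Failed password for alice from 192.0.2.10 port 40000 ssh2
Mar 10 08:05:30 gw sshd[4721]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_log(text: str) -> List[dict]:
    """Turn matching lines into dicts; syslog lacks a year, so timestamps are
    only meaningful for differences, which is all the detector needs."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        events.append(ev)
    return events


def detect_bruteforce(events: List[dict], threshold: int = 5, window: int = 60) -> Dict[str, dict]:
    """Per source IP: flag when at least `threshold` failures fall inside any
    `window` seconds. A later successful login from that IP raises severity."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["result"] == "Failed"]
        burst_end = None
        start = 0
        for end in range(len(fails)):           # sliding window over failures
            while (fails[end] - fails[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end]
                break
        if burst_end is None:
            continue
        users = sorted({e["user"] for e in evs if e["result"] == "Failed"})
        success_after = any(e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs)
        findings[ip] = {"failures": len(fails), "users": users,
                        "severity": "critical" if success_after else "warning"}
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

A single failed login from alice is ignored, while the source that hammers admin and root and then gets in is reported as critical; that last case is exactly the "gateway for future access" the paragraph warns about, so it deserves an immediate response rather than a rate limit.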

5. Man-in-the-middle attacks.

For a Man-in-the-Middle attack, the attacker needs access to packets transmitted over the network. Such access to all packets passing from a provider to any other network can, for example, be obtained by an employee of that provider. Packet sniffers, transport protocols, and routing protocols are often used for this type of attack. The attacks are carried out to steal information, to hijack the current session and gain access to private network resources, to analyze traffic and obtain information about the network and its users, to carry out DoS attacks, to distort transmitted data, and to inject unauthorized information into network sessions.

6. Application level attacks.

Application-level attacks can be carried out in several ways. The most common of them is the use of well-known weaknesses in server software (sendmail, HTTP, FTP). Using these weaknesses, attackers can gain access to a computer on behalf of the user running the application (usually this is not an ordinary user, but a privileged administrator with system access rights). Information about application-level attacks is widely published so that administrators can correct the problem with corrective modules (patches). Unfortunately, many hackers also have access to this information, which allows them to improve.

The main problem with application-level attacks is that attackers often use ports that are allowed to pass through the firewall. For example, an attacker exploiting a known weakness in a Web server will often use port 80 in a TCP attack. Since the Web server provides Web pages to users, the firewall must provide access to this port. From the firewall's point of view, the attack is treated as standard traffic on port 80.

7. Network intelligence.

Network intelligence refers to the collection of network information using publicly available data and applications. When preparing an attack against a network, an attacker usually tries to obtain as much information about it as possible. Network reconnaissance is carried out in the form of DNS queries, pings and port scanning. DNS queries help to establish who owns a particular domain and what addresses are assigned to that domain. Pinging the addresses revealed by DNS shows which hosts are actually running in a given environment. Having obtained a list of hosts, the attacker uses port scanning tools to compile a full list of the services supported by these hosts. Finally, he analyzes the characteristics of the applications running on the hosts. As a result, he obtains information that can be used for hacking.

8. Breach of trust.

Strictly speaking, this type of action is not in the full sense of the word an attack or assault. It represents the malicious exploitation of trust relationships that exist in a network. A classic example of such abuse is the situation in the peripheral part of the corporate network. This segment often houses DNS, SMTP, and HTTP servers. Since they all belong to the same segment, hacking any one of them leads to hacking all the others, since these servers trust other systems on their network. Another example is a system installed on the outside of the firewall that has a trust relationship with a system installed on the inside of the firewall. If an external system is compromised, an attacker can use trust relationships to penetrate the firewall-protected system.

9. Port forwarding.

Port forwarding is a form of abuse of trust in which a compromised host is used to pass traffic through a firewall that would otherwise be rejected. Imagine a firewall with three interfaces, each connected to a specific host. The external host can connect to the public-access host (DMZ), but not to the one installed on the inside of the firewall. The public-access host can connect to both the internal and the external host. If an attacker takes over the public-access host, he can install a software tool on it that redirects traffic from the external host directly to the internal one. Although this does not violate any of the firewall rules, the external host gains direct access to the protected host as a result of the redirection. An example of an application that can provide such access is netcat.

10. Unauthorized access.

Unauthorized access cannot be identified as a separate type of attack, since most network attacks are carried out precisely to gain unauthorized access. To guess a Telnet login, an attacker must first obtain a Telnet prompt on his system. After connecting to the Telnet port, the message "authorization required to use this resource" appears on the screen. If the attacker continues to attempt access after this, the attempts are considered unauthorized. The source of such attacks can be either inside the network or outside it.

11. Viruses and Trojan horse applications

End user workstations are very vulnerable to viruses and Trojan horses. Viruses are malicious programs that are inserted into other programs to perform a specific unwanted function on the end user's workstation. An example is a virus that writes itself into the command.com file (the main command interpreter of Windows systems), erases other files, and also infects every other copy of command.com it finds.

A Trojan horse is not a software insert but a complete program that at first glance appears to be a useful application, yet in fact plays a harmful role. An example of a typical Trojan horse is a program that looks like a simple game for the user's workstation. However, while the user is playing the game, the program sends a copy of itself by email to every subscriber listed in this user's address book. All subscribers receive the game by mail, which causes its further distribution.

The class of network attacks also includes events that cause suspicious, anomalous behavior of network traffic on a corporate network, the so-called network anomalies. Network anomalies can be classified as well; they divide into two main groups: hardware and software deviations, and security problems (Fig. 1.2.1.)

1. Software and hardware deviations.

Software errors in components of an information system may cause a transition to an emergency mode with subsequent termination of services.

Configuration errors take the functionality of information system components outside the standard design parameters, which disrupts overall performance.

Performance violations push the parameters of the information system beyond their calculated values, which is accompanied by a disruption in the provision of services.

Hardware faults can lead to both the complete failure of individual components of the information system, and the degrading influence of a separate subsystem on the entire complex.

2. Security violations.

Network scanning is performed to analyze the network topology and detect services available for attack. During the scanning process, an attempt is made to connect to network services by accessing a specific port. In the case of open scanning, the scanner performs the three-way handshake; in the case of closed (stealth) scanning, it does not complete the connection. Because scanning a single host enumerates its services (ports), this anomaly is characterized by access attempts from one scanner IP address to a specific IP address on many ports. More often, however, entire subnets are scanned, which shows up in the attacked network as many packets from one scanner IP address to many IP addresses of the subnet being examined, sometimes even in sequential order. The best-known network scanners are nmap, ISS, satan, strobe, xscan and others.

Traffic analyzers, or sniffers, are designed to intercept and analyze network traffic. In the simplest case this is done by switching the network adapter hardware into listening mode, after which the data streams in the segment it is connected to become available for further study. Since many application programs use protocols that transmit information in clear, unencrypted form, the operation of sniffers dramatically reduces the level of security. Note that sniffers do not cause pronounced anomalies in network operation. The best-known sniffers are tcpdump, ethereal, sniffit, Microsoft network monitor, netxray, and lan explorer.

In computer security, the term vulnerability designates a component of an information system that is weakly protected from unauthorized influence. A vulnerability may result from design, programming, or configuration errors. It can exist only theoretically or have a working software implementation, an exploit. In the network context, the vulnerable components may be information resources such as the OS and software services.

Viral network activity is the result of attempts to spread computer viruses and worms using network resources. Most often a computer virus exploits a single vulnerability in a network application service, so virus traffic is characterized by many connection attempts from one infected IP address to many IP addresses on a specific port corresponding to the potentially vulnerable service.
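The three traffic anomalies described in this lecture each have a distinct shape: a port scan is one source talking to one host on many ports, worm propagation is one source talking to many hosts on one port, and a SYN-based DoS is many half-open connections to one service (from many sources when it is distributed). The following is an added example, not part of the lecture, that classifies constructed connection records by exactly those fan-out patterns; the thresholds, the addresses and the `Flow` record are assumptions made for the example, and it is deliberately general enough to cover the DoS/DDoS, scanning and viral-activity paragraphs above with one piece of logic.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed connection attempt (constructed record format, assumption)."""
    src: str
    dst: str
    dport: int
    syn_only: bool  # True when the handshake never completed (stealth probe or flood)


def detect_anomalies(flows: List[Flow], scan_ports: int = 10, sweep_hosts: int = 10,
                     flood_syns: int = 50, ddos_sources: int = 10) -> List[dict]:
    """Classify traffic by fan-out pattern; thresholds are illustrative assumptions."""
    ports_per_pair: Dict[Tuple[str, str], Set[int]] = defaultdict(set)   # src,dst -> ports
    hosts_per_src_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)  # src,port -> dsts
    syns_per_target: Dict[Tuple[str, int], List[str]] = defaultdict(list)   # dst,port -> srcs
    for f in flows:
        ports_per_pair[(f.src, f.dst)].add(f.dport)
        hosts_per_src_port[(f.src, f.dport)].add(f.dst)
        if f.syn_only:
            syns_per_target[(f.dst, f.dport)].append(f.src)

    findings: List[dict] = []
    # Vertical scan: one source enumerating many ports on one host.
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= scan_ports:
            findings.append({"type": "port-scan", "src": src, "dst": dst, "ports": len(ports)})
    # Horizontal sweep: one source hitting many hosts on one port (worm-like spread).
    for (src, dport), hosts in hosts_per_src_port.items():
        if len(hosts) >= sweep_hosts:
            findings.append({"type": "host-sweep", "src": src, "dport": dport, "hosts": len(hosts)})
    # SYN flood: many half-open connections to one service; distributed if many sources.
    for (dst, dport), srcs in syns_per_target.items():
        if len(srcs) >= flood_syns:
            distinct = len(set(srcs))
            kind = "ddos-syn-flood" if distinct >= ddos_sources else "dos-syn-flood"
            findings.append({"type": kind, "dst": dst, "dport": dport,
                             "syns": len(srcs), "sources": distinct})
    return findings


def sample_flows() -> List[Flow]:
    """Constructed traffic (assumption) mixing normal sessions with all three anomalies."""
    flows: List[Flow] = []
    for i in range(5):                                   # normal completed web sessions
        flows.append(Flow(f"192.0.2.{i + 1}", "10.0.0.80", 80, False))
    flows.append(Flow("192.0.2.9", "10.0.0.25", 25, False))
    for port in range(20, 40):                           # stealth scan: 20 ports on one host
        flows.append(Flow("198.51.100.66", "10.0.0.80", port, True))
    for i in range(40):                                  # infected host probing 40 addresses on 445
        flows.append(Flow("10.0.1.13", f"10.0.2.{i + 1}", 445, True))
    for i in range(60):                                  # distributed SYN flood on the web server
        flows.append(Flow(f"203.0.113.{i + 1}", "10.0.0.80", 80, True))
    return flows


if __name__ == "__main__":
    for finding in detect_anomalies(sample_flows()):
        print(finding)
```

The normal sessions produce no findings because completed handshakes are not counted toward the flood and a handful of clients never reaches the fan-out thresholds; in production the thresholds would be set per segment, and the same counters are usually kept over a time window rather than over a whole capture.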