Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

16 Chapter 1 Introduction to Network Security

number of hosts responding. This eats up tons of bandwidth and results in a denial of service to valid users because the network traffic is so high.

The smurf attack’s cousin is called fraggle, which uses UDP echo packets in the same fashion as the ICMP echo packets. Fraggle is a simple rewrite of smurf to use a Layer 4 (Transport layer) broadcast.

To stop a smurf attack, all networks should perform filtering either at the edge of the network where customers connect (the Access layer) or at the edge of the network with connections to the upstream providers. Your goal is to prevent source address–spoofed packets from entering from downstream networks or leaving for upstream ones.
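As an added example (not configuration from the book), this is how the edge filtering described above looks on a Cisco IOS router; the interface names, the customer prefix 192.0.2.0/24 and the upstream link addresses are assumptions for illustration.

```cisco
! Ingress filter on the customer-facing (Access layer) interface:
! only packets sourced from the customer's own prefix may enter,
! so a spoofed source address cannot be injected from downstream.
ip access-list extended CUSTOMER-IN
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! Egress filter toward the upstream provider:
! drop anything leaving that claims a source we do not originate.
ip access-list extended UPSTREAM-OUT
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface FastEthernet0/0
 description Customer access (assumed interface and prefix)
 ip address 192.0.2.1 255.255.255.0
 ip access-group CUSTOMER-IN in
 ! Refuse to act as a smurf/fraggle amplifier: do not forward
 ! packets addressed to this subnet's directed broadcast address.
 no ip directed-broadcast
!
interface FastEthernet0/1
 description Upstream provider (assumed addresses)
 ip address 198.51.100.2 255.255.255.252
 ip access-group UPSTREAM-OUT out
!
```

On IOS releases that support it, strict unicast RPF (`ip verify unicast reverse-path` on the customer interface) achieves the same ingress check without maintaining the prefix list by hand; the `log` keyword on the deny entries lets you see spoofing attempts in the router log.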

Password Attacks

These days, it’s a rare user who isn’t aware of password issues, but you can still depend on the user to pick the name of their dog, significant other, or child for their password because those strings are so easy to remember. But you are wise and have defined policies to stop these easy-to-guess passwords, so you have no worries—right?

Well, almost. You’ve definitely saved yourself a good bit of grief by educating your users. It’s just that even if your users pick really great passwords, programs that record a username and password can still be used to gather them up. If a hacker uses a program that repeatedly attempts to identify a user account and/or password, it’s called a brute-force attack. And if it’s successful, the hacker will gain access to all the resources the stolen username and password usually provide to the now ripped-off corporate user. As you can imagine, it’s an especially dark day when the bad guy manages to jack the username and password of an administrator account.

Man-in-the-Middle Attacks

A man-in-the-middle attack is just that—a person between you and the network you are connected to who is gathering all the data that you send and receive. For a man-in-the-middle attack to be possible, the attacker must have access to the packets traveling across the networks. This means your middleman could be an internal user, someone who spoofed, or even someone who works for an Internet service provider (ISP). Man-in-the-middle attacks are usually implemented by using network packet sniffers, routing protocols, or even Transport-layer protocols.

Your middleman attacker’s goal is any or all of the following:

- Theft of information
- Hijacking of an ongoing session to gain access to your internal network resources
- Traffic analysis to derive information about your network and its users
- Denial of service
- Corruption of transmitted data
- Introduction of new information into network sessions

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

Types of Network Attacks

Application-Layer Attacks

An Application-layer attack involves an application with well-known weaknesses that can be easily exploited. PostScript, sendmail, and FTP are a few really good examples of these types of applications. The goal is to gain access to a computer with the permissions of the account running the application, which is usually a privileged, system-level account.

Trojan Horse Programs, Viruses, and Worms

I hate to admit this, but the Trojan horse attack is actually a very cool attack—that is, if you look at the way it’s implemented and, more importantly, if it’s not happening to you. The Trojan horse attack creates a substitute for a common program, duping users into thinking they are in a valid program when they are not. They’re actually in the Trojan horse, which gives the attacker the power to monitor login attempts and to capture user account and password information. This attack can even mix it up a notch and allow the horse’s rider to modify application behavior so that the attacker receives all your corporate e-mail messages instead of you. Pretty stylin’, huh? I told you it was cool.

Both worms and viruses spread and infect multiple systems. The difference between the two is that viruses require some form of human intervention to spread, and worms do that on their own. Because viruses, Trojan horses, and worms are conceptually alike, they’re all considered to be the same form of attack. They’re all software programs created for and aimed at destroying your data. Some variants of these weapons can also deny legitimate users access to resources and consume bandwidth, memory, disk space, and CPU cycles.

So be smart—use an antivirus program on your network and update it regularly!

HTML Attacks

Another new attack on the Internet scene exploits several new technologies: the Hypertext Markup Language (HTML) specification, web browser functionality, and HTTP.

HTML attacks can include Java applets and ActiveX controls. Their modus operandi is to pass destructive programs across the network and load them through a user’s browser.

Microsoft promotes an Authenticode technology for ActiveX only, but it doesn’t do much except provide a false sense of security to users. This is because attackers can use a properly signed and totally bug-free ActiveX control to create a Trojan horse!

This particular approach is unique because it involves teamwork between the attacker and you. Part one of this attack—the attacker’s part—is to modify a program and set it up so that you, the user, actually initiate the attack when you either start the program or choose a function within it. And these attacks aren’t hardware dependent. They’re very flexible because of the portability of the programs.
