Getting to Know Your Enemies
The few minutes that you’ll spend reading this article will save you hundreds of minutes and possibly hundreds of dollars that you might need to repair the ruins that your attackers leave behind — if they find you unprepared for them.
Today I’ll focus mainly on the reconnaissance methods that the attackers exploit and present in detail how these methods achieve their goals (which in this case is about how the enemy learns about YOU!)
The Various Stages of an Attack
All malicious attacks go through a couple of stages.
In the first stage, the attacker collects and evaluates information from the prospective “victim.” In the second stage, the actual attack is performed while at the same time the attacker tries to hide evidence about its operation.
You’re probably wondering “what kind of information does the attacker try to collect?” Just to give you an idea, below is a small list of information about a given network that would make an attacker really happy:
- IP addresses of active hosts
- The actual port numbers that are active on the active hosts
- The topology of the network
- The operating system of the hosts
Let’s start by introducing basic Reconnaissance Techniques that attackers exploit.
Reconnaissance Methods
• IP Address Sweep
A malicious agent is sending continuous ICMP packets (echo requests) to different hosts within a defined interval (5 milliseconds is the default). The purpose of this is to have at least one host replying back, thus exposing itself to the attacker.
The easiest way to preclude an attacker from performing an IP address sweep is to disable all ICMP traffic., but this could mean that you lose network diagnostics. More advanced systems can monitor sessions and identify IP address sweeps by monitoring the rate of transmission of ICMP messages originating from a particular source.
• Port Scanning
An attacker is trying to find an active service on a remote host by sending TCP SYN segments to different ports at the same destination IP address within a defined interval.
Similar to an IP address sweep, this can be avoided by applying access control lists. Sophisticated systems (such as Cisco IPS) can monitor the number of ports scanned by a given remote source and block all further requests when the number of port scans reaches a predefined value within a defined interval.
• Network Reconnaissance Using IP Options
IP standard supports a set of options that provide special routing functionality and diagnostics. These options are rarely used and if they are, they are probably added for evil use.
Therefore, in a secure network it is advisable to drop IP packets that contain IP Options headers. Cisco Intrusion Prevention signatures can identify such packets and discard them. You can find more details about the intended use of these options in RFC 791.
• Discovering Victim’s Operating System
A great advantage for an attacker is to discover the Operating System of its potential target. Equipped with this knowledge, the attacker could launch the appropriate vulnerability. A few ways exist for identifying the os of a host:
1. SYN and FIN Flags Set
Those of you who didn’t read my article on TCP-IP, now is a good time to do so to refresh your memory about the TCP header.
Normally, in a given TCP segment, the SYN and FIN flags are not set together. A SYN flag is used when initiating a TCP connection and a FIN flag is used when terminating a TCP connection. Therefore, a TCP header with both these flags set is an up normal situation which causes various responses from the recipient host based on the operating system.
An attacker could set these Flags on, as seen in the figure below, causing the recipient party to reveal its operating system and open the way for the attacker to launch the next possible vulnerability attack.
2. Only FIN Flag is Set
Normally, TCP segments with the FIN flag set also have the ACK flag set to acknowledge reception of the last packet. Having a FIN flag without ACK flag is an up normal behavior which may lead in revealing the recipients operating system according to the response provided.
3. No Flag is Set
A normal TCP header has at least one flag set. Having a TCP segment with no Flags set is again an up normal condition leading to various responses according to the operating system.
• IP Spoofing
An old method of malicious attacks is having a source host injecting a fake IP source address pretending to be a trusted host. This is called IP Spoofing and the most common way to deal with it is to properly configure an ACL to block traffic from the untrusted network that has a source address which should reside in the trusted network.
No comments:
Post a Comment