In July 2001, the Code Red worm attacked web servers globally, infecting

over 350,000 hosts, as shown in the figure. The worm not only disrupted
access to the infected servers, but also affected the local networks hosting
the servers, making them very slow or unusable. The Code Red worm
caused a denial of service to millions of users.

If the network security professionals responsible for these Code Redinfected servers had developed and implemented a security policy,
security patches would have been applied in a timely manner. The Code
Red worm would have been stopped and would only merit a footnote in
network security history.

Network security relates directly to an organization's business continuity.

Network security breaches can disrupt e-commerce, cause the loss of
business data, threaten peoples privacy, and compromise the integrity of
information. These breaches can result in lost revenue for corporations,
theft of intellectual property, and lawsuits, and can even threaten public
safety.

Maintaining a secure network ensures the safety of network users and

protects commercial interests. To keep a network secure requires vigilance
on the part of an organizations network security professionals. Network
security professionals must constantly be aware of new and evolving
threats and attacks to networks, and vulnerabilities of devices and
applications. This information is used to adapt, develop, and implement
mitigation techniques. However, security of the network is ultimately the
responsibility of everyone who uses it. For this reason, it is the job of the
network security professional to ensure that all users receive security
awareness training. Maintaining a secure, protected network provides a
more stable, functional work environment for everyone.

Network attack vectors include:

External threats

Internal threats

As shown in the figure, in addition to dealing with threats from outside of

the network, network security professionals must also be prepared for
threats from inside the network. Internal threats, whether intentional or
accidental, can cause even greater damage than external threats because
of direct access to, and knowledge of, the corporate network and data.
Despite this fact, it has taken more than 20 years after the introduction of
tools and techniques for mitigating external threats to develop tools and
techniques for mitigating internal threats.

A common scenario for a threat originating from inside the network is a

disgruntled employee with some technical skills and a willingness to do
harm. Most threats from within the network leverage the protocols and
technologies used on the local area network (LAN) or the switched
infrastructure. These internal threats fall into two categories: spoofing and
DoS.

Spoofing attacks are attacks in which one device attempts to pose as

another by falsifying data. There are multiple types of spoofing attacks.
For example, MAC address spoofing occurs when one computer accepts
data packets based on the MAC address of another computer.

DoS attacks make computer resources unavailable to intended users.

Attackers use various methods to launch DoS attacks.

As a network security professional, it is important to understand the

methods designed specifically for targeting these types of threats and
ensuring the security of the LAN.

In addition to preventing and denying malicious traffic, network security

also requires that data stay protected. Cryptography, the study and
practice of hiding information, is used pervasively in modern network
security. Today, each type of network communication has a corresponding

protocol or technology designed to hide that communication from anyone

other than the intended user.

Network data can be encrypted (made unreadable to unauthorized users)

using various cryptography applications. The conversation between two IP
phone users can be encrypted. The files on a computer can also be
encrypted. These are just a few examples. Cryptography can be used
almost anywhere that there is data communication. In fact, the trend is
toward all communication being encrypted.

Cryptography ensures data confidentiality, which is one of the three

components of information security: confidentiality, integrity, and
availability. Information security deals with protecting information and
information systems from unauthorized access, use, disclosure, disruption,
modification, or destruction. Encryption provides confidentiality by hiding
plaintext data, as shown in Figure 1. Data integrity, meaning that the data
is preserved unaltered during any operation, is achieved by the use of
hashing mechanisms. Availability, which is data accessibility, is
guaranteed by network hardening mechanisms and backup systems.

White hat

Term used to describe individuals that use their abilities to find vulnerabilities in
systems or networks, and then report these vulnerabilities to the owners of the
system so that they can be fixed.

Black hat

Term for individuals that use their knowledge of computer systems to break into
systems or networks that they are not authorized to use.

Hacker

General term that has historically been used to describe a computer

programming expert.

Cracker

Term that describes someone which attempts to gain unauthorized access with
malicious intent.

Phreaker

An individual that manipulates the phone network cause it to

perform a function that is normally not allowed, such as to make
free, long distance calls.

Captain Crunch (John Drapper)

Spammer

Individual that sends large quantities of unsolicited email messages.

Spammers often use viruses to take control of home computers to

send out their bulk messages.

Phisher

Individual uses email or other means in an attempt to trick others

into providing sensitive information, such as credit card numbers or
passwords.

The primary threats for end devices are viruses, worms, and Trojan horses:

A virus is malicious software that executes a specific unwanted, often

harmful, function on a computer.

A worm executes arbitrary code and installs copies of itself in the memory
of the infected computer. The main purpose of a worm is to automatically
replicate itself and spread across the network from system to system.

A Trojan horse is a non-self-replicating type of malware, often containing

malicious code, designed to look like something else, such as a legitimate
application or file. When an infected application or file is downloaded and
opened, the Trojan horse can attack the end device from within.

Despite the mitigation techniques that have emerged over the years, worms
have continued to evolve with the Internet and still pose a threat. While worms
have become more sophisticated over time, they still tend to be based on
exploiting weaknesses in software applications. Most worm attacks have three
major components, as shown in the figure:

Enabling vulnerability - A worm installs itself using an exploit

mechanism, such as an email attachment, an executable file, or a Trojan
horse, on a vulnerable system.

Propagation mechanism - After gaining access to a device, the worm

replicates itself and locates new targets.

Payload - Any malicious code that results in some action. Most often this
is used to create a backdoor to the infected host.

Worms are self-contained programs that attack a system to exploit a

known vulnerability. Upon successful exploitation, the worm copies itself
from the attacking host to the newly exploited system and the cycle
begins again.

When studying the malicious software attacks over the past 20 years, it
becomes clear that the various phases of attack methods employed by
hackers have similarities.

Probe - Vulnerable targets are identified. The goal is to find computers

that can be subverted. Internet Control Message Protocol (ICMP) ping

scans are used to map networks. Then the application scans and identifies
operating systems and vulnerable software. Hackers can obtain passwords
using social engineering, dictionary attacks, brute-force attacks, or
network sniffing.

Penetrate - Exploit code is transferred to the vulnerable target. The goal

is to get the target to execute the exploit code through an attack vector,
such as a buffer overflow, ActiveX or Common Gateway Interface (CGI)
vulnerabilities, or an email virus.

Persist - After the attack is successfully launched in the memory, the

code tries to persist on the target system. The goal is to ensure that the
attacker code is running and available to the attacker even if the system
reboots. This is achieved by modifying system files, making registry
changes, and installing new code.

Propagate - The attacker attempts to extend the attack to other targets

by looking for vulnerable neighboring machines. Propagation vectors
include emailing copies of the attack to other systems, uploading files to
other systems using file shares or FTP services, active web connections,
and file transfers through Internet Relay Chat (IRC).

Paralyze - Actual damage is done to the system. Files can be erased,

systems can crash, information can be stolen, and distributed DoS (DDoS)
attacks can be launched.

The term Trojan horse originated from Greek mythology. Greek warriors
offered the people of Troy (Trojans) a giant hollow horse as a gift, as shown in
the figure. The Trojans brought the giant horse into their walled city, unaware
that it contained many Greek warriors. At night, after most Trojans were
asleep, the warriors burst out of the horse and overtook the city.

In the world of computing, a Trojan horse is malware that carries out

malicious operations under the guise of a desired function. A Trojan horse
contains hidden, malicious code that exploits the privileges of the user
that runs it. Games can often have a Trojan horse attached to them. When
running the game, the game works, but in the background, the Trojan
horse has been installed on the user's system and continues running after
the game has been closed.

The Trojan horse concept is flexible. It can cause immediate damage,

provide remote access to the system, or access through a back door. It can
also perform actions as instructed remotely, such as "send me the
password file once per week."

Custom-written Trojan horses, such as Trojan horses with a specific target,

are difficult to detect.

Remote-access Trojan Horse - Enables unauthorized remote access

Data sending Trojan Horse - Provides the attacker with sensitive data,
such as passwords

Destructive Trojan Horse - Corrupts or deletes files

Proxy Trojan Horse - Users computer functions as a proxy server

FTP Trojan Horse (opens port 21) - Security software disabler Trojan
Horse (stops antivirus programs or firewalls from functioning)

Security software disabler Trojan horse - Stops antivirus programs

or firewalls from functioning.

DoS Trojan Horse - Slows or halts network activity

Buffer - An allocated area of memory used by processes to store data

temporarily.
Buffer overflow - Occurs when a fixed-length buffer reaches its capacity and a
process attempts to store data beyond that maximum limit. This can result in
extra data overwriting adjacent memory locations, as well as causing other
unexpected behaviors. A majority of the software vulnerabilities that are
discovered relate to buffer overflows. Buffer overflows are usually the primary
conduit through which viruses, worms, and Trojan Horses do their damage.

Reports suggest that one-third of the software vulnerabilities identified by

CERT relate to buffer overflows. As shown in the figure, a buffer is an
allocated area of memory used by processes to store data temporarily. A
buffer overflow occurs when a fixed-length buffer reaches its capacity and
a process attempts to store data beyond that maximum limit. This can
result in extra data overwriting adjacent memory locations, as well as
causing other unexpected behaviors. Buffer overflows are usually the
primary conduit through which viruses, worms, and Trojan horses do their
damage.

Viruses and Trojan horses tend to take advantage of local root buffer
overflows. A root buffer overflow is a buffer overflow intended to attain
root privileges to a system. Local root buffer overflows require the end
user or system to take some type of action. A local root buffer overflow is
typically initiated by a user opening an email attachment, visiting a
website, or exchanging a file via instant messaging.

Worms such as SQL Slammer and Code Red exploited remote root buffer
overflows. Remote root buffer overflows are similar to local root buffer
overflows, except that local end user or system intervention is not
required.

Viruses, worms, and Trojan horses can cause serious problems on

networks and end systems. Network administrators have several means of
mitigating these attacks.

Note: Mitigation techniques are often referred to in the security

community as countermeasures.

The primary means of mitigating virus and Trojan horse attacks is antivirus
software. Antivirus software helps prevent hosts from getting infected and
spreading malicious code. It requires much more time to clean up infected
computers than it does to maintain up-to-date antivirus software and
antivirus definitions on the same machines.

Antivirus software is the most widely deployed security product on the

market today. Several companies that create antivirus software, such as
Symantec, Computer Associates, McAfee, and Trend Micro, have been in
the business of detecting and eliminating viruses for more than a decade.
Many corporations and educational institutions purchase volume licensing
for their users. The users are able to log in to a website with their account
and download the antivirus software on their desktops, laptops, or servers.

Antivirus products have update automation options so that new virus

definitions and new software updates can be downloaded automatically or
on demand. This practice is the most critical requirement for keeping a
network free of viruses and should be formalized in a network security
policy.

Antivirus products are host-based. These products are installed on

computers and servers to detect and eliminate viruses. However, they do
not prevent viruses from entering the network, so a network security
professional must be aware of the major viruses and keep track of security
updates regarding emerging viruses.

Worms are more network-based than viruses. Worm mitigation requires

diligence and coordination on the part of network security professionals.
The response to a worm attack can be broken down into four phases:
containment, inoculation, quarantine, and treatment, as shown in the

figure.

The containment phase involves limiting the spread of a worm infection to

areas of the network that are already affected. This requires
compartmentalization and segmentation of the network to slow down or
stop the worm and prevent currently infected hosts from targeting and
infecting other systems. Containment requires using both outgoing and
incoming ACLs on routers and firewalls at control points within the
network.

The inoculation phase runs parallel to or subsequent to the containment

phase. During the inoculation phase, all uninfected systems are patched
with the appropriate vendor patch for the vulnerability. The inoculation
process further deprives the worm of any available targets. A network
scanner can help identify potentially vulnerable hosts. The mobile
environment prevalent on modern networks poses significant challenges.
Laptops are routinely taken out of the secure network environment and
connected to potentially unsecure environments, such as home networks.
Without proper patching of the system, a laptop can be infected with a
worm or virus and then bring it back into the secure environment of the
organizations network where it can infect other systems.

The quarantine phase involves tracking down and identifying infected

machines within the contained areas and disconnecting, blocking, or
removing them. This isolates these systems appropriately for the
treatment phase.

During the treatment phase, actively infected systems are disinfected of

the worm. This can involve terminating the worm process, removing
modified files or system settings that the worm introduced, and patching
the vulnerability the worm used to exploit the system. Alternatively, in
more severe cases, the system may need to be reinstalled to ensure that
the worm and its byproducts are removed.

Containment Phase

Limits the spread of a worm infection to areas of the network that

are already affected.

Compartmentalizes and segments the network to slow down or stop

the worm to prevent currently infected hosts from targeting and
infecting other systems.

Uses both outgoing and incoming ACLs on routers and firewalls at

control points within the network.

Inoculation Phase

Runs parallel to or subsequent to the containment phase.

All uninfected systems are patched with the appropriate vendor

patch for the vulnerability.

The inoculation process further deprives the worm of any available

targets.

Quarantine Phase

Tracks down and identifies infected machines within the contained

areas and disconnects, blocks, or removes them.

This isolates these systems appropriately for the Treatment Phase.

Treatment Phase

Actively infected systems are disinfected of the worm.

Terminates the worm process, removes modified files or system

settings that the worm introduced, and patches the vulnerability the
worm used to exploit the system.

In more severe cases, completely reinstalling the system to ensure

that the worm and its by products are removed.

There are four categories of attacks:

Malicious Code: Viruses, Worms and Trojan Horses

Reconnaissance Attacks - Involves the unauthorized discovery

and mapping of systems, services, or vulnerabilities.

Access Attacks - Exploits known vulnerabilities in authentication

services, FTP services, and web services to gain entry to web
accounts, confidential databases, and other sensitive information.

Denial of Service (DoS) Attacks - Sends extremely large

numbers of requests over a network or the Internet.

These excessive requests cause the target device to run suboptimally.

Consequently, the attacked device becomes unavailable for

legitimate access and use.

Reconnaissance Attacks

Reconnaissance attacks involve the unauthorized discovery and mapping

of systems, services, or vulnerabilities. Reconnaissance attacks often
employ the use of packet sniffers and port scanners, which are widely
available as free downloads on the Internet. Reconnaissance is analogous
to a thief surveying a neighborhood for vulnerable homes to break into,
such as an unoccupied residence or a house with an easy-to-open door or
window.

Access Attacks

Access attacks exploit known vulnerabilities in authentication services, FTP

services, and web services to gain entry to web accounts, confidential
databases, and other sensitive information. An access attack can be
performed in many different ways. An access attack often employs a
dictionary attack to guess system passwords. There are also specialized
dictionaries for different languages that can be used.

DoS Attacks

DoS attacks send extremely large numbers of requests over a network or

the Internet. These excessive requests cause the target device to run suboptimally. Consequently, the attacked device becomes unavailable for
legitimate access and use. By executing exploits or combinations of
exploits, DoS attacks slow or crash applications and processes.

Reconnaissance is also known as information gathering and, in most

cases, precedes an access or DoS attack. In a reconnaissance attack, the
malicious intruder typically begins by conducting a ping sweep of the target
network to determine which IP addresses are active. The intruder then
determines which services or ports are available on the live IP addresses.
Nmap is the most popular application for performing port scans. From the port
information obtained, the intruder queries the ports to determine the type
and version of the application and operating system that is running on the
target host. In many cases, the intruders look for vulnerable services that can
be exploited later when there is less likelihood of being caught.
Reconnaissance attacks use various tools to gain access to a network:

Packet sniffers

Ping sweeps (Click Play in the animation.)

Port scans

Internet information queries

DNS queries can reveal information, such as who owns a particular domain
and what addresses have been assigned to that domain. Use tools such as
whois, nslookup,

A packet sniffer is a software application that uses a network adapter card

in promiscuous mode to capture all network packets that are sent across a
LAN. Promiscuous mode is a mode in which the network adapter card
sends all packets that are received to an application for processing. Some
network applications distribute network packets in unencrypted plaintext.
Because the network packets are not encrypted, they can be understood
by any application that can pick them off the network and process them.

Click Play in the animation to see how packet sniffers function.

Packet sniffers can only work in the same collision domain as the network
being attacked, unless the attacker has access to the intermediary
switches. Numerous freeware and shareware packet sniffers, such as
Wireshark, are available.

When used as legitimate tools, ping sweep and port scan applications run
a series of tests against hosts and devices to identify vulnerable services.
The information is gathered by examining IP addressing and port, or
banner, data on both Transmission Control Protocol (TCP) and User
Datagram Protocol (UDP) ports. An attacker uses this information to
compromise the system.

Internet information queries can reveal information such as who owns a

particular domain and what addresses have been assigned to that domain.
They can also reveal who owns a particular IP address and which domain
is associated with the address. Click Play in Figure 1 to view an Internet
information query animation.

A ping sweep is a basic network scanning technique that determines which

range of IP addresses map to live hosts. A single ping indicates whether
one specified host computer exists on the network. A ping sweep consists
of ICMP echo requests sent to multiple hosts. If a given address is live, the
address returns an ICMP echo reply. Ping sweeps are among the older and
slower methods used to scan a network. Click Play in Figure 2 to view a
ping sweep animation.

Each service on a host is associated with a well-known port number. Port

scanning is a scan of a range of TCP or UDP port numbers on a host to
detect listening services. It consists of sending a message to each port on
a host. The response that the sender receives indicates whether the port is
used. Click Play in Figure 3 to view a port scanning animation.

Ping sweeps of addresses revealed by Internet information queries can

present a list of the live hosts in a particular environment. After such a list
is generated, port scanning tools can cycle through all well-known ports to
provide a complete list of all services that are running on the hosts that
the ping sweep discovered. Hackers can then examine the characteristics
of active applications, which can lead to specific information that is useful
to a hacker whose intent is to compromise that service.
Reconnaissance attacks are typically the precursor to additional attacks,
with the intent of gaining unauthorized access to a network or disrupting
network functionality. A network security professional can detect when a
reconnaissance attack is underway by receiving notifications from
preconfigured alarms. These alarms are triggered when certain
parameters are exceeded, such as the number of ICMP requests per
second. A variety of technologies and devices can be used to monitor this
type of activity and generate an alarm. Ciscos Adaptive Security
Appliance (ASA) provides intrusion prevention in a standalone device.
Additionally, the Cisco ISR supports network-based intrusion prevention
through the Cisco IOS security image.

Hackers use access attacks on networks or systems for three reasons:

retrieve data, gain access, and escalate access privileges.

Access attacks often employ password attacks to guess system

passwords. Password attacks can be implemented using several methods,
including brute-force attacks, Trojan horse programs, IP spoofing, and
packet sniffers. However, most password attacks refer to brute-force
attacks, which involve repeated attempts based on a built-in dictionary to
identify a user account or password.

A brute-force attack is often performed using a program that runs across

the network and attempts to log in to a shared resource, such as a server.
After an attacker gains access to a resource, the attacker has the same

access rights as the user account that was compromised. If this account
has sufficient privileges, the attacker can create a back door for future
access without concern for any status and password changes to the
compromised user account.

As an example, a user can run the L0phtCrack, or LC5, application to

perform a brute-force attack to obtain a Windows server password. When
the password is obtained, the attacker can install a keylogger, which sends
a copy of all keystrokes to a desired destination. In another example, a
Trojan horse can be installed to send a copy of all packets sent and
received by the target to a particular destination, thus enabling the
monitoring of all the traffic to and from that server.

There are five types of access attacks:

Password attack - An attacker attempts to guess system passwords. A

common example is a dictionary attack. Figure 1 shows an example of a
password attack.

Hackers implement password attacks using the following:

Brute-force attacks - An access attack method that involves a software
program attempting to discover a system password by using an electronic
dictionary.
Trojan horse programs
IP spoofing
Packet sniffers
Manipulating users

L0phtCrack loft-crack takes the hashes of passwords and generates the

plaintext passwords from them

Passwords are compromised using one of two methods:

1. Dictionary cracking
2. Brute-force computation

Trust exploitation - An attacker uses privileges granted to a system in

an unauthorized way, possibly leading to compromising the target. Click
Play in the animation in Figure 2 to view an example of trust exploitation.

Trust exploitation refers to an individual taking advantage of a trust

relationship within a network.
An example of when trust exploitation takes place is when a perimeter
network is connected to a corporate network.
These network segments often contain DNS, SMTP, and HTTP servers.

Because these servers all reside on the same segment, a compromise of one
system can lead to the compromise of other systems if those other systems
also trust systems that are attached to the same network.
Another example of trust exploitation is a Demilitarized Zone (DMZ) host that
has a trust relationship with an inside host that is connected to the inside
firewall interface.
The inside host trusts the DMZ host. When the DMZ host is compromised, the
attacker can leverage that trust relationship to attack the inside host.

A hacker leverages existing trust relationships.

Several trust models exist:

Windows:

Domains

Active directory

Linux and UNIX:

NIS

NIS+

Port redirection - A compromised system is used as a jump-off point for

attacks against other targets. A type of trust-exploitation that uses a
compromised host as a jump-off point for attacks against other targets. An
intrusion tool is installed on the compromised system for session
redirection. It does this in order to pass traffic through a firewall that would
otherwise be dropped. A port redirection attack is shown in Figure 3.

A port redirection attack is a type of trust exploitation attack that uses a

compromised host to pass traffic through a firewall that would otherwise have
been dropped.
Port redirection bypasses the firewall rule sets by changing the normal source
port for a type of network traffic.
You can mitigate port redirection by using proper trust models that are
network-specific.

Assuming a system is under attack, an IPS can help detect a hacker and
prevent installation of such utilities on a host.

The host outside the network can reach the host on the public services
segment (Host A), but not the host on the inside (Host B). The host on the
public services segment can reach the host on both the outside and the
inside. If hackers are able to compromise the public services segment host,
they can install software to redirect traffic from the outside host directly to
the inside host. Though neither communication violates the rules that are
implemented in the firewall, the outside host has now achieved connectivity
to the inside host through the port redirection process on the public services
host. An example of an application that provides that type of access is Netcat.

Man-in-the-middle attack - An attacker is positioned in the middle of

communications between two legitimate entities in order to read or modify
the data that passes between the two parties. A popular man-in-themiddle attack involves a laptop acting as a rogue access point to capture
and copy all network traffic from a targeted user. Often the user is in a
public location on a wireless hotspot. In Figure 4, click each blue numbered
button to learn more about that step in the man-in-the-middle attack.

MITM attacks have these purposes:

Theft of information

Hijacking of an ongoing session to gain access to your internal network

resources
Traffic analysis to obtain information about your network and network users
DoS
Corruption of transmitted data
Introduction of new information into network sessions
An example of a MITM attack is when someone working for your ISP gains
access to all network packets that transfer between your network and any
other network.

Buffer overflow - A program writes data beyond the allocated buffer

memory. Buffer overflows usually arise as a consequence of a bug in a C or
C++ program. A result of the overflow is that valid data is overwritten or
exploited to enable the execution of malicious code. A buffer overflow
attack is illustrated in Figure 5. In this example, an attacker exploits a
weakness in an application by submitting an extra-long input to the
program, creating a buffer overflow. The overflow can be used to modify
the values of program variables and cause the program to jump to
unintended places, or even replace valid program instructions with
arbitrary code.

A program writes data beyond the allocated buffer memory.

Buffer overflows usually arise as a consequence of a bug in a C or C++
program.
A result of the overflow is that valid data is overwritten or exploited to enable
the execution of malicious code.
The overflow can be used to modify the values of program variables and
cause the program to jump to unintended places, or even replace valid
program instructions with arbitrary code.
Mitigating Access Attacks

Access attacks in general can be detected by reviewing logs, bandwidth

utilization, and process loads.

The network security policy should specify that logs are formally
maintained for all network devices and servers, as shown in the figure. By
reviewing logs, network security personnel can determine if an unusual
number of failed login attempts have occurred. Software packages such as
ManageEngineEventLog Analyzer or Cisco Secure Access Control Server
(ACS) (CSACS) maintain information regarding failed login attempts to
network devices. UNIX and Windows servers also keep a log of failed login
attempts. Cisco routers and firewall devices can be configured to prevent
login attempts for a given time, from a particular source, and after a
prescribed number of failures within a specified amount of time.

Man-in-the-middle attacks often involve replicating data. An indication of

such an attack is an unusual amount of network activity and bandwidth
utilization, as indicated by network monitoring software.

Similarly, an access attack resulting in a compromised system would likely

be revealed by sluggish activity due to ongoing buffer overflow attacks, as
indicated by active process loads viewable on a Windows or a UNIX
system.

A DoS attack is a network attack that results in some sort of interruption of

service to users, devices, or applications.

There are two major reasons a DoS attack occurs:

A host or application fails to handle an unexpected condition, such

as maliciously formatted input data, an unexpected interaction of
system components, or simple resource exhaustion.

A network, host, or application is unable to handle an enormous

quantity of data, causing the system to crash or become extremely
slow.

A DoS attack is a network attack that results in some sort of interruption of

service to users, devices, or applications. Several mechanisms can
generate a DoS attack. The simplest method is to generate large amounts
of what appears to be valid network traffic. This type of network DoS
attack saturates the network so that valid user traffic cannot get through.

Click Play in the animation to view an example of a DoS attack.

A DoS attack takes advantage of the fact that target systems, such as
servers, must maintain state information. Applications may rely on
expected buffer sizes and specific content of network packets. A DoS
attack can exploit this by sending packet sizes or data values that are not
expected by the receiving application.

There are two major reasons a DoS attack occurs:

A host or application fails to handle an unexpected condition, such as

maliciously formatted input data, an unexpected interaction of system
components, or simple resource exhaustion.

A network, host, or application is unable to handle an enormous quantity

of data, causing the system to crash or become extremely slow.

DoS attacks attempt to compromise the availability of a network, host, or

application. They are considered a major risk because they can easily
interrupt a business process and cause significant loss. These attacks are
relatively simple to conduct, even by an unskilled attacker.

A Distributed DoS Attack (DDoS) is similar in intent to a DoS attack,

except that a DDoS attack originates from multiple coordinated sources.

One example of a DoS attack is sending a poisonous packet. A poisonous

packet is an improperly formatted packet designed to cause the receiving
device to process the packet in an improper manner. The poisonous packet
causes the receiving device to crash or run very slowly. This attack can
cause all communications to and from the device to be disrupted. In
another DoS example, an attacker sends a continuous stream of packets
to a specific device. This can overwhelm the available resources of the end
device, causing the device to be unresponsive.

A Distributed DoS Attack (DDoS) is similar in intent to a DoS attack, except

that a DDoS attack originates from multiple coordinated sources. A DDoS
attack requires the network security professional to identify and stop
attacks from distributed sources while managing an increase in traffic.

As an example, a DDoS attack could proceed as follows:

A hacker scans for systems that are accessible.

After the hacker accesses several "handler" systems, the hacker installs
zombie software on them.

Zombies then scan and infect agent systems.

When the hacker accesses the agent systems, the hacker loads remotecontrol attack software to carry out the DDoS attack.

Click Play in Figures 1 and 2 to view the animations of a DoS attack and a
DDoS attack, respectively.

Three common DoS attacks include:

Ping of Death

In a ping of death attack, a hacker sends an echo request in an IP packet

larger than the maximum packet size of 65,535 bytes. Sending a ping of
this size can crash the target computer. A variant of this attack is to crash
a system by sending ICMP fragments, which fill the reassembly buffers of
the target. Click Play in Figure 1 to view an animation of a ping of death.

Smurf Attack

In a smurf attack, shown in Figure 2, a perpetrator sends a large number

of ICMP requests to directed broadcast addresses, all with spoofed source
addresses on the same network as the respective directed broadcast. If
the routing device delivering traffic to those broadcast addresses forwards
the directed broadcasts, all hosts on the destination networks send ICMP
replies, multiplying the traffic by the number of hosts on the networks. On
a multi-access broadcast network, hundreds of machines might reply to
each packet.

TCP SYN Flood Attack

As shown in Figure 3, a TCP SYN flood attack sends a flood of TCP SYN
packets, often with a forged sender address. Each packet is handled like a
connection request, causing the server to initiate a half-open connection
by sending back a TCP SYN-ACK packet and waiting for a packet in
response from the sender address. However, because the sender address
is forged, the response never comes. These half-open connections
saturate the number of available connections the server is able to make,

keeping it from responding to legitimate requests until after the attack

ends.

There are five basic ways that DoS attacks can do harm:
1. Consumption of resources, such as bandwidth, disk space, or processor
time.
2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP
sessions.
4. Disruption of physical network components.
5. Obstruction of communication between the victim and others.

Reconnaissance attacks can be mitigated in several ways, as shown in the figure.

Using strong authentication is a first option for defense against packet

sniffers. Strong authentication is a method of authenticating users that
cannot easily be circumvented. A one-time password (OTP) is a form of
strong authentication. OTPs utilize two-factor authentication, which
combines something one has, such as a token card, with something one
knows, such as a PIN. Automated teller machines (ATMs) use two-factor
authentication.

Encryption is also effective for mitigating packet sniffer attacks. If traffic is

encrypted, using a packet sniffer is of little use because captured data is
not readable.

Anti-sniffer software and hardware tools detect changes in the response

time of hosts to determine whether the hosts are processing more traffic
than their own traffic loads would indicate. While this does not completely
eliminate the threat, as part of an overall mitigation system, it can reduce
the number of instances of threat.

A switched infrastructure is the norm today, which makes it difficult to

capture any data, except for the data in your immediate collision domain,
which probably contains only one host. A switched infrastructure does not
eliminate the threat of packet sniffers, but can greatly reduce the sniffers
effectiveness.

It is impossible to mitigate port scanning, but using an intrusion

prevention system (IPS) and firewall can limit the information that can be
discovered with a port scanner. Ping sweeps can be stopped if ICMP echo
and echo-reply are turned off on edge routers; however, when these
services are turned off, network diagnostic data is lost. Additionally, port
scans can be run without full ping sweeps. The scans simply take longer
because inactive IP addresses are also scanned.

Several techniques are also available for mitigating access attacks, as shown
in the figure.

A surprising number of access attacks are carried out through simple

password guessing or brute-force dictionary attacks against passwords.
The use of encrypted or hashed authentication protocols, along with a
strong password policy, greatly reduces the probability of successful
access attacks. There are specific practices that help to ensure a strong
password policy:

Disable accounts after a specific number of unsuccessful logins. This

practice helps to prevent continuous password attempts.

Do not use plaintext passwords. Use either a one-time password or

encrypted password.

Use strong passwords. Strong passwords are at least eight characters and
contain uppercase letters, lowercase letters, numbers, and special
characters.

The network should be designed using the principle of minimum trust. This
means that systems should not use one another unnecessarily. For
example, if an organization has a trusted server that is used by untrusted
devices, such as web servers, the trusted server should not trust the
untrusted devices unconditionally.

Cryptography is a critical component of any modern secure network. Using

encryption for remote access to a network is recommended. Routing
protocol traffic should also be encrypted. The more that traffic is
encrypted, the less opportunity hackers have for intercepting data with
man-in-the-middle attacks.

Mitigating DoS Attacks

IPS and firewalls (Cisco ASAs and ISRs)

Antispoofing technologies

Quality of Service-traffic policing

Anti-DoS features on routers and firewalls:

Proper configuration of anti-DoS features on routers and

firewalls can help limit the effectiveness of an attack.

These features often involve limits on the amount of halfopen TCP connections that a system allows at any given
time.

Anti-spoof features on routers and firewalls:

Proper configuration of anti-spoof features on your routers

and firewalls can reduce your risk of attack.

These features include an appropriate filtering with access

lists, unicast reverse path forwarding that looks up the

routing table to identify spoofed packets, disabling of

source route options, and others.
Companies with a high-profile Internet presence should plan in advance how
to respond to potential DoS attacks with proposed mitigation techniques, as
shown in the figure. Historically, many DoS attacks were sourced from
spoofed source addresses. These types of attacks can be thwarted using
antispoofing technologies on perimeter routers and firewalls. Many DoS
attacks today are distributed DoS attacks carried out by compromised hosts
on several networks. Mitigating DDoS attacks requires careful diagnostics,
planning, and cooperation from ISPs. The most important elements for
mitigating DoS attacks are firewalls and IPSs.

Cisco routers and switches support a number of antispoofing technologies,

such as port security, Dynamic Host Configuration Protocol (DHCP)
snooping, IP Source Guard, Dynamic Address Resolution Protocol (ARP)
Inspection, and access control lists (ACLs).

Lastly, although Quality of Service (QoS) is not designed as a security

technology, one of its applications, traffic policing, can be used to limit
ingress traffic from any given customer on an edge router. This limits the
impact a single source can have on ingress bandwidth utilization.

Port scanning and ping sweeping is not a crime and there is no way to stop these
scans and sweeps when a computer is connected to the Internet.

Ping sweeps can be stopped if ICMP echo and echo-reply are turned off on
edge routers.

However, when these services are turned off, network diagnostic data is
lost.

Packet Sniffer Mitigation

Authentication

Strong authentication is a first line for defense.

Cryptography

Anti-sniffer tools

If a communication channel is cryptographically secure, the only

data a packet sniffer detects is cipher text.

Anti-sniffer tools detect changes in the response time of hosts to

determine whether the hosts are processing more traffic than their
own traffic loads would indicate.

Switched infrastructure

A switched infrastructure obviously does not eliminate the threat of

packet sniffers, but can greatly reduce the snifferseffectiveness.

Password attack mitigation techniques include:

Do not allow users to use the same password on multiple systems.

Disable accounts after a certain number of unsuccessful login

attempts.

Use OTP (One-Time Password) or a cryptographic password is

recommended.

Use strong passwords that are, at least, eight characters long and
contain uppercase letters, lowercase letters, numbers, and special
characters.

Do not use plaintext passwords.

Mitigating Access Attacks

Trust Exploitation Attack Mitigation

Trust levels within a network should be tightly restrained by ensuring that

systems inside a firewall never absolutely trust systems outside the firewall.
Mitigating Access Attacks
Man-in-the-Middle Mitigation

Man-in-the-middle attacks can be effectively mitigated only through

the use of cryptography (encryption).
Mitigating Access Attacks
IP Spoofing Attack Mitigation

The threat of IP spoofing can be reduced, but not eliminated,

using these measures:

Access control configuration

Encryption

RFC 3704 filtering

Additional authentication requirement that does not use IP

address-based authentication; examples are:

Cryptographic (recommended)

Strong, two-factor, OTP

Access Control Configuration

The most common method for preventing IP spoofing is to properly
configure access control. To reduce the effectiveness of IP spoofing,
configure the access control list (ACL) to deny any traffic from the
external network that has a source address that should reside on the
internal network. This configuration helps to prevent spoofing attacks
only if the internal addresses are the only trusted addresses. If some
external addresses are trusted, this method is not effective.
Encryption
Another possible way to prevent IP spoofing is to encrypt all network
traffic to prevent source and destination hosts from being
compromised.
RFC 3704 Filtering

You can prevent your network users from spoofing other networks
(and be a good Internet citizen at the same time) by preventing
any outbound traffic on your network that does not have a source
address in your the IP range of your organization. This filtering
denies any traffic that does not have the source address that was
expected on a particular interface. For example, if an ISP is
providing a connection to the IP address 15.1.1.0/24, the ISP
could filter traffic so that only traffic sourced from address
15.1.1.0/24 can enter the ISP router from that interface. Note that
unless all ISPs implement this type of filtering, the effectiveness
is significantly reduced.

RFC 3704 covers ingress filtering for multihomed networks. It

updates RFC 2827.

RFC 2827 defines filters to drop packets that come from source
addresses within 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12,
192.168.0.0/16, 224.0.0.0/4, or 240.0.0.0/4. This source address is
a so-called Martian Address.

Additional Authentication
The most effective method for mitigating the threat of IP spoofing is to
eliminate the attacks effectiveness. IP spoofing can function correctly
only when devices use IP address-based authentication; therefore, if
you use additional authentication methods, IP spoofing attacks are
irrelevant. Cryptographic authentication is the best form of additional
authentication. However, when cryptographic authentication is not
possible, strong two-factor authentication using OTPs can also be
effective.
Mitigating Network Attacks
10 Best Practices
1. Keep patches current by installing them weekly or daily, if
possible, to prevent buffer overflow and privilege escalation
attacks.
2. Shut down unnecessary services and ports.
3. Use strong passwords and change them often.
4. Control physical access to systems.
5. Avoid unnecessary web page inputs.

Some websites allow users to enter usernames and

passwords.

A hacker can enter more than just a username.

For example, entering jdoe; rm -rf / might allow an attacker

to remove the root file system from a UNIX server.

Programmers should limit input characters and not accept

invalid characters, such as | ; < > as input.

6. Perform backups and test the backed up files on a regular basis.

7. Educate employees about the risks of social engineering, and
develop strategies to validate identities over the phone, via
email, or in person.

http://www.networkworld.com/news/2010/091610-socialnetworks.html?source=NWWNLE_nlt_daily_pm_2010-09-16

http://searchsecurity.techtarget.com/news/1519804/Phishin
g-attacks-target-users-of-Facebook-other-social-networks?
asrc=EM_NLN_12420860&track=NL-102&ad=784799&

8. Encrypt and password-protect sensitive data.

9. Implement security hardware and software such as firewalls,

Intrusion Prevention Systems (IPSs), Virtual Private Network
(VPN) devices, antivirus software, and content filtering.
10.

Develop a written security policy for the company.

The Cisco Network Foundation Protection (NFP) framework

provides comprehensive guidelines for protecting the network
infrastructure. These guidelines form the foundation for
continuous delivery of service.

NFP logically divides routers and switches into three functional

areas, as shown in the figure:

Control plane - Responsible for routing data correctly. Control

plane traffic consists of device-generated packets required for the
operation of the network itself such as ARP message exchanges
or OSPF routing advertisements.

Management plane - Responsible for managing network elements.

Management plane traffic is generated either by network devices
or network management stations using processes and protocols
such as Telnet, SSH, TFTP, FTP, NTP, AAA, SNMP, syslog, TACACS+,
RADIUS, and NetFlow.

Data plane (Forwarding plane) - Responsible for forwarding data.

Data plane traffic normally consists of user-generated packets
being forwarded between end stations. Most traffic travels
through the router, or switch, via the data plane. Data plane
packets are typically processed in fast-switching cache.

Control plane traffic consists of device-generated packets required for the

operation of the network itself. Control plane security can be implemented
using the following features, as shown in the figure:

Cisco AutoSecure - Cisco AutoSecure provides a one-step device

lockdown feature to protect the control plane and the management and
data planes. It is a script that is initiated from the CLI to configure the
security posture of routers. The script disables nonessential system
processes and services. It first makes recommendations to address
security vulnerabilities and then modifies the router configuration.

Routing protocol authentication - Routing protocol authentication, or

neighbor authentication, prevents a router from accepting fraudulent
routing updates. Most routing protocols support neighbor authentication.

Control Plane Policing (CoPP) - CoPP is a Cisco IOS feature designed to

allow users to control the flow of traffic that is handled by the route
processor of a network device.

CoPP is designed to prevent unnecessary traffic from overwhelming the

route processor. The CoPP feature treats the control plane as a separate
entity with its own ingress (input) and egress (output) ports. A set of rules
can be established and associated with the ingress and egress ports of the
control plane.

CoPP consists of the following features:

Control Plane Policing (CoPP) - Allows users to configure a QoS filter

that manages the traffic flow of control plane packets. This protects the
control plane against reconnaissance and DoS attacks.

Control Plane Protection (CPPr) - An extension of CoPP that allows for

policing granularity. For example, CPPr can filter and rate-limit the packets
that go to the control plane of the router and discard malicious and error
packets (or both).

Control plane logging - Enables the logging of packets that CoPP or CPPr
drop or permit. It provides the logging mechanism needed to deploy,
monitor, and troubleshoot CoPP features efficiently.

Note: Further detail on securing the control plane is beyond the scope of
this course.

Management plane traffic is generated either by network devices or

network management stations using processes and protocols such as
Telnet, SSH, TFTP, and FTP, etc. The management plane is a very
attractive target to hackers. For this reason, the management module was
built with several technologies designed to mitigate such risks.

The information flow between management hosts and the managed

devices can be out-of-band (OOB), where information flows within a
network on which no production traffic resides or in-band, where
information flows across the enterprise production network, the Internet,
or both.

Management plane security can be implemented using the following

features, as shown in the figure:

Login and password policy - Restricts device accessibility. Limits the

accessible ports and restricts the who and how methods of access.

Present legal notification - Displays legal notices. These are often

developed by legal counsel of a corporation.

Ensure the confidentiality of data - Protects locally stored sensitive

data from being viewed or copied. Uses management protocols with
strong authentication to mitigate confidentiality attacks aimed at exposing
passwords and device configurations.

Role-based access control (RBAC) - Ensures access is only granted to

authenticated users, groups, and services. RBAC and authentication,
authorization, and accounting (AAA) services provide mechanisms to
effectively manage access control.

Authorize actions - Restricts the actions and views that are permitted by
any particular user, group, or service.

Enable management access reporting - Logs and accounts for all

access. Records who accessed the device, what occurred, and when it
occurred.

RBAC restricts user access based on the role of the user. Roles are created
according to job or task functions, and assigned access permissions to
specific assets. Users are then assigned to roles, and are granted the
permissions that are defined for that role.

In Cisco IOS, the role-based CLI access feature implements RBAC for router
management access. The feature creates different views that define
which commands are accepted and what configuration information is
visible. For scalability, users, permissions, and roles are usually created

and maintained in a central repository server. This makes the access

control policy available to multiple devices. The central repository server
can be an AAA server, such as the Cisco Secure Access Control System
(ACS), which provides AAA services to a network for management
purposes.

Data plane traffic consists mostly of user-generated packets being

forwarded through the router via the data plane. Data plane security can
be implemented using ACLs, antispoofing mechanisms, and Layer 2
security features, as shown in the figure.

ACLs perform packet filtering to control which packets move through the
network and where those packets are allowed to go. ACLs are used to
secure the data plane in a variety of ways, including:

Blocking unwanted traffic or users - ACLs can filter incoming or

outgoing packets on an interface. They can be used to control access
based on source addresses, destination addresses, or user authentication.

Reducing the chance of DoS attacks - ACLs can be used to specify

whether traffic from hosts, networks, or users access the network. The TCP
intercept feature can also be configured to prevent servers from being
flooded with requests for a connection.

Mitigating spoofing attacks - ACLs allow security practitioners to

implement recommended practices to mitigate spoofing attacks.

Providing bandwidth control - ACLs on a slow link can prevent excess

traffic.

Classifying traffic to protect the Management and Control planes ACLs can be applied on the vtylines.

ACLs can also be used as an antispoofing mechanism by discarding traffic

that has an invalid source address. This forces attacks to be initiated from
valid, reachable IP addresses, allowing the packets to be traced to the
originator of an attack.

Features, such as Unicast Reverse Path Forwarding (uRPF), can be used to

complement the antispoofing strategy.

Cisco Catalyst switches can use integrated features to help secure the
Layer 2 infrastructure. The following Layer 2 security tools are integrated
into the Cisco Catalyst switches:

Port security - Prevents MAC address spoofing and MAC address flooding
attacks.

DHCP snooping - Prevents client attacks on the DHCP server and switch.

Dynamic ARP Inspection (DAI) - Adds security to ARP by using the

DHCP snooping table to minimize the impact of ARP poisoning and
spoofing attacks.

IP Source Guard - Prevents spoofing of IP addresses by using the DHCP

snooping table.

This course focuses on the various technologies and protocols used to

secure the Management and Data planes.