The documentation for popular network security products often lists types of network intrusions and attacks that the products offer protection against. We hear a lot about denial of service (DoS) attacks and how certain software applications (such as Microsoft Outlook) are vulnerable to “hacker exploits.” You read about the Teardrop attack, the Land attack, the Syn attack, and the especially ominous-sounding “ping of death.” However, in many cases, only vague information is given—if any at all—about how each of these colorfully named attack types works or the differences between them.
In the hacker world, a well-known truism is that knowledge is power. This applies to the network professional as well. If you understand how common intrusions and attacks work, you can turn would-be attackers’ own weapon—knowledge—against them to protect your network and safeguard your data, system operations, and access.
In this Daily Drill Down, I’ll discuss some of the most commonly encountered types of intrusions and attacks, and I’ll explain what’s really going on when a hacker comes calling on your network.
Categorizing network attacks
We can categorize network attacks in several ways:
- By where the attack originated (on the internal LAN or from an external source on the Internet)
- By whether the attacker actually enters your network and compromises the security of your data or whether the attacker merely attempts to prevent your network users from accessing data and services
- By the motivation of the attacker
- By the technical details of how the attack works and what vulnerability is being exploited
Let’s discuss each of these categories briefly before we address specific attacks.
Internal vs. external attacks
An attack can originate from inside the local network, or it can be perpetrated from the outside, across the Internet or another internetwork.
First, I’ll focus on internal threats. Just as it is easy for employees of a retail establishment to steal merchandise because they have physical access, it is easy for legitimate network users to steal, modify, or destroy data or plant malicious code on the network because they don’t have to worry about “getting inside.”
Some internal “attacks” may not be true attacks at all but rather mistakes made by network users that result in loss or compromise of data. Although not deliberate, this threat to your data can be just as damaging, so it is important to take steps to guard against it.
A common mistake is focusing entirely on external threats when designing a security plan. While it is important to protect the network perimeter—where your LAN connects to the Internet—it is equally important to consider internal threats. To address internal threats, you should:
- Limit physical access to servers, hubs, switches, routers, and other network devices.
- Use access control features of your network operating system—permissions and user rights—to give users access to only those resources they need to do their jobs.
- Enable auditing to track users’ successful and failed attempts to access sensitive data.
- In a high-security environment, perform intensive background checks of potential employees and contractors.
- In a high-security environment, lock down machines and remove floppy drives, CD-ROM drives, and other means of introducing data via removable media.
Now let’s consider external threats. Although internal threats may be more insidious, the unknown enemy who attacks from across town or across the globe presents a more frightening image. Now that most company networks and even home computer users are connected to the Internet at least part of the time, and as more of these connections become full-time dedicated ones with static IP addresses, the threat from “out there” has become very real. Most of the specific attack types I’ll discuss generally originate from the Internet.
Protecting your Internet-connected network from external intrusions and attacks requires a good, multilevel, well-thought-out security plan. Your first line of defense should be a firewall of some sort at the outer perimeter of your network. This can be a hardware solution, such as Cisco’s PIX and other dedicated firewall products, or a software solution, such as Microsoft’s ISA Server, which runs on top of Windows 2000 Server. You may also want to create a DMZ, or perimeter network, which is a sort of “buffer zone” between the external network and your LAN. For more information, see “To DMZ or not to DMZ.”
Intrusion vs. nonintrusion attacks
Although any attack on your network may feel like an intrusion, you can differentiate between those in which the data on your network is the target of the attack and those in which the aim of the attacker is to bring down your network (or someone else’s, in the case of distributed denial of service attacks) and prevent legitimate users from gaining access.
We could compare the two types of attacks to real-world criminals: one who breaks into your home and steals your TV, stereo, and jewelry vs. one who vandalizes your property and stuffs metal shavings in the keyholes of your locks so that you can’t get into your house. Although the second type of attack is annoying and may cost you money for the services of a locksmith, your property inside is not taken or damaged. Likewise, a denial of service attack can result in lost productivity and can cost the company money, but your data is not at risk.
Motivations of network attackers
Asking why hackers hack into networks may be a little like asking why a mountain climber climbs the mountain. In both cases, the answer may be simply: because it’s there. However, like mountain climbers, not all hackers have the same motivation. We can break reasons for hacking into a few broad categories:
- Hacking for love (love of hacking, that is): These are the recreational hackers, who do it just for fun.
- Ego hacking: These are members of the “hacker society,” who do it to prove their technical prowess to themselves and/or others.
- Hacking for money: This includes the professional “hacker for hire” who is paid by others to break into a network for corporate espionage or other reasons, and the folks who attempt to transfer funds to their own accounts, erase records of their debts, or commit other acts for personal gain.
- Crime-of-passion hacking: These folks are the most serious of all—and the most dangerous. They include disgruntled customers, former employees, angry competitors, or those with a personal grudge.
The scope of the damage is often—though not always—tied to the motivation of the hacker, as is the extent of protection necessary. Recreational or ego hackers usually pick victim networks at random, while people who are hacking for remuneration or revenge generally have a specific target and are usually much more determined to accomplish their goals. Of course, there are also “hybrid hackers,” who have multiple motivations.
What do you want to exploit today?
Another way to categorize attacks is by the technical aspect; different attack types exploit different vulnerabilities. For example, an attack that exploits the bugs in a user application is a risk only to those who use that application. An attack that exploits security holes in an operating system is likely to put a larger group at risk, because most computers run one of only a few common operating systems (Windows, UNIX, Linux, NetWare). Most universally dangerous is the attack that uses the characteristics of a networking protocol, particularly TCP/IP, the protocol run by every computer on the Internet. Many common attacks are based on creative exploitation of some weakness or characteristic of a member of the TCP/IP protocol suite.
Application exploits that have gotten a lot of publicity recently are those that use the advanced features of productivity programs, such as the Microsoft Office applications, to do their insidious work. Because modern versions of Word and other Office programs allow you to create macros or use Visual Basic for Applications to automate functions, hackers can insert malicious code into Office documents, which can then be sent to a destination on your network as e-mail attachments.
Microsoft Outlook and other sophisticated e-mail clients, as well as Microsoft’s Internet Information Server (IIS), are vulnerable to this. Because these e-mail clients allow you to receive HTML-formatted e-mail, they are also vulnerable to exploits that embed malicious Java applets or VBScript into an HTML document. These applications then run on the destination computer and can introduce a virus, collect data and send it back to the originator, delete data from your hard disk, or perform other unwanted actions.
Operating system exploits
Hackers can exploit bugs in an operating system to gain access to your system as well. The Windows 9x operating systems are inherently insecure. Operating system components can be subject to buffer overflows, in which more bytes or characters are written into a buffer than the programmer writing the software allowed space for. This can cause the system to crash.
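As an added illustration (not code from the original article), the following C program shows the defect described above beside a bounds-checked version. The `login_record` structure, the 16-byte `NAME_MAX` limit, and the function names are assumptions chosen for the example: the unsafe copy trusts the caller's input length and can write past the end of `name` into whatever follows it in memory, while the checked copy refuses input that does not fit and always leaves the buffer NUL-terminated.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example values; the real size limit is whatever the
 * programmer chose for a given buffer. */
#define NAME_MAX 16

/* A record with a fixed-size field followed by another field. If the
 * name field overflows, the bytes land in `is_admin` (or beyond). */
struct login_record {
    char name[NAME_MAX];
    int  is_admin;
};

/* Vulnerable: strcpy copies until it finds the source's NUL byte and
 * never consults the destination's size. Input longer than NAME_MAX-1
 * characters writes past the end of `name`. This is the bug the text
 * describes; it is shown only for contrast and must not be called
 * with untrusted input. */
static void set_name_unsafe(struct login_record *rec, const char *src)
{
    strcpy(rec->name, src); /* no bounds check */
}

/* Hardened: measure the input first, reject anything that will not fit
 * (including the terminating NUL), and leave the field in a defined
 * state on failure. Returns true on success, false if `src` was too long.
 * `src` is assumed to be a NUL-terminated C string. */
static bool set_name_checked(struct login_record *rec, const char *src)
{
    size_t len = strlen(src);
    if (len >= NAME_MAX) {          /* need room for len chars + NUL */
        rec->name[0] = '\0';
        return false;
    }
    memcpy(rec->name, src, len + 1); /* copies the NUL as well */
    return true;
}

int main(void)
{
    struct login_record rec = { "", 0 };

    /* Short input behaves the same in both versions. */
    set_name_unsafe(&rec, "alice");
    printf("unsafe copy of short name: %s (is_admin=%d)\n", rec.name, rec.is_admin);

    /* Overlong input is rejected instead of overwriting `is_admin`. */
    if (!set_name_checked(&rec, "this-name-is-far-too-long-to-fit"))
        printf("checked copy rejected overlong name (is_admin=%d)\n", rec.is_admin);

    return 0;
}
```

The length check is the whole fix: the caller learns that the input was refused, and the adjacent `is_admin` field is never touched by data destined for `name`. Functions such as `strncpy` that silently truncate are a weaker substitute, because a truncated value can still pass later checks unexpectedly and `strncpy` does not guarantee a terminating NUL.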
For a list and explanations of common UNIX/Linux exploits, take a look at Outpost9. For a list of Windows NT bugs and exploits, see emf.net.
Often, operating system vulnerabilities are more a matter of bad default configuration rather than a true programming bug. By changing configuration settings, you can prevent many of these vulnerabilities. For true security bugs, most operating system vendors are diligent about releasing patches, hot fixes, or service packs that fix the problem, once it becomes known. Hackers count on the fact that many network administrators are not so diligent about applying the fixes on a timely basis.
Commonly used protocols, such as HTTP, DNS, CGI, and FTP, can be exploited by knowledgeable hackers to gain access to your network or damage your data. TCP/IP-related protocols, such as TCP, UDP, and ICMP, are favorite targets and are the basis of many of the attack types.
Network attacks are becoming a common, everyday nuisance. Like the common cold or flu, they gain ground every day, and, as the old adage says, an ounce of prevention is worth a pound of cure. As long as you think of a network attack as a cold—something that will always be prevalent and ready to take you captive—you’ll be far ahead of most hackers.
I hope this Daily Drill Down has helped you understand what is really going on when an attempt is made to compromise your system.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.