Ensuring OS protection from attacks over computer networks. Network protection: the second level of Symantec protection



    Which are forced to wait for the creation of a physical file on the user's computer, network protection begins to analyze incoming data streams entering the user's computer through the network and blocks threats before they enter the system.

    The main areas of network protection provided by Symantec technologies are:

    - drive-by downloads and web attacks;
    - social engineering attacks: FakeAV (fake antivirus) and fake codecs;
    - attacks through social media such as Facebook;
    - detection of malware, rootkits and bot-infected systems;
    - protection against advanced threats;
    - zero-day threats;
    - protection against unpatched software vulnerabilities;
    - protection from malicious domains and IP addresses.

    Network Protection Technologies

    The "Network Protection" level includes 3 different technologies.

    Network Intrusion Prevention Solution (Network IPS)

    Network IPS technology understands and scans over 200 different protocols. It intelligently and accurately dissects binary and network protocols, looking for signs of malicious traffic along the way. This intelligence allows for more accurate network scanning while still providing reliable protection. At its "heart" is an exploit-blocking engine that gives unpatched (open) vulnerabilities virtually impenetrable protection. A unique feature of Symantec IPS is that this component does not require any configuration: all of its functions work "out of the box". Every Norton consumer product, and every Symantec Endpoint Protection product of version 12.1 and later, has this critical technology enabled by default.

    Browser Protection

    This security engine is located inside the browser. It is capable of detecting the most complex threats that neither traditional antivirus nor Network IPS can detect. Nowadays, many network attacks use obfuscation techniques to avoid detection. Because Browser Protection runs inside the browser, it can examine the code after it has been de-obfuscated for execution. This allows an attack to be detected and blocked even if it was missed at the lower protection layers.

    Un-Authorized Download Protection (UXP)

    Located within the network protection layer, this last line of defense helps cover and mitigate the effects of unknown and unpatched vulnerabilities without the use of signatures. This provides an additional layer of protection against zero-day attacks.

    Focusing on problems

    Working together, network security technologies solve the following problems.

    Drive-by downloads and web attack kits

    Using Network IPS, Browser Protection and UXP, Symantec's network protection technologies block drive-by downloads and essentially prevent malware from ever reaching the user's system. Various preventive methods that build on these same technologies are used, including Generic Exploit Blocking and web attack detection tools. A generic web attack detection tool analyzes the characteristics of a typical web attack, regardless of the specific vulnerability the attack targets. This provides additional protection against new and unknown vulnerabilities. The strength of this type of protection is that even if a malicious file could "silently" infect a system, it would still be proactively stopped and removed: this is precisely the behavior that traditional antivirus products usually miss. Symantec continues to block tens of millions of malware variants that typically cannot be detected by other means.

    Social Engineering Attacks

    Because Symantec's technology monitors network and browser traffic in transit, it detects "social engineering" attacks such as FakeAV or fake codecs. These technologies are designed to block such attacks before they appear on the user's screen. Most competing solutions do not include this powerful capability.

    Symantec blocks hundreds of millions of these types of attacks with online threat protection technology.

    Attacks targeting social media applications

    Social media applications have recently become widely popular, as they allow users to instantly exchange messages, interesting videos and information with thousands of friends and other users. The wide distribution and potential of such programs make them the No. 1 target for hackers. Common hacker tricks include creating fake accounts and sending spam.

    Symantec IPS technology can protect against these deception methods, often blocking the malicious links before the user even clicks on them. Symantec stops fraudulent and spoofed URLs, applications and other deception methods with its online threat protection technology.

    Detection of malware, rootkits and bot-infected systems

    Wouldn't it be nice to know exactly where on the network an infected computer is located? Symantec's IPS solutions provide this capability, including the detection and cleanup of threats that may have evaded other layers of protection. Symantec solutions detect malware and bots that attempt to "phone home" automatically or to download "updates" to increase their activity on the system. This gives IT managers a clear list of systems to review and assurance that their enterprise is secure. Polymorphic and complex hidden threats using rootkit techniques, such as Tidserv, ZeroAccess, Koobface and Zbot, can be stopped and removed using this method.

    Protection against obfuscated threats

    Today's web attacks use complex obfuscation techniques to make them harder to analyze and detect. Symantec's Browser Protection sits inside the browser and can detect very complex threats that traditional methods often cannot.

    Zero-day threats and unpatched vulnerabilities

    One of the more recent security additions the company has made is an extra layer of protection against zero-day threats and unpatched vulnerabilities. Using signatureless protection, the program intercepts system API calls and protects against malware downloads. This technology is called Un-Authorized Download Protection (UXP). It is the last line of defense within the network threat protection ecosystem and allows the product to "cover" unknown and unpatched vulnerabilities without using signatures. This technology is enabled by default and has been present in every product released since Norton 2010 debuted.

    Protection against unpatched software vulnerabilities

    Malicious programs are often installed without the user's knowledge by exploiting vulnerabilities in software. Symantec network protection provides an additional layer of protection called Generic Exploit Blocking (GEB). Regardless of whether the latest updates are installed, GEB "mostly" protects the underlying vulnerabilities from exploitation. Vulnerabilities in Oracle Sun Java, Adobe Acrobat Reader, Adobe Flash, Internet Explorer, ActiveX controls or QuickTime are now ubiquitous. Generic Exploit Blocking was created by "reverse engineering": figuring out how a vulnerability could be exploited over the network and providing a special patch at the network level. A single GEB, or vulnerability signature, can provide protection against thousands of new and unknown malware variants.

    Malicious IPs and domain blocking

    Symantec's network protection also includes the ability to block malicious domains and IP addresses while stopping malware and traffic from known malicious sites. Through STAR's rigorous analysis and updating of website databases, Symantec provides real-time protection against ever-changing threats.

    Improved Evasion Resistance

    Support for additional encodings has been added to improve the detection of attacks that use encoding techniques such as base64 and gzip to evade inspection.

    Network auditing to enforce usage policies and identify data leakage

    Network IPS can be used to identify applications and tools that may violate corporate usage policies, or to prevent data leakage across the network. It can detect, warn about or block traffic such as IM, P2P, social media or other "interesting" types of traffic.

    STAR Intelligence Communication Protocol

    Network protection technology does not work on its own. The engine communicates with other security services using the STAR Intelligence Communication (STAR ICB) protocol. The Network IPS engine connects to the Symantec SONAR engine and then to the Insight reputation engine. This allows more informative and accurate protection.

    In the next article we will look at the Behavior Analyzer level.

    Based on materials from Symantec


    Of particular interest are remote, network attacks. Interest in this type of attack stems from the fact that distributed data processing systems are becoming increasingly widespread. Most users work with remote resources over the Internet using the TCP/IP protocol stack. Initially, the Internet was created for communication between government agencies and universities to support education and scientific research, and its creators had no idea how widely it would spread. As a result, the specifications of early versions of the Internet Protocol (IP) lacked security requirements. This is why many IP implementations are inherently vulnerable.

    The course covers the following attacks and how to combat them.

    Sniffing attack. A packet sniffer is an application program that uses a network card operating in promiscuous mode (in this mode, all packets received over the physical channel are passed by the network adapter to the application for processing). The sniffer thus intercepts all network packets transmitted through a specific domain. Currently, sniffers are used on networks on a completely legal basis, for fault diagnosis and traffic analysis. However, because some network applications transmit data in plain text (Telnet, FTP, SMTP, POP3, etc.), a sniffer can reveal useful and sometimes confidential information (for example, usernames and passwords).

    Login and password interception poses a major threat because users often use the same login and password for multiple applications and systems. Many users generally have one password to access all resources and applications. If the application runs in client/server mode and the authentication data is transmitted over the network in a readable text format, this information can likely be used to access other corporate or external resources. In the worst case scenario, an attacker gains system-level access to a user resource and uses it to create a new user who can be used at any time to access the network and its resources.



    You can mitigate the threat of packet sniffing by using the following tools:

    Authentication. Strong authentication is the first defense against packet sniffing. By "strong" we mean an authentication method that is difficult to bypass. An example is one-time passwords (OTP). OTP is a two-factor authentication technology. A typical example of two-factor authentication is a regular ATM, which identifies you, firstly, by your plastic card and, secondly, by the PIN code you enter. Authentication in an OTP system likewise requires a PIN code and your personal "card" (token): a hardware or software device that generates a unique, unpredictable one-time password. If an attacker learns this password using a sniffer, the information will be useless, because by then the password will already have been used and retired. Note that this method of combating sniffing is only effective against password interception; sniffers that intercept other information (such as email messages) remain effective.

    Switched infrastructure. Another way to combat packet sniffing in a network environment is to build a switched infrastructure. If, for example, the entire organization uses switched Ethernet, attackers can only access traffic arriving on the port they are connected to. A switched infrastructure does not eliminate the threat of sniffing, but it does significantly reduce its severity.

    Anti-sniffers. The third way to combat sniffing is to install hardware or software that recognizes sniffers running on the network. These tools cannot completely eliminate the threat, but, like many other network security tools, they are part of the overall protection system. So-called "anti-sniffers" measure host response times and determine whether hosts are having to process "unnecessary" traffic.

    Cryptography. The most effective way to combat packet sniffing neither prevents interception nor detects sniffers, but makes their work useless. If the communication channel is cryptographically protected, the attacker intercepts not the message but the ciphertext (that is, an incomprehensible sequence of bits).

    IP spoofing attack. This attack occurs when an attacker, inside or outside a corporation, impersonates an authorized user. The simplest reason for using spoofed IP addresses is the attacker's desire to hide their activity in the ocean of network activity. For example, the NMAP network mapping tool can send additional sequences of packets, each using its own spoofed source IP address. The attacker knows which IP addresses are fake and which packets in each sequence are real, while the security administrator of the system under attack is forced to analyze many spoofed IP addresses before being able to determine the attacker's real IP address.

    Another reason why an attacker uses IP address spoofing is to hide their identity. The fact is that it is possible to trace an IP address back to an individual system, and sometimes even to an individual user. Therefore, with the help of IP forgery, an attacker tries to avoid detection. However, using a fake IP address brings a number of difficulties to the sender.

    All responses from the attacked system are sent to a fake IP address. In order to view or receive these responses, the attacker must be in their path from the compromised machine to the spoofed IP address (at least in theory). Because the response does not necessarily take the same route as the spoofed packet sent, an attacker may lose return traffic. To avoid this, an attacker can interfere with one or more intermediate routers, whose addresses will be used as spoofs to redirect traffic to another location.

    Another approach is for the attacker to guess in advance the TCP sequence numbers used by the attacked machine. In this case there is no need to receive the SYN-ACK packet, since the attacker simply generates and sends an ACK packet with the predicted sequence number. Early IP stack implementations used predictable sequence number generation schemes and were therefore vulnerable to spoofed TCP data streams. In modern implementations the sequence number is much harder to predict. The NMAP network mapping tool can estimate how difficult it is to predict the sequence numbers of the systems being scanned.

    In the third option, the attacker interferes with the operation of one or more routers located between their system and the server being attacked. This makes it possible to direct response traffic destined for the spoofed IP address to the system from which the intrusion originated. Once the attack is complete, the router is restored to cover the attacker's tracks.

    Finally, the attacker may have no intention of responding to the SYN-ACK packet returned by the victim. There may be two reasons for this. The attacker may be performing a half-open port scan, known as a SYN scan, in which case they are only interested in the initial response from the attacked machine: the RST-ACK flag combination means the scanned port is closed, and SYN-ACK means it is open. The goal has been achieved, so there is no need to respond to the SYN-ACK packet. Alternatively, a SYN flood attack may be in progress. In this case, the attacker not only does not respond to SYN-ACK or RST-ACK packets, but is not interested at all in the type of packets received from the attacked system.

    IP spoofing attacks are often the starting point for other attacks. A classic example is a DoS attack, which starts from someone else's address, hiding the attacker's true identity.

    Typically, IP spoofing is limited to inserting false information or malicious commands into the normal flow of data transmitted between a client and server application or over a communication channel between peer devices.

    As noted, for two-way communication, an attacker must change all routing tables to direct traffic to a false IP address. Some attackers, however, don't even try to get a response from the applications. If the main task is to get an important file from the system, application responses do not matter. If the attacker manages to change the routing tables and direct traffic to a false IP address, the attacker will receive all packets and will be able to respond to them as if he were an authorized user.

    The threat of spoofing can be mitigated (but not eliminated) by the following measures:

    Access control. The easiest way to prevent IP spoofing is to configure access control properly. To reduce the effectiveness of IP spoofing, configure access control to reject any traffic arriving from the external network with a source address that should be located inside your network. Note that this helps combat IP spoofing only where internal addresses alone are authorized; if some external network addresses are also authorized, this method becomes ineffective.

    RFC 2827 filtering. Attempts by users of the protected network to spoof addresses of foreign networks are stopped if any outgoing traffic whose source address is not one of the organization's IP addresses is rejected. This type of filtering, known as RFC 2827 filtering, can also be performed by your Internet Service Provider (ISP): all traffic that does not carry a source address expected on a particular interface is rejected. For example, if an ISP provides a connection to the network 15.1.1.0/24, it can configure a filter so that only traffic originating from 15.1.1.0/24 is allowed from that interface into the ISP's router. Note that until all providers implement this type of filtering, its effectiveness will be much lower than it could be. Additionally, the further you are from the devices being filtered, the more difficult it is to filter accurately. For example, RFC 2827 filtering at the access router level requires passing all traffic from the main network address (10.0.0.0/8), while at the distribution level (in this architecture) traffic can be restricted more precisely (to 10.1.5.0/24).

    IP spoofing can only work if authentication is based on IP addresses. Therefore, introducing additional authentication methods makes this type of attack useless. The best type of additional authentication is cryptographic. If that is not possible, two-factor authentication using one-time passwords can give good results.
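    The two filtering rules above (the access-control rule that rejects internal source addresses arriving from outside, and RFC 2827 egress filtering that only lets an interface's own prefixes leave) as an added example, written for this page rather than taken from the course or from any router vendor. It models a packet as (interface, source, destination) and applies the rules at the three vantage points the text names: the access router passing all of 10.0.0.0/8, the distribution layer restricted to 10.1.5.0/24, and the ISP's customer-facing interface for 15.1.1.0/24. The sample packets are constructed from documentation address ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" (Internet side) or "inside" (our users)
    src: str
    dst: str


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)


def ingress_check(pkt: Packet, internal_nets) -> str:
    """Access-control rule: traffic arriving from outside must not carry one of our own addresses."""
    if pkt.iface == "outside" and _in_any(pkt.src, internal_nets):
        return "DROP: internal source address arriving from outside"
    return "ACCEPT"


def egress_check(pkt: Packet, allowed_src_nets) -> str:
    """RFC 2827 rule: traffic leaving through this interface may only use the prefixes assigned to it."""
    if pkt.iface == "inside" and not _in_any(pkt.src, allowed_src_nets):
        return "DROP: source not in the prefix allowed on this interface"
    return "ACCEPT"


def run_filters(packets, internal_nets, allowed_src_nets):
    """Apply both checks to each packet; the first DROP decides."""
    verdicts = []
    for pkt in packets:
        verdict = ingress_check(pkt, internal_nets)
        if verdict == "ACCEPT":
            verdict = egress_check(pkt, allowed_src_nets)
        verdicts.append(verdict)
    return verdicts


# Constructed sample traffic (documentation addresses, not real hosts).
SAMPLE = [
    Packet("outside", "198.51.100.7", "10.1.5.10"),   # ordinary inbound packet
    Packet("outside", "10.1.5.99", "10.1.5.10"),      # inbound packet claiming an internal source
    Packet("inside", "10.1.5.10", "198.51.100.7"),    # ordinary outbound packet
    Packet("inside", "203.0.113.5", "198.51.100.7"),  # outbound packet with a foreign source
    Packet("inside", "10.7.7.7", "198.51.100.7"),     # internal address, but not this site's subnet
]


def access_router_verdicts():
    """Access router: must let the whole main network 10.0.0.0/8 through."""
    return run_filters(SAMPLE, ["10.0.0.0/8"], ["10.0.0.0/8"])


def distribution_router_verdicts():
    """Distribution layer, closer to the hosts: can restrict sources to 10.1.5.0/24."""
    return run_filters(SAMPLE, ["10.0.0.0/8"], ["10.1.5.0/24"])


def isp_verdicts():
    """ISP side of a customer link assigned 15.1.1.0/24: only that prefix may originate traffic."""
    customer_traffic = [
        Packet("inside", "15.1.1.20", "198.51.100.7"),
        Packet("inside", "15.1.2.20", "198.51.100.7"),   # not the customer's prefix
    ]
    return run_filters(customer_traffic, [], ["15.1.1.0/24"])


if __name__ == "__main__":
    for name, fn in [("access", access_router_verdicts), ("distribution", distribution_router_verdicts),
                     ("isp", isp_verdicts)]:
        print(name, fn())
```

    The fifth sample packet is the one that illustrates the text's last sentence: the access router has to accept it because 10.7.7.7 is somewhere inside 10.0.0.0/8, while the distribution router, which knows only 10.1.5.0/24 sits behind it, can drop it.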

    Denial of Service (DoS). DoS is, without any doubt, the most well-known form of attack. Moreover, these attacks are the hardest to protect against completely. Their simplicity of implementation and the enormous harm they cause attract the close attention of administrators responsible for network security. The most well-known types of DoS attack are: TCP SYN Flood; Ping of Death; Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K); Trinco; Stacheldracht; Trinity.

    The source of information on these attacks is the Computer Emergency Response Team (CERT), which has published work on combating DoS attacks.

    DoS attacks are different from other types of attacks. They are not aimed at gaining access to your network or obtaining any information from that network. A DoS attack makes a network unavailable for normal use by exceeding the operating limits of the network, operating system, or application. In the case of some server applications (such as a web server or FTP server), DoS attacks can involve taking over all connections available to those applications and keeping them occupied, preventing normal users from being served. DoS attacks can use common Internet protocols such as TCP and ICMP (Internet Control Message Protocol).

    Most DoS attacks rely not on software bugs or security holes, but on general weaknesses in the system architecture. Some attacks cripple network performance by flooding it with unwanted and unnecessary packets or misleading information about the current state of network resources. This type of attack is difficult to prevent because it requires coordination with the ISP. If the traffic intended to flood the network is not stopped at the provider, then at the entrance to the network this will no longer be possible, because all the bandwidth will be occupied. When this type of attack is carried out simultaneously through many devices, we talk about a distributed DoS attack (DDoS).

    The threat of DoS attacks can be mitigated in three ways:

    Anti-spoofing features. Properly configuring anti-spoofing features on your routers and firewalls will help reduce the risk of DoS. These features should, at a minimum, include RFC 2827 filtering. If an attacker cannot disguise their true identity, they are unlikely to carry out an attack.

    Anti-DoS features. Proper configuration of anti-DoS features on routers and firewalls can limit the effectiveness of attacks. These features often limit the number of half-open connections at any given time.

    Traffic rate limiting. An organization may ask its Internet Service Provider (ISP) to limit the amount of traffic. This type of filtering allows you to limit the amount of non-critical traffic that passes through your network. A common example is limiting the amount of ICMP traffic that is used only for diagnostic purposes. (D)DoS attacks often use ICMP.
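    The second and third measures above, as an added example that is not part of the course text: a per-source cap on half-open connections with an ageing timeout (what an anti-DoS feature does against a SYN flood) and a token bucket that rate-limits non-critical ICMP traffic. The limits, timeouts and the attacking address are constructed values chosen to make the behaviour visible, not recommendations for any particular device.

```python
from collections import defaultdict


class HalfOpenLimiter:
    """Tracks connections that have sent SYN but not completed the handshake.
    A per-source cap and an ageing timeout bound what a SYN flood can consume."""

    def __init__(self, per_source_limit: int = 3, timeout: float = 30.0):
        self.limit = per_source_limit
        self.timeout = timeout
        self.pending = defaultdict(dict)   # src -> {(sport, dport): time of SYN}

    def _expire(self, src: str, now: float) -> None:
        self.pending[src] = {k: t for k, t in self.pending[src].items()
                             if now - t < self.timeout}

    def on_syn(self, src: str, sport: int, dport: int, now: float) -> str:
        self._expire(src, now)
        if len(self.pending[src]) >= self.limit:
            return "DROP"                 # this source already holds its share of half-open slots
        self.pending[src][(sport, dport)] = now
        return "ACCEPT"

    def on_ack(self, src: str, sport: int, dport: int) -> None:
        self.pending[src].pop((sport, dport), None)   # handshake completed, slot released


class TokenBucket:
    """Rate limit for non-critical traffic such as ICMP: `rate` packets per second
    sustained, with bursts of up to `burst` packets."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate() -> dict:
    limiter = HalfOpenLimiter(per_source_limit=3, timeout=30.0)
    attacker = "203.0.113.9"     # constructed source address
    burst = [limiter.on_syn(attacker, 40000 + i, 80, now=0.0) for i in range(5)]
    limiter.on_ack(attacker, 40000, 80)                            # one handshake completes
    after_ack = limiter.on_syn(attacker, 40005, 80, now=1.0)       # a slot is free again
    after_timeout = limiter.on_syn(attacker, 40006, 80, now=40.0)  # stale SYNs have aged out

    icmp = TokenBucket(rate=2.0, burst=5)
    ping_burst = [icmp.allow(now=0.0) for _ in range(7)]   # 5 pass, 2 are dropped
    ping_later = icmp.allow(now=1.0)                       # two tokens refilled in one second

    return {"syn_burst": burst, "after_ack": after_ack, "after_timeout": after_timeout,
            "icmp_burst": ping_burst, "icmp_later": ping_later}


if __name__ == "__main__":
    print(simulate())
```

    Neither mechanism needs to know whether a source is "really" hostile: the half-open cap only bounds the resource a single source can tie up, and the bucket only bounds the share of bandwidth ICMP may take, which is why the text describes them as limiting an attack's effectiveness rather than stopping it.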

    Password attacks. Attackers can conduct password attacks using a variety of methods, such as brute force attacks, Trojan horses, IP spoofing, and packet sniffing. Although login and password can often be obtained through IP spoofing and packet sniffing, hackers often try to guess the password and login through multiple access attempts. This approach is called a simple brute force attack.

    Often, such an attack uses a special program that tries to gain access to a public resource (for example, a server). If, as a result, the attacker gains access to resources, he gains access to the rights of a regular user whose password was guessed. If this user has significant access privileges, an attacker can create a "pass" for themselves for future access that will remain in effect even if the user changes their password and login.

    Another problem arises when users use the same (even very good) password to access many systems: corporate, personal, and Internet systems. Since a password is only as strong as the weakest host, an attacker who learns the password through that host gains access to all other systems that use the same password.

    First of all, password attacks can be avoided by not using passwords in text form. One-time passwords and/or cryptographic authentication can virtually eliminate the threat of such attacks. Unfortunately, not all applications, hosts, and devices support the above authentication methods.

    When using regular passwords, try to come up with a password that is difficult to guess. The minimum password length must be at least eight characters. The password must include uppercase characters, numbers, and special characters (#, %, $, etc.). The best passwords are difficult to guess and difficult to remember, forcing users to write down passwords on paper. To avoid this, users and administrators can take advantage of a number of recent technological advances. For example, there are application programs that encrypt a list of passwords that can be stored in a pocket computer. As a result, the user only needs to remember one complex password, while all other passwords will be securely protected by the application.
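    The brute-force pattern described above (repeated access attempts against a public resource, often across several accounts, followed by a login with the guessed password) as an added detection example that is not part of the course text. It runs over constructed sshd-style log lines with documentation addresses; the 60-second window and the threshold of five failures are assumptions, and the line format is a simplification of real sshd output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Simplified sshd-style line, e.g.
# "Jan 12 10:00:01 gw sshd[4242]: Failed password for root from 203.0.113.5 port 51000 ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line: str, year: int = 2024):
    """Return (timestamp, result, user, source) or None for lines we don't understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, window_s: int = 60, threshold: int = 5):
    """Sliding window of failures per source; one alert when the threshold is reached,
    and a second, higher-priority alert if that source later logs in successfully."""
    failures = defaultdict(deque)     # src -> timestamps of recent failed attempts
    targeted = defaultdict(set)       # src -> user names it has tried
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "Failed":
            q = failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()                       # forget failures outside the window
            targeted[src].add(user)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"{src}: {len(q)} failed logins within {window_s}s "
                              f"against {len(targeted[src])} account(s)")
        elif result == "Accepted" and src in flagged:
            alerts.append(f"{src}: successful login as {user} after a guessing burst; "
                          f"treat the account as compromised until reviewed")
    return alerts


# Constructed sample log (documentation addresses, no real hosts).
SAMPLE_LOG = [
    "Jan 12 10:00:01 gw sshd[4242]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "Jan 12 10:00:04 gw sshd[4243]: Failed password for bob from 198.51.100.7 port 40100 ssh2",
    "Jan 12 10:00:05 gw sshd[4244]: Failed password for root from 203.0.113.5 port 51001 ssh2",
    "Jan 12 10:00:09 gw sshd[4245]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2",
    "Jan 12 10:00:11 gw sshd[4246]: Accepted password for bob from 198.51.100.7 port 40101 ssh2",
    "Jan 12 10:00:13 gw sshd[4247]: Failed password for invalid user admin from 203.0.113.5 port 51003 ssh2",
    "Jan 12 10:00:17 gw sshd[4248]: Failed password for alice from 203.0.113.5 port 51004 ssh2",
    "Jan 12 10:00:21 gw sshd[4249]: Failed password for alice from 203.0.113.5 port 51005 ssh2",
    "Jan 12 10:00:25 gw sshd[4250]: Accepted password for alice from 203.0.113.5 port 51006 ssh2",
]


def sample_alerts():
    return detect_bruteforce(SAMPLE_LOG)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

    The single mistyped password from 198.51.100.7 never reaches the threshold and produces nothing, while the guessing source trips the first alert on its fifth failure and the second when it finally succeeds as `alice`; that second alert is the one that matters, because it is the "pass" the text warns about being created.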

    Man-in-the-Middle attacks. For a Man-in-the-Middle attack, the attacker needs access to packets transmitted over the network. Such access to all packets transmitted from a provider to any other network can, for example, be obtained by an employee of that provider. Packet sniffers, transport protocols and routing protocols are often used for this type of attack. The attacks are carried out to steal information, hijack the current session and gain access to private network resources, analyze traffic and obtain information about the network and its users, carry out DoS attacks, corrupt transmitted data and inject unauthorized information into network sessions.

    Man-in-the-Middle attacks can only be effectively combated using cryptography. If an attacker intercepts data from an encrypted session, what will appear on his screen is not the intercepted message, but a meaningless set of characters. Note that if an attacker obtains information about the cryptographic session (for example, the session key), this could make a Man-in-the-Middle attack possible even in an encrypted environment.
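    An added example of the cryptographic side of the text's advice, not part of the course: it covers the integrity half of the problem (corrupted or injected data and replayed frames) using only the standard library, with an HMAC over a sequence number and payload on each frame; confidentiality would additionally require encrypting the payload, which is left out here. The session key is a constructed constant standing in for whatever the real key exchange produces.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output length in bytes


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: frame = 8-byte sequence number || payload || HMAC over both.
    The MAC covers the sequence number, so a frame cannot be re-inserted later."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class SessionReceiver:
    """Receiver: rejects frames whose MAC fails (modified or injected) or whose
    sequence number is not the one expected next (replayed or reordered)."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0

    def accept(self, frame: bytes):
        if len(frame) < 8 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), tag):
            return None                      # content altered in transit or forged without the key
        seq = struct.unpack(">Q", body[:8])[0]
        if seq != self.expected_seq:
            return None                      # old frame replayed, or one was dropped
        self.expected_seq += 1
        return body[8:]


def demo() -> dict:
    key = bytes(range(32))   # constructed session key; in practice it comes from the key exchange
    receiver = SessionReceiver(key)
    frame0 = protect(key, 0, b"transfer 100 to account 42")
    frame1 = protect(key, 1, b"logout")

    genuine = receiver.accept(frame0)                        # delivered intact
    altered = bytearray(frame1)
    altered[8] ^= 0x01                                       # intermediary flips one payload bit
    tampered = receiver.accept(bytes(altered))               # MAC no longer matches
    forged = receiver.accept(protect(b"wrong key", 1, b"logout"))  # intermediary lacks the key
    replayed = receiver.accept(frame0)                       # valid MAC, but sequence 0 is spent
    legit_next = receiver.accept(frame1)                     # the real next frame still works
    return {"genuine": genuine, "tampered": tampered, "forged": forged,
            "replayed": replayed, "legit_next": legit_next}


if __name__ == "__main__":
    print(demo())
```

    The last sentence of the text is visible in the code too: everything here rests on the intermediary not knowing `key`. If the session key leaks, `protect` can be called by the attacker as easily as by the sender, and the receiver has no way to tell the frames apart.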

    Application-level attacks. Application-level attacks can be carried out in several ways. The most common is to exploit well-known weaknesses in server software (sendmail, HTTP, FTP). Using these weaknesses, attackers can gain access to a computer on behalf of the user running the application (usually not an ordinary user but a privileged administrator with system access rights). Information about application-level attacks is widely published so that administrators can correct the problem with corrective modules (patches). Unfortunately, many attackers also have access to this information, which lets them learn from it as well.

    The main problem with application-level attacks is that they often use ports that are allowed to pass through the firewall. Application-level attacks cannot be completely eliminated.

    Procedure for detecting network attacks.

    1. Classification of network attacks

    1.1. Packet sniffers

    A packet sniffer is an application program that uses a network card operating in promiscuous mode (in this mode, all packets received over physical channels are sent by the network adapter to the application for processing). In this case, the sniffer intercepts all network packets that are transmitted through a specific domain.

    1.2. IP spoofing

    IP spoofing occurs when a hacker, inside or outside a system, impersonates an authorized user. This can be done in two ways. First, a hacker can use an IP address that is within the range of authorized IP addresses, or an authorized external address that is allowed access to certain network resources. IP spoofing attacks are often the starting point for other attacks. A classic example is a DoS attack, which starts with someone else's address, hiding the hacker's true identity.

    Typically, IP spoofing is limited to inserting false information or malicious commands into the normal flow of data transmitted between a client and server application or over a communication channel between peer devices. For two-way communication, the hacker must change all the routing tables to direct traffic to the false IP address. Some hackers, however, don't even try to get a response from the applications. If the main task is to get an important file from the system, application responses do not matter.

    If a hacker manages to change the routing tables and direct traffic to a false IP address, the hacker will receive all packets and will be able to respond to them as if he were an authorized user.

    1.3. Denial of service (Denial of Service, DoS)

    DoS is the most well-known form of hacker attacks. These types of attacks are the hardest to create 100% protection against.

    The most famous types of DoS:

    • TCP SYN Flood;
    • Ping of Death;
    • Tribe Flood Network (TFN);
    • Tribe Flood Network 2000 (TFN2K);
    • Trinco;
    • Stacheldracht;
    • Trinity.

    DoS attacks are different from other types of attacks. They are not aimed at gaining access to the network or obtaining any information from that network. A DoS attack makes a network unavailable for normal use by exceeding the operating limits of the network, operating system, or application.

    When using some server applications (such as a Web server or FTP server), DoS attacks can be as simple as taking over all connections available to these applications and keeping them busy, preventing normal users from being served. DoS attacks can use common Internet protocols such as TCP and ICMP (Internet Control Message Protocol). Most DoS attacks rely not on software bugs or security holes, but on general weaknesses in the system architecture. Some attacks cripple network performance by flooding it with unwanted and unnecessary packets or misleading information about the current state of network resources. This type of attack is difficult to prevent because it requires coordination with the ISP. If the traffic intended to flood your network cannot be stopped at the provider, then at the entrance to the network you will no longer be able to do this, because all the bandwidth will be occupied. When this type of attack is carried out simultaneously through many devices, the attack is a distributed DoS (DDoS).

    1.4. Password attacks

    Hackers can carry out password attacks using a number of methods, such as brute force (brute force attack), Trojan horse, IP spoofing and packet sniffing. Although a login and password can often be obtained through IP spoofing and packet sniffing, hackers often try to guess the password and login through multiple access attempts. This approach is called simple enumeration (brute force attack). Often such an attack uses a special program that tries to gain access to a public resource (for example, a server). If, as a result, the hacker gains access to resources, he gains the rights of the regular user whose password was guessed. If this user has significant access privileges, the hacker can create a "pass" for future access that will remain valid even if the user changes his password and login.

    Another problem occurs when users use the same (even if it's very good) password for access to many systems: corporate, personal and Internet systems. Since a password is only as strong as the weakest host, a hacker who learns the password through that host gains access to all other systems that use the same password.

    1.5. Man-in-the-Middle attacks

    For a Man-in-the-Middle attack, a hacker needs access to packets transmitted over the network. Such access to all packets transmitted from a provider to any other network can, for example, be obtained by an employee of this provider. Packet sniffers, transport protocols, and routing protocols are often used for this type of attack. The attacks are carried out in order to steal information, intercept the current session and gain access to private network resources, analyze traffic and obtain information about the network and its users, carry out DoS attacks, distort transmitted data, and inject unauthorized information into network sessions.

    1.6. Application level attacks

    Application-level attacks can be carried out in several ways. The most common of these is to exploit weaknesses in server software (sendmail, HTTP, FTP). By exploiting these weaknesses, hackers can gain access to a computer as the user running the application (usually this is not a simple user, but a privileged administrator with system access rights). Information about application-level attacks is widely published to enable administrators to fix the problem using correction modules (patches). The main problem with application-level attacks is that they often use ports that are allowed to pass through the firewall. For example, a hacker exploiting a known weakness in a Web server will often use TCP port 80 for the attack. Because the Web server provides Web pages to users, the firewall must allow access to this port. From the firewall's point of view, the attack is treated as standard traffic on port 80.

    1.7. Network reconnaissance

    Network reconnaissance refers to the collection of network information using publicly available data and applications. When preparing an attack against a network, a hacker usually tries to get as much information about it as possible. Network reconnaissance is carried out in the form of DNS queries, ping sweeps and port scanning. DNS queries help you understand who owns a particular domain and what addresses are assigned to that domain. Echo testing (ping sweep) of the addresses resolved using DNS allows you to see which hosts are actually running in a given environment. After receiving a list of hosts, the hacker uses port scanning tools to compile a complete list of services supported by those hosts. Finally, the hacker analyzes the characteristics of the applications running on the hosts. As a result, information is obtained that can be used for hacking.

    1.8. Breach of trust

    This type of action is not an "attack" or "assault" in the strict sense. It represents the malicious exploitation of trust relationships that exist in a network. An example is a system installed outside the firewall that has a trust relationship with a system installed inside it. If the external system is hacked, a hacker can use the trust relationship to penetrate the system protected by the firewall.

    1.9. Port Forwarding

    Port forwarding is a form of abuse of trust in which a compromised host is used to pass traffic through a firewall that would otherwise be rejected. An example of an application that can provide such access is netcat.

    1.10. Unauthorized access

    Unauthorized access cannot be considered a separate type of attack. Most network attacks are carried out to gain unauthorized access. To guess a telnet login, a hacker must first get a telnet prompt on his system. After connecting to the telnet port, the message "authorization required to use this resource" appears on the screen. If after this the hacker continues to attempt access, the attempts are considered "unauthorized". The source of such attacks can be either inside the network or outside it.

    1.11. Viruses and applications like "Trojan horse"

    Client workstations are very vulnerable to viruses and Trojan horses. A "Trojan horse" is not a piece of code inserted into another program but a real program that looks like a useful application while in fact performing a harmful role.

    2. Methods for countering network attacks

    2.1. You can mitigate the threat of packet sniffing by using the following tools:

    2.1.1. Authentication - Strong authentication is the first defense against packet sniffing. By "strong" we mean an authentication method that is difficult to bypass. An example of such authentication is one-time passwords (OTP - One-Time Passwords). OTP is a two-factor authentication technology that combines what you have with what you know. The "card" (token) is hardware or software that generates (randomly) a unique one-time password. If a hacker finds out this password using a sniffer, this information will be useless because at that point the password will have already been used and retired. This method of combating sniffing is only effective against password interception.

    2.1.2. Switched Infrastructure - Another way to combat packet sniffing in a network environment is to create a switched infrastructure, where hackers can only access traffic arriving on the port they are connected to. Switched infrastructure does not eliminate the threat of sniffing, but it significantly reduces its severity.

    2.1.3. Anti-sniffers - The third way to combat sniffing is to install hardware or software that recognizes the sniffers running on your network. These tools cannot completely eliminate the threat, but, like many other network security tools, they are included in the overall protection system. The so-called "anti-sniffers" measure host response times and determine whether hosts are having to process "extra" traffic.

    2.1.4. Cryptography - The most effective way to combat packet sniffing does not prevent interception or recognize the work of sniffers, but makes this work useless. If the communication channel is cryptographically secure, this means that the hacker is not intercepting the message, but the ciphertext (that is, an incomprehensible sequence of bits).
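    As an added illustration of the one-time-password mechanism described in 2.1.1 (this code is not part of the original document), the following Python implements HOTP as specified in RFC 4226 together with a server-side verifier that retires every counter value once it has been accepted, so a value captured by a sniffer is useless afterwards. The OtpServer class and the replay_demo function are hypothetical helpers written for this example; the shared secret is the RFC's published test-vector key, used here only as a constructed sample.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for a shared secret and a moving counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte picks the window
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3]) % (10 ** digits)
    return str(code).zfill(digits)


class OtpServer:
    """Server-side verifier (hypothetical helper): accepts each counter value at most once."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0          # smallest counter value still acceptable
        self.look_ahead = look_ahead   # tolerance for a token the user advanced without logging in

    def verify(self, code: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1   # retire this value and every earlier one
                return True
        return False


def replay_demo():
    """Returns (first_login_ok, replay_of_sniffed_code_ok)."""
    secret = b"12345678901234567890"   # RFC 4226 test-vector secret, a constructed shared key here
    server = OtpServer(secret)
    code = hotp(secret, 0)             # what the user's token shows, and what a sniffer would capture
    first = server.verify(code)
    replay = server.verify(code)       # the captured value has already been retired
    return first, replay


if __name__ == "__main__":
    print(hotp(b"12345678901234567890", 0))   # RFC 4226 test vector: 755224
    print(replay_demo())                      # (True, False)
```

    The look-ahead window is what lets a user recover after pressing the token button without logging in; keeping it small limits how many values an eavesdropper could try to guess ahead of the user.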

    2.2. The threat of spoofing can be mitigated (but not eliminated) using the following measures:

    2.2.1. Access Control - The easiest way to prevent IP spoofing is to properly configure access controls. To reduce the effectiveness of IP spoofing, access control is configured to reject any traffic coming from an external network with a source address that should be located inside your network. This helps combat IP spoofing, where only internal addresses are authorized. If some external network addresses are also authorized, this method becomes ineffective.

    2.2.2. RFC 2827 filtering - stopping attempts by users of the corporate network to spoof other people's networks. To do this, it is necessary to reject any outgoing traffic whose source address is not one of the Bank's IP addresses. This type of filtering, known as "RFC 2827", can also be performed by the Internet service provider (ISP). As a result, all traffic that does not have a source address expected on a particular interface is rejected.

    2.2.3. The most effective method for combating IP spoofing is the same as for packet sniffing: you need to make the attack completely ineffective. IP spoofing can only work if authentication is based on IP addresses. Therefore, introducing additional authentication methods makes this type of attack useless. The best type of additional authentication is cryptographic. If this is not possible, two-factor authentication using one-time passwords can give good results.

    2.3. The threat of DoS attacks can be reduced in the following ways:

    2.3.1. Anti-spoofing features - Properly configuring anti-spoofing features on your routers and firewalls will help reduce the risk of DoS. These features should, at a minimum, include RFC 2827 filtering. If a hacker cannot disguise his true identity, he is unlikely to carry out an attack.

    2.3.2. Anti-DoS features - Proper configuration of anti-DoS features on routers and firewalls can limit the effectiveness of attacks. These functions limit the number of half-open TCP connections at any given time.

    2.3.3. Limiting the volume of traffic (traffic rate limiting) - an agreement with the provider (ISP) on limiting the volume of traffic. This type of filtering allows you to limit the amount of non-critical traffic passing through the network. A common example is limiting the amount of ICMP traffic, which is used only for diagnostic purposes. (D)DoS attacks often use ICMP.

    2.3.4. Blocking IP addresses - after analyzing the DoS attack and identifying the range of IP addresses from which the attack is carried out, contact your provider to block them.

    2.4. Password attacks can be avoided by not using plain text passwords. One-time passwords and/or cryptographic authentication can virtually eliminate the threat of such attacks. Not all applications, hosts, and devices support the above authentication methods.

    When using regular passwords, you need to come up with a password that would be difficult to guess. The minimum password length must be at least eight characters. The password must include uppercase characters, numbers, and special characters (#, %, $, etc.). The best passwords are difficult to guess and difficult to remember, forcing users to write down passwords on paper.

    2.5. Man-in-the-Middle attacks can only be effectively combated using cryptography. If a hacker intercepts data from an encrypted session, what will appear on his screen is not the intercepted message, but a meaningless set of characters. Note that if a hacker obtains information about a cryptographic session (for example, the session key), this can make a Man-in-the-Middle attack possible even in an encrypted environment.

    2.6. Application-level attacks cannot be completely eliminated. Hackers are constantly discovering new vulnerabilities in application programs and publishing them on the Internet. The most important thing is good system administration.

    Measures you can take to reduce your vulnerability to this type of attack:

    • reading and/or analysis of operating system log files and network log files using special analytical applications;
    • timely updating of versions of operating systems and applications and installation of the latest correction modules (patches);
    • use of attack detection systems (IDS).

    2.7. It is impossible to completely get rid of network reconnaissance. If you disable ICMP echo and echo reply on edge routers, you get rid of ping testing, but you lose the data needed to diagnose network failures. In addition, ports can be scanned without prior ping testing; this will just take longer, since non-existent IP addresses will have to be scanned as well. IDS systems at the network and host level usually do a good job of notifying the administrator of ongoing network reconnaissance, which allows them to better prepare for an upcoming attack and notify the Internet service provider (ISP) on whose network a system showing excessive curiosity is installed.
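    The kind of notification an IDS gives for reconnaissance, as an added example that is not part of the original document: the Python below parses a constructed firewall-style log (the format, the addresses and the events are all made up for this example) and flags a source that pings many hosts in a short window (ping sweep) or touches many ports on one host (port scan), while a normal client that only ever uses one port stays silent. The thresholds and the window length are assumptions to be tuned per network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (not from any real product):
# "<ISO time> src=<ip> dst=<ip> proto=<tcp|icmp> [dport=<n>] [type=<icmp type>]"
LINE_RE = re.compile(
    r"^(\S+) src=(\S+) dst=(\S+) proto=(\S+)(?: dport=(\d+))?(?: type=(\d+))?")


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, proto, dport, itype = m.groups()
    return {"t": datetime.fromisoformat(ts), "src": src, "dst": dst, "proto": proto,
            "dport": int(dport) if dport else None, "itype": int(itype) if itype else None}


def sample_log():
    """Constructed sample: one host ping-sweeps 12 addresses, then scans 16 ports on one
    host; a normal client only ever talks to port 443."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i in range(1, 13):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} src=203.0.113.5 dst=192.0.2.{i} proto=icmp type=8")
    for i, port in enumerate(range(20, 36)):
        t = base + timedelta(seconds=20 + i // 2)
        lines.append(f"{t.isoformat()} src=203.0.113.5 dst=192.0.2.10 proto=tcp dport={port}")
    for i in range(5):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443")
    return lines


def _window_max(events, key, window):
    """Largest number of distinct `key` values within any `window` that ends at an event."""
    events.sort(key=lambda e: e["t"])
    best = 0
    for i, ev in enumerate(events):
        start = ev["t"] - window
        best = max(best, len({e[key] for e in events[:i + 1] if e["t"] >= start}))
    return best


def detect_recon(lines, window_seconds=60, port_threshold=10, host_threshold=8):
    """Flag (src, dst) pairs that touch many ports and sources that ping many hosts."""
    window = timedelta(seconds=window_seconds)
    tcp = defaultdict(list)    # (src, dst) -> connection attempts
    icmp = defaultdict(list)   # src -> echo requests
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "tcp" and ev["dport"] is not None:
            tcp[(ev["src"], ev["dst"])].append(ev)
        elif ev["proto"] == "icmp" and ev["itype"] == 8:
            icmp[ev["src"]].append(ev)
    alerts = {"port_scan": {}, "ping_sweep": {}}
    for pair, evs in tcp.items():
        n = _window_max(evs, "dport", window)
        if n >= port_threshold:
            alerts["port_scan"][pair] = n
    for src, evs in icmp.items():
        n = _window_max(evs, "dst", window)
        if n >= host_threshold:
            alerts["ping_sweep"][src] = n
    return alerts


if __name__ == "__main__":
    print(detect_recon(sample_log()))
```

    Counting distinct ports or hosts rather than raw packets is what keeps a busy but legitimate client below the threshold; a slow scanner that spreads its probes over longer than the window is the known blind spot of this approach.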

    2.8. The risk of breach of trust can be reduced by stricter control of the levels of trust within your network. Systems located outside the firewall should never have absolute trust from systems protected by the firewall. Trust relationships should be limited to specific protocols and, if possible, authenticated by parameters other than IP addresses.

    2.9. The main way to combat port forwarding is to use strong trust models (see clause 2.8). In addition, a host-based IDS (HIDS) can prevent a hacker from installing his own software on the host.

    2.10. The ways to combat unauthorized access are quite simple. The main thing is to reduce or completely eliminate the hacker's ability to gain access to the system using an unauthorized protocol. As an example, consider preventing hackers from accessing the telnet port on a server that provides Web services to external users. Without access to this port, a hacker will not be able to attack it. As for the firewall, its main task is to prevent the simplest attempts at unauthorized access.

    2.11. The fight against viruses and Trojan horses is carried out using effective anti-virus software that works at the user level and at the network level. Antivirus products detect most viruses and Trojan horses and stop their spread.

    3. Algorithm of actions when detecting network attacks

    3.1. Most network attacks are blocked by automatically installed information security tools (firewalls, trusted boot tools, network routers, antivirus agents, etc.).

    3.2. Attacks that require personnel intervention to block them or reduce the severity of the consequences include DoS attacks.

    3.2.1. DoS attacks are detected by analyzing network traffic. The beginning of the attack is characterized by "hammering" of communication channels with resource-intensive packets with fake addresses. Such an attack on an online banking website complicates access for legitimate users, and the web resource may become inaccessible.

    3.2.2. If an attack is detected, the system administrator performs the following actions:

    • manually switches the router to the backup channel and back in order to identify a less loaded channel (a channel with a wider bandwidth);
    • identifies the range of IP addresses from which the attack is carried out;
    • sends a request to the provider to block IP addresses from the specified range.
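    The traffic analysis of 3.2.1 and the second and third steps of 3.2.2 (identifying the attacking range and preparing the request to the provider), as an added example that is not part of the original document: the Python below works on constructed packet summaries (source, destination, TCP flags), counts sources whose SYNs never complete a handshake, and aggregates them into /24 ranges, which is the granularity a provider is usually asked to block. The packet data, the thresholds and the function names are all assumptions made for this example.

```python
import ipaddress
from collections import Counter


def sample_packets():
    """Constructed packet summaries (src, dst, tcp_flags); not captured traffic.
    Five legitimate clients complete the handshake (SYN then ACK); 140 spoofed
    sources in two /24 blocks send SYN only and never answer the SYN-ACK."""
    pkts = []
    for i in range(1, 6):
        pkts.append((f"198.51.100.{i}", "192.0.2.80", "S"))
        pkts.append((f"198.51.100.{i}", "192.0.2.80", "A"))
    for i in range(1, 101):
        pkts.append((f"203.0.113.{i}", "192.0.2.80", "S"))
    for i in range(1, 41):
        pkts.append((f"100.64.1.{i}", "192.0.2.80", "S"))
    return pkts


def half_open_by_source(pkts):
    """SYN count per source that never completed a handshake (no bare ACK seen)."""
    syn = Counter()
    completed = set()
    for src, _dst, flags in pkts:
        if "S" in flags and "A" not in flags:
            syn[src] += 1
        elif flags == "A":
            completed.add(src)
    return {src: n for src, n in syn.items() if src not in completed}


def analyze_syn_flood(pkts, ratio_threshold=0.5, min_half_open=50, min_per_range=10):
    """Decide whether the trace looks like a SYN flood and list the /24 ranges that
    contribute most of the half-open connections."""
    half = half_open_by_source(pkts)
    total_syn = sum(1 for _, _, f in pkts if "S" in f and "A" not in f)
    half_total = sum(half.values())
    ranges = Counter()
    for src, n in half.items():
        ranges[str(ipaddress.ip_network(f"{src}/24", strict=False))] += n
    attack = half_total >= min_half_open and half_total / max(total_syn, 1) >= ratio_threshold
    return {
        "attack": attack,
        "half_open": half_total,
        "total_syn": total_syn,
        "block_ranges": [r for r, n in ranges.most_common() if n >= min_per_range],
    }


if __name__ == "__main__":
    print(analyze_syn_flood(sample_packets()))
```

    Because flood sources are spoofed (as 3.2.1 notes), the ranges identified this way describe the addresses the packets carry, not the machines sending them; the request to the provider is therefore about filtering that address space upstream, which is why the page routes the block through the ISP rather than the local firewall.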

    3.3. A DoS attack is usually used to disguise a successful attack on client resources in order to make it difficult to detect. Therefore, when detecting a DoS attack, it is necessary to analyze the latest transactions in order to identify unusual transactions, block them (if possible), and contact clients through an alternative channel to confirm the transactions.

    3.4. If information about unauthorized actions is received from the client, all available evidence is recorded, an internal investigation is carried out and an application is submitted to law enforcement agencies.

    Each network attack can generally be divided into 5 stages (Table 3). In a real situation, some steps may be skipped.

    Table 3. Main classes of network attacks (network attack class: class description)

    1. Research: obtaining general information about the computer system (CS)
        1.1 Social engineering: obtaining information through polite ingratiation by phone, email, etc.
        1.2 Direct invasion: obtaining information through physical access to network equipment
        1.3 Dumpster diving: retrieving information from trash bins or archives
        1.4 WEB search: obtaining information from the Internet using public search engines
        1.5 WHOIS research: obtaining information from registration data about the owners of domain names, IP addresses and autonomous systems
        1.6 Studying DNS zones: obtaining information through the use of the domain name service
    2. Scanning: obtaining information about the infrastructure and internal structure of the CS
        2.1 Search for active devices: obtaining information about active CS devices
        2.2 Route tracing: determination of the CS topology
        2.3 Port scanning: obtaining information about active services operating in the CS
    3. Gaining access: obtaining privileged rights to manage CS nodes
        3.1 Stack overflow: execution of arbitrary code as a result of an attacker-caused software glitch
        3.2 Attack on passwords: selection of passwords from a list of standard ones or using a specially generated dictionary, interception of passwords
        3.3 Attacks on WEB applications: gaining access as a result of exploiting vulnerabilities in open CS WEB applications
        3.4 Sniffing: gaining access through passive (listening) and active (substitution of recipients) interception of CS traffic
        3.5 Session interception
    4. Exploitation of acquired rights to achieve hacking goals
        4.1 Maintaining access: installation of remote administration systems
        4.2 DOS attacks: disablement of devices and individual CS services
        4.3 Processing of confidential information: interception, copying and/or destruction of information
    5. Covering your tracks: concealing the fact of penetration into the CS from security systems
        5.1 Erasing system logs: deleting archived data from CS applications and services
        5.2 Hiding signs of online presence: tunneling within standard protocols (HTTP, ICMP, TCP headers, etc.)

    Let's consider the main methods and means of protection against the listed network threats.

    Social engineering. The best protection against social engineering is user awareness. It is necessary to inform all employees about the existence of social engineering and clearly define the types of information that cannot be disclosed over the phone under any pretext. If the organization provides options for providing any information by phone (telephone numbers, identification data, etc.), then these procedures should be clearly regulated, for example, using caller authentication methods.

    Direct Invasion:

    * access control system (access control systems, visitor log, badges, etc.);

    * physical safety of equipment (mechanical, electronic locks);

    * computer lock, screen savers;

    * file system encryption.

    Dumpster diving. The well-known paper-cutting machine (shredder) is the best defense against those who rummage through trash bins. Employees must have unhindered access to such machines so that they can destroy any valuable information. Another option: each user is provided with a separate bin for papers containing important information, from where the documents are sent to the paper-cutting machine every night. Employees must be clearly informed about how to handle confidential information.

    Search in WEB. The main method of protection is non-disclosure of information. It is necessary to make a necessary and sufficient list of information to be posted on public resources on the Internet. Excessive data about a company can “help” an attacker in realizing his intentions. Employees must be responsible for disseminating confidential information. Public information should be reviewed periodically, either in-house or with third-party companies.

    WHOIS research. There are no general defenses against an attacker obtaining your registration data. There are recommendations according to which the information in the relevant databases should be as accurate and plausible as possible. This allows administrators from different companies to communicate with each other without difficulty and help find intruders.

    Studying DNS zones. First of all, you need to check that there is no data leak from the DNS server, which occurs due to the presence of unnecessary information there. Such information can be host names containing the name of an operating system, or HINFO or TXT records. Secondly, the DNS server must be configured correctly to limit zone transfers. Third, you need to configure the border router so that only the backup DNS servers that synchronize with the central server have access to port 53 (TCP and UDP). You should also separate external and internal DNS servers. The internal server is configured to resolve only internal network names, and forwarding rules are used to resolve external network names. That is, the external DNS server should not "know" anything about the internal network.

    Search for active devices and trace routes. The method of protection is to install and configure firewalls to filter packets in such a way as to filter out requests from programs used by an attacker. For example, blocking ICMP requests from untrusted sources will make tracing very difficult.

    Port scanning. The first and most important thing is to close all unused ports. For example, if you do not use TELNET, then you need to close the corresponding port. When deploying a new system, you need to find out in advance which ports it uses and open them as needed. In particularly important systems, it is recommended to remove the programs corresponding to unnecessary services. The best system setup is considered to be one in which the number of installed services and tools is minimal. Second, you need to test your own system for penetration yourself, thereby anticipating the actions of the intruder. To protect against more advanced scanners, it is recommended to use packet filters with connection state tracking. Such filters examine protocol packets and pass only those that belong to established sessions.

    General recommendations against scanning are the timely use of security packages, the use of intrusion detection systems (IDS) and intrusion prevention systems (IPS) for the network and hosts, and their timely updating.
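    One concrete form of the "close all unused ports" check above, as an added example that is not part of the original document: the Python below parses the listening-socket table in the layout printed by iproute2's `ss -lntu` (the socket rows themselves are constructed for this example) and compares it with an allowlist of the ports a host is supposed to expose, reporting anything else, with loopback-only listeners kept separate because they are not reachable from the network. The allowlist and the function names are assumptions for this example.

```python
# Constructed sample of `ss -lntu` output: the column layout of iproute2's ss,
# with made-up sockets (a telnet listener on 23 is the unexpected one)
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:3306    0.0.0.0:*
tcp   LISTEN 0      511    [::]:443          [::]:*
"""

# Hypothetical allowlist for a public web server: (protocol, port)
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 68)}


def parse_ss(output):
    """Turn `ss -lntu` text into a list of {proto, state, addr, port} dicts."""
    sockets = []
    for line in output.strip().splitlines()[1:]:   # skip the header row
        parts = line.split()
        if len(parts) < 6:
            continue
        netid, state, _recvq, _sendq, local, _peer = parts[:6]
        addr, port = local.rsplit(":", 1)          # handles both 0.0.0.0:22 and [::]:443
        sockets.append({"proto": netid, "state": state,
                        "addr": addr.strip("[]"), "port": int(port)})
    return sockets


def audit_listeners(sockets, allowed):
    """Report listeners not on the allowlist, separating loopback-only ones."""
    unexpected, loopback = [], []
    for s in sockets:
        key = (s["proto"], s["port"])
        if key in allowed:
            continue
        (loopback if s["addr"] in ("127.0.0.1", "::1") else unexpected).append(key)
    return {"unexpected": sorted(unexpected), "loopback_only": sorted(loopback)}


if __name__ == "__main__":
    print(audit_listeners(parse_ss(SAMPLE_SS_OUTPUT), EXPECTED_LISTENERS))
```

    Run against real output (`ss -lntu` on the host), the "unexpected" list is the set of services to remove or firewall, and a change in it between two runs is exactly what the page's "find out in advance which ports a new system uses" is meant to catch.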

    Stack overflow. Methods for protecting against this type of attack can be divided into two categories.

    • 1. Methods that system administrators and security officers use when operating, configuring and maintaining systems: timely application of patches to systems, tracking updates and service packs of installed products, removal of unnecessary programs and services, control and filtering of incoming/outgoing traffic, setting up a non-executable stack. Many IDSs are capable of detecting memory overflow attacks based on signatures.
    • 2. Methods used by software developers in the process of creating programs: eliminating programming errors by checking the available memory space and the amount of input data passing through the application, refraining from using functions that are problematic from a security point of view, and compiling programs using special tools.

    The above methods help to minimize the number of stack overflow attacks, but do not guarantee the complete safety of systems.

    Password attacks. The first and most important thing is "strong" passwords. These are passwords that are at least 9 characters long and contain special characters. Next is changing passwords regularly. For this to work correctly, it is recommended to develop a password policy adapted to the specific organization and make its contents known to all users. It would be a good idea to provide employees with specific guidelines for creating passwords. Secondly, it is recommended to use systems with a built-in check for "weak" passwords. If there is no such check, then additional software that performs similar functionality should be deployed. The most effective way is to refuse passwords and use authentication systems (smart cards, etc.). It is recommended to regularly perform test "cracking" of your own passwords. It is good practice to protect hashed password files as well as their shadow copies.
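    The built-in "weak password" check recommended above and the composition rules of section 2.4 (minimum length, uppercase, digits, special characters), as one added example that is not part of the original document: the Python below checks a candidate against a configurable minimum length (8 in section 2.4, 9 here) and the character classes the page lists, and also rejects dictionary words that have only been decorated with trailing digits or punctuation. The weak-password list is a tiny constructed sample; a real deployment uses a far larger one. The function names are assumptions for this example.

```python
import string

# Constructed sample of a weak-password list; a real deployment uses a much larger one
WEAK_PASSWORDS = {"password", "qwerty", "welcome", "letmein", "admin"}


def normalize(pw):
    """Strip the digits/punctuation people append to a dictionary word ('Password1!' -> 'password')."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def check_password(pw, min_length=8, weak_list=WEAK_PASSWORDS):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if normalize(pw) in weak_list:
        problems.append("appears in the weak-password list")
    return problems


if __name__ == "__main__":
    for candidate in ["Tr0ub4dor&3", "password1!", "Abc1!"]:
        print(candidate, check_password(candidate, min_length=9))
```

    Returning every violation at once, rather than stopping at the first, is what lets the check double as the user guidance the page asks for: the user sees all the reasons a password was refused in one message.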

    Attacks on WEB applications. In order to protect against account theft, it is necessary to display the same error message when an incorrect login or password is entered. This will make it difficult for an attacker to guess a login or password. The best protection against session hijacking attacks is hashing the transmitted session information, dynamically changing the session ID, and terminating inactive sessions. The most dangerous attacks are SQL injections into an application. Protection against them consists of developing WEB applications in such a way that they carefully filter user-supplied data. The application should not blindly trust input, since it may contain characters that can be used to modify SQL commands. The application must remove special characters before processing the user's request.
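    Two of the points above side by side, as an added example that is not part of the original document: a login function that pastes user input into the SQL text, next to the hardened version that passes the input as a bound parameter (so quote characters can no longer change the command structure) and returns the same error for an unknown user and a wrong password. The in-memory SQLite database, the single user record and the function names are constructed for this example; the unsalted hash is used only to keep the example short, a real system stores a salted, slow password hash.

```python
import hashlib
import sqlite3

GENERIC_ERROR = "invalid login or password"   # identical for unknown user and wrong password


def _digest(password):
    # Unsalted SHA-256 keeps the example short; real systems use a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    """Constructed in-memory database with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", _digest("Correct-Horse-9!")))
    return conn


def login_vulnerable(conn, login, password):
    """BAD: user-controlled text becomes part of the SQL statement itself."""
    query = (f"SELECT login FROM users WHERE login = '{login}' "
             f"AND pw_hash = '{_digest(password)}'")
    row = conn.execute(query).fetchone()
    return (True, row[0]) if row else (False, GENERIC_ERROR)


def login_hardened(conn, login, password):
    """Bound parameters: the driver sends the values separately from the statement,
    so whatever characters the input contains, it is compared as data only."""
    row = conn.execute("SELECT login FROM users WHERE login = ? AND pw_hash = ?",
                       (login, _digest(password))).fetchone()
    return (True, row[0]) if row else (False, GENERIC_ERROR)


def demo():
    conn = setup_db()
    crafted = "alice' --"   # the quote closes the literal; -- comments out the password check
    return {
        "vulnerable_bypassed": login_vulnerable(conn, crafted, "wrong")[0],
        "hardened_rejected": not login_hardened(conn, crafted, "wrong")[0],
        "hardened_valid": login_hardened(conn, "alice", "Correct-Horse-9!")[0],
        "same_error": (login_hardened(conn, "nobody", "x")[1]
                       == login_hardened(conn, "alice", "wrong")[1]),
    }


if __name__ == "__main__":
    print(demo())
```

    Note that the hardened version does not "remove special characters" at all: with bound parameters the database never parses the input as SQL, which is the more robust form of the filtering the page describes, and it also keeps legitimate names containing apostrophes working.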

    It should be noted that the WAF (Web Application Firewall) area is actively developing today: an application-level firewall that provides comprehensive methods for protecting WEB resources. Unfortunately, these solutions are mainly available only to large companies due to their high cost.

    Sniffing. The first measure is encryption of data transmitted over the network; the protocols used for this are HTTPS, SSH, PGP and IPSEC. The second is careful handling of security certificates and rejection of dubious certificates. Use modern switches that allow you to configure MAC filtering on ports and implement a static ARP table. Use VLANs.

    IP spoofing. This threat can be minimized by the following measures.

    • 1. Access control. Packet filters are installed at the network border to filter out all traffic from the external network in which the source address is one of the internal network addresses.
    • 2. RFC 2827 filtering. It consists of cutting off outgoing internal network traffic in which the source address is not one of your organization's IP addresses.
    • 3. The introduction of additional types of authentication (two-factor) and cryptographic protection makes such attacks completely ineffective.
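    The two filtering rules above, which are the same rules as 2.2.1 and 2.2.2 in section 2, expressed as one added example that is not part of the original document: the Python below models a border access list that denies inbound packets claiming an internal source (access control) and outbound packets whose source is not one of the organization's addresses (RFC 2827 egress filtering), and additionally drops inbound sources that can never legitimately appear on the Internet (loopback, unspecified, multicast). The organization's address block is represented by a documentation prefix, and the packet list and function names are constructed for this example.

```python
import ipaddress
from collections import Counter

# Constructed: the organization's own address block (a documentation prefix stands in for it)
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def border_acl(direction, src, dst):
    """Verdict for one packet at the border router (dst is carried for completeness).
    direction: 'in' = arriving from the ISP, 'out' = leaving toward the ISP."""
    src_ip = ipaddress.ip_address(src)
    if direction == "in":
        # 2.2.1 access control: nothing from outside may claim an inside source address
        if is_internal(src):
            return "deny"
        # addresses that can never legitimately be a source on the Internet
        if src_ip.is_loopback or src_ip.is_unspecified or src_ip.is_multicast:
            return "deny"
        return "permit"
    if direction == "out":
        # 2.2.2 / RFC 2827 egress filtering: only our own addresses may leave
        return "permit" if is_internal(src) else "deny"
    raise ValueError(f"unknown direction {direction!r}")


def apply_acl(packets):
    """Count verdicts over (direction, src, dst) tuples."""
    return Counter(border_acl(*p) for p in packets)


# Constructed sample packets
SAMPLE_PACKETS = [
    ("in", "203.0.113.9", "192.0.2.80"),      # normal inbound client
    ("in", "192.0.2.5", "192.0.2.80"),        # inbound packet claiming an inside address: spoofed
    ("in", "127.0.0.1", "192.0.2.80"),        # loopback as source: bogus
    ("out", "192.0.2.5", "203.0.113.9"),      # normal outbound
    ("out", "203.0.113.9", "198.51.100.1"),   # inside host using someone else's address
]

if __name__ == "__main__":
    print(apply_acl(SAMPLE_PACKETS))   # Counter({'deny': 3, 'permit': 2})
```

    The egress rule is the one that protects other networks rather than your own, which is why the page says it can also be applied by the provider: an ISP applying it on the customer-facing interface catches the same packets one hop later.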

    Intercepting a communication session. This type of attack can only be effectively combated using cryptography. This could be the SSL protocol, VPN networks, etc. For the most critical systems, it is advisable to use encryption in internal networks. An attacker who intercepts traffic from an encrypted session will not be able to obtain any valuable information from it.

    DOS attacks. To describe the means of protection against DOS attacks, let's consider their classification. These attacks generally fall into two categories: service termination and resource depletion (Table 5). Termination of services is the failure or shutdown of a specific server used on the network. Resource exhaustion is the expenditure of computer or network resources in order to prevent users from obtaining the attacked service. Both types of attacks can be carried out either locally or remotely (via a network).

    Protection against termination of local services: current security patches for local systems, regular error correction, differentiation of access rights, use of file integrity checking programs.

    Protection against local resource depletion: applying the principle of least privilege when assigning access rights, increasing system resources (memory, processor speed, communication channel bandwidth, etc.), and the use of IDS.

    Protection against remote termination of services: application of patches, quick response.

    The best defense against remote resource depletion is to respond quickly to an attack. Modern IDS systems and cooperation with the provider can help with this. As in the previous paragraphs, systems should be updated and patched promptly. Use anti-spoofing features. Limit the amount of traffic from the provider. For the most critical systems, it is necessary to have adequate bandwidth and redundant communication links.

    Maintaining access. Viruses and Trojan horses. The best protection is effective antivirus software that works both at the user level and at the network level. To ensure a high level of security against these threats, regular updates of antivirus software and signatures of known viruses are required. The second step is obtaining current updates for operating systems and setting up application security policies in accordance with the current recommendations of their developers. It is necessary to train users in the skills of "safe" work on the Internet and with e-mail. Protection against rootkits is provided by access control policies, anti-virus software, the use of decoys and intrusion detection systems.

    Covering up tracks. After an attack, the attacker typically tries to avoid detection by security administrators. For this purpose, he changes or deletes the log files that store the history of the offender's actions. Creating effective protection that prevents an attacker from changing log files is the most important condition for security. The amount of effort that must be expended to protect the logging information of a given system depends on its value. The first step to ensuring the integrity and usefulness of log files is to enable logging on critical systems. To avoid a situation where, in an emergency, it turns out that logs are disabled, it is necessary to create a security policy that regulates the procedures for maintaining logs. It is recommended that systems be regularly audited to ensure compliance with this policy. Another necessary measure to protect log files is to restrict access rights to these files. An effective method for protecting logging information is to install a dedicated event logging server with an appropriate level of security. Encrypting log files and allowing writes only at the end of the file (append-only) are also good protection methods, as is the use of IDS systems. You can protect against tunneling in two places: on the target computer and on the network. On the destination computer, protection is provided by access rights, antivirus software, secure configuration, and installation of updates. At the network level, tunneling can be detected by intrusion detection systems.
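    What a dedicated logging server can add beyond "write only at the end of the file", as an added example that is not part of the original document: the Python below keeps a hash chain over the log, where every record carries an HMAC over its own content and the previous record's tag, keyed with a secret that lives on the log server rather than on the monitored hosts. Deleting, editing or reordering any record then breaks verification from that point on, which is how an administrator checking the logs after an incident can tell that they were tampered with and from which record. The ChainedLog class, the key and the sample entries are constructed for this example.

```python
import copy
import hashlib
import hmac

GENESIS = "0" * 64   # 'previous tag' of the first record


def _tag(key, prev, entry):
    return hmac.new(key, f"{prev}|{entry}".encode(), hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only log: every record carries an HMAC over itself and the previous tag,
    so deleting, reordering or editing any record breaks the chain from that point on.
    The key lives on the log server, not on the hosts that send events."""

    def __init__(self, key):
        self.key = key
        self.records = []

    def append(self, entry):
        prev = self.records[-1]["tag"] if self.records else GENESIS
        self.records.append({"entry": entry, "prev": prev, "tag": _tag(self.key, prev, entry)})


def verify_chain(records, key):
    """Return None if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, r in enumerate(records):
        if r["prev"] != prev or not hmac.compare_digest(r["tag"], _tag(key, prev, r["entry"])):
            return i
        prev = r["tag"]
    return None


def tamper_demo():
    """(intact, after deleting record 1, after editing record 2) -> (None, 1, 2)."""
    key = b"constructed-log-server-key"   # sample key; in practice from a protected key store
    log = ChainedLog(key)
    for entry in ["login alice ok", "sudo alice", "login bob failed", "sshd restarted"]:
        log.append(entry)
    deleted = copy.deepcopy(log.records)
    del deleted[1]                       # an attacker removes the record of his own action
    edited = copy.deepcopy(log.records)
    edited[2]["entry"] = "login bob ok"  # or rewrites it
    return verify_chain(log.records, key), verify_chain(deleted, key), verify_chain(edited, key)


if __name__ == "__main__":
    print(tamper_demo())
```

    The chain cannot stop a host that has been fully compromised from simply not sending events; that gap is covered by the page's other measures (the logging policy and regular audits), and by the log server raising an alarm when a host goes quiet.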

    The main methods of protection against network attacks have been listed above. Based on them, complex solutions are built that can combine a number of information protection functions and be used in a specific network infrastructure module.