This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
This chapter aims to throw light on the types of attacks or intrusions to which an organization's network could be vulnerable. Though this is not an exhaustive list, an attempt is made to explain the main threats in today's network environments.
Some of the types of attacks are:
DoS - Denial of Service attack - Used to flood a target machine, usually a web server, with an unlimited stream of probes or requests so that it becomes unreachable
DDoS - Distributed Denial of Service attack - Similar to DoS except that it is carried out from many different machines at the same time
Virus - Replicating programs which attach themselves to other executable applications
Trojan Horses - Malicious programs that arrive bundled with other, apparently legitimate applications
Worm - Self-replicating programs which create many copies of themselves
Logic Bomb - An application that is started or triggered when a specific condition is met
Hacking is, put simply, obtaining information or data not owned by the operator in an unauthorized or unlawful manner, either for one's own use or simply for the sake of enjoyment.
There are several types of hacking prevalent in today's environment, some of which are outlined below.
In this attack the victim is made to believe that information is being sent from a legitimate source when it is not. The internet address is faked to resemble the one from which the information is expected. The attack takes several forms and has various outcomes:
The attack can be pointed at a particular system as if the traffic came from that same computer. This fools the machine into believing it is communicating with itself. On some operating systems such as Windows, this causes failure and crashing of the platform.
Source Routing Access:
It is also possible for attackers to illegally enter other friendly but sparsely protected networks and use them as a stepping stone to gain entry to the intended network.
Man in the middle Attack:
Session Hijack: A hacker can observe an open session on the network. After authentication has taken place, the client computer is attacked and disabled, and by the use of spoofing the attacker's machine camouflages itself to resemble the authenticated machine and takes control of the session. This type of intrusion can be avoided if the two machines additionally share a secret which is verified either at the beginning of the session or at intervals during the session.
Server Spoofing: A utility called C2MYAZZ can be run against Windows 95 machines, requesting LANMAN authentication from the client machine. The hacker runs this application while impersonating the server as the legitimate user logs in. Once the client is fooled into performing LANMAN verification, the user's credentials can be read from the flow of network packets.
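The session-hijack countermeasure above (a shared secret verified during the session) can be made concrete with a per-message HMAC tied to a sequence number. This is an added illustration, not code from the essay; the shared secret, session id and message contents are constructed assumptions.

```python
import hmac
import hashlib

# Constructed example (not from the essay): both ends hold a shared secret
# agreed at session start; each message carries a sequence number and an HMAC
# tag, so a peer that merely spoofs the client's address cannot continue the session.
SHARED_SECRET = b"constructed-shared-secret"   # assumption: exchanged securely at login
SESSION_ID = "sess-0001"                        # assumption: chosen by the server

def tag_message(secret: bytes, session_id: str, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 tag binding the payload to this session and sequence number."""
    msg = session_id.encode() + seq.to_bytes(8, "big") + payload
    return hmac.new(secret, msg, hashlib.sha256).digest()

class VerifiedSession:
    """Receiver side: accept a message only if its tag verifies and the sequence advances."""
    def __init__(self, secret: bytes, session_id: str):
        self.secret = secret
        self.session_id = session_id
        self.expected_seq = 0

    def accept(self, seq: int, payload: bytes, tag: bytes) -> bool:
        if seq != self.expected_seq:          # replayed or out-of-order message
            return False
        expected = tag_message(self.secret, self.session_id, seq, payload)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            return False
        self.expected_seq += 1
        return True

def demo() -> tuple:
    """Legitimate message, forged message without the secret, and a replay."""
    server = VerifiedSession(SHARED_SECRET, SESSION_ID)
    payload0 = b"GET /account"
    tag0 = tag_message(SHARED_SECRET, SESSION_ID, 0, payload0)
    ok_legit = server.accept(0, payload0, tag0)
    # Hijacker has disabled the client and spoofs its address, but lacks the secret.
    forged_tag = tag_message(b"guessed-secret", SESSION_ID, 1, b"TRANSFER 1000")
    ok_forged = server.accept(1, b"TRANSFER 1000", forged_tag)
    # Hijacker replays the captured, correctly tagged first message.
    ok_replay = server.accept(0, payload0, tag0)
    return ok_legit, ok_forged, ok_replay
```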
Poisoning of DNS:
In this attack, the DNS is corrupted. DNS poisoning works under favorable conditions, though it may not always be a practical option for a hacker. The hacker sends incorrect DNS details in order to divert internet traffic. This DNS data can be altered because name servers usually do not check the source of a DNS transaction. As soon as a DNS request occurs, the hacker can send a wrong DNS reply, carrying further incorrect information which the requesting server may then store. This option is useful for diverting users away from a legitimate internet server such as a bank and recording details from the customers when they try to log on.
This particular attack is used to obtain the credentials of a user or of a system or network administrator in order to gain unauthorized access to the user's details.
Common DoS Attack Types:
Ping Broadcast: In this type of attack, a ping request is sent to a broadcast network address which covers several host machines. The source address in the packet is set to the internet address of the victim machine. If the router to the network forwards the ping broadcast, all the machines on that network reply to the machine under attack. The victim machine is flooded with ping replies, which leaves it unable to operate on the network for a while and might also make it crash. The victim machine can also be on someone else's network. This intrusion type can be prevented by blocking traffic that comes from a broadcast address and is directed at the machine in question on the network.
Ping of death: A very large ICMP packet can crash internet devices which were manufactured earlier than 1996.
Smurf: An attack where the ping request is sent to a broadcast network address with the originating address spoofed, so that many ping replies return to the victim and overwhelm its capacity to process them.
Teardrop: First a legitimate packet fragment is sent. The second fragment claims to have a fragment offset that lies inside the first fragment, and this second fragment is too small even to reach beyond the boundary of the first one. This causes an unexpected error condition on the victim machine, resulting in a buffer overflow and a machine hang on several operating platforms.
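The four DoS patterns above (the self-addressed "land" packet, ping broadcast/Smurf, ping of death, teardrop) all show up in packet header fields, so a detector can flag them from headers alone. The following is an added example, not code from the essay; the packet records are constructed, and the /24 broadcast convention is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed packet records (not the essay's data): only the header fields
# needed for the four DoS patterns described above.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp" or "tcp"
    length: int = 64                 # payload bytes carried by this datagram/fragment
    icmp_type: Optional[int] = None  # 8 = ICMP echo request
    frag_id: int = 0
    frag_offset: int = 0             # byte offset of this fragment within the datagram
    more_frags: bool = False

MAX_DATAGRAM = 65535                 # maximum IPv4 datagram size
BROADCAST_SUFFIX = ".255"            # assumption: /24 subnets, broadcast host part is .255

def detect_dos(packets):
    """Return (pattern, index) findings for land, smurf, ping-of-death and teardrop."""
    findings = []
    seen_frags = {}                  # (src, dst, id) -> highest byte already covered
    for i, p in enumerate(packets):
        if p.src == p.dst:
            findings.append(("land", i))           # host tricked into talking to itself
        if p.proto == "icmp" and p.icmp_type == 8 and p.dst.endswith(BROADCAST_SUFFIX):
            findings.append(("smurf", i))          # echo request aimed at a broadcast address
        if p.frag_offset + p.length > MAX_DATAGRAM:
            findings.append(("ping_of_death", i))  # fragment would push datagram past 64 KiB
        if p.frag_offset or p.more_frags:
            key = (p.src, p.dst, p.frag_id)
            covered = seen_frags.get(key, 0)
            if p.frag_offset < covered:
                findings.append(("teardrop", i))   # fragment overlaps data already received
            seen_frags[key] = max(covered, p.frag_offset + p.length)
    return findings

SAMPLE = [  # constructed traffic; one benign ping at the end
    Packet("10.0.0.5", "10.0.0.5", "tcp"),
    Packet("10.0.0.9", "192.168.1.255", "icmp", icmp_type=8),
    Packet("10.0.0.7", "10.0.0.9", "icmp", length=1480, frag_id=1, more_frags=True),
    Packet("10.0.0.7", "10.0.0.9", "icmp", length=1000, frag_id=1, frag_offset=65000),
    Packet("10.0.0.8", "10.0.0.9", "tcp", length=36, frag_id=2, more_frags=True),
    Packet("10.0.0.8", "10.0.0.9", "tcp", length=4, frag_id=2, frag_offset=24),
    Packet("10.0.0.3", "10.0.0.9", "icmp", icmp_type=8),
]
```

Running `detect_dos(SAMPLE)` flags packets 0, 1, 3 and 5 and leaves the final ordinary ping alone.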
Countermeasures - Intrusion Detection Systems
Having looked at the different types of intrusions prevalent in today's environment, we will also analyze one of the countermeasures, i.e. Intrusion Detection/Prevention Systems.
Types of Intrusion Detection:
NIDS - Network Intrusion Detection - This type of IDS/IPS is used to secure organizational networks or large portions of them. It listens to all the traffic flowing over the network and attempts to detect and log any intrusion or anomaly based on the data carried in the packets. The location of this IDS on the network is essential for the best analysis of packets originating from different network devices such as hubs, switches, routers, bridges, etc.
HIDS - Host or System Intrusion Detection - The Host Intrusion Detection System is employed to watch one particular host or machine, usually a web server. This method of intrusion detection is most effective when the server is located away from the firewall so that it is neither on the internet nor on the internal network; it can also be employed in a zone known as the Demilitarized Zone (DMZ). However, this flavor of intrusion detection system is only fully effective at checking and securing one particular service or application.
Essentials of Intrusion Detection:
The following essential components of an Intrusion Detection System usually apply more to network intrusion detection than to host or system intrusion detection.
Intrusion Detection Systems mostly consist of two main parts: the detection engine and the control console. These are usually located on different machines. The console is used to control and amend the way the intrusion detection engine behaves. Once an intrusion is detected or an alert is triggered, an analysis of the network traffic is done and steps are taken accordingly by the intrusion detection engine.
Since Network Intrusion Detection Systems must work on huge volumes of network information, the machines on which they are installed need high processing power, along with enough RAM and hard disk space to store the tracking data and log information.
Features of IDS:
The paths and patterns of the attacks are recorded and stored using a database for analysis later.
Reassembling of Data Packets: Once packets are received by a system, they may or may not be reassembled. Usually Intrusion Detection Systems do not reassemble the packets in this way; however, without doing so, some intrusions might be missed.
Verifying Checksum: A well-designed IDS verifies checksums to confirm that the information transferred in the packets has not been tampered with.
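The checksum verification described above can be demonstrated on the IPv4 header, whose checksum is the RFC 1071 one's-complement sum: a header that verifies sums to zero once its own checksum field is included. This is an added example, not code from the essay; the addresses and lengths are constructed values.

```python
import struct

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: str, dst: str, total_length: int, ttl: int = 64, proto: int = 1) -> bytes:
    """Construct a minimal 20-byte IPv4 header (no options) with a correct checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    # version/IHL, TOS, total length, identification, flags/fragment offset,
    # TTL, protocol, checksum placeholder, source, destination
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0, ttl, proto, 0, src_b, dst_b)
    csum = internet_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]

def header_checksum_ok(hdr: bytes) -> bool:
    """IDS-style check: the sum over the whole header (checksum field included) must be zero."""
    ihl = (hdr[0] & 0x0F) * 4                   # header length in bytes
    if ihl < 20 or len(hdr) < ihl:
        return False
    return internet_checksum(hdr[:ihl]) == 0

def demo() -> tuple:
    """A valid header, and a copy whose destination was rewritten in transit."""
    good = build_ipv4_header("10.0.0.5", "10.0.0.9", 84)      # constructed addresses
    tampered = good[:16] + bytes([10, 0, 0, 77]) + good[20:]  # checksum not recomputed
    return header_checksum_ok(good), header_checksum_ok(tampered)
```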
Actions of Intrusion Detection
Record attack data or raw information packets.
Alert the system administrator through electronic mail or other media
Block the intrusion; several methods can be used:
Disrupting the session in progress: The detection system is capable of sending ACK-FIN packets to either end of the connection to end the session. It would usually perform this action if it is apparent that a machine is being hacked and access is being attempted in an unauthorized manner.
Change or amend the way the firewall or router behaves during the attack so that changes can be immediately detected and logged.