TCP/IP and Security

  The types of attack that could be launched against your networks depend on who is attacking and why. The more motivated the cracker^1.3 to succeed, the more sophisticated the attacks will be. Teenage crackers are generally not very sophisticated, nor do they have the motivation to expend the effort required for sophisticated attacks; instead they usually just exploit poorly secured systems having well-known vulnerabilities using cracking programs freely available on the Internet (for this reason, such `crackers' are often referred to derisively as `script kiddies'). In determining how much defence your networks need, you need to determine whether there could be attacks motivated by industrial, political, commercial or military espionage and/or criminal activities. In such cases, the attacks may be much more sophisticated, and much harder to trace.

  Broadly speaking, there are two classes of attacks: denial-of-service attacks and unauthorised service access. The former aims to deny access to those who should have it, while the latter aims to grant access to those who shouldn't have it.

Denial-of-service attacks  involve attempting to crash or otherwise make unavailable network hosts, gateways, mail servers, etc. Such attacks can be made in a number of ways:

• Physical tampering with cables, power supplies or hosts;

• Flooding a machine with mail messages, printer or system log requests, or TCP connection requests ^1.4, in an attempt to crash it, overload it, or fill up its disk space;

• Attempting to crash a machine or alter a running program by sending long messages to servers that do not check for this, causing them to overwrite other data. This was one mechanism used by the famous Internet `worm' of 1988. Similarly, in October 1996 it was found that a number of UNIX operating systems could be crashed by `pinging' them with a large packet size.

• Attempting to crash a machine by causing other exceptional conditions (such as division by zero).

Denial-of-service attacks are usually easy to carry out. Most of these attacks can be prevented from succeeding by using robust server programs and through regular monitoring of disk space, CPU and network usage, log files, and so on.

Unauthorised-service-access attacks  are usually done either through impersonation (of a trusted user or host) or through hijacking of established sessions. Examples of such attacks are:

• Password-cracking attacks , facilitated by lax password control and easily available password cracking programs. These usually use fast, brute-force dictionary-based attacks to discover weak passwords, after which the user can be impersonated;

• Exploiting security holes in publicly accessible servers (for example, many mail servers have security holes that can be exploited);

• Address-spoofing  attacks, in which the attacker makes a host appear to be some other trusted host and thus gains access;

• Tunnelling and routing attacks, in which the attacker uses dynamic routing or protocol tunnelling methods to bypass strongly defended hosts and gain access to weakly defended hosts;

• Session hijacking , in which an established session is hijacked by the attacker, usually through injecting false packets into the network.

  The last three types of attacks require considerable sophistication to carry out. In particular, session hijacking is very difficult to do (but also very hard to prevent, except by the use of encryption). These attacks are easier the closer the attacker is to the targeted network; usually the point of attack needs to be along the physical route between two hosts which trust each other.