Attackers are becoming increasingly sophisticated, using advanced techniques to compromise the critical information infrastructure that supports networks and information flow. To make their attacks succeed, they devise new mechanisms for promoting anonymity and evading detection.
- Promoting anonymity
Network attacks are classified into interactive attacks, where the perpetrator is concerned with stealing information from another user of the network, and non-interactive attacks, where the perpetrator uses malicious software to mount denial of service attacks on other members of the network.
The two most common methods used by attackers are:
- Stepping stones chains
- IP-spoofing
- Stepping stone chains
Stepping stone chains involve connecting an intruder indirectly through a sequence of hosts known as stepping stones. Stepping stone attacks are the result of intermediary hosts that were compromised earlier and remain available for further use.
This means that attackers launch attacks from computers other than their own, compromised beforehand, in order to conceal their tracks. Intruders assemble a collection of accounts on compromised hosts and then conduct a new attack by logging in to a series of hosts before finally launching the assault on the target.
- Detecting stepping stones is important because it helps flag suspicious activity and maintain logs in case a break-in is subsequently found to originate from a local site.
- It also helps detect inside attackers laundering their connections through external hosts, and enforce policies regarding transit traffic.
- Lastly, it allows the detection of insecure combinations of legitimate connections, such as clear-text Telnet sessions that expose an SSH passphrase.
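As an added example (not part of the original text), the following Python sketch shows the kind of stepping stone detection the points above call for: it pairs interactive sessions (SSH/Telnet) where one session is opened by the very host another session just logged into, while that first session is still alive. It covers both a local pivot (a classic stepping stone) and the insider-laundering case (a local host connects out, and a connection from that external host comes back in). The site prefix, flow records and timing threshold are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")   # the monitored site (assumed)
INTERACTIVE_PORTS = {22, 23}             # SSH and Telnet, the sessions stepping stones use

@dataclass(frozen=True)
class Flow:
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int

def is_local(ip: str) -> bool:
    return ip_address(ip) in LOCAL_NET

def stepping_stone_chains(flows, max_lag=timedelta(seconds=60)):
    """Find pairs of interactive sessions chained through one host: session b is
    opened *by* the host that session a logged *into*, shortly after a began and
    while a is still open. A local pivot is a classic stepping stone; an external
    pivot reached first from inside is an insider laundering a connection."""
    sessions = [f for f in flows if f.dport in INTERACTIVE_PORTS]
    chains = []
    for a in sessions:
        for b in sessions:
            if a is b or a.dst != b.src:
                continue
            lag = b.start - a.start
            if timedelta(0) <= lag <= max_lag and b.start < a.end:
                kind = "stepping stone" if is_local(a.dst) else "insider laundering"
                chains.append((kind, a.src, a.dst, b.dst))
    return chains

# Constructed flow records (seconds after a fixed origin), not real traffic.
T0 = datetime(2024, 1, 1, 12, 0, 0)
def T(sec): return T0 + timedelta(seconds=sec)
FLOWS = [
    Flow(T(0),   T(600),  "203.0.113.7",  "10.0.0.5",     22),  # outside -> local host
    Flow(T(12),  T(590),  "10.0.0.5",     "10.0.0.20",    22),  # that host -> internal target
    Flow(T(0),   T(400),  "10.0.0.9",     "198.51.100.3", 22),  # insider -> external host
    Flow(T(45),  T(380),  "198.51.100.3", "10.0.0.30",    22),  # external host -> back inside
    Flow(T(100), T(130),  "10.0.0.40",    "10.0.0.50",    443), # unrelated HTTPS flow
    Flow(T(900), T(1000), "10.0.0.5",     "10.0.0.21",    22),  # SSH long after the inbound session ended
]

if __name__ == "__main__":
    for kind, origin, pivot, target in stepping_stone_chains(FLOWS):
        print(f"{kind}: {origin} -> {pivot} -> {target}")
```

Real deployments add timing correlation of the packets inside the two sessions; the overlap-and-lag rule here is the coarse first pass that flags candidates worth logging.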
- IP-spoofing
Networks rely on truthful information; without accurate information they do not work correctly. Attackers use lies to deceive networks and the systems attached to them, thereby affecting their operation. Source address spoofing is a way of lying about a packet's return address.
Attackers have used source address spoofing to mount denial of service attacks against commercial servers and networks. Although the phenomenon is still widely misunderstood, measures have been taken to make such attacks unsuccessful. Users can become victims of address spoofing and, more worryingly, a source of attacks based on source address spoofing, unless they understand how it works and take measures to prevent it.
To become spoof-proof, ISPs practise ingress filtering, which filters and drops any packet with a spoofed source address. For instance, Cisco Express Forwarding is an advanced IP switching technology designed for high-performance layer 3 IP switching.
- Attack from a trusted host
IP spoofing is a form of IP address forgery in which an attacker masquerades as a trusted host to conceal his identity. The attacker obtains the IP address of the legitimate host and alters packet headers so that the packets appear to come from that legitimate host. A user who visits the site is redirected to spoofed content created by the attacker, and in this way the attacker gains access to sensitive information and network resources. Beyond this, the attacker could alter sensitive information, install malware, and take control of the compromised computer in order to send out spam.
Administrators can minimise such attacks by implementing hierarchical or one-time passwords and data encryption techniques. Users and administrators can protect themselves and their networks by installing firewalls that block outgoing packets whose source addresses differ from the IP address of the user's computer or its network.
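As an added example (not from the original text or any vendor's code), here is a Python model of the source-address validation described in the ingress filtering paragraph above and in the firewall rule just mentioned: a customer-facing interface forwards only packets sourced from that customer's own prefixes (the same rule a site firewall applies to its outgoing traffic), and the upstream interface drops any packet from the Internet that claims a customer address, which is how a "trusted host" spoof would arrive. The interface names, prefixes and sample packets are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology (an assumption, not from the page): an edge router with two
# customer-facing interfaces and one upstream link towards the rest of the Internet.
CUSTOMER_PREFIXES = {
    "cust-a": [ip_network("192.0.2.0/24")],
    "cust-b": [ip_network("198.51.100.0/25")],
}
UPSTREAM = "upstream"
# Sources that must never appear on the public Internet: RFC 1918, loopback, "this" network.
BOGONS = [ip_network(p) for p in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

def in_any(addr, prefixes):
    return any(addr in p for p in prefixes)

def filter_packet(iface: str, src: str):
    """Source-address validation in the spirit of BCP 38 ingress filtering.
    Returns (action, reason). Only the arrival interface and the claimed source
    matter; the destination plays no part in the decision."""
    a = ip_address(src)
    if in_any(a, BOGONS):
        return "drop", f"bogon source {src}"
    if iface in CUSTOMER_PREFIXES:
        # Customer-facing link: only that customer's own addresses may be sourced here.
        # A site firewall applies the same rule to packets leaving its own network.
        if in_any(a, CUSTOMER_PREFIXES[iface]):
            return "forward", "source belongs to this customer"
        return "drop", f"{src} is not assigned to {iface}"
    if iface == UPSTREAM:
        # Upstream link: a packet from the Internet may never claim a customer address.
        for name, prefixes in CUSTOMER_PREFIXES.items():
            if in_any(a, prefixes):
                return "drop", f"external packet claims {name} address {src}"
        return "forward", "external source"
    return "drop", f"no policy for interface {iface}"

def count_actions(packets):
    """Apply the filter to (iface, src) pairs and tally the decisions."""
    tally = {"forward": 0, "drop": 0}
    for iface, src in packets:
        tally[filter_packet(iface, src)[0]] += 1
    return tally

if __name__ == "__main__":
    sample = [("cust-a", "192.0.2.10"), ("cust-a", "198.51.100.9"),
              ("upstream", "192.0.2.10"), ("upstream", "203.0.113.5"),
              ("upstream", "10.1.2.3")]
    for iface, src in sample:
        print(iface, src, *filter_packet(iface, src))
    print(count_actions(sample))
```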
- Attack from a familiar Netblock
A block or range of IP addresses is known as a netblock. Internet attacks and intrusions target netblocks because of the time it takes to scan a network.
These are attacks that target vulnerabilities in client applications that interact with a malicious server or malicious data. The client initiates a connection that can result in an attack; it has to interact with the server in order to be affected. A client merely running FTP is not vulnerable, but interaction through applications such as instant messaging exposes the client to such attacks, because these clients are automatically configured to log in to the remote server.
An example of a client-side attack is a malicious web page targeting a specific browser; if the attack is successful, it grants the malicious server complete control of the client system.
- Evading detection
Network intrusion detection systems (NIDS) collect data and monitor network traffic unobtrusively in order to scrutinise it and isolate suspicious network activity. They identify abnormal behaviour and isolate it from the computer systems they protect. A system that attempts to detect attacks against web servers might consider only malicious HTTP requests, while one intended to monitor dynamic routing protocols might consider RIP spoofing.
- Encryption
Encryption is a means of evading detection in which the payload of every packet crossing the NIDS's path cannot be interpreted correctly. SSL, SSH and IPsec encrypted tunnels all prevent the NIDS from interpreting the payload.
Distributed denial of service (DDoS) attacks involve multiple compromised systems attacking a single target, consequently causing a denial of service for users of that system. The target is flooded with incoming messages, forcing it to shut down and denying resources to other users of the system.
- Self-inflicted problems in NSM
When a system is degraded or collection is denied, the people and resources that analyse alerts and traffic are themselves under attack. The most successful way to advance such an attack is to exploit the procedures they follow. For instance, a simple way to slip an attack past the intrusion detection system is to sound an attack alarm and wait for the analyst to clear the decks. By the time the "all clear" is issued, the attack is already well advanced, and the attention consumed by potential attacks undermines the detection capacity of the system and the analyst.