Analysis of Existing Targets of Network Attacks and Methods of Attacks on Web Services

Dudnikov E.A.

Types and classification of attacks on information systems. Characteristic features of network attacks

There are four main categories of attacks:

  • access attacks;
  • modification attacks;
  • denial of service attacks;
  • repudiation attacks.

Let's take a closer look at each category. There are many ways to carry out attacks: with specially designed tools, with social engineering methods, or through vulnerabilities in computer systems. Social engineering does not use technical means to gain unauthorized access to a system: the attacker obtains information through a simple phone call or infiltrates the organization under the guise of an employee. Attacks of this kind are the most destructive.

Attacks aimed at capturing information stored in electronic form have one interesting feature: the information is not stolen but copied. It remains with the original owner, but the attacker now has it too. The owner thus bears losses, and it is very difficult to detect the moment when this happened.

Access attacks

An access attack is an attempt by an attacker to obtain information that they have no permission to view. Such an attack is possible wherever there is information and means for its transmission. An access attack is aimed at violating the confidentiality of information. There are the following types of access attacks:

  • snooping;
  • eavesdropping;
  • interception.

Snooping is the viewing of files or documents in order to find information of interest to the attacker. If the documents are stored as printouts, the attacker will open desk drawers and rummage through them. If the information is in a computer system, he will go through it file by file until he finds what he needs.

Eavesdropping is unauthorized listening to a conversation in which the attacker is not a participant. To gain unauthorized access to the information, the attacker must in this case be close to it, and very often uses electronic devices. The introduction of wireless networks has increased the likelihood of successful eavesdropping: the attacker no longer needs to be inside the system or physically connect a listening device to the network.

Unlike eavesdropping, interception is an active attack. The attacker captures information while it is being transmitted to its destination and, after analyzing it, decides whether to allow or block its further passage.

Access attacks take various forms depending on how the information is stored: as paper documents or electronically on a computer. If the information the attacker needs is stored as paper documents, he will need access to those documents. They may be found in file cabinets, in desk drawers or on desks, in a fax machine or printer, in the trash, or in the archive. The attacker therefore needs to physically get into all of these places.

Thus, physical access is the key to obtaining the data. It should be noted that reliable protection of the premises protects data only from outsiders, not from employees of the organization or internal users.

Information is stored electronically on workstations, servers, portable computers, floppy disks, CDs and backup magnetic tapes.

An attacker can simply steal a storage medium (floppy disk, CD, backup tape, or laptop computer). Sometimes this is easier than accessing files stored on computers.

If the attacker has legitimate access to the system, he will analyze the files by simply opening them one by one. With the right level of control over permissions, access for an unauthorized user will be denied and the access attempts will be logged.

Properly configured permissions prevent accidental information leakage. However, a serious attacker will try to bypass the access control system to reach the information he needs, and there are a large number of vulnerabilities that help him do so.

When information passes over the network, it can be accessed by listening to the transmission. The attacker does this by installing a network packet analyzer (sniffer) on a computer system. This is usually a computer configured to capture all network traffic, not just the traffic addressed to that computer. To do this, the attacker must either elevate their privileges on the system or connect their own machine to the network. The analyzer is configured to capture any information passing through the network, but especially user IDs and passwords.

Eavesdropping is also performed on wide-area links such as leased lines and telephone connections. However, this type of interception requires appropriate equipment and special knowledge.

Interception is possible even in fiber-optic communication systems with specialized equipment; it is usually performed by a skilled attacker.

Gaining access to information through interception is one of the most difficult tasks for an attacker. To succeed, he must place his system in the transmission path between the sender and the receiver. On the Internet this is done by tampering with name resolution so that the computer name is translated into the wrong address: traffic is redirected to the attacker's system instead of the real destination. With the appropriate configuration of such a system, the sender will never know that his information has not reached the recipient directly.

Interception is also possible during an active communication session. This type of attack is best suited for capturing interactive traffic. In this case the attacker must be on the same network segment as the client and server. The attacker waits for a legitimate user to open a session on the server and then, using specialized software, takes over the session already in progress.

Modification attacks

A modification attack is an unauthorized attempt to change information. Such an attack is possible wherever information exists or is transmitted, and it is aimed at violating the integrity of information.

One type of modification attack is the replacement of existing information, such as changing an employee's salary. A substitution attack can be directed against both secret and publicly available information.

Another type is the addition of new data, for example records about past periods. In this case the attacker performs an operation in the banking system as a result of which funds from a client's account are transferred to his own account.

A deletion attack means removing existing data, such as deleting a transaction from a bank's ledger so that funds withdrawn from the account appear to remain there.

Like access attacks, modification attacks are performed against information stored in paper documents or electronically on a computer.

Paper documents are difficult to change without anyone noticing: if there is a signature (for example, in a contract), it has to be forged, and a bound document has to be carefully reassembled. If there are copies of the document, they also have to be redone like the original, and since it is almost impossible to find all copies, a forgery is very easy to spot.

It is very difficult to add or remove entries from activity logs. First, the information in them is arranged in chronological order, so any change will be noticed immediately. The best approach is to remove the document and replace it with a new one. These types of attacks require physical access to the information.

Modifying information stored electronically is much easier. Provided that the attacker has access to the system, such an operation leaves a minimum of evidence. Without authorized access to the files, the attacker must first obtain a login to the system or change the file access control settings.

Modifying database files or a transaction list must be done very carefully. Transactions are numbered sequentially, and the deletion or addition of incorrect transaction numbers will be noticed. In these cases a lot of work across the entire system is needed to avoid detection.

In most cases, the appearance of malicious code on a site is not the result of malicious behavior by the site owner; it usually comes as a surprise to the owner, being the result of a hack.

We have been working on this for many years and have looked at many different cases, and in recent years I have also seen a fairly large number of very different hacks of various sites: both very large sites, such as the most famous online media, banks and sites of large companies, and sometimes very small ones, business-card sites, sites of educational and religious institutions.

How to protect your site

All of them are exposed to one degree or another to threats and risks associated with computer security, and that is what will be discussed here. We will also talk about how to reduce these risks, about a basic minimum, and give a general overview of what threats exist and what the webmaster of a particular site faces in his work.

Today we will talk about the most common case, when there is some external attacker who threatens the site in one way or another.

To understand what to expect, what damage is possible and what attacks are possible, you need to understand who this attacker is.

All these intruders and their attacks fall into two broad categories, mass and targeted. They can be distinguished by several criteria:

  • the approaches used in the attacks;
  • the groups of sites that are subject to a particular group of attacks;
  • the risk mitigation techniques appropriate to each of these groups.

Mass attacks, for example, are largely automated. They always aim at gaining unauthorized access to the whole site. Mass extortion also happens here, but it too is implemented through gaining unauthorized access.

Often whole automated systems are at work: a script runs that simply looks for vulnerable versions of the software components it is interested in, for example vulnerable versions of a content management system, or else looks for typical problems in the configuration of the server environment, for example an HTTP server exposed to the Internet against which password enumeration then begins.

Since everything is automated, the exploitation of the access obtained is also automated, and if you have a database with payment details on the site, in the case of an automated attack you can consider yourself lucky, because the script will not parse it; for the most part these scripts are pretty dumb.

It will not figure out what important data you have on your site; it will implement some very simple scheme along the lines of sending spam, organizing distributed denial of service attacks, some petty extortion, or infecting your site's visitors.

In the case of targeted attacks, things are somewhat sadder for the site owner. Usually a person with great experience and well-developed tools comes and works by hand, looking for characteristic problems, and, as practice shows, finds them with very high probability.

Then a particularly malicious exploitation begins, which is, first, much more difficult to detect than in the case of mass attacks and, second, much more difficult to limit in advance in terms of possible damage, because an attacker who has entered the system by hand understands the context very well and usually knew from the start what he came for.

What is safer to use: a stock, popular content management system or something self-written? To reduce the risk of mass attacks, it is better to use something non-standard.

Because everything is automated and looks for standard solutions, the use of a self-written content management system or even a self-written captcha, any self-written solution, protects against mass attacks: a script that comes to your site looking for something familiar simply will not find it.

In the case of targeted attacks it is rather the opposite. The probability that typical critical mistakes are made in a self-written solution, which then become vulnerabilities and are exploited to gain access, is much higher than with popular software solutions, which over their long history have collected a lot of "rakes" in this area. That is why, when vulnerabilities are published in them, they are often either intricate or occur at the junction of different systems.


The attack consists of the following steps:


This is particularly true for mass attacks. Some special string is taken, such as "Powered by phpBB version 1.6.1". A set of sites is found automatically using a specific search technology, which is one of the vectors. Once all these sites are located, a script is launched against them; it looks for vulnerabilities and for various admin panels at standard paths, as well as standard tools like phpMyAdmin, which are also located at standard paths.

Accordingly, if there is a vulnerability, it is exploited automatically; if there are admin panels where passwords can be entered and no protection against enumeration, enumeration of simple passwords begins, which, as practice shows, is also very effective.

After access is obtained, a component called a web shell is uploaded. This is a piece of a web application, a script, that opens up wide possibilities and leaves a permanent back door on your server for further actions.

After that, when the attacker has a stable path to your server bypassing authentication, he tries to gain a foothold in the system: for example, scattering spare web shells around, exploiting a vulnerability in the operating system and elevating privileges, for instance becoming root, which is often also automated, after which the exploitation becomes even more severe. And then the squeezing of money out of the hacked site begins. It is now rare to find cases where someone or something hacks a site with something other than money, in one way or another, as the motive.
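As an added example (not part of the original talk), a detector for the enumeration phase described above: it profiles a web server access log for sources that probe standard admin paths and hammer a login form. The log lines and IP addresses are constructed, and the assumption that a 302 after a POST to /wp-login.php marks a successful WordPress login is stated in the code.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (documentation addresses, not
# real indicators): a scanner probing standard paths, then a login burst.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /administrator/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Standard locations a mass scanner tries first (assumed list for the demo).
ADMIN_PATHS = ("/phpmyadmin", "/pma", "/administrator", "/admin", "/wp-admin", "/wp-login.php")
LOGIN_PATHS = ("/wp-login.php",)


def parse(text):
    """Yield one dict per well-formed access-log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def profile_sources(entries):
    """Per client IP: admin-path misses, login POSTs, and POSTs that succeeded."""
    stats = defaultdict(lambda: {"admin_404": 0, "login_post": 0, "login_ok": 0})
    for e in entries:
        p, s = e["path"].lower(), stats[e["ip"]]
        if e["status"] == "404" and p.startswith(ADMIN_PATHS):
            s["admin_404"] += 1
        if e["method"] == "POST" and p.startswith(LOGIN_PATHS):
            s["login_post"] += 1
            # Assumption: WordPress answers a successful login with a 302 redirect
            # and re-renders the form (200) on failure.
            if e["status"] == "302":
                s["login_ok"] += 1
    return dict(stats)


def suspicious_sources(stats, probe_min=3, post_min=3):
    """Sources that look like the automated scan-then-enumerate pattern."""
    out = {}
    for ip, s in stats.items():
        reasons = []
        if s["admin_404"] >= probe_min:
            reasons.append("probing standard admin paths")
        if s["login_post"] >= post_min:
            reasons.append("repeated login POSTs")
            if s["login_ok"]:
                reasons.append("login eventually succeeded")
        if reasons:
            out[ip] = reasons
    return out


if __name__ == "__main__":
    for ip, reasons in suspicious_sources(profile_sources(parse(SAMPLE_LOG))).items():
        print(ip, "->", "; ".join(reasons))
```

A source that both probes admin paths and then succeeds at a login after several attempts is the case worth an immediate look; rate limiting the login path removes the second half of the pattern.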

This is how this very web-shell looks from the attacker's point of view:


This is a system that can be operated both through the interface and automatically. Curiously, there is a line at the top with very detailed information about the operating system kernel, there precisely to automate privilege escalation right from the shell.

When vulnerabilities are found in the operating system kernel, exploits are published on popular sites. What is an exploit? A program that uses the vulnerability to achieve its own purpose, here raising privileges. Approximately, it looks like this:


Besides the malicious scripts that get scattered around the server, it also happens that binary components come in through the site: for example, the main binary build of the web server itself or plugins for it. These are modules for Apache, for nginx, a rebuilt nginx, or some other important binary component you have on the system, such as sshd.

This is the VirusTotal site, where you can check any file and see what 50 antivirus engines think about it.

These are examples of what various antivirus scanners said about some malicious web server binaries, or modules for them, that we happened to find when we submitted them:


I want to note that when we found them, the results were empty everywhere; often no one detected anything. Only later, when we started sending these samples to antivirus companies, did detections appear.

Sometimes, if you are trying to find the source of malicious code on your site, the antivirus industry can help you to some extent. Suspicious files can be fed either to the site or to specific utilities, but we will talk about this a little later; the point is this.


After exploitation, server-side scripts appear, as well as modified web server configs. There was a frequently encountered example where, when a site was hacked, the web server configuration was automatically modified by adding conditional redirects.

All visitors coming to your site from mobile devices were redirected to various fraudulent sites, thereby monetizing them. And since, not so long ago, a couple of years ago, many webmasters did not think about the mobile users of their sites, they could go a long time without noticing that mobile visitors entering the site were being sent off to various scams. Many webmasters set this up consciously as a form of monetization, but there really were mass cases where all this appeared as part of a hack.
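An added example, not from the original talk, of how such a conditional redirect can be spotted in an Apache .htaccess: it groups RewriteCond lines with the RewriteRule they guard and flags rules that send visitors to another host based on their User-Agent or Referer. The configuration fragment, the site host name and the redirect target are constructed placeholders.

```python
from urllib.parse import urlparse

# Constructed .htaccess fragment of the kind found after such a hack. The
# redirect target is a placeholder, not a real indicator.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipod|blackberry) [NC]
RewriteCond %{HTTP_REFERER} (google|yandex|bing)\\. [NC]
RewriteRule ^(.*)$ http://redirect-placeholder.example/go.php?u=$1 [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

SITE_HOST = "www.example-site.test"   # the site's own host name (assumption)
MOBILE_HINTS = ("android", "iphone", "ipod", "ipad", "blackberry", "mobile", "phone")
REFERER_HINTS = ("google", "yandex", "bing", "yahoo")


def parse_rewrite_blocks(text):
    """Group each RewriteRule with the RewriteCond lines that precede it.
    Arguments are split on whitespace; backslash-escaped spaces are not handled."""
    blocks, conds = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)  # directive plus up to three arguments
        name = parts[0].lower()
        if name == "rewritecond" and len(parts) >= 3:
            conds.append((parts[1], parts[2], parts[3] if len(parts) > 3 else ""))
        elif name == "rewriterule" and len(parts) >= 3:
            blocks.append({"conds": conds, "pattern": parts[1], "target": parts[2],
                           "flags": parts[3] if len(parts) > 3 else ""})
            conds = []  # conditions apply only to the next rule
    return blocks


def is_external_redirect(target, own_host):
    """True when the rule's substitution is an absolute URL on another host."""
    url = urlparse(target)
    return url.scheme in ("http", "https") and url.netloc.lower() != own_host.lower()


def find_suspicious_redirects(text, own_host=SITE_HOST):
    """External redirects that depend on the visitor's device or search referer."""
    findings = []
    for b in parse_rewrite_blocks(text):
        if not is_external_redirect(b["target"], own_host):
            continue
        ua = [c for c in b["conds"] if c[0].upper() == "%{HTTP_USER_AGENT}"]
        ref = [c for c in b["conds"] if c[0].upper() == "%{HTTP_REFERER}"]
        reasons = []
        if any(h in c[1].lower() for c in ua for h in MOBILE_HINTS):
            reasons.append("user-agent targets mobile devices")
        if any(h in c[1].lower() for c in ref for h in REFERER_HINTS):
            reasons.append("only search-engine visitors are redirected")
        if reasons:
            findings.append({"target": b["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_redirects(SAMPLE_HTACCESS):
        print(f["target"], "->", "; ".join(f["reasons"]))
```

A rule that only fires for mobile devices arriving from a search engine is exactly the shape that keeps the webmaster, who opens the site directly from a desktop, from ever seeing the redirect.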

Malicious code may also be in the database. The most banal example is a stored XSS attack. For example, you have a form for entering comments on the site and parameter validation is insufficient.

The attackers, as I said, are often fully automated systems that find your site themselves and upload not just text there but a special payload which, when the page is rendered, becomes a script controlled by the attacker. In this way they can do anything with your site's visitors.
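An added illustration, not from the original talk, of the stored XSS case: the stored comment is rendered once without escaping (the bug) and once through html.escape, and a crude check shows which rendering still contains live markup. The sample comments, including the script payloads and the placeholder host, are constructed for the demonstration.

```python
import html
import re

# Constructed sample comments, including two payloads of the kind an automated
# scanner would submit to an unvalidated comment form.
SAMPLE_COMMENTS = [
    "Great article, thanks!",
    '<script src="//attacker-placeholder.example/loader.js"></script>',
    '<img src=x onerror="alert(1)">',
    "5 < 6 && 7 > 3",
]

WRAP_OPEN, WRAP_CLOSE = '<li class="comment">', "</li>"


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates the stored comment straight into the page: the bug."""
    return f"{WRAP_OPEN}{comment}{WRAP_CLOSE}"


def render_comment_safe(comment: str) -> str:
    """Escapes &, <, >, " and ' so the browser treats the comment as text.
    This is the HTML-body context; attribute, URL and JS contexts need their own encoding."""
    return f"{WRAP_OPEN}{html.escape(comment, quote=True)}{WRAP_CLOSE}"


_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")  # '<' followed by a tag name


def contains_active_markup(rendered: str) -> bool:
    """Does the fragment inside the wrapper still contain something a parser reads as a tag?"""
    inner = rendered[len(WRAP_OPEN):-len(WRAP_CLOSE)]
    return bool(_TAG_RE.search(inner))


def audit(comments):
    """Per comment: (live markup in vulnerable rendering, live markup in safe rendering)."""
    return {c: (contains_active_markup(render_comment_vulnerable(c)),
                contains_active_markup(render_comment_safe(c))) for c in comments}


if __name__ == "__main__":
    for comment, (vuln, safe) in audit(SAMPLE_COMMENTS).items():
        print(f"vulnerable={vuln!s:5} safe={safe!s:5}  {comment}")
```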

It also happens in static content, when malicious code is simply added to templates or to static JavaScript. As I said, binary files sometimes get replaced. There are very tricky cases, which we have already come across, where attackers build the following scheme.

The main file of the web server is taken, for example an Apache binary, or an sshd binary, and copied to another location; a malicious build is put in its place and then launched.

After that, the modified file is deleted from the file system and the original is put back. You have a malicious web server running, an unchanged version of it in the file system, and even an integrity check does not show any problems.
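An added example, not from the original talk, of a check that catches the trick just described on Linux: /proc/<pid>/exe still points at the unlinked inode the process was started from, so its link target carries a "(deleted)" suffix, and hashing the running image through /proc/<pid>/exe will not match the restored file on disk. The list of process names to check is an assumption, and reading another user's /proc/<pid>/exe requires root.

```python
import hashlib
import os
import sys


def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, streamed; works on /proc/<pid>/exe as well as a normal path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(exe_link, running_hash, disk_hash):
    """Compare a process's in-memory image with the file on disk.
    exe_link:     readlink('/proc/<pid>/exe')
    running_hash: digest read through /proc/<pid>/exe
    disk_hash:    digest of the path the link names, or None if unreadable"""
    if exe_link.endswith(" (deleted)"):
        # The inode the process runs from was unlinked; whatever now sits at
        # that path (for example a restored original) is not what is running.
        return "REPLACED_OR_DELETED"
    if disk_hash is None:
        return "UNREADABLE"
    if running_hash != disk_hash:
        return "MISMATCH"
    return "OK"


def check_process(pid):
    """Return (link target, verdict) for one pid, or None if /proc is not readable."""
    exe = f"/proc/{pid}/exe"
    try:
        link = os.readlink(exe)
        running = sha256_of(exe)
    except OSError:
        return None
    on_disk = link.replace(" (deleted)", "")
    try:
        disk = sha256_of(on_disk)
    except OSError:
        disk = None
    return link, classify(link, running, disk)


def scan(names=("nginx", "apache2", "httpd", "sshd")):
    """Check every running process whose comm name is in `names` (assumed list)."""
    results = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue
        if comm in names:
            r = check_process(pid)
            if r:
                results[int(pid)] = (comm, *r)
    return results


if __name__ == "__main__":
    if not sys.platform.startswith("linux"):
        sys.exit("this check relies on /proc and runs on Linux only")
    for pid, (comm, link, verdict) in sorted(scan().items()):
        print(f"{pid:>7} {comm:<8} {verdict:<20} {link}")
```

A file-based integrity checker only sees the restored binary; comparing against what the kernel actually mapped is what exposes the swap.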

Attackers, once on the server, especially in targeted attacks, are quite cunning in their inventions, and for targeted attacks, when real people come, you sometimes have to show considerable skill just to find the source of the site's compromise at all.

Why is all this being done? It is also important to understand this in order to keep a threat model in mind and to predict what will happen to the site and what problems there may be in general. As I said, the monetization methods that motivate attackers differ between the two groups, targeted and mass attacks.


For mass attacks we have things that can be done without delving into the site's context. We have just reached an abstract server; what can be done with it? It has visitors, so they can be infected. It most likely appears in search engines, so its search position can be used for various black-hat SEO.

Adding catalogs of doorway pages to it, listing it on a link exchange, and everything related to that. Sending spam, organizing DDoS attacks, for example: for DDoS attacks, which we will talk about later, attackers also need resources, for example many, many different servers.

The "extortion" line is very interesting. This has also been developing a lot lately. Everyone has heard of, and probably encountered many times, ransomware Trojans, for example on desktops running the Windows operating system. A few years ago they started to get onto Android phones, when ...

Everyone knows, has encountered in one way or another, or at least heard about how a malicious file is launched, begins to encrypt the entire file system, and then asks for a ransom. Over the last year we have seen that such things have started happening on servers too. The site is hacked, after which the entire contents of the databases are encrypted, as well as the entire file system, and the attacker asks the administrator for a ransom, hoping that the administrator has no up-to-date backups of the file system and database.

In targeted attacks everything is still more sophisticated. Often, if a targeted attack is made, it is already known what can be obtained from the site: either a client base or very, very many visitors, who can also be monetized in various ways, often unnoticed by the resource administrator for months.

Once inside, one can interfere with the site in every possible way and create various technical difficulties for the purpose of unfair competition. It must be understood that there is a myth in the antivirus world that, say, my computer is on the outskirts, or, in the case of a site, that the site has little traffic, which means nobody needs it. That is not true.

Even the shabbiest site on some free hosting monetizes at least a little, and it will always be a desirable target for mass attacks, not to mention, of course, large sites, which are even easier to monetize.

Attack on visitors: drive-by download

Yes, we talked about infecting visitors, literally in a nutshell. In the last year this threat has probably been disappearing by itself. What is visitor infection? The attacker has hacked the site; what happens next if he wants to make money by infecting visitors?


As I said, he can redirect mobile users to some site where they are offered an application under the guise of a Flash Player update or something similar. For desktops, a popular scheme is to exploit a vulnerability in the visitor's browser or in one of the plug-ins of his environment.

For example, in 2012 the most exploited vulnerabilities were in the Java plugin, which accounted for more than half of exploited users, and in Adobe Reader. Now they don't exploit Adobe Reader or Java; now they exploit Flash Player.

New vulnerabilities in Flash Player are released regularly, and each of them often allows an attack called drive-by download. What does that mean? The visitor simply enters the site and does nothing else, and, due to exploitation of the plug-in vulnerability, a malicious program appears on his system, starts automatically and infects it.

Denial of Service, aka DDoS

That was about the case when an attacker does get access to the site and its management. In many cases the attacker does not even try to gain access; he just wants to interfere with the normal functioning of your site in one way or another. Everyone has probably heard of, or faced, a denial of service attack, which is called Distributed Denial of Service.


The main motives are competition and extortion. Competition is clear: as long as users cannot reach your site, they go to a competitor's site. Extortion is also quite obvious: an attack on your site begins, you receive a letter demanding that you pay someone, and then you have to do something about it.

Attacks fall into three main categories

The simplest is an application attack. The most typical scenario: you have a website, say an online store with a search. You have an advanced search over a bunch of parameters that creates a relatively heavy database query. An attacker comes, sees that you have an advanced search option, and writes a script that starts pushing very heavy queries into your advanced search form. In practice, for many sites, the database quickly falls over even under the pressure of a single ordinary host, and that is it. The attacker needs no special resources for this.

An attack at the transport layer. At the transport layer there are, in fact, two protocols. Attacks on UDP are better classified as attacks on the channel, because there is no session there. If we are talking about the TCP protocol, this is a fairly common case of attack.

What is the TCP protocol? TCP implies that your server keeps a table of open connections with users. Clearly this table cannot be of infinite size, and the attacker deliberately constructs many, many packets that initiate the creation of new connections, with the packets often coming from fake IP addresses.

This overflows the table, so legitimate users who come to your site cannot get into the connection table and, as a result, do not receive your service. This is a typical example of a common attack that people have learned to deal with in recent years.
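An added example, not from the original talk, of spotting the half-open connection pattern in the output of `ss -tan`: it counts SYN-RECV entries per local port and the number of distinct peers contributing them, which is high when the sources are spoofed. The sample output (documentation addresses) and the threshold are constructed; on Linux the usual countermeasure is SYN cookies (net.ipv4.tcp_syncookies), which let the server answer a SYN without reserving a table entry.

```python
from collections import Counter, defaultdict

# Constructed `ss -tan` output: several half-open connections on :80 from
# distinct sources, plus normal established sessions. Documentation ranges,
# not real indicators.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV   0      0      203.0.113.10:80      198.51.100.7:51012
SYN-RECV   0      0      203.0.113.10:80      198.51.100.8:41877
SYN-RECV   0      0      203.0.113.10:80      198.51.100.9:60231
SYN-RECV   0      0      203.0.113.10:80      198.51.100.10:35590
SYN-RECV   0      0      203.0.113.10:80      198.51.100.11:27106
ESTAB      0      0      203.0.113.10:80      192.0.2.44:40211
ESTAB      0      0      203.0.113.10:22      192.0.2.45:50022
SYN-RECV   0      0      203.0.113.10:443     192.0.2.46:50311
"""


def parse_ss(text):
    """Return (state, local port, peer host) per socket line, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        lport = local.rsplit(":", 1)[1]   # rsplit also copes with IPv6 literals
        phost = peer.rsplit(":", 1)[0]
        rows.append((state, lport, phost))
    return rows


def half_open_stats(rows):
    """Per local port: (number of SYN-RECV entries, number of distinct peers)."""
    count = Counter()
    peers = defaultdict(set)
    for state, lport, phost in rows:
        if state == "SYN-RECV":
            count[lport] += 1
            peers[lport].add(phost)
    return {p: (count[p], len(peers[p])) for p in count}


def flag_syn_flood(stats, threshold=4):
    """Ports whose half-open backlog reaches the threshold. One half-open entry
    per distinct peer, with as many peers as entries, is the spoofed-source shape."""
    return {p: n for p, (n, distinct) in stats.items() if n >= threshold}


if __name__ == "__main__":
    stats = half_open_stats(parse_ss(SAMPLE_SS_OUTPUT))
    for port, (n, distinct) in sorted(stats.items()):
        print(f"port {port}: {n} half-open from {distinct} peers")
    print("flagged:", flag_syn_flood(stats))
```

The threshold is a demo value; in production compare the SYN-RECV count against the listen backlog (`ss -ltn` shows it in Send-Q) rather than a fixed number.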

And the worst is the attack on the channel. You have an incoming channel through which requests reach your server, and that entire channel is simply clogged.

If for the two higher-level attacks you can still apply some logic on the server itself to somehow turn these attacks around, then in the case of an attack on the channel nothing can be done on the server itself, because to do anything you need at least to accept the request, and the channel is already full, so users cannot get through at all.

Why are we even discussing this classification and why do you need it? Simply because each of these types of attack has its own countermeasure. If you encounter one and understand that you are under a denial of service attack, the first thing to do is to determine what type of attack it is and choose the right way to start fighting it, although the types are also combined.

Magomed Cherbizhev

Procedure for detecting network attacks.

1. Classification of network attacks

1.1. Packet sniffers

A packet sniffer is an application program that uses a network card operating in promiscuous mode (in this mode, the network adapter passes all packets received over the physical channel to the application for processing). In this case the sniffer intercepts all network packets transmitted through a specific domain.

1.2. IP spoofing

IP spoofing occurs when a hacker, inside or outside the system, poses as an authorized user. This can be done in two ways: the hacker can use an IP address within the range of authorized IP addresses, or an authorized external address that is allowed to access certain network resources. IP spoofing attacks are often the starting point for other attacks. A classic example is a DoS attack that starts from someone else's address, hiding the hacker's true identity.

Typically, IP spoofing is limited to inserting false information or malicious commands into a normal data stream transmitted between a client and server application or over a communication channel between peers. For two-way communication, the hacker must change all the routing tables to direct traffic to the fake IP address. Some hackers, however, do not even try to get a response from the applications: if the main task is to get an important file from the system, the responses of the applications do not matter.

If the hacker manages to change the routing tables and direct traffic to the fake IP address, he will receive all the packets and be able to respond to them as if he were an authorized user.

1.3. Denial of Service (DoS)

DoS is the best-known form of hacker attack. It is most difficult to create one hundred percent protection against attacks of this type.

The most famous types of DoS:

  • TCP SYN Flood;
  • Ping of Death;
  • Tribe Flood Network (TFN);
  • Tribe Flood Network 2000 (TFN2K);
  • Trinco;
  • Stacheldraht;
  • Trinity.

DoS attacks are different from other types of attacks. They are not intended to gain access to the network or to obtain any information from this network. A DoS attack renders a network unavailable for normal use by exceeding the allowable limits of the network, operating system, or application.

With some server applications (such as a Web server or FTP server), a DoS attack may consist of taking all the connections available to these applications and keeping them busy, preventing normal users from being served. DoS attacks can use common Internet protocols such as TCP and ICMP (Internet Control Message Protocol). Most DoS attacks rely not on software bugs or security holes but on general weaknesses in the system architecture. Some attacks nullify network performance by flooding it with unwanted and unnecessary packets, or by misrepresenting the current state of network resources. This type of attack is difficult to prevent, as it requires coordination with the ISP: if the traffic intended to flood your network is not stopped at the provider, you will no longer be able to stop it at the entrance to your network, because the entire bandwidth will already be occupied. When this type of attack is carried out simultaneously through many devices, it is a distributed DoS (DDoS).

1.4. Password attacks

Hackers can carry out password attacks using a variety of methods, such as brute force, Trojan horses, IP spoofing and packet sniffing. Although a login and password can often be obtained with IP spoofing and packet sniffing, hackers often try to guess the password and login through multiple access attempts. This approach is called simple enumeration (brute force attack). Often such an attack uses a special program that tries to access a shared resource (e.g. a server). If, as a result, the hacker gains access to resources, he gets it as a regular user whose password was guessed. If this user has significant access privileges, the hacker can create a "gateway" for himself for future access, which will work even if the user changes his password and login.

Another problem arises when users use the same (even if very good) password for access to many systems: corporate, personal and Internet systems. Since the strength of the password is equal to that of the weakest host, a hacker who learns the password through that host gains access to all other systems where the same password is used.

1.5. Man-in-the-Middle attacks

For a Man-in-the-Middle attack, a hacker needs access to the packets being sent over the network. Such access to all packets transmitted from a provider to any other network can, for example, be obtained by an employee of that provider. Packet sniffers, transport protocols and routing protocols are often used for this type of attack. The attacks are carried out to steal information, hijack the current session and gain access to private network resources, analyze traffic and obtain information about the network and its users, carry out DoS attacks, distort transmitted data and inject unauthorized information into network sessions.

1.6. Application Layer Attacks

Application layer attacks can be carried out in several ways. The most common of these is exploiting weaknesses in server software (sendmail, HTTP, FTP). Using these weaknesses, hackers can gain access to the computer on behalf of the user running the application (usually not an ordinary user but a privileged administrator with system access rights). Details of application layer attacks are widely published so that administrators can correct the problem with corrective modules (patches). The main problem with application layer attacks is that they often use ports that are allowed through the firewall. For example, a hacker exploiting a well-known weakness in a Web server often uses TCP port 80 in the attack. Since a Web server serves Web pages to users, the firewall must allow access to this port, and from the firewall's point of view the attack looks like standard traffic on port 80.

1.7. Network reconnaissance

Network reconnaissance is the collection of information about a network using publicly available data and applications. When preparing an attack against a network, a hacker usually tries to get as much information about it as possible. Network reconnaissance takes the form of DNS queries, ping sweeps and port scans. DNS queries help establish who owns a particular domain and what addresses are assigned to it. Echo testing (ping sweep) of the DNS-discovered addresses shows which hosts are actually operating in the given environment. Given a list of hosts, the hacker uses port scanning tools to compile a complete list of services supported by those hosts. Finally, the hacker analyzes the characteristics of the applications running on the hosts. The result is information that can be used for the break-in.

1.8. Breach of trust

Strictly speaking, this is not an "attack" or "storm" but the malicious exploitation of the trust relationships that exist in the network. An example is a system on the outside of a firewall that is trusted by a system on the inside. If the external system is compromised, the attacker can use that trust relationship to break into the system that the firewall protects.

1.9. Port forwarding

Port forwarding (port redirection) is a form of breach of trust in which a compromised host is used to pass traffic through a firewall that would otherwise be rejected. An example of an application that can provide such access is netcat.
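
An added example (not part of the original text) of what such a relay does: a TCP port forwarder in Python that listens on the compromised host and bridges every connection to an internal target, which is what a netcat chain achieves. The echo server stands in for the protected internal service; all addresses and ports are assumptions chosen so that it runs on the loopback interface.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes from src to dst until src reports EOF, then propagate a
    half-close so a request/response exchange can finish the other way."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, target):
    """Bridge one accepted connection to the target in both directions."""
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)      # client -> internal target
    back.join()                  # internal target -> client
    client.close()
    upstream.close()


def start_relay(listen_host, target_host, target_port, listen_port=0):
    """Listen on listen_host:listen_port (0 = any free port) and forward every
    connection to target_host:target_port. Returns (listening socket, port).
    From the firewall's point of view only the relay host talks to the target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, listen_port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:      # listener closed
                return
            threading.Thread(target=_handle, args=(client, (target_host, target_port)),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_echo_server(host="127.0.0.1"):
    """Stand-in for the protected internal service: echoes what it receives."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return

            def echo(c=conn):
                with c:
                    while True:
                        data = c.recv(4096)
                        if not data:
                            break
                        c.sendall(data)
            threading.Thread(target=echo, daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def send_and_receive(host, port, payload, timeout=5.0):
    """Client side: send payload, half-close, and collect the full reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)
```

The defensive point is that the firewall sees a connection from the trusted relay host, not from the attacker; hence the advice in section 2.9 to keep trust models tight and to watch with a host-based IDS for relay tools appearing on exposed hosts.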

1.10. Unauthorized access

Unauthorized access is not a separate type of attack: most network attacks are carried out in order to obtain unauthorized access. To guess a telnet login, for example, the attacker must first obtain a telnet prompt on the target. After connecting to the telnet port the message "Authorization is required to use this resource" appears; if the attacker keeps trying to get in after that, the attempts are considered "unauthorized". The source of such attacks can be both inside and outside the network.

1.11. Viruses and "Trojan horse" applications

Client workstations are very vulnerable to viruses and Trojan horses. A "Trojan horse" is not a fragment of code inserted into another program but a complete program that looks like a useful application while in fact performing a malicious function.

2. Methods for countering network attacks

2.1. The threat of packet sniffing can be mitigated with the following tools:

2.1.1. Authentication - Strong authentication is the first line of defense against packet sniffing. By "strong" we mean an authentication method that is hard to bypass. An example is one-time passwords (OTP). OTP is a two-factor authentication technology that combines something you have with something you know: a token (a hardware or software device that generates a unique one-time password, on demand or on a schedule) and a PIN or passphrase. If an attacker captures the password with a sniffer, the information is useless because the password has already been used and is no longer valid. This countermeasure is effective only against password sniffing, not against interception of other data.
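
An added example, not from the original document, of why a sniffed one-time password is worthless: the HOTP algorithm (RFC 4226, HMAC-SHA1 over a counter) and a server-side verifier that accepts each counter value only once. The shared secret is the RFC 4226 test-vector secret; the look-ahead window size is an assumption. The same mechanism is what section 2.4 below relies on against password attacks.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


class OtpVerifier:
    """Server side of a counter-based one-time password login.
    A code is accepted only for a counter value that has not been consumed,
    so a code captured by a sniffer and replayed later is rejected."""

    def __init__(self, secret, look_ahead=5):
        self.secret = secret
        self.next_counter = 0          # lowest counter value still acceptable
        self.look_ahead = look_ahead   # tolerate a token pressed a few times unused

    def verify(self, code):
        for counter in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.next_counter = counter + 1   # burn this and every earlier code
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: secret from the RFC 4226 test vectors.
    secret = b"12345678901234567890"
    token_code = hotp(secret, 0)                  # what the user's token displays
    server = OtpVerifier(secret)
    print("first use:", server.verify(token_code))         # True
    print("replay by sniffer:", server.verify(token_code)) # False
```

The attacker who captures "755224" on the wire can do nothing with it: the counter has moved on, and every earlier counter value is refused. Note that the verifier must persist `next_counter` atomically per user, otherwise two concurrent logins could both accept the same code.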

2.1.2. Switched infrastructure - Another way to combat packet sniffing is to build a switched infrastructure, so that an attacker sees only the traffic on the switch port they are connected to. A switched infrastructure does not eliminate the threat of sniffing (ARP spoofing, for example, can still redirect traffic through the attacker), but it significantly reduces its severity.

2.1.3. Anti-sniffers - A third way is to install hardware or software that recognizes sniffers running on the network. These tools cannot eliminate the threat entirely but, like many other network security tools, they form part of the overall protection system. So-called "anti-sniffers" measure host response times to determine whether a host is processing "extra" traffic, i.e. whether its interface is in promiscuous mode.

2.1.4. Cryptography - The most effective way to deal with packet sniffing neither prevents sniffing nor detects sniffers; it makes their work useless. If the communication channel is cryptographically protected, the attacker intercepts not the message but ciphertext (an unintelligible sequence of bits).

2.2. The threat of spoofing can be mitigated (but not eliminated) with the following measures:

2.2.1. Access control - The simplest way to limit IP spoofing is properly configured access control. Access control is set up to drop any traffic arriving from the external network with a source address that belongs to your internal address range. This defeats IP spoofing only while internal addresses alone are authorized; if some external addresses are also authorized, the method becomes ineffective, because a packet claiming such an address cannot be told from a genuine one.

2.2.2. RFC 2827 filtering - suppression of attempts by users of the corporate network to spoof foreign networks. Any outgoing traffic whose source address is not one of the Bank's own IP addresses is rejected. This kind of filtering, known as "RFC 2827" (BCP 38) ingress filtering, can also be performed by the ISP: all traffic that does not carry a source address expected on a particular interface is dropped.
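
An added example, not part of the original document, of the two measures above (2.2.1 access control and 2.2.2 RFC 2827 filtering) as a packet filter in Python. The address plan (192.0.2.0/24 as the organization's own prefix) and the packet fields are assumptions for the demonstration. It also shows the caveat from 2.2.1: a packet arriving from outside with an authorized external source address passes whether or not it is genuine, because the filter has nothing else to go on.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plan: the organization owns 192.0.2.0/24 (a documentation
# prefix used here as a stand-in for a real allocation).
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]


@dataclass
class Packet:
    src: str
    dst: str
    iface: str   # "outside" = arriving from the Internet, "inside" = leaving the LAN


def belongs_to(addr, networks):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def ingress_filter(pkt, internal=INTERNAL):
    """2.2.1 access control: a packet coming in from outside must not claim an
    internal source address. Returns (verdict, reason)."""
    if pkt.iface == "outside" and belongs_to(pkt.src, internal):
        return "drop", "internal source address on external interface"
    return "permit", None


def egress_filter(pkt, internal=INTERNAL):
    """RFC 2827 / BCP 38: a packet leaving the network must carry one of our
    own source addresses, so our users cannot spoof foreign networks."""
    if pkt.iface == "inside" and not belongs_to(pkt.src, internal):
        return "drop", "outgoing packet with foreign source address"
    return "permit", None


def filter_packet(pkt, internal=INTERNAL):
    """Apply both rules; the first drop wins."""
    for rule in (ingress_filter, egress_filter):
        verdict, reason = rule(pkt, internal)
        if verdict == "drop":
            return verdict, reason
    return "permit", None


def apply_rules(packets, internal=INTERNAL):
    """Run the filters over a batch; returns the dropped packets as (src, reason)."""
    dropped = []
    for p in packets:
        verdict, reason = filter_packet(p, internal)
        if verdict == "drop":
            dropped.append((p.src, reason))
    return dropped


if __name__ == "__main__":
    # Constructed traffic sample, not captured data.
    sample = [
        Packet("192.0.2.15", "203.0.113.9", "inside"),    # legitimate outbound
        Packet("10.9.9.9", "203.0.113.9", "inside"),      # spoofed outbound -> dropped
        Packet("192.0.2.15", "192.0.2.80", "outside"),    # spoofed inbound -> dropped
        Packet("198.51.100.7", "192.0.2.80", "outside"),  # authorized partner, or a spoof of it
    ]
    for src, reason in apply_rules(sample):
        print(f"DROP {src}: {reason}")
```

The last sample packet is the caveat: if 198.51.100.0/24 is an authorized external range, nothing in the IP header distinguishes a real partner packet from a forged one, which is why 2.2.3 moves the decision to cryptographic authentication.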

2.2.3. The most effective method of dealing with IP spoofing is the same as for packet sniffing: make the attack pointless. IP spoofing works only when authentication is based on IP addresses, so introducing additional authentication methods renders this kind of attack useless. The best form of additional authentication is cryptographic; if that is not possible, two-factor authentication with one-time passwords gives good results.

2.3. The threat of DoS attacks can be mitigated in the following ways:

2.3.1. Anti-spoofing features - Proper configuration of the anti-spoofing features on routers and firewalls helps reduce the risk of DoS. At a minimum these should include RFC 2827 filtering. If attackers cannot disguise their true address, they are less likely to attempt an attack.

2.3.2. Anti-DoS features - Proper configuration of anti-DoS features on routers and firewalls can limit the effectiveness of attacks. These features limit the number of half-open TCP connections (the SYN queue) allowed at any one time.

2.3.3. Traffic rate limiting - an agreement with the provider (ISP) to limit the volume of certain traffic. This kind of filtering limits the amount of non-critical traffic passing through the network. A common example is limiting ICMP traffic, which is used only for diagnostic purposes; (D)DoS attacks often rely on ICMP.

2.3.4. Blocking IP addresses - after analyzing the DoS attack and identifying the range of IP addresses from which it is carried out, ask the provider to block them.

2.4. Password attacks can be avoided by not using plaintext passwords. One-time passwords and/or cryptographic authentication can practically eliminate the threat of such attacks, but not all applications, hosts, and devices support these authentication methods.

When ordinary passwords are used, choose a password that is hard to guess. The minimum length should be at least eight characters, and the password should include uppercase letters, digits, and special characters (#, %, $, etc.). Passwords that are hard to guess are also hard to remember, which tempts users to write them down on paper; that risk has to be managed as well.

2.5. Man-in-the-Middle attacks can only be effectively dealt with using cryptography. If a hacker intercepts the data of an encrypted session, he will have on the screen not an intercepted message, but a meaningless set of characters. Note that if a hacker gets information about a cryptographic session ( e.g. session key), this can make a Man-in-the-Middle attack possible even in an encrypted environment.

2.6. Application layer attacks cannot be completely eliminated, since new application vulnerabilities are constantly discovered and published on the Internet. Good system administration is the most important measure.

Measures that can be taken to reduce vulnerability to this type of attack:

  • reading and/or analyzing log files of operating systems and network log files using special analytical applications;
  • timely updating of versions of operating systems and applications and installation of the latest correction modules ( patches);
  • use of attack recognition systems ( IDS).

2.7. Network reconnaissance cannot be completely prevented. Disabling ICMP echo and echo reply on the perimeter routers stops ping sweeps, but you lose data needed to diagnose network failures, and ports can be scanned without pinging first; that simply takes longer, because non-existent IP addresses have to be scanned as well. Network- and host-level IDS systems are usually good at notifying the administrator of reconnaissance in progress, which allows better preparation for the coming attack and lets you notify the ISP on whose network the overly curious system sits.
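
An added example, not from the original text, of the IDS-style detection mentioned above: a sliding-window detector in Python that flags a port scan (many distinct ports on one host from a single source) and a ping/host sweep (many distinct hosts from a single source) in firewall log lines. The log format and the sample lines are constructed for the example; the thresholds and window are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log sample (not real captures); the key=value format is
# an assumption. Lines are sorted by time.
SAMPLE_LOG = """\
# the 09:00 probes are older than the window and must not count
2024-05-01T09:00:00 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=1 action=deny
2024-05-01T09:00:01 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=2 action=deny
2024-05-01T09:00:02 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=3 action=deny
2024-05-01T10:00:00 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=21 action=deny
2024-05-01T10:00:01 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=22 action=deny
2024-05-01T10:00:02 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=23 action=deny
2024-05-01T10:00:03 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=25 action=deny
2024-05-01T10:00:04 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=53 action=deny
2024-05-01T10:00:05 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=80 action=permit
2024-05-01T10:00:06 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=110 action=deny
2024-05-01T10:00:07 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=143 action=deny
2024-05-01T10:00:08 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=443 action=permit
2024-05-01T10:00:09 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=445 action=deny
2024-05-01T10:00:10 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=3389 action=deny
2024-05-01T10:00:11 src=203.0.113.5 dst=192.0.2.10 proto=tcp dport=8080 action=deny
2024-05-01T10:00:20 src=198.51.100.20 dst=192.0.2.10 proto=tcp dport=80 action=permit
2024-05-01T10:00:21 src=198.51.100.20 dst=192.0.2.10 proto=tcp dport=443 action=permit
2024-05-01T10:00:22 src=198.51.100.20 dst=192.0.2.11 proto=tcp dport=25 action=permit
2024-05-01T10:01:00 src=203.0.113.77 dst=192.0.2.1 proto=icmp action=deny
2024-05-01T10:01:01 src=203.0.113.77 dst=192.0.2.2 proto=icmp action=deny
2024-05-01T10:01:02 src=203.0.113.77 dst=192.0.2.3 proto=icmp action=deny
2024-05-01T10:01:03 src=203.0.113.77 dst=192.0.2.4 proto=icmp action=deny
2024-05-01T10:01:04 src=203.0.113.77 dst=192.0.2.5 proto=icmp action=deny
2024-05-01T10:01:05 src=203.0.113.77 dst=192.0.2.6 proto=icmp action=deny
2024-05-01T10:01:06 src=203.0.113.77 dst=192.0.2.7 proto=icmp action=deny
2024-05-01T10:01:07 src=203.0.113.77 dst=192.0.2.8 proto=icmp action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)"
    r"(?: dport=(?P<dport>\d+))? action=\S+$")


def parse(line):
    """One log line -> event dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"], "dst": m["dst"],
            "proto": m["proto"], "dport": int(m["dport"]) if m["dport"] else None}


def detect(lines, window=timedelta(seconds=60), port_threshold=10, host_threshold=5):
    """Per-source sliding window over recent events. Raises one alert per
    (source, kind, target) the first time a threshold is crossed:
      port-scan  - >= port_threshold distinct dports on one dst inside the window
      host-sweep - >= host_threshold distinct dsts inside the window"""
    history = defaultdict(deque)      # src -> deque of (ts, dst, dport)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = history[ev["src"]]
        q.append((ev["ts"], ev["dst"], ev["dport"]))
        while ev["ts"] - q[0][0] > window:      # expire events outside the window
            q.popleft()
        ports_by_dst, hosts = defaultdict(set), set()
        for _, dst, dport in q:
            hosts.add(dst)
            if dport is not None:
                ports_by_dst[dst].add(dport)
        for dst, ports in ports_by_dst.items():
            key = (ev["src"], "port-scan", dst)
            if len(ports) >= port_threshold and key not in alerted:
                alerted.add(key)
                alerts.append({"src": ev["src"], "kind": "port-scan", "target": dst, "count": len(ports)})
        key = (ev["src"], "host-sweep", None)
        if len(hosts) >= host_threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": ev["src"], "kind": "host-sweep", "target": None, "count": len(hosts)})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a['src']}: {a['kind']} target={a['target']} count={a['count']}")
```

The thresholds deliberately ignore the normal client that touched three ports on two hosts; a scanner that slows itself to one probe per minute would also slip under this window, which is the usual trade-off between false positives and slow-scan detection.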

2.8. The risk of breach of trust can be reduced by controlling trust levels within the network more tightly. Systems outside the firewall should never be fully trusted by systems the firewall protects. Trust relationships should be limited to specific protocols and, where possible, authenticated by more than IP addresses alone.

2.9. The main defense against port forwarding is a strong trust model (see 2.8). In addition, a host-based IDS (HIDS) can detect an attacker installing a forwarding tool such as netcat on the host.

2.10. Countering unauthorized access is fairly simple: the main thing is to reduce or completely eliminate the attacker's ability to reach the system over an unauthorized protocol. For example, attackers should be prevented from reaching the telnet port on a server that provides web services to external users; without access to that port they cannot attack it. The firewall's main task is to stop the simplest attempts at unauthorized access.

2.11. Viruses and Trojan horses are countered with effective anti-virus software operating at the user level and at the network level. Anti-virus tools detect most viruses and Trojan horses and prevent their spread.

3. Algorithm of actions when network attacks are detected

3.1. Most network attacks are blocked automatically by the installed protection tools (firewalls, trusted boot tools, routers, anti-virus tools, etc.).

3.2. Attacks that require human intervention to block them or to mitigate their consequences include DoS attacks.

3.2.1. DoS attacks are detected by analyzing network traffic. The start of an attack is characterized by "flooding" of the communication channels with resource-intensive packets carrying forged addresses. Such an attack on the Internet banking site makes access difficult for legitimate users, and the web resource may become unavailable.

3.2.2. If an attack is detected, the system administrator performs the following actions:

  • manually switches the router to the backup channel and back in order to find a less loaded channel (one with more available bandwidth);
  • reveals the range of IP addresses from which the attack is carried out;
  • sends a request to the provider to block IP addresses from the specified range.

3.3. A DoS attack is often used to mask a successful attack on a client's resources, making it harder to detect. Therefore, when a DoS attack is detected, the latest transactions must be analyzed to identify unusual ones, block them (if possible), and contact the clients through an alternative channel to confirm the transactions.

3.4. If information about unauthorized actions is received from the client, all available evidence is recorded, an internal investigation is carried out and an application is submitted to law enforcement agencies.


I told a little about who hackers are, and in this article I want to continue this topic and write about the types of hacker attacks and give recommendations on how to prevent them.

Attack(attack) on an information system is an action or a sequence of interconnected actions of an intruder that lead to the implementation of a threat by exploiting the vulnerabilities of this information system. Let's start studying the attacks:

Phishing

Phishing. The aim is to obtain information (passwords, credit card numbers, etc.) or money from users. The technique targets many users at once rather than a single one. For example, e-mails purporting to come from the technical support service are sent to all known clients of a bank.

The letters usually contain a request to send a password to the account, ostensibly due to some technical work. Such letters are usually very believable and well-written, which, perhaps, captivates gullible users.

Recommendations: Paranoia is the best defense. Do not trust anything suspicious, do not give your data to anyone. Administrators do not need to know your password if it is intended to access their server. They have full control of the server and can view the password themselves or change it.

Social engineering

Social engineering is a psychological rather than a technical technique. Using data gathered during reconnaissance (enumeration), an attacker can call a user (of a corporate network, for example) in the name of an administrator and try to ask for, say, a password.

This becomes possible when, in large networks, users do not know all the employees, and even more so, they cannot always accurately recognize them by phone. In addition, complex psychological techniques are used, so the chance of success greatly increases.

Recommendations: the same. If there is a real need, provide the data in person. If you wrote a password down on paper, do not leave it lying around, and destroy it when it is no longer needed rather than simply throwing it in the trash.

DoS

DoS (Denial of Service). This is not a single attack but the result of one; it is used to disable a system or individual programs. The cracker crafts a request to some program in a special way, after which the program stops functioning, and a restart is required to bring it back into working order.

Smurf

Smurf (an attack on flaws in protocol implementations). Today this type of attack is considered exotic, but in the early days of TCP/IP implementations contained a number of flaws that allowed, for example, source IP addresses to be forged and directed broadcasts to be forwarded. An ICMP echo request with the victim's forged source address is sent to a network's broadcast address, and every host on that network replies to the victim, amplifying the traffic.

This type of attack is nevertheless still seen today. Some authors also distinguish TCP, UDP and ICMP variants of Smurf (the UDP variant is usually called Fraggle); the division is, of course, by packet type.

UDP Storm

UDP storm - used when the victim has at least two open UDP ports, each of which sends a reply to the sender. For example, port 37 (the time service) answers a request with the current date and time. The cracker sends a UDP packet to one of the victim's ports but sets the source to the victim's own address and the victim's second open UDP port.

Then the ports begin to endlessly respond to each other, which reduces performance. The storm will stop as soon as one of the packets is lost (for example, due to resource overload).

UDP Bomb

UDP Bomb - an attacker sends a UDP packet to the system with incorrect service data fields. Data can be broken in any way (for example, incorrect field length, structure). This may lead to a crash. Recommendations: update the software.

mail bombing

Mail bombing. If the attacked computer runs a mail server, a huge number of e-mail messages are sent to it in order to disable it.

In addition, such messages are stored on the server's hard disk and can fill it up, which can cause DoS. Of course, now this attack is more of a history, but in some cases it can still be used. Recommendations: competent setup of the mail server.

sniffing

Sniffing (listening to the network). If the network uses hubs instead of switches, received packets are sent to all computers on the network, and each computer decides whether the packet is for it or not.

If an intruder gains access to a computer that is included in such a network, or gains access to the network directly, then all information transmitted within the network segment, including passwords, will become available.

The cracker will simply put the network card in listening mode and will accept all packets, regardless of whether they were intended for him.


IP Hijack

IP hijack. With physical access to the network, an attacker can tap into the network cable and act as an intermediary in the transmission of packets, thereby listening to all traffic between two computers. It is a very inconvenient method that often does not justify itself, except where no other method can be used.

Such a tap is awkward in itself, although there are devices that make the task somewhat easier, in particular by tracking packet sequence numbers to avoid failures and possible detection of the intrusion into the channel.

Dummy DNS Server

Dummy (rogue) DNS server. If the network settings are obtained automatically, then when it joins the network the computer "asks" (via a DHCP broadcast) which DNS server it should use, and it will send its DNS queries to that server from then on.

Given physical access to the network, an attacker can intercept such a broadcast request and respond that his computer will be a DNS server.

After that, he will be able to send the deceived victim along any route. For example, if a victim wants to go to a bank website and transfer money, a hacker can send it to his computer, where a password entry form will be fabricated. After that, the password will belong to the attacker.

A rather complicated method, because the attacker has to answer the victim before the legitimate server does.

IP spoofing

IP spoofing (forging the source IP address). The attacker replaces their real IP address with a fictitious one. This is needed when only certain IP addresses have access to a resource: the attacker changes their real IP to a "privileged" or "trusted" one in order to gain access. The method can also be used differently.

After two computers have established a connection between themselves by checking passwords, an attacker can cause the victim to overload network resources with specially generated packets. Thus, he can redirect traffic to himself and thus bypass the authentication procedure.

Recommendations: these measures address the SYN flood used in this scenario. Shorten the time a half-open connection is kept (the SYN-ACK retransmission timeout), increase the size of the SYN queue (net.ipv4.tcp_max_syn_backlog on Linux), and use SYN cookies, which let the server accept connections without keeping per-SYN state.
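
An added example, not part of the original article, of the SYN cookie technique recommended above, in Python: the server encodes a time slot, the client's MSS and a keyed hash of the connection 4-tuple into the initial sequence number of its SYN-ACK, keeps no half-open state, and validates the final ACK by recomputing the hash. The bit layout, the key and the time-slot granularity are assumptions chosen for the illustration (the Linux implementation differs in detail).

```python
import hashlib
import hmac
import socket
import struct

# Common MSS values; the client's MSS is encoded as a 3-bit index into this table.
MSS_TABLE = (536, 1220, 1440, 1460)


def _mss_index(mss):
    """Largest table entry not exceeding the client's advertised MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _mac24(key, saddr, daddr, sport, dport, t, mss_idx):
    """24-bit keyed hash binding the cookie to the 4-tuple, time slot and MSS."""
    msg = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
           + struct.pack(">HHIB", sport, dport, t, mss_idx))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(key, saddr, daddr, sport, dport, mss, t):
    """Initial sequence number for the SYN-ACK; nothing is stored per SYN.
    Layout (illustrative):
      bits 31..27  t mod 32      coarse time slot (caller supplies t, e.g. seconds // 64)
      bits 26..24  MSS index
      bits 23..0   MAC over (4-tuple, t, MSS index)"""
    idx = _mss_index(mss)
    return ((t % 32) << 27) | (idx << 24) | _mac24(key, saddr, daddr, sport, dport, t, idx)


def check_cookie(key, saddr, daddr, sport, dport, ack_seq, t_now, max_age=2):
    """Validate the handshake's final ACK. The client acknowledges ISN+1, so
    the cookie is ack_seq-1. Returns the negotiated MSS, or None if the cookie
    is forged, belongs to another 4-tuple, or is older than max_age slots."""
    isn = (ack_seq - 1) & 0xFFFFFFFF
    slot, idx, mac = isn >> 27, (isn >> 24) & 0x7, isn & 0xFFFFFF
    for age in range(max_age + 1):
        t = t_now - age
        if t < 0 or t % 32 != slot:
            continue
        expected = _mac24(key, saddr, daddr, sport, dport, t, idx)
        if hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


if __name__ == "__main__":
    # Constructed handshake: key and endpoints are assumptions.
    key = b"per-boot-secret"
    isn = make_cookie(key, "198.51.100.1", "192.0.2.10", 40000, 80, 1460, t=100)
    print("SYN-ACK seq:", hex(isn))
    print("ACK accepted, MSS =", check_cookie(key, "198.51.100.1", "192.0.2.10", 40000, 80, isn + 1, t_now=100))
    print("forged ACK:", check_cookie(key, "198.51.100.1", "192.0.2.10", 40000, 80, isn + 7, t_now=100))
```

Under a flood the server answers every SYN this way and allocates a connection only when a valid ACK returns, so forged-source SYNs cost it nothing but a hash; the price is that TCP options not encoded in the cookie (window scaling, SACK) are lost for connections set up while cookies are active.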

Software vulnerabilities

Software vulnerabilities. Exploitation of errors in software. The effect varies, from obtaining insignificant information to gaining full control over the system. Attacks through software bugs have always been the most popular.

Old bugs are fixed by new versions, but new bugs appear in new versions, which can be used again.

Viruses

The most known problem to the common user. The bottom line is the introduction of malware into the user's computer. The consequences can be different and depend on the type of virus with which the computer is infected.

But in general - from stealing information to sending spam, organizing DDoS attacks, as well as gaining full control over the computer. In addition to the file attached to the letter, viruses can enter the computer through some OS vulnerabilities.

Recommendations: use anti-virus software, and do not rely on a single product: complement a classic anti-virus such as DrWEB or Kaspersky Anti-Virus with specialized anti-malware tools such as Ad-Aware, SpyBot, XSpy.

Also, don't open suspicious attachments, and generally don't open programs from unknown senders. Even if the sender is familiar to you, check it with an antivirus first.

Table 9.1. Vulnerabilities of TCP/IP stack protocols

Protocol | Layer of the protocol stack | Vulnerability | Information security impact
FTP (File Transfer Protocol), file transfer over a network | Application, presentation, session | Plaintext authentication (passwords sent unencrypted); default (anonymous) access; two open ports (control and data) | Interception of data
Telnet, remote terminal control | Application, presentation, session | Plaintext authentication (passwords sent unencrypted) | Interception of account data (usernames, passwords); remote access to hosts
UDP, connectionless data transfer | Transport | No mechanism to prevent buffer overload | UDP storm; the packet exchange causes a significant performance degradation of the server
ARP, resolution of IP addresses to physical (MAC) addresses | Network (boundary with the link layer) | No authentication of replies (information sent in clear) | Interception of user traffic by an attacker (ARP spoofing)
RIP (Routing Information Protocol) | Application (runs over UDP; a routing protocol) | No authentication of route control messages | Redirection of traffic through the attacker's host
TCP (Transmission Control Protocol) | Transport | No validation of the correctness of the packet's header fields | Significant slowdown or complete break of arbitrary TCP connections
DNS, mapping of mnemonic names to network addresses | Application, presentation, session | No means of verifying the authenticity of data received from the source | DNS response spoofing
IGMP (Internet Group Management Protocol), multicast group membership | Network | No validation of message contents | Hanging of Windows 9x/NT/2000 systems (malformed packets)
SMTP, e-mail message delivery | Application, presentation, session | No authentication of the sender | Spoofing of e-mail messages and of the sender's address
SNMP, network device management | Application, presentation, session | No authentication of message headers (community strings sent in clear) | Network bandwidth congestion

Threats implemented over the network are classified according to the following main features:

  1. nature of the threat.

    Passive - a threat that does not affect the operation of the information system but may violate the rules for accessing protected information. Example: using a sniffer to "listen" to the network. Active - a threat that affects the components of the information system and whose realization directly impacts the system's operation. Example: a DDoS attack in the form of a TCP SYN flood.

  2. purpose of the threat(respectively, confidentiality, availability, integrity of information).
  3. attack start condition:
    • at the request of the attacker: the attacker waits for a request of a certain type to be transmitted, which is the condition for starting the attack (unauthorized access);
    • upon the occurrence of the expected event on the attacked object.
    • unconditional impact - the attacker does not expect anything, that is, the threat is realized immediately and regardless of the state of the attacked object.
  4. feedback with the attacked object:
    • with feedback, that is, for some requests, the attacker needs to get a response. Thus, there is a feedback between the attacked and the attacker, which allows the attacker to monitor the state of the attacked object and adequately respond to its changes.
    • without feedback - accordingly, there is no feedback and the need for the attacker to respond to changes in the attacked object.
  5. location of the intruder relative to the attacked information system: intra-segment or inter-segment. A network segment is a physical grouping of hosts, hardware, and other network components sharing one network address space. For example, the computers on a shared medium, such as one Ethernet collision domain or one Token Ring, form a segment.
  6. the level of the ISO/OSI reference model at which the threat is realized: physical, data link, network, transport, session, presentation, application.

Consider the most common attacks in networks based on protocol stack TCP/IP.

  1. Network traffic analysis. This attack is carried out with a special program called a sniffer. A sniffer is an application that puts the network card into so-called promiscuous mode, in which the card accepts all packets regardless of whom they are addressed to. Normally the Ethernet interface filters at the link layer: if the destination MAC address of a received frame is neither the interface's own address nor a broadcast address, the frame is discarded. In promiscuous mode this filtering is disabled, and all frames, including those not intended for the host, are passed up to the system. Many such programs are used for legitimate purposes, for example troubleshooting or traffic analysis. However, the table above lists protocols that send information, including passwords, in clear text - FTP, SMTP, POP3, etc. With a sniffer one can therefore intercept a username and password and gain unauthorized access to confidential information. Moreover, many users reuse the same password for many network services, so a single weak point with weak authentication can compromise the entire network. Attackers know human weaknesses well and make wide use of social engineering.

    Protection against this type of attack can be as follows:

    • Strong authentication, for example with one-time passwords. The point is that a password can be used only once, so even if an attacker intercepts it with a sniffer it has no value. Of course, this mechanism protects only against interception of passwords and is useless against interception of other information, such as e-mail.
    • Anti-sniffers are hardware or software tools that can detect a sniffer operating in a network segment. As a rule they check the load on network nodes in order to spot "extra" load.
    • Switched infrastructure. Network traffic analysis is possible only within one network segment. If the network is built on devices that divide it into many segments (switches and routers), an attack is possible only in the part of the network attached to one port of such a device. This does not solve the sniffing problem, but it narrows the boundaries an attacker can "listen" to.
    • Cryptographic methods are the most reliable way to counter a sniffer: the information that can be intercepted is encrypted and therefore useless. The most commonly used are IPsec, SSL/TLS, and SSH.
  2. Network scan. The purpose of network scanning is to identify services running on the network, open ports, active network services, protocols used, etc., i.e. to collect information about the network. The most common techniques are:
    • DNS queries help an attacker find out the owner of a domain, the address area,
    • pinging - identifies live hosts based on DNS addresses received earlier;
    • port scan - a complete list of services supported by these hosts is compiled, open ports, applications, etc.

    A good and most common countermeasure is to use an IDS that successfully finds signs of a network scan in progress and notifies the administrator. It is impossible to completely get rid of this threat, because if, for example, you disable ICMP echo and echo reply on the router, you can get rid of the ping threat, but at the same time lose the data necessary for diagnosing network failures.

  3. Password cracking. The main purpose of this attack is to gain unauthorized access to protected resources by defeating password protection. To obtain a password an attacker can use many methods: brute-force enumeration, dictionary search, sniffing, etc. The most common is simple enumeration of all possible password values. To protect against it, use strong passwords that are not easy to guess: at least 8 characters, upper- and lower-case letters, and special characters (@, #, $, etc.).

    Another information security problem is that most people use the same passwords for all services, applications, sites, etc. At the same time, the vulnerability of a password depends on the weakest part of its use.

    This kind of attack can be avoided by using one-time passwords, which we talked about earlier, or cryptographic authentication.

  4. IP spoofing, or impersonating a trusted network object. A trusted object here is a network object (computer, router, firewall, etc.) that is legitimately connected to the server. The threat is that an attacker pretends to be such a trusted object, in one of two ways: by using a source IP address from the range of authorized internal addresses, or an authorized external address that is allowed to reach certain network resources. Attacks of this type are often the starting point for other attacks.

    Typically, spoofing a trusted network object is limited to inserting false information or malicious commands into the normal data stream transmitted between network objects. For two-way communication, an attacker must change all the routing tables to direct traffic to a fake IP address, which is also possible. To mitigate the threat (but not eliminate it), you can use the following:

    • access control. You can configure access control to cut off any traffic coming from an external network with a source address within the network. This method is valid if only internal addresses are authorized and fails if there are authorized external addresses.
    • RFC 2827 filtering - this type of filtering allows you to stop users of your network from spoofing foreign networks. To do this, you must reject any outbound traffic whose source address is not one of your organization's IP addresses. Often this type of filtering is performed by the provider. As a result, all traffic that does not have a source address expected on a particular interface is rejected. For example, if an ISP provides a connection to the IP address 15.1.1.0/24, it can configure the filter so that only traffic coming from 15.1.1.0/24 is allowed from that interface to the ISP router. Note that until all providers implement this type of filtering, its effectiveness will be much lower than possible.
    • Implementation of additional authentication methods. IP spoofing is only possible with IP-based authentication. If some additional authentication measures are introduced, for example, cryptographic ones, the attack becomes useless.
  5. Denial of Service (DoS) - an attack on a computing system intended to make it fail, i.e. to create conditions under which legitimate users cannot access the resources the system provides, or access is hindered.

    A DoS attack is the most common and best-known attack of recent times, primarily because of its ease of implementation. Organizing a DoS attack requires minimal knowledge and skill and relies on shortcomings of network software and protocols. If the attack is carried out from many network devices, it is called a distributed DoS attack (DDoS).

    The following five types of DoS attacks are most commonly used today, for which there is a large amount of software and which are the most difficult to defend against:

    • Smurf - ICMP ping requests. When a ping packet (an ICMP ECHO message) is sent to a broadcast address (for example, 10.255.255.255), it is delivered to every machine on that network. The principle of the attack is to send ICMP ECHO REQUEST packets whose source address is forged to be that of the attacked host. The attacker sends a constant stream of ping packets to a network broadcast address. All machines, upon receiving the request, respond to the forged source with an ICMP ECHO REPLY packet. Accordingly, the size of the response stream grows in proportion to the number of hosts. As a result, the entire network suffers denial of service due to congestion.
    • ICMP flood - an attack similar to Smurf, only without the amplification created by requests to the directed broadcast address.
    • UDP flood - sending a large number of UDP (User Datagram Protocol) packets to the address of the attacked host.
    • TCP flood - sending a large number of TCP packets to the address of the attacked host.
    • TCP SYN flood - in this kind of attack, a large number of requests to initialize TCP connections are issued to the attacked node, which, as a result, has to spend all its resources tracking these partially open connections.

    If the target is a Web server or FTP server application, a DoS attack causes all connections available to those applications to be occupied, and users cannot access them. Some attacks can take out an entire network by flooding it with unnecessary packets. Countering such attacks requires the participation of the provider, because if the provider does not stop the unwanted traffic at the entrance to the network, the attack cannot be stopped, since the bandwidth will remain occupied.
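The two flood patterns described above leave measurable traces on the victim's side: a pile-up of half-open TCP connections (SYN flood) and a stream of ICMP echo replies that the host never requested (Smurf). The following detector, an added example that is not part of the original article, runs over constructed flow records and raises an alert when either pattern crosses a threshold; the addresses, thresholds and record layout are assumptions.

```python
from collections import Counter

# Constructed flow records (an assumption, not captured traffic): one dict per
# packet carrying src, dst, proto and either the TCP flag or the ICMP type.
def tcp(src, dst, flag):
    return {"src": src, "dst": dst, "proto": "tcp", "flag": flag}

def icmp(src, dst, icmp_type):
    return {"src": src, "dst": dst, "proto": "icmp", "type": icmp_type}

VICTIM = "192.0.2.10"
SAMPLE_FLOWS = (
    # SYN flood: 60 distinct sources send a SYN and never the final ACK
    [tcp(f"198.51.100.{i}", VICTIM, "S") for i in range(1, 61)]
    # one legitimate client that completes the handshake (SYN, then ACK)
    + [tcp("203.0.113.5", VICTIM, "S"), tcp("203.0.113.5", VICTIM, "A")]
    # Smurf: echo replies (type 0) from 40 hosts of one /24 answering a spoofed request
    + [icmp(f"192.0.2.{i}", VICTIM, 0) for i in range(100, 140)]
    # a solicited reply: the victim itself sent the echo request (type 8) first
    + [icmp(VICTIM, "203.0.113.9", 8), icmp("203.0.113.9", VICTIM, 0)]
)
SYN_THRESHOLD = 50         # half-open connections per destination before alerting
ECHO_REPLY_THRESHOLD = 30  # unsolicited echo replies per destination before alerting

def half_open_by_dst(flows):
    """Count (src, dst) pairs that sent a SYN but never an ACK, grouped by destination."""
    syn_seen, completed = set(), set()
    for f in flows:
        if f["proto"] == "tcp" and f["flag"] == "S":
            syn_seen.add((f["src"], f["dst"]))
        elif f["proto"] == "tcp" and f["flag"] == "A":
            completed.add((f["src"], f["dst"]))
    return dict(Counter(dst for _, dst in syn_seen - completed))

def unsolicited_echo_replies_by_dst(flows):
    """Count echo replies whose destination never sent a request to that source (Smurf symptom)."""
    requested = {(f["src"], f["dst"]) for f in flows if f["proto"] == "icmp" and f["type"] == 8}
    unsolicited = [f["dst"] for f in flows if f["proto"] == "icmp" and f["type"] == 0
                   and (f["dst"], f["src"]) not in requested]
    return dict(Counter(unsolicited))

def detect(flows):
    """Return (alert, destination, count) tuples for the two flood patterns above."""
    alerts = [("syn_flood", d, n) for d, n in half_open_by_dst(flows).items() if n >= SYN_THRESHOLD]
    alerts += [("smurf_reply_storm", d, n) for d, n in unsolicited_echo_replies_by_dst(flows).items()
               if n >= ECHO_REPLY_THRESHOLD]
    return alerts
```

On a real host the same counts can be taken from the kernel's connection table (connections in the SYN-received state) and from ICMP counters, which is what the thresholds would be tuned against.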

    The following programs are most commonly used to implement a DoS attack:

    • Trinoo - a rather primitive program, historically the first to organize DoS attacks of a single type, UDP flood. Programs of the "trinoo" family are easily detected by standard protection tools and pose no threat to anyone who cares even a little about their security.
    • TFN and TFN2K - a more serious weapon. They allow attacks of several types to be organized simultaneously: Smurf, UDP flood, ICMP flood and TCP SYN flood. Using these programs requires much higher skill from the attacker.
    • The latest tool for organizing DoS attacks is Stacheldraht ("barbed wire"). This package allows a variety of attack types to be organized, as well as an avalanche of broadcast ping requests. In addition, communication between controllers and agents is encrypted, and an auto-modification function is built into the software itself. The encryption makes detecting the attacker very difficult.

    To mitigate the threat, you can use the following:

    • Anti-spoofing features - properly configuring the anti-spoofing features on your routers and firewalls helps reduce the risk of DoS. These features should, at a minimum, include RFC 2827 filtering. Unless a hacker can disguise his true identity, he is unlikely to attempt an attack.
    • Anti-DoS features - proper configuration of anti-DoS features on routers and firewalls can limit the effectiveness of attacks. These features often cap the number of half-open connections allowed at any one time.
    • Traffic rate limiting - an organization can ask its ISP to limit the amount of traffic. This type of filtering limits the amount of non-critical traffic passing through your network. A common example is limiting ICMP traffic, which is used only for diagnostic purposes. DoS attacks often use ICMP.
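The first and third measures above can be shown as a small edge-router model: RFC 2827 ingress filtering drops packets whose source address does not belong to the prefix assigned to the interface they arrived on, and a token bucket caps non-critical ICMP traffic. This is an added example written for this article, not the article's or any vendor's code; the interface names, prefixes, rate and sample packets are assumptions.

```python
import ipaddress

# Constructed topology (an assumption): the prefixes an edge router expects as
# legitimate source addresses on each customer-facing interface.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"), ipaddress.ip_network("198.51.100.128/25")],
}

def rfc2827_allows(interface, src):
    """Ingress filter: accept a packet only if its source address belongs to a
    prefix assigned to the interface it arrived on (RFC 2827)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))

class TokenBucket:
    """Rate limiter for non-critical traffic such as ICMP. Integer arithmetic
    (milliseconds and millitokens) keeps the accounting exact."""
    def __init__(self, rate_per_s, burst):
        self.rate, self.capacity = rate_per_s, burst * 1000
        self.tokens, self.last_ms = self.capacity, 0
    def allow(self, now_ms):
        # rate_per_s tokens per second == rate_per_s millitokens per millisecond
        self.tokens = min(self.capacity, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def filter_packets(packets, icmp_limiter):
    """Split constructed packets into accepted, dropped as spoofed, dropped by rate limit."""
    accepted, spoofed, limited = [], [], []
    for p in packets:
        if not rfc2827_allows(p["iface"], p["src"]):
            spoofed.append(p)
        elif p["proto"] == "icmp" and not icmp_limiter.allow(p["t_ms"]):
            limited.append(p)
        else:
            accepted.append(p)
    return accepted, spoofed, limited

SAMPLE_PACKETS = (
    [{"iface": "eth1", "src": "203.0.113.7", "proto": "tcp", "t_ms": 0}]
    # spoofed: claims a source outside eth1's prefix, as a Smurf or SYN flood would
    + [{"iface": "eth1", "src": "192.0.2.10", "proto": "icmp", "t_ms": 0}]
    # ICMP burst from a legitimate customer host: 20 packets, one every 10 ms
    + [{"iface": "eth2", "src": "198.51.100.200", "proto": "icmp", "t_ms": 10 * i} for i in range(20)]
)
```

With a limiter of 10 ICMP packets per second and a burst of 5, the 20-packet burst is cut to 6 accepted packets, while the spoofed packet is dropped before it reaches the limiter at all.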

    Denial-of-service threats can be divided into the following types:

    • A latent denial of service, when part of the network resources is spent processing packets transmitted by an attacker, reducing channel bandwidth, disrupting request processing times and degrading the performance of network devices. Example: a directed ICMP echo request storm or a TCP connection request storm.
    • An explicit denial of service caused by network resources being exhausted as a result of processing packets sent by attackers. Legitimate user requests then cannot be processed because the entire channel bandwidth is busy, buffers are full, disk space is full, etc. Example: a directed storm (SYN flooding).
    • An explicit denial of service caused by a violation of the logical connectivity between the network's technical means when an attacker sends control messages on behalf of network devices, thereby changing the routing data. Example: ICMP Redirect Host or DNS flood.
    • An explicit denial of service caused by an attacker transmitting packets with non-standard attributes (such as UDP bomb) or exceeding the maximum length (Ping of Death).

    DoS attacks target the availability of information and do not violate its integrity or confidentiality.

  6. Application layer attacks. This type of attack consists in exploiting "gaps" in server software (HTML, sendmail, FTP). Using these vulnerabilities, an attacker gains access to a computer on behalf of an application user. Application layer attacks often use ports that are allowed to "pass" through the firewall.

    The main problem with application layer attacks is that they use ports that are allowed through the firewall. For example, a hacker attacking a Web server might use TCP port 80. For the Web server to serve pages to users, port 80 must be open on the firewall. From the firewall's point of view, the attack is treated as ordinary traffic on port 80.

    It is not possible to completely eliminate application layer attacks, since applications with new vulnerabilities appear regularly. The most important thing here is good system administration. Here are some steps that reduce your exposure to this type of attack:

    • reading logs (system and network);
    • tracking vulnerabilities in new software using specialized sites, such as http://www.cert.com;
    • use of IDS.

From the very nature of a network attack, it is clear that its occurrence is not controlled by any one network node. We have not considered all the attacks that are possible on a network; in practice there are many more. However, it is not possible to defend against every type of attack. The best approach to protecting the network perimeter is to eliminate the vulnerabilities that are used in most malicious attacks. Lists of such vulnerabilities are published on many websites that collect such statistics, for example the website of the SANS Institute: http://www.sans.org/top-cyber-security-risks/?ref=top20 . An ordinary attacker does not look for original ways to attack, but scans the network for a known vulnerability and uses it.
