Melior, Inc. - CyberWarfare Defense: Background on dDoS

Over the last thirty years, most software development has targeted delivery of functionality, not security. This holds true for communications software and protocols, operating systems, application software, and code embedded in hardware appliances. Computers and networks have become the necessary tools of commercial, government, and educational business, and the means of global communication linking individuals and institutions, customers to vendors, citizens to governments, and students to universities; the dependency is well past the point of return to traditional means. Yet the entire infrastructure remains highly vulnerable to misuse.

These vulnerabilities affect every level of network use: from the small Local Area Network and the home Personal Computer with an Internet connection, to enterprise networks, e-commerce businesses, government systems, nations, and the global Internet infrastructure. In essence, the exploitation of vulnerabilities establishes "CyberWarfare" between legitimate users of resources and their abusers, whether individuals of varying sophistication, competing businesses, or unfriendly nations.

With the evolution of the Internet, TCP/IP has emerged as the predominant network protocol, and its IPv4 design provides no authentication of addresses and no integrity protection of packets. Even applications and higher-level protocols without flaws of their own inherit the weaknesses of the underlying IP and TCP layers. IPv6, initially driven by the need for more address space, also brings some security improvements (IPsec was designed alongside it), but at the time of writing it is years away from practical deployment.

Vulnerabilities are well known and accessible to everyone: a simple Google search in June 2003 for the term "Network Vulnerabilities" returned over 442,000 results, and a search for "Application Vulnerabilities" over 275,000. Compiled in large public archives such as BugTraq, this information lets system administrators and malicious attackers alike learn of detected risks and act on them.

Since security firms and attackers are usually the ones finding the vulnerabilities, system administrators and those responsible for the security, integrity, and availability of the computer and network infrastructure are left in the undesirable position of keeping up with newly disclosed risks and searching for ways to mitigate them. This has always been a reactive approach: looking for application patches and for devices that address individual risks.

Commercial vendors and research projects at universities and in government have tried, with mixed success, to overcome the technical hurdles of securing critical computing and networking infrastructure against its inherent weaknesses, while malicious attackers develop ever more sophisticated tools to defeat such efforts and share those tools freely. Because the defenses are reactive, the attackers stay ahead.

Vulnerability Determination

The first step of any attack, from inside or outside (commonly the Internet), is to find out which systems are in use at the targeted infrastructure. Powerful, freely available tools return detailed configuration results within minutes; this process is usually called "enumeration" or reconnaissance, and it works by scanning network addresses and ports.

Tools such as Nmap and Nessus (to name just two) reach any host to which a network path is open, whether behind several layers of firewalls, in Demilitarized Zones (DMZs), or on internal networks, and return precise results: which defensive systems and mechanisms are deployed, and which vendors, operating systems, release versions, servers, and applications are in use. Nmap infers the operating system and service versions from the way a host responds to its probes; Nessus goes on to test for known vulnerabilities and rates the severity of each finding, which amounts to an automatic assessment of how hard each detected system is to compromise.

With this information, the malicious attacker can look up how best to target an attack: exploit known vulnerabilities (a "known" attack) or go a step further and develop a new form of attack specifically geared towards the mapped target (an "unknown" attack).

Any network device (router, bridge, switch), defense device (firewall), or application device (server, storage system, workstation, or individual computer) that answers on an address or port can be fingerprinted in this way; a host need not be compromised to be mapped. In other words, every system reachable from the Internet is a "sitting duck" for mapping from public sources, and every system on an internal-only network can be mapped from any computer connected to that network.

Information gathering on system and network configuration goes on continuously. Intrusion Detection System (IDS) and firewall logs are filled with these probes, which are either automated sweeps of IP ranges or probes against specific targets.

The ideal mitigation for this first and most important step of every attack is to "hide" or "cloak" each system and infrastructure on internal networks and on the Internet. Such a solution detects information-gathering probes and responds actively in a way that reveals neither the systems nor their configuration, without affecting normal traffic.

The technology hurdle to deliver such a solution had not been overcome prior to Melior's iSecure and Barbican products.

TCP/IP Protocol Attacks

TCP/IP has become the most widely used network protocol suite. It is used exclusively on the Internet and widely on internal networks, alongside IPX and other legacy protocols that are increasingly disappearing. The protocols are extensively documented in freely accessible specifications (the "RFCs", or Requests for Comments, written during the design of every commonly shared function of interaction between computing systems) and are usually described with reference to the 7-layer OSI model, so anyone can analyse them for weaknesses.

All systems using TCP/IP-based network communications are reachable (and thus attackable) at every layer of the OSI model: 65,535 ports each for TCP and UDP, plus ICMP, which has no ports but a set of message types and codes.

Along with the physical Layer 1, Layer 2 (data link, addressed by the six-byte MAC, or Media Access Control, address) and Layer 3 (the logical network address, the assigned IP number) are the prime targets for reaching and identifying any system on a network.

The first three bytes of a MAC address form the Organizationally Unique Identifier (OUI), assigned to the hardware vendor, so the vendor of a network interface can be read directly off the address.

The packet formats used within TCP/IP are well documented and allow many options to be negotiated between two communicating devices. Many of these options are rarely used in practice, but they are still parsed, and they remain exploitable. Many low-level network (TCP/IP protocol) attacks work by manipulating these rarely used fields, or by sending or requesting information outside the protocol specification. Every network device that speaks TCP/IP is exposed to such attacks, and many known forms exist. The same mechanism serves reconnaissance: how a system responds to unusual low-level packets (its initial TTL, TCP window size, option ordering, and reaction to illegal flag combinations) is used to infer its operating system and configuration.

Current defense technology has not eliminated packet-based attacks. Any addressable system deployed on a network, including firewalls, Intrusion Detection Systems, and VPN gateways, is itself exposed to them. Many threats and risks are based on malformed or unsolicited packets, as most Denial-of-Service (DoS) attacks are. Simple, widely circulated tools such as the "Synk4" SYN flooder could render an unprotected TCP/IP host unreachable within seconds by filling its half-open connection table.

The ideal solution for TCP/IP protocol attacks is an inline scanner that inspects all traffic flowing through it for validity. The device must not be addressable by MAC (Layer 2) or IP number (Layer 3), so that it presents no target of its own, and it must distinguish valid ("good") packets from invalid ("bad") ones, discarding the invalid and passing the valid through. It must work at line rate, or close to it, so that it adds negligible latency to the communication.
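Passive fingerprinting (reading the OS family off TTL, window size and option bytes) and inline packet validation both start from the same decoding step. The following is an added example written for this page; it is not Melior's code nor that of any product mentioned here. It parses a constructed Ethernet/IPv4/TCP frame, extracts the OUI, TTL, window and option bytes a fingerprinter uses, and applies a few of the checks an inline filter would run before forwarding (IPv4 header checksum, length consistency, LAND source-equals-destination, SYN and FIN set together). The frames, MAC addresses and the TTL-to-OS mapping are constructed assumptions for illustration.

```python
# Added example, not Melior's code: parse an Ethernet/IPv4/TCP frame, pull out the
# fields a passive fingerprinter keys on, and run inline-filter validity checks.
import struct

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum; over a header carrying a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, flags, window,
                sport=40000, dport=80, df=True, options=b"", corrupt_checksum=False):
    """Assemble a minimal Ethernet + IPv4 + TCP frame (constructed sample data)."""
    assert len(options) % 4 == 0, "TCP options must be padded to 32-bit words"
    data_offset = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset << 4,
                      flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    csum = ipv4_checksum(ip)
    if corrupt_checksum:
        csum ^= 0xFFFF  # every bit flipped, so it can never verify
    ip = ip[:10] + struct.pack("!H", csum) + ip[12:]
    return dst_mac + src_mac + b"\x08\x00" + ip + tcp


def parse_frame(frame: bytes) -> dict:
    """Decode the three headers; raises ValueError on a truncated frame."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP")
    src_mac = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 20:
        raise ValueError("bad IPv4 header length or truncated frame")
    tcp = ip[ihl:]
    (sport, dport, _seq, _ack, offset, flags,
     window, _tcsum, _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    return {
        "oui": src_mac[:3].hex(":"),  # first three octets identify the NIC vendor
        "ethertype": ethertype, "version": ver_ihl >> 4,
        "total_len": total_len, "wire_len": len(ip),
        "df": bool(frag & 0x4000), "ttl": ttl, "proto": proto,
        "checksum_ok": ipv4_checksum(ip[:ihl]) == 0,
        "src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "flags": flags, "window": window,
        "tcp_options": tcp[20:(offset >> 4) * 4],
    }


def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common starting value."""
    return next((t for t in (32, 64, 128, 255) if observed <= t), 255)


def os_family_hint(p: dict) -> str:
    """Coarse p0f-style guess from initial TTL alone (assumed mapping, illustrative)."""
    return {64: "Linux/BSD-like (TTL 64)", 128: "Windows-like (TTL 128)",
            255: "router/Solaris-like (TTL 255)"}.get(initial_ttl(p["ttl"]), "unknown")


def packet_problems(p: dict) -> list:
    """Checks an inline filter would run before forwarding; [] means pass."""
    problems = []
    if p["ethertype"] != 0x0800 or p["version"] != 4:
        problems.append("not IPv4")
    if not p["checksum_ok"]:
        problems.append("bad IPv4 header checksum")
    if p["total_len"] > p["wire_len"]:
        problems.append("IP total length exceeds bytes on the wire")
    if p["src_ip"] == p["dst_ip"]:
        problems.append("source equals destination (LAND)")
    if p["proto"] == 6 and (p["flags"] & TCP_SYN) and (p["flags"] & TCP_FIN):
        problems.append("SYN and FIN set together")
    return problems


# Constructed samples: a normal SYN from a Windows-like host two hops away, and a
# malformed LAND / SYN+FIN packet with a corrupted header checksum.
GOOD_SYN = build_frame(b"\x00\x50\x56\x01\x02\x03", b"\x00\x11\x22\x33\x44\x55",
                       "10.0.0.5", "192.0.2.10", ttl=126, flags=TCP_SYN,
                       window=65535, options=b"\x02\x04\x05\xb4")
BAD_PACKET = build_frame(b"\x00\x0c\x29\xaa\xbb\xcc", b"\x00\x11\x22\x33\x44\x55",
                         "192.0.2.10", "192.0.2.10", ttl=64, flags=TCP_SYN | TCP_FIN,
                         window=1024, corrupt_checksum=True)

if __name__ == "__main__":
    for name, frame in (("GOOD_SYN", GOOD_SYN), ("BAD_PACKET", BAD_PACKET)):
        p = parse_frame(frame)
        print(name, p["oui"], os_family_hint(p), packet_problems(p) or "pass")
```

The TTL heuristic is deliberately coarse: a host 30 hops away with an initial TTL of 64 would still round correctly, but a host that rewrites TTL (some firewalls do) defeats it, which is exactly the "cloaking" idea the text argues for. Note that the checks here only consult header fields; a real inline filter also has to reassemble fragments and track TCP state to catch the attacks that are valid packet by packet but invalid as a sequence.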

(distributed) Denial-of-Service Attacks (DoS/dDoS)

Overview

Distributed Denial of Service attacks have emerged as one of the most newsworthy, if not the greatest, weaknesses of the Internet.

Distributed Denial of Service (dDoS) attacks are not a new development, but they have been used increasingly and aggressively in recent years. They first appeared, and were first widely discussed, in the summer of 1999. During the week of February 7 to 11, 2000, they emerged as a major new category of attack on the Internet, taking down many sites, including Yahoo, Buy.com, eBay, Amazon, Datek, E*Trade, and CNN. The victims were unreachable for periods ranging from several hours to over three days each.

Subsequently, large-scale attacks hit the DNS root servers in October 2002 (most of the thirteen root servers were degraded for about an hour, although caching kept name resolution working for most users), and the "Slammer" worm of January 2003, over Super Bowl weekend, caused significant tangible and intangible damage: its scanning traffic saturated networks, and Bank of America (USA) lost service on its 13,000 Automatic Teller Machines (ATMs) for two days. During the Iraq conflict, media sites suffered dDoS attacks that caused extended outages; the most widely reported victim was the independent Arabic news source "Al Jazeera", whose English site was unavailable for several weeks. Even the largest providers, such as Akamai, have been unable to withstand some dDoS attacks.

Businesses have been shut down by dDoS attacks (such as "Cloud Nine", one of the oldest ISPs in the United Kingdom, in 2002) or severely hurt through revenue loss and intangible damage. By 2004, dDoS attacks had become a successful tool for organized crime in extortion attempts, shutting down payment processing providers such as WorldPay, Authorize.net, and many others.

In response to the significance of the threat, the Federal Bureau of Investigation (FBI, USA) classified distributed Denial-of-Service attacks as a threat to national security as early as February 2003, and the risk remains a high-priority item for the newly formed Department of Homeland Security (DHS) in the United States, as well as for many other governments and commercial businesses.

A 2001 study at the University of California, San Diego, which inferred attacks from the "backscatter" of response packets that victims send to the spoofed source addresses, found an average of some 4,800 dDoS attacks per week on the Internet, with a rising trend.

Denial-of-Service attacks also rank among the highest risks for damages because of their maturity and visibility, as the Gartner Group reported as early as June 2003.

By 2004, Denial-of-Service attacks had risen to be the number one threat on the Internet.

Entire armies of "bots" can be rented for as little as $150 per attack; according to a 2004 Symantec study, 30,000 computers are taken over every day and added to these "bot" networks (up from 2,000 per day six months earlier).

dDoS Background

dDoS attacks involve breaking into hundreds or thousands of machines all over the Internet, by direct compromise or via worms, viruses, and automated scanning and exploitation of vulnerabilities. The attacker installs dDoS software on the compromised systems, which lets the attacker control all of them and launch coordinated attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources (see TCP/IP protocol attacks above), or target applications directly with traffic to specific ports. The effect is to break network connectivity to the victims, disable security devices such as firewalls, or exhaust operating system or application resources.

The attacker starts by breaking into weakly secured computers, using well-known defects in standard network service programs and common weak configurations in operating systems. Once in, the attacker takes some additional steps on each system. First, software is installed to conceal the break-in and to hide the traces of subsequent activity; for example, the standard commands for displaying running processes are replaced with versions that omit the attacker's processes.

These replacement tools are collectively called a "rootkit", since they are installed once the attacker has "broken root" (taken over system administrator privileges), and their purpose is to keep legitimate root users from finding the attacker. The attacker then installs a special process for remote control of the compromised system. On the public Internet this process accepts commands over the network and, in response, launches an attack against the designated victim; the same model applies to internal attacks within an enclosed network. The attacker catalogues the addresses of the compromised systems automatically. A cautious intruder begins by breaking into just a few sites, uses them to break into more, and repeats this cycle for several rounds to reduce the chance of being caught during the preparation phase. By the time the attacker is ready to mount the kind of attack that has been widely reported (on the order of a gigabit per second of traffic in the attack on Yahoo in 2000, according to reports in SANS), thousands of machines have been taken over and assembled into a dDoS attack network. In the usual terminology the attacking machines are "agents" (also called "daemons" or "zombies"), and they are commanded through a smaller number of intermediary "handlers" (or "masters"); the attacker has the attack software installed on all of them and knows all their addresses, which are stored in a file on the control system.

To run the actual attack, the attacker issues a single command, which sends command packets through the handlers to all the compromised systems, instructing them to launch a particular attack (from a menu of different varieties of dDoS attack) against a specific victim.

When the attacker decides to stop the attack, another single command is sent. Only the attacker controlling the handler systems can start and stop a dDoS attack.

While there are variations, (distributed) Denial-of-Service attacks generally take one or a combination of three common forms:
  • Bandwidth-flooding attacks, which overwhelm the available network capacity
  • Network-level attacks, which exploit weaknesses in the TCP/IP protocol family (for example SYN floods against the TCP handshake, or ICMP floods)
  • Application attacks, which target specific TCP ports (such as port 80 for HTTP/web traffic) or UDP ports (such as port 53 for DNS lookups, or the port ranges used for VoIP telephony) by packet or payload manipulation

The controlled machines send a stream of packets. For most attacks (network-level and application-level), these packets are directed at the target systems. In the reflected bandwidth-flooding variant, such as the "smurf" attack (named after the first circulated program that performed it), the packets are aimed at other networks: ICMP echo requests are sent to broadcast addresses with the victim's address forged as the source, so every host on those networks sends its echo reply to the victim, amplifying the flood many times over.

To go into further detail, some background description of the Internet:

The Internet consists of hundreds of thousands or millions of small networks (Local Area Networks, or LANs), all interconnected; attached to these LANs are many millions of separate computers. Any of these computers can communicate with any other using the IP address described above. Addresses are structured (organized into groups, or prefixes) so that special-purpose traffic-handling computers (routers) can send packets in the right direction to reach their intended destination. A typical connection today may require 15 or more hops, crossing from one network to another, before it reaches its final destination, but most of these "networks" are actually special-purpose links within and between network transport companies (Internet Service Providers, ISPs). The larger ISPs (backbone providers) and interconnect exchanges route traffic between networks.

As described above, when one computer wants to send a message to another, it divides it into pieces called "packets" (of variable size, up to the maximum the path can carry). Each packet is handled separately while in transit, and the message (if it is larger than a single packet) is reassembled at the receiving computer. So the traffic passing between machines consists entirely of packets of data. Each packet contains a pair of addresses, the Source and Destination IP (Internet Protocol) addresses: the originating machine and the intended recipient.

When such a packet is sent over the Internet, it is passed first to the nearest router, commonly at the point where the local network connects to the Internet; this router is usually called the "border router". In larger organizations the configuration is more complex: the organization assembles its own collection of LANs into an in-house internet, cross-connected at one or more points (often through firewalls) with the Internet by "edge routers". The border or edge routers pass packets upstream to core routers, which interconnect with many other core routers all over the Internet, passing each packet on until it reaches its destination. Routers forward on the destination address alone; the source address is normally not checked at all, and serves only to tell the recipient where to send its reply.

The packets used in today's dDoS attacks often carry forged source addresses, hiding ("spoofing") the true origin, i.e. the compromised systems. The very first router to receive such a packet could, in principle, catch it: it knows which address ranges are configured on every network attached to it, since it needs that information to route packets to them, so if a packet arrives whose source address does not match the network it came from, the router should discard it. This kind of checking is called ingress filtering (or egress filtering when a site applies it to its own outbound traffic) and is described in RFC 2827 / BCP 38, but it is not widely implemented. Once a spoofed packet is past the border router, discarding it on the basis of its source address is nearly impossible.
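The filtering decision described above is small enough to write out in full. The following is an added example for this page, not Melior's code and not a configuration for any particular router: a border router with two customer-facing interfaces (assumed names and documentation-range prefixes) decides, for each arriving packet, whether its source address is one the arrival interface is allowed to originate, and a mirror check shows the egress side at a site's own border. The interface table, bogon list and packets are all constructed.

```python
# Added example, not Melior's code: BCP 38 / RFC 2827 source-address validation
# as a border router would apply it. Interface table and packets are constructed.
import ipaddress

# Hypothetical border router: customer-facing interfaces and the prefixes routed to each.
INTERFACE_PREFIXES = {
    "eth1": [ipaddress.ip_network("203.0.113.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("198.51.100.128/26")],
}

# Addresses that should never appear as a source on an Internet-facing link.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_bogon(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in BOGONS)


def ingress_verdict(iface: str, src: str) -> tuple:
    """Decide whether a packet with source src arriving on iface may be forwarded.
    Returns ("forward" | "drop", reason)."""
    addr = ipaddress.ip_address(src)
    if is_bogon(addr):
        return ("drop", f"{src} is a reserved/bogon source")
    prefixes = INTERFACE_PREFIXES.get(iface)
    if prefixes is None:
        return ("drop", f"no prefix list for {iface}; default deny")
    if any(addr in net for net in prefixes):
        return ("forward", f"{src} belongs to a prefix routed to {iface}")
    return ("drop", f"{src} is not routed to {iface}; spoofed source")


def egress_verdict(src: str, own_prefixes) -> tuple:
    """The mirror check at a site's own border: outbound packets must carry one of
    the site's own addresses, so the site cannot be the origin of spoofed traffic."""
    addr = ipaddress.ip_address(src)
    if any(addr in ipaddress.ip_network(n) for n in own_prefixes):
        return ("forward", "source is one of our addresses")
    return ("drop", f"{src} is not ours; would leave the site as spoofed traffic")


def filter_batch(packets) -> dict:
    """Apply ingress_verdict to (iface, src) pairs and report what was dropped."""
    dropped = []
    for iface, src in packets:
        action, reason = ingress_verdict(iface, src)
        if action == "drop":
            dropped.append((iface, src, reason))
    return {"total": len(packets), "dropped": len(dropped), "details": dropped}


# Constructed packets arriving at the router: (interface, source address).
SAMPLE_PACKETS = [
    ("eth1", "203.0.113.7"),     # legitimate customer traffic
    ("eth1", "198.51.100.9"),    # another customer's address on the wrong link
    ("eth2", "198.51.100.150"),  # inside the second, non-contiguous block
    ("eth2", "198.51.100.200"),  # just outside 198.51.100.128/26
    ("eth2", "10.1.2.3"),        # RFC 1918 source on an Internet-facing link
    ("eth9", "203.0.113.7"),     # interface with no prefix list: default deny
]

if __name__ == "__main__":
    for iface, src, reason in filter_batch(SAMPLE_PACKETS)["details"]:
        print(f"drop {src} on {iface}: {reason}")
```

The check is only sound at the edge, where the router knows exactly which prefixes can legitimately appear behind each interface; a core router sees traffic from the whole Internet on every link and has nothing to compare against, which is why the text says a spoofed packet past the border is effectively untraceable. Multihomed customers are the usual operational exception: a packet may legitimately arrive on a link whose prefix list does not contain its source, so the allowed prefixes per interface must be maintained, not derived from the routing table alone.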

From the victim's point of view, outages on routers, firewalls, or servers appear instantly as thousands of compromised systems all over the world start attacking. The symptoms are unavailability of routers, firewalls, or servers, and traffic simply stops flowing between systems and the Internet. On closer inspection it may turn out that one or more targeted systems are being overloaded by the small fraction of the traffic that actually gets delivered, but the failures extend much further back along the path.

Analyzing the traffic of a dDoS attack provides little useful information. A capture of the attack packets continuously arriving at the target shows the correct destination address and a random number as the source address; there is no trace of the compromised hosts conducting the attack. The only other information available is the low-level hardware (MAC) address of the last router that forwarded the packet, and those addresses are only meaningful for delivery within a LAN. So it can be determined which router passed the packets last, but nothing more. Identifying that router may identify the Internet carrier that handed the traffic to the target site, but the next step is to capture another packet on the far side of that router and determine where it came from. Each step of the trace back toward a compromised system must be repeated at every network interchange crossed (15 or more on average).
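The one thing a capture does reveal is the signature just described: a flood whose source addresses are random numbers looks very different from legitimate traffic. The following is an added example, written for this page and not Melior's code, that runs that observation as detection logic over constructed flow records. Per destination it counts packets, distinct sources, the fraction of sources seen exactly once, and the fraction of sources that fall in reserved address space (random 32-bit values land there about one time in seven, real clients never do). The sample data, thresholds and address ranges are constructed assumptions.

```python
# Added example, not Melior's code: flag a flood with randomised source addresses
# in (src, dst) flow records. Records, thresholds and ranges are constructed here.
import ipaddress
import random
from collections import Counter, defaultdict

MIN_PACKETS = 500          # ignore destinations with little traffic in the window
SINGLETON_THRESHOLD = 0.9  # fraction of sources seen exactly once

RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def is_reserved(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RESERVED)


def summarize(records) -> dict:
    """records: iterable of (src_ip, dst_ip). Returns per-destination statistics."""
    by_dst = defaultdict(Counter)
    for src, dst in records:
        by_dst[dst][src] += 1
    out = {}
    for dst, sources in by_dst.items():
        packets = sum(sources.values())
        unique = len(sources)
        singletons = sum(1 for n in sources.values() if n == 1)
        reserved = sum(n for s, n in sources.items() if is_reserved(s))
        stats = {
            "packets": packets,
            "unique_sources": unique,
            "singleton_ratio": singletons / unique,
            "reserved_fraction": reserved / packets,
        }
        stats["suspected_random_source_flood"] = (
            packets >= MIN_PACKETS
            and stats["singleton_ratio"] >= SINGLETON_THRESHOLD)
        out[dst] = stats
    return out


def build_records(seed=2024, normal_packets=300, attack_packets=2000):
    """Constructed sample: ten repeat clients talking to one server, plus a flood
    toward a second host whose sources are uniform random 32-bit values."""
    rng = random.Random(seed)
    records = []
    clients = [f"203.0.113.{i}" for i in range(10, 20)]
    for i in range(normal_packets):
        records.append((clients[i % len(clients)], "198.51.100.10"))
    for _ in range(attack_packets):
        src = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        records.append((src, "198.51.100.20"))
    rng.shuffle(records)
    return records


def flagged_destinations(records) -> list:
    """Destinations whose traffic matches the random-source flood signature."""
    return sorted(d for d, s in summarize(records).items()
                  if s["suspected_random_source_flood"])


if __name__ == "__main__":
    for dst, s in summarize(build_records()).items():
        print(dst, s)
```

A high singleton ratio alone is not proof: a popular site legitimately sees thousands of one-off clients per window, so the reserved-source fraction and the packet rate are what separate a spoofed flood from a busy day. The same statistics computed on SYN-ACK and RST packets arriving at an unused prefix are the backscatter method mentioned earlier, seen from the other side: there the "random sources" are the victims replying to addresses nobody uses.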

Every time the back-trace crosses an administrative boundary (between the target and its Internet provider, between that provider and the next backbone provider on the path, and so on back to the compromised machine), the help of another team of administrators is needed to collect the trace data and carry the trace further back. Each trace typically takes several hours to complete.

This manual trace-back has to be repeated for each of the thousands of compromised machines participating in the attack, which makes a complete trace practically impossible.

Depending on the duration of the attack, it is unlikely that more than a few of the thousands of machines used will be found; the rest remain available for further attacks. And the compromised machines that are identified contain no evidence that can locate or identify the original attacker: the trace ends at the compromised system.

Many computing systems and programs come with inherent weaknesses that can be exploited to turn them into dDoS attack systems. Examples include the network of 180,000 Internet Relay Chat (IRC) client systems, the SETI@home clients, and the millions of computers exposed to Visual Basic Script (VBS) exploits; a compromise of the software agent converts all of these machines into dDoS agents.
 



© Copyright 1987 - 2006 Melior, Inc. - CyberWarfare Defense
Trademarks, service marks, copyrights, and patent-pending protection are effective in WTO countries.