Chapter 7. Networking Protocols and Threats
This chapter covers the following subjects:
Ports and Protocols: In this section, you learn the ports and their associated protocols you need to know for the exam and how to secure those ports. Sometimes the port needs to be closed; sometimes it needs to remain open. Once you understand if the port is necessary, you can decide whether to lock it down or to keep it ajar in a secure manner.
Malicious Attacks: This section covers the basics about network attacks and how to defend against them. Study this section carefully; the CompTIA Security+ exam is bound to ask you several questions about these concepts.
Making client connections to servers means that the servers need to have open ports to facilitate their services. However, every open port is a vulnerability. It’s important to know the common protocols used by servers and their respective ports and how to protect against threats that might try to exploit those server ports.
The threats are many. Malicious attacks such as denial-of-service attacks, man-in-the-middle attacks, replay attacks, and session hijacking can all be devastating to individual computers and to entire networks. But once you have built a decent knowledge of ports and protocols, you can use that intelligence to better protect your servers and network against the plethora of attacks you will face.
One thing to remember is that there are always new network attacks being developed, and many that currently exist, but are unknown. Therefore, this chapter is incomplete in the sense that once it is written, it is out of date. Keep this in mind, and remember to always keep on top of your security bulletins, Common Vulnerabilities and Exposures (CVEs), and security updates.
Foundation Topics
Ports and Protocols
I can’t stress enough how important it is to secure a host’s ports and protocols. They are the doorways into an operating system. Think about it: An open doorway is a plain and simple invitation for disaster. And that disaster could be caused by one of many different types of malicious network attacks. The security administrator must be ever vigilant in monitoring, auditing, and implementing updated defense mechanisms to combat malicious attacks. Understanding ports and protocols is the first step in this endeavor.
Port Ranges, Inbound Versus Outbound, and Common Ports
Although some readers of this book will be familiar with ports used by the network adapter and operating system, a review of them is necessary because they play a big role in securing hosts and will most definitely appear on the exam in some way, shape, or form.
Ports act as logical communication endpoints for computers. Each protocol uses a specific port; for example, HTTP uses port 80 by default. These ports are ultimately controlled on the transport layer of the OSI model by protocols such as the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is used for guaranteed, connection-oriented sessions such as the initial connection to a web page, and UDP is used for connectionless sessions such as the streaming of data. There are 65,536 ports altogether, numbering between 0 and 65,535. The ports are divided into categories, as shown in Table 7-1.
| Port Range | Category Type | Description |
| 0–1023 | Well-Known Ports | This range defines commonly used protocols; for example, HTTP uses port 80. They are designated by the IANA (Internet Assigned Numbers Authority), which is operated by the ICANN (Internet Corporation for Assigned Names and Numbers). |
| 1024–49,151 | Registered Ports | Ports used by vendors for proprietary applications. These must be registered with the IANA. For example, Microsoft registered port 3389 for use with the Remote Desktop Protocol (RDP), also known as Remote Desktop Connection. |
| 49,152–65,535 | Dynamic and Private Ports | These ports can be used by applications but cannot be registered by vendors. |
You need to understand the difference between inbound and outbound ports as described in the following two bullets and as illustrated in Figure 7-1.
Inbound ports: Used when another computer wants to connect to a service or application running on your computer. Servers primarily use inbound ports so that they can accept incoming connections and serve data. For example, in Figure 7-1, the server with the IP address 66.102.1.100 has inbound port 80 open to accept incoming web page requests.
Outbound ports: Used when your computer wants to connect to a service or application running on another computer. Client computers primarily use outbound ports that are assigned dynamically by the operating system. For example, in Figure 7-1, the client computer with the IP address 172.30.250.3 has outbound port 3266 open to make a web page request to the server.
Note
For a refresher about TCP, UDP, and ports, see the short 5-minute video at the following link: http://www.davidlprowse.com/articles/?p=911.
It’s the inbound ports that a security administrator should be most concerned with. Web servers, FTP servers, database servers, and so on have specific inbound ports opened to the public. Any other unnecessary ports should be closed, and any open ports should be protected and monitored carefully. Although there are 1,024 well-known ports, for the exam you need to know only a handful of them, plus some that are beyond 1,024, as shown in Table 7-2. Remember that these inbound port numbers relate to the applications, services, and protocols that run on a computer, often a server. When it comes to the OSI model, the bulk of these protocols are application layer protocols. Examples of these protocols include HTTP, FTP, SMTP, SSH, DHCP, and POP3, and there are many more. Because these are known as application layer protocols, their associated ports are known as application service ports. The bulk of Table 7-2 is composed of application service ports. Some of the protocols listed make use of TCP transport layer connections only (for example, HTTP, port 80). Some make use of UDP only (for example, SNMP, port 161). Many can use TCP or UDP transport mechanisms. Note that some have secure versions listed as well. Study Table 7-2 carefully now, bookmark it, and refer to it often!
Table 7-2 Ports and Their Associated Protocols
| Port Number | Associated Protocol (or Keyword) | TCP/UDP Usage | Secure Version and Port | Usage |
| 21 | FTP | TCP | FTPS, port 989/990 | Transfers files from host to host. |
| 22 | SSH | TCP or UDP | Secure Shell: Remotely administers network devices and systems. Also used by Secure Copy (SCP) and Secure FTP (SFTP). | |
| 23 | Telnet | TCP or UDP | Remotely administers network devices (deprecated). | |
| 25 | SMTP | TCP | SMTP with SSL/TLS, port 465 or 587 | Sends e-mail. |
| 49 | TACACS+ | TCP | Remote authentication. Can also use UDP, but TCP is the default. Compare with RADIUS. |
|
| 53 | DNS | TCP or UDP | DNSSEC | Resolves hostnames to IP addresses and vice versa. |
| 69 | TFTP | UDP | Basic version of FTP. | |
| 80 | HTTP | TCP | HTTPS (uses SSL/TLS), port 443 | Transmits web page data. |
| 88 | Kerberos | TCP or UDP | Network authentication, uses tickets. | |
| 110 | POP3 | TCP | POP3 with SSL/TLS, port 995 | Receives e-mail. |
| 119 | NNTP | TCP | Transports Usenet articles. | |
| 135 | RPC/epmap/dcom-scm | TCP or UDP | Used to locate DCOM ports. Also known as RPC (Remote Procedure Call). | |
| 137–139 | NetBIOS | TCP or UDP | Name querying, sending data, NetBIOS connections. | |
| 143 | IMAP | TCP | IMAP4 with SSL/TLS, port 993 | Retrieval of e-mail, with advantages over POP3. |
| 161 | SNMP | UDP | Remotely monitor network devices. | |
| 162 | SNMPTRAP | TCP or UDP | Traps and InformRequests are sent to the SNMP Manager on this port. | |
| 389 | LDAP | TCP or UDP | LDAP over SSL/TLS, port 636 | Maintains directories of users and other objects. |
| 445 | SMB | TCP | Provides shared access to files and other resources. | |
| 514 | Syslog | UDP | Used for computer message logging, especially for router and firewall logs. A secure version (Syslog over TLS) uses TCP as the transport mechanism and port 6514. |
|
| 860 | iSCSI | TCP | IP-based protocol used for linking data storage facilities. Also uses port 3260 for the iSCSI target. |
|
| 1433 | Ms-sql-s | TCP | Opens queries to Microsoft SQL server. | |
| 1701 | L2TP | UDP | VPN protocol with no inherent security. Often used with IPsec. | |
| 1723 | PPTP | TCP or UDP | VPN protocol with built-in security. | |
| 1812/1813 | RADIUS | UDP | An AAA protocol used for authentication (port 1812), authorization, and accounting (port 1813) of users. Also, ports 1645 and 1646. |
|
| 3225 | FCIP | TCP or UDP | Encapsulates Fibre Channel frames within TCP/IP packets. Contrast with Fibre Channel over Ethernet (FCoE), which relies on the data link layer and doesn’t rely on TCP/IP directly. |
|
| 3389 | RDP | TCP or UDP | Remotely views and controls other Windows systems. | |
| 3868 | Diameter | TCP (or SCTP) | An AAA protocol; can replace the RADIUS protocol. |
Note
You can find a complete list of ports and their corresponding protocols at the following link: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.
Note
Not all protocols have set port numbers. For example, the Real-time Transport Protocol (RTP) and Secure RTP (SRTP) use a pair of port numbers determined by the application that is streaming the audio and video information via RTP. They are selected from a broad range of ports (between 16384 and 32767).
The IP address of a computer and the port number it is sending or receiving on are combined together to form a network socket address. An example of this would be 66.102.1.100:80. That is illustrated by the IP address of the server in Figure 7-1 and the inbound port number accepting a connection from the client computer. Notice that when they are written, the two are separated by a colon. The IP address precedes the colon and the port number follows it.
Figure 7-2 illustrates a few more examples of this within a Windows client computer. It shows some of the results of a netstat -an command after FTP, WWW, and mail connections were made by the client to two separate servers. Examine Figure 7-2 and then read on.
The first callout in Figure 7-2 is the initial FTP connection. This happens when a user first connects to an FTP server with FTP client software. Notice that the local computer has the IP address 10.254.254.205 and uses the dynamically assigned outbound port 55768 to connect to the FTP server. The remote computer, on the other hand, has the IP address 216.97.236.245 and uses inbound port 21 (known as a command port) to accept the connection. Keep in mind that this is only the initial connection and login to the FTP server. Subsequent data connections are normally done on the server side via dynamically assigned ports. For example, the second callout, FTP Data Connection, occurred when the client downloaded a file. It is a separate session in which the client used the dynamically assigned port number 55769. In reality, this isn’t quite dynamic anymore; the client operating system is simply selecting the next port number available. Afterward, a subsequent and concurrent download would probably use port 55770. The server, on the other hand, used the dynamically assigned port number 31290.
Many FTP servers randomly select a different inbound port to use for each data connection to increase security. However, some active FTP connections still use the original port 20 for data connections, which is not as secure, not only because it is well known, but also because it is static. To secure FTP communications, consider using software that enables dynamically assigned ports during data transfers; for example, Pure-FTPd (https://www.pureftpd.org/project/pure-ftpd) on the server side and FileZilla (https://filezilla-project.org/) on the client side. If your FTP server enables it, you can also consider IPv6 connections, and as always, be sure to use strong, complex passwords. (I don’t mean to sound like a broken record!)
The third callout in Figure 7-2 shows an HTTP connection. Note that this is being made to a different server (208.80.152.118) and uses port 80. And finally, the fourth callout shows a POP3 connection that was previously made to the same server IP as the FTP connection, but note that the port number reflects POP3—it shows port number 110. Always be mindful of securing connections; if you were making an encrypted POP3 connection using SSL/TLS, then the port number used would most likely be port 995.
These are just a few examples of many that occur between clients and servers all the time. Try making some connections to various servers from your client computer and view those sessions in the command-line.
Aside from servers, ports also become particularly important on router/firewall devices. These devices operate on the implicit deny concept, which means they deny all traffic unless a rule is made to open the port associated with the type of traffic desired to be let through. We talk more about firewalls in Chapter 8, “Network Perimeter Security.”
You need to scan your servers, routers, and firewall devices to discern which ports are open. This can be done with the aforementioned netstat command, with an application such as Nmap (https://nmap.org/), or with an online scanner from a website. The most effective way is with an actual scanning application, which we show in depth in Chapter 12, “Vulnerability and Risk Assessment.”
Afterward, unnecessary ports should be closed. This can be done in a few ways:
Within the operating system GUI: For example, in Windows, open the Computer Management console. Then go to Services and Applications > Services. Right-click the appropriate service and select Properties. From here the service can be stopped and disabled.
Within the CLI: For example, a service can be stopped in Windows by using the net stop service command, or with the sudo stop service command in Linux. (More about stopping services can be found in Chapter 4, “OS Hardening and Virtualization.”)
Within a firewall: Simply setting up a firewall normally closes and shields all ports by default. But you might have a service that was used previously on a server, and therefore a rule might have been created on the firewall to enable traffic on that port. Within the firewall software, the rule can be deleted, disabled, or modified as needed. In general, network firewalls protect all the computers on the network, so this is where you would normally go to close particular ports.
Unnecessary ports also include ports associated with nonessential protocols. For example, TFTP (port 69) is usually considered a nonessential protocol, as is Finger (port 79). Telnet (port 23) is insecure and as such is also considered nonessential. However, the list of nonessential protocols differs from one organization to the next. Always rescan the host to make sure that the ports are indeed closed. Then, make the necessary changes in documentation. Depending on company policy, you might need to follow change management procedures before making modifications to ports and services. For more information on this type of documentation and procedures, see Chapter 18, “Policies and Procedures.”
Note
In some cases, you might find that a particular network interface is used either very infrequently or not at all. In these scenarios it is smart to consider disabling the entire interface altogether, either from the properties of the network adapter, in the Device Manager, or in the command-line of the OS in question. When the network adapter is disabled, all ports are effectively closed.
Protocols That Can Cause Anxiety on the Exam
Unfortunately, a lot of the protocols look similar, behave similarly, and can be downright confusing. Let’s discuss a few of the more difficult ones and try to dispel some of the confusion. We start with FTP and its derivatives.
You know about the FTP protocol and what it does. You probably also know that FTP can be inherently insecure. There are several ways to make FTP sessions more secure. We mentioned previously that you can use FTP software that randomizes which ports are selected to transfer each file. You can also select passive mode instead of active mode (most FTP clients default to passive). The difference is that in passive mode the server is required to open ports for incoming traffic, and in active mode both the server and the client open ports. Then, you could use an FTP protocol that is secured through encryption. Two examples are Secure FTP (SFTP) and FTP Secure (FTPS). SFTP uses SSH port 22 to make connections to other systems. Because of this it is also known as SSH FTP. However, FTPS works with SSL or TLS, and (in implicit mode) it uses ports 990 (control port) and 989 (data port) to make secure connections and send data, respectively. FTPS can work in two modes: explicit mode and the previously mentioned implicit mode. In explicit mode, the FTPS client must explicitly request security from an FTPS server and then mutually agree on the type of encryption to be used. In implicit mode, there is no negotiation, and the client is expected to already know the type of encryption used by the server. In general, implicit mode is considered to be more secure than explicit mode.
So, in summary, regular FTP uses port 21 as the control port by default, and possibly port 20 to do data transfers—or (and more likely), it uses random ports for data transfers, if the software allows it. SFTP uses port 22. FTPS uses port 990 to make connections, and port 989 to transfer data by default. TFTP (which is not really secure) uses port 69.
On a separate note, another file transfer program, Secure Copy (SCP), is an example of a protocol that uses an additional protocol (and its corresponding port) for security. It uses SSH, and ultimately uses port 22 to transfer data.
All those acronyms can be difficult to keep straight at times. Hopefully this section alleviates some of the confusion. For more help, be sure to memorize Table 7-2 to the best of your ability for the exam, and don’t be afraid to ask me questions on my website!
Malicious Attacks
There are many types of malicious network attacks. We’ve mentioned some of these attacks in the preceding chapters as they relate to secure computing, but in this section we will better define them. Some attacks are similar to others, making it difficult to differentiate between them. Because of this, I’ve listed simple definitions and examples of each, plus mitigating techniques, and summarized them at the end of this section.
DoS
Denial-of-service (DoS) is a broad term given to many different types of network attacks that attempt to make computer resources unavailable. Generally, this is done to servers but could also be perpetuated against routers and other hosts. DoS attacks can be implemented in several ways, as listed here:
Flood attack: An attacker sends many packets to a single server or other host in an attempt to disable it. There are a few ways to accomplish this, including:
Ping flood: Also known as an ICMP flood attack, this is when an attacker attempts to send many ICMP echo request packets (pings) to a host in an attempt to use up all available bandwidth. This works only if the attacker has more bandwidth available than the target. To deter this attack, configure the system not to respond to ICMP echoes. You might have noticed that several years ago, you could ping large companies’ websites and get replies. But after ping floods became prevalent, a lot of these companies disabled ICMP echo replies. For example, try opening the command prompt and typing ping microsoft.com (Internet connection required). It should result in Request Timed Out, which tells you that Microsoft has disabled this.
Smurf attack: Also sends large amounts of ICMP echoes, but this particular attack goes a bit further. The attacking computer broadcasts the ICMP echo requests to every computer on its network or subnetwork. In addition, in the header of the ICMP echo requests will be a spoofed IP address. That IP address is the target of the Smurf attack. Every computer that replies to the ICMP echo requests will do so to the spoofed IP. Don’t forget that the original attack was broadcast, so, the more systems on the network (or subnetwork), the more echo replies that are sent to the target computer. There are several defenses for this attack, including configuring hosts not to respond to pings or ICMP echoes, configuring routers not to forward packets directed to broadcast addresses, implementing subnetting with smaller subnetworks, and employing network ingress filtering in an attempt to drop packets that contain forged or spoofed IP addresses (especially addresses on other networks). These defenses have enabled most network administrators to make their networks immune to Smurf and other ICMP-based attacks. The attack can be automated and modified using the exploit code known as Smurf.c.
Fraggle: Similar to the Smurf attack, but the traffic sent is UDP echoes. The traffic is directed to port 7 (Echo) and port 19 (CHARGEN). To protect against this attack, again, configure routers not to forward packets directed to broadcast addresses, employ network filtering, and disable ports 7 and 19. These ports are not normally used in most networks. The attack can be automated and modified using the exploit code known as Fraggle.c.
Note
A similar attack is known as a UDP flood attack, which also uses the connectionless User Datagram Protocol. It is enticing to attackers because it does not require a synchronization process.
SYN flood: Also known as a SYN attack, it occurs when an attacker sends a large amount of SYN request packets to a server in an attempt to deny service. Remember that in the TCP three-way handshake, a synchronization (SYN) packet is sent from the client to the server, then a SYN/ACK packet is sent from the server to the client, and finally, an acknowledgment (ACK) packet is sent from the client to the server. Attackers attempting a SYN flood either simply skip sending the ACK or spoof the source IP address in the original SYN. Either way, the server will never receive the final ACK packet. This ends up being a half-open connection. By doing this multiple times, an attacker seeks to use up all connection-oriented resources so that no real connections can be made. Some ways to defend against this include implementing flood guards (which can be implemented on some firewalls and other devices, otherwise known as attack guards), recycling half-open connections after a predetermined amount of time, and using intrusion detection systems (IDSs) to detect the attack. You can find more information about IDSs in Chapter 8 and more information about SYN flood attacks and mitigation techniques at the following link: https://tools.ietf.org/html/rfc4987.
Xmas attack: Also known as the Christmas Tree attack or TCP Xmas Scan attack, it can deny service to routers and other devices, or simply cause them to reboot. It is based on the Christmas Tree packet, which can be generated by a variety of programs; for example, Nmap can be used (with the -sX parameter) to produce this scanning packet. This type of packet has the FIN, PSH, and URG flags set, which gives a “Christmas Tree” appearance when viewing the flags in a network sniffer. If the packet is sent many times in a short period of time, it could possibly result in a DoS (which is why I placed this attack in the DoS flood section). But most routers and other devices today will block this type of packet, as it is a well-known attack. Otherwise, an IDS/IPS solution (if in place) can detect the packet and/or prevent the packet from denying service to a router or other device.
Ping of Death: POD is an attack that sends an oversized and malformed packet to another computer. It is an older attack; most computer operating systems today will not be affected by it, and most firewalls will block it before it enters a network. It entails sending a packet that is larger than 65,535 bytes in length, which according to RFC 791 is the largest size packet that can be used on a TCP/IP network without fragmentation. It should be noted that, normally, the maximum transmission unit (MTU) size of an Ethernet frame is 1500 bytes, and slightly less for the encapsulated TCP/IP packet. Going beyond this requires special means. Now, if a packet is sent that is larger than 65,535 bytes, it might overflow the target system’s memory buffers, which can cause several types of problems, including system crashes. Windows computers do not allow ping sizes beyond 65,500 bytes. For example, ping destination -l 65500 will work, but ping destination -l 66000 will not work. However, on some systems, this maximum limitation can be hacked in the Registry, and there are also third-party applications that can send these “larger than life” packets. To protect against this type of attack, configure hosts not to respond to pings or ICMP echoes, make sure that operating systems run the latest service packs and updates, update the firmware on any hardware-based firewalls, and update any software-based firewalls as well. POD can be combined with a ping flood, but because most firewalls will block one or more PODs, it doesn’t make much sense to attempt the attack, so most attackers opt for some other sort of packet flooding nowadays. This was one of the first DoS attacks. It and other attacks such as Nuke and WinNuke are considered by the security community to be deprecated.
Teardrop attack: Sends mangled IP fragments with overlapping and oversized payloads to the target machine. This can crash and reboot various operating systems due to a bug in their TCP/IP fragmentation reassembly code. For example, some older versions of Windows are particularly susceptible to teardrop attacks. Linux and Windows systems should be upgraded to protect from this attack. There are also software downloads available on the Internet for teardrop detection.
Permanent DoS attack: Generally consists of an attacker exploiting security flaws in routers and other networking hardware by flashing the firmware of the device and replacing it with a modified image. This is also known as phlashing, or PDoS.
Fork bomb: Works by quickly creating a large number of processes to saturate the available processing space in the computer’s operating system. Running processes can be “forked” to create other running processes, and so on. They are not considered viruses or worms but are known as “rabbit malware,” “wabbits,” or “bacteria” because they might self-replicate but do not infect programs or use the network to spread. They are still considered DoS attacks though, due to their ability to stop a system from functioning.
There are other types of DoS attacks, but that should suffice for now. Keep in mind that new DoS attacks are always being dreamed up (and implemented), so as a security administrator, you need to be ready for new attacks and prepared to exercise new mitigation techniques.
DDoS
A distributed denial-of-service (DDoS) attack is when a group of compromised systems attacks a single target, causing a DoS to occur at that host. A DDoS attack often utilizes a botnet—which is a large group of computers known as robots or simply “bots.” Often, these are systems owned by unsuspecting users. The computers in the botnet that act as attackers are known as zombies. An attacker starts the DDoS attack by exploiting a single vulnerability in a computer system and making that computer the zombie master, or DDoS master. The master system communicates with the other systems in the botnet. The attacker often loads malicious software on many computers (zombies). The attacker can launch a flood of attacks by all zombies in the botnet with a single command. DDoS attacks and botnets are often associated with exploit kits (such as the Blackhole kit) and ransomware.
DoS and DDoS attacks are difficult to defend against. Other than the methods mentioned previously in the DoS section, these attacks can be prevented to some extent by updated stateful firewalls, switches, and routers with access control lists, intrusion prevention systems (IPSs), and proactive testing. Several companies offer products that simulate DoS and DDoS attacks. By creating a test server and assessing its vulnerabilities with simulated DoS tests, you can find holes in the security of your server before you take it live. A quick web search for “DoS testing” shows a few of these simulation test companies. An organization could also opt for a “clean pipe,” which attempts to weed out DDoS attacks, among other attacks. This solution is offered as a service by Verisign and other companies. Manual protection of servers can be a difficult task; to implement proper DDoS mitigation, your organization might want to consider anti-DDoS technology and emergency response from an outside source or from the organization’s cloud-based provider. Finally, if you do realize that a DDoS attack is being carried out on your network, call your ISP and request that this traffic be redirected.
One specific type of DDoS is the DNS amplification attack. Amplification attacks generate a high volume of packets ultimately intended to flood a target website. In the case of a DNS amplification attack, the attacker initiates DNS requests with a spoofed source IP address. The attacker relies on reflection; responses are not sent back to the attacker, but are instead sent “back” to the victim server. Because the DNS response is larger than the DNS request (usually), it amplifies the amount of data being passed to the victim. An attacker can use a small number of systems with little bandwidth to create a sizable attack. However, a DNS amplification attack can also be accomplished with the aid of a botnet, which has proven to be devastating to sections of the Internet during the period when the attack was carried out.
The primary way of preventing this attack is to block spoofed source packets. It can also be prevented by blocking specific DNS servers, blocking open recursive relay servers, rate limiting, and updating one’s own DNS server(s) often. Finally, make use of the Domain Name System Security Extensions (DNSSEC), which are specifications that provide for origin authentication and data integrity.
Note
Smurf and Fraggle are also examples of amplification attacks.
Sinkholes and Blackholes
To combat DoS and DDoS attacks, security admins have the option to employ or make use of sinkholes, blackholes, and blackhole lists. A DNS sinkhole is a DNS server that can be configured to hand out false information to bots, and can detect and block malicious traffic by redirecting it to nonroutable addresses. However, the sinkhole can also be used maliciously to redirect unwary users to unwanted IP addresses and domains. A DNS blackhole is similar; it can be used to identify domains used by spammers, domains that contain malware, and so on, and block traffic to those domains. It can also be remotely triggered (known as a RTBH). A DNS blackhole list (DNSBL) is a published list of IP addresses within DNS that contains the addresses of computers and networks involved in spamming and other malicious activity such as DDoS attacks initiated by botnets. The list can be downloaded and used on an organization’s DNS server to help block zombie computers and botnets.
Spoofing
A spoofing attack is when an attacker masquerades as another person by falsifying information. There are several types of spoofing attacks. The man-in-the-middle attack is not only a form of session hijacking (which we discuss in the next section), but it is also considered spoofing. Internet protocols and their associated applications can also be spoofed, especially if the protocols were poorly programmed in the first place. Web pages can also be spoofed in an attempt to fool users into thinking they are logging in to a trusted website; this is known as URL spoofing and is used when attackers are fraudulently phishing for information such as usernames, passwords, credit card information, and identities. Phishing can also be done through a false e-mail that looks like it comes from a valid source. Often, this is combined with e-mail address spoofing, which hides or disguises the sender information. Defending against these types of spoofing attacks is difficult, but by carefully selecting and updating applications that your organization uses, and through user awareness, spoofing can be held down to a minimum and when necessary ignored.
Note
A Uniform Resource Locator (URL) is a type of Uniform Resource Identifier (URI). URIs are strings of characters that are used to identify a resource—for example, a pointer to a file. The URL is the most well-known type of URI, so it is commonly spoofed, but any other type of URI can be spoofed as well.
Just about anything can be spoofed if enough work is put into it, and IP addresses are no exception. IP address spoofing is when IP packets are created with a forged source IP address in the header. This conceals where the packets originated from. Packet filtering and sessions that repeat authentication can defend against this type of spoofing. Also, updating operating systems and firmware and using newer operating systems and network devices helps to mitigate risks involved with IP spoofing. IP spoofing is commonly used in DoS attacks, as mentioned earlier, and is also common in TCP/IP hijacking, which we discuss more in the next section. MAC addresses can also be spoofed. MAC addresses are usually unique, which helps to identify a particular system. This is the best type of address to use to identify a malicious insider or other attacker, because it is more difficult to modify than an IP address. However, there are methods for attackers to change the MAC address of a network adapter (or mask it) so that the system cannot be identified properly.
A World Wide Name (WWN) can be spoofed too. World Wide Names (and their derivatives, pWWN and nWWN) are unique identifiers for SAS, ATA, and Fibre Channel equipment that are common to storage area networks (SANs). It’s not really a name, but a hexadecimal address that includes a 3-byte vendor identifier and a 3-byte vendor-specified serial number. An attacker that is masquerading as an authorized WWN can be prevented by challenging the attacker to give unique information only known to an authorized user or device. For a user, this might be information that corresponds to a password. For devices, a secret is associated with the WWN of the port on the SAN switch. Proper authentication is also beneficial when combating these types of spoof attacks.
Session Hijacking
Session hijacking is the exploitation of a computer session in an attempt to gain unauthorized access to data, services, or other resources on a computer. A few types of session hijacks can occur:
Session theft: Can be accomplished by making use of packet header manipulation (see Chapter 5, “Application Security”) or by stealing a cookie from the client computer, which authenticates the client computer to a server. This is done at the application layer, and the cookies involved are often based off their corresponding web applications (such as WWW sessions). This can be combated by using encryption and long random numbers for the session key, and regeneration of the session after a successful login. The Challenge Handshake Authentication Protocol (CHAP) can also be employed to require clients to periodically re-authenticate. However, session hijacking can also occur at the network layer—for example, TCP/IP hijacking.
TCP/IP hijacking: A common type of session hijacking, due to its popularity among attackers. It is when an attacker takes over a TCP session between two computers without the need of a cookie or any other type of host access. Because most communications’ authentication occurs only at the beginning of a standard TCP session, an attacker can attempt to gain access to a client computer anytime after the session begins. One way would be to spoof the client computer’s IP address, then find out what was the last packet sequence number sent to the server, and then inject data into the session before the client sends another packet of information to the server. Remember the three-way handshake that occurs at the beginning of a session; this is the only authentication that occurs during the session. A synchronization (SYN) packet is sent by the client to the server, then a SYN/ACK packet is sent by the server to the client, and finally, an acknowledgment (ACK) packet is sent by the client to the server. An attacker can jump in anytime after this process and attempt to steal the session by injecting data into the data stream. This is the more difficult part; the attacker might need to perform a DoS attack on the client to stop it from sending any more packets so that the packet sequence number doesn’t increase. In contrast, UDP sessions are easier to hijack because no packet sequence numbers exist. Targets for this type of attack include online games and also DNS queries. To mitigate the risk of TCP/IP hijacking, employ encrypted transport protocols such as SSL, IPsec, and SSH. For more information about these encryption protocols, see Chapter 15, “PKI and Encryption Protocols.”
Blind hijacking: When an attacker blindly injects data into a data stream without being able to see whether the injection was successful. The attacker could be attempting to create a new administrator account or gain access to one.
Clickjacking: When a user browsing the web is tricked into clicking something different than what the user thought he or she was clicking. It is usually implemented as a concealed link—embedded code or a script on a website that executes when the user clicks that element. For example, a Flash script—when clicked—could cause the user’s webcam to turn on without the user’s consent. The user is often redirected to the website from a malicious source. This can be prevented by updating the user’s web browser and using third-party add-ons that watch for clickjacking code or scripts. On the server side, web page frames (such as iframes) must be managed carefully. There are JavaScript-based snippets that can be added and content security policies that can be configured to help manage frames.
Man-in-the-middle (MITM): These attacks intercept all data between a client and a server. It is a type of active interception. If successful, all communications now go through the MITM attacking computer. The attacking computer can at this point modify the data, insert code, and send it to the receiving computer. This type of eavesdropping is only successful when the attacker can properly impersonate each endpoint. Cryptographic protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS) address MITM attacks by using a mutually trusted third-party certification authority (CA). These public key infrastructures (PKIs) should use strong mutual authentication such as secret keys and strong passwords. For more information about PKI, see Chapter 15.
Man-in-the-browser (MITB): Similar to MITM, this attack makes use of a Trojan (from a proxy location) that infects a vulnerable web browser and modifies web pages and online transactions, in an attempt to ultimately steal money or data. For example, a user might make an online banking transaction, and the user would see confirmation of the exact transaction, but on the banking side, a different amount might have been actually transferred, with some of it going to a different location altogether. This can be prevented by updating the web browser, using transaction verification (often third-party), and updating the anti-malware on the computer in question.
Watering hole attack: This targeted attack is when an attacker profiles the websites that the intended victim accesses. The attacker then scans those websites for possible vulnerabilities. If the attacker locates a website that can be compromised, the website is then injected with a JavaScript or other similar code injection that is designed to redirect the user when the user returns to that site (also known as a pivot attack). The user is then redirected to a site with some sort of exploit code...and the rest is, well, history. The purpose is to infect computers in the organization’s network, thereby allowing the attacker to gain a foothold in the network for espionage or other reasons. Watering hole attacks are often designed to profile users of specific organizations, and as such, an organization should develop policies to prevent these attacks. This can be done by updating anti-malware applications regularly, and by other security controls mentioned in Chapters 2 through 4, but also by using secure virtual browsers that have little connectivity to the rest of the system and the rest of the network. To avoid having a website compromised as part of this attack, the admin should use proper programming methods (discussed in Chapter 5) and scan the website for malware regularly.
On a semi-related note, cross-site scripting (XSS) is a type of vulnerability found in web applications that is used with session hijacking. The attacker manipulates a client computer into executing code that is considered trusted as if it came from the server the client was connected to. In this way, the attacker can acquire the client computer’s session cookie (enabling the attacker to steal sensitive information) or exploit the computer in other ways. See Chapter 5 for ways on how to prevent XSS.
Replay
A replay attack is a network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This differs from session hijacking in that the original session is simply intercepted and analyzed for later use. In a replay attack an attacker might use a packet sniffer to intercept data and retransmit it later. In this way, the attacker can impersonate the entity that originally sent the data. For example, if customers were to log in to a banking website with their credentials while an attacker was watching, the attacker could possibly sniff out the packets that include the usernames and passwords and then possibly connect with those credentials later on. Of course, if the bank uses SSL or TLS to secure login sessions, then the attacker would have to decrypt the data as well, which could prove more difficult. An organization can defend against this attack in several ways. The first is to use session tokens that are transmitted to people the first time they attempt to connect, and identify them subsequently. They are handed out randomly so that attackers cannot guess at token numbers. The second way is to implement timestamping and synchronization as in a Kerberos environment. A third way would be to use a timestamped nonce, a random number issued by an authentication protocol that can be used only one time. We talk more about SSL, TLS, Kerberos, and other cryptographic solutions in Chapter 15. You can also implement CHAP-based authentication protocols to provide protection against replay attacks.
Note
A replay attack should not be confused with SMTP relay, which is when one server forwards e-mail to other e-mail servers.
Null Sessions
A null session is a connection to the Windows interprocess communications share (IPC$). The null session attack is a type of exploit that makes unauthenticated NetBIOS connections to a target computer. The attack uses ports 139 and 445, which are the NetBIOS session port and the Server Message Block (SMB) port, respectively. If successful, an attacker could find user IDs, share names, and various settings and could possibly gain access to files, folders, and other resources. An example of the initial code an attacker might use is
net use \IP addressipc$ "" /U: ""
Afterward, the attacker might use a program such as enum.exe or something similar to extract information from the remote computer, such as usernames. Finally, an attacker might use a brute-force attack in an attempt at cracking passwords and gaining more access.
To protect against this attack, computers should be updated as soon as possible. However, the best way to defend against this attack is to filter out traffic on ports 139 and 445 with a firewall or a host-based intrusion prevention system. When a firewall is enabled, ports 139 and 445 will not appear to exist.
Note
Command-line scripting in general can be used for legitimate and illegitimate purposes: The former by security administrators, and the latter by malicious insiders. Tools such as the Command Prompt, PowerShell, Windows Scripting Host, and the command-line in general, can all be used for malevolent purposes. To that effect, operating systems should be updated and patched often, and access to these programs should be secured by using permissions, UAC, and other similar tools.
Transitive Access and Client-Side Attacks
Transitive access is not really a specific attack, but a way or means of attacking a computer. It is based on the transitive property in mathematics, which states that whenever A is equal to B, and B is equal to C, then A is equal to C, summed up as
If A = B and B = C, then A = C
That’s just a piece of the transitive property, but you get the gist of it. What we are really dealing with here is trust. Does one computer on the LAN trust another? Can that trust be manipulated? For example, let’s say that computer C is a server that hosts a database. Now, let’s say that computer B is a client on the LAN that frequently accesses the database and is authorized to do so. This is all well and good, and is normal. However, add in the attacker, at computer A. If the attacker can somehow create a trusted environment between computer A and computer B, then by way of transitivity, the attacker can obtain a trust with computer C, and then the database can become compromised. Normally, the attacker at computer A cannot access the database at computer C. But by compromising computer B, the attacker can then launch a client-side attack, one that is coming from a computer on the LAN that would otherwise be harmless.
Trusting relationships are created between computers (and sometimes networks) to save time and to bypass authentication methods. It would seem like a good idea at first, but when you think of all the vulnerable operating systems and applications on client computers, each one of which is a possible opening for transitive access, it makes sense that nowadays the general rule is to have every client computer authenticated whenever any session is started to another computer (perhaps even twice!). Implementing this practice along with the use of firewalls, intrusion detection/prevention systems, and updates is the best way to prevent transitive access and client-side attacks. In many environments, the rule is that no one computer should trust any other by default, and if a computer needs to do so, it happens only temporarily, and in a secure fashion.
DNS Poisoning and Other DNS Attacks
DNS poisoning (or DNS cache poisoning) is the modification of name resolution information that should be in a DNS server’s cache. It is done to redirect client computers to incorrect websites. This can happen through improper software design, misconfiguration of name servers, and maliciously designed scenarios exploiting the traditionally open architecture of the DNS system. Let’s say a client wants to go to www.comptia.org. That client’s DNS server will have a cache of information about domain names and their corresponding IP addresses. If CompTIA’s site were visited in the recent past by any client accessing the DNS server, its domain name and IP should be in the DNS server’s cache. If the cache is poisoned, it could be modified in such a way to redirect requests for www.comptia.org to a different IP address and website. This other site could be a phishing site or could be malicious in some other way. This attack can be countered by using Transport Layer Security (TLS) and digital signatures or by using Secure DNS (DNSSEC), which uses encrypted electronic signatures when passing DNS information, and finally, by patching the DNS server. You might use a Transaction Signature (TSIG) to provide authentication for DNS database updates. This protocol uses shared secret keys and one-way hashing to provide security. One item of note: the hashing procedure might not be secure enough for your organization, so you may want to consider alternatives when updating DNS databases.
Unauthorized zone transfers are another bane to DNS servers. Zone transfers replicate the database that contains DNS data; they operate on top of TCP. If a zone transfer is initiated, say through a reconnaissance attack, server name and IP address information can be stolen, resulting in the attacker accessing various hosts by IP address. To defend against this, zone transfers should be restricted and audited in an attempt to eliminate unauthorized zone transfers and to identify anyone who tries to exploit the DNS server in this manner. Vigilant logging of the DNS server and the regular checking of DNS records can help detect unauthorized zone transfers.
A Windows computer’s hosts file can also be the victim of attack. The hosts file is used on a local computer to translate or resolve hostnames to IP addresses. This is the predecessor to DNS, and although the file is normally empty of entries, it is still read and parsed by Windows operating systems. Attackers may attempt to hijack the hosts file in an attempt to alter or poison it or to try to have the client bypass DNS altogether. The best defense for this is to modify the computer’s hosts file permissions to read-only. It is located at the following path: \%systemroot%System32driversetc.
If the file has already been hijacked, and you don’t use the file for any static entries, delete it, and Windows should re-create it automatically at the next system startup. If Windows does not, then a standard hosts file can be easily re-created by simply making a blank hosts.txt file and placing it in the path mentioned previously. The hosts file is used by some people as a security measure as well. This is done by adding entries that redirect known bad domains to other safe locations or the localhost. Generally, this is done in conjunction with disabling the DNS client service. However, in general, the DNS client service is required by the average Windows user.
Hosts files and vulnerable DNS software can also be victims of pharming attacks. Pharming is when an attacker redirects one website’s traffic to another website that is bogus and possibly malicious. Pharming can be prevented by carefully monitoring DNS configurations and hosts files. Unfortunately, if an ISP’s DNS server is compromised, that will be passed on to all the small office/home office routers that the ISP services. So, it becomes more important for end users to be conscious of pharming. They can prevent it by turning on phishing and pharming filters within the browser, and by being careful of which websites they access. Users can also check their local hosts files. By default, the file doesn’t have any entries, so if they see entries and have never modified the file themselves, they should either delete the entries or delete the file entirely.
Although it is less of an actual attack, domain name kiting (or simply domain kiting) is the process of deleting a domain name during the five-day grace period (known as the add grace period, or AGP) and immediately reregistering it for another five-day period. This process is repeated any number of times with the end result of having the domain registered without ever actually paying for it. It is a malicious attack on the entire Domain Name System by misusing the domain-tasting grace period. The result is that a legitimate company or organization often cannot secure the domain name of its choice.
As you can see, the DNS server can be the victim of many attacks due to its visibility on the Internet. It should be closely monitored at all times. Other highly visible servers such as web servers and mail servers should be likewise monitored, audited, and patched as soon as updates are available.
ARP Poisoning
The Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses. Any resolutions that occur over a set amount of time are stored in the ARP table. The ARP table can be poisoned or spoofed. ARP poisoning is an attack that exploits Ethernet networks, and it may enable an attacker to sniff frames of information, modify that information, or stop it from getting to its intended destination. The spoofed frames of data contain a false source MAC address, which deceives other devices on the network. The idea behind this is to associate the attacker’s MAC address with an IP address of another device, such as a default gateway or router, so that any traffic that would normally go to the gateway would end up at the attacker’s computer. The attacker could then perpetuate a man-in-the-middle attack, or a denial-of-service attack, in addition to MAC flooding. Some of the defenses for ARP poisoning include VLAN segregation/VLAN separation (creating multiple virtual LANs in an effort to thwart the attack), DHCP snooping, and an open source program called ArpON (http://arpon.sourceforge.net/).
Summary of Network Attacks
Table 7-3 summarizes important network attacks and mitigation techniques discussed in this chapter that you should know for the Security+ exam. Keep in mind that we covered some other device-oriented attacks in the previous chapter. Plus, there are always new attacks being invented. Keep abreast of the latest attacks and prevention methods.
Table 7-3 Summary of Important Network Attacks and Mitigation Techniques
Chapter Review Activities
Use the features in this section to study and review the topics in this chapter.
Chapter Summary
Just as cracks in a dam are vulnerabilities to anything standing in a nearby valley, open ports are vulnerabilities to computer networks. The teaming flood of network attacks is seemingly endless; and though new network attacks are constantly being devised, these threats have to be dealt with in a proactive manner.
All metaphors aside, this means you are required to have a thorough understanding of the many networking protocols in use today, and their corresponding port numbers. Knowledge of inbound ports is the most important because they correlate to the services that run on a server; these are the doorways that attackers use to access a system. Servers that run protocols such as HTTP, FTP, SMTP, and so on should be updated, hardened, and secured appropriately. Secure versions of these protocols should be implemented. Any nonessential protocols and services (such as the deprecated Telnet or, for instance, TFTP) should be stopped and disabled. This effectively closes the ports in question. Know it all! You should memorize the ports mentioned in this chapter because you will be scanning for open ports such as these in upcoming chapters. If there is ever confusion about a port or protocol, remember to access the IANA website for more information.
The whole point of reducing the attack surface of a system is so that malicious network attacks will have a more difficult time accessing that system. For example, let’s say you have a server running Microsoft Internet Information Services (IIS) and have a website running on it that uses HTTP, but you unknowingly also have FTP running on that server, using port 21. The server could be easy prey for attacks designed to infiltrate via port 21. But it doesn’t have to be this way! Using secure ports, closing ports, disabling services, and, of course, using firewalls are vital defenses. Chapter 8 covers additional equipment such as network intrusion detection systems, proxies, and the varying types of firewalls.
In this day and age there is a cornucopia of network attacks. When observing your network and servers, attacks such as denial-of-service (DoS), distributed DoS (DDoS), spoofing, hijacking, replays, amplification, and poisoning should be at the top of your list. But the security administrator must wear multiple hats. In addition to investigator, one of your roles is that of researcher. You must study the latest attacks and CVEs for a system, watch for updates and bulletins, and visit online forums and discussion groups often. However, the role of “watcher” is probably one of the best descriptive terms for a security administrator. You must constantly scrutinize your servers and network equipment. This everlasting vigil is part of the job. Those who are alert and observant shall prevail, and those who are not...well, they risk the danger of becoming enveloped by the flood of threats that lurks just outside (and sometimes inside) the computer network.
Review Key Topics
Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 7-4 lists a reference of these key topics and the page number on which each is found.
Table 7-4 Key Topics for Chapter 7
| Key Topic Element | Description | Page Number |
| Table 7-2 | Ports and their associated protocols | 151 |
| Figure 7-2 | IP addresses and ports | 153 |
| Table 7-3 | Summary of network attacks and mitigation techniques | 164 |
Define Key Terms
Define the following key terms from this chapter, and check your answers in the glossary:
distributed denial-of-service (DDoS)
Complete the Real-World Scenarios
Complete the Real-World Scenarios found on the companion website (www.pearsonitcertification.com/title/9780134846057). You will find a PDF containing the scenario and questions, and also supporting videos and simulations.
Review Questions
Answer the following review questions. Check your answers in Appendix A, “Answers to the Review Questions.”
1. Which of the following is an example of a nonessential protocol?
A. DNS
B. ARP
C. TCP
D. TFTP
2. A person attempts to access a server during a zone transfer to get access to a zone file. What type of server is that person trying to manipulate?
A. Proxy server
B. DNS server
C. File server
D. Web server
3. Which one of the following can monitor and protect a DNS server?
A. Ping the DNS server.
B. Block port 53 on the firewall.
C. Purge PTR records daily.
D. Check DNS records regularly.
4. Which TCP port does LDAP use?
A. 389
B. 80
C. 443
D. 143
5. From the list of ports, select two that are used for e-mail. (Select the two best answers.)
A. 110
B. 3389
C. 143
D. 389
6. Which port number does the Domain Name System use?
A. 53
B. 80
C. 110
D. 88
7. John needs to install a web server that can offer SSL-based encryption. Which of the following ports is required for SSL transactions?
A. Port 80 inbound
B. Port 80 outbound
C. Port 443 inbound
D. Port 443 outbound
8. If a person takes control of a session between a server and a client, it is known as what type of attack?
A. DDoS
B. Smurf
C. Session hijacking
D. Malicious software
9. Making data appear as if it is coming from somewhere other than its original source is known as what?
A. Hacking
B. Phishing
C. Cracking
D. Spoofing
10. Which of the following enables an attacker to float a domain registration for a maximum of five days?
A. Kiting
B. DNS poisoning
C. Domain hijacking
D. Spoofing
11. What is the best definition for ARP?
A. Resolves IP addresses to DNS names
B. Resolves IP addresses to hostnames
C. Resolves IP addresses to MAC addresses
D. Resolves IP addresses to DNS addresses
12. You have three e-mail servers. What is it called when one server forwards e-mail to another?
A. SMTP relay
B. Buffer overflows
C. POP3
D. Cookies
13. A coworker goes to a website but notices that the browser brings her to a different website and that the URL has changed. What type of attack is this?
A. DNS poisoning
B. Denial of service
C. Buffer overflow
D. ARP poisoning
14. Which of the following misuses the Transmission Control Protocol handshake process?
A. Man-in-the-middle attack
B. SYN attack
C. WPA attack
D. Replay attack
15. For a remote tech to log in to a user’s computer in another state, what inbound port must be open on the user’s computer?
A. 21
B. 389
C. 3389
D. 8080
16. A DDoS attack can be best defined as what?
A. Privilege escalation
B. Multiple computers attacking a single server
C. A computer placed between a sender and receiver to capture data
D. Overhearing parts of a conversation
17. When users in your company attempt to access a particular website, the attempts are redirected to a spoofed website. What are two possible reasons for this?
A. DoS
B. DNS poisoning
C. Modified hosts file
D. Domain name kiting
18. What kind of attack is it when the packets sent do not require a synchronization process and are not connection-oriented?
A. Man-in-the-middle
B. TCP/IP hijacking
C. UDP attack
D. ICMP flood
19. Which of the following attacks is a type of DoS attack that sends large amounts of UDP echoes to ports 7 and 19?
A. Teardrop
B. IP spoofing
C. Fraggle
D. Replay
20. Don must configure his firewall to support TACACS+. Which port(s) should he open on the firewall?
A. Port 53
B. Port 49
C. Port 161
D. Port 22
21. Which of the following ports is used by Kerberos by default?
A. 21
B. 80
C. 88
D. 443
22. Which of the following is the best option if you are trying to monitor network devices?
A. SNMP
B. Telnet
C. FTPS
D. IPsec
23. What is a secure way to remotely administer Linux systems?
A. SCP
B. SSH
C. SNMP
D. SFTP
24. Your web server that conducts online transactions crashed, so you examine the HTTP logs and see that a search string was executed by a single user masquerading as a customer. The crash happened immediately afterward. What type of network attack occurred?
A. DDoS
B. DoS
C. MAC spoofing
D. MITM
E. DNS amplification attack
25. Which port number is ultimately used by SCP?
A. 22
B. 23
C. 25
D. 443
26. A malicious insider is accused of stealing confidential data from your organization. What is the best way to identify the insider’s computer?
A. IP address
B. MAC address
C. Computer name
D. NetBIOS name
27. What is the best way to utilize FTP sessions securely?
A. FTPS
B. FTP passive
C. FTP active
D. TFTP
28. Which of the following is the most secure protocol for transferring files?
A. FTP
B. SSH
C. FTPS
D. Telnet
29. Which of the following protocols allow for the secure transfer of files? (Select the two best answers.)
A. SNMP
B. SFTP
C. TFTP
D. SCP
E. ICMP
30. Your organization wants to implement a secure e-mail system using the POP3 and SMTP mail protocols. All mail connections need to be secured with SSL. Which of the following ports should you be using? (Select the two best answers.)
A. 25
B. 110
C. 143
D. 465
E. 993
F. 995