Network attacks, security breaches and hacks wreck systems with varying intensity. If you are a system administrator, you will be aware, despite every security measure you have in place, of the damage an attack can do to a server or an entire network.
Let's take a closer look at what DDoS, network attacks and security breaches actually are, and at the possible ways to avoid, detect and recover from an attack.
What does a Network Attack actually imply?
One thing is certain: a network attack is initiated with criminal intent. It occurs when an attacker or hacker tries to compromise a network using various means and technologies. Such an attack is not an accident but a planned, executed attempt to gain access to corporate networks in order to steal data, then damage and corrupt the data on the system to the point that nothing can be retrieved by authorized users.
One form is the external attack, carried out by fraudsters who are outside the targeted corporate network. A fair amount of knowledge, planning and preparation is required before the actual attack is launched; such fraudsters spend days or even months scanning and gathering information about the target systems.
Structured external threats are usually posed by criminal hackers who are well aware of their intentions and of the damage they can cause. To a large extent these fraudsters are skilled in network design and know various ways to bypass security measures, Intrusion Detection Systems (IDSs), access procedures and other tools.
Unstructured external threats are usually posed by inexperienced fraudsters who are nonetheless aware that they can cause damage to a system. These inexperienced attackers typically make use of cracking or scripting tools that are easily found on the Internet and turn them against the network.
Remote external attacks target systems and services that a service provider offers to the public. Such an attack can also target services offered to internal users, or password-authenticated systems by brute force.
Local external attacks are initiated from shared computing facilities to gain access to the system.
Attacks initiated from within the system are a threat to every organization and service provider. They are at times initiated by an unhappy customer using the system or by an internal employee. These attackers already have a certain level of access and try to disguise the attack as ordinary computing activity, so it is usually difficult to identify such an attack from inside before any damage is done.
Various forms of attack are found in the industry, and attackers may combine several of them to compromise existing network security and gain access. Footprinting is usually the initial stage of hacking into a corporate network: at this stage the attacker builds a network map comprising details such as the operating systems, applications and address ranges in use, and traces a possible entry through an open port. Port scanning is done to gather information about the network services running on the targeted network and to identify any open ports. Enumeration may then be used to gather information on the applications and hosts on the network and on the user accounts used there; this is usually successful on networks that contain unprotected resources and services. Then an access attack is launched with the intention of exploiting a security weakness to gain entry to a system or the network; Trojan horses and password-cracking programs usually serve this purpose. Once the target network is compromised and the hacker(s) have access to the system, data can be modified or deleted and network resources can be added, modified or removed.
Another common type of attack is unauthorized privilege escalation. Privilege escalation occurs when an intruder attempts to gain a higher level of access, such as administrative privileges, in order to take control of the network system. Hackers can also implement mechanisms that grant them access at some time in the future: backdoors are installed to gain easy access to the system later. If you realise that your system has been compromised, it is advisable to restore it from a backup that you know to be secure and free of backdoors.
What are the Common Types of Network Attacks?
– Eavesdropping: In such an attack, fraudsters keep monitoring or listening to the network traffic in transit. After close analysis every piece of unprotected data is traced and documented, using sniffing technology to eavesdrop on an Internet Protocol (IP) based network and capture traffic in transit.
– IP address spoofing: This is a common technique in which the attacker assumes a source IP address and disguises IP packets as if they came from a legitimate address. The sole purpose of an IP spoofing attack is to identify computers on a network.
Fraudsters usually monitor and analyze traffic before initiating an attack; this is known as sniffing. Many sniffing tools, popularly known as sniffers or protocol analyzers, are readily available on the web and are used to gather the intended data before the attack. These tools help attackers gather specific network information such as passwords and other user credentials.
– Password attacks have the sole purpose of discovering the access passwords of a system. The attacker's algorithm runs through different permutations and combinations until the right password is matched. Once the login credentials are known, an attack on the corporate network can easily follow. Some even combine dictionary and brute-force attacks to force access to resources at the same access level as a legitimate user.
– Brute force attack: Many webmasters and users are aware of this type of threat to any system connected to the Internet (see also: What is a brute force attack and how to prevent it?). Here a simple script is used to crack the passwords of a targeted system. It may even compromise networks that use the Simple Mail Transfer Protocol.
– Denial of Service (DoS) or Distributed Denial of Service (DDoS): In this type of attack, invalid data is sent to the target system, flooding it with more requests than it is capable of handling and causing it to hang. Learn more about (D)DoS attacks (Denial-of-service). A TCP attack is one of the most common DoS methods.
When a DoS attack is targeted at an entire network it is known as DDoS. Here the attack is widespread, directed at a single network from multiple locations. It is one of the most difficult attacks to handle, as administrators have a hard time distinguishing attacker systems from those of legitimate users.
– Man-in-the-middle (MITM) attack: In this type of threat an attacker manages to place themselves within the communication channel between two parties. The hacker then knows the data that is exchanged and at times even has control over it; needless to say, data can be leaked without your knowledge.
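The defender's side of the password and brute-force attacks described above is spotting the burst of failed logins in the authentication log. The following is an added example, not code from the original page: it parses OpenSSH-style "Failed password" / "Accepted" lines, counts failures per source address inside a sliding time window, and additionally flags a success that follows a burst of failures, which is the case that matters most. The log lines are constructed for the example, the threshold and window are assumed tuning values, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of an OpenSSH auth log (fabricated hosts and addresses).
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 02:14:03 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 10 02:14:04 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 02:14:06 host1 sshd[2004]: Failed password for invalid user test from 203.0.113.7 port 51125 ssh2
Mar 10 02:14:09 host1 sshd[2005]: Failed password for root from 203.0.113.7 port 51126 ssh2
Mar 10 02:14:10 host1 sshd[2006]: Accepted password for root from 203.0.113.7 port 51127 ssh2
Mar 10 02:20:00 host1 sshd[2010]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Mar 10 02:25:00 host1 sshd[2011]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_line(line, year=2024):
    """Return a dict for an sshd login result line, or None for anything else.
    The year is an assumption: syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Map each source address that produced >= threshold failures within a sliding
    window to a finding. A later successful login from a flagged source is marked
    'success_after_burst', the strongest sign that the guessing worked."""
    events = [e for e in (parse_auth_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(list)   # src -> timestamps of failures inside the window
    users = defaultdict(set)     # src -> every user name that source tried
    findings = {}
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            users[src].add(e["user"])
            window = recent[src]
            window.append(e["ts"])
            # discard failures that fell out of the window
            while (e["ts"] - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold:
                f = findings.setdefault(
                    src, {"peak_failures": 0, "users": users[src], "success_after_burst": False}
                )
                f["peak_failures"] = max(f["peak_failures"], len(window))
        elif src in findings:
            findings[src]["success_after_burst"] = True
    return findings


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, info["peak_failures"], sorted(info["users"]), info["success_after_burst"])
```

On the constructed input only 203.0.113.7 is reported: five failures in eight seconds against three different user names, followed by an accepted password. A single failure from 198.51.100.5 followed by a key-based login stays below the threshold, which is the behaviour you want so that a mistyped password does not page anyone.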
How to Avoid Network and other Security Threats?
An IDS (Intrusion Detection System) is considered an ideal means of protecting a network against attacks. Every type of attack must be logged and analyzed to identify the risks posed to the network or to a particular system. This helps anticipate upcoming threats and prepares you to tackle or avoid them.
An Incident Response Plan helps with counteracting an attack. A strategically planned process flow chart can help deal with the incident in a short span of time and avoid serious damage to the network and systems.
If you have enough manpower, you may also set up an incident response team of highly skilled members who are responsible for managing the situation in the event of an attack. The team not only protects the system from threats but also plays a key role in recovering from an attack in the shortest possible time.
Analyzing an Attack
There are multiple ways in which intruders and attackers can compromise a network.
– Cracking-in-progress attacks: Hackers and individuals with illegal intentions constantly try different methods of decrypting confidential encrypted data and evading authentication to gain access to a system or network; this is referred to as cracking. A cracking-in-progress attack refers to the risk while the illegal activity is under way on a network and the attacker is still inside the system. Even if they are not active at a given moment, there is a good chance they will return. Scanning the systems and network with various tools should help identify a compromise. In the event of a breach, you need to be prepared for any unexpected incident on your system. Usually an attacker will bypass a system's installed security, leave a backdoor, hide their activities and leave for the moment, so that they can return whenever they wish. It is difficult to counter a cracking-in-progress attack on a network, but if you do identify an attacker active on your network, you must identify them and block them from any further activity on the system. Below are a couple of options you may choose from:
- Restrict the attacker from carrying out any further activity on your system or network by blocking the connection they have established with your system.
- Monitor the activities of the hacker.
– Denial of Service attacks: The sole aim of a DoS attack is to prevent legitimate users from accessing services over a network. Attackers use various types of DoS attack; a couple of them are listed below.
- Flooding the network with invalid data to the extent that legitimate users fail to establish a connection and proceed with their activity.
- Flooding the network with invalid service requests until the host offering the service can no longer serve them. In this case the network is overloaded with incoming requests and goes into a hang state.
- Breaking communication between hosts and clients by altering the system configuration settings or destroying them entirely.
Some bold attackers may even carry out a large volume of unauthorised DNS dynamic updates via the DHCP server. In DNS DoS attacks the DNS servers are targeted with constant requests until they are flooded and the system fails to respond to any request made to it. If the attack lasts too long, the entire system tends to shut down eventually.
What are the Types of DoS Attacks?
Network scanning: This is when a fraudster has already gained access to the system and scans it to gather information about the services and applications running on the network. The prime motive is to identify open ports on the system. The first action to take once you identify the breach is to instantly restrict access to your system.
Smurf attack: In this type of DoS, the Internet Control Message Protocol (ICMP) is the target and attackers try to abuse it. The following measures can be used to disable the attack:
– Disable hosts from responding to ICMP packets transmitted to a broadcast address.
– Disable IP broadcast traffic on perimeter routers.
– Activate ingress filtering on perimeter routers to stop spoofed traffic from moving over the network.
SYN flooding attacks: In this type of DoS attack the system's resources are targeted and consumed until they are exhausted. SYN packets are used to carry out the attack. Following are a couple of ways to restrict SYN flooding attacks:
- Activate ingress filtering on service provider routers.
- Configure the firewall to block SYN attacks.
- Increase the size of the queue for pending TCP connection attempts.
- Reduce the timeout setting for TCP connection attempts.
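A SYN flood shows up on the victim as a pile of half-open connections (state SYN-RECV) on one listening port, usually from many different source addresses because the sources are spoofed. The example below is added here and is not code from the original page: it parses the layout of `ss -tan` output (the sample is constructed, with fabricated addresses), counts half-open versus established sockets per local port, and flags a port whose half-open backlog is both large and out of proportion to its established connections. The thresholds are assumed tuning values for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `ss -tan` output (fabricated addresses, not a real capture).
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
SYN-RECV   0      0      10.0.0.5:443         203.0.113.10:40001
SYN-RECV   0      0      10.0.0.5:443         203.0.113.11:40002
SYN-RECV   0      0      10.0.0.5:443         203.0.113.12:40003
SYN-RECV   0      0      10.0.0.5:443         203.0.113.13:40004
SYN-RECV   0      0      10.0.0.5:443         203.0.113.14:40005
SYN-RECV   0      0      10.0.0.5:443         203.0.113.15:40006
SYN-RECV   0      0      10.0.0.5:22          198.51.100.9:51000
ESTAB      0      0      10.0.0.5:443         198.51.100.20:50001
ESTAB      0      0      10.0.0.5:22          198.51.100.21:50002
LISTEN     0      128    0.0.0.0:22           0.0.0.0:*
"""

# state, recv-q, send-q, local addr:port, peer addr:port
ROW_RE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s*$")


def split_addr(addr):
    """Split 'host:port' on the last colon so bracketed IPv6 addresses also work."""
    host, _, port = addr.rpartition(":")
    return host, port


def half_open_by_port(ss_output):
    """Per local port: number of half-open (SYN-RECV) sockets, number of established
    sockets, and the set of distinct peer hosts behind the half-open ones."""
    summary = defaultdict(lambda: {"half_open": 0, "established": 0, "peers": set()})
    for line in ss_output.splitlines():
        m = ROW_RE.match(line)
        if not m or m["state"] not in ("SYN-RECV", "ESTAB"):
            continue  # header, LISTEN rows and anything unparsable are skipped
        _, lport = split_addr(m["local"])
        phost, _ = split_addr(m["peer"])
        entry = summary[lport]
        if m["state"] == "SYN-RECV":
            entry["half_open"] += 1
            entry["peers"].add(phost)
        else:
            entry["established"] += 1
    return dict(summary)


def flag_syn_flood(summary, max_half_open=5, min_ratio=3.0):
    """Flag ports whose half-open backlog exceeds max_half_open and is at least
    min_ratio times the established count. Many distinct peers on a flagged port
    points at spoofed sources rather than one misbehaving client."""
    flagged = {}
    for port, s in summary.items():
        ratio = s["half_open"] / max(s["established"], 1)
        if s["half_open"] > max_half_open and ratio >= min_ratio:
            flagged[port] = {
                "half_open": s["half_open"],
                "distinct_peers": len(s["peers"]),
                "ratio": ratio,
            }
    return flagged


if __name__ == "__main__":
    print(flag_syn_flood(half_open_by_port(SAMPLE_SS_OUTPUT)))
```

On a live Linux host you would feed the function the real output of `ss -tan`. The two list items above about queue size and timeout map to the kernel settings `net.ipv4.tcp_max_syn_backlog` and `net.ipv4.tcp_synack_retries`, and enabling `net.ipv4.tcp_syncookies` lets the host keep accepting legitimate connections once that backlog is full.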
Unexpected files found at certain locations within the system: This can be a serious pointer towards an attack that happened without your knowledge. It needs to be addressed at the earliest, as there is a chance the attacker will return in the near future.
Investigation and Collection of Evidence relating to Attacks
It is necessary to make a list of the evidence that points towards a possible attack.
- Check for the following information:
  - Application event log information.
  - System event log information.
  - Security event log information.
  - All other machine-specific event logs, such as DNS logs, DHCP logs or File Replication logs.
- Logs describing possible malicious activities:
  - Modified, corrupted or deleted files.
  - All unauthorized processes running.
Places where you can get the necessary information about a network attack are:
- System logs
- Network logs
- System state
- Network state
Neutralizing Network Attackers
Administrators can choose among multiple techniques to checkmate attacks by fraudsters. Following are a couple of those:
- Preparing an access control list and implementing it on firewalls and routers.
- Taking the server offline in case of an attack.
- Disconnecting the attacked host from the network.
- Taking the site down from the Internet.
Furthermore, it is essential to analyze the attack even after it has been contained. This helps you gather useful information that will prepare you for similar attacks in the future.
You may also use a sniffer on the network to identify any strange activity within it.
How to identify whether your system's security has been compromised?
Even a layman may realise that a system's security has been compromised, true. But there is more to look for. As stated earlier, an attacker will leave a backdoor so that it can be used at a later stage.
What most are not aware of are the vulnerabilities that hackers look for within a system in order to exploit it. Here is a list:
- Mis-configured network service(s).
- Bugs in operating systems.
- Application bugs.
How to deal with these vulnerabilities?
- Disconnect the system from the network instantly.
- Report the attack to the network service provider as soon as you encounter it.
- If you are well versed in server and network administration, creating an image of the system can help with analyzing the attack.
- Validate the system for any modified components, such as:
  - System files.
  - Data files.
  - Configuration files.
  - Configuration settings.
  - Deleted data.
- Use a clean install to recover a compromised system.
- Harden the system's security against possible threats.
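Validating system, data and configuration files for modification, and spotting deleted or unexpected files, is only possible if you recorded what "known good" looked like beforehand. The example below is added here and is not code from the original page: it builds a baseline of SHA-256 digests for every file under a directory, then compares a later scan against it and classifies each difference as modified, added or deleted. The `demo()` function constructs a throwaway directory with made-up files, simulates the kind of changes an intrusion leaves behind, and returns the classification; the file names and contents are fabricated for the example.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Digest a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (as a path relative to root) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # hash targets, not links, to avoid following a planted link
            baseline[os.path.relpath(full, root)] = sha256_file(full)
    return baseline


def compare_baseline(known_good, current):
    """Classify the differences between a trusted baseline and a fresh scan.
    The trusted baseline must come from offline storage, never from the suspect host."""
    return {
        "modified": sorted(p for p in known_good if p in current and current[p] != known_good[p]),
        "added": sorted(p for p in current if p not in known_good),
        "deleted": sorted(p for p in known_good if p not in current),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(path, mode) as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a small tree, then simulate a changed config,
    a replaced binary, an unexpected dropped file and a deleted file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/sshd_config", "PermitRootLogin no\n")
        _write(root, "bin/ls", b"\x7fELF-fake-binary")
        _write(root, "etc/motd", "welcome\n")
        known_good = build_baseline(root)

        _write(root, "etc/sshd_config", "PermitRootLogin yes\n")   # config altered
        _write(root, "bin/ls", b"\x7fELF-replaced-binary")         # system file replaced
        _write(root, "bin/.hidden", "unexpected\n")                 # file that should not exist
        os.remove(os.path.join(root, "etc", "motd"))                # file removed
        return compare_baseline(known_good, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after a clean install and stored off the host (read-only media or a separate system), because a baseline kept on the compromised machine can itself be edited by whoever has a backdoor. The same comparison also answers the "Deleted data" item: anything present in the baseline but missing from the scan lands in `deleted`.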
How to Detect Network Intrusions?
It is advisable to monitor the network regularly for any possible intrusion. It is rare to detect an intrusion at the first instance, as hackers usually camouflage themselves and make their processes appear normal. But you can look for any strange activities or strange files on your network.
You can make use of logging information to detect an intrusion attempt.
- Intrusion detection system (IDS) logs: The IDS is designed to monitor the network by scanning every activity on it. Its algorithm analyzes suspicious data patterns, and if it detects something suspicious it alerts the administrators instantly. It is one of the trusted precautionary mechanisms for protecting a system from threats. It can be implemented on the network, on hosts, or on both.
- Firewall logs: The system firewall can be configured to log all the traffic it deems suspicious. These logs are one of the trusted means of identifying an intrusion attempt that has failed.
- Event logs: An Event Viewer is used to monitor every event that occurs on a server. These events are stored and categorized as the system log, application log and security log.
- Syslog data: Syslog is the logging facility used on Unix systems.
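Firewall logs are where failed intrusion attempts and the port scans mentioned earlier become visible, because every probe against a closed port is a dropped packet with a source address and a destination port. The example below is added here and is not code from the original page: it parses the `KEY=VALUE` fields that the Linux netfilter LOG target writes to syslog, tallies drops per source, and separates a source that probed many distinct ports (a scan) from one that merely retried a single blocked service. The log lines, the `FW-DROP:` prefix and the threshold are all constructed or assumed for the example.

```python
import re
from collections import defaultdict

# Constructed lines in the style of netfilter LOG entries as written to syslog
# (fabricated addresses; "FW-DROP:" is an assumed --log-prefix).
SAMPLE_FW_LOG = """\
Mar 10 03:01:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=10.0.0.5 PROTO=TCP SPT=44000 DPT=21 SYN
Mar 10 03:01:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=10.0.0.5 PROTO=TCP SPT=44001 DPT=23 SYN
Mar 10 03:01:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=10.0.0.5 PROTO=TCP SPT=44002 DPT=25 SYN
Mar 10 03:01:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=10.0.0.5 PROTO=TCP SPT=44003 DPT=110 SYN
Mar 10 03:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=10.0.0.5 PROTO=TCP SPT=44004 DPT=143 SYN
Mar 10 03:01:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=10.0.0.5 PROTO=TCP SPT=44005 DPT=3306 SYN
Mar 10 03:01:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.50 DST=10.0.0.5 PROTO=TCP SPT=44006 DPT=3389 SYN
Mar 10 03:05:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP SPT=50000 DPT=445 SYN
Mar 10 03:05:30 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.0.5 PROTO=TCP SPT=50001 DPT=445 SYN
Mar 10 03:06:00 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=10.0.0.5 PROTO=UDP SPT=50002 DPT=161
Mar 10 03:07:00 fw sshd[1]: Accepted publickey for ops from 192.0.2.8 port 40000 ssh2
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_fw_line(line):
    """Pull the KEY=VALUE fields out of a netfilter LOG line; None for other syslog lines."""
    if " kernel: " not in line or "SRC=" not in line:
        return None
    fields = dict(KV_RE.findall(line))
    return {
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": fields.get("DPT"),
    }


def summarize_drops(log_text):
    """Per source address: total dropped packets and the set of (proto, port) it hit."""
    per_src = defaultdict(lambda: {"drops": 0, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec and rec["src"]:
            s = per_src[rec["src"]]
            s["drops"] += 1
            if rec["dport"]:
                s["ports"].add((rec["proto"], rec["dport"]))
    return dict(per_src)


def find_port_scans(summary, min_distinct_ports=5):
    """A source blocked on many distinct ports looks like a scan; repeated drops on one
    port are more likely a single blocked client and are reported by summarize_drops only."""
    return {
        src: sorted(s["ports"])
        for src, s in summary.items()
        if len(s["ports"]) >= min_distinct_ports
    }


if __name__ == "__main__":
    summary = summarize_drops(SAMPLE_FW_LOG)
    for src, s in summary.items():
        print(src, "drops:", s["drops"], "distinct ports:", len(s["ports"]))
    print("scans:", find_port_scans(summary))
```

Run against the constructed input, 203.0.113.50 is reported as a scan (seven distinct ports in three seconds) while 198.51.100.77 is not, even though it was dropped three times. Feeding real lines is a matter of reading `/var/log/kern.log` or the journal instead of the embedded sample; the field names are the ones the LOG target emits, and any custom `--log-prefix` is ignored by the parser.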
Following these procedures can help protect your system from threats and attacks, though they are only counteracting measures that can be implemented. If an attack is of greater intensity, you have no option other than taking the system offline for perhaps a couple of hours or days.