ch26.htm

Maximum Security (First Edition) 网络安全 英文版

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 26 -- Levels of Attack</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch25/ch25.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch27/ch27.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">26</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Levels of Attack</FONT></H1>
</CENTER>
<P>This chapter examines various levels of attack. An <I>attack</I> is any unauthorized
action undertaken with the intent of hindering, damaging, incapacitating, or breaching
the security of your server. Such an attack might range from a denial of service
to complete compromise and destruction of your server. The level of attack that is
successful against your network depends on the security you employ.
<H2><FONT COLOR="#000077"><B>When Can an Attack Occur?</B></FONT></H2>
<P>An attack can occur any time your network is connected to the Internet. Because
most networks are connected 24 hours a day, that means attacks can occur at <I>any
time</I>. Nonetheless, there are some conventions that you can expect attackers to
follow.</P>
<P>The majority of attacks occur (or at least commence) late at night relative to
the position of the server. That is, if you are in Los Angeles and your attacker
is in London, the attack will probably occur during the late night-early morning
hours Los Angeles time. You might think that crackers would work during the day (relative
to the target) because the heavy traffic might obscure their activity. There are
several reasons, however, why crackers avoid such times:

<UL>
	<LI>Practicality--The majority of crackers hold jobs, go to school, or spend time
	in other environments during the day that may preclude cracking. That is, these characters
	do more than spend time in front of a machine all day. This differs from the past,
	when most crackers were kids at home, with nothing to do.<BR>
	<BR>
	
	<LI>Speed--The network is becoming more and more congested. Therefore, it is often
	better to work during times that offer fast packet transport. These windows depend
	largely on geographical location. Someone in the southwestern United States who is
	attacking a machine in London would best conduct their affairs between 10:00 p.m.
	and 12:00 a.m. local time. Playing the field slightly earlier will catch local traffic
	(people checking their mail before bed, users viewing late news, and so on). Working
	much later will catch Netizens of the UK waking up to check their e-mail. Going out
	through Mae East (the largest and busiest Internet exchange gateway) in the early
	morning hours may be fast, but once across the Atlantic, speed dies off quickly.
	Anyone who stays up all night surfing the Net will confirm this. Once you hit the
	morning e-mail check, the Net grinds to a halt. Try it sometime, even locally. At
	4:00 a.m. things are great. By 7:00 a.m., you will be praying for a T3 (or SONET).<BR>
	<BR>
	
	<LI>Stealth--Suppose for a moment that a cracker finds a hole. Suppose further that
	it is 11:00 a.m. and three system administrators are logged on to the network. Just
	what type of cracking do you suppose can be done? Very little. Sysads are quick to
	track down bizarre behavior if they are there to witness it. I once had a system
	administrator track me down immediately after I grabbed her password file. She was
	in Canada and I was in Los Angeles. She issued me a talk instruct before I could
	even cut the line. We had a lovely, albeit short, conversation. This also happened
	once when I broke into a server in Czechoslovakia. The lady there had a Sun and an
	SGI. I cracked the SGI. The conversation there was so good, I stayed connected. We
	discussed her security and she actually gave me an account on an old SPARC at her
	university. The account probably still exists.
</UL>

<P>Favorite targets of crackers are machines with no one on them. For a time, I used
a workstation in Japan to launch my attacks because no one ever seemed to be logged
in. I Telnetted out of that machine, back into the United States. I found a similar
situation with a new ISP in Rome. (I can say no more, because they will definitely
remember me and my identity will be blown. They actually told me that if I ever came
to hack in Italy, I should look them up!)</P>
<P>With such machines, you can temporarily take over, setting things to your particular
tastes. Moreover, you have plenty of time to alter the logs. So be advised: Most
of this activity happens at night relative to your geographical location.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>If you have been doing heavy logging
	and you have only limited time and resources to conduct analysis of those logs, I
	would concentrate more on the late night connection requests. These portions of your
	logs will undoubtedly produce interesting and bizarre information. 
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>What Operating Systems Do Crackers Use?</B></FONT></H2>
<P>Operating systems used by crackers vary. Macintosh is the least likely platform
for a cracker; there simply aren't enough tools available for MacOS, and the tools
needed are too much trouble to port. UNIX is the most likely platform and of that
class, probably FreeBSD or Linux.</P>
<P>The most obvious reason for this is cost. For the price of a $39 book on Linux
(with the accompanying CD-ROM), a cracker gets everything he could ever need in the
way of tools: C, C++, Smalltalk, Perl, TCP/IP, and much more. Moreover, he gets the
full source code to his operating system.</P>
<P>This cost issue is not trivial. Even older workstations can be expensive. Your
money will buy more computing power if you stay with an IBM compatible. Today, you
can get a 100MHz PC with 8MB of RAM for $300. You can put either FreeBSD or Linux
on that machine and suddenly, you have a powerful workstation. Conversely, that same
$300 might buy you a 25MHz SPARCstation 1 with a disk, monitor, and keyboard kit.
Or perhaps an ELC with an external disk and 16MB of RAM. Compounding this is the
problem of software. If you get an old Sun, chances are that you will also be receiving
SunOS 4.1.<I>x</I>. If so, a C compiler (cc) comes stock. However, if you buy an
RS/6000 with AIX 4.1.<I>x</I>, you get a better deal on the machine but you are forced
to get a C compiler. This will probably entail getting GCC from the Internet. As
you might guess, a C compiler is imperative. Without it, you cannot build the majority
of tools distributed from the void. This is a big consideration and one reason that
Linux is becoming much more popular.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Compatibility is not really an issue.
	The majority of good tools are written under the UNIX environment and these can be
	easily ported to the free UNIX platforms. In fact, in many cases, binaries for Linux
	and FreeBSD already exist (although I readily admit that this is more prevalent for
	FreeBSD, as early implementations of Linux had a somewhat eclectic source tree that
	probably more closely resembled AIX than other traditional flavors, like SunOS).
	This is somewhat of a cult issue as well. Purists generally prefer BSD. 
<HR>


</BLOCKQUOTE>

<P>I should mention that professional crackers (those who get paid for their work)
can probably afford any system. You can bet that those forces in American intelligence
investigating cyberwar are using some extreme computing power. For these individuals,
licensing and cost are not issues.
<H3><FONT COLOR="#000077"><B>Sun</B></FONT></H3>
<P>It is fairly common to see crackers using either SolarisX86 or SCO as a platform.
This is because even though these products are licenseware, they can easily be obtained.
Typically, crackers using these platforms know students or are students. They can
therefore take advantage of the enormous discounts offered to educational institutions
and students in general. There is a radical difference between the price paid by
a student and the price paid by the average man on the street. The identical product's
price could differ by hundreds of dollars. Again, because these operating systems
run on PC architecture, they are still more economical alternatives. (SolarisX86
2.4 became enormously popular after support was added for standard IDE drives and
CD-ROM devices. Prior to the 2.4 driver update, the system supported only SCSI drives:
a slightly more expensive proposition.) And of course, one can always order demo
disks from Sun and simply keep the distribution, even though you are in violation
of the license.
<H3><FONT COLOR="#000077"><B>UNIX</B></FONT></H3>
<P>UNIX platforms are popular because they generally require a low overhead. A machine
with Windows 95 and all the trimmings requires a lot of RAM; in contrast, you can
run Linux or FreeBSD on a paltry 386 and gain good performance (provided, of course,
that you do not use X). This is reasonable, too, because even tools that have been
written for use in the X environment usually have a command-line interface as well
(for example, you can run SATAN in CLI).
<H3><FONT COLOR="#000077"><B>Microsoft</B></FONT></H3>
<P>The Microsoft platform supports many legitimate security tools that can be used
to attack remote hosts. Of that class, more and more crackers are using Windows NT.
It outperforms 95 by a wide margin and has advanced tools for networking as well.
Also, Windows NT is a more serious platform in terms of security. It has access control
as well, so crackers can safely offer remote services to their buddies. If those
&quot;friends&quot; log in and attempt to trash the system, they will be faced with
the same controls as they would on a non-cracker-friendly box.</P>
<P>Moreover, NT is becoming more popular because crackers know they must learn this
platform. As NT becomes a more popular platform for Internet servers (and it will,
with the recent commitments between DEC and Microsoft), crackers will need to know
how to crack these machines. Moreover, security professionals will also develop tools
to test internal NT security. Thus, you will see a dramatic rise in the use of NT
as a cracking platform.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Windows 95 tools are also rapidly
	emerging, which will greatly alter the state of cracking on the Net. Such tools are
	typically point and click, requiring little skill on the part of the operator. As
	these tools become more common, you can expect even more security violations on the
	Net. Nonetheless, I don't think 95 will ever be a major platform for serious crackers.
	
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>Origin of Attacks</B></FONT></H2>
<P>Years ago, many attacks originated from universities because that is where the
Internet access came from. Most crackers were youngsters who had no other easy means
of accessing the Internet. This naturally influenced not only the origin of the attack
but also the time during which the attack happened. Also, real TCP/IP was not available
as an option in the old days (at least not from the comfort of your home, save a
shell account).</P>
<P>Today the situation is entirely different. Crackers can crack your network from
their home, office, or vehicle. However, there are some constants. For instance,
serious crackers do not generally use providers such as America Online, Prodigy,
or Microsoft Network. (The obvious exceptions are those crackers who utilize stolen
credit-card numbers. In those cases, AOL is an excellent choice.) One reason for
this is that these providers will roll over a hacker or cracker to the authorities
at the drop of a hat. The suspect may not have even done anything wrong (smaller
ISPs may simply cut them loose). Ironically, big providers allow spammers to pummel
the Internet with largely unwanted advertising. Go figure. Curiosity is frowned upon,
but stone-cold commercialism is A-OK.</P>
<P>Furthermore, these providers do not offer a UNIX shell environment in addition
to garden-variety PPP. A shell account can facilitate many actions that are otherwise
more difficult to undertake. System tools available that can provide increased functionality
include the various shells, Perl, AWK, SED, C, C++, and a handful of system commands
(<TT>showmount</TT> is one; <TT>rusers</TT> is another).</P>
<P>So the picture of a typical cracker is developing: This is a person who works
late at night, who is armed with a UNIX or an NT box and advanced tools, and, with
all likelihood, is using a local provider.
<H2><FONT COLOR="#000077"><B>What Is the Typical Cracker Like?</B></FONT></H2>
<P>The typical cracker can probably be described by at least three qualities in the
following profile:

<UL>
	<LI>Can code in C, C++, or Perl--These are general requirements, because many of
	the baseline security tools are written in one or more of these languages. At minimum,
	the cracker must be able to properly interpret, compile, and execute the code. More-advanced
	crackers can take code not expressly written for a particular platform and port it
	to their own. Equally, they may develop new modules of code for extensible products
	such as SATAN and SAFEsuite (these programs allow the integration of new tools written
	by the user).<BR>
	<BR>
	
	<LI>Has an in-depth knowledge of TCP/IP--No competent cracker can get along without
	this requirement. At minimum, a cracker must know how the Internet works. This knowledge
	must necessarily go deeper than just what it takes to connect and network. The modern,
	competent cracker must know the raw codes within TCP/IP, such as the composition
	of IP packet headers. This knowledge, however, need not be acquired at school and