ch26.htm

Maximum Security (First Edition) 网络安全 英文版

<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Find Cheswick's &quot;An
	Evening With Berferd In Which a Cracker is Lured, Endured and Studied&quot; online
	at <A HREF="ftp://research.att.com/dist/internet_security/berferd.ps"><TT>ftp://research.att.com/dist/internet_security/berferd.ps</TT></A>.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Tsutomu Shimomura and Weitse Venema
	were also involved in this case, which spanned a fairly lengthy period of time. Shimomura
	reportedly assisted in capturing the network traffic, while Venema monitored the
	cracker (and his associates) in the Netherlands. Also, Cheswick reports that Steve
	Bellovin constructed a throwaway machine that they intended to use for such cases.
	They reasoned that such a machine would provide a better environment to observe a
	cracker at work, because the machine could actually be compromised at a root level
	(and perhaps even the file system could be destroyed). They would simply locate the
	machine on a network segment on which a sniffer could also be installed. Thus, if
	the cracker destroyed the file system of the instant machine, they could still reap
	the benefit of the logs. This is truly an important paper. It is humorous, entertaining,
	and enormously instructive.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>As it happens, Steve Bellovin did
	provide a dedicated bait machine, which would later become the model for other such
	machines. In the referenced paper, there is an extensive discussion of how to build
	a jail like the one the folks at Bell Labs used for the Berferd. 
<HR>


</BLOCKQUOTE>

<P>Other such reports exist. A particularly scathing one was authored by Tsutomu
Shimomura, who had a cracker who closely resembled the Berferd mentioned above. The
individual claimed to be from the <I>Mitnik Liberation Front</I> (the name of this
so-called organization says it all). In any event, this individual &quot;compromised&quot;
a baited machine, similar to the one that Bellovin reportedly constructed. Shimomura's
commentary is interlaced between failed attempts by the cracker to accomplish much.
There are logs of the sessions. It is an interesting study.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Shimomura's paper is
	located online at <A HREF="http://www.takedown.com/evidence/anklebiters/mlf/index.html"><TT>http://www.takedown.com/evidence/anklebiters/mlf/index.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Another engrossing account was authored by Leendert van Dorn, from Vrije University
in the Netherlands. It is titled &quot;Computer Break-ins: A Case Study&quot; (January
21, 1993). The paper addresses various types of attacks. These techniques were collected
from actual attacks directed against Vrije University. Some of the attacks were quite
sophisticated.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Find van Dorn's account
	online at <A HREF="http://www.alw.nih.gov/Security/FIRST/papers/general/holland.ps"><TT>http://www.alw.nih.gov/Security/FIRST/papers/general/holland.ps</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Perhaps a better-known paper is &quot;Security Breaches: Five Recent Incidents
at Columbia University.&quot; Because I analyze that paper elsewhere in this text,
I will refrain from doing so again. However, it is an excellent study (some 23 pages
in all) that sheds significant light on the behavior of crackers implementing attacks.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>&quot;Security Breaches:
	Five Recent Incidents at Columbia University&quot; can be found online at <A HREF="http://www.alw.nih.gov/Security/FIRST/papers/general/fuat.ps"><TT>http://www.alw.nih.gov/Security/FIRST/papers/general/fuat.ps</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Gordon R. Meyer wrote a very interesting paper titled &quot;The Social Organization
of the Computer Underground&quot; as his master's thesis at Northern Illinois University.
In it, Meyer analyzed the computer underground from a sociological point of view
and gathered some enlightening information. The paper, although dated, provides excerpts
from radio and television interviews, message logs, journals, and other publications.
Although Meyer's paper does not reveal specific methods of operation in the same
detail as the papers mentioned earlier, it does describe (with considerable detail
and clarity) the social aspects of cracking and crackers.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Meyer's paper, written
	in August, 1989, is located online at <TT>http://www.alw.nih.gov/Security/FIRST/papers/general/hacker.txt</TT>.
	
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>The Sams Crack Level Index</B></FONT></H2>
<P>Figure 26.1 shows six levels, each representing one level of depth into your network.
I will refer to these as <I>levels of sensitivity</I>. Points along those levels
identify the risks associated with each cracking technique. I will refer to those
as <I>states of attack</I>.</P>
<P><A NAME="01"></A><A HREF="01.htm"><B>FIGURE 26.1.</B></A> <I><BR>
The Sams crack level index.</I>
<H3><FONT COLOR="#000077"><B>Levels of Sensitivity</B></FONT></H3>
<P>The levels of sensitivity in all networks are pretty much the same (barring those
using secure network operating systems). The common risks can be summed up in a list,
which has basically not changed for a decade. The list rarely changes, except with
the introduction of new technologies, such as ActiveX, that allow arbitrary execution
of binaries over the Net.</P>
<P>The majority of crackers capitalize on the holes we hear about daily in security
newsgroups. If you have frequented these groups (or a security mailing list) you
will have read these words a thousand times:

<UL>
	<LI>&quot;Oh, they had <TT>test.cgi</TT> still installed in their cgi-bin directory.&quot;<BR>
	<BR>
	
	<LI>&quot;It was a Linux box and apparently, they installed sudo and some of the
	demo users.&quot;<BR>
	<BR>
	
	<LI>&quot;It was the <TT>phf</TT> script that did them in.&quot;
</UL>

<H4><FONT COLOR="#000077"><B>Level One</B></FONT></H4>
<P>Attacks classified in the level-one category are basically irrelevant. Level-one
attacks include denial-of-service attacks and mail bombing. At best, these techniques
require 30 minutes of your time to correct. This is because these attacks are instituted
with the express purpose of nuisance. In most instances, you can halt these problems
by applying an exclusionary scheme, as discussed in Computer Security Advisory 95-13
(<I>SATAN Update</I>), issued by the University of Pittsburgh:

<DL>
	<DD>Denial-of-service attacks are always possible: The best way to deal with this
	is to react to intrusions by adding intruder source hosts/networks into the DENY
	listings in the inetd.sec. There is no proactive way to avoid this without disabling
	networking altogether.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>If you uncover evidence of a denial-of-service
	attack, you should look elsewhere on the system for possible intrusions. Flooding
	and denial-of-service attacks are often precursors (or even integral portions) of
	a spoofing attack. If you see a comprehensive flooding of a given port on one machine,
	take note of the port and what it does. Examine what service is bound to it. If that
	service is an integral part of your internal system--where other machines use it
	and the communication relies on address authentication--be wary. What looks like
	a denial-of-service attack could in fact be the beginning of a breach of network
	security, though generally, denial-of-service attacks that last for long periods
	of time are just what they appear to be: nuisances. 
<HR>


</BLOCKQUOTE>

<P>There are some instances in which a denial-of-service attack can be more serious.
Certain, obscure configurations of your network could foster more threatening conditions.
Christopher Klaus of Internet Security Systems defined several such configurations
in a post concerning denial-of-service attacks. In that posting, Klaus wrote:

<DL>
	<DD>By sending a UDP packet with incorrect information in the header, some Sun-OS
	4.1.3 UNIX boxes will panic and then reboot. This is a problem found frequently on
	many firewalls that are on top of a Sun-OS machine. This could be high risk vulnerability
	if your firewall keeps going down.
</DL>

<P>Klaus also addressed other denial-of-service attacks in that post. I would recommend
reviewing it. Klaus provides information on vulnerabilities for NT, Novell, Linux,
and UNIX generally.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Klaus's posting can be
	found online at <A HREF="http://vger.alaska.net/mail/bos/msg00002.html"><TT>http://vger.alaska.net/mail/bos/msg00002.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>If the attack is a syn_flood attack, there are some measures you can take to identify
the cracking party. Currently, four major syn_flooding utilities are floating around
on the Internet. At least two of these tools have a fundamental flaw within them
that reveals the identity of the attacker, even if indirectly. These tools have provisions
within their code for a series of PING instructions. These PING instructs carry with
them the IP address of the machine issuing them. Therefore, if the cracker is using
one of these two utilities, he is telegraphing his IP address to you for each PING.
Although this will not give you the e-mail address of the party, you can, through
methods described earlier in this book, trace it to its ultimate source. (As noted,
traceroute will reveal the actual network the cracker is coming from. This is generally
the second-to-last entry on the reverse traceroute lookup.) The problem with this,
however, is that you must log heavily enough to capture all the traffic between you
and the cracking party. To find that IP address, you will have to dig for it. At
any rate, you have a 50 percent chance of the cracker using such a flawed utility.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>The remaining two utilities for
	syn_flooding do not have this PING flaw. The developers of these tools were a bit
	more sophisticated. They added a provision to randomize the purported IP address.
	This naturally presents a much more difficult situation to the victim. Even low-level
	analysis of the received packets is a waste of time. However, to the inexperienced
	system administrator, this could be a bit confusing. Tricky, right? 
<HR>


</BLOCKQUOTE>

<P>Most denial-of-service attacks represent a relatively low-level risk. Even those
attacks that can force a reboot (of over-utilization of a processor) are only temporary
problems. These types of attacks are vastly different from attacks where someone
gains control of your network. The only truly irritating thing about denial-of-service
attacks is that in the same way that they are low-level risks, they are also high-level
possibilities. A cracker implementing a denial-of-service attack need have only very
limited experience and expertise. These attacks are therefore common, though not