A network vulnerability is an inherent weakness in the design, implementation, or use of a hardware component or a software routine.
A vulnerability invites attacks and makes the network susceptible to threats.
A threat is anything that can disrupt the operation of the network.
even be accidental or an act of nature, but threats are
threat can damage the network, slow it down, or make
. Any type
of rogue software represents a threat.
An attack is a specific approach employed to exploit a known vulnerability.
A passive attack is designed to monitor and record network activity in order to collect information to be used later in an active attack.
passive attacks are packet sniffing
are difficult to detect.
An active attack tries to damage a network or its operation. Such attacks are easier to detect, but are also more damaging.
When two programs on different computers exchange data, all the data
between the programs have (among other specifications) the
a network opens a port and is similar to opening
. This makes ports
especially important for network security.
When data packets
arrive at a computer from different sources, each stream of
a port number.
A port is identified by a 16-bit integer and there can be 2^16 − 1 = 65,535 ports.
There are three classes of ports: well-known (0 through 1023), registered (1024 through 49,151), and dynamic/private (49,152 through 65,535).
ports are assigned by [IANA port 04] and are normally used
system processes. Some examples are FTP (port 21), Telnet (port 23), SMTP (port 25), and HTTP (port 80).
used by user applications (as opposed to operating
they have to contact a server, but such ports can also identify
that have been registered by a third party.
Dynamic/private ports are
used by user applications, but their use is rare. Such ports
meaning outside of any particular TCP connection.
A port scanner is a program that listens to data arriving at certain ports on a computer.
scanning has legitimate uses
but is also used heavily by hackers to gather
identifies open doors to the computer.
is used to
identify operating system utilities installed in the
exploit known vulnerabilities in those
utilities in order to
scanners are implemented by sophisticated
make them available on the Internet.
In many cases, it is easy to detect the activity of a port scanner from the log files that are continuously updated by the operating system.
Once a port scanner is detected, its transmissions can be traced back to their source and sometimes stopped.
However, the mere activity of port
port scanners exploit a vulnerability associated
packets and half
open connections. Those are
much harder to detect
are logged by the operating system.
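Here is how that log check can be automated, as an added Python example (not from the book): it parses constructed firewall log lines in a hypothetical format and reports any source address that probes many distinct ports within a short window, the pattern left by a vanilla or strobe scan.

```python
"""Flag port-scan activity in firewall log lines (added example).

Constructed log format (hypothetical, not any real firewall's):
    <epoch_seconds> BLOCK <src_ip> -> <dst_port>/<proto>
A source that touches many distinct destination ports within a short
window is reported; ordinary clients touch only a few ports.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+) BLOCK (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<port>\d+)/(?P<proto>tcp|udp)$"
)

# Constructed sample: 203.0.113.7 probes nine ports in eight seconds,
# 198.51.100.2 only repeats one blocked connection to port 445.
SAMPLE_LOG = """\
1700000000 BLOCK 203.0.113.7 -> 21/tcp
1700000001 BLOCK 203.0.113.7 -> 22/tcp
1700000001 BLOCK 203.0.113.7 -> 23/tcp
1700000002 BLOCK 203.0.113.7 -> 25/tcp
1700000003 BLOCK 198.51.100.2 -> 445/tcp
1700000004 BLOCK 203.0.113.7 -> 80/tcp
1700000005 BLOCK 203.0.113.7 -> 110/tcp
1700000006 BLOCK 203.0.113.7 -> 143/tcp
1700000007 BLOCK 198.51.100.2 -> 445/tcp
1700000008 BLOCK 203.0.113.7 -> 443/tcp
1700000008 BLOCK 203.0.113.7 -> 3389/tcp
this line is garbage and is skipped
"""


def parse_log(text):
    """Yield (timestamp, src, port) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"], int(m["port"])


def find_scanners(text, window=60, min_ports=8):
    """Return {src: distinct-port-count} for every source that hits at least
    min_ports distinct ports inside some sliding window of `window` seconds."""
    hits = defaultdict(list)
    for ts, src, port in parse_log(text):
        hits[src].append((ts, port))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # advance the window start until it spans at most `window` seconds
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = {p for _, p in events[lo:hi + 1]}
            if len(distinct) >= min_ports:
                scanners[src] = max(scanners.get(src, 0), len(distinct))
    return scanners


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct ports")
```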
Examples of Port Scanners
Vanilla: The scanner attempts to connect to all I/O ports.
Strobe: A specialized scan looking only for certain services to exploit.
Fragmented packets: The scanner sends fragments of packets. These can sometimes get through certain packet filters in a firewall.
UDP: The scanner looks for open UDP ports.
Sweep: The scanner connects to the same port on several (even many
FTP bounce: The scanner goes through an FTP server (to appear
Stealth scan: The scanner partly disables the log service of the operating system, so it (the operating system) can no longer record the
a free open source
exploration and security auditing. Among other checks, it
The term spoof means to pretend to
falsify one’s identity
to cover tracks.
is no wonder that various spoofing methods are
hackers to gain access or to obtain information.
A computer may be protected from attack by
IP addresses that may send it data.
router may have a list of
and it allows only
data from these numbers to enter the computer.
A hacker who has this list may spoof the router by sending
have come from a legitimate IP
address. Someone who doesn’t have
an allowed IP number by sending the computer data
consecutive IP numbers until a packet gains
entry to the computer.
Defending against spoofing
Filtering. If the computer is part of a local area network, the
a range of IP addresses.
data is sent outside a local
filter software at the router should block any source
the range of the local network. This prevents
someone in the
from sending spoofed data
outside the local network.
(download), the filter should block
any packets with source IPs
within the range of the
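The two filter rules just described, written out as an added Python example (not the book's code); the local range 192.0.2.0/24 and the packet samples are constructed.

```python
"""Ingress/egress anti-spoofing filter for a border router (added example).

Rule from the text: a packet leaving the local network must carry a local
source address, and a packet entering it must not. 192.0.2.0/24 (a
documentation prefix) is the constructed 'local' range.
"""
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed local range


def filter_packet(direction, src_ip, local_net=LOCAL_NET):
    """Return 'pass' or 'block' for one packet.

    direction: 'out' (leaving the local network) or 'in' (entering it).
    """
    src = ipaddress.ip_address(src_ip)
    is_local = src in local_net
    if direction == "out":
        # egress rule: an outbound packet claiming a foreign source is spoofed
        return "pass" if is_local else "block"
    if direction == "in":
        # ingress rule: an inbound packet claiming a local source is spoofed
        return "block" if is_local else "pass"
    raise ValueError(f"unknown direction {direction!r}")


# Constructed traffic sample: (direction, source address)
SAMPLE_PACKETS = [
    ("out", "192.0.2.10"),   # normal outbound packet
    ("out", "203.0.113.5"),  # inside host spoofing an outside address
    ("in", "198.51.100.9"),  # normal inbound packet
    ("in", "192.0.2.44"),    # outsider spoofing an inside address
]


def apply_filter(packets, local_net=LOCAL_NET):
    """Run every sample packet through the filter; return (dir, src, verdict)."""
    return [(d, s, filter_packet(d, s, local_net)) for d, s in packets]


if __name__ == "__main__":
    for d, s, verdict in apply_filter(SAMPLE_PACKETS):
        print(f"{d:3} {s:15} {verdict}")
```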
Encryption and Authentication. There are Internet
details of data encryption and
how to authenticate messages.
protocols may help to eliminate simple IP spoofing attacks.
Sequence number spoofing. The TCP protocol specifies the use of sequence numbers within data packets.
data byte has a sequence number
the receiver must
acknowledge the sequence number of the last
Sequence number spoofing is the case where a hacker can compute the next set of sequence numbers in a data transmission.
The hacker can
, in such a case, send false packets of data and they
will be received
trust by the client program in the receiving
A good defense against this kind of attack is to encrypt the data. If the hacker doesn’t have the encryption key, any false data inserted will not decrypt properly and will be useless to the owner (who can request a retransmission) as well as to the hacker (who can try to corrupt the next transmission).
This type of attack occurs when a hacker
access to a network device, such as a router, that serves as
between the server and client. The hacker can, in
such a case, use
IP spoofing to take over the entire session of data
transmission and send
, rogue programs,
and corrupt data to the client’s computer
An alternative is to use “blind” hijacking, where the hacker
of the computers at
B and C.
hacker can, in such a case,
cannot see the response, but can guess the response to
. A typical command is to set a password
allowing access to
C from somewhere else on the
A domain name server (DNS) is a computer used
. It has a dictionary with IP
addresses and the
a computer wants to send data, it has to prepare
the IP address of the receiving computer.
the URL (a meaningful
string), so the sending application has
the DNS first, send it the URL, and receive the
then can the application send data with the
TCP headers. This is why, when we want to browse a certain URL, the browser often displays the message “looking for . . . ” for a few seconds.
One threat related to DNS is man in the middle (MIM).
a domain name, such as
aple.com, that is similar to an
a user mistypes
instead of apple, the
from the DNS computer the IP
address of the hacker’s site,
to that site.
the hacker is in control. His site can
similar to that displayed by the real site,
while also sending
hacker can even retrieve from apple.com
pages the user wants, then forward them, perhaps
modified, to the user
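A defender-side check suggested by the aple.com example, added here and not part of the original text: a Python routine that measures how close a queried domain name is to a protected one, so that a resolver log can be screened for lookalike names. The watch list and resolver entries are constructed.

```python
"""Flag domain names that are one typo away from a protected domain
(added example). The text's case is aple.com mimicking apple.com."""

PROTECTED = ["apple.com", "rsasecurity.com"]  # constructed watch list


def edit_distance(a, b):
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def lookalikes(domain, protected=PROTECTED, max_distance=1):
    """Return the protected domains that `domain` imitates, if any.
    The protected name itself is never reported as a lookalike."""
    d = domain.lower().rstrip(".")
    return [p for p in protected
            if d != p and edit_distance(d, p) <= max_distance]


def check_dns_answers(answers, protected=PROTECTED):
    """answers: (queried_name, ip) pairs as a resolver log would show them.
    Returns the entries whose queried name imitates a protected domain."""
    return [(name, ip, hits) for name, ip in answers
            if (hits := lookalikes(name, protected))]


# Constructed resolver log: the user mistyped apple.com once.
SAMPLE_ANSWERS = [
    ("apple.com", "198.51.100.1"),    # constructed addresses throughout
    ("aple.com", "203.0.113.66"),
    ("example.org", "198.51.100.3"),
]

if __name__ == "__main__":
    for name, ip, hits in check_dns_answers(SAMPLE_ANSWERS):
        print(f"{name} ({ip}) looks like {', '.join(hits)}")
```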
A common MIM attack involves denial
) against a
flooding it with messages and so preventing it
legitimate users and
attack can be directed either
server computer to force it to crash, or against
the network connection
Another threat related to DNS is DNS poisoning. In the past, the
DNS software was the Berkeley Internet name daemon (BIND).
Early versions of this software had weaknesses that made it easy for a hacker to modify the IP addresses associated with any URLs.
IP associated with, say, apple.com. Anyone trying to connect to it will be connected to the hacker’s site, with potentially disastrous results.
known example of DNS poisoning is the defacing, in 2001, of
site of RSA
from RSAsecurity.com to a fake
site that looked like the RSA site
different in significant ways.
who noticed the differences in
site, assumed that RSA
Security, an important developer of
had been compromised. In fact, only the DNS
Spam is unwanted, unsolicited email sent
to many unwilling
of it is commercial advertising
quick schemes, or quasi-legal or health services
is named after the 12-oz cans of spicy ham made by the
itself, spam is a nuisance, not a security concern
it can be
exploited for a
attack. A central computer
and receiving email for a large organization can be attacked
its many users massive quantities of identical email
valuable network bandwidth, it overloads the CPU,
on the email server, and can cause it to crash (by
structure) or freeze (by keeping the CPU
, logging, sending, and
forwarding the spam messages).
It may come as a surprise to many that most spam messages are
computers (mostly private personal computers on high
networks) that have been infected by special strains of viruses.
Such a virus
hijacks the infected computer and turns it into a
major spammer may at any time own such a
thousands of spam proxies that serve him
send millions of
virus (technically a worm, see year 2003 in Appendix C) was the
of malicious software designed to create spam proxies, but
(mostly variants of the original
) are implemented and
the time and manage to infect tens of thousands of computers
virus installs special software known as
computer (essentially hijacking it) and handles the distribution
URLs such as
and Spamforum.biz (both
now defunct), which are hosted
Russia and China
(but also in Florida), may not look very useful or
a casual visitor or even to security
this book, but are familiar and very
useful to spammers.
advertisements for bullet-proof hosting (ISPs, most of them Chinese
allow spam) and
allow spammers to exchange news and information.
The news is mostly about steps taken by ISPs and law enforcement in various countries to make the lives of spammers more difficult.
Much information is offered on ISPs and networks that close their eyes to spam for the high revenues obtained from spammers.
Safe program has a feature that
speeds up the sending
and makes it
harder to identify its source
maintains a register of known spam
addresses, and much information on the top
Why Spam is bad?
It is easy to send. All that a spammer needs is
spam software and
Many spam messages ask the user to click on
a link to be removed
Spammers tend to use computing resources
illegally or even to steal
Spam is trash. We have all seen messages
deceptive or fraudulent services
As a simple precaution, try to uncheck all the
ask for more
information or subscribe to a free service or
A Web site that collects names and addresses has to have a privacy policy where it states whether it shares this information with other parties.
If a site does not display such a policy, or if it has
no policy at all,
. Naturally, the worst sites
promise privacy and break this promise all
It is also a good idea (practiced by this author) to
you see the words “free
gift.” These words are a sure sign of
, because a gift, by its very nature, is free
A similar scam to avoid is contests. Contests are very often used to lure unsuspecting users to submit their names, physical addresses
numbers, and email addresses.
important technique of collecting email addresses is
(some prefer the term scavenging) from the
The spammer can simply
numbers in order, and examine
each result automatically,
software (that he can constantly
tune up and improve), looking
that may be email
, software that
Web pages looking for email addresses, and
future abuse or for sale.
obvious (but alas, not ideal)
to obfuscate all email
addresses in a Web page. Instead of writing an
Web site in a form such as
to have something like
Anti-Spam tools
There are commercial services that provide relief from spam for
by blocking it. A typical spam
relief service maintains a list
senders and asks each of its members to provide their own list
service “sits” between the member and the
and the member uses the same email software to send and
, the software connects to the service which, in
the member’s email server. Messages whose senders are in
list of approved senders (or in the individual member’s list) are
to the member.
any other messages, the service sends the
message, like the one of Figure 7.5, asking the sender
on a certain link. When the sender clicks on the link, he is added to the service’s list of approved senders. The idea is that a spammer will not be able or willing to respond to many challenges.
A simple technique to reduce spam is to open several
. When one gets flooded with spam,
tell your correspondents to
are several large companies, such as Yahoo and
provide free email addresses, but they
and various attacks.
A common sense idea is to avoid giving out your email
you have a Web site with your address, try to write it in
dot com or a similar format. If you set
or a discussion group, try to display
just part of any email address.
Certain types of malware are used to capture control of
command it remotely. Such a captured machine is known
a set of zombies is termed a
ideal means of hiding the identity of a perpetrator and
more and bigger
all the time.
is known that
carried out after the attacker has
gained control of many
turned them into zombies
targeted Web site is flooded with a
messages sent by computers whose innocent
the attack. The attack keeps legitimate users from
inconvenience to users and monetary losses to the
. Such an attack is referred to as distributed denial of service (DDoS).
Zombies are also used by spammers to hide their identities. A
controls a zombie computer, sends this slave a (normally stolen)
email addresses and instructs it to send a message (or several
useless merchandise, fraudulent schemes, or
the addresses. Zombies are less destructive than
viruses or other types
software because they rarely damage data.
More Spam Advice
If you have your email program set to preview
messages (i.e., to
the contents of the
message in a window below the list of email),
may be able to verify that the email has been
If you click on a link to unsubscribe from a mailing list,
the spammer that your email
address is active.
address to others.
Spammers can include a “web bug” in an email. This is
site as soon
as the email is read or previewed.
If you want to avoid letting spammers know that their
mail got through
the advice given here.
spam software, update and run it
regularly. This software
unwanted email, especially if it is programmed to
from the user/reader and
employ it to learn (from the subject
sender’s address) which messages are spam
Never buy anything advertised by unsolicited
email because this
If the sender’s name sounds unfamiliar, delete
the email without
. Most spam is
just a nuisance, but often it includes viruses
Never respond to spam messages or click on any links in them.
even to unsubscribe from it
confirms to the
address is a valid one, thereby
encouraging more spam.
Opt out of any further information or free or attractive offers.
fill out forms on the Web, uncheck any checkboxes that
Don’t use the preview mode in your email viewer. Spammers can
a message has been previewed, even if it hasn’t been
preview effectively opens the email.) Knowing
that you have read
encourages the spammers.
Try to decide whether an email message is spam based only on
line and sender’s name and address. Use the bcc field if you
people at once.
bcc (blind carbon copy) field hides the list
any individual recipient. If you include the addresses in
spammers may harvest them and add them to mailing lists.
Restrict the use of your email address on the Internet.
Web sites, newsgroup lists or other
online public forums.
Spammers have software
that crawls the internet to find
addresses in such places,
, and add them to
Give your main address only to those you trust (and even
your address to be discovered and
abused by spammers).
Always have several secondary email addresses ready.
open at sites such as Yahoo, Gmail, and
out Web registration
forms or surveys on sites with which you don’t
contact, use a secondary email address
Denial of Service
Many Internet attacks try to obtain private data or to damage data.
, a denial of service attack aims to shut down an entire
server, or a particular Web site. The attack tries to
of a service from using that service.
can be done by one of
Flood a network with traffic. This makes it hard or impossible for
to send or receive data.
Disrupt connections between two computers. This prevents remote
Attempt to prevent a particular user from accessing a service.
Disrupt or prevent network access to a particular computer or
hacker may open an account at an ftp site, then store
data and retrieve
, thereby consuming disk space and
There are three types of denial of service: (1) consumption of scarce
resources, (2) destruction or alteration of network
(3) physical destruction or alteration of network
The first type, consumption of scarce resources, relies on the fact
and networks need resources such as electrical power, CPU time
space, disk space, and network connections.
a hacker to consume is network connectivity. It is
possible to tie
network connections of a computer, such that it waits
never arrives, so it remains hung up.
that the hacker has to
start opening a connection to a network
server but never complete
. The victim server has reserved a port
and a data structure
connection, but the port remains half open. The
hacker (or a group
attackers) can very quickly tie up all the
available ports of
the meantime, other users, legitimate or not, who try to
are denied access
Such an attack is called a SYN flood. Even
someone with only a
and slow modem can stop a large server
very quickly. Here is
description of this threat.
Ping and ICMP
Those are commands that were originally developed for testing connectivity in
The original ping program was written as part of UNIX by Mike
much interest that the ping concept became
the Internet protocol.
If your operating system is experiencing frequent crashes with no
could be the result of this type of attack.
The obvious defense against the ping of death is to patch the
sends data packets to never send large packets, and patch
packets to ignore packets that are too large
should be done by the makers of the operating system and issued as
The second type of
threat involves destruction or alteration of
. An attacker may be able to change the IP number of
computer, change the registration of the operating system
telephone numbers used by the modem to call
The third type of
threat involves physical destruction or
components. This can be done by an intruder physically
a computer center
and disabling, breaking, or disconnecting cables
hardware devices. A hacker
may also climb a utility pole and
lines or television cables,
thereby disrupting service to users in
A firewall is a combination of software and hardware that decides what requests and what specific data packets can pass to and from a computer.
firewall for a personal computer is
software, whereas a small network of computers
home (typically consisting of 2 to 3 computers and a printer)
a hardware firewall that’s built into the network’s router
The main task of a firewall is to block certain requests for data
the firewall makes these decisions based on rules. A
in (default) rules, and its user/owner
can add, delete, and
can say that a firewall enforces an access policy through the
a rule tells the firewall what properties of a data packet
to decide whether to let the packet through or
A typical firewall performs the following tasks:
(1) limit incoming data
that data coming from
certain senders (or that has certain properties)
(2) limit outgoing data, so a program will not be
outside (to call home) without
the owner’s knowledge,
(3) keep a log of all its activities,
especially on data packets it has blocked, and
(4) do all this fast and be transparent to the user.
A firewall rule specifies a set of conditions and
what action to take
complex rule can check several conditions,
rule is limited to just one
condition. Rules can also be hierarchical.
In such a case, each rule is simple and checks one
condition, but a rule
several child rules,
each checking one condition. This way, each rule
, but the overall performance can be
Examples of actions are “delete,” to delete a data packet, “pass,” to
(into or out of the computer), “drop,” to drop the
attack that tries to hang up the
connection), and “log,” to log the packet and then apply the next rule to it. (For incoming data packets the “drop” action sends a TCP RESET command to the sender, while for outgoing packets the same action sends a small TCP FIN packet.)
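To make the rule semantics concrete, here is an added Python sketch (not from the book or any real firewall product) of a rule evaluator in which each rule checks one condition, “log” falls through to the next rule, and a parent rule can hold child rules; the packet fields, rule names and policy are constructed for the example.

```python
"""Tiny rule evaluator in the style the text describes (added example, not
a real firewall). Each rule checks one condition; "log" records the packet
and falls through to the next rule, while "pass", "drop" and "delete" are
terminal. A rule may hold child rules, consulted only when the parent
condition matches, which gives the hierarchical form the text mentions."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Packet:
    direction: str    # "in" (arriving) or "out" (leaving)
    src: str
    dst_port: int
    proto: str


@dataclass
class Rule:
    name: str
    cond: Callable[[Packet], bool]
    action: Optional[str] = None       # "pass", "drop", "delete", "log" or None
    children: List["Rule"] = field(default_factory=list)


def evaluate(rules, pkt, log):
    """Return the first terminal action for pkt, or None if no rule decides.
    `log` collects (rule name, packet) pairs written by "log" rules."""
    for rule in rules:
        if not rule.cond(pkt):
            continue
        if rule.action == "log":
            log.append((rule.name, pkt))
            continue                   # a log rule never ends evaluation
        if rule.children:
            verdict = evaluate(rule.children, pkt, log)
            if verdict is not None:
                return verdict
            continue                   # no child decided; try later siblings
        if rule.action is not None:
            return rule.action
    return None


# Constructed policy: inbound Telnet is logged and then dropped, inbound HTTP
# passes, any other inbound packet is deleted, and outbound traffic passes.
POLICY = [
    Rule("inbound", lambda p: p.direction == "in", children=[
        Rule("log-telnet", lambda p: p.dst_port == 23, "log"),
        Rule("drop-telnet", lambda p: p.dst_port == 23, "drop"),
        Rule("allow-http", lambda p: p.dst_port == 80 and p.proto == "tcp", "pass"),
        Rule("default-delete", lambda p: True, "delete"),
    ]),
    Rule("outbound-pass", lambda p: p.direction == "out", "pass"),
]


def decide(pkt, rules=POLICY):
    """Evaluate pkt against rules; return (verdict, log entries)."""
    log = []
    return evaluate(rules, pkt, log), log


if __name__ == "__main__":
    for pkt in (Packet("in", "203.0.113.9", 23, "tcp"),    # constructed samples
                Packet("in", "203.0.113.9", 80, "tcp"),
                Packet("out", "192.0.2.5", 443, "tcp")):
        verdict, log = decide(pkt)
        print(pkt, "->", verdict, "logged by", [name for name, _ in log])
```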
The two main components of a firewall are the gate and the choke
be several such pairs in a large firewall).
gate transfers or
data and the choke is the filter that
decides which data to block.
with firewalls like to compare the gate to a security
choke to a security guard.
Firewall extra tasks
A modern firewall may also include rules for checking
the data of a
, not just the fields of its
header. This useful feature is referred to
Another advanced task is to limit the amount of data
to certain users or to certain
applications. This way, a firewall
Bandwidth accounting is another important task
. The owner/operator of
a local network needs to know how
used over time
Another important picture that a good firewall can
paint is the
A router is an important component of a
, even a small network used in a home.
if there is only
, a router is still
Perhaps the simplest attack on a router is to change
the DNS server
. Every time the computer user
wants to connect to the Internet,
typed by the
user has to be translated to an IP address.
There are many DNS servers that maintain lists of pairs (URL, IP), and they
needed IP addresses.
Sending the router to a malicious DNS server is the key to a whole slew of other attacks.
A more complex threat is posed if someone can modify the
run the router. Those programs are firmware and
updates from time to time. Imagine
someone slipping malware
new firmware update issued by
the router manufacturer and made
its website, waiting
to be downloaded by router owners.
updated, the malware in it can send its controller
copies of any data
received by the computer. It can even
send executable code to all
attached to the router, all
without the router owner’s knowledge.
Even more dangerous exploits are possible, but they may require
help” from the user. Both hackers and security researchers
router can be attacked and compromised if the
user can be enticed to
a bad link or if the user neglects to
change the router’s password from
Router usage advice
Reset the router (even a brand new one) to its
Update the router with the latest firmware
available in the
Change the default password to a new, secure one.
The router may have features to support devices that you don’t have. Turn those features off.
Turn off all features that allow the device to be
device(s) plugged directly into the router.
The Internet is big. There are
more files. Each file on the Internet (as also on a
have a unique name, which is
why many URLs are long. Special
shortening services exist to alleviate this
Examples are tinyurl.com, bit.ly, and is.gd. These services are useful but they
threat. Someone sends you a short URL that
to an interesting site whose URL
is long. Instead, the short URL takes
PDF JBIG2 flaw. In 1993, Adobe introduced the portable document format (PDF), a file format for documents. The format is independent of the application software, hardware, and operating system used to create
PDF file includes a complete description of the
fonts, illustrations (images in vector graphics format
type of data in the file is compressed with an
specifically for that type. Together with the format specification,
Adobe also released appropriate software that it collectively named
Adobe Acrobat is a family of computer programs designed to view, create
, and manage PDF files. Most of the programs in this
commercial, but Adobe Reader (for viewing and printing of PDF files
free and can be downloaded from Adobe’s web site.
especially the Reader are widely used to present
platform independent documents
Adobe Flash is a popular multimedia application
animation and interactivity to Web pages.
in 1996 by Jonathan
Gay who called it
by Macromedia in the same year and its name
2007, it has been developed and distributed by
Flash is commonly used to create animation,
videos that are included
pages. In July 2009, a weakness (that is, a zero-day vulnerability) was discovered in Flash player 10 by an anonymous hacker.