Why do we learn how to attack? Just like doctors need to train treating sick patients for years, with an attending, before they can practice on their own, security practitioners need to practice attack detection and defense, in a realistic setting and under supervision of more experienced professionals, before they gain enough skills to handle attacks in the wild. Attacks occur in many variants, and may affect different networks in different ways. Also, often several types of attacks have similar "symptoms" and only hands-on investigation of each event can help a security practitioner disambiguate among them.
Unfortunately, it is almost impossible to obtain access to a real network during attack, unless one is this network's administrator. And it is too costly for classes to have a team of professional hackers attack a network so students could investigate the effects and try out countermeasures. This is why in this class we are learning how to attack ourselves, and then how to diagnose and defend against these attacks.
What about ethics? Attacks we learn are all performed in DeterLab, on a set of machines and network connections that are isolated from the real Internet and whose purpose is to be used for security experimentation. It is perfectly safe to crash these machines, infect them, overload the network, disturb connectivity, etc. There are established procedures to recover the initial state after any of these events and no one is disturbed by these actions.
What if a student uses the techniques learned in class to attack someone in real world? Many attacks that we learn about in class include sending unsolicited traffic to the victim, breaking into the victim's computer, accessing resources or information without authorization or interfering with their network connectivity. Any of these acts are punishable by US law and are criminal offenses. Most are misdemeanors but some are felonies. Same rules apply to cybercrime as they do for stealing or physical attacks. It is never OK to attack someone, physically or in cyber-world.
An intrusion scenario consists of five stages:
Another way to do reconnaissance is to search the Internet for desired information. Organization's Web site may hold information about internal servers, their configuration and their IPs or DNS names. Employees may post such information to Web forums, e.g., for Linux or Java troubleshooting.
When an organization acquires a domain name or a set of IP addresses, Internet bodies known as registrars collect and publicly display information about:
An attacker can gather information about target's IP address range, different server's names and IP addresses and possibly server OS and configuration information from the target's DNS server. One way to do this is called interrogating DNS or DNS zone transfer. This is the type of DNS query that causes the server to dump all its information in the reply. It was created to help networks perform server backup. If the target's DNS server does not have a security rule that prevents DNS zone transfers to an IP outside of the target's IP address range, the attacker can use this to obtain information about the target.
What are defenses against DNS interrogation? One is to ensure that DNS zone transfers can be done only with internal servers. Another is to make sure that DNS server has no extra information - just public server IPs and domain names. The third defense is split-horizon DNS illustrated in the figure below.
Here, there are two DNS servers - an external one visible to external users and an internal one visible to employees. The external/internal server holds information only about public/private servers respectively. If a server needs to be accessible both to external and to internal users it receives two IP addresses, one public one private. The internal DNS server can redirect internal users to the external DNS server if these users need info about public addresses of the company's servers. No external user can access the internal DNS server. This can be enforced either via firewall rules or security rules in the internal DNS server's configuration.
To learn about live machines the attacker can perform a ping sweep or a TCP SYN sweep. A ping sweep sends a ping (ICMP ECHO request) to each IP address in the IP range assigned to the target. If there is no reply or ICMP unreachable message, the address is not live; if there is a ping reply (ICMP ECHO reply) the address is live. A network could defend against this with a firewall rule that forbids ICMP traffic to exit the network, thus any ping would receive no reply. TCP SYN sweep sends a TCP SYN to all or some ports on each IP address in the IP range assigned to the target. Such traffic cannot be filtered by a firewall since the target may offer some public services that legitimate customers will access by sending TCP SYNs. But a firewall could restrict TCP SYN traffic only to those public services.
To learn about network topology the attacker can perform a traceroute. This program sends packets (usually ICMP ECHO but other types can be sent as well) to some address in the target's IP range, with the increasing value in the IP header's TTL (time-to-live) field. When this value comes to zero, routers usually issue ICMP unreachable message to the sender. By looking at these replies the attacker can piece together the route from his machines to the target, as well as the target's internal network topology. One defense against network topology mapping is to have a firewall rule that forbids ICMP traffic to exit the network. Another is network address translation (NAT).
A NAT sits on a border router of the network and rewrites IP addresses and ports in packets going in and out. When an internal host B wants to send traffic out on a new source port NAT creates an entry in its table that maps (IPB, sportB) to a currently unused port X at the NAT. It then rewrites (IPB, sportB) with (IPNAT, X) in each packet sent from B to the outside. When the replies come back for (IPNAT, X), NAT rewrites this into (IPB, sportB) and passes the replies to B. This way the remote server has an impression that it is communicating only with the NAT and learns nothing about the internal topology of the network.
If B offers some public service (e.g. a Web server) NAT will use the well-known service port (e.g. 80) for X. The situation becomes complicated if there is more than one public server within the NAT-protected network, that needs the same well-known service port. In this case only one server can offer service on this port to its clients, while all other servers must use non-standard port numbers. This requires notifying clients about this non-standard port number, i.e. this is not transparent to the clients.
Port scanning is usually done to detect open ports, but can also be used to find OS type and version or firewall holes. Various scans can be sent, e.g.: