Lecture
The rapid development of the Internet has led to the emergence of many new information threats. When working in a local network it is possible to unify the software configuration of every workstation and the protocols used in the network, and to centralize network administration; the global network, by contrast, is an uncontrolled and very often aggressive information environment with a number of specific threats that cannot be countered by those means. To counter network attacks, special hardware, software and algorithmic protection methods are used, which are discussed in this chapter.
One of the main reasons for the vulnerability of information systems on the Internet is the weakness of the IP protocol of the TCP/IP stack, which serves as the basis of network communication. When this protocol was designed at the dawn of the Internet, security problems were not yet acute, so little attention was paid to the security of the protocol. A new version of the protocol, IPv6, is currently being developed; it is expected to contain built-in protection mechanisms and to help eliminate many of these problems. Let us consider the main network threats.
Denial of service (DoS) attacks. This name covers methods designed to disrupt the operation of a network device by overloading one of its limited resources, causing it to fail, or changing its settings. The limited resources are RAM, disk capacity and processor time. A typical DoS attack generates a flood of network packets that the network servers cannot process in time, which leads either to failures in their operation or to an inability to serve requests from ordinary users. An example of a DoS attack is SYN flooding: the attacker sends the attacked computer a multitude of TCP packets with the SYN flag set and a sender address that does not exist. For each such packet the attacked computer creates the internal data structures needed to support the connection and sends a response packet to confirm it. Since a non-existent address was given as the sender, the attacked computer never receives a reply to its packet, and the memory for the internal data structures remains reserved for some time. With a large number of attacking packets the memory of the attacked computer may be exhausted, which leads to its failure. To prevent such attacks, intelligent packet filters are used, and at the moment an attack is detected the time the host waits for a reply to its packet can be dynamically reduced. Distributed DoS attacks (DDoS) are especially destructive. To launch an attack of this type, the attacker must first gain access to a set of weakly protected computers connected to the Internet and install special DDoS software on them. A remote computer with DDoS software installed is called an agent. On a command from the attacker's computer, the agents begin sending network packets to the attacked computer. Agents can send ICMP requests to a broadcast address (Smurf attacks), bogus HTTP requests, fragmented packets, or random traffic.
The attack can be directed at any network device: routers (which effectively blocks the entire network), servers (Web, mail, DNS), or specific computers (firewalls, IDS). As a result of the attack (several hundred machines can generate traffic of several gigabytes), the attacked computer will either stop processing requests completely or do so very slowly.
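The SYN flooding mechanism described above, and the mitigation of shortening the wait for the handshake reply once a flood is under way, as an added simulation that is not part of the original lecture (the half-open table, its size, the timeout values and the traffic mix are constructed assumptions, not a real TCP stack):

```python
BACKLOG_SIZE = 128          # half-open entries the server can hold (assumed)
NORMAL_TIMEOUT_MS = 75_000  # how long a half-open entry waits for the final ACK
ATTACK_TIMEOUT_MS = 1_000   # shortened wait used once the table looks flooded


class SynBacklog:
    """Simulated half-open table: each SYN reserves an entry until ACK or timeout."""

    def __init__(self, adaptive):
        self.adaptive = adaptive
        self.table = {}  # (src_ip, src_port) -> SYN arrival time in ms

    def _timeout(self):
        # Adaptive mode: once the table is more than half full, assume a flood
        # and shorten the wait so entries for spoofed sources are recycled fast.
        if self.adaptive and len(self.table) > BACKLOG_SIZE // 2:
            return ATTACK_TIMEOUT_MS
        return NORMAL_TIMEOUT_MS

    def on_syn(self, src, now_ms):
        """Return True if the SYN got a backlog entry, False if it was dropped."""
        limit = self._timeout()
        for key in [k for k, t in self.table.items() if now_ms - t > limit]:
            del self.table[key]  # waited long enough: give up on this handshake
        if len(self.table) >= BACKLOG_SIZE:
            return False  # table exhausted: this is the denial of service
        self.table[src] = now_ms
        return True

    def on_ack(self, src):
        """Handshake completed: the entry leaves the half-open table."""
        self.table.pop(src, None)


def simulate(adaptive, ticks=100):
    """Constructed load: 100 spoofed SYN/s that are never ACKed, plus one real
    client every 0.5 s, for 10 s. Returns (real handshakes served, attempted)."""
    backlog = SynBacklog(adaptive)
    spoofed = served = attempts = 0
    for tick in range(ticks):
        now = tick * 100  # one tick = 100 ms
        for _ in range(10):  # flood: SYNs from sources that never answer
            backlog.on_syn(("198.51.100.%d" % (spoofed % 256), 40_000 + spoofed), now)
            spoofed += 1
        if tick % 5 == 0:  # real client: SYN, then its ACK arrives
            attempts += 1
            src = ("203.0.113.7", 50_000 + attempts)
            if backlog.on_syn(src, now):
                backlog.on_ack(src)
                served += 1
    return served, attempts
```

With the fixed 75 s wait the table fills within the first two seconds and real clients are refused; with the shortened wait the stale entries are recycled faster than the flood creates them, so every real client is served.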
Attacks using the ICMP protocol are very common. The Internet Control Message Protocol (ICMP) is an auxiliary protocol (the popular ping utility uses it). ICMP contains no method for authenticating the source of a message, which attackers actively exploit. For example, the ICMP messages “time exceeded” and “destination unreachable” are used to block a service. The first message means that the limit specified in the TTL field of the packet header has been exceeded; this can happen because of packet looping or when the addressee is very far away. The message “destination unreachable” has several variants, but all of them mean that there is no way to deliver the packet to the addressee. Both messages force the recipient to terminate the connection immediately, and this is exactly what an attacker can achieve by sending such a message to one of the participants in a communication. ICMP can also be used to intercept packets. The ICMP “redirect” message is normally sent by the local network's external gateway in cases when a computer assumes that the addressee is outside the local network and forwards packets addressed to it through that gateway. An attacker can send an ICMP “redirect” message and force another computer to send its packets through a host specified by the attacker.
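The host-side check that limits what an unauthenticated “redirect” can do, as an added example that is not part of the original lecture: a Redirect is honoured only if it comes from the gateway currently in use for that destination and names a new gateway on the directly connected subnet (the checks RFC 1122 asks hosts to perform); the subnet, gateway address and sample messages are constructed assumptions.

```python
import ipaddress

# Constructed host configuration (assumption): one on-link subnet, one default gateway.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
DEFAULT_GATEWAY = ipaddress.ip_address("192.0.2.1")


def accept_redirect(ip_src, redirect_dst, new_gateway):
    """Decide whether an ICMP Redirect may change the route for `redirect_dst`.

    Applies the host checks from RFC 1122 section 3.2.2.2: the Redirect must come
    from the gateway currently used for that destination, and the new gateway must
    be on the directly connected subnet. Returns (accepted, reason).
    """
    src, dst, gw = (ipaddress.ip_address(a) for a in (ip_src, redirect_dst, new_gateway))
    if dst in LOCAL_NET:
        return False, "destination is on-link, no gateway is used for it"
    if src != DEFAULT_GATEWAY:
        return False, "sender is not the gateway currently used for this destination"
    if gw not in LOCAL_NET:
        return False, "new gateway is not on the directly connected subnet"
    return True, "route updated"


def audit(redirects):
    """Return the Redirects a host would discard, with the reason for each.

    `redirects` is an iterable of (ip_src, redirect_dst, new_gateway) tuples,
    e.g. taken from a packet capture or a host log.
    """
    report = []
    for ip_src, redirect_dst, new_gateway in redirects:
        ok, reason = accept_redirect(ip_src, redirect_dst, new_gateway)
        if not ok:
            report.append((ip_src, redirect_dst, new_gateway, reason))
    return report


# Constructed sample: one legitimate Redirect from the gateway and two that a
# host applying the checks above silently discards.
SAMPLE_REDIRECTS = [
    ("192.0.2.1", "203.0.113.10", "192.0.2.2"),     # from our gateway, on-link target
    ("192.0.2.66", "203.0.113.10", "192.0.2.66"),   # another host naming itself as gateway
    ("192.0.2.1", "203.0.113.10", "198.51.100.1"),  # new gateway not on our subnet
]
```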
Attacks on the servers of some network services (Web, mail) are also popular: due to software errors, requests of a certain form can cause errors such as buffer overflows and give an attacker administrative access.
An important aspect of security is ensuring the confidentiality of network traffic, since message packets can be intercepted at any intermediate node on the way to the recipient, and classic IP provides no built-in encryption.
The global network is a favorable environment for the spread of viruses and Trojan horses. The development of the Internet has given rise to a new phenomenon: network worms. Let us dwell on the Klez network worm. This specimen infects a computer through an error in the Outlook email program: when the user tries to read a letter containing the virus, Klez infects the system. Once in the OS, the network worm scans the hard drives, searches for email addresses and sends letters to them with its body as an attachment, generating very large outgoing traffic. As a result, the propagation speed of the network worm became very high. All other network worms use the same scheme: they get onto a computer in one way or another, search for email addresses and send themselves on. According to Kaspersky Lab, over its lifetime Klez has infected more than 110 thousand computers. The main way to protect against such malware is to regularly update the antivirus databases and also to regularly update the software that viruses attack, because, for example, the patch fixing the OS error exploited by the Klez virus was released long before the worm appeared.
The list of possible threats emanating from the global network is, of course, far from exhaustive, all the more so as new types of attacks regularly appear on the network, but the list above outlines a number of problems facing a local network's security system. Ways to counter the main network threats are discussed next.