Denial of Services Attacks and Vulnerabilities
# 1  
Old 05-10-2004
Denial of Services Attacks and Vulnerabilities

I've recently registered for the site and have found it very useful thus far. However, I am a student currently researching network attacks, specifically, denial of services and the damage posed to operating systems. If you have any information about this topic, please send to me.

Thanks,
Darrell
# 2  
Old 06-11-2004
Re: Denial of Services Attacks and Vulnerabilities

Quote:
Originally posted by darandkat
I am a student currently researching network attacks, specifically, denial of services and the damage posed to operating systems.
I think the big thing here is to consider the damage posed *BY* operating systems. With certain commercial operating systems being unwilling or unable to fix published (and unpublished) security holes in their operating system, as well as users that are ignorant of the global picture when it comes to security, not a lot can be done to resolve the problem. (I'm a strong believer in mandatory licensing for Internet usage.)

However there are a few basic guidelines you can follow to protect your network as well as your machines.

First we need to break down the different types of network attacks.

1. Information Leaks.
This includes intrusion, sniffing, etc.

2. Generic DoS.
These are attacks (both intentional and non-intentional) that take down a service, or multiple services.

3. Distributed DoS. (DDoS)
These are often targeted at a single point, but the effect can be felt upstream.



1.
For informational leaks, the best thing to do is keep up with the software you run.

Avoid 'bleeding edge' software, and stick to stuff that has a good history. Bleeding edge versions of software may have a load of new features, and often even bug fixes; however, they may have even worse problems introduced into them. If you are running a semi-critical service on your network and a new version comes out, check the Changelog: are any security holes fixed? Are the new features really worth the possibility of new bugs? Even things like speed and memory overhead improvements in software are rarely worth the upgrade unless there are known security holes.

Run what you need to, disable what you don't, and firewall the rest. If you have a web server that serves static HTML pages and FTP, then there is no need for sendmail to be listening on the network. Configure it to only listen on localhost, or if you don't know how, filter it out with your kernel's firewall utility (ipchains, iptables, pf, ipfw, whatever). The less there is listening on the network, the less you have to worry about.

On the topic of firewalls, today I was reading a client's firewall pf.conf (OpenBSD's PF) and it gave me a headache. 800 lines of nonsense. The rule of security is simplicity. If you know what services your network provides, block everything else.

Take my home firewall for example (NAT'd). The rules are very simple. I know I don't provide any internal services other than SSH on the firewall itself to a few trusted machines. I know all of the machines on my network are safe. Here is my pf.conf:

Code:
$ cat /etc/pf.conf
# Configuration Options
ext_if="fxp0"
int_if="fxp1"
internal_net="192.168.0.0/24"

# Tables
table <trusted> { *REMOVED*}
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <dsua03> const { 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 224.0.0.0/4, 240.0.0.0/4 }

# Options
set loginterface $ext_if
set optimization normal
set block-policy drop

# Normalization
scrub in on $ext_if all fragment crop

# NAT
nat on $ext_if from $internal_net to any -> ($ext_if)

# Antispoof
block in quick on $ext_if from {<rfc1918>, <dsua03>} to any

# Block all incoming
block in log on $ext_if all

# Allow SSH from trusted people
pass in on $ext_if proto tcp from <trusted> to any port 22 keep state

# Allow anything to go out
pass out on $ext_if proto {tcp, udp, icmp} all keep state
pass out on $int_if all

Summarized for anyone who doesn't know PF, it basically says to:
  • Translate my internal network (192.168.0.0/24) to my external address.
  • Block any non-routable IP address coming in my external interface.
  • Allow SSH to come in from a select few hosts.
  • Allow everything to go out.
  • Let nothing else in.


2.
Generic Denial of Service. This is anything that stops a service from working. This could be a connection flood, a wild script running on the machine, or just not enough bandwidth.

Denial of service is not something that you can really proactively secure against, other than keeping your software updated and knowing the services you are running. It is all about having the means and knowledge to respond to the event. You need to monitor the services you run.

If your httpd goes down, you need to get it back up and find out why it went down. Once you know why it went down, do whatever you need to do to prevent it from happening again (e.g. filter an attacker on your firewall, disable the misbehaving script, etc.).

It may just be that the machine hosting your service just can't deal with the load. This means upgrade. Hardware, software, providers, whatever.

3.
Distributed Denial of Service.

DDoS attacks can take down full networks. I have personally seen DDoS attacks in the upward range of 1200Mbps. At this point the only response is to try to get it filtered upstream and wait it out (Unless your network can handle 1200Mbps).

These attacks can be prevented. Some may not agree with that statement but it is true. DDoS attacks have a target. It's either a machine on your network, or your network itself.

IRC is a massive target of DDoS attacks. With gangs of skript kiddies trying to out do each other, or just someone who wants your nick. Avoid IRC, or at least public IRC daemons. Don't piss people off on IRC if you decide you can't live without it. Avoid common nicks, or l33t hax0r nicks if at all possible. These draw attention to you.

The other big target of DDoS attacks are large (evil) corporations. Although I'd love to say those assholes deserve it, I know what the cost of my own spite is. An example:

A l33t hax0r decides they want to attack windowsupdate.microsoft.com. Clients are no longer able to connect to download the weekly Microsoft security hole, err, I mean security fix. Now there are a bazillion machines open to even more security holes for skript kiddies to infect.

If you do not draw too much negative attention to yourself, or your services, you won't have problems with network attacks.

However, that is not the solution to the problem, it is only an ugly, inconvenient patch.

The real problem is with end users and moron system administrators. As operating systems get easier to use and install, the basic intelligence requirements for their operation decrease. The average unix user is much stupider than they were 5 years ago. The real solution is education. I don't mean 'Look mom, I gots my edgemacation'. I mean real education, the kind of things schools don't teach. Things like these forums are a great start; however, it is hard to reach the world of moron system admins, as people who come to forums like these come either knowing they need help, or coming to help others.

It's either that, or mandatory licensing for Internet usage ;-)
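Added example, not part of either post above: a small Python model of the PF semantics that the pf.conf in reply #2 depends on (rules are evaluated top to bottom, the last matching rule wins, a matching rule marked `quick` stops evaluation, and a packet that matches nothing passes), with the pf.conf transcribed into it, plus the "filter an attacker on your firewall" step from the Generic DoS section. Everything not in the post is an assumption and is labelled as such in the code: the contents of `<trusted>` (the poster removed theirs), a `<blocked>` table with a `block in quick` rule for it, a `pass in ... port 80` rule so the DoS step has a service to protect, and the httpd access-log lines, which are constructed. Only the external interface is modelled; NAT, scrub, state and logging are left out.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Tables from the post's pf.conf.  <trusted> was removed from the post, so
# its contents are an assumption; <blocked> is an addition for the DoS step
# (it would be `table <blocked> persist` in a real pf.conf).
RFC1918 = nets("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
DSUA03 = nets("0.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24",
              "224.0.0.0/4", "240.0.0.0/4")
TRUSTED = nets("203.0.113.10/32")   # assumed contents of <trusted>
BLOCKED: List = []                  # assumed <blocked> table, filled below


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in" or "out"
    quick: bool = False
    proto: Optional[Set[str]] = None  # None = any protocol
    src: Optional[List] = None        # None = any source; [] matches nothing
    dport: Optional[int] = None       # None = any destination port


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.proto is not None and pkt.proto not in rule.proto:
        return False
    if rule.src is not None:
        addr = ipaddress.ip_address(pkt.src)
        if not any(addr in net for net in rule.src):
            return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """PF verdict for pkt: last matching rule wins, `quick` ends evaluation."""
    verdict = "pass"                 # PF's default when no rule matches
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def ruleset() -> List[Rule]:
    """The post's filter rules, transcribed, plus two assumed rules."""
    return [
        # block in quick on $ext_if from {<rfc1918>, <dsua03>} to any
        Rule("block", "in", quick=True, src=RFC1918 + DSUA03),
        # assumed: block in quick on $ext_if from <blocked> to any
        Rule("block", "in", quick=True, src=BLOCKED),
        # block in log on $ext_if all
        Rule("block", "in"),
        # pass in on $ext_if proto tcp from <trusted> to any port 22 keep state
        Rule("pass", "in", proto={"tcp"}, src=TRUSTED, dport=22),
        # assumed, so the DoS step has something to protect:
        # pass in on $ext_if proto tcp from any to any port 80 keep state
        Rule("pass", "in", proto={"tcp"}, dport=80),
        # pass out on $ext_if proto {tcp, udp, icmp} all keep state
        Rule("pass", "out", proto={"tcp", "udp", "icmp"}),
    ]


# Constructed httpd access-log lines: one source hammering "/" (the flood),
# one trusted host making a single request.
ACCESS_LOG = """\
198.51.100.7 - - [06/Nov/2004:10:00:01 -0500] "GET / HTTP/1.0" 200 1043
203.0.113.10 - - [06/Nov/2004:10:00:01 -0500] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [06/Nov/2004:10:00:01 -0500] "GET / HTTP/1.0" 200 1043
198.51.100.7 - - [06/Nov/2004:10:00:02 -0500] "GET / HTTP/1.0" 200 1043
198.51.100.7 - - [06/Nov/2004:10:00:02 -0500] "GET / HTTP/1.0" 200 1043
"""


def flood_sources(log_text: str, threshold: int) -> List[str]:
    """Source addresses with more than `threshold` requests in the log."""
    counts = Counter(line.split(" ", 1)[0]
                     for line in log_text.splitlines() if line)
    return sorted(ip for ip, n in counts.items() if n > threshold)


def block_sources(ips: List[str]) -> List[str]:
    """Add offenders to <blocked>; return the equivalent pfctl commands."""
    cmds = []
    for ip in ips:
        net = ipaddress.ip_network(ip + "/32")
        if net not in BLOCKED:
            BLOCKED.append(net)
        cmds.append(f"pfctl -t blocked -T add {ip}")
    return cmds


if __name__ == "__main__":
    attacker = Packet("in", "tcp", "198.51.100.7", 80)
    print("before:", evaluate(ruleset(), attacker))   # pass
    for cmd in block_sources(flood_sources(ACCESS_LOG, 3)):
        print("run:   ", cmd)
    print("after: ", evaluate(ruleset(), attacker))   # block
```

The point of modelling `quick` is the antispoof rule: a packet from 10.1.2.3 claiming to be SSH from a trusted host is dropped before the later `pass in ... port 22` rule can override it, which is exactly why that rule carries `quick` and the catch-all `block in log` does not. The threshold in `flood_sources` is a stand-in; on a real box you would pick it from the normal request rate in the log, and the `pfctl -t blocked -T add` commands only take effect if pf.conf actually defines the `<blocked>` table and a rule that references it.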