The Internet is completely changing the way we work, study and spend our leisure time. These changes will come both in areas we already know (electronic commerce, real-time access to information, wider opportunities for communication, and so on) and in spheres we cannot yet picture. A time may come when a corporation makes all of its telephone calls over the Internet, entirely free of charge. In private life, special Web sites may appear through which parents can find out at any moment how their children are doing. Our society is only beginning to grasp the boundless opportunities of the Internet.
Introduction
Alongside the enormous growth in the Internet's popularity there is an unprecedented danger of disclosure of personal data, critical corporate resources, state secrets, and so on. Every day hackers threaten these resources, trying to gain access to them with special attacks that are gradually becoming more refined on the one hand and simpler to carry out on the other. Two major factors contribute to this.
First, the universal penetration of the Internet. Today millions of devices are connected to the Network, and many millions more will be connected in the near future, so the probability that hackers gain access to vulnerable devices keeps growing. Moreover, the wide reach of the Internet lets hackers communicate on a global scale. A simple keyword search for "hacker", "hacking", "hack", "crack" or "phreak" returns thousands of sites, on many of which one can find malicious code and instructions for using it.
Second, the broad spread of easy-to-use operating systems and development environments. This factor sharply reduces the level of knowledge and skill a hacker needs. Earlier, to create and distribute easy-to-use applications, a hacker had to have good programming skills. Now, to obtain hacker tools it is enough to know the IP address of the right site, and to carry out an attack it is enough to click the mouse.
Classification of network attacks
Network attacks are as diverse as the systems they are directed against. Some attacks are highly complex; others are within the reach of an ordinary operator who does not even suspect what consequences his activity may have. To assess the types of attacks, one has to know some restrictions inherent in the TCP/IP protocol suite from the start. The Internet was created for communication between government bodies and universities, to support education and scientific research. Its founders had no idea how widespread it would become. As a result, the specifications of early versions of the Internet Protocol (IP) contained no security requirements, which is why many IP implementations are inherently vulnerable. Only many years later, after a series of Requests for Comments (RFCs), did security measures for IP begin to take root. But because protection for IP was not designed in from the outset, all of its implementations came to be supplemented with various network procedures, services and products that reduce the risks inherent in the protocol. Below we briefly review the types of attacks commonly used against IP networks and list ways of combating them.
Packet sniffers
A packet sniffer is an application program that uses a network card operating in promiscuous mode (in this mode the network adapter hands every packet received on the physical channel to the application for processing). The sniffer thus intercepts all network packets passing through a given domain. Nowadays sniffers operate in networks on an entirely lawful basis: they are used for troubleshooting and traffic analysis. However, because some network applications transmit data in plain text (Telnet, FTP, SMTP, POP3, etc.), a sniffer can reveal useful and sometimes confidential information (for example, user names and passwords).
Interception of names and passwords is especially dangerous because users often apply the same login and password to many applications and systems. Many users have a single password for access to all resources and applications. If an application works in client-server mode and the authentication data are sent over the network in readable text form, this information can very likely be used to access other corporate or external resources. Hackers know and exploit human weaknesses all too well (attack methods are often based on social engineering). They are well aware that we use the same password for many resources, so having learned our password they often succeed in gaining access to important information. In the worst case the hacker obtains system-level access to a user's resource and uses it to create a new account that can be used at any moment to get into the network and its resources.
The threat of packet sniffing can be reduced with the following means:
• Authentication. Strong authentication is the foremost protection against packet sniffing. By "strong" we mean authentication methods that are hard to bypass. An example is one-time passwords (OTP). OTP is a two-factor authentication technology that combines something you have with something you know. A typical example of two-factor authentication is an ordinary cash machine, which identifies you first by your plastic card and second by the PIN code you enter. Authentication in an OTP system likewise requires a PIN code and your personal token. A "token" is a hardware or software device that generates (on a random basis) a unique, single-use password. If a hacker learns this password with a sniffer, the information is useless, because by that moment the password has already been used and withdrawn from circulation. Note that this countermeasure is effective only against the interception of passwords; sniffers that intercept other information (e-mail messages, for example) lose none of their effectiveness.
• Switched infrastructure. Another way to combat packet sniffing in your network environment is to build a switched infrastructure. If, for example, switched Ethernet is used throughout the organization, hackers can only reach the traffic arriving on the port to which they are connected. A switched infrastructure does not eliminate the sniffing threat, but it noticeably reduces its severity.
• Anti-sniffers. The third way to combat sniffing is to install hardware or software that recognizes sniffers operating in your network. These means cannot eliminate the threat completely, but, like many other network security means, they form part of the overall protection system. Anti-sniffers measure the response time of hosts and determine whether hosts are having to process surplus traffic. One such tool, supplied by L0pht Heavy Industries, is called AntiSniff.
• Cryptography. This is the most effective way to combat packet sniffing: although it does not prevent interception and does not detect the sniffer's work, it makes that work useless. If the link is cryptographically protected, the hacker intercepts not the message but the ciphertext (that is, an unintelligible sequence of bits). Cisco's network-layer cryptography is based on the IPSec protocol, a standard method of secure communication between devices using the IP protocol. Other cryptographic protocols used for network management include SSH (Secure Shell) and SSL (Secure Socket Layer).
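As an added example (not code from the article or from Cisco), the following Python models the one-time-password mechanism described in the Authentication item above: an HOTP generator following RFC 4226 and a server-side verifier that remembers which counters each user has already consumed, so a password captured by a sniffer is rejected the moment it is replayed. The user name "alice", the look-ahead window and the use of RFC 4226's published test key as the token seed are assumptions for the demo.

```python
import hashlib
import hmac
import struct

# RFC 4226's published test key (ASCII "12345678901234567890"); a real token
# seed would be secret and unique per user.  Used here only for the demo.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server side of the scheme.  It remembers the highest counter each user
    has already consumed, so a password captured on the wire can never be
    accepted a second time."""

    def __init__(self, seeds: dict, look_ahead: int = 3):
        self._seeds = seeds                       # user -> token seed
        self._last_counter = {u: -1 for u in seeds}
        self._look_ahead = look_ahead             # tolerate a few unused presses

    def verify(self, user: str, code: str) -> bool:
        seed = self._seeds.get(user)
        if seed is None:
            return False
        start = self._last_counter[user] + 1
        for counter in range(start, start + self._look_ahead):
            if hmac.compare_digest(hotp(seed, counter), code):
                self._last_counter[user] = counter   # this and earlier counters are burnt
                return True
        return False


def demo() -> dict:
    """Legitimate login, then a sniffer replaying the same code, then the next press."""
    server = OtpVerifier({"alice": DEMO_SECRET})   # "alice" is an assumed user name
    captured = hotp(DEMO_SECRET, 0)                # what the sniffer would see
    return {
        "first_login": server.verify("alice", captured),
        "replay_of_sniffed_code": server.verify("alice", captured),
        "next_token_press": server.verify("alice", hotp(DEMO_SECRET, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier accepts a code only for a counter above the last one used, which is what turns the sniffed value into dead information; the look-ahead window merely tolerates a user who pressed the token a couple of times without logging in.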
IP spoofing
IP spoofing occurs when a hacker, inside the corporation or outside it, passes himself off as an authorized user. This can be done in two ways: the hacker can use either an IP address that lies within the range of authorized IP addresses, or an authorized external address that is allowed access to certain network resources. IP spoofing attacks are often the starting point for other attacks. A classic example is a DoS attack that begins from someone else's address, concealing the hacker's true identity.
As a rule, IP spoofing is limited to inserting false information or malicious commands into the normal data flow between a client and server application or over a communication channel between peer devices. For two-way communication the hacker would have to change all routing tables to direct traffic to the false IP address. Some hackers, however, do not try to get any response from applications at all: if the main goal is to obtain an important file from the system, the applications' responses do not matter.
If the hacker does manage to change the routing tables and direct traffic to the false IP address, he will receive all the packets and can respond to them as if he were the authorized user.
The threat of spoofing can be weakened (but not removed) with the following measures.
• Access control. The simplest way to prevent IP spoofing is to configure access control correctly. To reduce the effectiveness of IP spoofing, configure access control to cut off any traffic arriving from the external network whose source address should lie inside your network. Admittedly, this helps against IP spoofing only when internal addresses alone are authorized; if some addresses of the external network are also authorized, this method becomes ineffective.
• RFC 2827 filtering. You can stop users of your network from attempting to spoof other networks (and become a good network citizen). To do so, reject any outgoing traffic whose source address is not one of your organization's IP addresses. This type of filtering, known as RFC 2827 filtering, can also be performed by your provider (ISP). As a result, all traffic that does not have the source address expected on a given interface is rejected. For example, if an ISP provides a connection to the 15.1.1.0/24 address range, it can configure a filter so that only traffic from 15.1.1.0/24 is admitted from that interface on the ISP router. Note that until all providers introduce this type of filtering, its effectiveness will be far below what is possible. In addition, the further one is from the devices being filtered, the harder it is to filter precisely. For example, RFC 2827 filtering at the access router requires passing all traffic from the major network address (10.0.0.0/8), whereas at the distribution layer (in the given architecture) the traffic can be restricted more precisely (to the address 10.1.5.0/24).
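The two filters above can be modelled in a few lines of Python with the standard ipaddress module. This is an added example, not the article's or Cisco's configuration: the interface names, the sample packets and the "outside"/"inside" roles are assumptions, while the prefixes 15.1.1.0/24, 10.0.0.0/8 and 10.1.5.0/24 are the ones the article mentions. The second function shows the precision point: a coarse filter at the access router (10.0.0.0/8) must pass a spoofed 10.x address that a precise filter at the distribution layer (10.1.5.0/24) rejects.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# A packet is modelled as (arrival_interface, source_ip); destinations do not matter here.
Packet = Tuple[str, str]


def in_any(ip: str, prefixes: Iterable[str]) -> bool:
    """True if ip belongs to one of the given CIDR prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def anti_spoof_decision(iface: str, src: str, our_prefixes: Iterable[str]) -> str:
    """Access-control rule: traffic from outside must not claim an inside source.
    RFC 2827 egress rule: traffic leaving must carry one of our own source addresses."""
    if iface == "outside" and in_any(src, our_prefixes):
        return "drop-ingress-spoof"
    if iface == "inside" and not in_any(src, our_prefixes):
        return "drop-egress-rfc2827"
    return "accept"


def apply_filter(packets: Iterable[Packet], our_prefixes: Iterable[str]) -> Dict[str, int]:
    """Run the filter over a packet list and tally the verdicts."""
    tally: Dict[str, int] = {}
    for iface, src in packets:
        verdict = anti_spoof_decision(iface, src, our_prefixes)
        tally[verdict] = tally.get(verdict, 0) + 1
    return tally


# Constructed sample traffic for a site that owns 15.1.1.0/24 (the article's example range).
SAMPLE_PACKETS: List[Packet] = [
    ("outside", "203.0.113.7"),   # ordinary inbound packet
    ("outside", "15.1.1.99"),     # arrives from the Internet but claims our address: spoofed
    ("inside", "15.1.1.10"),      # ordinary outbound packet
    ("inside", "198.51.100.5"),   # one of our hosts forging a foreign source address
    ("inside", "15.1.1.200"),     # ordinary outbound packet
]


def filter_precision(src: str) -> Dict[str, str]:
    """The article's precision point: the access router only knows the major
    network 10.0.0.0/8, while the distribution layer knows the exact subnet
    10.1.5.0/24 and can reject a spoofed 10.x source the access router must pass."""
    return {
        "access_router": anti_spoof_decision("inside", src, ["10.0.0.0/8"]),
        "distribution_layer": anti_spoof_decision("inside", src, ["10.1.5.0/24"]),
    }


if __name__ == "__main__":
    print(apply_filter(SAMPLE_PACKETS, ["15.1.1.0/24"]))
    print(filter_precision("10.9.9.9"))
```

On a real router the same logic is an access list applied per interface; the point of the model is that the egress rule protects other people's networks while the ingress rule protects yours, and that both depend on how precisely the filtering device knows the address plan.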
The most effective way to combat IP spoofing is the same as with packet sniffing: make the attack completely ineffective. IP spoofing can only work if authentication is based on IP addresses. Therefore introducing additional authentication methods renders such attacks useless. The best kind of additional authentication is cryptographic. If that is impossible, two-factor authentication with one-time passwords gives good results.
Denial of service
Denial of Service (DoS) is undoubtedly the best-known form of hacker attack. It is also the type of attack against which it is hardest to build complete protection. Among hackers, DoS attacks are considered child's play, and using them draws contemptuous smiles, because organizing a DoS attack requires minimal knowledge and skill. Nevertheless, the ease of carrying them out and the enormous scale of the damage they cause attract the close attention of managers responsible for network security. If you want to learn more about DoS attacks, consider their best-known variants:
• TCP SYN Flood;
• Ping of Death;
• Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K);
• Trinoo;
• Stacheldraht;
• Trinity.
An excellent source of security information is the Computer Emergency Response Team (CERT), which has published a fine paper on combating DoS attacks; it can be found at www.cert.org/tech_tips/denial_of_service.html. DoS attacks differ from other kinds of attack. They are not aimed at gaining access to your network or obtaining information from it; instead, a DoS attack makes your network unavailable for normal use by exceeding the permissible operating limits of the network, operating system or application. With some server applications (such as a Web server or FTP server) a DoS attack can consist of occupying all the connections available to the application and holding them in the occupied state, so that ordinary users cannot be served. DoS attacks can use ordinary Internet protocols such as TCP and ICMP (Internet Control Message Protocol).
Most DoS attacks rely not on programming errors or security holes but on general weaknesses of the system architecture. Some attacks reduce network performance to zero by flooding it with unwanted, unnecessary packets or by reporting false information about the current state of network resources. This type of attack is hard to prevent because it requires coordination with the provider. If the traffic intended to flood your network is not stopped at the provider, you can no longer do so at the entrance to your network, because all the bandwidth will already be consumed. When an attack of this type is carried out simultaneously through many devices, we speak of a distributed DoS attack (DDoS).
The threat of DoS attacks can be reduced in three ways:
• Anti-spoofing functions. Correctly configuring the anti-spoofing functions on your routers and firewalls helps reduce the risk of DoS. At a minimum these functions should include RFC 2827 filtering. If the hacker cannot hide his true identity, he is unlikely to dare to carry out an attack.
• Anti-DoS functions. Correctly configuring anti-DoS functions on routers and firewalls can limit the effectiveness of attacks. These functions often limit the number of half-open channels at any given moment.
• Traffic rate limiting. An organization can ask its provider (ISP) to limit the volume of traffic. This type of filtering limits the volume of non-critical traffic passing through your network. A typical example is limiting the volume of ICMP traffic, which is used only for diagnostic purposes. (D)DoS attacks often use ICMP.
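The second and third measures, a cap on half-open connections and rate limiting of a traffic class, are easy to model. The Python below is an added example (not the article's or Cisco's code and not a description of any real product's algorithm): a per-source half-open limiter fed a constructed SYN flood alongside a well-behaved client, and a token-bucket limiter fed a constructed burst of ICMP echo requests. The addresses, the cap of 10 half-open connections, the rate of 10 ICMP packets per second and the burst size are all assumptions.

```python
import collections
from typing import Dict, List, Tuple


class HalfOpenLimiter:
    """Caps the number of embryonic (SYN seen, handshake unfinished) connections
    per source address, as the anti-DoS functions of a firewall do."""

    def __init__(self, max_half_open: int):
        self.max_half_open = max_half_open
        self.half_open: Dict[str, int] = collections.Counter()
        self.dropped: Dict[str, int] = collections.Counter()

    def on_syn(self, src: str) -> bool:
        """Return True if the SYN is admitted, False if it is dropped."""
        if self.half_open[src] >= self.max_half_open:
            self.dropped[src] += 1
            return False
        self.half_open[src] += 1
        return True

    def on_established(self, src: str) -> None:
        """Final ACK seen: the connection is no longer half-open."""
        if self.half_open[src] > 0:
            self.half_open[src] -= 1


class TokenBucket:
    """Rate limiter for one traffic class (here ICMP).  Integer arithmetic in
    milliseconds and milli-tokens keeps the demo exact."""

    def __init__(self, rate_per_sec: int, burst: int):
        self.rate = rate_per_sec            # milli-tokens added per millisecond
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def simulate_syn_flood(max_half_open: int = 10) -> Dict[str, int]:
    """Constructed scenario: one source sends 500 SYNs and never completes a
    handshake; a normal client opens and completes 20 connections."""
    limiter = HalfOpenLimiter(max_half_open)
    events: List[Tuple[str, str]] = [("syn", "198.51.100.66")] * 500   # flooder
    for _ in range(20):                                                # normal client
        events += [("syn", "203.0.113.4"), ("ack", "203.0.113.4")]
    admitted: Dict[str, int] = collections.Counter()
    for kind, src in events:
        if kind == "syn":
            if limiter.on_syn(src):
                admitted[src] += 1
        else:
            limiter.on_established(src)
    return {
        "flooder_admitted": admitted["198.51.100.66"],
        "flooder_dropped": limiter.dropped["198.51.100.66"],
        "client_admitted": admitted["203.0.113.4"],
        "client_dropped": limiter.dropped["203.0.113.4"],
    }


def simulate_icmp_limit(rate_per_sec: int = 10, burst: int = 10) -> Dict[str, int]:
    """Constructed scenario: 100 echo requests spaced 10 ms apart (one second)."""
    bucket = TokenBucket(rate_per_sec, burst)
    allowed = sum(1 for i in range(100) if bucket.allow(i * 10))
    return {"allowed": allowed, "dropped": 100 - allowed}


if __name__ == "__main__":
    print(simulate_syn_flood())
    print(simulate_icmp_limit())
```

The flooder only ever holds the cap's worth of table entries while the client, which completes its handshakes, is never throttled; the ICMP bucket lets the initial burst through and then admits only the configured steady rate, which is the behaviour an ISP rate limit gives you.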
Password attacks
Hackers can carry out password attacks with a number of methods, such as simple brute force (brute force attack), Trojan horses, IP spoofing and packet sniffing. Although a login and password can frequently be obtained through IP spoofing and packet sniffing, hackers quite often try to guess the password and login by making numerous access attempts. This approach is called brute force.
Often such an attack uses a special program that tries to gain access to a shared resource (for example, a server). If access is granted as a result, the hacker receives it with the rights of the ordinary user whose password was guessed. If that user has significant access privileges, the hacker can create himself a "pass" for future access that will keep working even if the user changes the password and login.
Another problem arises when users apply the same (even a very good) password to access many systems: corporate, personal and Internet systems. Since the password is only as strong as the weakest host, a hacker who learns the password through that host gains access to all the other systems where the same password is used.
Password attacks can be avoided by not using passwords in plain-text form. One-time passwords and/or cryptographic authentication can practically eliminate the threat of such attacks. Unfortunately, not all applications, hosts and devices support these authentication methods.
When ordinary passwords are used, try to come up with ones that are hard to guess. The minimum password length should be at least eight characters. The password should include upper-case letters, digits and special characters (*, %, $, etc.). The best passwords are hard to guess and hard to remember, which drives users to write them down on paper. To avoid this, users and administrators can use a number of recent technological advances. For example, there are application programs that encrypt a list of passwords which can be stored on a handheld computer. The user then needs to remember only one complex password, while all the others are reliably protected by the application. Administrators have several ways of countering password guessing. One of them is to use the tool L0phtCrack, which hackers often apply to guess passwords in the Windows NT environment. This tool will quickly show you whether the password a user has chosen is easy to guess. Further information is available at http://www.l0phtcrack.com/.
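A password-selection check enforcing the rules just given can be written in a few lines; the Python below is an added example, not code from the article or from L0phtCrack. It applies the length and character-class rules at the moment a password is chosen, and adds one check the rules alone miss: a dictionary word dressed up with a digit and a symbol satisfies every class rule yet is among the first guesses a cracking tool tries. The set of special characters beyond *, % and $ and the tiny word list are assumptions constructed for the demo.

```python
import re
from typing import List

# The article names *, % and $; the remaining symbols are an assumption.
SPECIAL_CHARS = set("*%$!@#&^()_-+=?.,;:")

# Constructed, deliberately tiny stand-in for the word lists a cracking tool uses.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "secret"}


def password_issues(pw: str) -> List[str]:
    """Return the rules the candidate password fails; an empty list means it passes."""
    issues: List[str] = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        issues.append("no upper-case letter")
    if not any(c.isdigit() for c in pw):
        issues.append("no digit")
    if not any(c in SPECIAL_CHARS for c in pw):
        issues.append("no special character")
    # Strip leading/trailing non-letters ("Password1!" -> "password") and look the
    # core up in the word list; this is the first transformation a cracker applies.
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw).lower()
    if core in COMMON_WORDS:
        issues.append("dictionary word with trivial decoration")
    return issues


def is_acceptable(pw: str) -> bool:
    """Convenience wrapper for a password-change handler."""
    return not password_issues(pw)


if __name__ == "__main__":
    for candidate in ["abc", "Password1!", "Tr4in-Bottle!9"]:
        print(repr(candidate), password_issues(candidate) or "ok")
```

The check is meant to run where the password is set, so no list of plain-text passwords is ever kept; auditing existing accounts, as the article describes with L0phtCrack, works on the stored hashes instead.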
Man-in-the-Middle attacks
For a Man-in-the-Middle attack the hacker needs access to the packets transmitted over the network. Such access to all packets transmitted from the provider to any other network can be obtained, for example, by an employee of that provider. Attacks of this kind often use packet sniffers, transport protocols and routing protocols. They are carried out to steal information, hijack the current session and gain access to private network resources, to analyze traffic and collect information about the network and its users, to carry out DoS attacks, to corrupt transmitted data and to inject unauthorized information into network sessions.
Man-in-the-Middle attacks can be fought effectively only with cryptography. If the hacker intercepts the data of an encrypted session, what appears on his screen is not the intercepted message but a meaningless set of characters. Note, however, that if the hacker obtains information about the cryptographic session (for example, the session key), this can make a Man-in-the-Middle attack possible even in an encrypted environment.
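The following Python is an added example (not the article's or Cisco's code, and not IPSec or SSL themselves) of the integrity half of what those protocols do for a session: every frame carries a sequence number and an HMAC under the session key, so a frame modified in transit or replayed out of order is rejected. It also illustrates the caveat in the paragraph above: a party holding the leaked session key can produce frames the receiver accepts. Encryption of the payload would be layered on top in a real protocol; the key, sequence numbers and messages here are constructed for the demo.

```python
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 output length


def seal(session_key: bytes, seq: int, payload: bytes) -> bytes:
    """Frame = 4-byte sequence number || payload || HMAC(key, seq || payload)."""
    header = struct.pack(">I", seq)
    tag = hmac.new(session_key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def unseal(session_key: bytes, expected_seq: int, frame: bytes) -> Optional[bytes]:
    """Return the payload if tag and sequence number check out, otherwise None."""
    if len(frame) < 4 + TAG_LEN:
        return None
    header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
    good = hmac.new(session_key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(good, tag):
        return None                       # modified in transit
    if struct.unpack(">I", header)[0] != expected_seq:
        return None                       # replayed or reordered frame
    return payload


def demo() -> dict:
    key = b"\x11" * 32                    # constructed session key for the demo
    frame = seal(key, 7, b"transfer 100 to account A")
    # An in-path attacker without the key flips one byte of the payload.
    tampered = frame[:4] + bytes([frame[4] ^ 0x01]) + frame[5:]
    # An attacker who has obtained the session key forges a fresh, valid frame.
    forged = seal(key, 7, b"transfer 100 to account B")
    return {
        "genuine": unseal(key, 7, frame),
        "tampered": unseal(key, 7, tampered),
        "replayed": unseal(key, 8, frame),
        "forged_with_leaked_key": unseal(key, 7, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The last result is the point of the article's caveat: the receiver cannot distinguish a forged frame from a genuine one once the session key is in the wrong hands, so protecting key material (and exchanging it through an authenticated handshake) matters as much as the cipher itself.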
Application-layer attacks
Application-layer attacks can be carried out in several ways. The most common is the exploitation of well-known weaknesses in server software (sendmail, HTTP, FTP). By exploiting these weaknesses, hackers can gain access to a computer under the account of the user running the application (usually not an ordinary user but a privileged administrator with system access rights). Information about application-layer attacks is widely published so that administrators can correct the problem with corrective modules (patches). Unfortunately, many hackers also have access to this information, which allows them to improve their attacks.
The main problem with application-layer attacks is that hackers often use ports that are allowed through the firewall. For example, a hacker exploiting a known weakness of a Web server often uses TCP port 80 in the course of the attack. Since the Web server serves Web pages to users, the firewall must provide access to this port. From the firewall's point of view the attack looks like standard traffic for port 80.
Application-layer attacks cannot be ruled out completely. Hackers constantly discover and publish new weak spots in application programs on the Internet. The most important thing here is good system administration. Some measures that can be taken to reduce vulnerability to attacks of this type:
• read the operating system and network log files and/or analyze them with special analysis applications;
• subscribe to services that distribute information about weak spots in application programs: Bugtraq (http://www.securityfocus.com) and CERT (http://www.cert.com);
• use the newest versions of operating systems and applications and the latest corrective modules (patches);
• in addition to system administration, use intrusion detection systems (IDS); two complementary IDS technologies exist:
- A network IDS (NIDS) monitors all packets passing through a given domain. When the NIDS sees a packet or series of packets matching the signature of a known or probable attack, it generates an alarm and/or terminates the session;
- A host IDS (HIDS) protects a host with software agents. This system only combats attacks against a single host.
In their work, IDS use attack signatures, which are patterns of specific attacks or types of attack. Signatures define the conditions under which traffic is considered hostile. In the physical world, an alarm system or a surveillance camera can be considered the analogue of an IDS. The biggest drawback of IDS is their tendency to generate false alarms. To minimize the number of false alarms and have the IDS function correctly in the network, it must be carefully tuned.
Network reconnaissance
Gathering information about a network with the help of publicly available data and applications is called network reconnaissance. When preparing an attack on a network, a hacker usually tries to obtain as much information about it as possible. Network reconnaissance takes the form of DNS queries, ping sweeps and port scans. DNS queries help to find out who owns a given domain and which addresses are assigned to it. Pinging the addresses revealed by DNS shows which hosts are actually running in that environment. Having obtained the list of hosts, the hacker uses port-scanning tools to compile a full list of the services those hosts support. Finally, the hacker analyzes the characteristics of the applications running on the hosts. The result is information that can be used for a break-in.
Network reconnaissance cannot be eliminated entirely. If, for example, you disable ICMP echo and echo reply on the perimeter routers, you get rid of ping sweeps, but you lose the data needed to diagnose network failures. Moreover, ports can be scanned without a preliminary ping sweep; it just takes more time, since nonexistent IP addresses have to be scanned as well. Network- and host-level IDS usually do a good job of notifying the administrator that network reconnaissance is under way, which makes it possible to prepare better for the forthcoming attack and to notify the provider (ISP) in whose network the overly curious system resides.
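The Python below is an added example (not the article's or Cisco's code and not a real IDS product): a toy network IDS that combines the two kinds of signature described in the IDS list above, a content signature matched against each packet and threshold signatures that recognize the ping-sweep and port-scan pattern of network reconnaissance, and runs it over constructed packet records. The marker string, the thresholds, the time window and all addresses are assumptions made for the demo.

```python
import collections
from typing import List, NamedTuple


class Packet(NamedTuple):
    ts: float      # seconds
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # 0 for icmp
    payload: bytes


# Content signature: a constructed marker standing in for a real attack pattern.
CONTENT_SIGNATURES = {"demo-probe-marker": b"X-DEMO-PROBE:"}

WINDOW = 10.0      # seconds of history examined per source (assumption)
SCAN_PORTS = 15    # distinct ports on one host within the window -> port scan
SWEEP_HOSTS = 8    # distinct hosts pinged within the window -> ping sweep


class Nids:
    def __init__(self) -> None:
        self.history = collections.defaultdict(list)   # src -> recent packets
        self.alerts: List[str] = []
        self._raised = set()                             # de-duplicate alarms

    def _raise(self, key, message: str) -> None:
        if key not in self._raised:
            self._raised.add(key)
            self.alerts.append(message)

    def observe(self, pkt: Packet) -> None:
        # Content signatures fire on a single packet.
        for name, needle in CONTENT_SIGNATURES.items():
            if needle in pkt.payload:
                self._raise((name, pkt.src, pkt.ts),
                            f"{name} from {pkt.src} to {pkt.dst}:{pkt.dport}")
        # Threshold signatures look at the source's behaviour over the window.
        recent = [p for p in self.history[pkt.src] if pkt.ts - p.ts <= WINDOW] + [pkt]
        self.history[pkt.src] = recent
        ports = {(p.dst, p.dport) for p in recent if p.proto in ("tcp", "udp")}
        per_host = collections.Counter(dst for dst, _ in ports)
        for dst, n in per_host.items():
            if n >= SCAN_PORTS:
                self._raise(("portscan", pkt.src, dst),
                            f"port scan from {pkt.src} against {dst} ({n} ports)")
        pinged = {p.dst for p in recent if p.proto == "icmp"}
        if len(pinged) >= SWEEP_HOSTS:
            self._raise(("pingsweep", pkt.src),
                        f"ping sweep from {pkt.src} ({len(pinged)} hosts)")


def build_sample_traffic() -> List[Packet]:
    """Constructed traffic: normal web browsing, then reconnaissance from one address."""
    pkts: List[Packet] = []
    for i in range(30):   # office host fetching pages: one port on one host, never an alarm
        pkts.append(Packet(i * 0.5, "10.1.5.20", "15.1.1.10", "tcp", 80, b"GET / HTTP/1.0"))
    for i in range(10):   # ping sweep across 15.1.1.1 .. 15.1.1.10
        pkts.append(Packet(100 + i * 0.2, "198.51.100.9", f"15.1.1.{i + 1}", "icmp", 0, b""))
    for port in range(1, 41):   # port scan of the host found alive
        pkts.append(Packet(102 + port * 0.1, "198.51.100.9", "15.1.1.10", "tcp", port, b""))
    pkts.append(Packet(110.0, "198.51.100.9", "15.1.1.10", "tcp", 80,
                       b"GET / HTTP/1.0\r\nX-DEMO-PROBE: 1\r\n"))
    return sorted(pkts, key=lambda p: p.ts)


def run(pkts: List[Packet]) -> List[str]:
    ids = Nids()
    for p in pkts:
        ids.observe(p)
    return ids.alerts


if __name__ == "__main__":
    for alert in run(build_sample_traffic()):
        print(alert)
```

The de-duplication set is the simplest form of the tuning the article calls for: without it the port-scan rule would raise an alarm for every packet after the fifteenth, and the administrator would be drowned in repeats of one event.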
Trust exploitation
Strictly speaking, this type of activity is not an attack in the true sense. It is the malicious exploitation of trust relationships that exist in a network. A classic example of such abuse is the situation in the perimeter part of a corporate network, where DNS, SMTP and HTTP servers are often located. Since they all belong to the same segment, compromising any one of them leads to compromising all the others, because these servers trust the other systems in their network. Another example is a system on the outside of the firewall that has a trust relationship with a system on its inside. If the external system is compromised, the hacker can use the trust relationship to penetrate the system protected by the firewall.
The risk of trust exploitation can be reduced through stricter control of trust levels within the network. Systems located outside the firewall should under no circumstances enjoy absolute trust from the systems it protects. Trust relationships should be limited to specific protocols and, where possible, be authenticated not only by IP address but by other parameters as well.
Port redirection
Port redirection is a form of trust exploitation in which a compromised host is used to pass through the firewall traffic that would otherwise necessarily be rejected. Imagine a firewall with three interfaces, each connected to a host. The external host can connect to the public-access host (DMZ) but not to the host installed on the inside of the firewall. The public-access host can connect to both the internal and the external host. If the hacker seizes the public-access host, he can install software on it that redirects traffic from the external host directly to the internal one. Although no rule on the firewall is violated, the external host thereby gains direct access to the protected host through the redirection. An example of an application that can provide such access is netcat. More details are available at http://www.avian.org.
The main way to combat port redirection is to use sound trust models (see the previous section). In addition, a host IDS (HIDS) can prevent a hacker from installing his software on a host.
Unauthorized access
Unauthorized access cannot be singled out as a separate type of attack, since most network attacks are carried out precisely to gain unauthorized access. To guess a Telnet login, the hacker must first get a Telnet prompt from the system. After connecting to the Telnet port, the message "authorization required to use this resource" appears on the screen. If the hacker keeps trying to get in after that, the attempts are considered unauthorized. The source of such attacks can be either inside the network or outside it.
Ways of combating unauthorized access are fairly simple. The main thing is to reduce or completely eliminate the hacker's opportunities to gain access to a system over an unauthorized protocol. As an example, consider denying hacker access to the Telnet port on a server that provides Web services to external users. Without access to this port, the hacker cannot attack it. As for the firewall, its primary task is to prevent the simplest attempts at unauthorized access.
Viruses and Trojan horse applications
End-user workstations are very vulnerable to viruses and Trojan horses. Viruses are malicious programs that embed themselves in other programs to perform some undesirable function on the end user's workstation. An example is a virus that writes itself into the file command.com (the main command interpreter of Windows systems), erases other files, and also infects every other copy of command.com it finds.
A Trojan horse is not an inserted piece of code but a real program which at first glance looks like a useful application but in practice plays a harmful role. A typical Trojan horse is a program that looks like a simple game for the user's workstation. While the user plays the game, the program e-mails a copy of itself to every contact in the user's address book. All the contacts receive the game by mail, spreading it further.
Viruses and Trojan horses are fought with effective anti-virus software running at the user level and possibly at the network level. Anti-virus tools detect most viruses and Trojan horses and stop their spread. Obtaining the latest information about viruses helps fight them more effectively. As new viruses and Trojan horses appear, the enterprise should install new versions of anti-virus tools and applications.
This article was written using materials provided by Cisco Systems (www.cisco.com).
© Web Development Company Conkurent, LLC 2008-2009. All rights reserved.