Intrusion Detection: Network Security beyond the Firewall
Chapter 6
Point of Origin

|  | Internal User | External User |
|---|---|---|
| Denial of Service | Annoying | Annoying |
| Increased privilege | Moderately serious | Serious risk |
| Superuser privilege | Very serious | Disaster |
Statistics from the FBI Crime Lab consistently show that the majority of computer crime occurs from the inside. True, as more people connect to the Internet, the threats from outside increase. Today, most crimes still are committed by insiders, or at least outside criminals are assisted by insiders. The theft of millions of dollars from a major U.S. bank was launched from Russia, but collusion from an insider made the task easier. Most of the money was returned. Although some companies do not like to think of their employees, contractors, or business partners as potential criminals, historical data encourages them to do so. What are some of the threats that an insider poses to internal systems?
Internal Denial-of-Service Attack
Recently, a number of NT systems at the University of Texas were hounded by a denial-of-service attack against the IP stack delivered with NT. The attack was a variant of the Teardrop UDP attack that was possible because of a bug in NT. By sending certain types of UDP datagrams, an adversary could cause the system to crash. Because UDP packets often are blocked by screening routers or firewalls, this threat was unlikely from outside sources. Someone with access to one of the UT labs launched the attack internally.
Users with accounts on various company servers or on university systems pose threats because they already have access to the system. Once you can establish a login session on a computer, a number of denial-of-service attacks are possible:
You really don't even need an account on a system to cause problems. As shown in Chapter 2, "The Role of Identification and Authentication in Your Environment," physical or network access is sufficient to lock every account by repeating failed login attempts until the lockout threshold is reached for each one. If the system permits remote logins from other nodes inside the enterprise, failed-login attacks are possible even when physical access is not granted.
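What an internal monitor could look for in this case, as an added example that is not from the book: a detector run over constructed login records (the record format, the thresholds and the hosts are assumed) that flags a source which drives the failure count to the lockout threshold on several different accounts inside a short window, the pattern a lockout sweep leaves behind.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, not from any real product).
SAMPLE_LOG = """\
1999-03-01T09:00:01 login failed user=alice src=10.0.5.17
1999-03-01T09:00:02 login failed user=alice src=10.0.5.17
1999-03-01T09:00:03 login failed user=alice src=10.0.5.17
1999-03-01T09:00:04 login failed user=bob src=10.0.5.17
1999-03-01T09:00:05 login failed user=bob src=10.0.5.17
1999-03-01T09:00:06 login failed user=bob src=10.0.5.17
1999-03-01T09:00:07 login failed user=carol src=10.0.5.17
1999-03-01T09:00:08 login failed user=carol src=10.0.5.17
1999-03-01T09:00:09 login failed user=carol src=10.0.5.17
1999-03-01T09:05:00 login failed user=dave src=10.0.9.3
1999-03-01T09:05:30 login ok user=dave src=10.0.9.3
"""

LOCKOUT_THRESHOLD = 3          # assumed: failed attempts before an account locks
WINDOW = timedelta(minutes=2)  # assumed: burst window
MIN_ACCOUNTS = 2               # assumed: distinct accounts hit before we alert

def parse(line):
    """Split one constructed record into (timestamp, status, user, src)."""
    ts, _, status, user, src = line.split()
    return (datetime.fromisoformat(ts), status,
            user.split("=", 1)[1], src.split("=", 1)[1])

def lockout_sweeps(log, threshold=LOCKOUT_THRESHOLD, window=WINDOW,
                   min_accounts=MIN_ACCOUNTS):
    """Return {src: sorted accounts} for sources that drove >= threshold
    failures against >= min_accounts distinct accounts within one window."""
    failures = defaultdict(list)  # (src, user) -> failure timestamps
    for line in log.splitlines():
        ts, status, user, src = parse(line)
        if status == "failed":
            failures[(src, user)].append(ts)
    locked = defaultdict(set)     # src -> accounts it could have locked
    for (src, user), times in failures.items():
        times.sort()
        # sliding window: threshold failures within `window` locks the account
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                locked[src].add(user)
                break
    return {src: sorted(users) for src, users in locked.items()
            if len(users) >= min_accounts}
```

A single user mistyping a password (dave above) never reaches the alert because only one account is affected; the per-source, multi-account view is what separates a sweep from ordinary failures.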
Most environments run a large number of client-server applications. The telnet program is a well-known example. However, numerous proprietary client-server protocols are running throughout the enterprise, and each of these is also susceptible to denial-of-service attacks. For example, it is unlikely that many legacy applications perform adequate authentication of the packets they receive. Forged IP addresses and packets can find their way into listening servers and cause denial of service. If the servers are designed to accept connections from any internal node, it's easy enough to create packets, flood the server with them, and thus render the server useless.
Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc. All rights reserved. Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.