attack
... on the number of attempts made to foil the firewall before triggering
a response? Escalation levels should be defined for both attacks
and responses. Sites without firewalls will have to determine if a
...
... networks are vulnerable. The
classic problem is a "denial of service" attack. In this case, the
network is brought to a state ...
...
An attack on the router is designed to cause it to stop forwarding
packets, or to forward them improperly. The former case may be due
...
... update, or
a "flood attack" (i.e., the router is bombarded with unroutable
packets, causing its performance ...
... packets, causing its performance to degrade). A flood attack on a
network is similar to a flood ...
... flood packets are usually broadcast. An ideal flood attack would be
the injection of a single packet which exploits some known flaw in
the network ...
... generate error packets, each of which is picked up and repeated by
another host. A well chosen attack packet can even generate an
exponential explosion of transmissions.
...
... routing updates are sent to one or more routers causing them to
misroute packets. This differs from a denial of service attack only
in the purpose behind the spurious route. In denial of service ...
... unique identifier, a checksum can also
protect against "replay" attacks, wherein an old (but valid at the
time) routing ...
...
Unfortunately, there is no adequate protection against a flooding
attack, or a misbehaving host or router which is flooding ...
... flooding the
network. Fortunately, this type of attack is obvious when it occurs
and can usually be terminated relatively simply.
...
... most frequently used services, they are the most obvious points of
attack. Also, a successful attack on one of these services can
produce disaster all out of proportion to the innocence of the basic
service ...
... critical to the secure operation of any network. An
attacker who can successfully control or impersonate a DNS server can
re-route ...
... to act as secondary name servers and protect their DNS masters from
denial of service attacks using filtering routers.
...
... one-way encrypted password can be determined by a dictionary
attack (wherein common words are encrypted to see if they match the
stored encryption ...
... security by leaving the security server itself open
to attack. Based on considerations previously discussed, it should
be clear that: the security server should not be accessible from
...
... router is "outside" of
its filters and may be more vulnerable to attack). In addition to
the router being vulnerable, this distinction between applying
...
... implementing security for a site and they protect against a large
variety of attacks. But it is important to keep in mind that they
are only one part of the solution. They cannot protect your site
against all types of attack.
...
... host to your
network. This increases the risk of attacks via techniques such as
IP address spoofing ...
... disconnect after the third. This will slow down automated password
attacks. Don't tell the user whether the username, the password, or
...
... methods and the easiest to configure. It allows instant access to
the records for analysis, which may be important if an attack is in
progress. File system logging is also the least reliable method ...
... Line printer logging is useful in systems where permanent and
immediate logs are required. A real time system is an example of
this, where the exact point of a failure or attack must be recorded.
A laser printer, or other device which buffers data (e.g., a print
...
... search for incidents? If a host
in one organization is used as a launching point for an attack
against another organization, can the second organization use the
audit data of the first organization to prove negligence on the part
...
... security is to react according
to a plan. This is true whether the breach is the result of an
external intruder attack, unintentional damage, a student testing
some new program to exploit a software vulnerability, or a
...
... site security plan, usually pays little attention to how to actually
handle an attack once one occurs. The result is that when an attack
is in progress, many decisions are made in haste and can be damaging
to tracking down the source of the incident, collecting evidence to
...
... nodes was used to launch a
network attack. In a similar vein, people who develop patches or
workarounds may be sued if the patches or workarounds are
ineffective, resulting in compromise of the systems, or, if the
...
... operating system vulnerabilities and patterns of attacks, and then
taking appropriate measures to counter these potential threats, is
...
... Preventing the use of your systems in attacks against other
systems (which could cause you to incur legal liability) ...
... POC must be a person with the technical expertise to successfully
coordinate the efforts of the system managers and users involved in
monitoring and reacting to the attack. Care should be taken when
identifying who this person will be. It should not necessarily be
the same person who has administrative responsibility for the
...
A primary reason for determining these points of contact well in
advance of an incident is that once a major attack is in progress,
there is little time to call these agencies to determine exactly who
the correct point of contact is. Another reason is that it is
...
... Downstream liability--if you leave a compromised system as is so
it can be monitored and another computer is damaged because the
attack originated from your system, your site or organization
may be liable for damages incurred.
...
... Distribution of information--if your site or organization
distributes information about an attack in which another site or
organization may be involved or the vulnerability in a product
...
... A similar consideration is using a secure means of communication.
Because many network attackers can easily re-route electronic mail,
...
... network, to avoid telephone contact with the
suspected attackers, etc. Each organization will have a set of local
and national laws and regulations that must be adhered to when
handling incidents. It is recommended that each site be familiar with
...
... Keep the technical level of detail low. Detailed
information about the incident may provide enough
information for others to launch similar attacks on
other sites, or even damage the site's ability to
prosecute the guilty party once the event is over.
...
... available. Audit information is also extremely useful, especially in
determining whether there is a network attack. It is extremely
important to obtain a system snapshot as soon as one suspects that
something is wrong. Many incidents cause a dynamic chain of events
...
... to occur, and an initial system snapshot may be the most valuable
tool for identifying the problem and any source of attack. Finally,
it is important to start a log book. Recording system events,
...
... telnet, but the administrator of a military system is
likely to consider the same action as a possible attack.
...
The purpose of containment is to limit the extent of an attack. An
essential part of containment is decision making (e.g., determining
whether to shut a system down, disconnect from a network ...
... a
record of the original system setup and each customization change
should be maintained. In the case of a network-based attack, it is
important to install patches for each operating system vulnerability ...
... The whole purpose of this post mortem process is to improve all
security measures to protect the site against future attacks. As a
result of an incident, a site or organization should gain practical
knowledge from the experience. A concrete goal of the post mortem is
...
... available. A CERT advisory may also be a warning to our
constituency about ongoing attacks (e.g.,
"CA-91:18.Active ...
... P. Denning, Editor, "Computers Under Attack: Intruders, Worms, and Viruses", ACM Press, 1990. ...
