Training IT Staff to Secure Networks

African companies are only now beginning to benefit from the sort of high-speed internet infrastructure that other continents have had for many years. Yet with this high-speed access come risks as well as benefits. As soon as you have web-facing servers, or indeed simply allow internal clients to access the internet, your network becomes a potential target for attackers. You can reduce this risk by installing firewalls and intrusion detection systems and by using a DMZ, but some risk remains. One of the issues is that experienced network administrators are in short supply in some African countries, and technical skills are the most effective way to minimize the risk of attack.

Employers are recognizing the value of training their IT support staff and appreciating that it can be a very wise investment. African firms face the same network attacks as companies in other nations; in some senses the risk is greater, as there is a perception that they are soft targets. Understanding the various risks and potential attacks is obviously important too, and should be incorporated in the training.

A Denial of Service (DoS) attack is any kind of attack that interrupts the functionality of a system so that genuine users can no longer access it. DoS attacks are conceivable against the majority of network hardware, including switches, hosting servers, firewalls, remote access computers, and almost every other network resource. A DoS attack may be specific to a service, as in an FTP attack, or may target an entire machine. The categories of DoS are diverse and wide-ranging, but they can be split into two distinct categories that relate to intrusion detection: resource depletion and malicious packet attacks.

Malicious packet DoS attacks work by sending abnormal traffic to a host so as to cause the service, or the host itself, to crash. Crafted-packet DoS attacks succeed when software is not written to handle abnormal or unusual traffic correctly. Out-of-specification traffic can easily cause software to behave unexpectedly and crash. Attackers can use crafted-packet DoS attacks to bring down IDSs, including Snort: a specially crafted tiny ICMP packet with a size of 1 was found to cause Snort v1.8.3 to core dump. That version of Snort did not adequately define the minimum ICMP header size, which allowed the DoS to happen.

Attackers will normally use hosts that have been infected by viruses or trojans to launch these denial of service attacks. Using the bandwidth of thousands of compromised computers means that even the largest and most stable systems can be attacked. They will also hide their remote access connections to these networks, which is easily done through a VPN in an obscure country. Some will even rent proxies from residential IP providers like this one, in order to further obscure their identity.

Alongside out-of-specification traffic, malicious packets can contain payloads that cause a system to crash. A packet's payload is taken as input by a service. If that input is not properly validated, the program can be DoSed. The Microsoft FTP DoS attack demonstrates the wide variety of DoS attacks available to black hats in the wild. The first step in the attack is to open a legitimate FTP connection. The attacker would then issue a command containing a wildcard sequence (such as * or ?). Within the FTP server, the feature that handles wildcard sequences in FTP commands does not allocate sufficient memory when carrying out pattern matching, so it is feasible for a command composed of a wildcard pattern to crash the FTP service. This DoS, along with the Snort ICMP DoS, are two examples of the many thousands of potential DoS attacks out there.
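Both the Snort ICMP case and the FTP wildcard case above come down to one defect: input taken off the wire is parsed before anyone checks that it is big enough, or well-formed enough, to parse. The following is an added example written for this page, not Snort's code or Microsoft's; it puts a parser with exactly that defect next to a hardened one for the ICMP header, using the echo layout from RFC 792 and the RFC 1071 checksum. The packet bytes are constructed inline, and `parser_crashes` is a helper invented here to make the behaviour observable.

```python
import struct

# ICMP echo header layout (RFC 792): type(1) code(1) checksum(2) identifier(2) sequence(2).
ICMP_HEADER_LEN = 8
ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum. Computed over a message whose
    checksum field is already filled in, a correct message yields 0."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd-length message for 16-bit summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:   # fold the end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Constructed test fixture: a well-formed echo request with a valid checksum."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = internet_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp_unchecked(data: bytes) -> dict:
    """The shape of the defect: slice and unpack the header without ever
    checking that eight bytes are present. A one-byte message makes
    struct.unpack raise; in C the same read runs past the buffer."""
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", data[:ICMP_HEADER_LEN])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "identifier": ident, "sequence": seq, "payload": data[ICMP_HEADER_LEN:]}


def parse_icmp_checked(data: bytes):
    """Hardened parser: enforce the minimum header size first, then verify
    the checksum, and reject (return None) instead of crashing on bad input."""
    if len(data) < ICMP_HEADER_LEN:
        return None  # truncated: too short to be an ICMP message at all
    if internet_checksum(data) != 0:
        return None  # corrupted or forged contents
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", data[:ICMP_HEADER_LEN])
    return {"type": icmp_type, "code": code, "checksum": csum,
            "identifier": ident, "sequence": seq, "payload": data[ICMP_HEADER_LEN:]}


def parser_crashes(parser, data: bytes) -> bool:
    """Invented helper: True if the parser raises on the input, which is
    the behaviour a sensor such as an IDS must never have."""
    try:
        parser(data)
    except struct.error:
        return True
    return False


if __name__ == "__main__":
    tiny = b"\x08"  # a one-byte ICMP "message", the kind of input the text describes
    print("unchecked parser crashes on 1-byte input:", parser_crashes(parse_icmp_unchecked, tiny))
    print("checked parser result on 1-byte input:", parse_icmp_checked(tiny))
    good = build_echo_request(0x1234, 1, b"hello")
    print("checked parser on a valid echo request:", parse_icmp_checked(good))
```

The length check is the part the page says Snort v1.8.3 lacked; the checksum check is the cheap second gate that throws away corrupted or forged messages before any further logic runs on them. Either check is a few lines, which is the point: the cost of validating input is tiny next to the cost of a sensor that can be switched off by a single packet.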

The other way to deny service is resource depletion. A resource depletion DoS attack works by swamping a service with so much normal traffic that legitimate users cannot gain access to it. An attacker overrunning a service with normal traffic can deplete finite resources such as bandwidth, memory, and processor cycles. A classic memory exhaustion DoS is a SYN flood. A SYN flood takes advantage of the TCP three-way handshake. The handshake starts with the client sending a TCP SYN packet. The host then sends a SYN-ACK in response. The handshake is finished when the client answers with an ACK. If the host does not receive the returned ACK, it sits idle and waits with the session half-open. Every open session consumes a certain amount of memory. If enough three-way handshakes are started and never completed, the host consumes all available memory waiting for ACKs. The traffic produced by a SYN flood is normal in appearance. Most servers these days are configured to leave only a certain number of TCP connections open. Another typical resource depletion attack is the Smurf attack.
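The handshake and the half-open table described above, as an added illustration written for this page (not code from any particular server or IDS): a small Python model of a server's half-open connection table with the entry cap the text mentions, driven by a constructed trace of legitimate clients followed by a burst of SYNs whose sources never ACK, plus the per-second SYN-to-ACK ratio check an IDS could run over the same trace. Addresses, counts and thresholds are invented.

```python
from dataclasses import dataclass, field


@dataclass
class HalfOpenTable:
    """Models the server-side table of connections that have received a SYN,
    been answered with a SYN-ACK, and are still waiting for the client's ACK."""
    max_entries: int            # cap on simultaneous half-open connections
    timeout: float = 60.0       # seconds a half-open entry is kept before it is dropped
    entries: dict = field(default_factory=dict)  # (src_ip, src_port) -> SYN arrival time
    refused: int = 0            # SYNs dropped because the table was full
    completed: int = 0          # handshakes finished with a matching ACK

    def on_syn(self, src, now):
        self.expire(now)
        if len(self.entries) >= self.max_entries:
            self.refused += 1   # this is the denial: a new client cannot get a slot
            return False
        self.entries[src] = now
        return True

    def on_ack(self, src):
        if src not in self.entries:
            return False        # ACK with no pending SYN: ignore
        del self.entries[src]
        self.completed += 1
        return True

    def expire(self, now):
        stale = [k for k, t in self.entries.items() if now - t > self.timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)


def build_events():
    """Constructed trace: 10 legitimate clients that complete the handshake,
    then 500 SYNs from distinct sources that never ACK (t = 10.0 .. 10.5s),
    then one more legitimate client arriving after the burst."""
    events = []
    for i in range(10):
        src = (f"10.0.0.{i + 1}", 40000 + i)
        events.append((float(i), "SYN", src))
        events.append((i + 0.01, "ACK", src))
    for i in range(500):
        src = (f"198.51.100.{i % 250 + 1}", 50000 + i)
        events.append((10.0 + i / 1000, "SYN", src))
    late = ("10.0.0.99", 40099)
    events.append((11.0, "SYN", late))
    events.append((11.01, "ACK", late))
    return events


def run_scenario(max_entries):
    """Replay the trace against a table with the given cap and return it."""
    table = HalfOpenTable(max_entries=max_entries)
    for now, kind, src in sorted(build_events()):
        if kind == "SYN":
            table.on_syn(src, now)
        else:
            table.on_ack(src)
    return table


def detect_syn_flood(events, min_syns=100, max_completion=0.5):
    """IDS-style heuristic: bucket the trace by second and flag any second with
    many SYNs and a low fraction of matching ACKs. Returns the flagged seconds."""
    buckets = {}
    for now, kind, _src in events:
        b = buckets.setdefault(int(now), {"SYN": 0, "ACK": 0})
        b[kind] += 1
    return [sec for sec, c in sorted(buckets.items())
            if c["SYN"] >= min_syns and c["ACK"] / c["SYN"] < max_completion]


if __name__ == "__main__":
    capped, uncapped = run_scenario(128), run_scenario(10**6)
    print("capped  : half-open", len(capped.entries), "refused", capped.refused, "completed", capped.completed)
    print("uncapped: half-open", len(uncapped.entries), "refused", uncapped.refused, "completed", uncapped.completed)
    print("flood detected in seconds:", detect_syn_flood(build_events()))
```

With the cap, the table stops at 128 entries and the legitimate client arriving after the burst is refused, which is exactly the denial the page describes; without the cap the table holds all 500 entries and would keep growing for as long as the burst lasts. The detector flags the burst second because the traffic, while normal in appearance packet by packet, has a SYN-to-ACK ratio no population of real clients produces. Real stacks go further with SYN cookies, which let the server avoid storing any state for a half-open connection at all.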

A Smurf attack works by taking advantage of open network broadcast addresses. A broadcast address forwards packets to every host on the destination subnet, and every host on that subnet responds to the source address specified in the traffic sent to the broadcast address. An attacker sends a stream of ICMP echo requests (pings) to a broadcast address, which has the effect of amplifying a single ICMP echo request as much as 250 times. Additionally, the attacker spoofs the source address so that the target receives all the ICMP echo reply traffic. An attacker with a 128 Kb/s DSL connection can conceivably produce a 32 Mb/s Smurf flood. DoS attacks commonly use spoofed IP addresses because the attack succeeds even if the reply is misdirected. The attacker needs no response, and in cases like the Smurf attack wants at all costs to avoid one. This makes DoS attacks difficult to defend against, and even more difficult to trace.
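From the defender's side, the two things worth checking for the Smurf pattern above are whether your own subnet is being used as the amplifier (echo requests arriving for its broadcast address) and whether one of your hosts is the spoofed target (far more echo replies, from far more distinct repliers, than requests it ever sent). The following is an added example written for this page, not a tool the text refers to; the flow records, the 192.0.2.0/24 subnet and the alert thresholds are all constructed.

```python
import ipaddress
from collections import Counter, defaultdict, namedtuple

# One ICMP flow record, constructed here; roughly what a flow exporter or a
# capture summary gives a defender. icmp_type 8 = echo request, 0 = echo reply.
Flow = namedtuple("Flow", "src dst icmp_type")

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed local subnet


def build_flows():
    """Constructed trace: one normal ping between two internal hosts, then four
    echo requests to the subnet broadcast address carrying a spoofed source, each
    answered by 50 internal hosts, so the spoofed source receives 200 replies."""
    flows = [Flow("192.0.2.5", "192.0.2.6", 8), Flow("192.0.2.6", "192.0.2.5", 0)]
    victim = "203.0.113.10"
    for _ in range(4):
        flows.append(Flow(victim, "192.0.2.255", 8))
        for h in range(50):
            flows.append(Flow(f"192.0.2.{h + 10}", victim, 0))
    return flows


def broadcast_echo_requests(flows, nets=LOCAL_NETS):
    """Reflector check: echo requests addressed to a local broadcast address.
    Any hit means the subnet is being offered up as an amplifier."""
    bcast = {str(n.broadcast_address) for n in nets}
    return [f for f in flows if f.icmp_type == 8 and f.dst in bcast]


def amplification_report(flows):
    """Per IP: echo requests it sent, echo replies it received, how many distinct
    hosts replied, and the reply-to-request ratio (the observed amplification)."""
    requests_sent = Counter(f.src for f in flows if f.icmp_type == 8)
    replies_recv = Counter(f.dst for f in flows if f.icmp_type == 0)
    reply_sources = defaultdict(set)
    for f in flows:
        if f.icmp_type == 0:
            reply_sources[f.dst].add(f.src)
    report = {}
    for ip in set(requests_sent) | set(replies_recv):
        sent, got = requests_sent[ip], replies_recv[ip]
        report[ip] = {
            "requests_sent": sent,
            "replies_received": got,
            "distinct_repliers": len(reply_sources[ip]),
            "amplification": got / sent if sent else float("inf"),
        }
    return report


def smurf_victims(flows, min_replies=100, min_repliers=20, min_amplification=10.0):
    """Victim check: hosts drowning in replies they did not ask for. Thresholds are
    invented; a real deployment tunes them to the network's normal ping volume."""
    rep = amplification_report(flows)
    return sorted(ip for ip, r in rep.items()
                  if r["replies_received"] >= min_replies
                  and r["distinct_repliers"] >= min_repliers
                  and r["amplification"] >= min_amplification)


if __name__ == "__main__":
    flows = build_flows()
    print("echo requests to local broadcast:", len(broadcast_echo_requests(flows)))
    print("suspected Smurf victims:", smurf_victims(flows))
    print("report:", amplification_report(flows)["203.0.113.10"])
```

The reflector check points at the router: refusing to forward directed broadcasts (the default that RFC 2644 asks of routers) removes the amplifier, and it is the one fix that helps other people's networks as well as your own. The victim check is the one an IDS on the target's side can actually run, since the only traffic it sees is the reply flood; the request-to-reply ratio and the spread of repliers are what separate that flood from an ordinary burst of pings.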

Further Reading: