Tech Notes

Sunday, February 05, 2012

Hardening the TCP/IP stack to SYN attacks in Linux

Friends,

Although I am having limited experience in Linux so thought of publishing Solaris Tuning Parameters First. While got lots ofrequest for Linux so compliling the hardning parameters of Linux First. Please feel free to add your comments if some thing I missed in this part.

Linux operating systems, has implemented a SYN cookies mechanism which can be enabled in the following way:

# echo 1 > /proc/sys/net/ipv4/tcp_syncookies

Note that to make this change permanent we need to create a startup file that sets this variable. We must do the same operation for other UNIX variables described because the values for these variables will return to default upon system reboot.

SYN cookies protection is especially useful when the system is under a SYN flood attack and source IP addresses of SYN packets are also forged (a SYN spoofing attack). This mechanism allows construction of a packet with the SYN and ACK flags set and which has a specially crafted initial sequence number (ISN), called a cookie. The value of the cookie is not a pseudo-random number generated by the system but instead is the result of a hash function. This hash result is generated from information like: source IP, source port, destination IP, destination port plus some secret values. During a SYN attack the system generates a response by sending back a packet with a cookie, instead of rejecting the connection when the SYN queue is full. When a server receives a packet with the ACK flag set (the last stage of the three-way handshake process) then it verifies the cookie. When its value is correct, it creates the connection, even though there is no corresponding entry in the SYN queue. Then we know that it is a legitimate connection and that the source IP address was not spoofed. It is important to note that the SYN cookie mechanism works by not using the backlog queue at all, so we don't need to change the backlog queue size. More information about SYN cookies can be found at http://cr.yp.to/syncookies.html.

Also note that the SYN cookies mechanism works only when the CONFIG_SYNCOOKIES option is set during kernel compilation.

A tcp_max_syn_backlog variable defines how many half-open connections can be kept by the backlog queue. For instance 256 is a total number of half-open connections handled in memory by Linux RedHat 7.3. The TCP/IP stack variables can be configured by sysctl or standard Unix commands. The following example shows how to change the default size of the backlog queue by the sysctl command:

# sysctl -w net.ipv4.tcp_max_syn_backlog="2048"

A tcp_synack_retries variable is responsible for controlling the number of retransmissions in Linux operating system. Its default value is set to 5 for most Linux operating systems, which causes the half-open connection to be removed after 3 minutes. In the below table there are calculations for other values.

# sysctl -w net.ipv4.tcp_synack_retries="2048"

Value

Time of retransmission
Total time to keep half-open connections in the backlog queue

1

in 3rd second

9 seconds

2

in 3rd and 9th second

21 seconds

3

in 3rd , 9th and 21st second

45 seconds

Thursday, January 19, 2012

Hardening the TCP/IP stack to SYN attacks in Windows

All of us know how problematic protection against SYN denial of service attacks can be. Several methods, more or less effective, are usually used. In almost every case proper filtering of packets is a viable solution. In addition to creating packet filters, the modification of the TCP/IP stack of a given operating system can be performed by an administrator.

While SYN attacks may not be entirely preventable, tuning the TCP/IP stack will help reduce the impact of SYN attacks while still allowing legitimate client traffic through. It should be noted that some SYN attacks do not always attempt to upset servers, but instead try to consume all of the bandwidth of your Internet connection. This kind of flood is outside the scope.

What can an administrator do when his servers are under a classic, non-bandwidth flooding SYN attack? One of most important steps is to enable the operating system's built-in protection mechanisms like SYN cookies or SynAttackProtect. Additionally, in some cases it is worth tuning parameters of the TCP/IP stack. Changing the default values of stack variables can be another layer of protection and help better secure your hosts. We will concentrate on:

• Increasing the queue of half-open connections (in the SYN RECEIVED state).

• Decreasing the time period of keeping a pending connection in the SYN RECEIVED state in the queue.

Which is accomplished by decreasing the time of the first packet retransmission and by either decreasing the number of packet retransmissions or by turning off packet retransmissions entirely. The process of packet retransmissions is performed by a server when it doesn't receive an ACK packet from a client. A Packet with the ACK flag finalizes the process of the three-way handshake.

Note that an attacker can simply send more packets with the SYN flag set and then the above tasks will not solve the problem. However, we can still increase the likelihood of creating a full connection with legitimate clients by performing the above operations.

We should remember that our modification of variables will change the behavior of the TCP/IP stack. In some cases the values can be too strict. So, after the modification we have to make sure that our server can properly communicate with other hosts. For example, the disabling of packet retransmissions in some environments with low bandwidth can cause a legitimate request to fail.

We will discuss tuning parameters for Microsoft Windows first

These variables are similar or the same in current releases.

Definitions: SYN flooding and SYN spoofing

A SYN flood is a type of Denial of Service attack. We can say that a victim host is under a SYN flooding attack when an attacker tries to create a huge amount of connections in the SYN RECEIVED state until the backlog queue has overflowed. The SYN RECEIVED state is created when the victim host receives a connection request (a packet with SYN flag set) and allocates for it some memory resources. A SYN flood attack creates so many half-open connections that the system becomes overwhelmed and cannot handle incoming requests any more.

To increase an effectiveness of a SYN flood attack, an attacker spoofs source IP addresses of SYN packets. In this case the victim host cannot finish the initialization process in a short time because the source IP address can be unreachable. This malicious operation is called a SYN spoofing attack.

We need to know that the process of creating a full connection takes some time. Initially, after receiving a connection request (a packet with SYN flag set), a victim host puts this half-open connection to the backlog queue and sends out the first response (a packet with SYN and ACK flags set). When the victim does not receive a response from a remote host, it tries to retransmit this SYN+ACK packet until it times out, and then finally removes this half-open connection from the backlog queue. In some operating systems this process for a single SYN request can take about 3 minutes!

The other important information to know is that the operating system can handle only a defined amount of half-open connections in the backlog queue. This amount is controlled by the size of the backlog queue. For instance, the default backlog size is 256 for RedHat 7.3 and 100 for Windows 2000 Professional. When this size is reached, the system will no longer accept incoming connection requests.

How to detect a SYN attack

It is very simple to detect SYN attacks. The netstat command shows us how many connections are currently in the half-open state. The half-open state is described as SYN_RECEIVED in Windows and as SYN_RECV in Unix systems.

# netstat -n -p TCP

tcp 0 0 10.100.0.200:21 237.177.154.8:25882 SYN_RECV -

tcp 0 0 10.100.0.200:21 236.15.133.204:2577 SYN_RECV -

tcp 0 0 10.100.0.200:21 127.160.6.129:51748 SYN_RECV -

tcp 0 0 10.100.0.200:21 230.220.13.25:47393 SYN_RECV -

tcp 0 0 10.100.0.200:21 227.200.204.182:60427 SYN_RECV -

tcp 0 0 10.100.0.200:21 232.115.18.38:278 SYN_RECV -

tcp 0 0 10.100.0.200:21 229.116.95.96:5122 SYN_RECV -

tcp 0 0 10.100.0.200:21 236.219.139.207:49162 SYN_RECV -

tcp 0 0 10.100.0.200:21 238.100.72.228:37899 SYN_RECV -

We can also count how many half-open connections are in the backlog queue at the moment. In the example below, 769 connections (for TELNET) in the SYN RECEIVED state are kept in the backlog queue.

# netstat -n -p TCP | grep SYN_RECV | grep :23 | wc -l

769

The other method for detecting SYN attacks is to print TCP statistics and look at the TCP parameters which count dropped connection requests. While under attack, the values of these parameters grow rapidly.

In this example we watch the value of the TcpHalfOpenDrop parameter on a Sun Solaris machine.

# netstat -s -P tcp | grep tcpHalfOpenDrop

tcpHalfOpenDrop = 473

It is important to note that every TCP port has its own backlog queue, but only one variable of the TCP/IP stack controls the size of backlog queues for all ports.

The backlog queue

The backlog queue is a large memory structure used to handle incoming packets with the SYN flag set until the moment the three-way handshake process is completed. An operating system allocates part of the system memory for every incoming connection. We know that every TCP port can handle a defined number of incoming requests. The backlog queue controls how many half-open connections can be handled by the operating system at the same time. When a maximum number of incoming connections is reached, subsequent requests are silently dropped by the operating system.

As mentioned before, when we detect a lot of connections in the SYN RECEIVED state, host is probably under a SYN flooding attack. Moreover, the source IP addresses of these incoming packets can be spoofed. To limit the effects of SYN attacks we should enable some built-in protection mechanisms. Additionally, we can sometimes use techniques such as increasing the backlog queue size and minimizing the total time where a pending connection in kept in allocated memory (in the backlog queue).

Increasing the backlog queue

Under a SYN attack, we can modify the backlog queue to support more connections in the half-open state without denying access to legitimate clients. In some operating systems, the value of the backlog queue is very low and vendors often recommend increasing the SYN queue when a system is under attack.

Increasing the backlog queue size requires that a system reserve additional memory resources for incoming requests. If a system has not enough memory for this operation, it will have an impact on system performance. We should also make sure that network applications like Apache or IIS can accept more connections.

Decreasing total time of handling connection request

As we know, SYN flooding/spoofing attacks are simply a series of SYN packets, mostly from forged IP addresses. In the last section we tried to increase the backlog queue. Now that our systems can handle more SYN requests, we should decrease the total time we keep half-open connections in the backlog queue. When a server receives a request, it immediately sends a response with the SYN and ACK flags set, puts this half-open connection into the backlog queue, and then waits for a packet with the ACK flag set from the client. When no response is received from the client, the server retransmits a response packet (with the SYN and ACK flags set) several times (depending on default value in each operating system) by giving the client a chance to send the ACK packet again. It is clear that when the source IP address of client was spoofed, the ACK packet will never arrive. After a few minutes the server removes this half-open connection. We can speed up this time of removing connections in the SYN RECEIVED state from the backlog queue by changing time of first retransmission and by changing the total number of retransmissions.

Another technique of protection against SYN attacks is switching off some TCP parameters that are always negotiated during the three-way handshake process. Some of these parameters are automatically turned off by mechanisms described in the first section (SynAttackProtect and Syncookies).

Now, I will describe TCP/IP stack variables which allow a decrease in the time half-open connections are kept in the backlog queueBuilt-in protection mechanisms of Windows

The most important parameter in Windows is SynAttackProtect. Enabling this parameter allows the operating system to handle incoming connections more efficiently. The protection can be set by adding a SynAttackProtect DWORD value to the following registry key:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

In general, when a SYN attack is detected the SynAttackProtect parameter changes the behavior of the TCP/IP stack. This allows the operating system to handle more SYN requests. It works by disabling some socket options, adding additional delays to connection indications and changing the timeout for connection requests.

When the value of SynAttackProtect is set to 1, the number of retransmissions is reduced and according to the vendor, the creation of a route cache entry is delayed until a connection is made. The recommended value of SynAttackProtect is 2, which additionally delays the indication of a connection to the Windows Socket until the three-way handshake is completed. During an attack, better performance in handling connections is achieved by disabling the use of a few parameters (these parameters are usually used by the system during the process of creating new connections). The TCPInitialRTT parameter, which defines the time of the first retransmission, will no longer work. It's impossible to negotiate the window size value. Also, the scalable windows option is disabled on any socket.

As we can see, by enabling the SynAttackProtect parameter we don't change the TCP/IP stack behavior until under a SYN attack. But even then, when SynAttackProtect starts to operate, the operating system can handle legitimate incoming connections.

The operating system enables protection against SYN attacks automatically when it detects that values of the following three parameters are exceeded. These parameters are TcpMaxHalfOpen, TcpMaxHalfOpenRetried and TcpMaxPortsExhausted.

To change the values of these parameters, first we have to add them to the same registry key as we made for SynAttackProtect.

The TcpMaxHalfOpen registry entry defines the maximum number of SYN RECEIVED states which can be handled concurrently before SYN protection starts working. The recommended value of this parameter is 100 for Windows 2000 Server and 500 for Windows 2000 Advanced Server.

TcpMaxHalfOpenRetried defines the maximum number of half-open connections, for which the operating system has performed at least one retransmission, before SYN protection begins to operate. The recommended value is 80 for Windows 2000 Server, and 400 for Advanced Server.

The TcpMaxPortsExhausted registry entry defines the number of dropped SYN requests, after which the protection against SYN attacks starts to operate. Recommended value is 5.

Aside from described above TcpMaxHalfOpen and TcpMaxHalfOpenRetried variables, in Windows the number of connections handled in the half-open state can be set through a dynamic backlog. Configuration of this dynamic backlog is accomplished via the AFD.SYS driver. This kernel-mode driver is used to support Windows Socket applications like FTP and Telnet. To increase the number of half-open connections, AFD.SYS provides four registry entries. All of these values, corresponding to AFD.SYS, are located under the following registry key:

HKLM\System\CurrentControlSet\Services\AFD\Parameters

The EnableDynamicBacklog registry value is a global switch to enable or disable a dynamic backlog. Setting it to 1 enables the dynamic backlog queue.

MinimumDynamicBacklog controls the minimum number of free connections allowed on a single TCP port. If the number of free connections drops below this value, then additional free connections are created automatically. Recommended value is 20.

The MaximumDynamicBacklog registry value defines the sum of active half-open connections and the maximum number of free connections. When this value is exceeded, no more free connections will be created by a system. Microsoft suggests that this value should not exceed 20000.

The last DynamicBacklogGrowthDelta parameter controls the number of free connections to be created when additional connections are necessary. Recommended value: 10.

The table below shows the recommended values for the AFD.SYS driver:

Subkey Registry Value Entry Format Value

EnableDynamicBacklog DWORD 1

MinimumDynamicBacklog DWORD 20

MaximumDynamicBacklog DWORD 20000

DynamicBacklogGrowthDelta DWORD 10

In Windows, the default time for a first retransmission is set to 3 seconds (3000 milliseconds) and can be changed by modifying the value of the TcpInitialRtt registry entry (for every interface). For example, to decrease time of a first retransmission to 2 seconds we have to set this registry value to 2000 milliseconds in decimal format. The number of retransmissions (packets with the SYN and ACK flags set) is controlled by a TcpMaxConnectResponseRetransmissions registry parameter which has to be added to HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry key.

The table below contains a few examples of values and corresponding times for keeping half-open connections in the backlog queue (the time of a first retransmission is set to 3 seconds).

<><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><> <><>

Value	Time of retransmission	Total time to keep half-open connections in the backlog queue
1000	-	1 second
5000	in 2nd second	5 seconds
10000	in 2nd and 5th second	10 seconds
60000	In 2nd, 5th, 11th, 23rd and 47th second	1 minute

Tuesday, December 06, 2011

Understand Data Loss Prevention System for Deployment

First of all please make a note that DLP is about risk reduction, not threat elimination. It's important to know what kinds of policies can be defined and what enforcement options are available before beginning a deployment. Later, the proper workflow needs to be in place to handle policy violations. While human resources and legal teams are rarely involved in a virus infection, they may be intimately involved when an employee tries to send a customer list to a competitor. Setting up a good baseline early; know what data needs protection, the capabilities of the tools in place to protect it, and the workflow for handling incidents will actually easy the DLP implementation in any organization. The below mentioned Small write-up will help Security Council members to understand what DLP is what are industry best practices adopted by different organization for DLP Implementation.
Basically now data protection efforts of organization are shifting toward the internal users (Vendor/Employee) as compare to external threats like earlier. As 80% of breaches are reported by internal users accidental or intentional only 20% are by external forces. Hence now companies are interested to do the right investment decision and like to protect any potential breached due to their own employees. There are many avenues in which confidential data or proprietary secrets can leave an organization via the Internet:

• Email
• Webmail
• HTTP (message boards, blogs and other websites)
• Instant Messaging
• Peer-to-peer sites and sessions
• FTP

Current firewall and other network security solutions do not include data loss prevention capabilities to secure data in motion. Missing are such important controls as content scanning, blocking of communications containing sensitive data and encryption. While companies have attempted to address the data loss problem through corporate policies and employee education, without appropriate controls in place, employees can (either through ignorance or malicious disregard) still leak confidential company information.

If categorize all the avenues available to employees today to electronically expose sensitive data, the scope of the data loss problem is an order of magnitude greater than threat protection from outsiders. Consider the extent of the effort required to cover all the loss vectors an organization has the potential to encounter:

• Data in motion – Any data that is moving through the network to the outside via Internet.
(Solution provided by: Web-sense, Symantec and CA)
• Data at rest – Data that resides in files systems, databases and other storage methods.
(Solution provided by: Iron port, CA, Vontu)
• Data at the endpoint – Data at the endpoints of the network (e.g. data on USB devices, External drives, MP3 players, laptops, and other highly-mobile devices) (Solution provided by: Digital Guardian: SOPHOS)

There are two different types of Content Aware DLP solutions available:

1. Single Channel solutions – Focuses on the data loss channel we want to address such as email or Web.
2. Enterprise DLP solutions – Involves lengthy implementations and big budgets. It can also be very disruptive to the organization but delivers much more coverage.

DLP is shipped with hundreds of pre-defined policies. Port authority by WebSense boasts over 140 pre-defined templates for major regulatory statutes. These policies have rules for anywhere from identification of social security numbers to US regulatory laws. The very popular ones are HIPAA, Sarbanes Oxley, GLBA, etc. In addition, vendors are even willing to create a custom policy based on customer requirements. This is based on the business model of a particular customer. Default policies can be fine tuned to suit our needs and gets even more accurate when data matching is applied against context. For Ex. If a payroll employee is observed viewing someone else’s remuneration package, this event is a normal behavior and can be ignored. However, if this event were to occur from another department, the DLP should raise a flag and hence it should be escalated. One key to point to note in writing a signature is the tradeoff between false positives and false negatives. Some vendors call them wide and narrow rules. If the matching occurs at broader scope, it can result in a high number of false positives. On the other hand, we run into the risk of not catching a true positive, if we were to keep the rules too narrow. This is a business decision an organization should make based on the sensitivity level of the content vs. resources allocated for remediation. After all, customers do not want to end up in a similar situation as they are with IDS.

While making a DLP Investment I would advise following points should be considered.

1. Ensure Effective, Comprehensive Coverage :
Means overall, a DLP solution must be able to effectively and comprehensively detect attempted policy violations. This includes:
• Multi-protocol monitoring and prevention
• Content-level analysis of all major file and attachment types
• Selective blocking and/or quarantining of messages
• Automatic enforcement of corporate encryption policies.

2. Make the Solution Unobtrusive:
The next important aspect for a DLP solution is that it’s non-intrusive. Overcoming the challenges of maintaining effective communications (while ensuring management and control of customer and sensitive information) requires both well thought out policies, and processes for monitoring communications content.

3. Should have a Work Flow, Administration and Reporting capabilities:
To help keep total cost of ownership low, the selected product should be simple and fast to implement effectively within the organization’s infrastructure – leveraging plug-and-play capabilities to minimize integration requirements. Robust reporting capabilities allow policy officers to readily access information to:
• Analyze and improve the organization’s DLP capabilities
• Automatically deliver decision-making information in a timely manner
• Easily generate instant reports for executives.

4. Combination of Network/End Point and Heterogeneous.

Friday, November 18, 2011

Design a right Firewall Topology for your Network

With network security becoming such a hot topic, you may have come under the microscope about your firewall and network security configuration. You may have even been assigned to implement or reassess a firewall design. In either case, you need to be familiar with the most common firewall configurations and how they can increase security. In this article, I will introduce you to some common firewall configurations and some best practices for designing a secure network topology

Setting up a firewall security strategy
At its most basic level, a firewall is some sort of hardware or software that filters traffic between your company’s network and the Internet. With the large number of hackers roaming the Internet today and the ease of downloading hacking tools, every network should have a security policy that includes a firewall design.

If your manager is pressuring you to make sure that you have a strong firewall in place and to generally beef up network security, what is your next move? Your strategy should be twofold:

Examine your network and take account of existing security mechanisms (routers with access lists, intrusion detection, etc.) as part of a firewall and security plan.

Make sure that you have a dedicated firewall solution by purchasing new equipment and/or software or upgrading your current systems.

Keep in mind that a good firewall topology involves more than simply filtering network traffic. It should include:

· A solid security policy.

· Traffic checkpoints.

· Activity logging.

· Limiting exposure to your internal network.

Before purchasing or upgrading your dedicated firewall, you should have a solid security policy in place. A firewall will enforce your security policy, and by having it documented, there will be fewer questions when configuring your firewall to reflect that policy. Any changes made to the firewall should be amended in the security policy.

One of the best features of a well-designed firewall is the ability to funnel traffic through checkpoints. When you configure your firewall to force traffic (outbound and inbound) through specific points in your firewall, you can easily monitor your logs for normal and suspicious activity.

How do you monitor your firewall once you have a security policy and checkpoints configured? By using alarms and enabling logging on your firewall, you can easily monitor all authorized and unauthorized access to your network. You can even purchase third-party utilities to help filter out the messages you don't need.

It's also a good practice to hide your internal network address scheme from the outside world. It is never wise to let the outside world know the layout of your network.

Firewall terminology
Before we look at specific firewall designs, let's run through some basic firewall terminology you should become familiar with:

· Gateway—A gateway is usually a computer that acts as a connector from a private network to another network, usually the Internet or a WAN link. A firewall gateway can transmit information from the internal network to that Internet in addition to defining what should and should not be able to pass between the internal network and the Internet.

· Network Address Translation (NAT)—NAT hides the internal addresses from the external network (Internet) or outside world. If your firewall is using NAT, all internal addresses are translated to public IP addresses when leaving the internal network, thus concealing their original identity.

· Proxy servers—A proxy server replaces the network's IP address and effectively hides the actual IP address from the rest of the Internet. Examples of proxy servers include Web proxies, circuit level gateways, and application level gateways.

· Packet filtering firewall—This is a simple firewall solution that is usually implemented on routers that filter packets. The headers of network packets are inspected when going through the firewall. Depending on your rules, the packet is either accepted or denied. Because most routers can filter packets, this is an easy way to quickly configure firewall rules to accept or deny packets. However, it's difficult for a packet filtering firewall to differentiate between a benign packet and a malicious packet.

· Screening routers—This is a packet filtering router that contains two network interface cards. The router connects two networks and performs packet filtering to control traffic between the networks. Security administrators configure rules to define how packet filtering is done. This type of router is also known as an outside router or border router.

· Application level gateway—This type of gateway allows the network administrator to configure a more complex policy than a packet filtering router. It uses a specialized program for each type of application or service that needs to pass through the firewall.

· Bastion host—A bastion host is a secured computer that allows an untrusted network (such as the Internet) access to a trusted network (your internal network). It is typically placed between the two networks and is often referred to as an application level gateway.

· Demilitarized zone (DMZ)—A DMZ sits between your internal network and the outside world, and it's the best place to put your public servers. Examples of systems to place on a DMZ include Web servers and FTP servers.

Now that we have gone over some of the basics, it is time to discuss common firewall designs.
Screening router
A screening router is one of the simplest firewall strategies to implement. This is a popular design because most companies already have the hardware in place to implement it. A screening router is an excellent first line of defense in the creation of your firewall strategy. It's just a router that has filters associated with it to screen outbound and inbound traffic based on IP address and UDP and TCP ports.

If you decide to implement this strategy, you should have a good understanding of TCP/IP and how to create filters correctly on your router(s). Failure to implement this strategy properly can result in dangerous traffic passing through your filters and onto your private LAN. If this is your only device, and a hacker is able to pass through it, he or she will have free rein. It's also important to note that this type of configuration doesn't hide your internal network IP addresses and typically has poor monitoring and logging capabilities.

            If you have little or no money to spend and need a firewall configuration quickly, this method will cost you the least amount of money and will let you use existing routers. It's an excellent start to your firewall strategy and is a good device to use on networks that use other security tools as well.

Screened host firewalls
            A screened host firewall configuration uses a single homed bastion host in addition to a screening router. This design uses packet filtering and the bastion host as security mechanisms and incorporates both network- and application-level security. The router performs the packet filtering, and the bastion host performs the application-side security. This is a solid design, and a hacker must penetrate the router and the bastion host to compromise your internal network.
            Also, by using this configuration as an application gateway (proxy server), you can hide your internal network configuration by using NAT translation.

The above design configures all incoming and outgoing information to be passed through the bastion host. When information hits the screening router, the screening router filters all data through the bastion host prior to the information passing to the internal network.
You can go one step further by creating a dual-homed bastion host firewall. This configuration has two network interfaces and is secure because it creates a complete physical break in your network.

Demilitarized zone (DMZ) topology
A DMZ is the most common and secure firewall topology. It is often referred to as a screened subnet. A DMZ creates a secure space between your Internet and your network.

A DMZ will typically contain the following:

· Web server

· Mail server

· Application gateway

· E-commerce systems (It should contain only your front-end systems. Your back-end systems should be on your internal network.)

A DMZ is considered very secure because it supports network- and application-level security in addition to providing a secure place to host your public servers. A bastion host (proxy), modem pools, and all public servers are placed in the DMZ.

Furthermore, the outside firewall protects against external attacks and manages all Internet access to the DMZ. The inside firewall manages DMZ access to the internal network and provides a second line of defense if the external firewall is compromised. In addition, LAN traffic to the Internet is managed by the inside firewall and the bastion host on the DMZ. With this type of configuration, a hacker must compromise three separate areas (external firewall, internal firewall, and the bastion host) to fully obtain access to your LAN.

Many companies take it one step further by also adding an intrusion detection system (IDS) to their DMZ. By adding an IDS, you can quickly monitor problems before they escalate into major problems.

Defense in Depth: The operations factor

The first two pillars of the three-tiered Defense in Depth concept of network security: people and technology. The final pillar of Defense in Depth is operations. This phase of your security model is where policy meets reality.

Logic dictates that something within your network will break down--whether due to human error, malicious behavior, or hardware failure. Your operations plan must be sufficient to cope with these threats; to do so, it must meet five basic criteria: The plan must be comprehensively documented, widely supported, and it must reflect your current operations while allowing for both growth and the possibility of disaster

Thursday, September 15, 2011

Different type of cyber crimes and their investigation.

1. Hacking
Hacking in simple terms means illegal intrusion into a computer system without the permission of the computer owner/user.

Evidences to be secured: HDD, Mails with Header, Network Logs
Investigation Mechanism: IP Tracing, Location Tracing Mac address Verification and figure printing

2. Phishing
It is technique of pulling out confidential information from the bank/financial institutional account holders by deceptive means.

Evidences to be secured: Mails with Header, Network Logs.
Investigation Mechanism: Mail Tracing, IP Tracing, Location Tracing.

3. Credit Card Fraud
You simply have to type credit card number into www page off the vendor for online transaction if electronic transactions are not secured the credit card numbers can be stolen by the hackers who can misuse this card by impersonating the credit card owner.

Evidence to be secured: Transaction logs, network logs, product delivery address, sometime HDD.
Investigation Mechanism: Transaction Verification, IP Tracing, Location Tracing, Mac Address Verification and finger printing, log Analysis.

4. Denial of Service (SPAMMING)
This is an act by the criminal, who floods the bandwidth of the victim’s network or fills his e-mail box with spam mail depriving him of the services he is entitled to access or provide.

Evidences to be secured: Mails with Header, Network Logs.
Investigation Mechanism: Mail Tracing, IP Tracing, Location Tracing, Log Analysis.

5. VIRUS Dissemination
Malicious software that attaches itself to other software...
(Virus, worms, Trojan horse, Time bomb, Logic Bomb, Rabbit and Bacterium are the malicious software’s)

Evidences to be secured: HDD, Mails with Header, Network Logs.
Investigation Mechanism: Mail Tracing, IP Tracing, Location Tracing, Log Analysis, Finger printing.

6. Software Piracy
Theft of software through the illegal copying of genuine programs or the counterfeiting and
Distribution of products intended to pass for the original..
• Retail revenue losses worldwide are ever increasing due to this crime
• Can be done in various ways- End user copying, Hard disk loading, Counterfeiting, Illegal downloads from the internet etc..

Evidences to be secured: HDD, Mails with Header, Network Logs
Investigation Mechanism: Mail Tracing, Log Analysis, Finger printing.

7. Pornography
Pornography is the first consistently successful ecommerce product.
• Deceptive marketing tactics and mouse trapping technologies Pornography encourage customers

To access their websites.
• Anybody including children can log on to the internet and access websites with pornographic
Contents with a click of a mouse.
• Publishing, transmitting any material in electronic form which is lascivious or appeals to the prurient Interest is an offence under the provisions of section 67 of I.T. Act -2000.

Evidences to be secured: HDD, Network Logs
Investigation Mechanism: IP Tracing, Location Tracing, Log Analysis, Finger printing.

8. PAEDOPHILIES
THE SLAUGHTER OF INNOCENCE (Paedophilia or sexual attraction to children by an adult, is a sickness that does not discriminate by race, class, or age.

1. Instant access to other predators worldwide;
2. Open discussion of their sexual desires ways to lure victims;
3. Mutual support of their adult child sex philosophies;
4. Instant access to potential child victims worldwide;
5 Disguised identities for approaching children, even to the point of presenting as a member of teen groups;
6 Ready access to "teen chat rooms" to find out how and why to target as potential victims;
7 Shared ideas about Means to identify and track down home contact information;
8 Ability to build a long-term "Internet" relationship with a potential victim, prior to attempting to engage the child in physical contact.

Evidences to be secured: HDD, Mails with Header, Network Logs
Investigation Mechanism: Identity Verification, Mail Tracing, IP Tracing, Location Tracing, Log Analysis, Finger printing.

9. IRC Crime
Internet Relay Chat (IRC) servers have chat rooms in which people from anywhere the world can come together and chat with each other
• Criminals use it for meeting coconspirators.
• Hackers use it for discussing their exploits / sharing the techniques
• Pedophiles use chat rooms to allure small children
• Cyber Stalking - In order to harass a woman her telephone number is given to others as if she
Wants to befriend males
Evidences to be secured: HDD, Network Logs
Investigation Mechanism: Identity Verification, IP Tracing, Location Tracing, Log Analysis, Finger printing.

10. NET Extortion
Copying the company’s confidential data in order to extort said company for huge amount.

Evidences to be secured: HDD, Mails with Header, Network Logs
Investigation Mechanism: Identity Verification, Mail Tracing, IP Tracing, Location Tracing, Log Analysis, Finger printing.

11. Spoofing ( SMS Spoofing)
Getting one computer on a network to pretend to have the identity off another computer, usually one with special access privileges, so as to obtain access to the other computers on the network.

Evidences to be secured: Mails with Header, Network Logs
Investigation Mechanism: Mail Tracing, IP Tracing, Location Tracing, Log Analysis.

12. Threatening
Threats that can create a fear by using computers. Most of the time these threats are generated from email, blogs and social network posts.

Evidences to be secured: HDD, Mails with Header, Network Logs
Investigation Mechanism: Identity Verification, Mail Tracing, IP Tracing, Location Tracing, Log Analysis, Finger printing.

13. Identity Theft
Identity theft is the fastest growing crime in the U.S., with over nine million victims each year. Just being careful isn't enough to protect your identity. Identity theft occurs when someone uses your personal information, such as your Social Security number, name or credit card number, without your permission, to commit fraud or other crimes. A thief could take out a mortgage in your name or commit a crime and pretend to be you when caught. Thieves can even use your personal information to apply for a job or use your medical insurance! . (Information Technology Act 2000 Chapter IX Sec 43 (b))

Evidences to be secured: HDD, Mails with Header, Network Logs
Investigation Mechanism: Identity Verification, Mail Tracing, IP Tracing, Location Tracing, Log Analysis, Finger printing.

14. Carding
Carding is a term used for a process to verify the validity of stolen card data. The thief presents the card information on a website that has real-time transaction processing. If the card is processed successfully, the thief knows that the card is still good. The specific item purchased is immaterial, and the thief does not need to purchase an actual product; a Web site subscription or charitable donation would be sufficient. The purchase is usually for a small monetary amount, both to avoid using the card's credit limit, and also to avoid attracting the card issuer's attention. A website known to be susceptible to carding is known as a cardable website.
In the past, carders used computer programs called "generators" to produce a sequence of credit card numbers, and then test them to see which valid accounts were. Another variation would be to take false card numbers to a location that does not immediately process card numbers, such as a trade show or special event.

Evidence to be secured: Transaction logs, network logs, product delivery address, sometime HDD.
Investigation Mechanism: Transaction Verification, Identity Verification, IP Tracing, Location Tracing, Mac Address Verification and finger printing, log Analysis.

15. Cracking
Software cracking is the modification of software to remove or disable features which are considered undesirable by the person cracking the software, usually related to protection methods: copy protection, trial/demo version, serial number, hardware key, date checks, CD check or software annoyances like nag screens and adware.

Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password. The purpose of password cracking might be to help a user recover a forgotten password (though installing an entirely new password is less of a security risk, but involves system administration privileges), to gain unauthorized access to a system, or as a preventive measure by system administrators to check for easily crackable passwords. On a file-by-file basis, password cracking is utilized to gain access to digital evidence for which a judge has allowed access but the particular file's access is restricted.

Evidences to be secured: HDD, Applications and Systems Logs
Investigation Mechanism: IP Tracing, Location Tracing Mac address Verification and figure printing

16. Salami Attack
In such crime criminal makes insignificant changes in such a manner that such changes would go unnoticed. Criminal makes such program that deducts small amount like Rs. 2.50 per month from the
Account of all the customer of the Bank and deposit the same in his account. In this case no account holder will approach the bank for such small amount but criminal gains huge amount.

Evidences to be secured: Transaction Logs
Investigation Mechanism: Transaction Verification, Identity Verification, IP Tracing, Location Tracing, Mac Address Verification and finger printing, log Analysis.

17. Phreakers
Phreaking is a slang term coined to describe the activity of a culture of people who study, experiment with, or explore telecommunication systems, such as equipment and systems connected to public telephone networks. As telephone networks have become computerized, phreaking has become closely linked with computer hacking.[1] This is sometimes called the H/P culture (with H standing for hacking and P standing for phreaking).

The term phreak is a portmanteau of the words phone and freak, and may also refer to the use of various audio frequencies to manipulate a phone system. Phreak, phreaker, or phone phreak are names used for and by individuals who participate in phreaking. A large percentage of the phone Phreaks were blind.[2][3] Because identities were usually masked, an exact percentage cannot be calculated.
http://www.theregister.co.uk/2007/03/22/voip_fraud/

18. IP Infringement
An intellectual property infringement is the infringement or violation of an intellectual property right. There are several types of intellectual property rights, such as copyrights, patents, and trademarks. Therefore, an intellectual property infringement may for instance be a
Copyright infringement
Patent infringement
Trademark infringement
Techniques to detect (or deter) intellectual property infringement include:
Fictitious entry, such as:
Fictitious dictionary entry. An example is Esquivalience included in the New Oxford American Dictionary
Trap street, a fictitious street included on a map for the purpose of "trapping" potential copyright violators of the map
Evidences to be secured: HDD, Mails with Header

19. H/W S/W Sabotage
Sabotage is a deliberate action aimed at weakening another entity through subversion, obstruction, disruption, or destruction.
Evidences to be secured: Pictures of Damaged Hardware’s, and HDD for S/w

20. Cyber Terrorism
Premeditated, usually politically-motivated violence committed against civilians through the use of, or with the help of, computer technology.

Investigation Mechanism: Identity Verification, Mail Tracing, IP Tracing, Location Tracing, Log Analysis, Finger printing.

21. Cyber Vandalism
Damaging or destroying data rather than stealing or misusing them (as with cyber theft) is called cyber vandalism. This can include a situation where network services are disrupted or stopped.

Evidences to be secured: HDD, Mails with Header, Web Page Dumps of social Network Sites..
Investigation Mechanism: Identity Verification, Mail Tracing, IP Tracing, Location Tracing, Log Analysis, Finger printing.

22. Cyber Contraband
Transferring illegal items through the internet (such as encryption technology) that is banned in some locations.
• Sale Of Narcotics
• Sale & Purchase through net..
• There are web site which offer sale and shipment off contrabands drugs..
• They may use the techniques off steganography for hiding the messages..
• Sale Of Not Permitted Encryption Software and Hardware’s

23. Cyber Laundering
Electronic transfer of illegally-obtained monies with the goal of hiding its source and possibly its destination.
Evidences to be secured: Transaction Logs, Applications Logs, Mails with Header, Network Logs

24. Cyber Stalking
Cyberstalking is the use of the Internet or other electronic means to stalk or harass an individual, a group of individuals, or an organization. It may include false accusations, monitoring, making threats, identity theft and damage to data or equipment, the solicitation of minors for sex, or gathering information in order to harass.
Evidences to be secured: HDD, Applications and Systems Logs

25. CYBER Defamation
The Criminal sends emails containing defamatory matters to all concerned off the victim or post the defamatory matters on a website.(Disgruntled employee may do this against boss,, ex-boys friend against girl,, divorced husband against wife etc.)

Evidences to be secured: HDD, Mails with Header, Web Page Dumps of social Network Sites..
Investigation Mechanism: Identity Verification, Mail Tracing, IP Tracing, Location Tracing, Log Analysis, Finger printing.

26. Cyber Squatting
The misleading use of trademarks for Internet domain names. using a domain name with bad faith intent to profit from the goodwill of a trademark belonging to someone else. The cyber squatter then offers to sell the domain to the person or company who owns a trademark contained within the name at an inflated price.

Evidences to be secured: HDD, Mails with Header, Web Page Dumps of social Network Sites..
Investigation Mechanism: Identity Verification, Mail Tracing, IP Tracing, Location Tracing, Log Analysis, Finger printing.

27. Pay-Per-Click Click Fraud

28. Pump & dump schemes

"Pump and dump" schemes, also known as "hype and dump manipulation," involve the touting of a company's stock (typically microcap companies) through false and misleading statements to the marketplace. After pumping the stock, fraudsters make huge profits by selling their cheap stock into the market.

Pump and dump schemes often occur on the Internet where it is common to see messages posted that urge readers to buy a stock quickly or to sell before the price goes down, or a telemarketer will call using the same sort of pitch.

References:-
1. Mumbai Police Cyber Crime Awareness Program.
2. http://www.slideshare.net/sanjay_jhaa/cyber-crimeppt-1
3.http://www.redorbit.com/news/technology/2021986/cybersquatting_activity_jumped_28_percent_in_2010/index.html
4. http://www.wipo.int/pressroom/en/articles/2011/article_0010.html

Search This Blog