
Passive Network Attacks

The whole point of network snooping is to gather ``interesting'' information. There are a fair variety of utilities out there that are able to extract authentication information from e.g. telnet and remote X Windows sessions. These programs are often referred to as password sniffers, or just sniffers. Most likely, there are also tools out there for extracting credit card information from HTTP requests; personally, I haven't seen such a tool, but given that there are crackers systematically looking for credit card info, this is highly probable.

Watching network traffic is usually just a matter of attaching a computer to the network cable, configuring its network card to accept all packets whizzing by (so-called promiscuous mode), analyzing them, and filtering out the interesting ones. In order to carry out this type of attack, the perpetrator needs physical access to the cable, or to other network equipment such as a hub. That means the villain, unless it is an insider, needs to break into the premises first. For many small to medium size companies, that is all the reassurance they need: that their data processing is at least as secure as their physical premises. And this point isn't something that you can dismiss easily: if a burglar intends to steal all their corporate data, why should he install sophisticated Ethernet sniffing equipment if he can simply carry away the file server?
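The one host-side trace a sniffer on a machine you administer leaves behind is the promiscuous flag on its network interface. The following script is an added example, not part of the original text: it decodes the interface flag word that Linux exposes in /sys/class/net/<iface>/flags (bit values from <linux/if.h>) and reports any interface running in promiscuous mode. The sample flag values at the bottom are constructed for illustration. Note the limitation this check shares with every host-based approach: a passive tap on the cable, or a sniffer on a host you do not control, is invisible to it.

```python
"""Audit local network interfaces for promiscuous mode (Linux sysfs).

Added example; reads the flag word Linux exposes per interface and
decodes it. On non-Linux systems the sysfs path does not exist and the
audit simply returns an empty result.
"""
from pathlib import Path

# net_device flag bits as defined in <linux/if.h>
IFF_UP = 0x1
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8
IFF_RUNNING = 0x40
IFF_PROMISC = 0x100      # the bit a sniffer sets to receive every frame
IFF_ALLMULTI = 0x200
IFF_MULTICAST = 0x1000

FLAG_NAMES = {
    IFF_UP: "UP",
    IFF_BROADCAST: "BROADCAST",
    IFF_LOOPBACK: "LOOPBACK",
    IFF_RUNNING: "RUNNING",
    IFF_PROMISC: "PROMISC",
    IFF_ALLMULTI: "ALLMULTI",
    IFF_MULTICAST: "MULTICAST",
}


def decode_flags(raw):
    """Turn the hex text of /sys/class/net/<iface>/flags (e.g. '0x1103')
    into a list of flag names, lowest bit first."""
    value = int(raw.strip(), 16)
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def is_promiscuous(raw):
    """True when the PROMISC bit is set in the given flag word."""
    return bool(int(raw.strip(), 16) & IFF_PROMISC)


def find_promiscuous(flags_by_iface):
    """Given {iface: raw flag text}, return {iface: decoded flags} for
    every interface that is in promiscuous mode."""
    return {
        iface: decode_flags(raw)
        for iface, raw in flags_by_iface.items()
        if is_promiscuous(raw)
    }


def read_sysfs_flags(sysfs="/sys/class/net"):
    """Collect the raw flag text of every interface under sysfs.
    Returns an empty dict where the path is absent (non-Linux)."""
    root = Path(sysfs)
    if not root.is_dir():
        return {}
    result = {}
    for entry in root.iterdir():
        flags_file = entry / "flags"
        if flags_file.is_file():
            result[entry.name] = flags_file.read_text()
    return result


if __name__ == "__main__":
    # Constructed sample: eth0 is promiscuous, eth1 and lo are not.
    sample = {"eth0": "0x1103\n", "eth1": "0x1003\n", "lo": "0x9\n"}
    print("sample audit:", find_promiscuous(sample))
    # Live audit of this host (empty on non-Linux systems)
    print("live audit:", find_promiscuous(read_sysfs_flags()))
```

Run it periodically from cron or from your monitoring agent and alert when the live audit returns anything other than interfaces you expect to be promiscuous (bridge members, IDS sensors).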

One issue worth noting in this context, however, is that if you trust the local infrastructure, you also need to trust the people that legitimately have access to it. Trivial as it may sound, this is a threat that you should not dismiss. According to various studies, attacks carried out by insiders are by far the most common security problem.

The theorem ``local network snooping requires physical access to the premises'' held until wireless networks such as Bluetooth or WaveLAN (a.k.a. IEEE 802.11) came along. The electromagnetic waves carrying IEEE 802.11 network traffic can be received up to 50 m away, depending on the transmission power of the network concentrator. Most 802.11 equipment nowadays supports a protocol called WEP that is supposed to protect you from eavesdropping by encrypting all data, but the protocol's use of encryption is so weak it's pathetic. A laptop fitted with a WaveLAN network card, conveniently located in a car in the building's parking lot, will do nicely when you intend to intercept 802.11 traffic.

Finally, the picture changes dramatically when you talk about traffic going across the Internet. With your average Internet connection, there are usually a dozen or more intermediate network segments or ``hops'' a packet has to travel through from client to server and vice versa, and by default, these should not be trusted. Internet Service Providers are in fact a very popular cracker target, precisely because once the attackers have compromised one of the routers, they can sift large amounts of traffic for useful information. To make things worse, during the late nineties many wannabe-ISPs jumped on the Internet bandwagon and compensated for their overabundance of enthusiasm with a serious lack of competent staff.

XXX: what about deletion of packets? DoS, support for spoof attacks.

To sum it up, things don't look good. But what does that mean for the design of a network application? Does it mean you need to encrypt everything that goes across the network using public key cryptography? As you may have expected, the answer is a firm ``Maybe!'' We'll come back to this in a second, but first let me discuss the second major class of network level attacks.


Olaf Kirch 2002-01-16