<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-802559115446473721</id><updated>2011-11-27T16:32:12.935-08:00</updated><category term='protocol analyzer'/><category term='Network Monitor'/><category term='DNS'/><category term='Packet'/><category term='Troubleshoot'/><category term='sniffer'/><category term='security'/><category term='Protocols'/><category term='Troubleshooting'/><category term='Network Monitoring'/><category term='Broadcast Storm'/><category term='Protocols'/><category term='Network Sniffer'/><category term='Analyzing'/><category term='Network Analysis'/><category term='hacker'/><category term='Telnet'/><title type='text'>Network Sniffers</title><subtitle type='html'>Network Monitor is a packet capture and network protocol analyzer software that translates complex protocol negotiation into natural language, pinpointing where errors occurred. 
Not only is it easier to use than competing products, it also translates the packet negotiation into natural language, something no other network protocol analyzer does.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>19</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-4067290946682114528</id><published>2009-12-20T22:43:00.000-08:00</published><updated>2009-12-20T22:47:37.884-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='DNS'/><category scheme='http://www.blogger.com/atom/ns#' term='Troubleshooting'/><title type='text'>Troubleshooting DNS</title><content type='html'>&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Troubleshooting, by its nature, is a tough subject to teach. You start with any of a world of symptoms and try to work your way back to the cause. We can’t cover the whole gamut of problems you may encounter on the Internet, but we will certainly do our best to show you how to diagnose the most common of them. 
And along  the way, we hope to teach you troubleshooting techniques that will be  valuable in tracking down more obscure problems that we don’t document.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Is DNS Really Your Problem?&lt;/span&gt;&lt;/h3&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Before we launch into a discussion of how to troubleshoot a DNS  problem, we should make sure you know how to tell whether a problem is  caused by DNS, not by another naming service. On Windows hosts,  figuring out whether the culprit is actually DNS can be difficult.  Windows supports a whole panoply of naming services: DNS, WINS, &lt;i&gt;HOSTS&lt;/i&gt;, &lt;i&gt;LMHOSTS&lt;/i&gt;,  and more. The stock Windows 2000 nslookup, however, doesn’t pay any  attention to these other naming services. You can run nslookup on a  Windows 2000 box and query the name server ’till the cows come home  while the service with the problem is using a different naming service.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;How do you know where to put the blame? First, you need to consider  what kind of program is having the problem. If it’s a TCP/IP client,  such as telnet or ftp, the possible culprits are DNS and the &lt;i&gt;HOSTS&lt;/i&gt; file. If it’s a utility that supports NetBIOS naming, such as net (as  in net use), the likely suspects also include WINS and the &lt;i&gt;LMHOSTS&lt;/i&gt; file. Other clients, such as ping, that also take either a DNS name or  a NetBIOS name as an argument can use any of these naming services.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Next, consider the order in which Windows uses the naming services.  
For a host name (what TCP/IP clients such as telnet and ftp resolve), Windows 2000 checks the local host name, then the &lt;i&gt;HOSTS&lt;/i&gt; file, then DNS, and only then the NetBIOS methods (NetBIOS name cache, WINS, broadcast, and &lt;i&gt;LMHOSTS&lt;/i&gt;, in an order that depends on the node type); for a NetBIOS name it tries the NetBIOS methods first and falls back to &lt;i&gt;HOSTS&lt;/i&gt; and DNS last. You should look through the various services in that order when troubleshooting the problem.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;These hints should help you identify the guilty party or at least exonerate one suspect. If you narrow down the suspects and DNS is still implicated, you’ll just have to read this chapter.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Checking the Cache&lt;/span&gt;&lt;/h3&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;As we’ve said earlier, you can check the contents of your name server’s cache with the DNS console. This can come in handy if you suspect that your name server has cached bad or out-of-date data from another server, whether through a misconfiguration upstream or a spoofed response. To inspect a server’s cache, click the plus sign to the left of the name of the server in the DNS console’s left pane. You’ll see a folder named &lt;b&gt;Cached Lookups&lt;/b&gt;. Either click on the plus sign to the left of it or double-click the folder icon or the label to expand the next level. This shows you the top-level domains for which your name server has cached data. Expand your way to the domain name to which the cached data you’re looking for is attached. 
In Figure 13-1, we’ve clicked our way down to &lt;i&gt;acmebw.com&lt;/i&gt; to look for cached data.&lt;br /&gt;&lt;br /&gt;&lt;img alt="Figure: NS and A records for acmebw.com in the cache" src="http://i.technet.microsoft.com/Bb726934.dnstst01%28en-us,TechNet.10%29.gif" /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;Figure: NS and A records for acmebw.com in the cache&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;As you can see in the right pane, our name server has cached three NS records and one A record for &lt;i&gt;acmebw.com&lt;/i&gt;. If we double-clicked &lt;b&gt;net&lt;/b&gt; and then &lt;b&gt;acmebw&lt;/b&gt;, we could find the cached addresses of these name servers, too.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If you’d like to see the TTL on the cached data, double-click on a record in the right pane. Provided the DNS console is in advanced view mode (select &lt;b&gt;View&lt;/b&gt; → &lt;b&gt;Advanced&lt;/b&gt;), the resulting window shows the record’s TTL. 
For example, in Figure 13-2, we’ve double-clicked the &lt;b&gt;acmebw.com&lt;/b&gt; A record.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;br /&gt;&lt;img alt="Figure: The TTL on a cached record" src="http://i.technet.microsoft.com/Bb726934.dnstst02%28en-us,TechNet.10%29.gif" /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;Figure: The TTL on a cached record&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Be sure to refresh the DNS console with &lt;b&gt;Action&lt;/b&gt; → &lt;b&gt;Refresh&lt;/b&gt; or &lt;b&gt;F5&lt;/b&gt; before checking the TTL, or the TTL you see may be bigger than the current TTL.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If you right-clicked the record, you may have noticed a &lt;b&gt;Delete Record&lt;/b&gt; selection. Now there’s something the BIND of the day couldn’t do (BIND 9.3 later added &lt;i&gt;rndc flushname&lt;/i&gt; for the same purpose). Using the DNS console, you can actually delete cached data record by record! If you know that some records in your name server’s cache are out of date, or suspect they were planted by a spoofed response, you can delete them and let your name server pick up fresh records from an authoritative name server.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Potential Problem List&lt;/span&gt;&lt;/h3&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Let’s go through some common real-world DNS problems. Many of these problems are easy to recognize and correct. 
We cover these problems as  a matter of course–they’re some of the most common problems because  they’re caused by some of the most common mistakes. Here are the  contestants, in no particular order.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;1. Forget to Increment Serial Number&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;This particular problem will occur only if you make changes to your  zone data file by hand, without using the DNS console. The DNS console  remembers to increment the serial number in the SOA record each time it  changes zone data, so you don’t have to worry about it. However, this  also means that you probably won’t be in the habit of updating the  serial number, so you may forget when making that one-off manual  modification.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;The main symptom of this problem is that slave name servers don’t  pick up any changes you make to the zone on the primary server. The  slaves think the zone data hasn’t changed since the serial number is  still the same.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;How do you check if you remembered to increment the serial number?  Unfortunately, that’s not so easy. If you don’t remember what the old  serial number was and your serial number gives you no indication of  when it was updated, there’s no direct way to tell whether it has  changed. 
&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;When you start the primary, it will load the updated zone data file regardless of whether you’ve changed the serial number. About the best you can do is to use nslookup to compare the data returned by the primary and by a slave. If they return different data, you probably forgot to increment the serial number. If you can remember a recent change you made, you can look for that data. If you can’t remember a recent change, you can try transferring the zone from a primary and from a slave, sorting the results, and using a file-comparison tool to compare them.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;The good news is that, although determining whether the zone was transferred is tricky, making sure the zone is transferred is simple. Just increment the serial number on the primary’s copy of the zone by double-clicking the SOA record in the DNS console and manually editing the serial number field. The slaves should pick up the new data within their refresh interval, or sooner if they use NOTIFY.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;2. Forget to Restart Primary Master Server&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Like the last problem, you’ll see this problem only if you make changes to your zone data files by hand. 
The DNS console adds and  deletes data on the fly, so there’s no need to restart your primary  master name server.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If you’re not using the DNS console, though, you may forget to  restart your primary master name server after editing a zone data file.  The name server won’t know to load the new data–it doesn’t  automatically check the file to see if it has changed. Consequently,  any changes you’ve made won’t be reflected in the name server’s data:  new zones won’t be loaded, and new records won’t percolate out to the  slaves.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;To check when you last restarted the name server, scan the Event Viewer output for the last entry that looks like this:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;The DNS Server has started.&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;The date and time on these events will tell you the last time you restarted the name server.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If the time of the restart doesn’t correlate with the time you made  the last change, use the DNS console to stop and restart the name  server and reload its data. Check that you incremented the serial  numbers on the zone data files you changed, too.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;3. 
DNS Server Loses Manual Changes&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;One final but important note about making manual changes: remember that the Microsoft DNS Server periodically updates its zone data files. Each time you make changes to a zone’s data using the DNS console, a write is pending: before the DNS server exits, it must rewrite the zone’s data file or it will lose the changes you made. Think of this as a dirty page in memory: the operating system must write it to disk before exiting.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If you make a manual change to a zone data file while a write is pending, you’ll mysteriously lose the change when the name server exits. Say you add delegation to a new subdomain of &lt;i&gt;movie.edu&lt;/i&gt; while the server is running and a write is pending. After you’ve made the change, you have to stop the server and start it again to get it to read the zone data again. But as the server exits, it rewrites the &lt;i&gt;movie.edu&lt;/i&gt; zone data file, and your delegation disappears. If you’re watching the Event Viewer carefully (like you should be), you’ll see this message before the server stops:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;The DNS server wrote version 37 of zone movie.edu to file movie.edu.dns.&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Once you force the server to rewrite its zone data files with &lt;b&gt;Action&lt;/b&gt; → &lt;b&gt;Update Server Data Files&lt;/b&gt;, the server is in sync with the zone data files and doesn’t have to rewrite them on exit. 
So, if you’re going to make manual changes to the  zone data files, you should either stop the server first (although that  means your server won’t answer queries while you make the change), or  use the DNS console to sync the server with the zone data files and  then make the change.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;4. Slave Server Can’t Load Zone Data&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If a slave name server can’t get the current serial number for a  zone from its master server, you won’t be warned about it initially.  However, if the problem persists and the slave can’t determine within  the expire interval whether or not its data is up to date, it will  expire the zone. On a Microsoft DNS Server, you’ll see a message like  this in the Event Viewer:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Zone movie.edu expired before it could obtain a successful   zone transfer or update from a master server acting as its source   for the zone. The zone has been shut down.&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Once the zone has expired, you’ll start getting SERVFAIL errors when you query the name server for data in the zone:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;C:\&amp;gt;  nslookup robocop wormhole.movie.edu .   
Server:  wormhole.movie.edu   Addresses:  192.249.249.1, 192.253.253.1   *** wormhole.movie.edu can't find robocop.movie.edu: Server failed&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;There are three leading causes of this problem: a loss in  connectivity to the master server due to network failure, an incorrect  IP address configured for the master server, and a syntax error in the  zone data file on the master server.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;First, use the DNS console to check the address of the master  server(s) from which the slave is attempting to load data. Right-click  the domain name of the zone in the left pane, choose &lt;b&gt;Properties&lt;/b&gt;, and look at the &lt;b&gt;General&lt;/b&gt; tab, shown in Figure 13-3.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img alt="Figure: Zone properties window showing master server(s)" src="http://i.technet.microsoft.com/Bb726934.dnstst03%28en-us,TechNet.10%29.gif" /&gt;&lt;/span&gt;          &lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;Figure : Zone properties window showing master server(s)&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Make sure that’s really the IP address of the master name server. If it is, check connectivity to that IP address:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;C:\&amp;gt;  ping 192.249.249.3    Pinging 192.249.249.3 with 32 bytes of data:    Request timed out.  Request timed out.  
Request timed out.  Request timed out.&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If the master server isn’t reachable, make sure that the server’s  host is really running (for example, is powered on) or look for a  network problem.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;You may also want to check that the master server is returning  authoritative responses to queries for data in the zone. If the master  server is responding as not authoritative for the zone, the slave won’t  transfer the zone from it. Here’s how you could use nslookup to check  for an authoritative response for the zone’s SOA record from the master  server:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;C:\&amp;gt;  nslookup -norec -type=SOA movie.edu. 192.249.249.3&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;This command sends a nonrecursive query for the SOA record for &lt;i&gt;movie.edu&lt;/i&gt; to the name server at 192.249.249.3. We need to send a nonrecursive  query so that the name server at 192.249.249.3 doesn’t try to forward  the query to another server.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If this master server is correctly configured, the answer to this  query should be authoritative. (Remember that unless nslookup reports  “Non-authoritative answer,” the answer is authoritative.) A  nonauthoritative reply may indicate that the master server had a  problem loading the zone, usually because of a syntax error in the zone  data file. 
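&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Under the hood, that nslookup -norec check comes down to two header bits: the query goes out with RD clear, and the reply counts as authoritative only if it comes back with AA set. The Python below is an added example (not code from this chapter, from Microsoft, or from nslookup) that builds such a query, pulls the AA flag, RCODE and SOA serial out of the reply, and feeds itself a hand-constructed reply so it runs without a network; the server names, serial and timers in it are made up. Against a real server you would send the bytes from build_soa_query() over UDP port 53 and hand the datagram you get back to parse_soa_reply().&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;
&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;
```python
"""Build a non-recursive SOA query and read the AA flag, RCODE and SOA
serial out of the reply, i.e. the check nslookup -norec performs.
Added example, not code from the original chapter; the sample reply
below is constructed by hand, not captured from a server."""
import os
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
TYPE_SOA = 6
CLASS_IN = 1


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_soa_query(zone, qid=None, recursion_desired=False):
    """Header: ID, flags, QDCOUNT=1.  RD is bit 8 of the flags and is left
    clear so the target answers from its own zone data instead of forwarding.
    A fixed ID is only for tests; on a network use an unpredictable one."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length // 64 == 3:                  # 11xxxxxx: compression pointer
            if end is None:
                end = offset + 2
            offset = (length % 64) * 256 + msg[offset + 1]
            hops += 1
            if hops == 16:                     # guard against pointer loops
                raise ValueError("compression loop")
            continue
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_soa_reply(msg):
    """Return id, rcode, aa flag and (if an SOA answer is present) the serial."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"id": qid,
              "aa": (flags // 0x0400) % 2 == 1,       # AA is bit 10
              "rcode": RCODES.get(flags % 16, str(flags % 16)),
              "serial": None}
    offset = 12
    for _ in range(qd):                         # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4
    for _ in range(an):
        _, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_SOA:
            _, p = read_name(msg, offset)      # MNAME
            _, p = read_name(msg, p)           # RNAME; serial follows it
            result["serial"] = struct.unpack("!I", msg[p:p + 4])[0]
        offset += rdlen
    return result


def make_sample_reply(query, serial, authoritative, rcode=0):
    """Constructed reply to `query`: echoes the question, one SOA answer."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 + (0x0400 if authoritative else 0) + rcode   # QR, AA, RCODE
    question = query[12:]
    rdata = (encode_name("terminator.movie.edu") + encode_name("root.movie.edu")
             + struct.pack("!IIIII", serial, 3600, 900, 604800, 3600))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    q = build_soa_query("movie.edu")
    print(parse_soa_reply(make_sample_reply(q, serial=212, authoritative=True)))
```
&lt;/pre&gt;
&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Read it the same way as the nslookup output: a reply with AA clear is the nonauthoritative case discussed above, and the "Query refused" that nslookup’s ls command reports later in this section is just RCODE 5 (REFUSED) on the transfer request, which the same parser would report.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;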
Contact the administrator of the master server and have him  check his Event Viewer or syslog output for indications of a syntax  error. We’ve never seen a Windows 2000 name server go nonauthoritative  for a zone based on a syntax error in a zone data file, but older BIND  name servers exhibit this behavior. So if your name server is a slave  to a zone whose primary master is a BIND name server that’s not  claiming authority for the zone, a syntax error could be your problem.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If the answer to the query is authoritative but the slave server  still can’t transfer the zone successfully, you can use the nslookup’s  ls command to try to transfer the zone manually (ls, as we said in  Chapter 12, performs a zone transfer). If you see an error like this,  it’s a good bet that the master server restricts zone transfers:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;C:\&amp;gt;  nslookup - 192.249.249.3   Default Server:  terminator.movie.edu  Address:  192.249.249.3  &amp;gt;  ls movie.edu   [terminator.movie.edu]  *** Can't list domain movie.edu: Query refused  &amp;gt;&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Contact the administrator of the master server and ask whether she  is restricting zone transfers. Ask her to check the options on the &lt;b&gt;Zone Transfers&lt;/b&gt; tab of the &lt;b&gt;Properties&lt;/b&gt; window for the zone you’re trying to transfer (if she’s running the  Microsoft DNS Server). 
If the remote server is running BIND, ask if she’s using the xfrnets or allow-transfer features to restrict zone transfers. Restricting transfers to the addresses of the real slaves is normal, sensible practice, so the fix is to have your slave’s address added to that list, not to open transfers to everyone.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Once the problem has been cleared up and your server successfully transfers the zone, you’ll see messages like these in the Event Viewer:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;A more recent version, version 212 of zone movie.edu was found at DNS server at 192.249.249.3. Zone transfer is in progress.
The DNS server wrote version 212 of zone movie.edu to file movie.edu.dns.&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;5. Add Address to Zone, but Forget to Add Corresponding PTR Record&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Because the mappings from hostnames to IP addresses are disjoint from the mappings from IP addresses to hostnames in DNS, it’s easy to forget to add a PTR record for a new host. Adding the A record is intuitive, but many people who are used to host tables assume that adding an address record takes care of the reverse mapping, too. That’s not true–you need to add a PTR record for the host to the appropriate &lt;i&gt;in-addr.arpa&lt;/i&gt; zone. Thankfully, the DNS console makes that easy by providing a checkbox to &lt;b&gt;Create associated pointer (PTR) record&lt;/b&gt; when you choose &lt;b&gt;New Host…&lt;/b&gt;.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Neglecting to add the PTR record for a host usually causes that host to fail authentication checks. 
For example, users on the host won’t be able to rsh or rcp to other hosts. The servers these programs talk to need to be able to map the connection’s IP address to a domain name to check authorization files. (Bear in mind that whoever runs the reverse zone for an address decides what its PTR says, so a PTR alone proves little about who is connecting; careful servers also look up the name the PTR returns and insist that it map back to the same address.)&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;In addition, many large FTP archives, including &lt;i&gt;ftp.uu.net&lt;/i&gt;, refuse anonymous ftp access to hosts whose IP addresses don’t map back to domain names. &lt;i&gt;ftp.uu.net&lt;/i&gt;’s FTP server emits a message that reads, in part:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;530- Sorry, we're unable to map your IP address 140.186.66.1
530- to a hostname in the DNS. This is probably because your
530- nameserver does not have a PTR record for your address in its
530- tables, or because your reverse nameservers are not registered.
530-   We refuse service to hosts whose names we cannot resolve.
531-&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;That makes the reason you can’t use anonymous ftp pretty evident. 
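&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;The check that FTP server is doing (and the one an rsh-style server ought to do) is forward-confirmed reverse DNS: take the address, build its &lt;i&gt;in-addr.arpa&lt;/i&gt; name, fetch the PTR, then confirm that the name the PTR returns maps back to the same address. The Python below is an added example, not code from this chapter; it builds the reverse name by hand for IPv4 and, going beyond the text, for IPv6 (&lt;i&gt;ip6.arpa&lt;/i&gt; nibbles), and runs the check against a constructed lookup table that stands in for a real resolver, with movie.edu hosts invented for the purpose.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;
&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;
```python
"""Check that a host's address record and PTR record agree (forward-
confirmed reverse DNS), the mapping the FTP server above complains about.
Added example, not code from the original chapter; the lookup table is
constructed by hand so the script runs offline.  Handles IPv4 and, beyond
the text, IPv6 (ip6.arpa nibble format)."""
import ipaddress


def reverse_name(ip):
    """Owner name of the PTR record for an address, with trailing dot.
    IPv4: octets reversed under in-addr.arpa.  IPv6: every hex digit of
    the fully expanded address, reversed, under ip6.arpa."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        octets = str(addr).split(".")
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


# Constructed stand-in for a resolver, mapping (owner, type) to a list of
# RDATA.  beetlejuice has an A record but nobody added its PTR; wormhole's
# PTR names a host that does not map back; terminator is consistent.
SAMPLE_ZONE_DATA = {
    ("terminator.movie.edu.", "A"): ["192.249.249.3"],
    ("3.249.249.192.in-addr.arpa.", "PTR"): ["terminator.movie.edu."],
    ("beetlejuice.movie.edu.", "A"): ["192.249.249.23"],
    ("wormhole.movie.edu.", "A"): ["192.249.249.1"],
    ("1.249.249.192.in-addr.arpa.", "PTR"): ["worm.movie.edu."],
    ("worm.movie.edu.", "A"): ["10.0.0.1"],
}


def lookup(owner, rtype, table=SAMPLE_ZONE_DATA):
    """RDATA list for (owner, type); an empty list stands in for NXDOMAIN."""
    return list(table.get((owner.lower().rstrip(".") + ".", rtype), []))


def fcrdns_check(hostname, table=SAMPLE_ZONE_DATA):
    """For every address of hostname, report whether a PTR exists and
    whether at least one name the PTR returns resolves back to that address."""
    report = {}
    addrs = lookup(hostname, "A", table) + lookup(hostname, "AAAA", table)
    if not addrs:
        return {"error": "no address records for " + hostname}
    for ip in addrs:
        ptrs = lookup(reverse_name(ip), "PTR", table)
        if not ptrs:
            report[ip] = "no PTR"
            continue
        confirmed = any(
            ip in lookup(name, "A", table) + lookup(name, "AAAA", table)
            for name in ptrs)
        report[ip] = "ok" if confirmed else "PTR does not map back (" + ", ".join(ptrs) + ")"
    return report


if __name__ == "__main__":
    for host in ("terminator.movie.edu", "beetlejuice.movie.edu", "wormhole.movie.edu"):
        print(host, fcrdns_check(host))
```
&lt;/pre&gt;
&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;reverse_name() produces the same owner name as Python’s ipaddress.ip_address(ip).reverse_pointer, plus the trailing dot; to run the check for real, replace lookup() with queries to your resolver and keep the rest.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;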
Other FTP sites, however, don’t bother printing informative messages;  they simply deny service.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;i&gt;nslookup&lt;/i&gt; is handy for checking whether or not you’ve forgotten the PTR record:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;C:\&amp;gt;  nslookup    Default Server:  terminator.movie.edu   Address:  192.249.249.3     &amp;gt;  beetlejuice   --Check for a hostname-to-address mapping   Server:  terminator.movie.edu   Address:  192.249.249.3   Name:    beetlejuice.movie.edu   Address:  192.249.249.23     &amp;gt; 192.249.249.23  --Now check for a corresponding   address-to-hostname mapping   Server:  terminator.movie.edu   Address:  192.249.249.3   *** terminator.movie.edu can't find 192.249.249.23: Non-existent domain&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;On the primary master for &lt;i&gt;249.249.192.in-addr.arpa&lt;/i&gt;, a quick check of the DNS console or the &lt;i&gt;249.249.192.in-addr.arpa.dns&lt;/i&gt; file will tell you if the PTR record has been added to the zone yet.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;6. Wrong Domain Name in RDATA of Record&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;When you add CNAME, MX, and NS records with the DNS console,  remember to specify the fully qualified domain name of the host for the  resource record-specific data. The DNS console assumes that the name  you type as the RDATA field is fully qualified. 
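&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;The console’s assumption bites because the zone data file records exactly what you typed, and the mistake only shows up when something resolves the name. The Python below is an added example, not code from this chapter or from the Microsoft DNS Server; it parses the small subset of master-file syntax the console writes ($ORIGIN, one record per line) from constructed movie.edu zone text and does two things with it: it lints NS, CNAME, MX and PTR targets for an absolute single-label name such as terminator. (the mistake in this section), and it diffs the record sets of a primary and a slave, which is the sort-and-compare check suggested under problem 1 above for a serial number that was never incremented.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;
&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;
```python
"""Two checks on zone data of the kind the DNS console writes to its .dns
files: problem 1 (primary and slave drift apart because the serial was
never bumped) and problem 6 (an RDATA name typed as if relative but stored
as absolute).  Added example, not code from the original chapter; the zone
text below is constructed by hand.  Only the subset of master-file syntax
the console emits is handled: $ORIGIN, one record per line, ';' comments."""

NAME_RDATA_TYPES = {"NS", "CNAME", "MX", "PTR"}   # RDATA ends in a domain name


def qualify(name, origin):
    """Make a name absolute relative to origin ('@' means the origin itself)."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def parse_zone(text, default_origin):
    """Return (owner, type, rdata) tuples with the owner and any name-valued
    RDATA fully qualified, so records from two servers compare as equals."""
    origin = default_origin.lower().rstrip(".") + "."
    last_owner = origin
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = qualify(line.split()[1], origin)
            continue
        if line.startswith("$"):                 # $TTL and friends: not needed here
            continue
        fields = line.split()
        # a line starting with whitespace reuses the previous owner name
        owner = last_owner if raw[0].isspace() else qualify(fields.pop(0), origin)
        last_owner = owner
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                        # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in NAME_RDATA_TYPES:
            rdata[-1] = qualify(rdata[-1], origin)
        records.append((owner, rtype, " ".join(rdata)))
    return records


def diff_zones(primary_text, slave_text, origin):
    """Records present on one server but not the other, sorted for reading.
    An unchanged serial with a non-empty diff is the forgotten-increment case."""
    primary = set(parse_zone(primary_text, origin))
    slave = set(parse_zone(slave_text, origin))
    return {"only_on_primary": sorted(primary - slave),
            "only_on_slave": sorted(slave - primary)}


def lint_rdata(text, origin):
    """Flag NS/CNAME/MX/PTR targets that are absolute but have a single
    label, e.g. 'terminator.' typed into the console without the zone name."""
    findings = []
    for owner, rtype, rdata in parse_zone(text, origin):
        if rtype in NAME_RDATA_TYPES:
            target = rdata.split()[-1]
            if len(target.rstrip(".").split(".")) == 1:
                findings.append((owner, rtype, target))
    return findings


# Constructed sample: the primary gained a host and a bad CNAME, but the
# serial (38) was never bumped, so the slave still holds the old data.
PRIMARY = """$ORIGIN movie.edu.
@           IN SOA terminator root.movie.edu. (38 3600 900 604800 3600)
@           IN NS  terminator
@           IN NS  wormhole
terminator  IN A   192.249.249.3
wormhole    IN A   192.249.249.1
robocop     IN A   192.249.249.2
bigt        IN CNAME terminator.
"""
SLAVE = """$ORIGIN movie.edu.
@           IN SOA terminator root.movie.edu. (38 3600 900 604800 3600)
@           IN NS  terminator
@           IN NS  wormhole
terminator  IN A   192.249.249.3
wormhole    IN A   192.249.249.1
"""

if __name__ == "__main__":
    print(diff_zones(PRIMARY, SLAVE, "movie.edu"))
    print(lint_rdata(PRIMARY, "movie.edu"))
```
&lt;/pre&gt;
&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;To use it on real servers, feed it zone text saved from each of them (the .dns file on the primary, and the slave’s copy or a transfer written out in the same layout) and treat any difference under an unchanged serial as the forgotten-increment problem; run lint_rdata() over the primary’s file after &lt;b&gt;Update Server Data Files&lt;/b&gt; whenever you have added records by hand in the console.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;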
So if you try to create a CNAME record as shown in Figure 13-4, the CNAME record looks like this in the zone data file:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;bigt    IN  CNAME  terminator.&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;This is probably not what you intended, since there’s no top-level &lt;i&gt;terminator&lt;/i&gt; domain. You probably assumed the DNS console would append the name of the zone if you typed the name without a trailing dot. Nope.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;br /&gt;&lt;img alt="Figure: Creating a CNAME record (the wrong way)" src="http://i.technet.microsoft.com/Bb726934.dnstst04%28en-us,TechNet.10%29.gif" /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;Figure: Creating a CNAME record (the wrong way)&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;These mistakes are easy to discover if you simply examine the zone data file (after &lt;b&gt;Action&lt;/b&gt; → &lt;b&gt;Update Server Data Files&lt;/b&gt;) or use nslookup; here the same mistake has been made in one of the zone’s NS records:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;C:\&amp;gt;  nslookup -type=ns movie.edu.    
Server:  terminator.movie.edu   Address:  192.249.249.3     movie.edu       nameserver = wormhole.movie.edu  movie.edu       nameserver = terminator  wormhole.movie.edu      internet address = 192.253.253.1  wormhole.movie.edu      internet address = 192.249.249.1&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;7. Loss of Network Connectivity&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Though the Internet is more reliable today than it was back in the  wild and woolly days of the ARPANET, network outages are still  relatively common. These failures usually look like poor performance:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;C:\&amp;gt;  nslookup nisc.sri.com.    Server:  terminator.movie.edu   Address:  192.249.249.3     DNS request timed out.      timeout was 2 seconds.  DNS request timed out.      timeout was 4 seconds.  DNS request timed out.      timeout was 8 seconds.  *** Request to terminator.movie.edu timed-out&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Using nslookup, you can look up the names and addresses of the name  servers your name server needs to talk to in order to resolve the name:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;C:\&amp;gt;  nslookup   Default Server:  terminator.movie.edu  Address:  192.249.249.3    &amp;gt;  set type=ns    &amp;gt; sri.com.   
Server:  terminator.movie.edu
Address:  192.249.249.3

Non-authoritative answer:
sri.com nameserver = NS.sri.com
sri.com nameserver = NS.CSL.sri.com
sri.com nameserver = TURTLE.MCC.COM
sri.com nameserver = NS1.sri.com

NS.sri.com      internet address = 128.18.30.66
NS.CSL.sri.com  internet address = 130.107.4.94
NS.CSL.sri.com  internet address = 192.12.33.94
TURTLE.MCC.COM  internet address = 128.62.1.215
NS1.sri.com     internet address = 128.18.30.65
&amp;gt; com.
Server:  terminator.movie.edu
Address:  192.249.249.3

Non-authoritative answer:
com     nameserver = C.ROOT-SERVERS.NET
com     nameserver = D.ROOT-SERVERS.NET
com     nameserver = E.ROOT-SERVERS.NET
com     nameserver = I.ROOT-SERVERS.NET
com     nameserver = F.ROOT-SERVERS.NET
com     nameserver = G.ROOT-SERVERS.NET
com     nameserver = J.GTLD-SERVERS.INTERNIC.NET
com     nameserver = A.ROOT-SERVERS.NET
com     nameserver = H.ROOT-SERVERS.NET
com     nameserver = B.ROOT-SERVERS.NET

C.ROOT-SERVERS.NET      internet address = 192.33.4.12
D.ROOT-SERVERS.NET      internet address = 128.8.10.90
E.ROOT-SERVERS.NET      internet address = 192.203.230.10
I.ROOT-SERVERS.NET      internet address = 192.36.148.17
F.ROOT-SERVERS.NET      internet address = 192.5.5.241
G.ROOT-SERVERS.NET      internet address = 192.112.36.4
J.GTLD-SERVERS.INTERNIC.NET     internet address = 198.41.0.21
A.ROOT-SERVERS.NET      internet address = 198.41.0.4
H.ROOT-SERVERS.NET      internet address = 128.63.2.53
B.ROOT-SERVERS.NET      internet address = 128.9.0.107&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Then you can check your host’s connectivity to those servers. Odds are, ping won’t have much better luck than your name server did. If it does, check that the remote name servers are really running by querying them directly: in nslookup, point &lt;i&gt;server&lt;/i&gt; at the server’s address and ask for the name again. Bear in mind that many networks filter ICMP, so a failed ping on its own does not prove that the name server is unreachable on port 53.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;C:\&amp;gt; ping 128.18.30.66          --ping first sri.com name server
Pinging 128.18.30.66 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

C:\&amp;gt; ping 130.107.4.94          --ping second sri.com name server
Pinging 130.107.4.94 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Now all that’s left to do is to locate the break in the network. Utilities like &lt;i&gt;tracert&lt;/i&gt; can help you determine whether the problem is on your network, on the destination network, or somewhere in the middle.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;You should also use common sense when tracking down the break. If, for example, your ping testing showed that you couldn’t reach any of the Internet’s root name servers, it’s not likely that each root’s local network went down or that the Internet’s commercial backbone networks collapsed entirely. Occam’s razor says that the simplest condition that could cause this behavior, namely the loss of &lt;i&gt;your&lt;/i&gt; network’s link to the Internet, is the most likely cause.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;8. 
Missing Subdomain Delegation&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Even though your ICANN-accredited registrar does its best to process  your requests as quickly as possible, it may take a week or two for  your subdomain’s delegation to appear in the root name servers.  Depending on your parent (whether an ICANN-accredited registrar or some  other zone administrator), your mileage may vary. Some parents are  quick and responsible; others are slow and inconsistent. Just like in  real life, though, you’re stuck with them.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Until your delegation data appear in your parent zone’s name  servers, your name servers will be able to look up data in the Internet  domain namespace, but no one else on the Internet (outside of your  domain) will know how to look up data in &lt;i&gt;your&lt;/i&gt; namespace.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;That means that even though you can send mail outside of your  domain, the recipients won’t be able to reply to it. Furthermore, no  one will be able to telnet to, ftp to, or even &lt;i&gt;ping &lt;/i&gt;your hosts by name.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Remember that this applies equally to any &lt;i&gt;in-addr.arpa&lt;/i&gt; subdomains you may run. 
Until the parent delegates those subdomains to your servers, name servers on the Internet won’t be able to reverse-map addresses on your networks.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;To determine whether or not your zone’s delegation has made it into your parent zone’s name servers, query a parent name server for the NS records for your zone. If the parent name server has the data, any name server on the Internet can find it:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;C:\&amp;gt; nslookup
Default Server:  terminator.movie.edu
Address:  192.249.249.3

&amp;gt; server a.root-servers.net.     --Query a root name server
Default Server:  a.root-servers.net
Address:  198.41.0.4

&amp;gt; set norecurse                 --Instruct the server to answer out of
&amp;gt; set type=ns                   --its own data and to look for NS records
&amp;gt; 249.249.192.in-addr.arpa.     --for 249.249.192.in-addr.arpa
Server:  a.root-servers.net
Address:  198.41.0.4

*** a.root-servers.net can't find 249.249.192.in-addr.arpa.: Non-existent domain&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Here, the delegation clearly hasn’t been added yet. The &lt;i&gt;set norecurse&lt;/i&gt; step matters: without it, a parent server that happens to offer recursion might resolve the name on your behalf and tell you nothing about its own delegation data. (On today’s Internet the root name servers no longer serve &lt;i&gt;in-addr.arpa&lt;/i&gt; themselves; direct the same query at the servers listed in the NS records for &lt;i&gt;in-addr.arpa&lt;/i&gt;, or for the /8 beneath it that covers your addresses.) You can either wait patiently or, if an unreasonable amount of time has passed since you requested delegation from your parent zone, you can contact your parent zone’s administrator and ask what’s up.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;9. 
Incorrect Subdomain Delegation&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Incorrect subdomain delegation is another familiar problem on the  Internet. Keeping delegation up-to-date requires human  intervention–informing your parent zone’s administrator of changes to  your set of authoritative name servers. Consequently, delegation  information often becomes inaccurate as administrators make changes  without letting their parents know. Far too many administrators believe  that setting up delegation is a one-shot deal: they let their parents  know which name servers are authoritative once, when they set up their  zones, and then they never talk to them again. They don’t even call on  Mother’s Day.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;An administrator may add a new name server, decommission another,  and change the IP address of a third, all without telling the parent  zone’s administrator. Gradually, the number of name servers correctly  delegated to by the parent zone dwindles. In the best case this leads  to long resolution times, as querying name servers struggle to find an  authoritative name server for the zone. 
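The check that the hp.com walk-through in this section performs by hand with nslookup can be scripted. The Python below is an added example, not code from the original article or from the Microsoft DNS Server: it parses constructed nslookup transcripts shaped like the ones in this article (the hp.com names and addresses from the text, plus three deliberate deviations so that every check has something to find: a made-up ns3.hp.com, a changed address for hplabs, and a timed-out nnsc) and reports lame servers, unreachable servers, glue that no longer matches, and names present in only one of the two NS sets. The function names are this example's own, and nothing in it touches the network.

```python
"""Check a zone's delegation for lame servers, stale glue and drift between the
parent's NS set and the zone's own, the way the text does by hand with nslookup.

Added example, not code from the original article or from the Microsoft DNS
Server.  Transcripts are constructed to mirror the hp.com output in the text;
ns3.hp.com, the 15.255.176.48/49 addresses and the nnsc timeout are invented
deviations so each check fires once.  Runs offline.
"""

# Constructed: the parent's answer for the zone's NS records (delegation + glue).
PARENT_ANSWER = """
Non-authoritative answer:
hp.com          nameserver = RELAY.HP.COM
hp.com          nameserver = HPLABS.HPL.HP.COM
hp.com          nameserver = NNSC.NSF.NET
hp.com          nameserver = HPSDLO.SDD.HP.COM
RELAY.HP.COM    internet address = 15.255.152.2
HPLABS.HPL.HP.COM       internet address = 15.255.176.47
NNSC.NSF.NET            internet address = 128.89.1.178
HPSDLO.SDD.HP.COM       internet address = 15.255.160.64
HPSDLO.SDD.HP.COM       internet address = 15.26.112.11
"""

# Constructed: each delegated server asked, with 'set norecurse', for hp.com NS.
CHILD_ANSWERS = {
    "relay.hp.com": """
hp.com          nameserver = relay.hp.com
hp.com          nameserver = hplabs.hpl.hp.com
hp.com          nameserver = nnsc.nsf.net
relay.hp.com    internet address = 15.255.152.2
hplabs.hpl.hp.com       internet address = 15.255.176.47
nnsc.nsf.net    internet address = 128.89.1.178
""",
    "hplabs.hpl.hp.com": """
hp.com          nameserver = relay.hp.com
hp.com          nameserver = hplabs.hpl.hp.com
hp.com          nameserver = nnsc.nsf.net
hp.com          nameserver = ns3.hp.com
relay.hp.com    internet address = 15.255.152.2
hplabs.hpl.hp.com       internet address = 15.255.176.48
nnsc.nsf.net    internet address = 128.89.1.178
ns3.hp.com      internet address = 15.255.176.49
""",
    "nnsc.nsf.net": """
DNS request timed out.
    timeout was 2 seconds.
*** Request to nnsc.nsf.net timed-out
""",
    "hpsdlo.sdd.hp.com": """
Non-authoritative answer:
hp.com          nameserver = RELAY.HP.COM
hp.com          nameserver = HPLABS.HPL.HP.COM
hp.com          nameserver = NNSC.NSF.NET
RELAY.HP.COM    internet address = 15.255.152.2
HPLABS.HPL.HP.COM       internet address = 15.255.176.47
NNSC.NSF.NET    internet address = 128.89.1.178
""",
}


def parse_nslookup_ns(transcript):
    """Structure an nslookup NS-query transcript: aa flag (None if no answer), NS names, addresses."""
    result = {"aa": None, "ns": set(), "addr": {}}
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("DNS request timed out") or line.startswith("***"):
            return result                        # nothing usable came back
        if line == "Non-authoritative answer:":
            result["aa"] = False
        elif "nameserver =" in line:
            result["ns"].add(line.split("=", 1)[1].strip().lower().rstrip("."))
            if result["aa"] is None:
                result["aa"] = True              # answer data without the non-authoritative banner
        elif "internet address =" in line:
            host, addr = line.split("internet address =", 1)
            result["addr"].setdefault(host.strip().lower().rstrip("."), set()).add(addr.strip())
    return result


def check_delegation(parent, children):
    """parent: parsed parent answer; children: {server: parsed answer}.  Findings grouped by cause."""
    f = {"unreachable": [], "lame": [], "glue_mismatch": [], "not_delegated": [], "stale_delegation": []}
    zone_ns = set()
    for server in sorted(parent["ns"]):
        resp = children.get(server)
        if resp is None or resp["aa"] is None:
            f["unreachable"].append(server)      # connectivity loss or host down (problem 7)
            continue
        if resp["aa"]:
            zone_ns |= resp["ns"]                # only authoritative answers describe the zone itself
        else:
            f["lame"].append(server)             # delegated to, but answers from cache, not authority
        glue, own = parent["addr"].get(server, set()), resp["addr"].get(server, set())
        if glue and own and glue != own:
            f["glue_mismatch"].append(server)    # parent's glue no longer matches the server's own A
    f["not_delegated"] = sorted(zone_ns - parent["ns"])          # zone lists it, parent never told
    if zone_ns:
        f["stale_delegation"] = sorted(parent["ns"] - zone_ns)   # parent still points at it, zone dropped it
    return f


def run_example():
    parent = parse_nslookup_ns(PARENT_ANSWER)
    return check_delegation(parent, {s: parse_nslookup_ns(t) for s, t in CHILD_ANSWERS.items()})


if __name__ == "__main__":
    for cause, servers in run_example().items():
        print(f"{cause:17s} {', '.join(servers) or '-'}")
```

Every finding maps to a problem in this article: unreachable servers to problem 7, lame and stale entries to problem 9, and a name the zone advertises but the parent does not know about to a delegation request that was never sent. Glue checking is what the nslookup walk-through cannot show you directly, since the parent's glue and the server's own A record are printed by different queries.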
If the delegation information becomes badly out-of-date and the last name server that is both still delegated to by the parent and still authoritative is brought down for maintenance, the information within the zone becomes inaccessible from the outside, even though other authoritative servers may be up and running.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If you suspect bad delegation, whether from your parent to your zone, from your zone to one of your children, or from a remote zone to one of its children, you can check with &lt;i&gt;nslookup&lt;/i&gt;:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;C:\&amp;gt; nslookup
Default Server:  terminator.movie.edu
Address:  192.249.249.3

&amp;gt; server a.gtld-servers.net.   --Set server to the parent name
                                --server you suspect has bad delegation
Default Server:  a.gtld-servers.net
Address:  198.41.0.4

&amp;gt; set type=ns                  --Look for NS records
&amp;gt; hp.com.                      --for the zone in question
Server:  a.gtld-servers.net
Address:  198.41.0.4

Non-authoritative answer:
hp.com          nameserver = RELAY.HP.COM
hp.com          nameserver = HPLABS.HPL.HP.COM
hp.com          nameserver = NNSC.NSF.NET
hp.com          nameserver = HPSDLO.SDD.HP.COM

Authoritative answers can be found from:
hp.com          nameserver = RELAY.HP.COM
hp.com          nameserver = HPLABS.HPL.HP.COM
hp.com          nameserver = NNSC.NSF.NET
hp.com          nameserver = HPSDLO.SDD.HP.COM
RELAY.HP.COM    internet address = 15.255.152.2
HPLABS.HPL.HP.COM       internet address = 15.255.176.47
NNSC.NSF.NET            internet address = 128.89.1.178
HPSDLO.SDD.HP.COM       internet address = 15.255.160.64
HPSDLO.SDD.HP.COM       internet address = 15.26.112.11&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Let’s say you suspect that the delegation to &lt;i&gt;hpsdlo.sdd.hp.com&lt;/i&gt; is incorrect. Query &lt;i&gt;hpsdlo&lt;/i&gt; for data in the &lt;i&gt;hp.com&lt;/i&gt; zone, with recursion turned off so that it can only answer from what it holds itself, and check the answer:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&amp;gt; server hpsdlo.sdd.hp.com.
Default Server:  hpsdlo.sdd.hp.com
Addresses:  15.255.160.64, 15.26.112.11

&amp;gt; set norecurse
&amp;gt; set type=soa
&amp;gt; hp.com.
Server:  hpsdlo.sdd.hp.com
Addresses:  15.255.160.64, 15.26.112.11

Non-authoritative answer:
hp.com
        origin = relay.hp.com
        mail addr = hostmaster.hp.com
        serial = 1001462
        refresh = 21600 (6 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        minimum ttl = 86400 (1 day)

Authoritative answers can be found from:
hp.com          nameserver = RELAY.HP.COM
hp.com          nameserver = HPLABS.HPL.HP.COM
hp.com          nameserver = NNSC.NSF.NET
RELAY.HP.COM    internet address = 15.255.152.2
HPLABS.HPL.HP.COM       internet address = 15.255.176.47
NNSC.NSF.NET    internet address = 128.89.1.178&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If &lt;i&gt;hpsdlo&lt;/i&gt; really were authoritative, it would have responded with an authoritative answer; what it returned is cached data. Notice too that the NS set it hands back no longer includes &lt;i&gt;hpsdlo&lt;/i&gt; itself, while the parent’s delegation still does: the zone’s own NS records and the parent’s delegation have drifted apart, which is exactly what this problem looks like from the outside. The administrator of the &lt;i&gt;hp.com&lt;/i&gt; zone can tell you whether &lt;i&gt;hpsdlo&lt;/i&gt; should be an authoritative name server for &lt;i&gt;hp.com&lt;/i&gt;, so that’s who you should contact.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Interoperability Problems&lt;/span&gt;&lt;/h3&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;The Microsoft DNS Server has at least one known interoperability issue with BIND name servers: zone transfers sometimes fail because of the proprietary WINS record.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;When a Microsoft DNS Server is configured to consult a WINS server for names it can’t find in a given zone, it inserts a special record into the zone data file. 
The record looks like this:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;@   IN     WINS    &amp;lt;IP address of WINS server&amp;gt;&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Unfortunately, WINS is not a standard record type in the IN class.  Consequently, any BIND slaves that transfer this zone will choke on the  WINS record and refuse to load the zone. Here’s the message the  administrator of the BIND server would see in his syslog output:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;pre style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;May 23 15:58:43 terminator named-xfer[386]:   "fx.movie.edu IN 65281" - unknown type (65281)&lt;/span&gt;&lt;/pre&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;The workaround for this problem is to configure the Microsoft DNS  Server to filter out the proprietary record before transferring the  zone. You do this by selecting the zone in the left pane of the DNS  console, right-clicking it, and selecting &lt;b&gt;Properties&lt;/b&gt;. Click on the &lt;b&gt;WINS&lt;/b&gt; tab in the resulting properties window, which is shown in Figure 13-5.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;img alt="Figure : " src="http://i.technet.microsoft.com/Bb726934.dnstst05%28en-us,TechNet.10%29.gif" /&gt;&lt;/span&gt;          &lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Checking &lt;b&gt;Do not replicate this record&lt;/b&gt; will filter  out the WINS record for that zone. 
However, any Microsoft DNS Server  slaves won’t see the record, even though they could use it.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Problem Symptoms&lt;/span&gt;&lt;/h3&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Some problems, unfortunately, aren’t as easy to identify as the ones  we’ve listed. You’ll probably experience some misbehavior that you  won’t be able to attribute directly to its cause, often because any of  a number of problems may cause the symptoms you see. For cases like  this, we’ll suggest some of the common causes of these symptoms and  ways to isolate them.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;Can’t Look Up Local Name&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;The first thing to do when a program like telnet or ftp can’t look  up a local name is to use nslookup to try to look up the same name.  When we say “the same name,” we mean &lt;i&gt;literally&lt;/i&gt; the same  name–don’t add a domain name and a trailing dot if the user didn’t type  either one. Don’t query a different name server than the user did.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;As often as not, the user will have mistyped the name or  misunderstood how the search list works and just needs direction.  Occasionally, you’ll turn up real host configuration errors, such as a  mistake in the resolver configuration (e.g., the wrong IP address for a  name server). 
You can check for errors like this using nslookup’s set  all command.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If nslookup points to a problem with the name server, rather than  with the host configuration, check for the problems associated with the  type of name server. If the name server is the primary master for the  zone but it doesn’t respond with data you think it should:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Check that the zone or zone data file contains the data in question.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Ensure that the domain names in the records are correct (problem 6).&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If the name server is a slave server, you should first check whether  or not its master has the correct data. 
If it does, and the slave  doesn’t:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Make sure you’ve incremented the serial number on the primary (problem 1).&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Look for a problem on the slave in updating the zone (problem 4).&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If the primary &lt;i&gt;doesn’t&lt;/i&gt; have the correct data, of course, diagnose the problem on the primary.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If the problem server isn’t authoritative for the zone that contains  the data, check that your parent zone’s delegation to your zone exists  and is correct (problems 8 and 9). Remember that to that name server,  your zone looks just like any other remote zone. Even though the host  it runs on may be inside your zone, the name server must be able to  locate an authoritative server for your zone from your parent zone’s  servers.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;Can’t Look Up Remote Names&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If your local lookups succeed but you can’t look up names outside  your local zones, there is a different set of problems to check:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Can you ping the remote zone’s name servers? 
Maybe you can’t reach  the remote zone’s servers because of connectivity loss (problem 7).&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Is the remote zone new? Maybe its delegation hasn’t yet appeared  (problem 8). Alternatively, the delegation information for the remote  zone may be wrong or out of date, due to neglect (problem 9).&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Does the domain name actually exist on the remote zone’s servers? Does it exist on all of them (problems 1, 2, and 4)?&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;Wrong or Inconsistent Answer&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If you get the wrong answer when looking up a local name or you get  an inconsistent answer, depending on which name server you ask or when  you ask, first check the synchronization between your name servers:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Are they all holding the same serial number for the zone? Did you  forget to increment the serial number on the primary after you made a  manual change (problem 1)? If you did, the name servers may all have  the same serial number, but they will answer differently out of their  authoritative data.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Did you forget to restart the primary after making a manual change  (problem 2)? 
Then the primary will return (via nslookup, for example) a  different serial number than the serial number in the zone data file.&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Are the slaves having trouble updating from the primary (problem 4)?&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Is the name server’s round-robin feature rotating the addresses of the domain name you’re looking up?&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;If you get these results when looking up a name in a remote zone,  you should check whether the remote zone’s name servers have lost  synchronization. You can use tools like &lt;i&gt;nslookup &lt;/i&gt;to determine  whether the remote zone’s administrator has forgotten to increment the  serial number, for example. If the name servers answer differently from  their authoritative data but show the same serial number, the serial  number probably wasn’t incremented. If the primary’s serial number is  much lower than the slaves’, the primary’s serial number was probably  accidentally reset. We usually assume a zone’s primary name server is  running on the host listed as the origin in the SOA record.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;You probably can’t determine conclusively that the primary hasn’t  been restarted, though. It’s also difficult to pin down updating  problems between remote name servers. In cases like this, if you’ve  determined that the remote name servers are giving out incorrect data,  contact the zone administrator and (gently) relay what you’ve found.  
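The synchronization checks listed in this subsection can be put into one routine. The following Python is an added example, not code from the original article or from any DNS server: it parses a constructed SOA transcript shaped like nslookup's set type=soa output shown earlier in this article, identifies the primary from the SOA origin as the text suggests, and then classifies several constructed scenarios (same serial but different answers, a primary far below its slaves, a lagging slave, round-robin ordering, and a zone file whose serial the server is not yet serving). The ns1/ns2/ns3.movie.edu names, the addresses and the serial values are assumptions made up for illustration.

```python
"""Tell apart the synchronisation failures listed above by comparing the SOA
serial and one probe answer across a zone's name servers.

Added example, not code from the original article or from any DNS server.
SOA_TRANSCRIPT is constructed in the shape of nslookup's 'set type=soa'
output; parse_soa(), check_sync() and the ns1/ns2/ns3.movie.edu hostnames
and serials are this example's own assumptions.
"""

SOA_TRANSCRIPT = """
Server:  ns1.movie.edu
Address:  192.249.249.3

movie.edu
        origin = ns1.movie.edu
        mail addr = hostmaster.movie.edu
        serial = 2009122001
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        minimum ttl = 86400 (1 day)
"""


def parse_soa(transcript):
    """Pull the aa flag, MNAME (which nslookup labels 'origin') and serial out of an SOA transcript."""
    soa = {"aa": True, "origin": None, "serial": None}
    for raw in transcript.splitlines():
        line = raw.strip()
        if line == "Non-authoritative answer:":
            soa["aa"] = False
        elif line.startswith("origin ="):
            soa["origin"] = line.split("=", 1)[1].strip().lower().rstrip(".")
        elif line.startswith("serial ="):
            soa["serial"] = int(line.split("=", 1)[1].strip())
    return soa


def check_sync(soas, answers, file_serial=None):
    """soas: {server: parse_soa() result}; answers: {server: set of RDATA for one probe name};
    file_serial: serial read from the primary's zone data file, if you have it.
    Round robin only rotates the order of an answer, so answers are compared as sets.
    Returns (code, detail) pairs keyed to the problem numbers used in the text."""
    auth = {s: soa for s, soa in soas.items() if soa["aa"] and soa["serial"] is not None}
    out = [("non_authoritative", s) for s in sorted(set(soas) - set(auth))]  # cache data, not comparable
    if not auth:
        return out
    serials = {s: soa["serial"] for s, soa in auth.items()}
    origin = next(iter(auth.values()))["origin"]
    primary = origin if origin in serials else None          # the text assumes MNAME is the primary
    if len(set(serials.values())) == 1:
        distinct = {frozenset(answers[s]) for s in serials if s in answers}
        if len(distinct) > 1:
            out.append(("problem1", "same serial everywhere but answers differ: serial not incremented"))
        else:
            out.append(("in_sync", "serial %d on all servers" % next(iter(serials.values()))))
    elif primary is None:
        out.append(("unknown_primary", "serials differ and SOA origin %r was not queried" % origin))
    else:
        slaves = {s: n for s, n in serials.items() if s != primary}
        if max(slaves.values()) > serials[primary]:
            out.append(("reset", "primary %s serial %d is below its slaves: probably reset"
                        % (primary, serials[primary])))
        else:
            lagging = sorted(s for s, n in slaves.items() if serials[primary] > n)
            out.append(("problem4", "slaves lagging the primary: " + ", ".join(lagging)))
    if primary is not None and file_serial is not None and file_serial != serials[primary]:
        out.append(("problem2", "zone file serial %d but primary serves %d: primary not reloaded"
                    % (file_serial, serials[primary])))
    return out


def soa(serial, origin="ns1.movie.edu", aa=True):
    """Shorthand for a constructed, already-parsed SOA."""
    return {"aa": aa, "origin": origin, "serial": serial}


def run_scenarios():
    base = parse_soa(SOA_TRANSCRIPT)
    same = {"ns1.movie.edu": base, "ns2.movie.edu": soa(base["serial"])}
    return {
        # Someone edited the zone by hand and forgot to bump the serial.
        "forgot_increment": check_sync(same, {"ns1.movie.edu": {"192.249.249.10"},
                                              "ns2.movie.edu": {"192.249.249.11"}}),
        # Primary far below its slaves: its serial was reset.
        "reset_primary": check_sync({"ns1.movie.edu": soa(3), "ns2.movie.edu": soa(2009122001),
                                     "ns3.movie.edu": soa(2009122001)}, {}),
        # One slave has not transferred the new zone yet.
        "lagging_slave": check_sync({"ns1.movie.edu": soa(2009122002), "ns2.movie.edu": soa(2009122001),
                                     "ns3.movie.edu": soa(2009122002)}, {}),
        # Same addresses in a different order is just round robin, not inconsistency.
        "round_robin": check_sync(same, {"ns1.movie.edu": {"10.0.0.1", "10.0.0.2"},
                                         "ns2.movie.edu": {"10.0.0.2", "10.0.0.1"}}),
        # Zone file edited and serial bumped, but the server still serves the old copy.
        "not_reloaded": check_sync(same, {}, file_serial=2009122002),
    }


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(name, findings)
```

The first two diagnoses (same serial with different data, or a primary below its slaves) are the ones you can make about a remote zone from the outside, as the text notes; the problem 2 check needs the zone file and so only applies to your own primary.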
This will help the administrator track down the problem on the remote  end.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;&lt;b&gt;Lookups Take a Long Time&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Long name resolution periods are usually due to one of two problems:&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;ul style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Connectivity loss (problem 7), which you can diagnose with tools like &lt;i&gt;ping&lt;/i&gt; and &lt;i&gt;tracert&lt;/i&gt;&lt;/span&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="font-size: x-small;"&gt;Incorrect delegation information (problem 9), which points to the wrong name servers or the wrong IP addresses&lt;/span&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Usually, sending a few pings will point to one or the other of these  causes. Either you can’t reach the name servers at all, or you can  reach the hosts but the name servers aren’t responding.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;Sometimes, though, the results are inconclusive. For example, the  parent name servers may delegate to a set of name servers that don’t  respond to pings or queries, but connectivity to the remote network  seems all right (a &lt;i&gt;tracert&lt;/i&gt;, for example, will get you to the  remote network’s “doorstep”–the last router between you and the host).  Is the delegation information so badly out-of-date that the name  servers have long since moved to other addresses? Are the hosts simply  down? Or is there really a remote network problem? 
Usually, finding out  will require a call or a message to the administrator of the remote  zone. (And remember, &lt;i&gt;whois&lt;/i&gt; gives you phone numbers!)&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: x-small;"&gt;That’s about all we can think of to cover. It’s certainly a less  than comprehensive list, but we hope it’ll help you solve the more  common problems you encounter with DNS and give you ideas about how to  approach the rest. Boy, if we’d only had a troubleshooting guide when &lt;i&gt;we&lt;/i&gt; started!&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/802559115446473721-4067290946682114528?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://networkmonitor.blog.com/2009/11/13/troubleshooting-dns/' title='Troubleshooting DNS'/><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/4067290946682114528/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2009/12/troubleshooting-dns.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/4067290946682114528'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/4067290946682114528'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2009/12/troubleshooting-dns.html' title='Troubleshooting DNS'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-576777578148270049</id><published>2009-12-18T01:01:00.000-08:00</published><updated>2009-12-18T01:03:39.578-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Sniffer'/><category scheme='http://www.blogger.com/atom/ns#' term='Broadcast Storm'/><category scheme='http://www.blogger.com/atom/ns#' term='protocol analyzer'/><category scheme='http://www.blogger.com/atom/ns#' term='Troubleshoot'/><category scheme='http://www.blogger.com/atom/ns#' term='Protocols'/><title type='text'>Troubleshoot Broadcast Storm With Network Sniffer</title><content type='html'>Based on the network architecture, the &lt;a href="http://www.colasoft.com/resources/protocols.php/?prid=05060003"&gt;protocols&lt;/a&gt;,  and the node count on a site being studied, an analyst must determine  what constitutes a broadcast storm. This requires the analyst to be  quite familiar with the topology and types of protocols and  applications being deployed. A general benchmark is that a broadcast  sequence occurring from a single device or a group of devices, either  rapidly or on an intermittent cycle at more than 500 frames per second,  is a storm event. At the very least, the sequence should be  investigated if it is occurring at 500 frames per second (relative to  just a few devices and a specific protocol operation).&lt;br /&gt;After the threshold has been set on the &lt;a href="http://www.colasoft.com/capsa/?prid=05060003"&gt;network sniffer&lt;/a&gt;,  a data-trace capture should be started. After the capture has been  invoked, and a broadcast storm event has occurred in the Expert system  with notification or in the statistics screen, the time of the storm  and the devices related to the storm should be carefully noted. 
The  addresses should be noted in a log along with the time of the storm and  the frame-per-second count. Most protocol analyzers provide this  information before the capture is even stopped. As soon as the  broadcast storm occurrence takes place, the analyzer should be  immediately stopped to ensure that the internal data-trace information  is still within the memory buffer of the protocol analyzer. The data  trace should then be saved to a disk drive or printed to a file to  ensure that the information can be reviewed. The data-trace capture  should then be opened and the actual absolute storm time noted from the  Expert system or the statistical screen. Based on the absolute time, it  may be possible on the protocol analyzer to turn on an absolute time  feature. When turned on in the data trace, the absolute time feature  enables an analyst to search on the actual storm for the absolute time  event. This may immediately isolate and identify the cause of the  broadcast storm.&lt;br /&gt;Certain network sniffers offer hotkey filtering to move directly  within the data-trace analysis results of the storm event. Either way,  by using absolute time or hotkey filtering, the broadcast storm should  be located within the data-trace capture.&lt;br /&gt;Other metrics can be turned on in a protocol analysis display view  when examining a broadcast storm, such as relative time and packet  size. After the start of the storm has been located, the key devices  starting and invoking the storm should be logged. Sometimes only one or  two devices cause a cyclical broadcast storm occurrence throughout an  internetwork, resulting in a broadcast storm event across many  different network areas. 
The devices communicating at the time closest to the start of the storm inside the data-trace analysis results may be the devices causing the event.&lt;br /&gt;After the storm has been located, zero the Relative Time field at the first frame of the storm and review every packet or frame involved, paging through all of them even if there are 500 or 1,000. When the end of the storm has been located, the cumulative relative time at that point is the storm’s duration. Together with the packet sizes seen during the storm, this gives a clear picture of which devices took part, what they were doing, how much traffic they generated, and where the storm originated. The first several packets of the storm should be examined for the physical, network, and transport layer addresses involved, which helps an analyst understand the sequence of the event.&lt;br /&gt;This process is an important part of network baselining and applies to both proactive and reactive analysis. In proactive baselining, an analyst must configure the proper broadcast storm thresholds on the &lt;a href="http://networksniffers.blogspot.com/2009/12/protocol-analyzer-protocol-analysis.html"&gt;protocol analyzer&lt;/a&gt; so that storm events show up during the baseline session. In a troubleshooting (reactive) event, it is important to know whether users are also reporting failures or site network outages, since these may coincide with the time of the storm. 
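The threshold and relative-time procedure described above can be run over a saved capture rather than by paging through it. The Python below is an added example, not part of this article or of any analyzer product: it buckets broadcast frames per source per second from a constructed frame list, flags the seconds in which one source (or all sources together) exceeds the 500 frames per second benchmark quoted above, merges consecutive flagged seconds into one storm event, and reports the event's exact start, duration and top talker with the clock zeroed at the start of the capture. The MAC addresses and frame timing are made up for the example.

```python
"""Flag broadcast storms in a frame capture the way the article describes:
count broadcast frames per source per one-second bucket, raise an event when a
source (or everyone together) beats the threshold, merge consecutive storm
seconds, and report start, duration and top talkers with relative timing.

Added example, not part of the original article or of any analyzer product.
make_capture() builds the frames inline (timestamp in microseconds, source MAC,
destination MAC, length); the MACs and timing are invented.  500 frames/second
is the benchmark quoted in the text.
"""
from collections import Counter, defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
THRESHOLD_FPS = 500
US = 1_000_000          # integer microseconds keep the one-second buckets exact


def make_capture():
    """Constructed capture: (timestamp_us, src_mac, dst_mac, length) tuples, sorted by time."""
    frames = []
    # Three ordinary hosts, one broadcast every 10 ms each for 5 s: 100 fps per host.
    for i in range(500):
        for n in (1, 2, 3):
            frames.append((i * 10_000, f"00:11:22:33:44:0{n}", BROADCAST, 60))
    # One misbehaving NIC blasting a broadcast every 0.5 ms from t=2 s to t=4 s: 2000 fps.
    for i in range(4000):
        frames.append((2 * US + i * 500, "00:11:22:33:44:ff", BROADCAST, 64))
    # Unicast traffic that the broadcast counters must ignore.
    for i in range(50):
        frames.append((i * 100_000, "00:11:22:33:44:01", "00:11:22:33:44:02", 1514))
    frames.sort()
    return frames


def detect_storms(frames, threshold=THRESHOLD_FPS):
    """Return one dict per storm event with absolute and relative timing and the talkers behind it."""
    per_second = defaultdict(Counter)            # second -> Counter(src -> broadcast frames)
    for ts, src, dst, _length in frames:
        if dst == BROADCAST:
            per_second[ts // US][src] += 1
    # A second is hot when a single source, or all sources together, exceed the threshold.
    hot = sorted(sec for sec, c in per_second.items()
                 if max(c.values()) > threshold or sum(c.values()) > threshold)
    events = []
    for sec in hot:                               # merge consecutive hot seconds into one event
        if events and sec - 1 in events[-1]["seconds"]:
            events[-1]["seconds"].add(sec)
        else:
            events.append({"seconds": {sec}})
    capture_start = frames[0][0] if frames else 0
    for ev in events:
        secs = ev["seconds"]
        # Culprits are the sources that individually beat the threshold; if none did,
        # the storm is the sum of many small talkers and all of them are participants.
        culprits = {src for s in secs for src, n in per_second[s].items() if n > threshold}
        if not culprits:
            culprits = {src for s in secs for src in per_second[s]}
        stamps, talkers = [], Counter()
        for ts, src, dst, _length in frames:
            if dst == BROADCAST and src in culprits and ts // US in secs:
                stamps.append(ts)
                talkers[src] += 1
        ev.update({
            "start_us": min(stamps),
            "end_us": max(stamps),
            "duration_us": max(stamps) - min(stamps),
            "relative_start_s": (min(stamps) - capture_start) / US,   # clock zeroed at capture start
            "peak_fps": max(max(per_second[s].values()) for s in secs),
            "sources": talkers,
        })
    return events


if __name__ == "__main__":
    for ev in detect_storms(make_capture()):
        print(f"storm at +{ev['relative_start_s']:.3f}s lasting {ev['duration_us'] / US:.3f}s, "
              f"peak {ev['peak_fps']} fps, top talker {ev['sources'].most_common(1)}")
```

The per-second bucket is the analyzer's statistics view in miniature; the culprit selection is the step the text describes as noting the devices communicating closest to the start of the storm, done by counting rather than by eye.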
If this is the case, just isolating and identifying the  broadcast storm may make it possible to isolate the devices causing the  storm or the protocol operations involved. It may then be possible to  stop the storm occurrence. This will increase performance levels and  optimize the network.&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/802559115446473721-576777578148270049?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://networkmonitor.blog.com/' title='Troubleshoot Broadcast Storm With Network Sniffer'/><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/576777578148270049/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2009/12/troubleshoot-broadcast-storm-with.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/576777578148270049'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/576777578148270049'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2009/12/troubleshoot-broadcast-storm-with.html' title='Troubleshoot Broadcast Storm With Network Sniffer'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-3721175329703533078</id><published>2009-12-18T00:46:00.000-08:00</published><updated>2009-12-18T00:49:22.144-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network Sniffer'/><category 
scheme='http://www.blogger.com/atom/ns#' term='Protocols'/><title type='text'>Protocol Analyzer, Protocol Analysis, Protocol Analyzing</title><content type='html'>&lt;h3 style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;What Are Network Protocols?&lt;/span&gt;&lt;/h3&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;In computing, a &lt;b&gt;protocol&lt;/b&gt; is a convention or standard that controls or enables the connection, communication, and data transfer between two computing endpoints. In its simplest form, a protocol can be defined as the rules governing the syntax, semantics, and synchronization of communication. Protocols may be implemented by hardware, software, or a combination of the two. At the lowest level, a protocol defines the behavior of a hardware connection.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;Why Is Protocol Analyzing Important?&lt;/span&gt;&lt;/h3&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;Since all network communications are based on protocols, and different protocols indicate different kinds of network behavior, analyzing protocols with a network sniffer tells us which network applications are used on the network and what network behavior is directed at it. 
You may check out our &lt;a href="http://www.colasoft.com/resources/protocols.php/?prid=05060003"&gt;protocols database&lt;/a&gt; to get an explanation of each protocol.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;Analyze Protocols with Capsa&lt;/span&gt;&lt;/h3&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;Supporting more than 300 protocols in its latest version, Capsa makes it easy to analyze the protocols on a network and understand what is happening.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;h4 style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;- Comprehensive Protocol Information in the “Protocols” Tab&lt;/span&gt;&lt;/h4&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;In the “Protocols” tab, all detected protocols are listed with detailed traffic (both total and real-time) and connection information. 
With its easy sorting feature, we can see which protocol has generated the most traffic and built the most connections.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;img alt="Network sniffing" src="http://www.colasoft.com/images/screenshots/protocol-analyzing-in-tab2.jpg" /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;h4 style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;- Drilldown on a Single Protocol&lt;/span&gt;&lt;/h4&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;Capsa’s unique “Explorer” allows you to carry out drilldown analysis on a single protocol and view dedicated information in the information-rich tab views.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;img alt="network monitor" src="http://www.colasoft.com/images/screenshots/http-protocol-analyzer2.jpg" /&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;h3 style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;Conclusion&lt;/span&gt;&lt;/h3&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;With Capsa’s protocol analyzing ability, we can easily understand what is happening on our network and which network application has generated the most traffic; these statistics provide first-hand information for everyday network management.&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;span style="font-size: small;"&gt;&lt;a href="http://www.colasoft.com/download/products/capsa.php/?prid=05060003"&gt;Download Trial Now!&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' 
src='https://blogger.googleusercontent.com/tracker/802559115446473721-3721175329703533078?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://networkmonitor.blog.com/networkmonitor/' title='Protocol Analyzer, Protocol Analysis, Protocol Analyzing'/><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/3721175329703533078/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2009/12/protocol-analyzer-protocol-analysis.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/3721175329703533078'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/3721175329703533078'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2009/12/protocol-analyzer-protocol-analysis.html' title='Protocol Analyzer, Protocol Analysis, Protocol Analyzing'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-4726365392539908666</id><published>2009-12-16T19:24:00.000-08:00</published><updated>2009-12-16T19:26:43.169-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Network मोनिटरिंग'/><category scheme='http://www.blogger.com/atom/ns#' term='नेटवर्क Analysis'/><category scheme='http://www.blogger.com/atom/ns#' term='Network मोनिटर'/><title type='text'>Network Monitor</title><content type='html'>&lt;p style="font-family: arial;"&gt;          &lt;span style="font-size:85%;"&gt;&lt;strong&gt;Network Monitor&lt;/strong&gt; is a packet 
capture and &lt;a href="http://www.colasoft.com/capsa/index.php/?prid=05060002"&gt;network protocol analyzer&lt;/a&gt; software that translates complex protocol negotiation into natural language, pinpointing where errors occurred. Not only is it easier to use than any competing product, but it also translates the packet negotiation into natural language, something no other network protocol analyzer does.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Network Monitor&lt;/strong&gt; was developed for network professionals who need to quickly detect network errors rather than wading through pages of incomprehensible &lt;a href="http://www.colasoft.com/etherlook/index.php"&gt;network traffic&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;Colasoft &lt;strong&gt;Network Monitor&lt;/strong&gt; is a &lt;a href="http://www.colasoft.com/resources/network.php/?prid=05060002"&gt;network&lt;/a&gt; and server monitoring tool that allows administrators to monitor the network for failures and irregularities automatically. It can monitor all aspects of your LAN and WAN servers, workstations and IP devices.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;For years, system administrators, network operators and helpdesk employees have relied upon the power, flexibility and reliability of the Colasoft &lt;strong&gt;Network Monitor tool&lt;/strong&gt;.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;Colasoft’s powerful &lt;strong&gt;Network Monitor&lt;/strong&gt; Engine technology has been adopted by several software companies all over the world. 
Colasoft’s &lt;strong&gt;Network Monitoring&lt;/strong&gt; technology is used by thousands of companies all over the world, making Colasoft the leading provider of &lt;strong&gt;Network Monitoring&lt;/strong&gt; solutions.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;The mission of the product is to maximize the reliability of your production servers and applications through the automatic detection of problems and issues.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;Colasoft &lt;strong&gt;Network Monitor&lt;/strong&gt; runs as a service on the Windows 2003/2000/XP/NT platform.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Network monitors&lt;/strong&gt; provide information regarding network-related problems even before a problem develops. They also provide guidance on how to improve the network. &lt;strong&gt;Network monitoring&lt;/strong&gt; should be conducted with proper and suitable software in order to obtain better results.&lt;br /&gt;Proper &lt;strong&gt;&lt;em&gt;network monitor software&lt;/em&gt;&lt;/strong&gt; can identify present and future network-related problems before the problem develops or a system crashes. &lt;strong&gt;Network monitors&lt;/strong&gt; perpetually monitor the computer network for failing or slow systems, notify the administrators of outages via pager or e-mail, and produce log files and performance charts that are used to check a system’s responses and capabilities.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Network monitors&lt;/strong&gt; automatically apprise the network administrator of a network failure or problem and compose expanded log files. 
&lt;strong&gt;Network monitors&lt;/strong&gt; take suitable actions, such as rebooting the system or running a script, and track the problems caused by crashed or overloaded servers or network connections.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Network monitor software&lt;/strong&gt; sends a test message through Simple Mail Transfer Protocol (&lt;a href="http://www.colasoft.com/resources/protocol.php?id=SMTP/?prid=05060002"&gt;SMTP&lt;/a&gt;) to check the condition of an e-mail server; the message is then retrieved with &lt;a href="http://www.colasoft.com/resources/protocol.php?id=IMAP4/?prid=05060002"&gt;Internet Message Access Protocol (IMAP)&lt;/a&gt;. To check the condition of a web server, &lt;strong&gt;network monitor software&lt;/strong&gt; sends an &lt;a href="http://www.colasoft.com/resources/protocol.php?id=HTTP/?prid=05060002"&gt;HTTP&lt;/a&gt; request to get a page. With &lt;strong&gt;Network Monitor&lt;/strong&gt;, users can monitor any IP networked device on the Local Area Network (&lt;a href="http://www.colasoft.com/support/glossary.php#l/?prid=05060002"&gt;LAN&lt;/a&gt;). It has the ability to detect issues like failed logins (which are suspicious), someone using particular protocols, or connecting to particular sites.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;Most &lt;strong&gt;network monitors&lt;/strong&gt; can supervise Internet usage and also register a fingerprint of each network connection in their database. Users can trace browser toolbars, worms, plug-ins, viruses, and more. 
Built-in pager and e-mail alarms keep the network administrator informed of all the important events on the network.&lt;/span&gt;&lt;/p&gt; &lt;p style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;Network Monitor&lt;/strong&gt; provides detailed information on &lt;strong&gt;Network Monitoring&lt;/strong&gt;, &lt;strong&gt;&lt;em&gt;Network Monitoring Software&lt;/em&gt;&lt;/strong&gt;, &lt;strong&gt;Network Monitoring Tools&lt;/strong&gt;, Network Performance Monitoring and more. &lt;strong&gt;Network Monitor&lt;/strong&gt; is affiliated with &lt;em&gt;Network Bandwidth Monitors&lt;/em&gt;.&lt;/span&gt;&lt;/p&gt; &lt;h3 style="font-family: arial;"&gt;&lt;span style="font-size:85%;"&gt;Related &lt;strong&gt;Network Monitor&lt;/strong&gt; Software:&lt;/span&gt;&lt;/h3&gt; &lt;table style="font-family: arial;" border="0" cellpadding="5" cellspacing="0" width="100%"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;span style="font-size:85%;"&gt;&lt;a href="http://www.colasoft.com/resources/msn_sniffer.php/?prid=05060002"&gt;&lt;strong&gt;MSN Sniffer &amp;amp; Monitor&lt;/strong&gt;&lt;/a&gt; - Capture MSN messenger chat and conversations on your network.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;span style="font-size:85%;"&gt;&lt;a href="http://www.colasoft.com/resources/network_analysis.php/?prid=05060002"&gt;&lt;strong&gt;Network Analysis&lt;/strong&gt;&lt;/a&gt; - The general name given to certain specific techniques which can be used for the planning, management and control of projects.&lt;/span&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/802559115446473721-4726365392539908666?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://networkmonitor.blog.com/networkmonitor/' title='Network Monitor'/><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/4726365392539908666/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2009/12/network-monitor.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/4726365392539908666'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/4726365392539908666'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2009/12/network-monitor.html' title='Network Monitor'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-5319309578012762355</id><published>2009-12-16T19:18:00.000-08:00</published><updated>2009-12-16T19:20:34.950-08:00</updated><title type='text'>Tips For Staying Safe While Online</title><content type='html'>&lt;p&gt;&lt;span style="font-size:85%;"&gt;The online world can be a confusing—even intimidating—place, with new threats emerging on a regular basis. How can you keep yourself safe and still enjoy the benefits that the Internet brings? Armed with just a little knowledge, you can easily and effectively improve the security of your computer and your personal information. 
Here are some simple tips that will give you the freedom and confidence to take full advantage of the Internet:&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;span class="tip"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;div class="post-content"&gt;&lt;li&gt;&lt;span style="font-size:85%;"&gt;Use anti-virus software, and keep it updated.&lt;/span&gt;&lt;/li&gt;  &lt;p&gt;&lt;span style="font-size:85%;"&gt;Getting infected with a computer virus or Trojan can be frustrating. These programs are known to destroy your computer, slow its performance, and barrage you with annoying pop-up ads. However, the types of viruses and Trojans that infect computers today are more malicious. They are designed to steal your credit card information and passwords, take over your email and use it for spamming, or even record what you type on your computer. Also, many of the new viruses and Trojans aim to be transparent so most people don’t even know they have been infected.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;span class="tip"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;li&gt;&lt;span style="font-size:85%;"&gt;Use a personal firewall, and keep it updated.&lt;/span&gt;&lt;/li&gt;  &lt;p&gt;&lt;span style="font-size:85%;"&gt;Hackers constantly create new ways to penetrate your computer. Installing a personal firewall is essential to safeguard your computer and valuable personal information. A firewall is a secure barrier that sits between your computer and the Internet that prevents hackers from accessing your information.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;span class="tip"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;li&gt;&lt;span style="font-size:85%;"&gt;Create strong passwords and change them regularly.&lt;/span&gt;&lt;/li&gt;  &lt;p&gt;&lt;span style="font-size:85%;"&gt;Do you think your password is impossible to guess? 
The reality is that many people use simple passwords that are easy to remember but make it easy for hackers to gain access to your financial and personal accounts. Making your password more complex will keep you safer online (though much more can still be done).&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:85%;"&gt;You should also have more than one password that you use. Just as you wouldn’t use the same key for your house, your car, your mailbox and your office, you shouldn’t use the same password for all of your online accounts. This exposes you to more risk and increases the likelihood of having your information stolen.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;span class="tip"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;li&gt;&lt;span style="font-size:85%;"&gt;Be aware of deceptive emails, pop-ups, and other online scams&lt;/span&gt;&lt;/li&gt;  &lt;p&gt;&lt;span style="font-size:85%;"&gt;Online criminals will attempt to acquire your personal information by luring you to a website that looks legitimate, but is actually a fake site. If you receive any emails from an unfamiliar source, or any suspicious pop-ups, do not click on the links or open the attachment.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;span class="tip"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;li&gt;&lt;span style="font-size:85%;"&gt;Check the security lock.&lt;/span&gt;&lt;/li&gt;  &lt;p&gt;&lt;span style="font-size:85%;"&gt;Sometimes, just the presence of a security lock alone is not proof enough that a website is genuine. If in doubt, you can verify a website is genuine by double clicking on the lock to display the website’s security certificate, and then check if the name on the certificate and the website that appears in the address bar match. 
If they do not match, then the website might be phony.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;span class="tip"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;li&gt;&lt;span style="font-size:85%;"&gt;Guard your privacy and limit the amount of personal information you share online.&lt;/span&gt;&lt;/li&gt;  &lt;p&gt;&lt;span style="font-size:85%;"&gt;The growth of social networking sites over the last two years has made it easier for online criminals to obtain information on you. This is a way for them to gather information to answer the challenge questions most online service providers require in order to enable access to your account or retrieve and change your password. Limit the amount of personal information you publicly share online.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;span class="tip"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;li&gt;&lt;span style="font-size:85%;"&gt;Fraud is always on the move.&lt;/span&gt;&lt;/li&gt;  &lt;p&gt;&lt;span style="font-size:85%;"&gt;As consumers become more educated about fraud and identity theft, online criminals are moving to other places to launch their scams. Phone scams are gaining popularity again. There are two common types of phone scams. The first type of scam involves an email detailing a problem with your account and requests you to call a specific phone number to provide more details. The second type of scam involves a phone call from an automated call center asking you for sensitive information. 
You should never provide personal information to an unsolicited caller.&lt;/span&gt;&lt;/p&gt; &lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;span class="tip"&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt; &lt;li&gt;&lt;span style="font-size:85%;"&gt;Check your online statements frequently.&lt;/span&gt;&lt;/li&gt;  &lt;p&gt;&lt;span style="font-size:85%;"&gt;Despite adopting all the appropriate security measures, online users still manage to fall victim to scams and have their identity stolen. In order to help ensure that you and your information stay safe, check your online account statements frequently. If you have fallen victim to online fraud, the sooner you know about it, the sooner you can act to block your accounts, and take corrective action. If you detect suspicious activity in your account, you should immediately contact your account provider for help.&lt;/span&gt;&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/802559115446473721-5319309578012762355?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://networkmonitor.blog.com/' title='Tips For Staying Safe While Online'/><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/5319309578012762355/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2009/12/tips-for-staying-safe-while-online.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/5319309578012762355'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/5319309578012762355'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2009/12/tips-for-staying-safe-while-online.html' title='Tips For Staying Safe While 
Online'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-3827260074689371741</id><published>2009-01-22T19:36:00.000-08:00</published><updated>2009-01-22T19:42:10.354-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Analyzing'/><category scheme='http://www.blogger.com/atom/ns#' term='Packet'/><category scheme='http://www.blogger.com/atom/ns#' term='Telnet'/><title type='text'>Analyzing Telnet</title><content type='html'>Telnet offers bi-directional, byte-oriented communication. Originally designed to offer a communications method for terminal access, telnet uses port 23 on the server side and a dynamic port number on the client side. Telnet is documented in RFCs 854 (Telnet) and 855 (Telnet Options).&lt;br /&gt;&lt;br /&gt;&lt;b&gt;The Telnet Elements&lt;/b&gt;&lt;br /&gt;Telnet hosts exchange information about options that they support as they establish a connection with another host. This remote host is referred to as a Network Virtual Terminal (NVT), or a virtual, generic host. These options use the DO, DON’T, WILL and WON’T structure to define what features they support. All telnet communications use the server port number 23 to exchange the option information and telnet data, as shown in Figure 1.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;NVT&lt;/b&gt;&lt;br /&gt;Each side of a telnet communication is referred to as an NVT – the client NVT typically initiates the telnet connection, while the server NVT offers some services to the client. 
In the traditional sense, the NVT was considered a printer-keyboard device that receives bytes from the other host and prints the information. It sends data entered on the keyboard to the other host.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;WILL – WON’T – DO – DON’T Structures&lt;/b&gt;&lt;br /&gt;During the initial telnet connection establishment process, the hosts propose and accept or deny the use of specific parameters to use in the communications. The following structures are used for this negotiation process:&lt;br /&gt;· 251 (0xFB) WILL&lt;br /&gt;· 252 (0xFC) WON’T&lt;br /&gt;· 253 (0xFD) DO&lt;br /&gt;· 254 (0xFE) DON’T&lt;br /&gt;Although these operators are not the only ones available, they are the most widely used structures. A host sends one of these operators, such as DO or WILL, and follows it with an option code. The option is accepted when the other host responds with a DO or WILL. Returning a DON’T or WON’T indicates that a host does not accept an option.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Options&lt;/b&gt;&lt;br /&gt;Options are parameters or conventions used for the telnet connection. For example, one option, echo, is used to define whether a telnet host echoes back data characters it receives over the telnet connection. The telnet echo option is covered in detail in RFC 857.&lt;br /&gt;Table 1 shows a partial list of the options registered for telnet. 
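As an added example (not part of the original post), the following Python code decodes the option negotiation in a captured telnet byte stream the way a protocol analyzer would, using the WILL/WON'T/DO/DON'T codes listed above together with the other RFC 854 command bytes (IAC 255, which introduces every command, and SB 250 / SE 240, which delimit a subnegotiation). The two byte strings, the user name and the short option-name table are constructed for the example; the check at the end reports whether the session negotiated neither the Authentication (37) nor the Encryption (38) option, in which case the login data in the DATA events crossed the wire in the clear.

```python
# Added example (not from the original post): decode telnet option negotiation
# from a captured byte stream, then check which options were agreed on.
IAC, SE, SB = 255, 240, 250                # RFC 854 command bytes
WILL, WONT, DO, DONT = 251, 252, 253, 254  # the four negotiation operators
COMMAND_NAMES = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# Subset of the registered telnet options (option number to name)
OPTION_NAMES = {0: "Binary Transmission", 1: "Echo", 3: "Suppress Go Ahead",
                5: "Status", 24: "Terminal Type", 31: "Negotiate About Window Size",
                37: "Authentication Option", 38: "Encryption Option"}


def option_name(code):
    return OPTION_NAMES.get(code, "option %d" % code)


def decode_telnet(stream):
    """Split one direction of a telnet stream into events: (operator, option)
    for WILL/WONT/DO/DONT, ("SB", option, payload) for a subnegotiation,
    ("IAC", code) for any other command and ("DATA", bytes) for user data.
    IAC IAC is the escape for a literal 0xFF data byte."""
    events, data, n, i = [], bytearray(), len(stream), 0

    def flush():
        if data:
            events.append(("DATA", bytes(data)))
            data.clear()

    while n > i:
        if stream[i] != IAC:
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:
            raise ValueError("truncated IAC at end of stream")
        cmd = stream[i + 1]
        if cmd == IAC:                      # escaped data byte
            data.append(IAC)
            i += 2
        elif cmd in COMMAND_NAMES:          # IAC operator option
            if i + 2 >= n:
                raise ValueError("truncated option negotiation")
            flush()
            events.append((COMMAND_NAMES[cmd], option_name(stream[i + 2])))
            i += 3
        elif cmd == SB:                     # IAC SB option ... IAC SE
            if i + 2 >= n:
                raise ValueError("truncated subnegotiation")
            payload, j = bytearray(), i + 3
            while True:
                if j + 1 >= n:
                    raise ValueError("subnegotiation without IAC SE")
                if stream[j] != IAC:
                    payload.append(stream[j])
                    j += 1
                elif stream[j + 1] == SE:
                    break
                elif stream[j + 1] == IAC:  # escaped 0xFF inside the payload
                    payload.append(IAC)
                    j += 2
                else:
                    raise ValueError("unexpected IAC command inside subnegotiation")
            flush()
            events.append(("SB", option_name(stream[i + 2]), bytes(payload)))
            i = j + 2
        else:                               # NOP, GA, Data Mark and friends
            flush()
            events.append(("IAC", cmd))
            i += 2
    flush()
    return events


def accepted_options(events):
    """Options a side offered (WILL) or requested (DO) and did not withdraw
    later in the same stream with WONT/DONT."""
    enabled = set()
    for ev in events:
        if ev[0] in ("WILL", "DO"):
            enabled.add(ev[1])
        elif ev[0] in ("WONT", "DONT"):
            enabled.discard(ev[1])
    return enabled


def cleartext_session(client_events, server_events):
    """True when neither side brought up the Authentication (37) or the
    Encryption (38) option, so the DATA events (the login) went in the clear."""
    protecting = {OPTION_NAMES[37], OPTION_NAMES[38]}
    negotiated = accepted_options(client_events) | accepted_options(server_events)
    return negotiated.isdisjoint(protecting)


# Constructed capture of a telnet login, one byte string per direction
SERVER_TO_CLIENT = (b"\xff\xfd\x18"                   # IAC DO Terminal Type
                    b"\xff\xfb\x01"                   # IAC WILL Echo
                    b"\xff\xfb\x03"                   # IAC WILL Suppress Go Ahead
                    b"\xff\xfa\x18\x01\xff\xf0"       # IAC SB Terminal Type SEND IAC SE
                    b"login: ")
CLIENT_TO_SERVER = (b"\xff\xfb\x18"                   # IAC WILL Terminal Type
                    b"\xff\xfd\x01"                   # IAC DO Echo
                    b"\xff\xfd\x03"                   # IAC DO Suppress Go Ahead
                    b"\xff\xfa\x18\x00VT100\xff\xf0"  # IAC SB Terminal Type IS VT100 IAC SE
                    b"alice\r\n")
```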
Refer to www.iana.org for a complete list of telnet options.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Table 1: Telnet Options List&lt;/b&gt;&lt;br /&gt;&lt;table border="1" cellpadding="3" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;Option&lt;/th&gt;&lt;th&gt;Name&lt;/th&gt;&lt;th&gt;References&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;0&lt;/td&gt;&lt;td&gt;Binary Transmission&lt;/td&gt;&lt;td&gt;[RFC856]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;1&lt;/td&gt;&lt;td&gt;Echo&lt;/td&gt;&lt;td&gt;[RFC857]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;2&lt;/td&gt;&lt;td&gt;Reconnection&lt;/td&gt;&lt;td&gt;[NIC50005]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;3&lt;/td&gt;&lt;td&gt;Suppress Go Ahead&lt;/td&gt;&lt;td&gt;[RFC858]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;4&lt;/td&gt;&lt;td&gt;Approx Message Size Negotiation&lt;/td&gt;&lt;td&gt;[ETHERNET]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;5&lt;/td&gt;&lt;td&gt;Status&lt;/td&gt;&lt;td&gt;[RFC859]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;6&lt;/td&gt;&lt;td&gt;Timing Mark&lt;/td&gt;&lt;td&gt;[RFC860]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;7&lt;/td&gt;&lt;td&gt;Remote Controlled Trans and Echo&lt;/td&gt;&lt;td&gt;[RFC726]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;8&lt;/td&gt;&lt;td&gt;Output Line Width&lt;/td&gt;&lt;td&gt;[NIC50005]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;9&lt;/td&gt;&lt;td&gt;Output Page Size&lt;/td&gt;&lt;td&gt;[NIC50005]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;10&lt;/td&gt;&lt;td&gt;Output Carriage-Return Disposition&lt;/td&gt;&lt;td&gt;[RFC652]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;11&lt;/td&gt;&lt;td&gt;Output Horizontal Tab Stops&lt;/td&gt;&lt;td&gt;[RFC653]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;12&lt;/td&gt;&lt;td&gt;Output Horizontal Tab Disposition&lt;/td&gt;&lt;td&gt;[RFC654]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;13&lt;/td&gt;&lt;td&gt;Output Formfeed Disposition&lt;/td&gt;&lt;td&gt;[RFC655]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;14&lt;/td&gt;&lt;td&gt;Output Vertical Tabstops&lt;/td&gt;&lt;td&gt;[RFC656]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;15&lt;/td&gt;&lt;td&gt;Output Vertical Tab Disposition&lt;/td&gt;&lt;td&gt;[RFC657]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;16&lt;/td&gt;&lt;td&gt;Output Linefeed Disposition&lt;/td&gt;&lt;td&gt;[RFC658]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;17&lt;/td&gt;&lt;td&gt;Extended ASCII&lt;/td&gt;&lt;td&gt;[RFC698]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;18&lt;/td&gt;&lt;td&gt;Logout&lt;/td&gt;&lt;td&gt;[RFC727]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;19&lt;/td&gt;&lt;td&gt;Byte Macro&lt;/td&gt;&lt;td&gt;[RFC735]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;20&lt;/td&gt;&lt;td&gt;Data Entry Terminal&lt;/td&gt;&lt;td&gt;[RFC1043, RFC732]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;21&lt;/td&gt;&lt;td&gt;SUPDUP&lt;/td&gt;&lt;td&gt;[RFC736, RFC734]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;22&lt;/td&gt;&lt;td&gt;SUPDUP Output&lt;/td&gt;&lt;td&gt;[RFC749]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;23&lt;/td&gt;&lt;td&gt;Send Location&lt;/td&gt;&lt;td&gt;[RFC779]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;24&lt;/td&gt;&lt;td&gt;Terminal Type&lt;/td&gt;&lt;td&gt;[RFC1091]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;25&lt;/td&gt;&lt;td&gt;End of Record&lt;/td&gt;&lt;td&gt;[RFC885]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;26&lt;/td&gt;&lt;td&gt;TACACS User Identification&lt;/td&gt;&lt;td&gt;[RFC927]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;27&lt;/td&gt;&lt;td&gt;Output Marking&lt;/td&gt;&lt;td&gt;[RFC933]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;28&lt;/td&gt;&lt;td&gt;Terminal Location Number&lt;/td&gt;&lt;td&gt;[RFC946]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;29&lt;/td&gt;&lt;td&gt;Telnet 3270 Regime&lt;/td&gt;&lt;td&gt;[RFC1041]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;30&lt;/td&gt;&lt;td&gt;X.3 PAD&lt;/td&gt;&lt;td&gt;[RFC1053]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;31&lt;/td&gt;&lt;td&gt;Negotiate About Window Size&lt;/td&gt;&lt;td&gt;[RFC1073]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;32&lt;/td&gt;&lt;td&gt;Terminal Speed&lt;/td&gt;&lt;td&gt;[RFC1079]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;33&lt;/td&gt;&lt;td&gt;Remote Flow Control&lt;/td&gt;&lt;td&gt;[RFC1372]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;34&lt;/td&gt;&lt;td&gt;Linemode&lt;/td&gt;&lt;td&gt;[RFC1184]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;35&lt;/td&gt;&lt;td&gt;X Display Location&lt;/td&gt;&lt;td&gt;[RFC1096]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;36&lt;/td&gt;&lt;td&gt;Environment Option&lt;/td&gt;&lt;td&gt;[RFC1408]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;37&lt;/td&gt;&lt;td&gt;Authentication Option&lt;/td&gt;&lt;td&gt;[RFC2941]&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;38&lt;/td&gt;&lt;td&gt;Encryption Option&lt;/td&gt;&lt;td&gt;[RFC2946]&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;&lt;br /&gt;Some options require that additional information is exchanged between hosts. 
For example, when an option requires a parameter, the simple DO, DON’T, WILL, and WON’T functions are not sufficient. To support additional information exchange, both hosts must agree to discuss the parameters and then use the command SB to begin subnegotiation.&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/802559115446473721-3827260074689371741?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/3827260074689371741/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2009/01/analyzing-telnet.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/3827260074689371741'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/3827260074689371741'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2009/01/analyzing-telnet.html' title='Analyzing Telnet'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-5549279801141716784</id><published>2008-12-17T18:34:00.000-08:00</published><updated>2008-12-17T18:39:46.047-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hacker'/><title type='text'>How to Hack</title><content type='html'>Hacking can be difficult and there are many different ways to hack and many different exploits to use. 
Hacking is neither defined nor limited by exploitation or exploration. Hacking into someone else's system may be illegal, so don't do it unless you are sure you have permission from the owner of the system you are trying to hack.&lt;br /&gt;&lt;br /&gt;In the "good old days" hacking was primarily a way of learning new things about systems and computing in general. In recent years it has taken on darker connotations and is generally looked down upon. Even so, many corporations now employ "hackers" to test the strengths and weaknesses of their own systems. These hackers know when to stop, and it is the trust they have built that earns them large salaries.&lt;br /&gt;&lt;br /&gt;There is a major difference between a hacker and a cracker. A cracker is motivated by malicious reasons; a hacker is attempting to gain knowledge through exploration.&lt;br /&gt;Learn a programming language. C++ is very useful, although difficult to learn. Python is much easier to learn, although less flexible. To break into web systems, learning a server-side language such as PHP will help you immensely. Perl is also a very useful language to learn, as it can be used in many situations, and once you are familiar with the syntax (which is similar to that of C) you will be able to write Perl scripts very quickly. &lt;br /&gt;Use a *nix terminal for commands. Cygwin will emulate one for Windows users; the DOS prompt is more limiting than a *nix shell. The tools in this article can be found for Windows machines; Nmap in particular uses WinPcap on Windows and does not require Cygwin, but it works less well there because raw sockets are restricted on Windows. Consider using Linux or BSD instead: both are more flexible, more reliable, and more secure, and most Linux distributions come with many useful tools pre-installed. &lt;br /&gt;Try securing your machine first. 
Make sure you fully understand all common techniques, including how to protect yourself against them. &lt;br /&gt;Know your target. The process of gathering information about your target is known as enumeration. Can you reach the remote system? The ping utility (included in most operating systems) tells you whether the target is alive, but you cannot always trust its result: it relies on ICMP, which cautious system administrators often block. &lt;br /&gt;Determine the operating system (OS). This matters because you cannot plan an attack on a system without knowing what it is. This step involves scanning the ports. Run a port scan with nmap, or use p0f for passive fingerprinting. The scan shows which ports are open on the machine and can identify the OS and even the type of firewall or router in use, so you can plan a course of action. Enable OS detection in nmap with the -O switch. &lt;br /&gt;Find some path or open port into the system. Common ports such as FTP (21) and HTTP (80) are often well protected and possibly only vulnerable to exploits yet to be discovered. Try other TCP and UDP ports that may have been forgotten, such as Telnet and the UDP ports left open for LAN gaming. An open port 22 is usually evidence of an SSH (secure shell) service running on the target, which can sometimes be brute-forced. &lt;br /&gt;Crack the password or authentication process. There are several methods for cracking a password. A dictionary attack tries every entry of a pre-defined word list; a brute-force attack tries every possible combination of characters. Users are often discouraged from using weak passwords, so brute force may take a very long time. Rainbow tables give the fastest cracking for unsalted hashes. Note that password cracking is a useful technique only if you already have the password hash. 
Trying every possible password while logging in to a remote machine is not a good idea: it is easily detected by intrusion detection systems, it pollutes the system logs, and it may take years to complete. It is often much easier to find another way into the system than to crack a password. &lt;br /&gt;Get super-user (root) privileges if targeting a *nix machine, or administrator privileges on Windows. Most information of real interest is protected, and you need a certain level of authorization to reach it. To see all the files on a computer you need super-user privileges: the account with the same rights as the "root" user on Linux and BSD, the "admin" account on routers (unless it has been changed), the Administrator account on Windows, and so on. Gaining access to a connection does not mean you can access everything; only a super-user, administrator or root account can do that. &lt;br /&gt;Use various tricks. To gain super-user status you often have to use tactics such as triggering a "buffer overflow", in which a program writes past the end of a buffer and overwrites adjacent memory, letting you inject code or make the program perform a task at a higher privilege level than you are normally authorized for. On Unix-like systems this works when the buggy program has the setuid bit set, so that it runs as a different user (the super-user, for example). Only by writing or finding an insecure program that you can execute on their machine will you be able to do this. &lt;br /&gt;Create a backdoor. Once you have full control over the machine, make sure you can come back one day. This can be done by backdooring an important system service such as the SSH server. Your backdoor may, however, be removed by the next system upgrade; really experienced hackers would backdoor the compiler itself, so that every program compiled with it becomes a potential way back in. &lt;br /&gt;Cover your tracks. 
Never let the administrator know that the system is compromised. Do not change the website (if any), do not create more files than you really need, and do not create additional users. Act as fast as possible. If you patched a server like sshd, make sure it has your secret password hard-coded: if someone logs in with that password, the server should let them in but should not report the login to syslog. &lt;br /&gt;Tips: Read books on TCP/IP networking. &lt;br /&gt;This article describes what is known in the hacking world as "cracking". Hackers are the people who built the Internet, made Linux, and work on open-source software. It is advisable to look into hacking in that sense, as it is respected and much less likely to get you arrested. &lt;br /&gt;Using these tactics on a popular corporate or government computer is asking for trouble unless you are a professional. Keep in mind that there are people more knowledgeable than you who protect these systems for a living. Once they find an intruder, they sometimes monitor them so that they incriminate themselves before legal action is taken. You might think you have free access after hacking into a system when in fact you are being watched and may be stopped at any moment. &lt;br /&gt;To find information online related to hacking, or to attend an "underground" hacking event, visit these sites:&lt;br /&gt;&lt;br /&gt;enigmagroup.org A legal and safe network-security resource where users test their hacking skills on various challenges and learn about hacking and network security. Also provides articles, comprehensive and active forums, guides and tutorials. &lt;br /&gt;defcon.org Underground hacking event. &lt;br /&gt;hackthissite.org Hacking site with a large selection of challenges to practice your skills in a safe and legal environment. &lt;br /&gt;insecure.org Hacking tools and other software. &lt;br /&gt;securityforest.com Tools, papers, exploits, and other reference material. 
&lt;br /&gt;hellboundhackers.org Learn vital skills, complete training "missions", and talk with other experienced hackers to get better. Tools and skills are available as well. &lt;br /&gt;&lt;br /&gt;Warnings: Misuse of this information may be a local and/or federal crime. This article is intended to be informational and should only be used for ethical purposes. &lt;br /&gt;Do not delete entire log files; instead, remove just the incriminating entries. Which looks more suspicious, a log with a few entries missing or a log file that has been destroyed? &lt;br /&gt;Be extremely careful if you think you have found a very easy crack or a crude mistake in security management. The security professional protecting that system may be trying to track you by setting up a honeypot. &lt;br /&gt;Stay away from breaking into government networks. If you do find a vulnerability in such a network, the best course of action is to inform the system administrator and perhaps help them patch it. &lt;br /&gt;&lt;br /&gt;Things You'll Need: A computer with a connection to the Internet. &lt;br /&gt;A proxy is always a good idea. 
&lt;br /&gt;An IP scanner &lt;br /&gt;Petaflops help&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/802559115446473721-5549279801141716784?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/5549279801141716784/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/12/how-to-hack.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/5549279801141716784'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/5549279801141716784'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/12/how-to-hack.html' title='How to Hack'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-7406081200867094028</id><published>2008-12-12T00:20:00.000-08:00</published><updated>2008-12-12T00:26:56.161-08:00</updated><title type='text'>Intrusion Detection Methodologies</title><content type='html'>1. The "business problem": Keeping the bad guys out&lt;br /&gt;Internet and internal network attacks on corporate enterprises seem inescapable in today’s computing environment. Most companies admit to having been attacked over the past year. While the most costly attacks have been from the inside, external attacks from hackers and competitors are rising dramatically. How do you know when you’re under attack? 
Chances are you can already create enough audit trail data, but who has time to look at it?&lt;br /&gt;Intrusion Detection tools solve this problem by automatically discovering and responding to attacks. This paper investigates the need for Intrusion Detection, discusses lessons learned from early Intrusion Detection efforts, and explores the different types of Intrusion Detection tools available. The paper compares and contrasts the three common methodologies used for Intrusion Detection and discusses the advantages and disadvantages inherent to various architectures.&lt;br /&gt;2. "Why Intrusion Detection?"&lt;br /&gt;The 1997 annual Ernst &amp; Young security survey indicated that 46% of the respondents considered intrusions a major concern, up dramatically from 16% in 1996. U.S. government penetration tests at the Department of Defense over the last two years showed that less than 4% of the systems broken into were able to detect the attack. Even more disturbing, less than 1% took any response.&lt;br /&gt;Taking advantage of "Free Stuff"&lt;br /&gt;A few years ago, hacking took a lot of time and study. While expert hackers still abound, the Internet has entered a new era. Using almost any search engine, average Internet users can quickly find information describing how to break into systems, simply by searching for keywords like hacking, password cracking, and Internet security. Thousands of sites publish step-by-step instructions on how to break into Windows NT systems, web servers, UNIX systems, and so on. The sites often include tools that automate the hacking process, in many cases with easy-to-use graphical interfaces. For instance, a tool called "crack" automatically attempts to guess UNIX passwords. A similar tool called L0phtcrack breaks Windows NT passwords. 
A software probe called SATAN discovers vulnerable systems in a network and reports on the specific holes that can be exploited.&lt;br /&gt;What does all this mean? Almost anyone with the motivation to break into systems can quickly obtain the technology to do so without having to become an expert hacker.&lt;br /&gt;Attacks come from both the inside and the outside. As the survey in the following chart illustrates, disgruntled employees actually represent a larger threat and typically cause more damage than hacker attacks. An effective Intrusion Detection solution should detect attacks from both inside and outside the network.&lt;br /&gt;More computers than people&lt;br /&gt;With the explosion of Internet connectivity and the pervasive access everyday users have to both internal and external networks, experts have seen a tremendous rise in attacks on corporate and government networks. At the same time the complexity of our enterprises has increased rapidly. Many organizations report that they have more computer systems than users. Add to this the diversity of operating system platforms, routers, network protocols, applications, web servers, databases, etc., and we can quickly see why trying to spot an attack becomes extremely difficult. Without sophisticated tools, it’s nearly impossible.&lt;br /&gt;Nevertheless, nearly every organization wants to know when it is under attack. Enter Intrusion Detection technology. Intrusion Detection tools automatically detect attacks and threats and ideally provide some type of response.&lt;br /&gt;3. Early Intrusion Detection Efforts&lt;br /&gt;In the early 1980s, conventional wisdom dictated that the best way to detect intrusions was to create logs or audit trails of all security-relevant activity. 
As a result most operating systems, databases, routers, and mission-critical applications generate audit trails. The original idea was that a security administrator would review the audit logs looking for suspicious events. This seemed like a fine idea when companies only had a few systems and a few users.&lt;br /&gt;The industry quickly realized that no one had time to read all that audit trail data. So a few enterprising developers built query and reporting programs to help analyze the audit trail in an attempt to find trouble spots. For example, in 1984, Clyde Digital Systems developed a product called AUDIT, which automatically searches through OpenVMS audit trails looking for suspicious events (incidentally, that product is still in use today). In 1987, a U.S. Government-funded project called IDES at Stanford Research Institute read audit trails, created profiles of normal use patterns for users, and then reported deviations.&lt;br /&gt;Having "the answer" without solving the problem equals no answer at all&lt;br /&gt;Intrusion Detection efforts throughout the 1980’s and early 90’s tended to focus on post-event audit trail analysis. Most companies, however, did not make use of such tools. Unfortunately, as the number of users, systems, applications, and databases grew, so did the audit trails, which now grow so large that they can actually cause denial of service problems by using up too much disk space. Many production environments routinely turn off audit trails to avoid disruptions to production systems.&lt;br /&gt;So the current situation at most sites is that they plan to rely on audit trails to detect intrusions, but without staff to review the audit trails, these sites turn off the audit trails to improve productivity. No wonder most attacks go undetected. Nobody’s looking.&lt;br /&gt;4. 
Intrusion Detection—Essential Functionality&lt;br /&gt;The term "Intrusion Detection" implies discovering attacks and threats throughout an enterprise, and responding to those discoveries. Typical automated responses include notifying a security administrator via a console, e-mail or pager; stopping the offending session; shutting the system down; shutting down Internet links; disabling users; or executing a predefined command procedure.&lt;br /&gt;Clearly Defined: "Intrusion Detection" is more than just a coded application&lt;br /&gt;An effective Intrusion Detection system needs to limit false positives, that is, incorrectly identifying an attack when there is none. At the same time it needs to be effective at catching attacks. Figuratively speaking, Intrusion Detection is like a surveillance camera and alarm system all rolled into one. False alarms are distracting and reduce the effectiveness of an Intrusion Detection system. Failing to catch a break-in reduces its value even further. To detect new types of attacks an Intrusion Detection tool must have a way to be quickly updated. This is particularly challenging, since updates of attack detection scenarios need to be more frequent than typical product release cycles of three to nine months. In fact, to be effective probably requires updating the software with new detection procedures on a regular basis.&lt;br /&gt;SWATting the problem of keeping current on new attacks&lt;br /&gt;AXENT’s Information Security SWAT Team illustrates one way to address this challenge of rapid deployment of new attack scenarios. The SWAT team researches new attack techniques and security threats and tests them in the lab. 
It develops new Intrusion Detection scenarios in response and publishes both a description of the attack and the scenarios on an Internet web site, www.axent.com/swat/swat.htm. Customers can download and quickly deploy new Intrusion Detection scenarios every week or two.&lt;br /&gt;5. What is a "Network?"&lt;br /&gt;Although it may seem strange, let’s clearly define the term "network." Why? Many intrusion detection products on the market claim to be network-based when in fact they are only link-based packet sniffers and analyzers. Remembering basic geometry, a network is an assembly of "nodes" and "links." You might have seen the following illustration used to define the term "network."&lt;br /&gt;In the example, to meet our basic definition of a network, the illustration required single points connected by individual lines. The points we described as "nodes" and the lines connecting these nodes we referred to as "links." (Individual links can connect multiple nodes, as shown by the middle link in the picture, which connects three nodes. Ethernet is an example of a network link that can connect multiple nodes to a single segment.)&lt;br /&gt;In the Intrusion Detection industry, much attention has been focused on the individual links, or on the individual nodes (sometimes referred to as "hosts"). The following section examines the various methods that the leading vendors consider as their solution to "Network-wide Security."&lt;br /&gt;6. Types of Intrusion Detection Tools&lt;br /&gt;In the last couple of years a number of Intrusion Detection products have appeared on the market. The Intrusion Detection market is relatively new, but growing fast. 
Based on their underlying methodologies, today’s Intrusion Detection products fall into three basic categories: post-event audit trail analysis, real-time packet analysis, and real-time activity monitoring.&lt;br /&gt;An example of a manager/agent real-time Intrusion Detection architecture is AXENT’s OmniGuard/Intruder Alert. Intruder Alert runs across Windows NT, UNIX, and NetWare (more than 50 operating system versions). It also monitors audit trails from Cisco routers, web servers, and various firewalls.&lt;br /&gt;Intruder Alert’s manager/agent architecture offers the following advantages:&lt;br /&gt;&lt;ul&gt;&lt;li&gt;Manages Intrusion Detection from a central console, while still monitoring activity throughout the entire network.&lt;/li&gt;&lt;li&gt;Relies on the devices themselves for first-level packet monitoring. Events that slip through a device’s own ability to catch them are then evaluated by Intruder Alert.&lt;/li&gt;&lt;li&gt;Correlates suspicious activity as it occurs in multiple locations in the network. For example, an intruder may use a hacker program to attempt to guess the root password on a hundred UNIX systems at the same time.&lt;/li&gt;&lt;li&gt;Quickly updates the various agents in the network with new attack scenarios. The vendor can publish these scenarios on the web so that customers can download them and rapidly deploy them throughout the enterprise.&lt;/li&gt;&lt;li&gt;Detects intrusions even if network connections are encrypted or if attackers use direct dial-up connections.&lt;/li&gt;&lt;li&gt;Logs critical security activity on manager systems. This makes it difficult for hackers to cover their tracks, since activity is logged on another system in the network, not just in a local audit trail. It also centralizes and facilitates audit trail management.&lt;/li&gt;&lt;/ul&gt;7. 
Comparison of Detection Methods&lt;br /&gt;The chart below shows a brief comparison of the basic features of the various methods of Intrusion Detection. The final section of the chart shows what types of security threats and attacks each method can detect. A check mark means that it can detect and respond. A "d" means it can only detect, but cannot provide an immediate response.&lt;br /&gt;&lt;table&gt;
&lt;tr&gt;&lt;th&gt;Threat or response&lt;/th&gt;&lt;th&gt;Marks, left to right (method column headings lost)&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Attack from inappropriate IP address&lt;/td&gt;&lt;td&gt;✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Illegal "Root" grabbing&lt;/td&gt;&lt;td&gt;✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Critical file tampering&lt;/td&gt;&lt;td&gt;d ✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Trojan horse detection&lt;/td&gt;&lt;td&gt;d ✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Browsing files (snooping)&lt;/td&gt;&lt;td&gt;d ✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Snooping across multiple systems&lt;/td&gt;&lt;td&gt;✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;th&gt;Response Types&lt;/th&gt;&lt;th&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Alert central console&lt;/td&gt;&lt;td&gt;✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Send e-mail&lt;/td&gt;&lt;td&gt;✓ ✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Send message to pager&lt;/td&gt;&lt;td&gt;✓ ✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Disable intruder’s user account&lt;/td&gt;&lt;td&gt;✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Terminate network access&lt;/td&gt;&lt;td&gt;✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Terminate intruder’s session&lt;/td&gt;&lt;td&gt;✓ ✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Shutdown system&lt;/td&gt;&lt;td&gt;✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Terminate intruder’s user process&lt;/td&gt;&lt;td&gt;✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Generate SNMP Trap&lt;/td&gt;&lt;td&gt;✓ ✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Record event on security server&lt;/td&gt;&lt;td&gt;✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;Execute command procedure&lt;/td&gt;&lt;td&gt;✓ ✓ ✓&lt;/td&gt;&lt;/tr&gt;
&lt;/table&gt;The previous chart clearly shows that while all Intrusion Detection methodologies are useful, manager/agent real-time activity monitoring has the most flexible architecture. It can pick up information from routers, firewalls, and other sources to detect many different kinds of attacks.&lt;br /&gt;8. Conclusion&lt;br /&gt;Intrusion detection is critical in today’s complex enterprises. Attempting to manually review audit trails is hopelessly time-consuming and a losing battle given the number of systems and different types of audit trails. Today’s enterprises need automated Intrusion Detection tools. 
These tools fall into three categories: post-event audit trail analysis, real-time packet analysis, and real-time activity monitoring.&lt;br /&gt;All three types of Intrusion Detection methods have merit, although post-event monitoring lacks the capability for immediate response to avoid or reduce damage. Real-time packet analysis is interesting for detecting certain low-level packet attacks, but it is too far from the system and does not by itself solve the network-wide Intrusion Detection problem. Real-time activity monitoring that considers both host and link activity seems the appropriate solution for Intrusion Detection.&lt;br /&gt;A manager/agent architecture provides the ability to monitor intrusions network-wide and to perform audit trail analysis and management as well as real-time Intrusion Detection. This covers both the first and third methods. Hooking packet analysis into a manager/agent architecture is really just a special case of adding a new type of agent to the manager/agent product.&lt;br /&gt;As Intrusion Detection moves into the future we expect to see products that span all three types of Intrusion Detection. 
Because of the enabling infrastructure they already possess, products with a manager/agent architecture, like Intruder Alert, are most likely to adequately focus on all three of the Intrusion&lt;br /&gt;Detection methodologies.&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/802559115446473721-7406081200867094028?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/7406081200867094028/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/12/intrusion-detection-methodologies.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/7406081200867094028'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/7406081200867094028'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/12/intrusion-detection-methodologies.html' title='Intrusion Detection Methodologies'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-7908238177565308471</id><published>2008-11-12T17:33:00.000-08:00</published><updated>2008-11-12T17:42:13.812-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Protols'/><title type='text'>ARP</title><content type='html'>Address Resolution Protocol (ARP) is used to resolve an IP address into a MAC address.&lt;br /&gt;An IP address is the address of a host at the network layer. 
To send a network layer packet to a destination host, the device must know the MAC address of the destination host. To this end, the IP address must be resolved into the corresponding MAC address.&lt;br /&gt;&lt;br /&gt;ARP Message Format&lt;br /&gt;&lt;br /&gt;&lt;a href="http://2.bp.blogspot.com/_ZHA90R0AaWM/SRuEiwslvmI/AAAAAAAAAAw/miYBPPMPzAo/s1600-h/20070531_105230_image001_195560_57_0.gif"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px; height: 135px;" src="http://2.bp.blogspot.com/_ZHA90R0AaWM/SRuEiwslvmI/AAAAAAAAAAw/miYBPPMPzAo/s320/20070531_105230_image001_195560_57_0.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5267949921862270562" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 1 ARP message format&lt;br /&gt;&lt;br /&gt;The following explains the fields in Figure 1.&lt;br /&gt;&lt;br /&gt; Hardware type: This field specifies the hardware address type. The value “1” represents Ethernet.&lt;br /&gt;&lt;br /&gt; Protocol type: This field specifies the type of the protocol address to be mapped. The hexadecimal value “0x0800” represents IP.&lt;br /&gt;&lt;br /&gt; Hardware address length and protocol address length: They respectively specify the length of a hardware address and a protocol address, in bytes. For an Ethernet address, the value of the hardware address length field is "6”. For an IP(v4) address, the value of the protocol address length field is “4”.&lt;br /&gt;&lt;br /&gt; OP: Operation code. This field specifies the type of ARP message. 
The value “1” represents an ARP request and “2” represents an ARP reply.&lt;br /&gt;&lt;br /&gt; Sender hardware address: This field specifies the hardware address of the device sending the message.&lt;br /&gt;&lt;br /&gt;  Sender protocol address: This field specifies the protocol address of the device sending the message.&lt;br /&gt;&lt;br /&gt;  Target hardware address: This field specifies the hardware address of the device the message is being sent to.&lt;br /&gt;&lt;br /&gt; Target protocol address: This field specifies the protocol address of the device the message is being sent to.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;ARP Address Resolution Process&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/_ZHA90R0AaWM/SRuFVJdb8vI/AAAAAAAAAA4/S4dStmp1qaI/s1600-h/20070531_105231_image002_195560_57_1.gif"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px; height: 126px;" src="http://1.bp.blogspot.com/_ZHA90R0AaWM/SRuFVJdb8vI/AAAAAAAAAA4/S4dStmp1qaI/s320/20070531_105231_image002_195560_57_1.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5267950787503059698" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Figure 2 ARP address resolution process&lt;br /&gt;&lt;br /&gt;Suppose that Host A and Host B are on the same subnet and that Host A sends a message to Host B. The resolution process is as follows:&lt;br /&gt;&lt;br /&gt;1)         Host A looks in its ARP mapping table to see whether there is an ARP entry for Host B. If Host A finds it, Host A uses the MAC address in the entry to encapsulate the IP packet into a data link layer frame and sends the frame to Host B.&lt;br /&gt;&lt;br /&gt;2)         If Host A finds no entry for Host B, Host A buffers the packet and broadcasts an ARP request, in which the source IP address and source MAC address are respectively the IP address and MAC address of Host A and the destination IP address and MAC address are respectively the IP address of Host B and an all-zero MAC address. 
Because the ARP request is sent in broadcast mode, all hosts on this subnet receive the request, but only the requested host (namely, Host B) processes it.&lt;br /&gt;&lt;br /&gt;3) Host B compares its own IP address with the destination IP address in the ARP request. If they are the same, Host B saves the source IP address and source MAC address into its ARP mapping table, encapsulates its MAC address into an ARP reply, and unicasts the reply to Host A.&lt;br /&gt;&lt;br /&gt;4) After receiving the ARP reply, Host A adds the MAC address of Host B into its ARP mapping table for subsequent packet forwarding. Meanwhile, Host A encapsulates the IP packet and sends it out.&lt;br /&gt;&lt;br /&gt;ARP Mapping Table&lt;br /&gt;After obtaining the destination MAC address, the device adds the IP-to-MAC mapping into its own ARP mapping table. This mapping is used for forwarding packets with the same destination in future.&lt;br /&gt;&lt;br /&gt;An ARP mapping table contains ARP entries, which fall into two categories: dynamic and static.&lt;br /&gt;&lt;br /&gt;1) A dynamic entry is automatically created and maintained by ARP. It can be aged out, updated by a new ARP packet, or overwritten by a static ARP entry. When the aging timer expires or the interface goes down, the corresponding dynamic ARP entry is removed.&lt;br /&gt;&lt;br /&gt;2) A static ARP entry is manually configured and maintained. It cannot be aged out or overwritten by a dynamic ARP entry. It can be permanent or non-permanent.&lt;br /&gt;&lt;br /&gt;• A permanent static ARP entry can be directly used to forward packets. When configuring a permanent static ARP entry, you must configure a VLAN and outbound interface for the entry besides the IP address and MAC address.&lt;br /&gt;&lt;br /&gt;• A non-permanent static ARP entry cannot be directly used for forwarding data. 
When configuring a non-permanent static ARP entry, you only need to configure the IP address and MAC address. When forwarding IP packets, the device sends an ARP request. If the source IP and MAC addresses in the received ARP reply are the same as the configured IP and MAC addresses, the device adds the interface receiving the ARP reply into the static ARP entry. The entry can then be used for forwarding IP packets.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Gratuitous ARP&lt;/strong&gt;&lt;br /&gt;A gratuitous ARP packet is a special ARP packet in which the source IP address and destination IP address are both the IP address of the sender, the source MAC address is the MAC address of the sender, and the destination MAC address is a broadcast address.&lt;br /&gt;&lt;br /&gt;A device can implement the following functions by sending gratuitous ARP packets:&lt;br /&gt;&lt;br /&gt;- Determining whether its IP address is already used by another device.&lt;br /&gt;&lt;br /&gt;- Informing other devices of its MAC address change so that they can update their ARP entries.&lt;br /&gt;&lt;br /&gt;A device receiving a gratuitous ARP packet can add the information carried in the packet to its own dynamic ARP mapping table if it finds no corresponding ARP entry for the ARP packet in the cache. Note that ARP carries no authentication, so a receiver has no way to verify that a gratuitous ARP really comes from the device that owns the claimed IP address; this is one reason to configure static entries, which dynamic ARP packets cannot overwrite, for addresses that must not change, such as the default gateway.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;ARP Source Suppression&lt;/strong&gt;&lt;br /&gt;If hosts on a network attack the device by sending large amounts of IP packets whose destination IP addresses cannot be resolved, the following consequences result:&lt;br /&gt;&lt;br /&gt;- The device sends large amounts of ARP request messages to the destination subnet, which increases the load on the destination subnet.&lt;br /&gt;&lt;br /&gt;- The device continuously resolves destination IP addresses, which increases the load on the CPU.&lt;br /&gt;&lt;br /&gt;To protect the device against this kind of attack, you can enable the ARP source suppression function.
With the function enabled, whenever the number of packets with unresolvable IP addresses that a host on the network sends to the device within five seconds exceeds the specified threshold, the device drops all subsequent packets with the same source IP address for the next five seconds. This helps protect the device against the attack.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;ARP Defense Against IP Packet Attack&lt;/strong&gt;&lt;br /&gt;In forwarding an IPv4 packet, a device depends on ARP to resolve the MAC address of the next hop. If the address resolution is successful, the forwarding chip forwards the packet directly. Otherwise, the device runs software for further processing. When large amounts of IP packets for which ARP cannot resolve the IP addresses of the next hops arrive at a device, the software on the device is called again and again and the CPU of the device is overburdened. This is called an IP packet attack.&lt;br /&gt;&lt;br /&gt;To protect a device against an IP packet attack, you can configure the ARP defense against IP packet attack function. After receiving an IP packet whose next hop is unreachable (that is, an IP packet for which ARP cannot resolve the MAC address of the next hop), a device with this function immediately creates a black hole route, and the forwarding chip simply drops all packets to that address. Note that a black hole route can age out, in which case a subsequent IP packet with the same next hop triggers the above process again. This protects the device against the IP packet attack efficiently, reducing the CPU load.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Proxy ARP&lt;/strong&gt;&lt;br /&gt;For an ARP request of a host on a network to be forwarded to an interface that is on the same network but isolated at Layer 2, or to a host on another network, the device connecting the two physical or virtual networks must be able to respond to the request. This is achieved by proxy ARP.
&lt;br /&gt;&lt;br /&gt;Proxy ARP implements Layer 3 communication between interfaces isolated at Layer 2 or located on different networks.&lt;br /&gt;&lt;br /&gt;In one of the following cases, you need to enable local proxy ARP:&lt;br /&gt;&lt;br /&gt;- Devices connected to different isolated Layer 2 ports in the same VLAN need to implement Layer 3 communication.&lt;br /&gt;&lt;br /&gt;- With the super VLAN function enabled, devices in different sub-VLANs need to implement Layer 3 communication.&lt;br /&gt;&lt;br /&gt;- With the isolate-user-vlan function enabled, devices in different secondary VLANs need to implement Layer 3 communication.&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/802559115446473721-7908238177565308471?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/7908238177565308471/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/11/arp.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/7908238177565308471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/7908238177565308471'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/11/arp.html' title='ARP'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://2.bp.blogspot.com/_ZHA90R0AaWM/SRuEiwslvmI/AAAAAAAAAAw/miYBPPMPzAo/s72-c/20070531_105230_image001_195560_57_0.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-1044846197663515843</id><published>2008-11-06T18:27:00.000-08:00</published><updated>2008-11-06T18:40:36.533-08:00</updated><title type='text'>How to Monitor Network Traffic</title><content type='html'>As a network analyzer (a.k.a. packet sniffer &amp; protocol analyzer), Capsa makes it easy for us to monitor and analyze network traffic in its intuitive and information-rich tab views. With Capsa's network traffic monitor feature, we can quickly identify network bottlenecks and detect network abnormalities. This article discusses how we can monitor network traffic with Capsa's network traffic monitor feature.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Monitor network traffic in the "Summary" tab&lt;/strong&gt;&lt;br /&gt;"Summary" is a view that provides general information about the entire network or the node selected in the "Explorer". In "Summary" we can get a quick view of the total traffic, real-time traffic, broadcast traffic, multicast traffic and so on.
When we switch among the nodes in the Explorer, the corresponding traffic information is shown.&lt;br /&gt;&lt;a href="http://4.bp.blogspot.com/_ZHA90R0AaWM/SROqTvjY58I/AAAAAAAAAAo/FJP_MSLG9Jo/s1600-h/monitor_network_traffic6.gif"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px; height: 268px;" src="http://4.bp.blogspot.com/_ZHA90R0AaWM/SROqTvjY58I/AAAAAAAAAAo/FJP_MSLG9Jo/s320/monitor_network_traffic6.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5265739645485377474" /&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/1044846197663515843/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/11/how-to-monitor-network-traffic.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/1044846197663515843'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/1044846197663515843'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/11/how-to-monitor-network-traffic.html' title='How to Monitor Network Traffic'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_ZHA90R0AaWM/SROqTvjY58I/AAAAAAAAAAo/FJP_MSLG9Jo/s72-c/monitor_network_traffic6.gif' height='72' 
width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-4923139958496827953</id><published>2008-11-04T18:08:00.000-08:00</published><updated>2008-11-04T18:20:57.166-08:00</updated><title type='text'>what can packet sniffer do?</title><content type='html'>&lt;a href="http://4.bp.blogspot.com/_ZHA90R0AaWM/SREC6qUOfXI/AAAAAAAAAAg/TDkHS7WusdY/s1600-h/monitor_network_traffic6.gif"&gt;&lt;img style="cursor:pointer; cursor:hand;width: 320px; height: 268px;" src="http://4.bp.blogspot.com/_ZHA90R0AaWM/SREC6qUOfXI/AAAAAAAAAAg/TDkHS7WusdY/s320/monitor_network_traffic6.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5264992646187613554" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;strong&gt;Uses&lt;/strong&gt;&lt;br /&gt;The versatility of packet sniffers means they can be used to:&lt;br /&gt;&lt;br /&gt;- Analyze network problems.&lt;br /&gt;&lt;br /&gt;- Detect network intrusion attempts.&lt;br /&gt;&lt;br /&gt;- Gain information for effecting a network intrusion.&lt;br /&gt;&lt;br /&gt;- Monitor network usage.&lt;br /&gt;&lt;br /&gt;- Gather and report network statistics.&lt;br /&gt;&lt;br /&gt;- Filter suspect content from network traffic.&lt;br /&gt;&lt;br /&gt;- Spy on other network users and collect sensitive information such as passwords (depending on any content encryption methods which may be in use).&lt;br /&gt;&lt;br /&gt;- Reverse engineer protocols used over the network.&lt;br /&gt;&lt;br /&gt;- Debug client/server communications.&lt;br /&gt;&lt;br /&gt;- Debug network protocol implementations.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Example uses&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;- A packet sniffer for a token ring network could detect that the token has been lost or the presence of too many tokens (verifying the protocol).
&lt;br /&gt;&lt;br /&gt;- A packet sniffer could detect that messages are being sent to a network adapter; if the network adapter did not report receiving the messages, this would localize the failure to the adapter.&lt;br /&gt;&lt;br /&gt;- A packet sniffer could detect excessive messages being sent by a port, revealing an error in the implementation.&lt;br /&gt;&lt;br /&gt;- A packet sniffer could collect statistics on the amount of traffic (number of messages) from a process, revealing the need for more bandwidth or a better method.&lt;br /&gt;&lt;br /&gt;- A packet sniffer could be used to extract messages and reassemble the traffic from a process into a complete form, allowing it to be reverse engineered.&lt;br /&gt;&lt;br /&gt;- A packet sniffer could be used to diagnose operating system connectivity issues involving web, FTP, SQL, Active Directory, etc.&lt;br /&gt;&lt;br /&gt;- A packet sniffer could be used to analyse data sent to and from secure systems in order to understand and circumvent security measures, for the purposes of penetration testing or illegal activities.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.colasoft.com/download/capsa_overview.php"&gt;http://www.colasoft.com/download/capsa_overview.php&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/4923139958496827953/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/11/what-can-packet-sniffer-do.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/4923139958496827953'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/802559115446473721/posts/default/4923139958496827953'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/11/what-can-packet-sniffer-do.html' title='what can packet sniffer do?'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/_ZHA90R0AaWM/SREC6qUOfXI/AAAAAAAAAAg/TDkHS7WusdY/s72-c/monitor_network_traffic6.gif' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-1070462170428975399</id><published>2008-11-04T17:55:00.000-08:00</published><updated>2008-11-04T17:57:42.129-08:00</updated><title type='text'>Uses of Computer Networks</title><content type='html'>1.1 Uses of Computer Networks&lt;br /&gt;Before we start to examine the technical issues in detail, it is worth devoting some time to pointing out why people are interested in computer networks and what they can be used for. After all, if nobody were interested in computer networks, few of them would be built. We will start with traditional uses at companies and for individuals and then move on to recent developments regarding mobile users and home networking.&lt;br /&gt;&lt;br /&gt;1.1.1 Business Applications&lt;br /&gt;Many companies have a substantial number of computers. For example, a company may have separate computers to monitor production, keep track of inventories, and do the payroll. 
Initially, each of these computers may have worked in isolation from the others, but at some point, management may have decided to connect them to be able to extract and correlate information about the entire company.&lt;br /&gt;&lt;br /&gt;Put in slightly more general form, the issue here is resource sharing, and the goal is to make all programs, equipment, and especially data available to anyone on the network without regard to the physical location of the resource and the user. An obvious and widespread example is having a group of office workers share a common printer. None of the individuals really needs a private printer, and a high-volume networked printer is often cheaper, faster, and easier to maintain than a large collection of individual printers.&lt;br /&gt;&lt;br /&gt;However, probably even more important than sharing physical resources such as printers, scanners, and CD burners, is sharing information. Every large and medium-sized company and many small companies are vitally dependent on computerized information. Most companies have customer records, inventories, accounts receivable, financial statements, tax information, and much more online. If all of its computers went down, a bank could not last more than five minutes. A modern manufacturing plant, with a computer-controlled assembly line, would not last even that long. Even a small travel agency or three-person law firm is now highly dependent on computer networks for allowing employees to access relevant information and documents instantly.&lt;br /&gt;&lt;br /&gt;For smaller companies, all the computers are likely to be in a single office or perhaps a single building, but for larger ones, the computers and employees may be scattered over dozens of offices and plants in many countries. Nevertheless, a sales person in New York might sometimes need access to a product inventory database in Singapore. 
In other words, the mere fact that a user happens to be 15,000 km away from his data should not prevent him from using the data as though they were local. This goal may be summarized by saying that it is an attempt to end the ''tyranny of geography.''&lt;br /&gt;&lt;br /&gt;In the simplest of terms, one can imagine a company's information system as consisting of one or more databases and some number of employees who need to access them remotely. In this model, the data are stored on powerful computers called servers. Often these are centrally housed and maintained by a system administrator. In contrast, the employees have simpler machines, called clients, on their desks, with which they access remote data, for example, to include in spreadsheets they are constructing. (Sometimes we will refer to the human user of the client machine as the ''client,'' but it should be clear from the context whether we mean the computer or its user.) The client and server machines are connected by a network, as illustrated in Fig. 1-1. Note that we have shown the network as a simple oval, without any detail. We will use this form when we mean a network in the abstract sense. When more detail is required, it will be provided.&lt;br /&gt;&lt;br /&gt;Figure 1-1. A network with two clients and one server.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;This whole arrangement is called the client-server model. It is widely used and forms the basis of much network usage. It is applicable when the client and server are both in the same building (e.g., belong to the same company), but also when they are far apart. For example, when a person at home accesses a page on the World Wide Web, the same model is employed, with the remote Web server being the server and the user's personal computer being the client. 
Under most conditions, one server can handle a large number of clients.&lt;br /&gt;&lt;br /&gt;If we look at the client-server model in detail, we see that two processes are involved, one on the client machine and one on the server machine. Communication takes the form of the client process sending a message over the network to the server process. The client process then waits for a reply message. When the server process gets the request, it performs the requested work or looks up the requested data and sends back a reply. These messages are shown in Fig. 1-2.&lt;br /&gt;&lt;br /&gt;Figure 1-2. The client-server model involves requests and replies.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;A second goal of setting up a computer network has to do with people rather than information or even computers. A computer network can provide a powerful communication medium among employees. Virtually every company that has two or more computers now has e-mail (electronic mail), which employees generally use for a great deal of daily communication. In fact, a common gripe around the water cooler is how much e-mail everyone has to deal with, much of it meaningless because bosses have discovered that they can send the same (often content-free) message to all their subordinates at the push of a button.&lt;br /&gt;&lt;br /&gt;But e-mail is not the only form of improved communication made possible by computer networks. With a network, it is easy for two or more people who work far apart to write a report together. When one worker makes a change to an online document, the others can see the change immediately, instead of waiting several days for a letter. Such a speedup makes cooperation among far-flung groups of people easy where it previously had been impossible.&lt;br /&gt;&lt;br /&gt;Yet another form of computer-assisted communication is videoconferencing. 
Using this technology, employees at distant locations can hold a meeting, seeing and hearing each other and even writing on a shared virtual blackboard. Videoconferencing is a powerful tool for eliminating the cost and time previously devoted to travel. It is sometimes said that communication and transportation are having a race, and whichever wins will make the other obsolete.&lt;br /&gt;&lt;br /&gt;A third goal for increasingly many companies is doing business electronically with other companies, especially suppliers and customers. For example, manufacturers of automobiles, aircraft, and computers, among others, buy subsystems from a variety of suppliers and then assemble the parts. Using computer networks, manufacturers can place orders electronically as needed. Being able to place orders in real time (i.e., as needed) reduces the need for large inventories and enhances efficiency.&lt;br /&gt;&lt;br /&gt;A fourth goal that is starting to become more important is doing business with consumers over the Internet. Airlines, bookstores, and music vendors have discovered that many customers like the convenience of shopping from home. Consequently, many companies provide catalogs of their goods and services online and take orders on-line. This sector is expected to grow quickly in the future. It is called e-commerce (electronic commerce).&lt;br /&gt;&lt;br /&gt;1.1.2 Home Applications&lt;br /&gt;In 1977, Ken Olsen was president of the Digital Equipment Corporation, then the number two computer vendor in the world (after IBM). When asked why Digital was not going after the personal computer market in a big way, he said: ''There is no reason for any individual to have a computer in his home.'' History showed otherwise and Digital no longer exists. Why do people buy computers for home use? Initially, for word processing and games, but in recent years that picture has changed radically. Probably the biggest reason now is for Internet access. 
Some of the more popular uses of the Internet for home users are as follows:&lt;br /&gt;&lt;br /&gt;Access to remote information.&lt;br /&gt;&lt;br /&gt;Person-to-person communication.&lt;br /&gt;&lt;br /&gt;Interactive entertainment.&lt;br /&gt;&lt;br /&gt;Electronic commerce.&lt;br /&gt;&lt;br /&gt;Access to remote information comes in many forms. It can be surfing the World Wide Web for information or just for fun. Information available includes the arts, business, cooking, government, health, history, hobbies, recreation, science, sports, travel, and many others. Fun comes in too many ways to mention, plus some ways that are better left unmentioned.&lt;br /&gt;&lt;br /&gt;Many newspapers have gone on-line and can be personalized. For example, it is sometimes possible to tell a newspaper that you want everything about corrupt politicians, big fires, scandals involving celebrities, and epidemics, but no football, thank you. Sometimes it is even possible to have the selected articles downloaded to your hard disk while you sleep or printed on your printer just before breakfast. As this trend continues, it will cause massive unemployment among 12-year-old paperboys, but newspapers like it because distribution has always been the weakest link in the whole production chain.&lt;br /&gt;&lt;br /&gt;The next step beyond newspapers (plus magazines and scientific journals) is the on-line digital library. Many professional organizations, such as the ACM (www.acm.org) and the IEEE Computer Society (www.computer.org), already have many journals and conference proceedings on-line. Other groups are following rapidly. Depending on the cost, size, and weight of book-sized notebook computers, printed books may become obsolete. Skeptics should take note of the effect the printing press had on the medieval illuminated manuscript.&lt;br /&gt;&lt;br /&gt;All of the above applications involve interactions between a person and a remote database full of information. 
The second broad category of network use is person-to-person communication, basically the 21st century's answer to the 19th century's telephone. E-mail is already used on a daily basis by millions of people all over the world and its use is growing rapidly. It already routinely contains audio and video as well as text and pictures. Smell may take a while.&lt;br /&gt;&lt;br /&gt;Any teenager worth his or her salt is addicted to instant messaging. This facility, derived from the UNIX talk program in use since around 1970, allows two people to type messages at each other in real time. A multiperson version of this idea is the chat room, in which a group of people can type messages for all to see.&lt;br /&gt;&lt;br /&gt;Worldwide newsgroups, with discussions on every conceivable topic, are already commonplace among a select group of people, and this phenomenon will grow to include the population at large. These discussions, in which one person posts a message and all the other subscribers to the newsgroup can read it, run the gamut from humorous to impassioned. Unlike chat rooms, newsgroups are not real time and messages are saved so that when someone comes back from vacation, all messages that have been posted in the meanwhile are patiently waiting for reading.&lt;br /&gt;&lt;br /&gt;Another type of person-to-person communication often goes by the name of peer-to-peer communication, to distinguish it from the client-server model (Parameswaran et al., 2001). In this form, individuals who form a loose group can communicate with others in the group, as shown in Fig. 1-3. Every person can, in principle, communicate with one or more other people; there is no fixed division into clients and servers.&lt;br /&gt;&lt;br /&gt;Figure 1-3. 
In a peer-to-peer system there are no fixed clients and servers.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Peer-to-peer communication really hit the big time around 2000 with a service called Napster, which at its peak had over 50 million music fans swapping music, in what was probably the biggest copyright infringement in all of recorded history (Lam and Tan, 2001; and Macedonia, 2000). The idea was fairly simple. Members registered the music they had on their hard disks in a central database maintained on the Napster server. If a member wanted a song, he checked the database to see who had it and went directly there to get it. By not actually keeping any music on its machines, Napster argued that it was not infringing anyone's copyright. The courts did not agree and shut it down.&lt;br /&gt;&lt;br /&gt;However, the next generation of peer-to-peer systems eliminates the central database by having each user maintain his own database locally, as well as providing a list of other nearby people who are members of the system. A new user can then go to any existing member to see what he has and get a list of other members to inspect for more music and more names. This lookup process can be repeated indefinitely to build up a large local database of what is out there. It is an activity that would get tedious for people but is one at which computers excel.&lt;br /&gt;&lt;br /&gt;Legal applications for peer-to-peer communication also exist. For example, fans sharing public domain music or sample tracks that new bands have released for publicity purposes, families sharing photos, movies, and genealogical information, and teenagers playing multiperson on-line games. In fact, one of the most popular Internet applications of all, e-mail, is inherently peer-to-peer. This form of communication is expected to grow considerably in the future.&lt;br /&gt;&lt;br /&gt;Electronic crime is not restricted to copyright law. Another hot area is electronic gambling. 
Computers have been simulating things for decades. Why not simulate slot machines, roulette wheels, blackjack dealers, and more gambling equipment? Well, because it is illegal in a lot of places. The trouble is, gambling is legal in a lot of other places (England, for example) and casino owners there have grasped the potential for Internet gambling. What happens if the gambler and the casino are in different countries, with conflicting laws? Good question.&lt;br /&gt;&lt;br /&gt;Other communication-oriented applications include using the Internet to carry telephone calls, video phone, and Internet radio, three rapidly growing areas. Another application is telelearning, meaning attending 8 A.M. classes without the inconvenience of having to get out of bed first. In the long run, the use of networks to enhance human-to-human communication may prove more important than any of the others.&lt;br /&gt;&lt;br /&gt;Our third category is entertainment, which is a huge and growing industry. The killer application here (the one that may drive all the rest) is video on demand. A decade or so hence, it may be possible to select any movie or television program ever made, in any country, and have it displayed on your screen instantly. New films may become interactive, where the user is occasionally prompted for the story direction (should Macbeth murder Duncan or just bide his time?) with alternative scenarios provided for all cases. Live television may also become interactive, with the audience participating in quiz shows, choosing among contestants, and so on.&lt;br /&gt;&lt;br /&gt;On the other hand, maybe the killer application will not be video on demand. Maybe it will be game playing. Already we have multiperson real-time simulation games, like hide-and-seek in a virtual dungeon, and flight simulators with the players on one team trying to shoot down the players on the opposing team. 
If games are played with goggles and three-dimensional real-time, photographic-quality moving images, we have a kind of worldwide shared virtual reality.&lt;br /&gt;&lt;br /&gt;Our fourth category is electronic commerce in the broadest sense of the term. Home shopping is already popular and enables users to inspect the on-line catalogs of thousands of companies. Some of these catalogs will soon provide the ability to get an instant video on any product by just clicking on the product's name. After the customer buys a product electronically but cannot figure out how to use it, on-line technical support may be consulted.&lt;br /&gt;&lt;br /&gt;Another area in which e-commerce is already happening is access to financial institutions. Many people already pay their bills, manage their bank accounts, and handle their investments electronically. This will surely grow as networks become more secure.&lt;br /&gt;&lt;br /&gt;One area that virtually nobody foresaw is electronic flea markets (e-flea?). On-line auctions of second-hand goods have become a massive industry. Unlike traditional e-commerce, which follows the client-server model, on-line auctions are more of a peer-to-peer system, sort of consumer-to-consumer. Some of these forms of e-commerce have acquired cute little tags based on the fact that ''to'' and ''2'' are pronounced the same. The most popular ones are listed in Fig. 1-4.&lt;br /&gt;&lt;br /&gt;Figure 1-4. Some forms of e-commerce.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;No doubt the range of uses of computer networks will grow rapidly in the future, and probably in ways no one can now foresee. After all, how many people in 1990 predicted that teenagers tediously typing short text messages on mobile phones while riding buses would be an immense money maker for telephone companies in 10 years? 
But short message service is very profitable.&lt;br /&gt;&lt;br /&gt;Computer networks may become hugely important to people who are geographically challenged, giving them the same access to services as people living in the middle of a big city. Telelearning may radically affect education; universities may go national or international. Telemedicine is only now starting to catch on (e.g., remote patient monitoring) but may become much more important. But the killer application may be something mundane, like using the webcam in your refrigerator to see if you have to buy milk on the way home from work.&lt;br /&gt;&lt;br /&gt;1.1.3 Mobile Users&lt;br /&gt;Mobile computers, such as notebook computers and personal digital assistants (PDAs), are one of the fastest-growing segments of the computer industry. Many owners of these computers have desktop machines back at the office and want to be connected to their home base even when away from home or en route. Since having a wired connection is impossible in cars and airplanes, there is a lot of interest in wireless networks. In this section we will briefly look at some of the uses of wireless networks.&lt;br /&gt;&lt;br /&gt;Why would anyone want one? A common reason is the portable office. People on the road often want to use their portable electronic equipment to send and receive telephone calls, faxes, and electronic mail, surf the Web, access remote files, and log on to remote machines. And they want to do this from anywhere on land, sea, or air. For example, at computer conferences these days, the organizers often set up a wireless network in the conference area. Anyone with a notebook computer and a wireless modem can just turn the computer on and be connected to the Internet, as though the computer were plugged into a wired network. 
Similarly, some universities have installed wireless networks on campus so students can sit under the trees and consult the library's card catalog or read their e-mail.&lt;br /&gt;&lt;br /&gt;Wireless networks are of great value to fleets of trucks, taxis, delivery vehicles, and repairpersons for keeping in contact with home. For example, in many cities, taxi drivers are independent businessmen, rather than being employees of a taxi company. In some of these cities, the taxis have a display the driver can see. When a customer calls up, a central dispatcher types in the pickup and destination points. This information is displayed on the drivers' displays and a beep sounds. The first driver to hit a button on the display gets the call.&lt;br /&gt;&lt;br /&gt;Wireless networks are also important to the military. If you have to be able to fight a war anywhere on earth on short notice, counting on using the local networking infrastructure is probably not a good idea. It is better to bring your own.&lt;br /&gt;&lt;br /&gt;Although wireless networking and mobile computing are often related, they are not identical, as Fig. 1-5 shows. Here we see a distinction between fixed wireless and mobile wireless. Even notebook computers are sometimes wired. For example, if a traveler plugs a notebook computer into the telephone jack in a hotel room, he has mobility without a wireless network.&lt;br /&gt;&lt;br /&gt;Figure 1-5. Combinations of wireless networks and mobile computing.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;On the other hand, some wireless computers are not mobile. An important example is a company that owns an older building lacking network cabling, and which wants to connect its computers. Installing a wireless network may require little more than buying a small box with some electronics, unpacking it, and plugging it in. 
This solution may be far cheaper than having workmen put in cable ducts to wire the building.&lt;br /&gt;&lt;br /&gt;But of course, there are also the true mobile, wireless applications, ranging from the portable office to people walking around a store with a PDA doing inventory. At many busy airports, car rental return clerks work in the parking lot with wireless portable computers. They type in the license plate number of returning cars, and their portable, which has a built-in printer, calls the main computer, gets the rental information, and prints out the bill on the spot.&lt;br /&gt;&lt;br /&gt;As wireless technology becomes more widespread, numerous other applications are likely to emerge. Let us take a quick look at some of the possibilities. Wireless parking meters have advantages for both users and city governments. The meters could accept credit or debit cards with instant verification over the wireless link. When a meter expires, it could check for the presence of a car (by bouncing a signal off it) and report the expiration to the police. It has been estimated that city governments in the U.S. alone could collect an additional $10 billion this way (Harte et al., 2000). Furthermore, better parking enforcement would help the environment, as drivers who knew their illegal parking was sure to be caught might use public transport instead.&lt;br /&gt;&lt;br /&gt;Food, drink, and other vending machines are found everywhere. However, the food does not get into the machines by magic. Periodically, someone comes by with a truck to fill them. If the vending machines issued a wireless report once a day announcing their current inventories, the truck driver would know which machines needed servicing and how much of which product to bring. This information could lead to more efficient route planning. 
Of course, this information could be sent over a standard telephone line as well, but giving every vending machine a fixed telephone connection for one call a day is expensive on account of the fixed monthly charge.&lt;br /&gt;&lt;br /&gt;Another area in which wireless could save money is utility meter reading. If electricity, gas, water, and other meters in people's homes were to report usage over a wireless network, there would be no need to send out meter readers. Similarly, wireless smoke detectors could call the fire department instead of making a big noise (which has little value if no one is home). As the cost of both the radio devices and the air time drops, more and more measurement and reporting will be done with wireless networks.&lt;br /&gt;&lt;br /&gt;A whole different application area for wireless networks is the expected merger of cell phones and PDAs into tiny wireless computers. A first attempt was tiny wireless PDAs that could display stripped-down Web pages on their even tinier screens. This system, called WAP 1.0 (Wireless Application Protocol) failed, mostly due to the microscopic screens, low bandwidth, and poor service. But newer devices and services will be better with WAP 2.0.&lt;br /&gt;&lt;br /&gt;One area in which these devices may excel is called m-commerce (mobile-commerce) (Senn, 2000). The driving force behind this phenomenon consists of an amalgam of wireless PDA manufacturers and network operators who are trying hard to figure out how to get a piece of the e-commerce pie. One of their hopes is to use wireless PDAs for banking and shopping. One idea is to use the wireless PDAs as a kind of electronic wallet, authorizing payments in stores, as a replacement for cash and credit cards. The charge then appears on the mobile phone bill. From the store's point of view, this scheme may save them most of the credit card company's fee, which can be several percent. 
Of course, this plan may backfire, since customers in a store might use their PDAs to check out competitors' prices before buying. Worse yet, telephone companies might offer PDAs with bar code readers that allow a customer to scan a product in a store and then instantaneously get a detailed report on where else it can be purchased and at what price.&lt;br /&gt;&lt;br /&gt;Since the network operator knows where the user is, some services are intentionally location dependent. For example, it may be possible to ask for a nearby bookstore or Chinese restaurant. Mobile maps are another candidate. So are very local weather forecasts (''When is it going to stop raining in my backyard?''). No doubt many other applications appear as these devices become more widespread.&lt;br /&gt;&lt;br /&gt;One huge thing that m-commerce has going for it is that mobile phone users are accustomed to paying for everything (in contrast to Internet users, who expect everything to be free). If an Internet Web site charged a fee to allow its customers to pay by credit card, there would be an immense howling noise from the users. If a mobile phone operator allowed people to pay for items in a store by using the phone and then tacked on a fee for this convenience, it would probably be accepted as normal. Time will tell.&lt;br /&gt;&lt;br /&gt;A little further out in time are personal area networks and wearable computers. IBM has developed a watch that runs Linux (including the X11 windowing system) and has wireless connectivity to the Internet for sending and receiving e-mail (Narayanaswami et al., 2002). In the future, people may exchange business cards just by exposing their watches to each other. Wearable wireless computers may give people access to secure rooms the same way magnetic stripe cards do now (possibly in combination with a PIN code or biometric measurement). These watches may also be able to retrieve information relevant to the user's current location (e.g., local restaurants). 
The possibilities are endless.&lt;br /&gt;&lt;br /&gt;Smart watches with radios have been part of our mental space since their appearance in the Dick Tracy comic strip in 1946. But smart dust? Researchers at Berkeley have packed a wireless computer into a cube 1 mm on edge (Warneke et al., 2001). Potential applications include tracking inventory, packages, and even small birds, rodents, and insects.&lt;br /&gt;&lt;br /&gt;1.1.4 Social Issues&lt;br /&gt;The widespread introduction of networking has introduced new social, ethical, and political problems. Let us just briefly mention a few of them; a thorough study would require a full book, at least. A popular feature of many networks is newsgroups or bulletin boards whereby people can exchange messages with like-minded individuals. As long as the subjects are restricted to technical topics or hobbies like gardening, not too many problems will arise.&lt;br /&gt;&lt;br /&gt;The trouble comes when newsgroups are set up on topics that people actually care about, like politics, religion, or sex. Views posted to such groups may be deeply offensive to some people. Worse yet, they may not be politically correct. Furthermore, messages need not be limited to text. High-resolution color photographs and even short video clips can now easily be transmitted over computer networks. Some people take a live-and-let-live view, but others feel that posting certain material (e.g., attacks on particular countries or religions, pornography, etc.) is simply unacceptable and must be censored. Different countries have different and conflicting laws in this area. Thus, the debate rages.&lt;br /&gt;&lt;br /&gt;People have sued network operators, claiming that they are responsible for the contents of what they carry, just as newspapers and magazines are. The inevitable response is that a network is like a telephone company or the post office and cannot be expected to police what its users say. 
Stronger yet, were network operators to censor messages, they would likely delete everything containing even the slightest possibility of them being sued, and thus violate their users' rights to free speech. It is probably safe to say that this debate will go on for a while.&lt;br /&gt;&lt;br /&gt;Another fun area is employee rights versus employer rights. Many people read and write e-mail at work. Many employers have claimed the right to read and possibly censor employee messages, including messages sent from a home computer after work. Not all employees agree with this.&lt;br /&gt;&lt;br /&gt;Even if employers have power over employees, does this relationship also govern universities and students? How about high schools and students? In 1994, Carnegie-Mellon University decided to turn off the incoming message stream for several newsgroups dealing with sex because the university felt the material was inappropriate for minors (i.e., those few students under 18). The fallout from this event took years to settle.&lt;br /&gt;&lt;br /&gt;Another key topic is government versus citizen. The FBI has installed a system at many Internet service providers to snoop on all incoming and outgoing e-mail for nuggets of interest to it (Blaze and Bellovin, 2000; Sobel, 2001; and Zacks, 2001). The system was originally called Carnivore but bad publicity caused it to be renamed to the more innocent-sounding DCS1000. But its goal is still to spy on millions of people in the hope of finding information about illegal activities. Unfortunately, the Fourth Amendment to the U.S. Constitution prohibits government searches without a search warrant. Whether these 54 words, written in the 18th century, still carry any weight in the 21st century is a matter that may keep the courts busy until the 22nd century.&lt;br /&gt;&lt;br /&gt;The government does not have a monopoly on threatening people's privacy. The private sector does its bit too. 
For example, small files called cookies that Web browsers store on users' computers allow companies to track users' activities in cyberspace and also may allow credit card numbers, social security numbers, and other confidential information to leak all over the Internet (Berghel, 2001).&lt;br /&gt;&lt;br /&gt;Computer networks offer the potential for sending anonymous messages. In some situations, this capability may be desirable. For example, it provides a way for students, soldiers, employees, and citizens to blow the whistle on illegal behavior on the part of professors, officers, superiors, and politicians without fear of reprisals. On the other hand, in the United States and most other democracies, the law specifically permits an accused person the right to confront and challenge his accuser in court. Anonymous accusations cannot be used as evidence.&lt;br /&gt;&lt;br /&gt;In short, computer networks, like the printing press 500 years ago, allow ordinary citizens to distribute their views in different ways and to different audiences than were previously possible. This new-found freedom brings with it many unsolved social, political, and moral issues.&lt;br /&gt;&lt;br /&gt;Along with the good comes the bad. Life seems to be like that. The Internet makes it possible to find information quickly, but a lot of it is ill-informed, misleading, or downright wrong. The medical advice you plucked from the Internet may have come from a Nobel Prize winner or from a high school dropout. Computer networks have also introduced new kinds of antisocial and criminal behavior. Electronic junk mail (spam) has become a part of life because people have collected millions of e-mail addresses and sell them on CD-ROMs to would-be marketeers. 
E-mail messages containing active content (basically programs or macros that execute on the receiver's machine) can contain viruses that wreak havoc.&lt;br /&gt;&lt;br /&gt;Identity theft is becoming a serious problem as thieves collect enough information about a victim to obtain credit cards and other documents in the victim's name. Finally, being able to transmit music and video digitally has opened the door to massive copyright violations that are hard to catch and enforce.&lt;br /&gt;&lt;br /&gt;A lot of these problems could be solved if the computer industry took computer security seriously. If all messages were encrypted and authenticated, it would be harder to commit mischief. This technology is well established and we will study it in detail in Chap. 8. The problem is that hardware and software vendors know that putting in security features costs money and their customers are not demanding such features. In addition, a substantial number of the problems are caused by buggy software, which occurs because vendors keep adding more and more features to their programs, which inevitably means more code and thus more bugs. A tax on new features might help, but that is probably a tough sell in some quarters. 
A refund for defective software might be nice, except it would bankrupt the entire software industry in the first year.</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/1070462170428975399/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/11/uses-of-computer-networks.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/1070462170428975399'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/1070462170428975399'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/11/uses-of-computer-networks.html' title='Uses of Computer Networks'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-6876786378819905046</id><published>2008-10-29T00:28:00.000-07:00</published><updated>2008-10-29T00:40:27.914-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Cryptography</title><content type='html'>Cryptography&lt;br /&gt;Cryptography comes from the Greek words for ''secret writing.'' It has a long and colorful history going back thousands of years. In this section we will just sketch some of the highlights, as background information for what follows. 
For a complete history of cryptography, Kahn's (1995) book is recommended reading. For a comprehensive treatment of the current state-of-the-art in security and cryptographic algorithms, protocols, and applications, see (Kaufman et al., 2002). For a more mathematical approach, see (Stinson, 2002). For a less mathematical approach, see (Burnett and Paine, 2001).&lt;br /&gt;Professionals make a distinction between ciphers and codes. A cipher is a character-for-character or bit-for-bit transformation, without regard to the linguistic structure of the message. In contrast, a code replaces one word with another word or symbol. Codes are not used any more, although they have a glorious history. The most successful code ever devised was used by the U.S. armed forces during World War II in the Pacific. They simply had Navajo Indians talking to each other using specific Navajo words for military terms, for example chay-dagahi-nail-tsaidi (literally: tortoise killer) for antitank weapon. The Navajo language is highly tonal, exceedingly complex, and has no written form. And not a single person in Japan knew anything about it.&lt;br /&gt;In September 1945, the San Diego Union described the code by saying ''For three years, wherever the Marines landed, the Japanese got an earful of strange gurgling noises interspersed with other sounds resembling the call of a Tibetan monk and the sound of a hot water bottle being emptied.'' The Japanese never broke the code and many Navajo code talkers were awarded high military honors for extraordinary service and bravery. The fact that the U.S. broke the Japanese code but the Japanese never broke the Navajo code played a crucial role in the American victories in the Pacific.&lt;a name="ch08lev2sec1"&gt;&lt;/a&gt;&lt;br /&gt;Introduction to Cryptography&lt;br /&gt;Historically, four groups of people have used and contributed to the art of cryptography: the military, the diplomatic corps, diarists, and lovers. 
Of these, the military has had the most important role and has shaped the field over the centuries. Within military organizations, the messages to be encrypted have traditionally been given to poorly-paid, low-level code clerks for encryption and transmission. The sheer volume of messages prevented this work from being done by a few elite specialists.&lt;br /&gt;Until the advent of computers, one of the main constraints on cryptography had been the ability of the code clerk to perform the necessary transformations, often on a battlefield with little equipment. An additional constraint has been the difficulty in switching over quickly from one cryptographic method to another one, since this entails retraining a large number of people. However, the danger of a code clerk being captured by the enemy has made it essential to be able to change the cryptographic method instantly if need be. These conflicting requirements have given rise to the model of &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig02"&gt;Fig. 8-2&lt;/a&gt;.&lt;br /&gt;&lt;a name="ch08fig02"&gt;&lt;/a&gt;Figure 8-2. The encryption model (for a symmetric-key cipher).&lt;br /&gt;The messages to be encrypted, known as the plaintext, are transformed by a function that is parameterized by a key. The output of the encryption process, known as the ciphertext, is then transmitted, often by messenger or radio. We assume that the enemy, or intruder, hears and accurately copies down the complete ciphertext. However, unlike the intended recipient, he does not know what the decryption key is and so cannot decrypt the ciphertext easily. Sometimes the intruder can not only listen to the communication channel (passive intruder) but can also record messages and play them back later, inject his own messages, or modify legitimate messages before they get to the receiver (active intruder). 
The art of breaking ciphers, called cryptanalysis, and the art of devising them (cryptography) is collectively known as cryptology.&lt;br /&gt;It will often be useful to have a notation for relating plaintext, ciphertext, and keys. We will use C = E&lt;sub&gt;K&lt;/sub&gt;(P) to mean that the encryption of the plaintext P using key K gives the ciphertext C. Similarly, P = D&lt;sub&gt;K&lt;/sub&gt;(C) represents the decryption of C to get the plaintext again. It then follows that&lt;br /&gt;This notation suggests that E and D are just mathematical functions, which they are. The only tricky part is that both are functions of two parameters, and we have written one of the parameters (the key) as a subscript, rather than as an argument, to distinguish it from the message.&lt;br /&gt;A fundamental rule of cryptography is that one must assume that the cryptanalyst knows the methods used for encryption and decryption. In other words, the cryptanalyst knows how the encryption method, E, and decryption, D, of &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig02"&gt;Fig. 8-2&lt;/a&gt; work in detail. The amount of effort necessary to invent, test, and install a new algorithm every time the old method is compromised (or thought to be compromised) has always made it impractical to keep the encryption algorithm secret. Thinking it is secret when it is not does more harm than good.&lt;br /&gt;This is where the key enters. The key consists of a (relatively) short string that selects one of many potential encryptions. In contrast to the general method, which may only be changed every few years, the key can be changed as often as required. Thus, our basic model is a stable and publicly-known general method parameterized by a secret and easily changed key. The idea that the cryptanalyst knows the algorithms and that the secrecy lies exclusively in the keys is called Kerckhoff's principle, named after the Flemish military cryptographer Auguste Kerckhoff who first stated it in 1883 (Kerckhoff, 1883). 
Thus, we have:&lt;br /&gt;Kerckhoff's principle: All algorithms must be public; only the keys are secret&lt;br /&gt;The nonsecrecy of the algorithm cannot be emphasized enough. Trying to keep the algorithm secret, known in the trade as security by obscurity, never works. Also, by publicizing the algorithm, the cryptographer gets free consulting from a large number of academic cryptologists eager to break the system so they can publish papers demonstrating how smart they are. If many experts have tried to break the algorithm for 5 years after its publication and no one has succeeded, it is probably pretty solid.&lt;br /&gt;Since the real secrecy is in the key, its length is a major design issue. Consider a simple combination lock. The general principle is that you enter digits in sequence. Everyone knows this, but the key is secret. A key length of two digits means that there are 100 possibilities. A key length of three digits means 1000 possibilities, and a key length of six digits means a million. The longer the key, the higher the work factor the cryptanalyst has to deal with. The work factor for breaking the system by exhaustive search of the key space is exponential in the key length. Secrecy comes from having a strong (but public) algorithm and a long key. To prevent your kid brother from reading your e-mail, 64-bit keys will do. For routine commercial use, at least 128 bits should be used. To keep major governments at bay, keys of at least 256 bits, preferably more, are needed.&lt;br /&gt;From the cryptanalyst's point of view, the cryptanalysis problem has three principal variations. When he has a quantity of ciphertext and no plaintext, he is confronted with the ciphertext-only problem. The cryptograms that appear in the puzzle section of newspapers pose this kind of problem. When the cryptanalyst has some matched ciphertext and plaintext, the problem is called the known plaintext problem. 
Finally, when the cryptanalyst has the ability to encrypt pieces of plaintext of his own choosing, we have the chosen plaintext problem. Newspaper cryptograms could be broken trivially if the cryptanalyst were allowed to ask such questions as: What is the encryption of ABCDEFGHIJKL?&lt;br /&gt;Novices in the cryptography business often assume that if a cipher can withstand a ciphertext-only attack, it is secure. This assumption is very naive. In many cases the cryptanalyst can make a good guess at parts of the plaintext. For example, the first thing many computers say when you call them up is login: . Equipped with some matched plaintext-ciphertext pairs, the cryptanalyst's job becomes much easier. To achieve security, the cryptographer should be conservative and make sure that the system is unbreakable even if his opponent can encrypt arbitrary amounts of chosen plaintext.&lt;br /&gt;Encryption methods have historically been divided into two categories: substitution ciphers and transposition ciphers. We will now deal with each of these briefly as background information for modern cryptography.&lt;a name="ch08lev2sec2"&gt;&lt;/a&gt;&lt;br /&gt;2 Substitution Ciphers&lt;br /&gt;In a substitution cipher each letter or group of letters is replaced by another letter or group of letters to disguise it. One of the oldest known ciphers is the Caesar cipher, attributed to Julius Caesar. In this method, a becomes D, b becomes E, c becomes F, ... , and z becomes C. For example, attack becomes DWWDFN. In examples, plaintext will be given in lower case letters, and ciphertext in upper case letters.&lt;br /&gt;A slight generalization of the Caesar cipher allows the ciphertext alphabet to be shifted by k letters, instead of always 3. In this case k becomes a key to the general method of circularly shifted alphabets. 
The Caesar cipher may have fooled Pompey, but it has not fooled anyone since.&lt;br /&gt;The next improvement is to have each of the symbols in the plaintext, say, the 26 letters for simplicity, map onto some other letter. For example,&lt;br /&gt;plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z&lt;br /&gt;ciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M&lt;br /&gt;The general system of symbol-for-symbol substitution is called a monoalphabetic substitution, with the key being the 26-letter string corresponding to the full alphabet. For the key above, the plaintext attack would be transformed into the ciphertext QZZQEA.&lt;br /&gt;At first glance this might appear to be a safe system because although the cryptanalyst knows the general system (letter-for-letter substitution), he does not know which of the 26! ≈ 4 x 10&lt;sup&gt;26&lt;/sup&gt; possible keys is in use. In contrast with the Caesar cipher, trying all of them is not a promising approach. Even at 1 nsec per solution, a computer would take 10&lt;sup&gt;10&lt;/sup&gt; years to try all the keys.&lt;br /&gt;Nevertheless, given a surprisingly small amount of ciphertext, the cipher can be broken easily. The basic attack takes advantage of the statistical properties of natural languages. In English, for example, e is the most common letter, followed by t, o, a, n, i, etc. The most common two-letter combinations, or digrams, are th, in, er, re, and an. The most common three-letter combinations, or trigrams, are the, ing, and, and ion.&lt;br /&gt;A cryptanalyst trying to break a monoalphabetic cipher would start out by counting the relative frequencies of all letters in the ciphertext. Then he might tentatively assign the most common one to e and the next most common one to t. He would then look at trigrams to find a common one of the form tXe, which strongly suggests that X is h. Similarly, if the pattern thYt occurs frequently, the Y probably stands for a. 
With this information, he can look for a frequently occurring trigram of the form aZW, which is most likely and. By making guesses at common letters, digrams, and trigrams and knowing about likely patterns of vowels and consonants, the cryptanalyst builds up a tentative plaintext, letter by letter.&lt;br /&gt;Another approach is to guess a probable word or phrase. For example, consider the following ciphertext from an accounting firm (blocked into groups of five characters):&lt;br /&gt;CTBMN BYCTC BTJDS QXBNS GSTJC BTSWX CTQTZ CQVUJ&lt;br /&gt;QJSGS TJQZZ MNQJS VLNSX VSZJU JDSTS JQUUS JUBXJ&lt;br /&gt;DSKSU JSNTK BGAQJ ZBGYQ TLCTZ BNYBN QJSW&lt;br /&gt;A likely word in a message from an accounting firm is financial. Using our knowledge that financial has a repeated letter (i), with four other letters between their occurrences, we look for repeated letters in the ciphertext at this spacing. We find 12 hits, at positions 6, 15, 27, 31, 42, 48, 56, 66, 70, 71, 76, and 82. However, only two of these, 31 and 42, have the next letter (corresponding to n in the plaintext) repeated in the proper place. Of these two, only 31 also has the a correctly positioned, so we know that financial begins at position 30. From this point on, deducing the key is easy by using the frequency statistics for English text.&lt;a name="ch08lev2sec3"&gt;&lt;/a&gt;&lt;br /&gt;3 Transposition Ciphers&lt;br /&gt;Substitution ciphers preserve the order of the plaintext symbols but disguise them. Transposition ciphers, in contrast, reorder the letters but do not disguise them. &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig03"&gt;Figure 8-3&lt;/a&gt; depicts a common transposition cipher, the columnar transposition. The cipher is keyed by a word or phrase not containing any repeated letters. In this example, MEGABUCK is the key. The purpose of the key is to number the columns, column 1 being under the key letter closest to the start of the alphabet, and so on. 
The plaintext is written horizontally, in rows, padded to fill the matrix if need be. The ciphertext is read out by columns, starting with the column whose key letter is the lowest.&lt;br /&gt;&lt;a name="ch08fig03"&gt;&lt;/a&gt;Figure 8-3. A transposition cipher.&lt;br /&gt;To break a transposition cipher, the cryptanalyst must first be aware that he is dealing with a transposition cipher. By looking at the frequency of E, T, A, O, I, N, etc., it is easy to see if they fit the normal pattern for plaintext. If so, the cipher is clearly a transposition cipher, because in such a cipher every letter represents itself, keeping the frequency distribution intact.&lt;br /&gt;The next step is to make a guess at the number of columns. In many cases a probable word or phrase may be guessed at from the context. For example, suppose that our cryptanalyst suspects that the plaintext phrase milliondollars occurs somewhere in the message. Observe that digrams MO, IL, LL, LA, IR and OS occur in the ciphertext as a result of this phrase wrapping around. The ciphertext letter O follows the ciphertext letter M (i.e., they are vertically adjacent in column 4) because they are separated in the probable phrase by a distance equal to the key length. If a key of length seven had been used, the digrams MD, IO, LL, LL, IA, OR, and NS would have occurred instead. In fact, for each key length, a different set of digrams is produced in the ciphertext. By hunting for the various possibilities, the cryptanalyst can often easily determine the key length.&lt;br /&gt;The remaining step is to order the columns. When the number of columns, k, is small, each of the k(k - 1) column pairs can be examined to see if its digram frequencies match those for English plaintext. The pair with the best match is assumed to be correctly positioned. Now each remaining column is tentatively tried as the successor to this pair. 
The column whose digram and trigram frequencies give the best match is tentatively assumed to be correct. The predecessor column is found in the same way. The entire process is continued until a potential ordering is found. Chances are that the plaintext will be recognizable at this point (e.g., if milloin occurs, it is clear what the error is).&lt;br /&gt;Some transposition ciphers accept a fixed-length block of input and produce a fixed-length block of output. These ciphers can be completely described by giving a list telling the order in which the characters are to be output. For example, the cipher of &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig03"&gt;Fig. 8-3&lt;/a&gt; can be seen as a 64 character block cipher. Its output is 4, 12, 20, 28, 36, 44, 52, 60, 5, 13 , ... , 62. In other words, the fourth input character, a, is the first to be output, followed by the twelfth, f, and so on.&lt;a name="ch08lev2sec4"&gt;&lt;/a&gt;&lt;br /&gt;4 One-Time Pads&lt;br /&gt;Constructing an unbreakable cipher is actually quite easy; the technique has been known for decades. First choose a random bit string as the key. Then convert the plaintext into a bit string, for example by using its ASCII representation. Finally, compute the XOR (eXclusive OR) of these two strings, bit by bit. The resulting ciphertext cannot be broken, because in a sufficiently large sample of ciphertext, each letter will occur equally often, as will every digram, every trigram, and so on. This method, known as the one-time pad, is immune to all present and future attacks no matter how much computational power the intruder has. The reason derives from information theory: there is simply no information in the message because all possible plaintexts of the given length are equally likely.&lt;br /&gt;An example of how one-time pads are used is given in &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig04"&gt;Fig. 8-4&lt;/a&gt;. 
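The columnar transposition of the transposition-cipher section above, together with the key-length test based on a probable phrase, as an added Python example that is not code from the original post or from the chapter it quotes. The key MEGABUCK, the phrase milliondollars and the read-out order 4, 12, 20, ... are from the text; the sample plaintext, the padding character x and the function names are my own assumptions.

```python
"""Columnar transposition keyed by MEGABUCK, and the key-length test
described in the text. Added example, not from the original post or the
chapter it quotes. The key, the phrase "milliondollars" and the read-out
order are from the page; the plaintext and function names are my own.
"""
from collections import Counter

# Constructed plaintext (not the book's) containing the probable phrase.
SAMPLE_PLAINTEXT = "pleasewiremilliondollarstothebankbeforefriday"


def column_order(key):
    """0-based column indices in read-out order: the column under the
    alphabetically earliest key letter first. Repeated letters would make
    the order ambiguous, which is why the text forbids them."""
    if len(set(key)) != len(key):
        raise ValueError("transposition key must not repeat a letter")
    return sorted(range(len(key)), key=lambda i: key[i])


def permutation(key, block_len):
    """1-based input positions in output order for one block of block_len.
    For MEGABUCK and 64 characters this is 4, 12, 20, ..., 60, 5, 13, ...
    ending in 62, matching the block-cipher view in the text."""
    width = len(key)
    if block_len % width:
        raise ValueError("block length must be a multiple of the key length")
    rows = block_len // width
    return [r * width + c + 1 for c in column_order(key) for r in range(rows)]


def encrypt(plaintext, key, pad="x"):
    """Write rows of len(key) letters, pad the last row, read by columns."""
    width = len(key)
    if len(plaintext) % width:
        plaintext += pad * (width - len(plaintext) % width)
    perm = permutation(key, len(plaintext))
    return "".join(plaintext[p - 1] for p in perm).upper()


def decrypt(ciphertext, key):
    """Put each ciphertext letter back at the input position it came from."""
    out = [""] * len(ciphertext)
    for out_index, p in enumerate(permutation(key, len(ciphertext))):
        out[p - 1] = ciphertext[out_index]
    return "".join(out).lower()


def preserves_letter_counts(plaintext, ciphertext):
    """The recognition test from the text: a transposition leaves the
    letter frequency distribution of the plaintext intact."""
    return Counter(plaintext.upper()) == Counter(ciphertext.upper())


def wraparound_digrams(phrase, key_length):
    """Ciphertext digrams a probable phrase forces for a given key length:
    letters key_length apart in the plaintext sit one above the other in a
    column and so come out adjacent when that column is read."""
    return [(phrase[i] + phrase[i + key_length]).upper()
            for i in range(len(phrase) - key_length)]


def likely_key_lengths(ciphertext, phrase, candidates):
    """Key lengths whose forced digrams all occur in the ciphertext."""
    present = {ciphertext[i:i + 2] for i in range(len(ciphertext) - 1)}
    return [k for k in candidates
            if all(d in present for d in wraparound_digrams(phrase, k))]


if __name__ == "__main__":
    ct = encrypt(SAMPLE_PLAINTEXT, "MEGABUCK")
    print(ct)
    print(decrypt(ct, "MEGABUCK"))
    print(wraparound_digrams("milliondollars", 8))
    print(likely_key_lengths(ct, "milliondollars", range(5, 12)))
```

For key length 8 the forced digrams are MO, IL, LL, LA, IR, OS and for length 7 they are MD, IO, LL, LL, IA, OR, NS, exactly as the text lists them.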
First, message 1, ''I love you.'' is converted to 7-bit ASCII. Then a one-time pad, pad 1, is chosen and XORed with the message to get the ciphertext. A cryptanalyst could try all possible one-time pads to see what plaintext came out for each one. For example, the one-time pad listed as pad 2 in the figure could be tried, resulting in plaintext 2, ''Elvis lives'', which may or may not be plausible (a subject beyond the scope of this book). In fact, for every 11-character ASCII plaintext, there is a one-time pad that generates it. That is what we mean by saying there is no information in the ciphertext: you can get any message of the correct length out of it.&lt;br /&gt;&lt;a name="ch08fig04"&gt;&lt;/a&gt;Figure 8-4. The use of a one-time pad for encryption and the possibility of getting any possible plaintext from the ciphertext by the use of some other pad.&lt;br /&gt;One-time pads are great in theory but have a number of disadvantages in practice. To start with, the key cannot be memorized, so both sender and receiver must carry a written copy with them. If either one is subject to capture, written keys are clearly undesirable. Additionally, the total amount of data that can be transmitted is limited by the amount of key available. If the spy strikes it rich and discovers a wealth of data, he may find himself unable to transmit it back to headquarters because the key has been used up. Another problem is the sensitivity of the method to lost or inserted characters. If the sender and receiver get out of synchronization, all data from then on will appear garbled.&lt;br /&gt;With the advent of computers, the one-time pad might potentially become practical for some applications. The source of the key could be a special DVD that contains several gigabytes of information and if transported in a DVD movie box and prefixed by a few minutes of video, would not even be suspicious. 
Of course, at gigabit network speeds, having to insert a new DVD every 30 sec could become tedious. And the DVDs must be personally carried from the sender to the receiver before any messages can be sent, which greatly reduces their practical utility.&lt;a name="ch08lev3sec1"&gt;&lt;/a&gt;&lt;br /&gt;Quantum Cryptography&lt;br /&gt;Interestingly, there may be a solution to the problem of how to transmit the one-time pad over the network, and it comes from a very unlikely source: quantum mechanics. This area is still experimental, but initial tests are promising. If it can be perfected and be made efficient, virtually all cryptography will eventually be done using one-time pads since they are provably secure. Below we will briefly explain how this method, quantum cryptography, works. In particular, we will describe a protocol called BB84 after its authors and publication year (Bennett and Brassard, 1984).&lt;br /&gt;A user, Alice, wants to establish a one-time pad with a second user, Bob. Alice and Bob are called principals, the main characters in our story. For example, Bob is a banker with whom Alice would like to do business. The names ''Alice'' and ''Bob'' have been used for the principals in virtually every paper and book on cryptography in the past decade. Cryptographers love tradition. If we were to use ''Andy'' and ''Barbara'' as the principals, no one would believe anything in this chapter. So be it.&lt;br /&gt;If Alice and Bob could establish a one-time pad, they could use it to communicate securely. The question is: How can they establish it without previously exchanging DVDs? We can assume that Alice and Bob are at opposite ends of an optical fiber over which they can send and receive light pulses. However, an intrepid intruder, Trudy, can cut the fiber to splice in an active tap. Trudy can read all the bits in both directions. She can also send false messages in both directions. 
The situation might seem hopeless for Alice and Bob, but quantum cryptography can shed some new light on the subject.&lt;br /&gt;Quantum cryptography is based on the fact that light comes in little packets called photons, which have some peculiar properties. Furthermore, light can be polarized by being passed through a polarizing filter, a fact well known to both sunglasses wearers and photographers. If a beam of light (i.e., a stream of photons) is passed through a polarizing filter, all the photons emerging from it will be polarized in the direction of the filter's axis (e.g., vertical). If the beam is now passed through a second polarizing filter, the intensity of the light emerging from the second filter is proportional to the square of the cosine of the angle between the axes. If the two axes are perpendicular, no photons get through. The absolute orientation of the two filters does not matter; only the angle between their axes counts.&lt;br /&gt;To generate a one-time pad, Alice needs two sets of polarizing filters. Set one consists of a vertical filter and a horizontal filter. This choice is called a rectilinear basis. A basis (plural: bases) is just a coordinate system. The second set of filters is the same, except rotated 45 degrees, so one filter runs from the lower left to the upper right and the other filter runs from the upper left to the lower right. This choice is called a diagonal basis. Thus, Alice has two bases, which she can rapidly insert into her beam at will. In reality, Alice does not have four separate filters, but a crystal whose polarization can be switched electrically to any of the four allowed directions at great speed. Bob has the same equipment as Alice. The fact that Alice and Bob each have two bases available is essential to quantum cryptography.&lt;br /&gt;For each basis, Alice now assigns one direction as 0 and the other as 1. In the example presented below, we assume she chooses vertical to be 0 and horizontal to be 1. 
Independently, she also chooses lower left to upper right as 0 and upper left to lower right as 1. She sends these choices to Bob as plaintext.&lt;br /&gt;Now Alice picks a one-time pad, for example based on a random number generator (a complex subject all by itself). She transfers it bit by bit to Bob, choosing one of her two bases at random for each bit. To send a bit, her photon gun emits one photon polarized appropriately for the basis she is using for that bit. For example, she might choose bases of diagonal, rectilinear, rectilinear, diagonal, rectilinear, etc. To send her one-time pad of 1001110010100110 with these bases, she would send the photons shown in &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig05"&gt;Fig. 8-5(a)&lt;/a&gt;. Given the one-time pad and the sequence of bases, the polarization to use for each bit is uniquely determined. Bits sent one photon at a time are called qubits.&lt;br /&gt;&lt;a name="ch08fig05"&gt;&lt;/a&gt;Figure 8-5. An example of quantum cryptography.&lt;br /&gt;Bob does not know which bases to use, so he picks one at random for each arriving photon and just uses it, as shown in &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig05"&gt;Fig. 8-5(b)&lt;/a&gt;. If he picks the correct basis, he gets the correct bit. If he picks the incorrect basis, he gets a random bit because if a photon hits a filter polarized at 45 degrees to its own polarization, it randomly jumps to the polarization of the filter or to a polarization perpendicular to the filter with equal probability. This property of photons is fundamental to quantum mechanics. Thus, some of the bits are correct and some are random, but Bob does not know which are which. Bob's results are depicted in &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig05"&gt;Fig. 8-5(c)&lt;/a&gt;.&lt;br /&gt;How does Bob find out which bases he got right and which he got wrong? 
He simply tells Alice which basis he used for each bit in plaintext and she tells him which are right and which are wrong in plaintext, as shown in &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig05"&gt;Fig. 8-5(d)&lt;/a&gt;. From this information both of them can build a bit string from the correct guesses, as shown in &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig05"&gt;Fig. 8-5(e)&lt;/a&gt;. On the average, this bit string will be half the length of the original bit string, but since both parties know it, they can use it as a one-time pad. All Alice has to do is transmit a bit string slightly more than twice the desired length and she and Bob have a one-time pad of the desired length. Problem solved.&lt;br /&gt;But wait a minute. We forgot Trudy. Suppose that she is curious about what Alice has to say and cuts the fiber, inserting her own detector and transmitter. Unfortunately for her, she does not know which basis to use for each photon either. The best she can do is pick one at random for each photon, just as Bob does. An example of her choices is shown in &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig05"&gt;Fig. 8-5(f)&lt;/a&gt;. When Bob later reports (in plaintext) which bases he used and Alice tells him (in plaintext) which ones are correct, Trudy now knows when she got it right and when she got it wrong. In &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig05"&gt;Fig. 8-5&lt;/a&gt; she got it right for bits 0, 1, 2, 3, 4, 6, 8, 12, and 13. But she knows from Alice's reply in &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig05"&gt;Fig. 8-5(d)&lt;/a&gt; that only bits 1, 3, 7, 8, 10, 11, 12, and 14 are part of the one-time pad. For four of these bits (1, 3, 8, and 12), she guessed right and captured the correct bit. For the other four (7, 10, 11, and 14) she guessed wrong and does not know the bit transmitted. 
Thus, Bob knows the one-time pad starts with 01011001, from &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig05"&gt;Fig. 8-5(e)&lt;/a&gt; but all Trudy has is 01?1??0?, from &lt;a class="docLink" href="http://ebook/0130661023_ch08lev1sec1.html#ch08fig05"&gt;Fig. 8-5(g)&lt;/a&gt;.&lt;br /&gt;Of course, Alice and Bob are aware that Trudy may have captured part of their one-time pad, so they would like to reduce the information Trudy has. They can do this by performing a transformation on it. For example, they could divide the one-time pad into blocks of 1024 bits and square each one to form a 2048-bit number and use the concatenation of these 2048-bit numbers as the one-time pad. With her partial knowledge of the bit string transmitted, Trudy has no way to generate its square and so has nothing. The transformation from the original one-time pad to a different one that reduces Trudy's knowledge is called privacy amplification. In practice, complex transformations in which every output bit depends on every input bit are used instead of squaring.&lt;br /&gt;Poor Trudy. Not only does she have no idea what the one-time pad is, but her presence is not a secret either. After all, she must relay each received bit to Bob to trick him into thinking he is talking to Alice. The trouble is, the best she can do is transmit the qubit she received, using the polarization she used to receive it, and about half the time she will be wrong, causing many errors in Bob's one-time pad.&lt;br /&gt;When Alice finally starts sending data, she encodes it using a heavy forward-error-correcting code. From Bob's point of view, a 1-bit error in the one-time pad is the same as a 1-bit transmission error. Either way, he gets the wrong bit. If there is enough forward error correction, he can recover the original message despite all the errors, but he can easily count how many errors were corrected. 
If this number is far more than the expected error rate of the equipment, he knows that Trudy has tapped the line and can act accordingly (e.g., tell Alice to switch to a radio channel, call the police, etc.). If Trudy had a way to clone a photon so she had one photon to inspect and an identical photon to send to Bob, she could avoid detection, but at present no way to clone a photon perfectly is known. But even if Trudy could clone photons, the value of quantum cryptography to establish one-time pads would not be reduced.&lt;br /&gt;Although quantum cryptography has been shown to operate over distances of 60 km of fiber, the equipment is complex and expensive. Still, the idea has promise. For more information about quantum cryptography, see (Mullins, 2002).&lt;a name="ch08lev2sec5"&gt;&lt;/a&gt; &lt;br /&gt;5 Two Fundamental Cryptographic Principles&lt;br /&gt;Although we will study many different cryptographic systems in the pages ahead, two principles underlying all of them are important to understand.&lt;a name="ch08lev3sec2"&gt;&lt;/a&gt;&lt;br /&gt;Redundancy&lt;br /&gt;The first principle is that all encrypted messages must contain some redundancy, that is, information not needed to understand the message. An example may make it clear why this is needed. Consider a mail-order company, The Couch Potato (TCP), with 60,000 products. Thinking they are being very efficient, TCP's programmers decide that ordering messages should consist of a 16-byte customer name followed by a 3-byte data field (1 byte for the quantity and 2 bytes for the product number). The last 3 bytes are to be encrypted using a very long key known only by the customer and TCP.&lt;br /&gt;At first this might seem secure, and in a sense it is because passive intruders cannot decrypt the messages. Unfortunately, it also has a fatal flaw that renders it useless. Suppose that a recently-fired employee wants to punish TCP for firing her. Just before leaving, she takes the customer list with her. 
She works through the night writing a program to generate fictitious orders using real customer names. Since she does not have the list of keys, she just puts random numbers in the last 3 bytes, and sends hundreds of orders off to TCP.&lt;br /&gt;When these messages arrive, TCP's computer uses the customer's name to locate the key and decrypt the message. Unfortunately for TCP, almost every 3-byte message is valid, so the computer begins printing out shipping instructions. While it might seem odd for a customer to order 837 sets of children's swings or 540 sandboxes, for all the computer knows, the customer might be planning to open a chain of franchised playgrounds. In this way an active intruder (the ex-employee) can cause a massive amount of trouble, even though she cannot understand the messages her computer is generating.&lt;br /&gt;This problem can be solved by the addition of redundancy to all messages. For example, if order messages are extended to 12 bytes, the first 9 of which must be zeros, then this attack no longer works because the ex-employee can no longer generate a large stream of valid messages. The moral of the story is that all messages must contain considerable redundancy so that active intruders cannot send random junk and have it be interpreted as a valid message.&lt;br /&gt;However, adding redundancy also makes it easier for cryptanalysts to break messages. Suppose that the mail order business is highly competitive, and The Couch Potato's main competitor, The Sofa Tuber, would dearly love to know how many sandboxes TCP is selling. Consequently, they have tapped TCP's telephone line. In the original scheme with 3-byte messages, cryptanalysis was nearly impossible, because after guessing a key, the cryptanalyst had no way of telling whether the guess was right. After all, almost every message is technically legal. With the new 12-byte scheme, it is easy for the cryptanalyst to tell a valid message from an invalid one. 
Thus, we have&lt;br /&gt;Cryptographic principle 1: Messages must contain some redundancy&lt;br /&gt;In other words, upon decrypting a message, the recipient must be able to tell whether it is valid by simply inspecting it and perhaps performing a simple computation. This redundancy is needed to prevent active intruders from sending garbage and tricking the receiver into decrypting the garbage and acting on the ''plaintext.'' However, this same redundancy makes it much easier for passive intruders to break the system, so there is some tension here. Furthermore, the redundancy should never be in the form of n zeros at the start or end of a message, since running such messages through some cryptographic algorithms gives more predictable results, making the cryptanalysts' job easier. A CRC polynomial is much better than a run of 0s since the receiver can easily verify it, but it generates more work for the cryptanalyst. Even better is to use a cryptographic hash, a concept we will explore later.&lt;br /&gt;Getting back to quantum cryptography for a moment, we can also see how redundancy plays a role there. Due to Trudy's interception of the photons, some bits in Bob's one-time pad will be wrong. Bob needs some redundancy in the incoming messages to determine that errors are present. One very crude form of redundancy is repeating the message two times. If the two copies are not identical, Bob knows that either the fiber is very noisy or someone is tampering with the transmission. Of course, sending everything twice is overkill; a Hamming or Reed-Solomon code is a more efficient way to do error detection and correction. 
But it should be clear that some redundancy is needed to distinguish a valid message from an invalid message, especially in the face of an active intruder.&lt;a name="ch08lev3sec3"&gt;&lt;/a&gt;&lt;br /&gt;Freshness&lt;br /&gt;The second cryptographic principle is that some measures must be taken to ensure that each message received can be verified as being fresh, that is, sent very recently. This measure is needed to prevent active intruders from playing back old messages. If no such measures were taken, our ex-employee could tap TCP's phone line and just keep repeating previously sent valid messages. Restating this idea we get:&lt;br /&gt;Cryptographic principle 2: Some method is needed to foil replay attacks&lt;br /&gt;One such measure is including in every message a timestamp valid only for, say, 10 seconds. The receiver can then just keep messages around for 10 seconds, to compare newly arrived messages to previous ones to filter out duplicates. Messages older than 10 seconds can be thrown out, since any replays sent more than 10 seconds later will be rejected as too old. 
Measures other than timestamps will be discussed later.&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/802559115446473721-6876786378819905046?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/6876786378819905046/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/10/cryptography.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/6876786378819905046'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/6876786378819905046'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/10/cryptography.html' title='Cryptography'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-4980621412260137506</id><published>2008-10-27T23:33:00.000-07:00</published><updated>2008-10-27T23:35:27.095-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>Security Management</title><content type='html'>Aligned with the needs of configuration management, the tenets of security management ensure the integrity and reliability of the network. 
Many network devices by default enable security through a shared password concept, which can be a violation of established security policies. Enabling successful security management means segregating the roles and responsibilities of administrators and users, logging their activity, and ensuring the privacy of data on the network. An effective security management system will provide mechanisms for security administrators to easily record network activity and parse that activity for anomalies. Consider the following activities as critical for an effective security management system:&lt;br /&gt;• Selective resource access&lt;br /&gt;• Access logs&lt;br /&gt;• Data privacy&lt;br /&gt;• User access rights checking&lt;br /&gt;• Security audit trail log&lt;br /&gt;• Security alarm/event reporting&lt;br /&gt;• Handling of security breaches and attempted breaches&lt;br /&gt;• Security-related information distribution</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/4980621412260137506/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/10/security-management.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/4980621412260137506'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/4980621412260137506'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/10/security-management.html' title='Security 
Management'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-2121102863526207532</id><published>2008-10-26T20:33:00.000-07:00</published><updated>2009-09-28T02:24:35.045-07:00</updated><title type='text'>Packet Sniffing</title><content type='html'>Packet sniffing is listening (with software) to the raw network device for packets that interest you. When your software sees a packet that fits certain criteria, it logs it to a file. The most common criterion for an interesting packet is one that contains words like "login" or "password."&lt;br /&gt;To do packet sniffing, you will have to obtain or code a packet sniffer that is capable of working with the type of network interface supported by your operating system:&lt;br /&gt;&lt;br /&gt;Network interfaces include: &lt;br /&gt;&lt;br /&gt;LLI &lt;br /&gt;NIT (Network Interface Tap) &lt;br /&gt;Ultrix Packet Filter &lt;br /&gt;DLPI (Data Link Provider Interface) &lt;br /&gt;BPF (Berkeley Packet Filter) &lt;br /&gt;LLI was a network interface used by SCO, which has been augmented with DLPI support as of SCO OpenServer Release V. &lt;br /&gt;&lt;br /&gt;NIT was a network interface used by Sun, but has been replaced in later releases of SunOS/Solaris with DLPI.&lt;br /&gt;&lt;br /&gt;Ultrix supported the Ultrix Packet Filter before Digital implemented support for BPF.&lt;br /&gt;&lt;br /&gt;DLPI is supported under current releases of System V Release 4, SunOS/Solaris, AIX, HP/UX, UnixWare, Irix, and MacOS. DLPI is partially supported under Digital Unix. Sun DLPI version 2 supports Ethernet, X.25 LAPB, SDLC, ISDN LAPD, CSMA/CD, FDDI, Token Ring, Token Bus, and Bisync as data-link protocols. 
The DLPI network interface provided with HP/UX supports Ethernet/IEEE 802.3, IEEE 802.5, FDDI, and Fibre Channel.&lt;br /&gt;&lt;br /&gt;BPF is supported under current releases of BSD and Digital Unix, and has been ported to SunOS and Solaris. AIX supports BPF reads, but not writes. A BPF library is available for Linux.&lt;br /&gt;&lt;br /&gt;Packet Sniffers&lt;br /&gt;Commercial, bundled, and free packet sniffers are available for most operating systems:&lt;br /&gt;&lt;br /&gt;Free Packet Sniffers&lt;br /&gt;Ethereal&lt;br /&gt;Platform(s): Most &lt;br /&gt;License: Open Source GPL &lt;br /&gt;Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows. &lt;br /&gt;&lt;br /&gt;tcpdump&lt;br /&gt;Platform(s): Most &lt;br /&gt;License: BSD License &lt;br /&gt;Tcpdump prints out the headers of packets on a network interface that match the boolean expression. It can also be run with the -w flag, which causes it to save the packet data to a file for later analysis, and/or with the -b flag, which causes it to read from a saved packet file rather than to read packets from a network interface. In all cases, only packets that match expression will be processed by tcpdump. &lt;br /&gt;&lt;br /&gt;Natas&lt;br /&gt;Platform(s): Windows &lt;br /&gt;License: Free &lt;br /&gt;Natas is a free Windows 2000 network packet sniffer with several options. Sourcecode (C++) included. &lt;br /&gt;&lt;br /&gt;nfswatch/&lt;br /&gt;Platform(s): Unix &lt;br /&gt;License: Open Source &lt;br /&gt;nfswatch is a packet sniffer which is dedicated to sniffing NFS (Network File System) traffic. 
nfswatch lets you monitor NFS requests to any given machine, or the entire local network. It mostly monitors NFS client traffic (NFS requests); it also monitors the NFS reply traffic from a server in order to measure the response time for each RPC. &lt;br /&gt;&lt;br /&gt;Web Packet Sniffer&lt;br /&gt;Platform(s): Unix &lt;br /&gt;License: Open Source &lt;br /&gt;Web Packet Sniffer is a pair of Perl scripts that together will: &lt;br /&gt;&lt;br /&gt;Listen to all TCP/IP traffic on a subnet. &lt;br /&gt;Intercept all outgoing requests for Web documents and display them. &lt;br /&gt;Intercept all incoming requests for Web documents and display them. &lt;br /&gt;Decode the Basic authentication passwords, if any. &lt;br /&gt;Sniffit&lt;br /&gt;Platform(s): Linux, SunOS, Solaris, FreeBSD and Irix &lt;br /&gt;License: Open Source &lt;br /&gt;sniffit is a packet sniffer for TCP/UDP/ICMP packets. sniffit is able to give you very detailed technical info on these packets (SEQ, ACK, TTL, Window, ...) but also packet contents in different formats (hex or plain text, ...). &lt;br /&gt;&lt;br /&gt;Bundled Packet Sniffers&lt;br /&gt;Microsoft Network Monitor&lt;br /&gt;Platform(s): Windows &lt;br /&gt;License: Bundled with Microsoft Windows &lt;br /&gt;Microsoft Network Monitor is the packet sniffer which is bundled with Microsoft Windows. &lt;br /&gt;&lt;br /&gt;Network Monitor is a component of Microsoft Systems Management Server (SMS) that enables you to detect and troubleshoot problems on LANs, WANs, and serial links running the Microsoft Remote Access Server (RAS). Network Monitor provides real-time and post-capture modes of network data analysis. &lt;br /&gt;&lt;br /&gt;In real-time analysis, network traffic is examined by real-time monitors. These monitors test network traffic for a specific set of conditions, and when those conditions are detected, display events, which may prompt end-user action. 
For example, a monitor can detect conditions that indicate a SYN attack and aid a network administrator in responding to the potential attack. &lt;br /&gt;&lt;br /&gt;In post-capture analysis, network traffic is saved in a proprietary capture file so that the captured data can be analyzed later. In this case, analysis can be in the form of protocol parsers picking out specific network frame types and displaying the frame data in the Network Monitor UI; or analysis can be in the form of experts examining the network data and displaying a report (experts may also manipulate the network data). &lt;br /&gt;&lt;br /&gt;Network Monitor provides the following types of functionality: &lt;br /&gt;&lt;br /&gt;Captures network data in real-time or delayed mode. &lt;br /&gt;Provides filtering capabilities when capturing data. &lt;br /&gt;Uses monitors for real-time analysis and security. &lt;br /&gt;Uses experts and parsers for detailed post-capture analysis. &lt;br /&gt;snoop&lt;br /&gt;Platform(s): Solaris &lt;br /&gt;License: Bundled with Solaris &lt;br /&gt;snoop is the packet sniffer which is bundled with the Solaris Operating System. &lt;br /&gt;&lt;br /&gt;snoop captures packets from the network and displays their contents. snoop uses both the network packet filter and streams buffer modules to provide efficient capture of packets from the network. Captured packets can be displayed as they are received, or saved to a file for later inspection. &lt;br /&gt;&lt;br /&gt;snoop can display packets in a single-line summary form or in verbose multi-line forms. In summary form, only the data pertaining to the highest level protocol is displayed. For example, an NFS packet will have only NFS information displayed. The underlying RPC, UDP, IP, and ethernet frame information is suppressed but can be displayed if either of the verbose options is chosen. 
&lt;br /&gt;&lt;br /&gt;nettl / netfmt&lt;br /&gt;Platform(s): HP-UX &lt;br /&gt;License: Bundled with HP-UX &lt;br /&gt;The nettl and netfmt packet sniffing utilities are bundled with the HP-UX operating system. &lt;br /&gt;&lt;br /&gt;Commercial Packet Sniffers&lt;br /&gt;LanWatch&lt;br /&gt;Platform(s): DOS/Windows &lt;br /&gt;License: Commercial &lt;br /&gt;LANWatch is a software-based network packet analyzer. Easy to install and use, LANWatch monitors traffic in real time and displays a wide range of statistics. With LANWatch, network administrators can quickly identify problems and keep networks running at peak performance. Support and QA Personnel can determine the origin of network problems. Network Application and Protocol Developers can easily monitor, examine and verify network protocols in both hexadecimal and formatted views. &lt;br /&gt;&lt;br /&gt;Etherpeek&lt;br /&gt;Platform(s): Windows, Macintosh &lt;br /&gt;License: Commercial &lt;br /&gt;EtherPeek is an Ethernet network traffic and protocol analyzer designed to make the complex tasks of troubleshooting and debugging mixed-platform, multi-protocol networks easy. EtherPeek sets the industry standard for ease-of-use while delivering all the superior diagnostic and analysis capabilities expected of a full-featured analyzer at an affordable price. &lt;br /&gt;&lt;br /&gt;Sniff'em&lt;br /&gt;Platform(s): Windows &lt;br /&gt;License: Commercial &lt;br /&gt;Sniff'em captures, monitors and analyzes network traffic, detecting bottlenecks and other network related problems. Using this information, a network manager can keep traffic flowing efficiently. The Sniff'em packet sniffer can also be used legitimately or illegitimately to capture data being transmitted over a network. 
&lt;br /&gt;&lt;br /&gt;Sniff'em is a competitively priced, performance-minded, Windows-based packet sniffer, network analyzer and network sniffer, a revolutionary new network management tool designed from the ground up with ease of use and functionality in mind. &lt;br /&gt;&lt;br /&gt;Sniffer Pro&lt;br /&gt;Platform(s): Windows &lt;br /&gt;License: Commercial &lt;br /&gt;The Sniffer Portable family of network fault and performance management solutions enables network professionals to maintain, troubleshoot, fine tune, and expand multi-topology and multi-protocol networks. Capable of insertion wherever needed in the network, Sniffer Portable identifies and analyzes performance problems automatically and recommends corrective action. Sniffer Portable supports virtually all LAN and WAN topologies plus a wide range of network and application protocols, and immediately alerts administrators of attempted intrusions. &lt;br /&gt;&lt;br /&gt;EffeTech HTTP Sniffer&lt;br /&gt;Platform(s): Windows &lt;br /&gt;License: Commercial &lt;br /&gt;EffeTech HTTP Sniffer is an HTTP packet sniffer, protocol analyzer and file reassembly tool for the Windows platform. Unlike most other sniffers, it is dedicated to capturing IP packets carrying HTTP, rebuilding the HTTP sessions, and reassembling files sent over HTTP. Its real-time analyzer enables on-the-fly content viewing while it captures, parses and decodes HTTP traffic. &lt;br /&gt;&lt;br /&gt;Iris&lt;br /&gt;Platform(s): Windows &lt;br /&gt;License: Commercial &lt;br /&gt;Iris is a powerful yet intuitive network traffic analyzer which allows system administrators to examine the inner workings of their network, simplifying the detective work of pinpointing a security breach or resolving a performance problem. &lt;br /&gt;&lt;br /&gt;Iris takes network traffic and returns it to its original format, dramatically reducing the time previously spent examining individual packets. 
Utilizing Iris, security professionals are able to: read the actual text of an email, as well as any attachments, exactly as it was sent, reconstruct the actual HTML pages that your users have visited and even simulate cookies for entry into password-protected websites. &lt;br /&gt;&lt;br /&gt;Iris provides automated filters that can be set up to flag and record specific network traffic that contains a particular MAC or IP address, unacceptable words or websites, and more, to determine whether company security is being compromised or corporate policies are abused. Iris also provides a variety of statistical measurements allowing you to proactively identify, and take the steps to eliminate, performance issues before they can result in downtime. &lt;br /&gt;&lt;br /&gt;Colasoft Capsa&lt;br /&gt;Platform(s): Windows &lt;br /&gt;License: Commercial&lt;br /&gt;&lt;br /&gt;As a professional network analyzer (also known as protocol analyzer &amp; packet sniffer), Colasoft Capsa performs real-time packet capturing, 24/7 network monitoring, advanced protocol analyzing, in-depth packet decoding, and automatic expert diagnosing. 
It allows you to get a clear view of the complex network, conduct packet level analysis, and troubleshoot network problems.&lt;br /&gt;&lt;br /&gt;Whether you're a network administrator who needs to identify, diagnose, and solve network problems, a company manager who wants to monitor user activities on the network and ensure that the corporation's communications assets are safe, or a consultant who has to quickly solve network problems for clients, Capsa is the tool you need.&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/2121102863526207532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/10/packet-sniffing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/2121102863526207532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/2121102863526207532'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/10/packet-sniffing.html' title='Packet Sniffing'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-1522732280662411810</id><published>2008-10-26T19:42:00.000-07:00</published><updated>2008-10-26T20:18:31.273-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sniffer'/><category 
scheme='http://www.blogger.com/atom/ns#' term='hacker'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><title type='text'>what is hacker?</title><content type='html'>A hacker is someone who thinks outside the box. It's someone who discards conventional wisdom, and does something else instead. It's someone who looks at the edge and wonders what's beyond. It's someone who sees a set of rules and wonders what happens if you don't follow them. A hacker is someone who experiments with the limitations of systems for intellectual curiosity.&lt;br /&gt;&lt;br /&gt;Hackers are as old as curiosity, although the term itself is modern. Galileo was a hacker. Mme. Curie was one, too. Aristotle wasn't. (Aristotle had some theoretical proof that women had fewer teeth than men. A hacker would have simply counted his wife's teeth. A good hacker would have counted his wife's teeth without her knowing about it, while she was asleep. A good bad hacker might remove some of them, just to prove a point.) &lt;br /&gt;When I was in college, I knew a group similar to hackers: the key freaks. They wanted access, and their goal was to have a key to every lock on campus. They would study lockpicking and learn new techniques, trade maps of the steam tunnels and where they led, and exchange copies of keys with each other. A locked door was a challenge, a personal affront to their ability. These people weren't out to do damage -- stealing stuff wasn't their objective -- although they certainly could have. Their hobby was the power to go anywhere they wanted to.&lt;br /&gt;&lt;br /&gt;Remember the phone phreaks of yesteryear, the ones who could whistle into payphones and make free phone calls. Sure, they stole phone service. But it wasn't like they needed to make eight-hour calls to Manila or McMurdo. And their real work was secret knowledge: The phone network was a vast maze of information. 
They wanted to know the system better than the designers, and they wanted the ability to modify it to their will. Understanding how the phone system worked -- that was the true prize. Other early hackers were ham-radio hobbyists and model-train enthusiasts.&lt;br /&gt;&lt;br /&gt;Richard Feynman was a hacker; read any of his books.&lt;br /&gt;&lt;br /&gt;Computer hackers follow these evolutionary lines. Or, they are the same genus operating on a new system. Computers, and networks in particular, are the new landscape to be explored. Networks provide the ultimate maze of steam tunnels, where a new hacking technique becomes a key that can open computer after computer. And inside is knowledge, understanding. Access. How things work. Why things work. It's all out there, waiting to be discovered.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Computers are the perfect playground for hackers. Computers, and computer networks, are vast treasure troves of secret knowledge. The Internet is an immense landscape of undiscovered information. The more you know, the more you can do.&lt;br /&gt;&lt;br /&gt;And it should be no surprise that many hackers have focused their skills on computer security. Not only is it often the obstacle between the hacker and knowledge, and therefore something to be defeated, but also the very mindset necessary to be good at security is exactly the same mindset that hackers have: thinking outside the box, breaking the rules, exploring the limitations of a system. The easiest way to break a security system is to figure out what the system's designers hadn't thought of: that's security hacking.&lt;br /&gt;&lt;br /&gt;Hackers cheat. And breaking security regularly involves cheating. It's figuring out a smart card's RSA key by looking at the power fluctuations, because the designers of the card never realized anyone could do that. It's self-signing a piece of code, because the signature-verification system didn't think someone might try that. 
It's using a piece of a protocol to break a completely different protocol, because all previous security analysis only looked at protocols individually and not in pairs.&lt;br /&gt;&lt;br /&gt;That's security hacking: breaking a system by thinking differently.&lt;br /&gt;&lt;br /&gt;It all sounds criminal: recovering encrypted text, fooling signature algorithms, breaking protocols. But honestly, that's just the way we security people talk. Hacking isn't criminal. All the examples two paragraphs above were performed by respected security professionals, and all were presented at security conferences.&lt;br /&gt;&lt;br /&gt;I remember one conversation I had at a Crypto conference, early in my career. It was outside amongst the jumbo shrimp, chocolate-covered strawberries, and other delectables. A bunch of us were talking about some cryptographic system, including Brian Snow of the NSA. Someone described an unconventional attack, one that didn't follow the normal rules of cryptanalysis. I don't remember any of the details, but I remember my response after hearing the description of the attack.&lt;br /&gt;&lt;br /&gt;"That's cheating," I said.&lt;br /&gt;&lt;br /&gt;Because it was.&lt;br /&gt;&lt;br /&gt;I also remember Brian turning to look at me. He didn't say anything, but his look conveyed everything. "There's no such thing as cheating in this business."&lt;br /&gt;&lt;br /&gt;Because there isn't.&lt;br /&gt;&lt;br /&gt;Hacking is cheating, and it's how we get better at security. It's only after someone invents a new attack that the rest of us can figure out how to defend against it.&lt;br /&gt;&lt;br /&gt;For years I have refused to play the semantic "hacker" vs. "cracker" game. There are good hackers and bad hackers, just as there are good electricians and bad electricians. "Hacker" is a mindset and a skill set; what you do with it is a different issue.&lt;br /&gt;&lt;br /&gt;And I believe the best computer security experts have the hacker mindset. 
When I look to hire people, I look for someone who can't walk into a store without figuring out how to shoplift. I look for someone who can't test a computer security program without trying to get around it. I look for someone who, when told that things work in a particular way, immediately asks how things stop working if you do something else.&lt;br /&gt;&lt;br /&gt;We need these people in security, and we need them on our side. Criminals are always trying to figure out how to break security systems. Field a new system -- an ATM, an online banking system, a gambling machine -- and criminals will try to make an illegal profit off it. They'll figure it out eventually, because some hackers are also criminals. But if we have hackers working for us, they'll figure it out first -- and then we can defend ourselves.&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/1522732280662411810/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/10/what-is-hacker.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/1522732280662411810'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/1522732280662411810'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/10/what-is-hacker.html' title='what is hacker?'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-6299372825716647330</id><published>2008-10-23T23:26:00.001-07:00</published><updated>2008-10-23T23:27:13.175-07:00</updated><title type='text'></title><content type='html'>Top 11 Packet Sniffers&lt;br /&gt;After the tremendously successful 2000 and 2003 security tools surveys, Insecure.Org is delighted to release this 2006 survey. I (Fyodor) asked users from the nmap-hackers mailing list to share their favorite tools, and 3,243 people responded. This allowed me to expand the list to 100 tools, and even subdivide them into categories. This is the category page for packet sniffers -- the full network security list is available here. Anyone in the security field would be well advised to go over the list and investigate tools they are unfamiliar with. I discovered several powerful new tools this way. I also point newbies to this site whenever they write me saying “I don't know where to start”. &lt;br /&gt;&lt;br /&gt;Respondents were allowed to list open source or commercial tools on any platform. Commercial tools are noted as such in the list below. No votes for the Nmap Security Scanner were counted because the survey was taken on a Nmap mailing list. This audience also biases the list slightly toward “attack” hacking tools rather than defensive ones. &lt;br /&gt;&lt;br /&gt;Each tool is described by one or more attributes:  Did not appear on the 2003 list &lt;br /&gt; Generally costs money. A free limited/demo/trial version may be available. &lt;br /&gt; Works natively on Linux &lt;br /&gt; Works natively on OpenBSD, FreeBSD, Solaris, and/or other UNIX variants &lt;br /&gt; Works natively on Apple Mac OS X &lt;br /&gt; Works natively on Microsoft Windows &lt;br /&gt; Features a command-line interface &lt;br /&gt; Offers a GUI (point and click) interface &lt;br /&gt; Source code available for inspection. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Please send updates and suggestions (or better tool logos) to Fyodor. If your tool is featured or you think your site visitors might enjoy this list, you are welcome to use our link banners. Here is the list, starting with the most popular:&lt;br /&gt;&lt;br /&gt;#1&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;   Wireshark : Sniffing the glue that holds the Internet together&lt;br /&gt;Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. A tcpdump-like console version named tethereal is included. One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;#2&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;   Kismet : A powerful wireless sniffer&lt;br /&gt;Kismet is a console (ncurses) based 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use. 
It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/TCPDump compatible format, and even plot detected networks and estimated ranges on downloaded maps. As you might expect, this tool is commonly used for wardriving. Oh, and also warwalking, warflying, and warskating, ... &lt;br /&gt;Also categorized as: wireless tools &lt;br /&gt; &lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;#3&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;   Tcpdump : The classic sniffer for network monitoring and data acquisition&lt;br /&gt;Tcpdump is the IP sniffer we all used before Ethereal (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI or parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with fewer security holes. It also requires fewer system resources. While it doesn't receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump. TCPDump is the source of the Libpcap/WinPcap packet capture library, which is used by Nmap among many other tools.  &lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;#4&lt;br /&gt;&lt;br /&gt;   Cain and Abel : The top password recovery tool for Windows&lt;br /&gt;UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain &amp; Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. 
It can recover passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also well documented. &lt;br /&gt;Also categorized as: password crackers &lt;br /&gt; &lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;#5&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;   Ettercap : In case you still thought switched LANs provide much extra security&lt;br /&gt;Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like ssh and https). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.  &lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;#6&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;   Dsniff : A suite of powerful network auditing and penetration-testing tools&lt;br /&gt;This popular and well-engineered suite by Dug Song includes many tools. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). 
sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected ssh and https sessions by exploiting weak bindings in ad-hoc PKI. A separately maintained partial Windows port is available here. Overall, this is a great toolset. It handles pretty much all of your password sniffing needs.  &lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;#7&lt;br /&gt;&lt;br /&gt;   NetStumbler : Free Windows 802.11 Sniffer&lt;br /&gt;Netstumbler is the best known Windows tool for finding open wireless access points ("wardriving"). They also distribute a WinCE version for PDAs and such named Ministumbler. The tool is currently free but Windows-only and no source code is provided. It uses a more active approach to finding WAPs than passive sniffers such as Kismet or KisMAC. &lt;br /&gt;Also categorized as: wireless tools &lt;br /&gt; &lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;#8&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;   Ntop : A network traffic usage monitor&lt;br /&gt;Ntop shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics. 
&lt;br /&gt;Also categorized as: traffic monitoring tools &lt;br /&gt; &lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;#9&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;  Ngrep : Convenient packet matching &amp; display&lt;br /&gt;ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop. &lt;br /&gt;Also categorized as: traffic monitoring tools &lt;br /&gt; &lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;#10&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;   EtherApe : EtherApe is a graphical network monitor for Unix modeled after etherman&lt;br /&gt;Featuring link layer, IP and TCP modes, EtherApe displays network activity graphically with a color coded protocols display. Hosts and links change in size with traffic. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network. &lt;br /&gt;Also categorized as: traffic monitoring tools &lt;br /&gt; &lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------------------&lt;br /&gt;#11&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;   KisMAC : A GUI passive wireless stumbler for Mac OS X&lt;br /&gt;This popular stumbler for Mac OS X offers many of the features of its namesake Kismet, though the codebase is entirely different. 
Unlike console-based Kismet, KisMAC offers a pretty GUI and was around before Kismet was ported to OS X. It also offers mapping, Pcap-format import and logging, and even some decryption and deauthentication attacks. &lt;br /&gt;Also categorized as: wireless tools&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/6299372825716647330/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/10/top-11-packet-sniffers-after.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/6299372825716647330'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/6299372825716647330'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/10/top-11-packet-sniffers-after.html' title=''/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-2188972745601629733</id><published>2008-10-23T22:23:00.000-07:00</published><updated>2008-10-23T23:18:44.216-07:00</updated><title type='text'>Sniffers: What They Are and How to Protect Yourself</title><content type='html'>Sniffers: What They Are and How to Protect Yourself &lt;br /&gt;by Matthew Tanase&lt;br /&gt;&lt;br /&gt;Introduction &lt;br /&gt;&lt;br /&gt;Have you ever thought about how your computer talks with
others on a network? Would you like to listen to, or “sniff”, the conversation? Network engineers, system administrators, security professionals and, unfortunately, crackers have long used a tool that allows them to do exactly that. This nifty utility, known as a sniffer, can be found in the arsenal of every network guru, where it’s likely used every day for a variety of tasks. This article will offer a brief overview of sniffers, including what they do, how they work, why users need to be aware of them, and what users can do to protect themselves against the illegitimate use of sniffers. &lt;br /&gt;&lt;br /&gt;What is a Sniffer? &lt;br /&gt;&lt;br /&gt;A sniffer is a piece of software that grabs all of the traffic flowing into and out of a computer attached to a network. They are available for several platforms in both commercial and open-source variations. Some of the simplest packages are actually quite easy to implement in C or Perl, use a command line interface and dump captured data to the screen. More complex projects use a GUI, graph traffic statistics, track multiple sessions and offer several configuration options. Sniffers are also the engines for other programs. Intrusion Detection Systems (IDS) use sniffers to match packets against a rule-set designed to flag anything malicious or strange. Network utilization and monitoring programs often use sniffers to gather data necessary for metrics and analysis. Law enforcement agencies that need to monitor email during investigations likely employ a sniffer designed to capture very specific traffic. Knowing that sniffers simply grab network data, let’s see how they work. &lt;br /&gt;&lt;br /&gt;How Does a Sniffer Work? &lt;br /&gt;&lt;br /&gt;Before we can explore how a sniffer operates, it may be helpful to examine what enables the tool to work. During normal tasks such as Web surfing and messaging, computers are constantly communicating with other machines. 
(For an introduction to the way that the Internet and networking works, please see the SecurityFocus article A Beginner’s Guide to the Internet.) Obviously, a user should be able to see all the traffic traveling to or from their machine. Most PCs, however, are on a Local Area Network (LAN), meaning they share a connection with several other computers. If the network is not switched (a switch is a device that filters and forwards packets between segments of the LAN), the traffic destined for any machine on a segment is broadcast to every machine on that segment. This means that a computer actually sees the data traveling to and from each of its neighbors, but ignores it, unless otherwise instructed. &lt;br /&gt;&lt;br /&gt;We can now begin to understand the magic behind a sniffer. The sniffer program tells a computer, specifically its Network Interface Card (NIC), to stop ignoring all the traffic headed to other computers and pay attention to them. It does this by placing the NIC in a state known as promiscuous mode. Once a NIC is promiscuous, a status that requires administrative or root privileges, a machine can see all the data transmitted on its segment. The program then begins a constant read of all information entering the PC via the network card. As pointed out in A Beginner’s Guide to the Internet, data traveling along the network comes as frames, or packets, bursts of bits formatted to specific protocols. Because of this strict formatting, a sniffer can peel away the layers of encapsulation and decode the relevant information stored within: source computer, destination computer, targeted port number, payload, in short - every piece of information exchanged between two computers. &lt;br /&gt;&lt;br /&gt;What Does Sniffed Data Look Like? &lt;br /&gt;&lt;br /&gt;It is easy to grasp the concepts discussed above by watching a sniffer in action. 
The information in the following example was derived using tcpdump, a program that has been around for quite some time and is available for many platforms. This particular snippet is an abbreviated exchange between a machine and the SecurityFocus Web server. &lt;br /&gt;&lt;br /&gt;21:06:30.786814 0:1:3:e5:46:6b 0:4:5a:d1:46:ad 0800 650: 192.168.1.3.32946 &gt;&lt;br /&gt;66.38.151.10.80: P [tcp sum ok] 1:585(584) ack 336 win 64080 &lt;nop,nop,timestamp 608776&lt;br /&gt;899338&gt; (DF) (ttl 64, id 7468, len 636)&lt;br /&gt;0x0000  4500 027c 1d2c 4000 4006 8074 c0a8 0103 E..|.,@.@..t....&lt;br /&gt;0x0010  4226 970a 80b2 0050 54ac b070 78ef d6c3 B&amp;.....PT..px...&lt;br /&gt;0x0020  8018 fa50 c663 0000 0101 080a 0009 4a08 ...P.c........J.&lt;br /&gt;0x0030  000d b90a 4745 5420 2f63 6f72 706f 7261 ....GET./corpora&lt;br /&gt;0x0040  7465 2f69 6d61 6765 732f 6275 696c 642f te/images/build/&lt;br /&gt;0x0050  626c 6c74 5f72 645f 312e 6769 6620 4854 bllt_rd_1.gif.HT&lt;br /&gt;0x0060  5450 2f31 2e31 0d0a 486f 7374 3a20 7777 TP/1.1..Host:.ww&lt;br /&gt;0x0070  772e 7365 6375 7269 7479 666f 6375 732e w.securityfocus.&lt;br /&gt;0x0080  636f 6d0d 0a55 7365 722d 4167 656e 743a com..User-Agent:&lt;br /&gt;0x0090  204d 6f7a 696c 6c61 2f35 2e30 2028 5831 .Mozilla/5.0.(X1&lt;br /&gt;0x00a0  313b 2055 3b20 4c69 6e75 7820 6936 3836 1;.U;.Linux.i686&lt;br /&gt;&lt;br /&gt;21:06:30.886814 0:4:5a:d1:46:ad 0:1:3:e5:46:6b 0800 402: 66.38.151.10.80 &gt;  &lt;br /&gt;192.168.1.3.32949: P [tcp sum ok] 2363393025:2363393361(336) ack 1437810754 win 8616&lt;br /&gt;&lt;nop,nop, timestamp 899338 608766&gt; (ttl 61, id 10825, len 388)&lt;br /&gt;0x0000  4500 0184 2a49 0000 3d06 b74f 4226 970a E...*I..=..OB&amp;..&lt;br /&gt;0x0010  c0a8 0103 0050 80b5 8cde 8401 55b3 4042 .....P......U.@B&lt;br /&gt;0x0020  8018 21a8 0543 0000 0101 080a 000d b90a ..!..C..........&lt;br /&gt;0x0030  0009 49fe 4854 5450 2f31 2e31 2032 3030 ..I.HTTP/1.1.200&lt;br /&gt;0x0040  204f 4b0d 0a41 6765 3a20 320d 0a41 
6363 .OK..Age:.2..Acc&lt;br /&gt;0x0050  6570 742d 5261 6e67 6573 3a20 6279 7465 ept-Ranges:.byte&lt;br /&gt;0x0060  730d 0a44 6174 653a 2054 7565 2c20 3132 s..Date:.Tue,.12&lt;br /&gt;0x0070  2046 6562 2032 3030 3220 3033 3a30 343a .Feb.2002.03:04:&lt;br /&gt;0x0080  3538 2047 4d54 0d0a 436f 6e74 656e 742d 58.GMT..Content-&lt;br /&gt;0x0090  4c65 6e67 7468 3a20 3433 0d0a 436f 6e74 Length:.43..Cont&lt;br /&gt;0x00a0  656e 742d 5479 7065 3a20 696d 6167 652f ent-Type:.image/&lt;br /&gt;0x00b0  6769 660d 0a53 6572 7665 723a 2041 7061 gif..Server:.Apa&lt;br /&gt;0x00c0  6368 652f 312e 332e 3232 2028 556e 6978 che/1.3.22.(Unix&lt;br /&gt;0x00d0  2920 6d6f 645f 7065 726c 2f31 2e32 360d ).mod_perl/1.26.&lt;br /&gt;This excerpt shows two packets: an HTTP request by the client and the server’s response. Note that the first few lines of each sniffed packet provide a summary of the transaction: timestamps, source and destination MAC addresses, source and destination IP addresses and several other bits of information. The numbered lines (0x00##) show the data transmitted by each packet in hexadecimal format. Additionally, an ASCII decode of the payload is located off to the right - a convenient feature for crackers and nosy neighbors watching you on the network. &lt;br /&gt;&lt;br /&gt;Why Should Users Be Concerned? &lt;br /&gt;&lt;br /&gt;On a normal LAN there are thousands of packets exchanged by multiple machines every minute, ample supply for any attacker. Anything transmitted in plaintext over the network will be vulnerable - passwords, web pages, database queries and messaging to name a few. A sniffer can easily be customized to capture specific traffic like telnet sessions or e-mail. Once traffic has been captured, crackers can quickly extract the information they need - logins, passwords and the text of messages. And the users will likely never know they were compromised - sniffers cause no damage or disturbance to a network environment. 
&lt;br /&gt;&lt;br /&gt;How Can Users Protect Themselves? &lt;br /&gt;&lt;br /&gt;Anti-Sniffing Tools &lt;br /&gt;&lt;br /&gt;A scary aspect of these tools is who can, and will, use them. As stated earlier, sniffers can be used for both legitimate and illegitimate purposes. For instance, a network manager can use them to monitor the flow of traffic on the network to ensure that the network is operating efficiently. However, sniffers can also be used by malicious users to obtain valuable personal information. Whether it is passwords or private communication, both crackers and co-workers can benefit from reading your data. Defending against sniffers, as with any other threat, needs to start from the top and filter down to the user. As on any network, administrators need to secure individual machines and servers. A sniffer is one of the first things a cracker will load to see what is taking place on and around their newly compromised machine. &lt;br /&gt;&lt;br /&gt;Another method of protection involves tools, such as antisniff, that scan networks to determine if any NICs are running in promiscuous mode. These detection tools should run regularly, since they act as an alarm of sorts, triggered by evidence of a sniffer. &lt;br /&gt;&lt;br /&gt;Switched Networks &lt;br /&gt;&lt;br /&gt;A switched network is also a good deterrent. In the non-switched environment, packets are visible to every node on the network; in a switched environment, packets are only delivered to the target address. While more expensive than hubs, the cost of switches has fallen over time, bringing them within reach of most budgets. Unlike hubs, switches only send frames to the designated recipient; therefore a NIC in promiscuous mode on a switched network will not capture every piece of local traffic. But programs such as dsniff allow an attacker to monitor a switched network with a technique known as arp-spoofing. 
Although it uses different methods, arp-spoofing can provide results similar to sniffing, i.e. compromised data. Is there anything that can truly protect your data once it reaches the network? &lt;br /&gt;&lt;br /&gt;Encryption &lt;br /&gt;&lt;br /&gt;Encryption is the best protection against any form of traffic interception. It is reasonable to assume that at some point along a path, data can always be compromised. Therefore, your best defense is to ensure that traffic is essentially unreadable to everyone but the intended receiver. This isn’t difficult to do, since many organizations have deployed services that make use of Secure Socket Layers (SSL), Transport Layer Security (TLS) and other methods that provide secure messaging, web browsing and more. Only the payloads are scrambled, ensuring that packets reach the correct destinations. So an attacker can see where traffic was headed and where it came from, but not what it carries. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt; &lt;br /&gt;  21:09:04.599289 192.168.1.3.32933 &gt; opensource-01.ee.ethz.ch.https: . 
[tcp sum ok] &lt;br /&gt;         793:793(0) ack 7011 win 20104   (DF) (ttl 64, id 12206, len 40)&lt;br /&gt;         0x0000  4500 0028 2fae 4000 4006 c059 c0a8 0103 E.(/.@.@..Y....&lt;br /&gt;  0x0010  8184 0799 80a5 01bb 19a2 0520 be10 d77f ................&lt;br /&gt;  0x0020  5010 4e88 dfd0 0000                     P.N.....&lt;br /&gt;&lt;br /&gt;  21:09:04.599289 opensource-01.ee.ethz.ch.https &gt; 192.168.1.3.32933: P [tcp sum ok]&lt;br /&gt;         7011:7135(124) ack 793 win 10052 (DF) (ttl 237, id 65192, len 164)&lt;br /&gt;  0x0000  4500 00a4 fea8 4000 ed06 43e2 8184 0799 E.....@...C.....&lt;br /&gt;  0x0010  c0a8 0103 01bb 80a5 be10 d77f 19a2 0520 ................&lt;br /&gt;  0x0020  5018 2744 8303 0000 4d3a a587 805e e2bc P.'D....M:...^..&lt;br /&gt;  0x0030  9a2a 8ff3 fe95 46d4 930e b2bc 74f0 a484 .*....F.....t...&lt;br /&gt;  0x0040  fcae 33ad 6d1f 0198 6020 aee5 0c26 908e ..3.m...`....&amp;..&lt;br /&gt;  0x0050  a1b5 17b4 84b7 44bc 1b0b 434e bbae a483 ......D...CN....&lt;br /&gt;  0x0060  1e23 38d3 520f 687e c5e3 b62e 5225 aa2f .#8.R.h~....R%./&lt;br /&gt;  0x0070  f747 1a71 669c 8fd1 55bd 511c 4988 b78a .G.qf...U.Q.I...&lt;br /&gt;  0x0080  a08d 554e a3fe bb7d 36ca e66b fb8b 0392 ..UN...}6..k....&lt;br /&gt;  0x0090  a3f3 4cef 7b04 af5a 7a94 cb4c a1e6 e7fa ..L.{..Zz..L....&lt;br /&gt;  0x00a0  9610 a5ee                                  ....&lt;br /&gt;Compare this sniffed sample of a web session with the OpenSSL Web server to the example earlier in the article. Notice how the header information remains readable, but the ASCII decode of the payload contains seemingly random characters - thanks to the encryption. The two participants in this exchange, however, can both decrypt and process the data once it is received. This type of safeguard can be applied to virtually any network process and should be employed whenever possible. &lt;br /&gt;&lt;br /&gt;Can I Use a Sniffer? 
&lt;br /&gt;&lt;br /&gt;Sniffers can be invaluable tools for administrators, security professionals, programmers and even beginners. They are excellent utilities for troubleshooting any type of network problem, since they provide a window into local traffic. I personally have used sniffers on multiple occasions for security work and once discovered a compromised machine that periodically sent updates to a cracker. For network programming, a sniffer is a necessity for debugging in the development stages. Sniffers are an outstanding resource for the curious beginner who hopes to understand both networks and security. Nothing can bring you closer to what really happens when computers communicate than these tools. I still learn new things using them and often keep a copy of Richard Stevens’ book TCP/IP Illustrated Volume 1 nearby for quick reference. &lt;br /&gt;&lt;br /&gt;It should be noted that the casual user should be very cautious about when, where and how they use these programs. Never employ sniffers on a local network without checking with an administrator. It's best to try these techniques at home, or on a network you run. &lt;br /&gt;&lt;br /&gt;Conclusion &lt;br /&gt;&lt;br /&gt;Having looked at what they are, why they work and how they are used, it is easy to view sniffers as both dangerous threats and powerful tools. Every user should understand that they are vulnerable to these types of attacks and that their best defense lies in encryption. Administrators and professionals need to know that these programs are superb diagnostic utilities that can, unfortunately, be used with malicious intent on any network. &lt;br /&gt;&lt;br /&gt;Matthew Tanase is President of Qaddisin, a network security company based in St. Louis. He has studied computer security for 10 years and holds a dual degree in Electrical Engineering and Computer Science. Currently, he provides network and security consulting services for universities, start-ups, small businesses and large corporations. 
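Returning to the Switched Networks section above: the ARP spoofing that dsniff performs leaves two fingerprints on the wire, an IP address that suddenly answers from a different hardware address, and one hardware address that answers for several IP addresses (the gateway and the victims). The following added example (not code from the article or from dsniff) is an arpwatch-style monitor in Python that replays a constructed list of ARP replies and raises an alert on both symptoms. The MAC and IP addresses, the baseline entry and the sequence of replies are all invented for the demonstration.

```python
"""Added example (not from the article): an arpwatch-style monitor that
replays ARP replies and alerts on the two symptoms of dsniff-style ARP
spoofing: an IP address that changes hardware address, and one hardware
address that answers for several IP addresses. All addresses are constructed."""
from collections import defaultdict

# Constructed ARP replies as (time, sender MAC, sender IP), the fields an
# ARP-capturing hook (for instance built on "tcpdump -n -e arp") would pass in.
REPLIES = [
    (1, "00:50:56:00:00:01", "192.168.1.1"),   # the real gateway
    (2, "00:50:56:00:00:02", "192.168.1.3"),   # two ordinary hosts
    (3, "00:50:56:00:00:03", "192.168.1.4"),
    (4, "00:0C:29:AA:BB:CC", "192.168.1.1"),   # gateway IP now answered by a new MAC
    (5, "00:50:56:00:00:01", "192.168.1.1"),   # real gateway answers again: flip-flop
    (6, "00:0c:29:aa:bb:cc", "192.168.1.3"),   # the same new MAC also claims a host
]

# Baseline learned earlier or pinned by hand; the gateway mapping is the one
# most worth protecting, because that is what arpspoof targets.
BASELINE = {"192.168.1.1": "00:50:56:00:00:01"}


def monitor(replies, baseline=None):
    """Return alerts as tuples, keeping an IP-to-MAC table across all replies."""
    table = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    claimed = defaultdict(set)            # MAC to the set of IPs it has answered for
    for ip, mac in table.items():
        claimed[mac].add(ip)
    alerts = []
    for ts, mac, ip in replies:
        mac = mac.lower()                 # normalise so case alone never hides a change
        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "changed", ip, previous, mac))
        table[ip] = mac
        known_for_mac = claimed[mac]
        if known_for_mac and ip not in known_for_mac:
            # This MAC already answered for other IPs: the arpspoof pattern.
            alerts.append((ts, "multiple", mac, sorted(known_for_mac | {ip})))
        known_for_mac.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in monitor(REPLIES, BASELINE):
        print(alert)
```

On the constructed replies the monitor reports the gateway changing to the new MAC at time 4, flipping back at time 5, the second host changing at time 6, and finally the new MAC claiming both addresses. Legitimate events produce "changed" alerts too (router failover between VRRP or HSRP peers, DHCP leases moving between machines), so pin known-good entries in the baseline and investigate rather than auto-block; the preventive counterparts are static ARP entries on critical hosts and switch features such as Dynamic ARP Inspection.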
&lt;br /&gt; &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Relevant Links&lt;br /&gt;&lt;br /&gt;A Beginner's Guide to the Internet&lt;br /&gt;A good tutorial for those new to networking&lt;br /&gt;&lt;br /&gt;Tcpdump&lt;br /&gt;An established sniffer available for many platforms&lt;br /&gt;&lt;br /&gt;Ethereal&lt;br /&gt;A powerful sniffer with a GUI and additional utilities for Unix and Windows&lt;br /&gt;&lt;br /&gt;Snort&lt;br /&gt;A popular IDS, which can also be used as a sniffer&lt;br /&gt;&lt;br /&gt;Ettercap&lt;br /&gt;A sniffer designed to work on switched networks&lt;br /&gt;&lt;br /&gt;Dsniff&lt;br /&gt;A collection of tools which can sniff data on a switched network&lt;br /&gt;&lt;br /&gt;OpenSSL&lt;br /&gt;A project designed to implement SSL and TLS.&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/802559115446473721-2188972745601629733?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/2188972745601629733/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/10/sniffers-what-they-are-and-how-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/2188972745601629733'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/2188972745601629733'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/10/sniffers-what-they-are-and-how-to.html' title='Sniffers: What They Are and How to Protect Yourself'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-802559115446473721.post-2683582822568475792</id><published>2008-10-23T20:17:00.000-07:00</published><updated>2008-10-23T20:41:57.309-07:00</updated><title type='text'>Network safety</title><content type='html'>In recent months, unaware Information Technology customers may have violated responsible use &lt;a href="http://www.uh.edu/infotech/php/template.php?nonsvc_id=285"&gt;policies&lt;/a&gt; at the University of Houston. Violations often involve the use of &lt;a href="http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci212769,00.html"&gt;peer-to-peer&lt;/a&gt; networking software, such as Morpheus, Audiogalaxy or Gnutella, which arose in the wake of the Napster controversy. While most were simply uninformed about the risks or etiquette involved, they made themselves &lt;a href="http://www.vnunet.com/News/1129676"&gt;vulnerable&lt;/a&gt; to attack by inviting unauthorized access to UH systems. Violations like these soften security measures and make it easier for malicious hackers to break into university computers. It is the responsibility of every customer to be familiar with responsible use policies. The penalties for abuse vary from disconnection to termination, or even legal action. Practicing good network safety is easy and makes both UH and Internet services faster and more reliable for everyone.&lt;br /&gt;Most importantly, customers should:&lt;br /&gt;Avoid applications that use excessive bandwidth. Downloading or uploading a large amount of information is what the network is designed to allow. However, overuse of this ability can have a negative impact on other network customers. Customers should attempt to limit, or cap, the data sent and received by an application on the network. 
IT Security monitors network traffic and, if excessive traffic is detected, customers may be disconnected from the network without warning.&lt;br /&gt;Keep software updated.&lt;br /&gt;Mac OS 9&lt;br /&gt;From the Apple Menu, select "Control Panel"&lt;br /&gt;Select "Software Update"&lt;br /&gt;Check the box next to "Update Software Automatically"&lt;br /&gt;If the default time is during your workday, select "Schedule" and change it to a weekend or another convenient time.&lt;br /&gt;Mac OS X&lt;br /&gt;Open System Preferences&lt;br /&gt;Select Software Update&lt;br /&gt;Click on "Automatically"&lt;br /&gt;Select "Weekly" from the pull-down menu to enable weekly automatic software updates, or "Monthly" for systems that are not often connected to the network.&lt;br /&gt;Windows&lt;br /&gt;Visit Microsoft's Windows Update page at &lt;a href="http://windowsupdate.microsoft.com/"&gt;http://windowsupdate.microsoft.com&lt;/a&gt; monthly.&lt;br /&gt;Click "Select Product Updates" to automatically search for necessary updates. (Current Windows versions install updates automatically by default and manage them from Settings rather than from this page.)&lt;br /&gt;Customers using other operating systems should check with their operating system vendor to determine and apply software updates.&lt;br /&gt;Do not open unexpected e-mail attachments without first confirming their contents with the sender. Do not open e-mail attachments sent by people you do not know.&lt;br /&gt;Is there any software that can help protect me?&lt;br /&gt;Install and maintain anti-virus software and virus definitions. Scan removable media for viruses before using them. To learn how IT customers can get free anti-virus software and how to keep virus definitions updated, read "&lt;a href="http://www.uh.edu/askshasta/"&gt;Using Anti-Virus Software&lt;/a&gt;".&lt;br /&gt;Back up systems thoroughly and often. 
Read "&lt;a href="http://www.uh.edu/askshasta/"&gt;Backing Up Your Computer&lt;/a&gt;" for more information.&lt;br /&gt;Home users may wish to download and use the Zone Alarm &lt;a href="http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci331881%20,00.html"&gt;personal firewall&lt;/a&gt; software for Windows from &lt;a href="http://www.zonelabs.com/"&gt;ZoneLabs, Inc.&lt;/a&gt;, free for personal use.&lt;br /&gt;Although not supported by IT, telnet customers can benefit from the use of &lt;a href="http://www.isp-planet.com/equipment/ssh_intro.html"&gt;SSH&lt;/a&gt; utilities such as &lt;a href="http://www.macssh.com/"&gt;MacSSH&lt;/a&gt; for Mac OS 9 or &lt;a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/"&gt;PuTTY&lt;/a&gt; for Windows. Most Linux, Mac OS X and other UNIX systems have SSH available by default. Visit &lt;a href="http://www.openssh.com/"&gt;http://www.openssh.com&lt;/a&gt; for more information.&lt;br /&gt;How can I avoid causing problems on the network?&lt;br /&gt;Turn computers off when leaving for the day or during extended periods of inactivity unless a special need requires that they be left on. Continuous connection to the network makes a computer more vulnerable to attack.&lt;br /&gt;Do not exchange copyrighted materials.&lt;br /&gt;IT Security monitors for internal attempts to compromise security. Scanning for network vulnerabilities or similar behavior is a violation of responsible use policies and penalties will be enforced.&lt;br /&gt;Why should I change my password?Special tools exist that automatically guess passwords by attempting them all. This process can take many weeks or months so changing a password every 30 days is a good policy to foil this process. However, these tools are often configured to use English and commonly used terms first, so in addition to changing your password often, use a password that is difficult to guess. 
Here are some tips on creating a better password:&lt;br /&gt;Passwords should be words that are difficult to guess but easy to remember.&lt;br /&gt;They should consist of at least eight characters, both letters and numbers.&lt;br /&gt;The more random and unusual the better. Note: The very best passwords use random, unconnected characters such as "sn8x@VA" or "Nx+@faS", but these can be difficult to remember (a password manager solves that by generating and storing them for you). One solution is transforming simple words. This can be done by taking a word such as "marionette" and rewriting it as "m@R10N3tt3", or rewriting "capsized" as "c@p5!zeD". These passwords are harder to guess than the plain words, but password-cracking tools carry rule sets that apply exactly these substitutions to every word in their dictionaries, so treat such rewrites as a modest improvement rather than a strong password; length (a passphrase of several unrelated words) or genuine randomness adds far more.&lt;br /&gt;More hints on passwords:&lt;br /&gt;Never use a blank field for your password. Access to all university systems should be protected by a password to prevent loss of data.&lt;br /&gt;IT Support Center encourages customers to change new passwords at the first opportunity and then once every 30 days.&lt;br /&gt;Avoid writing down your password unless it is in a secure place. For information on how to change your password, visit this month's &lt;a href="http://www.uh.edu/infotech/news/story.php?story_id=173"&gt;IT Support Center Frequently Asked Questions&lt;/a&gt;.&lt;br /&gt;What is Spam? Does it hurt the network?&lt;br /&gt;Spam is another word for unsolicited e-mail. Unlike ordinary advertising methods, marketing through e-mail is very inexpensive for companies and individuals but can be very costly in time and confusion for those who receive it, as spam is often designed to look like legitimate e-mail.&lt;br /&gt;Avoid purchasing products or services offered in unsolicited e-mail, as this encourages the distribution of millions of e-mail messages every year to UH servers, wasting bandwidth and productivity.&lt;br /&gt;Individuals may not send unsolicited e-mail about non-university products or services using the UH network. 
This is a violation of university policy and can result in legal action.&lt;br /&gt;Other tips:&lt;br /&gt;Do not assume your peers understand network safety—they are the group most likely to expose you to vulnerability.&lt;br /&gt;Close programs when you step away from them and password-protect screensavers to prevent unauthorized access.&lt;br /&gt;Lock doors and keep unauthorized users away from systems.&lt;br /&gt;Be familiar with the policies governing appropriate usage of university systems. Visit the &lt;a href="http://www.uh.edu/infotech/php/template.php?nonsvc_id=285"&gt;policies section&lt;/a&gt; of the Information Technology reference guide for more information about specific guidelines. They are designed to reduce opportunities for malicious hackers and maximize network availability.&lt;div class="blogger-post-footer"&gt;www.colasoft.com&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/802559115446473721-2683582822568475792?l=networksniffers.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://networksniffers.blogspot.com/feeds/2683582822568475792/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://networksniffers.blogspot.com/2008/10/network-safety.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/2683582822568475792'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/802559115446473721/posts/default/2683582822568475792'/><link rel='alternate' type='text/html' href='http://networksniffers.blogspot.com/2008/10/network-safety.html' title='Network safety'/><author><name>raytan</name><uri>http://www.blogger.com/profile/00571955821022779730</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry></feed>
