Monday, May 18, 2009

DNS or other Services works on both TCP and UDP

DNS and some other services work on both the protocols. We will take an example of DNS Service. Two protocols are somewhat different from each other. TCP is a connection-oriented protocol and it requires data to be consistent at the destination and UDP is connection-less protocol and doesn't require data to be consistent or don't need a connection to be established with host for consistency of data.
 
UDP packets are smaller in size. UDP packets can not be greater then 512 bytes. So any application needs data to be transferred greater than 512 bytes require TCP in place. For example, DNS uses both TCP and UDP for valid reasons described below. Note that UDP messages are not larger than 512 Bytes and are truncated when greater than this size.  DNS uses TCP for Zone transfer and UDP for name queries either regular (primary) or reverse. UDP can be used to exchange small information whereas TCP must be used to exchange information larger than 512 bytes. If a client doesn't get response from DNS it must re-transmit the data using TCP after 3-5 seconds of interval.
 
There should be consistency in DNS Zone database. To make this, DNS always transfer Zone data using TCP because TCP is reliable and make sure zone data is consistent by transferring the full zone to other DNS servers who has requested the data.
 
The problem occurs when Windows 2000 server and Advanced Server products uses Dynamic ports for all above 1023. In this case your DNS server should not be internet facing i.e. doing all standard queries for client machines on the network. The router (ACL) must permitted all UDP inbound traffic to access any high UDP ports for it to work.
 
LDAP always uses TCP - this is true and why not UDP because a secure connection is established between client and server to send the data and this can be done only using TCP not UDP. UDP is only used when finding a domain controller (Kerberos) for authentication. For example, a domain client finding a domain controller using DNS.
 
Posted by at No comments:

Tuesday, May 12, 2009

The 10 faces of computer malware


The complexity of today’s IT environment makes it easy for computer malware to exist, even flourish. Being informed about what’s out there is a good first step to avoid problems.

With all the different terms, definitions, and terminology, trying to figure out what’s what when it comes to computer malware can be difficult. To start things off, let’s define some key terms that will be used throughout the article:

  • Malware: Is malicious software that’s specifically developed to infiltrate or cause damage to computer systems without the owners knowing or their permission.
  • Malcode: Is malicious programming code that’s introduced during the development stage of a software application and is commonly referred to as the malware’s payload.
  • Anti-malware: Includes any program that combats malware, whether it’s real-time protection or detection and removal of existing malware. Anti-virus, anti-spyware applications and malware scanners are examples of anti-malware.

One important thing to remember about malware is that like its biological counterpart the number one goal is reproduction. Causing damage to a computer system, destroying data, or stealing sensitive information are all secondary objectives.

Keeping the above definitions in mind, let’s take a look at 10 different types of malware.

1: The infamous computer virus

A computer virus is malware that’s capable of infecting a computer but has to rely on some other means to propagate. A true virus can only spread from the infected computer to a non-infected computer by attaching to some form of executable code that’s passed between the two computers. For example, a virus could be hidden in a PDF file attached to an e-mail message. Most viruses consist of the following three parts:

  • Replicator: When the host program is activated, so is the virus and the viral malcode’s first priority is to propagate.
  • Concealer: The computer virus can employ one of several methods to hide from anti-malware.
  • Payload: The malcode payload of a virus can be purposed to do just about anything, from disabling computer functions to destroying data.

Some examples of computer viruses currently in the wild are W32.Sens.A, W32.Sality.AM, and W32.Dizan.F. Most quality anti-virus software will remove computer viruses once the application has the signature file for the virus.

2: The ever popular computer worm

Computer worms are more sophisticated than viruses, being able to replicate without user intervention. If the malware uses networks (Internet) to propagate it’s a worm rather than a virus. The main components of a worm are:

  • Penetration tool: Malcode that leverages vulnerabilities on the victim computer to gain access.
  • Installer: The penetration tool gets the computer worm past the initial defense mechanism. At that point the installer takes over and transfers the main body of malcode to the victim.
  • Discovery tool: Once settled in, the worm uses several different methods to discover other computers on the network, including e-mail addresses, Host lists, and DNS queries.
  • Scanner: The worm uses a scanner to determine if any of the newly-found target computers are vulnerable to the exploits available in its penetration tool.
  • Payload: Malcode that resides on each victim’s computer. Could be anything from a remote access application to a key logger used to capture user names and passwords.

This category of malware is unfortunately the most prolific, starting with the Morris worm in 1988 and continuing today with the Conficker worm. Most computer worms can be removed by using malware scanners such as MBAM or GMER.

3: The unknown backdoor

Backdoors are similar to the remote access programs that many of us use all the time. They’re considered malware when installed without permission, which is exactly what an attacker wants to do, by using the following methods:

  • One installation method used is to exploit vulnerabilities on the target computer.
  • Another approach is to trick the user into installing the backdoor through social engineering.

Once installed, back doors allow attackers complete remote control of the computer under attack. SubSeven, NetBus, Deep Throat, Back Orifice, and Bionet are backdoors that have gained notoriety. Malware scanners like MBAM and GMER are usually successful at removing backdoors.

4: The secretive trojan horse

It’s difficult to come up with a better definition for trojan horse malware than Ed Skoudis and Lenny Zelter did in their book Malware: Fighting Malicious Code:

“A trojan horse is a program that appears to have some useful or benign purpose, but really masks some hidden malicious functionality.”

Trojan horse malware cloaks the destructive payload during installation and program execution, preventing anti-malware from recognizing the malcode. Some of the concealment techniques include:

  • Rename the malware to resemble files that are normally present.
  • Corrupt installed anti-malware to not respond when malware is located.
  • Polymorphic code is used to alter the malware’s signature faster than the defensive software can retrieve new signature files.

Vundo is a prime example; it creates pop up advertising for rogue anti-spyware programs, degrades system performance, and interferes with Web browsing. Typically, a malware scanner installed on a LiveCD  is required to detect and remove it.

5: Adware/Spyware, more than an annoyance

Adware is software that creates pop-up advertisements without the user’s permission. Typically the way adware gets installed is by being a component of free software. Besides being very irritating, adware can significantly decrease computer performance.

Spyware is software that collects information from your computer without your knowledge. Free software is notorious for having spyware as a payload, so reading the user agreement is very important. The Sony BMG CD copy protection scandal is probably the most notable example of spyware.

Most quality anti-spyware program will quickly find unwanted adware/spyware and remove it from the computer. It’s also not a bad idea to regularly remove temp files, cookies, and browsing history from the Web browser program as preventative maintenance.

Malware stew

Up until now, all the malware discussed has distinctive characteristics, making each type easy to define. Unfortunately that’s not the case with the next categories. Malware developers have figured out how to combine the best features from different types of malware in an attempt to improve their success ratio.

Rootkits are an example of this, integrating a trojan horse and a backdoor into one package. When used in this combination, an attacker can gain access to a computer remotely and do so without raising any suspicion. Rootkits are one of the more important combined threats, so let’s take a deeper look at them.

Rootkits: Uniquely different

Rootkits are in a class all their own, choosing to modify the existing operating system instead of adding software at the application level like most malware. That’s significant, because it makes detection by anti-malware that much more difficult.

There are several different types of rootkits, but three make up the vast majority of those seen in the wild. They are user-mode, kernel-mode, and firmware rootkits. User-mode and kernel-mode may need some explanation:

  • User mode: Code has restricted access to software and hardware resources on the computer. Most of the code running on your computer will execute in user mode. Due to the restricted access, crashes in user mode are recoverable.
  • Kernel mode: Code has unrestricted access to all software and hardware resources on the computer. Kernel mode is generally reserved for the most trusted functions of the operating system. Crashes in kernel mode aren’t recoverable.

6: User-mode rootkits

It’s now understood that user-mode rootkits run on a computer with the same privileges reserved for administrators. This means that:

  • User-mode rootkits can alter processes, files, system drivers, network ports, and even system services.
  • User-mode rootkits remain installed by copying required files to the computer’s hard drive, automatically launching with every system boot.

Hacker Defender is one example of a user-mode rootkit and luckily Mark Russinovich’s well-known application Rootkit Revealer is able to detect it as well as most other user-mode rootkits.

7: Kernel-mode rootkits

Since rootkits running in user-mode can be found and removed, rootkit designers changed their thinking and developed kernel-mode rootkits:

  • Kernel-mode means the rootkit is installed at the same level as the operating system and rootkit detection software.
  • This allows the rootkit to manipulate the operating system to a point where the operating system can no longer be trusted.

Instability is the one downfall of a kernel-mode rootkit, typically leading to unexplained crashes or blue screens. At that point, it might be a good idea to try GMER. It’s one of a few trusted rootkit removal tools that has a chance against kernel-mode rootkits like Rustock.

8: Firmware rootkits

Firmware rootkits are the next step up in sophistication, with rootkit developers figuring out how to store rootkit malcode in firmware. The altered firmware could be anything from microprocessor code to PCI expansion card firmware. This means that:

  • When the computer is shut down the rootkit writes the current malcode to the specified firmware.
  • Restart the computer and the rootkit reinstalls itself.

Even if a removal program finds and eliminates the firmware rootkit, the next time the computer starts, the firmware rootkit is right back in business.

9: Malicious mobile code

In relative anonymity, malicious mobile code is fast becoming the most effective way to get malware installed on a computer. First, let’s define mobile code as software that’s:

  • Obtained from remote servers.
  • Transferred across a network.
  • Downloaded and executed on a local system.

Examples of mobile code include JavaScript, VBScript, ActiveX controls, and Flash animations. The primary idea behind mobile code is active content, which is easy to recognize. It’s the dynamic page content that makes Web browsing an interactive experience.

What makes mobile code malicious? Installing it without the owner’s permission or misleading the user as to what the software does. To make matters worse, it’s usually the first step of a combined attack, similar to the penetration tool used by trojan horse malware. After which the attacker can install additional malware.

The best way to combat malicious mobile code is to make sure that the operating system and all ancillary software is up to date.

10: Blended threat

Malware is considered a blended threat when it seeks to maximize damage and propagate efficiently by combining several pieces of single-intentioned malcode. That said, blended threats deserve special mention as security experts grudgingly admit they’re the best at what they do. A blended threat typically includes the following abilities:

  • Exploit several known vulnerabilities or even create vulnerabilities.
  • Incorporate alternate methods for replicating.
  • Automate code execution, which eliminates user interaction.

Blended threat malware for example may send an HTML e-mail message containing an embedded trojan horse along with a PDF attachment containing a different type of trojan horse. Some of the more famous blended threats are Nimda, CodeRed, and Bugbear. Removing blended threat malware from a computer may take several different pieces of anti-malware as well as using malware scanners installed on a LiveCD.

Final thoughts

Malware: is it even possible to reduce the harmful effect it causes? Here are a few final thoughts on that subject:

  • Malware isn’t going away any time soon. Especially when it became evident that money, lots of money can be made from its use.
  • Since all anti-malware applications are reactionary, they are destined to fail.
  • Developers who create operating system and application software need to show zero tolerance for software vulnerabilities.
  • Everyone who uses computers needs to take more ownership in learning how to react to the ever-changing malware environment in.
  • It cannot be stressed enough, please make sure to keep operating system and application software up to date.

Posted by at No comments:

Monday, May 11, 2009

TCP Connections: The Three-Way Handshake


The three-way handshake in Transmission Control Protocol (also called the three message handshake) is the method used to establish and tear down network connections. This handshaking technique is referred to as the 3-way handshake or as "SYN-SYN-ACK" (or more accurately SYN, SYN-ACK, ACK). The TCP handshaking mechanism is designed so that two computers attempting to communicate can negotiate the parameters of the network connection before beginning communication. This process is also designed so that both ends can initiate and negotiate separate connections at the same time.

3-Way Handshake Description

Below is a (very) simplified description of the TCP 3-way handshake process. Refer to the diagram on the right as you examine the list of events on the left.

EVENTDIAGRAM

Host A sends a TCP SYNchronize packet to Host B

Host B receives A's SYN

Host B sends a SYNchronize-ACKnowledgement

Host A receives B's SYN-ACK

Host A sends ACKnowledge

Host B receives ACKTCP connection is ESTABLISHED.

three-way handshake

SYNchronize and ACKnowledge messages are indicated by a bit inside the TCP header of thesegment.

TCP knows whether the network connection is opening, synchronizing or established by using theSYNchronize and ACKnowledge messages when establishing a network connection.

When the communication between two computers ends, another 3-way communication is performed to tear down the TCP connection. This setup and teardown of a TCP connection is part of what qualifies TCP a reliable protocol.

Note that UDP does not perform this 3-way handshake and for this reason, it is referred to as an unreliable protocol.

Protocols Encapsulated in TCP

Note that FTPTelnetHTTP

HTTPSSMTPPOP3IMAPSSH and any other protocol that rides overTCP also has a three way handshake performed as connection is opened. HTTP web requests, SMTPemails, FTP file transfers all manage the messages they each send. TCP handles the transmission of those messages.

TCP rides on top of Internet Protocol (IP) which is why it is called TCP/IP (TCP over IP). TCP segments are passed inside the payload section of the IP packets. IP handles addressing and routing and gets the packets from one place to another, but TCP handles the actual communication between hosts.



Posted by at No comments:

Technical Interview Questions – Networking

  • What is an IP address?
  • What is a subnet mask?
  • What is ARP?
  • What is ARP Cache Poisoning?
  • What is the ANDing process?
  • What is a default gateway? What happens if I don't have one?
  • Can a workstation computer be configured to browse the Internet and yet NOT have a default gateway?
  • What is a subnet?
  • What is APIPA?
  • What is an RFC? Name a few if possible (not necessarily the numbers, just the ideas behind them)
  • What is RFC 1918?
  • What is CIDR?
  • You have the following Network ID: 192.115.103.64/27. What is the IP range for your network?
  • You have the following Network ID: 131.112.0.0. You need at least 500 hosts per network. How many networks can you create? What subnet mask will you use?
  • You need to view at network traffic. What will you use? Name a few tools
  • How do I know the path that a packet takes to the destination?
  • What does the ping 192.168.0.1 -l 1000 -n 100 command do?
  • What is DHCP? What are the benefits and drawbacks of using it?
  • Describe the steps taken by the client and DHCP server in order to obtain an IP address.
  • What is the DHCPNACK and when do I get one? Name 2 scenarios.
  • What ports are used by DHCP and the DHCP clients?
  • Describe the process of installing a DHCP server in an AD infrastructure.
  • What is DHCPINFORM?
  • Describe the integration between DHCP and DNS.
  • What options in DHCP do you regularly use for an MS network?
  • What are User Classes and Vendor Classes in DHCP?
  • How do I configure a client machine to use a specific User Class?
  • What is the BOOTP protocol used for, where might you find it in Windows network infrastructure?
  • DNS zones – describe the differences between the 4 types.
  • DNS record types – describe the most important ones.
  • Describe the process of working with an external domain name
  • Describe the importance of DNS to AD.
  • Describe a few methods of finding an MX record for a remote domain on the Internet.
  • What does "Disable Recursion" in DNS mean?
  • What could cause the Forwarders and Root Hints to be grayed out?
  • What is a "Single Label domain name" and what sort of issues can it cause?
  • What is the "in-addr.arpa" zone used for?
  • What are the requirements from DNS to support AD?
  • How do you manually create SRV records in DNS?
  • Name 3 benefits of using AD-integrated zones.
  • What are the benefits of using Windows 2003 DNS when using AD-integrated zones?
  • You installed a new AD domain and the new (and first) DC has not registered its SRV records in DNS. Name a few possible causes.
  • What are the benefits and scenarios of using Stub zones?
  • What are the benefits and scenarios of using Conditional Forwarding?
  • What are the differences between Windows Clustering, Network Load Balancing and Round Robin, and scenarios for each use?
  • How do I work with the Host name cache on a client computer?
  • How do I clear the DNS cache on the DNS server?
  • What is the 224.0.1.24 address used for?
  • What is WINS and when do we use it?
  • Can you have a Microsoft-based network without any WINS server on it? What are the "considerations" regarding not using WINS?
  • Describe the differences between WINS push and pull replications.
  • What is the difference between tombstoning a WINS record and simply deleting it?
  • Name the NetBIOS names you might expect from a Windows 2003 DC that is registered in WINS.
  • Describe the role of the routing table on a host and on a router.
  • What are routing protocols? Why do we need them? Name a few.
  • What are router interfaces? What types can they be?
  • In Windows 2003 routing, what are the interface filters?
  • What is NAT?
  • What is the real difference between NAT and PAT?
  • How do you configure NAT on Windows 2003?
  • How do you allow inbound traffic for specific hosts on Windows 2003 NAT?
  • What is VPN? What types of VPN does Windows 2000 and beyond work with natively?
  • What is IAS? In what scenarios do we use it?
  • What's the difference between Mixed mode and Native mode in AD when dealing with RRAS?
  • What is the "RAS and IAS" group in AD?
  • What are Conditions and Profile in RRAS Policies?
  • What types or authentication can a Windows 2003 based RRAS work with?
  • How does SSL work?
  • How does IPSec work?
  • How do I deploy IPSec for a large number of computers?
  • What types of authentication can IPSec use?
  • What is PFS (Perfect Forward Secrecy) in IPSec?
  • How do I monitor IPSec?
  • Looking at IPSec-encrypted traffic with a sniffer. What packet types do I see?
  • What can you do with NETSH?
  • How do I look at the open ports on my machine?
Posted by at No comments:
Subscribe to: Posts (Atom)