
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Ports and Sockets

How networked computers share information and perform a range of tasks through a thin wire attached to them can seem like a dark art at times. The simplest analogy is to think of your computer like a bank. Inside of the bank there are many different things going on, but any time that information is coming in or going out across a network, it goes through the tellers.

Network connections are made through ports, which can be considered analogous to the teller windows. Ports are numbered, from 1 to 65535, with different protocols and information types that are specifically linked to certain ports. For example, some common ports are:

Just like teller windows in a bank, ports can be open or closed. If a port is closed, it cannot have an active network connection, unless something inside the system specifically opens the port. With a valid IP address and an open port, a socket will exist. The socket can be considered to be the bank teller, who can take information from outside the system, pass it internally, and then pass information back out of the system. Any time that a computer has a port open, it is possible for a remote system to send information to that port, and try to exploit the service listening on that port.
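The open/closed distinction above, as an added example that is not part of the original column: a listening socket on the loopback address makes a port "open" (a teller is at the window), and closing that socket makes the operating system refuse further connections. A connection attempt that gets no answer at all is reported separately, since that is what a firewall silently dropping packets looks like from the outside.

```python
import socket
from contextlib import closing


def probe_port(host: str, port: int, timeout: float = 0.5) -> str:
    """Return 'open' if a listener accepts a TCP connection on host:port,
    'closed' if the OS actively refuses it (nothing is listening there), or
    'filtered' if no answer arrives at all (typically a firewall dropping it)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def open_then_close_port() -> tuple:
    """Open a port by creating a listening socket, probe it, shut the window
    again by closing the socket, and probe once more."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Bind only to 127.0.0.1: the socket exists, but only this machine can reach it.
    # Port 0 asks the OS to pick any free port, so the example never collides.
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = probe_port("127.0.0.1", port)
    listener.close()  # no socket on the port any more: the OS now refuses connections
    after_close = probe_port("127.0.0.1", port)
    return while_open, after_close
```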

An example of this is the RPC service which is active by default on Windows XP installations. In the default install environment, this service is exploitable by a remote hacker. This means that if you bought a new computer which had Windows XP as the operating system, and you plugged it into an internet connection without patching it, or firewalling off the service, then you would eventually find that someone would gain control of your computer via this security hole, usually within an hour of connecting it. Unfortunately, the RPC service is critical to the smooth operation of a Windows XP system, so it cannot simply be turned off. However, some operating systems will not allow connections from remote systems to certain ports, even though they are open, and have a socket (bank teller) present. Such systems include OS X and various Linux distributions.

Now that network connections from a computer can be understood as being like tellers in a bank, it is time to consider how these connections can be used and abused by various agents. The first abuse of network connections is a DoS (denial of service) attack. This is where so much information is being pushed into the port that the system cannot handle it and either stops supplying information, or can only reply to a small proportion of requests. This is like thousands of people trying to withdraw / deposit / find balance amounts all at the same time from the same teller. Eventually the teller will not be able to cope with the amount of information.

The next step from this is a DDoS (distributed DoS) attack, where requests come in from as many different systems as possible to the one port. A simple DoS is easy to stop as it all comes from one address, and that address can be blocked, like a bank security guard stopping someone from harassing a teller. When multiple systems are used, it becomes more difficult to separate legitimate requests from fake requests.

The next abuse is a directed attack against a service with the intention of gaining control of the system. This is equivalent to a bank robbery. There are a couple of ways that this attack can take place. In the first case a request can be made to each port in sequence, taking note of which ports respond, and then directing attacks against those services. In our bank analogy, this would mean someone knocking on each teller window in sequence, noting which ones are open - which would definitely be noticed as suspicious activity. The second case is where a directed attack is made against a service on a port in the hope that that particular port is open, and running a service. If the port is closed, then nothing will happen, but if it is open (such as the Windows XP default RPC service), then an attack may be successful. In the bank analogy, this would be someone walking up to a specific window and pulling a gun. If the window is closed, nothing happens, but if it is open, a robbery may take place. A successful exploitation of a service may result in the complete compromise of the system. Once this happens, the attacker can open any port and run any service they want. This would be like a bank robbery where the robbers gained control of the bank, but carried on business, opening various new teller windows for their special friends.

The final abuse that will be considered in this column is a man in the middle attack. This is where a system is placed to intercept all network communication between your computer and any other. This attack can be passive, where simple eavesdropping and logging takes place, or active, where the intercepting system subtly changes the information that is flowing back and forth. Wireless network connections are more susceptible to this kind of attack by the nature of their design.

A firewall can help prevent a number of attacks and compromises from getting through to a system. Unfortunately, a poorly configured firewall provides no security at all. Using the bank analogy, a firewall is equivalent to a security guard who controls access to the teller windows, and the tellers themselves. If his instructions are well laid out, he will be a massive improvement to security, but if his instructions are non-existent, he will contribute nothing. A well configured firewall will prevent access to all ports except the ones specifically allowed for by the system owner. It may also allow connections to be initialised by the system, but not accept connections made by other systems. It should then be able to manage all of this with respect to distinct internet addresses, blocking off address zones which have historically been attacking the system and giving more access to trusted addresses. A firewall can be as simple as an application (a software firewall) that launches at system startup, or it can be built into networking hardware (a hardware firewall, which is really a specialised software firewall) like modems or routers.
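The firewall behaviour described above, as an added example that is not from the original column or any real firewall product: a small policy evaluator that denies inbound connections by default, allow-lists specific ports, lets replies to connections the system itself initialised back in, drops historically hostile address zones outright, and grants trusted addresses extra ports. The rule set, addresses (from the RFC 5737 documentation ranges) and port numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Firewall:
    """Hypothetical default-deny inbound policy (constructed for this example)."""
    allowed_inbound_ports: set = field(default_factory=set)   # ports the owner opened
    blocked_zones: list = field(default_factory=list)         # ip_network objects
    trusted_hosts: dict = field(default_factory=dict)         # ip_address -> extra ports
    _outbound: set = field(default_factory=set)               # (remote_ip, remote_port, local_port)

    def connect_out(self, remote_ip: str, remote_port: int, local_port: int) -> None:
        """Record a connection initialised by our own system so its replies pass."""
        self._outbound.add((ip_address(remote_ip), remote_port, local_port))

    def inbound(self, src_ip: str, src_port: int, dst_port: int) -> str:
        """Decide what happens to a packet arriving from src_ip:src_port at dst_port."""
        src = ip_address(src_ip)
        # 1. Address zones that have historically attacked us are dropped first.
        if any(src in zone for zone in self.blocked_zones):
            return "DROP: blocked zone"
        # 2. Replies to connections we started are let back in (stateful rule).
        if (src, src_port, dst_port) in self._outbound:
            return "ACCEPT: reply to outbound"
        # 3. Unsolicited connections only reach explicitly opened ports...
        if dst_port in self.allowed_inbound_ports:
            return "ACCEPT: allowed port"
        # 4. ...or the extra ports granted to a trusted address.
        if dst_port in self.trusted_hosts.get(src, set()):
            return "ACCEPT: trusted host"
        return "DROP: default deny"


def demo() -> list:
    """Run a constructed set of packets through a constructed policy."""
    fw = Firewall(allowed_inbound_ports={80, 443},
                  blocked_zones=[ip_network("203.0.113.0/24")],
                  trusted_hosts={ip_address("198.51.100.7"): {22}})
    fw.connect_out("192.0.2.10", 443, 51234)      # our own browser opened this connection
    return [
        fw.inbound("192.0.2.10", 443, 51234),     # reply to our request
        fw.inbound("192.0.2.10", 40000, 51234),   # unsolicited packet to the same local port
        fw.inbound("198.51.100.7", 40001, 22),    # trusted admin host reaching SSH
        fw.inbound("192.0.2.99", 40002, 22),      # anyone else reaching SSH
        fw.inbound("192.0.2.99", 40003, 135),     # the Windows RPC port never opened to the outside
        fw.inbound("203.0.113.5", 40004, 80),     # blocked zone loses even the allowed web port
    ]
```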

18 April 2005

