Cyber Security Threats to IP Enabled Alarm Systems
Network-facing alarm systems are exposed to the full range of cyber threats.
Internet-connected alarm systems, whether operated by end users or installers, send their alarm signals over the public internet and are therefore susceptible to all of its maladies, many of which affect alarm communications, either deliberately or as a side effect of an attack on a network or infrastructure.
There is a swag of threats that might impact cabled IP-based alarm communications. Denial-of-service attacks are attacks on a network designed to bring it to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks, there are software fixes that system administrators can install to limit the damage caused by the attacks. But, like viruses, new DoS attacks are constantly being dreamed up by hackers.
On the Internet, a denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as an alarm IP receiver, to be available or the temporary loss of all network connectivity and services. In the worst cases, for example, a Web site accessed by millions of people can occasionally be forced to temporarily cease operation. A denial of service attack can also destroy programming and files in a computer system. Although usually intentional and malicious, a denial of service attack can sometimes happen accidentally. A denial of service attack is a type of security breach to a computer system that does not usually result in the theft of information or other security loss. However, these attacks can cost the target person or company a great deal of time and money.
In a DoS or DDoS attack an IP-protocol communications system is suddenly flooded with such a volume of spurious commands that a sort of data roadblock is established, preventing genuine data traffic, such as an intruder alarm activation acknowledgement, from getting through. The result is the IP equivalent of a line failure in monitoring terms. By accident or design, DoS attacks can have the effect of blocking all transmissions to and from any security device or site within an organisation and/or the link to the 24-hour manned monitoring centre. In turn, this will reduce the effectiveness of response by the emergency services, key holder or the manned security patrol on-site.
A hacker begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS master. It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple – sometimes thousands of – compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets to the target causes a denial of service.
Teardrop attacks are a type of denial of service attack that exploits the way the Internet Protocol (IP) requires a packet that is too large for the next router to handle to be divided into fragments. Each fragment carries an offset relative to the beginning of the original packet, which enables the receiving system to reassemble the whole packet. In the teardrop attack, the attacker's system puts a confusing offset value in the second or later fragment. If the receiving operating system does not handle this situation, it can cause the system to crash.
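The following is an added example, not code from the original article, showing the fragment bookkeeping a defensive reassembler should do before copying any payload. The `Fragment` model and the two sample fragment sets are constructed here for illustration; the teardrop-style pair places the second fragment entirely inside the first, which is the overlap a careless reassembler turns into a negative copy length.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Fragment:
    # Constructed model of one IP fragment: byte offset into the original datagram,
    # payload length in bytes, and the More Fragments (MF) flag.
    offset: int
    length: int
    more: bool

    @property
    def end(self) -> int:
        return self.offset + self.length


def naive_copy_length(prev_end: int, frag: Fragment) -> int:
    # What a careless reassembler computes as "new bytes to copy" for a fragment that
    # ends inside data it already holds: the result is negative, and treating it as an
    # unsigned size is what crashed the IP stacks that teardrop targeted.
    return frag.end - prev_end


def reassembly_check(frags: List[Fragment]) -> str:
    # Validate a fragment set before any payload is copied. Returns "ok" or the first
    # anomaly found: "bad_fragment" (offset not a multiple of 8, since the header encodes
    # offsets in 8-byte units, or an empty payload), "overlap" (starts inside bytes already
    # received: the teardrop signature), "gap" (starts beyond the bytes received so far)
    # or "no_last" (no fragment has MF cleared, so the datagram never terminates).
    ordered = sorted(frags, key=lambda f: f.offset)
    expected_end = 0
    for f in ordered:
        if f.offset % 8 != 0 or f.length <= 0:
            return "bad_fragment"
        if f.offset < expected_end:
            return "overlap"
        if f.offset > expected_end:
            return "gap"
        expected_end = f.end
    if not ordered or ordered[-1].more:
        return "no_last"
    return "ok"


# Constructed samples: a normal two-fragment datagram, and a teardrop-style pair whose
# second fragment (bytes 24..28) lands entirely inside the first (bytes 0..36).
BENIGN = [Fragment(0, 1480, True), Fragment(1480, 520, False)]
TEARDROP = [Fragment(0, 36, True), Fragment(24, 4, False)]
```

A reassembler that rejects the datagram on "overlap" or "bad_fragment" never reaches the negative-length copy; `naive_copy_length` is kept only to show the value that a buggy stack would have used.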
Script kiddies are not technologically sophisticated but randomly seek out a specific weakness over the internet in order to gain root access to a system, without really understanding what it is they are exploiting, because the weakness was discovered by someone else. A script kiddie is not looking to target specific information or a specific company but rather uses knowledge of a vulnerability to scan the entire internet for a victim that possesses that vulnerability.
Port scanning is the act of systematically scanning a computer’s ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.
Types of port scans include:
* Vanilla: the scanner attempts to connect to all 65,535 ports
* Strobe: a more focused scan looking only for known services to exploit
* Fragmented packets: the scanner sends packet fragments that get through simple packet filters in a firewall
* UDP: the scanner looks for open UDP ports
* Sweep: the scanner connects to the same port on more than one machine
* FTP bounce: the scanner goes through an FTP server in order to disguise the source of the scan
* Stealth scan: the scanner blocks the scanned computer from recording the port scan activities.
Port scanning in and of itself is not a crime. There is no way to stop someone from port scanning a computer while it’s on the Internet because accessing an Internet server opens a port, which opens a door to the computer.
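Since a scan cannot be prevented, the defender's lever is recognising it. The following is an added example, not from the original article, that labels sources in a constructed firewall log in front of an alarm IP receiver with the scan patterns listed above (vanilla, strobe, sweep, UDP); the record layout, the thresholds and the set of well-known service ports are assumptions. Fragmented and stealth scans are not visible at this layer and are not labelled.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed connection-attempt records as a firewall in front of an alarm IP receiver
# might log them: (source_ip, dest_ip, dest_port, protocol). Not real traffic.
Attempt = Tuple[str, str, int, str]

# Ports a "strobe" scan typically probes: assumed list of well-known service ports.
KNOWN_SERVICE_PORTS = {21, 22, 23, 25, 80, 110, 143, 443, 445, 3389}


def classify_sources(attempts: List[Attempt], min_ports: int = 20,
                     min_hosts: int = 5) -> Dict[str, str]:
    # Label each source with the scan pattern its connection attempts resemble:
    # "sweep" (one or two ports across many hosts), "vanilla"/"udp" (many ports on a
    # host, TCP or UDP only), "strobe" (a handful of known service ports) or "normal".
    ports, hosts, protos = defaultdict(set), defaultdict(set), defaultdict(set)
    for src, dst, port, proto in attempts:
        ports[src].add(port)
        hosts[src].add(dst)
        protos[src].add(proto)
    labels = {}
    for src in ports:
        if len(hosts[src]) >= min_hosts and len(ports[src]) <= 2:
            labels[src] = "sweep"
        elif len(ports[src]) >= min_ports:
            labels[src] = "udp" if protos[src] == {"udp"} else "vanilla"
        elif len(ports[src]) >= 3 and ports[src] <= KNOWN_SERVICE_PORTS:
            labels[src] = "strobe"
        else:
            labels[src] = "normal"
    return labels


def sample_attempts() -> List[Attempt]:
    # Constructed log: four scanners of different styles plus the monitoring centre's
    # own legitimate polling of the receiver on its single service port.
    rows: List[Attempt] = []
    rows += [("10.0.0.5", "192.0.2.10", p, "tcp") for p in range(1, 201)]          # vanilla
    rows += [("10.0.0.6", "192.0.2.10", p, "tcp") for p in (21, 22, 23, 80, 443)]  # strobe
    rows += [("10.0.0.7", f"192.0.2.{h}", 23, "tcp") for h in range(10, 30)]       # sweep
    rows += [("10.0.0.9", "192.0.2.10", p, "udp") for p in range(1, 61)]           # udp
    rows += [("10.0.0.8", "192.0.2.10", 443, "tcp")] * 50                          # normal
    return rows


if __name__ == "__main__":
    for src, label in sorted(classify_sources(sample_attempts()).items()):
        print(src, label)
```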
Zombie attacks are made by a computer that has been implanted with a daemon that puts it under the control of a malicious hacker without the knowledge of the computer owner. Zombies are used by malicious hackers to launch DoS attacks. The hacker sends commands to the zombie through an open port. On command, the zombie computer sends an enormous volume of packets of useless information to a targeted Web site in order to clog the site's routers and keep legitimate users from gaining access to the site.
The traffic sent to the Web site is confusing and therefore the computer receiving the data spends time and resources trying to understand the influx of data that has been transmitted by the zombies. Compared to programs such as viruses or worms that can eradicate or steal information, zombies are relatively benign as they temporarily cripple web sites by flooding them with information and do not compromise the site’s data. Many big sites have been brought down by zombie DoS attacks. Zombies are also referred to as zombie ants.
Smurf attacks are a type of network security breach in which a network connected to the internet is swamped with replies to ICMP echo (PING) requests. A smurf attacker sends PING requests to an Internet broadcast address. These are special addresses that broadcast all received messages to the hosts connected to the subnet. Each broadcast address can support up to 255 hosts, so a single PING request can be multiplied 255 times. The return address of the request itself is spoofed to be the address of the attacker’s victim.
All the hosts receiving the PING request reply to this victim's address instead of the real sender's address. A single attacker sending hundreds or thousands of these PING messages per second can fill the victim's T-1 (or even T-3) line with ping replies, bringing the entire Internet service to its knees. Smurfing falls under the general category of denial-of-service attacks: security attacks that don't try to steal information, but instead attempt to disable a computer or network.
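The following is an added example, not code from the original article, that looks for the two observable signs of smurfing described above in a constructed set of ICMP records: echo requests aimed at a local subnet's broadcast address (the amplification step a border router should refuse to forward) and a single address receiving echo replies from many hosts (the victim's flood). The record layout, the local subnets and the reply threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed ICMP records (src_ip, dst_ip, icmp_type): type 8 is echo request, 0 is echo reply.
Icmp = Tuple[str, str, int]

# Assumed subnets behind the monitored network's border router.
LOCAL_SUBNETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]


def is_directed_broadcast(dst: str) -> bool:
    # A subnet becomes a smurf amplifier only if pings to its broadcast address are
    # forwarded; an inbound echo request to such an address should be dropped and logged.
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_SUBNETS)


def smurf_indicators(records: List[Icmp], min_repliers: int = 50) -> Dict[str, object]:
    # broadcast_pings: requests that would be amplified if forwarded; the source address
    # on such a request is the spoofed victim, not the attacker.
    # flooded: destinations receiving echo replies from at least min_repliers distinct
    # hosts, with the replier count as a measure of the amplification achieved.
    broadcast_pings = [(s, d) for s, d, t in records if t == 8 and is_directed_broadcast(d)]
    repliers: Dict[str, set] = defaultdict(set)
    for s, d, t in records:
        if t == 0:
            repliers[d].add(s)
    flooded = {d: len(srcs) for d, srcs in repliers.items() if len(srcs) >= min_repliers}
    return {"broadcast_pings": broadcast_pings, "flooded": flooded}


def sample_records() -> List[Icmp]:
    # Constructed traffic: one request to the broadcast address carrying the victim's
    # address as source, the 200 replies it triggers, and one ordinary ping exchange.
    rows: List[Icmp] = [("203.0.113.9", "192.0.2.255", 8)]
    rows += [(f"192.0.2.{h}", "203.0.113.9", 0) for h in range(1, 201)]
    rows += [("192.0.2.20", "192.0.2.10", 8), ("192.0.2.10", "192.0.2.20", 0)]
    return rows


if __name__ == "__main__":
    print(smurf_indicators(sample_records()))
```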