15

What type of attacks are there that do not use open TCP or open UDP ports?

Is it safe to assume that no open ports means no remote access?

(Excluding the possibility that there is a badware already on the machine that makes outgoing connections to send/receive data/instructions)

Edit: Looks like we also would have to disable ICMP to (help) prevent Denial Of Service type attacks and the possibility of buffer overflow or other undiscovered attacks. Also the possibility that the server would receive a spoofed ping that then sends the response to a third party victim for Denial Of Service

Edit: Looks like one should also look at good-ware "that makes outgoing connections to send/receive data/instructions" such as DNS. The DNS server instructs the UNIX machine what other machines to connect to and send/receive data for. One has to make sure that the DNS server is not hacked and the routers on the way are not hacked.

Edit: I am specifically referring to network attacks in this question. As far as client-side attacks (cookies, social engineering, XSS, etc.) that is not for this question.

Edit: I am attempting to (hopefully fully) secure the servers so that they (theoretically) will not need a firewall. Firewalls are intended but not part of this question.

Related: What security risks does IP spoofing bring?

Community
  • 1
700 Software
  • 13,807
  • 3
  • 52
  • 82
  • Is this intended to cover specifically Unix? If so, I would suggest specifying that in the question, since most wont notice the tag... Otherwise, you should remove it. – AviD Dec 27 '10 at 19:58
  • Good idea.. Done. – 700 Software Dec 27 '10 at 20:36
  • Your edits make me more confused. What sort of server are you running that doesn't have any open TCP or UDP ports? I guess you could mean e.g. a database server that actually always initiates persistent connections with the front-end web servers that it services. But if the machine is responding to requests initiated from elsewhere, that is a significant attack surface to consider. – nealmcb Dec 28 '10 at 23:36
  • 1
    While there are indeed some ICMP attacks, you also lose some management capabilities by turning off ping. DOS in general is hard to protect from, so it would help to know what your threat model is. – nealmcb Dec 28 '10 at 23:39
  • There will be open ports available to the web. But they are not part of the question. The question is meant to address the other types of attacks. Thank you for your comments. I am also confused by the answers list here. However, I have received some valuable information. – 700 Software Dec 29 '10 at 00:00

7 Answers7

11

Regardless of whether this should apply specifically to Unix, I would say that it is not safe to assume no access just because there are no open ports.

To wit, ICMP is usually listened to, even if no TCP or UDP ports are available.
And before you say, "But ICMP is just a simple Ping! It's irrelevant to attack using that!" check these out:

And while these are all pretty much historical (with the exception of the last), I wouldn't rule out additional, future attacks.

In addition, there are the indirect attacks, such as those that attack the infrastructure that the closed-off system would itself access - e.g. DNS poisoning...

AviD
  • 72,138
  • 22
  • 136
  • 218
  • OK, so to completely secure a server one would also want to disable ICMP??? also check on any type of instructions sources the server is looking for intentionally (such as DNS servers or routers that are on the way to the DNS server) – 700 Software Dec 27 '10 at 20:44
  • Note that some of the above attacks were not just DoS... Also, if the server has outgoing connections, poisoning the DNS server that the server uses to resolve addresses, could cause it to send its requests to bogus, malicious servers. – AviD Dec 27 '10 at 20:48
8

What type of attacks are there that do not use open TCP or open UDP ports?

This is way too general of a question. I'm answering this very literally, not to be a jerk, but because in security it's best to assume nothing. Here are some classes of attacks that do not use open TCP or UDP ports:

  • Social engineering: get someone to connect outbound from the machine to an attack site (or attach a thumb drive or bad media)
  • Physical access, keyloggers, etc
  • An attack at the IP level (IP stack vulnerabilities)
  • NTP: usually turned on by default and might not be bug-free
  • DHCP: is dhcp turned off? an attacker on the local net could push a PXE boot image to your ethernet card and load their OS.

Is it safe to assume that no open ports means no remote access?

  • Drive-by downloads that get executed could call out (including pinging out bound and getting ctrl data via ping reply)
  • Package managers could pull down trojaned software setting up call-out malware
  • Bluetooth access

I think your real question should be: "What kinds of remote exploits can be used to root my machine if it has no open TCP or UDP ports?"

Attacks can mean any number of things to people including Van Eck Phreaking.

Bradley Kreider
  • 6,152
  • 2
  • 23
  • 36
  • I am aware of the fact that I must not assume anything. I am trying to get a handle on one area of attack right now. Specifically for a server. I am not considering Social engineering, Physical access, Drive-by downloads (*"good-ware "that makes outgoing connections to send/receive data/instructions"*). Also there is no Bluetooth. Also I am not simply concerned about root access. I edited my question title to say UNIX Server. Please try to bear with me. A single paragraph, comma separated and a no assumptions statement should be plenty to make sure I know I am not covering everything. – 700 Software Dec 28 '10 at 17:33
  • @GeorgeBailey: I am bearing with you. You have to understand that people aren't just answering you, but also future people that stumble onto your question. If you don't narrowly describe your question, people will find valid attacks that you didn't think to constrain from the answers. When i said "assume nothing" i was talking about me answering your question. – Bradley Kreider Jan 03 '11 at 06:20
7

The fundamental problem of these classes of attacks is not within TCP or UDP protocols themselves, it is with the requirement of applications to process data from an untrusted (or less trusted) source, and faulty design and/or QA within said applications.

If your server is running any applications which process input from a source which does not have the same level of trust as your server, and you do not have a strong QA process in place for said applications, you are vulnerable.

For example, though several buffer overflows have presented themselves via pre-authentication communications with applications that happen to listen on TCP and UDP ports, they can just as easily be presented in routines that read data from a network resource that does not involve a listening connection, or even in functions that read from local resources such as files and databases, in many of these cases the programmer does not have the hostile mindset to the data that they do with socket programming. It is my experience that this is where the low-hanging fruit is found.

In my opinion, you are looking for a unicorn, and the only way you will end up with your current desired result is by leaving your server in a clean and locked room with no network connection at all. The primary goal of a server is functionality, not security, and compromises must be made with regards to untrusted input. The way to mitigate this risk, while still delivering functionality, is to enable only the functionality needed and to compensate for the required services by QA/audit processes such as code review and penetration testing, operational processes such as monitoring and incident response, and infrastructure to prevent or detect undesired input and connectivity.

fianchetto
  • 454
  • 2
  • 5
6

Even if your operating system is completely secure, your hardware may be vulnerable. Many network cards respond to various remote administration protocols (Wake-on-LAN, Alert-on-LAN, ASF, …).

In practice, an actual vulnerability has many requirements:

  • at least one of these features must be supported;
  • the feature must be enabled at least at some level (it's usually off as shipped);
  • the OS must not have disabled the feature at boot time (this is one case where a computer is more vulnerable when it's turned off);
  • the attacker must be on the right side of any self-respecting firewall (most of these features use UDP);
  • and of course the firmware must be vulnerable (example: CVE, FAQ).
Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
4

If one permits DNS, then one permits IP over DNS.

3

If you can ensure that your network hardware has no open ports for any protocol then it will not be able to receive packets - this will make it very unlikely to be attacked through the network, however if you were wanting all ports closed, I would advise unplugging the network cable because I can think of a potential issue:

  • you could have a rootkit which reports closed ports when in actuality there is one open
Rory Alsop
  • 61,367
  • 12
  • 115
  • 320
  • The machines in questions are fresh servers and they will not have any bad-ware (not even a rootkit). Also since they are servers I will not be able to unplug the network cable. – 700 Software Dec 27 '10 at 20:35
1

It is absolutely not safe. Here is a simple example: a user of the machine browses the web, visits sketchy web sites, and clicks on various links. This can easily cause the security of the machine to be compromised (e.g., by drive-by downloads, or by social engineering to fool the user into installing malware). This is true even if the OS does not have any open ports it is listening on.

D.W.
  • 98,420
  • 30
  • 267
  • 572