The Dangers of PPP
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
PPP means you don't need a cable or DSL modem to be vulnerable to hacking.
by Rik Farrow
The advent of Digital Subscriber Line (DSL) and cable modems has brought with it an avalanche of dire warnings. Doomsayers proclaim that people with always-on Internet connections are at great risk of having their home systems hacked—greater than those with dial-up connections. The truth, as usual, is somewhere in between.
While DSL and cable modem users do face a greater risk of Internet attacks than do dial-up users, the main difference is one of magnitude. When you use PPP (defined in RFC 1661), your system becomes part of the Internet and is subject to scans and attacks. And using a modem to connect a desktop system directly to the Internet, bypassing your organization's firewall, may expose your internal network to attacks.
DSL and cable modem users are already facing attacks because the address ranges used by suppliers of these full-time connections are known. If past history is any guide, attacks that target systems with always-on connections will increase.
Any system connected to the Internet needs protection. For desktop systems, software or hardware firewalls make sense, whether you use a modem or a full-time link.
PPP defines a method for encapsulating and transporting other network protocols. PPP supports IP and other protocols, such as NetWare and AppleTalk.
PPP is primarily used to set up connections over serial lines connected by modems. The protocol handles authentication, negotiates compression, monitors link reliability, and also handles breaking down a connection. Each PPP header includes a description of the protocol encapsulated.
When you use PPP to connect to the Internet, you are primarily using IP over PPP. At your end of the connection, a default route is added that directs your IP packets to the Internet via the PPP link. At the ISP's end, a route already exists that directs packets to your end of the PPP connection.
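The framing described above, as an added example that is not part of the original article: a small encoder and decoder for PPP frames in the HDLC-like framing of RFC 1661/1662, showing the address/control bytes, the protocol field that names the encapsulated protocol, byte stuffing, and the 16-bit FCS check that rejects a corrupted frame. The protocol table is a subset of the registered values; the IP header bytes are constructed sample data.

```python
# Added example (not from the article): encode/decode PPP frames (RFC 1661/1662).
PPP_FLAG, PPP_ESC = 0x7E, 0x7D
# Subset of registered PPP protocol numbers (RFC 1661 / IANA PPP registry).
PROTOCOLS = {0x0021: "IP", 0x002B: "IPX", 0x0029: "AppleTalk",
             0x8021: "IPCP", 0xC021: "LCP", 0xC023: "PAP", 0xC223: "CHAP"}
# Constructed 20-byte IPv4 header (10.0.0.1 -> 10.0.0.2, UDP); checksum left zero.
SAMPLE_IP = bytes.fromhex("4500001c00010000401100000a0000010a000002")

def fcs16(data, fcs=0xFFFF):
    """PPP 16-bit frame check sequence (CRC-16 with reflected polynomial 0x8408)."""
    for b in data:
        fcs ^= b
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs

def encode_frame(proto, info):
    """Build one frame: address 0xFF, control 0x03, 2-byte protocol, info, FCS, flags."""
    body = bytes([0xFF, 0x03, proto >> 8, proto & 0xFF]) + info
    fcs = fcs16(body) ^ 0xFFFF
    body += bytes([fcs & 0xFF, fcs >> 8])          # FCS goes on the wire LSB first
    out = bytearray([PPP_FLAG])
    for b in body:                                 # byte-stuff flag, escape and control chars
        if b in (PPP_FLAG, PPP_ESC) or b < 0x20:
            out += bytes([PPP_ESC, b ^ 0x20])
        else:
            out.append(b)
    out.append(PPP_FLAG)
    return bytes(out)

def decode_frame(raw):
    """Return (protocol name, payload); raise ValueError on framing or FCS errors."""
    if len(raw) < 6 or raw[0] != PPP_FLAG or raw[-1] != PPP_FLAG:
        raise ValueError("missing flag bytes")
    body, it = bytearray(), iter(raw[1:-1])
    for b in it:                                   # undo byte stuffing
        if b == PPP_ESC:
            b = next(it, None)
            if b is None:
                raise ValueError("dangling escape byte")
            b ^= 0x20
        body.append(b)
    if fcs16(body) != 0xF0B8:                      # residue left by a correct FCS
        raise ValueError("bad FCS: frame corrupted or altered in transit")
    body = bytes(body[:-2])
    if body[:2] == b"\xff\x03":                    # address/control may be compressed away
        body = body[2:]
    if body[0] & 1:                                # odd first byte: 1-byte compressed protocol
        proto, info = body[0], body[1:]
    else:
        proto, info = (body[0] << 8) | body[1], body[2:]
    return PROTOCOLS.get(proto, "0x%04X" % proto), info
```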
IP is a two-way protocol. Once you've connected to the Internet, it's as if you've connected your system directly to the network within your ISP—a network that is up full-time. The difference is that your connection only exists when you successfully dial in to your ISP. Also, each time you dial in, the IP address assigned to your PPP link changes.
However, a changing IP address doesn't necessarily protect you from scans and attacks. An attacker who scans the range of addresses assigned to a terminal server (which provides the PPP dial-ins) will see your system after it has been connected, and can attack it at that time (see figure). If the attack is successful, the attacker can then install software on your system.
This software can range from a virus to a backdoor program like a Trojan Horse. Trojan Horses like Back Orifice provide remote access to your system and can set up a password sniffer. The combination of a back door and a sniffer is a dangerous one: The back door provides future remote access, while the sniffer may reveal the passwords of other systems.
For example, if an attacker installed a back door and password sniffer on your home system, and that system is connected to your internal network, the intruder will then have the same access to your network that you have working locally. In other words, you will have created a back door into your network that bypasses any firewall that may be guarding the front door—your organization's official Internet connection.
An attacker who installs a back door into your system via PPP will only be able to use it while you are using your dial-up link, and the IP address will (likely) be different every time you dial in. While this provides a slight layer of protection, routine scanning for the back door's port address will ultimately reveal your system, and the back door will provide access.
Modems that permit dial-in connections are especially attractive targets for hackers. War Dialer programs automatically scan for modems by trying every phone number within an exchange. If the modem can only be used for dial-out connections, a War Dialer won't discover it. However, PPP changes the equation, as it provides bidirectional transport for TCP/IP, making any connected system visible to scanners—and attackers.
Open 24 Hours
Using PPP makes your system visible—and potentially vulnerable—only when you connect to the Internet; new always-on connections exacerbate this problem. Instead of hackers hunting for sporadically appearing system back doors, a full-time connection is always there. The IP address also (for the most part) stays the same, making the system easy to find again. These features make DSL and cable modem connections more interesting to an attacker.
One attack, reported in April 2000, targets network addresses known to include cable modem or DSL users. The attack checks for enabled file sharing, attempts to map the exposed directory, and then installs the so-called 911 virus. The 911 virus either deletes all files (or just the ones in the Windows installation) on the 19th of the month, or uses a modem to dial 911 (which should fail now that these systems are using cable modems or DSL).
Cable modem users have already begun to notice just how wide open their connections to the Internet have become. For example, if they check out the network neighborhood, they can see other people's desktops (anyone with the same broadcast address). Macintosh users can spot icons for other people's printers appearing on their desktops. Hopefully, these things are disturbing enough to get people to do something about them.
Some cable modem suppliers include rudimentary filtering in their modems. For example, simply by blocking access to TCP port 139, you cut off access to Microsoft's Server Message Block (SMB) file and printer sharing. Suppliers of always-on connections should educate their customers on exactly what filtering they offer, if any.
Firewalls Come Home
You can be proactive about defending your system by installing a personal firewall product or firewall appliance. Personal firewalls fit into your IP stack and can detect and block attempts to connect to your system from the Internet. (See Resources below for more information.)
Of course, if you plan on using ICQ, you will want some of those connections to succeed. (ICQ is a chat program that uses direct connections to users for private conversations, requiring a PC to accept TCP connections that cannot be predicted by the firewall.) Certain other Internet services, such as NetMeeting and even FTP, may also require incoming connections. Most products deal with these issues by permitting you to poke holes in your firewall.
BlackICE Defender is a popular personal firewall. It acts both as a filter—controlling which packets are permitted to pass—and as an individual Intrusion Detection System (IDS). You upload signatures along with the tool, and BlackICE will attempt to identify scans, Denial of Service (DoS) attacks, and other attacks launched against your system.
An IDS can be a real eye-opener, especially for dial-up PPP users who don't suspect how often their systems are scanned. Products like BlackICE are designed for individual users; they don't have central management consoles or means to consolidate logs.
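The kind of scan detection a personal IDS performs, as an added example that is not the article's code and not any product's real log format: it parses constructed firewall log lines, flags a source that probes many distinct ports within a short window, and counts blocked probes at ports tied to known exposures (TCP 139 for SMB sharing, as the article notes, and UDP 31337, the default port of the Back Orifice back door). The log lines, thresholds and the WATCHED table are assumptions for illustration.

```python
# Added example (not from the article): scan detection over constructed firewall log lines.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the format is invented for this example, not a product's.
SAMPLE_LOG = """\
2000-04-12 21:03:15 DROP TCP 203.0.113.9:4021 -> 192.0.2.17:139
2000-04-12 21:03:15 DROP TCP 203.0.113.9:4022 -> 192.0.2.17:21
2000-04-12 21:03:16 DROP TCP 203.0.113.9:4023 -> 192.0.2.17:23
2000-04-12 21:03:16 DROP TCP 203.0.113.9:4024 -> 192.0.2.17:25
2000-04-12 21:03:17 DROP TCP 203.0.113.9:4025 -> 192.0.2.17:80
2000-04-12 21:03:17 DROP UDP 203.0.113.9:4026 -> 192.0.2.17:31337
2000-04-12 21:10:02 DROP TCP 198.51.100.4:1771 -> 192.0.2.17:139
2000-04-12 21:40:44 DROP TCP 198.51.100.4:1800 -> 192.0.2.17:139
2000-04-12 21:40:50 ACCEPT TCP 192.0.2.17:1027 -> 198.51.100.8:80
"""

LINE = re.compile(r"(\S+ \S+) (DROP|ACCEPT) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)")
# Ports worth a closer look when probed: SMB sharing (article) and Back Orifice's default.
WATCHED = {139: "NetBIOS/SMB file and printer sharing", 31337: "Back Orifice default port"}

def parse(log):
    """Yield (timestamp, action, proto, src, sport, dst, dport) for each well-formed line."""
    for m in LINE.finditer(log):
        ts, action, proto, src, sport, dst, dport = m.groups()
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), action, proto,
               src, int(sport), dst, int(dport))

def find_scanners(log, min_ports=5, window=60):
    """Sources whose blocked probes hit >= min_ports distinct ports within `window` seconds."""
    by_src = defaultdict(list)
    for ts, action, _, src, _, _, dport in parse(log):
        if action == "DROP":
            by_src[src].append((ts, dport))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):       # slide a window from each probe
            ports = {p for t, p in events[i:] if (t - t0).total_seconds() <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners

def watched_hits(log):
    """Count blocked probes per (source, port) for ports in WATCHED."""
    hits = defaultdict(int)
    for _, action, _, src, _, _, dport in parse(log):
        if action == "DROP" and dport in WATCHED:
            hits[(src, dport)] += 1
    return dict(hits)
```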
Personal firewalls do not function as anti-virus software, so you must also use up-to-date virus detection software to keep your desktop secure. All anti-virus products now include signatures for Trojan Horses like Back Orifice, or the version of the DoS tool TFN that has been ported to Windows 98. There are over a hundred Trojan Horse programs for Windows systems, all of which feature remote control.
If you use Linux or Berkeley Software Distribution (BSD), you can set up your own firewall with software that comes with the OS. Unlike the PC firewall products, you will need to know more to set up an IP firewall. New tools like Mason and FWctl make it easier to point and click your way through the configuration of "ipchains," the firewall modules that provide packet filtering and some stateful inspection for certain Linux versions that have been distributed since mid-1999. (For more information, see Building a Robust Linux Security Solution, March 2000.)
Linux systems and other versions of Unix have not suffered from the virus problems that plague Windows systems, so don't bother looking for anti-virus software for Unix.
Firewall appliances, unlike personal firewalls, have the advantage of being separate devices, not part of your OS. Besides specializing in system protection, they also let you connect multiple systems while exposing only a single, registered IP address through the use of Network Address Translation (NAT).
Firebox SOHO, from WatchGuard Technologies, provides stateful packet filtering and centralized management. One Ethernet port connects to your DSL, cable, or ISDN modem, and four ports permit connection for internal systems or other hubs. A single Firebox SOHO can support up to 50 systems. For an upgrade fee, the Firebox SOHO can also function as a VPN encryption device, supporting IPSec.
Any system connected to the Internet is vulnerable. A full-time Internet connection does not make you more vulnerable—just a more accessible and attractive target. The fixed IP address and 24-by-7 availability make your desktop system a great relay for attacks on your internal network or other sites, as well as a great launch pad for Distributed Denial of Service (DDoS) attacks.
The Internet and TCP/IP grew out of research projects that had no concerns about security. However, just because TCP/IP was initially designed without security in mind doesn't mean you can ignore your own system's vulnerabilities. Protect yourself. Not only will you be doing yourself a favor, you'll be performing a service to the community as well.
Rik Farrow is an independent security consultant. His Web site, http://www.spirit.com, contains security links and information about network and computer security courses. He can be reached at mailto: firstname.lastname@example.org.
Resources
RFC 1661 defines the standards for PPP. Go to http://www.faqs.org/rfcs/rfc1661.html.
Information about the 911 virus, which has been deliberately spread to networks with cable modem and Digital Subscriber Line (DSL) hookups, is available at http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=BAT_CHODE911/.
ZoneAlarm is a free, easy-to-use firewall for Windows 95/98. You can download it at http://www.zonelabs.com.
BlackICE Defender is both a firewall and a modest Intrusion Detection System (IDS) for the PC. It's available at http://www.networkice.com.
To find out more about WatchGuard Technologies' Firebox SOHO firewall appliance, designed to protect small networks or home offices, go to http://www.watchguard.com/products/fireboxsoho.asp.
Steve Gibson of Gibson Research reviews personal firewalls on his Web site. Go to http://grc.com/su-firewalls.htm.
Tools for building and configuring firewalls for Linux, and for some Berkeley Software Distribution (BSD) systems can be found at http://xmission.linuxberg.com/conhtml/adm_firewall.html.