How to secure your TCP/IP ports

Understanding ports is the key to shoring up your defences

Unfortunately, TCP/IP was conceived to send and receive data reliably, not to secure it. That's the job of the applications listening and sending on specific ports.

If they don't make an effort to negotiate some form of data encryption, anyone can intercept the 'clear text' data as it flows past, which can include usernames and passwords. This is the basis for a 'man-in-the-middle' attack.

In this form of attack, data is routed through an attacker's computer, which retransmits it as if nothing had happened.

Meanwhile, the attacker copies every packet for later analysis. It's also possible to sniff this clear text traffic as it goes past on the network using a utility such as WireShark.

WireShark

LISTEN IN: Be careful when using WireShark. If you accidentally listen in to someone else's PC, it could land you in a lot of bother with the law

In web jargon, HTTP is a plain text protocol. When you log into a site, the username and password you use are sent in plain text. This is why you should always ensure that the site is using an encrypted HTTPS connection before entering your credentials.

This goes for your ISP, too. It may be convenient to read your email on the web when you're on the move, but unless your ISP redirects to an HTTPS connection before asking for your username and password, your details could be vulnerable.

It's better to have your ISP forward your mail to a more secure online account, such as Gmail, which logs you in using an HTTPS web page.

Classic hacks

From the earliest days of the internet, hackers quickly realised that bugs in different TCP/IP implementations meant that they could knock a computer offline by sending carefully crafted packets. They could, in other words, deny people its services.

There are two basic types of denial of service (DoS) attacks. Bandwidth consumption attacks are far more popular these days thanks to the rise of the botnet. In this type of attack, infected 'zombie' computers are directed to flood a target with data.

This usually takes the form of massive numbers of SYN packets. The target believes that someone is trying to connect, so it blindly makes a note of each request and sends a SYN-ACK packet back. Because it has to use a small amount of memory to remember all the connection requests, the target quickly gets overwhelmed and is knocked off the internet until the botnet ceases its attack.

The second type of DoS attack is designed to crash the TCP/IP software itself. Attackers send a data packet that's either far too big or is broken into overlapping fragments. These packets confuse the target and lock it up.

One frightening element to this second form of attack is that with a single, carefully crafted packet you could take out a whole server until it is rebooted, possibly causing massive data loss for the affected website.

However, this type of attack is losing popularity with hackers because operating system producers have spent a lot of time and effort hardening their TCP/IP code to make it more reliable and less vulnerable.

Hackers exploit bugs in networking software for far more than simply disrupting services, however. It's possible in some instances to inject code into the running system. This can open a backdoor, allowing a trojan to be uploaded and installed to your machine, ready to steal your credentials, make your PC part of a botnet or even force your system to serve illegal images. Such attacks are automated and can infect thousands of computers a day.

The bug that let malicious code install the Conficker botnet's client software in just this way caused a global panic in late 2008.