Chapter 2 - Classes of Attacks
As we have seen in the first chapter, the principles of security face threats from various attacks. These attacks are generally classified into four categories. They are:
• Interception - discussed in the context of ‘confidentiality’.
• Fabrication - discussed in the context of ‘authentication’.
• Modification - discussed in the context of ‘integrity’.
• Interruption - discussed in the context of ‘availability’.
These attacks are further grouped into two types: passive attacks and active attacks.
[Figure: Attacks, divided into passive and active attacks]
Passive attacks: Passive attacks are those in which the attacker indulges in monitoring of data transmission. That is, the attacker aims to obtain information that is in transit. The term ‘passive’ indicates that the attacker does not attempt to perform any modifications to the data. In fact, this is why passive attacks are harder to detect. Thus, the general approach to dealing with passive attacks is to think about prevention, rather than detection or corrective actions.
Passive attacks are further classified into two sub-categories: release of message contents and traffic analysis. ‘Release of message contents’ is quite simple to understand. When we send a confidential e-mail to a friend, we wish that only he should access it. Otherwise, the contents of the message are released against our wishes to someone else. Using certain security mechanisms, we can prevent this type of attack. For example, we can encode the messages using a code language, so that only the desired party understands the contents of the message, because only it knows the code language. However, if many such messages are passing through, a passive attacker could try to figure out the similarities between them to come up with some sort of pattern that provides him some clues regarding the communication that is taking place. Such attempts at analyzing encoded messages to come up with likely patterns are the work of a traffic analysis attack.
[Figure: Passive attacks]
Active attacks: Active attacks are based on the modification of the original message in some manner, or on the creation of a false message. These attacks cannot be prevented easily. However, they can be detected with some effort, and attempts can be made to recover from them. These attacks can be in the form of interruption, modification, and fabrication.
Interruption attacks are called masquerade attacks.
Modification attacks can be classified further into replay attacks and alteration of messages.
Fabrication causes denial of service attacks.
Masquerade is used when an unauthorized entity pretends to be another entity. In replay attacks, a user captures a sequence of events, or some data units, and resends them, whereas alteration of messages involves some change to the original message. ‘Denial of service’ attacks attempt to prevent legitimate users from accessing services which they are eligible for. For example, an unauthorized user might send too many login requests to a server using random user ids one after the other in quick succession so as to flood the network and deny other legitimate users access to the network.
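The two modification attacks above, replay and alteration, can be told apart at the receiver: a message authentication code exposes alteration, and a nonce remembered within a time window exposes replay. The following is an added example (not from the chapter); the shared key, the message layout and the 30-second window are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed shared key for the demonstration; a real deployment provisions it out of band.
SHARED_KEY = b"constructed-demo-key-not-for-production"
REPLAY_WINDOW_SECONDS = 30


def _canonical(payload: str, nonce: str, sent_at: float) -> bytes:
    """Stable byte encoding of the authenticated fields, shared by sender and receiver."""
    return json.dumps({"payload": payload, "nonce": nonce, "sent_at": sent_at}, sort_keys=True).encode()


def make_message(payload: str, nonce: str, sent_at: float) -> dict:
    """Sender side: attach a fresh nonce, a timestamp and an HMAC over all three fields."""
    mac = hmac.new(SHARED_KEY, _canonical(payload, nonce, sent_at), hashlib.sha256).hexdigest()
    return {"payload": payload, "nonce": nonce, "sent_at": sent_at, "mac": mac}


class Receiver:
    """Receiver side: classifies each message as 'accepted', 'altered' or 'replayed'."""

    def __init__(self):
        self.seen_nonces = {}  # nonce -> sent_at of the accepted message

    def check(self, msg: dict, now: float) -> str:
        expected = hmac.new(SHARED_KEY, _canonical(msg["payload"], msg["nonce"], msg["sent_at"]),
                            hashlib.sha256).hexdigest()
        # Alteration: any change to the payload, nonce or timestamp invalidates the MAC.
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "altered"
        # Replay: a valid MAC on a nonce already accepted, or on a message outside the window.
        if msg["nonce"] in self.seen_nonces or abs(now - msg["sent_at"]) > REPLAY_WINDOW_SECONDS:
            return "replayed"
        self.seen_nonces[msg["nonce"]] = msg["sent_at"]
        return "accepted"


def demo() -> list:
    """Run one genuine message, its replay and an altered copy through a receiver."""
    rx = Receiver()
    genuine = make_message("transfer 100 to alice", "nonce-1", 1000.0)
    tampered = dict(genuine, payload="transfer 900 to alice")  # altered in transit, MAC unchanged
    return [rx.check(genuine, 1001.0), rx.check(genuine, 1002.0), rx.check(tampered, 1002.0)]
```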
[Figure: Active attacks]
The practical side of attacks: The attacks discussed earlier are classified into two broad categories: application level attacks and network level attacks.
Application level attacks: These attacks happen at the application level, in the sense that an attacker attempts to access, modify or prevent access to the information of a particular application, or to the application itself. Examples of this are trying to obtain someone’s credit card information on the internet, or changing the contents of a message to change the amount in a transaction.
Network level attacks: These attacks generally aim at reducing the capabilities of a network by a number of possible means. They generally attempt to either slow down, or completely bring to a halt, a computer network. Note that this can automatically lead to application level attacks, because if someone is able to gain access to a network, usually he is able to access or modify at least some sensitive information, causing havoc.
These two types of attacks can be attempted using various mechanisms. The following are some of the types of attacks:
A) Stealing passwords:
Passwords to the system are like the keys to the front door. Obviously the system passwords will have to be kept very secure. Attackers, in contrast, will try to somehow steal the passwords to give themselves an easy and graceful entry like a legitimate user. Using login names and passwords is an easy and cheap method of authentication, and it is the most commonly used one. The different techniques used by intruders to steal passwords are as follows:
1. Direct approach: Although it is very easy, it is obviously fruitless, since nobody is going to disclose their password easily to anyone. Still, intruders use this as the first method, try their luck, and then move on to more difficult ones.
2. Dictionary based attacks: Hackers may use ready-made dictionaries for checking the passwords of the systems, using special software. This method is somewhat time consuming but not a very sure one.
3. Brute-force attacks: This involves trying several combinations of keys, alphabets, numbers, special characters etc. for a specific number of digits and applying them to guess passwords. Of course, this is the most tedious and time consuming, but surer, method of getting passwords.
4. Using fake login: Sometimes, if the attacker is an insider or can get direct access, he may keep a fake login program running on a terminal which looks legitimate to an unsuspecting user. When someone logs in, he gets an invalid login message, and meanwhile the password is collected somewhere that is available to the attacker.
B) Social engineering:
This is like an art, a special tool in the hands of attackers, in which the attacker plays psychological tricks on the target to get important information. All this happens without the knowledge of the target, i.e. the target does not know that he is giving vital information to the attacker. For social engineering, the hacker must have
• Some information about the target
• Good social skills
• A lot of patience
There are various methods used by hackers for social engineering:
1) Using personal conversation: By talking directly with the target, the hacker tries to get some important information. This is the most dangerous process.
2) Through telephonic conversation: Using this, the hacker may pose as a top official or network administrator and may persuade the target into giving important information. This is easier than the first method and hence most widely used.
3) By chatting with the target: Alternatively, the hacker, keeping his identity secret, can chat with and befriend the target and then, using tricky questions, gain the vital information.
4) By sending anonymous mails: It is possible to send mails without any address, or using an address which looks legitimate and official enough to fool the target. This is also a widely used technique.
C) Authentication Failures:
Authentication is the method of validating the identity of genuine or authorized users. There are various methods used for this purpose, but the most commonly used one is by way of login names and passwords. In order to keep your authentication method foolproof, some strict policy will have to be adopted. But still, authentication failure is one of the ways in which intruders can penetrate the system.
Firstly, the passwords have to be properly designed using all available rules. Sometimes, if the password is stored in a user database in cleartext, then the intruder can easily read it. Another example of authentication failure is by way of a fake login program run on the terminal. Windows 2000 prevents this type of attack by requiring the Ctrl-Alt-Del combination before the actual login, which terminates any fake login program running there. One more form of authentication attack may come from remote login programs. Protocols like Telnet are vulnerable to this. If these are available on your host, then the attacker may keep retrying until they are lucky and get a chance to penetrate the system. Hence it is normally advised to turn off remote login features for added security.
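The password-stealing techniques in A) (dictionary and brute-force guessing) and the cleartext-storage failure just described are addressed by the same enrollment routine: reject dictionary words and short passwords, and store only a salted, slow hash. This is an added example, not from the chapter; the mini-dictionary, the 12-character minimum and the PBKDF2 record format are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed mini-dictionary standing in for a "ready-made" password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
PBKDF2_ITERATIONS = 200_000


def keyspace_size(charset_size: int, length: int) -> int:
    """Candidates a brute-force attacker must cover for a fixed length and character set."""
    return charset_size ** length


def is_weak(password: str, min_length: int = 12) -> bool:
    """Reject short passwords and dictionary words, including trivial case and suffix variants."""
    base = password.lower().rstrip("0123456789!")
    return len(password) < min_length or base in COMMON_PASSWORDS


def store_password(password: str) -> str:
    """Never store cleartext: keep a random salt and a PBKDF2-HMAC-SHA256 hash of the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    _alg, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def enroll(password: str) -> str:
    """Enrollment policy: refuse weak passwords, otherwise return the record to store."""
    if is_weak(password):
        raise ValueError("password is too short or is a dictionary word")
    return store_password(password)
```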
D) Protocol Failures:
Sometimes the protocols used in the network also have certain limitations or problems contained in them, which prevent the application from doing the appropriate things. Since they work from behind the applications, this may increase the vulnerability. An example of such a failure is TCP protocol failure. TCP provides the paths for IP datagrams, which may be sent across the network. Attackers inspecting the packets can get information about the source IP. Similarly, IP is a stateless and unreliable protocol: no guarantee of delivery of packets can be given for it. It is possible for attackers to send packets using any known valid source address. This is called source address spoofing. Although the operating system controls this, it still cannot be relied on.
E) Information Leakage:
Many times, attackers rely on information leakage, which is due to various reasons and helps them get inside information about the victim. In the case of internal attacks, the information is either directly available to the attacker or is passed on from inside. This information may include IP addresses, network topology and structure, login names, passwords, host names etc. Sometimes protocols also give away some information. Finger is a protocol which gives information about the users connected to live hosts. Attackers may also use social engineering techniques, on the basis of the information given by these protocols, to get further important information. It is also possible to use the information given on web sites, such as phone numbers, users’ names, credit card numbers etc. Obviously, the defense against any such kind of information leakage is to use good firewalls and keep them properly configured.
1. BotNets
The "bot" itself is actually computer code which runs on a client system; not all
bots can participate in a BotNet, but many that do are widely available. There
are two main types of BotNet structures: Hub-Leaf and Channel.
In a Hub-Leaf BotNet, two bots are connected by installing the bots on the target client systems, then configuring one bot as a Hub and the other as a Leaf. BotNet building continues by configuring additional Leaf bots to connect to the same Hub, resulting in a star (hub and spoke) architecture. Further, independent BotNets can be merged by joining their Hubs. Hub-Leaf BotNets do not typically use IRC for communication, but rather communicate via bot-specific listeners on configurable ports, so each Hub-Leaf pair of ports could be unique.
2. BotNet Uses
First, BotNets enable the creation and operation of "private" networks; traffic
on these networks does not traverse the IRC server infrastructure, and so is
harder to detect unless the monitor is in the path of, or part of, the private
network. Such networks are widely used for file transfer and distributed file
storage; of course, no controls enforce what type of files are stored or
transferred, and such files may include illegal material (stolen software, illegal
data, etc.). It is certainly possible to use normal IRC capabilities to exchange
illegal material as well, but such activity is easier to detect.