
Chapter 2- CLASSES OF ATTACKS

As we have seen in the first chapter, the principles of security face threats from
various attacks. These attacks are generally classified into four categories. They
are:
• Interception, which is discussed in the context of ‘confidentiality’.
• Fabrication, which is discussed in the context of ‘authentication’.
• Modification, which is discussed in the context of ‘integrity’.
• Interruption, which is discussed in the context of ‘availability’.
These attacks are further grouped into two types: passive attacks and active
attacks.

[Figure: Attacks, divided into passive attacks and active attacks]

Passive attacks: Passive attacks are those in which the attacker confines himself to
monitoring data transmission; that is, the attacker aims to obtain information
that is in transit. The term ‘passive’ indicates that the attacker does not attempt to
perform any modifications to the data. This is exactly why passive attacks are
harder to detect. Thus, the general approach to dealing with passive attacks is to think
about prevention, rather than detection or corrective actions.
Passive attacks are further classified into two sub-categories: release of
message contents and traffic analysis. ‘Release of message contents’ is quite
simple to understand. When we send a confidential e-mail to a friend, we wish
that only he should be able to read it. Otherwise, the contents of the message are released
against our wishes to someone else. Using certain security mechanisms, we can
prevent this type of attack. For example, we can encode the messages using a code
language, so that only the desired party understands the contents of the message,
because only it knows the code language. However, if many such messages are
passing through, a passive attacker could try to find similarities between
them and come up with some sort of pattern that provides him clues regarding
the communication that is taking place. Such attempts at analyzing encoded
messages to come up with likely patterns are called traffic analysis attacks.
[Figure: Passive attacks, divided into release of message contents and traffic analysis]
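The following added example (not code from the chapter) makes the distinction between the two passive attacks concrete. A naive "code language" that always encodes the same message the same way hides the contents but still leaks a pattern to a passive observer: repeated messages look identical and every message reveals its length. Encoding each message with a fresh random nonce and padding it to a fixed bucket size removes both clues. The key, the bucket size and the HMAC-SHA256 counter-mode keystream are assumptions made for this demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key and padding bucket; added example, not from the chapter.
KEY = b"constructed-demo-key-do-not-reuse"
BUCKET = 64          # every ciphertext body is padded up to a multiple of this many bytes
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from HMAC-SHA256 (a PRF); demo construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_deterministic(msg: bytes) -> bytes:
    """Naive 'code language': no nonce, no padding. Content is hidden, but equal
    plaintexts give equal ciphertexts and the length of each message is visible."""
    return xor(msg, keystream(KEY, b"", len(msg)))


def pad(msg: bytes) -> bytes:
    # 2-byte length prefix, then zero padding up to the next BUCKET boundary
    body = len(msg).to_bytes(2, "big") + msg
    return body + b"\x00" * (-len(body) % BUCKET)


def unpad(body: bytes) -> bytes:
    n = int.from_bytes(body[:2], "big")
    return body[2:2 + n]


def encrypt_randomized(msg: bytes, nonce: bytes = None) -> bytes:
    """Fresh nonce per message plus fixed-size padding: repeated messages no
    longer look alike and lengths fall into coarse buckets."""
    nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
    body = pad(msg)
    return nonce + xor(body, keystream(KEY, nonce, len(body)))


def decrypt_randomized(ct: bytes) -> bytes:
    nonce, body = ct[:NONCE_LEN], ct[NONCE_LEN:]
    return unpad(xor(body, keystream(KEY, nonce, len(body))))


def observed_pattern(ciphertexts):
    """Everything a passive observer can note without the key: message lengths
    and how many ciphertexts repeat an earlier one."""
    return {"lengths": [len(c) for c in ciphertexts],
            "repeats": len(ciphertexts) - len(set(ciphertexts))}


if __name__ == "__main__":
    msgs = [b"attack at dawn", b"attack at dawn", b"retreat"]   # constructed traffic
    print(observed_pattern([encrypt_deterministic(m) for m in msgs]))
    print(observed_pattern([encrypt_randomized(m) for m in msgs]))
```

Run as a script, the first line shows lengths 14, 14, 7 with one repeated ciphertext, the second shows three ciphertexts of 80 bytes with no repeats; the contents were never exposed in either case, which is why defending against traffic analysis is a matter of prevention (padding, randomization, dummy traffic) rather than detection.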

Active attacks: Active attacks are based on the modification of the original
message in some manner, or on the creation of a false message. These attacks cannot
be prevented easily. However, they can be detected with some effort, and attempts
can be made to recover from them. These attacks can be in the form of
interruption, modification, and fabrication.
• Interruption attacks are called masquerade attacks.
• Modification attacks can be classified further into replay attacks and
alteration of messages.
• Fabrication causes denial of service attacks.
Masquerade occurs when an unauthorized entity pretends to be another entity.
In a replay attack, a user captures a sequence of events, or some data units, and
resends them, whereas alteration of a message involves some change to the original
message. ‘Denial of service’ attacks attempt to prevent legitimate users
from accessing services which they are eligible for. For example, an
unauthorized user might send too many login requests to a server using random
user ids one after the other in quick succession so as to flood the network and deny
other legitimate users access to the network.
[Figure: Active attacks, divided into interruption (masquerade), modification (replay attacks, alterations) and fabrication (DoS attacks)]
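The chapter says active attacks are detected rather than prevented; the added example below (not from the chapter) shows the detection for three of them at the receiving end. Each message carries a strictly increasing sequence number and an HMAC tag over sender, sequence number and body. An altered message or one forged by a masquerading sender who lacks the shared key fails the tag check; an unmodified message resent later (a replay) passes the tag check but fails the sequence check. The shared key and the message layout are assumptions for this demonstration.

```python
import hashlib
import hmac

# Constructed shared key; added example code, not from the chapter.
SHARED_KEY = b"constructed-shared-key-do-not-reuse"


def tag_for(key: bytes, sender: str, seq: int, body: str) -> str:
    """HMAC over sender, sequence number and body; any change breaks the tag."""
    data = f"{sender}|{seq}|{body}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def make_message(key: bytes, sender: str, seq: int, body: str) -> dict:
    """Sender side: attach a fresh, strictly increasing sequence number and a tag."""
    return {"sender": sender, "seq": seq, "body": body,
            "tag": tag_for(key, sender, seq, body)}


class Receiver:
    """Receiver side: verify the tag first, then the sequence number."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}   # highest sequence number accepted per sender

    def accept(self, msg: dict) -> str:
        expected = tag_for(self.key, msg["sender"], msg["seq"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            # alteration of the body, or a masquerading sender without the key
            return "rejected: bad tag (altered or forged)"
        if msg["seq"] <= self.last_seq.get(msg["sender"], 0):
            # a captured, unmodified message sent again
            return "rejected: replay"
        self.last_seq[msg["sender"]] = msg["seq"]
        return "accepted"


if __name__ == "__main__":
    rx = Receiver(SHARED_KEY)
    m = make_message(SHARED_KEY, "alice", 1, "transfer 100 to bob")
    print(rx.accept(m))                                            # accepted
    print(rx.accept(m))                                            # rejected: replay
    print(rx.accept(dict(m, body="transfer 1000 to bob")))         # altered -> bad tag
    print(rx.accept(make_message(b"wrong-key", "alice", 2, "transfer 5")))  # forged -> bad tag
```

The order of the checks matters: the tag is verified before any state is consulted or updated, so a forged message can neither advance the sequence counter nor learn anything from the response beyond "bad tag".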

The practical side of attacks: The attacks discussed earlier fall into two
broad categories: application level attacks and network level attacks.
Application level attacks: These attacks happen at the application level in the sense
that an attacker attempts to access, modify or prevent access to the information of a
particular application, or to the application itself. Examples are trying to
obtain someone’s credit card information on the internet, or changing the contents
of a message to change the amount in a transaction.
Network level attacks: These attacks generally aim at reducing the capabilities of
a network by a number of possible means. They generally make an
attempt to either slow down, or completely bring to a halt, a computer network.
Note that this can automatically lead to application level attacks, because if
someone is able to gain access to a network, usually he is able to access or modify at
least some sensitive information, causing havoc.
These two types of attacks can be attempted using various mechanisms.
The following are a few of the types of attacks:
A) Stealing passwords:
Passwords to the system are like the keys to the front door. Obviously the system
passwords will have to be kept very secure. Attackers, in contrast, will try to
somehow steal the passwords to give themselves an easy and graceful entry like a
legitimate user. Using login names and passwords is an easy and cheap method of
authentication, and it is the one most commonly used. The different techniques used
by intruders to steal passwords are as follows:
1. Direct approach: Although it is very easy, it is obviously fruitless, since
nobody is going to disclose their password easily to anyone. Still, intruders
use this as the first method to try their luck, and then move on to more difficult
ones.
2. Dictionary based attacks: Hackers may use ready-made dictionaries for
checking the passwords of the systems, using special software. This method
is somewhat time consuming, and not a very sure one.
3. Brute-force attacks: This involves trying several combinations of keys, letters,
numbers, special characters etc. for a specific number of characters and
applying them to guess passwords. Of course, this is the most
tedious and time consuming, but surer, method of getting passwords.
4. Using fake login: Sometimes, if the attacker is an insider or can get direct
access, he may keep a fake login program running on a terminal which
looks legitimate to an unknowing user. When someone logs in, he gets an invalid
login message, while the password is meanwhile collected somewhere
available to the attacker.
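Dictionary and brute-force attacks (items 2 and 3 above) and the login-flood denial of service described earlier under active attacks leave the same trace on the server: a burst of failed logins from one source. The added example below (not from the chapter) runs the detection over a constructed authentication log and tells the two cases apart by how many distinct user ids the failures touch. The log format, the sliding window of 60 seconds and the threshold of 5 failures are assumptions for this demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds (assumed values for this example)
WINDOW = timedelta(seconds=60)   # sliding window per source address
FAIL_THRESHOLD = 5               # failures within the window that trigger an alert

# Constructed sample of an authentication log (key=value fields); not real data.
AUTH_LOG = """
2024-05-01T10:00:00 src=192.0.2.7 user=carol result=FAIL
2024-05-01T10:00:05 src=192.0.2.7 user=carol result=OK
2024-05-01T10:01:00 src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:01:04 src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:01:09 src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:01:13 src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:01:18 src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:01:22 src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:02:00 src=198.51.100.9 user=qx81 result=FAIL
2024-05-01T10:02:01 src=198.51.100.9 user=mm02 result=FAIL
2024-05-01T10:02:01 src=198.51.100.9 user=zz19 result=FAIL
2024-05-01T10:02:02 src=198.51.100.9 user=ab77 result=FAIL
2024-05-01T10:02:02 src=198.51.100.9 user=kq04 result=FAIL
2024-05-01T10:02:03 src=198.51.100.9 user=rt55 result=FAIL
""".strip().splitlines()


def parse(line: str):
    """Split '<timestamp> key=value ...' into (timestamp, src, user, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields["src"], fields["user"], fields["result"]


def analyze(lines):
    """Return {source: (kind, failures, distinct_users)} for sources that reach
    FAIL_THRESHOLD failures inside WINDOW. Many failures against few user ids is
    password guessing (dictionary or brute force); failures spread over many
    user ids in quick succession is the login flood described under DoS."""
    recent = defaultdict(list)      # src -> [(timestamp, user)] within the window
    alerts = {}
    for line in lines:
        ts, src, user, result = parse(line)
        if result != "FAIL":
            continue
        hist = [(t, u) for t, u in recent[src] if ts - t <= WINDOW]
        hist.append((ts, user))
        recent[src] = hist
        if len(hist) >= FAIL_THRESHOLD:
            distinct = len({u for _, u in hist})
            kind = "login flood" if distinct >= FAIL_THRESHOLD else "password guessing"
            alerts[src] = (kind, len(hist), distinct)
    return alerts


if __name__ == "__main__":
    for src, (kind, fails, users) in analyze(AUTH_LOG).items():
        print(f"{src}: {kind} ({fails} failures, {users} user id(s))")
```

The single failure from 192.0.2.7 followed by a success never reaches the threshold and produces no alert, which is the behaviour wanted for a user who simply mistyped a password once.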

B) Social engineering:
This is like an art, a special tool in the hands of attackers, in which the attacker plays
psychological tricks on the target to get important information. All this
happens without the knowledge of the target, i.e. the target doesn’t know that he is
giving vital information to the attacker. For social engineering, the hacker must
have:
• Some information about the target
• Good social skills
• A lot of patience
There are various methods used by hackers for social engineering:
1) Using personal conversation: By talking directly with the target, the hacker
tries to get some important information. This is the most dangerous process.
2) Through telephone conversation: Using this, the hacker may pose as a top
official or network administrator and may persuade the target into giving
important information. This is easier than the first method and
hence most widely used.
3) By chatting with the target: Alternatively, the hacker, while keeping his identity
secret, can chat and build a friendship with the target and then, using
tricky questions, can gain the vital information.
4) By sending anonymous mails: It is possible to send mails without needing
an address, or using an address which looks legitimate and official
enough to fool the target. This is also a widely used technique.

C) Bugs and Backdoors:
As is seen and experienced, no computer software ever made is free of bugs. A
bug may mean some problem in the software which is not desired by the author. It
may mean some kind of limitation in the software which does not allow it to do
the appropriate work. These are loopholes or vulnerabilities in the program which
make it less secure. Hackers who know about these loopholes can misuse them or
use them for their own benefit, whereas some of them may disclose them to make
everyone aware. One solution for this is to always keep the software
updated with bug fixes, which are normally provided by the developer; for example,
updated virus databases in an antivirus utility, service packs for the operating system,
etc. One should apply them regularly in order to stay away from new viruses and
vulnerabilities. There are people who post known vulnerabilities in software to
make everyone aware of them.
Another security vulnerability is due to backdoors. These are known
programs which, when stored on the target systems, may allow easy access to the
hackers or give them sufficient information about the target to carry out
attacks. There are several backdoor attacks used by attackers. These are like
automated tools which carry out the destructive jobs for the attackers. Trojan
Horse programs may also come in this category. In order to be safe from backdoors,
cleaner solutions are available which work in a similar manner to antivirus utilities.

D) Authentication Failures:
Authentication is the method of validating the identity of genuine or authorized
users. There are various methods used for this purpose, but the most commonly
used one is by way of login names and passwords. In order to keep your
authentication method foolproof, some strict policy will have to be adopted. But
still, authentication failure is one of the ways in which intruders can penetrate the
system.
Firstly, the passwords have to be properly designed using all available rules.
If the password is stored in some user database in cleartext, then an
intruder who reads the database can easily obtain it. Another example of authentication failure is by way
of a fake login program run on the terminal. Windows 2000 prevents this type of
attack by requiring the ctrl-alt-del combination before the actual login, which terminates any fake
login program being run there. One more form of authentication attack may
come from remote login programs. Protocols like Telnet are vulnerable to this. If
these are available on your host then the attacker may keep retrying till they are
lucky and get a chance to penetrate the system. Hence it is normally advised to
turn off remote login features for added security.
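The cleartext-storage failure named above has a standard remedy: store only a salted, slow hash of each password, so that reading the user database yields nothing that can be typed at the login prompt. The added example below (not from the chapter) contrasts the two storage forms using salted PBKDF2-HMAC-SHA256; the record format and the iteration count are assumptions for this demonstration.

```python
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # assumed work factor; raise it to current guidance in production


def store_cleartext(password: str) -> str:
    """What the chapter warns against: whoever reads the user database has the password."""
    return password


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string holds everything needed to verify.
    A random per-user salt means two users with the same password get different records."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare."""
    scheme, iterations, salt_b64, dk_b64 = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iterations))
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def reveals_password(stored: str, password: str) -> bool:
    """True if the stored record contains the password itself, i.e. cleartext storage."""
    return password in stored


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print(reveals_password(store_cleartext(pw), pw))   # True: the record is the password
    rec = hash_password(pw)
    print(reveals_password(rec, pw))                   # False
    print(verify_password(rec, pw), verify_password(rec, "guess"))   # True False
```

The iteration count is stored with the record so it can be raised later for new records while old ones still verify; the slowness it buys is what makes the dictionary and brute-force attacks from section A expensive against a stolen database.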

E) Protocol Failures:
Sometimes the protocols used in the network also have certain limitations or
problems contained in them, which prevent the application from doing the appropriate
things. Since they work from behind the applications, this may increase the
vulnerability. An example of such failure is TCP protocol failures. TCP provides
the paths for IP datagrams, which may be sent across the network. Attackers
inspecting the packets can get information about the source IP. Similarly, IP is
a stateless and unreliable protocol; no guarantee of delivery of packets can be
given for it. It is possible for attackers to send packets using any known
valid source address. This is called source address spoofing. Although the
operating system controls this, it still can’t be relied on.
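Since the sending host's operating system cannot be relied on to stop source address spoofing, the usual control sits at the network edge: a router accepts a packet only if its source address is plausible for the interface it arrived on (ingress filtering, BCP 38). The added example below (not from the chapter) implements that decision over a constructed two-interface layout; the prefixes, interface names and bogon list are assumptions for this demonstration.

```python
import ipaddress

# Constructed network layout for this example (not from the chapter):
# our own network sits behind interface lan0; wan0 faces the Internet.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]
INTERFACE_SOURCES = {
    "lan0": OUR_PREFIXES,   # packets from the inside must carry an inside address
    "wan0": None,           # packets from outside may carry any routable outside address
}
# addresses that should never appear as a source on the Internet side
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def ingress_decision(iface: str, src: str) -> str:
    """Accept or drop a packet purely on (arrival interface, source address)."""
    addr = ipaddress.ip_address(src)
    allowed = INTERFACE_SOURCES[iface]
    if allowed is not None:
        # inside interface: the source must belong to the prefixes behind it
        if any(addr in net for net in allowed):
            return "accept"
        return "drop: source not valid for interface"
    # outside interface: our own addresses cannot legitimately arrive from there
    if any(addr in net for net in OUR_PREFIXES):
        return "drop: our own address arriving from outside (spoofed)"
    if any(addr in net for net in BOGONS):
        return "drop: bogon source"
    return "accept"


def filter_packets(packets):
    """packets: iterable of (iface, src, dst); returns accepted packets and drop counts."""
    accepted, drops = [], {}
    for iface, src, dst in packets:
        verdict = ingress_decision(iface, src)
        if verdict == "accept":
            accepted.append((iface, src, dst))
        else:
            drops[verdict] = drops.get(verdict, 0) + 1
    return accepted, drops


if __name__ == "__main__":
    sample = [("wan0", "203.0.113.1", "192.0.2.5"),    # ordinary inbound traffic
              ("wan0", "192.0.2.9", "192.0.2.5"),      # claims an inside address from outside
              ("lan0", "192.0.2.9", "203.0.113.1")]    # ordinary outbound traffic
    print(filter_packets(sample))
```

The same rule applied on the lan0 side also keeps hosts on our own network from spoofing outside addresses towards the Internet, which is the form of the filter most providers are asked to deploy.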
F) Information Leakage:
Many times, attackers rely on information leakage, which occurs for various
reasons and helps them to get inside information about the victim. In the case
of internal attacks, either the information is directly available to the attacker or is
passed on from inside. This information may include IP addresses, network
topology and structure, login names, passwords, host names etc. Sometimes
protocols also give away some information. Finger is a protocol which gives
information about the users connected to live hosts. Attackers may also use
social engineering techniques on the basis of the information given by these
protocols to get further important information. It is also possible to use the
information given on web sites such as phone numbers, users’ names, credit
card numbers etc. Obviously, the defense against any such kind of information
leakage is to use good firewalls and keep them properly configured.

1. BotNets

Given the preliminary information above, the definition of a BotNet is now
obvious: a BotNet is a connected collection of IRC Bots. In this section we'll
describe BotNet structure and operation, and then in Section 4 we'll look at
BotNet uses.

The "bot" itself is actually computer code which runs on a client system; not all
bots can participate in a BotNet, but many that do are widely available. There
are two main types of BotNet structures: Hub-Leaf and Channel.

In a Hub-Leaf BotNet, two bots are connected by installing the bots on the
target client systems, then configuring one bot as a Hub and the other as a
Leaf. BotNet building continues by configuring additional Leaf bots to
connect to the same Hub, resulting in a star (hub and spoke) architecture.
Further, independent BotNets can be merged by joining their Hubs. Hub-Leaf
BotNets do not typically use IRC for communication, but rather
communicate via bot-specific listeners on configurable ports, so each Hub-Leaf
pair of ports could be unique.

In a Channel BotNet (more prevalent than Hub-Leaf BotNets), bot
configuration includes identifying or establishing an IRC channel (and
often a password, or key) for BotNet communication. Each bot joins the
channel, and the controller (which may or may not be a bot) issues
commands by posting messages to the IRC channel, which the bots read
and interpret.

Installation of a bot on a client system has the same requirements as installing
any application: the client system operator must intentionally perform the
install, must be tricked into performing the install, or a vulnerability must be
exploited to perform the install.
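A Channel BotNet leaves one trace that a network monitor can look for: many hosts on the monitored network joining the same IRC channel within a short time, as each newly installed bot follows its configured channel. The added example below (not from the chapter) scores channels by that join pattern over a constructed sensor log. The log format, the ten-minute window and the threshold of three hosts are assumptions, and the heuristic is a starting point for an analyst, not a definitive classifier.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed: joins are correlated within this sliding window
MIN_CLIENTS = 3                  # assumed: distinct internal hosts that make a channel suspicious

# Constructed IRC activity as seen by a network sensor:
# "<timestamp> <client-ip> <command> <channel>"; not real data.
IRC_LOG = """
2024-03-01T09:00:01 192.0.2.11 JOIN #help
2024-03-01T09:00:40 192.0.2.12 JOIN #help
2024-03-01T09:01:05 192.0.2.21 JOIN #x9q2
2024-03-01T09:01:06 192.0.2.22 JOIN #x9q2
2024-03-01T09:01:08 192.0.2.23 JOIN #x9q2
2024-03-01T09:01:09 192.0.2.24 JOIN #x9q2
2024-03-01T09:01:20 192.0.2.23 PRIVMSG #x9q2
2024-03-01T09:30:00 192.0.2.13 JOIN #help
""".strip().splitlines()


def parse(line: str):
    ts, client, cmd, chan = line.split()
    return datetime.fromisoformat(ts), client, cmd, chan


def suspicious_channels(lines):
    """Return {channel: peak number of distinct clients that joined it within WINDOW}
    for channels reaching MIN_CLIENTS. Many internal hosts converging on one
    channel in a short time matches the join behaviour of a Channel BotNet."""
    joins = defaultdict(list)   # channel -> [(timestamp, client)] within the window
    flagged = {}
    for line in lines:
        ts, client, cmd, chan = parse(line)
        if cmd != "JOIN":
            continue
        recent = [(t, c) for t, c in joins[chan] if ts - t <= WINDOW]
        recent.append((ts, client))
        joins[chan] = recent
        distinct = len({c for _, c in recent})
        if distinct >= MIN_CLIENTS:
            flagged[chan] = max(flagged.get(chan, 0), distinct)
    return flagged


if __name__ == "__main__":
    print(suspicious_channels(IRC_LOG))   # {'#x9q2': 4}
```

The three joins to #help are spread over half an hour, so the sliding window never holds more than two of them and the channel is not reported; the four joins to #x9q2 arrive within five seconds and are. Once a channel is flagged, the hosts that joined it are the ones to examine for an unwanted bot installation.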

2. BotNet Uses

As noted above, bots were originally developed to facilitate IRC channel
administration and monitoring; BotNets emerged to enhance the bots'
capabilities, and also to add capabilities (e.g., to establish "private" networks).
As is the case with many well-intended capabilities, malicious uses were soon
identified as well; two primary malicious uses of BotNets are noted below.

First, BotNets enable the creation and operation of "private" networks; traffic
on these networks does not traverse the IRC server infrastructure, and so is
harder to detect unless the monitor is in the path of, or part of, the private
network. Such networks are widely used for file transfer and distributed file
storage; of course, no controls enforce what type of files are stored or
transferred, and such files may include illegal material (stolen software, illegal
data, etc.). It is certainly possible to use normal IRC capabilities to exchange
illegal material as well, but such activity is easier to detect.

Second, BotNets can be used to launch coordinated network attacks in the
same manner as any collection of systems under single control. BotNets are
most often used for Denial of Service attacks, either against Channel Operators
(so that channel control may be obtained), or against distinct targets like web
servers (to render them unavailable for a period of time). It is also possible to
use BotNets for distributed scanning, vulnerability exploitation, distributed
computation (i.e., breaking codes by brute force), email spamming/bombing,
malware distribution, and any activity which can be partitioned among multiple
systems.
