An Overview of IT Security Threats and Attacks

From Techotopia
Revision as of 19:16, 14 February 2008 by Neil


Before moving on to chapters that outline the steps necessary to secure networks and computer systems it helps to first have an understanding of the kinds of attacks and threats that need to be defended against. Armed with this information it will be clearer in later chapters not just how to implement particular security measures, but also why such measures need to be implemented.

There are a variety of different forms of attack to which a network or computer system may be exposed each of which will be covered in this chapter.


TCP and UDP Based Denial of Service (DoS) Attacks

Denial of Service (DoS) attacks are undertaken with the express purpose of preventing users from accessing and using a service they should otherwise be able to access. Such attacks make malicious use of a variety of standard protocols and tools. There is no single DoS attack method, and the term has come to encompass a variety of different forms of attack, a number of which are outlined below:

  • Ping flood - This attack uses the Internet Control Message Protocol (ICMP) ping request to a server as a DoS method. The strategy either involves sending ping requests in such vast quantities that the receiving system is unable to respond to valid user requests, or sending ping messages which are so large (known as a ping of death) that the system is unable to handle the request.
  • Smurfing - As with Ping Flood attacks, smurfing makes use of the Internet Control Message Protocol (ICMP) ping request to mount DoS attacks. In a typical smurfing attack the attacker sends a ping request to the broadcast address of a network, with the source address forged to be the IP address of the victim. The ping request is delivered to all computers on the broadcast network, which in turn all reply to the IP address of the victim system, thereby overloading the victim with ping responses. The primary method for preventing smurf attacks is to block ICMP traffic through routers so that the ping responses are prevented from reaching internal servers, and to configure routers so that they do not forward directed broadcasts in the first place.
  • TCP SYN Flood - Also known as the TCP Ack Attack, this attack leverages the TCP three way handshake to launch a DoS attack. The attack begins with a client attempting to establish a TCP connection with the victim server. The client sends a SYN request to the server, which in turn returns a SYN-ACK packet to acknowledge the connection. At this point in the communication the client should respond with a final ACK accepting the connection. Instead the client never completes the handshake and simply sends further SYN requests, each of which the server answers with yet another SYN-ACK. The server holds each half-open session in anticipation of the client sending the final packet required to complete the connection. As a result the server uses up all available sessions serving the malicious client, thereby preventing access to other users.
  • Fraggle - A fraggle attack is similar to a smurfing attack with the exception that the User Datagram Protocol (UDP) is used instead of ICMP.
  • Land - Under a Land attack the attacker creates a fake SYN packet containing the same source and destination IP addresses and ports and sends it to the victim, causing the system to become confused when trying to respond to the packet.
  • Teardrop - A teardrop type of DoS attack exploits a weakness in the TCP/IP implementation of some operating systems. The attack works by sending messages fragmented into multiple UDP packets. Ordinarily the operating system is able to reassemble the packets into a complete message by referencing the offset data in each UDP packet. The teardrop attack works by corrupting the offset data in the UDP packets so that the fragments overlap, making it impossible for the system to rebuild the original packets. On systems which are unable to handle this corruption a crash is the most likely outcome of a teardrop attack.
  • Bonk - An effective attack on some Windows systems involving the transmission of corrupted UDP packets to the DNS port (port 53), resulting in a system crash.
  • Boink - Similar to the Bonk attack except that the corrupted UDP packets are sent to multiple ports, not just port 53 (DNS).
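Two of the malformed-packet attacks above, Land and Teardrop, leave patterns that can be checked on the defending side. The following detection logic is an added example (not from the original article) that runs over constructed packet records: it flags packets whose source and destination address/port pairs are identical, and fragment sets whose offsets overlap.

```python
# Added example: detect Land (src == dst) and Teardrop (overlapping fragment
# offsets) patterns in a list of packet records. The records are constructed.
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    frag_id: int = 0          # IP identification shared by all fragments of one datagram
    frag_offset: int = 0      # byte offset of this fragment's payload
    length: int = 0           # payload length of this fragment in bytes
    more_fragments: bool = False


def is_land_packet(pkt: Packet) -> bool:
    """Land: source and destination address/port pairs are identical."""
    return pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port


def find_overlapping_fragments(pkts):
    """Return the frag_ids whose fragments overlap (the Teardrop pattern).

    Fragments are grouped by (src, dst, frag_id) and sorted by offset; a
    fragment that starts before the previous one ends is an overlap that a
    well-behaved sender never produces."""
    groups = defaultdict(list)
    for p in pkts:
        if p.more_fragments or p.frag_offset > 0:
            groups[(p.src_ip, p.dst_ip, p.frag_id)].append(p)
    bad = set()
    for key, frags in groups.items():
        frags.sort(key=lambda f: f.frag_offset)
        end = 0
        for f in frags:
            if f.frag_offset < end:
                bad.add(key[2])
                break
            end = f.frag_offset + f.length
    return bad


# Constructed sample traffic, not a real capture (documentation-range addresses).
SAMPLE = [
    Packet("192.0.2.10", 139, "192.0.2.10", 139),                   # Land packet
    Packet("198.51.100.5", 40000, "192.0.2.10", 53, 7, 0, 1480, True),
    Packet("198.51.100.5", 40000, "192.0.2.10", 53, 7, 1480, 520),  # clean fragments
    Packet("203.0.113.9", 40001, "192.0.2.10", 53, 8, 0, 1480, True),
    Packet("203.0.113.9", 40001, "192.0.2.10", 53, 8, 1000, 800),   # overlaps previous
]


def scan(pkts):
    """Return (land packets, frag_ids with overlapping fragments)."""
    return [p for p in pkts if is_land_packet(p)], find_overlapping_fragments(pkts)
```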

Distributed Denial of Service (DDoS) Attacks

The Denial of Service (DoS) attacks outlined above involve the use of a single client to launch an attack on a system or service. Distributed Denial of Service attacks use the same basic attack methodologies as outlined above, with the exception that the attacks are initiated from multiple client systems.

The way this typically works is that malicious parties use viruses to subtly gain control over large numbers of computers (typically poorly defended home computers connected to broadband internet connections). Unbeknownst to the owner of the computer (which generally continues to function as normal) the system is essentially a zombie waiting to be given instructions. Once the malicious party has gathered an army of zombie computers they are instructed to participate in massive Distributed DoS attacks on unsuspecting victims. A large enough volume of zombie systems can, and indeed has been known to, bring down even the largest and most scalable enterprise infrastructure, and even bring parts of the internet itself to a grinding halt.


Back Door Attacks

Back Door attacks utilize programs which provide a mechanism for entering a system without going through the usual authentication process. This can either take the form of hidden access points intentionally put into an application by the original developers to aid in maintaining and debugging the software (which were then left in when the software was deployed to customers) or a malicious program that is placed on a system via a virus or other method and which opens up the system to unauthorized access.

A number of back door programs have been discovered over the years, some of which are listed below:

  • Back Orifice - This rather distastefully named tool was developed by a group known as the Cult of the Dead Cow Communications. The primary purpose of Back Orifice is to provide remote access to a server for the purposes of performing administrative tasks.
  • NetBus - Similar to Back Orifice, NetBus is also designed to enable remote administrative access to Windows systems.
  • Sub7 - Sub7 is yet another illicit back door program designed to allow unauthorized access to systems.

Whilst the installation of any of the above back door programs on a system will have serious implications for security, all these threats can be effectively prevented through the implementation of a comprehensive virus scanning strategy.

IP and DNS Spoofing Attacks

The basis of spoofing involves masquerading as a trusted system in order to gain unauthorized access to a secure environment. IP spoofing involves modifying data to make it appear to originate from the IP address of a system that is trusted by a server or firewall. Using this approach, a host is able to pass through the IP filtering that would otherwise serve to prevent access.

The objective of IP Spoofing is to gain unauthorized access to a server or service. DNS Spoofing differs in that the objective is to send users to a different location than the one they thought they were going to. Take, for example, a user who goes to their bank's web site to perform online banking transactions (such as paying bills etc). The user enters the web address (URL) of their bank into a browser. The browser contacts a Domain Name Server (DNS) which looks up the IP address which matches the URL. The user is then taken to the site located at that IP address where they enter their login and password. DNS spoofing involves the DNS server being compromised such that the bank's URL is set to point to the IP address of a malicious party, where a web site that looks just like the real bank site has been set up. Now when the user enters the URL in a browser they are taken to the fake web site where their login and password are captured and stored. The web site will then likely report that the bank site is off-line for maintenance. The user decides to return and try again later. Meanwhile the attacker uses the customer's credentials to log into the account on the real site and transfer all the money out of the account.

Man in the Middle Attacks

Man-in-the-middle attacks are perhaps one of the more complex and sophisticated forms of security breaching approaches. As the name implies, such an attack involves the surreptitious placement of a software agent between the client and server ends of a communication. In this scenario neither end of the communication is aware that the malicious agent is present in the line of communication. For the most part, the man in the middle simply relays the data transmissions between client and server as though nothing is happening. What is generally happening in parallel with this process is that the agent is also recording the data as it is passed through. This results in a third party having access to a variety of different types of data, from login and password credentials to proprietary and confidential information. It is also possible for the man-in-the-middle agent to modify data "on the fly" causing untold problems for the victim.

Man-in-the-middle attacks have increased considerably since the introduction of wireless networking. Now there is no need for the rogue to connect to a wire; instead the data can simply be intercepted from anywhere within range of the wireless signal (such as in the parking lot outside an office or the road in front of a house).

The best way to avoid such attacks is to use encryption and secure protocols in all communications.

Replay Attacks

Replay attacks are a variation on the man-in-the-middle theme. In a replay attack an agent is once again placed within the client / server line of communication. In the case of a Replay attack, however, the transaction data is recorded for the express purpose of allowing the data to be modified and replayed to the server at a later time for nefarious purposes. For example, a replay attack might record the entire process of a user logging into a banking web site and performing transactions. The recorded transcript may then be replayed to repeat the login sequence for the purposes of stealing money from the account.

Replay attacks are best countered using encryption, timestamps, serial numbers and packet sequences so that the server can detect that the data is being replayed from a previous session.
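The countermeasures listed above (a timestamp, a per-message serial number or nonce, and a keyed checksum binding them to the data) can be combined into a single server-side check. The following is an added example, not code from the original article, applied to a constructed banking-style request; the shared key and the 30 second window are assumed values.

```python
# Added example: server-side replay detection. Each request carries a timestamp
# and a fresh nonce, and an HMAC over body + timestamp + nonce prevents a recorded
# message from being altered; the nonce cache prevents it from being repeated.
import hashlib
import hmac
import json
import secrets

SHARED_KEY = b"constructed-demo-key"   # hypothetical key shared by client and server
MAX_SKEW = 30                          # seconds a message may differ from server time


def sign(body: dict, timestamp: int, nonce: str) -> str:
    """HMAC-SHA256 over a canonical encoding of body, timestamp and nonce."""
    msg = json.dumps({"body": body, "ts": timestamp, "nonce": nonce},
                     sort_keys=True).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


class ReplayGuard:
    """Remembers nonces accepted inside the time window. Older nonces can be
    forgotten because a message carrying them is rejected as stale anyway."""

    def __init__(self):
        self.seen = {}   # nonce -> timestamp at which it was accepted

    def verify(self, body, timestamp, nonce, mac, now) -> str:
        if not hmac.compare_digest(sign(body, timestamp, nonce), mac):
            return "bad-mac"        # body, timestamp or nonce was tampered with
        if abs(now - timestamp) > MAX_SKEW:
            return "stale"          # recorded too long ago to be replayed now
        if nonce in self.seen:
            return "replay"         # same nonce already accepted in the window
        self.seen[nonce] = timestamp
        # drop nonces whose timestamps have left the acceptance window
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW}
        return "ok"


def client_request(body: dict, now: int):
    """What a legitimate client sends: (body, timestamp, nonce, mac)."""
    nonce = secrets.token_hex(8)
    return body, now, nonce, sign(body, now, nonce)
```

A recorded request therefore fails on replay inside the window and as stale outside it, and any edit to the amount fails the MAC check before the nonce is even consulted.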

TCP/IP Hijacking

TCP/IP Hijacking occurs when an attacker takes control of an ongoing session between a client and a server. This is similar to a man-in-the-middle attack except that the rogue agent sends a reset request to the client so that the client loses contact with the server, while the rogue system assumes the role of the legitimate client and continues the session.

Mathematical Attacks

The solution to a number of the types of attack outlined above has involved the use of encryption. A mathematical attack involves the use of computation based on the mathematical properties of the encryption algorithm to attempt to decrypt data.

The best way to avoid the decryption of data is to use strong encryption (128-bit) rather than rely on weaker encryption (both 40-bit and 56-bit encryption can easily be broken).

Password Guessing

On systems which rely solely on a login name and password the security of the entire system is only as strong as the passwords chosen by the users. The best way to ensure passwords are not cracked is to avoid the use of simple words or phrases which can be found in a dictionary. This needs to be balanced with making the passwords easy enough to remember so that users do not write them on pieces of paper and stick them on their laptops or monitors for others to find.

The best passwords consist of a mixture of upper and lower case characters combined with numbers and special characters. A common approach is to substitute numbers in place of similar letters. For example W3ath3rN3ws uses the number 3 in place of the letter 'E', the reasoning being that the number 3 is much like a reversed 'E' making the password easy to remember. Unfortunately most password cracking algorithms know about this type of substitution.
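The reason the substitution trick offers little protection is that a checker can simply undo it before consulting a dictionary. The following password check is an added example (not from the original article): it expands the common digit-for-letter substitutions, including ambiguous ones, and then tests whether the result splits entirely into wordlist entries. The wordlist is a constructed stand-in for a real dictionary.

```python
# Added example: de-substitute leetspeak and check the result against a wordlist,
# accepting concatenations such as "weather" + "news". Wordlist is constructed.
from itertools import product

# Common substitutions; some characters have more than one plausible expansion.
SUBSTITUTIONS = {
    "3": "e", "0": "o", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
    "1": "li", "!": "li",
}
MAX_CANDIDATES = 256   # bound the combinatorial expansion of ambiguous characters

WORDLIST = {"weather", "news", "password", "summer", "letmein", "hello"}


def expansions(password: str):
    """Yield every plausible de-substituted spelling of the password, lowercased."""
    choices = [SUBSTITUTIONS.get(ch, ch) for ch in password.lower()]
    for count, combo in enumerate(product(*choices)):
        if count >= MAX_CANDIDATES:
            return
        yield "".join(combo)


def is_dictionary_composed(word: str, words: set) -> bool:
    """True if word splits entirely into wordlist entries (simple DP segmentation)."""
    ok = [True] + [False] * len(word)
    for i in range(1, len(word) + 1):
        for j in range(i):
            if ok[j] and word[j:i] in words:
                ok[i] = True
                break
    return ok[len(word)]


def is_weak(password: str, words: set = WORDLIST) -> bool:
    """A password is weak if any de-substituted spelling is made of dictionary words."""
    return any(is_dictionary_composed(cand, words) for cand in expansions(password))
```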

There are two primary mechanisms for breaking password protection, brute force and dictionary.

Brute Force Password Attacks

A brute force attack uses algorithms to systematically try every possible permutation of characters in an effort to find the correct password. If allowed to persist, a brute force attack will eventually identify the correct password, although a well implemented security strategy will disable the account and block the IP address from which the attempts were made after 3 or 4 failed password attempts.

Dictionary Password Attacks