Attack

An attack is an attempt to gain unauthorized access to, control of, or disruption of a computer or the data it holds. Attacks work by exploiting a vulnerability in a system, in a piece of software, or in the way people use them. Attacks can be carried out using a variety of methods. Categories of computer attacks are listed below with the types of attack in each category.

  1. Malicious Software
    1. Virus - Attaches itself to other programs or files and attempts to spread within the system and to other systems, historically using e-mail as its main transport. It may alter data and files on the infected computer. Attacks at the application layer.
    2. Worm - Spreads through a network usually exploiting a vulnerability in an operating system or application program. It attacks at the network and application layers.
    3. Trojan Horse - A program that appears useful but carries a hidden payload, which may send information back to its originator or let the originator or another attacker take control of the targeted system. Unlike a virus or worm it does not spread on its own; it relies on the user running the useful-looking program it is bundled with. Usually attacks at the application layer. Many trojan horse programs attempt to steal user account and password information.
    4. Time bomb - Malicious code (often carried by a virus, worm or trojan horse) that lies dormant and activates at a set date or time. Usually attacks at the application layer.
    5. Logic Bomb - Malicious code that activates when set conditions are met, such as a particular user logging in or a file being deleted. Usually attacks at the application layer.
    6. Rabbit - A worm which tries to consume all computer resources as it replicates. Attacks at the network and application layers.
    7. Bacterium - A virus which attaches itself to an operating system and consumes all system resources. Attacks at the application layer.
    8. Spyware - Software that may be installed as part of another program. It may also be installed when a user visits a website with malicious code or when an already running process downloads and installs it. This program is designed to report what the user does back to its creator.
    9. Adware - Software that may be installed as part of another program. It may also be installed when a user visits a website with malicious code or when an already running process downloads and installs it. This program is designed to serve ads, usually as popups, to the system user.
  2. Spoofing
    1. Spoofing - Done at the data link and network layers, this is an attack where one computer pretends to be another in order to fool a system or part of the network into granting it the privileges of the spoofed computer. TCP sequence number prediction may be used to complete a spoofed connection. One form is IP spoofing, where the attacker forges the source IP address so the receiver believes the packet came from somewhere it did not. There are various forms and results of this attack. One IP spoofing attack is a denial of service in which packets are sent to a target addressed as though they came from that same computer, so the system appears to be talking to itself; this caused some operating systems, including older versions of Windows, to crash or lock up (the Land attack listed under Denial of service below).
    2. Masquerade - Done at the network layer, this is an attack where an attacker tries to access a computer while pretending to be an authorized user such as a network administrator.
  3. Scanning
    1. Sequential Scanning - Brute-force password guessing: attempting to log on to a system by trying user ID and password combinations one after another until one works.
    2. Dictionary Scanning - Attempting to log on to a system by trying, for each user, passwords drawn from a list of likely choices such as dictionary words and "password". This needs far fewer guesses than an exhaustive search and succeeds whenever the user chose a common word.
    3. Port Scanning - Probing a target's ports to determine what services are available. A port that answers the probe has a service listening on it; the port number, and any banner the service sends, indicate what that service is. Once the services running on the system are known, any vulnerabilities in them may be exploited to gain access or deny service.
  4. Snooping or Sniffing
    1. Digital Snooping - Monitoring a private or public network for passwords or data. This attack is at the network layer. The capture is done on the physical medium; attackers may also reprogram network switches or other devices so that traffic they should not see is copied to a port they control. They may capture data that they should not have access to, or they may capture user IDs and passwords (or password hashes) and run a password cracking program against them.
    2. Shoulder Snooping - This is a physical attack where someone tries to watch passwords being typed or to read information on a monitor that they should not have access to.
  5. Scavenging
    1. Dumpster Diving - Trying to get information from the trash in the hope that it will allow the attacker to gain access or privileged information.
    2. Browsing - Scanning large amounts of unprotected data for information that gives greater access. This is usually automated; one indication of it is an authorized account being active at unusual times.
  6. Tunneling - This attack uses low level system functions such as the operating system kernel or a device driver to get beneath the security controls that run above them. Strange behavior of a system may indicate this type of attack, including device failures or unusual hard drive activity.
  7. Impersonation - Impersonating an authorized user or computer
    1. Replay attack - Replay an authentication session to fool a computer into granting access.
    2. Session hijacking - The attacker monitors a session between two computers. During the authentication process or immediately after, the attacker may disable the legitimate client and use IP spoofing (with correctly guessed TCP sequence numbers) to claim to be that client. The legitimate computer's connection is dropped and the attacker continues with the same privileges the legitimate host had. Defenses include random rather than predictable initial sequence numbers; a shared secret that the server periodically requires the client to prove it knows; and encryption of the session data, since without the key the attacker cannot produce valid ciphertext and any commands it injects decrypt to junk.
    3. Router impersonation - Impersonating a router and sending false routing information to disrupt the network or gain information.
    4. DNS cache poisoning - This attack fools a victim into believing that a computer is the one they want to connect to when it is really not. For instance, the DNS entry may be poisoned so the victim's computer opens a web page on the attacker's computer rather than their bank's. When the user tries to log in, the attacker captures the login information and uses it to access the victim's bank account. DNS cache poisoning is possible because a resolver accepts any reply that matches the transaction ID and port of its outstanding query, with no cryptographic proof that the reply came from the authoritative server; a forged reply that guesses those values is cached. Randomized source ports and DNSSEC signatures are the usual defenses.
    5. Man in the middle attack - The attacker relays messages between two parties (people or computers) and can read, insert and modify any of them without either victim knowing that the connection between them has been compromised.
  8. Denial of service (DoS)
    1. SYN attack - Floods the target with TCP SYN packets, usually from spoofed source addresses, so that it allocates state for connections that never complete until its connection table or memory is exhausted.
    2. Ping of death - Sends fragmented ICMP echo requests that reassemble to more than the 65,535-byte maximum IP datagram size, crashing targets whose reassembly code does not check for this.
    3. Teardrop.c attack - Uses IP fragmentation to create packet reassembly problems so the target crashes or suffers a buffer overflow. Fragments are sent whose claimed fragmentation offsets start inside previously sent fragments, so the fragments overlap.
    4. Land.c attack - Sends a TCP SYN packet with the target's IP address and port as both sender and receiver, causing some systems to crash.
    5. Smurf attack - Floods networks with broadcast ICMP echo request traffic to cause congestion. The ping is sent to a broadcast address with the victim's address as the spoofed sender, so every host on that network replies to the victim, which cannot keep up with the flood of replies.
    6. Fraggle attack - The UDP counterpart of smurf: floods networks with broadcast UDP traffic to the echo service (port 7) with a spoofed sender address so that the replies converge on the victim.
    7. DDoS attack - Uses many machines to attack one system or network. One early method was the smurf attack just described: a broadcast ping to an entire subnet with the sender faked to be the intended target, producing a flood of ping replies. Attackers now more commonly use many compromised hosts under their control.
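The port scanning entry above says a port that answers a probe reveals a listening service. The following is an added example, not code from the original page: a Python TCP connect scanner that probes a port range concurrently, grabs whatever banner the service sends, and runs against a constructed loopback listener so it can be tried offline. The listener, its banner string and the port window are assumptions made for the demo.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """TCP connect() probe. A completed three-way handshake means a service is
    listening; a refused connection or a timeout means closed or filtered.
    Returns the service banner (possibly empty) for an open port, else None."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:          # ConnectionRefusedError and timeouts are OSError subclasses
            return None
        try:
            return s.recv(128)   # SSH, SMTP and FTP speak first and identify themselves
        except OSError:
            return b""


def scan(host, ports, timeout=0.5, workers=32):
    """Probe each port concurrently; return {port: banner} for the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        banners = pool.map(lambda p: probe(host, p, timeout), ports)
        return {p: b for p, b in zip(ports, banners) if b is not None}


def start_fake_service(banner):
    """Constructed target for the demo: a listener on an ephemeral loopback port
    that greets every client with `banner` and hangs up."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed: stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def scan_local_demo():
    """Run the scanner over a small window around the constructed service's port
    and return (that port, {open port: banner})."""
    srv, port = start_fake_service(b"SSH-2.0-OpenSSH_fake\r\n")   # constructed banner
    try:
        ports = [p for p in (port - 1, port, port + 1) if 0 < p < 65536]
        return port, scan("127.0.0.1", ports)
    finally:
        srv.close()


if __name__ == "__main__":
    port, found = scan_local_demo()
    for p, banner in sorted(found.items()):
        print(f"{p}/tcp open  banner={banner!r}")
```

A connect scan completes the handshake, so every probe shows up in the target's service logs; the quieter half-open (SYN) scan needs raw sockets and root. The banner read is what turns a port number into a service name when the port is non-standard.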
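The replay attack entry and the session hijacking defenses above (a shared secret the server periodically makes the client prove it knows) describe a challenge-response exchange. Here is an added example of that exchange in Python, not code from the original page: the server issues a random single-use nonce, the client answers with an HMAC-SHA256 over it, and a recorded answer replayed later is rejected. The client name, key size, message layout and 30-second validity window are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time


def respond(key: bytes, client_id: str, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the shared key without sending it.
    Binding the client ID into the MAC stops one client's answer being reused
    under another identity."""
    return hmac.new(key, nonce + b"|" + client_id.encode(), hashlib.sha256).digest()


class Authenticator:
    """Server side. Every challenge is a fresh random nonce that is valid once and
    for a short time, so a (nonce, response) pair captured on the wire is
    worthless to an attacker who replays it."""

    def __init__(self, keys: dict, max_age: float = 30.0):
        self.keys = keys              # client_id -> shared secret (assumed pre-provisioned)
        self.max_age = max_age
        self.outstanding = {}         # nonce -> (client_id, issued_at)
        self.redeemed = set()         # nonces already used; keep at least max_age

    def challenge(self, client_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding[nonce] = (client_id, time.monotonic())
        return nonce

    def verify(self, client_id: str, nonce: bytes, response: bytes) -> bool:
        if client_id not in self.keys:
            return False
        if nonce in self.redeemed or nonce not in self.outstanding:
            return False              # replayed, or never issued by us
        issued_to, issued_at = self.outstanding.pop(nonce)
        self.redeemed.add(nonce)      # burn it even if the check below fails
        if issued_to != client_id or time.monotonic() - issued_at > self.max_age:
            return False
        expected = respond(self.keys[client_id], client_id, nonce)
        return hmac.compare_digest(expected, response)   # constant-time compare


def auth_demo():
    """Constructed scenario: one legitimate login, then two attacker attempts.
    Returns (legitimate ok, replay ok, forgery ok)."""
    key = secrets.token_bytes(32)
    server = Authenticator({"alice": key})

    # 1. Legitimate client answers a fresh challenge.
    nonce = server.challenge("alice")
    answer = respond(key, "alice", nonce)
    legit = server.verify("alice", nonce, answer)

    # 2. Attacker sniffed (nonce, answer) and replays it verbatim.
    replay = server.verify("alice", nonce, answer)

    # 3. Attacker obtains a new challenge but has no key, so sends a guess.
    nonce2 = server.challenge("alice")
    forged = server.verify("alice", nonce2, secrets.token_bytes(32))

    return legit, replay, forged


if __name__ == "__main__":
    print(auth_demo())
```

Repeating the same challenge at intervals during an established session is the "periodically verifying that the client knows the secret" defense; it only proves who is at the other end at that moment, so the session traffic itself still needs encryption and integrity protection to stop an attacker injecting commands between checks.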
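The SYN, ping of death, Teardrop and Land entries above each describe a malformed or abusive packet that an intrusion detection system can recognise from the IP and TCP headers alone. The following added example (not code from the original page) is a small Python detector that parses raw IPv4 and TCP headers and flags all four: a SYN whose source equals its destination (Land), a fragment overlapping an earlier one (Teardrop), a fragment placed past the 65,535-byte datagram limit (ping of death), and too many bare SYNs to one host (SYN flood). The sample packets are constructed inline with `struct`; the addresses, ports, IP IDs and the SYN threshold of five are assumptions for the demo, and checksums are neither computed nor checked.

```python
import socket
import struct
from collections import defaultdict

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
TCP_SYN, TCP_ACK = 0x02, 0x10
MAX_DATAGRAM = 65535          # largest legal reassembled IPv4 datagram


def ip_packet(src, dst, proto, payload, ident=0, more_fragments=False, frag_off=0):
    """Constructed IPv4 packet for the demo: 20-byte header, no options, header
    checksum left at zero (the detector does not validate checksums)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_off // 8)   # MF bit + offset in 8-byte units
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                         64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp_segment(sport, dport, flags, seq=0):
    """Minimal 20-byte TCP header, no payload, checksum zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)


def parse_ip(pkt):
    ver_ihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "id": ident,
            "mf": bool(flags_frag & 0x2000), "off": (flags_frag & 0x1FFF) * 8,
            "payload": pkt[ihl:total_len]}


class DoSDetector:
    """Stateful checks for the four packet-level attacks. Fragment state is keyed
    the way a reassembler keys it: (src, dst, IP ID, protocol)."""

    def __init__(self, syn_threshold=100):
        self.syn_threshold = syn_threshold
        self.syns_to = defaultdict(int)        # dst -> bare SYNs seen (no time window in this demo)
        self.fragments = defaultdict(list)     # reassembly key -> [(start, end)] byte ranges seen

    def inspect(self, pkt):
        alerts = []
        ip = parse_ip(pkt)
        start, end = ip["off"], ip["off"] + len(ip["payload"])
        if ip["mf"] or ip["off"]:                       # this packet is a fragment
            if end > MAX_DATAGRAM:                      # ping of death: offset + length overruns the limit
                alerts.append(f"ping-of-death: fragment ends at byte {end} > {MAX_DATAGRAM}")
            key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
            for s, e in self.fragments[key]:            # teardrop: starts inside an earlier fragment
                if start < e and s < end:
                    alerts.append(f"teardrop: fragment {start}-{end} overlaps {s}-{e}")
                    break
            self.fragments[key].append((start, end))
        elif ip["proto"] == IPPROTO_TCP and len(ip["payload"]) >= 20:
            sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", ip["payload"][:14])
            if flags & TCP_SYN and not flags & TCP_ACK:             # connection-opening SYN
                if ip["src"] == ip["dst"] and sport == dport:        # land: target talks to itself
                    alerts.append(f"land: SYN from {ip['src']}:{sport} to itself")
                self.syns_to[ip["dst"]] += 1
                if self.syns_to[ip["dst"]] == self.syn_threshold:    # syn flood: too many half-open attempts
                    alerts.append(f"syn-flood: {self.syn_threshold} SYNs to {ip['dst']}")
        return alerts


def dos_demo():
    """Feed constructed samples through one detector; return {name: alerts}."""
    det = DoSDetector(syn_threshold=5)
    out = {}
    out["benign"] = det.inspect(ip_packet("10.0.0.1", "10.0.0.2", IPPROTO_TCP, tcp_segment(1234, 80, TCP_SYN | TCP_ACK)))
    out["land"] = det.inspect(ip_packet("10.0.0.5", "10.0.0.5", IPPROTO_TCP, tcp_segment(139, 139, TCP_SYN)))
    # Teardrop: the second fragment claims offset 24 while the first covered bytes 0-31.
    det.inspect(ip_packet("10.0.0.9", "10.0.0.5", IPPROTO_UDP, b"A" * 32, ident=7, more_fragments=True))
    out["teardrop"] = det.inspect(ip_packet("10.0.0.9", "10.0.0.5", IPPROTO_UDP, b"B" * 16, ident=7, frag_off=24))
    # Ping of death: last fragment of an ICMP echo placed so the datagram would exceed 65535 bytes.
    out["ping_of_death"] = det.inspect(ip_packet("10.0.0.9", "10.0.0.5", IPPROTO_ICMP, b"C" * 16, ident=8, frag_off=65528))
    # SYN flood: five bare SYNs from different (spoofed) sources to one victim.
    for i in range(1, 6):
        syn = ip_packet(f"203.0.113.{i}", "10.0.0.80", IPPROTO_TCP, tcp_segment(40000 + i, 80, TCP_SYN))
        out["syn_flood"] = det.inspect(syn)
    return out


if __name__ == "__main__":
    for name, alerts in dos_demo().items():
        print(f"{name:14} {alerts}")
```

A production SYN-flood check counts SYNs per destination within a sliding time window and credits the completing ACKs; the demo keeps a plain counter so the result is deterministic. The fragment bookkeeping is the same overlap test a kernel reassembler has to perform before copying fragment data into the buffer.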

Other Attack Methods include:

  • Password cracking - Used to recover the password of a user or administrator on a network and gain unauthorized access, typically by guessing candidates offline against captured password hashes.
  • Source routing - Attackers may be able to break through other friendly but less secure networks and get access to your network using source routing. If a machine that is not normally reachable supports source routing, the attacker can specify that their packets should be routed through that machine, and then try to fool the router into believing the attacker is a trusted machine.
  • Testing whether a system can be reached. This may start with a DNS query, then use other tools to determine whether the target system is available and what users have access to it. Some tools that may be used include:
    1. Nslookup
    2. Ping
    3. Finger
    4. Whois
    5. Telnet
  • Remote dial in - war dialing a bank of numbers to find modems into a private network. The dial-in access may have weak password protection or none.
  • Wireless - both snooping on wireless traffic and systems configured with no security.
  • Impersonating an authorized person - This can be done using various methods including snooping for user IDs and passwords and cracking them, dumpster diving for credentials, replay attack (replay the user authentication session).
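The password cracking entry above, and the sequential and dictionary scanning entries earlier, all come down to guessing candidates and comparing. The block below is an added example, not code from the original page: it cracks constructed shadow-style records in Python with a dictionary pass (plus a few mangling rules) followed by an exhaustive search over short lowercase strings. The hashing scheme (iterated SHA-256 over salt and password), the word list, the salts and the three user records are all assumptions built for the demo.

```python
import hashlib
import itertools
import string


def hash_password(password: str, salt: str, iterations: int = 1) -> str:
    """Constructed toy scheme for the demo: iterated SHA-256 over salt||password.
    Real systems should use a slow, memory-hard KDF (bcrypt, scrypt, Argon2); the
    `iterations` knob shows how a slow hash multiplies the attacker's cost."""
    digest = (salt + password).encode()
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()


def dictionary_attack(target: str, salt: str, wordlist, iterations: int = 1):
    """Dictionary 'scanning': try each word plus a few common mangling rules."""
    for word in wordlist:
        for candidate in (word, word.capitalize(), word + "1", word + "!", word + "123"):
            if hash_password(candidate, salt, iterations) == target:
                return candidate
    return None


def brute_force(target: str, salt: str, alphabet=string.ascii_lowercase,
                max_len: int = 4, iterations: int = 1):
    """Sequential 'scanning': exhaustive search over every string up to max_len.
    26^4 lowercase candidates is about half a million hashes, a second or so here."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hash_password(candidate, salt, iterations) == target:
                return candidate
    return None


def crack(target: str, salt: str, wordlist, iterations: int = 1):
    """Cheap dictionary pass first, then the expensive exhaustive search."""
    hit = dictionary_attack(target, salt, wordlist, iterations)
    return hit if hit is not None else brute_force(target, salt, iterations=iterations)


# Constructed shadow-style records: (user, salt, hash). Plaintexts are chosen to show
# one dictionary hit, one brute-force hit, and one that resists both within the limits.
WORDLIST = ["letmein", "password", "welcome", "dragon", "qwerty"]
RECORDS = [
    ("alice", "x9Qp", hash_password("password1", "x9Qp")),
    ("bob",   "k2Lm", hash_password("zeb", "k2Lm")),
    ("carol", "r7Vt", hash_password("Tr0ub4dor&3", "r7Vt")),
]


def crack_demo():
    """Return {user: recovered password or None} for the constructed records."""
    return {user: crack(h, salt, WORDLIST) for user, salt, h in RECORDS}


if __name__ == "__main__":
    for user, pw in crack_demo().items():
        print(f"{user:6} -> {pw!r}")
```

The attacker's cost is candidates tried times the cost of one hash, which is why a per-user salt (no precomputed tables shared across users) and a deliberately slow hash matter more than the secrecy of the hash file alone.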

    Attack Media

    1. Through a port the firewall permits, to an internal system.
    2. Dial up
    3. Wireless
    4. VPN
    5. A computer carried in from outside
    6. Through an unauthorized or misconfigured dial-out to the internet or another private network.
    7. Email that exploits a vulnerability in an internal system, or lures an authorized person to a website that exploits one.
    8. A website exploiting a vulnerability in a visiting user's system.