Thursday, January 14, 2010

↘ Types of Attacks ↙

According to Information Security System, an attack is an intentional or unintentional attempt to cause damage to, or otherwise compromise, the information and/or the systems that support it. If someone casually reads sensitive information not intended for his or her use, this is considered a passive attack. If a hacker attempts to break into an information system, the attack is considered active. If a lightning strike causes a fire in a building, the attack is unintentional.

There are too many types, methods and mechanisms of attack to provide a comprehensive description of all of them. New attack techniques and exploits are constantly being developed and discovered.
One of the main advantages of KFSensor is that it assumes all connections made to it are malevolent, as there is no legitimate reason to connect to its simulated servers. Because of this it is effective at detecting unknown attack techniques as it does not rely on signature databases of known attacks.
This section provides an introduction to some of the types and techniques used to attack and compromise a system.

The perpetrators

Ultimately all attacks originate with people motivated to steal, to vandalise, to prove themselves elite hackers, or simply by the thrill of it. Most attacks, however, are actually performed by automated tools that such people release on the Internet.

· Virus

Computer viruses have a long history. A virus attempts to install itself on a user's system and to spread directly to other files on that system with the aim that these infected files will be transferred to another machine. The payload of a virus can range from 'comical' pranks to destruction of the system itself.
A virus relies on users to spread by sharing infected files either directly or via email. Once launched, a virus is completely independent of its creator.
Although the most common threat to security, the traditional virus does not attack other systems directly and so is unlikely to be detected by KFSensor.

· Worm

A worm is very similar to a virus. The key difference is that a worm attempts to propagate itself without any user involvement. It typically scans other computers for vulnerabilities which it is designed to exploit. When such a machine is identified, the worm will attack that machine, copying over its files and installing itself, so that the process can continue.
KFSensor excels at detecting worms as they scan and attempt to attack very large numbers of systems at random.

· Trojan

Trojans take their name from the trojan horse of Greek mythology.
Computer trojans work in the same way. A game, screen saver or cracked piece of commercial software is given to a victim. The software may appear to work as normal, but its real purpose is to deliver a payload, such as a virus or a root kit.

· Root Kit

A root kit is a piece of software that, once installed on a victim's machine, opens up a port to allow a hacker to communicate with it and take full control of the system. Root kits are also known as back doors. Some root kits give a hacker even more control of a machine than the victim has themselves.
The SubSeven root kit allows an attacker to turn off a victim's monitor, move the mouse and even turn on an installed web cam and watch the victim without their knowledge.

· Hybrids

Often malware is a dangerous hybrid that can combine the features of the different classifications described above. The SubSeven root kit is delivered and classified as a trojan.

· Scanners

Scanners are tools designed to interrogate machines on the Internet to elicit information about the types and versions of the services that they are running. There are a variety of scanners, some just ping for the presence of a machine, others look for open ports, while others are more specialized in looking for vulnerabilities of a particular type of service, or the presence of a root kit. Scanners are often incorporated into other malware such as worms.
Scanners are a favorite tool of a hacker, but are just as useful to security professionals trying to detect and close down system vulnerabilities. KFSensor detects scanners and is effective at misleading them.

· Hacker

Hacker, H4x0r5, crackers and black hats are all terms for those individuals that KFSensor is ultimately designed to detect and offer protection from. The term hacker is used in this manual to cover all such individuals.
Direct, manual actions by a hacker are much rarer than the attacks launched by the tools described above. Hackers usually attack a system directly only once it has been identified as vulnerable or has already been exploited by an automated tool.

Denial of Service (DoS)

A denial of service attack is a simple, but often extremely effective, attack that is difficult, if not impossible, to prevent. The goal of a denial of service attack is to deny access to your particular services, effectively preventing your organization from operating. A denial of service could be launched against any part of your Internet connectivity and network infrastructure.

Flood Pings
An attacker could target your Internet connection, for example, with a DoS attack. By sending a simple flood ping, which barrages the target with ICMP Echo Request packets as fast as possible without waiting for replies, an attacker can cause more traffic than your Internet connection is capable of handling. This effectively prevents you from receiving or replying to legitimate requests. (ICMP is the Internet Control Message Protocol which is used to report errors to devices, usually routers. An echo request packet asks for an ICMP reply; sent continuously, your machine will get bogged down sending ICMP replies.)

Mail Bombing
Another type of denial of service attack is mail bombing, in which an attacker targets your email system by sending overly large email messages to users such as postmaster or webmaster. This not only consumes your Internet connection bandwidth, but also degrades your mail server's capability to handle other email. An attack such as this could easily fill up your mail server's mail store drive, preventing you from sending or receiving new email.

TCP SYN Scan
Another common type of attack is the TCP SYN attack. Typically, when a TCP connection is initiated, the sending machine sends a SYN request, which the recipient machine acknowledges with a SYN-ACK, and the sending machine completes the exchange with an ACK. This three-way handshake sets the stage for a normal TCP connection.
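The scanner behaviour described under Scanners above and the flood ping described under Flood Pings are both visible in a honeypot's connection log as a rate pattern from one source. The following is an added example, not code from the page or from KFSensor: two sliding-window detectors run over a constructed log, one flagging a source that sweeps many distinct ports in a short time, the other a source sending ICMP echo requests faster than a threshold. The log format, the sample addresses and the thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed sample log (not a real KFSensor capture): "<epoch seconds> <proto> <src ip> <dest port>"
# per line, ICMP echo requests on port 0; a ten-port sweep, a normal web client and a 250-packet flood ping.
SAMPLE_LOG = (
    "".join(f"{1000 + i * 0.05:.2f} tcp 203.0.113.5 {p}\n"
            for i, p in enumerate([22, 23, 25, 80, 110, 135, 139, 445, 1433, 3389]))
    + "1000.00 tcp 198.51.100.7 80\n1005.00 tcp 198.51.100.7 80\n1012.00 tcp 198.51.100.7 443\n"
    + "".join(f"{1000 + i * 0.004:.3f} icmp 192.0.2.9 0\n" for i in range(250))
)

def parse_log(text):
    """Parse "<ts> <proto> <src> <port>" lines into tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[1] in ("tcp", "udp", "icmp"):
            events.append((float(fields[0]), fields[1], fields[2], int(fields[3])))
    return sorted(events)

def _window_max(items, window, measure):
    """Largest measure(span) over any span of (ts, value) items lasting at most `window` seconds."""
    items = sorted(items, key=lambda item: item[0])
    best = start = 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure(items[start:end + 1]))
    return best

def find_port_scanners(events, window=10.0, min_ports=8):
    """Sources that touch at least `min_ports` distinct TCP/UDP ports within `window` seconds."""
    by_src = defaultdict(list)
    for ts, proto, src, port in events:
        if proto in ("tcp", "udp"):
            by_src[src].append((ts, port))
    peaks = {src: _window_max(hits, window, lambda span: len({p for _, p in span}))
             for src, hits in by_src.items()}
    return {src: n for src, n in peaks.items() if n >= min_ports}

def find_icmp_floods(events, window=1.0, max_per_window=100):
    """Sources that send more than `max_per_window` ICMP echo requests in any `window` seconds."""
    by_src = defaultdict(list)
    for ts, proto, src, _ in events:
        if proto == "icmp":
            by_src[src].append((ts, None))
    peaks = {src: _window_max(hits, window, len) for src, hits in by_src.items()}
    return {src: n for src, n in peaks.items() if n > max_per_window}
```

On the sample log the port sweep is reported with its peak of 10 distinct ports and the flood source with its peak of 250 echo requests per second, while the ordinary client never crosses either threshold.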

An example of putting it all together

The following description explains how everything described above came together to produce one of the most dangerous and destructive Internet attacks.

Code Red
The Code Red worm first attacked on 18 June 2001. It exploited a buffer overflow vulnerability in the Microsoft Internet Information Server's ISAPI Index Server filter. Even though a patch for this vulnerability had been released by Microsoft some time before, many administrators had not updated their systems. Once infected with Code Red, a system would scan the Internet searching for unpatched IIS installations and infect them using the buffer overflow. Due to the ineffective way in which Code Red generated random IP addresses to scan, it did not spread as rapidly as it could have done.

Code Red II
A new variant, named Code Red II, quickly emerged a month later on 19 July 2001. This had a much better mechanism for selecting random IP addresses and managed to infect 359,000 servers within 14 hours of its release.

Code Red III
Code Red evolved again; by 4 August 2001 its payload was more destructive. It re-configured the web server to allow access to the entire disk drive and installed a trojan.

Nimda
The back door opened by Code Red left thousands of servers open to further attack by hackers and by a new worm called Nimda, which emerged on 18 September 2001.
The Nimda worm is a true hybrid: it spread via the back doors left by Code Red, but also via a vulnerability in Microsoft Outlook, via ASP files, and via misconfigured network shares.

___________________________________________________

Reference:

http://www.keyfocus.net/kfsensor/help/Concepts/con_TypesOfAttacks.php
http://www.comptechdoc.org/independent/security/recommendations/secattacks.html
Introduction to Information Security. Information Security Terminology, page 30.
