How to Classify Network Security Attacks
When classifying threats, the attacker's perspective, as it becomes visible in the attacks themselves, is a useful basis for forming categories. Attack patterns are a powerful way to capture and communicate that perspective: each pattern is a general description of a method used to exploit a vulnerability. The concept is derived from design patterns, applied in a destructive rather than a constructive context, and the patterns are based on in-depth analysis of specific real-world exploits.
To improve security, a number of publicly available databases provide attack pattern catalogs and taxonomies for classification. They help in identifying, sharing, and refining attack patterns. The best-known are listed below.
- CAPEC (Common Attack Pattern Enumeration and Classification)
- OWASP (Open Web Application Security Project) ASVS (Application Security Verification Standard)
- WASC TC (Web Application Security Consortium Threat Classification)
- MAEC (Malware Attribute Enumeration and Characterization)
The categories under which threats can be grouped are as follows:
- Enumeration and Fingerprinting with Ping Sweep and Port Scan
Fingerprinting and enumeration are attacks that use legitimate tools for illegitimate purposes. The most common are ping sweeps and port scans, which identify vulnerable services by running a series of tests against hosts and devices. Used illegitimately, a port scan is a series of messages sent to a computer in order to learn which network services it offers, as a prelude to breaking in. The port scanner probes a range of TCP and UDP port numbers on a host to find listening services, which lets the attacker locate weak points.
A ping sweep, which uses ICMP (Internet Control Message Protocol), is a scanning technique for determining which IP addresses map to live hosts. It consists of echo requests sent to many hosts, whereas an ordinary ping targets a single host. It lets attackers find hosts on a network to probe for vulnerabilities.
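Both techniques leave a recognisable footprint in firewall logs: one source touching many distinct ports on a host, or one source sending echo requests to many hosts in a short window. The following detector is an added example, not code from the article; the log format and thresholds are assumptions and the log lines are constructed.

```python
"""Flag port scans and ping sweeps in firewall deny logs (added example)."""
from collections import defaultdict
import re

# Constructed sample lines in a hypothetical format: ts action proto src -> dst:port
SAMPLE_LOG = """\
1700000001 DENY TCP 203.0.113.5 -> 192.0.2.10:22
1700000001 DENY TCP 203.0.113.5 -> 192.0.2.10:23
1700000002 DENY TCP 203.0.113.5 -> 192.0.2.10:25
1700000002 DENY TCP 203.0.113.5 -> 192.0.2.10:80
1700000003 DENY TCP 203.0.113.5 -> 192.0.2.10:110
1700000003 DENY TCP 203.0.113.5 -> 192.0.2.10:143
1700000004 DENY TCP 203.0.113.5 -> 192.0.2.10:443
1700000004 DENY TCP 203.0.113.5 -> 192.0.2.10:3389
1700000010 DENY ICMP 198.51.100.7 -> 192.0.2.1:echo
1700000010 DENY ICMP 198.51.100.7 -> 192.0.2.2:echo
1700000011 DENY ICMP 198.51.100.7 -> 192.0.2.3:echo
1700000011 DENY ICMP 198.51.100.7 -> 192.0.2.4:echo
1700000012 DENY ICMP 198.51.100.7 -> 192.0.2.5:echo
1700000020 ALLOW TCP 192.0.2.50 -> 192.0.2.10:443
1700000021 ALLOW TCP 192.0.2.50 -> 192.0.2.10:443
"""

LINE_RE = re.compile(r"^(\d+) (ALLOW|DENY) (TCP|UDP|ICMP) (\S+) -> (\S+):(\S+)$")

def parse(log):
    """Yield (ts, action, proto, src, dst, port) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, action, proto, src, dst, port = m.groups()
            yield int(ts), action, proto, src, dst, port

def detect(log, window=60, port_threshold=8, host_threshold=5):
    """Return {source: alert} for sources that, within one fixed window of
    `window` seconds, probe at least `port_threshold` distinct (host, port)
    pairs (port scan) or send echo requests to at least `host_threshold`
    distinct hosts (ping sweep). Fixed buckets are a simplification of a
    sliding window; allowed traffic is counted too, since scans may hit
    open ports."""
    ports = defaultdict(set)   # (src, bucket) -> distinct (dst, port) probed
    hosts = defaultdict(set)   # (src, bucket) -> distinct hosts pinged
    for ts, _action, proto, src, dst, port in parse(log):
        key = (src, ts // window)
        if proto in ("TCP", "UDP"):
            ports[key].add((dst, port))
        elif proto == "ICMP" and port == "echo":
            hosts[key].add(dst)
    alerts = {}
    for (src, _), probed in ports.items():
        if len(probed) >= port_threshold:
            alerts[src] = "port scan"
    for (src, _), targets in hosts.items():
        if len(targets) >= host_threshold:
            alerts[src] = "ping sweep"
    return alerts
```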
- IP Spoofing Attack
IP spoofing is primarily a means of establishing a connection that lets the attacker gain root access to a target host and create a backdoor into it. The technique is used whenever unauthorized access is wanted: the intruder sends messages with a source IP address that the target trusts. IP spoofing is possible because routers, when determining the best route between distant computers, examine only the destination address and ignore the source address. In a spoofing attack the attacker poses as a trusted computer by using a trusted internal or external IP address.
With IP spoofing an attacker can also obtain usernames, passwords and account details, and can then send email and messages in someone else's name, which can cause embarrassment. A site can be bombarded using a rudimentary IP spoofing technique: ping requests or other IP packets are sent with a spoofed source, such as a third party's registered public address. When many hosts receive spoofed requests, their collective responses create an unstoppable flood of packets aimed at the spoofed address, resulting in a DoS attack.
For a better understanding of IP spoofing, here is a technical explanation in terms of the OSI model:
TCP/IP works at layers 3 and 4 of the OSI model: IP at layer 3 and TCP at layer 4. IP is a connectionless model; packet headers carry no transaction-state information for routing packets across networks. When a packet is received at layer 3, no acknowledgement is sent back to the source, so delivery cannot be guaranteed. The IP header contains the source and destination IP addresses, and with various tools an attacker can easily modify the source field.
Because IP is stateless, every IP datagram is independent of the others. In IP spoofing, attackers modify the packet headers so that the source address is a trusted IP address. TCP, by contrast, is connection oriented: TCP participants must first build a connection through a three-way handshake. Once the connection is established, TCP ensures reliable data delivery by applying the same acknowledgement process to every packet. The handshake sequence is as follows:
- The client selects an initial sequence number and transmits it.
- The server acknowledges the client's initial sequence number and sends its own sequence number.
- The client acknowledges the server's sequence number, and the connection is open for data transmission.
Sequence prediction is the security weakness in TCP communication that forms the basis of the IP spoofing technique. The attacker guesses the TCP sequence number without seeing a response from the server and uses it to construct a TCP packet; this prediction lets them spoof a trusted host on a LAN. To mount an IP spoofing attack, the attacker exploits the communication between two systems: after listening to the communication, the attacker sends the target a packet with a forged source IP address. If the sequence numbers in the attacker's packet are the ones the target system expects, and the packet arrives before the real one, the attacker's packet is accepted as the trusted packet.
To carry out IP spoofing, attackers must first find the IP address of a trusted host, using a number of tools, and then modify their packets so that they appear to come from it. Alternatively, the attacker can force other unsuspecting hosts to generate traffic that also appears to come from the trusted host, thereby flooding the network.
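Because routers forward on the destination address alone, the defence against spoofing is a filter at the network edge that checks the source address against the interface a packet arrived on (ingress and egress filtering). The following filter is an added example, not code from the article; the interfaces, prefixes and packet tuples are a constructed topology.

```python
"""Ingress/egress anti-spoofing filter (added example, constructed topology)."""
import ipaddress

# Hypothetical router: the source prefixes that are legitimate on each interface.
# None marks the outside interface, where any source except our own prefixes
# and unroutable (bogon) ranges is acceptable.
EXPECTED_SOURCES = {
    "inside":  [ipaddress.ip_network("192.0.2.0/24")],      # LAN behind the router
    "dmz":     [ipaddress.ip_network("198.51.100.0/24")],   # DMZ segment
    "outside": None,
}
INTERNAL = [n for nets in EXPECTED_SOURCES.values() if nets for n in nets]
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def filter_packet(iface, src):
    """Return 'PASS' or 'DROP: <reason>' for a packet whose source address is
    `src` and which arrived on interface `iface`."""
    addr = ipaddress.ip_address(src)
    allowed = EXPECTED_SOURCES[iface]
    if allowed is None:
        # Ingress filtering: nobody outside may claim one of our addresses
        if any(addr in n for n in INTERNAL):
            return "DROP: internal source address arriving from outside"
        if any(addr in n for n in BOGONS):
            return "DROP: unroutable source address from outside"
        return "PASS"
    # Egress filtering: an internal interface may only source its own prefixes,
    # so compromised inside hosts cannot spoof third parties or each other
    if any(addr in n for n in allowed):
        return "PASS"
    return "DROP: source not assigned to interface " + iface

def audit(packets):
    """Apply the filter to (iface, src) tuples and return the drops with reasons."""
    results = [(iface, src, filter_packet(iface, src)) for iface, src in packets]
    return [r for r in results if r[2] != "PASS"]

# Constructed sample traffic: a spoofed 'inside' address from the internet,
# a private address from the internet, and a DMZ host spoofing the LAN
SAMPLE = [("outside", "203.0.113.5"), ("outside", "192.0.2.9"),
          ("outside", "10.1.1.1"), ("inside", "192.0.2.9"), ("dmz", "192.0.2.9")]
```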
- Exploitation of Trust
Trust exploitation occurs when an individual takes advantage of a trust relationship in a network. As an example, System A sits in the DMZ (Demilitarized Zone) of a firewall, and System B sits inside the firewall and trusts System A. An attacker who wants to mount an attack compromises System A from the outside network and is then in a position to leverage that trust. A DMZ is a semi-secure segment of a network used to give outside users access to corporate resources.
Outside users are not allowed to reach the inside servers directly. Because the DMZ may have direct access to inside resources, attackers use it as a springboard for reaching the inside network in a trust exploitation attack.
- Password Attack
Password attacks can be implemented through IP spoofing, brute-force attacks, packet sniffers, Trojan horse programs, dictionary attacks, and key loggers. Although IP spoofing and packet sniffers can also yield passwords, the term password attack generally refers to repeated attempts to identify a user's password, account, or both; because of the repetition, such password attacks are called brute-force attacks.
To execute a brute-force attack, an attacker can use a program that runs across the network and attempts to log in to a shared resource such as a server. After gaining access to the resource, the attacker has the same rights as the authorized user. If those privileges are sufficient, the attacker can create a back door for future entry that survives any later change of password.
Brute-force attacks give attackers access to accounts, which they use to modify critical network services and files. For example, an attacker could alter network routing tables to compromise network integrity, so that all packets pass through the attacker before being forwarded to their destination. This makes the attacker a man in the middle who can monitor all of the traffic.
To reduce this risk, passwords must always be stored in encrypted form. Most systems use an encryption algorithm that creates a one-way hash of the password for storage; this one-way hash cannot be reversed. On most systems stored passwords are never decrypted; they are kept in hashed form for authentication. At login the supplied account name and password are passed through the same algorithm to produce a one-way hash, and the algorithm compares this hash with the hash stored in the system. If the two hashes match, the algorithm concludes that the correct information was provided.
When a password is passed through the algorithm, the result is a password hash. The hash is the output of the algorithm, not an encrypted password. The strength of a hash is that it requires the original username and password and does not allow that information to be retrieved. Hashes are therefore well suited to encoding passwords.
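The storage and login check just described, written out as an added example rather than code from the article. It goes slightly beyond the text by adding a random per-user salt and a slow key-derivation function (PBKDF2), both of which raise the cost of the dictionary and brute-force crackers discussed below; the user store and password are constructed.

```python
"""Store and verify passwords as salted one-way hashes (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor; raise for production use

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    The salt is random per user, so two users with the same password get
    different records and a precomputed table cannot be reused."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(stored, candidate):
    """Recompute the hash of the candidate with the stored salt and compare it
    in constant time; the stored value itself is never reversed."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                     bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(recomputed.hex(), digest_hex)

# Constructed user store: only hashes are kept, never the passwords
USERS = {"alice": hash_password("correct horse battery staple")}
# Dummy record so a login for an unknown user costs the same as a real one
DUMMY = hash_password("")

def login(username, password):
    """Return True only if the user exists and the password hash matches."""
    stored = USERS.get(username)
    if stored is None:
        verify_password(DUMMY, password)  # equalise timing, then refuse
        return False
    return verify_password(stored, password)
```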
Attackers use the following techniques and tools to crack passwords:
- Word list: This program uses a list of words, phrases, numbers, letters, and symbols that people commonly use as passwords. In a dictionary attack, the attacker tries word after word at very high speed until an exact match is found.
- Brute force: This program relies entirely on repetition and computing power; it tries every possible combination until it finds an exact match. It can crack any password, but it is slow and can take a very long time.
- Hybrid crackers: This technique combines the two above and is well suited to cracking weak passwords.
Password cracking attacks can be applied to any application or service that requires authentication.
- Confidentiality and Integrity Attack
A confidentiality breach occurs whenever an attacker accesses sensitive data. Such attacks are difficult, if not impossible, to detect, because attackers can copy the data without the owner's knowledge. They occur when files are left unprotected and globally accessible. An attacker who compromises an exposed web server can use it to reach the database behind it and download the entire customer data set. Through this channel the attacker can read sensitive emails and other reports, all undetected, because no data is deleted.
To compromise confidentiality and integrity, attackers use the following techniques and tools:
- Packet sniffing
- Port scan and Ping sweep
- Overt Channel
- Covert Channel
- Emanation Capture
- Dumpster diving
- Social Engineering
These techniques are used to compromise more than just confidentiality.
- Man in The Middle Attack
A man-in-the-middle attack is a complex attack in which the attacker monitors traffic crossing the network and inserts himself as an intermediary between sender and receiver. One clever variant is posing as a DHCP server: the attacker supplies his own IP address as the default gateway in the DHCP offer. Security violations carried out with man-in-the-middle attacks include:
- Information theft
- Introduction of new information into network sessions
- Hijacking an ongoing session to gain access to internal network resources
- Corruption of transmitted data
- Deriving information about the network and its users by analyzing traffic
An attack may be blind or non-blind. In a blind attack the attacker interferes with the connection from outside and cannot see its sequence and acknowledgement numbers; in a non-blind attack the attacker is wired into the connection path and can. One variant of the man-in-the-middle attack is TCP session hijacking, in which the attacker sniffs traffic to identify the server and client IP addresses and port numbers.
The attacker then modifies his packet headers to spoof the client's TCP/IP packets and waits for the client to send an ACK packet. The ACK packet carries the sequence number of the next packet the client expects. The attacker responds with packets whose source and destination addresses are modified to those of the server and client; this resets and disconnects the legitimate client. The attacker then takes over the communication with the server from that ACK by spoofing the expected sequence number, which the legitimate client had previously sent to the server.
This technique is an attack against confidentiality. Understanding all of these attack types builds the understanding needed to provide the security your network needs, and prepares you for the CCNP certification, which covers all of them.
- Overt and Covert Channel
Overt and covert channels refer to the capability of using a channel to carry information, or to hide information within it.
An overt channel is a transmission channel that tunnels one protocol inside another, for example by inserting clear text into the protocol header of another clear-text protocol.
A covert channel is a transmission channel that encodes data as a set of events.
Internet protocols, and the way data is transmitted over them, provide overt and covert channels in various ways. Attackers use these channels to obtain confidential and unauthorized information, and firewalls do not detect them.
An overt channel bypasses security policy by tunneling one protocol within another. Examples include IM over HTTP, telnet over FTP, and IP over POP3. A common use of an overt channel is instant messaging (IM): most organizations' firewalls block IM but allow outbound HTTP, so a user can leak sensitive information by running IM over an HTTP session.
Steganography, which literally means covered or secret writing, is another example of an overt channel. The importance of privacy, combined with available CPU power, has driven the development of techniques for hiding messages in digitized audio and digital pictures. Only the two parties to the private conversation know which bits of a digital picture carry the hidden message. Steganography is difficult to prevent and to detect.
With a covert channel, information is encoded as some other set of events. An attacker can install a Trojan horse on a target host and use it to write binary information and send it back to the attacker's server. The infected client reports back to the attacker's server with a status report in binary form, in which 0 is represented by a single successful ping per minute and 1 by two successful pings per minute. In this way the attacker can keep connectivity statistics on all compromised clients around the world.
If the firewall does not permit ICMP, another possibility is to have the client visit the attacker's web page. The Trojan horse installed on the client automatically opens a connection to TCP port 80 at a specific IP address, which lets the attacker count how many compromised workstations he controls on a given day. A 1 would mean a single visit and 0 no visit at all.
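What betrays both channels is their shape, not their content: one internal host contacting the same outside address in nearly every minute, with only one or two events per minute, for a long stretch. The detector below is an added example, not code from the article; the event log is constructed and the thresholds are assumptions, and it covers both the ICMP and the TCP port 80 variants because it does not look at the protocol.

```python
"""Detect low-rate periodic beacons such as the ping status channel above
(added example, constructed data)."""
from collections import defaultdict

def beacon_log():
    """Constructed sample events (timestamp, src, dst, proto): 10.0.0.5 pings
    203.0.113.9 once or twice every minute for ten minutes, encoding the bits
    listed below; 10.0.0.6 browses a site normally in a single burst."""
    events = []
    bits = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]
    for minute, bit in enumerate(bits):
        base = 1700000000 + minute * 60
        events.append((base + 5, "10.0.0.5", "203.0.113.9", "ICMP"))
        if bit:  # bit 1 = two pings in the minute, bit 0 = one ping
            events.append((base + 35, "10.0.0.5", "203.0.113.9", "ICMP"))
    # Normal browsing: 15 connections to one site within one minute
    events += [(1700000100 + i, "10.0.0.6", "198.51.100.20", "TCP/80")
               for i in range(15)]
    return events

def find_beacons(events, min_minutes=8, max_per_minute=2):
    """Return {(src, dst, proto): active_minutes} for pairs that contact the
    same destination in at least `min_minutes` distinct minutes while never
    exceeding `max_per_minute` events in any one of them. A steady trickle
    across many minutes, rather than a burst, is the signature of this kind
    of channel; legitimate traffic is bursty and stops."""
    per_minute = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, proto in events:
        per_minute[(src, dst, proto)][ts // 60] += 1
    beacons = {}
    for key, minutes in per_minute.items():
        if len(minutes) >= min_minutes and max(minutes.values()) <= max_per_minute:
            beacons[key] = len(minutes)
    return beacons
```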
- Availability Attack
Attackers can use a number of attacks to compromise availability, such as:
- DoS and DDoS
- ICMP Flooding
- SYN Flooding
- Electrical Power
- Computer Environment
DoS attacks: Denial of Service (DoS) attacks compromise the availability of a host, application, or network. They are widely publicized, very simple to conduct (even an unskilled attacker can carry one out), can cause major loss, and are among the hardest attacks to eliminate. They are considered a serious risk, because an attack of this kind can interrupt business processes. A DoS attack sends a large volume of requests to a server over the internet or an intranet, slowing the affected server down until it is finally unavailable for use.
They differ from all other attacks in that the others focus on acquiring information from the target, whereas a DoS attack makes the service unavailable. This is achieved by exhausting a resource up to its limit within the operating system, application, or network. They require effort and time to execute, yet attackers regard them as trivial, and administrators implement special procedures to limit the damage they cause.
The consequence of a DoS attack is one of the following:
- An application or host becomes unable to handle an unexpected condition; such failures, caused by unexpected interaction between components of a system or by malicious input data, are the results of a DoS attack.
- The system crashes and halts because a host, network, or application cannot handle a huge amount of data. Similarly, if a corporate web server in the DMZ, despite the firewall protecting it, crashes on receiving a large amount of data, and the link connecting the corporation to its service provider is clogged, that is a clear case of DoS.
DDoS attacks, on the other hand, use the combined bandwidth of many machines to target a single machine and produce a much larger flood of traffic. In a Distributed Denial of Service attack the attacker assembles a network of compromised machines running remotely controlled agent attack programs. The master sends instructions, and when the zombies receive them they begin generating malicious traffic aimed at the victim.
DDoS attacks are the next generation of DoS attacks: they are not new, but their scope is. Smurf attacks, SYN flooding of TCP and UDP, and ICMP flooding are similar to DDoS attacks, the difference being scope: the victim of a DDoS attack experiences flooding from many sources. A DoS attack makes a single attempt to flood the target host with packets, while a DDoS attack uses thousands of systems to conduct the attack.
The steps in a DDoS attack are:
- The attacker uses a host to scan for systems to compromise.
- Once a handler system is accessed, zombie software is installed on it to scan for, compromise, and finally infect the agent systems.
- The agent systems are loaded with remote-control attack software.
- The attacker issues instructions to the handler, which controls the agents carrying out the DDoS attack.
A well-known tool for conducting DDoS attacks is Stacheldraht.
- Blended Threats
A blended threat is an attack mechanism that combines the characteristics of worms, Trojan horses, viruses, malware, and spyware to exploit a vulnerability by infecting, propagating, and delivering a payload through several techniques. The vulnerabilities exploited by blended threats include missing HTTP input validation and buffer overflows, and the exploit can be carried out without the attacker's intervention: all it requires is scanning for hosts to infect, embedding code in HTML, or simply spamming.
Most blended threats are described as "zero day", meaning that they were not identified before; attackers pre-test these attacks against antivirus software before releasing them. Blended threats spread and easily breach firewalls and open channels, and within those boundaries they are a challenge to mitigate.