Monday, November 3, 2008

Common types of Cyber Attacks

The following are the most common types of atacks an intruder could do when he gets into your network.
Website Defacement
A website defacement is when a Defacer breaks into a web server and alters the hosted website or creates one of his own. Sometimes the Defacer makes fun of the system administrator for failing to maintain server security. Most times the defacement is harmless, however, it can sometimes be used as a distraction to cover up more sinister actions such as uploading malware.

Unsolicited Commercial Email (UCE or SPAM)
E-mail spam, also known as bulk e-mail or junk e-mail is a subset of spam that involves sending nearly identical messages to numerous recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail (UBE). Some definitions of spam specifically include the aspects of email that is unsolicited and sent in bulk.UCE refers specifically to Unsolicited Commercial E-mail.
In addition to wasting people's time with unwanted e-mail, Spam also eats up a lot of network bandwidth. Consequently, there are many organizations, as well as individuals, who have taken it upon themselves to fight Spam with a variety of techniques. But because the Internet is public, there is really little that can be done to prevent Spam, just as it is impossible to prevent junk mail. However, some online services have instituted policies to prevent spammers from spamming their subscribers.
Spam is flooding the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most Spam is commercial advertising, often for dubious products, get-rich-quick schemes, or quasi-legal services. Spam costs the sender very little to send -- most of the costs are paid for by the recipient or the carriers rather than by the sender.

IP Spoofing
Spoofing an IP address is the act of replacing the real source address with a different source address. This is a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host.

Spoofing is the creation of TCP/IP packets using somebody else's IP address. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. That address is only used by the destination machine when it responds back to the source.
A common misconception is that "IP spoofing" can be used to hide your IP address while surfing the Internet, chatting on-line, sending e-mail, and so forth. This is generally not true. Forging the source IP address causes the responses to be misdirected, meaning you cannot create a normal network connection. However, IP spoofing is an integral part of many network attacks that do not need to see responses (blind spoofing). Newer routers and firewall arrangements can offer protection against IP spoofing.

Email Spoofing
E-mail spoofing is a term used to describe fraudulent email activity in which the sender address and other parts of the email header are altered to appear as though the email originated from a different source. E-mail spoofing is a technique commonly used for spam e-mail and phishing to hide the origin of an e-mail message. By changing certain properties of the e-mail, such as the From, Return-Path and Reply-To fields (which can be found in the message header), ill-intentioned users can make the e-mail appear to be from someone other than the actual sender. It is often associated with website spoofing which mimic an actual, well-known website but are run by another party either with fraudulent intentions or as a means of criticism of the organization's activities.
As many spammers now use special software to create random sender addresses, even if the user finds the origin of the e-mail it is unlikely that the e-mail address will be active.
The technique is now used ubiquitously by mass-mailing worms as a means of concealing the origin of the propagation. On infection, worms such as ILOVEYOU, Klez and Sober will often try to perform searches for e-mail addresses within the address book of a mail client, and use those addresses in the From field of e-mails that they send, so that these e-mails appear to have been sent by the third party.

URL Spoofing or Phishing
Another kind of spoofing is "webpage spoofing," also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under control of the attacker. The intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest user names and passwords.
This attack is often performed with the aid of URL spoofing, which exploits web browser bugs in order to display incorrect URLs in the browsers location bar; or with DNS cache poisoning in order to direct the user away from the legitimate site and to the fake one. Once the user puts in their password, the attack-code reports a password error, then redirects the user back to the legitimate sit

Caller ID Spoofing
In public telephone networks, it has for a long while been possible to find out who is calling you by looking at the Caller ID information that is transmitted with the call. There are technologies that transmit this information on landlines, on cellphones and also with VoIP. Unfortunately, there are now technologies (especially associated with VoIP) that allow callers to lie about their identity, and present false names and numbers, which could of course be used as a tool to defraud or harass. Because there are services and gateways that interconnect VoIP with other public phone networks, these false Caller IDs can be transmitted to any phone on the planet, which makes the whole Caller ID information now next to useless. Due to the distributed geographic nature of the Internet, VoIP calls can be generated in a different country to the receiver, which means that it is very difficult to have a legal framework to control those who would use fake Caller IDs as part of a scam.

Login Spoofing
Login spoofing is a technique used to obtain a user's password. The user is presented with an ordinary looking login prompt for username and password, which is actually a malicious program, usually called a Trojan horse under the control of the attacker. When the username and password are entered, this information is logged or in some way passed along to the attacker, breaching security.
To prevent this, some operating systems require a special key combination (called a Secure attention key) to be entered before a login screen is presented, for example Control-Alt-Delete. Users should be instructed to report login prompts that appear without having pressed this secure attention key. Only the kernel, which is the part of the operating system that interacts directly with the hardware, can detect whether the secure attention key has been pressed, so it cannot be intercepted by third party programs, unless the kernel itself has been compromised.

Denial of Service (DoS)
A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to, motives for and targets of a DoS attack may vary, it generally comprises the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.
One common method of attack involves saturating the target machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are implemented by:
forcing the targeted computer to reset, or consume its resources such that it can no longer provide its intended service; and/or,
obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
Although a DoS attack does not usually result in the theft of information or other security loss, it can cost the target person or company a great deal of time and money.
Common forms of denial of service attacks are:
1. Buffer Overflow Attacks
The most common kind of DoS attack is simply to send more traffic to a network address than the programmers who planned its data buffers anticipated someone might send. The attacker may be aware that the target system has a weakness that can be exploited or the attacker may simply try the attack in case it might work. A few of the better-known attacks based on the buffer characteristics of a program or system include:
Sending e-mail messages that have attachments with 256-character file names to Netscape and Microsoft mail programs
Sending oversized Internet Control Message Protocol (ICMP) packets (this is also known as the Packet Internet or Inter-Network Groper (ping) of death)
Sending to a user of the Pine e-mail program a message with a "From" address larger than 256 characters
2. SYN Attack
When a session is initiated between the Transport Control Program (TCP) client and server in a network, a very small buffer space exists to handle the usually rapid "hand-shaking" exchange of messages that sets up the session. The session-establishing packets include a SYN field that identifies the sequence in the message exchange. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply. This leaves the first packet in the buffer so that other, legitimate connection requests can't be accommodated. Although the packet in the buffer is dropped after a certain period of time without a reply, the effect of many of these bogus connection requests is to make it difficult for legitimate requests for a session to get established. In general, this problem depends on the operating system providing correct settings or allowing the network administrator to tune the size of the buffer and the timeout period.
3. Teardrop Attack
This type of denial of service attack exploits the way that the Internet Protocol (IP) requires a packet that is too large for the next router to handle be divided into fragments. The fragment packet identifies an offset to the beginning of the first packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker's IP puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.
4. Smurf Attack
In this attack, the perpetrator sends an IP ping request to a receiving site. The ping packet specifies that it be broadcast to a number of hosts within the receiving site's local network. The packet also indicates that the request is from another site, the target site that is to receive the denial of service. The result will be lots of ping replies flooding back to the innocent, spoofed host. If the flood is great enough, the spoofed host will no longer be able to receive or distinguish real traffic.
5. Viruses
Computer viruses, which replicate across a network in various ways, can be viewed as denial-of-service attacks where the victim is not usually specifically targeted but simply a host unlucky enough to get the virus. Depending on the particular virus, the denial of service can be hardly noticeable ranging all the way through disastrous.
6. Physical Infrastructure Attacks
Here, someone may simply snip a fiber optic cable. This kind of attack is usually mitigated by the fact that traffic can sometimes quickly be rerouted.
7. Mail Bombing
In Internet usage, an e-mail bomb is a form of net abuse consisting of sending huge volumes of e-mail to an address in an attempt to overflow the mailbox or overwhelm the server in a denial-of-service attack. Mailbombing is the act of sending an e-mail bomb, a term shared with the act of sending actual exploding devices through parcel post.
There are two methods of perpetrating an e-mail bomb -- mass mailing and list linking.
Mass mailing consists of sending numerous duplicate mails to the same email ID. These types of mail bombs are simple to design; but due to their extreme simplicity, they can be easily filtered by spam filters.
List linking on the other hand, consists of signing a particular email id up to several subscriptions. This type of bombing is effective as the person has to unsubscribe from all the services manually. In order to prevent this type of bombing, most services send a confirmation email to your inbox when you register for the subscription on that particular website.
8. Hidden file extensions
Windows operating systems contain an option to "Hide file extensions for known file types". The option is enabled by default, but a user may choose to disable this option in order to have file extensions displayed by Windows. Multiple email-borne viruses are known to exploit hidden file extensions. The first major attack that took advantage of a hidden file extension was the VBS/LoveLetter worm which contained an email attachment named "LOVE-LETTER-FOR-YOU.TXT.vbs". Other malicious programs have since incorporated similar naming schemes. Examples include
Downloader (MySis.avi.exe or QuickFlick.mpg.exe)
VBS/Timofonica (TIMOFONICA.TXT.vbs)
VBS/OnTheFly (AnnaKournikova.jpg.vbs)
The files attached to the email messages sent by these viruses may appear to be harmless text (.txt), MPEG (.mpg), AVI (.avi) or other file types when in fact the file is a malicious script or executable (.vbs or .exe, for example).

Distributed Denial of Service (DDoS)
On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.
A hacker begins a DDoS attack by exploiting vulnerability in one computer system and making it the DDoS master. It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets to the target causes a denial of service.
Malware can carry DDoS attack mechanisms; one of the more well known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.
A system may also be compromised with a trojan, allowing the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web.
The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track down and shut down.
Firewalls and IPS can prevent these kind of attacks.

No comments: