Attacks and Malware

Upon completion of this chapter, you will be able to:

+ Describe various types of computer and network attacks
+ Describe the different types of malicious software that exist, including viruses, worms, Trojan horses, and logic bombs
+ Explain how social engineering can be used as a means to gain access to computers and networks
+ Explain the importance of auditing and what should be audited

While hackers and viruses receive the most attention in the news (due to the volume of these forms of attack), they are not the only methods for attacking computer systems and networks. This chapter addresses the many different ways computers and networks come under attack on a daily basis. Each type of attack threatens at least one of the three security requirements mentioned in Chapter 1: confidentiality, integrity, and availability (the CIA of security). Attacks are thus attempts by unauthorized individuals to access or modify information, to deceive the system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

Attacking Computer Systems and Networks

From a high-level standpoint, attacks on computer systems and networks can be grouped into two broad categories: attacks on specific software (such as an application or the operating system itself) and attacks on a specific protocol or service. Attacks on a specific application or operating system are generally possible because of either an oversight in the code (and possibly in the testing of that code) or because of a flaw or bug in the code (again indicating a lack of thorough testing). Attacks on specific protocols or services are attempts to either take advantage of a specific feature of the protocol or service or to use the protocol or service in a manner for which it was not intended.
In addition, the target of an attacker can be of two types: targets of opportunity, where the attacker is attempting to find any machine that is susceptible to a specific vulnerability, and defined targets, where the attacker wants to gain access to a very specific target and must attempt to find a vulnerability that exists in that target. The remainder of this section discusses the various forms of attacks that security professionals need to be aware of.

Denial-of-Service Attacks

Denial-of-Service (DOS) attacks can exploit a known vulnerability in a specific application or operating system, or they may attack features (or weaknesses) in specific protocols or services. In this form of attack, the attacker is attempting to deny authorized users access either to specific information or to the computer system or network itself. The purpose of such an attack can be to simply prevent access to the target system, or the attack can be used in conjunction with other actions in order to gain unauthorized access to a computer or network. For example, a SYN flooding attack may be used to temporarily prevent service to a system in order to take advantage of a trusted relationship that exists between that system and another.

SYN flooding is an example of a DOS attack that takes advantage of the way TCP/IP networks were designed to function, and it can be used to illustrate the basic principles of any DOS attack. SYN flooding utilizes the TCP three-way handshake that is used to establish a connection between two systems. Under normal circumstances, the first system sends a SYN packet to the system it wishes to communicate with. The second system will respond with a SYN/ACK if it is able to accept the request. When the initial system receives the SYN/ACK from the second system, it responds with an ACK packet, and communication can then proceed. This process is shown in Figure 15-1.
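Between sending its SYN/ACK and receiving the client's ACK, the server holds a half-open entry for the connection in a table of finite size. The simulation below is an added example, not code from the book: it models that table with an eviction time-out, replays a constructed stream of SYNs from sources that never answer the SYN/ACK (the SYN flooding attack the text goes on to describe) mixed with legitimate clients, and reports how many legitimate clients are refused. The backlog size, request rates and time-outs are assumptions chosen to make the arithmetic visible; no packets are sent.

```python
"""Simulation of a SYN flood against a TCP listener's half-open connection table.

Added example, not from the book. The listener's backlog is modelled as a table
of SYN_RECEIVED entries that are evicted after a time-out; a constructed stream
of spoofed SYNs (whose SYN/ACKs are never answered) is replayed together with
legitimate clients, and the number of legitimate clients refused is reported.
No packets are sent anywhere; backlog size, rates and time-outs are assumptions.
"""
from dataclasses import dataclass, field
import random


@dataclass
class Listener:
    """A TCP listener with a finite table of half-open connections."""
    backlog: int                    # maximum simultaneous SYN_RECEIVED entries
    timeout: float                  # seconds before an unanswered SYN/ACK is dropped
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> expiry
    dropped_legit: int = 0
    accepted_legit: int = 0

    def expire(self, now: float) -> None:
        """Drop half-open entries whose third handshake packet never arrived."""
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def on_syn(self, now: float, src: tuple, legit: bool) -> bool:
        """Handle one SYN; return True if a half-open entry could be allocated."""
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            if legit:
                self.dropped_legit += 1
            return False                     # table full: the SYN is silently dropped
        self.half_open[src] = now + self.timeout
        if legit:
            # A real client answers the SYN/ACK with an ACK, so its slot is freed
            # at once; a spoofed source never answers, so its slot stays occupied
            # until the time-out evicts it.
            del self.half_open[src]
            self.accepted_legit += 1
        return True


def run_flood(backlog: int, timeout: float, attack_rate: float,
              legit_rate: float, duration: float, seed: int = 1) -> dict:
    """Replay `duration` seconds of `attack_rate` spoofed SYNs/s from random,
    never-repeating sources mixed with `legit_rate` real clients/s."""
    rng = random.Random(seed)
    lst = Listener(backlog=backlog, timeout=timeout)
    events = [(i / attack_rate, False) for i in range(round(attack_rate * duration))]
    # Legitimate SYNs are offset slightly so that, at a shared instant, the attack
    # SYN is processed first (the pessimistic ordering for the legitimate client).
    events += [(i / legit_rate + 1e-4, True) for i in range(round(legit_rate * duration))]
    for now, legit in sorted(events):
        src = (f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}",
               rng.randrange(1024, 65536))
        lst.on_syn(now, src, legit)
    total = lst.accepted_legit + lst.dropped_legit
    return {"legit_total": total, "legit_dropped": lst.dropped_legit,
            "drop_ratio": lst.dropped_legit / total if total else 0.0}


if __name__ == "__main__":
    common = dict(backlog=128, attack_rate=50, legit_rate=5, duration=30)
    # 60 s time-out: 50 spoofed SYNs/s fill 128 slots in about 2.5 s and, with
    # nothing expiring, every later legitimate client is refused.
    print("60 s time-out:", run_flood(timeout=60.0, **common))
    # 3 s time-out: steady-state occupancy is 50/s * 3 s = 150 > 128, so the
    # shorter time-out alone does not save legitimate clients.
    print(" 3 s time-out:", run_flood(timeout=3.0, **common))
    # 2 s time-out: occupancy 50/s * 2 s = 100 < 128 and clients get through,
    # until the attacker simply raises the rate.
    print(" 2 s time-out:", run_flood(timeout=2.0, **common))
```

The quantity that matters is attack rate multiplied by time-out: as long as that product exceeds the backlog, the table stays full and legitimate SYNs are dropped, which is why shortening the time-out (a mitigation the chapter returns to) only buys headroom rather than immunity.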
NOTE: A SYN/ACK is really a combination of the SYN packet sent to the first system, combined with an ACK packet acknowledging the first system's SYN.

In a SYN flooding attack, the attacker sends fake communication requests to the targeted system. Each of these requests will be answered by the target system, which then waits for the third part of the handshake. Since the requests are fake (a nonexistent IP address is used in the requests, so the target system is responding to a system that does not exist), the target will wait for responses that will never come, as shown in Figure 15-2. The target system will drop these connections after a specific time-out period, but if the attacker sends requests faster than the time-out period eliminates them, the system will quickly be filled with requests. The number of connections a system can support is finite, so when more requests come in than can be processed, the system will soon be reserving all its connections for fake requests. At this point, any further requests are simply dropped (ignored), and legitimate users who want to connect to the target system will not be able to. Use of the system has thus been denied to them.

[Figure 15-1: The TCP three-way handshake]

[Figure 15-2: A SYN flooding DOS attack; the target's SYN/ACK responses go to fake addresses and are never acknowledged]

Another simple DOS attack is the famous ping-of-death (POD), and it illustrates the other type of attack, one targeted at a specific application or operating system, as opposed to SYN flooding, which targets a protocol. In the POD attack, the attacker sends an Internet Control Message Protocol (ICMP) packet equal to or exceeding 64KB (which is to say, larger than the 65,535-byte maximum size of an IP packet). This type of packet should not occur naturally (there is no reason for a ping packet to be larger than 64KB); it can only be produced by sending IP fragments whose offsets and lengths add up to more than the maximum, so it is the receiving system's fragment reassembly code that is being attacked. Certain systems were not able to handle this size of packet, and the system would hang or crash.
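The reassembly problem behind the ping of death can be shown without any real packets. The following is an added example, not code from the book: it constructs a fragment set whose offsets and lengths add up to more than 65,535 bytes, shows a reassembler that trusts those header fields writing past its fixed buffer, and beside it a reassembler that checks each fragment's end against the maximum before copying. The fragment sizes and the 65,548-byte payload are constructed values.

```python
"""IP fragment reassembly with the bounds check whose absence made the ping of death work.

Added example, not from the book. make_fragments() builds a constructed fragment set
for a datagram that reassembles to more than the 65,535-byte IPv4 maximum, which the
13-bit fragment offset and 16-bit length header fields are quite able to express.
reassemble_unchecked() copies each fragment to offset*8 in a fixed 64 KiB buffer and
trusts the sender, the pattern that crashed affected systems; reassemble_checked()
rejects any fragment that would land past the end. Sizes here are constructed.
"""
MAX_IP_DATAGRAM = 65535      # largest total length an IPv4 header can express
FRAG_UNIT = 8                # fragment offsets are counted in 8-byte units


class OversizedDatagram(Exception):
    """Fragments would reassemble to more than MAX_IP_DATAGRAM bytes."""


def make_fragments(payload_len: int, mtu_payload: int = 1480) -> list:
    """Split a payload of payload_len 'A' bytes into (offset_units, more_fragments, data)."""
    frags = []
    for start in range(0, payload_len, mtu_payload):
        data = b"A" * min(mtu_payload, payload_len - start)
        frags.append((start // FRAG_UNIT, start + len(data) < payload_len, data))
    return frags


def reassemble_unchecked(frags: list) -> bytearray:
    """Vulnerable pattern: write each fragment where its offset says, with no check
    against the buffer size. In C this write past the end of the buffer corrupts
    adjacent memory; a Python bytearray silently grows instead, so overrun_bytes()
    can measure how far past the end the write went."""
    buf = bytearray(MAX_IP_DATAGRAM)
    for off_units, _more, data in frags:
        start = off_units * FRAG_UNIT
        buf[start:start + len(data)] = data
    return buf


def reassemble_checked(frags: list) -> bytes:
    """Hardened reassembler: every fragment must end within the maximum datagram,
    and non-final fragments must be a whole number of 8-byte units."""
    buf, total = bytearray(MAX_IP_DATAGRAM), 0
    for off_units, more, data in frags:
        start = off_units * FRAG_UNIT
        end = start + len(data)
        if end > MAX_IP_DATAGRAM:
            raise OversizedDatagram(f"fragment at offset {start} would end at {end}")
        if more and len(data) % FRAG_UNIT:
            raise ValueError("non-final fragment length must be a multiple of 8")
        buf[start:end] = data
        total = max(total, end)
    return bytes(buf[:total])


def overrun_bytes(frags: list) -> int:
    """How many bytes past the 65,535-byte buffer the unchecked reassembler wrote."""
    return len(reassemble_unchecked(frags)) - MAX_IP_DATAGRAM


def is_rejected(frags: list) -> bool:
    """True if the checked reassembler refuses the fragment set."""
    try:
        reassemble_checked(frags)
        return False
    except (OversizedDatagram, ValueError):
        return True


if __name__ == "__main__":
    # An ordinary 64-by-te echo request fits in one fragment and passes both paths.
    print("normal ping:", len(reassemble_checked(make_fragments(64))), "bytes")
    # A ping-of-death sized datagram: 65,548 bytes, 13 past the limit once reassembled.
    pod = make_fragments(65548)
    print("unchecked reassembler wrote", overrun_bytes(pod), "bytes past the buffer")
    print("checked reassembler rejects it:", is_rejected(pod))
```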
DOS attacks of this kind are conducted using a single attacking system. A Denial-of-Service attack employing multiple attacking systems is known as a distributed Denial-of-Service (DDOS) attack. The goal of a DDOS attack is the same: to deny the use of or access to a specific service or system. DDOS attacks were made famous in 2000 with the highly publicized attacks on several of the largest sites on the web.

In a DDOS attack, the method used to deny service is simply to overwhelm the target with traffic from many different systems. A network of attack agents (sometimes called zombies) is created by the attacker, and upon receiving the attack command from the attacker, the attack agents commence sending a specific type of traffic against the target. If the attack network is large enough, even ordinary web traffic can quickly overwhelm the largest of sites, such as the ones targeted in 2000.

Creating a DDOS network is not a simple task. The attack agents are not willing agents; they are systems that have been compromised and on which the DDOS attack software has been installed. In order to compromise these agents, the attacker has to have gained unauthorized access to the system or tricked authorized users into running a program that installed the attack software. The creation of the attack network may in fact be a multistep process in which the attacker first compromises a few systems that are then used as handlers or masters, and which in turn compromise other systems. Once the network has been created, the agents wait for an attack message that will include data on the specific target before launching the attack. One important aspect of a DDOS attack that should be mentioned is that with just a few messages to the agents, the attacker can have a flood of messages sent against the targeted system. Figure 15-3 illustrates a DDOS network with agents and handlers.
How can you stop or mitigate the effects of a DOS or DDOS attack? One important precaution is to ensure that you have applied the latest patches and upgrades to your systems and the applications running on them. Once a vulnerability is discovered, it does not take long before multiple exploits are written to take advantage of it. Generally, you will have a small window of opportunity in which to patch your system between the time a vulnerability is discovered and the time exploits become widely available.

[Figure 15-3: A DDOS attack network; the attacker's attack messages pass through handlers to the agents, which flood the target]

Another approach involves changing the time-out option for TCP connections so that attacks such as the SYN flooding attack, described previously, are harder to perform because unused connections are dropped more quickly. Note that a shorter time-out only helps while the attacker's request rate multiplied by the new time-out stays below the number of half-open connections the system can hold; a fast enough flood still fills the table.

For DDOS attacks, much has been written about distributing your own workload across several systems so that any attack against your system would have to target several hosts in order to be completely successful. While this is true, if large enough DDOS networks are created (with tens of thousands of zombies, for example), any network, no matter how much the load is distributed, can be successfully attacked. This approach also involves an additional cost to your organization in order to establish the distributed environment. Addressing the problem in this manner is actually an attempt to mitigate the effect of the attack, as opposed to preventing, or stopping, an attack. In order to prevent a DDOS attack, you have to either be able to intercept or block the attack messages or keep the DDOS network from being established in the first place. Tools have been developed that will scan your systems, searching for sleeping zombies waiting for an attack signal. The problem with this type of prevention approach, however, is that it is not something you can do to prevent an attack on your network; it is something you can do to keep your network from being used to attack other networks or systems.
You have to rely on the rest of the community to test their own systems in order to prevent attacks on yours.

A final option you should consider that will address several forms of DOS and DDOS attacks is to block ICMP packets at your border, since many attacks rely on ICMP. Careful consideration should be given to this approach, because it will also prevent the use of some possibly useful troubleshooting tools, such as ping and traceroute, and will discard ICMP error messages that other protocols depend on (for example, the "fragmentation needed" message used for path MTU discovery).

Backdoors and Trapdoors

Backdoors were originally (and sometimes still are) nothing more than methods used by software developers to ensure that they could gain access to an application even if something were to happen in the future to prevent normal access methods. An example would be a hard-coded password that could be used to gain access to the program in the event that the administrators' own password was lost. The obvious problem with this sort of backdoor (also referred to as a trapdoor) is that, since it is hard-coded, it cannot be removed. Should an attacker learn of the backdoor, all systems running that software would be open to attack.

The term backdoor is also, and more commonly, used to refer to programs that attackers install after gaining unauthorized access to a system, to ensure that they can continue to have unrestricted access to the system even if their initial access method is discovered and blocked. Backdoors can also be installed by authorized individuals inadvertently, should they run software that has been modified to install one (Trojan horses are discussed later in this chapter). Common backdoors include programs such as Back Orifice; if running on your system, they will allow an attacker remote access to your system, access that allows them to perform any function on your system. A variation on the backdoor is the rootkit, and they are established not to gain root access but rather to ensure continued root access. Rootkits are generally installed at a lower level, closer to the actual kernel level of the operating system.

Sniffing

The TCP/IP suite was designed for an environment in which those who connected to the network could be trusted. This friendly assumption is abused by a group of programs that observe network traffic, referred to as sniffers.
A network sniffer is a software or hardware device that is used to observe traffic as it passes through a network on shared broadcast media. The device can be used to view all traffic, or it can target a specific protocol, service, or even string of characters (for example, looking for logins). Normally, the network device that connects a computer to a network is designed to ignore all traffic that is not destined for that computer. Network sniffers ignore this friendly agreement and observe all traffic on the network, whether destined for that computer or others, as shown in Figure 15-4. A network card that is listening to all network traffic and not just its own is said to be in promiscuous mode. Some network sniffers are designed not just to observe all traffic but to modify traffic as well.

Network sniffers can be used by network administrators for monitoring network performance. They can be used to perform traffic analysis, for example, in order to determine what type of traffic is most commonly carried on the network and to determine which segments are most active. They can also be used for network bandwidth analysis and to troubleshoot certain problems (such as duplicate MAC addresses).

Network sniffers can also be used by attackers to gather information that can be used in penetration attempts. Information such as an authorized user's username and password can be viewed and recorded for later use whenever the protocol carrying them does not encrypt them. The contents of e-mail messages can also be viewed as the messages travel across the network. It should be obvious that administrators and security professionals will not want unauthorized network sniffers on their networks because of the security and privacy concerns they introduce.
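What a sniffer actually does with a frame is shown below in an added example that is not code from the book. It models the NIC's normal filter (accept only frames for its own MAC or the broadcast MAC), the promiscuous-mode bypass of that filter, and the decode path from Ethernet through IPv4 to TCP that lets the sniffer pick a cleartext login out of the payload. The frames, MAC and IP addresses and the FTP session are constructed with struct in the block itself; nothing is captured from a real interface.

```python
"""A minimal packet sniffer's decode path, run over constructed frames.

Added example, not from the book. It shows the 'friendly agreement' described in
the text: a NIC normally accepts only frames addressed to its own MAC (or the
broadcast address), while a sniffer in promiscuous mode gets every frame on the
shared medium. The decoder then walks Ethernet -> IPv4 -> TCP and pulls a
cleartext FTP login out of the payload. The frames, MAC and IP addresses are
built here with struct; nothing is captured from a real interface.
"""
import struct

ETH_P_IP = 0x0800
BROADCAST_MAC = b"\xff" * 6


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def build_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str,
                sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; the decoder ignores them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP) + ip + tcp + payload


def nic_accepts(frame: bytes, own_mac: str, promiscuous: bool) -> bool:
    """The filter a normal NIC applies; promiscuous mode switches it off."""
    return promiscuous or frame[:6] in (mac(own_mac), BROADCAST_MAC)


def parse_frame(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP and return the endpoints plus the TCP payload."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
    if frame[14 + 9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(map(str, frame[26:30]))          # source/destination sit at fixed
    dst_ip = ".".join(map(str, frame[30:34]))          # offsets 12 and 16 of the IP header
    tcp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
    data_off = (frame[tcp + 12] >> 4) * 4              # TCP header length in bytes
    return {"src": f"{src_ip}:{sport}", "dst": f"{dst_ip}:{dport}",
            "payload": frame[tcp + data_off:]}


def find_credentials(frames: list, own_mac: str, promiscuous: bool) -> list:
    """Return (src, dst, line) for every USER/PASS line this host's NIC lets through."""
    found = []
    for frame in frames:
        if not nic_accepts(frame, own_mac, promiscuous):
            continue                                   # dropped by the NIC, never decoded
        pkt = parse_frame(frame)
        for line in pkt["payload"].split(b"\r\n"):
            if line.startswith((b"USER ", b"PASS ")):
                found.append((pkt["src"], pkt["dst"], line.decode()))
    return found


# Constructed traffic on one shared segment: alice (MAC ending :01) logs in to an
# FTP server (MAC ending :02); the sniffer runs on a third machine (MAC ending :03)
# that is not a party to that session.
SNIFFER_MAC = "00:00:5e:00:53:03"
FRAMES = [
    build_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", "192.0.2.10", "192.0.2.20",
                40000, 21, b"USER alice\r\n"),
    build_frame("00:00:5e:00:53:02", "00:00:5e:00:53:01", "192.0.2.10", "192.0.2.20",
                40000, 21, b"PASS s3cret!\r\n"),
    build_frame(SNIFFER_MAC, "00:00:5e:00:53:02", "192.0.2.20", "192.0.2.30",
                80, 50000, b"HTTP/1.0 200 OK\r\n"),
]

if __name__ == "__main__":
    print("normal NIC :", find_credentials(FRAMES, SNIFFER_MAC, promiscuous=False))
    print("promiscuous:", find_credentials(FRAMES, SNIFFER_MAC, promiscuous=True))
```

With the NIC filtering normally, the third machine sees only the HTTP reply addressed to it and finds nothing; in promiscuous mode the same decoder recovers alice's username and password from the two FTP frames, which is exactly why cleartext login protocols on a shared segment are a problem.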
Fortunately, in order for network sniffers to be most effective, they need to be on the internal network, which generally means that the chances for outsiders to use them against you are extremely limited.

[Figure 15-4: Network sniffers listen to all network traffic on the segment, not only the traffic addressed to the host they run on]

Spoofing

Spoofing is nothing more than making data look like it has come from a different source. This is possible in TCP/IP because of the friendly assumptions behind the protocols. When the protocols were developed, it was assumed that individuals who had access to the network layer would be privileged users who could be trusted. When a packet is sent from one system to another, it includes not only the destination IP address and port but the source IP address as well. You are supposed to fill in the source with your own address, but there is nothing that stops you from filling in another system's address. This is one of the several forms of spoofing.

Spoofing E-mail

E-mail spoofing is where you send a message with a From address different than your own. This can be easily accomplished, and there are several different ways to do it and programs that can assist you in doing so. A very simple method often used to demonstrate how simple it is to spoof an e-mail address is to telnet to port 25 (the port associated with e-mail) on a system. From there, you can fill in any address for the From and To sections of the message, whether or not the addresses are yours and whether they actually exist or not. There are some simple ways to determine that an e-mail message was probably not sent by the source it claims to have been sent from, but most users do not question their e-mail and will accept where it appears to have come from.
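The telnet-to-port-25 demonstration above can be replayed without a mail server. The block below is an added example, not code from the book: a minimal in-process SMTP server that accepts the commands a person would type (HELO, MAIL FROM, RCPT TO, DATA, QUIT) and stores whatever sender it is given, exactly as an unauthenticated real server does, followed by a spoof_indicators() function with the kind of simple checks the text alludes to (does the connecting host belong to the domain the message claims, does its HELO name match its reverse DNS, does the header From agree with the envelope sender). The host names, addresses and the typed session are constructed values.

```python
"""The telnet-to-port-25 spoof, replayed against a minimal in-process SMTP server.

Added example, not from the book. MiniSmtpServer accepts the commands a person
would type into a telnet session on port 25 and stores whatever sender it is
given, as a real server does; spoof_indicators() applies the kind of simple checks
the text alludes to. Hosts, addresses and the typed session are constructed.
"""
import re


class MiniSmtpServer:
    def __init__(self, peer_ip: str, peer_hostname: str):
        self.peer_ip, self.peer_hostname = peer_ip, peer_hostname  # hostname: reverse DNS
        self.in_data, self.data_lines, self.messages = False, [], []
        self.envelope = {"helo": None, "mail_from": None, "rcpt_to": []}

    def handle(self, line: str) -> str:
        """Process one client line; return the reply ('' while inside DATA)."""
        if self.in_data:
            if line != ".":                                  # message text until a lone dot
                self.data_lines.append(line)
                return ""
            self.in_data = False
            self.messages.append({"envelope": dict(self.envelope), "data": self.data_lines,
                                  "peer_ip": self.peer_ip, "peer_hostname": self.peer_hostname})
            self.data_lines = []
            return "250 OK: queued"
        verb, _, arg = line.partition(" ")
        verb, uarg = verb.upper(), arg.upper()
        if verb in ("HELO", "EHLO"):
            self.envelope["helo"] = arg
            return f"250 mx.example.net Hello {arg} [{self.peer_ip}]"
        if verb == "MAIL" and uarg.startswith("FROM:"):
            self.envelope["mail_from"] = arg[5:].strip(" <>")   # accepted on trust
            return "250 OK"
        if verb == "RCPT" and uarg.startswith("TO:"):
            self.envelope["rcpt_to"].append(arg[3:].strip(" <>"))
            return "250 OK"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "221 Bye" if verb == "QUIT" else "500 Unrecognised command"


def run_session(server: MiniSmtpServer, client_lines: list) -> list:
    """Feed the typed lines to the server; return the two-sided transcript."""
    transcript = ["S: 220 mx.example.net ESMTP"]
    for line in client_lines:
        reply = server.handle(line)
        transcript += ["C: " + line] + (["S: " + reply] if reply else [])
    return transcript


def spoof_indicators(msg: dict) -> list:
    """Cheap checks that a message was probably not sent by the source it claims."""
    dom = lambda addr: addr.rsplit("@", 1)[-1].lower()
    flags = []
    env_from = msg["envelope"]["mail_from"] or ""
    from_hdr = next((l for l in msg["data"] if l.lower().startswith("from:")), "")
    m = re.search(r"<?([^<>\s]+@[^<>\s]+)>?", from_hdr)
    hdr_from = m.group(1) if m else ""
    if hdr_from and dom(hdr_from) != dom(env_from):
        flags.append("header From domain differs from envelope MAIL FROM domain")
    claimed = dom(hdr_from or env_from)
    if claimed and not msg["peer_hostname"].lower().endswith("." + claimed):
        flags.append(f"connecting host {msg['peer_hostname']} is not in {claimed}")
    helo = (msg["envelope"]["helo"] or "").lower()
    if helo and helo != msg["peer_hostname"].lower():
        flags.append(f"HELO name {helo} does not match the connecting host's reverse DNS")
    return flags


# Constructed session: from a host in attacker.example, the attacker claims to be the CEO.
SPOOF_SESSION = [
    "HELO mail.victim.example",
    "MAIL FROM:<ceo@victim.example>",
    "RCPT TO:<finance@victim.example>",
    "DATA",
    'From: "The CEO" <ceo@victim.example>',
    "Subject: Urgent wire transfer",
    "",
    "Please wire the invoice amount today.",
    ".",
    "QUIT",
]


def spoofed_session() -> tuple:
    """Run the constructed session; return (transcript, message the server stored)."""
    srv = MiniSmtpServer(peer_ip="198.51.100.7", peer_hostname="dsl-7.attacker.example")
    return run_session(srv, SPOOF_SESSION), srv.messages[0]


if __name__ == "__main__":
    transcript, msg = spoofed_session()
    print("\n".join(transcript + ["! " + f for f in spoof_indicators(msg)]))
```

Nothing in the exchange stops the sender from claiming ceo@victim.example; the only evidence of the spoof is what the server already knows and the user never sees, namely the connecting address, its reverse name and the HELO string, which is why the checks have to live in the receiving mail system rather than in the reader's judgement.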
A variation on e-mail spoofing, though it is not technically spoofing, is for the attacker to acquire a URL close to the one they want to spoof, so that e-mail sent from their system appears to have come from the official site unless you read the address carefully. For example, if attackers wanted to spoof XYZ Corporation, URL XYZ.Corp.com, the attackers might gain access to a URL that differs from it by only a character or two. An individual receiving a message from the spoofed corporation would not normally suspect it to be a spoof but would take it to be official. This same method can be, and has been, used to spoof web sites. The most famous example of this is probably www.whitehouse.com. The www.whitehouse.gov site is the official site for the White House. In this case, the www.whitehouse.com URL took you to a pornographic site; no one is likely to take the pornographic site to be the official government site, and it was not intended to be taken that way. If, however, the attackers made their spoofed site appear similar to the official one, they could easily convince many viewers that they were at the official site.

IP Address Spoofing

The way the IP protocol is designed to work is to have the originators of any IP packet include their own IP address in the "From" portion of the packet. While this is the intent, there is nothing that prevents a system from inserting a different address in the "From" portion of the packet. This is known as IP Address Spoofing. An IP address may be spoofed for several reasons. In a specific DOS attack known as a smurf attack, the attacker sends a spoofed packet to the broadcast address for a network, which distributes the packet to all systems on that network. In the smurf attack, the packet sent by the attacker to the broadcast address is an echo request with the From address forged so that it appears another system (the target system) has made the echo request.
The normal response of a system to an echo request is an echo reply, and it is used in the ping utility to let users know if a remote system is reachable and responding. In the smurf attack, the spoofed echo request is sent to all systems on the network, so all will respond with an echo reply to the target system, as shown in Figure 15-5. The attacker has sent one packet and has been able to generate as many as 254 responses (one for every host on a network with a 24-bit mask) aimed at the target. Should the attacker send several of these spoofed requests, or send them to several different networks, the target can quickly become overwhelmed with the volume of echo replies it receives.

[Figure 15-5: Spoofing used in a smurf DOS attack; the spoofed echo request is sent to the broadcast address and every echo reply goes to the target]

Spoofing and Trusted Relationships

Spoofing can also take advantage of a trusted relationship between two systems. If two systems are configured to accept the authentication accomplished by each other, an individual logged on to one system might not be forced to go through an authentication process again to access the other system. An attacker can take advantage of this arrangement by sending a packet to one system that appears to have come from a trusted system. Since the trusted relationship is in place, the targeted system may perform the requested task without authentication. Since a reply will often be sent once a packet is received, the system that is being impersonated could interfere with the attack, since it would receive an acknowledgement for a request it never made. The attacker will often initially launch a DOS attack (such as a SYN flooding attack) to temporarily take out the spoofed system for the period of time that the attacker is exploiting the trusted relationship. Once the attack is completed, the DOS attack on the spoofed system would be terminated and, apart from a temporarily unresponsive system, the administrators for the systems may see nothing amiss. Figure 15-6 illustrates a spoofing attack that includes ...
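The amplification in the smurf attack described above, and the two controls that defeat it, can be worked through on a model of the network. The block below is an added example, not code from the book: each Network delivers an echo request arriving from outside to its hosts, every host that still answers broadcast pings replies to the forged source, and the count of replies per attacker packet is the amplification factor. It then shows the result when the border router stops forwarding directed broadcasts, and when the hosts ignore echo requests sent to a broadcast address. Addresses, host counts and packet counts are constructed; nothing is transmitted.

```python
"""Smurf amplification modelled on constructed networks.

Added example, not from the book. Hosts on a /24 receive an ICMP echo request
addressed to the network's broadcast address with a forged source (the target);
every host that answers broadcast pings sends its echo reply to that forged
source. The model counts replies per packet the attacker sent and shows the two
controls that stop it: a border router that does not forward directed broadcasts,
and hosts that ignore echo requests sent to a broadcast address. Addresses and
host counts are constructed; nothing is transmitted.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass
class Host:
    ip: ipaddress.IPv4Address
    answers_broadcast_echo: bool = True     # the classic default that made smurf work


@dataclass
class Network:
    cidr: str
    hosts: list
    forwards_directed_broadcast: bool = True   # border-router behaviour

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.cidr)

    def deliver(self, src: str, dst: str) -> list:
        """Deliver an echo request arriving from outside; return (replier, reply_dst) pairs."""
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip not in self.net:
            return []
        if dst_ip == self.net.broadcast_address:
            if not self.forwards_directed_broadcast:
                return []                                    # router drops it at the edge
            return [(str(h.ip), src) for h in self.hosts if h.answers_broadcast_echo]
        return [(str(h.ip), src) for h in self.hosts if h.ip == dst_ip]   # plain unicast ping


def smurf(networks: list, target: str, requests_per_net: int = 1) -> Counter:
    """Send requests_per_net echo requests with source forged to `target` to each
    network's broadcast address; return echo replies counted by their destination."""
    replies = Counter()
    for net in networks:
        bcast = str(net.net.broadcast_address)
        for _ in range(requests_per_net):
            for _replier, reply_dst in net.deliver(src=target, dst=bcast):
                replies[reply_dst] += 1
    return replies


def full_lan(cidr: str, **host_kwargs) -> Network:
    """A network with every usable address populated (the 254-host worst case for a /24)."""
    return Network(cidr, [Host(ip, **host_kwargs) for ip in ipaddress.ip_network(cidr).hosts()])


def amplification(networks: list, target: str, requests_per_net: int = 1) -> float:
    """Echo replies arriving at the target per packet the attacker actually sent."""
    sent = requests_per_net * len(networks)
    return smurf(networks, target, requests_per_net)[target] / sent


if __name__ == "__main__":
    target = "203.0.113.9"
    lan = full_lan("192.0.2.0/24")
    print("one packet ->", amplification([lan], target), "replies at the target")
    lans = [full_lan("198.51.100.0/24"), full_lan("192.0.2.0/24"), full_lan("10.7.0.0/24")]
    print("3 nets x 20 packets ->", smurf(lans, target, 20)[target], "replies")
    lan.forwards_directed_broadcast = False              # fix 1: router drops directed broadcasts
    print("router fix ->", amplification([lan], target))
    quiet = full_lan("192.0.2.0/24", answers_broadcast_echo=False)   # fix 2: hosts stay silent
    print("host fix ->", amplification([quiet], target))
```

The forged source address is never checked by anyone in this exchange: the router forwards the request because its destination is valid, and each host answers because echo requests are meant to be answered. Either control on its own removes the amplifier, and the target itself can do nothing but absorb the replies.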