Overview of Common Attacks and Exploits

This section reviews some of the more commonly used attacks and exploits available to attackers. It should by no means be considered complete because new attacks are discovered at an alarming rate every day. For a more complete list or more information on the exploits listed here, refer to any of the organizations presented in the previous section:

Denial of service (DoS): A DoS attack attempts to force the target into a failure condition, thereby denying its services to others. There are several ways in which a failure condition can be induced, such as flooding the target with attempts to connect (http://en.wikipedia.org/wiki/Denial-of-service_attack).

Distributed denial of service (DDoS): This type of attack uses a collection of unknowing accomplices to attack a target from multiple locations at once. The accomplices are compromised machines spread out in many different places.

Zero day attacks: A security term for a new attack that is launched before security professionals have detected it, hence "zero day." When it is detected, it becomes day one.

Botnets: A grouping of compromised machines running malicious software under the control of a single controller or bot master. This malicious software runs stealthily and communicates with the command and control server over well-protected channels; these communications are typically carried over chat and instant messaging protocols. Botnets are rented out to third parties to send spam or to take part in a DDoS. The largest botnet as of this writing is Conficker, with an estimated 10+ million machines under its control.

SYN flood attack: A SYN flood attack occurs when a network becomes so overwhelmed by SYN packets initiating incomplete connection requests that it can no longer process legitimate connection requests (thereby causing high CPU, memory, and network usage) and resulting in a DoS.

UDP flood attack: Similar to the ICMP flood, UDP flooding occurs when UDP packets are sent with the purpose of slowing down the system to the point that it can no longer handle valid connections. Flooding port 53 (DNS) is the hallmark modus operandi of this kind of attack.

Port scan attack: Port scan attacks occur when packets are sent with different port numbers with the purpose of scanning the available services, in hopes that one port will respond. When a port is detected as open (because it responded), the hacker can begin looking for ways to compromise the system through that port.

IP spoofing: Spoofing attacks occur when an attacker attempts to bypass the firewall security by imitating a valid client IP address, email address, or user ID. This becomes important when an attacker decides to exploit trust relationships that exist between computers. Usually, administrators set up trust relationships between multiple computers; one of the side benefits to this is a single login for all.

Land (C) attack: Combining a SYN attack with IP spoofing, a land attack occurs when an attacker sends spoofed SYN packets that contain the victim’s IP address as both the destination and source IP address. The receiving system responds by sending the SYN-ACK packet to itself, thereby creating an empty connection that lasts until the idle timeout value is reached. Flooding a system with such empty connections can overwhelm the system, resulting in a DoS condition on the target system.

Tear drop attack: Tear drop attacks exploit the reassembly of fragmented IP packets. In the IP header, one of the fields is the fragment offset. When the offset plus the size of one fragment does not line up with the offset of the next fragment, the fragments overlap, and the server attempting to reassemble the packet can crash.
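The land and tear drop conditions described above, turned into two ingress sanity checks a firewall or IDS would apply. This is an added example, not code from the book; the packet record type, the sample traffic and the IP addresses are constructed for the example.

```python
# Added example (not from the book): land and teardrop checks over constructed packet records.
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class IPv4Packet:                 # constructed record type, not a real library
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    flags: str = ""               # TCP flags, "S" = SYN
    ident: int = 0                # IP identification; fragments of one datagram share it
    frag_offset: int = 0          # fragment offset in 8-byte units, as carried in the header
    payload_len: int = 0          # payload bytes in this fragment
    more_frags: bool = False      # MF bit

def is_land(p: IPv4Packet) -> bool:
    """Land attack: a SYN whose source and destination addresses are identical."""
    return p.proto == "tcp" and "S" in p.flags and p.src == p.dst

def overlapping_fragments(packets: List[IPv4Packet]) -> bool:
    """Teardrop check: True if two fragments of one datagram cover the same bytes.
    A fragment covers [offset*8, offset*8 + payload_len)."""
    by_datagram: Dict[Tuple[str, str, int], List[IPv4Packet]] = {}
    for p in packets:
        if p.more_frags or p.frag_offset:        # only real fragments take part
            by_datagram.setdefault((p.src, p.dst, p.ident), []).append(p)
    for pieces in by_datagram.values():
        pieces.sort(key=lambda f: f.frag_offset)
        end = 0                                   # first byte after the previous fragment
        for f in pieces:
            start = f.frag_offset * 8
            if start < end:                       # this fragment begins inside the last one
                return True
            end = start + f.payload_len
    return False

def inspect(packets: List[IPv4Packet]) -> List[str]:
    alerts = [f"land: {p.src} -> {p.dst}" for p in packets if is_land(p)]
    if overlapping_fragments(packets):
        alerts.append("teardrop: overlapping IP fragments")
    return alerts

# Constructed sample: one land packet, two overlapping fragments, one normal SYN.
SAMPLE = [
    IPv4Packet("192.0.2.10", "192.0.2.10", "tcp", flags="S"),
    IPv4Packet("198.51.100.5", "192.0.2.20", "udp", ident=7, frag_offset=0,
               payload_len=48, more_frags=True),
    IPv4Packet("198.51.100.5", "192.0.2.20", "udp", ident=7, frag_offset=3,
               payload_len=40),                   # starts at byte 24, inside the first
    IPv4Packet("198.51.100.7", "192.0.2.20", "tcp", flags="S"),
]
```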

Ping scan: Similar to a port scan attack, a ping scan attack occurs when an attacker sends ICMP echo requests (or pings) to different destination addresses in hopes that one will reply and, therefore, uncover a potential target’s IP address.

Java/ActiveX/ZIP/EXE: Malicious Java or ActiveX components can be hidden in web pages. When downloaded, these applets install a Trojan horse on your computer. Similarly, Trojan horses can be hidden in compressed files such as .zip, .gzip, .tar, and executable (.exe) files. Enabling this feature blocks all embedded Java and ActiveX applets from web pages and strips attached .zip, .gzip, .tar, and .exe files from email.

Smurf: The little blue folks are not coming back to make your day; rather, ping (ICMP) is being used to target devices via an intermediate device, thus hiding the attacks from the true source. You can read more about Smurf attacks at www.cert.org/advisories/CA-1998-01.html.

Brute force: In a brute force attack, an attacker tries to guess passwords through techniques such as repeatedly trying to log in to an account by using a dictionary of potential passwords.

Source routing: Source routing is an option in an IP packet’s header that defines how packets are routed. When this option is set, many firewalls’ rules are bypassed, thereby allowing access to your network. For example, the IP header can contain routing information that specifies a different source IP address than the header source, which causes the packets to be routed in a different direction. Following are several other ways to control the routing of ICMP packets:

Record route: An attacker sends packets where the IP option is 7 (Record Route). This option is used to record the route of a packet. A recorded route is composed of a series of Internet addresses that an outsider can analyze to learn details about your network’s addressing scheme and topology.

Loose source route: An attacker sends packets where the IP option is 3 (Loose Source Routing). This option provides a means for the source of a packet to supply routing information for the gateways to use to forward the packet to the destination. This option is a loose source route because the gateway or host IP is allowed to use any route of any number of other intermediate gateways to reach the next address in the route.

Strict source route: An attacker sends packets where the IP option is 9 (Strict Source Routing). This option provides a means for a packet’s source to supply routing information for the gateways to use to forward the packet to the destination. This option is a strict source route because the gateway or host IP must send the datagram directly to the next address in the source route, and only through the directly connected network indicated in the next address to reach the next gateway or host specified in the route.
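A parser for the IPv4 option list that flags the three routing options discussed above (Record Route 7, Loose Source Route 3, Strict Source Route 9), which is what a firewall consults before dropping such packets. This is an added example, not code from the book; the sample header and addresses are constructed.

```python
# Added example (not from the book): walk IPv4 header options and flag routing options.
import struct
from typing import List, Tuple

# Option number (low 5 bits of the option type byte) -> name, per RFC 791
ROUTING_OPTIONS = {7: "record_route", 3: "loose_source_route", 9: "strict_source_route"}

def ip_options(header: bytes) -> List[Tuple[int, bytes]]:
    """Return [(option_number, option_data), ...] for every option in an IPv4 header."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts, i, found = header[20:ihl], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                        # End of Option List
            break
        if kind == 1:                        # No Operation: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing its length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")   # malformed options are dropped, not guessed
        found.append((kind & 0x1F, opts[i + 2:i + length]))
        i += length
    return found

def routing_options(header: bytes) -> List[str]:
    """Names of record-route / source-route options present in the header."""
    return [ROUTING_OPTIONS[n] for n, _ in ip_options(header) if n in ROUTING_OPTIONS]

def sample_header(option: bytes) -> bytes:
    """Constructed 20-byte IPv4 header plus one option, padded to a 4-byte boundary."""
    padded = option + b"\x00" * (-len(option) % 4)
    ihl = 5 + len(padded) // 4
    base = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(padded), 0, 0, 64, 6, 0,
                       bytes([198, 51, 100, 5]), bytes([192, 0, 2, 20]))
    return base + padded

# Constructed options: type byte, length, pointer, then one 4-byte hop address.
LSR = bytes([0x83, 7, 4, 192, 0, 2, 1])   # 0x83 = copied flag + number 3
SSR = bytes([0x89, 7, 4, 192, 0, 2, 1])   # 0x89 = copied flag + number 9
RR = bytes([0x07, 7, 4, 0, 0, 0, 0])      # number 7, empty slot to be filled by routers
```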

ICMP flood: An ICMP flood occurs when ICMP pings overload a system with so many echo requests that the system expends all its resources responding until it can no longer process valid network traffic. Several different types of ICMP messages exist, each with its own purpose, and attackers can use them:

ICMP Echo Reply: (Code 0, Echo Reply) A response to a ping. Many firewalls enable ping responses so that internal people can gain access to external resources. Therefore, they are an effective flooding technique.

ICMP Host Unreachable: (Code 3, Destination Unreachable) An error message from a host or router indicating that a packet you sent did not reach its destination.

ICMP Source Quench: (Code 4, Source Quench) A response indicating congestion on the Internet. Someone might be trying to flood your network with these packets in an attempt to convince your machines to slow down data transmission.

ICMP Redirect: (Code 5, Redirect) A message advising the receiver to redirect traffic; for example, to send traffic for network X directly to gateway G2 because that is a shorter path to the destination. Someone might be trying to redirect your default router. This could be a hacker trying to execute a man-in-the-middle attack against you by causing you to route through his own machine.

ICMP Echo Request: (Code 8, Echo Request) These are commonly used ping request packets. They might indicate hostile intent of someone trying to scan your computer, but they might be part of the normal network functionality.

ICMP Time Exceeded for a Datagram: (Code 11, Time Exceeded in Transit) A message indicating that a packet never reached its target because something timed out.

ICMP Parameter Problem on Datagram: (Code 12, Parameter Problem on Datagram) A message advising that something unusual is going on; this probably indicates an attack.

Large ICMP Packet: An ICMP packet with a length greater than 1024 can cause trouble for some devices because ICMP packets are not normally this size.
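Detection logic for the ICMP messages listed above, run over a constructed packet stream: it counts echo requests per source to catch an ICMP flood, alerts on redirects, and alerts on packets larger than 1024 bytes. This is an added example, not code from the book; the numbers the list labels "Code" are used here as ICMP type values, and the flood threshold and sample records are constructed assumptions.

```python
# Added example (not from the book): ICMP flood / redirect / oversize detection.
from collections import defaultdict
from typing import Iterable, List, Tuple

ICMP_TYPES = {0: "echo_reply", 3: "destination_unreachable", 4: "source_quench",
              5: "redirect", 8: "echo_request", 11: "time_exceeded", 12: "parameter_problem"}

ECHO_REQ_THRESHOLD = 100   # echo requests per source per window (assumed tuning value)
LARGE_PACKET = 1024        # bytes; the size threshold given in the text
WINDOW = 1.0               # seconds (assumed)

Record = Tuple[float, str, int, int]   # (timestamp, source, icmp_type, length)

def analyze(records: Iterable[Record], threshold: int = ECHO_REQ_THRESHOLD,
            window: float = WINDOW) -> List[str]:
    """Return alert strings for the constructed (timestamp, src, type, length) records."""
    alerts: List[str] = []
    first_seen = {}                     # src -> start of its current counting window
    counts = defaultdict(int)           # src -> echo requests in the current window
    for ts, src, itype, length in records:
        name = ICMP_TYPES.get(itype, f"type_{itype}")
        if length > LARGE_PACKET:
            alerts.append(f"large ICMP packet ({length} bytes, {name}) from {src}")
        if itype == 5:
            alerts.append(f"ICMP redirect from {src}: possible route hijack")
        if itype == 8:
            start = first_seen.setdefault(src, ts)
            if ts - start > window:     # window expired: start counting afresh
                first_seen[src], counts[src] = ts, 0
            counts[src] += 1
            if counts[src] == threshold:   # fire once per window, not on every packet
                alerts.append(f"ICMP echo-request flood from {src}")
    return alerts

# Constructed sample: 100 pings from one host within 0.5 s, a redirect, an oversized
# echo reply, and a single harmless ping from another host.
SAMPLE: List[Record] = [(i * 0.005, "198.51.100.9", 8, 64) for i in range(100)]
SAMPLE += [(0.6, "192.0.2.1", 5, 56), (0.7, "203.0.113.4", 0, 1500), (0.8, "192.0.2.30", 8, 64)]
```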

Sniffing packets: A sniffer places the network interface card into a special mode, promiscuous mode, so that it captures every packet on the segment; this is a passive attack. Do not be fooled into thinking that there is no danger because it is passive. For an attacker to get a sniffer onto your LAN, serious security issues have already occurred, and now that the attacker can see most of the packets on your LAN, there is a definite threat.

This is simply a short list of the thousands of vulnerabilities known today. Now imagine the effectiveness of a coordinated attack using some of these vulnerabilities. It puts it in a different perspective, doesn’t it?
