
Vol. 1, No. 1, January-June, 2005

INTERNET ATTACKS
Md. Ezaz Ahmed
Lecturer, CSE & IT

Type of Attacks
There are too many types, methods and mechanisms of attack to provide a comprehensive description. New attack techniques and exploits are constantly being developed and discovered. One of the main advantages of KFSensor is that it assumes all connections made to it are malevolent, as there is no legitimate reason to connect to its simulated servers. Because of this it is effective at detecting new, unknown attack techniques, as it does not rely on signature databases of known attacks. This section provides an introduction to some of the types and techniques used to attack and compromise a system. Ultimately all attacks are originated by people with a motivation to steal, cause vandalism, prove themselves to be elite hackers, or just for the thrill it gives them. Most attacks are actually performed by automated tools that these people release on the Internet.

Virus
Computer viruses have been around a long time. A virus attempts to install itself on a user's system and to spread directly to other files on that system, with the aim that these infected files will be transferred to another machine. The payload of a virus can range from comical pranks to destruction of the system itself. A virus relies on users to spread it by sharing infected files, either directly or via email. Once launched, a virus is completely independent of its creator. Although the most common threat to security, the traditional virus does not attack other systems directly and so is unlikely to be detected by KFSensor.

Worm
A worm is very similar to a virus. The key difference is that a worm attempts to propagate itself without any user involvement. It typically scans other computers for vulnerabilities it is designed to exploit. When such a machine is identified, the worm will attack that machine, copying over its files and installing itself, so that the process can continue. KFSensor excels at detecting worms, as they scan and attempt to attack very large numbers of systems at random.

Trojan
Trojans take their name from the Trojan horse of Greek mythology. Computer trojans work in the same way. A game, screen saver or cracked piece of commercial software is given to a victim. The software may appear to work as normal, but its real purpose is to deliver a payload, such as a virus or a root kit.

Root Kit
A root kit is a piece of software that, once installed on a victim's machine, opens up a port to allow a hacker to communicate with it and take full control of the system. Root kits are also known as back doors. Some root kits give a hacker even more control of a machine than the victim may have themselves. The SubSeven root kit allows an attacker to turn off a victim's monitor, move the mouse and even turn on an installed web cam and watch the victim without their knowledge.

Hybrids
Often malware is a dangerous hybrid that combines the features of the different classifications described above. The SubSeven root kit, for example, is delivered by a trojan and is classified as one.

Department of Computer Science & Information Technology



Scanners
Scanners are tools designed to interrogate machines on the Internet to elicit information about the types and versions of the services that they are running. There are a variety of scanners: some just ping for the presence of a machine, others look for open ports, while others are more specialized, looking for vulnerabilities in a particular type of service or for the presence of a root kit. Scanners are often incorporated into other malware such as worms. Scanners are a favorite tool of a hacker, but are just as useful to security professionals trying to detect and close down system vulnerabilities. KFSensor detects scanners and is effective at misleading them.

Hacker
Hacker, H4x0r5, crackers and black hats are all terms for those individuals that KFSensor is ultimately designed to detect and protect you from. The term hacker is used in this manual to cover all such individuals. Direct, or manual, actions by a hacker are much rarer than the attacks launched by the tools described above. Hackers usually only attack a system directly once it has been identified as vulnerable or has already been exploited by an automated tool.

Summary of attack types:

Attack         Description
DoS            Denial of Service.
Trojan Horse   Comes with other software.
Virus          Reproduces itself by attaching to other executable forms.
Worm           Self-reproducing program; creates copies of itself. Worms that spread using e-mail address books are often called viruses.
Logic Bomb     Dormant until an event triggers it (date, user action, random trigger, etc.).
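The text says KFSensor treats every connection to its simulated services as hostile, and that scanners give themselves away by probing many ports on many hosts. The following Python example is added here to illustrate that idea; it is not KFSensor's code and is not part of the original article. It groups constructed honeypot connection records by source address and flags any source that touches several distinct ports within a short time window. The records, addresses, thresholds and the window length are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample of connection records from a honeypot-style listener:
# (timestamp in seconds, source IP, destination port). Made up for illustration.
SAMPLE_CONNECTIONS = [
    (0, "198.51.100.7", 21),
    (1, "198.51.100.7", 22),
    (1, "198.51.100.7", 23),
    (2, "198.51.100.7", 25),
    (2, "198.51.100.7", 80),
    (3, "198.51.100.7", 110),
    (4, "198.51.100.7", 139),
    (5, "198.51.100.7", 443),
    (10, "203.0.113.9", 80),     # same host returning to one port: not a scan
    (70, "203.0.113.9", 80),
    (130, "203.0.113.9", 80),
    (0, "192.0.2.44", 1433),     # two ports only: below the default threshold
    (0, "192.0.2.44", 1434),
]


def hit_summary(connections):
    """Every connection to a honeypot is worth recording: return {source: hit count}."""
    counts = defaultdict(int)
    for _, src, _ in connections:
        counts[src] += 1
    return dict(counts)


def detect_scanners(connections, distinct_ports=5, window_seconds=60):
    """Return {source: sorted list of all ports it touched} for every source that
    probed at least `distinct_ports` different ports within any `window_seconds`
    span. A sliding window per source keeps memory bounded on long logs."""
    by_source = defaultdict(list)
    for ts, src, port in connections:
        by_source[src].append((ts, port))

    flagged = {}
    for src, events in by_source.items():
        events.sort()
        window = []                      # events inside the current time window
        for ts, port in events:
            window.append((ts, port))
            while ts - window[0][0] > window_seconds:
                window.pop(0)            # expire events older than the window
            if len({p for _, p in window}) >= distinct_ports:
                flagged[src] = sorted({p for _, p in events})
                break
    return flagged


if __name__ == "__main__":
    print("hits per source:", hit_summary(SAMPLE_CONNECTIONS))
    print("likely scanners:", detect_scanners(SAMPLE_CONNECTIONS))
```

The threshold is deliberately separate from the hit summary: on a honeypot even a single hit is reportable, while the port-count rule is what distinguishes a sweep from a host that keeps reconnecting to one decoy service.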

Hacker Attacks
Hacker attacks are those that are not automated by programs such as viruses, worms, or Trojan horse programs. There are various forms that exploit weaknesses in security. Many of these may cause loss of service or system crashes.

IP spoofing - An attacker may fake their IP address so the receiver thinks it is sent from a location that it is not actually from. There are various forms and results of this attack. The attack may be directed to a specific computer, addressed as though it is from that same computer. This may make the computer think that it is talking to itself, which may cause some operating systems such as Windows to crash or lock up. Another form is gaining access through source routing: hackers may be able to break through other friendly but less secure networks and get access to your network using this method.

Man in the middle attack
Session hijacking - An attacker may watch a session open on a network. Once authentication is complete, they may attack the client computer to disable it, and use IP spoofing to claim to be the client who was just authenticated and steal the session. This attack can be prevented if the two legitimate systems share a secret which is checked periodically during the session.
Server spoofing - A C2MYAZZ utility can be run on Windows 95 stations to request LANMAN (in the clear) authentication from the client. The attacker will run this utility, acting like the server, while the user attempts to log in. If the client is tricked into sending LANMAN authentication, the attacker can read their username and password from the network packets sent.
DNS poisoning - This is an attack where DNS information is falsified. This attack can succeed under the right conditions, but may not be very practical as an attack form. The attacker will send incorrect DNS information, which can cause traffic to be diverted. The DNS information can be falsified since name servers do not verify the source of a DNS reply. When a DNS request is sent, an attacker can send a false DNS reply with additional bogus information which the requesting DNS server may cache. This attack can be used to divert users from a correct web server, such as a bank's, and capture information from customers when they attempt to log on.
Password cracking - Used to get the password of a user or administrator on a network and gain unauthorized access.
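The session hijacking entry above names the countermeasure without showing it: both legitimate ends share a secret and re-check it periodically during the session. The Python example below is added to show one way to do that; it is not from the original article and is not any particular product's protocol. The server issues a counter-tagged random challenge, the client answers with an HMAC over the session id and the challenge, and a peer that took over the session after authentication, but without the secret, cannot produce a valid answer. Replaying an earlier answer also fails because each challenge is accepted once. The session id, secret length and message layout are assumptions.

```python
import hashlib
import hmac
import os
import struct


def make_challenge(counter: int) -> bytes:
    """Server side: a monotonically increasing counter followed by a fresh random nonce."""
    return struct.pack(">I", counter) + os.urandom(16)


def prove_session(secret: bytes, session_id: bytes, challenge: bytes) -> bytes:
    """Client side: answer a challenge. Only a holder of the shared secret can do this."""
    return hmac.new(secret, session_id + challenge, hashlib.sha256).digest()


class SessionMonitor:
    """Server-side state for one authenticated session (constructed demo class)."""

    def __init__(self, secret: bytes, session_id: bytes):
        self.secret = secret
        self.session_id = session_id
        self.counter = 0
        self.outstanding = None          # the challenge currently awaiting an answer

    def challenge(self) -> bytes:
        self.counter += 1
        self.outstanding = make_challenge(self.counter)
        return self.outstanding

    def verify(self, proof: bytes) -> bool:
        """True only if `proof` answers the outstanding challenge.
        The challenge is consumed either way, so a captured proof cannot be replayed."""
        if self.outstanding is None:
            return False
        expected = prove_session(self.secret, self.session_id, self.outstanding)
        self.outstanding = None
        return hmac.compare_digest(expected, proof)


def demo():
    """Run the three cases the text implies: legitimate peer, hijacker, replay.
    Returns (legit_ok, hijacker_ok, replay_ok)."""
    secret = os.urandom(32)              # agreed at authentication time (constructed)
    session_id = b"sess-0001"            # assumed session identifier
    monitor = SessionMonitor(secret, session_id)

    c1 = monitor.challenge()
    legit_proof = prove_session(secret, session_id, c1)
    legit_ok = monitor.verify(legit_proof)

    c2 = monitor.challenge()
    hijacker_proof = prove_session(b"no-secret", session_id, c2)   # wrong key
    hijacker_ok = monitor.verify(hijacker_proof)

    monitor.challenge()
    replay_ok = monitor.verify(legit_proof)                        # stale answer
    return legit_ok, hijacker_ok, replay_ok


if __name__ == "__main__":
    print("legit, hijacker, replay =", demo())
```

The periodic check only helps if the secret itself never crosses the network after authentication, which is why the answer is a keyed hash rather than the secret, and why a constant-time comparison is used on the server side.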
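The DNS poisoning entry above rests on one observation: a resolver that does not check where a reply came from, or what it is a reply to, may cache whatever extra records the reply carries. The Python example below is an added illustration of the checks a cautious resolver applies before caching; it is not the article's code and is not taken from any real resolver. It works on already-parsed message fields rather than raw wire format, and the transaction id, addresses, names and the "bailiwick" (the zone the queried server is expected to answer for) are constructed for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Question:
    name: str
    qtype: str


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    data: str
    section: str          # "answer", "authority" or "additional"


@dataclass(frozen=True)
class PendingQuery:
    txid: int
    question: Question
    server_ip: str        # where the query was sent
    server_port: int
    bailiwick: str        # zone this server is expected to answer for


@dataclass(frozen=True)
class Reply:
    txid: int
    question: Question
    source_ip: str
    source_port: int
    records: tuple


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` equals `zone` or lies below it (case-insensitive, trailing dot ignored)."""
    n = name.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def validate_reply(pending: PendingQuery, reply: Reply):
    """Return (accepted, cacheable_records, reason).

    A reply is accepted only if its transaction id, question section and
    source address/port all match the outstanding query. Even then, only
    records inside the queried server's bailiwick are returned for caching,
    so an extra record for some unrelated domain is discarded rather than
    stored."""
    if reply.txid != pending.txid:
        return False, [], "transaction id mismatch"
    if (reply.source_ip, reply.source_port) != (pending.server_ip, pending.server_port):
        return False, [], "reply did not come from the queried server"
    if (reply.question.name.lower(), reply.question.qtype) != (
            pending.question.name.lower(), pending.question.qtype):
        return False, [], "question section does not match the query"
    kept = [r for r in reply.records if in_bailiwick(r.name, pending.bailiwick)]
    dropped = len(reply.records) - len(kept)
    reason = "ok" if dropped == 0 else f"ok, {dropped} out-of-bailiwick record(s) dropped"
    return True, kept, reason


# Constructed scenario: we asked 192.0.2.53 (the bank.example name server) for www.bank.example.
PENDING = PendingQuery(0x1A2B, Question("www.bank.example", "A"), "192.0.2.53", 53, "bank.example")

GOOD_REPLY = Reply(0x1A2B, Question("www.bank.example", "A"), "192.0.2.53", 53,
                   (Record("www.bank.example", "A", "192.0.2.10", "answer"),))

# Same content but the transaction id is wrong: a guess that did not match.
WRONG_TXID = Reply(0x1A2C, Question("www.bank.example", "A"), "192.0.2.53", 53,
                   (Record("www.bank.example", "A", "198.51.100.66", "answer"),))

# Matching reply that also carries an unrelated "helpful" record for another domain.
EXTRA_RECORD = Reply(0x1A2B, Question("www.bank.example", "A"), "192.0.2.53", 53,
                     (Record("www.bank.example", "A", "192.0.2.10", "answer"),
                      Record("mail.other.example", "A", "198.51.100.66", "additional")))


if __name__ == "__main__":
    for label, reply in [("good", GOOD_REPLY), ("wrong txid", WRONG_TXID), ("extra record", EXTRA_RECORD)]:
        ok, kept, why = validate_reply(PENDING, reply)
        print(f"{label:12s} accepted={ok} cached={[r.name for r in kept]} ({why})")
```

The bailiwick filter is the part that addresses the "additional bogus information" the text mentions: matching the transaction id and source stops outright forgeries, but a reply that is otherwise legitimate still must not be allowed to seed the cache with records for names the responding server has no authority over.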


Some DoS Attacks
Ping broadcast - A ping request packet is sent to a broadcast network address where there are many hosts. The source address in the packet is set to the IP address of the computer to be attacked. If the router to the network passes the ping broadcast, all computers on the network will respond with a ping reply to the attacked system. The attacked system will be flooded with ping responses, which will cause it to be unable to operate on the network for some time and may even cause it to lock up. The attacked computer may be on someone else's network. One countermeasure to this attack is to block incoming traffic that is sent to a broadcast address.
Ping of death - An oversized ICMP datagram can crash IP devices that were made before 1996.
Smurf - An attack where a ping request is sent to a broadcast network address with the sending address spoofed, so that many ping replies come back to the victim and overload the victim's ability to process the replies.
Teardrop - A normal packet is sent. A second packet is sent which has a fragmentation offset claiming to be inside the first fragment. This second fragment is too small to even extend outside the first fragment. This may cause an unexpected error condition to occur on the victim host, which can cause a buffer overflow and possible system crash on many operating systems.
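The three DoS techniques above each leave a recognisable mark in the packets themselves: an echo request aimed at a broadcast address, a final fragment whose reassembled datagram would exceed the IPv4 maximum, or a fragment whose byte range lies inside an earlier fragment of the same datagram. The Python example below is added to show how a packet filter or monitor could check for all three; it is not part of the original article. It works on constructed packet summaries (the fields a capture library would already have decoded) rather than raw frames, and assumes a 20-byte IP header with no options and that 192.0.2.255 is the local directed-broadcast address.

```python
from collections import defaultdict

IP_MAX_DATAGRAM = 65535
IP_HEADER_LEN = 20                      # assumption: no IP options
BROADCAST_ADDRS = {"192.0.2.255",       # assumed directed broadcast of the local /24
                   "255.255.255.255"}   # limited broadcast

# Constructed packet summaries for illustration; not real captures.
SAMPLE_PACKETS = [
    # echo request to the subnet broadcast address (ping broadcast / smurf setup)
    {"id": 1, "src": "203.0.113.5", "dst": "192.0.2.255", "proto": "icmp", "icmp_type": 8,
     "ip_id": 100, "frag_offset": 0, "more_frags": False, "payload_len": 56},
    # ordinary echo request to one host
    {"id": 2, "src": "198.51.100.2", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 8,
     "ip_id": 101, "frag_offset": 0, "more_frags": False, "payload_len": 56},
    # two fragments of one ICMP datagram; the last one pushes the total past 65535
    {"id": 3, "src": "198.51.100.3", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": 8,
     "ip_id": 200, "frag_offset": 0, "more_frags": True, "payload_len": 1480},
    {"id": 4, "src": "198.51.100.3", "dst": "192.0.2.10", "proto": "icmp", "icmp_type": None,
     "ip_id": 200, "frag_offset": 8185, "more_frags": False, "payload_len": 100},
    # teardrop-style pair: second fragment (offset 3*8=24, 4 bytes) sits inside the first
    {"id": 5, "src": "198.51.100.4", "dst": "192.0.2.10", "proto": "udp", "icmp_type": None,
     "ip_id": 300, "frag_offset": 0, "more_frags": True, "payload_len": 36},
    {"id": 6, "src": "198.51.100.4", "dst": "192.0.2.10", "proto": "udp", "icmp_type": None,
     "ip_id": 300, "frag_offset": 3, "more_frags": False, "payload_len": 4},
]


def is_broadcast_ping(pkt) -> bool:
    """Echo request addressed to a broadcast address: the countermeasure named in the text."""
    return pkt["proto"] == "icmp" and pkt["icmp_type"] == 8 and pkt["dst"] in BROADCAST_ADDRS


def is_oversized(pkt) -> bool:
    """Final fragment whose reassembled datagram would exceed the IPv4 maximum length."""
    if pkt["more_frags"]:
        return False
    total = IP_HEADER_LEN + pkt["frag_offset"] * 8 + pkt["payload_len"]
    return total > IP_MAX_DATAGRAM


def find_fragment_overlaps(packets):
    """Ids of fragments whose byte range overlaps an earlier fragment of the same datagram.
    Fragments are keyed by (src, dst, ip_id); offsets are in 8-byte units on the wire."""
    seen = defaultdict(list)            # key -> [(start, end)] of fragments already seen
    flagged = []
    for pkt in packets:
        if not (pkt["more_frags"] or pkt["frag_offset"] > 0):
            continue                    # unfragmented datagram
        key = (pkt["src"], pkt["dst"], pkt["ip_id"])
        start = pkt["frag_offset"] * 8
        end = start + pkt["payload_len"]
        if any(start < e and s < end for s, e in seen[key]):
            flagged.append(pkt["id"])
        seen[key].append((start, end))
    return flagged


def analyze(packets):
    """Return a list of (packet id, finding) for everything the three checks flag."""
    findings = []
    for pkt in packets:
        if is_broadcast_ping(pkt):
            findings.append((pkt["id"], "icmp echo request to broadcast address"))
        if is_oversized(pkt):
            findings.append((pkt["id"], "oversized datagram"))
    for pid in find_fragment_overlaps(packets):
        findings.append((pid, "overlapping fragment"))
    return findings


if __name__ == "__main__":
    for pid, finding in analyze(SAMPLE_PACKETS):
        print(f"packet {pid}: {finding}")
```

Dropping inbound packets to a broadcast address, as the text recommends, removes the amplification step; the other two checks catch datagrams that a reassembly routine should never be handed in the first place, which is the safer place to stop them than inside the reassembly code.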

