Types of Attack

Chapter 1 Introduction and Security Trends
Types of Attack
Q. Active and passive attacks
Ans. Passive attack :
A passive attack is one in which the intruder eavesdrops on the message stream but does not modify it in any way.
Electronic mail, file transfer, and client/server exchanges are examples of transmissions that can be monitored.
Because nothing on the wire is altered, a passive attack is very hard to detect; the emphasis is therefore on prevention (for example, encrypting the traffic) rather than on detection.
The attacker usually needs more time to gather information about the target.
Active attack :
An active attack is one in which the intruder may transmit messages, replay old messages, modify messages in transit, or delete selected messages from the wire.
Active attacks include the modification of transmitted data and attempts to gain unauthorized access to a computer system.
Because an active attack alters the message stream, it is easier to detect than a passive one, but it is harder to prevent outright; the goal is to detect it and recover from any disruption it causes.
In an active attack, the attacker often uses the information collected during a passive attack to launch a successful attack on the target.
Q. Describe Denial of Service attack and Distributed Denial of Service attack.
Ans. DoS Attack :
A denial of service (DoS) attack is a malicious attempt to make a server or a network resource unavailable to its users, usually by temporarily interrupting or suspending the services of a host connected to the Internet.
In a DoS attack, a single computer and a single Internet connection are used to flood a server with packets, with the aim of overloading the targeted server's bandwidth and resources.
The most common type of denial of service attack involves flooding the target resource with external communication requests. This overload prevents the resource from responding to legitimate traffic, or slows its response so significantly that it is rendered effectively unavailable.
Resources targeted in a DoS attack can be a specific computer, a port or service on the targeted system, an entire network, a component of a given network, or any other system component.
DoS attacks may also target human-system communications (e.g. disabling an alarm or printer), or human-response systems (e.g. disabling an important technician's phone or laptop).
DoS attacks can also target tangible system resources, such as computational resources (bandwidth, disk space, processor time); configuration information (routing information, etc.); and state information (for example, unsolicited TCP session resetting).
DDoS Attack :
A DDoS attack uses many devices and multiple Internet connections, often distributed globally, that the attacker controls as what is referred to as a botnet.
A DDoS attack is therefore much harder to deflect, simply because there is no single attacker to defend against: the targeted resource is flooded with requests from hundreds or thousands of sources, and blocking any one of them does not help.
Examples of DoS Attack:
SYN Flooding attack :
(When a system (called the client) attempts to establish a TCP connection to a system providing a service (the server), the client and server exchange a sequence of messages. This connection technique applies to all TCP connections: telnet, Web, email, etc. The client system begins by sending a SYN message to the server, asking the server to open a connection. The server then acknowledges the SYN message by sending a SYN-ACK message to the client, meaning that it accepts the connection from the client (the ACK part) and asks whether the client agrees to open the connection in the opposite direction (the SYN part). The client then finishes establishing the connection by responding with an ACK message to the server. The connection between the client and the server is then open, and service-specific data can be exchanged between them. The potential for abuse arises at the point where the server has sent the acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message. This is a half-open connection.)
A SYN flood attack is an example of a DoS attack that takes advantage of the way TCP/IP networks were designed to function.
A SYN flood abuses the TCP three-way handshake that is used to establish a connection between two systems.
During normal communication, the first system sends a SYN packet to the system it wishes to communicate with. The second system responds with a SYN/ACK if it is able to accept the request. When the initial system receives the SYN/ACK from the second system, it responds with an ACK packet and communication can then proceed.
In a SYN flood attack, the attacker sends fake connection requests to the targeted system. Each of these requests is answered by the target system, which then waits for the third part of the handshake.
Since the requests are fake and carry non-existent (or unresponsive) source IP addresses, the target is responding to a system that does not exist, and it waits for replies that will never come.
The target will drop each of these connections only after a specific timeout period; until then the table of pending connections quickly fills with fake requests.
The number of pending connections the system can hold (the backlog) is finite, so when more requests come in than can be processed, the system will soon have all of its slots reserved for fake requests.
At this point any further requests are simply dropped, and legitimate users who want to connect to the target system will not be able to use it. Service has thus been denied to them.
The server keeps in memory a data structure describing all pending connections. This data structure is of finite size, and it can be overflowed by intentionally creating too many partially-open connections.
Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim server; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages.
This means that the final ACK message will never be sent to the victim server.
The half-open connection data structure on the victim server will eventually be exhausted; the system will then be unable to accept any new incoming connections until the table is emptied out.
There is a timeout associated with a pending connection, so the half-open connections will eventually expire and the victim server will recover.
However, the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can time out the pending connections.
Modern TCP stacks mitigate this with SYN cookies: when the backlog is full the server encodes the connection state in the initial sequence number of its SYN-ACK instead of storing it, so a half-open connection consumes no memory and state is allocated only when the final ACK returns a valid cookie.
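The backlog exhaustion and the SYN-cookie mitigation described above, as an added worked example (not code from the notes): a toy model of the pending-connection table in Python, with time in integer milliseconds. The attacker's source addresses (10.0.0.x), the legitimate client (203.0.113.7), the table size and the timeout are assumptions chosen for the demonstration; the model tracks only table slots and expiry, not real TCP packets.

```python
import hashlib
import hmac
import secrets
import struct

# Toy model of the pending-connection ("backlog") table; times are integer milliseconds.


class SynBacklog:
    """Classic stack: every SYN allocates a slot until the ACK arrives or it times out."""

    def __init__(self, size, timeout_ms):
        self.size = size              # finite number of half-open entries
        self.timeout_ms = timeout_ms  # how long an entry waits for its ACK
        self.pending = {}             # (src_ip, src_port) -> expiry time

    def _expire(self, now):
        self.pending = {k: t for k, t in self.pending.items() if t > now}

    def on_syn(self, src, now):
        """Return True if a SYN-ACK would be sent, False if the SYN is dropped."""
        self._expire(now)
        if src in self.pending:
            return True                      # retransmitted SYN: slot already held
        if len(self.pending) >= self.size:
            return False                     # table full: legitimate SYNs are dropped too
        self.pending[src] = now + self.timeout_ms
        return True

    def on_ack(self, src, now):
        """Third handshake message: frees the slot and completes the connection."""
        self._expire(now)
        return self.pending.pop(src, None) is not None


def flood(backlog, rate_per_sec, duration_s):
    """Attacker sends spoofed SYNs from addresses that never answer.
    Returns the time (ms) at which the last spoofed SYN was sent."""
    interval = 1000 // rate_per_sec
    last = 0
    for n in range(rate_per_sec * duration_s):
        last = n * interval
        spoofed_src = ("10.0.0." + str(n % 254 + 1), 1024 + n)  # hypothetical, unreachable
        backlog.on_syn(spoofed_src, last)    # no ACK ever follows
    return last


def legit_can_connect(backlog, now):
    """A real client (constructed address) attempts the full handshake at time `now`."""
    client = ("203.0.113.7", 50000)
    return backlog.on_syn(client, now) and backlog.on_ack(client, now + 50)


class SynCookieServer:
    """SYN-cookie variant: the SYN-ACK's initial sequence number is a keyed hash of the
    connection identity and a coarse timestamp, so nothing is stored for a half-open
    connection; state is allocated only when an ACK returns a valid cookie."""

    SLOT_MS = 64_000  # cookies stay valid for the current and the previous slot

    def __init__(self):
        self.key = secrets.token_bytes(16)
        self.established = set()

    def _cookie(self, src, slot):
        mac = hmac.new(self.key, repr((src, slot)).encode(), hashlib.sha256).digest()
        return struct.unpack(">I", mac[:4])[0]   # 32-bit ISN

    def on_syn(self, src, now):
        """Return the ISN to put in the SYN-ACK; allocates no memory."""
        return self._cookie(src, now // self.SLOT_MS)

    def on_ack(self, src, acked_isn, now):
        """The ACK echoes our ISN (the +1 of real TCP is ignored in this model)."""
        slot = now // self.SLOT_MS
        if acked_isn in (self._cookie(src, slot), self._cookie(src, slot - 1)):
            self.established.add(src)
            return True
        return False
```

With a 128-entry table, a 60 s timeout and 50 spoofed SYNs per second, the table is full after 2.6 s and stays full for as long as the flood continues, because each expiring slot is refilled at the next spoofed SYN; the legitimate client gets in only once the attacker stops and the entries age out. The cookie server never has a table to exhaust.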
Q. Backdoor and Trapdoor.
Ans. Backdoors :
A back door is a means of access to a computer program that bypasses its security mechanisms.
A programmer may sometimes install a back door so that the program can be accessed for troubleshooting or other purposes. However, attackers often use back doors that they discover or install themselves, as part of an exploit.
In some cases, a worm is designed to take advantage of a back door created by an earlier attack. For example, Nimda gained entrance to web servers through the back door left by Code Red II.
Whether installed as an administrative tool or as a means of attack, a back door is a security risk, because there are always crackers out there looking for any vulnerability to exploit.
Trapdoor :
A trap door is a secret entry point into a program that allows someone who is aware of it to gain access without going through the usual security access procedures.
Trap doors have been used legitimately for many years by programmers to debug and test programs.
Trap doors become threats when they are used by unscrupulous programmers to gain unauthorized access. It is difficult to implement operating system controls for trap doors, because to the operating system a trap door looks like any other code path in the application.
Security measures must therefore focus on the program development and software update activities: code review and auditing of the authentication paths before release.
Programmers do not necessarily program trap doors with malicious intent. They may leave them in place, legitimately, for testing or debugging purposes, or to allow service technicians to access a system in an emergency.
Trap doors can also be introduced into program code inadvertently, and innocently, through weaknesses in design logic.
Many software vendors still include undocumented trap door passwords, which they use for maintenance or possibly for other unknown purposes.
The presence of trap doors and trap door passwords in proprietary software (software whose source code is not distributed) is rarely acknowledged by software companies, but it is exposed from time to time by users, since a password embedded in a binary can be recovered by anyone who disassembles it or extracts its strings.
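A trap door password as it typically appears in code, beside the hardened login path, as an added example (not code from the notes or from any vendor). The user account, the maintenance password "svc-maint-2009" and the PBKDF2 parameters are constructed for the demonstration; the scanner at the end is the kind of development-time check the text calls for, here limited to Python source and to comparisons of a password-like variable against a string literal.

```python
import ast
import hashlib
import hmac
import os


def _digest(password, salt):
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_db(users):
    """Constructed user store: per-user random salt plus digest of the password."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, _digest(pw, salt))
    return db


USERS = make_user_db({"alice": "correct horse battery staple"})  # constructed account


# Vulnerable: a "maintenance" trap door a developer left in (hypothetical credential).
def login_with_trapdoor(username, password, db=USERS):
    if password == "svc-maint-2009":      # undocumented password, valid for every account
        return True
    rec = db.get(username)
    if rec is None:
        return False
    salt, digest = rec
    return hmac.compare_digest(_digest(password, salt), digest)


# Hardened: one authentication path with no bypass, and a constant-time comparison.
_DUMMY = (b"\0" * 16, b"\0" * 32)


def login(username, password, db=USERS):
    rec = db.get(username)
    salt, digest = rec if rec is not None else _DUMMY   # same work for unknown users
    ok = hmac.compare_digest(_digest(password, salt), digest)
    return ok and rec is not None


# Development-time control: flag comparisons of a password-like variable with a string literal.
def find_hardcoded_password_checks(source):
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        sides = [node.left] + node.comparators
        names = [s.id for s in sides if isinstance(s, ast.Name)]
        literals = [s.value for s in sides
                    if isinstance(s, ast.Constant) and isinstance(s.value, str)]
        if literals and any("pass" in n.lower() or "pwd" in n.lower() for n in names):
            hits.append((node.lineno, names[0], literals[0]))
    return hits


# Constructed snippet resembling the vulnerable function above, for the scanner to audit.
SAMPLE_SOURCE = '''
def check(username, password):
    if password == "svc-maint-2009":
        return True
    return verify(username, password)
'''
```

The scanner only catches the most naive form; a trap door that compares against an obfuscated or computed value, or that lives in a different language, needs review of every authentication path rather than pattern matching.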
Q. Describe Spoofing and types of Spoofing Attack.
Ans. Spoofing Attack: A spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage.
E-mail address spoofing:
The sender information shown in e-mails (the "From" field) can be spoofed easily, because SMTP itself does not verify it.
This technique is commonly used by spammers to hide the origin of their e-mails, and it leads to problems such as misdirected bounces (i.e. e-mail spam backscatter).
It can be done by connecting to a mail server with telnet and typing the SMTP commands by hand, supplying any "From" address in the message.
Receivers can only detect it with sender-authentication mechanisms layered on top of SMTP, such as SPF, DKIM and DMARC.
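The telnet session described above and the basic check a receiver can make on it, as an added example (not from the notes): the transcript below is constructed, with attacker.example and example.org as hypothetical domains. The check performed is the identifier-alignment comparison DMARC builds on (does the visible From: domain match the envelope MAIL FROM domain?); a full SPF or DKIM evaluation needs DNS and is not shown.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed transcript of what an attacker types into an SMTP server over telnet.
# "C:" marks client lines; the server's numeric replies are omitted.
SPOOFED_SESSION = [
    "C: HELO attacker.example",
    "C: MAIL FROM:<bulk@attacker.example>",          # envelope sender (what SPF checks)
    "C: RCPT TO:<victim@example.org>",
    "C: DATA",
    'C: From: "IT Support" <helpdesk@example.org>',   # forged header (what the user sees)
    "C: To: victim@example.org",
    "C: Subject: Password reset required",
    "C: ",
    "C: Click the link to keep your account active.",
    "C: .",
]

# Same message sent the honest way: envelope and header agree.
LEGIT_SESSION = [
    "C: HELO mail.example.org",
    "C: MAIL FROM:<helpdesk@example.org>",
    "C: RCPT TO:<victim@example.org>",
    "C: DATA",
    'C: From: "IT Support" <helpdesk@example.org>',
    "C: To: victim@example.org",
    "C: Subject: Scheduled maintenance",
    "C: ",
    "C: Mail will be unavailable on Sunday.",
    "C: .",
]


def parse_session(lines):
    """Return (envelope_sender, parsed message) from a transcript."""
    envelope = None
    data = []
    in_data = False
    for line in lines:
        body = line[3:]                     # strip the "C: " prefix
        if in_data:
            if body == ".":                 # end-of-data marker
                break
            data.append(body)
        elif body.upper().startswith("MAIL FROM:"):
            envelope = parseaddr(body[len("MAIL FROM:"):])[1]
        elif body.upper() == "DATA":
            in_data = True
    return envelope, message_from_string("\n".join(data))


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def header_from_aligned(envelope_sender, msg):
    """True when the visible From: domain matches the envelope sender's domain."""
    header_from = parseaddr(msg.get("From", ""))[1]
    return domain_of(header_from) == domain_of(envelope_sender)
```

Alignment alone does not stop an attacker who registers a look-alike domain and uses it consistently in both places; it only exposes the cheap case where the envelope and header disagree.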
GPS Spoofing :
A GPS spoofing attack attempts to deceive a GPS receiver by broadcasting a slightly more powerful signal than that received from the GPS satellites, structured to resemble a set of normal GPS signals.
These spoofed signals, however, are modified in such a way as to cause the receiver to determine its position to be somewhere other than where it actually is, specifically somewhere chosen by the attacker.
Because GPS receivers work by measuring the time it takes for a signal to travel from each satellite to the receiver, a successful spoofing attack requires that the attacker know precisely where the target is, so that the spoofed signals can be structured with the proper signal delays.
A GPS spoofing attack begins by broadcasting a slightly more powerful signal that produces the correct position, and then slowly deviates towards the position desired by the spoofer, because moving too quickly will cause the receiver to lose signal lock altogether, at which point the spoofer works only as a jammer.
Caller ID spoofing:
Public telephone networks often provide Caller ID information, which includes the caller's name and number, with each call.
However, some technologies (for example VoIP gateways) allow callers to forge Caller ID information and present false names and numbers.
Gateways between networks that allow such spoofing and other public networks then forward that false information.
Since spoofed calls can originate from other countries, the laws in the receiver's country may not apply to the caller.
Spoofing of file-sharing networks:
Spoofing can also refer to copyright holders placing distorted or unlistenable versions of works on file-sharing networks.
Referrer spoofing:
Some websites, especially pornographic paysites, allow access to their materials only from certain approved (login) pages.
This is enforced by checking the Referer header of the HTTP request (the header name is misspelled in the HTTP standard itself).
The Referer header is set by the client, however, so it can be changed to any value (known as "referrer spoofing"), allowing users to gain unauthorized access to the materials. Access control must be based on a server-side session, not on headers the client controls.
ARP Spoofing:
Many of the protocols in the TCP/IP suite do not provide mechanisms for authenticating the source or destination of a message.
They are thus vulnerable to spoofing attacks when extra precautions are not taken by applications to verify the identity of the sending or receiving host.
ARP is one such protocol: a host on the local segment can send unsolicited ARP replies claiming that the gateway's IP address belongs to the attacker's MAC address, and the victims' ARP caches accept the forged binding without any check.
IP spoofing and ARP spoofing in particular may be used to mount man-in-the-middle attacks against hosts on a computer network.
Spoofing attacks that take advantage of TCP/IP suite protocols may be mitigated with static ARP entries or switch features such as dynamic ARP inspection, with firewalls capable of deep packet inspection, or by taking measures to verify the identity of the sender or recipient of a message (for example cryptographic authentication at a higher layer).
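Detection logic for the ARP poisoning described above, as an added example that is not part of the notes: it runs over a constructed list of ARP replies as a sniffer on the segment would record them (192.168.1.1 as the gateway, 192.168.1.20 as the victim, de:ad:be:ef:00:01 as the attacker's MAC are all made up). The first binding seen for each address serves as the baseline; in practice a static table of known gateway and server MACs is the better reference.

```python
from collections import defaultdict

# Constructed ARP replies: (seconds, sender_ip, sender_mac, target_ip).
ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:55", "192.168.1.20"),   # real gateway answers
    (1.0, "192.168.1.20", "aa:bb:cc:dd:ee:01", "192.168.1.1"),   # real victim answers
    (5.0, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.20"),   # attacker claims the gateway
    (5.0, "192.168.1.20", "de:ad:be:ef:00:01", "192.168.1.1"),   # ... and the victim, to the gateway
    (7.0, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.20"),   # periodic re-poisoning
]


def detect_arp_spoofing(replies):
    """Return (time, message) alerts for IP-to-MAC changes and for one MAC
    claiming several IP addresses, the two signatures of a poisoning attack."""
    baseline = {}                 # ip -> mac first seen
    claims = defaultdict(set)     # mac -> ips it has claimed
    alerts = []
    for t, ip, mac, _target in replies:
        known = baseline.setdefault(ip, mac)
        if known != mac:
            alerts.append((t, f"{ip} now claimed by {mac}, baseline {known}"))
        before = len(claims[mac])
        claims[mac].add(ip)
        if len(claims[mac]) > max(before, 1):       # alert once per newly claimed address
            alerts.append((t, f"{mac} claims several addresses: {sorted(claims[mac])}"))
    return alerts
```

Both signatures fire here: the gateway's address flips to the attacker's MAC, and that MAC goes on to claim the victim's address too, which is exactly the two-sided poisoning a man-in-the-middle needs so that traffic in both directions passes through it.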
Q. Describe spoofing and sniffing attacks.
Ans. Spoofing : Spoofing is an active attack by one machine on another. A spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gains an illegitimate advantage. The spoofer appears to be familiar. It is a way of gaining access that is otherwise denied to the individual. Perhaps the person intends to cause problems, or perhaps the individual just wants to have a look around where he is not supposed to be.
Sniffing: Sniffing refers to the use of software or hardware to watch data as it travels over a network. There are legitimate uses for the process; it is then called network analysis and helps network administrators diagnose problems. In the hands of the wrong person, however, a sniffing program can collect passwords and read e-mail. Sniffing is considered a passive security attack.
Q. Describe Sniffing Attack.
Ans. Sniffing: Sniffing refers to the use of software or hardware to watch data as it travels over a network. On a switched network the sniffer sees only its own traffic unless it is placed on a mirror port or diverts traffic to itself, for example with ARP spoofing. There are legitimate uses for the process; it is then called network analysis and helps network administrators diagnose problems. In the hands of the wrong person, however, a sniffing program can collect passwords and read e-mail. Sniffing is considered a passive security attack.
Sniffing means a loss of privacy for those on a network. Along with the loss of privacy goes a loss of trust, which is necessary in many situations.
Sniffing can compromise the privacy of passwords. An Ethernet sniffer can easily capture passwords sent in cleartext by protocols such as Telnet, FTP and HTTP without TLS.
Sniffing can allow unauthorized persons access to financial information, including account numbers for banking and credit cards.
Sniffing private and confidential information contained in e-mail is very common. Having an e-mail viewed by someone other than the intended recipient can cause problems ranging from embarrassment to a breach of national security.
Sniffing can yield low-level protocol information. Anyone who is interested in attacking a network will then have the information needed to do so.
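How a sniffer pulls cleartext passwords out of captured frames, as an added example (not code from the notes): the frames are constructed in the block itself with the struct module (minimal Ethernet/IPv4/TCP headers, no checksums) rather than read from a live interface, and the hosts, ports and credentials in them are made up. The parser walks the three headers to reach the TCP payload and then looks for FTP USER/PASS commands and HTTP Basic authorization; the last frame, an opaque TLS record, yields nothing, which is the point of encryption.

```python
import base64
import re
import struct


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed test input: Ethernet + IPv4 + TCP headers around a payload."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455") + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


CAPTURE = [
    build_frame("192.168.1.20", "192.0.2.10", 40000, 21, b"USER alice\r\n"),
    build_frame("192.0.2.10", "192.168.1.20", 21, 40000, b"331 Password required\r\n"),
    build_frame("192.168.1.20", "192.0.2.10", 40000, 21, b"PASS s3cret!\r\n"),
    build_frame("192.168.1.20", "192.0.2.20", 40001, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    build_frame("192.168.1.20", "192.0.2.30", 40002, 443, bytes(range(0x16, 0x16 + 40))),  # TLS: opaque
]


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/TCP."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                             # header length in bytes
    if ip[9] != 6:                                       # protocol 6 = TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


_FTP = re.compile(r"^(USER|PASS) (\S+)\r\n")
_BASIC = re.compile(r"Authorization: Basic ([A-Za-z0-9+/=]+)")


def extract_credentials(frames):
    """Pull cleartext credentials out of captured TCP payloads."""
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        text = payload.decode("latin-1")      # 1:1 byte mapping: binary payloads never raise
        m = _FTP.match(text)
        if m:
            found.append((dst, dport, m.group(1), m.group(2)))
        m = _BASIC.search(text)
        if m:
            found.append((dst, dport, "HTTP-Basic", base64.b64decode(m.group(1)).decode()))
    return found
```

A real capture would also need TCP stream reassembly (a command split across segments is missed here) and handling of VLAN tags and IPv6, but the credential extraction itself is this simple, which is why the only durable defence is to not put credentials on the wire in cleartext.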
Q. Describe Replay Attack.
Ans. Replay Attack:
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.
This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack.
It is used to gain access to resources by replaying an authentication message, or,
in a denial-of-service attack, to confuse the destination host.
A replay attack is closely related to a man-in-the-middle attack: the man in the middle may just be someone sniffing packets off the wire, whereas in a replay attack the attacker captures traffic and stores or manipulates it before sending it on again later.
Example:
Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of identity, which Alice dutifully provides; meanwhile, Mallory is eavesdropping on the conversation and keeps the password. After the interchange is over, Mallory (posing as Alice) connects to Bob; when asked for proof of identity, Mallory sends Alice's password read from the last session, which Bob accepts.
Countermeasures:
A way to avoid replay attacks is to use session tokens: Bob sends a one-time token to Alice, which Alice uses to transform the password and sends the result to Bob (e.g. computing a hash function of the session token appended to the password). On his side Bob performs the same computation; if and only if both values match, the login is successful. Now suppose Mallory has captured this value and tries to use it in another session; Bob sends a different session token, and when Mallory replies with the captured value it will differ from Bob's computation.
For this to work the token must be unpredictable and never reused, and Bob must reject a response to a token he has already accepted. A captured token/response pair still lets Mallory test password guesses offline, so the scheme must be combined with strong passwords or run over an encrypted channel; timestamps and sequence numbers are other common anti-replay measures.
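The Alice/Bob/Mallory exchange above, first with the naive password check and then with the one-time token, as an added example (not code from the notes). It uses an HMAC of the token keyed with the password in place of the plain hash the text describes (same idea, standard construction), and Alice's password is made up. Both sides of the exchange are modelled; the token store consumes each token on first use so that a replay of the same response is refused.

```python
import hashlib
import hmac
import secrets

PASSWORD_DB = {"alice": b"correct horse battery staple"}   # constructed account


class NaiveServer:
    """Bob asks for the password itself; whatever Mallory captures works again."""

    def login(self, user, password):
        return hmac.compare_digest(PASSWORD_DB.get(user, b""), password)


class ChallengeServer:
    """Bob issues a one-time random token; Alice proves knowledge of the password by
    returning HMAC(password, token). The token is consumed on first use."""

    def __init__(self):
        self.outstanding = {}        # token -> user it was issued to

    def challenge(self, user):
        token = secrets.token_bytes(16)
        self.outstanding[token] = user
        return token

    def login(self, user, token, response):
        if self.outstanding.pop(token, None) != user:    # unknown, already used, or wrong user
            return False
        expected = hmac.new(PASSWORD_DB.get(user, b""), token, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, token):
    """Alice's side: transform the password with Bob's token."""
    return hmac.new(password, token, hashlib.sha256).digest()


def run_naive_scenario():
    """Returns (alice_ok, mallory_ok)."""
    bob = NaiveServer()
    captured = PASSWORD_DB["alice"]                # Mallory sniffs Alice's login
    alice_ok = bob.login("alice", captured)
    mallory_ok = bob.login("alice", captured)      # replayed verbatim
    return alice_ok, mallory_ok


def run_challenge_scenario():
    """Returns (alice_ok, replay_same_token, replay_on_new_token)."""
    bob = ChallengeServer()
    token = bob.challenge("alice")
    response = client_response(PASSWORD_DB["alice"], token)   # Mallory captures token+response
    alice_ok = bob.login("alice", token, response)
    replay_same = bob.login("alice", token, response)          # token already consumed
    token2 = bob.challenge("alice")                            # Bob issues a fresh token
    replay_new = bob.login("alice", token2, response)          # response bound to the old token
    return alice_ok, replay_same, replay_new
```

Note what the scheme does not give: Mallory holds (token, response) and can try candidate passwords against it offline, so it protects against replay, not against a weak password.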
Q. Describe Man-In-The-Middle Attack.
Or
Explain Bucket Brigade Attack
Ans. Man-In-The-Middle Attack:
An attack in which an intruder gets between the sender and the receiver of information and sniffs any information being sent.
In some cases, users may be sending unencrypted data, which means the man-in-the-middle (MITM) can read any of it directly.
In other cases, the attacker may be able to capture the information, but has to decrypt it before it can be read.
Man-in-the-middle is a type of eavesdropping attack that occurs when a malicious actor inserts himself as a relay/proxy into a communication session between people or systems.
A MITM attack exploits the real-time processing of transactions, conversations, or transfers of other data.
A man-in-the-middle attack allows an attacker to intercept, send, and receive data never meant for them, without either party knowing until it is too late.
The attacker intercepts some or all traffic coming from the computer, collects the data, and then forwards it to the destination the user was originally intending to visit.
Once the attacker has intruded into the communication between the two endpoints, he or she can inject false information and intercept the data transferred between them.
The defence is for the endpoints to authenticate each other and the messages (for example with TLS certificate validation), so that a relay inserted in the path cannot present itself as the legitimate peer.
Q. Describe TCP/Session Hijacking Attack.
Ans. Session hijacking attack :
Session hijacking is a method of taking over a Web user's session by surreptitiously obtaining the session ID and masquerading as the authorized user. (The term TCP session hijacking is also used for the lower-level attack in which an attacker predicts TCP sequence numbers to inject packets into an established connection; the description below covers the application-layer form.)
Once the user's session ID has been obtained, whether through session prediction, sniffing, or cross-site scripting, the attacker can masquerade as that user and do anything the user is authorized to do on the network.
Session hijacking is an attack by which a hacker exploits a valid computer session and gains access to a client's session identifier.
Since HTTP is a stateless protocol, when a user logs into a website, a session is created on that Web server for that user. This session contains all of the user's information being used by the server, so that the username and password are not needed at every page request.
The server uses a unique identifier called a session identifier to tie this user to this session; the session identifier is passed between the web server and the user's computer on every request (usually in a cookie).
Session hijacking is an attack by which the hacker steals this user's session identifier and then sends it as their own to the server, tricking the server into thinking they are that user.
After gaining access to a client's session identifier for a website, the hacker injects the client's session identifier into his or her own browser. From then on, when the attacker connects to that website, since his session identifier is the same as the authentic user's, he will be logged in as that user and will have access to all of that user's information and privileges on that website.
Preventing session hijacking attacks :
Use secure connections (TLS, formerly SSL): TLS creates an encrypted connection between the client and server, so the session identifier cannot be read off the wire; the cookie should also carry the Secure and HttpOnly flags so it is never sent over cleartext HTTP and cannot be read by injected scripts.
Regenerate the user's session identifier often, and always at login: even if the attacker manages to steal a user's session identifier, once it is regenerated the identifier he stole is useless.
Implement an IP address check to match a user's session identifier to his or her IP address. This is a weak control on its own: users behind NAT or on mobile networks change addresses, and an attacker on the same NAT shares the victim's address.
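The three preventions above implemented in one server-side session store, as an added example (not code from the notes or from any web framework): random identifiers, regeneration at login, an idle timeout, the IP binding check, and the cookie attributes that keep the identifier off cleartext HTTP and away from page scripts. The client addresses and the scenario in hijack_scenario are constructed; it also shows the limit of the IP check when the attacker shares the victim's address.

```python
import secrets


class SessionStore:
    """Server-side sessions keyed by a random identifier sent to the browser in a cookie."""

    def __init__(self, idle_timeout=900):
        self.sessions = {}            # sid -> {"user", "ip", "last_seen"}
        self.idle_timeout = idle_timeout

    def create(self, ip, now):
        sid = secrets.token_urlsafe(32)   # 256 random bits: not predictable
        self.sessions[sid] = {"user": None, "ip": ip, "last_seen": now}
        return sid

    def login(self, sid, user, ip, now):
        """Discard the pre-login id and issue a fresh one (the regeneration step),
        so an id obtained before or during login is useless afterwards."""
        self.sessions.pop(sid, None)
        new_sid = self.create(ip, now)
        self.sessions[new_sid]["user"] = user
        return new_sid

    def lookup(self, sid, ip, now):
        """Return the logged-in user for this request, or None if the id is unknown,
        expired, or presented from a different address (the IP check)."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > self.idle_timeout:
            del self.sessions[sid]
            return None
        if s["ip"] != ip:
            return None
        s["last_seen"] = now
        return s["user"]


def set_cookie_header(sid):
    """Secure: only over TLS. HttpOnly: invisible to scripts. SameSite: limits cross-site sending."""
    return f"Set-Cookie: SESSIONID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def hijack_scenario():
    """Alice logs in from 203.0.113.7; Mallory steals her post-login id (constructed addresses)."""
    store = SessionStore()
    pre_login = store.create("203.0.113.7", now=0)
    sid = store.login(pre_login, "alice", "203.0.113.7", now=1)
    return {
        "alice_ok": store.lookup(sid, "203.0.113.7", now=2),                    # "alice"
        "old_id_after_login": store.lookup(pre_login, "203.0.113.7", now=2),    # None: regenerated
        "stolen_from_other_ip": store.lookup(sid, "198.51.100.9", now=3),       # None: IP mismatch
        "stolen_same_nat": store.lookup(sid, "203.0.113.7", now=4),             # "alice": IP check is not enough
        "after_idle_timeout": store.lookup(sid, "203.0.113.7", now=5000),       # None: expired
    }
```

The stolen_same_nat result is the caveat from the text in code form: an attacker behind the same address as the victim passes the IP check, so the real protection is keeping the identifier from being stolen in the first place (TLS plus the cookie flags) and limiting how long a stolen one stays valid.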