Categorizing Network Attacks


Network attacks can be categorized based upon the nature of the attack. Categories of network attacks include the following:

  • Virus

  • Worm

  • Trojan Horse

  • Denial of service (DoS)

  • Distributed denial of service (DDoS)

  • Spyware

  • Phishing

The next sections describe each of these categories in more detail.

Virus

When I was a software developer for a large systems company in the early 1990s, one of my coworkers liked to tell a story about how his grandmother called him up one day at the office and told him that she was worried about his health because she was concerned that he would catch a computer virus and become sick! A tremendous amount of education and socialization about computer viruses has occurred since the early 1990s. Even television and radio advertisements talk about how Internet services come bundled with antivirus protection to thwart these dastardly viruses. As my coworker had to explain to his grandmother, only computers, not people, can catch these particular viruses.

The term virus is credited to University of Southern California professor Frederick Cohen in his 1984 research paper Computer Viruses: Theory and Experiments. A computer virus is designed to attack a computer and often to wreak havoc on other computers and network devices. A virus can often be an attachment in an e-mail, and selecting the attachment can cause the executable code to run and replicate the virus. Other examples of executable code that can contain a virus include spreadsheet macros, JavaScript, or a macro in a Microsoft Word document.

Simple text files and .JPG pictures, for example, do not spread viruses because they are treated as data to be viewed and are not executed by the target computer. A virus must be executed, or run in memory, in order to search for other programs or hosts to infect and replicate. As the name implies, a virus needs a host such as a spreadsheet or e-mail in order to attach, infect, and replicate.

There are several common effects of a virus. Some viruses are benign, and simply notify their victim that they have been infected. Viruses can also be malignant and create destruction by deleting files and otherwise wreaking havoc on the infected computer that contains digital assets, such as pictures, documents, passwords, and financial records.

Worm

In this case, worm doesn't refer to a hole in the space-time continuum. A worm is a destructive software program that scans for vulnerabilities or security holes on other computers in order to exploit the weakness and replicate.

Worms can replicate independently and very quickly. For example, in 2001, the Code Red worm replicated itself over 250,000 times in less than 12 hours. Worms can also be relatively small in size. The SQL Slammer worm from 2003, for example, was only around 400 bytes. Worms can also attack instant messaging technology, as evidenced by an alert from Trend Micro on the Bropia worm, which you can read about at ZDNet (http://news.zdnet.com/2100-1009_22-5562129.html).

Note

Two researchers at Xerox PARC are credited with developing the first computer worm in 1978.


Worms differ from viruses in two major ways:

  • Viruses require a host to attach and execute, and worms do not require a host.

  • Viruses and worms typically cause different types of destruction.

Viruses, once they are resident in memory, often delete and modify important files on the infected computer. Worms, however, tend to be more network-centric than computer-centric. Worms can replicate quickly by initiating network connections to replicate and send massive amounts of data. Worms, such as SQL Slammer, brought many unsuspecting networks to their knees by initiating large numbers of network connections and data transfers. This type of network attack is also called a distributed denial-of-service (DDoS) attack, which is discussed in more detail later in this chapter.

Worms can also contain a piggybacked passenger, or data payload, which can relegate a target computer to the status of a zombie. A zombie is a computer that has been compromised and is now under control by the network attacker. Zombies are often used to launch additional network attacks. A large collection of zombies under the control of an attacker is referred to as a "botnet." Botnets can grow to be quite large. Botnets have been identified that were larger than 100,000 zombie computers.

Trojan Horse

A Trojan horse, or Trojan, is pernicious software that attempts to masquerade as a trusted application such as a game or screen saver. Once the unsuspecting user attempts to access what appears to be an innocuous game or screen saver, the Trojan can initiate damaging activities such as deleting files or reformatting a hard drive. Trojans are typically not self-replicating.

Network attackers attempt to use popular applications, such as Apple's iTunes, to deploy a Trojan. For example, a network attacker sends an e-mail with a purported link to download a free iTunes song. The Trojan would then initiate a connection to an external web server and launch an attack once the user attempted to download the apparently free song.

Denial-of-Service

A denial-of-service (DoS) attack is a network attack that results in the denial of service by a requested application such as a web server. There are several mechanisms to generate a DoS attack. The simplest method is to generate large amounts of what appears to be valid network traffic. This type of network DoS attack attempts to clog the network pipe so that valid user traffic cannot get through the network connection. However, this type of DoS typically needs to be distributed because it usually requires more than one source to generate the attack (more on distributed DoS, or DDoS, attacks in the following section).

A DoS attack takes advantage of the fact that target systems such as servers must maintain state information and may have expected buffer sizes and network packet contents for specific applications. A DoS can exploit this vulnerability by sending packet sizes and data values that are not expected by the receiving application.

Several types of DoS attacks exist, including Teardrop attacks and the Ping of Death, which send handcrafted network packets that are different from those the application expects and may provoke the application and server to crash. These DoS attacks on an unprotected server, such as an ecommerce server, can cause the server to crash and prevent users from adding items to their shopping cart.
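The Teardrop and Ping of Death attacks mentioned above both abuse IPv4 fragmentation: Teardrop sends fragments whose byte ranges overlap, and Ping of Death sends a fragment whose offset plus length exceeds the 65,535-byte maximum datagram size. The following Python example, added here and not part of the book, shows the two sanity checks a defender's packet filter or IDS applies before reassembly. It parses raw IPv4 headers with the standard library only; the fragments it inspects are constructed inline (the `make_fragment` builder, the 10.0.0.x addresses and the `analyze_packets` name are all this example's own).

```python
"""Flag IPv4 fragment sets with the shapes that Teardrop (overlapping
fragments) and Ping of Death (oversized reassembled datagram) rely on.
Added example; it is not code from the book."""
import struct
from collections import defaultdict

MAX_DATAGRAM = 65535   # largest datagram IPv4 can describe (16-bit total length)
IPV4_FMT = "!BBHHHBBH4s4s"   # fixed 20-byte header, no options


def parse_ipv4_header(pkt):
    """Return (ident, more_fragments, fragment_offset_bytes, payload_len)
    from a raw IPv4 packet. Only the fields needed for fragment checks."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, _proto, _csum, _src, _dst) = struct.unpack(IPV4_FMT, pkt[:20])
    ihl_bytes = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)        # MF flag
    offset = (flags_frag & 0x1FFF) * 8      # 13-bit offset in 8-byte units
    return ident, more, offset, total_len - ihl_bytes


def check_fragments(fragments):
    """fragments: iterable of (ident, more, offset, payload_len).
    Returns a list of human-readable findings, one per anomaly."""
    findings = []
    by_id = defaultdict(list)
    for frag in fragments:
        by_id[frag[0]].append(frag)
    for ident, frags in by_id.items():
        covered_to = 0   # highest byte offset already covered by earlier fragments
        for _, _more, offset, plen in sorted(frags, key=lambda f: f[2]):
            end = offset + plen
            if end > MAX_DATAGRAM:
                findings.append(f"id {ident}: fragment ends at byte {end} > "
                                f"{MAX_DATAGRAM} (Ping of Death pattern)")
            if offset < covered_to:
                # Legitimate senders never overlap; buggy reassemblers computed
                # a negative length here, which is what Teardrop triggered.
                findings.append(f"id {ident}: fragment at byte {offset} overlaps "
                                f"data already covered to {covered_to} (Teardrop pattern)")
            covered_to = max(covered_to, end)
    return findings


def analyze_packets(raw_packets):
    """Parse raw IPv4 packets and run the fragment checks over them."""
    return check_fragments(parse_ipv4_header(p) for p in raw_packets)


def make_fragment(ident, more, offset, payload_len):
    """Build a minimal raw IPv4 fragment as constructed test input
    (checksum left zero, protocol 1 = ICMP, dummy payload)."""
    assert offset % 8 == 0, "fragment offsets are multiples of 8 bytes"
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, ident, flags_frag,
                      64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + b"\x00" * payload_len


if __name__ == "__main__":
    benign = [make_fragment(1, True, 0, 32), make_fragment(1, False, 32, 16)]
    teardrop = [make_fragment(2, True, 0, 36), make_fragment(2, False, 24, 4)]
    ping_of_death = [make_fragment(3, False, 65528, 40)]
    for name, pkts in (("benign", benign), ("teardrop", teardrop),
                       ("ping-of-death", ping_of_death)):
        print(name, analyze_packets(pkts) or "no findings")
```

Both checks are cheap enough to run inline on a filtering device, and they work per datagram ID, so a flood of fragments from many sources is still evaluated one datagram at a time. Modern operating systems already reject these shapes in their own reassembly code; the value of checking at the network edge is that the malformed traffic never reaches an unpatched or embedded host behind it.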

Distributed Denial-of-Service

A DDoS attack is similar in intent to a DoS attack, except that it originates from multiple attack sources. In addition to increasing the amount of network traffic from multiple, distributed attackers, a DDoS attack also presents the challenge of requiring the network defense to identify and stop each of the distributed attackers. You learn more about DDoS attacks in the section "DDoS Mitigation."

Several years ago, I was on a customer site visit to a very large online retailer at the very same time they were under a DDoS attack. They were able to stop the DDoS attack without dedicated DDoS mitigation products, but a significant amount of time was involved to identify the sources of the attack. This investigation, as well as the eventual remediation of the attack, involved communication and cooperation from the customer's Internet service provider (ISP). The intended victim was able to stop the attack after several hours, but they also had to stop the flow of valid traffic (in this case sales orders) in order to stop the DDoS attack.
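The hard part of the incident described above was identifying the attack sources. The following Python example, added here and not drawn from the book, shows the first step a defender takes with nothing but the web server's access log: it keeps a sliding time window per client address and reports every source whose request rate inside that window exceeds a threshold. The log lines are constructed (Common Log Format, documentation addresses from 198.51.100.0/24 and 203.0.113.0/24); the function names, the 10-second window and the threshold of 20 requests are this example's own choices, not a product setting.

```python
"""Identify high-rate sources in a web access log, the first step in sorting
attack traffic from legitimate orders during a DDoS. Added example; it is
not code from the book. Assumes log lines arrive in time order."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_address, timestamp) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("src"), datetime.strptime(m.group("ts"), TS_FMT)


def flag_sources(lines, window=timedelta(seconds=10), threshold=20):
    """Return {source: peak requests seen inside any `window`} for every source
    whose peak exceeds `threshold`. One deque of timestamps per source."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue               # skip malformed lines rather than abort
        src, ts = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop requests that fell out of the window
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


def _format_line(src, ts):
    return f'{src} - - [{ts.strftime(TS_FMT)}] "GET /cart HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed log: five legitimate shoppers at one request every 10 s
    each, plus three flood sources sending 40 requests apiece in 8 s."""
    base = datetime(2008, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    for i in range(30):
        events.append((base + timedelta(seconds=2 * i), f"198.51.100.{i % 5 + 1}"))
    for i in range(40):
        t = base + timedelta(seconds=0.2 * i)
        for src in ("203.0.113.7", "203.0.113.8", "203.0.113.9"):
            events.append((t, src))
    events.sort(key=lambda e: e[0])
    return [_format_line(src, ts) for ts, src in events]


if __name__ == "__main__":
    for src, n in sorted(flag_sources(build_sample_log()).items()):
        print(f"{src}: peak {n} requests in 10 s")
```

A per-address rate is a starting point, not a verdict: a large botnet can keep every zombie under the threshold, and a busy proxy or NAT gateway can exceed it legitimately. In practice the list this produces is what gets compared against normal traffic baselines and handed to the ISP for upstream filtering, which is the cooperation the anecdote above describes.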

Spyware

Spyware is a class of software applications that can participate in a network attack. Spyware is an application that attempts to install and remain hidden on a target PC or laptop. Once the spyware application has been surreptitiously installed, the spyware captures information about what users are doing with their computers. Some of this captured information includes websites visited, e-mails sent, and passwords used. Attackers can use the captured passwords and information to gain entry to a network to launch a network attack.

In addition to being used to directly participate in a network attack, spyware can also be used to gather information that can be sold underground. This information, once purchased, can be used by another attacker who is "harvesting data" to be used in planning another network attack.

Phishing

Phishing is a type of network attack that typically starts by sending an e-mail to an unsuspecting user. The phishing e-mail attempts to look like a legitimate e-mail from a known and trusted institution such as a bank or ecommerce site. This false e-mail attempts to convince users that something has happened, such as suspicious activity on their account, and that the user must follow the link in the e-mail and log on to the site to view their user information. The link in this e-mail often leads to a false copy of the real bank or ecommerce site that features a similar look-and-feel to the real site. The phishing attack is designed to trick users into providing valuable information such as their username and password.
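The tell in most phishing mail is the link itself: the text the user sees names the trusted institution, while the address the link actually opens belongs to somebody else. The following Python example, added here and not from the book, shows two checks a mail gateway or user-awareness tool can run over an HTML message body using only the standard library: a display/destination mismatch (the visible text looks like a URL on one domain but the `href` goes to another) and a look-alike host (the trusted brand name appears inside a host on an unrelated domain). The `TRUSTED` set, the `examplebank.com` brand and the sample message are constructed; the "registrable domain" is approximated as the last two labels because the example carries no public-suffix list.

```python
"""Flag phishing-style links in an HTML e-mail body. Added example; it is
not code from the book. Uses only the Python standard library."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the institution the message claims to come from.
TRUSTED = {"examplebank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Simplification: a real deployment consults the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Host named by URL-like link text, or None if the text is ordinary words."""
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlparse(candidate).hostname
    except ValueError:          # e.g. stray brackets make urlparse reject it
        return None
    return host if host and "." in host else None


def analyze_links(html):
    """Return a list of (kind, visible_text, href) findings for a message body."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = (urlparse(href).hostname or "").lower()
        if not href_host:
            continue                       # mailto:, relative links, etc.
        href_domain = registrable(href_host)
        shown = host_of(text)
        # 1. The user sees one site, the link opens another.
        if shown and registrable(shown) != href_domain:
            findings.append(("display-mismatch", text, href))
            continue
        # 2. Brand name embedded in a host that is not the brand's own domain,
        #    e.g. examplebank.com.account-verify.example or examplebank-secure.example.
        if href_domain not in TRUSTED and any(
                t.split(".")[0] in href_host for t in TRUSTED):
            findings.append(("lookalike-host", text, href))
    return findings


# Constructed sample message in the style described above.
SAMPLE_MAIL = """
<p>We noticed suspicious activity on your account.</p>
<a href="http://examplebank.com.account-verify.example/login">https://www.examplebank.com/login</a>
<a href="http://www.examplebank.com/help">Contact support</a>
<a href="http://examplebank-secure.example/verify">Click here to verify</a>
"""

if __name__ == "__main__":
    for kind, text, href in analyze_links(SAMPLE_MAIL):
        print(f"{kind}: '{text}' -> {href}")
```

The first link is caught because the text shows `www.examplebank.com` while the destination's registrable domain is `account-verify.example`; the third is caught because the brand name is merely a prefix of an unrelated host. The second link, which really goes to the trusted domain, produces nothing. These checks complement, rather than replace, sender authentication on the mail gateway, since a phisher controls every byte of the message body.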



Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539