Attacks


Up to now, security specialists have not come to a consensus on the exact definitions of the terms "attack" or "intrusion." Nearly every professional has their own interpretation of these terms. For example: "An intrusion is any action that results in the violation of security policy" or "any action that results in the breach of integrity, confidentiality, and availability of the system and information processed within it." However, I consider the usage of the term described below to be the most correct and closely related to the term "vulnerability." An attack on an information system is any action or sequence of interrelated actions by an intruder that results in a threat to the system by exploiting its vulnerabilities. Also, it should be noted that some types of attacks (for example, those based on social engineering) that can also be used for compromising IS are, for the most part, not in the scope of this book. The definition provided here is rather illustrative, and covers practically the whole range of possible attacks, including "social engineering," which primarily uses human weak points. Notice that humans are also part of the information system, just like the computers. Therefore, they also can be considered "weak links."

An attack is different from a security event in that, in the case of an attack, the intruder deliberately tries to get a specific result, which is in direct defiance of the security policy. For example, a user logging in or accessing a file is a security event. However, if the user logs in or accesses a file by bypassing file permissions, this event turns into an attack. An analysis of the symptoms characterizing an attack will help to determine whether or not a specific case actually represents an attack. These symptoms are described in detail in Chapter 4. If we expand the above-described model of a security event, we get an attack model comprising four elements (Fig. 2.2).

Fig. 2.2. Attack model

To implement an attack, the intruder models a specific security event that produces the required result, using some tool exploiting the system's vulnerabilities. The first two elements of this model are used to implement a security event that represents a specific action on the target that violates the security policy.

Before we start to discuss automated tools of intrusion detection, it is necessary to point out that they detect attacks and security events, rather than security incidents. The models shown in Figs. 2.1 and 2.2 do not include such components as "attacker" or "intruder." This component appears only in the description of a security incident. This explains the fact that intrusion detection systems are not always capable of tracing intruders who implement specific attacks.

At the present moment, the actual number of attack methods available is unknown. This is mainly due to the lack of serious mathematical investigations into this area. Among the most important works in a related area, which deserves mention, is the work of Fred Cohen, who made an attempt to describe the mathematical foundations of virus technology. The most interesting result of this work is mathematical proof of the fact that the possible number of viruses is infinite. These results can be extrapolated to attack theory, since viruses are simply a subset of attacks.

In other words, especially when recalling the well-known scientific proverb "a negative result is also a result," we can draw the conclusion that, if an intruder has not achieved the desired result but still exploits some vulnerability, an attack has still taken place.

Informal Model of an Attack

Without going into extensive detail with a mathematical model describing attacks, I would like to provide a brief description of attack mechanisms. It is important that you know how attacks are implemented. Understanding attack mechanisms is one of the keys to success when preventing and detecting intrusions and when taking adequate countermeasures while under attack.

Fig. 2.3 depicts the elements that make up an attack.

Fig. 2.3. An informal attack model

In some particular cases, the attack initiator (or intruder) and the attack target coincide. In these cases, the intruder already has access (or perhaps has been granted such access within the limits of his permissions) to the host or group of hosts whose resources represent his target. Both the initiator and the target of the attack can be a stand-alone host or a group of hosts (for example, a subnet).

It would be logical to assume that the elimination of one of these elements will protect you from an attack. In practice, it is often impossible to remove the attack target because of the specific features of information-processing technology, although theoretically this would be the ideal solution: if the target is missing, an attack becomes impossible. Network-address translation, or locking access to specific hosts within a corporate network using a firewall, is one of the mechanisms for removing the attack target.

If an attack target cannot be removed, it is necessary to try to eliminate the intruder or the attack method. However, this is something that current security tools cannot do. Usually, these tools concentrate all their attention on the attack target and only some on the attack method. This passive behavior in relation to the attacker results in repeated attacks from the attacker's side (even if they are not successful).

Therefore, a complex approach is required, one that complements traditional mechanisms with additional tools implementing such functions as detection of the intrusion, tracing the attacker and investigation of the incident.

An attack method depends on several parameters:

  • The type of intruder and the goals of the attack. These determine what method of attack should be expected. For example, if the target of the attack is the MS Exchange mail server, it is improbable that, to attack this server, the intruder would use methods of attacking sendmail or Qmail.

  • The result of the attack. The method that the attacker would use depends on the result he is expecting from the attack (Denial of Service, compromising the system, etc.). For example, if the intruder plans to get unauthorized access to the password file of your web server, he will mask his actions and search for vulnerabilities in open services, such as HTTP, FTP, IMAP, and so on. If he plans to bring the server down, he can send a storm of requests to it and thus make it unavailable.

  • The mechanism of attack.

  • The attack tool.

Model of a Traditional Attack

A traditional model of attack is built according to the "one-to-one" principle (Fig. 2.4) or the "one-to-many" principle (Fig. 2.5), i.e., the attack originates from a single point.

Quite often, intruders use proxy hosts to hide the source of attack or complicate the procedures of tracing it. Using this method, the intruder attacks the selected target via several proxies, rather than directly. As a result, the object under attack interprets the threat as originating from the proxy (Fig. 2.6).

Fig. 2.4. "One-to-one" relationship

Fig. 2.5. "One-to-many" relationship

Fig. 2.6. Implementation of the attack via intermediate hosts

Developers of traditional security tools are oriented toward a classical model of attack. In different network locations, several security system agents are installed that transmit information to the central management console. This approach simplifies the system scaling (the increased number of agents does not have a negative impact on the console), simplifies remote control, and so on.

Distributed Attack Model

From November 2 to 4, 1999, the Coordination Center of the Computer Emergency Response Team (CERT) (http://www.cert.org) invited 30 leading experts in the field of information security from various organizations, including ISS, NASA, and the NSWC SHADOW Team, to participate in a conference dedicated to distributed attacks and the tools implementing them. Distributed attacks enable a single intruder or a small group to launch hundreds or even thousands of attacks on a single host or group of hosts simultaneously. Until recently, such a capability was considered a myth. It was generally accepted that such an attack would be impossible to implement. The reality, however, is a different story.

One of the first warnings of the possibility of such an attack appeared in September 1998. The Naval Surface Warfare Center (http://mswc.navy.mil) analyzed several cases registered in 1998 and published one of the first reports dedicated to distributed coordinated attacks, based on this analysis. The traditional model usually operates with a single attacking host. This principle serves as a basis for most network security tools. However, the new model for distributed attacks introduces some revisions and encourages developers to design new mechanisms of intrusion detection [Stewart1-99].

Distributed Attacks in February 

On Monday, February 7, 2000, at 10:20 a.m. PST, Yahoo users noticed a significant slowdown of the services provided by the portal — e-mail, news and so on. Users accustomed to a Web page taking up to 1.7 seconds to load were annoyed by six-second delays. Later, the situation became even worse. At 10:30 a.m., about half of all users trying to access Yahoo received only error messages. An analysis of the problem showed that Yahoo servers failed because of an immense number of small packets, which varied from simple diagnostic messages to HTML page requests. This fusillade of packets hit Yahoo servers simultaneously from several Internet hosts. Yahoo specialists counted no less than 50 such points. At 11:00 a.m., less than 10% of all users could access the resources of this portal, and even those who managed to access the server had to wait for at least 20 seconds to get answers to their requests. At 1:15 p.m., all user requests were directed to servers that were not under attack and, at 3:00 p.m., Yahoo started to function normally.

Yahoo was the first in a series of widely known servers that became targets of a mass attack in the second week of February. The next attack came on Tuesday morning, with the target being the server of Buy.com; and that evening, the servers of eBay, CNN.com, and Amazon.com were attacked. On Wednesday morning, the targets became ZDNet.com, E*Trade, Datek, and Excite. Users were unable to access these servers for 30 minutes to several hours.

The second target, Buy.com, was attacked at 10:50 a.m. on Tuesday. A flood of packets directed to this host exceeded the maximum allowed traffic by eight times and reached 800 Mbit/second. Similar results were reported for the other companies.

The model of a distributed or coordinated attack is based on different principles than those for the classical model. In contrast to the traditional model that uses "one-to-one" or "one-to-many" relationships, the distributed model is based on "many-to-one" and "many-to-many" relationships.

All distributed attacks (Distributed Denial of Service, DDoS) are based on classical DoS attacks or, more precisely, on their subset known as Flood or Storm attacks. They involve sending a large number of packets (a flood or storm) to a specified host within the network (the attack target). The directed storm of packets causes the host to fail, since it will be flooded with packets and, consequently, will be unable to process requests from authorized users. Various attacks, such as SYN-Flood, Smurf, UDP Flood, Ping Flood, Targa3, and many more, are based on this principle. However, if the bandwidth of the channel to the attack target exceeds the throughput of the attacker, or if the target host has a non-standard configuration, this attack will not normally be successful. In the case of a distributed attack, however, this situation changes. The attack originates simultaneously from several Internet hosts rather than from one, which causes rapid growth of traffic and brings the target server down.
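The difference between the "one-to-one" storm of a classical flood and the "many-to-one" storm of a distributed attack is visible in traffic records, and it matters for detection: a per-source rate limit catches the first pattern and misses the second, because in a distributed storm each sender stays below any per-source threshold. The following script is an added example, not code from the book, and classifies per-destination packet storms over constructed flow records (timestamp, source, destination, packet count). The thresholds, the record format, and the addresses (taken from documentation ranges) are all assumptions of the example.

```python
"""Classify packet storms by the relationship between senders and a target.

Added example (not from the book): reads simplified flow records and reports,
per destination host and per one-second bucket, whether the traffic looks like
the "one-to-one" storm of a classical DoS or the "many-to-one" storm of a DDoS.
"""
from collections import defaultdict

# Thresholds are assumptions for the example; tune them to the link and
# server capacity being protected.
PPS_THRESHOLD = 500           # packets/second toward one host that we treat as a storm
MIN_SOURCES_DISTRIBUTED = 5   # distinct senders needed to call a storm "many-to-one"

# Constructed flow records: (second, src_ip, dst_ip, packets). Not real data.
SAMPLE_FLOWS = [
    # normal traffic toward the web server 10.0.0.5
    (0, "192.0.2.10", "10.0.0.5", 12),
    (0, "192.0.2.11", "10.0.0.5", 8),
    (1, "192.0.2.10", "10.0.0.5", 15),
    # a single host hammering 10.0.0.6: one-to-one storm
    (1, "198.51.100.7", "10.0.0.6", 900),
    # eight hosts each sending a modest rate at 10.0.0.7: many-to-one storm
    *[(2, f"203.0.113.{i}", "10.0.0.7", 120) for i in range(1, 9)],
]


def bucket_flows(flows):
    """Sum packets per (second, dst) and remember which sources contributed."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for second, src, dst, count in flows:
        packets[(second, dst)] += count
        sources[(second, dst)].add(src)
    return packets, sources


def classify(flows, pps_threshold=PPS_THRESHOLD, min_sources=MIN_SOURCES_DISTRIBUTED):
    """Return {(second, dst): label} for every bucket whose rate exceeds the threshold.

    The label depends only on the number of distinct senders, not on the
    per-sender rate, so a distributed storm made of individually modest
    senders is still reported.
    """
    packets, sources = bucket_flows(flows)
    verdicts = {}
    for key, pps in packets.items():
        if pps < pps_threshold:
            continue
        n_src = len(sources[key])
        verdicts[key] = "many-to-one storm" if n_src >= min_sources else "one-to-one storm"
    return verdicts


def top_sources(flows, dst, second):
    """Senders toward dst during that second, heaviest first.

    Useful for filtering a one-to-one storm; for a many-to-one storm every
    entry is below the storm threshold, which is exactly why per-source
    rate limits fail against distributed attacks.
    """
    per_src = defaultdict(int)
    for s, src, d, count in flows:
        if s == second and d == dst:
            per_src[src] += count
    return sorted(per_src.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    for (second, dst), label in sorted(classify(SAMPLE_FLOWS).items()):
        senders = top_sources(SAMPLE_FLOWS, dst, second)
        print(f"t={second}s dst={dst}: {label}; {len(senders)} sender(s), "
              f"heaviest {senders[0][0]} at {senders[0][1]} pps")
```

Run against the constructed records, the script reports a one-to-one storm against 10.0.0.6 (one sender at 900 pps) and a many-to-one storm against 10.0.0.7 (eight senders at 120 pps each), while the normal traffic to 10.0.0.5 produces no verdict. Note that the many-to-one verdict is reached even though no single sender toward 10.0.0.7 exceeds the 500 pps threshold.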

Attack on the White House 

On May 4, 2001, the White House server (http://www.whitehouse.gov) was blocked for three hours and, on May 22, the server was unavailable for six hours. Responsibility for these attacks, as well as for attacks on other servers located in the U.S. (for example, the CIA site was unavailable from 10 to 11 a.m. on May 1) was taken by the association of Chinese hackers, who thus celebrated the holidays (May 1 — "International Workers Day," and May 4 — "Youth Day") and the anniversary of the bombing of the Chinese Embassy in Belgrade by American pilots.

This model is illustrated by schemes presented in Figs. 2.7 and 2.8.

Fig. 2.7. "Many-to-one" relationship

Fig. 2.8. "Many-to-many" relationship

A distributed attack is implemented in two steps. At the first stage, attackers search for Internet hosts that could possibly be used to implement a distributed attack. The more such hosts are involved, the more efficient the attack will be. As a matter of fact, the most interesting "feature" of this approach is that there are millions of such hosts on the Internet. Regular investigations have shown that most companies are careless enough to pay no attention to the security of their hosts connected to the Internet. Such hosts have become the favorite prey of intruders, who choose them as a "base" for the attacks they plan. These hosts may belong not only to university and government networks, as was the case with the February attacks, but also to networks belonging to ISPs, financial or insurance companies, and so on. Having found vulnerable hosts, the intruder installs special components to implement the attack. This installation is possible thanks to the weak points in the host's security, exploited by the intruder to achieve his aims.

Attacks on Internet Service Providers 

The DDoS attacks implemented in February 2002 disrupted the normal operation of many ISPs, including SniffOut, TheDotComplete, The DogmaGroup, Firenet, etc. Actually, these attacks started long before 2002. For example, on December 7 and 14, 1996, the web server of Web Communications LLC was made to fail for nine and 40 hours, respectively. This attack, known as a SYN Flood, disrupted the operation of more than 2,200 corporate clients of Web Communications. As was later stated by Chris Shefler, the president of Web Communications, this happened because the company underestimated this aspect of security, and its management supposed that such a thing could never happen to them. Several months before, in September, another U.S. ISP — Panix — became the target of a similar attack. As a result, Panix servers running the SunOS operating system were down for 12 hours. In April 2000, a DDoS attack paralyzed the operation of another ISP — this time it was the AboveNet company. In August, Eircom, the largest Irish ISP, was attacked. In 2001, the Italia OnLine ISP suffered from an attack by an anti-globalist hacker group.

At the second stage of a DDoS attack, packets are sent to the host being attacked. A specific feature of this stage is that the packets originate from intermediate systems compromised by the intruder rather than from his own computer (Fig. 2.9). There are two types of such agents — masters and daemons, or clients and servers. Computers where these agents are installed are also known as zombies. The intruder manages a small number of masters, which, in turn, control the daemons.

Fig. 2.9. Distributed attack

At first glance, this problem seems relatively simple, because, instead of the single-level architecture of a classical attack (intruder → target), a DDoS attack implements a three-level architecture (intruder → master → daemon → target). What prevents us from tracing the whole "chain" and detecting all hosts participating in the attack? In practice, however, this is hardly ever possible.

Detecting and locking one or more "masters" or "daemons" does not bring the attack to an end, since each "daemon" acts independently of the other computers and, having received specific commands from the "master," does not need a further connection to it. Because the "daemons" participating in a DDoS attack function autonomously, detecting and locking them all becomes rather complicated and problematic. Besides, when implementing the attack, it is possible that the malignant packets will carry a forged source address, which also has a negative impact on the efficiency of the countermeasures. The attacker uses hundreds of unprotected hosts to coordinate the attack. These hosts may belong to various ISPs and be physically located in different countries and even on different continents. Thus, ascertaining the location of the intruder who is coordinating the whole attack is very difficult. Besides, zombie hosts do not contain a complete list of the hosts participating in the attack. Therefore, the attack does not stop if a single host is detected and locked.

Distributed Attacks on Pentagon and US Navy Confidential Resources

In September 1998, security specialists of the US Navy reported that DDoS attacks had been performed simultaneously from no less than 15 locations and directed towards confidential resources of the US Navy.

On May 5, 1999, a Pentagon representative stated that, during recent months, most military computers were attacked by intruders, mainly of Russian origin. Approximately 80 to 100 attacks per day were reported, and this number tended to grow. During the investigation, experts discovered the following facts:

  • Usually, the attacks were implemented from several Internet hosts simultaneously.

  • Attacks were implemented by knowledgeable hackers who previously undertook a systematic investigation of the vulnerabilities of the presumed attack targets.

  • Attacks were distributed in time, which prevented security personnel from efficiently detecting them using existing intrusion detection systems [Allen1-99].


This approach provides the following advantages to the attacker:

  • Concealment. Working simultaneously from several addresses significantly complicates the process of tracking down the attackers using standard mechanisms (firewalls, intrusion detection systems, etc.). To thwart such attacks efficiently, it is necessary to apply a data correlation mechanism, which is not provided by most current security tools.

  • Power. Coordinating attacks from several locations enables the organization of a much more powerful attack than would be possible if attacking from a single host. Once again, the existing methods of detecting and stopping attacks are rather inefficient.

  • Obtaining various data. Working from different addresses, including those belonging to different networks, it is possible to get more data on a target in comparison to similar actions conducted from a single host. Proceeding in this way, one can determine the shortest routes to the target, detect trust relationships between network hosts, and so on. For example, this method enables the attacker to discover hosts from which it is possible to access a target using a Trojan horse program (for example, the trick works with host A, and does not work with host B).

  • Distributed attacks are hard to stop. The above-mentioned characteristics make the task of stopping the distributed attack rather difficult.

In documented cases that occurred from 1998 to 1999, distributed attacks used several hundred daemons (for example, according to a report from one of the attacked companies, up to 10,000 daemons took part in the attack). Daemons are installed by exploiting various vulnerabilities at the compromised sites, including those enabling the intruder to get root privileges. After the daemon has been successfully installed, it informs the master (usually from one to four masters). When the master receives specific commands from the intruder, it programs the daemon to accomplish specific actions against the target. Usually, these commands contain the following information:

  • The target address

  • The type of attack

  • The duration of the attack

The intruder can ensure that a large amount of data is sent simultaneously from all hosts participating in the distributed attack. In this case, the intense traffic will bring the target host down. As a result, the target host will be unable to process requests from authorized users. This is what happened in early February 2000. To implement a similar attack using the classical paradigm, an Internet connection of significant throughput is required in order to organize a storm of packets directed at the attack target. For a distributed attack, this requirement is not absolutely necessary. A normal dial-up Internet connection is sufficient. The flood of packets becomes possible through the use of a large number of relatively slow connections.

It is even possible to evaluate the number of zombies sufficient to cause an Internet server to fail. When using a standard DSL connection (128 Kbit/sec), the number of packets that can be sent per second will not exceed 800 (the link rate of 128,000 bit/sec divided by the size of an IP packet in bits). Since the minimum size of an IP packet is 20 bytes (the header only), a DSL connection allows you to send 128,000/20/8 = 800 packets per second. Everything else depends on the Internet server's performance. For example, according to tests conducted by TopLayer Networks, a Pentium 400 computer with MS IIS 5.0 installed can process 100 to 120 packets per second. Consequently, a single home PC with a DSL connection can shut down 6 to 7 web servers of poor performance. The number of hosts required for a successful attack grows with the performance of the web server.

DDoS Attack Results in ISP Bankruptcy 

CloudNine Communications, one of the largest British ISPs, was attacked by intruders in late January, 2002. It became the target of DoS attacks that by that time had become "classics." CloudNine was forced to close the whole business and sell its client database to its competitor — Zetnet. Emeric Miszti, one of CloudNine's founders, declared that the attack against the company was a carefully planned action, which lasted for several months. The intruders spent quite a long time studying the key servers and their throughput. They also carefully selected the moment at which to undertake the final strike, after which the company could not continue its business. Emeric Miszti could not explain why his company became the target of this attack and what forces were lurking in the background, noting that both the company and its clients have suffered significant damage.

The intruder uses hundreds of vulnerable hosts to coordinate the attack.

The tools used for implementing distributed attacks are especially dangerous, since they are so easy to use that even unskilled users (known as script kiddies) can use them, and perhaps decide to inflict damage on someone they dislike.

Attacks built according to this scheme are very hard to detect. Network-based intrusion detection systems have serious problems detecting such attacks, especially in cases when connections between agents and servers are encrypted. Hybrid-based intrusion detection systems are more suitable for this purpose. Such attacks can be detected at the agent installation stage. After the agent has been installed, the detection becomes more complicated, since the agent acts as part of the operating system. Agent installation is especially dangerous for open systems, such as Linux and OpenBSD, since the agent can be introduced into the OS kernel, which will make its detection an even more difficult problem. When implementing a "traditional" attack, the intruder visits the compromised host from time to time (for example, using Telnet or using SSH). This can be detected when the administrator views and analyzes logs, or by automated security tools. In the case of a distributed attack, this problem never arises, because it is unnecessary to visit the compromised host. After the agent is installed, it will do everything automatically.

Hybrid Attacks

Technical progress is evolving at a rapid rate, and distributed attacks, which quite recently were considered the apex of hacker ideas, are also being constantly improved. In particular, hybrid attacks have appeared, also known as blended threats, advanced worms, or hydras. Nimda, Code Red, SirCam, and Klez are examples of such attacks [ISS1-02].

Denial of Service attacks (including distributed ones) dominated until summer 2001. Notice that, even now, they have not become less numerous. However, due to the epidemic of hybrid attacks, the percentage of DoS attacks has decreased, down to 9.65%.

The main difference between hybrid attacks and distributed ones (although it would be more correct to define hybrid attacks as an extension of distributed attacks) lies in the fact that they do not use master agents to manage their daemons. This complicates the detection of the source of infection, or makes it practically impossible. People often confuse viruses and hybrid attacks. In my opinion, viruses in their traditional form have become outdated. Previously, viruses usually infected files located on a single host. In contrast to this, hybrid attacks infect hosts rather than files. The methods they use for this purpose also differ from traditional virus technologies. For example, previously, the user had to initiate the virus intentionally or accidentally. For hybrid attacks, this condition is no longer mandatory. Advanced worms search for vulnerable hosts, automatically penetrate them, and continue to spread without any human intervention.

Nimda is the most famous advanced self-propagating and self-activating worm [ISS1-02]. According to X-Force data, this worm uses a unique algorithm to attack various systems at a rate of approximately 3,500 attacks per hour (the lowest rate is 800 attacks per hour, and the highest 8,000 attacks per hour). During the first quarter of 2001, the number of Nimda attacks reached 7,665,000.

The automated attack technology used in hybrid attacks often allows intruders to bypass security tools, such as antiviral software and firewalls. Older forms of attacks, such as Denial of Service, viruses, and password attacks, could be detected and blocked by one of the existing types of security systems. Hybrid attacks, which use a wide range of attack strategies, can only be thwarted by a multiple-level echelon of security tools.

Some manufacturers of antiviral software try to convince users that their products detect all Internet worms with a 100% probability. Unfortunately, this is not so. Hybrid attacks propagate using various mechanisms, which include sending e-mail as well as penetrating various hosts using Internet pagers (such as ICQ), ShockWave, or Flash technologies, etc. Besides this, such attacks use various hacker methods (such as password attacks), which cannot be stopped efficiently by antiviral systems.

Using firewalls also cannot be considered an efficient countermeasure against hybrid attacks. As was noted in [ISS2-02], most such attacks are implemented via port 80, which is practically never blocked by firewalls or filtering routers.

VPN tools also cannot provide complete security. Malicious traffic from compromised hosts will be encrypted just the same as traffic from normal hosts that are not infected. Furthermore, traffic from these presumably "protected" VPN hosts will penetrate the internal network, where it will not encounter any counteraction. This is especially true since perimeter protection tools trust traffic from such hosts and never expect any attacks from them.

Intrusion detection systems can identify and block practically all propagation methods used by hybrid attacks. However, even they are not free of shortcomings, the most important among which is their inability to "cure" systems that are already infected.

The only efficient way of protecting against the threat of hybrid attacks is to implement a combined approach, which includes using the products and services outlined in Table 2.3.

Table 2.3. Protective Measures against Hybrid Threats

Products

  • Network protection: Network scanners; Network intrusion detection systems; Gateway antiviral software; Firewalls

  • OS protection: Server and workstation scanners; Host-level intrusion detection systems; Personal intrusion detection systems; Personal antiviral software

  • Application protection: Application scanners; Database scanners; Application-level intrusion detection systems; Antiviral software for specific applications (Exchange, Notes, sendmail)

Services

  • Network protection: Remote scanning; Remote monitoring and management of intrusion detection systems; Remote management of gateway antiviral software; Remote management of VPN tools; Firewall management

  • OS protection: Remote scanning; Remote management and monitoring of intrusion detection systems; Remote management of antiviral software

  • Application protection: Remote scanning; Application security and monitoring

Consulting

  • Network protection: Development, maintenance, and support of the security policy; Security analysis; Tests for system penetration; Configuration settings; Incident response

  • OS protection: Development, maintenance, and support of the security policy; Security analysis; Tests for system penetration; OS customization and configuration; Incident response

  • Application protection: Development and support of the application security policy; Analysis of application security; Tests for system penetration; System configuration and customization; Incident response

Training (the same for network, OS, and application protection)

  • Training course in the field of security standards and policies

  • Training course on hacker methods

  • Training courses on intrusion detection systems, security scanners, and firewalls

Result of an Attack

The results of an attack can be classified as follows:

  • Increased access — any unauthorized action resulting in increasing access rights within the network or specified host (a computer, router, etc.)

  • Corruption of information — any unauthorized change of the information stored within network hosts or transmitted via the network

    A Teenage Hacker Attacks the Site of the Goddard Space Flight Center 

    On February 1, 2002, the U.S. Court convicted the teenage hacker known as Pimpshiz, who, on August 14, 2000, defaced the home page of the Goddard Space Flight Center by placing slogans decrying the legal prosecution of Napster there. The verdict of the court was most interesting. Besides the standard measures, such as compensation for the damage, community service, and a period of probation, the court prohibited the hacker from using e-mail and his nickname for two years.

  • Disclosure of information — distribution of information among individuals who have not been granted appropriate access rights

    Secret Information Stolen from NASA 

    As the CNews agency reported, in mid-August 2002, an intruder managed to steal important information on the new generation of space shuttles. The hacker, known by the nickname RaFa, passed on part of the stolen documents to Computerworld journalists in order to prove that the attack was successful. Approximately 43 MB of various documents were disclosed, related to the development of the new generation of space shuttles. Mainly, they all relate to recent developments of the Boeing Corporation, as well as to a joint venture organized by Pratt & Whitney and Aerojet, which develop engines for the new shuttles. RaFa gave Computerworld a PowerPoint presentation containing detailed schemes of the new engines, along with a dozen user accounts for employees working at the White Sands Test Facility. According to statements made by the hacker, in both cases he exploited security holes based on anonymous FTP access. As Computerworld stated, NASA representatives have confirmed the authenticity of the stolen documents. According to them, these documents contain quite a large amount of secret military information. Representatives of the development companies believe that the stolen information would be rather valuable to their competitors.

  • Theft of service — unauthorized usage of the computer or network services without degrading the quality of service provided to other users

    Hacker Attacks on Space Flight Centers 

On September 6, 2001, the head of the #conflict hacker group, Raymond Torricelli, also known by the nickname Rolex, was given a jail sentence and a fine for penetrating the computers of NASA's Jet Propulsion Laboratory in Pasadena and infecting them with a Trojan horse program. The infected computers were used for several important tasks, including the development of automatic space probes and the planning of space expeditions. The laboratory was working on a space expedition to all planets of the solar system, with the exception of Pluto, and the hacker could potentially have gained access to all of this data. According to Torricelli's statements, the actual penetration had been made in 1998. In February 2002, another hacker also landed in court: 20-year-old Jason Allen Dickman penetrated the JPL NASA network and Stanford University computers used to develop the software responsible for the control of satellites. And it is not only U.S. space research agencies that are targets of hacker attacks. In October 2001, the Russian Federal Security Service finished an investigation of a hacker who penetrated the network of the Energia corporation. During the investigation, it was revealed that the hacker used a password attack to access several computers that stored confidential data on communications and cooperation between Energia, the Khrunichev Center, and the Boeing Corporation. All of the above-mentioned attacks were carried out with "plausible" purposes, such as improving Internet access or creating electronic communities.

  • Denial of Service — purposeful degradation of performance or blocking of access to computer or network resources

Steps in Attack Implementation

One can distinguish the following stages of attack implementation: preliminary actions necessary to prepare the attack (information gathering), attack implementation (exploitation), and attack completion. Usually, when discussing attacks, one talks about the second stage, forgetting the first and the last ones. Gathering of information and completion of the attack (covering the traces) can in turn represent attacks, and as such, also comprise three stages (Fig. 2.10).

click to expand
Fig. 2.10. Stages of attack

The main stage of each attack is information gathering. The efficiency of the intruder's work at this stage is the key to a successful attack. First, it is necessary to select the attack target and gather all available information on it, such as the operating system it runs, its services, its configuration, and so on. After that, the intruder must identify the vulnerabilities of the system he plans to attack. Exploiting these vulnerabilities leads to the desired result.

At the first stage, the intruder attempts to detect all channels of interaction between the attack target and other network hosts. This allows the intruder to choose the type of attack to be implemented and the tools to implement it efficiently. For example, let us suppose that the host that will be attacked interacts with two servers, one of which runs UNIX, while the other runs Windows NT. The attack target has a trust relationship with one of the servers. The attack type and the tools used to implement it depend on which server the intruder chooses as the intermediate one. Then, based on the gathered information and the desired result, the intruder selects the attack that will be the most efficient in this particular case. For example, if the intruder wants to bring the server down, he can use SYN Flood, teardrop, UDP Bomb, and so on. On the other hand, to get unauthorized access to the host in order to steal information, he might exploit the phf CGI script to retrieve the password file and then run an offline password attack against it, and so on. Having accomplished these tasks, the intruder starts implementing the selected attack.

Traditional security tools come into action at the second stage, leaving the first and the last stages out completely. As a result, it is rather difficult to stop an active attack even provided that you have powerful and efficient security tools at your disposal. Distributed attacks can serve as the best illustration of this statement. It would be logical if security tools started their work at the first stage, i.e., if they prevented the possibility of gathering information on a system planned as an attack target. Even if this did not stop the attack completely, it would significantly complicate the tasks of the intruder.

Traditional tools do not provide the capability of detecting attacks that have already been completed, nor do they enable you to evaluate the damage caused by attack implementation. Consequently, by using these tools, it is impossible to plan the steps required to prevent such attacks in the future.

The intruder focuses his attention on a specific attack stage depending on the result he is after. For example, to inflict a Denial of Service, the intruder performs a detailed analysis of the network planned for attack in order to find backdoor entrances and vulnerabilities, and then attacks the network via these points of weakness. If the intruder wants to steal information, his main attention is directed at the concealed intrusion of the hosts being analyzed, using the vulnerabilities he manages to find.

As was mentioned earlier, a detailed description of all mechanisms used to implement attacks is not the main aim of this book. However, the most common methods are covered in brief. This is necessary in order to understand methods of detecting these attacks. On the other hand, knowing the principles of attacks is the key to successful protection of your network.

Information Gathering

The first stage of attack implementation involves gathering information on the planned target (network or host). It includes various actions, such as determining network topology, type and version of the operating system that the planned target runs, available network and application services, and so on. These actions can be implemented using various methods.

Studying the Environment

When solving this problem, the attacker investigates the environment of the planned attack target. This might include, for example, the host of the target's Internet Service Provider. At this step, the intruder might attempt to determine the addresses of the trusted systems (for example, a partner's network), hosts that have direct connection to the target of the attack (for example, ISP's routers), etc. These actions are rather hard to detect, because they are performed during a significant time period and from outside the area controlled by security tools (firewalls, intrusion detection systems, and so on).

Identifying Network Topology

There are two methods of network topology detection used by intruders: TTL modulation and route recording. The first is implemented by the traceroute (UNIX) and tracert (Windows) commands. They send probes with an increasing value of the TTL (Time To Live) field in the IP packet header; each router on the path decrements this value by one, and the router at which it reaches zero discards the packet and reports back with an ICMP Time Exceeded message, thereby revealing its address one hop at a time. The second method relies on the IP Record Route option, which the ping utility can set (ping -R) so that each router along the way appends its address to the ICMP packet.

Quite often, it is possible to detect network topology via SNMP, which is enabled on most network devices and is frequently left with default community strings (such as public) or other incorrectly configured security settings. By listening to RIP announcements, one can attempt to obtain the routing table of the network.

Most of the above-mentioned methods are used by contemporary network management and control systems for creating network maps. Intruders can successfully use the same methods.

Host Detection

As a rule, host detection is done by using the ping utility to send an ICMP ECHO_REQUEST message. Receipt of an ECHO_REPLY message is evidence that the host is up. Several programs, such as fping or nmap, automate and speed up the parallel detection of a large number of hosts. This method is particularly dangerous because ECHO_REQUEST messages are not registered by the standard logging tools of the host; to notice them, it is necessary to use specialized tools for traffic analysis, such as firewalls or intrusion detection systems.

This is the simplest method of host identification. However, it is not free of drawbacks. For example, many network devices and programs block ICMP packets and do not pass them into the internal network (or, conversely, do not pass outgoing ICMP packets). For example, Microsoft Proxy Server 2.0 does not allow ICMP packets to pass. As a result, host detection will be incomplete. On the other hand, blocking of ICMP packets is itself evidence of the presence of a first line of defense (routers, firewalls, and so on).

Secondly, using ICMP requests allows one easily to detect their source, which, certainly, is undesirable from the intruder's point of view.

There is yet another method of host detection: switching the network interface into promiscuous mode and sniffing the traffic, which reveals the other hosts in the network segment. This method is not applicable when the segment's traffic is not visible from the attacker's host (i.e., it works only in local-area networks). Another method of host detection is the so-called DNS discovery, which identifies corporate network hosts through the DNS service, for example, by requesting a zone transfer (AXFR) from a name server that permits it, or by resolving likely host names in turn.

Service Detection or Port Scanning

Service detection is usually achieved by detecting open ports (port scanning). Such ports are usually associated with services running over the TCP or UDP protocols. For example, an open Port 80 suggests a web server; Port 25, an SMTP server; Port 31337, the BackOrifice remote administration tool (which administrators rightly treat as a Trojan horse); Port 12345, the NetBus server; and so on. Keep in mind that this mapping is only a convention: a service can be moved to any port, which is why a scanner should also look at what the service actually says about itself (its banner). To detect services and scan ports it is possible to use programs such as nmap or netcat.
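The following is an added example (not code from the book) of what a TCP connect scan with banner grabbing actually does. It starts a throwaway listener on 127.0.0.1 that answers with an SMTP-style greeting, a constructed stand-in for the remote host, then probes ports the way nmap -sT or netcat would and reports which ones accepted a connection and what they said first. The PORT_HINTS table is an assumption: a short subset of the well-known ports mentioned above, not nmap's full services file.

```python
"""TCP connect scan with banner grabbing against a local stand-in host.

Added example, not from the book. The listener on 127.0.0.1 is a
constructed stand-in for a remote host; PORT_HINTS is a small assumed
subset of well-known ports, not a complete services table.
"""
import socket
import threading

PORT_HINTS = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http",
    139: "netbios-ssn", 443: "https", 12345: "netbus", 31337: "backorifice",
}


def start_fake_service(banner: bytes, lifetime: float = 5.0) -> int:
    """Listen on an ephemeral port, send `banner` to every client, stop after
    `lifetime` seconds. Returns the port so the scanner knows where to look."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(lifetime)
    port = srv.getsockname()[1]

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                conn.sendall(banner)
                conn.close()
        except (socket.timeout, OSError):
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """Full TCP handshake on every port; returns {port: first bytes received}.
    A refused connection (RST) or a silent timeout (filtered) is skipped."""
    found = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            if s.connect_ex((host, port)) != 0:
                continue
            try:
                banner = s.recv(256)   # many daemons (SMTP, FTP, SSH) speak first
            except socket.timeout:
                banner = b""
            found[port] = banner.decode("latin-1").strip()
        finally:
            s.close()
    return found


def guess_service(port: int, banner: str) -> str:
    """Prefer what the service says about itself over what the port implies."""
    b = banner.upper()
    if b.startswith("SSH-"):
        return "ssh"
    if b.startswith("220") and "SMTP" in b:      # covers ESMTP as well
        return "smtp"
    if b.startswith("220") and "FTP" in b:
        return "ftp"
    if b.startswith("HTTP/"):
        return "http"
    return PORT_HINTS.get(port, "unknown")


if __name__ == "__main__":
    p = start_fake_service(b"220 mail.example.test ESMTP ready\r\n")
    hits = connect_scan("127.0.0.1", range(p - 2, p + 3))
    for port, banner in sorted(hits.items()):
        print(f"{port}/tcp open  {guess_service(port, banner):<12} {banner!r}")
```

The scan is deliberately the noisiest kind: every probe completes a handshake and shows up in the target's connection logs, which is exactly why intruders prefer half-open or stealth scans, and why a defender who logs SYNs to closed ports sees this one immediately.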

OS Fingerprinting

The main method used in detecting the operating system remotely is the analysis of the TCP/IP stack. Each OS has its own implementation of the TCP/IP stack, and thanks to this fact, it is possible to determine which OS is installed within the remote host by sending special requests and analyzing the obtained replies.

Another, less efficient and more limited method of remote OS identification is provided by an analysis of the network services detected at the previous stage. For example, if Port 139 is open, one can conclude that the remote host probably runs an OS from the Windows family (or a UNIX host running Samba, so the conclusion needs confirmation). Various programs, such as nmap or Queso, can also help to identify the OS.

Determining the Host Role

The last step in the information gathering stage is determining the host role (for example, a firewall or web server). This step is accomplished based on information already gathered, including information on active services, available hosts, network topology, etc. For example, if port 80 is open, this might be evidence of the presence of the web server. Locking of the ICMP packets can be used as an indirect indication of the presence of a firewall, and names such as proxy.domain.com or fw.domain.com speak for themselves.

Detecting Host Vulnerabilities

The last stage of information gathering deals with searching for vulnerabilities. When performing this step, the intruder (manually or using special automated tools) determines if there are vulnerabilities that can be used to implement an attack. Programs such as ShadowSecurityScanner, nmap, and Retina can play the role of such automated tools.

Implementing an Attack

At this stage, the intruder starts to make attempts to access the host being attacked. Note that this might be direct access (i.e., penetrating the host) or indirect (for example, implementation of a DoS attack).

In cases where hosts are directly accessed, the implementation of the attack can be divided into the following two stages:

  • Penetration

  • Getting control

Penetration

By penetration we mean overcoming perimeter protection tools (such as a firewall). There are different ways to achieve this goal. For example, it is possible to exploit a vulnerability in a service the firewall exposes to the outside, or to pass a macro virus attached to an e-mail message or a malicious Java applet through it. Such malicious content can open so-called tunnels through the firewall (not to be confused with VPN tunnels), through which the intruder then reaches his target. Cracking the password of an administrator or another user (with utilities such as L0phtCrack or Crack, for example) also belongs to this step.

Getting Control

After penetration, the intruder gets control over the host being attacked. This can be accomplished by installing a Trojan horse program (for example, ALB or SubSeven). Having obtained control over the required host and concealed all traces of his activity, the intruder can perform any unauthorized actions he needs. He can do this remotely, without the authorized user's knowledge. Control over the compromised host must survive a reboot of the operating system. To achieve this, one can replace one of the boot files or insert a link to the malicious code into the startup files or the system registry. A case has been reported in which the intruder managed to re-program the EEPROM of the network adapter, and could thus repeat his unauthorized actions even after the operating system had been reinstalled. A simpler variant of this is to introduce the required code or fragment into the network logon script (for example, the one used to log on to a Novell NetWare network).

Nike.com Lost Control Over Its Own Network 

On June 21, 2000, Nike lost control over its own site for 19 hours. During this period of time, all visitors to http://www.nike.com were redirected to the page of an unknown S-11 organization calling for a protest against the routine meeting of the members of the World Economic Forum that was due to take place from the 11th to the 13th of September in Melbourne, Australia. Thanks to the redirection of the visitors from the Nike site, the number of visitors to the S-11 organization's page grew from 57,000 to 66,000 hits per hour. The total number of hits was 800,000 (during those 19 hours alone). The S-11 group, however, did not take responsibility for hacking the Nike site. The administrators of the S-11 site placed a note in which they informed visitors that they had no idea why the visitors of nike.com had been redirected to s11.org, nor did they know who had hacked the site. They also expressed their disapproval of the action, but thanked Nike for the additional hits. As was later reported by the BBC, control over the Nike site was obtained using the Network Solutions automatic registration system. This was not the first instance in which hackers managed to change registration data and redirect visitors to another site on account of the Network Solutions vulnerability. In the past, the internet.com domain was registered to a new owner by sending forged faxes to Network Solutions. Besides nike.com and internet.com, several other sites were "automatically re-registered," including web.net, whoami.com, exodus.net, emory.edu, w3.org and nethead.com. In Nike's case, control over the domain name was transferred by means of forgery to the Frugal Names domain registration company, located in Great Britain. FirstNET Online Management, the owner of Frugal Names, noticed this and made an attempt to inform the person whose contact information was in the registration database. However, the contact person happened to be a former webmaster of nike.com who no longer worked for them and did not warn his former employer.

Goals of Attack Implementation

It is necessary to mention that this stage might pursue two goals. The first is to get unauthorized access to the host itself and to the information stored on it. The second is to use the compromised host as a base for subsequent attacks on other hosts. The second goal is normally pursued first: the intruder establishes a base for further attacks and only then penetrates the hosts he is actually interested in. This is necessary in order to hide the origin of the attack completely, or at least to complicate the search for it significantly.

There is quite a large variety of attacks, and it is impossible to cover them all in detail within the scope of this book. To anyone interested in more detailed information on this topic, I can recommend various specialized literature, such as the books in the "Hack Proofing" series.

Methods of Attack Implementation

If the intruder has physical access to the computer, they will be able to penetrate it or to execute an attack. The methods they use might vary — from using special privileges granted to the console or terminal to procedures such as the removal of hard drives and reading/writing them on another computer [Graham1-00]. This is known as a physical attack.

A system attack represents unauthorized activity under the assumption that the intruder already has a user account in the system attacked. Usually, it is a normal (unprivileged) user account. If the latest security patches have not been installed in the system, then the intruder has a good chance of carrying out the attack to get additional administrative permissions.

A remote attack presupposes that the intruder attempts to penetrate the target system remotely via the network. In this case, the intruder acts without special privileges. There are several types of such activities [Strebe1-9]:

  • Local network intrusion, where the intruder attacks the computer or group of computers located in the same network segment as his host.

    Incident in the CIA 

According to Reuters, on December 4, 2000, the Central Intelligence Agency (CIA) fired four employees and penalized 18 more for creating and using a secret chat within the agency's network, in order to chat and flirt during business hours. This chat was discovered in May, and about 160 employees, who were found to have visited this chat regularly, received notifications of the security investigations being conducted at that time. Some of them had even been suspended from their jobs for the entire six months of the investigation (though they were still collecting a salary). According to the results announced by the CIA, four employees, one of whom held a high position, were fired. Furthermore, they were declared unreliable, to prevent similar organizations from hiring them. In addition, 18 employees had to provide explanations and were fined (from 5 to 45 days' salary). This group also included two high-ranking officers, both of whom were demoted. Officials of the CIA stated that the usage of the agency's network for private, secret chats and databases was a flagrant violation of network integrity. As was revealed by the investigation, the chat used by employees mainly consisted of joking and flirting, and had been created in the CIA network in the mid-80s. There were a total of 160 employees involved, whose communications bypassed the security systems. Seventy-nine employees got off lightly, by simply being reprimanded, and eight people who were accused of having participated were cleared of the charges. The topic of the usage of the CIA's internal network for improper purposes has continued to attract its security department's attention since the end of 1996, when its director, John Deutch, was fired for storing secret files on his home computer, which was connected to the Internet.

  • Intrusion via public networks, when the intruder attacks a computer or group of computers located in another segment. Usually, such attacks are implemented via the Internet.

    Intrusion upon NASA Computers 

An unknown hacker who penetrated NASA computers in 1997 exposed American astronauts to danger during the docking of the Atlantis space shuttle with the Russian Mir station. On June 3, 2000, NASA Inspector General Roberta Gross gave an interview to the BBC in which she admitted that the attack overloaded the NASA computer systems to such an extent that the connections between the flight control center, medical systems, and astronauts were terminated. According to Gross' statement, space agencies have several alternatives, and thus this attack did not pose a serious threat to the astronauts. In this case, communications were re-established via the Mir station's systems. However, Gross pointed out that she wanted to draw special attention to the fact, illustrating just how close hackers can get to vitally important systems. Until 2000, information on this 1997 incident had remained closed to the public. Even the astronauts who participated in this flight said, in an interview given to the BBC, that no one had informed them of the threat to their lives that had resulted from the intrusion into the NASA network. According to Gross, from time to time, hackers represent a serious threat to NASA. NASA has even created its own special "cyber-police" department to face this threat.

  • Intrusion via a dial-up connection, when the intruder attacks a computer or group of computers via a modem.

Accomplishing the Attack

At this stage of the attack, the intruder covers any traces left behind. Usually, this can be done by cleaning the appropriate records from the logs and performing other actions in order to return the attacked system to its initial state.

Hiding the Fact and the Source of the Attack

One of the aims of intrusion detection is identifying the attacker. This problem might be rather complicated, because intruders often use various methods of covering the traces of their unauthorized activity. These methods include [Graham1-00, Daymont1-00]:

  • Attack source address spoofing

  • Creating fake packets

  • Using someone else's computers as a basis for the attack

  • Attack fragmentation

  • Attack encryption

  • Using values different from the default ones

  • Changing the standard attack scenario

  • Attack slow-down

  • Cleaning the logs

  • Hiding files and data

  • Hiding processes

Changing the Address of the Attack Source

Most intruders organize their attacks from intermediate servers that have already been cracked, or from proxy servers. Thus, it is rather difficult to find out which host actually attacked your server. The more intermediate hosts the intruder uses, the more difficult the task of tracing him will be. Furthermore, if you detect an attack and start trying to block it with firewalls, filtering at the routers, and other devices, you might block a real address (possibly even one belonging to one of your clients or partners who requires access to your information resources) rather than the intruder who is performing the attack.

Creating Fake Packets

The nmap scanner can perform decoy scanning (the -D option), in which the real probes are mixed with probes bearing forged source addresses. Thus, the administrator of the intrusion detection system must solve a rather difficult problem: picking the one real IP address from the many addresses registered in the log files as sources of the scan.

The frequency of changing the source IP address for different types of attacks is outlined in Table 2.4 [SANS1-00].

Table 2.4. Probability of IP-Address Substitution

  Attack type                        Example                            Probability of IP-address substitution
  ---------------------------------  ---------------------------------  --------------------------------------
  Information gathering              Traceroute, ping                   < 1%
  Port scanning                      Single host or subnet              5%
  Multiple-packet attacks (DoS)      Ping Flood, SMURF, Fraggle         Proxy might be used as attack origin
  Single-packet DoS attacks          WinNuke, Ping of Death, SYN Flood  95%
  (or attacks of several packets)
  Buffer overflow                    Long filenames, long URLs          50%
  Commands                           Telnet, BackOrifice, Netcat        5%

Attack Fragmentation

Fragmentation is the mechanism of splitting an IP packet into a set of smaller ones. The receiving host's IP stack reassembles them before handing the data to the application, while an intermediate router may fragment them further and forward them. Most up-to-date intrusion detection systems are not equipped with mechanisms of IP packet reassembly: they pass such packets (possibly sending a warning message to the administrator console that fragmented packets have been detected). Several cases have been registered in which intrusion detection systems crashed because of fragmented attacks. Consequently, current intrusion detection systems may be bypassed using special tools (such as fragrouter, for example).
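The following added example (not code from the book) shows why a signature matcher needs reassembly. Each "fragment" is a constructed tuple (byte offset, more-fragments flag, payload) modelling what a sensor sees after a tool like fragrouter splits one request across several IP fragments; real IP offsets are in 8-byte units and the data would sit inside a TCP segment, but byte offsets are used here for readability. The request string is constructed around the phf CGI pattern named earlier in this chapter. The reassembly policy (a later fragment overwrites an earlier one where they overlap) is one of several that real stacks use, and the fact that stacks disagree on it is itself an evasion vector.

```python
"""Signature matching with and without IP reassembly.

Added example, not from the book. Fragments are constructed
(offset, more_fragments, payload) tuples in byte offsets; the overlap
policy "later data wins" is an assumption, not every stack's behaviour.
"""
SIGNATURE = b"GET /cgi-bin/phf?"


def fragment(payload: bytes, size: int):
    """A tiny fragrouter: split `payload` into fragments of `size` bytes."""
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        frags.append((off, off + size < len(payload), chunk))
    return frags


def match_per_fragment(fragments, signature=SIGNATURE) -> bool:
    """What a sensor without reassembly does: inspect each fragment alone."""
    return any(signature in payload for _off, _more, payload in fragments)


def reassemble(fragments):
    """Rebuild the datagram. Returns None while a byte range is still
    missing or the final fragment (more_fragments == False) has not arrived."""
    buf = bytearray()
    covered_to = 0          # highest contiguous byte seen so far
    have_last = False
    for offset, more, payload in sorted(fragments, key=lambda f: f[0]):
        if offset > covered_to:
            return None     # hole before this fragment
        end = offset + len(payload)
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))
        buf[offset:end] = payload          # overlap: later data wins
        covered_to = max(covered_to, end)
        if not more:
            have_last = True
    return bytes(buf) if have_last else None


def match_reassembled(fragments, signature=SIGNATURE) -> bool:
    """What a reassembling sensor does: match on the rebuilt datagram."""
    data = reassemble(fragments)
    return data is not None and signature in data


if __name__ == "__main__":
    request = b"GET /cgi-bin/phf?Qalias=x%0acat%20/etc/passwd HTTP/1.0\r\n"
    frags = fragment(request, 8)
    print("per fragment:", match_per_fragment(frags))   # False: no 8-byte piece holds it
    print("reassembled: ", match_reassembled(frags))    # True
```

The overlap case in the test below is the nastier one: the first fragment carries a harmless path, a later fragment overwrites four bytes of it, and only a sensor that reassembles with the same policy as the target host sees the same request the target's web server will execute.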

Changing Default Values

Quite often, intrusion detection systems assume that the port unambiguously identifies the protocol or service. For example, by default, Port 80 corresponds to the HTTP protocol, Port 25 to SMTP, Port 23 to Telnet, Port 31337 to BackOrifice, and so on. Intruders exploit this assumption by running standard protocols on ports different from the default ones. For example, to make the detection of BackOrifice more problematic, the intruder may change its default port (31337) to another value (for example, 31338). Most intrusion detection mechanisms will fail in this case and prove unable to process such unusual traffic.

Changing the Standard Attack Scenario

Most intrusion detection mechanisms work by comparing traffic against a template of a known attack. Databases of well-known attacks enable you to detect those attacks with a high probability. However, the intruder may slightly change the template and thus easily bypass such systems. The above-described method of changing default values is one example of this approach. Another is replacing a blank character with the Tab character in the commands that implement the attack. This problem will be covered in more detail in Chapter 12.
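As an added example (not code from the book), here are the two counter-measures a sensor needs against the evasions described in the last two sections: identifying the protocol from the content of the flow rather than the port number, and normalising a request before comparing it with a signature so that a Tab instead of a blank, or a %-encoded character, does not defeat the match. The port table and the signature list are assumptions, a small subset chosen to illustrate the idea, not a real rule set; the sample requests are constructed.

```python
"""Content-based protocol identification and normalised signatures.

Added example, not from the book. PORT_HINTS, CONTENT_MAGIC and
SIGNATURES are small assumed tables; the requests are constructed.
"""
import re
from urllib.parse import unquote_to_bytes

PORT_HINTS = {23: "telnet", 25: "smtp", 80: "http", 31337: "backorifice"}

# (name, pattern over the first bytes of a flow), in order of preference
CONTENT_MAGIC = [
    ("http", re.compile(rb"^(GET|POST|HEAD)[ \t]+/")),
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("smtp", re.compile(rb"^(220 .*[ES]MTP|EHLO |HELO )")),
]

SIGNATURES = {
    "phf-cgi": b"get /cgi-bin/phf?",      # the attack named in the text
    "dir-traversal": b"/../",             # constructed generic pattern
}


def identify_protocol(port: int, payload: bytes) -> str:
    """Content first, port number second."""
    head = payload[:64]
    for name, rx in CONTENT_MAGIC:
        if rx.match(head):
            return name
    return PORT_HINTS.get(port, "unknown")


def naive_match(payload: bytes):
    """Literal byte comparison, the way a template-only sensor works."""
    return [name for name, sig in SIGNATURES.items() if sig in payload]


def normalize_request(payload: bytes) -> bytes:
    """Canonical form of the request line: %xx sequences decoded first (so an
    encoded Tab is caught too), any run of blanks or tabs collapsed to one
    space, case folded."""
    line = payload.split(b"\r\n", 1)[0]
    line = unquote_to_bytes(line)
    line = re.sub(rb"[ \t]+", b" ", line)
    return line.lower()


def normalized_match(payload: bytes):
    """Compare signatures against the canonical form instead of raw bytes."""
    canon = normalize_request(payload)
    return [name for name, sig in SIGNATURES.items() if sig in canon]


if __name__ == "__main__":
    evasive = b"GET\t/cgi-bin/%70hf?Qalias=x%0acat%20/etc/passwd HTTP/1.0\r\n"
    print(identify_protocol(8088, evasive))   # http, despite the odd port
    print(naive_match(evasive))               # []  -> missed
    print(normalized_match(evasive))          # ['phf-cgi']
```

Normalisation has to mirror what the target's server does with the request, otherwise the sensor and the server disagree on what was sent; that is why the decoding step comes before whitespace collapsing here, and why a real sensor keeps one normaliser per protocol.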

Attack Slow-Down

Because of the large amount of registered data, intrusion detection systems are inefficient when it is necessary to trace attacks distributed in time. Thus, it is very difficult to detect a ping sweep or port scan distributed in time, when the intruder checks one port or address every five minutes (or even every hour). This slow-down significantly complicates attack diagnostics using current intrusion detection systems, and some scanners provide this capability. For example, the Nmap scanner has timing templates (the -T option; its paranoid setting waits several minutes between probes) for exactly this purpose. Its Idle Scan mode (the -sI option) serves a different goal: it bounces the probes off an idle third-party host so that the target sees that host, not the intruder, as the source of the scan.
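The following added example (not code from the book) shows the detection side of a scan spread out in time. LOG is a constructed excerpt in a firewall-style format (timestamp, action, protocol, source:port -> destination:port) using documentation address ranges. The detector keeps, per source address, a sliding window of the distinct destination ports it touched and raises an alert when that number reaches a threshold inside the window. The same log is evaluated with a five-minute window, which is what a sensor tuned for fast scans effectively does, and with a 24-hour window.

```python
"""Detecting a port scan spread out in time.

Added example, not from the book. LOG is a constructed firewall-style
excerpt; the window and threshold values are assumptions for the demo.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

LOG = """\
2002-03-01 01:00:12 DENY TCP 192.0.2.7:3301 -> 10.0.0.5:21
2002-03-01 01:02:40 ACCEPT TCP 198.51.100.4:1025 -> 10.0.0.5:80
2002-03-01 01:03:05 ACCEPT TCP 198.51.100.4:1026 -> 10.0.0.5:80
2002-03-01 02:00:09 DENY TCP 192.0.2.7:3302 -> 10.0.0.5:22
2002-03-01 03:00:15 DENY TCP 192.0.2.7:3303 -> 10.0.0.5:23
2002-03-01 03:10:00 ACCEPT TCP 198.51.100.4:1027 -> 10.0.0.5:80
2002-03-01 04:00:11 DENY TCP 192.0.2.7:3304 -> 10.0.0.5:25
2002-03-01 05:00:03 DENY TCP 192.0.2.7:3305 -> 10.0.0.5:110
2002-03-01 06:00:08 DENY TCP 192.0.2.7:3306 -> 10.0.0.5:139
2002-03-01 07:00:14 DENY TCP 192.0.2.7:3307 -> 10.0.0.5:443
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ \w+ "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(log: str):
    """Yield (timestamp, src, dst, dport) for every well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["src"], m["dst"], int(m["dport"]))


def detect_port_scans(log: str, window: timedelta, threshold: int) -> dict:
    """Return {src: time of first alert} for every source that touched at
    least `threshold` distinct (dst, port) pairs within one `window`."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        per_src[src].append((ts, (dst, dport)))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        recent = deque()          # (ts, target) still inside the window
        live = Counter()          # target -> occurrences inside the window
        for ts, target in events:
            recent.append((ts, target))
            live[target] += 1
            while recent and ts - recent[0][0] > window:
                _old_ts, old_target = recent.popleft()
                live[old_target] -= 1
                if live[old_target] == 0:
                    del live[old_target]
            if len(live) >= threshold:
                alerts[src] = ts
                break
    return alerts


if __name__ == "__main__":
    print("5-minute window:", detect_port_scans(LOG, timedelta(minutes=5), 5))  # {}
    print("24-hour window: ", detect_port_scans(LOG, timedelta(hours=24), 5))
```

The price of the long window is memory: the sensor has to keep per-source state for a day instead of minutes, which is precisely the resource the intruder's slow-down is betting the defender will not spend.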

Cleaning Logs

Cleaning logs is a rather common method. It requires the removal of all log records that register unauthorized actions. Proceeding in such a way, a skilful intruder can hide all traces of suspicious actions from the administrator of the system being attacked.

Hiding Files or Data

The unauthorized actions of the intruder are often concealed by hiding files or data. For this purpose, one can employ various methods of differing complexity, for example, setting the Hidden attribute on a file, introducing malicious code into the OS kernel (for UNIX-like operating systems), or attaching such code to an executable file or DLL. For example, Trojan horse programs often propagate using the latter method: the intruder attaches the Trojan code to some executable file (such as a game), and when the modified executable is run, the Trojan installs itself in the system.

Hiding Processes

This method, similar to the previous one, is often used to conceal the unauthorized activity of the intruder on the attacked host. To achieve this, the intruder might change the kernel of the operating system or modify the utilities responsible for working with processes (such as the ps utility in UNIX). The rootkit for SunOS is an example of this method. This kit enables the intruder to intercept various data, substitute checksums, and so on. It modifies several system utilities (such as login, ls, ifconfig, ps, netstat, du) so that its presence in the system cannot be detected with them. The simplest method of hiding an unauthorized process is to give it a "standard" name (or one very similar to a "standard" one). For example, a malicious process can have names such as in.netd, Winword.exe (on a host without MS Word for Windows) or NDDAGNT.EXE (which is very similar to NDDEAGNT.EXE).
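As an added example (not code from the book), the check below looks for the name-mimicry trick just described. KNOWN is a constructed allow-list of daemon and service names an administrator expects on a host; RUNNING is a constructed process list containing the two disguises quoted above (in.netd for inetd, NDDAGNT.EXE for NDDEAGNT.EXE) plus a third, svch0st.exe, made up here. Names are compared after case-folding and stripping punctuation, so a dropped letter, a swapped digit or an inserted dot all land within edit distance 1 of the genuine name.

```python
"""Spotting look-alike process names.

Added example, not from the book. KNOWN and RUNNING are constructed
lists; the distance and length thresholds are assumptions for the demo.
"""
import re

KNOWN = ["inetd", "syslogd", "sshd", "crond", "NDDEAGNT.EXE", "WINWORD.EXE",
         "svchost.exe", "lsass.exe"]
RUNNING = ["in.netd", "sshd", "NDDAGNT.EXE", "svch0st.exe", "lsass.exe", "httpd"]


def canonical(name: str) -> str:
    """Lower-case, letters and digits only: 'in.netd' -> 'innetd'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_lookalikes(running, known, max_distance=1, min_len=5) -> dict:
    """Return {suspicious name: genuine name it imitates}. Exact matches are
    accepted; very short names are skipped because 'ls' vs 'ps' would drown
    the result in noise."""
    canon_known = {canonical(k): k for k in known}
    hits = {}
    for proc in running:
        c = canonical(proc)
        if c in canon_known or len(c) < min_len:
            continue
        for ck, original in canon_known.items():
            if len(ck) >= min_len and edit_distance(c, ck) <= max_distance:
                hits[proc] = original
                break
    return hits


if __name__ == "__main__":
    for fake, real in find_lookalikes(RUNNING, KNOWN).items():
        print(f"{fake!r} looks like {real!r}")
```

This catches only the crude disguise; a process that carries exactly the right name but runs from the wrong directory, or a modified ps that never lists it, needs a path check or an independent view of the process table (for example, from a trusted boot medium) instead.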

Tools of Attack Implementation

The tools for attack implementation can be classified according to the list provided below [Howard1-98]:

  • Information exchange — a tool for obtaining specific information from other sources (such as IRC, FIDO and so on) or from specific individuals (social engineering).

  • User commands — a mechanism of exploiting vulnerabilities by means of entering specific commands using the command line interface (CLI) or processes (such as GUI), for example, entering the OS commands via a Telnet or FTP connection

  • Script or program — programs or sequences of commands (described in scripts) can be used by the intruder to exploit a vulnerability. In other words, the script or program represents a shell for one or more user commands. Examples of such programs are Crack or L0phtCrack (programs for password attacks) or NetBus Trojan.

  • Autonomous agent — autonomous agents are similar to the previously described tools (scripts and programs). However, in contrast to scripts or special utilities where the intruder selects the target for a manual attack, in this case the target of the attack is selected regardless of the user, according to a special algorithm. Examples of autonomous agents are computer viruses (for example, macro viruses) or worms (such as the Morris worm).

  • Toolkit — a toolkit is a set of programs, scripts and autonomous agents used to implement the attack (a rootkit is an example of such a tool).

  • Distributed tools — distributed tools are programs, scripts, or autonomous agents distributed by several hosts within a network. Attacks can take place simultaneously from several hosts. These are the most complex type of attack implementation tools (both for implementing and preventing attacks). Typical examples are TFN2K and Stacheldraht.

It is easy to notice that each category of tools (except for information exchange) can contain other categories nested within it. For example, a toolkit always includes several programs and scripts.

According to the assessments of Pentagon specialists, attack-implementation tools are improved approximately once or twice per year. Furthermore, on June 21, 2001, Lawrence Gershwin, one of the CIA's top directors, reported to Congress that his department can not keep pace with the hackers, who improve their technologies much faster than CIA manages to develop appropriate security tools. "All we can do is report the fact of attack," said Gershwin.

Automated Tools for Attack Implementation

The Internet and other public networks provide lots of resources that simplify access to corporate networks for intruders. Information on vulnerabilities is constantly being published in various mailing lists, bulletins, and so on. Thousands of Internet hosts offer, for free download, programs that implement attacks exploiting these vulnerabilities, which only encourages would-be attackers. Currently, most attacks are available even to novice users, who can download an executable file and use it to attack a neighbor just to take "revenge." Several years ago, one had at least to know UNIX and how to compile the source code of an exploit before being able to run it. Now the situation has changed dramatically. Most exploits have a GUI and run under Windows 95/98, which has significantly simplified things for novice "hackers."

Attack Classification

There are various types of attack classification. For example, attacks can be classified as passive or active, internal or external, intentional or unintentional, and so on. Most of these classifications are rarely used in practice. Therefore, to avoid confusing the reader with a large number of such classifications, I would like to present one that better corresponds to real life [Mell1-99]:

  • Remote penetration. Attacks that enable the intruder to remotely control the attacked host over the network. Examples of tools implementing such attacks are NetBus and SubSeven.

  • Local penetration. Attacks that enable the intruder to get unauthorized access to the host where it runs. An example of such an attack is GetAdmin.

  • Remote Denial of Service. Attacks that enable the intruder to interrupt the normal mode of system functioning or overload the computer via the Internet. Examples of such attacks are Teardrop and trin00.

  • Local Denial of Service. Attacks enabling the intruder to interrupt the normal functioning mode or overload the computer. As an example of such an attack, one can provide a malicious applet that overloads the CPU with an endless loop, thus preventing it from processing queries from other applications.

  • Network scanners. Programs that analyze network topology and detect services available for an attack. The nmap system is an example of such a program.

  • Vulnerability scanners. Special programs that search for vulnerabilities within the hosts in the network and can be used for attack implementation. Examples are systems such as SATAN or ShadowSecurityScanner.

  • Password crackers. Programs that perform password attacks by cracking user passwords, for example, L0phtCrack (Windows) or John the Ripper (Unix).

  • Sniffers. Programs that "sniff" network traffic. Using such programs, one can automatically search for such information as user IDs and passwords, information on credit cards, and so on. Examples of sniffers include such well-known programs as Microsoft Network Monitor, NetXRay from Network Associates or LanExplorer.

Note that this classification does not include the whole class of so-called "passive attacks." Besides traffic "sniffing," this category might include such attacks as a "fake DNS server," "ARP server replacement," and so on. Later in this book, the main focus will be on detecting active attacks.
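The sniffer category above, and the "passive attack" note that follows it, describe what such a tool does without showing it. The following is an added example written for this edition, not code from the book: a minimal passive sniffer that parses raw Ethernet/IPv4/TCP frames and pairs the cleartext USER and PASS commands of FTP (port 21) and POP3 (port 110) per client-server flow. The frames are constructed inline so the example runs offline; the IP addresses, ports and credentials in them are made up for the example. On a live network the same parser would be fed from a raw socket or a pcap file, and the same logic, run on a sensor, is also how an IDS detects cleartext credentials leaving a segment.

```python
import re
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
WATCHED_PORTS = (21, 110)  # FTP and POP3 send credentials in the clear


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, payload) for an
    Ethernet/IPv4/TCP frame, or None if the frame is anything else."""
    if len(frame) < ETH_HDR_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP or ihl < 20 or len(ip) < total_len:
        return None
    src_ip = socket.inet_ntoa(ip[12:16])
    dst_ip = socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    src_port, dst_port = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
    return src_ip, dst_ip, src_port, dst_port, tcp[data_off:]


# One command per line; MULTILINE so a payload carrying both USER and PASS matches twice.
CRED_RE = re.compile(rb"^(USER|PASS)\s+(\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def extract_credentials(frames):
    """Walk frames in capture order and pair each USER with the PASS that
    follows it on the same (client, server, server port) flow.
    Returns a list of (client_ip, server_ip, server_port, user, password)."""
    pending_user = {}
    found = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, _sport, dport, payload = parsed
        if dport not in WATCHED_PORTS:       # only client->server traffic carries logins
            continue
        flow = (src, dst, dport)
        for cmd, arg in CRED_RE.findall(payload):
            if cmd.upper() == b"USER":
                pending_user[flow] = arg.decode(errors="replace")
            elif flow in pending_user:
                found.append((src, dst, dport, pending_user.pop(flow),
                              arg.decode(errors="replace")))
    return found


def build_frame(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame for the sample capture.
    Checksums are left at zero; the parser above does not verify them."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


# Constructed sample capture: an FTP login split over two segments, a POP3 login
# in one segment, a server reply and an HTTP request that must both be ignored.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.20", 40000, 21, b"USER alice\r\n"),
    build_frame("10.0.0.20", "10.0.0.5", 21, 40000, b"331 Password required\r\n"),
    build_frame("10.0.0.5", "10.0.0.20", 40000, 21, b"PASS s3cret\r\n"),
    build_frame("10.0.0.7", "10.0.0.30", 40001, 110, b"USER bob\r\nPASS hunter2\r\n"),
    build_frame("10.0.0.7", "10.0.0.30", 40002, 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for client, server, port, user, password in extract_credentials(SAMPLE_FRAMES):
        print(f"{client} -> {server}:{port}  user={user} password={password}")
```

The parser deliberately reads the IHL and TCP data offset fields instead of assuming 20-byte headers, because IP and TCP options are exactly the kind of framing variation an attacker uses to desynchronize a sniffer or sensor from the end host. The flow key includes the server port, so a USER on one service cannot be paired with a PASS on another.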

Attacks on the Demos and InfoArt Russian Servers 

In September 1996, one of the first famous attacks on a Russian web server was implemented. The intruders, who were not traced, attacked the InfoArt agency's server, after which visitors were redirected to a server with pornographic content. The most interesting aspect of this attack was that it was not implemented by defacing the site itself, but rather by means of attacking the DNS server and changing the mapping of IP addresses to DNS names. This allowed the intruders to redirect all user requests from the InfoArt server to a pornography server.

Databases of Vulnerabilities and Attacks

The attack classification implemented in most intrusion detection systems should not be too rigid. For example, an attack implementation that is very dangerous for a UNIX system (say, the statd buffer overflow) and results in serious consequences (the highest priority) is hardly applicable to Windows NT (and presents the lowest risk there). Furthermore, there is no uniformity or common naming convention for attacks and vulnerabilities. The same attack might have different names in products supplied by different vendors [Tasker1-99] (Table 2.5).

Table 2.5. Different Names for the Same Attack

Organization/company   Attack name
CERT                   CA-96.06.cgi_example_code
CyberSafe              Network: HTTP 'phf' Attack
ISS                    Http-cgi-phf
AXENT                  Phf CGI allows remote command execution
Bugtraq                PHF Attacks — Fun and games for the whole family
BindView               #107 — cgi-phf
Cisco                  #3200 — WWW phf attack
IBM ERS                Vulnerability in NCSA/Apache Example Code
CERIAS                 Http_escshellcmd
L-3                    #180 HTTP Server CGI example code compromises http server

MITRE CVE

To eliminate the above-described chaos with the naming conventions of vulnerabilities and attacks, in 1999, the MITRE Corporation (http://www.mitre.org) suggested an open solution, independent of specific vendors of intrusion detection systems, security tools, and so on [Mann1-99]. This solution was implemented in the form of the Common Vulnerability Enumeration (CVE) database, which was later renamed as the Common Vulnerabilities and Exposures database. This solution allowed all professionals, developers, and vendors to speak the same language. For example, an attack with the different names listed in Table 2.5 obtained the following unified code in this classification: CVE-1999-0067.

Besides MITRE experts, specialists from many well-known companies and organizations participated in the development of the CVE database, including those from ISS, Cisco, BindView, Axent, NFR, L-3, CyberSafe, CERT, Carnegie Mellon University, SANS Institute, UC Davis Computer Security Lab, CERIAS, etc.

ISS became the first company to refer to the unified CVE codes in its products. This served as an incentive for other vendors. Currently, Cisco, Symantec, BindView, IBM, and other vendors have declared that their products support CVE.
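Table 2.5 and the CVE paragraphs above make a practical point for anyone correlating alerts from more than one product: the same phf attack arrives under nine different names, and only a common identifier lets you count it once. The following is an added example written for this edition, not code from the book or from MITRE. It maps the vendor-specific names from Table 2.5 to CVE-1999-0067, checks that an identifier has the CVE-YYYY-NNNN shape, and groups constructed alert lines by CVE and attacking address. The alert lines, their "vendor|name|source" layout and the unmapped Cisco signature "#9999 — something unknown" are made up for the example; a real deployment would load the mapping from each vendor's CVE cross-reference rather than from an inline dictionary.

```python
import re
from collections import defaultdict

# Vendor-specific attack names from Table 2.5, all denoting the same phf attack.
VENDOR_TO_CVE = {
    ("CERT", "CA-96.06.cgi_example_code"): "CVE-1999-0067",
    ("CyberSafe", "Network: HTTP 'phf' Attack"): "CVE-1999-0067",
    ("ISS", "Http-cgi-phf"): "CVE-1999-0067",
    ("AXENT", "Phf CGI allows remote command execution"): "CVE-1999-0067",
    ("Bugtraq", "PHF Attacks — Fun and games for the whole family"): "CVE-1999-0067",
    ("BindView", "#107 — cgi-phf"): "CVE-1999-0067",
    ("Cisco", "#3200 — WWW phf attack"): "CVE-1999-0067",
    ("IBM ERS", "Vulnerability in NCSA/Apache Example Code"): "CVE-1999-0067",
    ("CERIAS", "Http_escshellcmd"): "CVE-1999-0067",
    ("L-3", "#180 HTTP Server CGI example code compromises http server"): "CVE-1999-0067",
}

# CVE identifiers are "CVE-", a four-digit year, "-", and four or more digits.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_valid_cve(cve_id: str) -> bool:
    return bool(CVE_RE.match(cve_id))


def normalise_name(name: str) -> str:
    """Collapse case and whitespace so that trivial differences in how a
    product prints a signature name do not defeat the lookup."""
    return re.sub(r"\s+", " ", name.strip()).lower()


_LOOKUP = {(vendor.lower(), normalise_name(name)): cve
           for (vendor, name), cve in VENDOR_TO_CVE.items()}


def to_cve(vendor: str, name: str):
    """Return the CVE ID for a vendor-specific attack name, or None if unmapped."""
    return _LOOKUP.get((vendor.lower(), normalise_name(name)))


# Constructed alert lines in a made-up "vendor|attack name|source address" format.
SAMPLE_ALERTS = [
    "ISS|Http-cgi-phf|192.0.2.10",
    "Cisco|#3200 — WWW phf attack|192.0.2.10",
    "AXENT|Phf CGI allows remote command execution|192.0.2.10",
    "ISS|Http-cgi-phf|198.51.100.7",
    "Cisco|#9999 — something unknown|203.0.113.5",
]


def correlate(alerts):
    """Group alerts by CVE ID and source address.
    Returns ({cve_id: {source: count}}, [alert lines that could not be mapped])."""
    by_cve = defaultdict(lambda: defaultdict(int))
    unmapped = []
    for line in alerts:
        vendor, name, source = line.split("|", 2)
        cve = to_cve(vendor, name)
        if cve is None or not is_valid_cve(cve):
            unmapped.append(line)   # keep, never drop: an unmapped alert is still an alert
            continue
        by_cve[cve][source] += 1
    return {cve: dict(sources) for cve, sources in by_cve.items()}, unmapped


if __name__ == "__main__":
    grouped, unmapped = correlate(SAMPLE_ALERTS)
    for cve, sources in grouped.items():
        print(cve, sources)
    print("unmapped:", unmapped)
```

Three products reporting the phf attack from 192.0.2.10 collapse into one CVE with a count of three, which is what an analyst wants to see, while the alert that has no CVE mapping is kept in a separate list rather than silently discarded: an identifier scheme can only unify what the vendors have actually cross-referenced.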

Other Databases

There are other databases of vulnerabilities and attacks, the best among which is SecurityFocus (http://www.securityfocus.com), which contains a vast amount of data on software and hardware vulnerabilities. Hopefully, the new owners (Symantec purchased this resource in July 2002) will keep it just as interesting and informative. The ISS X-Force Threat and Vulnerability Database (http://www.iss.net/security_center/) and ICAT are other examples of vulnerability databases.


Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152