Modification and Repudiation Attacks

Modification attacks change or modify information in an unauthorized manner. These attacks are similar to access attacks in that these attacks require access to information on servers. The motivation for this type of attack may be to plant information, change grades in a class, fraudulently alter credit card records, or any number of other reasons. A variation of a modification attack is a repudiation attack.

Modification attacks involve the deletion, insertion, or alteration of information in a manner that appears genuine to the user . These attacks can be very hard to detect. In general, the attacker enters your system using an access attack and then proceeds from there. Website defacements are a very common form of modification attack.

Repudiation attacks make data or information that is used invalid or misleading, which can be even worse . An example of a repudiation attack might be someone accessing your e-mail server and sending inflammatory information to others. This information can prove embarrassing to you or your company if this happens. Repudiation attacks are fairly easy to accomplish because most e-mail systems do not check outbound mail for validity. Repudiation attacks usually begin as access attacks.

A common type of repudiation attack would involve a customer who claims that they never received a service for which they were billed. In this situation, the burden of proof is on the company to prove that the information used to generate the invoice is accurate. If the data has been modified by an external attacker, accuracy verification of the information may be difficult.

Denial of Service Attacks (DoS)

Denial of service ( DoS ) attacks prevent access to resources by users authorized to use those resources. An attacker may attempt to bring down an e-commerce website to prevent or deny usage by legitimate customers. DoS attacks are very common on the Internet. They have hit large companies such as Amazon, Microsoft, and AT&T. These attacks are often widely publicized in the media. Most simple DoS attacks occur from a single system, and a specific server or organization is the target.

Several different types of attacks can occur in this category. These attacks can deny access to information, applications, systems, or communications. In a DoS attack on an application, the attack may bring down the website while the communications and systems continue to operate . In a denial of access to a system, the operating system is crashed. A simple reboot may restore the server back to normal operation. A DoS attack against a network is designed to fill the communications channel and prevent authorized users access. A common DoS attack involves opening as many TCP sessions as possible. This type of attack is called a TCP SYN flood DoS attack.

An attack that is similar in objective is called a Distributed Denial of Service Attack. This type of attack amplifies the concepts of a DoS by using multiple computer systems to conduct the attack.

Distributed Denial of Service Attacks (DDoS)

A relatively new type of DoS attack called a Distributed Denial of Service Attack (DDoS) uses multiple computers to attack a single organization. These attacks exploit the inherent weaknesses of dedicated networks such as DSL and cable. These permanently attached systems do not usually have much, if any, protection. An attacker can load an attack program onto dozens or even hundreds of computer systems that use DSL or cable modems. The attack program will lay dormant on these computers until they get an attack signal from a master computer. This signal triggers these systems, which launch an attack simultaneously on the target network or system. Figure 2.1 shows an attack occurring and the master controller orchestrating the attack. The master controller may be another unsuspecting user. The systems taking direction from the master control computer are referred to as zombies . These systems merely carry out the instruction they have been given by the master computer.

Figure 2.1: Distributed Denial of Service attack

The nasty part of this type of attack is that the machines used to carry out the attack belong to normal computer users. The attack gives no special warning to those users. When the attack is complete, the attack program may remove itself from the system or infect the unsuspecting user with a virus that destroys the hard drive, thereby destroying the evidence.

In general, there is very little you can do to prevent DoS or DDoS attacks. Your best method of dealing with these types of attacks involves countermeasures and prevention. Many operating systems are particularly susceptible to these types of attacks. Fortunately, most operating system manufacturers have implemented updates to minimize the effects of these types of attacks. Make sure that your operating system and the applications you use are up to date and current.

Common Attacks

The common attacks that are encountered in a system are briefly described in this section. These attacks are designed to exploit potential weaknesses in the implementation of programs, as well as weaknesses in the protocols used in networks. Many of these types of attacks require a high level of sophistication and are rare. You need to know about them so that you can identify what has happened in your network.

Back Dor Attacks

The term back door can have two different meanings. The original term back door referred to troubleshooting and developer hooks into systems. During the development of a complicated operating system or application, programmers add back doors or maintenance hooks. These back doors allow them to examine operations inside the code while the code is running. The back doors are stripped out of the code when it is moved to production. When a software manufacturer discovers a hook that has not been removed, they release a maintenance upgrade or patch to close these back doors. These patches are very common when a new product is initially released.

The second type of back door refers to the entry and placement of a program or utility into a network that creates a back door for an attacker. These attacks are initiated by gaining access to a network and inserting a program or utility that creates the back door for the attacker. The program may allow a certain user ID to log on without a password, or gain administrative privileges. Figure 2.2 shows how a back door attack can be used to bypass the security of a network. In this example, the attacker is using a back door program to utilize resources or steal information.

Figure 2.2: A back door attack in progress

In either case, this attack is usually used as either an access or modification attack. A number of tools exist to create back door attacks on systems. One of the more popular tools used to create backdoors is Back Orifice. Back Orifice has been updated to work with Windows 2000. Another popular backdoor program is NetBus. Fortunately, a lot of conventional antivirus software will detect and block these types of attacks.

Spoofing Attacks

A spoofing attack is simply an attempt by someone or something to masquerade as someone else. This type of attack is usually considered an access attack. A very common spoofing attack that was popular for many years involved a programmer writing a fake logon program. This program would prompt the user for a user ID and password. No matter what the user typed, the program would indicate an invalid logon attempt and then transfer control to the real logon program. The spoofing program would write the logon and password into a disk file, which was retrieved later. This attack was very popular on early UNIX and other timesharing systems. Figure 2.3 shows a spoofing attack occurring as part of the logon process on a computer network. The attacker in this situation impersonates the server to the client attempting to login. No matter what the client attempts to do, the impersonating system will fail the login. When this process is finished, the impersonating system disconnects from the client. The client then logs into the legitimate server. In the meantime, the attacker now has a valid userid and password.

Figure 2.3: A spoofing attack during logon

The important point to remember is that a spoofing attack is accomplished to trick something or someone into thinking something legitimate is occurring.

Man in the Middle Attacks

Man in the middle attacks tends to be fairly sophisticated. This type of attack is also an access attack, but it can be used as the starting point for a modification attack. The method used in these attacks places a piece of software between a server and the user. The software intercepts and then sends the information to the server. The server responds back to the software, thinking it is the legitimate client. The attacking software then sends this information on to the server, etc. The man in the middle software may be recording this information, altering it, or in some other way compromising the security of your system. Figure 2.4 illustrates a man-in-the-middle attack. Notice how both the server and client assume that the system they are talking to is the legitimate system. The man in the middle appears to be the server to the client, and to be the client to the server.

Figure 2.4: A man in the middle attack occurring between a client and a web server

Replay Attack

Replay attacks are becoming quite common. These attacks occur when information is captured over a network. Replay attacks are used for access or modification attacks. In a distributed environment, logon and password information is sent between the client and the authentication system. The attacker can capture this information and replay it again later. This can also occur with security certificates from systems such as Kerberos. The attacker resubmits the certificate hoping to be validated by the authentication system. Figure 2.5 shows an attacker presenting a previously captured certificate to a Kerberos-enabled system. In this example, the attacker gets legitimate information from the client and records it. Then, the attacker attempts to use the information later to enter system. The attacker later relays information to gain access.

Figure 2.5: A replay attack occurring

If this attack is successful, the attacker will have all of the rights and privileges from the original certificate. This is the primary reason that most certificates contain a unique session identifier and a time stamp. If the certificate has expired , the certificate will be rejected and, hopefully, an entry made in a security log to notify system administrators.