Typical Attacks


Some would say that there is no such thing as a "typical" attack and that each is unique. On some level, that is true, but certain types of attack are more common. The common denominator of all attacks is that they exploit defects in design, configuration, or implementation of systems. Before there can be an attack, there needs to be a vulnerability.

Denial of Service

The denial of service (DoS) attack is one of the most common attacks launched across the Internet. DoS attacks are not meant to damage systems or steal data. Instead, they seek to deny the use of the system. Some common methods of performing DoS attacks are to overload a host or network interface, to cause a system or application to crash, or to fill up memory.

In many cases, recovery from a DoS attack requires little more than temporarily shutting down access to a computer or network port. Other attacks are more persistent.

Exploiting Programmer Errors

Two words sum up why so many vulnerabilities exist in computer systems: bad programming. There are a lot of programming errors that create security holes, but the two most frequent are buffer overruns and poor exception handling.

Buffer overruns happen when a programmer has neglected to place boundary checks around an input buffer. The attacker then sends input to the program that exceeds the size of the allocated memory for the buffer. The extra data is actually executable code that is then placed on the system stack and run. What happens after that is up to the warped imagination and skill of the attacker. It might simply crash the application or OS. Worse things can happen, though, and often do. In many cases, the rogue program stays in memory and continues to execute until the system is shut down.
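The boundary checks described above, as an added example that is not code from the book: a parser that copies a sender-supplied name into a fixed buffer only after checking the declared length against both the bytes received and the buffer's capacity. The wire format, the names, and the sample messages are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* buffer capacity; constructed value */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

struct request { char name[NAME_MAX_LEN + 1]; };   /* +1 for the NUL */

/* Hypothetical wire format: one length byte, then that many name bytes.
 * The unchecked pattern the text describes would be
 *     memcpy(req->name, msg + 1, msg[0]);
 * which trusts the sender's length byte. This version checks it against
 * both the bytes actually received and the destination's capacity. */
enum parse_status parse_request(const uint8_t *msg, size_t msg_len,
                                struct request *req)
{
    size_t declared;

    memset(req, 0, sizeof *req);
    if (msg == NULL || msg_len < 1)
        return PARSE_TRUNCATED;      /* no length byte at all */
    declared = msg[0];
    if (declared > msg_len - 1)
        return PARSE_TRUNCATED;      /* claims more bytes than arrived */
    if (declared > NAME_MAX_LEN)
        return PARSE_TOO_LONG;       /* would overrun req->name */
    memcpy(req->name, msg + 1, declared);
    req->name[declared] = '\0';
    return PARSE_OK;
}

/* Constructed sample messages, not taken from the page. */
static const uint8_t sample_ok[]      = { 5, 'a', 'l', 'i', 'c', 'e' };
static const uint8_t sample_short[]   = { 5, 'a', 'l' };
static const uint8_t sample_long[201] = { 200 };   /* rest is zero */

int main(void)
{
    struct request r;
    printf("ok=%d\n", parse_request(sample_ok, sizeof sample_ok, &r));
    printf("short=%d\n", parse_request(sample_short, sizeof sample_short, &r));
    printf("long=%d\n", parse_request(sample_long, sizeof sample_long, &r));
    return 0;
}
```

Oversized and truncated input is rejected with a status code the caller can handle, so the program neither writes past the buffer nor crashes on malformed data.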

Another common and related problem is poor exception handling. One common attack against UNIX and Linux computers exploits poor exception handling in a piece of network code and crashes it. On the surface, this seems more like a DoS attack. Unfortunately, many UNIX and Linux daemons and applications are run from high-level or even root-level shells. If these programs crash, they will transfer control to a root-level shell. When that happens, commands sent along with the ones that crashed the application will run as root, giving them carte blanche to do tremendous damage.

Man-in-the-Middle Attacks

Man-in-the-middle attacks occur when a hacker has hijacked your connection. Using a computer that mimics both ends of a network connection, the attacker makes each end appear to be talking to the other when, in fact, both ends are talking to the hacker's computer. This allows the attacker to snoop on the data moving between the two computers.

With information gleaned from the man-in-the-middle attack, the hacker can launch a replay attack. Assuming the identity of one of the endpoints of the conversation, the hacker's computer sends its own data and messages to the other end (Figure 5-1). An intruder might now request data from the remote computer or even damage it.

Figure 5-1. Man-in-the-middle with replay attack


Viruses and Trojan Horses

A few years ago, network-based DoS attacks were in the news. Now all the press is about viruses and Trojan horses. Although downloaded files still represent a vector for these types of attacks, e-mail, web pages, and instant messaging have become major conduits for delivering these maladjusted programs.

Viruses consist of computer code, usually very compact, that is carried to a computer from a downloaded file, message, or e-mail. Viruses attempt to hide themselves and can often attach themselves to other programs. When run, they remain resident in memory and are reloaded when another infected program runs. Some viruses automatically duplicate themselves by sending an e-mail containing the virus to everyone in a user's address book. Others leave behind a small program that opens a network connection. This allows an attacker to get access to the infected host over the Internet.

Trojan horses are programs that seem innocuous but are really malicious code. Like the Trojan horse from the Greek epic poem The Iliad, they look harmless or even beneficial but are not what they seem. When activated, many act in a way similar to viruses. The most obnoxious thing about Trojan horses is that they rely on the assistance of the users themselves. This makes them malicious and rude.

Whether a virus or Trojan horse, these are programs that, when run, can do almost anything. This includes wiping out a hard drive and filling up memory so that the computer grinds to a halt. Viruses represent one of the greatest threats to data today.



    Data Protection and Information Lifecycle Management
    ISBN: 0131927574
    EAN: 2147483647
    Year: 2005
    Pages: 122
