Published on Wed 28 March 2012 by Gary Hall in Security with tag(s): threats
It is important to understand the different types of network attacks used by hackers. To mitigate these attacks, it is useful to first categorize the various types of attacks. The most common categories of network attacks are reconnaissance attacks, access attacks, and denial of service (DoS)/distributed denial of service (DDoS) attacks.
A reconnaissance attack is an attempt to learn more about the intended victim before attempting a more intrusive attack. Hackers use reconnaissance (or recon) attacks to perform unauthorized discovery and mapping of systems, services, or vulnerabilities. Information queries via the WHOIS service, ping sweeps, port scans, vulnerability scanners, and exploitation tools are common techniques hackers use when performing reconnaissance attacks.
After gathering the necessary information during the reconnaissance phase of the attack, the hacker will usually attempt to access the network. Access attacks exploit known vulnerabilities in authentication services, FTP services, and web services to gain entry to web accounts, confidential databases, and other sensitive information. The hacker's main objectives may be to retrieve protected information, gain access to secure areas of the network, or escalate their own access privileges.
There are six common types of access attacks:
Password attack: A hacker attempts to discover critical system passwords using various methods, such as social engineering, dictionary attacks, brute-force attacks, or network sniffing.
Trust exploitation: A hacker uses unauthorized privileges to gain access to a system, possibly compromising the target. For example, if a DMZ device has access to the inside network, an attacker could leverage that trust by gaining access to the DMZ device and using it as a launching point for attacks against the inside network.
Port redirection: A hacker uses a compromised system as a base for attacks against other targets.
Man-in-the-middle attack: An attacker places himself in line between two legitimate devices that are communicating, with the intent to perform reconnaissance or to manipulate the data as it moves between them. This can happen at Layer 2 or Layer 3. The main purpose is eavesdropping, so the attacker can see all the traffic.
Buffer overflow attack: An attacker exploits a buffer overflow vulnerability, which is a programming flaw. If a service accepts input and expects the input to be within a certain size but does not verify the size of input upon reception, it may be vulnerable to a buffer overflow attack. This means that an attacker can provide input that is larger than expected, and the service will accept the input and write it to memory, filling up the associated buffer and also overwriting adjacent memory. This overwrite may corrupt the system and cause it to crash, resulting in a DoS. In the worst cases, the attacker can inject malicious code, leading to a system compromise.
IP, MAC, DHCP spoofing: An attacker injects traffic that appears to be sourced from a system other than the attacker's own. To perform MAC or IP spoofing, the attacker uses MAC or source IP addresses that are different from their real addresses. DHCP spoofing can be done from either the DHCP server side or the DHCP client side. To perform DHCP server spoofing, the attacker sets up a rogue DHCP server on the network that then responds to client requests with attacker-defined parameters. From the client side, an attacker can spoof many DHCP client requests, specifying a unique MAC address per request in the hope of exhausting the DHCP server's IP address pool.
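The buffer overflow item above describes a service that accepts input and never checks its size before writing it into a fixed-size buffer. The following is an added example (not code from the original post) that places that unchecked copy beside the hardened form that verifies the length on reception; the struct, field names and size are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed example: a service stores a client-supplied username. */
#define USERNAME_MAX 16

struct session {
    char username[USERNAME_MAX];
    int  is_admin;   /* adjacent memory that an overflow would clobber */
};

/* Vulnerable form (the flaw described above): assumes the input fits and
 * never checks its length, so a longer input runs past username[] into
 * is_admin and whatever follows. Shown for contrast only; never called. */
void set_username_unchecked(struct session *s, const char *input)
{
    strcpy(s->username, input);   /* unbounded copy -> buffer overflow */
}

/* Hardened form: verify the size upon reception and reject oversized input
 * instead of writing it. Returns false when the input does not fit. */
bool set_username_checked(struct session *s, const char *input, size_t input_len)
{
    if (input_len >= USERNAME_MAX)    /* keep room for the terminating NUL */
        return false;
    memcpy(s->username, input, input_len);
    s->username[input_len] = '\0';
    return true;
}

/* Self-check: a 63-byte name is rejected and the adjacent field survives.
 * Returns 1 when the hardened copy behaved correctly, 0 otherwise. */
int checked_copy_blocks_overflow(void)
{
    struct session s = { "", 0 };
    char big[64];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    if (!set_username_checked(&s, "alice", 5))
        return 0;                                   /* short name must fit */
    if (set_username_checked(&s, big, sizeof big - 1))
        return 0;                                   /* oversized must be refused */
    return strcmp(s.username, "alice") == 0 && s.is_admin == 0;
}
```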
DoS and DDoS Attacks
DoS attacks attempt to consume all of the resources of a critical computer or network in order to make it unavailable for valid use. A DoS attack typically results in some sort of interruption of service to users, devices, or applications. Malicious hosts can also coordinate to flood a victim with an abundance of attack packets, so that the attack takes place simultaneously from potentially thousands of sources.
This type of attack is called a DDoS attack. DDoS attacks typically emanate from networks of compromised systems, known as botnets. DDoS attacks can also use reflection and amplification to augment their impact on the victim. A reflection attack is a type of DoS attack in which the attacker sends a flood of protocol request packets to various IP hosts. These reflectors respond by sending response packets to a specific target, thus flooding it. In an amplification attack, a small forged packet elicits a large reply from the reflectors.
Examples of DoS attacks are:
Ping of death: An attacker sends a malformed or otherwise malicious ping to a network computer, in this case a packet larger than the maximum packet size of 65,535 bytes, which causes legacy systems to hang or crash.
Smurf attack: A hacker sends numerous ICMP echo-request packets to the broadcast address of a large network. These packets contain the victim's address as the source IP address. Every host that belongs to the large network responds by sending ICMP echo-reply packets to the victim.
TCP SYN flood attack: An attacker exploits the TCP three-way handshake design by sending multiple TCP SYN packets with random source addresses to a victim host, forcing the host to respond and wait for an ACK packet that never arrives, thus leaving the victim with a large number of half-open TCP connections.
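The SYN flood item above leaves the victim with many half-open connections from random source addresses, which is exactly what a defender can look for. The following is an added example (not from the original post) that scans a constructed connection-table dump, counts half-open entries per destination and how many distinct sources they come from, and flags the pattern; the line format and the threshold are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a connection-table dump (not real tool output). */
static const char *conn_table[] = {
    "state=SYN_RECV src=198.51.100.7 dst=192.0.2.10:80",
    "state=SYN_RECV src=203.0.113.22 dst=192.0.2.10:80",
    "state=SYN_RECV src=198.51.100.9 dst=192.0.2.10:80",
    "state=ESTABLISHED src=198.51.100.3 dst=192.0.2.10:80",
    "state=SYN_RECV src=203.0.113.5 dst=192.0.2.10:80",
    "state=ESTABLISHED src=198.51.100.4 dst=192.0.2.11:443",
};
#define CONN_TABLE_LEN (sizeof conn_table / sizeof conn_table[0])

/* Count entries for dst stuck in SYN_RECV (half-open: SYN seen, final ACK
 * never arrived) and report how many distinct sources they come from. */
int count_half_open(const char **lines, int n, const char *dst, int *distinct_src)
{
    char seen[64][32];
    int nseen = 0, half = 0;
    for (int i = 0; i < n; i++) {
        char state[16], src[32], d[48];
        if (sscanf(lines[i], "state=%15s src=%31s dst=%47s", state, src, d) != 3)
            continue;                       /* skip lines we cannot parse */
        if (strcmp(d, dst) != 0 || strcmp(state, "SYN_RECV") != 0)
            continue;
        half++;
        int dup = 0;
        for (int j = 0; j < nseen; j++)
            if (strcmp(seen[j], src) == 0) { dup = 1; break; }
        if (!dup && nseen < 64)
            strcpy(seen[nseen++], src);     /* src fits: sscanf bounded it */
    }
    *distinct_src = nseen;
    return half;
}

/* Heuristic: a flood shows many half-open connections from many unrelated
 * sources. A single slow client would not push both counts past threshold. */
int syn_flood_suspected(const char **lines, int n, const char *dst, int threshold)
{
    int distinct;
    int half = count_half_open(lines, n, dst, &distinct);
    return half >= threshold && distinct >= threshold;
}
```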