Common Attacks

While there are many types of attacks, the most common include Denial of Service (DoS) attacks, spoofing, man-in-the-middle attacks and replay attacks. Man-in-the-middle and replay attacks are very similar. A man-in-the-middle attack involves intercepting data by sitting at a point between two systems, typically a user’s computer and a server. A simple analogy is the process of sending a secure physical package. One way to do this would be to put a lock on the box before sending it; the recipient would add their own lock once it is received and send it back. The sender could then remove their padlock and send it once again, so the recipient only has their own lock to deal with. If, however, an attacker intercepts the package when it is originally sent, attaches their own lock, sends it back, and then has it sent back to them again, they have gained access to the contents with relative ease.

A replay attack is essentially a type of man-in-the-middle attack: it involves intercepting and copying data in transmission before allowing the transmission to continue. The intercepted data is then used at a later time to gain illicit access to the network. Replay attacks are becoming less and less common, as modern authentication procedures involving one-time-use passwords have eliminated their chances of success.

A recent significant example of man-in-the-middle and (to some extent) replay attacks is Firesheep. This browser add-on simplified the process of hijacking session cookies from users on one’s local wi-fi hotspot. While it was already possible to use more complicated applications to sniff the airwaves for particular streams of data and intercept them, Firesheep handles all of this behind the scenes and presents a simple GUI showing which users are accessing which websites from a long list. The Firesheep user could then simply click on a user and would be using that user’s session cookie to gain access to their account, providing the ability to post to Twitter, Facebook and many other services. While a resolution was not swift, most of the affected sites have since added stronger authentication, including SSL sessions and one-time-use passcode verification, ensuring that such attacks are substantially more difficult, if not impossible.
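The one-time-use property credited above for defeating replay can be built into any request protocol. The following is an added example, not code from the original article: it assumes a pre-shared key and a request format of (nonce, timestamp, body, HMAC tag), both of which are constructed for the demo, and shows a server refusing to accept a captured request a second time.

```python
"""Replay-resistant request authentication.

Added example, not code from the original article. Assumed protocol: each
request carries a client nonce, a Unix timestamp and an HMAC-SHA256 tag over
(nonce, timestamp, body) under a pre-shared key. The server rejects a wrong
tag, a timestamp outside its freshness window, or a nonce it has already
accepted, so a captured valid request cannot be replayed later. Key and
request values below are constructed for the demo.
"""
import hashlib
import hmac

FRESHNESS_WINDOW = 30  # seconds a request may be in flight before it is stale

def sign_request(key, nonce, timestamp, body):
    """Client side: the tag binds nonce, timestamp and body together."""
    msg = f"{nonce}|{timestamp}|".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ReplayGuard:
    """Server side: verifies tags and remembers nonces seen within the window."""
    def __init__(self, key, window=FRESHNESS_WINDOW):
        self.key = key
        self.window = window
        self.seen = {}  # nonce -> timestamp it was accepted with

    def verify(self, nonce, timestamp, body, tag, now):
        # Nonces older than the window fail the freshness check anyway, so
        # forgetting them keeps the store bounded without weakening the check.
        for n in [n for n, ts in self.seen.items() if now - ts > self.window]:
            del self.seen[n]
        expected = sign_request(self.key, nonce, timestamp, body)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad signature"  # tampered fields or wrong key
        if abs(now - timestamp) > self.window:
            return "rejected: stale timestamp"
        if nonce in self.seen:
            return "rejected: replayed nonce"
        self.seen[nonce] = timestamp
        return "accepted"

if __name__ == "__main__":
    key, t = b"constructed-demo-key", 1_700_000_000
    guard, body = ReplayGuard(key), b'{"action":"post","text":"hello"}'
    tag = sign_request(key, "nonce-1", t, body)
    print(guard.verify("nonce-1", t, body, tag, now=t))      # accepted
    print(guard.verify("nonce-1", t, body, tag, now=t + 2))  # rejected: replayed nonce
```

Note that the tag alone does not stop replay; it is the nonce store combined with the freshness window that makes a captured message useless after its first use.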

Spoofing can be a very dangerous type of attack because of the number of people that can be impacted by it. Spoofing is essentially impersonating, or pretending to be, something or someone else on the network, and it can be used in many different ways. An attacker could emulate a wireless access point so that traffic from any machine attempting to connect could be intercepted. By pretending to be a legitimate user, spoofing that user’s IP address, any illicit activities could be attributed to that user. If a server only accepts incoming traffic from specific IP addresses, spoofing the IP would also allow an attacker to take control of the server. Finally, a type of spoofing that is becoming more and more common is emulating the new-user or log-in pages of financial or other websites to obtain login credentials directly from the user trying to access the information. An excellent, but unfortunate, example of how damaging spoofing can be involves falsifying SSL security certificates for websites. An attack on certificate issuer RSA allowed attackers to gain certificate information for some high-profile websites. Google, Skype, Yahoo and even Lockheed Martin are some of the companies whose certificates were leaked. An attacker with these certificates can trick a browser into thinking that an illegitimate website is not only legitimate but signed to be secure. Luckily, in this case the infiltration was discovered early; had it not been, many people could have been negatively impacted.

Denial of Service (DoS) attacks seem to be the attacks most often covered by the press, perhaps due to their increasing frequency or even the ease of launching one. A denial of service attack attempts to consume so many network resources that legitimate traffic is unable to get through. For all networking connections, the most basic connection involves sending a SYN to initialize a connection and the server following up by sending a SYN+ACK, an acknowledgement of receipt of the information. The original machine responds with its own SYN+ACK. At least, this is how the connection is normally handled. In certain types of DoS attacks a SYN is sent and the server responds with a SYN+ACK, but the initiating machine never responds, causing the server to wait. When this is done enough times it exhausts the server’s resources and ensures that no new connections can be established. The most common DoS attack today is the distributed DoS, or DDoS, attack. In a DDoS attack many individual machines, spread out geographically and across external resources, each launch their own small attack, which together add up to huge damage to the server. DDoS attacks seem to be becoming more common because of how simple they are to launch and how difficult it can be to track down anyone involved. Today there are even simple applications that can be run from the desktop and used to participate easily in a large-scale DDoS attack. The hacker group Anonymous uses DDoS attacks frequently as a means of protest and speaking out against companies or causes with which they disagree. Attacks by Anonymous have been launched against organizations from Sony to the Westboro Baptist Church, bringing their network services and website (respectively) to a halt.
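The half-open-connection exhaustion described above is what SYN cookies were designed to defeat: the server answers every SYN but stores nothing until the handshake completes. The following is an added example, not code from the original article; it models the standard three-step handshake (SYN, SYN+ACK, ACK) with a keyed 32-bit cookie as the server's initial sequence number, and the secret, addresses, ports and counter period are constructed for the demo.

```python
"""SYN cookies: answering SYNs without keeping half-open state.

Added example, not code from the original article. In the standard TCP
handshake the client sends SYN, the server answers SYN+ACK and the client
completes with ACK; a SYN flood sends the first step and never the third, so
a naive server's table of half-open connections fills up. A SYN-cookie server
encodes a keyed hash of the connection tuple plus a coarse time counter into
its initial sequence number (ISN), stores nothing, and allocates a connection
only when the final ACK echoes a valid cookie. All values below are constructed.
"""
import hashlib
import hmac

COUNTER_BITS = 8               # high 8 bits of the ISN carry a time counter
HASH_BITS = 32 - COUNTER_BITS  # remaining 24 bits carry the keyed hash
COUNTER_PERIOD = 64            # seconds per counter tick (illustrative)
MAX_AGE_TICKS = 1              # accept cookies from the current or previous tick
MASK32 = 0xFFFFFFFF

def _counter(now):
    return (now // COUNTER_PERIOD) & ((1 << COUNTER_BITS) - 1)

def _tuple_hash(secret, src_ip, src_port, dst_port, counter):
    """Keyed hash binding the cookie to this client, port pair and tick."""
    msg = f"{src_ip}:{src_port}>{dst_port}@{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") >> COUNTER_BITS

def make_syn_cookie(secret, src_ip, src_port, dst_port, now):
    """Server ISN for the SYN+ACK. Nothing about the client is stored."""
    counter = _counter(now)
    return (counter << HASH_BITS) | _tuple_hash(secret, src_ip, src_port, dst_port, counter)

def check_ack(secret, src_ip, src_port, dst_port, ack_num, now):
    """Validate the final ACK; its acknowledgement number is the server ISN + 1."""
    cookie = (ack_num - 1) & MASK32
    counter = cookie >> HASH_BITS
    age = (_counter(now) - counter) & ((1 << COUNTER_BITS) - 1)
    if age > MAX_AGE_TICKS:
        return False  # expired or forged counter: allocate nothing
    expected = _tuple_hash(secret, src_ip, src_port, dst_port, counter)
    got = cookie & ((1 << HASH_BITS) - 1)
    return hmac.compare_digest(got.to_bytes(3, "big"), expected.to_bytes(3, "big"))

if __name__ == "__main__":
    secret, now = b"constructed-secret", 1_700_000_000
    isn = make_syn_cookie(secret, "203.0.113.5", 40000, 443, now)
    ack = (isn + 1) & MASK32
    print(check_ack(secret, "203.0.113.5", 40000, 443, ack, now + 5))    # True
    print(check_ack(secret, "203.0.113.5", 40000, 443, ack, now + 600))  # False
```

A flood of SYNs that never complete therefore costs the server only the computation of each SYN+ACK, not an entry in a connection table; the trade-off is that TCP options carried in the SYN are lost unless they are also encoded into the cookie.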

Having an awareness and understanding of the most common attacks is the first step in being able to defend against them. While it is easy to feel secure and to assume that such attacks will never be able to damage the company, more and more large organizations are being impacted by them. Poor security and overconfidence in security occur all too frequently, and attackers are now able to utilize more resources at lower cost with greater ease; it is also easier for smart attackers to hide. An organization must be prepared for these common attacks, as even the smallest slip-up can lead to substantial damage to data, company image, or both.