1. What is an attack?
In general terms, an attack is a maliciously intended act against a system.
Fig. 1-1 An attack process
- Goals: The prime goal that motivates the act. It can vary considerably: stealing money or data, damaging a reputation, etc.
- Subgoals: The intermediate objectives needed to reach the prime goal, ranging from gaining elevated privileges on a target machine to controlling whole networks.
- Activities: The actions needed to reach one or more of the subgoals, such as obtaining login credentials or flooding a network.
- Events: The results of the above activities: a suspended service, a halted program, access granted, etc.
- Consequences: The direct business results of the events, such as a computer being unavailable for business transactions or balance sheets showing falsified figures.
- Impacts: The business effect, the ultimate damage that was intended, e.g. lost revenue or a tarnished reputation.
1.1. Who, why, how?
This leads to one classification of computer attacks, based on the attacker's motives:
- Fun. Goals: enjoyment, reputation (CV, prestige), ... Attackers: script kiddies
- Grudge. Goals: revenge, ... Attackers: script kiddies, crackers
- Terrorism. Goals: terror, political/religious issues, ... Attackers: script kiddies, crackers, Mafia
- Financial. Goals: money, clients, ... Attackers: crackers, companies
- Business. Goals: market share, reputation (image), ... Attackers: companies, corporations
- Government & military. Goals: political, national security, economy, ... Attackers: governments (e.g. the NSA), the military
2. Taxonomy: an essay
Developing a taxonomy for computer and network attacks is neither a straightforward nor an easy task. Attacks can be classified in many different ways, mostly depending on the environment one works in: a network engineer faces a quite different set of attacks than a webmaster does.
For a more scientific approach to taxonomies, refer to John Howard's (CERT/CC) thesis, especially chapter 6: http://www.cert.org/research/JHThesis/Chapter6.html
The following approach is based on the specific view an application developer has of computer and network attacks (and of vulnerabilities). Not only attacks based on software flaws are treated: applications need a broader scope, since an application can encompass several systems and depend on a whole stack of software and hardware. This list is far from exhaustive and gives only some common examples.
2.1. Architecture/design level attacks
- Man-in-the-middle attack
A man-in-the-middle attack is performed when an attacker intercepts the communication between two or more parties and masquerades as each of them towards the other, either merely listening to the traffic or modifying the data in transit. The purely passive variant, where the attacker only listens, is usually called eavesdropping.
Examples:
- SSL/TLS e-banking howto: http://www.cs.umu.se/education/examina/Rapporter/MattiasEriksson.pdf
- Real world example: http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2004/03/18/BAG6S5MUEO1.DTL
- Race condition attack
The race condition attack is a subtle one. From the computer's (OS, hardware) point of view, an application executes in discrete steps. If a sequence of steps that the program treats as a single operation is not actually atomic, an attacker has a brief window of time in which to change the state the program relies on, for instance by replacing a file that was just checked with a symbolic link to a file the attacker wants overwritten (a time-of-check/time-of-use race).
Examples:
- wget race condition vulnerability allowing a symlink attack: http://www.securiteam.com/unixfocus/5AP0H2ACUY.html
- David Wheeler's article about race conditions: http://www-128.ibm.com/developerworks/library-combined/l-sprace.html
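The check-then-use window from the wget example above, played out in C. This is an added example, not code from the page or from wget: naive_check() and naive_open() are two separate system calls, so an attacker who wins the race plants a symlink between them and the program truncates the link's target; safe_create() closes the window with a single O_CREAT|O_EXCL|O_NOFOLLOW open() and an fstat() on the descriptor it actually got. The demo writes to a constructed scratch directory under /tmp and plays the attacker itself so that the race is deterministic; all function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1 of the vulnerable pattern: "is it safe to create this file?" */
int naive_check(const char *path)
{
    return access(path, F_OK) != 0;      /* 1 = nothing there yet */
}

/* Step 2: create it.  Nothing ties this open() to the check above; a
 * symlink planted in between is followed and its target truncated. */
int naive_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: one atomic open() that refuses to create over anything already
 * present (O_EXCL) and refuses to follow a symlink (O_NOFOLLOW), then an
 * fstat() on the descriptor actually obtained rather than on the path. */
int safe_create(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

static int write_str(int fd, const char *s)
{
    size_t n = strlen(s);
    return fd >= 0 && write(fd, s, n) == (ssize_t)n ? 0 : -1;
}

/* Plays the race with the attacker winning every time, in a constructed
 * scratch directory.  Returns a bit mask: bit 0 if the naive code clobbered
 * the victim file through the symlink, bit 1 if safe_create() refused the
 * same path.  3 is the expected result; -1 means the demo could not set up. */
int demo_race(void)
{
    char dir[] = "/tmp/toctouXXXXXX";   /* constructed scratch location */
    char victim[64], out[64], buf[32];
    int result = 0, fd;
    ssize_t n;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(out, sizeof out, "%s/out", dir);

    /* the file the attacker wants overwritten (stand-in for /etc/passwd) */
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (write_str(fd, "secret\n") != 0) {
        close(fd);
        return -1;
    }
    close(fd);

    if (naive_check(out)) {
        /* the attacker wins the race: a symlink appears inside the window */
        if (symlink(victim, out) != 0)
            return -1;
        /* the program opens "its new file" and writes through the link */
        fd = naive_open(out);
        write_str(fd, "owned\n");
        close(fd);
    }
    fd = open(victim, O_RDONLY);
    n = fd >= 0 ? read(fd, buf, sizeof buf - 1) : -1;
    if (fd >= 0)
        close(fd);
    buf[n > 0 ? n : 0] = '\0';
    if (strcmp(buf, "owned\n") == 0)
        result |= 1;

    /* same directory state, hardened code: the symlink is refused */
    fd = safe_create(out);
    if (fd < 0)
        result |= 2;
    else
        close(fd);

    unlink(out);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_race();
    printf("naive code clobbered victim: %s, safe_create refused symlink: %s\n",
           (r & 1) ? "yes" : "no", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The fstat() after the open is what makes the check and the use refer to the same object: the path may mean something different from one system call to the next, but the descriptor cannot.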
- Replay attack
A replay attack can be performed if the attacker has the opportunity to record an entire transaction between, say, a client and a server. The attacker can then "replay" part of the conversation for his own purposes, e.g. resend a recorded authentication exchange to be accepted as the legitimate client.
Examples:
- Kerberos V and SMB: http://www.hut.fi/~autikkan/kerberos/docs/phase1/pdf/LATEST_replay_attack.pdf
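Receiver-side protection against the replay described above, as an added example that is not part of the original page: an IPsec-style sliding anti-replay window in C. It assumes each message carries a sequence number that is covered by a MAC already verified before this check (so the attacker can only resend old messages, not mint new counters) and that the session is rekeyed before the counter could wrap; the capture fed in by main() is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 64   /* how far behind the newest message we still track */

/* Receiver-side anti-replay state, one per sender or session.  Assumes the
 * sequence number is authenticated (MAC checked before calling replay_check),
 * otherwise an attacker just rewrites the counter. */
struct replay_window {
    uint32_t last;     /* highest sequence number accepted so far */
    uint64_t bitmap;   /* bit i set: sequence number (last - i) already seen */
    bool     started;
};

void replay_init(struct replay_window *w)
{
    w->last = 0;
    w->bitmap = 0;
    w->started = false;
}

/* Returns true and records seq if it is fresh; false if it was already
 * accepted (a replay) or is too far in the past to be tracked. */
bool replay_check(struct replay_window *w, uint32_t seq)
{
    if (!w->started) {                 /* first message of the session */
        w->started = true;
        w->last = seq;
        w->bitmap = 1;
        return true;
    }
    if (seq > w->last) {               /* newer than anything seen: slide */
        uint32_t shift = seq - w->last;
        w->bitmap = shift >= REPLAY_WINDOW ? 0 : w->bitmap << shift;
        w->bitmap |= 1;
        w->last = seq;
        return true;
    }
    uint32_t behind = w->last - seq;   /* older or equal: consult the bitmap */
    if (behind >= REPLAY_WINDOW)
        return false;                  /* too old to vouch for: reject */
    uint64_t bit = (uint64_t)1 << behind;
    if (w->bitmap & bit)
        return false;                  /* replay */
    w->bitmap |= bit;
    return true;
}

/* Feeds a captured sequence of messages to a fresh receiver and returns how
 * many of them were rejected. */
int count_rejected(const uint32_t *seqs, int n)
{
    struct replay_window w;
    int rejected = 0;
    replay_init(&w);
    for (int i = 0; i < n; i++)
        if (!replay_check(&w, seqs[i]))
            rejected++;
    return rejected;
}

int main(void)
{
    /* constructed capture: legitimate 1..3, attacker replays 2, legitimate 4,
     * attacker replays 1 and 3 */
    const uint32_t capture[] = { 1, 2, 3, 2, 4, 1, 3 };
    printf("rejected %d of 7 messages\n", count_rejected(capture, 7));
    return 0;
}
```

Out-of-order delivery inside the window is still accepted (bit not yet set), which is why a plain "seq must be last + 1" rule is not used: it would drop legitimate reordered traffic, and the window gives the same replay guarantee without that cost.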
- Sniffer attack
A "sniffer" is a program that silently records all network traffic on a LAN. This method is often used to collect usernames and passwords transmitted in the clear over the network.
- Session hijacking/killing attack
TCP does not authenticate its segments: any host that can observe or guess the sequence numbers of an established connection can inject packets into it and take the session over ("hijack" it). By sending a forged TCP reset packet with an acceptable sequence number, the session can for instance be killed prematurely.
Examples:
- TCP hijacking (man-in-the-middle): http://www.giac.org/practical/gsec/Bhavin_Bhansali_GSEC.pdf
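The forged-reset case above in numbers, as an added example that is not from the page or from the GIAC paper: the RFC 793 acceptability test that makes a blind reset feasible, the RFC 5961 variant that only honours an exact sequence number and answers in-window guesses with a challenge ACK, and a simulated blind attacker that strides through the sequence space one window at a time. The connection state in main() is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* In-window test from RFC 793, done modulo 2^32 so it survives wrap-around:
 * seq is acceptable if it lies in [rcv_nxt, rcv_nxt + rcv_wnd). */
bool tcp_seq_in_window(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seq)
{
    return (uint32_t)(seq - rcv_nxt) < rcv_wnd;
}

enum rst_action { RST_DROP, RST_RESET, RST_CHALLENGE };

/* Classic (RFC 793) processing: any RST whose sequence number falls inside
 * the receive window tears the connection down.  An attacker who knows the
 * four-tuple only has to land in a window, not on an exact number. */
enum rst_action rst_handle_rfc793(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seq)
{
    return tcp_seq_in_window(rcv_nxt, rcv_wnd, seq) ? RST_RESET : RST_DROP;
}

/* RFC 5961 mitigation: only an exact match resets; an in-window but inexact
 * RST is answered with a challenge ACK carrying the true rcv_nxt, which the
 * legitimate peer can use and a blind attacker never sees. */
enum rst_action rst_handle_rfc5961(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seq)
{
    if (seq == rcv_nxt)
        return RST_RESET;
    if (tcp_seq_in_window(rcv_nxt, rcv_wnd, seq))
        return RST_CHALLENGE;
    return RST_DROP;
}

/* Worst-case number of forged RSTs a blind attacker needs to cover the whole
 * 2^32 sequence space in window-sized strides. */
uint64_t rst_probes_worst_case(uint32_t rcv_wnd)
{
    uint64_t space = (uint64_t)1 << 32;
    return rcv_wnd ? (space + rcv_wnd - 1) / rcv_wnd : space;
}

/* Simulated blind attacker: sends RSTs at seq = 0, wnd, 2*wnd, ... against a
 * connection it cannot observe.  Returns the number of packets sent up to and
 * including the one that was honoured, or 0 if the whole space was covered
 * without success. */
uint64_t blind_rst_probes(uint32_t rcv_nxt, uint32_t rcv_wnd, bool rfc5961)
{
    uint64_t probes = 0;
    if (rcv_wnd == 0)
        return 0;
    for (uint64_t seq = 0; seq < ((uint64_t)1 << 32); seq += rcv_wnd) {
        enum rst_action act = rfc5961
            ? rst_handle_rfc5961(rcv_nxt, rcv_wnd, (uint32_t)seq)
            : rst_handle_rfc793(rcv_nxt, rcv_wnd, (uint32_t)seq);
        probes++;
        if (act == RST_RESET)
            return probes;
    }
    return 0;
}

int main(void)
{
    uint32_t rcv_nxt = 0x12345678u, wnd = 65536;   /* constructed connection state */
    printf("window %u: at most %llu probes to cover the space\n", wnd,
           (unsigned long long)rst_probes_worst_case(wnd));
    printf("this connection: reset after %llu probes (RFC 793), %llu (RFC 5961; 0 = never)\n",
           (unsigned long long)blind_rst_probes(rcv_nxt, wnd, false),
           (unsigned long long)blind_rst_probes(rcv_nxt, wnd, true));
    return 0;
}
```

With a 64 KiB window the attacker needs at most 65536 packets, which is minutes of work on any broadband link; the RFC 5961 rule pushes that back to the full 2^32 space because an in-window guess no longer resets anything.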
2.2. Implementation level attacks
- Buffer overflow attack
This is one of the most common attacks, because many programming languages (C and C++ above all) do not check array bounds. A buffer overflow occurs when more data is written into a fixed-size buffer than it can hold, without adequate bounds checking being done; the excess overwrites whatever lies next to the buffer in memory.
Examples:
- PNG (Portable Network Graphics) heap corruption vulnerability: http://www.securityfocus.com/archive/1/303127
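What "without adequate bounds checking" does in memory, as an added example (not code from the page): a C record whose privilege flag sits right behind a 16-byte name buffer. set_name_unchecked() copies the way strcpy() does, so a 20-byte name spills four bytes into is_admin; set_name_checked() measures first and refuses what does not fit. The struct, the function names and the 20-byte input are constructed for the demonstration, and the overflow is deliberately kept inside the struct so it shows up as a changed flag rather than as a crash.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A record with a fixed-size name buffer.  The privilege flag sits right
 * behind the buffer in memory, so writing past the end of `name` lands on
 * it; `spare` keeps the demo's overflow inside the struct so the result is
 * deterministic instead of a crash. */
struct account {
    char name[16];
    int  is_admin;
    char spare[16];
};

/* Vulnerable: copies until the terminating NUL and never consults the size
 * of the destination.  This is exactly what strcpy()/strcat()/gets() do. */
__attribute__((noinline))
void set_name_unchecked(struct account *a, const char *src)
{
    volatile char *d = a->name;      /* volatile: keep every byte store */
    while ((*d++ = *src++) != '\0')
        ;
}

/* Hardened: measure first, refuse anything that does not fit, copy with an
 * explicit bound and keep the NUL terminator. */
int set_name_checked(struct account *a, const char *src)
{
    size_t n = strlen(src);
    if (n >= sizeof a->name)
        return -1;                    /* reject rather than silently truncate */
    memcpy(a->name, src, n + 1);
    return 0;
}

/* Returns the privilege flag after the unchecked copy of `input` into a
 * fresh, unprivileged account. */
int privilege_after_unchecked(const char *input)
{
    struct account a;
    memset(&a, 0, sizeof a);
    set_name_unchecked(&a, input);
    return a.is_admin;
}

/* Same with the checked copy: returns the privilege flag, or -1 if the
 * input was rejected (in which case the flag is guaranteed untouched). */
int privilege_after_checked(const char *input)
{
    struct account a;
    memset(&a, 0, sizeof a);
    if (set_name_checked(&a, input) != 0)
        return -1;
    return a.is_admin;
}

int main(void)
{
    const char *attack = "AAAAAAAAAAAAAAAAAAAA";   /* 20 bytes: 4 past the buffer */
    printf("unchecked copy: is_admin = 0x%x\n", privilege_after_unchecked(attack));
    printf("checked copy:   result   = %d\n", privilege_after_checked(attack));
    return 0;
}
```

The four 'A' bytes that land in is_admin (0x41414141) are the whole attack in miniature: on a real stack the neighbour of the buffer is a saved return address, and an attacker chooses those bytes rather than 'A'.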
- Back door attack
Back doors, in the sense of application development, exist when a rogue programmer manages to write special code into the application during its creation, for instance allowing access control to be bypassed later via a "magic" account.
- Parsing error attack
Programs that do not properly check the input they receive, from users for example, are vulnerable to parsing error attacks, which try to pass content that compromises security.
Examples:
- IIS unicode vulnerabilites: http://www.sans.org/resources/malwarefaq/wnt-unicode.php
- SQL injection attacks: http://www.informit.com/articles/printerfriendly.asp?p=30124
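The decode-after-check mistake behind the IIS unicode vulnerability above, beside the hardened order, as an added example (not code from the page or from IIS): percent-decode first, reject overlong UTF-8 such as %c0%af, and only then check the path components. The request strings are constructed and modelled on the shape of the published payloads; the function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decodes `in` into `out` (NUL-terminated).  Returns the decoded
 * length, or -1 on a truncated or malformed escape or if `out` is too small. */
int percent_decode(const char *in, unsigned char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        int c = (unsigned char)*p;
        if (*p == '%') {
            int hi = hexval(p[1]);
            int lo = hi < 0 ? -1 : hexval(p[2]);   /* never read past a NUL */
            if (hi < 0 || lo < 0)
                return -1;
            c = hi * 16 + lo;
            p += 2;
        }
        if (n + 1 >= outsz)
            return -1;
        out[n++] = (unsigned char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* True iff s[0..n) is well-formed UTF-8 with every code point in its
 * shortest form.  Overlong forms such as C0 AF (a second spelling of '/')
 * are exactly what a check-before-decode filter never gets to see. */
bool utf8_strict(const unsigned char *s, size_t n)
{
    for (size_t i = 0; i < n; ) {
        unsigned char b = s[i];
        size_t len;
        unsigned int cp, min;
        if (b < 0x80) { i++; continue; }
        if ((b & 0xE0) == 0xC0)      { len = 2; min = 0x80;    if (b < 0xC2) return false; }
        else if ((b & 0xF0) == 0xE0) { len = 3; min = 0x800; }
        else if ((b & 0xF8) == 0xF0) { len = 4; min = 0x10000; if (b > 0xF4) return false; }
        else return false;                       /* stray continuation byte */
        if (i + len > n)
            return false;                        /* truncated sequence */
        cp = b & (0xFFu >> (len + 1));
        for (size_t k = 1; k < len; k++) {
            if ((s[i + k] & 0xC0) != 0x80)
                return false;
            cp = (cp << 6) | (s[i + k] & 0x3F);
        }
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return false;                        /* overlong, out of range, surrogate */
        i += len;
    }
    return true;
}

/* True if any '/'- or '\'-separated component of path is exactly "..". */
static bool has_dotdot_component(const char *path)
{
    for (const char *p = path; *p; ) {
        const char *q = p;
        while (*q && *q != '/' && *q != '\\')
            q++;
        if (q - p == 2 && p[0] == '.' && p[1] == '.')
            return true;
        p = *q ? q + 1 : q;
    }
    return false;
}

/* Vulnerable order (what the IIS "unicode" bug amounted to): inspect the
 * request as received and decode it afterwards.  "%2e%2e" and "..%c0%af"
 * are not ".." yet, so they pass. */
bool path_allowed_naive(const char *raw)
{
    return !has_dotdot_component(raw);
}

/* Hardened order: decode completely, insist on strict UTF-8, and only then
 * check the path the filesystem will actually see. */
bool path_allowed(const char *raw, char *decoded, size_t sz)
{
    int n = percent_decode(raw, (unsigned char *)decoded, sz);
    if (n < 0 || !utf8_strict((const unsigned char *)decoded, (size_t)n))
        return false;
    return !has_dotdot_component(decoded);
}

int main(void)
{
    /* constructed requests modelled on the shape of the published IIS payloads */
    const char *reqs[] = { "/scripts/..%c0%af../winnt/system32/cmd.exe",
                           "/scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe",
                           "/images/caf%c3%a9.png" };
    char buf[256];
    for (size_t i = 0; i < 3; i++)
        printf("%-46s naive=%d strict=%d\n", reqs[i], path_allowed_naive(reqs[i]),
               path_allowed(reqs[i], buf, sizeof buf));
    return 0;
}
```

The same rule generalises to every parser in front of a security check: canonicalise to the form the consumer will act on, then check that form, never the other way round.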
2.3. Operation level attacks
- Denial-of-service attack
Systems (applications, hosts or even networks) can be rendered unusable by flooding them with service requests or with high-rate input. Legitimate users are thus denied the service. These attacks can be very large-scale and come from many different sources at once; in that case we speak of a distributed denial-of-service (DDoS) attack.
Examples:
- Yahoo, Amazon, etc. DDOS case: http://www.linuxsecurity.com/resource_files/intrusion_detection/ddos-whitepaper.html
- Human-targeted DOS attacks: http://www.cs.technion.ac.il/~gabr/papers/htdos.pdf
- Default account attack
Many applications, and especially operating systems, ship with default accounts that have insecure or no passwords. This is of course a serious risk, since attackers can easily obtain legitimate access to such systems.
Examples:
- Alcatel Speedtouch DSL modems vulnerability: http://www.vnunet.fr/securite/piratage/20001106008
- Password cracking attack
Standard cracking programs let attackers guess passwords; so-called weak passwords can be obtained this way in a few seconds.