1.5 TYPES OF ATTACKS

We can classify the types of attacks on computers and network systems into two categories for better understanding: (a) the theoretical concepts behind these attacks, and (b) the practical approaches used by attackers. Let us discuss these one by one.

1.5.1 Theoretical Concepts

As discussed earlier, the principles of security face threats from various attacks. These attacks are generally classified into four categories, as mentioned earlier:

* Interception: discussed in the context of confidentiality, earlier.
* Fabrication: discussed in the context of authentication, earlier.
* Modification: discussed in the context of integrity, earlier.
* Interruption: discussed in the context of availability, earlier.

These attacks are further grouped into two types: passive attacks and active attacks, as shown in Fig. 1.6. Let us discuss these two types now.

1. Passive attacks

Passive attacks are those in which the attacker indulges in eavesdropping on, or monitoring of, data transmission. In other words, the attacker aims to obtain information that is in transit. The term passive indicates that the attacker does not attempt to modify the data. This is also why passive attacks are hard to detect: nothing in the traffic changes, so the legitimate parties see no symptom. Thus, the general approach to dealing with passive attacks is prevention (typically by encrypting what is sent), rather than detection or corrective action.

Fig. 1.6 Types of attacks

Note: Passive attacks do not involve any modification to the contents of the original message.

Figure 1.7 shows a further classification of passive attacks into two sub-categories: release of message contents and traffic analysis.

Fig. 1.7 Passive attacks (interception)

Release of message contents is quite simple to understand. When we send a confidential email message to a friend, we want only her to be able to read it.
Otherwise, the contents of the message are released, against our wishes, to someone else. Using certain security mechanisms, we can prevent release of message contents. For example, we can encode messages using a code language, so that only the intended parties understand the contents, because only they know the code. However, if many such messages pass through, a passive attacker could look for similarities between them (who is talking to whom, how often, how much, and when) to come up with a pattern that gives her clues about the communication taking place, even without being able to read a single message. Such analysis of (encoded) messages for likely patterns is the work of the traffic analysis attack.

2. Active attacks

Unlike passive attacks, active attacks are based on modification of the original message in some manner, or on creation of a false message. These attacks cannot be prevented easily. However, they can be detected with some effort, and attempts can be made to recover from them. These attacks take the form of interruption, modification and fabrication.

Note: In active attacks, the contents of the original message are modified in some way, or a message is created that never existed.

* Fabrication attacks are called masquerade attacks.
* Modification attacks can be classified further into replay attacks and alteration of messages.
* Interruption attacks cause Denial of Service (DoS).

(This mapping follows the definitions given earlier: fabrication is an attack on authentication, which is exactly what a masquerade violates, and interruption is an attack on availability, which is what a DoS attack violates.)

This classification is shown in Fig. 1.8.

Fig. 1.8 Active attacks

A masquerade occurs when an unauthorized entity pretends to be another entity. As we have seen, user C might pose as user A and send a message to user B. User B might be led to believe that the message indeed came from user A.

In a replay attack, a user captures a sequence of events, or some data units, and resends them. For instance, suppose user A wants to transfer some amount to user C's bank account. Both users A and C have accounts with bank B. User A sends an electronic message to bank B, requesting the funds transfer.
User C could capture this message and send a second copy of it to bank B. Bank B would have no way of telling that this is an unauthorized message, and would treat it as a second, different funds transfer request from user A. Therefore, user C would get the benefit of the transfer twice: once authorized, once through the replay. Note that C never needed to read or forge anything; a captured message that was valid once is valid again, unless the bank keeps track of what it has already processed (a sequence number, nonce or timestamp in every message).

Alteration of messages involves some change to the original message. For instance, suppose user A sends an electronic message "Transfer $1000 to D's account" to bank B. User C might capture this, and change it to "Transfer $10000 to C's account". Note that both the beneficiary and the amount have been changed; changing only one of these would also count as alteration.

Denial of Service (DoS) attacks attempt to prevent legitimate users from accessing services they are entitled to. For instance, an unauthorized user might send a very large number of login requests to a server, using random user ids one after the other in quick succession, so as to flood the server or the network and deny legitimate users access.

1.5.2 The Practical Side of Attacks

The attacks discussed earlier can come in a number of forms in real life. They can be classified into two broad categories: application-level attacks and network-level attacks, as shown in Fig. 1.9.

Fig. 1.9 Practical side of attacks

Let us discuss these now.

* Application-level attacks: These attacks happen at the application level, in the sense that the attacker attempts to access, modify or prevent access to the information of a particular application, or to the application itself. Examples are trying to obtain someone's credit card information on the Internet, or changing the contents of a message to alter the amount in a transaction.
* Network-level attacks: These attacks generally aim at reducing the capabilities of a network by a number of possible means.
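The three active attacks of Section 1.5.1 (masquerade, replay and alteration) can be played out in code on the funds-transfer scenario, together with the two checks bank B needs to detect them: an authentication tag over the message, and a record of which messages it has already processed. This is an added example, not code from the original text. It assumes that every account holder shares a secret key with bank B, that requests are encoded as canonical JSON, and that each request carries a fresh nonce; those details, and the bank's ledger, are assumptions made for the illustration.

```python
"""Masquerade, replay and alteration against bank B, and how B detects them.

Added example, not from the original text. Assumptions: each account holder
shares a secret key with bank B, requests are canonical JSON, and every
request carries a fresh random nonce. The tag is an HMAC-SHA256 over the
canonical bytes.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so sender and bank authenticate identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_request(key: bytes, sender: str, amount: int, beneficiary: str,
                 nonce: Optional[str] = None) -> dict:
    """What user A's client sends: the fields plus an HMAC tag over them."""
    fields = {
        "from": sender,
        "to": beneficiary,
        "amount": amount,
        "nonce": nonce or secrets.token_hex(8),  # fresh per message
    }
    tag = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "tag": tag}


class Bank:
    """Bank B: verifies the tag, then refuses any nonce it has seen before."""

    def __init__(self, keys: dict):
        self.keys = keys          # account -> shared key (assumed pre-shared)
        self.seen_nonces = set()  # real systems bound this with a time window
        self.ledger = []          # (from, to, amount) of accepted transfers

    def process(self, request: dict) -> str:
        fields, tag = request["fields"], request["tag"]
        key = self.keys.get(fields["from"])
        if key is None:
            return "rejected: unknown sender"
        expected = hmac.new(key, canonical(fields), hashlib.sha256).hexdigest()
        # Constant-time comparison. A wrong tag means the bytes were altered,
        # or were never produced by the claimed sender (masquerade).
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag (altered or forged)"
        # A valid tag on a nonce seen before is a replay of a genuine message.
        if fields["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(fields["nonce"])
        self.ledger.append((fields["from"], fields["to"], fields["amount"]))
        return "accepted"


def run_scenarios() -> dict:
    """Plays the situations from the text against bank B and returns the outcomes."""
    key_a, key_c = secrets.token_bytes(32), secrets.token_bytes(32)
    bank = Bank({"A": key_a, "C": key_c})
    results = {}

    # 1. Genuine request from A: accepted once.
    genuine = make_request(key_a, "A", 1000, "D")
    results["genuine"] = bank.process(genuine)

    # 2. Replay: C captured the genuine message and sends an exact copy.
    results["replay"] = bank.process(genuine)

    # 3. Alteration: C changes beneficiary and amount but cannot recompute
    #    the tag without A's key, so the old tag no longer matches the bytes.
    altered = {"fields": dict(genuine["fields"], to="C", amount=10000),
               "tag": genuine["tag"]}
    results["alteration"] = bank.process(altered)

    # 4. Masquerade: C builds a brand-new message claiming to be A, but can
    #    only tag it with C's own key.
    forged = make_request(key_c, "A", 5000, "C")
    results["masquerade"] = bank.process(forged)

    results["ledger"] = list(bank.ledger)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:>11}: {outcome}")
```

The order of the two checks matters: the tag is verified first, so an attacker cannot use the replay check to probe which nonces the bank has seen by sending unauthenticated guesses. A DoS attack (the fourth active attack) is not addressed by either check; both only help the bank decide what to accept, not how much traffic it can absorb.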
These network-level attacks generally attempt either to slow down a computer network or to bring it to a complete halt. Note that this can lead to application-level attacks as well, because once someone is able to gain access to a network, usually she is able to access or modify at least some sensitive information, causing havoc.

These two types of attacks can be attempted using various mechanisms, as discussed next. We will not classify these mechanisms into the above two categories, since they can span application as well as network levels.

1. Virus

One can launch an application-level attack or a network-level attack using a virus.

Note: A virus is a piece of program code that attaches itself to legitimate program code, and runs when the legitimate program runs. It can then infect other programs on that computer, or programs on other computers on the same network.

This is shown in Fig. 1.10. In this example, after deleting all the files on the current user's computer, the virus self-propagates by sending its code to all users whose email addresses are stored in the current user's address book.

Fig. 1.10 Virus (infected code: delete all files, mail itself to every address in the user's address book, then return control to the host program)

Viruses can also be triggered by specific events (e.g. a virus could automatically execute at 12 PM every day). Usually viruses cause damage to computer and network systems to an extent that can be repaired, assuming that the organization deploys good backup and recovery procedures.

Note: Damage caused by a virus can usually be repaired, and contained, by using good backup procedures.

2. Worm

Similar in concept to a virus, a worm is different in implementation. A virus modifies a program (i.e. it attaches itself to the program under attack). A worm, however, does not modify a program. Instead, it replicates itself again and again, spreading from machine to machine over the network on its own. This is shown in Fig. 1.11.
The replication grows so much that ultimately the computer or the network on which the worm resides becomes very slow, finally coming to a halt. Thus, the basic purpose of a worm attack is different from that of a virus. A worm attack attempts to make the computer or the network under attack unusable by eating up all its resources.

Fig. 1.11 Worm (replicate itself; perform resource-eating tasks, but no destructive ones)

Note: In this textbook model, a worm performs no destructive actions on files, and instead only consumes system resources to bring the system down. In practice the real distinction is propagation (a worm spreads on its own, a virus needs a host program to carry it), and real worms often carry a destructive payload as well.

3. Trojan horse

A Trojan horse is a hidden piece of code, like a virus. However, the purpose of a Trojan horse is different. The main purpose of a virus is to make some sort of modification to the target computer or network, whereas a Trojan horse attempts to reveal confidential information to an attacker. The name comes from the Greek soldiers who hid inside a large hollow horse, which the citizens of Troy pulled into their city, unaware of its contents. Once inside the city, the Greek soldiers opened the gates for the rest of the Greek army.

In a similar fashion, a Trojan horse could silently sit in the code for a login screen by attaching itself to it. When the user enters the user id and password, the Trojan horse captures these details and sends them to the attacker without the knowledge of the user who entered them. The attacker can then use the user id and password to gain access to the system. This is shown in Fig. 1.12.

Note: A Trojan horse allows an attacker to obtain confidential information about a computer or a network.

4. Applets and ActiveX controls

Applets and ActiveX controls were born out of the technological development of the World Wide Web (WWW) application (usually referred to simply as the Web) of the Internet.
In its simplest form, the Web consists of communication between client and server computers using a communications protocol called Hyper Text Transfer Protocol (HTTP). The client uses software called a Web browser. The server runs a program called a Web server. In its simplest form, a browser sends an HTTP request for a Web page to a Web server. The Web server locates this Web page (actually a computer file) and sends it back to the Web browser, again using HTTP. The Web browser interprets the contents of that file, and shows the results on the screen to the user. This is shown in Fig. 1.13. Here, the client requests a Web page called www.yahoo.com/info, which the server sends back to the client.

Fig. 1.12 Trojan horse

Fig. 1.13 Example of HTTP interaction between client and server (client: "Please send me the Web page www.yahoo.com/info"; server returns the page)

Many Web pages contain small programs that get downloaded to the client along with the Web page itself. These programs then execute inside the browser. Sun Microsystems provided Java applets for this purpose, and Microsoft's technology makes use of ActiveX controls for the same purpose. Both are essentially small programs that get downloaded along with a Web page and then execute on the client. This is shown in Fig. 1.14. Here, the server sends an applet along with the Web page to the client.

Fig. 1.14 Applet sent back along with a Web page (HTTP request for www.yahoo.com/info; the HTTP response carries the page and the applet)

Usually, these programs (applets or ActiveX controls) are used either to perform some processing on the client side, or to automatically and periodically request information from the Web server using a technique called client pull.
For instance, a program can be downloaded to the client along with the Web page showing the latest stock prices on a stock exchange, and then periodically issue HTTP requests to the Web server to pull the updated prices. After obtaining this information, the program displays it on the user's screen.

These apparently innocuous programs can sometimes cause havoc. What if such a program performs virus-like activity by deleting files on the user's hard disk, stealing personal information, or sending junk email to all the users whose addresses are in the user's address book?

To prevent these attacks, Java applets run under strong security checks (the sandbox) on what they can and cannot do. ActiveX controls have no such restrictions: an ActiveX control is native code that runs with the full privileges of the user, so the only protection is deciding whether to trust its publisher before running it. Moreover, a later form of applets called signed applets allows access similar to ActiveX once the user accepts the signer. Of course, a number of checks are in place to ensure that neither applets nor ActiveX controls can do a lot of damage, and even if they somehow manage to, it can be detected. However, at least in theory, they pose some security risk. (Both technologies are now obsolete: current browsers no longer run Java applets or ActiveX controls. The underlying trust question applies unchanged to any code a page downloads and executes on the client.)

Note: Java applets (from Sun Microsystems) and ActiveX controls (from Microsoft Corporation) are small client-side programs that might cause security problems if used by attackers with malicious intent.

5. Cookies

Cookies were born as a result of a specific characteristic of the Web. The Web uses the HTTP protocol, which is stateless. Let us understand what this means, and what its implications are.

Suppose that the client sends an HTTP request for a Web page to the server. The Web server locates that page on its disk, sends it back to the client, and completely forgets about this interaction! If the client wants to continue this interaction, it must identify itself to the server in the next HTTP request. Otherwise, the server would not know that this same client had sent an HTTP request earlier.
Since a typical application is likely to involve a number of interactions between the client and the server, there must be some mechanism for the client to identify itself to the server each time it sends an HTTP request. For this, cookies are used. Cookies are perhaps the most popular mechanism for maintaining state information (i.e. identifying a client to a server).

Note: A cookie is just one or more pieces of information stored as text strings in a text file on the disk of the client computer (i.e. by the Web browser).

Actually, a Web server sends the Web browser a cookie, and the browser stores it on the hard disk of the client computer. The browser then sends a copy of the cookie back to the server with the next HTTP request. This is used for identification purposes, as shown in Figs. 1.15(a) and 1.15(b).

Fig. 1.15(a) Creation of cookies (Step 1: when you visit an online shopping site for the first time and fill in a form, the server creates a unique id for you; this id is stored as a cookie on your computer as well as in the database on the server)

Fig. 1.15(b) Usage of cookies (Step 2: when you visit the same Website again, the Web browser sends the cookie back to the Web server; the Web server uses the cookie to retrieve your information from the database and uses it; a very simple case could be just greeting you with a welcome message)

(a) When you interact with a Website for the first time, the site might want you to register yourself. Usually, this means that the Web server sends you a page with a form to enter your name, address and other details such as date of birth, interests, etc.

(b) When you complete this form and send it to the server with the help of your browser, the server stores this information in its database. Additionally, it also creates a unique id for you. It stores this id along with your information in the database (as shown in Fig. 1.15) and also sends the id back to you in the form of a cookie.
(c) The next time you interact with the server, you do not have to enter any information such as your name and address. Your browser automatically sends your id (i.e. the cookie) along with the HTTP request for a particular page to the server (as shown in Fig. 1.15).

(d) The server now takes this id, tries to find a match in its database, and having found it, knows that you are a registered user. Accordingly, it sends you the next page. As illustrated in Fig. 1.15, this could be a simple welcome message. In practical situations, this could be used for many other purposes.

People perceive that cookies are dangerous. As programs, they are not: a cookie is data, not code, and cannot by itself do anything to your computer. Firstly, a cookie is sent back only to the site (domain and path) that set it, so one Website cannot read another Website's cookies. Secondly, cookies can contain only text-based information. Thirdly, the user can refuse to accept cookies. The real risk lies in what the cookie stands for: if the id in it is all the server uses to recognize you, then anyone who obtains that id (for instance by sniffing it off an unencrypted connection, as discussed next) can present it and be treated as you.

6. Specific Attacks

On the Internet, computers exchange messages with each other in the form of small groups of data, called packets. A packet, like a postal envelope, contains the actual data to be sent and the addressing information. Attackers target these packets as they travel from the source computer to the destination computer over the Internet. These attacks take two main forms: (a) packet sniffing (also called snooping) and (b) packet spoofing. Since the protocol used in this communication is the Internet Protocol (IP), other names for these two attacks are (a) IP sniffing and (b) IP spoofing. The meaning remains the same. Let us discuss these two attacks.

(a) Packet sniffing: Packet sniffing is a passive attack on an ongoing conversation. An attacker need not hijack a conversation, but can simply observe (i.e. sniff) packets as they pass by. Clearly, to prevent an attacker from learning anything from sniffed packets, the information that is passing needs to be protected in some way.
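What a sniffer actually gets to read, and why the cookie id of Fig. 1.15 is worth protecting, can be shown by parsing a captured request the way a sniffer would. This is an added example, not code from the original text. The captured bytes are constructed for the illustration (a made-up host name, path and id value, as they would appear in the TCP payload of a sniffed packet), and the "encrypted" capture is a constant standing in for ciphertext; the `Secure` and `HttpOnly` cookie attributes used at the end are real HTTP cookie attributes, not something the text introduces.

```python
"""A sniffer's view of a cookie on an unencrypted link, and the server-side
attribute that keeps the cookie off such links.

Added example, not from the original text. CAPTURED_PLAINTEXT and
CAPTURED_ENCRYPTED are constructed samples; host, path and id are made up.
"""
from http.cookies import SimpleCookie

# Constructed: a browser's request to the shopping site as seen on the wire.
# No encryption, so the sniffer reads exactly what the server will read.
CAPTURED_PLAINTEXT = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: userid=7d2f9a3c41; theme=dark\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\n"
    b"\r\n"
)

# Constructed: the same request over an encrypted link. The sniffer gets only
# ciphertext; these fixed random-looking bytes stand in for it.
CAPTURED_ENCRYPTED = bytes.fromhex(
    "17030300aa4f9c3b2d7a1e8c5f0b6d4e2a9c7b1f3e5d8a0c6b4f2e1d9a7c3b5f"
)


def sniff_cookies(payload: bytes) -> dict:
    """Parse an HTTP request as a sniffer would and return its cookies.

    Returns an empty dict when the payload does not parse as HTTP, which is
    what the sniffer is left with on an encrypted link.
    """
    try:
        head, _, _ = payload.partition(b"\r\n\r\n")
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return {}
    if not lines or not lines[0].startswith(("GET ", "POST ")):
        return {}
    jar = SimpleCookie()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            jar.load(value.strip())
    return {key: morsel.value for key, morsel in jar.items()}


def hijacked_request(cookies: dict, path: str = "/account") -> bytes:
    """The attacker's own request, presenting the stolen id as if she were
    the registered user. The server has no way to tell the two apart."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: shop.example\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


def set_cookie_header(user_id: str) -> str:
    """How the server should issue the id in Fig. 1.15(a): Secure, so the
    browser sends it only over an encrypted link, and HttpOnly, so scripts
    in the page cannot read it."""
    jar = SimpleCookie()
    jar["userid"] = user_id
    jar["userid"]["secure"] = True
    jar["userid"]["httponly"] = True
    jar["userid"]["path"] = "/"
    return jar["userid"].OutputString()


if __name__ == "__main__":
    stolen = sniff_cookies(CAPTURED_PLAINTEXT)
    print("sniffed from plaintext link:", stolen)
    print("sniffed from encrypted link:", sniff_cookies(CAPTURED_ENCRYPTED))
    print(hijacked_request(stolen).decode())
    print("Set-Cookie:", set_cookie_header("7d2f9a3c41"))
```

The sniffer never needed to break anything: the id travels in clear text and is accepted by the server on its own. Marking the cookie `Secure` does not make the id secret; it only stops the browser from ever sending it over a link a sniffer can read, which is the "encode the transmission link" option discussed next.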
Protection can be applied at two levels: (i) the data that is travelling can be encoded (encrypted) in some way, or (ii) the transmission link itself can be encoded, so that everything on it is protected regardless of the application. To read a packet, the attacker must somehow get access to it in the first place. The simplest way to do this is to control a computer through which the traffic passes. Usually, this is a router. However, routers are highly protected resources. Therefore, an attacker might not be able to attack a router, and would instead attack a less-protected computer on the same path.

(b) Packet spoofing: In this technique, an attacker sends packets with an incorrect source address. When this happens, the receiver (i.e. the party who receives these packets containing a false source address) would inadvertently send replies back to this forged address (called the spoofed address), and not to the attacker. This can lead to three possible cases:

(i) The attacker can intercept the reply. If the attacker is between the destination and the forged source, the attacker can see the reply and use that information for hijacking attacks.

(ii) The attacker need not see the reply. If the attacker's intention was a Denial of Service (DoS) attack, the attacker need not bother about the reply.

(iii) The attacker does not want the reply. The attacker could simply be angry with some host, so she puts that host's address as the forged source address and sends the packet to the destination. The attacker does not want a reply from the destination; she wants the host with the forged address to receive it and get confused.

Nothing in IP itself verifies the source address; the field is filled in by whoever builds the packet. Only filtering by the networks a packet passes through (dropping packets whose source address could not legitimately have arrived from that direction) limits spoofing.

Another attack similar to these is the DNS spoofing attack. As we know, using the Domain Name System (DNS), people can identify Websites with human-readable names (such as www.yahoo.com), while computers continue to treat them as IP addresses (such as 120.10.81.67). For this, a special server computer called a DNS server maintains the mappings between domain names and the corresponding IP addresses. The DNS server could be located anywhere.
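Packet spoofing as described above is simply a matter of writing a different value into the source field of the IP header. The following added example (not code from the original text) builds an IPv4 header with a forged source address in memory, parses it back the way a receiver would, shows where the reply would be sent, and applies the ingress check that a network edge can use to drop such packets. It uses no raw sockets, so it runs unprivileged and sends nothing; the addresses (documentation ranges) and the payload are constructed for the illustration, and the "BCP 38 style" filter is a simplified version of that practice, not a full implementation.

```python
"""Building an IP packet with a forged source address, and the ingress check
that drops it.

Added example, not from the original text. Constructs IPv4 header bytes in
memory only (no raw sockets); addresses and payload are made up.
"""
import ipaddress
import struct


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the header words (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes,
               proto: int = 17, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header followed by the payload.

    Nothing here stops `src` from being any address at all: the source
    field is just four bytes that the sender writes.
    """
    version_ihl = (4 << 4) | 5
    total_length = 20 + len(payload)
    ident, flags_frag = 0x1234, 0
    fields = struct.pack("!BBHHHBBH4s4s", version_ihl, 0, total_length, ident,
                         flags_frag, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    checksum = ipv4_checksum(fields)
    return fields[:10] + struct.pack("!H", checksum) + fields[12:] + payload


def parse_ipv4(packet: bytes) -> dict:
    """What the receiver (or a router) sees. A good checksum proves only
    that the header was not corrupted in transit, not who sent it."""
    (version_ihl, _, total_length, _, _, ttl, proto, _,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (version_ihl & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl,
        "proto": proto,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_length],
    }


def reply_destination(packet: bytes) -> str:
    """The receiver answers whoever the source field names: the forged
    address, not the attacker (cases (i) to (iii) in the text)."""
    return parse_ipv4(packet)["src"]


def ingress_filter(packet: bytes, customer_prefix: str) -> bool:
    """BCP 38 style check at an edge router: a packet arriving from the
    customer side must carry a source inside the customer's own prefix.
    Returns True if the packet is allowed through."""
    src = ipaddress.IPv4Address(parse_ipv4(packet)["src"])
    return src in ipaddress.IPv4Network(customer_prefix)


# Constructed addresses: the attacker's network is 203.0.113.0/24, the host
# whose address she forges is 198.51.100.7, and the target is 192.0.2.10.
ATTACKER_PREFIX = "203.0.113.0/24"
SPOOFED = build_ipv4("198.51.100.7", "192.0.2.10", b"hello")
HONEST = build_ipv4("203.0.113.5", "192.0.2.10", b"hello")

if __name__ == "__main__":
    info = parse_ipv4(SPOOFED)
    print("receiver sees source", info["src"], "checksum ok:", info["checksum_ok"])
    print("reply would go to", reply_destination(SPOOFED))
    print("edge router passes spoofed packet:", ingress_filter(SPOOFED, ATTACKER_PREFIX))
    print("edge router passes honest packet:", ingress_filter(HONEST, ATTACKER_PREFIX))
```

The filter only works at the edge nearest the attacker, where the router knows which prefix its customer legitimately owns; further into the Internet there is no longer a single "correct" direction for a source address, which is why spoofing is still possible wherever such filtering is not deployed.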
A DNS server is usually run by the Internet Service Provider (ISP) of the user. With this background, the DNS spoofing attack works as follows.

1. Suppose that there is a merchant (Bob), whose site's domain name is www.bob.com, and whose IP address is 100.10.10.20. Therefore, the DNS entry for Bob in all the DNS servers is maintained as follows:

   www.bob.com  100.10.10.20

2. The attacker (say Trudy) manages to hack into the DNS server maintained by the ISP of a user, say Alice, and replace the IP address of Bob with her own (say 100.20.20.20). Therefore, the DNS server maintained by Alice's ISP now has the following entry:

   www.bob.com  100.20.20.20

3. When Alice wants to communicate with Bob's site, her Web browser queries the DNS server maintained by her ISP for Bob's IP address, providing it the domain name (i.e. www.bob.com). Alice gets the replaced (i.e. Trudy's) IP address, which is 100.20.20.20.

4. Now, Alice starts communicating with Trudy, believing that she is communicating with Bob!

Such DNS spoofing attacks are quite common, and cause a lot of havoc. Even worse, the attacker (Trudy) does not have to listen to the conversation on the wire! She simply has to be able to hack the DNS server of the ISP and replace a single IP address with her own.

A protocol called DNSSEC (DNS Security Extensions) is being used to thwart such attacks. With DNSSEC, the owner of a zone signs its records with a private key, so a validating resolver (or Alice's own computer) can detect that the altered record was never signed by bob.com's key, no matter which server it came from. Note that DNSSEC authenticates the answer; it does not hide the query or the answer from a sniffer. Unfortunately, it is still not widely deployed.
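The four steps above, and the difference a validating resolver makes, can be simulated in a few lines. This is an added example, not code from the original text. The "signature" in it is an HMAC computed with a key held by bob.com's zone owner and by Alice's validating resolver; it stands in for the public-key signature that DNSSEC actually uses so that the example runs with the standard library only, and the key, the record format and the resolver's table are assumptions made for the illustration. The addresses are the ones from the text.

```python
"""DNS spoofing against Alice, Bob and Trudy, and record validation.

Added example, not from the original text. The HMAC "signature" is a
stand-in for DNSSEC's public-key signature: the zone key is held by Bob's
zone and by the validator, never by the ISP resolver that Trudy hacks.
"""
import hashlib
import hmac


def sign_record(zone_key: bytes, name: str, ip: str) -> str:
    """Zone owner signs (name, ip). The ISP resolver never holds zone_key."""
    return hmac.new(zone_key, f"{name}|{ip}".encode(), hashlib.sha256).hexdigest()


class IspResolver:
    """The DNS server at Alice's ISP: answers from its table, carrying along
    whatever signature is stored next to the record."""

    def __init__(self):
        self.table = {}  # name -> (ip, signature)

    def learn(self, name: str, ip: str, signature: str) -> None:
        self.table[name] = (ip, signature)

    def lookup(self, name: str):
        return self.table[name]


def plain_stub(resolver: IspResolver, name: str) -> str:
    """Alice's browser as the text describes it: trusts whatever the ISP says."""
    ip, _ = resolver.lookup(name)
    return ip


def validating_stub(resolver: IspResolver, name: str, trust_anchors: dict) -> str:
    """Alice's side with DNSSEC-style validation: recomputes the signature
    with the zone's trusted key and refuses a record that does not verify."""
    ip, signature = resolver.lookup(name)
    zone = name.split(".", 1)[1]  # www.bob.com -> bob.com
    expected = sign_record(trust_anchors[zone], name, ip)
    if not hmac.compare_digest(expected, signature):
        raise ValueError(f"bogus DNS record for {name}: {ip}")
    return ip


def run_attack() -> dict:
    """Plays steps 1 to 4 from the text and returns what Alice resolves."""
    bob_key = b"bob.com zone signing key (assumed for the example)"
    resolver = IspResolver()

    # Step 1: Bob's genuine record, signed by Bob's zone key, held by the ISP.
    resolver.learn("www.bob.com", "100.10.10.20",
                   sign_record(bob_key, "www.bob.com", "100.10.10.20"))
    before = plain_stub(resolver, "www.bob.com")

    # Step 2: Trudy hacks the ISP resolver and swaps in her own address. She
    # can overwrite the table, but has no key to sign the new record as
    # bob.com, so the stored signature no longer matches the record.
    trudy_ip = "100.20.20.20"
    _, old_signature = resolver.table["www.bob.com"]
    resolver.learn("www.bob.com", trudy_ip, old_signature)

    # Steps 3 and 4: Alice resolves www.bob.com. Without validation she is
    # sent to Trudy; with validation the substituted record is rejected.
    after = plain_stub(resolver, "www.bob.com")
    try:
        validated = validating_stub(resolver, "www.bob.com", {"bob.com": bob_key})
    except ValueError as err:
        validated = str(err)

    return {"before": before, "after": after, "validated": validated}


if __name__ == "__main__":
    for step, value in run_attack().items():
        print(f"{step:>9}: {value}")
```

Validation turns the attack from silent misdirection into a visible failure: Alice does not reach Bob, but she also does not reach Trudy. Whether she then falls back to an unvalidated answer is a policy decision in the resolver, and a permissive fallback gives the whole protection away.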