Picture This: A Visual Guide to Disruptive Attacks
An attack on your systems that is intended to be disruptive to legitimate service can take many forms, and the terms used to define such attacks can be confusing on a certification exam. In the real world, you know that your servers are responding to a lot of requests that they should not be getting, and that this is bringing your performance to a crawl. So you start taking action to put a stop to it right away.
In the exam world, you have to approach it somewhat differently: you need to pick up on a few clues here and there and be able to determine whether it is a spoofing attack or a smurfing attack, and then pick the right multiple-choice answer.
This guide looks at some of the more common disruptive attack types and consists of a subset of those you need to know to earn CompTIA’s Security+ designation (both on the current SY0-301 exam and the next version of the test that is currently slated for release in the second quarter of 2014).
To illustrate the differences between them, the analogy used throughout is that of a student just trying to make it through class and participate the same as all other students. The attacks that are occurring, exaggerated a bit for emphasis, disrupt our hypothetical student’s ability to continue to concentrate and participate as he normally would.
Spoofing, quite simply, can be described as faking. The person doing the spoofing is trying to make it look as if it is another party taking the action. Always think of spoofing as fooling. Attackers are trying to fool the user, fool the system, and/or fool the host into believing they’re something they aren’t. Because the word spoof can describe any false information at any level, spoofing can occur at any level of a network.
Figure One: With spoofing, the attacker attempts to make it look as if it is another who is interacting with you. In this case, the hands do not belong to the person it is thought they are associated with. Note that others may be able to see what is transpiring, but that does not protect you.
Some of the most common spoofing attacks use e-mail source addresses, packet source addresses, and system MAC addresses to make it look as if another party is involved. Network traffic filters and e-mail filters should be configured to check for source spoofing in network packets and emails.
It should make sense that a packet leaving your LAN cannot legitimately carry a source address from the Internet, and that a packet entering your LAN cannot legitimately carry a source address from the LAN. Filters of this type are called egress (exiting) and ingress (entering) filters, and they should be configured on every border system.
Many have come to rely on a caller ID display to inform them of who is calling and serve as a simple form of authentication. There are several programs available, however, that allow a miscreant to send fake values for both the phone number and the name display to a caller ID box. This is known as caller ID spoofing and, when coupled with other forms of social engineering, can help convince an insider that they are talking to someone trusted when the opposite is true.
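The ingress/egress rule above, written out as a small direction-aware filter. This is an added example, not code from the article; the protected prefix 192.0.2.0/24 and the packet records are constructed for illustration.

```python
import ipaddress

# Assumption: the protected LAN is 192.0.2.0/24 (a documentation prefix, constructed).
LAN = ipaddress.ip_network("192.0.2.0/24")


def is_spoofed(direction, src):
    """Return True when src is impossible for the packet's direction.

    egress  (leaving the LAN): a genuine source must be inside the LAN
    ingress (entering the LAN): a genuine source must be outside the LAN
    """
    inside = ipaddress.ip_address(src) in LAN
    if direction == "egress":
        return not inside
    if direction == "ingress":
        return inside
    raise ValueError(f"unknown direction: {direction!r}")


def filter_packets(packets):
    """Split constructed packet records into (allowed, dropped) lists."""
    allowed, dropped = [], []
    for pkt in packets:
        target = dropped if is_spoofed(pkt["direction"], pkt["src"]) else allowed
        target.append(pkt)
    return allowed, dropped


# Constructed sample traffic seen at the border of 192.0.2.0/24.
SAMPLE = [
    {"direction": "egress", "src": "192.0.2.10", "dst": "198.51.100.5"},  # normal outbound
    {"direction": "egress", "src": "203.0.113.7", "dst": "198.51.100.5"},  # inside host faking an Internet source
    {"direction": "ingress", "src": "203.0.113.7", "dst": "192.0.2.10"},  # normal inbound
    {"direction": "ingress", "src": "192.0.2.99", "dst": "192.0.2.10"},  # outsider faking a LAN source
]

if __name__ == "__main__":
    _, dropped = filter_packets(SAMPLE)
    for p in dropped:
        print(f"DROP {p['direction']:<7} src={p['src']} dst={p['dst']}: source impossible for direction")
```

Real border devices apply the same logic per interface (the widely deployed form is BCP 38 / RFC 2827 filtering); the point here is that the decision needs only the direction and the source address.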
Denial of Service (DoS)
With a denial of service (DoS) attack, you’ve attracted the interest of someone who is now focused on attempting to disrupt your ability to interact normally. If they can keep you busy responding to illegitimate requests, they can prevent you from functioning normally.
Figure Two: A DoS attack tries to tie up all of your attention and prevent you from functioning normally.
By preventing authorized users from having access to your services, attackers can cause you great harm. Most DoS attacks come as either the exploitation of a flaw, or from excess traffic. While you can curtail the exploitation of flaws by keeping patches and updates current (as well as by using firewalls), traffic-based attacks require detection and network traffic filtering.
With the right tools, you can stop the attack from getting in your network, but you also need to stop it from upstream as well or else communication to and from your network will be slowed by the bogus attack traffic and you will be unable to support legitimate communications. Stopping the upstream traffic can mean getting help from your ISP.
Two of the most common types of DoS attacks are the ping of death and the buffer overflow. The ping of death crashes a system by sending Internet Control Message Protocol (ICMP) packets (think echoes) that are larger than the system can handle. Buffer overflow attacks, as the name implies, attempt to put more data (usually long input strings) into the buffer than it can hold.
The best way to think of smurfing is to imagine that the person wanting to conduct a DoS attack against you doesn’t have enough clout to slow you down and so they solicit help doing so from another party — sometimes without that party’s knowledge. The key to identifying a smurf attack is that another party, larger than the initiating party, is employed to harm the target system.
Figure Three: With a smurfing attack, another party that is larger is brought in to help damage your ability to interact normally.
As an example, suppose the attacker uses IP spoofing and broadcasts a ping request to a group of hosts in a network. The ICMP ping request (type 8) would be answered with an ICMP ping reply (type 0) if the targeted system is up (otherwise an unreachable message is returned). If the broadcast were sent to the whole network, all of the hosts could answer the ping, and the result could be an overload of both the network and the target system. In this case, rather than depending on the traffic from just one system to bring the target down, the traffic of the entire network is employed to do the task.
The primary method of eliminating smurf attacks involves prohibiting ICMP traffic through a router. If the router blocks ICMP traffic, smurf attacks from an external attacker aren’t possible.
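From the defender's side, the tell-tale sign described above is a host receiving a burst of echo replies from many different hosts without having sent matching requests. The following detector over ICMP flow records is an added example, not code from the article; the record layout (timestamp, src, dst, icmp_type) and the sample records are constructed.

```python
from collections import defaultdict

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type values from the article


def detect_smurf(records, window=5.0, min_sources=10, ratio=5):
    """Flag hosts that receive many more echo replies, from many distinct hosts,
    than the echo requests they sent in the same time window.

    records: constructed tuples (timestamp_seconds, src, dst, icmp_type).
    Returns {victim: (replies, distinct_reply_sources, requests_sent)}.
    A host flooded with replies it never asked for is the smurf victim whose
    address was forged in the broadcast request.
    """
    replies = defaultdict(int)          # (bucket, host) -> replies received
    reply_sources = defaultdict(set)    # (bucket, host) -> who sent them
    requests = defaultdict(int)         # (bucket, host) -> requests the host sent
    for ts, src, dst, icmp_type in records:
        bucket = int(ts // window)      # judge a burst against requests in the same burst
        if icmp_type == ECHO_REPLY:
            replies[(bucket, dst)] += 1
            reply_sources[(bucket, dst)].add(src)
        elif icmp_type == ECHO_REQUEST:
            requests[(bucket, src)] += 1

    alerts = {}
    for (bucket, host), n_replies in replies.items():
        sent = requests.get((bucket, host), 0)
        n_sources = len(reply_sources[(bucket, host)])
        if n_sources >= min_sources and n_replies > ratio * max(sent, 1):
            worst = alerts.get(host, (0, 0, 0))
            if n_replies > worst[0]:
                alerts[host] = (n_replies, n_sources, sent)
    return alerts


# Constructed records: 40 hosts on 203.0.113.0/24 answer a broadcast ping whose
# source was forged as 192.0.2.10, while 192.0.2.20 does two legitimate pings.
SAMPLE = [(0.1 * i, f"203.0.113.{i}", "192.0.2.10", ECHO_REPLY) for i in range(1, 41)]
SAMPLE += [
    (1.0, "192.0.2.20", "198.51.100.5", ECHO_REQUEST),
    (1.2, "198.51.100.5", "192.0.2.20", ECHO_REPLY),
    (2.0, "192.0.2.20", "198.51.100.5", ECHO_REQUEST),
    (2.2, "198.51.100.5", "192.0.2.20", ECHO_REPLY),
]

if __name__ == "__main__":
    for host, (n, srcs, sent) in detect_smurf(SAMPLE).items():
        print(f"ALERT {host}: {n} echo replies from {srcs} hosts, only {sent} requests sent")
```

On the network that is being used as the amplifier, the matching fix is to stop routers from forwarding directed broadcasts (RFC 2644), so a single spoofed request can no longer reach every host.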
Distributed Denial of Service (DDoS)
A distributed denial-of-service (DDoS) attack is similar to a DoS attack except that more attack points are involved. A DDoS attack amplifies the concepts of a DoS attack by using multiple computer systems (often through botnets) to conduct the attack against a single organization.
Figure Four: With DDoS attacks, numerous entities are brought in to disrupt the normal operations of the target.
An attacker can load an attack program onto dozens or even hundreds of computer systems and have them all pointed at the same target. It is possible for the attack program to lie dormant on these computers until they get an attack signal from a master computer, which then notifies them to launch an attack simultaneously on the target network or system.
The systems taking direction from the master control computer are referred to as zombies or nodes. These systems merely carry out the instruction they’ve been given by the master computer. In the past, DDoS attacks have hit large companies such as Amazon, Microsoft, and AT&T and they are often widely publicized in the media.
Man in the Middle and Replay Attacks
A man in the middle attack is also often referred to as session hijacking, for that is what transpires. An entity for whom the message (data/packet/etc.) is not intended gathers the data for some illicit purpose.
Figure Five: With a man in the middle attack, a third party gathers data about the session that they should not be privy to.
Quite often, the method used in these attacks clandestinely places a piece of software between a server and the user that neither the server administrators nor the user are aware of. The intercepted data can be used as the starting point for a modification attack that the server responds to, thinking it’s communicating with the legitimate client. The attacking software continues sending on information to the server, and so forth.
For exams, know that a man in the middle attack is an active attack. Something is actively intercepting the data and may or may not be altering it. If it’s altering the data, the altered data masquerades as legitimate data traveling between the two hosts. In recent years, the threat of man-in-the-middle attacks on wireless networks has increased. A malicious rogue can be outside the building intercepting packets, altering them, and sending them on.
A common solution to this problem is to enforce a secure wireless authentication protocol such as WPA2. If the intercepted data is sent again, then it qualifies as a replay attack. All that differs between man in the middle and replay attacks is that in the latter the intercepted data is sent again (replayed).
Figure Six: With a replay attack, the same data that was intercepted can be sent to you again by a third party that leads you to believe it is still coming from the first party.
This type of attack can occur with security certificates from systems such as Kerberos: the attacker resubmits the certificate, hoping to be validated by the authentication system and circumvent any time sensitivity. If this attack is successful, the attacker will have all the rights and privileges from the original certificate. This is the primary reason that most certificates contain a unique session identifier and a time stamp. If the certificate has expired, it will be rejected and an entry should be made in a security log to notify system administrators.
Man in the middle and replay attacks can be thwarted by complex packet sequencing rules, time stamps in session packets, periodic mid-session reauthentication, mutual authentication, the use of encrypted communication protocols, and spoof-proof authentication mechanisms.
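The time stamp, unique identifier and security-log entry described in the two paragraphs above, combined in one verifier. This is an added example, not code from the article or from any real authentication system; the shared key, the 30-second freshness window and the JSON message layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import secrets

KEY = b"constructed-shared-secret"  # assumption: secret shared by sender and verifier
MAX_AGE = 30.0                       # seconds a message stays acceptable
seen_nonces = {}                     # nonce -> message time stamp, pruned as messages age out
security_log = []                    # stands in for the security log administrators review


def sign(payload, now, nonce=None):
    """Attach a time stamp, a unique message id and an HMAC over the whole body."""
    body = dict(payload, ts=now, nonce=nonce or secrets.token_hex(16))
    raw = json.dumps(body, sort_keys=True).encode()
    return dict(body, mac=hmac.new(KEY, raw, hashlib.sha256).hexdigest())


def verify(msg, now):
    """Accept a message once, only while it is fresh and untampered.

    Returns True on success; on failure records the reason in security_log."""
    body = {k: v for k, v in msg.items() if k != "mac"}
    raw = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(KEY, raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        security_log.append(("bad_mac", body.get("nonce")))  # altered in transit
        return False
    if abs(now - body["ts"]) > MAX_AGE:
        security_log.append(("expired", body["nonce"]))       # too old to accept
        return False
    # Forget nonces that are now too old to pass the age check anyway.
    for old_nonce, ts in list(seen_nonces.items()):
        if now - ts > MAX_AGE:
            del seen_nonces[old_nonce]
    if body["nonce"] in seen_nonces:
        security_log.append(("replay", body["nonce"]))        # identical message seen before
        return False
    seen_nonces[body["nonce"]] = body["ts"]
    return True


if __name__ == "__main__":
    msg = sign({"action": "transfer", "amount": 5}, now=1000.0)
    print("first delivery :", verify(msg, now=1001.0))   # True
    print("replayed copy  :", verify(msg, now=1002.0))   # False
    print("log:", security_log)
```

The HMAC is what makes the time stamp and nonce meaningful: without it, a man in the middle could simply rewrite both fields on the copy before resending it.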
Summing it up
For certification study, know that all of these attacks are similar and there can be overlap between them. Spoofing is often used in conjunction with other attacks, but merely involves one party pretending to be another. DoS attacks, whether spoofed or not, involve trying to disrupt your services by keeping them so busy responding to non-legitimate requests that they cannot effectively contend with the legitimate requests.
If the attacker brings in another — larger — party to act on their behalf, it is known as smurfing. If the DoS attacker brings in lots of other parties to overwhelm you, then it is known as DDoS. A man in the middle attack intercepts data that was intended only for the sender and receiver. If the man in the middle resends the data — with or without altering it — then it becomes a replay attack.