You are on page 1of 9

List of cyber-attack threat trends is presented in the order of sophistication which generally

corresponds to the chronology of computer network used between the 1990s till date.

Internet social engineering attacks

Network sniffers

Packet spoofing

Session-hijacking

Cyber-threats & bullying (not illegal in all jurisdictions)

Automated probes and scans

GUI intrusion tools

Automated widespread attacks

Widespread, distributed denial-of-service attacks

Industrial espionage

Executable code attacks (against browsers)

Analysis of vulnerabilities in compiled software without source code

Widespread attacks on DNS infrastructure

Widespread attacks using NNTP to distribute attack

"Stealth" and other advanced scanning techniques

Windows-based remote access trojans (Back Orifice)

Email propagation of malicious code

Wide-scale trojan distribution

Distributed attack tools

Targeting of specific users

Anti-forensic techniques

Wide-scale use of worms

Sophisticated botnet command and control attacks

Session hijacking
In computer science, session hijacking, sometimes also known as cookie hijacking is the exploitation
of a valid computer sessionsometimes also called a session keyto gain unauthorized access to
information or services in a computer system. In particular, it is used to refer to the theft of a magic
cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as
the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker
using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP
cookie theft).
A popular method is using source-routed IP packets. This allows a hacker at point A on the network to
participate in a conversation between B and C by encouraging the IP packets to pass through its
machine.
If source-routing is turned off, the hacker can use "blind" hijacking, whereby it guesses the responses of
the two machines. Thus, the hacker can send a command, but can never see the response. However, a
common command would be to set a password allowing access from somewhere else on the net.
A hacker can also be "inline" between B and C using a sniffing program to watch the conversation. This is
known as a "man-in-the-middle attack".

History
Session hijacking was not possible with early versions of HTTP.
HTTP protocol versions 0.8 and 0.9 lacked cookies and other features necessary for session hijacking.
Version 0.9beta of Mosaic Netscape, released on October 13, 1994, supported cookies.
Early versions of HTTP 1.0 did have some security weaknesses relating to session hijacking, but they
were difficult to exploit due to the vagaries of most early HTTP 1.0 servers and browsers. As HTTP 1.0
has been designated as a fallback for HTTP 1.1 since the early 2000sand as HTTP 1.0 servers are all
essentially HTTP 1.1 servers the session hijacking problem has evolved into a nearly permanent security
risk.

The introduction of supercookies and other features with the modernized HTTP 1.1 has allowed for the
hijacking problem to become an ongoing security problem. Webserver and browser state machine
standardization has contributed to this ongoing security problem.

Methods
There are four main methods used to perpetrate a session hijack. These are:

Session fixation, where the attacker sets a user's session id to one known to him, for example

by sending the user an email with a link that contains a particular session id. The attacker now only
has to wait until the user logs in.
Session sidejacking, where the attacker uses packet sniffing to read network traffic between two
parties to steal the session cookie. Many web sites use SSL encryption for login pages to prevent
attackers from seeing the password, but do not use encryption for the rest of the site
once authenticated. This allows attackers that can read the network traffic to intercept all the data that
is submitted to the server or web pages viewed by the client. Since this data includes the
session cookie, it allows him to impersonate the victim, even if the password itself is not
compromised.Unsecured Wi-Fi hotspots are particularly vulnerable, as anyone sharing the network
will generally be able to read most of the web traffic between other nodes and the access point.

Alternatively, an attacker with physical access can simply attempt to steal the session key by, for
example, obtaining the file or memory contents of the appropriate part of either the user's computer
or the server.

Cross-site scripting, where the attacker tricks the user's computer into running code which is
treated as trustworthy because it appears to belong to the server, allowing the attacker to obtain a
copy of the cookie or perform other operations.

Prevention
Methods to prevent session hijacking include:

Encryption of the data traffic passed between the parties; in particular the session key, though

ideally all traffic for the entire session by using SSL/TLS. This technique is widely relied-upon by webbased banks and other e-commerce services, because it completely prevents sniffing-style attacks.
However, it could still be possible to perform some other kind of session hijack. In response,
scientists from the Radboud University Nijmegen proposed in 2013 a way to prevent session
hijacking by correlating the application session with the SSL/TLS credentials
Use of a long random number or string as the session key. This reduces the risk that an attacker
could simply guess a valid session key through trial and error or brute force attacks.

Regenerating the session id after a successful login. This prevents session fixation because the
attacker does not know the session id of the user after s/he has logged in.

Some services make secondary checks against the identity of the user. For example, a web
server could check with each request made that the IP address of the user matched the one last used
during that session. This does not prevent attacks by somebody who shares the same IP address,
however, and could be frustrating for users whose IP address is liable to change during a browsing
session.

Alternatively, some services will change the value of the cookie with each and every request. This
dramatically reduces the window in which an attacker can operate and makes it easy to identify
whether an attack has taken place, but can cause other technical problems (for example, two
legitimate, closely timed requests from the same client can lead to a token check error on the server).

Users may also wish to log out of websites whenever they are finished using them. However this
will not protect against attacks such as Firesheep.

Denial-of-service attack
In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to
make a machine or network resource unavailable to its intended users. Although the means to carry out,
motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or
indefinitely interrupt or suspend services of a host connected to the Internet. As clarification, DDoS
(Distributed Denial of Service) attacks are sent by two or more persons, or bots. (See botnet) DoS (Denial
of Service) attacks are sent by one person or system.
Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as
banks, credit card payment gateways, and even root nameservers. This technique has now seen
extensive use in certain games, used by server owners, or disgruntled competitors on games, such as
server owners' popular Minecraft servers. Increasingly, DoS attacks have also been used as a form of
resistance. Richard Stallman has stated that DoS is a form of 'Internet Street Protests. [1] The term is
generally used relating to computer networks, but is not limited to this field; for example, it is also used in
reference to CPU resource management.
One common method of attack involves saturating the target machine with external communications
requests, so much so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered
essentially unavailable. Such attacks usually lead to a server overload. In general terms, DoS attacks are
implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can
no longer provide its intended service or obstructing the communication media between the intended
users and the victim so that they can no longer communicate adequately.
Denial-of-service attacks are considered violations of the Internet Architecture Board's Internet proper use
policy, and also violate the acceptable use policies of virtually all Internet service providers. They also
commonly constitute violations of the laws of individual nations.

.
DDoS Stacheldraht Attack diagram.

Symptoms and manifestations


The United States Computer Emergency Readiness Team (US-CERT) defines symptoms of denial-ofservice attacks to include:

Unusually slow network performance (opening files or accessing web sites)

Unavailability of a particular web site

Inability to access any web site

Dramatic increase in the number of spam emails received(this type of DoS attack is considered
an e-mail bomb)

Disconnection of a wireless or wired internet connection

Long term denial of access to the web or any internet services

Denial-of-service attacks can also lead to problems in the network 'branches' around the actual computer
being attacked. For example, the bandwidth of a router between the Internet and a LANmay be consumed
by an attack, compromising not only the intended computer, but also the entire network or other
computers on the LAN.
If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet connectivity
can be compromised without the attacker's knowledge or intent by incorrectly configured or flimsy network
infrastructure equipment.

Methods of attack
A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users
of a service from using that service. There are two general forms of DoS attacks: those that crash
services and those that flood services.
A DoS attack can be perpetrated in a number of ways. Attacks can fundamentally be classified into five
families:
1. Consumption of computational resources, such as bandwidth, memory, disk space,
or processor time.
2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP sessions.
4. Disruption of physical network components.
5. Obstructing the communication media between the intended users and the victim so that they can
no longer communicate adequately.
A DoS attack may include execution of malware intended to:[citation needed]

Max out the processor's usage, preventing any work from occurring.

Trigger errors in the microcode of the machine.

Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state
or lock-up.

Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. to use up
all available facilities so no real work can be accomplished or it can crash the system itself

Crash the operating system itself.

In most cases DoS attacks involve forging of IP sender addresses (IP address spoofing) so that the
location of the attacking machines cannot easily be identified and to prevent filtering of the packets based
on the source address.

Peer-to-peer attacks
Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks.
The most aggressive of these peer-to-peer-DDoS attacks exploits DC++. Peer-to-peer attacks are
different from regular botnet-based attacks. With peer-to-peer there is no botnet and the attacker does not
have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master,"
instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and
to connect to the victim's website instead. As a result, several thousand computers may aggressively try
to connect to a target website. While a typical web server can handle a few hundred connections per
second before performance begins to degrade, most web servers fail almost instantly under five or six
thousand connections per second. With a moderately large peer-to-peer attack, a site could potentially be
hit with up to 750,000 connections in short order. The targeted web server will be plugged up by the
incoming connections.
While peer-to-peer attacks are easy to identify with signatures, the large number of IP addresses that
need to be blocked (often over 250,000 during the course of a large-scale attack) means that this type of
attack can overwhelm mitigation defenses. Even if a mitigation device can keep blocking IP addresses,
there are other problems to consider. For instance, there is a brief moment where the connection is
opened on the server side before the signature itself comes through. Only once the connection is opened
to the server can the identifying signature be sent and detected, and the connection torn down. Even
tearing down connections takes server resources and can harm the server.
This method of attack can be prevented by specifying in the peer-to-peer protocol which ports are allowed
or not. If port 80 is not allowed, the possibilities for attack on websites can be very limited.

Reflected / Spoofed attack


A distributed reflected denial of service attack (DRDoS) involves sending forged requests of some type to
a very large number of computers that will reply to the requests. Using Internet Protocol address spoofing,

the source address is set to that of the targeted victim, which means all the replies will go to (and flood)
the target.
ICMP Echo Request attacks (Smurf Attack) can be considered one form of reflected attack, as the
flooding host(s) send Echo Requests to the broadcast addresses of mis-configured networks, thereby
enticing hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a
distributed form of this attack.
Many services can be exploited to act as reflectors, some harder to block than others. [16] DNS
amplification attacks involve a new mechanism that increased the amplification effect, using a much
larger list of DNS servers than seen earlier.SNMP and NTP can also be exploited as reflector in an
amplification attack.

Teardrop attacks
A teardrop attack involves sending mangled IP fragments with overlapping, over-sized payloads to the
target machine. This can crash various operating systems because of a bug in their TCP/IPfragmentation
re-assembly code. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions
of Linux prior to versions 2.0.32 and 2.1.63 are vulnerable to this attack.
Around September 2009, a vulnerability in Windows Vista was referred to as a "teardrop attack", but the
attack targeted SMB2 which is a higher layer than the TCP packets that teardrop used.

Peer-to-peer attacks
Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks.
The most aggressive of these peer-to-peer-DDoS attacks exploits DC++. Peer-to-peer attacks are
different from regular botnet-based attacks. With peer-to-peer there is no botnet and the attacker does not
have to communicate with the clients it subverts. Instead, the attacker acts as a "puppet master,"
instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and
to connect to the victim's website instead. As a result, several thousand computers may aggressively try
to connect to a target website. While a typical web server can handle a few hundred connections per
second before performance begins to degrade, most web servers fail almost instantly under five or six
thousand connections per second. With a moderately large peer-to-peer attack, a site could potentially be
hit with up to 750,000 connections in short order. The targeted web server will be plugged up by the
incoming connections.
While peer-to-peer attacks are easy to identify with signatures, the large number of IP addresses that
need to be blocked (often over 250,000 during the course of a large-scale attack) means that this type of
attack can overwhelm mitigation defenses. Even if a mitigation device can keep blocking IP addresses,
there are other problems to consider. For instance, there is a brief moment where the connection is
opened on the server side before the signature itself comes through. Only once the connection is opened
to the server can the identifying signature be sent and detected, and the connection torn down. Even
tearing down connections takes server resources and can harm the server.
This method of attack can be prevented by specifying in the peer-to-peer protocol which ports are allowed
or not. If port 80 is not allowed, the possibilities for attack on websites can be very limited.

WhatsApp sniffer attack


An app named "WhatsApp Sniffer" was made available on Google Play in May 2012, able to display
messages from other WhatsApp users connected to the same network as the app user.WhatsApp uses
an XMPP infrastructure with unencrypted, plain-text communication.