
Anatomy and Types of Attacks against Computer Networks

Ass. Prof. Ion Tutănescu, Ph.D., Prof. Emil Sofron, Ph.D.
Department of Electronics and Computers, University of Pitești, ROMANIA

Abstract
Computer networks are based on the free circulation of information; they are built to facilitate the users' access and to be very open to information processing. These facts make them vulnerable to intruders' attacks. Once local area networks are connected to the Internet, the number and strength of attacks grow very much. All attacks exploit network security breaches. In this paper we present some of the passive and active attacks against computer networks. We also present the anatomy of an attack, meaning the phases of the attack and the techniques used in order to penetrate a network. Our purpose is to stress the several dangers network administrators face and the necessity of setting a proper network security policy. The problem of attack detection is difficult because detection technology is at its beginning. Many times, when the attack is detected, the hacker remains unknown. After detection, the analyst needs some time to establish the nature of the attack.

1. Introduction
The need for communication among the computers of different institutions, firms and organizations is growing continuously. The number of computer networks grows day by day and they interconnect with each other or with the Internet, resulting in complex wide area networks. More and more important sectors (the energy system, gas distribution, transport, financial institutions, national security institutions and others) are based on the interconnection of computer networks. Once the networks are connected to the Internet or to other external computer networks, the aggression risks grow very much. The evolution of the Internet is, and is estimated to remain, very fast. The Internet exposes the connected computers to attacks and the subsequent losses are rising. Each network has its own risks, but Internet-connected networks are more exposed than networks without exterior access. The ideal solution would be the physical separation of the network from other external networks, but the interconnection needs make this unsuitable. The different compartments need to communicate with each other and there is a real need for information, therefore for being connected to the Internet. For this reason, new protection solutions are sought which assure the security of one's own computer networks while keeping the interconnection with the external networks (Internet). In this paper we approach a part of the aspects of this very complex problem. We refer to the aggressions against computers and computer networks connected to the Internet or to other external computer networks. We call these aggressions attacks. We also present some symptoms of attacked networks and some measures one can take in order to protect the computer networks and the transmitted data.

2. Types of attacks
Computer networks are based on the free circulation of information. They are built to facilitate the users' access and to be very open to information processing. These facts make them vulnerable to intruders' attacks. In the future the networks should remain accessible, too, but within an acceptable range of security assurance. The potential threats to network security are: disasters, hardware faults, human errors and frauds. The first three are accidental threats, while the last is a deliberate one. Computer security studies estimate that 50 % of total costs are caused by frauds and 25 % by human errors. These could be avoided through a better use of security procedures (periodical data backups, disk mirroring, limitation of access rights). Once local area networks are connected to the Internet, the number and strength of attacks grow a lot. The connection to the Internet is a necessity and opens wide windows for information and communication. But the Internet is populated with individuals, groups and even powerful organizations which, for pleasure or with aggressive goals and intentions, exploit the breaches in network security. The persons who deliberately (with the aggressive goals to destroy, mislead, spy, etc.), or wishing to display their skills, transfer private information or steal/destroy computer network data are named hackers. Hackers are in several cases good programmers, who know and exploit the security breaches. A single attempt to get unauthorised access to a computer or to a computer network is named an attack. An incident consists of a group of attacks, which is distinguished from other attacks by the existence of specific aggressors and attacked locations, the techniques used and the synchronisation of the aggressions. There are two main categories of attacks: passive attacks (data interception) and active attacks (data flow interruption, data modification and disinformation), as shown in Fig. 1.

Fig. 1: Passive (c) and active attacks (b, d, e). The figure shows the data flow between Source and Destination in five situations: (a) normal flow, (b) interruption, (c) interception, (d) modification, (e) disinformation.

a. The passive attacks are characterised by the following: they violate the confidentiality rules; they do not generate damage (they do not delete or modify the data); the transmitted data are intercepted by tapping wires, intercepting electromagnetic radiation, etc.

b. The active attacks are more dangerous, because they modify the status of data, computers or communication systems. The main types of active attacks are:
Interruption - uses the replay of a message or of a part of a message in order to produce an unauthorised access. For example, the authentication information of a previously sent ... Interruption often means the denial of service, when a system cannot perform its function because of the attacks (flooding with data packets).
Modification - represents an attack that modifies (through insertion and/or deletion of characters) a part of or all the transmitted data.
Disinformation - represents a type of attack where an unauthorised user pretends to be

an authorised user. For example, a user tries to substitute another user with the intention of getting secret data. Disinformation is accompanied, as a rule, by another active attack such as modification or interruption.

The most frequent attacks from the Internet against networks are:
1) Password attacks. Password attacks are used by hackers against on-line networks. They use programs that automatically test passwords, trying step by step each word of a dictionary, until they find the password in use. For this reason, this attack is named "dictionary-based attack".
2) IP sniffing. The hackers use a packet sniffer which records the Internet data packets. Among these packets are those carrying login messages, e-mail, etc. So the hackers can determine the name of the accessed computer, the user name, the password and the content of e-mail messages.
3) Trusted access attacks. These attacks frequently act in Unix and Windows NT networks, which incorporate trusted access mechanisms. In this way a hacker could obtain extended access over the network if he guesses the name of a trusted system.
4) IP spoofing. Computers that exchange data include in their transmissions the identities of the sending and receiving computers. These attacks act against the packet addresses used by the Internet Protocol for transmission. The method allows the hacker to get access to network computers and services. Nowadays, modern equipment is used to carry out such an attack successfully in less than 30 seconds.
5) Social engineering attacks. This type of attack has become frequent and dangerous. A common example is when a hacker sends e-mail or telephone messages to users announcing that he is the new system administrator and that the user must send him the password. This attack is based on user ignorance and the best remedy is suitable training of the users.
6) Sequence number prediction attacks. Computers that connect for a session send each other initialisation data (handshake). These data include the sequence numbers. By monitoring the initialisation data, a hacker can determine how to access those computers.
7) Session hijacking attacks. Using this technique, the intruder finds an unprotected connection between two computers and (penetrating the unprotected routers) detects the important sequence numbers. In this manner he takes the address of a legitimate user and hijacks the user's session. After the session hijacking, the accessed computer disconnects the legitimate user and the hacker gains access to the user's files. Protection against session hijacking and its detection are very difficult (the intruder accesses the system disguised as the real user). Special network security methods should be used, such as the elimination of unprotected logins and, especially, the use of encryption.
8) Attacks that exploit the weaknesses of technology. Every operating system has its own weak parts. Some of these are true security breaches and could be found by hackers to access the network.
9) Attacks that exploit shared libraries. A shared library is a set of common program functions that is loaded into the server's RAM on the demand of any program. The hacker replaces these programs with new ones which serve his goals (such as granting privileged access). For protection against these attacks, it is necessary to periodically check the integrity of the shared libraries.
10) Flooding of the server (router). The hacker sends an invalid data packet towards the server or router and, through this, generates a permanent transmission of data packets. A specific type of this attack is when the hacker sends data packets with false addresses towards a certain router; since they cannot be forwarded, the router blocks and cannot receive new data packets. Another variant of this attack is the attack with SYN packets, which causes the blocking of the network. There could also be a flooding with ACK packets, which makes the server enter an infinite cycle, blocking it for a time.

The attacks are aimed either at reading the information without authorisation, or at destroying (partially or entirely) the programs and data. The worst case is the infestation, through the network, of a great number of computers. The most important threats are:
Viruses. They are small programs inserted in files, which duplicate themselves into other files. Then, either they fill all the internal memory or hard disk space and block the system, or they become active (after a certain number of duplications) and begin to destroy the data.
"Software bombs". They are procedures or small programs inserted in a file which can be activated by a predefined event. The "bomb" author warns about the bomb and then leaves it to "explode".
"Worms". The effects are similar to those of the bombs. The main difference is that the worm does not stay in a fixed location and/or does not duplicate itself; it moves permanently and it is very difficult to locate.
"Trapdoors". The trapdoors are a special type of access into a system, reserved for remote loading or for some of the software developers. They allow access to the computer avoiding the usual identification procedures.
"Trojan horse". It is a small program that seems to execute a well-known user function, but in reality executes an intruder's function. It does not create copies. For example, a hacker could replace the login program with another one, which seems to execute the same activity, but in reality copies the user name and password into a file.


3. Anatomy of an Attack
In Table 1 we present in a synthetic manner the anatomy of an attack (phases of the attack, targeted objectives and techniques used). Attack techniques are in continuous development and refinement.

Table 1: Anatomy of an Attack

Phase of attack: Footprint
  Objective: Target address range, naming acquisition and information gathering are essential to a "surgical" attack; the key here is not to miss any details.
  Technique: Search engines, WHOIS database, Web interface to WHOIS, DNS zone transfer.

Phase of attack: Scanning
  Objective: Bulk target assessment and identification of listening services, focusing on the most promising avenues of entry.
  Technique: Ping sweep, Port scan.

Phase of attack: Enumeration
  Technique: List user accounts, List file shares, Identify applications.

Phase of attack: Gaining Access
  Objective: Enough data has been gathered at this point to make an informed attempt to access the target.
  Technique: Password eavesdropping, File share brute forcing, Password file grabbing, Buffer overflows.

Phase of attack: Escalating Privilege
  Objective: If only user-level access was gained in the last step, the attacker will now seek to gain complete control of the system.
  Technique: Password cracking, Known exploits.

Phase of attack: Acquisition
  Objective: The information-gathering process begins again to identify mechanisms to gain access to trusted systems.
  Technique: Evaluate trusts, Search for passwords.

Phase of attack: Cover Tracks
  Objective: Once total ownership of the target is secured, hiding this fact from the system administrators becomes paramount.
  Technique: Clearing log files, Hiding tools.

Phase of attack: Back Doors
  Objective: Trapdoors will be laid in various parts of the system to ensure that privileged access is easily regained at the whim of the intruder.
  Technique: Create rogue user accounts, Schedule batch jobs, Infect startup files, Plant remote control services, Install monitoring mechanisms, Replace apps with trojans.

4. Detection of attacks
4.1. Symptoms of network's aggressions

The problem of attack detection is difficult. Detection technology is at its beginning. Many times, when the attack is detected, the hacker remains unknown. After detection, the analyst needs some time to establish the nature of the attack.


Some of the following actions could be considered as symptoms of a network's aggression:
- unexplained poor system performance or system crashes;
- new user accounts or high activity on a previously low-usage account;
- new files (usually with novel or strange file names, such as data.xx or k or .xx);
- accounting discrepancies;
- changes in file lengths or dates (especially the growth of executable files);
- attempts to write to system files;
- data modification or deletion (files start to disappear);
- denial of service and anomalies (frequent unexplained "beeps");
- suspicious probes (numerous unsuccessful login attempts from another node) or suspicious browsing.

4.2. Detection methods

Having mentioned the most frequent attacks against computer networks, we now give some detection methods for some of these attacks:
a) IP sniffing. For detection, identification schemes with one-time passwords or token authentication systems are used, together with the opening of a log file.
b) IP spoofing. For its detection it is necessary to check the network input traffic which passes the router. A system log that records all source and destination addresses is used for this. Messages with internal source and destination addresses must not enter the network. The presence of such messages is a clear indication of IP spoofing.
c) Sequence number prediction attacks. They could be detected through the implementation of audit trails on the server (router or firewall, if the case). Audit trails cause warning messages to be displayed when the hacker tries to find the sequence numbers. Using the operating system event logger, an automated alarm can be raised after a certain number of successive denials of access.
d) Session hijacking attacks. In this case, unusual activity can be noticed (the display of the hacker's keystrokes on the screen, the loss of the connection). The user must report these suspect activities immediately.
e) Attacks that exploit the shared libraries. To detect these attacks it is necessary to periodically check the integrity of the shared libraries.
f) Flooding of the server (router). This type of attack can be detected by counting the ACK/SYN packets and relating them to the total number of data packets. Normally this ratio is 1/3 to 1/2. If the ratio grows very much (during an attack it could reach 300/1), the aggression is detected and protection methods are necessary.

4.3. Digital signatures

A very good solution for detecting attacks is also the use of digital signatures. Digital signatures confirm the user's identity and, moreover, the fact that the files were not altered during transmission. The DSA (Digital Signature Algorithm) for digitally signing a message uses the following global parameters: $p$, a prime number (512 bits); $q$, a prime divisor of $p-1$ (160 bits); $g$, an integer with the property $g = h^{(p-1)/q} \bmod p$, where $h$ is an integer such that $h^{(p-1)/q} \bmod p > 1$; and $H$, a hash function. The user parameters are: $x$, an integer (the secret key), and $y = g^{x} \bmod p$, an integer.
a. To digitally sign a message $M$ with the signature $(r, s)$: an integer $k$, coprime with $q$, is chosen in the range $(0, q)$. Then $r$ and $s$ are calculated:
$r = (g^{k} \bmod p) \bmod q$; $s = (k^{-1}(H(M) + xr)) \bmod q$.
b. To check the digital signature of a message, $w$ is calculated: $w = s^{-1} \bmod q$, where $s$ must be invertible. The digital signature is valid if:
$r = (g^{H(M)\,w} \, y^{rw} \bmod p) \bmod q$.
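The following is an added example (not code from the paper or its authors) that turns three of the detection methods of section 4.2 into working checks over constructed input: b) internal source addresses arriving on the external interface (IP spoofing indicator), c) an automated alarm after a given number of successive denied logins, and f) the ratio of handshake packets to data packets for flooding. The address ranges, the packet and log record formats, the log line syntax and the flood threshold of 10 are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed address ranges of the protected (internal) network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def spoofed_sources(packets):
    """Method b): a packet seen on the Internet-facing interface whose source
    address belongs to the internal network should not exist; report sources."""
    return sorted({p["src"] for p in packets if is_internal(p["src"])})


def handshake_to_data_ratio(packets):
    """Method f): count packets without payload (SYN, SYN-ACK, bare ACK) and
    relate them to the number of packets carrying data."""
    handshake = sum(1 for p in packets if p["payload"] == 0)
    data = sum(1 for p in packets if p["payload"] > 0)
    return handshake / data if data else float("inf")


def flood_suspected(packets, threshold=10.0):
    """The paper gives 1/3 to 1/2 as the normal ratio; 10 is an assumed alarm level."""
    return handshake_to_data_ratio(packets) > threshold


# Assumed log line syntax for the event logger of method c).
LOGIN_RE = re.compile(r"login (FAILED|OK) user=(\S+) from=(\S+)")


def login_failure_alarms(log_lines, max_failures=3):
    """Method c): alarm once when a source node reaches max_failures successive
    denied logins; a successful login from that node resets its counter."""
    streak = defaultdict(int)
    alarms = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m:
            continue
        status, user, src = m.groups()
        if status == "OK":
            streak[src] = 0
            continue
        streak[src] += 1
        if streak[src] == max_failures:
            alarms.append((src, user))
    return alarms


# Constructed packet records as seen on the router's external interface
# (payload = 0 marks a handshake packet, payload > 0 a data packet).
NORMAL_TRAFFIC = (
    [{"src": "203.0.113.5", "dst": "10.0.0.7", "payload": 0}] * 2
    + [{"src": "203.0.113.5", "dst": "10.0.0.7", "payload": 512}] * 4
)
SPOOF_TRAFFIC = NORMAL_TRAFFIC + [
    {"src": "10.0.0.9", "dst": "10.0.0.7", "payload": 0}]   # internal source from outside
SYN_FLOOD = (
    [{"src": "198.51.100.%d" % (i % 200), "dst": "10.0.0.7", "payload": 0}
     for i in range(300)]
    + [{"src": "203.0.113.5", "dst": "10.0.0.7", "payload": 512}]
)

# Constructed authentication log lines.
AUTH_LOG = [
    "2002-05-14T10:01:02 host7 login FAILED user=root from=203.0.113.5",
    "2002-05-14T10:01:05 host7 login FAILED user=root from=203.0.113.5",
    "2002-05-14T10:01:07 host7 login OK user=alice from=10.0.0.12",
    "2002-05-14T10:01:09 host7 login FAILED user=admin from=203.0.113.5",
    "2002-05-14T10:01:15 host7 login FAILED user=root from=203.0.113.5",
    "2002-05-14T10:02:00 host7 login FAILED user=bob from=10.0.0.12",
]

if __name__ == "__main__":
    print("spoofed sources:", spoofed_sources(SPOOF_TRAFFIC))
    print("normal ratio:", handshake_to_data_ratio(NORMAL_TRAFFIC))
    print("flood ratio:", handshake_to_data_ratio(SYN_FLOOD),
          "flood suspected:", flood_suspected(SYN_FLOOD))
    print("login alarms:", login_failure_alarms(AUTH_LOG))
```

On the constructed input the normal traffic gives a ratio of 0.5 (inside the paper's 1/3 to 1/2 band), the flood gives 300.0 (the paper's 300/1), and the login check raises one alarm for 203.0.113.5 at its third successive failure while the internal node, whose counter was reset by a successful login, raises none.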
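Section 2, item 9, and section 4.2, item e), both call for periodically checking the integrity of the shared libraries. The following is an added example (not the paper's code) of how such a check is done in practice: record a baseline of SHA-256 hashes of every file in the library directory, store it, and later compare the current state against it, reporting modified, missing and added files. The directory contents, the file names and the JSON baseline format are constructed for the example.

```python
import hashlib
import json
import os
import tempfile


def sha256_of_file(path):
    """Hash a file in chunks so large libraries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(lib_dir):
    """Map each file (relative path) under lib_dir to its SHA-256 digest."""
    baseline = {}
    for root, _dirs, files in os.walk(lib_dir):
        for name in files:
            path = os.path.join(root, name)
            baseline[os.path.relpath(path, lib_dir)] = sha256_of_file(path)
    return baseline


def save_baseline(baseline, path):
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def check_integrity(lib_dir, baseline):
    """Compare the current state of lib_dir against a trusted baseline."""
    current = build_baseline(lib_dir)
    return {
        "modified": sorted(n for n in baseline
                           if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "added": sorted(n for n in current if n not in baseline),
    }


def demo():
    """Constructed scenario: take a baseline, then replace one library,
    plant a new one and delete one, and run the check."""
    with tempfile.TemporaryDirectory() as lib_dir, \
            tempfile.TemporaryDirectory() as store:
        originals = {                       # constructed stand-ins for libraries
            "libc.so.6": b"\x7fELF libc",
            "libcrypt.so.1": b"\x7fELF crypt",
            "libm.so.6": b"\x7fELF m",
        }
        for name, content in originals.items():
            with open(os.path.join(lib_dir, name), "wb") as f:
                f.write(content)
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(build_baseline(lib_dir), baseline_path)

        # Simulated tampering after the baseline was taken.
        with open(os.path.join(lib_dir, "libcrypt.so.1"), "wb") as f:
            f.write(b"\x7fELF replaced")      # library swapped for a modified one
        with open(os.path.join(lib_dir, "libplanted.so"), "wb") as f:
            f.write(b"\x7fELF planted")       # new, unexpected library
        os.remove(os.path.join(lib_dir, "libm.so.6"))

        return check_integrity(lib_dir, load_baseline(baseline_path))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as its storage: keep it on read-only or off-host media, since an intruder who can replace a library can usually also rewrite a baseline kept next to it (the digital signatures of section 4.3 are one way to protect the stored baseline itself).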
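The DSA description of section 4.3 carried through in working code, as an added example that is not part of the paper: parameter generation ($q$ prime, $q$ dividing $p-1$, $g = h^{(p-1)/q} \bmod p > 1$), key generation, signing with $(r, s)$ and verification with $w = s^{-1} \bmod q$. Sizes of 64-bit $q$ and about 160-bit $p$ are toy values chosen so the example runs in seconds (the paper's 160/512 bits are the real ones), SHA-256 is an assumed choice for $H$, and the Miller-Rabin test, seeds and messages are constructed for the example.

```python
import hashlib
import random


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_parameters(q_bits=64, p_bits=160, seed=7):
    """Global parameters (p, q, g) of the paper at toy sizes."""
    rng = random.Random(seed)
    while True:                                   # q: prime of q_bits
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:                                   # p: prime with q | p-1
        m = rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        p = 2 * m * q + 1                         # even multiple of q keeps p odd
        if is_probable_prime(p, rng):
            break
    h = 2
    while True:                                   # g = h^((p-1)/q) mod p, g > 1
        g = pow(h, (p - 1) // q, p)
        if g > 1:
            return p, q, g
        h += 1


def hash_int(message):
    """H(M): SHA-256 of the message, read as an integer (assumed choice of H)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def generate_keys(params, seed=11):
    """Secret key x in (0, q) and y = g^x mod p."""
    p, q, g = params
    x = random.Random(seed).randrange(1, q)
    return x, pow(g, x, p)


def sign(message, x, params, rng=None):
    """(r, s) as in the paper. k must be fresh and unpredictable for every
    signature: reusing k across two messages reveals x, so a system RNG is used."""
    p, q, g = params
    rng = rng or random.SystemRandom()
    hm = hash_int(message)
    while True:
        k = rng.randrange(1, q)                   # 0 < k < q, coprime with prime q
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (hm + x * r)) % q
        if r != 0 and s != 0:                     # degenerate values: choose another k
            return r, s


def verify(message, signature, y, params):
    """Valid iff r == (g^(H(M) w) * y^(r w) mod p) mod q with w = s^-1 mod q."""
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)                             # s invertible since q is prime
    hm = hash_int(message)
    # Exponents may be reduced mod q because g and y have order q.
    v = (pow(g, (hm * w) % q, p) * pow(y, (r * w) % q, p)) % p % q
    return v == r


def demo():
    params = generate_parameters()
    x, y = generate_keys(params)
    msg = b"transfer 100 EUR to account 42"       # constructed message
    r, s = sign(msg, x, params)
    return {
        "valid": verify(msg, (r, s), y, params),
        "tampered_message": verify(b"transfer 900 EUR to account 42", (r, s), y, params),
        "tampered_signature": verify(msg, (r, (s + 1) % params[1]), y, params),
        "wrong_key": verify(msg, (r, s), generate_keys(params, seed=99)[1], params),
    }


if __name__ == "__main__":
    print(demo())
```

The verification works because $w(H(M) + xr) \equiv k \pmod q$, so $g^{H(M)w} y^{rw} = g^{w(H(M)+xr)} = g^{k} \pmod p$, which reduces to $r$ modulo $q$; any change to the message, the signature or the public key breaks that equality except with negligible probability.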

5. Conclusions
In this paper we referred to hacker attacks against computer networks. Once local area networks are connected to the Internet, the number and strength of attacks grow very much. All attacks exploit network security breaches. For this reason a network security policy is necessary. Network security is very complex, difficult to design and, above all, difficult to assure. It is easier to prove that a network can be penetrated than to prove that it is completely secure. A security system is expensive and introduces unpleasant limitations for the users. The security system does not increase network performance, but the threats are real and the risk is too big without a proper security policy.


