Identifying and Understanding the Classes of Attack
Written by LE Webmaster
Wednesday, 26 January 2005
How serious a particular attack type is depends on two things: how the attack is carried out, and what damage is done to the compromised system. An attacker being able to run code on the user's machine is probably the most serious kind of attack for a home user. For an e-commerce company, a denial of service (DoS) attack or information leakage may be of more immediate concern. Each vulnerability that can lead to compromise can be traced to a particular category, or class, of attack. The properties of each class give you a rough feel for how serious an attack in that class is, as well as how hard it is to defend against. In this chapter, we explain each of the attack classes in detail, including what kinds of damage they can cause the victim, as well as what the attacker can gain by using them.

As we mentioned, attacks can be placed into one of a few categories. Our assertion regarding the severity of attacks deserves a closer look. Attacks can lead to anything from leaving your systems unable to function, to giving a remote attacker complete control of your systems to do whatever he pleases. We discuss the severity of attacks later in this chapter, placing them on a line of severity. Let's first look at the different types of attacks and discuss them. In this section, we examine seven categorized attack types. These seven attack types are the general criteria used to classify security issues:
Denial of service
Information leakage
Regular file access
Misinformation
Special file/database access
Remote arbitrary code execution
Elevation of privileges
Denial of Service

What is a denial of service (DoS) attack? A DoS attack takes place when availability of a resource is intentionally blocked or degraded by an attacker. In other words, the attack impedes the availability of the resource to its regular authorized users. These types of attacks can occur through one of two vectors: either on the local system, or remotely from across a network. The attack may concentrate on degrading processes, degrading storage capability, destroying files to render the resource unusable, or shutting down parts of the system or processes. Let's take a closer look at each of these items.

Local Vector Denial of Service

Local denial of service attacks are common, and in many cases, preventable. Although any type of denial of service can be frustrating and costly, local denial of service attacks are typically the most preferable to encounter. Given the right security infrastructure, these types of attacks are easily traced, and the attacker is easily identified. Three common types of local denial of service attacks are process degradation, disk space exhaustion, and index node (inode) exhaustion.

Process Degradation

One local denial of service is the degrading of processes. This occurs when the attacker reduces performance by overloading the target system: by spawning multiple processes to eat up all available resources of the host system, by spawning enough processes to fill the system process table to capacity, or by spawning enough processes to overload the central processing unit (CPU). An example of this type of attack is exhibited through a recent vulnerability discovered in the Linux kernel. By creating a system of deep symbolic links, a user can prevent the scheduling of other processes when an attempt to dereference the symbolic link is made.
Upon creating the symbolic links and then attempting to perform a head or cat of one of the deeply linked files, the process scheduler is blocked, preventing any other processes on the system from receiving CPU time. The following is the source code of mklink.sh; this shell script creates the necessary links on an affected system (this problem was not fully fixed until Linux kernel version 2.4.12):
#!/bin/sh
# by Nergal
mklink()
{
    IND=$1
    NXT=$(($IND+1))
    EL=l$NXT/../
    P=""
    I=0
    while [ $I -lt $ELNUM ] ; do
        P=$P"$EL"
        I=$(($I+1))
    done
    ln -s "$P"l$2 l$IND
}
#main program
if [ $# != 1 ] ; then
    echo A numerical argument is required.
    exit 0
fi
ELNUM=$1
mklink 4
mklink 3
mklink 2
mklink 1
mklink 0 /../../../../../../../etc/services
mkdir l5
mkdir l
Disk Space Exhaustion

Another type of local attack is one that fills disk space to capacity. Disk space is a finite resource. Previously, disk space was an extremely expensive resource, although the current industry has brought the price of disk storage down significantly. Though you can solve many of the storage complications with solutions such as disk arrays and software that monitors storage abuse, disk space will continue to be a bottleneck to all systems. Software-based solutions such as per-user storage quotas are designed to alleviate this problem.

This type of attack prevents the creation of new files and the growth of existing files. An added problem is that some UNIX systems will crash when the root partition reaches storage capacity. Although this isn't a design flaw on the part of UNIX itself, a properly administered system should include a separate partition for the log facilities, such as /var, and a separate partition for users, such as the /home directory on Linux systems, or /export/home on Sun systems. Attackers can use this type of denial of service to crash systems, such as when a disk layout hasn't been designed with user and log partitions on a separate slice. They can also use it to obscure the activities of a user by generating a large number of events that are logged via syslog, filling the partition on which logs are stored and making it impossible for syslog to log any further activity. Such an attack is trivial to launch. A local user can simply perform the following command:

cat /dev/zero > ~/maliciousfile

This command will concatenate data from the /dev/zero device file (which simply generates zeros) into maliciousfile, continuing until either the user stops the process, or the capacity of the partition is filled. A disk space exhaustion attack could also be leveraged through such attacks as mail bombing.
Although this is an old concept, it is not commonly seen. The reasons are perhaps that mail is easily traced via SMTP headers, and although open relays can be used, finding the purveyor of a mail bomb is not rocket science. For this reason, most mail bombers find themselves either without Internet access, jailed, or both.
Inode Exhaustion

The last type of local denial of service attack we discuss is inode exhaustion, which is similar to the disk capacity attack. Inode exhaustion attacks are focused specifically on the design of the file system. The term inode is an acronym for the words index node. Index nodes are an essential part of the UNIX file system. An inode contains information essential to the management of the file system. This information includes, at a minimum, the owner of a file, the group membership of a file, the type of file, the permissions, size, and the block addresses containing the data of the file. When a file system is formatted, a finite number of inodes are created to handle the indexing of files within that slice. An inode exhaustion attack focuses on using up all the available inodes for the partition. Exhaustion of these resources creates a situation similar to that of the disk space attack, leaving the system unable to create new files. This type of attack is usually leveraged to cripple a system and prevent the logging of system events, especially those activities of the attacker.
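As an added example (not from the original chapter), the following Python script measures how close a partition is to block exhaustion or inode exhaustion, the two local conditions just described, and reports them separately because a partition can run out of inodes while most of its space is still free. The three partitions and their statvfs-style counts are constructed for illustration; usage_for_path shows how the same check is run against a real mount point.

```python
import os
from collections import namedtuple

# Usage summary for one mounted file system (percentages of capacity).
FsUsage = namedtuple("FsUsage", "mount blocks_used_pct inodes_used_pct")


def usage_from_counts(mount, f_blocks, f_bfree, f_files, f_ffree):
    """Turn statvfs-style counts into block and inode usage percentages.

    Some file systems report f_files == 0 (no fixed inode table); treat that
    as 'inode exhaustion not applicable' instead of dividing by zero.
    """
    blocks_pct = 100.0 * (f_blocks - f_bfree) / f_blocks if f_blocks else 0.0
    inodes_pct = 100.0 * (f_files - f_ffree) / f_files if f_files else 0.0
    return FsUsage(mount, blocks_pct, inodes_pct)


def usage_for_path(path):
    """Measure a real mount point on the local system."""
    st = os.statvfs(path)
    return usage_from_counts(path, st.f_blocks, st.f_bfree, st.f_files, st.f_ffree)


def exhaustion_alerts(usages, threshold=90.0):
    """Return one alert string per file system at or above the threshold.

    Inode exhaustion is checked first: once the inode table is full, syslog
    and everything else fail to create new files no matter how many free
    blocks the partition still has.
    """
    alerts = []
    for u in usages:
        if u.inodes_used_pct >= threshold:
            alerts.append("%s: %.0f%% of inodes used, %.0f%% of blocks free; "
                          "new files will fail regardless of free space"
                          % (u.mount, u.inodes_used_pct, 100.0 - u.blocks_used_pct))
        elif u.blocks_used_pct >= threshold:
            alerts.append("%s: %.0f%% of blocks used" % (u.mount, u.blocks_used_pct))
    return alerts


# Constructed sample counts (not from a real host): /var has been filled with
# thousands of tiny files (inodes gone, space left), /home is simply full, and
# / is healthy because logs and users live on their own partitions.
SAMPLE = [
    usage_from_counts("/var", f_blocks=1_000_000, f_bfree=600_000, f_files=65_536, f_ffree=0),
    usage_from_counts("/home", f_blocks=4_000_000, f_bfree=40_000, f_files=500_000, f_ffree=300_000),
    usage_from_counts("/", f_blocks=2_000_000, f_bfree=1_500_000, f_files=250_000, f_ffree=200_000),
]

if __name__ == "__main__":
    for line in exhaustion_alerts(SAMPLE):
        print(line)
```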
Network Vector Denial of Service

Denial of service attacks launched via a network vector can essentially be broken down into one of two categories: an attack that affects a specific service, or an attack that targets an entire system. The severity and danger of these attacks vary significantly. These types of attacks are designed to produce inconvenience, and are often launched as a retaliatory attack.

To speak briefly about the psychology behind these attacks, network vector denial of service attacks are, by and large, the choice method of cowards. The reasons, ranging from digital vigilantism to Internet Relay Chat (IRC) turf wars, matter not. Freely and readily available tools make a subculture (and I'll borrow the term coined by Jose Oquendo, also known as sil of antioffline.com fame) called script kiddiots possible. The term script kiddiot, broken down into base form, would define script as a prewritten program to be run by a user, and kiddiot as a combination of the words kid and idiot. Fitting. The availability of these tools gives these individuals the power of anonymity and the ability to cause a nuisance, while requiring little or no technical knowledge. The only group with more responsibility for these attacks than the script kiddiots is the group of professionals who continue to make them possible through such things as lack of egress filtering.

Network vector attacks, as mentioned, can affect specific services or an entire system; depending on who is targeted and why, these types of attacks include client, service, and system-directed denials of service. The following sections look at each of these types of denial of service in a little more detail.
Client-Side Network DoS

Client-side denials of service are typically targeted at a specific product. Their purpose is to render the user of the client incapable of performing any activity with the client. One such attack is through the use of what's called JavaScript bombs. By default, most Web browsers enable JavaScript. This is apparent anytime one visits a Web site and a pop-up or pop-under ad is displayed. However, JavaScript can also be used in a number of malicious ways, one of which is to launch a denial of service attack against a client. Using the same technique that advertisers use to create a new window with an advertisement, an attacker can create a malicious Web page consisting of a never-ending loop of window creation. The end result is that so many windows are popped up that the system becomes resource-bound. This is an example of a client-side attack, denying service to the user by exercising a resource starvation attack as we previously discussed, but using the network as a vector. This is only one of many client-side attacks, with others affecting products such as the AOL Instant Messenger, the ICQ Instant Message Client, and similar software.

Service-Based Network DoS

Another type of denial of service attack launched via networks is the service-based attack. A service-based attack is intended to target a specific service, rendering it unavailable to legitimate users. These attacks are typically launched at a service such as a Hypertext Transfer Protocol Daemon (HTTPD), Mail Transport Agent (MTA), or other such service that users typically require. An example of this problem is a vulnerability that was discovered in the Web configuration infrastructure of the Cisco Broadband Operating System (CBOS). When the Code Red worm began taking advantage of Microsoft's Internet Information Server (IIS) 5.0 Web servers the world over, the worm was discovered to be indiscriminate in the type of Web server it attacked.
It would scan networks searching for Web servers, and attempt to exploit any Web server it encountered. A side effect of this worm was that although some hosts were not vulnerable to the malicious payload it carried, some hosts were vulnerable in a different way. CBOS was one of these scenarios. Upon receiving multiple Transmission Control Protocol (TCP) connections via port 80 from Code Red infected hosts, CBOS would crash. Though this vulnerability was discovered as a casualty of another, the problem could be exploited by a user with any one of the readily available network auditing tools. After the attack, the router would be incapable of configuration, requiring a power-cycle of the router to make the configuration facility available again. This is a classic example of an attack directed specifically at one service.
System-Directed Network DoS

A denial of service directed towards a system via the network vector is typically used to produce the same results as a local denial of service: degrading performance or making the system completely unavailable. A few approaches are typically seen in this type of attack, and they basically define the methods used in their entirety. One is using an exploit to attack one system from another, leaving the target system inoperable. This type of attack was displayed by the land.c, Ping of Death, and teardrop exploits of a couple of years ago, and the various TCP/IP fragmented packet vulnerabilities in products such as D-Link routers and the Microsoft ISA Server.

Also along this line is the concept of SYN flooding. This attack can be launched in a variety of ways, from either one system on a network faster than the target system, to multiple systems on large pipes. This type of attack is used mainly to degrade system performance. The SYN flood is accomplished by sending TCP connection requests faster than a system can process them. The target system sets aside resources to track each connection, so a great number of incoming SYNs can cause the target host to run out of resources for new legitimate connections. The source IP address is, as usual, spoofed so that when the target system attempts to respond with the second portion of the three-way handshake, a SYN-ACK (synchronization-acknowledgment), it receives no response. Some operating systems will retransmit the SYN-ACK a number of times before releasing the resources back to the system. The exploit code for the SYN flooder synk4.c was written by Zakath. This SYN flooder allows you to select an address the packets will be spoofed from, as well as the ports to flood on the victim's system. We did not include the code here for the sake of brevity, but you can download it at www.cotse.com/sw/dos/syn/synk4.c.
One can detect a SYN flood coming from the preceding code by using a variety of tools, such as the netstat command. On several operating system platforms, using the -n parameter displays addresses and port numbers in numerical format, and the -p switch allows you to select only the protocol you are interested in viewing. This prevents all User Datagram Protocol (UDP) connections from being shown so that you can view only the connections you are interested in for this particular attack. Check the documentation for the version of netstat that is available on your operating system to ensure that you use the correct switches.

Additionally, some operating systems support features such as TCP SYN cookies. SYN cookies are a method of connection establishment that uses cryptography to protect the connection queue. When a system receives a SYN, it returns a SYN+ACK as though the SYN queue were actually larger. When it receives an ACK back from the initiating system, it takes the recent value of the 32-bit time counter modulo 32 and passes it through the secret server-side function. If the value fits, the extracted maximum segment size (MSS) is used, and the SYN queue entry is rebuilt.

Let's also look at the topic of smurfing or packeting attacks, which are typically purveyed by the previously mentioned script kiddiots. The smurf attack performs a network vector denial of service against the target host. This attack relies on an intermediary, the router, to help. The attacker, spoofing the source IP address of the target host, generates a large amount of Internet Control Message Protocol (ICMP) echo traffic directed toward IP broadcast addresses. The router, also known as a smurf amplifier, converts the IP broadcast to a Layer 2 broadcast and sends it on its way. Each host that receives the broadcast responds back to the spoofed source IP with an echo reply.
Depending on the number of hosts on the network, both the router and the target host can be inundated with traffic. This can result in decreased network performance for the host being attacked, and, depending on the number of amplifier networks used, the target network becoming saturated to capacity.

The last system-directed denial of service attack using the network vector is distributed denial of service (DDoS). This concept is similar to that of the previously mentioned smurf attack. The means and method of the attack, however, differ significantly from those of smurf. This type of attack depends on the use of a client, masters, and daemons (also called zombies). Attackers use the client to initiate the attack by using masters, which are compromised hosts that have a special program on them allowing the control of multiple daemons. Daemons are compromised hosts that also have a special program running on them, and are the ones that generate the flow of packets to the target system. The current crop of DDoS tools includes trinoo, Tribe Flood Network, Tribe Flood Network 2000, stacheldraht, shaft, and mstream. In order for the DDoS to work, the special program must be placed on dozens or hundreds of agent systems. Normally an automated procedure looks for hosts that can be compromised (buffer overflows in the remote procedure call [RPC] services statd, cmsd, and ttdbserverd, for example), and then places the special program on the compromised host. Once the DDoS attack is initiated, each of the agents sends a heavy stream of traffic to the target, inundating it with a flood of traffic. To learn more about detection of DDoS daemon machines, as well as each of the DDoS tools, visit David Dittrich's Web site at http://staff.washington.edu/dittrich/misc/ddos.
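The SYN cookie scheme described earlier in this section, as an added example that is not from the original chapter: a simplified model of a server that encodes the time counter (mod 32), an MSS index and a keyed hash of the connection 4-tuple into the SYN-ACK sequence number instead of keeping a SYN queue entry, and rebuilds the entry only when the value echoed in the client's ACK checks out. The MSS table, tick period, secret, addresses and ports are constructed for illustration and are not the Linux kernel's values.

```python
import hashlib
import hmac
import socket
import struct

# MSS values the 3-bit field of the cookie can encode; the client's MSS is
# rounded down to the nearest entry. Constructed approximation of the
# kernel's table, not the real one.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_PERIOD = 64   # seconds per tick of the time counter (assumed)
MAX_AGE_TICKS = 2     # ACKs echoing a cookie older than this are rejected


def _hash24(secret, saddr, daddr, sport, dport, t):
    """24-bit keyed digest binding the cookie to the connection 4-tuple and
    to the (5-bit) time counter value current when the SYN arrived."""
    msg = socket.inet_aton(saddr) + socket.inet_aton(daddr) + struct.pack("!HHB", sport, dport, t)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_mss, now):
    """Build the ISN the server sends in its SYN-ACK in place of storing a
    half-open connection: 5 bits of time counter, 3 bits of MSS index,
    24 bits of keyed hash."""
    t = (now // COUNTER_PERIOD) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i
    return (t << 27) | (mss_idx << 24) | _hash24(secret, saddr, daddr, sport, dport, t)


def check_cookie(secret, saddr, daddr, sport, dport, cookie, now):
    """Validate a cookie echoed by the client. Returns the MSS to rebuild the
    SYN queue entry with, or None if the cookie is stale, forged, or was
    issued for a different 4-tuple."""
    t = cookie >> 27
    current = (now // COUNTER_PERIOD) & 0x1F
    if (current - t) & 0x1F > MAX_AGE_TICKS:
        return None
    if _hash24(secret, saddr, daddr, sport, dport, t) != cookie & 0xFFFFFF:
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


def handle_ack(secret, saddr, daddr, sport, dport, ack_number, now):
    """The third handshake packet acknowledges cookie + 1, so undo the +1."""
    return check_cookie(secret, saddr, daddr, sport, dport, (ack_number - 1) & 0xFFFFFFFF, now)


if __name__ == "__main__":
    secret = b"constructed-per-boot-secret"
    # Constructed endpoints: client 10.0.0.5:40000 -> server 192.168.1.2:80
    syn_time = 1_000_000
    cookie = make_cookie(secret, "10.0.0.5", "192.168.1.2", 40000, 80, 1460, syn_time)
    print("SYN-ACK seq (cookie): 0x%08x" % cookie)
    print("genuine ACK ->", handle_ack(secret, "10.0.0.5", "192.168.1.2", 40000, 80, cookie + 1, syn_time + 10))
    print("forged ACK  ->", handle_ack(secret, "10.0.0.5", "192.168.1.2", 40000, 80, (cookie ^ 0x55) + 1, syn_time + 10))
    print("stale ACK   ->", handle_ack(secret, "10.0.0.5", "192.168.1.2", 40000, 80, cookie + 1, syn_time + 5 * COUNTER_PERIOD))
```

Because the server keeps no per-SYN state, a flood of spoofed SYNs costs it only the hash computation, while a spoofed source that never sees the SYN-ACK cannot produce a valid ACK.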
Information Leakage

Information leakage can be likened to leaky pipes. Whenever something comes out, it is almost always undesirable and results in some sort of damage. Information leakage is typically an abused resource that precedes an attack. In the same way that military generals rely on information from reconnaissance troops that have penetrated enemy lines to observe the type of weapons, manpower, supplies, and other resources possessed by the enemy, attackers enter the network to perform the same tasks, gathering information about programs, operating systems, and network design on the target network.
Service Information Leakage

Information leakage occurs in many forms. Banners are one example. Banners are the text presented to a user when they attempt to log into a system via any one of the many services. Banners can be found on such services as File Transfer Protocol (FTP), secure shell (SSH), telnet, Simple Mail Transfer Protocol (SMTP), and Post Office Protocol 3 (POP3). Many software packages for these services happily yield version information to outside users in their default configuration. Another similar problem is error messages. Services such as Web servers yield more than ample information about themselves when an exception condition is created. An exception condition is defined by a circumstance out of the ordinary, such as a request for a page that does not exist, or a command that is not recognized. In these situations, it is best to make use of the customizable error configurations supplied, or create a workaround configuration.
Protocol Information Leakage

In addition to the previously mentioned cases of information leakage, there is also what is termed protocol analysis. Protocol analysis exists in numerous forms. One type of analysis is using the constraints of a protocol's design against a system to yield information about that system. Observe this FTP system type query:

elliptic@ellipse:~$ telnet parabola.cipherpunks.com 21
Trying 192.168.1.2...
Connected to parabola.cipherpunks.com.
Escape character is '^]'.
220 parabola FTP server (Version: 9.2.1-4) ready.
SYST
215 UNIX Type: L8 Version: SUNOS

This problem also manifests itself in such services as HTTP. Observe the leakage of information through the HTTP HEAD command:

elliptic@ellipse:~$ telnet www.cipherpunks.com 80
Trying 192.168.1.2...
Connected to www.cipherpunks.com.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 05 Dec 2001 11:25:13 GMT
Server: Apache/1.3.22 (Unix)
Last-Modified: Wed, 28 Nov 2001 22:03:44 GMT
ETag: "30438-44f-3c055f40"
Accept-Ranges: bytes
Content-Length: 1103
Connection: close
Content-Type: text/html

Connection closed by foreign host.

Attackers also perform protocol analysis through a number of other methods. One such method is the analysis of responses to IP, an attack based on the previously mentioned concept, but working on a lower level. Automated tools, such as the Network Mapper, or Nmap, provide an easy-to-use utility designed to gather information about a target system, including publicly reachable ports on the system, and the operating system of the target. Observe the output from an Nmap scan:

elliptic@ellipse:~$ nmap -sS -O parabola.cipherpunks.com
Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on parabola.cipherpunks.com (192.168.1.2):
(The 1533 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
53/tcp     open        domain
80/tcp     open        http
Remote operating system guess: Solaris 2.6 - 2.7
Uptime 5.873 days (since Thu Nov 29 08:03:04 2001)
Nmap run completed -- 1 IP address (1 host up) scanned in 67 seconds

First, let's explain the flags used to scan parabola. The -sS flag uses a SYN scan, exercising half-open connections to determine which ports are open on the host. The -O flag tells Nmap to identify the operating system, if possible, based on known responses stored in a database. As you can see, Nmap was able to identify all open ports on the system, and accurately guess the operating system of parabola (which is actually a Solaris 7 system running on a SPARC).
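As an added defender-side check that is not part of the original chapter, the following Python code parses replies like the FTP and HTTP sessions above and reports the version and platform details they disclose, so a server owner can audit banners before an attacker does. The sample replies are constructed from the sessions shown; the hardened HTTP sample assumes an Apache server configured with ServerTokens Prod, which trims the Server header to the product name.

```python
import re

# Response headers that commonly carry product and version details.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Version-looking tokens such as 1.3.22, 9.2.1-4 or 2.6.
VERSION_RE = re.compile(r"\d+(?:[.\-]\d+)+")


def http_header_disclosures(raw_response):
    """Return (header, value, versions) for every disclosing header in a raw
    HTTP response. Parsing stops at the blank line that ends the headers;
    an empty versions list means the product is named but not its version."""
    findings = []
    for line in raw_response.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if sep and name.lower() in DISCLOSING_HEADERS and value:
            findings.append((name, value, VERSION_RE.findall(value)))
    return findings


def banner_disclosures(banner):
    """Return version strings and explicit 'Version:' values found in a
    service greeting or status reply (FTP 220/215, SMTP 220, SSH ident)."""
    found = VERSION_RE.findall(banner)
    m = re.search(r"Version:\s*([^\s)]+)", banner)
    if m and m.group(1) not in found:
        found.append(m.group(1))
    return found


# Constructed samples, modelled on the replies shown above.
HTTP_SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 05 Dec 2001 11:25:13 GMT\r\n"
    "Server: Apache/1.3.22 (Unix)\r\n"
    "Last-Modified: Wed, 28 Nov 2001 22:03:44 GMT\r\n"
    "ETag: \"30438-44f-3c055f40\"\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
FTP_GREETING = "220 parabola FTP server (Version: 9.2.1-4) ready."
FTP_SYST_REPLY = "215 UNIX Type: L8 Version: SUNOS"
# What the same server answers after ServerTokens Prod (assumed configuration).
HARDENED_HTTP = "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    print(http_header_disclosures(HTTP_SAMPLE))
    print(banner_disclosures(FTP_GREETING), banner_disclosures(FTP_SYST_REPLY))
    print(http_header_disclosures(HARDENED_HTTP))
```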