Wednesday, March 10, 2010

Computer Attacks and Vulnerabilities

Many organizations acquire intrusion detection systems (IDSs) because they know that IDSs are a necessary complement to a comprehensive system security architecture.
However, given the relative youth of commercial IDSs, most organizations lack experienced IDS operators. Despite vendors’ claims about ease of use, such training or experience is absolutely necessary. An IDS is only as effective as the human operating it.
IDS user interfaces vary greatly in quality. Some produce responses in the form of cryptic text logs while others provide graphical depictions of the attacks on the network. Despite this wide variance in display techniques, most IDSs output the same basic information about computer attacks. If users understand this common set of outputs, they can quickly learn to use the majority of commercial IDSs.


Attack Types

Most computer attacks only corrupt a system’s security in very specific ways. For example, certain attacks may enable an attacker to read specific files but don’t allow alteration of any system components. Another attack may allow an attacker to shut down certain system components but doesn’t allow access to any files. Despite the varied capabilities of computer attacks, they usually result in violation of only four different security properties: availability, confidentiality, integrity, and control. These violations are described below.
  • Confidentiality: An attack causes a confidentiality violation if it allows attackers to access data without authorization (either implicit or explicit) from the owner of the information.
  • Integrity: An attack causes an integrity violation if it allows the (unauthorized) attacker to change the system state or any data residing on or passing through a system.
  • Availability: An attack causes an availability violation if it keeps an authorized user (human or machine) from accessing a particular system resource when, where, and in the form that they need it.
  • Control: An attack causes a control violation if it grants an (unauthorized) attacker privilege in violation of the access control policy of the system. This privilege enables a subsequent confidentiality, integrity, or availability violation.

Types of Computer Attacks Commonly Detected by IDSs

Three types of computer attacks are most commonly reported by IDSs: system scanning, denial of service (DOS), and system penetration. These attacks can be launched locally, on the attacked machine, or remotely, using a network to access the target. An IDS operator must understand the differences between these types of attacks, as each requires a different set of responses.


Scanning Attacks

A scanning attack occurs when an attacker probes a target network or system by sending different kinds of packets.
Using the responses received from the target, the attacker can learn many of the system’s characteristics and vulnerabilities. Thus, a scanning attack acts as a target identification tool for an attacker. Scanning attacks do not penetrate or otherwise compromise systems. Various names for the tools used to perform these activities include: network mappers, port mappers, network scanners, port scanners, or vulnerability scanners. Scanning attacks may yield:
  • The topology of a target network
  • The types of network traffic allowed through a firewall
  • The active hosts on the network
  • The operating systems those hosts are running
  • The server software they are running
  • The software version numbers for all detected software
Vulnerability scanners are a special type of scanner that checks for specific vulnerabilities in hosts. Thus, an attacker can run a vulnerability scanner and it will output a list of hosts (IP addresses) that are likely to be vulnerable to a specific attack.
With this information, an attacker can precisely identify victim systems on the target network along with specific attacks that can be used to penetrate those systems. Thus, attackers use scanning software to “case” a target before launching a real attack.
Unfortunately for victims, just as it is legal for a person to enter a bank and to survey the visible security system, some lawyers say that it is legal for an attacker to scan a host or network. From the perspective of someone performing a scan, they are legally scouring the Internet to find publicly accessible resources.


Denial of Service Attacks

Denial of service (DOS) attacks attempt to slow or shut down targeted network systems or services. In certain Internet communities, DOS attacks are common. For example, Internet Relay Chat users engaged in verbal disputes commonly resort to DOS attacks to win arguments with their opponents. While often used for such trivial purposes, DOS attacks can also be used to shut down major organizations. In well publicized incidents, DOS attacks were charged with causing major losses to electronic commerce operations, whose customers were unable to access them to make purchases. There are two main types of DOS attacks: flaw exploitation and flooding. It is important for an IDS operator to understand the difference between them.

Flaw exploitation DOS Attacks

Flaw exploitation attacks exploit a flaw in the target system’s software in order to cause a processing failure or to cause it to exhaust system resources. An example of such a processing failure is the ‘ping of death’ attack. This attack involved sending an unexpectedly large ping packet to certain Windows systems. The target system could not handle this abnormal packet, and a system crash resulted. With respect to resource exhaustion attacks, the resources targeted include CPU time, memory, disk space, space in a special buffer, or network bandwidth. In many cases, simply patching the software can circumvent this type of DOS attack.

Flooding DOS Attacks

Flooding attacks simply send a system or system component more information than it can handle. In cases where the attacker cannot send a system sufficient information to overwhelm its processing capacity, the attacker may nonetheless be able to monopolize the network connection to the target, thereby denying anyone else use of the resource. With these attacks, there is no flaw in the target system that can be patched. This is why such attacks represent a major source of frustration and concern to organizations. While there are few general solutions to stop flooding attacks, there are several technical modifications that can be made by a target to mitigate such an attack.
“Distributed DOS” (DDOS) attacks are a subset of DOS attacks. DDOS attacks are simply flooding DOS attacks where the attacker uses multiple computers to launch the attack. These attacking computers are centrally controlled by the attacker’s computer and thus act as a single immense attack system. An attacker cannot usually bring down a major e-commerce site by flooding it with network packets from a single host.
However, if an attacker gains control of 20,000 hosts and subverts them to run an attack under his direction, then the attacker has a formidable capability to successfully attack the fastest of systems, bringing it to a halt.
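
The scanning, flooding DOS and DDOS patterns described above leave different shapes in connection records, which is what lets an IDS report them as different attack types. The following is an added example, not part of the original article; the record layout, thresholds and function names are assumptions, and the sample records are constructed using documentation address ranges.

```python
from collections import defaultdict

def sample_flows():
    """Constructed records: (second, source IP, destination IP, destination port)."""
    flows = [(0, "198.51.100.7", "192.0.2.10", p) for p in range(20, 60)]  # one source, 40 ports
    flows += [(1, "203.0.113.5", "192.0.2.20", 80)] * 500                   # one source, one service
    flows += [(2, f"203.0.113.{i % 200 + 1}", "192.0.2.30", 443)
              for i in range(600)]                                          # 200 sources, one service
    flows += [(3, "198.51.100.9", "192.0.2.10", 443)] * 3                   # ordinary client
    return flows

def classify(flows, window_s=1, scan_targets=20, flood_pkts=300, ddos_sources=50):
    """Return sorted (label, subject) alerts; thresholds are illustrative assumptions."""
    probed = defaultdict(set)   # (window, src) -> distinct (dst, port) pairs touched
    volume = defaultdict(int)   # (window, dst, port) -> packets received
    senders = defaultdict(set)  # (window, dst, port) -> distinct sources seen
    for t, src, dst, port in flows:
        w = t // window_s
        probed[(w, src)].add((dst, port))
        volume[(w, dst, port)] += 1
        senders[(w, dst, port)].add(src)

    alerts = set()
    # Scanning is breadth: one source touches many distinct targets, few packets each.
    for (_, src), targets in probed.items():
        if len(targets) >= scan_targets:
            alerts.add(("scan", src))
    # Flooding is depth: one service receives more packets than it should.
    # The number of distinct sources separates DOS from DDOS.
    for key, count in volume.items():
        if count >= flood_pkts:
            _, dst, port = key
            label = "ddos-flood" if len(senders[key]) >= ddos_sources else "dos-flood"
            alerts.add((label, f"{dst}:{port}"))
    return sorted(alerts)

if __name__ == "__main__":
    for label, subject in classify(sample_flows()):
        print(f"{label:10} {subject}")
```

A scan paced at one probe per second stays under the one-second window used here; widening `window_s` catches it at the cost of keeping more state per source.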

Penetration Attacks

Penetration attacks involve the unauthorized acquisition and/or alteration of system privileges, resources, or data. These are integrity and control violations, in contrast to DOS attacks, which violate the availability of a resource, and to scanning attacks, which don’t do anything illegal. A penetration attack can gain control of a system by exploiting a variety of software flaws. The most common flaws and the security consequences of each are explained and enumerated below.
While penetration attacks vary tremendously in details and impact, the most common types are:

  • User to Root: A local user on a host gains complete control of the target host
  • Remote to User: An attacker on the network gains access to a user account on the target host
  • Remote to Root: An attacker on the network gains complete control of the target host
  • Remote Disk Read: An attacker on the network gains the ability to read private data files on the target host without the authorization of the owner
  • Remote Disk Write: An attacker on the network gains the ability to write to private data files on the target host without the authorization of the owner

Remote vs. Local Attacks

DOS and penetration attacks come in two varieties: local and remote.

Authorized User Attack:


Authorized user attacks are those that start with a legitimate user account on the target system. Most authorized user attacks involve some sort of privilege escalation.

Public User Attack:

Public user attacks, on the other hand, are those launched without any user account or privileged access to the target system. Public user attacks are launched remotely through a network connection using only the public access granted by the target.
One typical attack strategy calls for an attacker to use a public user attack to gain initial access to a system. Then, once on the system, the attacker uses authorized user attacks to take complete control of the target.

37 comments:

  1. I should say that it is very important for people who need this information. Thanks.

  2. Great article on various types of possible virus attacks on systems. Great piece, keep it up.

  3. Computers really do hold very important data and transactions, and must be secured from these virus attacks.

  4. Computer users have to deal with all sorts of security threats each day: computer viruses, computer worms, hackers, phishing, spyware. These malicious attacks may damage your boot sector, system BIOS, software and data files, cause disruption of internet traffic, create a back door to allow unauthorized access to your computer, and steal confidential information from you. So how do they spread over the internet?

  5. Intrusion detection systems (IDSs) are becoming common with big companies because they know that IDSs are necessary for comprehensive system security. Computers are subject to worms, spyware, etc., so this is a very useful programme and remedy.

  6. I didn't really understand how computer attacks were done. I often get phishing mails and I always wondered how this attack was done. Thanks

  7. I don't know any stuff like this, but you helped me to know it. Thanks, man.

  8. Very important for everyone who is using a PC and the internet; there are many crimes around the internet world.

  9. I think computer attacks nowadays are more common in a shell of many viruses and trojans, but really these attacks are annoying.

  10. I think we have surrendered ourselves in front of viruses because we haven't created such software which can block viruses forever.

  11. Very nice explanation about viruses and attacks. Easily understandable. Thanks for sharing.

  12. These days the computer is highly efficient in all fields of life and must be secured from these virus attacks.

  13. By reading your article I gained a lot of knowledge.

  14. One of the best articles, where you would learn especially about computer viruses, computer worms, hackers, phishing, spyware. I was really looking for this kind of article. Very nice article. Thanks for this.

  15. Great article, and it really helped me a lot.

  16. Great article, but maybe you can insert the info about how to prevent the attack.

  17. Really, it gave me a sneak peek into the computer's inner world, where I learnt about computer viruses, computer worms, hackers, phishing, spyware. I was really looking for this kind of article. Very nice article. Really impressive one, thanks for sharing.

  18. Wow, great information, I did not know all this before. You should keep your computer clean from viruses, spyware, etc. Keep up the good work.

  19. Very important for everyone who is using a PC and the internet; there are many crimes around the internet world.

  20. The article is very nice and informative, and the virus attacks you tell about help us to protect our computer.

  21. Thanks for your explanation about viruses and attacks. The computer is highly efficient in all fields of life and must be secured from these virus attacks. Always update antivirus definitions... keep secure!!! hehe :)

  22. Wonderful article, mate. This is an awesome article.

  23. It's a great article. I got much information from this article. At present the computer is highly efficient in all fields of life and must be secured from these virus attacks. Thanks for posting it.

  24. Such a nice article on computer security. I really like your writing style.

  25. Very interesting article. It's very helpful for everyone!

  26. Great article you have.

    I didn't know before that there are a lot of types of virus.

    Now I'll use the best antivirus that can prevent all those viruses. I hope someone can help me find the best antivirus.

  27. Many attacks create very much mess on computers and servers, and this article states that fact very well. A very well informed article.

  28. I was searching for this type of article; your post helped me by providing some more information about Computer Attacks and Vulnerabilities, which even saved some of my time for coming across your blog. Really, thanks for the post.

  29. Very useful information about viruses.

  30. I've been working in a call center supporting operating systems, and every day people are calling in and asking for assistance due to some virus attacks. Again and again, it's best to guard our computers, especially if we have important files on them.

  31. Brilliant minds seem never to be satisfied without breaking a challenge. Thus, secured files are being hacked just for the heck of it. Thus, we have to be careful of computer attacks of any form, be it a virus or other.

  32. Thanks for the article, you explained almost all kinds of these attacks. Thanks.

  33. Intel Corp., the world's largest chipmaker, said its computer systems were attacked last month, about the time that Google Inc.

  34. Computer attacks and vulnerabilities have become a serious issue in the networking field today. It's recommended to use an IDS to prevent that kind of attack.

  35. I have faced too many virus attack problems in the past year, and though I have also installed good virus scanners, they were not much use when these deadly viruses attack, and now I format the system every week by using a software.

  36. Awesome article, which has complete information about all kinds of computer attacks that normally take place. This provided a few tips to get rid of such attacks.

  37. Excellent article with a huge amount of information. IDS is really very important. I had no idea about this before. Thanks for publishing this.
