Attacks Flashcards
A packet containing a long string of NOPs followed by a command is usually indicative of what?
A buffer overflow attack.
A series of the same hexadecimal control characters embedded in the string is usually an indicator of a buffer overflow attack. A NOP is an instruction which does nothing (No Operation; the hexadecimal equivalent is 0x90).
The Intel x86 processors use the hexadecimal number 90 to represent NOP (no operation). Many buffer overflow attacks use long strings of control characters, and this is representative of that type of attack.
A piece of malicious code that can take many forms and serve many purposes. Needs a host in which to live, and an action by the user to spread.
Virus
A type of malicious code that lays dormant until a logical event occurs (such as a specific person’s name is no longer in the payroll database)
Logic Bomb
Many small attacks add up to equal a large attack (Movie: Office Space: stealing a fraction of a penny)
Salami
Similar to a virus, but does not need a host and is self replicating
Worm
One program (usually some type of malicious code) masquerades as another. Common means of distributing Back Door Programs
Trojan Horse
Altering/manipulating data, usually before entry (Taco Bell: charge 50 cents for a taco and pocket the other $1.50)
Data Diddling
Capturing and viewing packets through the use of a protocol analyzer (passive Man-in-the-Middle attack). Best defense: encryption
Sniffing
Where an attacker steps in between two hosts and either monitors the exchange, or often disconnects one.
Session Hijacking
Where an attacker steps in between two hosts and either monitors the exchange, or often disconnects one. Session hijacks are active types of Man-in-the-Middle attacks. Encryption prevents sniffing, and mutual authentication would prevent a session hijack.
A program that allows access (often administrative access) to a system while bypassing normal security controls. Examples are NetBus, Back Orifice, SubSeven
Back Door Programs
An attack on a RAS (Remote Access Server) where the attacker tries to find the phone number that accepts incoming calls. RAS should be set to use caller ID (can be spoofed), callback (best), and configured so that the modem does not answer until after 4 calls.
Wardialing
The purpose of these attacks is to overwhelm a system and disrupt its availability
Denial of Service (DoS)
Characterized by the use of Control Machines (Handlers) and Zombies (Bots). An attacker uploads software to the control machines, which in turn commandeer unsuspecting machines to perform an attack on the victim. The idea is that if one machine can initiate a denial of service attack, then having many machines perform the attack is better.
Distributed Denial of Service (DDoS)
Sending a Ping Packet that violates the Maximum Transmission Unit (MTU) size—a very large ping packet.
Ping of Death
Considered a DoS
Overwhelming a system with a multitude of pings
Ping Flooding
Considered a DoS
Sending malformed packets which the Operating System does not know how to reassemble. Layer 3 attack
Tear Drop
Attacks that overwhelm a specific type of memory on a system—the buffers. Best avoided with input validation
Buffer Overflow
Similar to the Teardrop attack. Manipulates how a PC reassembles a packet and allows it to accept a packet much too large
Bonk
Creates a “circular reference” on a machine. Sends a packet where source and destination are the same.
Land Attack
Type of attack that exploits the three-way handshake of TCP. Layer 4 attack. A stateful firewall is needed to prevent it
Syn Flood
Uses an ICMP directed broadcast. Layer 3 attack. Block distributed broadcasts on routers (aka block ICMP at the firewall)
Smurf
Considered a DDoS
Similar to Smurf, but uses UDP instead of ICMP. Layer 4 attack. Block distributed broadcasts on routers
Fraggle
What is the best defense for sniffing?
Encryption
How would you prevent a session hijack?
Mutual Authentication
How do you protect against wardialing?
RAS should be set to use caller ID (can be spoofed), callback (best, but could be call forwarded), and configured so that the modem does not answer until after 4 calls. Use authentication
Use a different number than your normal extension range for your modems
How do you protect against buffer overflow?
Best avoided with input validation
How do you prevent a SYN flood?
A stateful firewall is needed to prevent it
How do you protect against Smurf?
Block distributed (directed) broadcasts on routers
aka block ICMP at the firewall
How do you protect against Fraggle?
Block distributed (directed) broadcasts on routers
Similar to Smurf, but uses UDP instead of ICMP. Layer 4 attack.
Sending malformed or improper data in the ICMP header. Considered a “covert channel” attack
Loki
Driving around looking for unsecured wireless networks
War driving
Unauthorized wireless access points offer the opportunity for what type of attack?
Man in the middle attacks
Sniffing wireless signals
Airsnarfing
Sending SPAM to nearby bluetooth devices
Blue Jacking
Mitigation:
Disable it if you’re not using it
Disable auto-discovery
Disable auto-pairing
Copies information off of remote devices
Blue Snarfing
Mitigation:
Disable it if you’re not using it
Disable auto-discovery
Disable auto-pairing
Allows full use of phone
Allows one to make calls
Can eavesdrop on calls
Blue Bugging
Most serious of Bluetooth attacks
Mitigation:
Disable it if you’re not using it
Disable auto-discovery
Disable auto-pairing
What is a TCP SYN flood?
Category: Network Attack
Type: common TCP denial of service
Info: A system must keep track of any remote system that starts a TCP three-way handshake. The attacker sends many SYNs but never ACKs. The victim's half-open connection table will start to fill.
Result: If the attacker can exhaust that table then no new connections can be made.
What is a LAND attack?
Category: Network Attack
Type: Single Packet DoS
Info: A single-packet DoS attack involving the victim's web service listening on Port 80. A packet is forged from the victim's IP Address / Port 80 to the victim's IP Address / Port 80.
Result: The victim's computer sometimes gets confused and crashes.
What is a Fraggle Attack?
Category: Network Attack
Type: DoS
Info: Based on the Smurf Attack, using UDP echo packets in place of ICMP. The attacker forges UDP packets from the victim to the UNIX services Port 7 (echo, which “echoes” characters back to the sender) and Port 19 (Character Generator, which sends a stream of characters back to the sender).
Result: Victim is overwhelmed by characters.
What is a Teardrop attack?
Category: Network Attack
Type: DoS
Info: The attack relies on fragmentation reassembly. The attacker sends multiple large overlapping IP fragments.
Result: System may crash as it attempts to reassemble the bogus fragments.
What is an ARP scan attack?
Once an attacker is on the LAN, Layer 2 scans and attacks are possible.
ARP scan is a Layer 2 scan that sends ARP requests for each IP address on a subnet, learning the MAC address of each system.
What is a TCP scan attack?
Sends a TCP SYN packet to ports on a host, reporting those that answer SYN/ACK.
A “connect scan” completes the three-way handshake.
A “half-open scan” does not complete the TCP handshake.
Half-open connections have advantages because they often are not logged.
Attackers can also craft packets with strange flag combinations (SYN/RST, all TCP flags set, no flags set, etc.). Attackers may be able to determine OS version by the way these packets are handled.
What is a UDP scan attack?
Sends UDP packets to ports on a system and listens for answers.
UDP scans are harder and slower than TCP scans. Unlike TCP, there is no connection and no universal way for a UDP service to respond to a UDP packet.
What type of attack inserts tagging values into network and switch-based protocols with the goal of manipulating traffic at the Data Link Layer?
VLAN Hopping
The attacker can have a system act as though it is a switch. The system understands the tagging values being used in the network and trunking protocols, and can insert itself between other VLAN devices and gain access to the traffic going back and forth.