Levels of Attack

An attack is any unauthorized action undertaken with the intent of hindering, damaging, incapacitating, or breaching the security of your server. Such an attack might range from a denial of service to complete compromise and destruction of your server. The level of attack that is successful against your network depends on the security you employ.

When Can an Attack Occur?

An attack can occur any time your network is connected to the Internet. Because most networks are connected 24 hours a day, that means attacks can occur at any time. Nonetheless, there are some conventions that you can expect attackers to follow.

The majority of attacks occur (or at least commence) late at night relative to the position of the server. That is, if you are in Los Angeles and your attacker is in London, the attack will probably occur during the late night-early morning hours Los Angeles time. You might think that crackers would work during the day (relative to the target) because the heavy traffic might obscure their activity. There are several reasons, however, why crackers avoid such times:

• Practicality--The majority of crackers hold jobs, go to school, or spend time in other environments during the day that may preclude cracking. That is, these characters do more than spend time in front of a machine all day. This differs from the past, when most crackers were kids at home, with nothing to do.

• Speed--The network is becoming more and more congested. Therefore, it is often better to work during times that offer fast packet transport. These windows depend largely on geographical location. Someone in the southwestern United States who is attacking a machine in London would best conduct their affairs between 10:00 p.m. and 12:00 a.m. local time. Playing the field slightly earlier will catch local traffic (people checking their mail before bed, users viewing late news, and so on). Working much later will catch Netizens of the UK waking up to check their e-mail. Going out through Mae East (the largest and busiest Internet exchange gateway) in the early morning hours may be fast, but once across the Atlantic, speed dies off quickly. Anyone who stays up all night surfing the Net will confirm this. Once you hit the morning e-mail check, the Net grinds to a halt. Try it sometime, even locally. At 4:00 a.m. things are great. By 7:00 a.m., you will be praying for a T3 (or SONET).

• Stealth--Suppose for a moment that a cracker finds a hole. Suppose further that it is 11:00 a.m. and three system administrators are logged on to the network. Just what type of cracking do you suppose can be done? Very little. Sysads are quick to track down bizarre behavior if they are there to witness it. I once had a system administrator track me down immediately after I grabbed her password file. She was in Canada and I was in Los Angeles. She issued me a talk instruct before I could even cut the line. We had a lovely, albeit short, conversation. This also happened once when I broke into a server in Czechoslovakia. The lady there had a Sun and an SGI. I cracked the SGI. The conversation there was so good, I stayed connected. We discussed her security and she actually gave me an account on an old SPARC at her university. The account probably still exists.

Favorite targets of crackers are machines with no one on them. For a time, I used a workstation in Japan to launch my attacks because no one ever seemed to be logged in. I Telnetted out of that machine, back into the United States. I found a similar situation with a new ISP in Rome. (I can say no more, because they will definitely remember me and my identity will be blown. They actually told me that if I ever came to hack in Italy, I should look them up!) 

With such machines, you can temporarily take over, setting things to your particular tastes. Moreover, you have plenty of time to alter the logs. So be advised: Most of this activity happens at night relative to your geographical location. 

What Operating Systems Do Crackers Use? 

Operating systems used by crackers vary. Macintosh is the least likely platform for a cracker; there simply aren't enough tools available for MacOS, and the tools needed are too much trouble to port. UNIX is the most likely platform and of that class, probably FreeBSD or Linux. 

Sun 

It is fairly common to see crackers using either SolarisX86 or SCO as a platform. This is because even though these products are licenseware, they can easily be obtained. Typically, crackers using these platforms know students or are students. They can therefore take advantage of the enormous discounts offered to educational institutions and students in general. There is a radical difference between the price paid by a student and the price paid by the average man on the street. The identical product's price could differ by hundreds of dollars. Again, because these operating systems run on PC architecture, they are still more economical alternatives. (SolarisX86 2.4 became enormously popular after support was added for standard IDE drives and CD-ROM devices. Prior to the 2.4 driver update, the system supported only SCSI drives: a slightly more expensive proposition.) And of course, one can always order demo disks from Sun and simply keep the distribution, even though you are in violation of the license.

UNIX

UNIX platforms are popular because they generally require a low overhead. A machine with Windows 95 and all the trimmings requires a lot of RAM; in contrast, you can run Linux or FreeBSD on a paltry 386 and gain good performance (provided, of course, that you do not use X). This is reasonable, too, because even tools that have been written for use in the X environment usually have a command-line interface as well (for example, you can run SATAN in CLI).

Micro$oft

The Microsoft platform supports many legitimate security tools that can be used to attack remote hosts. Of that class, more and more crackers are using Windows NT. It outperforms 95, 90, 2000 by a wide margin and has advanced tools for networking as well. Also, Windows NT is a more serious platform in terms of security. It has access control as well, so crackers can safely offer remote services to their buddies. If those "friends" log in and attempt to trash the system, they will be faced with the same controls as they would on a non-cracker-friendly box.

Moreover, NT is becoming more popular because crackers know they must learn this platform. As NT becomes a more popular platform for Internet servers (and it will, with the recent commitments between DEC and Microsoft), crackers will need to know how to crack these machines. Moreover, security professionals will also develop tools to test internal NT security. Thus, you will see a dramatic rise in the use of NT as a cracking platform.

Origin of Attacks

Years ago, many attacks originated from universities because that is where the Internet access came from. Most crackers were youngsters who had no other easy means of accessing the Internet. This naturally influenced not only the origin of the attack but also the time during which the attack happened. Also, real TCP/IP was not available as an option in the old days (at least not from the comfort of your home, save a shell account).

Today the situation is entirely different. Crackers can crack your network from their home, office, or vehicle. However, there are some constants. For instance, serious crackers do not generally use well-known ISPs.

One reason for this is that these providers will roll over a hacker or cracker to the authorities at the drop of a hat. The suspect may not have even done anything wrong (smaller ISPs may simply cut them loose). Ironically, big providers allow spammers to pummel the Internet with largely unwanted advertising.

What Is the Typical Cracker Like?

The typical cracker can probably be described by at least three qualities in the following profile:

• Can code in C, C++, or Perl--These are general requirements, because many of the baseline security tools are written in one or more of these languages. At minimum, the cracker must be able to properly interpret, compile, and execute the code. More advanced crackers can take code not expressly written for a particular platform and port it to their own. Equally, they may develop new modules of code for extensible products such as SATAN and SAFEsuite (these programs allow the integration of new tools written by the user).

• Has an in-depth knowledge of TCP/IP--No competent cracker can get along without this requirement. At minimum, a cracker must know how the Internet works. This knowledge must necessarily go deeper than just what it takes to connect and network. The modern, competent cracker must know the raw codes within TCP/IP, such as the composition of IP packet headers. This knowledge, however, need not be acquired at school and therefore, a B.S. in Computer Science is not required. Many individuals get this knowledge by networking equipment within their home or at their place of business.

• Uses the Internet more than 50 hours per month--Crackers are not casual users. To watch a cracker at work is to watch someone who truly knows not only his or her own machine, but the Net. There is no substitute for experience, and crackers must have it. Some crackers are actually habitual users and suffer from insomnia. No joke.

• Intimately knows at least two operating systems--One of these will undoubtedly be UNIX or Windows.

• Has (or had) a job using computers--Not every cracker wakes up one morning and decides to devote a major portion of his or her life to cracking. Some have had jobs in system administration or development. These individuals tend to be older and more experienced. In such cases, you are probably dealing with a professional cracker (who probably has had some experience developing client/server applications).

• Collects old, vintage, or outdated computer hardware or software--This may sound silly, but it isn't. Many older applications and utilities can perform tasks that their modern counterparts cannot.

What Is the Typical Target Like?

The typical target is hard to pin down because crackers attack different types of networks for different reasons. Nonetheless, one popular target is the small, private network. Crackers are well aware of organizational behavior and financial realities. Because firewalls are expensive to acquire and maintain, smaller networks are likely to go without or obtain inferior products. Also, few small companies have individuals assigned specifically to anti-cracking detail. Finally, smaller networks are more easily compromised because they fit this profile:

• The owners are new to the Internet

• The sysad is experienced with LANs rather than TCP/IP

• Either the equipment or the software (or both) are old (and perhaps outdated)

This profile, however, is not set in stone. Many crackers prefer to run with the bleeding-edge target, seeing whether they can exploit a newly discovered hole before the sysad plugs it. In this instance, the cracker is probably cracking for sport.

Another issue is familiarity. Most crackers know two or more operating systems intimately from a user standpoint, but generally only one from a cracking standpoint. In other words, these folks tend to specialize. Few crackers are aware of how to crack multiple platforms. For example, perhaps one individual knows VAX/VMS very well but knows little about SunOS. He will therefore target VAX stations and ultimately, perhaps through experience, DEC Alphas.

Universities are major targets in part because they possess extreme computing power. For example, a university would be an excellent place to run an extensive password cracking session. The work can be distributed over several workstations and can thus be accomplished much more quickly than by doing it locally. Another reason universities are major targets is that university boxes usually have several hundred users, even in relatively small network segments. Administration of sites that large is a difficult task. There is a strong chance that a cracked account can get lost in the mix.

Other popular targets are government sites. Here, you see the anarchistic element of the cracker personality emerging: the desire to embarrass government agencies. Such an attack, if successful, can bring a cracker great prestige within the subculture. It does not matter if that cracker is later caught; the point is, he or she cracked a supposedly secure site. This telegraphs the news of the cracker's skill to crackers across the Internet.

Why Do They Want to Attack?

There are a number of reasons why crackers might want to attack your system:

• Spite--Plainly stated, the cracker may dislike you. Perhaps he is a disgruntled employee from your company. Perhaps you flamed him in a Usenet group. One common scenario is for a cracker to crack an ISP with which he once had an account. Perhaps the ISP discovered the cracker was cracking other networks or storing warez on its box. For whatever reason, the ISP terminated the cracker's account, and now the cracker is out for revenge.

• Sport--Perhaps you have been bragging about the security of your system, telling people it's impenetrable. Or worse, you own a brand-spanking-new system that the cracker has never dealt with before. These are challenges a cracker cannot resist.

• Profit--Someone pays a cracker to bring you down or to get your proprietary data.

• Stupidity--Many crackers want to impress their friends, so they purposefully undertake acts that will bring the FBI to their door. These are mostly kids.

• Curiosity--Many crack purely for the sake of curiosity, simple enjoyment of the process, or out of boredom.

• Politics--A small (but significant) percentage of crackers crack for political reasons. That is, they seek press coverage to highlight a particular issue. This could be animal rights, arms control, free speech, and so forth. This phenomenon is much more common in Europe than in the U.S. Americans fall victim to pride or avarice far more often than they do to ideology.

All of these reasons are vices. These vices become excess when you break the law. With breaking the law comes a certain feeling of excitement; that excitement can negatively influence your reasoning.

Crack Level Index

Attacks are classified into levels, each representing one level of depth into your network. We will refer to these as levels of sensitivity. Points along those levels identify the risks associated with each cracking technique. We will refer to those as states of attack.

Levels of Sensitivity 

The levels of sensitivity in all networks are pretty much the same (barring those using secure network operating systems). The common risks can be summed up in a list, which has basically not changed for a decade. The list rarely changes, except with the introduction of new technologies, such as ActiveX, that allow arbitrary execution of binaries over the Net. 

The majority of crackers capitalize on the holes we hear about daily in security newsgroups. If you have frequented these groups (or a security mailing list) you will have read these words a thousand times: 

• "Oh, they had test.cgi still installed in their cgi-bin directory."

• "It was a Linux box and apparently, they installed sudo and some of the demo users."

• "It was the phf script that did them in."

Level One 

Attacks classified in the level-one category are basically irrelevant. Level-one attacks include denial-of-service attacks and mail bombing. At best, these techniques require 30 minutes of your time to correct. This is because these attacks are instituted with the express purpose of nuisance. In most instances, you can halt these problems by applying an exclusionary scheme.

Levels Two and Three 

Levels two and three involve things like local users gaining read or write access to files (or directories) they shouldn't. This can be a problem, depending largely on the character of the file(s). Certainly, any instance of a local user being able to access the /tmp directory can be critical. This could potentially pave a pathway to level-three issues (the next stage) where a user could conceivably gain write access as well (and thus progress to a level-four environment). This is an issue primarily for UNIX administrators or NT administrators. 

Level Four 

Level-four issues are usually related to outsiders being able to access internal files. This access may vary. They may be able to do no more than verify the existence of certain files, or they may be able to read them. Level-four problems also include those vulnerabilities whereby remote users--without valid accounts--can execute a limited number of commands on your server. 

The highest percentage of these holes arise through misconfiguration of your server, bad CGI, and overflow problems. 

Levels Five and Six 

Levels five and six consist of conditions whereby things are allowed to occur that never should. Any level five or six hole is fatal. At these stages, remote users can read, write, and execute files (usually, they have used a combination of techniques to get to this stage). Fortunately, if you have closed levels two, three, and four, it is almost impossible that you will ever see a level five or six crisis. If you close lesser avenues of entry, a level-six vulnerability is most likely to originate with a vendor's faulty software. 

Response Levels 

What do you do if you discover an attack in progress? It depends on the situation. 

Responding to Level-One Attacks 

Level-one attacks can be treated as described previously. Filter the incoming address and contact the attacker's service provider. These are minor inconveniences. Only when the denial-of-service attack appears to be related to some other form of attack (perhaps more sophisticated) or where it continues for some time (as in the Panix.com case) should you bother to do more than exclude the incoming traffic. However, if you are in a situation identical to Panix, you may want to contact CERT or other authorities. 

Responding to Level-Two Attacks 

Level-two attacks can be dealt with internally. There is no reason to leak information that local users can access things they shouldn't. Basically, freeze or eliminate the user's account. If there are complaints, let your lawyers sort it out. If you "counsel" the individual, you will see poor results. Within a month, he or she will be at it again. You are not engaged in a game. There is no guarantee that this internal user is just an innocent, curious individual. One last thing: give no warning about freezing the account. This way, you can preserve any evidence that might otherwise be deleted. 

Responding to Level-Three, -Four, and -Five Attacks

If you experience any sort of an attack higher than a level two, you have a problem. Your job, then, is to undertake several actions:

• Isolate the network segment so that the activity can only occur in a small area

• Allow the activity to continue

• Log all activity heavily

• Make every effort (using a different portion of the network) to identify the source or sources of the attacks

You are dealing with a criminal. Under state and federal statutes, this type of access is a crime. If you are to capture that criminal, you will need evidence. Generating that evidence will take time.

The standards of evidence in an Internet criminal case are not exactly settled. Certainly, the mere act of someone trying to retrieve your /etc/passwd file by sendmail will not support a criminal case. Nor will evidence of a handful of showmount requests. In short, to build an iron-clad case against an intruder, you must have some tangible evidence that the intruder was within your network or, alternatively, some tangible evidence identifying the intruder as the one who downed your server in a denial-of-service attack. To do this, you must endure the brunt of the attack (although you can institute some safeguards to ensure that this attack does not harm your network).

My advice in such a situation would be to call in not only some law enforcement but also at least one qualified security firm to assist in snagging the offender. The most important features of such an operation are logs and, of course, locating the perpetrator. You can provide the logs on your own. However, as far as tracing the individual, you can only go so far. You might start with a simple traceroute and, before you're finished, you may have implemented a dozen different techniques only to find that the network from which the perpetrator is hailing is either also a victim (that is, the cracker is island hopping), a rogue site, or even worse, located in a country beyond the reach of the U.S. Justice Department. In such cases, little can be done besides shoring up your network and getting on with your business. Taking any other course of action might be very costly and largely a waste of time.
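The response rules in this section (exclude a level-one source and move on; isolate, keep logging and identify anything at level three or higher) can be turned into a small log-triage script. The following is an added example and is not code from the book: it parses constructed access-log and sendmail-style syslog lines, assigns each source address the highest level its behaviour reaches using the index above (a flood of SMTP connections as the level-one mail-bombing pattern; requests for the phf and test.cgi programs in cgi-bin as the level-four probes the text names), keeps the matching lines as evidence, and separates the addresses to filter from those to escalate. The log formats, the connection threshold, the addresses and the function names are all assumptions made for the example.

```python
"""Triage log lines against the chapter's attack levels (added example)."""
import re
from collections import defaultdict

# The CGI programs the text names as the holes crackers look for; a request
# for one of them from a remote host is treated as a level-four probe.
LEVEL_FOUR_CGI = ("phf", "test.cgi")

# Assumed log shapes: NCSA/Apache common log format for the web server and a
# simplified "connect from [addr]" syslog line for sendmail.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
MAIL_RE = re.compile(r"sendmail\[\d+\]: connect from \[(?P<src>[\d.]+)\]")

# Constructed sample data (not from any real system): two probes for the named
# CGI programs from one address, one ordinary request, and a burst of 30 SMTP
# connections from another address within a few minutes.
WEB_LINES = [
    '198.51.100.7 - - [12/Mar/1997:03:14:01 -0800] "GET /cgi-bin/phf HTTP/1.0" 404 0',
    '198.51.100.7 - - [12/Mar/1997:03:14:05 -0800] "GET /cgi-bin/test.cgi HTTP/1.0" 200 312',
    '203.0.113.9 - - [12/Mar/1997:03:15:10 -0800] "GET /index.html HTTP/1.0" 200 2048',
]
MAIL_LINES = [
    f"Mar 12 03:{20 + i // 60:02d}:{i % 60:02d} host sendmail[{400 + i}]: connect from [192.0.2.44]"
    for i in range(30)
]
SAMPLE_LOG = WEB_LINES + MAIL_LINES


def parse_line(line):
    """Return (source_address, kind, detail) or None for an unrecognised line."""
    m = CLF_RE.match(line)
    if m:
        return m.group("src"), "http", m.group("path")
    m = MAIL_RE.search(line)
    if m:
        return m.group("src"), "smtp", "connect"
    return None


def classify_path(path):
    """Level four if the request names one of the listed CGI programs in cgi-bin."""
    base = path.split("?", 1)[0]          # ignore the query string
    directory, _, name = base.rpartition("/")
    return 4 if directory.endswith("/cgi-bin") and name in LEVEL_FOUR_CGI else 0


def triage(lines, flood_threshold=20):
    """Group events by source and record the highest level each source reaches.

    Level one : more than flood_threshold SMTP connections from one address
                (the nuisance / mail-bombing pattern) -> exclude and move on.
    Level four: a request for phf or test.cgi in cgi-bin -> escalate.
    Level zero: nothing in these lines to act on.
    """
    per_source = defaultdict(lambda: {"level": 0, "smtp_connects": 0, "evidence": []})
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        src, kind, detail = parsed
        rec = per_source[src]
        if kind == "smtp":
            rec["smtp_connects"] += 1
            if rec["smtp_connects"] >= flood_threshold and rec["level"] < 1:
                rec["level"] = 1
                rec["evidence"].append(raw.strip())   # the line that crossed the threshold
        elif kind == "http":
            level = classify_path(detail)
            if level:
                rec["level"] = max(rec["level"], level)
                rec["evidence"].append(raw.strip())   # keep every probe for the record
    return dict(per_source)


def exclusion_list(report):
    """Addresses whose worst observed behaviour is level one: candidates for the filter."""
    return sorted(src for src, rec in report.items() if rec["level"] == 1)


def escalation_list(report):
    """Addresses at level three or above: isolate, keep logging, preserve the evidence."""
    return sorted(src for src, rec in report.items() if rec["level"] >= 3)


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for src, rec in sorted(report.items()):
        print(f"{src:15} level {rec['level']}  evidence lines: {len(rec['evidence'])}")
    print("filter:  ", exclusion_list(report))
    print("escalate:", escalation_list(report))
```

The threshold and the two CGI names are the only tuning points; in practice the exclusion list would be fed to whatever packet filter the site uses, while the evidence lists for escalated sources are what you would hand to the security firm or law enforcement the text recommends.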

 These levels of attack are defined numerically (level one being the least harmful, level six being the most harmful).