Types of attacks. What is a network attack. Passive types of computer attacks

1. Packet interception.

A packet sniffer (from the English sniff) is an application program that uses a network interface operating in promiscuous mode. In this mode, the network adapter passes on all packets received over the physical channel, regardless of who they are addressed to, and hands them to the application for processing. Currently, sniffers are used in networks on a completely legal basis, for fault diagnosis and traffic analysis. However, because some network applications transfer data in text format (Telnet, FTP, SMTP, POP3, etc.), a sniffer can reveal useful and sometimes sensitive information (for example, usernames and passwords).

Interception of logins and passwords creates a great danger. If the application runs in client-server mode, and authentication data is transmitted over the network in readable text format, then this information can most likely be used to access other corporate or external resources. In the worst case scenario, an attacker will gain access to a user resource at the system level and use it to create a new user who can be used at any time to access the network and its resources.

2. IP spoofing.

IP spoofing (from the English spoof, a hoax) occurs when an attacker, inside or outside a corporation, impersonates an authorized user. This can be achieved in two ways:

a) use of an IP address that is within the range of authorized IP addresses;

b) use of an authorized external address that is allowed access to certain network resources.

IP spoofing attacks are often the starting point for other attacks. A classic example is a DoS attack, which starts from someone else's address, hiding the true identity of the attacker.

Typically, IP spoofing is limited to inserting false information or malicious commands into the normal flow of data transmitted between a client and server application or over a communication channel between peer devices. For two-way communication, the attacker must modify all routing tables to direct traffic to the false IP address.

If the attacker managed to change the routing tables and direct network traffic to a false IP address, then he will receive all packets and will be able to respond to them as if he were an authorized user.

3. Denial of service.

Denial of Service (DoS) is without a doubt the most well-known form of network attack. In addition, attacks of this type are the most difficult to create 100% protection against. Organizing a DoS attack requires minimal knowledge and skills. Nevertheless, it is the ease of implementation and the enormous scale of harm caused that attracts attackers to DoS attacks.

This attack is significantly different from other types of attacks. Attackers do not intend to gain access to the network or obtain any information from that network, but a DoS attack makes your network unavailable for normal use by exceeding the permissible limits of the network, operating system or application. In the case of some server applications (such as a Web server or FTP server), DoS attacks can involve taking over all connections available to those applications and keeping them occupied, preventing ordinary users from being served. DoS attacks can use common Internet protocols such as TCP and ICMP.

Some attacks cripple network performance by flooding it with unwanted and unnecessary packets or misleading information about the current state of network resources. When an attack of this type is carried out simultaneously through many devices, we talk about a distributed DoS attack (from the English distributed DoS, abbreviated DDoS).

4. Password attacks.

Attackers can conduct password attacks using a variety of methods, such as brute force attack, Trojan horse, IP spoofing, and packet sniffing. Although the login and password can often be obtained using IP spoofing and packet sniffing, attackers often try to guess the password and login using multiple access attempts. This approach is called simple enumeration (brute force).

For such an attack, a special program is used that tries to gain access to a public resource (for example, a server). If the attacker is granted access as a result, he receives it as the user whose password was guessed. If that user has significant access privileges, the attacker can create a gateway for future access that will remain in effect even if the user changes their password.

5. Man-in-the-middle attacks.

For a Man-in-the-Middle attack, the attacker needs access to packets transmitted over the network. Such access to all packets transmitted from a provider to any other network can, for example, be obtained by an employee of this provider. Packet sniffers, transport protocols, and routing protocols are often used for this type of attack. Attacks are carried out with the aim of stealing information, intercepting the current session and gaining access to private network resources, analyzing traffic and obtaining information about the network and its users, carrying out DoS attacks, distorting transmitted data, and entering unauthorized information into network sessions.

6. Application level attacks.

Application-level attacks can be carried out in several ways. The most common of them is the use of well-known weaknesses in server software (sendmail, HTTP, FTP). Using these weaknesses, attackers can gain access to a computer on behalf of the user running the application (usually this is not a simple user, but a privileged administrator with system access rights). Information about application-level attacks is widely published to give administrators the opportunity to correct the problem using corrective modules (patches). Unfortunately, many hackers also have access to this information, which allows them to improve their techniques.

The main problem with application-level attacks is that attackers often use ports that are allowed to pass through the firewall. For example, an attacker exploiting a known weakness in a Web server will often use port 80 in a TCP attack. Since the Web server provides Web pages to users, the firewall must provide access to this port. From the firewall's point of view, the attack is treated as standard traffic on port 80.

7. Network intelligence.

Network intelligence refers to the collection of network information using publicly available data and applications. When preparing an attack against a network, an attacker usually tries to obtain as much information about it as possible. Network reconnaissance is carried out in the form of DNS queries, pings and port scanning. DNS queries help you understand who owns a particular domain and what addresses are assigned to that domain. Pinging addresses revealed by DNS allows you to see which hosts are actually running in a given environment. After receiving a list of hosts, the attacker uses port scanning tools to compile a complete list of services supported by those hosts. Finally, it analyzes the characteristics of the applications running on the hosts. As a result, he obtains information that can be used for hacking.

8. Breach of trust.

Strictly speaking, this type of action is not in the full sense of the word an attack or assault. It represents the malicious exploitation of trust relationships that exist in a network. A classic example of such abuse is the situation in the peripheral part of the corporate network. This segment often houses DNS, SMTP, and HTTP servers. Since they all belong to the same segment, hacking any one of them leads to hacking all the others, since these servers trust other systems on their network. Another example is a system installed on the outside of the firewall that has a trust relationship with a system installed on the inside of the firewall. If an external system is compromised, an attacker can use trust relationships to penetrate the firewall-protected system.

9. Port forwarding.

Port forwarding is a form of abuse of trust in which a compromised host is used to pass traffic through a firewall that would otherwise be rejected. Let's imagine a firewall with three interfaces, each of which is connected to a specific host. An external host can connect to a shared host (DMZ), but not to one installed on the inside of the firewall. A shared host can connect to both an internal and an external host. If an attacker takes over a shared host, he can install software on it that redirects traffic from the external host directly to the internal one. Although this does not violate any of the rules on the firewall, the external host gains direct access to the protected host as a result of the redirection. An example of an application that can provide such access is netcat.

10. Unauthorized access.

Unauthorized access cannot be identified as a separate type of attack, since most network attacks are carried out precisely to gain unauthorized access. To guess a Telnet login, an attacker must first get a Telnet prompt on his system. After connecting to the Telnet port, the message “authorization required to use this resource” appears on the screen. If the attacker continues to attempt access after this, they will be considered unauthorized. The source of such attacks can be either inside the network or outside.

11. Viruses and Trojan horse applications

End user workstations are very vulnerable to viruses and Trojan horses. Viruses are malicious programs that are inserted into other programs to perform a specific unwanted function on the end user's workstation. An example is a virus that is written in the command.com file (the main interpreter of Windows systems) and erases other files, and also infects all other versions of command.com it finds.

A Trojan horse is not a software insert, but a real program that at first glance seems to be a useful application, but in fact plays a harmful role. An example of a typical Trojan horse is a program that looks like a simple game for the user's workstation. However, while the user is playing the game, the program sends a copy of itself by email to every subscriber in that user's address book. All subscribers receive the game by mail, causing its further distribution.

The class of network attacks includes attacks that cause suspicious, anomalous behavior of network traffic on a corporate network. These are so-called network anomalies. Network anomalies can also be classified. They can be divided into two main groups: hardware and software deviations and security problems (Fig. 1.2.1.)

1. Software and hardware deviations.

Errors in the software of information system components may result in a transfer to abnormal mode with subsequent termination of the provision of services.

Configuration errors make the functionality of information system components deviate from the standard design parameters, which disrupts overall performance.

Performance violations cause the parameters of the information system to depart from the calculated values, which is accompanied by a disruption in the provision of services.

Hardware faults can lead to both the complete failure of individual components of the information system, and the degrading influence of a separate subsystem on the entire complex.

2. Security violations.

Network scanning is performed to analyze the network topology and detect services available for attack. During the scanning process, an attempt is made to connect to network services by accessing a specific port. In the case of an open scan, the scanner performs a three-way handshake procedure, and in the case of a closed (stealth) scan, it does not complete the connection. Since when scanning a single host, an enumeration of services (ports) occurs, this anomaly is characterized by attempts to access from one scanner IP address to a specific IP address on multiple ports. However, most often entire subnets are scanned, which is expressed in the presence in the attacked network of many packets from one scanner IP address to multiple IP addresses of the subnet being examined, sometimes even using a sequential search method. The most famous network scanners are: nmap, ISS, satan, strobe, xscan and others.

Traffic analyzers or sniffers are designed to intercept and analyze network traffic. In the simplest case, this involves switching the network adapter of the hardware complex to listening mode, after which the data flows in the segment to which it is connected become available for further study. Since many application programs use protocols that transmit information in clear, unencrypted form, the work of sniffers dramatically reduces the level of security. Note that sniffers do not cause pronounced anomalies in network operation. The most famous sniffers are: tcpdump, ethereal, sniffit, Microsoft network monitor, netxray, lan explorer.

In computer security, the term vulnerability is used to designate a component of an information system that is weakly protected from unauthorized influence. The vulnerability may be the result of design, programming, or configuration errors. A vulnerability can exist only theoretically or have a software implementation that exploits it, an exploit. In the network aspect, information resources such as operating systems and service software may contain vulnerabilities.

Viral network activity is the result of attempts to spread computer viruses and worms using network resources. Most often, a computer virus exploits a single vulnerability in a network application service, so virus traffic is characterized by the presence of many calls from one infected IP address to many IP addresses on a specific port corresponding to a potentially vulnerable service.
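As an added example (not part of the original text), the following Python script applies the two traffic signatures just described, the single-host port enumeration of a scanner and the one-port-to-many-hosts pattern that both a subnet scan and worm spreading produce, to constructed iptables-style LOG lines; the addresses, thresholds and log lines are assumptions.

```python
"""Flag the scan and worm-spread traffic patterns described in the text.

Added example, not from the original text. It parses constructed lines in the
iptables LOG format (SRC= DST= DPT=) and reports, per source address:
  - a vertical scan: one source, one destination, many ports;
  - a sweep: one source, one port, many destinations (subnet scan or worm),
    noting when the destinations form a contiguous (sequential) range.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+).*?DPT=(\d+)")

# Thresholds are assumptions for the demo; tune them to the monitored network.
VERTICAL_PORTS = 8    # ports hit on a single host before we call it a scan
SWEEP_HOSTS = 8       # hosts hit on a single port before we call it a sweep


def parse_flows(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Extract (src, dst, dport) from iptables-style LOG lines; skip others."""
    flows = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3))))
    return flows


def is_contiguous(addrs: Set[str]) -> bool:
    """True if the addresses form one unbroken range (sequential search)."""
    nums = sorted(int(ipaddress.ip_address(a)) for a in addrs)
    return nums[-1] - nums[0] == len(nums) - 1


def classify_sources(flows: List[Tuple[str, str, int]]) -> Dict[str, List[str]]:
    """Return {src_ip: [findings]}; sources with no finding are omitted."""
    ports_per_dst: Dict[str, Dict[str, Set[int]]] = defaultdict(lambda: defaultdict(set))
    dsts_per_port: Dict[str, Dict[int, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for src, dst, port in flows:
        ports_per_dst[src][dst].add(port)
        dsts_per_port[src][port].add(dst)

    findings: Dict[str, List[str]] = defaultdict(list)
    # One source, one destination, many ports: service enumeration on a host.
    for src, per_dst in ports_per_dst.items():
        for dst, ports in per_dst.items():
            if len(ports) >= VERTICAL_PORTS:
                findings[src].append(f"vertical scan of {dst}: {len(ports)} ports")
    # One source, one port, many destinations: subnet scan or worm spreading.
    for src, per_port in dsts_per_port.items():
        for port, dsts in per_port.items():
            if len(dsts) >= SWEEP_HOSTS:
                shape = "sequential" if is_contiguous(dsts) else "scattered"
                findings[src].append(f"{shape} sweep of {len(dsts)} hosts on port {port}")
    return dict(findings)


def sample_log() -> List[str]:
    """Constructed log: a port scanner, a worm-like sweep and normal traffic."""
    lines = []
    # 203.0.113.7 enumerates ports 20..39 on one internal host (vertical scan)
    for p in range(20, 40):
        lines.append(f"kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT={p}")
    # 192.0.2.55 (infected host) hits port 445 on 192.0.2.1..192.0.2.30 in order
    for i in range(1, 31):
        lines.append(f"kernel: IN=eth1 SRC=192.0.2.55 DST=192.0.2.{i} PROTO=TCP DPT=445")
    # ordinary client traffic from 192.0.2.20
    lines += [
        "kernel: IN=eth1 SRC=192.0.2.20 DST=192.0.2.10 PROTO=TCP DPT=80",
        "kernel: IN=eth1 SRC=192.0.2.20 DST=192.0.2.10 PROTO=TCP DPT=443",
        "kernel: IN=eth1 SRC=192.0.2.20 DST=198.51.100.3 PROTO=TCP DPT=25",
    ]
    return lines


if __name__ == "__main__":
    for src, notes in classify_sources(parse_flows(sample_log())).items():
        print(src, "->", "; ".join(notes))
```

Real deployments would additionally window the counts by time, since the same source talking to many hosts over a month is not a sweep.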

IP Network Security Issues

Analysis of network security threats.

To organize communications in a heterogeneous network environment, a set of TCP/IP protocols is used, ensuring compatibility between computers of different types. Compatibility is one of the main advantages of TCP/IP, which is why most computer networks support these protocols. In addition, TCP/IP protocols provide access to the resources of the global Internet.

Due to its popularity, TCP/IP has become the de facto standard for internetworking. However, the ubiquity of the TCP/IP protocol stack has also exposed its weaknesses. When creating their brainchild, the architects of the TCP/IP stack saw no reason to particularly worry about protecting the networks built on top of it. Therefore, the specifications of early versions of the IP protocol lacked security requirements, which led to the inherent vulnerability of its implementation.

The rapid growth in the popularity of Internet technologies is accompanied by an increase in serious threats of disclosure of personal data, critical corporate resources, state secrets, etc.

Every day, hackers and other malicious actors threaten online information resources by attempting to gain access to them using special attacks. These attacks are becoming more sophisticated in impact and simpler to execute. Two main factors contribute to this.

Firstly, this is the widespread penetration of the Internet. Today, millions of computers are connected to this network. With many millions of computers connected to the Internet in the near future, the likelihood of hackers gaining access to vulnerable computers and computer networks is increasing. In addition, the widespread use of the Internet allows hackers to exchange information on a global scale.

Secondly, there is the widespread proliferation of easy-to-use operating systems and development environments. This factor sharply reduces the requirements for the level of knowledge of the attacker. Previously, a hacker needed good programming knowledge and skills to create and distribute malware. Now, in order to gain access to a hacker's tool, you just need to know the IP address of the desired site, and to carry out an attack, just click the mouse.

Problems of ensuring information security in corporate computer networks are caused by security threats to local workstations, local networks and attacks on corporate networks that have access to public data networks.

Network attacks are as varied as the systems they target. Some attacks are very difficult. Others can be carried out by an ordinary operator who does not even imagine what consequences his activities may have.

An intruder, when carrying out an attack, usually sets himself the following goals:

- violation of the confidentiality of transmitted information;

- violation of the integrity and reliability of transmitted information;

- disruption of the system as a whole or its individual parts.

From a security point of view, distributed systems are characterized primarily by the presence of remote attacks, since components of distributed systems usually use open data transmission channels and an intruder can not only passively eavesdrop on transmitted information, but also modify transmitted traffic (active influence). And while active impact on traffic can be recorded, passive impact is practically undetectable. But since during the operation of distributed systems the exchange of service information between system components is also carried out via open data transmission channels, service information becomes the same object of attack as user data.

The difficulty of detecting the fact of a remote attack puts this type of illegal action in first place in terms of the degree of danger, since it prevents a timely response to the threat, as a result of which the violator increases the chances of successfully carrying out the attack.

Local network security differs from internetwork security in that violations by registered users come first in importance, since, in general, local network data transmission channels are located in a controlled area and protection against unauthorized connection to them is implemented by administrative methods.

In practice, IP networks are vulnerable to a number of methods of unauthorized intrusion into the data exchange process. As computer and network technologies develop (for example, with the advent of mobile Java applications and ActiveX controls), the list of possible types of network attacks on IP networks is constantly expanding [Galitsky A.V., Ryabko S.D., Shangin V.F. Protecting information on the network - analysis of technologies and synthesis of solutions. M.: DMK Press, 2004].

Let's look at the most common types of network attacks.

Eavesdropping (sniffing). Much of the data on computer networks is transmitted in an unsecured format (plaintext), which allows an attacker with access to the data lines on your network to eavesdrop on or read the traffic. For eavesdropping on computer networks, a sniffer is used. A packet sniffer is an application program that intercepts all network packets transmitted through a specific domain.

Currently, sniffers operate on networks on a completely legal basis. They are used for fault diagnosis and traffic analysis. However, since some network applications transfer data in text format (Telnet, FTP, SMTP, POP3, etc.), using a sniffer can reveal useful and sometimes sensitive information (for example, usernames and passwords).

Sniffing passwords transmitted over a network in unencrypted form by “eavesdropping” on the channel is a type of eavesdropping attack. Login and password interception poses a major threat because users often use the same login and password for multiple applications and systems. Many users generally have one password to access all resources and applications. If the application runs in client/server mode and the authentication data is transmitted over the network in a readable text format, this information can likely be used to access other corporate or external resources.

In the worst case scenario, a hacker gains system-level access to a user resource and uses it to create new user attributes that can be used to access the network and its resources at any time.

You can prevent the threat of packet sniffing by using the following measures and means:

- use of one-time passwords for authentication;

- installation of hardware or software that recognizes sniffers;

- application of cryptographic protection of communication channels.

Changing data. An attacker who was able to read your data will be able to take the next step: change it. Data in a packet can be changed even if the attacker knows nothing about the sender or the recipient. Even if you don't need strict confidentiality of all transmitted data, you probably do not want it to be changed along the way.

Network traffic analysis. The purpose of attacks of this type is to listen to communication channels and analyze the transmitted data and service information in order to study the topology and architecture of the system and obtain critical user information (for example, user passwords or credit card numbers transmitted in the clear). Protocols such as FTP or Telnet are susceptible to this type of attack, because they transmit the user name and password in clear text.

Substitution of a trusted subject. Most networks and operating systems use the computer's IP address to determine whether this is the intended addressee. In some cases an IP address may be assigned incorrectly (the sender's IP address substituted with another address); this attack method is called address falsification (IP spoofing).

IP spoofing occurs when an attacker, inside or outside a corporation, impersonates a legitimate user. An attacker could use an IP address that is within the range of authorized IP addresses, or an authorized external address that is allowed access to certain network resources. An attacker can also use special programs that shape IP packets so that they appear to be coming from authorized internal addresses on the corporate network.

IP spoofing attacks are often the starting point for other attacks. A classic example is a denial of service (DoS) attack, which begins from someone else's address, hiding the true identity of the hacker. Typically, IP spoofing is limited to inserting false information or malicious commands into the normal flow of data transmitted between a client and server application or over a communication channel between peer devices.

The threat of spoofing can be mitigated (but not eliminated) by the following measures:

- correct configuration of access control from the external network;

- suppression of attempts to spoof other people's networks by users of their network.

It should be kept in mind that IP spoofing can occur if users are authenticated based on IP addresses, so introducing additional user authentication methods (based on one-time passwords or other cryptographic methods) can prevent IP spoofing attacks.
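The two mitigations above correspond to ingress and egress filtering at the border router (egress filtering of one's own users is the approach of BCP 38). As an added example, not from the original text, the following Python code models both checks; the site prefix 192.0.2.0/24, the interface names and the sample packets are constructed.

```python
"""Anti-spoofing checks at a border router, modelling the two mitigations in
the text: control which source addresses the external network may present
(ingress filtering) and stop the site's own users from sending packets with
foreign source addresses (egress filtering).

Added example, not from the original text. The site prefix, interface names
and packets below are constructed.
"""
import ipaddress
from typing import List, Tuple

# Assumed address space of the protected site.
INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]

# Sources that can never legitimately arrive from the Internet:
# RFC 1918 private space, loopback, and "this network".
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8",
)]


def _in_any(addr, nets) -> bool:
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)


def filter_packet(iface: str, src: str) -> Tuple[bool, str]:
    """Decide whether a packet with source `src` seen on `iface` may pass.

    iface is "ext" (Internet-facing) or "int" (site-facing).
    Returns (allowed, reason).
    """
    addr = ipaddress.ip_address(src)
    if iface == "ext":
        # Ingress: an outside packet claiming one of our own addresses is the
        # "authorized internal address" spoof the text describes.
        if _in_any(addr, INTERNAL):
            return False, "ingress: external packet claims an internal source"
        if _in_any(addr, NEVER_FROM_OUTSIDE):
            return False, "ingress: private or bogon source from outside"
        return True, "ingress: ok"
    if iface == "int":
        # Egress: our users may only send with our own prefix as source, which
        # stops them from spoofing other people's networks (e.g. for DoS).
        if not _in_any(addr, INTERNAL):
            return False, "egress: internal host spoofing a foreign source"
        return True, "egress: ok"
    return False, f"unknown interface {iface}"


def audit(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run filter_packet over (iface, src) pairs; return the dropped ones."""
    dropped = []
    for iface, src in packets:
        allowed, reason = filter_packet(iface, src)
        if not allowed:
            dropped.append((iface, src, reason))
    return dropped


# Constructed sample: three spoofed or impossible packets among legitimate ones.
SAMPLE_PACKETS = [
    ("ext", "198.51.100.9"),   # normal Internet client
    ("ext", "192.0.2.5"),      # outsider pretending to be one of our hosts
    ("ext", "10.4.4.4"),       # private source cannot come from the Internet
    ("int", "192.0.2.5"),      # normal outbound packet
    ("int", "203.0.113.1"),    # our host forging someone else's address
]

if __name__ == "__main__":
    for iface, src, reason in audit(SAMPLE_PACKETS):
        print(f"DROP {iface} src={src}: {reason}")
```

Note that these filters cannot catch a spoofed source that is itself a legitimate external address, which is why the text recommends not authenticating users by IP address alone.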

Mediation. A man-in-the-middle attack involves active eavesdropping, interception, and control of transmitted data by an invisible intermediate node. When computers communicate at low network levels, they cannot always determine with whom they are communicating.

Mediation in the exchange of unencrypted keys (Man-in-the-Middle attack). To carry out a Man-in-the-Middle attack, an attacker needs access to packets transmitted over the network. Such access to all packets transmitted from an ISP to any other network can, for example, be obtained by an employee of this provider. Packet sniffers, transport protocols, and routing protocols are often used for this type of attack.

In a more general case, Man-in-the-Middle attacks are carried out to steal information, intercept the current session and gain access to private network resources, analyze traffic and obtain information about the network and its users, carry out DoS attacks, distort transmitted data, and enter unauthorized information into network sessions.

Man-in-the-Middle attacks can only be effectively combated using cryptography. To counter this type of attack, a public key infrastructure (PKI) is used.

Session hijacking. After the initial authentication procedure is completed, the connection established by the legitimate user, for example, with a mail server, is switched by the attacker to a new host, and the original server is commanded to terminate the connection. As a result, the “interlocutor” of the legitimate user is quietly replaced.

After gaining access to the network, the attacker has great opportunities:

- he may send incorrect data to applications and network services, causing them to crash or malfunction;

- he can also flood a computer or entire network with traffic until the system crashes due to overload;

- finally, the attacker can block traffic, which will lead to loss of access to network resources for authorized users.

Denial of Service (DoS). This attack is different from other types of attacks. It is not aimed at gaining access to your network or extracting any information from that network. A DoS attack makes an organization's network unavailable for normal use by exceeding the permissible limits of the network, operating system, or application. Essentially, this attack denies normal users access to resources or computers on an organization's network.

Most DoS attacks rely on general weaknesses in the system architecture. In the case of some server applications (such as a Web server or FTP server), DoS attacks can involve taking over all connections available to those applications and keeping them busy, preventing ordinary users from being served. DoS attacks can use common Internet protocols such as TCP and ICMP (Internet Control Message Protocol).

DoS attacks are difficult to prevent because they require coordination with your ISP. If the traffic intended to overwhelm your network cannot be stopped at the provider, then at the entrance to the network you will no longer be able to do this, because all the bandwidth will be occupied.

If this type of attack is carried out simultaneously through many devices, we speak of a distributed denial of service (DDoS, distributed DoS) attack.

The ease of implementation of DoS attacks and the enormous harm they cause to organizations and users attract the close attention of network security administrators to these attacks.

Password attacks. The goal of these attacks is to obtain the password and login of the legitimate user. Attackers can conduct password attacks using methods such as:

- IP address substitution (IP spoofing);

- eavesdropping (sniffing);

- simple enumeration (brute force).

IP spoofing and packet sniffing were discussed above. These methods allow you to capture a user's password and login if they are transmitted in clear text over an insecure channel.

Often hackers try to guess the password and login using numerous access attempts. This approach is called a brute force attack. This attack uses a special program that tries to gain access to a public resource (for example, a server). If, as a result, the attacker manages to guess the password, he gains access to the resources as a regular user. If this user has significant access privileges, the attacker can create a "pass" for himself for future access that will remain in effect even if the user changes their password and login.

Tools for intercepting, selecting and cracking passwords are currently considered practically legal and are officially produced by a fairly large number of companies. They are marketed as security auditing and lost password recovery software and can be legally purchased from the developers.

Password attacks can be avoided by not using plain text passwords. The use of one-time passwords and cryptographic authentication can virtually eliminate the threat of such attacks. Unfortunately, not all applications, hosts, and devices support these authentication methods.

When using regular passwords, you need to come up with a password that is difficult to guess. The minimum password length must be at least eight characters. The password must include uppercase characters, numbers, and special characters (#, $, &, %, etc.).

Guessing the key. A cryptographic key is a code or number needed to decrypt protected information. Although finding out the access key is difficult and requires a lot of resources, it is nevertheless possible. In particular, to determine the value of a key, a special program that implements the exhaustive search method can be used. The key that the attacker gains access to is called compromised. The attacker uses the compromised key to gain access to protected transmitted data without the knowledge of the sender and recipient. The key makes it possible to decrypt and change data.

Application level attacks. These attacks can be carried out in several ways. The most common of them is to exploit known weaknesses in server software (FTP, HTTP, Web servers).

The main problem with application-layer attacks is that they often use ports that are allowed to pass through the firewall.

Information about application-level attacks is widely published to enable administrators to correct the problem using corrective modules (patches). Unfortunately, many hackers also have access to this information, which allows them to learn.

It is impossible to completely eliminate application-level attacks. Hackers are constantly discovering and publishing new vulnerabilities in application programs on their Internet sites.

Good system administration is important here. To reduce your vulnerability to this type of attack, you can take the following steps:

- analyze operating system log files and network log files using special analytical applications;

- monitor CERT data on application software weaknesses;

- use the latest versions of operating systems and applications and the latest correction modules (patches);

- use IDS (Intrusion Detection Systems) attack detection systems.

Network intelligence is the collection of network information using publicly available data and applications. When preparing an attack against a network, a hacker usually tries to get as much information about it as possible.

Network reconnaissance is carried out in the form of DNS queries, echo testing (ping sweep) and port scanning. DNS queries help you understand who owns a particular domain and what addresses are assigned to that domain. Pinging addresses revealed by DNS allows you to see which hosts are actually running in a given environment. After receiving a list of hosts, the hacker uses port scanning tools to compile a complete list of services supported by those hosts. As a result, information is obtained that can be used for hacking.

It is impossible to completely get rid of network intelligence. If, for example, you disable ICMP echo and echo reply on edge routers, you get rid of ping testing, but you lose the data needed to diagnose network failures. In addition, you can scan ports without prior ping testing. It will just take more time, since you will have to scan non-existent IP addresses.

Network- and host-level IDS systems typically do a good job of alerting administrators to ongoing network reconnaissance, allowing them to better prepare for an upcoming attack and alert the ISP on whose network a system is being overly nosy.

Breach of trust. This type of action is not an attack in the full sense of the word. It represents the malicious exploitation of trust relationships that exist in a network. A typical example of such abuse is the situation in the peripheral part of the corporate network. This segment typically houses DNS, SMTP, and HTTP servers. Since they all belong to the same segment, hacking one of them leads to hacking of all the others, since these servers trust other systems on their network.

The risk of breach of trust can be reduced by more tightly controlling the levels of trust within your network. Systems located outside the firewall should never have absolute trust from systems protected by the firewall.

Trust relationships should be limited to specific protocols and, where possible, authenticated not only by IP address but also by other parameters.

Malicious programs. Such programs include computer viruses, network worms and Trojan horse programs.

Viruses are malicious programs that insert themselves into other programs in order to perform a specific unwanted function on the end user's workstation. A virus is usually designed by its authors to remain undetected in a computer system for as long as possible. The initial dormant period of a virus is a survival mechanism. The virus shows itself fully at a specific moment, when some triggering event occurs: for example, Friday the 13th, a known date, and so on.

A variety of virus is the network worm, which spreads over a wide-area network and does not leave a copy of itself on storage media. The term is used for programs that, like tapeworms, move across a computer network from one system to another. The worm uses network support mechanisms to determine which host can be infected. Then, using the same mechanisms, it transfers its body to that host and either activates immediately or waits for suitable conditions for activation. Network worms are a dangerous type of malware because the target of their attack can be any of the millions of computers connected to the global Internet. To protect against a worm, precautions must be taken against unauthorized access to the internal network.

Computer viruses are related to the so-called "Trojan horses" (Trojan programs). A Trojan horse is a program that looks like a useful application but in fact performs harmful functions (destruction of software, copying and sending files with confidential data to the attacker, and so on). The danger of a Trojan horse lies in an additional block of commands inserted into an originally harmless program, which is then provided to users of the automated system (AS). This block of commands can be triggered when some condition occurs (a date, a system state) or on an external command. A user who runs such a program endangers both his own files and the system as a whole.

According to the Sophos Security Threat Management Report, Trojan horses outnumbered viruses and worms by four to one in the first half of 2006, compared with two to one in the first six months of 2005. Sophos also reports the emergence of a new type of Trojan program called ransomware. Such programs steal data from infected computers, after which the user is asked to pay a ransom for it.

End user workstations are highly vulnerable to viruses, worms and Trojan horses.

A feature of modern malware is its targeting of specific application software that has become a de facto standard for most users, primarily Microsoft Internet Explorer and Microsoft Outlook. The mass creation of viruses for Microsoft products is explained not only by the low level of security and reliability of these programs, but also by their worldwide distribution. Authors of malicious software are increasingly exploring "holes" in popular DBMSs, middleware and the corporate business applications built on top of these systems.

Viruses, worms and Trojan horses are constantly evolving, and the main trend in their development is polymorphism. Today it is already quite difficult to draw a line between a virus, a worm and a Trojan: they use almost the same mechanisms, and the slight difference lies only in the degree to which they use them. The design of malicious software has become so unified that, for example, it is almost impossible to distinguish an e-mail virus from a worm with destructive functions. Even "Trojan" programs have a replication function (as one means of counteracting anti-virus tools), so that if desired they can be called viruses (with a distribution mechanism in the form of masquerading as application programs).

To protect against these malicious programs, a number of measures are necessary:

• preventing unauthorized access to executable files;

• testing purchased software;

• monitoring the integrity of executable files and system areas;

• creating a closed program execution environment.

Viruses, worms and Trojan horses are combated with effective antivirus software operating at the user level and, possibly, at the network level. As new viruses, worms and Trojan horses appear, the antivirus databases and tools must be updated.

Spam and phishing refer to non-software threats. The prevalence of these two threats has increased significantly in recent times.

Spam, the volume of which now exceeds 80% of the total volume of mail traffic, can pose a threat to the availability of information by blocking mail servers, or be used to distribute malicious software.

Phishing is a relatively new type of Internet fraud whose purpose is to obtain users' identification data: stolen passwords, credit card numbers, bank account numbers, PIN codes and other confidential information that gives access to the user's money. Phishing does not exploit technical flaws in software but the gullibility of Internet users. The term phishing itself, which echoes fishing, stands for password harvesting fishing. Indeed, phishing is very much like fishing: the attacker throws bait onto the Internet and catches all the fish, that is, the Internet users who bite.

The attacker creates an almost exact copy of the website of the chosen bank (electronic payment system, auction, etc.). Then, using spam technology, an e-mail is sent that is composed to look as much as possible like a real letter from that bank. The letter uses the bank's logos and the names and surnames of real bank managers. As a rule, it states that because of a software change in the Internet banking system the user must confirm or change his credentials. The stated reason for changing the data may be a failure of the bank's software or an attack by hackers. A plausible legend that encourages the user to take the required actions is an indispensable component of a successful phishing fraud. In all cases the purpose of such letters is the same: to make the user click the link provided and then enter his confidential data (passwords, account numbers, PIN codes) on the fake website of the bank (electronic payment system, auction). Having visited the false site, the user enters his confidential data in the appropriate fields, and the scammers then gain access to his mailbox at best, or to his electronic account at worst.

Phishing techniques are being refined, and social engineering methods are in use. Phishers try to frighten the client and invent a critical reason for him to hand over his confidential data. Typically the messages contain threats, such as blocking the account if the recipient does not comply with the requirements set out in the message.

A concept related to phishing has appeared: pharming. This is also a fraud whose goal is to obtain users' personal data, but not through mail; it works directly through official websites. Pharmers replace the numeric addresses of legitimate websites on DNS servers with the addresses of fake ones, so that users are redirected to scam sites. This type of fraud is even more dangerous, since the fake is almost impossible to notice.

Nowadays scammers often use Trojan horses. In this case the phisher's task is greatly simplified: it is enough to make the user visit the phishing site and download a program that will find everything needed on the victim's hard drive by itself. Along with Trojan programs, keyloggers have come into use: on fake sites, spyware that records keystrokes is downloaded to victims' computers. With this approach it is not necessary to reach the clients of a specific bank or company, so phishers have begun to fake general-purpose sites, such as news feeds and search engines.

The success of phishing scams is aided by users' low awareness of the operating rules of the companies on whose behalf the criminals act. In particular, about 5% of users do not know a simple fact: banks do not send letters asking them to confirm their credit card number and PIN online.

According to analysts (www.cnews.ru), the damage caused by phishers to the global economy amounted to $14 billion in 2003, and a year later it reached $44 billion. According to Symantec statistics, in mid-2004 the company's filters blocked up to 9 million e-mails with phishing content every week. By the end of the year, 33 million were being screened out over the same period.

Spam filters remain the main defense against phishing. Unfortunately, anti-phishing software tools have limited effectiveness, since attackers primarily exploit human psychology rather than software flaws. Technical security measures are being actively developed, primarily plug-ins for popular browsers. The essence of the protection is to block sites that appear on "black lists" of fraudulent resources. The next step could be systems that generate one-time passwords for Internet access to bank accounts and accounts in payment systems, and the wide deployment of additional levels of protection by combining a password with a USB hardware key.

The listed attacks on IP networks are possible for a number of reasons:

• use of publicly available data transmission channels; critical data is transmitted over the network in unencrypted form;

• vulnerabilities in the authentication procedures implemented in the TCP/IP stack; identity information at the IP layer is transmitted in clear text;

• the absence, in the basic version of the TCP/IP protocol stack, of mechanisms that ensure the confidentiality and integrity of transmitted messages;

• the sender is authenticated by its IP address; the authentication procedure is performed only at the connection establishment stage, and afterwards the authenticity of received packets is not checked;

• lack of control over the route of messages on the Internet, which leaves remote network attacks virtually unpunished.

Almost any website can suffer from a hacker attack; there is no 100% protection against this. For example, a random site hosted on the same server as the site targeted by the attack may become a victim. If attackers have a large budget and the desire, no site can be completely protected from deliberate action.

The purposes for which a site may be attacked:

– data theft (for example, user passwords, access to hidden sections of the site);

– taking the server out of working condition;

– placement of hidden links, viruses, etc. on the website pages;

– obtaining full access to the server;

– a decrease in the site’s position in search engines or its complete loss.

Most hacker attacks are carried out by competitors or for profit.

Let's consider the main types of attacks on websites.

DDoS. I already discussed it in one of the previous articles. Why is this kind of attack dangerous?

DDoS is the most dangerous attack on an Internet resource: it stops the server completely, making the site unavailable to visitors. The server can stay down until the attack stops, and this in turn hurts the reputation of your site. This type of attack is available to many unscrupulous competitors; the only question is how much money they are willing to spend on organizing the DDoS.

For a small DDoS, just a few computers with a wide Internet channel are enough. The attack consists of organizing a huge number of requests to the server from a large number of computers. As a result, the permissible load is exceeded many times over and the server crashes. Most of the attacking computers are PCs infected with Trojans; the PC's user does not even suspect that he is being used by scammers. Networks of infected computers are called botnets.

The power of a DDoS attack is measured by the volume of traffic sent to the attacked server per second. A powerful attack is quite difficult to fight, because such volumes of traffic are almost impossible to filter.

It is important to know that attacks are carried out not only on individual computers. National networks and root DNS servers have often been victims of attacks, and this can lead to the unavailability of the Internet in certain regions.

To prevent DDoS, experts recommend hosting Internet projects on a server with a reserve of resources. In that case there is time in reserve to take action. Protection against DDoS requires comprehensive measures, for example a firewall, traffic filtering and the work of specialists in this field. But even large sites with powerful protection are periodically attacked; even the Microsoft website has more than once been the victim of DDoS attacks by scammers.

A separate article about DDoS has been written on our blog.

Another popular attack on a site is hacking the server and placing links or viruses on it.

In such cases the webmaster discovers that the site has been hacked and is being used by scammers.

It is also possible that the hosting server has been hacked. But still, in most cases viruses get onto a site through holes in the engine (CMS) or through careless storage of passwords.

As you know, hidden links are one of the reasons search engines impose sanctions, which are very difficult to get out of. And if scammers insert not just ordinary links but virus code, such a site can be banned even by the hosting provider, and the resource itself and its IP address end up on the Spamhaus "black list", which is extremely difficult to get off. As a preventive measure, monitor CMS updates, install updates and the necessary add-ons, and of course do not store passwords in the open.

Next on my attack list is SQL injection. It occurs when an SQL query is executed on someone else's server; the problem arises from vulnerabilities in the engine or imperfect program code. A related attack is XSS. What is the essence of an XSS attack? Arbitrary code is injected into the page generated by the script. The main danger of such an attack is the theft of cookies, which leads to access to user accounts. As a result the fraudster obtains data about the visitor's system, the history of sites visited, and so on. Moreover, not only JavaScript can be embedded but also a link to a PHP script hosted on a third-party server, which is even more dangerous.
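An added example, not code from this blog: the two flaws just named, each shown in a vulnerable form beside its fix, using Python's built-in sqlite3 and html modules. The users table, its rows and the comment text are constructed for the illustration.

```python
# Added example (not from the original article): the SQL injection and XSS
# flaws named above, each shown in a vulnerable form beside its fix.  The
# users table and its rows are constructed for illustration only.
import html
import sqlite3

# In-memory database with a small constructed users table.  Plaintext
# passwords are used only so the query logic stays visible; a real
# application would store password hashes, never the passwords themselves.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
DB.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
               [("admin", "s3cret"), ("alice", "hunter2")])
DB.commit()


def login_vulnerable(name, password):
    """Builds the SQL text from user input: the classic injectable pattern.

    The password field is pasted straight into the query text, so input
    that closes the quote and adds its own condition changes the logic of
    the query instead of being compared as a value.
    """
    query = (f"SELECT id FROM users WHERE name = '{name}' "
             f"AND password = '{password}'")
    return DB.execute(query).fetchone() is not None


def login_safe(name, password):
    """Parameterized query: user input is bound as data, never parsed as SQL."""
    row = DB.execute(
        "SELECT id FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row is not None


def render_comment_vulnerable(comment):
    """Reflects untrusted text into the generated page unchanged (XSS)."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Escapes the text so that markup inside it is displayed, not executed."""
    return f'<p class="comment">{html.escape(comment)}</p>'


if __name__ == "__main__":
    bypass = "' OR '1'='1"
    print("vulnerable login with bypass:", login_vulnerable("admin", bypass))  # True
    print("safe login with same input:  ", login_safe("admin", bypass))        # False
    print(render_comment_safe("<script>alert(1)</script>"))
```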

Spam with the website's address and details is another attack method that looks harmless but can get your site blocked by the hosting provider and your address blacklisted. Spam can be sent not only to users' e-mail but also to forums. As a result, it will be hard for you to prove that your competitors were doing this and not you.

Spam in comments and on the forum is another way scammers can harm your site. After all, spammed resources not only rank poorly but can be banned altogether. Therefore the owners of such sites need to install anti-spam filters and moderate user posts on the forum.

Phishing harms the reputation of any resource. On another site with a similar address, a copy of your site with a login form is placed. The user enters his data, and it falls into the hands of scammers. If you find such a site, immediately contact the hosting provider and domain registrar of the fraudulent site; they will certainly block this dishonest resource. What phishing is and how to protect yourself from it is covered in detail in a separate article.

Perhaps you know some other methods of scammers that directly harm websites? Share them in the comments!


Table 9.1. Vulnerabilities of TCP/IP stack protocols. For each protocol: the protocol stack layer, the name (characteristic) of the vulnerability, and the content of the information security violation.

FTP (File Transfer Protocol), a protocol for transferring files over a network
  Layer: application, presentation, session
  Vulnerability: plaintext authentication (passwords are sent unencrypted); default access; two open ports
  Violation: possibility of data interception

telnet, a remote terminal control protocol
  Layer: application, presentation, session
  Vulnerability: plaintext authentication (passwords are sent unencrypted)
  Violation: interception of account data (registered user names, passwords); gaining remote access to hosts

UDP, a connectionless data transfer protocol
  Layer: transport
  Vulnerability: no mechanism to prevent buffer overload
  Violation: possibility of a UDP storm; as a result of the packet exchange, server performance drops significantly

ARP, the protocol mapping IP addresses to physical addresses
  Layer: network
  Vulnerability: plaintext authentication (information is sent unencrypted)
  Violation: interception of user traffic by an attacker

RIP (Routing Information Protocol)
  Layer: transport
  Vulnerability: lack of authentication of route change control messages
  Violation: ability to redirect traffic through the attacker's host

TCP (Transmission Control Protocol)
  Layer: transport
  Vulnerability: lack of a mechanism for checking that packet service headers are correctly filled in
  Violation: significant reduction in communication speed and even complete interruption of arbitrary TCP connections

DNS, the protocol mapping mnemonic names to network addresses
  Layer: application, presentation, session
  Vulnerability: lack of means to verify the authenticity of data received from the source
  Violation: tampering with the DNS server's response

IGMP, a routing message protocol
  Layer: network
  Vulnerability: lack of authentication of messages about changing route parameters
  Violation: Win 9x/NT/2000 systems freeze

SMTP, the protocol providing the e-mail delivery service
  Layer: application, presentation, session
  Violation: possibility of forging e-mail messages as well as the sender's address

SNMP, a protocol for managing routers in networks
  Layer: application, presentation, session
  Vulnerability: no support for message header authentication
  Violation: possibility of network bandwidth overload

Threats carried out over the network are classified according to the following main characteristics:

  1. nature of the threat.

    Passive: a threat that does not affect the operation of the information system but can violate the rules of access to protected information. Example: using a sniffer to "listen" to a network. Active: a threat that affects the components of an information system and whose implementation has a direct impact on the operation of the system. Example: a DDoS attack in the form of a TCP request storm.

  2. goal of the threat (respectively, the confidentiality, availability or integrity of information).
  3. attack start condition:
    • on request from the attacked object: the attacker waits for a request of a certain type, whose transmission is the condition for the start of the attack;
    • on the occurrence of an expected event at the attacked object;
    • unconditional impact: the attacker does not wait for anything, that is, the threat is implemented immediately and regardless of the state of the attacked object.
  4. presence of feedback from the attacked object:
    • with feedback, that is, the attacker needs to receive answers to some requests. There is thus feedback between the target and the attacker, allowing the attacker to monitor the state of the attacked object and respond adequately to its changes;
    • without feedback: accordingly, there is no feedback and no need for the attacker to react to changes in the attacked object.
  5. location of the intruder relative to the attacked information system: intra-segment or inter-segment. A network segment is a physical association of hosts, hardware and other network components that have a network address. For example, one segment consists of computers connected to a common bus based on Token Ring.
  6. ISO/OSI reference model layer at which the threat is implemented: physical, data link, network, transport, session, presentation, application.

Let's look at the attacks currently most common in networks based on the TCP/IP protocol stack.

  1. Network traffic analysis. This attack is implemented using a special program called a sniffer. A sniffer is an application program that uses a network card operating in so-called promiscuous mode, in which the network card accepts all packets regardless of whom they are addressed to. In the normal state, link-layer packet filtering is applied on the Ethernet interface: if the destination MAC address in the header of a received packet does not match the MAC address of the current network interface and is not a broadcast address, the packet is discarded. In promiscuous mode, filtering by the network interface is disabled and all packets, including those not intended for the current host, are passed into the system. It should be noted that many such programs are used for legitimate purposes, for example for fault diagnosis or traffic analysis. However, the table reviewed above lists protocols that send information, including passwords, in clear text: FTP, SMTP, POP3, etc. Thus, using a sniffer, an attacker can intercept a username and password and gain unauthorized access to confidential information. Moreover, many users use the same passwords for many online services, so a weakness in one place in the network in the form of weak authentication can compromise the entire network. Attackers are well aware of human weaknesses and make wide use of social engineering methods.

    Protection against this type of attack may include the following:

    • Strong authentication, e.g. using one-time passwords. The idea is that a password can be used only once, so even if an attacker intercepts it with a sniffer, it has no value. Of course, this mechanism only protects against interception of passwords and is useless against interception of other information, for example e-mail.
    • Anti-sniffers: hardware or software that can detect a sniffer operating in a network segment. As a rule, they check the load on network nodes in order to detect "extra" load.
    • Switched infrastructure. Clearly, network traffic analysis is only possible within one network segment. If the network is built on devices that divide it into many segments (switches and routers), an attack is only possible in the part of the network attached to one port of such a device. This does not solve the sniffing problem, but it does narrow the area an attacker can "listen" to.
    • Cryptographic methods. The most reliable way to counter a sniffer: information obtained by interception is encrypted and therefore useless. The most commonly used are IPSec, SSL and SSH.
  2. Network scanning. The purpose of network scanning is to identify the services running on the network, open ports, active network services, the protocols used, etc., that is, to collect information about the network. The most commonly used methods are:
    • DNS queries, which help an attacker find out the domain owner and the address range;
    • ping testing, which identifies working hosts among the DNS addresses obtained earlier;
    • port scanning, which compiles a complete list of the services supported by those hosts, open ports, applications, etc.

    A good and the most common countermeasure is an IDS, which successfully detects signs of network scanning and notifies the administrator. This threat cannot be eliminated completely: if, for example, you disable ICMP echo and echo reply on your router, you get rid of the ping threat but lose the data needed to diagnose network failures.

  3. Password discovery. The main goal of this attack is to gain unauthorized access to protected resources by overcoming password protection. To obtain a password an attacker can use many methods: simple brute force, dictionary attack, sniffing, etc. The most common is a simple brute-force search of all possible password values. To protect against simple brute force, strong passwords that are not easy to guess must be used: 6-8 characters long, with upper- and lower-case letters and special characters (@, #, $, etc.).

    Another information security problem is that most people use the same password for all services, applications, sites, etc. As a result, the vulnerability of a password is determined by the weakest place where it is used.

    These attacks can be avoided by using one-time passwords, discussed earlier, or cryptographic authentication.

  4. IP spoofing, or substitution of a trusted network object. Trusted here means a network object (computer, router, firewall, etc.) that is legitimately connected to the server. The threat is that an attacker impersonates a trusted network object. This can be done in two ways: first, by using an IP address within the range of authorized IP addresses; second, by using an authorized external address that is allowed access to certain network resources. This type of attack is often the starting point for other attacks.

    Typically, spoofing a trusted network object is limited to inserting false information or malicious commands into the normal flow of data transmitted between network objects. For two-way communication the attacker must also change routing tables to direct traffic to the false IP address, which is possible as well. To mitigate the threat (but not eliminate it), the following can be used:

    • Access control. Access control can be configured to reject any traffic arriving from the external network with a source address inside the internal network. This method is effective if only internal addresses are authorized and does not work if there are authorized external addresses.
    • RFC 2827 filtering. This type of filtering stops attempts by users of your network to spoof other networks: any outgoing traffic whose source address is not one of your organization's IP addresses is rejected. Often this filtering is performed by the provider: all traffic whose source address is not expected on a particular interface is rejected. For example, if an ISP provides a connection to the IP range 15.1.1.0/24, it can configure a filter so that only traffic originating from 15.1.1.0/24 is allowed from that interface into the ISP's router. Note that until all providers implement this type of filtering, its effectiveness will be far lower than it could be.
    • Additional authentication methods. IP spoofing is only possible with IP-based authentication. If additional authentication measures are introduced, for example cryptographic ones, the attack becomes useless.
  5. Denial of Service (DoS): an attack on a computer system intended to bring it to failure, that is, to create conditions under which legitimate users cannot access the resources the system provides, or access is impeded.

    The DoS attack is the most common and well-known attack of recent times, mainly because of its ease of implementation. Organizing a DoS attack requires a minimum of knowledge and skill and relies on shortcomings of network software and network protocols. If the attack is carried out from many network devices, it is called a distributed DoS attack (DDoS).

    Today, the following five types of DoS attacks are most commonly used, for which there is a large amount of software and from which it is most difficult to protect:

    • Smurf (ICMP ping requests). When a ping packet (ICMP ECHO message) is sent to a broadcast address (for example 10.255.255.255), it is delivered to every machine on that network. The principle of the attack is to send ICMP ECHO REQUEST packets with the source address of the attacked host: the attacker sends a constant stream of ping packets to a network's broadcast address, and every machine that receives the request replies to the source with an ICMP ECHO REPLY packet. The response flow is thus amplified in proportion to the number of hosts, and the entire network suffers denial of service due to congestion.
    • ICMP flood: an attack similar to Smurf but without the amplification produced by requests to a directed broadcast address.
    • UDP flood: sending many UDP (User Datagram Protocol) packets to the address of the attacked host.
    • TCP flood: sending many TCP packets to the address of the attacked host.
    • TCP SYN flood: in this attack a large number of requests to initiate TCP connections are issued to the attacked host, which as a result has to spend all its resources tracking these half-open connections.

    If you are running a Web server or FTP server application, a DoS attack causes all connections available to those applications to be occupied, and users cannot reach them. Some attacks can bring down an entire network by flooding it with unnecessary packets. Countering such attacks requires the involvement of the provider: if it does not stop the unwanted traffic at the entrance to the network, the attack cannot be stopped, because the bandwidth will be saturated.

    The following programs are most often used to implement a DoS attack:

    • Trinoo is a rather primitive program which historically was the first to organize DoS attacks of a single type, the UDP flood. Programs of the trinoo family are easily detected by standard security tools and pose no threat to those who care at least a little about their security.
    • TFN and TFN2K are a more serious weapon. They allow several types of attack to be organized simultaneously: Smurf, UDP flood, ICMP flood and TCP SYN flood. Using these programs requires the attacker to be much more skilled.
    • The latest tool for organizing DoS attacks is Stacheldraht ("barbed wire"). This package can organize a variety of attack types and avalanches of broadcast ping requests. In addition, data exchange between controllers and agents is encrypted, and a self-modification function is built into the software itself. The encryption makes it very difficult to detect the attacker.

    To mitigate the threat, you can use the following:

    • Anti-spoofing features - Properly configuring anti-spoofing features on your routers and firewalls will help reduce the risk of DoS. These features should, at a minimum, include RFC 2827 filtering. If a hacker cannot disguise his true identity, he is unlikely to carry out an attack.
    • Anti-DoS Features - Proper configuration of anti-DoS features on routers and firewalls can limit the effectiveness of attacks. These features often limit the number of half-open channels at any given time.
    • Traffic rate limiting - an organization can ask the ISP to limit the amount of traffic. This type of filtering allows you to limit the amount of non-critical traffic that passes through your network. A common example is limiting the volume of ICMP traffic, which is used for diagnostic purposes only. DoS attacks often use ICMP.

    There are several kinds of threat of this type:

    • Hidden denial of service, when part of the network's resources is used to process packets transmitted by the attacker, reducing channel capacity, disrupting request processing times and degrading the performance of network devices. Example: a directed ICMP echo request storm or a TCP connection request storm.
    • Explicit denial of service caused by exhaustion of network resources as a result of processing packets sent by attackers. Legitimate user requests cannot be processed because the entire channel bandwidth is occupied, buffers are full, disk space is full, etc. Example: a directed storm (SYN flooding).
    • Explicit denial of service caused by a violation of logical connectivity between network devices when the attacker transmits control messages on behalf of network devices, changing routing and address data. Example: ICMP Redirect Host or DNS flood.
    • Explicit denial of service caused by the attacker transmitting packets with non-standard attributes (for example, a UDP bomb) or of a length exceeding the maximum (Ping of Death).

    DoS attacks are aimed at disrupting the availability of information and do not violate integrity and confidentiality.

  6. Application-level attacks. This type of attack exploits holes in server software (HTML, sendmail, FTP). Using such a vulnerability, an attacker gains access to the computer under the identity of the account the application runs as. Application-layer attacks often use ports that are allowed "through" the firewall.

    The main problem with application-layer attacks is that they often use ports that are allowed to pass through the firewall. For example, a hacker attacking a Web server might use TCP port 80. In order for the Web server to serve pages to users, port 80 on the firewall must be open. From the firewall's point of view, the attack is treated as standard traffic on port 80.

    It is impossible to eliminate application-level attacks completely, since new vulnerabilities in application software appear regularly. The most important thing here is good system administration. Some measures that reduce exposure to this type of attack:

    • reading logs (system and network);
    • tracking vulnerabilities in new software through specialized sites, for example http://www.cert.com;
    • using an IDS.

From the very nature of a network attack it is clear that an individual network node has no control over whether an attack occurs. We have not considered every attack possible on a network; in practice there are many more. Nor is it feasible to protect against every type of attack. The best approach to protecting the network perimeter is to eliminate the vulnerabilities that are used in most cybercriminal attacks. Lists of such vulnerabilities are published on many sites that collect such statistics, for example the SANS Institute website: http://www.sans.org/top-cyber-security-risks/?ref=top20. An ordinary attacker does not look for original methods of attack; he scans the network for a known vulnerability and exploits it.

A DoS or DDoS attack is an aggressive external action against the computing resources of a server or workstation, carried out with the goal of making it fail. By failure we mean not the physical breakdown of the machine but the unavailability of its resources to legitimate users, that is, the system's refusal to serve them (Denial of Service, which is where the abbreviation DoS comes from).

If such an attack is carried out from a single computer, it is classified as DoS; if from several, as DDoS, which stands for "Distributed Denial of Service". Next, we will look at why attackers carry out such attacks, what forms they take, what harm they cause to the target, and how the target can protect its resources.

Who can suffer from DoS and DDoS attacks?

Corporate servers and websites are the usual targets; personal computers of individuals are attacked much less often. The purpose of such actions is, as a rule, a single one: to inflict economic harm on the target while staying in the shadows. In some cases DoS and DDoS attacks are one stage of a server compromise and are aimed at stealing or destroying information. In fact, any company or website can become a target.

[Figure: diagram illustrating the essence of a DDoS attack]

DoS and DDoS attacks are most often carried out at the instigation of dishonest competitors. By "crashing" the website of an online store that sells a similar product, you can temporarily become a "monopolist" and take its customers for yourself. By "taking down" a corporate server, you can disrupt the work of a competing company and thereby weaken its market position.

Large-scale attacks capable of causing significant damage are usually carried out by professional cybercriminals for a lot of money. But not always. Your resources can be attacked by self-taught amateur hackers out of curiosity, by fired employees seeking revenge, or simply by people who do not share your views on life.

Sometimes the impact is carried out for the purpose of extortion, while the attacker openly demands money from the owner of the resource to stop the attack.

The servers of state-owned companies and well-known organizations are often attacked by anonymous groups of highly skilled hackers in order to influence officials or cause public outcry.

How attacks are carried out

The operating principle of DoS and DDoS attacks is to send the server a large flow of data that loads the processor and RAM as heavily as the attacker's capabilities allow, clogs the communication channels, or fills the disk space. The attacked machine is unable to process the incoming data and stops responding to user requests.

[Figure: normal server operation visualized in the Logstalgia program]

The effectiveness of single-source DoS attacks is not very high. In addition, an attack from a personal computer exposes the attacker to the risk of being identified and caught. Distributed attacks (DDoS), carried out from so-called zombie networks or botnets, give a far greater payoff.

[Figure: botnet activity as displayed by the Norse-corp.com website]

A zombie network (botnet) is a group of computers that have no physical connection with each other. What they have in common is that they are all under the control of an attacker. Control is exercised through a Trojan program, which for the time being may not show itself in any way. When carrying out an attack, the hacker instructs the infected computers to send requests to the victim's website or server. Unable to withstand the load, it stops responding.

[Figure: a DDoS attack as shown by Logstalgia]

Any computer can end up in a botnet, and so can a smartphone. It is enough to catch a Trojan and fail to detect it in time. Incidentally, the largest botnet consisted of almost 2 million machines around the world, and their owners had no idea what they were doing.

Methods of attack and defense

Before launching an attack, the hacker works out how to carry it out with maximum effect. If the attacked node has several vulnerabilities, the attack can be carried out in several directions at once, which significantly complicates countermeasures. Every server administrator should therefore study all of its "bottlenecks" and, where possible, strengthen them.

Flood

Flood, in simple terms, is data that carries no meaning. In the context of DoS/DDoS attacks, a flood is an avalanche of empty, meaningless requests at one protocol layer or another, which the receiving node is forced to process.

The main purpose of using flooding is to completely clog communication channels and saturate the bandwidth to the maximum.

Types of flood:

  • MAC flood - an attack on network switches (saturating switch ports with data flows).
  • ICMP flood - inundating the victim with ICMP echo requests from a zombie network, or sending echo requests "on behalf of" the attacked node so that every member of the botnet replies to it at once (Smurf attack). A special case of ICMP flood is the ping flood (sending ping requests to the server).
  • SYN flood - sending the victim a large number of SYN requests, overflowing the TCP connection queue with half-open connections (those still waiting for the client's confirmation).
  • UDP flood - works on the same scheme as the Smurf attack, with UDP datagrams sent instead of ICMP packets.
  • HTTP flood - flooding a server with a large number of HTTP requests. A more sophisticated variant is HTTPS flooding, where the data sent is encrypted, so the attacked node has to decrypt each request before it can process it.


How to protect yourself from flooding

  • Configure network switches to check the validity and filter MAC addresses.
  • Restrict or disable the processing of ICMP echo requests.
  • Block packets from any address or domain that gives reason to consider it untrustworthy.
  • Limit the number of half-open connections from a single address, shorten the time they are held, and increase the length of the TCP connection queue.
  • Prevent UDP services from accepting traffic from outside, or limit the number of UDP connections.
  • Use CAPTCHA, delays and other bot protection techniques.
  • Increase the maximum number of HTTP connections, configure request caching using nginx.
  • Expand network channel capacity.
  • If possible, offload cryptographic processing (if encryption is used) to a separate server.
  • Create a backup channel for administrative access to the server in emergency situations.
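The half-open connection queue that the SYN flood entry above describes, together with the three knobs from this list (queue length, hold time, per-address limit), as an added Python model that is not part of the original article; the addresses, the 300-SYN flood and the 128 / 60-second / 10 values are constructed, illustrative assumptions.

```python
from collections import Counter

# Added model, not the article's code: a TCP listen queue under a SYN flood with
# the three knobs the defense list names (queue length, hold time, per-address
# cap). Nothing touches the network; the "packets" are constructed tuples.

class SynBacklog:
    def __init__(self, capacity, hold_time, per_source_limit=None):
        self.capacity = capacity                  # max half-open (SYN_RECV) entries
        self.hold_time = hold_time                # seconds an unanswered SYN-ACK is kept
        self.per_source_limit = per_source_limit  # None: no per-address cap
        self.pending = {}                         # (src_ip, src_port) -> arrival time
        self.per_source = Counter()               # half-open entries per address
        self.dropped_full = self.dropped_src = 0  # refused SYNs: queue full / per-address cap

    def expire(self, now):
        # Forget entries older than hold_time; a shorter hold time frees slots sooner.
        for key in [k for k, t0 in self.pending.items() if now - t0 >= self.hold_time]:
            self.per_source[key[0]] -= 1
            del self.pending[key]

    def on_syn(self, src_ip, src_port, now):
        """Queue a SYN; return False if it has to be refused."""
        self.expire(now)
        if (src_ip, src_port) in self.pending:
            return True                           # retransmitted SYN, already queued
        if self.per_source_limit is not None and self.per_source[src_ip] >= self.per_source_limit:
            self.dropped_src += 1
            return False
        if len(self.pending) >= self.capacity:
            self.dropped_full += 1
            return False
        self.pending[(src_ip, src_port)] = now
        self.per_source[src_ip] += 1
        return True


def simulate(per_source_limit):
    """Constructed traffic: one address sends 300 SYNs it never completes, then a
    legitimate client tries to connect. Returns whether the client got a slot."""
    q = SynBacklog(capacity=128, hold_time=60, per_source_limit=per_source_limit)
    for i in range(300):
        q.on_syn("198.51.100.7", 10000 + i, now=i * 0.01)
    accepted = q.on_syn("203.0.113.5", 40001, now=5.0)
    return {"legit_accepted": accepted, "dropped_full": q.dropped_full,
            "dropped_src": q.dropped_src, "half_open": len(q.pending)}
```

Without a per-address cap the flood fills all 128 slots and the legitimate client is refused; with a cap of 10 the flood is held to 10 entries and the client gets in, and a shorter hold time makes stale entries leave the queue sooner.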

Hardware overload

There are types of flooding that affect not the communication channel, but the hardware resources of the attacked computer, loading them to their full capacity and causing a freeze or crash. For example:

  • Creating a script that will post a huge amount of meaningless text information on a forum or website where users have the opportunity to leave comments until the entire disk space is filled.
  • The same thing, only the server logs will fill the drive.
  • Loading a site that performs some transformation of submitted data by sending such data continuously (so-called "heavy" requests).
  • Loading the processor or memory by executing code through the CGI interface (CGI support allows you to run any external program on the server).
  • Triggering the security system, making the server inaccessible from the outside, etc.


How to protect yourself from overloading hardware resources

  • Increase hardware performance and disk space. When the server is operating normally, at least 25-30% of the resources should remain free.
  • Use traffic analysis and filtering systems before transmitting it to the server.
  • Limit the use of hardware resources by system components (set quotas).
  • Store server log files on a separate drive.
  • Distribute resources across several servers independent of each other, so that if one part fails the others remain operational.

Vulnerabilities in operating systems, software, device firmware

There are far more ways to carry out this type of attack than there are kinds of flooding. Their implementation depends on the qualifications and experience of the attacker, on his ability to find errors in program code and use them to his own benefit and to the detriment of the resource owner.

Once a hacker discovers a vulnerability (an error in software that can be used to disrupt the operation of the system), all he has to do is create and run an exploit - a program that exploits this vulnerability.

Exploitation of vulnerabilities is not always intended to cause only a denial of service. If the hacker is lucky, he will be able to gain control of the resource and use this “gift of fate” at his own discretion. For example, use it to distribute malware, steal and destroy information, etc.

Methods to counter the exploitation of software vulnerabilities

  • Promptly install updates that fix vulnerabilities in operating systems and applications.
  • Isolate all services intended for administrative tasks from outside access.
  • Use tools for continuous monitoring of the server OS and programs (behavioral analysis, etc.).
  • Avoid potentially vulnerable programs (free, self-written, rarely updated) in favor of proven and well-protected ones.
  • Use ready-made means of protecting systems from DoS and DDoS attacks, which exist both in the form of hardware and software systems.

How to determine that a resource has been attacked by a hacker

If the attacker achieves his goal, the attack cannot go unnoticed, but in some cases the administrator cannot determine exactly when it began: several hours sometimes pass between the onset of the attack and noticeable symptoms. Even during the hidden phase (before the server goes down), however, certain signs are present. For example:

  • Abnormal behavior of server applications or the operating system (freezes, termination with errors, etc.).
  • The load on the processor, RAM and storage rises sharply compared to the baseline.
  • The volume of traffic on one or more ports increases significantly.
  • Multiple clients request the same resources (opening the same website page, downloading the same file).
  • Analysis of server, firewall and network device logs shows a large number of monotonous requests from various addresses, often directed at a specific port or service, especially when the site is aimed at a narrow audience (for example, Russian-speaking) and the requests come from all over the world. Closer analysis of the traffic shows that the requests have no practical meaning for the clients.

None of the above is a 100% sign of an attack, but each is always a reason to look into the problem and take appropriate protective measures.
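The log-analysis symptoms above, turned into an added detection script that is not part of the original article: it parses constructed access-log lines in common log format and flags both a single address far above a normal request count and the same resource requested monotonously from many addresses. The thresholds are assumed defaults that an administrator would tune for their own site.

```python
import re
from collections import Counter, defaultdict

# Constructed example (not from the original article): access-log lines in common
# log format, one monitoring window per call. Thresholds are illustrative defaults.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')


def parse(line):
    """Return (client_ip, 'METHOD /path') for one log line, or None if malformed."""
    m = LOG_RE.match(line)
    return (m.group(1), f"{m.group(2)} {m.group(3)}") if m else None


def analyze(lines, per_ip_max=30, same_req_ratio=0.8, min_sources=5):
    """Flag the two symptoms the article lists: a few addresses far above a normal
    request count (single-source DoS), and one resource requested over and over
    from many different addresses (botnet-driven DDoS)."""
    recs = [r for r in map(parse, lines) if r]
    reasons, hot_ips, top_req = [], [], None
    if recs:
        per_ip = Counter(ip for ip, _ in recs)
        hot_ips = sorted(ip for ip, n in per_ip.items() if n >= per_ip_max)
        if hot_ips:
            reasons.append("per-address request count above limit")
        sources = defaultdict(set)          # request line -> set of client addresses
        for ip, req in recs:
            sources[req].add(ip)
        top_req = max(sources, key=lambda r: len(sources[r]))
        share = sum(1 for _, r in recs if r == top_req) / len(recs)
        if share >= same_req_ratio and len(sources[top_req]) >= min_sources:
            reasons.append("monotonous requests for one resource from many addresses")
    return {"suspicious": bool(reasons), "reasons": reasons,
            "hot_ips": hot_ips, "top_request": top_req}


def sample_ddos_log():
    """Constructed: 3 ordinary visits, then 18 addresses each fetching the same
    search page 4 times; no single address exceeds per_ip_max on its own."""
    ts = "[10/Oct/2023:13:55:41 +0000]"
    lines = [f'203.0.113.5 - - {ts} "GET / HTTP/1.1" 200 1043',
             f'203.0.113.5 - - {ts} "GET /about HTTP/1.1" 200 512',
             f'203.0.113.9 - - {ts} "GET /contact HTTP/1.1" 200 640']
    for i in range(1, 19):
        lines += [f'198.51.100.{i} - - {ts} "GET /search?q=a HTTP/1.1" 200 20480'] * 4
    return lines


def sample_dos_log():
    """Constructed: one address hammering 40 different paths."""
    ts = "[10/Oct/2023:13:55:41 +0000]"
    return [f'198.51.100.77 - - {ts} "GET /page{i} HTTP/1.1" 404 0' for i in range(40)]
```

The distributed sample trips only the "monotonous requests" rule, since each bot stays under the per-address limit, which is exactly why a per-address rate check alone misses a DDoS.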