3.4 Active attacks
An active attack is one in which an unauthorised change of the system is attempted. This could include, for example, the modification of transmitted or stored data, or the creation of new data streams. Figure 2 (see Section 3.2) shows four sub-categories here: masquerade or fabrication, message replay, message modification and denial of service or interruption of availability.
Masquerade attacks, as the name suggests, involve an entity (usually a computer or a person) taking on a false identity in order to acquire or modify information and, in effect, obtain privileges it is not entitled to. A masquerade is often built on one of the other categories, for instance by replaying a captured authentication exchange.
Message replay involves the re-use of captured data at a later time than originally intended in order to repeat some action of benefit to the attacker: for example, the capture and replay of an instruction to transfer funds from a bank account into one under the control of an attacker. This can be foiled by checking the freshness of each message. Freshness is normally established by including in the message something the receiver can verify has not been seen before (a random nonce, a sequence number or a timestamp) and binding it to the message with a message authentication code so that it cannot itself be altered.
Message modification involves altering a message in transit or in storage, for example rewriting a packet header address so that the packet is delivered to an unintended destination, or changing the user data itself. A message authentication code or digital signature computed over the whole message lets the receiver detect such alterations.
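The following is an added example, not part of the original unit, showing how a receiver rejects both modified and replayed messages of the kind described in the two paragraphs above. It assumes a pre-shared key (here a constructed demo value), HMAC-SHA256 as the message authentication code, a JSON message body, and a 30-second freshness window; all of these are assumptions of the example, not requirements of the text. The nonce set is pruned to the freshness window, which is safe because anything older is rejected by the timestamp check before the nonce is consulted.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed demo key; in practice the key is provisioned out of band.
KEY = b"shared-secret-for-demo"
MAX_AGE = 30  # seconds either side of the receiver's clock (assumption)


def make_message(key, payload, nonce=None, ts=None):
    """Sender side: bind payload, nonce and timestamp together under an HMAC."""
    body = {
        "payload": payload,
        "nonce": (nonce if nonce is not None else os.urandom(16)).hex(),
        "ts": ts if ts is not None else int(time.time()),
    }
    # Canonical encoding so sender and receiver MAC exactly the same bytes.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return {"body": data.decode(), "tag": tag}


class Receiver:
    """Receiver side: integrity check, then freshness (timestamp), then replay (nonce)."""

    def __init__(self, key, max_age=MAX_AGE, clock=time.time):
        self.key = key
        self.max_age = max_age
        self.clock = clock  # injectable for deterministic testing
        self.seen = {}      # nonce -> timestamp of first use

    def accept(self, msg):
        data = msg["body"].encode()
        expected = hmac.new(self.key, data, hashlib.sha256).hexdigest()
        # Constant-time comparison; a modified body or tag fails here.
        if not hmac.compare_digest(expected, msg["tag"]):
            return (False, "modified: MAC mismatch")
        body = json.loads(data)
        now = self.clock()
        if abs(now - body["ts"]) > self.max_age:
            return (False, "stale: timestamp outside window")
        # Prune nonces older than the window; older replays are caught above.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_age}
        if body["nonce"] in self.seen:
            return (False, "replay: nonce already used")
        self.seen[body["nonce"]] = body["ts"]
        return (True, body["payload"])


def demo(now=1_000_000):
    """Run the three attack cases against a receiver with a fixed clock."""
    recv = Receiver(KEY, clock=lambda: now)
    transfer = {"from": "A", "to": "B", "amount": 100}
    msg = make_message(KEY, transfer, ts=now)
    results = {"original": recv.accept(msg)}
    results["replayed"] = recv.accept(msg)             # same message, second time
    tampered = dict(msg)
    tampered["body"] = msg["body"].replace('"to":"B"', '"to":"M"')
    results["modified"] = recv.accept(tampered)        # payee rewritten, tag unchanged
    old = make_message(KEY, transfer, ts=now - 3600)
    results["stale"] = recv.accept(old)                # captured an hour earlier
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

The order of the checks matters: the MAC is verified before anything in the body is trusted, so an attacker cannot, for instance, feed the receiver a huge or malformed nonce field to exhaust the `seen` table.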
Denial-of-service attacks prevent the normal use or management of communication services. They may be aimed at a particular service or be broad and incapacitating. For example, a network may be flooded with messages that degrade service, or cause a complete collapse if a server shuts down under abnormal load. Another example is rapid, repeated requests to a web server that crowd out legitimate users. Denial-of-service attacks against internet-connected services are frequently reported.
Because complete prevention of active attacks is unrealistic, preventive measures have to be complemented by a strategy of detection followed by recovery.
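As an added example (not from the original unit) of the detection step for the web-server flood just described, the code below runs a sliding-window request counter over constructed access-log lines in the common log format. It raises a 'targeted' alert when one source exceeds a per-source rate and a 'broad' alert when the aggregate rate exceeds a limit even though no single source stands out, which is the distributed case a per-source rule alone misses. The log lines, thresholds (20 requests per source and 100 in total per 10-second window) and the recovery actions are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$')


def parse_line(line):
    """Return (epoch_seconds, source_ip), or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts.timestamp(), m["ip"]


def detect_floods(lines, window=10, per_source_limit=20, total_limit=100):
    """Sliding-window detector over a roughly chronological log stream.

    Returns one alert per offender as (kind, source, count_at_detection, epoch):
    'targeted' when a single source exceeds per_source_limit inside `window`
    seconds, 'broad' when the aggregate exceeds total_limit.
    """
    per_source = defaultdict(deque)
    aggregate = deque()
    alerts, flagged = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed input must not crash the detector
        t, ip = parsed
        for q in (per_source[ip], aggregate):
            q.append(t)
            while t - q[0] > window:   # drop events that left the window
                q.popleft()
        if len(per_source[ip]) > per_source_limit and ip not in flagged:
            flagged.add(ip)
            alerts.append(("targeted", ip, len(per_source[ip]), t))
        if len(aggregate) > total_limit and "*" not in flagged:
            flagged.add("*")
            alerts.append(("broad", "*", len(aggregate), t))
    return alerts


def recovery_actions(alerts):
    """Map each alert to the recovery step an operator or automation would take (assumed)."""
    actions = []
    for kind, src, _count, _t in alerts:
        if kind == "targeted":
            actions.append(f"block {src} at the firewall")
        else:
            actions.append("enable per-client rate limiting / upstream filtering")
    return actions


def build_sample_log():
    """Constructed log lines for the example; not real traffic."""
    base = datetime(2003, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = []
    # A legitimate client: one request every ten seconds.
    events += [(i * 10, "10.0.0.5", "GET /index.html") for i in range(6)]
    # A single-source flood: 30 requests in five seconds against one page.
    events += [(60 + i // 6, "203.0.113.7", "GET /search?q=x") for i in range(30)]
    # A distributed flood: 40 sources, 3 requests each, all inside three seconds.
    events += [(100 + j, f"198.51.100.{k}", "GET /")
               for k in range(1, 41) for j in range(3)]
    events.sort()
    lines = [
        f'{ip} - - [{(base + timedelta(seconds=off)).strftime("%d/%b/%Y:%H:%M:%S %z")}] '
        f'"{req} HTTP/1.0" 200 512'
        for off, ip, req in events
    ]
    lines.insert(3, "this line is garbage and must not crash the parser")
    return lines


if __name__ == "__main__":
    found = detect_floods(build_sample_log())
    for alert in found:
        print(alert)
    for action in recovery_actions(found):
        print("recovery:", action)
```

The per-source deque only ever holds events inside the window, so memory is bounded by the request rate rather than by log length; the `flagged` set keeps the detector from re-alerting on every further request from a source already reported.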
What example of a replayed message could lead to a masquerade attack?
If an attacker identified and captured a data sequence that contained a password allowing access to a restricted service, then it might be possible to assume the identity of the legitimate user by replaying the password sequence.
In this unit I shall not deal with the detailed threats arising from computer viruses, but just give a brief explanation of some terms. The word ‘virus’ is used loosely to cover Trojans and worms as well, and more specifically to mean self-replicating code that spreads by attaching itself to other programs.
A Trojan is a program that appears legitimate but carries hidden instructions enabling it to perform a malicious act, such as capturing passwords. The captured passwords can then be used in other forms of attack, for example a masquerade.
A worm is a program that replicates itself, typically spreading to other hosts across a network; the traffic and processing its replication generates can create a level of demand for services that cannot be satisfied.
Strictly, the term virus refers to self-replicating code that spreads by attaching itself to other programs, whereas a worm spreads as a stand-alone program.
How might you classify a computer virus attack according to the categories in Figure 2 (see Section 3.2)?
A virus attack is an active attack, but more details of the particular virus mechanism are needed for further categorisation. From the information on computer viruses, Trojans can lead to masquerade attacks in which captured passwords are put to use, and worms can result in loss of the availability of services, so denial of service is appropriate here. However, if you research further you should be able to find viruses that are implicated in all the forms of active attack identified in Figure 2.
An attack may also take the form of a hoax. A hoax may consist of instructions or advice to delete an essential file under the pretence, for instance, of avoiding virus infection. How would you categorise this type of attack?
Denial of service will result if the instructions are followed and an essential file is removed.
Threats to network security are not static. They evolve as developments in operating systems, application software and communication protocols create new opportunities for attack.
During your study of this unit it would be a good idea to carry out a web search to find the most common forms of network attack. A suitable phrase containing key words for searching could be:
most common network security vulnerabilities
Limit the search to reports within a year. Can you relate any of your findings to the general categories discussed above? What areas of vulnerability predominate? When I searched in early 2003, the most commonly reported network attacks were attributable to weaknesses in software systems (program bugs) and protocol vulnerabilities. Poor discipline in applying passwords rigorously and failure to implement other security provision were also cited. Another particular worry was the new opportunities for attack created by wireless access to fixed networks.