Types of attacks. DOS and DDoS attacks: concept, types, methods of detection and protection

The Internet is completely changing our way of life: work, study, leisure. These changes will occur both in areas we already know (electronic commerce, access to real-time information, increased communication capabilities, etc.) and in areas we cannot yet imagine.

The time may come when a corporation will make all its telephone calls over the Internet, completely free of charge. In private life, special Web sites may appear, with the help of which parents can find out at any time how their children are doing. Our society is just beginning to realize the limitless possibilities of the Internet.

Introduction

Simultaneously with the enormous growth in the popularity of the Internet, an unprecedented danger of disclosure of personal data, critical corporate resources, state secrets, etc. arises.

Every day, hackers threaten these resources by trying to gain access to them using special attacks that are gradually becoming more sophisticated on the one hand and easier to execute on the other. Two main factors contribute to this.

Firstly, this is the widespread penetration of the Internet. There are millions of devices connected to the Internet today, and many millions of devices will be connected to the Internet in the near future, making it increasingly likely that hackers will gain access to vulnerable devices.

In addition, the widespread use of the Internet allows hackers to exchange information on a global scale. A simple search for keywords like “hacker”, “hacking”, “hack”, “crack” or “phreak” will return you thousands of sites, many of which contain malicious code and how to use it.

Secondly, this is the wide availability of easy-to-use operating systems and development environments. This factor sharply reduces the level of knowledge and skills required of a hacker. Previously, in order to create and distribute easy-to-use attack tools, a hacker had to have good programming skills.

Now, to gain access to a hacker's tool, you only need to know the IP address of the desired site, and to carry out an attack, just a click of the mouse.

Classification of network attacks

Network attacks are as varied as the systems they target. Some attacks are very complex, while others are within the capabilities of an ordinary operator who does not even imagine the consequences of his activities. To evaluate the types of attacks, you need to know some of the inherent limitations of the TCP/IP protocol stack.

The Internet was created for communication between government agencies and universities to support the educational process and scientific research. The creators of this network had no idea how widespread it would become. As a result, the specifications of early versions of the Internet Protocol (IP) lacked security requirements. This is why many IP implementations are inherently vulnerable.

After many years and many Requests for Comments (RFCs), security measures for IP finally began to be implemented. However, because security was not designed into the IP protocol from the start, all its implementations have been supplemented with a variety of network procedures, services and products that reduce the risks inherent in this protocol. Next, we will briefly look at the types of attacks that are commonly used against IP networks and list ways to combat them.

Packet sniffer

A packet sniffer is an application program that uses a network card operating in promiscuous mode (in this mode, the network adapter sends all packets received over physical channels to the application for processing).

In this case, the sniffer intercepts all network packets transmitted through a specific domain. Today sniffers are used on networks on a completely legitimate basis, for fault diagnosis and traffic analysis. However, because some network applications transmit data in plain text (Telnet, FTP, SMTP, POP3, etc.), a sniffer can reveal useful and sometimes confidential information (for example, usernames and passwords).

Login and password interception poses a major threat because users often use the same login and password for multiple applications and systems. Many users generally have a single password to access all resources and applications.

If the application runs in client-server mode, and authentication data is transmitted over the network in readable text format, then this information can most likely be used to access other corporate or external resources. Hackers know and exploit human weaknesses too well (attack methods are often based on social engineering methods).

They are well aware that we use the same password to access many resources, and therefore they often manage to gain access to important information by learning our password. In the worst case scenario, a hacker gains system-level access to a user resource and uses it to create a new user who can be used at any time to access the Network and its resources.

You can reduce the threat of packet sniffing by using the following tools:

Authentication. Strong authentication is the most important defense against packet sniffing. By “strong” we mean authentication methods that are difficult to bypass. An example of such authentication is One-Time Passwords (OTP).

OTP is a two-factor authentication technology that combines what you have with what you know. A typical example of two-factor authentication is the operation of a regular ATM, which identifies you, firstly, by your plastic card, and secondly, by the PIN code you enter. A PIN code and your personal card are also required for authentication in the OTP system.

By “card” (token) we mean a hardware or software tool that generates (randomly) a unique one-time password. If a hacker learns this password using a sniffer, the information is useless, because by then the password has already been used and retired.

Note that this method of combating sniffing is effective only in cases of password interception. Sniffers that intercept other information (such as email messages) remain effective.

Switched infrastructure. Another way to combat packet sniffing in your network environment is to create a switched infrastructure. If, for example, the entire organization uses switched Ethernet, hackers can only access traffic arriving at the port they are connected to. A switched infrastructure does not eliminate the threat of sniffing, but it does significantly reduce its severity.

Antisniffers. The third way to combat sniffing is to install hardware or software that recognizes the sniffers running on your network. These tools cannot completely eliminate the threat, but, like many other network security tools, they are included in the overall protection system. Antisniffers measure host response times and determine whether hosts are having to process unnecessary traffic. One such product, available from L0pht Heavy Industries, is called AntiSniff.

Cryptography. This is the most effective way to combat packet sniffing: it does not prevent interception and does not detect sniffers, but it makes their work useless. If the communication channel is cryptographically secured, the hacker intercepts not the message but the ciphertext (that is, an incomprehensible sequence of bits). Cisco network-layer cryptography is based on IPSec, which is a standard method for secure communication between devices using the IP protocol. Other cryptographic network management protocols include SSH (Secure Shell) and SSL (Secure Sockets Layer).

IP spoofing

IP spoofing occurs when a hacker, inside or outside a corporation, impersonates an authorized user. This can be done in two ways: the hacker can use either an IP address that is within the range of authorized IP addresses, or an authorized external address that is allowed access to certain network resources.

IP spoofing attacks are often the starting point for other attacks. A classic example is a DoS attack, which starts from someone else's address, hiding the hacker's true identity.

Typically, IP spoofing is limited to inserting false information or malicious commands into the normal flow of data transmitted between a client and server application or over a communication channel between peer devices.

For two-way communication, the hacker must change all the routing tables to direct traffic to the false IP address. Some hackers, however, don't even try to get a response from the applications - if the main goal is to get an important file from the system, then the applications' responses don't matter.

If a hacker manages to change the routing tables and direct traffic to a false IP address, he will receive all packets and will be able to respond to them as if he were an authorized user.

The threat of spoofing can be mitigated (but not eliminated) by the following measures:

  • Access control. The easiest way to prevent IP spoofing is to properly configure access controls. To reduce the effectiveness of IP spoofing, configure access control to reject any traffic coming from an external network with a source address that should be located inside your network.

    True, this helps combat IP spoofing only when internal addresses alone are authorized; if some external network addresses are also authorized, this method becomes ineffective;

  • RFC 2827 filtering. You can stop users on your network from spoofing other people's networks (and become a good online citizen). To do this, you must reject any outgoing traffic whose source address is not one of your organization's IP addresses.

    This type of filtering, known as RFC 2827, can also be performed by your Internet Service Provider (ISP). As a result, all traffic that does not have a source address expected on a particular interface is rejected. For example, if an ISP provides a connection to the IP address 15.1.1.0/24, it can configure a filter so that only traffic originating from 15.1.1.0/24 is allowed from that interface to the ISP's router.

Note that until all providers implement this type of filtering, its effectiveness will be much lower than it could be. Additionally, the further away you are from the devices being filtered, the more difficult it is to filter accurately. For example, RFC 2827 filtering at the access router level requires passing all traffic from the main network address (10.0.0.0/8), while at the distribution level (in a given architecture) it is possible to restrict traffic more precisely (address 10.1.5.0/24).
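The ingress and egress rules described above, as an added Python example that is not part of the original article: it applies RFC 2827 egress filtering per interface and the border anti-spoofing rule using the prefixes quoted in the text (15.1.1.0/24, 10.0.0.0/8, 10.1.5.0/24); the interface names and sample packets are constructed for the example, and it shows why filtering closer to the source is more precise.

```python
import ipaddress

# Constructed topology using the prefixes quoted in the text: an ISP link
# serving customer 15.1.1.0/24, an enterprise access router that must pass
# all of 10.0.0.0/8, and a distribution-layer interface serving only
# 10.1.5.0/24. The interface names are assumptions made for this example.
EXPECTED_SOURCES = {
    "isp-customer-link": ["15.1.1.0/24"],
    "access-router": ["10.0.0.0/8"],
    "distribution-floor5": ["10.1.5.0/24"],
}
# Address space that belongs inside the organisation (assumed for the example).
INTERNAL_PREFIXES = ["10.0.0.0/8", "15.1.1.0/24"]


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def egress_permitted(interface, src):
    """RFC 2827 egress filter: a packet leaving through `interface` may only
    carry a source address from the prefixes that sit behind that interface;
    any other source is spoofed and is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in _nets(EXPECTED_SOURCES[interface]))


def ingress_permitted(src):
    """Border anti-spoofing rule: a packet arriving from the outside must not
    claim a source address that should only exist inside the network."""
    addr = ipaddress.ip_address(src)
    return not any(addr in net for net in _nets(INTERNAL_PREFIXES))


def filter_outbound(packets):
    """Apply the egress filter to (interface, src, dst) tuples and return
    a list of (interface, src, 'permit' or 'deny')."""
    return [(iface, src, "permit" if egress_permitted(iface, src) else "deny")
            for iface, src, _dst in packets]


if __name__ == "__main__":
    # Constructed sample: a floor-5 host forging a source elsewhere in 10/8.
    # The forged packet is caught at the distribution layer but would pass
    # an access router that has to permit the whole 10.0.0.0/8.
    sample = [
        ("distribution-floor5", "10.1.5.23", "198.51.100.10"),
        ("distribution-floor5", "10.7.7.7", "198.51.100.10"),
        ("access-router", "10.7.7.7", "198.51.100.10"),
        ("isp-customer-link", "203.0.113.5", "198.51.100.10"),
    ]
    for verdict in filter_outbound(sample):
        print(*verdict)
    print("inbound packet claiming 10.1.5.23:",
          "permit" if ingress_permitted("10.1.5.23") else "deny")
```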

The most effective method to combat IP spoofing is the same as in the case of packet sniffing: you need to make the attack completely ineffective. IP spoofing can only work if authentication is based on IP addresses.

Therefore, the introduction of additional authentication methods makes such attacks useless. The best type of additional authentication is cryptographic. If this is not possible, two-factor authentication using one-time passwords can give good results.

Denial of service

Denial of Service (DoS) is without a doubt the most well-known form of hacking attacks. In addition, these types of attacks are the most difficult to create 100% protection against. Among hackers, DoS attacks are considered child's play, and their use causes contemptuous grins, since organizing DoS requires a minimum of knowledge and skills.

Nevertheless, it is precisely the ease of implementation and the enormous scale of the harm caused that draw the close attention of administrators responsible for network security to DoS. If you want to learn more about DoS attacks, you should consider the most famous types, namely:

  • TCP SYN Flood;
  • Ping of Death;
  • Tribe Flood Network (TFN) and Tribe Flood Network 2000 (TFN2K);
  • Trinoo;
  • Stacheldraht;
  • Trinity.

An excellent source of security information is the Computer Emergency Response Team (CERT), which has published excellent work on combating DoS attacks.

DoS attacks are different from other types of attacks. They are not aimed at gaining access to your network, nor at obtaining any information from that network, but a DoS attack makes your network unavailable for normal use by exceeding the acceptable limits of the network, operating system, or application.

In the case of some server applications (such as a Web server or FTP server), DoS attacks can involve taking over all connections available to those applications and keeping them occupied, preventing ordinary users from being served. DoS attacks can use common Internet protocols such as TCP and ICMP (Internet Control Message Protocol).

Most DoS attacks do not target software bugs or security holes, but rather general weaknesses in the system architecture. Some attacks cripple network performance by flooding it with unwanted and unnecessary packets or misleading information about the current state of network resources.

This type of attack is difficult to prevent because it requires coordination with the provider. If you do not stop the traffic intended to overwhelm your network at the provider, you will no longer be able to do so at the entrance to your network, since all the bandwidth will already be consumed. When this type of attack is carried out simultaneously through many devices, we speak of a distributed DoS attack (DDoS).

The threat of DoS attacks can be reduced in three ways:

  • Anti-spoofing features. Properly configuring anti-spoofing features on your routers and firewalls will help reduce the risk of DoS. At a minimum, these features should include RFC 2827 filtering. If a hacker cannot disguise his true identity, he is unlikely to carry out an attack.
  • Anti-DoS functions. Proper configuration of anti-DoS features on routers and firewalls can limit the effectiveness of attacks. These features often limit the number of half-open connections at any given time.
  • Traffic rate limiting. An organization may ask its Internet Service Provider (ISP) to limit the amount of traffic. This type of filtering allows you to limit the amount of non-critical traffic that passes through your network. A typical example is limiting the volume of ICMP traffic, which is used only for diagnostic purposes. (D)DoS attacks often use ICMP.
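An added example, not from the original article, of the half-open connection check that the anti-DoS features above perform, written in Python over a constructed netstat-style connection table: it counts SYN_RECV entries per source and in total, because a flood from spoofed, ever-changing source addresses only shows up in the total. Addresses, ports and thresholds are made up for the example.

```python
import re
from collections import Counter

# Constructed sample of a web server's TCP connection table in netstat
# style; addresses, ports and counts are made up for this example.
SAMPLE_TABLE = """\
tcp 0 0 10.1.5.80:80 203.0.113.7:40123 SYN_RECV
tcp 0 0 10.1.5.80:80 203.0.113.7:40124 SYN_RECV
tcp 0 0 10.1.5.80:80 203.0.113.7:40125 SYN_RECV
tcp 0 0 10.1.5.80:80 203.0.113.7:40126 SYN_RECV
tcp 0 0 10.1.5.80:80 203.0.113.7:40127 SYN_RECV
tcp 0 0 10.1.5.80:80 198.51.100.21:51000 ESTABLISHED
tcp 0 0 10.1.5.80:80 198.51.100.22:51001 SYN_RECV
tcp 0 0 10.1.5.80:80 198.51.100.23:51002 ESTABLISHED
garbage line that must be skipped
"""

LINE_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(?P<lip>\S+):(?P<lport>\d+)\s+"
    r"(?P<rip>\S+):(?P<rport>\d+)\s+(?P<state>[A-Z_]+)$"
)


def parse_table(text):
    """Parse netstat-style lines into (local_ip, local_port, remote_ip, state);
    malformed lines are ignored rather than crashing the monitor."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((m["lip"], int(m["lport"]), m["rip"], m["state"]))
    return rows


def half_open_by_source(rows):
    """Count SYN_RECV (half-open) entries per remote address."""
    return Counter(rip for _lip, _lport, rip, state in rows if state == "SYN_RECV")


def assess(text, per_source_limit=4, total_limit=20):
    """Flag sources holding more than per_source_limit half-open connections
    and report whether the total exceeds the backlog budget total_limit.
    The total check matters because a flood with spoofed, ever-changing
    source addresses never trips the per-source limit."""
    per_source = half_open_by_source(parse_table(text))
    total = sum(per_source.values())
    offenders = sorted(src for src, n in per_source.items() if n > per_source_limit)
    return {
        "half_open_total": total,
        "offenders": offenders,
        "backlog_exhausted": total > total_limit,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_TABLE))
    # A small backlog budget shows the distributed case being caught by the
    # total even though no single source stands out.
    print(assess(SAMPLE_TABLE, per_source_limit=10, total_limit=5))
```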

Password attacks

Hackers can carry out password attacks using a number of methods, such as brute force attack, Trojan horse, IP spoofing and packet sniffing. Although login and password can often be obtained through IP spoofing and packet sniffing, hackers often try to guess the password and login through multiple access attempts. This approach is called a simple search (brute force attack).

Often, such an attack uses a special program that tries to gain access to a public resource (for example, a server). If, as a result, the hacker is granted access to resources, he receives it with the rights of the regular user whose password was guessed.

If this user has significant access privileges, the hacker can create a "pass" for future access that will remain valid even if the user changes his password and login.

Another problem arises when users use the same (even very good) password to access many systems: corporate, personal, and Internet systems. Since the strength of a password is equal to the strength of the weakest host, a hacker who learns the password through that host gains access to all other systems where the same password is used.

Password attacks can be avoided by not using plain text passwords. One-time passwords and/or cryptographic authentication can virtually eliminate the threat of such attacks. Unfortunately, not all applications, hosts and devices support the above authentication methods.

When using regular passwords, try to come up with one that would be difficult to guess. The minimum password length must be at least eight characters. The password must include uppercase characters, numbers, and special characters (#, %, $, etc.).

The best passwords are difficult to guess and difficult to remember, forcing users to write them down on paper. To avoid this, users and administrators can use a number of recent technological advances.

For example, there are application programs that encrypt a list of passwords that can be stored in a pocket computer. As a result, the user only needs to remember one complex password, while all others will be reliably protected by the application.

There are several methods for an administrator to combat password guessing. One of them is to use the L0phtCrack tool, which is often used by hackers to guess passwords in the Windows NT environment. This tool will quickly show you whether the user's chosen password is easy to guess. For more information, visit http://www.l0phtcrack.com/.

Man-in-the-Middle attacks

For a Man-in-the-Middle attack, a hacker needs access to packets transmitted over the network. Such access to all packets transmitted from a provider to any other network can, for example, be obtained by an employee of this provider. Packet sniffers, transport protocols, and routing protocols are often used for this type of attack.

Such attacks are carried out to steal information, hijack the current session and gain access to private network resources, analyze traffic and obtain information about the network and its users, carry out DoS attacks, corrupt transmitted data and inject unauthorized information into network sessions.

Man-in-the-Middle attacks can only be effectively combated using cryptography. If a hacker intercepts data from an encrypted session, what will appear on his screen is not the intercepted message, but a meaningless set of characters. Note that if a hacker obtains information about a cryptographic session (for example, a session key), this could make a Man-in-the-Middle attack possible even in an encrypted environment.

Application level attacks

Application-level attacks can be carried out in several ways. The most common of them is the use of well-known weaknesses in server software (sendmail, HTTP, FTP). By exploiting these weaknesses, hackers can gain access to a computer as the user running the application (usually not a regular user, but a privileged administrator with system access rights).

Information about application-level attacks is widely published to give administrators the opportunity to correct the problem using corrective modules (patches). Unfortunately, many hackers also have access to this information, which allows them to improve their attacks.

The main problem with application-level attacks is that hackers often use ports that are allowed to pass through the firewall. For example, a hacker exploiting a known weakness in a Web server will often use port 80 in a TCP attack. Since the Web server provides Web pages to users, the firewall must provide access to this port. From the firewall's point of view, the attack is treated as standard traffic on port 80.

Application-level attacks cannot be completely eliminated. Hackers are constantly discovering and publishing new vulnerabilities in application programs on the Internet. The most important thing here is good system administration. Here are some measures you can take to reduce your vulnerability to this type of attack:

  • read operating system and network log files and/or analyze them using special analytical applications;
  • subscribe to an application vulnerability reporting service such as Bugtraq (http://www.securityfocus.com);
  • use the latest versions of operating systems and applications and the latest corrective modules (patches);
  • in addition to system administration, use intrusion detection systems (IDS), of which there are two complementary kinds:
    • a network IDS (NIDS) monitors all packets passing through a specific domain. When the NIDS sees a packet or series of packets matching the signature of a known or probable attack, it generates an alarm and/or terminates the session;
    • a host IDS (HIDS) protects the host using software agents. This system only combats attacks against a single host.

Network intelligence

Network intelligence refers to the collection of network information using publicly available data and applications. When preparing an attack against a network, a hacker usually tries to get as much information about it as possible. Network reconnaissance is carried out in the form of DNS queries, pings and port scanning.

DNS queries help you understand who owns a particular domain and what addresses are assigned to that domain. Pinging addresses revealed by DNS allows you to see which hosts are actually running in a given environment. After receiving a list of hosts, the hacker uses port scanning tools to compile a complete list of services supported by those hosts. Finally, the hacker analyzes the characteristics of the applications running on the hosts. As a result, he obtains information that can be used for hacking.

It is impossible to completely get rid of network intelligence. If, for example, you disable ICMP echo and echo reply on edge routers, you get rid of ping testing, but you lose the data needed to diagnose network failures.

In addition, you can scan ports without preliminary ping testing - it will just take more time, since you will have to scan non-existent IP addresses. Network- and host-level IDS systems typically do a good job of alerting administrators to ongoing network reconnaissance, allowing them to better prepare for an upcoming attack and to alert the Internet Service Provider (ISP) on whose network the overly curious system is located.

In their work, IDS systems use attack signatures, which are profiles of specific attacks or types of attacks. Signatures define the conditions under which traffic is considered hostile. Analogues of IDS in the physical world are a burglar alarm or a surveillance camera.

The biggest disadvantage of IDS is their tendency to generate false alarms. To minimize the number of false alarms and ensure correct functioning of the IDS system on the network, careful configuration of the system is necessary.
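An added Python example, not from the original article, of the kind of reconnaissance signature an IDS applies to denied-connection logs (port scans and ping sweeps) and of the false-alarm trade-off described above; the log format, addresses, timestamps and thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed firewall log excerpt (not taken from any real device): one
# outside host pings two hosts and probes several ports, a normal client
# hits one closed port, and the prober returns half an hour later.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY src=203.0.113.9 dst=10.1.5.80 proto=icmp type=8
2024-05-01T10:00:00 DENY src=203.0.113.9 dst=10.1.5.81 proto=icmp type=8
2024-05-01T10:00:01 DENY src=203.0.113.9 dst=10.1.5.80 proto=tcp dport=21
2024-05-01T10:00:01 DENY src=203.0.113.9 dst=10.1.5.80 proto=tcp dport=22
2024-05-01T10:00:01 DENY src=203.0.113.9 dst=10.1.5.80 proto=tcp dport=23
2024-05-01T10:00:02 DENY src=203.0.113.9 dst=10.1.5.80 proto=tcp dport=25
2024-05-01T10:00:02 DENY src=203.0.113.9 dst=10.1.5.80 proto=tcp dport=110
2024-05-01T10:00:02 ALLOW src=203.0.113.9 dst=10.1.5.80 proto=tcp dport=80
2024-05-01T10:00:07 ALLOW src=198.51.100.4 dst=10.1.5.80 proto=tcp dport=80
2024-05-01T10:00:09 DENY src=198.51.100.4 dst=10.1.5.80 proto=tcp dport=443
2024-05-01T10:30:00 DENY src=203.0.113.9 dst=10.1.5.80 proto=tcp dport=3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\S+)(?:\s+dport=(?P<dport>\d+))?(?:\s+type=(?P<type>\d+))?$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_recon(text, window_seconds=60, port_threshold=5, host_threshold=2):
    """Signature: within window_seconds one source is denied on at least
    port_threshold distinct (dst, port) pairs -> 'port_scan', or sends echo
    requests to at least host_threshold distinct hosts -> 'ping_sweep'.
    Lower thresholds catch slower scans but also turn an ordinary client that
    touched one closed port into a false alarm."""
    windows = defaultdict(list)  # src -> [[window_start, ports, hosts], ...]
    for ev in sorted(parse_log(text), key=lambda e: e["ts"]):
        if ev["action"] != "DENY":
            continue
        buckets = windows[ev["src"]]
        if not buckets or (ev["ts"] - buckets[-1][0]).total_seconds() > window_seconds:
            buckets.append([ev["ts"], set(), set()])
        _start, ports, hosts = buckets[-1]
        if ev["proto"] == "icmp" and ev["type"] == "8":
            hosts.add(ev["dst"])
        elif ev["dport"] is not None:
            ports.add((ev["dst"], ev["dport"]))
    alerts = []
    for src, buckets in windows.items():
        for start, ports, hosts in buckets:
            if len(ports) >= port_threshold:
                alerts.append({"src": src, "kind": "port_scan",
                               "count": len(ports), "at": start.isoformat()})
            if len(hosts) >= host_threshold:
                alerts.append({"src": src, "kind": "ping_sweep",
                               "count": len(hosts), "at": start.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(SAMPLE_LOG):
        print(alert)
    # Over-sensitive tuning: the ordinary client now shows up as a "scanner".
    for alert in detect_recon(SAMPLE_LOG, port_threshold=1):
        print("noisy:", alert)
```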

Breach of trust

Strictly speaking, this type of action is not in the full sense of the word an attack or assault. It represents the malicious exploitation of trust relationships that exist in a network. A classic example of such abuse is the situation in the peripheral part of the corporate network.

This segment often houses DNS, SMTP, and HTTP servers. Since they all belong to the same segment, hacking any one of them leads to hacking all the others, since these servers trust other systems on their network.

Another example is a system installed on the outside of the firewall that has a trust relationship with a system installed on the inside of the firewall. If an external system is compromised, the hacker can use the trust relationship to penetrate the system protected by the firewall.

The risk of breach of trust can be reduced by more tightly controlling the levels of trust within your network. Systems located outside the firewall should never have absolute trust from systems protected by the firewall.

Trust relationships should be limited to specific protocols and, if possible, authenticated by parameters other than IP addresses.

Port Forwarding

Port forwarding is a form of abuse of trust in which a compromised host is used to pass traffic through a firewall that would otherwise be rejected. Let's imagine a firewall with three interfaces, each of which is connected to a specific host.

An external host can connect to a shared host (DMZ), but not to one installed on the inside of the firewall. A shared host can connect to both an internal and external host. If a hacker takes over a shared host, he can install software on it that redirects traffic from the external host directly to the internal one.

Although this does not violate any of the firewall's rules, as a result of the redirection the external host gains direct access to the protected host. An example of an application that can provide such access is netcat. More information can be found at http://www.avian.org.

The main way to combat port forwarding is to use strong trust models (see previous section). In addition, a host IDS system (HIDS) can prevent a hacker from installing his software on a host.

Unauthorized access

Unauthorized access cannot be identified as a separate type of attack, since most network attacks are carried out precisely to gain unauthorized access. To guess a Telnet login, a hacker must first get a Telnet prompt on his system. After connecting to the Telnet port, the message “Authorization is required to use this resource.” appears on the screen.

If the hacker continues to attempt access after this, they will be considered unauthorized. The source of such attacks can be either inside the network or outside.

Methods to combat unauthorized access are quite simple. The main thing here is to reduce or completely eliminate the hacker's ability to gain access to the system using an unauthorized protocol.

As an example, consider preventing hackers from accessing the Telnet port on a server that provides Web services to external users. Without access to this port, a hacker will not be able to attack it. As for the firewall, its main task is to prevent the simplest attempts of unauthorized access.

Viruses and Trojan horse applications

End user workstations are very vulnerable to viruses and Trojan horses. Viruses are malicious programs that are inserted into other programs to perform a specific unwanted function on the end user's workstation. An example is a virus that is written in the command.com file (the main interpreter of Windows systems) and erases other files, and also infects all other versions of command.com it finds.

A Trojan horse is not a software insert, but a real program that at first glance seems to be a useful application, but in fact plays a harmful role. An example of a typical Trojan horse is a program that looks like a simple game for the user's workstation.

However, while the user is playing the game, the program sends a copy of itself by email to every subscriber in that user's address book. All subscribers receive the game by mail, causing its further distribution.

The fight against viruses and Trojan horses is carried out with the help of effective anti-virus software that works at the user level and, possibly, at the network level. Antivirus products detect most viruses and Trojan horses and stop their spread.

Getting the latest information about viruses will help you fight them more effectively. As new viruses and Trojan horses emerge, businesses must install new versions of antivirus tools and applications.

Our computer systems are vulnerable to various types of attacks. To protect a system from these attacks, it is important to know the common computer attacks. In today's world, it has become almost commonplace to hear about personal computer systems or networks being attacked. In this age of technology, there are various types of computer attacks from which you need to protect your precious data, systems and networks. While some attacks may simply damage the data on the computer, there are other attacks where data from the computer system may be stolen, as well as attacks where the entire network can be shut down.

Simply put, there are two main types of attacks, passive attacks and active attacks. Passive attacks are those where data on a computer is monitored and later used for malicious interests, while active attacks are those where there are either changes to the data or data will be deleted or networks will be completely destroyed. Below are some of the most common types of active and passive attacks that can affect computers.

Active types of computer attacks

Virus

The most famous computer attacks and viruses have been around for a long period of time. They are installed on computers and spread to other files on the system. They are often distributed through external hard drives, or through certain Internet sites or as email attachments. Once viruses are launched, they become independent from the creator, and their goal is to infect many files and other systems.

Root Kit

Hackers gain access to the system using a rootkit (a set of kernel-level drivers or system components) and take complete control of the computer. Rootkits are among the most dangerous computer attacks because the hacker can gain more control over the system than its owner. In some cases, hackers can also turn on a webcam and monitor the victim's activities, learning everything about him.

Trojan

In the list of computer attacks, Trojan horses rank highest after viruses. They are often embedded in a piece of software, in screen savers, or in games that run normally. However, once they are copied onto the system, they infect the computer with a virus or rootkit. In other words, they act as carriers of viruses or rootkits to infect the system.

Worm

Worms can be called relatives of viruses. The difference between viruses and Internet worms is that worms infect a system without any help from the user. The first step is that the worms scan computers for vulnerabilities. They then copy themselves into the system and infect the system, and the process repeats.

Passive types of computer attacks

Eavesdropping

As the name suggests, hackers stealthily listen to conversations taking place between two computers on a network. This can happen in a closed system as well as over the Internet. It is also known as snooping. With eavesdropping, sensitive data that makes its way across the network can be accessed by other people.

Password attacks

One of the most common types of cyber attacks is the password attack. Here, hackers gain access to a computer and network resources by obtaining a control password. It is often seen that the attacker then changes the server and network configuration and in some cases even deletes data. Additionally, the data can be transmitted to different networks.

Compromised key attack

To protect confidential data, a secret code or number (a key) can be used. Obtaining the key is without doubt a huge task for a hacker, but it is possible that after intensive effort the hacker actually gets hold of the key. When a key is in the possession of a hacker, it is known as a compromised key. The hacker now has access to the confidential data and can make changes to it. There is also the possibility that the hacker will try different permutations and combinations of the key to access other sets of sensitive data.

Identity impersonation

Every computer has an IP address that identifies it as a valid, distinct participant on the network. One of the common computer attacks is to assume the identity of another computer. Here IP packets are sent from what appear to be valid addresses in order to gain access to a specific IP address. Once access is gained, system data can be deleted, modified, or redirected. Additionally, a hacker can use the compromised IP address to attack other systems within or outside the network.

Application Layer attacks

The goal of an application-level attack is to cause a crash in the server's operating system. Once a fault is created in the operating system, the hacker can gain access to control the server. This in turn leads to data being modified in various ways. A virus may be introduced into the system, or multiple requests may be sent to the server, which may cause it to crash, or security controls may be disabled, making it difficult to recover the server.

These were some of the types of attacks that servers and individual computer systems can be subjected to. The list of latest computer attacks continues to increase every day, for which hackers are using new hacking methods.

Table 9.1. Vulnerabilities of TCP/IP stack protocols
Columns: protocol name; protocol stack layer; name (characteristic) of the vulnerability; content of the information security violation.

FTP (File Transfer Protocol), a protocol for transferring files over a network
  Layer: not given
  Vulnerability:
  • plaintext authentication (passwords are sent unencrypted)
  • default access
  • two open ports
  Violation: possibility of data interception

telnet, a remote terminal control protocol
  Layer: application, presentation, session
  Vulnerability: plaintext authentication (passwords are sent unencrypted)
  Violation:
  • possibility of intercepting account data (registered user names, passwords)
  • gaining remote access to hosts

UDP (User Datagram Protocol), a connectionless data transfer protocol
  Layer: transport
  Vulnerability: no mechanism to prevent buffer overloads
  Violation:
  • possibility of a UDP storm
  • as a result of the packet exchange, a significant decrease in server performance

ARP, a protocol for mapping IP addresses to physical addresses
  Layer: network
  Vulnerability: plaintext exchange (information is sent unencrypted)
  Violation: possibility of interception of user traffic by an attacker

RIP (Routing Information Protocol)
  Layer: transport
  Vulnerability: no authentication of route change control messages
  Violation: ability to redirect traffic through the attacker's host

TCP (Transmission Control Protocol)
  Layer: transport
  Vulnerability: no mechanism for checking that packet service headers are filled in correctly
  Violation: significant reduction in communication speed and even complete interruption of arbitrary TCP connections

DNS, a protocol for mapping mnemonic names to network addresses
  Layer: application, presentation, session
  Vulnerability: no means of verifying the authenticity of data received from the source
  Violation: tampering with the DNS server response

IGMP, a routing message protocol
  Layer: network
  Vulnerability: no authentication of messages about changing route parameters
  Violation: Win 9x/NT/2000 systems freeze

SMTP, the e-mail message delivery protocol
  Layer: application, presentation, session
  Vulnerability: not given
  Violation: possibility of forging e-mail messages as well as the sender address

SNMP, a protocol for controlling routers in networks
  Layer: application, presentation, session
  Vulnerability: no support for message header authentication
  Violation: possibility of network bandwidth overload

Threats carried out over the network are classified according to the following main characteristics:

  1. Nature of the threat:
    • passive: a threat that does not affect the operation of the information system, but can violate the rules of access to protected information. Example: using a sniffer to “listen” to a network.
    • active: a threat that affects the components of an information system and whose implementation has a direct impact on the operation of the system. Example: a DDoS attack in the form of a TCP request storm.
  2. Goal of the threat (respectively, the confidentiality, availability or integrity of information).
  3. Attack start condition:
    • upon a request from the attacked object, that is, the attacker waits for a request of a certain type to be transmitted, and this request is the condition for starting the attack;
    • upon the occurrence of an expected event at the attacked object;
    • unconditional impact: the attacker does not wait for anything, that is, the threat is implemented immediately and regardless of the state of the attacked object.
  4. Presence of feedback from the attacked object:
    • with feedback, that is, the attacker needs to receive answers to some requests; there is thus a feedback loop between the target and the attacker that lets the attacker monitor the state of the attacked object and respond adequately to its changes;
    • without feedback, that is, there is no feedback and the attacker has no need to react to changes in the attacked object.
  5. Location of the intruder relative to the attacked information system: intra-segment or inter-segment. A network segment is a physical association of hosts, hardware and other network components that share a network address. For example, one segment is formed by computers connected to a common bus based on Token Ring.
  6. ISO/OSI reference model layer at which the threat is implemented: physical, data link, network, transport, session, presentation, application.

Let's look at the attacks currently most common in networks based on the TCP/IP protocol stack.

  1. Network traffic analysis. This attack is implemented using a special program called a sniffer. A sniffer is an application program that uses a network card operating in the so-called “promiscuous” mode, in which the card accepts all packets regardless of whom they are addressed to. In the normal state, link-layer packet filtering is used on an Ethernet interface: if the MAC address in the destination header of a received packet does not match the MAC address of the interface and is not a broadcast address, the packet is discarded. In “promiscuous” mode this filtering by the network interface is disabled and all packets, including those not intended for the current node, are passed up into the system. It should be noted that many such programs are used for legitimate purposes, for example, for diagnosing faults or analyzing traffic. However, the table reviewed above lists protocols that send information, including passwords, in clear text: FTP, SMTP, POP3, etc. Thus, using a sniffer, an attacker can intercept a username and password and gain unauthorized access to confidential information. Moreover, many users use the same password for many online services, so a single weak point in the network in the form of weak authentication can compromise the entire network. Attackers are well aware of human weaknesses and make wide use of social engineering methods.

    Protection against this type of attack may include the following:

    • Strong authentication, e.g. using one-time passwords (OTP). The idea is that a password can be used only once, so even if an attacker intercepts it with a sniffer, it has no value. Of course, this mechanism only protects against interception of passwords and is useless against interception of other information, for example, e-mail.
    • Anti-sniffers: hardware or software that can detect a sniffer operating in a network segment. As a rule, they measure the load on network nodes in order to find an “excess” load.
    • Switched infrastructure. Network traffic analysis is only possible within one network segment. If the network is built on devices that divide it into many segments (switches and routers), an attack is possible only in the parts of the network that belong to one port of such a device. This does not solve the problem of sniffing, but it does shrink the area an attacker can “listen” to.
    • Cryptographic methods. The most reliable way to deal with sniffers: the information that can be obtained by interception is encrypted and therefore useless. The most commonly used are IPSec, SSL and SSH.
  2. Network scanning. The purpose of network scanning is to identify the services running on the network, open ports, active network services, the protocols used, etc., that is, to collect information about the network. The most commonly used methods of network scanning are:
    • DNS queries, which help an attacker find out the domain owner and its address range;
    • ping testing, which identifies working hosts among the addresses obtained from DNS;
    • port scanning, which compiles a complete list of the services supported by these hosts, their open ports, applications, etc.

    A good and most common countermeasure is the use of an IDS, which successfully detects signs of network scanning and notifies the administrator. It is impossible to get rid of this threat completely: if, for example, you disable ICMP echo and echo reply on your router, you remove the ping threat but at the same time lose the data needed to diagnose network failures.
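    Detection logic of the kind an IDS applies to the two scanning steps above, as an added example that is not from the original text: it reads constructed firewall drop records (the log format and the thresholds are assumptions) and flags a source that pings many distinct hosts or probes many distinct ports within a short window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall DROP records (not real traffic): one source pings six
# hosts and then probes eight ports on one host; another source only retries
# a single port.  The record format is an assumption of this example.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DROP src=198.51.100.7 dst=10.0.0.5 proto=ICMP type=8
2024-05-01T10:00:00 DROP src=198.51.100.7 dst=10.0.0.6 proto=ICMP type=8
2024-05-01T10:00:01 DROP src=198.51.100.7 dst=10.0.0.7 proto=ICMP type=8
2024-05-01T10:00:01 DROP src=198.51.100.7 dst=10.0.0.8 proto=ICMP type=8
2024-05-01T10:00:02 DROP src=198.51.100.7 dst=10.0.0.9 proto=ICMP type=8
2024-05-01T10:00:02 DROP src=198.51.100.7 dst=10.0.0.10 proto=ICMP type=8
2024-05-01T10:00:05 DROP src=198.51.100.7 dst=10.0.0.5 proto=TCP dport=21
2024-05-01T10:00:05 DROP src=198.51.100.7 dst=10.0.0.5 proto=TCP dport=22
2024-05-01T10:00:05 DROP src=198.51.100.7 dst=10.0.0.5 proto=TCP dport=23
2024-05-01T10:00:06 DROP src=198.51.100.7 dst=10.0.0.5 proto=TCP dport=25
2024-05-01T10:00:06 DROP src=198.51.100.7 dst=10.0.0.5 proto=TCP dport=53
2024-05-01T10:00:06 DROP src=198.51.100.7 dst=10.0.0.5 proto=TCP dport=80
2024-05-01T10:00:07 DROP src=198.51.100.7 dst=10.0.0.5 proto=TCP dport=110
2024-05-01T10:00:07 DROP src=198.51.100.7 dst=10.0.0.5 proto=TCP dport=143
2024-05-01T10:00:09 DROP src=203.0.113.4 dst=10.0.0.5 proto=TCP dport=443
2024-05-01T10:03:00 DROP src=203.0.113.4 dst=10.0.0.5 proto=TCP dport=443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?(?: type=(?P<type>\d+))?"
)


def parse_line(line):
    """Return the fields of one record as a dict, or None for unparsable noise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_scans(log_text, window=timedelta(seconds=60),
                 port_threshold=8, host_threshold=5):
    """Sliding-window scan detector.

    Returns {src: [kinds]} where a kind is 'ping_sweep' (ICMP echo requests to
    at least host_threshold distinct hosts inside the window) or 'port_scan'
    (at least port_threshold distinct destination ports inside the window).
    Only distinct targets count, so a client retrying one port is not flagged.
    """
    recent = defaultdict(lambda: defaultdict(deque))   # src -> kind -> events
    alerts = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] == "ICMP" and rec["type"] == "8":
            kind, key, threshold = "ping_sweep", rec["dst"], host_threshold
        elif rec["proto"] in ("TCP", "UDP") and rec["dport"]:
            kind, key, threshold = "port_scan", (rec["dst"], rec["dport"]), port_threshold
        else:
            continue
        events = recent[rec["src"]][kind]
        events.append((rec["ts"], key))
        # Drop events that have fallen out of the window before counting.
        while events and rec["ts"] - events[0][0] > window:
            events.popleft()
        if len({k for _, k in events}) >= threshold:
            alerts[rec["src"]].add(kind)
    return {src: sorted(kinds) for src, kinds in alerts.items()}


if __name__ == "__main__":
    for src, kinds in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {', '.join(kinds)}")
```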

  3. Password disclosure. The main goal of this attack is to gain unauthorized access to protected resources by overcoming password protection. To obtain a password, an attacker can use many methods: simple brute force, a dictionary attack, sniffing, etc. The most common is simple brute force, an exhaustive search of all possible password values. To protect against simple brute force it is necessary to use strong passwords that are not easy to guess: 6-8 characters long, with upper and lower case letters and special characters (@, #, $, etc.).

    Another information security problem is that most people use the same password for all services, applications, sites, etc. Moreover, the vulnerability of a password is determined by the weakest place where it is used.

    These types of attacks can be avoided by using one-time passwords, which we discussed earlier, or cryptographic authentication.

  4. IP spoofing, or substitution of a trusted network object. Trusted in this case means a network object (computer, router, firewall, etc.) legitimately connected to the server. The threat consists of an attacker impersonating a trusted network object. This can be done in two ways: by using an IP address within the range of authorized IP addresses, or by using an authorized external address that is allowed access to certain network resources. This type of attack is often the starting point for other attacks.

    Typically, spoofing a trusted network object is limited to inserting false information or malicious commands into the normal flow of data transmitted between network objects. For two-way communication the attacker must also change the routing tables so that traffic is directed to the false IP address, which is also possible. To mitigate the threat (but not eliminate it), the following can be used:

    • Access control. Access control can be configured to reject any traffic arriving from an external network with a source address from inside the network. This method is effective only if internal addresses alone are authorized; it does not work if there are authorized external addresses.
    • RFC 2827 filtering. This type of filtering stops attempts by users of your network to spoof other networks: any outgoing traffic whose source address is not one of your organization's IP addresses is rejected. Often this filtering is performed by the provider, so that all traffic without a source address expected on a particular interface is rejected. For example, if an ISP provides a connection to the address range 15.1.1.0/24, it can configure a filter so that only traffic originating from 15.1.1.0/24 is allowed from that interface into the ISP's router. Note that until all providers implement this type of filtering, its effectiveness will be much lower than it could be.
    • Additional authentication methods. IP spoofing is only possible with IP-based authentication. If additional authentication measures, for example cryptographic ones, are introduced, the attack becomes useless.
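    The access-control and RFC 2827 rules above as a small filter model, written as an added example that is not from the original text, using the 15.1.1.0/24 prefix from the text; the class, its method names and the “authorized external address” case are assumptions of this example.

```python
import ipaddress

# RFC 1918 ranges, which must never appear as a source arriving from the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class SpoofFilter:
    """Anti-spoofing rules for one router interface, modelling the two measures
    in the text: the inside/outside access-control check and RFC 2827 egress
    filtering.  The class and its names are assumptions of this example."""

    def __init__(self, site_prefixes, authorized_external=()):
        # Prefixes that legitimately live behind this interface.
        self.site = [ipaddress.ip_network(p) for p in site_prefixes]
        # External addresses trusted by IP: the case the text says the simple
        # inside/outside check cannot handle.
        self.authorized_external = {ipaddress.ip_address(a) for a in authorized_external}

    def _is_site_address(self, addr):
        return any(addr in net for net in self.site)

    def filter_packet(self, direction, src):
        """Return (verdict, reason) for a packet with source address src seen
        in the given direction ('egress' = leaving the site towards the ISP,
        'ingress' = arriving from the outside)."""
        addr = ipaddress.ip_address(src)
        if direction == "egress":
            # RFC 2827: only the site's own addresses may leave through this
            # interface, so local users cannot spoof other networks.
            if self._is_site_address(addr):
                return "accept", "source belongs to the site"
            return "drop", "RFC 2827: outgoing source not in site prefixes"
        if direction == "ingress":
            # Access control: nothing arriving from outside may claim an inside source.
            if self._is_site_address(addr):
                return "drop", "spoofed internal source arriving from outside"
            if addr.is_loopback or any(addr in net for net in RFC1918):
                return "drop", "non-routable source address"
            if addr in self.authorized_external:
                # The filter cannot tell a genuine packet from this address from
                # a forged one; this is why the text asks for stronger
                # (e.g. cryptographic) authentication in that case.
                return "accept", "authorized external address (unverifiable by filtering)"
            return "accept", "ordinary external source"
        raise ValueError(f"unknown direction {direction!r}")


def dropped_sources(flt, packets):
    """Run (direction, src) pairs through the filter; return the dropped sources."""
    return [src for direction, src in packets
            if flt.filter_packet(direction, src)[0] == "drop"]


if __name__ == "__main__":
    flt = SpoofFilter(["15.1.1.0/24"], authorized_external=["203.0.113.9"])
    # Constructed packets: a legitimate outbound packet, an outbound spoof,
    # an inbound packet forging an internal address, and a trusted external one.
    sample = [("egress", "15.1.1.20"), ("egress", "198.51.100.3"),
              ("ingress", "15.1.1.20"), ("ingress", "203.0.113.9")]
    for d, s in sample:
        print(d, s, flt.filter_packet(d, s))
```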
  5. Denial of Service (DoS): an attack on a computer system with the aim of bringing it to failure, that is, creating conditions under which legitimate users of the system cannot access the resources it provides, or can do so only with difficulty.

    The DoS attack is the most common and best-known attack of recent times, primarily because of its ease of implementation. Organizing a DoS attack requires a minimum of knowledge and skill and relies on the shortcomings of network software and network protocols. If an attack is carried out using many network devices, it is called a distributed DoS attack (DDoS).

    Today, the following five types of DoS attack are the most commonly used; there is a large amount of software for them and they are the hardest to protect against:

    • Smurf: ICMP ping requests. When a ping packet (an ICMP ECHO message) is sent to a broadcast address (for example, 10.255.255.255), it is delivered to every machine on that network. The principle of the attack is to send a constant stream of ICMP ECHO REQUEST packets to a network broadcast address with a forged source address, that of the attacked host. Every machine that receives the request answers the apparent source with an ICMP ECHO REPLY packet, so the response flow is amplified in proportion to the number of hosts on the network. As a result, the whole network is subjected to denial of service due to congestion.
    • ICMP flood: an attack similar to Smurf but without the amplification produced by requests to a directed broadcast address.
    • UDP flood: sending a large number of UDP (User Datagram Protocol) packets to the address of the attacked node.
    • TCP flood: sending a large number of TCP packets to the address of the attacked node.
    • TCP SYN flood: a large number of requests to open TCP connections are sent to the attacked node, which then has to spend all its resources tracking these half-open connections.

    If you are running a Web server or FTP server application, a DoS attack occupies all the connections available to those applications, and users cannot access them. Some attacks can bring down an entire network by flooding it with unnecessary packets. To counter such attacks the provider must be involved, because if the unwanted traffic is not stopped at the entrance to the network, the attack cannot be stopped: the bandwidth will already be consumed.

    The following programs are most often used to implement a DoS attack:

    • Trinoo: a rather primitive program, historically the first used to organize DoS attacks, of a single type: UDP flood. Programs of the “trinoo” family are easily detected by standard security tools and do not pose a threat to anyone who cares even a little about their security.
    • TFN and TFN2K: a more serious weapon. They allow several types of attack to be organized simultaneously: Smurf, UDP flood, ICMP flood and TCP SYN flood. Using these programs requires a much more skilled attacker.
    • Stacheldraht (“barbed wire”): the latest tool for organizing DoS attacks. This package allows a variety of attack types to be organized, including avalanches of broadcast ping requests. In addition, data exchange between controllers and agents is encrypted, and an automatic self-modification function is built into the software itself. The encryption makes it very difficult to detect the attacker.

    To mitigate the threat, the following can be used:

    • Anti-spoofing features. Properly configuring anti-spoofing features on routers and firewalls helps reduce the risk of DoS. At a minimum, these features should include RFC 2827 filtering. If a hacker cannot disguise his true identity, he is unlikely to carry out an attack.
    • Anti-DoS features. Proper configuration of anti-DoS features on routers and firewalls can limit the effectiveness of attacks. These features often limit the number of half-open channels permitted at any given time.
    • Traffic rate limiting. An organization can ask its ISP to limit the amount of traffic. This type of filtering limits the amount of non-critical traffic that passes through the network. A common example is limiting the volume of ICMP traffic, which is used only for diagnostic purposes; DoS attacks often use ICMP.
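    A model of the half-open connection limit mentioned under anti-DoS features, as an added example that is not from the original text: a simplified TCP listener's table of embryonic connections with a cap and a timeout, driven by a constructed SYN flood followed by legitimate clients. The table size, the timeout and the traffic are all assumptions of this example.

```python
from collections import OrderedDict


class HalfOpenTable:
    """A simplified TCP listener's table of embryonic connections (SYN received,
    handshake not finished).  The cap models the anti-DoS feature in the text
    that limits half-open channels; the timeout models the listener giving up
    on a handshake that never completes.  All values are assumptions."""

    def __init__(self, max_half_open=64, timeout=30.0):
        self.max_half_open = max_half_open
        self.timeout = timeout
        self.half_open = OrderedDict()   # (src, sport) -> time of SYN, oldest first
        self.established = 0
        self.refused = 0

    def _expire(self, now):
        # Entries are inserted in time order, so stop at the first live one.
        while self.half_open:
            _, started = next(iter(self.half_open.items()))
            if now - started <= self.timeout:
                break
            self.half_open.popitem(last=False)

    def on_syn(self, now, src, sport):
        """Handle a SYN; return False if the half-open limit refuses it."""
        self._expire(now)
        if len(self.half_open) >= self.max_half_open:
            self.refused += 1
            return False
        self.half_open[(src, sport)] = now
        return True

    def on_ack(self, now, src, sport):
        """Handle the final ACK of the handshake; return True if it matched."""
        if self.half_open.pop((src, sport), None) is None:
            return False
        self.established += 1
        return True


def simulate(flood_syns=0, legit_delay=0.0, max_half_open=64, timeout=30.0):
    """Constructed scenario: flood_syns SYNs from spoofed sources that never
    complete the handshake, then five legitimate clients legit_delay seconds
    later.  Returns how many legitimate clients were served and the table state."""
    table = HalfOpenTable(max_half_open=max_half_open, timeout=timeout)
    now = 0.0
    for i in range(flood_syns):
        # Spoofed sources: the SYN-ACKs go nowhere, so the entries stay half-open.
        table.on_syn(now, f"198.51.100.{i % 250}", 40000 + i)
        now += 0.001
    now += legit_delay
    served = 0
    for i in range(5):
        src, sport = f"203.0.113.{i + 1}", 50000 + i
        if table.on_syn(now, src, sport) and table.on_ack(now + 0.05, src, sport):
            served += 1
        now += 0.1
    return {"served": served, "half_open": len(table.half_open),
            "refused": table.refused}


if __name__ == "__main__":
    print("no attack:       ", simulate())
    print("flood, no wait:  ", simulate(flood_syns=200))
    print("flood, wait 31 s:", simulate(flood_syns=200, legit_delay=31))
```

    The cap protects the host's memory but, on its own, still turns away legitimate clients until the stale entries time out, which is why the text also asks for rate limiting at the provider.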

    There are several kinds of threat of this type:

    • Hidden denial of service, when part of the network resources is consumed processing packets sent by an attacker, reducing channel capacity, disrupting request processing times and degrading the performance of network devices. Example: a directed ICMP echo request storm or a TCP connection request storm.
    • Explicit denial of service caused by exhaustion of network resources as a result of processing packets sent by attackers. Legitimate user requests cannot be processed because the entire channel bandwidth is occupied, buffers are full, disk space is full, etc. Example: a directed storm (SYN flooding).
    • Explicit denial of service caused by a violation of logical connectivity between network devices when an attacker transmits control messages on behalf of network devices. In this case the routing and address data change. Example: ICMP Redirect Host or DNS flood.
    • Explicit denial of service caused by an attacker transmitting packets with non-standard attributes (for example, a UDP bomb) or with a length exceeding the maximum (Ping of Death).

    DoS attacks are aimed at disrupting the availability of information and do not violate integrity and confidentiality.

  6. Application-level attacks. This type of attack exploits holes in server software (HTML, sendmail, FTP). Using these vulnerabilities, an attacker gains access to a computer on behalf of the user the application runs as. Application-layer attacks often use ports that are allowed to “pass” through the firewall.

    The main problem with application-layer attacks is that they often use ports that are allowed to pass through the firewall. For example, a hacker attacking a Web server might use TCP port 80. In order for the Web server to serve pages to users, port 80 on the firewall must be open. From the firewall's point of view, the attack is treated as standard traffic on port 80.

    It is impossible to eliminate application-level attacks completely, since application programs with new vulnerabilities appear regularly. The most important thing here is good system administration. Here are some measures that reduce vulnerability to this type of attack:

    • reading logs (system and network);
    • tracking vulnerabilities in new software using specialized sites, for example http://www.cert.com;
    • use of an IDS.

From the very nature of a network attack it is clear that its occurrence is not controlled by any individual network node. We have not considered all the attacks possible on a network; in practice there are many more. It is not feasible to protect against all types of attack. The best approach to protecting the network perimeter is to eliminate the vulnerabilities that are used in most cybercriminal attacks. Lists of such vulnerabilities are published by many sites that collect such statistics, for example the SANS Institute: http://www.sans.org/top-cyber-security-risks/?ref=top20. An ordinary attacker is not looking for original methods of attack; he scans the network for a known vulnerability and exploits it.

There are four main categories of attacks:

· access attacks;

· modification attacks;

· denial of service attacks;

· repudiation attacks.

Let's take a closer look at each category. There are many ways to carry out attacks: using specially developed tools, social engineering methods, and vulnerabilities in computer systems. In social engineering, no technical means are used to gain unauthorized access to a system: the attacker obtains information through a simple telephone call or enters an organization under the guise of an employee. These attacks are the most destructive.

Attacks aimed at capturing information stored electronically have one interesting feature: the information is not stolen, but copied. It remains with the original owner, but the attacker also receives it. Thus, the owner of the information suffers losses, and it is very difficult to detect the moment when this happened.

Access attacks

An access attack is an attempt by an attacker to obtain information that he does not have permission to view. Such an attack is possible wherever information and the means of transmitting it exist. An access attack is aimed at violating the confidentiality of information. The following types of access attack are distinguished:

· peeping;

· eavesdropping;

· interception.

Peeping (snooping) is viewing files or documents in search of information of interest to the attacker. If documents are stored as printouts, the attacker opens desk drawers and rummages through them. If the information is on a computer system, he looks through file after file until he finds what he needs.

Eavesdropping is the unauthorized listening to a conversation in which the attacker is not a participant. To gain unauthorized access to information in this way, the attacker must be close to it, and very often he uses electronic devices. The introduction of wireless networks has increased the likelihood of successful eavesdropping: the attacker no longer needs to be inside the system or to physically connect a listening device to the network.

Unlike eavesdropping, interception is an active attack. The attacker captures information while it is being transmitted to its destination and, after analyzing it, decides whether to allow or block its further passage.

Access attacks take different forms depending on how the information is stored: as paper documents or electronically on a computer. If the information an attacker needs is stored in paper documents, he needs access to those documents. They may be found in filing cabinets, in drawers or on desks, in a fax machine or printer, in the trash, or in an archive. Therefore an attacker needs to physically enter all of these locations.

Thus, physical access is the key to obtaining data. It should be noted that reliable protection of premises will protect data only from unauthorized persons, but not from employees of the organization or internal users.

Electronically, information is stored on workstations, servers, laptop computers, floppy disks, CDs and backup magnetic tapes.

An attacker can simply steal the storage medium (floppy disk, CD, backup tape, or laptop). Sometimes this is easier to do than to access files stored on computers.

If an attacker has legitimate access to the system, he will analyze files by simply opening them one by one. With proper permission control, access for an unauthorized user will be denied and access attempts will be recorded in logs.

Correctly configured permissions will prevent accidental information leakage. However, a serious attacker will try to bypass the control system and gain access to the necessary information. There are a large number of vulnerabilities that will help him in this.

As information passes through the network, it can be accessed by listening to the transmission. The attacker does this by installing a network packet analyzer (sniffer) on a computer system, typically a computer configured to capture all network traffic, not just the traffic destined for that computer. To do this, the attacker must elevate his privileges on the system or connect to the network. The analyzer is configured to capture any information passing through the network, but especially user IDs and passwords.

Eavesdropping is also carried out in global computer networks such as leased lines and telephone connections. However, this type of interception requires appropriate equipment and special knowledge.

Interception is possible even in fiber-optic communication systems using specialized equipment, usually performed by a skilled attacker.

Information access using interception is one of the most difficult tasks for an attacker. To succeed, he must place his system in the transmission lines between the sender and receiver of information. On the Internet, this is done by changing the name resolution, causing the computer name to be converted to an incorrect address. Traffic is redirected to the attacker's system instead of the actual destination node. If such a system is configured appropriately, the sender will never know that his information did not reach the recipient.

Interception is also possible during a valid communication session. This type of attack is best suited to hijack interactive traffic. In this case, the attacker must be in the same network segment where the client and server are located. The attacker waits for a legitimate user to open a session on the server, and then, using specialized software, hijacks the session while it is running.

Modification attacks

A modification attack is an attempt to change information without authorization. Such an attack is possible wherever information exists or is transmitted. It is aimed at violating the integrity of information.

One type of modification attack is the replacement of existing information, for example a change to an employee's salary. A replacement attack targets both secret and public information.

Another type of attack is the addition of new data, for example into records of past periods. In this case the attacker performs a transaction in the banking system as a result of which funds are moved from the client's account to his own.

A removal attack means deleting existing data, such as removing a transaction entry from a bank's balance sheet so that the funds withdrawn from the account appear to remain in it.

Like access attacks, modification attacks are carried out against information stored as paper documents or electronically on a computer.

It is difficult to change documents without anyone noticing: if there is a signature (for example, in a contract), you need to take care to forge it, and the sealed document must be carefully reassembled. If there are copies of the document, they also need to be redone, just like the original one. And since it is almost impossible to find all copies, it is very easy to spot a fake.

It is very difficult to add or remove entries from activity logs. Firstly, the information in them is arranged in chronological order, so any change is immediately noticed. The best way is to remove the document and replace it with a new one. These attacks require physical access to the information.

It is much easier to modify information stored electronically. Provided the attacker has access to the system, such an operation leaves a minimum of evidence. If he has no authorized access to the files, the attacker must first obtain a login to the system or change the file access control settings.

Modifying database files or transaction lists must be done very carefully. Transactions are numbered sequentially, and the removal or addition of incorrect transaction numbers will be noticed. In these cases extensive work must be done throughout the entire system to avoid detection.

In most cases, the appearance of malicious code on a website is not the result of malicious behaviour by the site owner; it comes as a surprise to the owner and is a consequence of a hack.

We have been working with this for many years and have looked at many different cases, and in recent years I have also seen quite a large number of cases of hacking of various sites: very large sites, for example the most famous online media, banks and sites of large companies, and sometimes very small ones, business card sites, sites of educational and religious institutions.

How to protect your website

All of them are, to one degree or another, exposed to threats and risks associated with computer security, and this is what will be discussed. We will also talk about how to reduce these risks, about a basic minimum, and give a general overview of everything connected with this: what threats exist and what the webmaster of a particular site faces in his work.

Today we will talk about the most common example, when we have some kind of external attacker who threatens the site in one way or another.

In order to understand what to expect, what damage is possible, what attacks are possible, you need to understand who the attacker is.

All these attackers and types of attacks fall into two broad categories. By what criteria can they be divided?

  • on the attack approaches used;
  • by groups of sites that are susceptible to one or another group of attacks;
  • according to appropriate risk reduction techniques for each of these groups.

For example, mass attacks are largely automated; gaining unauthorized access is one example. Mass attacks are always an attempt to gain access to the site as a whole. Mass extortion also happens, but it too is implemented through gaining unauthorized access.

Often whole automated systems are at work: a script runs that simply looks for vulnerable versions of the software components it is interested in, for example vulnerable versions of a content management system, or it looks for typical problems in the configuration of the server environment, for example an exposed HTTP service whose passwords can be brute-forced.

Since everything is automated, the exploitation of the access obtained is also automated, and if you have a database with payment details on your website, in the event of an automated attack you can consider yourself lucky, because the script will not understand what it has found; such scripts are for the most part rather stupid.

It will not figure out what important data you have on your site; it will run some very simple scheme in the style of sending spam, taking part in distributed denial of service attacks, simple petty extortion, or infecting visitors to your site.

In the case of targeted attacks, things are somewhat sadder for the site owner. In a major attack a person comes, working by hand, with considerable experience and well-developed tools, and begins to look for characteristic problems. As practice shows, with very high probability he finds them.

And then a far more malicious exploitation begins, which, firstly, is much harder to detect than in the case of mass attacks and, secondly, whose possible damage is much harder to minimize in advance. Once an attacker gets into the system by hand, he understands the context very well and often knows from the start why he has come.

Which is safer to use: some popular stock content management system or something home-made? To reduce the risk of mass attacks, it is better to use something non-standard.

Because all this is automated and looks for standard solutions, a self-written content management system, a self-written captcha, practically any self-written solution works against mass attacks: a script comes to your site looking for something familiar and finds nothing it recognizes, so none of it works.

In the case of targeted attacks, the opposite is true. That is, the likelihood that typical critical errors will be made in some self-written solution, which then become vulnerabilities and are exploited to gain access, is much higher than with popular software that, over its long development history, has already stepped on many “rakes” in this area. Therefore, the vulnerabilities published in such software are often either intricate or arise at the intersection of different systems.


The attack consists of the following steps:


Particularly in the mass case. Take some specific string, such as “Powered by phpBB version 1.6.1”. A set of sites is found automatically using a specific technique; this is one of the vectors. Once all these sites are found, a script is launched against them; the script goes through and looks for vulnerabilities, for various admin panels at standard paths, and for standard tools such as phpMyAdmin, which are also located at standard paths.

Accordingly, if a vulnerability is found, it is exploited automatically, and if there are admin panels where passwords can be entered and there is no protection against brute force, a search for simple passwords begins, which, as practice shows, is also very effective.

After access is obtained, a component called a web shell is uploaded: a tool, a piece of a web application, a script that opens up a wide range of possibilities, leaving a permanent back door on your server for further actions.

After this, when the attacker has stable access to your server bypassing all the authentication mechanisms, he tries to gain a foothold in the system: for example, scattering spare web shells around, exploiting a vulnerability in the operating system and raising privileges, for example becoming root, which is often also automated; after that the exploitation becomes even more severe. And then the extraction of money from the hacked site begins. Nowadays it is rare to find a case where someone or something hacks a site with anything other than money as the motive in one way or another.
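Detection for the first two mass-attack steps just described (probing admin panels at standard paths, then brute-forcing a login form), as an added example that is not from the talk: it parses constructed combined-format access log lines and flags sources with many distinct 404s or many rejected login POSTs in a short window. The log format, the paths and the thresholds are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def _entry(ip, second, method, path, status):
    """Build one constructed combined-format log line at 10:00:<second> UTC."""
    ts = f"01/May/2024:10:00:{second:02d} +0000"
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample (not a real log): one source probes standard admin paths
# that do not exist on this site, another hammers the login form, and an
# ordinary user mistypes a password once before logging in.
PROBED_PATHS = ["/phpmyadmin/", "/pma/", "/administrator/", "/wp-login.php", "/myadmin/"]
SAMPLE_LOG = "\n".join(
    [_entry("198.51.100.7", i, "GET", p, 404) for i, p in enumerate(PROBED_PATHS)]
    + [_entry("203.0.113.4", 10 + i, "POST", "/admin/login.php", 401) for i in range(12)]
    + [_entry("192.0.2.10", 30, "GET", "/index.html", 200),
       _entry("192.0.2.10", 31, "POST", "/admin/login.php", 401),
       _entry("192.0.2.10", 40, "POST", "/admin/login.php", 302)]
)


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}


def _trim(events, now, window):
    """Drop (ts, ...) events that fell out of the sliding window."""
    while events and now - events[0][0] > window:
        events.popleft()


def analyze(log_text, window=timedelta(seconds=60),
            probe_threshold=5, login_threshold=10):
    """Return {ip: [findings]}: 'path_probing' for at least probe_threshold
    distinct 404 paths inside the window, 'login_brute_force' for at least
    login_threshold rejected (401/403) POSTs to one URL inside the window."""
    probes = defaultdict(deque)    # ip -> (ts, path) of 404 responses
    logins = defaultdict(deque)    # (ip, path) -> (ts, None) of rejected POSTs
    findings = defaultdict(set)
    for line in log_text.splitlines():
        r = parse(line)
        if r is None:
            continue
        if r["status"] == 404:
            q = probes[r["ip"]]
            q.append((r["ts"], r["path"]))
            _trim(q, r["ts"], window)
            if len({p for _, p in q}) >= probe_threshold:
                findings[r["ip"]].add("path_probing")
        if r["method"] == "POST" and r["status"] in (401, 403):
            q = logins[(r["ip"], r["path"])]
            q.append((r["ts"], None))
            _trim(q, r["ts"], window)
            if len(q) >= login_threshold:
                findings[r["ip"]].add("login_brute_force")
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, found in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(found))
```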

This is what this web-shell looks like from the attacker’s point of view:


This is a system that allows you to work through an interface, as well as automatically. What is interesting is that there is a line at the top that gives very detailed information about the operating system kernel, precisely so that the privilege escalation can be automated right there.

When vulnerabilities are found in the operating system kernel, exploits are published on popular sites. What is an exploit? A program that uses this vulnerability to achieve its own goal, in this case escalating privileges. It roughly looks like this:


In addition to the fact that various malicious scripts begin to spread throughout the server, sometimes binary components also end up on the site. For example, the main binary build of the web server itself or plugins for it. These can be modules for Apache, for nginx, a rebuilt nginx, or some other important binary component that you have on the system, such as SSHD.

This is the VirusTotal site, where you can check any file and see what around 50 antivirus engines think about it.

These are examples of what various anti-virus scanners say about some of the malicious web servers, or modules for them, that we have found:


I would like to note that when we found them, everything was empty here, and often no one detected anything. It was only later, after we started sending some of these samples to antivirus companies, that detections appeared.

Sometimes, if you are trying to find the source of malicious code on your site, the antivirus industry can help you in some way. All suspicious files can be "fed" either to that site or to specific utilities, but we will talk about this a little later; that is the point.


After exploitation, server-side scripts appear, as well as modified web server configs. There was an example that was often encountered when a site was hacked: the configuration of the web server was also automatically modified by adding conditional redirects.

All mobile visitors to your website were redirected to various scam sites, thus monetizing them. And since, not so long ago, a couple of years ago, many webmasters did not think about the mobile users of their sites, they could not even notice for a long time that mobile visitors were being sent to various scams. Many webmasters set this up consciously, trying to do this kind of monetization, but there really were massive cases when all this appeared as part of a hack.

It is also possible that there is malicious code in the database. The most common example is an attack of the XSS class. For example, you have some form for entering comments on the site and there is insufficient validation of the parameters.

The attacker, as I already said, is often a fully automated system that finds your site by itself; it loads there not just text, but a special payload which, when the page is rendered, becomes a script controlled by the attacker. And in this way they can do whatever they want with your website visitors.

It happens statically, when they simply add some malicious code to templates or static JavaScript. As I already said, it happens that binary files are replaced. There are very cunning cases when attackers build a truly cunning scheme; we have already encountered this.

The main binary of the web server is taken, for example Apache, or an sshd binary. The file is copied to another location, a malicious build is placed in its place, and then it is launched.

After this, the modified file is erased from the file system and the original one is put back. You are running a malicious web server, but you have an unchanged version of it in your file system, and even an integrity check does not show any problems.
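One check that catches exactly this swap, added here as an example rather than anything from the talk: on Linux, /proc/<pid>/exe still refers to the image the kernel actually mapped, so hashing what that link opens and comparing it with the file now sitting at the same path exposes a running binary that differs from the on-disk one, and the link target itself gains a " (deleted)" suffix when the mapped file was unlinked. It assumes Linux and enough privilege to read other processes' /proc entries (root for a system-wide sweep).

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Optional

DELETED = " (deleted)"  # suffix the kernel appends to /proc/<pid>/exe for an unlinked image

@dataclass
class ExeCheck:
    pid: int
    exe_link: str                 # readlink of /proc/<pid>/exe
    running_sha256: str           # hash of the image the process actually executes
    disk_sha256: Optional[str]    # hash of the file at that path now, None if absent

    @property
    def suspicious(self) -> bool:
        # The mapped file was removed, or the path now holds different bytes than the
        # process is running: the "put the original back on disk" trick from the text.
        return self.exe_link.endswith(DELETED) or self.disk_sha256 != self.running_sha256

def evaluate(pid: int, exe_link: str, running_image: bytes,
             disk_image: Optional[bytes]) -> ExeCheck:
    """Pure comparison step, separated so it can be tested without /proc."""
    disk = None if disk_image is None else hashlib.sha256(disk_image).hexdigest()
    return ExeCheck(pid, exe_link, hashlib.sha256(running_image).hexdigest(), disk)

def check_pid(pid: int) -> Optional[ExeCheck]:
    """Compare the mapped executable of one process with the file at its path."""
    exe = f"/proc/{pid}/exe"
    try:
        link = os.readlink(exe)
        with open(exe, "rb") as f:      # opens the mapped inode, even if it was unlinked
            running = f.read()
    except OSError:
        return None                      # kernel thread, process exited, or no permission
    path = link[:-len(DELETED)] if link.endswith(DELETED) else link
    try:
        with open(path, "rb") as f:
            disk = f.read()
    except OSError:
        disk = None
    return evaluate(pid, link, running, disk)

def scan_all() -> list:
    """Return suspicious ExeCheck records for every readable process."""
    pids = [int(p) for p in os.listdir("/proc") if p.isdigit()]
    return [r for r in map(check_pid, pids) if r is not None and r.suspicious]

if __name__ == "__main__":
    for r in scan_all():
        print(f"pid {r.pid}: {r.exe_link} running={r.running_sha256[:12]} disk={r.disk_sha256}")
```

A " (deleted)" link also appears after a package upgrade replaced a binary under a still-running daemon, so verify a hit against the package manager's file checksums before treating it as a compromise.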

When attackers get onto a server, especially in the case of targeted attacks, they are quite cunning in their inventions, and sometimes, mostly in targeted attacks, when real people come, you have to show considerable dexterity just to find the source of the site's compromise.

Why is all this being done? It is also important to understand this in order to keep a certain threat model in mind, to predict what will happen to the site and what problems there may be. As I said before, the monetization methods that motivate attackers differ between the two groups, targeted and mass attacks.


For mass attacks, we have something that can be pulled off without delving into the context of the site. We just ended up on an abstract server; what can we do with it? It has visitors, so they can be infected. It most likely appears in search engines, so its search engine position can be used for various black hat SEO optimizations.

Add catalogs with doorways to it, list it on a link exchange, in general, everything related to this. Sending spam, organizing DDoS attacks, for example. For DDoS attacks, which we will talk about later, attackers also need resources, for example, many, many different servers.

The "extortion" line is very interesting. This has also been developing a lot lately. Everyone has heard many times, and may have encountered, ransomware Trojans, for example on desktops, on the Windows operating system. A few years ago, they more or less began to appear on Android phones too, when...

Everyone knows, everyone has encountered it in one way or another, or at least heard about how a malicious file is launched: it starts encrypting the entire file system and then asks for a ransom. So, over the last year we have seen that such things have begun on servers. The site is hacked, after which the entire contents of the databases are encrypted, as well as the entire file system, and the attacker demands a ransom from the administrator, hoping that the administrator does not have current backups of the file system and database.

In targeted attacks, things are even more sophisticated. Often, if a targeted attack is carried out, it is already known what can be obtained from the site. This is either a customer base or a very, very large number of visitors, who can also be monetized in various ways, often unnoticed by the resource administrator for months.

You can, once inside, interfere with the site in every possible way, creating various technical difficulties for the purpose of unfair competition. It is necessary to understand that there is a myth in the anti-virus environment that, for example, "my computer is on the outskirts", or in the case of a site, "the site has little traffic, which means no one needs it". It is not true.

Even the most seedy website on some free hosting is somehow monetized at least a little, and it will always represent some desirable target for mass attacks. Not to mention, of course, large sites, which are even easier to monetize.

Attack on visitors: drive-by download

Yes, we talked about infection of visitors, literally in a nutshell. Probably, over the last year, this threat has been fading away on its own. What is visitor infection? An attacker has hacked a site; what happens next if he wants to make money by infecting visitors:


As I already said, it can redirect mobile users to some site where they are offered to install an application under the guise of some Flash Player update or something like that. And for desktops, a popular scheme is when a vulnerability in the visitor's browser or in one of the plugins in his environment is exploited.

For example, in 2012 the most exploited vulnerabilities were in the Java plugin, which accounted for more than half of the exploited users, with Adobe Reader also widely exploited in 2012. Now they do not exploit Adobe Reader, they do not exploit Java; now they exploit Flash Player.

New vulnerabilities in Flash Player are released regularly, and each of them often allows an attack called drive-by download. What does it mean? It means that the visitor simply visits the site, does nothing additional, and due to exploitation of the plugin's vulnerability, a malicious program appears on his system, which automatically runs and infects the system.

Denial of Service, aka DDoS

That was about the case when an attacker actually gains access to the site and its management. In many cases, the attacker is not even trying to gain access; he just wants to interfere with the normal functioning of your site in one way or another. Everyone has probably heard of and encountered denial of service, in its distributed form called Distributed Denial of Service.


Main motives: competition and extortion. Competition is clear: while users cannot get to your site, they go to a competitor's site. Extortion is also quite obvious: an attack on your site begins, you receive some kind of letter demanding that you pay someone something, and you have to do something about it.

Attacks fall into three main categories

The simplest attack is an attack on the application. The most typical scenario for an attack on an application is that you have some kind of website, say an online store with some kind of search. You have an advanced search there with a bunch of parameters, which creates a relatively heavy database query. An attacker comes, sees your advanced search option and writes a script that starts pushing heavy, heavy queries into your advanced search form. In practice, for many sites the database quickly collapses even under the pressure of one ordinary host, and that is all. No special resources are needed on the part of the attacker.

Transport layer attack. At the transport layer there are essentially two protocols. Attacks on UDP rather refer to an attack on the channel, because there is no session there. And if we are talking about the TCP protocol, then this is a fairly common case of attacks.

What is the TCP protocol? TCP means that you have a server and it has a table of open connections with users. It is clear that this table cannot be of infinite size, and the attacker specifically crafts many, many packets that initiate the creation of a new connection, and the packets often even come from spoofed IP addresses.

This overflows the table, and accordingly, legitimate users who come to your site cannot get into this connection table and, as a result, do not receive your service. This is a typical example of a common attack that people have learned to combat in recent years.

And the worst thing is the attack on the channel. This is when you have an incoming channel through which requests can come to your server, and the entire channel is simply clogged.

If in the two higher-level attacks you can still apply some kind of logic on the server itself in order to somehow repel them, then in the case of an attack on the channel it is impossible to do anything on the server itself, because in order to do something you need at least to accept the request, but the entire channel is already clogged, and users generally cannot even knock on the door.

Why? Why are we even discussing this classification and why do you need it? Simply because each of these types of attacks has its own countermeasure. If you encounter this, you understand that you are experiencing a denial of service attack, and the first thing you should do is decide what type of attack is going on and choose the right way to start fighting it. Although they can also be combined.
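The three categories each have their own countermeasure, and the application-layer case is the one the server itself can see in its own access log. As an added example, not from the talk, here is a small Python detector over constructed nginx-style log lines: it prices each request by how many advanced-search parameters it carries and flags any client whose total cost within a sliding window exceeds a budget, which separates a script hammering the advanced search from an ordinary shopper. The /search endpoint, the window, and the budget are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(  # combined log format: ip ident user [time] "method path proto" status bytes
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)')
EXPENSIVE_PREFIX = "/search"   # assumed: the store's advanced search endpoint

def request_cost(path: str) -> int:
    """1 for an ordinary request; for the advanced search, 1 more per filter parameter."""
    route, _, query = path.partition("?")
    if not route.startswith(EXPENSIVE_PREFIX):
        return 1
    return 1 + (query.count("&") + 1 if query else 0)

def find_abusers(lines, window_s=60, budget=100):
    """Return {ip: peak windowed cost} for clients whose cost exceeded the budget."""
    windows = defaultdict(deque)   # ip -> deque of (timestamp, cost) inside the window
    totals = defaultdict(int)
    peaks = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # unparsable line: ignore it rather than crash
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, cost = m["ip"], request_cost(m["path"])
        q = windows[ip]
        q.append((ts, cost))
        totals[ip] += cost
        while (ts - q[0][0]).total_seconds() > window_s:   # slide the window forward
            totals[ip] -= q.popleft()[1]
        if totals[ip] > budget:
            peaks[ip] = max(peaks.get(ip, 0), totals[ip])
    return peaks

# Constructed sample: one script firing heavy advanced-search queries, one real shopper.
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2023:13:55:{36 + i // 3:02d} +0000] '
    f'"GET /search?q=x{i}&price_min=0&price_max=999999&brand=all&color=any HTTP/1.1" 200 5123'
    for i in range(30)
] + [
    '198.51.100.20 - - [10/Oct/2023:13:55:40 +0000] "GET /product/42 HTTP/1.1" 200 2310',
    '198.51.100.20 - - [10/Oct/2023:13:55:52 +0000] "GET /search?q=shoes HTTP/1.1" 200 4011',
]

if __name__ == "__main__":
    for ip, peak in find_abusers(SAMPLE_LOG).items():
        print(f"{ip}: peak cost {peak} in a 60 s window")
```

The flagged address is what you would feed to a rate limit or a temporary block in front of the application; the transport-layer and channel cases need SYN-flood protections and upstream filtering respectively, which this server-side view cannot provide.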

Magomed Cherbizhev
