CSCE 4560/5560 - Secure Electronic Commerce

Overview of Threats and Attacks

Structure
  • Part 1: Threat Components

  • Part 2: Distributed Denial of Service (DDoS)

  • Part 3: Malicious Software, Social Engineering, String Vulnerabilities, SQL Injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Buffer Overflow


Part 1: Threats and Attacks

Definitions and Concepts
  • Threat Components

    • Identification and analysis of various elements that contribute to threats in electronic commerce.

Reasons for Cyber Criminal Behaviors

Cyber Criminal Motivations
  • Power assurance: To bolster the criminal’s self-esteem through non-violent means.

    • Examples: Cyberstalking, control without harm.

  • Power assertive: A moderate to high aggression approach focusing on control.

  • Anger (Retaliatory): Acting out of rage against perceived injustices.

  • Sadistic: Gaining pleasure from inflicting pain on others.

  • Profit-oriented: Seeking financial or material gain.

Types of Damage from Cyber Attacks

Damage Categories
  • Interruption: Making assets unavailable (availability).

  • Redirection: Unauthorized access to assets (confidentiality).

  • Modification: Unapproved alterations to assets (integrity).

  • Fabrication: Inserting false objects into the system (integrity).

  • Denial: Falsely denying an action taken (authenticity).

Components of a Threat (Part 1)

Threat Agents
  • Entities deliberately manifesting threats.

    • Types include criminals, terrorists, disgruntled employees, hackers, and commercial attackers.

Capability
  • Resources enabling a threat: Software, technology, methods, education.

Components of a Threat (Part 2)

Threat Inhibitors
  • Elements that prevent or reduce the likelihood of a threat.

    • Examples: Fear of capture, cost, technical difficulties, public perception.

Threat Amplifiers
  • Factors that strengthen or encourage the manifestation of threats.

    • Examples: Peer influence, information access, changing technologies.

Threat Catalysts
  • Events or changes prompting the activation of threats.

Threat Agent Motivators
  • Motivations behind threats: Political, personal gain, religion, curiosity.

Threat Likelihood/Feasibility
  • Analyzed by method (skills, knowledge), opportunity (access), and motive (money, fame).

Types of Threats

Classification of Threats
  • Natural Threats: Fires, floods, general system failures, power outages.

  • Human Threats:

    • Benign: Unintentional damage.

    • Malicious: Intentional attacks.

    • Non-hostile: Curiosity-driven unauthorized access.

    • Hostile: Intent to cause harm or exploit systems.

Steps in a Successful Cyber Attack

Attack Phases
  1. Reconnaissance: Investigating the target network/system.

  2. Scanning: Identifying vulnerabilities.

  3. Access and Escalation: Gaining admin privileges.

  4. Exfiltration: Stealing/modifying data.

  5. Sustainment: Establishing backdoors for future access.

  6. Assault: Optionally launching overt attacks.

  7. Obfuscation: Covering tracks by disabling logs/audits.

Types of Attacks

Non-technical Attacks
  • Social Engineering: Tactics to manipulate individuals into compromising security.

Technical Attacks
  • Any exploit of system knowledge or software for unauthorized access.


Part 2: Distributed Denial of Service (DDoS) Attacks

Overview of DDoS Attacks
  • A subclass of DoS attacks that uses multiple compromised devices to inundate a target with traffic.

  • Goal: Render websites or services unavailable to legitimate users.

Botnets
  • A botnet is a collection of compromised devices (bots) controlled by an attacker.

  • Characteristics: Built up over time; used to generate DDoS traffic and spam; typically does not breach the target's security directly but overwhelms its resources.

Objectives of DDoS Attacks
  • Primary Goal: Disrupt availability to legitimate users, causing financial loss and reputational damage.

  • Secondary Strategy: Often distract security teams to mask further malicious activities.

Types of DDoS Attacks

A. Network Layer Attacks

  • Target network infrastructure with high traffic.

  • Examples: UDP floods, ICMP floods, amplification attacks.

  • Characteristics: High volume, generally short-term duration (hours to 2 days).

B. Application Layer Attacks

  • Target specific applications and services, often harder to detect due to legitimate-looking traffic.

  • Examples: HTTP floods, slowloris attacks.

  • Characteristics: Mimic legitimate behavior, can persist for weeks to months, and are measured in requests per second (RPS).

DDoS Attack Methods
  • UDP Flood:

    • The attacker sends UDP packets to many different ports on the target. For each packet, the server first checks whether any program is listening on that port; if none is, it responds with an ICMP Destination Unreachable packet. Handling this volume of checks and replies exhausts the server's resources.

    • Used because UDP is connectionless: no handshake or prior request is required before sending.

  • ICMP (Ping) Flood:

    • The attack aims to overwhelm the target's ability to respond and/or overload it with fake traffic.

    • The attacker sends many ICMP echo requests to the server from multiple devices.

    • The server then sends an ICMP echo reply to each request.

  • SYN Flood:

    • The attacker sends SYN packets to every port on the server using fake (spoofed) IP addresses, so the handshakes never complete and the server is left unable to establish legitimate connections.

  • Ping of Death:

    • The attacker sends oversized packets; when the server attempts to reassemble the fragments, it causes a memory overflow.

    • Using firewalls, sites block ICMP ping messages; this is a good short-term fix.

  • Slowloris:

    • Uses partial HTTP requests to open connections and keeps those connections open as long as possible.

  • NTP Amplification:

    • A small query causes the NTP server to send the (spoofed) requester a 600-host list, so the reply is far larger than the request.

  • HTTP Flood:

    • The attack is most effective when it forces the server or application to allocate the maximum resources possible in response to each request.
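The methods above describe what the attacker sends; on the receiving end each one leaves a footprint a defender can look for. A SYN flood, for instance, fills the server's connection table with half-open (SYN-RECV) entries spread across many different peer addresses. The following is an added example written for these notes, not code from the course: it parses a constructed socket-table snapshot laid out like the output of `ss -tan` (every address, port and the threshold value are made up for the example) and flags listening ports whose half-open connection count exceeds a threshold.

```python
"""Spot SYN-flood indicators in a socket-table snapshot (added example, not from the course notes)."""
from collections import Counter, defaultdict

# Constructed snapshot in the column layout of `ss -tan`
# (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).
# Every address and port here is made up for the example.
SAMPLE_SOCKET_TABLE = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB    0      0      10.0.0.5:443       192.0.2.10:51234
ESTAB    0      0      10.0.0.5:443       192.0.2.11:40022
SYN-RECV 0      0      10.0.0.5:443       203.0.113.1:4000
SYN-RECV 0      0      10.0.0.5:443       203.0.113.2:4001
SYN-RECV 0      0      10.0.0.5:443       203.0.113.3:4002
SYN-RECV 0      0      10.0.0.5:443       203.0.113.4:4003
SYN-RECV 0      0      10.0.0.5:443       203.0.113.5:4004
SYN-RECV 0      0      10.0.0.5:443       203.0.113.6:4005
SYN-RECV 0      0      10.0.0.5:443       203.0.113.7:4006
SYN-RECV 0      0      10.0.0.5:443       203.0.113.8:4007
SYN-RECV 0      0      10.0.0.5:80        192.0.2.20:55555
"""


def parse_socket_table(text):
    """Turn the snapshot into rows of (state, local_port, peer_ip); the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue
        state, _recv_q, _send_q, local, peer = parts[:5]
        _, local_port = local.rsplit(":", 1)   # rsplit keeps IPv6 literals intact
        peer_ip, _ = peer.rsplit(":", 1)
        rows.append((state, int(local_port), peer_ip))
    return rows


def syn_flood_indicators(rows, half_open_threshold=5):
    """Per listening port, count half-open (SYN-RECV) entries and distinct peers.

    A SYN flood shows up as many half-open connections to one port spread over
    many (usually spoofed) peer addresses; the threshold is an assumed tuning knob.
    """
    half_open = defaultdict(Counter)   # local_port -> Counter of peer IPs
    established = Counter()            # local_port -> established count, for context
    for state, port, peer in rows:
        if state == "SYN-RECV":
            half_open[port][peer] += 1
        elif state == "ESTAB":
            established[port] += 1

    findings = {}
    for port, peers in half_open.items():
        total = sum(peers.values())
        if total >= half_open_threshold:
            findings[port] = {
                "half_open": total,
                "distinct_peers": len(peers),
                "established": established[port],
            }
    return findings


if __name__ == "__main__":
    for port, info in syn_flood_indicators(parse_socket_table(SAMPLE_SOCKET_TABLE)).items():
        print(f"port {port}: {info['half_open']} half-open from {info['distinct_peers']} peers "
              f"(established: {info['established']})")
```

On a real host the input would be the live `ss -tan` output sampled every few seconds; the threshold should come from a baseline of the half-open count each port shows under normal load, which is exactly the kind of real-time traffic monitoring the protection strategies below call for.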

DDoS Attack Patterns
  • Attacks can be short bursts, continuous, or in waves, with recovery taking days or weeks after an attack.

Real-World Example

  • DNS Flood Attack: A gaming website faced peak traffic of 25 million packets per second, illustrating the extensive impact of DDoS attacks on mid-sized websites.


DDoS Protection Strategies

Mitigation Services and Platforms
  1. SolarWinds Security Event Manager: Detects DDoS attacks and blocks malicious IPs.

  2. Indusface AppTrana: WAF with DDoS protection and bot control.

  3. Sucuri Website Firewall: Blocks suspicious HTTP traffic using Geo-blocking.

  4. Cloudflare: Handles large-scale attacks using IP reputation and content distribution.

  5. AWS Shield: Monitors traffic to prioritize legitimate requests during an attack.

Best Practices for DDoS Protection
  1. Implementation of Cloud-based DDoS Mitigation Services.

  2. Use of CDNs: Spread traffic over several servers globally to absorb spikes.

  3. Rate Limiting and Traffic Shaping: Control the number of requests per time interval.

  4. Real-Time Traffic Monitoring: Detect unusual spikes in traffic quickly.

  5. Regular Testing and Updates: Perform penetration tests and keep software updated.
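Item 3 above (rate limiting) is usually implemented as a token bucket per client: each bucket holds up to a burst-size number of tokens, refills at a fixed rate, and every request spends one token, so a short burst is tolerated but sustained flooding is refused while other clients keep getting served. The following is an added example written for these notes, not code from the course or from any of the products listed; the rate, burst size, client addresses and request timings are all constructed. It replays one client sending 20 requests in 0.2 seconds alongside one browsing normally.

```python
"""Per-client token-bucket rate limiter (added example, not from the course notes)."""


class TokenBucketLimiter:
    """Each client gets a bucket holding up to `burst` tokens, refilled at `rate`
    tokens per second; a request is served only if a whole token is available."""

    def __init__(self, rate: float, burst: int):
        self.rate = rate
        self.burst = burst
        self._buckets = {}  # client id -> (tokens, timestamp of last refill)

    def allow(self, client: str, now: float) -> bool:
        """Decide one request at time `now` (seconds); the caller supplies the clock
        so behaviour is deterministic here (use time.monotonic() in production)."""
        tokens, last = self._buckets.get(client, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            tokens -= 1.0
            allowed = True
        else:
            allowed = False          # bucket empty: refuse, but keep the partial refill
        self._buckets[client] = (tokens, now)
        return allowed


def replay(limiter: TokenBucketLimiter, requests):
    """Run (timestamp, client) pairs through the limiter in time order and
    return {client: (allowed, denied)}."""
    stats = {}
    for ts, client in sorted(requests):
        allowed, denied = stats.get(client, (0, 0))
        if limiter.allow(client, ts):
            allowed += 1
        else:
            denied += 1
        stats[client] = (allowed, denied)
    return stats


# Constructed traffic: one client fires 20 requests in 0.2 s, another sends
# one request per second. Addresses come from the documentation ranges.
SAMPLE_REQUESTS = [(i * 0.01, "203.0.113.9") for i in range(20)] + [
    (0.0, "192.0.2.10"), (1.0, "192.0.2.10"), (2.0, "192.0.2.10"),
]


def demo():
    """Assumed policy: 2 requests/second sustained, bursts of up to 5."""
    limiter = TokenBucketLimiter(rate=2.0, burst=5)
    return replay(limiter, SAMPLE_REQUESTS)


if __name__ == "__main__":
    for client, (ok, dropped) in demo().items():
        print(f"{client}: {ok} allowed, {dropped} denied")
```

With this policy the bursting client gets its first five requests through and the remaining fifteen are refused, while the client sending one request per second is never touched; in a real deployment the bucket key would be the client address (or an API key) and the limiter would sit in front of the expensive request handling, so that a rejected request costs almost nothing.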

Important Notes on VPNs
  • VPNs can protect individual users but are inadequate for website DDoS mitigation.

  • They conceal user IPs, not server IPs, and have limited traffic absorption capabilities.

Legal Considerations
  • Using DDoS attacks is illegal under the Computer Misuse Act 1990.

Tools for Testing and Simulation
  1. HULK: Generates high-volume traffic for testing.

  2. Slowloris: Maintains many connections open to exhaust server resources.

  3. LOIC: Generates traffic for network stress testing.

Payload Data Header Setup
  1. Link Header: Source & Destination MAC addresses

  2. IP Header: Source & Destination IP addresses

  3. UDP Header: Source & Destination Ports

  4. Application Header
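The four layers listed above are the encapsulation a packet sniffer or intrusion detection sensor has to peel apart in reverse order: link header first, then IP, then UDP, then the application payload. The following is an added example written for these notes, not code from the course: it builds a frame in exactly that layout from constructed values (the MAC addresses, IP addresses, ports, IP identification field and payload are all made up) and then parses it back, verifying the IPv4 header checksum and the length fields the way a defender's packet parser should before trusting any of the values.

```python
"""Build and parse a Link/IP/UDP/payload frame (added example, not from the course notes)."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words, as used by the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Stack the four layers from the notes: link header, IP header, UDP header, application data."""
    link = (bytes.fromhex(dst_mac.replace(":", ""))
            + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ETHERTYPE_IPV4))
    # UDP header: source port, destination port, length (header + data), checksum (optional on IPv4)
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip_no_csum = struct.pack("!BBHHHBBH4s4s",
                             0x45, 0, 20 + len(udp),       # version 4 / IHL 5, DSCP, total length
                             0x1234, 0,                    # identification (constructed), flags/fragment offset
                             64, IPPROTO_UDP, 0,           # TTL, protocol, checksum placeholder
                             ipaddress.IPv4Address(src_ip).packed,
                             ipaddress.IPv4Address(dst_ip).packed)
    ip = ip_no_csum[:10] + struct.pack("!H", ip_checksum(ip_no_csum)) + ip_no_csum[12:]
    return link + ip + udp


def parse_udp_frame(frame: bytes) -> dict:
    """Peel the layers back off, validating each header before using its fields."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ihl < 20 or ip_checksum(ip_hdr) != 0:   # a valid header sums to zero with its checksum included
        raise ValueError("bad IPv4 header")
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip_hdr[:20])
    if proto != IPPROTO_UDP:
        raise ValueError("not UDP")
    udp_off = 14 + ihl
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[udp_off:udp_off + 8])
    if udp_len < 8 or udp_off + udp_len > 14 + total_len:
        raise ValueError("UDP length inconsistent with IP total length")

    def fmt_mac(raw: bytes) -> str:
        return ":".join(f"{b:02x}" for b in raw)

    return {
        "src_mac": fmt_mac(src_mac), "dst_mac": fmt_mac(dst_mac),
        "src_ip": str(ipaddress.IPv4Address(src)), "dst_ip": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "src_port": src_port, "dst_port": dst_port,
        "payload": frame[udp_off + 8:udp_off + udp_len],
    }


def is_valid_frame(frame: bytes) -> bool:
    """True if the frame parses cleanly, False if any header check fails."""
    try:
        parse_udp_frame(frame)
        return True
    except (ValueError, struct.error):
        return False


# Constructed frame: documentation-range addresses, locally administered MACs, trivial payload.
SAMPLE_FRAME = build_udp_frame("02:00:00:00:00:0a", "02:00:00:00:00:0b",
                               "192.0.2.1", "198.51.100.9", 40000, 53, b"hello")

if __name__ == "__main__":
    print(parse_udp_frame(SAMPLE_FRAME))
```

The parser refuses a frame whose IP header checksum or length fields do not add up rather than reading past the end of the buffer; the same discipline applied to every layer is what separates a robust sensor from one that crashes on the first malformed packet.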

Encouragement for Ethical Use
  • Many DDoS tools are dual-use; unauthorized use against real systems is illegal and unethical.

Key Takeaway

  • Building robust protections against DDoS attacks involves layered strategies combining technology, traffic analysis, and proactive management.