Some Background on Attacks


Some Background.  Trying to give some overall frameworks and/or classifications for attacks is really very difficult.  Unfortunately, there are myriad ways in which computer systems can be attacked and many approaches make use of at least some aspects of other approaches.    Regardless of these difficulties I think it is important to try.

Some considerations that help to organize attacks are the following.

  • what is the target of the attack?
    • application
    • network
    • mixed
  • is the attack active or passive?
  • does it focus on hardware or software?
  • does it focus on particular services?
  • does it focus on particular protocols?
  • how does the attack work?
    • password cracking
    • exploiting code
    • cryptographic algorithms
    • ??

Obviously, there are many other targets and ways that attacks work.  But it is also important to realize that the boundaries between these aspects or categories are generally not very well defined.

Some other issues that can be important to keep in mind are

  • motivation for an attack
    • political reasons
    • espionage
      • industrial/business/organizational
      • government
    • fraud
    • targets of opportunity
    • ??

While talking about attacks we will also try to present ways to avert, intercept and stymie both current and future attacks.  Some of the easiest ways to stymie attacks are listed below.

  • make sure all appropriate patches are installed
    • operating system patches
    • software patches
  • make sure that only the services that are actually needed are provided
  • make sure to stay abreast of different types of attacks and sources of vulnerabilities

Now for a bit on ports and sockets.

Ports and Sockets Refresher.  What happens if two network applications running on the same device are sending and receiving packets at the same time?  Remember that an IP address is used to route messages to a particular device.  Port numbers are used to route messages within the device so that there is no confusion about which packets belong to which message.  Port numbers are used as add-ons to the IP address.  They are used by TCP and UDP to identify the specific application that is sending or receiving the message.

Common internet applications have predefined port numbers.  This sort of standardization makes communication easier.  These assigned port numbers are called well known ports and are listed in the following table.


Application                        TCP Port   UDP Port
FTP - Data                         20
FTP                                21
SSH                                22
Telnet                             23
SMTP                               25         25
TIME                               37         37
TACACS+ Login                      49         49
DNS                                53         53
TACACS+ Database                   65         65
HTTP                               80         80
Kerberos                           88         88
POP3                               110        110
NNTP                               119        119
NetBIOS name service               137        137
SNMP                               161        161
IRC                                194        194
LDAP                               389        389
NetWare over IP                    396        396
Apple QuickTime                    458        458
ISAKMP                             500        500
rexec                              512
UNIX rlogin                        513
UNIX Broadcast Naming - rwho                  513
UNIX rsh and rcp                   514
UNIX SYSLOG                                   514
SSL Shell - SSHELL                 614        614
L2TP                               1701
PPTP                               1723       1723
RADIUS - authorization             1812       1812
RADIUS accounting                  1813       1813


There are 65,536 usable ports.  Ports 0 through 1024 are reserved as well known ports.

So you can see there are a large number of ports available that a vulnerability scanner might find open or exploitable.  Fortunately, defaults are almost always configured to keep ports closed and secure unless they are intentionally open for providing some service.

A socket is the endpoint of a connection.  You must have a socket in order for communication to happen.  Different socket types use different addressing methods.  The most common approach is to use an IP address combined with a port number.  In UNIX this is called AF_INET addressing.  Another UNIX approach, called AF_UNIX, uses pathnames to identify sockets.

BSD (Berkeley) Sockets became the standard programming interface for TCP/IP communications.  Winsock (Windows Sockets) is the Windows equivalent and is loaded as a DLL (Dynamic Link Library) on Windows operating system platforms.

If you have multiple instances of an application open, such as Internet Explorer, the packets associated with each HTTP request will be sent to port 80 on the server.  But how will your system know which of the open Internet Explorer sessions should receive the reply packets?  This is done by giving each session its own socket, so that each connection to port 80 is distinguished from the others by the socket it belongs to.
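As an added example (not part of the original notes), the following Python script uses the standard socket module to demonstrate the point above on the loopback interface: several client sockets on one host connect to the same listening port, yet each session is distinguished by its own local port.  The function names (well_known_port, demo_sessions_to_one_port) are my own; well_known_port simply queries the host's services database for the well known ports listed in the table.

```python
import socket
import threading

def well_known_port(service, proto="tcp"):
    """Look up a well-known port in the host's services database (/etc/services);
    returns None if the host has no entry for that service."""
    try:
        return socket.getservbyname(service, proto)
    except OSError:
        return None

def _accept_all(listener, accepted, count):
    """Server side: accept `count` connections, keeping each socket and peer address."""
    for _ in range(count):
        accepted.append(listener.accept())   # (conn, (peer_ip, peer_port))

def demo_sessions_to_one_port(n_clients=2):
    """Open n_clients TCP sessions from one host to the same listening port.
    Returns (server_port, client_endpoints, peers_seen_by_server): every client
    targets the same server port, yet each client socket gets its own local
    (ephemeral) port, which is what lets the stack route replies to the right
    session.  Loopback only, so it runs offline."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(n_clients)
    server_port = listener.getsockname()[1]
    accepted = []
    server = threading.Thread(target=_accept_all, args=(listener, accepted, n_clients))
    server.start()
    clients = []
    for _ in range(n_clients):
        c = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        c.connect(("127.0.0.1", server_port))
        clients.append(c)
    server.join()
    # (local address, remote address) as each client socket sees it
    endpoints = [(c.getsockname(), c.getpeername()) for c in clients]
    peers_seen = [peer for _, peer in accepted]
    for c in clients:
        c.close()
    for conn, _ in accepted:
        conn.close()
    listener.close()
    return server_port, endpoints, peers_seen
```

Every remote address returned is the same server port, while the local ports are all different; that pair of addresses is what makes each socket unique.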