Anatomy of an Attack

Now that we've discussed the various forms and methods of
attack, let's look at an example involving a combination of what we've learned.

Let's assume a bank, the ACME Bank, has an online account system
by which bank patrons access their accounts and assets. Sally, a fairly
knowledgeable hacker, wants to create some trouble via a DoS attack on the bank.
She's upset that her mother's account was accidentally closed and wants to teach
the bank a lesson. This makes Sally an external and structured threat.

Sally begins by slowly performing reconnaissance attacks on the
bank's network and system infrastructure. Using a series of readily available
hacking software tools, she determines the bank's IP network address ranges and
critical systems, including web, mail, and Domain Name System (DNS) servers. From her
reconnaissance attacks, Sally determines that the weakest link at the bank
appears to be the DNS; the DNS servers are poorly configured to allow
unrestricted zone transfers and report that they are running outdated and
vulnerable code.

From an anonymous dialup account, Sally uses a script to perform a
DoS attack based on the "zxfr" bug. She remotely causes the DNS servers to
repetitively crash by requesting compressed zone file transfers using commonly
available tools. Because of the DoS attack, bank customers without cached DNS
information effectively cannot "find" all of the bank's services, including web,
e-mail, and other vital customer support functions.

Had the DNS administrators properly restricted zone transfers
or maintained recent revisions of code, this incident could have been prevented.
Had security administrators positioned IDS sensors near the DNS servers, they
might have been alerted to the situation. Are your systems and network properly
secured? Could this happen to you? How would you react should this situation
occur?
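
As an added example (not part of the original text), here is the kind of check an IDS sensor placed near the DNS servers would perform: a small Python script that scans BIND-style query-log lines for zone-transfer (AXFR/IXFR) requests coming from hosts that are not on the authorized-secondary list. The log lines, the zone name and the secondary address are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample BIND-style query-log lines (not from the original page).
# Layout follows BIND 9's "query" logging category:
#   client <ip>#<port>: query: <name> IN <type> <flags>
SAMPLE_LOG = """\
client 192.0.2.10#53: query: acmebank.example IN AXFR -
client 198.51.100.7#4412: query: acmebank.example IN A +
client 203.0.113.5#31000: query: acmebank.example IN AXFR -
client 203.0.113.5#31001: query: acmebank.example IN AXFR -
client 203.0.113.5#31002: query: acmebank.example IN AXFR -
client 192.0.2.10#53: query: acmebank.example IN IXFR -
client 198.51.100.9#2200: query: www.acmebank.example IN A +
"""

# Hypothetical secondary nameserver that is legitimately allowed to pull the zone.
AUTHORIZED_SECONDARIES = {"192.0.2.10"}

# Zone-transfer query types; repeated requests of these types from a host that
# is not a known secondary are the signal the sensor should raise.
TRANSFER_TYPES = {"AXFR", "IXFR"}

LINE_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def find_unauthorized_transfers(log_text, authorized, threshold=1):
    """Return {client_ip: count} for clients that issued zone-transfer
    requests without being on the authorized list, keeping only those
    with at least `threshold` requests."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query record; ignore
        if m.group("qtype") in TRANSFER_TYPES and m.group("ip") not in authorized:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_unauthorized_transfers(SAMPLE_LOG, AUTHORIZED_SECONDARIES)
    for ip, n in hits.items():
        print(f"ALERT: {n} zone-transfer request(s) from unauthorized client {ip}")
```

Restricting transfers in the server configuration stops the requests from succeeding; this log check is the complementary control that tells the administrators someone is trying.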