
too different from an ICT system. An example of typical attack phases follows:

1. Password guessing
2. Port scanning
3. Exploitation
4. Man-In-The-Middle (MITM)
5. Denial of Service (DoS)

3.1 Password guessing

An attacker who tries to find a password can work in two ways:

− dictionary
− brute force

The first simply tries all the words in a set. This set can be large enough to include special characters and lower- and upper-case variants. The method can be very efficient because passwords are very often ordinary words, possibly with a small tweak. The second, the brute-force attack, tries all combinations of characters of a given length. If the length is unknown, it usually tries from a minimum to a maximum number of characters. Because the search space grows combinatorially (with an alphabet of s symbols and lengths from m to n there are s^m + ... + s^n candidates), this method becomes very inefficient as the length and the character set grow.
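The two strategies side by side, as an added example that is not part of the original report: a dictionary attack with simple mangling rules and an exhaustive brute-force search, both run against a constructed password store. The salted SHA-256 scheme, the wordlist and the target passwords are assumptions made for the example (a real store should use a slow password hash such as bcrypt, scrypt or Argon2, which is precisely what makes both attacks expensive).

```python
import hashlib
import itertools
import string

# Constructed toy password store: salted SHA-256 (fast, so the attacks are
# cheap; a real system should use a deliberately slow password hash).
SALT = b"cockpitci-demo-salt"


def hash_password(password: str) -> str:
    return hashlib.sha256(SALT + password.encode()).hexdigest()


# Constructed wordlist. A real one (rockyou.txt and the like) has millions of entries.
WORDLIST = ["password", "letmein", "welcome", "scada", "operator", "admin"]


def mangle(word):
    """Dictionary rules: the raw word, capitalised, upper-cased, and the same
    with common digit/symbol suffixes. Rules like these are what make a
    dictionary attack effective against 'real word plus tweak' passwords."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2012"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Try every mangled wordlist entry. Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if hash_password(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def brute_force(target_hash, alphabet=string.ascii_lowercase, min_len=1, max_len=4):
    """Exhaustive search over every string of length min_len..max_len drawn
    from alphabet, in lexicographic order. Returns (password, attempts) or (None, attempts)."""
    attempts = 0
    for length in range(min_len, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hash_password(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace_size(alphabet_size, min_len, max_len):
    """Number of candidates a brute-force run must cover in the worst case."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


if __name__ == "__main__":
    # 'Scada123' is a dictionary word plus a suffix: found after a few dozen guesses.
    print(dictionary_attack(hash_password("Scada123")))
    # A short all-lowercase password falls to brute force quickly...
    print(brute_force(hash_password("abc")))
    # ...but the same brute force never reaches 'Scada123' with this alphabet and length limit.
    print(brute_force(hash_password("Scada123")))
    # Worst case for 8 printable ASCII characters: about 6.6e15 candidates.
    print(keyspace_size(95, 1, 8))
```

The last call is the point of the section: a wordlist with rules finds a "word plus digits" password in tens of attempts, while brute force over the same password is bounded only by the keyspace, which grows exponentially with both alphabet size and length.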

3.2 Port Scanning

A port scan consists of sending client requests to a range of server port addresses on a host, with the goal of finding an active port and then exploiting a known vulnerability of the service listening on it [RFC 2828, http://tools.ietf.org/html/rfc2828].
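A minimal TCP connect scan with banner grabbing, as an added example that is not part of the original report. It scans a port range on a host, and for each port that completes the three-way handshake it reads whatever the service announces, since identifying the service is what turns "an active port" into "a known vulnerability of that service". The target is a constructed listener on the loopback interface that announces an invented banner; the host, port range and banner are assumptions made for the example.

```python
import socket
import threading


def tcp_connect_scan(host, ports, timeout=0.5, grab_banner=True):
    """TCP connect() scan: one full three-way handshake per port.
    Returns {port: banner} for ports that accepted the connection (banner
    is "" when the service waits for the client to speak first).
    A connect scan is the noisiest variant, since every probe reaches the
    service and its logs; SYN (half-open) scans need raw sockets and root."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 when the handshake completed, an errno otherwise
            # (ECONNREFUSED for a closed port, a timeout errno for a filtered one).
            if s.connect_ex((host, port)) != 0:
                continue
            banner = b""
            if grab_banner:
                try:
                    banner = s.recv(128)
                except OSError:  # socket.timeout: no greeting from this service
                    pass
            results[port] = banner.decode(errors="replace").strip()
    return results


def start_dummy_service(host="127.0.0.1"):
    """Constructed target: a listener on an OS-assigned port that sends an
    invented banner and hangs up, standing in for the service a scanner
    is trying to find and fingerprint. Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # server socket closed: stop serving
                return
            with conn:
                conn.sendall(b"SCADA-DEMO/1.0\r\n")  # invented banner

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def demo():
    """Scan a small window of ports around the dummy service and return
    (service_port, scan_results)."""
    srv, port = start_dummy_service()
    try:
        found = tcp_connect_scan("127.0.0.1", range(port - 3, port + 4))
    finally:
        srv.close()
    return port, found


if __name__ == "__main__":
    port, found = demo()
    print(f"dummy service on {port}; open ports seen by the scan: {found}")
```

The scanner never needs to know in advance which port is interesting; the banner does the identification. Against a real network, scanning more than a handful of ports serially with a 0.5 s timeout is slow, which is why real tools probe many ports concurrently and why a defender's first detection signal is a burst of connections to many ports from one source.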

3.3 Exploitation

The term exploitation refers to the act of successfully carrying out an attack (e.g. a Denial of Service (DoS)) on a computer system by taking advantage of a particular vulnerability that the system exposes to the intruder.

3.4 Man In The Middle

The MITM attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. A MITM attack can succeed only when the attacker can impersonate each endpoint to the satisfaction of the other: it is an attack on mutual authentication. All communications are subject to eavesdropping; how much the attacker gains depends on how capable he is. Technically, even encryption whose key is never exchanged over the communication link can be considered insecure, since a social-engineering attacker may obtain the key locally. The best solution is an algorithm that takes time to encrypt/decrypt the message, but it cannot be used if the application is time critical.

Social engineering techniques [3] exploit specific attributes of human decision making known as cognitive biases. With social engineering (pretexting, phishing, Interactive Voice Response (IVR) or phone phishing, baiting), one can deceive a person into supplying personal information and passwords. Any communication channel can be used to perpetrate this fraud.

Another route is malware: viruses, or downloaded files that carry a backdoor or Trojan horse. If the user of a remote management tool has been infected, or the attacker tries to plant a backdoor or Trojan horse that performs tasks similar to Back Orifice, NetBus, Netcat or a keylogger, in most cases these are shut off by antivirus or other security tools. New variants, however, cannot be blocked; that is, there are few means of defence when perpetrators attack with new malware and hacking patterns after selecting a target. Acquiring access codes and passwords with a backdoor or Trojan horse would then not be difficult. Once things have progressed this far, control of the control system is handed over to malicious organisations or users.

Ref. CockpitCI-D2.1-Overview of modelling techinques and tools for SCADA systems under attacks.docx

Final version Page 34 on 153
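The "attack on mutual authentication" made concrete, as an added example that is not part of the original report: a Diffie-Hellman key exchange relayed by an attacker who substitutes his own public value in each direction. Without authentication each victim ends up sharing a key with the attacker rather than with the other party; when each party authenticates its public value with a pre-shared MAC key that never crosses the link, the substitution is detected. The toy group (a 127-bit Mersenne prime, far too small for real use), the party names and the pre-shared key are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for this example only. Real
# deployments use groups of at least 2048 bits (or elliptic-curve groups).
P = 2 ** 127 - 1
G = 3


def dh_public(priv):
    return pow(G, priv, P)


def dh_shared(peer_pub, priv):
    return pow(peer_pub, priv, P)


def derive_key(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


class Party:
    """One endpoint. auth_key is a pre-shared MAC key distributed out of band
    (None means the exchange is unauthenticated)."""

    def __init__(self, name, auth_key=None):
        self.name = name
        self.auth_key = auth_key
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = dh_public(self.priv)

    def _tag(self, pub):
        return hmac.new(self.auth_key, pub.to_bytes(16, "big"), "sha256").digest()

    def offer(self):
        msg = {"pub": self.pub}
        if self.auth_key:
            msg["tag"] = self._tag(self.pub)
        return msg

    def accept(self, msg):
        """Check the peer's public value (if authenticated) and derive the session key."""
        if self.auth_key and not hmac.compare_digest(self._tag(msg["pub"]), msg.get("tag", b"")):
            raise ValueError(f"{self.name}: peer public value fails authentication")
        return derive_key(dh_shared(msg["pub"], self.priv))


class Attacker:
    """Sits on the link and replaces each party's public value with his own,
    so that he shares one key with each victim. He does not know the
    pre-shared MAC key, so any tag he relays is the original, stale one."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = dh_public(self.priv)
        self.keys = {}

    def relay(self, sender_name, msg):
        self.keys[sender_name] = derive_key(dh_shared(msg["pub"], self.priv))
        return dict(msg, pub=self.pub)


def run_exchange(authenticated, attacker_present=True):
    """Run alice <-> bob through the link and report who ends up with which key."""
    psk = b"operator-station-psk" if authenticated else None  # assumed out-of-band secret
    alice, bob, mallory = Party("alice", psk), Party("bob", psk), Attacker()
    relay = mallory.relay if attacker_present else (lambda _name, msg: msg)
    try:
        k_bob = bob.accept(relay("alice", alice.offer()))
        k_alice = alice.accept(relay("bob", bob.offer()))
    except ValueError as err:
        return {"detected": True, "reason": str(err)}
    result = {"detected": False, "victims_agree": k_alice == k_bob}
    if attacker_present:
        result["attacker_reads_alice"] = mallory.keys["alice"] == k_alice
        result["attacker_reads_bob"] = mallory.keys["bob"] == k_bob
    return result


if __name__ == "__main__":
    print("unauthenticated:", run_exchange(authenticated=False))
    print("authenticated:  ", run_exchange(authenticated=True))
```

The unauthenticated run ends with `victims_agree` false and both `attacker_reads_*` true: the link is encrypted, yet the attacker holds both keys. The authenticated run raises on the first forged value, which is the property the section calls mutual authentication. The pre-shared key here plays the role of the "key not exchanged over the link"; as the section notes, it can still be stolen locally by social engineering.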

3.5 Denial of Service

A DoS attack or Distributed DoS (DDoS) attack is an attempt to make a computer resource unavailable to its intended users. Although the means, motives and targets of a DoS attack may vary, it generally consists of the concerted efforts of one or more people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. One common method involves saturating the target machine with external communication requests, so that it cannot respond to legitimate traffic, or responds so slowly as to be effectively unavailable.

In Figure 3.1 there is an example of a DDoS attack.


To perform the DDoS attack, the attacker first infects a set of machines, called zombies or bots (needed because a single host's upload bandwidth is far smaller than the victim's download bandwidth). Once in control of the machines, the attacker checks which of them are online and, when enough zombies are available, starts the DDoS attack by launching many requests (such as TCP SYN packets or ICMP pings) that each require a reply from the victim (a SYN-ACK or an echo reply), until the buffers of the victim's router overflow. Once in overflow, devices can fail in two ways: fail open or fail closed (like an open circuit or a short circuit). In the first case malicious packets may pass through; in the second the network can be considered broken at one point, and the resulting problems concern only topology and hence connectivity.
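The SYN-flood mechanism described above, simulated as an added example that is not part of the original report: the victim keeps one half-open entry per SYN until the final ACK or a timeout, so a burst of SYNs from spoofed sources that never complete the handshake fills the table and a legitimate client is dropped until the entries expire. The backlog size, timeout, spoofed address range and the stateless SYN-cookie variant shown for comparison are assumptions made for the example (SYN cookies are a standard mitigation, not something the report discusses).

```python
import hmac
import random

BACKLOG = 128            # half-open connection slots on the victim (assumed)
HANDSHAKE_TIMEOUT = 60.0  # seconds a half-open entry lives before it is reaped (assumed)


class Victim:
    """A listener's connection backlog. With syn_cookies=False every SYN
    consumes a slot; with syn_cookies=True nothing is stored and the SYN-ACK
    carries a MAC (in real TCP, encoded in the initial sequence number) that
    the client's final ACK must echo back."""

    def __init__(self, syn_cookies=False):
        self.syn_cookies = syn_cookies
        self.half_open = {}  # (src_ip, src_port) -> expiry time
        self.secret = b"victim-cookie-secret"  # assumed per-host secret
        self.dropped = 0

    def _reap(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def _cookie(self, src):
        return hmac.new(self.secret, repr(src).encode(), "sha256").digest()[:4]

    def on_syn(self, src, now):
        """Returns ('SYN-ACK', cookie_or_None) or ('DROP', None)."""
        self._reap(now)
        if self.syn_cookies:
            return "SYN-ACK", self._cookie(src)     # stateless: no slot consumed
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1                        # table full: legitimate SYNs die here
            return "DROP", None
        self.half_open[src] = now + HANDSHAKE_TIMEOUT
        return "SYN-ACK", None

    def on_ack(self, src, cookie, now):
        """Final handshake step. Returns True when the connection is established."""
        self._reap(now)
        if self.syn_cookies:
            return hmac.compare_digest(cookie or b"", self._cookie(src))
        return self.half_open.pop(src, None) is not None


def syn_flood(victim, count, now):
    """Bots send SYNs from spoofed sources; no ACK ever follows."""
    rng = random.Random(1)  # fixed seed so the run is reproducible
    for _ in range(count):
        src = (f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}",
               rng.randrange(1024, 65535))
        victim.on_syn(src, now)


def legitimate_connect(victim, now):
    """A real client that completes the handshake 50 ms after the SYN-ACK."""
    src = ("192.0.2.10", 40000)  # documentation-range address, constructed
    reply, cookie = victim.on_syn(src, now)
    if reply == "DROP":
        return False
    return victim.on_ack(src, cookie, now + 0.05)


def simulate(syn_cookies):
    """Legitimate connection attempts before, during and after a 1000-SYN flood."""
    victim = Victim(syn_cookies)
    before = legitimate_connect(victim, now=0.0)
    syn_flood(victim, 1000, now=1.0)
    during = legitimate_connect(victim, now=2.0)
    after = legitimate_connect(victim, now=2.0 + HANDSHAKE_TIMEOUT + 1.0)
    return {"before": before, "during": during, "after": after, "dropped": victim.dropped}


if __name__ == "__main__":
    print("stateful backlog:", simulate(syn_cookies=False))
    print("syn cookies:     ", simulate(syn_cookies=True))
```

With the stateful backlog the flood fills all 128 slots with the first 128 spoofed SYNs; the remaining 872 bot SYNs and the legitimate client's SYN are dropped, and service only resumes once the half-open entries time out. With SYN cookies no state is kept per SYN, so the flood exhausts nothing at this layer; what remains is the bandwidth exhaustion the section describes for the victim's router, which no host-side table can fix.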
