OpenStack Cloud Security

The possible attacks

There are multiple kinds of attacks that can be put into action. The main kinds are as follows:

  • Denial of Service
  • 0-day
  • Brute force
  • Advanced Persistent Threat
  • Automated exploitation tools
  • ISP intercept
  • Supply chain attack
  • Social engineering
  • Hypervisor Breakout

Denial of Service

A Denial of Service (DoS) attack is an attack that aims to make a service unavailable. In the last few years we usually speak of Distributed Denial of Service (DDoS), since these attacks are very effective and cheap to launch, and for those reasons have become the most common form of DoS. A DDoS attack consists of multiple machines trying to overload a server or its network connection so that the services running on that server become unavailable.

The good part about DoS attacks is that, in the majority of cases, as soon as the attack ends everything is back to normal. When this is not the case, only small actions are required from system administrators, such as restarting a service or rebooting a machine.

Note

There is no way to completely protect a server from a DoS attack.

Even if you cannot protect your company completely from such attacks, you can mitigate them in two ways:

  • Having a lot of spare resources, such as CPU, RAM, and bandwidth, makes it harder to knock down the service
  • Writing rules on firewalls (or having an Intrusion Prevention System (IPS) or a DoS Defense System (DDS) that does it for you) that drop all traffic coming from the IPs that are currently attacking your servers

There are companies that provide clean pipes: connections that carry only legitimate traffic, because it has already been filtered by the ISP using IPSes and DDSes.
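The second mitigation above, dropping traffic from sources that are currently attacking you, needs something that decides which sources those are. The following is an added example written for this edition, not code from the book or from any OpenStack component: it replays constructed web-server access-log lines, counts requests per source IP over a sliding time window, and renders an iptables DROP rule for every source above the threshold. The window, threshold, sample addresses (RFC 5737 documentation ranges), and the rule format are assumptions made for the example.

```python
"""Rate-based flood detection over web-server access logs (added example).

Flags source IPs whose request count inside a sliding window exceeds a
threshold and renders firewall DROP rules for them.  Window size,
threshold, log lines and rule format are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

# Common/combined log format: client IP first, then "[dd/Mon/yyyy:HH:MM:SS +zzzz]".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')


def parse_line(line):
    """Return (ip, timestamp) for a matching log line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts


def find_flooders(lines, window=timedelta(seconds=10), threshold=50):
    """Return {ip: peak_requests_in_window} for every IP that exceeded threshold.

    One deque per IP keeps only the timestamps inside the sliding window, so
    memory is bounded by window * peak rate rather than by the log size.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed or unrelated line: skip, never crash the detector
        ip, ts = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def render_rules(flooders, chain="INPUT"):
    """Render one iptables DROP rule per flagged source, in a stable order."""
    return [f"iptables -I {chain} -s {ip} -j DROP" for ip in sorted(flooders)]


def sample_log():
    """Constructed sample: 203.0.113.7 sends 60 requests in 6 s, 198.51.100.3
    sends 5 requests over 20 s, plus one line that does not parse."""
    base = datetime(2015, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = []
    for i in range(60):
        lines.append(fmt.format(ip="203.0.113.7",
                                ts=stamp(base + timedelta(milliseconds=100 * i))))
    for i in range(5):
        lines.append(fmt.format(ip="198.51.100.3",
                                ts=stamp(base + timedelta(seconds=4 * i))))
    lines.append("this line is not an access-log entry")
    return lines


if __name__ == "__main__":
    for rule in render_rules(find_flooders(sample_log())):
        print(rule)
```

In production the thresholds must be tuned against your real traffic (a NAT gateway or a corporate proxy legitimately produces a high request rate from one address), and rules should expire after a while rather than accumulate, which is what tools such as an IPS do for you.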

Usually, DDoSes are used by automated attacks/script kiddies, motivated individuals, and highly capable groups. Organized hackers can also use DDoS attacks, but in this case it is usually an Advanced Persistent DoS (APDoS), where the attack lasts for long periods (the longest APDoS registered was 38 days), moves from server to server to be harder to detect and mitigate, and involves a huge amount of traffic (usually more than 50Pb in total).

In the history of DoS attacks, the following methods have been heavily used:

  • Buffer overflow attacks: In this kind of attack, the attacker looks for buffers that are filled with user input without prior length validation. Since a buffer has a fixed length, only that much data fits in it; the rest is written over adjacent memory and corrupts the program's state. The usual effect is a crash of the service, and in the worst case the overwritten data can end up being executed by the program.
  • SYN Flood attacks: As we will see in more depth in the next chapter, computers expect a certain handshake (SYN, SYN-ACK, ACK) at the beginning of a TCP connection. This attack sends many SYN packets and never completes the handshake, forcing the server to keep many half-open connections. At a certain point the server's connection backlog is full and it cannot accept new connections, making the service unavailable.
  • Teardrop attacks: Network packets have a maximum size. If a bigger packet has to be sent, the machine splits it into smaller fragments that the receiver reassembles. Old machines had problems recognizing and properly handling fragments whose sizes or offsets are not what they expect (for example, overlapping fragments). In this attack, the attacker sends such malformed fragments to the victim, which on old systems often resulted in system crashes and reboots.
  • Smurf attacks: In this kind of attack, the attacker uses badly configured machines in a network to amplify the attack. The attacker sends a forged packet (an ICMP ECHO request) whose source address is the victim's to a broadcast address. All the machines in the broadcast domain that answer this packet will reply to the victim. So, if there are 100 poorly configured machines in the network, the attacker can generate 100 times the amount of traffic they could send on their own.
  • Viruses/Worms: In this kind of attack, the attacker creates a self-replicating program that consumes resources or destroys the systems it reaches.
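The SYN flood entry above is the one most directly visible from the server side, because the symptom is a growing pool of half-open connections. The following is an added example written for this edition, not code from the book: it replays a constructed sequence of TCP handshake events, tracks which connection attempts completed the three-way handshake and which did not, and reports the sources that are holding many half-open connections and whether the (assumed) listen backlog is exhausted. The event tuple format, the backlog size, the per-source limit, and the sample addresses are all assumptions.

```python
"""Half-open connection tracking to spot a SYN flood (added example).

Replays constructed TCP handshake events for one listening service and
counts connections that sent a SYN but never completed the handshake.
Event format, backlog size and per-source limit are assumptions.
"""
from collections import defaultdict

SYN, SYN_ACK, ACK, RST = "SYN", "SYN-ACK", "ACK", "RST"


class HandshakeTracker:
    """Tracks (client_ip, client_port) attempts toward a single server port."""

    def __init__(self, backlog=128, per_source_limit=32):
        self.backlog = backlog                  # assumed listen backlog
        self.per_source_limit = per_source_limit
        self.half_open = {}                     # (ip, port) -> handshake state
        self.established = set()

    def observe(self, event):
        """event = (direction, flags, client_ip, client_port);
        direction 'in' is client->server, 'out' is server->client."""
        direction, flags, ip, port = event
        key = (ip, port)
        if direction == "in" and flags == SYN:
            if key not in self.established:
                self.half_open[key] = "syn_received"
        elif direction == "out" and flags == SYN_ACK:
            if key in self.half_open:
                self.half_open[key] = "syn_ack_sent"
        elif direction == "in" and flags == ACK:
            # Only an ACK answering our SYN-ACK completes the handshake.
            if self.half_open.pop(key, None) == "syn_ack_sent":
                self.established.add(key)
        elif flags == RST:
            self.half_open.pop(key, None)
            self.established.discard(key)

    def half_open_by_source(self):
        counts = defaultdict(int)
        for ip, _port in self.half_open:
            counts[ip] += 1
        return dict(counts)

    def backlog_exhausted(self):
        """True when half-open entries alone would fill the backlog."""
        return len(self.half_open) >= self.backlog

    def suspects(self):
        """Sources holding at least per_source_limit half-open connections."""
        return sorted(ip for ip, n in self.half_open_by_source().items()
                      if n >= self.per_source_limit)


def handshake(ip, port):
    """Events of a legitimate client completing the three-way handshake."""
    return [("in", SYN, ip, port), ("out", SYN_ACK, ip, port), ("in", ACK, ip, port)]


def syn_only(ip, port):
    """Attacker sends SYN, server answers SYN-ACK, attacker never ACKs."""
    return [("in", SYN, ip, port), ("out", SYN_ACK, ip, port)]


def sample_capture():
    """Constructed capture: 3 real clients, then 150 half-open attempts
    from a single source."""
    events = []
    for port in range(40000, 40003):
        events += handshake("198.51.100.3", port)
    for port in range(50000, 50150):
        events += syn_only("203.0.113.7", port)
    return events


def analyse(events, **tracker_args):
    tracker = HandshakeTracker(**tracker_args)
    for event in events:
        tracker.observe(event)
    return tracker


if __name__ == "__main__":
    t = analyse(sample_capture())
    print("half-open per source:", t.half_open_by_source())
    print("suspects:", t.suspects(), "backlog exhausted:", t.backlog_exhausted())
```

A real SYN flood usually spoofs its source addresses, so the per-source view shows thousands of sources with one half-open connection each; only the global backlog check still fires. That is why the standard kernel-side defence is SYN cookies (net.ipv4.tcp_syncookies=1 on Linux), which lets the server answer SYNs without keeping state for them, rather than any per-source rule.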

0-day

A 0-day attack is an attack that exploits a vulnerability that was not publicly known (or was thought not to be exploitable) until that day. In these cases, there is no patch available when the attack is used for the first time.

In a 0-day case, no specific measure can protect a company, but all the general security measures we already talked about in the previous chapter will help mitigate this risk.

0-day attacks are almost always the work of highly capable groups, organized hackers, and intelligence agencies/services, because those are the players with the resources needed to find (or buy) such a vulnerability and weaponize it.

Brute force

Since many attackers cannot afford to invest in researching 0-day attacks, they use brute force. Brute force is very noisy, and the majority of system administrators and IDSes will recognize and block it.

To prevent these kinds of attacks, you should have an IDS, good password policies, and rate limiting or temporary lockouts on your authentication endpoints, so that each guess costs the attacker time.

These attacks are so noisy that only automated attacks/script kiddies and motivated individuals will use them.
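Brute force is only cheap when every guess is cheap. The following is an added example written for this edition, not code from the book: a small authenticator that stores salted PBKDF2 password hashes, counts failures per (account, source IP), applies exponential backoff and then a temporary lockout, and emits an audit line an IDS can match on. A simulated attacker firing one guess per second gets only a handful of guesses actually checked. The failure thresholds, delays, PBKDF2 round count, audit-line format, and sample addresses are assumptions made for this example.

```python
"""Login throttling that turns a brute force attack into a wait (added example).

Stores salted PBKDF2 hashes, counts failures per (account, source IP),
applies exponential backoff then a lockout, and writes audit lines.
Thresholds, delays, round count and log format are assumptions.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000  # assumption: tune so one hash takes ~100 ms on your hardware


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class Authenticator:
    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.users = {}            # username -> (salt, digest)
        self.failures = {}         # (username, ip) -> (count, not_before)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock         # injectable so a test can fast-forward time
        self.audit = []            # lines a log shipper / IDS would consume
        self._dummy = hash_password("")  # hashed even for unknown users (timing)

    def add_user(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password, src_ip):
        now = self.clock()
        key = (username, src_ip)
        count, not_before = self.failures.get(key, (0, 0))
        if now < not_before:
            self.audit.append(f"auth_throttled user={username} ip={src_ip} "
                              f"retry_in={not_before - now:.0f}s")
            return "throttled"
        salt, digest = self.users.get(username, self._dummy)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if username in self.users and hmac.compare_digest(candidate, digest):
            self.failures.pop(key, None)
            self.audit.append(f"auth_success user={username} ip={src_ip}")
            return "ok"
        count += 1
        # 2, 4, 8, 16 s of backoff, then a full lockout on the fifth failure.
        delay = self.lockout_seconds if count >= self.max_failures else 2 ** count
        self.failures[key] = (count, now + delay)
        self.audit.append(f"auth_failure user={username} ip={src_ip} "
                          f"failures={count} delay={delay}s")
        return "failed"


def simulate_attack(attempts=50):
    """Attacker tries a constructed wordlist against 'admin' once per second.
    Returns (guesses actually checked against the hash, authenticator)."""
    fake_now = [1_000_000.0]
    auth = Authenticator(clock=lambda: fake_now[0])
    auth.add_user("admin", "correct horse battery staple")
    checked = 0
    for i in range(attempts):
        if auth.login("admin", f"password{i}", "203.0.113.7") != "throttled":
            checked += 1
        fake_now[0] += 1.0
    return checked, auth


if __name__ == "__main__":
    checked, auth = simulate_attack()
    print(f"{checked} of 50 guesses were actually checked")
    print("\n".join(auth.audit[-3:]))
```

Keying the counter on (account, source IP) means the legitimate owner can still log in from another address while the attacker's address is locked out, but an attacker who spreads guesses across many addresses will stay under the per-IP limit; a per-account counter (with a higher threshold) is needed alongside it, and the audit lines are what lets the IDS see the overall pattern.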

Advanced Persistent Threat

An Advanced Persistent Threat (APT) is a kind of attack in which expert attackers use stealthy and continuous attacks targeting a specific entity.

During an APT attack, it is common to find many of the attacks we already discussed, such as APDoS and 0-day exploitation. Social engineering techniques and supply chain attacks, which we will talk about shortly, are often involved as well.

Since these are very expensive attacks that require multiple people, they can only be done by highly capable groups, organized hackers, and intelligence agencies/services.

Automated exploitation tools

Since APT attacks are very expensive, automated attacks/script kiddies and motivated individuals will prefer automated exploitation tools. These tools allow the attacker to try multiple already known exploits, looking for one that targets a vulnerability the system administrator has not yet patched.

Examples of such tools are Metasploit, an exploitation framework, and Nessus, a vulnerability scanner that finds the unpatched services those exploits target.

Tip

To prevent these kinds of attacks, you need to always keep your systems updated and frequently check online whether new ways to exploit the software applications you use have become known.

The ISP intercept

The ISP intercept is a category into which a lot of possible attack vectors fall. The baseline is that somehow the attacker is able to see all the traffic moving across your connection at the border of your property. This attack can be executed legally by intelligence agencies/services with a warrant, or it could be executed illegally.

I've seen an example of an illegal execution of this kind of attack in a company, where the attacker cut the company's Internet connection cable and added their own box that allowed the traffic to be received and sent normally, but also copied all the passing data to the attacker's systems.

Preventing those kinds of attacks is impossible because they are executed outside your area of control. The only possible way to mitigate these attacks is to encrypt all the data you exchange with the outside world, and to authenticate the other endpoint as well, since a box sitting in the path can also modify traffic rather than merely copy it.

Sometimes even companies' private networks can be compromised with this attack. Recently, there have been rumors that the NSA was able to retrieve data from Google and Yahoo! by tapping the fiber optic cables that connect their datacenters. Even if there has not been any official confirmation, within a few months of these rumors both Google and Yahoo! announced that they now encrypt all traffic between datacenters to prevent this from happening.

The only kind of attacker that can do this legally is the intelligence agencies/services, but organized hackers can also perpetrate such attacks.

The supply chain attack

In a supply chain attack, the attacker tampers with a cryptographic component, such as a device that performs encryption or secure transactions, while it is still in the supply chain, that is, before it is in the hands of the client. This could happen during the manufacture of the device or at any point before it is put into the production environment. For this kind of attack, the attacker needs physical access to the device. A common type of tampering is the installation of a rootkit or of specific hardware designed to spy on the user.

From the documents released by Edward Snowden, it seems that the NSA has been able to perform multiple supply chain attacks in the last few years. This has not been confirmed as of today by the NSA itself.

Due to its complexity, only Organized hackers and Intelligence agencies/services can perform this kind of attack.

Social engineering

As we have already seen in the previous chapter, social engineering could be a good option for an attacker who would like to attack an organization.

All kinds of attackers can perform social engineering attacks, but the most effective will be the ones perpetrated by the most skilled groups.

The Hypervisor breakout

Since we are focusing on OpenStack, the Hypervisor breakout is an attack your company could suffer from.

In a hypervisor breakout, the user of a virtual machine is able to escape from their virtual machine and run code on the host that is running it. In the history of virtualization there have been multiple cases of possible hypervisor breakout vulnerabilities, and pretty much all hypervisors have been the object of such unwanted attention.

At the moment there is no publicly known case of a hypervisor breakout being used in a real-world attack, but it is possible that some companies have been compromised in this way and have not made it public due to the possible consequences for the company's image.

The real risk with an attack of this kind is that a person with such a level of access will probably be able to attack every virtual machine running on that host, and from there every machine in the cluster, and will be able to access all resources available to those machines.

We will see how to prevent this kind of attack in the last chapter of this book.

These attacks are really hard to perform and are very expensive, so only organized hackers and intelligence agencies/services will be able to perform them.