Malicious intruders use literally hundreds of methods and tools when they attempt to compromise PCs. The following are some the most common attacks:
Port scan. To attack a PC, an intruder must determine which TCP or UDP ports (and thus services and programs) are open on that computer. Each program that connects to or accepts connections from the Internet is assigned an IP port number (0 to 65536). Port numbers often indicate a particular type of service. For example, Internet email often uses port 25 for SMTP or port 110 for POP. If you go to an FTP site to download files, your computer uses port 20 or 21. Intruders often scan (connect to multiple ports) victim computers to see which ports are active. After they identify the open ports, intruders (or their malicious programs) narrow down future attacks to a particular port type. Firewalls should notice this activity because it’s unusual for a remote computer to connect to more than a few ports at one time.
Network traffic flood. The principle behind network traffic flood attacks is that too much of a good thing can be bad. Instead of trying to determine which weaknesses exist on a given computer, special programs called flooders send hundreds to tens of thousands of legitimate network packets to one PC hoping to overwhelm the PC’s capacity to respond. This process often causes a Denial of Service (DoS) attack, but flooders have successfully bypassed firewalls and taken control of victim PCs.
Malformed network packets. Most computers are too polite. If someone sends them a badly formed network packet, they either try to reassemble it (often allowing something to sneak around a firewall or virus scanner) or reject the network packet and wait for a retransmission. Anyone who owns a Windows PC knows software programs can wait a long time. Intruders who use this type of attack are either trying to sneak past a particular security tool or cause a DoS attack by making the PC wait a long, long time and ignore legitimate packets.
Fragmentation attacks. Intruders can break up IP packets into smaller packets and reassemble them at the destination computer. Intruders have learned they can manipulate the reassembly so that they can sneak rogue traffic and programs past computer security defenses.
IP spoofing. All firewalls work by filtering network traffic based on IP addresses (e.g., 192.168.10.2). The computers behind the firewall are usually allowed to perform more functions than the untrusted computers on the outside. Rogue intruders can send their traffic with IP addresses that make the packet appear as if it originated from inside the firewall, which allows more access than would usually be allowed.
Some of these attacks are technically sophisticated and require the skills of a learned intruder. But more and more these days, worms and Trojan horses automate external attacks that scour the Internet looking for vulnerable machines. Compromised machines often are used as a staging area for more attacks against new machines. Security experts expect both manual and automated cracking to rise for the next few years until the Internet becomes more secure.
