Intrusion Prevention and Active Response: Deploying Network and Host IPS

Chapter 4: Four Layers of IPS Actions

Introduction

To date, the security industry has seen many attacks directed specifically at Windows-based platforms. Because of the overwhelming market share commanded by Microsoft, these attacks receive massive amounts of media exposure and attention. This chapter explores three lesser-known attacks. They are worth exploring so that security professionals can fully grasp the importance of attacks that are not necessarily reported in the mainstream media and that target fundamental pieces of security infrastructure and architecture. In the overall context of intrusion detection and prevention, these attacks are additionally broken down and described at the Application, Transport, Network, and Data Link layers. Breaking down the attacks in this way makes it possible to understand comprehensively the Intrusion Prevention Service (IPS) response and its impact on the attack at each of those layers.

Intrusion prevention and active response are terms that are becoming more fused over time. However, there are very real differences between the two, which can mean the difference between "hack attempt" and "just plain hacked." The nature of active response dictates a type of action (i.e., response) based on a matching pattern or signature. With a single-packet attack, by the time active response measures kick in, the attack is over. A good example of an active response tool is Cipherdyne's Port Scan Attack Detector (PSAD). However, PSAD obtains its data from Netfilter logs and hence does not have the ability to drop packets that have generated log messages (the Netfilter firewall itself...
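The log-driven model described above, as an added example (not code from the book or from PSAD): a minimal detector reads Netfilter LOG lines and decides to block a source only after it has touched a threshold of distinct ports, then reports how many packets were already logged before any response existed. The sample log lines, the threshold and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed Netfilter LOG lines (illustrative; not taken from the book or PSAD).
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=21 SYN
Jan 10 12:00:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=1434
Jan 10 12:00:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23 SYN
Jan 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=25 SYN
Jan 10 12:00:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=80 SYN
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs; value may be empty (OUT=)


def parse_line(line):
    """Return (src_ip, dst_port) from one LOG line, or None if either is missing."""
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or not fields.get("DPT", "").isdigit():
        return None
    return fields["SRC"], int(fields["DPT"])


def active_response(log_text, port_threshold=4):
    """Log-driven response: returns (blocked, unanswered).

    blocked    -> {src: packets already logged when the block decision was made}
    unanswered -> {src: packets logged from sources that never hit the threshold}
    """
    ports = defaultdict(set)   # distinct destination ports seen per source
    seen = defaultdict(int)    # packets logged per source before any block
    blocked = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dpt = parsed
        if src in blocked:
            continue           # a block rule added after detection covers this one
        seen[src] += 1
        ports[src].add(dpt)
        if len(ports[src]) >= port_threshold:
            blocked[src] = seen[src]   # response arrives only after these packets
    unanswered = {s: n for s, n in seen.items() if s not in blocked}
    return blocked, unanswered


if __name__ == "__main__":
    print(active_response(SAMPLE_LOG))
```

The scanning source is blocked only after four of its packets have already been logged, and the single-packet source never triggers a response at all, which is the gap between active response and inline prevention that the paragraph describes.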
