1.3 Classifying Internet-Based Attackers

The first type of threat facing every publicly accessible network is the opportunistic attacker. These attackers use auto-rooting scripts and network scanning tools to find and compromise vulnerable Internet hosts. Most opportunistic attackers fall into two distinct groups:

  • Those who compromise hosts for denial-of-service and flooding purposes

  • Those who compromise hosts through which attacks can be bounced (including port scans, breaking into other hosts, or sending spam email)

The second type of threat is the determined attacker. A determined attacker will exhaustively probe every point of entry into a target network from the Internet, port scanning each and every IP address and assessing each and every network service in depth. Even if the determined attacker can't compromise the target network on his first attempt, he will be aware of areas of weakness. Detailed knowledge of a site's operating systems and network services allows the determined attacker to compromise the network when new exploit scripts are released in the future.

In light of this, the networks that are most at risk are those with sizeable numbers of publicly accessible hosts. Having many entry points into a network multiplies the exploitable vulnerabilities that exist at different levels; managing these risks becomes an increasingly difficult task as networks grow.