By Dijiang Huang
Outline
ARP Attacks
IP Attacks
ICMP Attacks
UDP Attacks
TCP Attacks
DNS Attacks
DoS Attacks
ARP Attacks
ARP
The Address Resolution Protocol is used by each host on an IP network to map local IP addresses to hardware addresses or MAC addresses. Here is a quick look at how this protocol works.
Say that Host A (IP address 192.168.1.100) wants to send data to Host B (IP address 192.168.1.250). No prior communications have occurred between Hosts A and B, so the ARP table entries for Host B on Host A are empty. Host A broadcasts an ARP request packet indicating that the owner of the IP address 192.168.1.250 should respond to Host A at 192.168.1.100 with its MAC address. The broadcast packet is sent to every machine in the network segment, and only the true owner of the IP address 192.168.1.250 should respond. All other hosts discard this request packet, but Host A receives an ARP reply packet from Host B indicating that its MAC address is BB:BB:BB:BB:BB:BB. Host A updates its ARP table, and can now send data to Host B.
To reduce communication cost, computers that use ARP maintain a cache of recently acquired IP-to-physical address bindings. Each entry has a timer (the usual timeout period is 20 minutes).
ARP is stateless, and most operating systems update their cache when receiving an ARP reply, regardless of whether they have actually sent out a request or not.
However, Host A doesn't know that Host B really did send the ARP reply. In the previous example, attackers could spoof an ARP reply to Host A before Host B responded, indicating that the hardware address E0:E0:E0:E0:E0:E0 corresponds to Host B's IP address.
Host A would then send any traffic intended for Host B to the attacker, and the attacker could choose to forward that data (probably after some tampering) to Host B.
Spoofed Reply
Arpspoof:
- Consult a network map
- Enable IP forwarding
- Activate the Dsniff arpspoof program
- Send fake ARP replies to the victim's machine
The attacker's fake ARP message changes the victim's ARP table by remapping the default router's Layer-3 IP address to the attacker's own Layer-2 MAC address. The victim sends the data to what it thinks is the default router. The attacker sniffs the information. The attacker forwards the information to the default router.
Man-In-The-Middle Attack
Some servers use IP addresses for authentication. This is the case for many applications like Apache ACL, r-commands, NFS, TCP Wrapper, restricted administration tools, etc. Goal: the server trusts T's IP address; evil host E wants to connect to the server. How: let the server believe the evil host (E) has the legitimate IP.
Setting: evil host E, trusted host T, and server S.
- E: ARP cache poisoning
- E: forward existing server-to-T traffic
- E: use T's IP to communicate with S
MITM Attacks
Problem: T might broadcast new ARPs, which can correct S's ARP cache. S then sends TCP replies to T, who will send back a TCP reset to S (because such a TCP connection does not exist between S and T). This will end the evil host's connection with S. How to prevent this from happening?
- Shut down T (denial of service)
- Flood S with forged ARP messages
- Prevent T from sending ARP broadcasts: how? Give T everything before it needs them.
Other Attacks
Bypassing Firewalls: many firewalls only allow outgoing traffic from a few identified computers. The evil host (E) can bypass this rule using DNS cache poisoning (will be addressed later).
Detect fake ARP messages and maintain consistency of the ARP table. Available on many UNIX platforms, arpwatch maintains a database of Ethernet MAC addresses seen on the network, with their associated IP pairs. It alerts the system administrator via e-mail if any change happens.
Use strong authentication rather than source IP address. VPN protocols like SSH, SSL or IPSec can greatly improve security by achieving authentication, integrity and confidentiality.
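To make the arpwatch idea concrete, here is an added example (not code from the lecture or from arpwatch itself) of a monitor that keeps its own IP-to-MAC table and, unlike a stateless OS cache, refuses to overwrite a known binding on the strength of an unsolicited reply. The event list is constructed to replay the Host A / Host B scenario above, including the spoofed reply claiming E0:E0:E0:E0:E0:E0; the `replay` helper and event-tuple format are assumptions of this example.

```python
# Added example: an arpwatch-style ARP consistency monitor (not the lecture's code).
from dataclasses import dataclass, field


@dataclass
class ArpMonitor:
    """Track IP -> MAC bindings seen on the segment and flag suspicious replies."""
    bindings: dict = field(default_factory=dict)   # ip -> MAC last accepted
    outstanding: set = field(default_factory=set)  # ips we have sent a request for
    alerts: list = field(default_factory=list)

    def saw_request(self, target_ip: str) -> None:
        # We asked about target_ip, so a reply for it is solicited.
        self.outstanding.add(target_ip)

    def saw_reply(self, sender_ip: str, sender_mac: str) -> None:
        solicited = sender_ip in self.outstanding
        self.outstanding.discard(sender_ip)
        previous = self.bindings.get(sender_ip)

        # A stateless OS cache would accept this blindly; we record an alert instead.
        if not solicited:
            self.alerts.append(f"unsolicited reply: {sender_ip} is-at {sender_mac}")
        if previous is not None and previous != sender_mac:
            # arpwatch's "changed ethernet address" condition.
            self.alerts.append(
                f"changed ethernet address: {sender_ip} {previous} -> {sender_mac}")

        # Learn a first-seen binding, or a solicited update; keep the old MAC otherwise.
        if previous is None or solicited:
            self.bindings[sender_ip] = sender_mac


def replay(events: list) -> ArpMonitor:
    """Feed ("request", ip) / ("reply", ip, mac) tuples (constructed format) to a fresh monitor."""
    mon = ArpMonitor()
    for ev in events:
        if ev[0] == "request":
            mon.saw_request(ev[1])
        elif ev[0] == "reply":
            mon.saw_reply(ev[1], ev[2])
        else:
            raise ValueError(f"unknown ARP event {ev!r}")
    return mon


# Constructed sample: Host A resolves Host B, then an unsolicited reply claims
# Host B's address for a different MAC, as in the spoofed-reply scenario.
SAMPLE_EVENTS = [
    ("request", "192.168.1.250"),
    ("reply", "192.168.1.250", "BB:BB:BB:BB:BB:BB"),
    ("reply", "192.168.1.250", "E0:E0:E0:E0:E0:E0"),
]

if __name__ == "__main__":
    m = replay(SAMPLE_EVENTS)
    print(m.bindings)
    for a in m.alerts:
        print("ALERT:", a)
```

On the sample, the table still maps 192.168.1.250 to BB:BB:BB:BB:BB:BB after the spoofed reply, and two alerts are raised (unsolicited reply, changed ethernet address); a production monitor would decode the events from a packet capture and send the alerts by e-mail as arpwatch does.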
IP Attacks
IP Header [networksorcery]
IHL (header length field): specifies the length of the IP packet header in 32-bit words. The minimum value for a valid header is 5.
IP Attacks
Teardrop
First packet: offset = 0, payload size N, More Fragments bit on.
Second packet: More Fragments bit off, offset + payload size < N, i.e., the 2nd fragment fits entirely inside the first one.
IP Attacks
Many firewalls inspect packets separately. When the filtering rule is based on the TCP header, but the TCP header is fragmented, the rule will fail. The TCP header is at the beginning of the data area of an IP packet.
IP Spoofing
Spoofing:
Any host can send packets pretending to be from any IP address. Spoofing is helpful for attackers who don't want to have their actions traced back. The packets will appear to be coming from the system whose address the attacker is using. It helps attackers undermine various applications, particularly those that dangerously rely only on IP addresses for authentication or filtering.
An attacker can reconfigure his/her system to have a different IP address quite trivially, such as with ifconfig or Windows' control panel. Use tools to change the desired IP address, such as Nmap and Dsniff.
- Just want the packet to look like it is from somewhere else: to obscure the source of a packet flood or other denial-of-service attack.
- One direction: only send out traffic but not receiving traffic.
- Without interaction with a target: the TCP three-way handshake makes things especially challenging for the attacker.
When Eve is on the same LAN as B, Eve can sniff the responses from B directly off of the LAN, and use ARP spoofing to prevent A's reset from tearing down the connection.
Introduction of Dsniff
- Sniffing through a switch
- Remapping DNS names to redirect network connections
- Sniffing SSL and SSH connections
Macof
Sending out a flood of traffic with random MAC addresses on the LAN. The switch will store the MAC addresses used by each link on the switch; eventually, the switch's memory is exhausted. Some switch implementations start forwarding data onto all links.
Strict source routing allows the source machine sending a packet to specify the path (entire route) it will take on the network. Loose source routing allows the attacker to specify just some of the hops that must be taken as the packet traverses the network.
IP Spoofing Defenses
- Avoid using r-commands
- Avoid applications that use IP addresses for authentication purposes
- Implement "anti-spoof" packet filters on your border routers and firewalls
- Disable source routing
- Avoid extending trust relations among different domains
ICMP Attacks
ICMP Header
ICMP Attacks
Mapping a target network is a very strategic part of most intelligently planned attacks. This initial step attempts to discover the live hosts in a target network. An attacker then can direct a more focused attack toward live hosts only.
- Sending individual ICMP echo: this is what the ping command does.
- Sending ICMP echo requests to the broadcast addresses of a network.
- Sending ICMP echo requests to the network and broadcast addresses of subdivided networks.
- Sending an ICMP address mask request to a host on the network to determine the subnet mask, to better understand how to map efficiently.
Smurf Attacks
Ping a broadcast address, with the (spoofed) IP of a victim as source address. All hosts on the network respond to the victim. The victim is overwhelmed.
Keys: amplification and IP spoofing. Protocol vulnerability; the implementation can be "patched" by violating the protocol specification, to ignore pings to broadcast addresses. ICMP echo is just used for convenience; all ICMP messages can be abused this way.
Ping of Death
ICMP echo with fragmented packets. Maximum legal size of an ICMP echo packet: 65535 - 20 - 8 = 65507. Fragmentation allows bypassing the maximum size: (offset + size) > 65535. The reassembled packet would be larger than 65535 bytes; the OS crashes. The same attack works with different IP protocols.
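The Teardrop, fragmented-TCP-header and Ping of Death slides all describe fragment sets that a reassembling firewall or IDS can reject before reassembly. The following added example (not code from the lecture) checks one datagram's fragments for the three conditions: a fragment overlapping or nesting inside an earlier one, a first fragment too short to hold the TCP header, and a reassembled size over 65,535 bytes. Offsets and lengths are given in bytes (a real caller multiplies the 13-bit fragment offset field by 8); the fragment sets are constructed for the example.

```python
# Added example: fragment sanity checks for Teardrop, split TCP headers and
# Ping of Death (not the lecture's code).
MAX_IP_DATAGRAM = 65535   # 16-bit total length field
IP_HEADER_LEN = 20        # minimum IPv4 header (IHL = 5)
TCP_HEADER_MIN = 20       # TCP header without options
ICMP_ECHO_MAX = MAX_IP_DATAGRAM - IP_HEADER_LEN - 8   # 65,507 as in the slide


def check_fragments(frags: list, proto: str = "tcp") -> list:
    """frags: dicts with offset, length (payload bytes) and more (MF bit), in arrival order.
    Returns a list of findings; an empty list means the fragment set looks normal."""
    findings = []
    seen = []  # (start, end) byte ranges already accepted for this datagram
    for f in frags:
        start, end = f["offset"], f["offset"] + f["length"]
        for s, e in seen:
            if start < e and s < end:               # byte ranges intersect
                kind = "nested" if s <= start and end <= e else "overlapping"
                findings.append(f"{kind} fragment [{start},{end}) collides with [{s},{e})")
                break
        seen.append((start, end))
        # First fragment of a TCP segment that cannot carry the whole TCP header:
        # a per-packet filter matching on TCP ports would never see them.
        if start == 0 and f["more"] and proto == "tcp" and f["length"] < TCP_HEADER_MIN:
            findings.append(
                f"first fragment carries only {f['length']} payload bytes; "
                "TCP header is split across fragments")
        # Reassembled datagram larger than the 16-bit length field allows.
        if IP_HEADER_LEN + end > MAX_IP_DATAGRAM:
            findings.append(
                f"reassembled datagram would be {IP_HEADER_LEN + end} bytes, over {MAX_IP_DATAGRAM}")
    return findings


# Constructed fragment sets for each case.
TEARDROP = [{"offset": 0, "length": 36, "more": True},
            {"offset": 24, "length": 4, "more": False}]       # 24 + 4 < 36: fits inside the first
SPLIT_TCP_HEADER = [{"offset": 0, "length": 8, "more": True},
                    {"offset": 8, "length": 32, "more": False}]
PING_OF_DEATH = [{"offset": 0, "length": 1480, "more": True},
                 {"offset": 65528, "length": 100, "more": False}]  # 20 + 65628 > 65535
NORMAL = [{"offset": 0, "length": 1480, "more": True},
          {"offset": 1480, "length": 1480, "more": True},
          {"offset": 2960, "length": 500, "more": False}]

if __name__ == "__main__":
    for name, fs in [("teardrop", TEARDROP), ("split header", SPLIT_TCP_HEADER),
                     ("ping of death", PING_OF_DEATH), ("normal", NORMAL)]:
        print(name, "->", check_fragments(fs, "icmp" if name == "ping of death" else "tcp"))
```

The nested case is exactly the Teardrop condition from the slide (offset + payload size < N); the check reports it on arrival of the second fragment, before any buffer arithmetic is done on it.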
ICMP Redirect: ask a host to send its packets to the target "router". Useful for man-in-the-middle attacks.
Winfreeze
Targeted at Windows Operating Systems. ICMP Redirect message: YOU are the quickest link to host Z. The host changes its routing table for Z to itself. The host sends packets to itself in an infinite loop.
UDP Attacks
Length: the length in bytes of the UDP header and the encapsulated data. The minimum value for this field is 8.
UDP Attacks
Fraggle
Broadcast UDP packet sent to the "echo" service. All computers reply (amplification). The source IP was spoofed; the victim is overwhelmed. Similar to the ICMP Smurf attack.
UDP Ping-Pong
Some service or application issues a UDP reply no matter what the input packet is (e.g., an error message). Set the source and destination ports of a UDP packet to be one of the following ports:
This causes a Ping-Pong effect between the source and the destination.
DoS Attacks
Key: applications that reply with large packets to small requests, e.g., games.
Hosts can be attacked by using these applications as amplifiers, with forged source IP packets.
TCP Attacks
Three-way Handshaking
[Figure: three-way handshake; Client sends SYN (seq# = x) to Server]
TCP SYN Attacks
An attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection. The victim has to keep the half-opened connection in its memory for a certain amount of time (e.g. 75 seconds). If there are so many of these malicious packets, the victim quickly runs out of memory. Those SYN packets usually use spoofed IP addresses. When the target receives more SYN packets than it can handle, other legitimate traffic will not be able to reach the victim. (Two ways to exhaust the communications resource of the target)
Fill the connection queue of the target system with half-open connections
Once the target system receives the SYN packet and sends its SYN-ACK response, it will wait patiently for the third part of the three-way handshake. The timeout is always over a minute. The target system allocates some resource on its connection queue to remember each incoming SYN packet. Attackers send SYN packets to exhaust all slots allocated in the connection queue, so no new connections can be initiated by legitimate users.
If the connection queue is enormous and can handle a very large number of SYN packets:
Fill the entire communications link, squeezing out any legitimate traffic. It requires that the attacker have more total bandwidth than the victim machine, and the ability to generate packets to fill that bandwidth.
February 2000
Victims included CNN, eBay, Yahoo, Amazon. Attackers (allegedly) used simple, readily available tools (script-kiddies). Law enforcement unable (unwilling?) to help.
October 2002
SYN Flood Defenses
Have adequate bandwidth and redundant paths from all of your critical systems (using two or more ISPs for connectivity).
TCP/IP stack enhancement:
- Increase the size of the connection queue
- Lower the amount of time to wait for half-open connections
SYN Cookies
General idea
- Client sends SYN w/ ACK number
- Server responds to Client with SYN-ACK cookie
  sqn = f(src addr, src port, dest addr, dest port, rand); Server does not save state
- Honest client responds with ACK(sqn)
- Server checks response; if it matches SYN-ACK, establishes connection
TCP SYN cookie
[Figure: 32-bit SYN cookie sequence number laid out as t mod 32 (5 bits), MSS (3 bits), and the remaining bits holding the hash]
SYN Cookies
- Client sends a SYN packet and ACK number to the server, and waits for a SYN-ACK from the server w/ matching ACK number.
- Server responds w/ a SYN-ACK packet w/ an initial SYN-cookie sequence number. The sequence number is a cryptographically generated value based on client address, port, and time.
- Client sends ACK to server w/ matching sequence number.
- Server: if the ACK is to an unopened socket, the server validates the returned sequence number as a SYN-cookie. If the value is reasonable, a buffer is allocated and the socket is opened.
[Figure: SYN (ack-number); SYN-ACK (seq-number as SYN-cookie, ack-number), NO BUFFER ALLOCATED; ACK (seq-number, ack-number, +data); SYN-ACK (seq-number, ack-number), TCP BUFFER ALLOCATED]
Legitimate connections have a chance to complete. Fake addresses will eventually be deleted.
Easy to implement.
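The cookie layout and the validation step above can be shown end to end. The following added example (not the lecture's code and not any production TCP stack's) builds a 32-bit cookie as t mod 32 in the top 5 bits, a 3-bit MSS table index, and a 24-bit keyed hash of the connection 4-tuple and t, then validates the returning ACK without any stored state. It assumes t ticks once every 64 seconds, a four-entry MSS table, HMAC-SHA256 truncated to 24 bits as the hash, and a constructed SECRET that a real server would draw at boot.

```python
# Added example: SYN cookie generation and stateless validation (not the lecture's code).
import hashlib
import hmac

SECRET = b"constructed-per-boot-secret-for-the-example"   # assumption: server-side secret
MSS_TABLE = (536, 1300, 1440, 1460)   # encodable MSS values; the index is stored in 3 bits
MASK32 = 0xFFFFFFFF


def _hash24(saddr, sport, daddr, dport, t):
    """24-bit keyed hash of the 4-tuple and the time slot t."""
    msg = f"{saddr}:{sport}>{daddr}:{dport}@{t}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(saddr, sport, daddr, dport, client_mss, now):
    """ISN to place in the SYN-ACK; the server stores nothing about the half-open connection."""
    t = (now // 64) & 31                                   # 5 bits: t mod 32
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fits[-1] if fits else 0                      # largest table MSS <= client's MSS
    return ((t << 27) | (mss_idx << 24) | _hash24(saddr, sport, daddr, dport, t)) & MASK32


def check_cookie(saddr, sport, daddr, dport, ack, now, max_age_slots=2):
    """Validate the ACK of a handshake the server kept no state for.
    Returns the MSS to use, or None if the cookie is stale or does not verify."""
    cookie = (ack - 1) & MASK32            # the client acknowledges ISN + 1
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 7
    tag = cookie & 0xFFFFFF
    age = (((now // 64) & 31) - t) & 31    # time slots elapsed, modulo 32
    if age > max_age_slots:
        return None                        # too old: a replayed cookie is refused
    if tag != _hash24(saddr, sport, daddr, dport, t):
        return None                        # forged, or sent from a different 4-tuple
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    now = 1_000_000                        # constructed clock value (seconds)
    isn = make_cookie("192.168.1.100", 40000, "192.168.1.250", 22, 1460, now)
    print(hex(isn), check_cookie("192.168.1.100", 40000, "192.168.1.250", 22, isn + 1, now))
```

The time slot bounds how long a captured cookie stays usable, and the keyed hash ties it to one 4-tuple, so a flood of spoofed SYNs costs the server only the hash computation per SYN-ACK; the buffer is allocated only once `check_cookie` returns an MSS.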
TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.
Man-in-the-Middle (MITM)
A hacker can also be "inline" between B and C using a sniffing program to watch the sequence numbers and acknowledgement numbers in the IP packets transmitted between B and C, and then hijack the connection. This is known as a "man-in-the-middle attack".
This technique involves using a packet sniffer to intercept the communication between the client and the server. Packet sniffers come in two categories:
Passive Sniffers
Passive sniffers monitor and sniff packets from a network having the same collision domain (i.e. a network with a hub, as all packets are broadcast on each port of the hub).
Active Sniffers
One way of doing so is to change the default gateway of the client's machine so that it will route its packets via the hijacker's machine. This can be done by ARP spoofing (i.e. by sending malicious ARP packets mapping its MAC address to the default gateway's IP address so as to update the ARP cache on the client, to redirect the traffic to the hijacker).
Blind Hijacking
If you are NOT able to sniff the packets and guess the correct sequence number expected by the server, you have to implement "Blind Session Hijacking." You have to brute force 4 billion combinations of sequence number, which will be an unreliable task.
Discussion: Machines A and B. If a user logs in from B to A, A will not ask for a password (e.g. .rhosts). You are an attacker. Can you log in to A from your own machine? Hint 1: sequence number. Hint 2: B's role. Guessing the sequence numbers. Session hijacking. Disable B (e.g., use SYN flooding or other DoS methods).
A common way is to execute a Denial-of-Service (DoS) attack against one end-point to stop it from responding: against the machine to force it to crash, or against the network connection to force heavy packet loss.
Send packets with commands that request the recipient not to send back a response. Or perform MITM.
Assume that the attacker has forged the correct packet information (headers, sequence numbers, and so on) at some point during the session.
When the attacker sends injected session data to the server, the server will acknowledge the receipt of the data by sending the real client an ACK packet.
This packet will most likely contain a sequence number that the client is not expecting, so when the client receives this packet, it will try to resynchronize the TCP session with the server by sending it an ACK packet with the sequence number that it is expecting. This ACK packet will in turn contain a sequence number that the server is not expecting, and so the server will resend its last ACK packet. This cycle goes on and on and on, and this rapid passing back and forth of ACK packets creates an ACK storm.
ACK Storm
Attackers can also use ARP packet manipulation to quiet TCP ACK storms, which are noisy and easily detected by devices such as intrusion detection system (IDS) sensors. Session hijacking tools such as hunt accomplish this by sending unsolicited ARP replies. Most systems will accept these packets and update their ARP tables with whatever information is provided.
In our Host A / Host B example, an attacker could send Host A a spoofed ARP reply indicating that Host B's MAC address is something nonexistent (like C0:C0:C0:C0:C0:C0), and send Host B another spoofed ARP reply indicating that Host A's MAC address is also something nonexistent (such as D0:D0:D0:D0:D0:D0). Any ACK packets between Host A and Host B that could cause a TCP ACK storm during a network-level session hijacking attack are sent to invalid MAC addresses and lost.
Countermeasures - Encryption
Internet Protocol Security (IPsec) has the ability to encrypt your IP packets based on a Pre-Shared Key or, with more complex systems, a Public Key Infrastructure (PKI). This will also defend against many other attack vectors such as sniffing. The attacker may be able to passively monitor your connection, but they will not be able to read any data as it is all encrypted.
Other countermeasures include encrypted applications like ssh (Secure SHell, an encrypted telnet) or ssl (Secure Sockets Layer, HTTPS traffic).
Again this reflects back to using encryption, but a subtle difference being that you are using the encryption within an application. Be aware though that there are known attacks against ssh and ssl. OWA, Outlook Web Access, uses ssl to encrypt data between an internet client browser and the Exchange mail server, but tools like Cain & Abel, dsniff and sslstrip can spoof the ssl certificate and mount a Man-In-The-Middle (MITM) attack and decrypt everything!
HTTPS connection
Automatically verified if the certificate is signed by a well-known CA. Otherwise the user makes the decision.
Webmitm can display the entire contents of the SSL session on the attacker's screen. Dsniff can be used to sniff SSH sessions by conducting a man-in-the-middle attack in a similar fashion.
Dsniff supports sniffing of only SSH protocol version 1, but who knows in the future.
Use encryption tools like SSH or virtual private networks for securing sessions. Only accept known certificates.
TCP RST Attacks
Attackers inject an RST segment into an existing TCP connection, causing it to be closed. The TCP Reset attack is made possible due to the requirement that a TCP endpoint must accept out-of-order packets that are within the range of a window size, and the fact that Reset flags should be processed immediately. What are the difficulties of spoofing an RST packet to break a remote connection?
- Sequence number of the connection
- Source port of the connection (the destination port is usually well known for some applications, e.g. SSH uses 22)
The idea here is to find patterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request. ISN sampling can be categorized into many groups such as the traditional 64K (many old UNIX boxes), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), true "random" (Linux 2.0.*, OpenVMS, newer AIX, etc). Windows boxes (and a few others) use a "time dependent" model where the ISN is incremented by a small fixed amount each time period. Using "ICMP Message Quoting" to discover the OS: for a port unreachable message, almost all implementations send only the required IP header + 8 bytes back. However, Solaris sends back a bit more and Linux sends back even more than that. The beauty of this is that it allows nmap to recognize Linux and Solaris hosts even if they don't have any ports listening.
If an attacker can find out the current sequence number that is being used by an existing TCP connection, it can inject a valid TCP segment into the existing TCP connection.
If the attacker is within the same LAN, it can sniff the sequence number. If the attacker is not within the same LAN, it has to guess the sequence number.
To guess ISN
All possible values for ISN: 2^32. We only need to make sure that the guessed ISN is within the receiver's current window; otherwise, the TCP packet with this guessed ISN will be discarded by the receiver. If a 16K window size is used, on average it only takes 2^32 / 2^14 = 2^18 = 262,144 tries to hit the window. With a T1 line (1.5 Mb/s) at 4,870 packets a second, the attacker would be able to exhaust all possible windows within only 60 seconds.
Initial window size for various operating systems. The packets required for a successful guess are based on the equation 2^32 / Initial Window Size. It tells how much data the receiver expects to receive.
When a TCP connection is made, the combination of the source port and IP address and the destination port and IP address results in a unique fingerprint that can be used to differentiate between all active TCP connections. Most of the TCP attacks assume that the attacker already knows the destination port and IP address as well as the source port and IP address. The destination port and IP address are easy, as they are generally published. The source IP address is also generally easy to get, as this is simply the client that is being spoofed. The only piece that can frequently be difficult to find is the source port. For example, if an operating system randomly assigns source ports from a pool that ranges from 1024 through 49,152 (such as OpenBSD), this increases the difficulty of performing a reset attack 48,127 times, as the attacker would have to try their sequence attack with every possible port number. In our example with 16k windows, we determined that with known endpoints it would require 262,144 packets to guarantee a successful reset attack. However, if using random ports as we've described, it would now require 262,144 times 48,127, or 12,616,204,288 packets. An attack of that size would all but certainly be detected and dealt with before a brute force reset would occur.
Unfortunately, most operating systems allocate source ports sequentially, including Windows and Linux. A notable exception is OpenBSD, which began randomizing source port allocation in 1996. The following chart represents observations of source port selection from various Operating Systems.
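The risk estimate above rests on two pieces: the window-acceptance rule that makes a guessed sequence number count as a hit, and the count of guesses needed to cover the whole sequence space at a given window size and port pool. The following added example (not the lecture's code) implements both so that the exposure of a long-lived session can be compared across window sizes and source-port policies; the function names and the `port_count` parameter are this example's own.

```python
# Added example: the window-acceptance test and the guess-count arithmetic from
# the slides (not the lecture's code).
MASK32 = 0xFFFFFFFF


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptance test for the first byte of a segment:
    rcv_nxt <= seq < rcv_nxt + rcv_wnd, computed modulo 2**32 so wrap-around is handled."""
    return ((seq - rcv_nxt) & MASK32) < rcv_wnd


def guesses_to_cover_isn_space(window):
    """Spoofed segments needed so that one lands in every possible window position: 2**32 / window."""
    return (2 ** 32) // window


def blind_reset_budget(window, port_count=1, pps=None):
    """Packets (and seconds at pps packets per second) for a blind reset when the
    source port is known (port_count=1) or must be tried from port_count candidates."""
    packets = guesses_to_cover_isn_space(window) * port_count
    return {"packets": packets, "seconds": None if pps is None else packets / pps}


if __name__ == "__main__":
    # Constructed figures matching the slide: 16K window, T1 at 4,870 packets/s,
    # and a 48,127-port random source-port pool.
    print(blind_reset_budget(16 * 1024, pps=4870))
    print(blind_reset_budget(16 * 1024, port_count=48127, pps=4870))
    print(in_window(5, 0xFFFFFFF0, 16384))   # sequence wrap: 5 is 21 bytes past 0xFFFFFFF0
```

Two defensive readings follow from the numbers: a larger receive window divides the packet count, so port randomization is what puts the attack out of reach, and stacks that implement RFC 5961 only reset on an RST whose sequence number equals RCV.NXT exactly (an in-window but inexact RST draws a challenge ACK instead), which removes the "anywhere in the window" acceptance the estimate depends on.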
DNS Attacks
Countermeasures to DNS Poisoning
DNS servers use a TTL on their cache. The TTL = 1 hour in most cases. Attackers can send a small number of replies before the real domain answers. Thus, the attacker can only send in a couple of attacks once per hour, which makes it difficult to guess the right sequence number in a short time period. Attackers can try to block the real replies through MITM or DoS, which may or may not be difficult depending on the real network configuration and security setup of the system. New DNS attacks discovered by Dan Kaminsky: http://www.defcon.org/html/links/dc-archives/dc-16-archive.html#Ka
DoS Attacks
DoS Categories
In Unix, an attacker with root privileges (or, via a buffer overflow attack) may shut down the "inetd" process. Attackers who have accounts on a system can run local programs and supply input directly into processes on the machine through the local account (e.g., an employee or contractor, or through some of the gaining-access methods, such as a password attack or session hijacking).
- Process killing: an attacker with sufficient privileges can simply kill local processes in a DoS attack, such as a Web or DNS server.
- System reconfiguration: attackers with sufficient privileges can reconfigure a system so that it doesn't offer the service anymore or filters specific users from the machine.
- Process crashing: the attackers may not have super-user privileges, but they may be able to crash processes by exploiting vulnerabilities in the system (e.g., buffer overflow; stack buffer overflow example: http://nsfsecurity.pr.erau.edu/bom/Stacks.html).
Logic Bomb
The attacker plants a logic bomb program on a machine, which can be triggered based on a number of factors:
- Elapsed time
- The activation of certain other programs
- The logging in of specific users
- etc.
Once the logic bomb trigger is activated, the program will stop or crash a local process (terrorist purposes).
- Make sure the systems are patched in a timely manner to prevent outside attackers.
- Make sure to carefully dole out privileges to users on your system: Principle of Least Privilege.
- Quickly detect changes to the configuration of the system: use tripwire (http://www.tripwire.com/).
Filling up the process table: write a program that simply forks another process to run a copy of itself. Filling up the file system: continuously write an enormous amount of data to the file system.
- Apply the Principle of Least Privilege.
- Make sure that your sensitive systems have adequate resources, such as memory, processor speed and communication link bandwidth.
- Use host-based Intrusion Detection Systems or other system monitoring tools that can warn you when your system resources are getting low, possibly indicating this type of resource exhaustion attack.
Attackers exploit an error in the TCP/IP stack of the target machine by sending one or more unusually formatted packets. If the target machine is vulnerable to the particular malformed packet, it will crash, possibly shutting down a specific process, all network communication, or even causing the target's operating system to halt.
Other tools
Targa: more powerful suites of malformed packet attack tools (http://packetstorm.security.com/DoS/). Dsniff (ARP spoof): the attacker must be on the same LAN as the server or victim (a router would not forward ARP messages).
Vendors need to frequently release patches to their TCP/IP stacks to fix problems. Anti-spoof filters guard against IP spoofing, such as Land. Create static ARP tables on sensitive networks to prevent ARP spoofing.
To remember the initial sequence number from the source, the TCP/IP stack on the destination machine will allocate a small piece of memory on its connection queue, to track the status of this new half-open connection. A SYN flood attack attempts to undermine this mechanism by sending a large number of SYN packets to the target system. When the target receives more SYN packets than it can handle, other legitimate traffic will not be able to reach the victim. (Two ways to exhaust the communications resource of the target)
SYN Flood Defenses
ISN_B is a function of the source IP address, destination IP address, port numbers, time, and a secret seed. Bob does not remember ISN_B, or store any information about the half-open connection in the queue.
[Figure: SYN Cookie exchange among Alice, Bob and Eve]
Spoof the source IP address. Send a ping to a network broadcast address. The victim (with the original source IP address) will receive multiple ICMP responses.
[Figure: Eve sends a broadcast ping spoofed from w.x.y.z to the Smurf amplifier network; the responses go to w.x.y.z]
Smurf-Attack Defenses
- Have adequate bandwidth and redundant paths
- Filter ICMP messages at your border router
- Test your network to make sure no one uses your network to deploy a smurf attack (disable directed broadcast packets at your border router or firewall)
Take over a large number of victim machines (often referred to as "Zombies"). The attacker uses one or more client machines to tell all of the Zombies to simultaneously execute a command, usually to conduct a DoS attack against the target. The client communicates with the Zombies, but the attacker usually accesses the client from a separate system. A powerful DDoS tool: TFN2K.
Targa, UDP flood, SYN flood, ICMP flood, Smurf attack, etc.
A botnet is a collection of compromised computers (bots, also known as zombies) under the control of a single entity, usually through the mechanism of a single command and control server (a botnet controller). Any computer connected to the Internet, preferably with a broadband connection, is a desirable base of computing power to be used as a bot. Bots are almost always compromised Windows machines; botnet controllers are almost always compromised Unix machines running ircd (Internet Relay Chat daemon). Common bot software: Korgobot, SpyBot, Optix Pro, rBot, SDBot, Agobot, Phatbot. Most spam is sent from bots (70% according to MessageLabs, October 2004). Most worms and viruses today are being used to put bot software on end-user computers. Most denial of service attacks originate from bots. Bots can be used as proxies for almost any kind of malicious activity on the Internet (DoS, ID theft, phishing, keylogging, spam, etc.).
Keeping Zombies off of your systems and defending against a DDoS flood
- Keep your systems patched and up to date
- Employ egress anti-spoof filters on your external router
- Use tools to find DDoS attacks, such as "Find DDoS" by NIPC (National Infrastructure Protection Center)
- Inform your ISP to block the DDoS where it enters the network.