
Network Attacks

By Dijiang Huang

Outline

ARP Attacks
IP Attacks
ICMP Attacks
UDP Attacks
TCP Attacks
DNS Attacks
DoS Attacks

ARP Attacks

ARP

The Address Resolution Protocol is used by each host on an IP network to map local IP addresses to hardware addresses or MAC addresses. Here is a quick look at how this protocol works.

Say that Host A (IP address 192.168.1.100) wants to send data to Host B (IP address 192.168.1.250). No prior communications have occurred between Hosts A and B, so the ARP table entries for Host B on Host A are empty. Host A broadcasts an ARP request packet indicating that the owner of the IP address 192.168.1.250 should respond to Host A at 192.168.1.100 with its MAC address. The broadcast packet is sent to every machine in the network segment, and only the true owner of the IP address 192.168.1.250 should respond. All other hosts discard this request packet, but Host A receives an ARP reply packet from Host B indicating that its MAC address is BB:BB:BB:BB:BB:BB. Host A updates its ARP table, and can now send data to Host B.

Finding the Owner of a MAC Address

To reduce communication cost, computers that use ARP maintain a cache of recently acquired IP-to-physical address bindings. Each entry has a timer (the usual timeout period is 20 minutes).

ARP is stateless, and most operating systems update their cache when receiving an ARP reply, regardless of whether they have actually sent out a request or not.

ARP Table Modifications

However, Host A doesn't know that Host B really did send the ARP reply. In the previous example, attackers could spoof an ARP reply to Host A before Host B responded, indicating that the hardware address E0:E0:E0:E0:E0:E0 corresponds to Host B's IP address.

Host A would then send any traffic intended for Host B to the attacker, and the attacker could choose to forward that data (probably after some tampering) to Host B.

Spoofed Reply

Arpspoof:
Consult a network map.
Enable IP forwarding.
Activate the Dsniff arpspoof program.
Send fake ARP replies to the victim's machine.
The attacker's fake ARP message changes the victim's ARP table by remapping the default router's Layer-3 IP address to the attacker's own Layer-2 MAC address.
The victim sends the data to what it thinks is the default router.
The attacker sniffs the information.
The attacker forwards the information to the default router.

Man-In-The-Middle Attack

Some servers use IP addresses for authentication. This is the case for many applications like Apache ACL, r-commands, NFS, TCP Wrapper, restricted administration tools, etc. Goal: the server trusts T's IP address; evil host E wants to connect to the server. How: let the server believe the evil host (E) has the legitimate IP.

Setting: evil host E, trusted host T, and server S.
E: ARP cache poisoning.
E: Forward existing server-to-T traffic.
E: use T's IP to communicate with S.

MITM Attacks

Problem: T might broadcast new ARPs, which can correct S's ARP cache. S then sends TCP replies to T, who will send back a TCP reset to S (because such a TCP connection does not exist between S and T). This will end the evil host's connection with S. How to prevent this from happening?
Shut down T (denial of service).
Flood S with forged ARP messages.
Prevent T from sending ARP broadcasts: how? Give T everything before it needs them.

Other Attacks

Bypassing Firewalls: many firewalls only allow outgoing traffic from a few identified computers. The evil host (E) can bypass this rule using DNS cache poisoning (will be addressed later).

Protect ARP Cache

Use intrusion detection tools:

Detect fake ARP messages and maintain consistency of the ARP table. Available on many UNIX platforms, arpwatch maintains a database of Ethernet MAC addresses seen on the network, with their associated IP pairs. It alerts the system administrator via e-mail if any change happens.

Use strong authentication rather than the source IP address. VPN protocols like SSH, SSL or IPSec can greatly improve security by achieving authentication, integrity and confidentiality.
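As an added example (not code from the slides or from arpwatch itself), here is a small arpwatch-style monitor: it keeps the IP-to-MAC bindings seen in ARP replies and raises the "changed ethernet address" and "flip flop" alerts that arpwatch reports. The ARP replies are constructed sample data using the hosts from the ARP example above.

```python
# arpwatch-style ARP reply monitor (added example, not from the slides).
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed sample: Host B (192.168.1.250) answers with its real MAC, then a
# forged reply claims E0:E0:... for the same IP, then B re-announces itself.
SAMPLE_REPLIES = [
    ArpReply(0, "192.168.1.250", "BB:BB:BB:BB:BB:BB"),
    ArpReply(1, "192.168.1.100", "AA:AA:AA:AA:AA:AA"),
    ArpReply(5, "192.168.1.250", "E0:E0:E0:E0:E0:E0"),   # spoofed reply
    ArpReply(6, "192.168.1.250", "BB:BB:BB:BB:BB:BB"),   # real host answers again
]


class ArpMonitor:
    """Keeps the current and previous MAC seen per IP, like arpwatch's database."""

    def __init__(self):
        self.db = {}        # ip -> (current_mac, previous_mac, last_seen_ts)
        self.alerts = []    # what arpwatch would mail to the administrator

    def observe(self, reply):
        ip, mac = reply.sender_ip, reply.sender_mac.upper()
        entry = self.db.get(ip)
        if entry is None:
            # First time this IP is seen on the segment.
            self.db[ip] = (mac, None, reply.ts)
            self.alerts.append(("new station", ip, mac))
            return
        cur, prev, _ = entry
        if mac == cur:
            self.db[ip] = (cur, prev, reply.ts)   # binding unchanged, refresh timer
            return
        # The MAC differs from the stored binding: a "flip flop" if the IP is
        # bouncing back to its previously seen MAC, otherwise a changed address.
        kind = "flip flop" if mac == prev else "changed ethernet address"
        self.alerts.append((kind, ip, mac, cur))
        self.db[ip] = (mac, cur, reply.ts)


def run_monitor(replies=SAMPLE_REPLIES):
    """Feed a sequence of ARP replies through the monitor and return the alerts."""
    mon = ArpMonitor()
    for r in replies:
        mon.observe(r)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

A spoofed reply shows up as "changed ethernet address", and the real host's next reply turns it into a "flip flop", which is the pattern to look for in the alerts.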

IP Attacks

IP (eader [networksorcery]

Header length: specifies the length of the IP packet header in 32-bit words. The minimum value for a valid header is 5.


IP Attacks

Teardrop

Send a packet with:
offset = 0
payload size N
More Fragments bit on

Second packet:
More Fragments bit off
offset + payload size < N, i.e., the 2nd fragment fits entirely inside the first one.

When some OS tries to put these two fragments together, it crashes.

IP Attacks

Overlapping attacks against firewalls

Many firewalls inspect packets separately. When the filtering rule is based on the TCP header, but the TCP header is fragmented, the rule will fail. The TCP header is at the beginning of the data area of an IP packet.

IP Spoofing

Spoofing:

Any host can send packets pretending to be from any IP address. Spoofing is helpful for attackers who don't want to have their actions traced back. The packets will appear to be coming from the system whose address the attacker is using. It helps attackers undermine various applications, particularly those that dangerously rely only on IP addresses for authentication or filtering.

An attacker can reconfigure his/her system to have a different IP address quite trivially, such as with ifconfig or Windows' control panel. Use tools to change the desired IP address, such as Nmap and Dsniff.

The attacker just wants the packet to look like it comes from somewhere else, to obscure the source of a packet flood or other denial-of-service attack.

Simple Spoofing - Limitations

One direction – only sending out traffic but not receiving traffic.

Without interaction with a target. The TCP three-way handshake makes things especially challenging for the attacker.

Against any TCP-based service.

Simple Spoofing - Limitations

What if the simple spoofing happens on a LAN?

When Eve is on the same LAN as B, Eve can sniff the responses from B directly off of the LAN, and use ARP spoofing to prevent A's reset from tearing down the connection.

Introduction of Dsniff

Actively manipulate traffic


Sniffing through a switch
Remapping DNS names to redirect network connections
Sniffing SSL and SSH connections

Dsniff - Sniffing on a Switch

Macof

Sending out a flood of traffic with random MAC addresses on the LAN. The switch will store the MAC addresses used by each link on the switch; eventually, the switch's memory is exhausted. Some switch implementations then start forwarding data onto all links.

Refer to the previous slides on ARP spoofing.

IP Address Spoofing - Spoofing with Source Routing

Strict source routing allows the source machine sending a packet to specify the path (entire route) it will take on the network. Loose source routing allows the attacker to specify just some of the hops that must be taken as the packet traverses the network.


IP Spoofing Defenses

Avoid using r-commands.
Avoid applications that use IP addresses for authentication purposes.
Implement "anti-spoof" packet filters on your border routers and firewalls.
Disable source routing.
Avoid extending trust relations among different domains.

ICMP Attacks

ICMP Header


ICMP Attacks

Mapping a target network is a very strategic part of most intelligently planned attacks. This initial step attempts to discover the live hosts in a target network. An attacker then can direct a more focused attack toward live hosts only.
Sending individual ICMP echo: this is what the ping command does.
Sending ICMP echo requests to the broadcast addresses of a network.
Sending ICMP echo requests to the network and broadcast addresses of subdivided networks.
Sending an ICMP address mask request to a host on the network to determine the subnet mask, to better understand how to map efficiently.

Smurf Attacks

Ping a broadcast address, with the (spoofed) IP of a victim as the source address. All hosts on the network respond to the victim. The victim is overwhelmed.
Keys: Amplification and IP spoofing.
Protocol vulnerability; implementations can be "patched" by violating the protocol specification, to ignore pings to broadcast addresses.
ICMP echo is just used for convenience. All ICMP messages can be abused this way.

Ping of Death

ICMP echo with fragmented packets. Maximum legal size of an ICMP echo packet: 65535 - 20 - 8 = 65507. Fragmentation allows bypassing the maximum size: (offset + size) > 65535. The reassembled packet would be larger than 65535 bytes. OS crashes. Same attack with different IP protocols.
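As an added example (not from the slides) serving both the Teardrop slide in the IP Attacks section and the Ping of Death slide above, here is the sanity check a reassembler or stateful firewall can run over the fragments of one datagram before putting them together: it flags a later fragment that lies inside (or overlaps) an earlier one, and a fragment train whose reassembled size exceeds the 65535-byte IP maximum. Fragment values are constructed; offsets are given in bytes (the IP header carries them in 8-byte units).

```python
# Fragment-train sanity check (added example, not from the slides).
IP_MAX_LEN = 65535


def check_fragments(frags):
    """frags: list of (offset_bytes, payload_len, more_fragments) for one datagram.
    Returns a list of problem strings; an empty list means the train is sane."""
    problems = []
    accepted = []          # (start, end) byte ranges already accepted
    final_seen = False
    for off, length, mf in sorted(frags):
        if mf and off % 8:
            # Only the last fragment may have an unaligned length; offsets must be 8-byte multiples.
            problems.append(f"non-final fragment at offset {off} not 8-byte aligned")
        start, end = off, off + length
        for s, e in accepted:
            if start < e and s < end:                      # byte ranges intersect
                kind = "contained in" if s <= start and end <= e else "overlaps"
                problems.append(f"fragment [{start},{end}) {kind} [{s},{e})")
        accepted.append((start, end))
        if end > IP_MAX_LEN:
            # Ping of Death: offset + size pushes the reassembled datagram past the limit.
            problems.append(f"reassembled size {end} exceeds {IP_MAX_LEN}")
        if not mf:
            final_seen = True
    if not final_seen:
        problems.append("no final fragment (MF=0) in train")
    return problems


# Constructed sample trains.
TEARDROP = [(0, 36, True), (24, 4, False)]              # 2nd fragment fits inside the 1st
PING_OF_DEATH = [(0, 65520, True), (65520, 20, False)]  # 65540 > 65535
NORMAL = [(0, 1480, True), (1480, 1480, True), (2960, 100, False)]

if __name__ == "__main__":
    for name, train in (("teardrop", TEARDROP), ("ping of death", PING_OF_DEATH), ("normal", NORMAL)):
        print(name, check_fragments(train))
```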

ICMP Redirect Attack

Ask a host to send its packets to the target "router". Useful for man-in-the-middle attacks.

Winfreeze

Targeted at Windows operating systems. ICMP Redirect message: "YOU are the quickest link to host P". The host changes its routing table entry for P to itself. The host sends packets to itself in an infinite loop.

UDP Attacks

UDP Header Format

Length: the length in bytes of the UDP header and the encapsulated data. The minimum value for this field is 8.

UDP Attacks

Fraggle

Broadcast UDP packet sent to the "echo" service. All computers reply (amplification). The source IP was spoofed; the victim is overwhelmed. Similar to the ICMP Smurf attack.

UDP Ping-Pong

Some services or applications issue a UDP reply no matter what the input packet is (e.g., an error message). Set the source and destination ports of a UDP packet to be one of the following ports:

daytime (port 13), time (port 37)

This causes a Ping-Pong effect between the source and the destination.

DoS Attacks

Key: applications that reply with large packets to small requests, e.g., games:

Battlefield 1942, Quake, Unreal Tournament

Hosts can be attacked by using these applications as amplifiers, with forged source IP packets.

TCP Attacks

TCP Header Format


Three-way Handshaking

Client -> Server: SYN (seq# = x)
Server -> Client: SYN / ACK (ack# = x+1, seq# = y)
Client -> Server: ACK (seq# = x; ack# = y+1)


TCP SYN Attacks

An attacker sends many SYN packets to create multiple connections without ever sending an ACK to complete the connection. The victim has to keep the half-opened connection in its memory for a certain amount of time (e.g. 75 seconds). If there are so many of these malicious packets, the victim quickly runs out of memory. Those SYN packets usually use spoofed IP addresses. When the target receives more SYN packets than it can handle, other legitimate traffic will not be able to reach the victim. (Two ways to exhaust the communications resources of the target)

1st: Fill the connection queue of the target system with half-open connections

Once the target system receives the SYN packet and sends its SYN-ACK response, it will wait patiently for the third part of the three-way handshake. The timeout is always over a minute. The target system allocates some resource on its connection queue to remember each incoming SYN packet. Attackers send SYN packets to exhaust all slots allocated in the connection queue, so no new connections can be initiated by legitimate users.

2nd: Fill the entire communications link

If the connection queue is enormous and can handle a very large number of SYN packets:

Fill the entire communications link, squeezing out any legitimate traffic. This requires that the attacker have more total bandwidth than the victim machine, and the ability to generate packets to fill that bandwidth.

Example SYN Flood Attacks

February 2000

Victims included CNN, eBay, Yahoo, Amazon. Attackers (allegedly) used simple, readily available tools (script-kiddies). Law enforcement was unable (unwilling?) to help.

October 2002

Root DNS servers: 9 of 13 servers brought down

SYN Flood Defenses

Have adequate bandwidth and redundant paths from all of your critical systems (using two or more ISPs for connectivity).

TCP/IP stack enhancement:
Increase the size of the connection queue.
Lower the amount of time to wait for half-open connections.

SYN Cookies

General idea

Client sends SYN w/ ACK number. Server responds to Client with SYN-ACK cookie:

sqn = f(src addr, src port, dest addr, dest port, rand)

Server does not save state.

Honest client responds with ACK(sqn). Server checks the response. If it matches the SYN-ACK, the server establishes the connection.

For more details refer to: http://en.wikipedia.org/wiki/SYN_cookie

TCP SYN cookie

The TCP SYN/ACK seqno encodes a cookie in the 32-bit sequence number, which includes a timestamp, a nonce and the 4-tuple:

first 5 bits: t mod 32, a counter to ensure sequence numbers increase every 64 seconds
next 3 bits: MSS, an encoding of the server MSS (can only have 8 settings)
remaining 24 bits: Cookie = HMAC(t, Ns, SIP, SPort, DIP, DPort), easy to create and validate, hard to forge

SYN Cookies

The client sends a SYN packet and ACK number to the server, and waits for a SYN-ACK from the server w/ matching ACK number. The server responds w/ a SYN-ACK packet w/ an initial SYN-cookie sequence number. The sequence number is a cryptographically generated value based on client address, port, and time. The client sends an ACK to the server w/ matching sequence number. If the ACK is to an unopened socket, the server validates the returned sequence number as a SYN-cookie. If the value is reasonable, a buffer is allocated and the socket is opened.

Client -> Server: SYN, ack-number
Server -> Client: SYN-ACK, seq-number as SYN-cookie, ack-number (NO BUFFER ALLOCATED)
Client -> Server: ACK, seq_number, ack-number + data
Server: SYN-ACK seq-number and ack-number checked (TCP BUFFER ALLOCATED)

Another Defense: Random Deletion


[Figure: SYN queue of half-open connections from addresses such as 121.17.182.45, 231.202.1.16, 121.100.20.14 and 5.17.95.155.]

If the SYN queue is full, delete a random entry.

Legitimate connections have a chance to complete.
Fake addresses will eventually be deleted.

Easy to implement.

TCP Session Hijacking

TCP session hijacking is when a hacker takes over a TCP session between two machines. Since most authentication only occurs at the start of a TCP session, this allows the hacker to gain access to a machine.


Categories of TCP Session Hijacking

Based on the anticipation of sequence numbers there are two types of TCP hijacking:

Man-in-the-middle (MITM)
Blind Hijack


Man-in-the-middle (MITM)

A hacker can also be "inline" between B and C using a sniffing program to watch the sequence numbers and acknowledgement numbers in the IP packets transmitted between B and C, and then hijack the connection. This is known as a "man-in-the-middle attack".


Man in the Middle Attack Using Packet Sniffers

This technique involves using a packet sniffer to intercept the communication between the client and the server. Packet sniffers come in two categories:

Active sniffers
Passive sniffers


Passive Sniffers

Passive sniffers monitor and sniff packets from a network sharing the same collision domain (i.e. a network with a hub, as all packets are broadcast on each port of the hub).


Active Sniffers

One way of doing so is to change the default gateway of the client's machine so that it will route its packets via the hijacker's machine. This can be done by ARP spoofing (i.e. by sending malicious ARP packets mapping the hijacker's MAC address to the default gateway's IP address so as to update the ARP cache on the client, redirecting the traffic to the hijacker).


Blind Hijacking

If you are NOT able to sniff the packets and guess the correct sequence number expected by the server, you have to implement "Blind Session Hijacking." You have to brute force 4 billion combinations of sequence number, which will be an unreliable task.
Discussion: Machines A and B. If a user logs in from B to A, A will not ask for a password (e.g. .rhosts). You are an attacker. Can you log in to A from your own machine?
Hint 1: sequence number.
Hint 2: B's role.
Guessing the sequence numbers. Session hijacking. Disable B (e.g., use SYN flooding or other DoS methods).


Ways to Suppress a Hijacked Host from Sending Packets

A common way is to execute a Denial-of-Service (DoS) attack against one end-point to stop it from responding.

This attack can be either:

against the machine to force it to crash, or
against the network connection to force heavy packet loss.

Send packets with commands that request the recipient not to send back a response. Or perform MITM.

TCP Session Hijacking Tools


T-Sight, Hunt, Paros, Juggernaut, sslstrip … and so on.


Session Hijacking with Hunt

TCP ACK Packet Storms

Assume that the attacker has forged the correct packet information (headers, sequence numbers, and so on) at some point during the session.

When the attacker sends the injected session data to the server, the server will acknowledge the receipt of the data by sending an ACK packet to the real client.

This packet will most likely contain a sequence number that the client is not expecting, so when the client receives this packet, it will try to resynchronize the TCP session with the server by sending it an ACK packet with the sequence number that it is expecting. This ACK packet will in turn contain a sequence number that the server is not expecting, and so the server will resend its last ACK packet. This cycle goes on and on, and this rapid passing back and forth of ACK packets creates an ACK storm.


ACK Storm


Handling TCP ACK Storms (Attacker)

Attackers can also use ARP packet manipulation to quiet TCP ACK storms, which are noisy and easily detected by devices such as intrusion detection system (IDS) sensors. Session hijacking tools such as hunt accomplish this by sending unsolicited ARP replies. Most systems will accept these packets and update their ARP tables with whatever information is provided.

In our Host A-Host B example, an attacker could send Host A a spoofed ARP reply indicating that Host B's MAC address is something nonexistent (like C0:C0:C0:C0:C0:C0), and send Host B another spoofed ARP reply indicating that Host A's MAC address is also something nonexistent (such as D0:D0:D0:D0:D0:D0). Any ACK packets between Host A and Host B that could cause a TCP ACK storm during a network-level session hijacking attack are sent to invalid MAC addresses and lost.

Stopping a TCP ACK Storm


Countermeasures - Encryption

The most effective countermeasure is encryption such as IPSec.

Internet Protocol Security has the ability to encrypt your IP packets based on a Pre-Shared Key or, with more complex systems, a Public Key Infrastructure (PKI). This will also defend against many other attack vectors such as sniffing. The attacker may be able to passively monitor your connection, but they will not be able to read any data as it is all encrypted.


Countermeasures - Encrypted Applications

Other countermeasures include encrypted applications like ssh (Secure SHell, an encrypted telnet) or ssl (Secure Sockets Layer, HTTPS traffic).

Again this reflects back to using encryption, but a subtle difference is that you are using the encryption within an application. Be aware though that there are known attacks against ssh and ssl. OWA, Outlook Web Access, uses ssl to encrypt data between an internet client browser and the Exchange mail server, but tools like Cain & Abel, dsniff and sslstrip can spoof the ssl certificate, mount a Man-In-The-Middle (MITM) attack and decrypt everything!


Use Dsniff to Sniff HTTP and HTTPS (Continued)

Webmitm and sshmitm

Use Dsniff to Sniff HTTP and HTTPS Connections

S: certificate -> Client. The client verifies the certificate.

It is automatically verified if the certificate is signed by a well-known CA. Otherwise the user makes the decision.

SSH is the same as HTTPS.

The connection can still be set up.

Use Dsniff to Sniff HTTP and HTTPS (Continued)


Webmitm can display the entire contents of the SSL session on the attacker's screen. Dsniff can be used to sniff SSH sessions by conducting a man-in-the-middle attack in a similar fashion.

Dsniff supports sniffing of only SSH protocol version 1, but who knows in the future.

Session Hijacking Defenses

Use encryption tools like SSH or virtual private networks for securing sessions.
Only accept known certificates.

TCP RST Attacks

Attackers inject an RST segment into an existing TCP connection, causing it to be closed. The TCP Reset attack is made possible by the requirement that a TCP endpoint must accept out-of-order packets that are within the range of a window size, and the fact that Reset flags should be processed immediately. What are the difficulties of spoofing a RST packet to break a remote connection?

The sequence number of the connection.
The source port of the connection (the destination port is usually well known for some applications, e.g. SSH uses 22).

TCP Initial Sequence Number (ISN) Sampling

The idea here is to find patterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request. ISN sampling can be categorized into many groups such as the traditional 64K (many old UNIX boxes), random increments (newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others), true "random" (Linux 2.0.x, OpenVMS, newer AIX, etc). Windows boxes (and a few others) use a "time dependent" model where the ISN is incremented by a small fixed amount each time period. Using "ICMP Message Quoting" to discover the OS: for a port unreachable message, almost all implementations send back only the required IP header + 8 bytes. However, Solaris sends back a bit more and Linux sends back even more than that. The beauty of this is that it allows nmap to recognize Linux and Solaris hosts even if they don't have any ports listening.

The Security of the Initial Sequence Number (ISN)

If an attacker can find out the current sequence number that is being used by an existing TCP connection, it can inject a valid TCP segment into the existing TCP connection.

If the attacker is within the same LAN, it can sniff the sequence number. If the attacker is not within the same LAN, it has to guess the sequence number.

To guess the ISN

A## "ossib#e /a#ues 1o ISN> )8)$ ;e on#y need to !ake su e that the guessed ISN is within the ecei/e 4s cu ent window? othe wise0 the TCP "acket with this guessed ISN wi## be disca ded by the ecei/e $ I1 '*L window siCe is used0 on a/e age0 it on#y takes )8) G )'R B )'+ B )*)0'RR t ies to hit the window$ ;ith a T' #ine &'$.!Gs- at R08M, "ackets a second0 the attacke wou#d be ab#e to e5haust a## "ossib#e windows within on#y *, seconds$

Initial Window Sizes


Initial window size for various operating systems. The packets required for a successful guess are based on the equation: 2^32 / Initial Window Size. The window size tells how much data the receiver expects to receive.

Guessing the Source Port

When a TCP connection is made, the combination of the source port and IP address and the destination port and IP address results in a unique fingerprint that can be used to differentiate between all active TCP connections. Most of the TCP attacks assume that the attacker already knows the destination port and IP address as well as the source port and IP address. The destination port and IP address are easy, as they are generally published. The source IP address is also generally easy to get, as this is simply the client that is being spoofed. The only piece that can frequently be difficult to find is the source port. For example, if an operating system randomly assigns source ports from a pool that ranges from 1025 through 49,152 (such as OpenBSD), this increases the difficulty of performing a reset attack 48,127 times, as the attacker would have to try their sequence attack with every possible port number. In our example with 16k windows, we determined that with known endpoints it would require 262,144 packets to guarantee a successful reset attack. However, if using random ports as we've described, it would now require 262,144 times 48,127, or 12,616,204,288 packets. An attack of that size would all but certainly be detected and dealt with before a brute force reset would occur.

Guessing the Source Port

Unfortunately, most operating systems allocate source ports sequentially, including Windows and Linux. A notable exception is OpenBSD, which began randomizing source port allocation in 1996. The following chart represents observations of source port selection from various operating systems.
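As an added example (not from the slides) covering the RST attack, ISN guessing and source-port slides above, here is the receiver-side window check that decides whether a RST is honoured, done modulo 2^32 so that a window straddling the sequence-number wrap is handled, together with the search-space arithmetic the slides use. It also shows the RFC 5961 variant (challenge ACK for in-window RSTs not exactly at RCV.NXT), which is the stack-side mitigation; function names and sample values are constructed.

```python
# RST acceptance window and blind-guess arithmetic (added example, not from the slides).
SEQ_SPACE = 2 ** 32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), computed modulo 2^32
    so that a window that wraps from 2^32-1 to 0 is still compared correctly."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_action_classic(seq, rcv_nxt, rcv_wnd):
    """Pre-RFC 5961 behaviour the slide describes: any in-window RST resets."""
    return "reset" if seq_in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seq, rcv_nxt, rcv_wnd):
    """RFC 5961 mitigation: only a RST exactly at RCV.NXT resets; an in-window
    RST elsewhere draws a challenge ACK (so a blind guess cannot tear the
    connection down); out-of-window RSTs are dropped."""
    if seq == rcv_nxt:
        return "reset"
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge_ack"
    return "drop"


def guesses_to_cover_space(window, port_count=1):
    """Packets needed to land one segment in every window position: 2^32 / window,
    multiplied by the number of candidate source ports when the port is unknown."""
    return (SEQ_SPACE // window) * port_count


def worked_numbers():
    """The slides' figures: 16K window, 4,370 pps (T1), OpenBSD's 1025..49152 port pool."""
    base = guesses_to_cover_space(16 * 1024)
    return {
        "known_port": base,                                               # 262,144
        "t1_seconds": round(base / 4370),                                 # ~60 s
        "random_port": guesses_to_cover_space(16 * 1024, 49152 - 1025),  # 12,616,204,288
    }


if __name__ == "__main__":
    print(worked_numbers())
    print(rst_action_classic(1000, 900, 16384), rst_action_rfc5961(1000, 900, 16384))
```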

DNS Attacks

DNS Cache Poisoning (an old story)


Late and duplicated replies can be ignored.

Countermeasures to DNS Poisoning

DNS servers use a TTL on their cache. The TTL is 1 hour in most cases. Attackers can send a few replies before the real domain answers. Thus, the attacker can only send in a couple of attacks once per hour, which makes it difficult to guess the right sequence number in a short time period. Attackers can try to block the real replies through MITM or DoS, which may or may not be difficult depending on the real network configuration and security setup of the system. New DNS attacks discovered by Dan Kaminsky: http://www.defcon.org/html/links/dc-archives/dc-16-archive.html#Ka

DoS Attacks

DoS Categories

Stopping Local Services

35a!"#es o1 sto""ing #oca# se /ices

In Uni50 an attacke with oot " i/i#eges &o 0 /ia bu11e o/e 1#ow attack- !ay shut down the JinetdK " ocess Attacke s who ha/e accounts on a syste! can un #oca# " og a!s and su""#y in"ut di ect#y into " ocesses on the !achine th ough the #oca# account$ &e$g$0 e!"#oyee o cont acto o th ough so!e o1 the gaining access !ethods0 such as "asswo d attack0 session hijacking-

Stopping Local Services

Process killing: An attacker with sufficient privileges can simply kill local processes in a DoS attack, such as a Web or DNS server.
System reconfiguration: Attackers with sufficient privileges can reconfigure a system so that it doesn't offer the service anymore, or filters specific users from the machine.
Process crashing: The attackers may not have super-user privileges, but they may be able to crash processes by exploiting vulnerabilities in the system (e.g., buffer overflow; stack buffer overflow example: http://nsfsecurity.pr.erau.edu/bom/Stacks.html).

Logic Bomb

The attacker plants a logic bomb program on a machine, which can be triggered based on a number of factors:

Elapsed time
The activation of certain other programs
The logging in of specific users
etc.

Once the logic bomb trigger is activated, the program will stop or crash a local process – terrorists' purposes.

Defenses from Locally Stopping Services

Make sure the systems are patched – in a timely manner to prevent outside attackers.
Make sure to carefully dole out privileges to users on your system – Principle of Least Privilege.
Quickly detect changes to the configuration of the system – use tripwire (http://www.tripwire.com/).

Locally Exhausting Resources

When attackers gain super-user privileges:

Filling up the process table: write a program that simply forks another process to run a copy of itself.
Filling up the file system: continuously write an enormous amount of data to the file system.

Sending outbound traffic that fills up the communications link.

Defenses from Locally Exhausting Resources


Apply the Principle of Least Privilege.
Make sure that your sensitive systems have adequate resources, such as memory, processor speed and communication link bandwidth.
Use host-based Intrusion Detection Systems or other system monitoring tools that can warn you when your system resources are getting low, possibly indicating this type of resource exhaustion attack.

Remotely Stopping Services

Attackers exploit an error in the TCP/IP stack of the target machine by sending one or more unusually formatted packets. If the target machine is vulnerable to the particular malformed packet, it will crash, possibly shutting down a specific process, all network communication, or even causing the target's operating system to halt.

Other tools

Targa – more powerful suites of malformed packet attack tools (http://packetstorm.security.com/DoS/).
Dsniff (ARP spoof): the attacker must be on the same LAN as the server or victim (routers would not forward ARP messages).

Defenses from Remotely Stopping Services

Vendors need to frequently release patches to their TCP/IP stacks to fix problems.
Anti-spoof filters – guard against IP spoofing, such as Land.
Create static ARP tables on sensitive networks to prevent ARP spoofing.

Remotely Exhausting Resources - SYN Flood

35"#oit TCP th ee way handshake

To e!e!be the initia# se%uence nu!be 1 o! the sou ce0 the TCPGIP stack on the destination !achine wi## a##ocate a s!a## "iece o1 !e!o y on its connection %ueue0 to t ack the status o1 this new ha#12o"en connection$ A SON 1#ood attack atte!"ts to unde !ine this !echanis! by sending a #a ge nu!be o1 SON "ackets to the ta get syste!$ ;hen the ta get ecei/es !o e SON "ackets than it can hand#e0 othe #egiti!ate t a11ic wi## not be ab#e to each the /icti!$ &two ways to e5haust the co!!unications esou ce o1 the ta get-


SYN Flood Defenses

SYN Cookies: focus on eliminating the connection queue as a bottleneck.

Alice -> Bob: SYN (A, ISNA)
Bob -> Alice: SYN (B, ISNB), ACK (A, ISNA)
Alice -> Bob: ACK (B, ISNB)

ISNB is a function of the source IP address, destination IP address, port numbers, time, and a secret seed. Bob does not remember ISNB, or store any information about the half-open connection in the queue.

When the ACK (B, ISNB) arrives, Bob applies the same function to the ACK packet to check if the value of ISNB is legitimate. If this is a valid ISNB, the connection is established. Eve sends spoofed SYNs from A, but Bob will never store information in the connection queue for these SYNs; instead, Bob sends SYN-ACKs with SYN cookies.

SYN Cookie
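As an added example (not from the slides) serving both the TCP SYN cookie layout in the TCP section (5 bits of t mod 32, 3 bits of MSS index, 24 bits of keyed hash over the 4-tuple and t) and the Alice/Bob exchange here, this is a stateless cookie mint-and-check in that layout. The server keeps only a secret key; validation recomputes the hash from the returning ACK and also accepts the previous 64-second period so a slow client is not rejected. The key, addresses and MSS table are constructed sample values, and HMAC-SHA256 truncated to 24 bits stands in for the slide's HMAC.

```python
# Stateless SYN cookie in the slides' 5/3/24-bit layout (added example, not from the slides).
import hashlib
import hmac
import ipaddress

MSS_TABLE = [536, 1220, 1300, 1440, 1460, 4312, 8960, 65495]  # 8 settings -> 3 bits
SECRET = b"constructed-server-secret"   # sample only; a real server rotates this
COOKIE_PERIOD = 64                      # t advances every 64 seconds


def _hash24(t, sip, sport, dip, dport, key=SECRET):
    """24-bit keyed hash over (t, 4-tuple): the part of the cookie that is hard to forge."""
    msg = (t.to_bytes(4, "big") + ipaddress.ip_address(sip).packed
           + sport.to_bytes(2, "big") + ipaddress.ip_address(dip).packed
           + dport.to_bytes(2, "big"))
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(now, client_mss, sip, sport, dip, dport):
    """Server's ISN for the SYN-ACK. No state about the half-open connection is kept."""
    t = int(now // COOKIE_PERIOD)
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= client_mss]
    mss_idx = fits[-1] if fits else 0           # largest table MSS the client allows
    return ((t % 32) << 27) | (mss_idx << 24) | _hash24(t, sip, sport, dip, dport)


def check_cookie(now, ack_num, sip, sport, dip, dport, max_age_periods=1):
    """Called when an ACK arrives for a socket with no state. Returns the MSS to use
    for the new connection, or None if the ACK carries no cookie this server minted
    within the last max_age_periods + 1 periods."""
    cookie = (ack_num - 1) % (1 << 32)          # the client acknowledges ISN + 1
    t_bits = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    h = cookie & 0xFFFFFF
    t_now = int(now // COOKIE_PERIOD)
    for age in range(max_age_periods + 1):      # current period, then the previous one(s)
        t = t_now - age
        if t % 32 == t_bits and _hash24(t, sip, sport, dip, dport) == h:
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    isn = make_cookie(1000, 1460, "192.168.1.100", 40000, "192.168.1.250", 80)
    print(hex(isn), check_cookie(1010, isn + 1, "192.168.1.100", 40000, "192.168.1.250", 80))
```

A spoofed SYN costs the server nothing but this computation; only an ACK that returns a valid cookie for the same 4-tuple, within the age limit, causes a buffer to be allocated.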

Smurf Attacks - Directed Broadcast Attack


Spoof the source IP address. Send a ping to a network broadcast address. The victim (with the original source IP address) will receive multiple ICMP responses.

[Figure: Eve sends a broadcast ping spoofed from w.x.y.z to the Smurf amplifier network; the responses go to w.x.y.z.]

Smurf-Attack Defenses

Have adequate bandwidth and redundant paths.
Filter ICMP messages at your border router.
Test your network to make sure no one uses your network to deploy a smurf attack (disable directed broadcast packets at your border router or firewall).
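As an added example (not from the slides) covering the Smurf slides in the ICMP section and here, this detector looks at an ICMP packet log for both sides of a directed-broadcast attack: echo requests aimed at one of your subnets' broadcast addresses (what the border router should be dropping), and a burst of echo replies from many hosts converging on a single destination (the amplified flood as seen near the victim). The log records, networks and thresholds are constructed sample values.

```python
# Smurf / directed-broadcast detector over an ICMP log (added example, not from the slides).
import ipaddress
from collections import defaultdict

LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/24")]
REPLY_SOURCES_THRESHOLD = 3     # distinct repliers to one destination within the window
WINDOW_SECONDS = 2

# Constructed sample log: (timestamp, src, dst, icmp_type); 8 = echo request, 0 = echo reply.
SAMPLE_LOG = [
    (0.0, "203.0.113.7", "192.168.1.255", 8),   # spoofed source, directed broadcast
    (0.1, "192.168.1.10", "203.0.113.7", 0),    # amplifier hosts answer the "victim"
    (0.1, "192.168.1.11", "203.0.113.7", 0),
    (0.2, "192.168.1.12", "203.0.113.7", 0),
    (0.2, "192.168.1.13", "203.0.113.7", 0),
    (5.0, "192.168.1.20", "192.168.1.1", 8),    # ordinary unicast ping
    (5.0, "192.168.1.1", "192.168.1.20", 0),
]


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of our subnets."""
    ip = ipaddress.ip_address(dst)
    return any(ip == net.broadcast_address for net in LOCAL_NETS)


def detect_smurf(log=SAMPLE_LOG):
    """Return findings as tuples; one finding per broadcast echo request and one
    when the number of distinct repliers to a destination first reaches the threshold."""
    findings = []
    repliers = defaultdict(list)        # destination -> [(ts, src)] within the window
    for ts, src, dst, itype in log:
        if itype == 8 and is_directed_broadcast(dst):
            findings.append(("directed-broadcast echo request", src, dst))
        elif itype == 0:
            recent = [(t, s) for t, s in repliers[dst] if ts - t <= WINDOW_SECONDS]
            recent.append((ts, src))
            repliers[dst] = recent
            distinct = {s for _, s in recent}
            if len(distinct) == REPLY_SOURCES_THRESHOLD:
                findings.append(("amplified reply burst toward", dst, len(distinct)))
    return findings


if __name__ == "__main__":
    for f in detect_smurf():
        print(f)
```

The same logic applies to the UDP Fraggle variant by keying on echo-service replies instead of ICMP type 0.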

Distributed Denial-of-Service (DDoS) Attacks


Take over a large number of victim machines (often referred to as "zombies"). The attacker uses one or more client machines to tell all of the zombies to simultaneously execute a command, usually to conduct a DoS attack against the target. The client communicates with the zombies, but the attacker usually accesses the client from a separate system. A powerful DDoS tool: TFN2K.

Targa, UDP flood, SYN flood, ICMP flood, Smurf attack, etc.


Bot Nets (more than just DoS)

A botnet is a collection of compromised computers, bots, also known as zombies, under the control of a single entity, usually through the mechanism of a single command and control server (a botnet controller). Any computer connected to the Internet, preferably with a broadband connection, is a desirable base of computing power to be used as a bot. Bots are almost always compromised Windows machines; botnet controllers are almost always compromised Unix machines running ircd (Internet Relay Chat daemon). Common bot software: Korgobot, SpyBot, Optix Pro, rBot, SDBot, Agobot, Phatbot. Most spam is sent from bots (70% according to MessageLabs, October 2004). Most worms and viruses today are being used to put bot software on end-user computers. Most denial of service attacks originate from bots. Bots can be used as proxies for almost any kind of malicious activity on the Internet (DoS, ID theft, phishing, keylogging, spam, etc.).

Scanning for recruits

[Figure: botnet scanning activity – black: C&C, red: scan info. Copyright Marchany 2005.]

Distributed Denial-of-Service Defenses

Keeping zombies off of your systems and defending against a DDoS flood:

Keep your systems patched and up to date.
Employ egress anti-spoof filters on your external router.
Use tools to find DDoS attacks, such as "Find DDoS" by NIPC (National Infrastructure Protection Center).

Is increasing the bandwidth a good solution? – NO.

Quick response to DDoS: inform your ISP to block the DDoS where it enters the network.
