1 General Definitions
The following definitions and terms will be used throughout this document:
DoS Attack: refers to all Denial of Service related attacks, including DoS, DDoS and DRDoS attacks (unless specified otherwise).
Victim: the target network, host or hosts of a DoS Attack.
Attacker: the initiator of the attack.
Intermediary: innocent hosts or networks exploited for the attack.
2 Attack classification
DoS attacks exploit the asymmetric nature of certain types of network traffic. One attack method seeks to make the target spend more resources processing the traffic than the attacker spends sending it. Another method is to control multiple attacking hosts so that their combined traffic overwhelms the target. A third relies on a flaw in the target's software. DoS attacks can therefore be classified into three categories: bandwidth/throughput attacks, protocol attacks and software vulnerability attacks.
2.1.5 Naptha
Naptha is a name used to describe a set of network DoS vulnerabilities. Naptha attacks exploit weaknesses in the way some TCP stacks and applications handle large numbers of connections in states other than SYN RECVD, including ESTABLISHED and FIN WAIT-1. By creating a suitably large number of TCP connections and leaving them in those states, an individual application or the operating system itself can be starved of resources to the point of failure. In the past, attacks that exploited TCP connections in this manner were not implemented because they would typically exhaust the attacker's resources as well: a conventional TCP stack keeps state for every connection it opens, so the attacker pays the same per-connection cost as the victim. The innovation of the Naptha attack is that the attacker's side keeps no per-connection state, so a DoS can be created on the target with little resource consumption on the part of the attacker. 78
The attack tool has two parts. The first sends a sequence of SYN packets to the victim from all possible source ports of a forged IP address. This looks like a SYN flood, but more happens. The second part runs on the LAN where the forged IP address would reside if it were a real host. It first makes sure that the router has an entry for this phantom host in its ARP table, so that the victim's replies to the forged address are delivered onto the LAN where the tool can see them. It then listens for packets from the victim to the phantom host and responds with packets carrying the appropriate flags and sequence numbers, all derived from the packet just received rather than from stored connection state. Typically, it listens for SYN/ACK packets and replies with an ACK, which completes the handshake and moves the victim's side of the connection to ESTABLISHED. It could also set the FIN flag and leave the connection waiting in the FIN-WAIT-1 state. To keep connections alive longer, it can listen for regular data packets or keepalive packets and send an ACK in reply. This phantom nature makes the attack hard to track down and eliminate, as it is almost impossible to discriminate between a bogus connection and a valid one.7
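The exchange described above, simulated with both sides modelled, as an added example that is not part of the original document or of the Naptha tool. The victim is a simplified listening TCP endpoint with a bounded connection table and keepalive probing; the attacker's phantom side is a pure function of the segment it receives and so holds no per-connection state. The packet layout, the table size, the probe limit and the addresses (RFC 5737 test ranges) are all constructed for this example, and the ARP step from the text is not modelled.

```python
"""Naptha exchange simulation (added example, not code from the original page).
Victim: bounded connection table plus keepalive probes. Phantom: stateless.
Packet format, limits and addresses are constructed for illustration."""
from dataclasses import dataclass
import random

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: frozenset


def seg(src, sport, dst, dport, seq, ack, *flags):
    """Build a segment with sequence numbers wrapped to 32 bits."""
    return Packet(src, sport, dst, dport, seq & MASK, ack & MASK, frozenset(flags))


class VictimStack:
    """Listening endpoint: one table entry per peer, SYNs dropped when full."""

    def __init__(self, ip, port, max_conns, keepalive_probes=3):
        self.ip, self.port, self.max_conns = ip, port, max_conns
        self.keepalive_probes = keepalive_probes
        self.rng = random.Random(0)  # deterministic ISNs for the example
        self.conns = {}   # (peer_ip, peer_port) -> state, snd_nxt, rcv_nxt, unanswered
        self.refused = 0  # SYNs dropped because the table was full

    def receive(self, pkt):
        """Process one inbound segment; return the reply segment or None."""
        key = (pkt.src, pkt.sport)
        if pkt.flags == frozenset({"SYN"}):
            if key in self.conns or len(self.conns) >= self.max_conns:
                self.refused += 1
                return None
            isn = self.rng.randrange(1 << 32)
            self.conns[key] = {"state": "SYN_RECVD", "snd_nxt": (isn + 1) & MASK,
                               "rcv_nxt": (pkt.seq + 1) & MASK, "unanswered": 0}
            return seg(self.ip, self.port, pkt.src, pkt.sport, isn, pkt.seq + 1, "SYN", "ACK")
        c = self.conns.get(key)
        if c is None or pkt.flags != frozenset({"ACK"}):
            return None
        if pkt.seq != c["rcv_nxt"] or pkt.ack != c["snd_nxt"]:
            return None  # wrong sequence/ack numbers (blind forgery): ignore
        if c["state"] == "SYN_RECVD":
            c["state"] = "ESTABLISHED"  # third handshake packet accepted
        c["unanswered"] = 0             # a valid ACK also answers a keepalive
        return None

    def keepalive_round(self):
        """Probe every ESTABLISHED peer; reap those past the unanswered limit."""
        probes = []
        for key, c in list(self.conns.items()):
            if c["state"] != "ESTABLISHED":
                continue
            c["unanswered"] += 1
            if c["unanswered"] > self.keepalive_probes:
                del self.conns[key]  # peer silent: free the table entry
                continue
            # RFC 1122 style probe: sequence number one behind snd_nxt, no data
            probes.append(seg(self.ip, self.port, key[0], key[1],
                              c["snd_nxt"] - 1, c["rcv_nxt"], "ACK"))
        return probes


def phantom_reply(pkt):
    """Attacker side: every reply field comes from the segment just received,
    so thousands of victim connections cost the attacker no stored state."""
    if pkt.flags == frozenset({"SYN", "ACK"}):
        # Complete the handshake: their ack becomes our seq, their ISN+1 our ack.
        return seg(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.ack, pkt.seq + 1, "ACK")
    if pkt.flags == frozenset({"ACK"}):
        # Keepalive probe carries seq = snd_nxt-1, so seq+1 is what they expect acked.
        return seg(pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.ack, pkt.seq + 1, "ACK")
    return None


def run_naptha(n_conns, table_size, answer_keepalives=True, rounds=5):
    """Fill the victim's table from one forged address, run keepalive rounds,
    then check whether a legitimate client can still connect."""
    victim = VictimStack("192.0.2.10", 80, table_size)
    phantom_ip = "198.51.100.77"  # forged source; no real host exists there
    for sport in range(1024, 1024 + n_conns):
        syn = seg(phantom_ip, sport, victim.ip, victim.port, sport * 7919, 0, "SYN")
        synack = victim.receive(syn)
        if synack is not None:
            victim.receive(phantom_reply(synack))
    for _ in range(rounds):
        for probe in victim.keepalive_round():
            if answer_keepalives:
                victim.receive(phantom_reply(probe))
    legit = seg("203.0.113.5", 40000, victim.ip, victim.port, 12345, 0, "SYN")
    accepted = victim.receive(legit) is not None
    established = sum(1 for c in victim.conns.values() if c["state"] == "ESTABLISHED")
    return {"established": established, "refused": victim.refused,
            "legit_accepted": accepted}
```

Running `run_naptha(1000, 1000)` holds all 1000 entries in ESTABLISHED through every keepalive round and the legitimate SYN is refused; `run_naptha(1000, 1000, answer_keepalives=False)` shows the contrast the text draws, since a responder that does not answer probes loses its connections once the probe limit is exceeded and the table frees up again. The asymmetry is visible in the code itself: the victim keeps a dictionary entry per connection, while `phantom_reply` stores nothing between calls.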