-14th of November 2009
This piece of text will summarize some DoS attacks. There propably new invented all the time, so this is not an attempt of a full complete list.
Denial of Service Attacks(DoS) are defined easily by the following three lines:
1. Extensive overuse and abuse of resources that leads to downtime and instabillity of services.
2. Physical attacks on infrastructure.
3. Change or destruction of system configuration.
Aditionally, other dangers have always been rootkits, phishing, trojans, viruses, and other malware. These can ultimately end in a DoS attack. General
precoutions against DoS or DDoS attacks are installing IDS/IPS systems, make agreements with ISP's for further protection, keep an eye on vulnerabilities,
and keep you system patched and up to date.
*SYN attack: This attack occurs when the attacker floods the victim with TCP SYN packets(the first step in a three way handshake). This opens a TCP session, the victim
replies with a TCP SYN-ACK reply, but gets no reply from the initiator. The source address of the TCP SYN packets are often spoofed, and that is why
the host that receives the TCP SYN-ACK reply does not recognize the session and ignores it. There might not even be a valid source
address in the TCP SYN packet, resulting in the TCP SYN-ACK packet to be dropped somewhere in the network.
When the victim receives a flood if TCP SYN requests, this can result in a buffer overflow. The memory used to store initiated TCP sessions
is overrun before the sessions time out. This results in the victim not being able to answer more TCP request, and therefore
seems unresponsive to other clients. This attack can be prevented in several ways, including shortening timeout intervals for TCP sessions,
incresing the TCP buffer, setting up a firewall to recognize TCP SYN attacks, and installing Intrusion Detection / Intrusion Prevention Systems(IDS/IPS).
*Ping of death: Fragmented ICMP ping packets are sent to the victim, bypassing MTU, overriding the 65 535 byte limit of a ICMP packetand when the fragments are reassembled. This causes a buffer overflow that can result in DoS or other unforseen behaviour.
This attack can be prevented by properly configured firewalls.
*Teardrop: Fragmented IP packets are sent to the victim. As the firewall only checks the first packet in the fragmented
seqence, the following packets will overwrite the destination information and maybe also the source address information. This results in a
completely different receiver of the packet, and maybe also a different source address then the firewall first thought. And thus
bypassing the firewall completely.
*Smurf Attack: This is a broadcast of ICMP packets with a spoofed source address. The receiver of the ICMP broadcast packets and also the source address receiving the replies will be under a DoS attack through flooding and excessive resource usage.
Prevention against Smurf attacks include blocking of ICMP broadcasts in a firewall.
*Fraggle Attack: The same as the Smurf Attack, but then with UDP brodcasts and not ICMP broadcasts. Prevention of UDP broadcast attacks, include blocking of UDP broadcasts in a firewall. Much the same as the Smurf Attack.
*Spoofing: Setting a fake source address on a transmitted package.
*Session Hijacking: Take over one side of a communicating session, or both sides.
Session-Hijacking can be done through listening to the communication between two parties and steal the session by
answering a part of the communication with the correct session ID. This results in the host answering to the hijacker,
and dropping the correct client. The correct client will perseve the incident as just a lost connection to the host. Since the
client no longer has the correct session ID(it is incremented in the session), the client can not rejoin the communication automatically.
If the client wants the session back, he would have to hijack it back. Another way to get the session ID, would be to brute force for a session ID(more likely to be detected).
*Land.c : The victim receives a packet with the same source address as destination address. The victim will then try to reply to itself, resulting in a loop. This attack can easily be prevented by blocking all packets that have the same source address as destination address.
*Christmastree packets: The victim receives a TCP packet with all the flags set. The response is analyzed for further attacks. Can be prevented by properly configuring firewalls.
*Buffer Overflow: Excessive overrun and flooding of a victims resources, resulting in DoS(Denial Of Service).
*Factory standardized configuration of equipment: Can lead to unauthorized access, resulting in a security breach and possibly DoS.
*E-mail bombs. Excessive sending of e-mail, often as a result of a trojan or a virus. Consequences are DoS of mail or network services.
Source: Høgskolen i Sør-Trøndelag
Tagged as: Network
|Local Network Security Actions|
-16th of September 2009
1. Make sure the packages leaving your network to the internet are leaving with the same source address as the network it is leaving from. Implement a blocking of all suspicous packages with phony source addresses, to help protect the outside world from possibly owned/infected or taken over computer systems on your network.
2. Block incomming packages from the internet that are addressed to broadcast addresses on the internal network. There is no reason why external clients or devices should be allowed to broadcast on your internal network.
3. Turn off the Direct Broadcast capability of your internet router, unless it is absolutely essential. This will hinder potential attackers from the outside to broadcast various types of attacks into your network. See for instance the blog on DoS attacks for some examples.
4. Block all packages arriving from the internet that have source addresses that are within the non-routable spectre defined by RFC1918. These are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. These addresses are set by RFC1918 to be private and non-routable on the internet. Routers on the internet will drop these by default. If you receive packages from the internet with source addresses in these address spaces, it should be seen as suspicious activity.
Source: Computer Security Handbook, 5th Edition. ISBN: 978-0-470-32722-7
Tagged as: Network