Denial-of-Service Attack

The goal of a denial-of-service, or DoS, attack is to deny access to authorized users making the network unavailable (remember the three underlying security principles, confidentiality, integrity, and availability). A distributed denial-of-service, or DDoS, attack uses many zombies, or soldier attackers, to overwhelm a target. See Figure 10-1. To prevent DoS and DDoS attacks, ensure patches and upgrades are current, change time-out period for TCP connections, distribute the workload across server systems, and block external ICMP packets at the border. Recall that command line commands such as ping use ICMP packets.

Three-Way Handshake

You should have a basic understanding of the three-way handshake that the TCP/IP protocol uses to establish a connection. First, System 1 sends a SYN packet to System 2 indicating a desire to communicate with the system. Then, System 2 responds to System 1 by sending back the SYN packet combined with an ACK packet to indicate its willingness to accept communications. Once System 1 receives the SYN/ACK packet, it responds with an ACK packet, and communications are then established between the systems. Please see Figure 10-2.

SYN Flood Attack

See Figure 10-3 for an example.

Ping of Death (POD)

A Ping-of-Death attack is an example of a DoS attack which targets a specific protocol or operating system. The attacker sends an Internet Control Message Protocol (ICMP) ping packet equal to or greater than 64KB. This type of packet should not occur naturally. Some systems cannot handle the packet and will hang or crash.

Trapdoors and Backdoors

Originally, backdoors referred to efforts by software developers to ensure access to a program that bypassed the normal access methods. Over time, this practice has come to be known as creating a trapdoor into a program. One problem with a trapdoor is that since it is hard-coded into the program, it can be very difficult, if not impossible, to remove. A benefit to software developers and system administrators in using a trapdoor is that it ensures access to a program even if the normal access methods fail. However, this benefit is now a vulnerability. The trapdoor offers full access into the system where an attacker could cause serious harm.

More recently, a backdoor has come to refer to the programs or code introduced by an attacker that has compromised a system. A few common backdoor programs are Netbus and Back Orifice which both allow remote access to unauthorized system users. The purpose of the backdoor is to grant the attacker future access to the system even if the original vulnerability used to attack the system has been fixed. Usually, backdoors are installed on systems by unauthorized users or attackers. However, they can also be installed by authorized users who inadvertently run a Trojan horse program on their machine which then installs the backdoor.

Similar to the backdoor, another method employed by attackers is to install a rootkit on a system that ensures continued root access for the attacker.

Null Sessions

A null session is a connection to a Windows inter-process communication share (IPC$). A vulnerability exists in Microsoft Windows systems prior to the XP and Server 2003 versions of the operating system. The Server Message Block (SMB) system allows users to establish a null session. A wide range of tools and malware use this vulnerability to achieve their aim.

One way to defend against the creation of null sessions is to upgrade the systems to Windows XP, Server 2003, or newer version. You can also limit TCP ports 139 and 445 to only allow trusted user access.

Sniffing

Sniffing occurs when an attacker examines all network traffic as it passes their NIC independent of whether or not the traffic is addressed to them or not. Network sniffing can be accomplished with a software application, hardware device, or a combination of the two. Sniffing can be used to view all network traffic, or it can target a specific protocol, service, or even string of characters such as a log-in or password. Some network sniffers are designed not just to observe all traffic but to modify some or all of the traffic as well. Network administrators may also use sniffers to analyze network traffic, identify bandwidth issues, and troubleshoot other network issues. Physical security is important in preventing the introduction of sniffers on the internal network.

IP Address Spoofing

In a specific DoS attack known as a smurf attack, the attacker sends a spoofed packet to the broadcast address for a network, which distributes the packet to all systems on that network. In the smurf attack, the packet sent by the attacker to the broadcast address is an echo request with the From address forged so that it appears that another system (the target system) has made the echo request.

The normal response of a system to an echo request is an echo reply, and it is used in the ping utility to let a user know whether a remote system is reachable and is responding. Should the attacker send several of these spoofed requests, or send them to several different networks, the target can quickly become overwhelmed with the volume of echo replies it receives. See Figure 10-4.

Spoofing and Trusted Relationships

Spoofing can also take advantage of a trusted relationship between two systems.

If two systems are configured to accept the authentication accomplished by each other, an individual logged onto one system might not be forced to go through an authentication process again to access the other system. An attacker can take advantage of this arrangement by sending a packet to one system that appears to have come from a trusted system. Since the trusted relationship is in place, the targeted system may perform the requested task without authentication.

Since a reply will often be sent once a packet is received, the system that is being impersonated could interfere with the attack, since it would receive an acknowledgement for a request it never made. The attacker will often initially launch a disk operating system (DoS) attack (such as a SYN flooding attack) to temporarily take out the spoofed system for the period of time that the attacker is exploiting the trusted relationship.

Once the attack is completed, the DoS attack on the spoofed system would be terminated, and the system administrator might never notice that the attack occurred. See Figure 10-5.

Firewalls should also be configured to discard any packets from outside of the firewall that have From addresses indicating they originated from inside the network. This is a situation that should not occur normally, and it indicates spoofing is being attempted.

Spoofing and Sequence Numbers

In the transmission control protocol (TCP) three-way handshake, two sets of sequence numbers are created. The first system chooses a sequence number to send with the original SYN packet. When the second host responds and sends its own SYN packet, it generates another sequence number.

The second host also sends an ACK packet in response to the first host’s SYN packet. The ACK packet includes the original sequence number incremented by 1. The original host system receives the SYN/ACK with both sequence numbers and then increments the second host’s sequence number by one and passes it back in an ACK packet response.

Spoofing attacks from inside a network are typically easier than attacks from outside a network because an attacker can more easily observe the traffic inside the network and can do a better job of formulating the necessary packets. If the attacker is inside the network and can observe the traffic with which a target host responds, the attacker can easily see the sequence number the system creates and can respond with the correct sequence number. If the attacker is external to the network and the sequence number the target system generates is not observed, it is next to impossible for the attacker to provide the final ACK with the correct sequence number. See Figure 10-6.

Man-in-the-Middle Attack

When an attacker successfully inserts themselves between two other hosts’ communications by spoofing addresses, it is referred to as a man-in-the-middle attack. A man-in-the-middle attack is usually accomplished by manipulating a router to alter the path of the traffic. The traffic is sent to the attacker rather than the intended target and then relayed onto the target host. This enables the attacker to observe the traffic from each target host in route and may even allow the attacker to modify or block certain messages. Since all expected replies are received by the target hosts, it can appear to them that communications are occurring normally. If the data being intercepted from the target hosts is encrypted, the attacker may only be able to get a limited amount of information. Review Figure 10-7 for an illustration of a man-in-the-middle Attack as described in this section.

Replay Attack

A replay attack occurs when an attacker captures a portion of a communication between two hosts and then retransmits the captured message at a later time. Replay attacks are often used to circumvent authentication mechanisms. Systems can prevent falling victim to a replay attack by encrypting traffic, providing cryptographic authentication, and including a time stamp with each portion of the message. For illustration see Figure 10-8.

TCP/IP Hijacking

Transmission Control Protocol/Internet Protocol (TCP/IP) hijacking and session hijacking are terms used to refer to the process of taking control of an already existing session between a client and a server. The advantage to an attacker of hijacking over attempting to penetrate a computer system or network is that the attacker does not have to circumvent any authentication mechanisms.

To prevent the user from noticing anything unusual, the attacker may target the user’s system with a DoS attack, taking it down so that the user, and the system, will not notice the extra traffic that is taking place.

Hijack attacks generally are used against web and Telnet sessions. Refer to Figure 10-9 for an example of TCP/IP hijacking.

Drive-By Download Attack

A drive-by download attack is accomplished by initiating downloads of malware, whether a user clicks it or not. Drive-by downloads can initiate from a couple of different mechanisms. It is possible for an ad that is rotated into content on a reputable site to contain a drive-by download. Users do not have control over what ads are presented. A second, more common method is a website that the user gets to either by mistyping a URL or by following a search link without being sure of what they are clicking for. Review Figure 10-10 for an illustration.

Summary

It is important to be aware of the various types of potential threats that an attacker may launch against a network. In this chapter you learned about different types of network attacks and the use of assessment tools that can be applied to determine security threats and vulnerabilities to safeguard against attacks.