Chapter 12. Sniffers, Session Hijacking, and Denial of Service Attacks

This chapter focuses on three broad types of network attacks: sniffers, session hijacking, and denial of service (DoS) attacks. Each of these is a dangerous tool in the hands of a skilled attacker, so you must have a thorough understanding of each one.

The first discussion in this chapter is on the topic of sniffing, or observing communications on the network in either a passive or an active mode. With sniffing you can see what is being transmitted on the network unprotected and potentially intercept sensitive information to use against the network or system owner. Sniffers are designed to go after and compromise the confidentiality of data as it flows across the network, capturing this data, and putting it in the hands of an unauthorized party.

An extension or upgrade to sniffing is the session hijack, which is a more aggressive and powerful weapon in the hacker's arsenal. A session hijack involves taking over an existing authenticated session and using it to monitor or manipulate the traffic and potentially execute commands on a system remotely. In its most advanced stages, session hijacking directly affects and attacks the integrity of information in an organization. Attackers using this technique can modify information at will as they have the credentials of the victim and whatever they have access to.

Denial of service (DoS) is the third type of attack covered in this chapter. It generally involves one computer targeting another, seeking to shut it down and deny legitimate use of its services. A distributed denial of service attack (DDoS) involves hundreds or even thousands of systems seeking to shut down a targeted system or a network. Such large-scale attacks are typically accomplished with the aid of botnets—networks of infected systems conscripted to do hackers' dirty work for them.

Sniffers

A sniffer is a valuable piece of software or a dangerous piece of software, depending on who is using the application. Before getting into a discussion of sniffers, it is necessary to understand what the program actually does. The simple definition of sniffers is that they are an application or device that is designed to capture, or "sniff," network traffic as it moves across the network itself. In the context of this book, sniffers are a technology used to steal or observe information that you may not otherwise have access to. A sniffer can give an attacker access to a large amount of information, including e-mail passwords, Web passwords, File Transfer Protocol (FTP) credentials, e-mail contents, and transferred files.

Note

Like most technologies, sniffers are not inherently bad or evil—it all depends on the intent of the user of the technology. Sniffers in the hands of a network administrator can be used to diagnose network problems and uncover design problems in the network.

Sniffers rely on the inherent insecurity in networks and the protocols that are in use on them. Recall that the Transmission Control Protocol/Internet Protocol (TCP/IP) suite was designed for a more trusting time, and therefore the protocols do not offer much in the way of security. Several protocols lend themselves to easy sniffing:

  • Telnet—Keystrokes, including those that make up usernames and passwords, can be easily sniffed.

  • Hypertext Transfer Protocol (HTTP)—Designed to send information in the clear without any protection and, as such, a good target for sniffing.

  • Simple Mail Transfer Protocol (SMTP)—Commonly used in the transfer of e-mail; the protocol is simple and efficient, but it does not include any protection against sniffing.

  • Network News Transfer Protocol (NNTP)—All communication is sent in the clear, including passwords and data.

  • Post Office Protocol (POP)—Designed to retrieve e-mail from servers, but again does not include protection against sniffing, so passwords and usernames can be intercepted.

  • File Transfer Protocol (FTP)—A protocol designed to send and receive files; all transmissions are sent in the clear in this protocol.

  • Internet Message Access Protocol (IMAP)—Similar to SMTP in function and lack of protection.

Sniffers are a powerful part of the security professional's toolkit, offering the ability to peek into the traffic that is on the network and observe the communications that are taking place. How does a sniffer get this ability? Typically a computer system can see only the communications that are specifically addressed to it or sent from it, but a sniffer can see all communications, whether they are addressed to the listening station or not. This ability comes from switching the network card into promiscuous mode, in which the card passes up all traffic it receives and not just the traffic specifically addressed to it. Of course, the traffic that a station can see varies depending on the network design, as you can't sniff what you can't see.

There are two types of sniffing that can be used to observe traffic: passive and active. Passive sniffing takes place on networks that use a hub as the connectivity device. With a hub in place, all stations are on the same collision domain, so all traffic can be seen by all other stations. In networks with smarter or more advanced connectivity hardware, such as a switch, active sniffing is needed: a switch sends traffic only to the port where its destination resides, so a station on any other port has nothing to observe.

In the Open Systems Interconnection (OSI) reference model, the sniffer functions at the data link layer. This layer is low in the hierarchy of layers, so not much "intelligence" is present (meaning that little filtering or refinement of the data is occurring). A sniffer is able to capture any and all data that happens to pass by on the wire, which even includes data that would otherwise be hidden by activities occurring at higher layers.

Note

Understanding the OSI reference model is an essential skill, and you should make sure to spend time reviewing and understanding the model well.

Passive Sniffing

Passive sniffing works when the traffic you wish to observe and the station that will do the sniffing are in the same collision domain, which in practice means a device known as a hub is in use. This is the key feature that makes this setup work. Think of the way a hub functions: traffic that is sent to one port on a hub is automatically repeated to all ports on the hub. Because any station can transmit at any time, collisions can and do happen, which is why the stations sharing a hub are said to form a collision domain. When this type of situation exists, it is possible to listen in on traffic on the network quite easily because every station shares the same logical transmission area. What thwarts passive sniffing is a switch, which separates the network into multiple collision domains so that stations no longer transmit in the same logical area. Basically, passive sniffing is effective when the observer and the victim share a segment on which each can see the other's traffic.

The key to getting the most from passive sniffing is to plan carefully. Look for those locations on the network that will act as chokepoints for traffic, or those locations that the traffic that you are looking for will pass. Placing a sniffer on a collision domain different from the one that is to be observed will not yield the results that you desire, so placement must always be considered.

Some points to remember about passive sniffing:

  • Passive sniffing is difficult to detect because the attacker does not broadcast anything on the network as a practice.

  • Passive sniffing takes place and is effective when a hub is present.

  • Passive sniffing can be done very simply. It can be as simple as an attacker plugging into a network hub and loading a sniffer.

Active Sniffing

So what happens if a network is broken into different collision domains using switches? It would seem that in these situations the target is out of reach, but this problem can be overcome with active sniffing. Because a switch limits where traffic is delivered, a sniffer on a switched network can see only the traffic that is specifically addressed to its own system. Active sniffing is necessary to see the traffic that is not addressed to that system.

Active sniffing involves sniffing when a switch is present on the network. This technique is employed in environments where sniffing using passive methods would be ineffectual due to the presence of switches. Active sniffing requires the introduction of traffic onto the network and as such can be detected relatively easily.

In order to use active sniffing, an understanding of two techniques is necessary, both of which are used to get around the limitations that switches put in place. These techniques are known as media access control (MAC) flooding and Address Resolution Protocol (ARP) poisoning, both of which are valuable tools in your arsenal.

MAC Flooding

The first technique to bypass switches is MAC flooding: the ability to overwhelm the switch with traffic designed to cause it to fail. A closer look at this attack reveals how it succeeds in its task of causing the switch to fail. Switches contain some amount of memory (known as content addressable memory, or CAM) onboard that is used to build what is called a lookup table, which is then used to track which MAC addresses are present on which ports on the switch. This memory allows a lookup to be performed to let the switch get traffic to the correct port and host as intended. This lookup table is built by the switch during normal operation and resides in the CAM. The goal of MAC flooding is to exploit a design defect or oversight in some switches, which is that they have only a limited amount of memory. An attacker can flood this memory with information in the form of MAC addresses and fill it up quickly until it cannot hold any more information. In the event that this memory fills up, some switches will enter a fail-open state.

When a switch enters this fail-open state, the switch now becomes functionally a hub, and you are back to where you started with passive sniffing. By performing this attack on a switched network with a vulnerable switch, it is possible to attain a state where traffic that might not otherwise be sniffed now can be. Of course, you don't get something for nothing; in this case, the amount of traffic that is introduced on the network can make sniffing impossible, as well as send up a huge red flag to anyone or anything that may be watching for traffic anomalies.

MAC flooding involves overwhelming or flooding the switch with a high volume of requests. This technique overwhelms the memory on the switch used to map MAC addresses to ports. MAC flooding is performed by sending enough traffic through the switch that the memory and switch cannot keep up. Once CAM is overwhelmed, the switch acts like a hub.
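To make the fail-open behaviour concrete from the defender's side, here is an added example (not code from the chapter or from any tool it names) that models a switch with a small fixed-size CAM table and a monitor of the kind port security implements: it counts distinct source MACs per port and flags any port that exceeds a limit. The CAM capacity, port numbers, MAC addresses, eviction rule and the burst of random-source frames are constructed assumptions.

```python
"""CAM-table exhaustion model with a port-security style monitor.

Added example, not code from the chapter or from any tool it names.
Simplifications (assumptions): the CAM table has a fixed capacity and
evicts its oldest entry when full (real switches age entries on a timer),
and a frame to an unknown destination is flooded to every port except
the one it arrived on.
"""
import random
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    in_port: int
    src_mac: str
    dst_mac: str


class Switch:
    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = OrderedDict()  # src MAC -> port, oldest entry first

    def learn(self, mac, port):
        if mac in self.cam:
            self.cam.move_to_end(mac)
            self.cam[mac] = port
            return
        if len(self.cam) >= self.cam_capacity:
            # Table full: a legitimate host's entry is pushed out by bogus ones.
            self.cam.popitem(last=False)
        self.cam[mac] = port

    def forward(self, frame):
        """Return the set of ports the frame is sent out of."""
        self.learn(frame.src_mac, frame.in_port)
        out = self.cam.get(frame.dst_mac)
        if out is None:
            # Unknown destination: flood it, which is hub behaviour for this frame.
            return {p for p in self.ports if p != frame.in_port}
        return {out}


class PortSecurityMonitor:
    """Flags a port once it has sourced more distinct MACs than allowed."""

    def __init__(self, max_macs_per_port):
        self.max_macs = max_macs_per_port
        self.seen = {}          # port -> set of source MACs observed
        self.violations = set()

    def observe(self, frame):
        macs = self.seen.setdefault(frame.in_port, set())
        macs.add(frame.src_mac)
        if len(macs) > self.max_macs:
            self.violations.add(frame.in_port)  # a real switch would shut the port
        return frame.in_port in self.violations


def random_mac(rng):
    return "02:" + ":".join(f"{rng.randrange(256):02x}" for _ in range(5))


def simulate(cam_capacity=64, flood_frames=200, seed=1):
    """Victim on port 1, server on port 2, flooding host on port 3 (constructed)."""
    rng = random.Random(seed)
    victim_port, server_port, flood_port = 1, 2, 3
    victim_mac, server_mac = "00:00:00:00:00:01", "00:00:00:00:00:02"
    sw = Switch(ports=[1, 2, 3], cam_capacity=cam_capacity)
    mon = PortSecurityMonitor(max_macs_per_port=2)

    # Normal operation: the switch learns both hosts and delivers to one port.
    sw.forward(Frame(victim_port, victim_mac, server_mac))
    sw.forward(Frame(server_port, server_mac, victim_mac))
    before = sw.forward(Frame(server_port, server_mac, victim_mac))

    # Burst of frames with random source MACs from port 3.
    flagged = False
    for _ in range(flood_frames):
        f = Frame(flood_port, random_mac(rng), "ff:ff:ff:ff:ff:ff")
        flagged = mon.observe(f) or flagged
        sw.forward(f)

    # Same server-to-victim frame again: the victim's entry is gone, so it floods.
    after = sw.forward(Frame(server_port, server_mac, victim_mac))
    return {"before": before, "after": after, "port_flagged": flagged,
            "victim_entry_lost": victim_mac not in sw.cam}


if __name__ == "__main__":
    print(simulate())
```

The monitor implements the port security countermeasure listed later in this chapter: the flooding port is flagged after its third distinct source MAC, long before the table is full.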

To make this attack easy there are a diverse set of tools available for the security professional and hacker:

  • EtherFlood—This utility has the ability to clog a switch and network with Ethernet frames with bogus, randomized hardware addresses. By flooding the network with such frames, the net effect is what is expected with MAC flooding: a switch that fails over to hub behavior.

  • SMAC—A MAC spoofing utility that is designed to change the MAC address of a system to one that the attacker specifies.

    • In modern operating systems from Windows XP forward, and in most Linux variants, this utility is not even necessary because the MAC address can be changed in the graphical user interface (GUI) or at the command line using tools bundled with the operating system (OS) itself.

  • Macof—Designed to function like EtherFlood and overwhelm the network with bogus or false MAC addresses to cause the switch to fail to hub behavior.

  • Technitium MAC Address Changer—Designed to function much like SMAC, in that it can change the MAC address of a system to one the user desires instead.

Address Resolution Protocol (ARP) Poisoning

The other method of bypassing a switch to perform sniffing is via Address Resolution Protocol (ARP) poisoning. Here are some key points:

  • Address Resolution Protocol (ARP) is a protocol defined at the network layer that is used to resolve an IP address to a physical or MAC address.

  • In order to locate a physical address, the requesting host will broadcast an ARP request to the network.

  • The host that has the IP address that is sought after will return its corresponding physical address.

    Note

    If you are still unclear about the ARP process, refer to Chapter 2 and the discussion on ARP and the OSI reference model.

  • ARP resolves logical addresses to the physical address of an interface.

  • ARP packets can be spoofed or custom crafted to redirect traffic to another system such as the attacker's.

  • ARP poisoning can be used to intercept and redirect traffic between two systems on the network.

  • MAC flooding can clog and overwhelm a switch's CAM, forcing it into what is known as forwarding mode.


Figure 12-1. ARP poisoning in practice.

With knowledge of the ARP process in hand, it is easy to understand the mechanics of ARP poisoning, also called ARP spoofing. ARP poisoning works by sending out bogus ARP requests to any requesting device and the switch. The idea is to force traffic to a location other than the intended target and therefore sniff what is being sent and received. When the bogus requests are sent out, the devices that receive them, including the switch, store the mapping they carry. Other clients will then automatically send traffic to the new target, because they check their cache first, and the bogus entry is what they find there.

Figure 12-1 illustrates ARP poisoning in practice.

Here are the steps in the process:

  1. Attackers send out a broadcast stating that a given IP address (such as a router or gateway) maps to their own MAC address.

  2. A victim on the network initiates a communication that requires exiting the network or subnet.

  3. When the traffic is transmitted, the victim's ARP cache shows that the router's IP address maps to the attacker's MAC address, so traffic is forwarded to the attacker instead.

  4. To complete the sequence and avoid arousing suspicion, the attacker forwards traffic to the real destination (in this case, the router).
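The steps above can be turned into detection logic. The following added example (not code from the chapter) is a small ARP monitor that records the IP-to-MAC bindings it sees and raises an alert when a binding for a protected address such as the gateway changes, when a reply arrives that nobody asked for, when one MAC claims several IPs, or when a binding contradicts a configured static entry, the countermeasure described later in this chapter. The addresses and the four-message sample are constructed; a real deployment would parse these fields from captured ARP frames at a point where it can actually see them.

```python
"""ARP-cache poisoning monitor (added example, not from the chapter).

Each message is a dict standing in for the fields of a parsed ARP frame:
op (1 request, 2 reply), sender_ip, sender_mac, target_ip.
"""
from collections import defaultdict

REQUEST, REPLY = 1, 2  # ARP opcodes


class ArpMonitor:
    """Tracks IP-to-MAC bindings seen in ARP traffic and flags poisoning signs."""

    def __init__(self, static_entries=None, protected_ips=()):
        # Trusted bindings, the "static ARP entries" countermeasure.
        self.static = {ip: m.lower() for ip, m in (static_entries or {}).items()}
        self.protected = set(protected_ips)   # e.g. the default gateway
        self.cache = {}                       # ip -> mac, as observed on the wire
        self.ips_by_mac = defaultdict(set)    # mac -> set of ips it has claimed
        self.pending = set()                  # target ips with an open request
        self.alerts = []

    def observe(self, msg):
        ip, mac, op = msg["sender_ip"], msg["sender_mac"].lower(), msg["op"]
        found = []
        if op == REQUEST:
            self.pending.add(msg["target_ip"])
        elif op == REPLY:
            if ip in self.pending:
                self.pending.discard(ip)
            else:
                # Nobody asked who has this IP: a classic poisoning pattern.
                found.append(("unsolicited-reply", ip, mac))
        if ip in self.static and self.static[ip] != mac:
            found.append(("static-mismatch", ip, mac))
        old = self.cache.get(ip)
        if old is not None and old != mac:
            kind = "gateway-rebind" if ip in self.protected else "rebind"
            found.append((kind, ip, mac))
        self.cache[ip] = mac
        claimed = self.ips_by_mac[mac]
        before = len(claimed)
        claimed.add(ip)
        if len(claimed) > 1 and len(claimed) > before:
            # One interface answering for several hosts: the man in the middle.
            found.append(("mac-claims-multiple-ips", mac, tuple(sorted(claimed))))
        self.alerts.extend(found)
        return found


# Constructed sample, not a real capture: a normal request/reply for the
# gateway, then two unsolicited replies from a third interface that claims
# first the gateway's address and then the client's.
SAMPLE_ARP = [
    {"op": REQUEST, "sender_ip": "10.0.0.20", "sender_mac": "aa:aa:aa:aa:aa:20",
     "target_ip": "10.0.0.1"},
    {"op": REPLY, "sender_ip": "10.0.0.1", "sender_mac": "00:11:22:33:44:01",
     "target_ip": "10.0.0.20"},
    {"op": REPLY, "sender_ip": "10.0.0.1", "sender_mac": "0C:AF:FE:00:00:99",
     "target_ip": "10.0.0.20"},
    {"op": REPLY, "sender_ip": "10.0.0.20", "sender_mac": "0c:af:fe:00:00:99",
     "target_ip": "10.0.0.1"},
]


def run_sample():
    """Replay the constructed sample and return every alert raised."""
    mon = ArpMonitor(static_entries={"10.0.0.1": "00:11:22:33:44:01"},
                     protected_ips=["10.0.0.1"])
    for m in SAMPLE_ARP:
        mon.observe(m)
    return mon.alerts


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```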

Note

Not forwarding traffic on to the original destination would arouse suspicion that would tip off the network administrator to the attacker's presence.

Here are some points to remember about ARP poisoning:

  • Anyone can download malicious software used to run ARP spoofing attacks from the Internet.

  • Attackers can use bogus ARP messages to redirect traffic.

  • It is possible to run DoS attacks with this technique.

  • It can be used to intercept and read data.

  • It can be used to intercept credentials such as usernames and passwords.

  • It can be used to alter data in transmission.

  • It can be used to tap voice over IP (VoIP) phone calls.

Several utilities in your security professional toolbox are specifically designed to carry out ARP spoofing, no matter what your OS of choice may be. The following list details some of the options available to you:

  • Arpspoof—Designed to redirect traffic in the form of packets from a victim's system. Performs redirection by forging ARP replies. This utility is part of the popular Dsniff suite of utilities.

  • Cain—The "Swiss army knife" of tools; it can perform ARP poisoning, enumeration of Windows systems, sniffing, and password cracking.

  • Ettercap—An old but very capable protocol analyzer that can perform ARP poisoning, passive sniffing, protocol decoding, and packet capture.

  • Internal Revenue Service (IRS)—Not a port scanner; it is a "valid source IP address" scanner for a given service. Combines ARP poisoning and half-scan processes and attempts TCP connections to a specific victim.

  • ARPWorks—Utility for creating customized packets over the network that perform the ARP announce feature.

  • Nemesis—Can perform some ARP spoofing.

Sniffing Tools

Several very capable sniffing tools are available, including the popular ones in the following list:

  • Wireshark—One of the most widely known and used packet sniffers. Offers a tremendous number of features designed to assist in the dissection and analysis of traffic. Wireshark is the successor to the Ethereal packet sniffer.

  • Tcpdump—A well-known command line packet analyzer. Provides the ability to intercept and observe TCP/IP and other packets during transmission over the network.

  • Windump—A Windows port of the popular Linux packet sniffer Tcpdump, a command line tool that is great for displaying header information. Tcpdump is available at http://www.tcpdump.org.

  • Omnipeek—Manufactured by Wildpackets, Omnipeek is a commercial product that is the evolution of the product Etherpeek.

  • Dsniff—A suite of tools designed to perform sniffing with different protocols with the intent of intercepting and revealing passwords. Dsniff is designed for UNIX and Linux platforms and does not have a complete equivalent on the Windows platform.

  • Etherape—A Linux/UNIX tool that is designed to graphically display the connections incoming to and outgoing from a system.

  • MSN Sniffer—A sniffing utility specifically designed for sniffing traffic generated by the MSN Messenger application.

  • Netwitness Nextgen—A hardware-based sniffer, plus other features, designed to monitor and analyze all traffic on a network; a popular tool in use by the FBI and other law enforcement agencies.

What Can Be Sniffed?

With this powerful technique, an attacker can reveal a wealth of information that can be used against you as a defender, but this information does not have to be accessible to an attacker, because it takes just a little care to take the teeth from these attacks. In this section you will learn some of the techniques that can be used to limit or block the effects of sniffing.

Note

Not all traffic needs to be protected, and it may not even be feasible to do so. Remember that all extra countermeasures that are deployed are extra devices and processes to support and are extra overhead.

To defeat sniffing, a number of countermeasures can be employed, including the following:

  • Encryption—Protecting traffic from being sniffed can be as simple as making it undecipherable to those not having the key. Encrypting select data through the use of technologies such as IPSec, SSL, virtual private networks (VPNs), and other related techniques can be a simple but effective way of thwarting sniffing. The downside here is that encryption costs processor power and performance.

  • Static ARP entries—Configuring a device with the MAC addresses of the devices that may use it can block a number of attacks, but can be difficult to manage.

  • Port security—Switches have the ability to be programmed to allow only specific MAC addresses to send and receive data on each port.

When considering network security and thwarting the power of sniffing, you should consider which protective measures are appropriate and which are not. In the case of encryption, for example, not all traffic needs to be encrypted because not all network traffic is of a sensitive nature. Always consider the exact nature of the traffic, too. Remember, just because you can do something does not mean you should.

Session Hijacking

The next type of attack that can be used to alter and interrupt communications on a network is the technique known as session hijacking. Hijacking a session falls under the category of active attacks in that you must directly and somewhat aggressively interact with the network and the victims on it. Hijacking builds on the techniques discussed in the previous section on sniffing and raises the stakes by taking over the communication between two parties. Once attackers decide to undertake a session hijacking, they will be actively injecting packets into the network with the goal of disrupting and taking over an existing session on the network. Ultimately the session hijack will attempt to take over a session that is already authenticated to the resource to be attacked.

Here's a high-level view of what session hijacking looks like:

  1. Insert yourself between Party A and Party B.

  2. Monitor the flow of packets using sniffing techniques.

  3. Analyze and predict the sequence number of the packets.

  4. Sever the connection between the two parties.

  5. Seize control of the session.

  6. Perform packet injection into the network.

To summarize, session hijacking is the process of taking over an already established session between two parties. Some points to remember about session hijacking:

  • TCP session hijacking is in progress when an attacker seizes control of an existing TCP session between two systems.

  • Session hijacking takes place after the authentication process that occurs at the beginning of a session. Once this process has been undertaken, the session can be hijacked, and access to the authenticated resources can take place.

  • Session hijacking relies on a basic understanding of how messages and their associated packets flow over the Internet.

Session hijacking, much like sniffing, has two forms: active and passive. Each form of session hijacking has its advantages and disadvantages that make it an attractive option to the attacker. Let's compare and contrast the two to see what they offer an attacker.

  • Active session hijacking—Active attacks are effective and useful to the attacker because they allow the attacker to search for and take over a session at will. In active session hijacking, the attacker will search for and take over a session and then interact with the remaining party as if the attacker were the party that has been disconnected. The attacker assumes the role of the party he has displaced, in other words.

  • Passive session hijacking—Passive attacks are different in that the attacker locates and hijacks a session of interest, but does not interact with the remaining party. Instead, in passive session hijacking, attackers switch to an observation type mode where they record and analyze the traffic as it moves. Passive hijacking is functionally no different from sniffing.

Identifying an Active Session

Earlier, when sniffing was discussed, the process was that of observing traffic on the network. Session hijacking builds on this process and refines it. Session hijacking adds the goal of not only observing the traffic and sessions currently active on the network but also taking over one of these sessions that has authenticated access to the resource you want to interact with. For a session hijack to be successful, the attacker must locate and identify a suitable session for hijacking. It sounds like a simple process until factors such as different network segments, switches, and encryption come into play. If you factor in the very real issue of having to uncover sequence numbers on packets in order to properly take control of a session, the challenges mount significantly. But they are not insurmountable. Remember that while the challenges are not small, what is on the line is the ability to interact with and execute commands against authenticated resources.

Note

Session hijacking builds on the techniques and lessons learned in passive and active sniffing so you may want to review those lessons again if you are not completely clear on them. Session hijacking takes sniffing and moves these lessons to the next level where you move from listening to interacting, which is more aggressive by nature.

Consider some of the challenges standing in the way of successful session hijacking:

  • Sequence numbers—Every packet has a unique 32-bit number embedded into its header that identifies it and how it should be reassembled with its fellow packets to regenerate the original message.

  • Network segments—When the attacker and victims are on the same network segment or on a network that uses a hub, observing traffic works like basic sniffing. However, if the victim and the attacker are on two different network segments separated by a switch, it becomes more difficult to carry out an attack, and techniques akin to the active sniffing techniques are needed.

Take a look at the sequence number problem. Let's review the steps involved in session hijacking once again:

  1. Insert yourself between Party A and Party B.

  2. Monitor the flow of packets using sniffing techniques.

  3. Analyze and predict the sequence number of the packets.

  4. Sever the connection between the two parties.

  5. Seize control of the session.

  6. Perform packet injection into the network.

Note

In the past, some operating systems did allow for the methodical and mathematical creation of sequence numbers. This was possible because these operating systems implemented very predictable sets of sequence numbers. Most operating systems now avoid this by randomly generating sequence numbers as a security measure.

Look at Step 3—this step is easy on a network on which you can see both parties. On these types of networks you can sniff the traffic passively and read the sequence numbers off of the packets themselves. On a switched network, it becomes much more of an issue because you cannot see the other party(ies) so you must use techniques to guess the sequence number correctly (you can't just stumble in with whatever number you want). In this situation, you will send several packets to the victim or target in order to solicit a response with the sequence numbers on it.

Sequence numbers are a cornerstone of TCP that makes a number of features that you may take for granted possible. In TCP every piece or byte of data must have a sequence number assigned to it to track the data, assemble it with its fellow packets, and perform flow control. So where and when do the sequence numbers get assigned? During the three-way handshake, which is illustrated in Figure 12-2.


Figure 12-2. Three-way handshake.

Here are some points to bear in mind about sequence number prediction:

  • When a client transmits a SYN packet to a server the response will be a SYN-ACK. This SYN-ACK will be responded to with an ACK.

    • During this handshake, the starting sequence number will be assigned using a random method if the operating system supports this function.

  • If this sequence number is predictable, the attacker will initiate the connection to the server with a legitimate address and then open up a second connection from a forged address.
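As an added example (not code from the chapter), the following Python models the three-way handshake in Figure 12-2 with both endpoints in memory: it shows where each side's initial sequence number (ISN) is chosen, how the seq and ack fields advance, and that the receiving side delivers a data segment only when its sequence number is exactly the one it expects, which is why a randomly chosen ISN matters. It also includes a simple audit of whether a list of observed ISNs follows the constant-increment scheme mentioned in the Note above. The fixed ISN values, window size and payload used in the demonstration are constructed.

```python
"""TCP three-way handshake and sequence-number accounting (added example).

Nothing is sent on a network; both endpoints are simulated objects.
"""
import secrets
from dataclasses import dataclass
from typing import List, Optional

SEQ_MOD = 2 ** 32  # sequence numbers are 32-bit and wrap


@dataclass(frozen=True)
class Segment:
    flags: str          # "SYN", "SYN-ACK", "ACK" or "PSH-ACK"
    seq: int
    ack: Optional[int]  # None on the first SYN, which acknowledges nothing
    payload: bytes = b""


class Endpoint:
    def __init__(self, name, isn=None):
        self.name = name
        # Modern stacks choose the ISN randomly; a fixed value is for demonstration.
        self.isn = secrets.randbelow(SEQ_MOD) if isn is None else isn
        self.snd_nxt = self.isn   # next sequence number we will send
        self.rcv_nxt = None       # next sequence number we expect from the peer
        self.received = b""

    def syn(self):
        seg = Segment("SYN", self.snd_nxt, None)
        self.snd_nxt = (self.snd_nxt + 1) % SEQ_MOD  # SYN consumes one number
        return seg

    def syn_ack(self, syn):
        self.rcv_nxt = (syn.seq + 1) % SEQ_MOD
        seg = Segment("SYN-ACK", self.snd_nxt, self.rcv_nxt)
        self.snd_nxt = (self.snd_nxt + 1) % SEQ_MOD
        return seg

    def ack(self, synack):
        if synack.ack != self.snd_nxt:
            raise ValueError("peer acknowledged a sequence number we never sent")
        self.rcv_nxt = (synack.seq + 1) % SEQ_MOD
        return Segment("ACK", self.snd_nxt, self.rcv_nxt)

    def send_data(self, payload):
        seg = Segment("PSH-ACK", self.snd_nxt, self.rcv_nxt, payload)
        self.snd_nxt = (self.snd_nxt + len(payload)) % SEQ_MOD
        return seg

    def receive(self, seg):
        """Deliver a data segment only if it carries the sequence number expected."""
        if seg.seq != self.rcv_nxt:
            return False  # wrong or guessed sequence number: not delivered
        self.received += seg.payload
        self.rcv_nxt = (self.rcv_nxt + len(seg.payload)) % SEQ_MOD
        return True


def handshake(client, server) -> List[Segment]:
    syn = client.syn()
    synack = server.syn_ack(syn)
    ack = client.ack(synack)
    if ack.ack != server.snd_nxt:
        raise ValueError("handshake failed: final ACK does not match server ISN + 1")
    return [syn, synack, ack]


def isn_is_predictable(isns):
    """True if successive ISNs differ by a constant, the old 'methodical' scheme."""
    deltas = {(b - a) % SEQ_MOD for a, b in zip(isns, isns[1:])}
    return len(deltas) == 1


def demo(client_isn=None, server_isn=None):
    client, server = Endpoint("client", client_isn), Endpoint("server", server_isn)
    exchange = handshake(client, server)
    # Data after the handshake: accepted because seq == server.rcv_nxt.
    legit = client.send_data(b"GET /account\r\n")
    accepted = server.receive(legit)
    # A segment whose sequence number is not the expected one is dropped.
    guess = Segment("PSH-ACK", (legit.seq + 1) % SEQ_MOD, legit.ack, b"transfer\r\n")
    dropped = not server.receive(guess)
    return {"exchange": exchange, "accepted": accepted, "dropped": dropped,
            "server_received": server.received}


if __name__ == "__main__":
    for seg in demo(1000, 5000)["exchange"]:
        print(seg)
```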

Once an attacker has determined the correct sequence numbers, the next move is to inject packets into the network. Of course, this is easier said than done, and just injecting packets into the network is not useful in every case because a few details must be in place first. Consider the two extremes of the session: the beginning and the end. At the beginning of the session, the process of authentication takes place, and injecting packets into the network and taking over the session here would be worthless if done prior to the authentication process (after all, you want an authenticated session). On the other hand, injecting packets too late, such as when the session is getting torn down or closed, will mean that the session you want to hijack is no longer present.

Note

You must wait for authentication to take place prior to taking over a session because without doing so you don't have trust, and in this case the system you are trying to interact with has no knowledge of you.

With the proper sequence numbers predicted and known, the attack can move to the next phase, which is to unplug one of the parties, such as a server if one is present. The goal at this stage is to knock out or remove one of the parties from the communication in order to get them out of the way. The removal can be performed by any method the attacker chooses, from a simple DoS to sending a connection reset request to the victim.

Seizing Control of a Session

At this point, the attacker now has control of a session and can move toward carrying out dirty work, whatever it may be. The trick for the attacker is to keep the session maintained and active because as long as this connection is maintained and kept alive, the attacker has an authenticated connection to their intended target.

Session Hijacking Tools

In order to perform session hijacking you can use a number of different tools, each having its own advantages and disadvantages. Each of the tools on this list has seen widespread use by hackers and will offer you the ability to perform session hijacking quite easily. Each of these tools is essentially a packet sniffer with the enhanced capability needed to perform session hijacking.

  • Ettercap—An old-school tool that has the advantage of being multiplatform so you can learn how to use it on one platform and move those skills over easily to another platform such as Mac OS X. Ettercap possesses robust capabilities that enable it to perform its duties quite well. Included in this functionality is the ability to perform man-in-the-middle attacks, ARP spoofing, and session hijacking.

  • Hunt—This is a commonly used tool for performing session hijacking; in fact, it is the first one most hackers and security professionals are introduced to. This software has the ability to observe and hijack a session between two parties, and also has the ability to fire off TCP resets to shut down a victim system. This software package is designed to work on Ethernet-based networks and can work in both passive and active modes.

  • IP Watcher—This utility is a commercial-grade tool (read: you have to pay for it) that can perform session hijacking and monitor connections so you can choose the session you wish to take over.

  • T-Sight—Another commercial offering that can hijack TCP sessions on a network, much like IP Watcher.

  • Remote TCP Reset—Designed to find and reset an existing TCP connection.

Thwarting Session Hijacking Attacks

Session hijacking is dangerous. But you can limit its impact to a great degree through the proper application of your two best lines of defense: being proactive and looking for the signs of an attack. One of your tools for this is something you read about earlier: encryption. After all, it is hard for troublemakers to hijack a session if they can't see what is being transmitted. Other measures you can use include configuring routers to block spoofed traffic from outside the protected network. Additionally, you can use countermeasures such as an intrusion detection system (IDS) that can watch for suspicious activity and alert you to it, or even actively block this traffic automatically.

Denial of Service (DoS) Attacks

An older type of attack that still plagues the Internet and the computer systems attached to it is the DoS, which is a threat against one of the core tenets of security: availability. This makes sense when you consider that a DoS is designed to target a service or resource, and deny access to it by legitimate users. In this section, you will take a look at this simple form of hacking: what it can do as well as how it works.

A DoS functions by tying up valuable resources that could be used to service legitimate needs and users. In essence, a DoS functions like this: Imagine someone calling your cell phone over and over again; at some point they call often enough that no one else could call you nor could you call out. At that point you would become the victim of a DoS. Translate this scenario into the world of computer networks, and you have a situation where availability of a service is similarly threatened.

Note

DoS attacks are commonly used by those who fall in the category of script kiddies due to the relative simplicity of the attack. Don't be lulled into a false sense of security, however, as more advanced hackers have been known to use this attack as a last resort (as a way of shutting down a service that they were unable to get access to).

DoS attacks used to be used to annoy and irritate a victim, but over the past few years these attacks have evolved into something much more ominous: a means to extort money and commit other crimes. For example, a criminal may contact a victim and ask for protection money to prevent any unfortunate "accidents" from happening.

Note

The use of DoS to extort money has increased over the past few years as criminals have become more adept at using technology.

To summarize, the main points of a DoS action are to:

  • Deny the use of a system or service through the systematic overloading of its resources. An attacker is seeking a result in which the system becomes unstable, substantially slower, or overwhelmed to the point it cannot process any more requests.

  • Be carried out when an attacker fails at other attempts to access the system and simply decides to shut the system down in retaliation.

Categories of DoS Attacks

DoS attacks are not all the same. They can be broken down into three broad categories based on how they carry out their goal of denying the service to legitimate uses and users:

  • Consumption of bandwidth

  • Consumption of resources

  • Exploitation of programming defects

Consumption of Bandwidth

Bandwidth exhaustion is one of the more common attacks to be observed in the wild. This type of attack is in effect when the network bandwidth flowing to and from a machine is consumed to the point of exhaustion. It may seem to some that the solution here would be to add enough bandwidth that it cannot be easily exhausted, but the keyword is "easily" exhausted—it does not matter how much bandwidth is allocated to a system; it is still a finite amount. In fact, an attacker does not have to completely exhaust bandwidth to and from a system, but rather use up so much of it that performance becomes unacceptable to users. So the attacker's goal is to consume enough bandwidth to make the service unusable.

Some well-known forms of attacks in this category include:

  • Smurf—Through the exploitation of the Internet Control Message Protocol (ICMP) and spoofed packets to the broadcast address of a network, the attacker can generate a torrent of traffic from the sheer number of systems that may reply.

  • Fraggle—This type of attack is similar to the smurf attack with the difference being what it uses to consume bandwidth. In the case of fraggle attacks, bandwidth is consumed through the use of User Datagram Protocol (UDP) packets instead.

  • Chargen—This protocol was originally designed for testing and evaluation purposes, but it can be used to perform a DoS by generating traffic rapidly. By doing so, chargen can consume the bandwidth on a network rapidly, at which point a DoS will have occurred.

Consumption of Resources

Much like bandwidth consumption, the goal of resource consumption-based attacks is to eat up a limited resource. However, unlike bandwidth consumption, which exhausts a link shared by many systems, this kind of attack targets the resources (connection tables, memory, CPU) of a single system. When an attack of this nature is carried out, a service or an entire system may become overloaded to the point where it slows, locks, or crashes.

This type of attack can vary in how it is approached; the following list is some of the more common forms of this attack:

  • SYN flood—This type of attack uses forged packets with the SYN flag set. When the victim receives enough of the packets, the result is an overwhelmed system as the SYN flood consumes connection resources to the point where no resources are available for legitimate connections.

  • ICMP flood—This type of attack comes in two variants: smurf attack and ping flood.

    • Smurf attack—Carried out when a large amount of traffic is directed to the broadcast address of a network instead of to a specific system. By sending traffic to a broadcast address of a network, the request is sent to all hosts on the network, which respond in turn. However, because the attacker takes the extra step of forging the packet with the intended victim as the source, all the hosts on the network respond to the victim instead of to the attacker. The result is a flood of traffic that overwhelms the victim, causing a DoS.

    • Ping flood—Carried out by sending a large number of ping packets to the victim with the intent of overwhelming it. This attack is incredibly simple, requiring only basic knowledge of the ping command, the victim's IP address, and more bandwidth than the victim. In Windows, the command to pull off such an attack would be:

      ping -t <victim IP address>

  • Teardrop attack—In this type of attack, the attacker manipulates IP packet fragments in such a way that when reassembled by the victim, a crash occurs. This process involves having fragments reassembled in illegal ways or having fragments reassembled into larger packets than the victim can process.

  • Reflected attack—This type of attack is carried out by spoofing or forging the source address of packets or requests and sending them to numerous systems, which in turn respond to the request. This type of attack is a scaled-up version of what happens in the ping flood attack.
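The connection state that a SYN flood exhausts can be made visible by replaying a connection log, as in this added example (not from the textbook): it counts half-open connections per source and as a whole, so that both a single flooding host and a flood from spoofed addresses show up. The event format, the thresholds, and the sample log are constructed for illustration.

```python
# Added example (not from the textbook): a half-open connection counter that
# models the per-connection state a SYN flood exhausts. A SYN opens an
# embryonic entry, the client's ACK completes it, RST or FIN tears it down.
# Field names, thresholds and the sample log are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class TcpEvent:
    ts: float      # seconds since capture start
    src: str       # client IP as seen by the server
    sport: int     # client port
    flags: str     # any of "S" (SYN), "A" (ACK), "F" (FIN), "R" (RST)


def half_open_connections(events: Iterable[TcpEvent], timeout: float = 30.0) -> dict[str, int]:
    """Replay the log and return, per source IP, how many embryonic
    connections are still waiting for the handshake's final ACK.
    Entries older than `timeout` are dropped, as a stack's SYN timer
    would expire them."""
    pending: dict[tuple[str, int], float] = {}
    now = 0.0
    for ev in events:
        key = (ev.src, ev.sport)
        now = max(now, ev.ts)
        if "R" in ev.flags or "F" in ev.flags:
            pending.pop(key, None)       # connection torn down
        elif "S" in ev.flags and "A" not in ev.flags:
            pending[key] = ev.ts         # new embryonic connection
        elif "A" in ev.flags:
            pending.pop(key, None)       # handshake completed
    counts: dict[str, int] = defaultdict(int)
    for (src, _), opened in pending.items():
        if now - opened <= timeout:
            counts[src] += 1
    return dict(counts)


def flood_suspects(events, per_source: int = 50, total: int = 200):
    """Flag sources holding `per_source` or more half-open slots. A backlog
    above `total` with no single culprit points to spoofed sources, so the
    overall backlog state is reported as a second value."""
    counts = half_open_connections(events)
    suspects = sorted(s for s, n in counts.items() if n >= per_source)
    return suspects, sum(counts.values()) >= total


def sample_log() -> list[TcpEvent]:
    """Constructed log: one honest client completing four handshakes,
    one flooder sending 120 SYNs that are never followed by an ACK."""
    log = []
    for i in range(4):
        log.append(TcpEvent(1.0 + i, "10.0.0.5", 40000 + i, "S"))
        log.append(TcpEvent(1.1 + i, "10.0.0.5", 40000 + i, "A"))
    for i in range(120):
        log.append(TcpEvent(2.0 + i * 0.01, "203.0.113.9", 1024 + i, "S"))
    return log


if __name__ == "__main__":
    print(half_open_connections(sample_log()))   # {'203.0.113.9': 120}
    print(flood_suspects(sample_log()))          # (['203.0.113.9'], False)
```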

Exploitation of Programming Defects

Consuming bandwidth isn't the only way to carry out a DoS attack on a system. Another is to exploit known weaknesses in the system's design. Vulnerabilities of this type may have been exposed due to flaws in the system's design that were inadvertently put in place by the programmers or developers of the system.

The following list has some of the more common methods of exploiting programming defects:

  • Ping of death (PoD)—This type of attack preys upon the inability of some systems to handle oversized packets. An attacker sends them out in fragments; when these fragments reach the system they are reassembled by the victim, and when the "magic size" of the 65,536 bytes allowed by the IP protocol is reached, some systems will crash or fall victim to a buffer overflow.

  • Teardrop—This attack succeeds by exploiting a different weakness in the way packets are processed by a system. In this type of attack, the packets are sent in a malformed state with their offset values adjusted so they overlap, which is illegal. When a system that does not know how to deal with this issue is targeted, a crash or lock may result.

  • Land—In this type of attack, a packet is sent to a victim system with the same source and destination address and port. The result is that systems that do not know how to process such a packet crash or lock up.
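The three malformed-packet conditions above can be rejected before any reassembly takes place; this added example (not from the textbook) shows the checks in Python. The fragment record, the addresses, and the sizes are constructed for illustration, and offsets are expressed in bytes rather than the 8-byte units the IP header uses on the wire.

```python
# Added example (not from the textbook): pre-reassembly sanity checks that a
# receiving stack or an inline filter can apply, covering the three attacks
# above. Records and sizes are constructed; offsets are in bytes rather than
# the 8-byte units the IP header uses on the wire.
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535   # largest total length the 16-bit IP length field allows


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    sport: int
    dport: int
    offset: int    # byte offset of this fragment's payload in the datagram
    length: int    # payload bytes carried by this fragment


def is_land_packet(f: Fragment) -> bool:
    """Land: source and destination address and port are all identical."""
    return f.src == f.dst and f.sport == f.dport


def check_fragments(frags: list[Fragment]) -> list[str]:
    """Return the problems found in one datagram's fragment set; an empty
    list means it is safe to reassemble. Overlaps (teardrop) and oversize
    (ping of death) are caught before any reassembly buffer is allocated."""
    problems = []
    if any(is_land_packet(f) for f in frags):
        problems.append("land")
    end = 0   # first byte not yet covered by an earlier fragment
    for f in sorted(frags, key=lambda f: f.offset):
        if f.offset < end:
            problems.append("teardrop")   # overlaps the previous fragment
            break
        end = f.offset + f.length
    if end > IP_MAX_DATAGRAM:
        problems.append("ping-of-death")
    return problems


def sample_sets() -> dict[str, list[Fragment]]:
    """Constructed fragment sets: one normal 2000-byte datagram and one
    of each malformed case."""
    def frag(offset, length, src="192.0.2.10", dst="192.0.2.20", sport=1234, dport=80):
        return Fragment(src, dst, sport, dport, offset, length)
    return {
        "normal":   [frag(0, 1480), frag(1480, 520)],
        "teardrop": [frag(0, 1480), frag(1000, 600)],   # second overlaps first
        "pod":      [frag(i * 1480, 1480) for i in range(45)],   # 66,600 bytes
        "land":     [frag(0, 64, src="192.0.2.20", sport=80)],  # 192.0.2.20:80 -> itself
    }


if __name__ == "__main__":
    for name, frags in sample_sets().items():
        print(name, check_fragments(frags))
    # normal [] / teardrop ['teardrop'] / pod ['ping-of-death'] / land ['land']
```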

Note

All these attacks have been around for years and so you would expect systems to be designed to be less susceptible to them. However, this is not the case. It has been discovered time and time again that modern systems from all vendors can be vulnerable to these attacks if they are not patched and managed correctly.

Tools for DoS

There are plenty of tools available to the hacker to perform a DoS attack, including:

  • Jolt2—A piece of software designed to flood a system with incorrectly formatted packets.

  • Targa—This software is designed to attempt different types of attacks and has eight different variations to choose from.

  • Crazy Pinger—This software is designed to send ping packets of varying sizes and other parameters to a victim.

Note

Some of these tools have been known to appear on systems seemingly inexplicably, which may be a sign of a system that has become part of a botnet, which will be discussed later in this chapter.

Distributed Denial of Service (DDoS) Attacks

A distributed denial of service (DDoS) attack is a powerful tool for those who know how to use it. Security professionals have developed techniques to prevent these attacks, but hackers keep developing new methods of carrying them out.

Some Characteristics of DDoS Attacks

As you can readily imagine, a distributed attack, involving many compromised machines, is a more devastatingly effective way to commit a denial of service attack than simply using one machine to attack another. Here are some specifics you should know:

  • Attacks of this type are characterized by being very large, using hundreds or thousands of systems to conduct the attack.

  • DDoS has two types of victims; namely, primary and secondary. The former is the recipient of the actual attack; the latter are the systems used to launch the attack itself.

  • The attack can be very difficult if not impossible to track back to its true source because of the sheer number of systems involved.

  • Defense is extremely difficult due to the number of attackers. Configuring a router or firewall to block a small number of single IP addresses is child's play. Larger numbers of attackers are nearly impossible to block.

  • Impact of this attack is increased over standard DoS because many hosts are involved in the attack, multiplying the attack's strength and power.

A DDoS is an "upgraded" and advanced version of the DoS. The DDoS has the same goal as the DoS, which is to shut a system down by consuming resources, but does so through sheer force of numbers. This type of attack generally tends to occur in two waves designed to position and carry out the attack.

In the first wave, the attack is staged, and the targets that will be the "foot soldiers" are infected with the implements that will be used to attack the final victim. Targets for infection in this phase include systems that have high-speed connections, poorly defended home and business networks, and poorly patched systems. What is infecting these systems can and will vary, but it could include software such as that mentioned previously for a traditional DoS.

Wave 2 is the attack itself. Foot soldiers form the army of systems that will collectively attack a designated target. These infected systems can number in the thousands, hundreds of thousands, or even millions awaiting the instruction that will turn their collective attention toward a target (these infected systems are called "zombies"). These are the steps of the attack itself:

  • Construct a piece of malware that will transmit packets to a target network/Web site.

  • Convert a predefined number of computers to drones.

  • Initiate the attack by sending signals to the drones to attack a specific target.

  • Have drones initiate an attack against a target until they are shut down or disinfected.

Note

The infected systems are not always referred to as "zombies"; they are sometimes called "bots" (short for robots) or, like the Borg in Star Trek, "drones." Whatever you call them, the goal is the same: to target a system and steamroll it with traffic.

A DDoS attack like this sounds simple, but in practice it is not, because it takes quite a bit of planning and knowledge to set up, not to mention a good amount of patience. To set this type of attack up, two components are needed: a software component and a hardware component.

On the software side, two items are needed to make the attack happen:

  • Client-side software—This is the software that ultimately will be used to send command and control requests to launch an attack against the target. This software will be used by the attacker to initiate the opening stages of the attack.

  • Daemon software—This software is resident on the infected systems or bots. This software is installed on a victim and then waits for instructions to be received. If you have software of this type installed, you are the one actually attacking a system.

The second requirement that is essential is the hardware; more specifically, these are the systems that will be components of the attack:

  • Master or control system—The system responsible for sending out the initial messages to start the attack; also the system that has the client software present and installed.

  • Zombie—A system that carries out the attack against the victim. The number of zombies can vary wildly.

  • Target—The system that is the actual victim or recipient of the attack.

You may be wondering whether, all things considered, a DDoS is unstoppable.

DDoS attacks rely on locating and using vulnerable hosts that are connected to the Internet. These systems are then targeted for these known vulnerabilities and taken over. Once the attack is initiated and the command sent out to the attacking systems, the DDoS is nearly impossible to stop.

Routers and firewalls may be configured to block the attack, but the attack can overwhelm these devices and shut down the connection anyway. The sheer volume of attackers involved in DDoS attacks makes them difficult to stop.

Tools for DDoS

To initiate a DDoS requires the proper tools, and there are a number available. The tool or tools you use will ultimately depend on what your preferences are as well as other factors such as platform, but the following list is a sampling of these tools:

  • Tribal Flood Network (TFN)—TFN can launch ICMP, Smurf, UDP, and SYN flood attacks at will against an unsuspecting victim. TFN has the distinction of being the first publicly available DDoS tool.

  • Trinoo—Trinoo can claim to be the first widely used DDoS application largely because it is easy to use and has the ability to command and control many systems to launch an attack.

  • Stacheldraht—The best of both worlds is available in this tool, which offers features that are seen both in Trinoo and TFN. Stacheldraht uses TCP and ICMP to send commands and control its agents in order to attack. This software also includes what could be considered advanced features in the form of encrypted communication from client to handlers.

  • TFN2K—An upgrade to TFN, it provides some more advanced features including spoofing of packets and port configuration options. As opposed to TFN, this software does include encryption features, but not as strong as those of Stacheldraht.

  • WinTrinoo—This software is a Windows port of Trinoo and has the ability to use Windows clients as drones.

  • Shaft—This works much the same way as Trinoo, but includes the ability for the client to configure the size of the flooding packets and the duration of attack.

  • MStream—This utilizes spoofed TCP packets to attack a designated victim.

  • Trinity—This performs several DDoS functions, including fraggle, fragment, SYN, RST, ACK, and others.

Botnets

An advanced type of attack mechanism is a botnet, which consists of systems that are infected with software such as those used in DDoS attacks. When enough of these systems are infected, and a critical mass has been reached, it is possible to use these machines to do tremendous damage to a victim. Botnets can stretch from one side of the globe to another and be used to attack a system or carry out a number of other tasks.

Botnets can perform several attacks, including:

  • DDoS—This construct makes sense as an attack method based on the way a DDoS works and the number of systems that can be infected.

  • Sending spam—Botnets have been used to transmit spam and other bogus information on behalf of their owner.

  • Stealing information—Attacks have also been carried out with botnets to steal information from unsuspecting users' systems.

  • Click fraud—In this attack, the attacker infects a large number of systems so that they will click on advertisements on the attacker's behalf, generating revenue for the attacker.

Note

Remember that a botnet can easily number into the hundreds of thousands or millions of systems, stretching from one end of the globe to another. With these kinds of numbers, the attacks noted here take on a new meaning and destructive capability.

A "bot" is a type of malware that allows an attacker to take control over an affected computer. Also known as "Web robots," bots are usually part of a network of infected machines known as a "botnet," which is typically made up of victim machines that stretch across the globe.

CHAPTER SUMMARY

This chapter focused on three types of network attacks: sniffing, session hijacking, and DoS attacks. Each of these attacks represents a powerful weapon in the hands of a skilled attacker.

Sniffing is the process of capturing and analyzing traffic in an effort to observe information that is confidential. Sniffing can be performed on just about any network, but the technique may require that you adapt based on how the network operates. In networks with a hub, you can easily sniff simply by starting any packet sniffer. On networks that use switches, however, it is different, as the switch prevents you from seeing what is on a different collision domain. On networks where switching is used, you will have to use techniques such as MAC flooding and ARP spoofing to bypass the switch prior to sniffing.

Moving beyond or building upon the techniques that were introduced in sniffing is the session hijack, which is an aggressive and powerful weapon in the hacker's arsenal. A session hijack takes over an existing authenticated session and uses it to monitor or manipulate the traffic, and even execute commands on a system remotely. Session hijacking in its most advanced stages directly affects and attacks the integrity of information in an organization. An attacker using this technique can modify information at will as they have the credentials of the victim and whatever the victim has access to.

DoS attacks were discussed and you learned how these attacks are used to shut down and deny legitimate access to and usage of services to users. A DoS is used to target a service or system and prevent it from being used for legitimate uses for as long as the attacker wishes. Under the right conditions, a DoS directly attacks the confidentiality and integrity of data that users have been granted the right to use.

KEY CONCEPTS AND TERMS

  • Active session hijacking

  • Active sniffing

  • Address Resolution Protocol (ARP) poisoning

  • Botnet

  • Collision domain

  • Content addressable memory (CAM)

  • Fail-open

  • Hub

  • Lookup table

  • Passive session hijacking

  • Passive sniffing

  • Promiscuous mode

  • Session hijacking

  • Switch

CHAPTER 12 ASSESSMENT

  1. A DoS is meant to deny a service from legitimate usage.

    1. True

    2. False

  2. Sniffers can be used to:

    1. Decrypt information

    2. Capture information

    3. Hijack communications

    4. Security enforcement

  3. Session hijacking is used to capture traffic.

    1. True

    2. False

  4. Session hijacking is used to take over an authenticated session.

    1. True

    2. False

  5. Active sniffing is used when switches are present.

    1. True

    2. False

  6. _______ is used to overwhelm a service.

  7. _______ is used to flood a switch with bogus MAC addresses.

  8. _______ is used to fake a MAC address.

    1. Spoofing

    2. Flooding

    3. Poisoning

    4. Hijacking

  9. What type of device can have its memory filled up when MAC flooding is used?

    1. Hub

    2. Switch

    3. Router

    4. Gateway

  10. What technique is used when traffic is captured on a network with hubs?

    1. Active sniffing

    2. Passive sniffing

    3. MAC Flooding

    4. Ether flooding
