Copy Link
Add to Bookmark
Report
xine-1.012
/-----------------------------\
| Xine - issue #1 - Phile 012 |
\-----------------------------/
Kernel Panic presents:
***************************************************
* Denial of Service Attacks in TCP/IP networks. *
***************************************************
Denial of Service attacks are one of the most dangerous form of Internet
abuse. They are not true cracking, because you don't get control on
another machine, but just make it unfunctional. Here is just an overview
of some kind of them.
** Simple Flooding
This is just sending so many packets to a host to make it unfunctional for
normal use. Usually they are ping requests. Under UNIX a common way to
send them is to use ping -f [hostname]. You need root privileges to issue
such a dangerous command. Of course any other method of placing a high
load on a machine can do the same harm. Anyway some clever servers (for
example some better inetd superdaemons) place a limitation on the number
of network connections to every service. So you block that sevice but the
host is otherwise still up.
** Route Changing
The idea behind this is to change the routing table of some host, so it
loses knowledge of others hosts. The most known way to do this is send an
ICMP message Host Unrechable. The receiver of such a message is supposed
to don't send anymore packets to the originator. A similar result can be
obtained by others ICMP messages: Redirect, Time Exceded, Service
Unavaible, Parameter Problem and maybe others. The point is that the
receviver makes some checks on the ICMP message. For example a Redirect is
passed to the routing table manager only if it comes from the old gatway
for the address that is being redirected. You have to use a tool that
gives you 100% control on the built of the ICMP packet to have good
results (for example Injector :-).
A more advanced method is to create fake gateway information. You can put
yourself in place of gateway and broadcast every routes you want. Some
gateway protocols are quite simple and programs that implement them can be
or not be careful about the authenticy of the packet.
** Services War
A war between 2 host is origintated when they continue to send each other
packets. Usually there is a message from host A to host B that triggers a
response. But the original message is modified so that the response
triggers on its turn another one from A to B and so on. An important point
here is that the same message must act as a query and a response.
Otherwise stated the service cannot (or simply doesn't) check to see if
what it is sending make something comes back.
A known case is finger war. Some hosts do a finger to the originator of a
request for some services (usually finger because it is know to be used by
crackers to gather user information) on them. If 2 servers that employ
this policy try to use a finger they get in war. Similar situtation can be
triggered by an automatic mail replier. It is enough to make a fake mail
from one such replier and another. If they don't make some check on the
received mail the will send mail to each other forever. Of course many
good programs that handle automatic mail replies do some kind of check.
Perhaps the most dangerous abuse of this kind are UDP wars. Here you place
in contact 2 UDP services, each one on a different machine. For example
they can be echo (port 7) and chargen (port 19). The former simply resend
to the originator what it got, the later instead sends back some copies of
the ascii charter set when triggered. The result is a very heavy load on
the network. By the way note that this can't be done for TCP ports because
this protocol requires a three-way handshaking before the connection goes
active and the frames involved in it cannot be exchanged.
** Internal Tables Overflow
Nowdays the most known type of this kind of attacks is SYN flood. It
consists in beginning lots of TCP connections with a host by actually send
a packet with the SYN field in the TCP header set. The server keeps a list
of TCP handshakings that are going on. This table has, of course, a
defined dimension (no more than the host total memory !) and when it is
filled there cannot be any other connection to the host. And because the
Internet is slow the host must keep connection that are, technically
speaking, in a SYN recevied state, for rather a long time. So with a low
bandwith occupation (in contrast, for example, to simple flood) you can
put out of order a host at least as far as TCP services as concerned. It
is difficult to think of a defense against SYN flooding and the packets
can be made with a fake source IP address making very difficult the
discovery of the sender.
Another table that can be overflown is in the IP reassembler. The role of
this data strucure is doing housekeeping about reconstructing fragmented
packet. If ther are too many fragmented IP packets also this table can be
brought to overflow. Of course here only connections that get fragmented
are concerned.
** Host Miming
In this case you send responses on behalf of another host to prevent
correct functionality. You must be on the way between the two
communicating computers so the attack can be triggered by packets. This is
because most interesting protocols need some sequence information in
packets they handle (TCP) or an identification to match queries and
responses (for example DNS). Anyway if the protocol you are hacking
doesn't have such needs you can just keep sending fraudolent packets and
it' s very likely that one of them will reach the attacked host a short
while after its query, before the real answer which will be ignored.
You can send fake response to DNS queries for a specified host. In this
way whatever domain name can be resolved to a bogus IP. This can be
unreachable or even of a host that you control. The most difficult point
here is that you need to match the query identification so the response is
accepted.
Another simply way to prevent normal functionality is to answer to every
packet that ask to start a TCP connection (that with a SYN) with one that
refuse to do it (that with a FIN). Also here a sequence number must be
matched, what helps us from simple repeated sending attacks.
