Module 2 - Types of Attacks

This document discusses various types of denial of service (DoS) attacks, including SYN floods, Smurf attacks, Ping of Death, and UDP floods. It explains how each type of attack works to overwhelm the target system and prevent legitimate users from accessing it by exceeding the system's operational limits. Specific tools for executing DoS attacks, like LOIC and HOIC, are also mentioned. The document then shifts to discussing buffer overflow attacks and IP spoofing techniques that hackers use to compromise systems.

Uploaded by

Fahmi Habibie

2.1 Denial of Service Attacks


The first type of attack to examine is the denial of service (DoS). A denial of service attack
is any attack that aims to deny legitimate users the use of the target system. This class of
attack does not actually attempt to infiltrate a system or to obtain sensitive information. It
simply aims to prevent legitimate users from accessing a given system.

This type of attack is one of the most common categories of attack. Many experts feel that
it is so common because most forms of denial of service attacks are fairly easy to execute.
The ease with which these attacks can be executed means that even attackers with minimal
technical skills can often successfully perform a denial of service.

The concept underlying the denial of service attack is based on the fact that any device has
operational limits. This fact applies to all devices, not just computer systems. For example,
bridges are designed to hold weight up to a certain limit, aircraft have limits on how far
they can travel without refuelling, and automobiles can only accelerate to a certain point.
All of these various devices share a common trait: They have set limitations to their
capacity to perform work. Computers are no different from these, or any other machine;
they, too, have limits. Any computer system, web server, or network can only handle a
finite load.

How a workload (and its limits) is defined varies from one machine to another. A workload
for a computer system might be defined in a number of different ways, including the
number of simultaneous users, the size of files, the speed of data transmission, or the
amount of data stored. Exceeding any of these limits will stop the system from responding.
For example, if you can flood a web server with more requests than it can process, it will
be overloaded and will no longer be able to respond to further requests. This reality
underlies the DoS attack. Simply overload the system with requests, and it will no longer
be able to respond to legitimate users attempting to access the web server.

2.1.1 SYN Flood

Simply sending a flood of pings is the most primitive method of performing a DoS. More
sophisticated methods use specific types of packets. One popular version of the DoS attack
is the SYN flood. This particular attack depends on the hacker’s knowledge of how
connections are made to a server. When a session is initiated between the client and server
in a network using the TCP protocol, a small buffer space in memory is set aside on the
server to handle the “hand-shaking” exchange of messages that sets up the session. The
session-establishing packets include a SYN field that identifies the sequence in the
message exchange.

A SYN flood attempts to disrupt this process. In this attack, an attacker sends a number of
connection requests very rapidly and then fails to respond to the reply that is sent back by
the server. In other words, the attacker requests connections, and then never follows
through with the rest of the connection sequence. This has the effect of leaving connections
on the server half open, and the buffer memory allocated for them is reserved and not
available to other applications. Although the packet in the buffer is dropped after a certain
period of time (usually about three minutes) without a reply, the effect of many of these
false connection requests is to make it difficult for legitimate requests for a session to be
established.
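The sign of a SYN flood that a defender can actually observe is the pile-up of half-open connections described above. The following Python script is an added example, not part of the original module: it reads the output format of the Linux `ss -tan` command, counts connections in the SYN-RECV state per remote source, and flags sources above a threshold. The sample output embedded in the script is constructed; on a live host you would feed it the real command output as noted in the comment.

```python
"""Count half-open (SYN-RECV) TCP connections per remote source from
`ss -tan`-style output and flag sources above a threshold.
Added example; the lines below are constructed, not captured from a host."""
from collections import Counter

# Constructed sample in the column layout of `ss -tan`:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# On a real host use:
#   subprocess.run(["ss", "-tan"], capture_output=True, text=True).stdout
SAMPLE_SS_OUTPUT = """\
State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      10.0.0.5:22          10.0.0.9:51234
SYN-RECV  0      0      10.0.0.5:80          198.51.100.7:40001
SYN-RECV  0      0      10.0.0.5:80          198.51.100.7:40002
SYN-RECV  0      0      10.0.0.5:80          198.51.100.7:40003
SYN-RECV  0      0      10.0.0.5:80          203.0.113.4:55000
LISTEN    0      128    0.0.0.0:80           0.0.0.0:*
"""


def split_host_port(addr: str) -> tuple:
    """Split 'host:port' on the last colon so IPv6 forms like [::1]:80 survive."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port


def half_open_by_source(ss_output: str) -> Counter:
    """Map each peer address to its number of half-open (SYN-RECV) connections."""
    counts = Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # The header row starts with "State", so it is skipped here as well.
        if len(fields) < 5 or fields[0] != "SYN-RECV":
            continue
        peer_host, _ = split_host_port(fields[4])
        counts[peer_host] += 1
    return counts


def flag_sources(ss_output: str, threshold: int = 3) -> list:
    """Return sources with at least `threshold` half-open connections, busiest first."""
    counts = half_open_by_source(ss_output)
    return [src for src, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for src, n in half_open_by_source(SAMPLE_SS_OUTPUT).most_common():
        print(f"{src:20} {n} half-open")
    print("flagged:", flag_sources(SAMPLE_SS_OUTPUT))
```

A single source holding many half-open connections is the pattern to alert on; the threshold is a tuning choice for the server in question, and the half-open entries expire on their own after the timeout the text mentions, so the count should be sampled repeatedly rather than once.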

2.1.2 Smurf Attack

The Smurf attack is a popular type of DoS attack. It was named after the application first
used to execute this attack. In the Smurf attack, an ICMP packet is sent out to the broadcast
address of a network, but its return address has been altered to match one of the computers
on that network, most likely a key server. All the computers on the network will then
respond by pinging the target computer. 

ICMP packets use the Internet Control Message Protocol to send error messages on the
Internet. Because the address the packets are sent to is a broadcast address, the packet is
delivered to all hosts on the network, and each of them then replies to the spoofed source
address.

Continually sending such packets will cause the network itself to perform a DoS attack on
one or more of its member servers. This attack is both clever and simple. The greatest
difficulty is getting the packets started on the target network. This can be accomplished via
some software such as a virus or Trojan horse that will begin sending the packets.

2.1.3 Ping of Death

The Ping of Death (PoD) is perhaps the simplest and most primitive form of DoS attack
and is based on overloading the target system. TCP packets have limited size. In some
cases, simply sending a packet that is too large can shut down a target machine.

The aim of this attack is to overload the target system and cause it to quit responding. The
PoD works to compromise systems that cannot deal with extremely large packet sizes. If
successful, the server will actually shut down. It can, of course, be rebooted.

The only real safeguard against this type of attack is to ensure that all operating systems
and software are routinely patched. This attack relies on vulnerabilities in the way a
particular operating system or application handles abnormally large TCP packets. When
such vulnerabilities are discovered, the vendor customarily releases a patch. The possibility
of PoD is one reason, among many, why you must keep patches updated on all of your
systems.

This attack is becoming less common as newer versions of operating systems are better
able to handle the overly large packets that Ping of Death depends on. If the operating
system is properly designed, it will drop any oversized packets, thus negating any possible
negative effects a PoD attack might have.

2.1.4 UDP Flood

UDP (User Datagram Protocol) is a connectionless protocol and it does not require any
connection setup procedure to transfer data. TCP packets connect and wait for the recipient
to acknowledge receipt before sending the next packet. Each packet is confirmed. UDP
packets simply send the packets without confirmation. This allows packets to be sent much
faster, making it easier to perform a DoS attack.

A UDP flood attack occurs when an attacker sends a UDP packet to a random port on the
victim system. When the victim system receives a UDP packet, it will determine what
application is waiting on the destination port. When it realizes that no application is
waiting on the port, it will generate an ICMP packet of destination unreachable to the
forged source address. If enough UDP packets are delivered to ports on the victim, the
system goes down.

2.1.5 DoS Tools

One reason that DoS attacks are becoming so common is that a number of tools are
available for executing DoS attacks. These tools are widely available on the Internet, and in
most cases are free to download. This means that any cautious administrator should be
aware of them. In addition to their obvious use as an attack tool, they can also be useful for
testing your anti-DoS security measures.

Low Orbit Ion Cannon (LOIC) is probably the best known and one of the simplest
DoS tools. You first put the URL or IP address into the target box. Then click the Lock On
button. You can change settings regarding what method you choose, the speed, how many
threads, and whether or not to wait for a reply. Then simply click the IMMA CHARGIN
MAH LAZER button and the attack is underway.

High Orbit Ion Cannon (HOIC) is a bit more advanced than LOIC, but actually simpler
to run. Click the + button to add targets. A popup window will appear where you put in the
URL as well as a few settings.

2.2 Buffer Overflow Attacks

Another way of attacking a system is called a buffer overflow (or buffer overrun) attack.
Some experts would argue that the buffer overflow occurs as often as the DoS attack, but
this is less true now than it was a few years ago. A buffer overflow attack is designed to put
more data in a buffer than the buffer was designed to hold. Although this threat might be
smaller than it once was, it is still a very real threat.

Any program that communicates with the Internet or a private network must receive some
data. This data is stored, at least temporarily, in a space in memory called a buffer. If the
programmer who wrote the application was careful, the buffer will truncate or reject any
information that exceeds the buffer limit. 

Given the number of applications that might be running on a target system and the number
of buffers in each application, the chance of having at least one buffer that was not written
properly is significant enough to cause any cautious system administrator some concern. A
person moderately skilled in programming can write a program that purposefully writes
more data into the buffer than it can hold. For example, if the buffer can hold 1024 bytes of
data and you try to fill it with 2048 bytes, the extra 1024 bytes is then simply loaded into
memory.
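The "truncate or reject" behaviour the text attributes to a careful programmer is an explicit capacity check before any copy into a fixed-size buffer. The following Python code is an added example, not part of the original module: it models a 1024-byte receive buffer and applies either policy to the 1024-versus-2048-byte case from the text. The buffer size, the policy names and the constructed requests are my own choices; in C the same check is what guards an otherwise unchecked copy.

```python
"""Fixed-size receive buffer with an explicit bound check (reject or truncate).
Added example; BUF_SIZE and the sample requests are constructed values."""

BUF_SIZE = 1024  # constructed: capacity of the buffer from the text's example


class RequestTooLarge(ValueError):
    """Raised when the input exceeds the buffer and the policy is 'reject'."""


def receive_into(buf: bytearray, data: bytes, policy: str = "reject") -> int:
    """Copy `data` into the fixed-size `buf`; return the number of bytes stored.

    The check happens before the copy: a slice assignment such as
    buf[0:2048] = data would otherwise silently grow the bytearray, which is
    the Python analogue of writing past the end of a C buffer."""
    capacity = len(buf)
    if len(data) > capacity:
        if policy == "reject":
            raise RequestTooLarge(f"{len(data)} bytes offered, capacity {capacity}")
        if policy == "truncate":
            data = data[:capacity]
        else:
            raise ValueError(f"unknown policy {policy!r}")
    buf[:len(data)] = data  # lengths match, so the buffer keeps its size
    return len(data)


def stored_bytes(length: int, policy: str = "reject") -> int:
    """Feed a constructed request of `length` bytes into a fresh buffer."""
    buf = bytearray(BUF_SIZE)
    n = receive_into(buf, b"A" * length, policy)
    if len(buf) != BUF_SIZE:
        raise RuntimeError("buffer grew; the bound check is broken")
    return n


def accepts(length: int, policy: str = "reject") -> bool:
    """True if a request of `length` bytes is stored (fully or truncated)."""
    try:
        stored_bytes(length, policy)
        return True
    except RequestTooLarge:
        return False


if __name__ == "__main__":
    print("512 bytes, reject policy:  ", stored_bytes(512))
    print("2048 bytes, truncate policy:", stored_bytes(2048, "truncate"))
    print("2048 bytes, reject policy:  ", accepts(2048))
```

Rejecting is the safer default for protocol data, since truncation can leave a half-parsed message that the rest of the program then misinterprets; truncation is acceptable only where a shortened value is still meaningful, such as a display string.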

If the extra data is actually a malicious program, then it has just been loaded into memory
and is running on the target system. Or perhaps the perpetrator simply wants to flood the
target machine’s memory, thus overwriting other items that are currently in memory and
causing them to crash. Either way, the buffer overflow is a very serious attack.
Fortunately, buffer overflow attacks are a bit harder to execute than the DoS or a simple
MS Outlook script virus. To create a buffer overflow attack, a hacker must have a good
working knowledge of some programming language (C or C++ is often chosen) and
understand the target operating system/application well enough to know whether it has a
buffer overflow weakness and how it might exploit the weakness.

2.3 IP Spoofing

IP spoofing is essentially a technique used by hackers to gain unauthorised access to
computers. Although this is the most common reason for IP spoofing, it is occasionally
done simply to mask the origins of a DoS attack. In fact, DoS attacks often mask the actual
IP address from which the attack is originating.

With IP spoofing, the intruder sends messages to a computer system with an IP address
indicating that the message is coming from a different IP address than it is actually coming
from. If the intent is to gain unauthorised access, then the spoofed IP address will be that of
a system the target considers a trusted host. 

To successfully perpetrate an IP spoofing attack, the hacker must first find the IP address
of a machine that the target system considers a trusted source. Hackers might employ a
variety of techniques to find an IP address of a trusted host. After they have that trusted IP
address, they can then modify the packet headers of their transmissions so it appears that
the packets are coming from that host.

IP spoofing, unlike many other types of attacks, was actually known to security experts on
a theoretical level before it was ever used in a real attack. The concept of IP spoofing was
initially discussed in academic circles as early as the 1980s. Although the concept behind
this technique was known for some time, it was primarily theoretical until Robert Morris
discovered a security weakness in the TCP protocol known as sequence prediction. 

IP spoofing attacks are becoming less frequent, primarily because the venues they use are
becoming more secure and in some cases are simply no longer used. However, spoofing
can still be used, and all security administrators should address it. 

A couple of different ways to address IP spoofing include:

- Do not reveal any information regarding your internal IP addresses. This helps
  prevent those addresses from being "spoofed."
- Monitor incoming IP packets for signs of IP spoofing using network monitoring
  software. One popular product is Netlog. This and similar products seek incoming
  packets to the external interface that have both the source and destination IP
  addresses in your local domain, which essentially means an incoming packet that
  claims to be from inside the network, when it is clearly coming from outside your
  network. Finding one means an attack is underway.

The danger from IP spoofing is that some firewalls do not examine packets that appear to
come from an internal IP address. Routing packets through filtering routers is possible if
they are not configured to filter incoming packets whose source address is in the local
domain.

Examples of router configurations that are potentially vulnerable include:

- Routers to external networks that support multiple internal interfaces
- Proxy firewalls where the proxy applications use the source IP address for
  authentication
- Routers with two interfaces that support subnetting on the internal network
- Routers that do not filter packets whose source address is in the local domain
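The monitoring check described in the list above (a packet on the external interface whose source and destination are both inside the local domain) and the filtering rule the last bullet says vulnerable routers lack are the same test. The following Python code is an added example, not part of the original module and not how Netlog or any particular product works: it applies that test to a simple constructed record format of interface, source and destination. The interface names, the local prefixes and the packet lines are all constructed; treating loopback sources as local is my own extension of the rule.

```python
"""Ingress check for the spoofing sign in the text: a packet arriving on the
external interface with a local source (and local destination).
Added example; interfaces, prefixes and packet records are constructed."""
import ipaddress

# Constructed environment: what "local domain" and "external interface" mean here.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]
EXTERNAL_IFACES = {"eth0"}

# Constructed records in a simple "<iface> <src> <dst>" layout I define here.
SAMPLE_PACKETS = """\
eth0 203.0.113.9 10.0.0.5
eth0 10.0.0.7 10.0.0.5
eth1 10.0.0.7 10.0.0.5
eth0 192.168.1.20 192.168.1.1
eth0 198.51.100.3 192.168.1.1
eth0 127.0.0.1 10.0.0.5
"""


def is_local(addr: str) -> bool:
    """True for addresses inside LOCAL_NETS; loopback is treated as local too."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or any(ip in net for net in LOCAL_NETS)


def is_spoofed_ingress(iface: str, src: str, dst: str) -> bool:
    """The text's rule: external interface, local source, local destination."""
    return iface in EXTERNAL_IFACES and is_local(src) and is_local(dst)


def find_spoofed(log: str) -> list:
    """Return (iface, src, dst) for every record that matches the rule."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed record; skip rather than guess
        iface, src, dst = parts
        if is_spoofed_ingress(iface, src, dst):
            hits.append((iface, src, dst))
    return hits


if __name__ == "__main__":
    for iface, src, dst in find_spoofed(SAMPLE_PACKETS):
        print(f"spoofed ingress on {iface}: {src} -> {dst}")
```

The same rule expressed as a router or firewall filter (drop packets on the external interface whose source is in the local domain) is the preventive form; the script is the detective form that tells you the filter is missing or has been bypassed.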

2.4 Guided Exercise: Preventing IP Spoofing

Resources
Files:    None
Machines: Ubuntu Server

In this exercise you will need to configure the Ubuntu Server to avoid IP Spoofing.

Log in to Ubuntu Server and, once logged in, run the command “sudo gedit /etc/host.conf”.
Sudo will ask for the user password; enter “Pa$$w0rd”. The host configuration file will
open. The host.conf configuration file contains configuration information specific to the
resolver library.

Make the changes shown in the screenshot below, which simply change the word multi
to nospoof.

With the value nospoof on, the resolver library will attempt to prevent hostname
spoofing for enhanced security.

After making the changes press SAVE to save the changes and then close the file.

2.5 Session Hijacking
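The same change can be applied without a text editor, which is useful when the setting has to be enforced on many servers. The following Python script is an added example, not part of the exercise: it rewrites host.conf text so that the multi line becomes nospoof on, leaves comments and other lines untouched, and appends the setting if neither line is present. The sample file content is constructed; the path /etc/host.conf is the one named in the exercise, and writing to it still requires root, exactly as the sudo step above does.

```python
"""Set `nospoof on` in /etc/host.conf in place of `multi on`, as the exercise
instructs. Added example; the sample content below is constructed."""
import sys
from pathlib import Path

# Constructed host.conf content in the exercise's starting state.
SAMPLE_HOST_CONF = """\
# The "order" line is only used by old versions of the C library.
order hosts,bind
multi on
"""


def harden_host_conf(text: str) -> str:
    """Return host.conf text with the multi line replaced by `nospoof on`.

    Comments and unrelated settings are preserved. If the file has neither a
    multi nor a nospoof line, `nospoof on` is appended, so the result always
    carries the setting and applying the function twice changes nothing."""
    out, seen = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            out.append(line)
            continue
        key = stripped.split(None, 1)[0]
        if key in ("multi", "nospoof"):
            out.append("nospoof on")
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append("nospoof on")
    return "\n".join(out) + "\n"


def harden_file(path: str) -> str:
    """Rewrite the file at `path` in place and return the new content."""
    p = Path(path)
    new_text = harden_host_conf(p.read_text())
    p.write_text(new_text)
    return new_text


if __name__ == "__main__":
    # Usage: sudo python3 harden_host_conf.py [/etc/host.conf]
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/host.conf"
    print(harden_file(target), end="")
```

Run it against a copy of the file first to review the output; the function is deliberately conservative and only touches the one line the exercise changes.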
Another form of attack is session hacking or hijacking. TCP session hijacking is a process
where a hacker takes over a TCP session between two machines. Because authentication
frequently is done only at the start of a TCP session, this allows the hacker to break into the
communication stream and take control of the session. For example, a person might log on
to a machine remotely. After establishing a connection with the host, the hacker might use
session hacking to take over that session and thereby gain access to the target machine.

One popular method for session hacking is using source-routed IP packets. This allows a
hacker at point A on the network to participate in a conversation between B and C by
encouraging the IP packets to pass through the hacker’s machine.

The most common sort of session hacking is the “man-in-the-middle attack.” In this
scenario, a hacker uses some sort of packet-sniffing program to simply listen to the
transmissions between two computers, taking whatever information he or she wants but not
actually disrupting the conversation. A common component of such an attack is to execute
a DoS attack against one end point to stop it from responding. Because that end point is no
longer responding, the hacker can now insert his or her own machine to stand in for that end
point.

The point of hijacking a connection is to exploit trust and to gain access to a system to
which one would not otherwise have access.
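Several of the attacks in this module have a kernel-level countermeasure on a Linux server: SYN cookies for the SYN flood (2.1.1), ignoring echo requests to broadcast addresses so the host cannot be used as a Smurf amplifier (2.1.2), reverse-path filtering against spoofed sources (2.3), and refusing source-routed packets, the mechanism the session hijacking discussion above describes (2.5). The following Python script is an added example, not part of the original module: it audits `sysctl -a`-style output against those four settings and emits the lines that would fix the gaps. The sysctl keys are real Linux kernel parameters; the sample output is constructed.

```python
"""Audit Linux sysctl settings that counter SYN floods, Smurf amplification,
spoofed sources and source-routed packets.
Added example; the sample `sysctl -a` lines are constructed."""
from typing import Optional

# key -> (hardened value, why it matters for this module's attacks)
EXPECTED = {
    "net.ipv4.tcp_syncookies":
        ("1", "SYN flood: keep accepting clients when the SYN backlog is full"),
    "net.ipv4.icmp_echo_ignore_broadcasts":
        ("1", "Smurf: never answer echo requests sent to a broadcast address"),
    "net.ipv4.conf.all.rp_filter":
        ("1", "IP spoofing: drop packets whose source is not reachable via the arriving interface"),
    "net.ipv4.conf.all.accept_source_route":
        ("0", "session hijacking: refuse source-routed packets"),
}

# Constructed `sysctl -a`-style output: two weak settings and one missing key.
SAMPLE_SYSCTL = """\
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.ip_forward = 0
"""


def parse_sysctl(text: str) -> dict:
    """Parse 'key = value' lines into a dict, ignoring anything else."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings


def audit(text: str) -> list:
    """Return (key, current value or None if absent, hardened value, reason)
    for every expected setting that is not at its hardened value."""
    current = parse_sysctl(text)
    findings = []
    for key, (want, reason) in EXPECTED.items():
        have: Optional[str] = current.get(key)
        if have != want:
            findings.append((key, have, want, reason))
    return findings


def remediation(text: str) -> list:
    """Lines suitable for a /etc/sysctl.d/*.conf drop-in, one per finding."""
    return [f"{key} = {want}" for key, _, want, _ in audit(text)]


if __name__ == "__main__":
    import subprocess
    live = subprocess.run(["sysctl", "-a"], capture_output=True, text=True).stdout
    for key, have, want, reason in audit(live):
        print(f"{key}: is {have!r}, want {want}  ({reason})")
    print("\n".join(remediation(live)))
```

A missing key (reported as None) usually means the module or address family is not loaded rather than that the setting is weak, so check that case by hand before adding the line to a drop-in file; the drop-in is then loaded with `sysctl --system`.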
Quiz
