Attack Profiles
CS-480b
Dick Steflik
Attack Categories
• Denial-of-Service
• Exploitation Attacks
• Information Gathering Attacks
• Disinformation Attacks
Denial of Service Attacks
• Ping of Death
• Teardrop
• UDP Floods
• SYN Floods
• Land Attack
• Smurf Attack
• Fraggle Attack
• e-Mail Bombs
• Malformed Message Attacks
Ping of Death
• An ICMP Echo Request packet that is bigger than the largest allowable size
• TCP/IP specification says max should be 65 Kbytes
• Hacker's goal is to crash the stack by exceeding the max size of the I/O buffer
• Defense - the stack must be hardened (all current popular stack implementations take care of this)
Teardrop
• Exploits IP implementations that trust the fragmentation information in the headers of fragmented IP packets
• If the fragments have overlapping offsets, many implementations will crash
• Defenses:
  • Apply latest patches
  • Configure firewalls to reassemble fragments themselves rather than forwarding them for the end point to reassemble
UDP Floods
• Forge a connection to a host running chargen and have it send useless chargen data to the echo server on another host
• Makes the 2 services so busy that the host may crash or be too busy to respond to normal traffic
• Defense: configure only the services that are absolutely necessary (chargen and echo have no business running on a production server)
SYN Floods
• The goal here is to use up all of the target host's resources (memory and processes), thereby making it unable to process legitimate traffic
• Each time a user sends a SYN the host accepts it and allocates a process and memory
• This gets done over and over until things just get used up
• Defense: a firewall that can recognize the characteristics of a SYN attack and start rejecting packets
Land Attack
• Hardened stack implementations have made this obsolete
• Send a special SYN packet with source and destination address set to the targeted machine's IP address; this causes the recipient to acknowledge to its own address, and the connection is left open until the OS times it out
• Defense
  • Latest patches
  • Configure firewalls to reject inbound packets with internal addresses as the source address
Smurf Attack
• Flood a host with ICMP Echo Requests that have the destination address set to the subnet broadcast address
• Defense
  • Turn off the broadcast addressing feature
  • Configure the firewall to drop incoming pings
Fraggle Attacks
• A Smurf attack using UDP echo messages rather than ICMP echo requests
• Defense: have the firewall filter out incoming UDP echo requests
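As an added example (not part of the original slides), the following Python flags packet records that match the Denial-of-Service profiles above: Ping of Death, Smurf, Fraggle, chargen/echo UDP floods, Land, Teardrop overlaps and SYN floods. The packet records are constructed dicts; the field names, the sample traffic and the SYN-flood threshold are assumptions, not values from the slides.

```python
# Added example, not from the original slides: flag packets matching the DoS
# profiles above. Records are constructed dicts; a real deployment would fill them from a capture library.
from collections import defaultdict

IP_MAX_LEN = 65535  # largest legal IP datagram; anything longer is a Ping of Death

def classify_packet(pkt, subnet_broadcast, internal_prefix):
    """Return the attack profile names a single packet matches."""
    hits = []
    echo_req = pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8
    to_bcast = pkt["dst"] in (subnet_broadcast, "255.255.255.255")
    if echo_req and pkt["total_len"] > IP_MAX_LEN:
        hits.append("ping_of_death")          # oversized ICMP echo request
    if echo_req and to_bcast:
        hits.append("smurf")                  # echo request to the broadcast address
    if pkt["proto"] == "udp" and pkt.get("dport") == 7 and to_bcast:
        hits.append("fraggle")                # same trick with UDP echo (port 7)
    if pkt["proto"] == "udp" and {pkt.get("sport"), pkt.get("dport")} == {7, 19}:
        hits.append("udp_flood")              # chargen (19) feeding echo (7)
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S" and pkt["src"] == pkt["dst"]:
        hits.append("land")                   # SYN with source == destination
    return hits

def teardrop(frags):
    """True if fragments of one datagram overlap (offset/length in bytes)."""
    end = 0
    for f in sorted(frags, key=lambda f: f["offset"]):
        if f["offset"] < end:
            return True
        end = f["offset"] + f["length"]
    return False

def syn_flood_targets(pkts, threshold=50):
    """Destinations receiving at least `threshold` bare SYNs (assumed tuning value)."""
    counts = defaultdict(int)
    for p in pkts:
        if p["proto"] == "tcp" and p.get("flags") == "S":
            counts[(p["dst"], p["dport"])] += 1
    return {k for k, n in counts.items() if n >= threshold}

# Constructed sample traffic (not captured data): one Smurf ping, one Land SYN, then a SYN flood
SAMPLE = [
    {"proto": "icmp", "icmp_type": 8, "src": "10.0.0.5", "dst": "10.0.0.255", "total_len": 84},
    {"proto": "tcp", "flags": "S", "src": "10.0.0.9", "dst": "10.0.0.9", "dport": 80, "total_len": 60},
] + [{"proto": "tcp", "flags": "S", "src": f"203.0.113.{i}", "dst": "10.0.0.9", "dport": 80,
      "total_len": 60} for i in range(60)]

def report(pkts=SAMPLE, subnet_broadcast="10.0.0.255", internal_prefix="10.0.0."):
    per_packet = {i: classify_packet(p, subnet_broadcast, internal_prefix) for i, p in enumerate(pkts)}
    return {"flagged": {i: h for i, h in per_packet.items() if h}, "syn_flood": syn_flood_targets(pkts)}
```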
[...] and/or duplicate e-mails from the server
Malformed Message Attacks
• Send malformed messages
• Excessively large URLs to web servers
• Send random data to RPC services to try crashing them
• Try buffer overflows by malforming protocol fields
• Defense: keep up to date with vulnerability reports and patches from vendors for OEM products
Exploitation Attacks
• TCP/IP Connection Hijacking
• Layer-2 Connection...
[...] or VNC to give a remote user full access to your machine
• Usually installed from an e-mail attachment
Information Gathering Attacks
• Address Scanning
• Port Scanning
• Inverse Mapping
• Slow Scanning
• Architecture Probes
• DNS Zone Transfers
• Finger
• LDAP
• SNMP
Disinformation Attacks
• DNS Cache Pollution
• Registrar Usurpation
• Forged E-mail