Certainly the most publicized form of attack, DoS attacks are also
among the most difficult to completely eliminate. Even within the hacker
community, DoS attacks are regarded as trivial and considered bad form because
they require so little effort to execute. Still, because of their ease of
implementation and potentially significant damage, DoS attacks deserve special
attention from security administrators. If you are interested in learning more
about DoS attacks, researching the methods employed by some of the better-known
attacks can be useful. DoS attacks take many forms. Ultimately, they prevent
authorized people from using a service by using up system resources. The
following are some examples of common DoS threats:
- Ping of death – This attack modifies the IP portion of the header,
indicating that there is more data in the packet than there actually is,
causing the receiving system to crash.
- SYN flood attack – This attack randomly opens up many TCP ports,
tying up the network equipment or computer with so many bogus requests that
sessions are thereby denied to others. This attack is accomplished with
protocol analyzers or other programs.
- Packet fragmentation and reassembly – This attack exploits a
buffer-overrun bug in hosts or internetworking equipment.
- E-mail bombs – Programs can send bulk e-mails to individuals, lists,
or domains, monopolizing e-mail services.
- CPU hogging – These attacks constitute programs such as Trojan
horses or viruses that tie up CPU cycles, memory, or other resources.
- Malicious applets – These attacks are Java, JavaScript, or ActiveX
programs that act as Trojan horses or viruses to cause destruction or tie up
computer resources.
- Misconfiguring routers – Misconfiguring routers to reroute traffic
disables web traffic.
- The chargen attack – This attack establishes a connection between
UDP services, producing a high character output. The host chargen service is
connected to the echo service on the same or different systems, causing
congestion on the network with echoed chargen traffic.
- Out-of-band attacks such as WinNuke – These attacks send out-of-band
data to port 139 on Windows 95 or Windows NT machines. The attacker needs the
victim's IP address to launch this attack.
- Denial of Service – DoS can occur accidentally because of
misconfigurations or misuse by legitimate users or system administrators.
- Land.c – This program sends a TCP SYN packet that specifies the
target host address as both source and destination. The program also uses the
same port (such as 113 or 139) on the target host as both source and
destination, causing the target system to stop functioning.
- Teardrop.c – In this attack, the fragmentation process of the IP is
implemented in such a way that reassembly problems can cause machines to crash.
- Targa.c – This attack is a multi-platform DoS attack that integrates
bonk, jolt, land, nestea, netear, syndrop, teardrop, and winnuke all into one
exploit.
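Several of the entries above describe conditions that a defender can recognize from a single packet header. The following added example (not part of the original text) shows header-level checks for three of them: a LAND packet (TCP SYN with identical source and destination address and port), a UDP chargen/echo loop between ports 19 and 7, and a fragment whose offset plus length would reassemble past the 65535-byte IPv4 maximum, as in the ping of death. The PacketHeader structure and the sample headers are constructed for this example.

```python
from dataclasses import dataclass
from typing import List

MAX_IPV4_DATAGRAM = 65535   # largest legal IPv4 total length, header included
CHARGEN_PORT, ECHO_PORT = 19, 7

@dataclass
class PacketHeader:
    """Constructed, minimal header summary (not a real capture format)."""
    src_ip: str
    dst_ip: str
    proto: str              # "tcp", "udp" or "icmp"
    src_port: int = 0       # 0 for protocols without ports
    dst_port: int = 0
    syn: bool = False       # TCP SYN flag set
    frag_offset: int = 0    # fragment offset in bytes (IP field value * 8)
    payload_len: int = 0    # bytes of data carried by this fragment

def is_land(pkt: PacketHeader) -> bool:
    """LAND: a TCP SYN whose source and destination address AND port match."""
    return (pkt.proto == "tcp" and pkt.syn
            and pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port)

def is_chargen_echo_loop(pkt: PacketHeader) -> bool:
    """UDP between chargen (19) and echo (7): each reply feeds the other."""
    return pkt.proto == "udp" and {pkt.src_port, pkt.dst_port} == {CHARGEN_PORT, ECHO_PORT}

def is_oversized_fragment(pkt: PacketHeader) -> bool:
    """Fragment that would reassemble beyond the IPv4 maximum (ping-of-death style)."""
    return pkt.frag_offset + pkt.payload_len > MAX_IPV4_DATAGRAM

def classify(pkt: PacketHeader) -> List[str]:
    """Return the names of every DoS signature the header matches (empty if none)."""
    hits = []
    if is_land(pkt):
        hits.append("land")
    if is_chargen_echo_loop(pkt):
        hits.append("chargen-echo-loop")
    if is_oversized_fragment(pkt):
        hits.append("oversized-fragment")
    return hits

# Constructed sample headers: one of each signature plus a normal SYN to a web server
SAMPLES = [
    PacketHeader("10.0.0.5", "10.0.0.5", "tcp", 139, 139, syn=True),
    PacketHeader("10.0.0.7", "10.0.0.9", "udp", 19, 7),
    PacketHeader("10.0.0.7", "10.0.0.9", "icmp", frag_offset=65528, payload_len=1480),
    PacketHeader("10.0.0.7", "10.0.0.9", "tcp", 40000, 80, syn=True),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt.src_ip, "->", pkt.dst_ip, classify(pkt) or ["benign"])
```

The fragment check is per-packet only; catching a datagram whose fragments individually stay within bounds but overlap on reassembly (the teardrop case) requires tracking reassembly state across packets.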
Masquerade/IP Spoofing
With a masquerade attack, the network
intruder can manipulate TCP/IP packets by IP spoofing, falsifying the source IP
address, thereby appearing to be another user. The intruder assumes the
identity of a valid user and gains that user’s access privileges by IP
spoofing. IP spoofing occurs when intruders create IP data packets with
falsified source addresses.
During an IP spoofing attack, an attacker
outside the network pretends to be a trusted computer. The attacker may either
use an IP address that is within the range of IP addresses for the network or
use an authorized external IP address that is trusted and provides access to
specified resources on the network.
Normally, an IP spoofing attack is
limited to the injection of data or commands into an existing stream of data
passed between a client and server application or a peer-to-peer network
connection, because the attacker never sees the replies. The attacker can
simply not worry about receiving any response from the applications.
To enable bi-directional communication instead, the attacker must change all
routing tables to point to the spoofed IP address.
If an attacker manages to change the
routing tables, they can receive all of the network packets that are addressed
to the spoofed address and reply just as any trusted user can. Like packet
sniffing, IP spoofing is not restricted to people who are external to the
network.
Some tools used to perform IP spoofing attacks are as follows:
- Protocol analyzers, also called password sniffers
- Sequence number modification
- Scanning tools that probe TCP ports for specific services, network or
system architecture, and the OS
After obtaining information through scanning tools, the intruder looks
for vulnerabilities associated with those entities.