Attack Examples
Denial of service attacks

Certainly the most publicized form of attack, DoS attacks are also among the most difficult to completely eliminate. Even within the hacker community, DoS attacks are regarded as trivial and considered bad form because they require so little effort to execute. Still, because of their ease of implementation and potentially significant damage, DoS attacks deserve special attention from security administrators. If you are interested in learning more about DoS attacks, researching the methods employed by some of the better-known attacks can be useful. DoS attacks take many forms. Ultimately, they prevent authorized people from using a service by using up system resources. The following are some examples of common DoS threats:

  • Ping of death – This attack modifies the IP portion of the header, indicating that there is more data in the packet than there actually is, causing the receiving system to crash.
  • SYN flood attack – This attack randomly opens up many TCP ports, tying up the network equipment or computer with so many bogus requests that sessions are thereby denied to others. This attack is accomplished with protocol analyzers or other programs.
  • Packet fragmentation and reassembly – This attack exploits a buffer-overrun bug in hosts or internetworking equipment.
  • E-mail bombs – Programs can send bulk e-mails to individuals, lists, or domains, monopolizing e-mail services.
  • CPU hogging – These attacks constitute programs such as Trojan horses or viruses that tie up CPU cycles, memory, or other resources.
  • Malicious applets – These attacks are Java, JavaScript, or ActiveX programs that act as Trojan horses or viruses to cause destruction or tie up computer resources.
  • Misconfiguring routers – Misconfiguring routers to reroute traffic disables web traffic.
  • The chargen attack – This attack establishes a connection between UDP services, producing a high character output. The host chargen service is connected to the echo service on the same or different systems, causing congestion on the network with echoed chargen traffic.
  • Out-of-band attacks such as WinNuke – These attacks send out-of-band data to port 139 on Windows 95 or Windows NT machines. The attacker needs the victim’s IP address to launch this attack.
  • Denial of Service – DoS can occur accidentally because of misconfigurations or misuse by legitimate users or system administrators.
  • Land.c – This program sends a TCP SYN packet that specifies the target host address as both source and destination. The program also uses the same port (such as 113 or 139) on the target host as both source and destination, causing the target system to stop functioning.
  • Teardrop.c – In this attack, the fragmentation process of the IP is implemented in such a way that reassembly problems can cause machines to crash.
  • Targa.c – This attack is a multi-platform DoS attack that integrates bonk, jolt, land, nestea, netear, syndrop, teardrop, and winnuke all into one exploit.
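
Several of the entries above are exact packet signatures, and a defender can check for them directly. The following Python is an added example, not code from the original text: it runs four checks over a constructed list of packet records, the Land.c source/destination match, a UDP loop between the chargen and echo ports, an oversized reassembled ICMP datagram (the ping-of-death case), and a count of half-open SYNs per source as a SYN-flood heuristic. The Packet record, the sample packets and the SYN_FLOOD_THRESHOLD value are assumptions made for the illustration.

```python
"""Signature checks for some of the DoS patterns listed above.

Added illustration, not part of the original text. The packet records and the
threshold are constructed; in practice they would come from a capture or a
flow export, and the threshold would be tuned to the link's normal SYN rate.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535      # largest legal reassembled IPv4 datagram
SYN_FLOOD_THRESHOLD = 5      # half-open SYNs from one source before flagging (constructed)


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""       # TCP flags, e.g. "S", "SA", "A"
    total_len: int = 0    # length of the reassembled datagram, for fragment checks


def is_land(p):
    """Land.c: a SYN whose source and destination address and port are identical."""
    return p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport


def is_chargen_echo_loop(p):
    """Chargen attack: UDP between chargen (19) and echo (7) feeds itself forever."""
    return p.proto == "udp" and p.sport in (7, 19) and p.dport in (7, 19)


def is_oversized_datagram(p):
    """Ping of death: fragments reassemble to more than IPv4 allows."""
    return p.proto == "icmp" and p.total_len > MAX_IP_DATAGRAM


def half_open_per_source(packets):
    """Count TCP flows per source that sent a SYN but never an ACK."""
    syn_flows = {}
    for p in packets:
        if p.proto != "tcp":
            continue
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            syn_flows.setdefault(flow, False)
        elif "A" in p.flags and flow in syn_flows:
            syn_flows[flow] = True    # the client completed the handshake
    counts = defaultdict(int)
    for (src, _, _, _), completed in syn_flows.items():
        if not completed:
            counts[src] += 1
    return dict(counts)


def scan(packets):
    """Return (packet index or source, rule) pairs for everything that matched."""
    findings = []
    for i, p in enumerate(packets):
        if is_land(p):
            findings.append((i, "land"))
        if is_chargen_echo_loop(p):
            findings.append((i, "chargen-echo loop"))
        if is_oversized_datagram(p):
            findings.append((i, "oversized datagram"))
    for src, n in half_open_per_source(packets).items():
        if n >= SYN_FLOOD_THRESHOLD:
            findings.append((src, "syn flood (%d half-open)" % n))
    return findings


# Constructed sample traffic: one of each signature plus a normal handshake.
SAMPLE = [
    Packet("tcp", "10.0.0.5", "10.0.0.5", 139, 139, "S"),       # Land signature
    Packet("udp", "10.0.0.7", "10.0.0.9", 19, 7),                # chargen -> echo
    Packet("icmp", "10.0.0.8", "10.0.0.9", total_len=65600),     # ping of death
    Packet("tcp", "10.0.0.2", "10.0.0.9", 40000, 80, "S"),       # normal three-way handshake
    Packet("tcp", "10.0.0.9", "10.0.0.2", 80, 40000, "SA"),
    Packet("tcp", "10.0.0.2", "10.0.0.9", 40000, 80, "A"),
] + [Packet("tcp", "203.0.113.4", "10.0.0.9", 50000 + k, 80, "S") for k in range(6)]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The Land and chargen/echo checks are exact signatures and can be applied to a single packet; the datagram-size and half-open-SYN checks are heuristics and will want a threshold that reflects the monitored link's normal traffic.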

Masquerade/IP Spoofing
With a masquerade attack, the network intruder can manipulate TCP/IP packets by IP spoofing, falsifying the source IP address, thereby appearing to be another user. The intruder assumes the identity of a valid user and gains that user’s access privileges by IP spoofing. IP spoofing occurs when intruders create IP data packets with falsified source addresses.

During an IP spoofing attack, an attacker outside the network pretends to be a trusted computer. The attacker may either use an IP address that is within the range of IP addresses for the network or use an authorized external IP address that is trusted and provides access to specified resources on the network.

Normally, an IP spoofing attack is limited to the injection of data or commands into an existing stream of data passed between a client and server application or a peer-to-peer network connection. The attacker simply does not worry about receiving any response from the applications.

To enable bi-directional communication, the attacker must change all routing tables to point to the spoofed IP address. Another approach the attacker could take is to simply not worry about receiving any response from the applications.

If an attacker manages to change the routing tables, they can receive all of the network packets that are addressed to the spoofed address and reply just as any trusted user can. Like packet sniffers, IP spoofing is not restricted to people who are external to the network.

Some tools used to perform IP spoofing attacks are as follows:

  • Protocol analyzers, also called password sniffers
  • Sequence number modification
  • Scanning tools that probe TCP ports for specific services, network or system architecture, and the OS

After obtaining information through scanning tools, the intruder looks for vulnerabilities associated with those entities.
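
The standard defence against the spoofing described above is ingress and egress filtering on the site's border (RFC 2827, BCP 38): a packet arriving from outside with an inside source address, or leaving with a source address the site does not own, is dropped. The following Python is an added example, not part of the original page; the INTERNAL_PREFIXES, the bogon list, the direction labels and the sample packets are all constructed for the illustration.

```python
"""Ingress/egress anti-spoofing check in the style of RFC 2827 (BCP 38).

Added illustration, not part of the original text. Prefixes, directions and
sample packets are constructed; a real filter would take the site's routed
address space from the router configuration.
"""
import ipaddress

# Address space this site owns (constructed). A packet carrying one of these
# source addresses but arriving from outside is claiming to be an inside host.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.1.0/24")]

# Source addresses that should never appear on a routed link at all.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16")]


def _in_any(addr, prefixes):
    return any(addr in net for net in prefixes)


def classify(direction, src):
    """Return 'accept' or a 'drop: ...' reason for one packet.

    direction is 'inbound' (entering from the outside) or 'outbound'
    (leaving toward the outside); src is the packet's source address.
    """
    addr = ipaddress.ip_address(src)
    if _in_any(addr, BOGON_PREFIXES):
        return "drop: bogon source"
    inside = _in_any(addr, INTERNAL_PREFIXES)
    if direction == "inbound" and inside:
        return "drop: internal source address from outside (spoofed)"
    if direction == "outbound" and not inside:
        return "drop: non-local source leaving the site (spoofed)"
    return "accept"


def filter_packets(records):
    """Apply classify() to (direction, src) pairs; returns (direction, src, verdict)."""
    return [(d, s, classify(d, s)) for d, s in records]


# Constructed sample: two legitimate packets and three that a BCP 38 filter drops.
SAMPLE = [
    ("inbound", "203.0.113.10"),    # ordinary remote client
    ("inbound", "10.0.0.5"),        # claims to be an inside host: spoofed
    ("inbound", "127.0.0.1"),       # loopback address on the wire: bogon
    ("outbound", "192.168.1.20"),   # our own host talking out
    ("outbound", "198.51.100.7"),   # inside host sending with a forged source
]

if __name__ == "__main__":
    for direction, src, verdict in filter_packets(SAMPLE):
        print(f"{direction:8} {src:15} {verdict}")
```

The outbound rule is the one that stops a site's own hosts from being used as a spoofing source against others; the inbound rule is what protects the site's trust relationships based on internal addresses.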
