DoS (Denial of Service) :
It is an attack through which a person can render a system unusable, or significantly slow it down for legitimate users, by overloading its resources.
Attempt to flood a network, thereby preventing legitimate network traffic
Attempt to disrupt connections between two machines, thereby preventing access to a service
Attempt to prevent a particular individual/system from accessing a service.
Distributed Denial of Service (DDoS) :
One in which a multitude of compromised systems attack a single target.
The Impact: disabled network, disabled organization, financial loss, loss of goodwill.
The Modes: consumption of scarce, limited, or non-renewable resources such as network bandwidth, memory, disk space, CPU time, data structures, and certain environmental resources such as power, cool air, or even water; destruction or alteration of configuration information; physical destruction or alteration of network components.
Smurf Attack : The attacker generates a large amount of ICMP echo (ping) traffic to a network broadcast address with a spoofed source IP set to a victim host. The result will be lots of ping replies (ICMP Echo Reply) flooding the spoofed host.
Buffer Overflow Attack : Buffer overflow occurs any time the program writes more information into the buffer than the space allocated in memory. The attacker can overwrite the data that controls the program execution path and hijack the control of the program to execute the attacker's code instead of the process code. Sending email messages that have attachments with 256-character file names can cause buffer overflow.
There are two main types of buffer overflow attacks: stack based and heap based. Heap-based attacks flood the memory space reserved for a program, but the difficulty involved with performing such an attack makes them rare. Stack-based buffer overflows are by far the most common.
In a stack-based buffer overrun, the program being exploited uses a memory object known as a stack to store user input. Normally, the stack is empty until the program requires user input. At that point, the program writes a return memory address to the stack and then the user's input is placed on top of it. When the stack is processed, the user's input gets sent to the return address specified by the program.
However, a stack does not have an infinite potential size. The programmer who develops the code must reserve a specific amount of space for the stack. If the user's input is longer than the amount of space reserved for it within the stack, then the stack will overflow. This in itself isn't a huge problem, but it becomes a huge security hole when combined with malicious input.
For example, suppose a program is waiting for a user to enter his or her name. Rather than enter the name, the hacker would enter an executable command that exceeds the stack size. The command is usually something short. In a Linux environment, for instance, the command is typically EXEC("sh"), which tells the system to open a command prompt window, known as a root shell in Linux circles.
Yet overflowing the buffer with an executable command doesn't mean that the command will be executed. The attacker must then specify a return address that points to the malicious command. The program partially crashes because the stack overflowed. It then tries to recover by going to the return address, but the return address has been changed to point to the command specified by the hacker. Of course this means that the hacker must know the address where the malicious command will reside. To get around needing the actual address, the malicious command is often padded on both sides by NOP instructions, a type of pointer. Padding on both sides is a technique used when the exact memory range is unknown. Therefore, if the address the hacker specifies falls anywhere within the padding, the malicious command will be executed.
The last part of the equation is the executable program's permissions. As you know, most modern operating systems have some sort of mechanism to control the access level of the user who's currently logged on, and executable programs typically require a higher level of permissions. These programs therefore run either in kernel mode or with permissions inherited from a service account. When a stack-overflow attack runs the command found at the new return address, the program thinks it is still running normally. This means that the command prompt window that has been opened is running with the same set of permissions as the application that was compromised. Generally speaking, this often means that the attacker will gain full control of the operating system.
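The defect described above, as an added example (not code from the original post): an unbounded strcpy into a fixed stack buffer next to a version that measures the input first and refuses anything that would not fit. The buffer size, function names and the 40-byte sample input are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 16   /* bytes reserved on the stack for the name, NUL included */

/* Unsafe version: strcpy copies until it sees the input's NUL byte and never
 * looks at the size of 'name'. An input of 16 or more bytes runs past the
 * buffer into whatever the compiler placed above it on the stack, which is
 * the defect the text describes. Shown for contrast only. */
void store_name_unsafe(const char *input, char *out)
{
    char name[NAME_CAP];
    strcpy(name, input);      /* no bounds check */
    strcpy(out, name);
}

/* Hardened version: measure the input first, refuse anything that would not
 * fit together with its terminating NUL, and copy with an explicit length.
 * Returns 0 on success and -1 when the input is rejected; 'out' is left
 * untouched on rejection so callers cannot use a half-written name. */
int store_name_safe(const char *input, char *out, size_t out_cap)
{
    size_t len = strlen(input);
    if (len >= NAME_CAP || len >= out_cap)
        return -1;            /* would overflow 'name' or 'out' */
    char name[NAME_CAP];
    memcpy(name, input, len);
    name[len] = '\0';
    memcpy(out, name, len + 1);
    return 0;
}

/* Demo driver with a constructed over-long input (not taken from any real
 * attack): returns what the safe path does with a 40-byte name. */
int safe_rejects_overlong(void)
{
    char out[NAME_CAP];
    char input[41];
    memset(input, 'A', 40);
    input[40] = '\0';
    return store_name_safe(input, out, sizeof out);
}

int main(void)
{
    char out[NAME_CAP];
    printf("short name: %d\n", store_name_safe("Alice", out, sizeof out));
    printf("40-byte name: %d\n", safe_rejects_overlong());
    return 0;
}
```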
Ping of Death Attack : Fragmentation allows a single IP packet to be broken down into smaller segments. The fragments can add up to more than the allowed 65,536 bytes. The operating system, unable to handle oversized packets, freezes, reboots, or simply crashes.
Teardrop Attack : IP requires that a packet that is too large for the next router to handle be divided into fragments. The attacker puts a confusing offset value in the second or later fragment. If the receiving operating system is not able to reassemble the fragments accordingly, it can crash the system. It is a UDP attack that uses overlapping offset fields to bring down hosts.
The Unnamed Attack : A variation of the Teardrop attack. Fragments are not overlapping, but gaps are incorporated.
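The three fragment attacks above share one root cause: a reassembly routine that trusts the offset and length fields. The checker below is an added example (not from the original post) of validating a fragment train before reassembly; it tracks filled 8-byte units in a bitmap so that an oversized datagram (Ping of Death), an overlap (Teardrop) and a hole left after the last fragment (the unnamed variant) are each reported. The struct layout, result codes and the sample trains are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define IP_MAX_DATAGRAM 65535u      /* 16-bit total-length field */
#define FRAG_UNIT 8u                /* offset field counts 8-byte units */
#define UNITS (IP_MAX_DATAGRAM / FRAG_UNIT + 1)   /* 8192 units */

typedef struct {
    uint16_t offset_units;  /* IP fragment-offset field (13 bits) */
    uint16_t len;           /* payload bytes in this fragment */
    int more_fragments;     /* MF flag: 0 marks the last fragment */
} frag_t;

enum { FRAG_OK = 0, FRAG_OVERSIZED, FRAG_OVERLAP, FRAG_GAP, FRAG_NO_LAST };

/* Validates a fragment train (any arrival order) before reassembly. A bitmap
 * records which 8-byte units are filled, so an overlap (Teardrop), an
 * oversized datagram (Ping of Death) or a hole left after the last fragment
 * (the "unnamed" variant) is reported instead of reaching the buffer. */
int check_reassembly(const frag_t *frags, size_t n)
{
    uint8_t seen[UNITS / 8] = {0};
    uint32_t total = 0, have_last = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t start = (uint32_t)frags[i].offset_units * FRAG_UNIT;
        uint32_t end = start + frags[i].len;              /* exclusive */
        if (end > IP_MAX_DATAGRAM)
            return FRAG_OVERSIZED;
        for (uint32_t u = frags[i].offset_units; u < (end + 7) / FRAG_UNIT; u++) {
            if (seen[u / 8] & (1u << (u % 8)))
                return FRAG_OVERLAP;
            seen[u / 8] |= (uint8_t)(1u << (u % 8));
        }
        if (!frags[i].more_fragments) { have_last = 1; total = end; }
    }
    if (!have_last)
        return FRAG_NO_LAST;    /* incomplete; a reassembly timer would expire it */
    for (uint32_t u = 0; u < (total + 7) / FRAG_UNIT; u++)
        if (!(seen[u / 8] & (1u << (u % 8))))
            return FRAG_GAP;
    return FRAG_OK;
}

/* Constructed sample trains (not captured traffic), one per case above. */
int demo(int scenario)
{
    static const frag_t normal[]    = {{0, 1480, 1}, {185, 1480, 1}, {370, 100, 0}};
    static const frag_t teardrop[]  = {{0, 1480, 1}, {100, 1000, 0}};
    static const frag_t oversized[] = {{8190, 100, 0}};
    static const frag_t holes[]     = {{0, 1480, 1}, {370, 100, 0}};
    if (scenario == 0) return check_reassembly(normal, 3);
    if (scenario == 1) return check_reassembly(teardrop, 2);
    if (scenario == 2) return check_reassembly(oversized, 1);
    return check_reassembly(holes, 2);
}
```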
SYN Attack : The attacker sends bogus TCP SYN requests to a victim server. The host allocates resources (memory, sockets) to the connection, which prevents the server from responding to legitimate requests. This attack exploits the three-way handshake. Malicious flooding of the victim's system with large volumes of TCP SYN packets with spoofed source IP addresses can cause DoS.
Initially, after receiving a connection request (a packet with the SYN flag set), a victim host puts this half-open connection in the backlog queue and sends out the first response (a packet with the SYN and ACK flags set). When the victim does not receive a response from the remote host, it tries to retransmit this SYN+ACK packet until it times out, and then finally removes this half-open connection from the backlog queue. In some operating systems this process for a single SYN request can take about 3 minutes! The other important thing to know is that the operating system can handle only a defined number of half-open connections in the backlog queue. This number is controlled by the size of the backlog queue. For instance, the default backlog size is 256 for RedHat 7.3 and 100 for Windows 2000 Professional. When this size is reached, the system will no longer accept incoming connection requests.
SYN Flooding : A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host but never replying to the SYN+ACK.
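The backlog mechanism described above, as an added example (not from the original post): a small model of the listen queue with the page's numbers (256 or 100 slots, a 180-second retransmission timeout) that shows when unanswered SYNs leave no slot for a legitimate client and how shrinking the timeout changes the outcome. The per-second time model and all function names are assumptions for illustration.

```c
#include <stdio.h>
#define MAX_BACKLOG 1024

/* Listening socket's backlog queue: each slot holds the arrival second of one
 * half-open connection (SYN received, SYN+ACK sent, ACK not yet seen), or -1
 * when free. A slot is released only when the SYN+ACK retries time out. */
typedef struct {
    int slot[MAX_BACKLOG];
    int size;      /* configured backlog size, e.g. 256 or 100 */
    int timeout;   /* seconds a half-open entry is kept, e.g. 180 */
} backlog_t;

void backlog_init(backlog_t *b, int size, int timeout)
{
    b->size = size > MAX_BACKLOG ? MAX_BACKLOG : size;
    b->timeout = timeout;
    for (int i = 0; i < b->size; i++)
        b->slot[i] = -1;
}

/* A SYN arrives at 'now': expire stale entries, then take a free slot.
 * Returns 1 if the SYN is queued, 0 if the queue is full and it is dropped. */
int backlog_syn(backlog_t *b, int now)
{
    int free_index = -1;
    for (int i = 0; i < b->size; i++) {
        if (b->slot[i] >= 0 && now - b->slot[i] >= b->timeout)
            b->slot[i] = -1;                 /* retransmissions gave up */
        if (b->slot[i] < 0 && free_index < 0)
            free_index = i;
    }
    if (free_index < 0) return 0;
    b->slot[free_index] = now;
    return 1;
}

/* Every second up to 'seconds', 'flood_per_sec' SYNs arrive that are never
 * acknowledged; in the last second a legitimate client's SYN follows them.
 * Returns 1 if the legitimate client is queued, 0 if it is turned away. */
int legit_accepted(int size, int timeout, int flood_per_sec, int seconds)
{
    backlog_t b;
    backlog_init(&b, size, timeout);
    for (int s = 0; s <= seconds; s++)
        for (int k = 0; k < flood_per_sec; k++)
            backlog_syn(&b, s);
    return backlog_syn(&b, seconds);
}

int main(void)
{
    printf("256 slots, 180 s, 2 unanswered SYN/s: legit accepted = %d\n",
           legit_accepted(256, 180, 2, 300));
    return 0;
}
```

The queue stays full whenever the unanswered-SYN rate exceeds backlog size divided by timeout, which is why a shorter retransmission timeout or a larger backlog raises the bar for the attack.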
DoS Attack Tools :
Jolt2 : A denial of service attack against Windows-based machines that consumes 100% of the CPU time on processing the illegal packets. Cisco routers and other gateways may be vulnerable.
Bubonic.c : Against Windows 2000. It works by randomly sending TCP packets with random settings with the goal of increasing the load on the machine so that it eventually crashes.
Land and LaTierra : IP spoofing in combination with the opening of a TCP connection. Both IP addresses, source and destination, are modified to be the same, namely the address of the destination host. This results in the packet being sent back to itself, because the addresses are the same.
Targa : Eight different DoS attacks. It integrates bonk, jolt, land, nestea, netear, syndrop, teardrop, and winnuke into one multi-platform DoS attack.
Blast : A small, quick TCP service stress test tool that does a large amount of work quickly and can spot potential weaknesses in your network servers.
Nemesy : Generates random packets (protocol, port, etc.).
Panther2 : A UDP-based attack designed for 28.8-56k connections. It comes under flooder (overloads a connection by any mechanism, such as fast pinging, causing a DoS attack).
Crazy Pinger : Sends large ICMP packets to a remote target network.
SomeTrouble : A remote flooder with 3 remote functions: Mail Bomb (Self Resolve for Smtp), Icq Bomb, Net Send Flood.
ICQ (a homophone for the phrase "I seek you") is a popular instant messaging program, first developed by the Israeli company Mirabilis and now owned by AOL.
Net send is a Windows command that sends messages to other users, computers, or messaging names on the network.
UDP Flood : Sends out UDP packets to the specified IP and port at a controllable rate. Packets can be made from a typed text string, a given number of random bytes, or data from a file.
FSMax : A scriptable server stress testing tool. It takes a text file as input and runs a server through a series of tests based on the input. The purpose of this tool is to find buffer overflows or DoS points in a server.