Tuesday, December 2, 2008

Denial of service attacks and their prevention

Taking advantage of a known problem in the operating system or in any service running on the target, a skilled programmer can build an application that sends data crafted to crash the targeted system.

The worst case scenario is not when a hacker crashes a service, but when they find a way to drive CPU usage to its maximum, causing a total malfunction of the system.

1. SYN Floods

You should know that when a client and a server want to transmit data over the TCP protocol, a three-way handshake takes place:


  • The client asks for a connection with a SYN (synchronize) packet
  • The server replies to the client with a SYN-ACK (synchronize-acknowledge)
  • The client sends a third packet, an ACK, and the transmission of data starts.

The SYN flood works by sending SYN packets from forged IP addresses (IP spoofing). The server replies to each forged address with a SYN-ACK and then waits for an ACK that never comes. Done many times, this fills the server's table of half-open connections, so it is no longer able to open new connections and the service is effectively congested.

Another SYN flood variant involves sending the server a packet spoofed with the server's own address (say the server's IP is 192.168.1.20; you send a SYN packet from 192.168.1.20 to 192.168.1.20). Repeating this many times makes the server send SYN-ACK and ACK to itself, blocking it.

Defenses against this kind of attack limit the number of connections accepted from the same source within a given timeframe. SYN cookies also defer keeping any state for the connection until the sender's IP address is verified, that is, until the final ACK of the handshake proves that the address can actually receive packets.
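As an added illustration of the SYN cookie idea (example code, not from the original post or any real TCP stack): the server encodes a time counter and a keyed hash of the connection's addresses and ports into the initial sequence number of its SYN-ACK instead of storing a half-open connection, and creates state only when the client's ACK echoes a valid value. The secret key, counter period, validity window and the cookie layout are assumptions of this example; real stacks (Linux also packs the MSS into the cookie) differ in layout.

```python
import hashlib
import hmac
import struct
import time

# Simplified SYN cookie (example code, not the post's or any real stack's).
# Layout of the server ISN, relative to the client's ISN:
#   8-bit time counter | 24-bit keyed hash of (src, dst, sport, dport, counter)
SECRET = b"example-secret-rotate-me"   # assumption: secret held only by the server
COUNTER_PERIOD = 64                     # seconds per counter tick (assumed)
WINDOW = 2                              # ticks a cookie stays valid (assumed)


def _counter(now):
    return int(now // COUNTER_PERIOD) & 0xFF


def _mac(src_ip, dst_ip, sport, dport, counter):
    msg = struct.pack("!4s4sHHB", src_ip, dst_ip, sport, dport, counter)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]   # 24 bits


def make_cookie(src_ip, dst_ip, sport, dport, client_isn, now=None):
    """ISN to put in the SYN-ACK. No per-connection state is stored."""
    now = time.time() if now is None else now
    c = _counter(now)
    cookie = (c << 24) | int.from_bytes(_mac(src_ip, dst_ip, sport, dport, c), "big")
    return (client_isn + cookie) & 0xFFFFFFFF


def check_cookie(src_ip, dst_ip, sport, dport, client_isn, ack, now=None):
    """Validate the handshake's final ACK (ack must equal our ISN + 1).

    client_isn is recovered from the ACK's own sequence number minus one.
    True means the sender really received our SYN-ACK at this address, so
    it is safe to allocate connection state now."""
    now = time.time() if now is None else now
    cookie = (ack - 1 - client_isn) & 0xFFFFFFFF
    c, mac = cookie >> 24, (cookie & 0xFFFFFF).to_bytes(3, "big")
    if (_counter(now) - c) & 0xFF > WINDOW:
        return False                     # stale: a replay or a very old SYN-ACK
    return hmac.compare_digest(mac, _mac(src_ip, dst_ip, sport, dport, c))
```

Because the server stores nothing per SYN, a flood of spoofed SYNs costs it one hash per packet rather than one backlog entry each.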

2. SMURF attacks

In this kind of attack a massive amount of ping traffic (ICMP echo requests) is sent to the broadcast address of a network. The source IP address is spoofed to look like the target's. If this traffic is forwarded onto the network, every host replies with an echo reply to the target, believing it received an echo request (ping) from it. In a large network a targeted server, for example, can be flooded by hundreds of replies at once. By sending the spoofed packet several times, the server is flooded until it crashes from the overload.

This kind of attack was mostly patched by configuring routers not to forward directed-broadcast traffic onto the network.

3. LAND attacks

LAND attacks take advantage of open network services on the target. Using a port scanner, open ports and services are found. Then spoofed packets are sent whose source IP address equals the destination IP address (the server's own address), to make the server reply to itself. Say, for example, that it runs SNMP (Simple Network Management Protocol, a service used to report network and system usage). Making the SNMP service reply to itself continuously finally crashes it.

4. Ping of death

This type of DoS attack takes advantage of a known issue in Windows 9x and older NT machines, as well as Linux prior to 2.0.32. Many routers and printers older than 1998 are vulnerable to it too.
It works by sending a malformed ping packet. Usually ping packets are small (32 or 64 bytes by default). Older operating systems and devices could not handle a ping larger than the maximum IP packet size of 65535 bytes (defined by RFC 791): such a packet arrives as IP fragments whose reassembled length exceeds that limit. Sending a packet that is too large or otherwise malformed crashes any system that does not know how to handle it (e.g. on Windows 9x a blue screen of death was generated).
Patches are available on the web for all the old operating systems and devices concerned.

5. Ping flooding

This is probably the simplest DoS attack that exists, and also the most used. It works by overwhelming the target with echo requests (pings) carrying large payloads. The target's bandwidth is already occupied by these requests, and it floods itself further by starting to reply to them. Of course, the attacker must have more bandwidth than the target (for example flooding a dial-up user from a 1 Mbps connection).
As servers' bandwidth increased, this type of attack became useless for a single ADSL user, for instance.
The "problem" was solved by using multiple hosts, creating the first DDoS (distributed denial of service) attacks.
A DDoS attack works by owning, say, 50 boxes, each with 1 Mbps of bandwidth. The attacker then uses all of them to ping flood the target, creating a huge amount of traffic at the host.
Stacheldraht, for example, is a console that connects to owned boxes running the Stacheldraht server and coordinates the attacks from a single point.
The solution to this type of attack is the firewall, which filters the flood so that no echo replies are sent. Of course, firewalls can be crashed as well.
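As an added example (not from the post) of what a host firewall does with a ping flood: a per-source token bucket answers echo requests at a normal rate, and once a source has exhausted its allowance its requests are dropped (so no echo replies go out) and that sender is ignored for a while, the same behaviour the firewall section below describes for known attack patterns. The rate, burst and ban duration are assumed values, and the packet records are constructed.

```python
from collections import defaultdict

# Example code, not from the post: a per-source limiter for ICMP echo requests.
RATE_PER_SEC = 5      # sustained echo requests answered per source (assumed)
BURST = 10            # short burst allowed before the bucket runs dry (assumed)
BAN_SECONDS = 60      # how long a flooding source is ignored afterwards (assumed)


class EchoLimiter:
    """Token bucket per source address plus a temporary ban for floods."""

    def __init__(self):
        self.buckets = {}       # src -> (tokens, time of last update)
        self.banned_until = {}  # src -> time when the ban lifts

    def allow(self, src, now):
        """True if an echo request from src arriving at time now should be answered."""
        if self.banned_until.get(src, 0.0) > now:
            return False
        tokens, last = self.buckets.get(src, (BURST, now))
        tokens = min(BURST, tokens + (now - last) * RATE_PER_SEC)  # refill
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return True
        # Bucket empty: this source is flooding. Drop the request (so no echo
        # reply is sent) and ignore the sender for a while, as a firewall does.
        self.buckets[src] = (0.0, now)
        self.banned_until[src] = now + BAN_SECONDS
        return False


def filter_echo(packets, limiter=None):
    """packets: iterable of (timestamp, src_ip, kind). Returns {src: (answered, dropped)}."""
    if limiter is None:
        limiter = EchoLimiter()
    stats = defaultdict(lambda: [0, 0])
    for ts, src, kind in packets:
        if kind != "echo-request":      # only echo requests are rate limited
            continue
        stats[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


# Constructed traffic: one normal host pinging once a second, and one host
# sending 100 echo requests within a tenth of a second, then trying again later.
NORMAL = [(float(i), "198.51.100.7", "echo-request") for i in range(20)]
FLOOD = [(i * 0.001, "203.0.113.9", "echo-request") for i in range(100)]
FLOOD += [(30.0, "203.0.113.9", "echo-request"), (100.0, "203.0.113.9", "echo-request")]
```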

6. Fraggle attacks

A fraggle attack takes place when an attacker sends a massive amount of UDP echo data to network broadcast addresses, using the target's IP as the packets' source. All hosts reply to the target, flooding it. It usually uses UDP port 7 (echo). This code was written by the same person who wrote the smurf attack.

7. Teardrop attacks

This attack involves packets sent by the attacker to the target with oversized payloads. It exploits a bug in the TCP/IP protocol stack, crashing the system. Only Windows 3.11, 95 and Linux prior to 2.0.32 were vulnerable to this kind of attack.
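Ping of death and teardrop both abuse IP fragment reassembly, so the defender-side fix for both is a sanity check before the fragments are put back together. This added example (not from the post) validates one datagram's fragments: it rejects any fragment whose end would push the reassembled datagram past the 65535-byte limit of RFC 791 (ping of death), rejects fragments that overlap already accepted ones (the teardrop-style malformed fragment train), and checks that the pieces are contiguous. The fragment records are constructed, and the 20-byte header length is an assumption noted in the code.

```python
from dataclasses import dataclass

IP_MAX_LEN = 65535   # RFC 791: the total length field is 16 bits
IP_HDR_LEN = 20      # assumption for this example: header without options


@dataclass
class Fragment:
    offset: int        # fragment offset field, in 8-byte units
    more: bool         # "more fragments" (MF) flag
    payload_len: int   # bytes of data carried by this fragment


def check_fragment(frag):
    """Return a reason to drop this fragment, or None if it is acceptable."""
    end = frag.offset * 8 + frag.payload_len
    if end + IP_HDR_LEN > IP_MAX_LEN:             # ping of death
        return "reassembled length %d exceeds %d" % (end + IP_HDR_LEN, IP_MAX_LEN)
    if frag.more and frag.payload_len % 8:
        return "non-final fragment is not a multiple of 8 bytes"
    return None


def reassemble(frags):
    """Return (payload length, None) for a sane datagram, else (None, reason)."""
    covered, total = [], None                     # accepted (start, end) ranges
    for f in frags:
        reason = check_fragment(f)
        if reason:
            return None, reason
        start, end = f.offset * 8, f.offset * 8 + f.payload_len
        for s, e in covered:
            if start < e and s < end:             # teardrop-style overlap
                return None, "overlapping fragment at %d-%d" % (start, end)
        covered.append((start, end))
        if not f.more:
            if total is not None:
                return None, "two final fragments"
            total = end                           # final fragment fixes the size
    if total is None:
        return None, "incomplete: no final fragment"
    pos = 0
    for s, e in sorted(covered):
        if s != pos:
            return None, "incomplete: gap at offset %d" % pos
        pos = e
    if pos != total:
        return None, "data beyond the final fragment"
    return total, None
```

A stack that applies these checks drops the bad datagram instead of writing past its reassembly buffer, which is what the patches mentioned above did.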

8. Other types of attacks

Other types of attack involve application flooding, such as the IRC raw-line floods sent by bots, which usually crash Windows boxes running mIRC or any other client. These attacks rely on a greater number of raw socket transactions than the computer can handle.

HOW TO PROTECT YOUR COMPUTER FROM ATTACKS

First of all, firewalls (in networking) represent the virtual barrier between your computer and other parts of the network (usually the Internet).
From the home user's point of view, a software firewall is the best choice. You should also know that hardware firewalls exist too, in the form of dedicated equipment placed so as to form demilitarized zones (DMZ). That means it forms a border between the local network and, usually, the Internet (depending on the needs). This equipment is expensive and requires good configuration knowledge, which is why it is considered a professional solution implemented in large networks.
Overall, a firewall's main goal is to filter unwanted traffic going both in and out.
How does it do it?
Well, firstly, a good firewall will override applications' permissions. This means it will ask for your approval before allowing an application to access the outer network. You can deny access to any application you don't want sending information over the network (useful when infected with a Trojan that connects to other hosts and lets them take control of your station). This rule applies to all programs, even usually trusted ones. In the picture below you have an example applied to Yahoo Messenger.


Secondly, a firewall blocks common DoS (Denial of Service) attacks sent to your computer, in theory at least. This includes SYN floods, Ping of death and many other known attacks. It works by ignoring all traffic that matches a known pattern and then ignoring that sender for a period of time. I know that these kinds of organized attacks look like a long shot, but you will be surprised to see how many people scan your computer for different things and try to get in. Here is part of a firewall log to give a picture of what happens when you are connected to the Internet.


Another useful thing a firewall usually does is filter ports. If you have an application that acts as a server, it opens some ports (virtual access points for data) to listen for requests from the network. Someone could "plant" such an application on your PC without you even knowing it, and if it is some kind of management software, an antivirus would not find it suspicious and block it. This way people can gain administrative access to your computer. A firewall will alert you whenever an application starts listening for connections from the network. This cuts both ways, of course: if you do have a server-type application such as an FTP server or a remote administration tool, your firewall will usually block it by default. You have to search the firewall's settings (these menus come in different forms depending on the vendor) and open that port manually. It's simple on most firewalls aimed at home users.
If you don't use any firewall software you should get one as soon as possible, provided your computer is connected to any kind of network or the Internet; otherwise it's useless.
I personally recommend ZoneAlarm (it exists in a freeware version and a paid one that comes with an antivirus too; you can get it from http://www.oldversion.com/program.php?n=zalarm) or Sygate Personal Firewall (get it from http://www.oldversion.com/program.php?n=sygate).
After installing it, the first thing you should do is set up your program access rights. So when you are asked for confirmation for, say, Mozilla Firefox to access the Internet, tick the option that tells it to use this setting next time and accept it. It will never ask you for that confirmation again.




Computers made easy 4all, Copyright © 2009