
Network attacks and something else

Introduction to Network Attacks

Brief descriptions of network attacks

Data fragmentation

Fragmented IP Transmission

Ping flooding attack

PingOfDeath or SSPing

UDP bomb

SYN flooding

Custom IP Encapsulated Protocols

Using TFTP

Smurf attack

Land attack

Introducing a false server into the Internet by creating a directed "storm" of false DNS answers to the attacked host

Introducing a false server into the Internet by intercepting a DNS query or creating a directed “storm” of false DNS answers to the attacked DNS server

Introducing a false DNS server on the Internet by intercepting a DNS query

DNS flooding attack

DNS attack spoofing

IP spoofing attack

Imposing packets

Sniffing - listening to the channel (only possible in the local network segment)

Packet capture on the router

Imposing a False Route to a Host Using ICMP

Winnuke

False ARP Server

TCP sequence number prediction (IP spoofing)

Local storm

IP hijacking

Detecting and defending attacks

Scan Methods

Using ARP

Network scan through DNS

UDP bomb

TCP port scan

UDP port scan

Stealth scan

Passive scan

The system login banner and the danger of the information it contains

A few tips when researching the network

Some other ways to get information

Holes and administrative errors in Windows NT

Spamming

How to protect the mail system from spammers

How spammers work

Holes in IIS, WWW, FTP

Introduction to Network Attacks

The growing interest in TCP/IP networks is due to the rapid growth of the Internet. That growth, however, forces you to think about how to protect your information resources from attacks originating in an external network: if you are connected to the Internet, your system may be attacked. The IP protocols are the foundation on which both intranets and the global Internet are built. Although TCP/IP was funded by the US Department of Defense, it is not completely secure and permits the various types of attacks discussed in this chapter. To carry out such attacks, a potential attacker must control at least one system connected to the Internet.

One approach to analysing threats to the security of computer systems is to separate out, as a class of their own, the threats inherent only in computer networks. We will call this class of threats the class of remote attacks. This classification is justified by the fundamental features of how network operating systems are built. The main feature of any network operating system is that its components are distributed in space, and communication between them is carried out physically over special network connections (coaxial cable, twisted pair, fibre, etc.) and programmatically through a message-passing mechanism. All control messages and data that one component of the network OS sends to another travel over these network connections as exchange packets. This feature is the main reason a new class of threats, remote attacks, has appeared. In this type of attack the attacker interacts with the recipient of the information, the sender and/or the intermediate systems, possibly modifying and/or filtering the contents of TCP/IP packets. These attacks often seem technically difficult to implement, but for a good programmer writing the appropriate tools is not hard.

The ability to generate arbitrary IP packets is the key requirement for carrying out active attacks. Remote attacks can be classified by the type of impact: active or passive. Active attacks fall into two groups. In the first, the attacker takes steps to intercept and modify the network stream, or attempts to "pretend" to be another system. In the second, the TCP/IP protocol is used to bring the victim system down. In passive attacks the attacker does not reveal himself in any way and does not interact directly with other systems; everything comes down to monitoring the available data or communication sessions, although passive attacks can still violate the network security policy. The idea behind attack detection is simple: every attack corresponds to some specific network traffic, so traffic analysis makes it possible to identify the attack and to find the attacker's "traces", that is, to determine the IP addresses from which the impact was carried out. Attack detection therefore consists of monitoring information flows, which is achieved by analysing network traffic.

Brief descriptions of network attacks

It should be remembered that crude methods such as pinging with large packets or SYN flooding can overwhelm any Internet-connected machine or subnet, regardless of its configuration.

Data fragmentation

When an IP packet is transmitted over the network it can be split into several fragments; on reaching the destination, the packet is reassembled from these fragments. An attacker can initiate the sending of a large number of fragments, which leads to overflow of software buffers on the receiving side and, in some cases, to a system crash.

Transmission of fragmented IP packets with a total size of more than 64 KB

The number of attack implementations that use the ability to fragment IP packets is quite large. Several fragmented IP packets are sent to the victim computer which, when reassembled, form one packet larger than 64 KB (the maximum size of an IP packet is 64 KB minus the header length). This attack was effective against computers running Windows: on receiving such a packet, a Windows NT system without the special icmp-fix patch freezes or crashes. Other variants of this attack use incorrect offsets in the IP fragments, which leads to incorrect memory allocation, buffer overflows and, ultimately, system malfunction.

Countermeasure: to detect such attacks, packet reassembly must be carried out and analysed on the fly, which significantly increases hardware requirements.
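The on-the-fly reassembly check mentioned above can be made concrete. The following is an added example (not code from the original article): it takes the fragments of one IP datagram as (offset, length, more-fragments) records and reports the conditions a defender would flag before handing the data to a stack, namely a reassembled size over the 65535-byte IP maximum, overlapping or misaligned fragment offsets, and an inconsistent MF flag. The fragment sets used below are constructed for the example.

```python
"""Added example: sanity checks for a captured IP fragment train.

Models the reassembly analysis a detector performs: the total size of
the reassembled datagram must not exceed the 16-bit IP total length,
fragment offsets must be 8-byte aligned and must not overlap earlier
data, and exactly one fragment (the one at the highest offset) may
clear the MF flag. Inputs are constructed tuples, not live packets.
"""
from dataclasses import dataclass

IP_MAX_PACKET = 65535  # the IP total-length field is 16 bits wide


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload (header value * 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # MF flag: True if more fragments follow


def check_fragments(frags):
    """Return a list of problem strings; an empty list means the train looks sane."""
    problems = []
    ordered = sorted(frags, key=lambda f: f.offset)

    # The reassembled size is the end of the furthest-reaching fragment.
    total = max((f.offset + f.length for f in ordered), default=0)
    if total > IP_MAX_PACKET:
        problems.append(f"reassembled size {total} exceeds {IP_MAX_PACKET} bytes")

    # The header encodes offset/8, so every real offset must be a multiple of 8.
    for f in ordered:
        if f.offset % 8 != 0:
            problems.append(f"offset {f.offset} is not 8-byte aligned")

    # A fragment that starts before the previous data ended overlaps it;
    # this is the 'incorrect offsets' variant described in the text.
    prev_end = 0
    for f in ordered:
        if f.offset < prev_end:
            problems.append(
                f"fragment at {f.offset} overlaps previous data ending at {prev_end}")
        prev_end = max(prev_end, f.offset + f.length)

    # Exactly one fragment, the last in offset order, should have MF cleared.
    lasts = [f for f in ordered if not f.more]
    if len(lasts) != 1 or lasts[0] is not ordered[-1]:
        problems.append(
            "MF flag inconsistent: expected exactly one final fragment at the highest offset")
    return problems


if __name__ == "__main__":
    # Constructed sample: a normal three-fragment datagram and an oversize one.
    sane = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 500, False)]
    oversize = [Fragment(0, 1480, True), Fragment(65528, 8, False)]
    print("sane:", check_fragments(sane))
    print("oversize:", check_fragments(oversize))
```

A real detector would key fragments by (source, destination, protocol, identification) and run these checks per datagram, dropping the whole train when any check fails; keeping per-train state is where the hardware cost the text mentions comes from.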

Ping flooding attack

This attack appeared because the ping program, designed to assess line quality, has a flag for "aggressive" testing. In this mode requests are sent as fast as possible, which lets the program evaluate how the network behaves under maximum load. The attack requires the attacker to have access to fast Internet channels. Recall how ping works. The program sends an ICMP packet of type ECHO REQUEST, recording the time and its identifier in it; the kernel of the receiving machine answers such a request with an ICMP ECHO REPLY packet, and on receiving it ping reports the packet's round-trip speed. In the standard mode of operation packets are sent at intervals and hardly load the network at all, but in the "aggressive" mode the stream of ICMP echo request/reply packets can saturate a small line, depriving it of the ability to carry useful information. Naturally, ping is only a special case of the more general situation of channel congestion. For example, an attacker can send many UDP packets to port 19 of the victim machine if, following the generally accepted convention, a character generator service is running on UDP port 19 that answers every packet with an 80-byte line. Note that the attacker can also forge the return address of such packets, which makes them hard to trace; only coordinated work by specialists on the intermediate routers would allow the attacker to be tracked, which is almost impossible. One variant of the attack is to send ICMP echo request packets, with the source address set to the victim's, to the broadcast addresses of large networks. Each machine in such a network answers the forged request, so the machine whose address was forged receives many more responses than requests were sent. By sending a lot of broadcast echo requests on behalf of the "victim" to the broadcast addresses of large networks, one can cause a sharp filling of the "victim's" channel.
Signs of flooding are a sharp increase in the load on the network (or channel) and a growth in the number of packets of a specific kind (such as ICMP). As protection, it is recommended to configure the routers to filter that same ICMP traffic when it exceeds some predefined threshold (packets per unit of time). To make sure that your own machines cannot serve as a source of a ping flood, restrict access to ping.

PingOfDeath or SSPing

Its essence is as follows: a heavily fragmented ICMP packet of large size (64 KB) is sent to the victim's machine. Windows systems react to receiving such a packet with an unconditional hang, including of the mouse and keyboard. The attack program is widely available on the network, as C source and as executables for some Unix versions. Curiously, unlike WinNuke, not only Windows machines can fall victim to this attack: MacOS and some Unix versions are affected too. The advantage of this attack method is that firewalls usually pass ICMP packets, and if a firewall is configured to filter sender addresses, simple spoofing techniques can fool it as well. The disadvantage of PingOfDeath is that a single attack requires sending more than 64 KB over the network, which makes it generally unsuitable for large-scale sabotage.

UDP bomb

The transmitted UDP packet contains a malformed service field. Some older versions of network software crash on receiving such a packet.

SYN flooding

Flooding with SYN packets is the best-known way to "clog" an information channel. Recall how TCP/IP handles incoming connections. The system answers an incoming C-SYN packet with an S-SYN/C-ACK packet, puts the session into the SYN_RECEIVED state and places it in the queue. If the S-ACK is not received from the client within the specified time, the connection is removed from the queue; otherwise it is moved to the ESTABLISHED state. Now consider the case where the queue of incoming connections is already full and the system receives a SYN packet asking to establish a connection: according to the RFC, it is silently ignored. SYN flooding is based on overflowing the server's queue, after which the server stops responding to user requests. The most famous attack of this kind was the attack on Panix, a New York provider; Panix was out of action for two weeks. Different systems implement the queue differently. In BSD systems each port has its own queue of 16 entries; in SunOS, by contrast, there is no such separation and the system simply has one large common queue. Accordingly, to block, for example, the WWW port on BSD, 16 SYN packets are enough, whereas on Solaris 2.5 far more are needed. After some time (depending on the implementation) the system removes requests from the queue, but nothing prevents the attacker from sending a new batch. Thus even over a 2400 bps connection an attacker can send 20-30 packets every 1.5 minutes to a FreeBSD server and keep it inoperative (naturally, this error was corrected in the latest versions of FreeBSD). As usual, the attacker can use random return IP addresses when generating the packets, which makes his traffic hard to detect and filter. Detection is easy: a large number of connections are in the SYN_RECEIVED state, and attempts to connect to the port are ignored.
As protection we can recommend patches that implement automatic "thinning" of the queue, for example based on the Early Random Drop algorithm. To find out whether your system is protected against SYN flooding, contact your system supplier. Another protection option is to configure the firewall so that it establishes all incoming TCP/IP connections itself and only then passes them inside the network to the given machine; this limits the SYN flood and keeps it from getting inside the network. This attack belongs to the denial-of-service attacks, which result in the inability to provide services. It is usually aimed at a specific service, for example telnet or ftp, and consists in sending connection-establishment packets to the port of the attacked service. On receiving the request, the system allocates resources for the new connection and then tries to answer it (send "SYN-ACK") to an unreachable address. By default, NT versions 3.5-4.0 will retry the confirmation 5 times, after 3, 6, 12, 24 and 48 seconds. After that the system can wait for a response for another 96 seconds, and only then does it release the resources allocated for the future connection. The total time the resources are held is 189 seconds.
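The detection rule given above ("a large number of connections are in the SYN_RECEIVED state") can be applied to a connection table. The following is an added example, not code from the original article: it parses constructed `netstat -an`-style lines, counts half-open connections per local port, and reports ports over a threshold together with the number of distinct remote addresses (a spread of unrelated sources is what forged return addresses look like from the victim's side). It also works out the 189-second resource hold time from the NT retransmission schedule quoted in the text. The threshold of 16 is the BSD per-port queue size from the text; the sample lines and addresses are constructed.

```python
"""Added example: spotting a SYN flood in a netstat-style connection table.

parse_netstat() understands lines of the form
    tcp <recvq> <sendq> <local_ip>:<port> <remote_ip>:<port> <STATE>
which is the shape of 'netstat -an' output on Unix-like systems.
syn_flood_report() counts half-open (SYN_RECV / SYN_RECEIVED) entries
per local port. The sample table below is constructed for this example.
"""
import re
from collections import defaultdict

HALF_OPEN = {"SYN_RECV", "SYN_RECEIVED"}
THRESHOLD = 16   # per-port queue size quoted for BSD in the text

LINE_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)")


def parse_netstat(lines):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per parseable line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)


def syn_flood_report(lines, threshold=THRESHOLD):
    """Return {local_port: (half_open_count, distinct_remote_sources)} for ports at or over threshold."""
    per_port = defaultdict(list)
    for _lip, lport, rip, _rport, state in parse_netstat(lines):
        if state in HALF_OPEN:
            per_port[lport].append(rip)
    return {port: (len(srcs), len(set(srcs)))
            for port, srcs in per_port.items() if len(srcs) >= threshold}


def half_open_hold_seconds(retry_delays=(3, 6, 12, 24, 48), final_wait=96):
    """Seconds a half-open entry holds resources: the SYN-ACK retry schedule plus the final wait."""
    return sum(retry_delays) + final_wait


# Constructed sample: one established session, two stray half-open SMTP
# connections, and forty half-open HTTP connections from forty 'sources'.
CONSTRUCTED_NETSTAT = (
    ["tcp 0 0 10.0.0.2:22 10.0.0.7:50211 ESTABLISHED",
     "tcp 0 0 10.0.0.2:25 10.0.0.8:50300 SYN_RECV",
     "tcp 0 0 10.0.0.2:25 10.0.0.9:50301 SYN_RECV"]
    + [f"tcp 0 0 10.0.0.2:80 203.0.113.{i + 1}:{40000 + i} SYN_RECV" for i in range(40)]
)

if __name__ == "__main__":
    for port, (count, sources) in syn_flood_report(CONSTRUCTED_NETSTAT).items():
        print(f"port {port}: {count} half-open connections from {sources} distinct sources")
    print("resources held per half-open connection:", half_open_hold_seconds(), "s")
```

Run against a live table, the report would be fed by `netstat -an` output; the number of distinct remote addresses is the useful second signal, because a legitimate burst of clients behind one NAT shows few sources while a flood with random return addresses shows one source per entry.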

Custom IP Encapsulated Protocols

The IP header contains a field that identifies the protocol of the encapsulated packet (TCP, UDP, ICMP). An attacker can use a non-standard value of this field to transfer data that the standard means of controlling information flows will not record.

Using TFTP

This protocol has no authentication mechanisms, which is why it is attractive to attackers.

Smurf attack

The smurf attack consists in sending ICMP broadcast requests to the network on behalf of the victim computer. As a result, the computers that receive such broadcast packets answer the victim computer, which leads to a significant decrease in the bandwidth of the communication channel and, in some cases, to complete isolation of the attacked network. The smurf attack is exceptionally effective and widespread. Countermeasure: to recognize this attack, analyse the channel load and determine the reasons for the decrease in throughput.
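Both the ping flood described earlier and the smurf attack show up on the victim's side as ICMP volume, and the text's recommended router filter is a rate threshold on ICMP. The following added example (not code from the original article) runs that idea over a constructed packet log: it flags a destination that receives more than a threshold of ICMP packets within a sliding window (flood), and separately flags echo replies converging on one destination from many distinct sources within the window (the amplification signature of smurf). Window, thresholds and the addresses in the sample are assumptions chosen for the example.

```python
"""Added example: ICMP flood and amplification detector over a packet log.

Each record is (timestamp_seconds, src_ip, dst_ip, icmp_type). Two
alerts per destination: 'flood' when more than RATE_LIMIT ICMP packets
arrive within WINDOW seconds, and 'amplification' when echo replies
from at least AMP_SOURCES distinct sources arrive within WINDOW seconds
(replies the victim never asked for, coming from a whole network).
Thresholds are illustrative; the sample log is constructed.
"""
from collections import defaultdict, deque

ECHO_REPLY, ECHO_REQUEST = 0, 8
WINDOW = 1.0        # seconds
RATE_LIMIT = 100    # ICMP packets per window per destination
AMP_SOURCES = 20    # distinct echo-reply sources per window


def detect_icmp_floods(records, window=WINDOW, rate_limit=RATE_LIMIT, amp_sources=AMP_SOURCES):
    """Return {dst_ip: set of alert names} for destinations that triggered an alert."""
    alerts = defaultdict(set)
    per_dst = defaultdict(deque)   # dst -> deque of (ts, src, type) inside the window
    for ts, src, dst, itype in sorted(records):
        q = per_dst[dst]
        q.append((ts, src, itype))
        while q and ts - q[0][0] > window:   # expire entries older than the window
            q.popleft()
        if len(q) > rate_limit:
            alerts[dst].add("flood")
        reply_sources = {s for _, s, t in q if t == ECHO_REPLY}
        if len(reply_sources) >= amp_sources:
            alerts[dst].add("amplification")
    return dict(alerts)


def constructed_sample():
    """A constructed log: benign pings, a one-source flood, and an amplification burst."""
    recs = []
    # benign: one echo request per second from a workstation to its gateway
    for i in range(10):
        recs.append((float(i), "10.0.0.5", "10.0.0.1", ECHO_REQUEST))
    # flood: 150 echo requests to 10.0.0.9 within half a second from one address
    for i in range(150):
        recs.append((20.0 + i * 0.003, "198.51.100.7", "10.0.0.9", ECHO_REQUEST))
    # amplification: echo replies from 30 different hosts to 10.0.0.9 within 0.2 s
    for i in range(30):
        recs.append((40.0 + i * 0.005, f"203.0.113.{i + 1}", "10.0.0.9", ECHO_REPLY))
    return recs


if __name__ == "__main__":
    for dst, names in detect_icmp_floods(constructed_sample()).items():
        print(dst, sorted(names))
```

The flood rule is what a router rate limit implements; the amplification rule is the one worth adding on the victim's side, because a smurf victim sees replies, not requests, and they come from addresses that did nothing wrong.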

Land attack

The Land attack exploits vulnerabilities in the TCP/IP stack implementation of some operating systems. It consists in sending a TCP packet with the SYN flag set to an open port of the victim computer, with the packet's source address and port equal to the address and port of the attacked computer. The victim then tries to establish a connection with itself, which drives up processor load and can cause a "freeze" or reboot. This attack is very effective against some models of Cisco Systems routers, and a successful attack on a router can damage an organization's entire network. Countermeasure: protect yourself from this attack, for example, by installing a packet filter between the internal network and the Internet with a rule that drops packets arriving from the Internet whose source IP addresses belong to computers on the internal network.

Introducing a false server into the Internet by creating a directed "storm" of false DNS answers to the attacked host

Another variant of a remote attack on the DNS service is based on the second type of typical remote attack, the "false RVS object" (false object of a distributed computing system). In this case the attacker continuously sends the attacked host a pre-prepared false DNS reply on behalf of the real DNS server without having received any DNS query; in other words, the attacker creates a directed "storm" of false DNS replies on the Internet. This is possible because a DNS query is usually carried over UDP, which has no means of identifying packets. The only criteria the host's network OS applies to a reply received from the DNS server are: first, the source IP address of the reply must match the IP address of the DNS server; second, the DNS reply must contain the same name as the DNS query; third, the DNS reply must be directed to the same UDP port from which the DNS query was sent (this is the first problem for the attacker); and fourth, the request identifier field (ID) in the DNS header of the reply must contain the same value as in the transmitted DNS query (this is the second problem). Since the attacker cannot intercept the DNS query, his main problem is the number of the UDP port from which the query was sent. But the sender's port number takes a limited set of values (1023?), so it is enough for the attacker simply to brute-force it by sending false replies to the corresponding list of ports. At first glance the second problem would be the two-byte identifier of the DNS query, but in this case it is either equal to one or has a value close to zero (the ID is increased by 1 per query). Therefore, to carry out this remote attack, the attacker needs to choose the host (A) he is interested in, whose route he wants to change so that it passes through the false server, the attacker's host.
This is achieved by the attacker constantly transmitting (a directed "storm" of) false DNS replies to the attacked host on behalf of the real DNS server, to the corresponding UDP ports. In these false DNS replies the attacker's IP address is given as the IP address of host A. The attack then develops as follows. As soon as the target of the attack (the attacked host) addresses host A by name, a DNS query is sent from this host to the network; the attacker will never receive it, but that is not required, because the host immediately receives one of the constantly transmitted false DNS replies, which the OS of the attacked host takes as a real reply from the DNS server. The attack has succeeded: from now on the attacked host sends all packets destined for A to the IP address of the attacker's host, which in turn forwards them to A, acting on the intercepted information according to the "false RVS object" scheme. Consider the functional diagram of the described remote attack on the DNS service:
• constant transmission of false DNS replies to the attacked host, to various UDP ports and possibly with different IDs, on behalf of the real DNS server (from its IP address), containing the name of the host of interest and its false IP address, which is the IP address of the false server, the attacker's host;
• on receiving a packet from the host, changing the IP address in the IP header of the packet to the attacker's IP address and sending the packet on to the server (that is, the false server works with the server on the host's behalf, from its own IP address);
• on receiving a packet from the server, changing the IP address in the IP header of the packet to the IP address of the false server and passing the packet on to the host (for the host, the false server is the real server).
Thus the implementation of this remote attack, which uses gaps in DNS security, allows the routing between two given objects to be disrupted from anywhere on the Internet. That is, this remote attack is carried out inter-segment with respect to the target of the attack and threatens the security of any Internet host that uses the normal DNS service.
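The four acceptance criteria listed above (source address, question name, destination port, transaction ID) are exactly what a resolver checks, and they are what a "storm" of false replies has to satisfy. The following added example (not code from the original article) builds minimal DNS messages from raw bytes, applies those four checks to a pending query, and counts how many replies in a constructed storm aimed at a range of ports are rejected; the one that matches port and ID is the one the text says gets accepted. Message layout follows the standard 12-byte DNS header and question section; the names, addresses and port numbers are constructed.

```python
"""Added example: the resolver-side acceptance checks for a DNS reply.

build_dns_message() produces a standard-format DNS query or reply
(header, one question, optionally one A record). reply_acceptable()
applies the four checks a resolver makes before trusting a UDP reply.
count_storm() shows how many replies out of a burst would be accepted.
All messages, names and addresses here are constructed for the example.
"""
import struct


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS label encoding)."""
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.strip(".").split("."))
    return out + b"\x00"


def decode_name(data, off):
    """Decode a label sequence starting at offset 'off'; return (name, next_offset)."""
    labels = []
    while True:
        n = data[off]
        off += 1
        if n == 0:
            break
        labels.append(data[off:off + n].decode())
        off += n
    return ".".join(labels), off


def build_dns_message(txid, name, response, rdata=None):
    """Build a query (response=False) or reply carrying one A record for 'name'."""
    flags = 0x8180 if response else 0x0100          # QR/RD/RA bits vs. RD only
    ancount = 1 if (response and rdata) else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    if ancount:
        # answer: compression pointer to the question name, type A, class IN, TTL, rdlength 4
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        msg += bytes(int(octet) for octet in rdata.split("."))
    return msg


def parse_dns(data):
    """Parse header and question only; enough for the acceptance checks."""
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
    return {"id": txid, "response": bool(flags & 0x8000), "qname": qname, "qtype": qtype}


def reply_acceptable(pending, reply_src_ip, reply_dst_port, payload):
    """pending = {'server_ip', 'client_port', 'id', 'qname'}. Return (accepted, reason)."""
    if reply_src_ip != pending["server_ip"]:
        return False, "source address is not the DNS server"
    if reply_dst_port != pending["client_port"]:
        return False, "reply not addressed to the query's source port"
    msg = parse_dns(payload)
    if not msg["response"]:
        return False, "not a response"
    if msg["id"] != pending["id"]:
        return False, "transaction ID mismatch"
    if msg["qname"].lower() != pending["qname"].lower():
        return False, "question name mismatch"
    return True, "ok"


def count_storm(pending, replies):
    """replies: iterable of (src_ip, dst_port, payload). Return (accepted, rejected)."""
    accepted = rejected = 0
    for src, port, payload in replies:
        ok, _ = reply_acceptable(pending, src, port, payload)
        accepted += int(ok)
        rejected += int(not ok)
    return accepted, rejected


if __name__ == "__main__":
    pending = {"server_ip": "192.0.2.53", "client_port": 40000, "id": 1, "qname": "example.com"}
    # constructed storm: same forged reply sprayed over 20 candidate ports
    storm = [("192.0.2.53", port, build_dns_message(1, "example.com", True, "203.0.113.66"))
             for port in range(39990, 40010)]
    print("accepted/rejected:", count_storm(pending, storm))
```

The defensive reading of this code is the size of the space a forged reply must hit: with the predictable port and an ID that is "equal to one or close to zero", as the text observes for the clients of its day, the storm needs only a handful of guesses, whereas a resolver that randomizes both the source port and the 16-bit ID multiplies the guess space by roughly 2^16 for each of the candidate ports. A monitor that counts replies failing these checks per client (the `rejected` figure above) sees the storm directly, since a legitimate server produces none.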

Introducing a false server into the Internet by intercepting a DNS query or creating a directed “storm” of false DNS answers to the attacked DNS server

From the remote DNS lookup scheme it follows that if a DNS server does not find the name specified in the query in its own name database, the server sends the query to one of the root DNS servers whose addresses are contained in the root.cache server configuration file. That is, if the DNS server has no information about the requested host, it forwards the request further, which means that the DNS server itself now initiates the remote DNS search. Therefore nothing prevents the attacker, using the methods described in the previous paragraph, from directing his attack at the DNS server. The target of the attack is now not the host but the DNS server, and the false DNS replies are sent by the attacker to the attacked DNS server on behalf of a root DNS server. It is important to consider the following feature of a DNS server. To speed up its operation, each DNS server caches in memory its own table of host names and IP addresses; dynamically changing information about names and IP addresses of hosts discovered during the server's operation is also entered into the cache. That is, if the DNS server, having received a query, does not find the corresponding record in its cache table, it forwards the query to the next server and, on receiving the reply, stores the information found in its in-memory cache table. Thus, when the next such query arrives, the DNS server no longer needs to perform a remote search, since the necessary information is already in its cache table.
From an analysis of the remote DNS lookup scheme just described in detail, it becomes obvious that if the attacker sends a false DNS reply in response to a query from the DNS server (or, in the case of a "storm" of false replies, transmits them constantly), a corresponding entry with false information will appear in the server's cache table; from then on all hosts that use this DNS server will be misinformed, and when they access the host whose route the attacker decided to change, communication with it will pass through the attacker's host according to the "false RVS object" scheme. Over time this false information in the DNS server's cache will spread to neighbouring higher-level DNS servers, and consequently more and more Internet hosts will be misinformed and attacked. Obviously, if the attacker cannot intercept the DNS query from the DNS server, then to carry out the attack he needs a "storm" of false DNS replies directed at the DNS server. In this case the following main problem arises, which differs from the port-selection problem of an attack directed at a host. As noted earlier, a DNS server, when sending a query to another DNS server, identifies the query with a two-byte value (ID), which is incremented by one with each transmitted query. The attacker has no way of finding out the current value of the DNS query identifier, so it is hard to propose anything other than enumerating the 2^16 possible ID values. The port-enumeration problem, on the other hand, disappears, since all DNS queries are sent by the DNS server to port 53. The next problem, which is a precondition for this remote attack on the DNS server with a directed "storm" of false DNS replies, is that the attack succeeds only if the DNS server sends a query to look up the specific name contained in the false DNS reply.
The DNS server sends this query, so necessary and desirable for the attacker, when it receives a DNS query from some host to look up this name and the name is not in the DNS server's cache table. In principle such a query may arrive at any time, and the attacker may have to wait for the results of the attack indefinitely. However, nothing prevents the attacker, instead of waiting for someone else, from sending such a DNS query to the attacked DNS server himself and thereby provoking the DNS server to look up the name specified in the query. Then the attack is likely to succeed almost immediately after it is started.

Introducing a false DNS server on the Internet by intercepting a DNS query

This case is a remote attack based on the standard typical remote attack that relies on waiting for a DNS lookup. Before considering the algorithm of the attack on the DNS service, attention must be paid to the following subtleties in the operation of this service. Firstly, by default the DNS service operates over UDP (although TCP can also be used), which naturally makes it less secure, since UDP, unlike TCP, provides no means of identifying messages. To switch from UDP to TCP, the DNS server administrator has to study the documentation seriously. In addition, this switch slows the system down somewhat because, firstly, TCP requires a virtual connection and, secondly, end network operating systems first send a DNS query over UDP, and only if a special reply comes back from the DNS server does the network OS send the DNS query over TCP. Secondly, the next subtlety to note is that the value of the "sender port" field in the UDP packet initially takes the value 1023 (?) and then increases with each transmitted DNS query. Thirdly, the value of the DNS query identifier (ID) behaves as follows. If the DNS query is sent from a host, its value depends on the particular network application that generates the query. The author's experiments showed that when a query is sent from the command shell of the Linux and Windows '95 operating systems (for example, ftp nic.funet.fi), this value is always equal to one. If the DNS query is sent by Netscape Navigator, the browser itself increases this value by one with each new query. If the query is sent directly by a DNS server, the server increases this identifier by one with each newly transmitted query.
All these subtleties matter for an attack without interception of the DNS query. To carry out an attack by intercepting the DNS query, the attacker must intercept the query, extract from it the UDP port number of the query sender, the two-byte DNS query identifier (ID) and the name being looked up, and then send a false DNS reply to the extracted UDP port, giving the real IP address of the false DNS server as the IP address of the name being looked up. This makes it possible afterwards to fully intercept and actively influence the traffic between the "deceived" host and the server according to the "false RVS object" scheme. Consider the generalized scheme of a false DNS server:
• waiting for a DNS query;
• having received a DNS query, extracting the necessary information from it and sending a false DNS reply over the network to the requesting host on behalf of the real DNS server (from its IP address), giving the IP address of the false DNS server;
• on receiving a packet from the host, changing the IP address in the IP header of the packet to the IP address of the false DNS server and sending the packet to the server (that is, the false DNS server works with the server on the host's behalf);
• on receiving a packet from the server, changing the IP address in the IP header of the packet to the IP address of the false DNS server and passing the packet to the host (for the host, the false DNS server is the real server).
A prerequisite for this variant of the attack is interception of the DNS query, which is only possible if the attacker is either on the main traffic path or in the segment of the real DNS server.
The need for the attacker to satisfy one of these conditions on his location in the network makes this remote attack hard to carry out in practice (getting into the segment of the DNS server, let alone into the inter-segment communication channel, will most likely not succeed). However, if these conditions are met, an inter-segment remote attack on the Internet becomes possible. Note that the practical implementation of this remote attack revealed a number of interesting features in the operation of the FTP protocol and in the mechanism for identifying TCP packets. When an FTP client on the host connected to a remote FTP server through the false DNS server, it turned out that every time the user issued an FTP command (for example, ls, get, put, etc.), the FTP client issued the PORT command, which consists in passing the port number and IP address of the client host to the FTP server in the data field of a TCP packet (it is hard to see any special point in sending the client's IP address to the FTP server every time)! As a result, if the transmitted IP address in the data field of the TCP packet is not changed on the false DNS server and the packet is passed on to the FTP server in the usual way, the next packet is sent by the FTP server to the FTP client's host, bypassing the false DNS server, and, most interestingly, this packet is accepted as a normal packet; from then on the false DNS server loses control over the traffic between the FTP server and the FTP client! This is because an ordinary FTP server provides no additional identification of the FTP client and hands all problems of packet identification and connection down to a lower level, the TCP level.

DNS flooding attack

DNS flooding is an attack directed at Internet name servers. It consists in sending a large number of DNS queries, so that users are unable to access the name service and ordinary users are consequently prevented from working. Countermeasure: to identify this attack, analyse the load on the DNS server and identify the sources of the queries.

DNS attack spoofing

The result of this attack is the introduction of a forced correspondence between an IP address and a domain name into the DNS server's cache. If such an attack succeeds, all users of this DNS server receive incorrect information about domain names and IP addresses. The attack is characterized by a large number of DNS packets with the same domain name, caused by the need to guess some parameters of the DNS exchange. Countermeasure: to detect this attack, analyse the contents of the DNS traffic.

IP spoofing attack (syslog)

A large number of Internet attacks involve substitution of the source IP address. Syslog spoofing is one such attack: it consists in sending a message to the victim computer on behalf of another computer on the internal network. Since the syslog protocol is used to maintain system logs, sending false messages to the victim computer makes it possible to plant information or to cover the traces of unauthorized access. Countermeasure: attacks involving substitution of IP addresses can be identified by watching for a packet arriving on one of the interfaces with the source address of that same interface, or by monitoring the external interface for incoming packets with IP addresses of the internal network.
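The countermeasure above and the one given for the Land attack describe the same packet filter: drop packets from the outside that claim an inside source, drop packets whose source is one of the filter's own addresses, and (for Land) drop SYNs whose source address and port equal the destination's. The following added example (not code from the original article) implements those three rules over packets represented as dictionaries. The internal range, interface addresses and the sample traffic are assumptions constructed for the example.

```python
"""Added example: an ingress filter for the Land and source-spoofing cases.

Rules, in the order applied:
  1. Land: a TCP SYN whose source address:port equals its destination address:port.
  2. Own-address spoof: a packet whose source is one of the filter's own interface addresses.
  3. Ingress anti-spoof: a packet on the external interface with an internal source address.
Packets are dicts with keys iface, src, dst, proto and (for TCP/UDP) sport, dport, flags.
The address plan and traffic below are constructed for the example.
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")                    # assumed internal range
IFACE_ADDRS = {"external": "192.0.2.1", "internal": "10.0.0.1"}   # assumed filter addresses


def filter_packet(pkt, internal_net=INTERNAL_NET, iface_addrs=IFACE_ADDRS):
    """Return (allow, reason) for one packet."""
    src, dst = pkt["src"], pkt["dst"]
    is_syn = pkt.get("proto") == "tcp" and "S" in pkt.get("flags", "")
    if is_syn and src == dst and pkt.get("sport") == pkt.get("dport"):
        return False, "land: source equals destination"
    if src in iface_addrs.values():
        return False, "spoof: source is one of our own addresses"
    if pkt["iface"] == "external" and ipaddress.ip_address(src) in internal_net:
        return False, "spoof: internal source address on external interface"
    return True, "ok"


def run_filter(packets):
    """Apply filter_packet to each packet; returns the list of (allow, reason)."""
    return [filter_packet(p) for p in packets]


CONSTRUCTED_TRAFFIC = [
    # ordinary inbound web connection
    {"iface": "external", "src": "198.51.100.4", "dst": "192.0.2.10",
     "proto": "tcp", "sport": 51000, "dport": 80, "flags": "S"},
    # Land: source address/port identical to destination address/port
    {"iface": "external", "src": "192.0.2.10", "dst": "192.0.2.10",
     "proto": "tcp", "sport": 139, "dport": 139, "flags": "S"},
    # syslog message from 'inside' arriving on the outside interface
    {"iface": "external", "src": "10.0.0.25", "dst": "10.0.0.2",
     "proto": "udp", "sport": 514, "dport": 514},
    # packet claiming to come from the filter's own external address
    {"iface": "external", "src": "192.0.2.1", "dst": "10.0.0.2",
     "proto": "udp", "sport": 514, "dport": 514},
    # the same syslog message on the inside interface, where it is legitimate
    {"iface": "internal", "src": "10.0.0.25", "dst": "10.0.0.2",
     "proto": "udp", "sport": 514, "dport": 514},
]

if __name__ == "__main__":
    for pkt, (allow, reason) in zip(CONSTRUCTED_TRAFFIC, run_filter(CONSTRUCTED_TRAFFIC)):
        print(f"{pkt['iface']:8} {pkt['src']:>14} -> {pkt['dst']:<14} {'ALLOW' if allow else 'DROP ':5} {reason}")
```

Note that rule 3 is what makes the syslog-spoofing detection in the text possible: the same datagram is legitimate on the internal interface and a spoof on the external one, so the interface a packet arrived on has to be part of the decision.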

Imposing packets

An attacker sends packets with a false return address into the network. With this attack the attacker can switch connections established between other computers over to his own computer, in which case the attacker's access rights become equal to those of the user whose connection to the server was switched to the attacker's computer.

Sniffing - listening to the channel (only possible in the local network segment)

Almost all network cards support capturing the packets transmitted over a shared channel in a local network, so a workstation can receive packets addressed to other computers of the same network segment. Thus all information exchange within a network segment becomes available to an attacker. For this attack to succeed, the attacker's computer must be located in the same segment of the local network as the attacked computer.

Packet capture on the router

The network software of a router has access to all network packets transmitted through that router, which makes packet capture possible. To carry out this attack the attacker must have privileged access to at least one network router. Since a great many packets usually pass through a router, capturing them all is practically impossible; however, individual packets may well be intercepted and stored for later analysis by the attacker. The most effective targets of interception are FTP packets containing user passwords, as well as e-mail.

Imposing a False Route to a Host Using ICMP

ICMP (Internet Control Message Protocol) includes a message that tells a host to use a different router for a destination: the redirect message (ICMP type 5). Any host in the segment can send a forged redirect to the attacked host on behalf of the router. The host updates its routing table, and from then on all of its traffic to the destination named in the redirect passes through, for example, the host that sent the forged message. In this way a false route can be actively imposed within a single segment of the Internet (a redirect is only honoured for a gateway on the directly attached network, so the attacker must be in the same segment). Countermeasure: hosts should ignore redirects altogether (on Linux, net.ipv4.conf.all.accept_redirects=0) or, at the very least, accept a redirect only when it comes from the gateway currently used for that destination and names a gateway on the local network, as RFC 1122 requires.
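The following added example (written for this edition; it is not code from the original article) models the decision a host makes when a redirect arrives. The addresses, the /24 subnet and the three policy names are assumptions. It shows that the RFC 1122 checks reject a redirect sent from the attacker's own address, but not one whose source is forged as the router's, which is why ignoring redirects is the only reliable setting on a host that has no need for them.

```python
"""Added example: why a host that obeys ICMP redirects can have a false
route imposed on it, and what the RFC 1122 acceptance checks do and do not
catch.  Everything is simulated in memory; no packets are sent."""

import ipaddress
from collections import namedtuple

# Constructed segment: victim 192.168.1.10, real router 192.168.1.1,
# attacker 192.168.1.66, all on one /24.
SUBNET = ipaddress.ip_network("192.168.1.0/24")

Redirect = namedtuple("Redirect", "src new_gateway destination")   # ICMP type 5


class HostRoutes:
    """A host routing table: a default gateway plus per-destination overrides.

    policy: "accept"  - obey every redirect (the behaviour the attack needs)
            "rfc1122" - apply the two checks from RFC 1122 section 3.2.2.2
            "ignore"  - never change the table (accept_redirects=0)
    """

    def __init__(self, default_gateway, policy):
        self.default = ipaddress.ip_address(default_gateway)
        self.policy = policy
        self.overrides = {}                 # destination -> gateway learned via redirect

    def gateway_for(self, destination):
        return self.overrides.get(ipaddress.ip_address(destination), self.default)

    def apply_redirect(self, r):
        """Return True if the redirect changed the routing table."""
        if self.policy == "ignore":
            return False
        src = ipaddress.ip_address(r.src)
        new_gw = ipaddress.ip_address(r.new_gateway)
        dst = ipaddress.ip_address(r.destination)
        if self.policy == "rfc1122":
            # 1. the sender must be the gateway we currently use for dst
            if src != self.gateway_for(dst):
                return False
            # 2. the new gateway must be on the directly attached network
            if new_gw not in SUBNET:
                return False
        self.overrides[dst] = new_gw
        return True


def forged_redirect_attack(policy, spoof_source_as_router):
    """Attacker 192.168.1.66 tells the victim that 198.51.100.5 is reached
    via 192.168.1.66.  Returns the gateway the victim uses afterwards."""
    victim = HostRoutes("192.168.1.1", policy)
    src = "192.168.1.1" if spoof_source_as_router else "192.168.1.66"
    forged = Redirect(src=src, new_gateway="192.168.1.66", destination="198.51.100.5")
    victim.apply_redirect(forged)
    return str(victim.gateway_for("198.51.100.5"))


if __name__ == "__main__":
    for policy in ("accept", "rfc1122", "ignore"):
        for spoofed in (False, True):
            print(f"{policy:8s} source-forged={spoofed!s:5s} -> gateway "
                  f"{forged_redirect_attack(policy, spoofed)}")
```

With "rfc1122" the victim keeps its router only while the attacker is careless enough to use his own address as the source; a redirect forged from the router's address passes both checks, and only "ignore" survives it.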

Winnuke

Besides ordinary data, a TCP connection may carry urgent ("out-of-band") data; in the segment format this shows up as the URG flag and a non-zero urgent pointer. Most PCs running Windows use NetBIOS over TCP/IP, which occupies three ports: 137 and 138 (UDP) and 139 (TCP). It turned out that if you connect to port 139 of a Windows machine and send a few bytes of out-of-band data, the NetBIOS implementation, not knowing what to do with them, hangs or reboots the machine. On Windows 95 this usually shows as a blue text screen reporting an error in the TCP/IP driver, and the network is unusable until the OS is rebooted. Windows NT 4.0 without service packs reboots; NT 4.0 with Service Pack 2 falls into the blue screen. Sending the same data to port 135 and some other ports makes RPCSS.EXE consume a great deal of CPU: an NT Workstation slows down markedly, an NT Server practically freezes. Microsoft fixed the problem in later service packs; the attack survives mainly as the classic example of a stack crashing on unexpected input.

False ARP Server

On the Internet every host has a unique IP address to which all messages from the global network are delivered. IP, however, is not so much a network protocol as an internetwork protocol designed for communication across the global network; on the link layer of an Ethernet segment, frames are addressed to the hardware (MAC) addresses of network cards. The mapping between IP and Ethernet addresses is obtained with ARP (Address Resolution Protocol). Initially a host may know nothing about the Ethernet addresses of the other hosts in its segment, including that of the router, so on first access to a network resource it sends a broadcast ARP request, which every station in the segment receives. The router (or whichever host owns the requested address) answers with an ARP reply stating its Ethernet address, and the requester caches the binding. Nothing in this exchange is authenticated: an attacker can send a false ARP reply declaring himself to be the desired host (for example the router), after which all traffic of the "cheated" host passes through the attacker's machine, which can read it, modify it and forward it to the real destination. Many stacks even accept unsolicited replies and overwrite existing cache entries, so the attacker need not wait for a request. Countermeasures: static ARP entries for the router on important hosts, a monitor such as arpwatch that reports every change of an IP-to-MAC binding, and, on managed switches, Dynamic ARP Inspection.
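As an added example (not from the original article), here is the core of an ARP monitor of the kind arpwatch runs, fed with a constructed list of ARP replies instead of live frames. All addresses are made up. It shows why pinning the router's binding yields one clean alert while a purely learned table "flaps" as the real router and the impostor keep answering in turn.

```python
"""Added example: a minimal ARP-reply monitor that flags the false ARP
server described above.  Input is a constructed list of replies, so it
runs offline with no capture privileges."""

from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed sample: what a sniffer on the segment would see.  Replies 1-3
# are normal; reply 4 is an attacker (MAC de:ad:be:ef:00:01) claiming the
# router's address 192.168.1.1; reply 5 is the real router answering again.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1",  "00:11:22:33:44:01"),
    ArpReply(0.5, "192.168.1.20", "00:11:22:33:44:20"),
    ArpReply(1.0, "192.168.1.30", "00:11:22:33:44:30"),
    ArpReply(2.0, "192.168.1.1",  "de:ad:be:ef:00:01"),
    ArpReply(3.0, "192.168.1.1",  "00:11:22:33:44:01"),
]


class ArpMonitor:
    def __init__(self, static=None):
        # static: IP -> MAC bindings the administrator pins (the router first of all)
        self.static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.learned = {}        # IP -> MAC first seen on the wire
        self.alerts = []         # (ts, ip, expected_mac, observed_mac, kind)

    def observe(self, reply):
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        if ip in self.static:
            if mac != self.static[ip]:
                self.alerts.append((reply.ts, ip, self.static[ip], mac, "static-violation"))
            return                      # pinned entries are never relearned
        previous = self.learned.get(ip)
        if previous is None:
            self.learned[ip] = mac      # first sighting: nothing to compare against
        elif previous != mac:
            self.alerts.append((reply.ts, ip, previous, mac, "binding-changed"))
            self.learned[ip] = mac      # follow the change so a flap back is reported too


def run_monitor(replies, static=None):
    """Feed all replies through one monitor and return its alerts."""
    monitor = ArpMonitor(static)
    for reply in replies:
        monitor.observe(reply)
    return monitor.alerts


if __name__ == "__main__":
    print("router pinned:")
    for alert in run_monitor(SAMPLE_REPLIES, static={"192.168.1.1": "00:11:22:33:44:01"}):
        print("  ALERT", alert)
    print("everything learned:")
    for alert in run_monitor(SAMPLE_REPLIES):
        print("  ALERT", alert)
```

A first sighting can never be verified by a learning monitor, which is exactly the window the attacker uses on a freshly booted host; pinning the router closes it.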

TCP sequence number prediction (IP spoofing)

In this attack the attacker's goal is to impersonate another system, for example one that the victim system "trusts". The same method serves other purposes, such as using the victim's SMTP server to send forged mail. A TCP connection is established in three steps: the client chooses an initial sequence number and sends it to the server in a SYN segment (call it C-SYN); the server answers with a SYN/ACK segment carrying an acknowledgement of C-SYN (C-ACK) together with its own initial sequence number (S-SYN); finally the client acknowledges S-SYN (S-ACK). After that the connection is considered established and data exchange begins. Every segment carries a sequence number and an acknowledgement number in its TCP header; these advance as data is exchanged and let each side verify that transmission is correct.

Suppose the attacker can predict the sequence number (S-SYN in the scheme above) that the server will choose. This is possible when the particular TCP/IP implementation is known. In 4.3BSD, for example, the initial sequence number counter grows by 125x1024 (about 128,000) every second and by half that amount for every connection opened. So by sending one packet to the server the attacker receives a response and, with a few attempts and an allowance for the connection speed, can predict the sequence number of the next connection. If the implementation uses some special algorithm to choose the number, the algorithm can be worked out by sending a few dozen packets to the server and analysing its responses.

Now suppose system A trusts system B, so that a user of B can run "rlogin A" and land on A without entering a password. The attacker sits on system C. A acts as the server, B and C as clients. The attacker's first task is to put B into a state in which it cannot answer network requests.
This can be done in several ways; in the simplest case one just waits for B to reboot, and the few minutes during which it is down are enough (a SYN flood, described earlier, is the usual way to silence it deliberately). Then the attacker tries to pass for B in order to gain access to A, at least for a short time. He first sends A several connection requests from his own address to learn the current state of the server's sequence number. He then sends A a SYN packet whose source address is B's. A responds with a SYN/ACK carrying its sequence number, addressed to B; B never receives it (it is down), and neither does the attacker. But from the earlier analysis the attacker guesses which sequence number was sent to B and "acknowledges" it by sending A a packet with the presumed S-ACK on behalf of B. (If the systems are in one segment the attacker does not need to guess: he simply intercepts the packet A sent.) If the guess was right, A considers the connection established. The attacker can now send another forged packet, this time carrying data: if the target is rsh, the data may be commands that create a .rhosts file or mail /etc/passwd to the attacker.

Countermeasures: the simplest sign of IP spoofing is a packet with an internal source address arriving from the outside world; router software can alert the administrator. Do not be complacent, though: the attack can also come from inside your network. More intelligent monitoring tools can automatically watch for packets "from" systems that are currently unreachable, but nothing stops the attacker from answering ICMP echo requests on behalf of B to simulate its presence.
What protections against IP spoofing exist? First, make the sequence number, the key element of the attack, hard or impossible to guess: increase the rate at which it changes on the server, or choose the increment randomly, preferably with a cryptographically strong random number generator. (The scheme recommended today, RFC 6528, adds to a clock-driven counter a keyed hash of the connection's four addresses and ports, so the value one connection receives says nothing about the next.) If the network has a firewall or another IP packet filter, add rules that refuse packets arriving from outside with source addresses from your own address space. Next, minimise the trust between machines: ideally, obtaining superuser rights on one machine should give no direct way onto a neighbouring one. Of course this does not help with services that require no authorization, such as IRC, where the attacker can pose as an arbitrary Internet machine and send the commands to join a channel, post arbitrary messages and so on. Encryption of the TCP/IP stream solves the IP-spoofing problem in general (provided cryptographically strong algorithms are used). To reduce the number of such attacks launched from your own network, also configure the firewall to filter outgoing packets whose source addresses do not belong to your address space (egress filtering).
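The following added example (not from the original article) simulates the blind spoofed handshake described above against two servers: one whose initial sequence numbers follow the 4.3BSD counter scheme, and one that adds a keyed hash of the connection's addresses in the manner of RFC 6528. The server, the addresses, the ports and the secret are all constructions of this example.

```python
"""Added example: TCP sequence-number prediction, simulated in-process.
System C (the attacker) probes system A twice from its own address, derives
the per-connection increment, then completes a handshake on behalf of the
silent system B.  No packets are sent; all addresses are made up."""

import hashlib
import struct

MASK32 = 0xFFFFFFFF


class Bsd43Isn:
    """Models the 4.3BSD scheme: one global counter advanced by 125*1024
    every second and by half of that for every connection opened.  The
    connection's addresses play no part, which is the weakness."""
    PER_SECOND = 125 * 1024
    PER_CONNECTION = PER_SECOND // 2

    def __init__(self, start=0x12345678):
        self.counter = start
        self.last_second = 0

    def next_isn(self, now, four_tuple):
        whole_seconds = int(now)
        elapsed = whole_seconds - self.last_second
        self.counter = (self.counter + elapsed * self.PER_SECOND) & MASK32
        self.last_second = whole_seconds
        isn = self.counter
        self.counter = (self.counter + self.PER_CONNECTION) & MASK32
        return isn


class HashedIsn:
    """RFC 6528 style: ISN = clock + F(four_tuple, secret).  The clock part is
    still predictable, but the per-connection offset depends on addresses the
    attacker cannot choose freely and on a secret he does not know."""

    def __init__(self, secret):
        self.secret = secret

    def next_isn(self, now, four_tuple):
        clock = int(now * 250_000) & MASK32          # one tick per 4 microseconds (RFC 793)
        digest = hashlib.md5(repr(four_tuple).encode() + self.secret).digest()
        return (clock + struct.unpack("<I", digest[:4])[0]) & MASK32


class Server:
    """Only the handshake matters here: SYN -> SYN/ACK, then check the ACK."""
    ADDRESS = ("10.0.0.1", 513)          # constructed: rlogin on system A

    def __init__(self, isn_generator):
        self.isn_generator = isn_generator
        self.pending = {}                 # client (ip, port) -> our ISN (S-SYN)
        self.established = set()

    def on_syn(self, now, client, client_isn):
        s_syn = self.isn_generator.next_isn(now, (client, self.ADDRESS))
        self.pending[client] = s_syn
        # The SYN/ACK is sent to `client`, whoever really owns that address.
        return ("SYN/ACK", s_syn, (client_isn + 1) & MASK32)

    def on_ack(self, client, ack_number):
        s_syn = self.pending.get(client)
        if s_syn is not None and ack_number == (s_syn + 1) & MASK32:
            self.established.add(client)
            return True
        return False


def blind_spoof(server, now, attacker_ip="10.0.0.3", victim=("10.0.0.2", 1023)):
    """System C impersonates system B towards A while B is silent.
    Returns True if A accepted the forged handshake."""
    # 1. Two probe connections from C's own address reveal the increment.
    _, isn1, _ = server.on_syn(now, (attacker_ip, 40000), client_isn=1000)
    _, isn2, _ = server.on_syn(now, (attacker_ip, 40001), client_isn=1000)
    delta = (isn2 - isn1) & MASK32
    predicted_s_syn = (isn2 + delta) & MASK32
    # 2. SYN with B's source address; A's SYN/ACK goes to B, which is down.
    server.on_syn(now, victim, client_isn=5000)
    # 3. Blind S-ACK on behalf of B carrying the guessed number.
    return server.on_ack(victim, (predicted_s_syn + 1) & MASK32)


if __name__ == "__main__":
    print("4.3BSD-style ISN, blind spoof succeeded:",
          blind_spoof(Server(Bsd43Isn()), now=100.0))
    print("hashed ISN, blind spoof succeeded:     ",
          blind_spoof(Server(HashedIsn(b"constructed-secret")), now=100.0))
```

The probes and the forged SYN are issued within the same second; across a second boundary the attacker simply adds 125x1024 per elapsed second, which is the "allowance for connection speed" mentioned above. Against the hashed generator the increment observed between the two probes says nothing about the offset the victim's four-tuple will get, so the guess fails.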

Local storm

Let us digress into TCP/IP implementation details and look at "local storms", using the UDP storm as the example. By default many systems run (usually through inetd) the small UDP services: port 7 ("echo", which returns every received packet to its sender), port 19 ("chargen", the character generator, which answers every received packet with a line of generated characters) and others (daytime and so on). The attacker sends a single UDP packet with source port 7, destination port 19, and, as the source and destination addresses, two machines on your network (or even 127.0.0.1 for both). On receiving the packet, chargen on port 19 answers with a line sent to port 7 of the "source" host; echo on port 7 sends it back to port 19, and so on without end. The endless loop eats the resources of both machines and adds a pointless load to the channel. It stops only when one of the UDP packets is lost. Countermeasures: once again, do not let packets with internal source addresses that arrive from outside into the network, and close most services on the firewall. Better still, disable echo, chargen and the other small services on the hosts themselves; modern systems ship with them turned off.

IP Hijacking

This method combines eavesdropping with IP spoofing. Prerequisites: the attacker must have access to a machine on the path of the traffic and enough rights on it to generate and intercept IP packets. Recall that during data transfer every segment carries a sequence number and an acknowledgement number (both fields are in the TCP header, not the IP header); from them the server and the client verify that data arrived correctly. A connection can be put into a "desynchronized state", in which the sequence and acknowledgement numbers sent by the server do not match what the client expects, and vice versa. An attacker listening on the line can then take on the role of intermediary, generating correct packets for the client and for the server and intercepting their responses. The method completely bypasses protections such as one-time passwords, because the attacker starts working after the user has been authenticated. There are two ways to desynchronize a session.

• Early desynchronization. The connection is desynchronized while it is being set up. The attacker listens on a network segment through which the packets of the session of interest will pass. Having waited for the S-SYN (SYN/ACK) packet from the server, the attacker sends the server an RST (reset), with the correct sequence number of course, and immediately after it a forged C-SYN on behalf of the client. The server drops the first session and opens a new one on the same port but with a new sequence number, then sends a new S-SYN to the client. The client ignores this packet, but the attacker, listening on the line, sends the server an S-ACK on behalf of the client. Client and server are now both in the ESTABLISHED state, yet the session is desynchronized.
Naturally the scheme is not 100% reliable; for example, it is not immune to some of the attacker's packets being lost on the way. To handle such situations correctly the program has to be made more complex.

• Desynchronization with null data. Here the attacker listens to the session and at some moment sends the server a packet with "null" data, i.e. data that the application layer will ignore and that the client will never see (for telnet, for example, the sequence IAC NOP IAC NOP IAC NOP ...). A similar packet is sent to the client. Obviously, after that the session is in a desynchronized state.

ACK storm. One problem of IP hijacking is that any packet sent while the session is desynchronized causes a so-called ACK storm. For example, the server sends a packet; it is unacceptable to the client, which answers with an ACK; this ACK is in turn unacceptable to the server, which answers the client with its own ACK, and so on without end. Fortunately, modern networks are built on technology in which the loss of individual packets is allowed: since ACK packets carry no data they are never retransmitted, and as soon as one is lost the storm subsides. Experiments have shown that the stronger the ACK storm, the faster it "pacifies" itself: on 10 Mbit Ethernet this takes a fraction of a second, on slow links such as SLIP not much longer.

Detection and protection. There are several approaches. One can implement a TCP/IP stack that watches for a transition to the desynchronized state by examining the exchanged sequence and acknowledgement numbers; but that does not protect against the attacker changing those values. A more reliable way is to analyse network load and watch for ACK storms, which specific network monitoring tools can do.
If the attacker does not bother to keep the desynchronized connection going until it is closed, or does not filter the output of his own commands, the user will notice immediately. Unfortunately, the vast majority of users simply open a new session without telling the administrator. Complete protection against this attack is, as always, provided by encryption of the TCP/IP traffic, either at the application level (secure shell) or at the protocol level (IPsec); this rules out modification of the network stream. PGP can be used to protect mail messages. Note also that the method does not work against some specific TCP/IP implementations: despite [rfc ...], which requires a session to be closed silently in response to an RST packet, some systems generate a counter RST, which makes early desynchronization impossible.
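As an added example (not from the original article), the following in-memory model reproduces the ACK storm. Each endpoint keeps only the two counters that matter (SND.NXT and RCV.NXT) and applies the RFC 793 rule that an unacceptable segment, or an ACK for data never sent, is dropped and answered with a pure ACK. The "channel" is a queue from which one pure ACK can be dropped to show why the storm dies. The sequence numbers and the amount of injected "null data" are assumptions.

```python
"""Added example: an ACK storm after a desynchronised TCP session,
simulated with two minimal endpoints and a lossy queue."""

from collections import deque, namedtuple

Segment = namedtuple("Segment", "src seq ack length")


class Endpoint:
    """Minimal RFC 793 receive logic.  The receive window is taken as zero
    width for simplicity, so 'acceptable' means seq == RCV.NXT."""

    def __init__(self, name, snd_nxt, rcv_nxt):
        self.name = name
        self.snd_nxt = snd_nxt
        self.rcv_nxt = rcv_nxt

    def receive(self, seg):
        if seg.seq != self.rcv_nxt or seg.ack > self.snd_nxt:
            # Unacceptable sequence number, or an ACK for data we never sent:
            # answer with a pure ACK <SEQ=SND.NXT><ACK=RCV.NXT> and drop it.
            return Segment(self.name, self.snd_nxt, self.rcv_nxt, 0)
        self.rcv_nxt += seg.length            # in order: consume the payload
        if seg.length:                         # data is acknowledged ...
            return Segment(self.name, self.snd_nxt, self.rcv_nxt, 0)
        return None                            # ... a pure ACK is not


def run_session(client_shift, server_shift, drop_nth_ack=None, limit=10_000):
    """The client sends 10 bytes of data.  client_shift / server_shift are
    the amounts of 'null data' the attacker injected towards each side,
    which advanced that side's RCV.NXT without the peer knowing.  Returns
    the number of pure ACKs that went onto the wire before silence."""
    client = Endpoint("client", snd_nxt=1000, rcv_nxt=5000 + client_shift)
    server = Endpoint("server", snd_nxt=5000, rcv_nxt=1000 + server_shift)
    peer_of = {"client": server, "server": client}
    line = deque([Segment("client", client.snd_nxt, client.rcv_nxt, 10)])
    client.snd_nxt += 10
    acks_on_the_wire = 0
    while line and acks_on_the_wire < limit:
        seg = line.popleft()
        reply = peer_of[seg.src].receive(seg)
        if reply is None:
            continue
        acks_on_the_wire += 1
        if drop_nth_ack is not None and acks_on_the_wire == drop_nth_ack:
            continue          # lost on the wire; pure ACKs are never retransmitted
        line.append(reply)
    return acks_on_the_wire


if __name__ == "__main__":
    print("in sync:              ", run_session(0, 0), "ACK")
    print("desync, one ACK lost: ", run_session(30, 30, drop_nth_ack=200), "ACKs, then silence")
    print("desync, lossless line:", run_session(30, 30), "ACKs (hit the simulation cap)")
```

With the session in sync the data draws exactly one ACK. Once either side has been shifted the endpoints bounce ACKs back and forth until the line loses one, which is the only thing that ends the storm; a lossless line runs into the cap. The pure-ACK rate between one host pair is the signal a monitor looks for.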

Detecting and defending attacks

• To detect attacks, analyse broadcast activity: UDP, NBF (NetBEUI) and SAP (IPX service advertisement) packets.
• To protect an internal network connected to the Internet, do not pass incoming packets from the external network whose source address belongs to the internal network. Alternatively, allow inbound packets only to the ports you actually serve, for example TCP port 80.
• Filter packets where necessary; do not neglect even the built-in filter (Control Panel \ Network \ Protocols \ Properties \ Advanced on Windows NT).
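The address-sanity rules this page recommends in several places (against syslog spoofing, IP spoofing, the UDP "local storm", and in the list above) are written out here as one packet filter and run over constructed packet records. This is an added example, not code from the original article; the interface names, addresses and the list of small UDP services are assumptions.

```python
"""Added example: ingress/egress anti-spoofing filter as a pure function,
exercised on constructed packets as a router would see them."""

import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "iface direction src dst proto sport dport")

INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]
EXTERNAL_IFACES = {"eth0"}                      # eth0 faces the Internet, eth1 the LAN
IFACE_ADDRESS = {"eth0": ipaddress.ip_address("203.0.113.10"),
                 "eth1": ipaddress.ip_address("192.168.1.1")}
SMALL_UDP_SERVICES = {7, 9, 13, 19}             # echo, discard, daytime, chargen


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def verdict(pkt):
    """Return ('DROP', reason) or ('ACCEPT', '') for one packet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    external = pkt.iface in EXTERNAL_IFACES
    inbound = pkt.direction == "in"
    if src.is_loopback or dst.is_loopback:
        return "DROP", "loopback address on the wire"
    if inbound and src == IFACE_ADDRESS.get(pkt.iface):
        return "DROP", "packet claims our own interface address"
    if inbound and external and is_internal(src):
        return "DROP", "ingress: internal source address arriving from outside"
    if not inbound and external and not is_internal(src):
        return "DROP", "egress: source address is not ours"
    if inbound and external and pkt.proto == "udp" and pkt.dport in SMALL_UDP_SERVICES:
        return "DROP", "small UDP services are not exposed"
    return "ACCEPT", ""


def audit(packets):
    return [verdict(p) for p in packets]


# Constructed records: what the router would see on its two interfaces.
SAMPLE = [
    # forged syslog message 'from' an internal host, arriving from the Internet
    Packet("eth0", "in",  "192.168.1.5",  "192.168.1.1",  "udp", 1024,  514),
    # chargen/echo storm trigger between two internal hosts, injected from outside
    Packet("eth0", "in",  "192.168.1.20", "192.168.1.30", "udp", 7,     19),
    # the same trick with loopback as both ends
    Packet("eth1", "in",  "127.0.0.1",    "127.0.0.1",    "udp", 7,     19),
    # outbound packet with a foreign source: one of our hosts spoofing someone
    Packet("eth0", "out", "10.9.9.9",     "198.51.100.7", "tcp", 4444,  80),
    # ordinary inbound web request to the public address
    Packet("eth0", "in",  "198.51.100.7", "203.0.113.10", "tcp", 51000, 80),
    # ordinary outbound request from an inside host (before NAT)
    Packet("eth0", "out", "192.168.1.20", "198.51.100.7", "tcp", 51001, 443),
]

if __name__ == "__main__":
    for pkt, (action, reason) in zip(SAMPLE, audit(SAMPLE)):
        print(f"{action:6s} {pkt.iface} {pkt.direction:3s} {pkt.src} -> {pkt.dst}  {reason}")
```

The egress rule is the one most often forgotten; it is what keeps your own network from being the source of the spoofed packets described above.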

Scan Methods

Using ARP

ARP requests (a broadcast "who has" for every address in the subnet) can be used by attackers to discover the live systems in a local network segment. Unlike ICMP echo, ARP cannot be filtered on the host, so this works even where ping is blocked. Countermeasure: a monitor on the segment can flag a single station issuing ARP requests for many consecutive addresses.

Network scan through DNS

It is well known that before starting an attack, attackers identify their targets, i.e. the computers that will be the victims of the attack and the computers that exchange information with them. One way to identify targets is to query the name server and obtain all available information about the domain from it (a zone transfer, or reverse lookups for every address in a range). Countermeasure: to detect such a scan, analyse the DNS queries (address-to-name lookups) arriving, possibly from different DNS servers, within a fixed period of time; look at what information they request and watch for enumeration of consecutive addresses. Zone transfers (AXFR) should be allowed only to your own secondary servers.

UDP bomb

Ping sweep network scan

A ping sweep, i.e. target detection with ICMP echo requests, is an effective method: every address in the range is sent an echo request, and the addresses that answer are alive.

Countermeasure: to detect ping scanning of targets inside the subnet, analyse the source and destination addresses of ICMP packets; a single source sending echo requests to many consecutive addresses in a short time is a sweep. Blocking inbound ICMP echo at the border stops it from outside, though not ARP-based discovery from inside the segment.

TCP port scan

Port scanning is the well-known method of determining a computer's configuration and the services it offers. There are several TCP scanning methods; some are called "stealth" because they exploit peculiarities of the TCP/IP stack implementations in most modern operating systems and are not detected by standard means (a full connect() scan, by contrast, leaves a completed connection in the application's log). Countermeasures: one can, for example, send the attacker's machine TCP packets with the RST flag set on behalf of the scanned computer, so that every port looks closed; in practice a scan is detected with an intrusion detection system and limited with a firewall that exposes only the ports actually needed.

UDP port scan

Another type of port scanning uses the UDP protocol: a UDP packet addressed to the port being checked is sent to the scanned computer. If the port is closed, the host returns an ICMP "port unreachable" message (destination unreachable, type 3 code 3); otherwise there is no answer (or an application-level reply). This scan is quite effective and lets all ports of the victim computer be scanned in a short time, with two caveats: a probe lost on the way looks exactly like an open port, and many stacks rate-limit ICMP unreachable messages, which slows a full sweep considerably. Countermeasures: one can counter this scanning by sending "port unreachable" messages for every port to the attacker's computer, or by filtering ICMP unreachables and the probes themselves at the firewall.

Stealth scan

The method relies on specifics of the TCP code, so you cannot be sure it will work properly in every situation. It uses TCP packets with the ACK or FIN flag set and no SYN. RFC 793 requires a closed port to answer any such packet with RST, whereas a listening port silently drops a bare FIN. Several methods use this principle:
• Send a FIN packet. If the host returns RST, the port is closed; if nothing comes back, the port is open (or the probe was filtered). This works on most operating systems, but not on Windows, whose stack returns RST to a FIN probe regardless of the port state.
• Send an ACK packet. Both open and closed ports answer with RST, so the port state is read from details of the reply: if the TTL of the returned packet is lower than in the other RST packets received, or its window size is greater than zero, the port is most likely open. This relies on a quirk of some older (mostly BSD-derived) stacks and fails on most current ones; the reliable use of ACK probes is mapping which ports a stateless firewall lets through.

Passive scan

Scanning is commonly used by attackers to find out on which TCP ports the daemons that answer network requests are running. An ordinary scanner program opens connections to the ports one after another; when a connection is established, the program resets it and reports the port number to the attacker. This method is easily detected: by the log messages of daemons "surprised" by a connection dropped immediately after it was established, or with special programs, the best of which try to bring a degree of intelligence to tracking connection attempts on different ports. The attacker can, however, use a different method, called passive scanning here (in English usually "half-open" or "SYN scanning"). He sends a SYN packet to every port in turn (or in some chosen order). Ports that accept connections from outside answer with SYN/ACK, the invitation to continue the three-way handshake; the rest answer with RST. Having analysed the responses, the attacker quickly learns on which ports programs are listening. To each SYN/ACK he can answer with RST, which says that connection setup will not continue (in general the attacker's TCP/IP implementation sends that RST by itself unless he takes special measures). The method is not detected by the previous means, because a real TCP connection is never established. Depending on the attacker's behaviour, however, one can watch for a sharply increased number of sessions in the SYN_RECEIVED state (if the attacker does not send RST) or for RST packets arriving from a client in response to SYN/ACK.
Unfortunately, with sufficiently clever behaviour on the attacker's side (for example, scanning at a low speed or checking only specific ports), half-open scanning cannot be detected, because it looks no different from ordinary attempts to establish a connection. As protection one can only advise closing on the firewall all services to which external access is not required.
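As an added example (not from the original article), here is the detection logic suggested above, run over constructed TCP segment records rather than live traffic. It reports a source that reaches many distinct ports within a short window and counts the handshakes a source aborted with RST after receiving SYN/ACK; the slow scanner in the sample is deliberately missed, which is the limitation the text points out. Addresses, ports, the threshold and the window are assumptions.

```python
"""Added example: half-open (SYN) scan detector over constructed segments."""

from collections import defaultdict, deque, namedtuple

Segment = namedtuple("Segment", "ts src dst sport dport flags")   # flags: "S", "SA", "R"


class SynScanDetector:
    def __init__(self, port_threshold=5, window=10.0):
        self.port_threshold = port_threshold
        self.window = window
        self.recent_syns = defaultdict(deque)   # src -> deque of (ts, dport)
        self.half_open = set()                  # (client, cport, server, sport) that got SYN/ACK
        self.aborted = defaultdict(int)         # client -> handshakes it killed with RST
        self.alerted = set()
        self.alerts = []                        # (ts, src, sorted distinct ports in window)

    def observe(self, seg):
        if seg.flags == "S":
            queue = self.recent_syns[seg.src]
            queue.append((seg.ts, seg.dport))
            while queue and seg.ts - queue[0][0] > self.window:
                queue.popleft()                 # forget SYNs older than the window
            ports = sorted({p for _, p in queue})
            if len(ports) >= self.port_threshold and seg.src not in self.alerted:
                self.alerted.add(seg.src)
                self.alerts.append((seg.ts, seg.src, ports))
        elif seg.flags == "SA":
            # server -> client; remember the flow from the client's point of view
            self.half_open.add((seg.dst, seg.dport, seg.src, seg.sport))
        elif seg.flags == "R":
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if key in self.half_open:           # RST instead of the final ACK
                self.half_open.discard(key)
                self.aborted[seg.src] += 1


def scan_traffic(src, dst, ports, open_ports, start, step):
    """Constructed half-open scan: SYN to every port; open ports answer
    SYN/ACK and the scanner kills the embryonic connection with RST."""
    segs = []
    for i, port in enumerate(ports):
        ts, sport = start + i * step, 40000 + i
        segs.append(Segment(ts, src, dst, sport, port, "S"))
        if port in open_ports:
            segs.append(Segment(ts + 0.01, dst, src, port, sport, "SA"))
            segs.append(Segment(ts + 0.02, src, dst, sport, port, "R"))
    return segs


def analyse(segments):
    detector = SynScanDetector()
    for seg in sorted(segments, key=lambda s: s.ts):
        detector.observe(seg)
    return detector.alerts, dict(detector.aborted)


# Constructed traffic: a fast scanner, a slow scanner (one port every 30 s)
# and one normal client connecting to the web server.
PORTS = [21, 22, 23, 25, 80, 110, 143]
OPEN = {22, 25, 80}
SAMPLE = (scan_traffic("10.0.0.9", "10.0.0.1", PORTS, OPEN, start=0.0, step=0.2)
          + scan_traffic("10.0.0.10", "10.0.0.1", PORTS, OPEN, start=100.0, step=30.0)
          + [Segment(5.0, "10.0.0.5", "10.0.0.1", 50000, 80, "S"),
             Segment(5.01, "10.0.0.1", "10.0.0.5", 80, 50000, "SA")])

if __name__ == "__main__":
    alerts, aborted = analyse(SAMPLE)
    print("alerts:", alerts)
    print("aborted handshakes per client:", aborted)
```

The aborted-handshake count is the stronger signal: it is not defeated by scanning slowly, only by never sending the RST, which leaves the SYN_RECEIVED entries the text mentions instead.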

Invitation to the system and the danger of the information contained in it

The "system prompt" (login banner) that central computers display on remote-access terminals before user login should be removed. The reasons:
• the banner usually contains information that lets the attacker identify the type and version of the operating system of the central computer, the type of remote-access software and so on. Such information greatly simplifies penetration, because the attacker can pick attack tools that exploit the weaknesses of that particular system;
• the banner usually reveals which organisation the system belongs to. If the system belongs to a government agency or a financial institution, the attacker's interest may grow considerably;
• in a recent trial the court rejected a company's suit against a person who had entered its network without authorization, because he argued that the remote-access terminal of the central computer had greeted him with "Welcome to ...".

A few tips when researching the network

• Scan the server for open ports and services.
• Try to log in to the server as IUSR_<machine name>, the anonymous account that IIS creates.
• Try to fetch SAM._ from /REPAIR (the password hashes in the SAM are obtained after decompressing the file with the expand command).
• The directories /scripts and /cgi-bin, as many probably know, allow any file placed in them to be executed on NT, so access to these directories should be closed. The launch is performed from the browser by a request of roughly this form (if the executable is in /scripts): http://www.idahonews/scripts/getadmin.exe?Test
• Remember that programs in /SCRIPTS run under the Web server's account, not under the account of the user who launched them. One can therefore try to dump the password hashes from the registry with PWDUMP.EXE; the hashes are not plaintext, so save the resulting page as a text file and try to crack them with BRUTEFORCE. If the web account is privileged, this is how administrator passwords leak.
• Under the administrator account one can change the aliases (virtual directories) for ftp and http.

Some other ways to get information

• Use whois or nslookup to look up alternative names and find out who owns the network. Note the range of IP addresses for subsequent scanning.
• Go to the nearest router and find out what you can. To find the router, trace the route (traceroute) to any IP address from the discovered range; the nearest router is recognised by its response time.
• Try logging in to the router by telnet.
• Run an IP-range scanner to discover the services running on the hosts.

Holes and administrative errors in Windows NT

• Consider the vulnerability caused by an implementation error in the system; it leads to the attack known as GetAdmin. The flaw is in the NtAddAtom system service, which does not check the parameters passed to it and can be made to set bit 0 at NtGlobalFlag + 2 (to locate it, the exploit opens ntoskrnl.exe and finds the entry point of NtAddAtom). Setting this bit disables the debugger-privilege check in NtOpenProcess and NtOpenThread, so any user gains the right to open any process in the system. The attack opens the Winlogon process and injects a DLL into it; since that process runs with SYSTEM privileges, the DLL can add a user to the Administrators group or remove one from it. Other breaches of system security are possible in theory.
• One of the most popular ways into a system is password guessing. To counter it, a user account is usually locked after a certain number of failed login attempts. The notable exception is the Administrator account, which is never locked out; if it is allowed to log in over the network, this opens a loophole for unhurried password guessing. For protection it is recommended to rename the Administrator user, configure account lockout, forbid the administrator to log in over the network, block SMB over TCP/IP (ports 137, 138, 139) at the border, and enable logging of failed logins.

Spamming

Spammers will not merely look for ISPs from which to start sending their junk mail; they will most likely choose a corporation, because an Internet service provider works out what happened more easily and can probably get rid of such messages faster. Intermittent spamming can disrupt legitimate users by overloading the mail server. The problem is that connecting to an SMTP server is not difficult: knowing only 7 or 8 SMTP commands is enough to make the server distribute your messages. As protection, the addresses in incoming messages can be checked against the database of the server's registered users: if neither the sender's address nor any of the recipients he asks for is in the list, the mail is not relayed. Since the sender address given in MAIL FROM is not authenticated, the check must not rely on it alone; the relay decision should be based on the client's network address or on SMTP authentication.

How to protect the mail system from spammers

• If you do not read the logs, spammers will act with impunity.
• Configure all but one of your company's mail servers so that they do not honour message-forwarding (relay) requests. The remaining server must carefully filter by client IP address.
• Keep every mail server that can accept relay requests inside the area covered by your firewall.

How spammers work

• Target selection: the spammer picks a company's domain name at random and then guesses the host name of its SMTP mail server. If the server accepts mail, the spammer asks it to distribute a message to a list of addresses.
• The server carries out the request, so the messages appear to leave from the IP address of the victim company.
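The relay check proposed above, implemented as the policy half of a tiny SMTP server and exercised with a constructed spammer session, as an added example (not code from the original article). Because MAIL FROM is unauthenticated, the decision keys on the client's network address and on the recipient's domain rather than on the claimed sender; the domain, the trusted network and the reply texts are assumptions, while the command verbs are the real ones a spammer types.

```python
"""Added example: SMTP relay policy that refuses the 'forwarding request'
an open relay would honour, driven by a constructed command transcript."""

import ipaddress

LOCAL_DOMAINS = {"example.com"}                          # mail we deliver locally
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # our own users may relay


def is_trusted(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def address_in(arg):
    """'FROM:<user@host>' or 'TO:<user@host>' -> 'user@host' (lower-cased)."""
    return arg.split(":", 1)[-1].strip().strip("<>").lower()


class SmtpPolicySession:
    def __init__(self, client_ip):
        self.client_ip = client_ip
        self.mail_from = None
        self.recipients = []

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.com"
        if verb == "MAIL":
            self.mail_from = address_in(arg)     # recorded for the log, never trusted
            self.recipients = []
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            rcpt = address_in(arg)
            local = rcpt.rsplit("@", 1)[-1] in LOCAL_DOMAINS
            if local or is_trusted(self.client_ip):
                self.recipients.append(rcpt)
                return "250 2.1.5 Recipient OK"
            # Neither delivery to us nor a client of ours: refuse to relay.
            return "550 5.7.1 Relaying denied"
        if verb == "DATA":
            if not self.recipients:
                return "503 5.5.1 No valid recipients"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"


def run_session(client_ip, commands):
    """Feed the commands of one session; return the server's replies."""
    session = SmtpPolicySession(client_ip)
    return [session.handle(c) for c in commands]


# Constructed spammer session from an outside address asking us to deliver
# to two addresses that are not ours.
SPAM_SESSION = [
    "HELO relay-probe.invalid",
    "MAIL FROM:<promo@spammer.invalid>",
    "RCPT TO:<victim1@elsewhere.example>",
    "RCPT TO:<victim2@another.example>",
    "DATA",
]

if __name__ == "__main__":
    for command, reply in zip(SPAM_SESSION, run_session("198.51.100.7", SPAM_SESSION)):
        print(f"C: {command}\nS: {reply}")
```

Inbound mail for example.com is still accepted from anywhere, and hosts on the trusted network may send outward; only the combination "outside client, outside recipient" is refused, which is exactly the request the spammer makes.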

Holes IIS, WWW, FTP

• A sender can forge his address as follows: he connects himself to the SMTP port of the machine on whose behalf he wants to send the letter and types in the text of the message.
• The FTP service allows connections to be established to a port address specified by the client. An attacker can use this to issue dangerous commands through the FTP service to third-party hosts (the "FTP bounce"). The registry contains the key HKLM\System\CurrentControlSet\Services\MSFTPSVC\Parameters with the value EnablePortAttack (REG_DWORD). Make sure it is set to 0, not 1.
• If you connect to port 80 by telnet and send the command "GET ../..", IIS crashes with the message "The application, exe\inetinfo.dbg, generated an application error. The error occurred on date @ time. The exception generated was c0000005 at address 53984655".
• An address of the form http://www.domain.com/scripts..\..\scriptname allows the specified script to be executed. The default user, Guest or IUSR_WWW, has the right to read all files in all directories, so those files can be viewed, downloaded and run.
• The directories \scripts and \cgi-bin should be closed, since any file in them can be run directly from the browser window.
• If IIS receives a very long URL (4-8 KB), the server hangs and stops answering further requests. The exact size depends on the particular server, so "killer" programs start from some base request size and increase it step by step until they find the critical point that hangs the victim's server.
• Users of Outlook Express 98 must reckon with the fact that this mailer processes, including for execution, Visual Basic scripts that can easily be hidden in a message; such a script has full access to the file system. The only real protection is to set the "security level" in Outlook to "maximum".
• If HTML tags are allowed in a chat, nothing stops someone from inserting something like <img src="http://www.mysite.com/cgi-bin/sniffer.cgi"> into a message; everyone present in the chat (even those not registered) will call the script without knowing it.
• Restrict access to port 25 to specific users only.