
Network attacks and something else

Introduction to network attacks

Brief descriptions of network attacks

Fragmentation of data

Transmission of fragmented IP packets

Ping flooding attack

PingOfDeath or SSPing

UDP bomb

SYN flooding

Non-standard protocols encapsulated in IP

Using TFTP

Smurf attack

Land attack

Introducing a false server into the Internet by creating a directed "storm" of false DNS responses at the attacked host

Introducing a false server into the Internet by intercepting a DNS query or creating a directed "storm" of false DNS responses at the attacked DNS server

Introducing a false DNS server into the Internet by intercepting a DNS query

DNS flooding attack

DNS spoofing attack

IP spoofing attack

Packet Imposition

Sniffing - listening to the channel (possible only in the LAN segment)

Intercepting packets on the router

Imposing a false route on a host with ICMP

WinNuke

False ARP server

TCP sequence number prediction (IP spoofing)

Local storm

IP Hijacking

Detection and protection against attacks

Scanning methods

Using the ARP protocol

Scanning the network through DNS

UDP bomb

Scanning TCP Ports

Scanning UDP Ports

Stealth-scan

Passive scanning

System banners and the danger of the information they disclose

A few tips for network research

Some other ways of obtaining information

Holes and administrative errors in Windows NT

Spamming

How to protect the mail system from spammers

How Spammers Work

Holes in IIS, WWW and FTP

Introduction to network attacks

The growing interest in TCP/IP networks is due to the rapid growth of the Internet, and with it comes the question of how to protect one's information resources from attacks arriving from the external network. If you are connected to the Internet, your system may be attacked. The protocols of the IP family are the foundation of both intranets and the global Internet. Although the development of TCP/IP was funded by the US Department of Defense, TCP/IP has no built-in security and permits the various types of attacks discussed in this chapter. To carry out such attacks, a potential attacker must control at least one system connected to the Internet.

One approach to analysing threats to computer systems is to single out the threats inherent only to computer networks as a separate class: the class of remote attacks. This classification is justified by a fundamental feature of network operating systems: their components are distributed in space, and they communicate physically over network links (coaxial cable, twisted pair, fibre, etc.) and logically through a message-passing mechanism. Every control message and every piece of data that one component of the network OS sends to another travels over these links as packets. This is the root cause of the new class of threats. In a remote attack the attacker interacts with the recipient of the information, the sender and/or the intermediate systems, possibly modifying and/or filtering the contents of TCP/IP packets. Such attacks often look technically difficult, but a competent programmer has no trouble writing the necessary tools.

The ability to craft arbitrary IP packets is the key requirement for active attacks. Remote attacks are classified by the nature of the action as active or passive. Active attacks fall into two groups: in the first, the attacker intercepts and modifies the network stream or impersonates another system; in the second, the TCP/IP protocols themselves are used to render the victim inoperable. In a passive attack the attacker does not reveal himself and does not interact directly with other systems; everything comes down to observing available data or communication sessions. Passive attacks can nevertheless violate the network security policy.

The idea behind attack detection is simple: every attack corresponds to some characteristic network traffic, so traffic analysis makes it possible to identify the attack and find the "traces" of the attacker, i.e. the IP addresses from which the attack was carried out. Attack detection therefore amounts to monitoring information flows by analysing network traffic.

Brief descriptions of network attacks

It should be borne in mind that crude methods such as pinging with large packets or SYN flooding can flood any Internet host or subnet regardless of its configuration.

Fragmentation of data

When an IP datagram is transmitted across a network it may be split into several fragments; when the fragments reach the destination, the original datagram is reassembled from them. An attacker can generate a large number of fragments, which overflows the reassembly buffers on the receiving side and in some cases crashes the system.

Transmission of fragmented IP packets with a total size of more than 64 KB

A fairly large number of attacks exploit IP fragmentation. Several fragmented IP packets are sent to the victim machine which, once reassembled, form a datagram larger than 64 KB (the maximum IPv4 datagram size is 65,535 bytes including the header, so the payload can be at most 65,535 bytes minus the header length). This attack was effective against computers running Windows: on receiving such a datagram, a Windows NT system without the special icmp-fix patch hangs or crashes. Other variants of the attack use incorrect offsets in the IP fragments (overlapping or inconsistent ranges), which leads to incorrect memory allocation, buffer overflows and ultimately to system failures.

Counteraction: detecting such attacks requires reassembling fragments "on the fly" and checking the result before it reaches the host, which significantly increases the hardware requirements of the filtering device.
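As an added example (not code from the original page), here is a minimal IPv4 fragment-reassembly check in Python that flags the two fragment abuses described above: a reassembled datagram larger than the 65,535-byte IPv4 maximum (the PingOfDeath case) and fragments whose offsets overlap (the "incorrect offsets" variant). The fragment lists are constructed inline; a filter doing this "on the fly" would run the same check before allocating a reassembly buffer.

```python
# Added example: IPv4 fragment sanity check. Fragment data below is constructed
# for illustration, not captured traffic.

IP_MAX_LEN = 65535       # IPv4 total length is a 16-bit field
IP_HEADER_LEN = 20       # minimal header; fragment offsets count payload bytes only


class Fragment:
    """One IP fragment: offset in 8-byte units, payload length, MF (more fragments) flag."""

    def __init__(self, offset_units, payload_len, more_fragments):
        self.start = offset_units * 8            # first payload byte covered
        self.end = self.start + payload_len      # one past the last byte
        self.mf = more_fragments


def split_payload(total_payload, chunk=1480):
    """Fragment a payload the way a sender on a 1500-byte MTU would (chunk % 8 == 0)."""
    frags, start = [], 0
    while start < total_payload:
        length = min(chunk, total_payload - start)
        frags.append(Fragment(start // 8, length, start + length < total_payload))
        start += length
    return frags


def check_fragments(fragments):
    """Return (verdict, detail) for the fragments of one datagram.

    Verdicts: 'oversize'   - reassembled datagram would exceed IP_MAX_LEN (PingOfDeath)
              'overlap'    - a fragment starts inside the previous one (bad offsets)
              'incomplete' - gaps, no first fragment, or inconsistent MF flags
              'ok'         - detail is the reassembled datagram length incl. header
    The checks run before any buffer is allocated; a vulnerable stack allocates first."""
    if not fragments:
        return "incomplete", 0
    frags = sorted(fragments, key=lambda f: f.start)

    total = max(f.end for f in frags) + IP_HEADER_LEN
    if total > IP_MAX_LEN:
        return "oversize", total

    prev_end = 0
    for f in frags:
        if f.start < prev_end:
            return "overlap", (f.start, prev_end)
        prev_end = f.end

    contiguous = frags[0].start == 0 and all(
        frags[i].start == frags[i - 1].end for i in range(1, len(frags)))
    one_last = (not frags[-1].mf) and all(f.mf for f in frags[:-1])
    if not (contiguous and one_last):
        return "incomplete", prev_end
    return "ok", prev_end + IP_HEADER_LEN


if __name__ == "__main__":
    print(check_fragments(split_payload(4000)))                               # normal 4 KB datagram
    print(check_fragments(split_payload(65520)))                              # PingOfDeath-sized datagram
    print(check_fragments([Fragment(0, 36, True), Fragment(3, 24, False)]))   # overlapping offsets
```

The oversize test is deliberately done on the largest fragment end rather than on the last fragment received, because the attacker controls the order in which fragments arrive.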

Ping flooding attack

This attack exists because the ping program, designed to assess line quality, has a flag for "aggressive" testing (on Unix, ping -f, which is restricted to root). In this mode requests are sent as fast as possible, which lets one evaluate how the network behaves under maximum load. To use it as an attack, the attacker needs access to a fast Internet link. Recall how ping works: the program sends an ICMP ECHO REQUEST packet with a timestamp and an identifier in it; the kernel of the destination machine answers with an ICMP ECHO REPLY; on receiving it, ping reports the round-trip time. In normal operation packets are sent at intervals and hardly load the network, but in "aggressive" mode the stream of ICMP echo request/reply packets can saturate a slow line and leave no room for useful traffic.

Ping is only a special case of the more general problem of channel overload. For example, an attacker can send a stream of UDP packets to port 19 of a victim machine; if the machine follows common practice and runs a character generator (chargen) on UDP port 19, it answers every packet with a line of characters, amplifying the attacker's traffic. Note that the attacker can also forge the source address of such packets, which makes him hard to trace: tracing requires coordinated work by the operators of the intermediate routers, which is almost impossible to arrange. Another variant is to send ICMP echo requests with the victim's address as the source to the broadcast addresses of large networks. Every machine in those networks answers the forged request, and the victim receives far more replies than the attacker sent; a steady stream of such broadcast echo requests "on behalf of" the victim quickly fills the victim's channel (this is the smurf attack described below).

Signs of flooding are a sharply increased load on the network (or channel) and a rise in the number of packets of a particular kind (such as ICMP). As protection, configure routers to filter ICMP traffic that exceeds a predefined rate (packets per unit of time). To make sure that your own machines cannot serve as the source of ping floods, restrict who may run ping in flood mode.

PingOfDeath or SSPing

Its essence: a heavily fragmented ICMP packet of large size (over 64 KB) is sent to the victim's machine. Windows systems react to such a packet by hanging completely, mouse and keyboard included. The attack program is widely available on the network as C source and as executables for some Unix versions. Curiously, unlike WinNuke, the victims are not only Windows machines: MacOS and some Unix versions are also affected. The advantages of this attack are that firewalls usually pass ICMP packets, and if a firewall filters by sender address, simple spoofing techniques defeat it. The drawback of PingOfDeath is that each attack requires sending more than 64 KB over the network, which makes it not very useful for large-scale attacks.

UDP bomb

The UDP packet contains invalid values in its header fields. Some older versions of network software crash the system on receiving such a packet.

SYN flooding

Flooding with SYN packets is the best-known way to "jam" an information channel. Recall how TCP handles incoming connections. The system answers an incoming SYN from the client with a SYN/ACK, moves the connection to the SYN_RECEIVED state and places it in a queue of half-open connections. If the client's ACK does not arrive within a set time, the entry is removed from the queue; otherwise the connection moves to the ESTABLISHED state. Now consider the case where the queue of incoming connections is already full and the system receives a SYN packet asking to establish a connection: according to the RFC it is silently ignored. SYN flooding is based on overflowing this server queue, after which the server stops answering user requests. The most famous attack of this kind was the one on Panix, a New York provider, which was out of service for two weeks.

Different systems implement the queue differently. In BSD-derived systems each port has its own queue of 16 entries; in SunOS, by contrast, there is no such division and the system has one large common queue. Accordingly, 16 SYN packets are enough to block, say, the WWW port on BSD, while on Solaris 2.5 many more are needed. After a certain time (implementation-dependent) the system removes the entries from the queue, but nothing prevents the attacker from sending a new batch of requests. Thus, even on a 2400 bps link, an attacker can send 20 to 30 packets every 20 minutes to a FreeBSD server and keep it inoperable (this was, of course, fixed in later versions of FreeBSD). As usual, the attacker can use random source IP addresses when forming the packets, which makes his traffic hard to detect and filter.

Detection is easy: a large number of connections in the SYN_RECEIVED state and ignored attempts to connect to the port. As protection, use patches that "prune" the queue automatically, for example based on the Early Random Drop algorithm (modern stacks solve the same problem with SYN cookies); to find out whether your system is protected against SYN flooding, ask the vendor. Another option is to configure the firewall so that all incoming TCP/IP connections are first completed by the firewall itself and only then handed to the specified machine inside the network; this limits SYN flooding and keeps it out of the internal network.

This attack is a denial-of-service attack: its result is the inability to provide a service. It is usually aimed at one specific service, such as telnet or ftp, and consists of sending connection-establishment packets to the port of the attacked service. On receiving a request, the system allocates resources for the new connection and then tries to answer (send a SYN/ACK) to an unreachable address. By default, NT versions 3.5 to 4.0 retry the SYN/ACK 5 times, after 3, 6, 12, 24 and 48 seconds; after that the system waits another 96 seconds for a reply, and only then releases the resources allocated for the connection. The total time the resources are held is 189 seconds.
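As an added example (not from the original page), the following Python model reproduces the queue behaviour described above and the detection check it recommends. The retransmission timers are the NT 3.5-4.0 values quoted in the text, the 16-entry per-port queue is the BSD figure, and the netstat output is constructed rather than captured.

```python
# Added example: half-open queue model for SYN flooding plus SYN_RECEIVED counting.
# All inputs are constructed for illustration.
from collections import Counter

NT_SYNACK_RETRIES = [3, 6, 12, 24, 48]   # seconds before each SYN/ACK retransmission (NT 3.5-4.0)
NT_FINAL_WAIT = 96                       # final wait after the last retransmission


def nt_hold_seconds():
    """Seconds one unanswered SYN keeps a queue slot on NT 3.5-4.0: 189."""
    return sum(NT_SYNACK_RETRIES) + NT_FINAL_WAIT


class HalfOpenQueue:
    """Per-port queue of SYN_RECEIVED entries with a fixed capacity.
    A SYN arriving when the queue is full is silently dropped, as the RFC prescribes."""

    def __init__(self, capacity, hold_seconds):
        self.capacity = capacity
        self.hold = hold_seconds
        self._expiry = []                    # expiry time of each half-open entry

    def has_room(self, now):
        self._expiry = [t for t in self._expiry if t > now]   # drop timed-out entries
        return len(self._expiry) < self.capacity

    def offer_syn(self, now):
        """A SYN whose SYN/ACK will never be answered: occupies a slot until timeout."""
        if not self.has_room(now):
            return False
        self._expiry.append(now + self.hold)
        return True


def simulate_flood(capacity, hold_seconds, attack_interval, duration):
    """Fraction of legitimate connection attempts (one per second) that are refused
    while an attacker sends one spoofed SYN every `attack_interval` seconds.
    Legitimate clients finish the handshake at once, so they never hold a slot."""
    queue = HalfOpenQueue(capacity, hold_seconds)
    refused = 0
    for now in range(duration):
        if not queue.has_room(now):
            refused += 1                     # legitimate SYN silently ignored
        if now % attack_interval == 0:
            queue.offer_syn(now)             # spoofed SYN; SYN/ACK goes to an unreachable address
    return refused / duration


SYN_RECV_STATES = {"SYN_RECV", "SYN_RECEIVED", "SYN_RCVD"}


def count_half_open(netstat_output):
    """Count half-open connections per local port in `netstat -an` text
    (Linux 'addr:port' and BSD 'addr.port' formats are both handled)."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] in SYN_RECV_STATES:
            local = fields[3]
            sep = ":" if ":" in local else "."
            counts[int(local.rsplit(sep, 1)[1])] += 1
    return dict(counts)


# Constructed netstat sample: three half-open connections on port 80, one on port 23.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             198.51.100.9:40211      ESTABLISHED
tcp        0      0 10.0.0.5:80             203.0.113.17:1234       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.44:1235       SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.201:1236      SYN_RECV
tcp        0      0 10.0.0.5:23             203.0.113.77:1300       SYN_RECV
"""

if __name__ == "__main__":
    hold = nt_hold_seconds()
    for interval in (1, 10, 20):
        print(f"1 spoofed SYN every {interval:2d}s, 16-slot queue, {hold}s hold:",
              f"{simulate_flood(16, hold, interval, 1000):.0%} of clients refused")
    print(count_half_open(SAMPLE_NETSTAT))
```

With a 16-slot queue and a 189-second hold, one spoofed SYN every 20 seconds never fills the queue, one every 10 seconds refuses most clients, and one per second refuses nearly all of them; that is the arithmetic behind the "20-30 packets every 20 minutes" figure in the text.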

Non-standard protocols encapsulated in IP

The IP header contains a field specifying the protocol of the encapsulated packet (TCP, UDP, ICMP). Attackers can use a non-standard value in this field to carry data that standard traffic monitoring tools will not inspect.

Using TFTP

TFTP has no authentication mechanism, which makes it attractive to intruders.

Smurf attack

The smurf attack consists of sending ICMP echo requests to a network's broadcast address with the victim's address as the source. Every computer that receives the broadcast replies to the victim, which sharply reduces the bandwidth available on the victim's link and in some cases cuts the attacked network off completely. The smurf attack is exceptionally effective and widespread. Counteraction: to recognise the attack, analyse the channel load and find the cause of the bandwidth drop; to avoid being used as an amplifier, configure routers not to forward directed broadcasts (on Cisco IOS, no ip directed-broadcast on each interface).

Land attack

The Land attack exploits vulnerabilities in the TCP/IP stack implementations of some operating systems. A TCP packet with the SYN flag set is sent to an open port of the victim computer, with the source address and port of the packet equal to the address and port of the attacked computer. The victim then tries to establish a connection with itself, which drives CPU usage up sharply and may hang or reboot it. The attack is very effective against some Cisco Systems router models, and a successful attack on the router can disable the organisation's entire network. Counteraction: install a packet filter between the internal network and the Internet with a rule that drops packets arriving from the Internet whose source IP addresses belong to computers on the internal network, and packets whose source address equals their destination address.
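As an added example (not from the original page), the following Python functions implement, over a constructed packet list, the detection signatures mentioned in the ping flooding, smurf and Land sections: an ICMP echo-request rate per source, many echo replies converging on one destination from distinct sources (the smurf victim's view), and a TCP SYN whose source address and port equal its destination. The thresholds and addresses are illustrative assumptions.

```python
# Added example: traffic-pattern checks for ping flooding, smurf and Land.
# The capture below is constructed for illustration; thresholds are assumptions.
from collections import Counter, defaultdict, namedtuple

Packet = namedtuple("Packet", "t src dst proto icmp_type sport dport flags")
ECHO_REPLY, ECHO_REQUEST = 0, 8


def _max_in_window(times, window):
    """Largest number of events falling within any `window`-second span."""
    times = sorted(times)
    lo, best = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def icmp_flood_sources(packets, window=1.0, threshold=100):
    """Sources sending more than `threshold` echo requests within any `window` seconds."""
    by_src = defaultdict(list)
    for p in packets:
        if p.proto == "icmp" and p.icmp_type == ECHO_REQUEST:
            by_src[p.src].append(p.t)
    peaks = {src: _max_in_window(ts, window) for src, ts in by_src.items()}
    return {src: n for src, n in peaks.items() if n > threshold}


def smurf_targets(packets, window=1.0, min_sources=20):
    """Destinations that receive echo replies from at least `min_sources` distinct
    hosts within `window` seconds: what the victim of a smurf attack sees."""
    by_dst = defaultdict(list)
    for p in packets:
        if p.proto == "icmp" and p.icmp_type == ECHO_REPLY:
            by_dst[p.dst].append((p.t, p.src))
    flagged = {}
    for dst, events in by_dst.items():
        events.sort()
        seen, lo, best = Counter(), 0, 0
        for t, src in events:
            seen[src] += 1
            while t - events[lo][0] > window:          # slide the window forward
                old = events[lo][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                lo += 1
            best = max(best, len(seen))
        if best >= min_sources:
            flagged[dst] = best
    return flagged


def land_packets(packets):
    """TCP SYNs whose source address:port equals the destination address:port."""
    return [p for p in packets
            if p.proto == "tcp" and "S" in p.flags and p.src == p.dst and p.sport == p.dport]


def constructed_capture():
    pkts = []
    # 150 echo requests from one host within half a second: a ping -f style flood
    pkts += [Packet(i * 0.003, "203.0.113.5", "198.51.100.1", "icmp", ECHO_REQUEST, 0, 0, "")
             for i in range(150)]
    # 40 hosts of 192.0.2.0/24 answering a broadcast ping forged in the victim's name
    pkts += [Packet(5.0 + i * 0.001, f"192.0.2.{i + 1}", "198.51.100.1", "icmp", ECHO_REPLY, 0, 0, "")
             for i in range(40)]
    # Land: a SYN to port 139 whose source is the victim's own address and port
    pkts.append(Packet(9.0, "198.51.100.1", "198.51.100.1", "tcp", None, 139, 139, "S"))
    # an ordinary ping, one request per second, which must not be flagged
    pkts += [Packet(10.0 + i, "198.51.100.7", "198.51.100.1", "icmp", ECHO_REQUEST, 0, 0, "")
             for i in range(5)]
    return pkts


if __name__ == "__main__":
    cap = constructed_capture()
    print("ping flood sources:", icmp_flood_sources(cap))
    print("smurf targets:", smurf_targets(cap))
    print("land packets:", len(land_packets(cap)))
```

The flood check keys on the source address, which the text warns may be forged; the smurf check deliberately keys on the destination instead, because the victim sees genuine replies from genuine hosts and only the volume and the number of distinct senders give the attack away.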

Introducing a false server into the Internet by creating a directed "storm" of false DNS responses at the attacked host

Another variant of the remote attack on the DNS service is based on the second kind of typical remote attack, the "false object of a distributed computing system (DCS)". Here the attacker continuously sends a pre-prepared false DNS response to the attacked host on behalf of the real DNS server, without having received any DNS request: he creates a directed "storm" of false DNS responses on the Internet. This is possible because DNS requests are normally sent over UDP, which has no means of identifying packets. The only criteria by which the host's network OS accepts a response as coming from the DNS server are: first, the source IP address of the response matches the IP address of the DNS server; second, the response carries the same DNS name as the query; third, the response arrives at the same UDP port from which the request was sent (this is the attacker's first problem); and fourth, the request ID field in the DNS header of the response contains the same value as in the transmitted query (this is the second problem). Since the attacker cannot intercept the DNS query, his main problem is the UDP port number from which the request was sent. But the sender's port number takes a limited set of values (1023?), so the attacker simply enumerates them, sending false responses to the corresponding list of ports. At first glance the two-byte DNS query ID is the second problem, but in practice it is either equal to one or close to zero (one request, and the ID is incremented by 1). Therefore, to carry out this remote attack, the attacker chooses the host A of interest, whose route he wants to change so that it passes through the false server, i.e. the attacker's host.

This is achieved by constantly sending ("storming") false DNS responses to the attacked host in the name of the real DNS server to the corresponding UDP ports; in these false responses the IP address of host A is given as the attacker's IP address. The attack then develops as follows. As soon as the target (the attacked host) addresses host A by name, a DNS request leaves the host. The attacker never receives this request, but does not need to, because the host immediately receives one of the constantly transmitted false DNS responses, which its OS treats as the real response from the DNS server. The attack has succeeded: the attacked host now sends every packet destined for A to the IP address of the attacker's host, which forwards them to A, acting on the intercepted information according to the "false DCS object" scheme. The functional scheme of this remote attack on the DNS service:
• constant transmission of false DNS responses to the attacked host on various UDP ports and, possibly, with different IDs, on behalf of (from the IP address of) the real DNS server, carrying the name of the host of interest and its false IP address, which is the IP address of the false server, the attacker's host;
• when a packet is received from the host, rewrite the source IP address in its IP header to the attacker's IP address and send it on to the server (the false server works with the server on its own behalf, from its own IP address);
• when a packet is received from the server, rewrite the source IP address in its IP header to the false server's address and send it to the host (for the host, the false server is the real server).

Thus this remote attack, using security gaps in the DNS service, allows routing between two specified objects to be disrupted from anywhere on the Internet. That is, the attack is carried out inter-segmentally with respect to the target and threatens the security of any Internet host that uses the ordinary DNS service. A caveat for the present day: the small port and ID search spaces that make the storm practical were a property of the resolvers of that era; a resolver that randomises both the source port and the transaction ID (as RFC 5452 requires) forces the attacker to search roughly 2^32 combinations.

Introducing a false server into the Internet by intercepting a DNS query or creating a directed "storm" of false DNS responses at the attacked DNS server

From the remote DNS lookup scheme it follows that if the DNS server named in the query does not find the name in its database, it forwards the request to one of the root DNS servers, whose addresses are held in the server's root.cache configuration file. That is, a DNS server that lacks information about the requested host forwards the request further, and so the DNS server itself now initiates a remote DNS lookup. Nothing therefore prevents the attacker, acting as described in the previous section, from directing his attack at the DNS server: the target is now the DNS server rather than the host, and the false DNS responses are sent to the attacked DNS server on behalf of the root DNS server. One peculiarity of DNS server operation matters here. To speed up its work, every DNS server caches its own table of host names and IP addresses in memory, including dynamically learned entries found while the server operates. If the server receives a request and finds no matching entry in its cache, it forwards the request to the next server and, on receiving a response, enters the information found into the cache; the next request for the same name needs no remote lookup because the information is already there.

From this it becomes obvious that if the attacker sends a false DNS response (or, in the "storm" variant, keeps sending them) in answer to the DNS server's request, a cache entry with false information appears on the server, and from then on every host that uses this DNS server is misinformed: when it accesses the host whose route the attacker has decided to change, communication goes through the attacker's host according to the "false DCS object" scheme. Over time this false information in the DNS server's cache spreads to neighbouring higher-level DNS servers, and ever more Internet hosts are misinformed and attacked. Obviously, if the attacker cannot intercept the DNS server's request, he needs a "storm" of false DNS responses directed at the DNS server. This raises a main problem different from the port enumeration of the attack on a host. As noted earlier, when a DNS server sends a request to another DNS server it identifies it with a two-byte value (ID) that is incremented by one with each transmitted query. The attacker has no way to learn the current value of the ID, so nothing better than enumerating the 2^16 possible ID values can be offered. On the other hand, the port enumeration problem disappears, because a DNS server of that era sends all its queries from port 53, so the false responses need only be addressed to port 53. The next problem, a prerequisite for this storm of false responses to succeed, is that the attack works only when the DNS server actually sends a request for the specific name contained in the false response.

The DNS server sends this needed request only when it receives a DNS request for that name from some host and the name is not in its cache. In principle such a request may arrive at any time, and the attacker might have to wait indefinitely for the result of the attack. However, nothing prevents the attacker from sending such a DNS query to the attacked DNS server himself and provoking it to look up the name specified in the query; then the attack is likely to succeed almost immediately after it starts.

Introducing a false DNS server into the Internet by intercepting a DNS query

This is a remote attack based on the standard typical remote attack of waiting for a DNS lookup request. Before considering the attack algorithm for DNS, note the following subtleties of how the service works. First, by default DNS operates over UDP (although TCP can be used), which naturally makes it less secure, since UDP, unlike TCP, provides no means of identifying messages. To switch from UDP to TCP the DNS server administrator has to study the documentation seriously, and the transition slows the system somewhat: TCP requires a virtual connection, and the client's network OS first sends the DNS request over UDP and only if it receives a special response from the DNS server (one marked truncated) does it repeat the request over TCP. Second, the "sender port" field of the UDP packet initially takes the value 1023 (?) and then increases with every DNS query sent. Third, the DNS query ID behaves as follows. When a request is sent by a host, its value depends on the particular network application that generates the query. The author's experiments showed that for requests sent from the command shell of Linux and Windows 95 (for example, ftp nic.funet.fi) this value is always one; when the query is sent by Netscape Navigator, the browser increments the value by one with each new request; and when the request is sent by a DNS server, the server increments the ID by one with each transmitted query. All these subtleties matter for the attack without interception of the DNS query.

To carry out the attack by intercepting a DNS request, the attacker must intercept the query, extract from it the UDP port number of the request, the two-byte request ID and the requested name, and then send to the UDP port taken from the query a false DNS response, on behalf of the real DNS server, which gives as the requested IP address the real IP address of the false DNS server. This will in future completely intercept the traffic between the "deceived" host and the server and allow the attacker to act on it actively according to the "false DCS object" scheme. The general scheme of the false DNS server:
• wait for a DNS query;
• on receiving a DNS query, extract the necessary information from it and send the host a false DNS response, on behalf of (from the IP address of) the real DNS server, specifying the IP address of the false DNS server;
• when a packet is received from the host, rewrite the source IP address in its IP header to the IP address of the false DNS server and send the packet to the server (the false DNS server works with the server on its own behalf);
• when a packet is received from the server, rewrite the source IP address in its IP header to the IP address of the false DNS server and send the packet to the host (for the host, the false DNS server is the real server).
A prerequisite for this variant is intercepting the DNS request, which is possible only if the attacker is either on the path of the main traffic or in the segment of the real DNS server. The need to satisfy one of these conditions makes the attack hard to carry out in practice (the attacker is unlikely to get into the DNS server's segment, let alone into the inter-segment communication channel). When the conditions are met, however, an inter-segment remote attack on the Internet becomes possible.

Note that the practical implementation of this remote attack revealed some interesting features of the FTP protocol and of the TCP packet identification mechanism. When an FTP client on the host connected to a remote FTP server through the false DNS server, it turned out that every time the user issued an FTP command (ls, get, put, etc.) the FTP client issued the PORT command, which transmits the client host's port number and IP address to the FTP server in the data field of a TCP packet (it is hard to see a special meaning in this: why send the client's IP address to the FTP server every time?). As a result, if the false DNS server does not rewrite the IP address transmitted in the data field of the TCP packet and simply forwards the packet to the FTP server as usual, the FTP server sends the next packet (the data connection) directly to the FTP client's host, bypassing the false DNS server; most interestingly, this packet is accepted as a normal one, and from then on the false DNS server loses control over the traffic between the FTP server and the FTP client. This is because an ordinary FTP server performs no additional authentication of the FTP client and shifts all problems of packet identification and connection to the lower TCP layer.
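As an added example that is not part of the original text, the Python code below builds real DNS wire-format messages and implements the four acceptance checks listed in the three DNS sections above (server address, UDP port, transaction ID, queried name). It then runs the "storm" against a resolver whose port and ID are as predictable as the author observed, and computes the cost once both are randomised. The names and addresses (host-a.example, 192.0.2.53, 203.0.113.66) and the PendingQuery parameters are assumptions for illustration.

```python
# Added example: forged DNS response vs. the resolver's acceptance checks.
# Names, addresses and the PendingQuery parameters are illustrative assumptions.
import struct


def encode_name(name):
    out = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:                               # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n


def build_query(txid, qname):
    """Standard recursive query for an A record."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_forged_response(txid, qname, ip):
    """Response (QR=1, RD=1, RA=1) with one A record pointing at `ip`."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)               # type A, class IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in ip.split("."))
    return header + question + answer


def parse_response(msg):
    txid, _flags, _qd, an = struct.unpack("!HHHH", msg[:8])
    qname, off = decode_name(msg, 12)
    off += 4                                                            # QTYPE, QCLASS
    answers = []
    for _ in range(an):
        _name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            answers.append(".".join(str(b) for b in msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "qname": qname, "answers": answers}


class PendingQuery:
    """What the resolver remembers about an outstanding query."""

    def __init__(self, txid, qname, server_ip, src_port):
        self.txid, self.qname, self.server_ip, self.src_port = txid, qname, server_ip, src_port


def resolver_accepts(pending, src_ip, dst_port, msg):
    """The four checks from the text: source address, destination port, ID, name."""
    r = parse_response(msg)
    return (src_ip == pending.server_ip and dst_port == pending.src_port
            and r["id"] == pending.txid and r["qname"].lower() == pending.qname.lower())


def run_storm(pending, ports, ids, qname, false_ip, server_ip):
    """Send forged responses over every (port, ID) guess; return how many were needed."""
    sent = 0
    for port in ports:
        for txid in ids:
            sent += 1
            if resolver_accepts(pending, server_ip, port, build_forged_response(txid, qname, false_ip)):
                return sent
    return None


def storm_cost(port_candidates, id_candidates):
    """Forged responses needed to cover every (port, ID) pair."""
    return port_candidates * id_candidates


if __name__ == "__main__":
    pending = PendingQuery(txid=1, qname="host-a.example", server_ip="192.0.2.53", src_port=1025)
    print(run_storm(pending, range(1024, 1100), range(1, 8), "host-a.example", "203.0.113.66", "192.0.2.53"))
    print(storm_cost(64512, 65536))   # ports 1024-65535 times a 16-bit ID, once both are random
```

With the ID predictable and the port drawn from a short list, the storm in the `__main__` block succeeds after eight forged packets; with both randomised, `storm_cost` shows the attacker needs on the order of four billion packets, which is why port randomisation is the standard fix.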

DNS flooding attack

DNS flooding is an attack aimed at Internet name servers. It consists of sending a large number of DNS queries and results in users losing access to the name service and, consequently, being unable to work normally. Counteraction: to detect the attack, analyse the load on the DNS server and identify the sources of the requests.

DNS spoofing attack

The result of this attack is a forged correspondence between an IP address and a domain name in the cache of a DNS server. After a successful attack, all users of the DNS server receive incorrect information about domain names and IP addresses. The attack is characterised by a large number of DNS packets with the same domain name, which is due to the need to guess certain parameters of the DNS exchange (the request ID and the UDP port). Counteraction: to detect such an attack, analyse the content of DNS traffic.

IP spoofing attack (syslog)

A large number of attacks on the Internet involve substituting the source IP address. One of them is syslog spoofing, which consists of sending a message to the victim computer on behalf of another computer on the internal network. Since the syslog protocol is used to maintain system logs, sending false messages lets an attacker plant information in the logs or cover up unauthorised access to the victim computer. Counteraction: attacks based on substituting IP addresses can be detected by watching for packets arriving on an interface with the source address of that same interface, or packets arriving on the external interface with source addresses from the internal network.
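As an added example, not from the original page, here is the filter logic the counteraction describes, in Python: an ingress rule that drops packets arriving on the external interface with an internal source, a rule against packets carrying the receiving interface's own address, the source-equals-destination rule from the Land section, and the matching egress rule that stops your own hosts from sending forged sources outward. It is applied to a constructed set of syslog datagrams; the address ranges, interface names and log messages are assumptions.

```python
# Added example: interface-aware anti-spoofing filter applied to syslog datagrams.
# Prefixes, interface names and datagrams are constructed for illustration.
import ipaddress


class AntiSpoofFilter:
    def __init__(self, internal_nets, interface_addrs, external_iface="outside"):
        self.internal = [ipaddress.ip_network(n) for n in internal_nets]
        self.iface_addr = {i: ipaddress.ip_address(a) for i, a in interface_addrs.items()}
        self.external = external_iface

    def is_internal(self, ip):
        ip = ipaddress.ip_address(ip)
        return any(ip in net for net in self.internal)

    def inbound(self, iface, src, dst):
        """Verdict for a packet arriving on `iface`: ('accept', '') or ('drop', reason)."""
        src_ip = ipaddress.ip_address(src)
        if src_ip == self.iface_addr[iface]:
            return "drop", "source is the receiving interface's own address"
        if iface == self.external and self.is_internal(src):
            return "drop", "internal source address arriving from the Internet"
        if src == dst:
            return "drop", "source equals destination (Land pattern)"
        return "accept", ""

    def outbound(self, src):
        """Egress verdict: packets leaving toward the Internet must carry an internal source."""
        if self.is_internal(src):
            return "accept", ""
        return "drop", "forged source address leaving the network"


def accepted_syslog(flt, datagrams):
    """Keep only UDP/514 datagrams that pass the ingress filter, so that a log
    message 'from' an internal host can only have come in on the inside interface."""
    return [d for d in datagrams
            if d["dport"] == 514 and flt.inbound(d["iface"], d["src"], d["dst"])[0] == "accept"]


# Constructed datagrams: one forged from the Internet in an internal host's name, one genuine.
CONSTRUCTED_SYSLOG = [
    {"iface": "outside", "src": "10.0.0.7", "dst": "10.0.0.10", "dport": 514,
     "msg": "<38>sshd[412]: Accepted password for root from 10.0.0.7"},
    {"iface": "inside", "src": "10.0.0.7", "dst": "10.0.0.10", "dport": 514,
     "msg": "<38>sshd[412]: Failed password for root from 203.0.113.9"},
]

EXAMPLE_FILTER = AntiSpoofFilter(["10.0.0.0/8"], {"outside": "198.51.100.1", "inside": "10.0.0.1"})

if __name__ == "__main__":
    for d in CONSTRUCTED_SYSLOG:
        print(d["iface"], d["src"], EXAMPLE_FILTER.inbound(d["iface"], d["src"], d["dst"]))
    print(len(accepted_syslog(EXAMPLE_FILTER, CONSTRUCTED_SYSLOG)), "syslog message(s) accepted")
```

The filter can only tell where a packet came in, not who sent it, so it blocks syslog spoofing from the Internet but not from a host on the internal segment; that case needs the sniffing and false ARP server material below.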

Packet Imposition

The attacker sends packets with a forged source address into the network. With this attack he can redirect to his computer connections established between other computers; the attacker then obtains the access rights of the user whose connection to the server was redirected to the intruder's computer.

Sniffing - listening to the channel (possible only in the LAN segment)

Virtually all network cards can capture the packets transmitted over a shared LAN medium (promiscuous mode). A workstation can then receive packets addressed to other computers in the same network segment, so all traffic in the segment becomes available to the attacker. To carry out this attack the attacker's computer must be in the same segment of the local network as the attacked computer. Note that on a switched segment the switch delivers unicast frames only to the port of their destination, so the attacker must first redirect the traffic to himself, for example with the false ARP server described below.

Intercepting packets on the router

The router's network software has access to every packet that passes through it, which makes interception possible. To carry out this attack the attacker needs privileged access to at least one network router. Since a great many packets pass through a router, capturing all of them is practically impossible, but individual packets can be intercepted and saved for later analysis. The most rewarding targets are FTP packets containing user passwords, and e-mail.

Imposing a false route host with ICMP

The Internet Control Message Protocol (ICMP) has, among other functions, a way of telling a host that it should use a different router: the redirect control message. Any host in the network segment can send the attacked host a false redirect on behalf of the router. The host then changes its routing table, and from that moment all of its network traffic passes through, for example, the host that sent the false redirect. In this way an active imposition of a false route can be carried out within a single Internet segment.

WinNuke

Besides normal data transferred over a TCP connection, the standard also provides for out-of-band (urgent) data; at the level of TCP segments this is expressed as a non-zero urgent pointer with the URG flag set. Most Windows PCs run NetBIOS over TCP/IP, which uses three ports: 137 and 138 (UDP) and 139 (TCP). It turned out that if you connect to port 139 of a Windows machine and send a few bytes of out-of-band data, the NetBIOS implementation, not knowing what to do with them, simply hangs or reboots the machine. On Windows 95 this usually appears as a blue text screen reporting an error in the TCP/IP driver and an inability to use the network until the OS is rebooted. NT 4.0 without service packs reboots, NT 4.0 with Service Pack 2 drops into a blue screen. Sending the same data to port 135 and some other ports produces a heavy CPU load in RPCSS.EXE: NT Workstation slows down significantly, NT Server practically freezes.

False ARP server

On the Internet every host has a unique IP address at which it receives all messages from the global network. However, IP is not so much a network protocol as an internetwork one, intended for communication between objects in the global network; at the link layer packets are addressed to the hardware addresses of network cards. To map IP addresses to Ethernet addresses one-to-one, the Address Resolution Protocol (ARP) is used. Initially a host may not know the Ethernet addresses of the other hosts in its segment, including that of the router. So on the first access to a network resource the host sends a broadcast ARP request, which every station in the segment receives. On receiving it, the router sends the requesting host an ARP reply reporting its Ethernet address. This scheme lets an attacker send a false ARP reply declaring himself the desired host (for example, the router) and thereafter actively monitor all network traffic of the "deceived" host. ARP replies are not authenticated, and most stacks also accept replies they never asked for, so the host has no way of telling the false reply from the real one.
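The following is an added example, not code from the original article: a small ARP watcher that flags the false ARP reply described above. It keeps the first IP-to-MAC binding it sees (or a pre-configured trusted table) and alerts when a later reply claims the same IP with a different hardware address, or when a reply arrives that answers no request. The addresses, MACs and the capture are constructed sample data.

```python
# Added example (not code from the original article): a small ARP watcher
# that flags a false ARP reply. Addresses and the capture are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ArpPacket:
    ts: float          # seconds since start of capture (constructed values)
    op: str            # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str


class ArpMonitor:
    """Learns IP -> MAC bindings from replies (or takes a trusted table) and
    reports replies that contradict a known binding or answer no request."""

    def __init__(self, trusted: Optional[Dict[str, str]] = None,
                 request_window: float = 5.0):
        self.bindings: Dict[str, str] = {
            ip: mac.lower() for ip, mac in (trusted or {}).items()}
        self.pending: Dict[str, float] = {}   # IP asked for -> time of request
        self.request_window = request_window
        self.alerts: List[str] = []

    def feed(self, pkt: ArpPacket) -> Optional[str]:
        """Process one ARP packet; return an alert string, or None if benign."""
        if pkt.op == "request":
            self.pending[pkt.target_ip] = pkt.ts
            return None
        mac = pkt.sender_mac.lower()
        reasons = []
        asked = self.pending.pop(pkt.sender_ip, None)
        if asked is None or pkt.ts - asked > self.request_window:
            reasons.append("unsolicited reply")
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            self.bindings[pkt.sender_ip] = mac     # first sighting: learn it
        elif known != mac:
            # keep the original binding so every further forged reply is flagged
            reasons.append(f"binding change {known} -> {mac}")
        if not reasons:
            return None
        alert = f"t={pkt.ts:.1f} {pkt.sender_ip} is-at {mac}: " + ", ".join(reasons)
        self.alerts.append(alert)
        return alert


def scan_capture(packets: List[ArpPacket],
                 trusted: Optional[Dict[str, str]] = None) -> List[str]:
    """Feed a whole capture through a monitor and return its alerts."""
    mon = ArpMonitor(trusted)
    for p in packets:
        mon.feed(p)
    return mon.alerts


# Constructed capture: a host resolves the router, the router answers, then an
# attacker claims the router's IP with his own card's address; later a new
# host is learned legitimately.
SAMPLE = [
    ArpPacket(0.0, "request", "192.168.1.10", "08:00:27:11:11:11", "192.168.1.1"),
    ArpPacket(0.1, "reply",   "192.168.1.1",  "00:11:22:33:44:55", "192.168.1.10"),
    ArpPacket(3.0, "reply",   "192.168.1.1",  "de:ad:be:ef:00:01", "192.168.1.10"),
    ArpPacket(4.0, "request", "192.168.1.10", "08:00:27:11:11:11", "192.168.1.20"),
    ArpPacket(4.1, "reply",   "192.168.1.20", "08:00:27:22:22:22", "192.168.1.10"),
]

if __name__ == "__main__":
    for line in scan_capture(SAMPLE, trusted={"192.168.1.1": "00:11:22:33:44:55"}):
        print(line)
```

Run as a script it prints one alert, for the reply at t=3.0 that both answers no request and contradicts the router's known address. Without a trusted table the watcher still catches it, because the first reply it saw is taken as the baseline; that is exactly the window an attacker who answers first can exploit, which is why a fixed table for the router is worth configuring.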

Prediction TCP sequence number (IP-spoofing)

Here the attacker's goal is to impersonate another system that the victim, for example, "trusts". The method is also used for other purposes, for example to send forged e-mail through the victim's SMTP server. A TCP connection is established in three stages: the client chooses a sequence number and sends it to the server (call it C-SYN); the server replies with a packet containing the acknowledgement (C-ACK) and its own sequence number (S-SYN); the client must then send an acknowledgement (S-ACK). After that the connection is established and data exchange begins. Every packet carries a sequence number field and an acknowledgement number field in its header; they advance as data is exchanged and allow the correctness of the transmission to be checked. Suppose the attacker can predict which sequence number (S-SYN in the scheme above) the server will send. This can be done from knowledge of the particular TCP/IP implementation. For example, in 4.3BSD the value used for the next connection increases by 125000 every second. So by sending one packet to the server the attacker gets an answer and can (probably after several attempts and with a correction for the connection speed) predict the sequence number for the next connection. If the implementation uses some special algorithm to choose the sequence number, it can be determined by sending several dozen packets to the server and analyzing its responses.

Now suppose that system A trusts system B, so that a user of system B can run "rlogin A" and end up on A without entering a password. Suppose the attacker is on system C. System A acts as the server, systems B and C as clients. The attacker's first task is to put system B into a state in which it cannot respond to network requests. This can be done in several ways; in the simplest case you just wait for system B to reboot. The few minutes during which it is unavailable should be enough. After that the attacker can try to pass himself off as system B in order to get access to system A (at least briefly). The attacker sends system A several IP packets initiating connections, to find out the current state of the server's sequence number. Then he sends an IP packet in which system B's address is given as the return address. System A responds with a packet carrying its sequence number, addressed to system B. But B will never receive it (it is down), and neither does the attacker. Based on the previous analysis, however, he guesses which sequence number was sent to B and confirms the "receipt" of A's packet by sending, on behalf of B, a packet with the presumed S-ACK (note that if the systems are in the same segment, the attacker only needs to intercept the packet sent by A to learn the sequence number). If the attacker was lucky and guessed the server's sequence number correctly, the connection is considered established. Now he can send another forged IP packet, this time carrying data. For example, if the attack is aimed at rsh, the data may contain commands that create a .rhosts file or mail /etc/passwd to the attacker.

Counteraction: the simplest sign of IP spoofing is packets with internal addresses arriving from the outside world; the router software can notify the administrator about them. Do not be lulled, though: the attack can also come from inside your network. With more intelligent network monitoring tools the administrator can (automatically) watch for packets from systems that are currently unreachable. But what prevents the intruder from imitating system B by answering ICMP packets on its behalf? What, then, are the ways to protect against IP spoofing? First, you can make guessing the sequence number (the key element of the attack) harder or impossible: for example, increase the rate at which the sequence number changes on the server, or choose the increment randomly (preferably with a cryptographically strong random number generator). If the network has a firewall (or another IP packet filter), add rules so that packets arriving from outside with return addresses from our own address space are not let into the network. In addition, trust between machines should be minimized: ideally there should be no way to get directly onto a neighboring machine just by having superuser rights on one of them. Of course, this does not help with services that require no authorization, for example IRC (the attacker can pretend to be an arbitrary Internet machine and send a set of commands to join an IRC channel, post arbitrary messages and so on). Encryption of the TCP/IP stream solves the IP spoofing problem in the general case (provided cryptographically strong algorithms are used). To reduce the number of such attacks it is also recommended to configure the firewall to filter packets leaving our network whose source addresses do not belong to our address space.
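The following is an added example, not code from the original article: a simulation of why a predictable initial sequence number makes the blind spoofing attack above possible, and why the random increment recommended as a countermeasure stops it. It models only the handshake bookkeeping of system A (server) and the attacker's sampling from system C, not a real TCP stack; the counter rates, the 500 ms delay and the host names are assumed for illustration.

```python
# Added example (not code from the original article): blind TCP sequence
# number prediction against a counter-based ISN generator versus a random
# one. Handshake bookkeeping only; rates and addresses are assumed.
import secrets

MASK = 0xFFFFFFFF


class CounterISN:
    """4.3BSD-style generator: the counter grows by a fixed amount per second
    and by a fixed amount per connection (rates assumed)."""

    def __init__(self, per_second=125000, per_connection=64000):
        self.per_second = per_second
        self.per_connection = per_connection
        self.counter = 0
        self.last_ms = 0

    def next_isn(self, now_ms: int) -> int:
        elapsed = now_ms - self.last_ms
        self.counter = (self.counter + elapsed * self.per_second // 1000) & MASK
        self.last_ms = now_ms
        isn = self.counter
        self.counter = (self.counter + self.per_connection) & MASK
        return isn


class RandomISN:
    """What the page recommends: a cryptographically strong random ISN."""

    def next_isn(self, now_ms: int) -> int:
        return secrets.randbelow(1 << 32)


class Server:
    """System A. Keeps half-open connections per client address and moves one
    to ESTABLISHED only when the client's ACK equals the server ISN + 1."""

    def __init__(self, isn_gen):
        self.gen = isn_gen
        self.half_open = {}      # client address -> server ISN (S-SYN)
        self.established = set()

    def recv_syn(self, client: str, now_ms: int) -> int:
        s_isn = self.gen.next_isn(now_ms)
        self.half_open[client] = s_isn
        return s_isn             # carried in the SYN/ACK sent to `client`

    def recv_ack(self, client: str, ack: int) -> bool:
        s_isn = self.half_open.get(client)
        if s_isn is None or ack != (s_isn + 1) & MASK:
            return False
        del self.half_open[client]
        self.established.add(client)
        return True


def blind_spoof(server: Server, attacker="C", victim="B", delay_ms=500) -> bool:
    """Attacker on C impersonates B (assumed silenced). He reads the SYN/ACKs
    sent to his own address C but never the one sent to B."""
    t = 1_000
    # 1. Two probes from C sent back to back reveal the per-connection step.
    a = server.recv_syn(attacker, t)
    b = server.recv_syn(attacker, t)
    step = (b - a) & MASK
    # 2. A third probe one second later reveals the per-second drift.
    c = server.recv_syn(attacker, t + 1000)
    per_second = ((c - b) - step) & MASK
    # 3. Spoofed SYN "from B" delay_ms later. The SYN/ACK goes to B; the return
    #    value is deliberately ignored: the attacker cannot see it.
    server.recv_syn(victim, t + 1000 + delay_ms)
    guess = (c + step + per_second * delay_ms // 1000) & MASK
    # 4. Forged S-ACK from B carrying the guessed number.
    return server.recv_ack(victim, (guess + 1) & MASK)


if __name__ == "__main__":
    print("counter ISN, spoofed connection established:", blind_spoof(Server(CounterISN())))
    print("random ISN,  spoofed connection established:", blind_spoof(Server(RandomISN())))
```

With the counter generator the guess is exact, because the attacker can measure both increments from packets addressed to himself and correct for the time between his probe and the spoofed SYN (the "connection speed correction" the text mentions). With the random generator the same procedure succeeds with probability about 2^-32 per attempt.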

Local storm

Let us make a small digression into TCP/IP implementations and look at "local storms", taking UDP storms as an example. As a rule, systems by default keep UDP ports such as 7 ("echo": the received packet is sent back), 19 ("chargen", the character generator: in response to the received packet the sender gets a string of characters) and others (daytime etc.) running. An attacker can then send a single UDP packet with 7 as the source port, 19 as the destination port and two computers on your network (or even 127.0.0.1) as the addresses. On receiving the packet, port 19 responds with a string, which arrives at port 7; port 7 echoes it back to port 19, and so on ad infinitum. The endless loop eats machine resources and adds meaningless load to the channel. Of course, as soon as one UDP packet is lost the storm stops. Counteraction: as protection it is worth recommending once more not to let packets with internal addresses that arrive from outside into the network. It is also recommended to disable most such services on the firewall.

IP Hijacking

The method combines "eavesdropping" with IP spoofing. The necessary conditions are that the attacker has access to a machine lying on the path of the network stream, with enough rights on it to generate and capture IP packets. Recall that during data transfer the sequence number and acknowledgement number are used continuously (both fields are in the TCP header, not the IP header). From their values the server and the client check that packets are arriving correctly. It is possible to bring a connection into a "desynchronized state" in which the sequence number and acknowledgement number sent by the server do not match the values the client expects, and vice versa. The attacker, "listening" on the line, can then take over the role of an intermediary, generating correct packets for the client and the server and intercepting their replies. The method lets you completely bypass protections such as one-time passwords, because the attacker goes to work only after the user has been authenticated. There are two ways to desynchronize a connection.

• Early desynchronization. The connection is desynchronized at the setup stage. The attacker listens on the network segment over which the packets of the session of interest will pass. Having waited for the S-SYN packet from the server, the attacker sends the server a RST (reset) packet, of course with the correct sequence number, and immediately after it a forged C-SYN packet on behalf of the client. The server resets the first session and opens a new one on the same port but with a new sequence number, after which it sends the client a new S-SYN packet. The client ignores this S-SYN packet, but the attacker listening on the line sends the server an S-ACK packet on behalf of the client. So the client and the server are both in the ESTABLISHED state, but the session is desynchronized. Naturally this scheme does not work 100% of the time; for example, it is not protected against some of the packets sent by the attacker being lost on the way, and the program has to be made more complex to handle such situations correctly.

• Desynchronization with null data. In this case the attacker listens to the session and at some point sends the server a packet with "null" data, that is, data which will in effect be ignored at the application level and is invisible to the client (for telnet, for example, this can be a sequence like IAC NOP IAC NOP IAC NOP...). A similar packet is sent to the client. Obviously after this the session is in a desynchronized state.

ACK storm. One of the problems of IP hijacking is that any packet sent while the session is desynchronized causes a so-called ACK storm. For example, a packet is sent by the server; for the client it is unacceptable, so the client answers with an ACK packet. In response to this packet, which is now unacceptable for the server, the client again receives an answer, and so on ad infinitum. Fortunately, modern networks are built on technologies that allow individual packets to be lost. Since ACK packets carry no data, there are no retransmissions and the "storm subsides". Experiments have shown that the stronger the ACK storm, the faster it "calms" itself: on 10 Mb Ethernet this takes a fraction of a second, on unreliable links such as SLIP not much longer.

Detection and protection. There are several approaches. For example, one can implement a TCP/IP stack that monitors the transition into a desynchronized state by exchanging information about sequence number/acknowledgement number. But in that case we are not protected from an attacker who modifies those values too. A more reliable method is therefore to analyze network load and watch for ACK storms, which can be done with specific network monitoring tools. If the attacker does not bother to keep the desynchronized connection up until it is closed, or does not filter the output of his commands, the user will also notice immediately. Unfortunately the overwhelming majority will simply open a new session without telling the administrator. One hundred percent protection against this attack is provided, as always, by encrypting the TCP/IP traffic (at the application level with secure shell, or at the protocol level with IPsec), which rules out modification of the network stream. PGP can be used to protect mail messages. It should be noted that the method also does not work against some specific TCP/IP implementations: despite [rfc...], which requires a session to be silently closed in response to a RST packet, some systems generate a RST packet in return. This makes early desynchronization impossible.

Detection of attacks and protection against them

• To detect attacks you can analyze broadcast activity: UDP, NBF and SAP packets.
• To protect an internal network connected to the Internet, do not let in incoming packets from the external network whose source is an internal network address. You can also allow packets through only to port 80.
• Set up packet filtering where necessary (do not neglect even Control Panel\Network\Protocols\Properties\Advanced in Windows NT).
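The following is an added example, not code from the original article: a decision function for the filtering rules this page recommends in several places (drop packets that arrive on the external interface with an internal or loopback source address, drop packets leaving the internal interface with a foreign source address, and refuse the UDP echo/chargen combinations that sustain a local storm). The address ranges, interface names and sample packets are assumed for illustration.

```python
# Added example (not code from the original article): ingress/egress
# anti-spoofing rules plus a rule against the UDP echo/chargen "storm".
# Address ranges, interface names and the sample packets are assumed.
import ipaddress
from typing import List, Tuple

# Our own address space (assumed).
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]
# UDP "small services" that answer any datagram: echo, discard, daytime, chargen.
SMALL_SERVICES = {7, 9, 13, 19}


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def decide(iface: str, proto: str, src: str, sport: int,
           dst: str, dport: int) -> Tuple[str, str]:
    """Return ("drop", reason) or ("accept", ""). `iface` is the interface the
    packet arrived on: "ext" (from the Internet) or "int" (from our LAN)."""
    src_ip = ipaddress.ip_address(src)
    if iface == "ext":
        # Ingress: nobody outside may claim one of our addresses or loopback.
        if is_internal(src) or src_ip.is_loopback:
            return "drop", "spoofed internal/loopback source from outside"
        # Close the small services to the outside world.
        if proto == "udp" and dport in SMALL_SERVICES:
            return "drop", "UDP small service not reachable from outside"
    elif iface == "int":
        # Egress: our hosts may not send with someone else's source address.
        if not is_internal(src):
            return "drop", "egress: source address not in our space"
    # Small service to small service is never legitimate traffic: it is the loop.
    if proto == "udp" and sport in SMALL_SERVICES and dport in SMALL_SERVICES:
        return "drop", "UDP small-service loop (echo/chargen storm)"
    return "accept", ""


# Constructed packets: (iface, proto, src, sport, dst, dport)
SAMPLE: List[Tuple[str, str, str, int, str, int]] = [
    ("ext", "udp", "192.168.1.5",  7,     "192.168.1.6", 19),  # spoofed storm trigger
    ("ext", "udp", "203.0.113.9",  40000, "192.168.1.6", 19),  # chargen from outside
    ("int", "udp", "192.168.1.5",  19,    "192.168.1.6", 7),   # loop between two of our hosts
    ("int", "tcp", "198.51.100.2", 40000, "203.0.113.9", 80),  # egress spoof
    ("ext", "tcp", "203.0.113.9",  40000, "192.168.1.6", 80),  # ordinary inbound web request
    ("int", "udp", "192.168.1.5",  53000, "192.168.1.6", 7),   # plain echo test from our LAN
]


def apply_policy(packets):
    return [decide(*p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE, apply_policy(SAMPLE)):
        print(f"{verdict:6} {pkt} {why}")
```

The egress rule is the one most often forgotten; it does nothing for your own network but stops your hosts from being used as the source of spoofed packets against somebody else, which is why the text recommends it alongside the ingress rule.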

Scanning methods

Using the ARP protocol

Broadcast ARP requests for each address in a range can be used by attackers to determine which systems are active in a local network segment: every live host answers for its own address, whether or not it filters IP traffic.

Scanning the network via DNS

It is known that before launching an attack, attackers identify their targets, i.e. the computers that will be victims and the computers that exchange information with them. One way to identify targets is to query the name server and obtain from it all available domain information (for example by requesting a zone transfer). Counteraction: to detect such scanning you need to analyze the DNS queries (address-to-name lookups) arriving, possibly from different DNS servers, within a fixed period of time, looking at what information is requested and watching for sequential enumeration of addresses.

UDP bomb

Scanning a network using the ping sweep method

A ping sweep, i.e. target detection using ICMP echo requests, is an effective method.

Countermeasures: to detect ping scanning of targets inside a subnet, analyze the source and destination addresses of ICMP packets (one external source sending echo requests to many consecutive addresses in a short time).

Scanning TCP Ports

Port scanning is a well-known method of learning a computer's configuration and the services available on it. There are several TCP scanning methods; some are called stealth because they exploit peculiarities of the TCP/IP stack implementations in most modern OSes and are not detected by standard means. Counteraction: one option is to send TCP packets with the RST flag set to the intruder's computer on behalf of the scanned computer, so that every port looks closed to the scanner.

Scanning UDP Ports

Another kind of port scanning uses UDP and consists of the following: a UDP packet is sent to the port being checked on the scanned computer. If the port is closed, an ICMP port unreachable message comes back; otherwise there is no answer. This kind of scan is quite effective and lets all ports of a victim be scanned in a short time, although a lost reply looks the same as an open port, and many systems rate-limit ICMP unreachable messages, which slows the scan down. Counteraction: this kind of scanning can be countered by sending port unreachable messages to the attacker's computer for every port.

Stealth-scan

The method relies on a quirk in network code, so it cannot be guaranteed to work correctly in every situation. TCP packets with the ACK and FIN flags set are used. They are suitable because when such a packet is sent to a port with no open connection, a packet with the RST flag is always supposed to come back. Several methods use this principle:
• Send a FIN packet. If the receiving host returns RST, the port is closed; if no RST comes back, the port is open. This works on most operating systems, but not on Windows, which answers such packets with RST regardless of port state, so there every port looks closed.
• Send an ACK packet. If the TTL of the returned RST is lower than in the other RST packets received, or its window size is greater than zero, the port is most likely open.

Passive scanning

Attackers often use scanning to find out which TCP ports have daemons listening that answer requests from the network. A conventional scanner opens connections to the ports one after another; if a connection is established, the program resets it and reports the port number to the attacker. This method is easy to detect from the logs of daemons surprised by connections torn down immediately after being established, or with special programs; the better of these add a random element to the tracking of connection attempts to different ports. The attacker can however use another method, "passive scanning" (better known today as a SYN or half-open scan). Here the attacker sends a TCP SYN packet to every port in turn (or according to some algorithm). Ports that accept connections from outside return a SYN/ACK packet as an invitation to continue the three-way handshake; the rest return RST packets. Analyzing the answers, the attacker quickly learns which ports have programs listening. To the SYN/ACK packets he can reply with RST, indicating that the connection setup will not continue (in general the attacker's TCP/IP implementation will send the RST automatically unless special measures are taken). The method is not detected by the previous means because no real TCP connection is established. Depending on the attacker's behavior, however, you can watch for a sharply increased number of sessions in the SYN_RECEIVED state (if the attacker does not answer with RST) or for RST packets arriving from the client in response to SYN/ACK (if he does). Unfortunately, with sufficiently careful behavior by the attacker (scanning at low speed, or checking only specific ports) passive scanning cannot be detected, since it looks no different from ordinary connection attempts.

As protection, the only advice is to close on the firewall all services that do not need to be reachable from outside.
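The following is an added example, not code from the original article: detection logic for the half-open and FIN/ACK scans discussed in the last two sections, run over a constructed log of TCP packets sent to one protected host. It records a probe when a client answers our SYN/ACK with RST instead of ACK, or sends FIN or ACK to a port with no connection, counts distinct ports per source in a sliding window, and shows the limitation the text mentions: a slow scan stays under the threshold. The window, threshold, addresses and traffic are assumed.

```python
# Added example (not code from the original article): half-open and FIN/ACK
# scan detection over a constructed packet log. Window, threshold, addresses
# and traffic are assumed.
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

WINDOW_S = 60.0   # sliding window length
THRESHOLD = 10    # distinct ports probed within one window that raise an alert

# A packet is (ts, src, dport, flags); all packets are inbound to the protected
# host and flags is a string made of the letters S, A, F, R.
Packet = Tuple[float, str, int, str]


def extract_probes(packets: Iterable[Packet]) -> Dict[str, List[Tuple[float, int]]]:
    """Replay the log and return per-source lists of (ts, port) probe events."""
    half_open: Set[Tuple[str, int]] = set()     # our SYN/ACK sent, client ACK awaited
    established: Set[Tuple[str, int]] = set()
    probes: Dict[str, List[Tuple[float, int]]] = defaultdict(list)
    for ts, src, port, flags in sorted(packets):
        key = (src, port)
        if flags == "S":                        # SYN: we answer SYN/ACK (or RST)
            half_open.add(key)
        elif key in half_open and flags == "A":  # third step of the handshake
            half_open.discard(key)
            established.add(key)
        elif key in half_open and "R" in flags:  # RST instead of ACK: half-open scan
            half_open.discard(key)
            probes[src].append((ts, port))
        elif key in established:                 # normal data / close; not a probe
            if "F" in flags or "R" in flags:
                established.discard(key)
        elif flags in ("F", "A", "FA"):          # FIN/ACK probe, no connection exists
            probes[src].append((ts, port))
    return probes


def max_ports_in_window(events: List[Tuple[float, int]], window: float) -> int:
    """Largest number of distinct ports one source touched inside any window."""
    events = sorted(events)
    best = start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({p for _, p in events[start:end + 1]}))
    return best


def detect_scanners(packets: Iterable[Packet], window: float = WINDOW_S,
                    threshold: int = THRESHOLD) -> Dict[str, int]:
    """Map each source exceeding the threshold to its peak distinct-port count."""
    hits = {}
    for src, events in extract_probes(packets).items():
        n = max_ports_in_window(events, window)
        if n >= threshold:
            hits[src] = n
    return hits


def build_sample() -> List[Packet]:
    """Constructed traffic: a fast half-open scan, a FIN scan, a slow half-open
    scan (one port every 90 s) and a legitimate web client."""
    pk: List[Packet] = []
    for i, port in enumerate(range(21, 36)):                  # 15 ports in 1.5 s
        pk += [(i * 0.1, "203.0.113.7", port, "S"),
               (i * 0.1 + 0.01, "203.0.113.7", port, "R")]
    for i, port in enumerate(range(1, 13)):                   # 12 FIN probes
        pk.append((100 + i * 0.2, "198.51.100.3", port, "F"))
    for i, port in enumerate(range(21, 36)):                  # same 15 ports, slowly
        pk += [(1000 + i * 90.0, "192.0.2.9", port, "S"),
               (1000 + i * 90.0 + 0.01, "192.0.2.9", port, "R")]
    pk += [(5.0, "203.0.113.50", 80, "S"), (5.1, "203.0.113.50", 80, "A"),
           (5.2, "203.0.113.50", 80, "A"), (6.0, "203.0.113.50", 80, "FA")]
    return pk


if __name__ == "__main__":
    print(detect_scanners(build_sample()))
```

The slow scanner touches the same fifteen ports as the fast one but never more than one inside any 60 s window, so it is invisible to this detector; lengthening the window or lowering the threshold only trades that blind spot for false alarms from ordinary clients, which is the trade-off the text describes.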

System banners and the danger of the information they contain

The "system banners" (login prompts) that central computers display on remote access terminals should be removed, for the following reasons:
• "system banners" as a rule contain information that lets the intruder identify the type and version of the central computer's operating system, the type of remote access software, etc. Such information greatly simplifies breaking in, since the intruder can use tools that exploit the weaknesses of that particular system;
• the "system banner" usually indicates the departmental affiliation of the system. If the system belongs to a secret agency or a financial institution, the intruder's interest can grow considerably;
• in a recent trial a company's suit against a person who broke into its network was rejected, because he justified his actions by the inscription "Welcome to ..." on the remote access terminal of the central computer.

A few tips for network reconnaissance

• Scan the server for open ports and services.
• Try logging on to the server's shares as IUSR_<machine name>.
• Try to grab SAM._ from \REPAIR (the compressed SAM backup is unpacked with the expand command).
• The /scripts and /cgi-bin directories: as many probably know, on NT any file in these directories can be run, so they should be closed. The launch is done from the browser with roughly this command (if the executable is in /scripts): http://www.idahonews/scripts/getadmin.exe?Test. Administrator rights can be obtained because programs in /scripts run not under the account of the user who launched them but under the web server's account; so the administrator's password hashes can be dumped from the registry with PWDUMP.EXE. The passwords come out hashed: save the page as a text file and try to crack them with the BRUTEFORCE program.
• Under the administrator account you can change the ftp and http aliases.

Some other ways of obtaining information

• Use whois or nslookup to find alternative names and to find out who owns the network. Note the range of IP addresses for subsequent scanning.
• Look at the nearest router and find out what you can. To find it, trace the route to any IP address in the discovered range; the nearest router is identified by its response time.
• Try to telnet to the router.
• Run an IP range scanner to detect the services running on the hosts.

Holes and administrative errors in Windows NT

• Consider a vulnerability caused by an implementation error in the system; it leads to the attack called GetAdmin. The vulnerable component is the NtAddAtom system service, which does not validate the parameters passed to it and can therefore be made to set bit 0 of the byte at NtGlobalFlag+2 (to find the address, open ntoskrnl.exe and locate the entry point of NtAddAtom). Setting this bit disables the debugger privilege check in NtOpenProcess and NtOpenThread, so any user gets the right to open any process in the system. The attack opens the Winlogon process and injects a DLL into it; since that process runs with SYSTEM privileges, the DLL can add a user to the Administrators group or remove one. Other security violations are theoretically possible.
• One of the most popular ways of getting into a system is password guessing. To counter it, accounts are usually locked after a certain number of failed logon attempts; a notable exception is the Administrator account, and if it is allowed to log on over the network this leaves a loophole for quietly guessing its password. For protection it is recommended to rename the Administrator user, enable account lockout, forbid the administrator to log on over the network, block SMB over TCP/IP (ports 137, 138, 139) and enable logging of failed logons.

Spamming

Spammers looking for a place to start sending their mail garbage will most likely choose not an ISP but a corporation: an Internet provider can understand what has happened more easily and will probably get rid of such messages faster. Periodic spamming disrupts legitimate users by overloading the e-mail server. The problem is that connecting to an SMTP server is not difficult: you need to know only 7-8 commands to make the SMTP server distribute your messages. To guard against this you can check the addresses of incoming messages against the database of the server's registered users: if neither the sender address nor any of the requested recipient addresses is on the list, the mail is not relayed.

How to protect the mail system from spammers

• If you do not read the logs, spammers will act with impunity.
• Configure all but one of your company's mail servers so that they do not accept relay requests at all; the remaining server must carefully filter by IP address.
• Keep every e-mail server that can accept relay requests within the coverage of your firewall.

How Spammers Work

• A target is chosen: the spammer picks a company's domain name at random and then guesses the host name of its SMTP server. If the server accepts the mail, the spammer asks it to distribute the message to a list of addresses.
• The server executes the request, creating the impression that the messages originate from the IP address of the victim company.
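The following is an added example, not code from the original article or any real mail server: the relay decision an SMTP server should make so that the spammer described above cannot use it, shown with a minimal model of the handful of commands the text mentions (HELO, MAIL FROM, RCPT TO, DATA, QUIT). It deliberately does not trust the MAIL FROM address, since the IIS section below notes that a sender can type any return address; the decision rests on the client's IP address and the recipient's domain. The local domain, the internal network and the scripted sessions are assumed.

```python
# Added example (not code from the original article): SMTP relay policy with
# a minimal model of the command exchange. Local domain, internal network and
# the sessions are assumed; this is not any real mail server's code.
import ipaddress
import re
from typing import List, Tuple

LOCAL_DOMAINS = {"example.com"}                            # assumed: domains we host
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]  # assumed: our own users
ADDR_RE = re.compile(r"<([^>]*)>")


def relay_allowed(client_ip: str, rcpt: str) -> bool:
    """Accept a recipient only if the mail is inbound to one of our domains or
    the client is one of our own hosts. Anything else is relaying for a third
    party. The MAIL FROM address is not consulted: it proves nothing."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in INTERNAL_NETS):
        return True
    domain = rcpt.rpartition("@")[2].lower()
    return domain in LOCAL_DOMAINS


def smtp_session(client_ip: str, commands: List[str]) -> List[Tuple[str, str]]:
    """Run a scripted client session against the policy; return (command, reply)
    pairs. Message body lines after DATA produce no reply until the lone '.'."""
    log: List[Tuple[str, str]] = []
    sender, recipients, in_data = None, [], False
    for line in commands:
        if in_data:
            if line == ".":
                in_data = False
                log.append((line, "250 OK: queued"))
                sender, recipients = None, []
            continue
        verb = line.split(" ", 1)[0].split(":", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            reply = "250 mail.example.com"
        elif verb == "MAIL":
            m = ADDR_RE.search(line)
            sender = m.group(1) if m else None
            reply = "250 OK" if m else "501 syntax error"
        elif verb == "RCPT":
            m = ADDR_RE.search(line)
            if sender is None:
                reply = "503 need MAIL command first"
            elif not m:
                reply = "501 syntax error"
            elif relay_allowed(client_ip, m.group(1)):
                recipients.append(m.group(1))
                reply = "250 OK"
            else:
                reply = "550 relaying denied"
        elif verb == "DATA":
            if recipients:
                in_data = True
                reply = "354 end data with <CR><LF>.<CR><LF>"
            else:
                reply = "554 no valid recipients"
        elif verb == "QUIT":
            reply = "221 bye"
        else:
            reply = "500 command unrecognized"
        log.append((line, reply))
    return log


# Constructed sessions.
SPAM_RUN = ["HELO spammer", "MAIL FROM:<ceo@example.com>",
            "RCPT TO:<victim1@other.org>", "RCPT TO:<victim2@other.org>",
            "DATA", "QUIT"]
INBOUND = ["HELO mx.other.org", "MAIL FROM:<someone@other.org>",
           "RCPT TO:<alice@example.com>", "DATA", "Subject: hi", "", "hello", ".",
           "QUIT"]
OUTBOUND = ["HELO pc1", "MAIL FROM:<bob@example.com>",
            "RCPT TO:<friend@other.org>", "QUIT"]

if __name__ == "__main__":
    for cmd, reply in smtp_session("203.0.113.5", SPAM_RUN):
        print(f"C: {cmd}\nS: {reply}")
```

In the spammer's session the forged local MAIL FROM does him no good: both RCPT TO lines are refused with 550 and DATA fails with 554, so nothing is queued and the victim's address never appears as the origin of the messages. Mail from outside to a local user, and mail from an internal host to anyone, still passes.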

IIS Holes, WWW, FTP

• A sender can forge his address as follows: connect to the SMTP port on the machine on whose behalf he wants to send the message and type in the message text.
• The FTP service allows passive connections to a port address specified by the client, which an attacker can use to make the FTP service issue dangerous commands to other hosts (the FTP bounce attack). The registry contains the key HKLM\System\CurrentControlSet\Services\MSFTPSVC\Parameters with the value EnablePortAttack: REG_DWORD; make sure it is set to 0, not 1.
• If you connect with telnet to port 80, the command "GET ../.." crashes IIS with the message "The application, exe\inetinfo.dbg, generated an application error". The address http://www.domain.com/scripts..\..\scriptname allows the specified script to be executed. By default the Guest or IUSR_WWW account has read access to all files in all directories, so those files can be viewed, downloaded and launched.
• The \scripts and \cgi-bin directories should be closed: any file in them can be run directly from the browser window.
• When IIS receives a very long URL (4-8 KB) the server hangs and stops responding to further requests. The exact size depends on the particular server, so "killer" programs start with some base request size and gradually increase it, looking for the critical point that hangs the server port.
• Users of Outlook Express 98 have to reckon with the fact that this mailer processes, including executing, Visual Basic scripts that can easily be hidden in an e-mail; such a script has full access to the file system. The only real protection is setting the "security level" in Outlook to maximum.
• If you allow HTML tags to be entered in a chat room, nothing stops someone inserting something like <img src="http://www.mysite.com/cgi-bin/sniffer.cgi"> into a message. As a result everyone present in the chat (even unregistered visitors) will, without knowing it, call the script.
• Restrict access to port 25 to selected users only.