
Network attacks and something else

Introduction to Network Attacks

Brief descriptions of network attacks

Data fragmentation

Transfer of fragmented IP packets with a total volume of more than 64KB

Ping flooding attack

PingOfDeath or SSPing

UDP bomb

SYN flooding

Non-standard IP Encapsulated Protocols

TFTP protocol application

Smurf attack

Land Attack

Introducing a false server into the Internet by creating a directed “storm” of false DNS responses to the attacked host

Introducing a false server into the Internet by intercepting a DNS query or creating a directed “storm” of false DNS responses to the attacked DNS server

Introducing a spurious DNS server to the Internet by intercepting a DNS query

DNS flooding attack

DNS spoofing attack

IP spoofing attack

Imposing packets

Sniffing - listening to the channel (only possible in the local network segment)

Packet capture on the router

Imposing a spurious route on a host using ICMP

Winnuke

False ARP server

TCP sequence number prediction (IP spoofing)

Local storm

IP hijacking

Attack Detection and Protection

Scan methods

Using the ARP protocol

Network scanning via DNS

UDP bomb

TCP port scan

UDP port scan

Stealth scan

Passive scan

Login banners and the danger of the information they contain

Some tips for network research

Some other ways to get information

Holes and administration errors in Windows NT

Spam

How to protect the mail system from spammers

How spammers work

Holes in IIS, WWW, FTP

Introduction to Network Attacks

Interest in TCP/IP networks has grown together with the rapid growth of the Internet. This raises the question of how to protect your information resources from attacks originating in an external network: if you are connected to the Internet, your system may be attacked. The protocols of the IP family are the basis on which intranets and the global Internet are built. Although the development of TCP/IP was funded by the United States Department of Defense, TCP/IP is not completely secure and allows the various types of attacks discussed in this chapter. To carry out such attacks, a potential attacker must control at least one of the systems connected to the Internet.

One approach to analysing threats to the security of computer systems is to set apart, as a separate class, the threats inherent only in computer networks. This class of threats is called remote attacks. The classification is justified by a fundamental feature of how network operating systems are built: their components are distributed in space, and the connection between them is made physically through special network links (coaxial cable, twisted pair, optical fibre, etc.) and programmatically through a message-passing mechanism. All control messages and data that one component of a networked OS sends to another are transmitted over these links as exchange packets. This feature is the main reason for the emergence of a new class of threats: remote attacks. In this type of attack the attacker interacts with the recipient of the information, with the sender and/or with intermediate systems, possibly modifying and/or filtering the contents of TCP/IP packets. Such attacks often seem technically difficult to implement, but for a competent programmer writing the corresponding tools is not hard.

The ability to generate arbitrary IP packets is the key to active attacks. Remote attacks can be classified by the type of impact: active or passive. Active attacks fall into two groups. In the first, the attacker takes steps to intercept and modify the network stream or to "pretend" to be another system. In the second, TCP/IP is used to render the victim system inoperative. In passive attacks the attacker does not reveal himself in any way and does not directly interact with other systems; everything comes down to monitoring the available data or communication sessions. Passive attacks can nevertheless violate network security policy. The idea behind attack detection is simple: every attack produces characteristic network traffic, so traffic analysis makes it possible to identify the attack and find the attacker's "traces", i.e. to determine the IP addresses from which the impact was made. Thus attacks are detected by controlling the flow of information, which is achieved by analysing network traffic.

Brief descriptions of network attacks

It should be remembered that crude methods such as pinging with large packets or SYN flooding can flood any Internet machine or subnet, regardless of its configuration.

Data fragmentation

When an IP packet is transmitted over a network it may be split into several fragments, and on reaching the destination the packet is reassembled from these fragments. An attacker can initiate the sending of a large number of fragments, which leads to an overflow of software buffers on the receiving side and, in some cases, to a system crash.

Transfer of fragmented IP packets with a total volume of more than 64KB

Attack implementations that exploit IP packet fragmentation are numerous. Several fragmented IP packets are sent to the victim computer which, when reassembled, form a single packet larger than 64K (the maximum IP packet size is 64K minus the header length). This attack was effective against computers running Windows: on receiving such a packet, a Windows NT system without the special icmp-fix patch hangs or crashes. Other variants of the attack use incorrect offsets in the IP fragments, which leads to incorrect memory allocation, buffer overflow and, ultimately, system failure.

Counteraction: to detect such attacks it is necessary to reassemble packets "on the fly" and analyse the result, which significantly increases the hardware requirements.

Ping flooding attack

It appeared because the ping program, designed to assess line quality, has a key for "aggressive" testing. In this mode requests are sent as fast as possible, which lets the program show how the network behaves under maximum load. The attack requires the attacker to have access to fast Internet channels. Recall how ping works. The program sends an ICMP packet of type ECHO REQUEST, placing the time and its identifier in it. The kernel of the receiving machine answers such a request with an ICMP ECHO REPLY packet, and on receiving it ping reports the packet's speed. In the standard mode of operation packets are sent at fixed intervals and hardly load the network at all. But in the "aggressive" mode the stream of ICMP echo request/reply packets can overload a thin line, depriving it of the ability to carry useful information. Naturally, ping is only a special case of the more general situation of channel overload. For example, an attacker can send a multitude of UDP packets to port 19 of the victim machine if, following the generally accepted rules, it runs a character generator on UDP port 19 that answers packets with 80-byte lines. Note that the attacker can also forge the return address of such packets, which makes him harder to track down; only coordinated work by specialists on the intermediate routers can trace him, which is practically unrealistic. Another variant of the attack is to send ICMP echo request packets whose source address points at the victim to the broadcast addresses of large networks. As a result every machine in those networks answers the forged request, and the "sending" machine receives a multiple of the responses. Sending many broadcast echo requests on behalf of the "victim" to the broadcast addresses of large networks can thus saturate the victim's channel very quickly.

Signs of flooding are a sharply increased load on the network (or channel) and a growth in the number of packets of a particular kind (such as ICMP). As protection one can recommend configuring routers to filter ICMP traffic of the same kind once it exceeds some predetermined rate (packets per unit of time). To make sure that your own machines cannot serve as a source of ping flood, restrict access to ping.

PingOfDeath or SSPing

Its essence is as follows: a heavily fragmented ICMP packet of large size (64KB) is sent to the victim's machine. Windows systems react to receiving such a packet by hanging unconditionally, mouse and keyboard included. The attack program is widely available online as C source and as executables for some versions of Unix. Curiously, unlike WinNuke, not only Windows machines can fall victim to this attack: MacOS and some versions of Unix can be attacked as well. The advantages of this method of attack are that a firewall usually lets ICMP packets through, and if the firewall is configured to filter sender addresses, simple spoofing techniques can deceive it too. The disadvantage of PingOfDeath is that a single attack requires sending more than 64KB over the network, which makes it not very useful for large-scale sabotage.

UDP bomb

The transmitted UDP packet contains malformed service fields. Some older versions of network software crash the system on receiving such a packet.

SYN flooding

Flooding with SYN packets is the best-known way of "hammering" an information channel. Recall how TCP/IP handles an incoming connection. The system answers an incoming C-SYN packet with an S-SYN/C-ACK packet, moves the session into the SYN_RECEIVED state and places it in a queue. If an S-ACK does not arrive from the client within a specified time, the connection is removed from the queue; otherwise it moves to the ESTABLISHED state. Now consider the case where the incoming connection queue is already full and the system receives a SYN packet asking to establish a connection. According to the RFC it will be silently ignored. SYN flooding is based on overflowing the server's queue, after which the server stops responding to user requests. The most famous attack of this kind was the attack on Panix, a New York provider; Panix was down for 2 weeks. Different systems implement the queue differently. In BSD systems each port has its own queue of 16 entries. SunOS systems, on the contrary, make no such separation and simply have one large common queue. Accordingly, to block, for example, the WWW port on BSD, 16 SYN packets are enough, while for Solaris 2.5 many more are needed. After some time (depending on the implementation) the system removes the requests from the queue, but nothing prevents the attacker from sending a new batch. Thus, even over a 2400 bps connection, an attacker can send 20-30 packets every minute and a half to a FreeBSD server and keep it down (of course, this error has been corrected in recent versions of FreeBSD). As usual, the attacker can use random return IP addresses when forming the packets, which makes it difficult to detect and filter his traffic. Detection is easy: a large number of connections sit in the SYN_RECEIVED state, and attempts to connect to the port are ignored.

As protection, one can recommend patches that implement automatic "thinning" of the queue, for example based on the Early Random Drop algorithm. To find out whether your system is protected against SYN flooding, contact your system vendor. Another option is to configure the firewall so that it establishes all incoming TCP/IP connections itself and only then passes them on to the specified machine inside the network. This limits SYN flooding and keeps it from reaching the inside of the network. This attack is a denial-of-service attack: its result is the inability to provide a service. It is usually directed at a specific service, such as telnet or ftp, and consists of sending connection-establishment packets to the port of the attacked service. When a request is received, the system allocates resources for a new connection and then tries to answer the request (send a "SYN-ACK") to an unreachable address. By default, NT versions 3.5-4.0 retry the acknowledgement 5 times, after 3, 6, 12, 24 and 48 seconds. After that the system waits another 96 seconds for a response, and only then releases the resources allocated for the future connection. The total time the resources stay busy is 189 seconds.
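The detection sign given above (many connections stuck in SYN_RECEIVED on one port) can be checked from the connection table. The following is an added example, not code from the original article: it parses netstat-style lines, counts half-open connections per local port and raises an alert when a port's count reaches the BSD queue size the text quotes (16), reporting how many distinct sources the SYNs came from, since random return addresses are the usual signature. A second function reproduces the NT timing arithmetic from the paragraph. The sample connection table and the addresses in it are constructed.

```python
# Added example (not from the original article): count half-open TCP
# connections per local port from netstat-style output and flag ports whose
# count reaches the listen-queue size. The sample table below is constructed.
import re
from collections import Counter, defaultdict

_HEADER = "Proto Recv-Q Send-Q Local Address           Foreign Address         State"
# Constructed sample: 18 half-open connections to port 80 from 18 different
# sources, 2 to port 23, and one established session.
SAMPLE_NETSTAT = [_HEADER]
SAMPLE_NETSTAT += [
    f"tcp        0      0 192.0.2.10:80           203.0.113.{i}:4{i:04d}      SYN_RECV"
    for i in range(1, 19)
]
SAMPLE_NETSTAT += [
    "tcp        0      0 192.0.2.10:23           198.51.100.3:51200      SYN_RECV",
    "tcp        0      0 192.0.2.10:23           198.51.100.4:51201      SYN_RECV",
    "tcp        0      0 192.0.2.10:80           192.0.2.55:34567        ESTABLISHED",
]

_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}   # Linux and BSD spellings


def half_open_by_port(lines):
    """Return (Counter of half-open connections per local port, dict port -> set of sources)."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue                      # header or unrelated line
        local_port, foreign_addr, state = int(m.group(2)), m.group(3), m.group(5)
        if state in HALF_OPEN_STATES:
            counts[local_port] += 1
            sources[local_port].add(foreign_addr)
    return counts, sources


def syn_flood_alerts(lines, queue_size=16):
    """Alert for every port whose half-open count reaches the listen-queue size."""
    counts, sources = half_open_by_port(lines)
    alerts = []
    for port, n in sorted(counts.items()):
        if n >= queue_size:
            alerts.append(f"port {port}: {n} half-open connections from "
                          f"{len(sources[port])} sources (queue size {queue_size})")
    return alerts


def nt_hold_time(retries=(3, 6, 12, 24, 48), final_wait=96):
    """Seconds a half-open entry stays allocated: retransmission schedule plus final wait."""
    return sum(retries) + final_wait


if __name__ == "__main__":
    for alert in syn_flood_alerts(SAMPLE_NETSTAT):
        print(alert)
    print(f"NT 3.5-4.0 resource hold time: {nt_hold_time()} s")
```

On a live system the same function can be fed the output of `netstat -an`; the queue size to compare against is implementation specific, which is why the text advises asking the vendor.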

Non-standard IP Encapsulated Protocols

The IP packet contains a field that defines the protocol of the encapsulated packet (TCP, UDP, ICMP). Attackers can use a non-standard value of this field to transmit data that the standard means of controlling information flows will not record.

TFTP protocol application

This protocol contains no authentication mechanisms and is therefore attractive to intruders.

Smurf attack

The smurf attack consists of sending ICMP broadcast requests to a network on behalf of the victim computer. As a result, the computers that received the broadcast packets all reply to the victim computer, which leads to a significant reduction in the bandwidth of its communication channel and, in some cases, to the complete isolation of the attacked network. The smurf attack is exceptionally effective and widespread. Counteraction: to recognise this attack it is necessary to analyse the channel load and determine the reasons for the drop in throughput.
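Both the ping flooding section above and the smurf attack leave the traffic signatures the text names: a growth in ICMP packets from one source, and echo requests addressed to a network's broadcast address (the role a network plays when it is used as a smurf amplifier). The detector below is an added example, not code from the original article. It runs over constructed packet records and raises a "ping flood" alert when one source exceeds an echo-request rate in a sliding window, and a "smurf" alert for any echo request aimed at the broadcast address of a local prefix; the prefix, addresses and thresholds are assumptions chosen for the example.

```python
# Added example (not from the original article): detect the two ICMP abuses
# described in the text over constructed packet records.
#   - "ping flood": one source sends more than `threshold` echo requests
#     within `window` seconds;
#   - "smurf": an echo request is addressed to the broadcast address of a
#     local network, i.e. someone is trying to use this network as an amplifier.
import ipaddress
from collections import defaultdict, deque

ECHO_REQUEST, ECHO_REPLY = 8, 0
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed local prefixes


def is_local_broadcast(dst: str) -> bool:
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in LOCAL_NETS)


def analyse_icmp(records, window=1.0, threshold=50):
    """records: iterable of (timestamp_s, src, dst, icmp_type). Returns alert strings."""
    alerts = []
    recent = defaultdict(deque)   # src -> timestamps of its echo requests inside the window
    flagged = set()               # sources already reported, so each is reported once
    for ts, src, dst, icmp_type in sorted(records, key=lambda r: r[0]):
        if icmp_type != ECHO_REQUEST:
            continue
        if is_local_broadcast(dst):
            alerts.append(f"smurf: echo request from {src} to broadcast address {dst}")
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:     # slide the window forward
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged.add(src)
            alerts.append(f"ping flood: {len(q)} echo requests from {src} in {window}s")
    return alerts


# Constructed sample: 60 echo requests in 0.6 s from one host, one echo request
# to the local broadcast address, and a normal request/reply pair.
SAMPLE = [(0.01 * i, "198.51.100.7", "192.0.2.10", ECHO_REQUEST) for i in range(60)]
SAMPLE += [
    (0.2, "203.0.113.5", "192.0.2.255", ECHO_REQUEST),
    (1.5, "192.0.2.10", "192.0.2.1", ECHO_REQUEST),
    (1.5, "192.0.2.1", "192.0.2.10", ECHO_REPLY),
]

if __name__ == "__main__":
    for alert in analyse_icmp(SAMPLE):
        print(alert)
```

The router filter the text recommends is the enforcement counterpart of this logic: rate-limit ICMP of one type per source, and drop echo requests whose destination is a directed broadcast so the network cannot serve as an amplifier.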

Land Attack

The Land attack exploits vulnerabilities in the TCP/IP stack implementation of some operating systems. It consists of sending a TCP packet with the SYN flag set to an open port of the victim computer, in which the source address and port of the packet are equal to the address and port of the attacked computer. This makes the victim computer try to establish a connection with itself, as a result of which the processor load increases sharply and the machine may "hang" or reboot. This attack is very effective against some models of Cisco Systems routers, and its successful application to a router can disable an organisation's entire network. Counteraction: you can protect yourself from this attack, for example, by installing a packet filter between the internal network and the Internet with a filtering rule that drops packets arriving from the Internet with source IP addresses of the internal network's computers.

Introducing a false server into the Internet by creating a directed “storm” of false DNS responses to the attacked host

Another variant of a remote attack on the DNS service is based on the second type of typical remote attack, the "false object of a distributed computing system (DCS)". In this case the attacker constantly sends the attacked host a previously prepared false DNS response on behalf of the real DNS server, without having received any DNS request; in other words, he creates a directed "storm" of false DNS responses on the Internet. This is possible because a DNS request is usually carried over UDP, which has no means of identifying packets. The only criteria by which the host's network OS judges a response it receives from a DNS server are: first, the sender's IP address must match the DNS server's IP address; second, the DNS response must carry the same name as the DNS request; third, the DNS response must be directed to the same UDP port from which the DNS request was sent (this is the first problem for the attacker); and fourth, the request identifier field (ID) in the DNS header of the response must contain the same value as in the transmitted DNS query (this is the second problem). Since the attacker cannot intercept the DNS query, his main problem is the number of the UDP port from which the request was sent. But the sender's port number takes a limited set of values (1023?), so it is enough for the attacker to simply iterate, sending false responses to the corresponding list of ports. At first glance the second problem may be the two-byte identifier of the DNS query, but in this case it is either equal to one or has a value close to zero (one query - the ID is incremented by 1). Therefore, to carry out this remote attack, the attacker needs to choose the host of interest (A), the route to which he wants to change so that it passes through the false server, the attacker's host.

This is achieved by constant transmission (a directed "storm") by the attacker of false DNS responses to the attacked host, on behalf of the real DNS server, to the corresponding UDP ports. These false DNS responses give the attacker's IP address as the IP address of host A. The attack then develops as follows. As soon as the attack target (the attacked host) addresses host A by name, a DNS request is sent from this host to the network. The attacker will never receive it, but that is not necessary, because the host immediately receives one of the constantly transmitted false DNS responses, which the OS of the attacked host accepts as the real response from the DNS server. The attack has succeeded, and now the attacked host sends all packets destined for A to the IP address of the attacker's host, which in turn forwards them to A, acting on the intercepted information according to the "false object of a distributed DCS" scheme. Consider the functional scheme of this remote attack on the DNS service:
• continuous transmission to the attacked host, to various UDP ports and possibly with different IDs, of false DNS responses on behalf of (from the IP address of) the real DNS server, naming the host of interest and giving as its IP address the false address, that of the false server, the attacker's host;
• on receiving a packet from the host, changing the IP address in the IP header of the packet to the attacker's IP address and sending the packet on to the server (that is, the false server works with the server on its own behalf, from its own IP address);
• on receiving a packet from the server, changing the IP address in the IP header of the packet to the IP address of the false server and passing the packet on to the host (for the host, the false server is the real server).

Thus this remote attack, which uses security gaps in the DNS service, makes it possible to disrupt routing between two given objects from anywhere on the Internet. That is, the attack is inter-segment with respect to its target and threatens the security of any Internet host that uses ordinary DNS.

Introducing a false server into the Internet by intercepting a DNS query or creating a directed “storm” of false DNS responses to the attacked DNS server

From the remote DNS lookup scheme it follows that if the DNS server does not find the name specified in the request in its database, it sends the request to one of the root DNS servers whose addresses are listed in the server's settings file root.cache. That is, if the DNS server has no information about the requested host, it forwards the request further, and now the DNS server itself is the initiator of the remote DNS search. Therefore nothing prevents the attacker from using the methods described in the previous section to direct his attack at the DNS server: the target of the attack is now not the host but the DNS server, and the false DNS responses are sent by the attacker to the attacked DNS server on behalf of the root DNS server. It is important to consider the following features of the DNS server. To speed up its operation, each DNS server caches the mapping between host names and IP addresses in a memory area. This cache also holds dynamically changing information about the names and IP addresses of hosts found during the operation of the DNS server. That is, if the DNS server, on receiving a request, does not find a corresponding record in its cache table, it forwards the request to the next server and, on receiving the answer, stores the information found in the cache table in memory. Thus, when the next such request arrives, the DNS server no longer has to perform a remote search, since the necessary information is already in its cache table.

From the analysis of the remote DNS search scheme just described in detail it is obvious that if the attacker sends a false DNS response in answer to a request from the DNS server (or, in the case of a "storm", transmits false responses continuously), an entry with false information appears in the server's cache table, and from then on all hosts using this DNS server are misinformed: when they access the host whose route the attacker has decided to change, the connection to it is made through the attacker's host according to the "false object of a DCS" scheme. Over time this false information, once entered in the DNS server's cache, spreads to the neighbouring DNS servers of higher levels, and therefore more and more hosts on the Internet are misinformed and attacked. Obviously, if the attacker cannot intercept the DNS query from the DNS server, then to launch the attack he needs a "storm" of false DNS responses directed at the DNS server. Here the following main problem arises, different from the problem of choosing the port in the attack aimed at a host. As noted earlier, a DNS server, when sending a request to another DNS server, identifies the request with a two-byte value (ID), which is incremented by one with each request sent. The attacker has no way of learning the current value of the DNS query identifier, so it is hard to propose anything other than enumerating all 2^16 possible ID values. The port problem, on the other hand, disappears, since a DNS server transmits all its DNS queries to port 53. The next problem, which is a prerequisite for this remote attack on the DNS server in the case of a "storm" of false DNS responses, is that the attack succeeds only if the DNS server sends a request to look up the specific name contained in the false DNS response.

The DNS server sends this request, so necessary and desirable for the attacker, when a DNS request to look up the given name arrives from a host and that name is not in the DNS server's cache table. In principle such a request can arrive at any time, and the attacker may have to wait an arbitrarily long time for the results of the attack. However, nothing prevents the attacker, instead of waiting for anyone, from sending such a DNS query to the attacked DNS server himself, provoking it to look up the name specified in the query. Then the attack is likely to succeed almost immediately after it is started.

Introducing a spurious DNS server to the Internet by intercepting a DNS query

In this case we have a remote attack based on a standard typical remote attack that involves waiting for a DNS lookup request. Before considering the algorithm of attacks on the DNS service, attention must be paid to the following subtleties of how the service works. First, by default the DNS service operates over UDP (although TCP can be used), which naturally makes it less secure, since UDP, unlike TCP, provides no means of identifying messages. To switch from UDP to TCP, a DNS server administrator has to study the documentation very seriously. Moreover, the transition slows the system down somewhat, because, first, TCP requires a virtual connection and, second, end hosts' network OSs first send a DNS request over UDP and send it over TCP only if a special response comes back from the DNS server. Second, the value of the "sender port" field in the UDP packet first takes the value 1023 (?) and then increases with each transmitted DNS request. Third, the DNS query identifier (ID) behaves as follows. When a DNS query is sent from a host, its value depends on the particular network application generating the query. The author's experiments showed that for a request sent from the command interpreter shell of the Linux and Windows '95 operating systems (for example, ftp nic.funet.fi) this value is always equal to one. When a DNS query is sent by Netscape Navigator, the browser itself increases this value by one with each new query. When the request is transmitted by the DNS server itself, the server increases the identifier by one with each newly transmitted request.

All these subtleties matter for an attack without interception of the DNS query. To implement an attack with interception, the attacker needs to intercept the DNS query, extract from it the sender's UDP port, the two-byte ID of the DNS query and the name being looked up, and then send to the UDP port extracted from the DNS query a false DNS response which gives the real IP address of the false DNS server as the requested IP address. This makes it possible in future to fully intercept and actively influence, according to the "false object of a DCS" scheme, the traffic between the "deceived" host and the server. Consider the generalised scheme of a false DNS server:
• waiting for a DNS query;
• on receiving a DNS query, extracting the necessary information from it and sending over the network, to the requesting host, a false DNS response on behalf of (from the IP address of) the real DNS server, which gives the IP address of the false DNS server;
• on receiving a packet from the host, changing the IP address in its IP header to the IP address of the false DNS server and sending the packet to the server (that is, the false DNS server works with the server on its own behalf);
• on receiving a packet from the server, changing the IP address in its IP header to the IP address of the false DNS server and sending the packet to the host (for the host, the false DNS server is the real server).
A prerequisite for this type of attack is intercepting a DNS query, which is possible only if the attacker is either on the path of the main traffic or in the segment of the real DNS server. Having to satisfy one of these conditions on the attacker's location in the network makes such a remote attack difficult to carry out in practice (it is unlikely that the attacker will be able to get into the DNS server's segment, let alone onto an inter-segment communication channel).

However, if these conditions are met, an inter-segment remote attack on the Internet is possible. We note that the practical implementation of this remote attack revealed a number of interesting features in the operation of the FTP protocol and in the mechanism for identifying TCP packets. When the FTP client on the host connected to the remote FTP server through a false DNS server, it turned out that every time the user issued an FTP application command (for example ls, get, put, etc.), the FTP client produced a PORT command, which consisted of sending the client's port number and IP address to the FTP server in the data field of a TCP packet (it is hard to see a special meaning in this: why send the client's IP address to the FTP server every time?). As a result, if the false DNS server did not change the IP address transmitted in the data field of the TCP packet and passed the packet to the FTP server in the usual way, the next packet was sent by the FTP server to the FTP client's host, bypassing the false DNS server, and, most interestingly, this packet was accepted as a normal packet, after which the false DNS server lost control over the traffic between the FTP server and the FTP client! This is because an ordinary FTP server provides no additional identification of the FTP client and shifts all problems of packet and connection identification to a lower level, the TCP level.
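The three DNS sections above all turn on the same four acceptance criteria a host (or a DNS server acting as a client) applies to an incoming response: sender IP address, question name, destination UDP port and transaction ID. The code below is an added example, not code from the original article or from any resolver: it parses a DNS response from raw bytes and applies those four checks, in the order the text lists them, against a record of the outstanding query. The `build_response` helper only exists to construct test input; the addresses, name and ID are constructed, and the minimal response format it emits (one A record, a compression pointer to the question) is an assumption of the example.

```python
# Added example (not from the original article): resolver-side validation of a
# DNS response against the outstanding query, applying the four criteria the
# text lists: server IP, question name, destination UDP port, transaction ID.
import struct
from dataclasses import dataclass


def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        off += 1
        if length == 0:
            break
        if (length & 0xC0) == 0xC0:                      # compression pointer
            ptr = ((length & 0x3F) << 8) | msg[off]
            off += 1
            tail, _ = decode_name(msg, ptr)
            labels.append(tail)
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off


def build_response(txid: int, qname: str, ip: str) -> bytes:
    """Construct a minimal A-record response (test input only, constructed here)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; 1 question, 1 answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata  # name = pointer to offset 12
    return header + question + answer


def parse_response(msg: bytes) -> dict:
    txid, flags, _qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    qname, off = decode_name(msg, 12)
    off += 4                                    # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:          # A record
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "qname": qname.lower(), "answers": answers}


@dataclass
class PendingQuery:
    txid: int
    qname: str
    server_ip: str
    src_port: int


def validate_response(pending: PendingQuery, msg: bytes, from_ip: str, to_port: int):
    """Apply the four acceptance criteria in order; return (accepted, answers or reason)."""
    reply = parse_response(msg)
    if not reply["is_response"]:
        return False, "not a response"
    if from_ip != pending.server_ip:
        return False, "source address is not the queried server"
    if reply["qname"] != pending.qname.lower():
        return False, "question name mismatch"
    if to_port != pending.src_port:
        return False, "delivered to a port no query was sent from"
    if reply["id"] != pending.txid:
        return False, "transaction ID mismatch"
    return True, reply["answers"]


# Constructed sample: one outstanding query and a response that matches it.
PENDING = PendingQuery(txid=0x1A2B, qname="www.example.com", server_ip="192.0.2.53", src_port=40123)
GOOD = build_response(0x1A2B, "www.example.com", "198.51.100.10")

if __name__ == "__main__":
    print(validate_response(PENDING, GOOD, "192.0.2.53", 40123))
```

The text's observation is exactly what this check makes visible: the first criterion is defeated by a forged source address, and the remaining three are only as strong as the unpredictability of the port and ID a client chooses. A client that reuses port 1023 and ID 1 for every query reduces the attacker's guessing to the name alone; one that picks both at random from the full range forces the storm to cover 2^16 IDs across the whole port range before a single false response is accepted.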

DNS flooding attack

DNS flooding is an attack directed at Internet name servers. It consists of transmitting a large number of DNS queries and results in users being unable to reach the name service, so that ordinary users cannot work. Counteraction: to detect this attack, analyse the DNS server load and identify the sources of the queries.

DNS spoofing attack

The result of this attack is the insertion of an imposed match between an IP address and a domain name into the DNS server cache. If the attack succeeds, all users of this DNS server receive incorrect information about domain names and IP addresses. The attack is characterised by a large number of DNS packets with the same domain name, which stems from the need to guess some parameters of the DNS exchange. Counteraction: to detect such an attack, analyse the contents of the DNS traffic.
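The signature named here, many DNS packets for the same domain name, is the network-side view of the response "storm" described in the DNS sections above. The detector below is an added example, not code from the original article: rather than validating one packet at a time, it correlates queries and responses and counts responses for which no matching query is outstanding. Many unsolicited responses for one name carrying many different transaction IDs is the pattern of a guessing storm. The traffic records, addresses and threshold are constructed for the example.

```python
# Added example (not from the original article): flag false-response storms by
# correlating DNS queries with the responses that arrive for them. A response is
# "unsolicited" when no query for that name with that transaction ID is
# outstanding from the host it is addressed to. The sample traffic is constructed.
from collections import defaultdict


def detect_response_storms(records, id_threshold=20):
    """records: (timestamp_s, src, dst, kind, qname, txid), kind is "query" or "response".

    Returns one alert per name whose unsolicited responses carry more than
    `id_threshold` distinct transaction IDs.
    """
    outstanding = defaultdict(set)    # (client, qname) -> txids awaiting a response
    unsolicited = defaultdict(list)   # qname -> txids of unsolicited responses seen
    alerts = []
    flagged = set()
    for ts, src, dst, kind, qname, txid in sorted(records, key=lambda r: r[0]):
        name = qname.lower()
        if kind == "query":
            outstanding[(src, name)].add(txid)
        elif kind == "response":
            pending = outstanding.get((dst, name), set())
            if txid in pending:
                pending.discard(txid)         # answers a real query: legitimate
                continue
            unsolicited[name].append(txid)
            ids = set(unsolicited[name])
            if len(ids) > id_threshold and name not in flagged:
                flagged.add(name)
                alerts.append(f"response storm: {len(unsolicited[name])} unsolicited responses "
                              f"for {name} from {src} with {len(ids)} distinct IDs")
    return alerts


# Constructed sample: one legitimate query/response pair, then 30 responses for
# www.example.com that no host asked for, each with a different ID, claiming to
# come from the resolver's own DNS server.
SAMPLE = [
    (0.00, "192.0.2.10", "192.0.2.53", "query", "mail.example.org", 7),
    (0.05, "192.0.2.53", "192.0.2.10", "response", "mail.example.org", 7),
]
SAMPLE += [(0.5 + 0.001 * i, "192.0.2.53", "192.0.2.10", "response", "www.example.com", 1000 + i)
           for i in range(30)]

if __name__ == "__main__":
    for alert in detect_response_storms(SAMPLE):
        print(alert)
```

Because the responses are matched on the (client, name, ID) triple, a stream that happens to guess the right ID is still counted: the one matching packet is consumed, but the other guesses for the same name remain unsolicited and trip the alert.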

IP spoofing attack (syslog)

A large number of attacks on the Internet involve forging the source IP address. These include syslog spoofing, which consists of sending a message to the victim computer on behalf of another computer on the internal network. Since the syslog protocol is used to keep system logs, sending false messages to the victim computer makes it possible to plant information or to remove traces of unauthorised access. Counteraction: attacks involving forged IP addresses can be detected by watching for a packet arriving on an interface with a source address equal to that same interface's address, or for packets with IP addresses of the internal network arriving on the external interface.

Imposing packets

An attacker sends packets with a false return address into the network. With this attack the attacker can switch connections between other computers to his own computer, in which case the attacker's access rights become equal to those of the user whose connection to the server has been switched to the attacker's computer.

Sniffing - listening to the channel (only possible in the local network segment)

Almost all network cards support interception of the packets transmitted over the shared channel of a local network. In this mode a workstation can receive packets addressed to other computers in the same network segment, so the entire information exchange in the segment becomes available to the attacker. To carry out this attack successfully, the attacker's computer must be located in the same LAN segment as the attacked computer.

Packet capture on the router

The router's network software has access to all network packets transmitted through the router, which allows packets to be intercepted. To carry out this attack the attacker must have privileged access to at least one network router. Since a great many packets usually pass through a router, intercepting all of them is practically impossible; however, individual packets may well be intercepted and saved for later analysis. The most effective targets are FTP packets containing user passwords, as well as e-mail.

Imposing a spurious route on a host using ICMP

The Internet Control Message Protocol (ICMP) has, among its functions, a way for a router to tell a host that it should use a different router: the redirect message. A false redirect can be sent from any host in the network segment, on behalf of the router, to the attacked host. The host then changes its routing table, and from that moment all of its network traffic passes, for example, through the host that sent the false redirect. In this way a false route can be actively imposed within one segment of the Internet.
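A defender's view of the message just described, as an added example that is not part of the original page: decode an ICMP redirect from raw IPv4 bytes and flag any redirect whose new gateway is not one of the routers the host actually uses. The router addresses and the sample datagram are constructed for the example; checksums are not verified, and the source address is deliberately not trusted, because a false redirect is sent on behalf of the router.

```python
import ipaddress
import struct

# Routers that may legitimately redirect this host. Constructed values for the
# example; a real deployment would list its actual default gateway(s).
KNOWN_ROUTERS = {"192.0.2.1", "192.0.2.2"}


def parse_icmp_redirect(datagram: bytes):
    """Decode a raw IPv4 datagram. Return the redirect's fields if it is an
    ICMP redirect (type 5), otherwise None. Checksums are not verified here."""
    if len(datagram) < 20:
        return None
    ihl = (datagram[0] & 0x0F) * 4          # IP header length in bytes
    if datagram[9] != 1:                     # protocol 1 = ICMP
        return None
    icmp = datagram[ihl:]
    # type(1) code(1) checksum(2) gateway(4), then at least the 20-byte inner IP header
    if len(icmp) < 8 + 20 or icmp[0] != 5:
        return None
    inner = icmp[8:]                         # header of the datagram that triggered the redirect
    return {
        "src": str(ipaddress.IPv4Address(datagram[12:16])),
        "code": icmp[1],                     # 0 = network redirect, 1 = host redirect
        "gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def classify_redirect(datagram: bytes, known_routers=KNOWN_ROUTERS) -> str:
    """Flag redirects that try to move a route to a host that is not one of our routers."""
    r = parse_icmp_redirect(datagram)
    if r is None:
        return "not-a-redirect"
    if r["gateway"] not in known_routers:
        return "suspicious-redirect"
    return "redirect-to-known-router"


def sample_redirect_bytes(src, gateway, inner_src, inner_dst) -> bytes:
    """Construct a sample redirect datagram in memory for the example (checksums left zero)."""
    def ip4(a):
        return ipaddress.IPv4Address(a).packed
    # Inner IP header (20 bytes, UDP) plus the first 8 bytes of the original payload.
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        ip4(inner_src), ip4(inner_dst)) + b"\x00" * 8
    icmp = struct.pack("!BBH4s", 5, 1, 0, ip4(gateway)) + inner
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                        ip4(src), ip4("192.0.2.10"))
    return outer + icmp


if __name__ == "__main__":
    frame = sample_redirect_bytes("192.0.2.1", "192.0.2.66", "192.0.2.10", "198.51.100.5")
    print(parse_icmp_redirect(frame), classify_redirect(frame))
```

In practice the simplest mitigation is to have hosts ignore redirects altogether; the classifier above is what a sensor on the segment would run to notice that somebody is trying to send them.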

Winnuke

In addition to ordinary data, the TCP standard allows Out Of Band (urgent) data to be sent over a connection; at the level of the TCP segment format this appears as a non-zero urgent pointer. Most PCs running Windows have the NetBIOS network protocol installed, which uses three ports for its needs: 137, 138 and 139. It turned out that if one connects to a Windows machine on port 139 and sends a few bytes of Out Of Band data, the NetBIOS implementation does not know what to do with them and the machine simply hangs or reboots. On Windows 95 this usually appears as a blue text screen reporting an error in the TCP/IP driver and the inability to use the network until the OS is rebooted. NT 4.0 without a service pack reboots; NT 4.0 with Service Pack 2 falls into a blue screen. Sending similar data to port 135 and some other ports makes RPCSS.EXE consume a large share of processor time: on NT Workstation this causes a significant slowdown, and NT Server almost freezes.

False ARP server

On the Internet each host has a unique IP address, to which all messages from the global network are delivered. IP, however, is not a link-layer protocol but an internetwork protocol, designed for communication between objects in a global network. At the link layer, packets are addressed to the hardware addresses of network cards, and the Internet uses the Address Resolution Protocol (ARP) to map IP addresses one-to-one onto Ethernet addresses. Initially a host may know nothing about the Ethernet addresses of the other hosts in its segment, including the Ethernet address of the router. Therefore, on its first access to network resources, the host sends a broadcast ARP request, which every station in the segment receives. On receiving this request the router sends an ARP reply to the requesting host, reporting its Ethernet address. This scheme allows an attacker to send a false ARP reply declaring itself to be the desired host (for example, the router) and, from then on, to actively monitor all the network traffic of the "deceived" host.
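The defensive counterpart of the scheme above, as an added example that is not from the original page: a small ARP watcher that learns IP-to-MAC bindings on a segment and raises an alert when a reply contradicts a known binding or arrives without a matching request. Input is decoded ARP events rather than raw frames; the router's configured MAC address and the event sequence are constructed for the example.

```python
from collections import defaultdict


class ArpWatch:
    """Learn IP-to-MAC bindings from ARP traffic on one segment and flag replies
    that contradict them. Input is decoded ARP events; a real sensor would fill
    them from captured frames."""

    def __init__(self, static_bindings=None):
        self.bindings = dict(static_bindings or {})   # ip -> mac (configured or learned)
        self.pending = defaultdict(int)                # ip -> outstanding who-has requests
        self.alerts = []

    def on_request(self, target_ip):
        """Somebody asked 'who has target_ip'; a reply for it is now expected."""
        self.pending[target_ip] += 1

    def on_reply(self, sender_ip, sender_mac):
        """Check an 'is-at' reply; return the alerts it raised (possibly none)."""
        raised = []
        if self.pending[sender_ip] > 0:
            self.pending[sender_ip] -= 1
        else:
            # Gratuitous ARP is legitimate, so this alone is low severity,
            # but a false ARP server needs no request to poison a cache.
            raised.append(f"unsolicited reply: {sender_ip} is-at {sender_mac}")
        known = self.bindings.get(sender_ip)
        if known is None:
            self.bindings[sender_ip] = sender_mac
        elif known != sender_mac:
            raised.append(f"binding change for {sender_ip}: {known} -> {sender_mac}")
        self.alerts.extend(raised)
        return raised


def run_sample() -> list:
    """Replay a constructed sequence: the real router answers a request, then a
    second host claims the router's address without being asked."""
    # Constructed router MAC; in practice this comes from the router's configuration.
    watch = ArpWatch(static_bindings={"192.0.2.1": "00:00:5e:00:01:01"})
    watch.on_request("192.0.2.1")
    watch.on_reply("192.0.2.1", "00:00:5e:00:01:01")     # genuine router reply
    watch.on_request("192.0.2.42")
    watch.on_reply("192.0.2.42", "02:00:00:00:00:42")    # new host, binding learned
    watch.on_reply("192.0.2.1", "02:00:00:00:00:42")     # that host now claims to be the router
    return watch.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

Pinning the router's binding statically (as the sample does) is the cheapest protection on small segments: a changed binding for the gateway is almost never legitimate.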

TCP sequence number prediction (IP spoofing)

Here the attacker's goal is to pass himself off as another system, for example one that is "trusted" by the victim system. The method is also used for other purposes, for example to send forged e-mail through the victim's SMTP server. A TCP connection is established in three stages: the client chooses a sequence number and sends it to the server (let us call it C-SYN); in reply the server sends the client a packet containing an acknowledgement (C-ACK) and its own sequence number (S-SYN). The client must now send its acknowledgement (S-ACK); after that the connection is considered established and data exchange begins. Besides this, every packet header carries a sequence number field and an acknowledgement number field. These numbers grow as data is exchanged and allow the correctness of the transfer to be verified. Suppose the attacker can predict which sequence number (S-SYN in the scheme above) the server will send. This can be done from knowledge of the specific TCP/IP implementation. For example, in 4.3BSD the value used as the next sequence number increases by 125000 every second. Thus, by sending one packet to the server, the attacker receives a reply and can (probably after several attempts, correcting for the connection speed) predict the sequence number for the next connection. If the TCP/IP implementation uses a special algorithm to choose the sequence number, it can be worked out by sending several dozen packets to the server and analysing its replies. So, suppose system A trusts system B, so that a user of system B can run "rlogin A" and land on A without entering a password. Suppose the attacker sits on system C. System A acts as the server; systems B and C are clients. The attacker's first task is to put system B into a state in which it cannot answer network requests.
This can be done in several ways; in the simplest case it is enough to wait for system B to reboot, since the few minutes during which it is out of service should suffice. After that the attacker can try to pass himself off as system B in order to gain (at least short-term) access to system A. The attacker sends several connection-initiating IP packets to system A to learn the current state of the server's sequence number. He then sends an IP packet whose return address is already that of system B. System A replies with a packet containing a sequence number, addressed to system B. System B will never receive it (it is down), and neither will the attacker, but from the earlier analysis he can guess which sequence number was sent to B. The attacker then acknowledges the packet from A by sending, on behalf of B, a packet with the estimated S-ACK (note that if the systems are in the same segment, intercepting the packet sent by A is enough to learn the sequence number). If the attacker is lucky and the server's sequence number was guessed correctly, the connection is now considered established. The attacker can now send another forged IP packet, this time carrying data; for example, if the attack is aimed at rsh, it could carry commands that create a .rhosts file or mail /etc/passwd to the attacker. Counteraction: the simplest sign of IP spoofing is packets with internal addresses arriving from the outside world, and router software can alert the administrator about them. Do not be complacent, however: the attack may come from inside your own network. With more intelligent network monitoring tools the administrator can watch (automatically) for packets from systems that are in an unavailable state. But what prevents the attacker from imitating system B by answering ICMP packets on its behalf?
What are the ways to protect against IP spoofing? First, the guessing of the sequence number (the key element of the attack) can be made difficult or impossible: for example, the rate at which the server's sequence number changes can be increased, or the increment can be chosen randomly (preferably with a cryptographically strong random number generator). If the network uses a firewall (or another IP filter), a rule should be added so that packets arriving from outside with return addresses from our own address space are not let into the network. Trust between machines should also be minimised: ideally there should be no way to get straight onto the next machine in the network after obtaining superuser rights on one of them. Of course, this does not help against services that require no authorisation, such as IRC (an attacker can pretend to be an arbitrary Internet machine and send a set of commands that join an IRC channel, post arbitrary messages, and so on). Encryption of the TCP/IP stream solves the IP spoofing problem in general (provided cryptographically strong algorithms are used). To reduce the number of such attacks it is also recommended to configure the firewall to filter packets sent from our network to the outside that carry addresses not belonging to our address space.
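The first countermeasure above, choosing initial sequence numbers randomly, can be checked on one's own stack. The following is an added example, not code from the original page: it models the predictable generator described for 4.3BSD (a fixed increment of 125000 per second), a generator driven by a cryptographic RNG, and an audit that measures how often the next ISN can be guessed from the previous one using the most common observed increment. The one-sample-per-second clock model and the sample sizes are assumptions made for the example.

```python
import secrets
import statistics


def predictable_isn(t_seconds: int, base: int = 0) -> int:
    """Model of the generator described above: the initial sequence number grows
    by a fixed 125000 per second, so it is a plain function of the clock."""
    return (base + 125000 * t_seconds) % 2**32


def random_isn() -> int:
    """Generator using a cryptographic RNG, the recommended alternative."""
    return secrets.randbits(32)


def increment_predictor(samples):
    """Build the predictor an observer would build: take the most common difference
    between consecutive ISNs and assume the next one is previous + step."""
    diffs = [(b - a) % 2**32 for a, b in zip(samples, samples[1:])]
    step = statistics.mode(diffs)
    return (lambda prev: (prev + step) % 2**32), step


def guess_rate(samples, predictor) -> float:
    """Fraction of ISNs in the sample that the predictor gets exactly right."""
    hits = sum(1 for prev, cur in zip(samples, samples[1:]) if predictor(prev) == cur)
    return hits / (len(samples) - 1)


def audit(isn_samples) -> float:
    """Audit an ISN generator from a series of observed ISNs (one per connection,
    assumed here to be one second apart): 1.0 means fully predictable."""
    predictor, _ = increment_predictor(isn_samples)
    return guess_rate(isn_samples, predictor)


if __name__ == "__main__":
    old = [predictable_isn(t) for t in range(10)]
    new = [random_isn() for _ in range(60)]
    print("fixed-increment generator, guess rate:", audit(old))
    print("cryptographic RNG generator, guess rate:", audit(new))
```

A guess rate near 1.0 means the stack is open to the attack described in this section; a rate near zero over a few dozen samples is what a random generator should produce.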

Local storm

Let us digress briefly into TCP/IP implementation details and consider "local storms", taking a UDP storm as the example. By default, systems usually support UDP ports such as 7 ("echo": the received packet is sent back), 19 ("character generator": a string of characters is sent to the sender in reply to the received packet) and others (daytime, etc.). An attacker can send a single UDP packet with 7 as the source port and 19 as the destination port, and with two machines of your network (or even 127.0.0.1) as the source and destination addresses. On receiving the packet, port 19 answers with a string that goes to port 7; port 7 echoes it back to port 19, and so on without end. This endless loop eats up the resources of the machines and adds meaningless load to the channel. Of course, the storm stops with the first lost UDP packet. Counteraction: once again, do not let packets with internal addresses that arrive from outside pass into the network. It is also recommended to block most of these services on the firewall.

IP hijacking

The method combines eavesdropping with IP spoofing. Prerequisites: the attacker must have access to a machine on the path of the network stream and enough rights on it to generate and intercept IP packets. Recall that during data transfer the sequence number and acknowledgement number are used continuously (both fields are in the packet header); from their values the server and the client verify that packets were transferred correctly. A connection can be put into a "desynchronized state", in which the sequence and acknowledgement numbers sent by the server do not match what the client expects, and vice versa. The attacker "listening" on the line can then take over the role of an intermediary, generating correct packets for the client and the server and intercepting their answers. The method allows protection systems such as one-time passwords to be bypassed completely, since the attacker starts working after the user has been authenticated. There are two ways to desynchronize a connection.
• Early desynchronization. The connection is desynchronized while it is being established. The attacker listens on the network segment through which the packets of the session of interest will pass. Having waited for the S-SYN packet from the server, the attacker sends the server an RST (reset) packet, of course with the correct sequence number, and immediately after it a forged C-SYN packet on behalf of the client. The server drops the first session and opens a new one to the same port, but with a new sequence number, after which it sends a new S-SYN packet to the client. The client ignores the S-SYN packet, but the attacker listening on the line sends the server an S-ACK packet on behalf of the client. Now the client and the server are in the ESTABLISHED state, but the session is desynchronized.
Naturally, this scheme does not work 100% of the time: for example, there is no guarantee that some of the packets sent by the intruder will not be lost on the way. To handle such situations correctly the program has to be made more complicated.
• Desynchronization with null data. Here the attacker listens to the session and at some moment sends the server a packet with "null" data, i.e. data that will be ignored at the application level and is invisible to the client (for telnet, for example, this could be IAC NOP, IAC NOP, IAC NOP ...). A similar packet is sent to the client. Obviously the session is then in a desynchronized state.
ACK storm. One of the problems of IP hijacking is that any packet sent while the session is desynchronized causes a so-called ACK storm. For example, the server sends a packet; it is unacceptable to the client, which therefore replies with an ACK packet; this packet is in turn unacceptable to the server, which replies to the client again, and so on without end. Fortunately, modern networks are built on technologies that tolerate the loss of individual packets: since ACK packets carry no data, no retransmissions occur and the storm dies down. Experiments have shown that the stronger the ACK storm, the faster it "calms down" by itself; on 10 Mbit Ethernet this happens in a fraction of a second, on unreliable links such as SLIP not much longer.
Detection and protection. There are several ways. For example, one can implement a TCP/IP stack that watches for the transition into a desynchronized state by exchanging information about the sequence and acknowledgement numbers; in that case, however, we are not protected against an attacker who alters these values too. A more reliable way is therefore to analyse the network load and track emerging ACK storms, which can be implemented with specialised network monitoring tools.
If the attacker does not bother to keep the connection desynchronized until it is closed, or does not filter the output of his own commands, the user will also notice at once. Unfortunately, the vast majority of users will simply open a new session without contacting the administrator. Complete protection against this attack is provided, as always, by encrypting TCP/IP traffic, at the application level (secure shell) or at the protocol level (IPsec), which rules out modifying the network stream. PGP can be used to protect e-mail messages. It should be noted that the method also does not work on some specific TCP/IP implementations: despite the [rfc ...], which requires a session to be closed silently in response to an RST packet, some systems generate a counter RST packet, which makes early desynchronization impossible.
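The "analyse the network load and track emerging ACK storms" advice above, as an added example that is not from the original page: a detector that takes decoded TCP segments from a sensor and reports host pairs that exchange a burst of empty ACK-only segments in both directions within a short window. The traffic, thresholds and window length are constructed for the example; on a real link the thresholds would be tuned to the observed baseline.

```python
from collections import defaultdict


def detect_ack_storms(segments, window=1.0, threshold=20) -> list:
    """segments: iterable of (t, src, dst, flags, payload_len) as a sensor decodes them.
    Returns [(host_a, host_b, count)] for each host pair that exchanged at least
    `threshold` empty ACK-only segments inside `window` seconds."""
    empty_acks = defaultdict(list)        # unordered host pair -> [(t, sender)]
    for t, src, dst, flags, plen in segments:
        if set(flags) == {"ACK"} and plen == 0:
            pair = tuple(sorted((src, dst)))
            empty_acks[pair].append((t, src))
    storms = []
    for pair, recs in empty_acks.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > window:
                start += 1
            burst = recs[start:end + 1]
            # A storm is ping-pong: both hosts must be sending, not one host retrying.
            if len(burst) >= threshold and len({sender for _, sender in burst}) == 2:
                storms.append((pair[0], pair[1], len(burst)))
                break
    return storms


def sample_segments() -> list:
    """Constructed traffic: a healthy session, then a desynchronised one."""
    segs = []
    a, b = "192.0.2.10", "198.51.100.5"
    for i in range(10):                   # normal: data one way, one empty ACK back, 1 s apart
        segs.append((float(i), a, b, ("ACK", "PSH"), 100))
        segs.append((i + 0.1, b, a, ("ACK",), 0))
    x, y = "192.0.2.20", "198.51.100.6"
    for i in range(40):                   # storm: 40 empty ACKs bouncing within 0.2 s
        sender, receiver = (x, y) if i % 2 == 0 else (y, x)
        segs.append((50 + i * 0.005, sender, receiver, ("ACK",), 0))
    return segs


if __name__ == "__main__":
    print(detect_ack_storms(sample_segments()))
```

The requirement that both endpoints take part in the burst is what separates a storm from an ordinary retransmission or keep-alive pattern, where only one side sends empty ACKs.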

Attack Detection and Protection

• To detect attacks, broadcast activity can be analysed: UDP, NBF and SAP packets.
• To protect an internal network connected to the Internet, do not pass incoming packets from the external network whose source address belongs to the internal network. Packets can be allowed in only to port 80.
• Set up packet filtering where necessary (do not neglect even Control Panel\Network\Protocols\Properties\Advanced on Windows NT).
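The border-filter rules that this list, the IP spoofing counteraction, the sequence-number-prediction section and the local storm section all recommend, gathered into one decision function as an added example (not code from the original page): drop internal source addresses arriving from outside, drop foreign source addresses leaving the network, drop self-addressed or loopback packets and UDP loops between the small services, and let inbound traffic in only to port 80 as the list above suggests. The address ranges, port sets and sample packets are constructed for the example.

```python
import ipaddress

# Address space of the protected network; constructed for the example.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("198.51.100.0/24")]
# UDP "small services" that answer every datagram and can be looped against each other.
SMALL_SERVICES = {7, 9, 13, 19}          # echo, discard, daytime, chargen
ALLOWED_INBOUND_TCP = {80}               # the list's example: let only web traffic in


def is_internal(addr) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def border_verdict(pkt: dict) -> tuple:
    """Decide what the border filter does with one packet.
    pkt keys: iface ('ext' = arrived from the Internet, 'int' = arrived from inside),
    src, dst, proto ('tcp'|'udp'|'icmp'), sport, dport. Returns (action, reason)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if src == dst or src.is_loopback or dst.is_loopback:
        return "drop", "self-addressed or loopback address on the wire"
    if pkt["iface"] == "ext" and is_internal(src):
        return "drop", "internal source address arriving from outside (spoofed)"
    if pkt["iface"] == "int" and not is_internal(src):
        return "drop", "foreign source address leaving our network (egress spoofing)"
    if pkt["proto"] == "udp" and pkt["sport"] in SMALL_SERVICES and pkt["dport"] in SMALL_SERVICES:
        return "drop", "udp small-service loop (echo/chargen storm)"
    if pkt["iface"] == "ext" and not (pkt["proto"] == "tcp" and pkt["dport"] in ALLOWED_INBOUND_TCP):
        return "drop", "inbound traffic to a port that is not published"
    return "accept", "ok"


SAMPLE_PACKETS = [  # constructed
    dict(iface="ext", src="192.0.2.5", dst="192.0.2.10", proto="udp", sport=514, dport=514),      # spoofed syslog
    dict(iface="int", src="203.0.113.9", dst="198.51.100.77", proto="tcp", sport=40000, dport=25),  # egress spoof
    dict(iface="int", src="192.0.2.5", dst="192.0.2.6", proto="udp", sport=7, dport=19),         # echo/chargen loop
    dict(iface="ext", src="203.0.113.9", dst="192.0.2.10", proto="tcp", sport=40000, dport=80),  # web request
    dict(iface="ext", src="203.0.113.9", dst="192.0.2.10", proto="tcp", sport=40000, dport=23),  # telnet from outside
]


def filter_all(packets=SAMPLE_PACKETS) -> list:
    """Apply the verdict to every sample packet; returns the list of actions."""
    return [border_verdict(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["iface"], p["src"], "->", p["dst"], border_verdict(p))
```

The order of the rules matters: the spoofing checks come before the port rule so that a spoofed packet is logged for what it is rather than as a generic port denial.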

Scan methods

Using the ARP protocol

ARP requests can be used by attackers to identify functioning systems in the segments of a local network.

Network scanning via DNS

It is known that before launching an attack, attackers identify their targets, i.e. the computers that will be the victims of the attack as well as the computers that exchange information with them. One way to identify targets is to query the name server and obtain from it all available information about the domain. Counteraction: to detect such a scan it is necessary to analyse DNS requests (address-to-name lookups) that arrive, possibly from different DNS servers, within a certain fixed period of time, to look at what information they carry and to track the enumeration of addresses.
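The counteraction above, as an added example that is not part of the original page: parse constructed name-server query log lines, keep only reverse (PTR) lookups, group them by the /24 they enumerate regardless of which resolver sent them, and report subnets for which many distinct addresses were looked up within one window. The log line format, the window and the threshold are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<iso-timestamp> client=<resolver-ip> query=<name> type=<qtype>"
LINE = re.compile(r"^(\S+) client=(\S+) query=(\S+) type=(\S+)$")


def ptr_to_ip(qname: str):
    """Turn '5.2.0.192.in-addr.arpa' into IPv4Address('192.0.2.5'); None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    octets = qname[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ipaddress.ip_address(".".join(reversed(octets)))


def detect_reverse_sweeps(log_lines, window_s=600, threshold=8) -> list:
    """Group PTR queries by the /24 they enumerate and report subnets where at least
    `threshold` distinct addresses were looked up inside one window.
    Returns [(subnet, distinct_addresses, sorted list of resolvers involved)]."""
    by_net = defaultdict(list)
    for line in log_lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        ip = ptr_to_ip(qname) if qtype == "PTR" else None
        if ip is None:
            continue
        t = datetime.fromisoformat(ts).timestamp()
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net[net].append((t, ip, client))
    alerts = []
    for net, recs in by_net.items():
        recs.sort(key=lambda r: r[0])
        for i in range(len(recs)):
            burst = [r for r in recs[i:] if r[0] - recs[i][0] <= window_s]
            addrs = {r[1] for r in burst}
            if len(addrs) >= threshold:
                alerts.append((str(net), len(addrs), sorted({r[2] for r in burst})))
                break
    return alerts


# Constructed log: two resolvers walk 192.0.2.1-10 in reverse; ordinary queries mixed in.
SAMPLE_LOG = (
    [f"2024-03-01T10:00:{i:02d} client=203.0.113.{7 + i % 2} query={i}.2.0.192.in-addr.arpa type=PTR"
     for i in range(1, 11)]
    + ["2024-03-01T10:00:05 client=198.51.100.2 query=www.example.com type=A",
       "2024-03-01T10:03:00 client=198.51.100.2 query=1.100.51.198.in-addr.arpa type=PTR"]
)

if __name__ == "__main__":
    print(detect_reverse_sweeps(SAMPLE_LOG))
```

Grouping by the enumerated subnet rather than by client is what lets the detector see a sweep spread over several resolvers, which is the case the text warns about.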

UDP bomb

Ping sweep network scanning

A ping sweep, i.e. probing hosts with ICMP echo requests, is an effective method of identifying targets.

Counteraction: to detect a ping sweep of targets inside the subnet, analyse the source and destination addresses of ICMP packets.

TCP port scan

Port scanning is a well-known method of identifying a computer's configuration and the services available on it. There are several TCP scanning methods; some of them are called stealth scans because they exploit weaknesses in the TCP/IP stack implementations of most modern operating systems and are not detected by standard means. Counteraction: one possible countermeasure is to send TCP packets with the RST flag set to the attacker's computer on behalf of the scanned computer.

Scan UDP ports

Another type of port scan is based on the UDP protocol and works as follows: a UDP packet addressed to the port being checked is sent to the scanned computer. If nothing listens on the port, an ICMP "destination port unreachable" message comes back; otherwise there is no answer. This type of scan is quite effective and allows all the ports of the victim computer to be scanned in a short time. Counteraction: this kind of scanning can be countered by sending port-unreachable messages to the attacker's computer.

Stealth scan

The method relies on incorrect network code, so there is no guarantee that it will work in any particular situation. TCP packets with the ACK or FIN flag set are used, because a port with no open connection should always answer such a packet with an RST. Several methods use this principle:
• Send a FIN packet. If the receiving host returns an RST, the port is inactive; if no RST comes back, the port is active. This works on most operating systems.
• Send an ACK packet. If the TTL of the returned packets is smaller than in the other RST packets received, or if the window size is greater than zero, the port is most likely active.
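What a sensor can do about the probes just described, and about the Out Of Band data to port 139 from the Winnuke section, as an added example that is not from the original page: classify decoded TCP segments against the set of connections the sensor knows to be established, so that FIN-only or ACK-only segments that belong to no connection, and urgent data aimed at the NetBIOS ports, are counted per source. The connection table and the sample segments are constructed for the example.

```python
from collections import Counter

NETBIOS_PORTS = {137, 138, 139}


def classify_segment(seg: dict, established: set) -> str:
    """seg: decoded TCP segment with src, sport, dst, dport, flags (set of names), urg_ptr.
    established: set of (src, sport, dst, dport) connections the sensor has seen complete."""
    flags = set(seg["flags"])
    fwd = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
    rev = (seg["dst"], seg["dport"], seg["src"], seg["sport"])
    known = fwd in established or rev in established
    # Out-of-band data to a NetBIOS port: the pattern the Winnuke section describes.
    if "URG" in flags and seg.get("urg_ptr", 0) > 0 and seg["dport"] in NETBIOS_PORTS:
        return "oob-data-to-netbios"
    if "SYN" in flags:
        return "connection-setup"
    if not known and flags == {"FIN"}:
        return "fin-probe-without-connection"
    if not known and flags == {"ACK"}:
        return "ack-probe-without-connection"
    if not known:
        return "segment-without-connection"
    return "normal"


def probe_summary(segments, established) -> dict:
    """Count suspicious classes per source address. A few per source is noise
    (late segments of closed sessions); dozens spread over many ports is a scan."""
    counts = Counter()
    for seg in segments:
        cls = classify_segment(seg, established)
        if cls not in ("normal", "connection-setup"):
            counts[(seg["src"], cls)] += 1
    return dict(counts)


# Constructed sample: one real session, a FIN and ACK prober, and OOB data to port 139.
ESTABLISHED = {("198.51.100.5", 51000, "192.0.2.10", 80)}
SAMPLE = (
    [dict(src="198.51.100.5", sport=51000, dst="192.0.2.10", dport=80, flags={"ACK", "PSH"}, urg_ptr=0)]
    + [dict(src="203.0.113.9", sport=40000 + p, dst="192.0.2.10", dport=p, flags={"FIN"}, urg_ptr=0)
       for p in range(20, 30)]
    + [dict(src="203.0.113.9", sport=41000 + p, dst="192.0.2.10", dport=p, flags={"ACK"}, urg_ptr=0)
       for p in range(20, 25)]
    + [dict(src="203.0.113.9", sport=42000, dst="192.0.2.10", dport=139,
            flags={"ACK", "URG", "PSH"}, urg_ptr=3)]
)

if __name__ == "__main__":
    for key, n in sorted(probe_summary(SAMPLE, ESTABLISHED).items()):
        print(key, n)
```

A stateful sensor is needed for this: without a table of established connections, a lone ACK cannot be told apart from ordinary traffic, which is exactly why the text calls these scans "stealth".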

Passive scan

Scanning is often used by attackers to find out on which TCP ports daemons answer requests from the network. An ordinary scanner program opens connections to the ports one after another; when a connection is established, the program resets it and reports the port number to the attacker. This method is easily detected from the messages of daemons surprised by a connection aborted immediately after being set up, or with special programs; the best of these make some attempts to introduce elements of artificial intelligence into tracking connection attempts to different ports. The attacker, however, may use another method: passive scanning. Here the attacker sends a TCP/IP SYN packet to all ports in turn (or according to some given algorithm). TCP ports that accept connections from outside return a SYN/ACK packet as an invitation to continue the three-way handshake; the rest return RST packets. By analysing the replies the attacker quickly learns which ports have programs listening on them. He may also answer the SYN/ACK packets with RST packets, indicating that the connection setup will not continue (in general, the attacker's TCP/IP implementation will send the RST packets automatically unless special measures are taken). The method is not detected by the means mentioned above, because no real TCP/IP connection is established. However, depending on the attacker's behaviour, one can track a sharply increased number of sessions in the SYN_RECEIVED state (if the attacker does not reply with an RST) or the receipt of RST packets from a client in response to SYN/ACK.
Unfortunately, with sufficiently intelligent behaviour on the attacker's part (for example, scanning at a low rate or checking only specific ports) passive scanning cannot be detected, since it is no different from ordinary attempts to establish a connection. The only defence one can advise is to close on the firewall all services that are not required from outside.
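The detection that the ping sweep, UDP scan and passive scan sections all come down to, as an added example that is not from the original page: one source touching many hosts (a host sweep) or many ports (a port scan) inside a short window. The detector works on decoded packets from a sensor; the traffic, window and thresholds are constructed for the example. As the text notes, a slow scan stays below these thresholds, which is why the window and the counts have to be chosen against the network's normal behaviour.

```python
from collections import defaultdict


def detect_sweeps(events, window=5.0, host_threshold=10, port_threshold=15) -> list:
    """events: decoded packets as dicts with t, src, dst, proto ('icmp-echo'|'tcp-syn'|'udp'), dport.
    Returns [(src, kind, count)]: 'host-sweep' when one source touches many hosts,
    'port-scan' when it touches many (host, proto, port) targets, inside `window` seconds."""
    per_src = defaultdict(list)
    for ev in events:
        per_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["t"])
        for i, first in enumerate(evs):
            burst = [e for e in evs[i:] if e["t"] - first["t"] <= window]
            hosts = {e["dst"] for e in burst}
            ports = {(e["dst"], e["proto"], e["dport"]) for e in burst if e["proto"] != "icmp-echo"}
            if len(hosts) >= host_threshold:
                alerts.append((src, "host-sweep", len(hosts)))
                break
            if len(ports) >= port_threshold:
                alerts.append((src, "port-scan", len(ports)))
                break
    return alerts


def sample_events() -> list:
    """Constructed traffic: an ICMP sweep of 192.0.2.1-12, a SYN scan of 20 ports on one
    host, and an ordinary client opening a few web connections."""
    ev = []
    ev += [dict(t=i * 0.1, src="203.0.113.7", dst=f"192.0.2.{i}", proto="icmp-echo", dport=None)
           for i in range(1, 13)]
    ev += [dict(t=10 + p * 0.05, src="203.0.113.9", dst="192.0.2.10", proto="tcp-syn", dport=p)
           for p in range(1, 21)]
    ev += [dict(t=20 + k, src="198.51.100.5", dst=f"192.0.2.{10 + k}", proto="tcp-syn", dport=80)
           for k in range(3)]
    return ev


if __name__ == "__main__":
    print(detect_sweeps(sample_events()))
```

The same function covers the UDP scan of the previous section, since UDP probes are counted as targets exactly like TCP SYNs; only the protocol label differs.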

Invitation system and the danger of the information contained in it

The "system prompts" (banners) displayed by central computers on remote access terminals when a user logs in should be removed. This requirement is due to the following reasons:
• The "system prompt" usually contains information that lets an intruder identify the type and version of the central computer's operating system, the type of remote access software, and so on. Such information can greatly simplify the task of breaking into the system, since the intruder can use unlawful access tools that exploit the weaknesses of a particular system.
• The "system prompt" usually indicates the departmental affiliation of the system. If the system belongs to a secret agency or a financial institution, the offender's interest may increase considerably.
• In a recent trial, a company's claim against a person who had illegally entered the company's network was dismissed, because he explained his actions by the "Welcome to ..." banner displayed on the remote access terminal of the central computer.

Some tips for network research

• Scan the server for open ports and services.
• Try logging in to the server as IUSR_<name of the machine with shares>.
• Try to grab SAM._ from /REPAIR (the SAM is unpacked with the expand command).
• The /scripts and /cgi-bin directories, as many probably know, allow any file in them to be run under NT, so access to these directories should be closed. The launch is performed from the browser with a request such as http://www.idahonews/scripts/getadmin.exe?Test (if the executable file is in /scripts). Admin rights can be obtained as follows: programs in /scripts are run not under the user's account but under the web server's account, from which it follows that the admin passwords can easily be pulled from the registry with PWDUMP.exe.
• It should be remembered that programs in /SCRIPTS run under the Web account, not under the account of the user who started them. Therefore one can try to dump the passwords from the registry with PWDUMP.EXE. The passwords will be encrypted; in that case save the page as a text file and try to decode the passwords with the BRUTEFORCE program.
• Under the administrator account, the aliases for ftp and http can be changed.

Some other ways to get information

• Use whois or NSLookUp to find out alternative names and who owns the network; note the range of IP addresses for later scanning.
• Go to the nearest router and find out what you can. To find the router, trace the route to any IP address from the discovered range; the nearest router is determined by its response time.
• Try to log in to the router by telnet.
• Start a scanner over the range of IP addresses to detect the services running on the PCs.

Holes and administration errors in Windows NT

• Consider a vulnerability caused by an error in the implementation of the system; it makes possible the attack called GetAdmin. The vulnerable component is the NtAddAtom system service, which does not check the parameters passed to it and sets bit 0 at NtGlobalFlag+2. To do this, the attack opens the file ntoskrnl.exe and finds the entry point of NtAddAtom. Setting this bit disables the debugger privilege check in NtOpenProcess and NtOpenThread, so any user gains the right to open any process in the system. The attack opens the Winlogon process and injects a DLL into it. Since this service runs with SYSTEM privileges, it can add a user to the Administrators group or remove one from it. In theory, other security breaches are possible as well.
• One popular method of penetrating a system is password guessing. To counter it, a user account is usually locked after a certain number of failed login attempts. A notable exception is the Administrator account, and if it is allowed to log in over the network, this opens a loophole for quietly guessing its password. For protection it is recommended to rename the Administrator user, enable account lockout, forbid the administrator from logging in over the network, block SMB over TCP/IP (ports 137, 138, 139) and enable logging of failed logins.

Spam

Spammers will look not for just any ISP: most likely they will choose a corporation, because an Internet provider understands sooner what has happened and can probably get rid of such messages faster. Repeated spamming can disrupt legitimate users by overloading the mail server. The problem is that connecting to an SMTP server is not hard: it is enough to know only 7-8 commands for the SMTP server to start distributing your messages. To protect against this, the addresses of incoming messages can be checked against the database of the server's registered users: if the address of the sender, or one of the addresses he asks for, is not in the list, the message is not relayed.

How to protect the mail system from spammers

• If you do not read the logs, spammers will act with impunity.
• Configure all but one of your company's mail servers so that they do not accept message relay requests. The remaining server must carefully filter by IP address.
• Keep all mail servers that can receive relay requests behind your firewall.
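The relay policy described in the Spam section and in the list above, as an added example that is not code from the original page: at RCPT TO, accept mail for our own domains from anyone, accept mail for other domains only from our own network or from authenticated clients, refuse everything else with 550, and write a log line for each decision so that refused relay attempts can actually be read. The domains, network ranges and the simulated session are constructed for the example; the "registered users" check from the text is approximated here by a local-domain check.

```python
import ipaddress

LOCAL_DOMAINS = {"example.com"}                                   # domains we deliver for
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]               # our own clients (constructed)


def relay_decision(client_ip: str, authenticated: bool, rcpt_to: str) -> tuple:
    """Reply code and text for RCPT TO, the point at which a relay request is
    accepted or refused. Mail for our own domains is always accepted; mail for
    other domains only from our network or from authenticated senders."""
    if rcpt_to.count("@") != 1 or not rcpt_to.split("@")[1]:
        return 501, "Syntax error in recipient address"
    domain = rcpt_to.rsplit("@", 1)[1].lower()
    if domain in LOCAL_DOMAINS:
        return 250, "OK (local delivery)"
    client = ipaddress.ip_address(client_ip)
    if authenticated or any(client in net for net in LOCAL_NETS):
        return 250, "OK (relay for our own client)"
    return 550, "Relaying denied"


def log_line(client_ip, mail_from, rcpt_to, code) -> str:
    """One log entry per decision, so refused relay attempts can be reviewed."""
    return f"client={client_ip} from={mail_from} to={rcpt_to} result={code}"


def simulate_session(client_ip, authenticated, mail_from, recipients) -> list:
    """Walk the RCPT TO commands of one constructed session; returns the reply codes."""
    codes = []
    for rcpt in recipients:
        code, _ = relay_decision(client_ip, authenticated, rcpt)
        print(log_line(client_ip, mail_from, rcpt, code))
        codes.append(code)
    return codes


if __name__ == "__main__":
    # An outside host tries to use us as a relay: one local recipient, one foreign one.
    simulate_session("203.0.113.9", False, "anyone@spam.test", ["a@example.com", "b@victim.test"])
    # Our own user sends outbound mail.
    simulate_session("192.0.2.5", False, "u@example.com", ["b@victim.test"])
```

The decision is deliberately made per recipient rather than per message: a single session can mix a legitimate local recipient with a relay attempt, and only the latter should be refused.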

How spammers work

• Target selection: the spammer picks a company's domain name at random and then guesses the host name of its SMTP mail server. If the server accepts mail, the spammer asks it to distribute a message to a list of addresses.
• The server carries out the request, giving the impression that the messages are coming from the victim's IP address.

Holes in IIS, WWW, FTP

• A sender can forge his address as follows: he connects to the SMTP port of the machine on whose behalf he wants to send the letter and enters the text of the letter.
• The FTP service allows passive connections to be set up to a port address specified by the client. An attacker can use this to issue dangerous commands to the FTP service. The registry contains the key HKLM\System\CurrentControlSet\Services\MSFTPSVC\Parameters with the value EnablePortAttack (REG_DWORD); make sure it is set to 0 and not 1.
• If you connect to port 80 by telnet, the command "GET ../.." crashes IIS with the message "The application, exe\inetinfo.dbg, generated an application error message at the time of the address generated by c0000005 at address 53984655".
• The address http://www.domain.com/scripts..\..\scriptname allows the specified script to be executed. By default, Guest or IUSR_WWW has permission to read all files in all directories, so these files can be viewed, downloaded and launched.
• The \scripts and \cgi-bin directories should be closed, because any file in them can be run straight from the browser window.
• When IIS receives a very long URL (4-8 KB), the server hangs and stops answering further requests. The problem is that the exact size of the URL depends on the particular server, so "killer" programs start from some basic request size and gradually increase it, looking for the critical point that will suspend the server.
• Users of Outlook Express 98 must reckon with the fact that this mailer allows Visual Basic scripts, which can easily be hidden in a letter, to be processed and even executed. Such a script has full access to the file system. The only real protection is to set the "security level" in Outlook to "maximum".
• If HTML tags are allowed in a chat, nothing stops someone from inserting something like <img src="http://www.mysite.com/cgi-bin/sniffer.cgi"> into a message. As a result, everyone present in the chat (even unregistered users) will call the script without knowing it.
• Restrict access to port 25 to certain users only.
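The chat problem above has a straightforward fix on the server side, shown here as an added example that is not from the original page: rebuild each message through an HTML parser, keep only a small allow-list of formatting tags with their attributes stripped, and escape everything else as text, so an <img> tag can never make readers fetch a URL. The allow-list and the sample messages are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Formatting tags that cannot fetch remote resources or run code. Constructed allow-list.
ALLOWED_TAGS = {"b", "i", "u", "br"}


class ChatSanitizer(HTMLParser):
    """Re-emit a message keeping only allow-listed tags (without attributes);
    every other tag is dropped and all text is HTML-escaped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")          # attributes are never copied through

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))       # text can never form a new tag


def sanitize_chat_message(text: str) -> str:
    """Return the message with only safe formatting left; tags such as <img> disappear."""
    parser = ChatSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    samples = [  # constructed messages
        'hi <b>all</b> <img src="http://www.mysite.com/cgi-bin/sniffer.cgi">',
        "1 < 2 & 3",
        '<a href="http://www.mysite.com/">link</a>',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize_chat_message(s)))
```

Rebuilding the message from parsed tokens, rather than trying to match and delete "bad" tags with a regular expression, is what makes the approach hold up against malformed or obfuscated markup.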