Network attacks and something else

Introduction to network attacks

Brief descriptions of network attacks

Fragmentation of data

Transmission of fragmented IP packets

Ping flooding attack

PingOfDeath or SSPing

UDP bomb

SYN flooding

Non-standard protocols encapsulated in IP

Using the TFTP protocol

Smurf attack

Land attack

Introducing a false server into the Internet by creating a directed "storm" of false DNS responses to the attacked host

Introducing a false server into the Internet by intercepting a DNS query or creating a directed "storm" of false DNS responses to the attacked DNS server

Introducing a false DNS server into the Internet by intercepting a DNS query

DNS flooding attack

DNS spoofing attack

IP spoofing attack

Packet Imposition

Sniffing: listening on the channel (possible only within a LAN segment)

Intercepting packets on the router

Imposing a false route on a host using ICMP

WinNuke

False ARP server

Predicting the TCP sequence number (IP spoofing)

Local storm

IP Hijacking

Detection of attacks and protection from them

Scanning methods

Using the ARP protocol

Scanning the network through DNS

UDP bomb

Scanning TCP Ports

Scanning UDP Ports

Stealth-scan

Passive scanning

The system banner and the danger of the information it contains

A few tips for network research

Some other ways of obtaining information

Holes and administrative errors in Windows NT

Spam

How to protect the mail system from spammers

How spammers work

Holes in IIS, WWW, FTP

Introduction to network attacks

The increased interest in TCP/IP networks is due to the rapid growth of the Internet. It also forces one to think about how to protect information resources from attacks originating in the external network: if you are connected to the Internet, your system can be attacked. The protocols of the IP family are the basis for building both intranets and the global Internet. Although the development of TCP/IP was funded by the US Department of Defense, TCP/IP is not absolutely secure and permits the various types of attacks discussed in this chapter. To carry out such attacks, a potential attacker must control at least one of the systems connected to the Internet. One approach to analysing threats to the security of computer systems is to separate out the threats inherent only in computer networks into a class of their own, the class of remote attacks. This classification seems justified because of fundamental features in the construction of network operating systems. The main feature of any network operating system is that its components are distributed in space, and the connection between them is carried out physically by means of network links (coaxial cable, twisted pair, fibre, etc.) and programmatically by means of a message mechanism. All control messages and data that one component of the network OS sends to another are transmitted over these links as exchange packets. This feature is the main reason for the emergence of a new class of threats, remote attacks. In such an attack the attacker interacts with the recipient of the information, the sender and/or the intermediate systems, possibly modifying and/or filtering the contents of TCP/IP packets. These attacks often seem technically difficult to implement, but for a good programmer writing the appropriate toolkit is not hard.
The ability to create arbitrary IP packets is the key to carrying out active attacks. Remote attacks can be classified by the type of action as active or passive. Active attacks fall into two groups. In the first, the attacker takes steps to intercept and modify the network stream or attempts to "pretend" to be another system. In the second, the TCP/IP protocol is used to bring the victim system into a non-operational state. In passive attacks, attackers do not reveal themselves in any way and do not interact directly with other systems; everything comes down to observing the available data or communication sessions. Passive attacks can nevertheless violate network security policy. The idea behind attack detection is simple: every attack corresponds to certain network traffic, so analysing traffic makes it possible to identify the attack and find the "traces" of the attacker, i.e. the IP addresses from which the action was carried out. Attack detection is thus carried out by monitoring information flows, which in turn means analysing network traffic.

Brief descriptions of network attacks

It should be remembered that crude methods, such as pinging with large packets or SYN flooding, can flood any Internet host or subnet regardless of its configuration.

Fragmentation of data

When an IP packet is transmitted over a network, it may be divided into several fragments; upon reaching the destination, the packet is reassembled from these fragments. An attacker can initiate the sending of a large number of fragments, which leads to the overflow of program buffers on the receiving side and, in some cases, to abnormal termination of the system.

Transmission of fragmented IP packets with a total volume of more than 64KB

There are quite a few attack implementations that exploit IP packet fragmentation. Several fragmented IP packets are sent to the victim computer which, when reassembled, form one packet larger than 64K (the maximum size of an IP packet is 64K minus the header length). This attack was effective against computers running Windows: on receiving such a packet, a Windows NT system without the special icmp-fix patch "hangs" or crashes. Other variants of such attacks use incorrect offsets in the IP fragments, which leads to incorrect memory allocation, buffer overflows and, eventually, system failures.

Countermeasure: to detect such attacks it is necessary to reassemble packets on the fly and analyse the result, which significantly increases the hardware requirements.

Ping flooding attack

It appeared because the "ping" program, designed to assess the quality of a line, has a switch for "aggressive" testing. In this mode requests are sent as fast as possible, and the program lets you evaluate how the network behaves under maximum load. This attack requires the attacker to have access to fast Internet channels. Recall how ping works. The program sends an ICMP packet of type ECHO REQUEST, placing the current time and its identifier in it. The kernel of the destination machine answers such a request with an ICMP ECHO REPLY packet; on receiving it, ping reports the packet's transit time. In the standard mode of operation, packets are sent at intervals, practically without loading the network. In the "aggressive" mode, however, the stream of ICMP echo request/reply packets can overload a small line, depriving it of the ability to carry useful information. Naturally, ping is a special case of the more general situation of channel overloading. For example, an attacker can send many UDP packets to port 19 of the victim machine; if it follows the generally accepted rules, it has a character generator on UDP port 19 that responds to packets with 80-byte lines. Note that an attacker can also forge the return address of such packets, making him hard to detect; tracing him requires the coordinated work of specialists on the intermediate routers, which is almost impossible. A variant of the attack is to send ICMP echo request packets with a source address pointing at the victim to the broadcast addresses of large networks. Each of the machines there responds to the forged request, and the spoofed sender receives a multitude of responses. By sending many echo requests on behalf of the "victim" to the broadcast addresses of large networks, one can cause a sharp flood of the "victim's" channel.
The signs of flooding are a sharply increased load on the network (or channel) and a rise in the number of packets of a specific type (such as ICMP). As protection, one can recommend configuring the routers so that they filter ICMP traffic exceeding a predefined rate (packets per unit of time). To make sure your own machines cannot serve as a source of ping floods, restrict access to ping.

PingOfDeath or SSPing

Its essence is as follows: a heavily fragmented ICMP packet of large size (64KB) is sent to the victim machine. Windows systems react to receiving such a packet by hanging completely, mouse and keyboard included. The attack program is widely available on the network as C source code and as executables for some versions of Unix. Curiously, unlike WinNuke, the victim of such an attack need not be a Windows machine: MacOS and some Unix versions are also affected. The advantages of this attack method are that firewalls usually pass ICMP packets, and if a firewall is configured to filter sender addresses, simple spoofing techniques can deceive it. The drawback of PingOfDeath is that a single attack requires sending more than 64KB over the network, which makes it generally inapplicable for large-scale diversions.

UDP bomb

The transmitted UDP packet contains an invalid format in the service fields. In some older versions of network software, receiving such a packet leads to abnormal termination of the system.

SYN flooding

Flooding with SYN packets is the best-known way to "hammer" an information channel. Recall how TCP/IP handles incoming connections. The system responds to an incoming C-SYN packet with an S-SYN/C-ACK packet, moves the session to the SYN_RECEIVED state and places it in the queue. If the S-ACK does not arrive within the specified time, the connection is removed from the queue; otherwise the connection moves to the ESTABLISHED state. Consider the case where the queue of incoming connections is already full and the system receives a SYN packet requesting a new connection: according to the RFC, it will be silently ignored. SYN flooding is based on overflowing the server's queue, after which the server stops responding to user requests. The best-known attack of this kind was the attack on Panix, a New York provider; Panix was out of service for 2 weeks. Different systems implement the queue differently. In BSD systems each port has its own queue of 16 entries; in SunOS, by contrast, there is no such division and the system simply has one large common queue. Accordingly, to block, for example, the WWW port on BSD, 16 SYN packets are enough, whereas for Solaris 2.5 their number will be much larger. After a certain time (implementation-dependent), the system removes requests from the queue. However, nothing prevents an attacker from sending a new batch of requests. Thus, even over a 2400 bps connection, an attacker can send 20-30 packets every 20 minutes to a FreeBSD server and keep it inoperable (this error has, of course, been corrected in the latest versions of FreeBSD). As usual, the attacker can use random return IP addresses when forming the packets, which makes it difficult to detect and filter his traffic. Detection is easy: a large number of connections in the SYN_RECEIVED state, and attempts to connect to the port being ignored.
As protection, one can recommend patches that implement automatic "pruning" of the queue, for example based on the Early Random Drop algorithm. To find out whether your system is protected against SYN flooding, contact the system vendor. Another option is to configure the firewall so that all incoming TCP/IP connections are established by the firewall itself and only then handed on to the specified machine inside the network. This limits SYN flooding and keeps it from entering the network. This attack belongs to the denial-of-service attacks, whose result is the inability to provide a service. The attack is usually directed at a particular service, such as telnet or ftp, and consists in sending connection-establishment packets to the port of the attacked service. When the request is received, the system allocates resources for the new connection and then tries to respond to the request (send "SYN-ACK") to an unreachable address. By default, NT versions 3.5-4.0 retry the acknowledgement 5 times, after 3, 6, 12, 24 and 48 seconds. After that the system waits another 96 seconds for a response, and only then releases the resources allocated for the future connection. The total time the resources are held is 189 seconds.
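Added example (not from the original): a small Python model of the per-port SYN queue with the 16-entry size and the 189 s NT hold time quoted above. It shows how a spoofed burst every 190 seconds starves a legitimate client that retries every 30 seconds, and how Early Random Drop pruning gives that client a slot again. Addresses, intervals and the client's behaviour are constructed.

```python
import random
from dataclasses import dataclass, field

# Retry schedule from the text for NT 3.5-4.0: SYN-ACK resent after 3, 6, 12, 24, 48 s,
# then a final 96 s wait before the half-open connection's resources are released.
RETRY_DELAYS = (3, 6, 12, 24, 48)
HOLD_SECONDS = sum(RETRY_DELAYS) + 96      # 189 s per half-open entry


@dataclass
class HalfOpen:
    src: str
    expires: float


@dataclass
class SynQueue:
    """Per-port queue of connections in SYN_RECEIVED (the text's 16-entry BSD queue)."""
    size: int = 16
    hold: float = HOLD_SECONDS
    random_drop: bool = False    # Early Random Drop pruning when the queue is full
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    entries: list = field(default_factory=list)
    accepted_legit: int = 0
    ignored_legit: int = 0

    def expire(self, now):
        self.entries = [e for e in self.entries if e.expires > now]

    def on_syn(self, now, src, legit):
        """Handle an incoming SYN; returns True if it got a queue slot (SYN-ACK sent)."""
        self.expire(now)
        if len(self.entries) >= self.size:
            if not self.random_drop:
                # Queue full: per the RFC the SYN is silently ignored.
                if legit:
                    self.ignored_legit += 1
                return False
            # Early Random Drop: evict one random half-open entry to make room.
            self.entries.pop(self.rng.randrange(len(self.entries)))
        self.entries.append(HalfOpen(src, now + self.hold))
        if legit:
            self.accepted_legit += 1
        return True

    def on_ack(self, now, src):
        """Third handshake step: the connection becomes ESTABLISHED and leaves the queue."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.src != src]
        return len(self.entries) < before


def simulate(random_drop, duration=3600, legit_interval=30, burst=16, flood_period=190):
    """Attacker sends `burst` SYNs from spoofed sources every `flood_period` s (just over
    the 189 s hold, so each burst lands on a freshly emptied queue); one legitimate client
    tries every `legit_interval` s and completes its handshake 1 s later.
    Returns (legitimate SYNs accepted, legitimate SYNs ignored)."""
    q = SynQueue(random_drop=random_drop)
    events = []
    for t in range(0, duration, flood_period):
        events += [(t, "flood", f"192.0.2.{i}") for i in range(burst)]
    for t in range(5, duration, legit_interval):
        events += [(t, "syn", "10.0.0.5"), (t + 1, "ack", "10.0.0.5")]
    for t, kind, src in sorted(events):
        if kind == "ack":
            q.on_ack(t, src)
        else:
            q.on_syn(t, src, legit=(kind == "syn"))
    return q.accepted_legit, q.ignored_legit


if __name__ == "__main__":
    print("hold per half-open entry:", HOLD_SECONDS, "s")
    print("plain queue       (accepted, ignored):", simulate(random_drop=False))
    print("early random drop (accepted, ignored):", simulate(random_drop=True))
```

Random drop only gives legitimate clients a chance; an attacker who sends faster than the client retries still wins most slots, which is why the text also recommends terminating connections on the firewall.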

Non-standard protocols encapsulated in IP

The IP packet contains a field that specifies the protocol of the encapsulated packet (TCP, UDP, ICMP). Attackers can use a non-standard value of this field to transmit data that will not be caught by standard information-flow controls.

Using the TFTP protocol

This protocol contains no authentication mechanisms, which is why it is attractive to intruders.

Smurf attack

The smurf attack consists in sending broadcast ICMP requests to the network on behalf of the victim computer. As a result, the computers that receive such broadcast packets reply to the victim computer, which sharply reduces the bandwidth of its communication channel and, in some cases, completely isolates the attacked network. The smurf attack is exceptionally effective and widespread. Countermeasure: to recognise this attack, analyse the channel load and determine the cause of the drop in bandwidth.
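As an added example (not part of the original text), the flood indicators from the ping flooding and smurf sections checked in Python over a constructed packet trace: a per-source ICMP rate threshold, reflected echo replies arriving at a host that never sent the requests, and echo requests aimed at broadcast addresses. All addresses and thresholds are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

ECHO_REQUEST, ECHO_REPLY = 8, 0


@dataclass(frozen=True)
class IcmpPkt:
    """One ICMP packet summary as a sensor on the channel would record it."""
    ts: float        # arrival time, seconds
    src: str
    dst: str
    icmp_type: int   # 8 = ECHO REQUEST, 0 = ECHO REPLY


def rate_alerts(pkts, window=1.0, threshold=100):
    """Sources whose ICMP packet count inside a sliding window exceeds the threshold.

    This is the 'packets per unit of time' rule the text recommends configuring on
    routers; a normal ping sends one request per second, an 'aggressive' one far more.
    """
    recent = defaultdict(deque)
    alerted = set()
    for p in sorted(pkts, key=lambda x: x.ts):
        q = recent[p.src]
        q.append(p.ts)
        while q and p.ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alerted.add(p.src)
    return alerted


def smurf_victims(pkts, min_sources=50):
    """Hosts receiving echo replies from many distinct hosts they never sent a request to.

    In a smurf attack the replies are reflected off a broadcast network, so the victim
    sees answers from addresses it never pinged (the forged request went to a broadcast
    address, not to the individual responders).
    """
    requests_sent = defaultdict(set)   # src -> destinations it actually pinged
    reply_sources = defaultdict(set)   # dst -> senders of unsolicited replies
    for p in sorted(pkts, key=lambda x: x.ts):
        if p.icmp_type == ECHO_REQUEST:
            requests_sent[p.src].add(p.dst)
        elif p.icmp_type == ECHO_REPLY and p.src not in requests_sent[p.dst]:
            reply_sources[p.dst].add(p.src)
    return {host for host, srcs in reply_sources.items() if len(srcs) >= min_sources}


def broadcast_echo_requests(pkts, broadcast_addrs):
    """Echo requests aimed at directed-broadcast addresses: the amplifier-side signature.

    A border router that drops these stops its network from being used to flood a
    third party's channel.
    """
    return [p for p in pkts if p.icmp_type == ECHO_REQUEST and p.dst in broadcast_addrs]


def build_trace():
    """Constructed sample trace (not captured data): one normal ping, one flood, one smurf."""
    t = [IcmpPkt(0.00, "10.0.0.5", "10.0.0.1", ECHO_REQUEST),
         IcmpPkt(0.01, "10.0.0.1", "10.0.0.5", ECHO_REPLY)]
    # 'Aggressive' ping: 300 requests from one source within 0.3 s.
    t += [IcmpPkt(1.0 + i * 0.001, "203.0.113.7", "10.0.0.9", ECHO_REQUEST) for i in range(300)]
    # Smurf: a request forged in the victim's name to a broadcast address, then 80 reflected replies.
    t.append(IcmpPkt(2.0, "10.0.0.9", "198.51.100.255", ECHO_REQUEST))
    t += [IcmpPkt(2.1 + i * 0.002, f"198.51.100.{i + 1}", "10.0.0.9", ECHO_REPLY) for i in range(80)]
    return t


if __name__ == "__main__":
    trace = build_trace()
    print("flood sources:", rate_alerts(trace))
    print("smurf victims:", smurf_victims(trace))
    print("broadcast echo requests:", len(broadcast_echo_requests(trace, {"198.51.100.255"})))
```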

Land attack

The Land attack exploits vulnerabilities in the TCP/IP stack implementations of some operating systems. It consists in sending to an open port of the victim computer a TCP packet with the SYN flag set whose source address and port are equal to the address and port of the attacked computer. This makes the victim try to establish a connection with itself, which greatly increases the CPU load and may cause a "hang" or a reboot. This attack is very effective against some models of Cisco Systems routers, and its successful application to a router can disable an organisation's entire network. Countermeasure: you can protect yourself from this attack by installing a packet filter between the internal network and the Internet with a rule that drops packets arriving from the Internet with source IP addresses belonging to computers on the internal network.

Introducing a false server into the Internet by creating a directed "storm" of false DNS responses to the attacked host

Another variant of a remote attack directed at the DNS service is based on the second type of typical remote attack, the "false object" of a distributed computing system. In this case the attacker continuously sends a pre-prepared false DNS response to the attacked host on behalf of the real DNS server, without receiving any DNS query. In other words, the attacker creates a directed "storm" of false DNS responses on the Internet. This is possible because DNS requests are usually sent over UDP, which has no means of packet identification. The only criteria the host's network OS applies to a response received from a DNS server are: first, the IP address of the response's sender must match the IP address of the DNS server; second, the DNS response must carry the same name as the DNS query; third, the DNS response must be sent to the same UDP port from which the DNS request was sent (this is the first problem for the attacker); and fourth, the request identifier field in the DNS header (ID) of the response must contain the same value as in the transmitted DNS query (this is the second problem). Since the attacker cannot intercept the DNS query, his main problem is the UDP port number from which the request was sent. But the sender's port number takes a limited set of values (1023?), so the attacker simply acts by brute force, sending false responses to the corresponding list of ports. At first glance the second problem might be the two-byte DNS query ID, but in this case it is either equal to one or has a value close to zero (the query ID is incremented by 1 with each query). Therefore, to perform this remote attack, the attacker needs to select the host (A) of interest, the route to which is to be changed so that it passes through the false server, the attacker's host.
This is achieved by the attacker constantly transmitting (a directed "storm") false DNS responses to the attacked host, on behalf of the real DNS server, to the corresponding UDP ports. In these false DNS responses, the IP address of host A is given as the IP address of the attacker. The attack then develops as follows. As soon as the target of the attack (the attacked host) addresses host A by name, a DNS request is sent out from that host. The attacker never receives it, but this is not required, because the host immediately receives one of the constantly transmitted false DNS responses, which the OS of the attacked host perceives as a real response from the DNS server. The attack has succeeded: from now on the attacked host sends all packets destined for A to the IP address of the attacker's host, which in turn forwards them to A, acting on the intercepted information according to the "false object" scheme. Consider the functional scheme of this remote attack on the DNS service:
• constant transmission of false DNS responses to the attacked host on various UDP ports and, possibly, with different IDs, on behalf of (from the IP address of) the real DNS server, containing the name of the host of interest and a false IP address for it, namely the IP address of the false server, the attacker's host;
• on receiving a packet from the host, change the source IP address in the IP header to the IP address of the attacker and forward the packet to the server (that is, the false server works with the server on the host's behalf, from its own IP address);
• on receiving a packet from the server, change the source IP address in the IP header to the IP address of the false server and forward the packet to the host (for the host, the false server is the real server).
Thus this remote attack, using security gaps in the DNS service, makes it possible to disrupt routing between two given objects from anywhere on the Internet. That is, the attack is carried out intersegmentally with respect to its target and threatens the security of any Internet host that uses the ordinary DNS service.

Introducing a false server into the Internet by intercepting a DNS query or creating a directed "storm" of false DNS responses to the attacked DNS server

From the remote DNS lookup scheme it follows that if the DNS server named in the query does not find the name in its database, it forwards the request to one of the root DNS servers, whose addresses are contained in the server's root.cache settings file. That is, if the DNS server has no information about the requested host, it forwards the request further, which means that now the DNS server itself initiates a remote DNS lookup. Nothing therefore prevents the attacker, acting in the manner described in the previous paragraph, from directing his attack at the DNS server. The target of the attack is then not the host but the DNS server, and the attacker sends false DNS responses to the attacked DNS server on behalf of a root DNS server. It is important to take into account the following peculiarity of DNS server operation. To speed up its work, each DNS server caches in memory its own table of host names and IP addresses, including dynamically changing information about names and IP addresses found during its operation. That is, if the DNS server, on receiving a request, does not find the corresponding entry in its cache table, it forwards the request to the next server and, on receiving a response, enters the information found into the cache table. When the next such request arrives, the DNS server no longer needs to perform a remote lookup, because the necessary information is already in its cache.
From this description of the remote DNS lookup scheme it becomes obvious that if the attacker sends a false DNS response (or, in the case of a "storm" of false responses, keeps transmitting them constantly) in reply to a request from the DNS server, a corresponding entry with false information will appear in the server's cache table. From then on all hosts using this DNS server will be misinformed, and when they access the host whose route the attacker has decided to change, communication with it will pass through the attacker's host according to the "false object" scheme. Over time this false information, lodged in the DNS server's cache, will spread to neighbouring higher-level DNS servers, and consequently more and more Internet hosts will be misinformed and attacked. Obviously, if the attacker cannot intercept the DNS query from the DNS server, then to carry out the attack he needs a "storm" of false DNS responses directed at the DNS server. Here the main problem differs from the problem of selecting ports in the attack directed at a host. As mentioned earlier, a DNS server sends a request to another DNS server and identifies this request with a two-byte value (ID), which is incremented by one with each transmitted query. The attacker cannot know the current value of the DNS query ID, so it is hard to suggest anything other than enumerating the 2^16 possible ID values. The problem of port enumeration, however, disappears, since the DNS server sends all DNS queries to port 53. The next problem, a prerequisite for this remote attack on the DNS server with a directed "storm" of false DNS responses, is that the attack succeeds only if the DNS server sends a request to look up the specific name contained in the false DNS response.
The DNS server sends this much-needed request if it receives a DNS request from any host to look up the given name and the name is not present in its cache table. In principle such a request may come at any time, and the attacker may have to wait for the results of the attack for as long as it takes. However, nothing prevents the attacker, without waiting for anyone, from sending such a DNS query to the attacked DNS server himself and thus provoking it to look up the name given in the request. The attack is then likely to succeed almost immediately after it begins.
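Added example (not from the original) covering the host-directed and server-directed "storms" described above: the four acceptance checks a resolver applies to a UDP response, the size of the (port, ID) space a blind forger must cover, and one constructed storm measured against a resolver with the predictable port and ID values the text observed versus one that randomises both. Names, addresses and the seed are constructed.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsQuery:
    src_ip: str      # querying host
    src_port: int    # UDP source port the query left from
    server_ip: str   # DNS server the query was sent to (UDP port 53)
    ident: int       # two-byte ID field in the DNS header
    qname: str


@dataclass(frozen=True)
class DnsResponse:
    src_ip: str      # claimed sender
    dst_ip: str
    dst_port: int
    ident: int
    qname: str
    answer_ip: str


def accepted(query, resp):
    """The four checks the text lists; over UDP nothing else ties a response to a query."""
    return (resp.dst_ip == query.src_ip
            and resp.src_ip == query.server_ip      # 1. sender IP is the DNS server's
            and resp.qname == query.qname           # 2. same name as in the query
            and resp.dst_port == query.src_port     # 3. arrives on the query's UDP port
            and resp.ident == query.ident)          # 4. same ID as in the query


def forgery_space(port_choices, id_choices):
    """Number of (port, ID) combinations a blind forger must cover to be sure of one match."""
    return port_choices * id_choices


def storm(server_ip, victim_ip, qname, false_ip, ports, idents):
    """Model of a directed 'storm': one forged response per (port, ID) pair being tried."""
    return [DnsResponse(server_ip, victim_ip, p, i, qname, false_ip)
            for p in ports for i in idents]


def matches(query, responses):
    """How many responses in the storm the resolver's checks would let through."""
    return sum(1 for r in responses if accepted(query, r))


SERVER, VICTIM, NAME, FALSE_IP = "10.0.0.53", "10.0.0.5", "a.example", "203.0.113.66"
# A modest constructed storm covering 100 source ports and the single ID value 1.
STORM = storm(SERVER, VICTIM, NAME, FALSE_IP, ports=range(1023, 1123), idents=[1])


def predictable_host():
    """Text's observation: source port starts at 1023 and counts up, application ID is always 1."""
    q = DnsQuery(VICTIM, 1023, SERVER, 1, NAME)
    return matches(q, STORM), len(STORM)


def randomized_host(seed=7):
    """Same storm against a resolver that draws port and ID at random (constructed seed)."""
    rng = random.Random(seed)
    q = DnsQuery(VICTIM, rng.randrange(1024, 65536), SERVER, rng.randrange(65536), NAME)
    return matches(q, STORM), len(STORM)


if __name__ == "__main__":
    print("predictable host: matches/responses", predictable_host())
    print("randomised host:  matches/responses", randomized_host())
    print("host, ports 1023..1122, ID known:   ", forgery_space(100, 1))
    print("server, port 53 fixed, 2^16 IDs:    ", forgery_space(1, 2 ** 16))
    print("random port (1024-65535) and ID:    ", forgery_space(65536 - 1024, 2 ** 16))
```

The last line of output is the point for defenders: randomising both the source port and the ID multiplies the forger's search space by roughly 2^16 compared with the fixed-port server case the text describes.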

Introducing a false DNS server into the Internet by intercepting a DNS query

In this case we have a remote attack based on the standard typical remote attack associated with waiting for a DNS lookup query. Before considering the attack algorithm for DNS, one should pay attention to the following subtleties in the operation of this service. First, by default the DNS service operates over UDP (although TCP can also be used), which naturally makes it less secure, since UDP, unlike TCP, provides no means of message identification. To switch from UDP to TCP, the DNS server administrator will have to study the documentation seriously. In addition, this transition will somewhat slow down the system, because, firstly, TCP requires a virtual connection and, secondly, the end host's network OS first sends the DNS request over UDP, and only if it receives a special response from the DNS server does it send the DNS request over TCP. Second, the value of the "sender port" field in the UDP packet first takes the value 1023 (?) and then increases with each DNS query sent. Third, the ID of the DNS query behaves as follows. When a DNS query is sent from a host, its value depends on the particular network application that generates the query. The author's experiments showed that when a request is sent from the shell of the Linux and Windows '95 operating systems (for example, ftp nic.funet.fi), this value is always equal to one. When the DNS query is sent by Netscape Navigator, the browser increases this value by one with each new request. When the request is sent directly by a DNS server, the server increases the ID by one with each newly transmitted query. All these subtleties matter in the case of an attack without interception of the DNS query.
To carry out the attack by intercepting a DNS request, the attacker needs to intercept the DNS query, extract from it the UDP port number of the request, the two-byte value of the DNS request identifier and the requested name, and then send a false DNS response to the UDP port extracted from the DNS query, specifying as the requested IP address the real IP address of the false DNS server. From then on this makes it possible to completely intercept and actively act on the traffic between the "deceived" host and the server according to the "false object" scheme. Consider the general scheme of the false DNS server:
• waiting for a DNS query;
• on receiving a DNS query, extract the necessary information from it and send a false DNS response to the requesting host on behalf of (from the IP address of) the real DNS server, specifying the IP address of the false DNS server;
• on receiving a packet from the host, change the source IP address in the IP header to the IP address of the false DNS server and send the packet to the server (that is, the false DNS server works with the server on the host's behalf);
• on receiving a packet from the server, change the source IP address in the IP header to the IP address of the false DNS server and send the packet to the host (for the host, the false DNS server is the real server).
A prerequisite for this variant is interception of the DNS request, which is possible only if the attacker is either in the path of the main traffic or in the segment of the real DNS server. Meeting one of these conditions on the attacker's location in the network makes such a remote attack difficult to implement in practice (the attacker is unlikely to get into the segment of the DNS server, let alone into the intersegmental communication channel). If these conditions are met, however, an intersegmental remote attack on the Internet is possible.
Note that the practical implementation of this remote attack revealed some interesting features in the operation of the FTP protocol and in the mechanism for identifying TCP packets. When an FTP client on a host connected to a remote FTP server through the false DNS server, it turned out that each time the user issued an FTP command (for example, ls, get, put, etc.), the FTP client executed the PORT command, which consists in transmitting the port number and the IP address of the client host to the FTP server in the data field of a TCP packet (it is hard to find any special meaning in this: why send the client's IP address to the FTP server every time!). As a result, if the false DNS server does not change the IP address transmitted in the data field of the TCP packet and sends this packet to the FTP server by the usual scheme, the next packet is sent by the FTP server directly to the FTP client's host, bypassing the false DNS server and, most interestingly, this packet is accepted as a normal packet, and from then on the false DNS server loses control over the traffic between the FTP server and the FTP client! This is because an ordinary FTP server provides no additional authentication of the FTP client but shifts all problems of packet identification and connection to the lower level, the TCP layer.

DNS flooding attack

DNS flooding is an attack directed at Internet name servers. It consists in sending a large number of DNS queries and results in users being unable to reach the name service and, consequently, unable to work normally. Countermeasure: to detect this attack, analyse the load on the DNS server and identify the sources of the requests.

DNS spoofing attack

The result of this attack is the imposition of a forced correspondence between an IP address and a domain name in the cache of the DNS server. As a result of a successful attack, all users of the DNS server receive incorrect information about domain names and IP addresses. This attack is characterised by a large number of DNS packets with the same domain name, which is due to the need to guess some DNS exchange parameters. Countermeasure: to detect such an attack, analyse the content of DNS traffic.

IP spoofing attack (syslog)

A large number of attacks on the Internet involve spoofing the source IP address. Such attacks include syslog spoofing, which consists in sending a message to the victim computer on behalf of another computer on the internal network. Because the syslog protocol is used to maintain system logs, sending false messages to the victim computer allows one to impose information or cover up traces of unauthorised access. Countermeasure: attacks involving spoofed IP addresses can be detected by watching for the arrival on one of the interfaces of a packet whose source address is that of the same interface, or for the arrival on the external interface of packets with IP addresses of the internal network.

Packet Imposition

An attacker sends packets with a false return address into the network. With this attack an attacker can switch to his computer connections established between other computers. In this case the attacker's access rights become equal to the rights of the user whose connection to the server was switched to the intruder's computer.

Sniffing: listening on the channel (possible only within a LAN segment)

Virtually all network cards support intercepting packets transmitted over a shared LAN channel. In this case a workstation can receive packets addressed to other computers in the same network segment, so all information exchanged in the segment becomes available to the attacker. To carry out this attack successfully, the attacker's computer must be in the same local network segment as the attacked computer.

Intercepting packets on the router

The router's network software has access to all network packets transmitted through the router, which makes interception of packets possible. To carry out this attack the attacker must have privileged access to at least one network router. Since a great many packets usually pass through a router, their total interception is practically impossible. Individual packets, however, may well be intercepted and saved for later analysis by the attacker. Most effective is the interception of FTP packets containing user passwords, and of e-mail.

Imposing a rogue route host using ICMP

The Internet Control Message Protocol (ICMP) has, among other functions, a way for a router to tell a host that a better first hop exists for a destination; this control message is called a redirect. Any host in the segment can send the attacked host a forged redirect that appears to come from its router. The host updates its routing table, and from then on its traffic to the affected destination passes, for example, through the host that sent the false redirect. This is an active imposition of a false route within one segment of the Internet. Hosts should be configured to ignore redirects (on Linux, net.ipv4.conf.all.accept_redirects=0), and routers that do not need them should not send them.
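The following is an added example, not code from the original text: it builds an ICMP redirect the way the attacker above would, and shows the checks a host is supposed to make before honouring one. The LAN, the default gateway and the stand-in for the triggering datagram are assumed values chosen for the example.

```python
import ipaddress
import struct

# Constructed scenario (assumed values, not from the original text): the attacked
# host sits on 192.0.2.0/24 and currently uses 192.0.2.1 as its default gateway.
LAN = ipaddress.ip_network("192.0.2.0/24")
DEFAULT_GATEWAY = ipaddress.ip_address("192.0.2.1")

# Constructed stand-in for the IP header + 8 bytes of the datagram that supposedly
# triggered the redirect (RFC 792 requires them in the message body).
ORIGINAL_DATAGRAM = b"\x45\x00" + bytes(26)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; yields 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_redirect(new_gateway: str, original: bytes = ORIGINAL_DATAGRAM) -> bytes:
    """ICMP type 5 (Redirect), code 1 (redirect for host): the message the attacker
    sends to the victim, with the IP source forged as the router."""
    body = struct.pack("!BBH", 5, 1, 0) + ipaddress.ip_address(new_gateway).packed + original[:28]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def accept_redirect(src_ip: str, msg: bytes):
    """The checks RFC 1122 asks a host to make before honouring a redirect.
    Returns (accepted, reason)."""
    if len(msg) < 8:
        return False, "truncated"
    typ, code, _csum, gw_raw = struct.unpack("!BBH4s", msg[:8])
    if typ != 5:
        return False, "not a redirect"
    if inet_checksum(msg) != 0:
        return False, "bad checksum"
    src, new_gw = ipaddress.ip_address(src_ip), ipaddress.ip_address(gw_raw)
    # Only the gateway currently in use may redirect us. Note that the attacker in
    # the text forges exactly this source address, so the check alone is not enough;
    # it is why hosts should be told to ignore redirects altogether.
    if src != DEFAULT_GATEWAY:
        return False, f"sent by {src}, not by current gateway {DEFAULT_GATEWAY}"
    # ...and only to another router on the same link.
    if new_gw not in LAN:
        return False, f"new gateway {new_gw} is not on-link"
    return True, f"route via {new_gw}"
```

A redirect that arrives with the real gateway's address as its source and names an on-link gateway is accepted; one that names an off-link gateway, comes from another host, or has a damaged checksum is refused. Since a forged source passes the first check, the practical defence is the sysctl above rather than this validation.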

WinNuke

Besides ordinary data, the TCP standard provides for out-of-band (urgent) data; at the segment level this appears as the URG flag with a non-zero urgent pointer. Most Windows PCs run NetBIOS over TCP/IP, which uses three ports: 137, 138 and 139. As it turned out, if one connects to port 139 of a Windows machine and sends a few bytes of out-of-band data, the NetBIOS implementation does not know what to do with them and simply hangs or reboots the machine. On Windows 95 this usually appears as a blue text screen reporting an error in the TCP/IP driver and the inability to use the network until the OS is rebooted. Windows NT 4.0 without service packs reboots; NT 4.0 with Service Pack 2 drops into a blue screen. Sending similar data to port 135 and some other ports makes RPCSS.EXE consume most of the processor: NT Workstation slows down significantly, and NT Server practically freezes.

False ARP server

On the Internet each host has a unique IP address, to which all messages from the global network are delivered. However, IP is not so much a network protocol as an inter-network protocol, intended for communication between objects across the global network. At the link layer, frames are addressed to the hardware addresses of the network cards. The Address Resolution Protocol (ARP) maps IP addresses to Ethernet addresses. Initially a host may know nothing about the Ethernet addresses of the other hosts in its segment, including that of the router, so when it first needs a network resource it sends a broadcast ARP request, which every station in the segment receives. On receiving it, the router sends an ARP reply to the requesting host with its Ethernet address. Nothing in this scheme authenticates the reply, so an attacker can send a false ARP reply claiming to be the desired host (for example, the router) and from then on actively monitor, and relay, all network traffic of the deceived host.
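The following is an added example, not part of the original text: a small passive monitor in the style of arpwatch that parses ARP frames, remembers which MAC each IP answered from, and raises an alert when a reply rebinds an address or answers a question nobody asked. The frames are constructed inline, and the router, victim and attacker addresses are assumptions for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed segment (assumed addresses, not from the original text).
ROUTER_IP, ROUTER_MAC = "192.0.2.1", "00:00:5e:00:01:01"
VICTIM_IP, VICTIM_MAC = "192.0.2.10", "02:00:00:00:00:10"
ATTACKER_MAC = "02:00:00:00:00:66"


@dataclass
class Arp:
    oper: int
    sha: str  # sender hardware address
    spa: str  # sender protocol (IP) address
    tha: str  # target hardware address
    tpa: str  # target protocol (IP) address


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Ethernet II + ARP (Ethernet/IPv4 only); None for any other frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return Arp(oper, _mac(sha), ".".join(map(str, spa)), _mac(tha), ".".join(map(str, tpa)))


def arp_frame(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a frame; requests are broadcast, replies go to the asker's MAC."""
    eth_dst = b"\xff" * 6 if oper == ARP_REQUEST else _mac_bytes(tha)
    eth = eth_dst + _mac_bytes(sha) + struct.pack("!H", ETH_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + body + _mac_bytes(sha) + _ip_bytes(spa) + _mac_bytes(tha) + _ip_bytes(tpa)


class ArpMonitor:
    """Passive watcher: remembers which MAC each IP answered from and flags
    replies that rebind an IP or that answer no outstanding request."""

    def __init__(self):
        self.bindings = {}   # ip -> mac
        self.asked = set()   # IPs somebody on the segment has asked about
        self.alerts = []

    def feed(self, frame: bytes) -> None:
        arp = parse_arp(frame)
        if arp is None:
            return
        if arp.oper == ARP_REQUEST:
            self.asked.add(arp.tpa)
            self._learn(arp.spa, arp.sha, "request")   # a request also announces its sender
        elif arp.oper == ARP_REPLY:
            if arp.spa in self.asked:
                self.asked.discard(arp.spa)
            else:
                self.alerts.append(f"unsolicited reply: {arp.spa} is-at {arp.sha}")
            self._learn(arp.spa, arp.sha, "reply")

    def _learn(self, ip: str, mac: str, how: str) -> None:
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} changed from {old} to {mac} (seen in {how})")
        self.bindings[ip] = mac


def demo() -> list:
    """The scenario from the text: the victim asks for the router, the router answers,
    then the attacker answers too, claiming the router's IP for his own MAC."""
    mon = ArpMonitor()
    mon.feed(arp_frame(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", ROUTER_IP))
    mon.feed(arp_frame(ARP_REPLY, ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP))
    mon.feed(arp_frame(ARP_REPLY, ATTACKER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP))
    return mon.alerts
```

The third frame produces two alerts: it is a reply to a request that has already been answered, and it moves the router's IP to a new MAC. A real monitor would read frames from a promiscuous interface and would tolerate legitimate rebinding (a replaced NIC) by requiring the change to persist.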

Prediction TCP sequence number (IP-spoofing)

Here the attacker's goal is to impersonate another system, for example one that the victim system "trusts". The method is also used for other purposes, for instance to relay fake e-mail through the victim's SMTP server. A TCP connection is established in three steps: the client chooses an initial sequence number and sends it to the server (call it C-SYN); the server replies with a packet containing an acknowledgement (C-ACK) and its own sequence number (S-SYN); the client then acknowledges that (S-ACK). After this the connection is established and data exchange begins. Every segment carries a sequence number and an acknowledgement number in its TCP header; these advance as data is exchanged and let each side check that transmission is correct. Suppose the attacker can predict the sequence number (S-SYN in this scheme) that the server will send. This can be done from knowledge of the specific TCP/IP implementation. For example, in 4.3BSD the value used for the next initial sequence number was incremented by 125000 every second. So after sending one packet to the server the attacker gets a reply and can, with a few attempts and a correction for connection latency, predict the sequence number for the next connection. If the implementation uses a special algorithm for the sequence number, it can be worked out by sending a few dozen packets to the server and analysing its responses.

So suppose system A trusts system B, so that a user of B can run "rlogin A" and land on A without entering a password. Suppose the attacker sits on system C. A acts as the server, B and C as clients. The attacker's first task is to put system B into a state in which it cannot answer network requests.
This can be done in several ways; in the simplest case one just waits for B to reboot, since the few minutes during which it is unavailable should be enough. The attacker can then try to impersonate B in order to gain access to A (at least briefly). First he sends A several connection-initiating packets from his own address to learn the current value of the server's sequence number. Then he sends a SYN packet with B's address as the source. A replies with a packet carrying its sequence number, addressed to B; B never receives it (it is down), and neither does the attacker. But from the earlier analysis the attacker can guess which sequence number was sent to B, and he acknowledges the "receipt" of A's packet by sending the presumed S-ACK on behalf of B. (If the systems are in the same segment, the attacker can simply sniff the packet A sent and does not need to guess.) If he was lucky and the guess was right, A considers the connection established. The attacker can now send another forged IP packet that already contains data: if the attack is aimed at rsh, it may carry commands that create a .rhosts file or mail /etc/passwd to the attacker. Counteraction: the simplest IP-spoofing signal is a packet with an internal source address arriving from the outside world; the router software can notify the administrator of this. Do not be lulled, however: the attack can come from inside your own network. With more intelligent network monitoring tools the administrator can automatically watch for packets from systems that are currently unreachable, but nothing prevents the intruder from imitating B by answering ICMP probes on its behalf.
What are the defences against IP spoofing? First, make the sequence number, the key element of the attack, hard or impossible to guess: increase the rate at which the server's sequence number changes, or choose the increment randomly, preferably with a cryptographically strong random number generator. Second, if the network has a firewall (or another IP packet filter), add rules that drop every packet arriving from outside whose source address lies in our own address space. Third, minimise the trust machines place in one another: ideally there should be no way to walk directly onto the next machine of the network after obtaining superuser rights on one of them. Of course, this does not help with services that require no authorisation, for example IRC (an attacker can pose as an arbitrary Internet host and send a set of commands to join an IRC channel, post arbitrary messages and so on). Encrypting the TCP/IP stream solves the IP-spoofing problem in general (provided cryptographically strong algorithms are used). To reduce the number of such attacks launched from our side, it is also recommended to configure the firewall to filter packets leaving our network with source addresses that do not belong to our address space.
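The following is an added simulation, not code from the original text, of the prediction step described above. It models an old-style sequence number generator that advances with the clock and with every connection (125 000 per second is the figure the text quotes; the per-connection bump is an assumption of the model) beside a CSPRNG-based generator, and runs the attacker's guess against each.

```python
import secrets

# Constants of the simulated stack. 125 per ms is the 4.3BSD figure quoted in the
# text (125 000 per second); the per-connection bump is an assumption for this model.
RATE_PER_MS = 125
CONN_INCREMENT = 64_000
MASK = 0xFFFFFFFF


class LinearIsn:
    """Old-style ISN: a counter that grows with wall-clock time and with every
    connection opened. Knowing the constants, one sample gives away the rest."""

    def __init__(self, start: int = 0x1000_0000):
        self.start, self.conns = start, 0

    def isn(self, now_ms: int) -> int:
        self.conns += 1
        return (self.start + now_ms * RATE_PER_MS + self.conns * CONN_INCREMENT) & MASK


class RandomIsn:
    """What the text recommends: an unpredictable ISN from a CSPRNG."""

    def isn(self, now_ms: int) -> int:
        return secrets.randbits(32)


def predict(last_isn: int, last_ms: int, attack_ms: int, slack_ms: int = 5) -> set:
    """Candidate ISNs for the next connection. The increments are known; what is
    not known exactly is the server's clock, so the guess is spread over
    +/- slack_ms of it (the text's 'connection speed correction')."""
    base = last_isn + CONN_INCREMENT + (attack_ms - last_ms) * RATE_PER_MS
    return {(base + k * RATE_PER_MS) & MASK for k in range(-slack_ms, slack_ms + 1)}


def spoof_attempt(server, clock_skew_ms: int = 3) -> bool:
    """One run of the attack: open a probe connection from our own address, note its
    ISN, then guess the ISN the server will assign to the spoofed connection 200 ms
    later. The server's clock differs from ours by clock_skew_ms."""
    probe_ms = 1_000
    seen = server.isn(probe_ms)
    attack_ms = probe_ms + 200
    guesses = predict(seen, probe_ms, attack_ms)
    actual = server.isn(attack_ms + clock_skew_ms)   # the S-SYN the attacker never sees
    return actual in guesses
```

Against the linear generator the attacker's eleven candidates contain the real value on the first try; against the random generator the chance of a hit is about 11 in 2^32. Modern stacks follow RFC 6528, where the ISN is a clock value plus a keyed hash of the connection's addresses and ports, which keeps the per-connection unpredictability while still separating old and new incarnations of the same connection.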

Local storm

Let us digress briefly to the TCP/IP implementation and consider "local storms", taking a UDP storm as the example. By default, systems usually have UDP services such as port 7 ("echo": the received packet is sent back), port 19 ("chargen", the character generator: in response to any received packet it sends the sender a string of characters) and others (daytime, etc.). An attacker can send a single UDP packet with source port 7 and destination port 19, with the addresses of two computers on your network (or even 127.0.0.1 as the source). On receiving it, the chargen service answers with a string to port 7; the echo service sends it back to port 19, and so on without end. The endless loop consumes machine resources and puts a pointless load on the channel. Of course, the storm stops as soon as one UDP packet is lost. Counteraction: do not let packets with internal source addresses into the network from outside, close most such services on the firewall, and preferably disable echo, chargen and the other "small services" on the hosts themselves.
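The following is an added example, not part of the original text: the ingress and egress rules recommended in the two "Counteraction" passages above (drop packets entering from outside with an internal or loopback source, drop packets leaving with a foreign source, and keep the small UDP services from talking to each other across the border) written out as a filter over constructed packet records. The address space 192.0.2.0/24 and the sample packets are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: our own address space (assumed) as seen from the border router.
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
# echo, daytime, chargen, time: the UDP "small services" that will answer anything.
SMALL_SERVICES = {7, 13, 19, 37}


@dataclass
class Packet:
    iface: str      # "ext": arrived from the Internet; "int": arrived from our LAN
    src: str
    dst: str
    proto: str      # "tcp" / "udp" / "icmp"
    sport: int = 0
    dport: int = 0


def verdict(p: Packet) -> str:
    src = ipaddress.ip_address(p.src)
    inside = src in INTERNAL
    # Ingress rule: a packet arriving from the outside world that claims an
    # inside (or loopback) source address is spoofed.
    if p.iface == "ext" and (inside or src.is_loopback):
        return "drop: spoofed internal source on external interface"
    # Egress rule: nothing leaves our network with a source address we do not own,
    # so our hosts cannot be used to spoof others.
    if p.iface == "int" and not inside:
        return "drop: egress packet with foreign source"
    # UDP storm: never let two small services be wired to each other across the
    # border, and do not expose them to the outside at all.
    if p.proto == "udp" and p.sport in SMALL_SERVICES and p.dport in SMALL_SERVICES:
        return "drop: udp small-service loop"
    if p.iface == "ext" and p.proto == "udp" and p.dport in SMALL_SERVICES:
        return "drop: small udp service not reachable from outside"
    return "accept"


# Constructed sample traffic (assumed addresses).
SAMPLE = [
    Packet("ext", "192.0.2.5", "192.0.2.10", "udp", 7, 19),       # the storm packet, spoofed inside source
    Packet("ext", "127.0.0.1", "192.0.2.10", "udp", 19, 7),       # the 127.0.0.1 variant
    Packet("ext", "203.0.113.7", "192.0.2.10", "udp", 7, 19),     # genuine outside source, still a loop
    Packet("ext", "203.0.113.7", "192.0.2.10", "tcp", 40000, 80), # ordinary web request
    Packet("int", "192.0.2.10", "203.0.113.7", "tcp", 40000, 80), # ordinary outbound request
    Packet("int", "10.9.9.9", "203.0.113.7", "udp", 7, 19),       # our host spoofing someone else
]


def demo() -> list:
    return [verdict(p) for p in SAMPLE]
```

On a real border this is the logic behind an "anti-spoofing" access list or nftables rule set; the point of expressing it per interface is that the same source address is legitimate on one interface and impossible on the other.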

IP Hijacking

The method combines eavesdropping with IP spoofing. Prerequisite: the attacker must have access to a machine on the path of the traffic, with sufficient rights on it to generate and intercept IP packets. Recall that every TCP segment carries a sequence number and an acknowledgement number (both fields are in the TCP header, not the IP header); the server and the client use them to check that transmission is correct. A connection can be driven into a "desynchronised state", in which the sequence and acknowledgement numbers sent by the server do not match what the client expects, and vice versa. An attacker "listening" on the line can then take over as an intermediary, generating the correct segments for the client and the server and intercepting their replies. The method completely bypasses protections such as one-time passwords, because the attacker starts work after the user has already authenticated. There are two ways to desynchronise a connection.

• Early desynchronisation. The connection is desynchronised while it is being set up. The attacker listens on the network segment through which the packets of the session of interest will pass. After seeing the server's S-SYN packet, the attacker sends the server an RST (reset) packet, naturally with the correct sequence number, and immediately afterwards a forged C-SYN on behalf of the client. The server tears down the first session and opens a new one on the same port with a new sequence number, then sends the client a new S-SYN. The client ignores this S-SYN, but the attacker, who is listening, sends the server an S-ACK on behalf of the client. Now both client and server are in the ESTABLISHED state, but the session is desynchronised.
Naturally, this scheme does not work 100% of the time: nothing guarantees, for example, that some of the packets sent by the attacker will not be lost along the way, and the program has to be made more complex to handle such situations correctly.

• Desynchronisation with null data. Here the attacker listens to the session and at some point sends the server a packet with "null" data, that is, data that is ignored at the application level and invisible to the client (for telnet this can be a sequence such as IAC NOP IAC NOP IAC NOP ...). A similar packet is sent to the client. Obviously, after this the session is desynchronised.

ACK storm. One problem with IP hijacking is that any packet sent while the session is desynchronised causes a so-called ACK storm. For example, the server sends a segment that is unacceptable to the client, so the client replies with an ACK; that ACK is unacceptable to the server, which replies with an ACK of its own, which the client answers again, and so on without end. Fortunately, modern networks are built on technology that tolerates the loss of individual packets: since pure ACKs carry no data they are not retransmitted, and the storm dies down. Experiments showed that the stronger the ACK storm, the faster it extinguishes itself; on 10 Mbit Ethernet this takes a fraction of a second, and on unreliable links such as SLIP not much longer.

Detection and protection. There are several approaches. One could implement a TCP/IP stack that detects the transition to the desynchronised state by exchanging information about sequence and acknowledgement numbers; but this does not protect against an attacker who also alters those values. A more reliable way is therefore to analyse network traffic and watch for ACK storms as they arise, which can be done with suitable network monitoring tools.
If the attacker does not bother to keep the connection desynchronised until it is closed, or does not filter the output of his commands, the user will also notice immediately. Unfortunately, the overwhelming majority simply open a new session without contacting the administrator. As always, encrypting the TCP/IP traffic, either at the application level (secure shell) or at the protocol level (IPsec), protects against this attack, because it removes the possibility of modifying the network stream; PGP can be used to protect e-mail messages. Note also that the method does not work against some specific TCP/IP implementations: despite [rfc ...], which requires a session to be closed silently in response to an RST packet, some systems generate a counter-RST, which makes early desynchronisation impossible.
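The following is an added example, not part of the original text, of the traffic-analysis approach recommended above: a detector that watches pure ACK segments on each connection and fires when both ends keep repeating the same sequence and acknowledgement numbers, which is what an ACK storm looks like on the wire. The packet capture is constructed inline (normal traffic, then a desynchronised phase) and the addresses and threshold are assumptions for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Seg:
    ts: float
    src: str
    dst: str
    flags: str   # subset of "SAFRP"
    seq: int
    ack: int
    plen: int    # payload bytes


def conn_key(s: Seg) -> tuple:
    return tuple(sorted((s.src, s.dst)))


class AckStormDetector:
    """A storm is a burst of pure ACKs on one connection in which neither side's
    numbers move: each side re-sends the same seq/ack because the peer's segment
    was 'unacceptable'. Normal ACKs acknowledge new data, so their numbers advance."""

    def __init__(self, window: float = 1.0, threshold: int = 20):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)   # conn -> deque of (ts, src, seq, ack)
        self.alerts = []

    def feed(self, s: Seg) -> None:
        if s.flags != "A" or s.plen != 0:       # only pure ACKs take part in a storm
            return
        q = self.recent[conn_key(s)]
        q.append((s.ts, s.src, s.seq, s.ack))
        while q and s.ts - q[0][0] > self.window:
            q.popleft()
        same = sum(1 for _, src, seq, ack in q if (src, seq, ack) == (s.src, s.seq, s.ack))
        if same >= self.threshold:
            self.alerts.append(
                f"{s.ts:.3f}s ACK storm on {conn_key(s)}: {same} identical ACKs "
                f"from {s.src} (seq={s.seq} ack={s.ack}) within {self.window}s")
            q.clear()                            # report each burst once


def constructed_capture() -> list:
    """Constructed sample (assumed addresses): ten normal data/ACK exchanges,
    then a desynchronised phase in which both sides repeat themselves."""
    client, server = "192.0.2.10", "198.51.100.20"
    segs, t, seq_c, seq_s = [], 0.0, 1000, 5000
    for _ in range(10):
        segs.append(Seg(t, client, server, "PA", seq_c, seq_s, 100)); t += 0.01
        seq_c += 100
        segs.append(Seg(t, server, client, "A", seq_s, seq_c, 0)); t += 0.01
    for _ in range(30):
        segs.append(Seg(t, server, client, "A", 5000, 1700, 0)); t += 0.001
        segs.append(Seg(t, client, server, "A", 2000, 5000, 0)); t += 0.001
    return segs


def run() -> list:
    det = AckStormDetector()
    for s in constructed_capture():
        det.feed(s)
    return det.alerts
```

The normal phase produces no alert because every ACK from the server carries a new acknowledgement number; the desynchronised phase trips the detector once, at the twentieth identical ACK. Fed from a live capture, the same logic would also need the port numbers in the connection key.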

Detection of attacks and protection from them

• To detect attacks, analyse broadcast activity: UDP, NBF and SAP packets.
• To protect an internal network connected to the Internet, do not pass incoming packets from the external network whose source is an internal network address. Allow from outside only what must be reachable, for example packets to port 80.
• Configure packet filtering where necessary, and do not neglect the built-in filter (Control Panel \ Network \ Protocols \ Properties \ Advanced in Windows NT).

Scanning methods

Using the ARP protocol

ARP requests can be used by an attacker to discover which systems are up in a local network segment, since every host that is reachable over IP has to answer an ARP request for its own address.

Scanning the network through DNS

It is known that before launching an attack, attackers identify their targets, that is, the computers that will be the victims and the computers that exchange information with them. One way to identify targets is to query the name server and obtain all available information about the domain from it (for example, by requesting a zone transfer). Counteraction: to spot such reconnaissance, analyse the DNS queries (including reverse, address-to-name lookups) arriving over a fixed period of time, possibly from several different DNS servers; look at what information is being returned to them and track the address lookups.

UDP bomb

Scanning a network using the ping sweep method

A ping sweep, target discovery using ICMP echo requests, is an effective method: every address in a range is sent an echo request, and the addresses that answer are alive.

Counteraction: to detect a ping sweep of targets inside the subnet, analyse the source and destination addresses of ICMP packets; one source sending echo requests to many addresses in turn is the signature.

Scanning TCP Ports

Port scanning is a well-known method for determining a computer's configuration and the services it offers. There are several TCP scanning methods; some are called "stealth" because they exploit peculiarities of the TCP/IP stack implementations in most modern OSes and are not detected by standard means. Counteraction: one option is to answer the intruder's probes with TCP packets carrying the RST flag on behalf of the scanned computer, so that every port appears closed.

Scanning UDP Ports

Another type of port scanning uses UDP and works as follows: a UDP packet is sent to the port being checked on the target. If the port is closed, an ICMP "port unreachable" message comes back; if it is open, there is usually no answer at all. This kind of scan is quite effective and lets all ports on the victim be scanned in a short time, although many systems rate-limit ICMP error messages, which slows it down and makes "no answer" ambiguous (open, filtered, or simply rate-limited). Counteraction: such a scan can be frustrated by sending "port unreachable" messages for every port to the attacker's computer.

Stealth-scan

The method relies on peculiarities of the networking code, so it cannot be guaranteed to work in every situation. TCP packets with the ACK or FIN flag set are used, because when such a packet arrives at a port with no open connection, a closed port always answers with RST. Several methods use this principle:
• Send a FIN packet. If the target returns RST, the port is closed; if no RST comes back, the port is open. This works on most operating systems (Windows is a known exception: it returns RST for open ports as well).
• Send an ACK packet. If the TTL of the returned RST is lower than in the other RSTs received, or if its window size is greater than zero, the port is most likely open.

Passive scanning

Scanning is often used by attackers to find out which TCP ports have daemons listening that respond to requests from the network. An ordinary scanner opens connections to one port after another; when a connection succeeds, the program closes it and reports the port number to the attacker. This is easily detected from the logs of daemons surprised by connections dropped immediately after being established, or with special programs; the better of these try to correlate connection attempts across different ports. The attacker, however, can use another method, so-called passive scanning (the English term is "passive scan"; today it is usually called a SYN or half-open scan). Here the attacker sends a TCP SYN packet to every port in turn (or according to some algorithm). Ports that accept connections from outside answer with SYN/ACK, an invitation to continue the 3-way handshake; the rest answer with RST. From the replies the attacker can quickly tell which ports have a program listening. He can answer the SYN/ACKs with RST to indicate that the connection will not be completed (in general the attacker's TCP/IP implementation does this automatically unless special measures are taken). The method is not detected by the previous means, since no real TCP connection is established. Depending on the attacker's behaviour, however, one can watch for a sharply increased number of sessions in the SYN_RECEIVED state (if the attacker does not send the RST), or for RST packets arriving from a client in response to SYN/ACK. Unfortunately, with sufficiently careful behaviour (for example, scanning at a low rate or checking only a few specific ports) passive scanning cannot be detected, since it is indistinguishable from ordinary connection attempts.
The only real protection is to close on the firewall every service that does not need to be reachable from outside.
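The following is an added example, not part of the original text, of the rate-based detection discussed for TCP, UDP and SYN scans above: a detector that flags a source touching many distinct ports on one host within a time window, run against two constructed scans to show both the detection and the caveat that a slow scan stays under the threshold. The addresses, window and threshold are assumptions for the example.

```python
from collections import defaultdict, deque


class PortScanDetector:
    """Flag a source that probes more than `threshold` distinct destination ports
    on one host within `window` seconds. Feed it every fresh SYN (or, for UDP,
    every datagram to a port that has no listener); it does not matter whether
    the scanner completes the handshake, so half-open scans are covered too."""

    def __init__(self, window: float = 60.0, threshold: int = 15):
        self.window, self.threshold = window, threshold
        self.events = defaultdict(deque)   # (src, dst) -> deque of (ts, dport)
        self.alerts = []

    def feed(self, ts: float, src: str, dst: str, dport: int) -> bool:
        q = self.events[(src, dst)]
        q.append((ts, dport))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold:
            self.alerts.append(
                f"{ts:.0f}s: {src} probed {len(distinct)} ports on {dst} within {self.window:.0f}s")
            q.clear()                      # start counting the next burst afresh
            return True
        return False


def simulate(interval_s: float, ports: int, detector: PortScanDetector = None) -> int:
    """Constructed scan (assumed addresses): one source probes `ports` sequential
    ports on one host, one probe every `interval_s` seconds. Returns the number
    of alerts the detector raised."""
    det = detector or PortScanDetector()
    for i in range(ports):
        det.feed(i * interval_s, "203.0.113.9", "192.0.2.10", 1 + i)
    return len(det.alerts)
```

A scan of 200 ports at one probe per millisecond fires the detector thirteen times; the same 200 ports probed once every 30 seconds never put more than three distinct ports inside the 60-second window and pass unnoticed, which is the limitation the text points out. Lowering the threshold or lengthening the window helps only until the scanner slows down further, so this detection is a complement to closing unneeded services, not a substitute.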

Invitation of the system and the danger of the information contained therein

The "system prompts" (banners) that central computers display on remote access terminals before login should be removed, for the following reasons:
• Such banners usually contain information that lets an intruder identify the type and version of the central computer's operating system, the remote access software, and so on. This can greatly simplify penetration, because the intruder can use attack tools that exploit the weaknesses of that particular system.
• The banner usually reveals which organisation owns the system. If the system belongs to a secret agency or a financial institution, the intruder's interest may increase considerably.
• In a recent trial, a company's claim against a person who had illegally entered its network was rejected, because he justified his actions by the inscription "Welcome to ..." on the remote access terminal of the central computer.

A few tips for network research

• Scan the server for open ports and services.
• Try to log in to the server as IUSR_<machine name>.
• Try to take SAM._ from \REPAIR (the password hashes are recovered from SAM with the expand command).
• The /scripts and /cgi-bin directories, as many probably know, allow any file in them to be run on NT, so these directories should be closed. The launch is performed roughly by this request from the browser (if the executable is in /scripts): http://www.idahonews/scripts/getadmin.exe?Test. Administrator rights can be obtained this way because programs from /scripts run not under the user's account but under the web server's account, from which it follows that the administrator's password hashes can easily be dumped from the registry with PWDUMP.EXE.
• Remember that programs from /SCRIPTS start under the Web account, not under the account of the user who launched them. So you can try to dump the password hashes from the registry with PWDUMP.EXE; the passwords come out hashed, so save the page as a text file and try to crack them with the BRUTEFORCE program.
• Under the administrator account you can change the ftp and http aliases.

Some other ways of obtaining information

• Use whois or nslookup to find alternative names and who owns the network. Note the range of IP addresses for subsequent scanning.
• Go to the nearest router and find out what you can. To find it, trace the route to any IP address in the discovered range; the nearest router is identified by its response time.
• Try to reach the router by telnet.
• Run an IP address range scanner to detect the services running on the hosts.

Holes and administrative errors in Windows NT

• Consider a vulnerability caused by an implementation error in the system, which makes possible an attack known as GetAdmin. The vulnerable component is the NtAddAtom system service, which does not check the parameters passed to it and sets bit 0 at the address NtGlobalFlag + 2 (to find it, open ntoskrnl.exe and locate the entry point of NtAddAtom). Setting this bit disables the debugger privilege check in NtOpenProcess and NtOpenThread, so any user gains the right to open any process in the system. The attack opens the Winlogon process and injects a DLL into it; since that process runs with SYSTEM privileges, it can add a user to the Administrators group or remove one from it. Other breaches of system security are theoretically possible.
• One of the most popular ways into a system is password guessing. To counter it, accounts are usually locked after a certain number of failed login attempts. A notable exception is the Administrator account, and if it is allowed to log on over the network, this opens a loophole for quiet password guessing. For protection it is recommended to rename the Administrator user, enable account lockout, forbid the administrator from logging on over the network, block SMB over TCP/IP (ports 137, 138, 139) at the perimeter, and log failed logons.

Spam

Spammers look not just for any ISP from which to send their mail; they are more likely to pick a corporation, because an Internet provider understands sooner what has happened and is likely to get rid of such messages faster. Periodic spam runs can disrupt legitimate users by overloading the e-mail server. The problem is that connecting to an SMTP server is not difficult: one only needs to know 7-8 commands to make the server deliver one's messages. To guard against this, check the addresses of incoming messages against the database of the server's registered users: if neither the sender's address nor any of the requested recipients is on the list, the mail is not relayed.

How to protect the mail system from spammers

• If you do not read the logs, the spammers will act with impunity.
• Configure all but one of your company's mail servers so that they do not accept relay requests. The remaining server must filter connecting IP addresses carefully.
• Keep every e-mail server that can accept relay requests behind the firewall.

How Spammers Work

• Target selection: the spammer picks a company's domain name at random and then guesses the hostname of its SMTP server. If the server accepts the mail, the spammer asks it to deliver the message to an address list.
• The server executes the request, giving the impression that the messages originate from the victim company's IP address.

IIS Holes, WWW, FTP

• A sender can forge the origin of a message simply by connecting to the SMTP port of the machine on whose behalf he wants to send and entering the message text there.
• The FTP service will open a data connection to an address and port specified by the client (the PORT command), which an attacker can use to make the FTP service deliver dangerous commands to other services. The registry contains the key <HKLM\System\CurrentControlSet\Services\MSFTPSVC\Parameters> with the value <EnablePortAttack: REG_DWORD:>; make sure it is set to '0', not '1'.
• If you connect to port 80 by telnet, the command "GET ../.." crashes IIS with the message "The application, exe\inetinfo.dbg, generated an application error". The address http://www.domain.com/scripts..\..\scriptname executes the specified script. By default Guest or IUSR_WWW has read access to all files in all directories, so these files can be viewed, downloaded and launched.
• The \scripts and \cgi-bin directories should be closed, because any file in them can be run directly from the browser window.
• When IIS receives a very long URL (4-8 KB), the server hangs and stops responding to further requests. The exact size depends on the particular server, so the "killer" programs start from some base request size and gradually increase it, looking for the critical point at which the server hangs.
• Users of Outlook Express 98 must reckon with the fact that this mailer processes, including executes, Visual Basic scripts that can easily be hidden in an e-mail. Such a script has full access to the file system. The only real protection is to set the "security level" in Outlook to maximum.
• If HTML tags are allowed in a chat, nothing stops someone inserting something like <img src="http://www.mysite.com/cgi-bin/sniffer.cgi"> into a message: as a result everyone present in the chat (even unregistered users) calls the script without knowing it.
• Restrict access to port 25 to certain users only.