/-----------------------------\ | Xine - issue #1 - Phile 012 | \-----------------------------/ Kernel Panic presents: *************************************************** * Denial of Service Attacks in TCP/IP networks. * *************************************************** Denial of Service attacks are one of the most dangerous form of Internet abuse. They are not true cracking, because you don't get control on another machine, but just make it unfunctional. Here is just an overview of some kind of them. ** Simple Flooding This is just sending so many packets to a host to make it unfunctional for normal use. Usually they are ping requests. Under UNIX a common way to send them is to use ping -f [hostname]. You need root privileges to issue such a dangerous command. Of course any other method of placing a high load on a machine can do the same harm. Anyway some clever servers (for example some better inetd superdaemons) place a limitation on the number of network connections to every service. So you block that sevice but the host is otherwise still up. ** Route Changing The idea behind this is to change the routing table of some host, so it loses knowledge of others hosts. The most known way to do this is send an ICMP message Host Unrechable. The receiver of such a message is supposed to don't send anymore packets to the originator. A similar result can be obtained by others ICMP messages: Redirect, Time Exceded, Service Unavaible, Parameter Problem and maybe others. The point is that the receviver makes some checks on the ICMP message. For example a Redirect is passed to the routing table manager only if it comes from the old gatway for the address that is being redirected. You have to use a tool that gives you 100% control on the built of the ICMP packet to have good results (for example Injector :-). A more advanced method is to create fake gateway information. You can put yourself in place of gateway and broadcast every routes you want. Some gateway protocols are quite simple and programs that implement them can be or not be careful about the authenticy of the packet. ** Services War A war between 2 host is origintated when they continue to send each other packets. Usually there is a message from host A to host B that triggers a response. But the original message is modified so that the response triggers on its turn another one from A to B and so on. An important point here is that the same message must act as a query and a response. Otherwise stated the service cannot (or simply doesn't) check to see if what it is sending make something comes back. A known case is finger war. Some hosts do a finger to the originator of a request for some services (usually finger because it is know to be used by crackers to gather user information) on them. If 2 servers that employ this policy try to use a finger they get in war. Similar situtation can be triggered by an automatic mail replier. It is enough to make a fake mail from one such replier and another. If they don't make some check on the received mail the will send mail to each other forever. Of course many good programs that handle automatic mail replies do some kind of check. Perhaps the most dangerous abuse of this kind are UDP wars. Here you place in contact 2 UDP services, each one on a different machine. For example they can be echo (port 7) and chargen (port 19). The former simply resend to the originator what it got, the later instead sends back some copies of the ascii charter set when triggered. The result is a very heavy load on the network. By the way note that this can't be done for TCP ports because this protocol requires a three-way handshaking before the connection goes active and the frames involved in it cannot be exchanged. ** Internal Tables Overflow Nowdays the most known type of this kind of attacks is SYN flood. It consists in beginning lots of TCP connections with a host by actually send a packet with the SYN field in the TCP header set. The server keeps a list of TCP handshakings that are going on. This table has, of course, a defined dimension (no more than the host total memory !) and when it is filled there cannot be any other connection to the host. And because the Internet is slow the host must keep connection that are, technically speaking, in a SYN recevied state, for rather a long time. So with a low bandwith occupation (in contrast, for example, to simple flood) you can put out of order a host at least as far as TCP services as concerned. It is difficult to think of a defense against SYN flooding and the packets can be made with a fake source IP address making very difficult the discovery of the sender. Another table that can be overflown is in the IP reassembler. The role of this data strucure is doing housekeeping about reconstructing fragmented packet. If ther are too many fragmented IP packets also this table can be brought to overflow. Of course here only connections that get fragmented are concerned. ** Host Miming In this case you send responses on behalf of another host to prevent correct functionality. You must be on the way between the two communicating computers so the attack can be triggered by packets. This is because most interesting protocols need some sequence information in packets they handle (TCP) or an identification to match queries and responses (for example DNS). Anyway if the protocol you are hacking doesn't have such needs you can just keep sending fraudolent packets and it' s very likely that one of them will reach the attacked host a short while after its query, before the real answer which will be ignored. You can send fake response to DNS queries for a specified host. In this way whatever domain name can be resolved to a bogus IP. This can be unreachable or even of a host that you control. The most difficult point here is that you need to match the query identification so the response is accepted. Another simply way to prevent normal functionality is to answer to every packet that ask to start a TCP connection (that with a SYN) with one that refuse to do it (that with a FIN). Also here a sequence number must be matched, what helps us from simple repeated sending attacks.