The Revoluti0n
| last article | table of contents | next article |
|---|
| last article | table of contents | next article |
|---|
DOS and DDOS Attacks Explained by assassin007
All of you might have heard about the hackers attacks on the major websites like Microsoft,
Yahoo!, Ebay etc.. during these days. But how do the hackers do that???
How they disconnect the servers from the network or crash them? Let's get into the article..
During these days DOS service attacks have become a common thing and even a school going kid
using a small tool can completely paralyse a major server. These attacks are sometimes also
called as "nukes". During a "Denial of Service" attack, the server is overloaded with too
many packets or custom design faulty packets. All the system resources like processing power,
memory etc.. are excessively used-up and the server cannot perform its tasks.
The most popular Denial Of Service attacks are "Ping of Death", "Land", "bonk" etc..
Ping of Death: Ping stands for "Packet Internet Groper".
A ping command is normally used to find whether a remote system is alive or not.
When we send a packet to a remote system, if the system is alive it sends back a reply packet.
The largest packet that the TCP/Ip protocol suite can handle is 65536 bytes(64KB) long.
The TCP/IP protocols has the ability to segment the larger packets and reassemble them,
making it easier to send packets. But the larger packets can be broken down in a special way
and once they reassemble the size of the packet was larger than 64KB.
The server which receives this type of faulty packets, instead of rejecting them,
crashed or performed very slowly.
"Ping Of Death" is one of such tools which is used for this type of attack. Currently
almost all the servers can detect this type of attack and knows the way to handle them.
Land attack: Land attack works by sending spoofed TCP/IP SYN packets.
These packets have the same destination and source IP address.
When these packers are sent to the victims system, the machine thinking itself
sending packets, depending on the operation, will crash.
Routers are more vulnerable to this type of attack and single computers connected to the
internet are not heavily damaged. This type of attack can also effect some CISCO routers.
Newtear/Bonk/Boink: This type of attacks effects systems running on
Windows 95 and Windows NT 4.0. Newtear exploits a way, the TCP/IP stack handles
the misformed UDP header information. The fragmented data sent to a system is
reassembled at the server into an invalid UDP packets. The headers in the UDP datagram
are overwritten and this results in an incomplete packet with false headers.
The system receiving this type of packets usually crashes.
Till now we looked at DOS and various type of DOS attacks.
Next comes the Distributed Denial Of Service(DDOS), the advanced attack of the two.
In this type of attack the actual attacker stays behind and controls a number of systems.
These systems enables the attacker to send a lot of (false) packets to the target
system while the actual attacker remains anonymous.
TRINOO, Tribe Flood Network (TFN) are some of such DDOS programs.
TRINOO: Trinoo is one of the DDOS programs in which the attacker is in
a position to control one or more client(s)/master(s). Trinoo is an open source program.
It consists of master server (master.c) and the agent or daemon (ns.c).
The trinoo network would look something like this:
++++++++++++
| ATTACKER |
++++++++++++
|
------------------+------------------
| |
++++++++++ ++++++++++
| MASTER | | MASTER |
++++++++++ ++++++++++
| |
-------------------+-----------------------------------+-------------------
| | |
++++++++++ ++++++++++ ++++++++++
| DAEMON | | DAEMON | | DAEMON |
++++++++++ ++++++++++ ++++++++++
| | |
+------------------------------------+------------------------------------+
|
----+-----
| VICTIM |
----------
In this type of attack the attacker contols more or more "master" servers
and each of them inturn control many daemons. Each of such daemons may be
instructed to launch attack against one or more victim systems.
Trinoo uses the following ports:
Attacker->Master:27665(TCP)
Master->Daemon:27444(UDP)
Daemon->master:31335(UDP)
Tribe Flood Network(TFN): TFN is made up of client and daemon programs
which are capable of doing ICMP flooding, SYN flood, UDP flood etc.. The TFN
is made up of a tribe client program (tribe.c) and the tribe daemon(td.c).
++++++++++++
| ATTACKER |
++++++++++++
|
------------------+------------------
| |
++++++++++ ++++++++++
| CLIENT | | CLIENT |
++++++++++ ++++++++++
| |
-------------------+-----------------------------------+-------------------
| | |
++++++++++ ++++++++++ ++++++++++
| DAEMON | | DAEMON | | DAEMON |
++++++++++ ++++++++++ ++++++++++
| | |
+------------------------------------+------------------------------------+
|
----+-----
| VICTIM |
----------
The attacker may control one or more clients which in-turn control one or more daemons.
Each such daemon may be instructed to perform an attack against one or more victims
by the client. The attacker controls the clients over a TCP port and communication
between client and the daemon takes place through ICMP Echo packets.
There are several other types of programs to perform a successful DDOS.
But let's stop this here for now. If you still want to know about them go to
http://www.packetstromsecurity.org or go to http://www.google.com and search there.
Sincerely yours
assassin007
admin, hrvg.tk