|
|
|
|
.C. ATTACKING FROM THE OUTSIDE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .C.1. TAKING ADVANTAGE OF FINGER -------------------------------- Most fingerd installations support redirections to an other host. Ex: $finger @system.two.com@system.one.com finger will in the example go through system.one.com and on to system.two.com. As far as system.two.com knows it is system.one.com who is fingering. So this method can be used for hiding, but also for a very dirty denial of service attack. Lock at this: $ finger @@@@@@@@@@@@@@@host.we.attack All those @ signs will get finger to finger host.we.attack again and again and again... The effect on host.we.attack is powerful and the result is high bandwidth, short free memory and a hard disk with less free space, due to all child processes (compare with .D.5.). The solution is to install a fingerd which don't support redirections, for example GNU finger. You could also turn the finger service off, but I think that is just a bit to much. .C.2. UDP AND SUNOS 4.1.3. -------------------------- SunOS 4.1.3. is known to boot if a packet with incorrect information in the header is sent to it. This is the cause if the ip_options indicate a wrong size of the packet. The solution is to install the proper patch. .C.3. FREEZING UP X-WINDOWS --------------------------- If a host accepts a telnet session to the X-Windows port (generally somewhere between 6000 and 6025. In most cases 6000) could that be used to freeze up the X-Windows system. This can be made with multiple telnet connections to the port or with a program which sends multiple XOpenDisplay() to the port. The same thing can happen to Motif or Open Windows. The solution is to deny connections to the X-Windows port. .C.4. MALICIOUS USE OF UDP SERVICES ----------------------------------- It is simple to get UDP services (echo, time, daytime, chargen) to loop, due to trivial IP-spoofing. The effect can be high bandwidth that causes the network to become useless. In the example the header claim that the packet came from 127.0.0.1 (loopback) and the target is the echo port at system.we.attack. As far as system.we.attack knows is 127.0.0.1 system.we.attack and the loop has been establish. Ex: from-IP=127.0.0.1 to-IP=system.we.attack Packet type:UDPfrom UDP port 7 to UDP port 7 Note that the name system.we.attack looks like a DNS-name, but the target should always be represented by the IP-number. Quoted from proberts@clark.net (Paul D. Robertson) comment on comp.security.firewalls on matter of "Introduction to denial of service" "A great deal of systems don't put loopback on the wire, and simply emulate it. Therefore, this attack will only effect that machine in some cases. It's much better to use the address of a different machine on the same network. Again, the default services should be disabled in inetd.conf. Other than some hacks for mainframe IP stacks that don't support ICMP, the echo service isn't used by many legitimate programs, and TCP echo should be used instead of UDP where it is necessary. " .C.5. ATTACKING WITH LYNX CLIENTS --------------------------------- A World Wide Web server will fork an httpd process as a respond to a request from a client, typical Netscape or Mosaic. The process lasts for less than one second and the load will therefore never show up if someone uses ps. In most causes it is therefore very safe to launch a denial of service attack that makes use of multiple W3 clients, typical lynx clients. But note that the netstat command could be used to detect the attack (thanks to Paul D. Robertson). Some httpd:s (for example http-gw) will have problems besides the normal high bandwidth, low memory... And the attack can in those causes get the server to loop (compare with .C.6.) .C.6. MALICIOUS USE OF telnet ----------------------------- Study this little script: Ex: while : ; do telnet system.we.attack & done An attack using this script might eat some bandwidth, but it is nothing compared to the finger method or most other methods. Well the point is that some pretty common firewalls and httpd:s thinks that the attack is a loop and turn them self down, until the administrator sends kill -HUP. This is a simple high risk vulnerability that should be checked and if present fixed. .C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4 ----------------------------------------------- If the attacker makes a telnet connections to the Solaris 2.4 host and quits using: Ex: Control-} quit then will inetd keep going "forever". Well a couple of hundred... The solution is to install the proper patch. .C.8. HOW TO DISABLE ACCOUNTS ----------------------------- Some systems disable an account after N number of bad logins, or waits N seconds. You can use this feature to lock out specific users from the system. .C.9. LINUX AND TCP TIME, DAYTIME ---------------------------------- Inetd under Linux is known to crash if to many SYN packets sends to daytime (port 13) and/or time (port 37). The solution is to install the proper patch. .C.10. HOW TO DISABLE SERVICES ------------------------------ Most Unix systems disable a service after N sessions have been open in a given time. Well most systems have a reasonable default (lets say 800 - 1000), but not some SunOS systems that have the default set to 48... The solutions is to set the number to something reasonable. .C.11. PARAGON OS BETA R1.4 --------------------------- If someone redirects an ICMP (Internet Control Message Protocol) packet to a paragon OS beta R1.4 will the machine freeze up and must be rebooted. An ICMP redirect tells the system to override routing tables. Routers use this to tell the host that it is sending to the wrong router. The solution is to install the proper patch. .C.12. NOVELLS NETWARE FTP -------------------------- Novells Netware FTP server is known to get short of memory if multiple ftp sessions connects to it. .C.13. ICMP REDIRECT ATTACKS ---------------------------- Gateways uses ICMP redirect to tell the system to override routing tables, that is telling the system to take a better way. To be able to misuse ICMP redirection we must know an existing connection (well we could make one for ourself, but there is not much use for that). If we have found a connection we can send a route that loses it connectivity or we could send false messages to the host if the connection we have found don't use cryptation. Ex: (false messages to send) DESTINATION UNREACHABLE TIME TO LIVE EXCEEDED PARAMETER PROBLEM PACKET TOO BIG The effect of such messages is a reset of the connection. The solution could be to turn ICMP redirects off, not much proper use of the service. .C.14. BROADCAST STORMS ----------------------- This is a very popular method in networks there all of the hosts are acting as gateways. There are many versions of the attack, but the basic method is to send a lot of packets to all hosts in the network with a destination that don't exist. Each host will try to forward each packet so he packets will bounce around for a long time. And if new packets keep coming the network will soon be in trouble. Services that can be misused as tools in this kind of attack is for example ping, finger and sendmail. But most services can be misused in some way or another. .C.15. EMAIL BOMBING AND SPAMMING --------------------------------- In a email bombing attack the attacker will repeatedly send identical email messages to an address. The effect on the target is high bandwidth, a hard disk with less space and so on... Email spamming is about sending mail to all (or rather many) of the users of a system. The point of using spamming instead of bombing is that some users will try to send a replay and if the address is false will the mail bounce back. In that cause have one mail transformed to three mails. The effect on the bandwidth is obvious. There is no way to prevent email bombing or spamming. However have a look at CERT:s paper "Email bombing and spamming". .C.16. TIME AND KERBEROS ------------------------ If not the the source and target machine is closely aligned will the ticket be rejected, that means that if not the protocol that set the time is protected it will be possible to set a kerberos server of function. .C.17. THE DOT DOT BUG ---------------------- Windows NT file sharing system is vulnerable to the under Windows 95 famous dot dot bug (dot dot like ..). Meaning that anyone can crash the system. If someone sends a "DIR ..\" to the workstation will a STOP messages appear on the screen on the Windows NT computer. Note that it applies to version 3.50 and 3.51 for both workstation and server version. The solution is to install the proper patch. .C.18. SUNOS KERNEL PANIC ------------------------- Some SunOS systems (running TIS?) will get a kernel panic if a getsockopt() is done after that a connection has been reset. The solution could be to install Sun patch 100804. .C.19. HOSTILE APPLETS ---------------------- A hostile applet is any applet that attempts to use your system in an inappropriate manner. The problems in the java language could be sorted in two main groups: 1) Problems due to bugs. 2) Problems due to features in the language. In group one we have for example the java bytecode verifier bug, which makes is possible for an applet to execute any command that the user can execute. Meaning that all the attack methods described in .D.X. could be executed through an applet. The java bytecode verifier bug was discovered in late March 1996 and no patch have yet been available (correct me if I'am wrong!!!). Note that two other bugs could be found in group one, but they are both fixed in Netscape 2.01 and JDK 1.0.1. Group two are more interesting and one large problem found is the fact that java can connect to the ports. Meaning that all the methods described in .C.X. can be performed by an applet. More information and examples could be found at address: http://www.math.gatech.edu/~mladue/HostileArticle.html If you need a high level of security you should use some sort of firewall for protection against java. As a user you could have java disable. .C.20. VIRUS ------------ Computer virus is written for the purpose of spreading and destroying systems. Virus is still the most common and famous denial of service attack method. It is a misunderstanding that virus writing is hard. If you know assembly language and have source code for a couple of virus it is easy. Several automatic toolkits for virus construction could also be found, for example: * Genvir. * VCS (Virus Construction Set). * VCL (Virus Construction Laboratory). * PS-MPC (Phalcon/Skism - Mass Produced Code Generator). * IVP (Instant Virus Production Kit). * G2 (G Squared). PS-MPC and VCL is known to be the best and can help the novice programmer to learn how to write virus. An automatic tool called MtE could also be found. MtE will transform virus to a polymorphic virus. The polymorphic engine of MtE is well known and should easily be catch by any scanner. .C.21. ANONYMOUS FTP ABUSE -------------------------- If an anonymous FTP archive have a writable area it could be misused for a denial of service attack similar with with .D.3. That is we can fill up the hard disk. Also can a host get temporarily unusable by massive numbers of FTP requests. For more information on how to protect an anonymous FTP site could CERT:s "Anonymous FTP Abuses" be a good start. .C.22. SYN FLOODING ------------------- Both 2600 and Phrack have posted information about the syn flooding attack. 2600 have also posted exploit code for the attack. As we know the syn packet is used in the 3-way handshake. The syn flooding attack is based on an incomplete handshake. That is the attacker host will send a flood of syn packet but will not respond with an ACK packet. The TCP/IP stack will wait a certain amount of time before dropping the connection, a syn flooding attack will therefore keep the syn_received connection queue of the target machine filled. The syn flooding attack is very hot and it is easy to find more information about it, for example: [.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html Article by Christopher Klaus, including a "solution". [.2.] http://jya.com/floodd.txt 2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane [.3.] http://www.fc.net/phrack/files/p48/p48-14.html IP-spoofing Demystified by daemon9 / route / infinity for Phrack Magazine .C.23. PING FLOODING -------------------- I haven't tested how big the impact of a ping flooding attack is, but it might be quite big. Under Unix we could try something like: ping -s host to send 64 bytes packets. If you have Windows 95, click the start button, select RUN, then type in: PING -T -L 256 xxx.xxx.xxx.xx. Start about 15 sessions. .C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES ---------------------------------------------------------- If someone can ping your machine from a Windows 95 machine he or she might reboot or freeze your machine. The attacker simply writes: ping -l 65510 address.to.the.machine And the machine will freeze or reboot. Works for kernel 2.0.7 up to version 2.0.20. and 2.1.1. for Linux (crash). AIX4, OSF, HPUX 10.1, DUnix 4.0 (crash). OSF/1, 3.2C, Solaris 2.4 x86 (reboot). .C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE -------------------------------------------------- The subnet mask reply message is used under the reboot, but some hosts are known to accept the message any time without any check. If so all communication to or from the host us turned off, it's dead. The host should not accept the message any time but under the reboot. .C.26. FLEXlm ------------- Any host running FLEXlm can get the FLEXlm license manager daemon on any network to shutdown using the FLEXlm lmdown command. # lmdown -c /etc/licence.dat lmdown - Copyright (C) 1989, 1991 Highland Software, Inc. Shutting down FLEXlm on nodes: xxx Are you sure? [y/n]: y Shut down node xxx # .C.27. BOOTING WITH TRIVIAL FTP ------------------------------- To boot diskless workstations one often use trivial ftp with rarp or bootp. If not protected an attacker can use tftp to boot the host. [UP] |
|
|
|
