
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

2 Attack Profiles CS-480b Dick Steflik

3 Attack Categories: Denial-of-Service, Exploitation Attacks, Information Gathering Attacks, Disinformation Attacks

4 Denial of Service Attacks: Ping of Death, Teardrop, UDP Floods, SYN Floods, Land Attack, Smurf Attack, Fraggle Attack, E-mail Bombs, Malformed Message Attacks

5 Ping of Death
An ICMP Echo Request packet that is bigger than the largest allowable size; the TCP/IP specification says the maximum should be 65 Kbytes. The hacker's goal is to crash the stack by exceeding the maximum size of the I/O buffer. Defense: the stack must be hardened (all current popular stack implementations take care of this).

6 Teardrop
Targets IP implementations that trust the fragmentation information in the headers of fragmented IP packets: if the fragments have overlapping offsets, many implementations will crash. Defenses: apply the latest patches; configure firewalls to reassemble fragments themselves rather than forwarding them for the end point to reassemble.
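The check a reassembling firewall applies to slides 5 and 6, written here as an added example (not code from the slides): it decodes the fragment-offset field and refuses fragment sets that overlap (Teardrop) or would exceed the 65535-byte IPv4 limit (Ping of Death). The sample fragment sets are constructed for illustration.

```python
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535  # largest IPv4 datagram: the total-length field is 16 bits


@dataclass(frozen=True)
class Fragment:
    """One IP fragment: byte offset within the datagram, payload length, more-fragments flag."""
    offset: int   # in bytes (the header stores it in 8-byte units)
    length: int
    more: bool


def fragment_from_header(flags_frag_field, total_length, ihl=5):
    """Decode the 16-bit flags/fragment-offset field and the IP total length into a Fragment."""
    more = bool(flags_frag_field & 0x2000)        # MF (more fragments) bit
    offset = (flags_frag_field & 0x1FFF) * 8      # 13-bit offset in 8-byte units
    return Fragment(offset, total_length - ihl * 4, more)


def check_fragments(frags):
    """Validate a fragment set before reassembly instead of trusting the offsets.

    Returns "ok", or the defect found: "oversize" (a fragment would extend the
    datagram past 65535 bytes, the Ping of Death case), "overlap" (a fragment
    starts inside an earlier one, the Teardrop case) or "incomplete" (a gap or
    no final fragment, so reassembly must wait or time out).
    """
    if any(f.offset + f.length > MAX_IP_DATAGRAM for f in frags):
        return "oversize"
    expected = 0
    ordered = sorted(frags, key=lambda f: f.offset)
    for f in ordered:
        if f.offset < expected:
            return "overlap"
        if f.offset > expected:
            return "incomplete"
        expected = f.offset + f.length
    if not ordered or ordered[-1].more:
        return "incomplete"
    return "ok"


# Constructed sample fragment sets (offsets and lengths are illustrative only).
SAMPLES = {
    "normal": [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 500, False)],
    "teardrop": [Fragment(0, 36, True), Fragment(24, 4, False)],             # second ends inside the first
    "ping_of_death": [Fragment(0, 1480, True), Fragment(65528, 20, False)],  # 65528 + 20 > 65535
}
```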

7 UDP Floods
Forge a connection to a host running chargen and have it send useless chargen data to the echo service on another host; this makes the two services so busy that the host may crash or be too busy to respond to normal traffic. Defense: configure only the services that are absolutely necessary (chargen and echo have no business running on a production server).

8 SYN Floods
The goal here is to use up all of the target host's resources (memory and processes), thereby making it unable to process legitimate traffic. Each time a user sends a SYN, the host accepts it and allocates a process and memory; this gets done over and over until things just get used up. Defense: a firewall that can recognize the characteristics of a SYN attack and start rejecting packets.
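One "characteristic of a SYN attack" a firewall can recognize is handshakes that are opened but never completed. This added example (not from the slides) runs that logic over a constructed, simplified packet log whose line format and addresses are invented for the demo.

```python
import re
from collections import defaultdict

# Constructed sample packet log: "time src:port -> dst:port FLAGS" (S = SYN, A = ACK).
SAMPLE_LOG = """\
10:00:01 198.51.100.4:51000 -> 192.0.2.10:80 S
10:00:01 198.51.100.4:51000 -> 192.0.2.10:80 A
10:00:01 203.0.113.7:40001 -> 192.0.2.10:80 S
10:00:01 203.0.113.7:40002 -> 192.0.2.10:80 S
10:00:01 203.0.113.7:40003 -> 192.0.2.10:80 S
10:00:02 203.0.113.7:40004 -> 192.0.2.10:80 S
10:00:02 203.0.113.7:40005 -> 192.0.2.10:80 S
10:00:02 198.51.100.9:52000 -> 192.0.2.10:80 S
10:00:02 198.51.100.9:52000 -> 192.0.2.10:80 A
"""

LINE_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+) ([SAFR]+)$")


def half_open_by_source(log_text):
    """Count, per source address, handshakes that were opened (SYN) but never completed (ACK)."""
    pending = defaultdict(set)  # source ip -> set of (src port, dst ip, dst port) still half-open
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, sport, dst, dport, flags = m.groups()
        key = (sport, dst, dport)
        if flags == "S":
            pending[src].add(key)       # handshake opened, resources allocated on the server
        elif "A" in flags:
            pending[src].discard(key)   # client completed the handshake
    return {src: len(keys) for src, keys in pending.items() if keys}


def flag_syn_flooders(log_text, threshold=5):
    """Return sources holding at least `threshold` half-open connections, sorted for stable output."""
    counts = half_open_by_source(log_text)
    return sorted(src for src, n in counts.items() if n >= threshold)
```

Real floods usually spoof the source address, so a deployed detector also tracks the destination's total half-open count rather than relying on per-source counts alone.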

9 Land Attack
Hardened stack implementations have made this obsolete. Send a special SYN packet with the source and destination address both set to the targeted machine's IP address; this causes the recipient to acknowledge to its own address, and the connection is left open until the OS times it out. Defense: apply the latest patches; configure firewalls to reject inbound packets with internal addresses as the source address.

10 Smurf Attack
Flood a host with ICMP Echo Requests that have the destination address set to the subnet broadcast address. Defense: turn off the broadcast addressing feature; configure the firewall to drop incoming pings.

11 Fraggle Attacks
A Smurf attack using UDP echo messages rather than ICMP echo requests. Defense: have the firewall filter out incoming UDP echo requests.
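The firewall rules from slides 9, 10 and 11 (reject inbound packets with internal or self-addressed sources, drop echo traffic aimed at the subnet broadcast address) combined into one inbound classifier, as an added example that is not part of the slides. The protected network 192.0.2.0/24 and the sample packets are constructed.

```python
import ipaddress

# Constructed: the protected network behind the firewall's external interface.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


def classify_inbound(src, dst, proto, dport=None, icmp_type=None):
    """Classify one packet arriving on the external interface.

    Returns "allow" or the name of the rule that rejects it:
      "land"      source and destination are the same address
      "spoofed"   an internal address appears as the source of an outside packet
      "smurf"     ICMP Echo Request (type 8) aimed at the subnet broadcast address
      "fraggle"   UDP echo (port 7) aimed at the subnet broadcast address
      "broadcast" any other traffic aimed at the subnet broadcast address
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s == d:
        return "land"
    if s in INTERNAL_NET:
        return "spoofed"          # anti-spoofing ingress filter
    if d == INTERNAL_NET.broadcast_address:
        if proto == "icmp" and icmp_type == 8:
            return "smurf"
        if proto == "udp" and dport == 7:
            return "fraggle"
        return "broadcast"        # directed broadcast has no business coming from outside
    return "allow"


# Constructed sample packets: (src, dst, proto, dport, icmp_type).
SAMPLE_PACKETS = [
    ("203.0.113.1", "192.0.2.10", "tcp", 443, None),    # ordinary inbound HTTPS
    ("192.0.2.10", "192.0.2.10", "tcp", 139, None),     # Land: src == dst
    ("192.0.2.5", "192.0.2.10", "tcp", 80, None),       # internal source seen from outside
    ("203.0.113.1", "192.0.2.255", "icmp", None, 8),    # Smurf amplification request
    ("203.0.113.1", "192.0.2.255", "udp", 7, None),     # Fraggle amplification request
]


def summarize(packets):
    """Count packets per verdict, as a firewall log summary would."""
    counts = {}
    for src, dst, proto, dport, icmp_type in packets:
        verdict = classify_inbound(src, dst, proto, dport, icmp_type)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```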

12 E-mail Bombs
The goal is to use up the mail server's bandwidth, thus denying mail to all users: repeatedly send a large e-mail message to the same user over and over. Defense: configure the mail server to delete excessive and/or duplicate e-mails from the server.

13 Malformed Message Attacks
Send malformed messages: excessively large URLs to web servers; random data to RPC services to try to crash them; buffer overflow attempts by malforming protocol fields. Defense: keep up to date with vulnerability reports and patches from vendors for OEM products.

14 Exploitation Attacks: TCP/IP Connection Hijacking, Layer-2 Connection Hijacking, Password Guessing, Trojan Horses, Buffer Overflows

15 TCP/IP Connection Hijacking
TCP uses pseudo-random sequence numbers to order TCP packets so they can be reassembled reliably. If a hacker can predict the next correct sequence number, he can send a fixed-up packet that will cause the stream to be hijacked to his address, and the valid packets will end up getting dropped. Defense: use a stack with an uncompromised pseudo-random number generator (OpenBSD or Linux); use a redirector to reconstruct a stream (redir).

16 Layer-2 Connection Hijacking
Exploits the fact that IP broadcasts ARP requests. Extremely rare, because it requires layer-2 access, except in ISP colocation situations where your machine may be located on the same switch as many other machines. Defense: use hubs rather than switches, or have the ISP use layer-3 routers rather than layer-2 switches.

17 Password Guessing
Use strong passwords; don't expose exploitable services like telnet, NetBIOS or NFS; use lockout policies for handling multiple unsuccessful login attempts.

18 Trojan Horses
Some other exploit installs a program on your computer that opens a back door into the system; it could open up pcAnywhere or VNC to give a remote user full access to your machine. Usually installed from an e-mail attachment.

19 Information Gathering Attacks: Address Scanning, Port Scanning, Inverse Mapping, Slow Scanning, Architecture Probes, DNS Zone Transfers, Finger, LDAP, SNMP

20 Disinformation Attacks: DNS Cache Pollution, Registrar Usurpation, Forged E-mail

