
Understanding Attack Techniques

Attacks on computing systems take on different forms, depending on the goal and resources of the attacker. Some attackers want to be disruptive, while others want to access your server and utilize the resources for their own nefarious purposes. Still others are targeting your data for financial gain or blackmail. These are the major categories of attacks:

Denial of Service (DoS)
The easiest attacks to perpetrate are Denial of Service attacks. Their primary purpose is to disrupt the activities of a remote site by overloading it with irrelevant data. A DoS attack can be as simple as sending thousands of page requests per second at a web site. These attacks are easy to perpetrate and easy to protect against.

Distributed Denial of Service (DDoS)
This is a more advanced form of attack than DoS. DDoS attacks are much harder to perpetrate and next to impossible to stop. In this form of attack, an attacker takes control of hundreds or even thousands of weakly secured servers, then directs them in unison to send a stream of irrelevant data to a single server/host. The result is that the power of one attacker is magnified hundreds or thousands of times. Instead of the attack coming from one direction, as in a normal DoS, it comes from thousands of directions at once.

Many people use the excuse "I have nothing on my server anyone would want" to avoid having to consider security. More than once, authorities have shown up at the door of a dumbfounded server owner asking questions about threats originating from their server. By ignoring security, such owners have opened themselves up to great liability.

Intrusion Attacks
To remotely use the resources of a target server, attackers must first look for an opening to exploit. In the absence of inside information such as passwords or encryption keys, they must scan the target server to see what services it offers. Perhaps one of the services is weakly secured and the attacker can use some known exploit to worm his or her way in. A tool called nmap is generally considered the best way to scan a server for services (note that nmap is a tool for good and for bad). Once the attacker has a list of the services running on the target, he needs to find a way to trick one of those services into granting him privileged access to the system. Usually this is done with a program called an exploit.

While DoS attacks are disruptive, intrusion-type attacks are the most damaging. The reasons are varied, but the result is always the same: an uninvited guest is now taking up residence on your server and is using it in a way you have no control over.

TCP SYN Flooding
A TCP SYN flooding attack consumes your system resources until no more incoming TCP connections are possible. The attack makes use of the basic TCP three-way handshake during connection establishment, in conjunction with IP address spoofing. The attacker spoofs his or her source address and initiates a connection to one of your TCP-based services. As a client attempting to open a TCP connection, the attacker sends you a SYN message. Your machine responds by sending an acknowledgment, a SYN-ACK. However, in this case the address you're replying to isn't the attacker's address; it's a nonexistent address. The final stage of TCP connection establishment, receiving an ACK in response, never happens. Consequently, finite network connection resources are consumed: the connection remains in a half-open state until the connection attempt times out. The attacker floods your port with connection requests faster than the TCP timeouts release the resources. If this continues, all resources will be in use and no more incoming connection requests can be accepted. If the target is your SMTP port, you can't receive email. If the target is your HTTP port, people can't connect to your site.

Several aids are available to Linux users. The first is source address filtering, which filters out the most commonly used spoofed source addresses. The second is to compile your kernel with SYN cookies enabled; this is a specific retardant to SYN flooding (the default in RedHat 6.0).

ICMP Flood (also known as Ping flood or Smurf attack)
An ICMP flood is a type of Denial of Service attack that sends large amounts of (or simply over-sized) ICMP packets to a machine in an attempt to crash its TCP/IP stack and cause it to stop responding to TCP/IP requests.

Any message that elicits a response from your machine can be used to degrade your network connection by forcing the system to spend most of its time responding. The ICMP echo request message sent by ping is a common culprit. Additionally, an older exploit called the Ping of Death involved sending very large ping packets; vulnerable systems could crash as a result. Linux is not vulnerable to this exploit, nor are many other current UNIX operating systems.

Ping is a very useful, basic networking tool, so you might not want to disable it altogether. In today's Internet environment, however, conservative folks recommend disabling incoming ping, or at least severely limiting whom you accept echo requests from. Because of ping's history of involvement in denial-of-service attacks, many sites no longer respond to external ping requests.

UDP Flooding
The UDP protocol is especially useful as a denial-of-service tool. Unlike TCP, UDP is stateless: flow control mechanisms aren't included, there are no connection state flags, datagram sequence numbers aren't used, and no information is maintained on which packet is expected next. It's relatively easy to keep a system so busy responding to incoming UDP probes that no bandwidth is left for legitimate network traffic.

Because UDP services are inherently less secure than TCP services, many sites disable all UDP ports that aren't absolutely necessary. Almost all common Internet services are TCP-based.

ICMP Redirect Bombs
An ICMP redirect message (type 5) tells the target system to change its routing tables in favor of a shorter route. If you run routed or gated and honor redirect messages, it's possible for an attacker to fool your system into thinking that the attacker's machine is one of your local machines or one of your ISP's machines, or even to fool your system into forwarding all traffic to some other remote host.
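The SYN flooding, ping and ICMP redirect sections above each name a kernel-side mitigation (SYN cookies, source address filtering, ignoring incoming ping, ignoring redirects). The following audit script is an added example, not part of the ServerTune article: it reads the corresponding Linux sysctl values from /proc/sys and reports which are not set to the hardened value. The key paths are real sysctl keys; the "expected" values are the hardened choice assumed here, not a guaranteed distribution default.

```python
# Added example: audit Linux kernel settings against the mitigations the
# article describes. Expected values are this example's assumption.
import os

# key -> (hardened value, hard requirement?, which attack it addresses)
CHECKS = {
    "net/ipv4/tcp_syncookies": ("1", True, "SYN cookies against TCP SYN flooding"),
    "net/ipv4/conf/all/rp_filter": ("1", True, "reverse-path filtering of spoofed source addresses"),
    "net/ipv4/conf/all/accept_redirects": ("0", True, "ignore ICMP redirect (type 5) bombs"),
    "net/ipv4/icmp_echo_ignore_broadcasts": ("1", True, "no reply to broadcast ping (smurf)"),
    "net/ipv4/icmp_echo_ignore_all": ("1", False, "drop all incoming ping (optional; loses diagnostics)"),
}

def read_values(proc_root="/proc/sys"):
    """Read each checked key from the /proc/sys tree; unreadable keys map to None."""
    values = {}
    for key in CHECKS:
        try:
            with open(os.path.join(proc_root, key)) as f:
                values[key] = f.read().strip()
        except OSError:
            values[key] = None
    return values

def evaluate(values):
    """Compare current values to the hardened ones.

    Returns a list of (key, severity, actual, reason). Severity is "FAIL" for a
    hard requirement, "INFO" for an optional one and "MISSING" if unreadable.
    Keys already at the hardened value produce no finding.
    """
    findings = []
    for key, (expected, required, reason) in CHECKS.items():
        actual = values.get(key)
        if actual is None:
            findings.append((key, "MISSING", None, reason))
        elif actual != expected:
            findings.append((key, "FAIL" if required else "INFO", actual, reason))
    return findings

if __name__ == "__main__":
    for key, severity, actual, reason in evaluate(read_values()):
        print(f"{severity:7} {key} = {actual!r}: {reason}")
```

Run it on the host being reviewed; an empty report means every checked key already holds the hardened value.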

IP Address Sweep
In an IP address sweep, a malicious agent sends continuous ICMP packets (echo requests) to different hosts within a defined interval (5 milliseconds is the default). The purpose is to have at least one host reply, thus exposing itself to the attacker.

The easiest way to preclude an attacker from performing an IP address sweep is to disable all ICMP traffic, but this could mean that you lose network diagnostics. More advanced systems can monitor sessions and identify IP address sweeps by monitoring the rate of transmission of ICMP messages originating from a particular source.

Port Scanning
A port scan is a method used by hackers and/or spammers to determine what ports are open or in use on a system or network. Based on the responses received, the port scan utility can determine which ports are in use. A hacker/spammer can then focus their attack on the open ports and try to exploit the server.

As with an IP address sweep, this can be avoided by applying access control lists. Sophisticated systems (such as Cisco IPS) can monitor the number of ports scanned by a given remote source and block all further requests when the number of port scans reaches a predefined value within a defined interval.
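The IP address sweep and port scanning sections both describe the same detection idea: count what one remote source touches within a time window and alert past a threshold. The script below is an added example, not code from the ServerTune article or from any IPS product: it applies a sliding window per source to constructed log lines, flagging a source that pings many distinct hosts (sweep) or probes many distinct ports on one host (scan). The log format, the window length and both thresholds are assumptions.

```python
# Added example: sliding-window detection of ICMP sweeps and TCP port scans.
# Log format, window and thresholds are constructed for this example.
from collections import defaultdict, deque

WINDOW_SECONDS = 1.0   # assumed sliding window
SWEEP_HOSTS = 8        # distinct hosts pinged by one source within the window
SCAN_PORTS = 10        # distinct ports probed on one host within the window

def parse(line):
    """Turn 't=.. src=.. dst=.. proto=.. [type=..|dport=..]' into a dict."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["t"] = float(rec["t"])
    return rec

def window_count(q, t, value):
    """Push (t, value), drop entries older than the window, count distinct values."""
    q.append((t, value))
    while t - q[0][0] > WINDOW_SECONDS:
        q.popleft()
    return len({v for _, v in q})

def detect(lines):
    """Return (kind, src, dst_or_None) alerts, at most one per source and kind."""
    pings = defaultdict(deque)   # src -> recent (t, dst) echo requests
    syns = defaultdict(deque)    # (src, dst) -> recent (t, dport) TCP probes
    alerts = []
    for rec in map(parse, lines):   # lines are assumed to be in time order
        src, dst, t = rec["src"], rec["dst"], rec["t"]
        if rec["proto"] == "icmp" and rec.get("type") == "8":
            if window_count(pings[src], t, dst) >= SWEEP_HOSTS:
                if ("ip_sweep", src, None) not in alerts:
                    alerts.append(("ip_sweep", src, None))
        elif rec["proto"] == "tcp" and "dport" in rec:
            if window_count(syns[(src, dst)], t, rec["dport"]) >= SCAN_PORTS:
                if ("port_scan", src, dst) not in alerts:
                    alerts.append(("port_scan", src, dst))
    return alerts

# Constructed sample: a sweep of 10 hosts at the 5 ms interval the article
# quotes, then a scan of 12 ports on one host, then ordinary traffic.
SAMPLE = (
    [f"t={0.005 * i:.3f} src=203.0.113.9 dst=192.0.2.{i} proto=icmp type=8" for i in range(1, 11)]
    + [f"t={5 + 0.01 * i:.2f} src=203.0.113.9 dst=192.0.2.1 proto=tcp dport={20 + i}" for i in range(12)]
    + ["t=7.00 src=198.51.100.4 dst=192.0.2.1 proto=tcp dport=80",
       "t=7.50 src=198.51.100.4 dst=192.0.2.1 proto=icmp type=8"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Because the window slides, the same ten hosts pinged a second apart never trip the sweep threshold, which is what keeps routine monitoring pings from being flagged.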
