Understanding Attack Techniques
Posted: 04 Jun, 2007
by: Support T.
Updated: 02 Mar, 2008
by: Support T.

Attacks on computing systems take on different forms, depending on the goal and resources of the attacker. Some attackers want to be disruptive, while others want to access your server and utilize its resources for their own nefarious purposes. Still others are targeting your data for financial gain or blackmail. These are the major categories of attacks:

Denial of Service (DoS)
The easiest attacks to perpetrate are Denial of Service attacks. The primary purpose of these attacks is to disrupt the activities of a remote site by overloading it with irrelevant traffic. DoS attacks can be as simple as sending thousands of page requests per second at a Web site. These types of attacks are easy to perpetrate and easy to protect against.

Distributed Denial of Service (DDoS)
This is a more advanced form of attack than DoS. DDoS attacks are much harder to perpetrate and next to impossible to stop. In this form of attack, an attacker takes control of hundreds or even thousands of weakly secured servers, then directs them in unison to send a stream of irrelevant data to a single server/host. The result is that the power of one attacker is magnified hundreds or thousands of times. Instead of the attack coming from one direction, as is the case in a normal DoS, it comes from thousands of directions at once.

Many people use the excuse, "I have nothing on my server anyone would want" to avoid having to consider security. More than once, authorities have shown up at the door of a dumbfounded server user asking questions about threats originating from their servers. By ignoring security, the owners have opened themselves up to a great liability.

Intrusion Attacks
To remotely use the resources of a target server, attackers must first look for an opening to exploit. In the absence of inside information such as passwords or encryption keys, they must scan the target server to see what services are offered. Perhaps one of the services is weakly secured and the attacker can use some known exploit to work his or her way in. A tool called nmap is generally considered the best way to scan a server for services (note that nmap is a tool for good and bad). Once the attacker has a list of the available services running on the target, he needs to find a way to trick one of those services into letting him have privileged access to the system. Usually this is done with a program called an exploit.

While DoS attacks are disruptive, intrusion type attacks are the most damaging. The reasons are varied, but the result is always the same: an uninvited guest is now taking up residence on your server and is using it in a way you have no control over.
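Both the request flood described under Denial of Service and the service scan that precedes an intrusion leave a recognisable pattern in a firewall log: one source hammering a single port, or one source touching many different ports. The script below is an added example (not part of the original article) that parses constructed iptables-style LOG lines and flags both patterns. The log lines, the addresses and the two thresholds are this example's own assumptions.

```python
"""Flag likely port scans and request floods in iptables-style LOG lines.

Added example, not from the original article. The log lines are constructed
and the thresholds are illustrative assumptions, not tuned values.
"""
import re
from collections import defaultdict

# Pulls the time of day, source address, protocol and destination port out
# of a line such as:
#   Jun  4 10:00:01 host kernel: IN=eth0 OUT= SRC=... DST=... PROTO=TCP SPT=... DPT=80
LINE_RE = re.compile(
    r"(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) .*?SRC=(?P<src>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

SCAN_DISTINCT_PORTS = 5   # assumption: >= 5 distinct ports from one source looks like a scan
FLOOD_PKTS_PER_SEC = 20   # assumption: >= 20 packets/s from one source looks like a flood


def _line(ts, src, proto, dpt, spt):
    """Build one constructed iptables LOG line (helper for the sample data)."""
    return (f"Jun  4 {ts} host kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 "
            f"PROTO={proto} SPT={spt} DPT={dpt}")


# Constructed sample log: two benign requests, one scan, one flood.
SAMPLE_LOG = [
    _line("10:00:01", "192.0.2.50", "TCP", 80, 51000),
    _line("10:00:03", "192.0.2.50", "TCP", 443, 51001),
] + [
    # one source probing six different service ports within a second
    _line("10:00:05", "198.51.100.7", "TCP", port, 40000 + i)
    for i, port in enumerate([21, 22, 23, 25, 80, 110])
] + [
    # 25 packets in one second at the web port from one source
    _line("10:00:07", "203.0.113.5", "TCP", 80, 30000 + i) for i in range(25)
]


def parse(lines):
    """Yield (seconds_of_day, src, proto, dpt) for each parsable line."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue   # not a firewall record; skip it
        secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        yield secs, m["src"], m["proto"], int(m["dpt"])


def analyse(lines):
    """Return {'scans': {src: n_ports}, 'floods': {src: peak_pkts_per_sec}}."""
    ports_by_src = defaultdict(set)     # distinct (proto, port) seen per source
    pkts_by_src_sec = defaultdict(int)  # packets per (source, second)
    for secs, src, proto, dpt in parse(lines):
        ports_by_src[src].add((proto, dpt))
        pkts_by_src_sec[(src, secs)] += 1

    scans = {src: len(p) for src, p in ports_by_src.items()
             if len(p) >= SCAN_DISTINCT_PORTS}

    peak = defaultdict(int)
    for (src, _), n in pkts_by_src_sec.items():
        peak[src] = max(peak[src], n)
    floods = {src: n for src, n in peak.items() if n >= FLOOD_PKTS_PER_SEC}
    return {"scans": scans, "floods": floods}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for src, n in hits.items():
            print(f"{kind[:-1]} suspected from {src} ({n})")
```

On a real host the same `analyse()` can be fed the output of `grep kernel: /var/log/messages` once the firewall has a LOG rule; the thresholds should be raised or lowered to fit normal traffic before anyone acts on the findings.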

TCP SYN Flooding
A TCP SYN flooding attack consumes your system resources until no more incoming TCP connections are possible. The attack makes use of the basic TCP three-way handshake protocol during connection establishment, in conjunction with IP address spoofing. The attacker spoofs his or her source address and initiates a connection to one of your TCP-based services. As a client attempting to open a TCP connection, the attacker sends you a SYN message. Your machine responds by sending an acknowledgment, a SYN-ACK. However, in this case the address you're replying to isn't the attacker's address. It's a nonexistent address. The final stage of the TCP connection establishment, receiving an ACK in response, will never happen. Consequently, finite network connection resources are consumed. The connection remains in a half-open state until the connection attempt times out. The hacker floods your port with connection requests faster than the TCP timeouts release the resources. If this continues, all resources will be in use and no more incoming connection requests can be accepted. If the target is your SMTP port, you can't receive email. If the target is your HTTP port, people can't connect to your site. Several aids are available to Linux users. The first is source address filtering, which filters out the most commonly used spoofed source addresses. The second is to compile your kernel with SYN cookies enabled; this is a specific retardant to SYN flooding (default in RedHat 6.0).
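The following is an added example, not from the original article, that models why the half-open state is the resource being exhausted and why SYN cookies help. A stateful listener keeps one backlog entry per SYN until the ACK arrives or the entry times out; a cookie listener instead encodes the connection into the initial sequence number as a keyed MAC and keeps no state at all, so spoofed SYNs cost it nothing. The backlog size, timeout, secret and cookie layout are simplified assumptions for the model, not the Linux implementation (which, among other differences, only switches to cookies once the backlog is full).

```python
"""Half-open backlog exhaustion versus SYN cookies, as a small model.

Added example, not from the original article. BACKLOG, TIMEOUT, the secret
and the cookie layout are assumptions chosen for illustration.
"""
import hashlib
import hmac

BACKLOG = 128   # assumption: half-open entries the listener can hold
TIMEOUT = 60    # assumption: seconds before a half-open entry is released


class StatefulListener:
    """Classic handshake: each SYN reserves a backlog entry until ACK or timeout."""

    def __init__(self):
        self.now = 0
        self.half_open = {}        # (src_ip, src_port) -> expiry time
        self.dropped = 0
        self.established = 0

    def tick(self, seconds):
        """Advance the clock and release entries whose timeout has passed."""
        self.now += seconds
        self.half_open = {k: t for k, t in self.half_open.items() if t > self.now}

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1      # backlog exhausted: the SYN is silently dropped
            return None
        self.half_open[(src_ip, src_port)] = self.now + TIMEOUT
        return 1000                # ISN value is irrelevant here; SYN-ACK goes out

    def on_ack(self, src_ip, src_port, ack_seq):
        if self.half_open.pop((src_ip, src_port), None) is None:
            return False           # no matching half-open entry
        self.established += 1
        return True


class CookieListener:
    """SYN cookies: the ISN is a MAC over the peer address, so no state is kept."""

    def __init__(self, secret=b"constructed-demo-secret"):
        self.secret = secret       # assumption: per-host secret (constructed value)
        self.now = 0
        self.established = 0

    def tick(self, seconds):
        self.now += seconds

    def _counter(self):
        return (self.now // 60) & 0xFF       # slowly increasing 8-bit time counter

    def _cookie(self, src_ip, src_port, counter):
        msg = f"{src_ip}:{src_port}:{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        # top byte: counter; low 24 bits: truncated MAC (simplified layout)
        return (counter << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, src_ip, src_port):
        return self._cookie(src_ip, src_port, self._counter())   # always answered

    def on_ack(self, src_ip, src_port, ack_seq):
        cookie = (ack_seq - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
        counter = cookie >> 24
        current = self._counter()
        if counter not in (current, (current - 1) & 0xFF):
            return False           # cookie too old, or forged counter
        if cookie != self._cookie(src_ip, src_port, counter):
            return False           # MAC mismatch: not a cookie we issued
        self.established += 1
        return True


def simulate(listener, spoofed_syns):
    """Flood with SYNs that are never acknowledged, then try one honest client."""
    for i in range(spoofed_syns):
        # spoofed sources: the SYN-ACK goes nowhere, so no ACK ever follows
        listener.on_syn(f"10.0.{i // 256}.{i % 256}", 1024 + i)
    isn = listener.on_syn("192.0.2.50", 50000)
    if isn is None:
        return False               # honest SYN dropped; the client never sees a SYN-ACK
    return listener.on_ack("192.0.2.50", 50000, isn + 1)


if __name__ == "__main__":
    print("stateful listener, 500 spoofed SYNs:", simulate(StatefulListener(), 500))
    print("SYN-cookie listener, 500 spoofed SYNs:", simulate(CookieListener(), 500))
```

The model also shows the weaker mitigation the article mentions: after `tick(TIMEOUT + 1)` the stateful listener recovers, which is only useful if the flood is slower than the timeout.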

Ping Flooding
Any message that elicits a response from your machine can be used to degrade your network connection by forcing the system to spend most of its time responding. The ICMP echo request message sent by ping is a common culprit. Additionally, an older exploit called the Ping of Death involved sending very large ping packets. Vulnerable systems could crash as a result. Linux is not vulnerable to this exploit, nor are many other current UNIX operating systems.

Ping is a very useful, basic networking tool, and you might not want to disable it altogether. In today's Internet environment, conservative folks recommend disabling incoming ping, or at least severely limiting whom you accept echo requests from. Because of ping's history of involvement in denial-of-service attacks, many sites no longer respond to external ping requests.

UDP Flooding
The UDP protocol is especially useful as a denial-of-service tool. Unlike TCP, UDP is stateless. Flow control mechanisms aren't included. There are no connection state flags. Datagram sequence numbers aren't used. No information is maintained on which packet is expected next. It's relatively easy to keep a system so busy responding to incoming UDP probes that no bandwidth is left for legitimate network traffic.

Because UDP services are inherently less secure than TCP services, many sites disable all UDP ports that aren't absolutely necessary. Almost all common Internet services are TCP-based.

ICMP Redirect Bombs
ICMP redirect (message type 5) tells the target system to change its routing tables in favor of a shorter route. If you run routed or gated and honor redirect messages, it's possible for a hacker to fool your system into thinking that the hacker's machine is one of your local machines or one of your ISP's machines, or even fool your system into forwarding all traffic to some other remote host.
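Several of the mitigations above (source address filtering and SYN cookies for SYN flooding, refusing echo requests for ping flooding, ignoring redirects for ICMP redirect bombs) are kernel settings on a Linux server. The script below is an added example, not from the original article, that compares the live values under /proc/sys with a recommended set and prints the lines to add to /etc/sysctl.conf. The key names are real Linux sysctls; the recommended values, the constructed snapshot and the `--live` flag are this example's assumptions, and treating `icmp_echo_ignore_all` as a finding is the policy choice the text leaves to you.

```python
"""Audit Linux sysctl settings behind the mitigations discussed in the article.

Added example, not from the original article. Key names are real sysctls;
the recommended values and the snapshot below are assumptions.
"""
import sys
from pathlib import Path

# key -> (recommended value, which section of the article it addresses)
RECOMMENDED = {
    "net.ipv4.tcp_syncookies": ("1", "TCP SYN flooding: stateless SYN handling"),
    "net.ipv4.conf.all.rp_filter": ("1", "TCP SYN flooding: source address filtering"),
    "net.ipv4.icmp_echo_ignore_broadcasts": ("1", "Ping flooding: ignore broadcast pings"),
    "net.ipv4.icmp_echo_ignore_all": ("1", "Ping flooding: policy choice, drops all pings"),
    "net.ipv4.conf.all.accept_redirects": ("0", "ICMP redirect bombs: ignore redirects"),
    "net.ipv4.conf.all.secure_redirects": ("0", "ICMP redirect bombs: ignore gateway redirects too"),
    "net.ipv4.conf.all.send_redirects": ("0", "ICMP redirect bombs: never emit redirects"),
}
# Caveat: the conf.all keys alone do not override every interface; conf.default
# and per-interface keys (net.ipv4.conf.eth0.*) exist and may need the same values.


def read_live_settings(root="/proc/sys"):
    """Read each key's current value from /proc/sys (missing or unreadable -> None)."""
    values = {}
    for key in RECOMMENDED:
        path = Path(root, *key.split("."))
        try:
            values[key] = path.read_text().strip()
        except OSError:
            values[key] = None
    return values


def audit(current):
    """Compare a {key: value} mapping against RECOMMENDED; return a list of findings."""
    findings = []
    for key, (want, why) in RECOMMENDED.items():
        have = current.get(key)
        if have != want:
            findings.append({"key": key, "have": have, "want": want, "why": why})
    return findings


def sysctl_conf(findings):
    """Render findings as lines suitable for /etc/sysctl.conf."""
    return "\n".join(f"{f['key']} = {f['want']}" for f in findings)


# Constructed snapshot of a typical unhardened server (not taken from a real host)
CONSTRUCTED_SNAPSHOT = {
    "net.ipv4.tcp_syncookies": "0",
    "net.ipv4.conf.all.rp_filter": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_echo_ignore_all": "0",
    "net.ipv4.conf.all.accept_redirects": "1",
    "net.ipv4.conf.all.secure_redirects": "1",
    "net.ipv4.conf.all.send_redirects": "1",
}

if __name__ == "__main__":
    # Pass --live (assumed flag) to audit this host instead of the snapshot.
    current = read_live_settings() if "--live" in sys.argv else CONSTRUCTED_SNAPSHOT
    problems = audit(current)
    for f in problems:
        print(f"{f['key']}: have {f['have']}, want {f['want']}  ({f['why']})")
    if problems:
        print("\n# suggested additions to /etc/sysctl.conf\n" + sysctl_conf(problems))
```

After editing /etc/sysctl.conf the values take effect with `sysctl -p`; the UDP advice in the article (closing ports that aren't needed) is a firewall matter rather than a sysctl and is deliberately not covered here.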

NOTE:
Our Linux certified engineers are ready to help secure, harden, and optimize your server. Sign up for the ServerTune Plan to put your server in perfect working condition. If you have any questions, please don't hesitate to send a message to
