
Common Network Attacks

David J. Marchette
dmarchette@gmail.com

Common Network Attacks – p.1/96
Outline

Some Common Attacks
SHADOW
EMERALD
ADAM
Utilities

Terminology

Active. Requires action on the part of the person or system to gather information.
Passive. Relies on information gathered without any action (e.g. without sending any packets).
Fingerprinting. Determining the Operating System of a machine by investigating packets/responses from the machine.

Terminology

Stateful. A system (intrusion detection, firewall, etc) is stateful if it retains information about the state of TCP sessions.

References

Northcutt, Network Intrusion Detection: An Analyst’s Handbook.
www.nswc.navy.mil/ISSEC/CID
www.sans.org
www.cert.org

Outline of an Attack

Find out what machines are on the net: IP scan.
Find out what OS/version they are running: Fingerprinting.
Find out what services they are running: Portscan.
Attack the vulnerable.

Comments on Attack Outline

Not all attacks follow all these steps.
Some attacks skip all of them (denial of service).
Attacks that follow the pattern are usually trivial to detect.
Attacks that follow the pattern sometimes still succeed! Even when the pattern has been detected!

Attack Types

Denial of Service (DOS).
Probes and Network Mapping.
Fingerprinting.
TCP Hijacking.
Other ways to gain access.

DOS: Land Attack

A single packet attack.
A packet is sent with both the source and destination IP address set to the target machine.
Locks up the machine (only works on older systems).
Note: This, like most attacks, requires the attacker to carefully craft packets.
This attack only worked because of a bug in the IP stack of some operating systems.

DOS: Ping of Death

Another single packet attack.
A ping (ICMP echo request) is sent to the target machine with an illegally long payload (greater than 64K).
Locks up the machine (only works on older systems).
Note: some versions of ping allowed one to do this. So novices could use this attack without any coding skills.

DOS: Teardrop

Another single packet attack.
A UDP packet is sent fragmented, with the fragments overlapping.
Locks up the machine (only works on older systems).

More Attacks with Fragments

Suppose a TCP packet has been fragmented, and the attacker knows the IP ID.
The attacker can send new fragments with the same IP ID, overwriting the legitimate data.
The TCP header is left alone, so it is a legitimate packet as far as the receiving computer knows.
The attacker must take care that the checksum is correct.

DOS: UDP Storm

Another single packet attack, in principle.
Was the “attack-du-jour” for a while in 1999.
A UDP packet is sent with:
  Source IP victim1.
  Destination IP victim2.
  Source port 7 (echo).
  Destination port 19 (chargen).
Causes the two victim machines to “attack” each other.

Notes on “Old Attacks”

These attacks “only work on older systems”.
This does not mean they will never work again.
These take advantage of errors (bugs) in the programming of the operating systems. This illustrates the basic idea of many attacks: find an error and exploit it.

Notes on “Old Attacks”

Note that code reuse and poor programming habits can make some old attacks viable again.
How might one have designed a system that would detect the above attacks before they were known?
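One way to answer that question, as an added example that is not part of the slides: a few stateless sanity checks (a packet can never legitimately be addressed to itself, exceed 65535 bytes after reassembly, or loop echo into chargen) plus a small fragment tracker that catches the overlapping fragments of Teardrop and the fragment-overwrite trick. The record layout and the sample packets are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Header fields the checks below need. Field names are constructed for this
# example; they are not a tcpdump or SHADOW record format.
@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp" or "icmp"
    ip_id: int = 0
    frag_offset: int = 0       # byte offset of this fragment (IP offset field * 8)
    more_frags: bool = False   # IP "more fragments" flag
    length: int = 0            # bytes of data carried by this packet/fragment
    sport: int = 0
    dport: int = 0

MAX_IP_DATAGRAM = 65535        # IP total length is a 16-bit field

def check_packet(p: Packet) -> List[str]:
    """Stateless checks: each one flags a packet that can never be legitimate."""
    findings = []
    # Land: a host never sends itself a packet over the wire.
    if p.src == p.dst:
        findings.append("land: source address equals destination address")
    # Ping of Death: no fragment may push the reassembled datagram past 64K.
    if p.frag_offset + p.length > MAX_IP_DATAGRAM:
        findings.append("ping-of-death: reassembled datagram exceeds 65535 bytes")
    # UDP storm: echo (7) talking to chargen (19) loops forever.
    if p.proto == "udp" and {p.sport, p.dport} == {7, 19}:
        findings.append("udp-storm: echo/chargen port pair")
    return findings

class FragmentTracker:
    """Remembers the byte ranges seen for each (src, dst, IP ID) so that a later
    fragment overlapping an earlier one (Teardrop, fragment overwrite) is caught."""

    def __init__(self) -> None:
        self.ranges: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = {}

    def check(self, p: Packet) -> List[str]:
        if not (p.more_frags or p.frag_offset):
            return []                      # not a fragment, nothing to track
        key = (p.src, p.dst, p.ip_id)
        start, end = p.frag_offset, p.frag_offset + p.length
        findings = []
        for s, e in self.ranges.get(key, []):
            if start < e and s < end:      # byte ranges intersect
                findings.append(f"overlapping-fragment: IP ID {p.ip_id} bytes {start}-{end} overlap {s}-{e}")
                break
        self.ranges.setdefault(key, []).append((start, end))
        return findings

def scan(packets: List[Packet]) -> List[Tuple[str, str, List[str]]]:
    """Run every check over a packet stream; returns (src, dst, findings) per flagged packet."""
    tracker = FragmentTracker()
    report = []
    for p in packets:
        findings = check_packet(p) + tracker.check(p)
        if findings:
            report.append((p.src, p.dst, findings))
    return report

# Constructed sample stream: one benign packet and one instance of each attack.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", sport=40000, dport=80),                        # benign SYN
    Packet("10.0.0.80", "10.0.0.80", "tcp", sport=139, dport=139),                        # Land
    Packet("198.51.100.9", "10.0.0.80", "icmp", ip_id=7, frag_offset=65528, length=100),  # Ping of Death
    Packet("198.51.100.9", "10.0.0.80", "udp", ip_id=42, frag_offset=0, more_frags=True, length=36),
    Packet("198.51.100.9", "10.0.0.80", "udp", ip_id=42, frag_offset=24, length=36),      # Teardrop overlap
    Packet("10.0.0.10", "10.0.0.11", "udp", sport=7, dport=19),                           # UDP storm trigger
]

if __name__ == "__main__":
    for src, dst, findings in scan(SAMPLE):
        print(f"{src} -> {dst}: {'; '.join(findings)}")
```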

DOS: SYN Flood

Send a lot of SYN packets to the target.
These start half-open connections.
If enough connections are started before they start to time out, the connection table can fill up.
The machine crashes, or cannot service legitimate connections.

DOS: SYN Flood

Note that the packets needn’t have the source address of the attacker. In fact, they should have an unreachable source to ensure that the SYN/ACKs are never answered.
In actual implementations, the attack usually does not use unreachable sources, but rather selects the sources at random (or arbitrarily).

DOS: Process Table

Similar to the SYN flood. Initiate a lot of TCP connections.
Requires an application that will accept the connections.
Each connection forks a process. If enough connections are forked the process table fills up.

DOS: Process Table Notes

Note that the attacker must appear in the source IP address, since it must answer the SYN/ACKs. But if it’s clever, it need not fork any processes.
This is a good attack to implement as a distributed denial of service. By using many compromised computers, the attacker hides his identity while multiplying the effectiveness of the attack.

DOS: Targa3

Send a lot of malformed packets:
  Invalid fragmentation, protocol, packet size, or IP header values;
  Invalid options;
  Invalid TCP segments;
  Invalid routing flags.
These either crash the system, or use up resources while dealing with the strange packets.

DOS: Targa3 Notes

The attacker need not appear in the source IP, since it doesn’t need to handle any responses.
There need be no particular pattern to the malformed packets. However, patterns in these might provide a way to fingerprint the attack software.

DOS: Smurf

Send a lot of ping packets (echo requests) to an intermediary network with the victim as source IP.
These all generate echo replies, which all get sent to the victim.
Using broadcast (255) greatly magnifies the effect (assuming the intermediary network doesn’t ignore broadcasts).

DOS: Smurf Picture

[Figure: Attacker sends ICMP echo requests into the intermediary network 172.16.x.x. From: Target (spoofed). To: 172.16.255.255.]

DOS: Smurf Picture

[Figure: ICMP echo replies from 1000s of machines on the intermediary network 172.16.x.x are sent to the Target.]

DOS: Smurf Picture

[Figure: Target goes down under the flood. Note: Attacker is invisible to the target.]
DOS: Syslogd

There are innumerable attacks that utilize a bug in an application.
Old versions of the syslogd daemon on Solaris would crash if sent a packet from a source with no DNS entry.
Who would let a syslog packet in from outside the firewall anyway? This attack is from the good old days, before firewalls were common.

DOS Notes

There are two generic types of denial of service attacks:
  Ones in which the attacker takes an active (and detectable) part.
  Spoofing attacks, where the attacker does not show up on the packets sent to the victim.
How can one determine who the attacker is?
How does one stop such attacks?

Network Mapping

How do you find a victim to attack?
Some are well known: ebay, amazon, Microsoft, etc.
Sometimes the attacker is after a specific individual/organization.
Even if you know you want to attack Widgets-R-Us, how do you decide which machines are vulnerable?
One answer is to scan/map the network.

Network Mapping Light

ping 10.10.255.255.
If this works, every machine on 10.10.xxx.xxx will respond.
It probably won’t work.
Many organizations don’t allow broadcast packets through their firewalls.
If it did work, it would probably flood your machine, and produce a denial of service against yourself!

Network Mapping the Hard Way

ping 10.10.1.1.
ping 10.10.1.2.
ping 10.10.1.3. · · ·
Can be automated, and will work, assuming it isn’t blocked by a firewall.
It is extremely easy to detect.
It can take a while to go through all the possible addresses.
To this day people (script kiddies) will do this.

Stealthy Network Mapping

There are several ways to make the mapping harder to detect:
1. Use packets that people expect to see, and will ignore (echo requests used to work here).
2. Use packets that are not normally logged. (example: TCP SYN/ACK)
3. Randomizing the IPs scanned.
4. Spreading out the timing (low and slow scans).
5. Using multiple source IPs.

Stealthy Network Mapping

6. Using different packets for the scan (some icmp, some udp, etc.).
7. Only scan a subset of the network.

Inverse Mapping
Uses the Internet error mechanism to the attacker’s advantage.
Example:
  Send a TCP packet with the RESET flag set.
  If the packet reaches its destination, the packet is dropped.
  If the final router cannot deliver the packet, it sends back a “host unreachable” (ICMP) error message.
The packets that don’t generate a response went to machines that exist.

Inverse Mapping Example
[Figure: Attacker A sends RESET packets to addresses V1 through V6.]
Inverse Mapping Example
[Figure: Router sends Host Unreachable responses back to A.]
Inverse Mapping Example
[Figure: Attacker knows the victim’s machines (those of V1 through V6 that produced no response).]
Inverse Mapping Notes

The attacker knows nothing about the machines on the victim’s network except which ones are there.
The victim’s machines each receive a single RESET packet.
Intrusion detection systems often ignore RESET packets.
RESET packets happen all the time, and unless one has a stateful system, one cannot tell if a single RESET packet is normal.
Even stateful firewalls may have time-outs that are short relative to the times observed in real networks, and may flag normal RESETs (hence may be ignored).

Inverse Mapping Notes

Look for many RESET packets from the same machine to many machines.
Drop RESET packets without a response if they are to IP addresses that aren’t populated.
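An added example (not part of the slides) of the stateful view these notes and the SYN flood slides call for: a tracker that remembers which connections it has seen a SYN for, so it can count half-open connections per server (the SYN flood) and tell a RST on a known connection from an unsolicited one sent to many hosts (inverse mapping). The segment record, the thresholds and the sample traffic are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import DefaultDict, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # TCP flags in tcpdump letters: "S", "SA", "A", "R", "RA", ...

Conn = Tuple[str, str, int, int]   # (client, server, client port, server port)

class TcpTracker:
    """Keeps just enough TCP state to separate normal RSTs from unsolicited ones
    and to count half-open connections per server. Thresholds are illustrative."""

    def __init__(self, half_open_limit: int = 50, rst_fanout_limit: int = 10) -> None:
        self.half_open_limit = half_open_limit
        self.rst_fanout_limit = rst_fanout_limit
        self.state: Dict[Conn, str] = {}                                  # "half-open" | "established"
        self.half_open: DefaultDict[str, Set[Conn]] = defaultdict(set)     # server -> half-open conns
        self.rst_targets: DefaultDict[str, Set[str]] = defaultdict(set)    # src -> hosts it RST'ed unsolicited

    def feed(self, s: Segment) -> List[str]:
        alerts: List[str] = []
        fwd: Conn = (s.src, s.dst, s.sport, s.dport)
        rev: Conn = (s.dst, s.src, s.dport, s.sport)

        if s.flags == "S":
            # A new SYN opens a half-open entry against the server.
            self.state[fwd] = "half-open"
            self.half_open[s.dst].add(fwd)
            if len(self.half_open[s.dst]) == self.half_open_limit:
                alerts.append(f"syn-flood: {self.half_open_limit} half-open connections to {s.dst}")
        elif s.flags == "SA":
            pass   # server's SYN/ACK; the entry stays half-open until the client's ACK
        elif s.flags == "A" and self.state.get(fwd) == "half-open":
            # Third packet of the handshake: the connection is now established.
            self.state[fwd] = "established"
            self.half_open[s.dst].discard(fwd)
        elif "R" in s.flags:
            if fwd in self.state or rev in self.state:
                # RST belonging to a connection we saw the SYN for: ordinary teardown.
                conn = fwd if fwd in self.state else rev
                self.half_open[conn[1]].discard(conn)
                del self.state[conn]
            else:
                # RST with no SYN ever seen: exactly what an inverse-mapping sweep sends.
                self.rst_targets[s.src].add(s.dst)
                if len(self.rst_targets[s.src]) == self.rst_fanout_limit:
                    alerts.append(f"inverse-mapping: {s.src} sent unsolicited RSTs to {self.rst_fanout_limit} hosts")
        return alerts

def analyze(segments: List[Segment], **limits: int) -> List[str]:
    """Feed a capture through one tracker and collect its alerts in order."""
    tracker = TcpTracker(**limits)
    alerts: List[str] = []
    for seg in segments:
        alerts.extend(tracker.feed(seg))
    return alerts

def build_sample() -> List[Segment]:
    """Constructed traffic: one complete handshake and teardown, a spoofed SYN flood
    that never completes, and a single host RST-sweeping twelve addresses."""
    segs = [
        Segment("10.0.0.5", "10.0.0.80", 40000, 80, "S"),
        Segment("10.0.0.80", "10.0.0.5", 80, 40000, "SA"),
        Segment("10.0.0.5", "10.0.0.80", 40000, 80, "A"),
        Segment("10.0.0.80", "10.0.0.5", 80, 40000, "R"),    # normal RST, not unsolicited
    ]
    # 60 SYNs from arbitrary sources; the SYN/ACKs go nowhere, so no ACK ever arrives.
    segs += [Segment(f"203.0.113.{i}", "10.0.0.80", 1024 + i, 80, "S") for i in range(1, 61)]
    # One host sends one RST each to 12 addresses it has no session with.
    segs += [Segment("198.51.100.7", f"10.0.0.{i}", 6000, 80, "R") for i in range(1, 13)]
    return segs

if __name__ == "__main__":
    for alert in analyze(build_sample()):
        print(alert)
```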

Port Mapping

The attacker is looking for specific services.
There are several variations:
  Brute force: scan all 65,536 ports (UDP and TCP).
  Be selective: scan for a few services such as ssh, telnet, ftp, web, etc.
  Be very selective: scan for a single service.

Port Mapping

Sometimes this is done by a program, such as a trojan or worm.
Once a machine is found running a given service, that information is retained for future targeting.
Brute force is easy to detect.
To detect slow scans you need to study how often machines normally send packets to closed ports.

Stealthy Port Mapping

One way to avoid getting caught at port mapping is to make sure your IP address does not appear in the packet.
This seems problematic however: how do you find out if the port is open?
Recall that if the port is open, a SYN/ACK is sent in response to a SYN.
If it is closed, a RST is sent.
Note also that if an unsolicited SYN/ACK packet is received, a RST packet is sent, while unsolicited RST packets are ignored.

Patsies (Idle Scan)

Suppose you can find a computer that increments its IP ID number in a predictable manner. Call this machine Patsy.
You want to determine if another machine, Victim, has a particular port open, port P.
Start pinging Patsy (ICMP echo requests, for example). Each reply shows the IP ID incremented.
Send a SYN packet to port P on Victim, with Patsy as the source.
If the port is open, a SYN/ACK is sent to Patsy, Patsy sends a RST, and you observe a skip in the IP ID in your ping stream.
If the port is closed, a RST is sent to Patsy, and there is no skip in IP IDs.

What to do about Patsies

“The good neighbor” approach: don’t be a patsy:
  Make your IP ID unpredictable.
  This can be done by adding a (small) random number to the IP ID instead of incrementing it.
The “don’t be a victim” approach:
  Change the TCP stack so that when a SYN is received at a closed port, you send a RST followed by an ACK.
  The ACK packet will generate the RST that increments the IP ID.
Note: firewalls can’t help, since the whole point is that closed ports don’t cause an effect.

Downsides

“The good neighbor” approach requires everyone to change, which can be a problem, especially with entrenched systems.
The “don’t be a victim” approach adds packets, and thus decreases efficiency.
A combination of the two is what we have, and is probably the best.

Fingerprinting (Active)

Fingerprinting uses the fact that implementations are free to make choices about how to react to certain types of packets (e.g. improperly formed ones).
The idea is to send a series of crafted packets, and see what the response is.
Based on the responses to the packets, a determination can be made as to the operating system of the target.

Fingerprinting (Active)

This is used by attackers to determine the best attack to use.
System admins use this to see if machines meet their accreditation specs.
This assumes the target system hasn’t been modified to simulate another OS.
It is not perfect, but most active fingerprinting programs are pretty good.

Fingerprinting (Passive)

Operating systems also make choices when they send packets out.
For example:
  Initial Time-to-live value.
  Source port range.
  Sequence number generation algorithm.
  Options.
  DF flag set?
  Type of Service.
  Window Size.

Fingerprinting (Passive)

These can, to some extent, be used to determine the operating system of a machine passively.
No packets need be sent to the machine, so there is no way to tell if you have been (passively) fingerprinted.
This is truly a statistical problem.

A Comment about TTL

Note that you never see the TTL value set by the remote machine.
You see the TTL decremented by an unknown number of routers.
So, you observe T − δ where T is the original TTL and δ is a random positive integer.

A Comment about Source Ports

Different operating systems/applications choose different source port ranges.
However, for any session, you only see one source port.
Thus, source port range is only useful over a long time.
How do you estimate the source port range?
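An added example, not from the slides, for the two questions the TTL and source-port slides raise: the sensor sees T − δ, so the code guesses T as the smallest common initial TTL at or above the largest observed value (a longer path from a larger T would look the same, which is the caveat), and it only reports a source port range once several sessions from the same host have been seen. The 32/64/128/255 table and the sample observations are assumptions made for this example, not p0f's database.

```python
from collections import defaultdict
from typing import DefaultDict, Dict, List, Optional, Tuple

# Initial TTLs that common stacks start from (Linux defaults to 64, Windows to 128).
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def infer_initial_ttl(observed: int) -> Tuple[int, int]:
    """Given the TTL seen on the wire, return (T, delta) with observed = T - delta,
    assuming the sender started from the smallest common initial TTL >= observed.
    A longer path from a larger T would look identical, so this is an estimate."""
    if not 0 < observed <= 255:
        raise ValueError("TTL must be in 1..255")
    for t in COMMON_INITIAL_TTLS:
        if observed <= t:
            return t, t - observed
    raise AssertionError("unreachable: 255 is the largest initial TTL")

class PassiveProfiler:
    """Accumulates what a sensor can see in SYN packets from each source host."""

    def __init__(self) -> None:
        self.ttls: DefaultDict[str, List[int]] = defaultdict(list)
        self.sports: DefaultDict[str, List[int]] = defaultdict(list)

    def observe(self, src: str, ttl: int, sport: int) -> None:
        self.ttls[src].append(ttl)
        self.sports[src].append(sport)

    def profile(self, src: str, min_sessions: int = 5) -> Optional[Dict[str, object]]:
        ttls, ports = self.ttls.get(src), self.sports.get(src)
        if not ttls or not ports:
            return None
        # Paths vary, so delta varies; the largest TTL seen is the shortest path
        # observed and gives the most conservative hop estimate.
        initial, hops = infer_initial_ttl(max(ttls))
        return {
            "initial_ttl": initial,
            "min_hops": hops,
            "sessions": len(ports),
            # One session shows one port; a range only emerges over many sessions.
            "sport_range": (min(ports), max(ports)) if len(ports) >= min_sessions else None,
        }

def build_profiler() -> PassiveProfiler:
    """Constructed SYN observations: (observed TTL, source port) per source host."""
    p = PassiveProfiler()
    for ttl, sport in [(59, 32770), (59, 40011), (58, 51234), (59, 60999), (59, 33333), (59, 45678)]:
        p.observe("10.0.0.9", ttl, sport)
    for ttl, sport in [(116, 1030), (116, 1041)]:
        p.observe("203.0.113.4", ttl, sport)
    return p

if __name__ == "__main__":
    prof = build_profiler()
    for host in ("10.0.0.9", "203.0.113.4"):
        print(host, prof.profile(host))
```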

TCP Hijacking

Made famous by Kevin Mitnick.
Uses a quirk of TCP sessions to allow an attacker to take over a session between two computers.
Relies on information gathered about the machines by the attacker.
Relies on sequence number algorithms that are easy to predict. For example: use the next number in the sequence, or add 1007 to the previous sequence number.

TCP Hijacking Setup

Setup: Machine A and machine B have a trust relationship, allowing machine B to log into machine A without requiring a password.
Attacker must first determine the sequence number algorithm machine A uses.
This can be accomplished by sending a bunch of SYN packets to A and seeing what the responding sequence numbers look like. If these are predictable, then the hijacking has a chance.

TCP Hijacking Details

Attacker SYN floods machine B to make sure it doesn’t respond to anything from A.
Attacker sends a SYN packet to A spoofed to appear to be from B.
A responds to B with a SYN/ACK.
Attacker then sends an ACK packet with the correct (inferred) acknowledgment number. A thinks this is part of the session and proceeds as if it were talking to B.

TCP Hijacking Details

The attacker could in principle carry on this hijacked session as if it were a real session.
Instead, the attacker sends the commands to put “++” in the .rhosts file.
This makes the victim trust everyone, and the attacker can now access the machine remotely.

TCP Hijacking Example

[Figure: Machine A, Machine B and the Attacker. Attacker sends SYN packets to A to determine its sequence number generator.]
TCP Hijacking Example

[Figure: Attacker SYN floods Machine B.]


TCP Hijacking Example

[Figure: Machine B goes down.]


TCP Hijacking Example

[Figure: Attacker sends SYN packet to A spoofed as if from B.]
TCP Hijacking Example

[Figure: A sends SYN/ACK to B, which is ignored since B is down.]
TCP Hijacking Example

[Figure: Attacker sends ACK packet to A completing the handshake.]
TCP Hijacking Example

[Figure: A thinks it has an open session with a trusted machine.]
TCP Hijacking Example

[Figure: With B still down (X), the Attacker sends echo “++” > .rhosts to A. Attacker sets A to trust his machine.]


Stopping Hijacking

Don’t be trusting.
Use a hard to predict sequence number generator.
Watch for sequence number guessing attempts.
Block all access to attackers at the firewall (if it SYN floods, block it).
This last is potentially dangerous (what if the SYN flood appears to come from your ISP?).

Are Sequence Numbers Predictable?

[Plot: s_{i+1} − s_i (x axis, y[,1], −2e+09 to 4e+09) versus s_{i+2} − s_{i+1} (y axis, y[,2], −3e+09 to 2e+09).]

Are Sequence Numbers Predictable?

[Plot: s_{i+1} − s_i (x axis, y[,1], −4e+09 to 2e+09) versus s_{i+2} − s_{i+1} (y axis, y[,2], −3e+09 to 2e+09).]

Are Sequence Numbers Predictable?

[Plot: s_{i+1} − s_i (x axis, y[,1], −2e+09 to 4e+09) versus s_{i+2} − s_{i+1} (y axis, y[,2], −2e+09 to 4e+09).]
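Computing what these plots show, as an added example that is not part of the slides: the increments s_{i+1} − s_i (modulo 2^32, so a wrap is not mistaken for a huge jump) and the lag pairs (s_{i+1} − s_i, s_{i+2} − s_{i+1}), applied to the six initial sequence numbers from the nmap run later in the slides and to a constructed random-looking series. The predictability measure is my own rough one, not nmap's Difficulty index.

```python
from typing import Dict, List, Tuple

MOD = 1 << 32   # TCP sequence numbers are 32-bit and wrap around

# Initial sequence numbers from the nmap run shown later in the slides.
NMAP_ISNS = [0x799148C0, 0x799229C0, 0x799339A0, 0x79943580, 0x79952B20, 0x79961440]

# Constructed comparison series, of the kind a randomised ISN generator produces.
RANDOMISH_ISNS = [0x1F3A9C21, 0xC04D7E88, 0x5A1B03F0, 0x9E77AD12, 0x2C9F4461, 0xE53B1D9A]

def to_signed(d: int) -> int:
    """Map a mod-2^32 difference into [-2^31, 2^31) so it plots like the y[,1]/y[,2] axes."""
    return d - MOD if d >= MOD // 2 else d

def deltas(isns: List[int]) -> List[int]:
    """s_{i+1} - s_i for consecutive ISNs, reduced modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]

def lag_pairs(isns: List[int]) -> List[Tuple[int, int]]:
    """The (s_{i+1} - s_i, s_{i+2} - s_{i+1}) points the slides plot."""
    d = [to_signed(x) for x in deltas(isns)]
    return list(zip(d, d[1:]))

def predictability(isns: List[int]) -> Dict[str, float]:
    """Crude measure (mine, not nmap's Difficulty): if the increments stay inside a
    band of width `spread`, the next ISN is confined to spread+1 of the 2^32 values."""
    d = deltas(isns)
    spread = max(d) - min(d)
    return {
        "mean_delta": sum(d) / len(d),
        "spread": spread,
        "fraction_of_space": (spread + 1) / MOD,
    }

def looks_predictable(isns: List[int], max_fraction: float = 1e-3) -> bool:
    """True when successive ISNs stay inside a tiny slice of the sequence space,
    which is the property the hijacking attack needs and a generator must avoid."""
    return predictability(isns)["fraction_of_space"] < max_fraction

if __name__ == "__main__":
    for name, series in (("nmap sample", NMAP_ISNS), ("random-like", RANDOMISH_ISNS)):
        print(name, deltas(series), predictability(series), looks_predictable(series))
```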

SHADOW

Secondary Heuristic Analysis for Defensive Online Warfare
Guess which came first, the acronym or the name.
Uses a tcpdump sensor outside (and/or inside) a firewall to collect all the packet headers within one hour.
Sensor files transferred each hour (via SSH) to an analysis station.

SHADOW

Headers filtered with tcpdump filters and perl scripts and sent to a web page.
Analyst reviews the web page and reports attacks or suspicious activity.
Includes ability to search past data, do whois lookups, and nmap machines.

SHADOW
Collects some statistics on traffic.
Newest version allows some reduction:
  10.10.10.31 -> 192.78.[1-255].[1-78].22
  10.10.10.31 -> 192.78.8.52.[0-65535]
Automates some of the tedium of generating reports.
Relies on the analyst for all decisions.
Not “real time”. Always at least 1 hour after the fact. Does not take any action. Purely a monitoring system.

Typical SHADOW Installation

[Figure: Internet, Sensor, Firewall, Internal Network and Analysis station.]

SHADOW Advantages
It’s free.
It is easily configurable to one’s network.
It looks at all the traffic (headers) coming in or going out of the network.
Simple web interface for the analyst.
SANS has many classes that are based around the SHADOW idea.
Quickly points out misconfigurations on your network.
Supports multiple sensors.

SHADOW Disadvantages

No support. You are on your own.
Not “real time”.
Does not look at content, hence many attacks are not detectable. However, one can easily add a snort sensor alongside the tcpdump.
You MUST know your network well in order to use this well (some would call this an advantage).

SHADOW Disadvantages

Since no processing is done on the sensor, the transfer of the data can impact the network, unless a subnet is used between the sensor and the analysis station.

EMERALD

Event Monitoring Enabling Responses to Live Disturbances.
Environment for scalable, distributed ID and network monitoring.
Hierarchical model, highly modular.
Employs anomaly detection engines ut'ilizing probabilistic models of normal, attack and anomalous behavior.

EMERALD

Three basic levels of processing:
  Service Monitors.
  Domain Monitors.
  Enterprise-wide Monitors.

EMERALD Monitors

Four computational units:
  Signature based IDS.
  Statistical profiling/anomaly detection.
  Resolver, for fusing alerts, responding to attacks, and communicating to other monitors.
  Resource object, for configuration management.

EMERALD Monitors

These tend to be stand-alone and self contained.
May be passive (reading logs, monitoring network) or active (scanning and probing).

Signature Engine

Analogous to a set of SHADOW filters or snort ruleset.
Utilizes a set of rules defining a signature of a known attack.
Can be configured individually to the situation.

Profiler

Statistical anomaly detector.
Uses NIDES (next-generation intrusion detection expert system) to statistically profile the network or host.
Allows the detection of new attacks, since they presumably look “different” than normal traffic.

Resolver

Coordinator between the other monitors and IDS systems.
Correlates results from profiler and signature engine.
Communicates detections to higher levels in the hierarchy.

Resource Object

Contains all the information about data feeds, rule sets, etc.
Essentially the configuration mechanism for the module.

Service Monitors

Lowest level of the hierarchy.
Individual ID systems or sensors.
Host-based IDS or network monitors for small networks.
Communicate to the domain monitors, and to other service monitors.

Domain Monitors

Correlate the results from the Service Monitors.
Same basic components as the Service Monitors.
Provide an overall picture of the health of the site.
Look for higher level correlations that are not visible at the lower level.

Enterprise Monitors

Correlate the results from the Domain Monitors.
Same basic components as the Service Monitors.
Provide an overall picture of the health of the entire organization, across several sites.
Look for network-wide threats like worms, distributed attacks, etc.

ADAM

Audit Data Analysis and Mining, GMU.
Network based anomaly detector.
TCP/IP monitor, looks for DOS, scans.
Data mining: mining association rules.

Association Rules

An association rule is a way of expressing a relationship of the form “If A then B”, written as A → B.
Given a data set X, look for patterns where:
  A and B both occur together.
  A → B has support s if they occur s% of the time.
  A → B has confidence c if c% of the times that A occurs, B does as well.

Association Rules

This provides a way of encoding patterns.
These association rules are “learned” from the data.

ADAM Processing

Three modules:
  Preprocessing engine.
  Data Mining (rule set extraction) engine.
  Classification Engine.
Involves a training phase and a detection phase.

ADAM Processing

Looks for “static” rules: things that have high support in the whole data set. Global patterns.
Also looks for “dynamic” rules: uses a sliding window to look for local patterns.
Uses header fields:
  Time.
  Source/Destination IP.
  Source/Destination port.
  TCP flags.
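A worked example of the association-rule definitions and of the static/dynamic distinction above, added here and not ADAM's own code: support and confidence for single-item rules A → B over constructed connection records built from the header fields listed, mined once over the whole data set (static rules) and once per sliding window (dynamic rules). The records are arranged so that one host contacting many ports is too rare to be a global rule but dominates the last windows.

```python
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

Record = FrozenSet[str]        # a connection as a set of "field=value" items
Rule = Tuple[str, str]         # (A, B) meaning A -> B

def support(records: List[Record], items: FrozenSet[str]) -> float:
    """Fraction of records that contain every item in `items`."""
    return sum(1 for r in records if items <= r) / len(records)

def confidence(records: List[Record], a: str, b: str) -> float:
    """Of the records containing A, the fraction that also contain B."""
    sa = support(records, frozenset([a]))
    return support(records, frozenset([a, b])) / sa if sa else 0.0

def mine_rules(records: List[Record], min_support: float, min_confidence: float) -> Dict[Rule, Tuple[float, float]]:
    """Single-item rules A -> B with support >= min_support and confidence >= min_confidence."""
    items = sorted(set().union(*records))
    rules: Dict[Rule, Tuple[float, float]] = {}
    for a in items:
        for b in items:
            if a == b:
                continue
            s = support(records, frozenset([a, b]))
            if s < min_support:
                continue
            c = confidence(records, a, b)
            if c >= min_confidence:
                rules[(a, b)] = (s, c)
    return rules

def dynamic_rules(records: List[Record], window: int, min_support: float,
                  min_confidence: float, local_support: float) -> Dict[Rule, List[int]]:
    """Rules that are strong inside some sliding window of `window` records but
    too weak over the whole data set to be a static rule: local patterns.
    Returns rule -> list of window start offsets where it appeared."""
    found: Dict[Rule, List[int]] = defaultdict(list)
    for start in range(len(records) - window + 1):
        local = mine_rules(records[start:start + window], local_support, min_confidence)
        for rule in local:
            if support(records, frozenset(rule)) < min_support:
                found[rule].append(start)
    return dict(found)

def build_records() -> List[Record]:
    """Constructed connection records: 15 web and 15 ssh sessions interleaved,
    followed by one host opening connections to six different ports."""
    web = frozenset({"src=10.0.0.2", "dport=80", "flags=S"})
    ssh = frozenset({"src=10.0.0.3", "dport=22", "flags=S"})
    records: List[Record] = [web, ssh] * 15
    for port in (21, 23, 25, 110, 143, 443):
        records.append(frozenset({"src=198.51.100.7", f"dport={port}", "flags=S"}))
    return records

if __name__ == "__main__":
    recs = build_records()
    for (a, b), (s, c) in sorted(mine_rules(recs, 0.25, 0.8).items()):
        print(f"static  {a} -> {b}: support={s:.2f} confidence={c:.2f}")
    for (a, b), starts in dynamic_rules(recs, 6, 0.25, 0.8, 0.8).items():
        print(f"dynamic {a} -> {b}: windows starting at {starts}")
```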

Performance

Emerald and ADAM were first and second in the 1999 DARPA evaluation (by some measures).
This was a test on simulated data.
Researchers were given a data set with truth (attacks and normal traffic notated).
Researchers were then given a test set without truth, and had to detect the attacks.
No system performed perfectly. One could argue that none performed adequately.

SANS Top 20 List

http://www.sans.org/top20/

An Example Microsoft FAQ

What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, attempts to exploit this vulnerability could most likely result in a denial of service condition.
What causes the vulnerability?
An unchecked buffer in the Print Spooler service.

Continued

What is Print Spooler service?
The Print Spooler service, Spoolsv.exe, is an executable file that is installed as a service. The spooler is loaded when the operating system starts, and it continues to run until the operating system is shut down. The Print Spooler service manages the printing process, which includes such tasks as retrieving the location of the correct printer driver, loading that driver, spooling high-level function calls into a print job, and scheduling print jobs. When the tasks for a particular print job are complete, the Print Spooler service passes the job to the print router. For more information about the Print Spooler service, visit the following Web site.

Continued

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability for remote code execution could take complete control of the affected system. On Windows XP Service Pack 2 and Windows Server 2003 this issue would result in a denial of service condition. On other operating system versions, attempts to exploit this vulnerability would most likely result in a denial of service condition. However remote code execution could be possible.

Continued

Who could exploit the vulnerability?
On Windows 2000 and Windows XP Service Pack 1, any anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability. On Windows XP Service Pack 2 and Windows Server 2003, this vulnerability is restricted to authenticated users. An authenticated attacker may also be able to log on locally to a system and attempt to exploit this vulnerability on all affected operating system versions.

Continued

How could an attacker exploit the vulnerability?
An attacker could try to remotely exploit the vulnerability by creating a specially crafted message and sending the message to an affected system. The message could then cause the affected system to execute code on operating system versions and configurations that were vulnerable to remote attack vectors. By default, Windows 2000 and Windows XP Service Pack 1 are vulnerable remotely. A remote attack vector cannot be created on Windows XP SP2 or on Windows Server 2003 unless a user who has appropriate permission shares a printer or tries to connect to a shared printer.
To locally exploit this vulnerability on all operating system versions, an attacker would first have to log on to the system. An attacker could then run a specially-crafted application that could exploit the vulnerability.

Continued

What systems are primarily at risk from the vulnerability?
Windows 2000 and Windows XP Service Pack 1 are primarily at risk from this vulnerability. Windows XP Service Pack 2 and Windows Server 2003 systems are at a reduced risk because of the additional mitigating factors that exist on these operating system versions. However, systems configured as Printer Servers are especially at risk to this vulnerability.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.

Continued

What does the update do?
The update removes the vulnerability by modifying the way that Print Spooler service validates the length of a message before it passes the message to the allocated buffer.

Utilities

nmap.
p0f.
snort.

Nmap

A powerful network scanner.
Can:
  scan for open ports
  perform active fingerprinting
  evaluate vulnerabilities
  act stealthy in the scans
  spoof IP address to make it difficult to determine the scanner
Useful tool for security analysis.
Useful tool for an attacker.

Nmap Example

nmap -sS -v -O localhost

Nmap Example

Adding TCP port 25 (state Open).
Adding TCP port 13 (state Open).
Adding TCP port 1024 (state Open).
Adding TCP port 9 (state Open).
Adding TCP port 111 (state Open).
Adding TCP port 513 (state Open).
Adding TCP port 515 (state Open).
Adding TCP port 80 (state Open).
Adding TCP port 21 (state Open).
Adding TCP port 22 (state Open).

Nmap Example

Adding TCP port 22 (state Open).
Adding TCP port 37 (state Open).
Adding TCP port 514 (state Open).
Adding TCP port 841 (state Open).
Adding TCP port 1 (state Open).
Adding TCP port 23 (state Open).
The SYN scan took 0 seconds to scan 1068 ports.
For OSScan assuming that port 1 is open and port 31200 is closed and neither are firewalled

Nmap Example
Port State Protocol Service
1 open tcp tcpmux
9 open tcp discard
13 open tcp daytime
21 open tcp ftp
22 open tcp ssh
23 open tcp telnet
25 open tcp smtp
37 open tcp time
80 open tcp www
111 open tcp sunrpc
513 open tcp login

Nmap Example

TCP Sequence Prediction: Class=trivial time dependency Difficulty=26 (Easy)
Sequence numbers: 799148C0 799229C0 799339A0 79943580 79952B20 79961440
Remote operating system guess: IRIX 6.4 - 6.5
Nmap run completed - 1 IP address (1 host up) scanned in 1 second

p0f

Passive fingerprinting off of TCP SYN packets.
Uses time-to-live (TTL) (etc) to determine likely operating system.
Has extensive database of operating systems.
Must estimate TTL.

http://lcamtuf.coredump.cx/p0f.shtml

snort

Lightweight network intrusion detection system.
Uses tcpdump-like filters, plus content.
Extensible through plug-ins.

http://www.snort.org
