IP SPOOFING
In computer networking, IP address spoofing or IP spoofing is the creation of Internet Protocol (IP)
packets with a false source IP address, for the purpose of hiding the identity of the sender or
impersonating another computing system. One technique which a sender may use to maintain
anonymity is to use a proxy server.
The basic protocol for sending data over the Internet network and many other computer networks
is the Internet Protocol (IP). The protocol specifies that each IP packet must have a header which
contains, among other things, the IP address of the sender of the packet. The source IP address is
normally the address that the packet was sent from, but the sender's address in the header can be
altered, so that to the recipient it appears that the packet came from another source. The protocol
requires the receiving computer to send back a response to the source address, so that spoofing is
mainly used when the sender can anticipate the network response or does not care about the
response.
COVERT CHANNEL
In computer security, a covert channel is a type of computer security attack that creates a
capability to transfer information objects between processes that are not supposed to be allowed
to communicate by the computer security policy. The term, originated in 1973 by Lampson, is
defined as channels "not intended for information transfer at all, such as the service program's
effect on system load", to distinguish it from legitimate channels that are subjected to access
controls by COMPUSEC.
A covert channel is so called because it is hidden from the access control mechanisms of
ultra-high-assurance secure operating systems since it does not use the legitimate data transfer
mechanisms of the computer system such as read and write, and therefore cannot be detected or
controlled by the hardware-based security mechanisms that underlie ultra-high-assurance secure
operating systems. Covert channels are exceedingly hard to install in real systems, and can often
be detected by monitoring system performance; in addition, they suffer from a low signal-to-noise
ratio and low data rates (on the order of a few bits per second). They can also be removed
manually with a high degree of assurance from secure systems by well-established covert channel
analysis strategies.
TCP SYN/FLOOD
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN
requests to a target's system in an attempt to consume enough server resources to make the
system unresponsive to legitimate traffic.
When a client attempts to start a TCP connection to a server, the client and server
exchange a series of messages which normally runs like this:
The client requests a connection by sending a SYN (synchronize) message to the server.
The server acknowledges this request by sending SYN-ACK back to the client.
The client responds with an ACK, and the connection is established.
This is called the TCP three-way handshake, and is the foundation for every connection established
using the TCP protocol.
A SYN flood attack works by not responding to the server with the expected ACK code. The
malicious client can either simply not send the expected ACK, or spoof the source IP address
in the SYN, causing the server to send the SYN-ACK to a falsified IP address, which will not send an
ACK because it "knows" that it never sent a SYN.
The server will wait for the acknowledgement for some time, as simple network congestion could
also be the cause of the missing ACK. However, in an attack, the half-open connections created by
the malicious client bind resources on the server and may eventually exceed the resources
available on the server. At that point, the server cannot connect to any clients, whether legitimate
or otherwise. This effectively denies service to legitimate clients. Some systems may also
malfunction or crash when other operating system functions are starved of resources in this way.
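The resource exhaustion described above can be reproduced with a toy model of the server's
half-open connection table. This is an added example, not part of the original document; the
class and function names, the backlog of 128 entries and the 30-tick timeout are assumptions
chosen for illustration.

```python
"""Toy model of a TCP listener's half-open (SYN received, ACK pending) table."""


class Listener:
    def __init__(self, backlog, syn_timeout):
        self.backlog = backlog          # max half-open entries (assumed value)
        self.syn_timeout = syn_timeout  # ticks the server waits for the final ACK
        self.half_open = {}             # connection key -> tick the SYN arrived

    def expire(self, now):
        # Free entries whose ACK never arrived within the timeout.
        stale = [k for k, t in self.half_open.items()
                 if now - t >= self.syn_timeout]
        for key in stale:
            del self.half_open[key]

    def on_syn(self, key, now):
        self.expire(now)
        if len(self.half_open) >= self.backlog:
            return False                # table full: the SYN is dropped
        self.half_open[key] = now       # the server would send SYN-ACK here
        return True

    def on_ack(self, key):
        # The final ACK completes the handshake and frees the half-open slot.
        return self.half_open.pop(key, None) is not None


def simulate(ticks, unanswered_per_tick, backlog=128, syn_timeout=30):
    """Per tick: N SYNs that are never ACKed, then one legitimate client
    that sends SYN and ACK. Returns (legit_ok, legit_refused, peak_half_open)."""
    srv = Listener(backlog, syn_timeout)
    ok = refused = peak = 0
    for now in range(ticks):
        for i in range(unanswered_per_tick):
            srv.on_syn(("unanswered", now, i), now)
        legit = ("client", now)
        if srv.on_syn(legit, now):
            srv.on_ack(legit)
            ok += 1
        else:
            refused += 1
        peak = max(peak, len(srv.half_open))
    return ok, refused, peak
```

The table's steady-state occupancy is the unanswered SYN rate multiplied by the timeout: at 2 per
tick it settles at 60 entries and every legitimate client connects, while at 10 per tick it
reaches the 128-entry limit after 12 ticks and every later legitimate SYN is refused.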
ARP SPOOFING
ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or
stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service,
man in the middle, or session hijacking attacks.
The attack can only be used on networks that use the Address Resolution Protocol, and is limited
to local network segments.