B. SOME BASIC TARGETS FOR AN ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.B.1. SWAP SPACE
----------------

Most systems have several hundred Mbytes of swap space to service client requests. The swap space is typically used for forked child processes, which have a short lifetime. In the normal case the swap space will therefore almost never be used heavily. A denial of service could be based on a method that tries to fill up the swap space.

.B.2. BANDWIDTH
---------------

If too much of the bandwidth is consumed, the network becomes useless. Most denial of service attacks affect the bandwidth in some way.

.B.3. KERNEL TABLES
-------------------

It is trivial to overflow the kernel tables, which causes serious problems on the system. Systems with write-through caches and small write buffers are especially sensitive.

Kernel memory allocation is also a sensitive target. The kernel has a kernelmap limit; if the system reaches this limit it cannot allocate more kernel memory and must be rebooted. Kernel memory is not only used for RAM, CPUs, screens and so on, it is also used for ordinary processes. This means that any system can be crashed, and with a mean (or in some sense good) algorithm pretty fast.

For Solaris 2.X, how much kernel memory the system is using is measured and reported with the sar command, but for SunOS 4.X there is no such command. This means that under SunOS 4.X you cannot even get a warning. If you do use Solaris you should run sar -k 1 to get the information. netstat -k can also be used; it shows how much memory the kernel has allocated in the subpaging.

.B.4. RAM
---------

A denial of service attack that allocates a large amount of RAM can cause a great deal of problems. NFS and mail servers are actually extremely sensitive because they do not need much RAM and therefore often don't have much RAM. An attack on an NFS server is trivial. The normal NFS client will do a great deal of caching, but an NFS client can be anything, including the program you wrote yourself...

.B.5. DISKS
-----------

A classic attack is to fill up the hard disk, but an attack on the disks can be so much more. For example, an overloaded disk can be misused in many ways.

.B.6. CACHES
------------

A denial of service attack involving caches can be based on a method to block the cache or to avoid the cache. These caches are found on Solaris 2.X:

  Directory name lookup cache: Associates the name of a file with a vnode.
  Inode cache: Caches information read from disk in case it is needed again.
  Rnode cache: Holds information about the NFS filesystem.
  Buffer cache: Caches inode indirect blocks and cylinders related to disk I/O.

.B.7. INETD
-----------

Once inetd has crashed, all other services running through inetd will no longer work.
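Section B.3 recommends watching kernel memory with sar -k 1. The following shell check is an added example (not part of the original text) that turns such a reading into an alarm: it parses sar -k style output, flags any kernel memory allocation failure, and warns when a pool is close to fully allocated. The column layout (sml_mem alloc fail lg_mem alloc fail ovsz_alloc fail) is assumed here, and the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# kma_check: flag kernel memory allocation (KMA) pressure in `sar -k` output.
# Assumed Solaris `sar -k` column layout (an assumption of this example):
#   time sml_mem alloc fail lg_mem alloc fail ovsz_alloc fail
# A non-zero fail count means the kernel already refused an allocation;
# a pool close to fully allocated is the warning sign before that happens.

# Constructed sample output, not captured from a real host.
SAMPLE_SAR_K='SunOS host 5.6 Generic sun4u    01/01/99

00:00:00 sml_mem   alloc  fail  lg_mem   alloc  fail  ovsz_alloc  fail
00:00:01 2220032 1842688     0 8085504 7094272     0     1159168     0
00:00:02 2220032 2205000     0 8085504 8001000     3     1159168     0'

# Constructed sample with a single healthy interval.
HEALTHY_SAR_K='00:00:00 sml_mem   alloc  fail  lg_mem   alloc  fail  ovsz_alloc  fail
00:00:01 2220032 1842688     0 8085504 7094272     0     1159168     0'

# kma_check <sar -k output> <warn percent>
# Prints one OK/ALERT line per interval; exit status 1 if any interval alerts.
kma_check() {
    printf '%s\n' "$1" | awk -v warn="$2" '
        # Data rows: a timestamp followed by eight numeric fields.
        NF == 9 && $2 ~ /^[0-9]+$/ {
            sml_pct = ($2 > 0) ? 100 * $3 / $2 : 0
            lg_pct  = ($5 > 0) ? 100 * $6 / $5 : 0
            fails   = $4 + $7 + $9
            if (fails > 0) {
                status = "ALERT"; reason = fails " allocation failure(s)"; bad = 1
            } else if (sml_pct >= warn || lg_pct >= warn) {
                status = "ALERT"; reason = "pool at or above " warn "% in use"; bad = 1
            } else {
                status = "OK"; reason = "within limits"
            }
            printf "%s %s sml=%.0f%% lg=%.0f%% %s\n", $1, status, sml_pct, lg_pct, reason
        }
        END { exit (bad ? 1 : 0) }'
}

# Typical use on a live Solaris host would be: kma_check "$(sar -k 1)" 90
kma_check "$SAMPLE_SAR_K" 90 || echo "kernel memory pressure detected"
```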