ATTACKING FROM THE OUTSIDE ~~~~~~~~~~~~~~~~~~~~~~~~~~
TAKING ADVANTAGE OF FINGER --------------------------- Most fingerd installations support redirections to an other host. Ex: $finger @system.two.com@system.one.com finger will in the example go through system.one.com and on to system.two.com. As far as system.two.com knows it is system.one.com who is fingering. So this method can be used for hiding, but also for a very dirty denial of service attack. Lock at this: $ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack All those @ signs will get finger to finger host.we.attack again and again and again... The effect on host.we.attack is powerful and the result is high bandwidth, short free memory and a hard disk with less free space, due to all child processes (compare with .D.5.). The solution is to install a fingerd which don't support redirections, for example GNU finger. You could also turn the finger service off, but I think that is just a bit to much. UDP AND SUNOS 4.1.3. --------------------- SunOS 4.1.3. is known to boot if a packet with incorrect information in the header is sent to it. This is the cause if the ip_options indicate a wrong size of the packet. The solution is to install the proper patch. FREEZING UP X-WINDOWS --------------------- If a host accepts a telnet session to the X-Windows port (generally somewhere between 6000 and 6025. In most cases 6000) could that be used to freeze up the X-Windows system. This can be made with multiple telnet connections to the port or with a program which sends multiple XOpenDisplay() to the port. The same thing can happen to Motif or Open Windows. The solution is to deny connections to the X-Windows port. MALICIOUS USE OF UDP SERVICES ----------------------------- It is simple to get UDP services (echo, time, daytime, chargen) to loop, due to trivial IP-spoofing. The effect can be high bandwidth that causes the network to become useless. In the example the header claim that the packet came from 127.0.0.1 (loopback) and the target is the echo port at system.we.attack. As far as system.we.attack knows is 127.0.0.1 system.we.attack and the loop has been establish. Ex: from-IP=127.0.0.1 to-IP=system.we.attack Packet type:UDP from UDP port 7 to UDP port 7 Note that the name system.we.attack looks like a DNS-name, but the target should always be represented by the IP-number. Quoted from proberts@clark.net (Paul D. Robertson) comment on comp.security.firewalls on matter of "Introduction to denial of service" " A great deal of systems don't put loopback on the wire, and simply emulate it. Therefore, this attack will only effect that machine in some cases. It's much better to use the address of a different machine on the same network. Again, the default services should be disabled in inetd.conf. Other than some hacks for mainframe IP stacks that don't support ICMP, the echo service isn't used by many legitimate programs, and TCP echo should be used instead of UDP where it is necessary. "
ATTACKING WITH LYNX CLIENTS ---------------------------- A World Wide Web server will fork an httpd process as a respond to a request from a client, typical Netscape or Mosaic. The process lasts for less than one second and the load will therefore never show up if someone uses ps. In most causes it is therefore very safe to launch a denial of service attack that makes use of multiple W3 clients, typical lynx clients. But note that the netstat command could be used to detect the attack (thanks to Paul D. Robertson). Some httpd:s (for example http-gw) will have problems besides the normal high bandwidth, low memory... And the attack can in those causes get the server to loop (compare with .C.6.) MALICIOUS USE OF telnet ------------------------ Study this little script: Ex: while : ; do telnet system.we.attack & done An attack using this script might eat some bandwidth, but it is nothing compared to the finger method or most other methods. Well the point is that some pretty common firewalls and httpd:s thinks that the attack is a loop and turn them self down, until the administrator sends kill -HUP. This is a simple high risk vulnerability that should be checked and if present fixed. MALICIOUS USE OF telnet UNDER SOLARIS 2.4 ----------------------------------------- If the attacker makes a telnet connections to the Solaris 2.4 host and quits using: Ex: Control-} quit then will inetd keep going "forever". Well a couple of hundred... The solution is to install the proper patch. HOW TO DISABLE ACCOUNTS ------------------------ Some systems disable an account after N number of bad logins, or waits N seconds. You can use this feature to lock out specific users from the system. LINUX AND TCP TIME, DAYTIME ----------------------------- Inetd under Linux is known to crash if to many SYN packets sends to daytime (port 13) and/or time (port 37). The solution is to install the proper patch. HOW TO DISABLE SERVICES ------------------------- Most Unix systems disable a service after N sessions have been open in a given time. Well most systems have a reasonable default (lets say 800 - 1000), but not some SunOS systems that have the default set to 48... The solutions is to set the number to something reasonable. PARAGON OS BETA R1.4 --------------------- If someone redirects an ICMP (Internet Control Message Protocol) packet to a paragon OS beta R1.4 will the machine freeze up and must be rebooted. An ICMP redirect tells the system to override routing tables. Routers use this to tell the host that it is sending to the wrong router. The solution is to install the proper patch. NOVELLS NETWARE FTP ------------------- Novells Netware FTP server is known to get short of memory if multiple ftp sessions connects to it. ICMP REDIRECT ATTACKS ---------------------- Gateways uses ICMP redirect to tell the system to override routing tables, that is telling the system to take a better way. To be able to misuse ICMP redirection we must know an existing connection (well we could make one for ourself, but there is not much use for that). If we have found a connection we can send a route that loses it connectivity or we could send false messages to the host if the connection we have found don't use cryptation. Ex: (false messages to send) DESTINATION UNREACHABLE TIME TO LIVE EXCEEDED PARAMETER PROBLEM PACKET TOO BIG The effect of such messages is a reset of the connection. The solution could be to turn ICMP redirects off, not much proper use of the service. BROADCAST STORMS --------------- This is a very popular method in networks there all of the hosts are acting as gateways. There are many versions of the attack, but the basic method is to send a lot of packets to all hosts in the network with a destination that don't exist. Each host will try to forward each packet so the packets will bounce around for a long time. And if new packets keep coming the network will soon be in trouble. Services that can be misused as tools in this kind of attack is for example ping, finger and sendmail. But most services can be misused in some way or another.
Comments
Post a Comment