Monday, July 7, 2008

Packet Attacks


ARP Attack

The ARP attack is a special one: it can be used to 'hijack' a TCP connection currently in session, or to sniff legitimate traffic on a wire other than your own, which is a very dangerous thing in the information world we live in today. There are a few methods of this attack. Let's say person1, the attacker, and the server are all on the same subnet. Person1 and the server currently have an FTP session open. The attacker sends both the server and person1 an ARP packet containing an invalid MAC address. Now both of their ARP tables are messed up for at least 30 seconds. The server and person1 can't find that invalid MAC address, so they send their data to the IP it is associated with: the attacker. So in this case the attacker has a sniffer set up and is collecting a ton of data. Now the attacker (an advanced one, at that) can issue commands as person1 to the server. This attack takes timing and skill to pull off on the internet, but on a LAN it's very easy. It only allows for maybe 30 or so seconds of sniffing, until their ARP tables are constructed properly again.
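What a monitor on the same segment can do about this is not covered above, so here is an added example (not from the original post) of the three checks a passive ARP watcher runs over the replies it sees: a reply nobody asked for, an IP whose MAC suddenly changes, and one MAC answering for several IPs at once. The event list, the addresses and the two-second request/reply window are all constructed for the example.

```python
from collections import defaultdict

# Added example, not code from the original post.  Constructed ARP events as a
# monitor on the segment would record them:
# (timestamp, operation, sender IP, sender MAC, target IP)
SAMPLE_ARP = [
    (0.00, "request", "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.10"),
    (0.01, "reply",   "192.168.1.10", "00:11:22:33:44:10", "192.168.1.1"),
    (5.00, "request", "192.168.1.10", "00:11:22:33:44:10", "192.168.1.1"),
    (5.01, "reply",   "192.168.1.1",  "00:11:22:33:44:01", "192.168.1.10"),
    # Unsolicited replies from one interface claiming both endpoints' addresses,
    # the pattern the section above describes.
    (9.00, "reply",   "192.168.1.10", "0c:0c:0c:0c:0c:0c", "192.168.1.1"),
    (9.00, "reply",   "192.168.1.1",  "0c:0c:0c:0c:0c:0c", "192.168.1.10"),
]

UNSOLICITED_WINDOW = 2.0   # assumed: a reply this long after any request is unsolicited


def audit_arp(events, window=UNSOLICITED_WINDOW):
    """Replay ARP events in order and return a list of (kind, subject, detail) alerts."""
    ip_to_mac = {}                 # last MAC each IP was seen claiming
    mac_to_ips = defaultdict(set)  # every IP a given MAC has claimed
    pending = {}                   # target IP -> time of the latest request for it
    alerts = []
    for ts, op, sender_ip, sender_mac, target_ip in events:
        if op == "request":
            pending[target_ip] = ts
            continue
        # 1. A reply with no recent request for that IP is gratuitous.
        asked = pending.get(sender_ip)
        if asked is None or ts - asked > window:
            alerts.append(("unsolicited_reply", sender_ip, sender_mac))
        # 2. The binding for a known IP flipped to a different MAC.
        known = ip_to_mac.get(sender_ip)
        if known is not None and known != sender_mac:
            alerts.append(("ip_changed_mac", sender_ip, f"{known} -> {sender_mac}"))
        ip_to_mac[sender_ip] = sender_mac
        # 3. One MAC answering for more than one IP (classic poisoning of both ends).
        mac_to_ips[sender_mac].add(sender_ip)
        if len(mac_to_ips[sender_mac]) > 1:
            alerts.append(("mac_claims_multiple_ips", sender_mac,
                           sorted(mac_to_ips[sender_mac])))
    return alerts


if __name__ == "__main__":
    for alert in audit_arp(SAMPLE_ARP):
        print(alert)
```

The first four events produce no alerts; the last two produce five, two of them for the same MAC claiming both the client's and the gateway's addresses. An IP-to-MAC change on its own can also be a replaced network card, so the third check carries the most weight. ARP has no authentication, so detection is the best a host can do; stopping it needs static entries or switch-side inspection of ARP.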


DRDOS Attack

A DRDOS attack uses a little of other attacks to inflict damage. This attack spoofs the source IP address of SYN packets to the IP of the victim. It requires a third party, and this is the part of the attack that makes it so easy. All it needs is some FTP server, web server, telnet server... ANY service that will reply with an ACK packet, anywhere on the internet. It could be Angelfire's free FTP servers; it could be your neighbor's web server running off his 233mhz Compaq with IIS 4.0. It doesn't matter! The SYN packets are sent to that service's IP address, and it of course replies with a steady stream of SYN/ACK packets to the victim, most likely directed towards an open port on the victim's machine, crashing that service and the system. These attacks are near impossible to track down. This attack is quite possibly the strongest DOS attack, in my opinion. For every SYN packet you send the middle man, it sends out up to 4 SYN/ACK combinations to the victim. And each time the victim doesn't respond, the middle man sends even more (error correction). This allows the attacker to construct a massive attack from just one machine with a broadband connection. There are more dangers to this attack as well: there are hundreds of thousands of FTP servers, web servers and many more services running on the net today that will deflect these SYN/ACK packets at the victim. So in theory this attack could use any number of 'middle man' servers to bombard your network with packets.
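The attack above leaves a distinct trace at both ends, so here is an added example (not from the original post) of the detection a defender can run over a connection log. On the victim side it counts SYN/ACKs for which the victim never sent a SYN, grouped by the server that sent them; on the 'middle man' side it counts, per source IP, SYNs that were never followed by the client's ACK, which is how a server operator notices that spoofed SYNs are bouncing off his box. All addresses, ports and log records are constructed.

```python
from collections import defaultdict

# Added example, not code from the original post.  All values are constructed.
VICTIM = "203.0.113.5"      # host receiving the reflected SYN/ACKs
REFLECTOR = "192.0.2.21"    # one of the 'middle man' servers

# Connection-log records: (ts, src_ip, src_port, dst_ip, dst_port, flags)
# with flags "S" = SYN, "SA" = SYN/ACK, "A" = ACK.
VICTIM_SIDE_LOG = [
    (0.0, VICTIM, 51000, "198.51.100.7", 80, "S"),     # a connection the victim really opened
    (0.1, "198.51.100.7", 80, VICTIM, 51000, "SA"),
    (0.2, VICTIM, 51000, "198.51.100.7", 80, "A"),
    (1.0, "192.0.2.21", 21, VICTIM, 80, "SA"),        # SYN/ACKs the victim never asked for
    (1.0, "192.0.2.22", 80, VICTIM, 80, "SA"),
    (1.0, "192.0.2.23", 23, VICTIM, 80, "SA"),
    (4.0, "192.0.2.21", 21, VICTIM, 80, "SA"),        # reflectors retransmit while unanswered
    (4.0, "192.0.2.22", 80, VICTIM, 80, "SA"),
    (7.0, "192.0.2.21", 21, VICTIM, 80, "SA"),
]

REFLECTOR_SIDE_LOG = [
    (0.0, VICTIM, 40000, REFLECTOR, 21, "S"),           # spoofed: really sent by the attacker
    (0.0, VICTIM, 40001, REFLECTOR, 21, "S"),
    (0.0, VICTIM, 40002, REFLECTOR, 21, "S"),
    (0.1, REFLECTOR, 21, VICTIM, 40000, "SA"),
    (0.1, REFLECTOR, 21, VICTIM, 40001, "SA"),
    (0.1, REFLECTOR, 21, VICTIM, 40002, "SA"),
    (0.5, "198.51.100.9", 52000, REFLECTOR, 21, "S"),   # a genuine client completes the handshake
    (0.6, REFLECTOR, 21, "198.51.100.9", 52000, "SA"),
    (0.7, "198.51.100.9", 52000, REFLECTOR, 21, "A"),
]


def unsolicited_synacks(log, victim=VICTIM):
    """Victim side: SYN/ACKs with no matching SYN from this host, per sender."""
    initiated = set()            # (remote_ip, remote_port, local_port) of SYNs we sent
    counts = defaultdict(int)
    for _ts, sip, sport, dip, dport, flags in log:
        if sip == victim and flags == "S":
            initiated.add((dip, dport, sport))
        elif dip == victim and flags == "SA" and (sip, sport, dport) not in initiated:
            counts[sip] += 1
    return dict(counts)


def reflection_suspected(log, victim=VICTIM, min_reflectors=3):
    """Many distinct servers all sending unsolicited SYN/ACKs is the signature;
    a single stray SYN/ACK is ordinary internet noise.  Threshold is assumed."""
    return len(unsolicited_synacks(log, victim)) >= min_reflectors


def half_open_by_source(log, server=REFLECTOR):
    """Reflector side: per source IP, SYNs never followed by that client's ACK.
    A source piling these up while others complete normally is likely spoofed."""
    syns, acks = defaultdict(set), defaultdict(set)
    for _ts, sip, sport, dip, dport, flags in log:
        if dip == server and flags == "S":
            syns[sip].add(sport)
        elif dip == server and flags == "A":
            acks[sip].add(sport)
    return {ip: len(ports - acks[ip]) for ip, ports in syns.items() if ports - acks[ip]}


if __name__ == "__main__":
    print(unsolicited_synacks(VICTIM_SIDE_LOG))
    print(half_open_by_source(REFLECTOR_SIDE_LOG))
```

The retransmissions in the victim-side sample are the 'error correction' the text mentions. The reflector-side count is the one a server operator can act on, since the victim cannot stop other people's servers; upstream of the attacker, ingress source-address filtering (BCP 38) is what keeps the spoofed SYNs from leaving in the first place.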


Bot / Trojan DrDOS Attack

Recently many IRC bots and trojan servers have found their way to users' home computers via email, .exe binding, etc. They are just backdoors to any system they have infected. If you really want to read into this, go to www.grc.com. This guy knows a lot about these attacks because he was the target of one. These bots infect a machine and join an IRC server and a private channel. It's an army of zombies collecting in a room. The attacker enters the room and can issue commands to the army of bots to attack a target anywhere he wants, with any kind of attack he wants to use. This type of lameness can be easily stopped with a home firewall like ZoneAlarm, denying internet access to the bot, or with a good virus scanner. Both should come standard with every operating system, but you will have to email Bill Gates about that one. The attack itself is a bit like bandwidth hogging; the term is DrDoS (Distributed Reflected Denial of Service). Another analysis of the attack is below:

Not to go into much detail about this one, however it must be said: this attack type is full power, and if used in the wrong hands it could, and most likely will, cause serious damage to the host attacked. Like above, the attack all depends on the amount of zombies the hacker has. For example, if a hacker had 30,000 infected zombies (bots), all with an upstream of 1024kbps, that's 30,000 meg upstream a sec. Aimed at a web host for about 10 mins, that's 300,000 meg a sec, enough to take down some of the leading web hosts, and even if the IPs are blocked the router still has to say no to the packets, so by now you should see the problem. The fact is home users should be targeted to prevent these attacks at the source.

Once you open the bot/trojan it secretly logs you into an IRC room, where the hacker can send group commands to all his bots. Keep protected with firewalls, such as "Sygate" (www.sygate.com), and an anti-trojan system such as "The Cleaner" (www.moosoft.com).


Worm Attack

Worms are a special 'breed' of programming. They're advanced and very sophisticated. The recent SQL worm we saw came with a built-in DOS attack on the servers it infected. The worm did not damage files or anything like that, but it kept trying to find other servers to infect. It used big UDP packets in order to find other vulnerable servers to infect. When no servers that could be infected were found, the worm created DOS attacks on the networks it was on. The network became flooded with UDP packets, denying service to legitimate clients. A worm can also act like a bot or trojan server, in which case, when it infects the target, it instantly begins to attack a pre-programmed target with random source IP addresses. It's a deadly race to clean these worms, because the target may never be free of the attack if the worm infects enough people. This was the case with the Code Red worm. I suggest reading about the Code Red worm on the internet as it is very interesting :]


Unicode Ping Flood

This attack is native to the unicode bug found in most IIS web servers. Here's a sample:

http://imnotsecure.com/scripts/images/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+ping+10.10.10.10-n+1000+-l

OK, this is one of MANY unicode strings that are possibly useful on a vulnerable server. But you see the unicode bug accessing the command shell on the target host, and then issuing the command to ping 10.10.10.10 forever with 1000 byte ICMP packets. Now these packets aren't spoofed, but they are still traffic, and with enough vulnerable machines the traffic volume begins to build up.
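What makes the string above work is the order in which a server checks and decodes the path: `%c0%af` is an overlong UTF-8 encoding of '/', so a traversal check that runs before decoding never sees `../`. Here is an added example (not from the original post, and not IIS code) showing the flawed ordering next to a hardened path resolver that decodes strictly first, then normalises, then confirms the result is still under the web root. The web root and the benign request are assumptions; the traversal request is the one from the sample URL above.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Added example, not code from the original post.  WEBROOT is an assumed value.
WEBROOT = "/inetpub/wwwroot"
TRAVERSAL = "scripts/images/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe"


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 the permissive way a flawed decoder might: a two-byte sequence
    is accepted without checking that the shortest encoding was used, so the
    overlong pair C0 AF turns into '/' (0x2F)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError("malformed UTF-8")
    return "".join(out)


def naive_resolve(raw_path: str) -> str:
    """Vulnerable ordering, kept flawed on purpose: look for '../' in the
    percent-decoded bytes, then decode leniently.  ..%c0%af passes the check
    and only becomes '../' afterwards."""
    decoded = unquote_to_bytes(raw_path)
    if b"../" in decoded:
        raise PermissionError("traversal rejected")
    return posixpath.normpath(posixpath.join(WEBROOT, lenient_utf8(decoded)))


def safe_resolve(raw_path: str) -> str:
    """Hardened ordering: strict UTF-8 decoding first (overlong forms such as
    C0 AF are rejected outright), then normalise, then require the result to
    still sit under WEBROOT.  No substring search for '..' is needed."""
    decoded = unquote_to_bytes(raw_path)
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        raise PermissionError("invalid UTF-8 in path") from None
    if "\x00" in text or "\\" in text:
        raise PermissionError("forbidden character in path")
    full = posixpath.normpath(posixpath.join(WEBROOT, text.lstrip("/")))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        raise PermissionError("path escapes web root")
    return full


def served_path(resolver, raw_path: str):
    """Filesystem path the resolver would serve, or None if it refuses."""
    try:
        return resolver(raw_path)
    except PermissionError:
        return None


if __name__ == "__main__":
    print("naive :", served_path(naive_resolve, TRAVERSAL))
    print("safe  :", served_path(safe_resolve, TRAVERSAL))
```

Run stand-alone, the naive resolver hands back a path under `/inetpub/winnt/`, three levels above the web root, while the hardened one refuses the request at the decoding step. The general rule the hardened version follows is decode once, completely, then validate the canonical result; any check performed on a partly decoded string can be sidestepped by another encoding layer.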

Phasing

This section is very small; it's on the topic of phasing. Phasing is a very simple yet very effective method of using DOS attacks without setting off alarms at a router somewhere for the volume of packets the attacker is sending. I will only give one example attack with this method since it is sort of self explanatory after you read it once. Let's take the DRDOS attack. You're sending spoofed SYN packets at servers all over the internet. Well, without breaking a sweat you could code a program in C that simply switches the servers you are deflecting off of every 3-4 minutes. It takes the server 3 or 4 minutes to stop sending SYN/ACK packets when it doesn't receive any ACK in return from your victim. So after the 3 or 4 initial minutes of the attack you begin to phase your attack to a different server, and your packets take a different route. You could phase your attack over a group of 25 servers or a group of 1000 servers, attacking with 5 at a time and switching every 4 minutes. This method of attacking is very effective and doesn't raise any alarms. Which is not good.


TCP Hijacking

3-way handshake

[zombie machine] --> SYN packet (seq = 100) --> [target]
[zombie machine] <-- SYN/ACK packet sent (seq = 300) (ack = 101) <-- [target]
[zombie machine] --> SYN/ACK packet sent (seq = 101) (ack = 301) --> [target]
[zombie machine] --> SYN/ACK packet sent (seq = 101) (ack = 301) + DATA + DATA --> [target]

Above is the basic three-way handshake, according to design. Now there are different types of TCP hijacking. There are attacks where the attacker can actually issue commands, as the victim, to a server. This requires knowing the next sequence numbers the server is expecting from the client. This is difficult, but not impossible. And then there is passive sniffing of the traffic intended for the victim. In this method the valid traffic, after being sniffed and saved by the attacker, is all forwarded to the real client. This completely avoids any detection; the attacker's machine just looks like another router. This is done by changing the victim's or the server's ARP table. This attack is not limited to a subnet; it works on the internet too.

Let's say server1 has a connection going with client1. The attacker would ping his victim, client1, capture the ICMP data, and extract his MAC address from it. Now, armed with that MAC address, the attacker creates a spoofed ARP packet and sends it to the server. The server receives the ARP packet and changes its ARP table. Now it thinks that client1's MAC address belongs to a new IP address: the IP address of the attacker. Now when the server constructs its packets to be sent to client1, it compares the MAC address in its packets to its ARP table as it passes through the network layer of the OSI model. It matches up the MAC address with the IP address of the attacker. The traffic is then sent off directly to the attacker. Now to avoid detection, the attacker redirects the valid traffic, after logging it, to client1. Now the attacker's machine looks like another router, almost unnoticeable to the average end user. This is called passive sniffing. This will only last until the server has updated its ARP table. We can complicate this matter and change the client's ARP table so it only sends its ARP requests to the attacker first, where he drops the packets; therefore the server and client never update their ARP tables, and the continuous flow of data between them is logged by the attacker.
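The sequence-number requirement this section keeps coming back to is enforced on the receiving side, so here is an added example (not from the original post) of that check in Python: a model of the target's receive window, started from the handshake diagram above (the target expects the zombie's next byte at sequence 301). It consumes only the in-order segment, queues in-window but out-of-order data, drops everything outside the window, and raises an alarm when dropped segments pile up on an established connection, which is the trace a desynchronised session leaves behind. The window size and alarm threshold are assumptions.

```python
# Added example, not code from the original post.  Models the segment
# acceptability test every TCP stack performs on an established connection.
MOD = 2 ** 32   # sequence numbers are 32-bit and wrap


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), with wraparound."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


class TcpReceiver:
    """Receive side of one established connection, as seen by the target."""

    def __init__(self, rcv_nxt, rcv_wnd=8192, alarm_threshold=5):
        self.rcv_nxt = rcv_nxt              # next byte expected from the peer
        self.rcv_wnd = rcv_wnd              # assumed window size
        self.alarm_threshold = alarm_threshold
        self.accepted = []                  # data delivered in order
        self.rejected = 0                   # segments that failed the window test

    def deliver(self, seq, data):
        """Return 'consumed', 'queued' or 'dropped' for one incoming segment."""
        if not in_window(seq, self.rcv_nxt, self.rcv_wnd):
            self.rejected += 1
            return "dropped"
        if seq != self.rcv_nxt:
            # In the window but not the next byte: a real stack buffers it
            # until the gap is filled; this model just reports it.
            return "queued"
        self.accepted.append(data)
        self.rcv_nxt = (self.rcv_nxt + len(data)) % MOD
        return "consumed"

    def suspicious(self):
        """A burst of out-of-window segments on a live connection is the
        classic symptom of a session someone else has pushed out of sync."""
        return self.rejected >= self.alarm_threshold


def blind_guesses_needed(rcv_wnd):
    """How much the window test buys the defender: a sender that did not see
    the handshake must cover 2**32 sequence values, rcv_wnd at a time."""
    return MOD // rcv_wnd


if __name__ == "__main__":
    rx = TcpReceiver(rcv_nxt=301)
    print(rx.deliver(301, b"USER anonymous"), rx.rcv_nxt)   # consumed 315
    print(rx.deliver(100, b"stale"), rx.deliver(9000, b"far ahead"))
    print(blind_guesses_needed(8192))
```

The point of the model is the asymmetry the section describes: a machine that sees the handshake go by (the ARP-redirected case) knows the value 301 exactly, while anything sent without that knowledge is discarded before any application code sees it. The `suspicious` counter is the cheap host-side signal; once an injected segment advances `rcv_nxt`, the genuine peer's segments start failing the same test.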


Sniffing

There are different ways to 'sniff' the traffic of other machines. One way was described above, using the ARP method to redirect someone else's specific traffic at your own machine. This method only allows you to sniff the certain traffic you were looking for. But on a local subnet, say at your work or home, if you run a sniffer you can see ALL the traffic on the wire. This includes every protocol. This is called promiscuous sniffing. A packet sniffer works by capturing (copying) all the data on the wire. This traffic does reach its legitimate target, but you are viewing a copy of the raw packet in your packet sniffer. Packet sniffers usually dump the packet in the form of a hex dump because it is easy to decipher and manipulate. Using a packet sniffer can be very useful: you can run your sniffer and ping a victim. This captures the return ICMP packet, and an attacker can extract his victim's MAC address from that data. A MAC address is very easy to pull from a hex dump because it is in hex form to begin with. Some newer programs will even allow you to reassemble the packets and create what they were intended for. Now this is easier when reconstructing, say, HTTP packets than just a few TCP packets containing your MP3 data; the HTTP data is easier to reassemble. Another form of packet sniffing may be much more intrusive. An attacker can install a sniffer by remotely breaking into a machine. The attacker sets the sniffer to only pick up plain text logins and passwords it finds in packets. Then he returns a few weeks later to retrieve the data the sniffer has found. This type of sniffing is the most dangerous because the attacker has full access to every single packet your machine generated and received since the sniffer was installed.
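To make the hex-dump claim concrete, here is an added example (not from the original post) of a small decoder that turns a sniffer-style hex dump back into bytes and pulls out the fields the text talks about: both MAC addresses from the Ethernet header, the sender and target IP-to-MAC pairs from an ARP reply, and the addresses and type of an ICMP echo reply. Both frames are constructed by hand (the IP and ICMP checksums are left at zero and not verified), and the final check, that the Ethernet source MAC agrees with the MAC claimed inside the ARP body, is a cheap first test for a forged reply.

```python
# Added example, not code from the original post.  Both dumps are constructed.
# Ethernet + ARP reply: 192.168.1.10 is at 00:11:22:33:44:10, answering 192.168.1.1.
ARP_REPLY_DUMP = """
0000  0011 2233 4401 0011 2233 4410 0806 0001
0010  0800 0604 0002 0011 2233 4410 c0a8 010a
0020  0011 2233 4401 c0a8 0101
"""

# Ethernet + IPv4 + ICMP echo reply (type 0): what a ping gets back.
ICMP_REPLY_DUMP = """
0000  0011 2233 4401 0011 2233 4410 0800 4500
0010  001c 0001 0000 4001 0000 c0a8 010a c0a8
0020  0101 0000 0000 0001 0001
"""


def hexdump_to_bytes(dump: str) -> bytes:
    """Drop the offset column of each line and rebuild the raw frame."""
    hexchars = []
    for line in dump.strip().splitlines():
        hexchars.extend(line.split()[1:])     # token 0 is the offset
    return bytes.fromhex("".join(hexchars))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_frame(raw: bytes) -> dict:
    """Decode the Ethernet header, then ARP or IPv4 (+ICMP) as far as needed."""
    info = {"dst_mac": fmt_mac(raw[0:6]), "src_mac": fmt_mac(raw[6:12]),
            "ethertype": int.from_bytes(raw[12:14], "big")}
    payload = raw[14:]
    if info["ethertype"] == 0x0806:                       # ARP
        oper = int.from_bytes(payload[6:8], "big")
        info.update(proto="ARP", op={1: "request", 2: "reply"}.get(oper, oper),
                    sender_mac=fmt_mac(payload[8:14]), sender_ip=fmt_ipv4(payload[14:18]),
                    target_mac=fmt_mac(payload[18:24]), target_ip=fmt_ipv4(payload[24:28]))
    elif info["ethertype"] == 0x0800:                     # IPv4
        ihl = (payload[0] & 0x0F) * 4                     # header length in bytes
        info.update(proto="IPv4", src_ip=fmt_ipv4(payload[12:16]),
                    dst_ip=fmt_ipv4(payload[16:20]), ip_proto=payload[9])
        if payload[9] == 1:                               # ICMP
            info.update(icmp_type=payload[ihl], icmp_code=payload[ihl + 1])
    return info


def arp_consistent(info: dict) -> bool:
    """The MAC in the Ethernet header and the one claimed in the ARP body
    should agree; a mismatch is a cheap first sign of a forged reply."""
    return info.get("proto") == "ARP" and info["src_mac"] == info["sender_mac"]


if __name__ == "__main__":
    for dump in (ARP_REPLY_DUMP, ICMP_REPLY_DUMP):
        print(parse_frame(hexdump_to_bytes(dump)))
```

The MAC addresses really are the first twelve bytes of every frame, which is why they are so easy to read straight off a dump. The consistency check is deliberately weak on its own (a forger controls both fields), but it is free, and it pairs naturally with the binding checks that catch the replies a forger cannot make look normal.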
