Data Centers

Examining intrusion and nonintrusion network attacks

The differences between intrusion and nonintrusion attacks are like night and day. Nevertheless, both attacks can render your server useless. Debra Littlejohn Shinder sets out to highlight these differences in this Daily Drill Down.

In her last Daily Drill Down, Debra Littlejohn Shinder defined the various types of hacking exploits, the motivations of network hackers, internal vs. external threats, and the categorizing of network attacks. This time around, Debra focuses on both intrusion and nonintrusion attacks and how to get help.

Common nonintrusion attacks
Nonintrusion attacks are those in which the goal is not to destroy or steal your data but to crash your server or clog your network to prevent access. These are also referred to as denial of service (DoS) attacks.

The distributed denial of service (DDoS) attacks use intermediary computers, called agents, to launch the attack from multiple locations. A program called a zombie is surreptitiously installed by the hacker on these agent computers, which can be anywhere on the Internet. The hacker activates the zombies to simultaneously attack, leaving the true origin of the attack obscured.
Even if your network is not the target of a DoS attack, if you don’t take strong security precautions, you could find that your computers are being used as the zombies in a DDoS attack.
DoS protocol exploits
Some common DoS attacks that exploit the TCP/IP protocols include the following:
  • DNS DoS attack: The attacker uses the difference in size between a DNS query and a DNS response to tie up the network’s bandwidth. Multiple DNS queries with a spoofed return IP address (the address of the targeted victim) are sent to each DNS server. The servers return responses (which are much larger in size) to the intended victim. All these simultaneous responses congest the link, and legitimate traffic cannot get through. See the Department of Energy site for more information.
  • SYN attack: In this DoS attack, the attacker uses the characteristics of the TCP “three-way handshake” to establish a communications session between two computers. This is a three-step process in which the client sends a synchronization request (SYN) to the server, the server sends back an acknowledgement (ACK) and a SYN of its own (client and server must synchronize each other’s sequence numbers), and the client sends an ACK back to the server. The attacker floods the victim server with multiple SYN packets that have bad (spoofed) IP addresses. The server sends its ACK and SYN and puts the waiting messages into a queue, but the final ACK never comes. The queue fills up, and all subsequent SYN requests (from legitimate users) are ignored so no TCP sessions can be established.
  • Land attack: This is a variation of the SYN attack in which the spoofed IP addresses on the attacker’s SYN packets are that of the targeted computer. The server sends multiple ACK and SYN packets to that address, and its network becomes congested.
  • Ping of Death attack: This is also called a large packet ping or killer ping. Ping is a TCP/IP utility used to test network connectivity by sending an ICMP echo request, to which the destination computer responds with an ICMP reply. For a Ping of Death, the attacker creates an IP packet that is larger than 65,536 bytes (the maximum allowed by the IP specification). This can cause the targeted system to crash, hang, or reboot.
  • Ping Flood attack: This is also called an ICMP flood. The attacker sends a huge number of ICMP (ping) packets to a computer’s Winsock or dialer software, preventing it from replying to server ping activity requests and causing the server to time out the connection.
  • Fraggle attack: For this, the attacker uses a spoofed IP address (the address of the targeted victim) to send a large number of pings to a subnet. All the computers on the subnet respond and flood the targeted address with echo reply messages.
  • Smurf attack: This is another variation on the ping flood, in which a deluge of ICMP echo request packets are sent to the network’s router with a destination address of the network’s broadcast address. This causes the router to broadcast the packets to every computer on the network or segment, congesting the network. A Smurf attack can bring down an entire ISP for several minutes or even hours because it’s easy for an attacker to send up to 50 or more ping packets per second even with a modem connection.
  • UDP Bomb attack: This is also called a UDP Flood or packet storm. The attacker congests the network by generating a flood of UDP packets between two computers using the UDP chargen service (a testing utility that generates a character string for every packet it receives), the quote-of-the-day (quotd) service, or the daytime service.
  • UDP Snork attack: This is similar to the UDP Bomb, which uses the Microsoft location service (port 135) as the destination port from port 7 or 9 (the echo or chargen port). This attack, however, will cause an NT system to use up 100 percent of its CPU.
  • Teardrop attack: With the Teardrop attack, IP fragments (pieces of an IP packet into which an original packet is divided) are created. When a packet is fragmented, offset fields in the header are used to designate the bytes of the original packet that are contained in the fragment. For example, fragment one’s offset field might be set to 100-300, showing which bytes are in that fragment, while fragment two’s offset might be 301-600. The attacker modifies the offset fields to overlap (fragment one: 100-300, fragment two: 200-400). When the fragments reach the destination computer, and it tries to reassemble them, it cannot do so. This would crash or hang the computer.
There are several variations on the Teardrop attack that use some sort of fragment overlap to crash the computer. These attacks include: NewTear, Boink, SynDrop, and TearDrop2.
DoS OS and application exploits
The DoS attacks discussed above are protocol exploits. Other types of DoS attacks exploit OS or application vulnerabilities, including:
  • WinNuke: This is also called a Windows out-of-band or OOB attack. In this attack, a vulnerability in Microsoft networks is used to create an out-of-band transmission that crashes the machine to which it is sent by using a flag called MSG_OOB (or Urgent) in the packet header. The destination server expects the packet header to contain a pointer to the position in the packet where the urgent data ends, and normal data is supposed to follow. The WinNuke program creates an OOB pointer that points to the end of the frame, with no normal data following. Windows machines that cannot handle this type of pointer shut down network communications and deny service to any machine that subsequently tries to establish a connection. Windows NT is vulnerable to this attack until Service Pack 3 or later is installed.
  • Mail Bomb: In this attack, a mail server is overwhelmed and ceases to function due to a massive amount of e-mail sent to a specified e-mail address. Another type of Mail Bomb is when a targeted victim is subscribed to a huge number of high-volume mailing lists. Mail Bombing can be automated by using mail-bomb programs such as Unibomber, Extreme Mail, Avalanche, and Kaboom.

Common intrusion types
Intrusion attacks are those in which an attacker enters your network to read, damage, and/or steal your data. These attacks can be divided into two subcategories: preintrusion activities and intrusions.

Preintrusion activities
Preintrusion activities are used to prepare for intruding into a network. These include port scanning to find a way to get into the network and IP spoofing to disguise the identity of the attacker or intruder.
  • Port scans: A program used by hackers to probe a system remotely and determine what TCP/UPD ports are open (and vulnerable to attack) is called a scanner. A scanner can find a vulnerable computer on the Internet, discover what services are running on the machine, and then find the weaknesses in those services. There are 65,535 TCP ports and an equal number of UDP ports. For a list of well-known ports and the services they use, see Freesoft for more details. An open port replies to attempts to contact it over the network. Scanning does not harm your network—it is, however, one way hackers gather information that they can use to mount an intrusion. Stealth scanners use what is called an IP half scan, sending only initial or final packets instead of establishing a connection, to avoid detection.
  • IP spoofing: This is a means of changing the information in the headers of a packet to forge the source IP address. Spoofing is used to impersonate a different machine from the one that actually sent the data. This can be done to avoid detection and/or to target the machine to which the spoofed address belongs for a deluge of responses, as done in several types of DoS attacks. By spoofing an address that is a trusted port, the attacker can get packets through a firewall that would otherwise be filtered out.
Port scanning has a legitimate purpose: Network administrators use it to test the security of their own systems. Popular diagnostic utilities such as Security Administrator’s Tool for Analyzing Networks (SATAN) include scanning capabilities, and there are a number of freeware scanning programs. Take a look at this site for information on scanners.
Intrusion types
Ways of intruding into your network to do damage include the following:
  • Source routing attack: This is a protocol exploit that is used by hackers to reach private IP addresses on an internal network by routing traffic through another machine that can be reached from both the Internet and the local network. Source routing is supported by TCP/IP to allow those sending network data to route the packets through a specific network point for better performance. It is also used by administrators to map their networks or to troubleshoot routing problems.
  • Trojan attacks: Trojans are programs that masquerade as something else and allow hackers to take control of your machine, browse your drives, upload or download data, etc. For example, in 1999, a Trojan program file called Picture.exe was designed to collect personal data from the hard disk of an infiltrated computer and send it to a specific e-mail address. So-called Trojan ports are popular avenues of attack for these programs. A list of these hostile ports and the types of attacks that use them is located on the DoShelp site.
  • Registry attack: In this type of attack, a remote user connects to a Windows machine’s registry and changes the registry settings. To prevent such an attack, configure permissions so that the Everyone group does not have access.
  • Password hijacking attacks: The easiest way to gain unauthorized access to a protected system is to find a legitimate password. This can be done via social engineering (getting authorized users to divulge their passwords via persuasion, intimidation, or trickery) or using brute force—that is, trying one possible password after another until one works. Password cracker programs automate this guessing process.

Protecting your network from intruders and attackers
To be effective, network security should be multilayered. You would protect your home from burglars by installing fencing at the property line (perimeter), putting locks on the doors and windows, installing a motion detector inside the house, and finally putting very valuable items in a safe concealed in the wall.

Likewise, your network needs its own levels of protection: perimeter protection (a firewall) at the point it connects to the Internet, access controls (user accounts and permissions) to restrict access to data if someone does get into the network, and encryption of particularly sensitive data.

A good firewall is your first line of defense, so ensure that the one you choose allows you to filter incoming data at more than one layer of the OSI networking model. For example, ISA Server’s firewall function supports packet filtering, circuit filtering, and application filtering. It also integrates with Windows 2000’s Active Directory. Modern dedicated firewall appliances such as Cisco’s PIX can provide high-speed throughput and built-in IPSec encryption and are easy to install and configure. Whether you choose a hardware- or software-based solution, a good firewall should offer centralized management, the ability to work transparently with common Internet applications, and support for virtual private networking. For a good list of available firewall products, see the Firewall site. For more information on Microsoft’s ISA Server, take a look at the ISA Server site, and for more information on Cisco’s PIX and IOS firewall solutions, see Cisco’s site.

Protection against network intrusions and attacks is a topic that’s on every IT professional’s mind today. Before you can effectively secure your network, it’s important to know thine enemy and understand the types of attacks to which your network may be vulnerable. In this Daily Drill Down, I have provided a broad overview of how intrusions and attacks can be categorized and how the most common application, operating system, and protocol exploits work.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

About Deb Shinder

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

Editor's Picks

Free Newsletters, In your Inbox