Dos Attack example

1. Tear Drop attack:

The modified IP packet is sent to the destination host, the length of the IP header is negative, the packet length is treated as unsigned integer, and the system attempts to replicate the extremely long packet, which may crash or restart

Detailed

For some large IP packets, it is often necessary to split the transmission, this is to meet the link layer of the MTU (maximum transmission unit) requirements. For example, a 6 000-byte IP packet needs to be divided into 3 IP packets when it is transmitted over a link on the MTU 2 000. There is an offset field and a split flag (MF) in the IP header. If the MF flag is set to 1, the IP packet is a fragment of a large IP packet, where the offset field indicates the location of the fragment in the entire IP packet. For example, if a 6 000-byte IP packet is split (the MTU is 2 000), the value of the offset field in the 3 fragment is 0, and 2 000,4 000. This enables the receiving end to reassemble the split IP packets that are received after the IP packets have been fully received. Here's a security breach that can be exploited, that is, if the hacker is intercepting the IP packet, the offset field is set to an incorrect value, so that the receiving end will not be able to combine the split packets according to the offset field values in the packet after receiving the split packets, but the receiver can keep trying, This can cause the target computer operating system to crash due to resource exhaustion.

A teardrop attack uses the information contained in the header of the packet that modifies the IP fragment in the TCP/IP stack to implement its own attack. The IP fragment contains information indicating which paragraph of the original package the fragment contains. TCP/IP for some operating systems, such as SP4 's previous Windows NT 4.0, crashes when it receives a forged fragment with overlapping offsets, but the new operating system is basically able to fend for itself against this attack.

Defense methods: The method of detecting such attacks is to analyze the packets received and calculate whether the packet offset (offset) is incorrect. The method of the counter attack is to add the system patch, discard the sick fragmented packets received and audit the attack. Use the latest operating system as much as possible, or set up a staging function on the firewall, which receives all split packets from the same original package first, and then completes the reorganization instead of forwarding directly. Because you can set the rules that are used when overlapping fields appear on the firewall.

This column more highlights: http://www.bianceng.cnhttp://www.bianceng.cn/Network/Security/

2.Ping of Death: Sending a large number of extra long ICMP packets (over 65500 bytes) to the destination host, consuming system resources

The death of ping Introduction:

Attack feature: The attack packet is greater than 65,535 bytes. Because some operating systems receive packets that are larger than 65535 bytes in length, they can result in memory overflow, system crash, reboot, kernel failure, and so on, to achieve the purpose of the attack.

Detection method: Determines whether the packet size is greater than 65,535 bytes.

Anti-attack method: Using a new patch, discard the packet when it receives a packet greater than 65,535 bytes, and perform a system audit.

3.Smurf attack:

Send a disguised ICMP packet, the destination is set to the broadcast address of a network, the source address is set to attack the destination host, so that all the host receiving this ICMP packet will send a response to the destination host, so that the attacked host in a certain period of time to receive thousands of packets

4.SYN overflow: Use TCP protocol flaw, send a lot of fake TCP connection request, make the victim's resources exhausted, unable to respond or handle the normal service request in time

5.DDoS: Distributed denial of service attacks are an extension of Dos attacks and are a distributed, collaborative, large-scale attack.

This article from "Hello_ Small Strong" blog, please be sure to retain this source http://xiaozhuang.blog.51cto.com/4396589/907998