Analysis of common network attack methods


Reprinted: http://blog.chinaunix.net/uid-11572501-id-2868683.html

1. TCP SYN denial of service attack

Establishing a TCP connection normally takes three handshakes: 1. the initiator sends a TCP SYN packet to the target computer; 2. on receiving the SYN packet, the target computer creates a TCP connection control block (TCB) in memory, sends a TCP ACK packet back to the initiator, and waits for the initiator's response; 3. on receiving the TCP ACK packet, the initiator returns an ACK packet, and the TCP connection is established. A malicious attacker can abuse this process to launch a so-called TCP SYN denial of service attack: 1. the attacker sends a TCP SYN packet to the target computer; 2. on receiving the packet, the target computer creates a TCP connection control structure (TCB), responds with an ACK and waits for the initiator's response; 3. the initiator never answers the target computer's ACK packet, so the target computer remains in the waiting state. If the target computer receives a large number of TCP SYN packets but never receives the third ACK response from the initiators, it keeps all of them waiting. If many half-open connections sit in this state, the target computer's resources (the TCB control structures, which are limited in number) are used up and it can no longer respond to normal TCP connection requests.

2. ICMP flood

Under normal circumstances, to diagnose the network, diagnostic programs such as ping send ICMP echo request packets (ICMP echo); the computer that receives the ICMP echo returns an ICMP echo reply message. This processing needs CPU time and in some cases can consume a large amount of resources, such as processing components. So if an attacker sends a large number of ICMP echo packets to the target computer (an ICMP flood), the target computer is kept busy processing these echo packets and cannot process other network packets. This too is a denial of service (DoS) attack.
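As an added example (not part of the original article), the following Python models the target's half-open TCB table from section 1 and replays a constructed packet trace, so the exhaustion the text describes can be measured and the offending source identified; the capacity, timeout and addresses are assumed values.

```python
from collections import defaultdict

# Assumed (illustrative) capacity of the target's half-open TCB table and the
# time after which an unanswered SYN-ACK is abandoned.
TCB_CAPACITY = 8
HALF_OPEN_TIMEOUT = 10.0  # seconds


def track_half_open(packets, capacity=TCB_CAPACITY, timeout=HALF_OPEN_TIMEOUT):
    """Replay (time, src_ip, src_port, flags) packets as the target sees them.

    flags is a set such as {"SYN"} or {"ACK"}.  Returns the half-open count
    per source at the end of the trace, how many SYNs were dropped because
    the table was full, how many handshakes completed, how many entries
    timed out, and the final table occupancy.
    """
    half_open = {}      # (src_ip, src_port) -> time the TCB was created
    dropped = completed = expired = 0
    for t, src_ip, src_port, flags in packets:
        # Give up on entries that never received the third-handshake ACK.
        stale = [k for k, created in half_open.items() if t - created > timeout]
        for k in stale:
            del half_open[k]
            expired += 1
        key = (src_ip, src_port)
        if "SYN" in flags and "ACK" not in flags:
            if key in half_open:
                continue                # retransmitted SYN; slot already held
            if len(half_open) >= capacity:
                dropped += 1            # TCB table exhausted: this SYN gets no service
                continue
            half_open[key] = t          # step 2: TCB created, SYN-ACK sent
        elif "ACK" in flags and key in half_open:
            del half_open[key]          # step 3: handshake completed, slot freed
            completed += 1
    per_source = defaultdict(int)
    for src_ip, _ in half_open:
        per_source[src_ip] += 1
    return {
        "half_open_by_source": dict(per_source),
        "dropped_syns": dropped,
        "completed": completed,
        "expired": expired,
        "occupancy": len(half_open) / capacity,
    }


def flood_suspects(summary, min_half_open=3):
    """Sources that hold at least min_half_open slots without completing them."""
    return sorted(ip for ip, n in summary["half_open_by_source"].items()
                  if n >= min_half_open)


# Constructed trace: 203.0.113.9 sends SYNs and never answers the SYN-ACK,
# while 198.51.100.5 completes one normal handshake and then gets no service.
SAMPLE_TRACE = [
    (0.0, "203.0.113.9", 40000, {"SYN"}),
    (0.1, "203.0.113.9", 40001, {"SYN"}),
    (0.2, "198.51.100.5", 50000, {"SYN"}),
    (0.3, "198.51.100.5", 50000, {"ACK"}),   # third handshake: connection established
    (0.4, "203.0.113.9", 40002, {"SYN"}),
    (0.5, "203.0.113.9", 40003, {"SYN"}),
    (0.6, "203.0.113.9", 40004, {"SYN"}),
    (0.7, "203.0.113.9", 40005, {"SYN"}),
    (0.8, "203.0.113.9", 40006, {"SYN"}),
    (0.9, "203.0.113.9", 40007, {"SYN"}),
    (1.0, "198.51.100.5", 50001, {"SYN"}),  # legitimate SYN, but the table is full
    (1.1, "203.0.113.9", 40008, {"SYN"}),
]

if __name__ == "__main__":
    summary = track_half_open(SAMPLE_TRACE)
    print(summary)
    print("suspects:", flood_suspects(summary))
```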

3. UDP flood

The principle is similar to the ICMP flood: attackers send a large number of UDP packets to the target computer, keeping it busy processing these UDP packets so that it cannot process normal packets.

4. Port scanning

According to the TCP protocol specification, when a computer receives a TCP connection request packet (TCP SYN), it does the following: 1. if the requested TCP port is open, it returns a TCP ACK packet and creates a TCP connection control structure (TCB); 2. if the requested TCP port is not open, it responds with a TCP RST packet (the RST flag in the TCP header set to 1), telling the initiator that the port is not open. Correspondingly, when the IP protocol stack receives a UDP packet, it proceeds as follows: 1. if the packet's target port is open, the UDP packet is handed to the upper-layer protocol (UDP) for processing and no packet is sent in response (the upper-layer protocol may respond depending on the result of its processing); 2. if the packet's target port is not open, it responds with an ICMP unreachable packet, telling the initiator that the port of the UDP packet cannot be reached.

Using this principle, attackers can send appropriate packets to determine which TCP or UDP ports are open on the target computer. The process is as follows:

1. Send TCP SYN or UDP packets whose port numbers increase sequentially from 0 (the port number is a 16-bit number, so the maximum value is 65535 and the range is quite limited); 2. if an RST packet is received for a TCP probe, or an ICMP unreachable packet for a UDP probe, that port is not open; 3. conversely, if an ACK packet is received for the TCP SYN packet, the TCP port is open, and if no ICMP packet is received for the UDP packet, the UDP port may be open (some implementations do not send ICMP unreachable packets even when the UDP port is not open). In this way the attacker can easily determine which TCP or UDP ports are open on the target computer and then direct the next attack at those port numbers. This is the so-called port scan attack.

5. Fragmented IP packet attacks

In order to send a large IP packet, the IP protocol stack has to fragment it according to the MTU of the link interface; by filling in the fragmentation fields in the IP header appropriately, the receiving computer can easily reassemble these IP fragments.

When the target computer processes these fragments, it caches the first fragment and waits until the remaining fragments arrive. This process consumes some memory and some data structures of the IP protocol stack. If the attacker sends only one fragment of a packet to the target computer rather than all of them, the target computer waits until an internal timer expires; if the attacker sends a large number of such fragments, the target computer's resources are consumed and normal IP packets can no longer be handled. This is also a DoS attack.
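The stack responses section 4 above describes (RST for a closed TCP port, ICMP unreachable for a closed UDP port) are what a defender can count. This added example, not from the original article, tallies distinct closed-port answers per source over a sliding window; the window, threshold and the constructed reply records are assumptions.

```python
from collections import defaultdict

WINDOW_SECONDS = 5.0          # assumed sliding window; tune for the network
CLOSED_PORT_THRESHOLD = 5     # distinct closed ports per source that raise an alert

# Replies that prove a probed port was closed, per section 4: a TCP RST for a
# SYN, an ICMP port-unreachable for a UDP datagram.
CLOSED_PORT_REPLIES = {("tcp", "RST"), ("udp", "ICMP_UNREACH")}


def detect_port_scans(replies, window=WINDOW_SECONDS, threshold=CLOSED_PORT_THRESHOLD):
    """replies: (time, probing_ip, proto, probed_port, reply) records of what
    the monitored host sent back.  Returns {probing_ip: sorted closed ports}
    for each source that collected >= threshold distinct closed-port answers
    within one window.
    """
    history = defaultdict(list)   # probing_ip -> [(time, proto, port)]
    alerts = {}
    for t, ip, proto, port, reply in replies:
        if (proto, reply) not in CLOSED_PORT_REPLIES:
            continue              # an answer that does not indicate a closed port
        hist = [h for h in history[ip] if t - h[0] <= window]
        hist.append((t, proto, port))
        history[ip] = hist
        closed = {(p, q) for _, p, q in hist}
        if len(closed) >= threshold:
            alerts[ip] = sorted(closed)
    return alerts


# Constructed replies.  203.0.113.7 walks through several TCP and UDP ports;
# 198.51.100.20 has a single failed connection, which is normal behaviour.
SAMPLE_REPLIES = [
    (0.0, "203.0.113.7", "tcp", 20, "RST"),            # too old for the later window
    (10.0, "203.0.113.7", "tcp", 21, "RST"),
    (10.1, "203.0.113.7", "tcp", 23, "RST"),
    (10.2, "198.51.100.20", "tcp", 8080, "RST"),
    (10.3, "203.0.113.7", "tcp", 25, "RST"),
    (10.4, "203.0.113.7", "udp", 161, "ICMP_UNREACH"),
    (10.5, "203.0.113.7", "udp", 53, "REPLY"),         # open UDP port; the service answered
    (10.6, "203.0.113.7", "udp", 162, "ICMP_UNREACH"),
]

if __name__ == "__main__":
    for ip, ports in detect_port_scans(SAMPLE_REPLIES).items():
        print(ip, "probed closed ports:", ports)
```

Silently dropped UDP probes produce no reply and so cannot be counted here, which is exactly the ambiguity the text notes for UDP ports.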

6. SYN and FIN bits both set

The TCP packet header has several flag fields: 1. SYN: the connection establishment flag; TCP SYN packets set this flag to 1. 2. ACK: the acknowledgement flag; in a TCP connection this flag is set in every packet except the first one (the TCP SYN). 3. FIN: the end flag; when a computer receives a TCP packet with the FIN flag, the TCP connection is torn down. 4. RST: the reset flag; when the IP protocol stack receives a TCP packet for a port that does not exist, it responds with a packet with the RST flag set. 5. PSH: tells the protocol stack to hand the TCP data to the upper-layer program as soon as possible.

Under normal circumstances, the SYN flag (connection request) and the FIN flag (connection teardown) cannot appear in the same TCP packet. Moreover, the RFC does not specify how the IP protocol stack should handle such malformed packets, so the protocol stacks of different operating systems process them differently. Attackers use this to determine the operating system type by sending packets with both SYN and FIN set, and then mount further attacks tailored to that operating system.

7. TCP packets with no flags set

Under normal circumstances, any TCP packet has at least one of the SYN, FIN, ACK, RST and PSH flags set: the first TCP packet (the connection request) sets the SYN flag, and all subsequent packets set the ACK flag. Some protocol stacks are written on this assumption and do not handle TCP packets with no flags at all, so such a stack may crash when it receives one. Attackers exploit this to attack the target computer.
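Sections 6 and 7, together with the rule that every segment after the initial SYN carries ACK, define which flag combinations a stack or filter should refuse. The following is an added example (not from the original article) that decodes the flag byte of a raw TCP header and classifies it; the sample headers are constructed.

```python
import struct

# Flag bits in byte 13 of the TCP header (the low byte of the offset/flags word).
TCP_FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
                 "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def parse_flags(tcp_header):
    """Return the set of flag names set in a raw TCP header (at least 14 bytes)."""
    if len(tcp_header) < 14:
        raise ValueError("truncated TCP header")
    byte = tcp_header[13]
    return {name for name, bit in TCP_FLAG_BITS.items() if byte & bit}


def classify_flags(flags):
    """Return None for a plausible combination, otherwise a reason to drop it.

    The rules are the ones stated in the text: no flags at all is invalid,
    SYN and FIN never occur together, and every segment after the initial
    SYN carries ACK (so FIN without ACK is malformed).  RST is exempted from
    the ACK rule because RFC 793 lets a host answer an unacceptable segment
    with a bare RST.
    """
    if not flags:
        return "no flags set (null segment)"
    if "SYN" in flags and "FIN" in flags:
        return "SYN and FIN both set"
    if not flags & {"SYN", "ACK", "RST"}:
        return "non-SYN segment without ACK (e.g. FIN without ACK)"
    return None


def tcp_header(flags, sport=40000, dport=139):
    """Build a minimal 20-byte TCP header carrying the given flags (constructed sample)."""
    byte = 0
    for name in flags:
        byte |= TCP_FLAG_BITS[name]
    # src port, dst port, seq, ack, data offset (5 words) << 4, flags, window,
    # checksum, urgent pointer; the checksum is left at zero for this sample
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, byte, 8192, 0, 0)


SAMPLES = {
    "normal SYN": tcp_header({"SYN"}),
    "SYN+FIN fingerprint probe": tcp_header({"SYN", "FIN"}),
    "null segment": tcp_header(set()),
    "FIN without ACK": tcp_header({"FIN"}),
    "normal FIN": tcp_header({"FIN", "ACK"}),
    "bare RST": tcp_header({"RST"}),
}


def audit(samples=SAMPLES):
    """Classify each sample header; None means the flags looked legitimate."""
    return {name: classify_flags(parse_flags(hdr)) for name, hdr in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:28s} -> {verdict or 'ok'}")
```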

8. TCP packet attacks with the FIN flag but no ACK flag

Under normal circumstances, apart from the first packet (the SYN packet), all packets have the ACK flag set, including the connection teardown packets (packets with the FIN flag). However, some attackers send TCP packets with the FIN flag but no ACK flag to the target computer, which may cause the target computer to crash.

9. Ping of death

The TCP/IP specification requires the length of an IP packet to lie within a certain range (for example, 0 to 64 KB). However, some attacking computers send ping packets larger than 64 KB to the target computer, crashing the IP protocol stack of the target computer.

10. Address guessing attacks

These are similar to port scanning attacks. The attacker probes for the existence of target computers by sending a large number of ICMP echo packets with varying destination addresses. If a corresponding ICMP echo reply message comes back, the target computer exists, and the next attack can be directed at it.

11. Teardrop attacks

Some large IP packets have to be transmitted in fragments to satisfy the MTU (maximum transmission unit) of the link layer. For example, a 4500-byte IP packet is divided into three IP packets when transmitted over a link with an MTU of 1500.

The IP header has an offset field and a more-fragments flag (MF). If the MF flag is set to 1, the IP packet is a fragment of a larger IP packet, and the offset field gives the position of this fragment within the whole packet. For example, if a 4500-byte IP packet is fragmented (MTU of 1500), the offset fields of the three fragments are 0, 1500 and 3000 respectively. The receiver reassembles the IP packet from this information.
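The offset and MF handling just described, the fragment caching of section 5 and the oversize packets of section 9 can all be enforced in one reassembler. This is an added example, not from the original article; it works in bytes for readability (the real IPv4 offset field counts 8-byte units) and its fragments are constructed from the text's 4500-byte, 1500-MTU case.

```python
MAX_DATAGRAM = 65535          # largest IPv4 datagram; longer ones are the ping of death


class FragmentError(ValueError):
    """A fragment layout the reassembler refuses to buffer."""


def reassemble(fragments):
    """fragments: iterable of (offset_bytes, more_fragments, payload).

    Returns the reassembled payload once every byte is present, None while
    pieces are still missing (the caller keeps the fragments cached until its
    reassembly timer expires), and raises FragmentError for fragments that
    overlap, run past 65535 bytes, or lie beyond the declared last fragment.
    """
    seen = []        # (start, end) byte ranges accepted so far
    pieces = {}      # start -> payload
    total = None     # end of the fragment with MF == 0
    for offset, more, payload in sorted(fragments, key=lambda f: f[0]):
        start, end = offset, offset + len(payload)
        if end > MAX_DATAGRAM:
            raise FragmentError(f"fragment ends at byte {end}, past {MAX_DATAGRAM}")
        for s, e in seen:
            if start < e and s < end:
                raise FragmentError(f"fragment [{start},{end}) overlaps [{s},{e})")
        if not more:
            if total is not None and total != end:
                raise FragmentError("two different fragments claim to be the last")
            total = end
        seen.append((start, end))
        pieces[start] = payload
    if total is None:
        return None                          # last fragment not received yet
    if any(s >= total for s, _ in seen):
        raise FragmentError("fragment lies beyond the last fragment")
    if sum(e - s for s, e in seen) != total:
        return None                          # a gap remains; keep waiting
    return b"".join(pieces[s] for s in sorted(pieces))


def inspect(fragments):
    """Wrap reassemble() into a (verdict, detail) pair for reporting."""
    try:
        data = reassemble(fragments)
    except FragmentError as exc:
        return "rejected", str(exc)
    return ("complete", data) if data is not None else ("incomplete", None)


def sample_fragments(total=4500, mtu=1500):
    """Split a constructed payload as the text describes: a 4500-byte datagram
    over a 1500-byte MTU becomes three fragments at offsets 0, 1500 and 3000
    (header overhead ignored, matching the article's arithmetic)."""
    payload = (bytes(range(256)) * (total // 256 + 1))[:total]
    return payload, [(off, off + mtu < total, payload[off:off + mtu])
                     for off in range(0, total, mtu)]


def teardrop_style(fragments):
    """Same three fragments, but the middle one's offset is rewritten to 3000
    so it collides with the last fragment, as the text describes."""
    first, second, third = fragments
    return [first, (3000, second[1], second[2]), third]


if __name__ == "__main__":
    payload, frags = sample_fragments()
    print(inspect(frags)[0], inspect(frags)[1] == payload)
    print(inspect(frags[:2]))                         # waiting for the last piece
    print(inspect(teardrop_style(frags)))             # overlapping offsets rejected
    print(inspect([(65000, False, b"\x00" * 1000)]))  # oversize datagram rejected
```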

If an attacker breaks this normal arrangement by setting the offset field to an incorrect value, the fragments may overlap or leave gaps, which may crash the target operating system. For example, the offset is set to 3000. This is called a teardrop attack.

12. IP packets with the source route option

To implement some additional functions of IP packets, the IP protocol specification adds an option field to the IP header. This field can carry data that instructs intermediate devices (routers) or the final target computer to process these IP packets in particular ways.

The source route option is one of them. As the name suggests, the source route option directs how intermediate devices (routers) forward the packet, that is, the transmission path of the packet is specified explicitly. For example, if an IP packet is to pass through three routers R1, R2 and R3, the interface addresses of the three routers can be listed explicitly in the source route option; then no matter what the routing tables on the three routers say, the IP packet passes through R1, R2 and R3 in sequence. In addition, the source and destination addresses of IP packets carrying the source route option change continuously during transmission, so attackers can forge legitimate IP addresses and bypass network controls.

13. IP packets with the record route option

The record route option is another IP option. When a router forwards an IP packet carrying this option, it fills its interface address into the option field, so that by the time the packet reaches its destination the entire path of the packet is recorded in the option data. With such packets, attackers can easily determine the path the packets take, which makes it easier for them to find vulnerabilities to attack.

14. IP packets with unknown protocol fields

The IP packet header has a protocol field that specifies which protocol the IP packet carries. For example, a value of 1 indicates that the IP packet carries an ICMP packet, 6 indicates TCP, and so on. Currently the values of this field are all less than 100; an IP packet with a protocol field greater than 100 may be invalid, and such packets may damage the protocol stacks of some computer operating systems.

15. IP Address Spoofing

Generally, when a router forwards a packet, it only looks up the routing table by the packet's destination address, regardless of the packet's source address. This brings a risk: if an attacker sends a packet to a target computer with the packet's source address filled in as the IP address of some third party, then after the packet arrives the target computer may respond to an unsuspecting third-party computer. This is the so-called IP address spoofing attack.

The famous SQL Server worm uses this principle. This virus (which can be regarded as an attacker) sends a Resolution Service UDP packet to a server running the SQL Server Resolution Service, with the packet's source address filled in as another server that runs the SQL Server Resolution Service (SQL Server 2000 or later). Because of a vulnerability in the SQL Server Resolution Service, the UDP packet may bounce back and forth between the two servers, paralysing the servers or the network.

16. WinNuke attack

As a basic network resource access interface, NetBIOS is widely used for file sharing, print sharing, inter-process communication (IPC) and data exchange between different operating systems. Originally NetBIOS ran over the LLC2 link protocol as a multicast-based network access interface. To implement NetBIOS on the TCP/IP protocol stack, the RFCs define a series of interaction standards and several common TCP/UDP ports:

139: TCP port of NetBIOS session service; 137: UDP port of NetBIOS Name Service; 136: UDP port of NetBIOS datagram service.

Earlier versions of Windows (Windows 95/98/NT) built their network services (file sharing and so on) on NetBIOS, so these operating systems all have port 139 open. For compatibility, the newer versions (Windows 2000/XP/2003 and so on) also enable NetBIOS over TCP/IP and open port 139.

The WinNuke attack uses a vulnerability in the Windows operating system: it sends TCP out-of-band (OOB) data packets to port 139. The difference between these attack packets and normal OOB data packets is that the pointer field is inconsistent with the actual location of the data, that is, there is an overlap, so that the Windows operating system crashes when it processes the data.

17. Land attacks

The land attack uses the three-way handshake of TCP connection establishment: it attacks the target computer by sending it a TCP SYN packet (connection request packet). Unlike normal TCP SYN packets, the land attack packet's source IP address and destination IP address are the same, both being the IP address of the target computer. After receiving the SYN packet, the target computer sends an ACK packet to the packet's source address and creates a TCP connection control structure (TCB); since the source address of the packet is itself, the ACK packet is sent to itself. In this way, if the attacker sends enough SYN packets, the target computer's TCBs may run out and its services fail. This is also a DoS attack.

18. Script/ActiveX attacks

A script is an executable program written in a scripting language, such as the common JavaScript and VBScript. Executing a script requires a dedicated interpreter that translates it into computer instructions and runs them on the local computer. The advantage of scripts is that a large number of functions can be accomplished by writing very little code.

An important use of scripts is to embed them in web pages to carry out functions the static web page markup language (HTML) cannot, such as local computation, database queries and modifications, and extracting system information. These scripts provide convenience and powerful functions, but also give attackers a convenient way to attack. If attackers write scripts that damage the system and embed them in web pages, then once these pages are downloaded to the local computer, the computer executes the scripts with the permissions of the current user, so the script can do anything the current user is permitted to do. One can imagine how much damage such malicious scripts can do. This is the so-called script attack.

ActiveX is a control object built on Microsoft's Component Object Model (COM), and COM is almost the basic structure of the Windows operating system. Simply put, these control objects consist of methods and properties: methods are operations and properties are specific data. An application can load such a control object and then access its methods or properties to accomplish specific functions. It can be said that COM provides a binary compatibility model (binary compatibility means that a program module is independent of the compilation environment of its caller, or even of the operating system). Note, however, that such a control object cannot execute by itself, because it has no process space of its own; it can only be loaded by another process, which then calls the methods and properties in the control. At that point these controls are loaded into the process just like executable modules of the operating system, such as DLL libraries.

ActiveX controls can be embedded in web pages. When a browser downloads such a page, the ActiveX controls embedded in it are downloaded too, and they then run in the process space of the local browser (ActiveX controls have no process space of their own and can only be loaded and called by other processes). They therefore run with the current user's permissions and can do great damage. If a malicious attacker writes an ActiveX control containing malicious code, embeds it in a web page, and a browser user downloads and executes it, the damage is very high. This is the so-called ActiveX attack.

19. Smurf attacks

The ICMP echo request packet is used to diagnose the network: when a computer receives such a packet, it returns an ICMP echo reply to the packet's source address. Generally, the computer does not check the source address of the echo request. So if a malicious attacker sets the source address of the echo to a broadcast address, the destination address of the computer's reply is the broadcast address, and every computer on the local network has to process these broadcast packets. If the attacker sends enough echo request packets, the whole network may be overwhelmed by the reply broadcasts they generate. This is the so-called Smurf attack.

Besides setting the source address of the echo packet to the broadcast address, attackers may also set it to a subnet broadcast address, so that the computers on that subnet are affected.

20. Virtual terminal (vty) exhaustion attack

This is an attack against network devices such as routers and switches. To facilitate remote management, these devices are usually configured with a number of Telnet user interfaces, that is, users can telnet to the device to manage it.

Generally, the number of Telnet user interfaces on these devices is limited, for example five or ten. So if an attacker establishes five or ten Telnet connections to the same network device at the same time, the device's remote management interfaces are exhausted, and when a legitimate user then tries to manage the device remotely, the attempt fails because all the telnet connection resources are in use.

21. Routing protocol attacks

Network devices often run dynamic routing protocols to exchange routing information; these protocols build routing tables and distribute routes. Common routing protocols include RIP, OSPF, IS-IS and BGP. They make managing and transmitting routing information convenient, but they also have defects. If attackers exploit these defects to attack the network, the routing tables of network devices may be corrupted (which may interrupt the network), the resources of network devices may be heavily consumed, or the devices may even be paralysed.

The following lists the attack methods and principles for some common routing protocols:

1. Attacks against the RIP protocol

RIP, the Routing Information Protocol, maintains its routing table through periodic (usually every 30 s) route update messages. When a router running RIP receives a route update packet on an interface, it analyses the routing information and compares it with its own routing table; if it considers the received routing information better than its own, it enters that routing information into its routing table.

So if an attacker sends a manually constructed, destructive route update packet to a router running RIP, the router's routing table is easily corrupted and the network interrupted. If the router running RIP enables HMAC verification of route update messages, this attack can largely be avoided.
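The HMAC verification recommended here (and again for OSPF and IS-IS below) can be illustrated with a small authenticated-update exchange. This is an added example, not from the original article and not the wire format of RFC 2082 or OSPF's cryptographic authentication: it uses HMAC-SHA256 over a simplified JSON update with a sequence number, which is the replay defence those mechanisms also rely on, and the key and routes are constructed.

```python
import hashlib
import hmac
import json

TAG_LEN = hashlib.sha256().digest_size      # 32-byte HMAC-SHA256 tag appended to each update
SHARED_KEY = b"constructed-demo-key-change-me"  # constructed sample key shared by the routers


def encode_update(routes, seq):
    """Canonical bytes for an update: sorted-key JSON so both sides hash the same thing."""
    return json.dumps({"seq": seq, "routes": routes}, sort_keys=True).encode()


def sign_update(routes, seq, key):
    """Sender side: the update body followed by the HMAC over that body."""
    body = encode_update(routes, seq)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiving router: verifies the tag, then the sequence number, then installs routes."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1
        self.table = {}

    def accept(self, message):
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad authentication tag"      # forged or tampered
        update = json.loads(body)
        if update["seq"] <= self.last_seq:
            return "rejected: replayed or stale sequence number"
        self.last_seq = update["seq"]
        self.table.update(update["routes"])
        return "accepted"


def demo():
    """Four updates: genuine, forged with a guessed key, tampered in transit, replayed."""
    rx = Receiver(SHARED_KEY)
    results = []
    genuine = sign_update({"10.1.0.0/16": "10.0.0.2"}, seq=1, key=SHARED_KEY)
    results.append(rx.accept(genuine))
    forged = sign_update({"0.0.0.0/0": "203.0.113.66"}, seq=2, key=b"guessed-key")
    results.append(rx.accept(forged))
    tampered = genuine.replace(b"10.0.0.2", b"10.0.0.9")     # next hop altered, tag now stale
    results.append(rx.accept(tampered))
    results.append(rx.accept(genuine))                        # captured and re-sent later
    return results, rx.table


if __name__ == "__main__":
    for outcome in demo()[0]:
        print(outcome)
```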

2. OSPF route protocol attacks

OSPF (Open Shortest Path First) is a widely used link state routing protocol. Being based on the link state algorithm, it converges fast, is stable and free of loops, and suits large-scale computer networks. OSPF routers exchange their local link information by establishing adjacencies and then form a network-wide link state database, from which each router can easily compute its routing table.

So if an attacker impersonates a legitimate router, establishes an adjacency with a router in the network, and injects a large number of link state advertisements (LSAs, the data units that make up the link state database), the routers are led to build an incorrect network topology, the routing tables of the entire network are corrupted, and the whole network is paralysed. Current versions of Windows (Windows 2000/XP and so on) all implement OSPF routing, so an attacker can easily use the routing modules provided by these operating systems to launch such attacks. As with RIP, if OSPF packet verification (HMAC verification) is enabled, this attack can largely be avoided.

3. Attacks against the IS-IS routing protocol

The IS-IS (Intermediate System to Intermediate System) routing protocol was proposed by ISO for routing the ISO CLNS network service. It is also a link state protocol, similar in principle to OSPF, and has been extended to run in IP networks and route IP packets. It too synchronises the link state database by establishing neighbour relationships and collecting the routers' local link state. Its neighbour establishment is simpler than OSPF's, and some special features of OSPF are omitted, making the protocol simpler and more scalable.

Attacks against this protocol resemble those against OSPF: simulation software establishes a neighbour relationship with a router running the protocol and then sends a large number of link state PDUs (LSPs) to the attacked router, leaving the link state databases of the routers across the network inconsistent (the link state databases of all routers in the network must be synchronised to the same state), so that routing tables no longer match reality and the network is interrupted.

As with OSPF, if the router running this protocol enables HMAC verification of IS-IS protocol data units (PDUs), this attack can largely be avoided.

22. Attacks against device forwarding tables

To forward data efficiently within limited resources, network devices usually create table entries such as the MAC address table, ARP table, routing table and fast forwarding table, as well as tables keyed on more packet header fields, such as multi-layer switching tables and flow tables. These tables are stored in the device's local memory or chip memory, which is limited. If an attacker sends suitable packets that induce the device to create a large number of such entries, the device's storage structures are exhausted and it can no longer forward data normally, or it crashes.

The following describes the attack principles for several common kinds of table entry:

1. Attacks against the MAC address table

The MAC address table is generally kept on an Ethernet switch: by analysing the destination MAC address of a received frame, the switch looks up its local MAC address table and makes the appropriate forwarding decision. These MAC address tables are generally built by learning. After the switch receives a frame it goes through a learning process like this: a) extract the source MAC address of the frame and the number of the port on which it was received; b) look up the MAC address table to see whether the MAC address exists and whether the corresponding port matches; c) if the MAC address is not in the local MAC address table, create a MAC address table entry; d) if the MAC address exists but the corresponding output port does not match the port that received the frame, update the entry; e) if the entry exists and the port matches, proceed to the next step. This analysis shows that if an attacker sends a large number of frames with different source MAC addresses to a switch, the switch may fill up its local MAC address table. Once the MAC address table overflows, the switch can no longer learn correct MAC entries, which may generate a large amount of redundant network traffic or even crash the switch. Constructing frames with different source MAC addresses is very easy.

2. ARP table attacks

The ARP table is a mapping table between IP addresses and MAC addresses. Any device implementing the IP protocol stack usually maintains the mapping between IP addresses and MAC addresses, so as to avoid the impact on the network of the broadcast packets that ARP resolution produces. ARP tables are generally built in two ways: 1) active resolution: if a computer wants to communicate with another computer whose MAC address it does not know, it issues an ARP request and builds the entry through the ARP protocol (provided the two computers are on the same IP subnet); 2) passive request: if a computer receives an ARP request from another computer, it creates a local entry mapping the requesting computer's IP address to its MAC address. Therefore, if an attacker sends a large number of ARP requests with varying IP and MAC addresses to the same device, such as a layer-3 switch, the attacked device may crash from ARP cache overflow. Another possible attack on ARP entries is to mislead a computer into creating an incorrect ARP entry. According to the ARP protocol, when a computer receives an ARP request packet, it updates its ARP cache with the source IP address and source MAC address in the ARP request packet if: 1) the IP address that sent the ARP request is already in its local ARP cache; 2) the target IP address of the request is not its own. An example illustrates this process. Assume there are three computers A, B and C, and that B has correctly built ARP table entries for computers A and C. Assume A is an attacker. Now A sends an ARP request message constructed as follows: 1) the source IP address is the IP address of C and the source MAC address is the MAC address of A; 2) the target IP address of the request is the IP address of.

In this way, when B receives the ARP request packet (an ARP request is a broadcast packet and is received by every device on the network), it finds that the sender's IP address is already in its cache, but the cached MAC address does not match the source MAC address of the received request. Therefore, following the ARP protocol, it updates the ARP entry with the source MAC address of the ARP request (that is, the MAC address of A).

In this way, B's ARP cache now contains an incorrect ARP entry: the IP address of C mapped to the MAC address of A. As a result, all data that B sends to C is received by computer A.

3. Attacks against the flow table

To speed up forwarding, some network devices create a so-called flow cache. A flow can be understood as the data stream between a process on one computer and a process on another computer. Expressed in TCP/IP terms, every packet is identified by a five-tuple (source IP address, destination IP address, protocol number, source port number and destination port number).

A flow cache table is usually indexed by this five-tuple. When a device receives an IP packet, it first analyses the IP header, extracts the five-tuple, hashes it and looks up the flow cache with the result. If the lookup succeeds, the packet is processed according to the cached entry. If it fails, a new flow cache entry is created: the routing table is queried, the complete flow cache entry is filled in from the routing lookup, and the packet is forwarded (whether the forwarding happens before or after the flow entry is created is not important here).

So if an attacker sends a large number of packets with varying source or destination IP addresses, a large number of flow entries may be created on the device, because different source and destination IP addresses correspond to different flows. This may cause the flow cache to overflow.
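The A/B/C walkthrough in subsection 2 (ARP table attacks) above can be replayed directly. This added example (not from the original article) implements the cache update rule exactly as the text states it and, beside it, a passive monitor that flags the IP-to-MAC change, which is what a defender's ARP watcher reports; the addresses are constructed.

```python
class ArpCache:
    """Host B's ARP cache, applying the update rule the text describes: the
    sender of an ARP request whose IP is already cached overwrites the cached
    MAC, provided the request is not aimed at B itself."""

    def __init__(self, my_ip, entries):
        self.my_ip = my_ip
        self.entries = dict(entries)

    def on_request(self, sender_ip, sender_mac, target_ip):
        if sender_ip in self.entries and target_ip != self.my_ip:
            self.entries[sender_ip] = sender_mac
        return self.entries.get(sender_ip)


class ArpMonitor:
    """Passive watcher on the same segment: remembers every IP-to-MAC binding
    it has seen and reports when a known IP turns up with a different MAC."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, sender_ip, sender_mac):
        known = self.bindings.get(sender_ip)
        if known is not None and known != sender_mac:
            self.alerts.append(f"{sender_ip} moved from {known} to {sender_mac}")
        self.bindings[sender_ip] = sender_mac


# Constructed addresses for the three hosts of the text's example.
MAC_A, MAC_B, MAC_C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
IP_A, IP_B, IP_C = "192.0.2.10", "192.0.2.11", "192.0.2.12"


def walkthrough():
    """Replay the A/B/C scenario: B starts with correct entries, C sends a
    normal request, then A sends the crafted request (sender IP = C's,
    sender MAC = A's, target = some address other than B's)."""
    b_cache = ArpCache(IP_B, {IP_A: MAC_A, IP_C: MAC_C})
    monitor = ArpMonitor()

    monitor.observe(IP_C, MAC_C)
    b_cache.on_request(IP_C, MAC_C, IP_A)             # legitimate: nothing changes

    monitor.observe(IP_C, MAC_A)
    poisoned = b_cache.on_request(IP_C, MAC_A, IP_A)  # B now maps C's IP to A's MAC

    return {"b_thinks_c_is": poisoned, "alerts": list(monitor.alerts)}


if __name__ == "__main__":
    print(walkthrough())
```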
