Network Attack Overview
 
 
 
Author: Matthew Strebe
 
 
 
1. Denial of Service Attack
 
 
 
A denial-of-service attack tries to keep your server from providing its service, either by crashing the server or by overwhelming it with traffic. Denial-of-service attacks are the easiest attacks to carry out, and include:
 
 
 
Ping of Death
Overview: Early routers capped packet size at 64 KB, and many operating systems' TCP/IP stack implementations assumed that limit for ICMP packets: after reading the packet header, the stack allocates a buffer for the payload based on the size information in the header. A malformed packet whose fragments reassemble to more than that ceiling of 64 KB (65,535 bytes, the largest length an IPv4 datagram can declare) overflows the buffer, causing a memory error that crashes the TCP/IP stack and hangs the receiving machine.
Defense: All current standard TCP/IP implementations handle oversized packets, and most firewalls filter these attacks automatically. Windows 98 and later, Windows NT from Service Pack 3 onward, Linux, Solaris, and Mac OS all resist the common ping of death. Configuring the firewall to block ICMP and any unknown protocols also prevents this attack.
 
 
 
Teardrop
Overview: Teardrop attacks exploit the trust that TCP/IP stack implementations place in the information carried in IP fragment headers. Each IP fragment carries an offset indicating which part of the original packet it holds; some TCP/IP implementations (including Windows NT before Service Pack 4) crash when they receive forged fragments whose offsets overlap.
Defense: Apply the latest service pack to the server, or configure the firewall to reassemble fragments itself rather than forward them.
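The two malformed-fragment cases above (a reassembled size over the IPv4 maximum, and overlapping offsets) are exactly what a reassembling firewall has to check before it forwards anything. The following is an added example, not code from the original article: parse_fragment() reads the real IPv4 header fields, while make_header() and the three sample fragment sets are constructed here purely for illustration (documentation addresses, no real traffic).

```python
# Added example: a reassembly guard for the ping of death and teardrop cases.
# parse_fragment() reads real IPv4 header fields; make_header() and the sample
# fragment sets below are constructed for illustration only.
import struct
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535   # largest length an IPv4 datagram can declare (16-bit total length)


@dataclass(frozen=True)
class Fragment:
    ident: int     # IP identification field shared by all fragments of one datagram
    offset: int    # byte offset of this fragment's payload (header field is in 8-byte units)
    length: int    # payload bytes carried by this fragment
    more: bool     # More Fragments (MF) flag


def parse_fragment(raw: bytes) -> Fragment:
    """Extract the reassembly fields from a raw IPv4 header."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag = struct.unpack_from("!BBHHH", raw, 0)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl:
        raise ValueError("bad header length")
    return Fragment(ident=ident,
                    offset=(flags_frag & 0x1FFF) * 8,   # low 13 bits, units of 8 bytes
                    length=total_len - ihl,
                    more=bool(flags_frag & 0x2000))     # MF is bit 13


def check_fragments(frags):
    """Decide whether a set of fragments is safe to reassemble.

    Returns ("reject", reason) for the ping of death (reassembled size over
    IP_MAX_DATAGRAM) and teardrop (overlapping offsets) cases, ("incomplete",
    reason) while pieces are still missing, and ("complete", size) otherwise.
    """
    if not frags:
        return "incomplete", "no fragments"
    if len({f.ident for f in frags}) != 1:
        return "reject", "fragments from different datagrams mixed together"
    covered = 0     # end of the highest fragment seen so far, in offset order
    gap = False
    for f in sorted(frags, key=lambda f: f.offset):
        if f.length == 0:
            return "reject", "empty fragment"
        if f.offset < covered:
            return "reject", f"offset {f.offset} overlaps data ending at {covered} (teardrop)"
        if f.offset + f.length > IP_MAX_DATAGRAM:
            return "reject", f"reassembled size {f.offset + f.length} exceeds {IP_MAX_DATAGRAM} (ping of death)"
        if f.offset > covered:
            gap = True
        covered = f.offset + f.length
    last = max(frags, key=lambda f: f.offset)
    if gap or last.more:
        return "incomplete", "waiting for remaining fragments"
    return "complete", f"{covered} bytes"


def make_header(ident, offset, payload_len, more):
    """Build a minimal 20-byte IPv4 header for a constructed sample fragment."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_frag,
                       64, 1, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


# Constructed samples (documentation addresses, no real traffic)
NORMAL = [parse_fragment(make_header(3, 0, 1480, True)),
          parse_fragment(make_header(3, 1480, 20, False))]
PING_OF_DEATH = [parse_fragment(make_header(7, 65520, 64, False))]   # 65520 + 64 > 65535
TEARDROP = [parse_fragment(make_header(9, 0, 36, True)),
            parse_fragment(make_header(9, 24, 24, False))]           # second piece starts inside the first

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)):
        print(f"{name:14s} -> {check_fragments(frags)}")
```

Note that the oversize check is made per fragment from its offset plus length, so the last fragment of a ping of death is rejected on arrival without waiting for the rest of the datagram, and the overlap check needs only the fragments seen so far.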
 
 
UDP Flood
Overview: Various spoofing attacks exploit simple TCP/IP services such as chargen and echo to generate useless traffic that consumes all available bandwidth. By forging a UDP request to the chargen service on one host with the reply address set to a host running the echo service, the attacker sets up an endless stream of useless data between the two hosts. With enough such streams, the result is a bandwidth-exhaustion denial of service.
Defense: Disable unnecessary TCP/IP services, or configure the firewall to block UDP requests from the Internet.
 
 
 
SYN Flood
Overview: Some TCP/IP stack implementations can wait for ACK messages from only a limited number of hosts, because they reserve only a limited memory buffer for connections that are being set up. If that buffer is filled with the initial packets of bogus connections, the server stops responding to further connection attempts until the pending attempts in the buffer time out. SYN floods have a similar effect on implementations that place no limit on connection creation.
Defense: Filter subsequent connection attempts from the same host on the firewall.
Future SYN floods are worrying: a flood that never seeks a reply (its source addresses are spoofed) cannot be told apart from ordinary heavy traffic by simple means.
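What a detector can still see is the buffer the overview describes: the backlog of connections for which a SYN arrived and the final ACK never did. The following added example (not from the original article) replays constructed inbound TCP events against one listener and reports when that half-open backlog crosses a threshold. The timeout, the threshold and the sample traffic are assumptions chosen to keep the run small; it also counts SYNs per source, to show why the per-host firewall rule above misses a flood from spoofed addresses.

```python
# Added example: a half-open-connection monitor for SYN floods. Times are in
# milliseconds; thresholds and the sample traffic are assumptions.
from collections import defaultdict

SYN_TIMEOUT_MS = 3000   # assumption: how long a half-open entry waits for the client's ACK
BACKLOG_ALERT = 6       # assumption: half-open entries on one listener that raise an alert

# Constructed inbound traffic: (time_ms, src_ip, src_port, dst_ip, dst_port, flags)
EVENTS = [
    (0,    "198.51.100.7", 40001, "192.0.2.10", 80, "S"),
    (20,   "198.51.100.7", 40001, "192.0.2.10", 80, "A"),   # handshake completes normally
    (500,  "198.51.100.9", 40002, "192.0.2.10", 80, "S"),
    (510,  "198.51.100.9", 40002, "192.0.2.10", 80, "A"),
] + [
    # the flood: one SYN each from eight spoofed sources, none of which ever answers
    (1000 + 10 * i, f"203.0.113.{i + 1}", 1024 + i, "192.0.2.10", 80, "S") for i in range(8)
]


def detect_syn_flood(events, timeout_ms=SYN_TIMEOUT_MS, threshold=BACKLOG_ALERT):
    """Replay inbound events in time order and track half-open connections per listener."""
    pending = {}                  # (src, sport, dst, dport) -> time the SYN arrived
    peak = defaultdict(int)       # (dst, dport) -> highest half-open count seen
    first_alert = {}              # (dst, dport) -> time the backlog first reached threshold
    syns_per_source = defaultdict(int)
    for t, src, sport, dst, dport, flags in sorted(events):
        for key, t0 in list(pending.items()):       # expire entries the stack would have dropped
            if t - t0 > timeout_ms:
                del pending[key]
        key = (src, sport, dst, dport)
        if flags == "S":                             # new SYN: half-open until its ACK arrives
            pending[key] = t
            syns_per_source[src] += 1
        elif "A" in flags:                           # final ACK of the handshake
            pending.pop(key, None)
        backlog = defaultdict(int)
        for (_, _, d, p) in pending:
            backlog[(d, p)] += 1
        for listener, n in backlog.items():
            peak[listener] = max(peak[listener], n)
            if n >= threshold and listener not in first_alert:
                first_alert[listener] = t
    return {
        "alerts": {l: {"time_ms": first_alert[l], "peak_half_open": peak[l]} for l in first_alert},
        "max_syns_from_one_source": max(syns_per_source.values(), default=0),
    }


if __name__ == "__main__":
    print(detect_syn_flood(EVENTS))
```

On the sample traffic the listener on 192.0.2.10:80 is flagged at the sixth flood SYN with a peak backlog of eight, while no single source ever sent more than one SYN, which is the case the last paragraph above warns about.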
 
 
 
Land Attack
Overview: In a land attack, the source and destination addresses of a specially crafted SYN packet are both set to the server's own address. The receiving server sends a SYN-ACK to its own address, which replies with an ACK and creates an empty connection; each such connection is retained until it times out. Reactions to land attacks differ: many UNIX implementations crash, and NT becomes very slow (for about five minutes).
Defense: Apply the latest patch, or configure the firewall to filter out internal source addresses in inbound traffic on the external interface (including the 10.0.0.0/8, 127.0.0.0/8 and 192.168.0.0/16 ranges and 172.16.0.0 through 172.31.255.255).
 
 
Smurf attack
Overview: A simple Smurf attack uses ICMP echo request (ping) packets with the reply address set to the broadcast address of the target network, so as to overwhelm the target's hosts: every host on the network replies to the echo request, producing network congestion with one or two orders of magnitude more traffic than a ping of death flood. The more sophisticated Smurf sets the source address to a third-party victim, which is then buried under the avalanche of replies.
Defense: To keep attackers from using your network against others, disable directed broadcasts on the external router or firewall. To protect against the attack itself, set firewall rules that discard ICMP packets.
 
 
 
Fraggle attack
Overview: A Fraggle attack is a simple variation of Smurf that uses UDP echo messages instead of ICMP.
Defense: Filter UDP echo messages on the firewall.
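The defenses for the UDP flood, Land, Smurf and Fraggle attacks above are all rules applied to packets arriving on the external interface. The following added example (not code from the original article) puts them into one inbound filter policy: it drops a SYN whose source equals its destination, any packet with a private, loopback or internal source address, anything aimed at the network's directed broadcast address, UDP to the echo and chargen ports, and ICMP echo requests. The Packet class, the address block 192.0.2.0/24 taken as "our" network, and the sample packets are constructed for illustration.

```python
# Added example: an inbound packet-filter policy for the external interface that
# encodes the UDP flood, Land, Smurf and Fraggle defenses. The Packet class, the
# network prefixes and the sample packets are constructed for illustration.
import ipaddress
from dataclasses import dataclass

OUR_NETS = [ipaddress.ip_network("192.0.2.0/24")]             # assumption: addresses behind this firewall
NEVER_FROM_OUTSIDE = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AMPLIFIER_PORTS = {7: "echo", 19: "chargen"}                   # simple UDP services abused in floods


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    tcp_flags: str = ""   # e.g. "S" for a bare SYN
    icmp_type: int = -1   # 8 = echo request


def inbound_verdict(pkt):
    """Return ("drop", reason) or ("accept", "ok") for a packet arriving from the Internet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Land: a SYN whose source and destination are the same address
    if pkt.proto == "tcp" and "S" in pkt.tcp_flags and src == dst:
        return "drop", "land attack (source equals destination)"
    # Spoofing: private, loopback or our own addresses never legitimately arrive from outside
    if any(src in net for net in NEVER_FROM_OUTSIDE + OUR_NETS):
        return "drop", f"spoofed internal source {src}"
    # Smurf / Fraggle amplification: nothing from outside may target our directed broadcast address
    if any(dst == net.broadcast_address for net in OUR_NETS):
        return "drop", f"directed broadcast to {dst}"
    # UDP flood: chargen and echo are not offered to the Internet
    if pkt.proto == "udp" and pkt.dport in AMPLIFIER_PORTS:
        return "drop", f"udp {AMPLIFIER_PORTS[pkt.dport]} service not exposed"
    # Blanket ICMP echo block from the Smurf defense
    if pkt.proto == "icmp" and pkt.icmp_type == 8:
        return "drop", "icmp echo request from outside"
    return "accept", "ok"


# Constructed samples (documentation addresses)
SAMPLES = {
    "web":     Packet("198.51.100.7", "192.0.2.10", "tcp", 80, "S"),
    "land":    Packet("192.0.2.10", "192.0.2.10", "tcp", 80, "S"),
    "spoofed": Packet("10.1.2.3", "192.0.2.10", "tcp", 22, "S"),
    "smurf":   Packet("203.0.113.9", "192.0.2.255", "icmp", icmp_type=8),
    "fraggle": Packet("203.0.113.9", "192.0.2.255", "udp", 7),
    "chargen": Packet("203.0.113.9", "192.0.2.10", "udp", 19),
    "dns":     Packet("203.0.113.9", "192.0.2.10", "udp", 53),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:8s} {inbound_verdict(pkt)}")
```

The order of the rules matters: the Land check runs before the spoofed-source check so the reason reported is the specific one, and the directed-broadcast rule catches Fraggle before the port rule does, because the broadcast destination is the amplification, whatever the port.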
 
 
 
Email bomb
Overview: Email bombs are among the oldest anonymous attacks. By setting up a machine to send email repeatedly to the same address, an attacker can exhaust the bandwidth of the recipient's network.
Defense: Configure the mail server to automatically discard excessive or duplicate messages from the same host.
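The rule in the defense above, "discard excessive or duplicate messages from the same host", is simple enough to write down as a filter a mail server could apply to each delivery attempt. The following is an added example, not code from the original article; the limits, the window and the sample messages are constructed assumptions (the per-host limit is deliberately tiny so the run is short).

```python
# Added example: a per-host rate and duplicate filter for mail delivery attempts.
# The limits and the sample messages are constructed assumptions.
import hashlib
from collections import defaultdict, deque

MAX_PER_WINDOW = 5     # assumption: messages accepted from one host per window (small for the demo)
WINDOW_SECONDS = 60


class BombFilter:
    def __init__(self, max_per_window=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.max_per_window, self.window = max_per_window, window
        self.accepted = defaultdict(deque)   # host -> timestamps of accepted messages in the window
        self.digests = defaultdict(dict)     # host -> body digest -> time last accepted

    def check(self, ts, host, body):
        """Return ("accept", "ok") or ("drop", reason) for one delivery attempt."""
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        seen = self.digests[host]
        for d, t in list(seen.items()):                 # forget duplicates older than the window
            if ts - t >= self.window:
                del seen[d]
        if digest in seen:
            return "drop", "duplicate of a message already delivered from this host"
        q = self.accepted[host]
        while q and ts - q[0] >= self.window:           # slide the rate window forward
            q.popleft()
        if len(q) >= self.max_per_window:
            return "drop", f"more than {self.max_per_window} messages in {self.window}s from {host}"
        q.append(ts)
        seen[digest] = ts
        return "accept", "ok"


def run(messages, flt=None):
    """Apply the filter to (timestamp, host, body) tuples; return counts per verdict."""
    flt = flt or BombFilter()
    counts = defaultdict(int)
    for ts, host, body in sorted(messages):
        counts[flt.check(ts, host, body)[0]] += 1
    return dict(counts)


# Constructed sample: one normal sender and one bombing host sending the same
# body twenty times plus twenty distinct bodies, one per second
MESSAGES = [(0, "mail.example.net", "quarterly report attached")] + \
           [(i, "203.0.113.50", "YOU HAVE WON") for i in range(20)] + \
           [(i, "203.0.113.50", f"message {i}") for i in range(20)]

if __name__ == "__main__":
    print(run(MESSAGES))
```

Duplicates are judged by a digest of the body rather than by subject line, so a bomber that varies the headers but not the content is still caught; the rate limit then handles the case where every body differs.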
 
 
 
Malformed message attack
Overview: Many services on various operating systems have this problem. Because these services do not validate their input properly before processing it, malformed messages can crash them.
Defense: Install the latest service packs and patches.
 
 
 
2. Exploitation Attacks
 
 
 
Exploitation attacks are attacks that attempt to take direct control of your machine. The most common include:
Password Guessing
Overview: Once an attacker has identified a host and found a usable user account through services such as NetBIOS, telnet, or NFS, a successful password guess gives control of the machine.
Defense: Use passwords that are hard to guess, such as a combination of words and punctuation marks. Make sure that services such as NFS, NetBIOS, and telnet are not exposed to the public. If a service supports an account lockout policy, enable it.
 
 
Trojan Horse
Overview: A Trojan horse is a program installed on the target system either directly by the attacker or by an unsuspecting user. Once it is installed and has administrator privileges, the person who planted it can control the target system remotely. The most effective Trojans are backdoor programs such as NetBus, BackOrifice, and BO2K; benign remote-control programs such as Netcat, VNC, and pcAnywhere can be misused the same way. The ideal backdoor runs invisibly.
Defense: Avoid downloading suspicious programs and refuse to execute them. Use network scanning software to regularly audit the TCP services listening on internal hosts.
 
 
 
Buffer Overflow
Overview: Because the programmers of many service programs use functions such as strcpy() and strcat() that perform no bounds check, a malicious user can write a short program that opens a security hole and place it at the end of an overlong buffer payload. When the buffer overflows, the overwritten return pointer points at the malicious code, and control of the system is captured.
Defense: Use tools such as Libsafe and Tripwire to protect the system, and follow the latest security bulletins to keep the operating system updated.
 
 
 
3. Information-Gathering Attacks
 
 
 
Information-gathering attacks do no harm to the target by themselves; as the name suggests, they supply useful information for a further intrusion. They mainly comprise scanning techniques, architecture probing, and exploitation of information services.
 
 
 
Scanning Techniques
 
 
 
Address Scan
Overview: A program such as ping is used to probe target addresses; a response indicates that a host exists at that address.
Defense: Filter ICMP echo messages on the firewall.
 
 
 
Port Scan
Overview: Software is used to attempt connections to a range of TCP ports on a large range of hosts. The scanning software reports every port on which it successfully established a connection, that is, every port the host has open.
Defense: Many firewalls detect scans and automatically block scanning attempts.
 
 
Inverse Mapping
Overview: The attacker sends bogus messages to hosts and then determines which hosts exist from the "Host Unreachable" messages that come back for the ones that do not. Because ordinary scanning is now easily detected by firewalls, attackers have turned to common message types that do not trigger firewall rules, including RST messages, SYN-ACK messages, and DNS response packets.
Defense: NAT and non-routing proxy servers automatically defend against this attack; alternatively, filter ICMP "Host Unreachable" responses on the firewall.
 
 
 
Slow scan
Overview: A scan detector typically works by counting the connections a particular host initiates within a given period (for example, 10 per second) to decide whether a scan is in progress. Attackers therefore scan with software that works more slowly.
Defense: Use a decoy (lure) service to detect slow scans.
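The two ideas above, a connection-rate threshold and a decoy service, complement each other: the rate rule catches a fast scan, and a decoy port that nothing legitimate ever touches catches the scanner no matter how slowly it works. The following added example (not code from the original article) runs both checks over constructed connection logs; the threshold, the window, the decoy port number and the sample logs are assumptions.

```python
# Added example: a connection-rate scan detector plus a decoy-port check.
# Thresholds, the decoy port and the sample connection logs are assumptions.
from collections import defaultdict, deque

RATE_THRESHOLD = 10      # assumption: connections from one host per window before it is flagged
WINDOW_SECONDS = 1.0
LURE_PORTS = {31337}     # assumption: a port nothing legitimate uses; any connection to it is a probe

# Constructed sample logs: (time_seconds, src_ip, dst_port)
FAST_SCAN = [(i * 0.05, "203.0.113.5", 1 + i) for i in range(20)]      # 20 ports in one second
SLOW_SCAN = [(i * 30.0, "203.0.113.6", 1 + i) for i in range(20)]      # one port every 30 seconds
LURE_HIT = [(0.0, "203.0.113.7", 80), (600.0, "203.0.113.7", 31337)]   # normal visit, then the decoy
NORMAL = [(0.0, "198.51.100.7", 80), (0.3, "198.51.100.7", 443)]


def detect_scans(events, rate=RATE_THRESHOLD, window=WINDOW_SECONDS, lure=LURE_PORTS):
    """Return {src_ip: reason} for every host that looks like a scanner."""
    recent = defaultdict(deque)   # src -> times of its connections inside the current window
    flagged = {}
    for t, src, port in sorted(events):
        if port in lure:                                  # rate does not matter for a decoy hit
            flagged.setdefault(src, f"connected to decoy port {port}")
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:                    # slide the window forward
            q.popleft()
        if len(q) > rate:
            flagged.setdefault(src, f"{len(q)} connections within {window}s")
    return flagged


if __name__ == "__main__":
    print(detect_scans(FAST_SCAN + SLOW_SCAN + LURE_HIT + NORMAL))
```

On the sample logs the fast scanner is flagged on its eleventh connection, the slow scanner (one port every 30 seconds) never exceeds the rate and is missed by the rate rule alone, and the host that touches the decoy port is flagged by that single connection ten minutes after an innocent-looking visit to port 80.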
 
 
 
Architecture Probing
Overview: Attackers use automated tools with a database of known response signatures to examine how a target host responds to malformed packets. Because each operating system has its own characteristic responses (for example, the TCP/IP stack implementations of NT and Solaris differ), comparing the observed response with the signatures in the database often lets the attacker determine which operating system the target runs.
Defense: Remove or modify banners of all kinds, including those of the operating system and of application services, and block the ports such probes use, so as to disrupt the attacker's plan.
 
 
 
Exploitation of Information Services
 
 
 
DNS Zone Transfer
Overview: The DNS protocol performs no authentication for zone transfers or updates, which allows it to be abused in various ways. If you maintain a public DNS server, an attacker need only request a zone transfer to obtain the names and internal IP addresses of all your hosts.
Defense: Filter zone transfer requests on the firewall.
 
 
 
Finger service
Overview: The attacker uses the finger command to query a finger server and obtain information about the system's users.
Defense: Shut down the finger service and log the IP addresses of hosts that try to connect to it, or filter it on the firewall.
 
 
LDAP Service
Overview: The attacker uses the LDAP protocol to snoop on information about the systems and users on the network.
Defense: Block LDAP at the boundary of the internal network and log attempts. If an LDAP service must be provided on a public machine, place the LDAP server in a DMZ.
 
 
 
4. Forged-Message Attacks
 
 
 
These attacks send deliberately wrong messages to the target; they include DNS cache poisoning and forged email.
 
 
 
DNS Cache Poisoning
Overview: Because a DNS server does not authenticate the other name servers it exchanges information with, an attacker can inject false information and redirect users to the attacker's host.
Defense: Filter inbound DNS updates on the firewall. External DNS servers should not be able to change your internal servers' knowledge of internal machines.
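Both DNS items above, the zone transfer request in the information-gathering section and the poisoned response here, can be recognised from the DNS wire format itself. The following added example (not code from the original article) is a small parser for RFC 1035 messages used two ways: is_zone_transfer_request() spots a query whose question type is AXFR (the request the zone transfer defense filters), and filter_response() discards records whose owner name lies outside the zone the question was about. That second check, the "bailiwick" rule modern resolvers apply, goes beyond the firewall filtering the page itself recommends. build_query() and build_response() exist only to construct the samples; the names and addresses are documentation values.

```python
# Added example: an RFC 1035 DNS message parser used to spot AXFR requests and
# to drop out-of-zone records from responses. Parser and samples are constructed
# for this page; build_query()/build_response() only make the sample messages.
import struct

QTYPE_AXFR = 252
TYPE_A = 1


def read_name(msg, off):
    """Decode a domain name at msg[off:], following compression pointers.
    Returns (name, offset just after the name as it appears in the message)."""
    labels, after, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            if after is None:
                after = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        labels.append(msg[off + 1:off + 1 + n].decode("ascii").lower())
        off += 1 + n
    return ".".join(labels), (after if after is not None else off)


def parse(msg):
    """Return header bits, questions [(name, qtype)] and records [(section, name, type, rdata)]."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            records.append((section, name, rtype, msg[off:off + rdlen]))
            off += rdlen
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "questions": questions, "records": records}


def is_zone_transfer_request(msg):
    """True for a query whose question type is AXFR."""
    p = parse(msg)
    return not p["is_response"] and any(qtype == QTYPE_AXFR for _, qtype in p["questions"])


def filter_response(msg, zone):
    """Split a response's records into those inside `zone` and those to discard."""
    keep, drop = [], []
    for section, name, rtype, _rdata in parse(msg)["records"]:
        inside = name == zone or name.endswith("." + zone)
        (keep if inside else drop).append((section, name, rtype))
    return keep, drop


def encode_name(s):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in s.split(".")) + b"\x00"


def build_query(ident, qname, qtype):
    return struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(ident, qname, qtype, records):
    """records: (section, name, rtype, rdata); sections are emitted in wire order."""
    counts = {"answer": 0, "authority": 0, "additional": 0}
    for section, *_ in records:
        counts[section] += 1
    msg = struct.pack("!HHHHHH", ident, 0x8180, 1, counts["answer"], counts["authority"], counts["additional"])
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for wanted in ("answer", "authority", "additional"):
        for section, name, rtype, rdata in records:
            if section == wanted:
                msg += encode_name(name) + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return msg


# Constructed samples (documentation names and addresses)
AXFR_REQUEST = build_query(1, "example.com", QTYPE_AXFR)
NORMAL_QUERY = build_query(2, "www.example.com", TYPE_A)
POISONED_REPLY = build_response(2, "www.example.com", TYPE_A, [
    ("answer", "www.example.com", TYPE_A, bytes([192, 0, 2, 10])),
    ("additional", "www.bank.example", TYPE_A, bytes([203, 0, 113, 66])),   # smuggled foreign record
])

if __name__ == "__main__":
    print("AXFR request:", is_zone_transfer_request(AXFR_REQUEST))
    print("poisoned reply:", filter_response(POISONED_REPLY, "example.com"))
```

The poisoned sample answers the question honestly and smuggles the false record into the additional section, which is where a resolver that trusts everything in a reply would cache it; the bailiwick split keeps the www.example.com answer and discards the www.bank.example record because the server that was asked about example.com has no authority over that name.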
 
 
 
Forged Email
Overview: Because SMTP does not authenticate the sender of a message, an attacker can forge an email to one of your internal users, claiming to be someone the user knows and trusts, with a Trojan program attached or a link to a malicious website.
Defense: Use security tools such as PGP and deploy email certificates.