1. Denial-of-service attacks
A denial-of-service attack tries to stop you from providing service by crashing or overloading your server. It is the easiest class of attack to carry out, and mainly includes the following:
Ping of Death
Overview: Because early routers limited the maximum packet size, many TCP/IP stack implementations cap ICMP packets at 64 KB. After reading the packet header, the stack allocates a buffer for the payload based on the size information in the header. When a malformed packet arrives that claims a payload size beyond the ICMP limit, that is, a payload larger than the 64 KB limit, a memory allocation error occurs, the TCP/IP stack crashes, and the receiving machine goes down.
Defense: All current standard TCP/IP implementations handle oversized packets, and most firewalls can filter these attacks automatically. Windows 98 and later, Windows NT (Service Pack 3 and later), Linux, Solaris, and Mac OS all withstand ordinary Ping of Death attacks. In addition, configuring the firewall to block ICMP and any unknown protocol prevents such attacks.
Teardrop
Overview: A teardrop attack exploits the trust that TCP/IP stack implementations place in the information carried in the IP fragment header. An IP fragment carries information indicating which part of the original packet it contains, and some TCP/IP stacks (including NT prior to Service Pack 4) crash when they receive forged fragments with overlapping offsets.
Defense: Apply the latest service pack on the server, or configure the firewall to reassemble the fragments itself instead of forwarding them.
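The two fragment malformations described above, the oversized reassembled datagram of the Ping of Death and the overlapping offsets of the teardrop, can both be rejected before a reassembly buffer is ever allocated. The following is an added example written for this page, not code from the original page; it validates a set of fragment records (constructed sample data, not captured traffic), assumes a minimal 20-byte IPv4 header, and is a model of the check a stack or firewall performs rather than a packet parser.

```python
# Added example (not from the original page): validate one datagram's IP
# fragments before any reassembly buffer is allocated, rejecting both an
# oversized reassembled datagram (Ping of Death) and overlapping fragment
# offsets (teardrop).  Fragment records are constructed sample data.
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535   # largest total length an IPv4 datagram can have
IP_HEADER_LEN = 20        # minimal IPv4 header without options (assumed)


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field, shared by all fragments of one datagram
    offset: int     # payload offset in bytes (header field value times 8)
    length: int     # payload bytes carried by this fragment
    more: bool      # "more fragments" flag


def check_fragments(frags):
    """Return (ok, reason) for a complete set of fragments of one datagram."""
    if not frags:
        return False, "no fragments"
    if len({f.ident for f in frags}) != 1:
        return False, "fragments belong to different datagrams"
    ordered = sorted(frags, key=lambda f: f.offset)
    end_seen = 0   # first byte after the payload validated so far
    for f in ordered:
        if f.length <= 0 or f.offset % 8:
            return False, "malformed fragment fields"
        if f.offset < end_seen:
            # teardrop: the fragment claims to start inside an earlier one
            return False, f"overlapping fragment at offset {f.offset}"
        total = IP_HEADER_LEN + f.offset + f.length
        if total > MAX_IP_DATAGRAM:
            # Ping of Death: the reassembled datagram would exceed 65535 bytes,
            # which is the size a naive stack would try to allocate
            return False, f"reassembled size {total} exceeds {MAX_IP_DATAGRAM}"
        if f.offset > end_seen:
            return False, f"gap before offset {f.offset}: datagram incomplete"
        end_seen = f.offset + f.length
    if ordered[-1].more:
        return False, "final fragment still has the more-fragments flag set"
    if any(not f.more for f in ordered[:-1]):
        return False, "more-fragments flag clear on a non-final fragment"
    return True, "ok"


if __name__ == "__main__":
    normal = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 520, False)]
    teardrop = [Fragment(2, 0, 36, True), Fragment(2, 24, 36, False)]
    ping_of_death = [Fragment(3, 0, 1480, True), Fragment(3, 65528, 40, False)]
    for name, frags in (("normal", normal), ("teardrop", teardrop),
                        ("ping_of_death", ping_of_death)):
        print(name, check_fragments(frags))
```

The oversize check runs on every fragment, not only the last, so a fragment whose offset plus length already exceeds the datagram limit is rejected even when earlier fragments are still missing; that is the order a firewall reassembling on the victim's behalf needs.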
UDP flood
Overview: Various spoofing attacks use simple TCP/IP services such as Chargen and Echo to deliver useless data that fills the bandwidth. By forging a UDP connection to one host's Chargen service with the reply address set to a host running the Echo service, enough useless traffic is generated between the two hosts; if the traffic is large enough, it amounts to a denial of service on the bandwidth.
Defense: Turn off unnecessary TCP/IP services, or configure the firewall to block UDP requests for these services coming from the Internet.
SYN flood
Overview: Some TCP/IP stack implementations can only wait for ACK messages from a limited number of computers, because they have only a limited memory buffer in which to create connections. If that buffer is filled with the initial information of spurious connections, the server stops responding to further connections until the connection attempts in the buffer time out. In implementations that create connections without limit, SYN flooding has a similar effect.
Defense: Filter subsequent connections from the same host on the firewall.
The outlook for SYN floods is worrying, because the sender of the flood does not need any response, so the flood cannot be told apart from ordinary high-volume transmission.
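The condition the SYN flood section describes, a connection buffer filling with half-open entries, can be watched for directly. The following is an added example written for this page, not code from the original page: it runs over a constructed stream of connection-tracking events and counts half-open connections (SYN seen, handshake never completed) both per source, which is what the per-host firewall rule above acts on, and in total, which is the only signal left when a spoofed flood never repeats a source address. The addresses (TEST-NET and benchmark ranges), timeout and thresholds are assumptions.

```python
# Added example (not part of the original page): SYN flood detector over a
# constructed event stream.  Thresholds, timeout and addresses are assumed.

HALF_OPEN_TIMEOUT = 3.0   # seconds a SYN may wait for its ACK (assumed)
PER_SOURCE_LIMIT = 20     # half-open connections tolerated per source (assumed)
BACKLOG_LIMIT = 100       # half-open connections tolerated in total (assumed)


def detect_syn_flood(events, timeout=HALF_OPEN_TIMEOUT,
                     per_source=PER_SOURCE_LIMIT, backlog=BACKLOG_LIMIT):
    """events: time-sorted (t, src_ip, src_port, kind) with kind 'syn' or 'ack'.

    Returns the sources that exceeded the per-source limit, the peak number
    of half-open connections, and whether the total backlog limit was ever
    exceeded."""
    pending = {}          # (src_ip, src_port) -> time the SYN was seen
    flagged = set()
    peak = 0
    backlog_alert = False
    for t, src, sport, kind in events:
        # expire half-open entries whose handshake never completed in time
        for key in [k for k, t0 in pending.items() if t - t0 > timeout]:
            del pending[key]
        if kind == "syn":
            pending[(src, sport)] = t
        elif kind == "ack":
            # third handshake packet: the connection is established
            pending.pop((src, sport), None)
        per_src = sum(1 for k in pending if k[0] == src)
        if per_src > per_source:
            flagged.add(src)
        peak = max(peak, len(pending))
        if len(pending) > backlog:
            backlog_alert = True
    return {"sources": flagged, "backlog_peak": peak, "backlog_alert": backlog_alert}


def sample_events():
    """Constructed stream: a legitimate client, one host that never completes
    its handshakes, and a spoofed flood whose source addresses never repeat."""
    events = []
    for i in range(5):                       # legitimate: each SYN followed by its ACK
        events.append((0.1 * i, "192.0.2.10", 40000 + i, "syn"))
        events.append((0.1 * i + 0.01, "192.0.2.10", 40000 + i, "ack"))
    for i in range(25):                      # one host, 25 half-open connections in 1.25 s
        events.append((1.0 + 0.05 * i, "198.51.100.7", 50000 + i, "syn"))
    for i in range(150):                     # spoofed flood: 150 distinct sources in 0.75 s
        events.append((5.0 + 0.005 * i, f"198.18.0.{i % 250}", 1024 + i, "syn"))
    return sorted(events)


if __name__ == "__main__":
    print(detect_syn_flood(sample_events()))
```

On the sample stream the per-source rule catches only 198.51.100.7; the spoofed flood is invisible to it, exactly as the text warns, and is caught only by the total half-open count.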
Land attack
Overview: In a Land attack, a specially crafted SYN packet has both its source address and its destination address set to the server's address. This causes the receiving server to send a SYN-ACK message to its own address, which then sends back an ACK message and creates an empty connection. Each such connection persists until it times out. The response to a Land attack varies: many UNIX implementations crash, and NT becomes extremely slow (for about five minutes).
Defense: Apply the latest patches, or configure the firewall to filter out packets arriving on the external interface that carry internal source addresses (the 10.x.x.x, 127.x.x.x and 192.168.x.x ranges, and 172.16.x.x through 172.31.x.x).
Smurf attack
Overview: A simple Smurf attack overwhelms the victim host by sending ICMP echo request (ping) packets whose reply address is set to the broadcast address of the victim's network, so that eventually every host on that network answers the echo request and the network is congested; the traffic is one or two orders of magnitude greater than that of a Ping of Death flood. A more elaborate Smurf attack sets the source address to a third-party victim, which ends up flooding that third party.
Defense: To prevent attackers from using your network to attack others, turn off the broadcast address feature on the external router or firewall. To protect against the attack itself, set a rule on the firewall that discards the ICMP packets.
Fraggle attack
Overview: The Fraggle attack is a simple modification of the Smurf attack that uses UDP reply messages instead of ICMP.
Defense: Filter out UDP reply messages on the firewall.
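The Land, Smurf and Fraggle defenses above (and the UDP flood defense earlier) are all ingress rules on the external interface, and they are easiest to reason about side by side. The following is an added example written for this page, not code from the original page or from any firewall product: it models those rules as checks on a packet summary. The packet summaries are constructed, the protected network 203.0.113.0/24 and the rule order are assumptions, and the ICMP rule is narrowed from the page's "discard ICMP packets" to echo request and reply.

```python
# Added example (not part of the original page): ingress filter modelling the
# Land, Smurf, Fraggle and UDP flood rules above.  Protected network, rule
# order and sample packets are constructed assumptions.
import ipaddress
from dataclasses import dataclass

# internal address ranges that must never appear as a source on the outside
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
PROTECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed (TEST-NET-3)
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
AMPLIFIER_PORTS = {7, 19}   # UDP echo and chargen, the services named above


@dataclass(frozen=True)
class Packet:
    iface: str            # "ext" for the Internet-facing interface, "int" otherwise
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1


def ingress_verdict(pkt):
    """Return (action, rule) for a packet arriving on the given interface."""
    if pkt.iface != "ext":
        return "accept", "internal interface"
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # Land: source and destination are the same address
    if src == dst:
        return "drop", "land"
    # spoofed internal source address arriving from the outside
    if any(src in net for net in INTERNAL_RANGES):
        return "drop", "spoofed-internal"
    # Smurf/Fraggle amplification: anything aimed at our directed broadcast address
    if any(dst == net.broadcast_address for net in PROTECTED_NETS):
        return "drop", "directed-broadcast"
    # ICMP echo traffic from the outside (the page's ICMP rule, narrowed to echo)
    if pkt.proto == "icmp" and pkt.icmp_type in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "drop", "icmp-echo"
    # UDP echo/chargen in either direction (UDP flood and Fraggle reply traffic)
    if pkt.proto == "udp" and (pkt.sport in AMPLIFIER_PORTS or pkt.dport in AMPLIFIER_PORTS):
        return "drop", "udp-amplifier"
    return "accept", "default"


SAMPLE_PACKETS = {   # constructed packet summaries
    "land":    Packet("ext", "203.0.113.5", "203.0.113.5", "tcp", 80, 80),
    "spoof":   Packet("ext", "192.168.1.9", "203.0.113.10", "tcp", 4444, 22),
    "smurf":   Packet("ext", "198.51.100.77", "203.0.113.255", "icmp", icmp_type=ICMP_ECHO_REQUEST),
    "fraggle": Packet("ext", "198.51.100.2", "203.0.113.10", "udp", 7, 53),
    "web":     Packet("ext", "198.51.100.2", "203.0.113.10", "tcp", 51515, 443),
    "lan":     Packet("int", "192.168.1.9", "203.0.113.10", "tcp", 51516, 22),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:8} {ingress_verdict(pkt)}")
```

The rules are evaluated from most specific to most general, so a packet that matches several of them is reported under the first, which is what you want when reading firewall logs.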
E-mail bombs
Overview: E-mail bombs are one of the oldest anonymous attacks: by setting up a machine that constantly sends e-mail to the same address, an attacker can exhaust the bandwidth of the recipient's network.
Defense: Configure the mail system to automatically delete excessive or duplicate messages coming from the same host.
Malformed message attacks
Overview: Many services on all kinds of operating systems share this problem: they may crash when they receive malformed input, because they do not perform proper error checking before processing it.
Defense: Apply the latest service patches.
2. Exploit attacks
Exploit attacks are a class of attacks that try to take direct control of your machine. The three most common are:
Password guessing
Overview: Once a hacker has identified a host and found a usable user account on a service based on NetBIOS, Telnet or NFS, a successful password guess gives control of the machine.
Defense: Use hard-to-guess passwords, such as combinations of words and punctuation. Make sure that services such as NFS, NetBIOS and Telnet are not exposed to the public. If the service supports a lockout policy, enable it.
Trojan horse
Overview: A Trojan horse is a program installed on the target system either directly by a hacker or unwittingly by an unsuspecting user. Once it is installed and has administrator privileges, the person who installed it can remotely control the target system directly. The most effective kind is called a backdoor; malicious examples include NetBus, BackOrifice and BO2K, while benign programs used to control systems include Netcat, VNC and PcAnywhere. The ideal backdoor program runs transparently.
Defense: Avoid downloading suspicious programs and refuse to run them, and use network scanning software to monitor the TCP services on internal hosts regularly.
Buffer overflow
Overview: Because the programmers of many service programs use functions such as strcpy() and strcat() that do not check bounds, a malicious user can write a short piece of code that opens the security hole further and place that code at the end of the buffer payload. When the buffer overflows, the return pointer points to the malicious code, and control of the system is taken over.
Defense: Use programs such as SafeLib and Tripwire to protect your system, or follow the latest security bulletins and keep your operating system up to date.
3. Information-gathering attacks
Information-gathering attacks do not harm the target itself; as the name suggests, they are used to obtain useful information for further intrusion. They mainly include scanning techniques, architecture probing, and the use of information services.
Scanning techniques
Address scanning
Overview: Use a program such as ping to probe the target address; a response indicates that the host exists.
Defense: Filter out ICMP reply messages on the firewall.
Port scanning
Overview: Typically, software is used to connect to a range of TCP ports on a wide range of hosts, and the scanning software reports the ports on which it succeeded in establishing a connection, that is, the ports the host has open.
Defense: Many firewalls can detect that they are being scanned and block the scanning attempts automatically.
Response mapping
Overview: A hacker sends bogus messages to hosts and then determines which hosts exist from the characteristics of the "host unreachable" messages that come back. Because ordinary scanning activity is now easily detected by firewalls, hackers switch to common message types that do not trigger firewall rules, including RST messages, SYN-ACK messages and DNS response packets.
Defense: NAT and non-routing proxy servers defend against such attacks automatically; alternatively, filter "host unreachable" ICMP responses on the firewall.
Slow scan
Overview: Because a typical scan detector works by monitoring the number of connections a particular host initiates within a time frame (for example, 10 per second), a hacker can evade it by running the scanning software at a slower rate.
Defense: Detect slow scans by luring the scanner with decoy services.
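The port scanning and slow scan sections above describe a rate-based detector and its blind spot, and the defense recommends a lure. The following is an added example written for this page, not code from the original page or any intrusion detection product: it runs both checks over a constructed connection-attempt stream, a per-source sliding window using the 10-per-second figure the text quotes, and a set of decoy ports with no service behind them, where any attempt is suspicious no matter how slowly it arrives. The event stream, addresses, window length and decoy ports are assumptions.

```python
# Added example (not part of the original page): rate-window scan detector
# beside a decoy-port check.  Window, decoy ports and events are assumed.
from collections import defaultdict, deque

RATE_WINDOW = 1.0                  # seconds (assumed)
RATE_LIMIT = 10                    # attempts per window; the figure the text quotes
DECOY_PORTS = {21, 23, 25, 110}    # no real service listens here (assumed)


def detect_scans(events, window=RATE_WINDOW, limit=RATE_LIMIT, decoys=DECOY_PORTS):
    """events: (t, src_ip, dst_port) connection attempts.

    Returns {src_ip: sorted reasons}: 'rate' means more than `limit` attempts
    inside one window, 'decoy' means a lure port was touched."""
    recent = defaultdict(deque)    # src -> timestamps inside the current window
    alerts = defaultdict(set)
    for t, src, dport in sorted(events):
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) > limit:
            alerts[src].add("rate")
        if dport in decoys:
            alerts[src].add("decoy")
    return {src: sorted(reasons) for src, reasons in alerts.items()}


def sample_events():
    """Constructed: a normal client, a fast scanner and a slow scanner."""
    events = [(10.0, "192.0.2.10", 22), (10.2, "192.0.2.10", 80), (10.4, "192.0.2.10", 443)]
    # fast scanner: 30 ports in 0.6 s, none of them decoys
    events += [(20.0 + 0.02 * i, "198.51.100.7", 1000 + i) for i in range(30)]
    # slow scanner: ports 21-30, one attempt every 30 s, under any rate threshold
    events += [(100.0 + 30.0 * i, "203.0.113.9", 21 + i) for i in range(10)]
    return events


if __name__ == "__main__":
    for src, reasons in detect_scans(sample_events()).items():
        print(src, reasons)
```

On the sample stream the fast scanner trips only the rate check and the slow scanner only the decoy check, which is the point of the defense: the lure does not depend on timing at all.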
Architecture probing
Overview: Hackers use automated tools that carry a database of known response types to examine how the target host responds to malformed packets. Because each operating system responds in its own distinctive way (for example, the TCP/IP stacks of NT and Solaris are implemented differently), comparing this distinctive response with the known responses in the database often lets the hacker identify the operating system the target host is running.
Defense: Remove or modify banners, including those of the operating system and of the various application services, and block the ports used for identification, to disrupt the attacker's plan.
Use of information services
DNS zone transfers
Overview: The DNS protocol does not authenticate zone transfers or informational updates, which allows the protocol to be exploited in a number of ways. If you maintain a public DNS server, a hacker can obtain all of your host names and internal IP addresses simply by performing a zone transfer.
Defense: Filter out zone transfer requests at the firewall.
Finger service
Overview: Hackers use the finger command to probe a finger server for information about the system's users.
Defense: Turn off the finger service and log the IP addresses of anyone attempting to connect to it, or filter it on the firewall.
LDAP service
Overview: Hackers use the LDAP protocol to probe systems inside the network and information about their users.
Defense: Block and log LDAP probing of the internal network; if the LDAP service is offered on a public machine, place the LDAP server in the DMZ.
4. Forged message attacks
These attacks use forged messages against targets whose configuration is incorrect, and include DNS cache poisoning and forged e-mail.
DNS cache poisoning
Overview: Because a DNS server does not authenticate when exchanging information with other name servers, a hacker can slip in incorrect information and direct users to the hacker's own host.
Defense: Filter inbound DNS updates on the firewall; external DNS servers should not be able to change your internal server's knowledge of internal machines.
Forged e-mail
Overview: Because SMTP does not authenticate the sender of a message, hackers can forge e-mail to your internal users that claims to come from someone they know and trust, carrying a Trojan that can be installed or a link to a malicious web site.
Defense: Use security tools such as PGP, and install e-mail certificates.