Abstract


Protection of computer networks against attacks

    Introduction

With the rapid development and introduction of new computer technologies into everyday life, the reliability of the systems that provide access to information, and of the systems that store it, plays a leading role. The more valuable the information, the greater the losses caused by unauthorized access to it, by its destruction, or by the loss of access to it altogether. One example is the incident with a Yahoo (www.yahoo.com) server in February 2000, when an attack put the equipment out of operation for three hours. Experts estimated the losses at about 1.2 billion dollars. The search for means and techniques of protection against attacks of this kind therefore remains a priority question of computer security.
The principal cause of this kind of vulnerability in remote computer systems lies in the specifics of the TCP/IP protocol stack. The TCP/IP network protocols were developed at a time when real threats were practically absent, and the current fourth version of the TCP/IP stack fully reflects that approach. Besides the stack's own implementation errors, most systems have other modules that reduce their ability to resist attacks.

  Review of existing attacks based on TCP/IP

 Attacks on TCP/IP can be divided into two kinds: passive and active.
1. Passive attacks at the TCP level
 In this type of attack there is no direct interaction with other systems. Everything reduces to observing the data or communication sessions that are accessible.
1.1. Interception
 The attack consists in intercepting a network stream and analyzing it (English "sniffing"). To carry out interception, one needs access to a machine located on the path of the network stream to be analyzed, for example a router or a UNIX-based PPP server. Given sufficient access rights on that machine, special software can view all traffic passing through a given interface. The second variant is to gain access to a computer located in the same network segment as the system that has access to the network stream. For example, in an Ethernet network the network card can be switched into a mode in which it receives all packets circulating on the network, not just those addressed to it. In this case the operating system can be anything, not necessarily UNIX (a frequent situation in university networks). Since TCP/IP traffic is, as a rule, not encrypted, with the appropriate tools one can intercept TCP/IP packets, for example telnet sessions, and extract user names and passwords from them. It should be noted that this type of attack cannot be detected without access to the attacking system, since the network stream is not changed.
2. Active attacks at the TCP level
 In this type of attack there is interaction with the recipient of the information, the sender and/or intermediate systems, possibly with modification and/or filtering of the contents of TCP/IP packets. Such attacks often seem technically complex to carry out, but a good programmer can implement the corresponding tools.
 Unfortunately, such programs have now become available to the broad mass of users. Active attacks can be divided into two groups. In the first, certain steps are taken to intercept and modify the network stream, or an attempt is made to "impersonate" another system. In the second, the TCP/IP protocol is used to put the victim system into a non-working state. With sufficient privileges on Unix (or simply using DOS or Windows, which have no system of user restrictions), it is possible to form IP packets by hand and send them onto the network. Naturally, the header fields of such a packet can be set arbitrarily. Having received such a packet, it is impossible to find out where it really came from, since packets do not carry the path they travelled. Of course, if the return address is set to something other than the current IP address, the attacker will never receive a reply to the packet sent. However, this is frequently not required.
 The ability to form arbitrary IP packets is the key point for carrying out active attacks.
2.1. TCP sequence number prediction
 This attack was described back by Robert Morris in "A Weakness in the 4.2BSD Unix TCP/IP Software". The English term is IP spoofing. In this case another system is imitated, for example one that the victim system trusts (when the rlogin/rsh protocol is used for password-less login). The method is also used for other purposes, for example to use an SMTP server to send forged letters.
 A TCP connection is established in three stages (3-way handshake): the client chooses a sequence number (call it Client-SN) and sends it to the server; in reply the server sends the client a packet containing an acknowledgement (Client-ACK) and the server's own sequence number (Server-SN). Now the client must send its acknowledgement (Server-ACK).
 After that the connection is considered established and data exchange begins. Each packet carries a sequence number field and an acknowledgement number field in its header. These numbers increase during data exchange and allow the correctness of transmission to be controlled.
 Let us assume that it is possible to predict which sequence number (Server-SN) the server will send. This can be done on the basis of knowledge of the concrete TCP/IP implementation. For example, in 4.3 BSD the sequence number value that will be used when the next connection is established increases by 125000 every second. Thus, having sent one packet to the server, it is possible to receive the reply, analyze it, and predict the sequence number for the next connection. If the TCP/IP implementation uses a special algorithm for determining the sequence number, the algorithm can be found out by sending several tens of packets to the server and analyzing its replies.
 System A acts as the server, systems B and C as clients.
Stages of the attack:
1. Put system B into a state in which it cannot answer network requests. This can be done in several ways; in the simplest case it is enough to wait for the system to reboot.
2. Send several IP packets initiating a connection to system A, in order to find out the current state of the server's sequence number.
3. Send an IP packet in which the address of system B is given as the return address.
4. System A replies with a packet carrying a sequence number, which goes to system B. System B, however, will not receive it (it has been put out of operation), and neither will the attacking computer. The sequence number sent to system B is calculated on the basis of the previous analysis.
5. Acknowledge "receipt" of the packet from A by sending, on behalf of B, a packet with the expected Server-ACK. After that, if the server's sequence number was guessed correctly, the connection is considered established.
Now the next forged IP packet, already containing data, can be sent.
2.2. IP Hijacking
 Whereas in the previous case a new connection was initiated, here the whole network stream is intercepted, modified and filtered. The method is a combination of "interception" and IP spoofing.
 The necessary conditions are access to a machine on the path of the network stream and sufficient rights to generate and intercept IP packets. During data transmission the sequence number and acknowledgement number are used constantly (both fields are in the header). Based on their values, the server and the client check the correctness of packet transfer. It is possible to put the connection into a "desynchronized state", in which the sequence number and acknowledgement number sent by the server do not coincide with the values expected by the client, and vice versa. In this case the attacking computer, "listening" to the line, can take over the functions of an intermediary, generating correct packets for the client and the server and intercepting their replies. The method makes it possible to bypass completely such protection systems as, for example, one-time passwords, since it begins work only after the user has been authenticated.
2.3. ACK storm
 One of the problems of IP Hijacking is that any packet sent while the session is in the desynchronized state causes a so-called ACK storm. For example, a packet sent by the server is unacceptable to the client, so the client answers with an ACK packet. In reply to this packet, which is in turn unacceptable to the server, the client again receives an answer. Fortunately, modern networks are built on technologies in which loss of individual packets is permitted. Since ACK packets carry no data, they are not retransmitted.
2.4. Passive scanning
 Scanning is often used to find out on which TCP ports daemons that answer requests from the network are running. An ordinary scanner program opens connections to the various ports in turn. When a connection is established, the program drops it and reports the port number to the user. This method is easily detected from the contents of log files or with special programs.
 There is, however, another method: passive scanning (English term "passive scan"). Here a TCP/IP SYN packet is sent to all ports in turn (or according to some chosen algorithm). For TCP ports that accept connections from outside, a SYN/ACK packet is returned as an invitation to continue the 3-way handshake. The others return RST packets. By analyzing the data obtained, one can find out on which ports programs are working. The SYN/ACK packets must also be answered with RST packets, showing that connection establishment will not be continued.
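The distinguishing trace of such a scan, as the text notes, is a burst of SYNs to many ports from one source with no completed handshakes. The following detector, an added example and not code from the paper, runs that rule over a constructed packet log; the record layout, the 5 s window and the 10-port threshold are assumptions of the example.

```python
"""SYN-scan detector over constructed packet records (added example, not the
paper's code). A record is (time, src, dst, dport, flags); flags use the usual
letters: S = SYN, SA = SYN/ACK, A = ACK, R = RST."""
from collections import defaultdict


def detect_syn_scans(packets, window=5.0, min_ports=10):
    """Return {src: sorted ports probed} for every source that, within `window`
    seconds, sent SYNs to at least `min_ports` distinct ports and completed the
    three-way handshake (bare ACK after its SYN) on none of them. A real client
    completes its handshakes; a passive scanner answers SYN/ACK with RST."""
    syns = defaultdict(list)      # src -> [(time, dst, dport)]
    completed = set()             # (src, dst, dport) that reached ESTABLISHED
    for t, src, dst, dport, flags in packets:
        if flags == "S":
            syns[src].append((t, dst, dport))
        elif flags == "A":
            completed.add((src, dst, dport))
    suspects = {}
    for src, lst in syns.items():
        half_open = sorted(e for e in lst if (src, e[1], e[2]) not in completed)
        for i, (t0, _, _) in enumerate(half_open):
            # distinct ports probed within `window` seconds of this SYN
            ports = {p for t, _, p in half_open[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                suspects[src] = sorted({p for _, _, p in half_open})
                break
    return suspects


def build_capture():
    """Constructed capture: 10.0.0.5 connects normally to port 22; 10.0.0.9
    probes ports 20-39 of 10.0.0.1 and answers each SYN/ACK with RST."""
    pkts = [
        (0.00, "10.0.0.5", "10.0.0.1", 22, "S"),
        (0.01, "10.0.0.1", "10.0.0.5", 40001, "SA"),
        (0.02, "10.0.0.5", "10.0.0.1", 22, "A"),
    ]
    open_ports = {21, 22, 25}
    for i, port in enumerate(range(20, 40)):
        t = 1.0 + i * 0.05
        pkts.append((t, "10.0.0.9", "10.0.0.1", port, "S"))
        if port in open_ports:
            pkts.append((t + 0.01, "10.0.0.1", "10.0.0.9", 40002, "SA"))
            pkts.append((t + 0.02, "10.0.0.9", "10.0.0.1", port, "R"))
        else:
            pkts.append((t + 0.01, "10.0.0.1", "10.0.0.9", 40002, "R"))
    return pkts


if __name__ == "__main__":
    print(detect_syn_scans(build_capture()))
```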
2.5. Flooding with SYN packets
 This attack was first mentioned in 1986 by Robert T. Morris. For incoming connections the system answers the arriving C-SYN packet with an S-SYN/C-ACK packet, moves the session into the SYN_RECEIVED state and places it in a queue. If an S-ACK does not arrive from the client within a set time, the connection is removed from the queue; otherwise the connection moves into the ESTABLISHED state.
 SYN flooding is based on overflowing the server's queue, after which the server stops answering users' requests.
 Different systems handle the queue differently. In BSD systems each port has its own queue of 16 elements. In SunOS, on the contrary, there is no such division and the system simply has one large common queue. Accordingly, to block, for example, the WWW port on BSD, 16 SYN packets are enough, while for Solaris 2.5 many more are needed. After some time (depending on the implementation) the system deletes the requests from the queue. However, nothing prevents sending a new portion of requests. Thus, even on a 2400 bps connection, 20-30 packets can be sent to a FreeBSD server every minute and a half, keeping it in a non-working state (naturally, this error has been corrected in the latest versions of FreeBSD).
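The arithmetic of the queue described above (16 slots per port, entries that expire after a timeout, a refill every minute and a half) can be modelled directly. The simulation below is an added example, not code from the paper; the 75 s entry lifetime, the legitimate client's 10 s retry schedule and the queue sizes used for comparison are assumptions of the example.

```python
"""Event-driven model of a per-port SYN backlog (added example, not the paper's
code): a fixed-size queue of half-open connections, each expiring after a
timeout, fed by bursts of forged SYNs plus one legitimate client."""
from dataclasses import dataclass, field


@dataclass
class SynBacklog:
    """Queue of SYN_RECEIVED entries as described for BSD: `size` slots per port;
    a slot is freed when its timeout expires or when the handshake completes."""
    size: int = 16            # BSD-style per-port queue of 16 elements
    timeout: float = 75.0     # seconds an entry is kept (assumed value)
    entries: list = field(default_factory=list)   # (source, expiry_time)
    accepted: int = 0
    dropped: int = 0

    def expire(self, now):
        self.entries = [e for e in self.entries if e[1] > now]

    def syn(self, source, now):
        """Return True if the SYN got a queue slot, False if it was dropped."""
        self.expire(now)
        if len(self.entries) >= self.size:
            self.dropped += 1
            return False
        self.entries.append((source, now + self.timeout))
        self.accepted += 1
        return True

    def ack(self, source, now):
        """Third handshake step: the entry leaves the queue (ESTABLISHED)."""
        self.expire(now)
        before = len(self.entries)
        self.entries = [e for e in self.entries if e[0] != source]
        return len(self.entries) < before


def simulate(duration=600.0, burst=25, period=90.0, timeout=75.0, size=16):
    """Attacker sends `burst` forged SYNs every `period` seconds (the paper's
    20-30 packets per minute and a half) and never ACKs them; a real client
    tries to connect every 10 s and ACKs 1 s later. Returns (served, refused)."""
    q = SynBacklog(size=size, timeout=timeout)
    served = refused = 0
    t = 0.0
    while t < duration:
        if t % period == 0:                       # attack burst
            for i in range(burst):
                q.syn(f"forged-{int(t)}-{i}", t)
        if t % 10 == 0:                           # legitimate client
            if q.syn("client", t):
                served += 1
            else:
                refused += 1
        if t % 10 == 1:
            q.ack("client", t)
        t += 1.0
    return served, refused


if __name__ == "__main__":
    print("16-slot queue:", simulate())            # client mostly refused
    print("shorter timeout:", simulate(timeout=30.0))
    print("large common queue:", simulate(size=1024))
```

With the 16-slot queue the client gets through only in the gap between an entry's expiry and the next burst; a larger queue or a shorter lifetime for half-open entries changes the outcome, which is the trade-off later SYN-flood defences address.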

    List of the solved tasks

The purpose of this work is to search for effective ways of repelling attacks, in particular DoS attacks.

 DoS attacks are always malicious, and today there are plenty of utilities for carrying them out that can be used by any non-professional. In practice it is easier to disrupt the work of a network or system than to gain unauthorized access. The TCP/IP network protocols were developed for open and fair use, and the current fourth version of the TCP/IP stack has inherited these "shortcomings" of the previous variants. Besides, many systems have their own errors in the stack implementation that reduce their ability to resist DoS attacks.

   Basic types of DoS attacks

 Bandwidth capture is the most insidious DoS attack; it consists in consuming bandwidth. The attacker occupies all the available bandwidth of the network. Let us consider examples of how this attack is carried out. The attacker, having at his disposal a link with greater bandwidth, overloads the target's network connection by sending a set of packets, for example ICMP (Internet Control Message Protocol, the network diagnostics protocol), to the target host. This method is characteristic for blocking T1 lines (1.544 Mbit/s) and more powerful network connections. To fill the bandwidth of such powerful lines, network lines with a throughput of only 56 or 128 Kb/s can be used.
 The second way is the following: the attacker amplifies the DoS attack by initiating it simultaneously from several points. In this case even a 56 Kb/s line can completely suppress a T3 line (45 Mb/s). The amplification of the attacking stream occurs by directing traffic from several servers.
 Resource exhaustion is an attack directed not at network resources but at system resources. In general, a resource exhaustion attack involves spending processor cycles, memory, file system quotas or other system resources. Attacks of this kind usually lead to complete inaccessibility of one of the resources, to overflow of the file system or to processor lag.
 Exploitation of programming errors: this kind of DoS attack leads to the crash of applications, the operating system or hardware that cannot work in a non-standard situation. Such situations are typical when packets not compatible with the RFC (Request For Comments) standard are sent to the target system, or when programs expecting user input receive a huge quantity of data, which causes a buffer overflow and sometimes even execution of commands at a privileged level. None of the systems, whether it be the OS or the computer's processor, is likely to be protected from errors (one DoS attack of this type: executing the instruction 0xF00FC7C8A on a Pentium processor crashes any operating system). [6]
 Speaking of DoS attacks, we must point to another way of carrying out DoS: Distributed DoS. The main difference between these two types of DoS is the number of attacking computers. In this simple example we have a victim (server), a main attacking computer and some number of auxiliary computers. The main attacking computer takes over the auxiliary computers using viruses. At some moment these computers activate and begin executing one of the attacks listed above.
Figure: scheme of a DDoS attack


Bandwidth capture
 The Smurf attack is among the most dangerous variants of DoS, since it has an amplification effect that results from sending directed broadcast ping requests to systems that are obliged to answer. To use the features of broadcasting, at least three participants are needed: the attacker, an amplifying network and the target host. The attacker sends a forged ICMP ECHO packet to the broadcast address of the amplifying network. The source address is replaced with the address of the victim, to make it appear that the target system sent the request. Since the ECHO packet is sent to the broadcast address, all systems of the amplifying network return their replies to the victim. Let us consider the procedure of forming a forged ICMP request. [2]
1. A socket for the TCP/IP connection is created with the "connect" function.
2. The socket parameter SO_BROADCAST is set to 1.
3. A loop is organized in which the following operations are performed:
- allocate a buffer for the IP packet (IP + ICMP headers);
- clear the allocated buffer;
- fill in the packet structure:
    // total length of the IP packet
    ip->tot_len = htons(sizeof(struct iphdr) + sizeof(struct icmphdr) + psize);
    ip->ihl = 5;                     // header length in 32-bit words
    ip->version = 4;                 // protocol version
    ip->ttl = 255;                   // time to live
    ip->tos = 0;                     // type of service
    ip->frag_off = 0;                // fragment offset of this packet on reassembly
    ip->protocol = IPPROTO_ICMP;     // protocol type: ICMP
    ip->saddr = sin.sin_addr.s_addr; // source address: the target system
    ip->daddr = dest;                // the broadcast address
    ip->check = in_chksum((u_short *)ip, sizeof(struct iphdr));
    icmp->type = 8;                  // Echo Request, see Table 1
    icmp->code = 0;
- send the generated packet;
- free the allocated memory.
 Having sent one ICMP packet into a network of 100 systems, the attacker triggers a hundredfold amplification of the DoS attack. The amplification factor depends on the structure of the network, so for a successful attack a large network must be chosen, capable of suppressing the target system. Let us consider an example. Suppose the attacker has sent 14 Kb of continuous ICMP traffic to the broadcast address of an amplifying network containing 100 systems. The attacker's network is connected to the Internet by a full-duplex ISDN connection, the amplifying network by a T3 line at 45 Mb/s, and the network of the target host by a T1 line (1.544 Mb/s). Multiplying 14 Kb by 100 systems, we get 14 Mb/s of traffic directed at the target system. The result will be complete blocking of the T1 line. [7]
 There is one more variant of attack based on smurf: fraggle. In this attack UDP packets are used instead of ICMP. The attacker sends forged UDP packets to the broadcast address of the amplifying network, usually to port 7 (echo). Each system on which answering echo packets is allowed returns packets to the victim system. If echo replies are disabled on the systems of the amplifying network, the systems generate ICMP messages about the impossibility of delivering the echo request, and the required large volume of traffic is generated all the same.

  Methods of attack prevention

  Disabling directed broadcast operations on all border routers prevents the amplification effect. On Cisco devices the command "no ip directed-broadcast" must be applied. In Cisco IOS directed broadcast is disabled by default from version 12 on. It is also possible to enable in the OS a mode of rejecting echo packets. On Solaris systems, to block broadcast echo requests, add the following line to the file /etc/rc2.d/S69inet: ndd -set /dev/ip ip_respond_to_echo_broadcast 0.
  On Linux systems, to prevent smurf attacks, the firewall implemented at the kernel level should be used. The rules given below are intended to counter the smurf attack and to log attempts to carry it out. Since passing broadcast ICMP packets is not explicitly allowed by any of the rules, such packets are dropped by default. The rules specify not only ECHO REQUEST but also other types of ICMP packets, since the attack can be carried out using other ICMP protocol messages as well.
  FreeBSD systems of version 2.2.5 and above disable directed broadcasts by default. This option is switched on and off by the sysctl parameter net.inet.icmp.bmcastecho.
  On AIX 4 and above, replies to broadcast requests are disabled. The command no bcastping enables or disables the replies.
 To prevent the fraggle attack, in all versions of UNIX you should comment out in the file /etc/inetd.conf the lines that allow the echo and chargen services to start. It is important to prevent the use of a site as an amplifier of the attack, but it is even more important to detect that the site is being used to carry out such an attack. ICMP and UDP traffic on border routers should be reduced to the volume really needed by the systems of the network, or limited to certain types of ICMP traffic. Enabling CAR (Committed Access Rate) mode, implemented in Cisco IOS 11.1CC, 11.1CE and 12.0, strengthens the protection. In this case ICMP traffic is limited to a reasonable size, for example at the level of 256 or 512 Kb. [6]
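The two things the section asks a site to do, refuse requests to its own directed-broadcast addresses and notice when it is already being used as an amplifier, can be expressed as checks over traffic records. The code below is an added example, not the paper's or any vendor's code; the local networks, the packet record layout and the reply threshold are assumptions of the example, and the ports 7 and 19 are the echo and chargen services the text says to disable in inetd.conf.

```python
"""Border-sensor checks for smurf/fraggle amplification over constructed packet
records (added example, not the paper's code). Local networks and addresses are
documentation ranges chosen for the example."""
import ipaddress
from collections import Counter

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("198.51.100.0/25")]
AMPLIFIER_UDP_PORTS = {7, 19}      # echo and chargen, the inetd services to disable


def is_directed_broadcast(addr):
    """True if addr is the directed-broadcast address of one of our networks,
    i.e. what 'no ip directed-broadcast' stops the router from forwarding."""
    a = ipaddress.ip_address(addr)
    return any(a == n.broadcast_address for n in LOCAL_NETS)


def is_local_host(addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in LOCAL_NETS)


def classify_request(pkt):
    """Label a packet aimed at one of our broadcast addresses: ICMP echo request
    -> 'smurf', UDP to echo/chargen -> 'fraggle', anything else -> None."""
    if not is_directed_broadcast(pkt["dst"]):
        return None
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8:
        return "smurf"
    if pkt["proto"] == "udp" and pkt.get("dport") in AMPLIFIER_UDP_PORTS:
        return "fraggle"
    return None


def amplifier_report(packets, reply_threshold=20):
    """Two signals: requests to our broadcast addresses (to be dropped at the
    border), and many local hosts sending echo replies to one outside address,
    which means the site is already acting as an amplifier against that victim."""
    flagged = []
    replies = Counter()
    for p in packets:
        kind = classify_request(p)
        if kind:
            flagged.append((p["src"], p["dst"], kind))
        if (p["proto"] == "icmp" and p.get("icmp_type") == 0
                and is_local_host(p["src"]) and not is_local_host(p["dst"])):
            replies[p["dst"]] += 1
    victims = {dst: n for dst, n in replies.items() if n >= reply_threshold}
    return {"flagged": flagged, "amplified_victims": victims}


def build_capture():
    """Constructed records: forged requests carrying the victim 203.0.113.7 as
    source, one normal ping to a host, then 30 local hosts replying to the victim."""
    pkts = [
        {"proto": "icmp", "src": "203.0.113.7", "dst": "192.0.2.255", "icmp_type": 8},
        {"proto": "udp", "src": "203.0.113.7", "dst": "198.51.100.127", "dport": 7},
        {"proto": "icmp", "src": "203.0.113.7", "dst": "192.0.2.10", "icmp_type": 8},
    ]
    for i in range(1, 31):
        pkts.append({"proto": "icmp", "src": f"192.0.2.{i}", "dst": "203.0.113.7",
                     "icmp_type": 0})
    return pkts
```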

  Conclusion

 Among the reasons for carrying out DoS attacks one must note the low degree of security of servers, errors in TCP/IP protocol implementations and in software, and the criminalization of the Internet community. Probably a new version of the TCP/IP protocol stack should be expected, with greater resistance to destructive influences. For the present, one can only rely on a correctly configured firewall and carry out preventive work to reduce the effect of amplifying networks.



References

1. "Maximum Security in Linux": translated from English / anonymous author. Kiev: DiaSoft, 2000. 400 p.

2. "Firewalls in Linux": translated from English; textbook. Moscow: Williams, 2000. 384 p.

3. "Linux IP Stacks Commentary": translated from English / Stephen T. Satchell and H. B. J. Clifford. Kiev: DiaSoft, 2001. 288 p.

4. "Security of Global Network Technologies": V. M. Zima. St. Petersburg: BHV, 2000. 320 p.

5. "Information Protection and Computer Network Security": V. N. Domarev. DiaSoft, 2000. 480 p.

6. "Hackers' Secrets": translated from English / Stuart McClure, Joel Scambray. Kiev: Lori, 2001. 435 p.

7. "Attack via the Internet": I. Medvedovsky, P. Semyanov, V. Platonov. Moscow, 2000. 334 p.

8. "System Programming in C++ for UNIX": Terrence Chan, edited by M. Kolomytsev. Kiev: BHV, 1999. 589 p.

9. "Creating Network Applications in Linux": translated from English. Moscow: Williams, 2001. 464 p.


Donetsk 2006.