1.1. Hacker Attacks

Before starting to explore Linux and its security system, you have to know how hackers can penetrate computer systems. To protect the system effectively, you have to be familiar with the possible ways hackers can use to break into it. To this effect, take a brief look at the break-in process. You must know what hackers think, what food they eat, and what air they breathe. Only in this way can you build an impenetrable firewall for your server or network.

It is impossible to provide a general formula that can be used for all break-ins. Each case is different and requires an individual, creative approach that depends on the system and its security configuration. Computer systems are most often compromised by hackers taking advantage of software errors, and each administrator can have different software on his or her network.

Why do attacks on computers continue to increase with each passing year? The information about the security holes and vulnerabilities in computer systems used to be stored on Bulletin Board Systems (BBSs) and only a few people with special privileges had access to it. So it was these hackers who carried out attacks with impunity, because their level of education and experience was high.

The hacker elite consisted mostly of honest people who conducted their research in the security area with the goal of improving this security, not compromising it.

The way things stand now, any information about vulnerabilities, holes, bugs, and so on can be found in any corner of the Internet. Now anyone can be a hacker. How did this come to be? The freedom-of-information fighters are to blame. Unlimited freedom always leads to destruction in the end. I guess that the urge to destroy is in the blood of all of us. Most of us suppress this, just like we do many other primitive desires, but some give in and use the publicly available information to become crackers.

When breaking into a system, hackers pursue one or a combination of the following goals:

  • Obtaining information. The system is broken into to obtain information that is not available to the general public. Such break-ins are usually directed at stealing business or financial secrets, software source code, confidential data, and so on. They are usually carried out by professional hackers fulfilling an order or acting for personal gain.

  • Modifying or destroying data. All Internet or intranet servers are susceptible to this type of attack. Such attacks can be carried out not only by professional hackers but also by amateurs, including disgruntled employees.

  • Denial of Service (DoS). The purpose of the attack is to render the server's service unavailable without actually destroying any data. These attacks are mainly carried out by amateurs whose only goal is to do damage.

  • Zombification. This type of attack has become quite common of late. Its purpose is to put the server under the hacker's control (in the parlance, to turn it into a zombie) and use it to attack other servers. For example, carrying out a DoS attack most often requires powerful resources (a powerful processor, broad-bandwidth Internet access, etc.), which are generally not available on home computers. To carry out such an attack, a hacker first takes over a poorly protected Internet server that has the necessary resources and then uses it to carry out the attack itself.

Attacks can be classified into the following three groups, based on the manner in which they are executed:

  • Local attacks. These attacks are executed by an intruder with physical access to the computer being broken into. This sort of attack is not difficult to protect against because all that is necessary is to restrict physical access to the server by, for example, placing it in a limited-access room and guarding it.

  • Remote attacks. These are carried out remotely via networks from a physical location other than where the computer being broken into is located. This type of attack is the most difficult to protect against. Even the installation of the best firewalls and monitoring and logging software cannot guarantee complete security. Proof of this can be seen in the many break-ins suffered by some of the world's most protected Internet servers (Yahoo, Microsoft, NASA, etc.).

  • Remote attacks carried out by users of the local network. Yes, not only bad dudes somewhere on the Internet can be hackers but also the guy in the next cubicle, who may try to break into your computer for fun, profit, or revenge.

When designing your defenses, you must understand the techniques used by hackers to break into computers. Only then will you be able to prevent unwanted intrusions and protect your computers. Consider the main attack techniques used by hackers and how they are used. To help you understand the process better, I will look at them from the standpoint of the perpetrator.

I will not consider social engineering. This subject is worth a separate book, and it makes no sense to only touch on the topic.

1.1.1. Research

Suppose that you want to break into a certain server to test how well it is protected. What should you start with? There is no clear-cut answer to this question. Again, any break-in is a creative process and requires an individual, creative approach. There are no set rules or ready-made templates. However, a few practical recommendations for you to follow can be provided.

Scanning

The first thing to do is test the system's vulnerability by scanning its ports. What for? To find out what services (in Linux, daemons) are installed in the system. Each open port is a service program installed on the server, to which you can connect and make it do certain things for you. For example, port 21 is used by the File Transfer Protocol (FTP) service. If you connect to this port, you will be able to download files from and upload files to the server. You will have to have the corresponding privileges, however, to be able to do this.

First, you need to scan the first 1,024 ports. Many of them are used by standard services such as FTP, HyperText Transfer Protocol (HTTP), and Telnet. An open port is just like a locked entrance door to the server. The more entrances of this type there are, the greater the chances that the lock for one of them will succumb to picking and swing open to let you in.

A good administrator leaves only the most necessary ports open. For example, if your server is used only to serve Web pages but not email, there is no need to keep the mail-service ports open. The only port that a Web server needs is port 80, so only it should be left open.

A good port scanner reports not only the numbers of the open ports but also the names of the services using them. Unfortunately, the service name is not necessarily real; it is only the name conventionally assigned to that port number, not the program actually listening on it. Thus, port 80 will be reported as HTTP. It is desirable that the scanner can save the scanning results to a file and even print them out. If your scanner does not have these features, you will have to write down all the information yourself and save it. You will need this information for your future exploits.

After scanning the first 1,024 ports, you can move on to scanning the rest. Standard services are a rare occurrence in this port range. Why bother scanning them then? Well, there is always a chance that someone has already visited this area and left an open door or installed a Trojan horse on the server. Most Trojan horses keep open ports in the range above port 1,024. So if you are a server administrator, an open port above 1,024 should make you sit up and take notice. If you're a hacker and stumble on an open port above 1,024, you should find out what Trojan horse server is installed on it and find a client for it to control the machine.

This will be all you need to do to break into the server. By using the Trojan horse installed by a stranger, you can obtain access to the server without any great effort on your part. Unfortunately, life is rarely a bowl of cherries and discoveries of this kind are the exception rather than the rule. In most cases, you will have to do all the dirty work yourself.

About ten years ago, ports could be scanned in batches. Nowadays, administrators in ever increasing numbers install utilities on their servers that detect scanning attempts and do everything possible to prevent this process. The subject of protecting from scanning and the utilities used for this will be discussed in Chapter 12 .

Consequently, because ports cannot be scanned in batches, scanning has become a rather difficult task. This is why professional hackers prefer to do manual scanning. This is done by executing the following command:

    telnet server port

The first parameter is the server address and the second parameter is the port number.

Here, the telnet command is executed, which tries to connect to the specified port at the specified server. A successful attempt means that the port is open; otherwise, the port is closed. If no more than five ports per hour are checked in this way, most scanning-detection utilities will not react; the scanning process, however, will stretch on for weeks.

Sometimes, scanning using the various methods of the nmap utility may be helpful. This utility allows scanning to be carried out with packets that do not complete the connection cycle. But even these methods can be easily detected by modern security utilities.

Because the administrator of the computer you are trying to scan can enter your Internet protocol (IP) address into the suspect list, it is a wise move to conduct scanning from a computer other than your own. To this end, crackers set up Web sites on free servers that allow them to use PHP and Perl scripts. Free servers usually do not require personal data to be provided during the registration, but even if they do, you can simply supply any made-up data because no one is going to check them. As the next step, you establish a safe connection to the server via a proxy server and run your scripts to scan the target's computer.

After the scanning, you will know which doors there are on the server that you can use. But this is not enough; the doors also have to be open. This will take much greater effort.

The most popular scanning tool is the nmap utility. It has conquered the hearts of hackers because it offers a great many features and not all scanning-detection tools can detect it. For example, a scanning-detection program can watch for attempts to connect to several ports sequentially or at once. But nmap may not establish an actual connection.

The process of establishing a connection with a remote server is carried out in several steps. First, the computer sends a request packet to the necessary port of the server. The server answers the request with a special packet. (I will not go into the details of the Transmission Control Protocol, or TCP, because the general idea will suffice for now.) Only then can a virtual connection be established. The nmap scanner can break off contact after the server's first response: It has accomplished its main goal in establishing that the port is open, and there is no need to continue the connection-establishment handshake.

Scanning-detection programs interpret such contacts as errors and do not log them as potential attacks.
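As an added example (not code from the book), here is a detector for the two evasion techniques just described: half-open contacts that break off after the server's first reply, and slow scans of a few ports per hour. It groups contacts by source over a constructed, hypothetical log format (epoch seconds, source IP, destination port, whether the handshake completed) and flags any source that touches many distinct ports inside one time window; the window length decides whether the slow scan is caught, and ignoring the half-open lines reproduces the blind spot described above.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HOSTS 64
#define MAX_EVENTS 64

/* Constructed log in a hypothetical format: epoch seconds, source IP, destination
   port, handshake state. "syn" = the contact broke off after the server's first
   reply (what a half-open scan leaves behind); "est" = completed connection. */
static const char *SAMPLE_LOG[] = {
    "1000 10.0.0.5 21 syn", "1001 10.0.0.5 22 syn", "1002 10.0.0.5 23 syn",
    "1003 10.0.0.5 25 syn", "1004 10.0.0.5 80 syn", "1005 10.0.0.5 110 syn",
    "1010 10.0.0.9 80 est", "1020 10.0.0.9 80 est",   /* an ordinary client  */
    "2000 10.0.0.7 21 syn", "2600 10.0.0.7 22 syn",   /* six ports spread    */
    "3200 10.0.0.7 23 syn", "3800 10.0.0.7 25 syn",   /* over fifty minutes: */
    "4400 10.0.0.7 80 syn", "5000 10.0.0.7 443 syn",  /* a slow scan         */
    NULL
};

struct contact { long ts; int port; };
struct host { char ip[16]; struct contact ev[MAX_EVENTS]; int n; };

/* Find the record for ip, creating it if needed; NULL when the table is full. */
static struct host *find_host(struct host *hosts, int *nhosts, const char *ip)
{
    for (int i = 0; i < *nhosts; i++)
        if (strcmp(hosts[i].ip, ip) == 0)
            return &hosts[i];
    if (*nhosts >= MAX_HOSTS)
        return NULL;
    struct host *h = &hosts[(*nhosts)++];
    memset(h, 0, sizeof *h);
    strncpy(h->ip, ip, sizeof h->ip - 1);
    return h;
}

/* Largest number of distinct destination ports this source touched inside any
   span of window_sec seconds. Contacts are assumed to be in time order. */
int max_distinct_ports(const struct host *h, long window_sec)
{
    int best = 0;
    for (int i = 0; i < h->n; i++) {
        int seen[MAX_EVENTS], nseen = 0;
        for (int j = i; j < h->n && h->ev[j].ts - h->ev[i].ts <= window_sec; j++) {
            int dup = 0;
            for (int k = 0; k < nseen && !dup; k++)
                dup = (seen[k] == h->ev[j].port);
            if (!dup)
                seen[nseen++] = h->ev[j].port;
        }
        if (nseen > best)
            best = nseen;
    }
    return best;
}

/* Parse the log and copy into out[] every source that touched at least
   threshold distinct ports within one window_sec span. With include_half_open
   == 0 the "syn" lines are dropped, reproducing the blind spot the text
   describes: half-open probes treated as mere errors. Returns the count. */
int find_scanners(const char **log, long window_sec, int threshold,
                  int include_half_open, char out[][16], int max_out)
{
    struct host hosts[MAX_HOSTS];
    int nhosts = 0, found = 0;

    for (int i = 0; log[i] != NULL; i++) {
        long ts; int port; char ip[16], state[8];
        if (sscanf(log[i], "%ld %15s %d %7s", &ts, ip, &port, state) != 4)
            continue;                                 /* malformed line */
        if (!include_half_open && strcmp(state, "syn") == 0)
            continue;
        struct host *h = find_host(hosts, &nhosts, ip);
        if (h == NULL || h->n >= MAX_EVENTS)
            continue;
        h->ev[h->n].ts = ts;
        h->ev[h->n].port = port;
        h->n++;
    }
    for (int i = 0; i < nhosts && found < max_out; i++)
        if (max_distinct_ports(&hosts[i], window_sec) >= threshold)
            strcpy(out[found++], hosts[i].ip);
    return found;
}

int main(void)
{
    char hits[MAX_HOSTS][16];
    long windows[] = { 60, 3600 };          /* one minute, then one hour */
    for (int w = 0; w < 2; w++) {
        int n = find_scanners(SAMPLE_LOG, windows[w], 5, 1, hits, MAX_HOSTS);
        printf("window %lds: %d suspect source(s)\n", windows[w], n);
        for (int i = 0; i < n; i++)
            printf("  %s\n", hits[i]);
    }
    return 0;
}
```

With a one-minute window only the fast scanner is flagged; the one-hour window also catches the slow one, at the cost of a longer history to keep per source.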

Identifying the Server's Operating System

Scanning ports is just the first stage in breaking in. It is similar to casing the place before a robbery. There remains the most important thing to do before attempting the actual break-in: determining the operating system installed on the machine. The specific version of the operating system would also be a welcome piece of intelligence, but you can live without this information in the beginning.

How do you determine which operating system is in use? This can be done in one of the following ways:

  • By examining the implementation of TCP/IP used. Different operating systems implement the protocol stack in different ways. The program simply analyzes the responses to requests from the server and draws conclusions about the operating system installed based on these analyses. In most cases, the answer is vague, with only the general type of the operating system provided, Windows or Linux, for example. The exact version of the operating system cannot be determined in this way because the protocol stack is implemented in virtually the same manner in Windows 2000, Windows XP, and Windows 2003, so the responses these versions give to the requests are the same. So you can find out that the server runs under Linux, but you cannot find out under which version. Different versions of the same operating system have different vulnerabilities, so just knowing the basic operating system brand is only half of the information you need to break into the server.

  • By examining responses from various services. Suppose the victim's computer allows anonymous FTP access. All you need to do is connect to the server and check the system prompt. The default welcome prompt looks something like this: "Welcome to the X.XXX client FTP Version of FreeBSD Server." The message could reflect the true state of things. On the other hand, it also might not.

If the welcome prompt reflects reality, the administrator is still wet around the ears. An experienced administrator will always change the default welcome message. And a really canny administrator can make the welcome message show something different altogether. For example, a Windows NT 4.0 server can be made to display a Linux welcome message. This will make an unsophisticated hacker waste lots of time using Linux vulnerabilities to break into the Windows NT server. Therefore, don't put too much trust into the welcome message. Try to ascertain the type of the operating system by some other method.

To avoid being fooled, always pay attention to the services used on the server. For example, a Linux server will not serve Active Server Pages (ASPs). Although things like this can be faked, it is not often done. To make an ASP run under Linux, PHP script files are saved with ASP extensions and are redirected to the PHP interpreter. So it looks like the server serves ASP files, but these are actually PHP scripts.

As you can see, the defending side goes to great lengths to make life as difficult as possible for hackers. Most inexperienced hackers believe everything they see and spend lots of time trying to break in using methods that have not got the slightest chance of success. Consequently, breaking in becomes too expensive an option, and the hacker gives up.

The hacker's task is to untangle all of the false leads left by the administrator and determine exactly what system he or she is dealing with. Unless this preliminary task has been completed successfully, any further actions would be like looking for a needle in a haystack. The hacker will not even know which commands to use or what executable files can be infiltrated onto the server.

Hackers like using the nmap utility for determining the operating system. Although the program's main functionality is geared toward port scanning, if run with the -O switch, it will attempt to determine the operating system. There is a chance that this attempt will not succeed, but there also is a chance that it will.

Using Scripts

Now you know which operating system the server is running, which ports are open, and which services are sitting on these ports. You should write down all of this information either to a file or on paper. The important thing is that it should be convenient to work with.

This concludes the research part. Now you have enough information to attempt a basic break-in using the vulnerabilities in the server's operating system and services. The information about which vulnerabilities to use can be found by regularly visiting the www.securityfocus.com site. Information about new vulnerabilities is updated often on this site, and it is a longstanding and well-known fact that most servers (70% to 90%, depending on the source) simply are not patched. Therefore, you should use all known vulnerabilities on the victim and hope that something works.

If the server is well patched, you will have to wait for new holes to be discovered and for exploits to be written for them. (An exploit is a program written to exploit a specific vulnerability.) As soon as you see a new vulnerability has been discovered and an exploit for it has been written, download the exploit and use it before the administrator patches the hole.

1.1.2. Breaking into a Web Server

Breaking into a Web server involves its own specific considerations. Breaking a server that allows execution of Common Gateway Interface (CGI), PHP, or other scripts requires a different approach than for other server types. The break-in is started by scanning the server for vulnerable CGI scripts. You may find it hard to believe, but research conducted by various companies indicates that many vulnerable scripts are employed on Internet sites.

Scripts are vulnerable because pages are programmed by people, who have an inherent propensity to err. Novice programmers seldom test the incoming parameters, hoping that the users won't change the page code or the Uniform Resource Locator (URL), through which the data necessary for executing certain actions are passed to the server. But I have already considered how to modify page code and fake IP addresses in this chapter. This was possible because the programmers relied on visitors being conscientious. They shouldn't have.

One popular site-management program, PHP-Nuke, contains a parameter vulnerability. The program is a collection of scripts used to create a forum, chat, and news service on the site and to control the site's contents. All script parameters are passed through the URL string of the browser, and the error was located in the ID parameter. The developers assumed that only a number would be passed in this parameter but did not check whether this was actually the case. A hacker who knows the structure of the database (which is not that difficult to learn, because the source code of PHP-Nuke is public) can easily place a Structured Query Language (SQL) request to the database server in the ID parameter and obtain the passwords of all visitors registered at the site. The information is encrypted, but, as you will see later, it would not be difficult to decrypt it.

The problem is aggravated because some programming languages (e.g., Perl) were not intended for use with the Internet. They contain some functions for manipulating the system, and if a programmer inadvertently uses them in his or her work, hackers can take advantage of them to obtain control over the system.

All programming languages have functions that have the potential for misuse, but some languages have more than others. The only more or less secure language is Java. But it places such a drag on system resources that Webmasters are reluctant to use it. In addition, even this language, if used by an unskilful programmer, can leave great gaps that, to hackers, would be like a wide-open hangar door with a welcome sign above it.

Thus, an ignorant programmer is the biggest vulnerability. Because of the shortage of professionals in this area, anyone who completes a crash programming course becomes a programmer. Many such "accelerated programmers" do not have the slightest idea about computer security, which is not something hackers are about to complain about.

So your main task is to add a couple of good CGI scanners to your toolkit. Which CGI scanner should you obtain? It does not matter; any one of them is better than nothing. Even the worst scanner can find vulnerabilities of which even the best hackers are unaware. And it just may happen that it will find this vulnerability on the server you are trying to break into. In addition, you should become a frequent visitor to www.securityfocus.com , where they regularly put out descriptions of the latest vulnerabilities of various Web site programming languages.

1.1.3. Brute Force

When your attempts to break into a server using your basic brain power have failed, you can always fall back on the brute-force method. No, brute force does not mean that you will have to grab the site administrator by the throat, knock his head on the wall, and demand that he surrender the passwords. Brute force means simply trying different passwords until you hit on the right one.

Look at the statistics. Every security-research project reaches the same conclusion regarding the passwords people use: Most beginners use names of their pets, birthdays, phone numbers, and the like as their passwords. A well-compiled password dictionary can let you break into practically any system, because there are inexperienced users everywhere that use these types of passwords. And if these users have high enough privileges, hackers can have a real field day!

Are you still skeptical? Then let me remind you about the famous Morris worm, which used the dictionary method to break into systems. Its own dictionary contained fewer than 100 words. In addition to its own dictionary, the worm used the dictionaries from the compromised computers. But those did not have too many passwords in them either. Using such a primitive algorithm, the worm was able to spread through a huge number of the Internet computers. This was one of the largest-scale infections ever! Yes, it happened a long time ago, but the level of professionalism of the average user has not grown since then. There are many experienced users, but there are many more green beginners.

1.1.4. Local Networks

Hacking a local network is easier than hacking the Internet for the following reasons: The computers are connected using a high-speed connection (10 MB/sec and higher), the traffic of the other network computers can be monitored, fake servers can be created, and firewalls are seldom used because they are mostly used as a shield between the local network and the Internet. Consider the most popular local network hacking techniques.

Traffic Monitoring

Local networks have certain inherent features. For example, if a local network is built using coaxial or twisted-pair cable and hubs to connect the computers, all the network traffic passes through all the computers in the network. Why can't you see this traffic? Because the operating system and the network card are joined in a conspiracy and do not show you the traffic that is not yours. But if you really want to read other people's network traffic, you can obtain a sniffer program and monitor all data that pass through your network card even if they are not intended for you.

The sniffer trick will not work on the Internet; you will see only your own traffic. To be able to monitor the Internet traffic of other participants, you would have to hack into the provider's server and install your sniffer there. This is a rather involved undertaking, fraught with the danger of being found and locked out. Therefore, sniffers are generally used only on local networks.

Why can you see other people's traffic on a local network but not on the Internet or switched local networks? When the computers are connected into a network using a coaxial cable, they all sit on a common bus serially. The bus can be made into a ring, with the computers at the bus ends connected to each other. When the computers at the bus ends exchange data, all packets pass through the network adapter of the computer (or computers) between them.

Coaxial cable is seldom used as the network medium of choice because such a connection is unreliable and its bandwidth is limited to 10 MB/sec.

Since the early 1990s, the preferred network configuration has been the star-connected topology, with computers connected to one central point using a hub or a switch. If the central connecting device is of the hub type (also known as a multiport repeater), all packets that it receives from one of the computers are simply resent to the rest of the network computers. If the central connecting device is of the switch type, the packets are delivered only to the recipient because the switch has built-in routing capabilities.

Switches usually route Medium Access Control (MAC) address-level packets. This type of addressing is used to exchange packets only in local networks (even if data are sent to an IP address). In the Internet, packets are addressed using IP addressing, but far from all switches can handle this type of addressing. In this case, a more intelligent device is needed to send packets to the right place: a router. Like switches, routers send packets only to the computer to which they are addressed, or to another router that knows where the addressee computer is located.

Consequently, switches in local networks and routers on the Internet make sniffing difficult, because sniffers must be placed directly on the switches or routers.

Intercepting packets is only half of the job: The information contained in them is in a form difficult for humans to interpret. It is mostly just fragments of larger data blocks that have been broken into parts to be transmitted.

Today, you can find any type of sniffer, as well as add-ons for it, on the Internet. Different versions are optimized for different tasks, so you should select the one suited to your particular task. If you are after passwords, you need a sniffer that can isolate the registration information from the overall network traffic. This task is not difficult because, unless the Secure Sockets Layer (SSL) protocol is used, all passwords are sent to the Internet in open text, just like the rest of the information.

The advantage of using sniffers when perpetrating a break-in is that they do not interact with the computer being attacked, which means that they are hard to detect. In most cases, it is simply impossible to know that your traffic is being monitored by someone.

Fake Address

It has already been mentioned that firewalls allow or disallow user access based on a set of rules. But it is not always convenient to disallow all accesses to all ports. For example, access to the management programs can be disallowed for all IP addresses except the one used by the system administrator. Anyone trying to enter the restricted area from a different IP address will be stopped by the firewall.

At first glance, the defense seems perfect. This would be the case were it not for an attack technique called spoofing. This attack is carried out by faking the address of an authorized user to enter the server under attack. Old firewalls and cheaper contemporary examples cannot detect the faked address in the packets. A good firewall should ping the computer trying to connect to ascertain that it is turned on and that this computer is actually requesting the connection to the restricted resources.

Fake Servers

Attacks using fake servers or services are much easier to carry out in local networks than on the Internet. For example, the following well-known fake Address Resolution Protocol (ARP) record attacks can be carried out only on local networks.

As you should already know, when a computer is addressed by the IP address, its MAC address is determined first and then the message is sent to this address. But how can the MAC address be determined when you only know the IP address and do not know the network interface used? This is done with the help of ARP, which broadcasts a request for the computer with the specified IP address to all computers in the network. Only the IP address is provided in the request packet, with the unknown MAC address given as FFFFFFFFFFFFh. If there is a computer with the specified IP address in the network, it replies with a packet, in which its MAC address is specified. ARP operates transparently to the user.

If there is no computer with the specified IP address on the given network segment, a router may reply by sending its own MAC address. In this case, the computer will exchange data with the router, which will resend the packet into another network segment or to another router until it reaches its destination.

But what if the computer that replies is not the specified computer but, instead, an impostor with a different IP address? When sending packets on a local network, computers do not use IP addresses but go by MAC addresses. So the packets will be sent to whichever computer claims that its MAC address corresponds to the specified IP address, regardless of what its real IP address is. The hacker's task, therefore, is to intercept an ARP request and answer it, instead of the intended recipient doing so. In this way, a connection can be taken over.

Suppose that a network computer makes a request to be connected to the server. If you intercept this request and emulate the server's password request, you will discover that computer's password to enter the network. The problem with this method is that it is almost impossible to implement manually. This requires writing a corresponding program, which means you need to have programming knowledge.
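An added example, not from the book: a passive check for the impostor ARP replies described above. It records the first MAC address seen answering for each IP (the addresses are constructed) and reports every later reply in which a different MAC claims that IP. A replaced network card produces the same alert, so it is a prompt to verify rather than proof of an attack.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64
#define ALERT_LEN 96

struct arp_reply { const char *ip; const char *mac; };

/* Constructed ARP replies (made-up addresses) in the order a passive monitor on
   the segment would see them. */
static const struct arp_reply SAMPLE_REPLIES[] = {
    {"192.168.1.10", "00:11:22:33:44:10"},
    {"192.168.1.1",  "00:11:22:33:44:01"},   /* the segment's router            */
    {"192.168.1.10", "00:11:22:33:44:10"},   /* same host again: no change      */
    {"192.168.1.10", "00:aa:bb:cc:dd:ee"},   /* another MAC now claims .10      */
    {"192.168.1.20", "00:11:22:33:44:20"},
    {"192.168.1.1",  "00:aa:bb:cc:dd:ee"},   /* the same MAC claims the router  */
};
#define SAMPLE_COUNT ((int)(sizeof SAMPLE_REPLIES / sizeof SAMPLE_REPLIES[0]))

struct arp_entry { char ip[16]; char mac[18]; };
struct arp_table { struct arp_entry e[MAX_ENTRIES]; int n; };

/* Record one reply. Returns 0 when the IP is new or its MAC matches what was
   learned earlier, 1 when a different MAC now answers for a known IP (the
   impostor case). The first MAC learned is kept, so the conflicting later
   claim is what gets reported rather than silently replacing the entry. */
int arp_observe(struct arp_table *t, const char *ip, const char *mac)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->e[i].ip, ip) == 0)
            return strcmp(t->e[i].mac, mac) == 0 ? 0 : 1;
    if (t->n < MAX_ENTRIES) {
        struct arp_entry *e = &t->e[t->n++];
        snprintf(e->ip, sizeof e->ip, "%s", ip);
        snprintf(e->mac, sizeof e->mac, "%s", mac);
    }
    return 0;
}

/* The MAC learned for ip, or NULL when the IP has not been seen. */
const char *arp_lookup(const struct arp_table *t, const char *ip)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->e[i].ip, ip) == 0)
            return t->e[i].mac;
    return NULL;
}

/* Replay a reply sequence through a fresh table and write one alert line per
   conflicting reply into alerts[]. Returns the number of alerts. */
int arp_audit(const struct arp_reply *r, int count,
              char alerts[][ALERT_LEN], int max_alerts)
{
    struct arp_table t;
    int n = 0;
    memset(&t, 0, sizeof t);
    for (int i = 0; i < count && n < max_alerts; i++)
        if (arp_observe(&t, r[i].ip, r[i].mac) == 1)
            snprintf(alerts[n++], ALERT_LEN, "%s: learned %s, now claimed by %s",
                     r[i].ip, arp_lookup(&t, r[i].ip), r[i].mac);
    return n;
}

int main(void)
{
    char alerts[MAX_ENTRIES][ALERT_LEN];
    int n = arp_audit(SAMPLE_REPLIES, SAMPLE_COUNT, alerts, MAX_ENTRIES);
    for (int i = 0; i < n; i++)
        printf("ARP conflict: %s\n", alerts[i]);
    return 0;
}
```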

1.1.5. Trojan Horses

Using Trojan horses is the stupidest and most unreliable method to employ against network administrators, but it is good enough against regular users, because they are easier to fool. Although there are network administrators not quite up to their position, very few of them will fall for this trick. But who says that there are only administrators on networks? There also are plenty of regular users with high access privileges and trusting souls. They are the ones you can horse around with, so to speak.

A Trojan program consists of two parts: a server and a client. The server needs to be installed on the victim's computer, one way or another, and started. Most often, a Trojan program places itself into the start-up folder, starts automatically with the system, and runs surreptitiously in the background. With the server part planted on the victim's computer, you can use the client part to communicate with the server and make it do all kinds of things, such as rebooting the computer and checking its hard drives for interesting information.

But how do you plant a Trojan horse on someone's computer? The most common way is to send it using email. Simply give the executable file of the server part some intriguing name, attach it to the message, and send it to the victim. The message text should be persuasive enough for the victim to launch the attached file. This is the same method used to insert viruses. If the user falls for your ruse and launches the server part, his computer becomes as good as if it were on your desk.

If the Trojan program is intended to steal passwords, it can send them in a file to an email address specified in advance. The address can be figured out easily by professionals (by examining the Trojan), but this is as far as they will get. Professional hackers are not stupid, and they send their wares from mailboxes they register on free mailbox services under assumed names. When a mailbox is created and checked for mail only through an anonymous proxy server, figuring out the owner is next to impossible (assuming that no secret service agency becomes interested in the case).

Trojan programs are so popular because, by following a few simple rules, the perpetrator will likely remain anonymous. In addition, today's Trojan programs are easy to use.

The danger presented by Trojan horses is indirectly confirmed by the fact that most new antivirus programs check not only for viruses but also for Trojan programs. For example, antivirus programs identify Back Orifice as the Win32.BO virus.

1.1.6. Denial of Service

The stupidest attack thought up by hackers is the DoS attack. The essence of such an attack is that the hacker attempts to make the server stop answering requests for pages. How can this be done? This is often achieved by making the server enter an endless loop. For example, if the server does not check that incoming packets are in the proper format, the hacker may send it a request that will make the server service this request endlessly, leaving no processor time for servicing other requests and, thus, denying service to other clients.

A DoS attack can be executed in two ways: by exploiting a bug in the server program or by overloading the server's communications channel and/or resources. The first method requires that the server have a vulnerability and that you know what it is. The most often used vulnerability is the buffer overflow error.

The procedure for executing a buffer overflow DoS attack is as follows: Suppose that you want to send the string "HELLO" to the server. To accept this string, the server software allocates enough memory to store five characters. The program code may look like this:

[ Program code ] [ A buffer to store five characters ] [ Program code ]

If the program has no provisions for checking the actual size of the data it receives and writes to the data buffer, the buffer is subject to overflow. If a user sends 100 characters instead of just 5, when all these characters are written to the buffer intended to hold only 5, the remaining characters spill into the program code area and overwrite the code. This means that the program code will be corrupted and will not be able to execute as intended. The program will most likely hang. The server then stops responding to client requests, and you have carried out a successful buffer overflow DoS attack.

Consequently, the computer was not broken into and no information was touched, but the computer has been taken out of service on the network. DoS attacks are even easier to execute in a local network. All you have to do is to replace the IP address of your machine with the IP address of the machine under attack. This will result, in the best case, in the machine under attack becoming inaccessible or, in the worst case, in both machines becoming inoperable.

To execute a resource-overload attack, little or no knowledge is needed about the machine under attack. Here, the stronger machine wins. The resources of any computer are limited. For example, a Web server can organize only so many virtual channels to communicate with clients. If the number of channels exceeds the limit, the server becomes inaccessible. All you have to do to execute this attack is to write a program whose only function is to keep opening connections. Sooner or later, the connection limit will be exceeded, and the server will not be able to open new connections.
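As an added illustration (not code from the book), here is a C handler of the shape described above, with the buffer sized for the five characters of "HELLO", next to a hardened version that measures the request before writing anything into the buffer. The function names and the driver that builds requests of a given length are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define GREETING_LEN 5   /* the server expects "HELLO": five characters */

/* The shape described in the text: the buffer is sized for the expected input and
   nothing checks how much actually arrived, so a longer request writes past the
   buffer into whatever follows it. Kept only for contrast; it is never called. */
void store_greeting_unchecked(char *buf, const char *request)
{
    strcpy(buf, request);   /* 100 characters into a 6-byte buffer */
}

/* Hardened form: measure the request against the buffer before writing anything.
   Returns 0 when the request fits and was copied, -1 when it is rejected
   (buf is left untouched in that case). */
int store_greeting_checked(char *buf, size_t bufsize, const char *request)
{
    size_t n = 0;
    while (n < bufsize && request[n] != '\0')   /* never scan past what could fit */
        n++;
    if (n >= bufsize)                           /* no room for the terminator: too long */
        return -1;
    memcpy(buf, request, n + 1);                /* copy the text and its NUL */
    return 0;
}

/* Constructed driver: a request of `len` 'A' characters against a buffer that holds
   exactly GREETING_LEN characters plus the terminator. */
int checked_result_for_length(size_t len)
{
    char request[128], buf[GREETING_LEN + 1];
    if (len >= sizeof request)
        len = sizeof request - 1;
    memset(request, 'A', len);
    request[len] = '\0';
    return store_greeting_checked(buf, sizeof buf, request);
}

/* Returns 1 when "HELLO" survives the checked copy byte for byte. */
int copies_hello_intact(void)
{
    char buf[GREETING_LEN + 1];
    return store_greeting_checked(buf, sizeof buf, "HELLO") == 0
        && strcmp(buf, "HELLO") == 0;
}
```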

If there are no limitations on the resources, the server will process as many requests as it can. In this case, either the communications channel or the server can be attacked. The choice of the target depends on which is weaker. For example, if a 100-MB/sec channel is serviced by a Pentium 100 server, it is much easier to kill the computer than to overload the communications channel. But if a relatively powerful server is sitting on a narrow bandwidth channel, it is easier to overload the channel.

How can a communications channel be overloaded? Suppose that someone flamed you in a chat room. You find out his or her IP address and learn that the offender uses a simple 56-KB/sec dial-up Internet connection. Even if you use the same connection, you can overload the smart aleck's channel with no problem. You do this by sending an endless stream of large-packet ping requests to his or her IP address. The victim's computer will receive these packets and will have to answer them. If you send enough packets, receiving the ping requests and answering them will be the sole activity of the victim's computer, leaving no channel capacity for anything else and effectively taking your offender out of the chat room. If your channel capacity does not exceed the victim's, you will not be able to do anything but send and receive large ping packets. If you think this price is acceptable to take your revenge, go ahead and have fun.

If you decide to attack a server, your communications channel will be much narrower than the server's total bandwidth, and you will have to determine a weak spot for the attack to be successful. Suppose that the server offers a service for downloading files from other sites and saving them in its storage. To overload the communications channel of such a server, you may ask to download several large files simultaneously. The server will devote most, if not all, of its bandwidth to carrying out your request and, during this time, will leave other clients without service. Your own Internet connection will not be affected by this process.

A wide bandwidth channel is not needed to overload a server's processor. All that is necessary is to send it a time-intensive request. Suppose that you want to attack a server that offers online translation services for Web pages. In this case, you find a page containing lots of text (e.g., a book, a technical manual, or a request for comment) and send the server a bunch of requests to translate it. In addition to the server having to load its channel for downloading the book, it will have to load its processor to translate it. Sending about 100 requests a second to translate, for example, the King James Bible will take the server out of commission. If the server is equipped with protection against multiple requests of the same material, you can send it several large books.

DoS attacks are quite easy to defend against. The server software must control and limit the number of requests that can be submitted from one IP address. But this is only a theory, and a check of this type will only protect you from inexperienced hackers. An experienced hacker will have no problems forging IP addresses and flooding the server with packets supposedly issued from those addresses. This makes the situation even worse for the server, because, if the attack is conducted over TCP/IP, the server will have to establish a connection for each of those requests.

If a hacker sends a large number of connection requests carrying different forged IP addresses, the server will send acknowledgements to those addresses and wait for further actions from the computers at those addresses. Because, in reality, there are no such computers, the wait is useless. Consequently, filling the server's incoming connection queue puts the server out of service while it waits for connections with nonexistent computers. How long this wait lasts depends on the time-out value, which can be as large as 5 seconds. During this time, the hacker can flood the queue with new requests and extend the wait. The process can be repeated for as long as desired.
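The two points above, the per-address limit and why it fails against forged addresses, can be modelled on the server side alone. This is an added C simulation, not the book's code and not a network program: a fixed-size half-open connection queue with the 5-second time-out from the text, a per-address limit, and two constructed scenarios. The queue size, limit and addresses are hypothetical values chosen to keep the effect visible.

```c
#include <string.h>

#define BACKLOG_SIZE 8   /* half-open connection slots; tiny so the effect is visible */
#define SYN_TIMEOUT  5   /* seconds an unanswered handshake is kept, as in the text */
#define PER_IP_LIMIT 3   /* half-open connections tolerated from one source address */

struct half_open { unsigned int src; long created; int used; };
static struct half_open backlog[BACKLOG_SIZE];

void reset_backlog(void) { memset(backlog, 0, sizeof backlog); }

/* Server side of one incoming SYN at time `now` (seconds): 1 if a slot was reserved,
   0 if refused. The per-address limit is the check the text recommends; a flood of
   forged addresses shows a new source per packet, so only the time-out frees the queue. */
int accept_syn(unsigned int src, long now)
{
    int from_src = 0, free_slot = -1;
    for (int i = 0; i < BACKLOG_SIZE; i++) {
        if (backlog[i].used && now - backlog[i].created >= SYN_TIMEOUT)
            backlog[i].used = 0;                /* handshake timed out: free the slot */
        if (!backlog[i].used) { if (free_slot < 0) free_slot = i; }
        else if (backlog[i].src == src) from_src++;
    }
    if (from_src >= PER_IP_LIMIT || free_slot < 0)
        return 0;                               /* per-address limit hit, or queue full */
    backlog[free_slot].src = src; backlog[free_slot].created = now; backlog[free_slot].used = 1;
    return 1;
}

/* Constructed scenario: one address repeats its SYN BACKLOG_SIZE times at t=0.
   Returns how many slots it obtained (the per-address limit caps it). */
int slots_for_one_source(void)
{
    int got = 0;
    reset_backlog();
    for (int i = 0; i < BACKLOG_SIZE; i++) got += accept_syn(0x0A000001u, 0);
    return got;
}

/* Constructed scenario: `spoofed` SYNs from distinct nonexistent addresses at t=0,
   then a genuine client (0xC0A80001) tries at t=0 and again once SYN_TIMEOUT has
   elapsed. Returns how many of its two attempts got a slot. */
int genuine_attempts_served(int spoofed)
{
    reset_backlog();
    for (int i = 0; i < spoofed; i++) accept_syn(0x0A000100u + (unsigned int)i, 0);
    int served = accept_syn(0xC0A80001u, 0);
    return served + accept_syn(0xC0A80001u, SYN_TIMEOUT);
}
```

With the queue full of forged entries the genuine client is refused until the time-out frees the slots, which is exactly the window the text says a hacker keeps extending.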

Distributed Denial of Service

DoS attacks are suitable for attacking servers with narrow bandwidth communications channels. Large servers like www.microsoft.com or www.yahoo.com are difficult to take out with these attacks because they have wide bandwidth channels and powerful processing resources. No hacker can ever match this bandwidth or these processing resources. However, there is more than one way to skin this cat. To match a large server's bandwidth and processing resources, hackers resort to Distributed DoS (DDoS) attacks.

By "distributed" I mean that the communications channels and processing resources of many computer users are allied to execute the attack. However, there aren't too many users who would volunteer their resources for such purposes. Hackers solve the problem of lack of cooperation by taking over users' machines using special-purpose viruses. For example, the Mydoom.C virus searched the Internet for computers infected with the Mydoom.A and Mydoom.B viruses and used them to attack Microsoft servers. Fortunately, this virus did not manage to take over enough machines to execute a full-fledged attack. Microsoft's administrators maintained that the servers were working as usual, but some customers did notice some lag in the servicing of their requests.

It is difficult to protect computers from a distributed DoS, because the numerous requests are sent by existing computers. It is difficult for the server to determine that these are not bona fide requests but are, instead, directed at taking the server out of commission.

1.1.7. Password Cracking

When a hacker is trying to break into a system, he or she most often uses one of the following methods:

  • If he or she already has an account on the server under attack (even if it is just a guest account), the hacker may try to obtain greater privileges.

  • The hacker obtains the account of a specific user.

  • He or she obtains the password file and uses the accounts belonging to other users.

Even when hackers manage to obtain privileged system rights, they still strive to lay their hands on the password file. Succeeding in this endeavor gives them access to the root account (in UNIX systems) and, correspondingly, rights to the entire system. But the passwords are encrypted and the successful hacker will, at most, see the hash sums produced by irreversible password encryption.

When the administrator adds a new user, his or her password is irreversibly encrypted (most often, using the MD5 algorithm), meaning that the plain password cannot be reproduced from the encrypted form. The obtained hash sum is saved in the password file. When the user enters the password, it is encrypted and compared with the hash sum saved in the file. If the results match, the password entered is accepted. The subject of how passwords are stored in Linux will be covered later.

Because the encrypted password cannot be decrypted, it may seem at first that the hash file is of no use. But appearances can be deceiving. Even though the password cannot be decrypted, it can be picked by the brute-force method. There are many programs for this task, John the Ripper (www.openwall.com/john) and Password Pro (www.insidepro.com), for example.

Why can utilities like these be freely obtained on the Internet by anyone when they can be used for criminal purposes? Any program has negative as well as positive aspects. What should you do when you forget the administrator password or the administrator has forgotten to tell you what it was when you fired him? Reinstall the system? This will take a long time and is fraught with the danger of losing data. It is easier to remove the hard drive, connect it to another computer (or simply boot the machine from a diskette), take the password file, and crack the necessary password.

1.1.9. Summary

Each cracker has numerous break-in techniques and instruments in his or her toolkit. The more experienced a hacker is, the more techniques he or she collects and tries against the target server. Having determined the server's operating system and the services running on it, the cracker starts using the attack methods in his or her arsenal one after another.

Any hacker can try password picking. This technique, however, is usually the last one resorted to because it can take too much time and produce no results in the end. In addition, password picking may fail if the server is configured to detect a password-picking attempt and the administrator reacts properly to such attempts. One of the things the administrator could do after detecting that someone is trying to pick the password to the server is configure the firewall to prohibit connections from the IP address from which the password-picking activity was detected. This will render any further actions by the miscreant useless until he or she manages to change the IP address.
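The detect-and-block reaction described above, as an added C example that is not from the book: it counts failed logins per source address over a few constructed sshd-style auth log lines (not from any real host) and, once a threshold is reached, produces the firewall rule that refuses that address. The threshold, the sample lines and the function names are assumptions for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of sshd-style auth log lines (not taken from any real host). */
static const char *SAMPLE_LOG[] = {
    "Failed password for root from 10.0.0.5 port 51234 ssh2",
    "Failed password for invalid user admin from 10.0.0.5 port 51236 ssh2",
    "Accepted password for alice from 192.168.1.20 port 40001 ssh2",
    "Failed password for alice from 192.168.1.20 port 40002 ssh2",
    "Failed password for root from 10.0.0.5 port 51240 ssh2",
};

/* Copy the source address (the token after " from ") of a failed-login line into
   `ip` and return 1; return 0 for any other line. */
int failed_login_source(const char *line, char *ip, size_t ipsz)
{
    const char *p;
    if (strncmp(line, "Failed password for ", 20) != 0 || !(p = strstr(line, " from ")))
        return 0;
    p += 6;                          /* skip " from " */
    size_t n = strcspn(p, " ");      /* the address ends at the next space */
    if (n == 0 || n >= ipsz)
        return 0;
    memcpy(ip, p, n);
    ip[n] = '\0';
    return 1;
}

/* Count failed logins from `ip` in the sample log. */
int failures_from(const char *ip)
{
    char src[64];
    int count = 0;
    for (size_t i = 0; i < sizeof SAMPLE_LOG / sizeof *SAMPLE_LOG; i++)
        if (failed_login_source(SAMPLE_LOG[i], src, sizeof src) && strcmp(src, ip) == 0)
            count++;
    return count;
}

/* The administrator's reaction from the text: once `ip` reaches `threshold` failures,
   return the firewall rule that refuses its connections (iptables syntax), else NULL.
   The rule keys on the source address, so it holds only until the attacker changes it. */
const char *block_rule_for(const char *ip, int threshold)
{
    static char rule[96];
    if (failures_from(ip) < threshold)
        return NULL;
    snprintf(rule, sizeof rule, "iptables -A INPUT -s %s -j DROP", ip);
    return rule;
}
```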

The preceding review of hacker attacks is not exhaustive. I tried to provide the most essential basic information. I did not describe any specific break-in methods. Doing this could be considered a call to action, and the purpose of this book is not to add to the already overly large host of crackers. My goal is to show how hackers see the computer and how they use it. This should help you learn more about the computer and make it more secure.

I mainly considered only theory, rather than practice. To implement the break-ins described previously, you would need specialized programs and, for certain tasks, you would have to write custom programs yourself.

You must understand the theory underlying breaking-in well to know what to protect yourself from. Without this knowledge, you will not be able to build defenses capable of deflecting even the simplest hacker attacks. How can you defend yourself without knowing how the attack will be carried out? You can't.

The reliability of your defense is directly proportional to the number of attacks that can be used by hackers against your machine. The Internet is a huge world, and hackers that live in this world use various break-in techniques. To protect your house, you must know what types of criminals are likely to try to break into it. If these are petty juvenile delinquents, a good lock and alarm system will do. But if there is something in your house that may attract really bad guys, you will need window bars, armored doors, and barbed wire on the fence.

It is even more difficult to organize adequate defense on the Internet, because hackers that may try to move into your computer have different degrees of skill and use different attack techniques. It is impossible to foresee which method will be used against you. You must be ready to defend yourself from any type of attack.



Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141
