Hackers can wreak havoc without ever penetrating your system. For example, a hacker can effectively shut down your computer by flooding you with obnoxious signals or malicious code. This technique is known as a denial-of-service attack.
Hackers execute a denial-of-service attack by using one of two possible methods. The first is to flood the target computer or network device with so much traffic that it becomes overwhelmed. The second is to send a single well-crafted command or piece of malformed data that crashes the target.
The first type of DoS attack we will discuss is known as SYN flooding. A SYN attack ties up a target computer's resources by making it respond to a flood of connection requests that are never completed. To understand this, imagine you are a secretary whose job is to answer and redirect phone calls. What if 200 people called you at the same time and then hung up when you answered? You would be so busy picking up dead lines that you would never get any work done. Eventually, you would suffer a mental breakdown and quit the job. This is the same technique that hackers use when they employ a SYN flood.
To perform a DoS attack, the hacker must first determine the IP address of the target. Using this IP address, the hacker directs traffic at it from a client computer. To amplify the force of the attack, the hacker will often set up several client computers programmed to attack the target at the same time. This is usually accomplished by doing some preliminary hacking to gain control of several computers with high-bandwidth connections. The most popular sources of these slave computers are university systems and broadband customers. Once the hacker has his slave computers set up, he launches the attack from a central point, called the master.
A SYN DoS attack (see Figure 6.3) takes advantage of the three-way handshake that TCP requires when two computers set up a communication session. The client computer first sends a SYN packet to the server to start the communication. When the server receives it, it records the packet's source address in its table of pending connections and sends back a SYN ACK packet. The server then waits for the client to respond with a final ACK packet, which completes the connection initiation.
Figure 6.3. TCP/IP handshake.
A server has a limited number of resources designated for pending client connections. When a server receives the initial SYN packet from a client, it allocates one of these slots and holds it until the handshake completes or a timeout expires. The limit exists to cap the number of simultaneous half-open connections so that the server does not exhaust its memory. Once the slots are all taken, the server ignores or refuses further connection attempts until a slot frees up, which means new clients cannot get in.
The weakness in this system appears when the hacker inserts a fake return address in the initial SYN packet (see Figure 6.4). The server sends its SYN ACK to the fake address, which either does not exist or never asked for a connection, so the final ACK never arrives. Each fake SYN packet therefore ties up a slot for the full timeout period, and once every slot is taken the server refuses all new connections, legitimate or not. A successful attack requires a steady stream of fake packets, enough to keep the table full faster than its entries expire, but if a hacker has several slave computers sending packets, he can overload a server quickly.
Figure 6.4. SYN attack using a spoofed return address.
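To make the resource-exhaustion argument concrete, here is an added example (not from the original text) that models a listener's table of pending connections in Python, using a simulated clock and constructed addresses. A real TCP stack also retransmits SYN-ACKs and sizes its backlog differently, so treat the numbers as illustrative. The model shows the quantity that matters: the attacker only needs to send spoofed SYNs faster than entries expire (backlog size divided by the half-open timeout, about 2 per second for 128 slots and a 60-second timeout) to keep a legitimate client out. The same model also shows the SYN-cookie defence, which the original text does not describe: the server stores nothing until the third packet arrives and instead encodes a keyed hash of the client's address into its initial sequence number.

```python
"""Model of a TCP listener's half-open backlog under a SYN flood, with and
without SYN cookies. Added example with constructed addresses and a simulated
clock; a real stack also retransmits SYN-ACKs and sizes its backlog differently."""
import hashlib
import hmac


class Listener:
    def __init__(self, backlog=128, syn_recv_timeout=60.0, syn_cookies=False):
        self.backlog = backlog            # max half-open entries (stateful mode)
        self.timeout = syn_recv_timeout   # seconds an unanswered SYN-ACK is kept
        self.syn_cookies = syn_cookies
        self.half_open = {}               # (src_ip, src_port) -> expiry time
        self.established = set()
        self.dropped_syns = 0
        self.secret = b"constructed-demo-secret"  # per-host secret for cookies

    def _expire(self, now):
        for key, expiry in list(self.half_open.items()):
            if expiry <= now:
                del self.half_open[key]

    def _cookie(self, key, slot):
        # Stateless "ISN": MAC over the client's address/port and a 64 s time slot.
        msg = f"{key[0]}:{key[1]}:{slot}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, src_ip, src_port, now):
        """First handshake step. Returns the ISN sent in the SYN-ACK, or None if dropped."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            return self._cookie(key, int(now // 64))  # nothing stored, nothing to exhaust
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None
        self.half_open[key] = now + self.timeout
        return 1000  # arbitrary ISN; its value is irrelevant in stateful mode

    def on_ack(self, src_ip, src_port, ack_num, now):
        """Third handshake step: the client acknowledges ISN + 1."""
        key = (src_ip, src_port)
        if self.syn_cookies:
            slot = int(now // 64)
            valid = {self._cookie(key, slot) + 1, self._cookie(key, slot - 1) + 1}
            if ack_num in valid:
                self.established.add(key)
                return True
            return False
        if key in self.half_open:
            del self.half_open[key]
            self.established.add(key)
            return True
        return False


def min_sustained_rate(backlog, syn_recv_timeout):
    """Spoofed SYNs per second needed to keep the backlog full indefinitely."""
    return backlog / syn_recv_timeout


def flood_then_connect(backlog, timeout, syn_rate, duration, syn_cookies=False):
    """Spoofed SYNs (never acknowledged) at syn_rate/s for `duration` seconds,
    then one legitimate client completes the handshake. Returns (connected, dropped)."""
    srv = Listener(backlog, timeout, syn_cookies)
    now = 0.0
    for i in range(int(syn_rate * duration)):
        now = i / syn_rate
        spoofed_ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"  # constructed, unique
        srv.on_syn(spoofed_ip, 40000 + (i % 20000), now)
    isn = srv.on_syn("192.0.2.10", 51515, now)      # legitimate client (documentation range)
    connected = isn is not None and srv.on_ack("192.0.2.10", 51515, isn + 1, now)
    return connected, srv.dropped_syns


if __name__ == "__main__":
    print("rate needed to keep backlog full:", round(min_sustained_rate(128, 60.0), 2), "SYN/s")
    print("1 SYN/s, no cookies :", flood_then_connect(128, 60.0, 1, 120))
    print("5 SYN/s, no cookies :", flood_then_connect(128, 60.0, 5, 120))
    print("5 SYN/s, SYN cookies:", flood_then_connect(128, 60.0, 5, 120, syn_cookies=True))
```

Run directly, the three scenarios show one spoofed SYN per second leaving room for the legitimate client, five per second keeping the 128-entry table permanently full so the client is refused, and five per second against a cookie-enabled listener dropping nothing at all.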
A well-known example of this type of attack occurred in February 2000. Several high-profile Web sites were brought to their knees by a flood of traffic coming from hundreds of different computers simultaneously. The Web sites would have had no problem handling an attack from one source; however, through the use of remote control programs, one or more hackers launched a concerted attack using hundreds of computers, thus quickly overloading their targets.
One variation of the flooding DoS attack is called a smurf attack. Imagine a company with 50 employees available to respond to customer questions by email. Each employee has an auto responder that automatically sends a courtesy reply when a question is received. What would happen if an angry customer mailed 100 emails copied to each of the 50 employees using a fake return email address? The 100 incoming emails would suddenly become 5,000 outgoing emails, all going to one mailbox. Whoever owned the fake return address would be overwhelmed with all that mail! And she would have to search through all of it to make sure she didn't miss an important email from her boss or friend. This is similar to how a smurf attack works. The attacker sends ICMP echo requests (pings) to a network's broadcast address with the victim's address forged as the source, so every computer on that network sends its reply to the victim. Special programs and other techniques amplify this until a flood of information is headed toward one unfortunate computer.
Because of the rules of TCP/IP, a computer ignores all packets that are not expressly addressed to it. One exception to this is if a computer has a network card running in promiscuous mode, as demonstrated by the sniffer example. Another exception to this is broadcast packets.
What does your company do when it needs to get an important message out to everyone in the organization? If email is an option, it sends an internal "spam" message to everyone who has an email address. Otherwise, it might play an announcement over the loudspeaker, or post a bulletin near the coffee pot. These techniques ensure that most employees will receive the information. Similarly, in a computer network, there are times when a server needs to send information to every connected computer on the network. This is accomplished using the broadcast address .
Because of the way IP addresses are set up within a network, every subnet has one address that every computer on it will answer to. This address is known as the broadcast address, and is used to update name lists and carry out other housekeeping that computers need to keep the network up and running. Although the broadcast address is necessary in some cases, it can lead to what is known as a broadcast storm.
A broadcast storm is like an echo that never dies. More specifically, it is like an echo that crescendos until you cannot hear anything over the pure noise. If a computer sends a request to a network using the broadcast address, with the broadcast address also as the return address, every computer will respond to every other computer's response; this continues in a snowball effect until the network is so full of echoes that nothing else can get through.
Now that you understand how a broadcast works, imagine what would happen if a hacker sent 1,000 broadcast packets into a network with a spoofed return IP address. Every host on that network answers each one, so a network with a few dozen to a few hundred responding hosts amplifies the original packets into tens or hundreds of thousands of packets, all directed at one computer.
In this case, unlike the SYN attack, nothing is left half-open: the victim simply receives a flood of echo replies it never asked for. The sheer volume of packets saturates its network link and keeps its processor busy discarding them, thus rendering the server useless.
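An added example (not part of the original text) that turns the broadcast-address discussion above into a check a network administrator can run over packet records: it derives the broadcast address of a subnet with Python's ipaddress module and flags ICMP echo requests aimed at that address. The networks and packet records are constructed for the demo. Note that the claimed source of such a request is the victim, not the sender, and that the number of usable hosts on the network bounds how many replies each request can produce.

```python
"""Find smurf amplifier traffic: ICMP echo requests aimed at a subnet's broadcast
address. Added example; the networks and packet records are constructed."""
import ipaddress
from collections import defaultdict

# Networks whose broadcast addresses we are responsible for (constructed).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("10.0.0.0/16")]


def broadcast_address(interface_cidr):
    """The one address every host on the subnet answers to, e.g. 192.168.1.10/24 -> 192.168.1.255."""
    return str(ipaddress.ip_interface(interface_cidr).network.broadcast_address)


# Constructed packet records: (src, dst, proto, icmp_type). ICMP type 8 = echo request, 0 = echo reply.
PACKETS = [
    ("192.168.1.7", "192.168.1.20", "icmp", 8),      # ordinary ping inside the LAN
    ("203.0.113.5", "192.168.1.255", "icmp", 8),     # echo request to the broadcast, from outside
    ("203.0.113.5", "192.168.1.255", "icmp", 8),
    ("203.0.113.5", "192.168.1.255", "icmp", 8),
    ("192.168.1.20", "203.0.113.5", "icmp", 0),      # one of the resulting replies heading to the victim
    ("198.51.100.9", "192.168.1.80", "tcp", None),   # unrelated traffic
    ("203.0.113.5", "10.0.255.255", "icmp", 8),      # same claimed source, second amplifier network
]


def smurf_candidates(packets, nets):
    """Group echo requests sent to a broadcast address by their claimed (spoofed) source.
    That source is the victim; every usable host on the network may answer, which
    bounds the amplification. from_outside marks requests that entered from beyond
    our own networks, which a border router should never have forwarded."""
    hits = defaultdict(lambda: {"requests": 0, "max_replies": 0,
                                "amplifiers": set(), "from_outside": False})
    for src, dst, proto, icmp_type in packets:
        if proto != "icmp" or icmp_type != 8:
            continue
        dst_addr = ipaddress.ip_address(dst)
        for net in nets:
            if dst_addr == net.broadcast_address:
                entry = hits[src]
                entry["requests"] += 1
                entry["max_replies"] += net.num_addresses - 2   # network and broadcast excluded
                entry["amplifiers"].add(str(net))
                entry["from_outside"] |= not any(ipaddress.ip_address(src) in n for n in nets)
    return {victim: {**e, "amplifiers": sorted(e["amplifiers"])} for victim, e in hits.items()}


if __name__ == "__main__":
    print("broadcast for 192.168.1.10/24:", broadcast_address("192.168.1.10/24"))
    for victim, e in smurf_candidates(PACKETS, LOCAL_NETS).items():
        print(f"victim {victim}: {e['requests']} requests via {e['amplifiers']}, "
              f"up to {e['max_replies']} replies, from outside: {e['from_outside']}")
```

The defensive side follows directly from the check: a border router should not forward packets addressed to an internal subnet's broadcast address, and hosts can be configured to ignore echo requests sent to a broadcast address, which together remove the amplifier.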
These types of attacks not only quickly and effectively shut down a server, but they also keep the hacker hidden. Because of the nature of the attack, the original packets sent by the hacker are very hard to trace. In the case of a SYN attack, the source address is spoofed, so the origin of the packet remains unknown. In the case of a smurf attack, the hacker does not directly attack the target, but instead uses the side effect of sending broadcast signals into a network to do the job indirectly. Therefore, the attack appears to have come from another computer or network.
Another type of DoS attack is directed against the software running on the target computer. By common estimates, software has on the order of one bug per 1,000 lines of code, and because programs can run to millions of lines, the number of bugs can run into the thousands. If an attacker knows how to exploit a specific bug, she can shut down the target computer. For example, one well-known shopping cart program was found to have a weakness that caused the processor load on the server to spike to 100%, thus preventing any other programs from running. Sending one HTTP request in the correct format could melt the target server.
This type of attack is analogous to unscrewing the cap on a salt shaker. Used normally, the salt shaker works fine, and will never give you a pile of salt for your effort. However, if someone who understands the internals of a shaker were to secretly unscrew the cap, the shaker would flood you with bitter salt.
This type of DoS attack is usually triggered through a buffer overflow. As previously discussed, the overflow fills a fixed-size chunk of memory and spills into the memory beyond it, overwriting another variable's data or the program's own bookkeeping. When the program next uses the corrupted data, it crashes. If the vulnerable code is part of the operating system or a device driver, the whole machine goes down with it; an overflow in an ordinary network service usually kills only that service, which is still a denial of service until someone restarts it.
DoS attacks are a common threat not only for large corporations, but also for small businesses and home users. There are countless pre-made programs that can give anyone the power to flood a target. A simple click of the mouse can send hundreds of SYN packets hurtling directly at a victim. If you suspect a DoS attack, you can use the netstat tool to determine whether an attack is occurring; this procedure is detailed in Chapter 9, "Auditing Tools." Using this tool, an attack is readily apparent. Table 6.1 shows the netstat results of a SYN attack. The State column, showing many connections stuck waiting for the final ACK (SYN_RECEIVED on Windows, SYN_RECV on Linux) from many different foreign addresses, clearly indicates that a SYN attack is currently underway.
Table 6.1. netstat Results of a SYN Attack
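Since the table itself is not reproduced here, the following added example (not from the original text) shows the same check in code: it parses netstat -an output in the Linux and Windows layouts and counts connections stuck in SYN_RECV or SYN_RECEIVED per local socket, along with how many distinct foreign addresses they claim. The sample output is constructed; its sixty half-open entries from never-repeating sources are the signature described above.

```python
"""Detect a SYN flood in netstat output by counting half-open connections.
Added example: the netstat text below is constructed, not a real capture."""
import sys
from collections import defaultdict

# Half-open states: Linux prints SYN_RECV, Windows prints SYN_RECEIVED.
HALF_OPEN = {"SYN_RECV", "SYN_RECEIVED"}

# Constructed `netstat -an` excerpt in the Linux column layout.
NORMAL_LINES = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.23:51514     ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.40:60122     ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.77:49211     TIME_WAIT
"""


def constructed_flood(count=60, port=80):
    """Half-open entries whose foreign addresses never repeat (spoofed sources)."""
    lines = []
    for i in range(count):
        foreign = f"10.{(i >> 8) & 255}.{i & 255}.{(i * 37) % 254 + 1}:{40000 + i}"
        lines.append(f"tcp        0      0 192.0.2.10:{port:<15}{foreign:<24}SYN_RECV")
    return "\n".join(lines) + "\n"


SAMPLE_OUTPUT = NORMAL_LINES + constructed_flood()


def parse_netstat(text):
    """Return (local, foreign, state) for each TCP line; headers are skipped.
    Handles the 6-column Linux layout and the 4-column Windows layout."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].lower().startswith("tcp"):
            continue
        if len(parts) >= 6:
            local, foreign, state = parts[3], parts[4], parts[5]
        elif len(parts) == 4:
            local, foreign, state = parts[1], parts[2], parts[3]
        else:
            continue
        rows.append((local, foreign, state))
    return rows


def syn_flood_report(rows, threshold=50):
    """Per local socket: half-open and established counts, distinct half-open
    foreign hosts, and whether the half-open count crosses the threshold."""
    stats = defaultdict(lambda: {"syn_recv": 0, "established": 0, "sources": set()})
    for local, foreign, state in rows:
        entry = stats[local]
        if state in HALF_OPEN:
            entry["syn_recv"] += 1
            entry["sources"].add(foreign.rsplit(":", 1)[0])   # strip the port
        elif state == "ESTABLISHED":
            entry["established"] += 1
    return {
        local: {
            "syn_recv": e["syn_recv"],
            "established": e["established"],
            "distinct_sources": len(e["sources"]),
            "flagged": e["syn_recv"] >= threshold,
        }
        for local, e in stats.items()
    }


if __name__ == "__main__":
    # `netstat -an | python3 synflood_check.py` on a live system; the sample is used when run alone.
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for local, e in syn_flood_report(parse_netstat(text)).items():
        if e["flagged"]:
            print(f"{local}: {e['syn_recv']} half-open from {e['distinct_sources']} sources, "
                  f"{e['established']} established -- likely SYN flood")
```

A high half-open count alone can also mean a saturated but legitimate server; the ratio of half-open to established connections, and half-open entries spread across many unrelated source addresses, are what distinguish a flood from a busy day.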
As you can see, DoS attacks are not complicated. As a result of the ease with which a hacker can find pre-made attack programs, these attacks are also very common. At this point, you might be asking, "How can I prevent a DoS attack?" Unfortunately, they can be mitigated, but not entirely prevented.
Because these attacks abuse the fundamental way that computers set up communication with each other, the abuse cannot be eliminated without redesigning the protocols themselves. It can, however, be contained. A server under SYN flood can shorten its half-open timeout, enlarge its pending-connection table, or use SYN cookies, which let it hold no state for a connection until the third packet of the handshake arrives. Routers can be configured not to forward packets addressed to a subnet's broadcast address, which removes the amplifier a smurf attack depends on, and to drop packets whose source address could not legitimately have arrived on that interface, which limits spoofing. Beyond that, the remaining option is to block or rate-limit all traffic coming from specific parts of the Internet. However, as we discussed, hackers often use many slave computers from diverse locations, so a Web site would have to disable access to a whole community of legitimate users to stop an attack this way.
Other types of DoS attacks work indirectly. These attacks usually do not involve the server; instead, they target the client, which is fooled about where it goes when told to retrieve information. For example, if you think your computer is going to http://www.yahoo.com, but it is instead going to a hacker's site made to look like Yahoo!, you might be inadvertently supplying the hacker with passwords and other personal information. See Figure 6.5.
Figure 6.5. An example of the Domain Name Service protocol.
Normally, a client computer queries a DNS server when a domain name or Web site address needs to be converted into an IP address. This is because the client needs the IP address to locate the Web server or email server that uses the domain name. Figure 6.6 shows that this is done in three steps.
Figure 6.6. Anatomy of a DNS spoof.
However, this process can be easily abused to send unsuspecting users to false Web sites, or to route outgoing email through an unauthorized computer (see Figure 6.6). This is accomplished by writing the wrong IP address into the DNS server's database. When this happens, it is almost impossible for the client to realize there is a problem; it comes to light only if the DNS server entries are specifically checked, or if the hacker's server goes down.
When a DNS server entry is hacked, only outgoing email is sent to the spoofed location, unless the email server uses the same compromised DNS server as the client, in which case all incoming and outgoing email is routed through the unauthorized computer. For our example, we will assume that the email server is using a secure DNS server for its domain lookups.
In the case where the DNS server is hacked:
This scenario could provide a hacker with some valuable information. For example, if Client B is a doctor or lawyer, the hacker would have access to sensitive information. If Client B is working on a top-secret project, the hacker could sell the information to a rival company. Or, if the client is an online Web store, the hacker could capture every confirmation email with customers' addresses and/or credit card numbers.
As you can see, there is a vast potential for damage from a DNS spoof. Whether a hacker wants to turn a Web site invisible or to capture email, the hacker is denying service to those who are using the hacked DNS server. Fortunately, however, there is a solution for this problem.
DNS servers can be made secure. However, it is estimated that some 50-75% of all DNS servers are not. This is a known problem, so if you are concerned that your DNS server may not be secure, contact your ISP and ask what software they run and whether it is protected against spoofing (current resolver software randomizes its source ports and transaction IDs, and can validate DNSSEC signatures). Hopefully, they will know what you are talking about and give you an affirmative answer.
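To show what "checked" and "secure" mean at the protocol level, here is an added example (not from the original text): a minimal builder and parser for DNS messages in Python, with the checks a resolver should make before accepting a reply. Names, transaction IDs and addresses are constructed from documentation ranges, and only A records without CNAME chains are handled. A reply is trusted on the strength of a 16-bit transaction ID and a matching question section, so an attacker who guesses the ID can plant a wrong address in a cache without ever touching the server's database; that is the spoofing variant these checks catch. A wrong entry in a compromised server passes them, and only comparing the answers against the authoritative zone, or validating DNSSEC signatures, catches that.

```python
"""Minimal DNS wire-format builder/parser and the sanity checks a resolver makes
before trusting a reply. Added example; names, IDs and addresses are constructed
(documentation ranges), and only A records without CNAME chains are handled."""
import struct


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name with trailing dot, next offset)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels) + ".", off + 1
        if length & 0xC0 == 0xC0:                          # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail.rstrip("."))
            return ".".join(labels) + ".", off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_query(txid, qname):
    """Standard recursive query for an A record (flags: RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(txid, qname, answers, ttl=300):
    """Response with A records; answers is a list of (owner name, dotted IPv4)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", 1, 1)
    for owner, ip in answers:
        rdata = bytes(int(octet) for octet in ip.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + body


def parse_response(msg):
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qdcount):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def validate_response(query_id, qname, msg):
    """Accept a reply only if it matches the outstanding query and answers nothing else.
    Returns (accepted, reason, addresses)."""
    qname = qname.rstrip(".") + "."
    r = parse_response(msg)
    if r["id"] != query_id:
        return False, "transaction id mismatch", []
    if not r["flags"] & 0x8000:
        return False, "QR bit clear: not a response", []
    if r["questions"] != [(qname, 1, 1)]:
        return False, "question section differs from query", []
    addresses = []
    for owner, rtype, _ttl, rdata in r["answers"]:
        if owner != qname:                                 # out-of-bailiwick record: a poisoning attempt
            return False, f"answer for unrelated name: {owner}", []
        if rtype == 1:
            addresses.append(rdata)
    return True, "ok", addresses


if __name__ == "__main__":
    txid, name = 0x1234, "www.example.com."
    good = build_response(txid, name, [(name, "192.0.2.1")])
    forged_id = build_response(0x1235, name, [(name, "198.51.100.7")])
    poison = build_response(txid, name, [(name, "192.0.2.1"), ("mail.example.com.", "198.51.100.7")])
    for label, reply in (("genuine", good), ("wrong id", forged_id), ("extra record", poison)):
        print(label, "->", validate_response(txid, name, reply))
```

The two rejected replies in the demo correspond to the two things an attacker must get right to spoof a response blind: the transaction ID, and staying within the name that was asked about. Randomizing the source port as well as the ID is what makes the guess impractical on a modern resolver.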