Hacker Tools: Common Network Attacks
Network attacks that are directed by a hacker are called directed attacks. For example, a hacker sending a WinNuke packet (generated by the WinNuke utility, discussed later in this chapter) to a specific machine is considered a directed attack. Viruses are traditionally not directed attacks; the virus is unknowingly copied from user to user. Viruses are some of the most prevalent attacks used on the Internet. In this section, we'll discuss some of the techniques that hackers commonly use to attack a network.
IP Spoofing
IP spoofing is the process of sending packets with a fake source address, pretending that the packet is coming from within the network that the hacker is trying to attack. The address can be considered stolen from the hacker’s target network. A router (even a packet-filtering router) is going to treat this packet as coming from within the network and will let it pass; however, a firewall can prevent this type of packet from passing into the secured network.
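The defence the paragraph alludes to is a firewall that checks whether a packet's source address makes sense for the interface it arrived on (a packet claiming an inside address should never arrive from the Internet, and a packet leaving the LAN should never carry an outside address). The following is an added example, not code from the original text; the internal prefixes, interface names and sample packets are all constructed for illustration.

```python
import ipaddress

# Constructed example: address space this firewall treats as "inside".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr):
    """True if addr falls inside one of the internal prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(interface, src):
    """Decide whether a packet's source address is plausible for the
    interface it arrived on.  interface is 'outside' (Internet-facing)
    or 'inside' (LAN-facing).  Returns (verdict, reason)."""
    ip = ipaddress.ip_address(src)
    # Addresses that should never appear as a source on the wire.
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return "DROP", "invalid source address"
    if interface == "outside" and is_internal(src):
        # The spoof described above: an "inside" address knocking on the outside door.
        return "DROP", "internal source address arriving from the Internet"
    if interface == "inside" and not is_internal(src):
        # Egress check: stops our own hosts from spoofing other networks.
        return "DROP", "external source address leaving the LAN"
    return "ACCEPT", "source consistent with arrival interface"


# Constructed packets: (arrival interface, source address).
SAMPLE_PACKETS = [
    ("outside", "203.0.113.7"),   # ordinary Internet host
    ("outside", "10.0.0.5"),      # spoofed: claims to be inside
    ("outside", "127.0.0.1"),     # bogus loopback source
    ("inside", "192.168.1.20"),   # ordinary LAN host
    ("inside", "198.51.100.9"),   # spoofed by a LAN host
]


def run_filter(packets=SAMPLE_PACKETS):
    """Apply the filter to each packet; returns a list of verdict strings."""
    return [filter_packet(iface, src)[0] for iface, src in packets]


if __name__ == "__main__":
    for (iface, src), verdict in zip(SAMPLE_PACKETS, run_filter()):
        print(f"{iface:8} {src:15} -> {verdict}")
```

The check works only because the firewall knows which addresses belong to each side; a plain router forwarding on destination address alone has no reason to look at the source, which is why the text says it lets the spoofed packet through.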
The Ping of Death
The Ping of Death is a type of denial of service (DoS) attack. A DoS attack prevents any users, even legitimate ones, from using the system. Ping is primarily used to see if a computer is responding to IP requests. Normally, when you ping a remote host, four normal-sized ICMP (Internet Control Message Protocol) packets are sent to the remote host to see if it is available. In a Ping of Death attack, a very large ICMP packet is sent to the remote host, whose buffer is flooded by this packet. Typically, this causes a system to reboot or hang. Patches to prevent a Ping of Death attack from working are available for most operating systems.
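An IP datagram cannot be longer than 65,535 bytes (the total-length field is 16 bits), so a "very large" ping reaches the target as a series of fragments whose reassembled size exceeds that limit. A stack that checks each fragment's end position before allocating a reassembly buffer never builds the oversized packet. The following is an added example, not from the original text; the fragment records and the assumed 20-byte IP header without options are constructed for illustration.

```python
MAX_IP_DATAGRAM = 65535          # limit imposed by the 16-bit IP total-length field
IP_HEADER_LEN = 20               # assumes a minimal IP header with no options
MAX_PAYLOAD = MAX_IP_DATAGRAM - IP_HEADER_LEN   # 65515 bytes of payload at most


def fragment_end(offset_units, payload_len):
    """Byte position just past this fragment in the reassembled datagram.
    The IP fragment-offset field counts 8-byte units."""
    return offset_units * 8 + payload_len


def check_fragments(fragments):
    """Inspect a stream of fragments before reassembling them.

    fragments: list of dicts with keys src, ident, offset (8-byte units)
    and payload_len.  Returns {(src, ident): (largest_end, verdict)}.
    A datagram is rejected as soon as any fragment would push its
    reassembled payload past MAX_PAYLOAD, so no oversized buffer is built.
    """
    results = {}
    for f in fragments:
        key = (f["src"], f["ident"])
        end = fragment_end(f["offset"], f["payload_len"])
        largest, verdict = results.get(key, (0, "ACCEPT"))
        largest = max(largest, end)
        if end > MAX_PAYLOAD:
            verdict = "DROP"
        results[key] = (largest, verdict)
    return results


# Constructed fragments.  An Ethernet MTU of 1500 leaves 1480 bytes of IP
# payload per fragment, so offsets advance in steps of 185 units (185 * 8 = 1480).
NORMAL_PING = [
    {"src": "192.168.1.10", "ident": 1, "offset": 0,   "payload_len": 1480},
    {"src": "192.168.1.10", "ident": 1, "offset": 185, "payload_len": 1480},
    {"src": "192.168.1.10", "ident": 1, "offset": 370, "payload_len": 520},
]
# Last fragment of an oversized ping: offset 8185 * 8 = 65480 bytes,
# plus 1480 bytes of payload = 66960 bytes, beyond the 65515-byte limit.
OVERSIZED_PING = [
    {"src": "203.0.113.5", "ident": 7, "offset": 0,    "payload_len": 1480},
    {"src": "203.0.113.5", "ident": 7, "offset": 8185, "payload_len": 1480},
]


if __name__ == "__main__":
    for key, (size, verdict) in check_fragments(NORMAL_PING + OVERSIZED_PING).items():
        print(f"{key}: reassembled payload up to {size} bytes -> {verdict}")
```

The operating-system patches the paragraph mentions amount to exactly this bounds check being added to the reassembly code.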
WinNuke
WinNuke is a Windows program that sends special TCP/IP packets with an invalid TCP header. Windows 95/98 and Windows NT/2000 computers will crash when they receive one of these packets because of the way the Windows 95/98 or Windows NT/2000 TCP/IP stack handles bad data in the TCP header. Instead of returning an error code or rejecting the bad data (Microsoft calls it out-of-band data), it sends the computer to the Blue Screen of Death (BSoD). Figuratively speaking, the hacker causes the computer to blow up, or to be nuked. This type of attack does not affect Unix boxes and NetWare servers.
Tip: There is a patch to solve this particular problem, making machines invulnerable to WinNuke attacks. You can obtain it by going to Microsoft's support website at http://support.microsoft.com/servicedesks/technet/ and searching for WinNuke.
SYN Flood
A SYN flood is also a denial of service attack because it can barrage the receiving machine with dozens of meaningless packets. In normal communications, a workstation that wants to open a TCP/IP communication with a server sends a TCP/IP packet with the SYN flag set to 1. The server automatically responds to the request, indicating that it is ready to start communicating. Only new communications use SYN flags. If you are in the middle of a file download, SYNs are not used. A new SYN packet is used only if you lose your connection and must reestablish communications.
To initiate a SYN flood, a hacker sends a barrage of SYN packets. The receiving station normally can’t help itself and tries to respond to each SYN request for a connection. The receiving device soon expends its resources trying to reply, and all incoming connections are rejected until all current connections can be answered. The victim machine cannot respond to any other requests because its buffers are overfilled, and it therefore rejects all packets, including valid requests for connections. Patches that can help with this problem are available for the various network operating systems.
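In the normal handshake the client's SYN is answered by the server's SYN-ACK, and the client's ACK completes the connection; a flood consists of SYNs whose ACK never arrives, so the tell-tale sign is a growing pile of half-open connections on one service. The following is an added example, not code from the original text, that replays a constructed packet list and raises an alert when a service's half-open backlog reaches a threshold; the addresses, ports and threshold are assumptions for illustration.

```python
from collections import defaultdict


def track_half_open(packets, threshold=5):
    """Replay client-side packets and watch for SYNs that never complete.

    packets: dicts with keys t, src, sport, dst, dport, flags, where flags is
    'SYN', 'SYN-ACK', 'ACK', 'FIN' or 'RST'.  A client SYN opens a half-open
    entry; the client's ACK (third step of the handshake) or RST closes it.
    Returns (half_open_per_service, alerts): counts keyed by (dst, dport),
    and a list of (time, dst, dport, count) raised the first time a
    service's half-open backlog reaches `threshold`.
    """
    pending = {}          # (src, sport, dst, dport) -> time of the SYN
    alerted = set()
    alerts = []
    for p in packets:
        key = (p["src"], p["sport"], p["dst"], p["dport"])
        if p["flags"] == "SYN":
            pending[key] = p["t"]
        elif p["flags"] in ("ACK", "RST"):
            pending.pop(key, None)            # handshake completed or aborted
        # SYN-ACK is the server's reply; the connection stays half-open.
        counts = defaultdict(int)
        for (_, _, dst, dport) in pending:
            counts[(dst, dport)] += 1
        for svc, n in counts.items():
            if n >= threshold and svc not in alerted:
                alerted.add(svc)
                alerts.append((p["t"], svc[0], svc[1], n))
    final = defaultdict(int)
    for (_, _, dst, dport) in pending:
        final[(dst, dport)] += 1
    return dict(final), alerts


def pkt(t, src, sport, dst, dport, flags):
    """Helper to build a constructed packet record; t is in milliseconds."""
    return {"t": t, "src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


SERVER = "10.0.0.80"   # constructed web server address
# A legitimate client completing the three-way handshake ...
SAMPLE_PACKETS = [
    pkt(0, "192.168.1.20", 40001, SERVER, 80, "SYN"),
    pkt(10, SERVER, 80, "192.168.1.20", 40001, "SYN-ACK"),
    pkt(20, "192.168.1.20", 40001, SERVER, 80, "ACK"),
]
# ... followed by six SYNs from different (spoofed) sources that never ACK.
SAMPLE_PACKETS += [
    pkt(1000 + i * 10, f"198.51.100.{i + 1}", 50000 + i, SERVER, 80, "SYN")
    for i in range(6)
]


if __name__ == "__main__":
    backlog, alerts = track_half_open(SAMPLE_PACKETS)
    print("half-open per service:", backlog)
    for t, dst, dport, n in alerts:
        print(f"t={t}ms  {dst}:{dport} has {n} half-open connections")
```

A real stack keeps a fixed-size backlog per listening socket, which is the "buffer" the paragraph says gets overfilled; counting entries that sit in the half-open state is the same observation made from the outside.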