Showing posts with label Network Hacking. Show all posts

Thursday, September 8, 2011

Bypassing Firewalls

Although firewalls are meant to provide complete protection from port-scan probes and the like, several popular firewall products contain holes just waiting to be exploited. This section focuses on a hole in ZoneAlarm, Versions 2.1.10 to 2.0.26, that allows attackers to port-scan the target system. Specifically, if your system uses port 67 as the source port of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify you. That means an attacker can TCP or UDP port-scan a ZoneAlarm-protected computer as if there were no firewall, if he or she uses port 67 as the source port on the packets.

For example, in the case of a UDP scan, an attacker can use nmap to port-scan the host with the following command line (notice -g67, which specifies the source port):

nmap -g67 -P0 -p130-140 -sU 192.168.128.88

Likewise, for a TCP scan, an attacker can use nmap to port-scan the host with the following command line (again, notice -g67, specifying the source port):

nmap -g67 -P0 -p130-140 -sS 192.168.128.88

After you have installed a firewall on your system, you may get a number of warnings, seemingly indicating that someone is trying to break into your system. In most cases, however, they are in fact bogus messages that are caused either by your OS or by the process of allocating dynamic IPs. For example, when you dial in to your ISP, you may receive a message that a certain IP is probing a particular port on your system. This is because someone disconnected from your ISP just before you dialed in and you were assigned that person's IP address. What you are seeing are the remains of the ISP's communication with the previous user. This is most common when the person to whom the IP was previously assigned was using ICQ or a chat program, was connected to a game server, or had simply turned off his modem before his communication with remote servers was complete. Another common message is that a certain IP is trying to initiate a NetBIOS session on a particular port on your system (in fact, NetBIOS requests to UDP port 137 are among the most common items you'll see in your firewall reject logs). This stems from a feature in Windows: when a program resolves an IP address to a name, it may send a NetBIOS query to that IP address. This process is just part of the background radiation of the Internet and is nothing to be concerned about.
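Because the firewall described above logs nothing for these packets, detection has to come from a packet capture or an upstream sensor. The following is an added example, not code from the original post: it flags sources that use port 67 against many ports on one host while letting genuine DHCP server replies (UDP 67 to 68) pass, and the capture-summary lines it reads are constructed.

```python
# Added example (not from the original post): flag port sweeps that use
# source port 67 (the BOOTP/DHCP server port) against many ports on one
# host, as the nmap -g67 scans above would produce. The input lines are a
# constructed packet-capture summary, since the post's point is that the
# firewall itself records nothing for these packets.
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample: one DHCP offer (legitimate use of source port 67)
# followed by a -g67 sweep of ports 130-140 from another host.
SAMPLE = [
    "UDP 192.168.128.1:67 -> 192.168.128.88:68",
] + [f"UDP 10.9.8.7:67 -> 192.168.128.88:{p}" for p in range(130, 141)]


def is_dhcp_server_reply(rec):
    """A real DHCP server reply is UDP 67 -> 68; anything else from 67 is suspect."""
    return rec["proto"] == "UDP" and rec["dport"] == 68


def find_port67_sweeps(lines, min_ports=5):
    """Return {(src, dst): sorted destination ports} for sources that used
    source port 67 against at least min_ports distinct non-DHCP ports."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not parse
        rec = m.groupdict()
        rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
        if rec["sport"] != 67 or is_dhcp_server_reply(rec):
            continue
        hits[(rec["src"], rec["dst"])].add(rec["dport"])
    return {k: sorted(v) for k, v in hits.items() if len(v) >= min_ports}


if __name__ == "__main__":
    for (src, dst), ports in find_port67_sweeps(SAMPLE).items():
        print(f"source-port-67 sweep: {src} -> {dst} ports {ports[0]}-{ports[-1]}")
```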



(By Dushyant Pandya)





Monday, August 15, 2011

What are TCP Wrappers?

TCP wrappers enable you to define a set of rules, called access control rules, that define which systems are allowed to access and use the services running on the local machine (that is, the machine on which the TCP wrappers are installed and configured) and which systems are denied access to these services. In addition, TCP wrappers enable you to log which client is using which service at what time, and even for what purpose. The best thing about TCP wrappers, however, is that they can be used to set booby traps for script kiddies. Before you can understand how TCP wrappers work, however, you must understand how Linux machines respond to connection requests.

All requests for connections received by a Linux box are transferred to the Internet daemon, or the inetd. The inetd is the main daemon on a Linux machine, and it receives all connection requests on behalf of all services or daemons running on all port numbers on that machine.

When the inetd receives a connection request, it uses two configuration files to determine what to do next:

  • /etc/services. This file contains the names of the various services on the Linux box and the corresponding port numbers on which these services run. It is used by the inetd to figure out what service runs on what port number.
  • /etc/inetd.conf. This file contains the names of the various services on the Linux box and the corresponding daemons or programs providing those services. It is used by inetd to figure out which program or daemon to call on when there is a request for a connection to a particular service.


Both these files work together and are interlinked.

To see how the inetd uses these two files to allow remote connections to take place, let's use an example. Suppose a client, X, wants to connect to a server, Y. Here's what happens:

  1. X sends Y a packet containing the port number to which it wants to connect (in this case, 23, the telnet port) and the other information required to initiate a TCP connection.
  2. In response, the inetd at Y searches the /etc/services file for the name of the service running on port 23 (telnet). inetd then consults the /etc/inetd.conf file for the name of the daemon or program that runs the telnet service (in this case, in.telnetd).
  3. Finally, inetd runs in.telnetd, concluding its role in that particular connection, and goes back to listening for other connection requests.
This demonstrates that a remote system does not start out by communicating directly with the various daemons, but instead communicates at first only with the inetd.

How, then, can you restrict certain clients from accessing your system while allowing others in? This is where TCP wrappers come in. A TCP wrapper acts as a daemon that resides between a Linux system's inetd and the other programs or daemons on that system, such as in.ftpd, in.telnetd, and so on. Instead of calling programs on the system directly, as in step 3 of the preceding numbered list, inetd calls the TCP wrapper. The wrapper collects the source IP from the packet and accordingly allows or denies the connection, depending on the rules defined for the TCP wrapper. Irrespective of whether the connection is allowed or denied, the wrapper logs the connection request.
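The decision the wrapper makes in the last step, modelled as an added example that is not code from the original post or from the real tcpd. Rules use the "daemon_list : client_list" form of the real /etc/hosts.allow and /etc/hosts.deny files, and the rule sets, client addresses and daemon names below are constructed for the demonstration.

```python
# Added example (not from the original post): a small model of the decision
# a TCP wrapper makes before handing a connection to the real daemon. The
# rule format and ordering follow tcpd (hosts.allow first, then hosts.deny,
# otherwise allow); the rule sets and connection attempts are constructed.
from datetime import datetime


def _match_client(pattern, client_ip):
    """ALL, an exact IP, or a trailing-dot network prefix such as 192.168.1."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def _rule_matches(rule, daemon, client_ip):
    """A rule applies when both its daemon list and its client list match."""
    daemons, clients = (part.strip() for part in rule.split(":", 1))
    return (any(d.strip() in ("ALL", daemon) for d in daemons.split(","))
            and any(_match_client(c.strip(), client_ip) for c in clients.split(",")))


def wrapper_decision(daemon, client_ip, allow_rules, deny_rules, log):
    """Return "allow" or "deny" and log the attempt either way, as the post
    describes. A client matched by neither file is allowed."""
    if any(_rule_matches(r, daemon, client_ip) for r in allow_rules):
        verdict = "allow"
    elif any(_rule_matches(r, daemon, client_ip) for r in deny_rules):
        verdict = "deny"
    else:
        verdict = "allow"
    log.append(f"{datetime.now():%H:%M:%S} {daemon} from {client_ip}: {verdict}")
    return verdict


# Constructed rule sets: only the LAN may use telnet and ftp, sshd is open to
# everyone, one host is banned, and a catch-all deny refuses the rest. Note
# that the allow file wins: 10.0.0.13 still reaches sshd despite the ban.
HOSTS_ALLOW = ["in.telnetd, in.ftpd : 192.168.1.", "sshd : ALL"]
HOSTS_DENY = ["ALL : 10.0.0.13", "ALL : ALL"]

if __name__ == "__main__":
    events = []
    for daemon, ip in [("in.telnetd", "192.168.1.20"), ("in.ftpd", "203.0.113.5"),
                       ("sshd", "10.0.0.13"), ("in.telnetd", "10.0.0.13")]:
        wrapper_decision(daemon, ip, HOSTS_ALLOW, HOSTS_DENY, events)
    print("\n".join(events))
```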















Sunday, May 29, 2011

Distributed DOS Attacks

DOS attacks are not new; in fact, they have been around for a long time. However, there has been a recent wave of Distributed Denial of Service attacks, which pose a great threat to security and are on the verge of overtaking viruses/Trojans to become the deadliest threat to Internet security.

In a distributed DOS attack, a group of, say, five hackers join forces and decide to bring a Fortune 500 company's server down. Each one of them breaks into a smaller, less-protected network and takes control. They now have five networks, and supposing there are around 20 systems in each network, that gives these hackers around 100 systems in all to attack from. They connect to those networks, install a Denial of Service tool on the hacked systems, and use them to launch attacks on the Fortune 500 company. This makes the hackers harder to detect and helps them do what they wanted to do without getting caught. As they have full control over the smaller, less-protected networks, they can easily remove all traces before the authorities get there.

Friday, May 13, 2011

Land Attacks

A land attack is similar to a SYN attack, the only difference being that instead of including an invalid IP address, the SYN packets include the IP address of the target system itself. More specifically, the source IP address and port number are identical to the destination IP address and port number. As a result, an infinite loop is created within the target system, which ultimately hangs and crashes.

Countermeasure :- The easiest way to protect your system against land attacks is to install a firewall or filtering utility that filters out outgoing packets whose destination IP address is the same as the IP address of the local system.


-------------------------------------------------------------------------------------------------------
Next Post   ------>>>   Smurf Attacks
-------------------------------------------------------------------------------------------------------

Wednesday, May 11, 2011

SYN/ACK Packets

To gain a better understanding of SYN and ACK packets, read the following:
  • ACK. TCP/IP demands that both the source and destination systems transmit and receive acknowledgement messages to confirm the safe and proper transfer of data. These acknowledgement messages are known as ACK messages or ACK packets. For example, suppose there are two systems, A and B, and that A sends the first (X1) of a series of packets to B. A will not send the second packet in the series (X2) to B until B acknowledges that it received the first packet (ACK X1). If A does not receive an ACK message, then a time-out occurs, and A will resend the data to B.
  • SYN. A SYN packet is nothing but a normal TCP packet with the synchronize (SYN) flag switched on. This flag indicates that the sender wants to establish a three-way TCP/IP connection with the destination system.

Sunday, May 8, 2011

Ping of Death

The ping command makes use of the ICMP echo request and echo reply messages and is commonly used to determine whether a remote host is alive. In a Ping of Death attack, however, ping causes the remote system to hang, reboot, or crash. To do so, the attacker uses the ping command in conjunction with the -l argument (used to specify the size of the packet sent) to ping the target system with a data packet that exceeds the maximum bytes allowed by TCP/IP (65,536). For example, the following ping command creates a giant datagram that is 65,540 bytes in size (the output follows):

C:\windows>ping -l 65540 hostname
Pinging hostname [xx.yy.tt.pp] with 65,540 bytes of data:

Reply from 203.94.243.71: bytes = 65540 time = 134ms TTL = 61
Reply from 203.94.243.71: bytes = 65540 time = 134ms TTL = 61
Reply from 203.94.243.71: bytes = 65540 time = 134ms TTL = 61
Reply from 203.94.243.71: bytes = 65540 time = 134ms TTL = 61

Countermeasure :- Fortunately, nearly all systems these days are not vulnerable to the Ping of Death. Unless you are running an ancient system with an equally ancient operating system, you are almost sure to be protected from this type of DOS attack. To make sure that your software is patched, however, visit your vendor's Web site and check.
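Two header-level checks a packet filter can apply, covering both the land attack countermeasure above (source and destination address and port identical) and the Ping of Death (a fragment whose offset plus data would reassemble past the 65,535-byte IPv4 limit). This is an added example, not code from the original posts; the IPv4 builder, the addresses and the sample packets are constructed, and the oversize fragment reproduces the 65,540-byte ping above (65,540 bytes of data plus the 8-byte ICMP header leaves a final fragment of 20 bytes at offset 65,528).

```python
# Added example (not from the original posts): two sanity checks on raw
# IPv4 packets. is_land_packet() catches the land attack and
# exceeds_max_datagram() catches a Ping of Death fragment that would
# reassemble past the IPv4 size limit. All packets here are constructed.
import struct
import ipaddress

IPV4_MAX = 65535  # largest total length an IPv4 datagram may have
HDR_FMT = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header


def build_ipv4(src, dst, proto, payload, frag_offset=0, more_frags=False):
    """Constructed-packet helper: minimal IPv4 header (no options) + payload."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset // 8)
    hdr = struct.pack(HDR_FMT, 0x45, 0, 20 + len(payload), 0, flags_frag, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + payload


def parse_ipv4(pkt):
    """Pull out only the header fields the two checks need."""
    ver_ihl, _, total, _, flags_frag, _, proto, _, s, d = struct.unpack(HDR_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.ip_address(s)), "dst": str(ipaddress.ip_address(d)),
            "proto": proto, "ihl": ihl, "total_len": total,
            "frag_offset": (flags_frag & 0x1FFF) * 8, "payload": pkt[ihl:]}


def is_land_packet(pkt):
    """Land attack: src == dst address and, for TCP (6)/UDP (17), src port == dst port."""
    h = parse_ipv4(pkt)
    if h["src"] != h["dst"]:
        return False
    if h["proto"] in (6, 17) and len(h["payload"]) >= 4:
        sport, dport = struct.unpack("!HH", h["payload"][:4])
        return sport == dport
    return True  # same address on a non-port protocol is still bogus


def exceeds_max_datagram(pkt):
    """Ping of Death: this fragment's offset plus its data passes 65,535 bytes."""
    h = parse_ipv4(pkt)
    return h["frag_offset"] + (h["total_len"] - h["ihl"]) > IPV4_MAX


# Constructed samples: a land TCP packet to port 139, the last fragment of the
# 65,540-byte ping (20 bytes at offset 65,528), and an ordinary ICMP echo.
LAND = build_ipv4("192.168.128.88", "192.168.128.88", 6, struct.pack("!HH", 139, 139) + b"\x00" * 16)
POD_LAST_FRAG = build_ipv4("203.94.243.71", "192.168.128.88", 1, b"\x00" * 20, frag_offset=65528)
NORMAL = build_ipv4("10.0.0.1", "192.168.128.88", 1, b"\x08\x00" + b"\x00" * 30)
```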


-------------------------------------------------------------------------------------------------------
Next Post   ------>>>   Teardrop Attacks
-------------------------------------------------------------------------------------------------------


Saturday, May 7, 2011

DOS attacks

A denial of service (DOS) attack is an attack that clogs up so much memory on the target system that it cannot serve its users, or it causes the target system to crash, reboot, or otherwise deny services to legitimate users. These days, DOS attacks are very common; indeed, just about every server is bound to experience such an attack at some time or another.
There are several different kinds of DOS attacks, the most popular of which are as follows:






