SABER 3° SABER 5° SABER 9° SABER 11° SABER PRO Lenguaje Lenguaje Lenguaje Lectura Crítica Lectura Crítica
3. DISEÑO METODOLÓGICO
Many Internet attacks try to obtain private data or to damage data. In contrast, a denial-of-service attack aims to shut down an entire network, a single server, or a particular Web site. The attack tries to prevent legitimate users of a service from using that service. This can be done by one of the following methods:
Flood a network with traffic. This makes it hard or impossible for legitimate users to send or receive data.
Disrupt connections between two computers. This prevents remote access to the machines.
Attempt to prevent a particular user from accessing a service.
Disrupt or prevent network access to a particular computer or network. A hacker may open an account at an ftp site, then store data and retrieve it repeatedly, thereby consuming disk space and monopolizing network services at the site.
A denial-of-service may be part of a bigger attack, but it disables a useful resource such as a computer or a network. If the resource is private, its owner may be inconve- nienced. If the resource is public, its users may suffer loss of service. If the resource is commercial, its owner suffers monetary losses. A denial-of-service is considered an easy type of attack. Even a single hacker, using an old, slow computer and a slow modem may be able to disable (or at least slow down) faster servers or even whole networks.
There are three types of denial-of-service, (1) consumption of scarce or nonrenew- able resources, (2) destruction or alteration of network information, and (3) physical destruction or alteration of network components.
The first type, consumption of scarce resources, relies on the fact that computers and networks need resources such as electrical power, CPU time, memory space, disk space, and network connections. The easiest resource for a hacker to consume is network connectivity. It is possible to tie up the network connections of a computer, such that it waits for some data that never arrives, so it remains hung up. All that the hacker has to do is start opening a connection to a network server but never complete this process. The victim server has reserved a port and a data structure for the connection, but the port remains half open. The hacker (or a group of coordinated attackers) can very quickly tie up all the available ports of a server. In the meantime, other users, legitimate or not, who try to establish connections are denied access.
182 7 Network Security
Such an attack is called a SYN flood. Even someone with only a slow computer and slow modem can stop a large server very quickly. Here is a detailed description of this threat.
A typical client/server network consists of a server (a computer with files that are useful to a group of users) and many clients (users who want access to those files). When a client tries to connect to the server, both the client and the server have to execute a connection protocol. They have to exchange certain messages that establish the connection. This is true for all the TCP connections, such as email, telnet, and http.
In its simplest form, the protocol starts when the client sends a SYN message to the server. If the server is ready to open a connection, it sends back a SYN-ACK message, expecting to receive an ACK message from the client. When this is accomplished, the connection is open and communication can start.
In a SYN flood attack, the client simply does not send back the ACK message (Figure 7.6. This leaves the server waiting, and creates the half-open connection. The server maintains a data structure in memory with information on all the half-open connections and this data structure may overflow and damage other data in memory. The operating system may check for overflow and simply ignore any SYN messages in such a case. The half-open connections then start expiring, creating space in the structure, but the attacker can continue sending SYN requests that keep the structure full for a few hours or longer.
Client (half open) Server SYN SYN-ACK ACK
Figure 7.6: A SYN Flood Attack.
In practice, a hacker uses IP spoofing to perpetrate a DoS attack. The attacking computer sends the attacked server SYN messages that appear to come from a legitimate client. The hacker, however, selects a client that’s unable to respond to the SYN-ACK from the server, which leaves the server hung up and draws attention to the client.
Any incoming connections established before the attack are still functioning. Also, the server can send data out while this type of attack is going on. The attack affects only new clients trying to connect to the server.
Consumption of scarce resources can also take the form of the hacker using the victim’s resources against the victim. An example is an abuse of the Chargen and Echo services associated with UDP data packets. A detailed description of these services is beyond the scope of this book, but the following paragraphs provide the main facts.
Data packets are sent over computer networks all the time, and sometimes are lost (dropped). Chargen (character generator, defined in [RFC-864 04]) was developed to locate the cause for dropped packets. It is a service that generates random characters
either in one UDP packet or in a TCP session. The UDP chargen server looks for a UDP packet on port 19 and responds with the random character packet.
With TCP chargen, once a connection is established, the server sends a continuous stream of TCP packets until the connection closes. The data itself is random and is ignored.
Echo (defined in [RFC-862 04]) uses UDP and TCP port 7 and is employed as a debugging tool. It sends any data packets received from a source back to that source.
An infiltrator can create a DoS attack by spoofing an IP address and causing two computers to send packets with random data to each other. In more detail, by connecting a host’s chargen service to the echo service on the same or on a different computer, all affected computers may be effectively choked because of the huge number of packets produced and sent. In addition, if several computers are connected in this way, the network connecting them may also become congested and deny service to any other computers whose network traffic needs to be forwarded by that network.
An attacker may also generate a huge number of data packets and send them to a target computer. This is a bandwidth consumption attack that may involve a group of intruders.
Even resources that are not related to network services may be consumed. A hacker may write a program (a virus or a Trojan horse) that only creates copies of itself and starts executing them. Very quickly, the CPU will have thousands, then millions of copies to execute. This not only slows down the CPU, but may overflow operating system resources. The operating system switches the CPU from program to program, allocating each program a time slot. It therefore must have a table of all the programs (processes) currently active in the computer. When new processes are created by the virus, the table fills up quickly and the operating system must take appropriate steps to handle the new processes being created all the time. They have to be placed in a queue, and when this queue overflows, it may corrupt data in memory.
An attackers may also consume massive amounts of disk space by, for example, generating many email messages, generating errors that have to be logged, and reading huge files from anonymous ftp servers and writing them on the disk. When the disk is full, this attack stops, but when the user needs more disk space later, the operating system issues an error message (disk full).
An intruder may be able to cause an operating system to crash or to become unstable by sending unexpected data over the network. A well-known example of such an attack is called the ping of death.
The TCP/IP protocol specifies data packets that can range in size from 20 bytes (only a short header with no data bytes) up to 65,536 bytes. The protocol does not specify how to handle bigger packets, because no one envisioned an attack based on large data packets. As a result, some operating systems feature unpredictable behavior when a packet larger than 65,536 bytes is received. The operating system may crash, freeze, or reboot itself.
Hackers have discovered that such an attack is particularly “successful” when the large data packets are sent as part of the Internet control message protocol (ICMP). ICMP is a component of the TCP/IP protocol that transmits error and control messages between computers. Two specific data packets specified by ICMP are ECHO_REQUEST
184 7 Network Security
andECHO_RESPONSE. These are commonly sent by a computer to determine whether a remote computer is reachable via the network and are commonly known as “ping,” which gave this particular attack its name (the name “smurf attack” is also used sometimes). The original ping program was written as part of UNIX by Mike Muuss [ping 04] and generated so much interest that the ping concept became part of the Internet protocol.
If your operating system is experiencing frequent crashes with no apparent cause, it could be the result of this type of attack.
The obvious defense against the ping of death is to patch the low-level routine that sends data packets to never send large packets, and patch the routine that receives packets to ignore packets that are too large. In practice, this should be done by the makers of the operating system and issued as a security patch.
The second type of DoS threat involves destruction or alteration of network in- formation. An attacker may be able to change the IP number of a victim’s personal computer, change the registration of the operating system, or change prerecorded tele- phone numbers used by the modem to call outside servers.
The third type of DoS threat involves physical destruction or alteration of network components. This can be done by an intruder physically appearing in a computer center and disabling, breaking, or disconnecting cables and other hardware devices. A hacker may also climb a utility pole and disconnect telephone lines or television cables, thereby disrupting service to users in the neighborhood.
Once the DoS threat is understood, there are certain things a security expert can do to reduce the effect of DoS attacks, but most require modifications of the operating system, which can normally be done only by its manufacturer. Any half-open port should close automatically after a fraction of a second (unfortunately, this may affect legitimate users with a slow communications line). When the number of active processes in memory reaches a certain limit, the operating system simply ignores any new pro- cesses (but this may backfire when an administrator wants to run a program to monitor the state of the computer). The size of disk files may be limited to, say 2 Gb (but this may prevent users form having legitimate large files, perhaps with movies).