August 2nd, 2008 — Attack types
A Smurf attack works the same way as an ICMP flood, but it uses other networks to multiply the number of requests. It is based on sending a large amount of ICMP echo traffic (for more information about ICMP echo requests, read the article on ICMP flood) to a network's broadcast address, with the source address spoofed to that of the victim. Spoofing the source address tricks the receiving system into thinking the request came from a third party, so it replies to a computer other than the one that actually sent the request.
When the broadcast server (the amplifier) receives the echo/ping traffic, it automatically delivers it to all the computers in its network. Every computer in that network responds, so the number of replies sent to the victim is multiplied by the number of computers in the amplifier network.
How not to become an amplifier for a Smurf attack
1. Configure the individual computers and routers in your network not to respond to broadcast pings (echo requests sent to the broadcast address).
2. Configure routers not to forward packets addressed directly to broadcast addresses (directed broadcasts). Until 1999 forwarding such packets was standard behaviour for routers, which made Smurf attacks much easier; nowadays it is recommended to switch directed broadcast forwarding off.
3. Use ingress filtering to drop spoofed packets. This may cost some performance, but it is also a great help in tracing an attack back to its source.
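The three measures above, expressed as the checks a border router and a host would apply to each packet. This is an added example, not code from the original post; the network prefix, the `Packet` record and the "outside"/"inside" interface names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed example network: the prefix this border router protects (RFC 5737 documentation range).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
ICMP_ECHO_REQUEST = 8

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "icmp", "udp", ...
    icmp_type: Optional[int] = None
    iface: str = "outside"          # interface the packet arrived on: "outside" or "inside"

def is_directed_broadcast(pkt: Packet) -> bool:
    """Step 2: the packet is addressed to our subnet's broadcast address."""
    return ipaddress.ip_address(pkt.dst) == LOCAL_NET.broadcast_address

def is_spoofed(pkt: Packet) -> bool:
    """Step 3, ingress/egress filtering: a packet arriving from outside must not claim an
    inside source, and a packet leaving from inside must not claim an outside source."""
    src_is_local = ipaddress.ip_address(pkt.src) in LOCAL_NET
    if pkt.iface == "outside":
        return src_is_local
    return not src_is_local

def border_verdict(pkt: Packet) -> str:
    """What the border router does with a packet (hypothetical policy built from steps 2 and 3)."""
    if is_spoofed(pkt):
        return "drop: spoofed source"
    if pkt.iface == "outside" and is_directed_broadcast(pkt):
        # Refusing directed broadcasts is the router side of Cisco's 'no ip directed-broadcast':
        # one ping can no longer be turned into a reply from every host on the LAN.
        return "drop: directed broadcast"
    return "forward"

def host_answers_ping(pkt: Packet) -> bool:
    """Step 1, on each host: answer echo requests sent to our own address only, never those
    sent to the broadcast address (on Linux: net.ipv4.icmp_echo_ignore_broadcasts=1)."""
    if pkt.proto != "icmp" or pkt.icmp_type != ICMP_ECHO_REQUEST:
        return False
    return not is_directed_broadcast(pkt)
```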
How to stop a Smurf attack?
Just like ICMP floods, Smurf attacks are very hard to stop. A few steps can be taken once an attack has started.
1. Set a rate limit on the volume of ICMP traffic entering your network. That way only part of the flood reaches your service, so it is not brought to a halt.
2. Contact your internet service provider immediately. Only they can fully limit the number of packets that reach your site; a poorly configured firewall can be brought to its knees despite the traffic filters applied.
August 2nd, 2008 — Attack types
ICMP flood (also known as ping flood) is probably the most common denial of service attack method. It takes advantage of the Internet Control Message Protocol (ICMP), which is used to exchange control messages and report errors between computer systems. ICMP is commonly used to determine whether a host is online and responding (the ping command built into most operating systems does exactly that). To check whether a server responds, an ICMP echo request packet is sent to it; once the server receives the echo request, it replies to the IP address that sent the ping.
In an ICMP flood the hacker sends large, or simply very many, ICMP echo packets (or UDP packets) at the server. Because the server spends its resources answering the huge number of packets, it cannot respond to legitimate requests, making the service unavailable.
ICMP floods can be regular or distributed. Distributed ICMP floods are especially dangerous, as a whole network of computers is pinging the same service.
How to stop an ICMP flood?
Sadly, the victim has few ways to fight an ICMP flood. Once an attack has started it is very hard to stop, and preventing one is equally hard. However, there are some steps you can take to improve your network's safety.
1. Block ICMP type 8 (echo request), which stops all echo requests from reaching your server. This is advisable only during a heavy attack, as it also blocks all legitimate pings.
2. Firewalls and packet filtering can help, but will probably not block all attack packets without also making some of your services unavailable.
3. Apply a per-client bottleneck (throttle each source) to reduce the number of malicious requests that reach the targeted network, router or server.
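The rate limit recommended against Smurf attacks above and the emergency "block ICMP type 8" measure in step 1, shown as one sliding-window filter run over a constructed flood. This is an added example and not code from the original post; the `IcmpRateLimiter` class, its parameters and the flood generator are assumptions made for the illustration.

```python
from collections import deque

ICMP_ECHO_REQUEST = 8   # icmp-type 8, echo request

class IcmpRateLimiter:
    """Sliding-window limit: admit at most `limit` echo requests per `window_ms` milliseconds
    and drop the rest, so the host keeps capacity for its real work. With block_all_echo=True
    every echo request is dropped (the emergency 'block icmp-type 8' measure, which also
    silences legitimate pings)."""

    def __init__(self, limit: int, window_ms: int, block_all_echo: bool = False):
        self.limit = limit
        self.window_ms = window_ms
        self.block_all_echo = block_all_echo
        self._admitted = deque()     # arrival times (ms) of admitted echo requests
        self.dropped = 0

    def allow(self, icmp_type: int, now_ms: int) -> bool:
        if icmp_type != ICMP_ECHO_REQUEST:
            return True              # other ICMP (echo replies, errors) is not limited here
        if self.block_all_echo:
            self.dropped += 1
            return False
        while self._admitted and now_ms - self._admitted[0] >= self.window_ms:
            self._admitted.popleft()   # forget requests that fell out of the window
        if len(self._admitted) >= self.limit:
            self.dropped += 1
            return False
        self._admitted.append(now_ms)
        return True

def simulate_flood(limiter: IcmpRateLimiter, pkts_per_second: int, seconds: int):
    """Constructed traffic: pkts_per_second echo requests each second, evenly spaced.
    Returns (admitted, dropped) so the effect of the limit can be checked."""
    admitted = 0
    for s in range(seconds):
        for i in range(pkts_per_second):
            now_ms = s * 1000 + (i * 1000) // pkts_per_second
            if limiter.allow(ICMP_ECHO_REQUEST, now_ms):
                admitted += 1
    return admitted, limiter.dropped
```

With a limit of 10 echo requests per second, a 1000 packet per second flood lasting three seconds gets 30 packets through and 2970 dropped, while a normal 5 packet per second ping stream passes untouched.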
August 2nd, 2008 — Attack types
Most network technologies have a limit on the size of packet they can handle, called the Maximum Transmission Unit (MTU). Teardrop attacks exploit the way the IP protocol splits packets that are bigger than the system's MTU. Such a packet is divided into fragments, each carrying an offset that tells the receiving system where the fragment belongs in the original packet, so the packet can later be reassembled from its fragments. In a Teardrop attack the hacker sends fragments with confusing offsets (for instance, an offset in the second or later fragment that points into the middle of the previous fragment, so the fragments overlap) to the target. If the server does not know how to handle such fragments, it will crash.
Even though only Windows NT and Linux 2.0.30 (and below) are vulnerable to the Teardrop attack, making it a pretty old method, it is still used sometimes. And although firewalls today have efficient ways to filter out broken and overlapping fragments, sending thousands of teardrop packets can still crash the system.
How to protect yourself against Teardrop attacks?
1. The most efficient way to protect yourself is to update your operating system to the latest version, which makes you immune to teardrop attacks.
2. Install patches that make your system immune to teardrop attacks.
3. Firewalls can provide protection against various denial of service attacks; however, as mentioned above, they do not guarantee 100% protection against teardrop attacks.
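The fragment check a firewall applies to sort out overlapping fragments, as described above: it accepts a fragment set only if the pieces tile the original datagram exactly and rejects the overlap that Teardrop relies on. This is an added example and not code from the original post; the `Fragment` record and the constructed sample fragment sets are assumptions for the illustration.

```python
from typing import List, NamedTuple, Optional

class Fragment(NamedTuple):
    offset: int    # fragment offset field from the IP header, in 8-byte units
    length: int    # payload bytes carried by this fragment
    more: bool     # MF flag: more fragments follow

def check_fragments(frags: List[Fragment]) -> Optional[int]:
    """Strict reassembly check as a firewall might apply it: return the reassembled payload
    length if the fragments tile the original datagram exactly, or None if any fragment
    overlaps another (the Teardrop case), leaves a gap, or the MF flags are inconsistent.
    A None verdict means: drop the whole fragment set instead of handing it to the IP stack."""
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f.offset)
    expected = 0                            # byte where the next fragment must begin
    for i, f in enumerate(ordered):
        is_last = i == len(ordered) - 1
        start = f.offset * 8
        if f.length <= 0:
            return None
        if start < expected:
            return None                     # overlap: offset points inside the previous fragment
        if start > expected:
            return None                     # gap: a fragment is missing
        if f.more == is_last:
            return None                     # MF set on the last fragment, or clear on a middle one
        if not is_last and f.length % 8:
            return None                     # non-final fragments must be multiples of 8 bytes
        expected = start + f.length
    return expected

# Constructed inputs: a well-formed two-fragment datagram and an overlapping (Teardrop-style) pair
# whose second offset (3 * 8 = 24) lies inside the 40-byte first fragment.
GOOD = [Fragment(offset=0, length=1480, more=True), Fragment(offset=185, length=520, more=False)]
OVERLAP = [Fragment(offset=0, length=40, more=True), Fragment(offset=3, length=4, more=False)]
```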
August 2nd, 2008 — What are DDoS attacks?
DDoS (Distributed Denial of Service) attacks are a growing concern in today's internet world. The point of a DDoS attack is to make a computer's or server's resources unavailable to its intended traffic by sending it a huge amount of external communication requests, thereby crippling its performance. DDoS attacks can make a service respond very slowly or not at all by consuming all of the server or network resources.
Unlike regular denial of service methods, DDoS attacks involve several (sometimes up to thousands of) machines attacking one target.
Botnets are usually used by hackers to carry out DDoS attacks. The hacker infects insecure computers with a worm or DDoS tool and later orders them to start attacking the server. A computer in the botnet might not even notice being a member, as the traffic consumption is really low, so you might not know that your computer is being used to attack a third party's system.