Monday, April 30, 2007

DHCP SERVER

If you are a network administrator, you have probably run into IP address conflicts while configuring the addresses of hosts by hand. Windows 2000 Server ships with a DHCP (Dynamic Host Configuration Protocol) server that hands out IP addresses to the hosts on the network automatically. Let's first look at how this mechanism works.

For DHCP to assign addresses automatically, there must be a DHCP server running on the network and the hosts must be configured as DHCP clients. Below is a simple diagram of the entire process.


The DHCP client first broadcasts a DHCP DISCOVER to find a server; it has no address of its own yet, so the packet goes to every machine on the local segment (see pic.1). A DHCP server on the network answers with a DHCP OFFER proposing an IP address from its preconfigured range (I will explain how to configure that range below). The client then broadcasts a DHCP REQUEST accepting the offered address and naming the server it chose, so that any other servers that made offers can withdraw them. The server confirms the address and the lease details with a DHCP ACK. After these four steps the client has a dynamically assigned IP address, together with a lease that says how long it may keep it.

DHCP server: To install a DHCP server on your Windows 2000 server follow this procedure: open Control Panel -> Add/Remove Programs -> Add/Remove Windows Components. In the new window select Networking Services and click Details. Tick Dynamic Host Configuration Protocol (DHCP), click OK and complete the wizard. The DHCP server is now installed on your machine.

Before you configure and start your DHCP server, there are two basic requirements. (see pic.2)

1. The DHCP server must have a static IP address. Clients and relay agents need a fixed address to send their requests to, and a server whose own address could expire cannot reliably manage other hosts' leases.

2. The DHCP Server service must be running. It is installed with the component, but check it before you go on.

So make sure that your server has a static IP address on the network. To check the service, click Start -> Programs -> Administrative Tools -> Services. In the right pane of the Services window you will see both the DHCP Client service and the DHCP Server service; right-click DHCP Server and make sure it is started. Note that the DHCP Client service does not need to be stopped on the server and should be left running: on Windows 2000 that service also performs the machine's dynamic DNS registration, so stopping it has side effects well beyond DHCP. With a static address and the DHCP Server service running you are ready to configure your DHCP server.

Now in Administrative Tools, click DHCP. If everything is correct you will see a window similar to the one at right. (see pic.3)

Now right-click the server name in the list and click New Scope... A scope tells the DHCP server which range of IP addresses to hand out, the subnet mask, the exclusions, the lease duration and so on. In the new window give the scope a name and a description. Click Next and define the range of IP addresses that you want the DHCP server to allocate to its clients. (see pic.4)

Click Next and define any addresses to exclude from that range, either as sub-ranges or as individual addresses; this is where you keep out the addresses of printers, servers and other hosts that are configured statically. Next comes the lease duration. This is the period for which an assigned IP address is valid for a client. By default the lease duration is 8 days, so unless the client renews it, the address stops being valid at the end of the 8th day.

The client does not wait for the lease to run out. At 50% of the lease (day 4 of an 8-day lease, a point called T1) the client sends a unicast DHCP REQUEST to the server that granted the lease, asking for a renewal. If that server does not answer, then at 87.5% of the lease (day 7, called T2) the client broadcasts the request so that any DHCP server on the network can extend the lease. Only if nothing answers by the end of the lease does the client give the address up and start over with a DHCP DISCOVER; a Windows client that finds no server at all falls back to an automatic 169.254.x.x address and has no usable address on the network. The gap between T1, T2 and expiry is a safety margin, so that one unreachable server does not cost clients their addresses.
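The four-message exchange and the T1/T2 timers above are easier to see in code than in prose. The following is an added example, not part of the original post: it builds and parses DHCP messages in the RFC 2131 wire format (fixed 236-byte header, magic cookie, TLV options) and walks one DISCOVER/OFFER/REQUEST/ACK exchange in memory. The server address, pool and MAC address are made up for the example, and no packet is sent on a real network.

```python
import struct
import ipaddress

# Option codes from RFC 2132 and message types from RFC 2131.
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE, OPT_SERVER_ID = 50, 51, 53, 54
OPT_T1, OPT_T2, OPT_END = 58, 59, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"      # the fixed 236-byte BOOTP header

def u32(n):
    return struct.pack("!I", n)

def build(msg_type, xid, client_mac, yiaddr="0.0.0.0", options=None):
    """Serialise one DHCP message: fixed header, magic cookie, TLV options, END."""
    op = 1 if msg_type in (DISCOVER, REQUEST) else 2      # BOOTREQUEST / BOOTREPLY
    header = struct.pack(
        HEADER_FMT,
        op, 1, 6, 0,                            # op, htype=Ethernet, hlen=6, hops
        xid, 0, 0x8000,                         # transaction id, secs, flags (broadcast bit)
        b"\0" * 4,                              # ciaddr: the client has no address yet
        ipaddress.IPv4Address(yiaddr).packed,   # yiaddr: "your" address, filled in by the server
        b"\0" * 4, b"\0" * 4,                   # siaddr, giaddr
        client_mac.ljust(16, b"\0"),            # chaddr
        b"\0" * 64, b"\0" * 128,                # sname, file
    )
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in (options or {}).items():
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + bytes([OPT_END])

def parse(packet):
    """Return (fields, options) for a raw DHCP packet; rejects a bad cookie."""
    f = struct.unpack(HEADER_FMT, packet[:236])
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(packet) and packet[i] != OPT_END:
        if packet[i] == 0:                      # the pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    fields = {"op": f[0], "xid": f[4],
              "yiaddr": str(ipaddress.IPv4Address(f[8])), "chaddr": f[11][:f[2]]}
    return fields, options

def renewal_timers(lease_seconds):
    """RFC 2131 defaults: T1 (renew, unicast) at 50% and T2 (rebind, broadcast) at 87.5%."""
    return lease_seconds // 2, lease_seconds * 7 // 8

def dora(server_ip, pool, lease_seconds, xid, mac):
    """Run one DISCOVER/OFFER/REQUEST/ACK exchange in memory; return the client's lease."""
    sid = ipaddress.IPv4Address(server_ip).packed
    t1, t2 = renewal_timers(lease_seconds)
    # 1. DISCOVER: the client has no address, so it broadcasts.
    fields, opts = parse(build(DISCOVER, xid, mac))
    assert opts[OPT_MSG_TYPE] == bytes([DISCOVER])
    # 2. OFFER: the server proposes the first free address in its pool.
    offered = pool.pop(0)
    fields, opts = parse(build(OFFER, xid, mac, offered,
                               {OPT_SERVER_ID: sid, OPT_LEASE_TIME: u32(lease_seconds)}))
    # 3. REQUEST: the client names the address and the server it is accepting.
    fields, opts = parse(build(REQUEST, xid, mac, options={
        OPT_REQUESTED_IP: ipaddress.IPv4Address(fields["yiaddr"]).packed,
        OPT_SERVER_ID: opts[OPT_SERVER_ID]}))
    assert fields["xid"] == xid and opts[OPT_SERVER_ID] == sid   # server matches by xid/chaddr
    # 4. ACK: the server commits the lease and tells the client when to renew.
    fields, opts = parse(build(ACK, xid, mac, offered, {
        OPT_SERVER_ID: sid, OPT_LEASE_TIME: u32(lease_seconds),
        OPT_T1: u32(t1), OPT_T2: u32(t2)}))
    return {"ip": fields["yiaddr"],
            "lease": struct.unpack("!I", opts[OPT_LEASE_TIME])[0],
            "t1": struct.unpack("!I", opts[OPT_T1])[0],
            "t2": struct.unpack("!I", opts[OPT_T2])[0]}

if __name__ == "__main__":
    # Constructed values: server 192.168.1.1, a two-address pool, an 8-day lease.
    print(dora("192.168.1.1", ["192.168.1.100", "192.168.1.101"],
               8 * 24 * 3600, 0x3903F326, bytes.fromhex("001122334455")))
```

With the default 8-day lease the ACK carries T1 = 345600 s (4 days) and T2 = 604800 s (exactly 7 days); the 87.6% figure sometimes quoted is a rounding of 7/8.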

If you click Next, the wizard asks whether to configure DHCP options such as the default gateway and DNS servers now. That is beyond the scope of this article; select No. Click Next and then Finish. The scope is now defined. In the DHCP window, expand the server, right-click the scope you just created and click Activate so that the server starts answering clients from it. You have successfully installed the DHCP server on your network.

DHCP client: Configuring a DHCP client is very easy. Actually you don't have to do anything to set up a DHCP client, because it is the default. Just make sure that the option to obtain an IP address automatically is enabled in the properties of your network connection.

Go to Control Panel -> Network and Dial-up Connections -> right-click the connection -> Properties. Select Internet Protocol (TCP/IP) and click Properties. In the dialog, make sure "Obtain an IP address automatically" is selected. Click OK, then refresh the DHCP console (F5) and look under Address Leases. The server will have assigned your client machine an address from the range you configured for the scope; the choice is not random, the server picks an available address from the pool and records the lease against the client's MAC address.

To find out which IP address the DHCP server has assigned to the client, open a command prompt and type "ipconfig", or "ipconfig /all" for the complete IP configuration of the system, including the DHCP server's address and the times the lease was obtained and expires. Isn't it cool?



DDoS Attack

Distributed Denial of Service attacks have recently emerged as one of the most newsworthy, if not the greatest, weaknesses of the Internet.

Overview

Distributed Denial of Service (DDoS) attacks are a relatively new development; reports of the first DDoS attacks surfaced in mid-1999, with the highest-profile attacks coming in early 2000 against sites like Amazon.com, CNN.com, eBay and E-Trade. Just a few weeks ago, the SCO website suffered a heavy DDoS attack that made it inaccessible for days. Clearly, the challenge these attacks present is a serious one. While you alone can't do much to protect yourself, as a community we can improve the situation.

A brief note on usage: the network where these attacks are taking place is called the "Internet", with a capital "I"; it is the public network shared by people all over the world. An "internet", with a lower-case "i", is a collection of interconnected networks; many organizations have private internets. The Internet is the result of interconnecting a gigantic number of private internets.

The advent of DDoS marked an escalation in Internet Relay Chat (IRC) wars. Relying on networks of linked servers, IRC offers channels, or chat rooms, that users can join to exchange ideas, pictures, sounds and programs. Channel operator (ruling) status is assigned by default to a channel's creator, to someone who inherits channel operator privileges, or to someone who simply asks for it (assuming there is no current channel operator).

Explanation of DDoS attacks

DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet. The attacker then installs DDoS software on them, which lets one person direct all of the compromised machines in a coordinated attack on a victim site. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims.

A cracker starts by breaking into weakly secured computers, using well-known exploits in standard network service programs and common weak configurations in operating systems. On each system, once they break in, they perform some additional steps. First, they install software to conceal the fact of the break-in and to hide the traces of their subsequent activity. For example, the standard commands for displaying running processes are replaced with versions that fail to display the attacker's processes. These replacement tools are collectively called a "rootkit", since they are installed once you have "cracked root", taken over system administrator privileges, to keep other "root users" from being able to find you. Then they install a special process used to remotely control the burgled machine. This process accepts commands from over the Internet and, in response to those commands, launches an attack over the Internet against some designated victim's site. Finally, they can have their so-called "bots" or "zombies" report to private chat rooms on IRC. A cautious attacker will begin by breaking into just a few sites, then use them to break into some more, and repeat this cycle for several steps, to reduce the chance of being caught during this, the riskiest part of the operation. By the time they are ready to mount the kind of attacks we've seen recently they have taken over thousands of machines and assembled them into a DDoS network; this just means that they all have the attack software installed and the attacker knows all their addresses.

Now its time for the attack. The attacker runs a single command, which sends command packets to all the captured machines, instructing them to launch a particular attack against a specific victim. When the attacker decides to stop the attack, they send another single command.

The packets used in today's DDoS attacks use forged (spoofed) source addresses; they lie about where the packet comes from. The very first router to receive the packet can very easily catch the lie: it has to know what addresses lie on every network attached to it in order to route packets to them, so if a packet arrives with a source address that does not belong to the network it came in on, the router should drop the packet. This style of packet checking is called Ingress or Egress filtering depending on the point of view (it is egress from the customer network, ingress to the heart of the Internet); it is described in RFC 2267, since reissued as BCP 38 (RFC 2827). If the packet is allowed past the border, catching the lie is nearly impossible. To use a postal analogy: if you hand a letter to the carrier who delivers to your home, there's a good chance he could notice that the return address is not your own. If you drop the letter into the corner letter-box, the mail gets handled in sacks and routed via high-volume automated sorters; it will never again get the close and individual attention required to make any intelligent judgment about the accuracy of the return address. Likewise with forged source addresses on Internet packets: let them past the first border router and they are unlikely to be detected.
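The border check described above is usually implemented as strict unicast reverse-path forwarding: the router looks up the packet's source address in its own routing table and drops the packet if the best route back to that source does not leave through the interface the packet arrived on. The following is an added example, not from the original article: a small longest-prefix-match table with that check, applied to a few constructed packets on an edge router with two customer links and one uplink (all addresses are made up).

```python
import ipaddress

class Router:
    """Longest-prefix-match routing table plus a strict unicast RPF check."""
    def __init__(self):
        self.routes = []                       # list of (network, interface)

    def add_route(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)   # most specific first

    def lookup(self, addr):
        a = ipaddress.ip_address(addr)
        for net, iface in self.routes:
            if a in net:
                return iface
        return None

    def urpf_strict(self, in_iface, src):
        """Accept only if the best route back to the source address leaves
        through the interface the packet arrived on (the BCP 38 test)."""
        return self.lookup(src) == in_iface

def filter_packets(router, packets, edge_ifaces):
    """Apply the check on edge (customer) interfaces only. A transit link may
    legitimately carry sources from anywhere, so it is exempt."""
    verdicts = []
    for p in packets:
        if p["in"] in edge_ifaces and not router.urpf_strict(p["in"], p["src"]):
            verdicts.append((p["in"], p["src"], "drop"))
        else:
            verdicts.append((p["in"], p["src"], "accept"))
    return verdicts

def sample_router():
    r = Router()
    r.add_route("10.1.0.0/16", "cust1")
    r.add_route("10.2.0.0/24", "cust2")
    r.add_route("0.0.0.0/0", "uplink")          # default route towards the Internet
    return r

# Constructed packets, not captured traffic.
SAMPLE_PACKETS = [
    {"in": "cust1", "src": "10.1.5.5", "dst": "203.0.113.80"},     # genuine customer source
    {"in": "cust1", "src": "203.0.113.9", "dst": "192.0.2.1"},     # forged: routes out the uplink
    {"in": "cust1", "src": "10.2.0.7", "dst": "192.0.2.1"},        # forged: belongs to the other customer
    {"in": "uplink", "src": "198.51.100.1", "dst": "10.1.5.5"},    # transit traffic, not checked
]

if __name__ == "__main__":
    for verdict in filter_packets(sample_router(), SAMPLE_PACKETS, {"cust1", "cust2"}):
        print(*verdict)
```

Strict mode is exactly right on a single-homed customer link, which is where the article says the lie is cheapest to catch; on a link with asymmetric routing it would drop legitimate traffic, which is why transit interfaces are left out of `edge_ifaces` here.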

Today it is not possible to perform more than a few back-traces, and even those take hours and a good deal of luck, because every hop has to be traced with the cooperation of that network's operators. So as long as the attacker turns the attack off after at most a few hours, you are unlikely to find more than a few of the thousands of machines used to launch it; the rest remain available for further attacks. And the compromised machines you do find will contain no evidence that leads to the original attacker, since the control traffic itself arrives from other compromised hosts; your trace stops with them.

Tools of the Trade

Many tools are available to perpetrate DDoS attacks. Because source code is available for a number of these tools, many of the findings about a particular set of DDoS tools change over time. In fact, the characteristics that are seen "in the wild" often do not match those seen by analysis of the available source code. DDoS tools typically follow a three-tier architecture, known as a DDoS constellation. The attacker (controlling console) is used to issue commands to the master controller layer. The master controllers are then responsible for controlling a given number of agents that do the actual labor of the attack. The attacker can control a large number of masters, and each master can control a large number of agents. Since any traceback of flooding traffic to ascertain the source of the attack will result in an agent system, finding the master controllers is very difficult, and finding the attacker consoles is even more difficult.

There are basically five methods of attack that are supported by known DDoS tools:

* Smurf -- ICMP (Internet Control Message Protocol) echo requests sent to a directed broadcast address with a forged source address that is the target of the attack. Every host on the broadcast subnet answers the request, and the replies flood the target's network, so the attacker's traffic is amplified by the size of that subnet.
* ICMP flood -- similar to Smurf, but the packets are sent straight at the target, without the amplification of a directed broadcast.
* UDP flood -- sending large numbers of UDP (User Datagram Protocol) packets to the target system, tying up bandwidth and the target's network stack.
* TCP flood -- sending large numbers of TCP packets to the target system, likewise tying up network resources.
* TCP SYN flood -- sending large numbers of TCP connection initiation requests (SYN segments) to the target, usually with forged sources. The target must allocate state for each half-open connection while it waits for a handshake that never completes.

The most prominently seen DDoS tools vary by their methods of attack, communication between master and agents, and the system privileges needed to execute an attack. The more recent and sophisticated DDoS tools even come with functionality to update software automatically, easing the burden of running a large DDoS constellation. Seven families of DDoS tools have been seen in the wild. The more common families are trinoo, Tribe Flood Network (TFN and TFN2K) and Stacheldraht.

Trinoo, an early DDoS tool, is relatively unsophisticated by current standards. It initiates only a UDP flood attack. Communication between the master and agents uses unencrypted TCP and UDP. Root/administrator privileges are not needed to use trinoo. This means that any regular user can deploy a trinoo constellation without having to compromise a systems administration account. Given trinoo's relative simplicity, it is easier to detect and combat than more recently developed tools.

TFN and TFN2K support multiple attack types, including UDP, ICMP and TCP SYN floods, and can also launch a Smurf attack. Communication between the master and the agents uses ICMP_ECHOREPLY packets; commands and arguments are sent in the ICMP ID field and in the data portion of the packets. The main difference between TFN2K and TFN is that the agent is silent in TFN2K, making it more difficult to detect: the master sends multiple copies of each command to the agent and relies on the probability that at least one gets through, and the command packets are mixed with decoy packets sent to random destinations. As TFN evolves, it becomes easier to cause outages and more difficult to detect. TFN and TFN2K are more difficult to deploy than trinoo, because they require root or administrator privileges on the system running the agent.

Like TFN, Stacheldraht has multiple attack options, including UDP, ICMP, TCP SYN and broadcast ping floods. Its use of ICMP_ECHOREPLY is similar to TFN's, but Stacheldraht can encrypt the console-to-master TCP session. Stacheldraht also has an auto-update feature. Like TFN and TFN2K, Stacheldraht requires root or admin privileges on the system running the agent as well as the master.
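Two things in the sections above are directly visible on the wire: the flood types listed under "five methods of attack", and the TFN/Stacheldraht habit of carrying commands in ICMP echo replies. A host never asked for those replies, so an echo reply with no matching echo request is itself a signal. The following is an added example, not from the original article: a small classifier that runs over a list of constructed packet records (not a real capture) and raises alerts for a SYN flood, a UDP flood, a Smurf request aimed at a local directed-broadcast address, and orphan echo replies. Thresholds, addresses and the broadcast set are assumptions for the example.

```python
from collections import Counter

# Directed-broadcast addresses of our own subnets (constructed for the example).
BROADCASTS = {"10.0.0.255"}

def detect(packets, window=1.0, syn_threshold=50, udp_threshold=200):
    """Classify packet records and return a list of alerts.
    Each record is a dict with t, proto ("tcp"/"udp"/"icmp"), src, dst and
    either flags (tcp) or type and id (icmp)."""
    syn, udp, echo_requests, alerts = Counter(), Counter(), set(), []
    for p in packets:
        bucket = int(p["t"] // window)                      # fixed-width time buckets
        if p["proto"] == "tcp" and p["flags"] == "S":
            syn[(bucket, p["dst"])] += 1
        elif p["proto"] == "udp":
            udp[(bucket, p["dst"])] += 1
        elif p["proto"] == "icmp" and p["type"] == 8:       # echo request
            echo_requests.add((p["src"], p["dst"], p["id"]))
            if p["dst"] in BROADCASTS:
                # the forged source is the real victim of the amplified replies
                alerts.append(("smurf-request", p["src"], p["dst"]))
        elif p["proto"] == "icmp" and p["type"] == 0:       # echo reply
            if (p["dst"], p["src"], p["id"]) not in echo_requests:
                # nobody on our side asked: TFN/Stacheldraht-style control traffic
                alerts.append(("orphan-echo-reply", p["src"], p["dst"]))
    alerts += [("syn-flood", dst, n) for (_, dst), n in syn.items() if n >= syn_threshold]
    alerts += [("udp-flood", dst, n) for (_, dst), n in udp.items() if n >= udp_threshold]
    return alerts

def sample_traffic():
    """Constructed traffic: one SYN burst, one normal ping, three unsolicited
    echo replies, one Smurf request and one UDP burst."""
    pkts = []
    for i in range(120):      # 120 SYNs in under a second from 120 forged sources
        pkts.append({"t": 0.2 + i * 0.005, "proto": "tcp", "src": "198.51.100.%d" % (i + 1),
                     "dst": "10.0.0.5", "flags": "S"})
    pkts.append({"t": 1.5, "proto": "icmp", "src": "10.0.0.9", "dst": "10.0.0.1", "type": 8, "id": 77})
    pkts.append({"t": 1.6, "proto": "icmp", "src": "10.0.0.1", "dst": "10.0.0.9", "type": 0, "id": 77})
    for i in range(3):        # echo replies with no request behind them
        pkts.append({"t": 2.0 + i, "proto": "icmp", "src": "203.0.113.7", "dst": "10.0.0.9",
                     "type": 0, "id": 456})
    pkts.append({"t": 3.0, "proto": "icmp", "src": "192.0.2.10", "dst": "10.0.0.255", "type": 8, "id": 1})
    for i in range(250):      # 250 UDP datagrams inside one window
        pkts.append({"t": 4.0 + i * 0.003, "proto": "udp",
                     "src": "203.0.113.%d" % (i % 200 + 1), "dst": "10.0.0.6"})
    return pkts

if __name__ == "__main__":
    for alert in detect(sample_traffic()):
        print(*alert)
```

The request/reply pairing is the part worth keeping: it is cheap, it needs no signature for any particular tool, and it would also have flagged the decoy packets TFN2K sprays at random destinations from the point of view of those destinations.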

Key Trends and Factors

The recent attacks against e-commerce sites demonstrate the opportunities that attackers now have because of several Internet trends and related factors:

* Attack technology is developing in an open-source environment and is evolving rapidly. Technology producers, system administrators, and users are improving their ability to react to emerging problems, but they are behind and significant damage to systems and infrastructure can occur before effective defenses can be implemented. As long as defensive strategies are reactionary, this situation will worsen.

* Currently, there are tens of thousands - perhaps even millions - of systems with weak security connected to the Internet. Attackers are compromising these machines and building attack networks, and will keep doing so. Attack technology takes advantage of the power of the Internet to exploit its own weaknesses and overcome defenses.

* Increasingly complex software is being written by programmers who have no training in writing secure code and are working in organizations that sacrifice the safety of their clients for speed to market. This complex software is then being deployed in security-critical environments and applications, to the detriment of all users.

* User demand for new software features instead of safety, coupled with industry response to that demand, has resulted in software that is increasingly supportive of subversion, computer viruses, data theft, and other malicious acts.

* Because of the scope and variety of the Internet, changing any particular piece of technology usually cannot eliminate newly emerging problems; broad community action is required. While point solutions can help dampen the effects of attacks, robust solutions will come only with concentrated effort over several years.

* The explosion in use of the Internet is straining our scarce technical talent. The average level of system administrator technical competence has decreased dramatically in the last 5 years as non-technical people are pressed into service as system administrators. Additionally, there has been little organized support of higher education programs that can train and produce new scientists and educators with meaningful experience and expertise in this emerging discipline.

* The evolution of attack technology and the deployment of attack tools transcend geography and national boundaries. Solutions must be international in scope.

* The difficulty of criminal investigation of cybercrime coupled with the complexity of international law mean that successful apprehension and prosecution of computer crime is unlikely, and thus little deterrent value is realized.

* The number of directly connected homes, schools, libraries and other venues without trained system administration and security staff is rapidly increasing. These "always-on, rarely-protected" systems allow attackers to continue to add new systems to their arsenal of captured weapons.

Resource Consumption

An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle they may be anything. Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect.

In addition to network bandwidth, intruders may be able to consume other resources that your systems need in order to operate. For example, in many systems a limited number of data structures are available to hold process information (process identifiers, process table entries, process slots, etc.). An intruder may be able to consume these data structures with a simple program or script that does nothing but repeatedly create copies of itself (a "fork bomb"). Many modern operating systems have quota facilities, such as per-user process limits, to protect against this problem, but not all do. Further, even if the process table is not filled, the CPU may be consumed by a large number of processes and the time spent switching between them. Consult your operating system vendor or operating system manuals for details on the quota facilities available for your system.

Security Considerations

The primary intent of this document is to inherently increase security practices and awareness for the Internet community as a whole; as more Internet Providers and corporate network administrators implement ingress filtering, the opportunity for an attacker to use forged source addresses as an attack methodology will significantly lessen. Tracking the source of an attack is simplified when the source is more likely to be "valid." By reducing the number and frequency of attacks in the Internet as a whole, there will be more resources for tracking the attacks which ultimately do occur.

Thoughts

On closing, I just wanted to make some comments regarding security. Try to subscribe to a couple of security alert digests so that you are alerted to new exploits, and try to keep up on bugs that affect your systems (SANS, CERT, SecurityFocus.com (Bugtraq) and Security-Protocols.com are a few good security sites with digests), and visit your operating system's site for current information regarding your specific system. As for the research done, I have really enjoyed it and learned a lot about DoS and DDoS.

Thanks,

-------------------------------------

badpack3t
www.security-protocols.com

-------------------------------------

References:

CERT. "Denial of Service Attacks." June 2001.

Url: http://www.cert.org/tech_tips/denial_of_service.html

Dittrich, D. (University of Washington). "DDoS - Is There Really a Threat?"

Url: http://staff.washington.edu/dittrich/talks/sec2000/

Secure Computing. "Analysis and Partial Solutions."

Url: http://www.securecomputing.com/index.cfm?sKey=416

CERT. Advisory CA-99-17, "Denial-of-Service Tools" (the stacheldraht advisory).

Url: http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html

SANS Global Incident Analysis Center. DDoS roadmap.

Url: http://www.sans.org/ddos_roadmap.htm

RFC 2267. "Network Ingress Filtering: Defeating Denial of Service Attacks which Employ IP Source Address Spoofing."

Url: http://www.landfield.com/rfcs/rfc2267.html


DNS-Abuse


About DNS

DNS, or the domain name system is one of the core protocols on the internet. Without DNS we would all be stuck remembering the addresses of our favorite web and mail servers. While being a key part of the internet, DNS still remains out of view from the majority of internet users.

DNS' predecessor, the hosts file (originally HOSTS.TXT), still exists in almost every modern operating system, but it is now more of a fallback. Originally, when the Internet consisted of only several hundred networks, there existed one central file, HOSTS.TXT, that contained the names and addresses of all hosts on the fledgling Internet. When new networks or hosts were connected, their names and addresses were added to HOSTS.TXT, and every site periodically downloaded the updated copy so that it could reach the new networks and hosts. This soon proved inadequate as the Internet grew faster and faster. A new solution was needed, and that solution was DNS.

The Domain Name System is a distributed database with a set of root servers at the top of the hierarchy. Each network or domain has a few name servers, which the hosts on that network are configured to query. When a host in a domain attempts to resolve a name, that is, to find its address, the domain's name server tracks down the information by finding the name server closest to the target and asking it. If the local name server doesn't know any closer name server, it asks the root name servers, which refer it to the servers for the top-level domain, which in turn refer it onward. The beauty of this system is that the load is spread out. There are thirteen root server identities (a.root-servers.net through m.root-servers.net), and each top-level domain, including the country-code domains such as .ca, has several servers of its own. This system has several main advantages over HOSTS.TXT. First, the actual load of answering queries is spread over many authoritative name servers, the servers responsible for a given domain. Second, updates to a domain only have to be made at the name server authoritative for that domain. At a glance DNS seems to be the perfect solution; as usual, this is not the case.

General Exploits and Use

-Query/response
DNS relies on a query/response system. A domain or zone has at least one primary (master) server and usually several secondaries (slaves). The hosts on the network query one of these servers; for a name outside the zone, a server that is not allowed to recurse merely returns a referral to the next closest name server to the target, and the querying host has to follow it. There is, however, another mode servers can operate in, in which they are permitted to do recursive lookups. When a server allows recursion, a host can ask it to look up a target, and the name server follows the chain of name servers itself until it retrieves the address of the target host. As you can imagine this is much more resource intensive, and an open recursive server can be used by anyone on the Internet, so best practice is to disable recursion for everyone except internal hosts.

-Zone transfers
When attackers attempt to penetrate a network, much like a person exploring a new city, the best tool to have is a map. DNS zone transfers provide that map. A zone file lists every host in the zone that is registered in DNS along with its IP address, and in Microsoft's implementation an Active Directory zone additionally carries SRV records that advertise the domain controllers and the services they run (LDAP, Kerberos and so on). These records are a list of targets handed to an intruder. When configuring DNS servers that are connected to the Internet it is best to disable zone transfers to all hosts except the slaves, which must be able to transfer the zone to update their records. This is done with an access control list containing the IP addresses of all your slave name servers; only the hosts in that list are able to transfer the zone.

-ICMP unreachable for DNS servers
Although the ICMP echo is the best known ICMP message, there are several other types, one of which is used against DNS servers: the ICMP Destination Unreachable message (type 3; the port-unreachable variant, code 3, is what a host would send if no DNS service were listening). It is possible to disrupt almost all communication on a network by denying access to the DNS servers. By intercepting every DNS lookup and answering it with a Destination Unreachable message, the attacker fools the hosts on the network into thinking the DNS servers are down. Unfortunately there aren't many ways of preventing this attack, but it is easy to react to. When a large number of Destination Unreachable messages are detected on a network, steps can be taken to disconnect their source, such as disabling the attacker's switch port. Because the attacker has to see the lookups first, these attacks usually rely on the attacker ARP-poisoning the network, so another way of spotting them is to use a utility such as arpwatch to monitor when the MAC address of the gateway or the DNS servers changes. Once again, the attacker can be traced back to their switch port and that port disabled. There are many other ways to stop these attacks, but the quickest solution on an enterprise network is to track down the switch port and disable it.

-Spoofs and redirects
Spoofs and redirects are a sophisticated way of modifying network traffic. DNS spoofing and redirecting go hand in hand, so I will refer to this attack as DNS spoofing from here on. DNS spoofing occurs when a host on a network intercepts the DNS requests intended for the server and answers them itself, returning the IP address of a site of the attacker's choosing. In essence the attacker makes www.microsoft.com resolve to the address of www.linux.org just by changing the answer the client receives. Usually this attack is performed in conjunction with an ARP spoof, so that the attacker sees the requests in the first place.

-Cache Poisoning
DNS cache poisoning is another attack that achieves much the same result as spoofing, but by a different route. Instead of intercepting traffic, the attacker gets a bogus record into the cache of a name server, from where it is served to every client of that server until it expires, without the mess of an ARP storm. Cache poisoning has many implementations. The most basic can be attempted against servers that do not keep track of the lookups they have sent: such a server can be poisoned simply by sending it a DNS response containing the attacker's IP address for the hostname whose traffic the attacker wants to redirect. More advanced implementations forge the response to a query the server really did send, spoofing the source IP of the authoritative name server and guessing the query's transaction ID, or return a legitimate answer that carries extra, unrequested records for other domains in its additional section, which a careless server caches along with the answer. Regardless of the implementation, the result is the same.

Defense Against the Dark Arts

-Updating and patching
Of course, the same litany heard everywhere. Software bugs are never totally eradicated at release, and for this reason it is crucial to keep your DNS servers at the most recent version and apply all security patches. Many critical flaws in DNS servers such as BIND are easily prevented if the server is patched promptly.

-ACLs
DNS ACLs combined with DNS views are a great defense against intruders mapping your network. ACLs, or access control lists, contain the addresses of the name servers (or clients) that are permitted to carry out a certain action. In the first use, the server has an ACL listing all of its own name servers, masters and slaves. When a request for a zone transfer comes in, the server compares the requester's IP address with the addresses in the ACL; if the requester is permitted to transfer the zone, the zone is transferred, otherwise the request is refused.
When DNS views are used, one ACL is created containing the valid IP ranges of all internal hosts and a second matches every other host on the Internet. Each group is given one of two copies of the zone. External hosts querying the name server only see the hosts the network administrator has deemed publicly accessible, while hosts that match the internal list can look up any host in the zone.
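In BIND these three controls (zone transfers, recursion, and views) all hang off the same building block, the address match list, whose semantics are what make ACL ordering matter. The following is an added example, not part of the original article: an evaluator for BIND-style match lists (first match wins, a leading "!" denies, named lists nest, "any"/"none" built in) wired up the way `allow-transfer`, `allow-recursion` and `view ... match-clients` use them. The addresses, zone contents and guest subnet are made up for the example, and the nested-list behaviour is a simplification of BIND's (a negated entry matched inside a nested list denies outright).

```python
import ipaddress

class AddressMatchList:
    """Evaluates a BIND-style address_match_list.  Entries are tested in order
    and the first one that matches decides: a plain entry allows, an entry
    prefixed with '!' denies.  'any' and 'none' are built in, and an entry may
    name another list defined in `acls`.  No match at all means deny."""
    def __init__(self, entries, acls=None):
        self.entries, self.acls = list(entries), acls or {}

    def match(self, client):
        return self._eval(self.entries, ipaddress.ip_address(client)) is True

    def _eval(self, entries, ip):
        for entry in entries:
            negate = entry.startswith("!")
            name = entry[1:] if negate else entry
            if name == "any":
                hit = True
            elif name == "none":
                hit = False
            elif name in self.acls:                      # nested list
                inner = self._eval(self.acls[name], ip)
                if inner is None:
                    continue                             # nothing in it matched
                if inner is False:
                    return False                         # a '!' inside it matched (simplified)
                hit = True
            else:
                hit = ip in ipaddress.ip_network(name, strict=False)
            if hit:
                return not negate
        return None

# Constructed network for the example.
ACLS = {
    "slaves":   ["192.0.2.10", "192.0.2.11"],
    "internal": ["10.0.0.0/8", "192.168.0.0/16", "127.0.0.1"],
}
ALLOW_TRANSFER  = AddressMatchList(["slaves"], ACLS)     # allow-transfer { slaves; };
ALLOW_RECURSION = AddressMatchList(["internal"], ACLS)   # allow-recursion { internal; };

# Two copies of the zone.  Guests on 192.168.5.0/24 sit inside the RFC 1918
# range but must not see the internal copy, so the negated entry comes first.
VIEWS = [
    ("internal", AddressMatchList(["!192.168.5.0/24", "internal"], ACLS),
        {"www": "203.0.113.10", "mail": "203.0.113.25",
         "fileserver": "10.0.0.20", "backup": "10.0.0.21"}),
    ("external", AddressMatchList(["any"], ACLS),
        {"www": "203.0.113.10", "mail": "203.0.113.25"}),
]

def select_view(client):
    """As in BIND, the first view whose match-clients list allows the client wins."""
    for name, ml, zone in VIEWS:
        if ml.match(client):
            return name, zone
    return None, {}

def handle(client, op, qname=None):
    """Dispatch a request: AXFR and recursion are gated by their lists, an
    ordinary lookup is answered from the zone copy of the client's view."""
    view, zone = select_view(client)
    if op == "axfr":
        return sorted(zone) if ALLOW_TRANSFER.match(client) else "REFUSED"
    if op == "recursion":
        return "ok" if ALLOW_RECURSION.match(client) else "REFUSED"
    return zone.get(qname, "NXDOMAIN")

if __name__ == "__main__":
    for client in ("10.0.0.5", "192.168.5.9", "192.0.2.10", "198.51.100.7"):
        print(client, select_view(client)[0], handle(client, "axfr"),
              handle(client, "recursion"), handle(client, "lookup", "fileserver"))
```

Note what the slaves get: 192.0.2.10 is allowed to transfer, but it falls into the external view, so it receives the public copy only. If a secondary is meant to carry the internal copy it has to match the internal view's list as well, which is an easy thing to get wrong when views are added to an existing configuration.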

-Network monitoring
When charged with administering a large network, network administrators should do what any other new manager does, which is to learn the lay of the land. By that I mean learning what normal traffic on the network looks like, and what a normal workload on the network servers and DNS servers looks like. This is by far the best defense against spoofing and other network attacks such as using ICMP Destination Unreachable packets to make the servers appear offline. By detecting a spike in ICMP packets, or massive amounts of ARP traffic, and taking steps to disconnect the source, network integrity can be maintained. Detecting and responding to these attacks is currently the only way available to defend against them.
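The two indicators named here and in the ICMP-unreachable and spoofing sections above are an arpwatch-style change in the MAC address behind the gateway or DNS server, and a burst of ICMP Destination Unreachable messages. The following is an added example, not from the original article, of both checks run over constructed ARP replies and ICMP records (not real captures). It keys the ICMP count on the Ethernet source address rather than the IP source, because the IP header is what the attacker forges and the MAC is what the switch's address table maps to a port. Thresholds, addresses and MACs are assumptions for the example.

```python
from collections import Counter

WATCHED = {"10.0.0.1", "10.0.0.53"}      # the gateway and the DNS server (constructed)

def arp_watch(frames, watched=WATCHED):
    """Remember the MAC first seen answering for each watched IP and alert
    whenever a later ARP reply claims a different MAC for it."""
    bindings, alerts = {}, []
    for f in frames:
        if f["op"] != "reply" or f["ip"] not in watched:
            continue
        known = bindings.setdefault(f["ip"], f["mac"])
        if known != f["mac"]:
            alerts.append(("arp-change", f["ip"], known, f["mac"]))
            bindings[f["ip"]] = f["mac"]       # so a flip back is reported as well
    return alerts

def unreachable_watch(packets, window=5.0, threshold=20):
    """Count ICMP Destination Unreachable (type 3) per sender MAC per window and
    report the senders that exceed the threshold."""
    counts = Counter()
    for p in packets:
        if p["proto"] == "icmp" and p["type"] == 3:
            counts[(int(p["t"] // window), p["smac"])] += 1
    return [("icmp-unreachable-burst", mac, n) for (_, mac), n in counts.items() if n >= threshold]

def sample_frames():
    """Constructed ARP replies: the real gateway and DNS server, an unwatched
    host, then an attacker claiming the DNS server's address."""
    return [
        {"op": "reply", "ip": "10.0.0.1", "mac": "aa:aa:aa:aa:00:01"},
        {"op": "reply", "ip": "10.0.0.53", "mac": "aa:aa:aa:aa:00:53"},
        {"op": "reply", "ip": "10.0.0.77", "mac": "cc:cc:cc:cc:00:77"},
        {"op": "reply", "ip": "10.0.0.53", "mac": "de:ad:be:ef:00:66"},
    ]

def sample_packets():
    """Constructed ICMP: 30 forged port-unreachables in three seconds from the
    attacker's NIC using the DNS server's IP as source, plus one genuine one."""
    pkts = [{"t": i * 0.1, "proto": "icmp", "type": 3, "code": 3,
             "src": "10.0.0.53", "smac": "de:ad:be:ef:00:66"} for i in range(30)]
    pkts.append({"t": 1.0, "proto": "icmp", "type": 3, "code": 3,
                 "src": "10.0.0.53", "smac": "aa:aa:aa:aa:00:53"})
    return pkts

if __name__ == "__main__":
    print(arp_watch(sample_frames()))
    print(unreachable_watch(sample_packets()))
```

Both results point at the same MAC, which is the lookup key for the switch's address table and therefore for the port to disable. The ARP check needs a learning period so that the first binding it records is the genuine one; on a network already under attack, seed it from the known MACs instead.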


Conclusion

In the above paper I have presented several features of DNS to make the reader familiar with the basics of the Domain Name System. I have also covered several well-known and widespread attacks that are used to exploit DNS. These attacks are by no means theoretical; in truth they grow more and more common as attackers become more sophisticated. The suggested defenses outlined at the end of each section cover only the basic recommendations that can be used to thwart attackers. The alarming fact is that these defenses, some of which are simply good practice when administering large networks, are not followed on many critical networks. Due either to misconceptions about attackers and network security, or simply to lack of training, attackers gain more and more ground over network administrators. In today's massive high-speed networks these attacks are even more effective, because while the efforts of attackers are wholehearted, network administrators are slow and not very committed to the defense of their networks. If you administer a domain you are strongly encouraged to follow the above steps, to research other common attacks and their defenses, and to put that knowledge to good use.


Saturday, April 28, 2007

Want To Know Generally About Wireless Hacking??

Wireless Attacks Explained


Intro
Wireless LANs are popping up here, there and everywhere. Many businesses are adding wireless LAN segments to their internal LANs because they are easy to set up and, obviously, there are no wires to run.

Wireless allows users with laptops and other mobile devices to roam the enterprise and not have to plug in wherever they go. As part of the process of implementing a wireless network segment on the corporate LAN of the company that I presently work for, I did some research and testing of wireless security. This white paper outlines how hackers are exploiting vulnerabilities in 802.11 wireless LANs and the widely available wireless hacking tools that are used.

Too often people think that because the setup of a wireless segment is literally plug and go, everything is functioning properly and securely. Wireless is a virtual playground for hackers: the technology is still quite new, most admins are not anywhere near up to speed on it, and security protocols and procedures are still being developed, giving quick-learning hackers the edge.

Any wireless access point attached to a network segment is essentially bridging the internal network to the surrounding area directly, without any firewall protection. After installing only one low-budget wireless access point (WAP) I could get access to the LAN anywhere in the shop, the office and in the parking lot!! I don't know how many square feet of shop floor and office space we have, but it isn't small. I was getting 15% connection strength sitting in my car in the parking lot!! Without proper security measures for authentication, any laptop with a wireless card can access the network or stealthily listen in on all network traffic across that access point from any area within the WAP's range.

It is important to realize the potential for rogue wireless access points in an enterprise. WAPs can be hooked up by anyone: just take the cable plugging into your computer and plug it into a WAP, throw a wireless card into your PC, and you now have a wireless segment. The network admins wouldn't even know. There are several documented cases of rogue WAPs found in corporations and universities.

The Hacker's WLAN toolbox:
This section provides a few examples of the hardware and freeware tools available.

Freeware Tools:
New wireless LAN hacking tools are introduced every week and are widely available on the Internet for anyone to download. The table below lists some of these hacking tools:

Tool | URL | Description
Netstumbler | www.netstumbler.com | Freeware wireless access point identifier - listens for SSIDs and sends beacons as probes searching for access points
Kismet | www.kismetwireless.net | Freeware wireless sniffer and monitor - passively monitors wireless traffic and sorts data to identify SSIDs, MAC addresses, channels and connection speeds
Wellenreiter | packetstormsecurity.nl | Freeware WLAN discovery tool - uses brute force to identify low-traffic access points; hides your real MAC; integrates with GPS
THC-RUT | www.thehackerschoice.com | Freeware WLAN discovery tool - uses brute force to identify low-traffic access points
Ethereal | www.ethereal.com | Freeware WLAN analyzer - interactively browse the captured data, viewing summary and detail information for all observed wireless traffic
WEPCrack | wepcrack.sourceforge.net | Freeware encryption breaker - cracks 802.11 WEP encryption keys using the latest discovered weakness of RC4 key scheduling
AirSnort | airsnort.shmoo.com | Freeware encryption breaker - passively monitors transmissions, computing the encryption key when enough packets have been gathered
HostAP | hostap.epitest.fi | Converts a WLAN station to function as an access point (available for WLAN cards based on Intersil's Prism2/2.5/3 chipset)


Antennas:
To connect with wireless LANs from distances greater than a few hundred feet, sophisticated hackers use long-range antennas that are either commercially available or home built and can pick up 802.11 signals from up to 2,000 feet away. The intruders could be in the parking lot or completely out of sight.

Breaking Encryption:
The industry's initial encryption technology, WEP, was quickly broken by the published tools WEPCrack and AirSnort, which exploit vulnerabilities in the WEP encryption algorithm. WEPCrack and AirSnort passively observe WLAN traffic until they have collected enough data to recognize repetitions and recover the encryption key.

Authentication:
The next step in the evolution of wireless LAN security was the introduction of 802.1x for port-based authentication. However, papers have already been published to demonstrate how the newly proposed standard can be defeated. A new standard is expected to be designed within the next two years.

War Driving:
War driving is simply driving around in a car to discover unprotected wireless LANs. Windows-based freeware tools such as NetStumbler probe the airwaves in search of access points that broadcast their SSIDs and offer easy ways to find open networks. More advanced tools, such as Kismet, were then introduced on Linux platforms to passively monitor wireless traffic.

Both Netstumbler and Kismet work in tandem with a global positioning system (GPS) to map exact locations of the identified WLANs. These maps and data are posted on web sites such as www.wigle.net and www.wifinder.com.


Attacks explained

Malicious Association:
Using widely available tools, hackers can force unsuspecting stations to connect to an undesired 802.11 network or alter the configuration of the station to operate in ad-hoc networking mode. A hacker begins this attack by using the freeware HostAP to convert the attacking station to operate as a functioning access point. As the victim's station broadcasts a probe to associate with an access point, the hacker's new malicious access point responds to the victim's request for association and begins a connection between the two. After providing an IP address to the victim's workstation (if needed), the malicious access point can begin its attacks. The hacker, acting as an access point, can use a wealth of available hacking tools that have been tested and proven in a wireless environment. At this time, the hacker can exploit all vulnerabilities on the victim's laptop, which can include installing the HostAP firmware or any other laptop configuration or programmatic changes.
The malicious association attack shows that wireless LANs are subject to diversion and stations do not always know which network or access point they connect to. Stations can be tricked or forced to connect to a malicious access point. Even wireless LANs that have deployed VPNs are vulnerable to malicious associations. This attack does not try to break the VPN. Rather, it takes over the security-poor client.

Enterprises must monitor the airwaves of their wireless LAN to make sure their stations only connect to authorized access points and networks. Monitoring the network is the only way to know whom your stations connect to and which stations connect to your access points.
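The airwave monitoring described above, as an added example that is not part of the original post: it takes constructed monitor records (the record format, the authorized-AP list and the MAC addresses are all assumptions) and flags unauthorized access points advertising the corporate SSID, managed stations that associate with an AP that is not ours, and managed stations that have been switched into ad-hoc mode.

```python
"""Added example: audit observed 802.11 beacons/associations against an authorized-AP list."""
from collections import namedtuple

# Hypothetical record format; a real monitor would parse raw 802.11 management frames.
# kind: "beacon" or "assoc"; ibss: True when the beacon advertises an ad-hoc (IBSS) network.
Frame = namedtuple("Frame", "kind src bssid ssid ibss")

# Constructed inventory: BSSIDs we deployed and the SSID each one should advertise.
AUTHORIZED_APS = {"00:40:96:aa:bb:01": "corp-wlan"}
# Constructed list of the laptops we manage.
MANAGED_STATIONS = {"00:02:2d:11:22:33", "00:02:2d:44:55:66"}


def audit(frames, authorized=AUTHORIZED_APS, managed=MANAGED_STATIONS):
    """Return (issue, offending MAC) tuples for anything that should not be on our airwaves."""
    issues = []
    for f in frames:
        if f.kind == "beacon":
            if f.bssid in authorized:
                continue  # one of our own access points
            if f.ibss and f.src in managed:
                issues.append(("managed station operating in ad-hoc mode", f.src))
            elif f.ssid in authorized.values():
                # Someone else is advertising our network name: evil twin / malicious AP.
                issues.append(("unauthorized AP advertising corporate SSID", f.bssid))
            else:
                issues.append(("unknown AP in range", f.bssid))
        elif f.kind == "assoc" and f.src in managed and f.bssid not in authorized:
            issues.append(("managed station associated with unauthorized AP", f.src))
    return issues


# Constructed sample capture.
SAMPLE = [
    Frame("beacon", "00:40:96:aa:bb:01", "00:40:96:aa:bb:01", "corp-wlan", False),  # ours
    Frame("beacon", "00:0c:41:de:ad:01", "00:0c:41:de:ad:01", "corp-wlan", False),  # evil twin
    Frame("assoc",  "00:02:2d:11:22:33", "00:0c:41:de:ad:01", "corp-wlan", False),  # lured station
    Frame("beacon", "00:02:2d:44:55:66", "02:02:2d:44:55:66", "adhoc-net", True),   # ad-hoc mode
    Frame("beacon", "00:30:ab:00:00:07", "00:30:ab:00:00:07", "neighbour", False),  # next door
]

if __name__ == "__main__":
    for issue, mac in audit(SAMPLE):
        print(f"{issue}: {mac}")
```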

MAC Spoofing - Identity theft:
Many enterprises secure their wireless LAN with authentication based on an authorized list of MAC addresses. While this provides a low level of security for smaller deployments, MAC addresses were never intended to be used in this manner. Any user can easily change the MAC address of a station or access point to change its 'identity' and defeat MAC address-based authentication.

Software tools such as Kismet or Ethereal are available for hackers to easily pick off the MAC address of an authorized user. The hacker can then assume the identity of that user by asserting the stolen MAC address as his own. The hacker then connects to the wireless LAN as an authorized user.

By monitoring the airwaves of their wireless LAN, enterprises are able to detect MAC spoofing by identifying when the same MAC address is simultaneously present on the network more than once. Wireless LAN intrusion detection systems also identify when a MAC address is spoofed by analyzing the vendor 'fingerprints' of the wireless LAN card. This enables the IDS to see when, for example, an Orinoco wireless LAN card connects to the network using the MAC address of a Cisco WLAN card.
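Both detection ideas from the paragraph above, as an added example that is not part of the original post: a vendor-fingerprint check (the OUI table and the per-frame fingerprint field are assumptions) and a check for one MAC address carrying two interleaved 802.11 sequence-number streams, which is what two radios sharing an address look like on the air.

```python
"""Added example: two MAC-spoofing indicators over constructed frame records."""
from collections import namedtuple

# Hypothetical record: source MAC, 12-bit 802.11 sequence number, and the card vendor a
# monitor inferred from driver/firmware behaviour (how that is inferred is out of scope here).
Frame = namedtuple("Frame", "src seq fingerprint")

# Assumed, abbreviated OUI table: first three octets of a MAC -> expected card vendor.
OUI_VENDOR = {"00:02:2d": "orinoco", "00:40:96": "cisco"}


def vendor_mismatches(frames):
    """Unique (mac, vendor claimed by OUI, vendor observed) where the two disagree."""
    hits = []
    for f in frames:
        claimed = OUI_VENDOR.get(f.src[:8].lower())
        if claimed and f.fingerprint and claimed != f.fingerprint:
            entry = (f.src, claimed, f.fingerprint)
            if entry not in hits:
                hits.append(entry)
    return hits


def sequence_anomalies(frames, max_gap=64):
    """(mac, previous seq, seq) whenever a MAC's sequence counter jumps by more than max_gap.

    A single card increments by one per frame (mod 4096); two stations sharing one MAC
    produce interleaved counters and therefore repeated large jumps in both directions.
    Retransmissions reuse a number (gap 0) and are deliberately not flagged.
    """
    last, hits = {}, []
    for f in frames:
        prev = last.get(f.src)
        if prev is not None and (f.seq - prev) % 4096 > max_gap:
            hits.append((f.src, prev, f.seq))
        last[f.src] = f.seq
    return hits


# Constructed capture: a genuine Orinoco station (seq 100..102) and a Cisco-based
# station impersonating its MAC (seq 2500..2501), interleaved on the air.
SAMPLE_FRAMES = [
    Frame("00:02:2d:11:22:33", 100, "orinoco"),
    Frame("00:40:96:00:11:22", 10, "cisco"),     # legitimate Cisco card, matches its OUI
    Frame("00:02:2d:11:22:33", 2500, "cisco"),   # spoofer
    Frame("00:02:2d:11:22:33", 101, "orinoco"),
    Frame("00:40:96:00:11:22", 11, "cisco"),
    Frame("00:02:2d:11:22:33", 2501, "cisco"),   # spoofer
    Frame("00:02:2d:11:22:33", 102, "orinoco"),
]
```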

Man-in-the-middle Attacks:
As one of the more sophisticated attacks, a man-in-the-middle attack can break a secure VPN connection between an authorized station and an access point. By inserting a malicious station between the victim station and the access point, the hacker becomes the "man in the middle" as he tricks the station into believing that he is the access point and tricks the access point into thinking he is the station.

This attack preys upon an authentication implementation to randomly force a connected station to re-authenticate with the access point. The station must respond to a random challenge from the access point, and the access point must respond to a successful challenge response with a success packet.

To begin this attack, the hacker passively observes the station as it connects to the access point and collects the authentication information, including the username, server name, client and server IP addresses, the ID used to compute the response, and the challenge and associated response.

The hacker then tries to associate with the access point by sending a request that appears to come from the authenticated station. The access point sends the VPN challenge to the authenticated station, which computes the required authentic response and sends it to the access point. The hacker observes the valid response. The hacker then acts as the access point in presenting a challenge to the authorized station. The station computes the appropriate response, which is sent to the access point. The access point then sends the station a success packet with an embedded sequence number. Both are captured by the hacker. After capturing all this data, the hacker has what he needs to complete the attack and defeat the VPN. The hacker sends a spoofed reply with a large sequence number (i.e., 0x00ffffff), which bumps the victim's station off the network and keeps it from re-associating. The hacker then enters the network as the authorized station.

Only 24/7 monitoring and a highly capable wireless IDS can detect this type of attack on a wireless LAN. An effective security solution must first keep a constant watch over the wireless LAN while it analyzes the activity it observes.

Denial-of-Service Attacks:
Every network and security manager fears the downtime and loss of productivity from a crippling Denial-of-Service attack. In the wireless world, this damaging attack can come from any direction, and the most basic variations of DoS attacks can be just as worrisome as the most sophisticated.

Because 802.11b wireless LANs operate on the unregulated 2.4GHz radio frequency that is also used by microwave ovens, baby monitors, and cordless phones, commonly available consumer products can give hackers the tools for a simple and extremely damaging DoS attack. Unleashing large amounts of noise from these other devices can jam the airwaves and shut down a wireless LAN.

Hackers can launch more sophisticated DoS attacks by configuring a station to operate as an access point. As an access point, the hacker can flood the airwaves with persistent disassociate commands that force all stations within range to disconnect from the wireless LAN. In another variation, the hacker's malicious access point broadcasts periodic disassociate commands every few minutes, so that stations are continually kicked off the network, reconnected, and kicked off again.

In addition to malicious disassociation attacks, hackers are now abusing the Extensible Authentication Protocol (EAP) to launch DoS attacks. These take several forms, depending on how the hacker manipulates the protocol: targeting wireless stations and access points with log-off commands, start commands, premature successful-connection messages, failure messages, and other modifications of EAP traffic.
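A detector for the two disassociation patterns and the EAP-abuse variant described above, as an added example that is not part of the original post: it counts disruptive management and EAP frames per source in a sliding window, so the same routine catches a burst flood with a short window and the "every few minutes" kick-off with a long one. The event format and all addresses are constructed.

```python
"""Added example: sliding-window detection of disassociate/deauth/EAP-abuse floods."""
from collections import deque, defaultdict, namedtuple

# Hypothetical monitor record: timestamp in milliseconds, transmitter MAC, frame kind.
Event = namedtuple("Event", "ts src kind")

# Frame kinds that knock stations off the network when abused.
DISRUPTIVE = {"disassoc", "deauth", "eap-logoff", "eap-failure"}


def disruption_floods(events, window_ms, threshold):
    """Return (ts, src, count) the first time each source sends >= threshold disruptive
    frames within any window_ms span. events must be sorted by ts."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for e in events:
        if e.kind not in DISRUPTIVE:
            continue
        q = recent[e.src]
        q.append(e.ts)
        while q and e.ts - q[0] > window_ms:   # drop frames that fell out of the window
            q.popleft()
        if len(q) >= threshold and e.src not in alerted:
            alerts.append((e.ts, e.src, len(q)))
            alerted.add(e.src)                  # one alert per source, not one per frame
    return alerts


# Constructed capture: a deauth burst (12 frames in 2.2 s), a "periodic kick-off" AP sending
# one disassoc every 3 minutes, two legitimate disassocs from a roaming laptop, and beacons.
SAMPLE_EVENTS = sorted(
    [Event(i * 200, "00:0c:41:de:ad:01", "deauth") for i in range(12)]
    + [Event(i * 180_000, "00:0c:41:de:ad:02", "disassoc") for i in range(7)]
    + [Event(5_000, "00:02:2d:11:22:33", "disassoc"),
       Event(600_000, "00:02:2d:11:22:33", "disassoc")]
    + [Event(i * 102_400, "00:40:96:aa:bb:01", "beacon") for i in range(10)],
    key=lambda e: e.ts,
)

if __name__ == "__main__":
    print("burst:    ", disruption_floods(SAMPLE_EVENTS, window_ms=5_000, threshold=10))
    print("sustained:", disruption_floods(SAMPLE_EVENTS, window_ms=3_600_000, threshold=6))
```

The thresholds are tuning knobs: a busy legitimate AP will send the occasional disassociate, so set the burst threshold above anything seen during normal roaming before alerting on it.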

Conclusion:
To better secure a wireless network segment, a layered approach should be used. As with a wired network infrastructure, I have implemented several security features that alone would not be sufficient, but together with monitoring create a much more secure WLAN. On my network there is only one access point and one wireless user to date, so the traffic can be monitored from an old laptop running Red Hat that I have on my desk. I occasionally boot it up and trap sections of traffic to look for any attack signatures. We are also not located in a city or industrial complex, and our grounds are quite large and secured. The user connects via a VPN, the access point is secured so it cannot be reset, WEP is enabled, the access point is positioned to limit travel of the radio signal outside the building, and my MAC address and the mobile user's are the only two registered with the access point. I also check for rogue access points, as every other laptop user wants to be mobile now as well. The traffic between the access point and the LAN passes through a firewall to help block any possible DoS attacks on the wireless LAN from entering the enterprise LAN.

Wireless networks are a great alternative or addition to Ethernet networks: they can bridge two segments of a traditional cabled Ethernet network or allow laptop users to wander the enterprise and stay connected to the LAN at all times. WLANs are definitely here to stay, but they pose definite security issues.