82-03-07 DATA SECURITY MANAGEMENT A PRIMER ON CRACKING: PART 1 Edward Skoudis INSIDE General Trends in the Computer Underground; Network Mapping and Port Scanning; Vulnerability Scanning; Wardialing; Network Exploits: Sniffing, Spoofing, and Session Hijacking; Denial-of-Service Attacks INTRODUCTION Recent headlines demonstrate that the latest crop of hacker tools and techniques can be highly damaging to an organization s sensitive information and reputation. With the rise of powerful, easy-to-use, and widely distributed hacker tools, many in the security industry have observed that today is the golden age of hacking. This article describes the tools in widespread use today for compromising computer and network security. Additionally, for each tool and technique described, the article presents practical advice on defending against each type of attack. Part 1 of this article discusses network mapping and port scanning, vulnerability scanning, wardialing, network exploits, and denial-of-service attacks. Part 2 discusses stack-based buffer overflows, password cracking, backdoors, Trojan horses and rootkits, and defenses intrusion detection and incident response procedures. The terminology applied to these tools and their users has caused some controversy, particularly in the computer underground. Traditionally, and particularly in the computer underground, the term hacker is a benign word, referring to an individual who is focused on determining how things work and devising innovative approaches to addressing computer problems. To differentiate these noble individuals from a nasty attacker, this school of thought labels malicious attackers as crackers. While hackers are out to make the world a better place, crackers want to cause damage and mayhem. To avoid the confusion often associated with these terms, in this article, the terms system and security adminis- PAYOFF IDEA With the rise of powerful, easy-to-use, and widely distributed hacker tools, many in the security industry have observed that today is the golden age of hacking. This article describes the tools in widespread use today for compromising computer and network security. Additionally, for each tool and technique described, the article presents practical advice on defending against each type of attack.
DATA SECURITY MANAGEMENT trator and security practitioner will be used to indicate an individual who has a legitimate and authorized purpose for running these tools. The term attacker will refer to those individuals who seek to cause damage to systems or who are not authorized to run such tools. Many of the tools described in this article have dual personalities: they can be used for good or evil. When used by malicious individuals, the tools allow a motivated attacker to gain access to a network, mask the fact that a compromise has occurred, or even bring down service, thus, impacting large masses of users. When used by a security practitioner with proper authorization, some tools can be used to measure the security stance of their own organizations, by conducting ethical hacking tests to find vulnerabilities before attackers do. CAVEAT The purpose of this article is to explain the various computer underground tools in use today, and to discuss defensive techniques for addressing each type of tool. This article is not designed to encourage attacks. Furthermore, the tools described below are for illustration purposes only, and mention in this article is not an endorsement. If readers feel compelled to experiment with these tools, they should do so at their own risk, realizing that such tools frequently have viruses or other undocumented features that could damage networks and information systems. Curious readers who want to use these tools should conduct a through review of the source code, or at least install the tools on a separate, air-gapped network to protect sensitive production systems. GENERAL TRENDS IN THE COMPUTER UNDERGROUND The Smart Get Smarter, and the Rise of the Script Kiddie The best and brightest minds in the computer underground are conducting probing research and finding new vulnerabilities and powerful, novel attacks on a daily basis. The ideas of and deep research performed by super-smart attackers and security practitioners are being implemented in software programs and scripts. Months of research into how a particular operating system implements its password scheme is being rendered in code, so even a clueless attacker (often called a script kiddie ) can conduct a highly sophisticated attack with just a point-and-click. This can occur even if the script kiddie does not understand the tool s true function and nuances, since most of the attack is automated. In this environment, security practitioners must be careful not to underestimate their adversaries capabilities. Often, security and system administrators think of their potential attackers as mere teenage kids cruising the Internet looking for easy prey. While this assessment is sometimes accurate, it masks two major concerns. First, some of these teenage kids are amazingly intelligent, and can wreak havoc on a net-
A PRIMER ON CRACKING: PART 1 work. Second, attackers may not be just kids; organized crime, terrorists, and even foreign governments have taken to sponsoring cyber attacks. Wide Distribution of High-Quality Tools Another trend in the computing underground involves the widespread distribution of tools. In the past (a decade ago), powerful attack tools were limited to a core group of elites in the computer underground. Today, hundreds of Web sites are devoted to the sharing of tools for every attacker (and security practitioner) on the planet. FAQs abound, describing how to penetrate any type of operating system. These overall trends converge in a world where smart attackers have detailed knowledge of undermining our systems, while the not-so-smart attackers grow more and more plentiful. To address this increasing threat, system administrators and security practitioners must understand these tools and how to defend against them. The remainder of this article describes many of these very powerful tools in widespread use today, together with practical defensive tips for protecting one s network from each type of attack. NETWORK MAPPING AND PORT SCANNING When launching an attack across a TCP/IP network (such as the Internet or a corporate intranet), an attacker needs to know what addresses are active, how the network topology is constructed, and which services are available. A network mapper identifies systems that are connected to the target network. Given a network address range, the network mapper will send packets to each possible address to determine which addresses have machines. By sending a simple Internet Control Message Protocol (ICMP) packet to a server (a ping ), the mapping tool can discover if a server is connected to the network. For those networks that block incoming pings, many of the mapping tools available today can send a single SYN packet to attempt to open a connection to a server. If a server is listening, the SYN packet will trigger an ACK if the port is open, and potentially a Port Unreachable message if the port is closed. Regardless of whether the port is open or closed, the response indicates that the address has a machine listening. With this list of addresses, an attacker can refine the attack and focus on these listening systems. A port scanner identifies open ports on a system. There are 65,535 TCP ports and 65,535 UDP ports, some of which are open on a system, and most of which are closed. Common services are associated with certain ports. For example, TCP Port 80 is most often used by Web servers, TCP Port 23 is used by Telnet daemons, and TCP Port 25 is used for server-toserver mail exchange across the Internet. By conducting a port scan, an attacker will send packets to each and every port. Essentially, ports are rather like doors on a machine. At any one of the thousands of doors
DATA SECURITY MANAGEMENT available, common services will be listening. A port scanning tool allows an attacker to knock on every one of those doors to see who answers. Some scanning tools include TCP fingerprinting capabilities. While the Internet Engineering Task Force (IETF) has carefully specified TCP and IP in various Requests for Comments (RFCs), not all packet options have standards associated with them. Without standards for how systems should respond to illegal packet formats, different vendors TCP/IP stacks respond differently to illegal packets. By sending various combinations of illegal packet options (such as initiating a connection with an RST packet, or combining other odd and illegal TCP code bits), an attacker can determine what type of operating system is running on the target machine. For example, by conducting a TCP fingerprinting scan, an attacker can determine if a machine is running Cisco IOS, Sun Solaris, or Microsoft Windows 2000. In some cases, even the particular version or service pack level can be determined using this technique. After utilizing network mapping tools and port scanners, an attacker will know which addresses on the target network have listening machines, which ports are open on those machines (and therefore which services are running), and which operating system platforms are in use. This treasure trove of information is useful to the attacker in refining the attack. With this data, the attacker can search for vulnerabilities on the particular services and systems to attempt to gain access. Nmap, written by Fyodor, is one of the most full-featured mapping and scanning tools available today. It supports network mapping, port scanning, and TCP fingerprinting, and can be found at http://www.insecure. org/nmap. Network Mapping and Port Scanning Defenses To defend against network mapping and port scans, the administrator should remove all unnecessary systems and close all unused ports. To accomplish this, the administrator must disable and remove unneeded services from the machine. Only those services that have an absolute, defined business need should be running. A security administrator should also periodically scan the systems to determine if any unneeded ports are open. When discovered, these unneeded ports must be disabled. VULNERABILITY SCANNING Once the target systems are identified with a port scanner and network mapper, an attacker will search to determine if any vulnerabilities are present on the victim machines. Thousands of vulnerabilities have been discovered, allowing a remote attacker to gain a toehold on a machine or to take complete administrative control. An attacker could try each of these vulnerabilities on each system by entering individual commands to test for every vulnerability, but conducting an exhaustive search could
A PRIMER ON CRACKING: PART 1 take years. To speed the process, attackers use automated scanning tools to quickly search for vulnerabilities on the target. These automated vulnerability scanning tools are essentially databases of well-known vulnerabilities with an engine that can read the database, connect to a machine, and check to see if it is vulnerable to the exploit. The effectiveness of the tool in discovering vulnerabilities depends on the quality and thoroughness of its vulnerability database. For this reason, the best vulnerability scanners support the rapid release and update of the vulnerability database and the ability to create new checks using a scripting language. High-quality commercial vulnerability scanning tools are widely available, and are often used by security practitioners and attackers to search for vulnerabilities. On the freeware front, SATAN (the Security Administrator Tool for Analyzing Network) was one of the first widely distributed automated vulnerability scanners, introduced in 1995. More recently, Nessus has been introduced as a free, open-source vulnerability scanner available at http://www.nessus.org. The Nessus project, which is led by Renaud Deraison, provides a full-featured scanner for identifying vulnerabilities on remote systems. It includes source code and a scripting language for writing new vulnerability checks, allowing it to be highly customized by security practitioners and attackers alike. While Nessus is a general-purpose vulnerability scanner, looking for holes in numerous types of systems and platforms, some vulnerability scanners are much more focused on particular types of systems. For example, Whisker is a full-feature vulnerability scanning tool focusing on Web server CGI scripts. Written by Rain Forest Puppy, Whisker can be found at http://www.wiretrip.net/rfp. Vulnerability Scanning Defenses As described, the administrator must close unused ports. Additionally, to eliminate the vast majority of system vulnerabilities, system patches must be applied in a timely fashion. All organizations using computers should have a defined change control procedure that specifies when and how system patches will be kept up-to-date. Security practitioners should also conduct periodic vulnerability scans of their own networks to find vulnerabilities before attackers do. These scans should be conducted on a regular basis (such as quarterly, or even monthly for sensitive networks) or when major network changes are implemented. The discovered vulnerabilities must be addressed in a timely fashion by updating system configurations or applying patches. WARDIALING A cousin of the network mapper and scanner, a wardialing tool is used to discover target systems across a telephone network. Organizations of-
DATA SECURITY MANAGEMENT ten spend large amounts of money in securing their network from a full frontal assault over the Internet by implementing a firewall, intrusion detection system, and secure DMZ. Unfortunately, many attackers avoid this route and instead look for other ways into the network. Modems left on users desktops or old, forgotten machines often provide the simplest way into a target network. Wardialers, also known as demon dialers, dial a series of telephone numbers, attempting to locate modems on the victim network. An attacker will determine the telephone extensions associated with the target organization. This information is often gleaned from a Web site listing telephone contacts, employee newsgroup postings with telephone contact information in the signature line, or even general employee e-mail. Armed with one or a series of telephone numbers, the attacker will enter into the wardialing tool ranges of numbers associated with the original number (e.g., if an employee s telephone number in a newsgroup posting is listed as 555-1212, the attacker will dial 555-XXXX). The wardialer will automatically dial each number, listen for the familiar wail of a modem carrier tone, and make a list of all telephone numbers with modems listening. With the list of modems generated by the wardialer, the attacker will dial each discovered modem using a terminal program or other client. Upon connecting to the modem, the attacker will attempt to identify the system based on its banner information and see if a password is required. Often, no password is required, because the modem was put in place by a clueless user requiring after-hours access and not wanting to bother using approved methods. If a password is required, the attacker will attempt to guess passwords commonly associated with the platform or company. Some wardialing tools also support the capability of locating a repeat dial-tone, in addition to the ability to detect modems. The repeat dialtone is a great find for the attacker, as it could allow for unrestricted dialing from a victim s PBX system to anywhere in the world. If an attacker finds a line on PBX supporting repeat dial-tone in the same local dialing exchange, the attacker can conduct international wardialing, with all phone bills paid for by the victim with the misconfigured PBX. The most fully functional wardialing tool available today is distributed by The Hacker s Choice (THC) group. Known as THC-Scan, the tool was written by Van Hauser and can be found at http://inferno.tusculum.edu/thc. THC-Scan 2.0 supports many advanced features, including sequential or randomized dialing, dialing through a network out-dial, modem carrier and repeat dial-tone detection, and rudimentary detection avoidance capabilities. Wardialing Defenses The best defense against wardialing attacks is a strong modem policy that prohibits the use of modems and incoming lines without a defined busi-
A PRIMER ON CRACKING: PART 1 ness need. The policy should also require the registration of all modems with a business need in a centralized database only accessible by a security or system administrator. Additionally, security personnel should conduct periodic wardialing exercises of their own networks to find the modems before the attackers do. When a phone number with an unregistered modem is discovered, the physical device must be located and deactivated. While finding such devices can be difficult, network defenses depend on finding these renegade modems before an attacker does. NETWORK EXPLOITS: SNIFFING, SPOOFING, AND SESSION HIJACKING TCP/IP, the underlying protocol suite that makes up the Internet, was not originally designed to provide security services. Likewise, the most common data-link type used with TCP/IP Ethernet is fundamentally unsecure. A whole series of attacks are possible given these vulnerabilities of the underlying protocols. The most widely used and potentially damaging attacks based on these network vulnerabilities are sniffing, spoofing, and session hijacking. Sniffing Sniffers are extremely useful tools for an attacker and are therefore a fundamental element of an attacker s toolchest. Sniffers allow an attacker to monitor data passing across a network. Given their capability to monitor network traffic, sniffers are also useful for security practitioners and network administrators in troubleshooting networks and conducting investigations. Sniffers exploit characteristics of several data-link technologies, including Token Ring and especially Ethernet. Ethernet, the most common LAN technology, is essentially a broadcast technology. When Ethernet LANs are constructed using hubs, all machines connected to the LAN can monitor all data on the LAN segment. If userids, passwords, or other sensitive information are sent from one machine (e.g., a client) to another machine (e.g., a server or router) on the same LAN, all other systems connected to the LAN could monitor the data. A sniffer is a hardware or software tool that gathers all data on a LAN segment. When a sniffer is running on a machine gathering all network traffic that passes by the system, the Ethernet interface and the machine itself are said to be in promiscuous mode. Many commonly used applications, such as Telnet, FTP, POP (the Post Office Protocol used for e-mail), and even some Web applications, transmit their passwords and sensitive data without any encryption. Any attacker on a broadcast Ethernet segment can use a sniffer to gather these passwords and data. Attackers who take over a system often install a software sniffer on the compromised machine. This sniffer acts as a sentinel for the attacker,
DATA SECURITY MANAGEMENT gathering sensitive data that moves by the compromised system. The sniffer gathers this data, including passwords, and stores it in a local file or transmits it to the attacker. The attacker then uses this information to compromise more and more systems. The attack methodology of installing a sniffer on one compromised machine, gathering data passing that machine, and using the sniffed information to take over other systems is referred to as an island-hopping attack. Numerous sniffing tools are available across the Internet. The most fully functional sniffing tools include Sniffit (by Brecht Claerhout, available at http://reptile.rug.ac.be/~coder/sniffit/sniffit.html) and Snort (by Martin Roesch, available at http://www.clark.net/~roesch/security.html). Some operating systems ship with their own sniffers installed by default, notably Solaris (with the Snoop tool) and some varieties of Linux (which ship with tcpdump). Other commercial sniffers are also available from a variety of vendors. Sniffing Defenses. The best defense against sniffing attacks is to encrypt the data in transit. Instead of sending passwords or other sensitive data in cleartext, the application or network should encrypt the data (SSH, secure Telnet, etc.). Another defense against sniffers is to eliminate the broadcast nature of Ethernet. By utilizing a switch instead of a hub to create a LAN, the damage that can be done with a sniffer is limited. A switch can be configured so that only the required source and destination ports on the switch carry the traffic. Although they are on the same LAN, all other ports on the switch (and the machines connected to those ports) do not see this data. Therefore, if one system is compromised on a LAN, a sniffer installed on this machine will not be capable of seeing data exchanged between other machines on the LAN. Switches are therefore useful in improving security by minimizing the data a sniffer can gather, and also help to improve network performance. IP Spoofing Another network-based attack involves altering the source address of a computer to disguise the attacker and exploit weak authentication methods. IP address spoofing allows an attacker to use the IP address of another machine to conduct an attack. If the target machines rely on the IP address to authenticate, IP spoofing can give an attacker access to the systems. Additionally, IP spoofing can make it very difficult to apprehend an attacker, because logs will contain decoy addresses and not the real source of the attack. Many of the tools described in other sections of this article rely on IP spoofing to hide the true origin of the attack. Spoofing Defenses. Systems should not use IP addresses for authentication. Any functions or applications that rely solely on IP address for au-
A PRIMER ON CRACKING: PART 1 thentication should be disabled or replaced. In UNIX, the r-commands (rlogin, rsh, rexec, and rcp) are notoriously subject to IP spoofing attacks. UNIX trust relationships allow an administrator to manage systems using the r-commands without providing a password. Instead of a password, the IP address of the system is used for authentication. This major weakness should be avoided by replacing the r-commands with administration tools that utilize strong authentication. One such tool, secure shell (ssh), uses strong cryptography to replace the weak authentication of the r-commands. Similarly, all other applications that rely on IP addresses for critical security and administration functions should be replaced. Additionally, an organization should deploy anti-spoof filters on its perimeter networks that connect the organization to the Internet and business partners. Anti-spoof filters drop all traffic coming from outside the network claiming to come from inside the network. With this capability, such filters can prevent some types of spoofing attacks, and should be implemented on all perimeter network routers. Session Hijacking While sniffing allows an attacker to view data associated with network connections, a session hijack tool allows an attacker to take over network connections, kicking off the legitimate user or sharing a login. Session hijacking tools are used against services with persistent login sessions, such as Telnet, rlogin, or FTP. For any of these services, an attacker can hijack a session and cause a great deal of damage. A common scenario illustrating session hijacking involves a machine, Alice, with a user logged in to remotely administer another system, Bob, using Telnet. Eve, the attacker, sits on a network segment between Alice and Bob (either Alice s LAN, Bob s LAN, or between any of the routers between Alice s and Bob s LANs). Exhibit 1 illustrates this scenario in more detail. Using a session hijacking tool, Eve can do any of the following: Monitor Alice s session. Most session hijacking tools allow attackers to monitor all connections available on the network and select which connections they want to hijack. Insert commands into the session. An attacker may just need to add one or two commands into the stream to reconfigure Bob. In this type of hijack, the attacker never takes full control of the session. Instead, Alice s login session to Bob has a small number of commands inserted, which will be executed on Bob as if Alice had typed them. Steal the session. This feature of most session hijacking tools allows an attacker to grab the session from Alice, and directly control it. Essentially, the Telnet client control is shifted from Alice to Eve, without Bob s knowing.
DATA SECURITY MANAGEMENT EXHIBIT 1 Eve Hijacks the Session Between Alice and Bob Give the session back. Some session hijacking tools allow the attacker to steal a session, interact with the server, and then smoothly give the session back to the user. While the session is stolen, Alice is put on hold while Eve controls the session. With Alice on hold, all commands typed by Alice are displayed on Eve s screen, but not transmitted to Bob. When Eve is finished making modifications on Bob, Eve transfers control back to Alice. For a successful hijacking to occur, the attacker must be on a LAN segment between Alice and Bob. A session hijacking tool monitors the connection using an integrated sniffer, observing the TCP sequence numbers of the packets going each direction. Each packet sent from Alice to Bob has a unique TCP sequence number used by Bob to verify that all packets are received and put in proper order. Likewise, all packets going back from Bob to Alice have sequence numbers. A session hijacking tool sniffs the packets to determine these sequence numbers. When a session is hijacked (through command insertion or session stealing), the hijacking tool automatically uses the appropriate sequence numbers and spoofs Alice s address, taking over the conversation with Bob where Alice left off. One of the most fully functional session hijacking tool available today is Hunt, written by Kra and available at http://www.cri.cz/kra/index.html. Hunt allows an attacker to monitor and steal sessions, insert single commands, and even give a session back to the user. Session Hijacking Defenses. The best defense against session hijacking is to avoid the use of insecure protocols and applications for sensitive sessions. Instead of using the easy-to-hijack (and easy-to-sniff) Telnet application, a more secure, encrypted session tool should be used. Because the attacker does not have the session encryption keys, an encrypted ses-
A PRIMER ON CRACKING: PART 1 sion cannot be hijacked. The attacker will simply see encrypted gibberish using Hunt, and will only be able to reset the connection not take it over or insert commands. Secure shell (ssh) offers strong authentication and encrypted sessions, providing a highly secure alternative to Telnet and rlogin. Furthermore, ssh includes a secure file transfer capability (scp) to replace traditional ftp. Other alternatives are available, including secure, encrypted Telnet or a virtual private network (VPN) established between the source and destination. DENIAL-OF-SERVICE ATTACKS Denial-of-service (DoS) attacks are among the most common exploits available today. As their name implies, a denial-of-service attack prevents legitimate users from being able to access a system. With E-commerce applications constituting the lifeblood of many organizations and a growing piece of the world economy, a well-timed DoS attack can cause a great deal of damage. By bringing down servers that control sensitive machinery or other functions, these attacks could also present a real physical threat to life and limb. An attacker could cause the service denial by flooding a system with bogus traffic, or even purposely causing the server to crash. Countless DoS attacks are in widespread use today, and can be found at http://packetstorm.securify.com/exploits/dos. The most often used network-based DoS attacks fall into two categories: malformed packet attacks and packet floods. Malformed Packet Attacks This type of attack usually involves one or two packets that are formatted in an unexpected way. Many vendor product implementations do not take into account all variations of user entries or packet types. If the software handles such errors poorly, the system may crash when it receives such packets. A classic example of this type of attack involves sending IP fragments to a system that overlap with each other (the fragment offset values are incorrectly set). Some unpatched Windows and Linux systems will crash when they encounter such packets. The teardrop attack is an example of a tool that exploits this IP fragmentation handling vulnerability. Other malformed packet attacks that exploit other weaknesses in TCP/IP implementations include the colorfully named WinNuke, Land, LaTierra, NewTear, Bonk, and Boink. Packet Flood Attacks Packet flood denial-of-service tools send a deluge of traffic to a system on the network, overwhelming its capability to respond to legitimate users. Attackers have devised numerous techniques for creating such
DATA SECURITY MANAGEMENT floods, with the most popular being SYN floods, directed broadcast attacks, and distributed denial-of-service tools. SYN flood tools initiate a large number of half-open connections with a system by sending a series of SYN packets. When any TCP connection is established, a three-way handshake occurs. The initiating system (usually the client) sends a SYN packet to the destination to establish a sequence number for all packets going from source to destination in that session. The destination responds with a SYN-ACK packet, which acknowledges the sequence number for packets going from source to destination, and establishes an initial sequence number for packets going in the opposite direction. The source completes the three-way handshake by sending an ACK to the destination. The three-way handshake is completed and communication (actual data transfer) can occur. SYN floods take advantage of a weakness in TCP s three-way handshake. By sending only spoofed SYN packets and never responding to the SYN-ACK, an attacker can exhaust a server s ability to maintain state of all the initiated sessions. With a huge number of so-called half-open connections, a server cannot handle any new legitimate traffic. Rather than filling up all of the pipe bandwidth to a server, only the server s capacity to handle session initiations needs to be overwhelmed (in most network configurations, a server s ability to handle SYNs is lower than the total bandwidth to the site). For this reason, SYN flooding is the most popular packet flood attack. Other tools are also available that flood systems with ICMP and UDP packets, but they merely consume bandwidth; thus, an attacker would require a bigger connection than the victim to cut off all service. Another type of packet flood that allows attackers to amplify their bandwidth is the directed broadcast attack. Often called a smurf attack, named after the first tool to exploit this technique, directed broadcast attacks utilize a third-party s network as an amplifier for the packet flood. In a smurf attack, the attacker locates a network on the Internet that will respond to a broadcast ICMP message (essentially a ping to the network s broadcast address). If the network is configured to allow broadcast requests and responses, all machines on the network will send a response to the ping. By spoofing the ICMP request, the attacker can have all machines on the third-party network send responses to the victim. For example, if an organization has 30 hosts on a single DMZ network connected to the Internet, an attacker can send a spoofed network broadcast ping to the DMZ. All 30 hosts will send a response to the spoofed address, which would be the ultimate victim. By sending repeated messages to the broadcast network, the attacker has amplified bandwidth by a factor of 30. Even an attacker with only a 56-kbps dial-up line could fill up a T1 line (1.54 Mbps) with that level of amplification. Other directed broadcast attack tools include Fraggle and Papasmurf.
A PRIMER ON CRACKING: PART 1 A final type of denial-of-service that has received considerable press is the distributed denial-of-service attack. Essentially based on standard packet flood concepts, distributed denial-of-service attacks were used to cripple many major Internet sites in February 2000. Tools such as Trin00, Tribe Flood Network 2000 (TFN2K), and Stacheldraht all support this type of attack. To conduct a distributed denial-of-service attack, an attacker must find numerous vulnerable systems on the Internet. Usually, a remote buffer overflow attack (described below) is used to take over a dozen, a hundred, or even thousands of machines. Simple daemon processes, called zombies, are installed on the machines taken over by the attacker. The attacker communicates with this network of zombies using a control program. The control program is used to send commands to the hundreds or thousands of zombies, requesting them to take uniform action simultaneously. The most common action to be taken is to simultaneously launch a packet flood against a target. While a traditional SYN flood would deluge a target with packets from one host, a distributed denial-of-service attack would send packets from large numbers of zombies, rapidly exhausting the capacity of even very high-bandwidth, well-designed sites. Many distributed denial-of-service attack tools support SYN, UDP, and ICMP flooding, smurf attacks, as well as some malformed packet attacks. Any or all of these options can be selected by the attacker using the control program. Denial-of-Service Attack Defenses To defend against malformed packet attacks, system patches and security fixes must be regularly applied. Vendors frequently update their systems with patches to handle a new flavor of denial-of-service attack. An organization must have a program for monitoring vendor and industry security bulletins for security fixes, and a controlled method for implementing these fixes soon after they are announced and tested. For packet flood attacks, critical systems should have underlying network architectures with multiple, redundant paths, eliminating a single point of failure. Furthermore, adequate bandwidth is a must. Also, some routers and firewalls support traffic flow control to help ease the burden of a SYN flood. Finally, by appropriately configuring an Internet-accessible network, an organization can minimize the possibility that it will be used as a jumping-off point for smurf and distributed denial-of-service attacks. To prevent the possibility of being used as a smurf amplifier, the external router or firewall should be configured to drop all directed broadcast requests from the Internet. To lower the chance of being used in a distributed denial-of-service attack, an organization should implement antispoof filters on external routers and firewalls to make sure that all outgoing traffic has a source IP address of the site. This egress filtering prevents
DATA SECURITY MANAGEMENT an attacker from sending spoofed packets from a zombie or other denialof-service tool located on the network. Anti-spoof ingress filters, which drop all packets from an Internet claiming to come from one s internal network, are also useful in preventing some denial-of-service attacks. Edward Skoudis (ed.skoudis@globalintegrity.com) is Account Manager and Technical director for Global Integrity.