FederationHax
Sep 24th, 2016
PACKET ATTACKS - VERSION 1.1

Let me start by saying the internet is full of wonderful tools and papers like this one. A lot of these things can help you increase your knowledge, perhaps your job or more. But just as easily as you can learn from them, people read into them too much and decide to harm other people's work for no apparent reason. Let it be known that is in no way the purpose of this paper. A true hacker is one who strives to attain the answers for themselves through curiosity. It's the path we take to those answers that makes us hackers, not destruction of other people's work. So with that said, please enjoy my work, as I have enjoyed writing it.

The flow of data has always captured my interest. Just how does it work, how can we dissect it and use it to our advantage? Well, I have spent a long time studying all of this, and that is why I wrote this paper. It's a collection of run-on sentences on different packet attacks and how they work. Now we all know you can learn all you ever wanted to know about the specifications of a protocol by reading its 30 page RFC document. But that is the protocol according to design; in the wild it's a different story altogether. 'Packet Attacks' covers everything from basic DOS attacks to TCP/IP hijacking, hence the name "Packet Attacks". This paper also focuses not just on attacks but practical ways to prevent such attacks and ideas on new methods to help us stop them and secure our networks.

Introduction:
TCP/IP Packet Switching Networks
OSI MODEL

---Chapter 1.---
Section a.
Introduction to DDOS/DOS & Packet Attacks
Section b.
How attacks are crafted

---Chapter 2.---
Section a. (attacks)
ICMP
Smurf
SYN/ACK
UDP
DNS
ARP
DrDOS
Special Bot / Trojans
Worm DOS
Unicode ping flood (new!)
Section b.
Phasing
Section c. (hacks)
TCP hijacking
Sniffing
Scans
Information gathering / Footprinting
Section d.
Defense against these attacks
Attack Detection
Intrusion Detection
Section e.
IPSEC
NAT as a means of security

---Chapter 3.---
Section a.
The future of TCP/IP as a means of using IPv6

---Chapter 4. ---
Section a.
New security application / protocol

-----
Introduction.

Well, I assume most of you reading this paper already have a good understanding of TCP/IP and how it works, so I won't get too much into detail on that, but I will scrape the surface on the parts we NEED to discuss. The internet is a MASSIVE web of machines all connected to one another through a series of hardware devices known as routers, switches, hubs, bridges and lots more. All of these devices (although some are smarter than others) push along packets. Our operating systems and applications craft these packets in order to send data to one another over the wire. Each packet, although varying in size, carries a small bit of data from one host to another. Each packet must also carry its own personal information, such as where it came from and where it's headed. Of course there is a lot more to a packet than just this information. But as far as attacks go this is the crucial information we need to look at. Now there are many, many different types of protocols that craft many different types of packets. And they are all read differently when they are received at the other end. Whereas an ARP packet may tell a host who has this MAC address on this subnet, a TCP packet might transfer the last few bits in that MP3 you're downloading. Regardless of the data, all of these packets use the same wire to move to and from locations. I couldn't possibly discuss every protocol and packet structure in this one paper. The average end user takes for granted all of this running in the background while they surf the net. Most people don't understand the complexity of this internet we are all so familiar with, the chat rooms etc. But there are people who do, and there are people who take advantage of that. Reverse engineering has led to the creation of attacks using the basic fundamentals these protocols rely on. And since TCP/IP is so embedded in our infrastructure we must adapt and learn to defend against each new attack.

OSI MODEL

The Open Systems Interconnection model is a seven-layered networking design. It's an industry standard that defines exactly how data is transferred from protocol to protocol. Not every protocol follows the OSI model exactly, and some do. TCP, the internet's main mode of data transport, does not follow it exactly. Let me take you through a brief overview of the OSI model.

Layer Seven : Application Layer
This layer is obviously application specific; it provides everything from authentication to email to FTP and telnet, the list goes on. It's specifically for end user processes: what we input into our applications we can see on our screens.

Layer Six : Presentation Layer
This layer changes and possibly encrypts the data so that the application layer can understand it. (You will understand what this means in a few minutes.)

Layer Five : Session Layer
Think of this layer as establishment, control and termination of the sessions formed by the application (client) to a remote host (server).

Layer Four : Transport Layer
This layer is responsible for the invisible transfer of data from host to host. It is there to ensure all data transfer goes accordingly. The protocols used are UDP and TCP.

Layer Three : Network Layer
This layer is for error correction, packet sequencing, and for transmitting data from node to node. Addressing is also another function of this layer in inter-networking.

Layer Two : Data Link Layer
This layer decodes and encodes packets into bits so they are ready for the physical layer. It also handles error correction in the physical layer. This layer is also divided into two different sub-layers: the LLC (logical link control) and MAC (media access control) sub-layers. The LLC sub-layer provides control for frame synchronization and error checking. The MAC sub-layer controls how a computer on your network has access to data.

Layer One : Physical Layer
This layer is the actual movement of the data. Using electrical impulses or some other form of data movement it pushes the bit stream towards the other host. This layer is the hardware level: the ethernet card, the wire etc. There are many protocols within this layer.

You may ask yourself why I listed these from 7 to 1. Well, I did so to show you how the OSI model really works. Layer Seven really comes first: the end user types something into his instant messenger (for example) and the data flows down through the OSI model, being encapsulated and changed at every level it has to be changed or corrected at. The data travels the wire and at the other end it moves back up the OSI model all the way to layer seven, where the other host can read it in the original form it was sent. So there's a VERY basic understanding of the OSI model and how it works to transmit data from host to host. There are a lot more protocols and parts to the OSI model, but this basic representation should provide a firm understanding.

To understand all of this more in depth please get your hands on a few RFC (request for comment) documents and start reading, because it will take you a very long time to understand exactly how TCP/IP works. If you're very knowledgeable in the way TCP/IP works then this paper should make a lot of sense to you, perhaps even bore you! :( On the other hand, if you don't understand TCP/IP as well as you would like to, you still might get something out of this. I try and explain all of the technical writing as easily as I can. Feel free to email me if you have a question or comment. Thanks :)
Data_Clast

---------------------------------------------------------------------------------------
Chapter 1.

Section a.

The most common attack on the internet today is a denial of service attack. There are many programs on the internet today that will assist anyone in crafting one of these attacks. The sad part is, for as easy as they are to make, their power can be destructive when used properly. No matter what kind of packet attack it may be, most are based on the same principle: volume. Thousands and thousands of spoofed packets will eat up network resources within minutes, choking and essentially 'killing' any network. There are many types of packet attacks. Some are more sophisticated than others. I will also talk about TCP/IP hijacking and your typical port and vulnerability scans, among other things.

Why do people launch these attacks? How are they launched? How exactly (technically speaking) do they 'choke a network'?! Hold tight, I'm getting to that. The lower end of these attacks are usually launched by what the hacker community calls a script kiddie. You see, a hacker isn't a mindless web-defacing juvenile (please see The Mentor's manifesto). A hacker is a person of true intellect and would never craft such an attack for no reason. But these lower end attacks are usually launched at people's individual machines. Their IP addresses may come from an IRC chat room, Yahoo Messenger, AOL, ICQ, or whatever other messenger you might use. Although not as sophisticated, these 'lower end' attacks can still knock an individual machine offline in minutes. The slightly more advanced attacks may be aimed at a business competitor in order to slow their sales or disrupt their outgoing internet connection. Whatever the reason may be, they are usually launched for a reason. Attacking a box for no reason is typically useless and will only take up your own bandwidth.

The more sophisticated attacks are aimed at government and root points of the internet, such as the attacks on the root DNS servers in October of 2002. These attacks were sophisticated in the way they were crafted. The attacks lasted for over an hour and successfully took out a few of the servers. If the attack had lasted just a few more minutes, who knows the damage it could have caused. The possibility of the authorities solving these attacks and apprehending the offenders is slim to none because they are created and launched by skilled malicious individuals. They were also distributed denial of service attacks, which means the 'zombie' machines that attacked the servers were spread out all over the world. We will touch more on that later though.

Section b.

You will learn more about how these individual attacks are crafted and how they work later in this paper, but this is a small introduction so you can get a vague idea. Creating spoofed packets requires an open socket. This socket binds to an IP and a port and allows you to inject a packet onto the wire or accept any incoming packets to that IP and port. *NIX openly supports open socket programming (there are many tutorials on this type of programming), which means you can code programs that create packets and then inject them into the network with ease. An example of this would be a program called "SENDIP", which allows you to create custom packets, and it supports many protocols (another good program is nemesis). I have written a few tutorials using SENDIP; I think it's a great program for both advanced and new network engineers to use. It will help you learn about packet structure and the different protocols it supports. Microsoft is not an open source company, which pretty much makes it even harder to find help in creating these sorts of programs for Windows. But it is possible to craft these attacks from within a Windows environment. It's referred to as 'Winsock' programming. In fact most of these DDOS attacks are because of vulnerable Windows boxes out on the net. They are sitting ducks for trojan horses and other programs that craft these attacks on servers when commanded from a client program to do so. Most end users do not understand security and how easy it is to break into someone's home computer, so they lack firewalls and virus scanners. This leads to many zombie machines available at hackers' disposal on the net. All one has to do is scan a class C subnet for open trojan ports and hack their way into those trojans and use them as a backdoor; another zombie is created for attacking remote targets. Almost every program that interacts with TCP/IP generates packets to and from places; this is valid traffic. As you read you will distinguish the difference between valid and non-valid, as it is pretty easy to understand what I am explaining when I say "attack". When creating an open socket and crafting spoofed packets, these programs tell the kernel they are going to construct their own IP headers. Usually this information is put on by the kernel before exiting the machine. But in this instance we are telling the kernel we want to specify our own information. Not all operating systems will allow this. And no, I don't have a detailed list of which do and which don't. Most of the experiments I have conducted on my network used different versions of RedHat Linux, Mandrake Linux, and Windows XP.


Chapter 2.

Section a.

There are several different types of packet attacks. There's the simple brute flood of ICMP packets, which floods a network and eats up all the available bandwidth. And then there are more sophisticated attacks like the Smurf or SYN/ACK attack. All of these attacks target different things. While the SMURF attack may target the general network it's attacking, the SYN/ACK attack targets a specific host or service running on a host. We also must take into consideration that when a target is attacked it may not be the only machine affected. There are many routers and other boxes transferring the data between point A and point B. Other people's legitimate data is flowing between them, and may be disrupted by the packet flood. Even a top of the line router can only handle so much data. And unfortunately it is very easy to attain source code for these attacks all over the web. Let's take a more detailed look at each attack.


ICMP brute flood attack.

ICMP works on top of TCP. The ICMP protocol is simple yet very effective. It's used for error correcting and testing network connectivity. Your average PING program uses ICMP packets to test network connectivity. By sending a small amount of arbitrary data in an ECHO_REQUEST packet it waits for a reply from the target host, simple right? A typical ICMP packet is called an ECHO_REQUEST. You send 4 or 5 of these at a target machine and when it arrives there it requests an ECHO_REPLY. That's when everything is done according to design. If you want more info on an ICMP packet and how it works then read my tutorial on that!
http://www.theory-x.org/dataclast/_content/MPS.txt

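Before looking at how the flood works, it helps to see what actually sits inside one of these packets, and how the encapsulation described in the OSI section above looks in bytes. The following is an added example (not code from the original paper, nor from the author's ICMP tutorial linked above) that takes a raw IPv4 datagram and decodes it one layer at a time, checking the RFC 1071 one's-complement checksum at each layer the way a sniffer or an IDS does. The sample datagram, its addresses (192.0.2.10 and 198.51.100.5, from the documentation ranges) and its payload are constructed inside the block; nothing is put on the wire. One caveat to the paragraph above: ICMP messages are carried directly inside IP datagrams (IP protocol number 1) rather than on top of TCP, which is why the parser goes straight from the IPv4 header to the ICMP header.

```python
"""Decode a raw IPv4 datagram carrying an ICMP Echo Request, one layer at a time.

Added example: the sample bytes come from build_sample_echo_request() below
(constructed test data, not a capture). No socket is opened anywhere here.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

ICMP_PROTOCOL = 1       # IP protocol number that identifies ICMP
ICMP_ECHO_REQUEST = 8   # ICMP type of an echo request ("ping")


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; returns 0 when data verifies."""
    if len(data) % 2:
        data += b"\x00"                       # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class IPv4Header:
    ihl: int            # header length in 32-bit words
    total_length: int   # header + payload, in bytes
    identification: int
    ttl: int
    protocol: int
    checksum_ok: bool
    src: str
    dst: str


@dataclass
class ICMPEcho:
    icmp_type: int
    code: int
    checksum_ok: bool
    identifier: int
    sequence: int
    payload: bytes


def parse_ipv4(datagram: bytes) -> tuple[IPv4Header, bytes]:
    """Network layer: decode the IPv4 header and hand the encapsulated payload upward."""
    if len(datagram) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", datagram[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    hlen = ihl * 4
    if hlen < 20 or total_length < hlen or len(datagram) < total_length:
        raise ValueError("inconsistent IHL / total length")
    header = IPv4Header(
        ihl, total_length, ident, ttl, proto,
        internet_checksum(datagram[:hlen]) == 0,   # IP checksum covers the header only
        ".".join(map(str, src)), ".".join(map(str, dst)),
    )
    return header, datagram[hlen:total_length]


def parse_icmp_echo(segment: bytes) -> ICMPEcho:
    """Next layer up: decode the ICMP message the IP layer handed over."""
    if len(segment) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", segment[:8])
    # Unlike IP, the ICMP checksum covers the whole message, header and payload.
    return ICMPEcho(icmp_type, code, internet_checksum(segment) == 0,
                    ident, seq, segment[8:])


def parse_datagram(datagram: bytes) -> tuple[IPv4Header, ICMPEcho]:
    """Walk the layers: IPv4 header first, then the ICMP message inside it."""
    ip, payload = parse_ipv4(datagram)
    if ip.protocol != ICMP_PROTOCOL:
        raise ValueError(f"IP protocol {ip.protocol} is not ICMP")
    return ip, parse_icmp_echo(payload)


def build_sample_echo_request() -> bytes:
    """Constructed sample input (not a capture): 192.0.2.10 pinging 198.51.100.5."""
    payload = b"packet-attacks-sample"
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, 0x1234, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0xABCD, 0x4000,
                     64, ICMP_PROTOCOL, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    ip = ip[:10] + struct.pack("!H", internet_checksum(ip)) + ip[12:]
    return ip + icmp


if __name__ == "__main__":
    hdr, echo = parse_datagram(build_sample_echo_request())
    print(hdr)
    print(echo)
    damaged = bytearray(build_sample_echo_request())
    damaged[8] = 1          # a single flipped TTL byte breaks the IP header checksum
    print("damaged header verifies:", parse_ipv4(bytes(damaged))[0].checksum_ok)
```

The two checksum checks are the practical point: an IP header that does not verify is discarded by the receiving stack before any of the processing the flood relies on, whereas a spoofed source address verifies perfectly, since the checksum only proves the header was not corrupted in transit, not that the sender is who it claims to be.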
In this attack the source IP address is spoofed. So now hundreds, thousands of ECHO_REQUEST packets rush towards their destination. They reach point B and request an ECHO_REPLY for every ECHO_REQUEST sent. Point B says OK and reads the source IP. The source IP ends up being unreachable. But point B is waiting a small amount of time (milliseconds) to determine that for every packet that's hitting it. It will be a few more moments before the process relinquishes this small bit of memory back to the system. This adds up to a great deal of packets and memory allocation building up. Now if these packets are coming from multiple source zombies (DDOS) then this means they're each coming from different routes. So even if one ISP stops one attack, there are still many more zombie machines attacking the victim. All of this is eating up time and bandwidth, because with every millisecond that passes more and more bandwidth is being taken up. Eventually point B can no longer keep up with the ECHO_REQUESTs and his connection is completely flooded and of no use. On an unprotected system or router this attack can be very consuming. This attack is also sometimes referred to as a bandwidth attack. Even if the target is running an advanced firewall it cannot protect the wire it is connected to from being flooded with packets. There have been changes in this attack as well. On the net there are what we call amplifiers. On every network there are the network and subnet addresses. In many default configurations when you ping either one of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable network (.0) or subnet address (.255) with a spoofed source IP, being the victim's real IP. So even though the traffic becomes valid as far as IP addresses go, the victim gets bombarded with massive ECHO_REPLY packets. You will see more of this description in other attacks, as it works for some of those too.

[zombie machine] -->ICMP ECHO_REQUEST (source IP = 1.1.1.1) -->-->--> [target]
[??????????????] ICMP ECHO_REPLY (destination 1.1.1.1 ?)<-- [target]

Hopefully that simple drawing shows you exactly how this attack works. It's very, very simple: massive ICMP packets with spoofed addresses taking up network resources. The simplest of attacks.


Smurf attack.

(first part is repeat from ICMP attack) There have been changes in the ICMP attack. On the net there are what we call amplifiers. On every network there are the network and subnet addresses. In many default configurations when you ping either one of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable network (.0) or subnet address (.255) with a spoofed source IP, being the victim's real IP. So even though the traffic becomes valid as far as IP addresses go, the victim gets bombarded with massive ECHO_REPLY packets. You will see more of this description in other attacks, as it works for those too.
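The ICMP flood and the Smurf reflection described in the last two sections each leave a distinct trace in traffic records, and those traces are what a defender looks for. Below is an added example, not code from the original paper, of the detection logic run over ICMP flow records: it flags destinations receiving an abnormal rate of ECHO_REQUESTs (the direct flood), hosts receiving ECHO_REPLYs they never asked for (the symptom of their address being used as the spoofed source), and ECHO_REQUESTs aimed at a subnet's network or broadcast address (the amplifier role). The record format `ts=<sec> src=<ip> dst=<ip> type=<icmp type>`, the threshold of 50 requests per second, the monitored subnet 10.0.0.0/24 and every sample record are constructed for this example.

```python
"""Detect ICMP echo floods, smurf reflection and amplifier probes in flow records.

Added example. The log format and all sample records are constructed here;
the 50-requests-per-second threshold is an illustrative tuning value.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from ipaddress import ip_network

ECHO_REPLY, ECHO_REQUEST = 0, 8


def parse_line(line: str) -> dict:
    """Parse one 'ts=<sec> src=<ip> dst=<ip> type=<n>' record (constructed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {"ts": float(fields["ts"]), "src": fields["src"],
            "dst": fields["dst"], "type": int(fields["type"])}


def request_floods(records: list[dict], window: float = 1.0, threshold: int = 50) -> dict:
    """Destinations that receive more than `threshold` echo requests in one window."""
    buckets: Counter = Counter()
    for r in records:
        if r["type"] == ECHO_REQUEST:
            buckets[(r["dst"], math.floor(r["ts"] / window))] += 1
    flagged: dict = defaultdict(int)
    for (dst, _bucket), n in buckets.items():
        if n > threshold:
            flagged[dst] = max(flagged[dst], n)   # keep the worst window per victim
    return dict(flagged)


def unsolicited_replies(records: list[dict]) -> dict:
    """Hosts receiving more echo replies than they sent requests: their address is
    being used as the spoofed source of a flood or a smurf."""
    sent = Counter(r["src"] for r in records if r["type"] == ECHO_REQUEST)
    got = Counter(r["dst"] for r in records if r["type"] == ECHO_REPLY)
    return {h: got[h] - sent[h] for h in got if got[h] > sent[h]}


def amplifier_probes(records: list[dict], networks) -> list:
    """Echo requests aimed at the network (.0) or broadcast (.255) address of a
    monitored subnet, i.e. someone trying to use that subnet as an amplifier."""
    special = set()
    for net in map(ip_network, networks):
        special.update({str(net.network_address), str(net.broadcast_address)})
    return sorted({(r["src"], r["dst"]) for r in records
                   if r["type"] == ECHO_REQUEST and r["dst"] in special})


def build_sample_log() -> list[str]:
    """Constructed records: benign pings, a spoofed-source flood, a smurf, a probe."""
    lines = []
    for i in range(4):            # 10.0.0.5 pings its gateway four times, each answered
        lines.append(f"ts={i}.000 src=10.0.0.5 dst=10.0.0.1 type={ECHO_REQUEST}")
        lines.append(f"ts={i}.001 src=10.0.0.1 dst=10.0.0.5 type={ECHO_REPLY}")
    for i in range(80):           # 80 requests from spoofed sources hit 10.0.0.20 in 1 s
        lines.append(f"ts=5.{i:03d} src=203.0.113.{i % 250 + 1} dst=10.0.0.20 type={ECHO_REQUEST}")
    for i in range(40):           # 40 replies reach 10.0.0.20, which never sent a request
        lines.append(f"ts=7.{i:03d} src=198.51.100.{i + 1} dst=10.0.0.20 type={ECHO_REPLY}")
    lines.append(f"ts=9.000 src=203.0.113.77 dst=10.0.0.255 type={ECHO_REQUEST}")
    return lines


def analyse(lines: list[str], networks=("10.0.0.0/24",)) -> dict:
    """Run all three detectors over raw record lines."""
    records = [parse_line(line) for line in lines]
    return {
        "floods": request_floods(records),
        "unsolicited_replies": unsolicited_replies(records),
        "amplifier_probes": amplifier_probes(records, networks),
    }


if __name__ == "__main__":
    for name, hits in analyse(build_sample_log()).items():
        print(f"{name}: {hits}")
```

The three detectors correspond to the three positions a network can occupy in these attacks: the flooded target, the host whose address was spoofed, and the subnet abused as an amplifier. On the amplifier side the fix is configuration rather than detection: on Linux `net.ipv4.icmp_echo_ignore_broadcasts = 1` (the default on current kernels) stops the host answering echo requests sent to broadcast addresses, and strict reverse-path filtering (`net.ipv4.conf.all.rp_filter = 1`) drops packets whose source address is not routable back through the interface they arrived on, which removes much spoofed traffic at a border router. Neither setting protects the victim's own uplink from being filled, which is why the rate monitoring above still belongs at the border.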