Network Intrusion Detection, Third Edition.pdf

As this discussion shows, both brute-force attacks and elegant denial-of-service attacks take advantage of flawed site and system protection. How do they know which systems to take advantage of? In some cases, attackers simply try all the addresses, hoping to get lucky. In other cases, they perform reconnaissance. One of the best tools, bar none, to do this is nmap.

nmap

nmap is the most versatile scanner available at any price for Windows and UNIX (and the price is free). This software can create a large number of traces, and in early 1999 was being called the most potent denial-of-service engine available. Some of the best information about the denial-of-service effects of nmap was published by the National Infrastructure Protection Center (NIPC). NIPC produces biweekly reports called CyberNotes. Electronic copies are available on the NIPC web site at http://www.nipc.gov. CyberNotes lists specific vulnerabilities that nmap exploits. Issue 99-2, for example, reports a scan on port 427 that causes the dreaded blue screen of death on Windows 98 systems running the Novell Intranet Client. I certainly do not disagree with NIPC, but if a piece of networking software dies because it receives a packet on a certain port, we should not blame the vulnerability scanner. Packets happen. In fact, in the years since nmap was first released, many stacks have crashed, but this has forced the manufacturers to fix their products because nmap is so prevalent.

nmap is a vulnerability scanner, but it operates in several powerful modes, including some that can knock out unpatched systems. These modes include the following:

Vanilla TCP connect() scanning

TCP SYN (half open) scanning

TCP FIN, Xmas, or Null (stealth) scanning

TCP FTP proxy (bounce attack) scanning

SYN/FIN scanning using IP fragments (bypasses packet filters)

UDP raw ICMP port unreachable scanning

ICMP scanning (ping-sweep)

TCP Ping scanning

Remote OS identification by TCP/IP fingerprinting

Reverse-ident scanning
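Most of the scan modes in this list are distinguishable on the wire by the TCP flag byte they leave in each probe (nothing at all for Null, FIN alone, FIN+PSH+URG for Xmas, SYN alone for the half-open scan), and by one source touching many ports on one target in a short time. That is what a sensor such as Shadow keys on. The following is an added example, not code from the book or from Shadow; it assumes constructed packet records of the form (timestamp, source, destination, destination port, flag byte) and a hypothetical threshold of ten distinct ports within five seconds.

```python
# Added example (not from the book): classify the TCP flag byte left by a
# connect()/SYN/FIN/Xmas/Null probe, and flag a source that touches many
# distinct ports on one destination inside a short window. All input below
# is constructed; thresholds are assumptions, not values from the page.
from collections import defaultdict

# TCP flag bits as they appear in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags: int) -> str:
    """Name the probe style a single segment's flag byte is consistent with.

    A real client never sends a segment with no flags set, with FIN alone, or
    with FIN+PSH+URG and no ACK: those are the Null, FIN and Xmas probes.
    SYN alone is a normal connection start, so it is only suspicious in volume.
    """
    if flags == 0:
        return "null"
    if flags == FIN:
        return "fin"
    if flags == FIN | PSH | URG:
        return "xmas"
    if flags == SYN:
        return "syn"
    if flags & ACK:
        return "established"
    return "other"


def detect_sweeps(records, port_threshold=10, window=5.0):
    """Return one alert per (src, dst) pair whose distinct destination ports
    within any `window`-second span reach `port_threshold`.

    records: iterable of (timestamp, src_ip, dst_ip, dst_port, flags).
    Each alert reports the widest qualifying window and the probe styles seen.
    """
    seen = defaultdict(list)  # (src, dst) -> [(timestamp, port, style), ...]
    for ts, src, dst, dport, flags in records:
        seen[(src, dst)].append((ts, dport, classify_flags(flags)))

    alerts = []
    for (src, dst), events in seen.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it fits within `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            ports = {p for _, p, _ in span}
            if len(ports) >= port_threshold and (best is None or len(ports) > best["ports"]):
                best = {
                    "src": src,
                    "dst": dst,
                    "ports": len(ports),
                    "styles": sorted({s for _, _, s in span}),
                }
        if best:
            alerts.append(best)
    return alerts


# Constructed sample: one host sweeps a dozen ports with SYN probes and then
# sends a Xmas probe; another host opens two ordinary connections.
SAMPLE = [(0.1 * i, "203.0.113.5", "10.0.0.7", 1 + i, SYN) for i in range(12)]
SAMPLE.append((1.3, "203.0.113.5", "10.0.0.7", 80, FIN | PSH | URG))
SAMPLE += [
    (0.0, "192.0.2.10", "10.0.0.7", 443, SYN),
    (0.05, "192.0.2.10", "10.0.0.7", 443, ACK),
    (2.0, "192.0.2.10", "10.0.0.7", 80, SYN),
]

if __name__ == "__main__":
    for alert in detect_sweeps(SAMPLE):
        print(alert)
```

The flag check catches the stealth modes on a single packet, which is why they are only "stealth" against hosts that log completed connections; the port-count check is what catches the vanilla connect() and SYN scans, which look individually normal. A fragmented SYN/FIN scan defeats the flag check unless the sensor reassembles fragments before inspecting the TCP header.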

nmap was integrated starting with Shadow 1.6. It is great. When the analyst sees a connection to a system from the Internet that causes concern, the analyst can scan the internal system. Shadow's default is to use the vanilla TCP connect, although all modes are available. The purpose is to quickly determine what services the internal system has available. And yes, from time to time when OS fingerprinting, I have crashed a system or two. I guess the good news is that it is really hard for the attackers to compromise the system if you crash it when fingerprinting it!

Mutant Packet Arms Race

In mid-1998, I was talking with the development team for Cisco's vulnerability scanner, NetSonar. Members of the team were discussing the great pains they took to avoid crashing systems while scanning them.

Today, nmap has some serious competition from hping2 when it comes to generating some seriously funky packets. I hope that an arms race does not develop between the two of them to see which can do the most harm the fastest.
