
have been around for a while, but they are still widely used, for example in the DDoS attacks that occurred in February 2000.

This is not meant to be a complete list, because new Denial of Service attacks are coming out daily; however, it is meant to show you the wide range of attacks that exist. Now, let's start covering each exploit in detail.

Ping of Death

A Denial of Service attack that involves sending a very large ping packet to a host machine.

Exploit Details

Name: Ping of Death

Operating System: Most Operating Systems

Protocols/Services: ICMP Ping

The ping of death attack is a category of network-level attacks against hosts with the goal of denying service to that host. A perpetrator sends a large ping packet to the victim's machine. Because most operating systems do not know what to do with a packet that is larger than the maximum size, receiving one causes them to either hang or crash. For example, this causes the blue screen of death in Microsoft NT.

Protocol Description

Ping of death uses large Internet Control Message Protocol (ICMP) or ping packets to cause a Denial of Service attack against a given system. To understand how ping of death works, you need to have a basic understanding of ICMP. This exploit operates at the network layer, which is layer 3 in the OSI model. This is the same layer that IP operates at. ICMP was developed to test connectivity to various machines on the Internet. ICMP handles error and exchange control messages. ICMP can be used to convey status and error information, including network transport and network congestion problems.

Ping is a program that uses ICMP to see if a machine connected to a network is responding. It does this by sending an echo request packet to a particular address. If the machine successfully receives the packet, it sends an ICMP echo reply. ICMP, and especially ping, can be a valuable tool for troubleshooting and diagnosing host or network problems.

The following is a successful ping request showing that the destination host is active:

Pinging 10.159.90.17 with 32 bytes of data:

Hackers Beware “ New Riders Publishing

210

Reply from 10.159.90.17: bytes=32 time=4ms TTL=255
Reply from 10.159.90.17: bytes=32 time=2ms TTL=255
Reply from 10.159.90.17: bytes=32 time=2ms TTL=255
Reply from 10.159.90.17: bytes=32 time=2ms TTL=255

Ping statistics for 10.159.90.17:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 4ms, Average = 2ms

Notice that the ping packets have a size of 32 bytes. By using the command-line options, you can specify a different packet size for the ping program to send. On Microsoft Windows, to send a larger ping packet, you use the -l (letter l) option. So, by typing ping -l 500 10.159.90.17, you would get the following results:

Pinging 10.159.90.17 with 500 bytes of data:

Reply from 10.159.90.17: bytes=500 time=3ms TTL=255
Reply from 10.159.90.17: bytes=500 time=3ms TTL=255
Reply from 10.159.90.17: bytes=500 time=3ms TTL=255
Reply from 10.159.90.17: bytes=500 time=3ms TTL=255

Ping statistics for 10.159.90.17:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 3ms, Average = 3ms

Notice now that the packet size is 500 bytes instead of the default 32 bytes.

Detailed Description

The TCP/IP specification (the basis for many protocols used on the Internet) allows for a maximum packet size of up to 65536 octets (1 octet = 8 bits of data), containing a minimum of 20 octets of IP header information and 0 or more octets of optional information, with the remainder of the packet consisting of data. It is known that some systems will react in an unpredictable fashion when receiving oversized IP packets. Reports indicate a range of reactions including crashing, freezing, and rebooting.

In particular, most attacks show that the ICMP packets issued through the ping command have been used to trigger these attacks. As discussed in the previous section, ICMP is a subset of the TCP/IP suite of protocols that transmits error and control messages between systems. Two specific instances of ICMP packets are the ICMP ECHO_REQUEST and ICMP ECHO_RESPONSE datagrams. A local host can use these two instances to determine whether a remote system is reachable through the network, and they are commonly sent using the ping command. A host sends a machine an ICMP ECHO_REQUEST packet, and if the machine is active, it processes the packet and replies by sending an ICMP ECHO_RESPONSE.

Attackers use the ping command to construct oversized ICMP datagrams (which are encapsulated within an IP packet). Many ping implementations send ICMP datagrams consisting only of the 8 octets of ICMP header information by default, yet they enable the user to specify a larger packet size if desired. With this exploit, an attacker uses this feature to send an oversized ping packet or one that is larger than the 65536 byte specification.

Signature of the Attack

The following is the output from tcpdump when the ping of death is run against a victim's machine:

10:03:14.690000 192.168.15.5 > 192.168.20.10: icmp: echo request (frag 11267:1480@0+)
10:03:14.690000 192.168.15.5 > 192.168.20.10: (frag 11267:1480@1480+)
10:03:14.690000 192.168.15.5 > 192.168.20.10: (frag 11267:1480@5920+)
10:03:14.690000 192.168.15.5 > 192.168.20.10: (frag 11267:1480@7400+)
10:03:14.690000 192.168.15.5 > 192.168.20.10: (frag 11267:1480@8880+)
........
10:03:14.740000 192.168.15.5 > 192.168.20.10: (frag 11267:1480@65527)

As you can see, the source IP address sends the destination IP address (the victim's machine) a ping packet of 65527 bytes, delivered as a series of fragments.

Source Code/Pseudo Code

Most operating systems come with a version of ping as part of the standard operating system. Because of this, it is very easy to perform an attack using this program, because all the tools needed are already installed by default. For example, from a Windows machine, an attacker would open up a DOS window and issue this command:

ping -l 65527 [followed by the IP address of the victim's machine]

On a UNIX machine, an attacker would issue the following command:

ping -s 65527 [followed by the IP address of the victim's machine]

Because ping is such a popular program, there really is no source or pseudo code for this exploit.

How to Protect Against It

The best way to fix this problem is to apply the latest patch from the appropriate vendor. Most operating systems that have been impacted by this exploit have patches that will remove the vulnerability.

If applying the patch is not an option, or additional protection is desired, large ping packets can be blocked at routers or firewalls, which stops them from getting to the victim’s machine.

Additional Information

The following sites contain additional information on the ping of death exploit:

http://www.cert.org

http://microsoft.com

The CERT keeps track of most security vulnerabilities and provides detailed information on how to protect against them. The CERT Coordination Center studies Internet security vulnerabilities, provides incident response services to sites that have been the victims of an attack, publishes a variety of security alerts, researches security and survivability in wide-area-networked computing, and develops information to help you improve security at your site.

Microsoft also provides detailed information on its operating systems' vulnerabilities and what can be done to protect against their exploitation.

SSPing

A Denial of Service attack that involves sending a series of highly fragmented, oversized ICMP data packets.

Exploit Details

Name: SSPing

Operating System: Microsoft Windows (95 and NT)

Protocols/Services: ICMP Ping

SSPing is a program that uses ICMP data packets to freeze any computer connected to the Internet or on a network running Windows 95, Windows NT, and older versions of the Mac operating system. SSPing is based on old code that freezes old System V and POSIX implementations. Because of this, it is possible to use SSPing against systems that are also running these implementations.

Protocol Description

SSPing uses fragmented ICMP packets to cause a Denial of Service attack. To understand how SSPing works, you need to have a basic understanding of ICMP and how fragmented packets work. Because ICMP was covered in the previous section, let’s look at fragmented packets.

If a machine attempts to send a large packet on a network or over the Internet, there is a good chance that one of the routers that processes the packet will break it up into smaller pieces, so it can be properly routed to its destination. When this occurs, the destination machine receives the pieces and puts them back together. This process occurs all the time on the Internet and is called fragmentation. As you will see in this section, by tinkering with the fragmentation options, you can cause certain machines to crash.

Detailed Description

SSPing is a program that can freeze any computer connected to the Internet or on a network running Windows 95, Windows NT, or versions of the Mac OS before version 6.

The SSPing program sends the victim’s computer a series of highly fragmented, oversized ICMP data packets over the connection. The computer receiving the data packets locks when it tries to put the fragments together. Highly fragmented packets require the TCP/IP stack to keep track of additional information to reassemble the packets. If the TCP/IP stack was not built properly, when it tries to keep track and put together several packets, the result is a memory overflow, which in turn causes the machine to stop responding. Usually, the attacker only needs to send a few packets, locking the victim’s computer instantaneously. When the victim restarts his computer, the connection with the attacker is lost, so in some cases, the attacker is able to remain anonymous.

Jolt and Jolt2 are two more exploits that take advantage of fragmentation. Because Jolt2 is a newer program, it is covered in the section, “Jolt2” later in this chapter.

Signature of the Attack


Because this is a relatively simple attack, requiring only a few packets, there is really only one main symptom to look for, and that is ICMP packets that are large and highly fragmented.

Because SSPing only uses a few packets, and because ICMP packets are fairly common, it is hard to detect this exploit by either the protocol or the frequency alone. Large, fragmented packets also occur on the Internet; however, it is very rare for large, highly fragmented ICMP packets to occur, so it is only when you put these two pieces together that you can detect the attack.

To run this attack, the source IP address sends highly fragmented ICMP packets to the destination IP address (the victim's machine). The following is the tcpdump output from running this exploit:

10:03:14.690000 192.168.10.5 > 192.168.20.10: icmp: echo request (frag 11267:1480@0+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@5920+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@44400+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@7400+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@37000+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@8880+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@48840+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@56240+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@53280+)

This packet dump shows the signature of an SSPing attack. The first packet tells you this is an ICMP packet. By looking at the far right of each of the remaining lines, you can see that the packets are fragmented. By looking at the fragment offsets, you can also see that they do not arrive in order, which requires additional resources for the TCP/IP stack to track.
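The two tcpdump signatures above (the ping of death dump in the earlier section and the SSPing dump here) can be checked mechanically with the same small parser. The following is an added example written for this edition, not code from the book or from either tool: it parses tcpdump "frag id:len@offset" lines, groups fragments by source, destination and IP ID, and raises a finding when the reassembled size would exceed the 65535-byte IP limit (ping of death) or when an ICMP datagram's fragments arrive out of order in quantity (SSPing). The sample dumps are the lines from the text joined one packet per line, plus a constructed benign fragmented ping; the 65535 limit, the four-fragment threshold and the finding labels are assumptions made for the example.

```python
import re
from collections import defaultdict

# Sample input, constructed from the tcpdump lines in the text (not a live capture).
POD_DUMP = """\
10:03:14.690000 192.168.15.5 > 192.168.20.10: icmp: echo request (frag 11267:1480@0+)
10:03:14.690000 192.168.15.5 > 192.168.20.10: (frag 11267:1480@1480+)
10:03:14.690000 192.168.15.5 > 192.168.20.10: (frag 11267:1480@5920+)
10:03:14.690000 192.168.15.5 > 192.168.20.10: (frag 11267:1480@7400+)
10:03:14.690000 192.168.15.5 > 192.168.20.10: (frag 11267:1480@8880+)
........
10:03:14.740000 192.168.15.5 > 192.168.20.10: (frag 11267:1480@65527)
"""

SSPING_DUMP = """\
10:03:14.690000 192.168.10.5 > 192.168.20.10: icmp: echo request (frag 11267:1480@0+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@5920+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@44400+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@7400+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@37000+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@8880+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@48840+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@56240+)
10:03:14.690000 192.168.10.5 > 192.168.20.10: (frag 11267:1480@53280+)
"""

# Constructed benign case: a 4000-byte ping split into three in-order fragments.
BENIGN_DUMP = """\
10:05:01.000000 192.168.10.7 > 192.168.20.10: icmp: echo request (frag 4242:1480@0+)
10:05:01.000000 192.168.10.7 > 192.168.20.10: (frag 4242:1480@1480+)
10:05:01.000000 192.168.10.7 > 192.168.20.10: (frag 4242:1040@2960)
"""

# tcpdump fragment notation: "(frag <ip id>:<fragment length>@<offset>[+])",
# where "+" means more fragments follow.  Only the offset-0 fragment carries
# the transport header, so only that line is labelled "icmp".
FRAG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s*>\s*(?P<dst>[^:]+):\s*"
    r"(?:(?P<proto>icmp): echo request\s*)?"
    r"\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)$"
)

IP_MAX_BYTES = 65535          # largest datagram the IP total-length field can describe
MIN_FRAGS_FOR_ALERT = 4       # assumed threshold: fewer out-of-order fragments are tolerated


def parse_fragments(text):
    """Group fragment lines by (src, dst, ip_id) in arrival order.

    Each entry is (offset, length, more_fragments, labelled_icmp).  Lines that
    are not fragment lines (such as the '........' elision) are ignored.
    """
    groups = defaultdict(list)
    for line in text.splitlines():
        m = FRAG_RE.match(line.strip())
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["id"]))
        groups[key].append((int(m["off"]), int(m["len"]),
                            m["more"] == "+", m["proto"] == "icmp"))
    return groups


def analyze(groups):
    """Return findings as (label, src, dst, ip_id, detail) tuples."""
    findings = []
    for (src, dst, ip_id), frags in groups.items():
        # The datagram is at least as large as the furthest byte any fragment claims.
        reassembled = max(off + ln for off, ln, _, _ in frags)
        offsets = [off for off, _, _, _ in frags]
        labelled_icmp = any(icmp for _, _, _, icmp in frags)
        if reassembled > IP_MAX_BYTES:
            findings.append(("oversized-datagram", src, dst, ip_id, reassembled))
        if labelled_icmp and offsets != sorted(offsets) and len(frags) >= MIN_FRAGS_FOR_ALERT:
            findings.append(("out-of-order-icmp-frags", src, dst, ip_id, len(frags)))
    return findings


if __name__ == "__main__":
    for name, dump in (("ping of death", POD_DUMP), ("SSPing", SSPING_DUMP), ("benign", BENIGN_DUMP)):
        print(name, analyze(parse_fragments(dump)))
```

The ping of death dump trips only the size rule (its last fragment at offset 65527 pushes the datagram to 67007 bytes), while the SSPing dump stays under the limit and trips only the ordering rule, which matches the text's point that neither size nor ICMP alone identifies SSPing; the two signals have to be combined.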

Source Code/Pseudo Code

Because this attack is relatively straightforward, there is source code available at the following address: http://newdata.box.sk/neworder/xforces/sspingeggdrop.zip/.


Also, aggressor is a program you can use to launch several Denial of Service attacks, including the SSPing attack, and is available from http://neworder.box.sk/.

The pseudo code for this is extremely straightforward. Anyone can use a packet generator program to create an ICMP packet that is fairly large and highly fragmented.

How to Protect Against It

Because this attack mainly impacts Microsoft operating systems, the only way to protect against this attack is to download the latest patches from its web site.

To prevent this type of attack, Microsoft has updated the TCP/IP protocol stack. Updates and instructions can be downloaded from Microsoft’s ftp site. To find out additional information and download the patches, you can search for SSPing under Microsoft’s Knowledge Base, which is located under Support on its main page.

Additional Information

Additional information can be found at the following sites:

http://www.cert.org

http://microsoft.com

http://www.winplanet.com

Because this attack mainly affects Microsoft operating systems, most of the patches are available from its web site. Winplanet also provides adequate details on the exploit and additional information on how to apply and download the patches.

Land Exploit

A Denial of Service attack in which a program sends a TCP SYN packet where the target and source address are the same and the port numbers are the same.

Exploit Details

Name: Land

Variants: none

Operating System: Most Operating Systems and routers

Protocols/Services: IP

The land attack is a program used to launch a Denial of Service attack against various TCP implementations. The program sends a TCP SYN packet (which is the first part of the three-way handshake) where the source and destination addresses are the same and the source and destination port numbers are the same.

Protocol Description

IP packets are used to send information across the Internet. IP packets contain information that specifies who the recipient and sender of the packets are. IP packets also contain port numbers that specify which TCP service the packet should be sent to. The following are the key fields that an IP packet contains:

Source address

Source port number

Destination address

Destination port number

The above information as a whole is also referred to as a socket because this is what is needed to make a successful connection to a remote host. It is important to point out that the destination port number also indicates what protocol is being used. Under normal circumstances, the source and destination address and source and destination port numbers are different. In these cases, IP works as designed. Unfortunately, when IP packets contain unconventional information, most TCP/IP stacks do not know how to handle it and they crash. One instance where this is true is when someone sets the source and destination addresses and source and destination ports to the same value.

Detailed Description

Some implementations of TCP/IP are vulnerable to SYN packets when the source address and port are the same as the destination. For this to occur, an attacker has to spoof both the source address and port number. The following are the properties of a land attack:

Source and destination address have the same value

Source and destination port numbers have the same value

TCP is a reliable connection-oriented protocol that operates at layer 4, the transport layer. Because TCP is reliable, it requires a three-way handshake to initiate new connections. When a new connection is opened, it uses SYN packets to synchronize the two machines. SYN packets are similar to normal packets, except they have the SYN bit set, which means it is one of the first packets in a new connection. Because land attacks occur when a new session is opened, attackers use SYN packets.

When an attacker wants to attack a machine using the land exploit, he sends a packet to the target machine opening a new connection. The packet has the source address and port number spoofed by setting the source address and port number to be the same as the destination address and port number.

The destination machine receives the packet and replies to the source address and port number. Because that source is the destination machine itself, most machines crash or hang, because they do not know how to handle the reply.

Signature of the Attack

The signature of the attack is fairly simple. Any packet that has the following properties is a land attack:

Source and destination address having the same value

Source and destination port numbers having the same value

These characteristics do not occur in normal packets, so any packets that have these features should be flagged and dropped. The following is tcpdump output from running two different land attacks:

12/03/97 02:19:48 192.168.1.1 80    -> 192.168.1.1 80
12/03/97 02:21:53 192.168.1.1 31337 -> 192.168.1.1 31337

A key point to remember is that a variety of IP stack implementations are unable to process packets sent from themselves to themselves using the same source and destination ports. Remember that TCP replies to the source address and source port.

Source Code/Pseudo Code

Because this attack is relatively straightforward, there is source code available at the following addresses. However, if a hacker wanted to launch such an attack, it would be very easy to write code to do so:

Source code: http://www.insecure.org/

Aggressor: http://neworder.box.sk/

Spike: http://hackersclub.com/

Aggressor and spike are two programs you can use to launch several Denial of Service attacks, including the land attack.

The pseudo code for this is extremely straightforward. Anyone can use a packet generator program to create a packet with a spoofed source address set to the destination address, and a spoofed source port number set to the destination port number.

Also, juggernaut, which is covered in Chapter 5, "Session Hijacking," has a built-in packet generator program. This enables an attacker to craft a packet that launches the land attack against a victim host.

How to Protect Against It

The easiest way to protect against this type of attack is to apply the latest patches from your vendor. This exploit has been out for a while, so most vendors have patches that fix the problem. Most vendors' web sites contain sections on security patches for known exploits. If you go to the appropriate web site, you can download the proper patch and apply it to your system.

For example, Microsoft has the following patches:

Windows NT 4.0

ftp://ftp.microsoft.com/bussys/winnt/winntpublic/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q165005.txt

Windows 95

ftp://ftp.microsoft.com/bussys/winnt/winntpublic/fixes/usa/nt40/hotfixes-postSP3/land-fix/Q177539.TXT

If applying the latest vendor patch is not an option, there is a workaround. Any packet that is coming into your network from the Internet should not have a source address from your internal network. This is the case because (as mentioned earlier) any packets originating on your internal network never come in on the external interface of your router. Therefore, your router can block all incoming packets that have a source address that matches an address on your internal network. However, this does not protect against an attacker who breaks into an internal host and launches an attack against another internal host.

The fix that uses router filters is the same fix used to stop IP spoofing attacks on networks.
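The land signature from the "Signature of the Attack" section and the anti-spoofing router filter described just above can be expressed together as two packet-classification rules. The following is an added example, not code from the book or from any of the tools it names: it parses log lines in the same "date time src sport -> dst dport" layout as the land dump shown earlier, flags a packet as land when source and destination address and port match, and flags it as spoofed when an internal source address arrives on the external interface. The sample lines are constructed (the two land lines from the text plus two extra ones), and the internal prefix 192.168.1.0/24 and the "external"/"internal" interface labels are assumptions made for the example.

```python
import ipaddress

# Constructed sample log in the flattened layout used by the land dump in the
# text; the first two lines are the dump, the last two are added for contrast.
LOG = """\
12/03/97 02:19:48 192.168.1.1 80 -> 192.168.1.1 80
12/03/97 02:21:53 192.168.1.1 31337 -> 192.168.1.1 31337
12/03/97 02:22:10 10.20.30.40 51234 -> 192.168.1.1 80
12/03/97 02:23:05 192.168.1.77 4000 -> 192.168.1.1 25
"""

# Assumed internal address range protected by the router filter.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")


def parse_line(line):
    """Turn 'date time src sport -> dst dport' into a packet dict."""
    date, time, src, sport, arrow, dst, dport = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log layout: {line!r}")
    return {
        "ts": f"{date} {time}",
        "src": ipaddress.ip_address(src), "sport": int(sport),
        "dst": ipaddress.ip_address(dst), "dport": int(dport),
    }


def is_land(pkt):
    """Land signature: a packet addressed from a host and port to itself."""
    return pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]


def is_spoofed_ingress(pkt, interface, internal=INTERNAL_NET):
    """Anti-spoofing rule: internal sources never legitimately enter on the
    external interface, so such a packet must carry a forged source."""
    return interface == "external" and pkt["src"] in internal


def classify(line, interface):
    """Return the list of rules a packet trips, or ['allow'] if none."""
    pkt = parse_line(line)
    verdicts = []
    if is_land(pkt):
        verdicts.append("land")
    if is_spoofed_ingress(pkt, interface):
        verdicts.append("spoofed-source")
    return verdicts or ["allow"]


def filter_log(text, interface):
    """Classify every non-empty line of a log as seen on the given interface."""
    return [(parse_line(line)["ts"], classify(line, interface))
            for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for iface in ("external", "internal"):
        print(f"--- packets arriving on the {iface} interface ---")
        for ts, verdict in filter_log(LOG, iface):
            print(ts, verdict)
```

Running the same log through both interface labels illustrates the caveat in the text: on the external interface the router's anti-spoofing rule alone catches both land packets (their source is an internal address), but a land packet injected from an internal host only trips the land rule, so the two checks are complementary rather than redundant.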

Additional Information

Additional information can be found at the following sites:

http://www.cert.org

http://www.insecure.org
