CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [50]

handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as a TCP SYN flood attack. The protocol is also susceptible to access and modification attacks, which are briefly explained in the following sections.


TCP SYN or TCP ACK Flood Attack

The TCP SYN flood, also referred to as the TCP ACK attack, is common. The purpose is to deny service. The attack begins as a normal TCP connection: The client and server exchange information in TCP packets. Figure 2.11 illustrates how this attack occurs. Notice that the TCP client continues to send ACK packets to the server. The ACK packets tell the server that a connection is requested. The server responds with an ACK packet to the client. The client is supposed to respond with another packet accepting the connection, and a session is established.

FIGURE 2.11 TCP SYN flood attack

In this attack, the client continually sends and receives the ACK packets but doesn’t open the session. The server holds these sessions open, awaiting the final packet in the sequence. This causes the server to fill up the available sessions and deny other clients the ability to access the resources.

This attack is virtually unstoppable in most environments without working with upstream providers. Many newer routers can track and attempt to prevent this attack by setting limits on the length of an initial session to force sessions that don’t complete to close out. This type of attack can also be undetectable. An attacker can use an invalid IP address, and TCP won’t care because TCP will respond to any valid request presented from the IP layer.
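The mechanism described above (half-open sessions filling the server's table, and the timeout that newer routers use to close out sessions that never complete) can be modelled directly. The following is an added example, not code from the study guide: a minimal simulation of a server's half-open connection table with a constructed traffic sample; the IP addresses, backlog size and timeout values are assumed for illustration.

```python
from collections import Counter

# Constructed model (not from the study guide) of a server's half-open
# (SYN_RECV) connection table. Entries are added when the first packet of a
# handshake arrives and removed only when the handshake completes or, if an
# expiry timer is configured, when the entry has sat unfinished too long.
class HalfOpenTable:
    def __init__(self, backlog, expiry_seconds=None):
        self.backlog = backlog            # how many half-open entries fit
        self.expiry = expiry_seconds      # None = never reclaim (unprotected)
        self.pending = {}                 # (src_ip, src_port) -> arrival time
        self.established = set()
        self.rejected = []                # clients turned away: the DoS effect

    def _reap(self, now):
        # The "limit on the length of an initial session" from the text.
        if self.expiry is None:
            return
        stale = [k for k, t in self.pending.items() if now - t > self.expiry]
        for k in stale:
            del self.pending[k]

    def on_syn(self, src, now):
        self._reap(now)
        if len(self.pending) >= self.backlog:
            self.rejected.append(src)
            return False
        self.pending[src] = now
        return True

    def on_final_ack(self, src, now):
        if src not in self.pending:
            return False
        del self.pending[src]
        self.established.add(src)
        return True

def half_open_by_source(table):
    """Pending entries per source IP: many unfinished handshakes from one
    address is the pattern a defender looks for in connection-state output."""
    return Counter(ip for ip, _ in table.pending)

def simulate(expiry_seconds):
    # Constructed traffic: one address (documentation range) leaves five
    # handshakes unfinished at t=0, then a legitimate client tries at t=60.
    table = HalfOpenTable(backlog=5, expiry_seconds=expiry_seconds)
    for port in range(5):
        table.on_syn(("203.0.113.7", 40000 + port), now=0)
    legit = ("10.0.0.9", 51000)
    accepted = table.on_syn(legit, now=60)
    if accepted:
        table.on_final_ack(legit, now=60)
    return accepted, half_open_by_source(table)
```

With `expiry_seconds=None` the legitimate client is refused because the table is full; with a 30-second expiry the stale entries are reclaimed first and the client connects.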


TCP Sequence Number Attack

TCP sequence number attacks occur when an attacker takes control of one end of a TCP session. This attack is successful when the attacker kicks the attacked end off the network for the duration of the session. Each time a TCP message is sent, either the client or the server generates a sequence number. In a TCP sequence number attack, the attacker intercepts and then responds with a sequence number similar to the one used in the original session. This attack can either disrupt or hijack a valid session. If a valid sequence number is guessed, attackers can place themselves between the client and server. Figure 2.12 illustrates a sequence number attack in process against a server. In this example, the attacker guesses the sequence number and replaces a real system with one of their own.

In this case, the attacker effectively hijacks the session and gains access to the session privileges of the victim’s system. The victim’s system may get an error message indicating that it has been disconnected, or it may reestablish a new session. Either way, the attacker takes over the connection and the data flowing from the legitimate system, and with it the privileges established by the session when it was created.

FIGURE 2.12 TCP sequence number attack

This weakness is again inherent in the TCP protocol, and little can be done to prevent it. Your major defense against this type of attack is knowing that it’s occurring. Such an attack is also frequently a precursor to a targeted attack on a server or network.


TCP/IP Hijacking

TCP/IP hijacking, also called active sniffing, involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system. The server won’t know this has occurred and will respond as if the client is trusted. Figure 2.13 shows how TCP/IP hijacking occurs. In this example, the attacker forces the server to accept its IP address as valid.

TCP/IP hijacking presents the greatest danger to a network because the hijacker will probably acquire privileges and access to all the information on the server. As with a sequence number attack, there is little you can do to counter the threat. Fortunately, these attacks
