Online Book Reader


CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [51]

require fairly sophisticated software and are harder to engineer than a DoS attack such as a TCP SYN attack.

FIGURE 2.13 TCP/IP hijacking attack

UDP Attacks

A UDP attack targets either a maintenance protocol or a UDP service in order to overload services and create a DoS situation. UDP attacks can also exploit weaknesses in the UDP-based protocols themselves.

One of the most popular UDP attacks is the ping of death discussed earlier in the section “Identifying Denial-of-Service and Distributed Denial-of-Service Attacks.”

UDP packets aren’t connection-oriented and don’t require the synchronization process described in the previous section. UDP packets, however, are susceptible to interception, and UDP can be attacked. UDP, like TCP, doesn’t check the validity of IP addresses. The nature of this layer is to trust the layer below it, the IP layer.

The most common UDP attacks involve UDP flooding. UDP flooding overloads services, networks, and servers. Large streams of UDP packets are focused at a target, causing the UDP services on that host to shut down. UDP floods also overload the network bandwidth and cause a DoS situation to occur.

ICMP Attacks

ICMP attacks occur by triggering a response from the ICMP protocol to a seemingly legitimate maintenance request. From earlier discussions, you’ll recall that ICMP is often associated with echoing.

ICMP supports maintenance and reporting in a TCP/IP network. It is part of the IP level of the protocol suite. Several programs, including Ping, use the ICMP protocol. Until fairly recently, ICMP was regarded as a benign protocol that was incapable of much damage. However, it has now joined the ranks of protocols used in common attack methods for DoS attacks. Two primary methods use ICMP to disrupt systems: smurf attacks and ICMP tunneling.

Smurf Attacks

Smurf attacks can create havoc in a network. A smurf attack uses IP spoofing and broadcasting to send a ping to a group of hosts in a network. An ICMP ping request (type 8) is answered with an ICMP ping reply (type 0) if the targeted system is up; otherwise an unreachable message is returned. If a broadcast is sent to a network, all of the hosts will answer back to the ping. The result is an overload of the network and the target system.

Figure 2.14 shows a smurf attack under way in a network. The attacker sends a broadcast message with a legal IP address. In this case, the attacking system sends a ping request to the broadcast address of the network. The request is sent to all the machines in a large network. The reply is then sent to the machine identified with the ICMP request (the spoof is complete). The result is a DoS attack that consumes the network bandwidth of the replying system, while the victim system deals with the flood of ICMP traffic it receives.

The primary method of eliminating smurf attacks involves prohibiting ICMP traffic through a router. If the router blocks ICMP traffic, smurf attacks from an external attacker aren’t possible.

FIGURE 2.14 A smurf attack under way against a network
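To make the pattern in Figure 2.14 concrete from the defender's side, here is an added Python example (not from the study guide) that scans a constructed list of ICMP packet records for the two halves of a smurf attack: echo requests aimed at the local network's directed broadcast address, and a single destination receiving echo replies from many distinct local hosts. The packet records and the 192.0.2.0/24 network are constructed sample values.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample of ICMP packet records (not from the book): one tuple per
# packet as (src, dst, icmp_type). Type 8 = echo request, type 0 = echo reply.
SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.255", 8),   # spoofed requests to the broadcast address
    ("203.0.113.7", "192.0.2.255", 8),
    ("203.0.113.7", "192.0.2.255", 8),
    ("192.0.2.10", "203.0.113.7", 0),    # hosts on 192.0.2.0/24 reply to the victim
    ("192.0.2.11", "203.0.113.7", 0),
    ("192.0.2.12", "203.0.113.7", 0),
    ("192.0.2.13", "203.0.113.7", 0),
    ("192.0.2.14", "203.0.113.7", 0),
    ("192.0.2.20", "192.0.2.21", 8),     # ordinary ping between two hosts, not flagged
    ("192.0.2.21", "192.0.2.20", 0),
]

def detect_smurf(packets, local_net, min_reply_sources=5):
    """Return (broadcast_requests, amplified_victims).

    broadcast_requests: Counter of source addresses that sent echo requests to
        the directed broadcast address of local_net (the amplification step).
    amplified_victims: dict mapping a destination to the number of distinct
        local hosts that sent it echo replies, kept only when that number is
        at least min_reply_sources (the victim absorbing the amplified flood).
    """
    net = ipaddress.ip_network(local_net)
    bcast = net.broadcast_address
    broadcast_requests = Counter()
    reply_sources = defaultdict(set)
    for src, dst, icmp_type in packets:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if icmp_type == 8 and d == bcast:
            broadcast_requests[src] += 1
        elif icmp_type == 0 and s in net:
            reply_sources[dst].add(src)
    amplified = {dst: len(srcs) for dst, srcs in reply_sources.items()
                 if len(srcs) >= min_reply_sources}
    return broadcast_requests, amplified

if __name__ == "__main__":
    reqs, victims = detect_smurf(SAMPLE_PACKETS, "192.0.2.0/24")
    for src, n in reqs.items():
        print(f"{src} sent {n} echo requests to the broadcast address")
    for dst, n in victims.items():
        print(f"{dst} received echo replies from {n} distinct local hosts")
```

The first signal is what a border router can block by dropping packets addressed to the directed broadcast address; the second is what the victim's own monitoring would see.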

ICMP Tunneling

ICMP messages can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. This is a relatively new opportunity to create havoc and mischief in networks.

The countermeasure for ICMP attacks is to deny ICMP traffic through your network. You can disable ICMP traffic in most routers, and you should consider doing so in your network.

Many of the newer SOHO router solutions (and some of the personal firewall solutions on end-user workstations) close down the ICMP ports by default. Keep this in mind, as it can drive you nuts when you are trying to see if a brand-new station/server/router is up and running.

Understanding Software Exploitation

The term software exploitation refers to attacks launched against applications and higher-level services. They include gaining access to data
