Attack Profiles
Overview
This book discusses a number of potential attacks without necessarily defining them. This chapter
profiles all of the common attacks hackers use to localize, identify, and attack your systems. Given
the information about how these attacks work, you can configure sophisticated firewall logging and
alerting mechanisms to detect them. This chapter is broken down into the following broad
categories:
• Denial-of-service attacks
• Exploitation attacks
• Information gathering attacks
• Disinformation attacks
These broad categories describe the purposes of nearly all hacking attacks.
Denial-of-Service Attacks
Denial-of-service attacks attempt to prevent you from providing a service by crashing or
overwhelming your service computers. Denial-of-service attacks are the easiest hacks to attempt,
so they are quite common. This section lists the most common of these attacks:
• Ping of Death
• Teardrop
• UDP floods
• SYN floods
• Land
• Smurf
• Fraggle
• E-mail bombs
• Malformed Messages
Ping of Death
The Ping of Death is the granddaddy of all denial-of-service attacks. It exploits the fact that many
TCP/IP implementations trust that ICMP packets are correctly formed and perform too little error
checking.
Warning Attack Status: The original Ping of Death is obsolete; undiscovered effective
malformations of the ICMP echo request may exist, however. Also, many other SMB, RPC, TCP,
IP, or ICMP malformation attacks called "nukers" perform similar functions.
Profile
In order to test throughput capabilities and packet size restrictions, ICMP packets can be
created with sizes anywhere up to 64KB. This allows you to determine the actual maximum packet
size between you and a target system on the Internet. In the early days of the Internet, this
functionality was important because many routers had maximum packet size restrictions. In large
ping packets, the payload portion of the packet is filled with meaningless data. The maximum
payload size is 2^16 bytes (minus packet data overhead).
Ping-of-Death attacks are propagated by creating a malformed ICMP echo request packet in which
the claimed packet size exceeds the maximum possible size. Because the payload size indicator is
16 bits, yielding a maximum possible packet size of 65,535 bytes (the actual limit is around 65,500
bytes due to packet header data overhead), packets that claim to be larger than 65,500 bytes can
cause TCP/IP errors in the receiving system.
In a typical TCP/IP implementation, when a packet header is read, the information contained in the
header is relied upon to create a buffer for the payload. When the claimed size of the packet header
plus payload exceeds the 64KB maximum defined by the TCP/IP specification, the TCP/IP
implementation may crash due to memory allocation errors.
Defense
All standard TCP/IP implementations have been hardened against oversize packets, and most
firewalls automatically filter these attacks. Windows versions since Windows 98, Windows NT since
Service Pack 3, Linux, Solaris, and the Mac OS are all immune to standard variations of the Ping of
Death. Configuring firewalls to block ICMP and any unknown protocols will prevent this attack. For
this reason, this attack in its current form is already obsolete and has no real future.
Teardrop
Teardrop attacks exploit a potential weakness in the fragment reassembly process of some TCP/IP
implementations.
Warning Attack Status: TCP/IP implementations can easily be hardened against Teardrop, but
many operating systems are still vulnerable to it.
Profile
A teardrop attack exploits implementations that trust information in the packet headers of IP
fragments. IP fragments contain fields that indicate which portions of the original packet the
fragment contains. Some TCP/IP implementations (including Windows NT until Service Pack 4) will
crash when presented with forged fragments that have overlapping offsets.
Defense
Apply the latest patches, service packs and hotfixes for your operating system. If you run Windows
NT and must remain on Service Pack 3, apply the teardrop hotfix. For other operating systems,
check with your vendor for a patch to this problem. Configure firewalls to reassemble fragments
rather than forwarding them; most firewall TCP/IP implementations should be hardened against this
attack.
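The two fragment checks a reassembling firewall applies before accepting a datagram, covering both the Ping of Death (a claimed size beyond the 16-bit limit) and Teardrop (overlapping fragment offsets) profiles above. This is an added example, not code from the book; the Fragment fields and the three sample fragment sets are constructed for the illustration.

```python
# Added example, not code from the book: a fragment sanity check of the kind a
# reassembling firewall performs before accepting an IP datagram.  Field names and
# sample packets are constructed for this illustration.
from dataclasses import dataclass
from typing import List

IP_MAX_LEN = 65535   # the 16-bit IP total-length field cannot describe a longer datagram

@dataclass
class Fragment:
    ident: int        # IP identification field, shared by all pieces of one datagram
    offset: int       # fragment offset field, in 8-byte units
    more: bool        # MF flag: True on every fragment except the last
    payload_len: int  # bytes of data carried by this fragment

def check_fragments(frags: List[Fragment]) -> str:
    """Return 'ok' if the set (all pieces of one ident) can be reassembled safely,
    otherwise the reason the whole set must be dropped."""
    covered_end = 0   # byte just past the highest data already accounted for
    for f in sorted(frags, key=lambda f: f.offset):
        start = f.offset * 8
        end = start + f.payload_len
        if end > IP_MAX_LEN:            # Ping of Death: claimed size exceeds 2^16 - 1
            return f"oversize: fragment claims data up to byte {end} > {IP_MAX_LEN}"
        if start < covered_end:         # Teardrop: this fragment overlaps an earlier one
            return f"overlap: fragment at byte {start} overlaps data ending at {covered_end}"
        if f.more and f.payload_len % 8:
            return "malformed: non-final fragment length is not a multiple of 8"
        covered_end = end
    return "ok"

# Constructed sample fragment sets (ident 1 throughout).
NORMAL = [Fragment(1, 0, True, 1480), Fragment(1, 185, False, 100)]          # 185*8 == 1480
PING_OF_DEATH = [Fragment(1, 0, True, 1480), Fragment(1, 8189, False, 1480)]  # ends at byte 66992
TEARDROP = [Fragment(1, 0, True, 32), Fragment(1, 3, False, 20)]             # second starts at byte 24

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)):
        print(f"{name}: {check_fragments(frags)}")
```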
UDP Floods
Various spoofing attacks exploit simple TCP/IP services like Chargen and Echo to transmit useless
bandwidth-wasting data.
Warning Attack Status: These attacks are most easily defended against by not running the
unnecessary services they exploit.
Profile
UDP floods are extremely simple: By forging a UDP connection to the Chargen service running on
one host that has the reply address of a host running the Echo service, a hacker can create a
useless stream of data flowing between the two hosts. Creating enough of these streams causes a
bandwidth denial of service.
Defense
Configure hosts to disable simple TCP/IP services that are not necessary. Configure routers to
block UDP requests from the Internet to these services.
SYN Floods
SYN floods are simple attacks that exploit the connection mechanism of TCP.
Warning Attack Status: SYN Floods are easily defended against, but watch out for future variants.
Profile
The requesting client transmits a SYN message to the host service requesting service, and the
receiving server responds with a SYN-ACK message accepting the connection. The client then
responds with an ACK message, after which traffic can flow over the established bidirectional TCP
connection.
When a server receives the initial SYN message, it typically creates a new process thread to handle
the client connection request. This process thread creation requires CPU compute time and
allocates a certain amount of memory. When the TCP session is closed or after a fairly long
time-out period, the server closes the TCP session, which releases the memory used. The amount
of memory and compute time therefore determines the number of simultaneous sessions a server
can support.
SYN floods are bogus SYN messages sent to servers. How a SYN flood affects a victim computer
depends upon its implementation of TCP/IP.
Some TCP/IP stack implementations are only capable of waiting for ACK messages from a limited
number of computers because they have a limited memory buffer for connection establishments. If
this buffer is filled with bogus connection initiations, the server will cease responding to further
connection attempts until the attempts in the buffer time out.
In implementations that are not connection-establishment limited, SYN floods have a similar effect.
Since the server doesn't know a legitimate SYN message from a bogus message, it allocates
compute and memory resources to establishing a connection. By flooding the server with a large
volume of requests, the server's maximum capacity can be used by these bogus and useless
connection attempts.
Defense
The only defense against SYN floods is a good firewall that can recognize the characteristics of a
SYN flood—numerous identical connection attempts coming from the same IP address. These
firewalls can filter subsequent connections from the same host, thus eliminating these SYN floods.
Since the SYN flood source machine isn't looking for a response, there's no reason why the SYN
flood attack software can't simply use randomly generated IP addresses in the source field. This
sort of SYN flood cannot be discerned from a simple high volume of traffic and is able to get past
SYN flood filters.
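The per-source filter described under Defense, run over constructed packet events, alongside a half-open backlog counter that shows the limit just described: a flood from one address trips the per-source rule, while the same number of SYNs from forged random sources never does, yet still fills the server's connection buffer. This is an added example, not code from the book; the thresholds, addresses and event format are constructed.

```python
# Added example, not code from the book: a per-source SYN flood filter as the chapter
# describes it, run over constructed packet events, together with a half-open backlog
# counter that shows why random-source floods slip past the per-source rule.
from collections import Counter

SYN_THRESHOLD = 20    # constructed: unanswered SYNs from one source before it is filtered
BACKLOG_LIMIT = 128   # constructed: half-open connections the server's stack can hold

def analyze(events):
    """events: (src_ip, src_port, flag) tuples in arrival order, flag 'S' for a client
    SYN or 'A' for the client's final ACK.  Returns (filtered_sources, half_open, backlog_full)."""
    unanswered = Counter()   # SYNs per source still waiting for the completing ACK
    half_open = set()        # (src_ip, src_port) pairs occupying backlog slots
    filtered = set()         # sources the per-source rule has already blocked
    backlog_full = False
    for src, sport, flag in events:
        if src in filtered:
            continue                      # firewall drops all later packets from this host
        key = (src, sport)
        if flag == "S":
            if key in half_open:
                continue                  # retransmitted SYN, no new slot
            if len(half_open) >= BACKLOG_LIMIT:
                backlog_full = True       # legitimate clients now get no SYN-ACK
                continue
            half_open.add(key)
            unanswered[src] += 1
            if unanswered[src] >= SYN_THRESHOLD:
                filtered.add(src)         # the characteristic the chapter's firewall keys on
        elif flag == "A" and key in half_open:
            half_open.discard(key)        # handshake completed, slot released
            unanswered[src] -= 1
    return filtered, len(half_open), backlog_full

def single_source_flood(n):
    """n SYNs from one attacking host, never completed (constructed)."""
    return [("198.51.100.9", 40000 + i, "S") for i in range(n)]

def random_source_flood(n):
    """n SYNs each from a different forged source address (constructed, n <= 254)."""
    return [(f"192.0.2.{i + 1}", 1024 + i, "S") for i in range(n)]

if __name__ == "__main__":
    print("single source:", analyze(single_source_flood(200)))
    print("random source:", analyze(random_source_flood(200)))
```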
Land Attack
The Land attack is a variation of the SYN flood that can cause unhardened TCP/IP implementations
to "chase their tails" in a never-ending connection-establishment loop.
Warning Attack Status: Land attack is already obsolete and easily defended against.
Profile
In the Land attack, a specially crafted SYN packet is transmitted to a server host. Both the source
and destination addresses of the SYN packet are set to the server's IP address. This causes the
recipient server to SYN-ACK to its own address, which it subsequently ACKs and establishes an
empty connection. Each connection will remain until the server operating system times out the
connection due to inactivity. Various operating systems respond to the Land attack
differently—Windows NT becomes extremely slow for about five minutes. Many Unix
implementations crash. Most vendors have supplied a fix for the Land attack.
Defense
Apply Land attack patches, hotfixes, or the latest service packs. Configure firewalls to drop any
packets that have an internal source address inbound on the external interface. This always
indicates a spoofed address, and dropping these packets should be default policy in every firewall.
The following IP addresses are illegal on the Internet and should always be filtered in or out of your
external interface:
• 10 domain (10.0.0.0/8)
• 127 domain (127.0.0.0/8, loopback)
• 192.168 domain (192.168.0.0/16)
• 172.16 through 172.31 domain (172.16.0.0/12)
In addition, you should filter your own assigned IP addresses.
Smurf Attack
The Smurf attack is an extremely effective denial-of-service attack based on the direct broadcast
addressing feature of IP that allows a host to transmit data to all hosts in its subnet.
Warning Attack Status: Smurf attacks can be filtered by firewalls, but they may still waste the
bandwidth of your Internet connection because Smurf attacks outside your network can
affect you.
Profile
A simple Smurf attack proceeds by flooding a victim host with ICMP echo request (ping) packets
that have the reply address set to the broadcast address of the victim's network. This causes all the
hosts in the network to reply to the ICMP echo request, thereby generating even more
traffic—typically one to two orders of magnitude more traffic than the initial ping flood.
A more complex Smurf attack proceeds as above but with the source of the echo request set to a
third-party victim, which will receive all the echo requests generated by the targeted subnet of
hosts. This attack is useful to hackers because they can use a relatively slow link like a modem to
cause an avalanche of ping traffic to be sent to any location on the Internet. In this way, a hacker
with a slower link than his ultimate victim can still flood the ultimate victim's pipe by smurfing a
higher-speed network than that of the ultimate victim.
Defense
To prevent hackers from exploiting your network to attack others, shut off the broadcast addressing
feature of your external router or firewall. To prevent being the ultimate victim of a Smurf attack,
configure your firewall to drop ICMP ping messages. If a high-speed provider (like your ISP) has
been successfully smurfed and your network is the victim, there's nothing you can do about relieving
the congestion that the ICMP traffic will cause, even if you filter it out on your end. Contact your ISP
about their firewall policy if this is a concern.
Note Check out to determine if your ISP is vulnerable to Smurf attacks.
Fraggle Attack
The Fraggle attack is a simple modification of the Smurf attack, which uses UDP echo messages
rather than ICMP.
Warning Attack Status: Like its sibling the Smurf, the Fraggle attack can be filtered but may still
consume network bandwidth in areas outside your control.
Profile
Fraggle is a simple rewrite of the Smurf attack that uses UDP rather than ICMP. This allows the
attack to pass through firewalls that only filter ICMP.
Defense
Filter out UDP Echo messages at the firewall.
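One filter policy for the external interface that encodes the UDP flood, Land, Smurf and Fraggle defenses given above: drop packets whose source equals their destination, drop the illegal address ranges in either direction, drop our own addresses arriving as sources from outside, drop directed broadcasts and inbound echo requests, and drop UDP to the Echo and Chargen ports. This is an added example, not code from the book; the site block 203.0.113.0/24, the Packet fields and the sample packets are constructed.

```python
# Added example, not code from the book: a filter policy for the external interface that
# encodes the chapter's UDP flood, Land, Smurf and Fraggle rules.  The site block
# 203.0.113.0/24 and the sample packets are constructed for this illustration.
import ipaddress
from dataclasses import dataclass

OWN_NET = ipaddress.ip_network("203.0.113.0/24")   # constructed: the site's assigned block
ILLEGAL_ON_INTERNET = [ipaddress.ip_network(n) for n in
                       ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIMPLE_UDP_SERVICES = {7: "echo", 19: "chargen"}   # abused by UDP floods and Fraggle

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    icmp_type: int = -1   # 8 = echo request (ping)
    inbound: bool = True  # True: arriving from the Internet on the external interface

def verdict(pkt: Packet) -> str:
    """Return 'accept' or 'drop: <reason>' for one packet crossing the external interface."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if src == dst:
        return "drop: source equals destination (Land)"
    if any(src in n or dst in n for n in ILLEGAL_ON_INTERNET):
        return "drop: private or loopback address is illegal on the Internet"
    if pkt.inbound:
        if src in OWN_NET:
            return "drop: our own address as source arriving from outside (spoofed)"
        if dst in (OWN_NET.network_address, OWN_NET.broadcast_address):
            return "drop: directed broadcast into our network (Smurf/Fraggle amplifier)"
        if pkt.proto == "icmp" and pkt.icmp_type == 8:
            return "drop: inbound ICMP echo request (Smurf)"
        if pkt.proto == "udp" and pkt.dport in SIMPLE_UDP_SERVICES:
            return f"drop: UDP {SIMPLE_UDP_SERVICES[pkt.dport]} from the Internet (UDP flood/Fraggle)"
    elif src not in OWN_NET:
        return "drop: outbound packet with a source address we do not own (spoofed)"
    return "accept"

if __name__ == "__main__":
    for p in (Packet("203.0.113.10", "203.0.113.10", "tcp", dport=80),
              Packet("198.51.100.7", "203.0.113.255", "icmp", icmp_type=8),
              Packet("198.51.100.7", "203.0.113.10", "udp", dport=19),
              Packet("198.51.100.7", "203.0.113.10", "tcp", dport=80)):
        print(p.src, "->", p.dst, verdict(p))
```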
E-mail Bombs
Hackers can flood an e-mail server by repeatedly sending the same large e-mail file to your e-mail
server.
Warning Attack Status: E-mail bombing and its relative, spamming, are fairly easy to filter, but
they waste bandwidth outside your zone of control.
Profile
E-mail bombs are one of the oldest annoyance attacks around. By setting up a machine to
constantly transmit e-mail to the same address, the attacker can use up bandwidth on the
receiver's network.
This attack isn't all that serious, considering the fact that it requires nearly as much bandwidth on
the transmitter's end as it does on the receiver's, which makes true denial of service difficult. E-mail
bombs are also easy to trace, unless they've been transmitted through a mail host that strips
headers.
Defense
Configure mail hosts to automatically delete excessive or duplicate messages from the same host.
Malformed Message Attacks
Many services on various operating systems will crash if they receive malformed messages
because the services do not adequately check for errors in messages before processing them.
Warning
Profile
Attack Status: Malformed message attacks will always be around. The number
and variety of them makes it impossible to make general statements about
vulnerability.
All operating systems have susceptibilities (known or unknown) to various message malformation
problems. Variations include:
• E-mail buffer overruns from malformed e-mail messages
• Web services that can be exploited by providing exceptionally long URLs
• Crashing RPC services by transmitting random data to them
Defense
Stay up-to-date on the latest vulnerabilities reported by your software vendor. Apply patches and
hotfixes to production machines as soon as you're certain that they are stable.
Exploitation Attacks
Exploitation attacks are those attacks that attempt to take direct control of a machine. Here's a list of
some of the most common:
• TCP/IP connection hijacking
• Layer-2 connection hijacking
• Password guessing
• Trojan horses
• Buffer overruns
TCP/IP Connection Hijacking
TCP/IP connection hijacking exploits the fundamental non-randomness of TCP sequence
generation algorithms to insert packets into an existing TCP/IP connection in order to "hijack" the
connection.
Warning Attack Status: This attack is hibernating. Once common because simple pseudorandom
number generators were used to create sequence numbers, most modern TCP/IP stacks now
have highly sophisticated sequence number generators. However, they are not yet truly random,
so there's no reason to believe that an as-yet-unknown algorithm can't make this attack common
again.
Profile
TCP streams use pseudo-randomly generated sequence numbers to order TCP packets and
ensure that the stream is reconstructed in the correct order at the remote end. If a hacker can
predict the next correct sequence number, she can insert her own packets that will be received as if
they were the correct packets. Subsequent packets from the original host will be discarded as
spurious retransmissions or denial-of-service attacks that should be dropped.
The problem is in predicting the next correct sequence number. The difficulty in determining the
next valid sequence number depends entirely upon the quality of the pseudorandom number
generation (PRNG) algorithm used by the host computer to generate the sequence numbers for the
TCP stack.
Computers are terrible at generating random numbers; the same code run twice on any two
computers will always generate the same set of numbers. Therefore, PRNGs must rely on some
external data as a source for "randomness." Early on, some PRNGs used sources as simple as the
real-time clock as external data, but this source isn't at all random and is easily predicted. Better
sources include timings between keystrokes or the frequency of other I/O operations, but these only
work well on computers that have humans using them. Without the human element, these
operations are all just as predictably ordered as anything else in a computer. So, for devices, there
is no truly "good" source of random numbers for TCP sequence generation.
RFC 1948 suggests using the host's IP address and the source and destination ports along with a
fixed truly random "key" number stored on the host to generate random numbers. As long as this
key remains secret, this mechanism should be sufficient to ensure random sequence numbers.
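The RFC 1948 scheme just described, as an added example that is not code from the book: the initial sequence number is the RFC 793 clock plus a keyed hash of the connection's addresses and ports, so observing the ISN of one connection tells an observer nothing about the ISN of the next one. RFC 1948 hashes the 4-tuple and secret with MD5; HMAC-MD5 is used here in its place, and the sample addresses, ports and clock reading are constructed.

```python
# Added example, not code from the book: an RFC 1948-style initial sequence number
# generator.  RFC 1948 hashes the connection 4-tuple with a secret; HMAC-MD5 is used
# here in place of a plain MD5 over the concatenation, and the sample addresses, ports
# and key are constructed for this illustration.
import hashlib
import hmac
import os

HOST_SECRET = os.urandom(16)   # the fixed truly random per-host key; chosen once at boot

def isn_offset(local_ip, local_port, remote_ip, remote_port, secret=HOST_SECRET):
    """F(localhost, localport, remotehost, remoteport, secret) as a 32-bit value.
    Constant for one connection 4-tuple, unrelated across different 4-tuples."""
    msg = f"{local_ip}:{local_port}->{remote_ip}:{remote_port}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.md5).digest()[:4], "big")

def initial_seq(local_ip, local_port, remote_ip, remote_port, microseconds, secret=HOST_SECRET):
    """ISN = M + F(...), with M the RFC 793 clock that advances once every 4 microseconds."""
    m = (microseconds // 4) & 0xFFFFFFFF
    return (m + isn_offset(local_ip, local_port, remote_ip, remote_port, secret)) & 0xFFFFFFFF

def offsets_differ(secret=HOST_SECRET):
    """True when two connections that differ only in remote port get unrelated offsets,
    i.e. watching one connection's ISN does not reveal the next connection's."""
    a = isn_offset("203.0.113.10", 80, "198.51.100.7", 40000, secret)
    b = isn_offset("203.0.113.10", 80, "198.51.100.7", 40001, secret)
    return a != b

if __name__ == "__main__":
    t = 1_000_000   # constructed clock reading in microseconds
    print(hex(initial_seq("203.0.113.10", 80, "198.51.100.7", 40000, t)))
    print(hex(initial_seq("203.0.113.10", 80, "198.51.100.7", 40001, t)))
```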
Should be. The remaining problem is that no matter how random the initial number is, subsequent
numbers are generated by a PRNG. All PRNGs, no matter how random the sequence "looks,"
contain predilections toward certain sequences (this predilection is called strange attraction,
meaning that for some strange reason, the numbers are attracted to a certain order). These strange
attractors can be graphed visually in two or three dimensions to show their non-randomness. While
predicting the next random number is still very difficult, predicting a large set of numbers of which
one might be the next random number is relatively easy. And if you remember that the remote