search

Attacker sends a large number of connection or information requests to a target

1 Jahrs vor
Kommentare: 0
Ansichten: 168

Attack defense is an important network security function of the firewall. With this function, the firewall can detect various network attack behaviors and take measures to protect the network, ensuring normal running of the internal network and systems.

Show

Types of Network Attacks

Network attacks are classified into three types: Denial of Service (DoS) attacks, scanning and snooping attacks, and malformed packet attacks.

  • DoS attack

    An attacker sends a large number of data packets to the target system to prevent the system from processing requests from authorized users or make the host stop responding. DoS attackers include SYN Flood attacks and Fraggle attacks.

    DoS attacks are different from other attacks because DoS attackers do not search for the ingress of a network but prevent authorized users from accessing resources or firewall.

  • Scanning and snooping attack

    Scanning and snooping attacks identify existing systems on a network through ping scanning (including ICMP and TCP scanning), and then find out potential targets. By scanning TCP and UDP ports, the attackers can know the operating system and the monitored services.

    Through scanning and snooping, an attacker can generally know the service type of the system and prepare for further intrusion to the system.

  • Malformed packet attack

    An attacker sends malformed IP packets to a target system. The target system crashes when processing the malformed IP packets. Malformed packet attacks include Ping of Death and Teardrop.

The following describes typical attacks on networks.

Land Attack

An attacker initiates a Land attack by setting the source and destination addresses of a TCP SYN packet to the IP address of a target host. The target host then sends a SYN-ACK message to its own IP address, and the ACK message is sent back to the target host. This forms a null session. Every null session exists until it times out. Figure 6-7 shows a Land attack.

Figure 6-7  Land attack

The responses to the Land attack vary according to the targets. For instance, many UNIX hosts crash while Windows NT hosts slow down.

Smurf Attack

A simple Smurf attack is used to attack a network. The attacker sends an ICMP Echo request to the broadcast address of the network. All the hosts on the network respond to the request and the network is congested. Figure 6-8 shows a simple Smurf attack.

Figure 6-8  Simple Smurf attack

An advanced Smurf attack targets hosts. The attacker sends an ICMP Echo request packet to the network where the target host is located. The source IP address of the packet is the IP address of the target host; therefore, all ICMP Echo Reply packets are sent to the target host. This slows down packet processing on the target host or can even make the host crash. Figure 6-9 shows an advanced Smurf attack.

Figure 6-9  Advanced Smurf attack

Sending attack packets generates certain traffic and lasts for some time. Theoretically, the attack causes severe damages when there are more hosts on the network.

WinNuke Attack

Network Basic Input/Output System (NetBIOS) is a network access interface that is widely used in file sharing, print sharing, and data exchange between different operating systems. Generally, NetBIOS is a multicast-based interface and runs over the Logical Link Control Type 2 (LLC2) protocol. The common TCP/UDP ports to implement NetBIOS on the TCP/IP protocol stack:

  • 139: a TCP port used for the NetBIOS sessions.
  • 137: a UDP port used for the NetBIOS name service.
  • 136: a UDP port used for the NetBIOS datagram service.

Windows operating systems implement NetBIOS over TCP/IP and open port 139.

WinNuke attacks use the vulnerability of Windows operating systems. An attacker sends data packets carrying TCP out-of-band (OOB) packets to port 139. These attack packets differ from normal OOB packets in that the pointer field in the packets does not match the actual location of data. When the Windows operating system processes these packets, it may crash.

SYN Flood Attack

A SYN Flood attack uses the three-way handshake mechanism of the TCP protocol to attack the target host. An attacker sends a SYN packet to the target host to request for a TCP connection, but it does not respond to the SYN-ACK packet sent from the target host. If the target host does not receive the response from the attacker, it keeps waiting and forms a half connection. Figure 6-10 shows a SYN Flood attack.

Figure 6-10  Half connection

The attacker sends a lot of TCP SYN packets to make the target host set up many half connections, which occupy a large number of resources. When the resources on the target host are used up, data processing on the host slows down and authorized users cannot access the host.

The attacker can also generate a SYN packet with a pseudo or non-existent source address to attack the target host.

ICMP Flood Attack

A network administrator uses the ping program to monitor networks and locate faults. The ping process is as follows:

  1. A source host sends an ICMP Echo Request packet to a destination host.
  2. After receiving the ICMP Echo Request packet, the destination host returns an ICMP Echo Reply packet to the source host.

ICMP packets are processed by the CPU and may consume many CPU resources in some cases.

If an attacker sends a large number of ICMP Echo Request packets to a target host, the target host becomes busy processing these Echo Request packets and cannot process other data packets. Figure 6-11 shows an ICMP Flood attack.

Figure 6-11  ICMP Flood attack

UDP Flood Attack

A UDP flood attack is similar to an ICMP flood attack. An attacker sends a large number of UDP packets to a target host. The target host becomes busy processing these UDP packets and cannot process normal data packets.

IP Sweeping and Port Scanning Attack

An attacker uses a scanning tool to probe target IP addresses and ports. The targets then respond to the probes, through which the attacker can know which target systems are active and connected to the network and which ports are open or closed.

Ping of Death Attack

Ping of Death is an attack to a system by sending oversized ICMP packets.

The Length field of an IP packet is 16 bits, indicating that the maximum length of an IP packet is 65535 bytes. If the data field of an ICMP Echo Request packet is longer than 65507 bytes, the length of the ICMP Echo Request packet (ICMP data + 20-byte IP header + 8-byte ICMP header) is larger than 65535 bytes. Some systems or devices cannot process oversized ICMP packets. If they receive such packets, they may stop responding, crash, or restart. Figure 6-12 shows an oversized ICMP packet.

Figure 6-12  Oversized ICMP packet

Large-ICMP Attack

Similar to a Ping of Death attack, a Large-ICMP attack sends oversize ICMP packets to attack a system. Although the length of Large-ICMP packets does not exceed the maximum length of an IP packet (65535 bytes), the Large-ICMP packets also have great impact on some operating systems.

To prevent Large-ICMP attack, set the maximum length of ICMP packets on the firewall.

ICMP-Unreachable Attack

After receiving an ICMP network-unreachable packet (packet type field is 3 and code is 0) or host-unreachable packet (packet type is 3 and code is 1), some systems consider the subsequent packets sent to this destination unreachable. The systems then disconnect the destination from the host. Figure 6-13 shows an ICMP-Unreachable attack.

Figure 6-13  ICMP-unreachable attack

The attacker sends ICMP-Unreachable packets to the target hosts to change routes on the target hosts. In this case, packet forwarding on the hosts is abnormal.

ICMP-Redirect Attack

An ICMP-Redirect attack is similar to an ICMP-Unreachable attack.

A network device can send ICMP Redirect packets to a host in the same subnet, requesting the host to change its routes.

Similarly, an attacker sends a fake Redirect packet to the target host on another network segment, requesting the target host to modify the routing table. The attack changes routes on the target host and affects packet forwarding. Figure 6-14 shows an ICMP-Redirect attack.

Figure 6-14  ICMP-Redirect attack

IP Fragment Attack

The fields related to fragmentation of an IP packet are Don't Fragment (DF) bit, More fragments (MF) bit, Fragment Offset, and Length.

If the previous fields conflict and a device does not process the fields properly, the device may stop running or even crash. In the following cases, the fields conflict:

  • The DF bit is set, but the MF bit is also set or the fragment offset is not 0.
  • The DF bit is 0, but the sum of Fragment Offset and Length is larger than 65535.

In addition, the device must directly discard the fragment packets destined for itself because the fragment packets result in a heavy load in packet caching and reassembly.

Teardrop Attack

During packet transmission, an IP packet must be fragmented when it is longer than the maximum transmission unit (MTU) of the link layer. The IP packet header contains an offset field and an MF field. If the MF field is set to 1, the IP packet is a fragment. The offset field indicates the location of this fragment in the whole IP packet. The receiver can reassemble the IP packet based on the information carried in the IP packet header.

For example, if a large packet is transmitted over a link with a smaller MTU, the packet is fragmented into two IP packets. The receiver then reassembles the two IP packets into the original IP packet. Figure 6-15 shows the normal packet reassembling process.

Figure 6-15  Packet reassembly

If an attacker sets the offset field to an incorrect value, the receiver cannot correctly assemble packets. Some TCP/IP protocol stacks may crash when they receive a pseudo fragment containing an overlapping offset. This is a Teardrop attack. Figure 6-16 shows a Teardrop attack packet.

Figure 6-16  Teardrop attack diagram

Fraggle Attack

A Fraggle attack is similar to a Smurf attack, except that the Fraggle attack sends UDP packets but not ICMP packets. Therefore, the Fraggle attack packets can traverse some firewalls that prevent ICMP packets.

A Fraggle attack can be successful because both UDP port 7 (ECHO) and port 19 (Chargen) return responses after receiving UDP packets. The details are as follows:

  • UDP port 7 returns a response (similar to the ICMP Echo-Reply packet) after receiving a packet.
  • UDP port 19 generates a character flow after receiving the packet.

The two UDP ports send a lot of response packets, which occupy high network bandwidth.

The attacker can send a UDP packet to the target network. The source address of the UDP packet is the IP address of the attacked host and its destination address is the broadcast address or network address of the host's subnet. The destination port number of the packet is 7 or 19. All the hosts with the port open on the subnet send response packets to the attacked host. This generates heavy traffic, which blocks the network or makes the host crash.

The hosts with the port closed on the subnet generate ICMP Unreachable packets, which still consume high bandwidth. If the attacker sets the source port to 19 (Chargen) and the destination port to 7 (ECHO), severer damages are caused because the response packets are generated automatically and continuously.

Tracert Attack

Tracert is to discover the packet transmission path through the ICMP timeout packets that is returned when time to live (TTL) value is 0 or through the returned ICMP port-unreachable packets.

An attack can obtain the network structure through Tracert. This brings security risks to the network.

Malformed TCP Packet Attacks

A malformed TCP packet is a packet with an incorrect 6-bit TCP header. An error will occur when the TCP protocol stack on the receiver processes the TCP packet.

When the attacker sends a large number of connection or information requests to a target?

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS): In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information requests to a target (see Figure 2-11).

Which type of attacker will hack systems to conduct terrorist activities via network or internet pathways?

Cyberterrorists hack systems to conduct terrorist activities via network or Internet pathways.

When the attacker launches stream of requests against the target from many locations simultaneously this is called?

A distributed denial-of-service (DDoS) attack occurs when multiple machines are operating together to attack one target. DDoS attackers often leverage the use of a botnet—a group of hijacked internet-connected devices to carry out large scale attacks.

What type of attack when the target vulnerabilities include headers and payloads of specific application protocols?

Header-based attacks are a form of computer offensive in which the attacker uses its ability to forge arbitrary header data to exploit a flaw in the target's software that will process this header.

attacker sends large number connection information requests target

zusammenhängende Posts

Which routing protocol sends a routing update to neighboring routers every 30 seconds?
Which routing protocol sends a routing update to neighboring routers every 30 seconds?

Which of the following protocols does DHCP use when it sends out IP configuration?
Which of the following protocols does DHCP use when it sends out IP configuration?

Which of the following is described as an attacker who pretends to be from a legitimate research firm who asks for personal information?
Which of the following is described as an attacker who pretends to be from a legitimate research firm who asks for personal information?

Which attacker category might have the objective of retaliation against an employer
Which attacker category might have the objective of retaliation against an employer

What device sends dhcp release and dhcp decline messages?
What device sends dhcp release and dhcp decline messages?

What would be the primary reason an attacker would launch a MAC address overflow attack
What would be the primary reason an attacker would launch a MAC address overflow attack

When the attacker gains access to system or network using known or previously unknown access mechanism this is called?
When the attacker gains access to system or network using known or previously unknown access mechanism this is called?

A hardware device that sends data to a computer, allowing you to interact with and control it.
A hardware device that sends data to a computer, allowing you to interact with and control it.

Which type of attacker will hack systems to conduct terrorist activities via network or Internet pathways?
Which type of attacker will hack systems to conduct terrorist activities via network or Internet pathways?

Which term describes reducing the impact should an attacker successfully exploit the vulnerability?
Which term describes reducing the impact should an attacker successfully exploit the vulnerability?

Werbung

NEUESTEN NACHRICHTEN

Borderline wer ist schuld
1 Jahrs vor . durch LunarLine-up
Wer hat mich auf Instagram blockiert
1 Jahrs vor . durch IncipientHeader
Wie geht es dir was soll ich antworten?
1 Jahrs vor . durch SolubleAuthority
Kind 1 Jahr wie oft Fleisch
1 Jahrs vor . durch ThirstyRepublic
Was müssen Sie bei der Beladung von Fahrzeugen zu beachten?
1 Jahrs vor . durch WaxedHeadquarters
Schütz Die Himmel erzählen die Ehre Gottes
1 Jahrs vor . durch ExtrinsicSaucer
In planning an IS audit, the MOST critical step is the identification of the
1 Jahrs vor . durch SteepPanther
Wie lange darf eine Kaution einbehalten werden?
1 Jahrs vor . durch SeasonalBanjo
Sarah connor nicht bei voice of germany
1 Jahrs vor . durch FloridIceberg
Kann man mit dem Fachabitur Jura studieren?
1 Jahrs vor . durch PolarIndecency

Werbung

Populer

Werbung

Um

Legal

Hilfe

Sozial

homeendefrjpkoptzhhiitthtr
Urheberrechte © © 2024 ketiadaan Inc.