  • Exploit TCP SYN vulnerability and illustrate the pr

    Published: 2007-07-04

    Exploit TCP SYN vulnerability and illustrate the process.

    (refer to TCP SYN-flood and Land attack)


     

     
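    Denial of Service (DoS) attacks target networks and devices connected to the Internet. Their purpose is not to steal
    your data but to keep your network from operating normally, so that users can no longer access network resources.

    A DoS attack does not require any technical skill on the attacker's part. Anyone with an attack program can disable
    an unprotected network or device. For example, the "WinNuke" attack program can crash unprotected Windows computers
    on the Internet.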

      How a DoS Attack Works

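    There are currently three types of DoS attack. All of them exploit weaknesses in TCP/IP to fill the network with
    junk packets and bring it to a halt.
    The first type exploits flaws in the host system's TCP/IP implementation, for example the "Ping of Death" and
    "Teardrop" attacks.

    "Ping of Death" uses the "ping" utility to generate a packet larger than the maximum the IP protocol allows. When
    this packet reaches a system that does not check for it, the system may crash.

    The Teardrop attack exploits a flaw in IP packet reassembly. When data travels across a network, IP packets are
    often split into many small fragments. Each fragment has roughly the same structure as the original packet, apart
    from some information recording its offset. Teardrop creates IP fragments that contain overlapping offset values.
    When these fragments reach the destination and are reassembled, some systems may crash.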

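    The second type exploits weaknesses in the TCP/IP specification itself, for example the "SYN Flood" and "LAND"
    attacks. In general, when host A wants to communicate with an application on host B, A first sends a SYN packet to
    B. When B receives it, it replies to A with a SYN-ACK packet, and finally A sends an ACK packet to B as
    confirmation. Only after these steps are complete can A and B begin to exchange data.

    A "SYN Flood" attack sends a stream of SYN packets to the targeted system. Each packet makes the system reply with a
    SYN-ACK packet and then wait for the other side to send an ACK packet. A SYN-ACK entry in the system's queue is
    removed only when the peer's ACK packet arrives or the timeout expires. Eventually the queue fills with SYN-ACK
    entries and the system can no longer handle requests from other users.

    A "LAND" attack sends a stream of SYN packets to a system on the network and uses "IP spoofing" to make the system
    believe that it sent these packets itself. When the system processes these packets, it cannot reply to itself, and
    it crashes.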
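
    The following added example (not part of the original article) shows the kind of check a filter can apply to the two packet patterns just described: it parses raw IPv4/TCP headers, flags LAND-style packets whose source address equals the destination address, and counts bare SYNs per destination. The function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10  # TCP flag bits

def build_packet(src, dst, sport, dport, flags):
    """Constructed sample input: 20-byte IPv4 header + 20-byte TCP header, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

def classify(packet):
    """Label one raw IPv4 packet: malformed, not-tcp, land, syn or other."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or (packet[0] & 0x0F) < 5:
        return "malformed"
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if packet[9] != 6:                    # protocol field: 6 = TCP
        return "not-tcp"
    if len(packet) < ihl + 20:
        return "malformed"
    if packet[12:16] == packet[16:20]:    # source address == destination address
        return "land"
    flags = packet[ihl + 13]
    if flags & SYN and not flags & ACK:   # first step of the three-way handshake
        return "syn"
    return "other"

def summarize(packets):
    """Count packet labels and bare SYNs per (destination address, port)."""
    labels, syn_targets = Counter(), Counter()
    for pkt in packets:
        label = classify(pkt)
        labels[label] += 1
        if label == "syn":
            ihl = (pkt[0] & 0x0F) * 4
            dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
            syn_targets[(str(ipaddress.IPv4Address(pkt[16:20])), dport)] += 1
    return labels, syn_targets

SAMPLE = [  # constructed packets using documentation address ranges
    build_packet("198.51.100.7", "192.0.2.10", 40001, 80, SYN),
    build_packet("198.51.100.8", "192.0.2.10", 40002, 80, SYN),
    build_packet("192.0.2.10", "192.0.2.10", 139, 139, SYN),        # LAND pattern
    build_packet("192.0.2.10", "198.51.100.7", 80, 40001, SYN | ACK),
    b"\x45\x00",                                                    # truncated header
]
```

    A packet that arrives from the network with its own destination as the source is never legitimate, so the "land" label can be dropped outright, while the per-destination SYN count is only a signal to compare against a normal baseline.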
     

    1. Denial of service attacks.

    A Denial of service attack is one where the attacker tries to make some resource too busy to answer legitimate requests, or to deny
    legitimate users access to your machine.

    Denial of service attacks have increased greatly in recent years. Some of the more popular and recent ones are listed below. Note that
    new ones show up all the time, so these are just a few examples. Read the Linux security lists for more current information.

    SYN flooding. SYN flooding is a network denial of service attack. It takes advantage of a "loophole" in the way TCP connections are
    created. The newer Linux kernels (2.0.30 and up) have several configurable options to prevent SYN flood attacks from denying people
    access to your machine or services: CONFIG_SYN_COOKIES and CONFIG_RST_COOKIES. Rebuild your kernel with these
    options to reduce your susceptibility to SYN flood attacks.

    Pentium "F00F" bug. It was recently discovered that a series of assembly codes sent to a genuine Intel Pentium processor would lock
    the machine up totally. This affects every machine with a Pentium processor (not clones, not Pentium Pro or PII), no matter what
    operating system it's running. Linux kernel 2.0.32 and up contain a workaround for this bug, preventing it from locking your
    machine. If you are running on a Pentium, you should upgrade now!

    Ping flooding. Ping flooding is a simple brute force denial of service attack. Your attacker sends a "flood" of ICMP packets to your
    machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the
    network. A variation on this attack, "smurfing", sends ICMP packets to a host with _your_ machine's return IP, allowing them to flood
    you less detectably. If you are under a ping flood attack, use a tool like tcpdump to determine where the packets are coming from (or
    appear to be coming from), then contact your provider with this information. Ping floods can most easily be stopped at the router
    level.
     

    2. What is a SYN attack?

    A SYN attack is a denial of service attack in that at least one
    internet port is blocked from legitimate access.  The attacker
    achieves this by sending enough packets to targeted ports to
    completely block or severely curtail access to these ports.  These
    packets are legal packets in compliance with TCP/IP protocols,
    except that they carry faked source addresses.

    The SYN attack is one of the more severe denial of service attacks,
    since every faked SYN packet can disproportionately consume
    a system's resources for a disproportionate amount of time.

    A TCP connection establishment process normally takes an
    exchange of three TCP packets:  an initial SYN packet from a
    client, a SYN-ACK packet from a server, and a SYN-ACK-ACK packet
    from the client. Since the source address of the attacker's SYN
    packet is faked, the SYN-ACK-ACK packet will never come.

    Until the connection establishment process times out, a
    disproportionate amount of system resources is occupied: a slot
    in the attacked port's listen queue, memory to maintain
    connection information, and CPU and network bandwidth to
    retransmit the SYN-ACK packet.

    A TCP listen port has a finite number of slots in its listen
    queue and normally that number of slots is relatively small.
    When an attacker sends enough faked SYN packets, the listen
    queue can be fully occupied and subsequently deny any
    legitimate SYN packet from entering into the listen queue.
     

    3. What are the defenses today against a SYN attack?

    The best defense is to stop it at the source.  End systems
    should not allow unauthorized users or applications to
    generate any faked SYN packet.  Access to the raw socket interface
    should be restricted to trusted users or applications.

    Routers may provide a second line of defense by screening
    incoming IP packets to make sure that they are actually coming
    from valid sources.

    Certain firewall products today can also filter out
    faked IP packets.

    End systems can also provide a last line of defense by
    accommodating a much larger number of incoming SYN packets
    and appropriately replacing those half-open connections that
    have been sitting in the listen queue.
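
    The following added example (not part of the original text) models the listen queue described in section 2 and the last-line defense described above: a larger queue, and replacing the oldest half-open entry when the queue is full. The class, the function and all numbers (one legitimate client per second, a 75-second handshake timeout, a 50 ms round trip) are assumptions made for illustration; nothing here sends packets.

```python
from collections import OrderedDict

class ListenQueue:
    """Toy model of one port's half-open connection queue (not a real TCP stack)."""
    def __init__(self, slots, timeout_ms, evict_oldest=False):
        self.slots, self.timeout_ms, self.evict_oldest = slots, timeout_ms, evict_oldest
        self.half_open = OrderedDict()  # peer -> time its SYN arrived, oldest first

    def _expire(self, now):
        # Drop entries whose handshake timed out without the final ACK.
        while self.half_open:
            peer, t0 = next(iter(self.half_open.items()))
            if now - t0 < self.timeout_ms:
                break
            del self.half_open[peer]

    def on_syn(self, now, peer):
        """Return True if a slot was reserved (a SYN-ACK would be sent)."""
        self._expire(now)
        if len(self.half_open) >= self.slots:
            if not self.evict_oldest:
                return False                    # queue full: the SYN is dropped
            self.half_open.popitem(last=False)  # replace the oldest half-open entry
        self.half_open[peer] = now
        return True

    def on_ack(self, now, peer):
        """Return True if this ACK completes a pending handshake."""
        self._expire(now)
        return self.half_open.pop(peer, None) is not None

def simulate(slots, fake_per_sec, evict_oldest=False, seconds=60,
             timeout_ms=75_000, rtt_ms=50):
    """Count legitimate handshakes completed while faked SYNs (never ACKed) arrive."""
    events = []  # (time_ms, order, kind, peer); order 0 puts faked SYNs first on ties
    for sec in range(seconds):
        for i in range(fake_per_sec):
            t = sec * 1000 + i * 1000 // fake_per_sec
            events.append((t, 0, "syn", ("spoofed", sec, i)))
        client = ("client", sec, 0)
        events.append((sec * 1000 + 500, 1, "syn", client))
        events.append((sec * 1000 + 500 + rtt_ms, 1, "ack", client))
    queue, completed = ListenQueue(slots, timeout_ms, evict_oldest), 0
    for now, _, kind, peer in sorted(events):
        if kind == "syn":
            queue.on_syn(now, peer)
        elif queue.on_ack(now, peer):
            completed += 1
    return completed
```

    In this model a 128-slot queue facing 20 faked SYNs per second completes only 6 of 60 client handshakes, and a 4096-slot queue facing 200 per second completes 20. With oldest-entry replacement the 128-slot queue completes all 60 even at 200 per second, because a real client's ACK arrives long before 128 newer SYNs do.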
     
     

     

     
     
     
