How it works
The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP
address to an open port as both source and destination.
A LAND attack works because it causes the machine to reply to itself continuously.
Definition: A LAND attack involves IP packets where the source and destination address are set to
address the same device.
The Smurf attack is a way of generating significant computer network traffic on a victim network.
This is a type of denial-of-service attack that floods a system via spoofed broadcast ping messages.
This attack relies on a perpetrator sending a large amount of ICMP echo request (ping) traffic
to IP broadcast addresses, all of which have a spoofed source IP address of the intended victim. If
the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts
(for example via a layer 2 broadcast), most hosts on that IP network will take the ICMP echo
request and reply to it with an echo reply, multiplying the traffic by the number of hosts responding.
On a multi-access broadcast network, hundreds of machines might reply to each packet.
Another proposed solution is network ingress filtering, which rejects the attacking packets on the
basis of the forged source address.
An example of configuring a router not to forward packets to broadcast addresses, for a Cisco router,
is:
Router(config-if)# no ip directed-broadcast
Smurf amplifier
A Smurf amplifier is a computer network that lends itself to being used in a Smurf attack. Smurf
amplifiers act to worsen the severity of a Smurf attack because they are configured in such a way that
they generate a large number of ICMP replies to the victim at the spoofed source IP address.
Technical details
Normally when a client attempts to start a TCP connection to a server, the client and server exchange a
series of messages which normally runs like this:
1. The client requests a connection by sending a SYN (synchronize) message to the server.
2. The server acknowledges this request by sending SYN-ACK back to the client.
A SYN flood attack works by never sending the server the expected ACK. The malicious client can either
simply not send the expected ACK, or spoof the source IP address in the SYN so that the server sends the
SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN.
The server will wait for the acknowledgement for some time, as simple network congestion could also be
the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will
bind resources on the server until no new connections can be made, resulting in a denial of service to
legitimate traffic. Some systems may also malfunction badly or even crash if other operating system
functions are starved of resources in this way.
Countermeasures
There are a number of well-known countermeasures, [1] including:
SYN cookies, which provide protection against the SYN flood by eliminating the resources allocated on the
target host.
Limiting new connections per source per timeframe is not a general solution since the attacker can spoof
the packets to have multiple sources.
SYN cookies are the key element of a technique used to guard against SYN flood attacks. Daniel
J. Bernstein, the technique's primary inventor, defines SYN cookies as "particular choices of
initial TCP sequence numbers by TCP servers." In particular, the use of SYN cookies allows a server to
avoid dropping connections when the SYN queue fills up. Instead, the server behaves as if the SYN
queue had been enlarged. The server sends back the appropriate SYN+ACK response to the client but
discards the SYN queue entry. If the server then receives a subsequent ACK response from the client, the
server is able to reconstruct the SYN queue entry using information encoded in the TCP sequence
number.
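As an added example (not part of the original text or of any kernel's implementation), the following simplified SYN-cookie scheme shows the handshake state being encoded into the server's initial sequence number and rebuilt from the final ACK alone, so a server keeps no SYN-queue entry per half-open connection. The bit layout follows Bernstein's 5/3/24 split; the key, MSS table, counter window and 4-tuple are constructed for the demo, and the keyed-hash function is an assumption rather than the exact function any real stack uses.

```python
import hashlib
import hmac

# Constructed demo key: a real server keeps this secret and rotates it.
SERVER_KEY = b"constructed-demo-secret"
# Hypothetical MSS classes; the index must fit the 3 bits reserved for it.
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_WINDOW = 2  # accept the current and the previous counter value

def _mac24(flow, counter, client_isn, mss_idx):
    """24-bit keyed hash over the 4-tuple, counter, client ISN and MSS class."""
    src_ip, src_port, dst_ip, dst_port = flow
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}|{client_isn}|{mss_idx}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()[:3]

def make_syn_cookie(flow, client_isn, client_mss, counter):
    """Server ISN for the SYN+ACK: 5 bits counter, 3 bits MSS class, 24 bits MAC.
    counter is a slowly increasing value such as int(time.time() // 64)."""
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i  # largest class not exceeding what the client offered
    mac = int.from_bytes(_mac24(flow, counter, client_isn, mss_idx), "big")
    return ((counter & 0x1F) << 27) | (mss_idx << 24) | mac

def validate_ack(flow, seq_number, ack_number, now_counter):
    """Rebuild the SYN-queue entry from the ACK alone; returns the MSS or None.
    seq_number is the client's ISN + 1, ack_number is the server's cookie + 1."""
    client_isn = (seq_number - 1) & 0xFFFFFFFF
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 24) & 0x07
    if mss_idx >= len(MSS_TABLE):
        return None  # MSS class this server never emits
    for delta in range(COUNTER_WINDOW):
        counter = now_counter - delta
        if (counter & 0x1F) != t:
            continue  # cookie is stale (or forged) for this counter value
        expected = _mac24(flow, counter, client_isn, mss_idx)
        if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None

if __name__ == "__main__":
    flow = ("198.51.100.7", 40000, "203.0.113.1", 80)  # constructed 4-tuple
    cookie = make_syn_cookie(flow, client_isn=12345, client_mss=1460, counter=100)
    # Nothing was stored; the final ACK carries everything needed to rebuild the state.
    print(validate_ack(flow, 12346, cookie + 1, 100))  # 1460
    print(validate_ack(flow, 12346, cookie + 1, 103))  # None: cookie expired
```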
6. Teardrop
In a Teardrop attack, the attacker sends two IP fragments, the latter entirely contained within the former.
This causes some computers to allocate too much memory and crash.
7. Non-TCP Flooding
Advanced firewalls maintain state information about connections in a State table. In Non-TCP Flooding
attacks, the attacker sends high volumes of non-TCP traffic. Since such traffic is connectionless, the
related state information cannot be cleared or reset, and the firewall State table is quickly filled up. This
prevents the firewall from accepting new connections and results in a Denial of Service (DoS).