Hi,
I have indexed the text file below, "filename.txt", using the test code G1.java.
When I search for "check for old", the trm.seekceil() method gives "checking" and "checks" and ignores "check", which is there in the text document.
It is working for most cases except a few.
Please kindly help me.
--
Thanks and Regards
Vignesh Srinivasan
COPYRIGHT © 2008 SAMSUNG SDS Co., Ltd. ALL RIGHTS RESERVED | CONFIDENTIAL

Network Security
Aravind N, Samsung SDS, 10-01-2012

TABLE OF CONTENTS
1 INTRODUCTION
  - Case Studies
  - Network Vulnerabilities
  - Protocol Attacks & Solutions
  - VPN / IPSec
  - Firewall Attacks & Prevention
  - Evasion Techniques
2 DoS Attacks
  - Firewall DoS Attacks
  - Network DoS Attacks
  - OS Specific DoS Attacks
  - Network DoS Defense Mechanism
3 Network Solutions
  - Content Monitoring & Filtering
  - Deep Inspection
  - Sample Attack Objects & Groups
4 References
CASE STUDY 1:
•A consultant wants to evaluate how secure a website is.
•What information does he need?
•What can be the intermediate steps?

Solution:
•Network scanning tools
•Check for vulnerable ports
•Check for old and vulnerable versions of services on open ports
•Transfer a code which exploits a buffer overflow of that service
•Gain access to the host (gateway or web server)

CASE STUDY 2:
•You are a Project Manager of a software firm and you want the designers to practice coding standards which ensure/enhance the security of the network where the product will be used.

Solution:
•Use tools to catch memory leaks
•Check Buffer Overflow conditions in the code
•Exploiting a Buffer Overflow (the slide's vulnerable example):

    void foo() {
        char buf[512];
        ...
        gets(&buf);
        ...
    }

  Stack diagram on the slide: buf | Return address | SP | Input

  pushl $68732f  ('/sh\0')
  pushl $6e69622f ('/bin')
  movl  sp, r10
  pushl $0
  pushl $0
  pushl r10
  pushl $3
  movl  sp, ap
  chmk  $3b

CASE STUDY 3:
•You are the System Administrator of a company and you want to ensure that your company's resources are protected from various attacks through the network.

Solution:
Agenda of the Presentation:
•Vulnerabilities
•Protocol Attacks & Solutions

Network Picture

Layer 2 Vulnerabilities
•Switches are key components of communication at the Data Link Layer.
Possible attacks:
- Content-Addressable Memory (CAM) table overflow
- VLAN hopping
- Spanning-Tree Protocol (STP) manipulation
- Media Access Control (MAC) address spoofing
- Address Resolution Protocol (ARP) attack
- Private VLAN
- DHCP "starvation"

Layer 3 Vulnerabilities
•The most popular protocol in Layer 3 is IP (Internet Protocol). The following are the vulnerabilities related to IP:
- IP spoofing (blind attack)
- Routing attacks
- ICMP & DNS attacks
- Ping flood
- Ping of Death attack
- Teardrop attack
- Packet sniffing (passive attack)

Layer 4 Vulnerabilities
•Key risks associated with TCP and UDP at the Transport Layer
Possible attacks:
- TCP "SYN" attack
- Man in the Middle attack
- Port scan attack
- UDP flood attack
- TCP session hijacking (active attack)
- Land attack

Application Layer Vulnerabilities
•Attackers exploit weaknesses in HTTP, FTP and Telnet servers and in the SMTP, POP3, IMAP, SNMP, SSH, SNTP, SIP and H.323 protocols to launch attacks.
•Application layer attacks include viruses, worms, spam etc.
Possible attacks:
- Scripting vulnerabilities
- Buffer overflows
- Cookie poisoning
- Hidden field manipulation
- Parameter tampering
- Cross-site scripting
- SQL injection

Solutions
Data Privacy
- Privacy provides security by allowing information to be accessed only by authorized parties.
- Integrity ensures that the data can be modified only by authorized parties.
- Authentication ensures that the authenticated party is the one who he claims to be and not an imposter.
- Non-repudiation ensures that there is no replay of the data sent through the channel in the past.

Data Privacy
•Cryptography
•Types of Cryptography
- Encryption: Secret Key, Public Key
- Hash Functions: HMAC, MD5, SHA
•Encryption Algorithms
- DES, 3DES, RSA
•Key Exchange Algorithms
- Diffie-Hellman

Virtual Private Networks (VPN)
•A virtual private network (VPN) provides a means for securely communicating between remote computers across a public wide area network (WAN), such as the Internet.
•A VPN connection can link two local area networks (LANs) or a remote dialup user and a LAN. The traffic that flows between these two points passes through shared resources such as routers, switches, and other network equipment that make up the public WAN. To secure VPN communication while passing through the WAN, the two participants create an IP Security (IPSec) tunnel.

IPSec:
•IP Security (IPSec) tunnel to secure VPN communication while passing through the WAN.
•IPSec consists of a pair of unidirectional Security Associations (SAs) that specify
–Security Parameter Index (SPI)
–Destination IP address
–Security protocol (Authentication Header or Encapsulating Security Payload)
•IPSec provides the following security functions through an SA:
–Privacy via encryption
–Content integrity via data authentication
–Sender authentication if using certificates
–Non-repudiation via data origin authentication

IPSec VPN Tunnels
Protecting a Network
•There can be many reasons for invading a protected network:
- Gather information about the protected network
- Overwhelm a host with bogus traffic to induce a Denial-of-Service (DoS)
- Overwhelm the protected network with bogus traffic to induce a network-wide DoS
- Overwhelm the firewall with bogus traffic to induce DoS
- Cause damage to and steal data from a host on a protected network
- Gain access to a host to obtain information
- Gain access to a host to launch other exploits
- Gain control of a firewall to control access to the network that it protects
•Stages of Attack – each attack progresses in two major stages:
1. Perform reconnaissance
   a. Map the network and determine which hosts are active (IP address sweep).
   b. Discern which ports are active (port scans) on the hosts discovered by the IP address sweep.
   c. Determine the operating system (OS), which might expose a weakness in the OS or suggest an attack to which that particular OS is susceptible.
2. Launch the attack
   a. Conceal the origin of the attack.
   b. Perform the attack.
   c. Remove or hide evidence.

Firewall
•Firewalls are used to thwart the efforts of attackers to achieve the previous objectives when they attempt to target a protected network. They provide security against the following types of attacks:
- IP Address Sweep
- Port Scanning
- Network Reconnaissance using IP Options
- Operating System Probes
  •SYN and FIN flags set
  •FIN flag without ACK flag
  •TCP header without flags set
- Evasion Techniques
  •FIN scan
  •Non-SYN flags
  •IP spoofing
  •IP source route options
Firewall: IP Address Sweep
•An address sweep occurs when one source IP address sends ICMP packets to 10 different hosts within a defined interval (5000 microseconds is the default). The purpose of this scheme is to send ICMP packets - typically echo requests - to various hosts in the hope that at least one replies, thus uncovering an address to target.
•Using the default settings, if a remote host sends ICMP traffic to 10 addresses in 0.005 seconds (5000 microseconds), the security device flags this as an address sweep attack and rejects all further ICMP echo requests from that host for the remainder of the specified threshold time period. The device detects and drops the tenth packet that meets the address sweep attack criterion.

Firewall: Port Scanning
•A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to 10 different ports at the same destination IP address within a defined interval (5000 microseconds is the default). The purpose of this scheme is to scan the available services in the hope that at least one port will respond, thus identifying a service to target.
•Using the default settings, if a remote host scans 10 ports in 0.005 seconds (5000 microseconds), the device flags this as a port scan attack and rejects all further packets from the remote source for the remainder of the specified timeout period. The device detects and drops the tenth packet that meets the port scan attack criterion.
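The two screens above share one mechanism: count distinct targets per source inside a short window and drop the tenth packet. The following is an added example (not code from the slides or from any firewall vendor) that implements both with the slide's defaults of 10 packets in 5000 microseconds. The block duration after a hit, the addresses and the timing of the sample bursts are constructed assumptions.

```python
"""Address-sweep / port-scan screen (added example, not from the slides).

Models the two thresholds the slides describe: 10 ICMP packets to distinct
hosts from one source, or 10 TCP SYN segments to distinct ports on one
destination, inside a 5000 microsecond window.  The tenth packet that meets
the criterion is dropped and the source is rejected for a further window.
Packets and timestamps are constructed sample data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_US = 5000       # default interval from the slides, in microseconds
THRESHOLD = 10         # the tenth qualifying packet trips the screen
BLOCK_US = 5000        # assumption: reject the source for one more window;
                       # the slides only say "for the remainder of the
                       # threshold time period"

@dataclass
class Packet:
    ts_us: int          # arrival time in microseconds
    src: str
    dst: str
    proto: str          # "icmp" or "tcp"
    dport: int = 0
    syn: bool = False

class ReconScreen:
    def __init__(self):
        self.sweep_hist = defaultdict(deque)   # src -> deque of (ts, dst host)
        self.scan_hist = defaultdict(deque)    # (src, dst) -> deque of (ts, dport)
        self.blocked_until = {}                # src -> last blocked timestamp

    def _hit(self, hist, owner, key, ts):
        """Record (ts, key) for owner, expire entries outside the window and
        return how many distinct keys remain inside it."""
        d = hist[owner]
        d.append((ts, key))
        while d and ts - d[0][0] > WINDOW_US:
            d.popleft()
        return len({k for _, k in d})

    def check(self, p: Packet) -> str:
        """Return 'pass', 'drop:sweep', 'drop:scan' or 'drop:blocked'."""
        if self.blocked_until.get(p.src, -1) >= p.ts_us:
            return "drop:blocked"
        if p.proto == "icmp":
            if self._hit(self.sweep_hist, p.src, p.dst, p.ts_us) >= THRESHOLD:
                self.blocked_until[p.src] = p.ts_us + BLOCK_US
                return "drop:sweep"
        elif p.proto == "tcp" and p.syn:
            if self._hit(self.scan_hist, (p.src, p.dst), p.dport, p.ts_us) >= THRESHOLD:
                self.blocked_until[p.src] = p.ts_us + BLOCK_US
                return "drop:scan"
        return "pass"

def simulate_port_scan(n_ports=12, spacing_us=100):
    """Constructed burst: one source sends SYNs to n_ports ports 100 us apart."""
    screen = ReconScreen()
    verdicts = []
    for i in range(n_ports):
        pkt = Packet(ts_us=i * spacing_us, src="192.0.2.10", dst="198.51.100.5",
                     proto="tcp", dport=1000 + i, syn=True)
        verdicts.append(screen.check(pkt))
    return verdicts

def simulate_slow_sweep(n_hosts=12, spacing_us=1000):
    """Constructed: ICMP to n_hosts hosts 1 ms apart, so never 10 within 5 ms."""
    screen = ReconScreen()
    return [screen.check(Packet(ts_us=i * spacing_us, src="192.0.2.10",
                                dst=f"198.51.100.{i}", proto="icmp"))
            for i in range(n_hosts)]

if __name__ == "__main__":
    print(simulate_port_scan())
    print(simulate_slow_sweep())
```

The fast scan passes nine SYNs, drops the tenth as a scan and then drops everything from that source while the block lasts; the slow sweep never has ten distinct hosts inside one window, which is exactly the gap a patient scanner exploits and why the interval should be tuned rather than left at the default.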
Network Reconnaissance Using IP Options
IP Options:
•The Internet Protocol standard, RFC 791, specifies a set of options to provide special routing controls, diagnostic tools, and security. These options appear after the destination address in an IP packet header, as shown in the header figure on the slide.
The following IP options can be used by an attacker for reconnaissance:
•Record Route
•Timestamp
•Stream ID
•No Options
•Security
•Strict Source Route
•Loose Source Route
Operating System Probes
SYN and FIN Flags Set:
•The SYN and FIN control flags are not normally set in the same TCP segment header.
•The SYN flag synchronizes sequence numbers to initiate a TCP connection.
•The FIN flag indicates the end of data transmission to finish a TCP connection. Their purposes are mutually exclusive.
•A TCP header with the SYN and FIN flags set is anomalous TCP behavior, causing various responses from the recipient, depending on the OS.
•The firewall checks whether the SYN and FIN flags are both set in TCP headers. If it discovers such a header, it drops the packet.

FIN Flag without ACK Flag:
•The figure on the slide shows TCP segments with the FIN control flag set (to signal the conclusion of a session and terminate the connection). Normally, TCP segments with the FIN flag set also have the ACK flag set (to acknowledge the previous packet received).
•Because a TCP header with the FIN flag set but not the ACK flag is anomalous TCP behavior, there is no uniform response to it. One OS might respond by sending a TCP segment with the RST flag set. Another might completely ignore it. The victim's response can provide the attacker with a clue as to its OS.
•The firewall checks whether the FIN flag is set but not the ACK flag in TCP headers. If it discovers a packet with such a header, it drops the packet.

TCP Header Without Flags Set:
•A normal TCP segment header has at least one control flag set.
•A TCP segment with no control flags set is an anomalous event. Because different operating systems respond differently to such anomalies, the response (or lack of response) from the targeted device can provide a clue as to the type of OS it is running.
•The firewall drops all TCP packets with a missing or malformed flags field.
Firewall Evasion Techniques:
•When gathering information or launching an attack, the attacker tries to avoid detection by firewalls.
•Although some IP address and port scans are blatant and easily detectable, more wily attackers use a variety of means to conceal their activity. Techniques such as using FIN scans instead of SYN scans - which attackers know most firewalls and intrusion detection programs detect - indicate an evolution of reconnaissance and exploit techniques to evade detection and successfully accomplish their tasks.
•Below are the evasion techniques used to avoid being detected by firewalls:
–FIN scan
–Non-SYN flags
–IP spoofing
–IP source route options

Evasion Techniques
•FIN Scan:
•A FIN scan sends TCP segments with the FIN flag set in an attempt to provoke a response (a TCP segment with the RST flag set) and thereby discover an active host or an active port on a host.
•An attacker might use this approach rather than perform an address sweep with ICMP echo requests or an address scan with SYN segments because he or she knows that many firewalls typically guard against the latter two approaches - but not necessarily against FIN segments.
•The use of TCP segments with the FIN flag set might evade detection and thereby help the attacker succeed in his or her reconnaissance efforts.
•To thwart a FIN scan:
–Block TCP segments with the FIN flag set but not the ACK flag
–Reject all non-SYN packets that do not belong to an existing session

•Non-SYN Flags:
•By default, the security device checks for the SYN flag in the first packet of a session and rejects any TCP segments with non-SYN flags attempting to initiate a session.
•When the security device with SYN flag checking enabled receives a non-SYN TCP segment that does not belong to an existing session, it drops the packet and sends a TCP RST to the source host - unless the code bit of the initial non-SYN TCP packet is also RST. In that case, the security device simply drops the packet.
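The OS-probe checks, the FIN-scan countermeasures and the non-SYN first-packet rule above are all decisions on the TCP flags byte plus a session lookup. The block below is an added example (not code from the slides or from any firewall product) that applies them in the order a screen would: header anomalies first, then the session table, then the RST-or-silent-drop choice for a non-SYN first packet. Flag bit values are the RFC 793 ones; the session key and the sample segments are constructed.

```python
"""TCP flag screen (added example, not code from the slides).

Implements the header checks the slides list: SYN+FIN set, FIN without ACK,
no flags at all, and the non-SYN first-packet rule with its RST exception.
Sessions are tracked by the pair of endpoints so that a FIN/ACK inside an
established session passes while a bare FIN probe to an unknown session is
dropped.  Flag bit values follow RFC 793; the sample segments are constructed.
"""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

class TcpScreen:
    def __init__(self, syn_check=True):
        self.syn_check = syn_check
        self.sessions = set()    # frozenset of both (ip, port) endpoints

    @staticmethod
    def _key(src, sport, dst, dport):
        return frozenset([(src, sport), (dst, dport)])

    def inspect(self, src, sport, dst, dport, flags):
        """Return (verdict, reason, action) for one TCP segment."""
        # 1. Header-level anomalies from the OS-probe slides.
        if (flags & 0x3F) == 0:
            return ("drop", "no-flags", None)
        if (flags & SYN) and (flags & FIN):
            return ("drop", "syn-fin", None)
        if (flags & FIN) and not (flags & ACK):
            return ("drop", "fin-no-ack", None)

        key = self._key(src, sport, dst, dport)
        # 2. Segments that belong to a known session pass; FIN/RST ends it.
        if key in self.sessions:
            if flags & (FIN | RST):
                self.sessions.discard(key)
            return ("pass", "session", None)
        # 3. A plain SYN legitimately opens a session.
        if (flags & SYN) and not (flags & ACK):
            self.sessions.add(key)
            return ("pass", "new-session", None)
        # 4. Non-SYN first packet: drop, answering with RST unless it was a RST.
        if self.syn_check:
            action = None if flags & RST else "send-rst"
            return ("drop", "non-syn-first", action)
        self.sessions.add(key)   # checking disabled: accept the mid-stream packet
        return ("pass", "unchecked", None)

def run_sample():
    """Constructed sequence: probes, a normal handshake, then a FIN/ACK."""
    s = TcpScreen()
    c, srv = "192.0.2.10", "198.51.100.5"
    return [
        s.inspect(c, 40000, srv, 80, SYN | FIN)[1],   # syn-fin probe
        s.inspect(c, 40001, srv, 80, FIN)[1],         # FIN scan segment
        s.inspect(c, 40002, srv, 80, 0)[1],           # no flags at all
        s.inspect(c, 40003, srv, 80, ACK)[1],         # non-SYN first packet
        s.inspect(c, 40003, srv, 80, RST)[2],         # RST first: silent drop
        s.inspect(c, 40004, srv, 80, SYN)[1],         # handshake starts
        s.inspect(srv, 80, c, 40004, SYN | ACK)[1],   # reverse direction
        s.inspect(c, 40004, srv, 80, FIN | ACK)[1],   # graceful close
        s.inspect(c, 40004, srv, 80, ACK)[1],         # session gone: rejected
    ]

if __name__ == "__main__":
    for r in run_sample():
        print(r)
```

Note the order matters: the FIN-without-ACK rule is applied before the session lookup, so a FIN scan is dropped even when the scanner guesses a port pair that happens to be in the session table.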
Evasion Techniques
•IP Spoofing:
•Inserting a bogus source address in the packet header to make the packet appear to come from a trusted source and gain access to a restricted area of the network.
•Layer 3 IP Spoofing:
•When interfaces on the security device are operating in Route or NAT mode, the mechanism to detect IP spoofing relies on route table entries. If, for example, a packet with source IP address 10.1.1.6 arrives at ethernet3, but the security device has a route to 10.1.1.0/24 through ethernet1, IP spoof checking notes that this address arrived at an invalid interface - as defined in the route table, a valid packet from 10.1.1.6 can only arrive via ethernet1, not ethernet3. Therefore, the device (firewall) concludes that the packet has a spoofed source IP address and discards it.
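The route-table spoof check is a reverse-path lookup: route the source address as if it were a destination and compare the egress interface with the ingress one. The block below is an added example (not the slide's or any vendor's code) that applies this rule with longest-prefix matching; the 10.1.1.0/24 via ethernet1 entry is the slide's, while the other routes, the default route via ethernet3 and the sample packets are constructed.

```python
"""Route-table based IP spoof check (added example, not from the slides).

A packet's source address is valid only on the interface through which the
device would route *to* that address.  Longest-prefix match is used, as a
real route table would.  The 10.1.1.0/24 via ethernet1 route is the slide's
example; the remaining routes and all packets are constructed.
"""
import ipaddress

# Constructed route table: (prefix, egress interface).  The default route via
# ethernet3 is an assumption so that Internet-sourced packets on ethernet3 pass.
ROUTES = [
    ("10.1.1.0/24", "ethernet1"),
    ("10.1.2.0/24", "ethernet2"),
    ("0.0.0.0/0",   "ethernet3"),
]

def route_lookup(addr, routes=ROUTES):
    """Return the egress interface for addr by longest-prefix match, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def is_spoofed(src, ingress_iface, routes=ROUTES):
    """True when src could not legitimately have arrived on ingress_iface."""
    expected = route_lookup(src, routes)
    return expected is None or expected != ingress_iface

def screen(packets, routes=ROUTES):
    """Apply the check to (src, ingress interface) pairs; return verdicts."""
    return [("drop:spoof" if is_spoofed(src, iface, routes) else "pass")
            for src, iface in packets]

if __name__ == "__main__":
    sample = [
        ("10.1.1.6", "ethernet3"),      # the slide's case: spoofed
        ("10.1.1.6", "ethernet1"),      # same source on the right interface
        ("10.1.2.9", "ethernet1"),      # belongs behind ethernet2: spoofed
        ("203.0.113.7", "ethernet3"),   # Internet source via the default route
    ]
    for (src, iface), verdict in zip(sample, screen(sample)):
        print(f"{src:>12} on {iface}: {verdict}")
```

The check only works when routing is symmetric; on a device with asymmetric paths (two uplinks, policy routing) the same rule drops legitimate traffic, which is why real firewalls make it a per-interface option rather than an always-on default.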
Evasion Techniques
•IP Source Route Options:
•Source routing was designed to allow the user at the source of an IP packet transmission to specify the IP addresses of the routers (also referred to as "hops") along the path that he or she wants an IP packet to take on its way to its destination.
•The original intent of the IP source route options was to provide routing control tools to aid diagnostic analysis. You can then use either the loose or strict source route option to direct traffic along a specific path, using the addresses you learned from the results that the record route or timestamp options produced.
•By changing router addresses to alter the path and sending several packets along different paths, you can note changes that either improve or lessen the success rate. Through analysis and the process of elimination, you might be able to deduce where the trouble lies.
•Attackers can use IP source route options to hide their true address and access restricted areas by specifying a different path.

Evasion Techniques
•IP Source Route Options:
•Users can enable the firewall device either to block any packets with the loose or strict source route option set, or to detect such packets and record the event in the counters list for the ingress interface. The options available are:
•Deny IP Source Route Option: enable this option to block all IP traffic that employs the loose or strict source route option. Source route options can allow an attacker to enter a network with a false IP address.
•Detect IP Loose Source Route Option: the security device detects packets where the IP option is 3 (Loose Source Routing) and records the event in the counters list for the ingress interface. This option specifies a partial route list for a packet to take on its journey from source to destination. The packet must proceed in the order of addresses specified, but it is allowed to pass through other routers in between those specified.
•Detect IP Strict Source Route Option: the security device detects packets where the IP option is 9 (Strict Source Routing) and records the event in the counters list for the ingress interface. This option specifies the complete route list for a packet to take on its journey from source to destination. The last address in the list replaces the address in the destination field.
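The option numbers 3 and 9 the slides quote are the low five bits of the option-type octet defined in RFC 791 (the full octets on the wire are 131 and 137, because the "copied" bit is set). The following is an added example, not code from the slides or from any firewall, that walks the options area of an IPv4 header, reports loose and strict source route options, and applies either the Deny (drop) or the Detect (log and pass) behaviour. The header builder and the hop addresses are constructed for the demonstration.

```python
"""IPv4 option parser for the source-route screen (added example, not from
the slides).  Walks the options area of an IPv4 header per RFC 791 and
reports loose (option number 3) and strict (option number 9) source route
options, which is what the Deny / Detect IP Source Route screens act on.
The sample headers are constructed in build_header().
"""
import struct

# RFC 791 option numbers (low 5 bits of the option-type octet)
OPT_EOL, OPT_NOP = 0, 1
OPT_LSRR, OPT_SSRR = 3, 9
OPT_SECURITY, OPT_TIMESTAMP, OPT_RR, OPT_SID = 2, 4, 7, 8

def parse_options(header: bytes):
    """Return a list of (option_number, data_bytes) found in the IPv4 header."""
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("bad IHL")
    opts, i = [], 20
    while i < ihl:
        number = header[i] & 0x1F
        if number == OPT_EOL:            # end of option list
            break
        if number == OPT_NOP:            # single-octet padding
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("truncated option")
        length = header[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        opts.append((number, header[i + 2:i + length]))
        i += length
    return opts

def source_route_verdict(header: bytes, deny=True):
    """'pass', 'drop:lsrr'/'drop:ssrr' when denying, 'log:...' when detecting."""
    for number, _ in parse_options(header):
        if number in (OPT_LSRR, OPT_SSRR):
            name = "lsrr" if number == OPT_LSRR else "ssrr"
            return f"{'drop' if deny else 'log'}:{name}"
    return "pass"

def build_header(option: bytes = b"") -> bytes:
    """Constructed IPv4 header (checksum left zero) with an options blob."""
    padded = option + b"\x00" * (-len(option) % 4)   # pad to a 32-bit boundary
    ihl = 5 + len(padded) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(padded), 0, 0,
                        64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    return fixed + padded

def _route_option(number: int, hops) -> bytes:
    """Constructed source-route option: type (copied bit | number), length,
    pointer 4, then the hop addresses."""
    data = b"".join(bytes(int(o) for o in h.split(".")) for h in hops)
    return bytes([0x80 | number, 3 + len(data), 4]) + data

def lsrr_option(*hops: str) -> bytes:
    return _route_option(OPT_LSRR, hops)

def ssrr_option(*hops: str) -> bytes:
    return _route_option(OPT_SSRR, hops)

if __name__ == "__main__":
    print(source_route_verdict(build_header()))
    print(source_route_verdict(build_header(lsrr_option("10.0.0.1", "10.0.0.2"))))
    print(source_route_verdict(build_header(ssrr_option("10.0.0.1")), deny=False))
```

The parser raises on a truncated or mis-sized option instead of skipping it; a screen that silently ignored malformed option areas would hand the attacker a second evasion path.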
Denial of Service (DoS) Attack Defences
•The intent of a denial-of-service (DoS) attack is to overwhelm the targeted victim with a tremendous amount of bogus traffic so that the victim becomes so preoccupied processing the bogus traffic that it is unable to process legitimate traffic.
•If a DoS attack originates from multiple source addresses, it is known as a distributed denial of service (DDoS) attack. Typically, the source address of a DoS attack is spoofed. The source addresses in a DDoS attack might be spoofed or the actual addresses of hosts that the attacker has previously compromised and which he or she is now using as "zombie agents" from which to launch the attack.

Denial of Service Attacks
- Firewall DoS Attacks: Session Table Flood, SYN-ACK-ACK Proxy Flood
- Network DoS Attacks: SYN Flood, SYN Cookie, ICMP Flood, UDP Flood, Land Attack
- OS Specific DoS Attacks: Ping of Death, Teardrop Attack, WinNuke

Firewall DoS Attack Defences
•If an attacker discovers the presence of the firewall, he might launch a denial-of-service (DoS) attack against it instead of the network behind it.
•Session Table Flooding:
–When the session table is full, that host cannot create any new sessions and begins rejecting new connection requests.
–The following settings on the firewall can mitigate such attacks:
•Source and Destination Based Session Limits
•Aggressive Aging

•Source & Destination Based Session Limiting:

•Aggressive Aging out Sessions:
•In this example, you set the aggressive aging out process to commence when traffic exceeds a high-watermark of 80 percent and cease when it retreats below a low-watermark of 70 percent. You specify 40 seconds for the aggressive age-out interval. When the session table is more than 80 percent full (the high-mark threshold), the security device decreases the timeout for all sessions by 40 seconds and begins aggressively aging out the oldest sessions until the number of sessions in the table is under 70 percent (the low-mark threshold).
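The aggressive-aging description above is a hysteresis loop: one threshold turns the shortened timeout on, a lower one turns it off, so the device does not flap at the boundary. The block below is an added example (not the slide's or any vendor's code) that models it with the slide's 80 percent, 70 percent and 40 second values; the table capacity of 100, the normal idle timeout of 100 seconds and the one-session-per-second load in ramp() are constructed so the effect is visible in a short run.

```python
"""Session-table aggressive ageing with watermarks (added example, not code
from the slides).

Uses the slide's parameters: ageing starts when occupancy exceeds the 80 %
high-watermark, shortens every session's idle timeout by 40 s, and stops once
occupancy drops below the 70 % low-watermark.  Table capacity (100), the
normal idle timeout (100 s) and the arrival pattern in ramp() are constructed.
"""
CAPACITY = 100
NORMAL_TIMEOUT = 100        # seconds; constructed (real defaults are larger)
AGE_OUT_INTERVAL = 40       # seconds, from the slide
HIGH_WATERMARK = 0.80
LOW_WATERMARK = 0.70

class SessionTable:
    def __init__(self, aggressive_aging=True):
        self.enabled = aggressive_aging
        self.sessions = {}          # session key -> last-activity time
        self.aggressive = False
        self.transitions = []       # (time, "enter" | "leave"), for inspection

    def occupancy(self):
        return len(self.sessions) / CAPACITY

    def current_timeout(self):
        return NORMAL_TIMEOUT - (AGE_OUT_INTERVAL if self.aggressive else 0)

    def tick(self, now):
        """Expire idle sessions and apply the watermark hysteresis."""
        if self.enabled and not self.aggressive and self.occupancy() > HIGH_WATERMARK:
            self.aggressive = True
            self.transitions.append((now, "enter"))
        limit = self.current_timeout()
        # The oldest (longest idle) sessions are the ones that cross the
        # shortened limit first, so they are aged out first.
        for key in [k for k, last in self.sessions.items() if now - last > limit]:
            del self.sessions[key]
        if self.aggressive and self.occupancy() < LOW_WATERMARK:
            self.aggressive = False
            self.transitions.append((now, "leave"))

    def add(self, key, now):
        """Insert a new session; False when the table is full even after ageing."""
        self.tick(now)
        if len(self.sessions) >= CAPACITY:
            return False
        self.sessions[key] = now
        self.tick(now)
        return True

def ramp(seconds=85, aggressive_aging=True):
    """Constructed load: one new session per second, none ever sends again."""
    table = SessionTable(aggressive_aging)
    for now in range(seconds):
        table.add(f"s{now}", now)
    return table

if __name__ == "__main__":
    t = ramp()
    print(len(t.sessions), t.transitions)
    print(len(ramp(aggressive_aging=False).sessions))
```

With ageing enabled the table crosses 80 percent at second 80, the timeout drops to 60 seconds, the twenty oldest idle sessions are flushed at once and the mode switches back off below 70 percent; with it disabled the same load simply accumulates.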
•SYN-ACK-ACK Proxy Flood:
•To thwart such an attack, you can enable the SYN-ACK-ACK proxy protection SCREEN option. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, the firewall rejects further connection requests from that IP address.

Network DoS Attack Defences
•A denial-of-service (DoS) attack directed against one or more network resources floods the target with an overwhelming number of SYN, ICMP, or UDP packets, or with an overwhelming number of SYN fragments. Depending on the attacker's purpose and the extent and success of previous intelligence gathering efforts, the attacker might single out a specific host, such as a router or server, or he or she might aim at random hosts across the targeted network. Either approach has the potential of upsetting service to a single host or to the entire network, depending on how critical the role of the victim is to the rest of the network.
- SYN Flooding
- SYN Cookie
- ICMP Flooding
- UDP Flooding
- Land Attack
SYN Flooding:
•A SYN flood occurs when a host becomes so overwhelmed by SYN segments initiating incomplete connection requests that it can no longer process legitimate connection requests.
•Two hosts establish a TCP connection with a triple exchange of packets known as a three-way handshake: A sends a SYN segment to B; B responds with a SYN/ACK segment; and A responds with an ACK segment.
•A SYN flood attack inundates a site with SYN segments containing forged (spoofed) IP source addresses with nonexistent or unreachable addresses. B responds with SYN/ACK segments to these addresses and then waits for responding ACK segments. Because the SYN/ACK segments are sent to nonexistent or unreachable IP addresses, they never elicit responses and eventually time out.
•By flooding a host with incomplete TCP connections, the attacker eventually fills the memory buffer of the victim. Once this buffer is full, the host can no longer process new TCP connection requests. The flood might even damage the victim's operating system. Either way, the attack disables the victim and its normal operations.

SYN Flood Protection:
•Impose a limit on the number of SYN segments permitted to pass through the firewall per second. We can base the attack threshold on the destination address and port, the destination address only, or the source address only. When the number of SYN segments per second exceeds one of these thresholds, the security device starts proxying incoming SYN segments, replying with SYN/ACK segments and storing the incomplete connection requests in a connection queue. The incomplete connection requests remain in the queue until the connection is completed or the request times out.
•When the proxied connection queue has completely filled up, the security device rejects new incoming SYN segments. This action shields hosts on the protected network from the bombardment of incomplete three-way handshakes.
•The security device starts accepting new SYN packets again when the proxy queue drops below the maximum limit.
SYN Cookie:
•SYN Cookie is a stateless SYN proxy mechanism you can use in conjunction with the defenses against a SYN flood attack.
•When SYN Cookie is enabled on the security device and it becomes the TCP-negotiating proxy for the destination server, it replies to each incoming SYN segment with a SYN/ACK containing an encrypted cookie as its Initial Sequence Number (ISN).
•The cookie is an MD5 hash of the original source address and port number, destination address and port number, and ISN from the original SYN packet. After sending the cookie, the device drops the original SYN packet and deletes the calculated cookie from memory. If there is no response to the packet containing the cookie, the attack is noted as an active SYN attack and is effectively stopped.
•If the initiating host responds with a TCP packet containing the cookie + 1 in the TCP ACK field, the device extracts the cookie, subtracts 1 from the value, and recomputes the cookie to validate that it is a legitimate ACK.
•If it is legitimate, the device starts the TCP proxy process by setting up a session and sending a SYN to the server containing the source information from the original SYN.
•When the device receives a SYN/ACK from the server, it sends ACKs to the server and to the initiating host. At this point the connection is established and the host and server are able to communicate directly.
•The figure on the slide shows how a connection is established between an initiating host and a server when SYN Cookie is active on the security device.
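The SYN Cookie exchange above is worth seeing with both sides' messages, because the point is what the device does not keep: no half-open state at all until a valid ACK arrives. The block below is an added example, not code from the slides or from any firewall, that follows the slide's recipe (MD5 over the 5-tuple and the client ISN, truncated to a 32-bit ISN, validated by recomputing it from ACK minus 1). One deviation is labelled: a per-device secret is mixed into the hash, which the slides do not mention, so that a client cannot compute a valid cookie for itself. Addresses, ports and ISNs are constructed.

```python
"""Stateless SYN-cookie proxy exchange (added example, not from the slides).

Follows the slide: the device answers every SYN with a SYN/ACK whose ISN is
a cookie derived with MD5 from the 5-tuple and the client's ISN, keeps no
state, and only opens a session (SYN to the server) when an ACK arrives whose
acknowledgement number is cookie + 1.  A per-device secret is mixed into the
hash; the slides do not mention one, it is an assumption added so the
cookie cannot be computed by the client.  All addresses and ISNs are
constructed.
"""
import hashlib
import struct

DEVICE_SECRET = b"constructed-device-secret"   # assumption, not from the slides
MASK32 = 0xFFFFFFFF

def syn_cookie(src, sport, dst, dport, client_isn, secret=DEVICE_SECRET):
    """32-bit cookie: MD5(secret, src, sport, dst, dport, client_isn), truncated."""
    h = hashlib.md5()
    h.update(secret)
    h.update(src.encode() + struct.pack("!H", sport))
    h.update(dst.encode() + struct.pack("!H", dport))
    h.update(struct.pack("!I", client_isn & MASK32))
    return int.from_bytes(h.digest()[:4], "big")

class SynCookieDevice:
    """The proxy in front of the server.  Holds no half-open state at all."""
    def __init__(self):
        self.sessions = {}          # only validated connections live here

    def on_syn(self, src, sport, dst, dport, client_isn):
        """Reply SYN/ACK with the cookie as ISN; the original SYN is dropped."""
        cookie = syn_cookie(src, sport, dst, dport, client_isn)
        return {"flags": "SYN/ACK", "seq": cookie, "ack": (client_isn + 1) & MASK32}

    def on_ack(self, src, sport, dst, dport, seq, ack):
        """Validate: seq is client_isn + 1 and ack is cookie + 1.  Returns the
        SYN to forward to the server, or None when the ACK is dropped."""
        client_isn = (seq - 1) & MASK32
        expected = syn_cookie(src, sport, dst, dport, client_isn)
        if (ack - 1) & MASK32 != expected:
            return None
        self.sessions[(src, sport, dst, dport)] = {"client_isn": client_isn}
        # proxy SYN towards the server, carrying the client's source information
        return {"flags": "SYN", "src": src, "sport": sport, "seq": client_isn}

    def on_server_synack(self, src, sport, dst, dport, server_isn):
        """Complete both halves: an ACK to the server and an ACK to the client."""
        sess = self.sessions.get((src, sport, dst, dport))
        if sess is None:
            return None
        sess["server_isn"] = server_isn
        return ({"to": "server", "ack": (server_isn + 1) & MASK32},
                {"to": "client", "ack": (sess["client_isn"] + 1) & MASK32})

def legitimate_handshake():
    """A real client completes the exchange; returns the session count."""
    dev = SynCookieDevice()
    c, s, isn = "192.0.2.10", "198.51.100.5", 0x1234ABCD
    synack = dev.on_syn(c, 40000, s, 80, isn)
    # a normal TCP stack acknowledges whatever ISN it was given, plus one
    syn_to_server = dev.on_ack(c, 40000, s, 80, isn + 1, synack["seq"] + 1)
    if syn_to_server is None:
        return 0
    dev.on_server_synack(c, 40000, s, 80, 0x5EED0000)
    return len(dev.sessions)

def spoofed_flood(n=1000):
    """n SYNs from unreachable sources that never ACK: no state accumulates."""
    dev = SynCookieDevice()
    for i in range(n):
        dev.on_syn(f"203.0.113.{i % 250 + 1}", 1024 + i, "198.51.100.5", 80, i)
    return len(dev.sessions)

def bogus_ack():
    """An ACK carrying a guessed number fails validation and is dropped."""
    dev = SynCookieDevice()
    return dev.on_ack("192.0.2.10", 40000, "198.51.100.5", 80, 42, 12345)
```

The trade-off the slide glosses over is visible in the code: because the device forgets the SYN, any TCP options the client negotiated (MSS, window scaling) are lost unless they are encoded into the cookie bits, which is how production SYN-cookie implementations handle it.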
ICMP Flooding Protection:
•An ICMP flood typically occurs when ICMP echo requests overload the victim with so many requests that it expends all its resources responding until it can no longer process valid network traffic.
•Set a threshold that, once exceeded, invokes the ICMP flood attack protection feature. (The default threshold value is 1000 packets per second.) If the threshold is exceeded, the security device ignores further ICMP echo requests for the remainder of that second plus the next second as well.

UDP Flooding Protection:
•UDP flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the victim to the point that it can no longer handle valid connections.
•After enabling the UDP flood protection feature, you can set a threshold that, once exceeded, invokes the UDP flood attack protection feature. (The default threshold value is 1000 packets per second.) If the number of UDP datagrams from one or more sources to a single destination exceeds this threshold, the security device ignores further UDP datagrams to that destination for the remainder of that second plus the next second as well.

LAND Attack Protection:
•Combining a SYN attack with IP spoofing, a land attack occurs when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address. The receiving system responds by sending the SYN-ACK packet to itself, creating an empty connection that lasts until the idle timeout value is reached. Flooding a system with such empty connections can overwhelm the system, causing a denial of service.
•When you enable the SCREEN option to block land attacks, the security device combines elements of the SYN flood defense and IP spoofing protection to detect and block any attempts of this nature.
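The ICMP and UDP protections above are the same rate screen with one detail that is easy to get wrong: once the per-second count passes the threshold, the block covers the rest of that second and the whole of the next one. The block below is an added example (not code from the slides or any product) that implements that rule with the 1000 packets per second default and adds the land-attack check as a one-line comparison. The ICMP counter is scoped per destination, like the UDP one, which is an assumption since the slide does not say; the burst pattern in udp_burst() is constructed.

```python
"""Rate-threshold screens for ICMP and UDP floods plus the land-attack check
(added example, not code from the slides).

Thresholds are the slide defaults: 1000 packets per second.  When a second's
count exceeds the threshold, further packets of that type to that destination
are ignored for the rest of that second and the whole next second.  Scoping
the ICMP counter per destination is an assumption; sample traffic is
constructed.
"""
from collections import defaultdict

THRESHOLD_PPS = 1000

class FloodScreen:
    def __init__(self, threshold=THRESHOLD_PPS):
        self.threshold = threshold
        self.counts = defaultdict(int)     # (proto, dst, second) -> packets seen
        self.ignore_until = {}             # (proto, dst) -> last ignored second

    def _rate_check(self, proto, dst, ts):
        sec = int(ts)
        key = (proto, dst)
        if self.ignore_until.get(key, -1) >= sec:
            return "drop:flood"
        self.counts[(proto, dst, sec)] += 1
        if self.counts[(proto, dst, sec)] > self.threshold:
            self.ignore_until[key] = sec + 1    # rest of this second + next one
            return "drop:flood"
        return "pass"

    def inspect(self, proto, src, dst, ts, syn=False):
        """Verdict for one packet arriving at time ts (seconds, float)."""
        if proto == "tcp" and syn and src == dst:
            return "drop:land"                  # victim's own address as source
        if proto in ("icmp", "udp"):
            return self._rate_check(proto, dst, ts)
        return "pass"

def udp_burst(pps=1500, seconds=3):
    """Constructed: pps UDP datagrams per second to one host from many
    sources; returns how many passed in each second."""
    screen = FloodScreen()
    passed = []
    for s in range(seconds):
        n = 0
        for i in range(pps):
            ts = s + i / pps
            src = f"203.0.113.{i % 200 + 1}"
            if screen.inspect("udp", src, "198.51.100.5", ts) == "pass":
                n += 1
        passed.append(n)
    return passed

if __name__ == "__main__":
    print(udp_burst())
    scr = FloodScreen()
    print(scr.inspect("tcp", "198.51.100.5", "198.51.100.5", 0.0, syn=True))
```

At 1500 packets per second the first second lets 1000 through, the second is blocked entirely and the third starts counting again, which is the sawtooth a sustained flood produces against this kind of screen; legitimate traffic to the same destination is dropped during the blocked second as well, so the threshold must sit well above the destination's real peak rate.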
OS-Specific DoS Attack Defences
•If an attacker not only identifies the IP address and responsive port numbers of an active host but also its operating system (OS), then instead of resorting to brute-force attacks, he or she can launch more elegant attacks that can produce one- or two-packet "kills."
•The attacks presented in this section can cripple a system with minimum effort.

Ping of Death:
•The maximum allowable IP packet size is 65,535 bytes, including the packet header, which is typically 20 bytes long. An ICMP echo request is an IP packet with a pseudo header, which is 8 bytes long. Therefore, the maximum allowable size of the data area of an ICMP echo request is 65,507 bytes (65,535 - 20 - 8 = 65,507).
•However, many ping implementations allow the user to specify a packet size larger than 65,507 bytes.
•A grossly oversized ICMP packet can trigger a range of adverse system reactions such as denial of service (DoS), crashing, freezing, and rebooting. When you enable the Ping of Death SCREEN option, the security device detects and rejects such oversized and irregular packet sizes even when the attacker hides the total packet size by purposefully fragmenting it.

Teardrop Attack:
•Teardrop attacks exploit the reassembly of fragmented IP packets. In the IP header, one of the fields is the fragment offset field, which indicates the starting position, or offset, of the data contained in a fragmented packet relative to the data of the original unfragmented packet.
•When the sum of the offset and size of one fragmented packet differs from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash, especially if it is running an older operating system that has this vulnerability.
•After you enable the Teardrop Attack SCREEN option, whenever the device detects this discrepancy in a fragmented packet, it drops it.
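Both screens above are decided from the same two header fields, fragment offset (in units of 8 bytes) and fragment length, tracked per datagram. The block below is an added example, not code from the slides or any firewall, that keeps the byte ranges seen for each datagram and flags a fragment that would push the reassembled size past 65,535 bytes (Ping of Death, even when fragmentation hides the total) or that overlaps a range already received (Teardrop). The fragment streams are constructed.

```python
"""Fragment sanity screen for Ping of Death and Teardrop (added example, not
from the slides).

Tracks the fragments of each IP datagram (keyed by source, destination and
IP identification) and flags two reassembly discrepancies: a fragment whose
offset*8 + length would push the reassembled datagram past 65,535 bytes
(Ping of Death), and a fragment whose byte range overlaps one already seen
(Teardrop).  The fragment streams below are constructed.
"""
from collections import defaultdict

MAX_IP_DATAGRAM = 65535
IP_HEADER_LEN = 20          # typical header length, as on the slide

class FragmentScreen:
    def __init__(self):
        # (src, dst, ip_id) -> list of (start, end) payload byte ranges seen
        self.seen = defaultdict(list)

    def inspect(self, src, dst, ip_id, frag_offset, payload_len, more_fragments):
        """frag_offset is the 13-bit header field (units of 8 bytes);
        payload_len is this fragment's data length in bytes."""
        start = frag_offset * 8
        end = start + payload_len
        key = (src, dst, ip_id)
        # Ping of Death: the reassembled datagram would exceed the IP maximum
        if IP_HEADER_LEN + end > MAX_IP_DATAGRAM:
            self.seen.pop(key, None)
            return "drop:ping-of-death"
        # Teardrop: this range overlaps a fragment already received
        for s, e in self.seen[key]:
            if start < e and s < end:
                self.seen.pop(key, None)
                return "drop:teardrop"
        self.seen[key].append((start, end))
        if not more_fragments:
            self.seen.pop(key, None)     # last fragment: reassembly complete
        return "pass"

def normal_fragments():
    """Constructed 3000-byte ICMP payload in 1480-byte fragments (MTU 1500)."""
    scr = FragmentScreen()
    return [scr.inspect("192.0.2.10", "198.51.100.5", 1, 0, 1480, True),
            scr.inspect("192.0.2.10", "198.51.100.5", 1, 185, 1480, True),
            scr.inspect("192.0.2.10", "198.51.100.5", 1, 370, 40, False)]

def oversized_fragments():
    """Constructed: every fragment is legal on its own; the last one lands
    beyond 65,535 bytes, which only the running total reveals."""
    scr = FragmentScreen()
    verdicts = [scr.inspect("192.0.2.10", "198.51.100.5", 2, off, 1480, True)
                for off in range(0, 8140, 185)]       # offsets 0 .. 7955
    verdicts.append(scr.inspect("192.0.2.10", "198.51.100.5", 2, 8140, 1480, False))
    return verdicts

def overlapping_fragments():
    """Constructed: the second fragment starts inside the first one."""
    scr = FragmentScreen()
    return [scr.inspect("192.0.2.10", "198.51.100.5", 3, 0, 1480, True),
            scr.inspect("192.0.2.10", "198.51.100.5", 3, 100, 1480, False)]

if __name__ == "__main__":
    print(normal_fragments())
    print(oversized_fragments()[-2:])
    print(overlapping_fragments())
```

A real screen also needs a timer that discards partial state for datagrams whose last fragment never arrives; without it the fragment table itself becomes a session-table-flood target of the kind described earlier in the deck.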
WinNuke:
•WinNuke is a DoS attack targeting any computer on the Internet running Windows. The attacker sends a TCP segment—usually to NetBIOS port 139 with the urgent (URG) flag set—to a host with an established connection. This introduces a NetBIOS fragment overlap, which causes many machines running Windows to crash. After rebooting the attacked machine, the following message appears, indicating that an attack has occurred:
An exception OE has occurred at 0028:[address] in VxD