From proff Wed May 22 09:01:40 1996
From: Christopher Klaus
Message-Id: <199605212051.QAA15226@phoenix.iss.net>
Subject: Denial of Service Attacks INFO
To: firewalls@greatcircle.com
Date: Tue, 21 May 1996 16:51:21 -0400 (EDT)
Reply-To: cklaus@iss.net

Here are some denial of service attacks we look for in assessing network security. These checks can be turned off, obviously. But I figured I would share the information, since some of these attacks may be useful to know so you can take preventive action to secure your network. There is obviously a large number of other denial of service attacks that can be done on a network, but these are just the ones we can quickly perform.
Network Denial of Service Attacks checked by Internet Scanner 3.3

Index

  Summary
  UDP Bomb
  Finger Bomb
  NT dot..dot
  Chargen, Echo
  Linux Time Bomb
  Novell Net-ware FTP server
  Bruteforce in general
  ICMP Redirect Paragon OS

Summary:

Networked denial of service attacks are ways that a network or service can be brought down. Disgruntled employees, customers, or just a mischievous hacker may use various techniques to bring down your network services. Below are methods that the Internet Scanner 3.3 checks for that are ways someone can do a denial of service attack. The Internet Scanner 3.3 has a configuration page to turn off these checks, for they may disrupt your network.

UDP Bomb -

By sending a UDP packet with incorrect information in the header, some Sun-OS 4.1.3 Unix boxes will panic and then reboot. This is a problem found frequently on many firewalls that are on top of a Sun-OS machine. This could be a high risk vulnerability if your firewall keeps going down.

Solution: Sun provides a Patch id # 100567-04. Sun patches are available from ftp.uu.net/systems/sun/sun-dist/patches

Finger Bomb -

Some finger daemons allow redirecting the finger to remote sites. To finger through several sites, finger username@hostA@hostB. The finger will go through hostB then to hostA. This helps hackers cover their tracks because hostA will see a finger coming from hostB instead of the original source. This technique has been used to go through firewalls themselves if they are not properly configured. This can happen by finger user@host@firewall.

A denial of service attack may happen when a person types:

  finger username@@@@@@@@@@@@@@@@@@@@@hostA

The repeated @ causes the finger to recursively finger the same machine itself repeatedly till the memory and hard drive swap space fill up and cause the machine to crash or slow to unusable speeds.

Solution: Turn off the finger service or obtain a version of finger which turns off redirection.
GNU Finger can be configured to not allow redirection.

Windows NT .. Crash -

The file sharing service, if available and accessible by anyone, can crash the NT machine and require it to be rebooted. This technique, using the dot..dot bug on a Windows 95 machine, potentially allows anyone to gain access to the whole hard drive.

Solution: This vulnerability is documented in Microsoft Knowledge Base article number Q140818, last revision dated March 15, 1996. Resolution is to install the latest service pack for Windows NT version 3.51. The latest service pack to have the patch is service pack 4.

Chargen, Echo -

These two services on many machines can be spoofed into sending data from one service on one machine to another service on another machine, causing an infinite loop that generates high bandwidth so that the network becomes unusable.

Solution: Turn off these services. There are some patches available for Linux that prevent echo and chargen from sending data to specific ports, to block the infinite loop from being caused.

Linux Time Bomb -

The inetd running the TCP time services, daytime (port 13) and time (port 37), will crash if you send excessive SYN packets. Once inetd crashes, all other services running through inetd will no longer work.

Solution: Turn off the two services in TCP mode.

Bruteforce Net-ware FTP -

As the Internet Scanner 3.3 tries to bruteforce the FTP server by trying to log in as default accounts, Novell's Netware FTP server has a memory leak that will cause the entire machine to run out of memory.

Solution: Novell reportedly has a patch to fix this problem.

Bruteforce Attacks in General -

The Internet Scanner 3.3 tries to bruteforce attack by trying default accounts and account info gained from finger and rusers through the following servers: telnetd, ftpd, popd, rexecd, rshd. On some Unix OS's, if there are too many connections within a period of time, inetd will turn off the service for a period of time.
Solution: Modify inetd to allow more connections for a period of time. Internet Scanner 3.3 has the ability to select how many simultaneous connections can happen within a given period, to slow down the bruteforce attack to an acceptable level for inetd.

ICMP Redirect on Paragon OS beta R1.4 -

Sending an ICMP redirect to Paragon OS beta R1.4 would freeze the machine and require a reboot. This is a rarer case of denial of service, since there are very few of these types of systems on a typical network.

Solution: Ask your vendor for a patch.

--
Christopher William Klaus          Voice: (404)252-7270. Fax: (404)252-2427
Internet Security Systems, Inc.    "Internet Scanner finds your network
Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328    security holes before the
Web: http://iss.net/  Email: cklaus@iss.net       hackers do."
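The recurring remedy in the message above is to turn off the inetd "small services" (finger, echo, chargen, and the TCP daytime/time services) and to keep echo and chargen from being looped into each other. The script below is an added example written for this archive page; it is not code from the original posting or from Internet Security Systems. It parses a constructed inetd.conf, reports the active entries the message flags, rewrites the file with those entries commented out, and separately flags UDP datagrams whose source and destination ports are both echo or chargen, which is the signature of the spoofed loop described under "Chargen, Echo". The configuration text, packet records, and the RISKY_SERVICES table are all constructed assumptions, not values from the message.

```python
"""Added example, not part of the original posting: audit an inetd.conf for the
small services the message says to turn off, rewrite it with those entries
commented out, and flag UDP datagrams that match the chargen/echo loop pattern.
All configuration text and packet records below are constructed samples."""

# Service/protocol pairs the message recommends disabling, with its reason.
RISKY_SERVICES = {
    ("echo", "tcp"): "echo/chargen loop",
    ("echo", "udp"): "echo/chargen loop",
    ("chargen", "tcp"): "echo/chargen loop",
    ("chargen", "udp"): "echo/chargen loop",
    ("daytime", "tcp"): "inetd crashes under excessive SYN packets",
    ("time", "tcp"): "inetd crashes under excessive SYN packets",
    ("finger", "tcp"): "finger redirection and user@@@...@host recursion",
}

# Constructed sample inetd.conf (fields: service socket_type proto wait user server args)
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/etc/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/etc/in.telnetd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/etc/in.fingerd  in.fingerd
echo    stream  tcp  nowait  root    internal
echo    dgram   udp  wait    root    internal
chargen stream  tcp  nowait  root    internal
chargen dgram   udp  wait    root    internal
daytime stream  tcp  nowait  root    internal
daytime dgram   udp  wait    root    internal
time    stream  tcp  nowait  root    internal
time    dgram   udp  wait    root    internal
"""


def active_entry(line):
    """Return (service, proto) for an active inetd.conf line, or None for
    comments, blank lines and lines too short to be a valid entry."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 6:
        return None
    # BSD-style inetd writes tcp4/tcp6; normalise to the bare protocol name.
    return fields[0], fields[2].rstrip("46")


def audit_inetd_conf(text):
    """List (service, proto, reason) for every active risky entry, in file order."""
    findings = []
    for line in text.splitlines():
        entry = active_entry(line)
        if entry in RISKY_SERVICES:
            findings.append((entry[0], entry[1], RISKY_SERVICES[entry]))
    return findings


def harden_inetd_conf(text):
    """Return the config with risky entries commented out; other lines unchanged."""
    out = []
    for line in text.splitlines():
        entry = active_entry(line)
        if entry in RISKY_SERVICES:
            out.append("#" + line + "   # disabled: " + RISKY_SERVICES[entry])
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# --- chargen/echo loop detection over UDP flow records ----------------------

SMALL_UDP_PORTS = {7, 19}  # echo and chargen

# Constructed sample records: (src_ip, src_port, dst_ip, dst_port)
SAMPLE_UDP_PACKETS = [
    ("10.0.0.5", 40123, "10.0.0.9", 7),   # ordinary echo client, ephemeral source port
    ("10.0.0.9", 7, "10.0.0.5", 40123),   # its reply
    ("10.0.0.9", 19, "10.0.0.7", 7),      # chargen answering echo: loop traffic
    ("10.0.0.7", 7, "10.0.0.9", 19),      # echo answering chargen: loop traffic
]


def flag_udp_loops(packets):
    """Return records whose source AND destination ports are both small
    services. A real client uses an ephemeral source port, so a datagram
    between two of these ports is the signature of the spoofed loop the
    message describes and is what a border filter should drop."""
    return [p for p in packets
            if p[1] in SMALL_UDP_PORTS and p[3] in SMALL_UDP_PORTS]


if __name__ == "__main__":
    for service, proto, reason in audit_inetd_conf(SAMPLE_INETD_CONF):
        print("active risky service: %s/%s (%s)" % (service, proto, reason))
    print(harden_inetd_conf(SAMPLE_INETD_CONF))
    for record in flag_udp_loops(SAMPLE_UDP_PACKETS):
        print("loop traffic:", record)
```

Run as a script it lists the seven risky entries in the sample, prints the hardened file (UDP daytime and time are left alone, matching the message's "turn off the two services in TCP mode"), and prints the two loop datagrams. The same port-pair test can be expressed as a packet-filter rule on a border router, which blocks the loop even on hosts where the services cannot be disabled.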