When crackers attempt to break into or disable systems, their behavior can be categorized as a certain type of attack. This section discusses different ways that a network (such as the Internet) can be used to attack systems, attacks that can come from inside your infrastructure, and how crackers can divert your legitimate Internet traffic.
Denial of Service (DoS) attacks drain a Web host of a scarce resource. This could be a resource such as open TCP connections or the amount of memory allocated to receiving client requests. After this resource has been overly used, it isn't available to service real client requests.
Buffer overflows occur when a network address receives more data than the program supporting that address can hold.
Programs that service network addresses (Web servers, FTP servers, email servers, and so forth) have been written to work with multiple diverse clients simultaneously. These programs need to store information in memory in data buffers. When these data buffers are full, they can no longer service client requests. By filling these buffers with bogus client requests, crackers can deny access to legitimate users.
In the SYN flood attack, a source host starts a TCP conversation using an invalid IP address. The destination host sends a SYN-ACK to that IP address and cannot complete the conversation until it receives a reply. The destination keeps an entry for this soon-to-be-started conversation in a connection queue. Because the IP address isn't valid, the reply never comes and the entry stays in the connection queue for a certain period of time. If many requests to start TCP connections using invalid IP addresses occur in a short period of time, the connection queue fills up. When this occurs, other services based on TCP, such as email, FTP, and serving of Web pages, will be denied to genuine users.
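The connection-queue behavior just described can be watched for on the host. The following is an added example (not from the book): it models the queue of half-open connections, expires entries after the assumed timeout, and raises an alert when the queue depth exceeds an assumed limit, reporting how many of the queued sources are addresses that could never answer a handshake. The sample entries, the timeout, the limit, and the unroutable-range list are all constructed assumptions.

```python
import ipaddress
from collections import deque

# Constructed sample: half-open (SYN received, final ACK never seen) entries as
# (seconds since start, source IP). A real monitor would read these from
# `ss`/`netstat` output in state SYN-RECV or from a firewall log.
HALF_OPEN = [
    (0.0, "203.0.113.5"),    # ordinary client still finishing its handshake
    (1.0, "10.0.0.9"),       # burst begins: sources that can never reply
    (1.1, "0.0.0.0"),
    (1.2, "192.168.1.77"),
    (1.3, "240.1.2.3"),
    (1.4, "10.44.0.1"),
    (1.5, "224.0.0.9"),
    (1.6, "172.16.5.5"),
    (9.0, "198.51.100.8"),   # quiet again
]

WINDOW_SECONDS = 2.0   # assumed: how long an entry survives in the queue
MAX_HALF_OPEN = 5      # assumed: alert when more than this many are queued

# Assumed list of source ranges an Internet-facing host can never get a
# reply from (private, unspecified, loopback, link-local, multicast, reserved).
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def cannot_reply(src: str) -> bool:
    """True if the source address lies in a range that cannot answer."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in UNROUTABLE)


def detect_syn_flood(entries, window=WINDOW_SECONDS, limit=MAX_HALF_OPEN):
    """Replay the entries in time order, expiring timed-out ones, and return
    one alert per entry at which the queue depth exceeds `limit`."""
    queue, alerts = deque(), []
    for ts, src in sorted(entries):
        queue.append((ts, src))
        while queue and ts - queue[0][0] > window:   # drop expired entries
            queue.popleft()
        if len(queue) > limit:
            bogus = sum(cannot_reply(s) for _, s in queue)
            alerts.append({"at": ts, "depth": len(queue),
                           "unanswerable_share": bogus / len(queue)})
    return alerts
```

A high unanswerable share alongside a deep queue distinguishes a flood of spoofed SYNs from a genuine surge of slow clients.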
The Internet Protocol (IP) requires that packets that are too large for a router to handle must be split into multiple smaller packets. These packets are then reassembled at a destination host using packet-offset values that indicate how reassembly should occur. In a teardrop attack, the attacker changes the offset values in these packets and confuses the destination host. This in itself would only mean that the packet wasn't sent correctly. However, in some cases, if the destination host hasn't been configured to handle this situation, the change causes the machine to crash.
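The defensive fix is a reassembler that validates offsets before copying data. The following is an added example (not from the book) of such a check: it takes a datagram's fragments as (byte offset, payload, more-fragments flag), and refuses overlapping, gapped, out-of-range or unterminated sets instead of crashing. The fragment sets are constructed; the caller is assumed to have already multiplied the 8-byte-unit header offsets into byte offsets.

```python
MAX_DATAGRAM = 65535   # IPv4 total-length limit


class BadFragment(ValueError):
    """Raised, instead of crashing, when fragment offsets do not add up."""


def reassemble(fragments):
    """Return the reassembled payload for a complete set of fragments.

    fragments: iterable of (offset, payload, more_fragments). Called once a
    datagram's fragments have all arrived (or its reassembly timer expires).
    """
    frags = sorted(fragments, key=lambda f: f[0])
    expected, out, saw_last = 0, bytearray(), False
    for offset, payload, more in frags:
        if saw_last:
            raise BadFragment("data after the final fragment")
        if offset < 0 or offset + len(payload) > MAX_DATAGRAM:
            raise BadFragment("fragment outside the datagram")
        if more and len(payload) % 8:
            raise BadFragment("non-final fragment not a multiple of 8 bytes")
        if offset < expected:                 # teardrop-style overlap
            raise BadFragment(f"overlap at offset {offset}")
        if offset > expected:                 # hole: a fragment never arrived
            raise BadFragment(f"missing data at offset {expected}")
        out += payload
        expected = offset + len(payload)
        saw_last = not more
    if not saw_last:
        raise BadFragment("final fragment missing")
    return bytes(out)


def is_well_formed(fragments):
    """Convenience wrapper: True if the set reassembles cleanly."""
    try:
        reassemble(fragments)
        return True
    except BadFragment:
        return False


# Constructed samples: a normal three-fragment datagram, and a pair whose
# second offset points back inside the first fragment.
GOOD = [(0, b"A" * 8, True), (8, b"B" * 8, True), (16, b"C" * 4, False)]
TEARDROP = [(0, b"A" * 16, True), (8, b"B" * 8, False)]
```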
Spoofing is the process of forging someone else's Internet identity or IP address. For instance, when a cracker can spoof an email server, he can then send thousands of email messages that appear to be coming from that server. In a Smurf attack, an IP address is spoofed and then used as the reply address in an ICMP echo call (ping). If enough of these pings occur simultaneously, the innocent host at the spoofed IP address will be overwhelmed with traffic and cannot effectively handle any real client requests.
There are many other popular attacks such as the fraggle attack, mail-bomb attack, ping of death, trinoo attack, tribe flood network, stacheldraht, and ICMP ping flood. Be sure that your hardware/software solution and/or your ISPs have taken the necessary steps to thwart the efforts of those attempting to bring down your Internet presence using attacks such as these. As we'll see in later chapters, WebLogic Server has such configurable settings to protect against some of these attacks.
Distributed Network Attacks
Perhaps one of the most frightening attacks, and the one hardest to fight, is the Distributed Denial of Service (DDoS) attack. In this type of attack, an attacker has employed many unsuspecting, innocent systems to send traffic to a host. As Figure 26.2 points out, these multiple sites overwhelm the target Web host and, just as in a standard DoS attack, cut off its capability to serve legitimate clients.
Figure 26.2. A cracker can impersonate Web hosts and get them to unsuspectingly perform a distributed denial of service attack.
If an attacker chooses, he can try to get into your system by getting you to run a virus program or a worm. These can be delivered as email attachments or downloaded from Web sites. Once run, these viruses can do many things. Some email out sensitive files, whereas others just display a message from the cracker who created the virus. Some viruses will attempt to collect sensitive information such as usernames and passwords. A cracker can then communicate with the virus at a later date and collect this information.
A packet sniffer is a piece of software that communicates with a network interface card and asks it for all packets of information it receives. Sniffers have a rightful place in the toolkit of network administrators, but in the hands of a cracker, they can be used to view sensitive information such as usernames and passwords, especially when information isn't encrypted. To protect against these types of attacks, companies can use antisniffer tools. These tools can detect whether a packet sniffer is being used. After it's detected, a packet sniffer can be found and disabled.
A traffic-redirection attack sends Internet traffic to the wrong host and enables a cracker to eavesdrop on a conversation, as depicted in Figure 26.3. The cracker can then use this information for personal gain. For instance, when Joe wants to connect to his online bank, www.mybank.com, he types the URL in his browser. A cracker routes this request to another IP address by corrupting a DNS server (as discussed earlier) or by corrupting the host table on Joe's PC. The host table will then contain an entry for www.mybank.com with the IP address of the cracker's host. This host table can be corrupted by getting Joe to run an EXE file on his PC.
Figure 26.3. A cracker can redirect traffic to his IP address and then view information being sent to the original address.
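A corrupted host table is easy to check for, because a workstation's hosts file should never carry entries for public names such as a bank's. The following is an added example (not from the book): it parses a hosts file in the standard format (comments, blank lines, several aliases per line) and reports any entry that overrides an assumed list of protected domains or their subdomains, whatever address it points at. The sample file and the protected list are constructed.

```python
import ipaddress

# Constructed sample host table. The last line is the kind of entry a
# dropped-in EXE would add so that bank traffic goes to the cracker's host.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.1.20    printer.local printer     # local device, legitimate
203.0.113.66    www.mybank.com mybank.com
"""

# Assumed: domains that must only ever be resolved through DNS.
PROTECTED = ("mybank.com",)


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; skip comments, blanks and
    lines whose first field is not a valid IPv4/IPv6 address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def hijacked_entries(text, protected=PROTECTED):
    """Return [(hostname, ip)] for entries that override a protected domain
    or any of its subdomains, regardless of the address they map to."""
    hits = []
    for ip, name in parse_hosts(text):
        if any(name == d or name.endswith("." + d) for d in protected):
            hits.append((name, str(ip)))
    return hits
```

On Windows the file lives under the system drivers\etc directory; on Unix-like systems it is /etc/hosts.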