Previous Page
Next Page

Two-Minute Drill

Here are some of the key points from the certification objectives in Chapter 7.

Differentiate Between the Types of Host-Based Denial of Service Attacks and Understand How Attacks Are Executed

  • The most common forms of DoS attacks include program buffer overflow, malformed packets (that is, overlapping IP fragments), Teardrop, Ping of Death, Smurf, Bonk, Boink, NewTear, WinNuke, Land, LaTierra, and SYN attacks.

  • After penetrating a target system, an attacker would typically attempt to erase any traces of the incident by deleting activity logs and leaving backdoors in place to allow later clandestine access to the system.

  • When default executable stacks with permissions set to read/write/execute are allowed, programs may be targets for buffer overflow attacks. A buffer overflow occurs when a program process or task receives extraneous data that is not properly programmed. As a result, the program typically operates in such a way that an intruder can abuse or misuse it.

  • During a SYN attack, the attacker abuses the TCP three-way handshake by sending a flood of connection requests (SYN packets) while not responding to any of the replies. To verify that this type of attack is occurring, you can check the state of the system's network traffic with the netstat command.

  • In a Teardrop attack, the attacker modifies the length and fragmentation offset fields in IP packets, which causes the target to crash.

  • Ping of Death is a malformed ICMP packet attack whereby an attacker sends an oversized ping packet in an attempt to overflow the system's buffer.

  • A Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

Establish Courses of Action to Prevent Denial of Service Attacks

  • To help prevent DoS attacks against the Solaris operating system, Sun advocates disabling executable stacks, disabling extraneous IP services/ports, using egress filtering, using firewalls, monitoring networks, and implementing a patch update program.

  • Sun recommends that you always monitor programs that are executed with privileges as well as the users that have rights to execute them. You can search your system for unauthorized use of the setuid and setgid permissions on programs to gain superuser privileges using the find command:

    find directory -user root -perm -4000 -exec ls -ldb {} \; >/tmp/filename
    

    where find directory checks all mounted paths starting at the specified directory, which can be root (/), sys, bin, or mail; -user root displays files owned only by root; -perm -4000 displays files only with permissions set to 4000; -exec ls -ldb displays the output of the find command in ls -ldb format; and >/tmp/filename writes results to this file.

  • To defend against stack smashing, you can configure attributes so that code cannot be executed from the stack by setting the noexec_user_stack=1 variable in the /etc/system file. If you disable executable stacks, programs that require the contrary will be aborted, so it's crucial that you first test this procedure on a nonproduction system.

  • The inetd.conf defines how the inetd daemon handles common Internet service requests. To disable an unneeded port and prevent unauthorized access to the associated service, comment out the service in the /etc/inetd.conf file with the hash character and then restart the inetd process or reboot the server if the service started through the inetd daemon.

  • Use the showrev -p command from a terminal session to view your system's current patches.

  • To install a patch, use the patchadd command:

    patchadd /dir/filename
    

    where dir is the folder that contains the patch, and filename is the name of the patch.

Self Test

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully, because there might be more than one correct answer. Choose all correct answers for each question.

Differentiate Between the Types of Host-Based Denial of Service Attacks and Understand How Attacks Are Executed

1. 

When executable stacks with permissions set to read/write/execute are allowed, programs by default will be vulnerable to buffer overflow attacks.

  1. True

  2. False

    B. False. When default executable stacks with permissions set to read, write, and execute are allowed, programs may be inherently vulnerable to buffer overflow attacks.     A is incorrect because, by default, programs are not inherently vulnerable to stack smashing. This is especially true when the latest patches have been applied.

2. 

Half-open connections are commonly initiated by an attacker in which of the following types of attacks?

  1. Program buffer overflow

  2. Ping of Death

  3. Executable stacks

  4. SYN flooding

  5. Smurf attacks

  6. All of the above

    D. During a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. This is referred to as a half-open connection because during a normal connection between a client and a server, the connection is considered to be open after the handshake process. When the server has not received an ACK from the client, the connection is considered to be half-open.     A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted and/or an abundance of data that is not properly programmed. B is incorrect because Ping of Death is a malformed ICMP packet attack, whereby an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

3. 

Which of the following are common forms of DoS attacks against Solaris operating systems?

  1. Program buffer overflow

  2. Extraneous IP ports

  3. Teardrop

  4. Executable stacks

  5. SYN flooding

  6. All of the above

    A, C, and E. A buffer overflow occurs when a program process or task receives extraneous data that is not properly programmed. As a result, the program typically operates in such a way that an intruder can abuse or misuse it. In a Teardrop attack, the attacker modifies the length and fragmentation offset fields in IP packets, which causes the target to crash. During a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies, thus leaving the connection half-open. The SYN messages will usually flood the server, and as a result the target system will fill up with requests until it is unable to accommodate any new requests. In some cases, the system could consume available memory, crash, or be rendered inoperative.     B is incorrect because although extraneous IP ports and services could be potential targets for DoS attacks, they're not forms of attacks in and of themselves. D is incorrect because when default executable stacks with permissions set to read/write/execute are allowed, programs may be targets for buffer overflow attacks; executable stacks alone are not an attack. It's also important to note that some software may require executable stacks. Therefore, if you disable executable stacks, programs that require them will be aborted.

4. 

Which type of attack occurs when a program process or task receives extraneous data that is not properly programmed?

  1. Program buffer overflow

  2. Ping of Death

  3. Executable stacks

  4. SYN flooding

  5. Smurf attacks

  6. All of the above

    A. A program buffer overflow occurs when a program process or task receives unwarranted data and/or an abundance of data that is not properly programmed.     B is incorrect because Ping of Death is a malformed ICMP packet attack whereby an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because, during a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

5. 

Which type of attack occurs when an attacker sends an oversized ICMP packet in an attempt to overflow the target system's buffer?

  1. Program buffer overflow

  2. Ping of Death

  3. Executable stacks

  4. SYN flooding

  5. Smurf attacks

  6. All of the above

    B. Ping of Death is a malformed ICMP packet attack, whereby an attacker sends an oversized ping packet in an attempt to overflow the system's buffer.     A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted data and/or an abundance of data that is not properly programmed. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

6. 

Which type of attack occurs when a broadcasted ping request is sent to every system on the target's network?

  1. Program buffer overflow

  2. Ping of Death

  3. Executable stacks

  4. SYN flooding

  5. Smurf attacks

  6. All of the above

    E. A Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.     A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted data and/or an abundance of data that is not properly programmed. B is incorrect because Ping of Death is a malformed ICMP packet attack whereby an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies.

Answers

1. 

þ B. False. When default executable stacks with permissions set to read, write, and execute are allowed, programs may be inherently vulnerable to buffer overflow attacks.

ý A is incorrect because, by default, programs are not inherently vulnerable to stack smashing. This is especially true when the latest patches have been applied.

2. 

þ D. During a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. This is referred to as a half-open connection because during a normal connection between a client and a server, the connection is considered to be open after the handshake process. When the server has not received an ACK from the client, the connection is considered to be half-open.

ý A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted and/or an abundance of data that is not properly programmed. B is incorrect because Ping of Death is a malformed ICMP packet attack, whereby an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

3. 

þ A, C, and E. A buffer overflow occurs when a program process or task receives extraneous data that is not properly programmed. As a result, the program typically operates in such a way that an intruder can abuse or misuse it. In a Teardrop attack, the attacker modifies the length and fragmentation offset fields in IP packets, which causes the target to crash. During a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies, thus leaving the connection half-open. The SYN messages will usually flood the server, and as a result the target system will fill up with requests until it is unable to accommodate any new requests. In some cases, the system could consume available memory, crash, or be rendered inoperative.

ý B is incorrect because although extraneous IP ports and services could be potential targets for DoS attacks, they're not forms of attacks in and of themselves. D is incorrect because when default executable stacks with permissions set to read/write/execute are allowed, programs may be targets for buffer overflow attacks; executable stacks alone are not an attack. It's also important to note that some software may require executable stacks. Therefore, if you disable executable stacks, programs that require them will be aborted.

4. 

þ A. A program buffer overflow occurs when a program process or task receives unwarranted data and/or an abundance of data that is not properly programmed.

ý B is incorrect because Ping of Death is a malformed ICMP packet attack whereby an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because, during a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

5. 

þ B. Ping of Death is a malformed ICMP packet attack, whereby an attacker sends an oversized ping packet in an attempt to overflow the system's buffer.

ý A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted data and/or an abundance of data that is not properly programmed. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies. E is incorrect because a Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

6. 

þ E. A Smurf attack involves a broadcasted ping request to every system on the target's network with a spoofed return address of the target.

ý A is incorrect because a program buffer overflow occurs when a program process or task receives unwarranted data and/or an abundance of data that is not properly programmed. B is incorrect because Ping of Death is a malformed ICMP packet attack whereby an attacker sends an oversized ping packet in an attempt to overflow the system's buffer. C is incorrect because executable stacks involve program buffer overflows. D is incorrect because during a SYN attack, the attacker sends a flood of connection requests but does not respond to any of the replies.

Establish Courses of Action to Prevent Denial of Service Attacks

7. 

By commenting out extraneous inetd services, the operating system will disable the service from being available and potentially vulnerable to an attack.

  1. True

  2. False

    A. True. To disable a service that is defined in inetd, you comment it out in the /etc/inetd.conf file by inserting a hash character in the first character position before the service. To activate the change, restart the process or reboot the operating system.     B is incorrect, because unless the service is enabled in inetd the port and service will not be listening for connection attempts.

8. 

To prevent and defend against DoS attacks, Sun recommends which of the following mechanisms?

  1. Using egress filtering

  2. Installing recommended patches from SunSolve

  3. Disabling unnecessary service ports

  4. Using TCP wrappers

  5. Network monitoring and deploying a firewall

  6. All of the above

    F. All of the answers are correct. To prevent DoS attacks against the Solaris operating system, Sun advocates disabling executable stacks, disabling extraneous IP ports, using egress filtering, monitoring networks, using firewalls, and implementing a patch update program.

9. 

From within a terminal session, which command would you execute to view the system's current installed patches?

  1. grep filename

  2. showpatch -p

  3. showrev -p

  4. vi system

  5. All of the above

    C. To verify that a patch was successfully installed, issue the showrev -p command, or to verify a specific individual patch, use showrev -p | grep   filename;  where  filename  is the name of the patch.     A is incorrect because grep filename is an option to the showrev command when verifying that a specific patch was successfully installed. B is incorrect because the command showpatch -p does not exist. D is incorrect because vi is the system's visual editor that is used to create and modify text within files. Depending on where you executed the command vi system , the editor would either create a new file entitled system or open the current system file for editing.

10. 

In which of these files would you find the list that specifies the ports used by the server processes as contact ports (also known as well-known ports)?

  1. /usr/sbin/in.telnetd

  2. /tmp/patch

  3. /etc/services

  4. /etc/inetd.conf

  5. All of the above

    C. The /etc/services file specifies the ports used by the server processes as contact ports, which are also known as well-known ports.     A is incorrect because that file is used with the telnet service. B is incorrect because the file does not typically exist. D is incorrect because the inetd.conf defines how the inetd daemon handles common Internet service requests.

11. 

When viewing your system's current patches from a terminal session, the output will display what useful information?

  1. A list of current installed patches

  2. Whether a patch obsoletes a previous patch

  3. Whether a patch is incompatible with other patches

  4. Which packages are directly affected by a patch

  5. If any prerequisite patches exist for a current patch

  6. All of the above

    F. All of the answers are correct. Viewing your system's current patches using the showrev -p command will display installed patches, patch numbers, whether a patch obsoletes a previous patch, if any prerequisite patches are required for a current patch, whether a patch is incompatible with other patches, and what packages are directly affected by a patch.

12. 

Which of the following should be added to the /etc/system file manually to disable programs from using executable stacks?

  1. set noexec_user_stack=1

  2. set noexec_user_stack_log=1

  3. set noexec_program_stack=0

  4. set noexec_user_stack_log=0

  5. All of the above

    A. If the noexec_user_stack variable is set to non-zero, the operating system will apply nonexecutable but readable and writable attributes to every process stack.     B and D are incorrect because these settings are used to disable or enable executable stack message logging. C is incorrect because that option does not exist.

13. 

Which command would display the following output in a terminal session that could indicate that the system is being attacked?

10.16.3.11.22    10.16.3.100.21834     0     0  9112     0 SYN_RECEIVED
10.16.3.11.22    10.16.3.100.22090     0     0  9112     0 SYN_RECEIVED
10.16.3.11.22    10.16.3.100.22346     0     0  9112     0 SYN_RECEIVED
10.16.3.11.22    10.16.3.100.22602     0     0  9112     0 SYN_RECEIVED
10.16.3.11.22    10.16.3.100.22858     0     0  9112     0 SYN_RECEIVED
  1. find directory -user root

  2. netstat -a -f inet

  3. showrev -p

  4. grep inetd.conf

  5. All of the above

    B. The netstat command with -a and -f inet switches can be used to show the state of all sockets and all routing table entries for the AF_INET address family showing IPv4 information only.     A is incorrect because find directory -user root is used to check all mounted paths starting at the specified directory and to display files owned by root. C is incorrect because the command showrev -p is used for viewing the system's current installed patches. D is incorrect because grep inetd.conf as it stands will produce nothing.

14. 

To disable an extraneous service and associated IP port, which file would you edit?

  1. /usr/sbin/in.telnetd

  2. /tmp/patch

  3. /etc/services

  4. /etc/inetd.conf

  5. All of the above

    D. The inetd.conf defines how the inetd daemon handles common Internet service requests.     A is incorrect because that file is used with the telnet service. B is incorrect because the file does not typically exist. C is incorrect because the /etc/services file specifies the ports used by the server processes as contact ports, which are also known as well-known ports.

15. 

Assuming the syslog kern facility is set to notice level, when you disallow executable stacks, programs that attempt to execute code on their stack will likely do which of these?

  1. Execute the program with privileges.

  2. Display a warning message with the name of the program, its process ID, and the UID of the user who ran the program.

  3. Monitor executable stacks.

  4. Log a message by syslog.

    B and D. When you disallow executable stacks, programs that attempt to execute code on their stack will abort with a core dump. At that time, a warning message will be displayed with the name of the program, its process ID, and the UID of the user who ran the program. In addition, the message can be logged by syslog when the syslog kern facility is set to notice level.     A is incorrect because when a program attempts to execute code on its stack when you disallow executable stacks, the program will abort. C is incorrect because whether or not you are monitoring executable stacks has nothing to do with the results of a program that attempts to execute code on its stack.

Answers

7. 

þ A. True. To disable a service that is defined in inetd, you comment it out in the /etc/inetd.conf file by inserting a hash character in the first character position before the service. To activate the change, restart the process or reboot the operating system.

ý B is incorrect, because unless the service is enabled in inetd the port and service will not be listening for connection attempts.

8. 

þ F. All of the answers are correct. To prevent DoS attacks against the Solaris operating system, Sun advocates disabling executable stacks, disabling extraneous IP ports, using egress filtering, monitoring networks, using firewalls, and implementing a patch update program.

9. 

þ C. To verify that a patch was successfully installed, issue the showrev -p command, or to verify a specific individual patch, use showrev -p | grep filename; where filename is the name of the patch.

ý A is incorrect because grep filename is an option to the showrev command when verifying that a specific patch was successfully installed. B is incorrect because the command showpatch -p does not exist. D is incorrect because vi is the system's visual editor that is used to create and modify text within files. Depending on where you executed the command vi system, the editor would either create a new file entitled system or open the current system file for editing.

10. 

þ C. The /etc/services file specifies the ports used by the server processes as contact ports, which are also known as well-known ports.

ý A is incorrect because that file is used with the telnet service. B is incorrect because the file does not typically exist. D is incorrect because the inetd.conf defines how the inetd daemon handles common Internet service requests.

11. 

þ F. All of the answers are correct. Viewing your system's current patches using the showrev -p command will display installed patches, patch numbers, whether a patch obsoletes a previous patch, if any prerequisite patches are required for a current patch, whether a patch is incompatible with other patches, and what packages are directly affected by a patch.

12. 

þ A. If the noexec_user_stack variable is set to non-zero, the operating system will apply nonexecutable but readable and writable attributes to every process stack.

ý B and D are incorrect because these settings are used to disable or enable executable stack message logging. C is incorrect because that option does not exist.

13. 

þ B. The netstat command with -a and -f inet switches can be used to show the state of all sockets and all routing table entries for the AF_INET address family showing IPv4 information only.

ý A is incorrect because find directory -user root is used to check all mounted paths starting at the specified directory and to display files owned by root. C is incorrect because the command showrev -p is used for viewing the system's current installed patches. D is incorrect because grep inetd.conf as it stands will produce nothing.

14. 

þ D. The inetd.conf defines how the inetd daemon handles common Internet service requests.

ý A is incorrect because that file is used with the telnet service. B is incorrect because the file does not typically exist. C is incorrect because the /etc/services file specifies the ports used by the server processes as contact ports, which are also known as well-known ports.

15. 

þ B and D. When you disallow executable stacks, programs that attempt to execute code on their stack will abort with a core dump. At that time, a warning message will be displayed with the name of the program, its process ID, and the UID of the user who ran the program. In addition, the message can be logged by syslog when the syslog kern facility is set to notice level.

ý A is incorrect because when a program attempts to execute code on its stack when you disallow executable stacks, the program will abort. C is incorrect because whether or not you are monitoring executable stacks has nothing to do with the results of a program that attempts to execute code on its stack.

Lab Question

 

ABCD Inc. hired you as a consultant with regard to two production Solaris servers. To mitigate the risk of any potential DoS attacks against extraneous services, management informed you that FTP and Name services are not required on their first server; however, they do not want you to bring down the system completely. What steps would you perform to disable the unneeded services?

In addition, management informed you that based on a recent audit of the second server, to alleviate new buffer overflow vulnerabilities, they are required to install and verify the latest SunOS 5.9 kernel patch (112233-11). Assuming the patch was already downloaded into the /tmp directory, what steps would you perform to install and verify the required patch?

The first task that ABCD Inc. hired you to perform is to disable the FTP and Name services on one of its servers without completely bringing down the system. To disable these services, you simply comment them out with a hash character in the /etc/inetd.conf file, in the very first character position on each line of the service. After saving the modified file, you would identify the PID for inetd using the ps -eaf | grep inetd command, and then restart the process with the kill -l (   PID   ) command, where  PID  is the process number for inetd on that system. The second task that management requires you to perform is to install and verify the latest SunOS 5.9 kernel patch (filename: 112233-11 ) on the other server. The patch was downloaded into the /tmp directory. If ABCD Inc. does not have a nonproduction pilot system available on which you can install and test the patch in advance, be sure you are provided a full current system backup of the production system before installing the patch. Next, be sure to refer to the patch report for this patch on Sunsolve.Sun.com for any specific installation instructions. Upon doing so, you'll know that you need to install this patch in single-user state and then restart the system. Therefore, you start by issu-ing the init S command to enter single-user mode. Next, to install the patch, you simply execute the patchadd command as follows: patchadd /tmp/112233-11 . At that point, you restart the system with the init 6 command. Finally, to verify that the patch was successfully installed, you issue the showrev command as follows: showrev -p | grep 112233-11 .

Answers

 

The first task that ABCD Inc. hired you to perform is to disable the FTP and Name services on one of its servers without completely bringing down the system. To disable these services, you simply comment them out with a hash character in the /etc/inetd.conf file, in the very first character position on each line of the service. After saving the modified file, you would identify the PID for inetd using the ps -eaf | grep inetd command, and then restart the process with the kill -l (PID) command, where PID is the process number for inetd on that system.

The second task that management requires you to perform is to install and verify the latest SunOS 5.9 kernel patch (filename: 112233-11) on the other server. The patch was downloaded into the /tmp directory. If ABCD Inc. does not have a nonproduction pilot system available on which you can install and test the patch in advance, be sure you are provided a full current system backup of the production system before installing the patch. Next, be sure to refer to the patch report for this patch on Sunsolve.Sun.com for any specific installation instructions. Upon doing so, you'll know that you need to install this patch in single-user state and then restart the system. Therefore, you start by issu-ing the init S command to enter single-user mode. Next, to install the patch, you simply execute the patchadd command as follows: patchadd /tmp/112233-11. At that point, you restart the system with the init 6 command. Finally, to verify that the patch was successfully installed, you issue the showrev command as follows: showrev -p | grep 112233-11.


Previous Page
Next Page