SWAT MAGAZINE ISSUE EIGHTEEN: JUNE 1999

Protect and Survive - Part 1
Common Denial of Service attacks and what you can do to protect yourself
By Aces^High

------------------------------------------------------------------------

Whatever you do on the internet, you will most likely encounter some form of Denial of Service (DoS) attack at some point, and if you can identify the attacks, it is easier to take steps to protect yourself. This text only deals with the most common attacks; it is worth checking pages such as Packet Storm, AntiOnline (www.antionline.com) and search engines such as AstaLaVista (http://astalavista.box.sk) and SecureRoot for news on the latest exploits. Many of these attacks are likely to happen if you are a regular IRC and/or ICQ user (and let's face it, a lot of us are) because it's very easy to find your IP address and hostname. In later issues of SWAT magazine I will deal with WWW browser exploits and Trojans.

Some common DoS attacks
-----------------------

OOB, Port 139 NetBIOS exploit

This used to be one of the most common attacks, affecting Windows 95 (early releases only, it was fixed in OSR2). It was very easy to get hold of as it was available as an .exe, usually a nice VB Windows application, and used to cause a lot of trouble on IRC. All it required was for the user to enter a victim's IP address and click 'Nuke', at which point the victim's machine crashed, giving the ever familiar blue screen error. Luckily, this is no longer the case; you are very unlikely to ever encounter this attack, because most people now have either Win 95 OSR2 or Win 98, or have their machine patched against it. There are however still a few newbies left out there with a copy of WinNuke, and I often catch port 139 attacks when I'm on IRC, usually after some kid has threatened to 'fuck me up' or hack my machine. I've also heard that if you can be nuked, your machine can be accessed by anybody with a copy of Netstat....

ICMP Unreach

This is now very common, and almost everybody who uses IRC has a copy of Click, Gimp or Vai te ja. ICMP nukes cause a server to drop a client's connection, disconnecting you from IRC, which can be highly irritating. There are two different types, server side and client side. Client side can be picked up with something as simple as NukeNabber. Server side nukes however are difficult to stop; a correctly configured firewall can stop an attack, but it's far easier to connect to IRC through a BNC.

Smurf

The Smurf attack works by sending spoofed ICMP echo traffic at broadcast addresses. If the machines on a network respond to the requests, a large number of replies are sent back to the spoofed IP, which is the victim's IP address. The example below, taken from the documentation in the smurf.c file, shows how deadly it can be:

    "Assume a co-location switched network with 100 hosts, and that the
    attacker has a T1. The attacker sends, say, a 768kb/s stream of ICMP
    echo (ping) packets, with a spoofed source address of the victim, to
    the broadcast address of the "bounce site". These ping packets hit the
    bounce site's broadcast network of 100 hosts; each of them takes the
    packet and responds to it, creating 100 ping replies outbound. If you
    multiply the bandwidth, you'll see that 76.8 Mbps is used outbound from
    the "bounce site" after the traffic is multiplied. This is then sent to
    the victim (the spoofed source of the originating packets)."

Now imagine what a flood of 76 megs, coming from high speed connections, is going to do to an IRC server or even a single user (it's happened to me). It's easy to tell if you are being attacked with Smurf if you have an external modem, as the receive data light will flash non-stop and your machine will freeze. There are two victims of this attack: the machines used to bounce the requests off, and the owner of the spoofed IP.

Unfortunately, there is very little a single user can do to protect him/herself. It is possible to stop an attack, but it requires a good firewall and expert knowledge of networks and communications systems, although if you are on IRC connect through a BNC, as this may stop it (don't hold me to that, I haven't tested it yet). Luckily, Smurf only comes as a .c file, so only people with access to *nix machines are going to have it.

Land

This attack affects Windows 95 (not sure about 98) including OSR2, and Win NT 4.0. It sends spoofed connection request packets (SYN) across TCP/IP; when a machine receives these, it may begin to operate slowly, but then return to normal operation. Variations of Land may cause machines to crash. A patch is available to fix this problem.

Bonk/Boink/Teardrop/NewTear

All of these attacks are variants of Teardrop; they affect Windows 95 and NT machines. An attack from one of these may give a blue screen error similar to an OOB attack. They can easily be stopped by installing a patch.

SSPing

This is another exploit using ICMP. When you send a flood of spoofed and fragmented ICMP datagram packets, Windows 95 and NT attempt to reconstruct them, causing machines to freeze. A patch is available to fix this.

The exploits above are not all of the ones around, not by far, they are just some of the most common. Below is a small list of programs that can be used to detect and stop DoS attacks.

NukeNabber 2.9

NukeNabber is basically a simple firewall. Although it lacks the rulesets of more advanced programs, it is simple to use, and comes preset to watch a number of ports. It's also free....

Conseal PC Firewall - www.signal9.com

This is about the most advanced firewall you are going to find for Windows (I think; if anybody knows of any others, e-mail me). It uses rulesets and so, if you know what you're doing, can probably be set up to protect you against a lot of attacks. Not one for the beginner. There are plenty of cracks available for getting the full version of this as well.

AtGuard - www.atguard.com

This is a brilliant program that is halfway between NukeNabber and Conseal; although it features rulesets, they are far easier to set up. It also integrates with your browser, and stops popup windows and advertisements, very handy.

Internet Firewall 2000

Well, this claims to be a firewall, but I've never seen such a heaving pile of shit before. It claims it's a firewall because it uses a batch file to activate netstat and has some sort of strange port watch. And they actually expect you to PAY for this.

Netstat

This program comes with Windows; simply go to Run and type netstat. It has a number of switches and can be used to see incoming/outgoing connections, so you know if someone tries to connect to you. Can also be used to get the IP address of an ICQ user....

Most of the above programs and source code can be found on www.antionline.com, http://spikeman.genocide2600.com, www.hackcity.com and of course www.swateam.org :o)

I do not profess to be a great expert in DoS, it's just something that I'm interested in, so if you see a mistake here, please mail me at aces.high@swateam.org
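As an added example (not part of the article, and not code from any of the tools it names), here is a small Python classifier that checks packet records for the signatures of three of the attacks described above: Land (a SYN whose source address and port equal its destination), Smurf (a burst of ICMP echo replies to pings we never sent) and Teardrop-style overlapping IP fragments. The packet-record fields, the 50-reply threshold and the sample traffic are assumptions made for this example.

```python
from collections import Counter, defaultdict

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
SMURF_REPLY_THRESHOLD = 50  # unsolicited echo replies in one second before we call it a flood (assumed)


def is_land(pkt):
    # Land: a spoofed SYN whose source address and port equal its destination address and port.
    return (pkt["proto"] == "tcp" and "SYN" in pkt.get("flags", ())
            and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"])

def overlapping_fragments(frags):
    # Teardrop family: fragments of one datagram whose byte ranges overlap instead of abutting.
    ranges = sorted((f["frag_off"], f["frag_off"] + f["frag_len"]) for f in frags)
    return any(ranges[i][1] > ranges[i + 1][0] for i in range(len(ranges) - 1))


def classify(packets, our_ip):
    """Return (label, detail) findings for packet records seen on our_ip's link."""
    findings, sent_requests = [], set()
    unsolicited = Counter()    # second -> echo replies with no matching request from us
    frags = defaultdict(list)  # (src, ip_id) -> fragments of that datagram
    for p in packets:
        if is_land(p):
            findings.append(("land", p["src"]))
        if p["proto"] == "icmp":
            if p["src"] == our_ip and p["icmp_type"] == ICMP_ECHO_REQUEST:
                sent_requests.add((p["dst"], p["icmp_id"]))
            elif (p["dst"] == our_ip and p["icmp_type"] == ICMP_ECHO_REPLY
                  and (p["src"], p["icmp_id"]) not in sent_requests):
                unsolicited[int(p["ts"])] += 1  # Smurf: replies to pings we never sent
        if p.get("frag_len"):
            frags[(p["src"], p["ip_id"])].append(p)
    findings += [("smurf", f"{n} unsolicited replies at t={sec}")
                 for sec, n in sorted(unsolicited.items()) if n >= SMURF_REPLY_THRESHOLD]
    findings += [("teardrop", src) for (src, _), fl in frags.items() if overlapping_fragments(fl)]
    return findings


# Constructed sample traffic (not a real capture): a Land SYN aimed at port 139, one legitimate
# ping exchange, a 100-host Smurf bounce in a single second, and two overlapping fragments.
ME = "10.0.0.5"
SAMPLE = [{"ts": 0.0, "proto": "tcp", "src": ME, "dst": ME, "sport": 139, "dport": 139, "flags": ("SYN",)},
          {"ts": 0.1, "proto": "icmp", "src": ME, "dst": "10.0.0.1", "icmp_type": 8, "icmp_id": 7},
          {"ts": 0.2, "proto": "icmp", "src": "10.0.0.1", "dst": ME, "icmp_type": 0, "icmp_id": 7}]
SAMPLE += [{"ts": 1.0 + i / 1000, "proto": "icmp", "src": f"192.0.2.{i}", "dst": ME,
            "icmp_type": 0, "icmp_id": 999} for i in range(1, 101)]
SAMPLE += [{"ts": 2.0, "proto": "udp", "src": "198.51.100.9", "dst": ME, "ip_id": 42, "frag_off": 0, "frag_len": 36},
           {"ts": 2.0, "proto": "udp", "src": "198.51.100.9", "dst": ME, "ip_id": 42, "frag_off": 24, "frag_len": 20}]
```

Calling classify(SAMPLE, ME) yields one land, one smurf and one teardrop finding; the legitimate ping reply is ignored because its request was seen going out first.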