Denial of Service Attacks INFO

[cklaus () iss net (Christopher Klaus)]

Here are some denial of service attacks we look for in assessing a network
security.  These checks can be turned off obviously.  But I figured I would
share the information since some of these attacks may be useful to know
so you can take preventive action to secure your network.
There is obviously a large number of other denial of service attacks that
can be done on a network, but these are just ones we can quickly perform.


Network Denial of Service Attacks checked by Internet Scanner 3.3

Index
        Summary
        UDP Bomb
        Finger Bomb
        NT dot..dot
        Chargen, Echo
        Linux Time Bomb
        Novell Net-ware FTP server
        Bruteforce in general
        ICMP Redirect Paragon OS

Summary:

Networked Denial of service attacks are ways that a network or service can be
brought down.  Disgruntled employees, customers, or just a mischevious hacker
may use various techniques to bring down your network services.  Below
are methods that the Internet Scanner 3.3 checks for that are ways someone
can do a denial of service attack.  The Internet Scanner 3.3 has a configuration
page to turn off these checks for they may disrupt your network.




UDP Bomb -  By sending a UDP packet with incorrect information in the header,
some Sun-OS 4.1.3 Unix boxes will panic and then reboot.  This is a problem
found frequently on many firewalls that are on top of a Sun-OS machine.  This
could be high risk vulnerability if your firewall keeps going down.

        Solution: Sun provides a Patch id # 100567-04.  Sun patches are
available from ftp.uu.net/systems/sun/sun-dist/patches

Finger Bomb - Some finger daemons allow redirecting the finger to remote sites.
To finger through several sites, finger username@hostA@hostB. The finger will
go through hostB then to hostA.  This helps hackers cover their tracks
because HostA will see a finger coming from HostB instead of the original
service.  This technique has been used to go through firewalls themselves if
they are not properly configured.  This can happen by finger user@host@firewall.
A denial of service attack may happen when a person types:


         finger username@@@@@@@@@@@@@@@@@@@@@hostA

The @ repeated causes the finger to recursively finger the same machine
itself repeatedly till the memory and and hard drive swap space fills up and
causes the machine to crash or slow to unusable speeds.

        Solution: Turn off the finger service or obtain a version of finger
which turns off redirection.  GNU Finger can be configured to not allow
redirection.

Windows NT .. Crash - The file sharing service if available and accessible
by anyone can crash the NT machine and require it to be rebooted.  This
technique using the dot..dot bug on a Windows 95 machine potentially allows
anyone to gain access to the whole hard drive.

        Solution:  This vulnerability is documented in Microsoft Knowledge Base
article number Q140818 last revision dated March 15, 1996.  Resolution is to
install the latest service pack for Windows NT version 3.51. The latest service
pack to have the patch is in service pack 4.

Chargen, Echo - These two services on many machines can be spoofed into sending
data from one service on one machine to another service on another machine
causing an infinite loop that causes high bandwidth so that the network
becomes unusable.

        Solution: Turn off these services.  There are some patches available
for Linux that will make echo and chargen not to be able to send data to
specific ports to block causing an infinite loop.

Linux Time Bomb - The inetd running the TCP time services, daytime (port 13)
and time (port 37) will crash if you send excessive SYN packets.  Once
inetd crashes, all other services running through inetd no longer will work.

        Solution: Turn off the two services in TCP mode.

Bruteforce Net-ware FTP - As the Internet Scanner 3.3 tries to bruteforce the FTP server
by trying to log in as default accounts, Novell's Netware FTP server has a
memory leak that will cause the entire machine to run out of memory.

        Solution: Novell reportedly has a patch to fix this problem.

Bruteforce Attacks in General - The Internet Scanner 3.3 tries to bruteforce
attack by trying default accounts and account info gained from finger and rusers
through the following servers: telnetd, ftpd, popd, rexecd, rshd.  On some
Unix OS's, if there are too many connections within a period of time, inetd
will turn off the service for a period of time.

        Solution: Modify inetd to allow more connections for a period of
time.  Internet Scanner 3.3 has the ability to select how many simultaneous
connections can happen within a given period to slow down the bruteforce
attack to an acceptable level for inetd.

ICMP Redirect on Paragon OS beta R1.4 - Sending an ICMP redirect to
Paragon OS beta R1.4 would cause it to freeze the machine and require a reboot.
This is a more rare case of denial of service since there are very few of
these type of systems on a typical network.

        Solution: Ask your vendor for a patch.



--
Christopher William Klaus            Voice: (404)252-7270. Fax: (404)252-2427
Internet Security Systems, Inc.                        "Internet Scanner finds
Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328     your network security holes
Web: http://iss.net/  Email: cklaus () iss net            before the hackers do."