http://wiki.cas.mcmaster.ca/index.php?feed=atom&target=Luongqt&title=Special%3AContributionsComputing and Software Wiki - User contributions [en]2026-04-30T06:16:04ZFrom Computing and Software WikiMediaWiki 1.15.1http://wiki.cas.mcmaster.ca/index.php/Tools_for_conducting_denial-of-service_attacksTools for conducting denial-of-service attacks2009-04-13T03:51:52Z<p>Luongqt: </p>
<hr />
<div>[[Image:Bot_attack.jpg|thumb|right|400px|Attack of the bots. Too late for something too big.]]<br />
In the world of computer [http://en.wikipedia.org/wiki/Network_security network security], denial-of-service attack is a sneaky and furious monster. It is calm and quite. But when it attacks you, your system will be defeated within minutes (sometimes seconds). What is it? Where does it come from? What can it do? How can you conduct it? Conduct with what? Software or hardware?<br />
<br />
Nowadays there are tools available on the [http://en.wikipedia.org/wiki/Internet Internet] that allow attackers to conduct denial-of-service attacks to any vulnerable servers. They are created by [http://en.wikipedia.org/wiki/Black_hat_hacker black hat hackers] for different reasons varying from personal, political reasons to nastiness. Damages from a DoS attack are usually devastating to businesses such as search engines, email providers, banks, e-commerce sites that rely heavily on availability.<br />
<br />
On the other hand, although details of denial-of-service attacks are well-known and studied, it is quite difficult to protect any systems from it due to the very nature of the attacks. Scanning tools and other intrusion detection systems can be used to detect attacks or find vulnerable spots which can lead to an DoS attack.<br />
<br />
<br />
==Definition<sup>[3]</sup>==<br />
[[Image:Dosgeek.jpg|thumb|right|400px|DoS in comic]]<br />
Denial-of-service (DoS) attack is an attempt to violate the availability condition of <br />
network security. Its sole purpose is to shut a computer system down or drain all its <br />
available resources, which prevents it to serve legitimate users. As computer becomes more <br />
and more popular, DoS attack evolves to Distributed DoS (DDoS) attack which amplifies the <br />
damage from thousand to million times.<br />
The most common technique for conducting DoS attacks is to "flood" the target with <br />
information/data. Others aim for the victim's Achilles' heel that cause it to crash.<br />
===Fact===<br />
[[Image:CnnDoS.PNG|thumb|right|400px|DoS reported on CNN]]<br />
[[Image:NewDoSTool.PNG|thumb|right|400px|Trinity]]<br />
* On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, [http://en.wikipedia.org/wiki/Ebay eBay (EBAY)], Amazon.com (AMZN), and [http://en.wikipedia.org/wiki/Cnn CNN] (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off. As a result, Yahoo, which relies on advertising for much of its revenue, lost potentially an estimated $500,000 because its users were unable to access Yahoo's Web pages and the advertisements they carried. (Business Week Online, 12 February 2000)<br />
<br />
* The [http://en.wikipedia.org/wiki/Fbi FBI]'s Web site was taken out of service for three hours on 18 February, 2000 by a DDoS attack. (CNN)<br />
<br />
* In October 2002, an attacker tried to performed a DDoS attack on the complete set of DNS root servers which have 13 servers of replicated DNS data in total. By a simple form of DDoS attack, he successfully took down 9 of them. The other 4 remained fully functional. The attack lasted only one hour. A longer and stronger attack might have been extremely harmful.<br />
<br />
* During the [http://en.wikipedia.org/wiki/Iraq_war Iraq War] in 2003, a DDoS attack was launched on the Qatar-based Al-Jazeera news organization, which broadcast pictures of captured American soldiers. Al-Jazeera attempted to out-provision the attackers by purchasing more bandwidth, but they merely ratcheted up the attack. The Web site was largely unreachable for two days, following which someone hijacked their DNS name, redirecting requests to another Web site that promoted the American cause.<br />
==Types of attack==<br />
There are basically three types of DoS attack:<br />
# Bandwidth attacks: straight forward, comsume resources.<br />
# Protocol attacks: take advantage of expected behavior of protocols such as [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP], [http://en.wikipedia.org/wiki/User_Datagram_Protocol UDP] and [http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
# Software vulnerability attacks: exploit vulnerabilities in network software, such as a web server, or the underlying TCP/IP stack.<br />
There are many tools for each type such as:<br />
* Sending oversized packets (protocol)<br />
* fragmentation overlap (protocol)<br />
* loopback floods (protocol)<br />
* Application DoS (software)<br />
* UDP floods (protocol)<br />
* [http://en.wikipedia.org/wiki/SYN_(TCP) SYN] floods (bandwidth)<br />
==Tools for conducting DoS attacks<sup>[2]</sup>==<br />
===SSPing===<br />
[[Image:SmurfAttack.gif|thumb|right|300px|Smurf]]<br />
[[Image:SYN_flood.jpg|thumb|right|300px|SYN Flood]]<br />
[[Image:Mixter.jpg|thumb|right|300px|The creator of Targa]]<br />
<br />
SSPing, a DoS tool, is a program sends the victim's computer a series of highly fragmented, <br />
over-sized ICMP data packets. While trying to put the fragments together, the computer can <br />
get into a memory overflow which causes the machine to freeze. With a few packets, the <br />
attacker can lock the victim's computer instantaneously. The identity of the attacker is <br />
unknown since the connection is lost as the victim restarts the computer. SSPing affects <br />
[http://en.wikipedia.org/wiki/Windows_95 Windows 95]/[http://en.wikipedia.org/wiki/Windows_NT NT] and [http://en.wikipedia.org/wiki/Mac_os Mac OS].<br />
Jolt is a program known for this kind of attack. It will freeze unpatched Windows 95, NT <br />
machines by sending a series of spoofed & highly fragmented ICMP packets to the target, <br />
which then tries to reassemble the received fragments.<br />
===Land Exploit===<br />
Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and <br />
source addresses are the same and port numbers are the same. Receiving such packet causes <br />
some TCP implementations to crash the target system or exhaust all CPU resources. The name <br />
of the attack comes from the first distributed source code (called "exploit") that made it <br />
possible to implement this attack: land.c. Computers running Windows 95 and NT are desired targets of this kind of attack.<br />
===Smurf===<br />
Smurf is a simple effective DoS attack involving forged ICMP packets sent to a broadcast <br />
address. Attackers spoof the source address on ICMP echo requests and sending them to an IP <br />
broadcast address. This causes every machine on the broadcast network to receive the reply <br />
and respond back to the source address that was forged by the attacker. This attack results <br />
in DoS due to high network traffic which not only hurts the victim but the broadcast <br />
network also.<br />
There is a similar tool called Fraggle which uses UDP packets instead.<br />
===SYN Flood<sup>[1]</sup>===<br />
With a series of SYN packets, the attacker can drain the victim resources which leads to <br />
rejecting legitimate requests.<br />
System A sends a SYN packet to system B asking to establish a connection via three-way <br />
handshake. However the source address of the packet is spoofed thus misleads system B to <br />
switch to SYN_RECV state and send an SYN/ACK packet to the [http://en.wikipedia.org/wiki/IP_address_spoofing spoofed address]. These <br />
connections are called half-open connections. The source address does not exist and system <br />
B can only flush the potential connection once the connection-establishment timer expires. <br />
This timer varies from system to system ranging from seconds to minutes. This type of <br />
attack is very dangerous because with little resources (e.g. bandwidth), the attacker can <br />
take down an industrial strength web server. Moreover, this is a stealth attack since <br />
everything (e.g. the packet) look so normal. Today, SYN flood is the primary capacity <br />
depletion mechanism for denial of service attacks.<br />
===Targa===<br />
Targa, written by a German hacker known as Mixter, is a free software packet available on the Internet. It can run 8 different DoS attacks using some of the tools listed above. The attacker can try individual attack or try all attacks until it is successful. The attacker must be logged in with root permissions; since most of the attacks, use IP spoofing that requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Target platforms can be any operating system but the attacks do not have an impact on all operating systems.<br />
<br />
The attacks that can be done with the Targa kit:<br />
<br />
* Jolt by Jeff W. Roberson<br />
* Land by m3lt<br />
* Winnuke by _eci<br />
* Nestea by humble and ttol<br />
* Syndrop by PineKoan<br />
* Teardrop by route|daemon9<br />
* Bonk by route|daemon9 and klepto<br />
* NewTear by route|daemon9 (a variation of Teardrop)<br />
<br />
For further information about these tools, please refer to the references below.<br />
<br />
==Prevention==<br />
[[Image:Network_security.jpg|thumb|right|400px|Network security]]<br />
You could do the following things to minimize the DoS attack:<br />
<br />
* Effective robust design<br />
* Bandwidth limitations<br />
* Keep systems patched<br />
* Run the least amount of services<br />
* Allow only necessary traffic<br />
* Block IP addresses<br />
<br />
Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a Dos attack entirely.<br />
<br />
==Conclusion==<br />
<br />
DoS attacks can happen to anyone with devastating damage. A good network design will help mitigating DoS attacks. It is essential to have filtering capability based on packet header and content within the network or at the critical gateways in order to filter malicious traffic as a response to such attacks while waiting for a permanent solution. It is important to have the relevant referrals in the policy and legislation to address the issue of DoS and DDoS to ensure an effective cooperation between service providers and law enforcement agencies.<br />
<br />
==References==<br />
* [1] Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed—Network Security Secrets & Solutions, Fifth Edition,McGraw-Hill/Osborne, ISBN:9780072260816<br />
* [2]International Council of Electronic Commerce Consultants, Ethical Hacking and Countermeasures [EC-Council Exam 312-50]—Student Courseware,ISBN No 0972936211<br />
* [3] Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, Print ISBN: 0-13-147573-8<br />
<br />
==See also==<br />
* [[Cell BE - A Network on a Chip]]<BR><br />
* [[Digital Enhanced Cordless Telecommunications (DECT)]]<BR><br />
* [[Internet Control Message Protocol]]<BR><br />
* [[Denial Of Service Attacks]]<BR><br />
* [[Wi-Fi]]<BR><br />
* [[Cryptography in Information Security]]<BR><br />
* [[Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)]]<BR><br />
* [[Bluetooth]]<BR><br />
* [[The practicality of IPv6]]<BR><br />
* [[Dynamic Host Configuration Protocol (DHCP)]]<BR><br />
* [[Social Network Service ]]<BR><br />
* [[Keystroke Logging: Are You Next]]<BR><br />
* [[Network Latency]]<BR><br />
* [[Onion Routing]]<BR><br />
<br />
* [[Radio Frequency Identification (RFID)]]<BR><br />
* [[3G Communications]]<BR><br />
* [[Security in Smartphones]]<BR><br />
* [[Credit Card Chip Security and Technology]]<BR><br />
* [[Address Resolution Protocol (ARP)]]<BR><br />
* [[How to Connect to the Internet via an ISP]]<BR><br />
* [[CAPTCHA]]<BR><br />
* [[Security for Small Home Networks]]<BR><br />
* [[Rootkits]]<BR><br />
* [[Proxy Server]]<BR><br />
* [[Network Firewall]]<BR><br />
* [[Steganography and Digital Watermarking]]<BR><br />
* [[Malware]]<BR><br />
* [[Peer-to-Peer Network Security]]<BR><br />
* [[High-Speed Downlink Packet Access (HSDPA)]]<BR><br />
* [[Man in the Middle Attack]]<BR><br />
* [[Network Attached Storage]]<BR><br />
* [[RSA Encryption Algorithm]]<BR><br />
* [[Corporate Security and IT Policies]]<BR><br />
* [[Ethical Hacking]]<BR><br />
* [[Extensible Messaging and Presence Protocol (XMPP)]]<BR><br />
* [[Cloud Computing]]<BR><br />
* [[Ethernet Routing Devices]]<BR><br />
* [[Personal Data Protection and Privacy]]<BR><br />
* [[Public Key Authentication]]<BR><br />
* [[AJAX Security]]<BR><br />
* [[Network Topology]]<BR><br />
* [[IP Spoofing]]<BR><br />
* [[WLAN Standard 802.11n]]<BR><br />
* [[Domain Name System]]<BR><br />
* [[Web 2.0]]<BR><br />
* [[Local Area Network]]<BR><br />
* [[Bots & Botnets]]<BR><br />
* [[Trivial File Transfer Protocol]]<BR><br />
* [[Load Balancing for Network Servers]]<BR><br />
* [[Simple Mail Transfer Protocol (SMTP)]]<BR><br />
* [[Email Security]]<BR><br />
* [[Data Encryption for Storage Devices]]<BR><br />
* [[Statistics of Internet Threats]]<BR><br />
* [[VoIP]]<BR><br />
* [[Deep Packet Inspection]]<BR><br />
* [[Fingerprint Authentication]]<BR><br />
* [[Multicasting]]<BR><br />
* [[MD5 Rainbow Tables]]<BR><br />
* [[The Interplanetary Internet]]<BR><br />
==External links==<br />
* [http://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-service Attacks]<BR><br />
* [http://en.wikipedia.org/wiki/Network_security Network security]<br><br />
* [http://www.hackforums.net Hacker Forums]<BR><br />
* [http://lib.tkk.fi/Diss/2006/isbn9512282151/article1.pdf Mitigating denial of service attacks: A tutorial]<BR><br />
* [http://homepages.cs.ncl.ac.uk/jeff.yan/sec2002.pdf Denial of Service: Another Example]<BR><br />
* [http://e-articles.info/e/a/title/Wireless-Attacks-~-Jamming-(Denial-of-Service)/ Wireless Attacks ~ Jamming (Denial of Service)]<BR><br />
* [http://kondor.etf.bg.ac.yu/~vm/tutorial/ssgrr2001/denial.ppt Denial of Service Attacks: Methods, Tools, and Defenses]<br />
<br />
--[[User:Luongqt|Luongqt]] 23:51, 12 April 2009 (EDT)</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/Tools_for_conducting_denial-of-service_attacksTools for conducting denial-of-service attacks2009-04-13T03:45:37Z<p>Luongqt: </p>
<hr />
<div>[[Image:Bot_attack.jpg|thumb|right|400px|Attack of the bots. Too late for something too big.]]<br />
In the world of computer [http://en.wikipedia.org/wiki/Network_security network security], denial-of-service attack is a sneaky and furious monster. It is calm and quite. But when it attacks you, your system will be defeated within minutes (sometimes seconds). What is it? Where does it come from? What can it do? How can you conduct it? Conduct with what? Software or hardware?<br />
<br />
Nowadays there are tools available on the [http://en.wikipedia.org/wiki/Internet Internet] that allow attackers to conduct denial-of-service attacks to any vulnerable servers. They are created by [http://en.wikipedia.org/wiki/Black_hat_hacker black hat hackers] for different reasons varying from personal, political reasons to nastiness. Damages from a DoS attack are usually devastating to businesses such as search engines, email providers, banks, e-commerce sites that rely heavily on availability.<br />
<br />
On the other hand, although details of denial-of-service attacks are well-known and studied, it is quite difficult to protect any systems from it due to the very nature of the attacks. Scanning tools and other intrusion detection systems can be used to detect attacks or find vulnerable spots which can lead to an DoS attack.<br />
<br />
<br />
==Definition<sup>[3]</sup>==<br />
[[Image:Dosgeek.jpg|thumb|right|400px|DoS in comic]]<br />
Denial-of-service (DoS) attack is an attempt to violate the availability condition of <br />
network security. Its sole purpose is to shut a computer system down or drain all its <br />
available resources, which prevents it to serve legitimate users. As computer becomes more <br />
and more popular, DoS attack evolves to Distributed DoS (DDoS) attack which amplifies the <br />
damage from thousand to million times.<br />
The most common technique for conducting DoS attacks is to "flood" the target with <br />
information/data. Others aim for the victim's Achilles' heel that cause it to crash.<br />
===Fact===<br />
[[Image:CnnDoS.PNG|thumb|right|400px|DoS reported on CNN]]<br />
[[Image:NewDoSTool.PNG|thumb|right|400px|Trinity]]<br />
* On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, [http://en.wikipedia.org/wiki/Ebay eBay (EBAY)], Amazon.com (AMZN), and [http://en.wikipedia.org/wiki/Cnn CNN] (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off. As a result, Yahoo, which relies on advertising for much of its revenue, lost potentially an estimated $500,000 because its users were unable to access Yahoo's Web pages and the advertisements they carried. (Business Week Online, 12 February 2000)<br />
<br />
* The [http://en.wikipedia.org/wiki/Fbi FBI]'s Web site was taken out of service for three hours on 18 February, 2000 by a DDoS attack. (CNN)<br />
<br />
* In October 2002, an attacker tried to performed a DDoS attack on the complete set of DNS root servers which have 13 servers of replicated DNS data in total. By a simple form of DDoS attack, he successfully took down 9 of them. The other 4 remained fully functional. The attack lasted only one hour. A longer and stronger attack might have been extremely harmful.<br />
<br />
* During the [http://en.wikipedia.org/wiki/Iraq_war Iraq War] in 2003, a DDoS attack was launched on the Qatar-based Al-Jazeera news organization, which broadcast pictures of captured American soldiers. Al-Jazeera attempted to out-provision the attackers by purchasing more bandwidth, but they merely ratcheted up the attack. The Web site was largely unreachable for two days, following which someone hijacked their DNS name, redirecting requests to another Web site that promoted the American cause.<br />
==Types of attack==<br />
There are basically three types of DoS attack:<br />
# Bandwidth attacks: straight forward, comsume resources.<br />
# Protocol attacks: take advantage of expected behavior of protocols such as [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP], [http://en.wikipedia.org/wiki/User_Datagram_Protocol UDP] and [http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
# Software vulnerability attacks: exploit vulnerabilities in network software, such as a web server, or the underlying TCP/IP stack.<br />
There are many tools for each type such as:<br />
* Sending oversized packets (protocol)<br />
* fragmentation overlap (protocol)<br />
* loopback floods (protocol)<br />
* Application DoS (software)<br />
* UDP floods (protocol)<br />
* [http://en.wikipedia.org/wiki/SYN_(TCP) SYN] floods (bandwidth)<br />
==Tools for conducting DoS attacks<sup>[2]</sup>==<br />
===SSPing===<br />
[[Image:SmurfAttack.gif|thumb|right|300px|Smurf]]<br />
[[Image:SYN_flood.jpg|thumb|right|300px|SYN Flood]]<br />
[[Image:Mixter.jpg|thumb|right|300px|The creator of Targa]]<br />
<br />
SSPing, a DoS tool, is a program sends the victim's computer a series of highly fragmented, <br />
over-sized ICMP data packets. While trying to put the fragments together, the computer can <br />
get into a memory overflow which causes the machine to freeze. With a few packets, the <br />
attacker can lock the victim's computer instantaneously. The identity of the attacker is <br />
unknown since the connection is lost as the victim restarts the computer. SSPing affects <br />
[http://en.wikipedia.org/wiki/Windows_95 Windows 95]/[http://en.wikipedia.org/wiki/Windows_NT NT] and [http://en.wikipedia.org/wiki/Mac_os Mac OS].<br />
Jolt is a program known for this kind of attack. It will freeze unpatched Windows 95, NT <br />
machines by sending a series of spoofed & highly fragmented ICMP packets to the target, <br />
which then tries to reassemble the received fragments.<br />
===Land Exploit===<br />
Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and <br />
source addresses are the same and port numbers are the same. Receiving such packet causes <br />
some TCP implementations to crash the target system or exhaust all CPU resources. The name <br />
of the attack comes from the first distributed source code (called "exploit") that made it <br />
possible to implement this attack: land.c. Computers running Windows 95 and NT are desired targets of this kind of attack.<br />
===Smurf===<br />
Smurf is a simple effective DoS attack involving forged ICMP packets sent to a broadcast <br />
address. Attackers spoof the source address on ICMP echo requests and sending them to an IP <br />
broadcast address. This causes every machine on the broadcast network to receive the reply <br />
and respond back to the source address that was forged by the attacker. This attack results <br />
in DoS due to high network traffic which not only hurts the victim but the broadcast <br />
network also.<br />
There is a similar tool called Fraggle which uses UDP packets instead.<br />
===SYN Flood<sup>[1]</sup>===<br />
With a series of SYN packets, the attacker can drain the victim resources which leads to <br />
rejecting legitimate requests.<br />
System A sends a SYN packet to system B asking to establish a connection via three-way <br />
handshake. However the source address of the packet is spoofed thus misleads system B to <br />
switch to SYN_RECV state and send an SYN/ACK packet to the [http://en.wikipedia.org/wiki/IP_address_spoofing spoofed address]. These <br />
connections are called half-open connections. The source address does not exist and system <br />
B can only flush the potential connection once the connection-establishment timer expires. <br />
This timer varies from system to system ranging from seconds to minutes. This type of <br />
attack is very dangerous because with little resources (e.g. bandwidth), the attacker can <br />
take down an industrial strength web server. Moreover, this is a stealth attack since <br />
everything (e.g. the packet) look so normal. Today, SYN flood is the primary capacity <br />
depletion mechanism for denial of service attacks.<br />
===Targa===<br />
Targa, written by a German hacker known as Mixter, is a free software packet available on the Internet. It can run 8 different DoS attacks using some of the tools listed above. The attacker can try individual attack or try all attacks until it is successful. The attacker must be logged in with root permissions; since most of the attacks, use IP spoofing that requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Target platforms can be any operating system but the attacks do not have an impact on all operating systems.<br />
<br />
The attacks that can be done with the Targa kit:<br />
<br />
* Jolt by Jeff W. Roberson<br />
* Land by m3lt<br />
* Winnuke by _eci<br />
* Nestea by humble and ttol<br />
* Syndrop by PineKoan<br />
* Teardrop by route|daemon9<br />
* Bonk by route|daemon9 and klepto<br />
* NewTear by route|daemon9 (a variation of Teardrop)<br />
<br />
For further information about these tools, please refer to the references below.<br />
<br />
==Prevention==<br />
[[Image:Network_security.jpg|thumb|right|400px|Network security]]<br />
You could do the following things to minimize the DoS attack:<br />
<br />
* Effective robust design<br />
* Bandwidth limitations<br />
* Keep systems patched<br />
* Run the least amount of services<br />
* Allow only necessary traffic<br />
* Block IP addresses<br />
<br />
Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a Dos attack entirely.<br />
<br />
==Conclusion==<br />
<br />
DoS attacks can happen to anyone with devastating damage. A good network design will help mitigating DoS attacks. It is essential to have filtering capability based on packet header and content within the network or at the critical gateways in order to filter malicious traffic as a response to such attacks while waiting for a permanent solution. It is important to have the relevant referrals in the policy and legislation to address the issue of DoS and DDoS to ensure an effective cooperation between service providers and law enforcement agencies.<br />
<br />
==References==<br />
* [1] Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed—Network Security Secrets & Solutions, Fifth Edition,McGraw-Hill/Osborne, ISBN:9780072260816<br />
* [2]International Council of Electronic Commerce Consultants, Ethical Hacking and Countermeasures [EC-Council Exam 312-50]—Student Courseware,ISBN No 0972936211<br />
* [3] Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, Print ISBN: 0-13-147573-8<br />
<br />
==See also==<br />
* [[Cell BE - A Network on a Chip]]<BR><br />
* [[Digital Enhanced Cordless Telecommunications (DECT)]]<BR><br />
* [[Internet Control Message Protocol]]<BR><br />
* [[Denial Of Service Attacks]]<BR><br />
* [[Wi-Fi]]<BR><br />
* [[Cryptography in Information Security]]<BR><br />
* [[Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)]]<BR><br />
* [[Bluetooth]]<BR><br />
* [[The practicality of IPv6]]<BR><br />
* [[Dynamic Host Configuration Protocol (DHCP)]]<BR><br />
* [[Social Network Service ]]<BR><br />
* [[Keystroke Logging: Are You Next]]<BR><br />
* [[Network Latency]]<BR><br />
* [[Onion Routing]]<BR><br />
<br />
* [[Radio Frequency Identification (RFID)]]<BR><br />
* [[3G Communications]]<BR><br />
* [[Security in Smartphones]]<BR><br />
* [[Credit Card Chip Security and Technology]]<BR><br />
* [[Address Resolution Protocol (ARP)]]<BR><br />
* [[How to Connect to the Internet via an ISP]]<BR><br />
* [[CAPTCHA]]<BR><br />
* [[Security for Small Home Networks]]<BR><br />
* [[Rootkits]]<BR><br />
* [[Proxy Server]]<BR><br />
* [[Network Firewall]]<BR><br />
* [[Steganography and Digital Watermarking]]<BR><br />
* [[Malware]]<BR><br />
* [[Peer-to-Peer Network Security]]<BR><br />
* [[High-Speed Downlink Packet Access (HSDPA)]]<BR><br />
* [[Man in the Middle Attack]]<BR><br />
* [[Network Attached Storage]]<BR><br />
* [[RSA Encryption Algorithm]]<BR><br />
* [[Corporate Security and IT Policies]]<BR><br />
* [[Ethical Hacking]]<BR><br />
* [[Extensible Messaging and Presence Protocol (XMPP)]]<BR><br />
* [[Cloud Computing]]<BR><br />
* [[Ethernet Routing Devices]]<BR><br />
* [[Personal Data Protection and Privacy]]<BR><br />
* [[Public Key Authentication]]<BR><br />
* [[AJAX Security]]<BR><br />
* [[Network Topology]]<BR><br />
* [[IP Spoofing]]<BR><br />
* [[WLAN Standard 802.11n]]<BR><br />
* [[Domain Name System]]<BR><br />
* [[Web 2.0]]<BR><br />
* [[Local Area Network]]<BR><br />
* [[Bots & Botnets]]<BR><br />
* [[Trivial File Transfer Protocol]]<BR><br />
* [[Load Balancing for Network Servers]]<BR><br />
* [[Simple Mail Transfer Protocol (SMTP)]]<BR><br />
* [[Email Security]]<BR><br />
* [[Data Encryption for Storage Devices]]<BR><br />
* [[Statistics of Internet Threats]]<BR><br />
* [[VoIP]]<BR><br />
* [[Deep Packet Inspection]]<BR><br />
* [[Fingerprint Authentication]]<BR><br />
* [[Multicasting]]<BR><br />
* [[MD5 Rainbow Tables]]<BR><br />
* [[The Interplanetary Internet]]<BR><br />
==External links==<br />
* [http://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-service Attacks]<BR><br />
* [http://en.wikipedia.org/wiki/Network_security Network security]<br><br />
* [http://www.hackforums.net Hacker Forums]<BR><br />
* [http://lib.tkk.fi/Diss/2006/isbn9512282151/article1.pdf Mitigating denial of service attacks: A tutorial]<BR><br />
<br />
--[[User:Luongqt|Luongqt]] 23:45, 12 April 2009 (EDT)</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/Tools_for_conducting_denial-of-service_attacksTools for conducting denial-of-service attacks2009-04-10T19:12:41Z<p>Luongqt: </p>
<hr />
<div>[[Image:Bot_attack.jpg|thumb|right|400px|Attack of the bots. Too late for something too big.]]<br />
In the world of computer [http://en.wikipedia.org/wiki/Network_security network security], denial-of-service attack is a sneaky and furious monster. It is calm and quite. But when it attacks you, your system will be defeated within minutes (sometimes seconds). What is it? Where does it come from? What can it do? How can you conduct it? Conduct with what? Software or hardware?<br />
<br />
Nowadays there are tools available on the [http://en.wikipedia.org/wiki/Internet Internet] that allow attackers to conduct denial-of-service attacks to any vulnerable servers. They are created by [http://en.wikipedia.org/wiki/Black_hat_hacker black hat hackers] for different reasons varying from personal, political reasons to nastiness. Damages from a DoS attack are usually devastating to businesses such as search engines, email providers, banks, e-commerce sites that rely heavily on availability.<br />
<br />
On the other hand, although details of denial-of-service attacks are well-known and studied, it is quite difficult to protect any systems from it due to the very nature of the attacks. Scanning tools and other intrusion detection systems can be used to detect attacks or find vulnerable spots which can lead to an DoS attack.<br />
<br />
<br />
==Definition==<br />
[[Image:Dosgeek.jpg|thumb|right|400px|DoS in comic]]<br />
Denial-of-service (DoS) attack is an attempt to violate the availability condition of <br />
network security. Its sole purpose is to shut a computer system down or drain all its <br />
available resources, which prevents it to serve legitimate users. As computer becomes more <br />
and more popular, DoS attack evolves to Distributed DoS (DDoS) attack which amplifies the <br />
damage from thousand to million times.<br />
The most common technique for conducting DoS attacks is to "flood" the target with <br />
information/data. Others aim for the victim's Achilles' heel that cause it to crash.<br />
===Fact===<br />
[[Image:CnnDoS.PNG|thumb|right|400px|DoS reported on CNN]]<br />
[[Image:NewDoSTool.PNG|thumb|right|400px|Trinity]]<br />
* On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, [http://en.wikipedia.org/wiki/Ebay eBay (EBAY)], Amazon.com (AMZN), and [http://en.wikipedia.org/wiki/Cnn CNN] (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off. As a result, Yahoo, which relies on advertising for much of its revenue, lost potentially an estimated $500,000 because its users were unable to access Yahoo's Web pages and the advertisements they carried. (Business Week Online, 12 February 2000)<br />
<br />
* The [http://en.wikipedia.org/wiki/Fbi FBI]'s Web site was taken out of service for three hours on 18 February, 2000 by a DDoS attack. (CNN)<br />
<br />
* In October 2002, an attacker tried to performed a DDoS attack on the complete set of DNS root servers which have 13 servers of replicated DNS data in total. By a simple form of DDoS attack, he successfully took down 9 of them. The other 4 remained fully functional. The attack lasted only one hour. A longer and stronger attack might have been extremely harmful.<br />
<br />
* During the [http://en.wikipedia.org/wiki/Iraq_war Iraq War] in 2003, a DDoS attack was launched on the Qatar-based Al-Jazeera news organization, which broadcast pictures of captured American soldiers. Al-Jazeera attempted to out-provision the attackers by purchasing more bandwidth, but they merely ratcheted up the attack. The Web site was largely unreachable for two days, following which someone hijacked their DNS name, redirecting requests to another Web site that promoted the American cause.<br />
==Types of attack==<br />
There are basically three types of DoS attack:<br />
# Bandwidth attacks: straight forward, comsume resources.<br />
# Protocol attacks: take advantage of expected behavior of protocols such as [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP], [http://en.wikipedia.org/wiki/User_Datagram_Protocol UDP] and [http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
# Software vulnerability attacks: exploit vulnerabilities in network software, such as a web server, or the underlying TCP/IP stack.<br />
There are many tools for each type such as:<br />
* Sending oversized packets (protocol)<br />
* fragmentation overlap (protocol)<br />
* loopback floods (protocol)<br />
* Application DoS (software)<br />
* UDP floods (protocol)<br />
* [http://en.wikipedia.org/wiki/SYN_(TCP) SYN] floods (bandwidth)<br />
==Tools for conducting DoS attacks==<br />
===SSPing===<br />
[[Image:SmurfAttack.gif|thumb|right|300px|Smurf]]<br />
[[Image:SYN_flood.jpg|thumb|right|300px|SYN Flood]]<br />
[[Image:Mixter.jpg|thumb|right|300px|The creator of Targa]]<br />
<br />
SSPing, a DoS tool, is a program sends the victim's computer a series of highly fragmented, <br />
over-sized ICMP data packets. While trying to put the fragments together, the computer can <br />
get into a memory overflow which causes the machine to freeze. With a few packets, the <br />
attacker can lock the victim's computer instantaneously. The identity of the attacker is <br />
unknown since the connection is lost as the victim restarts the computer. SSPing affects <br />
[http://en.wikipedia.org/wiki/Windows_95 Windows 95]/[http://en.wikipedia.org/wiki/Windows_NT NT] and [http://en.wikipedia.org/wiki/Mac_os Mac OS].<br />
Jolt is a program known for this kind of attack. It will freeze unpatched Windows 95, NT <br />
machines by sending a series of spoofed & highly fragmented ICMP packets to the target, <br />
which then tries to reassemble the received fragments.<br />
===Land Exploit===<br />
Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and <br />
source addresses are the same and port numbers are the same. Receiving such packet causes <br />
some TCP implementations to crash the target system or exhaust all CPU resources. The name <br />
of the attack comes from the first distributed source code (called "exploit") that made it <br />
possible to implement this attack: land.c. Computers running Windows 95 and NT are desired targets of this kind of attack.<br />
===Smurf===<br />
Smurf is a simple effective DoS attack involving forged ICMP packets sent to a broadcast <br />
address. Attackers spoof the source address on ICMP echo requests and sending them to an IP <br />
broadcast address. This causes every machine on the broadcast network to receive the reply <br />
and respond back to the source address that was forged by the attacker. This attack results <br />
in DoS due to high network traffic which not only hurts the victim but the broadcast <br />
network also.<br />
There is a similar tool called Fraggle which uses UDP packets instead.<br />
===SYN Flood===<br />
With a series of SYN packets, the attacker can drain the victim resources which leads to <br />
rejecting legitimate requests.<br />
System A sends a SYN packet to system B asking to establish a connection via three-way <br />
handshake. However the source address of the packet is spoofed thus misleads system B to <br />
switch to SYN_RECV state and send an SYN/ACK packet to the [http://en.wikipedia.org/wiki/IP_address_spoofing spoofed address]. These <br />
connections are called half-open connections. The source address does not exist and system <br />
B can only flush the potential connection once the connection-establishment timer expires. <br />
This timer varies from system to system ranging from seconds to minutes. This type of <br />
attack is very dangerous because with little resources (e.g. bandwidth), the attacker can <br />
take down an industrial strength web server. Moreover, this is a stealth attack since <br />
everything (e.g. the packet) look so normal. Today, SYN flood is the primary capacity <br />
depletion mechanism for denial of service attacks.<br />
===Targa===<br />
Targa, written by a German hacker known as Mixter, is a free software packet available on the Internet. It can run 8 different DoS attacks using some of the tools listed above. The attacker can try individual attack or try all attacks until it is successful. The attacker must be logged in with root permissions; since most of the attacks, use IP spoofing that requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Target platforms can be any operating system but the attacks do not have an impact on all operating systems.<br />
<br />
The attacks that can be done with the Targa kit:<br />
<br />
* Jolt by Jeff W. Roberson<br />
* Land by m3lt<br />
* Winnuke by _eci<br />
* Nestea by humble and ttol<br />
* Syndrop by PineKoan<br />
* Teardrop by route|daemon9<br />
* Bonk by route|daemon9 and klepto<br />
* NewTear by route|daemon9 (a variation of Teardrop)<br />
<br />
For further information about these tools, please refer to the references below.<br />
<br />
==Prevention==<br />
[[Image:Network_security.jpg|thumb|right|400px|Network security]]<br />
You could do the following things to minimize the DoS attack:<br />
<br />
* Effective robust design<br />
* Bandwidth limitations<br />
* Keep systems patched<br />
* Run the least amount of services<br />
* Allow only necessary traffic<br />
* Block IP addresses<br />
<br />
Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a Dos attack entirely.<br />
<br />
==Conclusion==<br />
<br />
DoS attacks can happen to anyone with devastating damage. A good network design will help mitigating DoS attacks. It is essential to have filtering capability based on packet header and content within the network or at the critical gateways in order to filter malicious traffic as a response to such attacks while waiting for a permanent solution. It is important to have the relevant referrals in the policy and legislation to address the issue of DoS and DDoS to ensure an effective cooperation between service providers and law enforcement agencies.<br />
<br />
==References==<br />
* Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed—Network Security Secrets & Solutions, Fifth Edition,McGraw-Hill/Osborne, ISBN:9780072260816<br />
* International Council of Electronic Commerce Consultants, Ethical Hacking and Countermeasures [EC-Council Exam 312-50]—Student Courseware,ISBN No 0972936211<br />
* Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, Print ISBN: 0-13-147573-8<br />
<br />
==See also==<br />
* [[Cell BE - A Network on a Chip]]<BR><br />
* [[Digital Enhanced Cordless Telecommunications (DECT)]]<BR><br />
* [[Internet Control Message Protocol]]<BR><br />
* [[Denial Of Service Attacks]]<BR><br />
* [[Wi-Fi]]<BR><br />
* [[Cryptography in Information Security]]<BR><br />
* [[Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)]]<BR><br />
* [[Bluetooth]]<BR><br />
* [[The practicality of IPv6]]<BR><br />
* [[Dynamic Host Configuration Protocol (DHCP)]]<BR><br />
* [[Social Network Service ]]<BR><br />
* [[Keystroke Logging: Are You Next]]<BR><br />
* [[Network Latency]]<BR><br />
* [[Onion Routing]]<BR><br />
<br />
* [[Radio Frequency Identification (RFID)]]<BR><br />
* [[3G Communications]]<BR><br />
* [[Security in Smartphones]]<BR><br />
* [[Credit Card Chip Security and Technology]]<BR><br />
* [[Address Resolution Protocol (ARP)]]<BR><br />
* [[How to Connect to the Internet via an ISP]]<BR><br />
* [[CAPTCHA]]<BR><br />
* [[Security for Small Home Networks]]<BR><br />
* [[Rootkits]]<BR><br />
* [[Proxy Server]]<BR><br />
* [[Network Firewall]]<BR><br />
* [[Steganography and Digital Watermarking]]<BR><br />
* [[Malware]]<BR><br />
* [[Peer-to-Peer Network Security]]<BR><br />
* [[High-Speed Downlink Packet Access (HSDPA)]]<BR><br />
* [[Man in the Middle Attack]]<BR><br />
* [[Network Attached Storage]]<BR><br />
* [[RSA Encryption Algorithm]]<BR><br />
* [[Corporate Security and IT Policies]]<BR><br />
* [[Ethical Hacking]]<BR><br />
* [[Extensible Messaging and Presence Protocol (XMPP)]]<BR><br />
* [[Cloud Computing]]<BR><br />
* [[Ethernet Routing Devices]]<BR><br />
* [[Personal Data Protection and Privacy]]<BR><br />
* [[Public Key Authentication]]<BR><br />
* [[AJAX Security]]<BR><br />
* [[Network Topology]]<BR><br />
* [[IP Spoofing]]<BR><br />
* [[WLAN Standard 802.11n]]<BR><br />
* [[Domain Name System]]<BR><br />
* [[Web 2.0]]<BR><br />
* [[Local Area Network]]<BR><br />
* [[Bots & Botnets]]<BR><br />
* [[Trivial File Transfer Protocol]]<BR><br />
* [[Load Balancing for Network Servers]]<BR><br />
* [[Simple Mail Transfer Protocol (SMTP)]]<BR><br />
* [[Email Security]]<BR><br />
* [[Data Encryption for Storage Devices]]<BR><br />
* [[Statistics of Internet Threats]]<BR><br />
* [[VoIP]]<BR><br />
* [[Deep Packet Inspection]]<BR><br />
* [[Fingerprint Authentication]]<BR><br />
* [[Multicasting]]<BR><br />
* [[MD5 Rainbow Tables]]<BR><br />
* [[The Interplanetary Internet]]<BR><br />
==External links==<br />
* [http://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-service Attacks]<BR><br />
* [http://en.wikipedia.org/wiki/Network_security Network security]<br><br />
* [http://www.hackforums.net Hacker Forums]<BR><br />
--[[User:Luongqt|Luongqt]] 15:12, 10 April 2009 (EDT)</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/Tools_for_conducting_denial-of-service_attacksTools for conducting denial-of-service attacks2009-04-10T19:12:22Z<p>Luongqt: </p>
<hr />
<div>[[Image:Bot_attack.jpg|thumb|right|400px|Attack of the bots. Too late for something too big.]]<br />
In the world of computer [http://en.wikipedia.org/wiki/Network_security network security], denial-of-service attack is a sneaky and furious monster. It is calm and quite. But when it attacks you, your system will be defeated within minutes (sometimes seconds). What is it? Where does it come from? What can it do? How can you conduct it? Conduct with what? Software or hardware?<br />
<br />
Nowadays there are tools available on the [http://en.wikipedia.org/wiki/Internet Internet] that allow attackers to conduct denial-of-service attacks to any vulnerable servers. They are created by [http://en.wikipedia.org/wiki/Black_hat_hacker black hat hackers] for different reasons varying from personal, political reasons to nastiness. Damages from a DoS attack are usually devastating to businesses such as search engines, email providers, banks, e-commerce sites that rely heavily on availability.<br />
<br />
On the other hand, although details of denial-of-service attacks are well-known and studied, it is quite difficult to protect any systems from it due to the very nature of the attacks. Scanning tools and other intrusion detection systems can be used to detect attacks or find vulnerable spots which can lead to an DoS attack.<br />
<br />
<br />
==Definition==<br />
[[Image:Dosgeek.jpg|thumb|right|400px|DoS in comic]]<br />
Denial-of-service (DoS) attack is an attempt to violate the availability condition of <br />
network security. Its sole purpose is to shut a computer system down or drain all its <br />
available resources, which prevents it to serve legitimate users. As computer becomes more <br />
and more popular, DoS attack evolves to Distributed DoS (DDoS) attack which amplifies the <br />
damage from thousand to million times.<br />
The most common technique for conducting DoS attacks is to "flood" the target with <br />
information/data. Others aim for the victim's Achilles' heel that cause it to crash.<br />
===Fact===<br />
[[Image:CnnDoS.PNG|thumb|right|400px|DoS reported on CNN]]<br />
[[Image:NewDoSTool.PNG|thumb|right|400px|Trinity]]<br />
* On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, [http://en.wikipedia.org/wiki/Ebay eBay (EBAY)], Amazon.com (AMZN), and [http://en.wikipedia.org/wiki/Cnn CNN] (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off. As a result, Yahoo, which relies on advertising for much of its revenue, lost potentially an estimated $500,000 because its users were unable to access Yahoo's Web pages and the advertisements they carried. (Business Week Online, 12 February 2000)<br />
<br />
* The [http://en.wikipedia.org/wiki/Fbi FBI]'s Web site was taken out of service for three hours on 18 February, 2000 by a DDoS attack. (CNN)<br />
<br />
* In October 2002, an attacker tried to performed a DDoS attack on the complete set of DNS root servers which have 13 servers of replicated DNS data in total. By a simple form of DDoS attack, he successfully took down 9 of them. The other 4 remained fully functional. The attack lasted only one hour. A longer and stronger attack might have been extremely harmful.<br />
<br />
* During the [http://en.wikipedia.org/wiki/Iraq_war Iraq War] in 2003, a DDoS attack was launched on the Qatar-based Al-Jazeera news organization, which broadcast pictures of captured American soldiers. Al-Jazeera attempted to out-provision the attackers by purchasing more bandwidth, but they merely ratcheted up the attack. The Web site was largely unreachable for two days, following which someone hijacked their DNS name, redirecting requests to another Web site that promoted the American cause.<br />
==Types of attack==<br />
There are basically three types of DoS attack:<br />
# Bandwidth attacks: straight forward, comsume resources.<br />
# Protocol attacks: take advantage of expected behavior of protocols such as [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP], [http://en.wikipedia.org/wiki/User_Datagram_Protocol UDP] and [http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
# Software vulnerability attacks: exploit vulnerabilities in network software, such as a web server, or the underlying TCP/IP stack.<br />
There are many tools for each type such as:<br />
* Sending oversized packets (protocol)<br />
* fragmentation overlap (protocol)<br />
* loopback floods (protocol)<br />
* Application DoS (software)<br />
* UDP floods (protocol)<br />
* [http://en.wikipedia.org/wiki/SYN_(TCP) SYN] floods (bandwidth)<br />
==Tools for conducting DoS attacks==<br />
===SSPing===<br />
[[Image:SmurfAttack.gif|thumb|right|300px|Smurf]]<br />
[[Image:SYN_flood.jpg|thumb|right|300px|SYN Flood]]<br />
[[Image:Mixter.jpg|thumb|right|300px|The creator of Targa]]<br />
<br />
SSPing, a DoS tool, is a program sends the victim's computer a series of highly fragmented, <br />
over-sized ICMP data packets. While trying to put the fragments together, the computer can <br />
get into a memory overflow which causes the machine to freeze. With a few packets, the <br />
attacker can lock the victim's computer instantaneously. The identity of the attacker is <br />
unknown since the connection is lost as the victim restarts the computer. SSPing affects <br />
[http://en.wikipedia.org/wiki/Windows_95 Windows 95]/[http://en.wikipedia.org/wiki/Windows_NT NT] and [http://en.wikipedia.org/wiki/Mac_os Mac OS].<br />
Jolt is a program known for this kind of attack. It will freeze unpatched Windows 95, NT <br />
machines by sending a series of spoofed & highly fragmented ICMP packets to the target, <br />
which then tries to reassemble the received fragments.<br />
===Land Exploit===<br />
Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and <br />
source addresses are the same and port numbers are the same. Receiving such packet causes <br />
some TCP implementations to crash the target system or exhaust all CPU resources. The name <br />
of the attack comes from the first distributed source code (called "exploit") that made it <br />
possible to implement this attack: land.c. Computers running Windows 95 and NT are desired targets of this kind of attack.<br />
===Smurf===<br />
Smurf is a simple effective DoS attack involving forged ICMP packets sent to a broadcast <br />
address. Attackers spoof the source address on ICMP echo requests and sending them to an IP <br />
broadcast address. This causes every machine on the broadcast network to receive the reply <br />
and respond back to the source address that was forged by the attacker. This attack results <br />
in DoS due to high network traffic which not only hurts the victim but the broadcast <br />
network also.<br />
There is a similar tool called Fraggle which uses UDP packets instead.<br />
===SYN Flood===<br />
With a series of SYN packets, the attacker can drain the victim resources which leads to <br />
rejecting legitimate requests.<br />
System A sends a SYN packet to system B asking to establish a connection via three-way <br />
handshake. However the source address of the packet is spoofed thus misleads system B to <br />
switch to SYN_RECV state and send an SYN/ACK packet to the [http://en.wikipedia.org/wiki/IP_address_spoofing spoofed address]. These <br />
connections are called half-open connections. The source address does not exist and system <br />
B can only flush the potential connection once the connection-establishment timer expires. <br />
This timer varies from system to system ranging from seconds to minutes. This type of <br />
attack is very dangerous because with little resources (e.g. bandwidth), the attacker can <br />
take down an industrial strength web server. Moreover, this is a stealth attack since <br />
everything (e.g. the packet) look so normal. Today, SYN flood is the primary capacity <br />
depletion mechanism for denial of service attacks.<br />
===Targa===<br />
Targa, written by a German hacker known as Mixter, is a free software packet available on the Internet. It can run 8 different DoS attacks using some of the tools listed above. The attacker can try individual attack or try all attacks until it is successful. The attacker must be logged in with root permissions; since most of the attacks, use IP spoofing that requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Target platforms can be any operating system but the attacks do not have an impact on all operating systems.<br />
<br />
The attacks that can be done with the Targa kit:<br />
<br />
* Jolt by Jeff W. Roberson<br />
* Land by m3lt<br />
* Winnuke by _eci<br />
* Nestea by humble and ttol<br />
* Syndrop by PineKoan<br />
* Teardrop by route|daemon9<br />
* Bonk by route|daemon9 and klepto<br />
* NewTear by route|daemon9 (a variation of Teardrop)<br />
<br />
For further information about these tools, please refer to the references below.<br />
<br />
==Prevention==<br />
[[Image:Network_security.jpg|thumb|right|400px|Network security]]<br />
You could do the following things to minimize the DoS attack:<br />
<br />
* Effective robust design<br />
* Bandwidth limitations<br />
* Keep systems patched<br />
* Run the least amount of services<br />
* Allow only necessary traffic<br />
* Block IP addresses<br />
<br />
Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a Dos attack entirely.<br />
<br />
==Conclusion==<br />
<br />
DoS attacks can happen to anyone with devastating damage. A good network design will help mitigating DoS attacks. It is essential to have filtering capability based on packet header and content within the network or at the critical gateways in order to filter malicious traffic as a response to such attacks while waiting for a permanent solution. It is important to have the relevant referrals in the policy and legislation to address the issue of DoS and DDoS to ensure an effective cooperation between service providers and law enforcement agencies.<br />
<br />
==References==<br />
* Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed—Network Security Secrets & Solutions, Fifth Edition,McGraw-Hill/Osborne, ISBN:9780072260816<br />
* International Council of Electronic Commerce Consultants, Ethical Hacking and Countermeasures [EC-Council Exam 312-50]—Student Courseware,ISBN No 0972936211<br />
* Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, Print ISBN: 0-13-147573-8<br />
<br />
==See also==<br />
* [[Cell BE - A Network on a Chip]]<BR><br />
* [[Digital Enhanced Cordless Telecommunications (DECT)]]<BR><br />
* [[Internet Control Message Protocol]]<BR><br />
* [[Denial Of Service Attacks]]<BR><br />
* [[Wi-Fi]]<BR><br />
* [[Cryptography in Information Security]]<BR><br />
* [[Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)]]<BR><br />
* [[Bluetooth]]<BR><br />
* [[The practicality of IPv6]]<BR><br />
* [[Dynamic Host Configuration Protocol (DHCP)]]<BR><br />
* [[Social Network Service ]]<BR><br />
* [[Keystroke Logging: Are You Next]]<BR><br />
* [[Network Latency]]<BR><br />
* [[Onion Routing]]<BR><br />
<br />
* [[Radio Frequency Identification (RFID)]]<BR><br />
* [[3G Communications]]<BR><br />
* [[Security in Smartphones]]<BR><br />
* [[Credit Card Chip Security and Technology]]<BR><br />
* [[Address Resolution Protocol (ARP)]]<BR><br />
* [[How to Connect to the Internet via an ISP]]<BR><br />
* [[CAPTCHA]]<BR><br />
* [[Security for Small Home Networks]]<BR><br />
* [[Rootkits]]<BR><br />
* [[Proxy Server]]<BR><br />
* [[Network Firewall]]<BR><br />
* [[Steganography and Digital Watermarking]]<BR><br />
* [[Malware]]<BR><br />
* [[Peer-to-Peer Network Security]]<BR><br />
* [[High-Speed Downlink Packet Access (HSDPA)]]<BR><br />
* [[Man in the Middle Attack]]<BR><br />
* [[Network Attached Storage]]<BR><br />
* [[RSA Encryption Algorithm]]<BR><br />
* [[Corporate Security and IT Policies]]<BR><br />
* [[Ethical Hacking]]<BR><br />
* [[Extensible Messaging and Presence Protocol (XMPP)]]<BR><br />
* [[Cloud Computing]]<BR><br />
* [[Ethernet Routing Devices]]<BR><br />
* [[Personal Data Protection and Privacy]]<BR><br />
* [[Public Key Authentication]]<BR><br />
* [[AJAX Security]]<BR><br />
* [[Network Topology]]<BR><br />
* [[IP Spoofing]]<BR><br />
* [[WLAN Standard 802.11n]]<BR><br />
* [[Domain Name System]]<BR><br />
* [[Web 2.0]]<BR><br />
* [[Local Area Network]]<BR><br />
* [[Bots & Botnets]]<BR><br />
* [[Trivial File Transfer Protocol]]<BR><br />
* [[Load Balancing for Network Servers]]<BR><br />
* [[Simple Mail Transfer Protocol (SMTP)]]<BR><br />
* [[Email Security]]<BR><br />
* [[Data Encryption for Storage Devices]]<BR><br />
* [[Statistics of Internet Threats]]<BR><br />
* [[VoIP]]<BR><br />
* [[Deep Packet Inspection]]<BR><br />
* [[Fingerprint Authentication]]<BR><br />
* [[Multicasting]]<BR><br />
* [[MD5 Rainbow Tables]]<BR><br />
* [[The Interplanetary Internet]]<BR><br />
==External links==<br />
* [http://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-service Attacks]<BR><br />
* [http://en.wikipedia.org/wiki/Network_security Network security]<br><br />
* [http://www.hackforums.net Hacker Forums]<BR><br />
[[User:Luongqt|Luongqt]]</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:Mixter.jpgFile:Mixter.jpg2009-04-10T19:06:07Z<p>Luongqt: Mixter, creator of Targa</p>
<hr />
<div>Mixter, creator of Targa</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/Tools_for_conducting_denial-of-service_attacksTools for conducting denial-of-service attacks2009-04-10T19:03:12Z<p>Luongqt: </p>
<hr />
<div>[[Image:Bot_attack.jpg|thumb|right|400px|Attack of the bots. Too late for something too big.]]<br />
In the world of computer [http://en.wikipedia.org/wiki/Network_security network security], denial-of-service attack is a sneaky and furious monster. It is calm and quite. But when it attacks you, your system will be defeated within minutes (sometimes seconds). What is it? Where does it come from? What can it do? How can you conduct it? Conduct with what? Software or hardware?<br />
<br />
Nowadays there are tools available on the [http://en.wikipedia.org/wiki/Internet Internet] that allow attackers to conduct denial-of-service attacks to any vulnerable servers. They are created by [http://en.wikipedia.org/wiki/Black_hat_hacker black hat hackers] for different reasons varying from personal, political reasons to nastiness. Damages from a DoS attack are usually devastating to businesses such as search engines, email providers, banks, e-commerce sites that rely heavily on availability.<br />
<br />
On the other hand, although details of denial-of-service attacks are well-known and studied, it is quite difficult to protect any systems from it due to the very nature of the attacks. Scanning tools and other intrusion detection systems can be used to detect attacks or find vulnerable spots which can lead to an DoS attack.<br />
<br />
<br />
==Definition==<br />
[[Image:Dosgeek.jpg|thumb|right|400px|DoS in comic]]<br />
Denial-of-service (DoS) attack is an attempt to violate the availability condition of <br />
network security. Its sole purpose is to shut a computer system down or drain all its <br />
available resources, which prevents it to serve legitimate users. As computer becomes more <br />
and more popular, DoS attack evolves to Distributed DoS (DDoS) attack which amplifies the <br />
damage from thousand to million times.<br />
The most common technique for conducting DoS attacks is to "flood" the target with <br />
information/data. Others aim for the victim's Achilles' heel that cause it to crash.<br />
===Fact===<br />
[[Image:CnnDoS.PNG|thumb|right|400px|DoS reported on CNN]]<br />
* On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, [http://en.wikipedia.org/wiki/Ebay eBay (EBAY)], Amazon.com (AMZN), and [http://en.wikipedia.org/wiki/Cnn CNN] (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off. As a result, Yahoo, which relies on advertising for much of its revenue, lost potentially an estimated $500,000 because its users were unable to access Yahoo's Web pages and the advertisements they carried. (Business Week Online, 12 February 2000)<br />
<br />
* The [http://en.wikipedia.org/wiki/Fbi FBI]'s Web site was taken out of service for three hours on 18 February, 2000 by a DDoS attack. (CNN)<br />
<br />
* In October 2002, an attacker tried to performed a DDoS attack on the complete set of DNS root servers which have 13 servers of replicated DNS data in total. By a simple form of DDoS attack, he successfully took down 9 of them. The other 4 remained fully functional. The attack lasted only one hour. A longer and stronger attack might have been extremely harmful.<br />
<br />
* During the [http://en.wikipedia.org/wiki/Iraq_war Iraq War] in 2003, a DDoS attack was launched on the Qatar-based Al-Jazeera news organization, which broadcast pictures of captured American soldiers. Al-Jazeera attempted to out-provision the attackers by purchasing more bandwidth, but they merely ratcheted up the attack. The Web site was largely unreachable for two days, following which someone hijacked their DNS name, redirecting requests to another Web site that promoted the American cause.<br />
==Types of attack==<br />
There are basically three types of DoS attack:<br />
# Bandwidth attacks: straight forward, comsume resources.<br />
# Protocol attacks: take advantage of expected behavior of protocols such as [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP], [http://en.wikipedia.org/wiki/User_Datagram_Protocol UDP] and [http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
# Software vulnerability attacks: exploit vulnerabilities in network software, such as a web server, or the underlying TCP/IP stack.<br />
There are many tools for each type such as:<br />
* Sending oversized packets (protocol)<br />
* fragmentation overlap (protocol)<br />
* loopback floods (protocol)<br />
* Application DoS (software)<br />
* UDP floods (protocol)<br />
* [http://en.wikipedia.org/wiki/SYN_(TCP) SYN] floods (bandwidth)<br />
==Tools for conducting DoS attacks==<br />
===SSPing===<br />
[[Image:SmurfAttack.gif|thumb|right|300px|Smurf]]<br />
[[Image:SYN_flood.jpg|thumb|right|300px|SYN Flood]]<br />
[[Image:NewDoSTool.PNG|thumb|right|400px|Trinity]]<br />
SSPing, a DoS tool, is a program sends the victim's computer a series of highly fragmented, <br />
over-sized ICMP data packets. While trying to put the fragments together, the computer can <br />
get into a memory overflow which causes the machine to freeze. With a few packets, the <br />
attacker can lock the victim's computer instantaneously. The identity of the attacker is <br />
unknown since the connection is lost as the victim restarts the computer. SSPing affects <br />
Windows 95/NT and Mac OS.<br />
Jolt is a program known for this kind of attack. It will freeze unpatched Windows 95, NT <br />
machines by sending a series of spoofed & highly fragmented ICMP packets to the target, <br />
which then tries to reassemble the received fragments.<br />
===Land Exploit===<br />
Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and <br />
source addresses are the same and port numbers are the same. Receiving such packet causes <br />
some TCP implementations to crash the target system or exhaust all CPU resources. The name <br />
of the attack comes from the first distributed source code (called "exploit") that made it <br />
possible to implement this attack: land.c. Computers running Windows 95 and NT are desired targets of this kind of attack.<br />
===Smurf===<br />
Smurf is a simple effective DoS attack involving forged ICMP packets sent to a broadcast <br />
address. Attackers spoof the source address on ICMP echo requests and sending them to an IP <br />
broadcast address. This causes every machine on the broadcast network to receive the reply <br />
and respond back to the source address that was forged by the attacker. This attack results <br />
in DoS due to high network traffic which not only hurts the victim but the broadcast <br />
network also.<br />
There is a similar tool called Fraggle which uses UDP packets instead.<br />
===SYN Flood===<br />
With a series of SYN packets, the attacker can drain the victim resources which leads to <br />
rejecting legitimate requests.<br />
System A sends a SYN packet to system B asking to establish a connection via three-way <br />
handshake. However the source address of the packet is spoofed thus misleads system B to <br />
switch to SYN_RECV state and send an SYN/ACK packet to the [http://en.wikipedia.org/wiki/IP_address_spoofing spoofed address]. These <br />
connections are called half-open connections. The source address does not exist and system <br />
B can only flush the potential connection once the connection-establishment timer expires. <br />
This timer varies from system to system ranging from seconds to minutes. This type of <br />
attack is very dangerous because with little resources (e.g. bandwidth), the attacker can <br />
take down an industrial strength web server. Moreover, this is a stealth attack since <br />
everything (e.g. the packet) look so normal. Today, SYN flood is the primary capacity <br />
depletion mechanism for denial of service attacks.<br />
===Targa===<br />
Targa, written by a German hacker known as Mixter, is a free software packet available on the Internet. It can run 8 different DoS attacks using some of the tools listed above. The attacker can try individual attack or try all attacks until it is successful. The attacker must be logged in with root permissions; since most of the attacks, use IP spoofing that requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Target platforms can be any operating system but the attacks do not have an impact on all operating systems.<br />
<br />
The attacks that can be done with the Targa kit:<br />
<br />
* Jolt by Jeff W. Roberson<br />
* Land by m3lt<br />
* Winnuke by _eci<br />
* Nestea by humble and ttol<br />
* Syndrop by PineKoan<br />
* Teardrop by route|daemon9<br />
* Bonk by route|daemon9 and klepto<br />
* NewTear by route|daemon9 (a variation of Teardrop)<br />
<br />
For further information about these tools, please refer to the references below.<br />
<br />
==Prevention==<br />
[[Image:Network_security.jpg|thumb|right|400px|Network security]]<br />
You could do the following things to minimize the DoS attack:<br />
<br />
* Effective robust design<br />
* Bandwidth limitations<br />
* Keep systems patched<br />
* Run the least amount of services<br />
* Allow only necessary traffic<br />
* Block IP addresses<br />
<br />
Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a Dos attack entirely.<br />
<br />
==Conclusion==<br />
<br />
DoS attacks can happen to anyone with devastating damage. A good network design will help mitigating DoS attacks. It is essential to have filtering capability based on packet header and content within the network or at the critical gateways in order to filter malicious traffic as a response to such attacks while waiting for a permanent solution. It is important to have the relevant referrals in the policy and legislation to address the issue of DoS and DDoS to ensure an effective cooperation between service providers and law enforcement agencies.<br />
<br />
==References==<br />
* Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed—Network Security Secrets & Solutions, Fifth Edition,McGraw-Hill/Osborne, ISBN:9780072260816<br />
* International Council of Electronic Commerce Consultants, Ethical Hacking and Countermeasures [EC-Council Exam 312-50]—Student Courseware,ISBN No 0972936211<br />
* Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, Print ISBN: 0-13-147573-8<br />
<br />
==See also==<br />
* [[Cell BE - A Network on a Chip]]<BR><br />
* [[Digital Enhanced Cordless Telecommunications (DECT)]]<BR><br />
* [[Internet Control Message Protocol]]<BR><br />
* [[Denial Of Service Attacks]]<BR><br />
* [[Wi-Fi]]<BR><br />
* [[Cryptography in Information Security]]<BR><br />
* [[Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)]]<BR><br />
* [[Bluetooth]]<BR><br />
* [[The practicality of IPv6]]<BR><br />
* [[Dynamic Host Configuration Protocol (DHCP)]]<BR><br />
* [[Social Network Service ]]<BR><br />
* [[Keystroke Logging: Are You Next]]<BR><br />
* [[Network Latency]]<BR><br />
* [[Onion Routing]]<BR><br />
<br />
* [[Radio Frequency Identification (RFID)]]<BR><br />
* [[3G Communications]]<BR><br />
* [[Security in Smartphones]]<BR><br />
* [[Credit Card Chip Security and Technology]]<BR><br />
* [[Address Resolution Protocol (ARP)]]<BR><br />
* [[How to Connect to the Internet via an ISP]]<BR><br />
* [[CAPTCHA]]<BR><br />
* [[Security for Small Home Networks]]<BR><br />
* [[Rootkits]]<BR><br />
* [[Proxy Server]]<BR><br />
* [[Network Firewall]]<BR><br />
* [[Steganography and Digital Watermarking]]<BR><br />
* [[Malware]]<BR><br />
* [[Peer-to-Peer Network Security]]<BR><br />
* [[High-Speed Downlink Packet Access (HSDPA)]]<BR><br />
* [[Man in the Middle Attack]]<BR><br />
* [[Network Attached Storage]]<BR><br />
* [[RSA Encryption Algorithm]]<BR><br />
* [[Corporate Security and IT Policies]]<BR><br />
* [[Ethical Hacking]]<BR><br />
* [[Extensible Messaging and Presence Protocol (XMPP)]]<BR><br />
* [[Cloud Computing]]<BR><br />
* [[Ethernet Routing Devices]]<BR><br />
* [[Personal Data Protection and Privacy]]<BR><br />
* [[Public Key Authentication]]<BR><br />
* [[AJAX Security]]<BR><br />
* [[Network Topology]]<BR><br />
* [[IP Spoofing]]<BR><br />
* [[WLAN Standard 802.11n]]<BR><br />
* [[Domain Name System]]<BR><br />
* [[Web 2.0]]<BR><br />
* [[Local Area Network]]<BR><br />
* [[Bots & Botnets]]<BR><br />
* [[Trivial File Transfer Protocol]]<BR><br />
* [[Load Balancing for Network Servers]]<BR><br />
* [[Simple Mail Transfer Protocol (SMTP)]]<BR><br />
* [[Email Security]]<BR><br />
* [[Data Encryption for Storage Devices]]<BR><br />
* [[Statistics of Internet Threats]]<BR><br />
* [[VoIP]]<BR><br />
* [[Deep Packet Inspection]]<BR><br />
* [[Fingerprint Authentication]]<BR><br />
* [[Multicasting]]<BR><br />
* [[MD5 Rainbow Tables]]<BR><br />
* [[The Interplanetary Internet]]<BR><br />
==External links==<br />
* [http://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-service Attacks]<BR><br />
* [http://en.wikipedia.org/wiki/Network_security Network security]<br><br />
* [http://www.hackforums.net Hacker Forums]<BR><br />
<br />
--[[User:Luongqt|Luongqt]] 15:03, 10 April 2009 (EDT)</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:NewDoSTool.PNGFile:NewDoSTool.PNG2009-04-10T19:00:48Z<p>Luongqt: Trinity</p>
<hr />
<div>Trinity</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/Tools_for_conducting_denial-of-service_attacksTools for conducting denial-of-service attacks2009-04-10T18:58:37Z<p>Luongqt: </p>
<hr />
<div>[[Image:Bot_attack.jpg|thumb|right|400px|Attack of the bots. Too late for something too big.]]<br />
In the world of computer [http://en.wikipedia.org/wiki/Network_security network security], denial-of-service attack is a sneaky and furious monster. It is calm and quite. But when it attacks you, your system will be defeated within minutes (sometimes seconds). What is it? Where does it come from? What can it do? How can you conduct it? Conduct with what? Software or hardware?<br />
<br />
Nowadays there are tools available on the [http://en.wikipedia.org/wiki/Internet Internet] that allow attackers to conduct denial-of-service attacks to any vulnerable servers. They are created by [http://en.wikipedia.org/wiki/Black_hat_hacker black hat hackers] for different reasons varying from personal, political reasons to nastiness. Damages from a DoS attack are usually devastating to businesses such as search engines, email providers, banks, e-commerce sites that rely heavily on availability.<br />
<br />
On the other hand, although details of denial-of-service attacks are well-known and studied, it is quite difficult to protect any systems from it due to the very nature of the attacks. Scanning tools and other intrusion detection systems can be used to detect attacks or find vulnerable spots which can lead to an DoS attack.<br />
<br />
<br />
==Definition==<br />
[[Image:Dosgeek.jpg|thumb|right|400px|DoS in comic]]<br />
Denial-of-service (DoS) attack is an attempt to violate the availability condition of <br />
network security. Its sole purpose is to shut a computer system down or drain all its <br />
available resources, which prevents it to serve legitimate users. As computer becomes more <br />
and more popular, DoS attack evolves to Distributed DoS (DDoS) attack which amplifies the <br />
damage from thousand to million times.<br />
The most common technique for conducting DoS attacks is to "flood" the target with <br />
information/data. Others aim for the victim's Achilles' heel that cause it to crash.<br />
===Fact===<br />
[[Image:CnnDoS.PNG|thumb|right|400px|DoS reported on CNN]]<br />
* On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, [http://en.wikipedia.org/wiki/Ebay eBay (EBAY)], Amazon.com (AMZN), and [http://en.wikipedia.org/wiki/Cnn CNN] (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off. As a result, Yahoo, which relies on advertising for much of its revenue, lost potentially an estimated $500,000 because its users were unable to access Yahoo's Web pages and the advertisements they carried. (Business Week Online, 12 February 2000)<br />
<br />
* The [http://en.wikipedia.org/wiki/Fbi FBI]'s Web site was taken out of service for three hours on 18 February, 2000 by a DDoS attack. (CNN)<br />
<br />
* In October 2002, an attacker tried to performed a DDoS attack on the complete set of DNS root servers which have 13 servers of replicated DNS data in total. By a simple form of DDoS attack, he successfully took down 9 of them. The other 4 remained fully functional. The attack lasted only one hour. A longer and stronger attack might have been extremely harmful.<br />
<br />
* During the [http://en.wikipedia.org/wiki/Iraq_war Iraq War] in 2003, a DDoS attack was launched on the Qatar-based Al-Jazeera news organization, which broadcast pictures of captured American soldiers. Al-Jazeera attempted to out-provision the attackers by purchasing more bandwidth, but they merely ratcheted up the attack. The Web site was largely unreachable for two days, following which someone hijacked their DNS name, redirecting requests to another Web site that promoted the American cause.<br />
==Types of attack==<br />
There are basically three types of DoS attack:<br />
# Bandwidth attacks: straight forward, comsume resources.<br />
# Protocol attacks: take advantage of expected behavior of protocols such as [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP], [http://en.wikipedia.org/wiki/User_Datagram_Protocol UDP] and [http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
# Software vulnerability attacks: exploit vulnerabilities in network software, such as a web server, or the underlying TCP/IP stack.<br />
There are many tools for each type such as:<br />
* Sending oversized packets (protocol)<br />
* fragmentation overlap (protocol)<br />
* loopback floods (protocol)<br />
* Application DoS (software)<br />
* UDP floods (protocol)<br />
* [http://en.wikipedia.org/wiki/SYN_(TCP) SYN] floods (bandwidth)<br />
==Tools for conducting DoS attacks==<br />
===SSPing===<br />
[[Image:SmurfAttack.gif|thumb|right|300px|Smurf]]<br />
[[Image:SYN_flood.jpg|thumb|right|300px|SYN Flood]]<br />
SSPing, a DoS tool, is a program sends the victim's computer a series of highly fragmented, <br />
over-sized ICMP data packets. While trying to put the fragments together, the computer can <br />
get into a memory overflow which causes the machine to freeze. With a few packets, the <br />
attacker can lock the victim's computer instantaneously. The identity of the attacker is <br />
unknown since the connection is lost as the victim restarts the computer. SSPing affects <br />
Windows 95/NT and Mac OS.<br />
Jolt is a program known for this kind of attack. It will freeze unpatched Windows 95, NT <br />
machines by sending a series of spoofed & highly fragmented ICMP packets to the target, <br />
which then tries to reassemble the received fragments.<br />
===Land Exploit===<br />
Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and <br />
source addresses are the same and port numbers are the same. Receiving such packet causes <br />
some TCP implementations to crash the target system or exhaust all CPU resources. The name <br />
of the attack comes from the first distributed source code (called "exploit") that made it <br />
possible to implement this attack: land.c. Computers running Windows 95 and NT are desired targets of this kind of attack.<br />
===Smurf===<br />
Smurf is a simple effective DoS attack involving forged ICMP packets sent to a broadcast <br />
address. Attackers spoof the source address on ICMP echo requests and sending them to an IP <br />
broadcast address. This causes every machine on the broadcast network to receive the reply <br />
and respond back to the source address that was forged by the attacker. This attack results <br />
in DoS due to high network traffic which not only hurts the victim but the broadcast <br />
network also.<br />
There is a similar tool called Fraggle which uses UDP packets instead.<br />
===SYN Flood===<br />
With a series of SYN packets, the attacker can drain the victim resources which leads to <br />
rejecting legitimate requests.<br />
System A sends a SYN packet to system B asking to establish a connection via three-way <br />
handshake. However the source address of the packet is spoofed thus misleads system B to <br />
switch to SYN_RECV state and send an SYN/ACK packet to the [http://en.wikipedia.org/wiki/IP_address_spoofing spoofed address]. These <br />
connections are called half-open connections. The source address does not exist and system <br />
B can only flush the potential connection once the connection-establishment timer expires. <br />
This timer varies from system to system ranging from seconds to minutes. This type of <br />
attack is very dangerous because with little resources (e.g. bandwidth), the attacker can <br />
take down an industrial strength web server. Moreover, this is a stealth attack since <br />
everything (e.g. the packet) look so normal. Today, SYN flood is the primary capacity <br />
depletion mechanism for denial of service attacks.<br />
===Targa===<br />
Targa, written by a German hacker known as Mixter, is a free software packet available on the Internet. It can run 8 different DoS attacks using some of the tools listed above. The attacker can try individual attack or try all attacks until it is successful. The attacker must be logged in with root permissions; since most of the attacks, use IP spoofing that requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Target platforms can be any operating system but the attacks do not have an impact on all operating systems.<br />
<br />
The attacks that can be done with the Targa kit:<br />
<br />
* Jolt by Jeff W. Roberson<br />
* Land by m3lt<br />
* Winnuke by _eci<br />
* Nestea by humble and ttol<br />
* Syndrop by PineKoan<br />
* Teardrop by route|daemon9<br />
* Bonk by route|daemon9 and klepto<br />
* NewTear by route|daemon9 (a variation of Teardrop)<br />
<br />
For further information about these tools, please refer to the references below.<br />
<br />
==Prevention==<br />
[[Image:Network_security.jpg|thumb|right|400px|Network security]]<br />
You could do the following things to minimize the DoS attack:<br />
<br />
* Effective robust design<br />
* Bandwidth limitations<br />
* Keep systems patched<br />
* Run the least amount of services<br />
* Allow only necessary traffic<br />
* Block IP addresses<br />
<br />
Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a Dos attack entirely.<br />
<br />
==Conclusion==<br />
<br />
DoS attacks can happen to anyone with devastating damage. A good network design will help mitigating DoS attacks. It is essential to have filtering capability based on packet header and content within the network or at the critical gateways in order to filter malicious traffic as a response to such attacks while waiting for a permanent solution. It is important to have the relevant referrals in the policy and legislation to address the issue of DoS and DDoS to ensure an effective cooperation between service providers and law enforcement agencies.<br />
<br />
==References==<br />
* Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed—Network Security Secrets & Solutions, Fifth Edition,McGraw-Hill/Osborne, ISBN:9780072260816<br />
* International Council of Electronic Commerce Consultants, Ethical Hacking and Countermeasures [EC-Council Exam 312-50]—Student Courseware,ISBN No 0972936211<br />
* Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, Print ISBN: 0-13-147573-8<br />
<br />
==See also==<br />
* [[Cell BE - A Network on a Chip]]<BR><br />
* [[Digital Enhanced Cordless Telecommunications (DECT)]]<BR><br />
* [[Internet Control Message Protocol]]<BR><br />
* [[Denial Of Service Attacks]]<BR><br />
* [[Wi-Fi]]<BR><br />
* [[Cryptography in Information Security]]<BR><br />
* [[Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)]]<BR><br />
* [[Bluetooth]]<BR><br />
* [[The practicality of IPv6]]<BR><br />
* [[Dynamic Host Configuration Protocol (DHCP)]]<BR><br />
* [[Social Network Service ]]<BR><br />
* [[Keystroke Logging: Are You Next]]<BR><br />
* [[Network Latency]]<BR><br />
* [[Onion Routing]]<BR><br />
<br />
* [[Radio Frequency Identification (RFID)]]<BR><br />
* [[3G Communications]]<BR><br />
* [[Security in Smartphones]]<BR><br />
* [[Credit Card Chip Security and Technology]]<BR><br />
* [[Address Resolution Protocol (ARP)]]<BR><br />
* [[How to Connect to the Internet via an ISP]]<BR><br />
* [[CAPTCHA]]<BR><br />
* [[Security for Small Home Networks]]<BR><br />
* [[Rootkits]]<BR><br />
* [[Proxy Server]]<BR><br />
* [[Network Firewall]]<BR><br />
* [[Steganography and Digital Watermarking]]<BR><br />
* [[Malware]]<BR><br />
* [[Peer-to-Peer Network Security]]<BR><br />
* [[High-Speed Downlink Packet Access (HSDPA)]]<BR><br />
* [[Man in the Middle Attack]]<BR><br />
* [[Network Attached Storage]]<BR><br />
* [[RSA Encryption Algorithm]]<BR><br />
* [[Corporate Security and IT Policies]]<BR><br />
* [[Ethical Hacking]]<BR><br />
* [[Extensible Messaging and Presence Protocol (XMPP)]]<BR><br />
* [[Cloud Computing]]<BR><br />
* [[Ethernet Routing Devices]]<BR><br />
* [[Personal Data Protection and Privacy]]<BR><br />
* [[Public Key Authentication]]<BR><br />
* [[AJAX Security]]<BR><br />
* [[Network Topology]]<BR><br />
* [[IP Spoofing]]<BR><br />
* [[WLAN Standard 802.11n]]<BR><br />
* [[Domain Name System]]<BR><br />
* [[Web 2.0]]<BR><br />
* [[Local Area Network]]<BR><br />
* [[Bots & Botnets]]<BR><br />
* [[Trivial File Transfer Protocol]]<BR><br />
* [[Load Balancing for Network Servers]]<BR><br />
* [[Simple Mail Transfer Protocol (SMTP)]]<BR><br />
* [[Email Security]]<BR><br />
* [[Data Encryption for Storage Devices]]<BR><br />
* [[Statistics of Internet Threats]]<BR><br />
* [[VoIP]]<BR><br />
* [[Deep Packet Inspection]]<BR><br />
* [[Fingerprint Authentication]]<BR><br />
* [[Multicasting]]<BR><br />
* [[MD5 Rainbow Tables]]<BR><br />
* [[The Interplanetary Internet]]<BR><br />
==External links==<br />
* [http://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-service Attacks]<BR><br />
* [http://en.wikipedia.org/wiki/Network_security Network security]<br><br />
* [http://www.hackforums.net Hacker Forums]<BR><br />
[[User:Luongqt|Luongqt]]</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:Network_security.jpgFile:Network security.jpg2009-04-10T18:56:20Z<p>Luongqt: Network security</p>
<hr />
<div>Network security</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:Bot_attack.jpgFile:Bot attack.jpg2009-04-10T18:53:42Z<p>Luongqt: Attack of the bots</p>
<hr />
<div>Attack of the bots</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:CnnDoS.PNGFile:CnnDoS.PNG2009-04-10T18:47:33Z<p>Luongqt: DoS reported on CNN</p>
<hr />
<div>DoS reported on CNN</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/Tools_for_conducting_denial-of-service_attacksTools for conducting denial-of-service attacks2009-04-10T18:28:16Z<p>Luongqt: </p>
<hr />
<div>In the world of computer [http://en.wikipedia.org/wiki/Network_security network security], denial-of-service attack is a sneaky and furious monster. It is calm and quite. But when it attacks you, your system will be defeated within minutes (sometimes seconds). What is it? Where does it come from? What can it do? How can you conduct it? Conduct with what? Software or hardware?<br />
<br />
Nowadays there are tools available on the [http://en.wikipedia.org/wiki/Internet Internet] that allow attackers to conduct denial-of-service attacks to any vulnerable servers. They are created by [http://en.wikipedia.org/wiki/Black_hat_hacker black hat hackers] for different reasons varying from personal, political reasons to nastiness. Damages from a DoS attack are usually devastating to businesses such as search engines, email providers, banks, e-commerce sites that rely heavily on availability.<br />
<br />
On the other hand, although details of denial-of-service attacks are well-known and studied, it is quite difficult to protect any systems from it due to the very nature of the attacks. Scanning tools and other intrusion detection systems can be used to detect attacks or find vulnerable spots which can lead to an DoS attack.<br />
<br />
<br />
==Definition==<br />
[[Image:Dosgeek.jpg|thumb|right|400px|DoS in comic]]<br />
Denial-of-service (DoS) attack is an attempt to violate the availability condition of <br />
network security. Its sole purpose is to shut a computer system down or drain all its <br />
available resources, which prevents it to serve legitimate users. As computer becomes more <br />
and more popular, DoS attack evolves to Distributed DoS (DDoS) attack which amplifies the <br />
damage from thousand to million times.<br />
The most common technique for conducting DoS attacks is to "flood" the target with <br />
information/data. Others aim for the victim's Achilles' heel that cause it to crash.<br />
===Fact===<br />
* On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, [http://en.wikipedia.org/wiki/Ebay eBay (EBAY)], Amazon.com (AMZN), and [http://en.wikipedia.org/wiki/Cnn CNN] (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off. As a result, Yahoo, which relies on advertising for much of its revenue, lost potentially an estimated $500,000 because its users were unable to access Yahoo's Web pages and the advertisements they carried. (Business Week Online, 12 February 2000)<br />
<br />
* The [http://en.wikipedia.org/wiki/Fbi FBI]'s Web site was taken out of service for three hours on 18 February, 2000 by a DDoS attack. (CNN)<br />
<br />
* In October 2002, an attacker tried to performed a DDoS attack on the complete set of DNS root servers which have 13 servers of replicated DNS data in total. By a simple form of DDoS attack, he successfully took down 9 of them. The other 4 remained fully functional. The attack lasted only one hour. A longer and stronger attack might have been extremely harmful.<br />
<br />
* During the [http://en.wikipedia.org/wiki/Iraq_war Iraq War] in 2003, a DDoS attack was launched on the Qatar-based Al-Jazeera news organization, which broadcast pictures of captured American soldiers. Al-Jazeera attempted to out-provision the attackers by purchasing more bandwidth, but they merely ratcheted up the attack. The Web site was largely unreachable for two days, following which someone hijacked their DNS name, redirecting requests to another Web site that promoted the American cause.<br />
==Types of attack==<br />
There are basically three types of DoS attack:<br />
# Bandwidth attacks: straight forward, comsume resources.<br />
# Protocol attacks: take advantage of expected behavior of protocols such as [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP], [http://en.wikipedia.org/wiki/User_Datagram_Protocol UDP] and [http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ICMP].<br />
# Software vulnerability attacks: exploit vulnerabilities in network software, such as a web server, or the underlying TCP/IP stack.<br />
There are many tools for each type such as:<br />
* Sending oversized packets (protocol)<br />
* fragmentation overlap (protocol)<br />
* loopback floods (protocol)<br />
* Application DoS (software)<br />
* UDP floods (protocol)<br />
* [http://en.wikipedia.org/wiki/SYN_(TCP) SYN] floods (bandwidth)<br />
==Tools for conducting DoS attacks==<br />
===SSPing===<br />
[[Image:SmurfAttack.gif|thumb|right|300px|Smurf]]<br />
[[Image:SYN_flood.jpg|thumb|right|300px|SYN Flood]]<br />
SSPing, a DoS tool, is a program sends the victim's computer a series of highly fragmented, <br />
over-sized ICMP data packets. While trying to put the fragments together, the computer can <br />
get into a memory overflow which causes the machine to freeze. With a few packets, the <br />
attacker can lock the victim's computer instantaneously. The identity of the attacker is <br />
unknown since the connection is lost as the victim restarts the computer. SSPing affects <br />
Windows 95/NT and Mac OS.<br />
Jolt is a program known for this kind of attack. It will freeze unpatched Windows 95, NT <br />
machines by sending a series of spoofed & highly fragmented ICMP packets to the target, <br />
which then tries to reassemble the received fragments.<br />
===Land Exploit===<br />
Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and <br />
source addresses are the same and port numbers are the same. Receiving such packet causes <br />
some TCP implementations to crash the target system or exhaust all CPU resources. The name <br />
of the attack comes from the first distributed source code (called "exploit") that made it <br />
possible to implement this attack: land.c. Computers running Windows 95 and NT are desired targets of this kind of attack.<br />
===Smurf===<br />
Smurf is a simple effective DoS attack involving forged ICMP packets sent to a broadcast <br />
address. Attackers spoof the source address on ICMP echo requests and sending them to an IP <br />
broadcast address. This causes every machine on the broadcast network to receive the reply <br />
and respond back to the source address that was forged by the attacker. This attack results <br />
in DoS due to high network traffic which not only hurts the victim but the broadcast <br />
network also.<br />
There is a similar tool called Fraggle which uses UDP packets instead.<br />
===SYN Flood===<br />
With a series of SYN packets, the attacker can drain the victim resources which leads to <br />
rejecting legitimate requests.<br />
System A sends a SYN packet to system B asking to establish a connection via three-way <br />
handshake. However the source address of the packet is spoofed thus misleads system B to <br />
switch to SYN_RECV state and send an SYN/ACK packet to the spoofed address. These <br />
connections are called half-open connections. The source address does not exist and system <br />
B can only flush the potential connection once the connection-establishment timer expires. <br />
This timer varies from system to system ranging from seconds to minutes. This type of <br />
attack is very dangerous because with little resources (e.g. bandwidth), the attacker can <br />
take down an industrial strength web server. Moreover, this is a stealth attack since <br />
everything (e.g. the packet) look so normal. Today, SYN flood is the primary capacity <br />
depletion mechanism for denial of service attacks.<br />
===Targa===<br />
Targa, written by a German hacker known as Mixter, is a free software packet available on the Internet. It can run 8 different DoS attacks using some of the tools listed above. The attacker can try individual attack or try all attacks until it is successful. The attacker must be logged in with root permissions; since most of the attacks, use IP spoofing that requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Target platforms can be any operating system but the attacks do not have an impact on all operating systems.<br />
<br />
The attacks that can be done with the Targa kit:<br />
<br />
* Jolt by Jeff W. Roberson<br />
* Land by m3lt<br />
* Winnuke by _eci<br />
* Nestea by humble and ttol<br />
* Syndrop by PineKoan<br />
* Teardrop by route|daemon9<br />
* Bonk by route|daemon9 and klepto<br />
* NewTear by route|daemon9 (a variation of Teardrop)<br />
<br />
For further information about these tools, please refer to the references below.<br />
<br />
==Prevention==<br />
You could do the following things to minimize the DoS attack:<br />
<br />
* Effective robust design<br />
* Bandwidth limitations<br />
* Keep systems patched<br />
* Run the least amount of services<br />
* Allow only necessary traffic<br />
* Block IP addresses<br />
<br />
Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a Dos attack entirely.<br />
<br />
==Conclusion==<br />
<br />
DoS attacks can happen to anyone with devastating damage. A good network design will help mitigating DoS attacks. It is essential to have filtering capability based on packet header and content within the network or at the critical gateways in order to filter malicious traffic as a response to such attacks while waiting for a permanent solution. It is important to have the relevant referrals in the policy and legislation to address the issue of DoS and DDoS to ensure an effective cooperation between service providers and law enforcement agencies.<br />
<br />
==References==<br />
* Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed—Network Security Secrets & Solutions, Fifth Edition,McGraw-Hill/Osborne, ISBN:9780072260816<br />
* International Council of Electronic Commerce Consultants, Ethical Hacking and Countermeasures [EC-Council Exam 312-50]—Student Courseware,ISBN No 0972936211<br />
* Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, Print ISBN: 0-13-147573-8<br />
<br />
==See also==<br />
* [[Digital Enhanced Cordless Telecommunications (DECT)]]<BR><br />
* [[Internet Control Message Protocol (ICMP)]]<BR><br />
* [[Denial Of Service Attacks]]<BR><br />
* [[Cryptography in Information Security]]<BR><br />
* [[Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)]]<BR><br />
* [[Bluetooth]]<BR><br />
* [[Cell BE Hardware Employed as Network on a Chip]]<BR><br />
* [[IPv6]]<BR><br />
* [[Dynamic Host Configuration Protocol (DHCP)]]<BR><br />
* [[Social Network Services ]]<BR><br />
* [[Network Latency]]<BR><br />
* [[Onion Routing]]<BR><br />
* [[Radio Frequency Identification]]<BR><br />
* [[3G Communications]]<BR><br />
* [[Security in Smartphones]]<BR><br />
* [[Credit Card Chip Security and Technology]]<BR><br />
* [[Address Resolution Protocol (ARP)]]<BR><br />
* [[How to Connect to the Internet via an ISP]]<BR><br />
* [[CAPTCHAs]]<BR><br />
* [[Security for Small Home Networks]]<BR><br />
* [[Rootkits]]<BR><br />
* [[Proxy Servers]]<BR><br />
* [[Network Firewalls]]<BR><br />
* [[Steganography and Digital Watermarking]]<BR><br />
* [[Malware]]<BR><br />
* [[Peer-to-Peer File Sharing]]<BR><br />
* [[High-Speed Downlink Packet Access (HSDPA)]]<BR><br />
* [[Network Attached Storage (NAS) Devices]]<BR><br />
* [[RSA Encryption Algorithm]]<BR><br />
* [[Corporate Security and IT Policies]]<BR><br />
* [[Ethical Hacking]]<BR><br />
* [[Extensible Messaging and Presence Protocol (XMPP)]]<BR><br />
* [[Cloud Computing]]<BR><br />
* [[Ethernet Routing Devices]]<BR><br />
* [[Personal Data Protection and Privacy]]<BR><br />
* [[Public Key Authentication]]<BR><br />
* [[AJAX Security]]<BR><br />
* [[Network Topology]]<BR><br />
* [[IP Spoofing]]<BR><br />
* [[WLAN Standard 802.11n]]<BR><br />
* [[Domain Name System (DNS)]]<BR><br />
* [[Web 2.0]]<BR><br />
* [[Local Area Networks]]<BR><br />
* [[Botnets]]<BR><br />
* [[Trivial FTP]]<BR><br />
* [[Load Balancing for Network Servers]]<BR><br />
* [[Simple Mail Transfer Protocol (SMTP)]]<BR><br />
* [[Email Security]]<BR><br />
* [[Data Encryption for Storage Devices]]<BR><br />
* [[Statistical Analysis of Internet Security Threats]]<BR><br />
* [[Voice over IP (VoIP)]]<BR><br />
* [[Deep Packet Inspection]]<BR><br />
* [[Fingerprint Authentication]]<BR><br />
* [[Multicasting]]<BR><br />
* [[MD5 Rainbow Tables]]<BR><br />
* [[The Interplanetary Internet]]<BR><br />
==External links==<br />
* [http://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-service Attacks]<BR><br />
* [http://en.wikipedia.org/wiki/Network_security Network security]<br><br />
[[User:Luongqt|Luongqt]]</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/Tools_for_conducting_denial-of-service_attacksTools for conducting denial-of-service attacks2009-04-09T00:05:11Z<p>Luongqt: </p>
<hr />
<div>In the world of computer network security, denial-of-service attack is a sneaky and furious monster. It is calm and quite. But when it attacks you, your system will be defeated within minutes (sometimes seconds). What is it? Where does it come from? What can it do? How can you conduct it? Conduct with what? Software or hardware?<br />
<br />
Nowadays there are tools available on the Internet that allow any average user to conduct a denial-of-service attack to any vulnerable servers. They are created by black hat hackers for different reasons varying from personal, political reasons to nastiness. Damages from a DoS attack are usually devastating to businesses such as search engines, email providers, banks, e-commerce sites that rely heavily on availability.<br />
<br />
On the other hand, although details of denial-of-service attacks are well-known and studied, it is quite difficult to protect any systems from it due to the very nature of the attacks. Scanning tools and other intrusion detection systems can be used to detect attacks or find vulnerable spots which can lead to an DoS attack.<br />
<br />
<br />
==Definition==<br />
[[Image:Dosgeek.jpg|thumb|right|400px|DoS in comic]]<br />
Denial-of-service (DoS) attack is an attempt to violate the availability condition of <br />
network security. Its sole purpose is to shut a computer system down or drain all its <br />
available resources, which prevents it to serve legitimate users. As computer becomes more <br />
and more popular, DoS attack evolves to Distributed DoS (DDoS) attack which amplifies the <br />
damage from thousand to million times.<br />
The most common technique for conducting DoS attacks is to "flood" the target with <br />
information/data. Others aim for the victim's Achilles' heel that cause it to crash.<br />
===Fact===<br />
On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. <br />
(BUYX) was hit the next day, hours after going public. By that evening, eBay (EBAY), <br />
Amazon.com (AMZN), and CNN (TWX) had gone dark. And in the morning, the mayhem continued <br />
with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked <br />
off. As a result, Yahoo, which relies on advertising for much of its revenue, lost potentially an estimated $500,000 because its users were unable to access Yahoo's Web pages and the advertisements they carried. (Business Week Online, 12 February 2000)<br />
<br />
The FBI's Web site was taken out of service for three hours on 18 February, 2000 by a DDoS attack. (CNN)<br />
<br />
In October 2002, an attacker tried to performed a DDoS attack on the complete set of DNS root servers which have 13 servers of replicated DNS data in total. By a simple form of DDoS attack, he successfully took down 9 of them. The other 4 remained fully functional. The attack lasted only one hour. A longer and stronger attack might have been extremely harmful.<br />
<br />
During the Iraq War in 2003, a DDoS attack was launched on the Qatar-based Al-Jazeera news organization, which broadcast pictures of captured American soldiers. Al-Jazeera attempted to out-provision the attackers by purchasing more bandwidth, but they merely ratcheted up the attack. The Web site was largely unreachable for two days, following which someone hijacked their DNS name, redirecting requests to another Web site that promoted the American cause.<br />
==Types of attack==<br />
There are basically three types of DoS attack:<br />
# Bandwidth attacks: straight forward, comsume resources.<br />
# Protocol attacks: take advantage of expected behavior of protocols such as TCP, UDP and ICMP.<br />
# Software vulnerability attacks: exploit vulnerabilities in network software, such as a web server, or the underlying TCP/IP stack.<br />
There are many tools for each type such as:<br />
* Sending oversized packets (protocol)<br />
* fragmentation overlap (protocol)<br />
* loopback floods (protocol)<br />
* Application DoS (software)<br />
* UDP floods (protocol)<br />
* SYN floods (bandwidth)<br />
==Tools for conducting DoS attacks==<br />
===SSPing===<br />
[[Image:SmurfAttack.gif|thumb|right|300px|Smurf]]<br />
[[Image:SYN_flood.jpg|thumb|right|300px|SYN Flood]]<br />
SSPing, a DoS tool, is a program sends the victim's computer a series of highly fragmented, <br />
over-sized ICMP data packets. While trying to put the fragments together, the computer can <br />
get into a memory overflow which causes the machine to freeze. With a few packets, the <br />
attacker can lock the victim's computer instantaneously. The identity of the attacker is <br />
unknown since the connection is lost as the victim restarts the computer. SSPing affects <br />
Windows 95/NT and Mac OS.<br />
Jolt is a program known for this kind of attack. It will freeze unpatched Windows 95, NT <br />
machines by sending a series of spoofed & highly fragmented ICMP packets to the target, <br />
which then tries to reassemble the received fragments.<br />
===Land Exploit===<br />
Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and <br />
source addresses are the same and port numbers are the same. Receiving such packet causes <br />
some TCP implementations to crash the target system or exhaust all CPU resources. The name <br />
of the attack comes from the first distributed source code (called "exploit") that made it <br />
possible to implement this attack: land.c. Computers running Windows 95 and NT are desired targets of this kind of attack.<br />
===Smurf===<br />
Smurf is a simple effective DoS attack involving forged ICMP packets sent to a broadcast <br />
address. Attackers spoof the source address on ICMP echo requests and sending them to an IP <br />
broadcast address. This causes every machine on the broadcast network to receive the reply <br />
and respond back to the source address that was forged by the attacker. This attack results <br />
in DoS due to high network traffic which not only hurts the victim but the broadcast <br />
network also.<br />
There is a similar tool called Fraggle which uses UDP packets instead.<br />
===SYN Flood===<br />
With a series of SYN packets, the attacker can drain the victim resources which leads to <br />
rejecting legitimate requests.<br />
System A sends a SYN packet to system B asking to establish a connection via three-way <br />
handshake. However the source address of the packet is spoofed thus misleads system B to <br />
switch to SYN_RECV state and send an SYN/ACK packet to the spoofed address. These <br />
connections are called half-open connections. The source address does not exist and system <br />
B can only flush the potential connection once the connection-establishment timer expires. <br />
This timer varies from system to system ranging from seconds to minutes. This type of <br />
attack is very dangerous because with little resources (e.g. bandwidth), the attacker can <br />
take down an industrial strength web server. Moreover, this is a stealth attack since <br />
everything (e.g. the packet) look so normal. Today, SYN flood is the primary capacity <br />
depletion mechanism for denial of service attacks.<br />
===Targa===<br />
Targa, written by a German hacker known as Mixter, is a free software packet available on the Internet. It can run 8 different DoS attacks using some of the tools listed above. The attacker can try individual attack or try all attacks until it is successful. The attacker must be logged in with root permissions; since most of the attacks, use IP spoofing that requires root privileges. The attack can be done from any machine on which the targa.c code compiles. Target platforms can be any operating system but the attacks do not have an impact on all operating systems.<br />
<br />
The attacks that can be done with the Targa kit:<br />
<br />
* Jolt by Jeff W. Roberson<br />
* Land by m3lt<br />
* Winnuke by _eci<br />
* Nestea by humble and ttol<br />
* Syndrop by PineKoan<br />
* Teardrop by route|daemon9<br />
* Bonk by route|daemon9 and klepto<br />
* NewTear by route|daemon9 (a variation of Teardrop)<br />
<br />
For further information about these tools, please refer to the references below.<br />
<br />
==Prevention==<br />
You could do the following things to minimize the DoS attack:<br />
<br />
* Effective robust design<br />
* Bandwidth limitations<br />
* Keep systems patched<br />
* Run the least amount of services<br />
* Allow only necessary traffic<br />
* Block IP addresses<br />
<br />
Due to the power of DoS attacks and the way they work, there is nothing that can be done to prevent a Dos attack entirely.<br />
<br />
==Conclusion==<br />
<br />
DoS attacks can happen to anyone with devastating damage. A good network design will help mitigating DoS attacks. It is essential to have filtering capability based on packet header and content within the network or at the critical gateways in order to filter malicious traffic as a response to such attacks while waiting for a permanent solution. It is important to have the relevant referrals in the policy and legislation to address the issue of DoS and DDoS to ensure an effective cooperation between service providers and law enforcement agencies.<br />
<br />
==References==<br />
* Stuart McClure, Joel Scambray and George Kurtz, Hacking Exposed—Network Security Secrets & Solutions, Fifth Edition,McGraw-Hill/Osborne, ISBN:9780072260816<br />
* International Council of Electronic Commerce Consultants, Ethical Hacking and Countermeasures [EC-Council Exam 312-50]—Student Courseware,ISBN No 0972936211<br />
* Jelena Mirkovic, Sven Dietrich, David Dittrich, Peter Reiher, Internet Denial of Service: Attack and Defense Mechanisms, Prentice Hall PTR, Print ISBN: 0-13-147573-8<br />
<br />
==See also==<br />
<br />
<br />
==External links==<br />
[http://en.wikipedia.org/wiki/Denial-of-service_attack Denial-of-service Attacks]<br />
[http://en.wikipedia.org/wiki/Network_security Network security]<br />
[[User:Luongqt|Luongqt]]</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:Dosgeek.jpgFile:Dosgeek.jpg2009-04-08T20:22:30Z<p>Luongqt: Comic for DoS</p>
<hr />
<div>Comic for DoS</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/Tools_for_conducting_denial-of-service_attacksTools for conducting denial-of-service attacks2009-04-08T20:19:42Z<p>Luongqt: </p>
<hr />
<div>In the world of computer network security, denial-of-service attack is a sneaky and furious monster. It is calm and quite. But when it attacks you, your system will be defeated within minutes (sometimes seconds). What is it? Where does it come from? What can it do? How can you conduct it? Conduct with what? Software or hardware?<br />
<br />
Nowadays there are tools available on the Internet that allow any average user to conduct a denial-of-service attack to any vulnerable servers. They are created by black hat hackers for different reasons varying from personal, political reasons to nastiness. Damages from a DoS attack are usually devastating to businesses such as search engines, email providers, banks, e-commerce sites that rely heavily on availability.<br />
<br />
On the other hand, although details of denial-of-service attacks are well-known and studied, it is quite difficult to protect any systems from it due to the very nature of the attacks. Scanning tools and other intrusion detection systems can be used to detect attacks or find vulnerable spots which can lead to an DoS attack.<br />
==Definition==<br />
Denial-of-service (DoS) attack is an attempt to violate the availability condition of network security. Its sole purpose is to shut a computer system down or drain all its available resources, which prevents it to serve legitimate users.<br />
<br />
As computer becomes more and more popular, DoS attack evolves to Distributed DoS (DDoS) attack which amplifies the damage from thousand to million times.<br />
<br />
<br />
<br />
===Fact===<br />
On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, eBay (EBAY), Amazon.com (AMZN), and CNN (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off. (Business Week Online, 12 February 2000) <br />
<br />
==Types of attack==<br />
There are many ways to conduct a DoS attack. Some of them are<br />
* Sending oversized packets<br />
* fragmentation overlap<br />
* loopback floods<br />
* Application DoS<br />
* UDP floods<br />
* SYN floods<br />
==Tools for conducting DoS attacks==<br />
<br />
===SSPing===<br />
[[Image:SmurfAttack.gif|thumb|right|100px|Smurf]]<br />
[[Image:SYN_flood.jpg|thumb|right|100px|SYN Flood]]<br />
SSPing, a DoS tool, is a program sends the victim's computer a series of highly fragmented, oversized ICMP data packets. While trying to put the fragments together, the computer can get into a memory overflow which causes the machine to freeze. SSPing affects Windows 95/NT and Mac OS.<br />
<br />
Jolt is a program known for this kind of attack. It will freeze un-patched Windows 95, NT machines by sending a series of spoofed & highly fragmented ICMP packets to the target, which then tries to reassemble the received fragments.<br />
===Land Exploit===<br />
Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and source addresses are the same and port numbers are the same.<br />
This trick works for Windows 95 and Windows NT. The computer which is running one of these operating systems will operate slowly and sometimes hang.<br />
===Smurf===<br />
Smurf is a simple effective DoS attack involving forged ICMP packets sent to a broadcast address. Attackers spoof the source address on ICMP echo requests and sending them to an IP broadcast address. This causes every machine on the broadcast network to receive the reply and respond back to the source address that was forged by the attacker. This attack results in DoS due to high network traffic which not only hurts the victim but the broadcase network also.<br />
There is a similar tool called Fraggle which uses UDP packets instead.<br />
===SYN Flood===<br />
With a series of SYN packets, the attacker can drain the victim resources which leads to rejecting legitimate requests.<br />
System A sends a SYN packet to system B asking to establish a connection via three-way handshake. However the source address of the packet is spoofed thus misleads system B to switch to SYN_RECV state and send an SYN/ACK packet to the spoofed address. These connections are called half-open connections. The source address does not exist and system B can only flush the potential connection once the connection-establishment timer expires. This timer varies from system to system ranging from seconds to minutes. This type of attack is very dangerous because with little resources (e.g. bandwidth), the attacker can take down an industrial strength web server. Moreover, this is a stealth attack since everything (e.g. the packet) look so normal. Today, SYN flood is the primary capacity depletion mechanism for denial of service attacks.<br />
==Conclusion==<br />
<br />
==References==<br />
<br />
==See also==<br />
<br />
==External links==<br />
<br />
[[User:Luongqt|Luongqt]]</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:SYN_flood.jpgFile:SYN flood.jpg2009-04-08T20:12:43Z<p>Luongqt: </p>
<hr />
<div></div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/Tools_for_conducting_denial-of-service_attacksTools for conducting denial-of-service attacks2009-04-08T20:07:25Z<p>Luongqt: New page: In the world of computer network security, denial-of-service attack is a sneaky and furious monster. It is calm and quite. But when it attacks you, your system will be defeated within minu...</p>
<hr />
<div>In the world of computer network security, denial-of-service attack is a sneaky and furious monster. It is calm and quite. But when it attacks you, your system will be defeated within minutes (sometimes seconds). What is it? Where does it come from? What can it do? How can you conduct it? Conduct with what? Software or hardware?<br />
<br />
Nowadays there are tools available on the Internet that allow any average user to conduct a denial-of-service attack to any vulnerable servers. They are created by black hat hackers for different reasons varying from personal, political reasons to nastiness. Damages from a DoS attack are usually devastating to businesses such as search engines, email providers, banks, e-commerce sites that rely heavily on availability.<br />
<br />
On the other hand, although details of denial-of-service attacks are well-known and studied, it is quite difficult to protect any systems from it due to the very nature of the attacks. Scanning tools and other intrusion detection systems can be used to detect attacks or find vulnerable spots which can lead to an DoS attack.<br />
==Definition==<br />
Denial-of-service (DoS) attack is an attempt to violate the availability condition of network security. Its sole purpose is to shut a computer system down or drain all its available resources, which prevents it to serve legitimate users.<br />
<br />
As computer becomes more and more popular, DoS attack evolves to Distributed DoS (DDoS) attack which amplifies the damage from thousand to million times.<br />
<br />
<br />
<br />
===Fact===<br />
On February 6th, 2000, Yahoo portal was shut down for 3 hours. Then retailer Buy.com Inc. (BUYX) was hit the next day, hours after going public. By that evening, eBay (EBAY), Amazon.com (AMZN), and CNN (TWX) had gone dark. And in the morning, the mayhem continued with online broker E*Trade (EGRP) and others having traffic to their sites virtually choked off. (Business Week Online, 12 February 2000) <br />
<br />
==Types of attack==<br />
There are many ways to conduct a DoS attack. Some of them are<br />
* Sending oversized packets<br />
* fragmentation overlap<br />
* loopback floods<br />
* Application DoS<br />
* UDP floods<br />
* SYN floods<br />
==Tools for conducting DoS attacks==<br />
===SSPing===<br />
SSPing, a DoS tool, is a program sends the victim's computer a series of highly fragmented, oversized ICMP data packets. While trying to put the fragments together, the computer can get into a memory overflow which causes the machine to freeze. SSPing affects Windows 95/NT and Mac OS.<br />
<br />
Jolt is a program known for this kind of attack. It will freeze un-patched Windows 95, NT machines by sending a series of spoofed & highly fragmented ICMP packets to the target, which then tries to reassemble the received fragments.<br />
===Land Exploit===<br />
Land Exploit is a DoS attack in which a program sends a TCP SYN packet where the target and source addresses are the same and port numbers are the same.<br />
This trick works for Windows 95 and Windows NT. The computer which is running one of these operating systems will operate slowly and sometimes hang.<br />
===Smurf===<br />
[[Image:SmurfAttack.gif]]<br />
<br />
Smurf is a simple effective DoS attack involving forged ICMP packets sent to a broadcast address. Attackers spoof the source address on ICMP echo requests and sending them to an IP broadcast address. This causes every machine on the broadcast network to receive the reply and respond back to the source address that was forged by the attacker. This attack results in DoS due to high network traffic which not only hurts the victim but the broadcase network also.<br />
There is a similar tool called Fraggle which uses UDP packets instead.<br />
===SYN Flood===<br />
With a series of SYN packets, the attacker can drain the victim resources which leads to rejecting legitimate requests.<br />
System A sends a SYN packet to system B asking to establish a connection via three-way handshake. However the source address of the packet is spoofed thus misleads system B to switch to SYN_RECV state and send an SYN/ACK packet to the spoofed address. These connections are called half-open connections. The source address does not exist and system B can only flush the potential connection once the connection-establishment timer expires. This timer varies from system to system ranging from seconds to minutes. This type of attack is very dangerous because with little resources (e.g. bandwidth), the attacker can take down an industrial strength web server. Moreover, this is a stealth attack since everything (e.g. the packet) look so normal. Today, SYN flood is the primary capacity depletion mechanism for denial of service attacks.<br />
<br />
[[User:Luongqt|Luongqt]]</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:SmurfAttack.gifFile:SmurfAttack.gif2009-04-08T20:06:32Z<p>Luongqt: Smurf Attack in DoS</p>
<hr />
<div>Smurf Attack in DoS</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-10T04:15:02Z<p>Luongqt: </p>
<hr />
<div>Computer security is an important factor in our information world with Internet and digitally owned materials. Over the past twenty years, network security has evolved continuously. More secure implementations are invented to replace old less secure implementations. Kevin Mitnick was able to hack into Tsutomu Shimomura's X-Terminal computer due to early implementation of [http://en.wikipedia.org/wiki/Transmission_Control_Protocol TCP] connection, which was not really secure at that time. With a huge desire of curiosity, Mitnick did something that no one has ever done before him. He exploited the trusted relationship between two computers by performing man-in-the-middle attack under a spoofed identity. His attack made him the most famous [http://en.wikipedia.org/wiki/Hacker hacker] in [http://en.wikipedia.org/wiki/United_States United States of America].<br />
[[Image:Kevin mitnick FBI.gif|thumb|right|250px|Mitnick on FBI wanted list]]<br />
== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|thumb|right|170px|Kevin Mitnick]]<br />
[[Image:Shimomura.jpg|thumb|right|170px|Tsutomu Shimomura]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in United States of America. He is an expert in [[social engineering]], which helped him to obtain many classified information used for his hacking hobby. In his early age, he was on the [http://en.wikipedia.org/wiki/Fbi FBI] most wanted cyber criminal list. He was captured by the FBI with the aid of [http://en.wikipedia.org/wiki/Tsutomu Tsutomu] and sentenced 5 years in prison. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a [http://www.pccitizen.com/threewayhandshake.htm three-way handshake]. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
====Step 1: SYN request====<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
====Step 2: SYN/ACK response====<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
====Step 3: ACK or RESET response====<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|thumb|right|500px|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were "echo + + >> /.rhosts". The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
== Detection ==<br />
There are no specific mechanisms to detect the Mitnick attack directly. However, a security analyst can combine several mechanisms to detect the attack indirectly. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
Nowadays, Mitnick attack is no longer practical because the security in networking field is way improved than before. However, preventing Mitnick attack is the least requirement a system must satisfy to be considered secure. It worths to mention that in the days of the attack, people (e.g. Tsutomu) used [http://en.wikipedia.org/wiki/Remote_shell remote shell (RSH)] instead of [http://en.wikipedia.org/wiki/Secure_Shell secure shell (SSH)] like today.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of easy-to-be-known weaknesses. After his attack, computer security was taken more seriously. New tools was developed to improve security in networking over the Internet. SSH (secure shell) is used to replace RSH (remote shell) which allowed data transfered insecurely.<br />
== References ==<br />
- [http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<BR><br />
- [http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<BR><br />
- [http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<BR><br />
- [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<BR><br />
- [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<BR><br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
==See also==<br />
Information Security Topics:<BR><br />
- [[Piggybacking]]<BR><br />
- [[Security and Storage Mediums]]<BR><br />
- [[Random Number Generators and Information Security]]<BR><br />
- [[Biometric systems regarding security design principle]]<BR><br />
- [[Phishing]]<BR><br />
- [[Biometrics in Information Security]]<BR><br />
- [[Smart Card technology to prevent fraud]]<BR><br />
- [[Electronic Voting Systems]]<BR><br />
- [[Anti-spam Systems and Techniques]]<BR><br />
- [[Payment Card Industry Data Security Standard]]<BR><br />
- [[Operating Systems Security]]<BR><br />
- [[Autocomplete]]<BR><br />
- [[Social engineering]]<BR><br />
- [[Identity Theft]]<BR><br />
- [[Information security awareness]]<BR><br />
<br />
== External links ==<br />
- [http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<BR><br />
- [http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<BR><br />
<br />
QUANG LUONG<br />
Revised date: Dec 9 2007</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-10T04:06:57Z<p>Luongqt: </p>
<hr />
<div>Computer security is an important factor in our information world with Internet and digitally owned materials. Over the past twenty years, network security has evolved continuously. More secure implementations are invented to replace old less secure implementations. Kevin Mitnick was able to hack into Tsutomu Shimomura's X-Terminal computer due to early implementation of TCP connection, which was not really secure at that time. With a huge desire of curiosity, Mitnick did something that no one has ever done before him. He exploited the trusted relationship between two computers by performing man-in-the-middle attack under a spoofed identity. His attack made him the most famous hacker in United States of America.<br />
[[Image:Kevin mitnick FBI.gif|thumb|right|250px|Mitnick on FBI wanted list]]<br />
== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|thumb|right|170px|Kevin Mitnick]]<br />
[[Image:Shimomura.jpg|thumb|right|170px|Tsutomu Shimomura]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in United States of America. He is an expert in [[social engineering]], which helped him to obtain many classified information used for his hacking hobby. In his early age, he was on the FBI most wanted cyber criminal list. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prison. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a [http://www.pccitizen.com/threewayhandshake.htm three-way handshake]. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
====Step 1: SYN request====<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
====Step 2: SYN/ACK response====<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
====Step 3: ACK or RESET response====<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|thumb|right|500px|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were "echo + + >> /.rhosts". The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
== Detection ==<br />
There are no specific mechanisms to detect the Mitnick attack directly. However, a security analyst can combine several mechanisms to detect the attack indirectly. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
Nowadays, Mitnick attack is no longer practical because the security in networking field is way improved than before. However, preventing Mitnick attack is the least requirement a system must satisfy to be considered secure. It worths to mention that in the days of the attack, people (e.g. Tsutomu) used remote shell (RSH) instead of secure shell (SSH) like today.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of easy-to-be-known weaknesses. After his attack, computer security was taken more seriously. New tools was developed to improve security in networking over the Internet. SSH (secure shell) is used to replace RSH (remote shell) which allowed data transfered insecurely.<br />
== References ==<br />
- [http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<BR><br />
- [http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<BR><br />
- [http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<BR><br />
- [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<BR><br />
- [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<BR><br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
==See also==<br />
Information Security Topics:<BR><br />
- [[Piggybacking]]<BR><br />
- [[Security and Storage Mediums]]<BR><br />
- [[Random Number Generators and Information Security]]<BR><br />
- [[Biometric systems regarding security design principle]]<BR><br />
- [[Phishing]]<BR><br />
- [[Biometrics in Information Security]]<BR><br />
- [[Smart Card technology to prevent fraud]]<BR><br />
- [[Electronic Voting Systems]]<BR><br />
- [[Anti-spam Systems and Techniques]]<BR><br />
- [[Payment Card Industry Data Security Standard]]<BR><br />
- [[Operating Systems Security]]<BR><br />
- [[Autocomplete]]<BR><br />
- [[Social engineering]]<BR><br />
- [[Identity Theft]]<BR><br />
- [[Information security awareness]]<BR><br />
<br />
== External links ==<br />
- [http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<BR><br />
- [http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<BR><br />
<br />
QUANG LUONG<br />
Revised date: Dec 9 2007</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-10T04:06:26Z<p>Luongqt: /* Who is Mitnick? */</p>
<hr />
<div>Computer security is an important factor in our information world with Internet and digitally owned materials. Over the past twenty years, network security has evolved continuously. More secure implementations are invented to replace old less secure implementations. Kevin Mitnick was able to hack into Tsutomu Shimomura's X-Terminal computer due to early implementation of TCP connection, which was not really secure at that time. With a huge desire of curiosity, Mitnick did something that no one has ever done before him. He exploited the trusted relationship between two computers by performing man-in-the-middle attack under a spoofed identity. His attack made him the most famous hacker in United States of America.<br />
[[Image:Kevin mitnick FBI.gif|thumb|right|250px|Mitnick on FBI wanted list]]<br />
== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|thumb|right|150px|Kevin Mitnick]]<br />
[[Image:Shimomura.jpg|thumb|right|150px|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in United States of America. He is an expert in [[social engineering]], which helped him to obtain many classified information used for his hacking hobby. In his early age, he was on the FBI most wanted cyber criminal list. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prison. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a [http://www.pccitizen.com/threewayhandshake.htm three-way handshake]. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
====Step 1: SYN request====<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
====Step 2: SYN/ACK response====<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
====Step 3: ACK or RESET response====<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|thumb|right|500px|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were "echo + + >> /.rhosts". The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
== Detection ==<br />
There are no specific mechanisms to detect the Mitnick attack directly. However, a security analyst can combine several mechanisms to detect the attack indirectly. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
Nowadays, Mitnick attack is no longer practical because the security in networking field is way improved than before. However, preventing Mitnick attack is the least requirement a system must satisfy to be considered secure. It worths to mention that in the days of the attack, people (e.g. Tsutomu) used remote shell (RSH) instead of secure shell (SSH) like today.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of easy-to-be-known weaknesses. After his attack, computer security was taken more seriously. New tools was developed to improve security in networking over the Internet. SSH (secure shell) is used to replace RSH (remote shell) which allowed data transfered insecurely.<br />
== References ==<br />
- [http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<BR><br />
- [http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<BR><br />
- [http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<BR><br />
- [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<BR><br />
- [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<BR><br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
==See also==<br />
Information Security Topics:<BR><br />
- [[Piggybacking]]<BR><br />
- [[Security and Storage Mediums]]<BR><br />
- [[Random Number Generators and Information Security]]<BR><br />
- [[Biometric systems regarding security design principle]]<BR><br />
- [[Phishing]]<BR><br />
- [[Biometrics in Information Security]]<BR><br />
- [[Smart Card technology to prevent fraud]]<BR><br />
- [[Electronic Voting Systems]]<BR><br />
- [[Anti-spam Systems and Techniques]]<BR><br />
- [[Payment Card Industry Data Security Standard]]<BR><br />
- [[Operating Systems Security]]<BR><br />
- [[Autocomplete]]<BR><br />
- [[Social engineering]]<BR><br />
- [[Identity Theft]]<BR><br />
- [[Information security awareness]]<BR><br />
<br />
== External links ==<br />
- [http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<BR><br />
- [http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<BR><br />
<br />
QUANG LUONG<br />
Revised date: Dec 9 2007</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-10T04:04:36Z<p>Luongqt: </p>
<hr />
<div>Computer security is an important factor in our information world with Internet and digitally owned materials. Over the past twenty years, network security has evolved continuously. More secure implementations are invented to replace old less secure implementations. Kevin Mitnick was able to hack into Tsutomu Shimomura's X-Terminal computer due to early implementation of TCP connection, which was not really secure at that time. With a huge desire of curiosity, Mitnick did something that no one has ever done before him. He exploited the trusted relationship between two computers by performing man-in-the-middle attack under a spoofed identity. His attack made him the most famous hacker in United States of America.<br />
[[Image:Kevin mitnick FBI.gif|thumb|right|250px|Mitnick on FBI wanted list]]<br />
== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|frame|right|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in United States of America. He is an expert in [[social engineering]], which helped him to obtain many classified information used for his hacking hobby. In his early age, he was on the FBI most wanted cyber criminal list. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prison. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a [http://www.pccitizen.com/threewayhandshake.htm three-way handshake]. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
====Step 1: SYN request====<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
====Step 2: SYN/ACK response====<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
====Step 3: ACK or RESET response====<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|thumb|right|500px|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were "echo + + >> /.rhosts". The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
== Detection ==<br />
There are no specific mechanisms to detect the Mitnick attack directly. However, a security analyst can combine several mechanisms to detect the attack indirectly. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
Nowadays, Mitnick attack is no longer practical because the security in networking field is way improved than before. However, preventing Mitnick attack is the least requirement a system must satisfy to be considered secure. It worths to mention that in the days of the attack, people (e.g. Tsutomu) used remote shell (RSH) instead of secure shell (SSH) like today.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of easy-to-be-known weaknesses. After his attack, computer security was taken more seriously. New tools was developed to improve security in networking over the Internet. SSH (secure shell) is used to replace RSH (remote shell) which allowed data transfered insecurely.<br />
== References ==<br />
- [http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<BR><br />
- [http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<BR><br />
- [http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<BR><br />
- [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<BR><br />
- [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<BR><br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
==See also==<br />
Information Security Topics:<BR><br />
- [[Piggybacking]]<BR><br />
- [[Security and Storage Mediums]]<BR><br />
- [[Random Number Generators and Information Security]]<BR><br />
- [[Biometric systems regarding security design principle]]<BR><br />
- [[Phishing]]<BR><br />
- [[Biometrics in Information Security]]<BR><br />
- [[Smart Card technology to prevent fraud]]<BR><br />
- [[Electronic Voting Systems]]<BR><br />
- [[Anti-spam Systems and Techniques]]<BR><br />
- [[Payment Card Industry Data Security Standard]]<BR><br />
- [[Operating Systems Security]]<BR><br />
- [[Autocomplete]]<BR><br />
- [[Social engineering]]<BR><br />
- [[Identity Theft]]<BR><br />
- [[Information security awareness]]<BR><br />
<br />
== External links ==<br />
- [http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<BR><br />
- [http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<BR><br />
<br />
QUANG LUONG<br />
Revised date: Dec 9 2007</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-09T22:47:41Z<p>Luongqt: /* Prevention */</p>
<hr />
<div>Computer security is an important factor in our information world with Internet and digitally owned materials. Over the past twenty years, network security has evolved continuously. More secure implementations are invented to replace old less secure implementations. Kevin Mitnick was able to hack into Tsutomu Shimomura's X-Terminal computer thanks to early implementation of TCP connection, which was not really secure at that time. With a huge desire of curiosity, Mitnick did something that no one has ever done before him. He exploited the trusted relationship between two computers by performing man-in-the-middle attack under a spoofed identity. His attack made him the most famous hacker in United States of America.<br />
[[Image:Kevin mitnick FBI.gif|thumb|right|250px|Mitnick on FBI wanted list]]<br />
== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|frame|right|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in United States of America. He is an expert [[Social engineering]], which helped him to obtain many classified information used for his hacking habbit. In his early age, he was on the FBI most wanted cyber criminal list. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a [http://www.pccitizen.com/threewayhandshake.htm three-way handshake]. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
====Step 1: SYN request====<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
====Step 2: SYN/ACK response====<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
====Step 3: ACK or RESET response====<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|thumb|right|500px|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were "echo + + >> /.rhosts". The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
== Detection ==<br />
There are no specific mechanisms to detect the Mitnick attack directly. However, a security analyst can combine several mechanisms to detect the attack indirectly. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
<br />
== Prevention==<br />
Nowadays, Mitnick attack is no longer practical because the security in networking field is way improved than before. However, preventing Mitnick attack is the least requirement a system must satisfy to be considered secure. It worths to mention that in the days of the attack, people (e.g. Tsutomu) used remote shell (RSH) instead of secure shell (SSH) like today.<br />
<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of easy-to-be-known weaknesses. After his attack, computer security was taken more seriously. New tools was developed to improve security in networking over the Internet. SSH (secure shell) is used to replace RSH (remote shell) which allowed data transfered insecurely.<br />
== References ==<br />
- [http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<BR><br />
- [http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<BR><br />
- [http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<BR><br />
- [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<BR><br />
- [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<BR><br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
==See also==<br />
Information Security Topics:<br />
- [[Piggybacking]]<BR><br />
- [[Security and Storage Mediums]]<BR><br />
- [[Random Number Generators and Information Security]]<BR><br />
- [[Biometric systems regarding security design principle]]<BR><br />
- [[Phishing]]<BR><br />
- [[Biometrics in Information Security]]<BR><br />
- [[Smart Card technology to prevent fraud]]<BR><br />
- [[Electronic Voting Systems]]<BR><br />
- [[Anti-spam Systems and Techniques]]<BR><br />
- [[Payment Card Industry Data Security Standard]]<BR><br />
- [[Operating Systems Security]]<BR><br />
- [[Autocomplete]]<BR><br />
- [[Social engineering]]<BR><br />
- [[Identity Theft]]<BR><br />
- [[Information security awareness]]<BR><br />
== External links ==<br />
- [http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<BR><br />
- [http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<BR><br />
<br />
QUANG LUONG<br />
Revised date: Dec 9 2007</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-09T22:38:10Z<p>Luongqt: /* Detection */</p>
<hr />
<div>Computer security is an important factor in our information world with Internet and digitally owned materials. Over the past twenty years, network security has evolved continuously. More secure implementations are invented to replace old less secure implementations. Kevin Mitnick was able to hack into Tsutomu Shimomura's X-Terminal computer thanks to early implementation of TCP connection, which was not really secure at that time. With a huge desire of curiosity, Mitnick did something that no one has ever done before him. He exploited the trusted relationship between two computers by performing man-in-the-middle attack under a spoofed identity. His attack made him the most famous hacker in United States of America.<br />
[[Image:Kevin mitnick FBI.gif|thumb|right|250px|Mitnick on FBI wanted list]]<br />
== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|frame|right|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in United States of America. He is an expert [[Social engineering]], which helped him to obtain many classified information used for his hacking habbit. In his early age, he was on the FBI most wanted cyber criminal list. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a [http://www.pccitizen.com/threewayhandshake.htm three-way handshake]. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
====Step 1: SYN request====<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
====Step 2: SYN/ACK response====<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
====Step 3: ACK or RESET response====<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|thumb|right|500px|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were "echo + + >> /.rhosts". The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
== Detection ==<br />
There are no specific mechanisms to detect the Mitnick attack directly. However, a security analyst can combine several mechanisms to detect the attack indirectly. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
<br />
== Prevention==<br />
Since now we know how Mitnick attacked Shimomura, we can easily prevent this kind of attack by simply randomize out TCP sequence number. However, nowadays Mitnick attack is no longer practical. Computer users use SSH instead of RSH like before.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of easy-to-be-known weaknesses. After his attack, computer security was taken more seriously. New tools was developed to improve security in networking over the Internet. SSH (secure shell) is used to replace RSH (remote shell) which allowed data transfered insecurely.<br />
== References ==<br />
- [http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<BR><br />
- [http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<BR><br />
- [http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<BR><br />
- [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<BR><br />
- [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<BR><br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
==See also==<br />
Information Security Topics:<br />
- [[Piggybacking]]<BR><br />
- [[Security and Storage Mediums]]<BR><br />
- [[Random Number Generators and Information Security]]<BR><br />
- [[Biometric systems regarding security design principle]]<BR><br />
- [[Phishing]]<BR><br />
- [[Biometrics in Information Security]]<BR><br />
- [[Smart Card technology to prevent fraud]]<BR><br />
- [[Electronic Voting Systems]]<BR><br />
- [[Anti-spam Systems and Techniques]]<BR><br />
- [[Payment Card Industry Data Security Standard]]<BR><br />
- [[Operating Systems Security]]<BR><br />
- [[Autocomplete]]<BR><br />
- [[Social engineering]]<BR><br />
- [[Identity Theft]]<BR><br />
- [[Information security awareness]]<BR><br />
== External links ==<br />
- [http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<BR><br />
- [http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<BR><br />
<br />
QUANG LUONG<br />
Revised date: Dec 9 2007</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-09T22:36:56Z<p>Luongqt: </p>
<hr />
<div>Computer security is an important factor in our information world with Internet and digitally owned materials. Over the past twenty years, network security has evolved continuously. More secure implementations are invented to replace old less secure implementations. Kevin Mitnick was able to hack into Tsutomu Shimomura's X-Terminal computer thanks to early implementation of TCP connection, which was not really secure at that time. With a huge desire of curiosity, Mitnick did something that no one has ever done before him. He exploited the trusted relationship between two computers by performing man-in-the-middle attack under a spoofed identity. His attack made him the most famous hacker in United States of America.<br />
[[Image:Kevin mitnick FBI.gif|thumb|right|250px|Mitnick on FBI wanted list]]<br />
== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|frame|right|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in United States of America. He is an expert [[Social engineering]], which helped him to obtain many classified information used for his hacking habbit. In his early age, he was on the FBI most wanted cyber criminal list. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a [http://www.pccitizen.com/threewayhandshake.htm three-way handshake]. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
====Step 1: SYN request====<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
====Step 2: SYN/ACK response====<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
====Step 3: ACK or RESET response====<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|thumb|right|500px|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were "echo + + >> /.rhosts". The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
Since now we know how Mitnick attacked Shimomura, we can easily prevent this kind of attack by simply randomize out TCP sequence number. However, nowadays Mitnick attack is no longer practical. Computer users use SSH instead of RSH like before.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of easy-to-be-known weaknesses. After his attack, computer security was taken more seriously. New tools was developed to improve security in networking over the Internet. SSH (secure shell) is used to replace RSH (remote shell) which allowed data transfered insecurely.<br />
== References ==<br />
- [http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<BR><br />
- [http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<BR><br />
- [http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<BR><br />
- [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<BR><br />
- [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<BR><br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
==See also==<br />
Information Security Topics:<br />
- [[Piggybacking]]<BR><br />
- [[Security and Storage Mediums]]<BR><br />
- [[Random Number Generators and Information Security]]<BR><br />
- [[Biometric systems regarding security design principle]]<BR><br />
- [[Phishing]]<BR><br />
- [[Biometrics in Information Security]]<BR><br />
- [[Smart Card technology to prevent fraud]]<BR><br />
- [[Electronic Voting Systems]]<BR><br />
- [[Anti-spam Systems and Techniques]]<BR><br />
- [[Payment Card Industry Data Security Standard]]<BR><br />
- [[Operating Systems Security]]<BR><br />
- [[Autocomplete]]<BR><br />
- [[Social engineering]]<BR><br />
- [[Identity Theft]]<BR><br />
- [[Information security awareness]]<BR><br />
== External links ==<br />
- [http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<BR><br />
- [http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<BR><br />
<br />
QUANG LUONG<br />
Revised date: Dec 9 2007</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-09T22:32:31Z<p>Luongqt: </p>
<hr />
<div>Computer security is an important factor in our information world with Internet and digitally owned materials. Over the past twenty years, network security has evolved continuously. More secure implementations are invented to replace old less secure implementations. Kevin Mitnick was able to hack into Tsutomu Shimomura's X-Terminal computer thanks to early implementation of TCP connection, which was not really secure at that time. With a huge desire of curiosity, Mitnick did something that no one has ever done before him. He exploited the trusted relationship between two computers by performing man-in-the-middle attack under a spoofed identity. His attack made him the most famous hacker in United States of America.<br />
[[Image:Kevin mitnick FBI.gif|thumb|right|250px|Mitnick on FBI wanted list]]<br />
== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|frame|right|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in United States of America. He is an expert [[Social engineering]], which helped him to obtain many classified information used for his hacking habbit. In his early age, he was on the FBI most wanted cyber criminal list. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a [http://www.pccitizen.com/threewayhandshake.htm three-way handshake]. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
====Step 1: SYN request====<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
====Step 2: SYN/ACK response====<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
====Step 3: ACK or RESET response====<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|thumb|right|500px|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were "echo + + >> /.rhosts". The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
Since now we know how Mitnick attacked Shimomura, we can easily prevent this kind of attack by simply randomize out TCP sequence number. However, nowadays Mitnick attack is no longer practical. Computer users use SSH instead of RSH like before.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of yet-to-be-known weaknesses. After his case, computer security was taken seriously. New tools was developing to improve security. SSH is used to replace RSH. UNIX systems are built with security in mind.<br />
== References ==<br />
- [http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<BR><br />
- [http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<BR><br />
- [http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<BR><br />
- [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<BR><br />
- [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<BR><br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
==See also==<br />
Information Security Topics:<br />
- [[Piggybacking]]<BR><br />
- [[Security and Storage Mediums]]<BR><br />
- [[Random Number Generators and Information Security]]<BR><br />
- [[Biometric systems regarding security design principle]]<BR><br />
- [[Phishing]]<BR><br />
- [[Biometrics in Information Security]]<BR><br />
- [[Smart Card technology to prevent fraud]]<BR><br />
- [[Electronic Voting Systems]]<BR><br />
- [[Anti-spam Systems and Techniques]]<BR><br />
- [[Payment Card Industry Data Security Standard]]<BR><br />
- [[Operating Systems Security]]<BR><br />
- [[Autocomplete]]<BR><br />
- [[Social engineering]]<BR><br />
- [[Identity Theft]]<BR><br />
- [[Information security awareness]]<BR><br />
== External links ==<br />
- [http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<BR><br />
- [http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<BR><br />
<br />
QUANG LUONG<br />
Revised date: Dec 9 2007</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:Kevin_mitnick_FBI.gifFile:Kevin mitnick FBI.gif2007-12-09T22:22:01Z<p>Luongqt: </p>
<hr />
<div></div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-09T22:21:05Z<p>Luongqt: </p>
<hr />
<div>Computer security is an important factor in our information world with Internet and digitally owned materials. Over the past twenty years, network security has evolved continuously. More secure implementations are invented to replace old less secure implementations. Kevin Mitnick was able to hack into Tsutomu Shimomura's X-Terminal computer thanks to early implementation of TCP connection, which was not really secure at that time. With a huge desire of curiosity, Mitnick did something that no one has ever done before him. He exploited the trusted relationship between two computers by performing man-in-the-middle attack under a spoofed identity. His attack made him the most famous hacker in United States of America.<br />
== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|frame|right|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in United States of America. He is an expert [[Social engineering]], which helped him to obtain many classified information used for his hacking habbit. In his early age, he was on the FBI most wanted cyber criminal list. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a [http://www.pccitizen.com/threewayhandshake.htm three-way handshake]. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
====Step 1: SYN request====<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
====Step 2: SYN/ACK response====<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
====Step 3: ACK or RESET response====<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|frame|right|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were "echo + + >> /.rhosts". The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
Since now we know how Mitnick attacked Shimomura, we can easily prevent this kind of attack by simply randomize out TCP sequence number. However, nowadays Mitnick attack is no longer practical. Computer users use SSH instead of RSH like before.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of yet-to-be-known weaknesses. After his case, computer security was taken seriously. New tools was developing to improve security. SSH is used to replace RSH. UNIX systems are built with security in mind.<br />
== References ==<br />
- [http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<BR><br />
- [http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<BR><br />
- [http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<BR><br />
- [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<BR><br />
- [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<BR><br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
==See also==<br />
Information Security Topics:<br />
- [[Piggybacking]]<BR><br />
- [[Security and Storage Mediums]]<BR><br />
- [[Random Number Generators and Information Security]]<BR><br />
- [[Biometric systems regarding security design principle]]<BR><br />
- [[Phishing]]<BR><br />
- [[Biometrics in Information Security]]<BR><br />
- [[Smart Card technology to prevent fraud]]<BR><br />
- [[Electronic Voting Systems]]<BR><br />
- [[Anti-spam Systems and Techniques]]<BR><br />
- [[Payment Card Industry Data Security Standard]]<BR><br />
- [[Operating Systems Security]]<BR><br />
- [[Autocomplete]]<BR><br />
- [[Social engineering]]<BR><br />
- [[Identity Theft]]<BR><br />
- [[Information security awareness]]<BR><br />
== External links ==<br />
- [http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<BR><br />
- [http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<BR><br />
<br />
QUANG LUONG<br />
Revised date: Dec 9 2007</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-04T20:09:10Z<p>Luongqt: </p>
<hr />
<div>Computer security is an important factor in our information world with Internet and digitally owned materials. Over the past twenty years, network security has evolved continuously. More secure implementations are invented to replace old less secure implementations. Kevin Mitnick was able to hack into Tsutomu Shimomura's X-Terminal computer thanks to early implementation of TCP connection, which was not really secure at that time. With a huge desire of curiosity, Mitnick did something that no one has ever done before him. He exploited the trusted relationship between two computers by performing man-in-the-middle attack under a spoofed identity. His attack made him the most famous hacker in United States of America.<br />
== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|frame|right|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in United States of America. He is an expert [[Social engineering]], which helped him to obtain many classified information used for his hacking habbit. In his early age, he was on the FBI most wanted cyber criminal list. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a [http://www.pccitizen.com/threewayhandshake.htm three-way handshake]. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
====Step 1: SYN request====<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
====Step 2: SYN/ACK response====<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
====Step 3: ACK or RESET response====<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|frame|right|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were "echo + + >> /.rhosts". The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
Since now we know how Mitnick attacked Shimomura, we can easily prevent this kind of attack by simply randomize out TCP sequence number. However, nowadays Mitnick attack is no longer practical. Computer users use SSH instead of RSH like before.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of yet-to-be-known weaknesses. After his case, computer security was taken seriously. New tools was developing to improve security. SSH is used to replace RSH. UNIX systems are built with security in mind.<br />
== References ==<br />
- [http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<BR><br />
- [http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<BR><br />
- [http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<BR><br />
- [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<BR><br />
- [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<BR><br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
==See also==<br />
Information Security Topics:<br />
- [[Piggybacking]]<BR><br />
- [[Security and Storage Mediums]]<BR><br />
- [[Random Number Generators and Information Security]]<BR><br />
- [[Biometric systems regarding security design principle]]<BR><br />
- [[Phishing]]<BR><br />
- [[Biometrics in Information Security]]<BR><br />
- [[Smart Card technology to prevent fraud]]<BR><br />
- [[Electronic Voting Systems]]<BR><br />
- [[Anti-spam Systems and Techniques]]<BR><br />
- [[Payment Card Industry Data Security Standard]]<BR><br />
- [[Operating Systems Security]]<BR><br />
- [[Autocomplete]]<BR><br />
- [[Social engineering]]<BR><br />
- [[Identity Theft]]<BR><br />
- [[Information security awareness]]<BR><br />
== External links ==<br />
- [http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<BR><br />
- [http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<BR></div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-04T20:06:01Z<p>Luongqt: </p>
<hr />
<div>Computer security is an important factor in our information world with Internet and digitally owned materials. Over the past twenty years, network security has evolved continuously. More secure implementations are invented to replace old less secure implementations. Kevin Mitnick was able to hack into Tsutomu Shimomura's X-Terminal computer thanks to early implementation of TCP connection, which was not really secure at that time. With a huge desire of curiosity, Mitnick did something that no one has ever done before him. He exploited the trusted relationship between two computers by performing man-in-the-middle attack under a spoofed identity. His attack made him the most famous hacker in United States of America.<br />
== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|frame|right|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in United States of America. He is an expert [[Social engineering]], which helped him to obtain many classified information used for his hacking habbit. In his early age, he was on the FBI most wanted cyber criminal list. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a [http://www.pccitizen.com/threewayhandshake.htm three-way handshake]. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
====Step 1: SYN request====<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
====Step 2: SYN/ACK response====<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
====Step 3: ACK or RESET response====<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|frame|right|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were "echo + + >> /.rhosts". The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
Since now we know how Mitnick attacked Shimomura, we can easily prevent this kind of attack by simply randomize out TCP sequence number. However, nowadays Mitnick attack is no longer practical. Computer users use SSH instead of RSH like before.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of yet-to-be-known weaknesses. After his case, computer security was taken seriously. New tools was developing to improve security. SSH is used to replace RSH. UNIX systems are built with security in mind.<br />
== Further readings ==<br />
- [http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<BR><br />
- [http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<BR><br />
- [http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<BR><br />
- [http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<BR><br />
- [http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<br />
== External links ==<br />
- [http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<BR><br />
- [http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<BR><br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
==Other information security topics==<br />
- [[Piggybacking]]<BR><br />
- [[Security and Storage Mediums]]<BR><br />
- [[Random Number Generators and Information Security]]<BR><br />
- [[Biometric systems regarding security design principle]]<BR><br />
- [[Phishing]]<BR><br />
- [[Biometrics in Information Security]]<BR><br />
- [[Smart Card technology to prevent fraud]]<BR><br />
- [[Electronic Voting Systems]]<BR><br />
- [[Anti-spam Systems and Techniques]]<BR><br />
- [[Payment Card Industry Data Security Standard]]<BR><br />
- [[Operating Systems Security]]<BR><br />
- [[Autocomplete]]<BR><br />
- [[Social engineering]]<BR><br />
- [[Identity Theft]]<BR><br />
- [[Information security awareness]]<BR></div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-04T17:40:58Z<p>Luongqt: </p>
<hr />
<div>== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|frame|right|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in US. He hacked into [http://en.wikipedia.org/wiki/Tsutomu_Shimomura Tsutomu Shimomura]'s computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
== Overview ==<br />
Kevin Mitnick used [http://en.wikipedia.org/wiki/Ip_spoofing IP spoofing], [http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Using_TCP TCP(Internet Protocol Suite) sequence number] prediction to gain access control of target's computer. The Mitnick attack is a form of [http://en.wikipedia.org/wiki/Man_in_the_middle Man-in-the-middle attack]. It corrupted the [http://www.pccitizen.com/threewayhandshake.htm three-way handshake].<br />
<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a three-way handshake. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
<br />
Step 1: SYN request<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
<br />
Step 2: SYN/ACK response<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
<br />
Step 3: ACK or RESET response<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|frame|right|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were echo + + >> /.rhosts. The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
Since now we know how Mitnick attacked Shimomura, we can easily prevent this kind of attack by simply randomize out TCP sequence number. However, nowadays Mitnick attack is no longer practical. Computer users use SSH instead of RSH like before.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of yet-to-be-known weaknesses. After his case, computer security was taken seriously. New tools was developing to improve security. SSH is used to replace RSH. UNIX systems are built with security in mind.<br />
<br />
== Further readings ==<br />
[http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<br />
<br />
[http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<br />
<br />
[http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<br />
<br />
[http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<br />
<br />
[http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<br />
<br />
== External links ==<br />
[http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<br />
<br />
[http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<br />
<br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
<br />
==Other information security topics==<br />
[[Piggybacking]]<BR><br />
[[Security and Storage Mediums]]<BR><br />
[[Random Number Generators and Information Security]]<BR><br />
[[Biometric systems regarding security design principle]]<BR><br />
[[Phishing]]<BR><br />
[[Biometrics in Information Security]]<BR><br />
[[Smart Card technology to prevent fraud]]<BR><br />
[[Electronic Voting Systems]]<BR><br />
[[Anti-spam Systems and Techniques]]<BR><br />
[[Payment Card Industry Data Security Standard]]<BR><br />
[[Operating Systems Security]]<BR><br />
[[Autocomplete]]<BR><br />
[[Social engineering]]<BR><br />
[[Identity Theft]]<BR><br />
[[Information security awareness]]<BR></div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-04T17:39:52Z<p>Luongqt: </p>
<hr />
<div>== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|frame|right|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in US. He hacked into [http://en.wikipedia.org/wiki/Tsutomu_Shimomura Tsutomu Shimomura]'s computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
== Overview ==<br />
Kevin Mitnick used [http://en.wikipedia.org/wiki/Ip_spoofing IP spoofing], [http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Using_TCP TCP(Internet Protocol Suite) sequence number] prediction to gain access control of target's computer. The Mitnick attack is a form of [http://en.wikipedia.org/wiki/Man_in_the_middle Man-in-the-middle attack]. It corrupted the [http://www.pccitizen.com/threewayhandshake.htm three-way handshake].<br />
<br />
==Three-way handshake==<br />
If there is a trusted relationship between two computers (e.g. server and client), a connection can be established by a three-way handshake. In the Mitnick attack, the three-way handshake used TCP sequence number and IP address as proof for identity and signature. Three-way handshake has three steps:<br />
<br />
Step 1: SYN request<br />
Computer A sends a SYN request under its IP address with a random TCP sequence number xA to computer B.<br />
<br />
Step 2: SYN/ACK response<br />
Computer B sends an ACK response with number (xA+1) and its own random TCP sequence number xB back to computer A.<br />
<br />
Step 3: ACK or RESET response<br />
If computer A wants to establish the connection, it sends an ACK response with number (xB+1) back to computer B. Otherwise, it sends a RESET response to drop the connection request.<br />
<br />
==The attack==<br />
[[Image:Mitnickattack.JPG|frame|right|The Mitnick attack]]<br />
The Mitnick attack has five general steps:<br />
====Step 1: Information gathering====<br />
Before the attack, Mitnick was able to determine the TCP sequence number generator’s behavior of X-Terminal and a trusted relationship between X-Terminal and Server.<br />
======Determine the TCP sequence number generator’s behavior======<br />
Mitnick sent SYN request to X-Terminal and received SYN/ACK response. Then he sent RESET response to keep the X-Terminal from being filled up. He repeated this for twenty times. He found there is a pattern between two successive TCP sequence numbers. It turned out that the numbers were not random at all. The latter number was greater than the previous one by 128000.<br />
======Determine a trusted relationship between X-Terminal and Server======<br />
Before the attack, Mitnick hacked into Shimomura’s website. He used command finger and showmount to find if X-Terminal had trusted relationship with any other computers.<br />
====Step 2: The flood====<br />
Mitnick kept the Server muted by filling the Server up with half-open SYN requests from spoofed IP address. To create half-open SYN requests, he used routable but not active IP address. Because he had no intention to complete three-way handshake with the Server, half-open SYN request occupied the Server’s memory faster. The result is that the Server could not respond to any other requests. This is a type of Denial of Service attack.<br />
====Step 3: Trusted relationship hijacking====<br />
Mitnick sent a SYN request to X-Terminal with spoofed IP address as the Server. He used an arbitrary number as the Server’s TCP sequence number. X-Terminal sent a SYN/ACK response to the Server. Because the Server was muted, it did not receive the SYN/ACK response. As mentioned in the information gathering step, Mitnick was able to generate the TCP sequence number that X-Terminal created for the Server. Mitnick, again spoofed his IP as the Server’s IP, sent an ACK response to X-Terminal to finish three-way handshake. Because the returned TCP sequence number was correct, X-Terminal allowed Mitnick connect to it. The connection was established. Shimomura’s computer was considered hacked by finishing this step.<br />
====Step 4: Remote command pump====<br />
Mitnick wanted to create a backdoor on Shimomura computer so that he could come back later without repeating the hijack. He pumped commands from his computer to Shimomura’s computer. To be precise, they were echo + + >> /.rhosts. The ++ allowed any computers connect to X-Terminal without being verified.<br />
====Step 5: Clean up====<br />
Mitnick sent RESET responses to the Server to cancel all his SYN requests. The Server was freed.<br />
<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
Since now we know how Mitnick attacked Shimomura, we can easily prevent this kind of attack by simply randomize out TCP sequence number. However, nowadays Mitnick attack is no longer practical. Computer users use SSH instead of RSH like before.<br />
==Comments==<br />
The Mitnick attack was a classic case. Mitnick took advantage of yet-to-be-known weaknesses. After his case, computer security was taken seriously. New tools was developing to improve security. SSH is used to replace RSH. UNIX systems are built with security in mind.<br />
<br />
== Further readings ==<br />
[http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<br />
<br />
[http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<br />
<br />
[http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<br />
<br />
[http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<br />
<br />
[http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attacker)]<br />
<br />
== External links ==<br />
[http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<br />
<br />
[http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<br />
<br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']<br />
<br />
==Other information security topics==</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:Mitnickattack.JPGFile:Mitnickattack.JPG2007-12-04T17:29:03Z<p>Luongqt: </p>
<hr />
<div></div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-12-03T02:11:57Z<p>Luongqt: </p>
<hr />
<div>== Who is Mitnick? ==<br />
[[Image:kevinmitnick.jpg|frame|right|Kevin Mitnick]]<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in US. He hacked into [http://en.wikipedia.org/wiki/Tsutomu_Shimomura Tsutomu Shimomura]'s computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
== Overview ==<br />
Kevin Mitnick used [http://en.wikipedia.org/wiki/Ip_spoofing IP spoofing], [http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Using_TCP TCP(Internet Protocol Suite) sequence number] prediction to gain access control of target's computer. The Mitnick attack is a form of [http://en.wikipedia.org/wiki/Man_in_the_middle Man-in-the-middle attack]. It corrupted the [http://www.pccitizen.com/threewayhandshake.htm three-way handshake].<br />
<br />
== How did it happpen? ==<br />
==== Preparation ====<br />
First, Mitnick had to determine if there is a trusted connection between the target and any servers that it is connected to. Mitnick was able to predict the sequence number in the [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP] header of the SYN/ACK packet. Being able to predict the sequence number allowed Mitnick to validate himself as the server.<br />
<br />
==== Step 1: SYN flooding ====<br />
Mitnick sent SYN packets with fake IP address to the server continuously to keep the server from responding to genuine requests. When the server is flooded, it is considered muted, which means it cannot respond to any other requests. <br />
<br />
==== Step 2: Hijacking ====<br />
Mitnick spoofed the server's IP address and sent a request to ebtablish a connection with the target.<br />
<br />
Mitnick -----SYN-----> target : "I am your server and I want to connect to you"<br />
<br />
The target accepted his request and demanded a three-way TCP connection handshake to validate the identity. To perform a three-way handshake, the target sent an SYN/ACK packet to the server.<br />
<br />
target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."<br />
<br />
There are two cases now.<br />
<br />
1. If the server did send a request, it would send back an ACK packet to the server. A trusted connection is established.<br />
target <-----ACK----- server : "Yes, I confirm. Let's connect!"<br />
<br />
2. If the server did not send a request, it would send back a RST packet(RESET packet) to the server. The connection is dropped.<br />
target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."<br />
<br />
Apparently, the server, which was being muted, could not send a RST packet to the target. This is where Mitnick sent an ACK packet to the target and completed three-way handshake.<br />
Mitnick -----ACK----->target : "Yes, I confirm. Let's connect!"<br />
The one way connectiong is established. Now the target was connected to Mitnick and would allow him to run any commands on the target.<br />
<br />
[http://img527.imageshack.us/img527/8462/86297598yt9.png Mitnick Attack Graph]<br />
==== Step 3: Cleaning up ====<br />
After successfully hacking into the target, he didn't want any attentions by keeping other users from logging into the server by sending out a series of RSTs to stop flooding the server.<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
The Mitnick attack was possible due to weaknesses in early implementation of TCP<br />
== Further readings ==<br />
[http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<br />
<br />
[http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<br />
<br />
[http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<br />
<br />
[http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<br />
<br />
[http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attaker)]<br />
<br />
== External links ==<br />
[http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<br />
<br />
[http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<br />
<br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:Kevinmitnick.jpgFile:Kevinmitnick.jpg2007-12-03T02:04:35Z<p>Luongqt: </p>
<hr />
<div></div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/File:Shimomura.jpgFile:Shimomura.jpg2007-12-03T02:02:57Z<p>Luongqt: </p>
<hr />
<div></div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-11-18T05:45:29Z<p>Luongqt: </p>
<hr />
<div>== Who is Mitnick? ==<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in US. He hacked into [http://en.wikipedia.org/wiki/Tsutomu_Shimomura Tsutomu Shimomura]'s computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
== Overview ==<br />
Kevin Mitnick used [http://en.wikipedia.org/wiki/Ip_spoofing IP spoofing], [http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Using_TCP TCP(Internet Protocol Suite) sequence number] prediction to gain access control of target's computer. The Mitnick attack is a form of [http://en.wikipedia.org/wiki/Man_in_the_middle Man-in-the-middle attack]. It corrupted the [http://www.pccitizen.com/threewayhandshake.htm three-way handshake].<br />
<br />
== How did it happpen? ==<br />
==== Preparation ====<br />
First, Mitnick had to determine if there is a trusted connection between the target and any servers that it is connected to. Mitnick was able to predict the sequence number in the [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP] header of the SYN/ACK packet. Being able to predict the sequence number allowed Mitnick to validate himself as the server.<br />
<br />
==== Step 1: SYN flooding ====<br />
Mitnick sent SYN packets with fake IP address to the server continuously to keep the server from responding to genuine requests. When the server is flooded, it is considered muted, which means it cannot respond to any other requests. <br />
<br />
==== Step 2: Hijacking ====<br />
Mitnick spoofed the server's IP address and sent a request to ebtablish a connection with the target.<br />
<br />
Mitnick -----SYN-----> target : "I am your server and I want to connect to you"<br />
<br />
The target accepted his request and demanded a three-way TCP connection handshake to validate the identity. To perform a three-way handshake, the target sent an SYN/ACK packet to the server.<br />
<br />
target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."<br />
<br />
There are two cases now.<br />
<br />
1. If the server did send a request, it would send back an ACK packet to the server. A trusted connection is established.<br />
target <-----ACK----- server : "Yes, I confirm. Let's connect!"<br />
<br />
2. If the server did not send a request, it would send back a RST packet(RESET packet) to the server. The connection is dropped.<br />
target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."<br />
<br />
Apparently, the server, which was being muted, could not send a RST packet to the target. This is where Mitnick sent an ACK packet to the target and completed three-way handshake.<br />
Mitnick -----ACK----->target : "Yes, I confirm. Let's connect!"<br />
The one way connectiong is established. Now the target was connected to Mitnick and would allow him to run any commands on the target.<br />
<br />
[http://img527.imageshack.us/img527/8462/86297598yt9.png Mitnick Attack Graph]<br />
==== Step 3: Cleaning up ====<br />
After successfully hacking into the target, he didn't want any attentions by keeping other users from logging into the server by sending out a series of RSTs to stop flooding the server.<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
The Mitnick attack was possible due to weaknesses in early implementation of TCP<br />
== Further readings ==<br />
[http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<br />
<br />
[http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<br />
<br />
[http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<br />
<br />
[http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<br />
<br />
[http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attaker)]<br />
<br />
== External links ==<br />
[http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<br />
<br />
[http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<br />
<br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-11-12T23:39:40Z<p>Luongqt: </p>
<hr />
<div>== Who is Mitnick? ==<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in US. He hacked into [http://en.wikipedia.org/wiki/Tsutomu_Shimomura Tsutomu Shimomura]'s computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
== Overview ==<br />
Kevin Mitnick used [http://en.wikipedia.org/wiki/Ip_spoofing IP spoofing], [http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Using_TCP TCP(Internet Protocol Suite) sequence number] prediction to gain access control of target's computer. The Mitnick attack is a form of [http://en.wikipedia.org/wiki/Man_in_the_middle Man-in-the-middle attack]. It corrupted the [http://www.pccitizen.com/threewayhandshake.htm three-way handshake].<br />
<br />
== How did it happpen? ==<br />
==== Preparation ====<br />
First, Mitnick had to determine if there is a trusted connection between the target and any servers that it is connected to. Mitnick was able to predict the sequence number in the [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP] header of the SYN/ACK packet. Being able to predict the sequence number allowed Mitnick to validate himself as the server.<br />
<br />
==== Step 1: SYN flooding ====<br />
Mitnick sent SYN packets with fake IP address to the server continuously to keep the server from responding to genuine requests. When the server is flooded, it is considered muted, which means it cannot respond to any other requests. <br />
<br />
==== Step 2: Hijacking ====<br />
Mitnick spoofed the server's IP address and sent a request to ebtablish a connection with the target.<br />
<br />
Mitnick -----SYN-----> target : "I am your server and I want to connect to you"<br />
<br />
The target accepted his request and demanded a three-way TCP connection handshake to validate the identity. To perform a three-way handshake, the target sent an SYN/ACK packet to the server.<br />
<br />
target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."<br />
<br />
There are two cases now.<br />
<br />
1. If the server did send a request, it would send back an ACK packet to the server. A trusted connection is established.<br />
target <-----ACK----- server : "Yes, I confirm. Let's connect!"<br />
<br />
2. If the server did not send a request, it would send back a RST packet(RESET packet) to the server. The connection is dropped.<br />
target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."<br />
<br />
Apparently, the server, which was being muted, could not send a RST packet to the target. This is where Mitnick sent an ACK packet to the target and completed three-way handshake.<br />
Mitnick -----ACK----->target : "Yes, I confirm. Let's connect!"<br />
The one way connectiong is established. Now the target was connected to Mitnick and would allow him to run any commands on the target.<br />
==== Step 3: Cleaning up ====<br />
After successfully hacking into the target, he didn't want any attentions by keeping other users from logging into the server by sending out a series of RSTs to stop flooding the server.<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
The Mitnick attack was possible due to weaknesses in early implementation of TCP<br />
== Further readings ==<br />
[http://en.wikipedia.org/wiki/Transport_Control_Protocol Transport control protocol]<br />
<br />
[http://en.wikipedia.org/wiki/Ip_spoofing IP address spoofing]<br />
<br />
[http://en.wikipedia.org/wiki/OSI_model Open Systems Interconnection Basic Reference Model (OSI Model)]<br />
<br />
[http://en.wikipedia.org/wiki/Tsutomu Tsutomu Shimomura (the victim of the attack)]<br />
<br />
[http://en.wikipedia.org/wiki/Kevin_Mitnick Kevin Mitnick (the attaker)]<br />
<br />
== External links ==<br />
[http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<br />
<br />
[http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<br />
<br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-11-12T23:34:10Z<p>Luongqt: /* External links */</p>
<hr />
<div>== Who is Mitnick? ==<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in US. He hacked into [http://en.wikipedia.org/wiki/Tsutomu_Shimomura Tsutomu Shimomura]'s computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
== Overview ==<br />
Kevin Mitnick used [http://en.wikipedia.org/wiki/Ip_spoofing IP spoofing], [http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Using_TCP TCP(Internet Protocol Suite) sequence number] prediction to gain access control of target's computer. The Mitnick attack is a form of [http://en.wikipedia.org/wiki/Man_in_the_middle Man-in-the-middle attack]. It corrupted the [http://www.pccitizen.com/threewayhandshake.htm three-way handshake].<br />
<br />
== How did it happpen? ==<br />
==== Preparation ====<br />
First, Mitnick had to determine if there is a trusted connection between the target and any servers that it is connected to. Mitnick was able to predict the sequence number in the [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP] header of the SYN/ACK packet. Being able to predict the sequence number allowed Mitnick to validate himself as the server.<br />
<br />
==== Step 1: SYN flooding ====<br />
Mitnick sent SYN packets with fake IP address to the server continuously to keep the server from responding to genuine requests. When the server is flooded, it is considered muted, which means it cannot respond to any other requests. <br />
<br />
==== Step 2: Hijacking ====<br />
Mitnick spoofed the server's IP address and sent a request to ebtablish a connection with the target.<br />
<br />
Mitnick -----SYN-----> target : "I am your server and I want to connect to you"<br />
<br />
The target accepted his request and demanded a three-way TCP connection handshake to validate the identity. To perform a three-way handshake, the target sent an SYN/ACK packet to the server.<br />
<br />
target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."<br />
<br />
There are two cases now.<br />
<br />
1. If the server did send a request, it would send back an ACK packet to the server. A trusted connection is established.<br />
target <-----ACK----- server : "Yes, I confirm. Let's connect!"<br />
<br />
2. If the server did not send a request, it would send back a RST packet(RESET packet) to the server. The connection is dropped.<br />
target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."<br />
<br />
Apparently, the server, which was being muted, could not send a RST packet to the target. This is where Mitnick sent an ACK packet to the target and completed three-way handshake.<br />
Mitnick -----ACK----->target : "Yes, I confirm. Let's connect!"<br />
The one way connectiong is established. Now the target was connected to Mitnick and would allow him to run any commands on the target.<br />
==== Step 3: Cleaning up ====<br />
After successfully hacking into the target, he didn't want any attentions by keeping other users from logging into the server by sending out a series of RSTs to stop flooding the server.<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
The Mitnick attack was possible due to weaknesses in early implementation of TCP<br />
== External links ==<br />
[http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]<br />
<br />
[http://hack.pl/gfx/wywiady/Kevin_Mitnick.jpg Kevin Mitnick picture]<br />
<br />
Amazon.com: [http://www.amazon.com/Network-Intrusion-Detection-Analysts-Handbook/dp/0735708681 '''Network intrusion detection, an analyst's handbook''' by ''Stephen Northcutt'']</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-11-12T23:28:35Z<p>Luongqt: </p>
<hr />
<div>== Who is Mitnick? ==<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in US. He hacked into [http://en.wikipedia.org/wiki/Tsutomu_Shimomura Tsutomu Shimomura]'s computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
== Overview ==<br />
Kevin Mitnick used [http://en.wikipedia.org/wiki/Ip_spoofing IP spoofing], [http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Using_TCP TCP(Internet Protocol Suite) sequence number] prediction to gain access control of target's computer. The Mitnick attack is a form of [http://en.wikipedia.org/wiki/Man_in_the_middle Man-in-the-middle attack]. It corrupted the [http://www.pccitizen.com/threewayhandshake.htm three-way handshake].<br />
<br />
== How did it happpen? ==<br />
==== Preparation ====<br />
First, Mitnick had to determine if there is a trusted connection between the target and any servers that it is connected to. Mitnick was able to predict the sequence number in the [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP] header of the SYN/ACK packet. Being able to predict the sequence number allowed Mitnick to validate himself as the server.<br />
<br />
==== Step 1: SYN flooding ====<br />
Mitnick sent SYN packets with fake IP address to the server continuously to keep the server from responding to genuine requests. When the server is flooded, it is considered muted, which means it cannot respond to any other requests. <br />
<br />
==== Step 2: Hijacking ====<br />
Mitnick spoofed the server's IP address and sent a request to ebtablish a connection with the target.<br />
<br />
Mitnick -----SYN-----> target : "I am your server and I want to connect to you"<br />
<br />
The target accepted his request and demanded a three-way TCP connection handshake to validate the identity. To perform a three-way handshake, the target sent an SYN/ACK packet to the server.<br />
<br />
target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."<br />
<br />
There are two cases now.<br />
<br />
1. If the server did send a request, it would send back an ACK packet to the server. A trusted connection is established.<br />
target <-----ACK----- server : "Yes, I confirm. Let's connect!"<br />
<br />
2. If the server did not send a request, it would send back a RST packet(RESET packet) to the server. The connection is dropped.<br />
target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."<br />
<br />
Apparently, the server, which was being muted, could not send a RST packet to the target. This is where Mitnick sent an ACK packet to the target and completed three-way handshake.<br />
Mitnick -----ACK----->target : "Yes, I confirm. Let's connect!"<br />
The one way connectiong is established. Now the target was connected to Mitnick and would allow him to run any commands on the target.<br />
==== Step 3: Cleaning up ====<br />
After successfully hacking into the target, he didn't want any attentions by keeping other users from logging into the server by sending out a series of RSTs to stop flooding the server.<br />
== Detection ==<br />
There is no specific mechanism to detect the Mitnick attack. However, a security analyst can combine several mechanisms to detect the attack. Basically, the attack can be detected by both network-based and host-based intrusion detection systems ([http://en.wikipedia.org/wiki/Intrusion_detection_system IDS]). For network-based IDS, port scan and host scan can be used to detect a potential attack. For host-based IDS, the attack can be detected using two commonly used UNIX tool, ''TCP wrappers'' and ''tripwire''. For further details, refer to the book '''Network Intrusion Detection, an analyst's hand book''' by ''Stephen Northcutt'' (ISBN: 0-7357-0868-1)<br />
== Prevention==<br />
The Mitnick attack was possible due to weaknesses in early implementation of TCP<br />
== External links ==<br />
[http://www.youtube.com/watch?v=8_VYWefmy34 An interview with Mitnick]</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-11-10T20:59:19Z<p>Luongqt: </p>
<hr />
<div>== Who is Mitnick? ==<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in US. He hacked into [http://en.wikipedia.org/wiki/Tsutomu_Shimomura Tsutomu Shimomura]'s computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons. Now he is a security consultant in his own firm [http://www.mitnicksecurity.com/index.php Mitnick Security Consulting].<br />
== Overview ==<br />
Kevin Mitnick used [http://en.wikipedia.org/wiki/Ip_spoofing IP spoofing], [http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Using_TCP TCP(Internet Protocol Suite) sequence number] prediction to gain access control of target's computer. The Mitnick attack is a form of [http://en.wikipedia.org/wiki/Man_in_the_middle Man-in-the-middle attack]. It corrupted the [http://www.pccitizen.com/threewayhandshake.htm three-way handshake].<br />
<br />
== How did it happpen? ==<br />
==== Preparation ====<br />
First, Mitnick had to determine if there is a trusted connection between the target and any servers that it is connected to. Mitnick was able to predict the sequence number in the [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP] header of the SYN/ACK packet. Being able to predict the sequence number allowed Mitnick to validate himself as the server.<br />
<br />
==== Step 1: SYN flooding ====<br />
Mitnick sent SYN packets with fake IP address to the server continuously to keep the server from responding to genuine requests. When the server is flooded, it is considered muted, which means it cannot respond to any other requests. <br />
<br />
==== Step 2: Hijacking ====<br />
Mitnick spoofed the server's IP address and sent a request to ebtablish a connection with the target.<br />
<br />
Mitnick -----SYN-----> target : "I am your server and I want to connect to you"<br />
<br />
The target accepted his request and demanded a three-way TCP connection handshake to validate the identity. To perform a three-way handshake, the target sent an SYN/ACK packet to the server.<br />
<br />
target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."<br />
<br />
There are two cases now.<br />
<br />
1. If the server did send a request, it would send back an ACK packet to the server. A trusted connection is established.<br />
target <-----ACK----- server : "Yes, I confirm. Let's connect!"<br />
<br />
2. If the server did not send a request, it would send back a RST packet(RESET packet) to the server. The connection is dropped.<br />
target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."<br />
<br />
Apparently, the server, which was being muted, could not send a RST packet to the target. This is where Mitnick sent an ACK packet to the target and completed three-way handshake.<br />
Mitnick -----ACK----->target : "Yes, I confirm. Let's connect!"<br />
The one way connectiong is established. Now the target was connected to Mitnick and would allow him to run any commands on the target.<br />
==== Step 3: Cleaning up ====<br />
After successfully hacking into the target, he didn't want any attentions by keeping other users from logging into the server by sending out a series of RSTs to stop flooding the server.</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-11-10T20:36:25Z<p>Luongqt: </p>
<hr />
<div>== Who is Mitnick? ==<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in US. He hacked into [http://en.wikipedia.org/wiki/Tsutomu_Shimomura Tsutomu Shimomura]'s computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons.<br />
== Overview ==<br />
Kevin Mitnick used [http://en.wikipedia.org/wiki/Ip_spoofing IP spoofing], [http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Using_TCP TCP sequence number] prediction to gain access control of target's computer. The Mitnick attack is a form of [http://en.wikipedia.org/wiki/Man_in_the_middle Man-in-the-middle attack]. It corrupted the [http://www.pccitizen.com/threewayhandshake.htm three-way handshake].<br />
<br />
== How did it happpen? ==<br />
First, Mitnick had to determine if there is a trusted connection between the target and any servers that it is connected to. If there is, he now can start the attack.<br />
==== Preparation ====<br />
Mitnick was able to predict the sequence number in the TCP header of the SYN/ACK packet. Being able to predict the sequence number allowed Mitnick to validate himself as the server.<br />
<br />
==== Step 1: SYN flooding ====<br />
Mitnick sent SYN packets with fake IP address to the server continuously to keep the server from responding to genuine requests.<br />
<br />
==== Step 2: Hijacking ====<br />
Mitnick spoofed the server's IP address and sent a request to ebtablish a connection with the target.<br />
<br />
Mitnick -----SYN-----> target : "I am your server and I want to connect to you"<br />
<br />
The target accepted his request and demanded a three-way TCP connection handshake to validate the identity. To perform a three-way handshake, the target sent an SYN/ACK packet to the server.<br />
<br />
target -----SYN/ACK-----> server : "You requested a connection. Now I want to confirm that. Send me your confirmation please."<br />
<br />
There are two cases now.<br />
<br />
1. If the server did send a request, it would send back an ACK packet to the server. A trusted connection is established.<br />
target <-----ACK----- server : "Yes, I confirm. Let's connect!"<br />
<br />
2. If the server did not send a request, it would send back a RST packet(RESET packet) to the server. The connection is dropped.<br />
target <-----RST----- server : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."<br />
<br />
Apparently, the server, which was being muted, could not send a RST packet to the target. This is where Mitnick sent an ACK packet to the target and completed three-way handshake.<br />
Mitnick -----ACK----->target : "Yes, I confirm. Let's connect!"<br />
The one way connectiong is established. Now the target was connected to Mitnick and would allow him to run any commands on the target.<br />
==== Step 3: Cleaning up ====<br />
After successfully hacking into the target, he didn't want any attentions by keeping other users from logging into the server by sending out a series of RSTs to stop flooding the server.</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-11-10T19:44:38Z<p>Luongqt: </p>
<hr />
<div>== Who is Mitnick? ==<br />
[http://en.wikipedia.org/wiki/Mitnick Kevin Mitnick](born October 6, 1963) is known as "the most famous" hacker in US. He hacked into [http://en.wikipedia.org/wiki/Tsutomu_Shimomura Tsutomu Shimomura]'s computer(referred as the target) to steal information on December 25, 1994. He was captured by the FBI with the aid of Tsutomu and sentenced 5 years in prisons.<br />
== Overview ==<br />
The Mitnick attack exploited the weakness of [http://en.wikipedia.org/wiki/Remote_Shell rsh] using [http://en.wikipedia.org/wiki/Ip_spoofing IP spoofing] and [http://en.wikipedia.org/wiki/Transmission_Control_Protocol#Using_TCP TCP sequence number] prediction to gain access control of target's cmputer.<br />
<br />
== How can it happpen? ==<br />
First, Mitnick had to determine if there is a trusted connection between the target and any servers that it is connected to. If there is, he now can start the attack.<br />
<br />
== Step 1: IP spoofing (I am Tsutomu!)==<br />
Mitnick spoofed Tsutomu's IP address and sent a request to ebtablish a connection with the server.<br />
<br />
Mitnick -----SYN-----> server : "I am Tsutomu and I want to connect to you"<br />
<br />
The server accepted his request and demanded a three-way TCP connection handshake to validate the identity. To perform a three-way handshake, the server sent an SYN/ACK packet to the target's IP address.<br />
<br />
server -----SYN/ACK-----> target : "You requested a connection. Now I want to confirm that. Send me your confirmation please."<br />
<br />
There are two cases now.<br />
<br />
1. If the target did send a request, it would send back an ACK packet to the server. A trusted connection is established.<br />
server <-----ACK----- target : "Yes, I confirm. Let's connect!"<br />
<br />
2. If the target did not send a request, it would send back a RST packet(RESET packet) to the server. The connection is dropped.<br />
server <-----RST----- target : "Sorry, I did not request it. There must be a mistake. Please drop the connection now."</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_mitnick_attackThe mitnick attack2007-11-03T04:31:49Z<p>Luongqt: The mitnick attack moved to The Mitnick attack: capitalize name</p>
<hr />
<div>#REDIRECT [[The Mitnick attack]]</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-11-03T04:31:49Z<p>Luongqt: The mitnick attack moved to The Mitnick attack: capitalize name</p>
<hr />
<div>An attack by Kevin Mitnick.</div>Luongqthttp://wiki.cas.mcmaster.ca/index.php/The_Mitnick_attackThe Mitnick attack2007-11-03T04:30:35Z<p>Luongqt: New page: An attack by Kevin Mitnick.</p>
<hr />
<div>An attack by Kevin Mitnick.</div>Luongqt