Go4Expert (http://www.go4expert.com/)
TCP/IP & UDP Attacks (http://www.go4expert.com/articles/tcp-ip-udp-attacks-t7722/)

SpOonWiZaRd 5Dec2007 20:13

TCP/IP & UDP Attacks
 
I hope you have read the previous article I wrote on the different types of attacks you get as a whole and liked it. This article will cover the most common TCP and UDP attacks. I will therefore cover the following TCP attacks:
  1. TCP SYN or TCP ACK Flood Attack
  2. TCP Sequence Number Attack
  3. TCP/IP Hijacking

The following UDP attacks:
  1. ICMP Attacks
  2. Smurf Attacks
  3. ICMP Tunneling

TCP operates using synchronized connections. The synchronization is vulnerable to attack; this is probably the most common attack used today. The synchronization or handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as the TCP SYN Flood attack. The process is also susceptible to access and modification attacks, which are briefly explained in the following sections.

TCP SYN or TCP ACK Flood Attack - This attack is very common... The purpose of this attack is to deny service. The attack begins as a normal TCP connection: the client and the server exchange information in TCP packets. The TCP client continues to send ACK packets to the server; these ACK packets tell the server that a connection is requested. The server thus responds to the client with an ACK packet, and the client is supposed to respond with another packet accepting the connection to establish the session. In this attack the client continually sends and receives the ACK packets but it does not open the session. The server holds these sessions open, awaiting the final packet in the sequence. This causes the server to fill up the available connections and denies any requesting clients access.

TCP Sequence Number Attack - This is when the attacker takes control of one end of a TCP session. The goal of this attack is to kick the attacked end off the network for the duration of the session. Only then will the attack be successful. Each time a TCP message is sent, the client or the server generates a sequence number. The attacker intercepts and then responds with a sequence number similar to the one used in the original session. This attack can then hijack or disrupt a session. If a valid sequence number is guessed, the attacker can place himself between the client and the server. The attacker gains the connection and the data from the legitimate system. The only defense against such an attack is to know that it's occurring... There is little that can be done...

TCP Hijacking - This is also called active sniffing; it involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.

UDP packets aren't connection oriented and don't require the synchronization process as with TCP. UDP packets, however, are susceptible to interception, thus they can be attacked. UDP, like TCP, doesn't check the validity of an IP address. The nature of this layer is to trust the layer below it (I'm referring to the IP layer). The most common UDP attacks involve UDP flooding. UDP flooding overloads services, networks, and servers. Large streams of UDP packets are focused at a target, causing UDP services on that host to shut down. It can also overload the network and cause a DoS situation to occur.

ICMP Attacks - These occur by triggering a response from the ICMP protocol when it responds to a seemingly legitimate request (think of it as echoing). Ping, for instance, uses the ICMP protocol. sPing is a good example of this type of attack; it overloads the server with more bytes than it can handle, larger connections. It's a ping flood.

Smurf Attacks - This attack uses IP spoofing and broadcasting to send a ping to a group of hosts on a network. When a host is pinged it sends back ICMP message traffic information indicating status to the originator. If a broadcast is sent to a network, all hosts will answer back to the ping. The result is an overload of the network and the target system. The only way to prevent this attack is to prohibit ICMP traffic on the router.

ICMP Tunneling - ICMP can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. The counter measure is to deny ICMP traffic on your network.

Well, I hope you have learned something and now know more about these attacks than what you thought it seems... ICMP can be very dangerous...
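As an added defender-side illustration (example code, not part of SpOonWiZaRd's post), the checks below run over constructed packet summaries and flag three of the patterns described above: SYNs from a source that are never followed by its completing ACK, echo requests aimed at a broadcast address, and echo requests carrying an unusually large payload. The record format, the thresholds and the `.255` broadcast heuristic (a /24 network) are assumptions made for this example.

```python
from collections import Counter

# Constructed packet summaries (not captured traffic). Each tuple is
# (proto, src, dst, detail): for TCP, detail is the flag string ("S" = SYN,
# "A" = ACK); for ICMP, detail is (icmp_type, payload_len). Addresses use
# RFC 5737 documentation ranges.
PACKETS = [
    ("tcp", "203.0.113.9", "192.0.2.10:80", "S"),      # SYN, never completed
    ("tcp", "203.0.113.9", "192.0.2.10:80", "S"),
    ("tcp", "203.0.113.9", "192.0.2.10:80", "S"),
    ("tcp", "198.51.100.4", "192.0.2.10:80", "S"),     # normal client SYN...
    ("tcp", "198.51.100.4", "192.0.2.10:80", "A"),     # ...finishes the handshake
    ("icmp", "192.0.2.10", "192.0.2.255", (8, 56)),    # echo request to broadcast
    ("icmp", "198.51.100.4", "192.0.2.10", (8, 56)),   # ordinary ping
    ("icmp", "198.51.100.4", "192.0.2.10", (8, 1400)), # oversized echo payload
]

def half_open_sources(packets, min_syns=3):
    """Sources whose SYNs to a server were never followed by their own ACK.
    A legitimate client sends SYN and later ACK to finish the handshake; a
    SYN flood leaves many SYNs with no completing ACK per (src, dst) pair."""
    syns, acks = Counter(), Counter()
    for proto, src, dst, detail in packets:
        if proto != "tcp":
            continue
        if detail == "S":
            syns[(src, dst)] += 1
        elif detail == "A":
            acks[(src, dst)] += 1
    return sorted({src for (src, dst), n in syns.items()
                   if n - acks[(src, dst)] >= min_syns})

def broadcast_pings(packets, broadcast_suffix=".255"):
    """Echo requests (type 8) sent to a broadcast address: the amplification
    step of a smurf attack. The suffix test assumes a /24 network."""
    return [(src, dst) for proto, src, dst, detail in packets
            if proto == "icmp" and detail[0] == 8 and dst.endswith(broadcast_suffix)]

def oversized_echo(packets, max_payload=128):
    """Echo requests carrying far more payload than a normal ping: a cheap
    indicator that ICMP is being used as a data channel."""
    return [(src, dst, detail[1]) for proto, src, dst, detail in packets
            if proto == "icmp" and detail[0] == 8 and detail[1] > max_payload]

if __name__ == "__main__":
    print("half-open sources:", half_open_sources(PACKETS))
    print("broadcast pings:", broadcast_pings(PACKETS))
    print("oversized echo:", oversized_echo(PACKETS))
```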

Bhullarz 11Dec2007 12:54

Re: TCP/IP & UDP Attacks
 
Is there any way to beware of TCP/IP Hijacking? I am already facing the problem that my PC disconnects from the internet very frequently and reconnects itself. All my programs using the internet stop working for a while and downloads just stop. I am even using a firewall and anti-virus. But that doesn't seem to be working for me. Any suggestion please?

SpOonWiZaRd 14Dec2007 18:34

Re: TCP/IP & UDP Attacks
 
Well, there is little that you can do, but download JAP; that will give you anonymity on the internet. This attack requires sophisticated software and is harder to engineer than a DoS attack...

arvindsony 2Dec2008 22:23

Re: TCP/IP & UDP Attacks
 
good one
