SYN Flood
Late in 1997, a new type of attack known as the SYN flood disabled Internet service providers (ISPs). The SYN flood is not an intrusion attack: it does not attempt to access or modify data. Its purpose is to disable servers, and so it is classified as a denial-of-service attack.
When data is sent over TCP/IP, the transmission begins with a simple ‘handshake protocol’: a client sends a SYN (synchronise) packet to the server, and the server returns a SYN/ACK to acknowledge receipt of it. Once the client acknowledges the SYN/ACK in turn, the connection between client and server is established and they can communicate with each other.
A SYN flood attacker sends numerous connection requests to a server from a false address.
The server answers each request but never receives the acknowledgement from the false address, so it cannot complete the handshake and holds the half-open request in a pending-connection queue. Only after several minutes do the server’s TCP sockets time out. If enough false requests are made, the server’s pending-connection queue fills up and it is unable to respond to new requests, even valid ones.
If you allow outsiders to access your system, perhaps to place a purchase order or to read corporate information, then that service can be denied to them if you fall victim to a SYN flood attack.
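The following is an added example, not code from the original article, that simulates the pending-connection queue just described: spoofed SYNs for which no acknowledgement ever arrives occupy the queue until they time out, and a legitimate client is refused in the meantime. The queue capacity, timeout and all addresses are constructed values chosen to make the effect visible.

```python
"""Simulation of a server's pending-connection (half-open) queue under a SYN flood.

Added example, not code from the original article. BACKLOG, SYN_TIMEOUT and all
addresses are constructed values chosen to make the effect visible.
"""
from dataclasses import dataclass, field

BACKLOG = 8          # assumed capacity of the pending-connection queue
SYN_TIMEOUT = 180.0  # assumed seconds a half-open entry waits for the client's ACK


@dataclass
class Backlog:
    capacity: int = BACKLOG
    timeout: float = SYN_TIMEOUT
    pending: dict = field(default_factory=dict)  # (src_ip, src_port) -> time SYN/ACK was sent
    established: int = 0
    dropped: int = 0

    def expire(self, now):
        """Drop half-open entries whose SYN/ACK was never acknowledged within the timeout."""
        for key in [k for k, t in self.pending.items() if now - t > self.timeout]:
            del self.pending[key]

    def syn(self, now, src_ip, src_port):
        """Server receives a SYN: send SYN/ACK and queue the entry, or refuse if the queue is full."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            self.dropped += 1
            return False
        self.pending[(src_ip, src_port)] = now
        return True

    def ack(self, now, src_ip, src_port):
        """Client's final ACK completes the handshake for a queued entry."""
        self.expire(now)
        if (src_ip, src_port) not in self.pending:
            return False
        del self.pending[(src_ip, src_port)]
        self.established += 1
        return True


def run_flood(n_spoofed=20):
    """Spoofed SYNs, for which no ACK ever arrives, fill the queue; a real client is
    refused until the stale entries time out. Returns the observed counts."""
    b = Backlog()
    for i in range(n_spoofed):
        # constructed spoofed source addresses, one SYN each, never acknowledged
        b.syn(float(i), "10.0.0.%d" % (i + 1), 40000 + i)
    half_open_at_peak = len(b.pending)
    # legitimate client (constructed address) during the flood: SYN refused,
    # so its ACK matches no queued entry
    accepted_during = b.syn(30.0, "192.0.2.10", 51000)
    completed_during = b.ack(30.1, "192.0.2.10", 51000)
    # the same client retrying after the half-open entries have timed out
    accepted_after = b.syn(200.0, "192.0.2.10", 51001)
    completed_after = b.ack(200.1, "192.0.2.10", 51001)
    return {
        "half_open_at_peak": half_open_at_peak,
        "dropped": b.dropped,
        "accepted_during_flood": accepted_during,
        "completed_during_flood": completed_during,
        "accepted_after_timeout": accepted_after,
        "completed_after_timeout": completed_after,
        "established": b.established,
    }


if __name__ == "__main__":
    for k, v in run_flood().items():
        print(f"{k}: {v}")
```

With a queue of 8 and 20 spoofed requests, the first 8 spoofed SYNs fill the queue, the remaining 12 and the legitimate client's request are all refused, and only after the 180-second timeout clears the stale entries does the client's retry complete. Shrinking the timeout or enlarging the queue only raises the number of spoofed requests needed, which is why the vendor patches the article mentions change how half-open entries are held rather than just tuning these numbers.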
Examples of SYN flood attacks
In December 1996, Web Communications (WebCom), an ISP in California, USA, fell victim to a SYN flood attack. The WebCom servers were disabled for 40 hours, and customers who hosted web sites with WebCom lost the use of their sites.
Panix, a very popular ISP in New York, was disabled by a SYN flood attack for seven days starting from 6 September 1996.
We must bear in mind, however, that any company operating an Internet service can be vulnerable to a SYN flood attack, not just ISPs. There are, however, software patches available to block SYN attacks. According to Mitch Wagner at Computerworld, "the ANS subsidiary of America Online, Inc., COAST and Sun Microsystems, Inc. all have software patches designed to block the SYN attack." It is always wise to check with your firewall vendor or ISP about protection from SYN attacks.
Ping O’ Death
Ping of Death is a denial-of-service attack that works by sending oversized ping packets to the victim system. A victim that receives such a hostile ping will crash or hang because it does not have enough memory to cope with it.
PING (Packet INternet Groper) is a utility used to test whether an IP address is reachable: an ICMP Echo packet is sent to an Internet host and the utility awaits a reply.
IBM has issued AIX operating system patches for the Ping o' Death and SYN floods. Information on the patches is available at: http://techsupport.services.ibm.com/rs6000/support/
Sniffer Attack
Early in 1994, the Internet experienced a continuing series of "sniffer" attacks. That is, attackers compromised host systems by installing software that monitored and recorded specific Local Area Network transactions, including host name/user name/password combinations.
Some intruders evaded detection by using sophisticated Trojan software. It took only one or a few talented individuals to create the software and techniques, which were then used by many to compromise at the least hundreds of thousands of accounts.
Sniffer attacks are possible because the majority of LANs (local area networks) use ring and bus technology, in which nodes communicate by broadcast transmission. A ‘sniffer’ or network tap placed anywhere on such a LAN can therefore monitor all of its traffic, and a typical Internet communication may cross a number of LANs.
By using the latest encryption and firewall technologies, businesses and organisations can frustrate would-be network sniffers, rendering intercepted data packets unreadable and allowing safe and secure Internet transactions.
©1998 Colin Germain