29. Port Redirection
Diagram: the attacker connects to the compromised Host A (Source: Attacker, Destination: A, Port: 22); Host A forwards the traffic to Host B (Source: A, Destination: B, Port: 23); the net effect is that the attacker reaches B on port 23 (Source: Attacker, Destination: B, Port: 23).
39. TCP SYN Flooding DoS Attack
Diagram: a normal TCP three-way handshake between a TCP client (client ports 1024–65535) and a TCP server (service ports 1–1024, here port 80): 1 SYN, 2 SYN and ACK, 3 ACK. In the attack, the attacker's TCP client sends SYN packets with a spoofed source address to the victim TCP server's port 80; the server's SYN and ACK is sent toward the spoofed address (shown as "?") instead of back to the attacker.
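The slide shows the handshake being left incomplete by SYNs with spoofed sources. The following added example (not part of the original slides) replays a constructed packet trace, tracks each handshake's state, and flags a service port that accumulates many half-open connections from many distinct sources, which is the symptom a defender would look for; the trace, addresses and threshold are all assumptions.

```python
"""Detect SYN-flood symptoms in a packet trace: many half-open handshakes
on one service port, from many (typically spoofed) source addresses."""
from collections import defaultdict

# Constructed packet summaries: (seconds, src, sport, dst, dport, flags).
# Flags are TCP control bits: "S" = SYN, "SA" = SYN+ACK, "A" = ACK.
SAMPLE_TRACE = [
    (0.0, "10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    (0.1, "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    (0.2, "10.0.0.5", 40001, "192.0.2.10", 80, "A"),   # completed: legitimate
] + [
    # 20 SYNs from distinct sources that never send the final ACK
    (1.0 + i * 0.01, f"203.0.113.{i}", 50000 + i, "192.0.2.10", 80, "S")
    for i in range(1, 21)
] + [
    # the server answers each with SYN+ACK, which goes to the spoofed address
    (1.5 + i * 0.01, "192.0.2.10", 80, f"203.0.113.{i}", 50000 + i, "SA")
    for i in range(1, 21)
]


def handshake_states(trace):
    """Replay the trace; return {(client, cport, server, sport): state}.
    A client SYN opens SYN_RCVD; the client's final ACK makes it ESTABLISHED.
    The server's SYN+ACK is keyed the other way round and changes nothing."""
    states = {}
    for _t, src, sport, dst, dport, flags in trace:
        key = (src, sport, dst, dport)
        if flags == "S":
            states[key] = "SYN_RCVD"
        elif flags == "A" and states.get(key) == "SYN_RCVD":
            states[key] = "ESTABLISHED"
    return states


def syn_flood_alerts(trace, max_half_open=10):
    """Group half-open handshakes by (server, port) and return the ports whose
    number of distinct half-open sources exceeds max_half_open (assumed)."""
    half_open = defaultdict(set)
    for (client, _cport, server, sport), state in handshake_states(trace).items():
        if state == "SYN_RCVD":
            half_open[(server, sport)].add(client)
    return {k: len(v) for k, v in half_open.items() if len(v) > max_half_open}


if __name__ == "__main__":
    for (server, port), n in syn_flood_alerts(SAMPLE_TRACE).items():
        print(f"possible SYN flood: {n} half-open connections to {server}:{port}")
```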
Windows Domain Models - http://is-it-true.org/nt/atips/atips307.shtml
Linux/UNIX Trusts - http://nim.cit.cornell.edu/usr/share/man/info/en_US/a_doc_lib/files/aixfiles/hosts.equiv.htm
Port redirection allows traffic entering a compromised machine on a particular port (for example TCP/22, SSH) to be redirected to a different machine on a different port (for example TCP/23, Telnet). It allows an attacker to exploit trust relationships to circumvent the firewall for all hosts once he controls one host. A rootkit-based install allows the redirection process, its files, and its connections to be hidden.
IP Spoofing – an attacker sends a message to a target host with an IP address indicating that the message is coming from a trusted host. The attacker must know the IP address of a trusted host in order to modify the packet headers so that the packets appear to be coming from that host.

TCP Session Hijacking – an attacker sniffs for packets being sent from a client to a server in order to identify the two hosts' IP addresses and their respective port numbers. Using this information the attacker modifies his packet headers to spoof TCP/IP packets from the client. The attacker then waits to receive an ACK packet from the client communicating with the server (which contains the sequence number of the next packet the client is expecting). The attacker replies to the client using a modified packet with the source address of the server and the destination address of the client. This results in a RST which disconnects the legitimate client. The attacker takes over communications with the server, spoofing the expected sequence number from the ACK that was previously sent from the legitimate client to the server.

IP Fragmentation – firewalls that support stateful inspection of established connections analyze packets to see if they are being received in the proper sequence. In the case of IP fragments, the firewall attempts to reassemble all fragments prior to forwarding them on to the final destination. If an attacker sends repeated incomplete or out-of-order fragmented packets to the firewall, it logs them and waits for all remaining fragments to be received before handling the connection. As a result, system resources are exhausted by the logging and pending reassembly state, and the firewall is subject to a denial of service. Also, some Intrusion Detection Systems (IDS) do not handle IP fragmentation, out-of-order fragmentation, TCP segment overlap, and out-of-order TCP segments properly, which results in packets slipping through because the IDS failed to alarm.