Figure 2. Hooks provided for the Linux netfilter framework
determine this fact by inspecting the system using iptables. The rules still appear to be valid and the firewall appears to be in effect. In designing this attack, the goal of the attacker is to disable the network defense mechanisms employed by the target systems, thereby making them vulnerable to other attacks over the network.
Background: Netfilter is a packet filtering framework in the Linux kernel. It provides hooks at different points in the networking stack, designed for kernel modules to hook into and provide functionality such as packet filtering, packet mangling and network address translation. These hooks are provided for each protocol supported by the system. The netfilter hooks for the IP protocol are shown in Figure 2. Each of the hooks, Pre-routing, Input, Forward, Output and Post-routing, sits at a different point in a packet's traversal of the stack. Iptables is a firewall management command line tool available on Linux. It is used to set the firewall rules for incoming and outgoing packets and relies on the netfilter framework to enforce them: packets are filtered according to the rules provided by the firewall.
Attack Description: The pointers to the netfilter hooks are stored in a global table called nf_hooks. This is an array of pointers to the handlers registered by kernel modules to handle the hooks of different protocols. This data structure is exported even by the latest 2.6 Linux kernel. We modified the hook corresponding to the IP protocol and redirected it to our dummy code, effectively disabling the firewall. The firewall rules that we used during this experiment are shown in Figure 3. The INPUT rules deny admission for incoming traffic to the web server running on the system. Before the attack, we were unable to access this web server externally. After we inserted the attack module, we could access the web content hosted by the web server running on the HTTP port (port 80). Running the iptables command to list the firewall rules still shows that the same rules are in effect (as shown in Figure 3). The user has no way of knowing that the firewall is disabled, as the rules appear to be in effect.
Impact: A stealthy attack such as the one described cannot be detected by the existing set of tools. Since our attack module is able to filter all packets without passing them to the firewall, it can run other commands upon receipt of a specially crafted packet sent by the remote attacker.
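Because the rule listing itself stays intact while the hook is gone, a defender's check has to be behavioural rather than a read of the iptables output. The following Python script is an added example, not code from the chapter: it parses a constructed `iptables -S INPUT` listing that mirrors the experiment's rules (incoming port 80 denied), predicts the verdict the chain should give a packet, and flags the case where a listed DROP rule does not actually stop traffic. The rule parser handles only the rule forms shown and is an assumption of the example, not iptables' full grammar.

```python
import re
import socket

# Constructed sample of `iptables -S INPUT`, mirroring the chapter's setup:
# incoming traffic to the web server on port 80 is denied.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
"""

# Minimal matcher for the rule forms above (hypothetical helper, not iptables' grammar).
RULE = re.compile(r"-A INPUT(?: -i (\S+))?(?: -p (\S+))?(?: -m \S+)?(?: --dport (\d+))? -j (\S+)")

def expected_verdict(rules_text, proto, dport, iface="eth0"):
    """First matching rule wins, as in netfilter; otherwise the chain policy applies."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        if line.startswith("-P INPUT "):
            policy = line.split()[-1]
            continue
        m = RULE.match(line)
        if not m:
            continue
        r_if, r_proto, r_port, target = m.groups()
        if (r_if and r_if != iface) or (r_proto and r_proto != proto):
            continue
        if r_port and int(r_port) != dport:
            continue
        return target
    return policy

def probe_tcp(host, port, timeout=2.0):
    """Observed behaviour: True when a TCP connect succeeds, i.e. the packet was admitted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_consistency(rules_text, proto, dport, observed_admitted):
    """Compare the listed verdict with observed behaviour; a mismatch on a
    DROP rule is the symptom of the disabled hook described above."""
    verdict = expected_verdict(rules_text, proto, dport)
    if (verdict == "ACCEPT") == observed_admitted:
        return True, f"{proto}/{dport}: rules say {verdict}, behaviour agrees"
    seen = "admitted" if observed_admitted else "blocked"
    return False, f"{proto}/{dport}: rules say {verdict} but traffic was {seen}; check netfilter hooks"
```

In practice the probe is run from a second host against the protected one (for example `check_consistency(rules, "tcp", 80, probe_tcp(target_ip, 80))`), since a connection from the server to itself never traverses the same path.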
Resource Wastage
This attack causes resource wastage and performance degradation on applications by generating artificial memory pressure, which can lead to thrashing (Wiseman, 2009), (Jiang, 2009). The goal of this attack is to show that it is possible to stealthily influence the kernel algorithms by simply manipulating data values. This attack targets the zone balancing logic, which ensures that there are always enough free pages available in the system memory.
Background: Linux divides the total physical memory installed on a machine into nodes. Each