Graphics Programs Reference
In-Depth Information
0x456
Distributed DoS Flooding
A
distributed DoS (DDoS) attack
is a distributed version of a flooding DoS
attack. Since bandwidth consumption is the goal of a flooding DoS attack,
the more bandwidth the attacker is able to work with, the more damage they
can do. In a DDoS attack, the attacker first compromises a number of other
hosts and installs daemons on them. Systems installed with such software are
commonly referred to as bots and make up what is known as a botnet. These
bots wait patiently until the attacker picks a victim and decides to attack. The
attacker uses some sort of a controlling program, and all of the bots simulta-
neously attack the victim with some form of flooding DoS attack. Not only
does the great number of distributed hosts multiply the effect of the flood-
ing, this also makes tracing the attack source much more difficult.
0x460
TCP/IP Hijacking
TCP/IP hijacking
is a clever technique that uses spoofed packets to take over a
connection between a victim and a host machine. This technique is exception-
ally useful when the victim uses a one-time password to connect to the host
machine. A one-time password can be used to authenticate once and only once,
which means that sniffing the authentication is useless for the attacker.
To carry out a TCP/IP hijacking attack, the attacker must be on the same
network as the victim. By sniffing the local network segment, all of the details
of open TCP connections can be pulled from the headers. As we have seen,
each TCP packet contains a sequence number in its header. This sequence
number is incremented with each packet sent to ensure that packets are
received in the correct order. While sniffing, the attacker has access to the
sequence numbers for a connection between a victim (system A in the follow-
ing illustration) and a host machine (system B). Then the attacker sends a
spoofed packet from the victim's IP address to the host machine, using the
sniffed sequence number to provide the proper acknowledgment number,
as shown here.
src : 192.168.0.100
dst : 192.168.0.200
seq #: 1429775000
ack #: 1250510000
len : 2
4
System A
System B
192.168.0.100
192.168.0.200
src : 192.168.0.200
dst : 192.168.0.100
seq #: 1250510000
ack #: 1429775024
len : 167
src : 192.168.0.100
dst : 192.168.0.200
seq #: 1429775024
ack #: 1250510167
len : 71
Attacker
system
