Common Network Attacks
Network attacks that are directed by a hacker are called directed attacks. For example, a WinNuke packet (generated by the WinNuke utility, discussed later in this chapter) sent by a hacker to a specific machine is considered a directed attack. Viruses are traditionally not directed attacks; a virus is unknowingly copied from user to user. Viruses are some of the most prevalent attacks used on the Internet. In the following sections, we'll discuss some of the techniques that hackers commonly use to attack a network. Then we'll discuss some tools and procedures you can use to defend against them.
IP Spoofing
IP spoofing is the process of sending packets with a fake source address, pretending that the packet is coming from within the network that the hacker is trying to attack. The address can be considered stolen from the hacker's target network. A router (even a packet-filtering router) will treat this packet as coming from within the network and will let it pass; however, a firewall can prevent this type of packet from passing into the secured network. Figure 8.6 shows a hacker attempting an IP spoof. Notice that the hacker with the spoofed IP address is denied access to the network by the firewall.
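The firewall check described above amounts to comparing a packet's source address with the interface it arrived on. The following Python is an added example (not code from the book) of that anti-spoofing rule: a packet arriving from the Internet that claims an address belonging to the protected network is dropped, and, going one step beyond the text, a packet leaving the protected network with a source address that is not ours is dropped as well, so our own hosts cannot be used to spoof someone else. The address ranges, interface names and sample packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Address space that lives behind the firewall (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.1.0/24")]


@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "outside" (Internet) or "inside" (LAN)
    src: str     # source IP address as written in the header
    dst: str     # destination IP address


def is_internal(addr: str) -> bool:
    """True if addr belongs to the network the firewall protects."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(pkt: Packet) -> tuple:
    """Return ("drop" | "allow", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    # Addresses that are never valid as a source on the wire, whichever side they come from.
    if src.is_loopback or src.is_unspecified or src.is_multicast:
        return ("drop", "impossible source address")
    if pkt.iface == "outside" and is_internal(pkt.src):
        # Ingress rule: the Internet cannot legitimately send us our own addresses.
        return ("drop", "internal source address arrived on the outside interface")
    if pkt.iface == "inside" and not is_internal(pkt.src):
        # Egress rule: our own hosts must not send packets pretending to be someone else.
        return ("drop", "non-internal source address leaving from the inside interface")
    return ("allow", "source address consistent with arrival interface")


# Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_PACKETS = [
    Packet("outside", "203.0.113.7", "10.0.0.5"),     # ordinary inbound traffic
    Packet("outside", "10.0.0.9", "10.0.0.5"),        # claims to be internal: a spoof
    Packet("inside", "10.0.0.5", "203.0.113.7"),      # ordinary outbound traffic
    Packet("inside", "198.51.100.4", "203.0.113.7"),  # internal host spoofing a foreign source
    Packet("outside", "127.0.0.1", "10.0.0.5"),       # loopback source from the wire
]


def audit(packets):
    """Run every packet through the filter and return (iface, src, verdict, reason) rows."""
    return [(p.iface, p.src, *filter_packet(p)) for p in packets]


if __name__ == "__main__":
    for row in audit(SAMPLE_PACKETS):
        print(row)
```

Running the block prints one verdict per sample packet; only the two packets whose source address matches the interface they arrived on are allowed.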
The Ping of Death
The Ping of Death is a type of denial of service (DoS) attack. A DoS attack prevents any users, even legitimate ones, from using the system. Ping is primarily used to see if a computer is responding to IP requests. Normally, when you ping a remote host, four normal-sized Internet Control Message Protocol (ICMP) packets are sent to the remote host to see if it is available. In a Ping of Death attack, a very large ICMP packet is sent to the remote host, and the packet overflows the receiving system's buffer. Typically, this causes the system to reboot or hang. Patches to prevent a Ping of Death attack from working are available for most operating systems.
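The reason the oversized packet can overflow a buffer is that an IP datagram is carried as fragments, and the receiver only learns the total size as it reassembles them. The patches the text mentions add a bounds check during reassembly. The following Python is an added example (not code from the book or from any operating system) of that check: a fragment whose offset plus length would push the reassembled datagram past the 65,535-byte limit that the IP length field can express is rejected before anything is copied into the buffer. The fragment records are constructed; the reassembler is simplified and does not handle overlapping fragments.

```python
from dataclasses import dataclass

MAX_DATAGRAM = 65535   # largest total length an IPv4 datagram can have (16-bit field)
IP_HEADER_LEN = 20     # minimal IPv4 header; fragment offsets count data after it


@dataclass
class Fragment:
    ident: int     # IP identification field, shared by all fragments of one datagram
    offset: int    # fragment offset in 8-byte units, exactly as carried in the header
    more: bool     # More Fragments flag (False on the last fragment)
    length: int    # bytes of data carried by this fragment


class Reassembler:
    """Per-datagram reassembly with the size check that defeats a Ping of Death."""

    def __init__(self):
        self.buffers = {}   # ident -> {"received": bytes so far, "total": data length or None}

    def accept(self, frag: Fragment) -> str:
        data_end = frag.offset * 8 + frag.length
        # The check: would this fragment end beyond the largest datagram IP allows?
        if IP_HEADER_LEN + data_end > MAX_DATAGRAM:
            self.buffers.pop(frag.ident, None)   # discard anything already buffered
            return "rejected: reassembled datagram would exceed %d bytes" % MAX_DATAGRAM
        buf = self.buffers.setdefault(frag.ident, {"received": 0, "total": None})
        buf["received"] += frag.length
        if not frag.more:
            buf["total"] = data_end   # last fragment tells us the real data length
        if buf["total"] is not None and buf["received"] >= buf["total"]:
            del self.buffers[frag.ident]
            return "complete: %d bytes" % (IP_HEADER_LEN + buf["total"])
        return "pending"


# Constructed fragment stream: a normal ping, a large but legal fragmented ping,
# and a Ping of Death whose last fragment sits past the 65,535-byte boundary.
SAMPLE_FRAGMENTS = [
    Fragment(1, 0, False, 64),        # ordinary 64-byte echo request, not fragmented
    Fragment(2, 0, True, 1480),       # first piece of a 1,600-byte datagram
    Fragment(2, 185, False, 100),     # 185 * 8 = 1480, so the data ends at 1,580
    Fragment(3, 0, True, 1480),       # start of the malicious datagram
    Fragment(3, 8189, False, 48),     # 8189 * 8 + 48 = 65,560 bytes of data: too large
]


def process(fragments, reassembler=None):
    """Feed fragments through one reassembler and return the status of each."""
    reassembler = reassembler or Reassembler()
    return [reassembler.accept(f) for f in fragments]


if __name__ == "__main__":
    for frag, status in zip(SAMPLE_FRAGMENTS, process(SAMPLE_FRAGMENTS)):
        print(frag.ident, frag.offset, status)
```

An unpatched stack performs the same arithmetic only after copying the data, which is how the last fragment of datagram 3 would overrun a buffer sized for 65,535 bytes.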
SYN Flood
A SYN flood is also a DoS attack because it can barrage the receiving machine with dozens of meaningless packets. In normal communications, a workstation that wants to open a TCP/IP communication with a server sends a TCP/IP packet with the SYN flag set to 1. The server automatically responds to the request, indicating that it is ready to start communicating. Only new communications use SYN flags. If you are in the middle of a file download, SYNs are not used. A new SYN packet is used only if you lose your connection and must reestablish communications.
To initiate a SYN flood, a hacker sends a barrage of SYN packets. The receiving station normally can't help itself and tries to respond to each SYN request for a connection. The receiving device soon expends its resources trying to reply, and all incoming connections are rejected until the current half-open connections can be answered. The victim machine cannot respond to any other requests because its buffers are overfilled, and it therefore rejects all packets, including valid requests for connections. Patches that can help with this problem are available for the various network operating systems.
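The resource the text says is exhausted is the table of half-open connections: each SYN the server answers occupies a slot until the client's final ACK arrives or the entry times out. The following Python is an added example (not code from the book) that models that table over a constructed packet trace so you can see both the exhaustion and what a monitor would alert on: a legitimate client completes its handshake and frees its slot, an attacker's SYNs fill the table without ever completing, the next legitimate SYN is refused, and after the timeout the table drains and service resumes. The backlog size, timeout and addresses are constructed values chosen to keep the trace short.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class TcpEvent:
    ts: float     # seconds since start of capture
    src: str      # client address
    sport: int    # client port
    flags: str    # "S" = SYN from client, "A" = client's ACK completing the handshake


class HalfOpenMonitor:
    """Tracks half-open connections the way a server's listen backlog does."""

    def __init__(self, backlog=8, timeout=3.0):
        self.backlog = backlog        # constructed: real backlogs are larger
        self.timeout = timeout        # seconds a server keeps an unanswered SYN
        self.half_open = {}           # (src, sport) -> timestamp of the SYN
        self.alerts = []              # (ts, message, src) for dropped connection attempts

    def expire(self, now):
        """Drop handshakes the server has given up waiting on."""
        for key, ts in list(self.half_open.items()):
            if now - ts > self.timeout:
                del self.half_open[key]

    def observe(self, ev: TcpEvent) -> str:
        self.expire(ev.ts)
        key = (ev.src, ev.sport)
        if ev.flags == "S":
            if len(self.half_open) >= self.backlog:
                # Table full: this is the moment legitimate clients start being refused.
                self.alerts.append((ev.ts, "backlog full, SYN dropped", ev.src))
                return "dropped"
            self.half_open[key] = ev.ts
            return "half-open"
        if ev.flags == "A" and key in self.half_open:
            del self.half_open[key]   # handshake finished, slot released
            return "established"
        return "ignored"

    def sources(self) -> Counter:
        """How many half-open slots each source currently holds; the flooder stands out."""
        return Counter(src for src, _ in self.half_open)


def constructed_events():
    """A short trace: one good client, one flooder, then a refused and a recovered client."""
    events = [TcpEvent(0.00, "10.0.0.5", 40001, "S"),
              TcpEvent(0.01, "10.0.0.5", 40001, "A")]
    for i in range(10):   # the flooder never sends the final ACK
        events.append(TcpEvent(0.10 + i * 0.01, "198.51.100.9", 50000 + i, "S"))
    events.append(TcpEvent(0.50, "10.0.0.6", 40002, "S"))   # legitimate client, refused
    events.append(TcpEvent(4.00, "10.0.0.6", 40003, "S"))   # after the timeout, accepted
    return events


def run(events, monitor=None):
    """Replay a trace and return (outcome per event, monitor with its alerts)."""
    monitor = monitor or HalfOpenMonitor()
    outcomes = [monitor.observe(ev) for ev in events]
    return outcomes, monitor


if __name__ == "__main__":
    outcomes, mon = run(constructed_events())
    for ev, out in zip(constructed_events(), outcomes):
        print("%5.2f %-14s %5d %-2s -> %s" % (ev.ts, ev.src, ev.sport, ev.flags, out))
    for alert in mon.alerts:
        print("ALERT", alert)
```

A monitor built on this idea alerts on two signals: a single source holding many half-open slots (the `sources()` count), and legitimate SYNs being dropped while the table is full. The mitigations the text alludes to as patches shrink the window in which either can happen, for example by timing out half-open entries sooner.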