Hacking from a network: SYN flood and TCP Sequence number prediction attacks

Greetings. This is the oldie, but goody section of the course. This next section is important for a number of reasons. If you think about it, attacks occur in stages. In general the attacker has to perform reconnaissance to hone in on the target, to find the weaknesses. Then there will be an initial attack; this is often minimal, and in the book Network Intrusion Detection we referred to this as the "grappling hook". Finally, the attacker completes the kill. This attack shows each of these stages. This attack took 16 seconds to complete. When we were discussing automated response, we used 16 seconds as a measuring rod. How fast can you run? How fast can you type? Finally, you really can't run around in intrusion detection circles if you are not familiar with the so-called Mitnick attack.

IDIC - SANS GIAC LevelTwo 2000, 2001

What we will cover

TCP SYN
- Review of TCP
- Theory of attack
- Implementation

IP SPOOF
- Theory of attack
- Implementation details
- Tsutomu Shimomura example

The information on the Mitnick attack is drawn primarily from Shimomura's post on the subject. The initial header of the news posting is shown below.
Source: tsutomu@ (Tsutomu Shimomura)
Date: 25 Jan 1995

There seems to be a lot of confusion about the IP address spoofing and connection hijacking attacks described by John Markoff's 1/23/95 NYT article and CERT advisory CA-95:01. Here are some technical details from my presentation on 1/11/95 at CMAD 3 in Sonoma, California.

It's a SYN: SYN attacks, theory and implementation

We want to introduce the notion of an elegant SYN flood. The basic approach here is to take advantage of an engineering decision to have a fixed resource allocation, and to use more of the resource than the designers expected and/or to take advantage of consequences from using more of the resource. During .
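The "fixed resource allocation" the slide refers to is the listener's table of half-open connections: a SYN reserves a slot until the handshake completes or a timer reaps it. The model below is an added example written for this page, not course material or Shimomura's code. It simulates such a table with an assumed capacity of 8 slots and an assumed 75-second reap timer, pushes a constructed event stream (RFC 5737 documentation addresses, not real hosts) through it, and shows from the defender's side how legitimate handshakes get refused while the slots are held, plus a simple per-source half-open count that flags the condition as it builds.

```python
"""Model of a fixed-size SYN backlog and a per-source half-open detector.

Added example for illustration; capacity, timeout and addresses are assumed.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumed values: 75 s mirrors the classic BSD connection-establishment timer,
# and a capacity of 8 is deliberately small so the table fills quickly here.
DEFAULT_CAPACITY = 8
DEFAULT_TIMEOUT = 75.0


@dataclass
class SynBacklog:
    capacity: int = DEFAULT_CAPACITY
    timeout: float = DEFAULT_TIMEOUT
    table: dict = field(default_factory=dict)  # (src, sport) -> time SYN arrived
    dropped: int = 0      # SYNs refused because every slot was in use
    completed: int = 0    # handshakes finished by the third packet (ACK)

    def _reap(self, now: float) -> None:
        """Free entries whose SYN/ACK went unanswered for at least `timeout`."""
        for key in [k for k, t in self.table.items() if now - t >= self.timeout]:
            del self.table[key]

    def syn(self, now: float, src: str, sport: int) -> bool:
        """Record a new half-open connection; False if the backlog is full."""
        self._reap(now)
        if len(self.table) >= self.capacity:
            self.dropped += 1
            return False
        self.table[(src, sport)] = now
        return True

    def ack(self, now: float, src: str, sport: int) -> bool:
        """Complete a handshake; False if no matching half-open entry exists."""
        self._reap(now)
        if self.table.pop((src, sport), None) is None:
            return False
        self.completed += 1
        return True

    def half_open_by_source(self, now: float) -> Counter:
        """Detection view: how many half-open slots each source holds right now."""
        self._reap(now)
        return Counter(src for src, _ in self.table)


def run_events(events, capacity=DEFAULT_CAPACITY, timeout=DEFAULT_TIMEOUT):
    """Feed (time, kind, src, sport) events through a backlog.

    Returns (backlog, alerts); an alert records the first time a single
    source holds more than half of the fixed backlog, a simple flood signal.
    """
    backlog = SynBacklog(capacity, timeout)
    alerts, flagged = [], set()
    for now, kind, src, sport in events:
        if kind == "SYN":
            backlog.syn(now, src, sport)
        elif kind == "ACK":
            backlog.ack(now, src, sport)
        for source, count in backlog.half_open_by_source(now).items():
            if count > capacity // 2 and source not in flagged:
                flagged.add(source)
                alerts.append((now, source, count))
    return backlog, alerts


# Constructed event stream: one good client, then eight SYNs from one source
# that are never acknowledged, then a good client arriving while the table is
# full, then a third good client after the stale entries have been reaped.
SAMPLE_EVENTS = (
    [(0.0, "SYN", "192.0.2.10", 40000), (0.1, "ACK", "192.0.2.10", 40000)]
    + [(1.0 + i, "SYN", "203.0.113.5", 1000 + i) for i in range(8)]
    + [(10.0, "SYN", "192.0.2.11", 40001), (10.1, "ACK", "192.0.2.11", 40001)]
    + [(90.0, "SYN", "192.0.2.12", 40002), (90.1, "ACK", "192.0.2.12", 40002)]
)


def summarize(events=SAMPLE_EVENTS):
    """Run the sample stream and report handshake outcomes and alerts."""
    backlog, alerts = run_events(events)
    return {"completed": backlog.completed, "dropped": backlog.dropped,
            "alerts": alerts}


if __name__ == "__main__":
    print(summarize())
```

With these assumptions the second legitimate client is refused at t=10 because all eight slots are held by unanswered SYNs, the detector fires at t=5 when one source crosses half the table, and the third client succeeds only after the reap timer has freed the slots. The model shows why the standard mitigation in real stacks (SYN cookies, which avoid storing per-SYN state until the ACK arrives) targets exactly this fixed allocation.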