INTRO TO I.T.

DISTRIBUTED DENIAL OF SERVICE (DDOS)

Another form of trickery is the Distributed Denial of Service attack (DDoS). As with all such denial attacks, it is accomplished by the hacker getting a number of machines to attack the target. However, this attack works a bit differently than other DoS attacks. Rather than getting coputie3rs to attack the target, one of the ways the hacker accomplishes a DDoS is to trick Internet routers into attacking a target. Another form of DDoS relies on compromised (zombie) hosts to simultaneously attack a given target with a large number of packets.

Recall from the discussion that many of the routers on the Internet backbone communication on port 179 (Gibson, 2002). This attack takes advantage of this communication line and acquires routers to attack the target system. What makes this attack particularly wicked is that it does not require the router in question to be compromised in any way. Accept of this, a hacker send packets of various massages to the connection. The packets have been altered so that they appear to come from the target system’s IP address. Routers respond by starting a connection with the target system. What happens next is a flood of connections to multiple routers, all targeting the same target system. The effect of this flood is to make the system inaccessible.

Real – World Example

A good deal of time has been spent discussing the basics of how various DoS attacks are conducted. By now, you should have a firm grasp of what a DoS attack is and have a basic understanding of how it works. It is now time to begin discussing specific, real-world, examples of such attacks. This section will take the theoretical knowledge you have gained and give you real-world examples of this application.

MyDoom

One of the most well publicized DoS attacks was the MyDoom attack. This threat was a classically distributed DoS attack. The virus/worm would e-mail itself to everyone in your address book and then, at a preset time, all infected machines would begin a coordinated attack on www.sco.com (Delio, 2004). Estimates put the number of infected machines between 500,000 and I million. This attack was successful and promptly shut down the SCO web site. It should be noted that well before the day that the DoS attack was actually executed, network administrator and home users were well aware of what MyDoom would do. There were also several tools available free of charge on the Internet for removing the virus/worm. However, it appears that many people did not take the steps necessary to clean their machines of this virus / worm.

What makes this attack so interesting is that it is clearly an example of domestic cyber terrorism (although it is certain that the creators of MyDoom would probably see it differently) for those readers who do not know the story, it will be examined here briefly, Santa Cruz operation (SCO) makes a version is copyright protected. Several months before this attack, SCO began accusing certain Linux distributions of containing segments of SCO Unix code. SCO sent demand letters to many Linux users demanding license fees. Many people in the Linux community viewed this request as simply an attempt to undermine the growing popularity of Linux, an open-source operating system. SCO went even further and filed suit against major companies that were distributing Linux (SCO/Linux, 2003). This claim by SCO seemed unfounded to many legal and technology analysis. It was also viewed with great suspicion because SCO had close ties to Microsoft, which had been trying desperately to stop the grow popularity of Linux.

Many analysts feel that the MyDoom virus/worm was created by some individual (or group of individuals) who felt that the santa Cruz Operations tactics were unacceptable. The hackers wished to cause economic harm to SCO and damage its public image. This probable motive makes this case clearly one of domestic economic terrorism: One group attacks the technological assets of another group based on an ideological difference. Prior to this virus/worm, there were numerous Web site defacements and other small-scale attacks that were part of ideological conflicts. However, this virus / worm was the first such attack to be so widespread and successful. This incident began a new trend in information warfare. As technology becomes less expensive and the tactics more readily available, you can expect to see an increase in this sort of attack in the coming years.

Slammer

Another virus/worm responsible for DoS attacks was the Slammer virus/worm. Some experts rate Slammer as the fastest-spreading virus/worm to ever hit the Internet (Moore, 2004). This virus/worm achieved its DoS simply by spreading so fast that it clogged up networks. It began spreading on January 25^th 2003. It would scan a network for any computers running the Microsoft SQL Server Desktop Engine. It then used a flaw in that application to infect the target machine. It would continually scan every computer connected to the infected machine, seeking one with Microsoft SQL Server Desktop Engine. At its peak, it performed millions of scans per second. This activity resulted in a tremendous number of packets going across infected networks. That flood of scanning packets brought many systems down.

This particular attack was interesting for two reasons. First, what defines this virus as also being a worm is its method of propagation. It was able to spread without any downloading it or opening an attachment o0n an email. Instead, it would randomly scan IP addresses, looking for any machine it could infect. This method meant that it spread much faster than many other virus/worm attacks had previously. The second interesting fact about this attack was that it was totally preventable. Microsoft had released a patch for this flaw weeks before the attack took place. This story should illustrate the critical need to frequently update you machine’s software. You must make certain that you have all the latest patches installed on your machine.

DoS ATTACKS

DoS Attacks

As you can see, the basic concept for perpetrating a DoS is not complicated. The actual problem for the attacker is performing the attack without being caught. We will examine the few some specific types of DoS attacks and look at specific case studies. You will be able to deeply understand the danger of Internet through this information.

TCP SYN Flood Attack

SYN flood is one of most popular version of DoS. These particular attacks depend on the hacker’s knowledge of how connections are made to a server. When the session between Client & Server through TCP Protocol then there is must leave the buffer space in memory which is used for the proper exchange of massages. The SYN filed is included in establishing packet to identifying the sequence of message exchanging. An attacker can send a number of connection requests very rapidly and then fail to respond to the reply that is send back by the server, or he can supply a spoofed (forged) IP address. In other words, he requests connections and then never follows through with the rest of the connection sequence. This process has the effect of leaving connections on the server half open and the buffer memory allocated for them is reserved and not available to other applications. Although the packet in the buffer is dropped after a certain period of time (usually about three minutes) without a reply, the effect of many of these false connections requests is to make it difficult for legitimate request for a session to get established.

There have been a number of well-known SYN flood attack on Web servers. The main cause of this attach that machine is busy with TCP.

FYI: Flood Attacks
In a *flood attack*, the attacker overwhelms a target system by sending a continuous flood a traffic designed consume d

communication is in danger because all machines connected to the Internet engage in TCP communications. Such communication is obviously the entire reason for Web server. There are, however, several methods and techniques you can implement to protect against these attacks. These basic defensive techniques you can implement to protect against these attacks. The basic defensive techniques are:

Ø SYN cookies

Ø RST cookies

Ø Stack tweaking

Some these methods require more technical sophistication than other. In general these methods will be discussed here. When you have task to defend the system against those form of attacks, then you select most competent method for your network system to show your expertise and also examine it in further at that time. Which method you want to implement it depend on operating system, which is used for Web Server by you. You will need to consult your operating system’s documentation or appropriate Web sites, in order to find explicit instruction on how to implement methods.

SYN Cookies As the name SYN cookies suggest, this method uses cookies, not unlike the standard cookies used on many Web site. In this way, the system can’t immediate creates buffer space in memory for hand wringing process. There is cookies in SYNACK, which is created very carefully, in which the information of IP address , port number and other information of client system which request for connect. When the client responds with a normal ACK (acknowledgement), the information from that cookie will be included, which the server then verifies. Thus, the system does not fully allocated any memory until the third stage of the hand-shaking process as illustrated. It enable to system for perform its functions, usually one effect to disable to large windows. However, the cryptographic hashing to use in SYN cookies is fairly resource intensive, therefore, this defensive technique, the system administrators that expect a great deal of incoming connections may choose not to use.

FYI: Hashing

A hash value is a number generated by a string of text. He has is significantly smaller than the text itself and is generated by a formula in such a way it is extremely unlikely that some other text will produce the same hash value. Hashing plays a role in security when it is used to ensure that transmitted message have not been tampered with. To do this, the sending machine generates a hash of the message, encrypts it, and sends it with the message itself. Hash & message is decrypted by receiving machine and create second hash from receiving message also compares from each other. If both are same then there a big problems.

RST Cookies

Another easy method for SYN to compete RST cookie that client is received wrong message by server and client should generate an RST packet. Because the client send back a packet notifying the server of the error, the server now knows the client request is legitimate and can now accept incoming connections from that client in the normal fashion. This method has two disadvantages. It might cause problems with Windows 95 machines and or machines that are communicating form behind firewalls.

Stack Tweaking

The stack tweaking procedure involves changing the TCP stack on the server so that it takes less time to time out when the SYN connection is incomplete. Unfortunately, this precaution will make it more difficult for SYN Floods to perform against this target. For a determined hacker, an attack is still possible.

FYI: Stack Tweaking
The action of stack tweaking is complicated according to the operating system. On this subject there is no help by the documentation of operating system. For these reasons, this method is usually only used by very The advanced network administrators usually can use this method.

Smurt IP Attack

Attack is a very popular version of the DoS attack. An ICMP(Internet Control Message Protocol) packet is sent out to the broadcast address of the network. Since it is broadcast, it responds to all hosts on the network by echoing the packet, which then sends it to the fake source address. Also, the address of the fake source can be found not only on the local subnet, but also anywhere on the internet. If the hacker can continually send such packets, she will cause the network itself to perform a DoS attack on one or more of its member servers. This attack is clever and rather simple. The only problem for the hacker is getting the packets started on on the target network. This task can be accomplished via some software, such as a virus or Trojan horse that will begin sending the packets.

In a Smurf attack, three individuals / systems are involved: the attacker, the middle (which can also be a victim) and the victim. The attacker first sends the ICMP echo request packet to the intermediary's IP broadcast address. Since this is send to the IP broadcast address, many of the machines on the intermediary’s network will receive this request packet and will send an ICMP echo reply packet back. If machines on network respond of request then the network becomes outage.

The attacker impacts the third part—the intended victim—the creating forged packets that contain the spoofed source address of the victim. Therefore, when all the machines on the intermediary’s network start replying to the echo request, those replies will flood the victim’s network. Thus, the network becomes congested as well as unusable.

The Smurf at5tack is an example of the creativity that some malicious parties can employ. It is sometimes viewed as the digital equivalent of the biological process in an auto-immune disorder. With such disorders, the immune system attacks the patient’s own body. In a Smurf attack, the network performs a DoS attack on one of its own systems. This method’s cleverness illustrates why it is important that you attempt to work creatively and in a forward-thing manner if you are responsible for system security in your network. The perpetrator of computer attacks are inventive and always coming up with new techniques. If your defense is less creative and clever than the attackers’ defense, then it is simply a matter of time before your system is compromised.

There are several ways to protect you system against this problem. One is to guard against Trojan horses. However, having policies prohibiting employees from downloading applications will help. Also, having adequate virus scanners can go a long way in protecting your system from a Trojan horse and thus, a Smurf attack. It is also imperative that you use a proxy server, which was explained in previous article. If the internal IP addresses of your network are not known, then it is more difficult to target one in Smurf attack. Probably the best way to protect your system is to combine these defenses along with prohibiting directed broadcasts and patching the hosts to refuse to reply to any directed broadcasts

UDP Flood Attack

UDP, as you will recall a connection protocol that does not require any connection setup procedure prior to transferring data in a UDP flood attack. The attacker se3nds a UDP packet to random port on a target system. When the target system receives a UDP packet, it automatically determines what application is waiting on the destination port. In this case, there is no application waiting on the port, the target system will generate an ICMP packet of “destination unreachable” and attempt to send it back to the forged source address. If enough UDP packets are delivered to ports on the target, the system will become overloaded trying to determine awaiting application (which do not exist) and then generating and sending packets back.

ICMP Flood Attack

There are two basic types of ICMP flood attacks; floods and nukes. An ICMP flood is usually accomplished by broadcasting a large number either pings or UDP packets. Like other floods attacks, the idea is to send so much data to the target system that it slows down. If it can be forced to slow down enough, the target will time out (not sent replies fast enough) & be disconnected from the Internet. ICMP nukes exploit known bugs in specific operation systems. The attacker send a packet of information that he knows the operation system on the target system cannot handle. In many cases, this will cause the target system to lock up completely.

The Ping of Death (PoD)

TCP packets are of limited size. In some cases simply sending a packet that is too large can shut down a target machine. This action is referred to as the Ping of Death (DoP). It works simply by overloading the target system. The hacker sends merely a single ping, but he does so with a very large packet and thus can shut down some machines.

This attack is quite similar to the classroom example discussed earlier in previous article. The aim in both cases is to overload the target system and cause it to quite responding. PoD works to compromise systems that cannot deal with extremely large packet size. If successful, the server will actually shutdown completely. It can, of course be rebooted.

The only real safeguard against PoD is to ensure that all operating systems and software are routinely patched. This attack relies on vulnerabilities. In the way a particular operating system (or application) handles abnormally large TCP packets. When such vulnerabilities are discovered, it is customary for the vendor to release a patch. The possibility of PoD is one reason, among many, why you must keep patches updated on all of your systems.

Teardrop Attack

In teardrop attack, the attacker sends a fragmented message. The two fragments overlap in ways that make it impossible to reassemble them properly without destroying the individual packet headers. Therefore, when the victim attempts to reconstruct the message, the message is destroyed. This causes the target system to halt or crash. There are a number of variations on the basic teardrop attack that are available such as TearDrop2, Boink, targa, Nestea Boink, NewTear and SYNdrop.

Land Attack

A land attack is probably the simplest in concept. The attacker sends a forged packet with the same source IP address and destination IP address (the target’s IP address). The method is to drive the target system “crazy” by having it attempt to send messages to and from itself. The victim system will often be confused and will crash or reboot.

Echo / Chargen Attack

The character generator (Chargen) service was designed primarily for testing purposes. It simply generates a stream of characters. In an echo/chargen attack, this service is abused by attackers who exhaust the target system’s resources. The attacker accomplishes this by creating a spoofed network session that appear to come from that local system’s echo service and which is pointed at the chargen service to form a “loop”. This session will cause huge amounts of data to be passed in an endless loop. This constant looping causes a heavy load to the system. Alternately, if the spoofed session is pointed at a system’s echo service, it will cause heavy network traffic that slows down the target’ network.

METAVERS

In 2004, Mark Zuckerberg, a student at Howard University, created a social networking site called Facebook, which was exclusively for students at the school and was opened to the public in September 2006. In 2007, Facebook was introduced to be used by other means of social media. Over time, Facebook spread to users not only in the United States but around the world. And its revenue will continue to grow through advertising. With that in mind, Microsoft bought 1.6 percent of its shares for 240 million, bringing the total value of Facebook to 15 billion. The total population of the world is seven billion people, of which three billion people use Facebook on a daily basis. Prior to October 2021, Facebook renamed the company Meta Platform, commonly known as Meta, and became part of the Metavers, which is used in the broader sense of the Internet. Facebook has announced that it is hiring tens of thousands of people from Europe to develop Metavers. This is a concept that people are going to talk about the future of the Internet. But what does Facebook want and what will be the future of the world because of social media dependent on the Internet? It may seem like a soup-up version of virtual reality, but some people think that Metavers is the future of the Internet. In fact, the virtual reality "VR" concept is similar to the one invented by the modern Smartphone in the 1980's, the first mobile phone. The use of computers is introducing a new world in which users will become part of the digital world using Metavers, which will be the environment of a virtual "artificial" world. But in the human mind it would be like a real gift of feeling. There will be a sense of cross-border and unlimited social life. Unlike the current VR, which can be used for more online or offline games, the virtual world can be used for virtually anything. It can be used for work, sports, concert, and cinema or even for sightseeing. There is a lot of excitement about Metavers among the rich, investors and big tech firms and no one wants to be left behind if it proves to be the future of the internet. There is also a sense that this is the first time this technology has come to the fore. With the development of VR gaming and connectivity, this may be required. Facebook has stated that building Metavers is one of its top priorities. Many tech firms, including Facebook, are investing in virtual reality, making it cheaper than competitors. According to some analysts, this could be harmful. VR apps are also being developed for these social hangouts and work-spaces. Despite a history of buying competitors, Facebook claims that Metavers will not build a company overnight and has promised to cooperate. It has recently invested 50 million in financing nonprofit groups to help build the Metavers responsibly, but it may take another ten to fifteen years for the concept of the real Metavers to emerge. Significantly, the world has decided to modernize the traditional style and functioning of the Internet, and the situation that arises from it, that is, the scenario, includes goals such as the formation of a facilitated society. Metavers will not only enhance the sense of reality in social networking but will also make 3D technology in the fields of education, health and tourism accessible to all special and common people and will revolutionize the development of different fields and inform consumers. And the details of the activities will not be kept secret.

THAT'S THE TIK TOK

TIKS TOK is the most downloaded in the world. The most interesting. The most infamous. Tick tock, even a tea stall holder can show off their talent. Everyone and Knox have complete freedom to perform in this short video. But with the use of it, young people and young people are at high risk of death. This web is appearing in the face of society in a strange way, which has changed a lot of society. That's the TIK TOK. It is just a well of death. It was a straight path to entertainment. Video Share Platform. Laughter spreads on the faces of sad people. But it has been turned into a well of death. How many people have fallen into it? Then how many of them fell out of it and where did they fall? How many young and blooming buds have been burdened with dust. The faces of his family are wet with tears. Make a tick talk video a hundred times and a hundred and one times again. But don't play with your life and stop making tick-tock videos in dangerous places. Sitting in front of the oncoming train, the boy tried to make a tick-tock video with the help of the rear camera, but the train reached his head in such a short time. He is not in a position to describe the situation. Another woman fell into a manhole while making a TIK TOK video. Another girl, who was making a tick-tock video by the river, slipped on her feet and looked at the waves. In another case, some friends got confused and made bets with each other about who would swim from one side to the other in a short time. As soon as he said this, a friend jumped into the river and as soon as he saw it, the boy drowned in the river and the rest of the friends had no choice but to shout and thus he lost his life. TIK TOK is a platform for children, old and young alike to present their art to both boys and girls. There is an excuse to learn and teach the style and manners inside the house. Parents should keep a close eye on their children. Guess which of our kids is keen to make TIK TOK videos indoors. This needs attention, because they want to gain fame and impress the viewers by making any inversion and astonishing them. He will not do it himself but unknowingly his life may be in danger. There have been many incidents with tick talk stars. But still these people do not give up. Just think that something has happened or will happen to the next one. But nothing will happen to me and in this delusion he leaves this world. In this way, they take risks and make some videos, but in this risk, they also risk their lives. Tick tock is another name for scattering laughter and smiles on sad faces. But if someone sees you and shakes your hand with regret, it is very immoral. If it had been banned, it would have removed the good Thamgar. TIK TOK will not create the wrong content. We must use it in a positive way. China has blocked the accounts of millions of users to control the website. There is a special ban on 13-year-olds, but where does the new plant comply with the ban? This refreshed website is being used by a certain group to advance their thinking instead of entertainment. Wealth does not come from TIK TOK but fame does come from hand. But that too to someone. At the moment, I have a few names that I refrain from writing. But they will change their style in their own way and reach the heights of fame overnight. Modern development has brought a lot of benefits, but people have also used it in an ugly way and lost their lives. Now fans have also started taking pictures with TIK TOK stars. The tick-tock application was developed by China and is now in a state of disarray. Because it also faces opposition from the United States. Tick tock company has lost millions of videos. But the next day millions of videos will be made. Children do not have bats. Annoyingly Libran - always rational, easily hurt emotionally, very passionate and maybe a little too intense. Well, I have to write about the young people who put their lives in the fire. Very few die intentionally and most unknowingly.

MOBILE PHONE USES

The International Telecommunication Union (ITU) has said in its report that by the end of this year, mobile will reach 92% of the world's population. And the number of mobile users globally will exceed 110 million. Scientific inventions have undoubtedly brought many conveniences to our lives, including electricity, airplanes, cars and much more. Just think how our life would have been without electricity. This means that every invention has made human life easier. One of these inventions is the invention of the mobile phone. The advent of mobile phones in Pakistan was terrifying. People used to look at it with great amazement without having to put any tarti or switch etc., its size and its box was so big that noble type people had an employee with them for mobile phone who He used to pick up his mobile phone and walk with them. Then slowly its size began to decrease. At the same time, the price will go down. Even so, owning one is still beyond the reach of the average person. But now this mobile phone, which was considered a sign of wealth and which parrots in our hands used to fly when I saw it, is now crying its worthlessness, when I remember its past and look at its condition. So the focus is on the rise and fall of Muslims. Currently, the largest industry in Pakistan is the mobile phone. Innovation in every field will increase in Pakistan during the last two decades and now thanks to modern technology, Pakistanis are also benefiting from more and more modern inventions than in the past. The work of the world's first mobile phone was only to make calls and this first generation of mobile phones was named as 1G ie first generation and this mobile phone had no other option but to make calls and listen. Some time later, when the system for sending and receiving messages came in mobile, it was named as 2G, the second generation. Then in the era when it will acquire the ability to send pictures through mobile, it was called 3G, ie the third generation, and when the development of movies and movies through the Internet, it was called 4G, ie the fourth generation. Gone and now when the world of mobile is moving towards 5J, everything in the world has been shifted to mobile. There will be any work in the world today that is not being taken from mobile. But surprisingly, despite so much progress and going through new stages, this mobile has not forgotten its basic function even today. Whether you are playing a game or watching a movie, the purpose is to do ten things in the mobile, but as soon as the call comes, the mobile first leaves all the work and tells you that the call is coming. Stops all work for the sake of basic work. We should also consider some limitations in the use of mobile phones. It is better to leave it with him, especially in important and important places, because during prayers he can neither hear the phone nor answer the caller. Similarly, the use of mobile phone while driving is tantamount to playing with one's life. In our country, even if you leave the motor car, the use of mobile phone continues even while driving a motorbike. Similarly, if you are eating and a morsel is stuck in your throat, you have a cough. You are in the washroom, you are sitting at a party, the phone rings, you tell this gentleman that I am in trouble at the moment, so I will talk to you later, but until then he will tell you. Someone has gotten into more trouble. There is a need for us not to bother with this useful tool and to keep it in the category of convenience so that its disadvantages can be avoided.

DENIAL OF SERVICE ATTACKS

Introduction

By now you are aware the dangers of the Internet and have also find a few basic rules for protection as well as safety on the Internet. In previous article I explored ways to investigate a target system and to learn a great deal about it. The time has come that we explain that how the attack on the system. Now we will examine in this & coming articles, one category of attack that might be used to cause harm to a target computer system. In the depth, the working of the Denial of Service (DoS) attack. This threat is one of the most common attacks on the Internet, so it is prudent for you to understand how it works and how to defend yourself against it.

Overview

As was said in the introduction, one of the most common and simplest forms of attacks on a system is a Denial of Service (DoS). This attack does even attempt to intrude on your system or to obtain sensitive information; it simply aims to prevent legitimate users from accessing the system. It is easy to perform this type of attacks. Basically technical expertness is needed. It is fact that every machine has its own limitation, it can’t exceed from its limitation. For example, a truck has its own limitation, it carries limited goods for limited distance, like this computer has limitations, it performs limited operation for limited time. A workload for a computer system may be defined by the number of simultaneous users, the size of files, the speed of data transmission, or the amount of data stored. If you give the extra load of work to the system then it will stop to reply. For example, if you can flood a Web server with more requests than it can process, it will be over loaded and will no longer be able to respond to further requests (Webopedia, 2004). This reality underlies the DoS attack. Simply overload the system with request, and it will no longer be able to respond to legitimate users attempting to access the Web server.

IN PRACTICE: Illustrating an Attack

On simple way to illustrate this attack, especially in a classroom setting, involves the use of the pig command discussed in previous articles.

1. Start a Web server service running on one machine (you can use Apache, IIS or any Web server.

2. Ask several people to open their browsers and key the IP address of that machine in the address bar. They should then be viewing the default Web site for that Web server.

Now you can do a rather primitive DoS attack on the system. Recall from previous article that typing in ping/h will show you all the options for the ping command. The –I option changes the size of the pocket you can send. A TCP packet can be only of a limited size. Thus, you are wanted to set these packets to be almost as large as your requirement. The –w option decides how many milliseconds the ping utility will wait for a response from the target. When you use –O so that the ping utility does not wait. Then the –t instructs the ping utility to keep sending packets until explicitly told to stop.

3. Open the command prompt in Windows 2000/XP (that is the DOS prompt in Windows 98 and the Shell in Unix/Linux).

4. Key ping <address of target machine goes her>-I 65000 –w O –t.

What is happening at this point is that this single machine is continually pinging away at the target machine. Of course, just one machine in your classroom or lab that is simply pinging on your Web server is not going to adversely affect the Web server. However, you can now, one by one, get other machines in the classroom pinging the server in the same way. After each batch of three or four machines you add, try to go to the Web server’s default Web page. After a certain threshold (certain numbers of machines pinging the server), it will stop responding to requests and you will no longer be able to see the Web page.

Howe many machines it will take to deny service depends on the Web server you are using. In order to see this denial happen with a few machines involved as possible, you could use a very low-capacity PC as your Web server. For example, running an Apache Web server on a simple Pentium III laptop running Windows 98, it can take about 15 machines simultaneously pinging to cause a Web server to stop responding to legitimate requests. This strategy is, of course, counter to what you would normally select for a Web server – no real Web server would be running on a simple laptop with Windows 98. Likewise, actual DoS attacks use much more sophisticated methods. This simple exercise, however, should demonstrate for you the basic principle behind the DoS attack: Simply flood the targe3t machine with so many packets that it can no longer respond to legitimate request.

FYI: Buffer Overflows
A Denial of Server attack is “ one of the most common” attack on a system. Another extremely common type of attack is the buffer overflow. Which of these is the leading form of attack is subject to debate among the experts. Regardless, understanding DoS attacks and how to thwart them is clearly on important component of system security.

Generally, the method used for DoS attacks are significant more sophisticated than the illustration. For example, a hacker might develop a small virus whose sole purpose is to initiate a ping flood against a predetermined target. Once of virus has spread, the various machines that are infected with that virus then begun their ping flood of the target system. This sort of DoS is easy to do, and it can be hard to stop. A DoS that is launched from several different machines is called a Distributed Denial of Service. (DDoS).

Common Tools Used for DoS

As with any of the security issues in previous articles, you will find that hackers have at their disposal a vast array of tool with which to work. The DoS arena is no different. While it is certainly well beyond the scope this & previous articles to begin to categorize or discuss all of these tools, a brief introduction to just a few of them will prove useful. The two tools discussed here, TFN and Stacheldraht, and typical of the type of tools that some one wishing to perform a DoS attack would utilize.

TFN and TFN2K TFN also known as Tribal Flood Network, and TFN2K are not viruses, but rather attack tools that can be used to perform a DDoS. TFN2K is a newer version of TFN that supports both Windows NT and Unix platforms (and can easy be ported to additional platforms). There are some feature which make its complex more than predecessor.

FYI: What is DoS?
The name for DoS attacks comes from the fact that such attempts literally deny legitimate users the service provided by the site in question. These attacks began to become widely known in 1995 when the simple Ping of Death DoS attack began to be used frequently.

including sending decoy information to avoid being traced. Experts of TFN2K can use the resources for attack against more than one target. Additionally, TFN and TFN2K can perform various attacks such as UDP flood attacks, ICMP flood attacks, and TCM SYN flood attacks.

TFN2K works on two fronts. First, there is a command-run client on the master system. Second, there is a daemon process operation on an agent system. The attack works like this:

1. The master instruction its agents to attack a list of designated targets.

2. The agents respond by flooding the targets with a barrage of packets.

With this tool, multiple agents, coordinated by the master, can work together during the attack to disrupt access to the target. Additionally, there are a number of “safty” features for the attacker that significantly complicates development of effective and efficient countermeasures for TFN2K.

· Master-to-agent communications are encrypted and may be mixed with any number of decoy packets.

· Both master-to-agent communications and attacks themselves can be sent via randomized TCP, UDP and ICMP packets.

· The master can falsify its IP address (spoof).

Stacheldraht:

Stacheldraht, which is German for “barded wire”, is a DDoS attack tool that combines features of the Trinoo DDoS tool (another common tool) with the source code from the TFN DDoS attack tool. Like TFN2K, it adds encryption of communication between the attacker and the Stacheldraht master. It also involve in automatic updating of the agents.

Stacheldraht can perform a variety of attacks including UDP flood, ICMP flood, TCP SYN flood and Smurf attacks. This source address also detects forgery and enables it automaticallyDoS Weanknesses

The weakness in any DoS attacks, form the attacker’s point of view, is that the flood of packets must be sustained. As soon as we stop sending packets, the target system is backed up. As DoS/DDoS attack, however, is very often used in conjunction with another form of attack, such as diabling one side of a connection in TCP hijacking or preventing authentication or logging between servers.

If the hacker is using a distributing attack, as soon as the administrator or owners of the infected machines realize their machine is infected, they will take steps to remove the virus and thus stop the attack. If a hacker attempts to launch an attack from her own machine, she must be aware that each packet has the3 potential to be traced back to its source. This fact means the single hacker using a DoS will almost certainly be caught by the authorities. For this session, the DDoS is quickly becoming the most common type of DoS attack.

Common Tools Used for DoS

FYI: What is DoS?
The name for DoS attacks comes from the fact that such attempts literally deny legitimate users the service provided by the site in question. These attacks began to become widely known in 1995 when the simple Ping of Death DoS attack began to be used frequently.

TFN2K works on two fronts. First, there is a command-run client on the master system. Second, there is a daemon process operation on an agent system. The attack works like this:

1. The master instruction its agents to attack a list of designated targets.

2. The agents respond by flooding the targets with a barrage of packets.

· Master-to-agent communications are encrypted and may be mixed with any number of decoy packets.

· Both master-to-agent communications and attacks themselves can be sent via randomized TCP, UDP and ICMP packets.

· The master can falsify its IP address (spoof).

Stacheldraht:

Stacheldraht can perform a variety of attacks including UDP flood, ICMP flood, TCP SYN flood and Smurf attacks. This source address also detects forgery and enables it automatically

DoS Weanknesses

PORT MONITORING AND MANAGING

Using the tool I have already outlined in previous article, you have access to a great deal of information about the ports in use on a system. There are however, some additional tools that allow you to obtained more specific information about port in use and the9ir state, as well as about the flow of information in and out of those ports. Some of these tools also allow you to link listening port to its application.

NetStat Live

One of the most popular protocol monitors is NetStat, which is on free ships with Microsoft Windows. A version of this, NetStat Live (NSL), which is freely available on the Internet, is a small, easy-to-use TCP/IP protocol monitor that can be used to see the exact throughput on both incoming and outgoing data whether you are using a modem, DSL or even a local network. It allows you see the speed at which your data goes from your computer to another computer on the Internet. It will even tell you how many other computers your data must go through to get to its destination. It also graphs the CPU usage of the NSL system. This can be especially useful if, for example, you are experiencing slow connection speeds. It can identify whether your computer is the reason for the slow down or if it is you Internet connection.

After you download and install the program, you simply run it. When the program launches.

It displays the last 60 seconds of display data. It shows the average data rate, the total amount of data sent after the last reboot, and the maximum data rate. It tracks all incoming and outgoing messages. Default display window, but this window can be customized to display what you want, but this window can be customized to show exactly what you want. To enable or disable a pane, simply right – click on the window, choose Statistics and then place a check next to any statistics that you would like to see. Your choices are:

Ø Local Machine. Monitoring current machine name, IP address and network interface.

Ø Remote Machine. The remote machine, including average ping time and number of hops.

Ø Incoming Data. Data on the incoming (Download) channel.

Ø Incoming Totals. Total for the incoming data.

Ø Outgoing Data. Data on the outgoing (upload) channel

Ø Outgoing Totals. Totals for the outgoing data.

Ø System Threads. Total number of threads currently running in the system.

Ø CPU Usage. Graphs the CPU load.

Notice that a machine is listed in the remote section and some information about it. You can easily change the server you are collecting information for. Simply open your Web browser, go to a Web page and copy the URL (including the http://) into the clipboard by using Ctrl + C). Notice that a machine is listed in the remote section and some information about it. You can easily change the server you are collecting information for.

In addition to adjusting the display, NSL can also9 be configured to operate in several different ways from the Configure dialog box. To access the Configure options, right-click on the NSL display and choose the configuration as your demand.

From this dialog box, you can configure the program in many ways. Your configuration option are:

Ø Auto Minimize. If enabled, when NSL start up, it will automatically show up in the system tray instead of as a window on the screen.

Ø Auto Start. If enabled, NSL will automatically run time you reboot your machine. (this is good to use with Auto Minimize option).

Ø Always on Top. If enabled, the NSL dialog box will always be on top of other windows. This allows you to see the information no matter what else is on the screen.

Ø URL ClipCap. If enabled, NetStat will scan Windows clipboard for URL and if it finds one, will automatically ping/traceroute it.

Ø Close Minimize. If enabled, pressing the Close button doesnot actually close NSL, but rather minimizes it to the system tray.

Ø TCP/IP Interface. This drop-down list allows you to select from the TCP/IP interface currently available or to monitor. All available interfaces (if a specific interface can not be found, it defaults back to all.)

Ø Displays values in. this drop-down list allows you to select whether or not the values are displayed in bits or bytes (the default).

NetStat Live tracks all network activity. This means that you can see how quickly data moves across the local network (as long as you are using TCP/IP) as well as to and from remote sites. Additionally, this means that when used on a modern connection, you will see the actual throughput and not just what the dial-up networking adapter or modem says it is doing. This allows you to see exactly what kind of performance you are getting while you are browsing around Web page.

Active Ports

Active Ports is another easy-to-use tool for Windows. Through it you will enable to monitor all open TCP and UDP ports on the your local computer. Active Ports maps ports to the owning application so that you can watch which process has opened which port. It also displays a local and remote IP address for each connection and allows you to terminate the owning process. Active Ports can help you detect Trojan horses and other malicious programs.

Like so many of these types of programs, Active Ports is available as free download from many sites on the Internet.

Fport

Like Active Ports, fport reports all open TCP/IP and UDP ports and maps them to the owning application. Additionally, it maps those ports to running processes. Fport can used to quickly identify unknown open ports and their associated application.

TCPView

TCPView is a Windows program that will show you detailed listings of all TCP & UDP endpoints on your system, including the remote addresses and the state of TCP connections. TCPView provide a conveniently presented subset of the Netstat program.

In-Depth Searches

Port scanners and other types of scanners can only tell you so much about a target system. At some point, you will probably have taken your investigation to a deeper level. For example, if you find out that particular server is running IIS 5.0, that discovery probably means the company has Windows 2000. If you then uncover default shared folders and default registry settings, you know that the system is probably entirely set up with default settings. It is also less likely that this system is routinely patched and updated because a security-conscious administrator would not have left default setting in the first place. Your next step is to scan the Internet using various search engines (e.g. www.yahoo.com, www.google.com, www.lycos.com) to find out whether there are any known vulnerabilities with the target system and its configuration. There is a good chance that someone has actually documented the specific vulnerabilities and how these faults can be exploited. Once you have studied the potential vulnerabilities in a target system, yu can take one of several actions, depending on your role in the investigation.

1. If you are a system administrator, you must correct those vulnerabilities promptly.

2. If you are a “sneaker” (or an “ethical” white hat hacker), you would document what you have found to then report to your client.

3. If you are a cracker, you can use this information to select the most appropriate way to compromise the target system. However, be aware that such activities are illegal and can culminate in severe civil penalties, including a prison sentences.

Web search and newsgroup searches (you can use Google’s “groups” tab for this task) can also provide other interesting information about it site. You will often be able to find details about a company, such as its key personnel and ISP. There are several ways to use this information. For example, if you find that a company has a high turnover in its systems department (for example, you see the same job posted frequently, indicating rapid turnover), then it is less likely that the system is as secure as it should be. Or, if you see that one company is being bought out by another, this event might lead to some confusion in the two companies’ IT departments as they try to merge. This information can help you identify other vulnerabilities in a target system.