UNIX and NT DoS/DDoS
IP fragmentation overlap: IP packets may need to be broken into parts (fragments) en route and put back together by the destination OS, whose reassembly code may have a flaw:
- teardrop (Linux), syndrop.c, boink.c (Windows)
- countermeasures: Linux kernels 2.0 and above; on NT, apply SP6a.
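As an added example (not part of the original notes), a defender-side validator for one datagram's fragment set: it flags the overlapping-fragment condition that teardrop-class reassembly bugs trip over, plus gaps and an incomplete set, which a sensor or hardened reassembler would want to reject. The `Fragment` fields and sample values are constructed for the example.

```python
# Added example, not from the original page: check a datagram's fragment set
# for the conditions a robust IP reassembler must tolerate. Normal
# fragmentation never produces overlaps, so an overlap is worth alerting on.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Fragment:
    ident: int    # IP identification field, shared by all fragments of a datagram
    offset: int   # byte offset of this fragment's payload within the datagram
    length: int   # payload length in bytes
    more: bool    # More-Fragments (MF) flag


def check_reassembly(frags: List[Fragment]) -> List[str]:
    """Return a list of anomaly strings; an empty list means the set is sane."""
    problems: List[str] = []
    if len({f.ident for f in frags}) > 1:
        problems.append("fragments belong to different datagrams")
    ordered = sorted(frags, key=lambda f: f.offset)
    end_of_prev = None  # exclusive end byte of the data covered so far
    for f in ordered:
        if f.offset % 8:
            problems.append(f"offset {f.offset} is not a multiple of 8")
        if f.length <= 0:
            problems.append(f"fragment at offset {f.offset} has non-positive length")
        if end_of_prev is not None:
            if f.offset < end_of_prev:
                # Teardrop condition: the new fragment starts inside data already
                # received, so a naive "remaining length" computation goes negative.
                problems.append(f"overlap: fragment at {f.offset} starts before {end_of_prev}")
            elif f.offset > end_of_prev:
                problems.append(f"gap between {end_of_prev} and {f.offset}")
        end_of_prev = max(end_of_prev or 0, f.offset + f.length)
    if ordered and ordered[-1].more:
        problems.append("last fragment still has MF set (datagram incomplete)")
    return problems


# Constructed samples: a normal two-fragment datagram and one whose second
# fragment lies entirely inside the first.
NORMAL = [Fragment(1, 0, 24, True), Fragment(1, 24, 16, False)]
OVERLAP = [Fragment(2, 0, 36, True), Fragment(2, 24, 4, False)]

if __name__ == "__main__":
    print(check_reassembly(NORMAL))   # []
    print(check_reassembly(OVERLAP))  # ['overlap: fragment at 24 starts before 36']
```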
Stream and raped attacks (UNIX/NT): resource starvation that drives the CPU to 100%, cuts off network access and stops or slows other jobs
- stream.c: sends TCP Ack packets to a series of ports with random sequence numbers and random source IP addresses
- raped.c attacks: sends TCP Ack packets with spoofed IP addresses
- countermeasures: in practice, none (unless you can change your IP address).
DDoS attacks: the first attacks, in February 2000, hit Yahoo, E*TRADE, eBay, Buy.com, CNN.com, etc. An attack has three stages:
- Compromise systems and gain administrator privileges (hunting grounds: @Home, DSL providers, etc.).
- Upload the DDoS server software to the slaves (zombies) and run it so it listens for commands.
- When there are enough slaves, command them to attack the victim.
- Examples: GRC.COM (a case example) and press coverage of other attacks.