Tuesday, May 5, 2009

Three Dimensions to Protect your Computer

First - Strengthen the defense of your computer

- Install Firewalls
"Firewall" is an isolation technology that separates the internal network from the Internet. The firewall filters traffic when the two networks communicate: it lets in the data and people you "agree" to admit to your network, and blocks the data and people you "do not agree" to admit. It can prevent them from changing, copying, or destroying your material. To keep the firewall effective, you must keep it updated.

- Install Anti-virus software
The key to computer viruses is not "Kill" but "Prevent". You should install anti-virus software, enable real-time monitoring, and keep the software and the virus definition file updated. To guard against the newest viruses, set the update process to run daily. Also, every week you should scan the computer completely for viruses.

- Guard against Spyware
Spyware is a program that is installed without the user's authorization. It can collect information and send it to a third party. Spyware can be attached to software or executable images and break into the user's computer. It is used to track computer usage, record keystrokes, or take screen captures. To get rid of spyware, you can
- raise the security level of your browser
- install software that guards against spyware
- verify the software you plan to install with its official website

Second - Defend against attacks

- Refuse unknown software, emails and attachments
Don't download unknown software. Save all downloaded software into one directory and scan it before installing. Don't open any unknown email or its attachments. Many viruses spread through email. Don't open unknown emails, especially those with an interesting subject line.

- Don't go to hacker or pornographic websites
Many viruses and spyware come from these websites. If you browse such a website and your computer is not secure enough, you can imagine what will happen next.

- Avoid sharing folders
Shared folders are risky; an outsider can browse your folder freely. When you want to share a folder, remember to set a password. If you no longer need to share the folder, remove the sharing immediately. It is extremely dangerous to share the whole drive. If someone removes a system file, your machine may go down and fail to start up again.

Last - Keep Checking/Update

- Set different and complex passwords
On the Internet there are thousands of places that need a password, such as e-banking, login accounts, and email. Try to use a different password for each service; this limits the loss if one of the passwords is broken by someone. Avoid meaningful passwords, like a birthday or telephone number. You should use passwords with both letters and numbers. One more thing: do not choose the "Save Password" option.

- Beware of fraud
The number of fraud cases on the Internet keeps increasing. Attackers build a fake bank website and send out an email asking for your password. Before taking any action, try to verify whether it is real. You can phone the bank hotline to ask, or go to the bank to contact them directly.

- Backup
Backup is the last step in guarding against attacks. If your computer is hacked, the operating system and software can be reinstalled. But your data can only be restored if you make backups frequently.

Sunday, April 12, 2009

Seven Common DoS Attack Methods

Hackers have an arsenal of methods to launch Denial of Service (DoS) attacks. The following seven sections emphasize the extent of the quandary faced by organizations trying to battle the DoS threat. TippingPoint provides solutions to battle these common methods of DDoS attacks:

- Vulnerabilities
- Zombie Recruitment
- Attack Tools
- Bandwidth Attacks
- SYN Floods
- Established Connection Floods
- Connections-Per-Second Floods

Method 1 - Vulnerabilities

Attackers can attempt to crash a service or the underlying operating system directly over the network. These attacks disable services by exploiting buffer overflows and other exploitable weaknesses that exist in unpatched servers. Vulnerability attacks do not require extensive resources or bandwidth to carry out; attackers only need to know that a vulnerability exists to be able to exploit it and cause widespread damage. Once an attacker has control of a vulnerable service, application, or operating system, they abuse the foothold to disable systems and ultimately bring down an entire network from within.

Method 2 - Zombie Recruitment

The same vulnerabilities used to crash a server allow hackers to turn vulnerable PCs into Distributed Denial of Service zombies. Once the hacker exploits the vulnerability to gain control of the system, they plant a backdoor into the system for later use in committing DDoS attacks. The Trojan or similar infection provides a path into the system. Once the attacker has that path, they remotely control the system, making the server a "Zombie" that waits for the attack command. Using these zombies, attackers can launch a huge number of DoS and DDoS attacks anonymously. Viruses can also be used for zombie recruitment. For instance, the MyDoom worm was designed to convert PCs into zombies that attacked SCO and Microsoft at a prearranged time programmed into the virus. Other viruses install backdoors that let hackers launch coordinated attacks, increasing the distribution of the attacks across networks around the globe. The following figures detail how attackers create and launch these attacks against a network.

Method 3 - Attack Tools
Through zombie recruitment, hackers use covert communication channels to contact and manage their zombie armies. They can choose from hundreds of off-the-shelf backdoor programs and custom tools from websites. These tools and programs launch attacks to penetrate and control networks as zombie armies, then launch additional attacks from within. Once they have the zombie systems, they can use other tools to send a single command to all zombies simultaneously. In some cases, commands are carried in ICMP or UDP packets that can bypass firewalls. In other cases, the zombie "phones home" by making a TCP connection to the master. Once the connection is created, the master can control the zombie.

The tools used to attack and control systems comprise:

- Tribe Flood Network (TFN) - Focuses on Smurf, UDP, SYN, and ICMP echo request floods.
- Tribe Flood Network 2000 (TFN2K) - The updated version of TFN.
- Trinoo - Focuses on UDP floods. Sends UDP packets to random destination ports. The packet size is configurable.
- Stacheldraht - Software tool that focuses on TCP ACK, TCP NULL, HAVOC, DNS floods, and TCP packet floods with random headers.

DDoS attack tools are evolving both in terms of covert channel implementation and in DDoS flooding methods. Newer tools use random port numbers or operate over IRC. Further, smarter tools cleverly disguise flooding packets as legitimate service requests and/or introduce a high degree of randomness. These improvements make it increasingly hard for a port-filtering device to separate attack packets from legitimate traffic.

Method 4 - Bandwidth Attacks
When a DDoS attack is launched, it can often be detected as a significant change in the statistical composition of the network traffic. For example, a typical network might consist of 80 percent TCP and a 20 percent mix of UDP and ICMP. A change in the statistical mix can be a signal of a new attack. For example, the Slammer worm produced a surge of UDP packets, whereas the Welchia worm generated a flood of ICMP packets. Such surges can be DDoS attacks or so-called zero-day attacks, attacks that exploit previously unknown vulnerabilities.
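As an added illustration of the protocol-mix signal described above (example code written for this page, not part of the original post or of TippingPoint's products), the following Python compares an observed protocol breakdown against a baseline and names the protocol that is surging; both packet lists are constructed.

```python
from collections import Counter

# Constructed sample captures, reduced to the protocol of each packet.
# The baseline matches the 80/20 TCP-versus-UDP+ICMP mix described in the
# text; the suspect capture adds a UDP surge like the one Slammer produced.
BASELINE_PACKETS = ["tcp"] * 80 + ["udp"] * 15 + ["icmp"] * 5
SUSPECT_PACKETS = ["tcp"] * 80 + ["udp"] * 300 + ["icmp"] * 5

def protocol_mix(packets):
    """Return each protocol's share of the capture, e.g. {"tcp": 0.8, ...}."""
    counts = Counter(p.lower() for p in packets)
    total = sum(counts.values())
    return {proto: n / total for proto, n in counts.items()} if total else {}

def mix_shift(baseline, observed, threshold=0.20):
    """Flag protocols whose share moved by more than `threshold` (an absolute
    fraction) between the baseline mix and the observed mix.
    Returns {protocol: signed change}, empty when nothing is anomalous."""
    flagged = {}
    for proto in set(baseline) | set(observed):
        delta = observed.get(proto, 0.0) - baseline.get(proto, 0.0)
        if abs(delta) > threshold:
            flagged[proto] = round(delta, 3)
    return flagged

def surge_protocol(baseline, observed, threshold=0.20):
    """Name the protocol with the largest positive shift (the one flooding),
    or None if the mix stayed within the threshold."""
    shift = mix_shift(baseline, observed, threshold)
    rising = {p: d for p, d in shift.items() if d > 0}
    return max(rising, key=rising.get) if rising else None
```

A real deployment would compute the baseline over a long quiet period and re-evaluate the observed mix on a sliding window, so that a legitimate UDP-heavy service does not trip the check.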

Method 5 - SYN Flood
One of the most common types of DoS attacks is the SYN Flood. This attack can be launched from one or more attacking machines to disable access to a target server. The attack abuses the mechanism used to establish a TCP connection. Every TCP connection requires the completion of a three-way handshake before it can pass data:

- Connection Request - First packet (SYN) sent from the requester to the server, starting the three-way handshake
- Request Acknowledgement - Second packet (SYN+ACK) sent from the server to the requester
- Connection Complete - Third packet (ACK) sent from the requester back to the server, completing the three-way handshake

The attack consists of a flood of invalid SYN packets with spoofed source IP addresses. The spoofed source address causes the target server to respond to the SYN with a SYN-ACK to an unsuspecting or nonexistent source machine. The target then waits for an ACK packet from the source to complete the connection. The ACK never comes, and the entry ties up the connection table with a pending connection request that never completes. The table rapidly fills up and consumes all available resources with invalid requests. While the number of connection entries may differ from one server to another, tables may fill up with only hundreds or thousands of requests. The result is a denial of service since, once a table is full, the target server is unable to service legitimate requests. The difficulty with SYN attacks is that each request in isolation looks benign. An invalid request is very difficult to distinguish from a legitimate one.

Method 6 - Established Connection Flood

An Established Connection Flood is an evolution of the SYN Flood attack that employs an array of zombies to commit a DDoS attack on a target. Zombies establish apparently legitimate connections to the target server. By using a large number of zombies, each creating a large number of connections to the target, an attacker can make so many connections that the target is no longer able to respond to legitimate connection requests. For example, if a thousand zombies make a thousand connections to a target server, the server has to handle a million open connections. The result is similar to a SYN Flood attack in that it consumes server resources, but it is even more difficult to detect.

Method 7 - Connections Per Second Floods
Connections Per Second (CPS) Flood attacks flood servers with a high rate of connections from an apparently valid source. In these attacks, an attacker or army of zombies attempts to drain server resources by rapidly setting up and tearing down TCP connections, perhaps issuing a request on each connection. For example, an attacker might use his zombie army to repeatedly fetch the home page from a target web server. The resulting load makes the server extremely sluggish.
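The three connection-oriented floods above (Methods 5, 6 and 7) each leave a distinct trace in the server's connection table or connection log; the Python below, added for this page and not taken from the original post or from TippingPoint, computes one detection signal for each. The snapshot follows the column layout of `ss -tan` output, and both the snapshot and the connection-open events are constructed rather than real captures.

```python
from collections import Counter

# Constructed connection-table snapshot in the style of `ss -tan` output
# (state, recv-q, send-q, local address, peer address). Not real capture data.
SNAPSHOT = """\
ESTAB    0 0 10.0.0.5:80 203.0.113.9:51002
ESTAB    0 0 10.0.0.5:80 203.0.113.9:51003
ESTAB    0 0 10.0.0.5:80 203.0.113.9:51004
ESTAB    0 0 10.0.0.5:80 198.51.100.2:40210
SYN-RECV 0 0 10.0.0.5:80 192.0.2.10:1025
SYN-RECV 0 0 10.0.0.5:80 192.0.2.11:1025
SYN-RECV 0 0 10.0.0.5:80 192.0.2.12:1025
SYN-RECV 0 0 10.0.0.5:80 192.0.2.13:1025
"""

# Constructed connection-open events as (unix timestamp, peer ip) pairs, as a
# firewall or web server log would record them: one peer opens 200 connections
# in two seconds, another opens four at a normal pace.
OPEN_EVENTS = [(1000.0 + i * 0.01, "203.0.113.9") for i in range(200)] + \
              [(1000.0 + i * 0.5, "198.51.100.2") for i in range(4)]

def parse_snapshot(text):
    """Yield (state, peer_ip) for every connection line in the snapshot."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        yield fields[0], fields[4].rsplit(":", 1)[0]

def half_open_ratio(text):
    """SYN flood signal: share of table entries stuck in SYN-RECV. Spoofed
    SYNs never finish the handshake, so under attack this climbs toward 1.0."""
    states = Counter(state for state, _ in parse_snapshot(text))
    total = sum(states.values())
    return states["SYN-RECV"] / total if total else 0.0

def established_over_limit(text, limit):
    """Established-connection flood signal: peers holding more than `limit`
    ESTAB connections at once (a zombie opening many parallel connections)."""
    per_peer = Counter(p for s, p in parse_snapshot(text) if s == "ESTAB")
    return {peer: n for peer, n in per_peer.items() if n > limit}

def peak_connections_per_second(events, peer):
    """CPS flood signal: the most connections a peer opened within any single
    one-second bucket, regardless of how quickly it tore them down again."""
    buckets = Counter(int(ts) for ts, p in events if p == peer)
    return max(buckets.values(), default=0)
```

The useful thresholds are site specific: compare the half-open ratio and per-peer counts against what the same server shows during normal load before alerting on them.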

Monday, February 2, 2009

MikroTik RouterOS SNMP Security Bypass Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at: vuldb@securityfocus.com.

http://felinemenace.org/~andrewg/MikroTik_Router_Security_Analysis_Part2/

The MikroTik Wireless Router is a Linux embedded wireless router, focusing on various functionality such as bandwidth management, firewalling, VPN server/client, and various other things. As with all embedded Linux based software, it is interesting to pull it apart :)

It has been around for a while now… a couple of years ago when I analysed the software, pulling it apart, it had drivers/firmware to turn standard Orinoco wireless cards into an Access Point (which as far as I know isn't possible otherwise, at least not when I was looking at it).

For the purposes of this article, I am looking at mikrotik-2.9.46.iso (MD5sum: 65aa908dd748ccf72ad9f588613dfe31, SHA1sum: 5e5ed13498db8d9745a701f75e58da3ef6701e58). For the most part, I have used QEMU to emulate the hardware/software environment to install it on. This has several advantages, such as being able to edit the "disk" it's using easily, amongst other things.

Performing active analysis of MikroTik router components

As with any analysis of potentially hostile software, you should be careful to take adequate security precautions when running untrusted software.

To perform more active analysis of the MikroTik components, we could copy the applicable binaries and associated libraries to another Linux platform. This would allow us to strace the binary, debug it (which is incredibly useful for exploit development), and monitor the activities it performs in general. Furthermore, we can copy the kernel and applicable modules to perform further analysis on them, and to allow the environment to be replicated a lot better.

The analysis environment / setup

For this article, I have done a basic network install of Debian 4rc1. After performing the installation and installing a bunch of generic tools (strace/gdb/gcc/ltrace/openssh-server/nasm/etc.), I then extracted the MikroTik kernel and modules, and put the applicable files into their place.