Network security

Network security[1] consists of the provisions and policies adopted by a network

administrator to prevent and monitor unauthorized access, misuse, modification, or denial of
a computer network and network-accessible resources. Network security involves the
authorization of access to data in a network, which is controlled by the network administrator.
Users choose or are assigned an ID and password or other authenticating information that
allows them access to information and programs within their authority. Network security
covers a variety of computer networks, both public and private, that are used in everyday jobs
conducting transactions and communications among businesses, government agencies and
individuals. Networks can be private, such as within a company, and others which might be
open to public access. Network security is involved in organizations, enterprises, and other
types of institutions. It does as its title explains: It secures the network, as well as protecting
and overseeing operations being done. The most common and simple way of protecting a
network resource is by assigning it a unique name and a corresponding password.

Network security concepts

Network security starts with authenticating the user, commonly with a username and a
password. Since this requires just one detail authenticating the user name —i.e. the password,
which is something the user 'knows'— this is sometimes termed one-factor authentication.
With two-factor authentication, something the user 'has' is also used (e.g. a security token or
'dongle', an ATM card, or a mobile phone); and with three-factor authentication, something
the user 'is' is also used (e.g. a fingerprint or retinal scan).

Once authenticated, a firewall enforces access policies such as what services are allowed to
be accessed by the network users.[2] Though effective to prevent unauthorized access, this
component may fail to check potentially harmful content such as computer worms or Trojans
being transmitted over the network. Anti-virus software or an intrusion prevention system
(IPS)[3] help detect and inhibit the action of such malware. An anomaly-based intrusion
detection system may also monitor the network and traffic for unexpected (i.e. suspicious)
content or behavior and other anomalies to protect resources, e.g. from denial of service
attacks or an employee accessing files at strange times. Individual events occurring on the
network may be logged for audit purposes and for later high-level analysis.

Communication between two hosts using a network may be encrypted to maintain privacy.

Honeypots, essentially decoy network-accessible resources, may be deployed in a network as

surveillance and early-warning tools, as the honeypots are not normally accessed for
legitimate purposes. Techniques used by the attackers that attempt to compromise these
decoy resources are studied during and after an attack to keep an eye on new exploitation
techniques. Such analysis may be used to further tighten security of the actual network being
protected by the honeypot.[4]
[edit] Security management

Security management for networks is different for all kinds of situations. A home or small
office may only require basic security while large businesses may require high-maintenance
and advanced software and hardware to prevent malicious attacks from hacking and
spamming.

[edit] Homes & Small Businesses

 A basic firewall or a unified threat management system.

 For Windows users, basic Antivirus software. An anti-spyware program would also be a good
idea. There are many other types of antivirus or anti-spyware programs out there to be
considered.
 When using a wireless connection, use a robust password. Also try to use the strongest
security supported by your wireless devices, such as WPA2 with AES. TKIP may be more
widely supported by your devices and should only be considered in cases where they are
NOT compliant with TKIP.
 If using Wireless: Change the default SSID network name, also disable SSID Broadcast; as this
function is unnecessary for home use. (Security experts consider this to be easily bypassed
with modern technology and some knowledge of how wireless traffic is detected by
software).[5]
 Enable MAC Address filtering to keep track of all home network MAC devices connecting to
your router. (This is not a security feature per se; However it can be used to limit and strictly
monitor your DHCP address pool for unwanted intruders if not just by exclusion, but by AP
association.)
 Assign STATIC IP addresses to network devices. (This is not a security feature per se;
However it may be used, in conjunction with other features, to make your AP less desirable
to would-be intruders.)
 Disable ICMP ping on router.
 Review router or firewall logs to help identify abnormal network connections or traffic to the
Internet.
 Use passwords for all accounts.
 For Windows users, Have multiple accounts per family member and use non-administrative
accounts for day-to-day activities.

 Raise awareness about information security to children.[6]

[edit] Medium businesses

 A fairly strong firewall or Unified Threat Management System

 Strong Antivirus software and Internet Security Software.
 For authentication, use strong passwords and change it on a bi-weekly/monthly basis.
 When using a wireless connection, use a robust password.
 Raise awareness about physical security to employees.
 Use an optional network analyzer or network monitor.
 An enlightened administrator or manager.
 Use a VPN, or Virtual Private Network, to communicate between a main office and satellite
offices using the Internet as a connectivity medium. A VPN offers a solution to the expense
of leasing a data line while providing a secure network for the offices to communicate. A
VPN provides the business with a way to communicate between two in a way mimics a
private leased line. Although the Internet is used, it is private because the link is encrypted
 and convenient to use. A medium sized business needing a secure way to connect several
offices will find this a good choice.[7]
 Clear employee guidelines should be implemented for using the Internet, including access to
non-work related websites, sending and receiving information.
 Individual accounts to log on and access company intranet and Internet with monitoring for
accountability.
 Have a back-up policy to recover data in the event of a hardware failure or a security breach
that changes, damages or deletes data.
 Disable Messenger.
 Assign several employees to monitor a group like CERT[8] which studies Internet security
vulnerabilities and develops training to help improve security.

[edit] Large businesses

 A strong firewall and proxy to keep unwanted people out.

 A strong Antivirus software package and Internet Security Software package.
 For authentication, use strong passwords and change it on a weekly/bi-weekly basis.
 When using a wireless connection, use a robust password.
 Exercise physical security precautions to employees.
 Prepare a network analyzer or network monitor and use it when needed.
 Implement physical security management like closed circuit television for entry areas and
restricted zones.
 Security fencing to mark the company's perimeter.
 Fire extinguishers for fire-sensitive areas like server rooms and security rooms.
 Security guards can help to maximize security.

[edit] School

 An adjustable firewall and proxy to allow authorized users access from the outside and
inside.
 Strong Antivirus software and Internet Security Software packages.
 Wireless connections that lead to firewalls.
 Children's Internet Protection Act compliance. (Only schools in the USA)
 Supervision of network to guarantee updates and changes based on popular site usage.
 Constant supervision by teachers, librarians, and administrators to guarantee protection
against attacks by both internet and sneakernet sources.
 An enforceable and easy to understand acceptable use policy which differentiates between
school owned and personally owned devices
 FERPA compliance for institutes of higher education

[edit] Large government

 A strong firewall and proxy to keep unwanted people out.

 Strong antivirus software and Internet Security Software suites.
 Strong encryption.
 Whitelist authorized wireless connection, block all else.
 All network hardware is in secure zones.
 All hosts should be on a private network that is invisible from the outside.
 Host web servers in a DMZ, or a firewall from the outside and from the inside.
 Security fencing to mark perimeter and set wireless range to this.
 Inventory controls of government owned mobile .
[edit] Types of Attacks

Networks are subject to attacks from malicious sources. Attacks can be from two categories
"Passive" when a network intruder intercepts data traveling through the network, and
"Active" in which an intruder initiates commands to disrupt the networks normal operation.[9]

Types of attacks include:[10]

 Passive
o Network
 wiretapping
 Port scanner
 Idle scan
 Active
o Denial-of-service attack
o Spoofing
o Man in the middle
o ARP poisoning
o Smurf attack
o Buffer overflow
o Heap overflow
o Format string attack
o SQL injection

Passive Attack
Telephone tapping (also wire tapping or wiretapping in American English) is the monitoring of
telephone and Internet conversations by a third party, often by covert means. The wire tap received
its name because, historically, the monitoring connection was an actual electrical tap on the
telephone line. Legal wiretapping by a government agency is also called lawful interception. Passive
wiretapping monitors or records the traffic, while active wiretapping alters or otherwise affects it.[1]

Non-official use
A telephone recording adapter (in-line tap). The phone jack connects to the wall socket while the
phone being monitored is connected to the adapter's socket. The audio plug connects to the
recording device (computer, tape recorder, etc.).

Conversations can be recorded or monitored unofficially, either by tapping by a third party

without the knowledge of the parties to the conversation, or recorded by one of the parties.
This may or may not be illegal, according to the circumstances and the jurisdiction.

There are a number of ways to monitor telephone conversations. One of the parties may
record the conversation, either on a tape or solid-state recording device, or on a computer
running call recording software. The recording, whether overt or covert, may be started
manually, automatically by detecting sound on the line (VOX), or automatically whenever
the phone is off the hook.

 using an inductive coil tap (telephone pickup coil) attached to the handset or near the base
of the telephone;[8]
 fitting an in-line tap, as discussed below, with a recording output;
 using an in-ear microphone while holding the telephone to the ear normally; this picks up
both ends of the conversation without too much disparity between the volumes[9]
 more crudely and with lower quality, simply using a speakerphone and recording with a
normal microphone

The conversation may be monitored (listened to or recorded) covertly by a third party by

using an induction coil or a direct electrical connection to the line using a beige box. An
induction coil is usually placed underneath the base of a telephone or on the back of a
telephone handset to pick up the signal inductively. An electrical connection can be made
anywhere in the telephone system, and need not be in the same premises as the telephone.
Some apparatus may require occasional access to replace batteries or tapes. Poorly designed
tapping or transmitting equipment can cause interference audible to users of the telephone.

The tapped signal may either be recorded at the site of the tap or transmitted by radio or over
the telephone wires. As of 2007 state-of-the-art equipment operates in the 30–300 GHz
range.[citation needed] The transmitter may be powered from the line to be maintenance-free, and
only transmits when a call is in progress. These devices are low-powered as not much power
can be drawn from the line, but a state-of-the-art receiver could be located as far away as ten
kilometers under ideal conditions, though usually located much closer. Research has shown
that a satellite can be used to receive terrestrial transmissions with a power of a few
milliwatts.[citation needed] Any sort of radio transmitter whose presence is suspected is detectable
with suitable equipment.

Conversation on many early cordless telephones could be picked up with a simple radio
scanner or sometimes even a domestic radio. Widespread digital spread spectrum technology
and encryption make eavesdropping this much more difficult.

A problem with recording a telephone conversation is that the recorded volume of the two
speakers may be very different. A simple tap will have this problem. An in-ear microphone,
while involving an additional distorting step by converting the electrical signal to sound and
back again, in practice gives better-matched volume. Dedicated, and relatively expensive,
telephone recording equipment equalizes the sound at both ends from a direct tap much
better.
[edit] Location data

Mobile phones are, in surveillance terms, a major liability. This liability will only increase as
the new third-generation (3G) phones are introduced, as the base stations will be located
closer together. For mobile phones the major threat is the collection of communications data.
This data does not only include information about the time, duration, originator and recipient
of the call, but also the identification of the base station where the call was made from, which
equals its approximate geographical location. This data is stored with the details of the call
and has utmost importance for traffic analysis.

It is also possible to get greater resolution of a phone's location by combining information

from a number of cells surrounding the location, which cells routinely communicate (to agree
on the next handoff—for a moving phone) and measuring the timing advance, a correction
for the speed of light in the GSM standard. This additional precision must be specifically
enabled by the telephone company—it is not part of the network's ordinary operation.

The second generation mobile phones (circa 1978 through 1990) could be easily monitored
by anyone with a 'scanning all-band receiver' because the system used an analog transmission
system-like an ordinary radio transmitter. The third generation digital phones are harder to
monitor because they use digitally-encoded and compressed transmission. However the
government can tap mobile phones with the cooperation of the phone company. It is also
possible for organizations with the correct technical equipment to monitor mobile phone
communications and decrypt the audio. A device called an "IMSI-catcher" pretends to the
mobile phones in its vicinity to be a legitimate base station of the mobile phone network,
subjecting the communication between the phone and the network to a man-in-the-middle
attack. This is possible because while the mobile phone has to authenticate itself to the
mobile telephone network, the network does not authenticate itself to the phone. Once the
mobile phone has accepted the IMSI-catcher as its base station the IMSI-catcher can
deactivate GSM encryption using a special flag. All calls made from the tapped mobile phone
go through the IMSI-catcher and are then passed on to the mobile network. Some phones
include a special monitor mode (activated with secret codes or special software) which
displays GSM operating parameters such as encryption while a call is being made. There is
no defense against IMSI-catcher based eavesdropping, except using end-to-end call
encryption; products offering this feature, secure telephones, are already beginning to appear
on the market, though they tend to be expensive and incompatible with each other, which
limits their proliferation.

[edit] Internet

In 1995, Peter Garza, a Special Agent with the Naval Criminal Investigative Service,
conducted the first court-ordered Internet wiretap in the United States while investigating
Julio Cesar Ardita ("El Griton").

As technologies emerge, including VoIP, new questions are raised about law enforcement
access to communications (see VoIP recording). In 2004, the Federal Communications
Commission was asked to clarify how the Communications Assistance for Law Enforcement
Act (CALEA) related to Internet service providers. The FCC stated that “providers of
broadband Internet access and voice over Internet protocol (“VoIP”) services are regulable as
“telecommunications carriers” under the Act.”[10] Those affected by the Act will have to
provide access to law enforcement officers who need to monitor or intercept communications
transmitted through their networks. As of 2009, warrantless surveillance of internet activity
has consistently been upheld in FISA court.[11]

The Internet Engineering Task Force has decided not to consider requirements for
wiretapping as part of the process for creating and maintaining IETF standards.[12]

Typically, illegal Internet wiretapping will be conducted via Wi-Fi connection to someone's
internet by cracking the WEP or WPA key, using a tool such as Aircrack-ng or Kismet. Once
in, the intruder will rely on a number of potential tactics, for example an ARP spoofing attack
which will allow the intruder to view packets in a tool such as Wireshark or Ettercap.

One issue that Internet wiretapping is yet to overcome is that of steganography, whereby a
user encodes, or “hides”, one file inside another (usually a larger, dense file like a MP3 or
JPEG image). With modern advancements in encoding technologies, the resulting combined
file is essentially indistinguishable to anyone attempting to view it, unless they have the
necessary protocol to extract the hidden file.[13][14] US News reported that this technique was
commonly used by Osama bin Laden as a way to communicate with his terrorist cells.[15]

There are a number of steganographic programs available online, such as Wnstorm,

QuickCrypto, and TextHide.

[edit] Mobile phone

Mobile phones have numerous privacy issues. Governments, law enforcement and
intelligence services use mobiles to perform surveillance in the UK and the US. They possess
technology to activate the microphones in cell phones remotely in order to listen to
conversations that take place near to the person who holds the phone.[16][17]

Mobile phones are also commonly used to collect location data. While the phone is turned on,
the geographical location of a mobile phone can be determined easily (whether it is being
used or not), using a technique known multilateration to calculate the differences in time for a
signal to travel from the cell phone to each of several cell towers near the owner of the
phone.[18][19]

[edit] Webtapping

Logging the IP addresses of users that access certain websites is commonly called
"webtapping".

Webtapping is used to monitor websites that presumably contain dangerous or sensitive

materials, and the people that access them. Though it is allowed by the USA PATRIOT Act,
it is considered by many[who?] a questionable practice,[citation needed] if not an all-out violation of
civil liberties.
 2.Port Scanner

A port scanner is a software application designed to probe a server or host for open ports.
This is often used by administrators to verify security policies of their networks and by
attackers to identify running services on a host with the view to compromise it.A port scan
or portscan is "An attack that sends client requests to a range of server port addresses on a
host, with the goal of finding an active port and exploiting a known vulnerability of that
service."To portsweep is to scan multiple hosts for a specific listening port. The latter is
typically used in searching for a specific service, for example, an SQL-based computer worm
may portsweep looking for hosts listening on TCP port 1433.[2]

Port scanning types

[edit] TCP scanning

The simplest port scanners use the operating system's network functions and is generally the
next option to go to when SYN is not a feasible option (described next). Nmap calls this
mode connect scan, named after the Unix connect() system call. If a port is open, the
operating system completes the TCP three-way handshake, and the port scanner immediately
closes the connection to avoid performing a kind of Denial-of-service attack.[3] Otherwise an
error code is returned. This scan mode has the advantage that the user does not require special
privileges. However, using the OS network functions prevents low-level control, so this scan
type is less common. This method is "noisy", particularly if it is a "portsweep": the services
can log the sender IP address and Intrusion detection systems can raise an alarm.

[edit] SYN scanning

SYN scan is another form of TCP scanning. Rather than use the operating system's network
functions, the port scanner generates raw IP packets itself, and monitors for responses. This
scan type is also known as "half-open scanning", because it never actually opens a full TCP
connection. The port scanner generates a SYN packet. If the target port is open, it will
respond with a SYN-ACK packet. The scanner host responds with a RST packet, closing the
connection before the handshake is completed.[3]

The use of raw networking has several advantages, giving the scanner full control of the
packets sent and the timeout for responses, and allowing detailed reporting of the responses.
There is debate over which scan is less intrusive on the target host. SYN scan has the
advantage that the individual services never actually receive a connection. However, the RST
during the handshake can cause problems for some network stacks, in particular simple
devices like printers. There are no conclusive arguments either way.

[edit] UDP scanning

UDP scanning is also possible, although there are technical challenges. UDP is a
connectionless protocol so there is no equivalent to a TCP SYN packet. However, if a UDP
packet is sent to a port that is not open, the system will respond with an ICMP port
unreachable message. Most UDP port scanners use this scanning method, and use the absence
of a response to infer that a port is open. However, if a port is blocked by a firewall, this
method will falsely report that the port is open. If the port unreachable message is blocked, all
ports will appear open. This method is also affected by ICMP rate limiting. [4]
An alternative approach is to send application-specific UDP packets, hoping to generate an
application layer response. For example, sending a DNS query to port 53 will result in a
response, if a DNS server is present. This method is much more reliable at identifying open
ports. However, it is limited to scanning ports for which an application specific probe packet
is available. Some tools (e.g., nmap) generally have probes for less than 20 UDP services,
while some commercial tools (e.g., nessus) have as many as 70. In some cases, a service may
be listening on the port, but configured not to respond to the particular probe packet.

To cope with the different limitations of each approach, some scanners offer a hybrid method.
For example, using nmap with the -sUV option will start by using the ICMP port unreachable
method, marking all ports as either "closed" or "open|filtered". The open|filtered ports are
then probed for application responses and marked as "open" if one is received.

[edit] ACK scanning

ACK scanning is one of the more unique scan types, as it does not exactly determine whether
the port is open or closed, but whether the port is filtered or unfiltered. This is especially
good when attempting to probe for the existence of a firewall and its rulesets. Simple packet
filtering will allow established connections (packets with the ACK bit set), whereas a more
sophisticated stateful firewall might not. [5]

[edit] Window scanning

Rarely used because of its outdated nature, window scanning is fairly untrustworthy in
determining whether a port is opened or closed. It generates the same packet as an ACK scan,
but checks whether the window field of the packet has been modified. When the packet
reaches its destination, a design flaw attempts to create a window size for the packet if the
port is open, flagging the window field of the packet with 1's before it returns to the sender.
Using this scanning technique with systems that no longer support this implementation
returns 0's for the window field, labeling open ports as closed. [6]

[edit] FIN scanning

Since SYN scans are not surreptitious enough, firewalls are, in general, scanning for and
blocking packets in the form of SYN packets.[3] FIN packets are able to pass by firewalls with
no modification to its purpose. Closed ports reply to a FIN packet with the appropriate RST
packet, whereas open ports ignore the packet on hand. This is typical behavior due to the
nature of TCP, and is in some ways an inescapable downfall. [7]
 Active Attacks

DDoS Stacheldraht Attack diagram.

In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service

attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its
intended users. Although the means to carry out, motives for, and targets of a DoS attack may
vary, it generally consists of the efforts of one or more people to temporarily or indefinitely
interrupt or suspend services of a host connected to the Internet.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web
servers such as banks, credit card payment gateways, and even root nameservers. The term is
generally used relating to computer networks, but is not limited to this field; for example, it is
also used in reference to CPU resource management.[1]

One common method of attack involves saturating the target machine with external
communications requests, such that it cannot respond to legitimate traffic, or responds so
slowly as to be rendered effectively unavailable. Such attacks usually lead to a server
overload. In general terms, DoS attacks are implemented by either forcing the targeted
computer(s) to reset, or consuming its resources so that it can no longer provide its intended
service or obstructing the communication media between the intended users and the victim so
that they can no longer communicate adequately.

Denial-of-service attacks are considered violations of the IAB's Internet proper use policy,
and also violate the acceptable use policies of virtually all Internet service providers. They
also commonly constitute violations of the laws of individual nations.

When the DoS Attacker sends many packets of information and requests to a single network
adapter, each computer in the network would experience effects from the DoS attack.
Symptoms and manifestations

The United States Computer Emergency Readiness Team (US-CERT) defines symptoms of
denial-of-service attacks to include:

 Unusually slow network performance (opening files or accessing web sites)

 Unavailability of a particular web site
 Inability to access any web site
 Dramatic increase in the number of spam emails received—(this type of DoS attack is
considered an e-mail bomb)[2]

Denial-of-service attacks can also lead to problems in the network 'branches' around the
actual computer being attacked. For example, the bandwidth of a router between the Internet
and a LAN may be consumed by an attack, compromising not only the intended computer,
but also the entire network.

If the attack is conducted on a sufficiently large scale, entire geographical regions of Internet
connectivity can be compromised without the attacker's knowledge or intent by incorrectly
configured or flimsy network infrastructure equipment.

[edit] Methods of attack

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent

legitimate users of a service from using that service. There are two general forms of DoS
attacks: those that crash services and those that flood services.

A DoS attack can be perpetrated in a number of ways. The five basic types of attack
are:[citation needed]

1. Consumption of computational resources, such as bandwidth, disk space, or processor time.

2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP sessions.
4. Disruption of physical network components.
5. Obstructing the communication media between the intended users and the victim so that
they can no longer communicate adequately.

A DoS attack may include execution of malware intended to:[citation needed]

 Max out the processor's usage, preventing any work from occurring.
 Trigger errors in the microcode of the machine.
 Trigger errors in the sequencing of instructions, so as to force the computer into an unstable
state or lock-up.
 Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. to
use up all available facilities so no real work can be accomplished.
 Crash the operating system itself.

[edit] ICMP flood

See also: Smurf attack, Ping flood, and Ping of death
A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It
relies on misconfigured network devices that allow packets to be sent to all computer hosts
on a particular network via the broadcast address of the network, rather than a specific
machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators
will send large numbers of IP packets with the source address faked to appear to be the
address of the victim. The network's bandwidth is quickly used up, preventing legitimate
packets from getting through to their destination.[3] To combat Denial of Service attacks on
the Internet, services like the Smurf Amplifier Registry have given network service providers
the ability to identify misconfigured networks and to take appropriate action such as filtering.

Ping flood is based on sending the victim an overwhelming number of ping packets, usually
using the "ping" command from unix-like hosts (the -t flag on Windows systems has a far
less malignant function). It is very simple to launch, the primary requirement being access to
greater bandwidth than the victim.

Ping of death is based on sending the victim a malformed ping packet, which might lead to a
system crash.

[edit] SYN flood

A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged
sender address. Each of these packets is handled like a connection request, causing the server
to spawn a half-open connection, by sending back a TCP/SYN-ACK packet (Acknowledge),
and waiting for a packet in response from the sender address (response to the ACK Packet).
However, because the sender address is forged, the response never comes. These half-open
connections saturate the number of available connections the server is able to make, keeping
it from responding to legitimate requests until after the attack ends.[4]

[edit] Teardrop attacks

A Teardrop attack involves sending mangled IP fragments with overlapping, over-sized

payloads to the target machine. This can crash various operating systems due to a bug in their
TCP/IP fragmentation re-assembly code.[5] Windows 3.1x, Windows 95 and Windows NT
operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63 are
vulnerable to this attack.

Around September 2009, a vulnerability in Windows Vista was referred to as a "teardrop

attack", but the attack targeted SMB2 which is a higher layer than the TCP packets that
teardrop used.[6][7]

[edit] Low-rate Denial-of-Service attacks

The Low-rate DoS (LDoS) attack exploits TCP’s slow-time-scale dynamics of retransmission
time-out (RTO) mechanisms to reduce TCP throughput. Basically, an attacker can cause a
TCP flow to repeatedly enter a RTO state by sending high-rate, but short-duration bursts, and
repeating periodically at slower RTO time-scales. The TCP throughput at the attacked node
will be significantly reduced while the attacker will have low average rate making it difficult
to be detected.[8]
[edit] Peer-to-peer attacks

Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate
DDoS attacks. The most aggressive of these peer-to-peer-DDoS attacks exploits DC++. Peer-
to-peer attacks are different from regular botnet-based attacks. With peer-to-peer there is no
botnet and the attacker does not have to communicate with the clients it subverts. Instead, the
attacker acts as a "puppet master," instructing clients of large peer-to-peer file sharing hubs to
disconnect from their peer-to-peer network and to connect to the victim's website instead. As
a result, several thousand computers may aggressively try to connect to a target website.
While a typical web server can handle a few hundred connections per second before
performance begins to degrade, most web servers fail almost instantly under five or six
thousand connections per second. With a moderately large peer-to-peer attack, a site could
potentially be hit with up to 750,000 connections in short order. The targeted web server will
be plugged up by the incoming connections.

While peer-to-peer attacks are easy to identify with signatures, the large number of IP
addresses that need to be blocked (often over 250,000 during the course of a large-scale
attack) means that this type of attack can overwhelm mitigation defenses. Even if a mitigation
device can keep blocking IP addresses, there are other problems to consider. For instance,
there is a brief moment where the connection is opened on the server side before the signature
itself comes through. Only once the connection is opened to the server can the identifying
signature be sent and detected, and the connection torn down. Even tearing down connections
takes server resources and can harm the server.

This method of attack can be prevented by specifying in the peer-to-peer protocol which ports
are allowed or not. If port 80 is not allowed, the possibilities for attack on websites can be
very limited.

[edit] Asymmetry of resource utilization in starvation attacks

An attack which is successful in consuming resources on the victim computer must be either:

 carried out by an attacker with great resources, by either:

o controlling a computer with great computation power or, more commonly, large
network bandwidth
o controlling a large number of computers and directing them to attack as a group. A
DDOS attack is the primary example of this.
 taking advantage of a property of the operating system or applications on the victim system
which enables an attack consuming vastly more of the victim's resources than the attacker's
(an asymmetric attack). Smurf attack, SYN flood, Sockstress and NAPTHA are all asymmetric
attacks.

An attack may utilize a combination of these methods in order to magnify its power.

[edit] Permanent denial-of-service attacks

A permanent denial-of-service (PDoS), also known loosely as phlashing,[9] is an attack that

damages a system so badly that it requires replacement or reinstallation of hardware.[10]
Unlike the distributed denial-of-service attack, a PDoS attack exploits security flaws which
allow remote administration on the management interfaces of the victim's hardware, such as
routers, printers, or other networking hardware. The attacker uses these vulnerabilities to
replace a device's firmware with a modified, corrupt, or defective firmware image—a process
which when done legitimately is known as flashing. This therefore "bricks" the device,
rendering it unusable for its original purpose until it can be repaired or replaced.

The PDoS is a pure hardware targeted attack which can be much faster and requires fewer
resources than using a botnet in a DDoS attack. Because of these features, and the potential
and high probability of security exploits on Network Enabled Embedded Devices (NEEDs),
this technique has come to the attention of numerous hacker communities. PhlashDance is a
tool created by Rich Smith (an employee of Hewlett-Packard's Systems Security Lab) used to
detect and demonstrate PDoS vulnerabilities at the 2008 EUSecWest Applied Security
Conference in London.[11]

[edit] Application-level floods

Various DoS-causing exploits such as buffer overflow can cause server-running software to
get confused and fill the disk space or consume all available memory or CPU time.

Other kinds of DoS rely primarily on brute force, flooding the target with an overwhelming
flux of packets, oversaturating its connection bandwidth or depleting the target's system
resources. Bandwidth-saturating floods rely on the attacker having higher bandwidth
available than the victim; a common way of achieving this today is via Distributed Denial of
Service, employing a botnet. Other floods may use specific packet types or connection
requests to saturate finite resources by, for example, occupying the maximum number of
open connections or filling the victim's disk space with logs.

A "banana attack" is another particular type of DoS. It involves redirecting outgoing

messages from the client back onto the client, preventing outside access, as well as flooding
the client with the sent packets.

An attacker with shell-level access to a victim's computer may slow it until it is unusable or
crash it by using a fork bomb.

[edit] Nuke

A Nuke is an old denial-of-service attack against computer networks consisting of

fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a
modified ping utility to repeatedly send this corrupt data, thus slowing down the affected
computer until it comes to a complete stop.

A specific example of a nuke attack that gained some prominence is the WinNuke, which
exploited the vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band
data was sent to TCP port 139 of the victim's machine, causing it to lock up and display a
Blue Screen of Death (BSOD).

[edit] R-U-Dead-Yet?

This attack is one of the two web application DoS tools available to directly attack web
applications by starvation of available sessions on the web server. Much like Slowloris,
RUDY keeps sessions at halt using never-ending POST transmissions and sending an
arbitrarily large content-length header value.

[edit] Distributed attack

A distributed denial of service attack (DDoS) occurs when multiple systems flood the
bandwidth or resources of a targeted system, usually one or more web servers. These systems
are compromised by attackers using a variety of methods.

Malware can carry DDoS attack mechanisms; one of the better-known examples of this was
MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS
involved hardcoding the target IP address prior to release of the malware and no further
interaction was necessary to launch the attack.

A system may also be compromised with a trojan, allowing the attacker to download a
zombie agent (or the trojan may contain one). Attackers can also break into systems using
automated tools that exploit flaws in programs that listen for connections from remote hosts.
This scenario primarily concerns systems acting as servers on the web.

Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the
attacker uses a client program to connect to handlers, which are compromised systems that
issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are
compromised via the handlers by the attacker, using automated routines to exploit
vulnerabilities in programs that accept remote connections running on the targeted remote
hosts. Each handler can control up to a thousand agents.[12]

These collections of systems compromisers are known as botnets. DDoS tools like
Stacheldraht still use classic DoS attack methods centered on IP spoofing and amplification
like smurf attacks and fraggle attacks (these are also known as bandwidth consumption
attacks). SYN floods (also known as resource starvation attacks) may also be used. Newer
tools can use DNS servers for DoS purposes. See next section.

Simple attacks such as SYN floods may appear with a wide range of source IP addresses,
giving the appearance of a well distributed DoS. These flood attacks do not require
completion of the TCP three way handshake and attempt to exhaust the destination SYN
queue or the server bandwidth. Because the source IP addresses can be trivially spoofed, an
attack could come from a limited set of sources, or may even originate from a single host.
Stack enhancements such as syn cookies may be effective mitigation against SYN queue
flooding, however complete bandwidth exhaustion may require involvement.[further explanation
needed]

Unlike MyDoom's DDoS mechanism, botnets can be turned against any IP address. Script
kiddies use them to deny the availability of well known websites to legitimate users.[13] More
sophisticated attackers use DDoS tools for the purposes of extortion – even against their
business rivals.[14]

If an attacker mounts an attack from a single host it would be classified as a DoS attack. In
fact, any attack against availability would be classed as a Denial of Service attack. On the
other hand, if an attacker uses many systems to simultaneously launch attacks against a
remote host, this would be classified as a DDoS attack.
The major advantages to an attacker of using a distributed denial-of-service attack are that:
multiple machines can generate more attack traffic than one machine, multiple attack
machines are harder to turn off than one attack machine, and that the behavior of each attack
machine can be stealthier, making it harder to track and shut down. These attacker advantages
cause challenges for defense mechanisms. For example, merely purchasing more incoming
bandwidth than the current volume of the attack might not help, because the attacker might be
able to simply add more attack machines.

In some cases a machine may become part of a DDoS attack with the owner's consent. An
example of this is the 2010 DDoS attack against major credit card companies by supporters
of WikiLeaks. In cases such as this, supporters of a movement (in this case, those opposing
the arrest of WikiLeaks founder Julian Assange) choose to download and run DDoS software.

[edit] Reflected / Spoofed attack

A distributed reflected denial of service attack (DRDoS) involves sending forged requests of
some type to a very large number of computers that will reply to the requests. Using Internet
Protocol address spoofing, the source address is set to that of the targeted victim, which
means all the replies will go to (and flood) the target.

ICMP Echo Request attacks (Smurf Attack) can be considered one form of reflected attack,
as the flooding host(s) send Echo Requests to the broadcast addresses of mis-configured
networks, thereby enticing many hosts to send Echo Reply packets to the victim. Some early
DDoS programs implemented a distributed form of this attack.

Many services can be exploited to act as reflectors, some harder to block than others.[15] DNS
amplification attacks involve a new mechanism that increased the amplification effect, using
a much larger list of DNS servers than seen earlier.[16]

[edit] Degradation-of-service attacks

"Pulsing" zombies are compromised computers that are directed to launch intermittent and
short-lived floodings of victim websites with the intent of merely slowing it rather than
crashing it. This type of attack, referred to as "degradation-of-service" rather than "denial-of-
service", can be more difficult to detect than regular zombie invasions and can disrupt and
hamper connection to websites for prolonged periods of time, potentially causing more
disruption than concentrated floods.[17][18] Exposure of degradation-of-service attacks is
complicated further by the matter of discerning whether the server is really being attacked or
under normal traffic loads.[19]

[edit] Unintentional denial of service

This describes a situation where a website ends up denied, not due to a deliberate attack by a
single individual or group of individuals, but simply due to a sudden enormous spike in
popularity. This can happen when an extremely popular website posts a prominent link to a
second, less well-prepared site, for example, as part of a news story. The result is that a
significant proportion of the primary site's regular users – potentially hundreds of thousands
of people – click that link in the space of a few hours, having the same effect on the target
website as a DDoS attack. A VIPDoS is the same, but specifically when the link was posted
by a celebrity.
An example of this occurred when Michael Jackson died in 2009. Websites such as Google
and Twitter slowed down or even crashed.[20] Many sites' servers thought the requests were
from a virus or spyware trying to cause a Denial of Service attack, warning users that their
queries looked like "automated requests from a computer virus or spyware application".[21]

News sites and link sites – sites whose primary function is to provide links to interesting
content elsewhere on the Internet – are most likely to cause this phenomenon. The canonical
example is the Slashdot effect when receiving traffic from Slashdot. Sites such as Digg, the
Drudge Report, Fark, Something Awful, and the webcomic Penny Arcade have their own
corresponding "effects", known as "the Digg effect", being "drudged", "farking",
"goonrushing" and "wanging"; respectively.

Routers have also been known to create unintentional DoS attacks, as both D-Link and
Netgear routers have created NTP vandalism by flooding NTP servers without respecting the
restrictions of client types or geographical limitations.

Similar unintentional denials of service can also occur via other media, e.g. when a URL is
mentioned on television. If a server is being indexed by Google or another search engine
during peak periods of activity, or does not have a lot of available bandwidth while being
indexed, it can also experience the effects of a DoS attack.

Legal action has been taken in at least one such case. In 2006, Universal Tube & Rollform
Equipment Corporation sued YouTube: massive numbers of would-be youtube.com users
accidentally typed the tube company's URL, utube.com. As a result, the tube company ended
up having to spend large amounts of money on upgrading their bandwidth.[22]

[edit] Denial-of-Service Level II

The goal of DoS L2 (possibly DDoS) attack is to cause a launching of a defense mechanism
which blocks the network segment from which the attack originated. In case of distributed
attack or IP header modification (that depends on the kind of security behavior) it will fully
block the attacked network from Internet, but without system crash.

[edit] Performing DoS-attacks

A wide array of programs are used to launch DoS-attacks. Most of these programs are
completely focused on performing DoS-attacks, while others are also true Packet injectors,
thus able to perform other tasks as well. Such tools are intended for benign use, but they can
also be utilized in launching attacks on victim networks.

[edit] Prevention and response

Defending against Denial of Service attacks typically involves the use of a combination of
attack detection, traffic classification and response tools, aiming to block traffic that they
identify as illegitimate and allow traffic that they identify as legitimate.[23] A list of
prevention and response tools is provided below:
[edit] Firewalls

Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Some
DoS attacks are too complex for today's firewalls, e.g. if there is an attack on port 80 (web
service), firewalls cannot prevent that attack because they cannot distinguish good traffic
from DoS attack traffic.[24] Additionally, firewalls are too deep in the network hierarchy.
Routers may be affected even before the firewall gets the traffic. Nonetheless, firewalls can
effectively prevent users from launching simple flooding type attacks from machines behind
the firewall.

Some stateful firewalls, like OpenBSD's pf(4) packet filter, can act as a proxy for
connections: the handshake is validated (with the client) instead of simply forwarding the
packet to the destination. It is available for other BSDs as well. In that context, it is called
"synproxy".

[edit] Switches

Most switches have some rate-limiting and ACL capability. Some switches provide automatic
and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep
packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of
service attacks through automatic rate filtering and WAN Link failover and balancing.[citation
needed]

These schemes will work as long as the DoS attacks are something that can be prevented by
using them. For example SYN flood can be prevented using delayed binding or TCP splicing.
Similarly content based DoS can be prevented using deep packet inspection. Attacks
originating from dark addresses or going to dark addresses can be prevented using Bogon
filtering. Automatic rate filtering can work as long as you have set rate-thresholds correctly
and granularly. Wan-link failover will work as long as both links have DoS/DDoS prevention
mechanism.[citation needed]

[edit] Routers

Similar to switches, routers have some rate-limiting and ACL capability. They, too, are
manually set. Most routers can be easily overwhelmed under DoS attack. If you add rules to
take flow statistics out of the router during the DoS attacks, they further slow down and
complicate the matter. Cisco IOS has features that prevent flooding, i.e. example settings.[25]

[edit] Application front end hardware

Application front end hardware is intelligent hardware placed on the network before traffic
reaches the servers. It can be used on networks in conjunction with routers and switches.
Application front end hardware analyzes data packets as they enter the system, and then
identifies them as priority, regular, or dangerous. There are more than 25 bandwidth
management vendors. Hardware acceleration is key to bandwidth management.[citation needed]

[edit] IPS based prevention

Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with
them. However, the trend among the attacks is to have legitimate content but bad intent.
Intrusion-prevention systems which work on content recognition cannot block behavior-
based DoS attacks.[citation needed]

An ASIC based IPS can detect and block denial of service attacks because they have the
processing power and the granularity to analyze the attacks and act like a circuit breaker in an
automated way.[citation needed]

A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the
traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow
while blocking the DoS attack traffic.[citation needed]

[edit] DDS based defense

More focused on the problem than IPS, a DoS Defense System (DDS) is able to block
connection-based DoS attacks and those with legitimate content but bad intent. A DDS can
also address both protocol attacks (such as Teardrop and Ping of death) and rate-based attacks
(such as ICMP floods and SYN floods).

Like IPS, a purpose-built system, such as the well-known Top Layer IPS products, can detect
and block denial of service attacks at much nearer line speed than a software based system.

[edit] Blackholing and sinkholing

With blackholing, all the traffic to the attacked DNS or IP address is sent to a "black hole"
(null interface, non-existent server, ...). To be more efficient and avoid affecting network
connectivity, it can be managed by the ISP.[26]

Sinkholing routes to a valid IP address which analyzes traffic and rejects bad ones.
Sinkholing is not efficient for most severe attacks.

[edit] Clean pipes

All traffic is passed through a "cleaning center" or a "scrubbing center" via various methods
such as proxies, tunnels or even direct circuits, which separates "bad" traffic (DDoS and also
other common internet attacks) and only sends good traffic beyond to the server. The
provider needs central connectivity to the Internet to manage this kind of service unless they
happen to be located within the same facility as the "cleaning center" or "scrubbing
center".[27]

Prolexic, Tata Communications and Verisign are examples of providers of this service.[28][29]

[edit] Side effects of DoS attacks

[edit] Backscatter
See also: Backscatter (email) and Internet background noise

In computer network security, backscatter is a side-effect of a spoofed denial of service

(DoS) attack. In this kind of attack, the attacker spoofs (or forges) the source address in IP
packets sent to the victim. In general, the victim machine cannot distinguish between the
spoofed packets and legitimate packets, so the victim responds to the spoofed packets as it
normally would. These response packets are known as backscatter.[30]

If the attacker is spoofing source addresses randomly, the backscatter response packets from
the victim will be sent back to random destinations. This effect can be used by network
telescopes as indirect evidence of such attacks.

The term "backscatter analysis" refers to observing backscatter packets arriving at a

statistically significant portion of the IP address space to determine characteristics of DoS
attacks and victims.

Spoofing attack
In the context of network security, a spoofing attack is a situation in which one person or
program successfully masquerades as another by falsifying data and thereby gaining an
illegitimate advantage.

Spoofing and TCP/IP

Many of the protocols in the TCP/IP suite do not provide mechanisms for authenticating the
source or destination of a message. They are thus vulnerable to spoofing attacks when extra
precautions are not taken by applications to verify the identity of the sending or receiving
host. IP spoofing and ARP spoofing in particular may be used to leverage man-in-the-middle
attacks against hosts on a computer network. Spoofing attacks which take advantage of
TCP/IP suite protocols may be mitigated with the use of firewalls capable of deep packet
inspection or by taking measures to verify the identity of the sender or recipient of a message.

[edit] Referrer spoofing

Some websites, especially pornographic paysites, allow access to their materials only from
certain approved (login-) pages. This is enforced by checking the referrer header of the HTTP
request. This referrer header however can be changed (known as "referrer spoofing" or "Ref-
tar spoofing"), allowing users to gain unauthorized access to the materials.

[edit] Poisoning of file-sharing networks

"Spoofing" can also refer to copyright holders placing distorted or unlistenable versions of
works on file-sharing networks, to discourage downloading from these sources.

[edit] Caller ID spoofing

Main article: Caller ID spoofing

In public telephone networks, it has for a long while been possible to find out who is calling
you by looking at the Caller ID information that is transmitted with the call. There are
technologies that transmit this information on landlines, on cellphones and also with VoIP.
Unfortunately, there are now technologies (especially associated with VoIP) that allow callers
to lie about their identity, and present false names and numbers, which could of course be
used as a tool to defraud or harass. Because there are services and gateways that interconnect
VoIP with other public phone networks, these false Caller IDs can be transmitted to any
phone on the planet, which makes the whole Caller ID information now next to useless. Due
to the distributed geographic nature of the Internet, VoIP calls can be generated in a different
country to the receiver, which means that it is very difficult to have a legal framework to
control those who would use fake Caller IDs as part of a scam.[1]

[edit] Voice Mail Spoofing and How to Protect Yourself From Unauthorized
Access
Main article: Voice Mail spoofing

Spoofing technology enables someone to make it seem as though they are calling from your
telephone when they are not. The use of this technology for deceptive purposes is illegal.

In order to prevent unauthorized voicemail access from fraudulent activity such as caller ID
spoofing, you should continue to use the voicemail passcode established when you set up
your account. If you decide to skip using the voicemail passcode established when you set up
your account, your voice mail messages can be vulnerable to unauthorized access with
spoofing.

In most cases, you can change a voicemail passcode or adjust settings to re-enable the use of
a passcode for retrieving messages, just access your voicemail and follow the prompts.

This information was found within the self-service feature of Sprint Zone in user's cell phone
when selecting the option, Device Tips and Tricks, then, Voice Mail & Device Security.

[edit] E-mail address spoofing

Main article: E-mail spoofing

The sender information shown in e-mails (the "From" field) can be spoofed easily. This
technique is commonly used by spammers to hide the origin of their e-mails and leads to
problems such as misdirected bounces (i.e. e-mail spam backscatter).

E-mail address spoofing is done in quite the same way as writing a forged return address
using snail mail. As long as the letter fits the protocol, (i.e. stamp, postal code) the SMTP
protocol will send the message. It can be done using a mail server with telnet.[2]

[edit] GPS Spoofing

A GPS spoofing attack attempts to deceive a GPS receiver by broadcasting a slightly more
powerful signal than that received from the GPS satellites, structured to resemble a set of
normal GPS signals. These spoofed signals, however, are modified in such a way as to cause
the receiver to determine its position to be somewhere other than where it actually is,
specifically somewhere determined by the attacker. Because GPS systems work by measuring
the time it takes for a signal to travel from the satellite to the receiver, a successful spoofing
requires that the attacker know precisely where the target is so that the spoofed signal can be
structured with the proper signal delays. A GPS spoofing attack begins by broadcasting a
slightly more powerful signal that produces the correct position, and then slowly deviates
away towards the position desired by the spoofer, because moving too quickly will cause the
receiver to lose signal lock altogether, at which point the spoofer works only as a jammer. It
has been suggested that the capture of a Lockheed RQ-170 drone aircraft in northeastern Iran
in December, 2011, was the result of such an attack.[3] GPS spoofing attacks had been
predicted and discussed in the GPS community previously, but no known example of a
malicious spoofing attack has yet been confirmed.[4][5][6]

Protocol spoofing
From Wikipedia, the free encyclopedia
Jump to: navigation, search

Protocol spoofing is used in data communications to improve performance in situations

where an existing protocol is inadequate, for example due to long delays or high error rates.

Spoofing techniques

In most applications of protocol spoofing, a communications device such as a modem or

router simulates ("spoofs") the remote endpoint of a connection to a locally attached host,
while using a more appropriate protocol to communicate with a compatible remote device
that performs the equivalent spoof at the other end of the communications link.

[edit] File transfer spoofing

Error correction and file transfer protocols typically work by calculating a checksum or CRC
for a block of data known as a packet, and transmitting the resulting number at the end of the
packet. At the other end the receiver re-calculates the number and compares it to what was
sent from the remote machine. If the two match the packet was transmitted correctly, and the
receiver sends an ACK to signal that it's ready to receive the next packet.

The time to transmit the ACK back to the sender is a function of the phone lines, as opposed to
the modem's speed, and is typically about 1/10 of a second. For a protocol using small
packets, this delay can be larger than the time needed to send a packet. For instance, the
UUCP "g" protocol and Kermit both use 64-byte packets, which on a 9600 bit/s link takes
about 1/20th of a second to send. XModem used a slightly larger 128 byte packet.

In early high-speed modems, before the introduction of echo cancellation in v.32 and later
protocols, modems typically had a very slow "backchannel" for sending things like these
ACKs back to the sender. On a ~18,000 bit/s TrailBlazer, for instance, the modem could send
as many as 35 UUCP packets a second, but the backchannel offered only 75 bit/s, not nearly
enough for the 35 bytes (280 bits) of ACK messages to get back in time to keep the transfer
going.

Modems like TrailBlazer or Multi-Tech series address this by sending ACKs back from the
local modem immediately. This allows the sending machine to continue streaming constantly
with no interruptions. The data is then sent to the remote modem using an error-free link
which requires considerably less backchannel overhead, invisibly stripping it off again at the
far end. Likewise, the remote modem discards the ACKs being sent by the receiver's software.
[edit] TCP spoofing

TCP connections may suffer from performance limitations due to insufficient window size
for links with high bandwidth x delay product, and on long-delay links such as those over
GEO satellites, TCP's slow-start algorithm significantly delays connection startup. A
spoofing router terminates the TCP connection locally and translates the TCP to protocols
tailored to long delays over the satellite link such as XTP.

[edit] RIP/SAP spoofing

SAP and RIP periodically broadcast network information even if routing/service tables are
unchanged. dial-on-demand WAN links in IPX networks therefore never become idle and
won't disconnect. A spoofing router or modem will intercept the SAP and RIP broadcasts,
and re-broadcast the advertisements from its own routing/service table that it only updates
when the link is active for other reasons.

Man-in-the-middle attack
The man-in-the-middle attack (often abbreviated MITM, also known as a bucket brigade
attack, or sometimes Janus attack[citation needed]) in cryptography and computer security is a
form of active eavesdropping in which the attacker makes independent connections with the
victims and relays messages between them, making them believe that they are talking directly
to each other over a private connection, when in fact the entire conversation is controlled by
the attacker. The attacker must be able to intercept all messages going between the two
victims and inject new ones, which is straightforward in many circumstances (for example,
an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert
himself as a man-in-the-middle).[citation needed]

A man-in-the-middle attack can succeed only when the attacker can impersonate each
endpoint to the satisfaction of the other—it is an attack on (or lack of) mutual authentication.
Most cryptographic protocols include some form of endpoint authentication specifically to
prevent MITM attacks. For example, SSL can authenticate one or both parties using a
mutually trusted certification authority.

Need for additional transfer over a secure channel

With the exception of Interlock Protocol, all cryptographic systems that are secure against
MITM attacks require an additional exchange or transmission of information over some kind
of secure channel. Many key agreement methods have been developed, with different security
requirements for the secure channel.[citation needed]
[edit] Example of an attack

Illustration of man-in-the-middle attack.

Suppose Alice wishes to communicate with Bob. Meanwhile, Mallory wishes to intercept the
conversation to eavesdrop and possibly deliver a false message to Bob.

First, Alice asks Bob for his public key. If Bob sends his public key to Alice, but Mallory is
able to intercept it, a man-in-the-middle attack can begin. Mallory sends a forged message to
Alice that claims to be from Bob, but instead includes Mallory's public key.

Alice, believing this public key to be Bob's, encrypts her message with Mallory's key and
sends the enciphered message back to Bob. Mallory again intercepts, deciphers the message
using her private key, possibly alters it if she wants, and re-enciphers it using the public key
Bob originally sent to Alice. When Bob receives the newly enciphered message, he believes
it came from Alice.

1. Alice sends a message to Bob, which is intercepted by Mallory:

Alice "Hi Bob, it's Alice. Give me your key"--> Mallory Bob

2. Mallory relays this message to Bob; Bob cannot tell it is not really from Alice:

Alice Mallory "Hi Bob, it's Alice. Give me your key"--> Bob

3. Bob responds with his encryption key:

Alice Mallory <--[Bob's_key] Bob

4. Mallory replaces Bob's key with her own, and relays this to Alice, claiming that it is Bob's
key:

Alice <--[Mallory's_key] Mallory Bob

5. Alice encrypts a message with what she believes to be Bob's key, thinking that only Bob
can read it:

Alice "Meet me at the bus stop!"[encrypted with Mallory's key]--> Mallory

Bob
6. However, because it was actually encrypted with Mallory's key, Mallory can decrypt it,
read it, modify it (if desired), re-encrypt with Bob's key, and forward it to Bob:

Alice Mallory "Meet me at 22nd Ave!"[encrypted with Bob's key]-->

Bob

7. Bob thinks that this message is a secure communication from Alice.

This example shows the need for Alice and Bob to have some way to ensure that they are
truly using each other's public keys, rather than the public key of an attacker. Otherwise, such
attacks are generally possible, in principle, against any message sent using public-key
technology. Fortunately, there are a variety of techniques that help defend against MITM
attacks.

[edit] Defenses against the attack

This unreferenced section requires citations to ensure verifiability.

Various defenses against MITM attacks use authentication techniques that are based on[citation
needed]
:

 Public key infrastructures

o PKI mutual authentication The main defence in a PKI scenario is mutual
authentication. In this case as well as the application validating the user (not much
use if the application is rogue) - the users devices validates the application - hence
distinguishing rogue applications from genuine applications[citation needed]
 Stronger mutual authentication, such as:
o Secret keys (which are usually high information entropy secrets, and thus more
secure), or
o Passwords (which are usually low information entropy secrets, and thus less secure)
 Latency examination, such as with long Cryptographic hash function calculations that lead
into tens of seconds; if both parties take 20 seconds normally, and the calculation takes 60
seconds to reach each party, this can indicate a third party
 Second (secure) channel verification
 One-time pads are immune to MITM attacks, assuming the security and trust of the one-
time pad.
 Carry-forward verification
 Testing is being carried out on deleting compromised certificates from issuing authorities on
the actual computers and compromised certificates are being exported to sandbox area
before removal for analysis

The integrity of public keys must generally be assured in some manner, but need not be
secret. Passwords and shared secret keys have the additional secrecy requirement. Public keys
can be verified by a Certificate Authority, whose public key is distributed through a secure
channel (for example, with a web browser or OS installation). Public keys can also be
verified by a web of trust that distributes public keys through a secure channel (for example
by face-to-face meetings).
See key-agreement protocol for a classification of protocols that use various forms of keys
and passwords to prevent man-in-the-middle attacks.

[edit] Forensic analysis of MITM attacks

Captured network traffic from what is suspected to be a MITM attack can be analyzed in
order to determine if it really was a MITM attack or not. Important evidence to analyze when
doing network forensics of a suspected SSL MITM attack include:[1]

 IP address of the server

 DNS name of the server
 X.509 certificate of the server
o Is the certificate self signed?
o Is the certificate signed by a trusted CA?
o Has the certificate been revoked?
o Has the certificate been changed recently?
o Do other clients, elsewhere on the Internet, also get the same certificate?

[edit] Quantum cryptography

Quantum cryptography protocols typically authenticate part or all of their classical

communication with an unconditionally secure authentication scheme e.g. Wegman-Carter
authentication.[2]

[edit] Beyond cryptography

A notable non-cryptographic man-in-the-middle attack was perpetrated by one version of a

Belkin wireless network router in 2003. Periodically, it would take over an HTTP connection
being routed through it: this would fail to pass the traffic on to destination, but instead itself
respond as the intended server. The reply it sent, in place of the web page the user had
requested, was an advertisement for another Belkin product. After an outcry from technically
literate users, this 'feature' was removed from later versions of the router's firmware.[3]

Another example of a non-cryptographic man-in-the-middle attack is the "Turing porn farm."

Brian Warner says this is a "conceivable attack" that spammers could use to defeat
CAPTCHAs.[4] The spammer sets up a pornographic web site where access requires that the
user solves the CAPTCHAs in question. However, Jeff Atwood points out that this attack is
merely theoretical — there was no evidence by 2006 that any spammer had ever built a
Turing porn farm.[5] However, as reported in an October, 2007 news story, spammers have
indeed built a Windows game in which users type in CAPTCHAs acquired from the Yahoo
webmail service, and are rewarded with pornographic pictures.[6] This allows the spammers
to create temporary free email accounts with which to send out spam.

ARP spoofing

ARP spoofing[1] is a computer hacking technique whereby an attacker sends fake ("spoofed")
Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim
is to associate the attacker's MAC address with the IP address of another host (such as the
default gateway), causing any traffic meant for that IP address to be sent to the attacker
instead.

ARP spoofing may allow an attacker to intercept data frames on a LAN, modify the traffic, or
stop the traffic altogether. Often the attack is used as an opening for other attacks, such as
denial of service, man in the middle, or session hijacking attacks.[2]

The attack can only be used on networks that make use of the Address Resolution Protocol
(ARP), and is limited to local network segments.[3]

A successful ARP spoofing attack allows an attacker to alter routing on a network, effectively
allowing for a man-in-the-middle attack.

Smurf attack
From Wikipedia, the free encyclopedia
Jump to: navigation, search

The Smurf attack is a way of generating significant computer network traffic on a victim
network. This is a type of denial-of-service attack that floods a system via spoofed broadcast
ping messages.

This attack relies on a perpetrator sending a large amount of ICMP echo request (ping) traffic
to IP broadcast addresses, all of which have a spoofed source IP address of the intended
victim. If the routing device delivering traffic to those broadcast addresses delivers the IP
broadcast to all hosts (for example via a layer 2 broadcast), most hosts on that IP network will
take the ICMP echo request and reply to it with an echo reply, multiplying the traffic by the
number of hosts responding. On a multi-access broadcast network, hundreds of machines
might reply to each packet. This is partly why it became known as the Smurf attack, because
with proper visualization, it fits the stereotype of Smurfs[clarification needed][1]

In the late 1990s, many IP networks would participate in Smurf attacks (that is, they would
respond to pings to broadcast addresses). Today, thanks largely to the ease with which
administrators can make a network immune to this abuse, very few networks remain
vulnerable to Smurf attacks.[2]
The fix is two-fold:

1. Configure individual hosts and routers not to respond to ping requests or broadcasts.
2. Configure routers not to forward packets directed to broadcast addresses. Until 1999,
standards required routers to forward such packets by default, but, in that year, the
standard was changed to require the default to be not to forward.[3]

Another proposed solution is network ingress filtering which rejects the attacking packets on
the basis of the forged source address.[4]

An example of configuring a router not to forward packets to broadcast addresses, for a Cisco
router, is:

Router(config-if)# no ip directed-broadcast

(This example does not prevent a network from becoming the target of Smurf attack; it
merely prevents the network from "attacking" other networks, or, better said, taking part in a
Smurf attack.)

A Smurf amplifier is a computer network that lends itself to being used in a Smurf attack.
Smurf amplifiers act to worsen the severity of a Smurf attack because they are configured in
such a way that they generate a large number of ICMP replies to the victim at the spoofed
source IP address.

Buffer overflow
From Wikipedia, the free encyclopedia
Jump to: navigation, search

In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly

where a program, while writing data to a buffer, overruns the buffer's boundary and
overwrites adjacent memory. This is a special case of violation of memory safety.

Buffer overflows can be triggered by inputs that are designed to execute code, or alter the
way the program operates. This may result in erratic program behavior, including memory
access errors, incorrect results, a crash, or a breach of system security. Thus, they are the
basis of many software vulnerabilities and can be maliciously exploited.

Programming languages commonly associated with buffer overflows include C and C++,
which provide no built-in protection against accessing or overwriting data in any part of
memory and do not automatically check that data written to an array (the built-in buffer type)
is within the boundaries of that array. Bounds checking can prevent buffer overflows.

Technical description

A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking,
corrupts data values in memory addresses adjacent to the allocated buffer. Most commonly
this occurs when copying strings of characters from one buffer to another.
[edit] Basic example

In the following example, a program has defined two data items which are adjacent in
memory: an 8-byte-long string buffer, A, and a two-byte integer, B. Initially, A contains
nothing but zero bytes, and B contains the number 1979. Characters are one byte wide.

variable name A B

value [null string] 1979

hex value 00 00 00 00 00 00 00 00 07 BB

Now, the program attempts to store the null-terminated string "excessive" in the A buffer.
By failing to check the length of the string, it overwrites the value of B:

variable name A B

value 'e' 'x' 'c' 'e' 's' 's' 'i' 'v' 25856

hex 65 78 63 65 73 73 69 76 65 00

Although the programmer did not intend to change B at all, B's value has now been replaced
by a number formed from part of the character string. In this example, on a big-endian system
that uses ASCII, "e" followed by a zero byte would become the number 25856. If B was the
only other variable data item defined by the program, writing an even longer string that went
past the end of B could cause an error such as a segmentation fault, terminating the process.

For more details on stack-based overflows, see Stack buffer overflow.

[edit] Exploitation

The techniques to exploit a buffer overflow vulnerability vary per architecture, operating
system and memory region. For example, exploitation on the heap (used for dynamically
allocated memory), is very different from exploitation on the call stack.

[edit] Stack-based exploitation

Main article: Stack buffer overflow

A technically inclined user may exploit stack-based buffer overflows to manipulate the
program to their advantage in one of several ways:

 By overwriting a local variable that is near the buffer in memory on the stack to change the
behaviour of the program which may benefit the attacker.
 By overwriting the return address in a stack frame. Once the function returns, execution will
resume at the return address as specified by the attacker, usually a user input filled buffer.
 By overwriting a function pointer,[1] or exception handler, which is subsequently executed.
With a method called "trampolining", if the address of the user-supplied data is unknown, but
the location is stored in a register, then the return address can be overwritten with the address
of an opcode which will cause execution to jump to the user supplied data. If the location is
stored in a register R, then a jump to the location containing the opcode for a jump R, call R
or similar instruction, will cause execution of user supplied data. The locations of suitable
opcodes, or bytes in memory, can be found in DLLs or the executable itself. However the
address of the opcode typically cannot contain any null characters and the locations of these
opcodes can vary between applications and versions of the operating system. The Metasploit
Project is one such database of suitable opcodes, though only those found in the Windows
operating system are listed.[2]

Stack-based buffer overflows are not to be confused with stack overflows.

Also note that these vulnerabilities are usually discovered through the use of a fuzzer.[3]

[edit] Heap-based exploitation

Main article: Heap overflow

A buffer overflow occurring in the heap data area is referred to as a heap overflow and is
exploitable in a different manner to that of stack-based overflows. Memory on the heap is
dynamically allocated by the application at run-time and typically contains program data.
Exploitation is performed by corrupting this data in specific ways to cause the application to
overwrite internal structures such as linked list pointers. The canonical heap overflow
technique overwrites dynamic memory allocation linkage (such as malloc meta data) and uses
the resulting pointer exchange to overwrite a program function pointer.

Microsoft's GDI+ vulnerability in handling JPEGs is an example of the danger a heap

overflow can present.[4]

[edit] Barriers to exploitation

Manipulation of the buffer, which occurs before it is read or executed, may lead to the failure
of an exploitation attempt. These manipulations can mitigate the threat of exploitation, but
may not make it impossible. Manipulations could include conversion to upper or lower case,
removal of metacharacters and filtering out of non-alphanumeric strings. However,
techniques exist to bypass these filters and manipulations; alphanumeric code, polymorphic
code, self-modifying code and return-to-libc attacks. The same methods can be used to avoid
detection by intrusion detection systems. In some cases, including where code is converted
into unicode,[5] the threat of the vulnerability have been misrepresented by the disclosers as
only Denial of Service when in fact the remote execution of arbitrary code is possible.

[edit] Practicalities of exploitation

In real-world exploits there are a variety of challenges which need to be overcome for
exploits to operate reliably. These factors include null bytes in addresses, variability in the
location of shellcode, differences between environments and various counter-measures in
operation.

[edit] NOP sled technique

Main article: NOP slide
Illustration of a NOP-sled payload on the stack.

A NOP-sled is the oldest and most widely known technique for successfully exploiting a
stack buffer overflow.[6] It solves the problem of finding the exact address of the buffer by
effectively increasing the size of the target area. To do this much larger sections of the stack
are corrupted with the no-op machine instruction. At the end of the attacker-supplied data,
after the no-op instructions, an instruction to perform a relative jump to the top of the buffer
where the shellcode is located. This collection of no-ops is referred to as the "NOP-sled"
because if the return address is overwritten with any address within the no-op region of the
buffer it will "slide" down the no-ops until it is redirected to the actual malicious code by the
jump at the end. This technique requires the attacker to guess where on the stack the NOP-
sled is instead of the comparatively small shellcode.[7]

Because of the popularity of this technique, many vendors of intrusion prevention systems
will search for this pattern of no-op machine instructions in an attempt to detect shellcode in
use. It is important to note that a NOP-sled does not necessarily contain only traditional no-op
machine instructions; any instruction that does not corrupt the machine state to a point where
the shellcode will not run can be used in place of the hardware assisted no-op. As a result it
has become common practice for exploit writers to compose the no-op sled with randomly
chosen instructions which will have no real effect on the shellcode execution.[8]
While this method greatly improves the chances that an attack will be successful, it is not
without problems. Exploits using this technique still must rely on some amount of luck that
they will guess offsets on the stack that are within the NOP-sled region.[9] An incorrect guess
will usually result in the target program crashing and could alert the system administrator to
the attacker's activities. Another problem is that the NOP-sled requires a much larger amount
of memory in which to hold a NOP-sled large enough to be of any use. This can be a problem
when the allocated size of the affected buffer is too small and the current depth of the stack is
shallow (i.e. there is not much space from the end of the current stack frame to the start of the
stack). Despite its problems, the NOP-sled is often the only method that will work for a given
platform, environment, or situation; as such it is still an important technique.

[edit] The jump to address stored in a register technique

The "jump to register" technique allows for reliable exploitation of stack buffer overflows
without the need for extra room for a NOP-sled and without having to guess stack offsets.
The strategy is to overwrite the return pointer with something that will cause the program to
jump to a known pointer stored within a register which points to the controlled buffer and
thus the shellcode. For example if register A contains a pointer to the start of a buffer then
any jump or call taking that register as an operand can be used to gain control of the flow of
execution.[10]

An instruction from ntdll.dll to call the DbgPrint() routine contains the i386 machine opcode for
jmp esp.

In practice a program may not intentionally contain instructions to jump to a particular

register. The traditional solution is to find an unintentional instance of a suitable opcode at a
fixed location somewhere within the program memory. In figure E on the left you can see an
example of such an unintentional instance of the i386 jmp esp instruction. The opcode for
this instruction is FF E4.[11] This two byte sequence can be found at a one byte offset from the
start of the instruction call DbgPrint at address 0x7C941EED. If an attacker overwrites the
program return address with this address the program will first jump to 0x7C941EED, interpret
the opcode FF E4 as the jmp esp instruction, and will then jump to the top of the stack and
execute the attacker's code.[12]

When this technique is possible the severity of the vulnerability increases considerably. This
is because exploitation will work reliably enough to automate an attack with a virtual
guarantee of success when it is run. For this reason, this is the technique most commonly
used in Internet worms that exploit stack buffer overflow vulnerabilities.[13]
This method also allows shellcode to be placed after the overwritten return address on the
Windows platform. Since executables are mostly based at address 0x00400000 and x86 is a
Little Endian architecture, the last byte of the return address must be a null, which terminates
the buffer copy and nothing is written beyond that. This limits the size of the shellcode to the
size of the buffer, which may be overly restrictive. DLLs are located in high memory (above
0x01000000) and so have addresses containing no null bytes, so this method can remove null
bytes (or other disallowed characters) from the overwritten return address. Used in this way,
the method is often referred to as "DLL Trampolining".

[edit] Protective countermeasures

Various techniques have been used to detect or prevent buffer overflows, with various
tradeoffs. The most reliable way to avoid or prevent buffer overflows is to use automatic
protection at the language level. This sort of protection, however, cannot be applied to legacy
code, and often technical, business, or cultural constraints call for a vulnerable language. The
following sections describe the choices and implementations available.

[edit] Choice of programming language

The choice of programming language can have a profound effect on the occurrence of buffer
overflows. As of 2008, among the most popular languages are C and its derivative, C++, with
a vast body of software having been written in these languages. C and C++ provide no built-
in protection against accessing or overwriting data in any part of memory; more specifically,
they do not check that data written to a buffer is within the boundaries of that buffer.
However, the standard C++ libraries provide many ways of safely buffering data, and
techniques to avoid buffer overflows also exist for C.

Many other programming languages provide runtime checking and in some cases even
compile-time checking which might send a warning or raise an exception when C or C++
would overwrite data and continue to execute further instructions until erroneous results are
obtained which might or might not cause the program to crash. Examples of such languages
include Ada, Eiffel, Lisp, Modula-2, Smalltalk, OCaml and such C-derivatives as Cyclone
and D. The Java and .NET Framework bytecode environments also require bounds checking
on all arrays. Nearly every interpreted language will protect against buffer overflows,
signalling a well-defined error condition. Often where a language provides enough type
information to do bounds checking an option is provided to enable or disable it. Static code
analysis can remove many dynamic bound and type checks, but poor implementations and
awkward cases can significantly decrease performance. Software engineers must carefully
consider the tradeoffs of safety versus performance costs when deciding which language and
compiler setting to use.

[edit] Use of safe libraries

The problem of buffer overflows is common in the C and C++ languages because they
expose low level representational details of buffers as containers for data types. Buffer
overflows must thus be avoided by maintaining a high degree of correctness in code which
performs buffer management. It has also long been recommended to avoid standard library
functions which are not bounds checked, such as gets, scanf and strcpy. The Morris worm
exploited a gets call in fingerd.[14]
Well-written and tested abstract data type libraries which centralize and automatically
perform buffer management, including bounds checking, can reduce the occurrence and
impact of buffer overflows. The two main building-block data types in these languages in
which buffer overflows commonly occur are strings and arrays; thus, libraries preventing
buffer overflows in these data types can provide the vast majority of the necessary coverage.
Still, failure to use these safe libraries correctly can result in buffer overflows and other
vulnerabilities; and naturally, any bug in the library itself is a potential vulnerability. "Safe"
library implementations include "The Better String Library",[15] Vstr [16] and Erwin.[17] The
OpenBSD operating system's C library provides the strlcpy and strlcat functions, but these
are more limited than full safe library implementations.

In September 2007, Technical Report 24731, prepared by the C standards committee, was
published;[citation needed] it specifies a set of functions which are based on the standard C
library's string and I/O functions, with additional buffer-size parameters. However, the
efficacy of these functions for the purpose of reducing buffer overflows is disputable; it
requires programmer intervention on a per function call basis that is equivalent to
intervention that could make the analogous older standard library functions buffer overflow
safe.[18]

[edit] Buffer overflow protection

Main article: Buffer overflow protection

Buffer overflow protection is used to detect the most common buffer overflows by checking
that the stack has not been altered when a function returns. If it has been altered, the program
exits with a segmentation fault. Three such systems are Libsafe,[19] and the StackGuard[20]
and ProPolice[21] gcc patches.

Microsoft's Data Execution Prevention mode explicitly protects the pointer to the SEH
Exception Handler from being overwritten.[22]

Stronger stack protection is possible by splitting the stack in two: one for data and one for
function returns. This split is present in the Forth language, though it was not a security-based
design decision. Regardless, this is not a complete solution to buffer overflows, as sensitive
data other than the return address may still be overwritten.

[edit] Pointer protection

Buffer overflows work by manipulating pointers (including stored addresses). PointGuard

was proposed as a compiler-extension to prevent attackers from being able to reliably
manipulate pointers and addresses.[23] The approach works by having the compiler add code
to automatically XOR-encode pointers before and after they are used. Because the attacker
(theoretically) does not know what value will be used to encode/decode the pointer, he cannot
predict what it will point to if he overwrites it with a new value. PointGuard was never
released, but Microsoft implemented a similar approach beginning in Windows XP SP2 and
Windows Server 2003 SP1.[24] Rather than implement pointer protection as an automatic
feature, Microsoft added an API routine that can be called at the discretion of the
programmer. This allows for better performance (because it is not used all of the time), but
places the burden on the programmer to know when it is necessary.
Because XOR is linear, an attacker may be able to manipulate an encoded pointer by
overwriting only the lower bytes of an address. This can allow an attack to succeed if the
attacker is able to attempt the exploit multiple times and/or is able to complete an attack by
causing a pointer to point to one of several locations (such as any location within a NOP
sled).[25] Microsoft added a random rotation to their encoding scheme to address this
weakness to partial overwrites.[26]

[edit] Executable space protection

Main article: Executable space protection

Executable space protection is an approach to buffer overflow protection which prevents

execution of code on the stack or the heap. An attacker may use buffer overflows to insert
arbitrary code into the memory of a program, but with executable space protection, any
attempt to execute that code will cause an exception.

Some CPUs support a feature called NX ("No eXecute") or XD ("eXecute Disabled") bit,
which in conjunction with software, can be used to mark pages of data (such as those
containing the stack and the heap) as readable and writeable but not executable.

Some Unix operating systems (e.g. OpenBSD, Mac OS X) ship with executable space
protection (e.g. W^X). Some optional packages include:

 PaX[27]
 Exec Shield[28]
 Openwall[29]

Newer variants of Microsoft Windows also support executable space protection, called Data
Execution Prevention.[30] Proprietary add-ons include:

 BufferShield[31]
 StackDefender[32]

Executable space protection does not generally protect against return-to-libc attacks, or any
other attack which does not rely on the execution of the attackers code. However, on 64-bit
systems using ASLR, as described below, executable space protection makes it far more
difficult to execute such attacks.

[edit] Address space layout randomization

Main article: Address space layout randomization

Address space layout randomization (ASLR) is a computer security feature which involves
arranging the positions of key data areas, usually including the base of the executable and
position of libraries, heap, and stack, randomly in a process' address space.

Randomization of the virtual memory addresses at which functions and variables can be
found can make exploitation of a buffer overflow more difficult, but not impossible. It also
forces the attacker to tailor the exploitation attempt to the individual system, which foils the
attempts of internet worms.[33] A similar but less effective method is to rebase processes and
libraries in the virtual address space.
[edit] Deep packet inspection
Main article: Deep packet inspection

The use of deep packet inspection (DPI) can detect, at the network perimeter, very basic
remote attempts to exploit buffer overflows by use of attack signatures and heuristics. These
are able to block packets which have the signature of a known attack, or if a long series of
No-Operation instructions (known as a nop-sled) is detected, these were once used when the
location of the exploit's payload is slightly variable.

Packet scanning is not an effective method since it can only prevent known attacks and there
are many ways that a 'nop-sled' can be encoded. Shellcode used by attackers can be made
alphanumeric, metamorphic, or self-modifying to evade detection by heuristic packet
scanners and intrusion detection systems.

Heap overflow
From Wikipedia, the free encyclopedia
Jump to: navigation, search

A heap overflow is a type of buffer overflow that occurs in the heap data area. Heap
overflows are exploitable in a different manner to that of stack-based overflows. Memory on
the heap is dynamically allocated by the application at run-time and typically contains
program data. Exploitation is performed by corrupting this data in specific ways to cause the
application to overwrite internal structures such as linked list pointers. The canonical heap
overflow technique overwrites dynamic memory allocation linkage (such as malloc meta
data) and uses the resulting pointer exchange to overwrite a program function pointer

Consequences

An accidental overflow may result in data corruption or unexpected behavior by any process
which uses the affected memory area. On operating systems without memory protection, this
could be any process on the system.

A deliberate exploit may result in data at a specific location being altered in an arbitrary way,
or in arbitrary code being executed.

The Microsoft JPEG GDI+ vulnerability MS04-028 is an example of the danger a heap
overflow can represent to a computer user.

iOS jailbreaking often uses Heap overflows to gain arbitrary code, usually for kernel exploits
to achieve the ability to replace the kernel with the one jailbreak provides.

[edit] Detection and Prevention

Since version 2.3.6 the GNU libc includes protections that can detect heap overflows after the
fact, for example by checking pointer consistency when calling unlink. While those
protections protect against old-style exploits, they are not perfect, as described in The Malloc
Maleficarum, further described in Malloc Des-Maleficarum.
Microsoft Windows operating systems implement protections against heap overflows since
Windows XP SP2 such as safe unlinking and cookies. It also can mitigate these threats
through the use of Data