.D. ATTACKING FROM THE INSIDE ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.D.1. KERNEL PANIC UNDER SOLARIS 2.3 ------------------------------------
Solaris 2.3 will panic (kernel panic) if the following is executed:
Ex: $ ndd /dev/udp udp_status
The solution is to install the proper patch.
.D.2. CRASHING THE X-SERVER ---------------------------
If the sticky bit is not set on /tmp, any user can remove the file /tmp/.X11-unix/X0 (the X server's Unix-domain socket) and the X server will crash. Check with ls -ld /tmp: the mode should be drwxrwxrwt, the trailing t being the sticky bit; if it is missing, set it with chmod 1777 /tmp.
Ex:
$ rm /tmp/.X11-unix/X0
.D.3. FILLING UP THE HARD DISK -----------------------------
If your disk space is not limited by a quota, or if you can write to /tmp, it is possible for you to fill up the file system.
Ex:
$ while : ; do mkdir .xxx; cd .xxx; done
Note that this loop eats inodes and directory blocks rather than file data, so make sure that any quota you rely on limits inodes as well as blocks.
.D.4. MALICIOUS USE OF eval ---------------------------
Some older systems will crash if eval '\!\!' is executed in the C shell.
Ex:
% eval '\!\!'
.D.5. MALICIOUS USE OF fork() -----------------------------
If someone executes this program (plain C; the original listing included iostream.h and called itself C++, but uses nothing from it), the result is a crash or an unusable machine on most systems that do not limit processes per user:
Ex:
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    int x;
    for (x = 0; x < 1000000; x++) {  /* the child continues this loop too */
        system("uptime");
        fork();
    }
    return 0;
}
You can use any command you want, but uptime is nice because it shows the load.
To make the attack bigger and uglier, replace uptime with sync (or fork both). This is very bad for the machine.
If you are really mean you could also fork a child process for every child process, which gives an exponential increase of workload.
There is no complete defence against this attack and its relatives, but it can be contained. Set a per-user limit on the number of processes (ulimit -u in ksh and bash, limit maxproc in csh, the maxuprc tunable on Solaris) together with limits on CPU time and process size, so that one user's fork() calls fail with EAGAIN instead of exhausting the process table. Check what a login shell actually gets with ulimit -a.
.D.6. CREATING FILES THAT IS HARD TO REMOVE -------------------------------------------
Well, all files can be removed, but here are some ideas:
Ex.I.
$ cat > -xxx
^C
$ ls
-xxx
$ rm -xxx
rm: illegal option -- x
rm: illegal option -- x
rm: illegal option -- x
usage: rm [-fiRr] file ...
$
Ex.II.
$ touch xxx!
$ rm xxx!
rm: remove xxx! (yes/no)? y
$ touch xxxxxxxxx!
$ rm xxxxxxxxx!
bash: !": event not found
$
(As you can see, the length does count!)
Other well-known methods are files with odd characters or spaces in the name.
These methods can be combined with ".D.3 FILLING UP THE HARD DISK". To remove such files you can use a script or a graphical interface such as OpenWindows' File Manager, or give rm something that does not look like an option: rm ./-xxx, or rm -- -xxx, both of which work for the first example if you have a shell. Quoting the name, as in rm 'xxxxxxxxx!', keeps the shell from expanding the ! before rm ever sees it.
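An added example (mine, not the paper's) that creates the awkward names from this section in a scratch directory and then removes them with the forms rm actually accepts. It assumes a POSIX sh with mktemp and ls -A, and returns 0 only if the directory is empty afterwards:

```sh
# Added example, not from the original paper: make the hard-to-remove
# names from D.6 in a scratch directory, then remove them properly.
demo_awkward_files() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        : > -xxx            # leading dash: "rm -xxx" parses it as options
        : > 'xxxxxxxxx!'    # trailing "!": csh and interactive bash expand it from history
        : > 'a b'           # embedded space: an unquoted name splits into two arguments
        rm -- -xxx          # "--" ends option parsing; "rm ./-xxx" works as well
        rm ./'xxxxxxxxx!'   # quoting stops history expansion; ./ keeps rm honest
        rm 'a b'
        [ -z "$(ls -A)" ]   # nothing may be left behind
    )
    status=$?
    rmdir "$dir" 2>/dev/null
    return $status
}

demo_awkward_files && echo "all awkward names removed"
```

The same two tricks, a path that starts with ./ and single quotes around the name, cover the odd-character and space cases as well; only names you cannot type at all need a script or a file manager.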
.D.7. DIRECTORY NAME LOOKUPCACHE --------------------------------
The directory name lookup cache (DNLC) is consulted whenever a file is opened; it maps a file name to a vnode. But the DNLC only caches names shorter than N characters (up to 14 characters on SunOS 4.x, up to 30 on Solaris 2.x); longer names miss the cache, so every lookup goes to the directory on disk. This makes it dead easy to launch a pretty discreet denial of service attack.
Create, let's say, 20 directories (for a start) and put 10 empty files in each. Give every file a name of more than 30 characters and run a script that does a lot of ls -al on the directories.
If the impact is not big enough, create more files or launch more processes.
.D.8. CSH ATTACK ----------------
Just start this under /bin/csh (after the necessary modification) and the load will get very high (100% of the CPU time) in a very short time.
Ex:
|I /bin/csh nodename : **************b
.D.9. CREATING FILES IN /tmp ----------------------------
Many programs create files in /tmp but cannot cope with the file already existing. In some cases this can be used for a denial of service attack, and when the program runs with privileges, for more than that. The check is simple: look for fixed, predictable file names under /tmp (in the program's strings or in truss output) and make sure a pre-existing file is treated as an error rather than reused, by creating it with O_CREAT|O_EXCL or by using a unique name as mkstemp does.
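An added example, not from the original paper, that shows the problem on a fixed name and the two usual fixes: a program that opens a predictable name silently reuses whatever an attacker planted there, noclobber (set -C) turns the pre-existing file into an error, and mktemp avoids the predictable name altogether. The scratch directory stands in for /tmp and the name app.lock is made up for the demo; it assumes a POSIX sh with mktemp:

```sh
# Added example, not from the original paper: fixed /tmp name vs. the
# two defences. Returns 0 if all three observations hold.
demo_tmp_collision() {
    scratch=$(mktemp -d) || return 1      # stands in for /tmp so the demo is self-contained
    planted="$scratch/app.lock"           # hypothetical predictable name

    echo "attacker was here" > "$planted" # attacker gets there first

    # Naive program: open the fixed name for writing. It "succeeds", but it
    # has just truncated and reused the attacker's file (or followed a symlink).
    : > "$planted"
    naive_reused=$?                       # 0: no error, nothing noticed

    # Fix 1: refuse to clobber. With noclobber set, ">" fails when the file
    # already exists, which is the condition the program must treat as an
    # attack instead of ignoring it. Run in a subshell so the shell survives.
    ( set -C; : > "$planted" ) 2>/dev/null
    noclobber_refused=$?                  # non-zero: creation refused

    # Fix 2: no predictable name at all. mktemp creates a fresh, unique,
    # mode-0600 file atomically, so there is nothing to pre-plant.
    fresh=$(mktemp "$scratch/app.XXXXXX") || return 1
    [ "$fresh" != "$planted" ] && [ -f "$fresh" ]
    mktemp_fresh=$?

    rm -rf "$scratch"
    [ "$naive_reused" -eq 0 ] && [ "$noclobber_refused" -ne 0 ] && [ "$mktemp_fresh" -eq 0 ]
}

demo_tmp_collision && echo "naive open reused the planted file; noclobber and mktemp did not"
```

The same distinction holds in C: open(path, O_CREAT|O_EXCL, mode) is the noclobber case, where EEXIST tells you someone was there first, and mkstemp() is the unique-name case.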
.D.10. USING RESOLV_HOST_CONF -----------------------------
Some systems have a little security hole in the way the resolver library honours the RESOLV_HOST_CONF environment variable: it names the file the resolver reads instead of /etc/host.conf, and since ping is setuid root we can point it at confidential data such as /etc/shadow and read it through ping, or crash the system. Most systems will crash if the variable points to /proc/kcore and ping is run. The fix is a patched resolver library; until it is installed, do not leave setuid programs linked against a resolver that trusts this variable.
Ex: $ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf
.D.11. SUN 4.X AND BACKGROUND JOBS ----------------------------------
Thanks to Mr David Honig <honig@amada.net> for the following:
" Put the string "a&" in a file called "a" and perform "chmod +x a". Running "a" will quickly disable a Sun 4.x machine, even disallowing (counter to specs) root login as the kernel process table fills."
" The cute thing is the size of the script, and how few keystrokes it takes to bring down a Sun as a regular user."
.D.12. CRASHING DG/UX WITH ULIMIT ---------------------------------
ulimit sets a limit on the system resources available to the shell. Under DG/UX, if ulimit 0 (a file size limit of zero) is in effect when /etc/passwd is rewritten, the passwd file ends up zero length.
.D.13. NETTUNE AND HP-UX ------------------------
/usr/contrib/bin/nettune is setuid root on HP-UX, meaning that any user can reset ARP, ICMP, IP, TCP and UDP kernel parameters, for example the following:
- arp_killcomplete
- arp_killincomplete
- arp_unicast
- arp_rebroadcast
- icmp_mask_agent
- ip_defaultttl
- ip_forwarding
- ip_intrqmax
- pmtu_defaulttime
- tcp_localsubnets
- tcp_receive
- tcp_send
- tcp_defaultttl
- tcp_keepstart
- tcp_keepfreq
- tcp_keepstop
- tcp_maxretrans
- tcp_urgent_data_ptr
- udp_cksum
- udp_defaultttl
- udp_newbcastenable
- udp_pmtu
- tcp_pmtu
- tcp_random_seq
The solution is to remove the setuid bit from nettune:
# chmod u-s /usr/contrib/bin/nettune
.D.14. SOLARIS 2.X AND NFS --------------------------
If a process is writing over NFS and the user exceeds the disk quota, the process goes into an infinite loop.
.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION --------------------------------------------------
By executing the following sequence of mount_union commands, any user can cause a system reload (crash) on all FreeBSD 2.x versions before 1996-05-18.
$ mkdir a
$ mkdir b
$ mount_union ~/a ~/b
$ mount_union -b ~/a ~/b
The solution is to remove the setuid bit from /sbin/mount_union:
# chmod u-s /sbin/mount_union
.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X ----------------------------------------------------
Executing the trap_mon instruction from user mode can cause a kernel panic or a window underflow watchdog reset under SunOS 4.1.x on the sun4c architecture.
.E. DUMPING CORE ~~~~~~~~~~~~~~~~
.E.1. SHORT COMMENT -------------------
Core dumps do not really belong in this paper, but I have put them here anyway.
.E.2. MALICIOUS USE OF NETSCAPE -------------------------------
Under Netscape 1.1N this link results in a segmentation fault and a core dump.
Ex:
<a name="http://xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx. xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx. xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx. xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx. xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx...>
.E.3. CORE DUMPED UNDER WUFTPD ------------------------------
A core dump can be produced under wu-ftpd in two different ways:
(1) When PASV is given before the user has logged in (ftp -n). Almost all versions of BSD-derived ftpd.
(2) When more than 100 arguments are given to any executable command. Present in all versions of BSD-derived ftpd.
.E.4. ld UNDER SOLARIS/X86 --------------------------
Under Solaris 2.4/x86, ld dumps core if given the -s option.
.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.F.1. BASIC SECURITY PROTECTION -------------------------------
.F.1.1. INTRODUCTION --------------------
You cannot make your system totally secure against denial of service attacks, but against attacks from the outside you can do a lot. I put this work list together and hope that it can be of some use.
.F.1.2. SECURITY PATCHES ------------------------
Always install the proper security patches. I do not want to list patch numbers, but that does not matter: you want to check that you have all security patches installed anyway, so get a list from your vendor and check! Also note that patches change over time and that a solution suggested in a security bulletin (from CERT, for example) is often somewhat temporary.
.F.1.3. PORT SCANNING ---------------------
Check which services you have. Do not check with the manual or some configuration file; instead scan the ports with sprobe or some other port scanner. You should actually do this regularly, to see that nobody has installed a service you do not want on the system (it could, for example, be a service used for a pirate site).
Disable every service that you do not need; this could for example be rexd, fingerd, systat, netstat, rusersd, sprayd, pop3, uucpd, echo, chargen, tftp, exec, ufs, daytime, time... Any combination of echo, time, daytime and chargen can be made to loop, one service's reply becoming the other's request. There is however no need to turn discard off. The discard service just reads a packet and discards it, so if you turn it off you become more sensitive to denial of service, not less.
Services can actually be found on many systems that can be used for denial of service and brute force attacks without any logging. For example, stock rexec never logs anything. Most POP daemons do not log anything either.
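An added example, not from the original paper: a small audit that picks the services listed above out of an inetd.conf. The configuration lines are constructed for the demo, not taken from a real host; run audit_inetd_conf /etc/inetd.conf to check a real one. It assumes a POSIX sh and awk, and it does not replace the port scan, since it only sees what inetd starts and not daemons started from the rc scripts:

```sh
# Added example, not from the original paper: flag enabled inetd.conf
# entries for the services the text says to switch off.

# The daemon names as the text lists them; discard is deliberately absent.
RISKY_SERVICES="rexd fingerd systat netstat rusersd sprayd pop3 uucpd echo chargen tftp exec ufs daytime time"

# Constructed sample (not from a real host); format is
# service socket-type protocol wait-status user program arguments
SAMPLE_INETD_CONF='# constructed sample inetd.conf
ftp      stream  tcp  nowait  root    /usr/sbin/in.ftpd      in.ftpd
telnet   stream  tcp  nowait  root    /usr/sbin/in.telnetd   in.telnetd
#finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
echo     stream  tcp  nowait  root    internal
echo     dgram   udp  wait    root    internal
chargen  stream  tcp  nowait  root    internal
discard  stream  tcp  nowait  root    internal
tftp     dgram   udp  wait    root    /usr/sbin/in.tftpd     in.tftpd -s /tftpboot
exec     stream  tcp  nowait  root    /usr/sbin/in.rexecd    in.rexecd'

# Reads inetd.conf from the files named as arguments (or from stdin) and
# prints "service protocol" for every enabled entry on the risky list.
# inetd.conf names the service (finger, uucp) while the text names the
# daemon (fingerd, uucpd), so both the bare name and name+"d" are checked.
audit_inetd_conf() {
    awk -v risky="$RISKY_SERVICES" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        $1 ~ /^#/ || NF < 3 { next }                          # comment or blank line
        ($1 in bad) || (($1 "d") in bad) { print $1, $3 }     # $3 is tcp or udp
    ' "$@"
}

# Against the sample this lists echo (tcp and udp), chargen, tftp and exec;
# the commented-out finger line and the discard line are left alone.
printf '%s\n' "$SAMPLE_INETD_CONF" | audit_inetd_conf
```

Each line printed is a service to comment out of inetd.conf, after which inetd must be sent SIGHUP to reread the file; rerun the port scan afterwards to confirm the port really closed.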
.F.1.4. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER ---------------------------------------------------------
Check the attacks described in this paper and look at the solutions. Some attacks you should perform yourself to see if they apply to your system, for example:
- Freezing up X-Windows.
- Malicious use of telnet.
- How to disable services.
- SunOS kernel panic.
- Attacking with lynx clients.
- Crashing systems with ping from Windows 95 machines.
That is, stress test your system with several services and look at the effect.
Note that Solaris 2.4 and later have a limit on the rate of ICMP error messages (1 per 500 ms, I think) that can cause problems when you test your system for some of the holes described in this paper. You can easily get around this for the duration of the test by executing this line (and set it back afterwards; the rate limit is itself a defence against ICMP floods):
$ /usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 0
.F.1.5. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER --------------------------------------------------------
Check the inside attacks too; although it is always possible to crash the system from the inside, you do not want it to be too easy. Several of the attacks also have applications besides denial of service, for example:
- Crashing the X-Server: if the sticky bit is not set on /tmp, a number of attacks to gain access can be performed.
- Using RESOLV_HOST_CONF: could be used to expose confidential data like /etc/shadow.
- Core dumped under wu-ftpd: could be used to extract password strings.
Where I have not given a solution I may have recommended some other paper. If not, I do not know of a paper with a solution that I feel I can recommend, and in those cases you should check with your vendor.
.F.1.6. EXTRA SECURITY SYSTEMS ------------------------------
Also think about whether you should install some extra security systems. The basics you should always install are a log daemon and a wrapper. A firewall can also be very good, but expensive. Free tools that can be found on the Internet are for example:
TYPE:      NAME:         URL:
LOGDAEMON  NETLOG        ftp://net.tamu.edu/pub/security/TAMU
WRAPPER    TCP WRAPPERS  ftp://cert.org/pub/tools/tcp_wrappers
FIREWALL   TIS           ftp://ftp.tis.com/pub/firewalls/toolkit
Note that you should be very careful if you build your own firewall with TIS, or you might open up new and very bad security holes; it is however a very good security package if you have some basic knowledge.
It is also very good to replace the services you need, for example telnet, rlogin, rsh or whatever, with a tool like ssh. Ssh is free and can be found at URL:
ftp://ftp.cs.hut.fi/pub/ssh
The addresses I have listed are the central distribution sites, and I do not think you should use any other, except for CERT.
For a long list of free general security tools I recommend: "FAQ: Computer Security Frequently Asked Questions".
.F.1.7. MONITORING SECURITY ---------------------------
Also monitor security regularly, for example by examining system log files, history files... Even on a system without any extra security systems, several tools can be found for monitoring, for example:
- uptime
- showmount
- ps
- netstat
- finger
(see the man pages for more information).
.F.1.8. KEEPING UP TO DATE --------------------------
It is very important to keep up to date with security problems. Also understand that when, for example, CERT warns about something, it has often been known on the dark side for some time, so do not wait. The following resources that help you keep up to date can, for example, be found on the Internet:
- CERT mailing list. Send an e-mail to cert@cert.org to be placed on the list.
- Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net.
- WWW-security mailing list. Send an e-mail to www-security@ns2.rutgers.edu.
.F.1.9. READ SOMETHING BIGGER AND BETTER ----------------------------------------
Let's start with papers on the Internet. I am sorry to say that there are not very many good free papers to be found, but here is a small collection, and I apologise if I have overlooked a paper.
(1) The Rainbow books are a long series of free books on computer security. US citizens can get the books from:
INFOSEC AWARENESS OFFICE
National Computer Security Center
9800 Savage Road
Fort George G. Meade, MD 20755-6000
The rest of us just have to read the papers on the World Wide Web. Not every paper can be found on the Internet, however.
(2) "Improving the security of your Unix system" by Curry is also very nice if you need the very basic things. If you do not know anything about computer security you cannot find a better start.
(3) "The WWW security FAQ" by Stein is, although it deals with W3 security, the very best paper on the Internet about computer security.
(4) CERT has also published several good papers, for example:
- Anonymous FTP Abuses.
- Email Bombing and Spamming.
- Spoofed/Forged Email.
- Protecting yourself from password file attacks.
I think however that the last paper has overlooked several things.
(5) For a long list of papers I can recommend: "FAQ: Computer Security Frequently Asked Questions".
(6) Also see section ".G. SUGGESTED READING".
You should also get some big, good commercial book, but I do not want to recommend any.
.F.2. MONITORING PERFORMANCE ----------------------------
.F.2.1. INTRODUCTION --------------------
There are several commands and services that can be used for monitoring performance, and at least two good free programs can be found on the Internet.
.F.2.2. COMMANDS AND SERVICES -----------------------------
For more information read the man pages.
netstat   Show network status.
nfsstat   Show NFS statistics.
sar       System activity reporter.
vmstat    Report virtual memory statistics.
timex     Time a command, report process data and system activity.
time      Time a simple command.
truss     Trace system calls and signals.
uptime    Show how long the system has been up.
Note that if a public netstat server can be found you might be able to use netstat from the outside. netstat can also give away information like TCP sequence numbers and much more.
.F.2.3. PROGRAMS ----------------
Proctool: Proctool is a freely available tool for Solaris that monitors and controls processes. ftp://opcom.sun.ca/pub/binaries/
Top: Top is a simpler program than Proctool, but good enough.
.F.2.4. ACCOUNTING ------------------
To monitor performance you have to collect information over a long period of time. All Unix systems have some sort of accounting logs that identify how much CPU time and memory each program uses. Check your manual to see how to set this up.
You could also build your own accounting by using crontab and a script with the commands you want to run. Let crontab run the script every day and compare the information once a week. You could, for example, let the script run the following commands:
- netstat
- iostat -D
- vmstat
.G. SUGGESTED READING ~~~~~~~~~~~~~~~~~~~~~
.G.1. INFORMATION FOR DEEPER KNOWLEDGE -------------------------------------
(1) Hedrick, C. Routing Information Protocol. RFC 1058, 1988.
(2) Mills, D.L. Exterior Gateway Protocol Formal Specification. RFC 904, 1984.
(3) Postel, J. Internet Control Message Protocol. RFC 792, 1981.
(4) Harrenstien, K. NAME/FINGER Protocol. RFC 742, 1977.
(5) Sollins, K.R. The TFTP Protocol. RFC 783, 1981.
(6) Croft, W.J. Bootstrap Protocol. RFC 951, 1985.
Many of the papers in this category are RFCs. An RFC is a paper that describes a protocol; the letters RFC stand for Request For Comments. Hosts on the Internet are expected to understand at least the common ones. If you want to learn more about a protocol it is always good to read the proper RFC. You can find a nice RFC index search form at URL:
http://pubweb.nexor.co.uk/public/rfc/index/rfc.html
.G.2. KEEPING UP TO DATE INFORMATION ------------------------------------
(1) CERT mailing list. Send an e-mail to cert@cert.org to be placed on the list.
(2) Bugtraq mailinglist. Send an e-mail to bugtraq-request@fc.net.
(3) WWW-security mailinglist. Send an e-mail to www-security@ns2.rutgers.edu.
(4) Sun Microsystems Security Bulletins.
(5) Various articles from:
- comp.security.announce
- comp.security.unix
- comp.security.firewalls
(6) Various 40Hex issues.
.G.3. BASIC INFORMATION -----------------------
(1) Husman, H. INTRODUKTION TILL DATASÄKERHET UNDER X-WINDOWS (Introduction to Computer Security under X-Windows), 1995.
(2) Husman, H. INTRODUKTION TILL IP-SPOOFING (Introduction to IP Spoofing), 1995.
(3) The following Rainbow books:
- Teal Green Book (Glossary of Computer Security Terms).
- Bright Orange Book (A Guide to Understanding Security Testing and Test Documentation in Trusted Systems).
- C1 Technical Report-001 (Computer Viruses: Prevention, Detection, and Treatment).
(4) Ranum, Marcus. Firewalls, 1993.
(5) Sun Microsystems, OpenWindows V3.0.1. User Commands, 1992.
(6) Husman, H. ATT SPÅRA ODOKUMENTERADE SÄKERHETSLUCKOR (Tracing Undocumented Security Holes), 1996.
(7) Dark OverLord, Unix Cracking Tips, 1989.
(8) Shooting Shark, Unix Nasties, 1988.
(9) LaDue, Mark D. Hostile Applets on the Horizon, 1996.
(10) Curry, D.A. Improving the security of your unix system, 1990.
(11) Stein, L.D. The World Wide Web security FAQ, 1995.
(12) Bellovin, S.M. Security Problems in the TCP/IP Protocol, 1989.
.H. COPYRIGHT ------------
This paper is Copyright (c) 1996 by Hans Husman.
Permission is hereby granted to give away free copies electronically. You may distribute, transfer, or spread this paper electronically. You may not pretend that you wrote it. This copyright notice must be maintained in any copy made. If you wish to reprint the whole or any part of this paper in any other medium excluding electronic medium, please ask the author for permission.
.I. DISCLAIMER
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
.D.1. KERNEL PANIC UNDER SOLARIS 2.3 ------------------------------------
Solaris 2.3 will get a kernel panic if this is executed:
EX: $ndd /dev/udp udp_status
The solution is to install the proper patch.
.D.2. CRASHING THE X-SERVER ---------------------------
If stickybit is not set in /tmp then can the file /tmp/.x11-unix/x0 be removed and the x-server will crash.
Ex:
$ rm /tmp/.x11-unix/x0
.D.3. FILLING UP THE HARD DISK -----------------------------
If your hard disk space is not limited by a quota or if you can use /tmp then it`s possible for you to fill up the file system.
Ex:
while : ; mkdir .xxx cd .xxx done
.D.4. MALICIOUS USE OF eval ---------------------------
Some older systems will crash if eval '\!\!' is executed in the C-shell.
Ex: % eval '\!\!' .D.5. MALICIOUS USE OF fork() -----------------------------
If someone executes this C++ program the result will result in a crash on most systems.
Ex: #include <sys/types.h> #include <unistd.h> #include <iostream.h> main() { int x; while(x=0;x<1000000;x++) { system("uptime"); fork(); } }
You can use any command you want, but uptime is nice because it shows the workload.
To get a bigger and very ugly attack you should however replace uptime (or fork them both) with sync. This is very bad.
If you are real mean you could also fork a child process for every child process and we will get an exponential increase of workload.
There is no good way to stop this attack and similar attacks. A solution could be to place a limit on time of execution and size of processes.
.D.6. CREATING FILES THAT IS HARD TO REMOVE -------------------------------------------
Well all files can be removed, but here is some ideas:
Ex.I.
$ cat > -xxx ^C $ ls -xxx $ rm -xxx rm: illegal option -- x rm: illegal option -- x rm: illegal option -- x usage: rm [-fiRr] file ... $
Ex.II.
$ touch xxx! $ rm xxx! rm: remove xxx! (yes/no)? y $ touch xxxxxxxxx! $ rm xxxxxxxxx! bash: !": event not found $
(You see the size do count!)
Other well know methods is files with odd characters or spaces in the name.
These methods could be used in combination with ".D.3 FILLING UP THE HARDDISK". If you do want to remove these files you must use some sort of script or a graphical interface like OpenWindow:s File Manager. You can also try to use: rm ./<filename>. It should work for the first example if you have a shell.
.D.7. DIRECTORY NAME LOOKUPCACHE --------------------------------
Directory name lookupcache (DNLC) is used whenever a file is opened. DNLC associates the name of the file to a vnode. But DNLC can only operate on files with names that has less than N characters (for SunOS 4.x up to 14 character, for Solaris 2.x up 30 characters). This means that it's dead easy to launch a pretty discreet denial of service attack.
Create lets say 20 directories (for a start) and put 10 empty files in every directory. Let every name have over 30 characters and execute a script that makes a lot of ls -al on the directories.
If the impact is not big enough you should create more files or launch more processes. .D.8. CSH ATTACK ----------------
Just start this under /bin/csh (after proper modification) and the load level will get very high (that is 100% of the cpu time) in a very short time.
Ex:
|I /bin/csh nodename : **************b
.D.9. CREATING FILES IN /tmp ----------------------------
Many programs creates files in /tmp, but are unable to deal with the problem if the file already exist. In some cases this could be used for a denial of service attack.
.D.10. USING RESOLV_HOST_CONF -----------------------------
Some systems have a little security hole in the way they use the RESOLV_HOST_CONF variable. That is we can put things in it and through ping access confidential data like /etc/shadow or crash the system. Most systems will crash if /proc/kcore is read in the variable and access through ping.
Ex: $ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf
.D.11. SUN 4.X AND BACKGROUND JOBS ----------------------------------
Thanks to Mr David Honig <honig@amada.net> for the following:
" Put the string "a&" in a file called "a" and perform "chmod +x a". Running "a" will quickly disable a Sun 4.x machine, even disallowing (counter to specs) root login as the kernel process table fills."
" The cute thing is the size of the script, and how few keystrokes it takes to bring down a Sun as a regular user."
.D.12. CRASHING DG/UX WITH ULIMIT ---------------------------------
ulimit is used to set a limit on the system resources available to the shell. If ulimit 0 is called before /etc/passwd, under DG/UX, will the passwd file be set to zero.
.D.13. NETTUNE AND HP-UX ------------------------
/usr/contrib/bin/nettune is SETUID root on HP-UX meaning that any user can reset all ICMP, IP and TCP kernel parameters, for example the following parameters:
- arp_killcomplete
- arp_killincomplete
- arp_unicast
- arp_rebroadcast
- icmp_mask_agent
- ip_defaultttl
- ip_forwarding
- ip_intrqmax
- pmtu_defaulttime
- tcp_localsubnets
- tcp_receive
- tcp_send
- tcp_defaultttl
- tcp_keepstart
- tcp_keepfreq
- tcp_keepstop
- tcp_maxretrans
- tcp_urgent_data_ptr
- udp_cksum
- udp_defaultttl
- udp_newbcastenable
- udp_pmtu
- tcp_pmtu
- tcp_random_seq
The solution could be to set the proper permission on /sbin/mount_union:
#chmod u-s /sbin/mount_union
.D.14. SOLARIS 2.X AND NFS --------------------------
If a process is writing over NFS and the user goes over the disk quota will the process go into an infinite loop.
.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION --------------------------------------------------
By executing a sequence of mount_union commands any user can cause a system reload on all FreeBSD version 2.X before 1996-05-18.
$ mkdir a $ mkdir b $ mount_union ~/a ~/b $ mount_union -b ~/a ~/b
The solution could be to set the proper permission on /sbin/mount_union:
#chmod u-s /sbin/mount_union
.D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X ----------------------------------------------------
Executing the trap_mon instruction from user mode can cause a kernel panic or a window underflow watchdog reset under SunOS 4.1.x, sun4c architecture.
.E. DUMPING CORE ~~~~~~~~~~~~~~~~
.E.1. SHORT COMMENT -------------------
The core dumps things don't really belongs in this paper but I have put them here anyway.
.E.2. MALICIOUS USE OF NETSCAPE -------------------------------
Under Netscape 1.1N this link will result in a segmentation fault and a core dump.
Ex:
<a name="http://xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx. xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx. xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx. xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx.xxx. xxx.xxx.xxx.xxx.xxxxxx.xxx.xxx.xxx.xxx.xxx...>
.E.3. CORE DUMPED UNDER WUFTPD ------------------------------
A core dumped could be created under wuftp with two different methods:
(1) Then pasv is given (user not logged in (ftp -n)). Almost all versions of BSD:s ftpd. (2) More than 100 arguments is given with any executable command. Presents in all versions of BSD:sd ftpd.
.E.4. ld UNDER SOLARIS/X86 --------------------------
Under Solaris 2.4/X86 ld dumps core if given with the -s option.
.F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS? ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.F.1. BASIC SECURITY PROTECTION -------------------------------
.F.1.1. INTRODUCTION --------------------
You can not make your system totally secured against denial of service attacks but for attacks from the outside you can do a lot. I put this work list together and hope that it can be of some use.
.F.1.2. SECURITY PATCHES ------------------------
Always install the proper security patches. As for patch numbers I don't want to put them out, but that doesn't matter because you anyway want to check that you have all security patches installed, so get a list and check! Also note that patches change over time and that a solution suggested in security bulletins (i.e. CERT) often is somewhat temporary.
.F.1.3. PORT SCANNING ---------------------
Check which services you have. Don't check with the manual or some configuration file, instead scan the ports with sprobe or some other port scanner. Actual you should do this regualy to see that anyone don't have installed a service that you don't want on the system (could for example be service used for a pirate site).
Disable every service that you don't need, could for example be rexd, fingerd, systat, netstat, rusersd, sprayd, pop3, uucpd, echo, chargen, tftp, exec, ufs, daytime, time... Any combination of echo, time, daytime and chargen is possible to get to loop. There is however no need to turn discard off. The discard service will just read a packet and discard it, so if you turn off it you will get more sensitive to denial of service and not the opposite.
Actual can services be found on many systems that can be used for denial of service and brute force hacking without any logging. For example Stock rexec never logs anything. Most popd:s also don't log anything
.F.1.4. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER ---------------------------------------------------------
Check that attacks described in this paper and look at the solution. Some attacks you should perform yourself to see if they apply to your system, for example:
- Freezing up X-Windows. - Malicious use of telnet. - How to disable services. - SunOS kernel panic. - Attacking with lynx clients. - Crashing systems with ping from Windows 95 machines. That is stress test your system with several services and look at the effect.
Note that Solaris 2.4 and later have a limit on the number of ICMP error messages (1 per 500 ms I think) that can cause problems then you test your system for some of the holes described in this paper. But you can easy solve this problem by executing this line:
$ /usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 0 .F.1.5. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER --------------------------------------------------------
Check the inside attacks, although it is always possibly to crash the system from the inside you don't want it to be to easy. Also have several of the attacks applications besides denial of service, for example:
- Crashing the X-Server: If stickybit is not set in /tmp a number of attacks to gain access can be performed.
- Using resolv_host_conf: Could be used to expose confidential data like /etc/shadow.
- Core dumped under wuftpd: Could be used to extract password-strings.
If I don't have put out a solution I might have recommended son other paper. If not I don't know of a paper with a solution I feel that I can recommend. You should in these causes check with your company.
.F.1.6. EXTRA SECURITY SYSTEMS ------------------------------
Also think about if you should install some extra security systems. The basic that you always should install is a logdaemon and a wrapper. A firewall could also be very good, but expensive. Free tools that can be found on the Internet is for example:
TYPE: NAME: URL:
LOGDAEMON NETLOG ftp://net.tamu.edu/pub/security/TAMU WRAPPER TCP WRAPPERS ftp://cert.org/pub/tools/tcp_wrappers FIREWALL TIS ftp://ftp.tis.com/pub/firewalls/toolkit
Note that you should be very careful if building your own firewall with TIS or you might open up new and very bad security holes, but it is a very good security packer if you have some basic knowledge.
It is also very good to replace services that you need, for example telnet, rlogin, rsh or whatever, with a tool like ssh. Ssh is free and can be found at URL:
ftp://ftp.cs.hut.fi/pub/ssh
The addresses I have put out are the central sites for distributing and I don't think that you should use any other except for CERT.
For a long list on free general security tools I recommend: "FAQ: Computer Security Frequently Asked Questions".
.F.1.7. MONITORING SECURITY ---------------------------
Also monitor security regular, for example through examining system log files, history files... Even in a system without any extra security systems could several tools be found for monitoring, for example:
- uptime - showmount - ps - netstat - finger
(see the man text for more information).
.F.1.8. KEEPING UP TO DATE --------------------------
It is very important to keep up to date with security problems. Also understand that then, for example CERT, warns for something it has often been dark-side public for sometime, so don't wait. The following resources that helps you keeping up to date can for example be found on the Internet:
- CERT mailing list. Send an e-mail to cert@cert.org to be placed on the list. - Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net.
- WWW-security mailing list. Send an e-mail to www-security@ns2.rutgers.edu.
.F.1.9. READ SOMETHING BIGGER AND BETTER ----------------------------------------
Let's start with papers on the Internet. I am sorry to say that it is not very many good free papers that can be found, but here is a small collection and I am sorry if have have over looked a paper.
(1) The Rainbow books are a long series of free books on computer security. US citizens can get the books from:
INFOSEC AWARENESS OFFICE
National Computer Security Center
9800 Savage Road
Fort George G. Meade, MD 20755-600
The rest of us just have to read the papers on the World Wide Web. Not every paper can be found on the Internet, however.
(2) "Improving the security of your Unix system" by Curry is also very nice if you need the very basic things. If you don't know anything about computer security you can't find a better start.
(3) "The WWW security FAQ" by Stein, although it deals with W3 security, is the very best paper on the Internet about computer security.
(4) CERT has also published several good papers, for example:
- Anonymous FTP Abuses.
- Email Bombing and Spamming.
- Spoofed/Forged Email.
- Protecting yourself from password file attacks.
I think, however, that the last paper has overlooked several things.
(5) For a long list of papers I can recommend: "FAQ: Computer Security Frequently Asked Questions".
(6) Also see section ".G. SUGGESTED READING"
You should also get some big, good commercial book, but I don't want to recommend any.
.F.2. MONITORING PERFORMANCE ----------------------------
.F.2.1. INTRODUCTION --------------------
There are several commands and services that can be used for monitoring performance, and at least two good free programs can be found on the Internet.
.F.2.2. COMMANDS AND SERVICES -----------------------------
For more information read the man text.
netstat   Show network status.
nfsstat   Show NFS statistics.
sar       System activity reporter.
vmstat    Report virtual memory statistics.
timex     Time a command, report process data and system activity.
time      Time a simple command.
truss     Trace system calls and signals.
uptime    Show how long the system has been up.
Note that if a public netstat server can be found, you might be able to use netstat from the outside. netstat can also give away information such as TCP sequence numbers and much more.
.F.2.3. PROGRAMS ----------------
Proctool: Proctool is a freely available tool for Solaris that monitors and controls processes.
ftp://opcom.sun.ca/pub/binaries/
Top: Top might be a simpler program than Proctool, but it is good enough.
.F.2.4. ACCOUNTING ------------------
To monitor performance you have to collect information over a long period of time. All Unix systems have some sort of accounting logs that identify how much CPU time and memory each program uses. You should check your manual to see how to set this up.
You could also invent your own accounting system by using crontab and a script with the commands you want to run. Let crontab run the script every day and compare the information once a week. You could, for example, let the script run the following commands:
- netstat
- iostat -D
- vmstat
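As an added illustration of the home-made accounting system described above (and of the regular monitoring recommended in the MONITORING SECURITY section), here is a small script of my own; it is not code from the paper. It assumes snapshots are kept under a directory named by ACCT_DIR as files named YYYY-MM-DD.txt, that the command list defaults to the three commands the paper names (netstat, iostat -D, vmstat), and that the script is installed as /usr/local/sbin/acct-snapshot.sh; all of those names are my assumptions. A command that is missing or fails on the host is recorded in the snapshot instead of aborting, so the cron job always produces a file to compare against.

```shell
#!/bin/sh
# Added example, not from Husman's paper: a home-made accounting system.
# A daily cron job runs collect_snapshot; a weekly one runs compare_snapshots
# on the two newest files.  Assumed (mine, not the paper's): snapshots live
# under ACCT_DIR as YYYY-MM-DD.txt, and the command list defaults to the
# three commands the paper suggests.

ACCT_DIR="${ACCT_DIR:-/var/tmp/perf-acct}"
# One command per line.  Swap in "uptime", "ps -ef", "showmount -e" for a
# security-oriented snapshot of the kind the MONITORING SECURITY section wants.
ACCT_COMMANDS="${ACCT_COMMANDS:-netstat
iostat -D
vmstat}"

# collect_snapshot DIR STAMP
# Writes the output of every command in ACCT_COMMANDS to DIR/STAMP.txt, with a
# "### command" header before each section.  A missing or failing command is
# noted in the file rather than aborting the run.  Prints the path written.
collect_snapshot() {
    dir="$1"
    stamp="$2"
    out="$dir/$stamp.txt"
    mkdir -p "$dir" || return 1
    : > "$out" || return 1
    printf '%s\n' "$ACCT_COMMANDS" | while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        name="${cmd%% *}"                      # program name without arguments
        printf '### %s\n' "$cmd" >> "$out"
        if command -v "$name" >/dev/null 2>&1; then
            $cmd >> "$out" 2>&1 || printf '(%s exited with status %s)\n' "$name" "$?" >> "$out"
        else
            printf '(%s is not installed on this host)\n' "$name" >> "$out"
        fi
    done
    printf '%s\n' "$out"
}

# snapshot_sections FILE
# Prints how many "### " headers a snapshot holds: a sanity check that every
# configured command was visited.
snapshot_sections() {
    grep -c '^### ' "$1"
}

# compare_snapshots DIR STAMP_A STAMP_B
# Shows what changed between two snapshots (new listening sockets, a busier
# disk, more paging...).  Exit status 0 if identical, 1 if they differ.
compare_snapshots() {
    diff -u "$1/$2.txt" "$1/$3.txt"
}

# daily_snapshot: what the daily cron entry calls.
daily_snapshot() {
    collect_snapshot "$ACCT_DIR" "$(date +%Y-%m-%d)"
}

# Example crontab entries (assumed install path; add them with "crontab -e"):
#   0 6 * * *    /usr/local/sbin/acct-snapshot.sh daily
#   30 6 * * 1   /usr/local/sbin/acct-snapshot.sh weekly
case "${1:-}" in
    daily)  daily_snapshot ;;
    weekly)
        # Compare the two most recent snapshots; the date-based names sort.
        set -- $(ls "$ACCT_DIR"/*.txt 2>/dev/null | tail -n 2 | sed 's|.*/||; s|\.txt$||')
        [ $# -eq 2 ] && compare_snapshots "$ACCT_DIR" "$1" "$2" ;;
esac
```

The weekly diff is deliberately crude: the point, as the paper says, is to have a long series of comparable samples, so the script writes the same headers in the same order every day and never leaves a gap in the series because one command was unavailable.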
.G. SUGGESTED READING ~~~~~~~~~~~~~~~~~~~~~
.G.1. INFORMATION FOR DEEPER KNOWLEDGE -------------------------------------
(1) Hedrick, C. Routing Information Protocol. RFC 1058, 1988.
(2) Mills, D.L. Exterior Gateway Protocol Formal Specification. RFC 904, 1984.
(3) Postel, J. Internet Control Message Protocol. RFC 792, 1981.
(4) Harrenstien, K. NAME/FINGER Protocol, RFC 742, 1977.
(5) Sollins, K.R. The TFTP Protocol, RFC 783, 1981.
(6) Croft, W.J. Bootstrap Protocol, RFC 951, 1985.
Many of the papers in this category are RFCs. An RFC is a paper that describes a protocol; the letters RFC stand for Request For Comments. Hosts on the Internet are expected to understand at least the common ones. If you want to learn more about a protocol it is always good to read the proper RFC. You can find a nice RFC index search form at URL:
http://pubweb.nexor.co.uk/public/rfc/index/rfc.html
.G.2. KEEPING UP TO DATE INFORMATION ------------------------------------
(1) CERT mailing list. Send an e-mail to cert@cert.org to be placed on the list.
(2) Bugtraq mailing list. Send an e-mail to bugtraq-request@fc.net.
(3) WWW-security mailing list. Send an e-mail to www-security@ns2.rutgers.edu.
(4) Sun Microsystems Security Bulletins.
(5) Various articles from:
- comp.security.announce
- comp.security.unix
- comp.security.firewalls
(6) Various 40Hex issues.
.G.3. BASIC INFORMATION -----------------------
(1) Husman, H. INTRODUKTION TILL DATASÄKERHET UNDER X-WINDOWS, 1995.
(2) Husman, H. INTRODUKTION TILL IP-SPOOFING, 1995.
(3) The following rainbow books:
- Teal Green Book (Glossary of Computer Security Terms).
- Bright Orange Book (A Guide to Understanding Security Testing and Test Documentation in Trusted Systems).
- C1 Technical Report-001 (Computer Viruses: Prevention, Detection, and Treatment).
(4) Ranum, Marcus. Firewalls, 1993.
(5) Sun Microsystems, OpenWindows V3.0.1. User Commands, 1992.
(6) Husman, H. ATT SPÅRA ODOKUMENTERADE SÄKERHETSLUCKOR, 1996.
(7) Dark OverLord, Unix Cracking Tips, 1989.
(8) Shooting Shark, Unix Nasties, 1988.
(9) LaDue, Mark D. Hostile Applets on the Horizon, 1996.
(10) Curry, D.A. Improving the security of your unix system, 1990.
(11) Stein, L.D. The World Wide Web security FAQ, 1995.
(12) Bellovin, S.M. Security Problems in the TCP/IP Protocol, 1989.
.H. COPYRIGHT -------------
This paper is Copyright (c) 1996 by Hans Husman.
Permission is hereby granted to give away free copies electronically. You may distribute, transfer, or spread this paper electronically. You may not pretend that you wrote it. This copyright notice must be maintained in any copy made. If you wish to reprint the whole or any part of this paper in any other medium excluding electronic medium, please ask the author for permission.
.I. DISCLAIMER --------------
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
By Trivedi Jay (B E Electrical Engineer )
email : erjaytrivedi@yahoo.com