The information below is a list of common Internet Attacks. Most “off-the-shelf” inexpensive firewalls do not address these, leaving your business at risk. Optin Security not only addresses these attacks, but it also continues to research new threats, vulnerabilities, and attacks each day and methodically updates your security appliance to keep your business safe and productive.

Attack Group: General

Anti-Spoof Hazard

Spoofing is the act wherein an intruder to the system tries to alter the IP address of a packet in order to make it appear that the packet originated from an area of the network where there are greater access privileges, thus hoping to gain access to confidential information on the internal network, or to cause a denial of service to internal hosts.

Attack Group: Denial of Service

TearDrop

Some implementations of the IP fragment reassembly code in the TCP/IP stack do not properly handle overlapping IP fragments. Sending two IP fragments, the latter entirely contained inside the former, causes the server to allocate too much memory and crash. TearDrop is a widely available attack tool that exploits this vulnerability.

Ping of Death

A malformed PING request that crashes the target computer. The attacker sends a fragmented PING request that, when reassembled, exceeds the maximum IP packet size (64KB). Some operating systems are unable to handle such requests and crash.

Land

Some implementations of TCP/IP are vulnerable to packets that are crafted in a particular way (a SYN packet in which the source address and port are the same as the destination, i.e., spoofed). LAND is a widely available attack tool that exploits this vulnerability.
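As an added example (not code from the original page or the product), here is a Python sketch of the sanity checks an inspecting firewall can apply to catch the three conditions above: overlapping fragments (TearDrop), a reassembled datagram over 64KB (Ping of Death), and a SYN whose source equals its destination (LAND). Fragment offsets are assumed to be given in bytes, already multiplied out from the 8-byte units of the IP header, and the sample fragment sets are constructed.

```python
# Added example, not from the page: fragment-set and SYN sanity checks.
MAX_IP_DATAGRAM = 65535  # largest length the 16-bit IP total-length field can describe


def check_fragments(fragments):
    """Validate the fragments of one datagram before reassembly.

    `fragments` is a list of (offset, length, more_fragments) tuples with
    offset and length in bytes. Returns the problems found; an empty list
    means the set passes.
    """
    problems = []
    seen = []  # (start, end) byte ranges of fragments already accepted
    for offset, length, _more in fragments:
        start, end = offset, offset + length
        if end > MAX_IP_DATAGRAM:
            # Ping of Death: the reassembled datagram would exceed 64 KB
            problems.append(f"oversize: fragment ends at byte {end}")
        for s_start, s_end in seen:
            if start < s_end and s_start < end:
                # TearDrop: this fragment overlaps one already received
                problems.append(f"overlap: [{start},{end}) vs [{s_start},{s_end})")
                break
        seen.append((start, end))
    return problems


def is_land_packet(src_ip, src_port, dst_ip, dst_port, syn):
    """LAND: a SYN whose source address and port equal its destination."""
    return bool(syn) and src_ip == dst_ip and src_port == dst_port


# Constructed samples (not captured traffic)
NORMAL = [(0, 1480, True), (1480, 1480, True), (2960, 100, False)]
TEARDROP = [(0, 1000, True), (100, 200, False)]
PING_OF_DEATH = [(65000, 600, False)]
```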

Attack Group: IP and ICMP

Packet Sanity

This option performs several Layer 3 and Layer 4 sanity checks. These include verifying packet size, UDP and TCP header lengths, dropping IP options and verifying the TCP flags.

Large Ping Size

PING (ICMP echo request) is a protocol used to check whether a remote machine is up. A request is sent by the client and the server responds with a reply echoing the client's data. An attacker might answer the client with a large payload, trying to compromise the security of the client's machine (for example by causing a buffer overflow).

IP Fragments

An attacker might break the data section of a single packet into several fragmented packets, trying to conceal known attacks and exploits. Without reassembling the fragments, it is not always possible to detect such an attack.

Network Quota

Network Quota enforces a limit upon the number of connections that are allowed from the same source IP, to protect against Denial of Service attacks. When a certain source exceeds the number of allowed connections, Network Quota can either block all new connection attempts from that source or track the event.

Welchia worm ICMP flood

The Welchia worm exploits the MS DCOM vulnerability or a WebDAV vulnerability. After infecting a computer, it begins searching its class B network for other live computers that are candidates for infection. It does so by sending a specific ping packet and waiting for the reply that signals that the target is alive. The flood of pings may disrupt network connectivity.

Cisco IOS Denial of Service

Cisco routers are configured to process and accept Internet Protocol version 4 (IPv4) packets by default. A specially crafted sequence of IPv4 packets with protocol type 53 (SWIPE), 55 (IP Mobility), 77 (Sun ND), or 103 (Protocol Independent Multicast - PIM), which are handled by the processor on a Cisco IOS device, can cause the router to stop processing inbound traffic on that interface.

Null Payload ICMP

Some worms, such as Sasser, use ICMP echo request packets with a null payload to detect potentially vulnerable hosts.

Attack Group: TCP

SYN Attack

A SYN attack prevents a TCP/IP server from servicing other users. It is accomplished by not sending the final acknowledgment to the server's SYN-ACK response (SYNchronize-ACKnowledge) in the handshaking sequence, which causes the server to keep retransmitting the SYN-ACK until it eventually times out. The source address from the client is, of course, counterfeit. SYN flood attacks can either overload the server or cause it to crash.

Small PMTU

The small PMTU attack is a bandwidth attack discussed in various security mailing lists. In this attack, the client fools the server into sending large amounts of data using small packets. Each packet has a large overhead, which creates a "bottleneck" on the server.

Sequence Verifier

Sequence Verifier is a mechanism that matches the current TCP packet's sequence number against the TCP connection state. Packets that match the connection in terms of the TCP session but have incorrect sequence numbers are either dropped, when the packet's sequence may compromise security, or stripped of data.

Attack Group: Fingerprint Scrambling

ISN Spoofing

The first operation performed when a TCP connection is established is to synchronize numbers called "sequences" between the client and the server. This is performed in a process called the "three way handshake". In this process, the client notifies the server about the sequences for the client side of the connection, and the server notifies the client about the sequences for the server side of the connection. The sequence chosen during the three way handshake stage is called the "Initial Sequence Number", or ISN.

While the TCP/IP standard clearly defines how the ISN is to be chosen, the algorithm described there suffers from high predictability of the next initial sequence number that the server will use. This gives rise to an attack called "ISN guessing", where an attacker can use that information to create blind TCP connections from a spoofed source address. For that reason, many operating systems today use one kind or another of random numbers for their ISNs. Sadly, these numbers are often not random enough, and can be guessed in a rather small number of attempts.

In addition to the attack described above, the mere fact that different operating systems use different algorithms creates a unique fingerprint for each operating system. An adversary can send successive SYN requests, check the difference between the ISNs, and then deduce the operating system the server is running.

TTL

Each IP packet has a field called "Time to Live", or TTL. Each router along the way decrements this value by one. When a router decrements this value to zero it drops the packet and sends an ICMP message notifying the sender about the event.

When a host sends a packet, it sets the TTL to a value that should be enough to make sure that the packet reaches its destination under normal circumstances. The default initial value differs from one OS to another. Typical values are 64, 128 and 255. An adversary receiving a packet can deduce the number of routers between it and the sending machine by assuming the original TTL was one of the above and that each router along the way decreases the value by 1. In addition, detecting which of the above initial TTLs was used gives some information about what operating system the host is running.

In order to prevent such detection, this feature can change the TTL field of all packets (or all outgoing packets) to a given number. This achieves two goals: it is no longer possible to know how many routers (hops) the host is from the listener, and the listener cannot know the original TTL value.

The TTL field is also used by the traceroute utility (called tracert on Windows) to detect the path a packet traverses on its way from one host to another. This is performed by sending a packet with a TTL of 1, and then slowly increasing the TTL until the packet reaches its destination. The utility knows which routers the packet passed through by listening for the ICMP replies. If we change each and every packet leaving the organization, this utility will not be able to function, as the small-TTL packets will be set to the standard TTL defined in the TTL scrambling.
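An added example (not from the page or the product) that works through the two points above: the hop-count and OS inference an observer makes from a received TTL, and what rewriting every outgoing TTL at the gateway does to that inference and to traceroute. The fixed TTL of 128 and the sample packets are assumptions.

```python
# Added example, not from the page: TTL-based hop inference and TTL scrambling.
STANDARD_INITIAL_TTLS = (64, 128, 255)  # the typical OS defaults named above


def infer_hops(observed_ttl):
    """Return (assumed_initial_ttl, hops) for a received packet, assuming the
    sender started from the smallest standard value not below what was seen."""
    for initial in STANDARD_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("IPv4 TTL cannot exceed 255")


def scramble_ttl(packets, fixed_ttl=128):
    """Gateway-side TTL scrambling: every outgoing packet leaves with the same
    TTL, whatever its sending host's OS default was, so the OS hint is gone."""
    return [dict(pkt, ttl=fixed_ttl) for pkt in packets]


def traceroute_discovers(probe_ttls, routers_on_path):
    """Router positions (1-based) that answer a set of traceroute probes with
    ICMP Time Exceeded: router N drops the probe whose TTL reaches zero there."""
    return {ttl for ttl in probe_ttls if 1 <= ttl <= routers_on_path}


# Constructed sample: two internal hosts with different OS defaults
OUTGOING = [{"src": "10.0.0.5", "ttl": 64}, {"src": "10.0.0.9", "ttl": 128}]
```

With scrambling on, the probes traceroute sends with TTL 1, 2, 3, ... all leave with TTL 128 and no router on a shorter path ever replies.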

Attack Group: Successive Events

Address Spoofing

Spoofing is a technique where an intruder attempts to gain unauthorized access by altering a packet's IP addresses to make it appear as though the packet originated in a part of the network with higher access privileges. For example, a packet originating on the Internet may be disguised as a local packet. If undetected, this packet might then have unrestricted access to internal networks.

Local Interface Spoofing

This attack is similar to the LAND attack, but the targeted machine is a gateway.

Port Scanning

An excessive number of attempts to connect to ports on a specific destination IP address from the same source IP address has been detected.

Successive Alerts

In the course of this attack, an excessive number of VPN-1/FireWall-1 alerts is generated.

Successive Multiple Connections

An excessive number of connections opened to a specific destination IP address and port number from the same source IP address has been detected.
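An added example (not the product's code) showing how the Network Quota protection from the IP and ICMP group and the Port Scanning and Successive Multiple Connections events above reduce to three counters kept per source address. The thresholds and sample addresses are assumptions, and the time window a real implementation ages entries out of is left out.

```python
# Added example, not from the page: per-source counters behind Network Quota,
# Port Scanning and Successive Multiple Connections. Thresholds are assumed.
from collections import defaultdict

NETWORK_QUOTA = 100         # connections allowed from one source IP
PORT_SCAN_THRESHOLD = 20    # distinct destination ports on one host from one source
REPEAT_THRESHOLD = 50       # connections to one destination IP:port from one source


class ConnectionTracker:
    """Counts connection attempts per source; no ageing, so counters only grow."""

    def __init__(self):
        self.per_source = defaultdict(int)       # src -> connections
        self.ports_seen = defaultdict(set)       # (src, dst) -> ports tried
        self.per_target = defaultdict(int)       # (src, dst, port) -> connections

    def observe(self, src, dst, port):
        """Record one connection attempt and return the alerts it triggers."""
        alerts = []
        self.per_source[src] += 1
        self.ports_seen[(src, dst)].add(port)
        self.per_target[(src, dst, port)] += 1
        if self.per_source[src] > NETWORK_QUOTA:
            alerts.append("Network Quota")   # block new attempts or track the event
        if len(self.ports_seen[(src, dst)]) > PORT_SCAN_THRESHOLD:
            alerts.append("Port Scanning")
        if self.per_target[(src, dst, port)] > REPEAT_THRESHOLD:
            alerts.append("Successive Multiple Connections")
        return alerts


def alert_counts(events):
    """Run (src, dst, port) events through a fresh tracker and return how
    many times each alert fired."""
    tracker, counts = ConnectionTracker(), defaultdict(int)
    for src, dst, port in events:
        for alert in tracker.observe(src, dst, port):
            counts[alert] += 1
    return dict(counts)


# Constructed samples: a sweep over 25 ports, then 60 connections to one service
SWEEP = [("198.51.100.7", "192.0.2.10", port) for port in range(1, 26)]
BURST = [("198.51.100.7", "192.0.2.10", 80)] * 60
```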

Attack Group: Dynamic Ports

Port Abuse

This feature allows you to configure which ports are "privileged ports" that will be protected when a connection is opened dynamically (for example FTP data connections). These ports are a subset of the ports belonging to the defined TCP and UDP services. In addition, it is possible to explicitly protect low ports (lower than 1024).

Attack Group: Web

HTTP Worm

A worm is self-replicating malware (malicious software) that propagates by actively sending itself to new machines. Some worms propagate by using security vulnerabilities in HTTP servers or clients. Known HTTP worms are the Nimda and CodeRed worms, each having several variants.

Cross Site Scripting

Cross-site scripting attacks place malicious code in locations where other users see it. The intention of the attack is to steal cookies that contain user identities and credentials, or to trick users into supplying their credentials to the attacker.

Many web sites use cookies to store information about users. Cookies contain identifying information such as username and password. A hacker may want to steal cookies in order to illegally use someone else's identity.

When someone browses to a web site to view a page, they send the web server an HTTP request that contains their cookie. The web server usually keeps cookies for only a short time.

Many web sites contain forms, which are used to post information such as names and addresses, or comments on bulletin boards. The hacker can inject scripting code into the attacked web server by adding scripting code to these forms. Scripting code includes tags such as SCRIPT. The code can instruct the server to send its cookies to another location, such as another web site (hence the name: Cross Site Scripting), where the hacker can see the cookies.

This attack is especially dangerous because neither the user nor the web site administrator knows that the attack is taking place.

Another variety of cross-site scripting attack does not steal cookies, but rather dupes the victim into supplying his or her credentials. The attacker enters scripting code into a form. When a user accesses that form, the script causes a popup form to appear that asks the victim to supply his or her details. The form sends those details to the attacker.
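An added example (not from the page or the product) of the form-handling flaw just described: a bulletin-board page that copies a posted comment into its HTML unchanged, next to the version that escapes it so a SCRIPT tag is displayed as text rather than run, and the SCRIPT-tag check an inspecting gateway applies to the rendered page. The page template and the sample comment are constructed.

```python
# Added example, not from the page: unescaped vs escaped rendering of a posted
# comment, and a SCRIPT-tag check over the result.
import html
import re

PAGE = "<html><body><h1>Guestbook</h1><p>{comment}</p></body></html>"
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

# Constructed comment of the kind posted through a bulletin-board form
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_vulnerable(comment):
    """Copies the posted comment into the page unchanged, so a SCRIPT tag in it
    is parsed as markup and runs in every later visitor's browser."""
    return PAGE.format(comment=comment)


def render_safe(comment):
    """Escapes <, >, &, and quotes so the comment is shown as text, not markup."""
    return PAGE.format(comment=html.escape(comment, quote=True))


def contains_script_tag(page):
    """Does the rendered page carry an injected SCRIPT element?"""
    return SCRIPT_TAG.search(page) is not None
```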

HTTP Format Sizes

The sizes of the different elements in an HTTP request and response are not limited by the protocol. This can be used to perform a Denial of Service attack on a web server. For example, many buffer-overflow attacks require a very large header to be sent to the web server.

ASCII Only Request Headers

This feature allows you to force all HTTP request headers to be ASCII only. This will prevent some malicious content from passing in the HTTP protocol headers.

ASCII Only Response Headers

This feature allows you to force all HTTP headers in an HTTP response to be ASCII only. This will prevent some malicious content from passing in the HTTP protocol headers of an HTTP response.
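An added example (not the product's code) of the header checks behind the HTTP Format Sizes and ASCII Only Request/Response Headers protections above, run over the header block of a raw HTTP message. The size limits and the sample messages are assumptions; the same function applies to a request or a response, since only the header lines are examined.

```python
# Added example, not from the page: size and ASCII-only checks on HTTP headers.
MAX_HEADER_LINE = 1024     # bytes allowed per header line (assumed limit)
MAX_HEADER_COUNT = 50      # header lines allowed per message (assumed limit)
MAX_HEADER_BLOCK = 8192    # bytes allowed for all headers together (assumed limit)


def check_headers(raw):
    """Inspect the header block (everything before the blank line) of one HTTP
    request or response given as bytes. Returns the violations found."""
    problems = []
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["headers not terminated"]
    if len(head) > MAX_HEADER_BLOCK:
        problems.append("header block too large")
    lines = head.split(b"\r\n")
    start_line, header_lines = lines[0], lines[1:]
    if len(header_lines) > MAX_HEADER_COUNT:
        problems.append("too many headers")
    for line in [start_line] + header_lines:
        if len(line) > MAX_HEADER_LINE:
            problems.append(f"line too long: {line[:20]!r}")
        # ASCII only: reject bytes above 0x7E and control bytes other than TAB
        if any(b > 0x7E or (b < 0x20 and b != 0x09) for b in line):
            problems.append(f"non-ASCII or control byte: {line[:20]!r}")
    return problems


# Constructed sample messages (not captured traffic)
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n"
OVERSIZE = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nX-Pad: " + b"A" * 2000 + b"\r\n\r\n"
NONASCII = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: caf\xc3\xa9\r\n\r\n"
```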

Peer to Peer

When this protection is turned on, Peer to Peer traffic over HTTP can be blocked according to unique HTTP headers. The built-in header patterns block the main Peer to Peer applications as well as many other applications that use HTTP, such as streaming media clients.

In order to completely block Peer to Peer traffic, it is necessary to also block the native ports used by the applications. You can use the 'P2P_File_Sharing_Applications' group of services in order to achieve this.

Note that when web security is enforced in the strict protocol enforcement mode, both the response and the request are examined. When web security is enforced in the optimized protocol enforcement mode, only the request is examined.

Attack Group: Mail

Mail and Recipient Content

In a Mail and Recipient Content attack, malicious code can be used to send email worms and viruses that reach your system and infect your users through harmful attachments. In addition, some viruses are transmitted through harmless-looking email messages and can run automatically without the need for user intervention.

Block ASN.1 BitString encoding attack over SMTP

The Microsoft ASN.1 library suffers from a vulnerability in processing the BitString structure encoding. ASN.1 is used in the GSSAPI security service, which is part of several protocols, including the GSSAPI authentication negotiation of SMTP.