Disabling a host on the Internet by a directed storm of false TCP connection requests, or overflowing the request queue
From the scheme for establishing a TCP connection considered in the preceding paragraph, it follows that for every TCP connection request it receives, the operating system must generate an initial sequence number (ISN) and send it back in response to the requesting host. Since the Internet (the IPv4 standard) provides no control over the IP address of the sender of a message, it is impossible to trace the true route taken by an IP packet, and consequently the end subscribers have no way to limit the number of requests accepted per unit of time from a single host.
It is therefore possible to carry out the typical remote attack "denial of service", which consists in sending to the attacked host the greatest possible number of false TCP connection requests on behalf of any host on the network.
In this case the attacked network operating system, depending on the computing power of the computer, either, at worst, practically freezes, or, at best, stops responding to legitimate connection requests (DoS). This is because, for the whole mass of false requests, the system must first store the information received in each request and then generate and send a response to each one. Thus all system resources are eaten up by the false requests: the request queue overflows and the system is occupied with nothing but processing them.
The effectiveness of this remote attack is the greater, the larger the bandwidth of the channel between the attacker and the target of the attack, and the smaller, the greater the computing power of the attacked computer (number and speed of processors, amount of RAM, and so on).
From our point of view, the possibility of this remote attack was obvious even twenty years ago, when the TCP/IP protocol family appeared.
The roots of this attack lie in the very infrastructure of the Internet, in its basic protocols IP and TCP. But what was our surprise when, on the WWW server of CERT (Computer Emergency Response Team), we saw that the first mention of this remote attack was dated only September 19, 1996!
There the attack was called "TCP SYN Flooding and IP Spoofing Attacks", that is, a flood of TCP requests with false IP addresses.
Another variant of the denial-of-service attack consists in sending the attacked host dozens (or hundreds) of connection requests to a server, which can cause a temporary (up to 10 minutes) overflow of the request queue on that server (see the K. Mitnick attack in Section 4.5.2 and the example with Linux 1.2.8 at the end of this paragraph). This is because some network operating systems are designed to handle only the first few connection requests and ignore the rest. That is, on receiving N connection requests, the server OS queues them and generates N responses accordingly. Then, for a certain period of time (a timeout of about 10 minutes), the server waits for the prospective clients to send the final handshake message confirming the creation of a virtual channel with the server. If an attacker sends the server a number of connection requests equal to the maximum number of requests it can process simultaneously, then for the duration of the timeout all further connection requests are ignored and nobody can connect to the server.
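To make the queue mechanism described in this and the preceding paragraphs concrete, here is an added toy model in Python (not code from the original book): a listening port with a fixed backlog, a timeout of about 10 minutes, and a set of connection requests from forged sources whose final handshake never arrives, so that a legitimate client is ignored until the pending entries expire. The class and function names, the backlog size and the addresses are all constructed for this illustration.

```python
import itertools

SYN_TIMEOUT = 600.0  # seconds: the "about 10 minutes" the text refers to

class Listener:
    """Toy model of one listening port's queue of half-open connections."""
    def __init__(self, backlog, timeout=SYN_TIMEOUT):
        self.backlog = backlog      # max simultaneously pending requests
        self.timeout = timeout
        self.half_open = {}         # src (ip, port) -> (isn, expiry time)
        self.established = set()
        self.dropped = 0            # requests ignored because the queue was full
        self._isn = itertools.count(1000)

    def _expire(self, now):
        # the server gives up on requests whose final handshake never came
        self.half_open = {s: v for s, v in self.half_open.items() if v[1] > now}

    def on_syn(self, src, now):
        """Return the ISN sent back in the SYN-ACK, or None if the request is ignored."""
        self._expire(now)
        if src in self.half_open:                 # retransmitted request
            return self.half_open[src][0]
        if len(self.half_open) >= self.backlog:   # queue full: request ignored
            self.dropped += 1
            return None
        isn = next(self._isn)
        self.half_open[src] = (isn, now + self.timeout)
        return isn

    def on_ack(self, src, ack, now):
        """Final handshake message; True if the connection is established."""
        self._expire(now)
        entry = self.half_open.get(src)
        if entry is None or ack != entry[0] + 1:
            return False
        del self.half_open[src]
        self.established.add(src)
        return True

def run_scenario(backlog=8, timeout=SYN_TIMEOUT):
    """backlog forged requests fill the queue; a real client is shut out until they expire."""
    srv = Listener(backlog, timeout)
    for i in range(backlog):   # constructed forged sources that never finish the handshake
        srv.on_syn(("10.0.0.%d" % (i + 1), 40000 + i), now=0.0)
    legit = ("192.0.2.7", 51000)               # constructed legitimate client
    during = srv.on_syn(legit, now=1.0)        # None: queue full, request ignored
    isn = srv.on_syn(legit, now=timeout + 1.0) # the forged entries have expired
    after = srv.on_ack(legit, isn + 1, now=timeout + 1.5)
    return {"during": during, "after": after, "dropped": srv.dropped, "established": len(srv.established)}
```

The model shows why the server recovers by itself once the timeout passes, and why a larger backlog or a shorter timeout only raises the number of requests per unit time an attacker must sustain.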
Experiments with this remote attack, carried out on various network operating systems in experimental 10 Mbit network segments, revealed the following interesting results, which the authors consider it necessary to acquaint you with. When the maximum possible number of TCP connection requests was transmitted over the communication channel and the attacker was in the same segment as the attacked system, the attacked systems behaved as follows: Windows '95 on a 486DX2-66 with 8 MB RAM practically fainted and stopped responding to any external action (a keystroke, for example); Linux 2.0.0 on a 486DX4-133 with 8 MB RAM also practically stopped all work and took about 30 seconds to process one keystroke. Not only was remote access to the attacked hosts of course impossible, but local access was impossible too!
The best result in this test was shown by a dual-processor firewall: remote connection to it was likewise impossible, but the attack had no effect on its local users (after all, it has two processors).
No less interesting was the behavior of the attacked systems after the attack was stopped. Windows '95 began to function normally almost immediately after the flood ceased; Linux 2.0.0 with 8 MB RAM, apparently with an overflowed buffer, did not function for either remote or local users for more than another half hour and was busy sending responses to the requests received earlier.
The dual-processor firewall became available for remote access immediately after the attack was stopped.
When the attacked system was located in an adjacent segment, the following was observed: Windows '95 on a Pentium 100 with 16 MB RAM processed each keystroke in about one second; Linux 2.0.0 on a Pentium 100 with 16 MB RAM was practically hung (one keystroke in 30 seconds), but after the attack was stopped the local user immediately regained the ability to work normally.
The results of this test should not mislead you into assuming that Windows '95 performed best. This is due solely to the fact that the transmitted TCP requests were sent to the FTP port, that is, they were requests to connect to an FTP server; since Windows '95 is essentially a client operating system and has no FTP server, it simply did not need to store the parameters of each request and wait for the handshake to complete.
In the course of the experiment, a fundamental weakness inherent in all Linux systems was also revealed. After about a dozen requests to a specific port (FTP or TELNET) had been sent, the server corresponding to that port on the victim host (every server program waits for requests on its particular reserved port) was disabled for some time (up to several tens of minutes); that is, for a certain period users were unable to connect remotely to that server and gain remote access to its resources. This, as mentioned earlier, is due to overflowing the number of clients the server can serve concurrently.
In conclusion, it should be noted that within the existing IPv4 Internet standard there is no acceptable way to reliably protect a system from this remote attack. Fortunately, as a result of the attack described, the attacker will not be able to gain unauthorized access to your information. He will only be able to eat up the computing resources of your system and cut its connection with the outside world.
Let us hope that disabling your host is simply of no use to anyone.