Monday January 27, 2003

From the "I can't believe it's Java!" department comes Visual Route. If you like mapping and/or if you like networking you'll probably get a kick out of this app. Nicely done interface with all kinds of interesting goodies. I tracked a spam email back through VA, GA, MD, London, Paris, Frankfurt, and finally to Infostrada hosting in Italy.


TedHieron • 2003-01-28 09:52am

I can't imagine being online much without this valuable and fun tool! I've used it for years. They now have another product specifically aimed at getting information about spam sent to you.


When we moved offices I set up our network with a Sonicwall firewall/router. It's a pretty cool unit, quite a step up from the little home Linksys boxes I'd played with before. Among its many features it will send out email alerts when someone is attacking the network. This means at least once a day I get an email that someone is attempting a Smurf Amplification Attack or a Ping of Death or something equally weird.

After this weekend's Microsoft SQL worm cluttered up the Internet and slowed things down, one has to wonder how much faster and more fun the Internet would be without all of the attacks and spam. Of course that's like wondering how enjoyable and educational the Science and Discovery channels might be without all of those brain-dead advertisements. I suspect the whole reason Tivo was invented was that an engineer wanted a way to skip the Bowflex ads and the repetitive announcer before and after each break.

For your work-break reading pleasure let me clog the internet with the following list of potential network attacks.

Back Orifice Attack

Back Orifice is a Trojan Horse attack that, once executed on a remote computer, will
allow an attacker to perform illicit activities such as capturing screenshots or 
keyboard commands, performing file transfers, or installing applications. Back Orifice
communicates over TCP port 31337.


IniKiller Attack

IniKiller is a Trojan Horse attack that allows an attacker to destroy .ini files on 
a remote computer communicating over TCP port 9989.


IP Spoof

An IP Spoof is an intrusion attempt in which a hacker attempts to send TCP/IP packets 
using the address of another computer. This can be used to access a protected network 
by using an IP address of a machine on the protected network. The SonicWALL recognizes 
this as an intrusion attempt and drops these packets. An IP spoof alert on the log often 
indicates a SonicWALL misconfiguration; if you see an IP spoof alert, make sure that all 
IP addresses on the LAN, WAN, and DMZ are correct. This can also occur if an IP address 
on the LAN does not fall within the LAN subnet.


Land Attack

A Land Attack is an attempt to slow down a computer or network connection. In a Land Attack,
a packet is sent with identical source and destination IP addresses which match an IP
address of a computer on the network. Because this is theoretically impossible, Windows
goes into an infinite loop trying to resolve these illegal connections, causing the whole
network performance to be degraded.


NetBus Attack

NetBus is a Trojan Horse attack for Windows 95/98/NT that, once executed on a remote computer,
will allow an attacker to perform illicit activities such as opening and closing the CD-ROM,
starting applications, showing different messages or even redirecting a web browser to a
specific URL on the Internet.


NetSpy Attack

NetSpy is a Trojan Horse attack that allows an attacker to perform illicit activities on
a remote computer communicating over TCP port 1024.


Ping of Death

A ping of death is a denial of service attack that attempts to crash your system by
sending a fragmented IP packet. IP does not allow single packets to exceed 65536 bytes,
but the fragments themselves can add up to more than that. Since this is a theoretically
impossible condition, operating systems crash when they receive this data. A ping of
death attack can be launched from older versions of Windows; newer versions of Windows
prevent users from sending these packets.


Port Scan

A Port Scan indicates that someone may be scanning your system to identify open ports.
Sometimes this is done in preparation for a future attack or to identify whether you have
rules which allow a service susceptible to attack. A false positive may occur if an
application or user is legitimately connecting to several ports. To determine whether
this is likely, look at the port to see if it is an expected port number.


Priority Attack

Priority is a Trojan Horse attack that allows an attacker to perform illicit activities
on a remote computer communicating over TCP port 16969.


Ripper Attack

Ripper is a Trojan Horse attack that allows an attacker to steal passwords from a remote
computer communicating over TCP port 2023. 


Senna Spy Attack

Senna Spy is a Trojan Horse attack that allows an attacker to perform illicit activities
on a remote computer communicating over UDP port 13000. 


Smurf Attack

A Smurf Attack occurs when a single packet such as an ICMP echo frame is sent to a group
of machines on the Internet with the source address replaced by the target computer or
network IP address. This causes a flurry of echo responses to be sent to the target machine,
which can overflow the target computer or network. This alert indicates that somebody is
attempting to use your network as a smurf amplifier. Broadcasts on the local segment can
sometimes trigger false Smurf Attack alerts. 


Striker Attack

Striker is a Trojan Horse attack that allows an attacker to crash remote Windows PCs
communicating over TCP port 2565. 


SubSeven Attack

SubSeven is a Trojan Horse attack that allows an attacker to perform illicit activities
on a remote computer communicating over TCP ports 6667, 6711 and 27374. This Trojan is
particularly dangerous and can send an IRC chat message to notify the hacker that the
system is up and running. 


SYN Flood Attack

A SYN Flood is a denial of service attempt in which TCP connection requests are sent
faster than the system can process them. This causes the memory to fill up, forcing the
new connections to be ignored. This detection triggers whenever a large number of SYN
packets are seen in a short period of time. There are cases when it will trigger
incorrectly, producing a false positive. For example, if a busy website becomes unavailable
for a few minutes, then is brought back online, this event triggers because of the
"pent up" connections waiting for the system to become available. 


Stealth Scanning

Stealth scanning is used by intruders to discover what ports are listening on a machine
without being detected. A TCP FIN, or Stealth FIN, scan will send a FIN packet to each
port. A Xmas Tree scan uses packets with the FIN, URG, and PUSH flags set. A Null scan
will send packets with no TCP flags set. 
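As an added illustration (not code from this post or from SonicWALL), here is a small Python classifier that applies several of the alert rules above (Land, Ping of Death, Smurf, Stealth Scanning, the Trojan ports, and Port Scan) to constructed packet records of the kind a firewall log would carry; the LAN range, record field names and thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

LAN = ip_network("10.0.0.0/24")  # assumed protected LAN (hypothetical)
# TCP port -> Trojan name, as the list above gives them
TROJAN_TCP_PORTS = {31337: "Back Orifice", 9989: "IniKiller", 1024: "NetSpy", 16969: "Priority", 2023: "Ripper",
                    2565: "Striker", 6667: "SubSeven", 6711: "SubSeven", 27374: "SubSeven"}
# sorted TCP flag letters -> scan type from the Stealth Scanning entry
STEALTH_FLAGS = {"F": "Stealth FIN scan", "FPU": "Xmas Tree scan", "": "Null scan"}

def classify(pkt):
    """Stateless rules: the alert names one packet record triggers."""
    alerts = []
    if pkt["src"] == pkt["dst"]:  # Land: identical source and destination
        alerts.append("Land Attack")
    if pkt.get("frag_end", 0) > 65535:  # fragments reassemble past the IP maximum
        alerts.append("Ping of Death")
    if pkt["proto"] == "icmp" and pkt.get("type") == 8 and pkt["dst"] == str(LAN.broadcast_address):
        alerts.append("Smurf Attack")  # echo request aimed at our broadcast address
    if pkt["proto"] == "tcp":
        flags = "".join(sorted(pkt.get("flags", "")))
        if flags in STEALTH_FLAGS:
            alerts.append(f"Stealth Scanning ({STEALTH_FLAGS[flags]})")
        if pkt["dport"] in TROJAN_TCP_PORTS:
            alerts.append(f"{TROJAN_TCP_PORTS[pkt['dport']]} Attack")
    if pkt["proto"] == "udp" and pkt["dport"] == 13000:
        alerts.append("Senna Spy Attack")
    return alerts

def port_scan_sources(packets, window=5.0, min_ports=20):
    """Stateful rule: sources touching >= min_ports distinct ports within window seconds."""
    seen, flagged = defaultdict(list), set()
    for p in packets:
        if p["proto"] not in ("tcp", "udp"):
            continue
        seen[p["src"]].append((p["t"], p["dport"]))
        recent = {d for t, d in seen[p["src"]] if p["t"] - t <= window}
        if len(recent) >= min_ports:
            flagged.add(p["src"])
    return flagged

# Constructed sample records (not real traffic); frag_end = offset + length of the last fragment
SAMPLE_PACKETS = [
    {"t": 0.0, "src": "10.0.0.5", "dst": "10.0.0.5", "proto": "tcp", "dport": 139, "flags": "S"},
    {"t": 0.1, "src": "203.0.113.9", "dst": "10.0.0.255", "proto": "icmp", "type": 8},
    {"t": 0.2, "src": "198.51.100.4", "dst": "10.0.0.7", "proto": "icmp", "type": 8, "frag_end": 65600},
    {"t": 0.3, "src": "203.0.113.9", "dst": "10.0.0.7", "proto": "tcp", "dport": 31337, "flags": "S"},
    {"t": 0.4, "src": "203.0.113.9", "dst": "10.0.0.7", "proto": "tcp", "dport": 80, "flags": "UPF"},
] + [{"t": 1 + i / 100, "src": "198.51.100.4", "dst": "10.0.0.7", "proto": "tcp", "dport": 3000 + i,
      "flags": "S"} for i in range(25)]  # 25 SYNs to distinct ports in 0.25 s
```

The port-scan rule is the one most prone to the false positives the list mentions, so in practice the window and port-count thresholds are tuned per site.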

TedHieron • 2003-01-27 02:19pm

The "Land Attack" reminds me of the "Nomad" episode of the original Star Trek. Silly.
Doug L. • 2003-01-27 05:36pm

Next question: How many of these particular attacks would be effective in their current forms if computers running Microsoft operating systems were not permitted on the net?

Just curious...
Jeremyx • 2003-01-27 08:55pm

If Microsoft Operating Systems were not allowed on the net, then this list would contain exploits for the next most popular OS. If Linux or Mac had the market share M$ does, then we'd see just as many Linux or Mac viri too...
Jerry • 2003-01-28 12:32pm

So you are saying that people who run Windows are sort of like the front line in a hand-to-hand field battle? They are up there taking arrows, spikes, and swords, while the rest of us sit back and contemplate strategies and sip Champagne?

We should pause from time to time to thank the hapless windows users for being such good decoys and foils.

":^)



Faith • 2003-01-28 10:14pm

I am Nomad. I am HE!

You will be absorbed...

Or was that Landru?

What's the kick in slowing down the net? Just doesn't make any sense. Or is it just getting your 'baby' on the news?

Send this message to 8 friends or you will have bad luck for 8 years. A man in New Hampshire did not forward this message and he got 3 feet of snow...


This one is for Faith. Kombu Noodles, a flourless noodle made from 100% seaweed. Saute Wednesday offered a description:

The Kombu Seaweed Noodles are made from kelp found in the China Sea, although these are the giant version, with strands reaching over 1500 feet long. The kelp is harvested, cleaned and cooked, until it is a big gelatinous mass, and then extruded into a noodle form. They are then packed in 6 oz. packages and shipped frozen.