
Buffer Overflow: In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of a violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited. Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows. A buffer overflow occurs when data written to a buffer also corrupts data values in memory addresses adjacent to the destination buffer due to insufficient bounds checking. This can occur when copying data from one buffer to another without first checking that the data fits within the destination buffer.

ftp write: In the ftp-write attack, an attacker uses the ftp service to create a bogus .rhosts file in a world-writable ftp daemon home directory. Using the created file, the attacker is then able to open a remote session using the rlogin service without being required to supply a password. A generalization of this attack is that an attacker creates a bogus .rhosts file in any other user's home directory and then uses it to log in without providing a password.
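The copy-without-bounds-check failure described in the Buffer Overflow entry above, as an added example that is not part of the original page: a hypothetical record with an 8-byte name buffer sitting directly in front of a privilege flag, an unchecked strcpy() copy kept only for contrast, and a bounds-checked copy that refuses any input that does not fit together with its terminator. The struct layout, function names and sample inputs are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example: a small fixed-size
 * name buffer immediately followed by a field that an overrun would clobber. */
struct record {
    char name[8];
    uint32_t is_admin;   /* adjacent memory: the first thing an overflow reaches */
};

/* Unchecked copy. strcpy() stops only at the terminating NUL, so any input of
 * 8 or more characters writes past name[] into is_admin (undefined behaviour
 * in C). Shown for contrast only; the demo below never calls it. */
void copy_name_unchecked(struct record *r, const char *src) {
    strcpy(r->name, src);
}

/* Bounds-checked copy. Scans at most sizeof name bytes of the input, refuses
 * anything that does not fit together with its terminator, and leaves the
 * record untouched on rejection. Returns 0 on success, -1 if the input is too
 * long, so the caller sees an error instead of silent truncation or corruption. */
int copy_name_checked(struct record *r, const char *src) {
    size_t cap = sizeof r->name;
    size_t n = 0;
    while (n < cap && src[n] != '\0') {
        n++;                                   /* never reads past cap bytes */
    }
    if (n == cap) {
        return -1;                             /* needs n + 1 bytes, only cap available */
    }
    memcpy(r->name, src, n + 1);               /* n + 1 <= cap, includes the NUL */
    return 0;
}

int main(void) {
    struct record r = { "", 0 };
    const char *short_input = "alice";             /* constructed: fits */
    const char *long_input  = "AAAAAAAAAAAAAAAA";  /* constructed: 16 bytes, does not fit */
    int rc = copy_name_checked(&r, short_input);
    printf("short: rc=%d name=%s is_admin=%u\n", rc, r.name, (unsigned)r.is_admin);
    rc = copy_name_checked(&r, long_input);
    printf("long:  rc=%d name=%s is_admin=%u\n", rc, r.name, (unsigned)r.is_admin);
    return 0;
}
```

The checked version rejects rather than truncates: a silently shortened value (for example a cut-off path or username) is its own class of bug, and an explicit error is what the caller should see when untrusted input exceeds the buffer.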

Guess passwd: Another type of network attack is the password guessing attack. Here a legitimate user's access rights to computer and network resources are compromised by identifying the user id/password combination of the legitimate user. Password guessing attacks can be classified into two types. Brute Force Attack: A brute force attack is a type of password guessing attack that consists of trying every possible code, combination, or password until the correct one is found. This type of attack may take a long time to complete; a complex password makes the time needed to identify it by brute force long. Dictionary Attack: A dictionary attack is another type of password guessing attack, which uses a dictionary of common words to identify the user's password.

Ipsweep: An IP Sweep attack occurs when an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, the reply reveals the target's IP address to the attacker. If the device receives 10 ICMP echo requests within the configured number of microseconds, it flags this as an IP Sweep attack and rejects the 11th and all further ICMP packets from that host for the remainder of the second.

Land: The "LAND attack" is a network attack dating from 1997 that uses IP address spoofing to exploit a flaw in some TCP/IP protocol implementations. The name of this attack comes from the name given to the first distributed source code (called an "exploit") that made it possible to carry out this attack: land.c. The LAND attack therefore involves sending a packet with the same IP address and the same port number in the source and destination fields of the IP and TCP headers. Directed against vulnerable systems, this attack caused systems to lock up or become unstable. Recent systems are no longer vulnerable to this type of attack. A LAND attack consists of a stream of TCP SYN packets that have the source IP address and TCP port number set to the same values as the destination address and port number (i.e., those of the attacked host). Some implementations of TCP/IP cannot handle this theoretically impossible condition, causing the operating system to go into a loop as it tries to resolve repeated connections to itself. Service providers can block LAND attacks that originate behind aggregation points by installing filters on the ingress ports of their edge routers to check the source IP addresses of all incoming packets.
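The threshold rule in the Ipsweep entry above (10 echo requests within a configured interval trip the detector, and the 11th onward are dropped for the rest of the second), as an added example that is not part of the original page. It tracks one source host; the 5,000 microsecond counting interval and the two replayed arrival-time traces are assumptions chosen for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SWEEP_THRESHOLD 10u          /* echo requests that trigger the alarm (page value) */
#define SWEEP_WINDOW_US 5000ULL      /* assumed counting interval; the page leaves it configurable */
#define ONE_SECOND_US   1000000ULL

/* Detector state for one source host. Constructed for this example. */
struct sweep_state {
    uint64_t window_start_us;  /* start of the current counting interval */
    unsigned count;            /* echo requests seen in that interval */
    uint64_t block_until_us;   /* non-zero while ICMP from this host is being rejected */
    unsigned alarms;           /* number of times this host was flagged */
};

/* Feed one ICMP echo request from the tracked host arriving at now_us.
 * Returns 1 if the packet is accepted, 0 if it is rejected as part of a sweep. */
int sweep_observe(struct sweep_state *s, uint64_t now_us) {
    if (s->block_until_us != 0) {
        if (now_us < s->block_until_us) {
            return 0;                      /* inside the penalty period: reject */
        }
        s->block_until_us = 0;             /* penalty expired: start counting afresh */
        s->count = 0;
    }
    if (s->count == 0 || now_us - s->window_start_us >= SWEEP_WINDOW_US) {
        s->window_start_us = now_us;       /* open a new counting interval */
        s->count = 0;
    }
    s->count++;
    if (s->count >= SWEEP_THRESHOLD) {
        /* The 10th request inside the interval trips the alarm. It is still
         * delivered; the 11th and later are rejected until the current
         * second ends, as the page describes. */
        s->alarms++;
        s->block_until_us = (now_us / ONE_SECOND_US + 1) * ONE_SECOND_US;
    }
    return 1;
}

/* Replay a list of arrival times through the detector; returns how many were accepted. */
unsigned sweep_replay(struct sweep_state *s, const uint64_t *times_us, size_t n) {
    unsigned accepted = 0;
    for (size_t i = 0; i < n; i++) {
        accepted += (unsigned)sweep_observe(s, times_us[i]);
    }
    return accepted;
}

/* Two constructed traces: a burst of 15 requests 100 us apart (a sweep) and
 * 15 requests 1 ms apart (slow enough never to reach 10 in one interval).
 * Returns the number accepted; *alarms_out receives the alarm count. */
unsigned sweep_demo(int burst, unsigned *alarms_out) {
    struct sweep_state s = { 0, 0, 0, 0 };
    uint64_t times[15];
    for (size_t i = 0; i < 15; i++) {
        times[i] = ONE_SECOND_US + (uint64_t)i * (burst ? 100ULL : 1000ULL);
    }
    unsigned accepted = sweep_replay(&s, times, 15);
    if (alarms_out) *alarms_out = s.alarms;
    return accepted;
}

int main(void) {
    unsigned alarms;
    unsigned a = sweep_demo(1, &alarms);
    printf("burst: accepted %u of 15, alarms %u\n", a, alarms);
    a = sweep_demo(0, &alarms);
    printf("slow:  accepted %u of 15, alarms %u\n", a, alarms);
    return 0;
}
```

A real deployment keys this state by source address (a hash table of sweep_state) and has to choose the interval deliberately: too short and a scanner that paces its probes slips under it, as the slow trace shows; too long and bursts of legitimate monitoring traffic trip it.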

Pod: A ping of death (abbreviated "PoD") is a type of attack on a computer that involves sending a malformed or otherwise malicious ping to a computer. A ping is normally 32 bytes in size (or 84 bytes when the Internet Protocol [IP] header is considered); historically, many computer systems could not handle a ping packet larger than the maximum IPv4 packet size, which is 65,535 bytes. Sending a ping of this size could crash the target computer. In early implementations of TCP/IP, this bug was easy to exploit. This exploit has affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers, and routers. However, most systems since 1997-1998 have been fixed, so this bug is mostly historical. Generally, sending a 65,536-byte ping packet would violate the Internet Protocol as written in RFC 791, but a packet of such a size can be sent if it is fragmented; when the target computer reassembles the packet, a buffer overflow can occur, which often causes a system crash. In recent years a different kind of ping attack has become widespread: ping flooding simply floods the victim with so much ping traffic that normal traffic fails to reach the system (a basic denial-of-service attack). As defined in RFC 791, the maximum packet length of an IPv4 packet including the IP header is 65,535 (2^16 - 1) bytes, a limitation presented by the use of a 16-bit wide IP header field that describes the total packet length. The underlying Data Link Layer almost always poses limits to the maximum frame size. In Ethernet, this is typically 1500 bytes. In such a case, a large IP packet is split across multiple IP packets (also known as IP fragments), so that each IP fragment will match the imposed limit. The receiver of the IP fragments will reassemble them into the complete IP packet and will continue processing it as usual. When fragmentation is performed, each IP fragment needs to carry information about which part of the original IP packet it contains. This information is kept in the Fragment Offset field in the IP header. The field is 13 bits long and contains the offset of the data in the current IP fragment, in the original IP packet. The offset is given in units of 8 bytes. This allows a maximum offset of 65,528 ((2^13 - 1) * 8). This means that an IP fragment with the maximum offset should have data no larger than 7 bytes, or else it would exceed the limit of the maximum packet length. A malicious user can send an IP fragment with the maximum offset and with much more data than 8 bytes (as large as the physical layer allows it to be).

When the receiver assembles all IP fragments, it will end up with an IP packet which is larger than 65,535 bytes. This may overflow memory buffers which the receiver allocated for the packet and can cause various problems. As is evident from the description above, the problem has nothing to do with ICMP. It is a problem in the reassembly process of IP fragments, which may carry any type of protocol (TCP, UDP, IGMP, etc.). The fix for the problem is to add checks in the reassembly process. The check for each incoming IP fragment makes sure that the sum of the "Fragment Offset" and "Total length" fields in the IP header of each IP fragment is smaller than 65,535. If the sum is larger, the packet is invalid and the IP fragment is ignored. This check is performed by some firewalls to protect hosts that do not have the bug fixed. Another fix for the problem is using a memory buffer larger than 65,535 bytes for the reassembly of the packet. (This is essentially a breaking of the specification, since it adds support for packets larger than those allowed.)
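The two header checks described above, as one added example that is not part of the original page: the LAND condition (same source and destination address and TCP port) from the Land entry, and the oversized-fragment check from the Pod entry. The code parses a raw IPv4 header, applies both checks, and builds a few packets to exercise them. For the fragment check it places the fragment's data length (total length minus header length) at the fragment's offset, which is the form that lets the 7-byte final fragment at offset 65,528 through and rejects anything longer. All function names, verdict values and packet contents are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MAX_LEN 65535u
#define PROTO_TCP 6

/* Verdict bits returned by ipv4_check(); the names are this example's own. */
enum { PKT_OK = 0, PKT_LAND = 1, PKT_FRAG_OVERSIZE = 2, PKT_MALFORMED = 4 };

struct ipv4_info {
    unsigned ihl_bytes, total_len, frag_offset_bytes;
    uint8_t  proto;
    uint32_t src, dst;
    uint16_t sport, dport;   /* filled only for a first-fragment TCP segment */
};

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }

/* Parse an IPv4 header (options allowed) out of a buffer of len bytes.
 * Returns 0 on success, -1 if the buffer is too short or version/IHL are implausible. */
int ipv4_parse(const uint8_t *pkt, size_t len, struct ipv4_info *h) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    h->ihl_bytes = (unsigned)(pkt[0] & 0x0F) * 4;
    if (h->ihl_bytes < 20 || h->ihl_bytes > len) return -1;
    h->total_len = get16(pkt + 2);
    h->frag_offset_bytes = (unsigned)(get16(pkt + 6) & 0x1FFF) * 8;  /* 13-bit field, units of 8 bytes */
    h->proto = pkt[9];
    h->src = get32(pkt + 12);
    h->dst = get32(pkt + 16);
    h->sport = h->dport = 0;
    if (h->proto == PROTO_TCP && h->frag_offset_bytes == 0 && len >= h->ihl_bytes + 4) {
        h->sport = get16(pkt + h->ihl_bytes);
        h->dport = get16(pkt + h->ihl_bytes + 2);
    }
    return 0;
}

/* Apply the two header checks described on the page; returns a bitmask of verdict bits. */
unsigned ipv4_check(const uint8_t *pkt, size_t len) {
    struct ipv4_info h;
    unsigned v = PKT_OK, data_len;
    if (ipv4_parse(pkt, len, &h) != 0) return PKT_MALFORMED;
    /* LAND: a TCP segment whose source and destination address and port are identical. */
    if (h.proto == PROTO_TCP && h.src == h.dst && h.sport == h.dport) v |= PKT_LAND;
    /* Ping of death: the data this fragment carries, placed at its offset, must not
     * extend past the 65,535-byte IPv4 maximum (offset 65,528 leaves room for 7 bytes). */
    data_len = h.total_len > h.ihl_bytes ? h.total_len - h.ihl_bytes : 0;
    if (h.frag_offset_bytes + data_len > IPV4_MAX_LEN) v |= PKT_FRAG_OVERSIZE;
    return v;
}

/* Write a minimal IPv4 packet (20-byte header, data_len zero bytes of payload, TCP
 * ports in the first four payload bytes when proto is TCP) into buf and return its
 * length. The checksum stays zero: this example only inspects headers, it never sends. */
size_t build_ipv4(uint8_t *buf, uint32_t src, uint32_t dst, uint8_t proto,
                  unsigned frag_units, unsigned data_len, uint16_t sport, uint16_t dport) {
    unsigned total = 20 + data_len;
    memset(buf, 0, total);
    buf[0] = 0x45;                               /* version 4, IHL 5 */
    put16(buf + 2, (uint16_t)total);
    put16(buf + 6, (uint16_t)(frag_units & 0x1FFF));
    buf[8] = 64;                                 /* TTL */
    buf[9] = proto;
    put32(buf + 12, src);
    put32(buf + 16, dst);
    if (proto == PROTO_TCP && data_len >= 4) { put16(buf + 20, sport); put16(buf + 22, dport); }
    return total;
}

/* Constructed packets (addresses 10.0.0.1 and 10.0.0.2): a LAND segment, an ICMP
 * fragment that runs past the limit, the largest legal final fragment, and an
 * ordinary segment to port 80. Each returns the ipv4_check() verdict. */
unsigned demo_land(void) {
    uint8_t p[64]; size_t n = build_ipv4(p, 0x0A000001, 0x0A000001, PROTO_TCP, 0, 20, 139, 139);
    return ipv4_check(p, n);
}
unsigned demo_oversize_fragment(void) {
    uint8_t p[160]; size_t n = build_ipv4(p, 0x0A000001, 0x0A000002, 1, 8191, 100, 0, 0);
    return ipv4_check(p, n);
}
unsigned demo_max_legal_fragment(void) {
    uint8_t p[64]; size_t n = build_ipv4(p, 0x0A000001, 0x0A000002, 1, 8191, 7, 0, 0);
    return ipv4_check(p, n);
}
unsigned demo_benign_segment(void) {
    uint8_t p[64]; size_t n = build_ipv4(p, 0x0A000001, 0x0A000002, PROTO_TCP, 0, 20, 40000, 80);
    return ipv4_check(p, n);
}

int main(void) {
    printf("land=%u oversize=%u max_legal=%u benign=%u\n", demo_land(),
           demo_oversize_fragment(), demo_max_legal_fragment(), demo_benign_segment());
    return 0;
}
```

Both checks are stateless per packet, which is why they suit an ingress filter in front of hosts that cannot be patched: the LAND check needs only the first fragment of a segment, and the size check rejects the offending fragment before any reassembly buffer is touched.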

Rootkit: A rootkit is a special type of malware (malicious software). Rootkits are special because you don't know what they're doing. Rootkits are nearly undetectable and they're almost impossible to remove. Although detection tools are proliferating, malware developers are constantly finding new ways to cover their tracks. A rootkit's purpose is to hide itself and other software from view. This is done to prevent a user from identifying and potentially removing an attacker's software. A rootkit can hide almost any software, including file servers, keyloggers, botnets, and remailers. Many rootkits can even hide large collections of files and thus enable an attacker to store many files on your computer invisibly. Rootkits do not infect computers by themselves like viruses or worms do. Instead, an attacker identifies an existing vulnerability in a target system. Vulnerabilities may include an open network port, an unpatched system, or a system with a weak administrator password. After gaining access to a vulnerable system, the attacker can install a rootkit manually. This type of stealthy directed attack does not usually trigger automated network security controls such as intrusion detection systems. Identifying rootkits can be difficult. There are several software packages that detect rootkits. These software packages fall into two categories: signature-based and behavior-based detectors.

Signature-based detectors, such as most virus scanners, look for specific binary files that are known to be rootkits. Behavior-based detectors attempt to identify rootkits by looking for hidden elements, which is the primary behavior of rootkits. One popular behavior-based rootkit detector is Rootkit Revealer. Once you've identified a rootkit on your system, the remediation options are somewhat limited. Because rootkits can hide themselves, you may not know how long they've been on the system. You also may not know what information the rootkits have compromised. The best reaction to an identified rootkit is to wipe and reinstall the system. Although drastic, this is the only proven method to completely remove rootkits. Preventing rootkits from getting onto your system is the best strategy you can use. This is done with the same defense-in-depth strategy that you should use to prevent all malware from attacking your computer. Elements of defense-in-depth include virus scanners, regular software updates, a firewall on the host and the network, and a strong password strategy.

Smurf: The Smurf Attack is a denial-of-service attack in which large numbers of ICMP packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. This causes all hosts on the network to reply to the ICMP request, causing significant traffic to the victim's computer. If the routing device delivering traffic to those broadcast addresses delivers the IP broadcast to all hosts (for example via a layer 2 broadcast), most hosts on that IP network will take the ICMP request and reply to it, multiplying the traffic by the number of hosts responding. On a multi-access broadcast network, hundreds of machines might reply to each packet. According to CERT-CC, the name Smurf comes from the name of one of the exploit programs used to execute the attack. In the late 1990s, many IP networks would participate in Smurf attacks if prompted (that is, they would respond to ICMP requests sent to broadcast addresses). Today, thanks largely to the ease with which administrators can make a network immune to such abuse, very few networks remain vulnerable to Smurf attacks. The fix is two-fold:

1. Configure individual hosts and routers not to respond to ICMP requests or broadcasts.
2. Configure routers not to forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default, but in that year the standard was changed to require the default to be not to forward.

Teardrop: A teardrop attack is a denial of service (DoS) attack conducted by targeting TCP/IP fragmentation reassembly code. This attack causes fragmented packets to overlap one another on receipt at the host; the host attempts to reconstruct them during the process but fails. Gigantic payloads are sent to the machine that is being targeted, causing system crashes. A teardrop attack involves sending mangled IP fragments with overlapping, over-sized payloads to the target machine. This can crash various operating systems because of a bug in their TCP/IP fragmentation re-assembly code.[5] Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63, are vulnerable to this attack. Around September 2009, a vulnerability in Windows Vista was referred to as a "teardrop attack", but the attack targeted SMB2, which is a higher layer than the TCP packets that teardrop used.

Neptune: SYN Flood (Neptune) is a denial of service attack to which every TCP/IP implementation is vulnerable (to some degree). To distinguish a Neptune attack, network traffic is monitored for a number of simultaneous SYN packets destined for a particular machine. The host sending these packets is usually unreachable.

Satan: Satan is a probing intrusion which automatically scans a network of computers to gather information or find known vulnerabilities. The network probes are quite useful for attackers planning a future attack.
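The overlapping-fragment condition that the Teardrop entry above describes, as an added example that is not part of the original page: a per-datagram reassembly table that records the byte range each accepted fragment claims and rejects a new fragment that overlaps any of them, rather than attempting to splice it in. The structure, names and fragment sequences are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FRAGS 64

/* Reassembly bookkeeping for one datagram (a real stack keys this by
 * source, destination, identification and protocol). Constructed for this
 * example: it stores the half-open byte range [start, end) of every
 * fragment accepted so far. */
struct frag_set {
    unsigned start[MAX_FRAGS], end[MAX_FRAGS];
    size_t count;
};

enum { FRAG_ACCEPTED = 0, FRAG_OVERLAP = 1, FRAG_TOO_MANY = 2, FRAG_EMPTY = 3 };

/* Offer one fragment (offset already converted from 8-byte units to bytes).
 * Fragments may arrive in any order; the only requirement is that their
 * ranges do not intersect. Returns one of the FRAG_* codes. */
int frag_add(struct frag_set *fs, unsigned offset_bytes, unsigned data_len) {
    if (data_len == 0) return FRAG_EMPTY;
    if (fs->count >= MAX_FRAGS) return FRAG_TOO_MANY;
    unsigned s = offset_bytes, e = offset_bytes + data_len;
    for (size_t i = 0; i < fs->count; i++) {
        /* Two ranges intersect unless one ends before the other begins. */
        if (s < fs->end[i] && fs->start[i] < e) return FRAG_OVERLAP;
    }
    fs->start[fs->count] = s;
    fs->end[fs->count] = e;
    fs->count++;
    return FRAG_ACCEPTED;
}

/* Constructed sequences. Teardrop-style: the second fragment claims bytes the
 * first already covered. Adjacent: three pieces that tile the datagram. */
int demo_teardrop(void) {
    struct frag_set fs = { {0}, {0}, 0 };
    if (frag_add(&fs, 0, 36) != FRAG_ACCEPTED) return -1;     /* bytes 0..35 */
    return frag_add(&fs, 24, 36);                             /* bytes 24..59: overlaps */
}
int demo_adjacent(void) {
    struct frag_set fs = { {0}, {0}, 0 };
    int r = frag_add(&fs, 0, 1480);
    if (r == FRAG_ACCEPTED) r = frag_add(&fs, 1480, 1480);
    if (r == FRAG_ACCEPTED) r = frag_add(&fs, 2960, 200);
    return r;
}

int main(void) {
    printf("teardrop sequence -> %d, adjacent sequence -> %d\n", demo_teardrop(), demo_adjacent());
    return 0;
}
```

Rejecting an overlapping fragment outright is the conservative choice: the original bug came from trying to trim the overlap and computing a negative length, and firewalls that drop overlaps also remove a classic way of smuggling data past signature inspection.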