
DENIAL OF SERVICE ATTACK

====================================
INTRODUCTION TO DENIAL OF SERVICE
====================================

Hans Husman
t95hhu@student.tdb.uu.se

Last updated: Mon Oct 28 14:56:31 MET 1996

0. FOREWORD

A. INTRODUCTION
A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
A.2.1. INTRODUCTION
A.2.2. SUB-CULTURAL STATUS
A.2.3. TO GAIN ACCESS
A.2.4. REVENGE
A.2.5. POLITICAL REASONS
A.2.6. ECONOMICAL REASONS
A.2.7. NASTINESS
A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?

B. SOME BASIC TARGETS FOR AN ATTACK
B.1. SWAP SPACE
B.2. BANDWIDTH
B.3. KERNEL TABLES
B.4. RAM
B.5. DISKS
B.6. CACHES
B.7. INETD

C. ATTACKING FROM THE OUTSIDE
C.1. TAKING ADVANTAGE OF FINGER
C.2. UDP AND SUNOS 4.1.3.
C.3. FREEZING UP X-WINDOWS
C.4. MALICIOUS USE OF UDP SERVICES
C.5. ATTACKING WITH LYNX CLIENTS
C.6. MALICIOUS USE OF telnet
C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
C.8. HOW TO DISABLE ACCOUNTS
C.9. LINUX AND TCP TIME, DAYTIME
C.10. HOW TO DISABLE SERVICES
C.11. PARAGON OS BETA R1.4
C.12. NOVELLS NETWARE FTP
C.13. ICMP REDIRECT ATTACKS
C.14. BROADCAST STORMS
C.15. EMAIL BOMBING AND SPAMMING
C.16. TIME AND KERBEROS
C.17. THE DOT DOT BUG
C.18. SUNOS KERNEL PANIC
C.19. HOSTILE APPLETS
C.20. VIRUS
C.21. ANONYMOUS FTP ABUSE
C.22. SYN FLOODING
C.23. PING FLOODING
C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
C.26. FLEXlm
C.27. BOOTING WITH TRIVIAL FTP

D. ATTACKING FROM THE INSIDE
D.1. KERNEL PANIC UNDER SOLARIS 2.3
D.2. CRASHING THE X-SERVER
D.3. FILLING UP THE HARD DISK
D.4. MALICIOUS USE OF eval
D.5. MALICIOUS USE OF fork()
D.6. CREATING FILES THAT ARE HARD TO REMOVE
D.7. DIRECTORY NAME LOOKUPCACHE
D.8. CSH ATTACK
D.9. CREATING FILES IN /tmp
D.10. USING RESOLV_HOST_CONF
D.11. SUN 4.X AND BACKGROUND JOBS
D.12. CRASHING DG/UX WITH ULIMIT
D.13. NETTUNE AND HP-UX
D.14. SOLARIS 2.X AND NFS
D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
D.16. trap_mon CAUSES KERNEL PANIC UNDER SUNOS 4.1.X

E. DUMPING CORE
E.1. SHORT COMMENT
E.2. MALICIOUS USE OF NETSCAPE
E.3. CORE DUMPED UNDER WUFTPD
E.4. ld UNDER SOLARIS/X86

F. HOW DO I PROTECT A SYSTEM AGAINST DENIAL OF SERVICE ATTACKS?
F.1. BASIC SECURITY PROTECTION
F.1.1. INTRODUCTION
F.1.2. PORT SCANNING
F.1.3. CHECK THE OUTSIDE ATTACKS DESCRIBED IN THIS PAPER
F.1.4. CHECK THE INSIDE ATTACKS DESCRIBED IN THIS PAPER
F.1.5. EXTRA SECURITY SYSTEMS
F.1.6. MONITORING SECURITY
F.1.7. KEEPING UP TO DATE
F.1.8. READ SOMETHING BETTER
F.2. MONITORING PERFORMANCE
F.2.1. INTRODUCTION
F.2.2. COMMANDS AND SERVICES
F.2.3. PROGRAMS
F.2.4. ACCOUNTING

G. SUGGESTED READING
G.1. INFORMATION FOR DEEPER KNOWLEDGE
G.2. KEEPING UP TO DATE INFORMATION
G.3. BASIC INFORMATION

H. COPYRIGHT

I. DISCLAIMER

.0. FOREWORD
------------

In this paper I have tried to answer the following questions:

- What is a denial of service attack?
- Why would someone crash a system?
- How can someone crash a system?
- How do I protect a system against denial of service attacks?

I also have a section called SUGGESTED READING where you can find
pointers to good free information that can give you a deeper
understanding of a subject.

Note that I have very limited experience with Macintosh, OS/2 and
Windows, and most of the material is therefore for Unix use.

You can always find the latest version at the following address:

http://www.student.tdb.uu.se/~t95hhu/secure/denial/DENIAL.TXT

Feel free to send comments, tips and so on to the address:
t95hhu@student.tdb.uu.se

.A. INTRODUCTION
~~~~~~~~~~~~~~~~

.A.1. WHAT IS A DENIAL OF SERVICE ATTACK?
-----------------------------------------

Denial of service is about knocking off services without permission,
for example by crashing the whole system. These kinds of attacks are
easy to launch and it is hard to protect a system against them. The
basic problem is that Unix assumes that users on the system or on
other systems will be well behaved.

.A.2. WHY WOULD SOMEONE CRASH A SYSTEM?
---------------------------------------
.A.2.1. INTRODUCTION
--------------------

Why would someone crash a system? I can think of several reasons,
which I have presented more precisely in a section for each reason,
but in short:

1. Sub-cultural status.
2. To gain access.
3. Revenge.
4. Political reasons.
5. Economical reasons.
6. Nastiness.

I think that numbers one and six are the more common today, but that
numbers four and five will be the more common ones in the future.

.A.2.2. SUB-CULTURAL STATUS
---------------------------

After all the information about syn flooding was published, a bunch of
such attacks were launched around Sweden. The very most of these attacks
were not part of an IP-spoof attack; they were "only" denial of service
attacks. Why?

I think that hackers attack systems as a sub-cultural pseudo career,
and I think that many denial of service attacks, in this example syn
flooding, were performed for these reasons. I also think that many
hackers begin their career with denial of service attacks.

.A.2.3. TO GAIN ACCESS
----------------------

Sometimes a denial of service attack could be part of an attack to
gain access to a system. At the moment I can think of these reasons
and specific holes:

1. Some older X-lock versions could be crashed with a method from the
denial of service family, leaving the system open. Physical access
was needed to use the workspace afterwards.

2. Syn flooding could be part of an IP-spoof attack method.

3. Some program systems could have holes during startup that could
be used to gain root, for example SSH (secure shell).

4. During an attack it could be useful to crash other machines in
the network, or to deny certain persons the ability to access the
system.

5. A system being booted can also sometimes be subverted, especially
rarp-boots. If we know which port the machine listens to during the
boot (69 could be a good guess), we can send false packets to it and
almost totally control the boot.

.A.2.4. REVENGE
---------------

A denial of service attack could be part of a revenge against a user
or an administrator.

.A.2.5. POLITICAL REASONS
-------------------------

Sooner or later new or old organizations will understand the potential
of destroying computer systems and find tools to do it.

For example, imagine the bank A loaning company B money to build a
factory threatening the environment. The organization C therefore
crashes A's computer system, maybe with help from an employee. The
attack could cost A a great deal of money if the timing is right.

.A.2.6. ECONOMICAL REASONS
--------------------------

Imagine the small company A moving into a business totally dominated by
company B. A's and B's customers make their orders by computer and depend
heavily on the order being done within a specific time (A and B could be
stock trading companies). If A and B can't perform the order, the
customers lose money and change company.

As part of a business strategy A pays a computer expert a sum of money to
get him to crash B's computer systems a number of times. A year later A
is the dominating company.

.A.2.7. NASTINESS
-----------------

I know a person that found a workstation where the user had forgotten to
log out. He sat down and wrote a program that executed kill -9 -1 at a
random time at least 30 minutes after the login time, and placed a call to
the program in the profile file. That is nastiness.

.A.3. ARE SOME OPERATING SYSTEMS MORE SECURE?
---------------------------------------------

This is a hard question to answer and I don't think that it would give
anything to compare different Unix platforms. You can't say that one
Unix is more secure against denial of service; it is all up to the
administrator.

A comparison between Windows 95 and NT on one side and Unix on the
other could however be interesting.

Unix systems are much more complex and have hundreds of built-in
programs, services... This always opens up many ways to crash the
system from the inside.

In the normal Windows NT and 95 network there are few ways to crash
the system, although there are methods that always will work.

That gives us that no big difference between Microsoft and Unix can
be seen regarding the inside attacks. But there are a couple of
points left:

- Unix has many more tools and programs to discover an attack and
monitor the users. To watch what another user is up to under Windows
is very hard.

- The average Unix administrator probably also has much more
experience than the average Microsoft administrator.

The two last points give that Unix is more secure against inside
denial of service attacks.

A comparison between Microsoft and Unix regarding outside attacks is
much more difficult. However, I would like to say that the average
Microsoft system on the Internet is more secure against outside
attacks, because it normally has far fewer services.

.B. SOME BASIC TARGETS FOR AN ATTACK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.B.1. SWAP SPACE
----------------

Most systems have several hundred Mbytes of swap space to service
client requests. The swap space is typically used for forked child
processes which have a short lifetime. The swap space will therefore
almost never be used heavily in the normal case. A denial of service
could be based on a method that tries to fill up the swap space.

.B.2. BANDWIDTH
---------------

If the bandwidth usage is too high the network will be useless. Most
denial of service attacks influence the bandwidth in some way.

.B.3. KERNEL TABLES
-------------------

It is trivial to overflow the kernel tables, which will cause serious
problems on the system. Systems with write-through caches and small
write buffers are especially sensitive.

Kernel memory allocation is also a sensitive target. The kernel has a
kernelmap limit; if the system reaches this limit it can not allocate
more kernel memory and must be rebooted. The kernel memory is not only
used for RAM, CPUs, screens and so on, it is also used for ordinary
processes. Meaning that any system can be crashed, and with a mean (or
in some sense good) algorithm pretty fast.

For Solaris 2.X the amount of kernel memory the system is using is
measured and reported with the sar command, but for SunOS 4.X there is
no such command. Meaning that under SunOS 4.X you can't even get a
warning. If you do use Solaris you should run sar -k 1 to get the
information. netstat -k can also be used and shows how much memory the
kernel has allocated in the subpaging.

.B.4. RAM
---------

A denial of service attack that allocates a large amount of RAM can
make a great deal of problems. NFS and mail servers are actually
extremely sensitive because they do not need much RAM and therefore
often don't have much RAM. An attack at an NFS server is trivial. The
normal NFS client will do a great deal of caching, but an NFS client
can be anything, including the program you wrote yourself...

.B.5. DISKS
-----------

A classic attack is to fill up the hard disk, but an attack at the
disks can be so much more. For example, an overloaded disk can be
misused in many ways.

.B.6. CACHES
------------

A denial of service attack involving caches can be based on a method
to block the cache or to avoid the cache.

These caches are found on Solaris 2.X:

Directory name lookup cache: Associates the name of a file with a vnode.

Inode cache: Caches information read from disk in case it is needed
again.

Rnode cache: Holds information about the NFS filesystem.

Buffer cache: Caches inode indirect blocks and cylinders to reduce disk
I/O.

.B.7. INETD
-----------

Once inetd has crashed, all other services running through inetd will
no longer work.
.C. ATTACKING FROM THE OUTSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.C.1. TAKING ADVANTAGE OF FINGER
--------------------------------

Most fingerd installations support redirection to another host.

Ex:

$ finger @system.two.com@system.one.com

finger will in the example go through system.one.com and on to
system.two.com. As far as system.two.com knows it is system.one.com
who is fingering. So this method can be used for hiding, but also for
a very dirty denial of service attack. Look at this:

$ finger @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@host.we.attack

All those @ signs will get finger to finger host.we.attack again and
again and again... The effect on host.we.attack is powerful and the
result is high bandwidth, short free memory and a hard disk with less
free space, due to all the child processes (compare with .D.5.).

The solution is to install a fingerd which doesn't support
redirection, for example GNU finger. You could also turn the finger
service off, but I think that is just a bit too much.

.C.2. UDP AND SUNOS 4.1.3.
--------------------------

SunOS 4.1.3. is known to reboot if a packet with incorrect information
in the header is sent to it. This is the case if the ip_options
indicate a wrong size of the packet.

The solution is to install the proper patch.

.C.3. FREEZING UP X-WINDOWS
---------------------------

If a host accepts a telnet session to the X-Windows port (generally
somewhere between 6000 and 6025, in most cases 6000), that could be
used to freeze up the X-Windows system. This can be done with multiple
telnet connections to the port or with a program which sends multiple
XOpenDisplay() to the port.

The same thing can happen to Motif or Open Windows.

The solution is to deny connections to the X-Windows port.

.C.4. MALICIOUS USE OF UDP SERVICES
-----------------------------------

It is simple to get UDP services (echo, time, daytime, chargen) to
loop, due to trivial IP-spoofing. The effect can be high bandwidth
that causes the network to become useless. In the example the header
claims that the packet came from 127.0.0.1 (loopback) and the target
is the echo port at system.we.attack. As far as system.we.attack knows,
127.0.0.1 is system.we.attack, and the loop has been established.

Ex:

from-IP=127.0.0.1
to-IP=system.we.attack
Packet type:UDP
from UDP port 7
to UDP port 7

Note that the name system.we.attack looks like a DNS name, but the
target should always be represented by the IP number.

Quoted from proberts@clark.net (Paul D. Robertson), comment on
comp.security.firewalls on the matter of "Introduction to denial of
service":

" A great deal of systems don't put loopback on the wire, and simply
emulate it. Therefore, this attack will only affect that machine
in some cases. It's much better to use the address of a different
machine on the same network. Again, the default services should
be disabled in inetd.conf. Other than some hacks for mainframe IP
stacks that don't support ICMP, the echo service isn't used by many
legitimate programs, and TCP echo should be used instead of UDP
where it is necessary. "

.C.5. ATTACKING WITH LYNX CLIENTS
---------------------------------

A World Wide Web server will fork an httpd process as a response to a
request from a client, typically Netscape or Mosaic. The process lasts
for less than one second and the load will therefore never show up if
someone uses ps. In most cases it is therefore very safe to launch a
denial of service attack that makes use of multiple W3 clients,
typically lynx clients. But note that the netstat command could be
used to detect the attack (thanks to Paul D. Robertson).

Some httpds (for example http-gw) will have problems besides the
normal high bandwidth, low memory... And the attack can in those cases
get the server to loop (compare with .C.6.).

.C.6. MALICIOUS USE OF telnet
-----------------------------

Study this little script:

Ex:

while : ; do
telnet system.we.attack &
done

An attack using this script might eat some bandwidth, but it is
nothing compared to the finger method or most other methods. Well,
the point is that some pretty common firewalls and httpds think that
the attack is a loop and turn themselves down, until the administrator
sends kill -HUP.

This is a simple high risk vulnerability that should be checked and,
if present, fixed.

.C.7. MALICIOUS USE OF telnet UNDER SOLARIS 2.4
-----------------------------------------------

If the attacker makes a telnet connection to the Solaris 2.4 host and
quits using:

Ex:

Control-}
quit

then inetd will keep going "forever". Well, a couple of hundred...

The solution is to install the proper patch.

.C.8. HOW TO DISABLE ACCOUNTS
-----------------------------

Some systems disable an account after N bad logins, or wait N seconds.
You can use this feature to lock out specific users from the system.

.C.9. LINUX AND TCP TIME, DAYTIME
---------------------------------

Inetd under Linux is known to crash if too many SYN packets are sent
to daytime (port 13) and/or time (port 37).

The solution is to install the proper patch.

.C.10. HOW TO DISABLE SERVICES
------------------------------

Most Unix systems disable a service after N sessions have been opened
in a given time. Well, most systems have a reasonable default (let's
say 800 - 1000), but not some SunOS systems that have the default set
to 48...

The solution is to set the number to something reasonable.

.C.11. PARAGON OS BETA R1.4
---------------------------

If someone redirects an ICMP (Internet Control Message Protocol)
packet to a Paragon OS beta R1.4 the machine will freeze up and must
be rebooted. An ICMP redirect tells the system to override routing
tables. Routers use this to tell the host that it is sending to the
wrong router.

The solution is to install the proper patch.

.C.12. NOVELLS NETWARE FTP
--------------------------

Novell's Netware FTP server is known to get short of memory if
multiple ftp sessions connect to it.
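Sections C.4, C.9 and C.10 come down to one defensive check on the server side: the small UDP services in inetd.conf (echo, chargen, daytime, time) should be off unless something genuinely needs them, as Paul D. Robertson's comment above also says. The script below is an added example, not code from the original paper: it audits a constructed inetd.conf for enabled UDP entries of those four services and writes a hardened copy with the offending lines commented out. The sample file content and the server paths in it are constructed, and the field layout assumed is the usual BSD/Linux one (service, socket type, protocol, wait/nowait, user, server, arguments).

```shell
#!/bin/sh
# Added example (not from the paper): audit inetd.conf for UDP loop targets.

# Constructed sample inetd.conf; field order is
# service  socket-type  protocol  wait/nowait  user  server  args
SAMPLE_INETD_CONF='ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
chargen dgram   udp     wait    root    internal
daytime dgram   udp     wait    root    internal
#time   dgram   udp     wait    root    internal
time    stream  tcp     nowait  root    internal'

# Print "<service> <protocol>" for every enabled UDP line of the four services
# that can be made to loop. Comment lines and short lines are skipped.
risky_udp_services() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 3 { next }
        $3 == "udp" && ($1 == "echo" || $1 == "chargen" || $1 == "daytime" || $1 == "time") {
            print $1, $3
        }'
}

# Number of such lines (handy for scripting and monitoring).
count_risky_udp_services() {
    risky_udp_services "$1" | wc -l | tr -d ' '
}

# Emit a hardened copy of the configuration: the risky UDP lines are commented
# out with a marker, every other line is passed through unchanged.
harden_inetd_conf() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 3 { print; next }
        $3 == "udp" && ($1 == "echo" || $1 == "chargen" || $1 == "daytime" || $1 == "time") {
            print "#" $0 "   # disabled: UDP loop target"; next
        }
        { print }'
}

# Stand-alone run on the constructed sample.
echo "Enabled UDP loop targets:"
risky_udp_services "$SAMPLE_INETD_CONF"
echo "Hardened configuration:"
harden_inetd_conf "$SAMPLE_INETD_CONF"
```

On a real host the functions would be fed `cat /etc/inetd.conf` instead of the sample string; after editing the file, inetd must be sent a HUP (kill -HUP, as the paper mentions in C.6) before the change takes effect. The TCP variants are left alone on purpose, in line with the quoted advice that TCP echo is the acceptable form where echo is needed at all.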
.C.13. ICMP REDIRECT ATTACKS
----------------------------

Gateways use ICMP redirect to tell the system to override routing
tables, that is, telling the system to take a better route. To be able
to misuse ICMP redirection we must know an existing connection (well,
we could make one for ourselves, but there is not much use for that).
If we have found a connection we can send a route that loses its
connectivity, or we could send false messages to the host if the
connection we have found doesn't use encryption.

Ex: (false messages to send)

DESTINATION UNREACHABLE
TIME TO LIVE EXCEEDED
PARAMETER PROBLEM
PACKET TOO BIG

The effect of such messages is a reset of the connection.

The solution could be to turn ICMP redirects off; there is not much
proper use of the service.

.C.14. BROADCAST STORMS
-----------------------

This is a very popular method in networks where all of the hosts are
acting as gateways.

There are many versions of the attack, but the basic method is to send
a lot of packets to all hosts in the network with a destination that
doesn't exist. Each host will try to forward each packet, so the
packets will bounce around for a long time. And if new packets keep
coming the network will soon be in trouble.

Services that can be misused as tools in this kind of attack are for
example ping, finger and sendmail. But most services can be misused in
some way or another.

.C.15. EMAIL BOMBING AND SPAMMING
---------------------------------

In an email bombing attack the attacker will repeatedly send identical
email messages to an address. The effect on the target is high
bandwidth, a hard disk with less space and so on... Email spamming is
about sending mail to all (or rather many) of the users of a system.
The point of using spamming instead of bombing is that some users will
try to send a reply, and if the address is false the mail will bounce
back. In that case one mail has been transformed into three mails. The
effect on the bandwidth is obvious.

There is no way to prevent email bombing or spamming. However, have a
look at CERT's paper "Email bombing and spamming".

.C.16. TIME AND KERBEROS
------------------------

If the time of the source and target machines is not closely aligned,
the ticket will be rejected. That means that if the protocol that sets
the time is not protected, it will be possible to put a Kerberos server
out of function.

.C.17. THE DOT DOT BUG
----------------------

The Windows NT file sharing system is vulnerable to the dot dot bug
(dot dot as in ..) famous under Windows 95. Meaning that anyone can
crash the system. If someone sends a "DIR ..\" to the workstation, a
STOP message will appear on the screen of the Windows NT computer. Note
that it applies to versions 3.50 and 3.51 for both the workstation and
server version.

The solution is to install the proper patch.

.C.18. SUNOS KERNEL PANIC
-------------------------

Some SunOS systems (running TIS?) will get a kernel panic if a
getsockopt() is done after a connection has been reset.

The solution could be to install Sun patch 100804.

.C.19. HOSTILE APPLETS
----------------------

A hostile applet is any applet that attempts to use your system in an
inappropriate manner. The problems in the Java language could be
sorted into two main groups:

1) Problems due to bugs.
2) Problems due to features in the language.

In group one we have for example the Java bytecode verifier bug, which
makes it possible for an applet to execute any command that the user
can execute. Meaning that all the attack methods described in .D.X.
could be executed through an applet. The Java bytecode verifier bug
was discovered in late March 1996 and no patch has yet been available
(correct me if I'm wrong!!!).

Note that two other bugs could be found in group one, but they are
both fixed in Netscape 2.01 and JDK 1.0.1.

Group two is more interesting, and one large problem found is the fact
that Java can connect to the ports. Meaning that all the methods
described in .C.X. can be performed by an applet. More information and
examples could be found at the address:

http://www.math.gatech.edu/~mladue/HostileArticle.html

If you need a high level of security you should use some sort of
firewall for protection against Java. As a user you could have Java
disabled.

.C.20. VIRUS
------------

Computer viruses are written for the purpose of spreading and
destroying systems. Viruses are still the most common and famous
denial of service attack method.

It is a misunderstanding that virus writing is hard. If you know
assembly language and have source code for a couple of viruses it is
easy. Several automatic toolkits for virus construction could also be
found, for example:

* Genvir.
* VCS (Virus Construction Set).
* VCL (Virus Construction Laboratory).
* PS-MPC (Phalcon/Skism - Mass Produced Code Generator).
* IVP (Instant Virus Production Kit).
* G2 (G Squared).

PS-MPC and VCL are known to be the best and can help the novice
programmer to learn how to write viruses.

An automatic tool called MtE could also be found. MtE will transform a
virus into a polymorphic virus. The polymorphic engine of MtE is well
known and should easily be caught by any scanner.

.C.21. ANONYMOUS FTP ABUSE
--------------------------

If an anonymous FTP archive has a writable area it could be misused
for a denial of service attack similar to .D.3. That is, we can fill
up the hard disk.

Also, a host can get temporarily unusable by massive numbers of FTP
requests.

For more information on how to protect an anonymous FTP site, CERT's
"Anonymous FTP Abuses" could be a good start.

.C.22. SYN FLOODING
-------------------

Both 2600 and Phrack have posted information about the syn flooding
attack. 2600 has also posted exploit code for the attack.

As we know the syn packet is used in the 3-way handshake. The syn
flooding attack is based on an incomplete handshake. That is, the
attacker host will send a flood of syn packets but will not respond
with an ACK packet. The TCP/IP stack will wait a certain amount of
time before dropping the connection; a syn flooding attack will
therefore keep the syn_received connection queue of the target machine
filled.

The syn flooding attack is very hot and it is easy to find more
information about it, for example:

[.1.] http://www.eecs.nwu.edu/~jmyers/bugtraq/1354.html
Article by Christopher Klaus, including a "solution".

[.2.] http://jya.com/floodd.txt
2600, Summer, 1996, pp. 6-11. FLOOD WARNING by Jason Fairlane

[.3.] http://www.fc.net/phrack/files/p48/p48-14.html
IP-spoofing Demystified by daemon9 / route / infinity
for Phrack Magazine

.C.23. PING FLOODING
--------------------

I haven't tested how big the impact of a ping flooding attack is, but
it might be quite big.

Under Unix we could try something like: ping -s host
to send 64 byte packets.

If you have Windows 95, click the start button, select RUN, then type
in: PING -T -L 256 xxx.xxx.xxx.xx. Start about 15 sessions.

.C.24. CRASHING SYSTEMS WITH PING FROM WINDOWS 95 MACHINES
----------------------------------------------------------

If someone can ping your machine from a Windows 95 machine he or she
might reboot or freeze your machine. The attacker simply writes:

ping -l 65510 address.to.the.machine

And the machine will freeze or reboot.

Works for kernel 2.0.7 up to version 2.0.20. and 2.1.1. for Linux
(crash).
AIX4, OSF, HPUX 10.1, DUnix 4.0 (crash).
OSF/1, 3.2C, Solaris 2.4 x86 (reboot).

.C.25. MALICIOUS USE OF SUBNET MASK REPLY MESSAGE
-------------------------------------------------

The subnet mask reply message is used during the reboot, but some
hosts are known to accept the message at any time without any check.
If so, all communication to or from the host is turned off; it's dead.

The host should not accept the message at any time but during the
reboot.
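The author notes in C.5 that netstat shows what ps does not, and the same applies to the syn flooding attack of C.22: the half-open connections sit in the syn_received queue, which netstat -an prints as SYN_RECV (Linux) or SYN_RCVD (BSD-derived stacks). The script below is an added example, not code from the paper or from any of the references above. It parses such output, counts half-open connections per local port, lists the distinct foreign addresses behind them and raises an alert above a threshold. The netstat snapshot and the addresses in it are constructed sample data; the column layout assumed is the common one with the state in the last column and address:port in columns 4 and 5 (the BSD address.port form is accepted as well).

```shell
#!/bin/sh
# Added example (not from the paper): detecting a SYN flood from netstat output.

# Constructed "netstat -an" snapshot: a server under a SYN flood on port 80,
# with two legitimate established sessions on ports 22 and 25.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           198.51.100.7:40211      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.5:1025        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.9:1026        SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.14:1027       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.23:1028       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.31:1029       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.42:1030       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.57:1031       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.66:1032       SYN_RECV
tcp        0      0 192.0.2.10:25           198.51.100.8:2000       ESTABLISHED'

# Keep only the TCP lines whose state is half-open.
half_open_lines() {
    printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && ($NF == "SYN_RECV" || $NF == "SYN_RCVD")'
}

# "<local port> <count>" for every local port with half-open connections,
# busiest port first. The port is the last ":" or "." separated component.
half_open_by_port() {
    half_open_lines "$1" | awk '{ n = split($4, a, /[:.]/); cnt[a[n]]++ }
        END { for (p in cnt) print p, cnt[p] }' | sort -k2,2nr
}

# Half-open count on one local port, 0 when there is none.
half_open_count() {
    half_open_by_port "$1" | awk -v port="$2" '
        $1 == port { print $2; found = 1 }
        END { if (!found) print 0 }'
}

# Distinct foreign addresses behind the half-open connections. A flood shows
# many addresses that never finish the handshake (typically spoofed), while one
# slow or broken client shows a single address.
half_open_sources() {
    half_open_lines "$1" | awk '{ sub(/[:.][^:.]*$/, "", $5); src[$5]++ }
        END { for (s in src) print s }' | sort
}

# Succeed (exit 0) when the half-open count on port $2 reaches threshold $3.
syn_flood_alert() {
    [ "$(half_open_count "$1" "$2")" -ge "$3" ]
}

# Stand-alone run on the constructed snapshot.
echo "half-open connections per local port:"
half_open_by_port "$SAMPLE_NETSTAT"
if syn_flood_alert "$SAMPLE_NETSTAT" 80 5; then
    echo "ALERT: port 80 has $(half_open_count "$SAMPLE_NETSTAT" 80) half-open connections from:"
    half_open_sources "$SAMPLE_NETSTAT"
fi
```

On a live system the snapshot would come from `netstat -an` run at an interval (a cron job or a loop with sleep); a threshold of a few dozen half-open connections on one port, sustained across several samples, is a more useful signal than a single reading, since the queue also fills briefly on a slow network.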
.C.26. FLEXlm
-------------

Any host running FLEXlm can get the FLEXlm license manager daemon on
any network to shut down using the FLEXlm lmdown command.

# lmdown -c /etc/licence.dat
lmdown - Copyright (C) 1989, 1991 Highland Software, Inc.
Shutting down FLEXlm on nodes: xxx
Are you sure? [y/n]: y
Shut down node xxx
#

.C.27. BOOTING WITH TRIVIAL FTP
-------------------------------

To boot diskless workstations one often uses trivial ftp with rarp or
bootp. If not protected, an attacker can use tftp to boot the host.

.D. ATTACKING FROM THE INSIDE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.D.1. KERNEL PANIC UNDER SOLARIS 2.3
------------------------------------

Solaris 2.3 will get a kernel panic if this is executed:

EX:

$ndd /dev/udp udp_status

The solution is to install the proper patch.

.D.2. CRASHING THE X-SERVER
---------------------------

If the sticky bit is not set on /tmp, the file /tmp/.x11-unix/x0 can
be removed and the X server will crash.

Ex:

$ rm /tmp/.x11-unix/x0

.D.3. FILLING UP THE HARD DISK
------------------------------

If your hard disk space is not limited by a quota, or if you can use
/tmp, then it's possible for you to fill up the file system.

Ex:

while : ;
mkdir .xxx
cd .xxx
done

.D.4. MALICIOUS USE OF eval
---------------------------

Some older systems will crash if eval '\!\!' is executed in the
C-shell.

Ex:

% eval '\!\!'

.D.5. MALICIOUS USE OF fork()
-----------------------------

If someone executes this C++ program the result will be a crash on
most systems.

Ex:

#include
#include
#include
main()
{
int x;
while(x=0;x

.D.6. CREATING FILES THAT ARE HARD TO REMOVE
--------------------------------------------

Ex.I.

-xxx
^C
$ ls
-xxx
$ rm -xxx
rm: illegal option -- x
rm: illegal option -- x
rm: illegal option -- x
usage: rm [-fiRr] file ...
$

Ex.II.

$ touch xxx!
$ rm xxx!
rm: remove xxx! (yes/no)? y
$ touch xxxxxxxxx!
$ rm xxxxxxxxx!
bash: !": event not found
$

(You see the size does count!)

Other well known methods are files with odd characters or spaces in
the name.

These methods could be used in combination with ".D.3 FILLING UP THE
HARD DISK". If you do want to remove these files you must use some sort
of script or a graphical interface like OpenWindows' File Manager. You
can also try to use: rm ./<file>. It should work for the first example
if you have a shell.

.D.7. DIRECTORY NAME LOOKUPCACHE
--------------------------------

The directory name lookup cache (DNLC) is used whenever a file is
opened. DNLC associates the name of the file with a vnode. But DNLC
can only operate on files with names that have less than N characters
(for SunOS 4.x up to 14 characters, for Solaris 2.x up to 30
characters). This means that it's dead easy to launch a pretty
discreet denial of service attack.

Create, let's say, 20 directories (for a start) and put 10 empty files
in every directory. Let every name have over 30 characters and execute
a script that makes a lot of ls -al on the directories.

If the impact is not big enough you should create more files or launch
more processes.

.D.8. CSH ATTACK
----------------

Just start this under /bin/csh (after proper modification) and the
load level will get very high (that is, 100% of the CPU time) in a
very short time.

Ex:

|I /bin/csh
nodename : **************b

.D.9. CREATING FILES IN /tmp
----------------------------

Many programs create files in /tmp, but are unable to deal with the
problem if the file already exists. In some cases this could be used
for a denial of service attack.

.D.10. USING RESOLV_HOST_CONF
-----------------------------

Some systems have a little security hole in the way they use the
RESOLV_HOST_CONF variable. That is, we can put things in it and
through ping access confidential data like /etc/shadow, or crash the
system. Most systems will crash if /proc/kcore is read in the variable
and accessed through ping.

Ex:

$ export RESOLV_HOST_CONF="/proc/kcore" ; ping asdf
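The remedy the author gives for the files of section D.6 (a script, or rm with a ./ prefix) can be turned into a small reusable cleanup routine for an administrator. The script below is an added example, not code from the paper: it creates a constructed scratch directory holding the kinds of names D.6 describes (a leading dash, a trailing !, a space, a control character), lists the entries whose names could confuse a shell, and removes them with rm -- so that a name such as -xxx is never parsed as options. The directory, the file names and the "safe character" set [A-Za-z0-9._-] are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the paper): finding and removing files whose names
# are built to be hard to delete, as described in section D.6.

# Create a constructed scratch directory holding the awkward names.
make_sample_dir() {
    dir=$(mktemp -d) || return 1
    : > "$dir/-xxx"                         # looks like options to rm
    : > "$dir/xxx!"                         # history expansion in an interactive shell
    : > "$dir/with space"                   # splits into two words if unquoted
    : > "$dir/$(printf 'tab\there')"        # contains a control character
    : > "$dir/normal.txt"                   # ordinary file, must survive the cleanup
    printf '%s\n' "$dir"
}

# Succeed when a name begins with "-" or contains anything outside the
# conservative set [A-Za-z0-9._-].
is_odd_name() {
    case $1 in
        -*) return 0 ;;
        *[!A-Za-z0-9._-]*) return 0 ;;
    esac
    return 1
}

# Print the odd names in directory $1, one per line. Globbing instead of
# parsing ls output keeps every name intact whatever characters it holds;
# the ".[!.]*" pattern picks up dot-files without matching "." or "..".
list_odd_names() {
    for path in "$1"/* "$1"/.[!.]*; do
        [ -e "$path" ] || continue
        if is_odd_name "${path##*/}"; then
            printf '%s\n' "${path##*/}"
        fi
    done
}

# Remove the odd entries in directory $1 and print how many were removed.
# "--" ends option parsing, so "-xxx" is a file name and never a flag; the
# paper's "rm ./name" form achieves the same thing.
remove_odd_names() {
    removed=0
    for path in "$1"/* "$1"/.[!.]*; do
        [ -e "$path" ] || continue
        if is_odd_name "${path##*/}"; then
            rm -rf -- "$path"
            removed=$((removed + 1))
        fi
    done
    printf '%s\n' "$removed"
}

# Stand-alone run on the constructed directory.
demo_dir=$(make_sample_dir)
echo "odd names found:"
list_odd_names "$demo_dir"
echo "removed: $(remove_odd_names "$demo_dir")"
echo "left behind: $(ls -- "$demo_dir")"
rm -rf -- "$demo_dir"
```

Run against a user's directory that was filled up as in D.3, the same loop with rm -rf -- also disposes of the nested .xxx directories, since the glob sees the top-level entry and rm descends from there. The character set is deliberately strict; on a system where users legitimately keep names with spaces, widen it rather than deleting on sight.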
.D.11. SUN 4.X AND BACKGROUND JOBS
----------------------------------

Thanks to Mr David Honig for the following:

" Put the string "a&" in a file called "a" and perform "chmod +x a".
Running "a" will quickly disable a Sun 4.x machine, even disallowing
(counter to specs) root login as the kernel process table fills."

" The cute thing is the size of the script, and how few keystrokes it
takes to bring down a Sun as a regular user."

.D.12. CRASHING DG/UX WITH ULIMIT
---------------------------------

ulimit is used to set a limit on the system resources available to the
shell. If ulimit 0 is called before /etc/passwd, under DG/UX, the
passwd file will be set to zero.

.D.13. NETTUNE AND HP-UX
------------------------

/usr/contrib/bin/nettune is SETUID root on HP-UX, meaning that any
user can reset all ICMP, IP and TCP kernel parameters, for example the
following parameters:

- arp_killcomplete
- arp_killincomplete
- arp_unicast
- arp_rebroadcast
- icmp_mask_agent
- ip_defaultttl
- ip_forwarding
- ip_intrqmax
- pmtu_defaulttime
- tcp_localsubnets
- tcp_receive
- tcp_send
- tcp_defaultttl
- tcp_keepstart
- tcp_keepfreq
- tcp_keepstop
- tcp_maxretrans
- tcp_urgent_data_ptr
- udp_cksum
- udp_defaultttl
- udp_newbcastenable
- udp_pmtu
- tcp_pmtu
- tcp_random_seq

The solution could be to set the proper permission on
/usr/contrib/bin/nettune:

#chmod u-s /usr/contrib/bin/nettune

.D.14. SOLARIS 2.X AND NFS
--------------------------

If a process is writing over NFS and the user goes over the disk
quota, the process will go into an infinite loop.

.D.15. SYSTEM STABILITY COMPROMISE VIA MOUNT_UNION
--------------------------------------------------

By executing a sequence of mount_union commands any user can cause a
system reload on all Fre