Information warfare
- 42 trang
- file .pdf
Information Warfare
Security Essentials
The SANS Institute
Information Assurance Foundations - SANS ©2001 1
"Warfare" can be broadly defined as "the waging of armed conflict against an enemy." In this
module we will consider what warfare means in the context of today's information systems and
networks. We will see that the fundamental principles of warfare known for thousands of years are
still relevant on today's new battleground.
5-1
Agenda
• What is Information Warfare?
• Why is it Important?
• Offensive Tactics
• Introduction to Network Attacks
• Defensive Tactics
Information Warfare - SANS ©2001 2
After introducing the concept of information warfare, we will be concentrating on warfare principles
and strategies. We will discuss both offensive and defensive tactics, both theory and practice. As a
concrete example of offensive tactics, a quick introduction to TCP/IP network attacks is provided.
5-2
What is Information Warfare?
Information warfare is the offensive and defensive
use of information and information systems to
deny, exploit, corrupt, or destroy, an adversary's
information, information-based processes,
information systems, and computer-based
networks while protecting one's own.
Such actions are designed to achieve advantages
over military or business adversaries.
Dr. Ivan Goldberg
Information Warfare - SANS ©2001 3
We start our discussion with a definition of information warfare. The definition above simply maps
our intuitive definition of warfare (subvert the enemy while protecting ourselves) into the realm of
computers and networks. This definition has been provided by Dr. Ivan Goldberg, who leads the
"Institute for the Advanced Study of Information Warfare". The institute's website has a number of
white papers and reports on information warfare topics.
http://www.psycom.net/iwar.1.html
Eric Hrovat provides some interesting perspectives on information warfare in his paper, "Information
Warfare: The Unconventional Art in a Digital World" published by SANS:
http://rr.sans.org/infowar/infowar.php
5-3
Examples of Information Warfare
• A company breaking into a competitor’s
computer system to find out their list of
customers
• An R&D company putting false
information about research on their web
site to mislead the competition
• A foreign government stealing tapes
containing classified information
Information Warfare - SANS ©2001 4
There are many possible forms of information warfare, the above slide provides three examples. Any
time someone uses information as a weapon against an adversary, that is information warfare. The
distinguishing factors are only how the information is obtained, how it is used, and to what impact.
We consider theft of information a form of information warfare, but the most critical issue is how the
stolen information is used against its rightful owner. In terms of the examples, a company who
discovers a list of their competitor's customers might send false or misleading information to the
customers, might market to these people specifically, or might simply see to it that the customers are
harassed by telemarketers and spam (so the recipients think that the company they trusted released
their information without permission).
A foreign government stealing classified backup tapes might be able to discover detailed technical
information concerning the capabilities of their adversary's weapons, or might obtain documents
detailing strategies, names of informants, or maps of secret testing facilities. The possibilities are
endless.
A startup tech company that has a next generation product to release might post information stating
that their product will not be ready for several months. Such a posting might lull the company's
competitors into a false sense of not needing to hurry their own development cycles. When the
startup releases its product months earlier than advertised, the competition is caught flat-footed.
5-4
Key Points From the Examples
• Information Warfare can be:
– Theft
– Deception
– Sabotage
• Does not have to be technical or
sophisticated
• Attackers will always go after the
weakest link
Information Warfare - SANS ©2001 5
Abstracting the previous examples a level, we can list out a few fundamental concepts. Theft,
espionage, blackmail, deception, sabotage, destruction -- these are all common goals in information
warfare attacks. As in other forms of warfare, a skilled attacker will seek out his opponent's
weaknesses and attack those first and most vigorously. For example, sometimes social engineering or
packet flooding attacks most effectively accomplish an attacker's goals, but neither of these attacks
requires any sophisticated technical skills.
5-5
Why is it Important?
• Affects all governments and companies,
and even individuals
• Can be devastating
• Risks are often not well understood
• Can be difficult to predict or detect
• Defenses must be custom tailored
• Raises questions of legalities and liabilities
Information Warfare - SANS ©2001 6
In today's world, information warfare impacts everyone, whether they own a computer or not.
Consider identity theft, where one person is able to impersonate another, resulting in destroyed credit
histories, undeserved criminal records, misassigned debt and liability, false healthcare documents,
and more. Most people and organizations are not fully aware of the risks that surround them,
although the results of an attack can be devastating.
Because each organization is different, there is no "one size fits all" defense system. The only way to
design a good defense is to understand the offensive tactics used by attackers, and to understand the
defensive tactics and tools available to us. We will explore both offensive and defensive tactics in
this module, and see how (fortunately) a few basic principles can be applied across a large number of
situations. Interestingly, our most useful principles come not from information theory, but from a
compilation of warfare strategies written well over two thousand years ago: Sun Tzu's "Art of War".
These strategies are as relevant today as when they were first written.
5-6
How Dangerous is it Really?
A few facts from the Honeynet project concerning
break-ins between April and December 2000:
• Seven default Red Hat 6.2 servers were attacked
within 3 days of connecting to net
• Fastest time for any server to be compromised was
15 minutes from first connection to net
• Default Win98 box compromised in less than 24
hours from first connection, and compromised
another four times in the next three days
Information Warfare - SANS ©2001 7
But lets back up a minute. Perhaps we are over-reacting. Is it really all that dangerous on the internet
today? Are there really that many "evil-doers" out to do me ill when I connect to the internet?
Unfortunately, yes. The Honeynet project (a group that sets up and monitors whole networks of
honeypots of all different operating systems) recently reported some statistics concerning the rate of
break-ins to their small network over a period of 9 months. The full information concerning the stats
above is quoted from the paper below.
http://project.honeynet.org/papers/stats/
----------------
• Between April and December 2000, seven default installations of Red Hat 6.2 servers were
attacked within three days of connecting to the internet. Based on this, we estimate the life
expectancy of a default installation of Red Hat 6.2 server to be less than 72 hours. The last time we
attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever
for a system to be compromised was 15 minutes. This means the system was scanned, probed, and
exploited within 15 minutes of connecting to the internet. Coincidentally, this was the first honeypot
we ever setup, in March of 1999.
• A default Windows 98 desktop was installed on October 31, 2000, with sharing enabled, the same
configuration found in many homes and organizations. The honeypot was compromised in less than
twenty four hours. In the following three days it was successfully compromised another four times.
This makes a total of five successful attacks in less than four days.
----------------
These facts (and other information in the paper) demostrate the hostility of today's networks even to
a simple home user. Even "grandma" needs to be aware of the dangers of the online environment
today. As an example, consider that many of us use home computers to fill out year-end income tax
forms. An attacker able to access that information would know enough to cause significant problems.
Today's networks are infested with worms and automated attack programs that relentlessly seek out
and compromise vulnerable computers, reporting back to a human only after accomplishing a
successful compromise. Companies and governments must be secured against these threats, as well
as against more sophisticated attackers specifically targeting their organization.
5-7
How Would you be Impacted?
• Consider the following scenario:
– You go into work tomorrow and all of your
computers are gone and there is no internet
connection.
• Could you handle the situation?
• Do you have backups? Uncontaminated
backups? Is there a restore process?
• Could your organization survive the loss?
Information Warfare - SANS ©2001 8
Is your organization prepared for an attack? Either from the internet or from a natural disaster or
terrorist act? Part of information warfare is planning for the worst and having a recovery plan in
place. Many of us would be in a lot of trouble if a particular building burned down for example --
that building being the one holding the primary information and all of its backup copies. The
September11th tragedy demonstrated how critical backups can be to a company's survival.
When we ask about "uncontaminated backups", does that make sense to you? Consider a virus that
spreads rapidly but remains undetected because it does not do anything observable. The virus infects
several computers, but because it is not detected the virus program is copied onto the backup tapes
along with legitimate information. Time passes. Ten months later the virus' payload goes into action
and starts destroying files and laying waste to operating systems. You think, no problem, I've got
backups going back 6 months. Oh no! All the backups are contaminated too! What do we do now?
Do you have insurance against information loss? A recent Information Week article (January 2,
2002) explains how many insurance providers have decided to exclude online assets and terrorism-
related damages from their IT policy offerings.
http://www.informationweek.com/story/IWK20020102S0004
5-8
Threats
• Internal threats
– Employees
– Contractors
– Visitors
• External threats
– Anyone connected to the internet
Information Warfare - SANS ©2001 9
The threat to a company could really be anything. Threats are typically broken down into internal
and external threats. Internal threats are attacks launched by internal attackers, contractors, or even
visitors to your facility. External threats could really be anyone that is connected to the internet.
Threats can also range from intentional to unintentional events. Unintentional events, like floods or
fires, could also be a threat that impacts a company. Even though these threats are not meant to hurt
the company, the net result is the same. Therefore it is important to understand and react to all
possible threats that are posed to your company.
5-9
Offensive Tactics
• Using publicly available information maliciously
• Stealing confidential information
• Destroying or corrupting important data
• Denial of Service attacks against business or
livelihood
• Providing false information in order to deceive,
mislead, or confuse
• Impersonation and slandering
• Public embarrassment (e.g. website defacement)
Information Warfare - SANS ©2001 10
Let us begin our consideration of information warfare concepts by looking at the offensive side of
the game. Defensive strategies will be covered later.
The slide above lists several common ways information can be involved in an attack against an
organization or individual. At first glance it may seem that these attack methods are specific to the
information age. In the next few slides we will take a closer look at several of the specific tactics and
show that the concepts behind them have been well-known to warriors for centuries.
5 - 10
Public but Sensitive Information
"It is always necessary to begin by finding out the names of
the attendants, the aides-de-camp, and door keepers and
sentries of the general in command." -Sun Tzu
• There are many sources of information
– Press releases
– Employment ads
– Company descriptions
– Public databases (whois, legal, edgar, healthcare,
whitepages)
Information Warfare - SANS ©2001 11
Over two thousand years ago Sun Tzu noted that deploying spies to gather information such as the
names of people in the enemy organization, and the types of sentries (read defense mechanisms here)
is an important first step in warfare. Things haven't changed very much.
Given today's internet, it is possible for an attacker to find out a great deal about an adversary
without breaking any laws or even raising any eyebrows. If an attacker is interested in an individual
or a company, internet white page directories can provide names, addresses, phone numbers, street
maps, and even satellite photographs. Attackers can often gain access to legal, healthcare, and credit
history databases without too much trouble. A google.com search for an individual's email address
can provide links to newsgroup postings which contain information about the individual's interests,
habits, friends, employer, etc. Information-rich messages posted to security mailing lists such as "I
work for company XYZ and our main www.xyz.com IIS 5.0 web server has been hacked and is
backdoored..." can be very useful.
In addition, companies love giving out information to help fuel growth, but often fail to realize the
negative impact that information could have to the company. For example, an ISP who just built a
new network wants to advertise it to help get additional business. So they have a press release that
describes their new computers -- what brand, what operating systems, what versions, etc. An attacker
can easily use the information to build an attack list for breaking into the ISP's systems. Similarly, a
company that posts a list of employee names provides an attacker with information useful in
username/password guessing attacks.
Public databases can also provide a wealth of information. For example, publicly traded companies
are required to disclose certain information to the SEC. The SEC information is posted online in the
EDGAR database. These documents could be used to obtain the names of key executives, which
could be used in social engineering attacks.
Another common practice is for attackers to notice that a merger or acquisition has taken place, and
capitalize on the ensuing organizational confusion. For example, lets say our attacker's desired target
XYZ has recently acquired Acme Widgets Inc., and the two company's technologies are being
integrated. Our attacker simply phones up an XYZ engineer (name obtained via the company
directory) and says that he is from Acme Widgets and that Executive So-And-So (name obtained
from EDGAR) wanted him to call to get the latest product specifications and development timelines.
5 - 11
Stealing Confidential Information
"Though the enemy be stronger in numbers, we may prevent
him from fighting. Scheme so as to discover his plans and
the likelihood of their success." -Sun Tzu
• Espionage is a real problem
• Many foreign governments have admitted to
launching corporate espionage attacks
against US companies to give their local
companies a competitive advantage.
Information Warfare - SANS ©2001 12
A critical part of warfare, information or otherwise, lies in discovering the enemy's plans. Sun Tzu
notes that even a strong adversary can be crushed if his plans are known in advance. Online
espionage is the modern embodiment of this tactic, and it works as well today as ever.
One legal method of performing corporate intelligence gathering is to get the employees talking. A
recent news article describes how today's corporate spies rely heavily on forming online friendships
with target employees to gain information. According to one corporate intelligence professional, 85
percent of people will share sensitive information about themselves and their companies with perfect
strangers. The statistic is calculated based on the results of 78,000 recorded conversations with
people worldwide.
Further, companies have been known to hire agents to sit next to traveling executives on planes,
where they can read business information over the executive's shoulder, or engage in seemingly
innocent chit-chat. Experience has shown that executives are particularly vulnerable to questions
from brainless admirers.
http://www.al.com/news/huntsville/Apr2000/30-e27547.html
And of course the true hack-in-and-steal-something method is wildly popular. For example, the
articles linked below describe an incident where attackers stole source code from Microsoft in
October of 2000. A Microsoft spokesperson called the incident "a deplorable act of industrial
espionage".
http://news.zdnet.co.uk/story/0,,s2082221,00.html
http://news.cnet.com/news/0-1005-200-3308084.html
Interestingly, two of the main concerns in the Microsoft incident were that the attackers would
implant backdoors in the Windows source code (they had access to the data for three months), and
that the attackers would analyze the source code and discover vulnerabilities that no one else knows
about. Other concerns included the notion that a rival company might try to market the stolen
software as their own, or use the proprietary algorithmic and programming techniques to advance
their own products. These concerns illustrate a few of the dangers of proprietary information theft.
5 - 12
False Information
"All warfare is based on deception...The one who is skillful
maintains deceitful appearances, according to which the
enemy will act." -Sun Tzu
• If you know someone is watching you, why
not give them misleading information?
– False press releases
– False company information
– False server banners
Information Warfare - SANS ©2001 13
This warfare tactic has the goal of misleading the enemy. The hope is that the enemy will use the
false information to influence their actions to our advantage. For example, a company might "leak"
the fact that they are going to submit a proposal for a particular job at the price of $5 million. The
competition, upon hearing this information, decides to bid $4.5 million. When the original company
actually bids $4 million (instead of the "leaked" $5 million figure) the spying competitor finds
themselves underbid.
As another example of misinformation in the information age, consider the case of an attacker who
fabricated a false press release that led to a publicly traded company temporarily losing more than $2
million in market value. The bogus press release was submitted via email to InternetWire and picked
up and distributed by a number of major news organizations. The press release stated that the
company in question (Emulex) was under investigation by the SEC, had revised its latest earnings
reports to show a loss instead of a profit, and was losing its CEO. The result was that investors
started to dump the company's stock en masse, sending Emulex's stock plummeting as much as 62%.
The company lost as much as $2.5 billion in market value before the fraud was discovered and
Nasdaq halted its trading.
http://www.usdoj.gov/criminal/cybercrime/emulex.htm
http://www.ecommercetimes.com/perl/story/4426.html
In general, the misinformation strategy is quite interesting and complex. The complexities arise the
same as in any other lie, how to lie to some people, while telling the truth to others and keep it all
straight? An organization employing these methods can easily lose control, or become liable for
damages resulting from the false statements. The techniques can be quite effective however.
5 - 13
Honeypots
"Learn the principle of the enemy's activity or inactivity.
Force him to reveal himself ... By holding out advantages
to him, cause him to approach of his own accord."
-Sun Tzu
• Honeypots are sacrificial computers,
purposely left vulnerable.
• The computers are carefully instrumented
to record attackers' actions and gather
copies of the tools they use
Information Warfare - SANS ©2001 14
Another example of deception in information warfare is the use of honeypots. The idea of a honeypot
is twofold.
First, as highlighted in the slide, honeypots can be used to gather intelligence about an attacker's
methods and goals. By leaving a few machines purposely vulnerable but instrumented, we can allow
attackers to break in and then watch what they do. By observing what files they look for we may be
able to guess what they are after, and by watching the tools they use we gain an idea of their
capabilities and methods of operation. For example, if the attacker exploits a MS SQL server
vulnerability to gain access, we would want to be sure to patch that vulnerability on all relevant
systems across the enterprise. Further, if we notice that the attacker likes to set up a Trojan SSH
server on port 50000/tcp, we might want to scan the internal networks for port 50000 listeners.
Second, honeypots can provide a way of diverting an attacker’s attention away from critical systems
for long enough to strengthen the defense. An attacker is likely to go after the "low hanging fruit",
that is, the easily compromised hosts on an enterprise, before moving on to more difficult targets. By
letting the attacker have a few sacrificial machines, we buy some time to learn about the attacker's
capabilities and react appropriately. Of course, Sun Tzu has a quote for this aspect of the strategy
too: "Sacrifice something, that the enemy may snatch at it."
5 - 14
Denial of Service Attacks
"So in war, the way is to avoid what is strong and
strike at what is weak." -Sun Tzu
• Easy to wage
• Difficult to defend against
• Can result in lost revenue
• Can hurt public image
Information Warfare - SANS ©2001 15
Most of us remember the infamous Distributed Denial of Service (DDoS) attacks waged by a
Canadian teenager in February of 2000 resulting in an estimated total loss of $1.7 billion to several
US companies. The attacker, known as "mafiaboy," flooded the webservers of Ebay, Dell, Amazon,
and Yahoo (among others) with meaningless traffic in order to overload the target networks and
prevent the servers from responding to legitimate requests. Because each of the targeted
organizations relies heavily on its internet presence as a source of revenue, Mafiaboy's Denial of
Service attack was quite damaging.
A news article on the topic:
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1541000/1541252.stm
The important thing to take away from the example is that Mafiaboy didn't need any sophisticated
technical skills to wage these attacks. In fact, the tools he used and others like them are publicly
available on many websites. These tools do not take any special skills to run.
On the other hand the sites that were attacked all employ heavy security and would be difficult to
break into. Mafiaboy employed Sun Tzu's concept of avoiding what is strong (the site's security
defenses) and striking at what is weak (fundamental behavior of IP networks). Most Denial of
Service attacks are simple to wage, but difficult to defend against. Why not take the easy route to
inflicting damage on an enemy? Part of defensive information warfare comes in identifying our own
weaknesses and strengthening our defenses accordingly.
5 - 15
Understand the Risks
"He who exercises no forethought but makes light of his
opponent is sure to be captured by them." -Sun Tzu
• Attackers have a complete arsenal of
weapons to use against a network's
defenses
• An understanding of an attacker's offensive
warfare tactics is essential
Information Warfare - SANS ©2001 16
The point of intersection between offense and defense comes in understanding the offensive in order
to better defend. In information warfare, this concept is very important. It has been estimated that
new vulnerabilities were being discovered at the rate of 200 per month by mid 2001.
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2803105,00.html
A recent CERT report provides the following figures concerning numbers of reported vulnerabilities
for the past three years:
1999: 417 vulnerabilities
2000: 1090 vulnerabilities
2001: 2437 vulnerabilities
CERT further reports that the number of incidents has doubled between 2000 and 2001. 21,756
incidents were reported in 2000, while 52,658 incidents were reported in 2001. Less than 10,000
incidents were reported in 1999.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67318,00.html
http://www.cert.org/stats/cert_stats.html
Clearly it is important to keep up with information on new vulnerabilities, patches, and exploits. It is
also important to understand the fundamental techniques employed by attackers (e.g. buffer
overflows, improperly formatted packets, weak password exploitation, etc.) so that we can spot
vulnerabilities ourselves before an attacker finds them. The administrator who believes that "it
couldn't happen to them" is sure to be in for a rough ride.
5 - 16
An Introduction to Network
Attack Methods
• Denial of Service • SYN Flooding
• Distributed DoS • Smurf
• Session Hijacking • Teardrop
• IP Spoofing • Land
• TCP Sequence • Man in the Middle
Prediction • Session Replay
• IP Fragmentation
• Ping of Death
Information Warfare - SANS ©2001 17
In the following few slides, we are going to talk about various types of attacks that have occurred
over the internet in the past. But before we begin, I should point out a couple of important facts.
First, we will not be going into very technical depth about each of these attacks. Some of them can
get quite complicated, but we will stick to the high-level description as much as possible.
Second, many of these attacks have many variations that have been used over time. You may hear of
them referred to in several different ways in your continuing security education. In the interests of
time, we will restrict our discussion to the original attack, and mention any variations only as
necessary for clarification.
Finally, while each of these attacks can be used by itself, you will very often see them used in
combination, or see one attack used as the basis for another. For example, many of the attacks are
based on some form of Denial of Service.
5 - 17
Denial of Service
• Keeping the computer or network
from doing anything useful
• Attack can cause a system to crash
or consume excessive resources
• Very hard to prevent
• Attacker does not need to be
skilled to wage the attack
Information Warfare - SANS ©2001 18
Denial of Service, or DoS, is one of the most common attacks in use today. It works just like it
sounds: It is used to deny service to a system or network. Denial of Service attacks are aimed at
preventing a computer or network from performing its normal duties. This can take the form of
crashing a computer, but more often it takes the form of flooding the network or computer with
hundreds, or even millions, of information or service requests. The computer quickly gets
overwhelmed and can’t handle the load. Once this happens, service is denied to legitimate users of
the service because they can’t seem to get the server’s attention.
Denial of Service attacks are appealing to attackers for a number of reasons. First, they are
deceptively simple to do. As we shall see shortly when we talk about SYN flooding, the methods for
performing a DoS attack are not that difficult to learn or perform. Second, depending on how the
DoS is performed, all you are doing is preventing legitimate traffic from getting to the server. You do
not necessarily have to crash the machine or ruin any of the server’s resources. The attacker
mentality will say that this is no more harmful than driving slowly on the highway or taking your
time at the drive-in line at the bank. Well, tell that to Yahoo, eBay, or any one of the dozen other
large internet sites that got hit with DDoS attacks in the Spring of 2000. To them, the damage and the
losses were very real.
Classic DoS attacks occur when a single system floods your network with packets or sends
maliciously crafted packets designed to crash or hang target systems. These attacks can be stopped
by instructing your routers or firewalls not to accept packets from the attacking system. However, a
new breed of DoS attacks has recently surfaced, the Distributed Denial of Service, or DDoS.
We’ll look at Distributed Denial of Service later, after considering a few of the "single shot" crafted
packet attacks that can crash systems. A fundamental difference between the two types of Denial of
Service attacks (flooding and crafted packet) arises from the differing principles on which the attacks
are based. Crafted packet attacks take advantage of the fact that the programmer who built the
vulnerable software did not properly handle an "impossible" case -- a type of packet that should
never arise under normal network conditions. Packet flooding attacks exploit a fundamental property
of TCP/IP networks and client-server communications. How can a server distinguish legitimate
service requests from bogus ones?
5 - 18
Land Attack
• Attacker sends a single spoofed packet
• Result: Crashed old Win boxes and
Cisco routers
Src IP = Dst IP
bad.guy.org Src Port = Dst Port
www.victim.com
TCP SYN
Information Warfare - SANS ©2001 19
This attack is very simple, but when land.c was first released in a posting to Bugtraq, the tool caused
a lot of problems. The idea was to spoof the source address on a TCP packet to be the same as the
destination address. Also, a Land packet has the SYN flag set and must be received by an open port
on the target.
When a vulnerable host receives these packets, it enters an infinite loop and has to be physically
rebooted. The attack worked very well against Windows 95 machines, locking them up completely,
and also crashed Cisco routers and switches. Once the exploit was released, Cisco engineers had
work around the clock to through Thanksgiving to isolate the problem, test equipment, and work on
fixes.
A 1997 Network World news story about the problems caused by Land:
http://www.nwfusion.com/news/1997/1215meltman.html
CERT advisory 97.28:
http://www.cert.org/advisories/CA-1997-28.html
Bugtraq summary of vulnerable systems:
http://www.securityfocus.com/archive/1/8123
Original exploit posting by m3lt:
http://www.securityfocus.com/archive/1/8083
Cisco advisory:
http://www.cisco.com/warp/public/770/land-pub.shtml
5 - 19
IP Fragmentation
reassembled
IP datagrams IP fragments at destination
MTU limited
• If packets are larger than a network can handle,
they are fragmented in multiple parts
• Fragmented parts are reassembled at destination
Information Warfare - SANS ©2001 20
In the IP protocol, there are allowances for the fact that there may be many different types of
equipment, computers, and networks connected together. For instance, a computer may want to
transmit packets of 1 kilobyte (1024 bytes) in size, but the routers between the computer and the
destination may only be able to handle packets of 512 bytes in size. If this is the case, IP will
automatically split the original packet into smaller pieces that will be able to make it all the way
across the network. This process is called fragmentation. Once the fragments reach their
destination, they are reassembled to recreate the original packet. Fragmentation is good because it
ensures the accurate transmission of information in a way that is transparent to the user or
application.
However, packet fragmentation has also been used for evil purposes as a way of attacking computers
and slipping past firewalls. Since it is computationally intensive for a network intrusion detection
system or firewall to reassemble fragmented transmissions, attackers can often hide their evil deeds
by forcing all of their communications to be fragmented. Further the process of fragment reassembly
can be rather complicated (consider missing fragments, overlapping fragments, out-of-order
fragments, etc.) and naturally some bugs have crept into the fragment handling routines of various
operating systems. Attackers discovered that they could crash systems in many cases by building and
sending streams of fragments that do not reassemble correctly. Further attackers discovered they
could sometimes trick firewalls into passing traffic that should not be allowed by sending very very
small fragments that do not contain all the information the firewall needs to make its filtering
decision correctly.
Packet fragmentation may seem a bit esoteric for ordinary folks to worry about, but it is a classic
example of the technical lengths and the in-depth knowledge attackers will seek in order to work
their evil.
5 - 20
Security Essentials
The SANS Institute
Information Assurance Foundations - SANS ©2001 1
"Warfare" can be broadly defined as "the waging of armed conflict against an enemy." In this
module we will consider what warfare means in the context of today's information systems and
networks. We will see that the fundamental principles of warfare known for thousands of years are
still relevant on today's new battleground.
5-1
Agenda
• What is Information Warfare?
• Why is it Important?
• Offensive Tactics
• Introduction to Network Attacks
• Defensive Tactics
Information Warfare - SANS ©2001 2
After introducing the concept of information warfare, we will be concentrating on warfare principles
and strategies. We will discuss both offensive and defensive tactics, both theory and practice. As a
concrete example of offensive tactics, a quick introduction to TCP/IP network attacks is provided.
5-2
What is Information Warfare?
Information warfare is the offensive and defensive
use of information and information systems to
deny, exploit, corrupt, or destroy, an adversary's
information, information-based processes,
information systems, and computer-based
networks while protecting one's own.
Such actions are designed to achieve advantages
over military or business adversaries.
Dr. Ivan Goldberg
Information Warfare - SANS ©2001 3
We start our discussion with a definition of information warfare. The definition above simply maps
our intuitive definition of warfare (subvert the enemy while protecting ourselves) into the realm of
computers and networks. This definition has been provided by Dr. Ivan Goldberg, who leads the
"Institute for the Advanced Study of Information Warfare". The institute's website has a number of
white papers and reports on information warfare topics.
http://www.psycom.net/iwar.1.html
Eric Hrovat provides some interesting perspectives on information warfare in his paper, "Information
Warfare: The Unconventional Art in a Digital World" published by SANS:
http://rr.sans.org/infowar/infowar.php
5-3
Examples of Information Warfare
• A company breaking into a competitor’s
computer system to find out their list of
customers
• An R&D company putting false
information about research on their web
site to mislead the competition
• A foreign government stealing tapes
containing classified information
Information Warfare - SANS ©2001 4
There are many possible forms of information warfare, the above slide provides three examples. Any
time someone uses information as a weapon against an adversary, that is information warfare. The
distinguishing factors are only how the information is obtained, how it is used, and to what impact.
We consider theft of information a form of information warfare, but the most critical issue is how the
stolen information is used against its rightful owner. In terms of the examples, a company who
discovers a list of their competitor's customers might send false or misleading information to the
customers, might market to these people specifically, or might simply see to it that the customers are
harassed by telemarketers and spam (so the recipients think that the company they trusted released
their information without permission).
A foreign government stealing classified backup tapes might be able to discover detailed technical
information concerning the capabilities of their adversary's weapons, or might obtain documents
detailing strategies, names of informants, or maps of secret testing facilities. The possibilities are
endless.
A startup tech company that has a next generation product to release might post information stating
that their product will not be ready for several months. Such a posting might lull the company's
competitors into a false sense of not needing to hurry their own development cycles. When the
startup releases its product months earlier than advertised, the competition is caught flat-footed.
5-4
Key Points From the Examples
• Information Warfare can be:
– Theft
– Deception
– Sabotage
• Does not have to be technical or
sophisticated
• Attackers will always go after the
weakest link
Information Warfare - SANS ©2001 5
Abstracting the previous examples a level, we can list out a few fundamental concepts. Theft,
espionage, blackmail, deception, sabotage, destruction -- these are all common goals in information
warfare attacks. As in other forms of warfare, a skilled attacker will seek out his opponent's
weaknesses and attack those first and most vigorously. For example, sometimes social engineering or
packet flooding attacks most effectively accomplish an attacker's goals, but neither of these attacks
requires any sophisticated technical skills.
5-5
Why is it Important?
• Affects all governments and companies,
and even individuals
• Can be devastating
• Risks are often not well understood
• Can be difficult to predict or detect
• Defenses must be custom tailored
• Raises questions of legalities and liabilities
Information Warfare - SANS ©2001 6
In today's world, information warfare impacts everyone, whether they own a computer or not.
Consider identity theft, where one person is able to impersonate another, resulting in destroyed credit
histories, undeserved criminal records, misassigned debt and liability, false healthcare documents,
and more. Most people and organizations are not fully aware of the risks that surround them,
although the results of an attack can be devastating.
Because each organization is different, there is no "one size fits all" defense system. The only way to
design a good defense is to understand the offensive tactics used by attackers, and to understand the
defensive tactics and tools available to us. We will explore both offensive and defensive tactics in
this module, and see how (fortunately) a few basic principles can be applied across a large number of
situations. Interestingly, our most useful principles come not from information theory, but from a
compilation of warfare strategies written well over two thousand years ago: Sun Tzu's "Art of War".
These strategies are as relevant today as when they were first written.
5-6
How Dangerous is it Really?
A few facts from the Honeynet project concerning
break-ins between April and December 2000:
• Seven default Red Hat 6.2 servers were attacked
within 3 days of connecting to net
• Fastest time for any server to be compromised was
15 minutes from first connection to net
• Default Win98 box compromised in less than 24
hours from first connection, and compromised
another four times in the next three days
Information Warfare - SANS ©2001 7
But lets back up a minute. Perhaps we are over-reacting. Is it really all that dangerous on the internet
today? Are there really that many "evil-doers" out to do me ill when I connect to the internet?
Unfortunately, yes. The Honeynet project (a group that sets up and monitors whole networks of
honeypots of all different operating systems) recently reported some statistics concerning the rate of
break-ins to their small network over a period of 9 months. The full information concerning the stats
above is quoted from the paper below.
http://project.honeynet.org/papers/stats/
----------------
• Between April and December 2000, seven default installations of Red Hat 6.2 servers were
attacked within three days of connecting to the internet. Based on this, we estimate the life
expectancy of a default installation of Red Hat 6.2 server to be less than 72 hours. The last time we
attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever
for a system to be compromised was 15 minutes. This means the system was scanned, probed, and
exploited within 15 minutes of connecting to the internet. Coincidentally, this was the first honeypot
we ever setup, in March of 1999.
• A default Windows 98 desktop was installed on October 31, 2000, with sharing enabled, the same
configuration found in many homes and organizations. The honeypot was compromised in less than
twenty four hours. In the following three days it was successfully compromised another four times.
This makes a total of five successful attacks in less than four days.
----------------
These facts (and other information in the paper) demostrate the hostility of today's networks even to
a simple home user. Even "grandma" needs to be aware of the dangers of the online environment
today. As an example, consider that many of us use home computers to fill out year-end income tax
forms. An attacker able to access that information would know enough to cause significant problems.
Today's networks are infested with worms and automated attack programs that relentlessly seek out
and compromise vulnerable computers, reporting back to a human only after accomplishing a
successful compromise. Companies and governments must be secured against these threats, as well
as against more sophisticated attackers specifically targeting their organization.
5-7
How Would you be Impacted?
• Consider the following scenario:
– You go into work tomorrow and all of your
computers are gone and there is no internet
connection.
• Could you handle the situation?
• Do you have backups? Uncontaminated
backups? Is there a restore process?
• Could your organization survive the loss?
Information Warfare - SANS ©2001 8
Is your organization prepared for an attack? Either from the internet or from a natural disaster or
terrorist act? Part of information warfare is planning for the worst and having a recovery plan in
place. Many of us would be in a lot of trouble if a particular building burned down for example --
that building being the one holding the primary information and all of its backup copies. The
September11th tragedy demonstrated how critical backups can be to a company's survival.
When we ask about "uncontaminated backups", does that make sense to you? Consider a virus that
spreads rapidly but remains undetected because it does not do anything observable. The virus infects
several computers, but because it is not detected the virus program is copied onto the backup tapes
along with legitimate information. Time passes. Ten months later the virus' payload goes into action
and starts destroying files and laying waste to operating systems. You think, no problem, I've got
backups going back 6 months. Oh no! All the backups are contaminated too! What do we do now?
Do you have insurance against information loss? A recent Information Week article (January 2,
2002) explains how many insurance providers have decided to exclude online assets and terrorism-
related damages from their IT policy offerings.
http://www.informationweek.com/story/IWK20020102S0004
5-8
Threats
• Internal threats
– Employees
– Contractors
– Visitors
• External threats
– Anyone connected to the internet
Information Warfare - SANS ©2001 9
The threat to a company could really be anything. Threats are typically broken down into internal
and external threats. Internal threats are attacks launched by internal attackers, contractors, or even
visitors to your facility. External threats could really be anyone that is connected to the internet.
Threats can also range from intentional to unintentional events. Unintentional events, like floods or
fires, could also be a threat that impacts a company. Even though these threats are not meant to hurt
the company, the net result is the same. Therefore it is important to understand and react to all
possible threats that are posed to your company.
5-9
Offensive Tactics
• Using publicly available information maliciously
• Stealing confidential information
• Destroying or corrupting important data
• Denial of Service attacks against business or
livelihood
• Providing false information in order to deceive,
mislead, or confuse
• Impersonation and slandering
• Public embarrassment (e.g. website defacement)
Information Warfare - SANS ©2001 10
Let us begin our consideration of information warfare concepts by looking at the offensive side of
the game. Defensive strategies will be covered later.
The slide above lists several common ways information can be involved in an attack against an
organization or individual. At first glance it may seem that these attack methods are specific to the
information age. In the next few slides we will take a closer look at several of the specific tactics and
show that the concepts behind them have been well-known to warriors for centuries.
5 - 10
Public but Sensitive Information
"It is always necessary to begin by finding out the names of
the attendants, the aides-de-camp, and door keepers and
sentries of the general in command." -Sun Tzu
• There are many sources of information
– Press releases
– Employment ads
– Company descriptions
– Public databases (whois, legal, edgar, healthcare,
whitepages)
Information Warfare - SANS ©2001 11
Over two thousand years ago Sun Tzu noted that deploying spies to gather information such as the
names of people in the enemy organization, and the types of sentries (read defense mechanisms here)
is an important first step in warfare. Things haven't changed very much.
Given today's internet, it is possible for an attacker to find out a great deal about an adversary
without breaking any laws or even raising any eyebrows. If an attacker is interested in an individual
or a company, internet white page directories can provide names, addresses, phone numbers, street
maps, and even satellite photographs. Attackers can often gain access to legal, healthcare, and credit
history databases without too much trouble. A google.com search for an individual's email address
can provide links to newsgroup postings which contain information about the individual's interests,
habits, friends, employer, etc. Information-rich messages posted to security mailing lists such as "I
work for company XYZ and our main www.xyz.com IIS 5.0 web server has been hacked and is
backdoored..." can be very useful.
In addition, companies love giving out information to help fuel growth, but often fail to realize the
negative impact that information could have to the company. For example, an ISP who just built a
new network wants to advertise it to help get additional business. So they have a press release that
describes their new computers -- what brand, what operating systems, what versions, etc. An attacker
can easily use the information to build an attack list for breaking into the ISP's systems. Similarly, a
company that posts a list of employee names provides an attacker with information useful in
username/password guessing attacks.
Public databases can also provide a wealth of information. For example, publicly traded companies
are required to disclose certain information to the SEC. The SEC information is posted online in the
EDGAR database. These documents could be used to obtain the names of key executives, which
could be used in social engineering attacks.
Another common practice is for attackers to notice that a merger or acquisition has taken place, and
capitalize on the ensuing organizational confusion. For example, lets say our attacker's desired target
XYZ has recently acquired Acme Widgets Inc., and the two company's technologies are being
integrated. Our attacker simply phones up an XYZ engineer (name obtained via the company
directory) and says that he is from Acme Widgets and that Executive So-And-So (name obtained
from EDGAR) wanted him to call to get the latest product specifications and development timelines.
5 - 11
Stealing Confidential Information
"Though the enemy be stronger in numbers, we may prevent
him from fighting. Scheme so as to discover his plans and
the likelihood of their success." -Sun Tzu
• Espionage is a real problem
• Many foreign governments have admitted to
launching corporate espionage attacks
against US companies to give their local
companies a competitive advantage.
Information Warfare - SANS ©2001 12
A critical part of warfare, information or otherwise, lies in discovering the enemy's plans. Sun Tzu
notes that even a strong adversary can be crushed if his plans are known in advance. Online
espionage is the modern embodiment of this tactic, and it works as well today as ever.
One legal method of performing corporate intelligence gathering is to get the employees talking. A
recent news article describes how today's corporate spies rely heavily on forming online friendships
with target employees to gain information. According to one corporate intelligence professional, 85
percent of people will share sensitive information about themselves and their companies with perfect
strangers. The statistic is calculated based on the results of 78,000 recorded conversations with
people worldwide.
Further, companies have been known to hire agents to sit next to traveling executives on planes,
where they can read business information over the executive's shoulder, or engage in seemingly
innocent chit-chat. Experience has shown that executives are particularly vulnerable to questions
from brainless admirers.
http://www.al.com/news/huntsville/Apr2000/30-e27547.html
And of course the true hack-in-and-steal-something method is wildly popular. For example, the
articles linked below describe an incident where attackers stole source code from Microsoft in
October of 2000. A Microsoft spokesperson called the incident "a deplorable act of industrial
espionage".
http://news.zdnet.co.uk/story/0,,s2082221,00.html
http://news.cnet.com/news/0-1005-200-3308084.html
Interestingly, two of the main concerns in the Microsoft incident were that the attackers would
implant backdoors in the Windows source code (they had access to the data for three months), and
that the attackers would analyze the source code and discover vulnerabilities that no one else knows
about. Other concerns included the notion that a rival company might try to market the stolen
software as their own, or use the proprietary algorithmic and programming techniques to advance
their own products. These concerns illustrate a few of the dangers of proprietary information theft.
5 - 12
False Information
"All warfare is based on deception...The one who is skillful
maintains deceitful appearances, according to which the
enemy will act." -Sun Tzu
• If you know someone is watching you, why
not give them misleading information?
– False press releases
– False company information
– False server banners
Information Warfare - SANS ©2001 13
This warfare tactic has the goal of misleading the enemy. The hope is that the enemy will use the
false information to influence their actions to our advantage. For example, a company might "leak"
the fact that they are going to submit a proposal for a particular job at the price of $5 million. The
competition, upon hearing this information, decides to bid $4.5 million. When the original company
actually bids $4 million (instead of the "leaked" $5 million figure) the spying competitor finds
themselves underbid.
As another example of misinformation in the information age, consider the case of an attacker who
fabricated a false press release that led to a publicly traded company temporarily losing more than $2
million in market value. The bogus press release was submitted via email to InternetWire and picked
up and distributed by a number of major news organizations. The press release stated that the
company in question (Emulex) was under investigation by the SEC, had revised its latest earnings
reports to show a loss instead of a profit, and was losing its CEO. The result was that investors
started to dump the company's stock en masse, sending Emulex's stock plummeting as much as 62%.
The company lost as much as $2.5 billion in market value before the fraud was discovered and
Nasdaq halted its trading.
http://www.usdoj.gov/criminal/cybercrime/emulex.htm
http://www.ecommercetimes.com/perl/story/4426.html
In general, the misinformation strategy is quite interesting and complex. The complexities arise the
same as in any other lie, how to lie to some people, while telling the truth to others and keep it all
straight? An organization employing these methods can easily lose control, or become liable for
damages resulting from the false statements. The techniques can be quite effective however.
5 - 13
Honeypots
"Learn the principle of the enemy's activity or inactivity.
Force him to reveal himself ... By holding out advantages
to him, cause him to approach of his own accord."
-Sun Tzu
• Honeypots are sacrificial computers,
purposely left vulnerable.
• The computers are carefully instrumented
to record attackers' actions and gather
copies of the tools they use
Information Warfare - SANS ©2001 14
Another example of deception in information warfare is the use of honeypots. The idea of a honeypot
is twofold.
First, as highlighted in the slide, honeypots can be used to gather intelligence about an attacker's
methods and goals. By leaving a few machines purposely vulnerable but instrumented, we can allow
attackers to break in and then watch what they do. By observing what files they look for we may be
able to guess what they are after, and by watching the tools they use we gain an idea of their
capabilities and methods of operation. For example, if the attacker exploits a MS SQL server
vulnerability to gain access, we would want to be sure to patch that vulnerability on all relevant
systems across the enterprise. Further, if we notice that the attacker likes to set up a Trojan SSH
server on port 50000/tcp, we might want to scan the internal networks for port 50000 listeners.
Second, honeypots can provide a way of diverting an attacker’s attention away from critical systems
for long enough to strengthen the defense. An attacker is likely to go after the "low hanging fruit",
that is, the easily compromised hosts on an enterprise, before moving on to more difficult targets. By
letting the attacker have a few sacrificial machines, we buy some time to learn about the attacker's
capabilities and react appropriately. Of course, Sun Tzu has a quote for this aspect of the strategy
too: "Sacrifice something, that the enemy may snatch at it."
5 - 14
Denial of Service Attacks
"So in war, the way is to avoid what is strong and
strike at what is weak." -Sun Tzu
• Easy to wage
• Difficult to defend against
• Can result in lost revenue
• Can hurt public image
Information Warfare - SANS ©2001 15
Most of us remember the infamous Distributed Denial of Service (DDoS) attacks waged by a
Canadian teenager in February of 2000 resulting in an estimated total loss of $1.7 billion to several
US companies. The attacker, known as "mafiaboy," flooded the webservers of Ebay, Dell, Amazon,
and Yahoo (among others) with meaningless traffic in order to overload the target networks and
prevent the servers from responding to legitimate requests. Because each of the targeted
organizations relies heavily on its internet presence as a source of revenue, Mafiaboy's Denial of
Service attack was quite damaging.
A news article on the topic:
http://news.bbc.co.uk/hi/english/sci/tech/newsid_1541000/1541252.stm
The important thing to take away from the example is that Mafiaboy didn't need any sophisticated
technical skills to wage these attacks. In fact, the tools he used and others like them are publicly
available on many websites. These tools do not take any special skills to run.
On the other hand the sites that were attacked all employ heavy security and would be difficult to
break into. Mafiaboy employed Sun Tzu's concept of avoiding what is strong (the site's security
defenses) and striking at what is weak (fundamental behavior of IP networks). Most Denial of
Service attacks are simple to wage, but difficult to defend against. Why not take the easy route to
inflicting damage on an enemy? Part of defensive information warfare comes in identifying our own
weaknesses and strengthening our defenses accordingly.
5 - 15
Understand the Risks
"He who exercises no forethought but makes light of his
opponent is sure to be captured by them." -Sun Tzu
• Attackers have a complete arsenal of
weapons to use against a network's
defenses
• An understanding of an attacker's offensive
warfare tactics is essential
Information Warfare - SANS ©2001 16
The point of intersection between offense and defense comes in understanding the offensive in order
to better defend. In information warfare, this concept is very important. It has been estimated that
new vulnerabilities were being discovered at the rate of 200 per month by mid 2001.
http://techupdate.zdnet.com/techupdate/stories/main/0,14179,2803105,00.html
A recent CERT report provides the following figures concerning numbers of reported vulnerabilities
for the past three years:
1999: 417 vulnerabilities
2000: 1090 vulnerabilities
2001: 2437 vulnerabilities
CERT further reports that the number of incidents has doubled between 2000 and 2001. 21,756
incidents were reported in 2000, while 52,658 incidents were reported in 2001. Less than 10,000
incidents were reported in 1999.
http://www.computerworld.com/storyba/0,4125,NAV47_STO67318,00.html
http://www.cert.org/stats/cert_stats.html
Clearly it is important to keep up with information on new vulnerabilities, patches, and exploits. It is
also important to understand the fundamental techniques employed by attackers (e.g. buffer
overflows, improperly formatted packets, weak password exploitation, etc.) so that we can spot
vulnerabilities ourselves before an attacker finds them. The administrator who believes that "it
couldn't happen to them" is sure to be in for a rough ride.
5 - 16
An Introduction to Network
Attack Methods
• Denial of Service • SYN Flooding
• Distributed DoS • Smurf
• Session Hijacking • Teardrop
• IP Spoofing • Land
• TCP Sequence • Man in the Middle
Prediction • Session Replay
• IP Fragmentation
• Ping of Death
Information Warfare - SANS ©2001 17
In the following few slides, we are going to talk about various types of attacks that have occurred
over the internet in the past. But before we begin, I should point out a couple of important facts.
First, we will not be going into very technical depth about each of these attacks. Some of them can
get quite complicated, but we will stick to the high-level description as much as possible.
Second, many of these attacks have many variations that have been used over time. You may hear of
them referred to in several different ways in your continuing security education. In the interests of
time, we will restrict our discussion to the original attack, and mention any variations only as
necessary for clarification.
Finally, while each of these attacks can be used by itself, you will very often see them used in
combination, or see one attack used as the basis for another. For example, many of the attacks are
based on some form of Denial of Service.
5 - 17
Denial of Service
• Keeping the computer or network
from doing anything useful
• Attack can cause a system to crash
or consume excessive resources
• Very hard to prevent
• Attacker does not need to be
skilled to wage the attack
Information Warfare - SANS ©2001 18
Denial of Service, or DoS, is one of the most common attacks in use today. It works just like it
sounds: It is used to deny service to a system or network. Denial of Service attacks are aimed at
preventing a computer or network from performing its normal duties. This can take the form of
crashing a computer, but more often it takes the form of flooding the network or computer with
hundreds, or even millions, of information or service requests. The computer quickly gets
overwhelmed and can’t handle the load. Once this happens, service is denied to legitimate users of
the service because they can’t seem to get the server’s attention.
Denial of Service attacks are appealing to attackers for a number of reasons. First, they are
deceptively simple to do. As we shall see shortly when we talk about SYN flooding, the methods for
performing a DoS attack are not that difficult to learn or perform. Second, depending on how the
DoS is performed, all you are doing is preventing legitimate traffic from getting to the server. You do
not necessarily have to crash the machine or ruin any of the server’s resources. The attacker
mentality will say that this is no more harmful than driving slowly on the highway or taking your
time at the drive-in line at the bank. Well, tell that to Yahoo, eBay, or any one of the dozen other
large internet sites that got hit with DDoS attacks in the Spring of 2000. To them, the damage and the
losses were very real.
Classic DoS attacks occur when a single system floods your network with packets or sends
maliciously crafted packets designed to crash or hang target systems. These attacks can be stopped
by instructing your routers or firewalls not to accept packets from the attacking system. However, a
new breed of DoS attacks has recently surfaced, the Distributed Denial of Service, or DDoS.
We’ll look at Distributed Denial of Service later, after considering a few of the "single shot" crafted
packet attacks that can crash systems. A fundamental difference between the two types of Denial of
Service attacks (flooding and crafted packet) arises from the differing principles on which the attacks
are based. Crafted packet attacks take advantage of the fact that the programmer who built the
vulnerable software did not properly handle an "impossible" case -- a type of packet that should
never arise under normal network conditions. Packet flooding attacks exploit a fundamental property
of TCP/IP networks and client-server communications. How can a server distinguish legitimate
service requests from bogus ones?
5 - 18
Land Attack
• Attacker sends a single spoofed packet
• Result: Crashed old Win boxes and
Cisco routers
Src IP = Dst IP
bad.guy.org Src Port = Dst Port
www.victim.com
TCP SYN
Information Warfare - SANS ©2001 19
This attack is very simple, but when land.c was first released in a posting to Bugtraq, the tool caused
a lot of problems. The idea was to spoof the source address on a TCP packet to be the same as the
destination address. Also, a Land packet has the SYN flag set and must be received by an open port
on the target.
When a vulnerable host receives these packets, it enters an infinite loop and has to be physically
rebooted. The attack worked very well against Windows 95 machines, locking them up completely,
and also crashed Cisco routers and switches. Once the exploit was released, Cisco engineers had
work around the clock to through Thanksgiving to isolate the problem, test equipment, and work on
fixes.
A 1997 Network World news story about the problems caused by Land:
http://www.nwfusion.com/news/1997/1215meltman.html
CERT advisory 97.28:
http://www.cert.org/advisories/CA-1997-28.html
Bugtraq summary of vulnerable systems:
http://www.securityfocus.com/archive/1/8123
Original exploit posting by m3lt:
http://www.securityfocus.com/archive/1/8083
Cisco advisory:
http://www.cisco.com/warp/public/770/land-pub.shtml
5 - 19
IP Fragmentation
reassembled
IP datagrams IP fragments at destination
MTU limited
• If packets are larger than a network can handle,
they are fragmented in multiple parts
• Fragmented parts are reassembled at destination
Information Warfare - SANS ©2001 20
In the IP protocol, there are allowances for the fact that there may be many different types of
equipment, computers, and networks connected together. For instance, a computer may want to
transmit packets of 1 kilobyte (1024 bytes) in size, but the routers between the computer and the
destination may only be able to handle packets of 512 bytes in size. If this is the case, IP will
automatically split the original packet into smaller pieces that will be able to make it all the way
across the network. This process is called fragmentation. Once the fragments reach their
destination, they are reassembled to recreate the original packet. Fragmentation is good because it
ensures the accurate transmission of information in a way that is transparent to the user or
application.
However, packet fragmentation has also been used for evil purposes as a way of attacking computers
and slipping past firewalls. Since it is computationally intensive for a network intrusion detection
system or firewall to reassemble fragmented transmissions, attackers can often hide their evil deeds
by forcing all of their communications to be fragmented. Further the process of fragment reassembly
can be rather complicated (consider missing fragments, overlapping fragments, out-of-order
fragments, etc.) and naturally some bugs have crept into the fragment handling routines of various
operating systems. Attackers discovered that they could crash systems in many cases by building and
sending streams of fragments that do not reassemble correctly. Further attackers discovered they
could sometimes trick firewalls into passing traffic that should not be allowed by sending very very
small fragments that do not contain all the information the firewall needs to make its filtering
decision correctly.
Packet fragmentation may seem a bit esoteric for ordinary folks to worry about, but it is a classic
example of the technical lengths and the in-depth knowledge attackers will seek in order to work
their evil.
5 - 20