ch14.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,271 行 · 第 1/5 页

<P>There are probably several thousand IRC scripts in the void. I have not offered
any locations for these utilities because there is no good reason to provide such
information. These tools may be of some limited value if you happen to be on IRC
and come under attack, but more often, these tools are used to harass others and
deny others IRC service. It is amazing how much good programming effort goes into
utilities like these. Too bad.
<H3><FONT COLOR="#000077"><B>Additional Resources</B></FONT></H3>
<P>Following are some resources related to Internet Relay Chat (IRC). These are especially
valuable if you are new to IRC. I have provided these primarily because IRC is not
a subject often discussed in books on the Internet. IRC has been--and will likely
remain--the purview of crackers and hackers all over the world.

<UL>
	<LI><B>The IRC Survival Guide: Talk to the World With Internet Relay Chat.</B> Peachpit
	Press. Stuart Harris. ISBN 0-201-41000-1. 1995.<BR>
	<BR>
	
	<LI><B>Learn Internet Relay Chat (Learn Series).</B> Wordware Publishing. Kathryn
	Toyer. ISBN 1-55622-519-9. 1996.<BR>
	<BR>
	
	<LI><B>Person to Person on the Internet.</B> AP Professional. Keith Blanton and Diane
	Reiner. ISBN 0-12-104245-6. 1996.<BR>
	<BR>
	
	<LI><B>Interactive Internet: The Insider's Guide to Muds, Moos, and IRC.</B> Prima
	Publishing. William J. Shefski and Bill Shefski. ISBN 1-55958-748-2. 1995.<BR>
	<BR>
	
	<LI><B>Using Internet Relay Chat.</B> Que. ISBN 0-7897-0020-4. 1995.<BR>
	<BR>
	
	<LI><B>Sunsite, Europe.</B> Comprehensive collection of clients and other software.
</UL>


<DL>
	<DD><A HREF="http://sunsite.doc.ic.ac.uk/computing/comms/irc/"><TT>http://sunsite.doc.ic.ac.uk/computing/comms/irc/</TT></A>
</DL>


<UL>
	<LI><B>Interactive Synchronous: IRC World.</B> E-Lecture on IRC.
</UL>


<DL>
	<DD><A HREF="http://www-home.calumet.yorku.ca/pkelly/www/synch.htm"><TT>http://www-home.calumet.yorku.ca/pkelly/www/synch.htm</TT></A>
</DL>

<H3><FONT COLOR="#000077"><B>Denial-of-Service Tools</B></FONT></H3>
<P>I examine denial-of-service attacks in a more comprehensive manner at several
points throughout the remainder of this book. Here, I will refrain from discussing
how such attacks are implemented, but will tell you what tools are out there to do
so.
<H4><FONT COLOR="#000077"><B>Ancient Chinese &quot;Ping of Death&quot; Technique</B></FONT></H4>
<P>The title is hilarious, right? On more than one occasion, this technique for killing
a Windows NT 3.51 server has been so called. (Actually, it is more commonly called
just &quot;Ping of Death.&quot;) This is not a program, but a simple technique that
involves sending abnormally large ping packets. When the target receives (or in certain
instances, sends) these large packets, it dies. This results in a blue screen with
error messages from which the machine does not recover. Microsoft has issued a fix
for this.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Read the official advisory
	on the Ping of Death at <A HREF="http://www.microsoft.com/kb/articles/q132/4/70.htm"><TT>http://www.microsoft.com/kb/articles/q132/4/70.htm</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>Syn_Flooder</B></FONT></H4>
<P>Syn_Flooder is a small utility, distributed in C source, that when used against
a UNIX server will temporarily render that server inoperable. It utilizes a standard
technique of flooding the machine with half-open connection requests. The source
is available on the Net, but I will refrain from printing it here. This is a powerful
tool and, other than its research value, it is of no benefit to the Internet community.
Using such a tool is, by the way, a violation of federal law, punishable by a term
of imprisonment. The utility runs on any UNIX machine, but was written on the Linux
platform by a well-known hacker in California.
<H4><FONT COLOR="#000077"><B>DNSKiller</B></FONT></H4>
<P>DNSKiller is a C program written and intended for execution on the Linux platform.
It is designed to kill the DNS server of a Windows NT 4.0 box.
<H4><FONT COLOR="#000077"><TT>arnudp100.c</TT></FONT></H4>
<P><TT>arnudp100.c</TT> is a program that forges the IP address of UDP packets and
can be used to implement a denial-of-service attack on UDP ports 7, 13, 19, and 37.
To understand the attack, I recommend examining a paper titled &quot;Defining Strategies
to Protect Against UDP Diagnostic Port Denial of Service Attacks,&quot; by Cisco
Systems. Another good source for this information is CERT Advisory CA-96.01.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Cisco Systems' &quot;Defining
	Strategies to Protect Against UDP Diagnostic Port Denial of Service Attacks&quot;
	can be found online at <A HREF="http://cio.cisco.com/warp/public/707/3.html"><TT>http://cio.cisco.com/warp/public/707/3.html</TT></A>.</P>
	<P>CERT Advisory CA-96.01 can be found online at <A HREF="ftp://ftp.cert.org/pub/cert_advisories/CA-96.01.UDP_service_denial"><TT>ftp://ftp.cert.org/pub/cert_advisories/CA-96.01.UDP_service_denial</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><TT>cbcb.c</TT></FONT></H4>
<P><TT>cbcb.c</TT> is the filename for Cancelbot, written in C. This utility can
be used to target Usenet news postings of others. It generates cancel control messages
for each message fitting your criteria. Using this utility, you can make thousands
of Usenet news messages disappear. Although this is not traditionally viewed as a
denial-of-service attack, I have included it here simply because it denies the target
Usenet service, or more directly, denies him his right to self expression. (No matter
how obnoxious his opinion might seem to others.)
<H4><FONT COLOR="#000077"><TT>win95ping.c</TT></FONT></H4>
<P>The <TT>win95ping.c</TT> file is C source code and a program to reproduce and
implement a form of the Ping of Death attack from a UNIX box. It can be used to blow
a machine off the Net temporarily (using the oversized Ping packet technique). There
are two versions: one for Linux, the other for BSD 4.4 systems.</P>
<P>Other resources exist, but most of them are shell scripts written for use on the
UNIX platform. Nevertheless, I would expect that within a few months, tools programmed
in GUI for Windows and Mac will crop up. Denial-of-service (DoS) attacks are infantile
and represent only a slightly higher level of sophistication than e-mail bombing.
The only benefit that comes from DoS attacks is that they will ultimately provide
sufficient incentive for the programming community to completely eliminate the holes
that allowed such attacks in the first place. In all other respects, denial-of-service
attacks are neither interesting nor particularly clever. In any event, the following
sections list some resources for them.
<H4><FONT COLOR="#000077"><B>ANS Communications</B></FONT></H4>
<P>Products by ANS Communications are designed to thwart DoS attacks. ANS Communications
can be found online at

<UL>
	<LI><A HREF="http://www.ans.net/InterLock/"><TT>http://www.ans.net/InterLock/</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Berkeley Software Design, Inc.</B></FONT></H4>
<P>Berkeley Software Design, Inc. released source code that will defeat a DoS attack.
It can be found online at

<UL>
	<LI><A HREF="http://www.bsdi.com/press/19961002.html"><TT>http://www.bsdi.com/press/19961002.html</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>MCI Security</B></FONT></H4>
<P>MCI Security offers links relating to denial-of-service attacks, and can be found
online at

<UL>
	<LI><A HREF="http://www.security.mci.net/dosalert.html"><TT>http://www.security.mci.net/dosalert.html</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Digital</B></FONT></H4>
<P>Digital offers information on preventing DoS on the DEC platform, and can be found
online at

<UL>
	<LI><A HREF="http://www.europe.digital.com/info/internet/document/ias/avoidtcpsynattack.html"><TT>http://www.europe.digital.com/info/internet/document/ias/avoidtcpsynattack.html</TT></A>
</UL>

<H4><FONT COLOR="#000077"><B>Cisco Systems</B></FONT></H4>
<P>Cisco Systems offers solutions at the router level, and can be found online at

<UL>
	<LI><A HREF="http://www.cisco.com/"><TT>http://www.cisco.com/</TT></A>
</UL>

<H3><FONT COLOR="#000077"><B>Viruses</B></FONT></H3>
<P>Viruses are serious matters. For such small entities, they can wreak havoc on
a computer system. (Some viruses are as small as 380 bytes.) They are especially
dangerous when released into networked environments (the Internet being one such
environment).</P>
<P>Viruses have gained so much attention in the computing community that nearly everyone
knows that viruses exist. However, some users confuse viruses with other malicious
files. Therefore, I thought it might be nice to quickly define the term <I>computer
virus</I>. Once again, if you are already well aware of these basic facts, skip ahead
a few paragraphs.</P>
<P>A computer virus is a program, sometimes (but not necessarily) destructive, that
is designed to travel from machine to machine, &quot;infecting&quot; each one along
the way. This <I>infection</I> usually involves the virus attaching itself to other
files.</P>
<P>This is markedly different from a trojan horse. A trojan horse is a static entity:
malicious code nested within an otherwise harmless program. Trojans cannot travel
from machine to machine unless the file that contains the trojan also travels with
it. A trojan is commonly a string of computer code that has been surreptitiously
placed within a trusted application. That code performs an unauthorized and hidden
function, one that the user would almost certainly find objectionable. (For example,
mailing out the password files to an attacker in the void, or perhaps opening a back
door for him. A <I>back door</I> is some hidden method through which an attacker
can later return to the affected machine and gain control over it.)</P>
<P>Viruses, in contrast, <I>replicate</I>. Most often, this phenomenon manifests
itself by the virus attaching itself to a certain class of file. For example, it
is very common for viruses to attach themselves to executable files. (On the DOS/Windows
platform, viruses frequently target EXE and COM files.) Once the virus is attached
to a file in this manner, the victim file itself becomes a security risk. That file,
when transported to another computer system, can infect still other files that may
never come in contact with the original virus program.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>Note that data file viruses now exist.
	At least, macro viruses should (and usually are) classified under this heading. These
	viruses infect data files, namely documents. These are almost nonexistent, save in
	the Microsoft Word and Excel environments. 
<HR>


</BLOCKQUOTE>

<P>Try to think of a virus as a living creature for a moment. Its purpose is to infect
computer systems, so it stays awake at all times, listening for activity on the system.
When that activity fits a certain criterion (for example, an executable file executing),
the virus jumps into action, attaching itself to the active program.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>TIP:</B></FONT><B> </B>One way to tell whether a file is
	infected is to check its current size against the size it was when you installed
	it. (I wouldn't recommend using this as a method of identifying infected files, but
	if you find such a file using a virus checker, note the size. When you match it against
	the original size of the file, you will see that the file is now larger.) By subtracting
	the size of the virus from the file's size, you will be left with the approximate
	original size of the file (before it was infected). 
<HR>


</BLOCKQUOTE>

<P>If you have ever encountered a virus, you might have noticed that they are incredibly
small (that is, for a program that can do so much). There is a good reason for this.
Most viruses are written in a language called <I>assembly language</I>. Assembly
language is classified in the computing community as a <I>low-level</I> language,
meaning that it produces very small programs.</P>
<P>To understand what I mean by &quot;low-level,&quot; consider this: Computers have
become quite user friendly. Today, advanced technologies allow a user to almost &quot;talk&quot;
to a machine and get suitable answers. (Consider, for example, the new Answer wizards
in Microsoft products. You can basically type out a question in plain English. The
internal program routines parse your question and search the database, and out comes
the answer.) This is quite a parlor trick, and gives the illusion that the machine
is conversing with you.</P>
<P>In reality, computers speak a language all their own. It is called <I>machine
language</I>, and it consists of numbers and code that are unreadable by a human
being. The classification of a &quot;low&quot; or &quot;high&quot; language depends
solely on how close (or how far) that language is from machine language. A high-
or medium-level language is one that involves the use of plain English and math,
expressed much in the same manner as you might present it to a human being. BASIC,
Pascal, and the C programming language all fit into the medium-level class of language: