
Lifting the covers

Analyzing selected network attacks

Michael Pichler (mpichler@at.ibm.com), Technical Project Manager, IBM
Michael Pichler is currently working as Technical Project Manager for Global Application Management and Service Delivery at IBM in Vienna, Austria, providing skills transfer, development guidance, and architecture advice. Before joining IBM in 1998 he worked on early Web projects and banking applications. Since joining IBM he has worked on a number of software development projects -- both global and national -- in roles ranging from development to operations on platforms like OS/390, AIX, and PC. You can contact Michael at mpichler@at.ibm.com.

Summary:  With hacker attacks in the news frequently these days, we all know that computer security needs to be taken seriously. While many publications exist about software that can be used to secure computer environments, very few publications exist that explain how hacker attacks are actually performed. If you are responsible for securing your company's computer environment, it's important you understand how attacks work. In this article, Michael Pichler analyzes some interesting network attacks and explains how they work. You'll see how inventive attackers can be, and you'll learn how some features included in your own software can actually be turned against you. This article is aimed at those who have some understanding of networking, but don't necessarily work in the networking field on a daily basis.

Date:  01 Jun 2002
Level:  Introductory


Hacker basics

The variety of attacks to choose from for this article was great, as you can imagine. The reason I chose the particular attacks discussed in this article is because they do not require too much knowledge about the protocols involved, but still illustrate effectively how attacks are performed, how "simple" an attack actually is once you know the details, and the limited amount of resources -- computing and networking -- an attacker needs. While it would be impossible to cover the whole subject of hacking in this article, I've tried to simplify the underlying principles as much as possible while still providing as much information as necessary for you to understand the attacks described.


Categories of attacks

Later in this article you'll find details about selected attacks and how they are executed. Before I get started, though, you'll need to understand some of the terminology used in the field. Typically, attacks are categorized by their characteristics. Two of these characteristics are described below:

  • Scanning: Scanning, or footprinting, is part of the initial information-gathering process for a hacker. Before hackers can attack a system, they need to gather information about the system, such as the network layout, type of operating systems, services available on those systems, users on those systems, and so on. Based on the information gathered, hackers can deduce possible vulnerabilities and choose the best method of attack for the selected target system.

  • Denial of service attacks: Often, attackers target particular systems, breaking into them so they can be used for specific purposes. Frequently, the host security of those systems will prevent attackers from gaining control over a host. But with denial of service attacks, attackers don't need to gain access to a system. The goal is simply to overload a system or network so that it cannot provide its service anymore. Denial of service attacks can have different goals, including bandwidth consumption and resource starvation.

Protocols

This article covers attacks on the Internet Control Message Protocol (ICMP) and Transmission Control Protocol (TCP), which belong to the Internet Protocol (IP) suite. Before going into detail on those protocols, I would like to put them into their proper context. Figure 1 shows a simplified view of the Internet Protocol stack, with Ethernet assumed as the underlying physical network technology.


Figure 1. Internet Protocol stack

Network protocols are typically layered, as depicted in Figure 1. This makes sense, as the bottom protocols provide very basic services such as transmission of signals over network cables, while the higher level protocols provide more sophisticated application layer services, such as Telnet. Each layer employs the services of the layer underneath, which enables a top layer protocol to transmit messages over the physical network. Let's briefly look at the protocols shown in Figure 1.

  • The two bottom layers, the physical and data-link layers (Ethernet in Figure 1), take care of the actual signal transfer over the network cable and of framing on the local network. This service is used by the next higher level protocol: the Internet Protocol (IP).

  • Internet Protocol (IP) provides a host-to-host packet -- or datagram -- delivery service. IP provides the most basic form of datagram delivery across the boundaries of the underlying physical networks. The IP layer, in turn, provides services used by the Internet Control Message Protocol (ICMP) and Transmission Control Protocol (TCP).

  • Internet Control Message Protocol (ICMP) is an integral part of IP, but its messages are carried inside IP datagrams, so it uses some of IP's services. ICMP provides a service that enables hosts and gateways to communicate control information, mostly error reports, to each other. ICMP is used by IP as well as by higher level protocols, such as Transmission Control Protocol (TCP), which react to the errors it reports.

  • Transmission Control Protocol (TCP) is the third important protocol in this article. TCP goes one step further than IP and provides two important features: connections and reliability. This means you can open a virtual channel between two hosts in which the data sent is delivered without loss or duplication and in the order it was sent.

  • On the next higher level are application layer protocols, such as Telnet and SMTP. Both use the services offered by TCP. For instance, when you connect to a host with Telnet, you open a connection and you expect all the data typed into this Telnet session to get sent to the receiving host -- in the right order.

Understanding IP

While I won't cover any IP-level attacks in this article, I do want to discuss IP in a little more detail as it is the underlying protocol of ICMP and TCP.

IP provides a service for transmitting blocks of data between two network nodes set up as IP nodes, called source and destination. The source and destination nodes are identified by IP addresses. To enable communication between two nodes in an IP network, those IP addresses have to be unique among the whole network. An IP address is -- in IP version 4 -- a 32-bit number, typically represented in dotted-decimal notation (such as 10.0.0.1).

Because it provides a connectionless, unreliable, best-effort datagram delivery service, IP is somewhat limited in scope. However, it serves two basic functions: addressing and fragmentation. The addresses, carried as source and destination in the IP datagram's header, are used to forward the datagram toward its destination, a process called routing. Basically, this creates two scenarios:

  • The receiving host is on the same subnet as the sending host, in which case the datagram will be sent directly from the sender to the receiver.

  • The receiving host is on a different subnet, in which case the sending host will forward the datagram to a gateway -- an IP host that connects two subnets -- which will then try to deliver the datagram to the destination host if the destination host is in one of the subnets connected to the gateway. If it's not, the gateway will forward the datagram to another gateway. This process is repeated until the datagram can be delivered to its destination host.

If the datagram to be transmitted is larger than the maximum packet size of the underlying physical layer, the IP module on the sender (or on a gateway along the path) splits the datagram up into smaller packets -- called fragments -- before sending; the destination host reassembles them. Note that the source address in the IP header is filled in by the sender and is never verified by IP itself, a point the attacks below depend on.

Now that I have covered the basics, I can discuss the individual protocols. In the following sections you will find more detailed information about ICMP and TCP as well as some interesting attacks using these protocols.


Using ICMP

Like IP itself, ICMP is an unreliable, best-effort host-to-host datagram service in a system of interconnected networks, offering no guarantee of delivery. ICMP messages are carried inside IP datagrams, as if ICMP were a higher level protocol. However, ICMP is an integral part of IP -- which basically means that ICMP packets use the IP header for transmission -- and must be implemented by every IP module. Typically, ICMP is used to report errors in datagram processing back to the host that sent the datagram. Some functions of ICMP include:

  • Destination Unreachable Message: If, according to the gateway's routing tables, the destination address specified in the datagram to be forwarded is not reachable, it will return a Destination Unreachable Message ICMP message to the source host, informing it that the packet delivery was not successful.

  • Time Exceeded Message: Every IP datagram contains a field in its header -- called a "time to live field" -- which indicates how much longer the datagram is to remain on the Internet before it is discarded. The time the datagram remains on the Internet is measured in hops, where one hop represents one gateway on the datagram's path to the destination node. When a datagram is forwarded by a gateway, it decreases the value in the time to live field by one. If the gateway processing a datagram determines that the time to live field in the datagram's IP header is 0, it discards the datagram and notifies the sending host with a Time Exceeded Message.

  • Echo Request and Echo Reply Messages: If Host A wants to find out if Host B is active, Host A sends an ICMP Echo Request Message to Host B. Host B replies with an ICMP Echo Reply Message to indicate that it is active. This exchange is commonly known as ping, and the messages as ping packets.

These are not the only message types employed by ICMP, but they should give you an idea what ICMP is used for. Next I'll show you two ICMP attacks.

Destination unreachable attack

Category: Denial of service Attack

Description: As described above, the ICMP Destination Unreachable Message gives a gateway that is trying to forward a datagram a tool to inform the sender that the datagram could not be delivered because the host specified in its destination address could not be reached. Like every ICMP error message, it quotes the IP header and the first eight bytes of the datagram that failed, so that the sender can tell which datagram -- and which connection -- the error refers to.

You can probably guess what a "destination unreachable attack" will be like. Let's assume that Gateway G connects two networks: Network 10.1.0.0 and Network 10.2.0.0. Suppose Host A, whose address is 10.1.23.3 (therefore belonging to Network 10.1.0.0), wants to send a datagram to Host B, whose address is 10.2.156.34 (therefore belonging to Network 10.2.0.0). Along its way, the datagram will get sent to Gateway G, which will in turn forward it to its destination host.

If an intruder has gained access to a host in Network 10.1.0.0, he can forge Destination Unreachable Messages that appear to come from Gateway G and send them to the other hosts in his network, each one claiming that the datagram it quotes could not be delivered to Network 10.2.0.0. A host that accepts such a message gives up on the quoted datagram or connection. Repeated for every host and every new attempt, this makes Gateway G and Network 10.2.0.0 effectively unavailable from Network 10.1.0.0, even though nothing is wrong with either.

The motivation behind this attack is simply to put a network or service temporarily out of business. It is particularly dangerous because the attacker does not need a powerful machine or a powerful network connection to perform it. Two details decide whether it works against a given host. First, a correctly implemented host acts only on ICMP errors whose quoted header matches traffic it actually sent, so the attacker has to see that traffic (easy on a shared segment, where he can sniff it) or guess it. Second, RFC 1122 tells TCP to treat network and host unreachable (codes 0 and 1) as soft errors that must not abort a connection; only protocol, port and fragmentation-needed unreachable (codes 2 to 4) are hard errors that abort it, so the forger has to pick his code accordingly, and older or sloppier stacks that aborted on any unreachable were far easier targets.

Smurf attack

Category: Denial of service Attack

Description: The Smurf attack is a very frightening form of Denial of service attack due to its amplification effects. The Smurf attack utilizes the ICMP echo messages. As described above, each time an Echo Request Message is sent by Host A to Host B, Host B will return an Echo Reply Message indicating it is active. The name "Smurf attack" derives from the name of one of the exploit programs -- called smurf -- attackers use to execute this attack.

Before I go into detail on this attack I should explain the term spoofing. Spoofing is the network security term for forging. It means that an attacker can construct network datagrams that contain false data. For example, the attacker could send a datagram from Host A to Host B, but write the IP address of Host C into the source address field of the datagram header. Host B then thinks the packet came from Host C instead of Host A. In essence, Host A has impersonated Host C, and Host B cannot tell from the packet alone. Because IP does not authenticate source addresses, any reply Host B sends goes to Host C, which is exactly what the Smurf attack exploits.

Knowing this, imagine that an attacker constructs an ICMP Echo Request whose source address is the spoofed address of the intended victim, Host A, say 192.168.2.2, and sends it not to a particular host but to the broadcast address of some network that will act as the amplifier, for example 192.168.2.255 for Network 192.168.2.0. Every host on that network that answers broadcast pings returns an Echo Reply to the supposed sender, Host A. If the amplifier is a single class C network, that is up to 254 replies for one forged request; the author's figure of 255 subnets of 255 hosts each (255 * 255 = 65,025 replies per request) assumes a broadcast that reaches every subnet of a class B network. In practice each forged request reaches one subnet's broadcast address, so attackers collect lists of many amplifier networks rather than relying on one huge one. The victim need not be on the amplifier network at all: in the classic Smurf the attacker sends the forged request from outside to the amplifier's directed broadcast address, and the replies converge on the victim's link wherever it is. By increasing the number of spoofed packets or the number of amplifier networks, you can see that this becomes a very serious form of attack.

The motivation of a Smurf attack is the same as before. It is easy to see that an attacker could put even an industrial-strength Web server out of business due to the amplification effects of the attack. Again, the attacker requires very few resources. The attack also has an effective fix at every point it touches: routers should not forward directed broadcasts (RFC 2644 made this the default; on Cisco IOS the per-interface command is no ip directed-broadcast), hosts should not answer Echo Requests addressed to a broadcast address (on Linux, net.ipv4.icmp_echo_ignore_broadcasts = 1), and the attacker's upstream network should drop packets whose source address it could not legitimately have originated (ingress filtering, RFC 2827).
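The following is an added example, not code from the article, showing the two ICMP attacks above at the byte level: how a forged Echo Request with the victim's address and a broadcast destination is built, how a forged Destination Unreachable message quoting a victim's datagram is built, and the two checks a receiver or a network sensor can make against them. Nothing is sent; the datagrams are constructed and parsed offline. The address 10.1.0.1 for Gateway G, the scanner and amplifier addresses, and the payload bytes are constructed for the example.

```python
import socket
import struct

IP_PROTO_ICMP = 1
IP_PROTO_TCP = 6
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words, as used by IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = IP_PROTO_ICMP, ttl: int = 64) -> bytes:
    """20-byte IPv4 header without options. The source address is an ordinary field
    the sender fills in; writing someone else's address there is all IP spoofing is."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(dgram: bytes) -> dict:
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", dgram[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto, "ttl": ttl,
            "header_ok": internet_checksum(dgram[:ihl]) == 0, "payload": dgram[ihl:total_len]}


def build_icmp(icmp_type: int, code: int, rest: bytes, body: bytes) -> bytes:
    """ICMP header: type, code, checksum, 4 bytes of type-specific data (rest), then body."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + body
    return msg[:2] + struct.pack("!H", internet_checksum(msg)) + msg[4:]


def parse_icmp(msg: bytes) -> dict:
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    return {"type": icmp_type, "code": code, "checksum_ok": internet_checksum(msg) == 0, "body": msg[8:]}


def smurf_echo_request(victim: str, directed_broadcast: str) -> bytes:
    """Echo Request with the victim as forged source and an amplifier network's broadcast
    address as destination; every host that answers replies to the victim."""
    echo = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"constructed")
    return build_ipv4(victim, directed_broadcast, echo)


def forged_unreachable(fake_gateway: str, target: str, quoted: bytes, code: int = 1) -> bytes:
    """Destination Unreachable claiming to come from the gateway. RFC 792 requires the body
    to quote the IP header plus 8 bytes of the datagram that failed, so the forger needs
    those 28 bytes (seen on the wire, or guessed) for each victim datagram."""
    icmp = build_icmp(ICMP_DEST_UNREACH, code, b"\x00" * 4, quoted[:28])
    return build_ipv4(fake_gateway, target, icmp)


def is_broadcast_echo(dgram: bytes, broadcast_addrs) -> bool:
    """Smurf indicator at a router or sensor: an Echo Request addressed to a broadcast address."""
    ip = parse_ipv4(dgram)
    if ip["proto"] != IP_PROTO_ICMP:
        return False
    return parse_icmp(ip["payload"])["type"] == ICMP_ECHO_REQUEST and ip["dst"] in broadcast_addrs


def unreachable_matches_sent(dgram: bytes, sent: list) -> bool:
    """Receiver-side check (RFC 1122): act on an unreachable message only if its quoted
    header matches a datagram this host actually sent."""
    ip = parse_ipv4(dgram)
    if ip["proto"] != IP_PROTO_ICMP:
        return False
    icmp = parse_icmp(ip["payload"])
    if icmp["type"] != ICMP_DEST_UNREACH or not icmp["checksum_ok"]:
        return False
    return any(s[:28] == icmp["body"][:28] for s in sent)


def demo() -> dict:
    """Constructed traffic for the two attacks. 10.1.0.1 is an assumed address for Gateway G."""
    # Host A (10.1.23.3) has sent one TCP datagram towards Host B (10.2.156.34) via Gateway G.
    sent_by_a = [build_ipv4("10.1.23.3", "10.2.156.34", b"\x00\x17\x00\x50" + b"\x00" * 4, proto=IP_PROTO_TCP)]
    blind = forged_unreachable("10.1.0.1", "10.1.23.3", b"\x00" * 28)     # attacker guesses the quoted bytes
    sniffed = forged_unreachable("10.1.0.1", "10.1.23.3", sent_by_a[0])   # attacker sniffed the real datagram
    smurf = smurf_echo_request("192.168.2.2", "192.168.2.255")
    smurf_ip = parse_ipv4(smurf)
    return {
        "smurf_source": smurf_ip["src"],
        "smurf_flagged": is_broadcast_echo(smurf, {"192.168.2.255"}),
        "smurf_checksums_ok": smurf_ip["header_ok"] and parse_icmp(smurf_ip["payload"])["checksum_ok"],
        "blind_forgery_accepted": unreachable_matches_sent(blind, sent_by_a),
        "sniffed_forgery_accepted": unreachable_matches_sent(sniffed, sent_by_a),
    }
```

The demo shows the practical difference between the two forgeries: the blind one is rejected by a host that checks the quoted header against what it sent, the sniffed one passes that check, and the Smurf request is recognisable on the wire by its broadcast destination alone, which is why the router-side filter is the cheap fix.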


Transmission Control Protocol (TCP)

TCP provides a connection-oriented, reliable stream delivery service over packet-switched computer networks. This means the TCP modules at both ends guarantee delivery without loss, duplication or transmission errors, and deliver the data in the order it was sent. TCP further provides the port abstraction, which lets a host keep many TCP connections open in parallel. A TCP connection is therefore identified by the quadruple of source address, source port, destination address and destination port; the pair IP address/port is called a socket.

TCP interfaces to the IP layer underneath and to the application layer protocols (such as Telnet or SMTP) above, as was described earlier in Figure 1.

Before continuing, I'll discuss some aspects of TCP in more detail, which is necessary to understand the attacks discussed below. In particular this will be the layout of TCP packets (called segments), how TCP connections are set up between hosts, and how they are shut down.

Layout of TCP packets

Like the IP datagram, the TCP segment consists of a header portion, an optional (options) section, and the data portion. Let's take a closer look now at some of the important fields of the TCP header:

  • Source port: The port number assigned to the virtual connection on the connection-initiating host.

  • Destination port: The destination port number. This will also be assigned by the connection-initiating host, because this is the only one that knows where it "wants" to connect. For example, if you open a Telnet connection to a particular host, the destination port will be set to 23.

  • Sequence number and acknowledgment number: Two sequence numbers are used by the sender and the receiver to ensure that no packets get lost, that there is no duplication, and that the packets can be reassembled in the right order at the destination node.

  • Flags: This field contains six control bits:
    • URG: Indicates that the urgent pointer field is significant, so the receiver should process the data up to that point ahead of the normal stream.
    • ACK: Indicates that the acknowledgment number field is significant.
    • PSH: Push. The data in this segment should be handed to the receiving application promptly rather than buffered.
    • RST: Indicates that the connection is to be reset immediately. A RST is also the reply to a segment that belongs to no connection, such as a SYN sent to a port nobody listens on.
    • SYN: Synchronize sequence numbers. Set in the first segment each side sends when a connection is opened.
    • FIN: Indicates that there will be no more data from the sender (that is, the sender is shutting down its half of the connection).

These are important fields in the TCP header, and the following section on TCP connection setup and shutdown will give you an even better understanding of what they are used for.

Setting up and shutting down TCP connections

Connection setup: The setup of a TCP connection is performed by a three-step handshake between a client that wants to establish the connection and the server that is contacted by the client. To start with, you need a server offering a service on a specific port; for example, the Telnet service listening on port 23. When a client wants to open a connection to a server, it sends a connection request to this server. This means a TCP packet with the SYN flag set is sent to the server. The server answers with a packet where both the SYN and ACK flags are set. Finally, the client confirms this by sending a TCP packet back to the server with the ACK flag set. After this, the connection between client and server is established.

Connection shutdown: Once all the data have been sent, one of the communication partners will want to shut down the connection. Let's assume the client wants to terminate the connection. It does this by sending a TCP packet with the FIN flag set to the server. The server acknowledges this by returning a packet with the ACK flag set. From this point on the client sends no more data to the server; it only acknowledges data the server still sends, with empty segments. When the server has finished, it sends its own packet with the FIN flag set, the client acknowledges it, and the connection is closed.
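As an added example, not code from the article, the following packs and parses the TCP header fields described above and produces the segments of the three-way handshake, of a client-initiated shutdown, and of the two possible replies to a SYN (a listening port answers SYN/ACK, a closed port answers RST/ACK). Ports, sequence numbers and payload are constructed; the checksum field is left at zero because it is computed over an IP pseudo-header that this block omits.

```python
import struct

# Control bits occupy the low six bits of the data-offset/flags word, in header order.
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
FLAG_NAMES = ((URG, "URG"), (ACK, "ACK"), (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN"))


def pack_tcp(sport: int, dport: int, seq: int, ack: int, flags: int, window: int = 65535,
             payload: bytes = b"") -> bytes:
    """20-byte header, no options (data offset = 5 words). Checksum left zero: it covers
    an IP pseudo-header with the addresses, which this example deliberately omits."""
    return struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                       (5 << 12) | flags, window, 0, 0) + payload


def unpack_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", segment[:20])
    offset = (off_flags >> 12) * 4
    flags = off_flags & 0x3F
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "flag_names": [name for bit, name in FLAG_NAMES if flags & bit],
            "window": window, "payload": segment[offset:]}


def handshake(cport: int, sport: int, cisn: int, sisn: int) -> list:
    """Connection setup: SYN, SYN/ACK, ACK. A SYN consumes one sequence number,
    so each side acknowledges the other's ISN + 1."""
    return [pack_tcp(cport, sport, cisn, 0, SYN),
            pack_tcp(sport, cport, sisn, cisn + 1, SYN | ACK),
            pack_tcp(cport, sport, cisn + 1, sisn + 1, ACK)]


def shutdown(cport: int, sport: int, cseq: int, sseq: int) -> list:
    """Client-initiated close: client FIN, server ACK, then the server's own FIN and
    the client's final ACK. A FIN also consumes one sequence number."""
    return [pack_tcp(cport, sport, cseq, sseq, FIN | ACK),
            pack_tcp(sport, cport, sseq, cseq + 1, ACK),
            pack_tcp(sport, cport, sseq, cseq + 1, FIN | ACK),
            pack_tcp(cport, sport, cseq + 1, sseq + 1, ACK)]


def respond_to_syn(syn: bytes, port_open: bool, server_isn: int) -> bytes:
    """What the probed host sends back to a SYN: SYN/ACK if something listens on the
    port, otherwise RST/ACK with SEQ=0 and ACK=SEG.SEQ+1 (RFC 793, CLOSED state)."""
    s = unpack_tcp(syn)
    if port_open:
        return pack_tcp(s["dport"], s["sport"], server_isn, s["seq"] + 1, SYN | ACK)
    return pack_tcp(s["dport"], s["sport"], 0, s["seq"] + 1, RST | ACK)


def classify_probe_reply(reply: bytes) -> str:
    """Scanner-side reading of the reply to a SYN probe (the basis of SYN scanning)."""
    flags = unpack_tcp(reply)["flags"]
    if flags & SYN and flags & ACK:
        return "open"
    if flags & RST:
        return "closed"
    return "unknown"
```

Walking through handshake(40000, 23, 1000, 5000) with unpack_tcp shows the acknowledgment numbers 1001 and 5001 that the text describes; feeding the first segment to respond_to_syn with port_open=False shows the RST/ACK that a scanner interprets as "closed".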

Now that the preliminaries are out of the way, I'll show you two examples of TCP attacks.

TCP SYN scanning

Category: Port scan

Description: TCP SYN scanning is a variant of port scanning. Port scanning is used to check whether ports on a given host are open. Gathering this type of information is part of footprinting, discussed earlier in Categories of attacks, and is used to get extra information on a host. Knowing which ports are open on a host is an important first step for an attacker to deduce possible vulnerabilities to the target host.

The simplest form of a TCP port scan is to open a connection to all ports on a host. If opening a connection to a given port succeeds, an attacker knows that the service is available. However, the attacker generally wants to perform a port scan without letting the scanned host know it is being scanned, since operating systems and/or tools might log this type of activity and therefore identify a port scan. In this section, I'll discuss a form of port scanning used by attackers that may not be detected so easily by the target host.

TCP SYN Scanning is also known as half open scanning. As the name suggests, the attacker opens the connection only halfway. To accomplish this, the attacker sends a TCP packet with the SYN flag set to the target host, just like when opening a regular TCP connection. In response, the scanned host returns a packet with the SYN and ACK flags set if the port is open. If the port is not open, the scanned host sends a packet with the RST and ACK flags set.

Once the scanned host returns a SYN/ACK packet, the connection goes into a pending (half-open) state on the server side, indicating that the connection is in the process of being established, but is not fully established yet. Instead of completing the handshake, the attacker answers the SYN/ACK with a packet with the RST flag set, which makes the scanned host discard the half-open connection again.

The idea is still to find out which ports are open on a specific target host, but because the handshake is never completed, the server's application never sees the connection (its accept call never returns), so application-level logging -- the service's own logs, or wrappers around it -- records nothing. The scan is only stealthy at that level: the kernel and any packet-level intrusion detection system still see the SYN, SYN/ACK, RST pattern, and a burst of such exchanges from one source against many ports is a classic scan signature that a poor-quality tool may miss but a decent one will not.

SYN flooding

Category: Denial of service attack

Description: Before the Smurf attack came into vogue, the SYN flood attack was the most devastating Denial of service attack. As discussed above, when Host A wants to establish a TCP connection to destination Host D, it sends a TCP segment with the SYN flag set first. When receiving this segment, Host D acknowledges it by returning a packet with the SYN and ACK flags set. But Host D also puts the pending -- partly opened -- connection into a pending-connection queue. The connection is kept in a pending state while awaiting acknowledgment from the originator of the connection, Host A.

Host D waits for the acknowledgment to arrive for a certain time-out period, typically anywhere from 75 seconds to as long as 25 minutes on broken IP implementations. Since the pending-connection queue has only a limited size -- maybe a dozen or so connections -- it will eventually get full. You can see that the attacker only has to send a few SYN packets every ten seconds or so, from source addresses that will never answer, to disable a specific port. This attack method is a very serious form of Denial of service attack, since the attacked system can never clear the backlog queue before new SYN packets arrive, and therefore cannot respond to any legitimate request. The defence is to stop keeping per-SYN state before the handshake completes: with SYN cookies the server's initial sequence number is a keyed hash of the connection's addresses, ports and a coarse timestamp, so the server can verify the client's final ACK without having stored anything (on Linux this is net.ipv4.tcp_syncookies). Larger backlogs and shorter timeouts help too, but only raise the rate an attacker needs.

The motivation in this case is clear as well. The attacker wants to bring a certain service -- for example a Web server -- down. Again, you can see that this attack can be performed with frighteningly few resources on the part of the attacker.
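The following is an added example, not code from the article, covering both TCP attacks above: it simulates a listening port's pending-connection queue with the dozen-entry backlog and 75-second timeout the text describes, runs a half-open (SYN scan) probe against it to show that nothing ever reaches the application, runs a SYN flood from forged sources to show a genuine client being refused, and then enables SYN cookies to show the same client succeeding with no queue at all. Time is an explicit simulated clock, no packets are sent, and the addresses, ports, sequence numbers and secret are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, int]  # (client address, client port) identifies a pending connection here


@dataclass
class Listener:
    """A listening port's pending-connection queue, driven by an explicit simulated clock."""
    backlog_size: int = 12        # "a dozen or so" half-open entries, as in the text
    timeout: float = 75.0         # seconds a half-open entry survives without the final ACK
    syn_cookies: bool = False     # mitigation: keep no state until the handshake completes
    secret: bytes = b"constructed-secret"
    pending: Dict[Key, Tuple[int, float]] = field(default_factory=dict)   # key -> (ISN, expiry)
    accepted: List[Key] = field(default_factory=list)                     # what accept() hands up
    dropped_syns: int = 0

    def _expire(self, now: float) -> None:
        self.pending = {k: v for k, v in self.pending.items() if v[1] > now}

    def _cookie(self, src: str, sport: int, client_isn: int, slot: int) -> int:
        """Stateless ISN: keyed hash of the peer, its ISN and a 64-second time slot."""
        msg = f"{src}:{sport}:{client_isn}:{slot}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, src: str, sport: int, client_isn: int, now: float) -> Optional[int]:
        """Returns the ISN placed in the SYN/ACK, or None if the SYN had to be dropped."""
        self._expire(now)
        if self.syn_cookies:
            return self._cookie(src, sport, client_isn, int(now) // 64)
        if len(self.pending) >= self.backlog_size:
            self.dropped_syns += 1
            return None
        isn = secrets.randbits(32)
        self.pending[(src, sport)] = (isn, now + self.timeout)
        return isn

    def on_ack(self, src: str, sport: int, seq: int, ack: int, now: float) -> bool:
        """Third segment of the handshake. True if the connection reaches the application."""
        self._expire(now)
        expected_isn = (ack - 1) & 0xFFFFFFFF
        if self.syn_cookies:
            slot = int(now) // 64
            client_isn = (seq - 1) & 0xFFFFFFFF       # the client's SYN carried seq = ISN
            ok = any(self._cookie(src, sport, client_isn, s) == expected_isn for s in (slot, slot - 1))
        else:
            entry = self.pending.pop((src, sport), None)
            ok = entry is not None and entry[0] == expected_isn
        if ok:
            self.accepted.append((src, sport))
        return ok

    def on_rst(self, src: str, sport: int) -> None:
        """A RST in answer to our SYN/ACK discards the half-open entry."""
        self.pending.pop((src, sport), None)


def syn_scan_probe(listener: Listener, scanner: str = "10.1.99.9", now: float = 0.0) -> dict:
    """Half-open probe: SYN, (SYN/ACK), RST. The port is identified as open, the entry
    is gone, and accept() never returned, so application-level logs show nothing."""
    isn = listener.on_syn(scanner, 40000, 1000, now)
    listener.on_rst(scanner, 40000)
    return {"port_open": isn is not None, "pending": len(listener.pending),
            "seen_by_application": len(listener.accepted)}


def syn_flood(listener: Listener, n: int = 50, legit_delay: float = 10.0, now: float = 0.0) -> bool:
    """n SYNs from forged sources that will never answer, then a genuine client (Host A)
    tries to connect legit_delay seconds after the flood began."""
    for i in range(n):
        listener.on_syn(f"203.0.113.{i % 250 + 1}", 50000 + i, i, now + i * 0.1)
    t = now + legit_delay
    isn = listener.on_syn("10.1.23.3", 41000, 7, t)
    if isn is None:
        return False
    return listener.on_ack("10.1.23.3", 41000, 8, isn + 1, t + 0.05)
```

With the defaults, syn_flood(Listener()) returns False because the twelve slots are still held by forged peers ten seconds in; syn_flood(Listener(), legit_delay=80.0) returns True once the 75-second timeout has cleared them, which is why an attacker only needs to top the queue up faster than it drains; and syn_flood(Listener(syn_cookies=True)) returns True with the pending table permanently empty, because the server can check the final ACK from the cookie alone.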


Summary

Diving into the world of computer security is scary and fascinating at the same time: Scary because you slowly begin to understand what attackers can do with very simple means; something you do not notice as a security novice. Fascinating, because you see how much room for improvement there is and therefore how much new work there is the more you learn about it.

