Types of remote attacks
There are many special techniques which allow attackers to compromise remote systems. These are divided into several categories:
DoS, or Denial of Service, is an attempt to make a computer or network unavailable for its intended users. DoS attacks obstruct communications between affected users, preventing them from continuing in a functional way. One common method of attack involves saturating the target machine with external communications requests, so that the target machine cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. Such attacks usually lead to a server overload. Computers exposed to DoS attacks usually need to be restarted in order to work properly.
The targets of DoS attacks are web servers and the aim is to make them unavailable to users for a certain period of time.
Using DNS (Domain Name Server) poisoning, hackers can trick the DNS server of any computer into believing that fake data is legitimate and authentic. The fake information is cached for a certain period of time, allowing attackers to rewrite DNS replies of IP addresses. As a result, users trying to access DNS poisoned websites will download computer viruses or worms instead of the website's original content.
Port scanning is used to determine which computer ports are open on a network host. A port scanner is software designed to find such ports.
A computer port is a virtual point which handles incoming and outgoing data – this is crucial from a security point of view. In a large network, the information gathered by port scanners may help to identify potential vulnerabilities. Such use is legitimate.
Still, port scanning is often used by hackers attempting to compromise security. Their first step is to send packets to each port. Depending on the response type, it is possible to determine which ports are in use. The scanning itself causes no damage, but be aware that this activity can reveal potential vulnerabilities and allow attackers to take control of remote computers.
Network administrators are advised to block all unused ports and protect those that are in use from unauthorized access.
TCP desynchronization is a technique used in TCP Hijacking attacks. It is triggered by a process in which the sequential number in incoming packets differs from the expected sequential number. Packets with an unexpected sequential number are dismissed (or saved in buffer storage if they are present in the current communication window).
In desynchronization, both communication endpoints dismiss received packets, at which point remote attackers are able to infiltrate and supply packets with a correct sequential number. The attackers can even manipulate or modify communication.
TCP Hijacking attacks aim to interrupt server-client, or peer-to-peer communications. Many attacks can be avoided by using authentication for each TCP segment. It is also advised to use the recommended configurations for your network devices.
SMBRelay and SMBRelay2 are special programs that are capable of carrying out attacks against remote computers. The programs take advantage of the Server Message Block file sharing protocol which is layered into NetBIOS. A user sharing any folder or directory within the LAN most likely uses this file sharing protocol. Within local network communication, password hashes are exchanged.
SMBRelay receives a connection on UDP port 139 and 445, relays the packets exchanged by the client and server, and modifies them. After connecting and authenticating, the client is disconnected. SMBRelay creates a new virtual IP address. The new address can be accessed using the command “net use \\192.168.1.1“. The address can then be used by any of the Windows networking functions. SMBRelay relays SMB protocol communication except for negotiation and authentication. Remote attackers can use the IP address as long as the client computer is connected.
SMBRelay2 works on the same principle as SMBRelay, except it uses NetBIOS names rather than IP addresses. Both can carry out “man-in-the-middle” attacks. These attacks allow remote attackers to read, insert and modify messages exchanged between two communication endpoints without being noticed. Computers exposed to such attacks often stop responding or restart unexpectedly. To avoid attacks we recommend that you use authentication passwords or keys.
ICMP (Internet Control Message Protocol) is a popular and widely-used Internet protocol. It is used primarily by networked computers to send various error messages.
Remote attackers attempt to exploit the weaknesses of ICMP protocol. ICMP protocol is designed for one-way communication requiring no authentication. This enables remote attackers to trigger DoS (Denial of Service) attacks, or attacks which give unauthorized individuals access to incoming and outgoing packets.
Typical examples of an ICMP attack are ping flood, ICMP_ECHO flood and smurf attacks. Computers exposed to an ICMP attack will experience significantly slower performance in applications that use the Internet and have problems connecting to the Internet.