Some methods of attacking a UNIX system

Below are some methods to attack a UNIX system:

1. Local DOS attack. DoS - denial of service.

It can be achieved by:

- depletion of memory, processor resources or HDD space.

In case of depletion of resources (a fork bomb ()) - the system becomes unusable until reset.

- depletion of HDD space: as a result the system will not be able to function normally, all attempts to write something in logs will fail.

This system will not even be able to boot after a reset, until it has some free space on the hard disk.

These problems can be easily prevented - by setting limits on processor success, memory resources, maximum number of processes, maximum number of files open at a time.

Depletion of HDD space can be prevented from the installation of the operating system, by allocating "critical" directories

(/ var / log, / tmp, / var, / home) separate partitions.

This way if the free space on a partition is exhausted, the system will continue to work (until a certain point of course).

It also has the advantage that we can mount different partitions with different options (/ home does not have to contain files with the suid bit set, as well as / tmp does not have to contain executables).

2. Remote DoS attack:

The goal - to shut down the system for a period of time.

This type of attack can be classified into 2 categories:

a) Attack by executing a large number of requests to the service provided by a system daemon.

b) Attack on vulnerable services.

The first type of attack does not require a lot of knowledge in the field, but a good connection to the network to which it is connected and the victim of the attack (such as the Internet).

The basic principle of this type of attack is the poor design (in terms of security) of the TCP / IP protocol.

As it is known, when a client-server connection occurs, the server listens on a certain port, to which the client sends a connection request
- a packet containing in the header the set SYN bit (the ACK bit is missing), and in the packets next - the ACK bit (SYN missing) is set.
Next, normally, the server will respond to the client's first packet with a packet with the ACK bit set (sign that it has received the client's first packet), and a SYN synchronization request.

When the client receives this response from the server, the connection is considered established.
Until then, the connection is considered to be half open.

In the type of attack I am trying to describe now, this stage of initiating a connection is used.
A lot of packets with the set SYN bit are created on the attacker's machine, which are sent to the server.
As a result, the attacked server (assuming it is a web server) will be occupied for a while only by processing these connections.
Next, it all depends on the settings of the victim car, as well as other conditions. If the sent packets had as source the address of an existing car in the network, the victim will not suffer much, because still at the 3rd stage it will close the connection, because the car in whose name the packets were sent knows nothing about them.

Another problem arises if the packets were sent on behalf of another machine, which does not exist on the network.
The server will have to wait some time until it closes the connection, waiting for a response from a non-existent machine, so its resources will be occupied for a longer time.

In this case - we have 2 possibilities for evolution -

1. In case the administrator of the victim machine has set restrictions on the number of "pending" connections, nothing serious will happen, only the victim machine will not be able to process the requests of some users who want to legally access its resources (and this can be up to after all the purpose of the attacker!).

2. The resources will be consumed, until exhaustion, the following requests will be processed more and more slowly, in the end it may end up that all the resources of the system will be thrown in the processing of the attacker's requests.

In the end, the attacked car will suffer a crash, or will be unavailable for a long time in the network, until it will process all the sent requests.

The second type of remote DoS attacks - they occur due to programming errors, in other words the existing bugs in the software running on
the attacked machine.

Here we have:

- OS level bugs

- program / service bugs

In the case of program bugs - most often the errors that lead to "buffer overflow" are exploited - overloading the buffer granted to a program.

For example, there is some program - which waits for user input, and sends it to a file.
The programmer who created it allocated only 65536 bits for the input buffer.
Next - it is enough for the attacker to send an input of more than 65536 bits to the program, as a result a "buffer overflow" occurs.
Most often the attacker uses this to start a shell - shell on the attacked machine.
The privileges with which the given shell will run are those of the program vulnerable to that "buffer overflow".

OS-level bugs are more complicated:
The attacker's goal is to prevent the kernel, or a kernel module, from processing a critical situation as a result - a phenomenon called "kernel panic" (operating system kernel panic * nix) .
Consequences - immediate reboot, unavailability of the system in the network, etc.

How to fight this - in the case of the first type of attack - SYN flood we can use the mechanisms implemented in the operating system
(tcp-syncookies mechanism implemented in Linux - compiling the kernel with support for tcp_syncookies and
echo "1"> / proc / sys / net / ipv4 / tcp_syncookies when starting the system), increasing the queue of half-open connections (in the SYN RECEIVED state), as well as decreasing the period of keeping the connections in this state.

Another thing - the limitation of resources allocated to a server program. Even the limitation with a large number, but the limitation anyway.

Finding the coordinates of the attacker in most cases will be impossible (of course he will use false ip addresses).

The number of the second type of attack can be reduced by regularly updating the software used, as well as reading / regularly following
the discussion lists, forums with the theme of security, to be aware of all the vulnerabilities discovered, and to be one step
ahead of potential attackers.

3. Local root attack.

These attacks are much more dangerous, because the end result is obtaining super-user rights, which can do anything on a
Unix system (by default, we do not consider using patches like grsecurity, rsbac, openwall), including deleting important files. , compromising confidential information, carrying out other attacks on this car.

This type of attack is the most commonly used (and the simplest method of obtaining supr-user rights on a Linux system). Usually the attacker acquires local rights on the system by exploiting bugs in system daemons, and then lifts his privileges).

With local access, a person can more easily find a vulnerable program.
Next - old scheme - "buffer overflow", if the program has the suid bit set (take a look at / usr / bin, / bin, you will find a lot there).
Some programs run under the root user, they need access to different places in the system according to their specifics.
Such a program is a "gift" to a cracker.

4. Remote root attack.

The algorithm is similar to that of DoS attacks directed at a vulnerable program, but now the attacker must act on a program that runs with uid 0, or has the sticky bit set.
Thus the attacker obtains a root shell from a distance, which is very dangerous.

And remember, the system tends to become more vulnerable over time, with the discovery of new vulnerabilities, or with the creation of security deficiencies by incompetent admins or users.