PACKET ATTACKS - VERSION 1.1


Let me start by saying the internet is full of wonderful tools and papers like this one. Alot of these things can help you
increase your knowledge, perhaps your job or more. But just as easily as you can learn from them, people read into them to
much and decide to harm other peoples work for no apparent reason. Let it be known that is in no way the purpose of this
paper. A true hacker is one who strives to attain the answers for themselves through curiosity. Its the path we take to
those answers that makes us hackers, not destruction of other peoples work. So with that said, please enjoy my work, as I
have enjoyed writing it.

The flow of data has always captured my interest. Just how does it work, how can we dissect it and use it to our advantage.
Well I have spent a long time studying all of this, and that is why I wrote this paper. It's a collection of run on s
entences on different packet attacks and how they work. Now we all know you can learn all you ever wanted to know about the
specifications of a protocol by reading its 30 page RFC document. But that is the protocol according to design, in the wild
its a different story all together. 'Packet Attacks' covers everything from basic DOS attacks to TCP/IP hijacking. Hence the
name "Packet Attacks". This paper also focuses not just on attacks but practical ways to prevent such attacks and ideas on
new methods to help us stop them and secure our networks.


Introduction:
TCP/IP Packet Switching Networks
OSI MODEL


---Chapter 1.---
Section a.
 Introduction to DDOS/DOS & Packet Attacks
Section b.
 How attacks are crafted

---Chapter 2.---
Section a. (attacks)
   ICMP
   Smurf
   SYN/ACK
   UDP
   DNS
   ARP
   DrDOS
   Special Bot / Trojans
   Worm DOS    
   Unicode ping flood  (new!)
Section b.
   Phasing
Section c. (hacks)
   TCP hijacking
   Sniffing
   Scans
   Information gathering / Footprinting
Section d.
   Defense against these attacks
   Attack Detection
   Intrusion Detection
Section e.
   IPSEC
   NAT as a means of security

---Chapter 3.---
 Section a.
   The future of TCP/IP as a means of using IPv6
 
---Chapter 4. ---
 Section a.
   New security application / protocol

-----
Introduction.

Well I assume most of you reading this paper already have a good understanding of TCP/IP and how it works so I wont get to
much into detail on that, but I will scrape the surface on the parts we NEED to discuss. The internet is a MASSIVE web of
machines all connected to one another through a series of hardware devices known as routers, switches, hubs, bridges and
lots more. All of these devices (although some are smarter then others) push along packets. Our operating systems and
applications craft these packets in order to send data to one another over the wire. Each packet, although varying in size,
carries a small bit of data to and from one host to another. Each packet must also carry its own personal information such
as where it came from and where its headed. Of course there is a lot more to a packet then just this information. But as far
as attacks go this is the crucial information we need to look at. Now there are many many different types of protocols that
craft many different types of packets. And they are all read differently when they are received at the other end. Where as
an ARP packet may tell a host who has this MAC address on this subnet, a TCP packet might transfer the last few bits in that
MP3 your downloading. Regardless the data, all of these packets use the same wire to move to and from locations. I couldn't
possibly discuss every protocol and packet structure in this one paper. The average end user takes for granted all of this
running in the background while they surf the net. Most people dont understand the complexity of this internet we are all so
familiar with, the chat rooms etc. But there are people who do, and there are people who take advantage of that. Reverse
engineering has led to the creation of attacks using the basic fundamentals these protocols rely on. And since TCP/IP is so
embedded in our infrastructure we must adapt and learn to defend each new attack.

OSI MODEL

Open Systems Interconnection model, is a seven layered networking design. Its an industry standard that defines exactly how
data is transffered between protocol to protocol. Not every protocol follows the OSI model exactly and some do. TCP the
internets main mode of data transport does not follow it exactly. Let me take you through a brief over view of the OSI model.

Layer Seven : Application Layer
This layer is obviously application specific, it provides everything from authentication to email to ftp and telnet, the
list goes on. Its specifically for end user processes, what we input into our applications we can see on our screens.

Layer Six : Presentation Layer
This layer changes and possibly encrypts the data so that the application layer can understand it. (you will understand what
this means in a few minutes)

Layer Five : Session Layer
Think of this layer as Establishment, Control and Termination of the sessions formed by the
application(client) to a remote host(server).

Layer Four : Transport Layer
This layer is responsible for the invisible transfer of data between host to host. It is there to ensure all data transfer
goes accordingly. The protocols used are, UDP and TCP.

Layer Three : Network Layer
This layer is for error correction, packet sequencing, and for transmitting data from node to node. Addressing is also
another function of this layer in inter-networking.

Layer Two : Data Link Layer
This layer decodes and encodes packets into bits so they are ready for the physical layer. It also handles error correction
in the physical layer. This layer is also divided into two different sub-layers. The LLC (logical link control) and MAC
(media access control) sub layers. The LLC sub layer provides control for frame synchronization and error checking. The MAC
sub layer controls how a computer on your network has access to data.

Layer One : Physical Layer
This layer is the actual movement of the data. Using electrical impulse or some other form of data movement is pushes the
bit stream towards the other host. This layer is the hardware level, the ethernet card, the wire etc. There are many
protocols within this layer.

You may ask yourself why I listed these from 7 to 1. Well I did to show you how the OSI model really works. Layer Seven
really comes first, the end user types something into his instant messenger (for example) and the data flows down through
the OSI model being encapsulated and changed at every level it has to be changed or corrected at. The data travels the wire
and at the other end it moves back up the OSI model all the way back up to layer seven where the other host can read it in
the original form it was sent. So theres a VERY basic understanding of the OSI model and how it works to transmit data from
host to host. There is alot more protocols and parts to the OSI model but this basic representation should provide a firm
understanding.

To understand all of this more in depth please get your hands on a few RFC (request for comment) documents and start reading.
Because it will take you a very long time to understand exactly how TCP/IP works.  If your very knowledgeable in the way
TCP/IP works then this paper should make alot of sense to you, perhaps even bore you! :(  On the other hand if you dont
understand TCP/IP as well as you would like to, you still might get something out of this. I try and explain all of the
technical writing as easily as I can. Feel free to email me if you have a question or comment. Thanks :)
Data_Clast

---------------------------------------------------------------------------------------
Chapter 1.

Section a.

 The most common attack on the internet today is a denial of service attack. There are many programs on the internet today
that will assist anyone in crafting one of these attacks. The sad part is for as easy as they are to make their power can be
destructive when used properly. No matter what kind of packet attack it may be most are based on the same principal, volume.
Thousand and thousands of spoofed packets will eat up network resources within minutes, choking and essentially 'killing'
any network. There are many types of packet attacks. Some are more sophisticated then others. I will also talk about TCP/IP
hijacking and your typical port and vulnerability scans among other things.

 Why do people launch these attacks? How are they launched? How do they exactly (technically speaking) 'choke a network'?!
Hold tight im getting to that. The lower end of these attacks are usually launched by what the hacker community calls a
script kiddie. You see a hacker isnt a mindless web defacing juvenile (please see the mentors manifesto). A hacker is a
person of true intellect and would never craft such an attack for no reason. But these lower end attacks are usually
launched at peoples individual machines. Their IP address's may come from an IRC chat room, yahoo messenger, AOL, ICQ, or
whatever other messenger you might use. Although not as sophisticated, these 'lower end' attacks can still knock an
individual machine offline in minutes. The slightly more advanced attacks may be aimed at a business competitor in order to
slow their sales or disrupt their outgoing internet connection. Whatever the reason may be they are usually launched for a
reason. Attacking a box for no reason is typically useless and will only take up your own bandwidth.

The more sophisticated attacks are aimed at government and root points of the internet. Such as the attacks on the root DNS
servers in October of 2002. These attacks were sophisticated in the way they were crafted. The attacks lasted for over an
hour and successfully took out a few of the servers. If the attack had lasted just a few more minutes who knows the damage
it could have caused. The possibility of the authorities solving these attacks and apprehending the offenders is slim to
none because they are created and launched by skilled malicious individuals. They were also distributed denial of service
attacks. Which means the 'zombie' machines that attacked the servers were spread out all over the world. We will touch more
on that later though.

Section b.

 You will learn more about how these individual attacks are crafted and how they work later in this paper but this is
small introduction so you can get a vague idea. Creating spoofed packets requires an open socket. This socket binds to an
IP and a port and allows you to inject a packet onto the wire or accept any incoming packets to that IP and port. *NIX
openly supports open socket programming (many tutorials on this type of programming). Which means you can code programs that
create packets and then inject them into the network with ease. An example of this would be a program called "SENDIP" which
allows you to create custom packets, and it supports many protocols (another good program is nemesis). I have written a few