Softpanorama


Network Security


Local cretinism is the historical curse of the security

This class will focus on network security. Topics will include the design and structure of secure Ethernet-based networks as well as using tools like snort for discovering properties of traffic flows and creating policies to control them.

For the most part, our focus on network security will not include issues of host OS security; e.g, we are not so much interested in host-centric security mechanisms like file or multi-user process access control. Instead we focus on network-side security management including both passive measures like firewall defense schemes (packet filters, proxy/bastion hosts, and hybrids therein) and newer network security protocols like IPSEC, secure shell (SSH), and SSL. We may include email security, and/or Kerberos if we have time.

We will also look at certain common open source tools.

The key approach to network security is the so-called "policy-based" approach. That is why firewalls became such a successful and popular tool: they simply enforce a defined network access policy.

Dr. Nikolai Bezroukov


Old News ;-)

[Jul 22, 2009] SECURITY: Nmap 5.00 Released

Jul 22, 2009 | Insecure.org

"Insecure.Org is pleased to announce the immediate, free availability of the Nmap Security Scanner version 5.00 from http://nmap.org/ . This is the first stable release since 4.76 (last September), and the first major release since the 4.50 release in 2007. Dozens of development releases led up to this."

Policy-Based Networks (October 1999) by Jean-Christophe Martin

Discusses the network policy concept in greater depth and shows how it is implemented in the Solaris[tm] Bandwidth Manager software.

oreilly.com -- Online Catalog Network Security Assessment

Foreword

Preface

1. Network Security Assessment
The Business Benefits
IP: The Foundation of the Internet
Classifying Internet-Based Attackers
Assessment Service Definitions
Network Security Assessment Methodology
The Cyclic Assessment Approach

2. The Tools Required
The Operating Systems
Free Network Scanning Tools
Commercial Network Scanning Tools
Protocol-Dependent Assessment Tools

3. Internet Host and Network Enumeration
Web Search Engines
NIC Querying
DNS Querying
Enumeration Technique Recap
Enumeration Countermeasures

4. IP Network Scanning
ICMP Probing
TCP Port Scanning
UDP Port Scanning
IDS Evasion and Filter Circumvention
Low-Level IP Assessment
Network Scanning Recap
Network Scanning Countermeasures

5. Assessing Remote Information Services
Remote Information Services
systat and netstat
DNS
finger
auth
SNMP
LDAP
rwho
RPC rusers
Remote Information Services Countermeasures

6. Assessing Web Services
Web Services
Identifying the Web Service
Identifying Subsystems and Components
Investigating Web Service Vulnerabilities
Accessing Poorly Protected Information
Assessing CGI Scripts and Custom ASP Pages
Web Services Countermeasures

7. Assessing Remote Maintenance Services
Remote Maintenance Services
SSH
Telnet
R-Services
X Windows
Microsoft Remote Desktop Protocol
VNC
Citrix
Remote Maintenance Services Countermeasures

8. Assessing FTP and Database Services
FTP
FTP Banner Grabbing and Enumeration
FTP Brute-Force Password Guessing
FTP Bounce Attacks
Circumventing Stateful Filters Using FTP
FTP Process Manipulation Attacks
FTP Services Countermeasures
Database Services
Microsoft SQL Server
Oracle
MySQL
Database Services Countermeasures

9. Assessing Windows Networking Services
Microsoft Windows Networking Services
Microsoft RPC Services
The NetBIOS Name Service
The NetBIOS Datagram Service
The NetBIOS Session Service
The CIFS Service
Unix Samba Vulnerabilities
Windows Networking Services Countermeasures

10. Assessing Email Services
Email Service Protocols
SMTP
POP-2 and POP-3
IMAP
Email Services Countermeasures

11. Assessing IP VPN Services
IPsec VPNs
Attacking IPsec VPNs
Check Point VPN Security Issues
Microsoft PPTP
VPN Services Countermeasures

12. Assessing Unix RPC Services
Enumerating Unix RPC Services
RPC Service Vulnerabilities
Unix RPC Services Countermeasures

13. Application-Level Risks
The Fundamental Hacking Concept
The Reasons Why Software Is Vulnerable
Network Service Vulnerabilities and Attacks
Classic Buffer-Overflow Vulnerabilities
Heap Overflows
Integer Overflows
Format String Bugs
Memory Manipulation Attacks Recap
Mitigating Process Manipulation Risks
Recommended Secure Development Reading

14. Example Assessment Methodology
Network Scanning
Accessible Network Service Identification
Investigation of Known Vulnerabilities
Network Service Testing
Methodology Flow Diagram
Recommendations
Closing Comments

A. TCP, UDP Ports, and ICMP Message Types
TCP Ports
UDP Ports
ICMP Message Types

B. Sources of Vulnerability Information
Security Mailing Lists
Vulnerability Databases and Lists
Underground Web Sites
Security Events and Conferences

***** NSA documents [Dec 30, 2001]

Updated 27-Dec-01 Router Security Configuration Guide, Executive Summary (65KB)
Updated 27-Dec-01 Router Security Configuration Guide (2,390KB)

http://www.theregister.co.uk/content/55/23900.html Title: Crackers exploit Cisco LAN switch flaw. Catalyst LAN switches of the 4000, 5000 and 6000 series, and also the 2948G and 2900 models, running CatOS may be susceptible to denial of service (DoS) attacks by use of a buffer overflow vulnerability in Telnet. Cisco is offering free software upgrades to the switches affected by the vulnerability.

[Jan 25, 2002] Architecting Secure Network Topologies -- Your application may not be as safe as you think it is. Learn how to secure your network from the bottom up by getting the details on such topics as VLANs, VPNs, and the DMZ.

Defining Strategies to Protect Against UDP Diagnostic Port ...

Cisco Router Software Glitch Opens Security Hole (July 03, 2000)


Recommended Links

Softpanorama hot topic of the month

Softpanorama Recommended

Top articles

Sites

Download the Supporting Documents -- National Security Agency

Cisco Enterprise Network Security

Denial of Service CS155 Spring Quarter

DDoS attacks

Network Attack and Defense

Computer Crimes Examples of Network Security Attacks

Denial-of-service attack - Wikipedia, the free encyclopedia

Exam Cram Insider, Issue 67 Specializing in Cisco Security

Specializing in Cisco Security

It's every company's nightmare: Someone has broken in and stolen your most sensitive data, leaving behind a foul mess of destroyed files and damaged customer relationships. Or even worse, they've left no traces, and you don't even know it's happened until your best customer walks, or a competitor creates a product that looks amazingly like yours.

That doesn't happen only in the movies. Scenarios like these can and will happen unless your network is protected. And that protection will come from the security experts within your company's IT department. With more and more business transacted via the Internet, and the computerization of just about any kind of business you can think of, even small shops need a security expert. If you're working with Cisco technology, you should consider becoming a Cisco Security Specialist.

The Cisco Security Specialist designation, one of the new Cisco Qualified Specialist tracks, focuses on the burgeoning network security market. A Cisco Security Specialist can design, install, and support Cisco security solutions within his/her network configuration. This credential tests your knowledge and proves your skills in three primary areas of network security: firewalls, intrusion detection systems, and virtual private networks.

When you've decided to go ahead and get your Security Specialist certification, what happens next? First of all, the program requires that you be a Cisco Certified Network Associate (CCNA). Once you've gotten that out of the way, you can move on to the meat of the security program.

Cisco Security Specialists have to pass four exams:

  • Exam 640-442: Managing Cisco Network Security (MCNS)
  • Exam 9E0-571: Cisco Secure PIX Firewall Advanced (CSPFA)
  • Exam 9E0-558: Cisco Secure Intrusion Detection System OR Exam 9E0-572: Intrusion Detection System with Policy Manager
  • Exam 9E0-570: Cisco Secure VPN (CSVPN)

These exams, while mostly made up of multiple choice questions or questions with drag-and-drop answers, require candidates to demonstrate on-the-job problem solving skills. Practical knowledge of the subject matter is a must. They usually last 1-2 hours and range in cost from US$125 to US$300.

Each exam has a corresponding recommended training course, offered by Cisco. These include: Managing Cisco Network Security; Cisco Secure PIX Firewall Advanced (make sure you take the prerequisite course, Cisco Secure PIX Firewall Fundamentals); Cisco Secure Intrusion Detection System Version 1.0 (if you plan to take exam 9E0-558) or Cisco Secure Intrusion Detection System Version 2.1 (if you're taking exam 9E0-572); and Cisco Secure VPN.

Details on each course, and each exam, can be found here. Just follow the links from there for all you need to know about training courses and the exams.

Because security technology is evolving rapidly, the Cisco Security Specialist certification is only valid for two years. You can recertify by taking and passing the current version of the appropriate security exams. So make sure the bad guys don't do you, or your company, any harm--earn your Cisco Security Specialist designation today.


Router Security


Encrypted Tunnels Are Answer for Remote Management -IW May 17, 1999

Q: What is the most secure way to manage routers and servers when the management traffic must travel across the Internet?

A: The two common protocols used for managing equipment on a LAN are telnet and SNMP. Both of these protocols are insecure, because if traffic is intercepted by a sniffer, someone could collect passwords that could then be used to take over management control of the remote equipment. This is essentially what happens to Web servers that are "hacked." In my opinion, remote management should always be done through an encrypted tunnel of some sort. This ensures that passwords and other management information are never sniffable by hackers. Most Internet connections will travel across two shared-media LANs, one at either end. These might be Ethernet, FDDI, or token ring LANs, but in each case the traffic is vulnerable to sniffing because the shared-media technology makes the traffic available to all machines connected to it. Even switched Ethernet is not wholly secure from sniffing.

The Internet backbones themselves are not generally vulnerable to casual sniffing, but exchange-point traffic is vulnerable. In fact, a recently released document pointed out that the National Security Agency (NSA) was intercepting traffic at several major exchange points. Many Internet exchanges use a shared medium, commonly FDDI, in order to allow arbitrary interconnections between network peers. Anyone connected to the FDDI rings at these exchange points can potentially sniff other traffic crossing the exchange.

However, when you use encryption technology with a strong enough key, then you need not worry about sniffing. Unix-based servers can use the Secure IP (IPSEC) standard or the popular SSH technology to set up an encrypted telnet session that doubles as an encrypted tunnel through which FTP and SNMP can be done securely. The data is encrypted before it is placed on your local network connection and is not decrypted until it has arrived at the other end of the encrypted tunnel. Sniffers might be able to capture it, but they won't be able to decrypt it without expensive equipment and lots of time. If you change passwords every month, the information will be useless by the time someone could possibly decrypt your sessions.

With NT servers, you will need a black-box-encrypted virtual private network (VPN). Be careful with Point to Point Tunneling Protocol (PPTP), since the cryptography community believes its encryption technology is fundamentally flawed and not fixable. In any case, you are better off buying black-box equipment that supports IPSEC, because it will allow you to interconnect Unix servers that run IPSEC when your operation scales to the point that it requires Unix servers.

Once the VPN is in place and the encryption is turned on, you can safely use insecure protocols like SNMP and remote control products like VNC and PC Anywhere. In fact, VNC may be used to manage remote NT and Unix servers from any client you choose, including the Palm Pilot.

From Server to Firewall Multiple Layers of Intranet Security -IW April 5, 1999

Q: Is a firewall the only security we need for our intranet?

A: Security requirements vary from one organization to the next, and among an organization's different kinds of content. For most intranets, more than a firewall is needed.

Security is not just about access. It also protects information from accidental or willful alteration or destruction. Most security experts say a security breach is more likely to come from a company's own staff than from outside. These may be disgruntled employees, or those who are after the thrill of breaking the code. Either way, this implies the highest risk is inside the firewall.

In the physical world we have layers of security: A bank has vaults, locks, guards, and alarms, and each covers the weaknesses of the others. Intranets have a similar layered approach. At the center is server security, and content is only as secure as the server on which it is stored.

Most commercial servers include a base level of operating-system and file-system security. Some servers require additional software to control access to server resources and files. These measures are like locks: Only those with keys can gain access.

The next level is software that monitors the OS logs, looking for suspicious activity. When a potential intrusion is detected, the software generates an alert. The response may be automatic, or the systems administrator may have to generate the appropriate response. The history recorded in the server logs can be used to assess damage and plan restorative action.

Alarm systems can be added to network routers to detect or block potential threats. These take the form of filters that scan the IP packets looking for suspicious patterns.

At the network's entrance is the firewall. Firewalls have controls requiring the proper keys, and often have filters that scan incoming packets. They may have a proxy server that hides the real IP addresses of users requesting resources outside the firewall.

Finally, software, run outside the firewall, tries all known security tricks of hackers, thus scanning for vulnerability points. The security implementation also should be supplemented with regular process audits by an independent security expert.

Not every server or network segment needs the same security. One of the architectural considerations of an intranet should be the provision of areas where content requiring a high level of security can be placed.

Intrusion Detection Joins Net Security Arsenal -IW March 22, 1999

Passive and active techniques work together to help systems administrators stay on top of intrusion perils

By Frederick M. Avolio and David M. Piscitello

When mainframes were the mainstay of computing, we encased them in glass houses. Locked doors and security badges were sufficient to secure our computing resources. But computing is now pervasive, and threats to computing resources have multiplied almost beyond comprehension. In a world where the network is more relevant than any single computer, locked doors simply don't do the job.

The security challenge posed by today's computing paradigm is daunting: Business-critical and highly sensitive information, residing on servers with known and exploitable vulnerabilities, is supposed to be accessible from virtually anywhere. We deploy antivirus systems to protect our computers and networks, and firewalls to block unauthorized access from the public Internet, and we hope that our staff are smarter than the attackers.

But while an organization's network vulnerability grows with each increase in the number of access points and network services required, most organizations can't find competent security staff nearly as quickly. New and automated mechanisms are needed to deal with burgeoning network vulnerabilities.

Intrusion detection systems (IDSs) are one such mechanism. The name may conjure images of an omniscient intelligence doing the work of ten or a hundred network and systems managers that tirelessly monitor computers and networks for malicious behaviors and sound an alarm at the first hint of a problem, while holding the hacker at bay or tracking him down across the Internet. But reality falls somewhat short of this.

Today's IDSs are neither as sophisticated nor as infallible as we'd wish: they're not psychic, so they can't discern bad intent or motive. They are, nonetheless, useful and effective additions to security defenses, and they are being used by small and large enterprises today. According to industry estimates, the market for intrusion detection products grew from $40 million in 1997 (Yankee Group) to $100 million in 1998 (Aberdeen Group).

TO SCAN OR MONITOR?
There are two types of IDS systems: scanners and monitors, both of which can be deployed on networks or on individual computers. Scanners are static analysis tools that we might call vulnerability checkers: They look for known problems, things like bad passwords, missing security patches, and weak configurations (such as a desktop machine that allows anyone to mount and read its C: drive). Scanners can also check to see whether important files have been removed or modified, and can warn of vandalism or systems administration errors. Monitors, in contrast, are dynamic analysis tools that watch for attacks in progress.

Scanners are used periodically, checking important servers, firewall machines, or any computer on a network. Network scanners check network services offered by individual computers on a network. Some also check for changes in security state, access controls, and passwords.

System scanners take a cryptographic snapshot of a system, so they can later tell if important files (system configuration files, system programs, even Web pages) have been modified. Some are set up simply to sound an alarm; others can also replace changed files with "good" cached copies.

Tripwire Security Systems' Tripwire, BindView Development's HackerShield, and WebTrends' Security Analyzer are among the growing number of vulnerability checkers available today, with support for different Unix systems as well as Windows NT. Among those that do network vulnerability checking is Axent's NetRecon.

Vulnerability checkers "can help reduce the huge amount of security audit trails and logs into useful information, allowing administrators to fine-tune systems," said Pete Cafarchio, program manager of the Intrusion Detection Systems Consortium at the International Computer Security Association (ICSA). "They help spot system configuration errors that have security implications, and are used to monitor the integrity of other key security servers, like firewalls. It's very common for us to hear of people who discover some major security holes that they never knew existed within the first 30 minutes after installing an IDS."

Bill Tillery of National Bank of Alaska uses BindView's NOSadmin clients for both Windows NT and Novell. "With this tool," he said, "we're able to automate manual tasks that are otherwise quite time-intensive. We now have more information to work with, and it's more accurate."

Dynamic analysis systems are also known as "threat monitors." They examine events as they are happening. There are two types of threat monitors: Anomaly detectors ask "What is unusual here?" and misuse detectors ask "What is bad here?" Examples of anomaly detection outside the computer world can be found in the credit card industry. If you've never charged thousands of dollars in one purchase on a charge card, try charging $2,500 in one store, then charge $5,000 elsewhere an hour later. It's likely the credit card verification system will advise the store to ask you for identification.

An anomaly detector is told, or actively "learns," what normal behavior is (for an individual, a system, or a network) and takes action when some event falls outside of some normal range. They let us know when something is fishy. People can be trained to do anomaly detection very well. It's very difficult to do by computer.

Much research has been done in the area of anomaly detection, but only very simple anomaly detection systems are in use today. Disk usage growth or shrinkage outside of a certain rate per minute can be tagged as an anomaly.

Individual user activities outside of normal use hours or connections to the network that are not from the user's usual machines are easily flagged as anomalous behavior. Sophisticated systems (where, for example, an individual's typing patterns or network use patterns are learned) are not here yet.

The other kind of dynamic analysis is misuse detection, which searches for codifiable patterns of behavior. There are two types of misuse detection systems. For the first type, we make a list of things that should not happen, and then the IDS watches for these events. "What should not happen" is based directly on the network security policy. For example, if the security policy says only HTTP, FTP, and SMTP are permitted from the Internet through the firewall, a misuse system watches for other types of packets from the firewall. This is difficult for an attacker to fool.

The second type of misuse detection system is also called an attack signature recognition system. Misuse or attack signatures are first codified, then a data source (a network telemetry system or an operating system audit log) is monitored for patterns of attack. A user-level process that starts up and acquires system or "root" privileges without executing the "su" (set user) command is an example of a simple misuse signature on a Unix system. NetProwler (Axent) and Anzen Flight Jacket for NFR (Anzen Computing), among others, handle this job at the network level, while CyberCop Server (Network Associates) and Axent's Intruder Alert are two of the products that monitor activity on servers at an enterprise level.
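The two kinds of threat monitor the article contrasts, policy-derived misuse detection ("what should not happen") and the simple anomaly detection it describes (off-hours activity, logins from unusual machines), as one added example that is not the authors' code or any named product's. The firewall log format, the internal prefix, the user profiles and the login records are all constructed for the example; the allow list encodes exactly the policy the article uses, HTTP, FTP and SMTP inbound from the Internet.

```python
"""Policy-based misuse detection plus a simple anomaly check (added example).

Constructed assumptions: internal hosts live in 10.0.0.0/24; firewall log
lines are "<time> <src_ip> <dst_ip> <proto> <dst_port>"; a user's profile
is the set of hosts they normally log in from and a working-hours window.
"""

# --- Misuse detection: the "should not happen" list comes straight from policy.
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 21), ("tcp", 25)}   # HTTP, FTP, SMTP
INTERNAL_PREFIX = "10.0.0."                                  # constructed internal net

FIREWALL_LOG = """\
09:01:02 203.0.113.5 10.0.0.10 tcp 80
09:01:07 203.0.113.9 10.0.0.20 tcp 25
09:02:15 198.51.100.7 10.0.0.10 tcp 23
09:02:40 203.0.113.5 10.0.0.30 udp 161
09:03:03 10.0.0.10 203.0.113.5 tcp 443
"""


def parse_log(text):
    """Turn the constructed log text into flow dicts, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        t, src, dst, proto, port = parts
        flows.append({"time": t, "src": src, "dst": dst,
                      "proto": proto.lower(), "port": int(port)})
    return flows


def policy_violations(flows):
    """Inbound flows (Internet -> internal) whose service is not on the allow list."""
    hits = []
    for f in flows:
        inbound = f["dst"].startswith(INTERNAL_PREFIX) and not f["src"].startswith(INTERNAL_PREFIX)
        if inbound and (f["proto"], f["port"]) not in ALLOWED_INBOUND:
            hits.append((f["time"], f["src"], f["dst"], f["proto"], f["port"]))
    return hits


# --- Anomaly detection: "what is unusual here?" relative to a learned profile.
PROFILES = {  # constructed: user -> (usual hosts, (start_hour, end_hour))
    "alice": ({"ws-alice"}, (8, 18)),
    "bob": ({"ws-bob", "lab-1"}, (9, 17)),
}

LOGINS = [  # constructed (user, hour, host)
    ("alice", 10, "ws-alice"),
    ("alice", 3, "ws-alice"),     # outside working hours
    ("bob", 11, "kiosk-7"),       # not one of bob's usual machines
    ("bob", 14, "lab-1"),
    ("carol", 12, "ws-alice"),    # no profile at all
]


def anomalous_logins(logins, profiles):
    """Flag logins outside the user's hours window, from an unknown host, or by an unknown user."""
    out = []
    for user, hour, host in logins:
        profile = profiles.get(user)
        if profile is None:
            out.append((user, hour, host, ["unknown-user"]))
            continue
        hosts, (start, end) = profile
        reasons = []
        if not (start <= hour < end):
            reasons.append("off-hours")
        if host not in hosts:
            reasons.append("unusual-host")
        if reasons:
            out.append((user, hour, host, reasons))
    return out


if __name__ == "__main__":
    for hit in policy_violations(parse_log(FIREWALL_LOG)):
        print("POLICY VIOLATION", hit)
    for hit in anomalous_logins(LOGINS, PROFILES):
        print("ANOMALY", hit)
```

Note the difference in confidence the article points out: a policy violation is a hard fact (telnet and SNMP from outside are simply not permitted), while an anomaly is only a prompt for a human to look, since an off-hours login may be perfectly legitimate.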

INTEGRATING DEFENSES
Some vendors are offering suites of products that work together and scan for threats and vulnerabilities on systems and the networks around them.

Examples of this are eNTrax (Centrax Corp.) and SafeSuite (Internet Security Systems).

Intrusion detection systems are already in fairly widespread use today on enterprise networks. Brian Iverson, a security consultant at KPMG Peat Marwick, has helped clients deploy IDSs because "they enhance a client's ability to know what's going on in their network and add capabilities to existing security measures." But he warns that IDSs are not a panacea but a complementing technology. "You can't ever get away from having strong controls on the back end [hosts]."

In the future, as with all network security mechanisms, IDSs will have to work in concert with other security systems. Prevention systems, such as firewalls and authentication servers, could change configuration based on input from detection systems, a step known as "adaptive network security" or "active security." No matter how marketing departments label these, prevention, detection, and response systems that work together are within our grasp. Intrusion detection systems are critical to making this happen.

Security Mergers Shift Product Lines -IW January 4, 1999

With a growing number of large corporations seeking security products and services from one source, vendors are striving to meet that demand.

In many cases, vendors will be offering products in 1999 that are the result of technologies acquired last year.

For example, Network Associates acquired Dr. Solomon's for its virus detection software, Security Networks Inc. for its vulnerability assessment products, and Trusted Information Systems for its firewalls.

Meanwhile, Axent merged with Raptor, another firewall vendor, and strengthened its professional services group by acquiring Secure Network Consulting.

Other companies to watch include VeriSign, which joined the professional services group bandwagon when it picked up SecureIT of Atlanta, and Security Dynamics, which acquired Intrusion Detection Inc. to enter the vulnerability and scanning sector.

Another likely impact of these mergers and acquisitions will be a split in the market.

On one hand, corporations will work with large vendors that provide a wide range of products and sources. Yet they will be able to turn to speciality vendors that offer a "best-in-class" solution for unique security requirements.

Other security vendors, including large networking vendors and Internet service providers, will be offering products and services for companies that do not have the capability of setting up their own secure networks.

For example, GTE Internetworking has a suite of five security consulting services, including security design and implementation, penetration, and testing.

"Our SecureNet offerings help customers lower network operating costs, effectively manage information and technology risks, and reduce the time it takes to get a secure network up and running," said Adam Lipson, director, professional services, at GTE CyberTrust.

To round out their product offerings, companies are establishing partnerships.

Specialty IS vendors such as Check Point Software and Internet Security Systems are integrating complementary products.

Vendors with a broad IS product line, such as Network Associates, are working with complementary service providers such as Ernst & Young. For example, Ernst & Young will identify unique attacks and vulnerabilities using Network Associates' CyberCop product. The information will become part of an Ernst & Young library that will be shared with customers.

With the rise of electronic commerce, some analysts are also predicting that the greatest growth area for security products will involve public key infrastructures and certificate authorities.

International concerns
Because many corporations have global operations, many information security managers will be dealing with regulations from a number of political jurisdictions.

The European Union, for example, has a privacy policy that is considered to be far more stringent than policies in the United States.

Web site operators in the European Union must have a privacy policy prominently posted and adhere to it, and organizations there are prohibited from exporting data to any destination that does not have the same protection in place.

For companies and organizations that need consumer data for their operations, this is an important issue. As a result, the complex data privacy laws will require greater attention and will likely drive legal costs higher in 1999 and beyond.

Export regulation for such technology as encryption products is another area likely to be important in 1999.

The struggle continues between the U.S. government, with its desire for stronger export restrictions, and U.S. vendors with their desire for less restriction. So far, the government seems to be winning.

As a result, U.S. firms will need to continue monitoring the type of encryption software used abroad and look for products that will work with any "standard" encryption algorithm allowing for agility in employing export-legal software.

Network Security Companies Offer New Consulting Options -IW May 11, 1998

Two network security companies have announced new education and consulting services to help users properly install and maintain security systems.

Check Point Software Technologies Ltd., the market-leading firewall vendor, last week announced the formation of a new division dedicated to technical support and customer training for use of its security and policy-based network management products. And last month Secure Computing Corp., San Jose, Calif., announced that it will add four new security-related services as well.

Services from Check Point's new division will include consulting, implementation, management, and troubleshooting of its firewall and traffic management products. It has also created the Check Point Emergency Response Force, a team of engineers that will work with customers remotely or on-site to handle critical situations such as hacking incidents or denial-of-service attacks.

Tony Reed, Check Point's vice president for technical services in the company's Redwood City, Calif., U.S. headquarters, said customers had been asking for more support directly from the company for some time.

"Until now, the option of getting support directly from Check Point has not been available to our customers--they've been going to the resellers for support," he said. "Now, we can actually touch the end users directly."

As part of the new service offerings, Check Point will also open a technical support call center and a research lab that will be open 24 hours a day to help major clients. Reed said technicians at the lab would try to duplicate the client's conditions to find solutions to problems as they come up.

Secure Computing's four new offerings are assessment services (including internal and external testing and analysis to eliminate security risks), architecture services to recommend security migration and implementation, network services (including product training and installation), and support services geared to meeting more customer-specific needs.

Ted Julian, an analyst with Forrester Research in Cambridge, Mass., said the new offerings are both a natural response to customer needs and a desire to increase the companies' attractiveness to larger potential customers.

"There are deals they won't be able to do without adding these services," he said. "All vendors run into this when they start dealing with large vendors."

Julian added that Secure Computing has more of a legacy in offering consulting services than Check Point.


TCP/IP

firewall FAQ V-ONE Electronic Security University

Introduction to TCPIP

Introduction to Unix System Administration

Falling Victim To Smurf Attacks -IW April 20, 1998

Q: I have discovered that our network is being blocked from communicating with a number of other networks. At first I thought we had been placed on the Realtime Blackhole List (RBL) because someone on our network had been relaying spam. But I checked the RBL and we aren't on it.

A: It's quite possible that you have run into a different sort of exploitation. As you mentioned, if your network's mail servers are misconfigured, spammers can use them to blast out multiple copies of e-mail messages much faster than they could over a dial-up modem link. As a result, many network operators will block all traffic from a network that harbors these misconfigured mail servers.

But now there is another type of exploitation that can cause you to be cut off from sections of the Internet: a program called smurf. Widely available to hackers, smurf programs are used as attack weapons in denial-of-service (DoS) attacks. The goal of a DoS attack is to spew so many garbage packets at the victim's network that the victim's Internet connection is totally unusable.

Hackers can do this in many different ways, but the easiest is to mount a DoS attack from a network that has a greater Internet connection than the victim's. If the victim is on a dial-up line, an attack mounted from a T-1-connected network (1.54 Mbps) can completely flood the victim's link. So if you wanted to flood a company with, say, a T-1 or a 10-Mbps Ethernet connection, then you would need to launch your attack from a network with greater bandwidth than a T-1 or 10 Mbps. In these cases, it would suffice to mount two simultaneous attacks from T-1 or 10-Mbps connections, or you could use a DS-3-connected network (45 Mbps).

Fortunately, most attackers do not have access to this kind of bandwidth. But that's where the smurf program comes in handy. Using smurf, hackers send ping packets to the broadcast address on a network using Ethernet, FDDI, or Token Ring protocols. When such a network receives a ping directed at its broadcast address, every device on that network sends back a reply. The network could be someone's corporate LAN, or a Web server farm, or an ISP's modem pool. The end result is that for one incoming packet, several outgoing packets are produced, vastly amplifying the volume of traffic. It is not unusual for an Ethernet segment to have 100 devices on it, which would mean that someone sending a smurf attack from an ISDN line could generate roughly four T-1s' worth of attack traffic.

Now, ping replies normally go back to the origin of the ping packet, but a smurf program will generate packets using the victim's own IP address, so all replies are routed to the victim rather than to the attacker. In this way, a smurf attack can generate so much garbage traffic that the victim's usable connectivity is lost, thus making it difficult to identify the real source of the attack.

Some network providers will examine these attack streams to discover where the amplifier network is and will then block all data exchange with that amplifier network. The side effect is that even legitimate traffic from your network is blocked. Luckily, it is possible to configure your router, as documented in RFC 2267, so that your network cannot be abused as an attack amplifier or be used to originate such an attack.

In addition, Craig Huegen of Quadrunner Communications has published a Web page explaining how you can avoid being an attack amplifier.
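The smurf mechanism and the two defenses described in the answer above, as an added example that is not part of the InfoWorld column or of any vendor product: a small Python script that replays a constructed list of ICMP packets as seen at a border router and flags the three conditions the column talks about: echo requests aimed at the local directed-broadcast address (someone trying to use this network as an amplifier), packets an RFC 2267 style source-address filter would drop (so local hosts cannot originate a spoofed flood and outsiders cannot claim a local source), and a local host receiving echo replies from many peers it never pinged (the victim side of the flood). The local prefix 192.0.2.0/24, the other addresses (all from documentation ranges), the "direction src dst icmp_type" record format and the minimum-sources threshold are assumptions for the example.

```python
"""Toy smurf detector and source-address filter check (added example).

Not code from the InfoWorld column or any vendor product. It replays a
constructed list of ICMP packets as seen at a border router and reports
the three conditions the column describes. Addresses are from the
documentation ranges and are assumptions, not real hosts.
"""
import ipaddress
from collections import defaultdict

# Assumed local prefix behind the border router (documentation range).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Constructed sample traffic: "direction src dst icmp_type" per line.
SAMPLE_LINES = """
# legitimate ping from a local host and its answer
out 192.0.2.10 198.51.100.5 8
in  198.51.100.5 192.0.2.10 0
# attacker, spoofing victim 203.0.113.7, probes our broadcast address
in  203.0.113.7 192.0.2.255 8
# inbound packet claiming a source inside our own prefix
in  192.0.2.33 192.0.2.10 8
# local host trying to originate a smurf against 203.0.113.7 via a remote LAN
out 203.0.113.7 198.51.100.255 8
# local host 192.0.2.20 is the victim: replies from a remote LAN it never pinged
in  198.51.100.1 192.0.2.20 0
in  198.51.100.2 192.0.2.20 0
in  198.51.100.3 192.0.2.20 0
in  198.51.100.4 192.0.2.20 0
"""


def parse_packets(lines):
    """Parse 'direction src dst icmp_type' records; skip blanks and comments."""
    packets = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        direction, src, dst, itype = line.split()
        packets.append((direction, ipaddress.ip_address(src),
                        ipaddress.ip_address(dst), int(itype)))
    return packets


def amplifier_abuse(packets, net=LOCAL_NET):
    """Inbound echo requests to the subnet broadcast address.

    Every host on the segment would answer, and the replies go to the
    (forged) source, so the returned addresses are the intended victims.
    """
    return {str(src) for direction, src, dst, itype in packets
            if direction == "in" and itype == ICMP_ECHO_REQUEST
            and dst == net.broadcast_address}


def spoof_filter_drops(packets, net=LOCAL_NET):
    """Packets an RFC 2267-style source-address filter would reject.

    Inbound traffic must not claim a source inside the local prefix and
    outbound traffic must not claim one outside it, which is what stops a
    local host from originating a smurf with the victim's address.
    """
    drops = []
    for direction, src, dst, itype in packets:
        inside = src in net
        if (direction == "in" and inside) or (direction == "out" and not inside):
            drops.append((direction, str(src), str(dst)))
    return drops


def reply_flood_victims(packets, min_sources=3):
    """Local hosts receiving echo replies from many peers they never pinged."""
    requested = defaultdict(set)  # local host -> peers it sent requests to
    replies = defaultdict(set)    # local host -> peers that sent it replies
    for direction, src, dst, itype in packets:
        if direction == "out" and itype == ICMP_ECHO_REQUEST:
            requested[src].add(dst)
        elif direction == "in" and itype == ICMP_ECHO_REPLY:
            replies[dst].add(src)
    victims = {}
    for host, peers in replies.items():
        unsolicited = peers - requested.get(host, set())
        if len(unsolicited) >= min_sources:
            victims[str(host)] = len(unsolicited)
    return victims


def report(lines=SAMPLE_LINES):
    """Run all three checks over a record set and return the findings."""
    packets = parse_packets(lines.splitlines())
    return {"amplifier_abuse_victims": sorted(amplifier_abuse(packets)),
            "spoof_filter_drops": spoof_filter_drops(packets),
            "reply_flood_victims": reply_flood_victims(packets)}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it directly to print the findings for the constructed sample. The script only illustrates the logic; in a real network the same three checks map onto router configuration rather than a script: disabling directed broadcasts on every interface removes the amplification, and source-address filtering at the border (the RFC 2267 advice) stops local hosts from originating a flood with a forged victim address. The reply-flood check is the one that still belongs in a monitoring tool, since a victim cannot filter the flood away on its own link.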


FTP


NFS

Sendmail

Harker's sendmail References Page
...a real gold mine of information on sendmail and related topics, packed with tutorials and help (even for /etc/sendmail.cf).

Sendmail with POP3 v2.0 for Windows NT
The Metainfo sendmail has a built-in POP3 server and an HTML interface for administration. The sendmail part is based on version 8.8.4.

A (Smoother) Engine Powers Network Email

e-mail

Documentation

Sendmail book Home Page

Frequently Asked Questions

UnixWorld Online: Tutorial: Sendmail V8
"You can't read too much tutorial material..." Very true. But this one is a very good start and explains the rewriting rules in a way that even I (almost) understood them.

Sendmail Home Page
The bat page. Many useful links to many useful sites and email addresses for kudos (no?), questions and bugs.

Sendmail, Inc.
Sendmail Inc. is the commercial distribution channel for sendmail which offers a 'Pro' version and support.

WindMail
Windmail is an implementation of sendmail for Windows 95+ and NT and works in very much the same way.

Exploiting sendmail! -- by Ian Goldberg and David Wagner.

A first Guide for e-mail installation by Claus Aßmann

Internet Mail Consortium


Muy Cool Sendmail Resources

Ratatosk - TkRat -- mailer

www.westnet

A Beginner's Guide to Effective Email

Electronic Mail in Russian

club-traceroute

Accessing the Internet by E-MAIL

PCSLink Traceroute -- you can traceroute your location



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusively for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less than 90 days. Multiple types of probes increase this period.

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense, so you need to be aware of the Google privacy policy. If you do not want to be tracked by Google, please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.


This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contains some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speeding up access. In case softpanorama.org is down, you can use softpanorama.info.

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Created: May 16, 1997; Last modified: September 12, 2017