#
#
# 10-Mar-01 amo  Date-of-Birth -- stolen from SonicWALL
# 16-Apr-01 amo  Added silly attacks, stacksmashing, buffer overflow, etc
# 22-Apr-01 amo  Added Armed.net
#
#
# More stuff
#   http://www.armed.net/how/pg001455.htm
#
#

Alerts and Attacks:
===================

Silly Attacks
-------------
- no password, or too simple a password, defined for a user
- leaving the PC/server unattended and logged in
- servers not hardened when they should have been ...
- live RJ45 ports that are not yet in use

Denial of Service
-----------------
http://www.linuxfirewall.org/docs/denial_of_service

Back Orifice Attack
-------------------
Back Orifice is a Trojan Horse attack that, once executed on a remote
computer, will allow an attacker to perform illicit activities such as
capturing screenshots or keyboard commands, performing file transfers, or
installing applications. Back Orifice communicates over TCP port 31337.

Buffer Overflow
---------------

IniKiller Attack
----------------
IniKiller is a Trojan Horse attack that allows an attacker to destroy .ini
files on a remote computer. It communicates over TCP port 9989.

IP Spoof
--------
An IP Spoof is an intrusion attempt in which a hacker attempts to send TCP/IP
packets using the address of another computer. This can be used to access a
protected network by using the IP address of a machine on that protected
network. The SonicWALL recognizes this as an intrusion attempt and drops these
packets. An IP spoof alert in the log often indicates a misconfiguration; if
you see an IP spoof alert, make sure that all IP addresses on the LAN, WAN,
and DMZ are correct. This can also occur if an IP address on the LAN does not
fall within the LAN subnet.

Land Attack
-----------
A Land Attack is an attempt to slow down a computer or network connection. In
a Land Attack, a packet is sent with identical source and destination IP
addresses, which match the IP address of a computer on the network.
Because this is theoretically impossible, Windows goes into an infinite loop
trying to resolve these illegal connections, causing the performance of the
whole network to be degraded.

NetBus Attack
-------------
NetBus is a Trojan Horse attack for Windows 95/98/NT that, once executed on a
remote computer, will allow an attacker to perform illicit activities such as
opening and closing the CD-ROM, starting applications, showing different
messages or even redirecting a web browser to a specific URL on the Internet.

NetSpy Attack
-------------
NetSpy is a Trojan Horse attack that allows an attacker to perform illicit
activities on a remote computer. It communicates over TCP port 1024.

Ping of Death
-------------
A ping of death is a denial of service attack that attempts to crash your
system by sending a fragmented IP packet. IP does not allow single packets to
exceed 65536 bytes, but the fragments themselves can add up to more than that.
Since this is a theoretically impossible condition, operating systems crash
when they receive this data. A ping of death attack can be launched from older
versions of Windows; newer versions of Windows prevent users from sending
these packets.

Ping Sweeps
-----------

Port Scan
---------
A Port Scan indicates that someone may be scanning your system to identify
open ports. Sometimes this is done in preparation for a future attack, or to
identify whether you have rules which allow a service susceptible to attack.
A false positive may occur if an application or user is legitimately
connecting to several ports. To determine whether this is likely, look at the
port to see if it is an expected port number.

Priority Attack
---------------
Priority is a Trojan Horse attack that allows an attacker to perform illicit
activities on a remote computer. It communicates over TCP port 16969.

Ripper Attack
-------------
Ripper is a Trojan Horse attack that allows an attacker to steal passwords
from a remote computer. It communicates over TCP port 2023.
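The Land Attack, Ping of Death and Port Scan entries above each describe a condition a firewall can check per packet or per short window. The following is an added example (not from these notes and not SonicWALL code) that implements those three checks over a constructed list of packet records; the record layout, the window of 5 seconds and the threshold of 4 distinct ports are assumptions chosen for illustration, and the reassembled-size check counts a plain 20-byte IP header. The port scan alert carries the list of ports so the analyst can apply the "is it an expected port number" test the notes recommend.

```python
"""Added example: per-packet checks for Land Attack, Ping of Death (fragment
accounting) and Port Scan (distinct ports per source within a window)."""
from collections import defaultdict
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535   # largest total length an IPv4 datagram may have
IP_HEADER_LEN = 20        # assumption: no IP options on the reassembled datagram


@dataclass
class Packet:
    """Constructed packet record; offsets and lengths are in bytes."""
    ts: float
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int = 0
    ip_id: int = 0              # IP identification, shared by fragments of one datagram
    frag_offset: int = 0        # byte offset of this fragment's data (multiple of 8)
    payload_len: int = 0
    more_frags: bool = False


def is_land(pkt):
    """Land Attack: source and destination address are identical."""
    return pkt.src == pkt.dst


class FragmentTracker:
    """Ping of Death: fragments of one datagram add up beyond the IP maximum."""

    def __init__(self):
        self._end = {}          # (src, dst, ip_id) -> highest data end seen

    def observe(self, pkt):
        if not (pkt.more_frags or pkt.frag_offset):
            return False        # unfragmented packet, nothing to track
        key = (pkt.src, pkt.dst, pkt.ip_id)
        end = pkt.frag_offset + pkt.payload_len
        self._end[key] = max(self._end.get(key, 0), end)
        return self._end[key] + IP_HEADER_LEN > IP_MAX_DATAGRAM


class PortScanDetector:
    """Port Scan: one source touches many distinct ports on one host in a window."""

    def __init__(self, window, threshold):
        self.window = window
        self.threshold = threshold
        self._seen = defaultdict(list)     # (src, dst) -> [(ts, dport), ...]
        self._reported = set()

    def observe(self, pkt):
        if pkt.proto not in ("tcp", "udp"):
            return None
        key = (pkt.src, pkt.dst)
        hist = [(t, d) for t, d in self._seen[key] if pkt.ts - t <= self.window]
        hist.append((pkt.ts, pkt.dport))
        self._seen[key] = hist
        ports = {d for _, d in hist}
        if len(ports) >= self.threshold and key not in self._reported:
            self._reported.add(key)     # report each source/destination pair once
            return ports
        return None


def analyze(packets, window=5.0, threshold=4):
    """Run all three checks in timestamp order; returns (ts, kind, detail) tuples."""
    frags = FragmentTracker()
    scans = PortScanDetector(window, threshold)
    alerts = []
    for p in packets:
        if is_land(p):
            alerts.append((p.ts, "land", f"{p.src} -> {p.dst}"))
        if frags.observe(p):
            alerts.append((p.ts, "ping_of_death", f"{p.src} -> {p.dst} id={p.ip_id}"))
        ports = scans.observe(p)
        if ports:
            alerts.append((p.ts, "port_scan", f"{p.src} probed ports {sorted(ports)}"))
    return alerts


# Constructed sample: one Land packet, a four-port probe, an oversized
# fragmented echo request, and one ordinary web connection.
SAMPLE = [
    Packet(0.0, "10.0.0.5", "10.0.0.5", "tcp", dport=139),
    Packet(1.0, "192.0.2.9", "10.0.0.20", "tcp", dport=21),
    Packet(1.2, "192.0.2.9", "10.0.0.20", "tcp", dport=22),
    Packet(1.4, "192.0.2.9", "10.0.0.20", "tcp", dport=23),
    Packet(1.6, "192.0.2.9", "10.0.0.20", "tcp", dport=25),
    Packet(2.0, "203.0.113.7", "10.0.0.20", "icmp", ip_id=77,
           frag_offset=0, payload_len=1480, more_frags=True),
    Packet(2.1, "203.0.113.7", "10.0.0.20", "icmp", ip_id=77,
           frag_offset=65120, payload_len=1480, more_frags=False),
    Packet(3.0, "10.0.0.30", "10.0.0.20", "tcp", dport=80),
]

if __name__ == "__main__":
    for ts, kind, detail in analyze(SAMPLE):
        print(f"{ts:6.1f}  {kind:14s} {detail}")
```

The ordinary web connection at the end produces no alert, and the probe is reported only once per source/destination pair even if further ports follow.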
Senna Spy Attack
----------------
Senna Spy is a Trojan Horse attack that allows an attacker to perform illicit
activities on a remote computer. It communicates over UDP port 13000.

Smurf Attack
------------
A Smurf Attack occurs when a single packet, such as an ICMP echo frame, is
sent to a group of machines on the Internet with the source address replaced
by the IP address of the target computer or network. This causes a flurry of
echo responses to be sent to the target machine, which can overwhelm the
target computer or network. This alert indicates that somebody is attempting
to use your network as a smurf amplifier. Broadcasts on the local segment can
sometimes trigger false Smurf Attack alerts.

Stack Smashing
--------------

Striker Attack
--------------
Striker is a Trojan Horse attack that allows an attacker to crash remote
Windows PCs. It communicates over TCP port 2565.

SubSeven Attack
---------------
SubSeven is a Trojan Horse attack that allows an attacker to perform illicit
activities on a remote computer. It communicates over TCP ports 6667, 6711 and
27374. This Trojan is particularly dangerous and can send an IRC chat message
to notify the hacker that the system is up and running.

SYN Flood Attack
----------------
A SYN Flood is a denial of service attempt in which TCP connection requests
are sent faster than the system can process them. This causes the memory to
fill up, forcing new connections to be ignored. This detection triggers
whenever a large number of SYN packets are seen in a short period of time.
There are cases when it will trigger incorrectly, producing a false positive.
For example, if a busy website becomes unavailable for a few minutes and is
then brought back online, this event triggers because of the "pent up"
connections waiting for the system to become available.

SYN Sweeps
----------

Stealth Scanning
----------------
Stealth scanning is used by intruders to discover what ports are listening on
a machine without being detected.
A TCP FIN, or Stealth FIN, scan will send a FIN packet to each port. A Xmas
Tree scan uses packets with the FIN, URG, and PUSH flags set. A Null scan will
send packets with no TCP flags set.

--------------------------------------------------------------------------------

Website/Newsgroup Blocked:

When a user attempts to access a website or newsgroup that is blocked by the
firewall filter settings, an entry will appear in the log. In addition to the
IP address of the machine and usually the name of the blocked website or
newsgroup, this entry will contain a code made up of one or more lower-case
letters. These letters correspond to the blocking categories as follows:

  a - violence/profanity
  b - partial nudity
  c - full nudity
  d - sexual acts
  e - gross depictions
  f - intolerance
  g - satanic/cult
  h - drug culture
  i - militant/extremist
  j - sex education
  k - gambling/illegal
  l - alcohol/tobacco
  o - custom addition (either a Forbidden Domain or keyword entry)

--------------------------------------------------------------------------------

Forbidden E-Mail Attachment Altered:

Computer viruses are frequently transmitted across the internet as E-Mail
attachments. When E-Mail Filtering (an Anti-Virus feature) is enabled,
forbidden file attachments will be altered and this event will be logged.
This log entry will contain the source / destination IP addresses and the
name of the forbidden file's extension.

--------------------------------------------------------------------------------

#
#
# end of file
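Appended after the notes, as an added example that is not part of the original file and not SonicWALL code: a detector for the SYN Flood and Stealth Scanning entries (FIN, Xmas Tree and Null probes), run over a constructed log excerpt. The log line format ("timestamp src:port dst:port flag-letters", with "-" for no flags), the 1-second window and the threshold of 5 bare SYNs are assumptions of this example. The distinct-source count attached to a SYN flood alert is an addition for triage and is not something the notes describe.

```python
"""Added example: SYN Flood window detector and stealth-scan flag classifier
over a constructed firewall log excerpt."""
from collections import defaultdict, deque

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def parse_flags(text):
    """'-' means no flags set; otherwise each letter sets one bit (constructed format)."""
    flags = 0
    for ch in text:
        if ch != "-":
            flags |= FLAG_LETTERS[ch]
    return flags


def classify_flags(flags):
    """Stealth Scanning: match the exact flag sets the notes describe. A normal
    close carries FIN together with ACK, so FIN|ACK is not reported as a FIN scan."""
    if flags == 0:
        return "null_scan"
    if flags == FIN | URG | PSH:
        return "xmas_scan"
    if flags == FIN:
        return "fin_scan"
    return None


class SynFloodDetector:
    """SYN Flood: more bare SYNs (SYN set, ACK clear) toward one host than the
    threshold allows inside a sliding window of `window` seconds."""

    def __init__(self, window, threshold):
        self.window = window
        self.threshold = threshold
        self._recent = defaultdict(deque)   # dst host -> deque of (ts, src host)

    def observe(self, ts, src, dst, flags):
        if not (flags & SYN) or flags & ACK:
            return None                      # SYN/ACK replies and data are not counted
        q = self._recent[dst]
        q.append((ts, src))
        while q and ts - q[0][0] > self.window:
            q.popleft()                      # age out SYNs older than the window
        if len(q) == self.threshold:         # report once, as the threshold is crossed
            return {"syns": len(q), "sources": len({s for _, s in q})}
        return None


def analyze_log(text, window=1.0, threshold=5):
    """Parse constructed log lines and return alert dicts in log order."""
    flood = SynFloodDetector(window, threshold)
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, src, dst, flag_text = line.split()
        ts = float(ts_text)
        src_host, dst_host = src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]
        flags = parse_flags(flag_text)
        kind = classify_flags(flags)
        if kind:
            alerts.append({"ts": ts, "kind": kind, "src": src_host, "dst": dst})
        hit = flood.observe(ts, src_host, dst_host, flags)
        if hit:
            alerts.append({"ts": ts, "kind": "syn_flood", "dst": dst_host, **hit})
    return alerts


# Constructed sample: three stealth probes, a burst of bare SYNs from several
# sources, then one ordinary handshake and close that must not alert.
SAMPLE_LOG = """\
0.000 198.51.100.4:40001 10.0.0.20:22 F
0.010 198.51.100.4:40002 10.0.0.20:23 FPU
0.020 198.51.100.4:40003 10.0.0.20:25 -
1.000 203.0.113.10:5000 10.0.0.20:80 S
1.050 203.0.113.11:5001 10.0.0.20:80 S
1.100 203.0.113.12:5002 10.0.0.20:80 S
1.150 203.0.113.13:5003 10.0.0.20:80 S
1.200 203.0.113.14:5004 10.0.0.20:80 S
1.250 203.0.113.15:5005 10.0.0.20:80 S
5.000 192.0.2.50:51000 10.0.0.20:80 S
5.010 10.0.0.20:80 192.0.2.50:51000 SA
5.020 192.0.2.50:51000 10.0.0.20:80 A
5.500 192.0.2.50:51000 10.0.0.20:80 FA
"""

if __name__ == "__main__":
    for a in analyze_log(SAMPLE_LOG):
        print(a)
```

The SYN at 5.000 is not counted toward the earlier burst because the window has slid past it, and the FIN|ACK close at 5.500 is left alone by the classifier; the "pent up connections" false positive the notes mention would still fire here, so the alert is best read together with the source count and what the service was doing at the time.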