
The Nmap and DoS Attacks


Page 1: The Nmap and DoS Attacks

SYN Stealth Scan (-sS):

• Exploits the 3-way handshake by sending a SYN packet and then waiting for the response.
• If a SYN/ACK is sent back, the port is open and the remote end is trying to open a TCP connection.
  – In this case the scanner sends an RST to tear the connection down so fast that it is almost undetected on the target.
• If the port is closed, an RST will be sent.
• If it is filtered, the SYN packet will have been dropped and no response will be sent.
• Thus open, closed and filtered ports can be detected by stealth scanning.
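The port-state inference on this slide, together with the defender's side of it, as an added Python example that is not part of the original slides. The flow records are constructed, and the threshold of five distinct ports is an assumption. Because the scanner never sends the final ACK, a SYN scan leaves nothing in the target's application logs; the place to catch it is packet or flow data, where one source touching many ports with incomplete handshakes stands out.

```python
from collections import defaultdict

# Constructed flow summaries for this example (not captured traffic), one per
# (client, server, port) probe, in the shape a flow sensor might export: the
# TCP flags the client sent and the flags the server answered with.
# S = SYN, SA = SYN/ACK, A = ACK, R = RST.
SAMPLE_FLOWS = [
    # 10.0.0.5 walks six ports on 10.0.0.10 and never completes a handshake
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 22,   "client": ["S", "R"], "server": ["SA"]},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 80,   "client": ["S", "R"], "server": ["SA"]},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 23,   "client": ["S"],      "server": ["R"]},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 25,   "client": ["S"],      "server": ["R"]},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 443,  "client": ["S"],      "server": []},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "dport": 8080, "client": ["S"],      "server": []},
    # 10.0.0.7 is an ordinary client: SYN, SYN/ACK, ACK, then data both ways
    {"src": "10.0.0.7", "dst": "10.0.0.10", "dport": 80,   "client": ["S", "A"], "server": ["SA", "A"]},
    {"src": "10.0.0.7", "dst": "10.0.0.10", "dport": 443,  "client": ["S", "A"], "server": ["SA", "A"]},
]


def classify_port(server_flags):
    """Infer the port state from the server's answer, as the slide describes."""
    if "SA" in server_flags:
        return "open"       # server offered to complete the handshake
    if "R" in server_flags:
        return "closed"     # server actively refused
    return "filtered"       # the SYN was dropped: no answer at all


def is_half_open_probe(flow):
    """A SYN the client never followed with an ACK: it answered with RST or nothing."""
    return "S" in flow["client"] and "A" not in flow["client"]


def find_syn_scanners(flows, min_ports=5):
    """Return {source_ip: sorted distinct ports} for every source whose
    incomplete-handshake probes touch at least min_ports distinct ports."""
    probed = defaultdict(set)
    for flow in flows:
        if is_half_open_probe(flow):
            probed[flow["src"]].add(flow["dport"])
    return {src: sorted(ports) for src, ports in probed.items() if len(ports) >= min_ports}


def scan_report(flows, min_ports=5):
    """For each suspected scanner, the port states it would have learned,
    which is also what the defender should assume has been exposed."""
    report = {}
    for src in find_syn_scanners(flows, min_ports):
        report[src] = {
            flow["dport"]: classify_port(flow["server"])
            for flow in flows
            if flow["src"] == src and is_half_open_probe(flow)
        }
    return report


if __name__ == "__main__":
    for src, states in scan_report(SAMPLE_FLOWS).items():
        print(f"{src}: {states}")
```

On the constructed records only 10.0.0.5 is reported: it probed six ports without completing a handshake, while 10.0.0.7 completed both of its connections and is ignored. The report also shows the three outcomes from the slide side by side (22 and 80 open, 23 and 25 closed, 443 and 8080 filtered).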

Page 2: The Nmap and DoS Attacks

WinNuke:

• The term WinNuke refers to a remote denial-of-service attack (DoS) that affected Microsoft Windows 95, Microsoft Windows NT and Microsoft Windows 3.1x.
• The exploit sent a string of OOB (out of band) data to the target computer on TCP port 139 (NetBIOS).
  – Out of band data can be stated as data that the computer doesn’t expect and is not ready to process.
  – This causes it to lock up and display a Blue Screen of Death.
• This doesn’t damage or change the data on the computer's hard disk, but any unsaved data would be lost.

Page 3: The Nmap and DoS Attacks

Saihyousen attack:

• The Japanese term ‘Saihyousen’ refers to the state of ‘getting frozen’. This is what happens to the victim.
• It was actually designed to attack the ConSeal firewall (McAfee).
• The way this program kills the machine happens in 2 ways:
  – If ConSeal is set for "learning" mode, the flooding packets from all the different IPs and ports will cause the program to continuously attempt to write more and more new rules. This eventually uses up all the resources and results in a freeze and eventually a reboot.
  – If ConSeal is set to log attacks, once again because of the number of packets the system resources are eaten up and the machine dies.

Page 4: The Nmap and DoS Attacks

Teardrop attack:

• Teardrop exploits an overlapping IP fragment bug that causes the TCP/IP fragmentation re-assembly code to improperly handle overlapping IP fragments.
• The fragments are measured in terms of octets.
• Here, the basic idea is to change the fragment offset of the second packet to such a low value that instead of appending the second packet to the first packet, it actually overwrites the data and part of the TCP header of the first packet.
• Thus, the target overwrites and jumbles up the packets, resulting in garbage data which it is incapable of processing, and so the target machine gets frozen.

Page 5: The Nmap and DoS Attacks

Oshare attack:

• This DoS attack affects Windows 9x operating systems.
• Here the attacker sends an ‘Oshare’ packet to the target machine to crash it.
• Similar to the Teardrop attack.
• An Oshare packet is nothing but a malformed, invalid packet.
• The ‘malformation’ is done by exploiting an invalid fragmentation offset.

Page 6: The Nmap and DoS Attacks

Bubonic attack:

• Here the attacker randomly sends TCP packets having random values.
• The attack involves transmission of an extremely large amount of random-valued packets.
• This causes the victim to freeze and crash as it becomes incapable of handling such a high volume of packets having random values.
• The target machine crashes, but the non-targeted machines also suffer from decreased network performance as a result of the extremely high collision rate of the TCP packets.

Page 7: The Nmap and DoS Attacks

SYN Flood attack:

• Exploits the 3-way handshake.
• The potential for abuse arises at the point where the server system has sent an acknowledgment (SYN-ACK) back to the client but has not yet received the ACK message, resulting in a ‘half-open connection’.
• The server maintains a data structure describing all pending connections, which gets overflowed by the ongoing half-open connections made by IP spoofing.
• The attacking system sends SYN messages to the victim server system; these appear to be legitimate but in fact reference a client system that is unable to respond to the SYN-ACK messages.
• The half-open connections data structure on the victim server system will eventually be exhausted; then the system will be unable to accept any new incoming connections until the table is emptied out.

Page 8: The Nmap and DoS Attacks

SYN Flood attack (continued):

• There is a concept of timeout, so the half-open connections will eventually expire and the victim server system will recover.
• But the problem is that the attacking system can simply continue sending IP-spoofed packets requesting new connections faster than the victim system can time out the pending connections.
• Thus, the victim of such an attack will have difficulty in accepting any new incoming network connection.
• Usually, the attack does not affect existing incoming connections nor the ability to originate outgoing network connections. But sometimes the system may exhaust memory, crash, or be rendered otherwise inoperative.
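The half-open table and its timeout from the two SYN Flood slides, as an added Python example that is not from the original slides: a bounded pending-connection table with a per-entry timeout, a simulation in which spoofed SYNs are never acknowledged, and a toy SYN-cookie check as the stateless mitigation. Table size, timeout, arrival rates, addresses and the secret are constructed values, and the cookie is a simplified version of the real scheme (real SYN cookies also encode the MSS and a clock counter inside the 32-bit sequence number).

```python
import hashlib
import hmac


class HalfOpenTable:
    """Bounded pending-connection table with a per-entry timeout, in seconds."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = {}        # (client_ip, client_port) -> time the SYN arrived

    def expire(self, now):
        """Drop every half-open entry that has outlived the timeout."""
        for key, started in list(self.pending.items()):
            if now - started >= self.timeout:
                del self.pending[key]

    def on_syn(self, client, now):
        """True if the SYN got a slot (a SYN-ACK goes out), False if the table is full."""
        self.expire(now)
        if client in self.pending:
            return True
        if len(self.pending) >= self.capacity:
            return False
        self.pending[client] = now
        return True

    def on_ack(self, client, now):
        """The final ACK frees the slot; a spoofed client never sends it."""
        self.expire(now)
        return self.pending.pop(client, None) is not None


def simulate_flood(rate, seconds, capacity=1024, timeout=3.0):
    """Spoofed SYNs arrive at `rate` per second and are never ACKed; one
    legitimate client tries once per second and completes its handshake.
    Returns the fraction of legitimate SYNs the server had to refuse."""
    table = HalfOpenTable(capacity, timeout)
    refused = 0
    for sec in range(seconds):
        for i in range(rate):
            # constructed spoofed sources: every SYN uses a fresh (address, port) pair
            table.on_syn((f"198.51.100.{i % 250}", 10000 + sec * rate + i), sec)
        legit = ("203.0.113.9", 40000 + sec)
        if table.on_syn(legit, sec + 0.5):
            table.on_ack(legit, sec + 0.6)
        else:
            refused += 1
    return refused / seconds


def syn_cookie(secret, client_ip, client_port, server_port, minute):
    """Toy SYN cookie: derive the server's initial sequence number from the
    connection tuple and a coarse clock, so no table entry has to be kept."""
    msg = f"{client_ip}|{client_port}|{server_port}|{minute}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


def cookie_valid(secret, client_ip, client_port, server_port, ack_number, now_minute):
    """Check the final ACK (which carries ISN + 1) against the cookie for the
    current and the previous minute; a flood cannot exhaust what is never stored."""
    for minute in (now_minute, now_minute - 1):
        expected = (syn_cookie(secret, client_ip, client_port, server_port, minute) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(expected.to_bytes(4, "big"), ack_number.to_bytes(4, "big")):
            return True
    return False


if __name__ == "__main__":
    print("legitimate SYNs refused at 100 spoofed SYN/s:", simulate_flood(100, 10))
    print("legitimate SYNs refused at 500 spoofed SYN/s:", simulate_flood(500, 10))
```

With 500 spoofed SYNs per second against a 1024-entry table and a 3-second timeout, the table is full from the third second on and stays full because new entries arrive faster than old ones expire, so the legitimate client is refused for the rest of the run; at 100 per second the table never holds more than 300 entries and nobody is refused. That is the race the slide describes. The cookie path sidesteps it: the server encodes the connection into its initial sequence number and verifies it when the ACK arrives, so there is nothing for a flood to exhaust. Linux exposes this defence as the net.ipv4.tcp_syncookies sysctl.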

Page 9: The Nmap and DoS Attacks

Bonk

• Affects Windows 95 & NT machines.
• Variation of the Teardrop attack.
• The Bonk attack manipulates a field in TCP/IP packets called the fragment offset. This field tells a computer how to reconstruct a packet that was fragmented.
• By manipulating this number, the Bonk attack causes the target machine to reassemble a packet that is much too big to be reassembled.
• The machine will crash (the Blue Screen of Death).

Page 10: The Nmap and DoS Attacks

Jolt

• This DoS attack affects Windows 95 and NT machines.
• The Jolt attack sends very large, fragmented ICMP packets to the target machine. The ICMP packets are fragmented in such a way that the target machine is unable to reassemble them for use.
• When the ICMP packets are received by the target machine, it freezes up: the machine locks up and accepts no input from the keyboard or mouse.

Page 11: The Nmap and DoS Attacks

Land

• The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address and an open port as both source and destination.
• The reason a Land attack works is that it causes the machine to reply to itself continuously.
• Symptoms? The machine will lock up.

Page 12: The Nmap and DoS Attacks

Nestea

• This DoS attack affects the Linux operating system.
• It sends IP fragments to a machine connected to the Internet or a network. Nestea is specific to the Linux operating system, and exploits a bug (commonly known as the "off by one IP header" bug) in the Linux refragmentation code.
• The affected machine will certainly crash.

Page 13: The Nmap and DoS Attacks

Newtear

• The Newtear attack is a modified version of the Teardrop attack.
• Newtear exploits a problem with the way the Microsoft TCP/IP stack handles certain exceptions caused by malformed UDP header information, which changes the padding length and increases the UDP header length field to twice the size of the packet.
• The affected machine's operating system will either crash or hang.
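The input checks that a packet filter or a reassembly routine applies against the malformed-packet attacks on the Teardrop, Bonk, Jolt, Land and Newtear slides, as an added Python example that is not from the original slides. Fragment tuples and packet dictionaries are constructed, and a 20-byte IPv4 header without options is assumed. Each check rejects the packet before any state is allocated for it, which is the property the vulnerable stacks on those slides lacked.

```python
MAX_DATAGRAM = 65535     # the 16-bit IP total-length field cannot describe anything larger
IP_HEADER_LEN = 20       # assumed: minimal IPv4 header with no options
UDP_HEADER_LEN = 8
MAX_PAYLOAD = MAX_DATAGRAM - IP_HEADER_LEN


def check_land(pkt):
    """Land: a SYN whose source and destination address and port are identical."""
    if pkt.get("flags") == "S" and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]:
        return "source equals destination (Land)"
    return None


def check_udp_length(pkt):
    """Newtear-style: the UDP length field does not match the bytes actually present."""
    udp_len = pkt.get("udp_len")
    if udp_len is None:
        return None
    available = pkt["total_len"] - IP_HEADER_LEN
    if udp_len < UDP_HEADER_LEN or udp_len > available:
        return f"UDP length field {udp_len} inconsistent with {available} bytes present"
    return None


def validate_packet(pkt):
    """Every reason to drop a single packet, or an empty list if it passes."""
    return [reason for reason in (check_land(pkt), check_udp_length(pkt)) if reason]


def reassemble(frags):
    """frags: list of (offset_in_bytes, payload_bytes, more_fragments) for one datagram.
    Returns ("ok", payload), ("incomplete", None) or ("reject", reason).
    An overlap is the Teardrop case; an oversize total is the Bonk/Jolt case."""
    frags = sorted(frags, key=lambda f: f[0])
    prev_end = 0
    for i, (offset, payload, more) in enumerate(frags):
        if offset + len(payload) > MAX_PAYLOAD:
            return "reject", f"fragment at {offset} would push the datagram past {MAX_DATAGRAM} bytes"
        if offset < prev_end:
            return "reject", f"fragment at {offset} overlaps data that already ends at {prev_end}"
        if not more and i != len(frags) - 1:
            return "reject", "data arrived beyond the fragment marked as last"
        prev_end = offset + len(payload)
    # every fragment is individually sane; now see whether they form a whole datagram
    out = bytearray()
    for offset, payload, more in frags:
        if offset != len(out):
            return "incomplete", None      # a hole: wait for the missing piece or time out
        out += payload
        if not more:
            return "ok", bytes(out)
    return "incomplete", None              # the last fragment has not arrived yet


if __name__ == "__main__":
    print(reassemble([(0, b"ABCDEFGH", True), (8, b"IJKL", False)]))
    print(reassemble([(0, b"ABCDEFGHIJKLMNOP", True), (8, b"xx", False)]))
    print(validate_packet({"src": "10.0.0.10", "dst": "10.0.0.10", "sport": 139,
                           "dport": 139, "flags": "S"}))
```

Two fragments that abut (0..8 and 8..12) reassemble cleanly; a second fragment whose offset falls inside the first is refused instead of being copied over the earlier data, and a fragment that would place bytes past 65,535 is refused before any buffer of that size is requested. The validation pass runs over all fragments before the copying pass, so a bad fragment cannot hide behind a hole that would otherwise make the code wait.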

Page 14: The Nmap and DoS Attacks

Smurf

• The Smurf attack is a way of generating significant computer network traffic on a victim network.
• The attacker sends a large amount of ICMP traffic to a broadcast address and uses a victim’s IP address as the source IP, so the replies from all the devices that respond to the broadcast address will flood the victim.
• The attacker can use a low-bandwidth connection to kill high-bandwidth connections.

Page 15: The Nmap and DoS Attacks

Smurf (continued)

Page 16: The Nmap and DoS Attacks

Smurf (continued)

• The attacker sends a stream of ICMP echo packets to the router at 128 Kbps.
• The attacker modifies the packets by changing the source IP to the IP address of the victim’s computer, so replies to the echo packets will be sent to that address.
• The amplified replies would effectively disable the victim's 512 Kbps connection.

Page 17: The Nmap and DoS Attacks

Fraggle

• Fraggle is different from Smurf in that Fraggle uses UDP echo packets instead of ICMP echo packets.
• It sends a large amount of UDP echo traffic to IP broadcast addresses.
• All of it has a fake source address.
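Detection for the reflection pattern on the Smurf and Fraggle slides, as an added Python example that is not from the original slides. The packet summaries are constructed, and the threshold of 20 unsolicited reply sources and the list of broadcast addresses are assumptions. One function covers both attacks because the victim sees the same thing in each case: echo replies from many hosts it never sent a request to. The second function is the reflector's side: echo requests addressed to a directed broadcast address, which a border router should drop. The last helper carries the slides' own 128 Kbps / 512 Kbps figures through.

```python
from collections import defaultdict

# Constructed packet summaries for this example (not captured traffic).
# "echo-req"/"echo-rep" stand for ICMP echo (Smurf) and for UDP echo on port 7 (Fraggle).
SAMPLE_PACKETS = [
    # the spoofed requests as seen on the reflector networks: the source is the victim's address
    {"proto": "icmp", "kind": "echo-req", "src": "203.0.113.9", "dst": "192.0.2.255"},
    {"proto": "udp",  "kind": "echo-req", "src": "203.0.113.9", "dst": "198.51.100.255"},
    # every host on both networks answers, and all the replies land on the victim
    *[{"proto": "icmp", "kind": "echo-rep", "src": f"192.0.2.{i}", "dst": "203.0.113.9"} for i in range(1, 61)],
    *[{"proto": "udp",  "kind": "echo-rep", "src": f"198.51.100.{i}", "dst": "203.0.113.9"} for i in range(1, 31)],
    # an ordinary host pings two machines and gets two replies
    {"proto": "icmp", "kind": "echo-req", "src": "203.0.113.20", "dst": "192.0.2.5"},
    {"proto": "icmp", "kind": "echo-rep", "src": "192.0.2.5", "dst": "203.0.113.20"},
    {"proto": "icmp", "kind": "echo-req", "src": "203.0.113.20", "dst": "192.0.2.6"},
    {"proto": "icmp", "kind": "echo-rep", "src": "192.0.2.6", "dst": "203.0.113.20"},
]


def unsolicited_reply_sources(packets):
    """For each receiver, the hosts that sent it an echo reply although the
    receiver never sent them an echo request (the victim's view of Smurf/Fraggle)."""
    asked = defaultdict(set)        # requester -> hosts it sent requests to
    answered_by = defaultdict(set)  # receiver -> hosts whose replies it received
    for p in packets:
        if p["kind"] == "echo-req":
            asked[p["src"]].add(p["dst"])
        elif p["kind"] == "echo-rep":
            answered_by[p["dst"]].add(p["src"])
    result = {}
    for receiver, sources in answered_by.items():
        unsolicited = sources - asked[receiver]
        if unsolicited:
            result[receiver] = unsolicited
    return result


def find_reflection_victims(packets, min_sources=20):
    """Receivers flooded with unsolicited echo replies from many distinct hosts."""
    return {dst: len(srcs) for dst, srcs in unsolicited_reply_sources(packets).items()
            if len(srcs) >= min_sources}


def broadcast_echo_requests(packets, broadcast_addrs):
    """The reflector's view: echo requests aimed at a directed broadcast address.
    A border router that drops these, and hosts that ignore broadcast echo,
    cannot be used as amplifiers."""
    return [(p["src"], p["dst"]) for p in packets
            if p["kind"] == "echo-req" and p["dst"] in broadcast_addrs]


def reflected_kbps(responders, request_kbps):
    """Reply traffic the victim receives when every responder echoes each request:
    the slide's 128 Kbps of requests needs only four responders to fill a 512 Kbps link."""
    return responders * request_kbps


if __name__ == "__main__":
    print("victims:", find_reflection_victims(SAMPLE_PACKETS))
    print("broadcast requests:", broadcast_echo_requests(SAMPLE_PACKETS, {"192.0.2.255", "198.51.100.255"}))
    print("reflected Kbps with 90 responders:", reflected_kbps(90, 128))
```

On the constructed traffic 203.0.113.9 receives replies from 90 hosts it never asked, while 203.0.113.20's two replies match its two requests and are ignored. The reflector-side check lists both spoofed broadcast requests, which is the point where the attack can be stopped before any amplification happens.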