
Thursday, July 5, 2007

Computer threat - continued

Other threats to computers and networks are as follows:

Denial of Service (DoS)
    In this type of attack, a hacker or some other party sends a number of ICMP echo requests to a broadcast address. Remember that the sender address of the requests has been disguised, so the sender is difficult to trace.
    The network can be protected by being selective about which ICMP echo requests are answered; another way is to leave directed broadcast disabled at the router. Permit outbound packets only when the sender address matches an internal network address. This is important to network security.
    The other level of Denial of Service (DoS) is Distributed Denial of Service (DDoS).
    This type increases the traffic by combining the bandwidth of several hosts against one target host or network.
Spoofing
    Spoofing is the creation of TCP/IP packets using somebody else's IP address. Routers use the "destination IP" address in order to forward packets through the Internet, but ignore the "source IP" address. That address is only used by the destination machine when it responds back to the source.
Broadcast Amplification
    By using broadcast amplification, an attacker can direct machines at one site to flood another site with network packets. If huge amounts of packets are sent to a site, it goes down under the load, causing denial of service. To prevent this technique from being used, the document's authors suggest that companies turn off the capability to forward directed broadcast or multicast traffic.
TCP SYN attack
    A TCP SYN attack is an attack based on bogus TCP connection requests, created with a spoofed source IP address and sent to the attacked system. The connections are never completed, so they soon fill up the connection request table of the attacked system, preventing it from accepting any further valid connection requests.

    The source host for the attack sends a SYN packet to the target host. The target host replies with a SYN/ACK back to the legitimate user of the forged IP source address.

    Since the spoofed source IP address is unreachable, the attacked system will never receive the corresponding ACK packets in return, and the connection request table on the attacked system will soon be filled up. The attack works if the spoofed source IP address is not reachable by the attacked system. If the spoofed source IP address were reachable by the attacked system, then the legitimate owner of the source IP address would respond with a RST packet back to the target host, closing the connection and defeating the attack.

    TCP SYN flood is a denial of service attack that sends a host more TCP SYN packets than the protocol implementation can handle.

    This is a resource starvation DoS attack because once the connection table is full, the server is unable to service legitimate requests.
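The protections named in the Denial of Service and Broadcast Amplification entries above can be written as three border-router rules. The following is an added example, not code from the original post; the networks, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the post.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/25"),
                 ipaddress.ip_network("192.0.2.128/25")]
ECHO_RESPONDERS = {ipaddress.ip_address("192.0.2.10")}  # hosts allowed to answer ping
ICMP_ECHO_REQUEST = 8

def is_directed_broadcast(dst, networks=INTERNAL_NETS):
    """True when dst is the broadcast address of one of our subnets."""
    addr = ipaddress.ip_address(dst)
    return any(n.prefixlen < 31 and addr == n.broadcast_address for n in networks)

def border_filter(direction, src, dst, proto, icmp_type=None):
    """Return (action, reason) for one packet crossing the border router."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if direction == "out":
        # Egress rule: only internal addresses may leave as source addresses.
        if not any(src_ip in n for n in INTERNAL_NETS):
            return "drop", "spoofed source leaving the network"
        return "permit", "internal source"
    # Inbound: never forward a packet addressed to a subnet broadcast address.
    if is_directed_broadcast(dst):
        return "drop", "directed broadcast"
    # Inbound: be selective about which hosts answer ICMP echo at all.
    if proto == "icmp" and icmp_type == ICMP_ECHO_REQUEST and dst_ip not in ECHO_RESPONDERS:
        return "drop", "echo request to non-responder"
    return "permit", "default"

# Constructed packets: (direction, source, destination, protocol, ICMP type)
SAMPLE = [
    ("in", "203.0.113.7", "192.0.2.127", "icmp", 8),     # echo request to a subnet broadcast
    ("in", "203.0.113.7", "192.0.2.255", "udp", None),   # any directed broadcast
    ("in", "203.0.113.7", "192.0.2.10", "icmp", 8),      # ping to an allowed responder
    ("in", "203.0.113.7", "192.0.2.20", "icmp", 8),      # ping to any other host
    ("out", "192.0.2.20", "203.0.113.7", "tcp", None),   # genuine internal source
    ("out", "198.51.100.9", "203.0.113.7", "tcp", None), # forged source address
]

def run_sample():
    return [border_filter(*pkt)[0] for pkt in SAMPLE]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", border_filter(*pkt))
```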

Friday, June 29, 2007

Computer threat - Network Security

Every TCP packet has flag bits that define the content and purpose of the packet.

Example:
    A packet with the "SYN" (SYNCHRONIZE) flag bit set initiates a connection from sender to recipient. A packet with the "ACK" flag bit set informs the receiver about the sender's information.
    A TCP packet with the "FIN" (FINISH) flag bit set stops the connection from sender to recipient.
To build a TCP connection, packets must be exchanged between the two hosts; this exchange is known as the "TCP Three-Way Handshake", as in the picture below.
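An added example, not from the original post, that serves both this post and the TCP SYN attack description in the July 5 post: it decodes the flag bits from raw TCP headers and counts connection requests that never complete the three-way handshake. Addresses, ports, the backlog size and all function names are constructed for illustration.

```python
import struct
from collections import defaultdict

FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "ACK": 0x10}
SERVER = "192.0.2.10"  # constructed address of the monitored host

def tcp_header(sport, dport, seq, ack, flags):
    """Build a 20-byte TCP header as constructed input (checksum left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)

def flag_names(header):
    """Decode the flag bits, which sit in byte 13 of the TCP header."""
    return {name for name, bit in FLAGS.items() if header[13] & bit}

def half_open(packets, server=SERVER):
    """Replay (src_ip, dst_ip, header) tuples; count pending SYNs per server port."""
    pending = defaultdict(set)  # server port -> {(client ip, client port)}
    for src, dst, hdr in packets:
        sport, dport = struct.unpack("!HH", hdr[:4])
        flags = flag_names(hdr)
        if dst == server and flags == {"SYN"}:
            pending[dport].add((src, sport))       # step 1: request enters the table
        elif dst == server and flags & {"ACK", "RST"}:
            pending[dport].discard((src, sport))   # step 3, or a reset: entry is freed
    return {port: len(entries) for port, entries in pending.items()}

def exhausted_ports(counts, backlog):
    """Ports whose connection request table is full for the given backlog size."""
    return sorted(port for port, n in counts.items() if n >= backlog)

def sample():
    # One complete handshake: SYN, SYN/ACK, ACK.
    pkts = [("198.51.100.5", SERVER, tcp_header(40000, 80, 100, 0, 0x02)),
            (SERVER, "198.51.100.5", tcp_header(80, 40000, 900, 101, 0x12)),
            ("198.51.100.5", SERVER, tcp_header(40000, 80, 101, 901, 0x10))]
    # Six SYNs with forged sources; the SYN/ACK replies are never answered.
    for i in range(1, 7):
        pkts.append((f"203.0.113.{i}", SERVER, tcp_header(1024 + i, 80, i, 0, 0x02)))
    # One forged source is reachable and answers the unexpected SYN/ACK with RST.
    pkts.append(("203.0.113.3", SERVER, tcp_header(1027, 80, 0, 0, 0x04)))
    return pkts

if __name__ == "__main__":
    counts = half_open(sample())
    print(counts, "full:", exhausted_ports(counts, backlog=5))
```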


Computer Network Threat

Threats are very harmful to the entire system and also to applications on internal and external networks.

The threats are as follows:

Remote Login - this happens when someone is able to connect to a computer and control several things related to the resources found on that host or computer.

Application Backdoors - some programs have a special ability for remote access. Some buggy programs contain a backdoor or hidden access that provides a level of control over the computer and the program.

SMTP session hijacking - SMTP is the most commonly used method to deliver e-mail. By obtaining an e-mail mailing list, someone can deliver undesirable e-mail to thousands of users or more. This is called unsolicited junk mail or spam.

Spamming is conducted by connecting to an unsuspecting SMTP server and then delivering thousands of e-mails through it, a process called redirecting, which makes it complicated to detect who the real sender of the spam is.

Operating system bugs - As with applications, some operating systems have security gaps that can be exploited illegally.

E-mail bombs - an attack on an individual: someone sends hundreds or thousands of e-mails to one address so that the victim's mailbox cannot accept e-mail anymore.

Macro - To simplify procedures in an application, many application programs let us create commands that the program can run (scripts). By exploiting this script or macro capability, an attacker can cause damage to data on the computer.

Virus - The best-known cause of trouble on computers. Viruses differ from one another in method, construction, effectiveness, level of damage, and speed of spreading.

Redirect bombs - A hacker or cracker can use ICMP to change the direction in which information travels, sending it to another router as part of an attack.

Source routing - In many cases, the route a data packet takes through one or more networks is determined by the routers it passes, using their routing information, but sometimes a hacker uses such a packet to pose as the real sender.

Other types of computer attack (covered in the next post):
    Denial of Service (DoS)
    Spoofing
    Broadcast Amplification
    TCP SYN

The threats above can be carried out in various ways, including by using a virus.

Tuesday, May 29, 2007

Computer Port list

What is a computer port?

A port is an interface on a computer to which you can connect a device. Personal computers have various types of ports. Internally, there are several ports for connecting disk drives, display screens, and keyboards.

Externally, personal computers have ports for connecting modems, printers, mice, and other peripheral devices.

Almost all personal computers come with a serial RS-232C port or RS-422 port for connecting a modem or mouse and a parallel port for connecting a printer.


On PCs, the parallel port is a Centronics interface that uses a 25-pin connector. SCSI (Small Computer System Interface) ports support higher transmission speeds than do conventional ports and enable you to attach up to seven devices to the same port.

In TCP/IP and UDP networks, a port is an endpoint to a logical connection. The port number identifies what type of port it is.

A network administrator must know the computer ports in order to identify network attacks and the network function each port serves.

Below is a general list of service names and their port numbers:

Service Name                            Port Number

Windows Services
    Browsing                            UDP:137,138
    DHCP Lease                          UDP:67,68
    DHCP Manager                        TCP:135
    Directory Replication               UDP:138 TCP:139
    DNS Administration                  TCP:135
    DNS Resolution                      UDP:53
    Event Viewer                        TCP:139
    File Sharing                        TCP:139
    Logon Sequence                      UDP:137,138 TCP:139
    NetLogon                            UDP:138
    Pass Through Validation             UDP:137,138 TCP:139
    Performance Monitor                 TCP:139
    PPTP                                TCP:1723 IP Protocol:47 (GRE)
    Printing                            UDP:137,138 TCP:139
    Registry Editor                     TCP:139
    Server Manager                      TCP:139
    Trusts                              UDP:137,138 TCP:139
    User Manager                        TCP:139
    WinNT Diagnostics                   TCP:139
    WinNT Secure channel                UDP:137,138 TCP:139
    Wins Replication                    TCP:42
    Wins Manager                        TCP:135
    Wins Registration                   TCP:137
    Direct Hosting of SMB over TCP/IP   TCP,UDP:445

Windows Load Balancing System (WLBS) & Convoy for cluster control
    Convoy                              UDP:1717
    WLBS                                UDP:2504

Microsoft Exchange
    Client/Server Comm.                 TCP:135
    Exchange Administrator              TCP:135
    IMAP                                TCP:143
    IMAP (SSL)                          TCP:993
    LDAP                                TCP:389
    LDAP (SSL)                          TCP:636
    MTA - X.400 over TCP/IP             TCP:102
    POP3                                TCP:110
    POP3 (SSL)                          TCP:995
    RPC                                 TCP:135
    SMTP                                TCP:25
    NNTP                                TCP:119
    NNTP (SSL)                          TCP:563

Windows Terminal Services
    RDP Client (Microsoft)              TCP:3389
    ActiveX Client (TSAC)               TCP:80,3389
    ICA Client (Citrix)                 TCP:1494
    Terminal Server                     TCP:3389

IPSec
    ISAKMP                              UDP:500
    ESP                                 IP Protocol 50
    AH                                  IP Protocol 51

Kerberos
    Kerberos                            TCP,UDP:88

RSVP
    RSVP                                IP Protocol:46

Wednesday, May 2, 2007

SMTP Investigation for Telkom adsl connection


Investigate SMTP Connection for TELKOM ADSL:

Below is a FAQ for investigating the SMTP relay, smtp.telkom.net. Follow these steps to carry out the SMTP investigation:

1. Run an nslookup test against the Telkom SMTP server:








If no IP is found for smtp.telkom.net, check your DNS server address. If you don't know the DNS server address for your Telkom connection, you can ask Astinet customer service (147).

2. Run ping to the SMTP server:



If your ping result is RTO (Request Timed Out), your computer/network is not connected to the Telkom server. Check your ADSL connection or the ADSL modem indicator. A blinking ADSL indicator lamp means there is no ADSL signal to your modem or it cannot log in.

3. Tracert to the SMTP server:


The tracert result displayed indicates that the server was found.



4. Test sending e-mail via telnet:



Sending e-mail via telnet is used to test the smtp telkom.net server. Do this test if sending mail via Outlook Express fails.

The above picture is a test result from Linux. You can carry out the same steps via cmd (Command Prompt) on Windows, but the words that you type are not displayed.

If you get the result shown in the above picture, sending e-mail via telnet is successful; if sending mail using Outlook Express still fails, check your Outlook Express software.

If all the steps have been done but you still cannot send mail, check on your server side:

1. Is your server using a firewall?
2. Check your ADSL configuration; do not block SMTP (port 25).
3. Do you have a problem with another application on your server, for example WinGate?

Note that WinGate needs special configuration for an SMTP mail server; check your WinGate configuration.
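The name lookup and the port 25 session from the steps above can also be scripted. The following is an added example, not part of the original post; it stops after the EHLO reply instead of sending a message, and the function name and stage labels are assumptions made for this example.

```python
import smtplib
import socket

def check_smtp_relay(host, port=25, timeout=10.0):
    """Return (stage, detail); stage is 'dns', 'connect', 'smtp' or 'ok'."""
    # Step 1 equivalent: the name must resolve (what nslookup verifies).
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host}: {exc}"
    address = infos[0][4][0]

    # Steps 2-3 test reachability with ICMP; a TCP connect to port 25 tests
    # the service itself, so a firewall or modem rule blocking SMTP shows here.
    try:
        client = smtplib.SMTP(address, port, local_hostname="localhost",
                              timeout=timeout)
    except (OSError, smtplib.SMTPException) as exc:
        return "connect", f"no SMTP greeting from {address}:{port}: {exc}"

    # Step 4 equivalent: the start of the telnet dialogue (greeting, EHLO, QUIT).
    try:
        with client:  # leaving the block sends QUIT and closes the socket
            code, reply = client.ehlo()
            if not 200 <= code < 300:
                code, reply = client.helo()  # fall back for servers without EHLO
    except (OSError, smtplib.SMTPException) as exc:
        return "smtp", f"session to {address}:{port} failed: {exc}"
    if not 200 <= code < 300:
        return "smtp", f"server refused EHLO/HELO with code {code}"
    return "ok", f"{address}:{port} accepted EHLO with code {code}"

if __name__ == "__main__":
    # smtp.telkom.net is the relay named in the post.
    print(check_smtp_relay("smtp.telkom.net"))
```

A result of "connect" while the name resolves points at the server-side checks listed above, such as a firewall or an ADSL configuration that blocks port 25.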




Linux Software RAID

Introduction The main goals of using redundant arrays of inexpensive disks (RAID) are to improve disk data performance and provide data re...