DDoS Attack and Mitigation Techniques
By Valerio Sorrentino
Nowadays the most common reason that criminals attack internet services is still to extort money, in exchange for a promise that the targeted systems will no longer be attacked. DDoS attacks are costing the average enterprise company about five million euro for a 24-hour outage, and attacks can be performed from anywhere in the world with total anonymity, using software such as Tor. This software was created to defend citizens from network surveillance that threatens personal freedom and privacy. However, criminals can also use it to hide their physical location by bouncing their network traffic through a number of computers.
Understanding and Mitigating Distributed Denial of Service Attacks
By Hari Kosaraju
The mechanism by which a TCP connection is established is called the three-way handshake. During this process, the client first sends the server a TCP SYN packet. In response, the server sends a SYN ACK packet to the client. When the client receives this SYN ACK packet, it sends an ACK packet to the server. At this point, the TCP connection is considered established between the client and the server. In a denial of service attack, there are two ways that an attacker can interrupt this process. They can send a TCP SYN packet to the server with a spoofed source IP address, so that the server never receives an ACK: the host at the spoofed source IP knows nothing about this TCP connection and will not send a TCP ACK to the server. The other way is to use a legitimate source IP but never send the TCP ACK packet. By repeating this trick, the attacker forces the server to maintain numerous half-open connections and exhausts the connection queue. Once this connection queue is exhausted, no new legitimate clients will be able to connect to the server.
Web Application Firewall – From Planning to Deployment
By Yen Hoe Lee and Fernando Perez
The WAF tuning process requires the WAF to be set to monitoring mode. In this mode, all web request traffic for the application is allowed through the web application firewall without being blocked; the WAF is set to capture and report the violations it would otherwise have blocked. The WAF implementation team needs to review these violations and either accept them as legitimate traffic or tweak the rules so that they no longer trigger violations. This process is repeated until all violations are addressed. When a positive model is used, the tuning effort will always be higher. The complexity of the application also affects the level of effort needed. In this case, the complexity is determined by the number of inputs, the type of input expected, and how dynamically the application pages are generated.
Web Server SED Filtering
By Colin Renouf
One important thing to note, however, is that C represents strings as character arrays, usually of 8-bit ASCII characters, terminated with a null character. Java uses Unicode and, under the covers, stores the length of the String. The machine may represent the individual bytes of a value in one ordering and the network in another, i.e. big-endian or little-endian. These different representations can be used by the clever hacker to produce an attack that exploits the data representation conversions taking place at the boundaries: the attack string bypasses security in one layer by relying on the conversion performed behind it. We will cover this in another article, but the thing to understand is that each layer must have its own defences and not rely entirely on what sits in front of it. Many attacks come from inside the external firewalls, e.g. from staff, so even in the simple case where the same technologies are used throughout and no conversion occurs, defences are still needed in each layer.
Web Application Firewalls, how tough are they now?
By Manfred Fereira
If the reader is running the Siege application for the first time, they must run “siege.config” to generate the configuration file.
If the reader wants to test a partial page or a group of pages, one of the parameters to pass is the list of URLs; for these tests we will provide just two URLs. But for better performance and analysis, the principal URLs of the site should be included. The more URLs in the list, the better idea of the actions taken by the WAF and load balancer the reader will have.
Edit the file “/etc/urls.txt” with the vi command and enter as many URLs as the reader can, always belonging to the web site you want to test.
Commands executed in the Backtrack distribution, on the command line:
# vi /etc/urls.txt
Sockets and TCPIP – Core of an Attack
By Colin Renouf
With the sockets API from a client perspective, a socket is declared as a particular type, is opened, or more accurately connected, using a “connect” call, is then written to or read from, and is finally closed; all much like reading from or writing to a file. From the server perspective, the server binds the socket to a port, listens on that port for requests, and accepts each request as it comes in. Where only a single packet is to be handled, the simpler sendto and recvfrom calls are available. The API suite also contains functions to look up hosts by name and to convert between the host byte representation and the network representation. All of these are documented heavily elsewhere and are generally well understood.
Web Server Log Analysis – Detecting Bad Stuff Hitting Your Web Server
By Kim Halavakoski
Web servers on the Internet are under constant attack. Defending your web server requires vigilant response times and in-depth log analysis to be able to detect, remediate and track ongoing attacks.
WAFs are today a common tool in defending high-profile websites. One often forgotten aspect of any technology is log analysis. Products and technologies are often installed as a countermeasure to observed attacks, but the really valuable part is usually forgotten: log analysis. Without properly analysing the logs, defending against the ever-changing threat landscape and evolving attack methods can be challenging. This article will show some basic methods, tools and products for analysing the logs and detecting the bad stuff targeting your website.
Special Edition for Forensic Professionals: The Most Advanced and Effective New Tools from Atola Technology
By ATOLA Team
The Atola Forensic Imager is a high-quality professional tool designed to meet all expectations in advanced forensic operations. It is an all-in-one solution that easily works with damaged or unstable hard disk drives. It combines a fast imager with strong data recovery capabilities for creating accurate forensic images. The powerful Atola Imaging Software is bundled with the Atola DiskSense Ethernet Unit, which utilizes the most efficient interface connections. This professional tool has been developed with the ability to customize every step. Key parameters can be adjusted during the imaging process to make it more effective and successful for each specific case. Quick and accurate erasing of hard drives works at maximum speed, using any specified hex pattern to overwrite the sectors. It can also execute the Security Erase function and perform Zero-Fill, NIST 800-88 and DoD 5220.22-M compliant wiping. The Case Management System works automatically, recording all important data such as date, time and hash values in one place. Archives of all past cases are stored on the host PC. The automatic password removal function removes any user-level or master-level ATA password from a locked hard drive and displays the password to the technician.