“main” (Installation and Administration) 2004/6/25 13:29 page 688 #714
making the service disappear. However, once a given service has become
unavailable, communications could become vulnerable to man-in-the-middle
attacks (sniffing, TCP connection hijacking, spoofing) and DNS poisoning.
Man in the Middle: Sniffing, Hijacking, Spoofing
In general, any remote attack performed by an attacker who puts himself between the communicating hosts is called a man-in-the-middle attack. What almost all types of man-in-the-middle attacks have in common is that the victim is usually not aware that something is happening. There are many possible variants; for example, the attacker could pick up a connection request and forward it to the target machine himself. The victim has then unwittingly established a connection with the wrong host, because the other end is posing as the legitimate destination machine.
The simplest form of a man-in-the-middle attack is the sniffer — the attacker is “just” listening to the network traffic passing by. As a more complex attack, the “man in the middle” could try to take over an already established connection (hijacking). To do so, the attacker would need to analyze the packets for some time to be able to predict the TCP sequence numbers belonging to the connection. When the attacker finally seizes the role of the target host, the victims notice this, because they get an error message saying the connection was terminated due to a failure. Protocols that are not protected against hijacking by encryption, and that only perform a simple authentication procedure when the connection is established, make this easier for attackers.
Spoofing is an attack where packets are modified to contain counterfeit
source data, usually the IP address. Most active forms of attack rely on
sending out such fake packets — something that, on a Linux machine, can
only be done by the superuser (root).
Many of the attacks mentioned are carried out in combination with a DoS. If an attacker sees an opportunity to bring down a certain host abruptly, even if only for a short time, it makes it easier for him to push the active attack, because the host will not be able to interfere with the attack for some time.
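The last point of the section above, that a protocol which authenticates only when the connection is set up offers no protection once a hijacker supplies the right sequence number, can be shown with two toy session models. This is an added example and not code from the manual: LoginOnlySession checks a password once and afterwards trusts any segment carrying the next expected sequence number, while MacPerMessageSession additionally requires an HMAC over (sequence number || payload) under a per-session key. The class names, the wire format and the sample payloads are invented for the illustration.

```python
"""Why authenticating only at connection setup does not stop hijacking.

Added example, not from the SUSE manual. A segment injected by a party who
has guessed the sequence number but holds no session key is accepted by the
login-only model and rejected by the per-message MAC model.
"""
import hashlib
import hmac
import secrets


class LoginOnlySession:
    """Authentication happens only at setup; later segments are trusted."""

    def __init__(self, password: bytes):
        self._password = password
        self.authenticated = False
        self.expected_seq = 0
        self.delivered = []  # payloads handed to the application

    def login(self, password: bytes) -> bool:
        self.authenticated = hmac.compare_digest(password, self._password)
        return self.authenticated

    def receive(self, seq: int, payload: bytes) -> bool:
        # Only the sequence number is checked, as in a plaintext protocol.
        if not self.authenticated or seq != self.expected_seq:
            return False
        self.delivered.append(payload)
        self.expected_seq += 1
        return True


class MacPerMessageSession(LoginOnlySession):
    """Every segment carries a MAC bound to its sequence number."""

    def __init__(self, password: bytes, session_key: bytes):
        super().__init__(password)
        self._key = session_key

    @staticmethod
    def tag(key: bytes, seq: int, payload: bytes) -> bytes:
        return hmac.new(key, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

    def receive(self, seq: int, payload: bytes, mac: bytes = b"") -> bool:
        if not self.authenticated or seq != self.expected_seq:
            return False
        if not hmac.compare_digest(mac, self.tag(self._key, seq, payload)):
            return False  # wrong key or wrong position: drop the segment
        self.delivered.append(payload)
        self.expected_seq += 1
        return True


def run_demo() -> dict:
    """Feed one legitimate and one injected segment to both models."""
    password = b"correct horse"          # constructed sample credential
    key = secrets.token_bytes(32)        # known only to the two legitimate ends

    plain = LoginOnlySession(password)
    plain.login(password)
    macd = MacPerMessageSession(password, key)
    macd.login(password)

    # Segment 0 comes from the legitimate peer.
    legit = b"request from the legitimate peer"
    plain.receive(0, legit)
    macd.receive(0, legit, MacPerMessageSession.tag(key, 0, legit))

    # Segment 1 is injected by a third party who guessed seq 1 but has no key.
    injected = b"segment from a third party"
    return {
        "login_only_accepts_injected": plain.receive(1, injected),
        "mac_rejects_injected": not macd.receive(1, injected, b"\x00" * 32),
        "mac_still_accepts_legit": macd.receive(
            1, legit, MacPerMessageSession.tag(key, 1, legit)),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The per-message model is the shape that protocols such as SSH or TLS take after the handshake: the session key binds every record to the authenticated peer, so sequence-number prediction alone gives an outsider nothing to inject.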
DNS Poisoning
DNS poisoning means that the attacker corrupts the cache of a DNS server
by replying to it with spoofed DNS reply packets, trying to get the server
to send certain data to a victim who is requesting information from that
server. Many servers maintain a trust relationship with other hosts, based
688 26.7. Security and Confidentiality
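The DNS poisoning paragraph above describes spoofed reply packets being accepted into a server's cache. The checks a resolver applies before caching a reply are shown in the following added example, which is not code from the manual or from any DNS implementation: the reply's transaction ID must match an outstanding query, its question section must be identical to the one sent, and only records within the question's own domain (a simplified bailiwick rule) are kept. The message builders, the pending-query table and the sample packets are constructed for the illustration; real resolvers additionally match the source port and server address of the reply, which needs sockets and is left out here.

```python
"""Validating DNS replies before they enter a cache (added example).

Wire format is the RFC 1035 header and uncompressed names. The builders,
the pending-query table and the sample packets are constructed here and
are not SUSE or BIND code.
"""
import struct

QTYPE_A, QCLASS_IN = 1, 1


def fqdn(name: str) -> str:
    """Normalise a name to lower case with a trailing dot."""
    return name.rstrip(".").lower() + "."


def encode_name(name: str) -> bytes:
    out = b""
    for label in fqdn(name)[:-1].split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # this toy decoder does not handle compression pointers
            raise ValueError("compressed name")
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n
    return ".".join(labels) + ".", off


def build_reply(txid: int, qname: str, answers) -> bytes:
    """answers: list of (owner name, IPv4 string). Flags: QR, RD, RA set."""
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for owner, ip in answers:
        rdata = bytes(int(x) for x in ip.split("."))
        body += encode_name(owner) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + rdata
    return hdr + body


def parse_reply(msg: bytes) -> dict:
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == QTYPE_A and rdlen == 4 else rdata
        answers.append((owner, rtype, value))
    return {"txid": txid, "qr": bool(flags & 0x8000),
            "question": (qname, qtype, qclass), "answers": answers}


def in_bailiwick(owner: str, qname: str) -> bool:
    """Simplified rule: keep records at or below the name that was asked for."""
    return owner == qname or owner.endswith("." + qname)


def validate_reply(msg: bytes, pending: dict):
    """Return (accepted, reason, records safe to cache)."""
    try:
        r = parse_reply(msg)
    except (ValueError, IndexError, struct.error):
        return False, "malformed reply", []
    if not r["qr"]:
        return False, "not a response (QR bit clear)", []
    expected = pending.get(r["txid"])
    if expected is None:
        return False, "no outstanding query with this transaction id", []
    if r["question"] != expected:
        return False, "question section does not match the query", []
    del pending[r["txid"]]  # one reply per query; later duplicates are dropped
    return True, "accepted", [a for a in r["answers"] if in_bailiwick(a[0], expected[0])]


def demo() -> dict:
    """Three constructed replies to one outstanding query for www.example.org."""
    txid = 0x1A2B  # in practice chosen at random per query, with a random source port
    pending = {txid: (fqdn("www.example.org"), QTYPE_A, QCLASS_IN)}
    genuine = build_reply(txid, "www.example.org", [("www.example.org", "192.0.2.10")])
    wrong_id = build_reply(0x0001, "www.example.org", [("www.example.org", "203.0.113.5")])
    extra = build_reply(txid, "www.example.org",
                        [("www.example.org", "192.0.2.10"), ("login.bank.example", "203.0.113.5")])
    return {name: validate_reply(pkt, dict(pending))
            for name, pkt in (("genuine", genuine), ("wrong_id", wrong_id), ("extra", extra))}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The third packet is the interesting one: its transaction ID and question are correct, but it carries an additional record for an unrelated name. Without the bailiwick filter that record would land in the cache and redirect later lookups for the unrelated host, which is exactly the effect the paragraph above describes.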