Sardarji Commits Suicide

Sardarji is trying to commit suicide on the railway tracks

and he takes along some wine and chicken with him. Somebody stops

him and asks "kyon bhai, ye sab kyon leke baithe ho?" (Why

do you take these things with you?).

Sardarji replies "Saali train late aati hai kahin bhook se na

marjaun" (If the stupid train comes late, I will die of hunger!)

Special File/Database Access

Two other methods used to gain access to a system are through special files and
database access.These types of files, although different in structure and function,
exist on all systems and all platforms. From an NT system to a Sun Enterprise
15000 to a Unisys Mainframe, these files are common amongst all platforms.
Attacks against Special Files
The problem of attacks against special files becomes apparent when a user uses
the RunAs service of Windows 2000.When a user executes a program with the
RunAs function,Windows 2000 creates a named pipe on the system, storing the
credentials in clear text. If the RunAs service is stopped, an attacker may create a
named pipe of the same name.When the RunAs service is used again, the credentials
supplied to the process will be communicated to the attacker.This allows
an attacker to steal authentication credentials, and could allow the user to log in
as the RunAs user.Attackers can take advantage of similar problems in UNIX systems. One such
problem is the Solaris pseudo-terminal problems we mentioned previously.Red
Hat Linux distribution 7.1 has a vulnerability in the upgrade portion of the
package. A user upgrading a system and creating a swap file exposes herself to
having swap memory snooped through.This is due to the creation of the swap file
with world-readable permissions. An attacker on a system could arbitrarily create a
heavy load on system memory, causing the system to use the swap file. In doing
so, the attacker could make a number of copies of swap memory at different states,
which could later be picked through for passwords or other sensitive information.
Attacks against Databases
Databases present a world of opportunity to attackers. Fulfilling our human
needs to organize, categorize, and label things, we have built central locations of
Classes of Attack • Chapter 2 51
information.These central locations are filled with all sorts of goodies, such as
financial data, credit card information, payroll data, client lists, and so forth.The
thought of insecure database software is enough to keep a CEO awake at night,
let alone send a database administrator into a nervous breakdown. In these days of
post-dot-com crash, e-commerce is still alive and well.And where there is commerce,
there are databases.
Risky Business
Databases are forced to fight a two-front war.They are software, and are therefore
subject to the problems that all software must face, such as buffer overflows, race
conditions, denials of service, and the like. Additionally, databases are usually a
backend for something else, such as a Web interface, graphical user interface tool,
or otherwise. Databases are only as secure as the software they run and the interfaces
they communicate with.
Web interfaces tend to be a habitual problem for databases.The reasons for
this are that Web interfaces fail to filter special characters or that they are
designed poorly and allow unauthorized access, to name only two.This assertion
is backed by the fact that holes are found in drop-in e-commerce packages on a
regular basis.
Handling user-supplied input is risky business. A user can, and usually will,
supply anything to a Web front end. Sometimes this is ignorance on the part of
the user, while other times this is the user attempting to be malicious. Scripts
must be designed to filter out special characters such as the single quote (`), slash
(/), backslash (\), and double quote (“) characters, or this will quickly be taken
advantage of.A front-end permitting the passing of special characters to a
database will permit the execution of arbitrary commands, usually with the permission
of the database daemons.
Poorly designed front-ends are a different story. A poorly designed front-end
will permit a user to interact and manipulate the database in a number of ways.
This can allow an attacker to view arbitrary tables, perform SQL commands, or
even arbitrarily drop tables.These risks are nothing new, but the problems continue
to occur.
Database Software
Database software is an entirely different collection of problems. A database is
only as secure as the software it uses—oftentimes, that isn’t particularly reassuring.
52 Chapter 2 • Classes of Attack
For example,Oracle has database software available for several different platforms.
A vulnerability in the 8.1.5 through 8.1.7 versions of Oracle was discovered
by Nishad Herath and Brock Tellier of Network Associates COVERT Labs.
The problem they found was specifically in the TNS Listener program used with
For the unacquainted,TNS Listener manages and facilitates connections to
the database. It does so by listening on an arbitrary data port, 1521/TCP in
newer versions, and waiting for incoming connections. Once a connection is
received, it allows a person with the proper credentials to log into a database.
The vulnerability, exploited by sending a maliciously crafted Net8 packet to
the TNS Listener process, allows an attacker to execute arbitrary code and gain
local access on the system. For UNIX systems, this bug was severe, because it
allowed an attacker to gain local access with the permissions of the Oracle user.
For Windows systems, this bug was extremely severe, because it allowed an
attacker to gain local access with LocalSystem privileges, equivalent to administrative
access.We discuss code execution in the next section.
Oracle is not the only company with the problem described in this section.
Browsing various exploit collections or the SecurityFocus vulnerability
database, one can discover vulnerabilities in any number of
database products, such as MySQL and Microsoft SQL. And although this
may lead to the knee-jerk reaction of drawing conclusions about which
product is more secure, do not be fooled. The numbers are deceptive,
because these are only the known vulnerabilities.
Database Permissions
Finally, we discuss database permissions.The majority of these databases can use
their own permission schemes separate from the operating system. For example,
version 6.5 and earlier versions of Microsoft’s SQL Server can be configured to
use standard security, which means they use their internal login validation process
and not the account validation provided with the operating system. SQL Server
ships with a default system administrator account named SA that has a default
null password.This account has administrator privileges over all databases on the
entire server. Database administrators must ensure that they apply a password to
the SA account as soon as they install the software to their server.
Databases on UNIX can also use their own permission schemes. For example,
MySQL maintains its own list of users separate from the list of users maintained
by UNIX. MySQL has an account named root (which is not to be confused with
the operating system’s root account) that, by default, does not have a password. If
you do not enter a password for MySQL’s root account, then anyone can connect
with full privileges by entering the following command:
mysql –u root
If an individual wanted to change items in the grant tables and root was not
passworded, she could simply connect as root using the following command:
mysql –u root mysql
Even if you assign a password to the MySQL root account, users can connect
as another user by simply substituting the other person’s database account name
in place of their own after the –u if you have not assigned a password to that particular
MySQL user account. For this reason, assigning passwords to all MySQL
users should be a standard practice in order to prevent unnecessary risk.

7 Strategies To Make Room For Money

Laws of the Attraction notwithstanding, there are several external ways that you can make room for more money in your life.
Yes, there are those of you who can manifest whateveryou want, whenever you want. This article is for those of you who may need just a few extra tools.
First, it is vital to create a space that can be filled with what you really want.
Start by going through your closets. Remove every articleof clothing, shoes, and purses you have not worn in at least a year.

How do you know what to get rid of?

Use the following as a guide:

1. Use your intuition. Trust it.
2. Ask yourself if you love it.
3. Does it fit?
4. Do you use it?
5. Do you need it?
6. What memories does it bring up?
7. Again, use your intuition.

Take all of these clothes, shoes and purses to your local resale store. You will start receiving money immediately.
Bonus feature: The space you have created will now be filled with what you really want. Be patient.
Second, go through every drawer in your home and remove all the junk.

You know what junk is ?

Plastic forks from takeout; rubber bands and plastic bagsyou are saving for some reason.
Men (and women!) go to the garage.

- How many screwdrivers do you really need?

- How many cans of old, unused paint are taking up space?

Clean out the garage and only put back in what you use.
Sell the rest at a garage sale or give to the Goodwill.
There, you have a tax credit as well as money.
Clean out your office desk. Throw away any document that isunnecessary.
I know, you are afraid you will throw something awayyou may need in the future.
Well, I understand.
Create as much order as possible in your home, garage and office. If you are a creative individual, this may be difficult as creative types are visual and like to see things. Make it work for you.
As you eliminate all this junk, you will start feeling a sense of satisfaction, accomplishment and freedom.
If you do not have these feelings, you are not yet ready to make room for money I your life.
Your desire and your feelings must be in alignment.
You may also have feelings of fear and doubt. Learn totrust yourself and allow the process to work for you.

Third, sit down and make a list of all the people you do not have a great relationship with.
This list includes people you have judged, blamed or criticized. This same list includes people who have judged blamed or criticized you!
Visualize each individual, and, as you do, forgive them.
Forgiveness is one of the most important tools for makingmoney in your life. Generate appreciation towards these individuals in order to heal yourself.
Eliminate grudges. Grudges contract the body, mind andspirit. Release and let go. Step by step, expansion is on the way.

Fourth, pay your bills on time. It is very important to keepyour money agreements, so pay your bills graciously.If you avoid paying certain obligations because you haveinsuffieienct funds, or are displeased with the service of someone whom you owe money, use visualization.
Bring these people into your mind's eye. Allow your body toexperience negative feelings you may be holding on to.Breathe deeply and look at your resistance. Generateappreciation and love towards these vendors.
You certainly were grateful when you used the card, sobring back that gratitude!
Keep breathing until all discomfort is released; until youcan visualize this person with little emotion or reaction.
If you do not currently have the money for a specific obligation,phone the vendor and explain the situation.
Remember, it is only temporary!
Even the U.S. government will negotiate.
Fifth, act as if you have all the money you want. Notice,I use the word 'want', as opposed to 'need'. You have allthat you need. In order to attract what you want -- the Universal Law of Attraction says it is already there, but the rational mind sometimes butts in-- you must act as if you have all you want.
If you had all the money you wanted, what would you be doing for work, if anything? If you are not doing whatyou love, what brings you joy, money may appear as a slow leak, instead of a gusher.
Present as prosperous a picture as possible. That does notmean you have to spend money.
- Appropriate grooming is cheap.
- Smile more often.
- Indulge yourself with long luxurious baths.
- Create a candle light dinner, even if for one person.
- Look in the mirror and say, " Hey, I like you!."

These simple tools will help you feel and look better. The Universe will look at you and say, "Alright, you've got it! Let's give you a little more."

Sixth, give some money away. Give away what you want more of ? it really works. Tithe clothing items in lieu ofmoney if that feels better. Don't purchase anything newunless you eliminate one item form your home or office.
Give willingly and unconditionally, without expecting toreceive anything in return.
Do it because you can.

Seven, call up your parents. Tell them you love all they have done for you. If you cannot get as far as the love word, express your appreciation. Let them know how you feel in a positive way. If your parents have passed on, write them a letter telling them about all the things andcircumstances you appreciated them for but never hadthe chance to share.
They will see this letter, no matter where they are.
Remember, the Law of Attractions is powerful. It providesyou with whatever you think about, both wanted andunwanted.
Let these seven strategies help you think more clearlyabout how to make room for money in your life.

Identifying Methods of Testing For Vulnerabileties

Testing a system for vulnerabilities is the best way to ensure that the system is, or
is not, vulnerable to a particular problem.Vulnerability testing is a necessary and
mandatory task for anybody involved with the administration or security of
information systems.You can only ensure system security by attempting to break
into your own systems.
Up to this point, we have discussed the different types of vulnerabilities that
may be used to exploit a system. In this section, we discuss the methods of
finding and proving that vulnerabilities exist, including exploit code.We also discuss
some of the methods used in gathering information prior to launching an
attack on a system, such as the use of Nmap.

Validate the Input Text

There’s a strong temptation to look at the XML validation capabilities and decide
that they provide all the input security necessary for data transmitted through
XML documents. Unfortunately, as we’ve seen, it’s all too easy for hackers to
exploit plain-text inconsistencies from one character set to another to launch
attacks against systems that are using well-formed and validated XML. It therefore
falls to the developer to create separate validation routines for data coming into
an application through a validated XML document.
The proper approach is to break the problem of verification into a number of
discrete steps. First in order, though last in our examination, are formal validation
of the foundation data definition documents through DTD and Schema validating
parsers. Next comes treatment of the input stream as it is received into the
application. Ensuring that each input character is valid within the definition of
the language and that each is decoded according to a mapping agreed to by all
the components of the application is the crucial next step. Finally, requiring each
properly decoded entry to fall within logical bounds of the application helps
weed out both malicious programming mischief and the unintended consequences
of human error.

Remote Privilege Elevation

Remote privilege elevation can be classified to fall under one of two categories.
The first category is remote unprivileged access, allowing a remote user unauthorized
access to a system as a regular user.The second type of remote privilege
elevation is instantaneous administrative access.
A number of different vectors can allow a user to gain remote access to a
system.These include topics we have previously discussed, such as the filtering of
special characters by Web interfaces, code execution through methods such as
buffer overflows or format string bugs, or through data obtained from information
leakage. All of these problems pose serious threats, with the end result being
potential disaster.
Remote Unprivileged User Access
Remote privilege elevation to an unprivileged user is normally gained through
attacking a system and exploiting an unprivileged process.This is defined as an
elevation of privileges mainly because the attacker previously did not have access
to the local system, but does now. Some folks may scoff at this idea, as I once did.
David Ahmad, the moderator of Bugtraq, changed my mind.
One night over coffee, he and I got on the topic of gaining access to a
system.With my history of implementing secure systems, I was entirely convinced
that I could produce systems that were near unbreakable, even if an attacker were
to gain local access. I thought that measures such as non-executable stacks,
restricted shells, chrooted environments, and minimal setuid programs could keep
an attacker from gaining administrative access for almost an eternity. Later on that
evening, Dave was kind enough to show me that I was terribly, terribly wrong.
Attackers can gain local, unprivileged access to a system through a number of
ways. One way is to exploit an unprivileged service, such as the HTTP daemon,
a chrooted process, or another service that runs as a standard user.Aside from
remotely executing code to spawn a shell through one of these services, attackers
can potentially gain access through other vectors. Passwords gained through ASP
source could lead to an attacker gaining unprivileged access under some circumstances.
A notorious problem is, as we discussed previously, the lack of specialcharacter
filtering by Web interfaces. If an attacker can pass special characters
through a Web interface, the attacker may be able to bind a shell to a port on the
system. Doing so will not gain the attacker administrative privileges, but it will
gain the attacker access to the system with the privileges of the HTTP process.
Once inside, to quote David Ahmad,“it’s only a matter of time.”
Remote Privileged User Access
Remote privileged user access is the more serious of the two problems. If a
remote user can obtain access to a system as a privileged user, the integrity of the
system is destined to collapse. Remote privileged user access can be defined as an
attacker gaining access to a system with the privileges of a system account.These
accounts include uucp, root, bin, and sys on UNIX systems, and Administrator or
LocalSystem on Windows 2000 systems.
The methods of gaining remote privileged user access are essentially the same
as those used to gain unprivileged user attacks. A few key differences separate the
two, however. One difference is in the service exploited.To gain remote access as
a privileged user, an attacker must exploit a service that runs as a privileged user.
The majority of UNIX services still run as privileged users. Some of these,
such as telnet and SSH, have recently been the topic of serious vulnerabilities.
The SSH bug is particularly serious.The bug, originally discovered by Michal
Zalewski, was originally announced in February of 2001. Forgoing the deeply
technical details of the attack, the vulnerability allowed a remote user to initiate a
malicious cryptographic session with the daemon. Once the session was initiated,
the attacker could exploit a flaw in the protocol to execute arbitrary code, which
would run with administrative privileges, and bind a shell to a port with the
effective userid of 0.
Likewise, the recent vulnerability in Windows 2000 IIS made possible a
number of attacks on Windows NT systems. IIS 5.0 executes with privileges
equal to that of the Administrator.The problem was a buffer overflow in the
ISAPI indexing infrastructure of IIS 5.0.This problem made possible numerous
intrusions, and the Code Red worm and variants.
Remote privileged user access is also the goal of many Trojans and backdoor
programs. Programs such as SubSeven, Back Orifice, and the many variants produced
can be used to allow an attacker remote administrative privileges on an
infected system.The programs usually involve social engineering, broadly defined
as using misinformation or persuasion to encourage a user to execute the program.
Though the execution of these programs do not give an attacker elevated
privileges, the use of social engineering by an attacker to encourage a privileged
user to execute the program can allow privileged access. Upon execution, the
attacker needs simply to use the method of communication with the malicious
program to watch the infected system, perform operations from the system, and
even control the users ability to operate on the system.
Other attacks may gain a user access other than administrative, but privileged
nonetheless. An attacker gaining this type of access is afforded luxuries over the
standard user, because this allows the attacker access to some system binaries, as
well as some sensitive system facilities. A user exploiting a service to gain access as
a system account other than administrator or root will likely later gain administrative
privileges. These same concepts may also be applied to gaining local privilege elevation.
Through social engineering or execution of malicious code, a user with local
unprivileged access to a system may be able to gain elevated privileges on the
local host.

Adventerous Journey

Its me who is driving my RAPTOR(Pulsar 180-dtsi). On the way to Tada falls driving in the speed of 120km/hr. It is a real pleasure to drive in that bypass road with smooth surface.

These waterfalls are better known as Tada falls but actual place is in Ubbalamadugu in Chittore district, Andhra pradesh, India. Tada is a place in Nellore district.

These roads are approximately 90-100kms distance by road from Chennai, where i live.

It is advised to take a person who knows well about this falls, as people visit very rarely this place,the route is difficult.

The guy who is standing in the middle is living in Gumidipundi which s 40Kms from the falls towards Chennai. He will visit this place often so he had a good knowledge of it.

These are my friends having lots of fun in the crystal clear water. We reached here safely in combination of bike ,car n walk.

After trekking the hilly area, we reached a small Siva temple, 3 KM distance from the forest gate. Next to the temple we saw the stream and found
few guys who decided to stop thereonly.

We crossed the stream. From there , We started climbing the hill. Somebody told us the falls are around 2 KM from there. The way is very rocky and steep. We had to cross the stream again and again. Lot of boulders are submerged in the water and we crossed the stream over them. In between we saw a beautiful mini waterfall. it is excellent. while crossing over that,I fell down in water. It took almost 15 minutes find out how to step from one big rock on to other.

After climbing over the rocks of mini falls, we trekked further. Finally we could spot the main waterfalls, seperated by a mini lake. Carefully

we stepped on a submerged wooden log and reached the main water falls. The waterfall is very exciting. We spent an hour there and took lunch .

We wanted to findout from where the water is coming to the falls. Is it a lake above the falls or a stream coming from some other place? We found a steep 20 Ft. high rocky walls. One can reach the top of water falls after climbing that only. I felt disappointed as I cannot climb that height. I got a bag with me and already my left hand was paining ( as earlier I slipped down into the stream from the rocks).

While climbing up we had lots of fun. We enjoyed a lot there. Such a nice place it is.. But this didnt last any more. While we return back to our bike and car through which we traveled we found many of our belongings missing. To prevent things getting damaged in water and when we walk in the rocks we kept our cell phones ,watches , wallets etc.. in our car. As i said earlier it is the place for ultimate fun but its not safe. Somebody have broken the car window glass n took everything(5 cell phones, cash 1000, watch, a spectacle etc..). So be careful my friends.. Have fun wit care...


Phew!!! Finally the long waited car THE WORLD”S CHEAPEST CAR - NANO was unveiled by the TATA in the presence of minister kamal nath .

TATA's nano  - world's cheapest carThe pic on your left of the screen is the the worlds cheapest car named NANO which cost just 1 lakh rupees and the on road price would be just 1,20000.Well, ISn’t that unbelievably cheap . The main motive of a car being modeled for a cheap price like this was to attract the middle class population which other wise wouldn’t have even thought of buying a car.

tata nano Wow,doesn’t the car looks amazing .

You can have a look at the specifications of TATA’s NANO here

Records Held by Sachin Tendulkar

1. Highest Run scorer in the ODI
Most number of hundreds in the ODI 41
Most number of nineties in the ODI
Most number of man of the matches(56) in the ODI's
Most number of man of the series(14) in ODI's
Best average for man of the matches in ODI's
First Cricketer to pass 10000 run in the ODI
First Cricketer to pass 15000 run in the ODI
He is the highest run scorer in the world cup (1,796 at an average of 59.87 as on 20 March 2007)
Most number of the man of the matches in the world cup
Most number of runs 1996 world cup 523 runs in the 1996 Cricket World Cup at an average of 87.16
Most number of runs in the 2003 world cup 673 runs in 2003 Cricket World Cup, highest by any player in a single Cricket World Cup
He was Player of the World Cup Tournament in the 2003 Cricket World Cup.
Most number of Fifties in ODI's 87
Appeared in Most Number of ODI's 407
He is the only player to be in top 10 ICC ranking for 10 years.
Most number of 100's in test's 38
He is one of the three batsmen to surpass 11,000 runs in Test cricket, and the first Indian to do so
He is thus far the only cricketer to receive the Rajiv Gandhi Khel Ratna, India 's highest sporting honor
In 2003, Wisden rated Tendulkar as d No. 1 and Richards at No. 2 in all time Greatest ODI player
In 2002, Wisden rated him as the second greatest Test batsman after Sir Donald Bradman.
he was involved in unbroken 664-run partnership in a Harris Shield game in 1988 with friend and team mate Vinod Kambli,
Tendulkar is the only player to score a century in all three of his Ranji Trophy, Duleep Trophy and Irani Trophy debuts
In 1992, at the age of 19, Tendulkar became the first overseas born player to represent Yorkshire
Tendulkar has been granted the Rajiv Gandhi Khel Ratna, Arjuna Award and Padma Shri by Indian government. He is the only Indian cricketer to get all of them.
Tendulkar has scored over 1000 runs in a calendar year in ODI's 7 times
Tendulkar has scored 1894 runs in calendar year in ODI's most by any batsman
He is the highest earning cricketer in the world
He has the least percentage of the man of the matches awards won when team looses a match.. Out of his 56 man of the match awards only 5 times India has lost.
Tendulkar most number man of match awards(10) against Australia
In August of 2003, Sachin Tendulkar was voted as the "Greatest Sportsman" of the country in the sport personalities category in the Best of India poll conducted by Zee News.
In November 2006, Time magazine named Tendulkar as one of the Asian Heroes.
In December 2006, he was named "Sports person of the Year
The current India Poised campaign run by The Times of India has nominated him as the Face of New India next to the likes of Amartya Sen and Mahatma Gandhi among others.
Tendulkar was the first batsman in history to score over 50 centuries in international cricket
Tendulkar was the first batsman in history to score over 75 centuries in international cricket:79 centuries
Has the most overall runs in cricket, (ODIs+Tests+Twenty20s), as of 30 June 2007 he had accumulated almost 26,000 runs overall.
Is second on the most number of runs in test cricket just after Brian Lara
Sachin Tendulkar with Sourav Ganguly hold the world record for the maximum number of runs scored by the opening partnership. They have put together 6,271 runs in 128 matches
The 20 century partnerships for opening pair with Sourav Ganguly is a world record
Sachin Tendulkar and Rahul Dravid hold the world record for the highest partnership in ODI matches when they scored 331 runs against New Zealand in 1999
Sachin Tendulkar has been involved in six 200 run partnerships in ODI matches - a record that he shares with Sourav Ganguly and Rahul Dravid
Most Centuries in a calendar year: 9 ODI centuries in 1998
Only player to have over 100 innings of 50+ runs (41 Centuries and 87 Fifties)(as of 18th Nov, 2007)
the only player ever to cross the 13,000-14,000 and 15,000 run marks IN ODI.
Highest individual score among Indian batsmen (186* against New Zealand at Hyderabad in 1999).
The score of 186* is listed the fifth highest score recorded in ODI matches
Tendulkar has scored over 1000 ODI runs against all major Cricketing nations.
Sachin was the fastest to reach 10,000 runs taking 259 innings and has the highest batting average among batsmen with over 10,000 ODI runs
Most number of Stadium Appearances: 90 different Grounds
Consecutive ODI Appearances: 185
On his debut, Sachin Tendulkar was the second youngest debutant in the world
When Tendulkar scored his maiden century in 1990, he was the second youngest to score a century
Tendulkar's record of five test centuries before he turned 20 is a current world record
Tendulkar holds the current record (217 against NZ in 1999/00 Season) for the highest score in Test cricket by an Indian when captaining the side
Tendulkar has scored centuries against all test playing nations.[7] He was the third batman to achieve the distinction after Steve Waugh and Gary Kirsten
Tendulkar has 4 seasons in test cricket with 1000 or more runs - 2002 (1392 runs), 1999 (1088 runs), 2001 (1003 runs) and 1997 (1000 runs).[6] Gavaskar is the only other Indian with four seasons of 1000+ runs
He is second most number of seasons with over 1000 runs in world.
On 3 January 2007 Sachin Tendulkar (5751) edged past Brian Lara's (5736) world record of runs scored in Tests away from home
Tendulkar and Brian Lara are the fastest to score 10,000 runs in Test cricket history. Both of them achieved this in 195 innings
Second Indian after Sunil Gavaskar to make over 10,000 runs in Test matches
Became the first Indian to surpass the 11,000 Test run mark and the third International player behind Allan Border and Brian Lara.
Tendulkar is fourth on the list of players with most Test caps. Steve Waugh (168 Tests), Allan Border (158 Tests), Shane Warne (145 Tests) have appeared in more games than Tendulkar
Tendulkar has played the most number of Test Matches(144) for India (Kapil Dev is second with 131 Test appearances).
First to 25,000 international runs
Tendulkar's 25,016 runs in international cricket include 14,537 runs in ODI's, 10,469 Tests runs and 10 runs in the lone Twenty20 that India has played.
On December 10, 2005, Tendulkar made his 35th century in Tests at Delhi against Sri Lanka . He surpassed Sunil Gavaskar's record of 34 centuries to become the man with the most number of hundreds in Test cricket.
Tendulkar is the only player who has 150 wkts and more than 15000 runs in ODI
Tendulkar is the only player who has 40 wkts and more than 11000 runs in Tests
Only batsman to have 100 hundreds in the first class cricket

Roles of a Hacker

>A hacker can be and is perceived as many things, including: A criminal, a
magician, a security professional, a cyber warrior, a consumer’s rights
activist, or a civil rights activist to name a few.
>How can you prevent break-ins to your system if you don’t know how
they are accomplished? How do you test your security measures? How
do you make a judgment about how secure a new system is? The answer
is by being a skilled hacker yourself. Knowing how to break into things,
helps developers create more secure systems and programs by being
intimately aware of the type of breaches and techniques that exist.
>Hackers who tout themselves as a consumer advocates believe that by
releasing security breaches to the general public, this forces corporations
and technology providers to fix potentially damaging errors more
>A civil rights hactivist is normally an individual who is concerned with
the sentencing of computer hackers. For example, two hackers break
into the same system. One breaks in just to break in and notify the
organization, the other breaks in and steals valuable and proprietary data.
Should they be given similar sentences?
>Another type of civil rights hactivist is concerned with cryptography
standards and copyright law.


The concept of misinformation can present itself in many ways. Let’s go back to
the military scenario. Suppose that guards are posted at various observation points
in the field, and one of them observes the enemy’s reconnaissance team.The
guard alerts superiors, who send out their own reconnaissance team to find out
exactly who is spying on them.
Now, you can guess that the enemy general has already thought about this
scenario. Equally likely, he has also considered his options. He could hide all of
his troops and make it appear as if nobody is there.“But what if somebody saw
my forces entering the area” would be his next thought. And if the other side
were to send a “recon” team to scope out his position and strength, discovering
his army greater than theirs, they would likely either fortify their position, or
move to a different position where they would be more difficult to attack, or
where they could not be found.
Therefore, he wants to make his forces seem like less of a threat than they
really are. He hides his heavy weapons, and the greater part of his infantry, while
allowing visibility of only a small portion of his force.This is the same idea
behind misinformation.
Standard Intrusion Procedure
The same concept of misinformation applies to systems.When an attacker has
compromised a system, much effort is made to hide her presence and leave as
much misinformation as possible. Attackers do this in any number of ways.
One vulnerability in Sun Solaris can be taken advantage of by an attacker to
send various types of misinformation.The problem is due to the handling of
ACLs on pseudo-terminals allocated by the system. Upon accessing a terminal,
the attacker could set an access control entry, then exit the terminal.When
another user accessed the system using the same terminal, the previous owner of
the terminal would retain write access to the terminal, allowing the previous
owner to write custom-crafted information to the new owner’s terminal.The
following sections look at some of the methods used.
Log Editing
One method used by an attacker to send misinformation is log editing.When an
attacker compromises a system, the desire is to stay unnoticed and untraceable as
long as possible. Even better is if the attacker can generate enough noise to make
the intrusion unnoticeable or to implicate somebody else in the attack.
Let’s go back to the previous discussion about DoS.We talked about generating
events to create log entries. An attacker could make an attempt to fill the
log files, but a well-designed system will have plenty of space and a log rotation
facility to prevent this. Instead, the attacker could resort to generating a large
amount of events in an attempt to cloak their activity. Under the right circumstances,
an attacker could create a high volume of various log events, causing one
or more events that look similar to the entry made when an exploit is initiated.
If the attacker gains administrative access on the system, any hopes of log
integrity are lost.With administrative access, the attacker can edit the logs to
remove any event that may indicate intrusion, or even change the logs to implicate
another user in the attack. In the event of this happening, only outside systems
that may be collecting system log data from the compromised machine or
network intrusion detection systems may offer data with any integrity.
Some tools include options to generate random data and traffic.This random
data and traffic is called noise, and is usually used as either a diversionary tactic or
an obfuscation technique. Noise can be used to fool an administrator into
watching a different system or believing that a user other than the attacker, or
several attackers, are launching attacks against the system.
The goal of the attacker editing the logs is to produce one of a few effects. One
effect would be the state of system well-being, as though nothing has happened.
Another effect would be general and total confusion, such as conflicting log entries
or logs fabricated to look as though a system process has gone wild—as said earlier,
noise. Some tools, such as Nmap, include decoy features.The decoy feature can
create this effect by making a scan look as though it is coming from several different
Another means of misinformation is the rootkit. A rootkit is a ready-made program
designed to hide an attacker’s activities inside a system. Several different
types of rootkits exist, all with their own features and flaws. Rootkits are an
attacker’s first choice for keeping access to a system on a long-term basis.
A rootkit works by replacing key programs on the system, such as ls, df, du, ps,
sshd, and netstat on UNIX systems, or drivers, and Registry entries on Windows
systems.The rootkit replaces these programs, and possibly others with the programs
it contains, which are customized to not give administrative staff reliable
details. Rootkits are used specifically to cloak the activity of the attacker and hide
his presence inside the system.
These packages are specifically designed to create misinformation.They create
an appearance of all being well on the system. In the meantime, the attacker controls
the system and launches attacks against new hosts, or he conducts other
nefarious activities.
Kernel Modules
Kernel modules are pieces of code that may be loaded and unloaded by a running
kernel. A kernel module is designed to provide additional functionality to a
kernel when needed, allowing the kernel to unload the module when it is no
longer needed to lighten the memory load. Kernel modules can be loaded to
provide functionality such as support of a non-native file system or device control.
Kernel modules may also have facinorous purposes.
Malicious kernel modules are similar in purpose to rootkits.They are
designed to create misinformation, leading administrators of a system to believe
that all is well on the host.The module provides a means to cloak the attacker,
allowing the attacker to carry out any desired deeds on the host.
The kernel module functions in a different way from the standard rootkit.
The programs of the rootkit act as a filter to prevent any data that may be
incriminating from reaching administrators.The kernel module works on a much
lower level, intercepting information queries at the system call level, and filtering
out any data that may alert administrative staff to the presence of unauthorized guests.This allows an attacker to compromise and backdoor a system without the
danger of modifying system utilities, which could lead to detection.
Kernel modules are becoming the standard in concealing intrusion. Upon
intrusion, the attacker must simply load the module, and ensure that the module
is loaded in the future by the system to maintain a degree of stealth that is difficult
to discover. From that point on, the module may never be discovered unless
the drive is taken offline and mounted under a different instance of the operating

Regular File Access
Regular file access can give an attacker several different means from which to
launch an attack. Regular file access may allow an attacker to gain access to sensitive
information, such as the usernames or passwords of users on a system, as we
discussed briefly in the “Information Leakage” section. Regular file access could
also lead to an attacker gaining access to other files in other ways, such as
changing the permissions or ownership of a file, or through a symbolic link attack.
One of the easiest ways to ensure the security of a file is to ensure proper permissions
on the file.This is often one of the more overlooked aspects of system security.
Some single-user systems, such as the Microsoft Windows 3.1/95/98/ME
products, do not have a permission infrastructure. Multiuser hosts have at least one,
and usually several means of access control.
For example, UNIX systems and some Windows systems both have users and
groups. UNIX systems, and Windows systems to some extent, allow the setting of
attributes on files to dictate what user, and what group have access to perform
certain functions with a file. A user, or the owner of the file, may be authorized
complete control over the file, having read, write, and execute permission over
the file, while a user in the group assigned to the file may have permission to
read, and execute the file. Additionally, users outside of the owner and group
members may have a different set of permissions, or even no permissions at all.
Many UNIX systems, in addition to the standard permission set of owner,
group, and world, include a more granular method of allowing access to a file.
These infrastructures vary in design, offering something as simple as the capability
to specify which users have access to a file, to something as complex as assigning
a member a role to allow a user access to a variety of utilities.The Solaris operating
system has two such examples: Role-Based Access Control (RBAC), and
Access Control Lists (ACLs). ACLs allow a user to specify which particular system users are permitted access to a file.The access list is tied to the owner and the group membership. It
additionally uses the same method of permissions as the standard UNIX permission
infrastructure. RBAC is a complex tool, providing varying layers of permission. It is customizable, capable of giving a user a broad, general role to perform functions
such as adding users, changing some system configuration variables, and the like.
It can also be limited to giving a user one specific function.As we shall see later,
the concept can be used in the general sense to keep code from going places it
shouldn’t be playing in.
Symbolic Link Attacks
Symbolic link attacks are a problem that can typically be used by an attacker to
perform a number of different functions.They can be used to change the permissions
on a file.They can also be used to corrupt a file by appending data to it or
by overwriting a file completely, destroying the contents.
Symbolic link attacks are often launched from the temporary directory of a
system.The problem is usually due to a programming error.When a vulnerable
program is run, it creates a file with one of a couple attributes that make it vulnerable
to being attacked.
One attribute making the file vulnerable is permissions. If the file has been created
with insecure permissions, the system will allow an attacker to alter it.This will
permit the attacker to change the contents of the temporary file.Depending on the
design of the program, if the attacker is able to alter the temporary file, any input
placed in the temporary file could be passed to the user’s session.
Another attribute making the file vulnerable is the creation of insecure temporary
files. In a situation where a program does not check for an existing file
before creating it, and a user can guess the name of a temporary file before it is
created, this vulnerability may be exploited.The vulnerability is exploited by creating
a symbolic link to the target file, using a guessed file name that will be used
in the future.The following example source code shows a program that creates a
predictable temporary file:
/* lameprogram.c - Hal Flynn */
/* does not perform sufficient checks for a */
/* file before opening it and storing data */
int main()
char a[] = "This is my own special junk data storage.\n";
char junkpath[] = "/tmp/junktmp";
FILE *fp;
fp = fopen(junkpath, "w");
fputs(a, fp);
This program creates the file /tmp/junktmp without first checking for the
existence of the file.
When the user executes the program that creates the insecure temporary file,
if the file to be created already exists in the form of a symbolic link, the file at
the end of the link will be either overwritten or appended.This occurs if the user
executing the vulnerable program has write-access to the file at the end of the
symbolic link. Both of these types of attacks can lead to an elevation of privileges.

Information Leakage

Information leakage can be likened to leaky pipes.Whenever something comes
out, it is almost always undesirable and results in some sort of damage.
Information leakage is typically an abused resource that precludes attack. In the
same way that military generals rely on information from reconnaissance troops
that have penetrated enemy lines to observe the type of weapons, manpower, supplies,
and other resources possessed by the enemy, attackers enter the network to
perform the same tasks, gathering information about programs, operating systems,
and network design on the target network.
Service Information Leakage
Information leakage occurs in many forms. Banners are one example. Banners are
the text presented to a user when they attempt to log into a system via any one
of the many services. Banners can be found on such services as File Transfer
Protocol (FTP), secure shell (SSH), telnet, Simple Mail Transfer Protocol (SMTP),
and Post Office Protocol 3 (POP3). Many software packages for these services
happily yield version information to outside users in their default configuration.
Another similar problem is error messages. Services such as Web servers yield
more than ample information about themselves when an exception condition is
created. An exception condition is defined by a circumstance out of the ordinary,
such as a request for a page that does not exist, or a command that is not recognized.
In these situations, it is best to make use of the customizable error configurations
supplied, or create a workaround configuration. Observe Figure 2.4 for a
leaky error message from Apache.
Protocol Information Leakage
In addition to the previously mentioned cases of information leakage, there is also
what is termed protocol analysis. Protocol analysis exists in numerous forms. One
type of analysis is using the constraints of a protocol’s design against a system to
yield information about a system. Observe this FTP system type query:
elliptic@ellipse:~$ telnet 21
Connected to
Escape character is '^]'.
220 parabola FTP server (Version: 9.2.1-4) ready.
215 UNIX Type: L8 Version: SUNOS
Figure 2.4 An HTTP Server Revealing Version Information
40 Chapter 2 • Classes of Attack
This problem also manifests itself in such services as HTTP. Observe the
leakage of information through the HTTP HEAD command:
elliptic@ellipse:~$ telnet 80
Connected to
Escape character is '^]'.
HTTP/1.1 200 OK
Date: Wed, 05 Dec 2001 11:25:13 GMT
Server: Apache/1.3.22 (Unix)
Last-Modified: Wed, 28 Nov 2001 22:03:44 GMT
ETag: "30438-44f-3c055f40"
Accept-Ranges: bytes
Content-Length: 1103
Connection: close
Content-Type: text/html
Connection closed by foreign host.
Attackers also perform protocol analysis through a number of other methods.
One such method is the analysis of responses to IP packets, an attack based on
the previously mentioned concept, but working on a lower level. Automated
tools, such as the Network Mapper, or Nmap, provide an easy-to-use utility
designed to gather information about a target system, including publicly reachable
ports on the system, and the operating system of the target. Observe the
output from an Nmap scan:
elliptic@ellipse:~$ nmap -sS -O
Starting nmap V. 2.54BETA22 ( )
Interesting ports on (
(The 1533 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
Remote operating system guess: Solaris 2.6 - 2.7
Uptime 5.873 days (since Thu Nov 29 08:03:04 2001)
Nmap run completed -- 1 IP address (1 host up) scanned in 67 seconds
First, let’s explain the flags (also known as options) used to scan parabola.The sS
flag uses a SYN scan, exercising half-open connections to determine which ports
are open on the host.The O flag tells Nmap to identify the operating system, if
possible, based on known responses stored in a database.As you can see, Nmap was
able to identify all open ports on the system, and accurately guess the operating
system of parabola (which is actually a Solaris 7 system running on a Sparc).
All of these types of problems present information leakage, which could lead
to an attacker gaining more than ample information about your network to
launch a strategic attack.
Leaky by Design
This overall problem is not specific to system identification. Some programs happily
and willingly yield sensitive information about network design. Protocols
such as Simple Network Management Protocol (SNMP) use clear text communication
to interact with other systems.To make matters worse, many SNMP
implementations yield information about network design with minimal or easily
guessed authentication requirements, ala community strings.
Sadly, SNMP is still commonly used. Systems such as Cisco routers are
capable of SNMP. Some operating systems, such as Solaris, install and start SNMP
facilities by default. Aside from the other various vulnerabilities found in these
programs, their default use is plain bad practice.
Leaky Web Servers
We previously mentioned some Web servers telling intrusive users about themselves
in some scenarios.This is further complicated when things such as PHP,
Common Gateway Interface (CGI), and powerful search engines are used. Like
any other tool, these tools can be used in a constructive and creative way, or they
can be used to harm.
Things such as PHP, CGI, and search engines can be used to create interactive
Web experiences, facilitate commerce, and create customizable environments for
users.These infrastructures can also be used for malicious deeds if poorly
designed. A quick view of the Attack Registry and Intelligence Service (ARIS)
shows the number three type of attack as the “Generic Directory Traversal
Attack” (preceded only by the ISAPI and cmd.exe attacks, which, as of the time
of current writing, are big with the Code Red and Nimda variants).This is, of
course, the dot-dot (..) attack, or the relative path attack (…) exercised by
including dots within the URL to see if one can escape a directory and attain a
listing, or execute programs on the Web server.
Scripts that permit the traversal of directories not only allow one to escape
the current directory and view a listing of files on the system, but they allow an
attacker to read any file readable by the HTTP server processes ownership and
group membership.This could allow a user to gain access to the passwd file in
/etc or other nonprivileged files on UNIX systems, or on other implementations,
such as Microsoft Windows OSs, which could lead to the reading of (and, potentially,
writing to) privileged files.Any of the data from this type of attack could
be used to launch a more organized, strategic attack.Web scripts and applications
should be the topic of diligent review prior to deployment.
A Hypothetical Scenario
Other programs, such as Sendmail, will in many default implementations yield
information about users on the system.To make matters worse, these programs
use the user database as a directory for e-mail addresses. Although some folks may
scoff at the idea of this being information leakage, take the following example
into account.
A small town has two Internet service providers (ISPs). ISP A is a newer ISP,
and has experienced a significant growth in customer base. ISP B is the older ISP
in town, with the larger percentage of customers. ISP B is fighting an all-out war
with ISP A, obviously because ISP A is cutting into their market, and starting to gain ground on ISP B. ISP A, however, has smarter administrators that have taken
advantage of various facilities to keep users from gaining access to sensitive information,
using tricks such as hosting mail on a separate server, using different logins
on the shell server to prevent users from gaining access to the database of mail
addresses. ISP B, however, did not take such precautions. One day, the staff of ISP
A gets a bright idea, and obtains an account with ISP B.This account gives them a
shell on ISP B’s mail server, from which the passwd file is promptly snatched, and
all of its users mailed about a great new deal at ISP A offering them no setup fee
to change providers, and a significant discount under ISP B’s current charges.
As you can see, the leakage of this type of information can not only impact
the security of systems, it can possibly bankrupt a business. Suppose that a company
gained access to the information systems of their competitor.What is to
stop them from stealing, lying, cheating, and doing everything they can to undermine
their competition? The days of Internet innocence are over, if they were
ever present at all.
Why Be Concerned with Information Leakage?
Some groups are not concerned with information leakage.Their reasons for this
are varied, including reasons such as the leakage of information can never be
stopped, or that not yielding certain types of information from servers will break
compliance with clients.This also includes the fingerprinting of systems, performed
by matching a set of known responses by a system type to a table identifying
the operating system of the host.
Any intelligently designed operating system will at least give the option of
either preventing fingerprinting, or creating a fingerprint difficult to identify
without significant overhaul. Some go so far as to even allow the option of
sending bogus fingerprints to overly intrusive hosts.The reasons for this are clear.
Referring back to our previous scenario about military reconnaissance, any group
that knows they are going to be attacked are going to make their best effort to
conceal as much information about themselves as possible, in order to gain the
advantage of secrecy and surprise.This could mean moving, camouflaging, or
hiding troops, hiding physical resources, encrypting communications, and so
forth.This limiting of information leakage leaves the enemy to draw their own
conclusions with little information, thus increasing the margin of error.
Just like an army risking attack by a formidable enemy, you must do your best
to conceal your network resources from information leakage and intelligence gathering.
Any valid information the attacker gains about one’s position and perimeter
gives the attacker intelligence from which they may draw conclusions and fabricate
a strategy. Sealing the leakage of information forces the attacker to take more intrusive
steps to gain information, increasing the probability of detection.

Denial of Service

What is a denial of service (DoS) attack? A DoS attack takes place when availability
to a resource is intentionally blocked or degraded by an attacker. In other
words, the attack impedes the availability of the resource to its regular authorized
users.These types of attacks can occur through one of two vectors: either on the
local system, or remotely from across a network.The attack can concentrate on one
of the following:
■ Degrading processes
■ Degrading storage capability
■ Destroying files to render the resource unusable
■ Shutting down parts of the system or processes
Let’s take a closer look at each of these items.
Local Vector Denial of Service
Local DoS attacks are common, and in many cases, may be preventable.Although
any type of DoS can be frustrating and costly, local denial of service attacks are
typically the most preferable to encounter. Given the right security infrastructure,
these types of attacks are easily traced, and the attacker is easily identified.
Three common types of local denial of service attacks are process degradation,
disk space exhaustion, and index node (inode) exhaustion.
Process Degradation
One local denial of service is the degrading of processes.This occurs when
the attacker reduces performance by overloading the target system, by either
spawning multiple processes to eat up all available resources of the host system,
by spawning enough processes to fill to capacity the system process table, or by
spawning enough processes to overload the central processing unit (CPU).
An example of this type of attack is exhibited through a recent vulnerability
discovered in the Linux kernel. By creating a system of deep symbolic links, a
user can prevent the scheduling of other processes when an attempt to dereference
the symbolic link is made. Upon creating the symbolic links, then
attempting to perform a head or cat of one of the deeply linked files, the process
scheduler is blocked, therefore preventing any other processes on the system from
receiving CPU time.The following is source code of; this shell script will create the necessary links on an affected system (this problem was not fully
fixed until Linux kernel version 2.4.12):
# by Nergal
while [ $I -lt $ELNUM ] ; do
ln -s "$P"l$2 l$IND
#main program
if [ $# != 1 ] ; then
echo A numerical argument is required.
exit 0
mklink 4
mklink 3
mklink 2
mklink 1
mklink 0 /../../../../../../../etc/services
mkdir l5
mkdir l
Another type of local denial of service attack is the fork bomb.This problem is
not Linux-specific, and it affects a number of other operating systems on various
platforms.The fork bomb is easy to implement using the shell or C.
The code for C is as follows:
(main() {for(;;)fork();})
In both of these scenarios, an attacker can degrade process performance with
varying effects—these effects may be as minimal as making a system perform
slowly, or they may be as extreme as monopolizing system resources and causing
a system to crash.
Disk Space Exhaustion
Another type of local attack is one that fills disk space to capacity. Disk space is a
finite resource, though it has always been a supposition by many UNIX programmers
that a lack of hardware is a user problem, not a programming one. In the
past, disk space was an extremely expensive resource, although the current
industry has brought the price of disk storage down significantly.Though you can
solve many of the storage complications with solutions such as disk arrays and
software that monitors storage abuse, disk space will continue to be a bottleneck
to all systems. Software-based solutions such as per-user storage quotas are
designed to alleviate this problem.
This type of attack prevents the creation of new files and the growth of
existing files. An added problem is that some UNIX systems will crash when the
root partition reaches storage capacity. Although this isn’t a design flaw on the
part of UNIX itself, a properly administered system should include a separate
partition for the log facilities, such as /var, and a separate partition for users, such
as the /home directory on Linux systems, or /export/home on Sun systems.
Attackers can use this type of denial of service to crash systems, such as when
a disk layout hasn’t been designed with user and log partitions on a separate slice.
They can also use it to obscure activities of a user by generating a large amount
of events that are logged to via syslog, filling the partition on which logs are
stored and making it impossible for syslog to log any further activity.
Such an attack is trivial to launch. A local user can simply perform the following
cat /dev/zero > ~/maliciousfile
This command will concatenate data from the /dev/zero device file (which
simply generates zeros) into maliciousfile, continuing until either the user stops the
process, or the capacity of the partition is filled.
A disk space exhaustion attack could also be leveraged through such attacks as
mail bombing. Although this is an old ploy, it is not commonly seen in the present
(even with the advent of anonymous remailers).The reasons are perhaps that
mail is easily traced via SMTP headers, and although open relays or remailers can
be used, finding the purveyor of a mail bomb is not rocket science. For this
reason, most mail bombers find themselves either without Internet access, jailed,
or both.
Inode Exhaustion
The last type of local denial of service attack we discuss is inode exhaustion, similar
to the disk capacity attack. Inode exhaustion attacks are focused specifically on
the design of the file system.The term inode is an acronym for the words index
node. Index nodes are an essential part of the UNIX file system.
An inode contains information essential to the management of the file
system.This information includes, at a minimum, the owner of a file, the group
membership of a file, the type of file, the permissions, size, and block addresses
containing the data of the file.When a file system is formatted, a finite number of
inodes are created to handle the indexing of files with that slice.
An inode exhaustion attack focuses on using up all the available inodes for
the partition. Exhaustion of these resources creates a similar situation to that of
the disk space attack, leaving the system unable to create new files.This type of
attack is usually leveraged to cripple a system and prevent the logging of system
events, especially those activities of the attacker.
Network Vector Denial of Service
Denial of service attacks launched via a network vector can essentially be broken
down into one of two categories: an attack that affects a specific service, or an attack
that targets an entire system.The severity and danger of these attacks vary significantly.
These types of attacks are designed to produce inconvenience, and are
often launched as a retaliatory attack.
To speak briefly about the psychology behind these attacks, network vector
denial of service attacks are, by and large, the choice method of cowards.The reasons,
ranging from digital vigilantism to Internet Relay Chat (IRC) turf wars,
matter not. Freely and readily available tools make a subculture (and we borrow
the term coined by Jose Oquendo—also known as sil of fame)
called script kiddiots possible.The term script kiddiot, broken down into base form,
would define script as “a prewritten program to be run by a user,” and kiddiot being a combination of the words kid and idiot. Fitting.The availability of these
tools gives these individuals the power of anonymity and ability to cause a nuisance,
while requiring little or no technical knowledge.The only group with
more responsibility for these attacks than the script kiddiots is the group of professionals
who continue to make them possible through such things as lack of
egress filtering.
Network vector attacks, as mentioned, can affect specific services or an entire
system; depending on who is targeted and why, these types of attacks include
client, service, and system-directed denials of service.The following sections look at
each of these types of denial of service in a little more detail.
Client-Side Network DoS
Client-side denials of service are typically targeted at a specific product.Their purpose
is to render the user of the client incapable of performing any activity with
the client. One such attack is through the use of what’s called JavaScript bombs.
By default, most Web browsers enable JavaScript.This is apparent anytime one
visits a Web site, and a pop-up or pop-under ad is displayed. However, JavaScript
can also be used in a number of malicious ways, one of which is to launch a DoS
attack against a client. Using the same technique that advertisers use to create a
new window with an advertisement, an attacker can create a malicious Web page
consisting of a never-ending loop of window creation.The end result is that so
many windows are “popped up,” the system becomes resource-bound.
This is an example of a client-side attack, denying service to the user by exercising
a resource starvation attack as we previously discussed, but using the network
as a vector.This is only one of many client-side attacks, with others
affecting products such as the AOL Instant Messenger, the ICQ Instant Message
Client, and similar software.
Service-Based Network DoS
Another type of DoS attack launched via networks is service-based attacks. A service-
based attack is intended to target a specific service, rendering it unavailable
to legitimate users.These attacks are typically launched at a service such as a
Hypertext Transfer Protocol Daemon (HTTPD), Mail Transport Agent (MTA), or
other such service that users typically require.
An example of this problem is a vulnerability that was discovered in the Web
configuration infrastructure of the Cisco Broadband Operating System (CBOS).
When the Code Red worm began taking advantage of Microsoft’s Internet Information Server (IIS) 5.0 Web servers the world over, the worm was discovered
to be indiscriminate in the type of Web server it attacked. It would scan networks
searching for Web servers, and attempt to exploit any Web server it
A side effect of this worm was that although some hosts were not vulnerable
to the malicious payload it carried, some hosts were vulnerable in a different way.
CBOS was one of these scenarios. Upon receiving multiple Transmission Control
Protocol (TCP) connections via port 80 from Code Red infected hosts, CBOS
would crash.
Though this vulnerability was discovered as a casualty of another, the problem
could be exploited by a user with one of any readily available network auditing
tools. After attack, the router would be incapable of configuration, requiring a
power-cycling of the router to make the configuration facility available.This is a
classic example of an attack directed specifically at one service.
System-Directed Network DoS
A DoS directed towards a system via the network vector is typically used to produce
the same results as a local DoS: Degrading performance or making the
system completely unavailable.A few approaches are typically seen in this type of
attack, and they basically define the methods used in entirety. One is using an
exploit to attack one system from another, leaving the target system inoperable.
This type of attack was displayed by the land.c, Ping of Death, and teardrop exploits
of a couple years ago, and the various TCP/IP fragmented packet vulnerabilities
in products such as D-Link routers and the Microsoft ISA Server.
Also along this line is the concept of SYN flooding.This attack can be
launched in a variety of ways, from either one system on a network faster than
the target system to multiple systems on large pipes.This type of attack is used
mainly to degrade system performance.The SYN flood is accomplished by
sending TCP connection requests faster than a system can process them.The
target system sets aside resources to track each connection, so a great number of
incoming SYNs can cause the target host to run out of resources for new legitimate
connections.The source IP address is, as usual, spoofed so that when the
target system attempts to respond with the second portion of the three-way
handshake, a SYN-ACK (synchronization-acknowledgment), it receives no
response. Some operating systems will retransmit the SYN-ACK a number of
times before releasing the resources back to the system. One can detect a SYN flood coming from the preceding code by using a
variety of tools, such as the netstat command shown in Figure 2.1, or through
infrastructure such as network intrusion detection systems (IDSs).
On several operating system platforms, using the –n parameter displays
addresses and port numbers in numerical format, and the –p switch allows you to
select only the protocol you are interested in viewing.This prevents all User
Datagram Protocol (UDP) connections from being shown so that you can view
only the connections you are interested in for this particular attack. Check the
documentation for the version of netstat that is available on your operating system
to ensure that you use the correct switches.
Additionally, some operating systems support features such as TCP SYN
cookies. Using SYN cookies is a method of connection establishment that uses
cryptography for security.When a system receives a SYN, it returns a SYN+ACK,
as though the SYN queue is actually larger.When it receives an ACK back from
the initiating system, it uses the recent value of the 32-bit time counter modulus
32, and passes it through the secret server-side function. If the value fits, the
extracted maximum segment size (MSS) is used, and the SYN queue entry rebuilt.
Let’s also look at the topic of smurfing or packeting attacks, which are typically
purveyed by the previously mentioned script kiddiots.The smurf attack performs
a network vector DoS against the target host.This attack relies on an intermediary,
the router, to help, as shown in Figure 2.2.The attacker, spoofing the source
IP address of the target host, generates a large amount of Internet Control
Message Protocol (ICMP) echo traffic directed toward IP broadcast addresses.The
router, also known as a smurf amplifier, converts the IP broadcast to a Layer 2
broadcast and sends it on its way. Each host that receives the broadcast responds
back to the spoofed source IP with an echo reply. Depending on the number of
hosts on the network, both the router and target host can be inundated with
traffic.This can result in the decrease of network performance for the host being
attacked, and depending on the number of amplifier networks used, the target
network becoming saturated to capacity.
The last system-directed DoS attack using the network vector is distributed
denial of service (DDoS).This concept is similar to that of the previously mentioned
smurf attack.The means of the attack, and method of which it is leveraged,
however, is significantly different from that of a smurf attack.
This type of attack depends on the use of a client, masters, and daemons (also
called zombies). Attackers use the client to initiate the attack by using masters,
which are compromised hosts that have a special program on them allowing the
control of multiple daemons. Daemons are compromised hosts that also have a
special program running on them, and are the ones that generate the flow of
packets to the target system.The current crop of DDoS tools includes trinoo,Router
IBM AS/400 IBM 3174 Cray Supercomputer
Attacker sends spoofed ICMP packets to a smurf amplifying network.
Packets enter router, and all hosts on the
network respond to the spoofed source address.
The target machine receives large amounts
of ICMP ECHO traffic, degrading performance.
Tribe Flood Network,Tribe Flood Network 2000, stacheldraht, shaft, and
mstream. In order for the DDoS to work, the special program must be placed
on dozens or hundreds of “agent” systems. Normally an automated procedure
looks for hosts that can be compromised (buffer overflows in the remote procedure
call [RPC] services statd, cmsd, and ttdbserverd, for example), and then
places the special program on the compromised host. Once the DDoS attack
is initiated, each of the agents sends the heavy stream of traffic to the target,
inundating it with a flood of traffic.

Identifying and Understanding

As we mentioned, attacks can be placed into one of a few categories. Attacks can
lead to anything from leaving your applications or systems without the ability to
function, to giving a remote attacker complete control of your systems to do
whatever he pleases.We discuss severity of attacks later in this chapter, placing
them on a line of severity. Let’s first look at the different types of external attacks
and discuss them.
In this section, we examine seven categorized attack types.These seven attack
types are the general criteria used to classify security issues:
Denial of service
Information leakage
Regular file access
Special file/database access
Remote arbitrary code execution
Elevation of privileges