Thursday, 23 December 2010

    What is WINS?

    Not satisfied with DNS, Microsoft invented another naming service for Windows, called WINS (Windows Internet Name Service). WINS is a Windows-specific name service for TCP/IP and is meant for networking geographically distant Windows computers (it typically isn’t used on a local area network). WINS not only maps names of servers but also maps names of workgroups and NT domains.
    It’s unlikely that WINS will be around in the next generation of Windows machines (although it’s still around in Windows 98); Microsoft is taking a page from the competition’s automatic name services and directory services and will be rolling TCP/IP name services together with their username and password services. This will be called Active Directory.
    The notion of a directory is similar to the name services concept, but it goes one step further: Instead of simply resolving a name to a number, directory services offer many pieces of vital data on the network. In particular, directory services allow users from all over to log in to the network rather than into a specific server; each server on the network relies on the directory services to assign security rights, and so on.

    This is terrific because administrators no longer need to update multiple servers with username and password information; instead, they can administer updates from one point and distribute them throughout the network. Although the long-term goal has been simplification, which makes troubleshooting easier, beware of early implementations. Even Novell’s NDS—arguably the “best” directory service around (it’s been around a number of years and has a lot of support)—had a lot of problems out of the gate.
    Some sort of directory service—whether it’s Microsoft’s, Novell’s, or Acme’s—is definitely in your future.

    What is DNS?

    Prologue for this article.
    You’ve probably asked yourself in one of the preceding paragraphs, “How does www.co.chatham.ga.us get translated into 167.195.160.9?” Furthermore, why use names at all? People can deal with phone numbers, why not just use the IP number? These are good questions. The answer to the latter is that just because people can deal with a number doesn’t mean that they prefer to use a number. Which would you rather remember, 1-800-NETWORK or 1-800-638-9675? Obviously, most people prefer to remember a name. Actually, names are the better thing to use when networking, because numerical addresses can change during a reconfiguration or a move, whereas symbolic names typically stay the same.
    Name-to-address translation (also known as name lookup or name resolution) occurs via name services. Very similar to the speed dial button on your phone, name services are the networking equivalent of an electronic phone book. They’re actually a lot cooler than your speed dial: For example, suppose you could say “Mom” to make your phone dial your mother.

    DNS (Domain Name System)
    Name services run as a service on any given name server; that is, a specific program runs on a name server that hands out an address when you give it a name. Like your speed dial buttons, you must program in a name entry; entering the correct number for a given name is important. In particular, TCP/IP name services, although powerful and able to handle millions and millions of names, aren’t exactly plug-and-play. The DNS (Domain Name System) that you use when surfing the Web works pretty automatically for you once it’s configured correctly, and it will translate www.co.chatham.ga.us to 167.195.160.9. However, you’ll need to know the exact number of your DNS server. Unlike telephone information, DNS servers all have different addresses; verifying that a workstation’s DNS server is correct can be an important troubleshooting step.

    Note that most smaller sites that use TCP/IP usually don’t have DNS set up. Instead, each workstation has a local (hard drive) “hosts” file that lists the addresses and host names the workstation needs to get to. (Think of this as your personal phone book rather than the corporate directory.) As you can imagine, this gets hard to manage when you have more than a handful of workstations, unless the addresses of the servers never change. As sites grow, or as they get connected to the Internet, DNS servers are added. Can you imagine how big a single file with all the servers on the Internet would be? Fortunately, each DNS server for a given DNS zone is only responsible for its own information.
    A DNS zone (its scope of responsibility for naming) can be huge—for example, .com has millions of subzones (yahoo.com, jotto.com, and so on); on the other hand, it can be small—for example, feldman.org lists only one host (www.feldman.org) and no subzones.
    With DNS servers getting easier to manage and being a mandatory component of Internet access, you can expect to see more of them in smaller shops as time goes on. It’s worth mentioning that each DNS server is responsible for only its own zone, so if you can’t get to one particular address (say, yahoo.com) but can get to another (say, jotto.com), it may be that the name server responsible for that zone is down. On the Internet at large, this rarely happens, because the DNS organizers require back-up DNS servers for a zone. DNS problems are more likely to happen within a smaller organization’s intranet, particularly when all the eggs for that organization are in one basket.
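    The per-workstation hosts files described above drift apart once a server address changes, and a stale or altered entry silently sends one workstation to the wrong machine. The following is an added example, not part of the original article: it compares hosts files collected from several workstations and reports names that map to different addresses. The workstation names, host names and addresses are constructed, and "first entry for a name wins" is an assumption about the resolver.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts files from three workstations (not from the article).
SAMPLE_HOSTS = {
    "ws1": """\
127.0.0.1    localhost
192.0.2.10   fileserver fs
192.0.2.20   intranet.example.test intranet
""",
    "ws2": """\
127.0.0.1    localhost
192.0.2.10   fileserver
192.0.2.21   intranet.example.test   # server moved; ws1 was never updated
""",
    "ws3": """\
192.0.2.10   FileServer
not-an-ip    broken
""",
}


def parse_hosts(text):
    """Return {lowercased name: address}; the first entry for a name wins (assumed)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # skip lines with a malformed address
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table


def find_drift(hosts_by_workstation):
    """Return {name: {address: [workstations]}} for names that resolve differently."""
    seen = defaultdict(lambda: defaultdict(list))
    for ws, text in sorted(hosts_by_workstation.items()):
        for name, addr in parse_hosts(text).items():
            seen[name][addr].append(ws)
    return {n: dict(a) for n, a in seen.items() if len(a) > 1}


if __name__ == "__main__":
    print(find_drift(SAMPLE_HOSTS))
```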

    Sunday, 12 December 2010

    What is LAN and WAN?

    A LAN is a high-speed, fault-tolerant data network that covers a relatively small geographic area. It typically connects workstations, personal computers, printers, and other devices. LANs offer computer users many advantages, including shared access to devices and applications, file exchange between connected users, and communication between users via electronic mail and other applications.

    A WAN is a data communications network that covers a relatively broad geographic area and often uses transmission facilities provided by common carriers, such as telephone companies. WAN technologies function at the lower three layers of the OSI reference model: the physical layer, the data link layer, and the network layer.

    Friday, 22 October 2010

    TYPES OF DOS ATTACKS

    To be able to perform, find, or protect against DoS activities, you must first understand the basic principles and types of these attacks. Three main types of DoS attacks exist:
    • Consumption of resources, such as bandwidth, hard disk space, CPU resources, and so on
    • Disruption of configuration information, routing, DNS, and other information
    • Direct disruption of network communication between the client and the server
    As information about common DoS attacks has been mentioned in many other Hacking Exposed books, we'll only briefly describe these types of DoS attacks and will then move on to spend more time on Cisco-centric issues. We'll also include details on the methods of stopping DoS attacks on the perimeter of your network using built-in functions of Cisco devices.

    Consumption of Resources

    The bandwidth consumption attack is the most common type of DoS in the world. Many Internet companies such as Yahoo!, eBay, Microsoft, Amazon, and others have experienced downtime and financial losses due to this type of attack.
    This type of attack makes up the majority of distributed denial of service (DDoS) attacks, as well as the early DoS methods of using ping -f floods by attackers with larger Internet pipes than those of their targets. These attacks are more difficult, and sometimes even impossible, to mitigate due to the nature of the protocols on which the Internet is built. However, efficient means of traffic rate control have been implemented by Cisco Systems for routers, and we will review these methods in this chapter.

    CPU resource consumption attacks can be the result of programming flaws found in the TCP/IP stack, server-side services, and other network-interacting software to which attackers can connect. These attacks can usually be rectified by patching the buggy software code using vendor patches.

    Hard disk space consumption occurs when the software or service is tricked into storing excessive amounts of information on the server's storage facility, thus consuming all available storage resources and memory. This will most likely lead to a denial of services for legitimate users and can be rectified by cleaning up the disk space, fixing the buggy software code, and/or rebooting the server. An example of such an attack is the flooding of an unauthenticated syslog server (usually found on port 514/UDP) by junk messages. An attacker can send any information to that port and it will be stored in the system log files. Depending on the attacker's bandwidth and the storage available, this method can be effective in disabling the logging facilities of the server or even the entire enterprise, making attacker tracing and prosecution a very difficult task.
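    One receiver-side mitigation for the syslog disk-exhaustion case above is to cap how many messages per second each source address may have written to the log. The following is an added example, not part of the original text: a per-source token bucket applied to a constructed message stream. The class and function names, addresses, rate and burst values are all assumptions chosen for illustration.

```python
from collections import defaultdict


class SourceRateLimiter:
    """Token bucket per source address: `rate` messages/second, bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = {}                 # source -> tokens left
        self.last = {}                   # source -> timestamp of the last message seen
        self.dropped = defaultdict(int)  # source -> messages refused

    def allow(self, source, now):
        # Refill in proportion to the time since this source last sent, capped at burst.
        elapsed = now - self.last.get(source, now)
        tokens = min(self.burst, self.tokens.get(source, self.burst) + elapsed * self.rate)
        self.last[source] = now
        if tokens >= 1.0:
            self.tokens[source] = tokens - 1.0
            return True
        self.tokens[source] = tokens
        self.dropped[source] += 1
        return False


def filter_messages(messages, rate=5, burst=10):
    """messages: iterable of (timestamp, source, text). Returns (stored, dropped_counts)."""
    limiter = SourceRateLimiter(rate, burst)
    stored = [m for m in messages if limiter.allow(m[1], m[0])]
    return stored, dict(limiter.dropped)


def sample_traffic():
    """Constructed traffic: a router logging once a second and a source sending 1000 msgs/s."""
    normal = [(float(t), "192.0.2.1", "%LINK-3-UPDOWN: Interface changed state")
              for t in range(10)]
    flood = [(i / 1000.0, "198.51.100.7", "junk %d" % i) for i in range(5000)]
    return sorted(normal + flood)


if __name__ == "__main__":
    stored, dropped = filter_messages(sample_traffic())
    print(len(stored), "stored;", dropped)
```

    Because UDP source addresses can be forged, a per-source limit like this bounds disk growth only when paired with an overall cap or with filtering of which addresses may reach the syslog port.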

    Disruption of Information Flow

    This type of attack is less common than bandwidth consumption; however, such an attack can affect many users, organizations, and, if properly launched, even entire countries or continents. For instance, the DNS entry of a company or an entire country can be altered or diverted to a different location or to /dev/null, thus disabling connectivity of the targeted networks for the duration of the attack. The motives behind this type of attack are usually political or corporate in nature. Another example of such an attack can be discovered when an attacker fiddles with the routers responsible for Border Gateway Protocol (BGP) routing updates; this can easily bring a large chunk of the Internet to its knees with only a few packets. 

    Disruption of Communication

    This type of attack causes a disruption of established communication channels between the client and server. A typical attack would involve resetting a management TCP session to the device, such as a PIX firewall, to stop a system administrator from reconfiguring the device to counter a different attack. These attacks are usually possible due to a system software fault and can be rectified by applying a vendor patch.

    DOS ATTACK MOTIVES

    The Internet has experienced numerous cases of DoS attacks. Unfortunately, due to the nature and existing inherited drawbacks of current Internet-centric protocols, these attacks are likely to stay with us for a long time, causing havoc and financial losses to thousands of organizations all over the world.

    As we have already stated, the usual cause behind the attacks from experienced Black Hat hackers is to achieve some level of remote control (be it enable or unprivileged access) over the device. Therefore, the main reason why these attacks are uncommon among experienced hackers is that after successfully performing a series of DoS attacks, the device or targeted equipment becomes useless or obsolete for the duration of the attack or until the device is restarted. This scenario is usually true unless the attacked device is being specifically targeted to disable its operations as a part of some malicious "master plan."

    In contrast, many unskilled hackers who do not manage to gain remote access to a device are likely to be frustrated, pitiful people who also show their underdeveloped egos by bragging on Internet Relay Chat (IRC) channels or underground message boards to increase their device frag count. These attackers will try to crash the device by all means possible to satisfy their egos and boast about such "marvelous" achievements to their virtual friends. What motivates different types of crackers to perform DoS attacks? The list of reasons can go on forever, but here are just a few of them:
    • Industrial and corporate competition
    • Profit-related causes (racketeers or mafia)
    • Political or social reasons
    • Having fun
    • Bragging rights
    • Revenge
    • Hatred
     


    All about Networking Copyright © 2009 Community is Designed by Bie