<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Internet and Network Security</title>
	<atom:link href="http://www.snginternetservices.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.snginternetservices.com</link>
	<description>www.snginternetservices.com</description>
	<lastBuildDate>Sat, 24 Sep 2011 08:56:54 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Ping of Death and Half open connection</title>
		<link>http://www.snginternetservices.com/ping-of-death-and-half-open-connection/</link>
		<comments>http://www.snginternetservices.com/ping-of-death-and-half-open-connection/#comments</comments>
		<pubDate>Sat, 24 Sep 2011 08:56:54 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.snginternetservices.com/?p=42</guid>
		<description><![CDATA[Continuing the previous article about network attack types, below are two more attacks, Ping of Death and half-open connection, described as follows: Ping of Death is a Denial of Service (DoS) attack against a server or computer connected to a network. These attacks take advantage of existing features in the [...]]]></description>
			<content:encoded><![CDATA[<p>Continuing the previous article about network attack types, below are two more attacks, Ping of Death and half-open connection, described as follows:</p>
<p>Ping of Death is a Denial of Service (DoS) attack against a server or computer connected to a network. The attack takes advantage of packet fragmentation, an existing feature of TCP/IP, and of the fact that the limit on the IP protocol packet size is 65,536 bytes, or 64 kilobytes. An attacker can send ICMP packets (the packets used by ping) that are fragmented so that when the fragments are put back together, the total packet size exceeds the 65,536-byte limit.<br />
<span id="more-42"></span><br />
A simple example is as follows: C:\windows> ping -l 65540</p>
<p>This MS-DOS command sends a ping (ICMP packet) with a size of 65,540 bytes to a host or server. When an unprotected server receives a packet that exceeds the size specified in the IP protocol, the server usually crashes, hangs, or reboots, so that service is disrupted (Denial of Service).<br />
In addition, Ping of Death packets can easily be spoofed or engineered so that their real origin cannot be determined, and the attacker only needs to know the IP address of the computer to be attacked. Today, however, Ping of Death attacks are no longer effective because all operating systems have been upgraded and protected against this type of attack. In addition, a firewall can block all ICMP packets from the outside so that this type of attack can no longer be carried out.</p>
<p>A half-open connection attack is also referred to as a SYN attack, because it uses SYN (synchronization) packets and the weaknesses in the 3-way handshake performed when a TCP/IP connection is established between two computers. In a 3-way handshake to establish a TCP/IP connection between the client and server, what happens is as follows:<br />
* First, the client sends a SYN packet to the server/host to establish a TCP/IP connection between the client and host.<br />
* Second, the host replies by sending a SYN/ACK (synchronization/acknowledgement) back to the client.<br />
* Finally, the client replies by sending an ACK (acknowledgement) packet back to the host. The TCP/IP connection between the client and the host is then established and data transfer can begin.</p>
<p>In a half-open connection attack, the attacker sends the targeted server many SYN packets that have been spoofed or engineered so that the source address is invalid. In other words, the source address of the SYN packets does not point to a computer that really exists. When the server receives the SYN packets, it sends a SYN/ACK in response to each SYN packet received. However, since the SYN/ACK from the server is sent to an address that does not exist, the server keeps waiting for an ACK packet in reply.</p>
<p>If the server is flooded with invalid SYN packets, it will eventually run out of memory and computing resources, because it keeps waiting for ACK replies that will never come. Eventually the server will crash, hang, or reboot, and service is disrupted (denial of service). A half-open connection or SYN attack can be prevented by packet filtering and a firewall, so that invalid SYN packets are blocked by the firewall before they flood the server.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snginternetservices.com/ping-of-death-and-half-open-connection/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>UDP Bomb Attack and IP spoofing</title>
		<link>http://www.snginternetservices.com/udp-bomb-attack-and-ip-spoofing/</link>
		<comments>http://www.snginternetservices.com/udp-bomb-attack-and-ip-spoofing/#comments</comments>
		<pubDate>Fri, 23 Sep 2011 11:04:31 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Network]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.snginternetservices.com/?p=44</guid>
		<description><![CDATA[A UDP Bomb attack is a type of Denial of Service (DoS) attack against a server or computer connected to a network. To perform a UDP Bomb attack against a server, an attacker sends a UDP (User Datagram Protocol) packet that has been spoofed or engineered to contain invalid values in certain fields. If the [...]]]></description>
			<content:encoded><![CDATA[<p>A UDP Bomb attack is a type of Denial of Service (DoS) attack against a server or computer connected to a network. To perform a UDP Bomb attack against a server, an attacker sends a UDP (User Datagram Protocol) packet that has been spoofed or engineered to contain invalid values in certain fields. </p>
<p>If an unprotected server still uses an operating system that cannot handle invalid UDP packets, the server will crash immediately. An example of an operating system that can be brought down by a UDP Bomb attack is SunOS version 4.1.3a1 or earlier. Most operating systems discard UDP packets that are not valid, so the operating system will not crash. However, to be more secure, you should use packet filtering on the firewall to monitor and block attacks such as the UDP Bomb attack.<br />
<span id="more-44"></span><br />
IP spoofing is also known as source address spoofing: the attacker forges its IP address so that the target considers the attacker&#8217;s address to be that of a host inside the network rather than outside it. Suppose the attacker has a class A IP address, 66.25.xx.xx. When the attacker carries out this type of attack, the attacked network will assume the attacker&#8217;s IP is part of its own network, for example 192.xx.xx.xx, a class C address. IP spoofing occurs when an attacker &#8216;outsmarts&#8217; packet routing to redirect data or transmissions to a different destination. Routing information in packets is usually transmitted in the clear, which makes it easy for an attacker to modify the origin or destination of the data. This technique is used not only by attackers but also by security professionals to trace the identity of an attacker.</p>
<p>The protocols that handle communication between computers are the ones most successfully spoofed. ICMP (Internet Control Message Protocol) is one of them (vulnerable) because the protocol carries information and error messages between two nodes in the network. Internet Group Message Protocol (IGMP) can be exploited with this type of attack because IGMP reports error conditions for user-level datagrams and also contains routing and network information. User Datagram Protocol (UDP) can also be &#8216;requested&#8217; to display the identity of the target host.</p>
<p>The solution for preventing IP spoofing is to secure the packets being transmitted and to install screening policies. Point-to-point encryption can also prevent unauthorized users from reading the data or packets. Authentication can also be used to distinguish a legitimate source from one that has been spoofed by an attacker. </p>
<p>As another preventive measure, an administrator can use signatures for packets communicated on the network to ensure that a packet has not been modified in transit. Anti-spoofing rules basically tell the server to reject packets that arrive from outside but appear to come from inside; generally this will break any spoofing attack.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snginternetservices.com/udp-bomb-attack-and-ip-spoofing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Network Attack Type</title>
		<link>http://www.snginternetservices.com/network-attack-type/</link>
		<comments>http://www.snginternetservices.com/network-attack-type/#comments</comments>
		<pubDate>Fri, 23 Sep 2011 10:56:33 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Network]]></category>

		<guid isPermaLink="false">http://www.snginternetservices.com/?p=40</guid>
		<description><![CDATA[Today I&#8217;d like to discuss network attacks. The previous article discussed specific network attacks; in this article, let&#8217;s look at the basic types of network attack: A teardrop attack is a Denial of Service (DoS) attack against a server or computer connected to a network. Teardrop attack takes [...]]]></description>
			<content:encoded><![CDATA[<p>Today I&#8217;d like to discuss network attacks. The previous article discussed specific network attacks; in this article, let&#8217;s look at the basic types of network attack:</p>
<p>A teardrop attack is a Denial of Service (DoS) attack against a server or computer connected to a network. It takes advantage of packet fragmentation, an existing feature of TCP/IP, and of weaknesses in TCP/IP at the point when the fragmented packets are put back together. When data is transmitted from one computer to another over a TCP/IP network, it is broken down into several smaller packets on the originating computer; the packets are sent and then put back together on the destination computer.<br />
<span id="more-40"></span><br />
A Land attack is an assault on a server or computer connected to a network that aims to stop the services provided by that server, disrupting the service or the computer network. Attacks of this type are called Denial of Service (DoS) attacks. The Land attack is categorized as a SYN attack because it uses a SYN (synchronization) packet during the 3-way handshake that establishes a TCP/IP connection. In a 3-way handshake to establish a TCP/IP connection between the client and server, what happens is as follows:<br />
* First, the client sends a SYN packet to the server/host to establish a TCP/IP connection between the client and host.<br />
* Second, the host replies by sending a SYN/ACK (synchronization/acknowledgement) back to the client.<br />
* Finally, the client replies by sending an ACK (acknowledgement) packet back to the host. The TCP/IP connection between the client and the host is then established and data transfer can begin.</p>
<p>In a Land attack, the attacker&#8217;s computer, acting as a client, sends a SYN packet that has been engineered or spoofed to the server that is about to be attacked.<br />
The engineered or spoofed SYN packet contains a source address and source port number that exactly match the destination address and destination port number.<br />
Thus, when the host sends a SYN/ACK back to the client, an infinite loop results, because the host is actually sending the SYN/ACK to itself.<br />
An unprotected host or server will usually crash or hang under a Land attack. Today, however, the Land attack is no longer effective because almost all systems are protected from this type of attack through packet filtering or a firewall.</p>
<p>Continued in the next article.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snginternetservices.com/network-attack-type/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CMS Security</title>
		<link>http://www.snginternetservices.com/cms-security/</link>
		<comments>http://www.snginternetservices.com/cms-security/#comments</comments>
		<pubDate>Thu, 21 Jul 2011 16:44:53 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://www.snginternetservices.com/?p=35</guid>
		<description><![CDATA[Today many web developers use frameworks, CMSs, or other website builders to build their own sites. But amid their ease of access and level of usage, don&#8217;t forget about security issues. Security issues are usually considered part of hardware issues, such as physical server and operating system interference or any related IT environment issues. But [...]]]></description>
			<content:encoded><![CDATA[<p>Today many web developers use frameworks, CMSs, or other <a href="http://www.site2you.com/" target="_blank">website builders</a> to build their own sites. But amid their ease of access and level of usage, don&#8217;t forget about security issues.</p>
<p>Security issues are usually considered part of hardware issues, such as physical server and operating system interference or any related IT environment issues. But the software itself is not entirely safe from attack. As an example, let&#8217;s review some CMSs (content management systems) such as Drupal and Joomla.<br />
<span id="more-35"></span><br />
Security issues for CMSs like Drupal and Joomla fall into several main categories:<br />
1. &#8220;Core code&#8221;<br />
The modules you get when you download/install Drupal or Joomla, as developed by the team.<br />
2. Third-party extensions<br />
Add-ons written by Drupal/Joomla developers, made available to others (either free or for a price, depending), typically through central directories<br />
3. Custom per-site coding<br />
Done by design firms and other developers (who might also be the &#8220;customer&#8221;)<br />
4. Admin configuration and other settings<br />
Setting access permissions for groups, users, articles, etc.</p>
<p>Joomla is focused on basic content management, and its security is based purely on access control. In Drupal, everything that exists is an object, and that object can be one of a variety of types: content, media, applications, application programming interfaces (APIs) and more. The security principles in Drupal are designed to integrate with third-party applications in a more flexible, modern and secure way.</p>
<p>The core isn&#8217;t the only code that needs to be secure, of course. There are thousands of third-party extensions and modules available for both Drupal and Joomla. Plus there&#8217;s whatever additional code has gone into creating the site.</p>
<p>Joomla has security features such as a database class smart enough to check that data passed to it is properly sanitized. But if developers hard-code their own connections to the database instead, without doing any checking or sanitizing, they introduce vulnerabilities. One concern for Joomla users is that third-party components for Joomla don&#8217;t go through any formal testing by Joomla.</p>
<p>Neither Joomla nor Drupal is perfect; each has its own weaknesses, but these two site builders have stolen web developers&#8217; hearts. Another thing that requires security protection is <a href="http://www.site2you.com/blog/40/Protect-Your-Online-Content.html" target="_blank">protecting your online content</a> from content thieves.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snginternetservices.com/cms-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hop-Count Filtering (HCF)</title>
		<link>http://www.snginternetservices.com/hop-count-filtering-hcf/</link>
		<comments>http://www.snginternetservices.com/hop-count-filtering-hcf/#comments</comments>
		<pubDate>Wed, 16 Feb 2011 11:27:01 +0000</pubDate>
		<dc:creator></dc:creator>
				<category><![CDATA[Internet]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.snginternetservices.com/?p=33</guid>
		<description><![CDATA[Hop-Count Filtering, proposed by Jin et al., is a research project at the University of Michigan aimed at defending against DDoS by observing the TTL value (time to live, the number of hops or routers a packet will travel before getting discarded to avoid network loops; the value gets decremented at each router the packet traverses) in [...]]]></description>
			<content:encoded><![CDATA[<p>Hop-Count Filtering, proposed by Jin et al., is a research project at the University of Michigan aimed at defending against DDoS by observing the TTL value (time to live, the number of hops or routers a packet will travel before getting discarded to avoid network loops; the value gets decremented at each router the packet traverses) in inbound packets. Deployed at victim/target networks, it observes the proper TTL value for any given source address that enters the victim/target network, attempts to infer a hop count (that is, the distance of the sender from the defense) and builds tables that bind a given IP to the hop count.</p>
<p>The system makes guesses of hop counts starting with the observed TTL value and guessing the initial TTL value that was placed in the packet at the sender. There are only a few such values that operating systems use and they are fairly different, which facilitates correct guesses. The hop count is then the difference between the initial TTL and the observed one.<br />
<span id="more-33"></span><br />
Hop-count distributions follow the normal distribution (bell curve), as there is sufficient variability in the TTL values. If an attacker wanted to defeat this scheme, he would have to guess the correct TTL value to insert into a forged packet, so that the deduced hop count matches the expected one. Spoofing becomes difficult, as the attacker now has to spoof the correct TTL value associated with a given spoofed source address and, augmented by the appropriate difference in hop counts between attacking and spoofed address, malicious traffic becomes easier to model.</p>
<p>In the general operation, the hop-count filter is passive while it is analyzing traffic and matches it to the established incoming tables of assumed hop counts. If the number of mismatches crosses an established threshold, the scheme starts filtering. The incoming tables are constantly updated by examining a random established (e.g., successful) TCP connection to a site within the protected network. Note that this scheme tries to prevent spoofed traffic. Nothing prevents an attacker from launching an attack with true sources and carrying the correct TTL values, and thus attacks using large bot networks or worms with DDoS payloads, which do not need to spoof source addresses to be successful, will still be a problem. Since these types of attacks are easy today, attackers would simply adopt this method over source address forgery to get around such defenses.</p>
<p>Like other victim-side defenses, this approach cannot help defend against flooding attacks based on overwhelming the link coming into the machine that is checking the TTL values.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.snginternetservices.com/hop-count-filtering-hcf/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

