Hi Don
*WARNING - TECHIE INFO AHEAD. PRESS 'BACK' NOW IF THIS BORES YOU!!*
Yep, any IP stack has vulnerabilities to denial of service attacks if the hacker is using the right tools for the job. I didn't see the headline that was referred to about NT but I have come across the so-called 'SYN attack' where a user could hang the IP stack by half opening several IP connections, but never completing the connection, leaving the server's IP stack waiting to synchronise with the client, be it FTP, Web, Telnet or whatever. There are only so many of these types of semi-completed connections available in each OS so if someone fills up the queue, other users wouldn't be able to even start a connection. The latest version of the NetWare IP stack gets around this problem by allowing you to set a parameter - 'SET DEFEND AGAINST SYN ATTACKS=ON' (or something quite explicit like that). This times out the connection handshaking quite quickly and allows other users to connect. It's not perfect but it's the same approach other vendors take, including MSFT.
Another way of denying service is to use two hosts, one that you want to shut down, the other an innocent 'patsy'. Two common ports that can be left open on internet servers are ECHO and CHARGEN. ECHO does what the name says, it echoes back any data written to that port, usually to a client that initiates the connection but this can be modified if you have the right software. CHARGEN is short for CHARacter GENerator, and this port merely generates a stream of data. Using two computers that can see each other on the network, either public like the Internet or private, you can get one server to generate data and send it to a server that will echo it back to the originator. It's like a human kicking off one of those Newton's Cradle desk toys - you use your hand to get two ball bearings to ping-pong backwards and forwards. It's possible to use up all the available bandwidth just to do this, again messing up any incoming connections from real users.
Current versions of NetWare/IntranetWare/BorderManager allow you to get past this by using packet filters, restricting who can access these ports from the Internet. It's probably a good idea to turn off all access to them unless needed, especially if the server's on the Internet.
Luckily, Novell has a lot of experience in the TCP/IP area, what with the acquisition of Excelan back around '85/'86 or so. A look through the documentation of BorderManager shows that the above scenario is documented as an example of making a server secure. The default install of BM is to turn off all access to the server from the Internet except through the BM proxy. All other access attempts are rejected. It's pretty hard to hack a server if you can't get a packet through to it in the first place! Coupled with the fact that NetWare servers running BM don't have the kind of services running on them that hackers like to use (mail gateways, telnet, remote execution etc) in the UNIX/NT environment, and the security risk is minimised even further....
Sorry to have gone on a bit, it's just I've done a little digging into this area in a past life and know that Novell's Internet/TCP/IP solutions don't have half the vulnerabilities of other OSs yet rarely get credit for this fact.
Regards to all
Peter
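The two conditions Peter describes (a half-open queue filling up, and echo/chargen traffic ping-ponging between two hosts) can both be spotted in a server's connection table. This is an added example, not from the post or from Novell: it parses a constructed netstat-style listing and assumes a half-open queue of 8 slots per listener and a 75% alert threshold, both made-up values.

```python
import re
from collections import Counter

ECHO, CHARGEN = 7, 19      # the two ports named in the post
BACKLOG = 8                # assumed size of the half-open queue per listener
WARN_AT = 0.75             # assumed alert threshold: queue this full

# Constructed sample in netstat style: proto local remote state
SAMPLE = """\
tcp 192.0.2.10:80 203.0.113.5:40001 SYN_RECV
tcp 192.0.2.10:80 203.0.113.5:40002 SYN_RECV
tcp 192.0.2.10:80 203.0.113.5:40003 SYN_RECV
tcp 192.0.2.10:80 203.0.113.5:40004 SYN_RECV
tcp 192.0.2.10:80 203.0.113.5:40005 SYN_RECV
tcp 192.0.2.10:80 203.0.113.5:40006 SYN_RECV
tcp 192.0.2.10:80 198.51.100.7:51000 ESTABLISHED
tcp 192.0.2.10:21 198.51.100.8:51001 SYN_RECV
udp 192.0.2.10:19 192.0.2.20:7 -
udp 192.0.2.10:7 192.0.2.20:19 -
"""
LINE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def parse(table):
    """Return (proto, lip, lport, rip, rport, state) tuples; skip junk lines."""
    rows = []
    for line in table.splitlines():
        m = LINE.match(line.strip())
        if m:
            p, lip, lp, rip, rp, st = m.groups()
            rows.append((p, lip, int(lp), rip, int(rp), st))
    return rows

def syn_backlog_alerts(rows, backlog=BACKLOG):
    """Listeners whose half-open (SYN_RECV) queue is nearly full, plus the
    remote host holding the most of those slots. Returns (port, count, host)."""
    per_port, per_peer = Counter(), Counter()
    for p, _, lport, rip, _, st in rows:
        if p == "tcp" and st == "SYN_RECV":
            per_port[lport] += 1
            per_peer[(lport, rip)] += 1
    alerts = []
    for port, n in sorted(per_port.items()):
        if n >= backlog * WARN_AT:
            peers = [ip for (lp, ip) in per_peer if lp == port]
            worst = max(peers, key=lambda ip: per_peer[(port, ip)])
            alerts.append((port, n, worst))
    return alerts

def echo_chargen_loops(rows):
    """Flows joining the echo and chargen ports: the ping-pong the post describes."""
    return [(lip, lport, rip, rport) for _, lip, lport, rip, rport, _ in rows
            if {lport, rport} == {ECHO, CHARGEN}]
```

Running `syn_backlog_alerts(parse(SAMPLE))` flags port 80 with six half-open entries, all from one host, which is the pattern a short handshake timeout or a packet filter on ports 7 and 19 is meant to defuse.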