Denial of Service: WORLDS ATTACKS
Prepared by: Mohammed Mahmoud Hussain
Supervised by: Dr. Lo’ai Tawalbeh
NYIT, winter 2007

Dec 22, 2015

Transcript
Page 1: title slide (as above).

Page 2:

Good News / Bad News

The Internet and networks give us better connectivity
– Share information
– Collaborate (a)synchronously

The Internet and networks give us better connectivity
– Viruses can spread more easily
– “The bad guys” now have easier access to your information as well

Page 3:

Why do I want to be secure? (What’s in it for me?)

You can ensure private information is kept private
– Some things are for certain eyes only and you probably want to keep them that way
– Is someone looking over your shoulder (physically or virtually)?

Page 4:

The 3 Main Forms of Bad Guys

Virus/Worm
Trojan
Denial of Service

Page 5:

Viruses / Worms

Most widely known – thanks to press coverage

What is it?
– Computer programs written by bad guys to do malicious things, often triggered by a specific event
– Example – Word macro virus that sends out junk email when a Word document is opened

Page 6:

Trojan horse

Most dangerous of all

What is it?
– Computer programs often written by good guys but used by bad guys to give them a back door into the intended computer
– Example – Remote management application that runs in the background
– and allows the bad guys to “get in”
– and use your computer as they wish

Page 7:

Typically cannot be safely removed – must start from a working backup or from scratch

Because
– Deleting/modifying data files is one of their goals
– Stealing personal information also
– Interrupting/destroying business processes (contingency plan)

Page 8:

Denial of service (DoS)

- Too many requests for a particular web site “clog the pipe” so that no one else can access the site
- Also the use of the LAND attack

Page 9:

Possible impacts:
- May reboot your computer
- Slows down computers
- Certain sites/applications become inaccessible
** you are off.

Page 10:

Where are you

Everyone has to know that they come from 3 places:
– “New Files”
– “Viewed Content”
– “Exposed Services”

Page 11:

Where they come from

Unwanted email with attachments you weren’t expecting

Downloaded programs from the internet that come from less than trustworthy locations

File sharing programs (P2P)

Page 12:

Websites that will “install” things for you

The more open doors your computer has, the more chance of someone coming in

Page 13:

What is a Denial of Service Attack?

“Attack in which the primary goal is to deny the victim(s) access to a particular resource.”

Page 14:

A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.

Page 15:

How to take down a restaurant

(Figure: Saboteur vs. Restauranteur)

Page 16:

Saboteur vs. Restauranteur

Saboteur: “Table for four at 8 o’clock. Name of Mr. Smith.”

Restauranteur: “O.K., Mr. Smith.”

Page 17:

(Figure: Saboteur vs. Restauranteur) “No More Tables!”

Page 18:

Denial-of-service attacks are most frequently executed against network connectivity. The goal is to prevent hosts or networks from communicating on the network. An example of this type of attack is the "SYN flood" attack.

Page 19:

Categories of DoS attack

Bandwidth attacks
Protocol exceptions
Logic attacks

Page 20:

A bandwidth attack is the oldest and most common DoS attack. In this approach, the malicious hacker saturates a network with data traffic. A vulnerable system or network is unable to handle the amount of traffic sent to it and subsequently crashes or slows down, preventing legitimate access to users.

Page 21:

A protocol attack is a trickier approach, but it is becoming quite popular. Here, the malicious attacker sends traffic in a way that the target system never expected, such as when an attacker sends a flood of SYN packets.

Page 22: (figure only)

Page 23:

The third type of attack is a logic attack. This is the most advanced type of attack because it involves a sophisticated understanding of networking. A classic example of a logic attack is a LAND attack, where an attacker sends a forged packet with the same source and destination IP address. Many systems are unable to handle this type of confused activity and subsequently crash.

Page 24:

Types

Types of DoS Attacks
The information here introduces the common types of DoS attacks, many of which can be done as a DDoS attack.

Page 25:

PING OF DEATH

A Ping of Death attack uses Internet Control Message Protocol (ICMP) ping messages. Ping is used to see if a host is active on a network. It also is a valuable tool for troubleshooting and diagnosing problems on a network. As the following picture shows, a normal ping has two messages:

Page 26:

BUT

With a Ping of Death attack, an echo packet is sent that is larger than the maximum allowed size of 65,536 bytes. The packet is broken down into smaller segments, but when it is reassembled, it is discovered to be too large for the receiving buffer. Subsequently, systems that are unable to handle such abnormalities either crash or reboot.

You can perform a Ping of Death from within Linux by typing ping –f –s 65537. Note the use of the –f switch. This switch causes the packets to be sent as quickly as possible. Often the cause of a DoS attack is not just the size or amount of traffic, but the rapid rate at which packets are being sent to a target.

Tools: Jolt, SPing, ICMP Bug, IceNewk
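An added example (not from the slides) of the receiver-side check that defeats the condition the Ping of Death relies on: the IPv4 total-length field is 16 bits, so no datagram can legitimately exceed 65,535 bytes, and an "oversized" echo can only arrive as fragments whose offsets add up past that limit. A reassembler that checks the bound as each fragment arrives never builds the oversized datagram. The fragment records and the 20-byte header assumption are constructed for the example.

```python
"""Added example, not from the slides: reject IPv4 fragments that would
reassemble into a datagram larger than the 16-bit total-length field allows.
Fragment records are constructed; no packets are read from the network."""
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535   # 16-bit total length: header plus payload
IP_HEADER_LEN = 20        # assumed: IPv4 header without options


@dataclass(frozen=True)
class Fragment:
    ident: int        # IP identification field shared by the fragments
    offset: int       # fragment offset in 8-byte units, as carried on the wire
    more: bool        # MF flag: True unless this is the last fragment
    payload_len: int  # bytes of payload carried by this fragment


class Reassembler:
    """Tracks fragments per identification value and refuses to build any
    datagram that would exceed IP_MAX_DATAGRAM, so an oversized ICMP echo
    never reaches a receive buffer sized for legal datagrams."""

    def __init__(self):
        self.pending = {}   # ident -> list of Fragment
        self.alerts = []    # (ident, would-be total length) of dropped datagrams

    def add(self, frag):
        """Return 'dropped', 'pending' or 'complete' for this fragment."""
        end = frag.offset * 8 + frag.payload_len
        if IP_HEADER_LEN + end > IP_MAX_DATAGRAM:
            # Ping of Death condition: the reassembled datagram would be
            # longer than any legal IPv4 datagram. Discard everything seen
            # so far for this identification instead of passing it upward.
            self.alerts.append((frag.ident, IP_HEADER_LEN + end))
            self.pending.pop(frag.ident, None)
            return "dropped"
        frags = self.pending.setdefault(frag.ident, [])
        frags.append(frag)
        if self._complete(frags):
            del self.pending[frag.ident]
            return "complete"
        return "pending"

    @staticmethod
    def _complete(frags):
        """Complete when the last fragment (MF clear) has arrived and the
        payload bytes from 0 up to its end are covered without a gap."""
        frags = sorted(frags, key=lambda f: f.offset)
        if frags[-1].more:
            return False
        covered = 0
        for f in frags:
            if f.offset * 8 > covered:
                return False          # hole before this fragment
            covered = max(covered, f.offset * 8 + f.payload_len)
        return True


def sample_fragments():
    """Constructed input: a legitimate 4000-byte ping split across three
    fragments (ident 1), then fragments whose final offset pushes the
    datagram past the limit, the Ping of Death pattern (ident 2)."""
    return [
        Fragment(1, 0, True, 1480),
        Fragment(1, 185, True, 1480),    # 185 * 8 == 1480
        Fragment(1, 370, False, 1040),   # 370 * 8 == 2960; payload total 4000
        Fragment(2, 0, True, 1480),
        Fragment(2, 8189, False, 24),    # 8189 * 8 + 24 == 65536 payload bytes
    ]


def process(fragments):
    """Feed fragments through one Reassembler; return verdicts and the state."""
    r = Reassembler()
    return [r.add(f) for f in fragments], r


if __name__ == "__main__":
    verdicts, r = process(sample_fragments())
    for f, v in zip(sample_fragments(), verdicts):
        print(f.ident, f.offset, v)
    print("alerts:", r.alerts)
```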

Page 27:

Smurf and Fraggle

A Smurf attack is another DoS attack that uses ICMP. Here, an echo request is sent to a network broadcast address with the target as the spoofed source. When hosts receive the echo request, they send an echo reply back to the target. Sending multiple Smurf attacks directed at a single target in a distributed fashion might succeed in crashing it.

Page 28:

If the broadcast ping cannot be sent to a network, a Smurf amplifier is used instead. A Smurf amplifier is a network that allows the hacker to send broadcast pings to it and sends back a ping response to his target host on a different network. Nmap provides the capability to detect whether a network can be used as a Smurf amplifier.

Page 29:

A variation of the Smurf attack is a Fraggle attack, which uses User Datagram Protocol (UDP) instead of ICMP. Fraggle attacks work by using the CHARGEN and ECHO UDP programs that operate on UDP ports 19 and 7. Both of these applications are designed to operate much like ICMP pings; they are designed to respond to requesting hosts to notify them that they are active on a network.

Page 30:

LAND Attack

In a LAND attack, a TCP SYN packet is sent with the same source and destination address and port number. When a host receives this abnormal traffic, it often either slows down or comes to a complete halt as it tries to initiate communication with itself in an infinite loop. Although this is an old attack (first reportedly discovered in 1997), both Windows XP with service pack 2 and Windows Server 2003 are vulnerable to this attack.

HPing can be used to craft packets with the same spoofed source and destination address.

Page 31:

SYN flood

A SYN flood is one of the oldest and yet still most effective DoS attacks. As a review of the three-way handshake, TCP communication begins with a SYN, a SYN-ACK response, and then an ACK response. When the handshake is complete, traffic is sent between two hosts.

Page 32:

In a SYN flood, however, the three-way handshake takes a different turn: the attacking host sends a flood of SYN packets but never responds with an ACK packet. The TCP/IP stack waits a certain amount of time before dropping each connection, so a SYN flooding attack keeps the SYN_RECEIVED connection queue of the target machine filled.

Page 33:

With a SYN flood attack, these rules are violated. Instead of the normal three-way handshake, an attacker sends a packet from a spoofed address with the SYN flag set but does not respond when the target sends a SYN-ACK response. A host has a limited number of half-open (embryonic) sessions that it can maintain at any given time. After those sessions are used up, no more communication can take place until

Page 34:

the half-open sessions are cleared out. This means that no users can communicate with the host while the attack is active. SYN packets are being sent so rapidly that even when a half-open session is cleared out, another SYN packet is sent to fill up the queue again.

Page 35:

SYN floods are still successful today for three reasons:

1) SYN packets are part of normal, everyday traffic, so it is difficult for devices to filter this type of attack.

2) SYN packets do not require a lot of bandwidth to launch an attack because they are relatively small.

3) SYN packets can be spoofed because no response needs to be given back to the target. As a result, you can choose random IP addresses to launch the attack, making filtering difficult for security administrators.

Page 36:

An example: TCP SYN flooding

(Figure)
Client → Server: “TCP connection, please.”
Server → Client: “O.K. Please send ack.”
Client → Server: “TCP connection, please.”
Server → Client: “O.K. Please send ack.”
Server: Buffer
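An added example (not part of the deck): a passive monitor, in Python, that mirrors the victim's half-open (embryonic) queue described on pages 32 to 34 and raises an alert when that queue overflows, together with the per-packet LAND check from page 30 (a SYN whose source and destination address and port are identical). The packet records are constructed, and the backlog size and timeout are assumed values, not measured ones.

```python
"""Added example, not from the slides: track half-open TCP sessions from
observed segments and flag SYN-flood and LAND conditions.  Traffic records
are constructed tuples; nothing is captured from a live interface."""
from collections import defaultdict

BACKLOG = 5          # assumed size of the listener's SYN_RECEIVED queue
SYN_TIMEOUT = 30.0   # assumed seconds before the stack drops a half-open entry


class HalfOpenMonitor:
    """Mirrors the victim's half-open session queue from the outside and
    raises an alert when it overflows (SYN flood) or when a SYN carries the
    same source and destination address and port (LAND)."""

    def __init__(self, backlog=BACKLOG, timeout=SYN_TIMEOUT):
        self.backlog = backlog
        self.timeout = timeout
        # (dst, dport) -> {(src, sport): time the SYN was seen}
        self.half_open = defaultdict(dict)
        self.flooding = set()   # listeners currently over their backlog
        self.alerts = []

    def _expire(self, now):
        """Forget entries the stack itself would have timed out by now."""
        for listener, q in self.half_open.items():
            for key in [k for k, t in q.items() if now - t > self.timeout]:
                del q[key]
            if len(q) <= self.backlog:
                self.flooding.discard(listener)

    def observe(self, ts, src, sport, dst, dport, flags):
        """flags is a string of TCP flag letters: 'S', 'SA' or 'A' here."""
        self._expire(ts)
        listener = (dst, dport)
        q = self.half_open[listener]
        if flags == "S":
            if src == dst and sport == dport:
                # LAND: the host would try to talk to itself in a loop
                self.alerts.append(("LAND", ts, src, sport))
                return
            q[(src, sport)] = ts
            if len(q) > self.backlog and listener not in self.flooding:
                self.flooding.add(listener)
                self.alerts.append(("SYN_FLOOD", ts, dst, dport, len(q)))
        elif flags == "A":
            # Third step of the handshake: the client's ACK completes it
            q.pop((src, sport), None)
        # The server's SYN-ACK and data segments need no state here

    def depth(self, dst, dport):
        """Current number of half-open sessions for one listener."""
        return len(self.half_open[(dst, dport)])


def sample_traffic():
    """Constructed records (time, src, sport, dst, dport, flags)."""
    victim = "198.51.100.5"
    pkts = [
        (0.0, "192.0.2.10", 40000, victim, 80, "S"),    # legitimate client
        (0.1, victim, 80, "192.0.2.10", 40000, "SA"),
        (0.2, "192.0.2.10", 40000, victim, 80, "A"),    # handshake completes
    ]
    # Spoofed sources send SYN only and never answer the SYN-ACK (page 33)
    for i in range(8):
        pkts.append((1.0 + i, "203.0.113.%d" % (i + 1), 1024 + i, victim, 80, "S"))
    pkts.append((20.0, victim, 80, victim, 80, "S"))    # LAND packet (page 30)
    return pkts


def run(pkts):
    """Replay records through one monitor and return it for inspection."""
    m = HalfOpenMonitor()
    for p in pkts:
        m.observe(*p)
    return m


if __name__ == "__main__":
    m = run(sample_traffic())
    for a in m.alerts:
        print(a)
    print("half-open sessions on 198.51.100.5:80 =", m.depth("198.51.100.5", 80))
```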

Page 37:

Now we may categorize DoS into 3 parts depending on the number of actors.

Page 38:

Direct Single-tier DoS Attacks

– Straightforward 'point-to-point' attack, meaning we have 2 actors: hacker and victim.

– Examples: Ping of Death, SYN floods, other malformed packet attacks

Page 39: (figure only)

Page 40:

Direct Dual-tier DoS Attacks

– More complex attack model
– Difficult for victim to trace and identify attacker
– Examples: Smurf

Page 41: (figure only)

Page 42:

Direct Triple-tier DDoS Attacks

– Highly complex attack model, known as Distributed Denial of Service (DDoS).

– DDoS exploits vulnerabilities in the very fabric of the Internet, making it virtually impossible to protect your networks against this level of attack.

– Examples: TFN2K, Stacheldraht, Mstream

Page 43:

The Components of a DDoS Flood Network

– Attacker: Often a hacker with good networking and routing knowledge.

– Master servers: Handful of backdoored machines running DDoS master software, controlling and keeping track of available zombie hosts.

– Zombie hosts: Thousands of backdoored hosts over the world

Page 44: (figure only)

Page 45:

Distributed Denial of Service Attack (DDoS)

In and around early 2001 a new type of DoS attack became rampant, called a Distributed Denial of Service attack, or DDoS. In this case multiple compromised systems are used to attack a single target. The flood of incoming traffic to the target will usually force it to shut down. As in a DoS attack, in a DDoS attack the legitimate requests to the affected system are denied. Since a DDoS attack is launched from multiple sources, it is often more difficult to detect and block than a DoS attack.

Page 46:

Results expected

Denial-of-service attacks can essentially disable your computer or your network, depending on the nature of your enterprise.

Some denial-of-service attacks can be executed with limited resources against a large, sophisticated site. This type of attack is sometimes called an "asymmetric attack." For example, an attacker with an old PC and a slow modem may be able to disable much faster and more sophisticated machines or networks.

Page 47:

Forms

– attempts to "flood" a network, thereby preventing legitimate network traffic

– attempts to disrupt connections between two machines, thereby preventing access to a service

– attempts to prevent a particular individual from accessing a service

– attempts to disrupt service to a specific system or person

Page 48:

Defense

Page 49:

Internet Service Providers

Deploy source address anti-spoof filters (very important!).

Turn off directed broadcasts.

Develop security relationships with neighbor ISPs.

Set up mechanism for handling customer security complaints.

Develop traffic volume monitoring techniques.
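An added example (not part of the deck) of the first two ISP measures above, applied in Python to constructed packet records: source-address anti-spoof filtering drops a customer packet whose source lies outside that customer's assigned prefixes (the spoofed sources of pages 27 and 35 depend on this filter being absent), and disabling directed broadcasts drops traffic from outside that is addressed to a connected network's broadcast address, so the network cannot act as a Smurf amplifier. The interface names and prefixes are assumed; the addresses are documentation ranges.

```python
"""Added example, not from the slides: router-side anti-spoof (ingress) and
directed-broadcast filters evaluated over constructed packet records."""
import ipaddress

# Assumed topology: customer-facing interface -> prefixes assigned to it.
CUSTOMER_PREFIXES = {
    "cust-A": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/25")],
}
# Networks directly connected to this router; their broadcast addresses must
# not be reachable from the upstream side.
CONNECTED = [net for nets in CUSTOMER_PREFIXES.values() for net in nets]


def ingress_check(iface, src, dst):
    """Decide ('permit' | 'drop', reason) for a packet arriving on iface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if iface in CUSTOMER_PREFIXES:
        # Anti-spoof: a customer may only source packets from its own prefixes.
        if not any(s in net for net in CUSTOMER_PREFIXES[iface]):
            return "drop", "spoofed source %s on %s" % (src, iface)
        return "permit", ""
    # Upstream interface.
    if any(s in net for net in CONNECTED):
        # Our own prefix cannot legitimately arrive from the Internet.
        return "drop", "own prefix %s arriving from upstream" % src
    for net in CONNECTED:
        if d == net.broadcast_address:
            # Directed broadcast: one packet would be answered by every host
            # on the segment, which is the Smurf amplification step.
            return "drop", "directed broadcast to %s" % net
    return "permit", ""


SAMPLE_PACKETS = [  # constructed (iface, src, dst) records
    ("cust-A", "192.0.2.10", "203.0.113.7"),      # legitimate customer traffic
    ("cust-A", "198.51.100.20", "203.0.113.7"),   # cust-B address from cust-A: spoofed
    ("upstream", "203.0.113.7", "192.0.2.255"),   # broadcast ping aimed at our /24
    ("upstream", "203.0.113.7", "192.0.2.10"),    # ordinary inbound packet
    ("upstream", "192.0.2.10", "192.0.2.20"),     # our own prefix from outside
]


def filter_packets(pkts):
    """Return [(iface, src, dst, verdict, reason), ...] for the records."""
    return [(i, s, d) + ingress_check(i, s, d) for i, s, d in pkts]


if __name__ == "__main__":
    for row in filter_packets(SAMPLE_PACKETS):
        print("%-9s %-15s -> %-15s %-6s %s" % row)
```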

Page 50:

Highly loaded machines

Look for too much traffic to a particular destination.

Learn to look for traffic to that destination at your border routers (access routers, peers, exchange points, etc.).

Can we automate the tools – too many queue drops on an access router will trigger source detection? (bl..

Disable and filter out all unused UDP services.

Page 51:

Also

Routers, machines, and all other Internet-accessible equipment should be periodically checked to verify that all security patches have been installed

Systems should be checked periodically for the presence of malicious software (Trojan horses, viruses, worms, back doors, etc.)

Page 52:

Train your system and network administrators

Read security bulletins like: www.cert.org, www.sans.org, www.eEye.com

From time to time listen in on the attacker community to be informed about their latest achievements

Be in contact with your ISP. In case your network is being attacked, this can save a lot of time

Page 53:

Can both do better some day

ICMP Traceback message.

Warning – this technique is a practically untested idea.

Page 54: Denial of Service WORLDS ATTAKS Prepared by: Mohammed Mahmoud Hussain Supervised by : Dr. Lo’ai Tawalbeh NYIT-winter 2007.

ICMPICMP

ICMP (Internet Control Message Protocol) messages are usually used to report errors in the network: a request could not be completed, a router is not reachable, and so on.
Unlike TCP and UDP, which carry application data, ICMP is used mainly to check communication between nodes. An echo request message (ping) is sent to determine:
1- whether the host is reachable.
2- how long packets take to travel to and from the host.
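The echo exchange described above, as an added example that is not part of the original slides: it builds an ICMP echo request with the RFC 1071 checksum, builds the echo reply a host would return, and pairs reply with request by identifier and sequence number the way a ping tool does. It works on byte strings only, so it runs offline without raw sockets; the identifier, sequence number and payload are constructed sample values.

```python
"""ICMP echo (ping) message construction and parsing.

Added example, not from the original slides: builds an ICMP echo request
(type 8) with the RFC 1071 one's-complement checksum, builds the echo
reply a host would return, and matches reply to request the way a ping
tool does. Works on byte strings only, so it runs offline without raw
sockets; the identifier, sequence number and payload below are
constructed sample values.
"""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
HEADER_FMT = "!BBHHH"  # type, code, checksum, identifier, sequence


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # odd-length payload is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialize an echo request/reply with its checksum filled in."""
    header = struct.pack(HEADER_FMT, msg_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack(HEADER_FMT, msg_type, 0, csum, ident, seq) + payload


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    return build_echo(ICMP_ECHO_REQUEST, ident, seq, payload)


def parse_echo(packet: bytes) -> dict:
    """Parse an echo message; a corrupted packet fails the checksum check."""
    if len(packet) < 8:
        raise ValueError("ICMP message too short")
    msg_type, code, _csum, ident, seq = struct.unpack(HEADER_FMT, packet[:8])
    if icmp_checksum(packet) != 0:  # a valid packet checksums to zero
        raise ValueError("bad ICMP checksum")
    if msg_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("not an echo message (type %d)" % msg_type)
    return {"type": msg_type, "code": code, "id": ident, "seq": seq,
            "payload": packet[8:]}


def make_reply(request: bytes) -> bytes:
    """What the pinged host returns: type 0, same id, sequence and payload."""
    req = parse_echo(request)
    return build_echo(ICMP_ECHO_REPLY, req["id"], req["seq"], req["payload"])


def match_reply(request: bytes, reply: bytes) -> bool:
    """A reply answers our request only if id, sequence and payload all match.

    The id/seq check is what lets a ping tool pair each reply with the
    request it timed, and ignore stray echo replies from other traffic.
    """
    req, rep = parse_echo(request), parse_echo(reply)
    return (rep["type"] == ICMP_ECHO_REPLY and rep["id"] == req["id"]
            and rep["seq"] == req["seq"] and rep["payload"] == req["payload"])


if __name__ == "__main__":
    request = build_echo_request(ident=0x1234, seq=1, payload=b"sample-ping-data")
    reply = make_reply(request)
    print(request.hex(), reply.hex(), match_reply(request, reply))
```

Sending the request on a real network needs a raw socket (and therefore privileges); the round-trip time from the slide is simply the time between sending the request and receiving the matching reply.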

Page 55:

ICMP Traceback

ICMP Traceback is a way to determine the real source of an attack, especially in DoS attacks and their variants: we work back from the victim to the origin of the packets (backtracking).
There are two general methods:
1- IP logging.
2- IP marking.

Page 56:

ICMP Traceback

In IP logging, each router stores log information about the packets it forwards in tables; when we trace back, we query the tables of each router in turn and finally arrive at the source.
In IP marking, each router adds identifying information to every packet it forwards, so the packet itself carries the path back to its real source.

Page 57:

ICMP Traceback

For a very few packets (about 1 in 20,000), each router will send the destination a new ICMP message indicating the previous hop for that packet.
The net traffic increase at the endpoint, summed over the routers on the path, is about 0.1%, which is probably acceptable.
Issues: authentication of the traceback messages, loss of traceback packets, load on routers.
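A simulation of the scheme just described, as an added example that is not part of the original slides: routers sample the attack stream at the stated rate and send the victim an authenticated (router, previous hop) message, and the victim chains those links back to the attacker's first router. Router names, the shared HMAC key, the loss rate and the seeded random source are assumptions of the simulation; the HMAC is one way to address the authentication issue listed above, and the loss parameter shows that dropped traceback messages only cost more attack packets before the path is complete.

```python
"""Simulation of ICMP Traceback (iTrace) path reconstruction at the victim.

Added example, not from the original slides. Each router on the path
forwards the attack stream and, for about 1 in 20,000 packets, sends the
destination a traceback message naming itself and the previous hop. The
victim chains those (router, previous hop) links back to the attacker's
first router. Router names, the sampling-rate parameter, the shared HMAC
key and the loss rate are assumptions of the simulation; the HMAC is one
answer to the authentication issue the slides list, so a spoofed
traceback message cannot plant a false hop.
"""
import hashlib
import hmac
import random
from collections import Counter

SAMPLE_RATE = 1 / 20000             # one traceback message per 20,000 packets per router
TRACEBACK_KEY = b"demo-itrace-key"  # assumed key shared by routers and the victim


def traceback_message(router: str, prev_hop: str, key: bytes = TRACEBACK_KEY) -> dict:
    """Router side: authenticated 'I am <router>; this packet came from <prev_hop>'."""
    body = ("%s|%s" % (router, prev_hop)).encode()
    return {"router": router, "prev": prev_hop,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_message(msg: dict, key: bytes = TRACEBACK_KEY) -> bool:
    body = ("%s|%s" % (msg["router"], msg["prev"])).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["mac"])


def overhead_fraction(n_hops: int, sample_rate: float = SAMPLE_RATE) -> float:
    """Extra traffic at the endpoint: every router on the path samples independently."""
    return n_hops * sample_rate


def forward_attack(path, n_packets, seed=0, sample_rate=SAMPLE_RATE, loss=0.0):
    """Forward n_packets through path; return traceback messages that reach the victim.

    path[0] is the attacker's first router, path[-1] the router next to the victim.
    `loss` is the probability that a traceback message is dropped on the way.
    """
    rng = random.Random(seed)
    msgs = []
    for _ in range(n_packets):
        prev = "attacker"
        for router in path:
            if rng.random() < sample_rate and rng.random() >= loss:
                msgs.append(traceback_message(router, prev))
            prev = router
    return msgs


def reconstruct_path(msgs, victim_router: str):
    """Victim side: follow the most-reported previous hop from its own router back."""
    links = Counter()
    for m in msgs:
        if verify_message(m):  # unauthenticated (spoofed) messages are ignored
            links[(m["router"], m["prev"])] += 1
    best_prev = {}
    for (router, prev), count in links.items():
        if count > best_prev.get(router, (None, 0))[1]:
            best_prev[router] = (prev, count)
    path, cur = [], victim_router
    while cur in best_prev and cur not in path:
        path.append(cur)
        cur = best_prev[cur][0]
    path.append(cur)  # "attacker" if fully traced, else the last hop we could reach
    return path


if __name__ == "__main__":
    route = ["R1", "R2", "R3", "R4", "R5"]
    msgs = forward_attack(route, 200_000, seed=7)
    print(len(msgs), "traceback messages;", reconstruct_path(msgs, "R5"))
```

With the real 1/20,000 rate a five-router path needs on the order of 10^5 attack packets before every router has reported at least once; a flood supplies that quickly, which is why the scheme only helps against sustained attacks.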

Page 58:

Overview

What happens these days on

Page 59:

Throw away requests
(Diagram: the client sends "Hello?" to the server again and again; the server's buffer is full and the requests are thrown away.)
Problem: Legitimate clients must keep retrying.

Page 60:

IP Tracing (or Syncookies)
(Diagram: the client sends a request announcing "Hi. My name is 10.100.16.126."; the server traces the claimed source address, or uses a SYN cookie, before the request takes space in its buffer.)
Problems: can be evaded, particularly on, e.g., Ethernet.

Page 61:

Digital signatures
(Diagram: the client signs its request; the server verifies the signature before the request takes space in its buffer.)
Problems: requires a carefully regulated PKI; does not allow for anonymity.

Page 62:

Connection timeout
(Diagram: the server times out connections that are not completed.)
Problem: Hard to achieve a balance between security and latency demands.

Page 63:

A Solution: client puzzles
by Juels and Brainard, with improvement by Wang and Reiter

Page 64:

Intuition
(Diagram, a restaurant reservation:
Client: "Table for four at 8 o'clock. Name of Mr. Smith."
Restaurant: "Please solve this puzzle."
Client: "O.K." (solves the puzzle)
Restaurant: "O.K., Mr. Smith.")

Page 65:

Intuition
Suppose:
A puzzle takes an hour to solve.
There are 40 tables in the restaurant.
Reservations are taken at most one day in advance.
Then one adversary can solve at most 24 puzzles a day, fewer than the 40 tables, so a single caller can no longer book out the whole restaurant.

Page 66:

The client puzzle protocol
(Diagram: the Client sends Service request R to the Server; the Server returns a puzzle; the Client returns the solution; the Server answers O.K. and only then commits space in its buffer.)

Page 67:

What does a puzzle look like?

Page 68:

Puzzle basis: partial hash inversion
(Diagram: a 160-bit pre-image X hashes to the image Y. The partial image X' is X with k bits hidden ("?"). The pair (X', Y) is a k-bit-hard puzzle: the solver must recover the k hidden bits.)

Page 69:

Puzzle construction
(Diagram: the Client sends Service request R to the Server; the Server holds a secret S.)

Page 70:

Puzzle construction
Server computes:
pre-image X = hash(secret S, time T, request R)
image Y = hash(X)
Puzzle = (X', Y)
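The construction on the last three slides carried through in working code, as an added example that is not part of the original slides and not the authors' own implementation: the server derives X from (S, T, R), hides the low k bits, the client brute-forces them, and the server verifies statelessly by recomputing X. The server secret, the freshness window, the choice of SHA-1 for the 160-bit width and the k values are assumptions of this demo; the replay check and the window are additions a practitioner would want, since a solved puzzle should be redeemable only once and only while it is fresh.

```python
"""Client puzzle protocol based on partial hash inversion.

Added example, not from the original slides, in the style the slides
describe (Juels and Brainard): the server derives the 160-bit pre-image
X = H(S, T, R) from its secret S, a time counter T and the request R,
publishes the puzzle (X', Y) with X' = X minus its low k bits and
Y = H(X), and the client brute-forces the k hidden bits. The server then
verifies statelessly by recomputing X from (S, T, R); it additionally
rejects puzzles older than PUZZLE_WINDOW ticks and solutions it has
already redeemed, so a solved puzzle cannot be replayed. The secret,
window size, hash choice (SHA-1 for the 160-bit width) and k values are
assumptions of this demo.
"""
import hashlib
import hmac
import os

HASH_BYTES = 20     # SHA-1: the 160-bit pre-image of the slides
PUZZLE_WINDOW = 2   # ticks of T during which a puzzle may still be redeemed (assumption)


def H(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def preimage(secret: bytes, t: int, request: bytes) -> bytes:
    """X = H(S || T || R); the server can recompute it from its own inputs."""
    return H(secret + t.to_bytes(8, "big") + request)


def make_puzzle(secret: bytes, t: int, request: bytes, k: int) -> dict:
    """Server side: hide the low k bits of X, publish the rest together with Y = H(X)."""
    x = preimage(secret, t, request)
    x_partial = int.from_bytes(x, "big") & ~((1 << k) - 1)
    return {"t": t, "k": k, "x_partial": x_partial.to_bytes(HASH_BYTES, "big"), "y": H(x)}


def solve_puzzle(puzzle: dict) -> bytes:
    """Client side: try all 2^k fillings of the hidden bits (2^(k-1) hashes on average)."""
    base = int.from_bytes(puzzle["x_partial"], "big")
    for guess in range(1 << puzzle["k"]):
        candidate = (base | guess).to_bytes(HASH_BYTES, "big")
        if H(candidate) == puzzle["y"]:
            return candidate
    raise ValueError("no solution: puzzle is malformed")


class PuzzleServer:
    """Issues puzzles and redeems solutions without storing the puzzles themselves."""

    def __init__(self, k: int, secret: bytes = b""):
        self.secret = secret or os.urandom(32)  # assumed long-lived server secret
        self.k = k             # difficulty; raise it while under attack
        self.tick = 0          # the time counter T; advance from a clock in practice
        self.redeemed = set()  # (T, R) pairs already accepted, to stop replay

    def issue(self, request: bytes) -> dict:
        return make_puzzle(self.secret, self.tick, request, self.k)

    def accept(self, request: bytes, puzzle: dict, solution: bytes) -> bool:
        """Return True only for a fresh, unreplayed, correct solution."""
        if not 0 <= self.tick - puzzle["t"] < PUZZLE_WINDOW:
            return False  # stale (or future) puzzle
        if (puzzle["t"], request) in self.redeemed:
            return False  # already used once
        if not hmac.compare_digest(preimage(self.secret, puzzle["t"], request), solution):
            return False  # wrong bits
        self.redeemed.add((puzzle["t"], request))
        return True


if __name__ == "__main__":
    server = PuzzleServer(k=16)
    req = b"service request R from 10.0.0.7"  # constructed sample request
    puzzle = server.issue(req)
    solution = solve_puzzle(puzzle)
    print("k =", puzzle["k"], "accepted:", server.accept(req, puzzle, solution),
          "replay:", server.accept(req, puzzle, solution))
```

Because X is a function of the server's secret and the request, the server keeps no per-puzzle state beyond the small replay set, which is the point: a flood of requests costs the server one hash per request and costs the attacker 2^(k-1) hashes per request on average.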

Page 71:

Puzzles cannot always be used
The attack may be carried out over phones, SMS, MMS or physical mail, where it may not be possible to add puzzles.
Sometimes the adversary will be more powerful than normal users (e.g., a computer vs. a cell phone).


Page 73:

Presented to Dr. Loa'e Al-Tawalbeh
Executed by Mohammed Hussain
Course: Intrusion Detection and Hacker Exploits
Winter, Jan 2007
