24/7 Solutions - The basic types of network security attacks.


All network attacks exploit bugs in protocols or in their implementations. There are many variants of network attack, but the overwhelming majority are based on five well-known types:

  • Attacks based on IP fragmentation
  • IP Spoofing
  • TCP Session Hijacking
  • ARP Spoofing
  • DNS Spoofing

1. Attacks based on IP fragmentation


Attacks of this type are now rarely used, because modern firewalls reliably protect against them. They come in two types: Tiny Fragments and Fragment Overlapping.

Tiny Fragments

The attack consists of a TCP connection request fragmented into two IP packets. The first IP packet is 68 bytes long and contains only the first eight bytes of the TCP header (source port, destination port, and sequence number). The data of the second IP packet contains the TCP connection request (the SYN flag is set, the ACK flag is cleared).

Packet filters apply the same rule to all fragments of a packet. The rule is chosen from the first fragment (offset = 0), and all other fragments of the packet are then processed under it without any additional checks. Thus, when the target computer reassembles the fragments, a packet carrying the connection request is formed. As a result, the connection is established even though the packet filter should have prevented it.

Fragment Overlapping

This type of attack also consists of splitting an IP packet into two fragments. The packet filter passes the first 68-byte packet because it does not contain a TCP connection request (SYN flag = 0 and ACK flag = 0). That rule is applied to all fragments of the packet. The second fragment (with offset = 1), which contains the real connection data, is passed by the filter because the filter does not see that this fragment contains a connection request. On reassembly, the data of the second fragment overwrites the data of the first starting from the eighth byte (since offset = 1). The resulting packet is a valid connection request for the target computer. The connection is established despite the packet filter.
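Both variants are stopped by two per-fragment checks of the kind recommended in RFC 1858: refuse a first TCP fragment too short to hold the flags, and refuse any TCP fragment at offset 1. The Python sketch below is an added example, not code from the original article; `check_fragment`, the `TMIN` value and the sample packets are assumptions constructed for the demonstration.

```python
import struct

TCP = 6
TMIN = 20  # assumption: demand the whole fixed TCP header (flags sit at byte 13)

def check_fragment(pkt: bytes) -> str:
    """Classify one IPv4 packet: 'pass' or 'drop:<reason>'."""
    if len(pkt) < 20:
        return "drop:short"
    ihl = (pkt[0] & 0x0F) * 4
    total_len, _ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return "drop:malformed"
    if pkt[9] != TCP:
        return "pass"
    offset = flags_off & 0x1FFF          # fragment offset, in 8-byte units
    if offset == 0 and total_len - ihl < TMIN:
        return "drop:tiny-fragment"      # flags are missing from the first fragment
    if offset == 1:
        return "drop:overlap"            # would overwrite TCP header bytes 8 onwards
    return "pass"

def ipv4(payload: bytes, frag_off=0, more=False, ihl=5) -> bytes:
    """Build a constructed IPv4/TCP packet for the demo (checksum left at 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 1,
                      (0x2000 if more else 0) | frag_off, 64, TCP, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + bytes(ihl * 4 - 20) + payload   # zero bytes = End of Option List

# Constructed sample: a 20-byte TCP header with SYN set and ACK cleared.
SYN = struct.pack("!HHIIBBHHH", 40000, 23, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)

if __name__ == "__main__":
    samples = {
        "whole SYN": ipv4(SYN),
        "68-byte first fragment": ipv4(SYN[:8], more=True, ihl=15),
        "fragment at offset 1": ipv4(SYN[8:], frag_off=1),
        "later fragment (offset 3)": ipv4(b"data" * 4, frag_off=3),
    }
    for label, pkt in samples.items():
        print(f"{label:28} {len(pkt):3} bytes -> {check_fragment(pkt)}")
```

Because the checks look at each fragment on its own, the filter needs no reassembly state.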

2. IP Spoofing


The purpose of this attack is to usurp the IP address of a particular computer. This allows the attacker either to hide the source of an attack (as is done in denial-of-service attacks) or to take advantage of a trust relationship between two computers. Here we consider the second use of IP spoofing.

For the attacker, the basic principle of the attack is to forge IP packets (for example, with programs such as hping2 or nemesis), changing, among other things, the source IP address. IP spoofing is often called Blind Spoofing. This is because replies to the forged packets cannot reach the attacker's computer, since the source address has been changed; they are sent to the computer whose address the attacker used for the substitution. Nevertheless, there are two methods of receiving the replies:

  • Source Routing: the IP protocol has a source routing option that allows a route to be set for reply packets. The route is a list of IP addresses of routers through which the packet must pass. It is enough for the attacker to specify a route that leads to a router under the attacker's control. Nowadays, most TCP/IP stack implementations reject source-routed packets;
  • Re-routing: if a router uses the RIP protocol, its tables can be changed by sending it RIP packets with new routing information. In this way the attacker directs packets to a router under the attacker's control.
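Rejecting source-routed packets, as most stacks now do, comes down to walking the IPv4 options and looking for the two source-route option types (131, loose, and 137, strict). The Python sketch below is an added example, not code from the original article; the function names and the sample header are assumptions constructed for the demonstration.

```python
import struct

SOURCE_ROUTE = {131: "LSRR", 137: "SSRR"}   # loose / strict source and record route

def source_route_options(pkt: bytes) -> list:
    """Return the names of the source-route options present in an IPv4 header."""
    ihl = (pkt[0] & 0x0F) * 4 if pkt else 0
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    found, i = [], 20
    while i < ihl:
        kind = pkt[i]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No Operation, a single byte
            i += 1
            continue
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            raise ValueError("bad option length")
        if kind in SOURCE_ROUTE:
            found.append(SOURCE_ROUTE[kind])
        i += pkt[i + 1]
    return found

def header(options: bytes = b"") -> bytes:
    """Constructed IPv4 header for the demo; options must be a multiple of 4 bytes."""
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4, 1, 0, 64, 6, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + options

# Constructed option: LSRR, length 7, pointer 4, one hop 198.51.100.1, EOL padding.
LSRR_OPT = bytes([131, 7, 4, 198, 51, 100, 1, 0])

if __name__ == "__main__":
    for label, pkt in (("plain header", header()), ("with LSRR", header(LSRR_OPT))):
        opts = source_route_options(pkt)
        print(label, "->", "drop " + ",".join(opts) if opts else "pass")
```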

3. TCP Session Hijacking


Hijacking a TCP session allows the attacker to redirect a TCP stream. The attacker can then bypass password protection (as in telnet or ftp). The need to listen to (sniff) the traffic limits this type of attack to the physical network segment of the target host.

Suppose the attacker, on computer 3, wants to hijack a telnet session between computers 1 and 2. First the attacker listens to the telnet traffic (TCP port 23) between 1 and 2. Once the attacker decides that computer 1 has authenticated to the telnet service on computer 2, the attacker desynchronizes the connection. To do this, a packet is generated with the source address of computer 1 and the acknowledgement number that computer 2 expects. Naturally, computer 2 accepts this packet. Besides desynchronizing the TCP session, this packet allows the attacker to execute a command in the telnet session established by computer 1, because the packet can carry data.

4. ARP Spoofing


This attack, also known as ARP Redirect, redirects network traffic from one or more computers to the attacker's computer. It is carried out on the victim's physical network.

The attack modifies the ARP cache of the target computer. The attacker sends ARP replies to the target computer that announce a new MAC address for (for example) the IP address of the gateway. In reality, this MAC address belongs to the interface of the attacker's computer. Hence, all traffic to the gateway is now received by the attacker's computer, where it can be sniffed (and/or modified). The traffic is then passed on to its real destination, so nobody notices the change.

ARP spoofing is used on local networks built on switches. It makes it possible to redirect a stream of Ethernet frames to other ports according to the MAC address. The attacker can then intercept all packets on that port. Thus, ARP spoofing allows interception of the traffic of computers located on different ports of the switches.

To carry out an ARP spoofing attack, the attacker can use ARP packet generators, for example ARPSpoof or nemesis.
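Since the attack works by replacing an IP-to-MAC binding in the cache, it can be detected by remembering the bindings already seen and flagging any ARP message that contradicts them, above all one for the gateway. The Python sketch below is an added example, not code from the original article; the class, the pinned gateway entry and every address in it are assumptions constructed for the demonstration.

```python
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def parse_arp(payload: bytes):
    """Return (oper, sender_mac, sender_ip) from an Ethernet/IPv4 ARP payload."""
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, _tpa = struct.unpack(
        ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return oper, sha.hex(":"), ".".join(map(str, spa))

class ArpWatch:
    """Track IP -> MAC bindings and report ARP messages that contradict them."""
    def __init__(self, pinned=None):
        self.bindings = dict(pinned or {})   # e.g. the gateway, entered by hand

    def observe(self, payload: bytes):
        oper, mac, ip = parse_arp(payload)
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac          # first sighting: learn it
            return None
        if known != mac:                     # keep the old binding, raise an alert
            kind = "reply" if oper == 2 else "request"
            return f"{ip} moved from {known} to {mac} (ARP {kind})"
        return None

def arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Build a constructed ARP reply payload for the demo."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 2, mac(sender_mac), ip(sender_ip),
                       mac(target_mac), ip(target_ip))

GATEWAY = {"192.168.0.1": "00:11:22:33:44:55"}   # constructed gateway binding

def demo():
    host = ("02:00:00:00:00:10", "192.168.0.10")
    watch = ArpWatch(GATEWAY)
    frames = [arp_reply("00:11:22:33:44:55", "192.168.0.1", *host),
              arp_reply(*host, "00:11:22:33:44:55", "192.168.0.1"),
              arp_reply("02:00:00:00:00:66", "192.168.0.1", *host)]
    return [watch.observe(f) for f in frames]

if __name__ == "__main__":
    for alert in demo():
        print(alert or "ok")
```

A legitimate hardware replacement produces the same alert, so the result is something to investigate rather than block automatically.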

5. DNS Spoofing


DNS (Domain Name System) translates a domain name into its IP address (for example, 192.168.0.1) and vice versa. This attack works by sending false answers to the victim's DNS queries. It is based on two basic methods:

DNS ID Spoofing

The header of a DNS protocol packet contains an identification field that is used to match queries with answers. The purpose of DNS ID spoofing is to send an answer to a DNS query before the real DNS server answers. To do this, the identifier of the query has to be predicted. On a local network this is done simply by listening to the network traffic.
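On the querying side, the identification field only helps if it is unpredictable and if an answer is accepted only when the ID, the question and the sender all match the outstanding query. The Python sketch below is an added example, not code from the original article; the function names, the server address and the sample messages are assumptions constructed for the demonstration.

```python
import secrets
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a DNS query with an unpredictable 16-bit ID (RD flag set)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", secrets.randbelow(1 << 16), 0x0100, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)

def question(msg: bytes):
    """Return (name, qtype, qclass) of the first question in a DNS message."""
    i, labels = 12, []
    while msg[i]:
        n = msg[i]
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[i + 1:i + 1 + n].decode("ascii").lower())
        i += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[i + 1:i + 5])
    return ".".join(labels), qtype, qclass

def check_response(query: bytes, resp: bytes, sent_to, came_from) -> str:
    """Decide whether resp may be treated as the answer to query."""
    if came_from != sent_to:
        return "reject:source"           # not the (address, port) that was asked
    if len(resp) < 12:
        return "reject:short"
    qid, = struct.unpack("!H", query[:2])
    rid, flags, qdcount = struct.unpack("!HHH", resp[:6])
    if not flags & 0x8000:
        return "reject:not-a-response"   # QR bit clear
    if rid != qid:
        return "reject:id"               # identification field does not match
    try:
        same = qdcount == 1 and question(resp) == question(query)
    except (IndexError, ValueError, struct.error):
        return "reject:malformed"
    return "accept" if same else "reject:question"

if __name__ == "__main__":
    server = ("192.0.2.53", 53)                        # constructed resolver address
    q = build_query("www.example.com")
    reply = q[:2] + struct.pack("!H", 0x8180) + q[4:]  # constructed empty answer
    print(check_response(q, reply, server, server))
    print(check_response(q, b"\x00\x00" + reply[2:], server, server))
```

A sender who can listen to the query on the local network, as described above, sees the ID and passes every one of these checks; they only filter out answers from senders who had to guess.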

DNS Cache Poisoning

DNS servers use a cache to store the results of previous queries for some time. This avoids constantly repeating queries to the servers of the corresponding domains. The second variant of the DNS spoofing attack consists of changing the cache of a DNS server.