4.0 Network Security

4.2 Compare and Contrast common types of Attacks

Last edited 301 days ago by Makiel [Muh-Keel]

Technology-Based Attacks

Technology-based attacks are those that take advantage of weaknesses in software and the protocols that systems use to communicate with one another. This is in contrast to attacks that target environmental or human weaknesses.
A Denial Of Service (DoS) attack does exactly what it sounds like it would do—it prevents users from accessing the network and/or its resources. Today, DoS attacks are commonly launched against a major company's intranet and especially its websites.
Distributed Denial Of Service (DDoS) attacks amplify regular DoS attacks by recruiting helpers in the attack process. A DDoS attack occurs when a threat actor uses resources from multiple, remote locations to attack an organization’s online operations. Usually, DDoS attacks focus on generating attacks that manipulate the default, or even proper workings, of network equipment and services (e.g., routers, naming services or caching services).
There are a number of different DDoS attacks.
During a Ping of Death attack, a humongous ICMP packet is sent to the remote host victim, totally flooding the victim's buffer and causing the system to reboot or helplessly hang there, drowning. It's good to know that patches are available for most operating systems to prevent a Ping of Death attack from working.
Thankfully, most networking operating systems are updated to prevent this DDoS attack from happening.
A Botnet is a group of programs connected on the Internet for the purpose of performing a task in a coordinated manner. Some botnets, such as those created to maintain control of Internet Relay Chat (IRC) channels, are legal, while others are illegally created to foist a DDoS. An attacker can recruit and build a botnet to help amplify a DoS attack.
An Unintentional DoS attack (also referred to as an attack from “friendly fire”) is one that is not caused by malicious individuals; instead, it's a spike in activity to a website or resource that overpowers its ability to respond. In many cases, it is the result of a relatively unknown URL suddenly being shared in a larger medium such as a popular TV or news show.
An attack called a Phlashing Denial of service (PDoS) attacks the firmware located in many systems. Using tools that fuzz (introduce errors) the firmware, attackers cause the device to be unusable. This is an example of a Permanent DoS.
A SYN flood is also a DoS attack that inundates the receiving machine with lots of packets that cause the victim to waste resources by holding connections open. You can see that the preyed-upon machine can't respond to any other requests because its buffers are already overloaded, and it therefore rejects all packets requesting connections, even valid ones, which is the idea behind the attack.
The good news is that patches to help guard against this type of attack are available for the various network operating systems today.
1.) The attacker sends large amounts of SYN requests to a webserver.
2.) The webserver sends back a large amount of SYN-ACK requests.
3.) The attacker intentionally leaves the webserver hanging by not sending the final ACK request involved in a typical three-way handshake.
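The half-open handshakes left behind by the three steps above can be counted on the server side. The following is an added example, not part of the original notes; the event tuples, the threshold of 3 and the 30-second timeout are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events: (seconds, source_ip, source_port, tcp_flag)
# as a server-side sensor might record them. Addresses are documentation ranges.
SAMPLE_EVENTS = [
    (0.0, "198.51.100.7", 40001, "SYN"),
    (0.1, "198.51.100.7", 40001, "ACK"),   # handshake completed
    (0.2, "203.0.113.9", 50001, "SYN"),
    (0.3, "203.0.113.9", 50002, "SYN"),
    (0.4, "203.0.113.9", 50003, "SYN"),
    (0.5, "203.0.113.9", 50004, "SYN"),    # none of these is ever ACKed
    (1.0, "198.51.100.8", 40002, "SYN"),
    (1.2, "198.51.100.8", 40002, "ACK"),
]

def half_open_by_source(events, now, timeout=30.0):
    """Count connections per source that sent a SYN but never the final ACK.

    Entries older than `timeout` seconds are ignored, the way a server
    expires stale entries from its SYN backlog.
    """
    pending = {}  # (ip, port) -> time the SYN was seen
    for ts, ip, port, flag in events:
        if flag == "SYN":
            pending[(ip, port)] = ts
        elif flag == "ACK":
            pending.pop((ip, port), None)  # step 3 happened: handshake done
    counts = defaultdict(int)
    for (ip, _port), ts in pending.items():
        if now - ts <= timeout:
            counts[ip] += 1
    return dict(counts)

def suspected_flooders(events, now, threshold=3, timeout=30.0):
    """Return sources whose half-open count reaches the assumed threshold."""
    counts = half_open_by_source(events, now, timeout)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(half_open_by_source(SAMPLE_EVENTS, now=2.0))
    print(suspected_flooders(SAMPLE_EVENTS, now=2.0))
```

Because source addresses can be forged, the total number of half-open entries is often a more reliable signal than the per-source count.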
A DDoS-DNS amplified attack is a form of reflection attack in that the attacker delivers traffic to the victim by reflecting it off a third party. Reflection conceals the source of the attack. It relies on the exploitation of publicly accessible open DNS servers to deluge (flood) victims with DNS response traffic. An overwhelming amount of DNS requests will eventually cripple the victim’s server.
DDoS-NTP amplified attacks use the same process of recruiting bots to aid the attacks; they reflect off Network Time Protocol (NTP) servers. These servers are used to maintain time synchronization between devices in a network.

An On-Path Attack (previously known as a man-in-the-middle attack) happens when someone intercepts packets intended for one computer and reads the data. Rogue ATM machines and even credit-card swipers are tools that are also increasingly used for this type of attack. Figure 17.5 shows an on-path/man-in-the-middle attack.

(1) DNS clients send requests for name to IP address resolution (called queries) to a DNS server. The search for the IP address that goes with a computer or domain name usually starts with a local DNS server that is not authoritative for the DNS domain in which the requested computer or website resides. (2) When this occurs, the local DNS server makes a request of the DNS server that does hold the record in question. (3) After the local DNS server receives the answer, it returns it to the local DNS client. (4) After this, the local DNS server maintains that record in its DNS cache for a period called the time to live (TTL), which is usually an hour but can vary.
DNS Poisoning occurs when an attacker attempts to refresh or update that record when it expires with a different address than the correct address. If the attacker can convince the DNS server to accept this refresh, the local DNS server will then be responding to client requests for that computer with the address inserted by the attacker.
Typically, the address they now receive is for a fake website that appears to look in every way like the site the client is requesting. The hacker can then harvest all the name and password combinations entered on his fake site.
To prevent this type of attack, the DNS servers should be limited in the updates they accept. In most DNS software, you can restrict the DNS servers from which a server will accept updates. This can help prevent the server from accepting these false updates.
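The cache lifetime and the update restriction described above can be modelled in a few lines. This is an added example, not part of the original notes and not any DNS product's code; the class, the names and the addresses are constructed for illustration.

```python
import time

class DnsCache:
    """Toy resolver cache: TTL expiry plus an allow-list of update sources."""

    def __init__(self, trusted_servers, clock=time.monotonic):
        self.trusted = set(trusted_servers)
        self.clock = clock
        self.records = {}    # name -> (address, expiry time)
        self.rejected = []   # (name, address, source) kept for auditing

    def update(self, name, address, ttl, source):
        """Store a record only if it comes from a trusted upstream server."""
        if source not in self.trusted:
            self.rejected.append((name, address, source))
            return False
        self.records[name] = (address, self.clock() + ttl)
        return True

    def lookup(self, name):
        """Return the cached address, or None if missing or expired."""
        entry = self.records.get(name)
        if entry is None:
            return None
        address, expires = entry
        if self.clock() >= expires:
            del self.records[name]
            return None
        return address

def run_scenario():
    """Replay the poisoning attempt: a forged refresh arrives after the TTL expires."""
    now = [0.0]                                   # fake clock for a repeatable run
    cache = DnsCache({"192.0.2.53"}, clock=lambda: now[0])
    cache.update("bank.example", "192.0.2.10", 3600, "192.0.2.53")
    now[0] = 3601                                 # the one-hour TTL has passed
    forged = cache.update("bank.example", "203.0.113.66", 3600, "203.0.113.1")
    after_forged = cache.lookup("bank.example")   # nothing cached, nothing poisoned
    cache.update("bank.example", "192.0.2.10", 3600, "192.0.2.53")
    return forged, after_forged, cache.lookup("bank.example"), cache.rejected

if __name__ == "__main__":
    print(run_scenario())
```

The rejected list is worth logging: repeated refused updates for the same name are a sign that someone is trying to replace the record.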

A VLAN hopping attack results in traffic from one VLAN being re-directed to the wrong VLAN by an attacker. Normally, this is prevented by the trunking protocol placing a VLAN tag in the packet to identify the VLAN to which the traffic belongs.
The attacker can circumvent this by a process called double tagging, which is placing a fake VLAN tag into the packet along with the real tag. When the frame goes through multiple switches, the real tag is taken off by the first switch, leaving the fake tag. When the frame reaches the second switch, the fake tag is read and the frame is sent to the VLAN to which the hacker intended the frame to go.
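To see what a stacked tag looks like on the wire, the added example below (not part of the original notes) parses the VLAN tags out of an Ethernet frame and flags frames that carry more than one. The sample frames, MAC addresses and VLAN IDs are constructed.

```python
import struct

TPID_8021Q = 0x8100    # IEEE 802.1Q VLAN tag
TPID_8021AD = 0x88A8   # IEEE 802.1ad service tag (provider QinQ)

# Constructed frames: placeholder MACs, optional tags, IPv4 EtherType, zero payload.
UNTAGGED = bytes.fromhex("020000000001" "020000000002" "0800") + bytes(46)
SINGLE_TAGGED = bytes.fromhex("020000000001" "020000000002"
                              "8100000a" "0800") + bytes(46)
DOUBLE_TAGGED = bytes.fromhex("020000000001" "020000000002"
                              "81000001" "81000014" "0800") + bytes(46)

def vlan_tags(frame):
    """Return the VLAN IDs found in an Ethernet frame, outermost tag first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, vids = 12, []              # skip destination and source MAC
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vids                # reached the real EtherType
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)      # low 12 bits of the TCI are the VLAN ID
        offset += 4

def is_double_tagged(frame):
    """True when a frame carries two or more stacked VLAN tags."""
    return len(vlan_tags(frame)) >= 2

if __name__ == "__main__":
    for name, frame in (("untagged", UNTAGGED), ("single", SINGLE_TAGGED),
                        ("double", DOUBLE_TAGGED)):
        print(name, vlan_tags(frame), is_double_tagged(frame))
```

On a port that faces end-user devices, any frame for which `is_double_tagged` returns True is worth dropping and logging, since hosts there have no reason to send stacked tags.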

ARP spoofing is the process of adopting another system's MAC address for the purpose of receiving data meant for that system. ARP cache poisoning is usually a part of an on-path/man-in-the-middle attack. The ARP cache contains IP address–to–MAC address mappings that a device has learned through the ARP process; this ARP cache can be swapped out with a spoofed IP/MAC address.
When a Rogue DHCP Server is introduced to the network, unsuspecting hosts may accept DHCP Offer packets from the illegitimate DHCP server rather than the legitimate DHCP server. This is a major problem because the Rogue DHCP Server can assign spoofed IP addresses, subnet masks, and default gateways.
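A monitoring host can notice a swapped IP/MAC mapping by remembering what it has already seen. The following is an added example, not part of the original notes; the ARP replies are constructed and use documentation addresses.

```python
from collections import defaultdict

# Constructed ARP replies as (seconds, sender_ip, sender_mac); not real traffic.
SAMPLE_ARP_REPLIES = [
    (1, "192.0.2.1", "02:00:00:00:00:01"),    # default gateway
    (2, "192.0.2.20", "02:00:00:00:00:14"),   # workstation
    (30, "192.0.2.1", "02:00:00:00:00:66"),   # gateway IP now maps to a new MAC
    (31, "192.0.2.20", "02:00:00:00:00:66"),  # same MAC also claims the workstation
]

def arp_mapping_changes(replies):
    """Return (time, ip, old_mac, new_mac) each time a known IP changes MAC."""
    cache, alerts = {}, []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = cache.get(ip)
        if known is not None and known != mac:
            alerts.append((ts, ip, known, mac))
        cache[ip] = mac
    return alerts

def macs_claiming_multiple_ips(replies):
    """Return {mac: [ips]} for MACs that answer for more than one IP address."""
    owners = defaultdict(set)
    for _ts, ip, mac in replies:
        owners[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in owners.items() if len(ips) > 1}

if __name__ == "__main__":
    print(arp_mapping_changes(SAMPLE_ARP_REPLIES))
    print(macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES))
```

A replaced network card or a reassigned address produces the same alert, so a change is a prompt to investigate, and a change on the gateway's address deserves the most attention.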
It can also issue an incorrect DNS server address, which will lead to the host relying on the attacker's DNS server for the IP addresses of websites (such as those resembling major banks' websites) that lead to phishing attacks.
This leads the client to unwittingly connect to the attacker's copy of the bank's website. When the client enters his credentials to log in, the attacker now has the client's bank credentials and can proceed to empty out his account.

Rogue Access Points (AP) are APs that have been connected to your wired infrastructure without your knowledge. The rogue AP may have been placed there by a determined hacker who snuck into your facility and put it in an out-of-the-way location or, more innocently, by an employee who just wants wireless access and doesn't get just how dangerous doing this is.
Either way, it's just like placing an open Ethernet port out in the parking lot with a sign that says “Corporate LAN access here—no password required!”
The hacker likely placed the Rogue AP there to entice your wireless clients to disastrously associate with their rogue AP instead! This ugly trick is achieved by placing their AP on a different channel from your legitimate APs and then setting its SSID to the same name as yours!
But you're not helpless—one way to keep rogue APs out of the wireless network is to employ a wireless LAN controller (WLC) to manage your APs. If an AP is detected that isn't usually managed by the controller, it's classified as a rogue, and if a wireless control system is in use, that rogue can be plotted on a floor plan and located.

An Evil Twin is an AP that is not under your control but is used to perform a hijacking attack. A hijacking attack is one in which the hacker connects one or more of your users' computers to their network for the purpose of a peer-to-peer attack.
It is done by SSID and not by channel. The hacker will “jam” the channel on which your access point is transmitting. When a station gets disconnected from an access point, it scans the area for another access point with the same SSID. The stations will find the hacker's access point (because it has the same SSID as the legitimate AP) and will connect to it.
Ransomware is a class of malware that prevents or limits users from accessing their information or systems, and the only way to regain access to the information is to pay a “Ransom”. In many cases the data is encrypted and the decryption key is only made available to the user when the ransom has been paid.

Password Attacks
Password attacks are one of the most common attacks there are. Cracked or disclosed passwords can lead to severe data breaches.
A brute-force attack is a form of password cracking. The attacker manually attempts every possible combination of numbers and letters that could be in a password. Theoretically, given enough time and processing power, any password can be cracked. When long, complex passwords are used, however, it can take years.
Setting an account lockout policy is the simplest mitigation technique to defeat brute-force attacks.
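The effect of a lockout policy on guess rate can be shown with a small model. This is an added example, not part of the original notes; the limits (5 failures, 15-minute window, 15-minute lock) and the account names are assumptions chosen for illustration.

```python
class LockoutPolicy:
    """Lock an account after too many failed logins inside a time window."""

    def __init__(self, max_failures=5, window=900, lock_duration=900):
        self.max_failures = max_failures
        self.window = window                # seconds in which failures are counted
        self.lock_duration = lock_duration  # seconds the account stays locked
        self.failures = {}                  # account -> recent failure timestamps
        self.locked_until = {}              # account -> unlock time

    def attempt(self, account, password_ok, now):
        """Return 'locked', 'ok' or 'failed' for one login attempt at time `now`."""
        if now < self.locked_until.get(account, 0):
            return "locked"                 # refused without checking the password
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        recent = [t for t in self.failures.get(account, [])
                  if now - t < self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lock_duration
            self.failures.pop(account, None)
        return "failed"


def guesses_evaluated(policy, seconds, account="alice"):
    """Count the wrong guesses actually checked when one arrives every second."""
    return sum(policy.attempt(account, False, t) != "locked"
               for t in range(seconds))


if __name__ == "__main__":
    print(guesses_evaluated(LockoutPolicy(), 86400))
```

With these assumed limits, a source sending one guess per second gets 480 guesses checked in a day instead of 86,400.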
A Dictionary Attack uses all the words in a dictionary until a key is discovered that successfully decrypts the ciphertext. This attack requires considerable time and processing power and is very difficult to complete. It also requires a comprehensive dictionary of words.
An automated program uses the hash of the dictionary word and compares this hash value to entries in the system password file.
To protect against these attacks, you should implement a security rule that says that a password must not be a word found in the dictionary.

MAC spoofing is impersonating another system's MAC address for the following purposes:
To pass through a MAC address filter
To receive data intended for another system
To impersonate a gateway (router interface) for the purpose of receiving all data leaving a subnet.
MAC spoofing is the reason we don't rely solely on security at layer 2 (MAC address filters), while best practices call for basing access on user accounts rather than device properties such as IP addresses or MAC addresses.
IP spoofing is the creation of (IP) packets with a false source IP address to impersonate another computer system. It's usually done to get traffic through a firewall that would normally not be allowed. It may also be used to access a server to which the hacker would normally be disallowed access by their IP address.
A Wireless Deauthentication Attack is a form of a DoS attack in which the attacker sends a large number of management packets called deauthentication frames on the WLAN, causing stations to be disconnected from the access point.
Malicious software (or malware) is a term that describes any software that harms a computer, deletes data, or takes actions the user did not authorize. There is a wide variety of malware types out there.
In their simplest form, Viruses are basically little programs that cause a variety of very bad things to happen on your computer, ranging from merely annoying to totally devastating. They can display a message, delete files, or even send huge amounts of meaningless data over a network to block legitimate messages.
The defining trait of a virus is that it can’t replicate itself to other computers or systems without a user doing something like opening an executable attachment in an email to propagate it.
Writing a unique virus is considered a programming challenge. This is also a big reason why viruses are becoming more and more complex and harder to eliminate.
A Logic Bomb is a type of malware that executes when a particular event takes place. For example, that event could be a time of day or a specific date or it could be the first time you open notepad.exe. Some logic bombs execute when forensics are being undertaken, and in that case the bomb might delete all digital evidence.
Ransomware is a class of malware that prevents or limits users from accessing their information or systems. In many cases the data is encrypted and the decryption key is only made available to the user when the ransom has been paid.
A File Virus attacks executable application and system program files like those with filenames ending in .com, .exe, and .dll. These viruses do their damage by replacing some or all of the target program's code with their own. Only when the compromised file is executed can the virus do its dirty work.
A Macro is basically a script of commonly enacted commands used to automatically carry out tasks without requiring a user to initiate them.
A Macro Virus uses something known as the Visual Basic macro-scripting language to perform nasty things in data files created with programs like those in the Microsoft Office Suite.
Because macros are so easy to write, they're really common and usually fairly harmless, but they can be super annoying! People frequently find them infecting the files they're working on in Microsoft Word and PowerPoint.
Boot-sector viruses work their way into the master boot record that's essentially the ground-zero sector on your hard disk where applications aren't supposed to live. Boot-sector viruses overwrite your boot sector, making it appear as if there's no pointer to your operating system. You know you've got this type of virus when you power up the computer and get a Missing Operating System or Hard Disk Not Found error message.
A Multipartite virus is one that affects both the boot sector and files on your computer, making such a virus particularly dangerous and exasperatingly difficult to remove.

Antivirus software uses definition files that identify known malware. These files must be updated frequently, but the update process can usually be automated so that it requires no help from the user.
Zero-Day Attacks: If a new virus is created that has not yet been identified in the list, you will not be protected until the virus definition is added and the new definition file is downloaded.

War Driving is the act of searching for Wi-Fi wireless networks, usually from a moving vehicle, using a laptop or smartphone.
War Chalking is the drawing of symbols in public places to advertise an open Wi-Fi network.
FTP Bounce is the exploitation of port 20/21 to gain access to a network.
Network Tap can be used morally or immorally to copy and monitor data flows between two points.
Back Door is an intentional vulnerability created by developers in software applications to allow for administrative access.

Human and Environmental

While some vulnerabilities come from technical challenges such as attacks on cryptography and network protocols, many are a result of environmental issues within the facility or of human error and poor network practices by the users.
Social Engineering
Because most of today's sys admins have secured their networks well enough to make it pretty tough for an outsider to gain access, hackers decided to try an easier route to gain information: they just asked the network's users for it.
Social engineering attacks occur when attackers use believable language and user gullibility to obtain user credentials or some other confidential information.
Phishing is a social engineering attack in which attackers try to learn personal information, including credit card information and financial data. This type of attack is usually carried out by implementing a fake website that is nearly identical to a legitimate website.
Users are led there by fake emails that appear to come from a trusted source. Users enter data, including credentials, on the fake website, allowing the attackers to capture any information entered. Spear phishing is a phishing attack carried out against a specific target by learning about the target's habits and likes.
User awareness training is the only way to combat this issue.
Tailgating is the term used for someone being so close to you when you enter a building that they are able to come in right behind you without needing to use a key, a card, or any other security device.
Access control vestibules (mantraps) are a great way to stop tailgating.
Piggybacking and tailgating are similar but not the same. Piggybacking is done with the authorization of the person with access; the authorized person willingly lets the unauthorized person into the building with them. Tailgating is done when the attacker sneaks inside without the person with access knowing.
Shoulder surfing involves nothing more than watching someone when they enter their sensitive data. Privacy filters can be used that make the screen difficult to read unless you are directly in front of it.
