Cybersecurity Network Attacks

31 Terms

1

Main types of attacks

Denial of Service (DoS). Spoofing and sniffing. Wireless and mobile threats. System exploits

2

DoS

an attack that prevents a system or service from responding normally, making it unavailable to do its work or to answer legitimate users. A threat to availability

3

DDoS

distributed DoS: many systems under the attacker's control (a botnet) are used in a coordinated attack, so the target is hit by a traffic spike from thousands of sources at once, which is far harder to filter than a single attacker's address

4

Zombies

compromised computers that take part in a DDoS as members of a botnet, usually without their owners knowing

5

SYN Flood

an attack that abuses the TCP three-way handshake:

  1. attacker sends the initial SYN (usually with a forged source address, so no real host ever answers on its behalf)

  2. victim replies with SYN/ACK and allocates a half-open connection

  3. attacker never sends the final ACK; the victim is left waiting for the handshake to complete

    • the victim keeps each half-open connection in a table (the SYN backlog or queue) of "connections in progress" and holds it until it times out

    • once the backlog is full the victim drops new SYNs, so legitimate clients can no longer connect

6

Unintentional/accidental DoS

  1. happens when a digital resource suddenly becomes popular and cannot handle the increase in demand

    • example: tickets for a popular concert go on sale

  2. solution: plan ahead with redundant servers or elastic capacity so that heavy load can be absorbed

7

permanent DoS (PDoS)

  1. the server is not just overwhelmed but left inoperable: a physical attack (or an attack that corrupts a device's firmware, sometimes called "phlashing") damages or destroys the resource rather than merely saturating it

  2. solution: physical security, plus protecting firmware updates so an attacker cannot push a destructive one

8

how can you tell DDoS may be occurring?

  • sudden and unexpected drop in available internet bandwidth

  • sudden overwhelming number of requests from many hosts outside the network, typically all aimed at one service

  • sudden drain on the victim device's resources (CPU, memory, connection table)
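
Added example (not part of the original card set): a small detector that applies the second and third indicators above to flow records. The record format, the internal address range, the sample traffic and the thresholds are all assumptions made for this illustration; the "drop in bandwidth" indicator needs interface counters and is not modelled.

```python
# Added example: DDoS indicator check over constructed flow records (not the page's own code).
# Assumed record format, one per line: "<epoch_seconds> <src_ip> <dst_ip> <bytes>"
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")     # assumption: our own address space

# Constructed sample traffic: 60 s of quiet traffic to 10.0.0.5, then 60 s in which
# 25 different outside hosts per second hit it.
LOG = []
for t in range(0, 60, 5):
    LOG.append(f"{t} 10.0.1.{(t // 5) % 20 + 1} 10.0.0.5 500")      # internal user
    LOG.append(f"{t} 198.51.100.{(t // 5) % 5 + 1} 10.0.0.5 500")   # a few regular outside users
for t in range(60, 120):
    for n in range(25):
        LOG.append(f"{t} 203.0.113.{(t * 25 + n) % 254 + 1} 10.0.0.5 60")   # flood


def parse(line):
    ts, src, dst, nbytes = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)


def window_stats(lines, window=60):
    """Per (window start, destination): request count and the set of distinct external sources."""
    stats = defaultdict(lambda: {"requests": 0, "external_sources": set()})
    for line in lines:
        ts, src, dst, _ = parse(line)
        key = (ts // window * window, str(dst))
        stats[key]["requests"] += 1
        if src not in INTERNAL:
            stats[key]["external_sources"].add(src)
    return stats


def ddos_indicators(lines, window=60, spike_factor=10, min_sources=100):
    """Flag a window when requests to one destination jump to at least spike_factor times the
    previous window AND come from at least min_sources distinct outside hosts.
    The thresholds are assumptions; tune them against your own baseline."""
    by_dst = defaultdict(list)
    for (start, dst), s in window_stats(lines, window).items():
        by_dst[dst].append((start, s))
    alerts = []
    for dst, series in by_dst.items():
        series.sort(key=lambda item: item[0])
        for (_, prev), (start, cur) in zip(series, series[1:]):
            n_ext = len(cur["external_sources"])
            if cur["requests"] >= spike_factor * max(prev["requests"], 1) and n_ext >= min_sources:
                alerts.append({"dst": dst, "window_start": start,
                               "requests": cur["requests"], "external_sources": n_ext})
    return alerts


if __name__ == "__main__":
    for a in ddos_indicators(LOG):
        print(f"possible DDoS on {a['dst']} from t={a['window_start']}: "
              f"{a['requests']} requests from {a['external_sources']} outside hosts")
```

The quiet window has 24 requests from 5 outside hosts; the next window has 1500 requests from 254 distinct outside hosts, so only that window is flagged. A real deployment would compare against a longer baseline than one previous window.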

9

NETSCOUT Cyber Threat Horizon

a global cybersecurity situational-awareness platform that gives organizations contextualized visibility into "over the horizon" threat activity, in particular DDoS attacks in progress. DDoS can be a tool of censorship: attacks happen on a daily basis, bringing down websites, blogs, email services and the like

10

Mitigating DoS/DDoS attacks

  • Large scale: Project Shield

    • free DDoS protection run by Google (Jigsaw) to fight censorship

    • for people who otherwise would not have access to information (restrictive governments)

    • corruption investigations

    • human rights organizations, election committees, news sites

  • Small scale: individual organizations

    • for SYN floods: reduce the timeout for half-open connections so the server does not wait as long for the ACK before giving up and releasing the entry

    • configure the server with a longer backlog (SYN queue) so it can hold more half-open connections; modern stacks also use SYN cookies, which avoid storing any state until the final ACK arrives

    • block or rate-limit pings from external sources: because ping is widely used for reconnaissance and for reflection attacks, many networks filter ICMP echo from outside the network (blocking all ICMP is a blunt tool, since it also breaks path MTU discovery and diagnostics)

    • keep software updated and use anti-malware so your devices do not become part of a botnet
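
Added example serving both the SYN flood card (5) and the two SYN-flood tuning bullets above: a simulation, written for this page rather than taken from it, of the server's half-open connection table. No sockets are used; backlog size, timeout, attack rate and the client behaviour are made-up parameters.

```python
# Added example: simulation of a server's SYN backlog under a SYN flood (not the page's code).
# No sockets are used; times are simulated seconds and all parameters are assumptions.
from collections import deque


class SynQueue:
    """Table of half-open connections: a SYN/ACK has been sent and the server is waiting
    for the client's final ACK. Entries are dropped after `timeout` seconds."""

    def __init__(self, size, timeout):
        self.size, self.timeout = size, timeout
        self.pending = deque()          # (expiry_time, client) in arrival order
        self.rejected = 0               # SYNs dropped because the backlog was full

    def _expire(self, now):
        while self.pending and self.pending[0][0] <= now:
            self.pending.popleft()      # handshake never completed: give up, free the slot

    def syn(self, now, client):
        """Steps 1 and 2: a SYN arrives; answer SYN/ACK and remember the half-open connection."""
        self._expire(now)
        if len(self.pending) >= self.size:
            self.rejected += 1
            return False                # backlog full: the SYN is silently dropped
        self.pending.append((now + self.timeout, client))
        return True

    def ack(self, now, client):
        """Step 3: the final ACK arrives and the half-open entry becomes a real connection."""
        self._expire(now)
        for entry in self.pending:
            if entry[1] == client:
                self.pending.remove(entry)
                return True
        return False                    # no matching half-open entry (timed out or never existed)


def simulate(size, timeout, flood_rate, duration=30):
    """Attacker sends flood_rate SYNs per second from spoofed sources that never ACK;
    one legitimate client per second sends a SYN and ACKs half a second later.
    Returns (legitimate connections completed, legitimate attempts refused)."""
    q = SynQueue(size, timeout)
    ok = refused = 0
    for t in range(duration):
        for i in range(flood_rate):
            q.syn(float(t), f"spoofed-{t}-{i}")
        client = f"legit-{t}"
        if q.syn(float(t), client) and q.ack(t + 0.5, client):
            ok += 1
        else:
            refused += 1
    return ok, refused


if __name__ == "__main__":
    # Small backlog and a 60 s timeout: the table fills within three seconds.
    print("backlog 256,  timeout 60 s, 100 SYN/s :", simulate(256, 60, 100))
    # Mitigation 1: a short timeout frees slots before the backlog fills.
    print("backlog 256,  timeout 1 s,  100 SYN/s :", simulate(256, 1, 100))
    # Mitigation 2: a larger backlog absorbs the same flood.
    print("backlog 4096, timeout 60 s, 100 SYN/s :", simulate(4096, 60, 100))
    # Limit: once flood_rate * timeout exceeds the backlog, tuning alone no longer helps.
    print("backlog 256,  timeout 1 s, 1000 SYN/s :", simulate(256, 1, 1000))
```

The last case is the point a practitioner should take away: any backlog smaller than flood rate times timeout fills no matter how it is tuned, which is why SYN cookies (encoding the half-open state in the SYN/ACK sequence number instead of storing it) are the usual answer on modern servers.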

11

spoofing

an attacker impersonates another party by falsifying identifying data (addresses, names, keys) in order to gain access to target systems or to eavesdrop on (sniff) messages. A threat to confidentiality (stealing data) and integrity (altering messages, spreading malware)

12

IP Spoofing attacks

  • Definition: the attacker provides false information about the source of a packet by forging the source IP address in the IP header

  • Example: the attacker sits on the 10.10.10.0 network but sets the source address to one from 192.168.x.x, fooling a router or host that trusts addresses from that range

  • Flaw: replies go to the spoofed address, not to the attacker, so the attacker cannot see responses or complete the TCP three-way handshake (blind spoofing). Spoofing therefore has to be combined with other techniques, such as reflection/amplification or a position on the path where the replies can be observed

  • Uses: hides who the attacker is; delivers one-way traffic that needs no reply or confirmation (flood packets, some malware payloads)

13

IP spoofing example: Smurf attack

  1. an ICMP echo request (ping) is sent to the broadcast address of a network, with the source IP address forged to be the target's IP address

  2. every host on that network answers the ping with an echo reply to the forged source, so one attacker packet becomes hundreds aimed at the victim, saturating the victim's system and possibly the network's bandwidth as well

  3. Mitigation: configure routers not to forward directed broadcasts (the default since RFC 2644) and hosts to ignore echo requests sent to broadcast addresses; filtering ICMP echo at the border also stops the reflected replies, at the cost of ping-based diagnostics
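
Added example, not from the page: a toy model of the Smurf reflection path with the two knobs the mitigation depends on (whether the border router forwards directed broadcasts, and whether hosts answer broadcast pings). The network, host count, addresses and packet sizes are constructed; no packets are sent.

```python
# Added example: model of a Smurf attack and of the two mitigation knobs (not the page's code).
# No real packets are sent; addresses, host count and packet sizes are constructed.
import ipaddress


class Host:
    def __init__(self, ip, answer_broadcast_ping):
        self.ip = ip
        self.answer_broadcast_ping = answer_broadcast_ping

    def receive(self, pkt):
        """Return an echo reply addressed to the packet's (claimed) source, or None."""
        if pkt["type"] != "echo-request":
            return None
        if pkt["dst"] != self.ip and not self.answer_broadcast_ping:
            return None     # hardened host: ignore echo requests sent to a broadcast address
        return {"type": "echo-reply", "src": self.ip, "dst": pkt["src"], "size": pkt["size"]}


class Network:
    """A LAN behind a border router, usable as a Smurf amplifier."""

    def __init__(self, cidr, n_hosts, forward_directed_broadcast, hosts_answer_broadcast):
        self.net = ipaddress.ip_network(cidr)
        self.hosts = [Host(self.net[i + 1], hosts_answer_broadcast) for i in range(n_hosts)]
        self.forward_directed_broadcast = forward_directed_broadcast

    def deliver_from_outside(self, pkt):
        """Border router receives a packet from the internet; returns the packets that leave."""
        if pkt["dst"] == self.net.broadcast_address:
            if not self.forward_directed_broadcast:
                return []   # RFC 2644 default: directed broadcasts are not forwarded into the LAN
            targets = self.hosts
        else:
            targets = [h for h in self.hosts if h.ip == pkt["dst"]]
        return [r for r in (h.receive(pkt) for h in targets) if r is not None]


def smurf(victim_ip, amplifier, request_size=64):
    """Attacker sends ONE echo request to the amplifier's broadcast address with the victim's
    address forged as the source. Returns (replies hitting the victim, bytes out / bytes in)."""
    victim = ipaddress.ip_address(victim_ip)
    forged = {"type": "echo-request", "src": victim,
              "dst": amplifier.net.broadcast_address, "size": request_size}
    to_victim = [p for p in amplifier.deliver_from_outside(forged) if p["dst"] == victim]
    return len(to_victim), sum(p["size"] for p in to_victim) / request_size


if __name__ == "__main__":
    victim = "198.51.100.7"
    print("unprotected LAN:   ", smurf(victim, Network("192.0.2.0/24", 200, True, True)))
    print("no directed bcast: ", smurf(victim, Network("192.0.2.0/24", 200, False, True)))
    print("hosts ignore bcast:", smurf(victim, Network("192.0.2.0/24", 200, True, False)))
```

With 200 hosts the single 64-byte request becomes 200 replies, an amplification factor of 200; either mitigation alone brings it to zero, while an ordinary unicast ping to one host still gets its one reply.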

14

ARP poisoning (ARP spoofing) (network sniffing)

  • definition: putting a false MAC address into the target's ARP table, with the result that packets are delivered to the attacker's computer instead of the intended receiver

    • only works against devices on the same LAN (broadcast domain), because ARP is a layer-2 protocol carried in Ethernet frames and handled by switches; it never crosses a router

  • Result: network sniffing. The malicious actor can eavesdrop on messages between devices

  • How ARP normally works: a device broadcasts a request asking who has an IP address. The owner replies with its MAC address. The MAC is put in the requester's ARP table (cache)

  • ARP poisoning: ARP is stateless, meaning a host accepts a reply even if it never sent a request (a gratuitous reply). After poisoning both the victim and the gateway, the malicious actor receives all packets meant for the other's MAC address, reads or copies each message and forwards it on to the intended receiver, so neither side notices the detour
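
Added example, not from the page: a model of the stateless ARP cache being poisoned on both sides (victim and gateway) by gratuitous replies, together with a passive monitor of the kind the spoofing-mitigation card later describes (an IP whose MAC changes, one MAC claiming several IPs). MACs and IPs are constructed and nothing touches a real interface.

```python
# Added example: ARP cache poisoning and a duplicate-MAC monitor (not the page's code).
# Addresses are constructed; nothing touches a real interface.


class ArpCache:
    """Minimal model of a host's ARP table. Like real stacks, it updates on any reply,
    whether or not it asked a question (ARP is stateless)."""

    def __init__(self, name):
        self.name = name
        self.table = {}                      # ip -> mac

    def request(self, ip):
        """Broadcast 'who has <ip>?' (a dict stands in for the frame)."""
        return {"op": "request", "target_ip": ip, "from": self.name}

    def reply(self, ip, mac):
        """Process an ARP reply. There is no check that a request is outstanding."""
        self.table[ip] = mac

    def next_hop_mac(self, ip):
        return self.table.get(ip)


class ArpMonitor:
    """Passive detector watching ARP traffic on the segment. Alerts when an IP's MAC
    changes (especially via an unsolicited reply) or one MAC claims several IPs."""

    def __init__(self):
        self.seen = {}                       # ip -> mac as last announced on the wire
        self.alerts = []

    def observe(self, ip, mac, solicited):
        old = self.seen.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"MAC for {ip} changed {old} -> {mac}"
                               + ("" if solicited else " (gratuitous reply)"))
        self.seen[ip] = mac
        owners = sorted(i for i, m in self.seen.items() if m == mac)
        if len(owners) > 1:
            self.alerts.append(f"{mac} claims multiple IPs: {owners}")


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:aa:aa:aa:aa:10"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def demo():
    """Returns ((victim's gateway MAC, gateway's victim MAC) before poisoning, same after, alerts)."""
    victim, gateway, mon = ArpCache("victim"), ArpCache("gateway"), ArpMonitor()

    # Normal resolution: the victim asks for the gateway and the gateway answers;
    # the gateway learns the victim's MAC from the same exchange.
    victim.request(GATEWAY_IP)
    victim.reply(GATEWAY_IP, GATEWAY_MAC)
    mon.observe(GATEWAY_IP, GATEWAY_MAC, solicited=True)
    gateway.reply(VICTIM_IP, VICTIM_MAC)
    mon.observe(VICTIM_IP, VICTIM_MAC, solicited=True)
    before = (victim.next_hop_mac(GATEWAY_IP), gateway.next_hop_mac(VICTIM_IP))

    # Poisoning: the attacker sends unsolicited replies to both sides, each claiming the
    # other's IP. Traffic in both directions now goes to the attacker, who forwards it on.
    victim.reply(GATEWAY_IP, ATTACKER_MAC)
    mon.observe(GATEWAY_IP, ATTACKER_MAC, solicited=False)
    gateway.reply(VICTIM_IP, ATTACKER_MAC)
    mon.observe(VICTIM_IP, ATTACKER_MAC, solicited=False)
    after = (victim.next_hop_mac(GATEWAY_IP), gateway.next_hop_mac(VICTIM_IP))
    return before, after, mon.alerts


if __name__ == "__main__":
    before, after, alerts = demo()
    print("before:", before)
    print("after: ", after)
    print("\n".join(alerts))
```

The monitor sees three events: the gateway's MAC changing via a gratuitous reply, the victim's MAC changing the same way, and one MAC now owning two IPs. Managed switches implement the same idea as Dynamic ARP Inspection, validating replies against DHCP snooping data.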

15

ARP poisoning example: AiTM attack

  • Adversary in the middle attack (older name: man in the middle)

  • malicious actors place themselves in the communication channel between the two parties

  • if a secure protocol is being used, when one party sends its public key to the other, the AiTM intercepts it and substitutes their own key, so each party unknowingly negotiates a secret with the attacker; this only works when the key is not authenticated (no certificate or signature the attacker cannot forge)

  • AiTMo: version of this attack used on mobile devices

    • malware such as ZeuS (its mobile component is known as ZitMo, "Zeus in the mobile") can be used to capture 2-step verification SMS messages
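
Added example, not taken from the page: the key substitution described above, carried out against a toy Diffie-Hellman exchange, and the same exchange with each public value authenticated (an HMAC under a pre-shared key stands in for the certificate or signature a real protocol would use). The modulus, generator and pre-shared key are deliberately toy choices for this illustration, not a production group.

```python
# Added example: AiTM key substitution on an unauthenticated Diffie-Hellman exchange,
# and why an authenticated exchange resists it (not the page's code).
# TOY parameters: a Mersenne prime modulus and an HMAC pre-shared key stand in for a
# standardized DH group and for certificates/signatures.
import hashlib
import hmac
import secrets

P = 2**521 - 1           # prime, but not a standardized safe-prime DH group: illustration only
G = 3
NBYTES = (P.bit_length() + 7) // 8


def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(NBYTES, "big")).digest()


def unauthenticated_exchange(mallory_active):
    """Alice sends A, Bob sends B. If Mallory is active she replaces both with her own M."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    A_as_seen_by_bob = M if mallory_active else A
    B_as_seen_by_alice = M if mallory_active else B
    k_alice = shared_secret(a, B_as_seen_by_alice)
    k_bob = shared_secret(b, A_as_seen_by_bob)
    return {
        "alice_and_bob_agree": k_alice == k_bob,
        # Mallory holds a separate secret with each side and can decrypt, read and re-encrypt.
        "mallory_reads_alice": k_alice == shared_secret(m, A),
        "mallory_reads_bob": k_bob == shared_secret(m, B),
    }


PSK = b"assumed-pre-shared-key-exchanged-out-of-band"   # Mallory does not have this


def tag(pub):
    """Authenticate a public value. A certificate-backed signature plays this role in TLS."""
    return hmac.new(PSK, pub.to_bytes(NBYTES, "big"), hashlib.sha256).digest()


def authenticated_exchange(mallory_active):
    """Same exchange, but each public value travels with a tag Mallory cannot forge.
    Returns True only if both parties accept the value they received."""
    _, A = keypair()
    _, B = keypair()
    _, M = keypair()
    to_bob = (M, tag(A)) if mallory_active else (A, tag(A))       # value swapped, tag is not
    to_alice = (M, tag(B)) if mallory_active else (B, tag(B))
    bob_accepts = hmac.compare_digest(tag(to_bob[0]), to_bob[1])
    alice_accepts = hmac.compare_digest(tag(to_alice[0]), to_alice[1])
    return bob_accepts and alice_accepts


if __name__ == "__main__":
    print("no attacker           :", unauthenticated_exchange(False))
    print("AiTM, unauthenticated :", unauthenticated_exchange(True))
    print("AiTM, authenticated   : accepted =", authenticated_exchange(True))
```

Without authentication the two victims end up with different secrets, each shared with Mallory, who relays between them; with the tag, the swapped value fails verification on both sides and the session is aborted. This is exactly why an ARP-poisoning AiTM against HTTPS produces a certificate warning rather than silent decryption.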

16

DNS Poisoning/spoofing

  • how DNS works normally

    • to get from a domain name to an IP address, something (a DNS resolver) must do the translation for you

    • the user asks for a real website → the resolver looks up the name → the real address is returned → the user is sent to the real website

  • DNS poisoning

    • the attacker inserts a forged record for the real name into the resolver's cache (for example by answering a query with a spoofed response before the legitimate server does)

    • the user asks the resolver for the real website as usual

    • the resolver answers with the attacker's address, so the user is sent to the fake website and the real one is never contacted

  • in short: pointing a name to the wrong IP address
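
Added example, not from the page: a toy stub-resolver cache in two versions, one that believes any answer naming the queried host (poisonable by a forged reply that beats the real one) and one that only accepts a response matching an outstanding query's transaction ID, source port and question. Names, addresses and identifiers are constructed.

```python
# Added example: DNS cache poisoning against a toy resolver, with and without response
# validation (not the page's code). Names, addresses and identifiers are constructed.
import secrets

REAL_IP, FAKE_IP = "192.0.2.10", "203.0.113.66"


class Resolver:
    def __init__(self, validate):
        self.validate = validate
        self.cache = {}         # name -> ip (TTL handling omitted)
        self.outstanding = {}   # (txid, src_port) -> queried name

    def send_query(self, name):
        """Pick a random 16-bit transaction ID and a random source port, remember the question."""
        txid, port = secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512)
        self.outstanding[(txid, port)] = name
        return txid, port

    def receive_response(self, txid, port, name, ip):
        """Process one response datagram. Returns True if the answer was cached."""
        if self.validate and self.outstanding.get((txid, port)) != name:
            return False        # no outstanding query matches: forged or unsolicited, drop it
        self.outstanding.pop((txid, port), None)
        if name in self.cache:
            return False        # first answer wins; later ones are ignored until the TTL expires
        self.cache[name] = ip
        return True

    def resolve(self, name):
        return self.cache.get(name)


def legitimate_answer(txid, port, name):
    """The real upstream server echoes the query's txid/port and answers with the real address."""
    return txid, port, name, REAL_IP


def poisoning_attempt(resolver, name="www.example.com", forged_responses=1):
    """The attacker sends forged responses (random txid/port) that arrive before the real one."""
    txid, port = resolver.send_query(name)
    for _ in range(forged_responses):
        resolver.receive_response(secrets.randbelow(1 << 16), 1024 + secrets.randbelow(64512),
                                  name, FAKE_IP)
    resolver.receive_response(*legitimate_answer(txid, port, name))
    return resolver.resolve(name)


if __name__ == "__main__":
    print("no validation  :", poisoning_attempt(Resolver(validate=False)))
    print("txid+port check:", poisoning_attempt(Resolver(validate=True)))
```

With validation the attacker has to guess both a 16-bit ID and a 16-bit port before the real answer lands; a resolver that checks only the ID is brute-forceable, which is why source-port randomization matters, and DNSSEC signs the data itself so a forged answer fails regardless of guessing.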

17

mitigation of spoofing attacks

  • configure the router for ingress filtering

    • drops packets arriving from outside whose source IP belongs to the internal network (BCP 38); the matching egress filter drops outbound packets whose source is not internal, so your own hosts cannot be used to send spoofed floods

  • monitor the network for duplicate MAC addresses and for gratuitous ARP replies; managed switches can enforce this with Dynamic ARP Inspection

  • encryption with authenticated key exchange

    • this requires an exchange of keys or certificates, so there has to be two-way communication, which makes blind IP spoofing impractical and lets each endpoint detect a substituted key in an ARP-poisoning AiTM
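
Added example, not from the page: the ingress/egress source-address rule above expressed as a strict reverse-path check over a routing table, which generalizes it: a packet is accepted only if the router would send replies to its source back out of the interface it arrived on (BCP 38, strict unicast RPF). The prefixes, interface names and sample packets are assumptions.

```python
# Added example: BCP 38 source-address filtering as a strict reverse-path check
# (not the page's code). Routing table, interfaces and packets are constructed.
import ipaddress

ROUTES = {                      # prefix -> interface that reaches it (longest prefix wins)
    "10.0.0.0/8": "lan0",
    "192.168.0.0/16": "lan1",
    "0.0.0.0/0": "wan0",        # default route: everything else is on the internet
}
BOGONS = [ipaddress.ip_network(n) for n in
          ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
ROUTE_TABLE = [(ipaddress.ip_network(p), i) for p, i in ROUTES.items()]


def route_lookup(ip):
    """Interface the router would use to reach ip (longest-prefix match)."""
    best = None
    for net, iface in ROUTE_TABLE:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def filter_packet(arrival_iface, src):
    """Return (accepted, reason). Strict uRPF: the source must be reachable via the arrival
    interface. On wan0 this is ingress filtering (no internal sources from outside); on lan*
    it is egress filtering (no outside sources from the LAN), so our hosts can't spoof."""
    src = ipaddress.ip_address(src)
    if any(src in n for n in BOGONS):
        return False, "bogon source address"
    expected = route_lookup(src)
    if expected != arrival_iface:
        kind = "ingress" if arrival_iface == "wan0" else "egress"
        return False, f"{kind} filter: source {src} belongs behind {expected}, arrived on {arrival_iface}"
    return True, "ok"


def apply_policy(packets):
    """Run the filter over (iface, src, dst) tuples; return accepted packets and drops with reasons."""
    accepted, dropped = [], []
    for iface, src, dst in packets:
        ok, reason = filter_packet(iface, src)
        (accepted if ok else dropped).append((iface, src, dst, reason))
    return accepted, dropped


# Constructed traffic sample: two legitimate flows, four that must be dropped.
SAMPLE = [
    ("wan0", "198.51.100.1", "10.0.0.5"),     # internet user reaching a server: fine
    ("lan0", "10.0.0.5", "198.51.100.1"),     # the server replying: fine
    ("wan0", "10.1.2.3", "10.0.0.5"),         # internal address arriving from outside: spoofed
    ("lan0", "203.0.113.9", "198.51.100.7"),  # LAN host sending with a forged outside source
    ("lan0", "192.168.1.5", "10.0.0.5"),      # lan1 address arriving on lan0: spoofed or mis-plugged
    ("wan0", "127.0.0.1", "10.0.0.5"),        # bogon
]

if __name__ == "__main__":
    accepted, dropped = apply_policy(SAMPLE)
    for pkt in dropped:
        print("DROP", pkt)
    print(f"{len(accepted)} accepted, {len(dropped)} dropped")
```

Strict RPF is only safe where routing is symmetric (a stub network or customer edge, which is where BCP 38 is meant to be applied); on multihomed transit links a loose check (the source merely has to be in the routing table) is used instead.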

18

Bluejacking

pushing unsolicited messages onto a device over Bluetooth. Similar to spam; can include links to malware. Annoying

19

bluesnarfing

pulling email, contacts, passwords and images off a device over Bluetooth without the owner's consent. Bad

20

bluebugging

taking over a device by gaining access and installing a backdoor. Can be used to remotely control the device (place calls, read messages, listen in). Very bad

21

Security (mitigation) techniques

  1. disable Bluetooth when not in use, and keep the device non-discoverable when it is on

  2. don't share sensitive information or images over Bluetooth

  3. Bluetooth can be used for location tracking by apps that have Bluetooth access. Check your privacy settings to identify which apps have this access

  4. always install updates for Bluetooth software and firmware

22

radio frequency jamming

wireless signals are susceptible to electromagnetic interference (EMI), radio frequency interference (RFI) and even lightning strikes. Attackers can deliberately jam transmissions by transmitting noise on the same frequency, a denial of service against the wireless link itself

23

Rogue Access Points (RAP)

a wireless access point installed on a secure network without explicit authorization, whether by an attacker or by a well-meaning employee; either way it bypasses the network's perimeter controls

24

Evil Twin Attack

the attacker's access point is set up to look like a legitimate one (same network name, often a stronger signal), so devices see it as the better connection option. Once you connect to the evil twin, the attacker can analyze your network traffic and execute an AiTM attack

25

Security (mitigation) techniques

  1. turn on your firewall

  2. make sure antivirus is up to date and working

  3. confirm the network name with the venue; a name alone proves nothing, since an evil twin copies it, so prefer networks that require a password you were given by the venue

  4. do not enter credit-card details or shop online on untrusted Wi-Fi

  5. use VPN software

26

Virtual Private Network (VPN)

a tool that hides your real IP address from the sites you visit and encrypts internet traffic between your device and the VPN server. Enterprise use: remote access to the organization's network. Personal use: private access to the internet

27

Connecting to the internet, no VPN: privacy issues

  1. your ISP (Internet Service Provider) assigns you an IP address. The ISP can keep records of which websites your browser visits

  2. your IP address and browsing activity can be seen by anyone monitoring the network, such as your company's IT department, an attacker on the same network, or a hostile government

  3. data is encrypted for all HTTPS websites (although the name of the site you connect to is usually still visible, through DNS lookups and the TLS server name); while there is a danger of data being captured before encryption happens if you are on an insecure network, most people's home or school network is trusted and safe to use without a VPN

28

Connecting to the internet: how the VPN works

  1. the VPN replaces your IP address as seen by the websites you visit; browser activity is not easily traced back to you, and the website sees the VPN server's location rather than yours

  2. any data you send or download is encrypted between your device and the VPN server, so it cannot be read by anyone on that path (your ISP, the café Wi-Fi); beyond the VPN server, protection depends on the website using HTTPS

29

VPN pros

  1. can be used to bypass strict internet censorship by a government

  2. creates a secure data transfer when using a public network

  3. allows access to regionally restricted online content

  4. increases privacy, as your ISP will not have a record of your online activity

30

VPN cons

  1. some VPN providers use your device as a relay (exit point) for other users' traffic

  2. an unreliable VPN provider may log your activity or leak your real address, so you are trusting the provider instead of the ISP

  3. does not provide anonymity

  4. threat actors can use VPNs to mask their location

31

There are multiple technologies that deliver data without running wires between network devices (such as hubs or switches)

Bluetooth, cellular, wireless (Wi-Fi)