Section 14: Network Attacks

64 Terms

1

Denial of Service (DoS) Attack

  • Occurs when one machine overwhelms a victim system with continuous service requests

  • Leads to resource exhaustion, causing the victim system to crash

2

Types of DoS Attacks (2)

  • TCP SYN Flood

  • SMURF Attack (ICMP Flood)

3

TCP SYN Flood

  • Involves initiating multiple TCP sessions but not completing them

  • TCP Handshake

    • In a normal scenario, involves SYN, SYN/ACK, and ACK packets

  • Attack Process

    • Attacker sends SYN packets

    • Victim reserves resources

    • Attacker ignores subsequent SYN/ACK packets

    • Leads to half-open connections and resource exhaustion

  • Attacker often spoofs source IP during TCP handshake to flood the server

4

SMURF Attack (ICMP Flood)

  • Utilizes ICMP traffic instead of TCP traffic

  • Attacker sends ping to subnet broadcast address with a spoofed source IP

    • Causes all devices on the subnet to respond to the victim server

  • Attack can be intensified by sending multiple requests to different subnets, leading to resource exhaustion

5

Distributed Denial of Service (DDoS) Attack

  • Involves multiple machines simultaneously overwhelming a single server

  • Botnet

    • Collection of compromised computers under the control of a Command and Control (C2) server

  • Zombie

    • Individually compromised computers within a botnet

  • C2 server controls all zombies, allowing coordinated attacks

6

Preventing DDoS Attacks

  • Cloud Challenge

    • Cloud-based resources can horizontally scale to handle increased demand

  • Cost Consideration

    • Despite scaling, organizations may face substantial costs for illegitimate traffic during DDoS attacks

  • Prevention Importance

    • Emphasizes the need to implement preventive measures to avoid financial and operational consequences

7

MAC Flooding

  • A network attack technique aimed at compromising a switch’s security by overflowing its MAC table

  • Normal Switch Operation

    • Utilizes MAC tables to associate MAC addresses with switchports for efficient data forwarding

  • Execution of MAC Flooding

    • Attackers use specialized tools to flood the switch with random MAC addresses, forcing it into fail-safe mode

8

MAC Flooding Attack Implications

  • Data Snooping

    • Enables attackers to capture sensitive data by forcing the switch into hub mode

  • Disruption of Services

    • Network performance is degraded and may lead to DoS Attacks

  • Bypassing Security Measures

    • MAC flooding allows attackers to circumvent MAC address filtering and gain unauthorized network access

9

MAC Flooding Detection and Prevention

  • Implement anomaly-based intrusion detection systems (IDS)

  • Employ network monitoring tools

  • Configure port security

  • Set MAC address limits per switchport

  • Use VLANs to segregate network traffic and limit the impact of MAC flooding attacks

10

Address Resolution Protocol (ARP)

  • Used to map IP addresses to MAC addresses on a local area network

11

ARP Spoofing

  • Occurs when an attacker sends falsified ARP messages, linking their MAC address with a legitimate IP

  • Goals are to intercept, modify, or stop data in transit, and to initiate on-path attacks

12

ARP Poisoning

  • Corrupts ARP cache by associating attackers’ MAC with IP addresses of LAN devices

  • Enables:

    • Alteration of network traffic flow

    • Interception

    • Session hijacking

    • DoS attacks

13

Difference between ARP Spoofing and ARP Poisoning

  • ARP Spoofing - Targets single host’s traffic

    • More targeted attack

  • ARP Poisoning - Affects all hosts in a LAN

14

Motivations for ARP Attacks (3)

  • Data Interception

  • On-Path Attack

  • Network Disruption

15

Techniques for ARP Attacks

  • Scanning network for IP-MAC pairs and sending fake ARP responses

  • Conducting ARP poisoning via ARP flood

16

ARP Attack Detection and Prevention

  • Use ARP monitoring tools to detect unusual ARP traffic patterns

  • Alert network administrators

  • Configure intrusion detection systems to identify ARP spoofing or poisoning activities

  • Implement preventive measures

    • Static ARP entries

      • Manually inputting ARP mappings to prevent spoofing

      • Impractical for large networks

    • Dynamic ARP inspection

      • Switches inspect ARP packets, dropping suspicious mappings based on trusted MAC-IP pairs

    • Network segmentation

      • Limits the scope of ARP attack

    • VPNs or encryption technologies

      • Safeguard data against alterations

17

Virtual Local Area Network (VLAN)

  • Segregates broadcast domains at Layer 2 of the OSI model, enhancing network security

  • Commonly utilized in intranets and local area networks to partition and secure network segments

18

VLAN Hopping

  • Exploits misconfigurations to gain unauthorized access to different VLANs

19

Double Tagging

  • Attacker exploits trunk port vulnerabilities to direct traffic to another VLAN

    • Inner tag

      • Contains the true destination

    • Outer tag

      • Denotes the native VLAN

20

Purpose of VLAN Hopping

  • Blind Attacks

    • Commands are sent to the victim, but the attacker or pen tester does not get to see any of the responses

  • DoS or Stress Testing

    • Does not always require response data, facilitating various attack scenarios

21

Double Tagging Prevention Measures

  • Change the default configuration of the native VLAN from VLAN ID 1 to another identifier

  • Avoid adding user devices to the native VLAN

22

Switch Spoofing

  • Attackers use Dynamic Trunking Protocol (DTP) to negotiate trunk ports

  • Disabling dynamic switch port modes helps prevent switch spoofing attacks

23

MAC Table Overflow Attack

  • Overloading CAM tables can cause switches to act like hubs, exposing traffic from other VLANs

  • Flood the switch’s CAM table with MAC addresses to induce this behavior

24

Domain Name System (DNS)

  • Fundamental internet component translating domain names to IP addresses

25

DNS Attack Types (5)

  • DNS Cache Poisoning

  • DNS Amplification Attacks

  • DNS Tunneling

  • Domain Hijacking

  • DNS Zone Transfer Attacks

26

DNS Cache Poisoning

  • Corrupting DNS resolver cache with false information to redirect traffic

  • Mitigations:

    • Utilize Domain Name System Security Extensions (DNSSEC) to add a digital signature

    • Implement secure network configurations and firewalls

27

DNS Amplification Attacks

  • Overwhelm target system with DNS response traffic

  • Mitigation:

    • Limit size of DNS responses

    • Rate limit DNS response traffic

28

DNS Tunneling

  • Involves using the DNS protocol to encapsulate non-DNS traffic (such as HTTP or SSH, over port 53) to attempt to bypass firewall rules

  • Can be used for command and control or data exfiltration

  • Mitigation:

    • Involves regular monitoring of DNS logs to analyze for any signs of unusual patterns of behavior

29

Domain Hijacking

  • Unauthorized change of domain registration

  • Can lead to redirection to malicious websites

  • Mitigations:

    • Conduct regular updates

    • Ensure that registration account information is secure

    • Use domain registry lock services

30

DNS Zone Transfer Attacks

  • Pretending to be an authorized system to obtain the entire DNS zone data

  • Exposes sensitive network infrastructure information

31

On-path Attack

  • An attack where the penetration tester places their workstation between two hosts to capture, monitor, and relay communications

  • Captures authorization packets, allowing the attacker to take over the authorized session between client and server

32

Methods of On-Path Attack (4)

  • ARP Poisoning

  • DNS Poisoning

  • Rogue Wireless Access Point

  • Rogue Hub/Switch

33

Replay Attack

  • Occurs when an attacker captures valid data and repeats it either immediately or with a delay

  • Example

    • Capturing authentication handshake to gain access to network resources

34

Relay Attack

  • An attack where the attacker becomes a proxy between two hosts, intercepting and potentially modifying communications

  • Example

    • Modifying transaction details in online banking to divert funds

35

Challenges with Encryption

  • SSL/TLS Encryption poses difficulty in intercepting and cracking communications

  • Techniques to overcome challenges with encryptions:

    • SSL Stripping

      • Redirecting HTTPS requests to HTTP to capture unencrypted data

    • Downgrade Attack

      • An attack that persuades client or server to adopt lower security modes

      • Convinces systems to abandon higher security modes in favor of lower ones

      • Example

        • Allowing encryption at lower levels (e.g., SSL 2.0) to facilitate easier interception

  • Not limited to SSL/TLS

    • Applicable to any encryption or protection mechanism, such as Wi-Fi, VPNs, etc.

36

Rogue Devices

  • Unauthorized devices or services on a network that allow unauthorized individuals to connect to that network

  • Identified by MAC address and IP address

  • Use digital certificates for authentication and encryption (IPsec, HTTPS) to authorize devices

37

Rogue System Detection

  • Process of identifying and removing machines on the network that are not supposed to be there

38

Types of Rogue Systems (7)

  • Network Taps

  • Wireless Access Points (WAPs)

  • Servers

  • Wired and Wireless Clients

  • Software

  • Virtual Machines

  • Smart Appliances

39

Rogue Systems: Network Taps

  • Physical device that is attached to cabling to record packets passing over the network segment

40

Rogue Systems: Wireless Access Points (WAPs)

  • Devices that can be connected to the network and extend the physical network into the wireless spectrum

  • Types of Rogue Access Points

    • Connected to a network

      • Allows adversaries to convert radio signals into physical network access

    • Evil Twin

      • Attacker sets up own access point with his own internet connection, masquerading as legitimate network

  • Scanning airwaves to identify and remove rogue devices is crucial

  • Tools like Wi-Fi Pineapple enable easy creation of rogue access points, posing significant threats to unsuspecting users

41

Rogue Systems: Servers

  • Set up as honeypots to harvest data

42

Rogue Systems: Wired and Wireless Clients

  • Personal devices connected to network

  • Bring Your Own Device Policy

    • Personal devices are not considered as rogue devices unless they are used to do things that are unauthorized

43

Rogue Systems: Unauthorized Software

  • Installed without permission

44

Rogue Systems: Virtual Machines

  • Created within highly virtualized environments

45

Rogue Systems: Smart Appliances

  • Vulnerabilities in internet-connected devices

46

Rogue Device Detection and Removal

  • Visual inspection

    • Checking ports and switches for rogue devices

  • Network Mapping and Host Discovery

    • Use enumeration scanners to identify hosts

  • Wireless Monitoring

    • Detect unknown SSIDs within range

  • Packet Sniffing and Traffic Flows

    • Identify unauthorized protocols and peer-to-peer communication

  • NAC and Intrusion Detection

    • Use automated network scanning for prevention and detection

47

Rogue Device Mitigation

  • Use digital certificates and encryption for authentication

  • Perform regular inventories to detect additional or rogue devices

  • Implement network access control (NAC) and intrusion detection systems (IDS) for automated scanning and defense

48

Social Engineering

  • Any attempt to manipulate users into revealing confidential information or performing actions detrimental to the user or system security

  • Focus

    • Exploiting human vulnerabilities to bypass technical controls

49

Types of Social Engineering Attacks (6)

  • Phishing

  • Tailgating

  • Piggybacking

  • Shoulder surfing

  • Eavesdropping

  • Dumpster diving

50

Phishing

  • Sending deceptive emails to trick users into revealing sensitive information

  • Example

    • Fake PayPal email requesting account information

  • Effectiveness

    • High, even with obvious signs of phishing

  • Variants

    • Phishing - most broad type, does not target any particular person

    • Spear phishing - more targeted form

    • Whaling - targets key executives

51

Tailgating

  • Unauthorized entry into secure areas by following an authorized person

  • Prevention

    • Train employees to shut doors behind them

52

Piggybacking

  • Gaining entry to a secure area with an employee’s consent

  • Example

    • Asking someone to hold the door open with hands full

53

Shoulder surfing

  • Gaining authentication information by direct observation

  • Example

    • Watching someone type their password

54

Eavesdropping

  • Listening in on conversations to gather sensitive information

  • Example

    • Overhearing business discussions to gain insights

55

Dumpster Diving

  • Scavenging for personal or confidential information in trash or recycling

  • Prevention

    • Shred paperwork before disposal or use locked trash cans

56

Malware

  • Shorthand for malicious software

  • Designed to infiltrate a computer system and possibly damage it without the user’s knowledge or consent

57

Malware Types (6)

  • Virus

  • Worm

  • Trojan Horse

  • Ransomware

  • Spyware

  • Rootkit

58

Virus

  • Malicious code that infects a computer when run

59

Worm

  • Self-replicating malware that spreads without user interaction

  • Exploits security vulnerabilities in OS, protocols, or applications

  • Notable Examples

    • Nimda (2001) - infected the entire internet in 22 minutes

    • Conficker (2009) - infected 9-15 million machines, creating a botnet

60

Trojan Horse

  • Malware disguised as legitimate software

  • Remote Access Trojan (RAT)

    • A common type of Trojan that provides the attacker with remote control of a victim’s system

61

Ransomware

  • Malware that restricts access until a ransom is paid

  • Encrypts files or changes passwords, demanding payment for access

  • Notable example

    • SamSam (2018) - cost Atlanta over $17 million to fix

62

Spyware

  • Malware that gathers information without consent

  • Types

    • Adware - for advertising

    • Keylogger - captures keystrokes

63

Rootkit

  • Malware that gains administrative control without detection

  • Difficult to detect, often requires booting from an external device

64

Malware Prevention and Best Practices

  • Always check files for malware before downloading or installing

  • Keep software up to date to patch vulnerabilities

  • Use reputable antivirus software and firewalls

  • Educate users about safe browsing and downloading practices