computer network - Security Threats

Recognizing Security Threats

Viruses are common threats that we hear about all the time, but there are many other nasty things out there as well. Bad guys who create threats to a network generally have one of two purposes in mind: destruction or reconnaissance.

In the following topics we are going to look at some of these types of attacks.

Denial of Service:

A denial of service (DoS) attack does exactly what it sounds like it would do: it prevents users from accessing the network and/or its resources. Today, DoS attacks are commonly launched against a major company’s intranet and especially its websites.

A DoS attack is very easy to deploy: anyone can use this kind of attack to shut down a company network, and it does not require deep technical or hacking knowledge.

Some DoS attacks are as follows:

The Ping of Death:

Ping is primarily used to see whether a computer is responding to IP requests. Usually, when you ping a remote host, what you’re really doing is sending four normal-sized Internet Control Message Protocol (ICMP) packets to the remote host to see if it’s available. But during a Ping of Death attack, a humongous ICMP packet is sent to the remote host victim, totally flooding the victim’s buffer and causing the system to reboot or helplessly hang there, drowning. It’s good to know that patches are available for most operating systems to prevent a Ping of Death attack from working.
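The oversized ping reaches the victim as a series of IP fragments whose offsets and lengths add up to more than the 65,535 bytes an IP datagram may hold; a receiver that copies them into a fixed buffer without checking overruns it. The following is an added example, not code from the original article: a toy fragment reassembler that applies the bound before copying anything, which is the check the patches mentioned above introduce. The class and function names and the record layout are assumptions made for the example.

```python
# Added example, not code from the original article: a toy IPv4 fragment
# reassembler that enforces the 65,535-byte datagram limit.  Fragments whose
# offset plus length would end past that limit are rejected before any byte
# is copied.  Names and the record layout are assumptions for the example.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_DATAGRAM = 65535          # IPv4 total-length field is 16 bits wide


@dataclass
class Fragment:
    ident: int          # IP identification; shared by all fragments of one datagram
    offset: int         # fragment offset in 8-byte units, as carried on the wire
    more: bool          # "more fragments" flag
    payload: bytes


@dataclass
class Reassembly:
    pieces: Dict[int, bytes] = field(default_factory=dict)   # byte offset -> payload
    total: Optional[int] = None                               # known once the last fragment arrives


class Reassembler:
    """Collects fragments per identification value and refuses any datagram
    that would exceed MAX_DATAGRAM before a single byte is copied."""

    def __init__(self) -> None:
        self.inflight: Dict[int, Reassembly] = {}
        self.dropped: List[int] = []

    def accept(self, frag: Fragment) -> Optional[bytes]:
        start = frag.offset * 8
        end = start + len(frag.payload)
        # The check that defeats the attack: bound the end offset first.
        if end > MAX_DATAGRAM:
            self.inflight.pop(frag.ident, None)
            self.dropped.append(frag.ident)
            return None
        r = self.inflight.setdefault(frag.ident, Reassembly())
        r.pieces[start] = frag.payload
        if not frag.more:
            r.total = end
        if r.total is None:
            return None
        # Complete only when the pieces cover [0, total) without gaps.
        have = 0
        for off in sorted(r.pieces):
            if off != have:
                return None
            have = off + len(r.pieces[off])
        if have != r.total:
            return None
        del self.inflight[frag.ident]
        return b"".join(r.pieces[o] for o in sorted(r.pieces))


def split_into_fragments(ident: int, data: bytes, per_frag: int = 1480) -> List[Fragment]:
    """Constructed sender-side helper: every fragment but the last carries a
    multiple of 8 bytes, as the offset field requires."""
    frags = []
    for i in range(0, len(data), per_frag):
        chunk = data[i:i + per_frag]
        frags.append(Fragment(ident, i // 8, i + len(chunk) < len(data), chunk))
    return frags


def demo() -> Tuple[bool, bool]:
    """Returns (ordinary_ping_reassembled, oversized_ping_dropped)."""
    rx = Reassembler()
    ordinary = b"A" * 3000                  # constructed: a large but legal ping payload
    result = None
    for f in split_into_fragments(1, ordinary):
        result = rx.accept(f) or result
    # Constructed oversized ping: the last fragment would end past 65,535.
    for f in split_into_fragments(2, b"B" * 66000):
        rx.accept(f)
    return result == ordinary, (2 in rx.dropped and 2 not in rx.inflight)


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is that the rejection happens on the arithmetic alone; a reassembler that first appends the fragment and only then measures the result has already done the damage.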

Unreachable Gateway:

An attacker can make a host’s default gateway unreachable; the end game is to get the host to change its gateway address to one controlled by the attacker, accomplishing a man-in-the-middle attack.

Distributed DoS (DDoS):

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic.

Terms and concepts used in a distributed denial of service attack:

Botnet:

A botnet is a group of programs connected over the internet for the purpose of performing a task in a coordinated manner. Some botnets, such as those used to maintain control of Internet Relay Chat (IRC) channels, are legal, while others are illegally created to launch a DDoS.

Traffic Spike:

One of the hallmarks of a DDoS attack is a major spike in traffic in the network as bots that have been recruited mount the attack. For this reason, any major spike in traffic should be regarded with suspicion. A network intrusion detection system (IDS) can recognize these traffic spikes and may be able to prevent them from growing larger or in some cases prevent the traffic in the first place.
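As an added example that is not part of the original article, here is the kind of rate-spike check an IDS applies to flag the volume jump described above. It keeps a smoothed baseline of packets per interval and alerts when an interval exceeds that baseline by a factor; the thresholds, the function name and the sample series are constructed assumptions.

```python
# Added example, not code from the original article: a traffic-spike
# detector.  It seeds a baseline from the first few intervals, updates it
# with an exponentially weighted moving average, and alerts when an interval
# exceeds the baseline by `factor`.  Parameter values are constructed.
from typing import List


def detect_spikes(counts: List[int], warmup: int = 5, alpha: float = 0.2,
                  factor: float = 4.0, min_rate: int = 100) -> List[int]:
    """Return the indices of intervals whose packet count is a spike.

    counts   : packets observed per fixed interval, in time order
    warmup   : intervals used to seed the baseline before alerting starts
    alpha    : EWMA weight given to the newest interval
    factor   : alert when count > factor * baseline
    min_rate : ignore spikes below this absolute rate (quiet nets are noisy)
    """
    if len(counts) <= warmup:
        return []
    baseline = sum(counts[:warmup]) / warmup
    alerts = []
    for i in range(warmup, len(counts)):
        c = counts[i]
        if c > factor * baseline and c >= min_rate:
            alerts.append(i)
            # Do not feed attack traffic into the baseline: a baseline that
            # learns the flood would silence the alert within a few intervals.
            continue
        baseline = alpha * c + (1 - alpha) * baseline
    return alerts


# Constructed packets-per-second series: steady traffic, then a flood.
SAMPLE_COUNTS = [120, 130, 125, 118, 140, 135, 128, 3200, 4100, 3900, 132, 125]

if __name__ == "__main__":
    print(detect_spikes(SAMPLE_COUNTS))   # [7, 8, 9]
```

A flash crowd trips this check just as a botnet does, so an alert is a reason to look at who is sending and what they are asking for, not proof of an attack on its own.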

Friendly/Unintentional DoS:

An unintentional DoS attack is one that is not caused by malicious individuals but rather is a spike in activity to a website or resource that overpowers its ability to respond.

Physical Attack:

Physical attacks are those that cause hardware damage to a device. These attacks can be mitigated, but not eliminated, by preventing physical access to the device. Routers, firewalls, servers, and other infrastructure devices should be locked away and protected by strong access controls.

Permanent DoS:

A permanent DoS attack is one in which the device is damaged and must be replaced. A permanent denial of service (PDoS) attack targets the firmware found in many devices. Using tools that introduce errors into the firmware, attackers render the device unusable. Another approach is to load a firmware image containing a Trojan or other type of malware.

Smurf:

The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address.

SYN Flood:

A SYN flood is also a DoS attack that inundates the receiving machine with lots of packets that cause the victim to waste resources by holding connections open. In normal communications, a workstation that wants to open a Transmission Control Protocol/Internet Protocol (TCP/IP) communication with a server sends a TCP/IP packet with the SYN flag set to 1. The server automatically responds to the request, indicating that it’s ready to start communicating with a SYN-ACK. In the SYN flood, the attacker sends a SYN, the victim sends back a SYN-ACK, and the attacker leaves the victim waiting for the final ACK. While the server is waiting for the response, a small part of memory is reserved for it. As the SYNs continue to arrive, memory is gradually consumed.
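To make the resource consumption concrete, the following added example (not code from the original article) follows the three-way handshake in a stream of packet summaries and reports how many half-open connections the server is holding and which sources hold the most. The tuple format, the sample capture, the timeout and the alert threshold are constructed assumptions.

```python
# Added example, not code from the original article: a half-open connection
# monitor.  A slot is reserved when a SYN arrives and released only by the
# final ACK, or when the server gives up after `timeout` seconds; that slot
# is the memory the article describes being consumed.  All values constructed.
from collections import defaultdict
from typing import Iterable, List, Tuple

Packet = Tuple[float, str, str, str]   # (time, src "ip:port", dst "ip:port", flags)


def half_open_report(packets: Iterable[Packet], now: float,
                     timeout: float = 30.0, per_source_alert: int = 10) -> Tuple[int, List[str]]:
    """Return (half_open_count, [source IPs holding >= per_source_alert slots]).

    flags is 'SYN', 'SYN-ACK' or 'ACK' as seen at the protected server.
    """
    pending = {}                            # (client, server) -> time of last activity
    for t, src, dst, flags in sorted(packets):
        if flags == 'SYN':
            pending[(src, dst)] = t         # server reserves state for this client
        elif flags == 'SYN-ACK':
            if (dst, src) in pending:       # server (src) answered client (dst)
                pending[(dst, src)] = t
        elif flags == 'ACK':
            pending.pop((src, dst), None)   # handshake complete, slot freed
    live = {k: v for k, v in pending.items() if now - v < timeout}
    per_src = defaultdict(int)
    for (client, _server) in live:
        per_src[client.rsplit(':', 1)[0]] += 1
    suspicious = sorted(ip for ip, n in per_src.items() if n >= per_source_alert)
    return len(live), suspicious


def build_sample() -> List[Packet]:
    """Constructed capture: one legitimate handshake, one stale half-open
    entry, and twelve SYNs from a single source that never send the ACK."""
    pkts = [(0.0, '10.0.0.5:51000', 'srv:80', 'SYN'),
            (0.1, 'srv:80', '10.0.0.5:51000', 'SYN-ACK'),
            (0.2, '10.0.0.5:51000', 'srv:80', 'ACK'),
            (-100.0, '10.0.0.7:51001', 'srv:80', 'SYN')]
    for i in range(12):
        client = f'203.0.113.9:{40000 + i}'
        pkts.append((1.0 + i * 0.01, client, 'srv:80', 'SYN'))
        pkts.append((1.005 + i * 0.01, 'srv:80', client, 'SYN-ACK'))
    return pkts


if __name__ == "__main__":
    print(half_open_report(build_sample(), now=2.0))    # (12, ['203.0.113.9'])
```

Counting per source only helps when the attacker uses a real address; floods usually spoof the source, so the total against the listen backlog is the number to watch, and SYN cookies, which let the server answer without reserving the slot until the ACK arrives, are the usual kernel-side mitigation.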

ARP Cache Poisoning:

ARP cache poisoning is usually a part of a man-in-the-middle attack. The ARP cache contains IP address to MAC address mappings that a device has learned through the ARP process. One of the ways this cache can be poisoned is by pinging a device with a spoofed IP address. In this way, an attacker can force the victim to insert an incorrect IP address to MAC address mapping into its ARP cache. If the attacker can accomplish this with two computers having a conversation, they can effectively be placed in the middle of the transmission. After the ARP cache is poisoned on both machines, they will be sending data packets to the attacker, all the while thinking they are sending them to the other member of the conversation.
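The visible symptom of poisoning is an IP address whose MAC binding changes, or one MAC answering for both ends of a conversation. The following added example, which is not code from the original article, is an arpwatch-style monitor that flags both; the addresses and the sample replies are constructed.

```python
# Added example, not code from the original article: an ARP monitor that
# remembers the MAC each IP was first seen with and reports later replies
# that bind the same IP to a different MAC, plus any MAC that answers for
# several IPs.  Addresses and sample replies are constructed.
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def monitor_arp(replies: Iterable[Tuple[str, str]], gateway_ip: str):
    """replies: (sender_ip, sender_mac) pairs from ARP replies seen on the LAN.
    Returns (table, alerts): the first-seen IP->MAC table and a list of alert
    dicts.  Conflicts are reported, not applied: an operator confirms a real
    NIC replacement, whereas a poisoner needs the victim to apply it blindly."""
    table: Dict[str, str] = {}
    claims: Dict[str, set] = defaultdict(set)    # MAC -> IPs it has answered for
    alerts: List[dict] = []
    for ip, mac in replies:
        mac = mac.lower()
        claims[mac].add(ip)
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append({
                'kind': 'mac-changed',
                # A changed gateway binding is the man-in-the-middle case.
                'severity': 'critical' if ip == gateway_ip else 'warning',
                'ip': ip, 'old_mac': known, 'new_mac': mac,
            })
    # One MAC answering for several IPs is the other classic sign: to sit in
    # the middle, the attacker must claim both ends of the conversation.
    for mac, ips in sorted(claims.items()):
        if len(ips) > 1:
            alerts.append({'kind': 'mac-claims-many', 'severity': 'warning',
                           'mac': mac, 'ips': sorted(ips)})
    return table, alerts


SAMPLE_REPLIES = [                           # constructed LAN traffic
    ('192.168.1.1', 'aa:bb:cc:00:00:01'),    # real gateway
    ('192.168.1.20', 'aa:bb:cc:00:00:20'),   # a workstation
    ('192.168.1.1', 'aa:bb:cc:00:00:01'),    # repeat, harmless
    ('192.168.1.1', 'DE:AD:BE:EF:00:99'),    # gateway IP now claimed by another MAC
    ('192.168.1.20', 'de:ad:be:ef:00:99'),   # same MAC also claims the workstation
]

if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE_REPLIES, '192.168.1.1')[1]:
        print(alert)
```

Routers running a first-hop redundancy protocol legitimately answer for a virtual IP as well as their own, so the many-IPs rule needs an allowlist in practice; on managed switches, Dynamic ARP Inspection blocks the bogus replies before a host ever caches them, and this kind of monitor is the complement that tells you it happened.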

Spoofing:

IP spoofing is the process of changing a source IP address so that one computer appears to be a different computer. It’s usually done to get traffic through a firewall that would normally not be allowed. It may also be used to access a server to which the hacker would normally be disallowed access by their IP address.

Brute Force:

A brute force attack is a form of password cracking. The attacker attempts every possible combination of numbers and letters that could be in a password. Theoretically, given enough time and processing power, any password can be cracked. When long, complex passwords are used, however, it can take years.

Setting an account lockout policy is the simplest solution to defeat brute force attacks. With such a policy applied, the account becomes locked after a set number of failed attempts.
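The following is an added example, not code from the original article: an account lockout policy with a failure-counting window and a lockout duration. The lock check runs before the credential is verified, so a locked-out attacker learns nothing even when a guess is correct. The class name, the threshold, the window and the duration are constructed values for the example, not policy guidance.

```python
# Added example, not code from the original article: an account lockout
# policy.  Failures are counted inside a sliding window; reaching the
# threshold locks the account for a fixed period during which the credential
# is never even checked.  Parameter values are constructed.
from collections import deque
from typing import Callable, Deque, Dict, List


class LockoutPolicy:
    def __init__(self, threshold: int = 5, window: float = 300.0, lockout: float = 900.0):
        self.threshold = threshold      # failures allowed inside the window
        self.window = window            # seconds over which failures are counted
        self.lockout = lockout          # seconds the account stays locked
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        return until is not None and now < until

    def attempt(self, account: str, now: float, verify: Callable[[], bool]) -> str:
        """One login attempt.  `verify` checks the credential and is called
        only when the account is not locked.  Returns 'locked', 'ok' or
        'failed'."""
        if self.is_locked(account, now):
            return 'locked'
        if verify():
            # A successful login clears the failure history.
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return 'ok'
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return 'locked'
        return 'failed'


def demo() -> List[str]:
    """Constructed scenario: three wrong guesses, then the right password
    during the lockout, then the right password after it expires."""
    policy = LockoutPolicy(threshold=3, window=60.0, lockout=120.0)
    wrong, right = (lambda: False), (lambda: True)
    return [policy.attempt('alice', 0.0, wrong),
            policy.attempt('alice', 1.0, wrong),
            policy.attempt('alice', 2.0, wrong),
            policy.attempt('alice', 3.0, right),
            policy.attempt('alice', 123.0, right)]


if __name__ == "__main__":
    print(demo())   # ['failed', 'failed', 'locked', 'locked', 'ok']
```

The trade-off is that lockout hands an attacker a denial of service against the account's real owner, which is why the lock expires on its own and why it is usually paired with rate limiting by source and with alerting rather than used alone.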

Session Hijacking:

Session hijacking attacks attempt to take over a user’s session with a secure server after the user has been authenticated. This can be done in the following ways:

Session Fixation: The attacker sets the session ID ahead of time by sending a link to the victim with the ID preset. When the user connects, the attacker waits for the authentication to complete and takes over the session by disconnecting the user and using the ID to reconnect.

Session Sidejacking: The attacker uses a sniffer to steal a session cookie from the user. Alternatively, if the attacker has physical access to the user’s machine, they can steal the session key from memory.

Cross-Site Scripting: The attacker uses the user’s computer to run code on the site that may allow him to obtain the cookie. The attacker does this by putting malware on the user’s computer; the malware runs the code on the site after the user authenticates to the site.
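The three methods above are answered by two server-side controls, shown here in an added example that is not code from the original article: issuing a fresh session ID at login, so an attacker-chosen ID never becomes an authenticated session (fixation), and setting the Secure and HttpOnly attributes on the cookie, so it is neither sent in clear text for a sniffer to read nor exposed to script on the page. The class and function names and the request model are assumptions for the example.

```python
# Added example, not code from the original article: a minimal server-side
# session store that rotates the session ID at login and emits a cookie with
# the Secure and HttpOnly attributes.  Names are assumptions for the example.
import secrets
from typing import Dict, Optional, Tuple


def cookie_header(sid: str) -> str:
    # Secure: only over TLS (sniffer cannot read it).  HttpOnly: not readable
    # by script in the page.  SameSite limits cross-site sending of the cookie.
    return f"Set-Cookie: sid={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, dict] = {}     # session_id -> {'user': name or None}

    def get_or_create(self, presented_id: Optional[str]) -> str:
        """Resolve the ID from the client's cookie; an ID the server never
        issued is ignored and a fresh anonymous session is started."""
        if presented_id in self.sessions:
            return presented_id
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {'user': None}
        return sid

    def login(self, presented_id: Optional[str], user: str) -> Tuple[str, str]:
        """Called after the credentials have been checked.  The pre-login ID,
        whoever chose it, is discarded and a new one bound to the user."""
        old = presented_id if presented_id in self.sessions else None
        new_id = secrets.token_urlsafe(32)
        self.sessions[new_id] = {'user': user}
        if old is not None:
            del self.sessions[old]
        return new_id, cookie_header(new_id)

    def user_for(self, presented_id: Optional[str]) -> Optional[str]:
        s = self.sessions.get(presented_id)
        return s['user'] if s else None


def fixation_scenario() -> Tuple[Optional[str], Optional[str], bool]:
    """Constructed walk-through of the fixation case: a pre-authentication
    ID is obtained, the victim logs in while presenting that ID, and the
    pre-set ID is then checked to see whether it grants the victim's session."""
    store = SessionStore()
    preset_id = store.get_or_create(None)              # valid but anonymous ID
    victim_id, header = store.login(preset_id, 'alice')   # victim authenticates
    return (store.user_for(preset_id),                 # None: preset ID is dead
            store.user_for(victim_id),                 # 'alice': new ID works
            'HttpOnly' in header and 'Secure' in header)


if __name__ == "__main__":
    print(fixation_scenario())   # (None, 'alice', True)
```

Rotation at login is what defeats fixation; the cookie attributes address the other two methods, and neither helps if the application also accepts the session ID from a URL parameter, which is why it should be carried in the cookie only.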