Presentation is loading. Please wait.

Presentation is loading. Please wait.

Types of Network Attacks

Published byAlbert Tassé Modified over 5 years ago

Similar presentations

Presentation on theme: "Types of Network Attacks"— Presentation transcript:

1 Types of Network Attacks
Based on slides accompanying the book Network Defense and Countermeasures by Chuck Easttom (2018)

2 Objectives Describe the most common network attacks
Explain how these attacks are executed Identify basic defenses against those attacks A. Denial of service attacks B. Buffer overflow attacks C. IP Spoofing attacks D. Session Hijacking attacks E. Viruses F. Trojan horse attacks

3 A. Denial of Service Attacks
Denial of Service (DoS) Distributed Denial of Service (DDoS) SYN Flood Smurf Attack The Ping of Death UDP Flood ICMP Flood DHCP Starvation HTTP Post DoS PDoS Distributed Reflection Denial of Service

4 Denial of Service (DoS) Attacks
Based on the premise that all computers have operational limitations e.g., cpu cycles, memory space, network bandwidth Point out Figure 2 that illustrates a simple DoS attack. Also point out that the actual execution of the Dos attack is much more complicated. The example in the book uses the –w, -l (L) and –t switches to specify wait time, packet size, and timeout. Use the ping utility to execute the attack

5 Distributed Denial of Service (DDoS) Attacks
Variation of a Denial of Service Launched from multiple clients More difficult to track due to the use of zombie machines c.f., bots – “A bot (short for "robot") is an automated program that runs over the Internet. Some bots run automatically, while others only execute commands when they receive specific input.” (source: Explain the terms related to DDoS attacks (that is, Zombie machines). Explain the general structure of a DDoS attack from the host (master launching the attack) to zombies to the target machine.

6 SYN Flood Takes advantage of the TCP handshake process
The target server’s buffer space for handling TCP connection are exhausted; preventing legitimate sessions to be established All protocols relying on TCP are vulnerable (e.g., HTTP) Explain the process of the SYN flood attack: The client does not respond to the server acknowledgment in the TCP handshake process. Explain the defenses for the SYN flood, their weaknesses and strengths, and the difficulty level of configuring these defenses. Explain the figure and how it demonstrates the SYN flood attack.

7 SYN Flood TCP connection multi-step SYN to initiate SYN+ACK to respond
ACK gets agreement Sequence numbers then incremented for future messages Ensures message order Retransmit if lost Verifies party really initiated connection

8 SYN Flood Implementation Receive SYN Allocate connection Acknowledge
Wait for response See the problem? What if no response And many SYNs All space for connections allocated None for legitimate ones Time?

9 SYN Flood: Mitigations
Micro Blocks Instead of a complete connection object, the server only allocates a few bytes to the incoming SYN request. Q: Would this be effective against the attack? Bandwidth Throttling Excessive SYN traffic from a IP causes that source’s bandwidth to be restricted (by the firewall or IDS)

10 SYN Flood: Mitigations
SYN Cookies - When receiving the SYN request, the server does not allocate memory space, but rather send a cookie to the requester. Q: Trade-offs? RST Cookies - The server sends a wrong SYNACK back to the requester. Problem? May not be effective (because of firewalls) Stack Tweaking - Reduce timeout time set in the server’s stack Problem? (a) Only decrease (but doesn’t prevent) the danger; (b) complicated

11 SYN Flood: Mitigations
Mitigations using intermediate hosts TCP intercept Router establishes connection to client When connected then establish connection with server Synkill Monitor machine behaves like a “firewall” Good addresses: history of successful connections Bad addresses: previous timeout attempt Block and terminate attempts from bad addresses

12 Smurf Attack Sends an ICMP packet to the network’s broadcast address (with the victim’s spoofed IP as the source) Explain how the Smurf attack uses the ICMP packet to affect the target computer. (The ICMP packet is broadcast on the network with an altered source address. The source address is the target or victim machine’s IP address.)

13 Ping of Death (PoD) Attacks machines that cannot handle oversized packets Causes the victim to crash Mitigations? Ensure that systems are patched and up to date Most current operating systems automatically drop oversized packets

14 Ping Flood Sends a large number of ICMP Echo requests or ping packets to the victim The victim responds with ICMP Echo Reply packets Both the victim’s incoming and outgoing bandwidth are used.

15 UDP Flood and IMCP Flood
UDP (User Datagram Protocol) Flood Targets a victim machine’s open ports Sends packets to random ports of the victim If enough are sent, the target computer will be overwhelmed. ICMP Flood Another name for the Ping Flood

16 HTTP Post DoS Hangs server with slowly delivered HTTP Post message
POST /path/script.cgi HTTP/1.0 From: User-Agent: HTTPTool/1.0 Content-Type: application/x-www-form-urlencoded Content-Length: 32 home=Cosby&favorite+flavor=flies Hangs server with slowly delivered HTTP Post message The ‘content-length’ is in the HTTP Post header, while the actual content is in the HTTP Post payload/body. The attacker sends the actual message body at an extremely slow rate, causing the HTTP server to ‘hung’.

17 Other Denial-of-Service Attacks
DHCP Starvation Dynamic Host Configuration Protocol A DHCP server dynamically assigns an IP address and other network configuration parameters to each device on a network. The attacker sends lots of DHCP Request to the server, causing the DHCP server’s IP addresses to be depleted. Permanent DoS (PDoS) (a.k.a. phlashing) Often attacks the device’s firmware Causes OS reboot or damaged hardware

18 Distributed Reflection DoS (DRDoS)
Explain that routers use port 179 to communicate over the Internet backbone. Also explain that packets are altered to have the target machine’s IP address as the source. Mitigations? Configure routers to not forward broadcast packets

19 DoS Tools Tools are downloadable from the Internet.
Ease of access facilitates widespread use. Example DoS tools: Low Orbit Ion Cannon High Orbit Ion Cannon DoSHTTP Warning: Use a test system. DO NOT try these tools on a live system. Point out web sites where students can get more information regarding TFN2K: Washington University, PacketStorm Security, and CERT.

20 Real World Examples of DoS Attacks
Viruses Started in Purpose FakeAV 2012 Fake Anti-Virus Flame Spyware MyDoom 2004 Cyber Terrorism Gameover ZeuS 2001 (src: Peer-to-peer botnet CryptoLocker & CryptoWall 2013 (CryptoLocker) 2014 (CryptoWall) Ransomware + bot (CryptoWall) Explain these worms and attacks and their effects.

21 Defending Against DoS Attacks
Understand how attack is perpetrated Configure firewall to disallow incoming protocols or all traffic This may not be a practical solution. Disable forwarding of directed IP broadcast packets on routers Maintain virus protection on all clients on your network Maintain up-to-date operating system patches Establish policies for downloading software. Q. Example policies? Remind students how the DoS attack is executed and the protocols used in the attack. Explain that most network need to allow some type of traffic to function on the Internet. Explain the difference between Denial of Service and Dynamic Denial of Service. Provide additional examples. Point students to the SANS institute web site for additional information (

22 B. Buffer Overflow Attacks
More common than DoS a few years ago Still a very real threat Designed to put more information in the buffer than it is meant to hold More difficult to execute (than DoS attacks) Can only occur if some flaw exists in the software Mitigations? ‘Good’ application design can reduce this threat. Explain how the buffer overflow attack works. Explain what knowledge is necessary to execute a buffer overflow attack (e.g. some programming language and knowledge of an OS).

23 Buffer Overflow Attacks
How do buffer overflow attacks occur? Explain how the buffer overflow works. Provide examples if you have them. Also provide answers to the questions posed.

24 C. IP Spoofing Used to gain unauthorized access to computers by spoofing an authorized computer’s IP address Source address of packet is changed Often used as part of a DoS attack Becoming less frequent due to security Potential vulnerabilities with routers: External routers connected to multiple internal networks Proxy firewalls that use the source IP address for authentication Routers that subnet internal networks Unfiltered packets with a source IP on the local network/domain Provide ways to address IP spoofing: Do not release information about your internal IP addresses. Monitor incoming IP packets for signs of spoofing (e.g. Netlog). In relation to monitoring packets, if you use a Windows Server OS, it comes with a network monitor. Explain the dangers of not filtering or configuring your router properly to prevent IP spoofing attacks.

25 D. Session Hacking or Hijacking
TCP Session Hijacking: The hacker takes over an established TCP session. Possible because authentication often is done at the start of a TCP session (one time only). “Most common is the man-in-the-middle attack.”  Correction: The attack described in the book is actually eavesdropping attack. Q: What is man-in-the-middle (MITM) attack? Explain the process of how a man-in-the-middle attack is executed and how to avoid being caught in the middle.

26 MITM attacks “… a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.” -- Src:

27 Session Hacking or Hijacking (cont.)
An example of session hijacking: Launch a DoS attack against one of the communicating entities, say X Impersonate entity X while communicating with the remaining entity Q: Why is session hijacking possible? Encryption may be the only way to combat this type of attack (because …) Explain the process of how a man-in-the-middle attack is executed and how to avoid being caught in the middle.

28 E. Virus Attacks Most common threat to networks Propagate in two ways
Scanning computer for network connections Reading address book and sending to all Examples: Sobig Virus Mimail and Bagle Sasser Provide other examples of viruses and what they tend to do.

29 Protecting Against Viruses
Always use virus scanner software Do not open unknown attachments Establish a code word with friends and colleagues Do not believe security alerts sent to you Q: Other advices? Often on the security alert s there is a link to view the alert. You might mention that these links could be false links or to a hacker’s site. You can view the header information of the to verify that it is going to the correct site. You also need to be familiar with the site or be able to verify it without clicking the link in the but typing the URL directly in your browser.

30 F. Trojan Horse Attacks Program that looks benign but has malicious intent They might: Download harmful software Install a key logger or other spyware Delete files Open a backdoor for hacker to use

31 Trojan Horse Caution Students are strongly cautioned against attempting to create any of these Trojan horse scenarios. Release of this type of application is a criminal offense and likely to result in a prison sentence and civil penalties.

32 Summary Most common network attacks Session hacking
Virus and Trojan horse attacks Denial of Service/Distributed Denial of Service Buffer overflow

33 Summary (cont.) Defenses against attacks Antivirus software
Router configuration Smart policies and procedures Monitor network traffic Maintain a current patch policy to keep systems up to date with security patches

34 Summary (cont.) Defenses against DoS attacks
Proxy servers Established policies on maintenance Keep systems up to date with latest patches Defenses against Trojan horse and virus attacks: Have an established policy for attachments and downloading software Do not open unknown attachments Strictly monitor software downloads and what can be downloaded

35 Summary (cont.) Defenses against buffer overflow attacks
Routinely update systems Keep security patches up to date

Download ppt "Types of Network Attacks"

Similar presentations

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?

1 Topic 2 – Lesson 4 Packet Filtering Part I. 2 Basic Questions What is packet filtering? What is packet filtering? What elements are inside an IP header?
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.

Analysis of Attack By Matt Kennedy. Different Type of Attacks o Access Attacks o Modification and Repudiation Attacks o DoS Attacks o DDoS Attacks o Attacks.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.

Attack Profiles CS-480b Dick Steflik Attack Categories Denial-of-Service Exploitation Attacks Information Gathering Attacks Disinformation Attacks.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
Denial of Service attacks. Types of DoS attacks Bandwidth consumption attackers have more bandwidth than victim, e.g T3 (45Mpbs) attacks T1 (1.544 Mbps).

Denial of Service attacks. Types of DoS attacks Bandwidth consumption attackers have more bandwidth than victim, e.g T3 (45Mpbs) attacks T1 (1.544 Mbps).

Similar presentations

Ads by Google