
These are all the network attacks that exist and how to avoid them

It is currently impossible to list every type of attack that can be carried out on a network, because in the security world this changes continuously. Here we bring you the most common ones according to the network attack databases, so that we can stay up to date and keep our network as secure as possible. To build a defense we must first know how we are attacked and what these threats consist of; only then can we maintain a certain degree of security. Through this list we can see and understand the exact definition of each of the best-known or most widespread attacks, and the symptoms associated with them.

In the last ten or fifteen years we have seen a change in the paradigm by which crackers or cybercriminals seek to exploit every possible vulnerability within any organization or national infrastructure. To counteract this, every one of us must be clear that we have to change our perspective on security in the computer and network field: we must know certain attacks and understand what we can learn from them, so as to be as well prepared as possible and sometimes even able to avoid them. In this world of security we can never say that we are prepared to prevent any attack.

Index of contents

  • DoS attack or denial of service attack
  • Distributed Denial of Service attack (DDoS)
  • ARP Spoofing
  • Man-In-The-Middle Attack
  • Social Engineering Attack
  • OS Fingerprinting
  • Port scan
  • ICMP Tunneling
  • LOKI attack
  • TCP sequence attack
  • ICMP redirect attacks
  • DNS zone transfer attack

We will begin the list of threats with the most common since the beginning of cybercriminal activity.

DoS attack or denial of service attack

A denial-of-service attack aims to disable a system, an application, a computer or a server, in order to block the service it is intended to provide. The attack can affect the source that offers the information (such as an application), the transmission channel, or the computer network itself; in other words, the cybercriminal tries to prevent users from accessing information or services. The most common variant is an attacker “flooding” a network with a large amount of data, so that the entire network becomes saturated. For example, in a DoS attack on a website: when we type a URL and access it, we send a request for the site to show us its information; an attacker could make millions of such requests with the aim of collapsing the entire system. That is why this attack is called a “denial of service”.

Some of the symptoms we will notice if we suffer a DoS attack are a huge drop in network performance and a lot of slowness (opening files or accessing websites); a particular website being totally inaccessible and unavailable; being unable to reach any website we try to access; and a drastic increase in the amount of spam we receive.

Types of DoS attacks

ICMP Flood Attack

This type of denial-of-service attack exhausts the victim’s bandwidth. It consists of sending a large amount of data using ICMP Echo Request packets, that is, the typical ping, but modified to be larger than usual. In addition, the victim will respond with ICMP Echo Reply packets (ping responses), so there is extra load both on the network and on the victim. Usually one or several very powerful computers are used against the same victim, so that the victim cannot correctly handle the traffic generated.

Ping of death

This attack is similar to the previous one: it consists of sending a packet larger than 65536 bytes, so that the operating system does not know how to handle such a large packet and crashes when trying to reassemble it. Today this attack no longer works, because the operating system drops the packets directly. It is still important to know about this attack, but as we said, it no longer works because operating systems incorporate a large number of protections against it.

Tear Drop Attack

This type of attack consists of sending a series of very large packets, with the aim that the target (the victim) is unable to reassemble them, saturating the operating system and blocking it. Once the attack stops, the system may need to be restarted to work properly again. Today operating system kernels incorporate protections against these attacks.

Jolt Two Attack

This type of attack consists of fragmenting an ICMP packet so that the victim cannot reassemble it. This drives up the victim’s CPU usage and creates a major bottleneck. The usual result is that the victim’s PC becomes very slow, because the CPU is too busy trying to reassemble the packet.

Land attack

This type of attack consists of sending a forged TCP SYN packet in which the target’s IP address appears as both source and destination, so that when the target receives the packet it gets confused, does not know where to send the reply, and locks up. This type of attack is usually recognized by operating systems, firewalls and even antivirus suites.

Smurf attack

This attack consists of sending a large number of ICMP Echo Request messages to the broadcast IP address with the victim’s IP as the source. In this way the actual victim receives all the ICMP Echo Reply responses from the entire network and becomes saturated. Before carrying out this attack, IP spoofing must be used to forge the source IP address of the ICMP Echo Requests, and then the massive attack is launched. The network stops working normally while the attack is under way, because there is a high volume of broadcast traffic. Today’s switches are prepared to prevent these attacks automatically, based on PPS (packets per second).

SYN Flood

This type of attack is one of the most used throughout the world. It consists of sending hundreds or thousands of TCP packets with the SYN flag set to a server, opening many different connections with the aim of saturating it. Normally this attack is carried out with a forged source IP, so that all the responses go to an IP that does not exist, or to a victim IP that will also be saturated by all the TCP responses sent by the server.

SYN Flood attacks can be easily mitigated with the firewall, by limiting the number of TCP SYN packets that can be received, and even by placing an intermediate proxy that adds additional verification before passing the messages on to the web server or any other service that uses the TCP protocol.
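As an added illustration (not code from the original article), the following Python script shows the kind of check a firewall or IDS applies before rate-limiting SYNs: it counts the SYN packets each source sends inside a sliding window and compares them with the number of handshakes that source actually completes. The packet list, the addresses and the thresholds are constructed for the example.

```python
from collections import defaultdict, deque

WINDOW_S = 1.0         # sliding window length in seconds
SYN_THRESHOLD = 20     # SYNs per source inside the window that we consider abusive
MAX_COMPLETION = 0.2   # flag if fewer than 20% of those SYNs complete the handshake


def detect_syn_flood(packets, window_s=WINDOW_S, syn_threshold=SYN_THRESHOLD,
                     max_completion=MAX_COMPLETION):
    """Return [(src_ip, syn_count, completed_handshakes)] for sources that send
    many SYNs in a window while completing almost no handshakes.

    packets: iterable of (time_s, src_ip, flags) ordered by time, where flags is
    "S" for a client SYN and "A" for the client's final handshake ACK.
    """
    syns = defaultdict(deque)    # src -> timestamps of recent SYNs
    acks = defaultdict(deque)    # src -> timestamps of recent handshake ACKs
    flagged = {}
    for t, src, flags in packets:
        if flags == "S":
            syns[src].append(t)
        elif flags == "A":
            acks[src].append(t)
        else:
            continue                       # other segments are irrelevant here
        # Drop entries that fell out of the sliding window.
        for q in (syns[src], acks[src]):
            while q and t - q[0] > window_s:
                q.popleft()
        n_syn, n_ack = len(syns[src]), len(acks[src])
        if n_syn >= syn_threshold and n_ack < max_completion * n_syn:
            prev = flagged.get(src)
            if prev is None or n_syn > prev[0]:
                flagged[src] = (n_syn, n_ack)   # keep the worst observation
    return sorted((src, n, a) for src, (n, a) in flagged.items())


def build_sample():
    """Constructed traffic: one normal client and one flooding source."""
    pk = []
    for i in range(5):                       # 10.0.0.5 completes 5 handshakes
        t = i * 0.4
        pk.append((t, "10.0.0.5", "S"))
        pk.append((t + 0.01, "10.0.0.5", "A"))
    for i in range(50):                      # 203.0.113.7: 50 SYNs in 0.5 s, no ACKs
        pk.append((0.5 + i * 0.01, "203.0.113.7", "S"))
    return sorted(pk, key=lambda p: p[0])


if __name__ == "__main__":
    for src, n_syn, n_ack in detect_syn_flood(build_sample()):
        print(f"possible SYN flood from {src}: {n_syn} SYNs, {n_ack} completed")
```

The same two numbers (SYNs per second allowed, and how many must complete) are what a firewall rate limit or a SYN proxy encodes. A caveat when tuning them: a NAT gateway with many users behind it can legitimately exceed a per-source threshold, so the completion ratio matters more than the raw count.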

Fraggle Two Attack

This attack consists of sending a lot of UDP traffic to a broadcast IP address; these packets carry the victim’s IP as the source, so logically IP spoofing has been carried out to perform this attack. The network delivers the traffic to all hosts, because we are sending UDP packets to the broadcast address, and the computers respond. The victim therefore receives a large amount of traffic that it cannot handle properly and is unable to work normally.

Distributed denial of service attack – DDoS

This network attack consists of overwhelming a victim from multiple source computers; for example, a botnet made up of a thousand computers could attack a certain target. These types of attacks are very common, and they use the techniques we explained earlier, such as the SYN Flood. Even if there is a very powerful server capable of handling millions of SYN Flood requests, if a botnet with hundreds or thousands of computers is used it will not be able to cope and will end up locking up. This attack is “spread” across different machines, be they computers, other infected servers, hacked IoT devices, and much more.

Some tips to mitigate DDoS attacks are as follows:

  • Configure the router’s firewall correctly.
  • Block all network traffic except what is explicitly allowed.
  • Disable any service we are not using.
  • Check the network configuration and the logs we have frequently.
  • Have a robust logging policy that allows event correlation (SIEM).
  • Have a good password policy with the corresponding permissions.
  • Limit the bandwidth on the network per port, to avoid attacks from our own network.

ARP Spoofing

This attack on data networks is one of the most popular; it allows attacking computers that are on the same local network, whether wired or wireless. When an ARP Spoofing attack is carried out, the attacker impersonates the router or gateway, so that all the network traffic, or the traffic from a specific PC (the victim), passes through the attacker, who can then read, modify and even block it.

This attack only works in IPv4 networks, because the ARP protocol only exists in IPv4, although IPv6 networks have a similar attack. It is the easiest way to perform a Man in the Middle and capture all the victim’s information. To detect these attacks, Reverse ARP could be used, a protocol that consults the IP associated with a MAC: if a MAC address has more than one IP, we are facing an attack. Some security suites already detect this type of attack, and managed switches can even prevent it by doing IP-MAC Binding.
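The detection the paragraph describes can be automated by watching ARP replies over time. The Python script below is an added example, not part of the article: it replays a constructed stream of ARP replies (addresses and MACs are made up) and raises an alert when an IP changes its MAC, critically so for the gateway, and when one MAC starts answering for several IPs.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed gateway of the constructed LAN

# Constructed stream of ARP replies seen on the wire, as (time_s, sender_ip, sender_mac).
# In practice these would come from a capture of ARP "is-at" replies.
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # real gateway
    (1.0, "192.168.1.20", "aa:aa:aa:aa:aa:20"),  # victim PC
    (2.0, "192.168.1.30", "aa:aa:aa:aa:aa:30"),  # another host
    (5.0, "192.168.1.1",  "aa:aa:aa:aa:aa:30"),  # host .30 now claims the gateway IP
    (5.5, "192.168.1.20", "aa:aa:aa:aa:aa:30"),  # ... and the victim's IP as well
    (6.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # real gateway answers again (flapping)
]


def audit_arp(replies, gateway_ip=GATEWAY_IP, known=None):
    """Replay ARP replies and return [(time, severity, message)] alerts.

    Two signs of ARP spoofing are checked: an IP whose MAC changes over time
    (critical when it is the gateway), and one MAC that answers for several IPs,
    which is the check the article describes with Reverse ARP. `known` may hold
    static IP -> MAC bindings (e.g. the gateway) so the very first reply is checked.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (known or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append((t, severity, f"{ip} moved from {old} to {mac}"))
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append((t, "WARNING",
                               f"{mac} answers for {sorted(mac_to_ips[mac])}"))
    return alerts


if __name__ == "__main__":
    for t, severity, msg in audit_arp(ARP_REPLIES):
        print(f"t={t:4.1f}s {severity:8s} {msg}")
```

The "one MAC, several IPs" rule needs a whitelist in real networks: a router with secondary addresses or a host with a virtual IP legitimately trips it, which is why the gateway-changed alert is the one worth paging on. Static IP-MAC binding on the switch, as the paragraph suggests, prevents the condition rather than just reporting it.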

MAC flood attack

This is one of the most typical attacks on data networks. It consists of flooding the network where we have a switch with frames, each with a different source MAC address, with the aim of filling the CAM table of the switches so that the switch starts behaving like a hub. Nowadays, however, all switches have protections against this attack and are able to remove MAC addresses quickly and never collapse, but the switch CPU will be at 100% and we will notice slowness in the network.

In the case of managed switches with VLANs, the overflow only affects the VLAN concerned, not the rest of the VLANs in the network. To prevent this type of attack, it is advisable to configure Port Security on the switches and limit the number of MAC addresses per port; in this way the port can be shut down automatically, or the switch can simply refuse to register new MACs until further notice.
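To make the two Port Security behaviours concrete, here is an added Python model (not code from the article or from any switch vendor) of a port that learns at most N source MACs and then either drops frames from unknown MACs ("restrict") or shuts itself down ("shutdown"). The port names, MAC addresses and flood size are constructed.

```python
from collections import defaultdict


class PortSecurity:
    """Toy model of switch port security: each port learns at most `max_macs`
    source MACs; when another one appears the violation mode decides what
    happens. Constructed for illustration; real switches differ in details."""

    def __init__(self, max_macs=2, mode="restrict"):
        assert mode in ("restrict", "shutdown")
        self.max_macs = max_macs
        self.mode = mode
        self.learned = defaultdict(set)    # port -> learned source MACs
        self.disabled = set()              # ports shut down by a violation
        self.violations = defaultdict(int)

    def frame(self, port, src_mac):
        """Process one ingress frame; return 'forward', 'drop' or 'shutdown'."""
        if port in self.disabled:
            return "drop"                  # an err-disabled port forwards nothing
        macs = self.learned[port]
        if src_mac in macs:
            return "forward"
        if len(macs) < self.max_macs:
            macs.add(src_mac)              # still room in the per-port limit
            return "forward"
        self.violations[port] += 1
        if self.mode == "shutdown":
            self.disabled.add(port)
            return "shutdown"
        return "drop"                      # restrict: drop only the unknown MAC


def simulate(mode, n_attack=1000):
    """Two legitimate devices on Gi0/1, then a flood of n_attack random MACs,
    then the legitimate PC again and a device on another port."""
    sw = PortSecurity(max_macs=2, mode=mode)
    results = defaultdict(int)
    results[sw.frame("Gi0/1", "aa:aa:aa:00:00:01")] += 1   # legit PC
    results[sw.frame("Gi0/1", "aa:aa:aa:00:00:02")] += 1   # legit phone
    for i in range(n_attack):                                # MAC flood
        results[sw.frame("Gi0/1", f"02:00:00:00:{i >> 8:02x}:{i & 0xff:02x}")] += 1
    results[sw.frame("Gi0/1", "aa:aa:aa:00:00:01")] += 1   # legit PC again
    results[sw.frame("Gi0/2", "aa:aa:aa:00:00:03")] += 1   # other port unaffected
    return dict(results), sw.violations["Gi0/1"], "Gi0/1" in sw.disabled


if __name__ == "__main__":
    for mode in ("restrict", "shutdown"):
        print(mode, simulate(mode))
```

Running it shows the trade-off the paragraph hints at: in restrict mode the legitimate PC keeps working during the flood but the switch spends CPU counting a thousand violations, while in shutdown mode the flood stops after one frame at the cost of taking the legitimate devices on that port offline until an administrator re-enables it.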

DNS cache poisoning

This type of attack consists of providing false data via DNS so that a victim receives that information and visits fake web pages, or pages under the attacker’s control. The computer making DNS requests could receive spoofed IP addresses in reply to its DNS queries, and in this way the victim can be redirected to any website under the attacker’s control.

IP Spoofing

This attack consists of forging the source IP address of a certain computer; in this way, TCP, UDP or IP packets can be sent with a false source IP, impersonating the real IP address of a device. This has several objectives: to hide the real identity of the source, or to impersonate another host so that all the replies go directly to it.

ACK Flood

This attack consists of sending TCP ACK packets to a certain target. It is normally carried out with a spoofed IP, so IP spoofing is necessary. It is similar to TCP SYN attacks, but if the firewall is blocking TCP SYN packets, this is an alternative for blocking the victim.

TCP Session Hijacking

This attack consists of taking over an existing TCP session that the victim is using. For it to succeed, it must be carried out at an exact moment: authentication takes place at the beginning of a TCP connection, and it is right at that point that the cybercriminal executes the attack.

Man-In-The-Middle Attack

A Man in the Middle attack is a type of attack that enables other attacks to be carried out afterwards. MITM attacks consist of the attacker placing themselves in the communication path between two or more computers, with the aim of reading, modifying on the fly, and even blocking the traffic between a source and a destination. This type of attack lets the attacker see all online browsing and any other communication that takes place, and in addition all the information could be redirected to another existing computer.

An example of a MITM attack would be when a cybercriminal intercepts a communication between two people, or between us and a web server, and captures all the sensitive information that we send to the site.

How to prevent Man-In-The-Middle attacks?

MITM attacks are not impossible to avoid: thanks to Public Key Infrastructure (PKI) technology we can protect the different hosts from these attacks, since it lets us authenticate to other users securely, proving our identity and verifying the identity of the recipient with public-key cryptography; in addition, we can digitally sign information, guaranteeing non-repudiation, and even send information fully encrypted to preserve confidentiality.

Conceptually, the following parties take part in a cryptographic operation that uses a Public Key Infrastructure:

  • A user initiating the operation.
  • Server systems that attest to the operation and guarantee the validity of the certificates: the Certification Authority (CA), the Registration Authority and the Time Stamping System.
  • A recipient of the signed, encrypted data, whose validity is guaranteed by the user who initiated the operation.

Public-key cryptographic operations are processes that use asymmetric encryption algorithms which are known and accessible to everyone, such as RSA or those based on elliptic curves. For this reason, the security that PKI technology can provide is strongly linked to the secrecy of the so-called private key.

Social engineering attacks

Although social engineering attacks are not attacks on data networks, they are a very popular type of attack among cybercriminals. They consist of manipulating a person into handing over user credentials, private information and more. Cybercriminals always look for every possible way to obtain user credentials, credit card numbers, bank accounts, etc., and to achieve this they lie to the victims by posing as other people.

These attacks are very successful because they target the weakest link in cybersecurity: the human being. It is easier to obtain a person’s user credentials through social engineering than to attack a service like Google to extract the passwords. It is essential to know whom to trust, when to do so, and also when we should not. No matter how secure our network is, if we entrust our security to the wrong people, all that security will be worthless.

How to prevent social engineering attacks?

The first recommendation is not to rush to respond: many of these attacks are transmitted with a sense of urgency, for example, that a money transfer must urgently be made to a recipient we have never dealt with before. You must be suspicious of any strange or unsolicited message; if the email that reaches us claims to come from a website or company we usually use, we must do a little investigation on our part, which may even include contacting that company to verify the information.

  • Beware of requests for bank information.
  • Never provide access passwords, not even to banks.
  • Refuse any kind of unsolicited help from third parties; they may be cybercriminals trying to steal information or money.
  • Do not click on links in emails, as they could be phishing, and avoid downloading any suspicious document.
  • Set up anti-spam filters, configure our computer with antivirus and firewall, check the email filters and keep everything updated.

OS Fingerprinting

The term OS Fingerprinting refers to any method of determining the operating system used by the victim, with the aim of compromising it. These techniques are normally used in the pentesting phase; the operating system is recognized by analyzing protocol indicators, the time it takes to respond to a specific request, and other values. Nmap is one of the most used programs for OS Fingerprinting. What use is it to an attacker to know the victim’s operating system? It allows more targeted attacks on that operating system, knowing its vulnerabilities and exploiting them, and much more.

There are two different types of OS Fingerprinting:

  • Active: it is achieved by sending specially crafted packets to the target host, looking at the response in detail and analyzing the information collected. Nmap carries out this type of fingerprinting to obtain as much information as possible.
  • Passive: in this case the information received is analyzed without sending specifically designed packets to the target computer.

Port scan

In any pentest, port scanning is the first thing done to try to breach a target. It is one of the reconnaissance techniques most used by cybercriminals to discover exposed services with open ports, whether a firewall is being used, and even what operating system the victim is running. All computers connected to the local network or the Internet run a large number of services that listen on certain TCP and UDP ports. These port scans reveal which ports are open, and even what service is behind them, in order to exploit a vulnerability in that service.

In a port scan, messages are sent to each port one by one; depending on the type of response received, the port is classified as open, filtered or closed. One of the most used programs for port scanning is Nmap; it is the Swiss army knife of port scanning because it also includes Nmap NSE, which allows scripts to be used to exploit known vulnerabilities or to attack Samba, FTP or SSH servers, among others.

Knowing which ports we have open is also very important, because a port identifies a service running on the system. For example, the FTP protocol uses port 21; if it is open, it could be because we have an FTP server listening, and it could be attacked. Port scanning is the first phase of a pentest.

How to prevent port scanning?

We cannot avoid port scanning, because we cannot prevent a cybercriminal from trying to see which ports we have open, but what is in our power is to protect all ports with a well-configured, restrictive firewall. We must bear in mind that performing a port scan has been declared illegal by several courts, because it is the first step of an intrusion or of exploiting a vulnerability.

To limit the information that we give an attacker in a port scan, we must do the following:

  • Close all ports in the firewall, except those that have to be open for the system to work properly.
  • Use a restrictive firewall policy that only opens what is actually going to be used.
  • Shut down operating system services that are not needed.
  • Configure web, SSH and FTP services so that they do not reveal information such as the version number, to hinder the exploitation of possible vulnerabilities.
  • Use TCP Wrappers, which give the administrator greater flexibility to allow or deny access to certain services.
  • Use programs like fail2ban to block IP addresses that carry out attacks.
  • Use an IDS/IPS like Snort or Suricata to block attackers’ IPs.
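Tools like fail2ban or an IDS decide that a source is scanning by counting how many different ports it touches in a short time. The Python script below is an added example, not from the article or from those tools: it parses netfilter-style firewall drop lines (the log lines, hosts and ports are constructed) and reports sources that hit at least ten distinct ports inside any sixty-second window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the fields we need from netfilter-style log lines: syslog timestamp, SRC= and DPT=.
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (timestamp, src_ip, dst_port) or None for lines that are not firewall drops."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], int(m["dpt"])


def detect_port_scans(lines, window_s=60, min_ports=10):
    """Return {src_ip: max_distinct_ports} for sources that touched at least
    `min_ports` different destination ports inside any `window_s` second window."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, port = parsed
            events[src].append((ts, port))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):                # sliding window over this source's hits
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({port for _, port in evs[start:end + 1]}))
        if best >= min_ports:
            flagged[src] = best
    return flagged


def build_sample_log():
    """Constructed log: one host probing 15 ports in 15 s, one normal web client, one unrelated line."""
    lines = []
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445, 993, 995, 3389]):
        lines.append(f"Mar 10 12:00:{i:02d} gw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 "
                     f"DST=10.0.0.2 PROTO=TCP SPT=40000 DPT={port} WINDOW=1024 SYN")
    for i in range(20):
        lines.append(f"Mar 10 12:01:{i:02d} gw kernel: FW-DROP: IN=eth0 OUT= SRC=10.0.0.50 "
                     f"DST=10.0.0.2 PROTO=TCP SPT={50000 + i} DPT={80 if i % 2 == 0 else 443} WINDOW=65535 SYN")
    lines.append("Mar 10 12:02:00 gw sshd[812]: Accepted publickey for admin from 10.0.0.50 port 50211")
    return lines


if __name__ == "__main__":
    for src, n in detect_port_scans(build_sample_log()).items():
        print(f"{src} touched {n} distinct ports within 60 s: probable port scan")
```

Counting distinct ports rather than packets is what keeps a busy legitimate client (twenty hits on ports 80 and 443) below the threshold while a slow but broad probe still stands out; an IDS run in blocking mode would feed the flagged address to the firewall, which is the fail2ban step in the list above.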

ICMP Tunneling

This type of attack is mainly used to bypass firewalls, because firewalls do not normally block ICMP packets. It can also be used to establish an encrypted, hard-to-trace communication channel. An ICMP tunnel establishes a covert connection between two computers; the same can be done over UDP using DNS.

To prevent ICMP tunnels, it is necessary to inspect ICMP traffic in detail and see what kind of messages are being exchanged. This is harder if the data is encrypted, but we can still detect it because the ICMP traffic will not be “normal”, so a correctly configured IDS/IPS will raise alerts.

LOKI attack

This is not an attack on data networks as such; it is a client/server program that allows information to be exfiltrated through protocols that normally carry no payload. For example, SSH traffic could be tunnelled inside the ICMP protocol with ping, or even inside UDP with DNS. It can be used as a back door on Linux systems to extract information and send it remotely without raising suspicion. This is something we should also control through firewalls.

TCP sequence attack

This type of attack consists of trying to predict the sequence number of TCP traffic, with the aim of identifying the packets of a TCP connection and hijacking the session. The typical example is a scenario where an attacker is monitoring the data flow between two computers: the attacker cuts the communication with the real computer and takes its place, all by predicting the sequence number of the next TCP packet. The attacker would “kill” the real computer with a denial-of-service (DoS) attack or similar.

Thanks to this prediction of the sequence number, the attacker’s packet reaches its destination before any data from the legitimate host, because the latter is under a DoS attack and cannot communicate with the victim host. This packet from the attacker could be used to gain access to the system, forcibly terminate a connection, or directly deliver a malicious payload.

How to prevent TCP sequence attack?

In 2012 the IETF released a new standard establishing an improved algorithm to prevent an attacker from guessing the initial sequence number of TCP communications. This standard is designed to increase the robustness of TCP communications against attackers’ predictive analysis and monitoring. Currently all operating systems use this new standard to prevent this attack, so an attacker will not normally be able to predict the sequence numbers; in certain circumstances attackers can still guess them, but it is much more difficult than before.
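The 2012 standard the paragraph refers to is RFC 6528, whose initial sequence number is ISN = M + F(localip, localport, remoteip, remoteport, secretkey): a 4-microsecond clock M plus a keyed hash F over the connection's 4-tuple. The Python below is an added example, not from the article or any kernel, that contrasts a clock-only ISN with the RFC 6528 form and shows why observing the server's ISN on one connection no longer predicts the ISN of another. MD5 is used for F because the RFC suggests it; the secret, addresses and clock values are constructed.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
T0 = 1_700_000_000_000_000          # constructed clock value in microseconds


def isn_clock_only(now_us):
    """Old-style ISN: a clock ticking every 4 microseconds, the same for every
    connection, so one observation gives away the next value."""
    return (now_us // 4) & MASK32


def isn_rfc6528(local_ip, local_port, remote_ip, remote_port, secret, now_us):
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey) as in RFC 6528.
    M is the 4-microsecond clock, F a keyed hash (MD5 here, as the RFC suggests;
    kernels may use another PRF). The secret is generated once per boot."""
    m = (now_us // 4) & MASK32
    tuple_bytes = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    f = struct.unpack("<I", hashlib.md5(tuple_bytes + secret).digest()[:4])[0]
    return (m + f) & MASK32


def prediction_succeeds(use_rfc6528, secret=b"constructed-per-boot-secret"):
    """Model the guess described in the article: the attacker opens a connection to
    the server, sees the ISN the server chose for it, and predicts the ISN the
    server will choose for the victim's connection `delta` microseconds later."""
    delta = 2_000                    # victim's handshake happens 2 ms later
    server = ("10.0.0.2", 80)
    attacker = ("198.51.100.9", 40000)
    victim = ("10.0.0.50", 51000)
    if use_rfc6528:
        observed = isn_rfc6528(*server, *attacker, secret, T0)
        actual = isn_rfc6528(*server, *victim, secret, T0 + delta)
    else:
        observed = isn_clock_only(T0)
        actual = isn_clock_only(T0 + delta)
    predicted = (observed + delta // 4) & MASK32   # "same clock, 2 ms later"
    return predicted == actual


def isn_advance_same_tuple(secret=b"constructed-per-boot-secret", gap_us=4_000):
    """For one fixed 4-tuple the RFC 6528 ISN still advances with the clock, which
    keeps old segments from being confused with a new incarnation of the connection."""
    a = isn_rfc6528("10.0.0.2", 80, "10.0.0.50", 51000, secret, T0)
    b = isn_rfc6528("10.0.0.2", 80, "10.0.0.50", 51000, secret, T0 + gap_us)
    return (b - a) & MASK32


if __name__ == "__main__":
    print("clock-only ISN predicted:", prediction_succeeds(False))   # True
    print("RFC 6528 ISN predicted:  ", prediction_succeeds(True))    # False
    print("same tuple, 4 ms later, ISN advanced by", isn_advance_same_tuple())  # 1000
```

The offset F differs per 4-tuple by an amount the attacker cannot compute without the secret, so what they learn from their own connection carries no information about anyone else's; yet for a given tuple the ISN still increases with time, as the last function shows. The residual risk the paragraph mentions is exactly the secret: a weak or leaked per-boot key, or an attacker positioned to see the victim's own connection, brings prediction back.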

ICMP redirect attacks

This network attack, called ICMP Redirect, consists of redirecting a source host to a different gateway that is supposedly closer to the destination. Logically, an attacker will use himself as that gateway, so that all the traffic passes through him and he can capture, modify or block it. These messages are sent to the different hosts, but nowadays Linux systems are not affected by ICMP Redirect attacks because they have this disabled internally; other operating systems may still be affected.
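Whether a Linux host honours ICMP Redirects is governed by per-interface kernel parameters (the accept_redirects, secure_redirects and send_redirects sysctls for IPv4 and IPv6), so rather than assuming, a defender can check them. The following Python script is an added example, not from the article: it parses `sysctl -a`-style output (a constructed excerpt is embedded) and lists the parameters that still allow redirects, together with the sysctl.conf lines that disable them.

```python
import re

# Kernel settings that govern ICMP Redirect handling. 0 is the safe value for every
# key: a host should neither accept redirects nor send them.
REDIRECT_KEYS = (
    "net.ipv4.conf.all.accept_redirects",
    "net.ipv4.conf.default.accept_redirects",
    "net.ipv4.conf.all.secure_redirects",
    "net.ipv4.conf.default.secure_redirects",
    "net.ipv4.conf.all.send_redirects",
    "net.ipv4.conf.default.send_redirects",
    "net.ipv6.conf.all.accept_redirects",
    "net.ipv6.conf.default.accept_redirects",
)

SYSCTL_RE = re.compile(r"^\s*([\w.]+)\s*=\s*(\S+)\s*$")


def parse_sysctl(text):
    """Parse `sysctl -a`-style 'key = value' lines into a dict; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        m = SYSCTL_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_redirects(settings):
    """Return the keys that are missing or not 0, i.e. that still allow ICMP Redirects.
    A missing key is reported too, because absence usually means the IPv6 stack or
    the interface family was not inspected at all."""
    return sorted(k for k in REDIRECT_KEYS if settings.get(k) != "0")


def hardening_lines(findings):
    """sysctl.conf lines that fix the findings."""
    return [f"{k} = 0" for k in findings]


# Constructed `sysctl -a` excerpt: IPv4 still accepts redirects and IPv6 keys are absent.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 0
"""

if __name__ == "__main__":
    for line in hardening_lines(audit_redirects(parse_sysctl(SAMPLE_SYSCTL))):
        print(line)
```

On a real host the input comes from `sysctl -a` and the output lines go into a file under /etc/sysctl.d/; note that the `all.` and `default.` keys must both be set, since `default.` only governs interfaces created later.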

DNS zone transfer attack

This attack affects DNS servers. It consists of getting the DNS server to return the list of host names and IP addresses in a domain. These zone transfers are normally carried out only between authoritative DNS servers, but with this attack cybercriminals could query the DNS servers to obtain a list of hosts to attack.
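The defence is to allow transfers only to the configured secondary servers and to treat any other transfer request as reconnaissance. The Python script below is an added example, not from the article or from BIND: it scans query-log lines in a BIND-like format (the lines and addresses are constructed) for AXFR and IXFR requests from hosts outside the allowlist, and prints the `allow-transfer` option that restricts transfers to that list.

```python
import re

# Secondaries that are allowed to pull the zone (constructed addresses).
ALLOWED_SECONDARIES = {"10.0.0.3", "10.0.0.4"}

# Matches BIND-style query log entries for zone transfer requests (AXFR full, IXFR incremental).
XFER_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \((?P<zone>[^)]+)\): "
    r"query: \S+ IN (?P<type>AXFR|IXFR)"
)

# Constructed log lines approximating BIND's query log format.
SAMPLE_LOG = [
    "10-Mar-2024 12:00:01.101 client @0x7f3a 10.0.0.3#48211 (example.com): query: example.com IN AXFR -T (10.0.0.2)",
    "10-Mar-2024 12:00:05.220 client @0x7f3b 10.0.0.50#52001 (www.example.com): query: www.example.com IN A +E(0) (10.0.0.2)",
    "10-Mar-2024 12:01:17.005 client @0x7f3c 198.51.100.9#33801 (example.com): query: example.com IN AXFR -T (10.0.0.2)",
    "10-Mar-2024 12:01:19.410 client @0x7f3d 203.0.113.7#60123 (example.com): query: example.com IN IXFR -T (10.0.0.2)",
]


def audit_zone_transfers(lines, allowed=ALLOWED_SECONDARIES):
    """Return [(client_ip, zone, type)] for transfer requests from hosts that are not
    configured secondaries: each one is a reconnaissance attempt or a misconfiguration."""
    findings = []
    for line in lines:
        m = XFER_RE.search(line)
        if m and m["ip"] not in allowed:
            findings.append((m["ip"], m["zone"], m["type"]))
    return findings


def bind_allow_transfer(allowed=ALLOWED_SECONDARIES):
    """The BIND option that restricts transfers to the listed secondaries."""
    return "allow-transfer { " + " ".join(f"{ip};" for ip in sorted(allowed)) + " };"


if __name__ == "__main__":
    for ip, zone, kind in audit_zone_transfers(SAMPLE_LOG):
        print(f"unauthorized {kind} of {zone} requested by {ip}")
    print(bind_allow_transfer())
```

Restricting `allow-transfer` (or the equivalent in other name servers) is what closes the hole; the log audit is the check that it stays closed and that nobody is enumerating the zone, which is worth alerting on even when the transfer was refused.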
