
Ethical Hacking Associate

Information Security Threats and Attacks

In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks flood
the network with a high volume of traffic, consuming the available link capacity and
depriving legitimate users of it. Connectivity attacks flood a computer with a large number
of connection requests, consuming the operating system's resources (for example the table of
half-open TCP connections) so that the computer cannot process legitimate users' requests.
Imagine a pizza delivery company, which does much of its business over the phone. If an
attacker wanted to disrupt this business, he could figure out a way to tie up the company's
phone lines, making it impossible for the company to do business. That is how a DOS attack
works—the attacker uses up all the ways to connect to the system, making legitimate
business impossible.
DoS attacks are a kind of security breach that does not generally result in the theft of
information, but they cost the target time and resources, and a successful attack can mean
the loss of a service such as email. In the worst case, a DoS attack that crashes a system
can corrupt or destroy the files and programs on it, affecting everyone who depended on that
system at the time of the attack.

Module 04 Page 169 Ethical Hacking Associate Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


DoS Countermeasures
Implementing defensive mechanisms in the right places and following proper procedures
raises the security of the organizational network. Below is a list of countermeasures for
combating DoS/DDoS attacks:
- Use strong encryption mechanisms such as WPA2 and AES-256 on wireless networks to
  withstand eavesdropping
- Keep software and protocols up to date and scan the machines thoroughly to detect any
  anomalous behavior
- Update the kernel to the latest release and disable unused and insecure services
- Block inbound packets whose source port is a reflector service port (DNS, NTP and the
  like) unless they answer a request one of your hosts sent, so that traffic from reflection
  servers is dropped
- Enable TCP SYN cookie protection
- Prevent the transmission of fraudulently addressed packets at the ISP level (egress
  filtering)
- Implement cognitive radios in the physical layer to handle jamming and scrambling attacks
- Configure the firewall to deny external ICMP traffic
- Secure remote administration and connectivity testing
- Perform thorough input validation
- Ensure that data supplied by the attacker is never executed
- Avoid unsafe library functions such as gets and strcpy
- Prevent return addresses from being overwritten
The last few items address memory-corruption bugs in the service itself, which an attacker
can trigger to crash it with a single crafted request rather than with a flood.
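The connectivity attack described at the start of this section and the SYN cookie countermeasure listed above, shown together in a small simulation. This is an added example written for this page, not EC-Council's material: it models two listeners for the server 10.0.0.23:80 taken from the page's IP-spoofing diagram, and the backlog size, the 64-second cookie slot, the HMAC-based cookie layout and the client addresses are assumptions made for the example.

```python
"""Connectivity (SYN flood) attack against a stateful TCP listener and against
one protected by SYN cookies. Constructed for this page; server address from the
page's diagram, all other numbers are assumptions."""
import hashlib
import hmac
import os
import random
import time

MASK = 0xFFFFFFFF          # TCP sequence numbers are 32-bit
BACKLOG = 128              # half-open entries the stateful listener may hold (assumed)
SLOT_SECONDS = 64          # cookie validity window (assumed value)
SERVER = ("10.0.0.23", 80)


class StatefulServer:
    """Classic listener: every SYN allocates a half-open entry until the ACK arrives.
    A real kernel ages entries out once its SYN-ACK retransmits give up, but a flood
    refills the table faster than it drains, so the table is modelled as simply full."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}     # (client_ip, client_port) -> server ISN
        self.established = 0

    def on_syn(self, client, client_isn, now):
        if len(self.half_open) >= self.backlog:
            return None          # backlog exhausted: the SYN is dropped
        server_isn = random.getrandbits(32)
        self.half_open[client] = server_isn
        return server_isn

    def on_ack(self, client, client_seq, ack_num, now):
        server_isn = self.half_open.get(client)
        if server_isn is None or ack_num != (server_isn + 1) & MASK:
            return False
        del self.half_open[client]
        self.established += 1
        return True


class SynCookieServer:
    """Listener using SYN cookies: the server ISN is an HMAC over the connection
    4-tuple, the client's ISN and a coarse time slot, so no state is kept until
    the final ACK proves the client really received the SYN-ACK."""

    def __init__(self, key=None):
        self.key = key or os.urandom(16)
        self.established = 0

    def _cookie(self, client, client_isn, slot):
        msg = f"{client}|{SERVER}|{client_isn}|{slot}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:3], "big")          # low 24 bits of the ISN

    def on_syn(self, client, client_isn, now):
        slot = int(now) // SLOT_SECONDS
        # top 8 bits carry the slot so the ACK can be checked without any lookup
        return ((slot & 0xFF) << 24) | self._cookie(client, client_isn, slot)

    def on_ack(self, client, client_seq, ack_num, now):
        cookie = (ack_num - 1) & MASK
        client_isn = (client_seq - 1) & MASK
        slot_now = int(now) // SLOT_SECONDS
        for slot in (slot_now, slot_now - 1):               # current and previous slot
            if (slot & 0xFF) != cookie >> 24:
                continue
            expected = self._cookie(client, client_isn, slot).to_bytes(3, "big")
            if hmac.compare_digest(expected, (cookie & 0xFFFFFF).to_bytes(3, "big")):
                self.established += 1
                return True
        return False


def flood_then_connect(server, syn_count=10_000):
    """Send syn_count SYNs from spoofed sources that never complete the handshake,
    then attempt one genuine handshake. Returns True if the genuine client connects."""
    now = time.time()
    for i in range(syn_count):
        spoofed = (f"198.51.100.{i % 254 + 1}", 1024 + i)   # TEST-NET-2 sources, constructed
        server.on_syn(spoofed, random.getrandbits(32), now)
    genuine = ("203.0.113.7", 40000)                         # TEST-NET-3 client, constructed
    client_isn = random.getrandbits(32)
    server_isn = server.on_syn(genuine, client_isn, now)
    if server_isn is None:
        return False
    return server.on_ack(genuine, (client_isn + 1) & MASK, (server_isn + 1) & MASK, now)


if __name__ == "__main__":
    print("stateful listener survives flood:", flood_then_connect(StatefulServer()))
    print("SYN-cookie listener survives flood:", flood_then_connect(SynCookieServer()))
```

Real kernels pack the slot and the negotiated MSS into the ISN and lose TCP options they cannot encode, but the principle is the one shown: the server keeps no per-SYN state, so the table that a SYN flood tries to fill does not exist. On Linux the countermeasure from the list is the net.ipv4.tcp_syncookies sysctl.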

Distributed DoS (DDoS)

Source: http://searchsecurity.techtarget.com
A DDoS attack is a large-scale, coordinated attack on the availability of services on a victim's
system or network resources, launched indirectly through many compromised computers
(botnets) on the Internet.
As defined by the World Wide Web Security FAQ: "A distributed denial-of-service (DDoS)
attack uses many computers to launch a coordinated DOS attack against one or more targets.
Using client/server technology, the perpetrator is able to multiply the effectiveness of the
denial of service significantly by harnessing the resources of multiple unwitting accomplice
computers, which serve as attack platforms." The flood of incoming messages to the target
system essentially forces it to shut down, thereby denying service to the legitimate users.
The services under attack are those of the "primary victim," whereas the compromised
systems used to launch the attack are the "secondary victims." The use of secondary victims
in performing a DDoS attack provides the attacker with the ability to wage a larger and a
more disruptive attack while making it more difficult to track down the original attacker.
The primary objective of any DDoS attacker is first to gain administrative access on as many
systems as possible. In general, attackers use customized attack scripts to identify
potentially vulnerable systems. Once the attacker gains access to these systems, he or she
installs DDoS agent software on them, which stays dormant until the time chosen to launch
the attack.
DDoS attacks have become popular because of the easy availability of attack tools and the
negligible amount of skill required to run them. These attacks can be very dangerous because
they can quickly exhaust even the largest hosts on the Internet, rendering them useless. The
impact of DDoS includes loss of goodwill, a disabled network, financial loss, and a disabled
organization.
How Distributed Denial-of-Service Attacks Work
In a DDoS attack, many compromised machines bombard the target server or network with bogus
external requests, leaving the system, network, or site slow, unusable, or entirely
unavailable.
The variant described here is a reflection attack. The attacker initiates it by sending a
command to the zombie agents. These agents send connection requests to a large number of
reflector systems with the source IP address spoofed to that of the victim. Because of the
spoofed source address, the reflector systems see the requests as coming from the victim's
machine instead of the zombie agents, so they send the requested information (the response
to the connection request) to the victim. The victim's machine is flooded with unsolicited
responses from many reflector computers at once, which either degrades its performance or
causes it to shut down completely.
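How the reflection attack just described looks from the victim's side, and how unsolicited reflector responses can be told apart from legitimate replies. This is an added example, not part of the page: the flow lines, their "time proto src:port > dst:port bytes packets" layout and the 30-second request window are all constructed assumptions, not the output of any particular flow collector.

```python
"""Classify UDP traffic from reflector service ports at the victim's border into
solicited replies and unsolicited (reflected) responses. Constructed sample data."""
import re

# UDP services commonly abused as reflectors (names are for reporting only)
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "chargen", 1900: "SSDP", 11211: "memcached"}
REQUEST_WINDOW = 30   # seconds within which a reply may follow a request (assumed)

FLOW_RE = re.compile(
    r"^(?P<t>\d+)\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<bytes>\d+)\s+(?P<pkts>\d+)$")

# Constructed flows: 203.0.113.7 is the victim, 198.51.100.5 its real resolver,
# 192.0.2.x are reflectors answering requests the victim never sent.
SAMPLE_FLOWS = """\
1 udp 203.0.113.7:41000 > 198.51.100.5:53 60 1
2 udp 198.51.100.5:53 > 203.0.113.7:41000 120 1
5 udp 192.0.2.10:123 > 203.0.113.7:80 4480 10
5 udp 192.0.2.11:123 > 203.0.113.7:80 4480 10
5 udp 192.0.2.12:123 > 203.0.113.7:80 4480 10
6 udp 192.0.2.20:53 > 203.0.113.7:80 3000 2
7 tcp 198.51.100.9:443 > 203.0.113.7:50000 1500 3
8 udp 203.0.113.7:41001 > 198.51.100.5:53 60 1
9 udp 198.51.100.5:53 > 203.0.113.7:41001 110 1
"""


def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("t", "sport", "dport", "bytes", "pkts"):
                d[k] = int(d[k])
            yield d


def find_reflection(text, victim):
    """A response from a reflector port is solicited only if the victim sent a request
    to that peer/port from the same local port shortly before; everything else is the
    signature of spoofed-source reflection."""
    outbound = {}                         # (peer_ip, peer_port, our_port) -> time of request
    report = {"solicited_bytes": 0, "unsolicited_bytes": 0, "reflectors": {}}
    for f in sorted(parse_flows(text), key=lambda f: f["t"]):
        if f["proto"] != "udp":
            continue
        if f["src"] == victim:
            outbound[(f["dst"], f["dport"], f["sport"])] = f["t"]
        elif f["dst"] == victim and f["sport"] in REFLECTOR_PORTS:
            asked = outbound.get((f["src"], f["sport"], f["dport"]))
            if asked is not None and 0 <= f["t"] - asked <= REQUEST_WINDOW:
                report["solicited_bytes"] += f["bytes"]
            else:
                report["unsolicited_bytes"] += f["bytes"]
                service = REFLECTOR_PORTS[f["sport"]]
                seen = report["reflectors"].get(f["src"], (service, 0))
                report["reflectors"][f["src"]] = (service, seen[1] + f["bytes"])
    total = report["solicited_bytes"] + report["unsolicited_bytes"]
    report["unsolicited_share"] = report["unsolicited_bytes"] / total if total else 0.0
    return report


def block_rules(report, threshold=0.9):
    """Suggest a temporary filter per abused service once unsolicited traffic dominates."""
    if report["unsolicited_share"] < threshold:
        return []
    services = {svc for svc, _ in report["reflectors"].values()}
    return [f"drop udp sport {port} unless it answers a request we sent"
            for port, svc in sorted(REFLECTOR_PORTS.items()) if svc in services]


if __name__ == "__main__":
    r = find_reflection(SAMPLE_FLOWS, "203.0.113.7")
    print(r)
    print(block_rules(r))
```

The per-request matching is what keeps the countermeasure "block inbound packets from reflector service ports" from also cutting off the victim's own DNS and NTP replies; a stateful firewall does the same bookkeeping in its connection table.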


Spoofing
When an illegitimate user gains access to the network by forging the identity of a
legitimate one, it is termed spoofing. Popular types of spoofing attacks are:
- IP spoofing
- Man-in-the-Middle attack (MITM)


IP Spoofing Diagram and Countermeasures
[Diagram: the attacker (192.168.0.5) sends packets to the server (10.0.0.23) carrying the
source address of the genuine host (172.16.0.6)]
Countermeasures:
- Use ingress filtering to filter incoming traffic
- Use TCP to create connections between systems; its three-way handshake with random
  sequence numbers is much harder to spoof blindly than a connectionless exchange

IP Spoofing
IP spoofing is the technique attackers use to gain access to a network by sending messages
to a computer with a source IP address indicating that the message is coming from a trusted
host. An attacker engages in IP spoofing by finding the IP address of a trusted host and
then modifying the packet headers so that the packets appear to come from that host.
Routers forward packets through the Internet using only the destination IP address; nobody
along the path verifies the source IP address, which is used only by the destination machine
when it replies. These attacks exploit applications that authenticate clients by IP address.
The countermeasures for IP spoofing are:
- Identify spoofed IP packets and trace them back to their real origin, using routers,
  host-based methods, and administrative controls; tracing can use dedicated traceback
  equipment or traceback features in routers.
- Do not depend on address-based authentication.
- Restrict access to the system's configuration information.
- Encrypt all the network's traffic.
- Implement router filters that drop incoming packets whose source address belongs to your
  own network (ingress filtering).
- Implement filters that drop packets leaving your network whose source address does not
  belong to your network (egress filtering).
- Use random initial sequence numbers.
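The ingress and egress filters from the list above, applied to the spoofing scenario in the page's diagram. This is an added example and not part of the original: the three addresses come from the diagram, but the prefixes they are placed in, the bogon list and the two filtering points are assumptions made for the example.

```python
"""Ingress and egress (BCP 38 style) anti-spoofing filters for the diagram's scenario.
Addresses from the page; prefixes and bogon list are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


SITE_PREFIX = ipaddress.ip_network("10.0.0.0/8")                  # victim site, holds 10.0.0.23
ATTACKER_ACCESS_PREFIX = ipaddress.ip_network("192.168.0.0/24")   # attacker's ISP customer block
# Source ranges that must never arrive from the Internet (illustrative subset)
BOGON_SOURCES = [ipaddress.ip_network(n) for n in
                 ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def isp_egress(pkt):
    """Filter at the attacker's ISP edge: a customer may only send packets whose source
    address lies in its own assigned prefix. This is what stops 192.168.0.5 from
    claiming to be 172.16.0.6."""
    src = ipaddress.ip_address(pkt.src)
    if src not in ATTACKER_ACCESS_PREFIX:
        return "drop: source address is not in the customer's prefix"
    return "accept"


def site_ingress(pkt):
    """Filter at the victim's border router: traffic arriving from outside cannot
    legitimately carry an inside source address or a bogon source."""
    src = ipaddress.ip_address(pkt.src)
    if src in SITE_PREFIX:
        return "drop: internal source address arriving from the Internet"
    if any(src in net for net in BOGON_SOURCES):
        return "drop: unroutable (bogon) source address"
    return "accept"


def path_verdict(pkt, origin="attacker_isp"):
    """Follow a packet from its origin to the site and return the first verdict.
    origin is 'attacker_isp' for packets the attacker emits through a filtering ISP,
    'internet' for packets that reach the site border from an unfiltered network."""
    if origin == "attacker_isp":
        v = isp_egress(pkt)
        if v != "accept":
            return "isp egress " + v
    return "site ingress " + site_ingress(pkt)


if __name__ == "__main__":
    cases = [(Packet("172.16.0.6", "10.0.0.23"), "attacker_isp"),   # spoofed trusted host
             (Packet("192.168.0.5", "10.0.0.23"), "attacker_isp"),  # attacker's real address
             (Packet("10.0.0.99", "10.0.0.23"), "internet"),        # inside address from outside
             (Packet("172.16.0.6", "10.0.0.23"), "internet")]       # spoof via an unfiltered ISP
    for pkt, origin in cases:
        print(pkt, origin, "->", path_verdict(pkt, origin))
```

The last case is the caveat a practitioner should keep in mind: the victim's own ingress filter can only reject sources that are provably wrong from its point of view (its own prefixes and bogons), so a forged 172.16.0.6 that arrives through an ISP without egress filtering passes. That is why the page lists filtering "at the ISP level" as a separate countermeasure, and why address-based authentication should not be relied on at all.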


Man-in-the-Middle Attack
In this type of attack, attackers intrude into an existing connection between a victim and a
web server to intercept the exchanged data and inject false information. The web server and
the victim both receive manipulated data.
Countermeasures:
- Use encryption: even if an attacker gets access to the data, he won't be able to
  interpret it
- Use Hashed Message Authentication Codes (HMAC): the code identifies manipulated data
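The HMAC countermeasure in practice, as an added example that is not part of the page: each frame of a client/server exchange carries a sequence counter and an HMAC-SHA256 tag, so a frame that an in-path attacker modifies, forges or replays is rejected, while the same rewrite against a plain (unkeyed) hash goes unnoticed. The frame layout and the 8-byte counter are assumptions made for the example.

```python
"""Integrity and replay protection with HMAC-SHA256 for a simple framed exchange.
Constructed for this page; frame layout is an assumption."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 32   # SHA-256 output
SEQ_LEN = 8    # 64-bit big-endian sequence counter


class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def send(self, payload):
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag


class Receiver:
    def __init__(self, key):
        self.key, self.last_seq = key, 0

    def receive(self, frame):
        """Return the payload, or raise ValueError for anything that fails verification."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            raise ValueError("truncated frame")
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):      # constant-time comparison
            raise ValueError("tag mismatch: frame modified or forged")
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:                        # counter must strictly increase
            raise ValueError("sequence number not increasing: replay")
        self.last_seq = seq
        return payload


def mitm_rewrite(frame, new_payload):
    """What an in-path attacker can do without the key: swap the payload, keep the tag."""
    return frame[:SEQ_LEN] + new_payload + frame[-TAG_LEN:]


def unkeyed_checksum(payload):
    """A plain hash appended to the message, which an attacker can simply recompute."""
    return payload + hashlib.sha256(payload).digest()


def unkeyed_verify(frame):
    payload, digest = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return hashlib.sha256(payload).digest() == digest


def _accepted(receiver, frame):
    try:
        receiver.receive(frame)
        return True
    except ValueError:
        return False


def demo(key=None):
    """Run the scenarios and report which frames the receiver accepts."""
    key = key or os.urandom(32)
    sender, receiver = Sender(key), Receiver(key)
    results = {}
    genuine = sender.send(b"transfer 100 to acct 42")
    results["genuine"] = receiver.receive(genuine) == b"transfer 100 to acct 42"
    forged = mitm_rewrite(sender.send(b"transfer 100 to acct 42"), b"transfer 100 to acct 99")
    results["tampered"] = _accepted(receiver, forged)
    results["replayed"] = _accepted(receiver, genuine)        # old frame, old counter
    # The same rewrite against an unkeyed checksum succeeds once the attacker recomputes it.
    results["unkeyed_forgery"] = unkeyed_verify(unkeyed_checksum(b"transfer 100 to acct 99"))
    return results


if __name__ == "__main__":
    print(demo())
```

Note what the HMAC does and does not give you: it detects manipulation because the attacker lacks the key, but it does not hide the data, which is why the page lists encryption as a separate countermeasure. TLS combines both.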


TCP Session Hijacking


At the simplest level, TCP hijacking relies on violating the trust relationship between two
interacting hosts. Before going into the details of session hijacking and why the attack is
possible, consider the everyday scenario of accessing the Internet with a browser, say IE.
IE works at the application layer and produces the initial data to be sent across the
Internet. The transport protocol comes into play at the next layer, aptly called the
transport layer, where the appropriate protocol header is added; here it is a TCP header,
since TCP is the protocol in use. TCP provides reliable delivery and controls many aspects
of initiating and managing communication between the two hosts. At the network layer, the IP
header is added and routers forward the datagram from source to destination one hop at a
time. The final layer, which communicates with the physical hardware, is the data link
layer; it delivers frames from source to destination over a physical medium, in this case
Ethernet, and adds the frame header. On reaching the destination the headers are peeled off
again to reveal the original data.
The original IPv4 standard left three basic security issues unaddressed: authentication,
integrity, and privacy. Authentication was an issue because an attacker could spoof an IP
address and exploit a session. Spoofing was not restricted to IP addresses alone but also
extended to MAC addresses, in ARP spoofing. An attacker sniffing on a network could capture
packets and carry out simple attacks such as changing, deleting, rerouting, adding, forging,
or diverting data. Perhaps the most popular among these is the Man-in-the-Middle attack: an
attacker grabs unencrypted traffic from a victim's network-based TCP application and tampers
with the authenticity and integrity of the data before forwarding it on to the unsuspecting
target.
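Detecting the ARP spoofing mentioned above, in the style of the arpwatch tool the page recommends in the next section. This is an added example, not part of the page: it learns which MAC answers for each IP and alerts when a mapping changes, when one MAC starts answering for several IPs, or when a mapping flips back to an earlier value. The capture lines are constructed for this page in a tcpdump-like layout (an assumption), and the gateway and server addresses are invented.

```python
"""arpwatch-style monitor over constructed ARP reply lines (tcpdump-like layout, assumed)."""
import re
from collections import defaultdict

ARP_REPLY_RE = re.compile(r"ARP, Reply (?P<ip>[\d.]+) is-at (?P<mac>[0-9a-f:]{17})", re.I)

# Constructed capture: 10.0.0.1 is the gateway, 10.0.0.23 the server; at 10:00:05 a host
# with MAC de:ad:be:ef:00:05 starts answering for both, then the real gateway answers again.
SAMPLE_CAPTURE = """\
10:00:01.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
10:00:01.500000 ARP, Reply 10.0.0.23 is-at 00:11:22:33:44:23, length 28
10:00:05.000000 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:05, length 28
10:00:05.100000 ARP, Reply 10.0.0.23 is-at de:ad:be:ef:00:05, length 28
10:00:09.000000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
"""


class ArpWatcher:
    def __init__(self):
        self.current = {}                   # ip -> mac currently answering for it
        self.history = defaultdict(set)     # ip -> every mac ever seen for it
        self.claims = defaultdict(set)      # mac -> ips it has answered for

    def observe(self, line):
        """Process one capture line; return a list of alerts (possibly empty)."""
        m = ARP_REPLY_RE.search(line)
        if not m:
            return []
        ip, mac = m["ip"], m["mac"].lower()
        alerts = []
        old = self.current.get(ip)
        if old is not None and old != mac:
            # a return to a previously seen MAC is the classic poisoning "flip-flop"
            kind = "flip_flop" if mac in self.history[ip] else "changed"
            alerts.append({"kind": kind, "ip": ip, "old": old, "new": mac})
        self.current[ip] = mac
        self.history[ip].add(mac)
        self.claims[mac].add(ip)
        if old != mac and len(self.claims[mac]) > 1:   # fire only when the mapping changed
            alerts.append({"kind": "multiple_ips", "mac": mac, "ips": sorted(self.claims[mac])})
        return alerts


def scan(capture):
    """Run the watcher over a whole capture and collect its alerts in order."""
    watcher, alerts = ArpWatcher(), []
    for line in capture.splitlines():
        alerts.extend(watcher.observe(line))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_CAPTURE):
        print(alert)
```

One MAC answering for both the gateway and a server is exactly the position an attacker needs to sit in the middle of their traffic; a single "changed" alert on its own can also be a legitimate NIC replacement or a DHCP lease moving, so the multiple-IP and flip-flop signals are the ones worth paging on.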


Session Hijacking Countermeasures


- Successful sessions should be limited to specific IP addresses. This usually works in an
  intranet setting where the IP ranges are predictable and finite.
- Re-authenticate the user before critical actions are performed (a purchase, a money
  transfer, etc.).
- If possible, tie each session token to a single browser instance. Note that deriving the
  token from guessable values such as the computer's MAC address and the browser's process
  id does not make it unpredictable; the token itself should come from a cryptographically
  secure random generator.
- Follow the same general set of countermeasures used to prevent replay and brute-force
  attacks.
- Use X.509 certificates to prevent the more traditional TCP hijacking based on predictable
  sequence numbers.
- Force all incoming connections from the outside world to be fully encrypted. Attackers
  outside the network will have a much harder time if passwords cannot be sniffed and
  sessions cannot be hijacked.
- Force all connections to critical machines to be fully encrypted. The latest telnet
  package allows administrative policies like this to be enforced. Kerberos does not allow
  policies to be enforced but does allow encrypted communications, as will SRA telnet/FTP
  (sometime soon) and the new STEL (currently in beta test) from CERT-IT.
- Force all traffic on the network to be encrypted. Again, Kerberos will help somewhat but
  will not solve all problems (especially not denial of service). Newer systems such as SKIP
  will help a great deal, but they are in their infancy.
- Use encrypted protocols, like those found in the OpenSSH suite. The OpenSSH suite
  includes the ssh program, which replaces rlogin and telnet; scp, which replaces rcp; and
  sftp, which replaces ftp. It also includes sshd, the server side of the package, and
  other basic utilities such as ssh-add, ssh-agent, ssh-keygen, and sftp-server.
- Use strong authentication (like Kerberos) or peer-to-peer VPNs.
- Configure the appropriate anti-spoofing rules on gateways (internal and external).
- Monitor for ARP cache poisoning using IDS products or arpwatch.
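Server-side session handling that applies the first three countermeasures in the list above: unguessable tokens from a CSPRNG, binding a session to the client address, idle expiry, and forcing a fresh authentication (with token rotation) before a critical action. This is an added example, not part of the page; the timeouts, the revoke-on-mismatch policy and the client addresses (reused from the page's IP-spoofing diagram) are assumptions.

```python
"""Session store with random tokens, client-address binding, idle expiry and
re-authentication before critical actions. Timeouts and policy are assumptions."""
import secrets
import time

IDLE_TIMEOUT = 900      # seconds of inactivity before a session dies (assumed)
REAUTH_WINDOW = 300     # a critical action needs a login within this many seconds (assumed)


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT, reauth_window=REAUTH_WINDOW):
        self.idle_timeout, self.reauth_window = idle_timeout, reauth_window
        self.sessions = {}

    def create(self, user, client_ip, now=None):
        """Issue a 256-bit random token. A token derived from a MAC address or process
        id would be recomputable by anyone who learns those values."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "ip": client_ip,
                                "last_seen": now, "last_auth": now}
        return token

    def validate(self, token, client_ip, now=None):
        """Return the user for a live session presented from its bound address, else None.
        A token presented from another address is treated as hijacked and revoked, so
        the legitimate holder has to log in again as well."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return None
        if s["ip"] != client_ip or now - s["last_seen"] > self.idle_timeout:
            del self.sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def can_perform_critical(self, token, client_ip, now=None):
        """Purchases, transfers and the like require a recent authentication."""
        now = time.time() if now is None else now
        if self.validate(token, client_ip, now) is None:
            return False
        return now - self.sessions[token]["last_auth"] <= self.reauth_window

    def reauthenticate(self, token, client_ip, credential_ok, now=None):
        """After the user re-entered a valid credential, rotate the token so anyone who
        captured the old one cannot ride on the fresh authentication. Returns the new
        token, or None if the session or credential was not valid."""
        now = time.time() if now is None else now
        user = self.validate(token, client_ip, now)
        if user is None or not credential_ok:
            return None
        del self.sessions[token]
        return self.create(user, client_ip, now)


if __name__ == "__main__":
    store = SessionStore()
    t = store.create("alice", "172.16.0.6", now=1000)
    print("genuine client:", store.validate(t, "172.16.0.6", now=1010))
    print("same token from attacker:", store.validate(t, "192.168.0.5", now=1020))
    print("genuine client afterwards:", store.validate(t, "172.16.0.6", now=1030))
```

The address binding is the policy the page itself limits to intranets: clients behind changing NAT addresses or on mobile networks would be logged out constantly, so on the Internet it is usually replaced by the other controls (short idle timeouts, re-authentication and rotation, and TLS everywhere so the token is never exposed in the first place).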



Corporate Espionage
Organizational attacks are mainly operations that one organization initiates against another.
They are used to acquire confidential information that may give the attacker a business or
competitive advantage. Some of these attacks instead sabotage the organization's network by
destroying data or by a DoS attack.
These attacks depend on the attacker finding and exploiting access to the organization's
network, such as an unsecured connection between an organization's intranet and a public
network such as the Internet. Once the attacker gets access to the network, he can gain
access to the corporate or organizational trade secrets or other intellectual property stored
on the organization's network.



Accidental Security Breach


Accidental security breaches occur when authorized users are unintentionally granted
permission to access restricted resources. Unintended permissions are often acquired when a
user's account is placed in a security group that grants more permissions than the user needs.
Improper permissions may allow users to unintentionally read or modify restricted files,
modify other users' accounts, or even destroy or damage data and system files.
Administrative policies that grant permissions to individuals rather than only to groups can
also lead to oversights in permission delegation, since individual user accounts are harder
to administer than groups. Permissions must be carefully managed and maintained to avoid
granting users improper access to resources.
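An effective-permission audit for the accidental breach just described, as an added example that is not part of the page: it computes what each user can actually do from group membership and any direct grants, and reports anything beyond (or, as a bonus, short of) the baseline for that user's role, flagging individual grants separately because the page singles them out as an oversight risk. The groups, roles and users are constructed for the example.

```python
"""Effective-permission audit against per-role baselines. Constructed directory snapshot."""

# Permissions each group confers (constructed)
GROUP_PERMS = {
    "staff":   {"read:wiki"},
    "finance": {"read:ledger", "write:ledger"},
    "admins":  {"read:wiki", "read:ledger", "write:ledger", "admin:users"},
}

# What each role is supposed to have; anything else is excess (constructed)
ROLE_BASELINE = {
    "analyst":    {"read:wiki", "read:ledger"},
    "accountant": {"read:wiki", "read:ledger", "write:ledger"},
    "sysadmin":   {"read:wiki", "read:ledger", "write:ledger", "admin:users"},
}

# Constructed users: alice was dropped into the wrong group, bob got a direct grant
USERS = {
    "alice": {"role": "analyst",    "groups": ["staff", "finance"], "direct": set()},
    "bob":   {"role": "accountant", "groups": ["staff", "finance"], "direct": {"admin:users"}},
    "carol": {"role": "sysadmin",   "groups": ["admins"],           "direct": set()},
    "dave":  {"role": "analyst",    "groups": ["staff"],            "direct": set()},
}


def effective_permissions(user, group_perms=GROUP_PERMS):
    """Union of the user's direct grants and everything their groups confer."""
    perms = set(user["direct"])
    for group in user["groups"]:
        perms |= group_perms.get(group, set())
    return perms


def audit(users=USERS, group_perms=GROUP_PERMS, baseline=ROLE_BASELINE):
    """Return {user: {"excess": ..., "missing": ..., "direct": ...}} for users with a finding.
    excess: can do but should not (the accidental breach); missing: should but cannot;
    direct: granted to the individual rather than through a group."""
    findings = {}
    for name, user in users.items():
        have, want = effective_permissions(user, group_perms), baseline[user["role"]]
        result = {"excess": have - want, "missing": want - have, "direct": set(user["direct"])}
        if any(result.values()):
            findings[name] = result
    return findings


if __name__ == "__main__":
    for name, finding in audit().items():
        print(name, finding)
```

Run periodically against an export of the real directory, the same comparison catches the two causes the page names, a user in the wrong group and a permission granted to an individual, before the user stumbles into the resource they should not see.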


Automated Computer Attack


Automated computer attacks gain access to a network by using password-breaking software or
software that bypasses other security defenses of the network. Dial-up connections are
particularly prone to automated computer attacks, but the attacks occur over the Internet as
well. These attacks probe the Internet for unsecured computers and can also be aimed at a
specific company or organization.
These attacks are frequently disruptive in nature. An automated computer attack can be used
to perform a distributed denial-of-service (DDoS) attack on an organization, using many
computers at once either with the cooperation of their owners or by taking control of
unsecured computers. A DDoS attack can strain the company's computer resources by disrupting
or disabling the network. Many tools for performing automated computer attacks are readily
available.

- Internal threats originate from individuals who have authorized access to the network or
  have an account on a server
- External threats come from outside the organization, from people who have no legitimate
  rights to corporate systems or information
- Malware is malicious software that damages or disables computer systems and gives limited
  or full control of the systems to the malware creator for the purpose of theft or fraud
- Social engineering is the act of obtaining unauthorized access to a network by
  manipulating authorized users into revealing their passwords and other information
- Attackers use password cracking techniques to gain unauthorized access to vulnerable
  systems
- Scanning is the process of identifying the systems, open ports, and services running in a
  network
- TCP session hijacking occurs when a hacker takes over a TCP session between two machines
