Unit 1-Solution

The document is notes from a computer and network security course at L. J. Polytechnic. It contains questions and answers on topics like types of viruses and virus countermeasures, the steps in a cyber attack, security basics like confidentiality and integrity, and types of attacks such as denial of service attacks, spoofing, sniffing, eavesdropping, and masquerading.

L. J. POLYTECHNIC
L. J. Campus, Between Sarkhej-Sanand Circle & Kataria Motors, S.G. Road, Ahmedabad-382210.
Ph. 079-29096539.

Notes of Computer and Network Security
DEPARTMENT OF COMPUTER ENGINEERING
SEMESTER – 5
Computer and Network Security [3350704] Notes

UNIT 1

Q1 Explain types of viruses.


Parasitic Virus: A parasitic virus attaches itself to executable files and replicates,
when the infected program is executed, by finding other executable files to infect.
Memory Resident Virus: It stays in main memory as part of a resident system
program. From that point on, the virus infects every program that executes.
Boot Sector Virus: It infects a master boot record or boot record and spreads when a
system is booted from the disk containing the virus.
Stealth Virus: It is a form of a virus explicitly designed to hide itself from detection
by antivirus software.
Polymorphic Virus: A virus that mutates with every infection, making detection by
the “signature” of the virus impossible.
Metamorphic Virus: As with a polymorphic virus, a metamorphic virus mutates
with every infection. The difference is that a metamorphic virus rewrites itself
completely at each iteration, increasing the difficulty of detection.

Q2 Explain virus countermeasures.


Software countermeasures include:
• Personal firewalls
• Application firewalls
• Anti-virus software
• Pop-up blockers
• Spyware detection/removal programs.
Hardware countermeasures include:
• Biometric authentication systems
• Physical restriction of access to computers and peripherals
• Intrusion detectors
• Alarms
Behavioral countermeasures include:
• Frequent deletion of stored cookies and temporary files from Web browsers
• Regular scanning for viruses and other malware
• Regular installation of updates and patches for operating systems
• Refusing to click on links that appear within e-mail messages
• Refraining from opening e-mail messages and attachments from unknown senders
• Staying away from questionable Web sites
• Regularly backing up data on external media.

Q3 Explain steps in attack.


Reconnaissance:
It is a set of processes and techniques used to secretly discover and collect
information about a target system. During reconnaissance, an ethical hacker attempts
to gather as much information about a target as possible. There are two types of
reconnaissance: active and passive.
Scanning:
Taking the information discovered during reconnaissance and using it to examine the
network.
An attacker may use several tools during the scanning phase. Attackers seek any
information that can help them to attack, such as computer names, IP addresses and
user accounts.
Gaining Access:
After scanning, the attacker designs the blueprint of the target's network with the
help of the data collected during step 1 and step 2. Vulnerabilities discovered during the
reconnaissance and scanning phases are now exploited to gain access.
Perform the attack:
Now, after the above three steps, the attacker is ready to execute the attack, which
could have many different results: the system could crash, information could be
stolen, or a website could be defaced. The attacker can install a backdoor and create
their own user accounts with administrative privileges so that even when the user
updates the system, the attacker can still gain access.
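Added example (Python; not part of the original notes) for the scanning step above, seen from the defender's side: it reads constructed connection-log lines and flags a source that probes many distinct ports on one host within a short window, which is the trace the scanning phase leaves behind. The log format, addresses, window and threshold are assumptions made for this demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the notes): one connection attempt per line,
# "<ISO timestamp> <src-ip> <dst-ip> <dst-port>". 10.0.0.5 probes ten ports in
# five seconds; 10.0.0.7 is an ordinary client using two services.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 192.168.1.10 22
2024-01-01T10:00:01 10.0.0.5 192.168.1.10 23
2024-01-01T10:00:01 10.0.0.5 192.168.1.10 25
2024-01-01T10:00:02 10.0.0.5 192.168.1.10 80
2024-01-01T10:00:02 10.0.0.5 192.168.1.10 110
2024-01-01T10:00:03 10.0.0.5 192.168.1.10 143
2024-01-01T10:00:03 10.0.0.5 192.168.1.10 443
2024-01-01T10:00:04 10.0.0.5 192.168.1.10 445
2024-01-01T10:00:04 10.0.0.5 192.168.1.10 3389
2024-01-01T10:00:05 10.0.0.5 192.168.1.10 8080
2024-01-01T10:00:00 10.0.0.7 192.168.1.10 443
2024-01-01T10:00:30 10.0.0.7 192.168.1.10 443
2024-01-01T10:01:00 10.0.0.7 192.168.1.10 80
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def detect_scans(events, window=timedelta(seconds=60), threshold=8):
    """Return {(src, dst): distinct_ports} for every source that contacted at
    least `threshold` distinct ports on one host within any `window`."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, hits in by_pair.items():
        hits.sort()                      # oldest first
        start = 0
        for end in range(len(hits)):
            # slide the window so that hits[start..end] fit inside it
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= threshold:
                alerts[pair] = max(len(ports), alerts.get(pair, 0))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan: {src} -> {dst}, {n} distinct ports")
```

The threshold and window are the tuning knobs: a low threshold catches slow scans but also flags busy legitimate clients, so in practice they are set from a baseline of normal traffic.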

Q4 Explain security basics.


Confidentiality: To achieve confidentiality, only the sender and the intended
receiver should be able to access the contents of a message.


Integrity: The message that is sent from sender to receiver is not modified or altered
before it reaches the receiver. If the message is modified before it reaches the
receiver, then integrity is lost.

Availability: It assures that systems work promptly and service is not denied to
authorized users. Availability means that information should be available to authorized
parties at all times.
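Added example (Python standard library; not from the original notes) for the integrity property: the sender attaches a keyed tag (HMAC-SHA256) and the receiver recomputes it, so a message altered on the way is rejected. It also shows why an unkeyed checksum is not enough, since whoever changes the message can recompute the checksum too. The shared key and the messages are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed shared secret (assumption): sender and receiver agree on it out of band.
SHARED_KEY = b"example-shared-secret"


def protect(message, key=SHARED_KEY):
    """Sender: compute an HMAC-SHA256 tag over the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(message, tag, key=SHARED_KEY):
    """Receiver: recompute the tag; compare_digest avoids timing leaks."""
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def checksum_verify(message, digest):
    """Unkeyed checksum: anyone who edits the message can recompute this."""
    return hashlib.sha256(message).hexdigest() == digest


def demo():
    original = b"transfer 100 to account 42"
    tag = protect(original)
    intact = verify(original, tag)              # True: message unchanged

    tampered = b"transfer 900 to account 42"
    detected = verify(tampered, tag)            # False: integrity lost, receiver rejects

    # Without the key the attacker cannot produce a valid tag for the altered text.
    forged_ok = verify(tampered, protect(tampered, key=b"attacker-guess"))  # False

    # A plain hash gives no such protection: the attacker recomputes it.
    fooled = checksum_verify(tampered, hashlib.sha256(tampered).hexdigest())  # True
    return intact, detected, forged_ok, fooled


if __name__ == "__main__":
    print(demo())
```

Confidentiality would additionally require encrypting the message; the tag alone lets anyone read it but lets nobody change it unnoticed.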


Q5 Define active and passive attack.


An attack can be defined as any action that compromises the security of information.
There are two types of attacks:
Active attack - An active attack is a network exploit in which a hacker attempts to
make changes to data on the target or data en route to the target. An example of an
active attack is a denial of service attack.

Passive attack - A passive attack is a network attack in which a system is monitored
and sometimes scanned for open ports and vulnerabilities. The purpose is solely to
gain information about the target and no data is changed on the target. Traffic
analysis is an example of a passive attack.

Q6 Explain DoS attack.


A denial of service (DoS) attack is an attack designed to prevent a system or service
from functioning normally.
A DoS attack can exploit a known vulnerability in a specific application or operating
system, or it can attack features in some protocols or services.
In a DoS attack, the attacker attempts to deny authorized users access either to specific
information or to the computer system or network itself. This can be accomplished by
crashing the system, taking it offline, or sending so many requests that the machine is
overwhelmed.
The purpose of a DoS attack is to prevent access to the targeted system, or the attack
can be used in conjunction with other actions to gain unauthorized access to a
computer or network.
An example of a DoS attack is SYN (synchronize) flooding. This flooding takes
advantage of the way TCP/IP networks were designed to function, and it can be used
to illustrate the basic principles of any DoS attack.
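Added example (Python; not from the original notes) that models the state a server keeps during SYN flooding: every SYN opens a half-open connection that the client's final ACK should close, so a flood shows up as handshakes that never complete. The check flags a flood from that count and also separates a single-source flood (DoS) from one spread over many sources (DDoS), the distinction drawn in Q8 and Q10. The packet traces, addresses and thresholds are constructed for the demonstration.

```python
from collections import Counter

# Constructed traces (not captured data): (source-ip, flag) pairs, where "SYN" is a
# handshake start and "ACK" the client's final handshake step as seen by the server.
NORMAL_TRACE = [("10.1.1.2", "SYN"), ("10.1.1.2", "ACK")] * 3          # handshakes complete
DOS_TRACE = NORMAL_TRACE + [("203.0.113.9", "SYN")] * 50                # one source, no ACKs
DDOS_TRACE = NORMAL_TRACE + [(f"198.51.100.{i}", "SYN") for i in range(1, 41)]  # 40 sources


def half_open_per_source(trace):
    """Count handshakes each source started but never finished."""
    outstanding = Counter()
    for src, flag in trace:
        if flag == "SYN":
            outstanding[src] += 1
        elif flag == "ACK" and outstanding[src] > 0:
            outstanding[src] -= 1
    return {src: n for src, n in outstanding.items() if n > 0}


def classify_flood(trace, per_source_limit=20, total_limit=30):
    """Return (verdict, offending_sources). A flood is declared when the total of
    half-open connections reaches total_limit; if any single source holds
    per_source_limit or more it is a DoS, otherwise the pressure is distributed."""
    outstanding = half_open_per_source(trace)
    total = sum(outstanding.values())
    if total < total_limit:
        return "normal", []
    heavy = sorted(src for src, n in outstanding.items() if n >= per_source_limit)
    if heavy:
        return "single-source flood (DoS)", heavy
    return "distributed flood (DDoS)", sorted(outstanding)


if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("dos", DOS_TRACE), ("ddos", DDOS_TRACE)):
        verdict, sources = classify_flood(trace)
        print(f"{name}: {verdict}, {len(sources)} source(s)")
```

The split matters for the response: a single heavy source can be blocked at the firewall, whereas a distributed flood needs rate limiting or upstream filtering by the provider, which is why the notes recommend involving the ISP.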


Q7 Explain in short: spoofing and sniffing.


Spoofing: Spoofing is an attack that happens when someone impersonates a trusted
contact or brand, pretending to be someone you trust in order to access sensitive
personal information. Spoofing attacks copy and exploit the identity of your contacts,
the look of well-known brands, or the addresses of trusted websites.
A successful spoofing attack can have serious consequences. An attacker may be able
to steal sensitive personal or company information, harvest credentials for use in a
future attack or fraud attempt, spread malware through malicious links or
attachments, gain unauthorized network access by taking advantage of trust
relationships, or bypass access controls. They may even launch a denial-of-service
(DoS) attack or a man-in-the-middle (MITM) attack.

Sniffing: A sniffing attack, in the context of network security, corresponds to the theft
or interception of data by capturing the network traffic using a packet sniffer (an
application aimed at capturing network packets). When data is transmitted across
networks, if the data packets are not encrypted, the data within the network packet
can be read using a sniffer. Using a sniffer application, an attacker can analyze the
network and gain information to eventually cause the network to crash or to become
corrupted, or read the communications happening across the network.
Sniffing attacks can be compared to tapping phone wires to listen in on a
conversation, and for this reason it is also referred to as wiretapping applied to
computer networks.


Q8 Explain types of attacks.


Eavesdropping

An eavesdropping attack occurs when a hacker intercepts, deletes, or modifies data
that is transmitted between two devices. Eavesdropping, also known as sniffing or
snooping, relies on unsecured network communications to access data in transit
between devices.
To explain further, an eavesdropping attack typically occurs when a user connects to
a network in which traffic is not secured or encrypted and sends sensitive business
data to a colleague. The data is transmitted across an open network, which gives an
attacker the opportunity to exploit a vulnerability and intercept it via various methods.
Eavesdropping attacks can often be difficult to spot. Unlike other forms of cyber-attack,
the presence of a bug or listening device may not adversely affect the performance of
devices and networks.


Masquerade

A masquerade attack is an attack that uses a fake identity, such as a network identity,
to gain unauthorized access to personal computer information through legitimate
access identification. If an authorization process is not fully protected, it can become
extremely vulnerable to a masquerade attack.
Masquerade attacks can be perpetrated using stolen passwords and logons, by
locating gaps in programs, or by finding a way around the authentication process. The
attack can be triggered either by someone within the organization or by an outsider if
the organization is connected to a public network. The amount of access masquerade
attackers get depends on the level of authorization they've managed to attain. As
such, masquerade attackers can have a full smorgasbord of cybercrime opportunities
if they’ve gained the highest access authority to a business organization. Personal
attacks, although less common, can also be harmful.

Denial of Service


A denial-of-service (DoS) attack is a security threat that occurs when an attacker
makes it impossible for legitimate users to access computer systems, networks,
services or other information technology (IT) resources. Attackers in these types of
attacks typically flood web servers, systems or networks with traffic that overwhelms
the victim's resources and makes it difficult or impossible for anyone else to access
them.
DoS and DDoS attacks often take advantage of vulnerabilities in networking
protocols and how they handle network traffic. For example, an attacker might
overwhelm the service by transmitting many packets to a vulnerable network service
from different Internet Protocol (IP) addresses.
DoS and DDoS attacks target one or more of the seven layers of the Open Systems
Interconnection (OSI) model. The most common OSI targets include Layer 3
(network), Layer 4 (transport), Layer 6 (presentation) and Layer 7 (application).
An enterprise that suspects a DoS attack is underway should contact its internet
service provider (ISP) to determine whether slow performance or other indications
are from an attack or some other factor. The ISP can reroute the malicious traffic to
counter the attack. It can also use load balancers to mitigate the severity of the attack.

Distributed Denial of Service

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the
normal traffic of a targeted server, service or network by overwhelming the target or
its surrounding infrastructure with a flood of Internet traffic.
DDoS attacks achieve effectiveness by utilizing multiple compromised computer
systems as sources of attack traffic. Exploited machines can include computers and
other networked resources such as IoT devices.


From a high level, a DDoS attack is like an unexpected traffic jam clogging up the
highway, preventing regular traffic from arriving at its destination.

Sniffing

A sniffing attack, in the context of network security, corresponds to the theft or
interception of data by capturing the network traffic using a packet sniffer (an
application aimed at capturing network packets). When data is transmitted across
networks, if the data packets are not encrypted, the data within the network packet
can be read using a sniffer. Using a sniffer application, an attacker can analyse the
network and gain information to eventually cause the network to crash or to become
corrupted, or read the communications happening across the network.

Spoofing

Spoofing is when someone or something pretends to be something else in an attempt
to gain our confidence, get access to our systems, steal data, steal money, or spread
malware.


For example, a spoofed email from PayPal or Amazon might inquire about purchases
you never made. Concerned about your account, you might be motivated to click the
included link.
From that malicious link, scammers will send you to a web page with a malware
download or a faked login page—complete with a familiar logo and spoofed URL—
for the purpose of harvesting your username and password.

Backdoor/Trapdoor
The simplest definition of a backdoor attack is the use of any malware, virus or other
technology to gain unauthorized access to an application, system or network while
bypassing all the implemented security measures. Unlike other kinds of viruses and
malware, the components of a backdoor attack reach the core of the targeted
application and often control the targeted resource as a driver or key administrator.
Attackers can change the entire or partial infrastructure, make the targeted system
work or behave as they wish, and steal crucial data.
How a backdoor attack works depends on the way it enters the system. The most
common ways a backdoor enters a system are through malware or through
backdoor-specific software or hardware.
To prevent backdoors, an anti-malware program is useful to keep malicious content at
bay. It will automatically detect and eliminate dangers like viruses, malware, Trojans
and so on, and keep the system protected. As everything happens automatically, not
much effort is required.

Man in the Middle


A man in the middle (MITM) attack is a general term for when an attacker positions
himself in a conversation between a user and an application—either to eavesdrop or
to impersonate one of the parties, making it appear as if a normal exchange of
information is underway.
The goal of an attack is to steal personal information, such as login credentials,
account details and credit card numbers.
A man-in-the-middle (MiTM) attack is a type of attack in which the attacker secretly
intercepts and relays messages between two parties who believe they are
communicating directly with each other. The attack is a type of eavesdropping in
which the attacker intercepts and then controls the entire conversation.
During MiTM attacks, attackers insert themselves in the middle of data transactions
or online communication. Through the distribution of malware, the attacker gains
easy access to the user's web browser and the data it sends and receives during
transactions. Online banking and e-commerce sites, which require secure
authentication with a public key and a private key, are the prime targets of MiTM
attacks as they enable attackers to capture login credentials and other confidential
information.
Typically, these attacks are carried out through a two-step process known as data
interception and decryption.
Data interception consists of an attacker intercepting a data transfer between a client
and a server. The attacker tricks the client and the server into believing that they are
exchanging information with each other, while the attacker intercepts the data, creates
a connection to the real site and acts as a proxy to read and insert false information
into the communication.
The decryption phase is where the intercepted data is decrypted. This essential step
enables the attacker to finally decipher and use the data to their advantage; for
example, they can carry out identity theft or cause disruptions to business operations.


Replay

A replay attack occurs when an attacker eavesdrops on a secure network
communication, intercepts it, and then fraudulently delays or resends it to misdirect
the receiver into doing what the hacker wants.
Consider this real-world example of an attack. A staff member at a company asks for
a financial transfer by sending an encrypted message to the company's financial
administrator. An attacker eavesdrops on this message, captures it, and is now in a
position to resend it. Because it's an authentic message that has simply been resent,
the message is already correctly encrypted and looks legitimate to the financial
administrator. In this scenario, the financial administrator is likely to respond to this
new request unless he or she has a good reason to be suspicious.
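Added example (Python standard library; not from the original notes) of how the financial administrator in the scenario above could reject a captured message that is resent or delivered late: each request carries a fresh nonce and a timestamp under a keyed tag, and the receiver refuses a nonce it has already accepted and any request outside a freshness window. The key, nonces and timestamps are constructed; as the notes describe, the tag on the resent copy is still valid, which is exactly why the tag alone is not enough.

```python
import hashlib
import hmac
import json

# Constructed shared secret (assumption): agreed between staff member and administrator.
KEY = b"example-shared-secret"


def make_request(payload, nonce, ts, key=KEY):
    """Sender: serialise the request with a fresh nonce and timestamp, then tag it."""
    body = json.dumps({"payload": payload, "nonce": nonce, "ts": ts}, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


class Receiver:
    """Administrator side: checks the tag, then freshness, then nonce uniqueness."""

    def __init__(self, key=KEY, max_age=30):
        self.key = key
        self.max_age = max_age      # seconds a request stays acceptable
        self.seen_nonces = set()    # accepted nonces (pruned by age in a real system)

    def accept(self, body, tag, now):
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"          # modified or forged message
        msg = json.loads(body)
        if abs(now - msg["ts"]) > self.max_age:
            return "rejected: stale"            # delayed delivery
        if msg["nonce"] in self.seen_nonces:
            return "rejected: replay"           # authentic copy, already processed
        self.seen_nonces.add(msg["nonce"])
        return "accepted"


def demo():
    admin = Receiver()
    body, tag = make_request("transfer 100 to account 42", nonce="n-1", ts=1000)
    first = admin.accept(body, tag, now=1005)       # the genuine request
    resent = admin.accept(body, tag, now=1010)      # captured copy resent unchanged
    body2, tag2 = make_request("transfer 100 to account 42", nonce="n-2", ts=1000)
    delayed = admin.accept(body2, tag2, now=1100)   # held back and delivered late
    return first, resent, delayed


if __name__ == "__main__":
    print(demo())
```

The nonce set must be remembered at least as long as the freshness window, otherwise a copy resent just inside the window would slip through; the timestamp is what allows the set to be bounded.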

TCP/IP Hijacking
TCP/IP hijacking is when an unauthorized user gains access to a genuine network
connection of another user. It is done in order to bypass the password authentication
which is normally the start of a session.
An attacker monitors the data transmission over a network and discovers the IP
addresses of the two devices that participate in a connection.
When the attacker discovers the IP address of one of the users, they can take down the
connection of the other user with a DoS attack and then resume the communication by
spoofing the IP address of the disconnected user.


SQL Injection

SQL injection is a set of SQL commands that are placed in a URL string or in data
structures in order to retrieve a response that we want from the databases that are
connected with the web applications. This type of attack generally takes place on
web pages developed using PHP or ASP.NET.
An SQL injection attack can be done with the following intentions:
• To dump the whole database of a system,
• To modify the content of the databases, or
• To perform different queries that are not allowed by the application.
This type of attack works when the application does not validate its inputs properly
before passing them to an SQL statement. Injections are normally placed in address
bars, search fields, or data fields. The easiest way to detect whether a web application
is vulnerable to an SQL injection attack is to use the ' (single quote) character in a
string and see if you get any error.
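Added example (Python with the built-in sqlite3 module; not from the original notes) showing why the single-quote probe described above produces an error and how parameter binding removes the problem: the vulnerable function concatenates the input into the SQL text, so a quote breaks the statement, for the probe and for a legitimate name such as O'Brien alike, while the parameterised version hands the same input to the database as a value. The table and its rows are constructed.

```python
import sqlite3


def setup():
    """Constructed in-memory table standing in for a web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Unvalidated input is pasted into the statement text, so whatever the user
    # types becomes SQL syntax: a quote character terminates the literal early.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, name):
    # Parameter binding: the driver passes `name` as a value, never as SQL text,
    # so quotes inside it are just characters of the value.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def probe(conn, name):
    """Return (vulnerable_result, safe_result) for the same input; the vulnerable
    path reports its database error as a string instead of raising."""
    try:
        vulnerable = lookup_vulnerable(conn, name)
    except sqlite3.Error as exc:
        vulnerable = "error: " + str(exc)
    return vulnerable, lookup_safe(conn, name)


if __name__ == "__main__":
    db = setup()
    for value in ("alice", "'", "O'Brien"):
        print(repr(value), "->", probe(db, value))
```

The error message leaking from the vulnerable path is the signal the notes describe; the fix is not to hide the error but to stop building statements from input, which the parameterised query does.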

Phishing

Phishing attacks are the practice of sending fraudulent communications that appear to
come from a reputable source. It is usually done through email. The goal is to steal
sensitive data like credit card and login information, or to install malware on the
victim’s machine. Phishing is a common type of cyber-attack that everyone should
learn about in order to protect themselves.
Phishing starts with a fraudulent email or other communication that is designed to
lure a victim. The message is made to look as though it comes from a trusted sender.
If it fools the victim, he or she is coaxed into providing confidential information,
often on a scam website. Sometimes malware is also downloaded onto the target’s
computer.
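Added example (Python standard library; not from the original notes) of a user-side check for the spoofed links described in the spoofing and phishing sections, here and in Q7: it extracts the host of a link and flags a trusted brand name smuggled into a subdomain of another domain, or a domain that is one or two characters away from the real one. The allow-list and the sample links are constructed, and the registered-domain helper is a simplification that ignores multi-part suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Constructed allow-list (assumption): the brands this user actually deals with.
TRUSTED_DOMAINS = {"paypal.com", "amazon.com"}


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Last two labels of the host (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_link(url):
    """Classify a link as trusted, suspicious (with the reason), unknown or invalid."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return "invalid"
    domain = registered_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    subdomain_labels = host.split(".")[:-2]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # "paypal.com.<something>.net": the brand is only a subdomain of another owner
        if brand in subdomain_labels:
            return f"suspicious: {brand} used as a subdomain of {domain}"
        # "paypa1.com": a near-identical registered domain
        if edit_distance(domain, trusted) <= 2:
            return f"suspicious: lookalike of {trusted}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links for the demonstration.
    for link in ("https://www.paypal.com/signin",
                 "http://paypal.com.account-verify.net/login",
                 "https://paypa1.com/",
                 "https://example.org/"):
        print(link, "->", assess_link(link))
```

Mail clients and browsers apply richer versions of the same idea (public suffix lists, homoglyph tables); the point here is that the registered domain, not the familiar logo or the brand name somewhere in the address, is what identifies the site.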

Q9 What is malicious code?


Malicious code is the term used to describe any code in any part of a software system
or script that is intended to cause undesired effects, security breaches or damage to a
system. Malicious code is an application security threat that cannot be efficiently
controlled by conventional antivirus software alone. Malicious code describes a broad
category of system security terms that includes attack scripts, viruses, worms, Trojan
horses, backdoors and malicious active content.

Malicious code may also include time bombs, hardcoded cryptographic constants and
credentials, deliberate information and data leakage, rootkits and anti-debugging
techniques. These targeted malicious code threats are hidden in software and mask
their presence to evade detection by traditional security technologies.
Once inside your environment, malicious code can enter network drives and
propagate. Malicious code can also cause network and mail server overload by
sending email messages; stealing data and passwords; deleting document files, email
files or passwords; and even reformatting hard drives.

Q10 Difference between DoS and DDoS.

Parameter | DoS | DDoS
Full form | Denial of Service | Distributed Denial of Service
Source of attack | A DoS attack typically uses one computer and one internet connection to flood a targeted system or resource | A DDoS attack uses multiple computers and internet connections to flood the targeted resource
Protection | The system can be stopped/protected easily | Difficult to protect the system against DDoS
Threat level | Low | Medium to High
Malware involvement | No malware involved | A botnet is usually made up of thousands of infected PCs
Cost and management | Easier to operate and manage | Not easy to manage and operate
