DFS40083 - Chapter3 - Network Attacks & Protecting The Network

The document discusses different types of network attacks and threats including malware like trojan horses, worms, and ransomware. It describes common categories of network attacks such as eavesdropping, data modification, and denial of service attacks. The document also covers evolution of security tools used by different types of hackers and how indicators can help identify cyber attacks.

CHAPTER 3

Network Attacks & Protecting the Network

By: SITI ROHANI BINTI SUKAIMI


LEARNING OUTCOMES

• Describe the techniques used to attack networks.
• Describe the various types of threats and attacks.
• Describe network traffic monitoring.
• Describe how TCP/IP vulnerabilities enable network attacks.
• Describe how common network applications and services are vulnerable to attack.
3.1 TECHNIQUES USED TO ATTACK NETWORKS
Threat, Vulnerability, and Risk

• Threat – Potential danger to an asset such as data or the network.
• Vulnerability – Weakness in a system or its design that could be exploited by a threat.
• Attack surface – The different points where an attacker could get into a system and reach the data (example: an operating system without security patches).
• Exploit – Mechanism used to leverage a vulnerability to compromise an asset. A remote exploit works over the network; a local exploit requires the threat actor to already have user or administrative access to the end system.
• Risk – Likelihood that a threat will exploit a vulnerability of an asset and result in an undesirable consequence.
Hacker vs Threat Actor

WHITE HAT HACKERS
• Ethical hackers who use their programming skills for good, ethical, and legal purposes.
• Perform penetration tests to discover vulnerabilities and report them to developers before they can be exploited.

GREY HAT HACKERS
• Commit crimes and do unethical things, but not for personal gain or to cause damage.
• May compromise a network and then disclose the problem so the organization can fix it.

BLACK HAT HACKERS
• Unethical criminals who violate security for personal gain or for malicious reasons, such as attacking networks.
EVOLUTION OF THREAT ACTORS

• Script kiddies – Inexperienced hackers running existing tools and exploits to cause harm, but typically not for profit.
• State-sponsored – White or black hats who steal government secrets, gather intelligence, and sabotage networks.
• Cybercriminals – Black hats stealing billions of dollars from consumers and businesses.
• Hacktivists – Grey hats who rally and protest against political and social ideas.
• Vulnerability brokers – Usually grey hats who discover exploits and report them to vendors, sometimes for prizes or rewards.
Cybercriminals
• Money-motivated threat actors.
• Buy, sell, and trade exploits, and
private information and
intellectual property.
• Steal from consumers, small
businesses, as well as large
enterprises and industries.
Cybersecurity Tasks
• Develop good cybersecurity
awareness.
• Report cybercrime to authorities.
• Be aware of potential threats in
email and web
• Guard important information from
theft.
• Organizations must take action
and protect their
assets, users, and customers.
• Develop cybersecurity tasks and implement them on a recurring basis.
Cyber Threat Indicators
• Each attack has unique
identifiable attributes that are
known as cyber threat indicators
or simply attack indicators.
• U.S. Department of Homeland
Security (DHS) and United States
Computer Emergency Readiness
Team (US-CERT) use the
Automated Indicator Sharing (AIS)
system that enables sharing of
verified attack indicators with
public and private sector
organizations
Threat Actor Tools:
Introduction of Attack Tools
• Attackers use tools to exploit a vulnerability.
• Since 1985 the sophistication of attack tools has steadily increased, while the technical knowledge needed to conduct an attack has decreased.
Evolution of Security Tools
• Common penetration testing tools:
• Password crackers - make repeated guesses (dictionary or brute force) to recover passwords and access the system.
• Wireless hacking tools - attack a wireless network to detect security vulnerabilities.
• Network scanning and hacking tools - probe network devices, servers, and hosts for open ports.
• Packet crafting tools - probe and test a firewall's robustness using specially crafted forged packets.
• Packet sniffers - capture and analyze packets within traditional Ethernet LANs or WLANs.
• Rootkit detectors - directory and file integrity checkers used by white hats to detect installed rootkits.
• Fuzzers - feed malformed or random input to a program to discover security vulnerabilities.
• Forensic tools - recover any trace of evidence existing in a particular computer system.
• Debugger tools - reverse engineer binary files when writing exploits or analyzing malware.
• Hacking operating systems - purpose-built operating systems preloaded with tools and technologies optimized for hacking.
• Encryption tools - use algorithm schemes to encode data to prevent unauthorized access to the encrypted data.
• Vulnerability exploitation tools - determine whether a remote host is vulnerable to a security attack.
• Vulnerability scanners - scan a network or system to identify open ports and known vulnerabilities.
Categories of Attacks
• Common categories of network attacks:
• Eavesdropping - capture and listen to network traffic.
• Data modification - alter the captured data in the packet without the knowledge of the sender or receiver.
• IP address spoofing - construct an IP packet that appears to originate from a valid address inside the corporate intranet.
• Password-based - use stolen valid accounts to obtain lists of other users and network information.
• Denial-of-Service - prevent normal use of a computer or network by valid users.
• Man-in-the-Middle - the threat actor is positioned between a source and destination to monitor, capture, and control communication.
• Compromised-Key - obtain the secret key and use it to gain access to a secured communication without the sender or receiver being aware of the attack.
• Sniffer - an application or device that can read, monitor, and capture network data exchanges and read network packets.
3.2 TYPES OF THREATS AND ATTACKS
MALWARE
• Short for malicious software or malicious code.
• Specifically designed to damage, disrupt, steal, or inflict illegitimate action on data.
Malware:
Trojan Horses
• Malicious code that is designed to
look legitimate.
• Often found attached to online
games.
• Non-replicating type of malware.
• Exploits the privileges of the user
that runs the malware.
• Can cause immediate damage,
provide remote access to the
system, or access through a back
door.
Malware:
Trojan Horses Classification
• Remote-access Trojan horse - Enables
unauthorized remote access.
• Data-sending Trojan horse - Provides the
threat actor with sensitive data, such as
passwords.
• Destructive Trojan horse - Corrupts or deletes
files.
• Proxy Trojan horse - Will use the victim's
computer as the source device to launch
attacks and perform other illegal activities.
• FTP Trojan horse - Enables unauthorized file
transfer services on end devices.
• Security software disabler Trojan horse - Stops
antivirus programs or firewalls from
functioning.
• DoS Trojan horse - Slows or halts network
activity.
Malware:
Worms
• Executes arbitrary code and installs itself in the memory of the infected device.
• Automatically replicates itself and spreads across the network from system to system.
• Components of a worm attack include an exploited vulnerability, a malicious payload, and self-propagation.
• A virus requires a host program to run; a worm can run by itself.
[Figure: Initial Code Red worm infection – 658 servers; 19 hours later – 300,000 servers]
Malware:
Worms Components
• Worm attacks consist of three components:
• Enabling vulnerability - Worm installs itself
using an exploit mechanism, such as an email
attachment, an executable file, or a Trojan
horse, on a vulnerable system.
• Propagation mechanism - After gaining access to a device, the worm replicates itself and locates new targets.
• Payload - Any malicious code that results in
some action is a payload which is used to
create a backdoor that allows a threat actor
access to the infected host or to create a
DoS attack.
Malware:
Ransomware
• Malware that denies access to the infected
computer system or its data.
• Cybercriminals demand payment to release the
computer system.
• Frequently uses an encryption algorithm to encrypt system files and data; without the key, the data cannot be decrypted.
• Email and malicious advertising are vectors for ransomware campaigns.
• Social engineering is also used: cybercriminals who identify themselves as security technicians call homes and persuade users to connect to a website that downloads the ransomware to the user's computer.
Other Malware
• Modern Malware
• Spyware - Used to gather information about a user and send the information to another entity without the user's consent. Can be a system monitor, Trojan horse, adware, tracking cookies, or keyloggers.
• Adware - Typically displays annoying pop-ups to generate revenue for its author.
May analyze user interests by tracking the websites visited and send pop-up
advertising pertinent to those sites.
• Scareware - Includes scam software which uses social engineering to shock or
induce anxiety by creating the perception of a threat. Generally directed at an
unsuspecting user and attempts to persuade the user to infect a computer by
taking action to address the bogus threat.
• Phishing - Attempts to convince people to divulge sensitive information. Example: an email that appears to come from the user's bank asking for their account number and PIN.
• Rootkits - Installed on a compromised system. After it is installed, it continues to
hide its intrusion and provide privileged access to the threat actor.
Common Malware Behaviors
• Computers infected with malware often exhibit one or more of the following:
• Appearance of strange files, programs, or desktop icons.
• Antivirus and firewall programs are turning off or reconfiguring settings.
• Computer screen is freezing or system is crashing.
• Emails are spontaneously being sent without your knowledge to your contact list.
• Files have been modified or deleted.
• Increased CPU and/or memory usage.
• Problems connecting to networks.
• Slow computer or web browser speeds.
• Unknown processes or services running.
• Unknown TCP or UDP ports open.
• Connections are made to hosts on the Internet without user action.
• Strange computer behavior.
Lab Exercise – Anatomy of Malware
TYPES OF NETWORK ATTACKS
• Reconnaissance
• Access
• Denial of Service
Common Network Attacks:
Reconnaissance Attacks
• Also known as information gathering,
reconnaissance attacks perform
unauthorized discovery and mapping of
systems, services, or vulnerabilities.
• Analogous to a thief surveying a
neighborhood by going door-to-door
pretending to sell something.
• Called host profiling when directed at an
endpoint.
• Recon attacks precede intrusive access
attacks or DoS attack and employ the
use of widely available tools.
Common Network Attacks:
Sample Reconnaissance Attacks
• Techniques used by threat actors:
• Perform an information query of a target - Threat
actor is looking for initial information about a target.
Tools: Google search, public information from DNS
registries using dig, nslookup, and whois.
• Initiate a ping sweep of the target networks - Threat
actor initiates a ping sweep of the target networks
revealed by the previous DNS queries to identify
target network addresses. Identifies which IP
addresses are active and creation of logical
topology.
• Initiate a port scan of active IP addresses - Threat
actor initiates port scans on hosts identified by the
ping sweep to determine which ports or services are
available. Port scanning tools such as Nmap,
SuperScan, Angry IP Scanner, and NetScan Tools
initiate connections to the target hosts by scanning
for ports that are open on the target computers.
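The port scan step described above, as an added example that is not part of the original slides: a TCP connect scan in Python, which is what Nmap's -sT does, run against a listener that the example itself starts on the loopback interface, so it needs no network access and no privileges. The host, the port range around the listener and the function names are assumptions for the demo.

```python
import socket
from contextlib import closing


def scan_ports(host, ports, timeout=0.5):
    """TCP connect scan: attempt a full three-way handshake on every port.

    Returns the sorted list of ports that accepted the connection. Closed ports
    answer with RST (connect_ex returns ECONNREFUSED); filtered ports time out.
    """
    open_ports = []
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            # connect_ex returns 0 on success and an errno (instead of raising) otherwise
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
    return sorted(open_ports)


def run_demo():
    """Start one listening socket on loopback (a constructed target, not a real host)
    and scan the five ports around it. Returns (listening_port, open_ports_found)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0: the OS picks a free ephemeral port
    listener.listen(5)
    target_port = listener.getsockname()[1]
    try:
        found = scan_ports("127.0.0.1", range(target_port - 2, target_port + 3))
    finally:
        listener.close()
    return target_port, found


if __name__ == "__main__":
    port, found = run_demo()
    print(f"listener on {port}; open ports found: {found}")
```

A connect scan completes the handshake, so every probe shows up in the target's application logs; a SYN (half-open) scan avoids that but needs raw sockets and root. Scanning hosts you are not authorized to test is illegal in most jurisdictions.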
Common Network Attacks:
Access Attacks
• Access attacks exploit vulnerabilities in authentication services, FTP services, and web services.
• There are at least three reasons that threat actors would use access attacks on networks or systems:
• To retrieve data
• To gain access to systems
• To escalate access privileges
Common Network Attacks:
Types of Access Attacks
• Password attack - Attempt to discover critical system passwords using phishing
attacks, dictionary attacks, brute-force attacks, network sniffing, or using social
engineering techniques.
• Pass-the-hash - Has access to the user’s machine and uses malware to gain
access to the stored password hashes. The threat actor then uses the hashes to
authenticate to other remote servers or devices.
• Trust exploitation - Use a trusted host to gain access to network resources.
• Port redirection - Uses a compromised system as a base for attacks against other
targets.
• Man-in-the-middle attack - Threat actor is positioned in between two legitimate
entities in order to read, modify, or redirect the data that passes between the
two parties.
• IP, MAC, DHCP Spoofing - One device attempts to pose as another by falsifying
address data.
Common Network Attacks:
Social Engineering Attacks
• Type of access attack that attempts to manipulate individuals into performing actions or
divulging confidential information needed to access a network. Examples of social engineering
attacks include:
• Pretexting - Calls an individual and lies to them in an attempt to gain access to
privileged data. Pretends to need personal or financial data in order to confirm the
identity of the recipient.
• Spam - Use spam email to trick a user into clicking an infected link, or downloading an
infected file.
• Phishing - Common version is the threat actor sends enticing custom-targeted spam
email to individuals with the hope the target user clicks on a link or downloads
malicious code.
• Something for Something (Quid pro quo) - Requests personal information from a party
in exchange for something like a free gift.
• Tailgating - Follows an authorized person with a corporate badge into a badge-secure
location.
• Baiting - Threat actor leaves a malware-infected physical device, such as a USB flash
drive in a public location such as a corporate washroom. The finder finds the device
and inserts it into their computer.
• Visual hacking – Physically observes the victim entering credentials such as a
workstation login, an ATM PIN, or the combination on a physical lock. Also known as
“shoulder surfing”.
Common Network Attacks:
Phishing Attacks
• Common social engineering technique that threat actors use to send emails that
appear to be from a legitimate organization (such as a bank). Variations include:
• Spear phishing - Targeted phishing attack tailored for a specific individual or
organization and is more likely to successfully deceive the target.
• Whaling – Similar to spear phishing but is focused on big targets such as top
executives of an organization.
• Pharming – Compromises domain name services by injecting entries into
local host files. Pharming also includes poisoning the DNS by compromising
the DHCP servers that specify DNS servers to their clients.
• Watering hole – Determines websites that a target group visits regularly and
attempts to compromise those websites by infecting them with malware that
can identify and target only members of the target group.
• Vishing – Phishing attack using voice and the phone system instead of email.
• Smishing – Phishing attack using SMS texting instead of email.
Lab Exercise – Social Engineering
Common Network Attacks:
Denial of Service Attacks
• Typically result in some sort of interruption of
service to users, devices, or applications.
• Can be caused by overwhelming a target
device with a large quantity of traffic or by
using maliciously formatted packets.
• A threat actor forwards packets containing
errors that cannot be identified by the
application, or forwards improperly
formatted packets.
Common Network Attacks:
DDoS Attacks
• DDoS Attacks
• Compromises many hosts
• Originates from multiple, coordinated sources
• DDoS terms:
• Zombies – Refers to a group of compromised hosts (i.e.,
agents). These hosts run malicious code referred to as robots
(i.e., bots).
• Bots – Bots are malware designed to infect a host and
communicate with a handler system. Bots can also log
keystrokes, gather passwords, capture and analyze packets,
and more.
• Botnet – Refers to a group of zombies infected using self-
propagating malware (i.e., bots) and are controlled by
handlers.
• Handlers – Refers to a master command-and-control server
controlling groups of zombies. The originator of a botnet can
remotely control the zombies.
• Botmaster – This is the threat actor in control of the botnet
and handlers.
Common Network Attacks:
Example DDoS Attacks
1. The threat actor builds or purchases a botnet of
zombie hosts.
2. Zombie computers continue to scan and infect
more targets to create more zombies.
3. When ready, the botmaster uses the handler
systems to make the botnet of zombies carry out the
DDoS attack on the chosen target.
Common Network Attacks:
Buffer Overflow Attacks
• The goal is to find a system memory-related flaw on a server and exploit it.
• Overflowing a buffer with unexpected values can crash the system or, with a crafted payload, let the threat actor execute code.
• For example:
• The threat actor enters input that is larger than expected by the application running on a server.
• The application accepts the large amount of input and stores it in memory without checking its length.
• The input overruns the associated memory buffer and overwrites adjacent memory, corrupting the process and causing it to crash.
Common Network Attacks:
Evasion Methods
• Threat actors learned long ago that malware and
attack methods are most effective when they are
undetected.
• Some of the evasion methods used by threat actors
include encryption and tunneling, resource
exhaustion, traffic fragmentation, protocol-level
misinterpretation, traffic substitution, traffic insertion,
pivoting, and rootkits.
• New attack methods are constantly being
developed; therefore, network security personnel
must be aware of the latest attack methods in
order to detect them.
3.3 NETWORK TRAFFIC MONITORING
Introduction to Network Monitoring:
Network Security Topology
• All networks are targets and need to be secured using a defense-in-depth approach.
• Security analysts must be intimately familiar with normal network behavior because abnormal network behavior typically indicates a problem.
Introduction to Network Monitoring:
Network Security Methods
• Tools used to help discover normal
network behavior include IDS,
packet analyzers, SNMP, NetFlow,
and others.
• Traffic information capture
methods:
• Network TAPs – Network test
access points that forward all
traffic including physical layer
errors to an analysis device.
• Port mirroring – enables a
switch to copy frames of one
or more ports to a Switch Port
Analyzer (SPAN) port
connected to an analysis
device.
Introduction to Network Monitoring:
Network Taps
• A network tap is typically a passive
splitting device implemented inline
between a device of interest and
the network. A tap forwards all
traffic including physical layer
errors to an analysis device.
• Taps are also typically fail-safe, which means that if the tap fails or loses power, traffic between the firewall and the internal router (in the figure) is not affected.
• A passive tap only copies traffic, so the analysis device attached to it can observe and alert but cannot block or modify what passes through.
Introduction to Network Monitoring:
Traffic Mirroring & SPAN
• Port mirroring enables the switch
to copy frames of one or more
ports to a Switch Port Analyzer
(SPAN) port connected to an
analysis device.
• In the figure, the switch will
forward ingress traffic on F0/1 and
egress traffic on F0/2 to the
destination SPAN port G0/1
connecting to an IDS.
• The association between source
ports and a destination port is
called a SPAN session. In a single
session, one or multiple ports can
be monitored.
Introduction to Network Monitoring Tools:
Network Security Monitoring Tools
MONITORING TOOLS
• Protocol analyzers – programs used to capture traffic. Examples: Wireshark and tcpdump.
• NetFlow – provides a complete audit trail of basic information about every IP flow forwarded on a device.
• SIEM – Security Information and Event Management systems provide real-time reporting and long-term analysis of security events.
• SNMP – Simple Network Management Protocol provides the ability to request and passively collect information across all network devices.
• Log files – it is also common for security analysts to access syslog log files to read and analyze system events and alerts.
Introduction to Network Monitoring Tools:
Network Protocol Analyzers
• Analysts can use protocol
analyzers such as Wireshark and
tcpdump to see network
exchanges down to the packet
level.
• Network protocol analyzers are
also very useful for network
troubleshooting, software and
protocol development, and
education. In security forensics, a
security analyst may reconstruct
an incident from relevant packet
captures.
Introduction to Network Monitoring Tools:
NetFlow
• NetFlow is a Cisco IOS technology that
provides 24x7 statistics on packets
flowing through a Cisco router or
multilayer switch.
• NetFlow can be used for network and
security monitoring, network planning,
and traffic analysis; however, it does
not capture the content.
• NetFlow collectors like Cisco
Stealthwatch can also perform
advanced functions including:
• Flow stitching: It groups individual
entries into flows.
• Flow deduplication: It filters
duplicate incoming entries from
multiple NetFlow clients.
• NAT stitching: It simplifies flows with
NAT entries.
Introduction to Network Monitoring Tools:
SIEM
• Security Information and Event Management (SIEM) systems provide real-time reporting and long-term analysis of security events.
• SIEM includes the following essential functions:
• Forensic analysis – The ability to search logs and event records from
sources throughout the organization. It provides more complete
information for forensic analysis.
• Correlation – Examines logs and events from different systems or
applications, speeding detection of and reaction to security threats.
• Aggregation - Aggregation reduces the volume of event data by
consolidating duplicate event records.
• Reporting - Reporting presents the correlated and aggregated event
data in real-time monitoring and long-term summaries.
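The aggregation and correlation functions described above, as an added example that is not taken from the slides or from any SIEM product: the sample auth log is constructed in OpenSSH's syslog format, and the threshold of three failures and the ten-minute window are assumptions. The correlation rule flags a source that fails repeatedly and then logs in successfully on the same host, the footprint of the password attack described in section 3.2.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth.log format (not real data).
SAMPLE_LOG = """\
Mar  9 10:15:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  9 10:15:03 host1 sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  9 10:15:04 host1 sshd[2204]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar  9 10:15:06 host1 sshd[2207]: Failed password for alice from 203.0.113.5 port 51244 ssh2
Mar  9 10:15:09 host1 sshd[2210]: Accepted password for alice from 203.0.113.5 port 51250 ssh2
Mar  9 10:20:00 host2 sshd[3100]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Mar  9 11:30:00 host2 sshd[3105]: Accepted publickey for bob from 198.51.100.7 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text, year=2024):
    """Normalize raw syslog lines into event dicts (syslog carries no year; assumed)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event; a real pipeline would keep and tag it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "user": m["user"], "src": m["src"]})
    return events


def aggregate_failures(events):
    """Aggregation: collapse many failed-login records into one count per (source, host)."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[(e["src"], e["host"])] += 1
    return dict(counts)


def correlate_bruteforce_success(events, threshold=3, window=timedelta(minutes=10)):
    """Correlation: a source that accumulates >= threshold failures on a host and then
    gets an Accepted login there within the window is reported (likely guessed password)."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[(e["src"], e["host"])].append(e)
    alerts = []
    for (src, host), evs in by_key.items():
        for i, e in enumerate(evs):
            if e["result"] != "Accepted":
                continue
            recent = [f for f in evs[:i]
                      if f["result"] == "Failed" and e["ts"] - f["ts"] <= window]
            if len(recent) >= threshold:
                alerts.append({"src": src, "host": host, "user": e["user"],
                               "failures_before_success": len(recent), "ts": e["ts"]})
    return alerts
```

On the sample data the source 203.0.113.5 produces one alert (four failures, then alice logs in); bob's single failure an hour before his key-based login does not. Tuning the threshold and window against the organization's own baseline is what keeps this rule from paging on every typo.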
Introduction to Network Monitoring Tools:
SIEM SYSTEMS
• Splunk is one of the more popular
proprietary SIEM systems used by
Security Operation Centers.
• As an open source option, this course
uses the ELK suite for SIEM functionality.
ELK is an acronym for three open source
products from Elastic:
• Elasticsearch - Document oriented full
text search engine
• Logstash - Pipeline processing system
that connects "inputs" to "outputs" with
optional "filters" in between
• Kibana - Browser based analytics and
search dashboard for Elasticsearch
3.4 HOW TCP/IP VULNERABILITIES ENABLE NETWORK ATTACKS
IP Vulnerabilities and Threats:
IPv4 and IPv6
• It is important for security analysts to understand the different fields in both the IPv4 and IPv6 headers because threat actors can tamper with packet information.
Exercise:
• What is the difference between IPv4 & IPv6?
IP Vulnerabilities and Threats:
The IPv4 Packet Header
• The IPv4 packet header contains the following fields:
• Version
• Internet Header length
• Differentiated Services or DiffServ
(DS)
• Total length
• Identification, Flag, and Fragment
offset
• Time-to-Live (TTL)
• Protocol
• Header checksum
• Source IPv4 Address
• Destination IPv4 Address
• Options and Padding
IP Vulnerabilities and Threats:
The IPv6 Packet Header
• The fixed IPv6 packet header contains 8 fields:
• Version
• Traffic Class
• Flow Label
• Payload Length
• Next Header
• Hop Limit
• Source IPv6 Address
• Destination IPv6 Address
IP Vulnerabilities and Threats:
IP Vulnerabilities
• ICMP attacks
• DoS and DDoS attacks
• Address spoofing attacks
• MITM attacks
• Session hijacking
IP Vulnerabilities and Threats:
ICMP Attacks
• ICMP was developed to carry diagnostic messages
and to report error conditions when routes, hosts, and
ports are unavailable. ICMP messages are generated
by devices when a network error or outage occurs.
• Common ICMP messages of interest to threat actors
include:
• ICMP echo request and echo reply – This is used
to perform host verification and DoS attacks.
• ICMP unreachable – This is used to perform
network reconnaissance and scanning attacks.
• ICMP mask reply – This is used to map an internal
IP network.
• ICMP redirects – This is used to lure a target host
into sending all traffic through a compromised
device and create a MITM attack.
• ICMP router discovery – This is used to inject bogus
route entries into the routing table of a target
host.
IP Vulnerabilities and Threats:
DoS Attacks
• The goal of a Denial of Service (DoS) attack is
to prevent legitimate users from gaining
access to websites, email, online accounts,
and other services.
• There are two major sources of DoS attacks:
• Maliciously Formatted Packets – Threat
actors craft a maliciously formatted
packet and forward it to a susceptible
host, causing the host to crash or
become extremely slow.
• Overwhelming Quantity of Traffic – Threat
actors overwhelm a target network, host,
or application, causing them to crash or
become extremely slow.
• A distributed DoS (DDoS) attack combines
multiple DoS attacks.
IP Vulnerabilities and Threats:
Amplification and Reflection Attacks
• Threat actors often use amplification and
reflection techniques to create DoS
attacks. The example in the figure
illustrates how an amplification and
reflection technique called a Smurf attack
is used to overwhelm a target host:
• 1. Amplification - The threat actor forwards
ICMP echo request messages that contain
the source IP address of the victim to a
large number of hosts.
• 2. Reflection - These hosts all reply to the
spoofed IP address of the victim to
overwhelm it.
IP Vulnerabilities and Threats:
DDoS Attacks
• A DDoS attack is larger in magnitude than a DoS
attack because it originates from multiple,
coordinated sources. DDoS attacks introduced
new terms such as botnet, handler systems, and
zombie computers.
• A DDoS attack could proceed as follows:
1. The threat actor (botmaster) builds or purchases
the use of a botnet of zombie hosts. The
command-and-control (CnC) server
communicates with zombies over a covert
channel using IRC, P2P, DNS, HTTP, or HTTPS.
2. Zombie computers continue to scan and infect
more targets to create more zombies.
3. When ready, the botmaster uses the handler
systems to make the botnet of zombies carry out
the DDoS attack on the chosen target.
IP Vulnerabilities and Threats:
Address Spoofing Attacks
• occur when a threat actor creates packets with
false source IP address information to either hide
the identity of the sender or to pose as another
legitimate user. The attacker can then gain
access to otherwise inaccessible data or
circumvent security configurations.
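The IPv4 and IPv6 header fields listed earlier in this section, the Smurf echo request, and the address-spoofing attack, as one added example that is not part of the original slides: a header builder and parser that verifies the IPv4 header checksum, a constructed Smurf packet, and an ingress-filter check. The addresses, the network prefix, the BCP 38 style check, and all function names are assumptions for the demo.

```python
import ipaddress
import struct

ICMP_PROTO = 1


def internet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0x1234):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum, followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), ident, 0,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt):
    """Decode the header fields from the slide and verify the header checksum."""
    (ver_ihl, ds, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "version": ver_ihl >> 4, "ihl": ihl, "dscp": ds >> 2, "total_length": total_len,
        "identification": ident, "flags": flags_frag >> 13,
        "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "options": pkt[20:ihl],
        # summing the header with its checksum field included gives 0 only when it is intact
        "checksum_ok": internet_checksum(pkt[:ihl]) == 0,
    }


def build_ipv6(src, dst, next_header, payload, hop_limit=64, flow_label=0):
    """Fixed 40-byte IPv6 header; note there is no header checksum in IPv6."""
    first_word = (6 << 28) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB16s16s", first_word, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def parse_ipv6(pkt):
    first, plen, nxt, hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    return {"version": first >> 28, "traffic_class": (first >> 20) & 0xFF,
            "flow_label": first & 0xFFFFF, "payload_length": plen, "next_header": nxt,
            "hop_limit": hlim, "src": str(ipaddress.IPv6Address(src)),
            "dst": str(ipaddress.IPv6Address(dst))}


def build_icmp_echo_request(ident=1, seq=1, data=b"ping"):
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)          # type 8 = echo request
    return struct.pack("!BBHHH", 8, 0, internet_checksum(hdr + data), ident, seq) + data


def smurf_packet(victim, directed_broadcast):
    """The Smurf amplification step: one echo request whose source is the victim, sent to
    a directed-broadcast address so that every host on that segment replies to the victim."""
    return build_ipv4(victim, directed_broadcast, ICMP_PROTO, build_icmp_echo_request())


def violates_ingress_filter(pkt, internal_net):
    """Edge anti-spoofing check (the BCP 38 idea, an assumption for this demo): a packet
    arriving from outside must not claim a source address that belongs to the inside."""
    return ipaddress.IPv4Address(parse_ipv4(pkt)["src"]) in ipaddress.IPv4Network(internal_net)
```

The point to take from running it: the spoofed Smurf packet parses cleanly and its checksum verifies, because the header checksum only detects corruption and says nothing about who sent the packet. Spoofing is caught by the ingress filter, which compares the claimed source against the interface it arrived on; flipping a header byte (the TTL, say) is what the checksum catches.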
TCP & UDP Vulnerabilities :
TCP
• TCP segment information appears immediately after
the IP header.
• TCP provides the following services:
• Reliable delivery
• Flow control
• Stateful communication
TCP & UDP Vulnerabilities :
TCP Attacks
• Although the TCP protocol is a connection-oriented
and reliable protocol, there are still vulnerabilities that
can be exploited.
• TCP attacks target expected protocol behaviors:
• TCP SYN flood attack
• TCP reset attack
• TCP session hijacking
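The TCP SYN flood listed above and the port-scan reconnaissance from section 3.2, seen through the NetFlow records described in section 3.3, as one added example that is not part of the original slides: the flow records are constructed to resemble a NetFlow export (only the fields the detectors need), and the thresholds and function names are assumptions. Both detectors key on the same observation, a client flow that carries SYN but never ACK, and differ only in how they group the flows.

```python
from collections import defaultdict

# TCP flag bits as exported in NetFlow's tcpFlags field (same values as in the TCP header)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def sample_flows():
    """Constructed client-to-server flow records, not real traffic.
    Each record: (src_ip, dst_ip, dst_port, flags_ored_over_the_flow, packets)."""
    flows = []
    # a port scan: one source probing 40 ports on one host, a single SYN each
    for port in range(20, 60):
        flows.append(("203.0.113.9", "192.0.2.10", port, SYN, 1))
    # a SYN flood: 300 distinct (spoofed) sources, one SYN each to port 80, never completed
    for i in range(300):
        flows.append((f"10.0.{i // 256}.{i % 256}", "192.0.2.10", 80, SYN, 1))
    # normal HTTPS sessions: the client side of a completed handshake carries ACKs
    for i in range(20):
        flows.append((f"192.168.1.{i + 1}", "192.0.2.10", 443, SYN | ACK | PSH | FIN, 30))
    return flows


def half_open(flags):
    """SYN seen but never ACK: the client did not complete the three-way handshake."""
    return bool(flags & SYN) and not (flags & ACK)


def detect_port_scans(flows, min_ports=15):
    """Reconnaissance: one source touching many distinct ports on one host with half-open flows."""
    ports = defaultdict(set)
    for src, dst, dport, flags, _packets in flows:
        if half_open(flags):
            ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_syn_floods(flows, min_sources=100, min_ratio=0.9):
    """DoS: one service receiving half-open flows from many sources and almost no completed ones."""
    total = defaultdict(int)
    half = defaultdict(int)
    sources = defaultdict(set)
    for src, dst, dport, flags, _packets in flows:
        service = (dst, dport)
        total[service] += 1
        if half_open(flags):
            half[service] += 1
            sources[service].add(src)
    alerts = {}
    for service, srcs in sources.items():
        ratio = half[service] / total[service]
        if len(srcs) >= min_sources and ratio >= min_ratio:
            alerts[service] = {"distinct_sources": len(srcs), "half_open_ratio": round(ratio, 2)}
    return alerts
```

NetFlow gives counts and flags, never payload, which is exactly enough for these two cases and not enough for anything that needs content (the DNS tunnelling case in section 3.5, for instance). A production collector would evaluate the same logic per time window rather than over the whole record set.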
TCP & UDP Vulnerabilities :
UDP and UDP Attacks
• UDP is a simple protocol that provides the basic transport layer functions. UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-time applications such as media streaming or VoIP. UDP is a connectionless transport layer protocol.
• UDP itself provides no encryption or authentication (neither does TCP; that protection comes from higher layers such as TLS or DTLS). Unprotected UDP traffic can be read, altered, and forwarded to its destination by anyone on the path.
• UDP protocol attacks target the lack of protocol behaviors (UDP):
• UDP checksum attack
• UDP flood attack
• UDP DoS attacks
3.5 COMMON NETWORK APPLICATIONS AND SERVICES VULNERABLE TO ATTACK
IP Services:
ARP Vulnerabilities
• Hosts broadcast an ARP Request to other hosts
on the segment to determine the MAC address
of a host with a particular IP address.
• All hosts on the subnet receive and process the
ARP Request.
• The host with the matching IP address in the ARP
Request sends an ARP Reply.
IP Services:
ARP Cache Poisoning
• ARP cache poisoning
attacks deliberately
poison the cache of
another computer with
spoofed IP address to
MAC address mappings.
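The ARP exchange and the cache-poisoning attack described above, as an added example that is not part of the original slides: a builder and parser for Ethernet/IPv4 ARP frames, and a small watcher that keeps the first IP-to-MAC binding it sees in replies and reports any later reply that contradicts it (the same idea as the arpwatch tool). The MAC and IP addresses and the frame sequence are constructed for the demo.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (constructed test input).
    Requests go to the broadcast MAC; replies are unicast to the asker."""
    dst_mac = BROADCAST if op == ARP_REQUEST else target_mac
    eth = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,      # Ethernet / IPv4 ARP
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields, or None if the frame is not an Ethernet/IPv4 ARP packet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s",
                                                                        frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "sender_mac": mac_str(smac), "sender_ip": ip_str(sip),
            "target_mac": mac_str(tmac), "target_ip": ip_str(tip)}


class ArpWatch:
    """Remembers the first IP-to-MAC binding seen in replies and reports contradicting replies."""

    def __init__(self, known=None):
        self.table = dict(known or {})   # seed from DHCP leases or an inventory when available
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        expected = self.table.setdefault(ip, mac)
        if expected != mac:
            alert = {"ip": ip, "expected_mac": expected, "claimed_mac": mac}
            self.alerts.append(alert)
            return alert
        return None


def arp_demo():
    """Constructed sequence: a request, the legitimate gateway reply, then a poisoning
    reply that claims the gateway's IP for the attacker's MAC."""
    watch = ArpWatch()
    frames = [
        build_arp_frame(ARP_REQUEST, "00:11:22:33:44:10", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
        build_arp_frame(ARP_REPLY, "00:11:22:33:44:01", "192.0.2.1", "00:11:22:33:44:10", "192.0.2.10"),
        build_arp_frame(ARP_REPLY, "de:ad:be:ef:00:01", "192.0.2.1", "00:11:22:33:44:10", "192.0.2.10"),
    ]
    for frame in frames:
        watch.observe(frame)
    return watch.alerts
```

A first-seen table is only as trustworthy as the first reply, which is why seeding it from DHCP leases (the basis of Dynamic ARP Inspection on switches) is the usual production approach; the detector also does not distinguish a legitimate NIC replacement from an attack, so the alert is a prompt for a human, not an automatic block.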
IP Services:
DNS Attacks
DNS servers resolve names to IP addresses and are a major target of attackers. Some DNS exploits are:
• DNS open resolver attacks – public name servers that answer queries from any client can be abused for cache poisoning and for amplification attacks.
• DNS stealth attacks – techniques that hide the threat actor's infrastructure behind rapidly changing DNS records.
• DNS domain shadowing attacks – hijacked domains are used to create subdomains which resolve to malicious web sites.
• DNS tunneling attacks – hide malicious instructions inside DNS queries and responses.

IP Services:
DNS Tunneling
• Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic. This method often circumvents security solutions because outbound DNS is almost always permitted. The data is encoded into query names and into the different DNS record types, such as TXT, MX, SRV, NULL, A, or CNAME, which are used to carry it.
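Detecting the tunnelling behaviour described above from a DNS query log, as an added example that is not part of the original slides: the query log is constructed, the tunnelling client's labels are generated from hashes to stand in for encoded data, and the heuristics, thresholds, and the two-label approximation of the registered domain are assumptions for the demo. Nothing here decodes the traffic; it scores the shape of the names, which is what a resolver log lets you see.

```python
import hashlib
import math
from collections import defaultdict


def sample_queries():
    """Constructed DNS query log, not real data: (client_ip, qname, qtype)."""
    normal = [("10.0.0.5", "www.example.com", "A"),
              ("10.0.0.5", "mail.example.com", "MX"),
              ("10.0.0.5", "cdn.example.net", "A"),
              ("10.0.0.5", "_sip._tcp.example.com", "SRV")]
    # a tunnelling client: every query carries a 40-hex-char chunk in the leftmost label
    tunnel = [("10.0.0.7", hashlib.sha256(b"chunk%d" % i).hexdigest()[:40] + ".t.exfil.example", "TXT")
              for i in range(25)]
    return normal + tunnel


def shannon_entropy(text):
    """Bits per character; encoded data scores high, dictionary words score low."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels; a real deployment would use the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_dns_tunneling(queries, max_label_len=30, min_entropy=3.0, min_unique=20, min_reasons=2):
    """Per (client, domain): count long labels, high-entropy labels, TXT/NULL queries and
    unique names; report pairs that trip at least min_reasons of the heuristics."""
    stats = defaultdict(lambda: {"queries": 0, "unique": set(), "long": 0,
                                 "entropy": 0, "txt_null": 0})
    for client, qname, qtype in queries:
        st = stats[(client, registered_domain(qname))]
        st["queries"] += 1
        st["unique"].add(qname)
        longest = max(qname.split("."), key=len)
        st["long"] += len(longest) > max_label_len
        st["entropy"] += shannon_entropy(longest) >= min_entropy
        st["txt_null"] += qtype in ("TXT", "NULL")
    suspects = {}
    for key, st in stats.items():
        n = st["queries"]
        reasons = [name for name, hit in (
            ("many unique subdomains", len(st["unique"]) >= min_unique),
            ("long labels", st["long"] / n > 0.5),
            ("high-entropy labels", st["entropy"] / n > 0.5),
            ("TXT/NULL heavy", st["txt_null"] / n > 0.5)) if hit]
        if len(reasons) >= min_reasons:
            suspects[key] = reasons
    return suspects
```

Requiring two independent signals keeps content-delivery networks and anti-spam services, which legitimately use long or hash-like labels, from dominating the alert queue; the volume and TXT/NULL signals are the ones a tunnel cannot easily avoid.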
IP Services:
DHCP
• A DHCP attack could result in every host on the network communicating with malicious DNS
servers and gateways. A DHCP spoofing attack creates a rogue DHCP server to serve falsified
information.
IP Services:
Lab Exercise– Exploring DNS Traffic
HTTP & HTTPS
Browsing the Web is possibly the largest vector of attack. Security analysts should have in-depth knowledge of how web attacks work.
• Malicious iFrame – an iFrame allows a page from a different domain to be opened inline within the current page. The iFrame can be used to launch malicious code.
• HTTP 302 cushioning – an HTTP 302 response redirects the browser to a different URL. Chains of such redirects can be used to lead the browser to malicious code.
• Domain shadowing – malicious web sites are created on subdomains of a hijacked domain.
EMAIL
Email messages are accessed from many different devices that are often not protected by the company's firewall.
• Attachment-based attacks – email with malicious executable files attached.
• Email spoofing – phishing attack where the message appears to come from a legitimate source.
• Spam email – unsolicited email with advertisements or malicious content.
• Open mail relay server – massive amounts of spam and worms can be sent through misconfigured email servers.
• Homoglyphs – phishing scheme where text characters (and hyperlinks) look similar to real text and links.
WEB-EXPOSED DATABASES
Web applications commonly connect to a relational database. Because relational databases often contain sensitive data, databases are a frequent target for attacks.
• Command injection attacks – insecure code in the web application allows OS commands to be injected through form fields or the address bar.
• XSS (cross-site scripting) attacks – insecure server-side scripting that does not validate or encode input allows script to be inserted into user-generated content, such as web page comments. The script runs in visitors' browsers and can redirect them to a malicious website with malware.
• SQL injection attacks – insecure server-side scripting allows SQL commands to be inserted into form fields where the input is not validated or parameterized.
• HTML injection attacks (often labelled HTTP injection) – manipulation of HTML allows executable code to be injected through HTML div tags, etc.
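The SQL injection and XSS items above, as one added example that is not part of the original slides: a login query built by string concatenation beside its parameterized form, and a comment renderer with and without HTML escaping. The in-memory SQLite database, its rows, and the clear-text password column exist only to make the injection visible; real systems store salted password hashes.

```python
import html
import sqlite3


def make_db():
    """In-memory SQLite with constructed rows (clear-text passwords only for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately insecure: the form fields are concatenated into the SQL text, so a
    username of  alice' --  closes the string and comments out the password check."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Hardened: bound parameters travel separately from the statement text, so the
    quote and comment characters are just data in the comparison."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def render_comment(comment, escape=True):
    """Reflecting user-generated content into HTML: escaped output (safe) versus raw output,
    which lets a comment such as <script>...</script> run in every visitor's browser (XSS)."""
    body = html.escape(comment, quote=True) if escape else comment
    return f'<div class="comment">{body}</div>'
```

Input validation helps, but the fix that removes the bug class is the one shown: keep code and data in separate channels, parameters for SQL and context-appropriate encoding for HTML, rather than trying to blacklist quote and angle-bracket characters.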
Lab Exercise – Attacking a mySQL Database
Lab Exercise – Reading Server Logs
THANK YOU