Chapter 5: Common Security Attack

The document outlines various common types of security attacks that network professionals should be aware of, including technology-based attacks like DoS, DDoS, and DNS poisoning, as well as human and environmental vulnerabilities. It explains how these attacks exploit weaknesses in systems and protocols, and discusses methods of prevention and mitigation. Key concepts such as ARP spoofing, VLAN hopping, and ransomware are also highlighted as significant threats to network security.

Uploaded by

remah

COMMON SECURITY ATTACK

Content
• Compare and contrast common types of attacks.
• Technology-based
• Denial-of-service (DoS)/distributed denial-of-service (DDoS)
• Botnet/command and control
• On-path attack (previously known as man-in-the-middle attack)
• DNS poisoning

Content
• VLAN hopping
• ARP spoofing
• Rogue DHCP
• Rogue access point (AP)
• Password attacks
• Human and environmental

Common Types of Attack

• In this chapter you will learn the common types of attacks that all network professionals should understand to secure an enterprise network.

Technology-Based Attacks

• Technology-based attacks are those that take advantage of weaknesses in software and in the protocols that systems use to communicate with one another, as opposed to attacks that target environmental or human weaknesses (covered later in this chapter). In the following sections, you'll learn about attacks that target technologies.

Denial of Service (DoS) Attack

• A denial of service (DoS) attack prevents users from accessing the network and/or its resources.
• There are millions of servers operating on the internet (which host websites). If a hacker wants to bring down a web server, the hacker floods that server with massive amounts of traffic.
• The web server is then unable to respond to legitimate traffic, and ordinary users are unable to visit the website.

The Ping of Death

• Ping is primarily used to see whether a computer is responding to IP requests. Usually, when you ping a remote host, what you're really doing is sending four normal-sized Internet Control Message Protocol (ICMP) packets to the remote host to see if it's available.
• Ping of Death is a type of Denial of Service (DoS) attack in which an attacker attempts to crash, destabilize, or freeze the targeted computer or service by sending malformed or oversized packets using a simple ping command. The oversized packet overflows the victim's receive buffer, causing the system to reboot or hang.
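The following is an added example, not part of the original slide deck, showing the defect the classic Ping of Death exploited. An IPv4 datagram can be at most 65,535 bytes (the total-length field is 16 bits), but each fragment carries only an offset and a length, so a sender can make the reassembled datagram larger than that. A reassembler that trusts the fragments overruns its buffer; a hardened one rejects any fragment that would push the datagram past the limit. The fragments, sizes and dummy payload bytes are constructed for the example.

```python
# Added example: oversized-datagram check in IP fragment reassembly.
MAX_DATAGRAM = 65535  # IPv4 "total length" is a 16-bit field, so this is the hard ceiling


def make_fragments(total_len, fragment_size=1480):
    """Construct the fragments of a datagram whose reassembled size is total_len bytes.

    Each fragment is (byte offset, payload); 1480 is divisible by 8, as real
    fragment offsets must be. The payload bytes are dummy data for the example.
    """
    return [(off, b"A" * min(fragment_size, total_len - off))
            for off in range(0, total_len, fragment_size)]


def reassemble_unchecked(fragments):
    """The vulnerable shape: grows the buffer to whatever the fragments claim.

    Affected IP stacks wrote into a buffer sized for the maximum datagram, so
    this overran memory and crashed the host. A Python bytearray simply grows,
    which lets the function return the oversized result so the overrun is visible.
    """
    buf = bytearray()
    for offset, payload in fragments:
        end = offset + len(payload)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        buf[offset:end] = payload
    return bytes(buf)


def reassemble_checked(fragments):
    """Hardened reassembler: refuses any fragment that would exceed MAX_DATAGRAM."""
    buf = bytearray(MAX_DATAGRAM)
    highest = 0
    for offset, payload in fragments:
        end = offset + len(payload)
        if end > MAX_DATAGRAM:
            raise ValueError(
                f"fragment at offset {offset} would end at byte {end}, above {MAX_DATAGRAM}")
        buf[offset:end] = payload
        highest = max(highest, end)
    return bytes(buf[:highest])


def reassembly_is_safe(total_len):
    """True if a datagram of total_len bytes is accepted by the hardened reassembler."""
    try:
        reassemble_checked(make_fragments(total_len))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("normal 64-byte ping accepted:", reassembly_is_safe(64))
    print("65,636-byte ping of death accepted:", reassembly_is_safe(65636))
    print("unchecked reassembler produced",
          len(reassemble_unchecked(make_fragments(65636))), "bytes")
```

The check is cheap because it happens per fragment, before any copy: the limit is known from the protocol, so no fragment needs to be trusted.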

Distributed DoS (DDoS)

• Denial of service attacks can be made more effective if they are amplified by recruiting helpers in the attack process. In the following sections, some terms and concepts that apply to a distributed denial of service attack are explained.

Traffic Spike
• One of the hallmarks of a DDoS attack is a major spike in network traffic as the recruited bots mount the attack. For this reason, any major spike in traffic should be regarded with suspicion. A network intrusion detection system (IDS) can recognize these traffic spikes and may be able to prevent them from growing larger or, in some cases, block the traffic in the first place.
• Figure 17.2 shows a sudden increase in packets/second during the DDoS attack window (nearly 240-250 packets/sec). In normal operation the rate is only around 50 packets/sec.
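As an added example (not from the original slides), here is the kind of rate check an IDS applies to spot the spike described above. It learns a baseline from the first seconds of a packets-per-second series and flags any later second that is far above it. The per-second counts are constructed to match the numbers quoted for Figure 17.2: about 50 pps normally, 240-250 pps during the attack; the window size, sigma bound and ratio are assumed tuning values.

```python
from statistics import mean, pstdev

# Constructed packets-per-second samples, one per second, shaped like the Figure 17.2
# description: about 50 pps in normal operation, 240-250 pps while the attack runs.
SAMPLE_PPS = [48, 52, 50, 47, 53, 51, 49, 50, 52, 48,   # seconds 0-9: normal
              240, 248, 251, 244, 249, 247, 250, 243,    # seconds 10-17: attack
              51, 49, 50]                                # seconds 18-20: back to normal


def learn_baseline(samples, window):
    """Mean and standard deviation of the first `window` seconds, assumed attack-free."""
    base = samples[:window]
    return mean(base), pstdev(base)


def spike_threshold(samples, window=10, sigmas=4.0, min_ratio=3.0):
    """Rate above which a second is flagged: the stricter of a statistical bound
    (mean + sigmas * stdev) and a plain multiple of the mean, so a very quiet
    baseline cannot make small jitter look like an attack."""
    mu, sd = learn_baseline(samples, window)
    return max(mu + sigmas * sd, mu * min_ratio)


def detect_spikes(samples, window=10, sigmas=4.0, min_ratio=3.0):
    """Return (second, pps) for each post-baseline second at or above the threshold."""
    threshold = spike_threshold(samples, window, sigmas, min_ratio)
    return [(sec, pps) for sec, pps in enumerate(samples)
            if sec >= window and pps >= threshold]


def attack_windows(spikes):
    """Merge consecutive flagged seconds into (first_second, last_second) intervals."""
    windows = []
    for sec, _ in spikes:
        if windows and sec == windows[-1][1] + 1:
            windows[-1] = (windows[-1][0], sec)
        else:
            windows.append((sec, sec))
    return windows


if __name__ == "__main__":
    print("threshold:", round(spike_threshold(SAMPLE_PPS), 1), "pps")
    for start, end in attack_windows(detect_spikes(SAMPLE_PPS)):
        print(f"suspected DDoS from second {start} to {end}")
```

On these samples the baseline mean is 50 pps, so the ratio rule sets the threshold at 150 pps and seconds 10 through 17 are reported as one attack window; a real IDS would also key the count by source prefix or destination, but the threshold logic is the same.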

Physical Attack
• Physical attacks are those that cause hardware damage to a device. These attacks can be mitigated, but not eliminated, by preventing physical access to the device. Routers, switches, firewalls, servers, and other infrastructure devices should be locked away and protected by strong access controls. Otherwise, you may be confronted with a permanent DoS, which is discussed next.

Permanent DoS
• A permanent DoS attack is one in which the device is damaged and must be replaced. It requires physical access to the device, or does it? Actually, it doesn't! An attack called a phlashing denial of service (PDoS) attacks the firmware located in many systems. Using tools that fuzz (introduce errors into) the firmware, attackers render the device unusable.

DNS Amplification Attack

• What is a DNS amplification attack? DNS amplification is a Distributed Denial of Service (DDoS) attack in which the attacker exploits vulnerabilities in domain name system (DNS) servers to turn initially small queries into much larger payloads, which are used to bring down the victim's servers.

On-Path Attack (Previously Known as Man-in-the-Middle Attack)
• An on-path attack is one in which an attacker sits in the middle between two stations and is able to intercept, and in some cases change, the information that's being sent interactively across the network. This is a type of attack that can occur without anyone knowing that someone is sitting in the middle of the conversation. In fact, you might often hear this referred to as a man-in-the-middle attack. The key to the on-path attack is that the original data stream is intercepted by the person in the middle of the conversation, and that information is then passed on to the destination. This allows the attacker who's sitting in the middle to read everything going back and forth between these two devices, and it may also allow the attacker to modify the information as it's being transmitted.

Fig 17.3: On-path attack
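The following is an added example, not from the original slides, of the defensive side of the slide above: the two stations attach an HMAC-SHA256 tag to each message, so the station in the middle can still forward the traffic but any modification is detected by the receiver. The shared key, the message text and the relay model are constructed for the example; a message authentication code alone does not stop the attacker from reading the data, which is why real protocols such as TLS combine integrity protection with encryption.

```python
import hashlib
import hmac

TAG_LEN = 32  # SHA-256 digest length in bytes


def seal(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag so the receiver can detect modification in transit."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def unseal(key: bytes, sealed: bytes) -> bytes:
    """Return the message if the tag verifies, else raise ValueError."""
    message, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("integrity check failed: message altered in transit")
    return message


def on_path_relay(sealed: bytes, modify: bool) -> bytes:
    """Model of the station in the middle: it sees every byte and forwards it,
    optionally rewriting the amount. Without encryption the bytes are readable;
    with the HMAC, any rewrite is caught at the receiver."""
    return sealed.replace(b"amount=100", b"amount=900") if modify else sealed


def exchange(key: bytes, message: bytes, attacker_modifies: bool):
    """Sender -> on-path attacker -> receiver. Returns (accepted, message_or_None)."""
    delivered = on_path_relay(seal(key, message), attacker_modifies)
    try:
        return True, unseal(key, delivered)
    except ValueError:
        return False, None


if __name__ == "__main__":
    key = b"constructed-shared-key"          # assumed pre-shared for the example
    msg = b"transfer amount=100 to=alice"
    print("passive relay:", exchange(key, msg, attacker_modifies=False))
    print("tampering relay:", exchange(key, msg, attacker_modifies=True))
```
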

DNS Poisoning
• DNS clients send requests for name-to-IP-address resolution (called queries) to a DNS server.
• When this occurs, the local DNS server makes a request of the DNS server that does hold the record in question. After the local DNS server receives the answer, it returns it to the local DNS client.
• After this, the local DNS server maintains that record in its DNS cache for a period called the time to live (TTL), which is usually an hour but can vary.
• In a DNS cache poisoning attack, the attacker attempts to refresh or update that record when it expires with an address different from the correct one.
• If the attacker can convince the DNS server to accept this refresh, the local DNS server will then respond to client requests for that computer with the address inserted by the attacker.
• Typically, the address clients now receive is for a fake website that appears in every way to be the site the client is requesting.
• The hacker can then harvest all the name and password combinations entered on his fake site.

How do we prevent this type of attack? To prevent this type of attack, the DNS servers should be limited in the updates they accept.
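As an added example (not from the original slides) of "limiting the updates the server accepts", here is a toy caching resolver whose cache changes only through an answer to a query it actually sent. A response is accepted only if its transaction ID, question name and destination port match an outstanding query, and each query accepts exactly one answer; unsolicited "refreshes", guessed IDs and replays are dropped, and an expired record is re-queried rather than updated. The names, addresses and clock are constructed for the example.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Query:
    txid: int
    name: str
    port: int          # randomized source port the answer must come back to


@dataclass
class Response:
    txid: int
    name: str
    address: str
    ttl: int
    dst_port: int


class CachingResolver:
    """Toy recursive resolver whose cache only changes through answers it asked for."""

    def __init__(self, clock):
        self.clock = clock          # callable returning the current time in seconds
        self.cache = {}             # name -> (address, expires_at)
        self.pending = {}           # txid -> Query awaiting an answer

    def lookup(self, name):
        """Return ("cache", address) while the TTL holds, else ("query", Query) to send upstream."""
        entry = self.cache.get(name)
        if entry and entry[1] > self.clock():
            return "cache", entry[0]
        query = Query(secrets.randbelow(1 << 16), name, 1024 + secrets.randbelow(64000))
        self.pending[query.txid] = query
        return "query", query

    def accept(self, resp):
        """Accept a response only if it matches an outstanding query's transaction ID,
        question name and destination port; anything else is dropped."""
        query = self.pending.get(resp.txid)
        if query is None or query.name != resp.name or query.port != resp.dst_port:
            return False
        del self.pending[resp.txid]       # one answer per query; a replay is rejected
        self.cache[resp.name] = (resp.address, self.clock() + resp.ttl)
        return True


def demo():
    """Walk through a spoofed answer, an unsolicited one, the genuine answer,
    a replay, a cache hit and TTL expiry. Returns the verdict of each step."""
    now = [0]
    resolver = CachingResolver(lambda: now[0])
    _, query = resolver.lookup("bank.example")
    spoofed = Response(query.txid ^ 1, "bank.example", "203.0.113.66", 3600, query.port)
    unsolicited = Response(query.txid, "other.example", "203.0.113.66", 3600, query.port)
    genuine = Response(query.txid, "bank.example", "198.51.100.10", 3600, query.port)
    results = {
        "spoofed_accepted": resolver.accept(spoofed),
        "unsolicited_accepted": resolver.accept(unsolicited),
        "genuine_accepted": resolver.accept(genuine),
        "replay_accepted": resolver.accept(genuine),
        "cached": resolver.lookup("bank.example"),
    }
    now[0] = 3601                      # TTL elapsed: the record is re-queried, not refreshed
    results["after_ttl"] = resolver.lookup("bank.example")[0]
    return results


if __name__ == "__main__":
    for step, verdict in demo().items():
        print(f"{step}: {verdict}")
```

Randomizing both the 16-bit transaction ID and the source port is what makes a blind guess impractical; a resolver that keyed only on the name would accept the first answer anyone sent.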

VLAN Hopping
• A VLAN hopping attack results in traffic from one VLAN being sent to the wrong VLAN.
• Normally, this is prevented by the trunking protocol placing a VLAN tag in the packet to identify the VLAN to which the traffic belongs.
• The attacker can circumvent this by a process called double tagging, which is placing a fake VLAN tag into the packet along with the real tag.
• When the frame goes through multiple switches, the real tag is taken off by the first switch, leaving the fake tag.
• When the frame reaches the second switch, the fake tag is read and the frame is sent to the VLAN to which the hacker intended the frame to go. This process is shown in Figure 17.6.
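The following is an added example, not from the original slides, that builds and parses 802.1Q tags so the double-tagging sequence above can be traced byte by byte, and shows the standard mitigation: the first switch only strips the outer tag because it matches the trunk's native VLAN, so setting the native VLAN to an unused ID leaves the outer tag in place and the frame stays in its own VLAN. A monitoring check that flags any double-tagged frame on a host port is included. Frame addresses and VLAN numbers are constructed.

```python
import struct

TPID_8021Q = 0x8100  # tag protocol identifier that announces an 802.1Q tag


def build_frame(dst, src, vids, ethertype=0x0800, payload=b"payload"):
    """Construct an Ethernet frame with one 802.1Q tag per VLAN ID in vids (outermost first)."""
    frame = dst + src
    for vid in vids:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # PCP/DEI bits left at zero
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return the VLAN IDs carried by the frame, outermost first (empty if untagged)."""
    vids, pos = [], 12
    while struct.unpack_from("!H", frame, pos)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, pos + 2)[0]
        vids.append(tci & 0x0FFF)
        pos += 4
    return vids


def is_double_tagged(frame):
    """Monitoring check: a host-facing port should never see a frame with two tags."""
    return len(parse_tags(frame)) >= 2


def trunk_egress(frame, native_vlan):
    """First switch sending the frame over an 802.1Q trunk: traffic in the trunk's native
    VLAN travels untagged, so an outer tag equal to the native VLAN is removed."""
    vids = parse_tags(frame)
    if vids and vids[0] == native_vlan:
        return frame[:12] + frame[16:]
    return frame


def ingress_vlan(frame, native_vlan):
    """Second switch receiving the frame on the trunk: first tag wins, untagged means native."""
    vids = parse_tags(frame)
    return vids[0] if vids else native_vlan


def delivered_vlan(frame, native_vlan):
    """VLAN the frame ends up in after crossing switch 1 -> trunk -> switch 2."""
    return ingress_vlan(trunk_egress(frame, native_vlan), native_vlan)


# Constructed frames for the walkthrough (addresses are dummies)
DST = b"\xff" * 6
SRC = b"\x02\x00\x00\x00\x00\x01"
DOUBLE_TAGGED = build_frame(DST, SRC, [1, 20])   # outer tag = VLAN 1, inner tag = VLAN 20
NORMAL = build_frame(DST, SRC, [1])

if __name__ == "__main__":
    print("double-tagged frame flagged:", is_double_tagged(DOUBLE_TAGGED))
    print("native VLAN 1  -> delivered to VLAN", delivered_vlan(DOUBLE_TAGGED, 1))
    print("native VLAN 999 -> delivered to VLAN", delivered_vlan(DOUBLE_TAGGED, 999))
```

With the native VLAN left at 1 the attacker's frame lands in VLAN 20; with the native VLAN moved to an unused ID (999 here) the outer tag survives the first hop and the second switch keeps the frame in VLAN 1.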

ARP Spoofing
What Is ARP Spoofing?
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.
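As an added example (not from the original slides), here is an arpwatch-style monitor for the spoofing described above. It learns the IP-to-MAC binding from each ARP reply and raises an alert when a known IP suddenly answers from a different MAC (critical for protected addresses such as the gateway), or when one MAC starts answering for several IPs. The ARP replies, addresses and timestamps are constructed.

```python
class ArpMonitor:
    """Learns IP->MAC bindings from ARP replies and alerts on suspicious changes."""

    def __init__(self, protected_ips=()):
        self.bindings = {}                   # ip -> mac last seen answering for it
        self.protected = set(protected_ips)  # gateway, DNS server, etc.

    def observe(self, ts, ip, mac):
        """Process one ARP reply; return the alert strings it raises (empty if benign)."""
        alerts = []
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            severity = "CRITICAL" if ip in self.protected else "WARNING"
            alerts.append(f"{severity} t={ts}: {ip} moved from {known} to {mac}")
            self.bindings[ip] = mac
        claimed = sorted(i for i, m in self.bindings.items() if m == mac)
        if len(claimed) > 1:
            alerts.append(f"WARNING t={ts}: {mac} now answers for {claimed}")
        return alerts


# Constructed ARP replies seen on the LAN: (seconds, sender IP, sender MAC)
ARP_REPLIES = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),    # gateway answers normally
    (5, "192.168.1.20", "aa:bb:cc:00:00:20"),   # a workstation
    (30, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, unchanged
    (31, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by a new MAC
    (32, "192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC also claims the workstation
]


def run_monitor(replies=ARP_REPLIES, protected_ips=("192.168.1.1",)):
    """Feed the replies through the monitor and return every alert in order."""
    monitor = ArpMonitor(protected_ips)
    alerts = []
    for ts, ip, mac in replies:
        alerts.extend(monitor.observe(ts, ip, mac))
    return alerts


if __name__ == "__main__":
    for line in run_monitor():
        print(line)
```

The monitor updates its table after alerting so later legitimate changes (a replaced NIC) do not keep firing; on a switched network the same condition is enforced by Dynamic ARP Inspection, which drops replies that contradict the DHCP snooping table.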

Rogue DHCP

• Dynamic Host Configuration Protocol (DHCP) is used to automate the process of assigning IP configurations to hosts. When configured properly, it reduces administrative overhead, reduces the human error inherent in manual assignment, and enhances device mobility.
• But it introduces a vulnerability that, when leveraged by a malicious individual, can result in an inability of hosts to communicate (constituting a DoS attack) and in peer-to-peer attacks.
• When an illegitimate DHCP server (called a rogue DHCP server) is introduced to the network, unsuspecting hosts may accept DHCP Offer packets from the illegitimate DHCP server rather than the legitimate DHCP server.
• When this occurs, the rogue DHCP server will not only issue the host an incorrect IP address, subnet mask, and default gateway address (which makes a peer-to-peer attack possible); it can also issue an incorrect DNS server address, which leads to the host relying on the attacker's DNS server for the IP addresses of websites (such as those resembling major banks' websites), leading to phishing attacks.
• An example of how this can occur is shown in Figure 17.7.
• In Figure 17.7, after receiving an incorrect IP address, subnet mask, default gateway, and DNS server address from the rogue DHCP server, the DHCP client uses the attacker's DNS server to obtain the IP address of his bank. This leads the client to unwittingly connect to the attacker's copy of the bank's website. When the client enters his credentials to log in, the attacker now has the client's bank credentials and can proceed to empty out his account.
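The following is an added example, not from the original slides, of the check a DHCP-snooping switch applies to the Offer packets described above. It parses the raw DHCP header and options (message type 53, router 3, DNS 6, server identifier 54) and drops any Offer that does not come from an authorized server or that points clients at an unexpected DNS server. The two Offers, the address values and the trusted-server lists are constructed; the header layout and option codes are those of the DHCP protocol.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 1, 3, 6, 53, 54, 255
DHCPOFFER = 2


def _packed(ip):
    return ipaddress.IPv4Address(ip).packed


def build_offer(yiaddr, subnet, router, dns, server_id, xid=0x3903F326):
    """Construct a minimal DHCPOFFER: 236-byte fixed header, magic cookie, options."""
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)  # op=BOOTREPLY, htype, hlen, hops, xid, secs, flags
    header += b"\x00" * 4 + _packed(yiaddr) + b"\x00" * 4 + b"\x00" * 4  # ciaddr, yiaddr, siaddr, giaddr
    header += b"\x00" * 16 + b"\x00" * 64 + b"\x00" * 128                 # chaddr, sname, file
    options = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    for code, ip in ((OPT_SUBNET, subnet), (OPT_ROUTER, router),
                     (OPT_DNS, dns), (OPT_SERVER_ID, server_id)):
        options += bytes([code, 4]) + _packed(ip)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_offer(packet):
    """Pull the fields a snooping switch cares about out of a raw DHCP packet."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, pos = {}, 240
    while pos < len(packet):                 # options are type-length-value
        code = packet[pos]
        if code == OPT_END:
            break
        if code == 0:                        # pad option has no length byte
            pos += 1
            continue
        length = packet[pos + 1]
        options[code] = packet[pos + 2:pos + 2 + length]
        pos += 2 + length

    def as_ip(code):
        return str(ipaddress.IPv4Address(options[code]))

    return {
        "type": options[OPT_MSG_TYPE][0],
        "yiaddr": str(ipaddress.IPv4Address(packet[16:20])),
        "router": as_ip(OPT_ROUTER),
        "dns": as_ip(OPT_DNS),
        "server_id": as_ip(OPT_SERVER_ID),
    }


def check_offer(packet, trusted_servers, trusted_dns):
    """Decision for an OFFER seen on an untrusted port: ("allow"|"drop"|"ignore", reasons)."""
    offer = parse_offer(packet)
    if offer["type"] != DHCPOFFER:
        return "ignore", ["not a DHCPOFFER"]
    reasons = []
    if offer["server_id"] not in trusted_servers:
        reasons.append(f"offer from unauthorized DHCP server {offer['server_id']}")
    if offer["dns"] not in trusted_dns:
        reasons.append(f"offer points clients at unexpected DNS server {offer['dns']}")
    return ("drop" if reasons else "allow"), reasons


# Constructed traffic: the real server and a rogue one on the same LAN
TRUSTED_SERVERS = {"192.168.1.1"}
TRUSTED_DNS = {"192.168.1.1"}
LEGIT_OFFER = build_offer("192.168.1.50", "255.255.255.0", "192.168.1.1", "192.168.1.1", "192.168.1.1")
ROGUE_OFFER = build_offer("192.168.1.51", "255.255.255.0", "192.168.1.66", "192.168.1.66", "192.168.1.66")

if __name__ == "__main__":
    for name, pkt in (("legitimate", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(name, check_offer(pkt, TRUSTED_SERVERS, TRUSTED_DNS))
```

On a switch this is configured as DHCP snooping with only the port toward the real server marked trusted; the code shows what that trust decision is actually based on.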

Rogue Access Point (AP)

• A rogue access point is an access point installed on a network without the network owner's permission.
• Why is this bad? If an attacker owns the access point, they can intercept the data flowing through the network.

Ransomware
• Ransomware is a class of malware that prevents or limits users from accessing their information or systems. In many cases the data is encrypted and the decryption key is only made available to the user when the ransom has been paid.

Password Attacks
• Password attacks are one of the most common attacks there are. Cracked or disclosed passwords can lead to severe data breaches. The end game of a phishing attack is often to learn a password.
• There are two ways to hack the password:
- Brute-force approach
- Dictionary approach

MAC Spoofing
• A MAC spoofing attack is when a hacker changes the MAC address of their device to match the MAC address of another on a network in order to gain unauthorized access or launch a Man-in-the-Middle attack. It can be used to bypass network security measures that are based on the MAC address, such as MAC filtering, and can also be used to hide the identity of the attacker device.

IP Spoofing
IP spoofing is the process of changing a source IP address so that one computer appears to be a different computer. It's usually done to get traffic through a firewall that would normally not be allowed. It may also be used to access a server to which the hacker would normally be disallowed access by their IP address.
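As an added example (not from the original slides), here is the source-address sanity check that stops the firewall bypass described above: a packet arriving on the internet-facing interface cannot legitimately carry an internal or loopback source address, so it is dropped before any allow rule sees it, and a packet leaving with a source the site does not own is dropped too (the ingress/egress filtering of RFC 2827, BCP 38). The address ranges and the packet log are constructed.

```python
import ipaddress

# Address space the firewall is protecting (constructed for the example)
INSIDE_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Sources that must never arrive from the internet: loopback, "this network", link-local
BOGONS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/8"),
          ipaddress.ip_network("169.254.0.0/16")]


def in_any(addr, nets):
    return any(addr in net for net in nets)


def anti_spoof_verdict(iface, src):
    """Source-address check for one packet; iface is "outside" (internet-facing) or "inside".

    Returns ("accept"|"drop", reason). Applied before ordinary firewall rules, so a
    forged internal source never reaches a rule that would trust internal addresses.
    """
    addr = ipaddress.ip_address(src)
    if iface == "outside" and in_any(addr, INSIDE_NETS + BOGONS):
        return "drop", f"{src} claims an internal/bogon source on the outside interface"
    if iface == "inside" and not in_any(addr, INSIDE_NETS):
        return "drop", f"{src} is not ours; egress filter blocks outbound spoofing"
    return "accept", ""


# Constructed packet log: (interface the packet arrived on, source IP)
PACKETS = [
    ("outside", "203.0.113.5"),     # ordinary internet client
    ("outside", "10.1.2.3"),        # forged: pretends to be an internal host
    ("outside", "127.0.0.1"),       # forged: pretends to be localhost
    ("inside", "192.168.4.9"),      # our own host going out
    ("inside", "198.51.100.7"),     # our host spoofing a foreign source
]


def dropped_sources(packets=PACKETS):
    """Source addresses the filter rejects, in log order."""
    return [src for iface, src in packets if anti_spoof_verdict(iface, src)[0] == "drop"]


if __name__ == "__main__":
    for iface, src in PACKETS:
        verdict, reason = anti_spoof_verdict(iface, src)
        print(f"{iface:8} {src:15} {verdict} {reason}")
```
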

Deauthentication
• A wireless deauthentication attack is a form of DoS attack in which the attacker sends a large number of management packets called deauthentication frames on the WLAN, causing stations to be disconnected from the access point.

Malware
• Malicious software (or malware) is a term that describes any software that harms a computer, deletes data, or takes actions the user did not authorize. There is a wide array of malware types, including ones you have probably heard of, like viruses. Some types of malware require the assistance of a user to spread, while others do not.

Viruses
• Viruses are probably the best-known threats to your computer's security because they get a lot of media coverage as they proliferate and cause tons of damage to legions of people.
• Viruses can display a message, delete files, or even send huge amounts of meaningless data over a network to block legitimate messages.
• A key trait of viruses is that they can't replicate themselves to other computers or systems without a user doing something like opening an executable attachment in an email to propagate them.
• Figure 17.8 shows how fast a virus can spread through an email system.

Human and Environmental

• While some vulnerabilities come from technical challenges such as attacks on cryptography and network protocols, many are a result of environmental issues within the facility or of human error and poor network practices by the users. Examples include social engineering, tailgating, piggybacking, and shoulder surfing.

Any Question?