Network Attacks | CompTIA Network+ N10-007 | 4.4

In this video you will learn about networking attacks such as: DoS, social engineering, insider threats, logic bombs, rogue access points, evil twins, war-driving, phishing, ransomware, DNS poisoning, ARP poisoning, spoofing, deauthentication, brute force, VLAN hopping, Man-in-the-Middle, and exploits vs. vulnerabilities.

DoS (Denial of Service)

A DoS attack occurs when legitimate users are unable to access information systems, devices, or other network resources due to the actions of a malicious cyber threat actor.  Services affected may include email, websites, online accounts, or other services that rely on the affected computer or network.  A DoS condition is accomplished by flooding the targeted host or network with traffic until the target cannot respond or simply crashes, preventing access for legitimate users.  DoS attacks can cost an organization both time & money while their resources and services are inaccessible.[1]

  • Reflective DoS
    • A reflective DoS attack makes use of a potentially legitimate third-party component to send attack traffic to a victim, ultimately hiding the attacker’s own identity.  The attacker sends requests to a reflector server with the source IP address forged to the victim’s address, so the reflector’s replies go to the victim, which is overwhelmed by responses it never asked for.  Reflector servers used for this purpose are often ordinary, uncompromised servers, which makes this kind of attack particularly difficult to mitigate:  the victim sees only traffic from legitimate servers, and the attacker never appears in it.[2]  The attack depends on being able to send packets with a forged source address, which is why network operators are asked to drop such packets at their edge (ingress filtering, BCP 38).
  • Amplified DoS
    • An amplified DoS attack is a reflective attack in which the response is much larger than the request that triggered it.  The classic reflector is an open DNS resolver:  the attacker sends many small queries with the source address forged to the victim, and the resolver sends the much larger answers to the victim, so a modest amount of attacker bandwidth becomes a large flood at the target.  The ratio of response bytes to request bytes is the amplification factor; other UDP services with the same property (NTP, SSDP, memcached) are abused the same way.
  • DDoS (Distributed DoS)
    • A DDoS attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.  DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic.  Exploited machines can include computers and other networked resources such as IoT devices.  From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.[3]

Social Engineering

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information.  This differs from social engineering within the social sciences, which does not concern the divulging of confidential information.  A type of confidence trick used for information gathering, fraud, or system access, it differs from a traditional “con” in that it is often one of many steps in a more complex fraud scheme.  Here are some examples of social engineering:

  • Pretexting:  Gaining users’ trust by claiming to be “from the IT department”, “the Internet provider” or “the phone company”, then asking the user to enter or hand over the password to a system so the “tech” can make changes.
  • Phishing:  The fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details, often for malicious reasons, by disguising oneself as a trustworthy entity in an electronic communication.
  • Spear Phishing:  Phishing aimed at a specific individual or department rather than sent in bulk.  The message is tailored with details the target will recognize, for example appearing to come from another department in the same company, which makes it far more convincing than generic phishing.
  • Compromised Passwords:  Users who do not change a password after an IT technician or outside contractor has used it to test their system leave that system open to anyone who learned the password.

Training users to understand, detect, and reject social engineering and other types of deceit is essential to protecting important information.

Insider Threat

An insider threat is a malicious threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have insider information concerning the organization’s security practices, data and computer systems.  The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.  The insider threat comes in three categories:

  • Malicious insiders, which are people who take advantage of their access to inflict harm on an organization
  • Negligent insiders, which are people who make errors and disregard policies, which place their organizations at risk
  • Infiltrators, who are external actors that obtain legitimate access credentials without authorization

Logic Bomb

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met.  For example, a programmer may hide a piece of code that starts deleting files should they ever be terminated from the company, using something like a trigger on the salary database that fires when their own record disappears.  Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a predefined time or when some other condition is met.  This technique can be used by a virus or worm to gain momentum and spread before being noticed.  Some viruses attack their host systems on specific dates, such as Friday the 13th or April Fools’ Day.  Trojans and other computer viruses that activate on certain dates are often called “time bombs”.  To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software.  Because the trigger is chosen precisely so that the code looks harmless until it fires, logic bombs are more a code-review and change-control problem than an antivirus one:  the defenses are scrutiny of changes from privileged developers and prompt removal of access when people leave.

Rogue Access Point

A rogue access point is a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker.[4]  Either way it gives anyone in radio range a path onto the wired network that bypasses the perimeter controls.  To prevent the installation of rogue access points, organizations can install wireless intrusion prevention systems to monitor the radio spectrum for unauthorized access points, and can require 802.1X authentication on wired switch ports so that an unauthorized device plugged into a wall jack gets no uplink.

Evil Twin

An evil twin is a fraudulent WiFi access point that appears to be legitimate but is set up to eavesdrop on wireless communications.[5]  The evil twin is the wireless LAN equivalent of the phishing scam.  The attacker broadcasts the same SSID as a legitimate network; clients that connect to it send all their traffic through the attacker’s access point, where it can be captured.  The attack may be used to steal passwords either by monitoring those connections or by phishing:  the bogus access point redirects users to a fraudulent captive portal or login page where they are prompted to enter sensitive information such as usernames and passwords.  Often, users are unaware they have been duped until well after the incident has occurred.

War Driving

Wardriving involves attackers searching for wireless networks with vulnerabilities while moving through an area in a vehicle.  The attackers use hardware & software to discover open or weakly secured WiFi networks, then gain unauthorized access by cracking weak passwords or breaking weak encryption such as WEP.  The attacker records the locations of vulnerable networks on digital maps, known as access point mapping, and may share that information with third-party applications and websites.  Wardriving has several variations named after the mode of transport used:  war biking, war cycling, war railing, war jogging, & war walking.[6]

Ransomware

Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s personal data or perpetually block access to it unless a ransom is paid.  While some simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion.  It encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.[7]  In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem, and the ransom is demanded in hard-to-trace digital currencies such as Bitcoin, making it difficult to identify and prosecute the perpetrators.  The practical defense is offline, regularly tested backups:  if the files can be restored, there is nothing to pay for.

DNS Poisoning

DNS poisoning, also known as DNS cache poisoning or DNS spoofing, is an attack in which the attacker causes a DNS resolver to return the wrong IP address for a legitimate domain name, redirecting users to web servers and phishing sites the attacker controls.[8]  Because resolvers cache what they learn, one forged answer can misdirect every client of that resolver until the record expires.  The forged answer is typically injected by sending a spoofed response that matches an outstanding query before the real authoritative server answers; the resolver has only the 16-bit transaction ID and the UDP source port to tell the two apart, which is why resolvers randomize both.  The fake sites users land on are usually made to look like the real ones, so the redirection goes unnoticed and visitors share credentials or other sensitive information.  DNSSEC, which signs DNS records so a resolver can verify they came from the zone owner, is the protocol-level fix.
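
The checks a resolver makes before it believes a response, as an added example in Python (not from the original notes or any real resolver).  It models the matching a resolver does on transaction ID, server address, local port and question, plus the bailiwick rule that stops a response from planting records for names the answering server is not authoritative for.  The addresses, ports, zone and the four responses are constructed for the example; response 3 shows that an attacker who guesses everything correctly still wins, which is why DNSSEC is needed on top of randomization.

```python
from dataclasses import dataclass, field

# Constructed example data: documentation-range addresses, not real infrastructure.
AUTH_SERVER = ("203.0.113.53", 53)      # authoritative server the resolver queried
ATTACKER_IP = "198.51.100.66"           # where the attacker wants www.example.com to point


@dataclass
class Question:
    name: str
    qtype: str = "A"


@dataclass
class Record:
    name: str
    rtype: str
    value: str
    ttl: int = 300


@dataclass
class DnsResponse:
    txid: int
    src: tuple          # (ip, port) the UDP datagram claims to come from
    dst_port: int       # resolver port it arrived on
    question: Question
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)


@dataclass
class PendingQuery:
    txid: int
    server: tuple       # (ip, port) we sent the query to
    local_port: int     # our randomized source port
    question: Question
    zone: str           # zone the queried server is authoritative for (the bailiwick)


def in_bailiwick(name, zone):
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_response(pending, resp):
    """Decide whether a response matches the pending query and which records may be cached.
    Returns (accepted, reason, names_of_records_cached)."""
    if resp.txid != pending.txid:
        return False, "txid mismatch", []
    if resp.src != pending.server:
        return False, "source address/port mismatch", []
    if resp.dst_port != pending.local_port:
        return False, "resolver port mismatch", []
    if (resp.question.name.lower(), resp.question.qtype) != (pending.question.name.lower(), pending.question.qtype):
        return False, "question mismatch", []
    # Bailiwick rule: only cache records for names the answering server is authoritative for.
    cacheable = [r for r in resp.answers + resp.additional if in_bailiwick(r.name, pending.zone)]
    return True, "ok", [r.name for r in cacheable]


def spoof_search_space(txid_bits=16, port_bits=16):
    """Number of (txid, source port) combinations a blind attacker has to cover."""
    return 2 ** (txid_bits + port_bits)


def run_demo():
    pending = PendingQuery(txid=0x1A2B, server=AUTH_SERVER, local_port=40123,
                           question=Question("www.example.com"), zone="example.com")
    q = Question("www.example.com")
    forged_a = Record("www.example.com", "A", ATTACKER_IP)
    # Out-of-bailiwick "glue": the classic way to poison a name this server does not own.
    forged_glue = Record("login.bank.example", "A", ATTACKER_IP)
    responses = [
        # 1. blind guess with the wrong txid (source address of the real server is spoofed)
        DnsResponse(0x0001, AUTH_SERVER, 40123, q, [forged_a]),
        # 2. right txid, but the attacker assumed the resolver queries from port 53
        DnsResponse(0x1A2B, AUTH_SERVER, 53, q, [forged_a]),
        # 3. everything guessed: accepted, but the out-of-bailiwick record is not cached
        DnsResponse(0x1A2B, AUTH_SERVER, 40123, q, [forged_a], [forged_glue]),
        # 4. the genuine answer, arriving too late if 3 was accepted first
        DnsResponse(0x1A2B, AUTH_SERVER, 40123, q, [Record("www.example.com", "A", "203.0.113.10")],
                    [Record("ns1.example.com", "A", "203.0.113.53")]),
    ]
    return [accept_response(pending, r) for r in responses]


if __name__ == "__main__":
    for accepted, reason, cached in run_demo():
        print(accepted, reason, cached)
    print("blind search space with random txid and port:", spoof_search_space())
```

With a fixed source port the attacker has to cover only 65,536 transaction IDs; with both randomized it is about 4 billion combinations, which is what made the difference in practice, but a resolver that accepts the first matching response is still only as strong as the attacker's bandwidth and luck.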

ARP Poisoning (Address Resolution Protocol)

ARP poisoning is a technique by which an attacker sends spoofed ARP messages onto a LAN.  Generally, the aim is to associate the attacker’s MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.  It works because ARP has no authentication:  hosts update their ARP cache from any reply they receive, even unsolicited ones.  ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic.  Often the attack is used as an opening for other attacks, such as denial of service, man-in-the-middle, or session hijacking attacks.[9]  The attack can only be used on networks that use ARP, and requires the attacker to have direct access to the local network segment to be attacked.[10]  On managed switches, Dynamic ARP Inspection (which checks ARP replies against the DHCP snooping binding table) drops the forged replies; on a host, a static ARP entry for the default gateway protects the most valuable mapping.
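
The forged replies above are easy to spot if something on the segment keeps track of who claims which IP address.  The following is an added example (not part of the original notes) of that check in Python:  it builds raw Ethernet/ARP frames the way an attacker’s tool would, then runs them through a small watcher that holds a static entry for the gateway, learns the rest, and flags a binding changing or one MAC answering for several IPs.  The addresses, MACs and the capture sequence are constructed for the example.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _ip(s): return bytes(int(o) for o in s.split("."))
def _fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def _fmt_ip(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Raw Ethernet + ARP frame (42 bytes).  A poisoning tool puts its own MAC in
    sender_mac and the IP it wants to hijack (gateway or victim) in sender_ip."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # Ethernet, IPv4, 6-byte MAC, 4-byte IP
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": _fmt_mac(frame[22:28]), "sender_ip": _fmt_ip(frame[28:32]),
            "target_mac": _fmt_mac(frame[32:38]), "target_ip": _fmt_ip(frame[38:42])}


class ArpWatch:
    """Tracks IP->MAC bindings seen in ARP replies and reports poisoning symptoms."""

    def __init__(self, static_bindings):
        self.static = dict(static_bindings)   # trusted bindings, never overwritten (e.g. the gateway)
        self.learned = {}                     # dynamically learned ip -> mac
        self.claims = {}                      # mac -> set of IPs it has answered for

    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != ARP_REPLY:
            return []
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        alerts = []
        if ip in self.static:
            if self.static[ip] != mac:
                alerts.append(f"CRITICAL {ip} is statically bound to {self.static[ip]} but {mac} claims it")
        else:
            prev = self.learned.get(ip)
            if prev is not None and prev != mac:
                alerts.append(f"WARNING {ip} moved from {prev} to {mac}")
            self.learned[ip] = mac
        # One MAC answering for several IPs is the signature of a host poisoning both
        # sides of a conversation (gateway and victim) to sit in the middle.
        self.claims.setdefault(mac, set()).add(ip)
        if len(self.claims[mac]) > 1:
            alerts.append(f"WARNING {mac} answers for {', '.join(sorted(self.claims[mac]))}")
        return alerts


# Constructed addresses for the example.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "aa:bb:cc:00:00:10"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def run_demo():
    """Constructed capture: two honest replies, then the attacker poisoning both directions."""
    frames = [
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),    # honest gateway reply
        build_arp(ARP_REPLY, VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),    # honest victim reply
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # "I am the gateway" -> victim
        build_arp(ARP_REPLY, ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),  # "I am the victim" -> gateway
    ]
    watch = ArpWatch({GATEWAY_IP: GATEWAY_MAC})
    alerts = []
    for frame in frames:
        alerts.extend(watch.observe(frame))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

On a real segment the frames would come from a raw socket or a capture library rather than being built inline; the watcher logic is the same, and the static-binding rule is the one worth enforcing on hosts with a static ARP entry for the gateway.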

Spoofing

Spoofing is the act of disguising a communication or identity so that it appears to be associated with a trusted, authorized source.  Spoofing attacks can take many forms, from the common email spoofing attacks that are deployed in phishing campaigns to caller ID spoofing attacks that are often used to commit fraud.  Attackers may also target more technical elements of an organization’s network, such as an IP address, DNS server, or ARP service, as part of a spoofing attack.  Spoofing attacks typically take advantage of trusted relationships by impersonating a person or organization that the victim knows.  In some cases – such as whale phishing attacks that feature email spoofing or website spoofing – these messages may even be personalized to the victim in order to convince that person that the communication is legitimate.  If the user is unaware that internet communications can be faked, they are especially likely to fall prey to a spoofing attack.[11]

Deauthentication

A WiFi deauthentication attack is a type of denial-of-service attack that targets communication between a user and a WiFi wireless access point.  Unlike a radio jammer, it does not drown the channel in noise; it abuses a legitimate part of the protocol.  The IEEE 802.11 (WiFi) protocol contains the provision for a deauthentication frame.  Sending the frame from the access point to a station is called a “sanctioned technique to inform a rogue station that they have been disconnected from the network”.[12]  An attacker can send a deauthentication frame at any time with a spoofed source address of the access point (or of the victim), and the receiving side drops the association.  The original protocol does not authenticate or encrypt management frames, even when the session was established with WEP or WPA2 for data privacy, so the attacker only needs the victim’s and the access point’s MAC addresses, which are visible in the clear to anyone sniffing the channel.  802.11w (Protected Management Frames) adds integrity protection to deauthentication and disassociation frames and is mandatory in WPA3; where it is enabled and the client supports it, forged deauthentication frames are discarded.  One of the main uses of deauthentication in the hacking community is to force clients onto an evil twin access point, which can then capture the packets exchanged between the client and the network:  the attacker deauthenticates the target client from its current network, and the client automatically reconnects to the evil twin, which advertises the same SSID.  The same trick is used to capture the WPA2 four-way handshake when the client reconnects, for later offline password cracking.
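
Both the deauthentication flood described here and the rogue access point / evil twin sections above are what a wireless IDS is built to see.  The following added example (written for this page, not taken from the notes or from any product) builds 802.11 management frames from the wire format in Python and runs them through a minimal detector:  a rate check on deauthentication frames claiming to come from a given sender, and a check for a beacon that advertises one of our SSIDs from a BSSID that is not one of our access points.  The BSSIDs, SSIDs, timestamps and the capture sequence are constructed for the example; a real detector would read frames from an interface in monitor mode.

```python
import struct
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_BEACON, SUBTYPE_DEAUTH = 0x8, 0xC   # 802.11 management frame subtypes


def _mac(s): return bytes.fromhex(s.replace(":", ""))
def _fmt(b): return ":".join(f"{x:02x}" for x in b)


def _mgmt_header(subtype, addr1, addr2, addr3):
    """24-byte 802.11 MAC header for a management frame (type 0); fields are little-endian."""
    frame_control = (subtype << 4) | (0 << 2)
    return (struct.pack("<HH", frame_control, 0) + _mac(addr1) + _mac(addr2) + _mac(addr3)
            + struct.pack("<H", 0))


def build_deauth(bssid, station, reason=7):
    """Deauthentication frame apparently from the AP (addr2/addr3 = BSSID) to a station or
    to broadcast.  Without 802.11w nothing authenticates it, so any radio can forge it."""
    return _mgmt_header(SUBTYPE_DEAUTH, station, bssid, bssid) + struct.pack("<H", reason)


def build_beacon(bssid, ssid):
    """Beacon: fixed fields (timestamp, interval, capability) then an SSID information element."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)
    ssid_ie = bytes([0, len(ssid)]) + ssid.encode()
    return _mgmt_header(SUBTYPE_BEACON, BROADCAST, bssid, bssid) + fixed + ssid_ie


def parse_mgmt(frame):
    """Return the interesting fields of a management frame, or None for other frame types."""
    frame_control, = struct.unpack("<H", frame[:2])
    if (frame_control >> 2) & 0x3 != 0:
        return None
    info = {"subtype": (frame_control >> 4) & 0xF,
            "da": _fmt(frame[4:10]), "sa": _fmt(frame[10:16]), "bssid": _fmt(frame[16:22])}
    body = frame[24:]
    if info["subtype"] == SUBTYPE_DEAUTH:
        info["reason"], = struct.unpack("<H", body[:2])
    elif info["subtype"] == SUBTYPE_BEACON:
        ies, i = body[12:], 0
        while i + 2 <= len(ies):                 # walk the tag/length/value information elements
            tag, length = ies[i], ies[i + 1]
            if tag == 0:
                info["ssid"] = ies[i + 2:i + 2 + length].decode(errors="replace")
            i += 2 + length
    return info


class Wids:
    """Minimal wireless IDS: deauth-flood rate check plus evil-twin (our SSID, unknown BSSID) check."""

    def __init__(self, authorized, window=1.0, threshold=10):
        self.authorized = dict(authorized)        # bssid -> ssid of our own access points
        self.managed_ssids = set(authorized.values())
        self.window, self.threshold = window, threshold
        self.deauth_times = defaultdict(deque)    # claimed sender -> recent timestamps
        self.alerted = set()                      # alert once per offender

    def observe(self, ts, frame):
        f = parse_mgmt(frame)
        if f is None:
            return []
        alerts = []
        if f["subtype"] == SUBTYPE_DEAUTH:
            recent = self.deauth_times[f["sa"]]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()
            key = ("deauth-flood", f["sa"])
            if len(recent) >= self.threshold and key not in self.alerted:
                self.alerted.add(key)
                target = "broadcast" if f["da"] == BROADCAST else f["da"]
                alerts.append(f"DEAUTH FLOOD: {len(recent)} deauths in {self.window}s from {f['sa']} "
                              f"to {target}, reason {f['reason']}")
        elif f["subtype"] == SUBTYPE_BEACON:
            key = ("evil-twin", f["bssid"])
            if f.get("ssid") in self.managed_ssids and f["bssid"] not in self.authorized and key not in self.alerted:
                self.alerted.add(key)
                alerts.append(f"EVIL TWIN: unauthorized BSSID {f['bssid']} advertising our SSID '{f['ssid']}'")
        return alerts


CORP_BSSID, ROGUE_BSSID = "00:11:22:33:44:55", "de:ad:be:ef:00:02"   # constructed


def run_demo():
    """Constructed capture: normal beacons, a spoofed deauth flood, then an evil twin appearing."""
    capture = [(0.1 * i, build_beacon(CORP_BSSID, "CorpWiFi")) for i in range(3)]
    capture += [(1.0 + 0.02 * i, build_deauth(CORP_BSSID, BROADCAST)) for i in range(15)]
    capture += [(2.0 + 0.1 * i, build_beacon(ROGUE_BSSID, "CorpWiFi")) for i in range(3)]
    capture.append((2.5, build_beacon("66:77:88:99:aa:bb", "CoffeeShop")))   # a neighbour, not ours
    wids = Wids({CORP_BSSID: "CorpWiFi"})
    alerts = []
    for ts, frame in capture:
        alerts.extend(wids.observe(ts, frame))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The flood check keys on the claimed sender, which in a deauth attack is the legitimate BSSID, so the alert names the AP being impersonated rather than the attacker; the sequence-number discontinuities that a forged frame introduces are the usual next signal for telling the two radios apart.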

Brute Force

In cryptography, a brute force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing a combination correctly.  The attacker systematically checks all possible passwords and passphrases until the correct one is found.  Against an online login, a lockout policy that locks the account after a specified number of incorrect passwords (or that slows each response after a failure) caps how many guesses the attacker can make.  Lockout does nothing against an offline attack, where the attacker has obtained the password hashes and guesses at whatever rate their hardware allows; there, longer passwords (a larger search space) and a slow, salted password hash are what make the attack impractical.  Lockout also lets an attacker deliberately lock out legitimate users, so thresholds and lockout durations have to balance the two risks.
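
An added example (not from the original notes) in Python of the two defenses the paragraph names:  an authenticator with a per-account lockout counter and a slow salted hash, run against an exhaustive online guessing loop that is shut down after the fifth wrong guess, plus a search-space function for reasoning about password length.  The policy numbers, the user and the weak password are constructed for the example; the clock is passed in as a parameter so the lockout expiry can be exercised without waiting.

```python
import hashlib
import hmac
import itertools
import os
from dataclasses import dataclass

MAX_FAILURES, LOCKOUT_SECONDS = 5, 900     # constructed policy: 5 wrong guesses -> 15 minute lockout
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt):
    """Deliberately slow, salted hash so an offline attacker gets few guesses per second."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class Authenticator:
    def __init__(self):
        self.accounts = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username, password, now):
        """Returns 'ok', 'invalid' or 'locked'.  `now` is the current time in seconds."""
        acct = self.accounts.get(username)
        if acct is None:
            return "invalid"            # same answer as a wrong password: do not reveal valid usernames
        if now < acct.locked_until:
            return "locked"             # guesses during lockout are not even checked
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search has to cover."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time for an offline attacker at a given guess rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / 3600


def brute_force_online(auth, username, alphabet, length, now=0.0):
    """Exhaustive online guessing; stops at success or when the lockout policy shuts it down.
    Returns (outcome, attempts_made)."""
    attempts = 0
    for candidate in itertools.product(alphabet, repeat=length):
        attempts += 1
        outcome = auth.login(username, "".join(candidate), now)
        if outcome in ("ok", "locked"):
            return outcome, attempts
    return "exhausted", attempts


def run_demo():
    auth = Authenticator()
    auth.add_user("alice", "zq7")                              # constructed weak 3-character password
    outcome = brute_force_online(auth, "alice", "abcdefghijklmnopqrstuvwxyz0123456789", 3)
    during = auth.login("alice", "zq7", now=10.0)              # even the right password is refused while locked
    after = auth.login("alice", "zq7", now=LOCKOUT_SECONDS + 1.0)
    return outcome, during, after


if __name__ == "__main__":
    print(run_demo())
    print("36^3 =", keyspace(36, 3), "candidates; 95^12 =", keyspace(95, 12))
    print("hours to exhaust 8 printable chars at 1e9 guesses/s:", hours_to_exhaust(95, 8, 1e9))
```

The `during` result is the double-edged part of lockout:  the attacker's five guesses have also locked the real user out for fifteen minutes, which is why many systems prefer progressive delays or per-source throttling to a hard lock.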

VLAN Hopping

VLAN hopping is a computer security exploit, a method of attacking networked resources on a virtual LAN (VLAN).  The basic concept behind all VLAN hopping attacks is for an attacking host on one VLAN to gain access to traffic on other VLANs that would normally not be reachable without passing through a router or firewall.  There are two primary methods of VLAN hopping:  switch spoofing and double tagging.

  • Switch Spoofing:  the attacker’s host imitates a switch by sending Dynamic Trunking Protocol (DTP) messages to negotiate a trunk with the switch port it is plugged into.  If the port is left in its default dynamic mode it becomes a trunk, and the attacker can then send and receive tagged frames for every VLAN carried on it.  The fix is to hard-code user-facing ports as access ports and disable trunk negotiation on them (on Cisco IOS, switchport mode access and switchport nonegotiate).
  • Double Tagging:  the attacker is connected to an interface in access mode whose VLAN is the same as the native (untagged) VLAN of the trunk.  The attacker sends a frame carrying two 802.1Q tags, an “outer” tag for the native VLAN and an “inner” tag for the VLAN the attacker wants to reach.  The first switch removes the outer (native VLAN) tag and, because native VLAN traffic is sent untagged on the trunk, forwards the frame with only the inner tag still in place; the next switch reads that tag and delivers the frame into the victim’s VLAN.  The attacker has now “jumped” from the native VLAN to the victim’s VLAN.[13]  The attack is one-way (replies cannot be double-tagged back), so it is mainly useful for denial of service or one-directional injection, and it is defeated by moving the native VLAN to an unused VLAN that no access port belongs to, or by configuring the trunk to tag native VLAN traffic as well (vlan dot1q tag native on Cisco IOS).
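
The double-tagging mechanics, as an added Python example (not from the original notes or any switch vendor):  it builds a frame with two 802.1Q tags from the wire format and pushes it through a two-switch model whose access and trunk handling follows the description above, including the legacy behaviour of accepting a tagged frame on an access port when the tag matches the port’s VLAN.  The `Switch` class, its `native_vlan` and `tag_native` settings, the MACs and the VLAN numbers are assumptions made for the example; the same function is then run with the two mitigations to show the frame staying in the attacker’s own VLAN.

```python
import struct

ETH_P_8021Q, ETH_P_IP = 0x8100, 0x0800


def _mac(s): return bytes.fromhex(s.replace(":", ""))


def build_frame(dst, src, vlan_tags, payload=b"\x45" + b"\x00" * 19):
    """Ethernet frame with zero or more 802.1Q tags, outermost first (PCP/DEI left at 0)."""
    tags = b"".join(struct.pack("!HH", ETH_P_8021Q, v & 0x0FFF) for v in vlan_tags)
    return _mac(dst) + _mac(src) + tags + struct.pack("!H", ETH_P_IP) + payload


def outer_tag(frame):
    """VLAN id of the outermost 802.1Q tag, or None if the frame is untagged."""
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_8021Q:
        return None
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF


def push_tag(frame, vid):
    return frame[:12] + struct.pack("!HH", ETH_P_8021Q, vid) + frame[12:]


def pop_tag(frame):
    return frame[:12] + frame[16:]


class Switch:
    """Assumed model of an 802.1Q switch with one trunk; enough to show the tag handling."""

    def __init__(self, name, native_vlan=1, tag_native=False):
        self.name, self.native_vlan, self.tag_native = name, native_vlan, tag_native

    def access_to_trunk(self, access_vlan, frame):
        """Frame enters on an access port in access_vlan; returns what leaves on the trunk."""
        vid = outer_tag(frame)
        if vid is not None:
            if vid != access_vlan:
                return None              # tagged for a foreign VLAN: dropped
            frame = pop_tag(frame)       # legacy behaviour: a tag matching the access VLAN is accepted and stripped
        if access_vlan == self.native_vlan and not self.tag_native:
            return frame                 # native VLAN leaves untagged, so any remaining inner tag is now outermost
        return push_tag(frame, access_vlan)

    def trunk_ingress_vlan(self, frame):
        """VLAN a frame arriving on the trunk is switched into."""
        vid = outer_tag(frame)
        return self.native_vlan if vid is None else vid


def double_tag_attack(native_vlan, tag_native=False, attacker_vlan=1, target_vlan=20):
    """Returns the VLAN the attacker's double-tagged frame ends up in on the far switch."""
    sw_a = Switch("A", native_vlan, tag_native)
    sw_b = Switch("B", native_vlan, tag_native)
    crafted = build_frame("ff:ff:ff:ff:ff:ff", "de:ad:be:ef:00:03", [attacker_vlan, target_vlan])
    on_wire = sw_a.access_to_trunk(attacker_vlan, crafted)
    return sw_b.trunk_ingress_vlan(on_wire)


if __name__ == "__main__":
    print("native VLAN 1, attacker in VLAN 1   ->", double_tag_attack(native_vlan=1))
    print("native VLAN 999 (unused)           ->", double_tag_attack(native_vlan=999))
    print("native VLAN 1 but tagged on trunk  ->", double_tag_attack(native_vlan=1, tag_native=True))
    print("attacker in VLAN 10, native VLAN 1 ->", double_tag_attack(native_vlan=1, attacker_vlan=10))
```

The last case shows the precondition:  when the attacker’s access VLAN is not the native VLAN, switch A re-tags the frame with VLAN 10 on the way out and switch B puts it straight back in VLAN 10.  The Cisco IOS equivalents of the two mitigations are `switchport trunk native vlan 999` on the trunk ports and the global `vlan dot1q tag native`.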

Man-in-the-Middle

In cryptography and computer security, a man-in-the-middle attack (also called an on-path attack) is a cyberattack where the attacker secretly relays and possibly alters communications between two parties who believe that they are directly communicating with each other.  ARP poisoning, DNS poisoning, and evil twin access points are all ways of getting into that position on a local network; mutual authentication and end-to-end encryption (TLS with certificate validation, for example) are what stop the attacker from reading or altering the traffic once there.

Exploits vs. Vulnerabilities

An exploit is code that takes advantage of a software vulnerability or security flaw.  It is written either by security researchers as a proof of concept or by malicious actors for use in their operations.  When used, an exploit can give an intruder remote access to a network, elevated privileges, or a foothold from which to move deeper into the network.  In some cases, an exploit is one component of a multi-stage attack:  rather than carrying the final payload itself, the exploit drops other malware, such as backdoor Trojans and spyware that steal user information from the infected systems.[14]

A vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries (i.e. perform unauthorized actions) within a computer system.  To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can reach the weakness.  The set of all the points at which an attacker can reach a system’s weaknesses is its attack surface; the distinction matters because a vulnerability that nothing exposes cannot be exploited, while one exposed on the attack surface is only waiting for an exploit.

References

  1. Understanding Denial-of-Service Attacks. Cybersecurity & Infrastructure Security Agency.
  2. Reflector – Reflective DoS attacks. Radware.
  3. What is a DDoS attack? Cloudflare.
  4. Identifying Rogue Access Points.  Wi-Fi Planet.
  5. Strange Wi-Fi spots may harbor attacks. The Dallas Morning News.
  6. Wardriving. Fortinet.
  7. Cryptovirology: Extortion-Based Security Threats & Countermeasures. IEEE Symposium on Security and Privacy.
  8. What is DNS Poisoning? (aka DNS Spoofing). Keyfactor.
  9. Information Systems Security. Birkhauser.
  10. Network Security Hacks. O’Reilly.
  11. Spoofing Attacks. Rapid7.
  12. Wright, J. (2005). Weaknesses in Wireless LAN Session Containment.
  13. VLAN Hopping. Network Lessons.
  14. Exploit. Trend Micro.