Ch4 - 4.02 - Identifying Network Attacks Flashcards

1
Q

Denial of Service (DoS)

A

A denial of service (DoS) attack involves the hacker overloading a system with requests so that the system is so busy servicing the hacker's requests that it cannot service valid requests from other clients. The goal is to exhaust a resource such as bandwidth, the connection table, CPU or memory; a DoS can also be achieved without a flood, by sending a single malformed packet or request that crashes or hangs the service.

2
Q

Distributed Denial of Service (DDoS)

A

A distributed denial of service (DDoS) attack is one in which the hacker uses a large number of systems to perform the attack, which lets the hacker generate far more requests than a single source could. The hacker first compromises and takes control of those systems and then directs them to attack the target. The compromised systems are known as zombies because they have no mind of their own and do whatever the hacker tells them to do; collectively they form a botnet. Because the traffic arrives from many source addresses, blocking a single source does not stop the attack.

3
Q

DDoS - Smurf Attack

A

A very popular example of a DDoS attack years ago was the smurf attack. The hacker sends ICMP echo requests (pings) to the broadcast address of one or more networks, spoofing the source IP address of the packets so that they appear to come from the intended victim. Every host on those networks then sends its ICMP echo reply to the victim, overwhelming it with traffic. Because one spoofed request produces many replies, the smurf attack is both a reflection and an amplification attack. It is rarely effective today because routers are configured not to forward directed broadcasts and hosts are configured not to answer broadcast pings.

4
Q

Spoofing. Types of Spoofing.

A

Spoofing is a type of attack where the hacker alters the source address of information to make the information look like it comes from a different person or system. A few types of spoofing follow:

  1. IP Spoofing
  2. MAC Spoofing
  3. Email Spoofing

IP spoofing and MAC spoofing are popular methods used by hackers to bypass filters placed on firewalls (rules that trust a particular source IP address) and wireless networks (MAC address filtering). Note that spoofing is not "refactoring"; on the Security+ exam refactoring refers to rewriting the code of a driver or program (driver manipulation), which is an unrelated attack.

5
Q

Name Spoofing Tools

A
  1. Nemesis (crafts packets with arbitrary header fields)
  2. Hping2 (succeeded by hping3; crafts TCP/IP packets with a chosen source address)
  3. Macchanger (changes the MAC address of a network interface)
6
Q

Eavesdropping/Sniffing

A

A very popular type of attack is an eavesdropping attack, also known as sniffing. With an eavesdropping attack, the hacker captures network traffic and is able to view the contents of the packets traveling along the network. The packets may contain sensitive information such as credit card numbers or usernames and passwords. On a hub or an open wireless network the hacker sees everything; on a switched network the hacker must first get the traffic sent to their port, for example with ARP poisoning or a mirrored switch port. Encryption (TLS, SSH, WPA2/WPA3) is the main defense: the packets can still be captured, but their contents cannot be read.
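
The following is an added example, not code from the original flashcards, showing what an eavesdropper learns from a single captured frame: it parses the Ethernet, IPv4 and TCP headers and pulls the username and password out of an HTTP Basic Authorization header. The frame, addresses and credentials are constructed inline so the script runs offline; a real capture would come from tcpdump, Wireshark or a raw socket.

```python
"""Added example, not code from the original flashcards: what a sniffer
sees in a captured frame. The frame is constructed inline (hypothetical
addresses and credentials) so the script runs offline."""
import base64
import struct
from typing import Optional


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_frame(src_ip: str, dst_ip: str, src_port: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP frame with the given payload. Checksums are left
    at zero: this is sample input to parse, not a frame to transmit."""
    eth = bytes.fromhex("aabbccddeeff") + bytes.fromhex("112233445566") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    # data offset 5 words (20-byte header), flags PSH+ACK
    tcp = struct.pack("!HHIIHHHH", src_port, 80, 1, 1, (5 << 12) | 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> TCP and return addresses, ports and payload."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip_off = 14
    ihl = (frame[ip_off] & 0x0F) * 4
    if frame[ip_off + 9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(str(b) for b in frame[ip_off + 12:ip_off + 16])
    dst_ip = ".".join(str(b) for b in frame[ip_off + 16:ip_off + 20])
    tcp_off = ip_off + ihl
    src_port, dst_port = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    data_off = (frame[tcp_off + 12] >> 4) * 4
    return {"src_ip": src_ip, "dst_ip": dst_ip, "src_port": src_port,
            "dst_port": dst_port, "payload": frame[tcp_off + data_off:]}


def extract_basic_auth(payload: bytes) -> Optional[tuple]:
    """HTTP Basic sends base64(user:password): encoded, not encrypted."""
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            token = line.split(b" ", 2)[2]
            user, _, password = base64.b64decode(token).decode().partition(":")
            return user, password
    return None


def sniff_credentials(frame: bytes) -> Optional[dict]:
    """What an eavesdropper learns from one unencrypted HTTP request."""
    pkt = parse_frame(frame)
    creds = extract_basic_auth(pkt["payload"])
    if creds is None:
        return None
    return {"src": f"{pkt['src_ip']}:{pkt['src_port']}",
            "dst": f"{pkt['dst_ip']}:{pkt['dst_port']}",
            "user": creds[0], "password": creds[1]}


# Constructed sample: a plaintext HTTP request carrying Basic authentication.
SAMPLE_REQUEST = (b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                  b"Authorization: Basic " + base64.b64encode(b"alice:Winter2024!") + b"\r\n\r\n")
SAMPLE_FRAME = build_frame("10.0.0.5", "10.0.0.20", 51000, SAMPLE_REQUEST)

if __name__ == "__main__":
    print(sniff_credentials(SAMPLE_FRAME))
```

The same request over HTTPS would still be captured, but the payload after the TCP header would be TLS records and `extract_basic_auth` would find nothing.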

7
Q

Name Packet-Sniffing Softwares

A
  1. Wireshark
  2. tcpdump
  3. airodump-ng
8
Q

Replay

A

A replay attack starts as a sniffing attack because the hacker first must capture the traffic they wish to replay. The hacker then resubmits the captured traffic onto the network (replays it) later, for example to re-authenticate with a captured password hash or session token or to repeat a transaction. The hacker may alter the traffic before replaying it, or may simply replay it to generate more traffic. Timestamps, sequence numbers and one-time nonces in the protocol defeat replay, because a repeated message is detected as stale or already used.
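
As an added example (not from the original flashcards), the script below shows a captured, correctly authenticated message being replayed against a server that checks only the message authentication code, and against one that also requires a timestamp inside a short window and a nonce it has never seen. The service, shared key and message format are hypothetical.

```python
"""Added example, not code from the original flashcards: replaying a
sniffed, authenticated message against a naive server and a replay-safe
server. The service, key and message format are hypothetical."""
import hashlib
import hmac
import json
import secrets
import time

KEY = b"shared-secret-for-the-example"   # hypothetical shared key


def sign(msg: dict, key: bytes = KEY) -> dict:
    """Serialize deterministically and attach an HMAC-SHA256 tag."""
    body = json.dumps(msg, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def mac_ok(packet: dict, key: bytes = KEY) -> bool:
    expected = hmac.new(key, packet["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, packet["mac"])


class NaiveServer:
    """Checks integrity only: a sniffed message stays valid forever."""

    def __init__(self):
        self.ledger = []

    def handle(self, packet: dict) -> bool:
        if not mac_ok(packet):
            return False
        self.ledger.append(json.loads(packet["body"]))
        return True


class ReplaySafeServer(NaiveServer):
    """Also requires a timestamp inside the window and an unused nonce.
    The window bounds how long nonces must be remembered."""

    def __init__(self, window_s: int = 30, now=time.time):
        super().__init__()
        self.window_s, self.now, self.seen = window_s, now, set()

    def handle(self, packet: dict) -> bool:
        if not mac_ok(packet):               # tampered or unsigned
            return False
        msg = json.loads(packet["body"])
        if abs(self.now() - msg.get("ts", 0)) > self.window_s:
            return False                     # stale: replayed much later
        nonce = msg.get("nonce")
        if not nonce or nonce in self.seen:
            return False                     # replayed within the window
        self.seen.add(nonce)
        self.ledger.append(msg)
        return True


def make_transfer(amount: int, to: str, clock=time.time) -> dict:
    """Client side: every message carries ts and a random nonce, both under the MAC."""
    return sign({"op": "transfer", "amount": amount, "to": to,
                 "ts": int(clock()), "nonce": secrets.token_hex(8)})


def demo(clock=time.time) -> dict:
    captured = make_transfer(100, "acct-attacker", clock)   # sniffed off the wire
    naive, safe = NaiveServer(), ReplaySafeServer(now=clock)
    later = ReplaySafeServer(now=lambda: clock() + 3600)   # same message, an hour later
    altered = json.loads(captured["body"])
    altered["amount"] = 9000                                 # edit without re-signing
    tampered = {"body": json.dumps(altered, sort_keys=True), "mac": captured["mac"]}
    return {
        "naive_first": naive.handle(captured),
        "naive_replay": naive.handle(captured),      # accepted again: replay works
        "safe_first": safe.handle(captured),
        "safe_replay": safe.handle(captured),        # rejected: nonce already seen
        "safe_stale": later.handle(captured),        # rejected: outside the window
        "tampered": safe.handle(tampered),           # rejected: MAC no longer matches
        "naive_ledger": len(naive.ledger),
    }


if __name__ == "__main__":
    print(demo())
```

The timestamp and the nonce must both be covered by the MAC; otherwise the hacker simply updates them before replaying. The window is what lets the server forget old nonces instead of storing them forever.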

9
Q

Man-in-the-Middle (MITM)

A

In a man-in-the-middle (MITM) attack, the hacker inserts himself between two systems that are communicating. Once in the middle, the hacker relays information back and forth between the two parties, so that each believes it is talking directly to the other while the hacker reads or alters everything that passes through.

10
Q

Poisoning

A

Poisoning is the act of deliberately placing incorrect entries into a lookup table or cache that other systems rely on, in order to redirect or disrupt them. Two popular examples of poisoning that you need to be familiar with for the Security+ certification exam are DNS poisoning and ARP poisoning.

11
Q

DNS Poisoning

A

DNS poisoning is when the hacker compromises a DNS server and poisons the DNS entries by having DNS names point to incorrect IP addresses. Often, the hacker will modify the DNS records to point to the hacker's system, which forces all traffic for that DNS name to the hacker's system.

DNS poisoning also refers to altering the DNS cache located on your company's local DNS servers. The DNS cache stores the names of web sites already visited by employees and the IP addresses of those sites. The cache is on your DNS server so that when another employee visits the same site, the DNS server already has the IP address and does not need to forward a query out to the Internet; it simply returns the cached address to the client. A hacker can poison this cache by sending a forged response to one of the server's outstanding queries: the forged response must match the query's transaction ID (and UDP source port) and arrive before the legitimate answer, which is why resolvers randomize both. Once poisoned, every user of that server is sent to the wrong site until the entry expires.

Another popular technique for leading you to the wrong web site is to modify the hosts file that resides on every system. The hosts file maps host names to IP addresses and is consulted before DNS, so if an entry is found there the system never queries DNS at all. Pharming is the term used for leading someone to the wrong site by modifying DNS or the hosts file.
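
The following added example (not code from the original flashcards) implements the checks a caching resolver makes before it accepts an answer, matching transaction ID and matching question, and shows why a forged reply that guesses the ID and beats the real reply poisons the cache. It builds and parses DNS wire-format messages; the names, addresses and transaction IDs are made up.

```python
"""Added example, not code from the original flashcards: why a forged DNS
reply is accepted if it matches the outstanding query's TXID and question
and arrives first. Names, addresses and IDs are made up."""
import struct


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # type A, class IN


def build_response(txid: int, name: str, ip: str, ttl: int = 300) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR+RD+RA, 1 answer
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = (b"\xc0\x0c"                                        # pointer to qname at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)
              + bytes(int(o) for o in ip.split(".")))
    return header + question + answer


def read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                                # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)


def parse(msg: bytes) -> dict:
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, _ = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "qtype": qtype, "answers": answers}


class CachingResolver:
    """Minimal cache: the first reply that matches an outstanding query wins."""

    def __init__(self):
        self.cache, self.pending = {}, {}   # name -> answers, txid -> question

    def send_query(self, txid: int, name: str) -> bytes:
        query = build_query(txid, name)
        self.pending[txid] = parse(query)
        return query

    def receive(self, response: bytes) -> bool:
        """Accept only a response whose TXID and question match a query we sent.
        A real resolver also checks the UDP source port and server address;
        randomizing TXID and source port is what makes guessing impractical."""
        r = parse(response)
        q = self.pending.get(r["txid"])
        if q is None or not r["is_response"]:
            return False
        if (r["qname"], r["qtype"]) != (q["qname"], q["qtype"]):
            return False
        del self.pending[r["txid"]]          # later replies, even the real one, are ignored
        self.cache[r["qname"]] = r["answers"]
        return True


def demo() -> dict:
    resolver = CachingResolver()
    resolver.send_query(0x1A2B, "bank.example")
    attacker_ip, real_ip = "203.0.113.66", "198.51.100.10"
    return {
        "wrong_txid": resolver.receive(build_response(0x1A2C, "bank.example", attacker_ip)),
        "wrong_name": resolver.receive(build_response(0x1A2B, "shop.example", attacker_ip)),
        "forged_first": resolver.receive(build_response(0x1A2B, "bank.example", attacker_ip)),
        "real_too_late": resolver.receive(build_response(0x1A2B, "bank.example", real_ip)),
        "cached": resolver.cache.get("bank.example"),
    }


if __name__ == "__main__":
    print(demo())
```

With a 16-bit transaction ID alone the hacker has a 1 in 65536 chance per forged packet; adding a random source port multiplies the search space by tens of thousands, and DNSSEC removes the guesswork entirely by signing the records.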

12
Q

Domain Hijacking

A

Domain hijacking is a type of attack that involves the hacker taking over a domain name from its original registrant. The hacker may hijack the domain by using social engineering techniques against the registrar or the registrant to gain access to the domain account and then switch ownership, or the hacker could exploit a vulnerability in the systems that host the domain registration to gain unauthorized access to it. Registrar locks and multifactor authentication on the registrar account are the usual defenses.

13
Q

Man-in-the-Browser

A

A man-in-the-browser (MITB) attack is a form of man-in-the-middle (MITM) attack where the browser contains a Trojan that was inserted via a malicious add-on (extension) or a script executing within the browser. The Trojan can intercept any data the user enters into the browser and alter it before it is sent to the destination server, and can alter what the server sends back. Because it runs inside the browser, it sees the data after TLS decryption, so HTTPS does not protect against it. Examples of MITB Trojans are Zeus and SpyEye.

14
Q

ARP Poisoning

A

ARP poisoning involves the hacker altering the ARP cache on a system, or group of systems, so that those systems have the wrong MAC address stored for a specific IP address, typically the address of the default gateway. The hacker sends forged ARP replies so that the default gateway's IP address (your router's IP address) maps to the hacker's MAC address.

This ensures that every time a system tries to send data to the router, it retrieves the hacker's MAC address from its local ARP cache and sends the data to the hacker's system instead of to the router. This is how the hacker typically performs an MITM attack on a wired or wireless network, and it allows the hacker to capture all traffic even in a switched environment. The hacker just needs to enable IP forwarding on their system so that all data is passed on to the router and out to the Internet, while in the meantime the hacker has captured every piece of data headed out. Dynamic ARP Inspection on switches, static ARP entries for critical hosts, and tools that alert when an IP address's MAC changes are the usual defenses.
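
As an added example, not code from the original flashcards, the script below serves both the MITM card and this ARP poisoning card: it builds the forged ARP reply that binds the gateway's IP address to the attacker's MAC (and the matching one aimed at the gateway), and runs a small arpwatch-style detector that alerts when an IP address's MAC changes. All addresses are made up and nothing is transmitted.

```python
"""Added example, not code from the original flashcards: forged ARP
replies for a gateway MITM, and a detector that flags the resulting
IP-to-MAC change. Addresses are made up; nothing is sent on the wire."""
import struct

GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.10", "00:11:22:33:44:0a"
ATTACKER_MAC = "de:ad:be:ef:00:01"


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an ARP reply (opcode 2) that says
    'sender_ip is at sender_mac'. A poisoned reply lies about sender_mac."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)          # Ethernet/IPv4, reply
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": fmt_mac(arp[8:14]), "sender_ip": fmt_ip(arp[14:18]),
            "target_mac": fmt_mac(arp[18:24]), "target_ip": fmt_ip(arp[24:28])}


class ArpWatcher:
    """Remembers the first MAC seen for each IP and alerts when a later
    reply claims a different one (the signature of ARP poisoning)."""

    def __init__(self):
        self.table, self.alerts = {}, []

    def observe(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != 2:
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        known = self.table.setdefault(ip, mac)
        if known != mac:
            self.alerts.append(f"{ip} changed from {known} to {mac}")


def demo() -> ArpWatcher:
    """Legitimate replies first, then the two forged replies of a full MITM:
    the victim is told the gateway is at the attacker's MAC, and the gateway
    is told the victim is at the attacker's MAC."""
    w = ArpWatcher()
    w.observe(build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    w.observe(build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    w.observe(build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP))
    w.observe(build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP))
    return w


if __name__ == "__main__":
    for alert in demo().alerts:
        print("ALERT:", alert)
```

A host that accepts these replies sends its Internet-bound frames to the attacker's MAC; with IP forwarding enabled the attacker passes them on to the real gateway, so the victim notices nothing while every packet is captured. The detector only works because a poisoned reply must keep announcing the false binding; a baseline of known IP-to-MAC pairs (or Dynamic ARP Inspection on the switch) turns that into an alert.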

15
Q

Amplification

A

Amplification is the process of increasing the strength of a signal so that communication can occur. A hacker may amplify the signal on their wireless card (for example with a high-gain antenna) so that they can reach greater distances with wireless. This means that the hacker may not need to be physically close to a network in order to connect to that network if they have amplified their signal. Keep in mind, from a security point of view, that you should lower the power on your wireless access point to force someone to be close to your access point (inside the facility) in order to connect. The same term is also used for DDoS attacks: in an amplification attack such as smurf, a small spoofed request causes a much larger volume of responses to be sent to the victim.

16
Q

Session Hijacking

A

Session hijacking is when the hacker kicks one of the parties out of a communication and impersonates that party for the rest of the conversation. The hacker typically disconnects one of the parties via a denial of service attack and, for a TCP session, must know or predict the sequence numbers in use so that the other side accepts the injected segments. Web session hijacking works the same way at the application layer: stealing a user's session cookie (by sniffing or cross-site scripting) lets the hacker take over the authenticated session without knowing the password.