Chapter 8: Networking Threats, Assessments, and Defenses
Sources of DDoS Attacks
- The 1st massive DDoS attack was in 2016 and targeted a French web hosting service
- A botnet of 1 million compromised devices sent 4 Tbps, which is like streaming 800k HD movies at the same time!
DNS Server Poisoning Steps
- Attacker's domain is www.evil.net, with a DNS server called ns.evil.net
1. Attacker sends a request to the DNS server to resolve its domain
2. The DNS server doesn't know that address, so it asks the attacker's server
3. ns.evil.net sends the address + ALL its records (zone transfer), which the DNS server accepts
4. All requests to that DNS server will now be answered with the fake addresses
DNS poisoning vs hijacking
- DNS Poisoning: all domains that one victim uses are controlled by the attacker
- DNS Hijacking: controls fewer domains, but everyone using the DNS server is redirected
Domain Name resolution
- The host table was expanded into a hierarchical name system for matching computer names to numbers = DNS
Distributed attacks
- It's like when Gabe is trying to have a conversation with Cora in a coffee shop, but a flash mob of his friends enters the shop and all talk to him. Gabe is unable to finish his conversation with Cora - that's a DDoS attack
Malicious Coding and Scripting attacks
- Network attacks from malicious software code and scripts
- The attacks use:
  - PowerShell
  - Visual Basic for Applications (VBA)
  - Python
  - Linux/UNIX Bash
DNS attacks
- Before the Internet there was ARPAnet
- Computers on the network were named by numbers. Later, more human-friendly names using letters, numbers, and special symbols were introduced - DNS
Terms not meaning same thing
- Terms like frame, packet, datagram, and segment
- OSI uses terms like PDU and SDU
- Some network certifications require the specific terms, but the Security+ certification does not
- Just remember: PACKET is used in a generic sense for a unit of data
Layer 2 is weakest
- The weakest and most frequently targeted layer
- Known as the Data Link Layer, which divides data into packets with error detection and correction, and performs physical addressing, data framing, and error handling
Host tables
- stored in
2 common Layer 2 attacks
1. Address Resolution Protocol (ARP) Poisoning
2. Media Access Control (MAC)
Topics
1. Attacks on Networks
2. Tools for Assessment
3. Physical Security Controls
Types of DNS attacks
1. DNS Poisoning
2. DNS Hijacking
Types of Attacks on Networks
1. Interception
2. Layer 2 attacks
3. DNS attacks
4. Distributed attacks
5. Distributed Denial of Service attacks
6. Malicious Coding and Scripting attacks
2 types of SPOOFING MAC address
1. MAC Cloning - the switch changes its MAC table to reflect a NEW ASSOCIATION of the MAC address with another port, the one the attacker's device is connected to
- All packets are now sent to the attacker's device
2. MAC Flooding - the memory of the switch is flooded with spoofed packets so that it acts like a NETWORK HUB and BROADCASTS frames to all ports
- This can quickly CONSUME ALL MEMORY (CAM) for the MAC table
- Once the MAC table is full, the switch enters a fail-open mode and broadcasts frames to all ports
- Threat actors can then install a software/hardware device that captures and decodes packets on one client to view all traffic
Interception Attacks
1. Man-in-the-middle (MITM)
2. Session Replay
3. Man-in-the-browser
2 consequences from a DNS Attack
1. URL Redirection: an attack in which a user is redirected to another site
- The redirected site is fictitious and looks identical to a bank or ecommerce site, which tricks users into entering their username, password, and CC number
2. Domain Reputation: an attack in which the status of a site is manipulated to earn a low domain score
- Online algorithms evaluate webpages, domains, and email services
- IP addresses are evaluated and rated
- A company's competitor could hire a threat actor to use a DNS attack that earns the company a low domain score, thus affecting their sales
Threat actor gains from using an MITB attack
1. Uses a Trojan extension, which gives users useful functions but also installs malware without being recognized
2. Selects target websites. It can stay dormant for months until triggered by the user
3. Resides in the web browser, making it hard for STANDARD ANTIMALWARE to detect
2 phases for MITM
1st Phase:
- Intercepting
- Pretend to be an approved web app by changing the IP address in the packet headers
- Result: traffic is sent to the attacker's website
2nd Phase:
- Decrypt the transmission
- Sends a fake digital certificate (DC) to trick the PC into verifying the AUTHENTICITY of an APPLICATION
- Result: the attacker can see any data entered by the victim
DNS Poisoning
An attack that substitutes/modifies the DNS address in the local lookup table so that the computer is redirected to the attacker's device
- As a result, the threat actor steals the user's information or infects the device with malware
- The threat actor controls ALL websites that the user visits
- Users are unaware of the HOSTS file on the device + the infection can remain undetected for long periods of time
- Some governments use this tactic to RESTRICT people from reading what they consider UNFAVORABLE Internet content
DNS Hijacking
An attack that infects an EXTERNAL DNS server with IP addresses pointing to malicious sites
- Redirects ALL users accessing that server
- Attackers exploit protocol flaws to convince the DNS server to accept the fake records
- IF stored, it can spread to other DNS servers
Man-in-the-middle (MITM)
An attack that intercepts a REAL communication to EAVESDROP on or IMPERSONATE the parties
Example:
- Angie gets a bad grade and the teacher sends a letter requesting a conference meeting
- Angie gets the mailed letter first
- She forges a reply to the teacher + writes a new letter that COMPLIMENTS her grades
Zone transfers
DNS servers exchange zone information among themselves
Man-in-the-browser (MITB)
Intercepts communication between the BROWSER and the COMPUTER
Process:
1. A Trojan infects the PC + installs an extension
2. The extension waits for a website where the user enters information
3. After it is submitted, the extension CAPTURES the data and can MODIFY it
Media Access Control
Manipulates the MAC address. The target is the NETWORK SWITCH
Network Switch - a device that connects network devices and has a degree of "intelligence"
- Operates at Layer 2
- The switch can learn which device is connected to each port
- Examines the MAC addresses of packets it receives and observes which switch port they arrived on
- Stores this information in the MAC address table
Threat Actors and Switches
- Switches are good for network performance by limiting packet sharing + better security
- When a threat actor installs software to capture packets, the switch lets them see only packets for that device and not for other network devices
Layer 2 attacks- OSI Model
Open Systems Interconnection Model
- Describes what happens on a network device when sending/receiving traffic by portraying it as a series of 7 steps (layers)
- Revised in 1983
- Each layer is compartmentalized: different layers work w/o knowledge or approval of the other layers
- Meaning, if one layer is affected, the other layers won't notice that communication is being COMPROMISED
Address Resolution Protocol Poisoning
Part of the TCP/IP protocol suite for finding a MAC address based on an IP address
- An Ethernet LAN uses a physical media access control (MAC) address that's "burned" permanently onto the network interface card (NIC)
- IP addresses and their corresponding MAC addresses are stored in the ARP cache. Other endpoints that see the ARP reply also CACHE the data
- However, threat actors take advantage of the MAC addresses stored in the ARP cache, changing the data so that IP addresses point to a different device
- This attack is called ARP poisoning
DDoS
Uses many computers to perform the DoS attack. Involves thousands or millions of sources producing a torrent of fake requests
Session Replay
An attack that attempts to IMPERSONATE the user by using the user's session token ID
- Several types of techniques exist to steal a Session ID
- Network attacks - hijack and alter communications between 2 users
- Endpoint attacks - cross-site scripting, Trojans, and malicious JavaScript code
ARP poisoning
An attack that corrupts the ARP cache
- Uses SPOOFING, i.e. using another's identity
- Successful because NO AUTHENTICATION process is required
Session ID
A unique # that a web server assigns to the user for the duration of the visit or session
- Complex IDs that are usually at least 128 bits long and hashed using a secure function like SHA-256
- Sometimes, if the user is idle on the website, the server may generate a new ID
- Ex: fa2e76d49a0475910504cb3ab7a1f626d174d2d.