Network Attacks

Below is information relating to a number of different types of attack aimed at computer networks. These have been further sub-divided into wireless network attacks, on-path attacks, layer 2 attacks, domain name system (DNS) attacks, distributed denial-of-service (DDoS) attacks, and malicious code or script execution attacks.

Wireless Network Attacks

Evil Twin

An evil twin is a wireless access point that has been set up by an attacker to look like a legitimate access point. The attacker's aim is to get people to connect via the evil twin instead of the legitimate one, to eavesdrop on the traffic and gain sensitive information from those connected. More advanced wireless network management software can be set up to detect and alert about new access points to help mitigate this type of attack.

Rogue Access Point

A rogue access point is one that is set up without the knowledge of network administrators, either by accident or for nefarious reasons. For example, an employee of an organisation may turn a device into a wireless hotspot. It could simply be to give access to another device, or there could be more sinister reasons, such as to try and get other people to connect and eavesdrop on the traffic to gain sensitive information. As with evil twins, more advanced wireless network management software can be used to detect and alert about these types of devices.

Bluesnarfing

Bluesnarfing is an attack aimed at Bluetooth enabled devices. The purpose is to steal information from the victim, such as e-mails, contact information, and any other sensitive details available. This type of attack can be carried out from a mobile device or laptop. Usually, the phone needs to be discoverable for the attack to be successful, although this isn't always necessary. Newer devices have been patched to address this type of attack.

Bluejacking

Bluejacking is the opposite of Bluesnarfing, rather than take information from the victim's device, the idea is to send unauthorised messages to the device. These messages can contain text, images, or audio. The device must have Bluetooth enabled and be discoverable for the attack to be successful.

Disassociation

In relation to wireless systems, the goal of disassociation attacks is to force a victim's device to lose connection to the wireless network. An attacker may then try to steal credentials if the victim tries to reconnect, by monitoring the traffic, using a technique called packet sniffing.

Jamming

Jamming targets the radio spectrum of a wireless network and can cause a denial of service, stopping users from connecting to a wireless access point. Where an evil twin, discussed earlier, has been deployed, jamming can be used to encourage users to connect to it instead.

Radio Frequency Identification (RFID)

RFID tags are used in many scenarios including, tracking devices, inventory in a warehouse and even household pets. The tags can be classed as active or passive, where active tags have their own power source and passive tags rely on Radio Frequency (RF) energy transmitted from the device that reads them. The proximity a reader must be to an RFID tag in order to read it depends on the type of tag and ranges from just a few centimetres to up to 200 metres.

Attacks against RFID can be against the devices themselves, against the communication channel between the device and the reader, or, against the reader and backend system.

There are a number of standards covering the security of RFID. Cryptographic methods to support confidentiality, untraceability, tag and reader authentication, and over-the-air privacy are covered in ISO/IEC 18000 and ISO/IEC 29167. ISO/IEC 20248 also specifies a digital signature data structure for use with systems that utilise RFID.

Near-Field Communication (NFC)

Near Field Communication, or NFC, allows smartphones and other mobile devices, to communicate over distances typically up to 10 centimetres. It facilitates payment services such as Apple Pay and Google Pay, as well as allowing the transfer of files between devices. The close proximity helps with securing the communication, but traffic interception, replay attacks and spoofing attacks are still possible. Devices need to ensure that they only respond to queries when desired.

Initialisation Vector (IV)

An initialisation vector is a randomly selected value that is used to start the encryption process in wireless technologies. The shorter the IV the easier it is for an attacker to crack. This was the problem with the wireless technology WEP, or Wired Equivalent Privacy, because the IV was only 24-bits in length.

On-Path Attack

An on-path attack, otherwise known as a man in the middle attack, involves an attacker getting in the middle of a communication between two other parties. An attacker must convince both parties that their machine is the other one involved in the communication. The result is that all traffic involved in the communication goes via the attacker, which allows them to monitor the traffic, forward it on to the other party, and even change the traffic before forwarding it on.

An on-path attack may have limited success if the communication is encrypted. This type of attack can be used to conduct an application level SSL stripping attack, where it removes the TLS encryption from a web page request over HTTPS, by redirecting to the insecure HTTP version, in order to read and possibly modify the communication. Websites can help mitigate against this type of attack by requiring the use of HTTPS throughout the site.

A variation on an on-path, or man in the middle attack, is a man in the browser attack. This is where a Trojan is inserted into a user's browser, which is able to access and modify information sent and received by the browser.

Layer 2 Attacks

Layer 2 refers to the second layer of the Open Systems Interconnection (OSI) Seven Layer Model, which helps to conceptualise the many parts of a network. Layer 2 is called the Data Link Layer and is responsible for the delivery and receipt of data from hardware in layer 1 of the model, the physical layer. Network switches and media access control (MAC) addresses operate at layer 2, amongst other things. Layer 2 attacks look to exploit parts of a network that operate at this layer.

Address Resolution Protocol (ARP) Poisoning

The Address Resolution Protocol facilitates the retrieval of a device's MAC address, which is sometimes needed in order to transfer network packets from one device to another. A device keeps MAC addresses in its ARP table, along with the corresponding IP address.

When a device wants to know a MAC address corresponding to an IP address, it sends out an ARP request on the network. The device with that IP address will respond with an ARP reply containing their MAC address. A similar process happens when a device has a MAC address and wants to know the IP address, except a reverse ARP (RARP) request and a RARP reply is used. Any device that hears a reply will add the information to their ARP table.

Replies to requests are automatically trusted and updated in the ARP table. Replies will even be accepted on some operating systems even if the request was not heard. ARP poisoning occurs where an attacker sends messages to corrupt an ARP table, causing packets to be misrouted. This can be used to facilitate an on-path, or man in the middle attack, discussed previously.

Media Access Control (MAC) Flooding

Network switches, which operate at layer 2, learn the MAC addresses, or hardware addresses, of devices connected to it, so that it can send network packets to the destination device and no other. If it doesn't know the destination MAC address it will send a packet to all interfaces, hoping for a response from the correct destination so that it can store the address for future use.

MAC flooding occurs when an attacker floods a switch with MAC addresses, which it can't find in its table, so the packets get sent to all interfaces. An attacker could use this for ARP poisoning previously described.

Media Access Control (MAC) Cloning

MAC cloning involves the duplication of a device's MAC address. There can be legitimate reasons for doing this, however, attackers may use this to bypass network security that includes restrictions by MAC address. Network access control, machine authentication and other validation technologies can be used to help detect cloned MAC addresses.

Domain Name System (DNS) Attacks

When network packets of data need to go to a destination outside of the local network, the Domain Name System (DNS) is used to provide the address of that destination. It converts domain names into IP addresses and comprises of a hierachy of servers all over the internet. DNS information is also cached by your Internet Service Provider (ISP), within home routers and even your local machine. Attackers try to corrupt DNS in order to influence where packets go, using one of a number of attacks mentioned below.

Domain Hijacking

A domain name must be registered before it can be used. Domain hijacking occurs where an attacker changes this registration without the permission of the original registrant and points it to a different location.

DNS Poisoning

As explained above, DNS information comes from a hierarchy of servers over the internet and is also cached locally and by your ISP. DNS poisoning occurs where there is an unauthorised change in where this DNS information comes from. This can be achieved in a number of different ways, for example, an attacker might provide a DNS response whilst pretending to be a DNS server. An attacker may also try to corrupt the local DNS cache. Once the cache is corrupted it will continue to be used until it is either purged or updated.

Uniform Resource Locator (URL) Redirection

A URL is a string of alphanumeric characters that is used to describe where you want your browser to go, which is used by DNS to convert into an IP address. An attacker will try to trick users in an email or other communication by providing a link that is slightly different to the actual domain, to get someone to visit a malicious site and divulge sensitive information. These slight differences in the domain name can be missed by the brain.

Domain Reputation

As with a physical location, an IP address can have a reputation. If a domain is seen to be associated with spam, botnets, or other bad behaviour, then the reputation of the domain will suffer, so care must be taken to make sure that no one is piggybacking on your address and using it for malicious purposes. A bad reputation can have the effect that the domain is seen as an untrusted email sender and some services may become unavailable.

Distributed Denial-of-Service (DDoS) Attacks

The aim of a denial-of-service attack is to deny authorised users access to a computer system or network. A distributed denial-of-service (DDoS) attack is a denial-of-service attack that comes from multiple sources. Often these sources are unaware of their involvement in the attack, as they have been infected with malware and are under the control of a Command and Control (C2) server. The infected devices are sometimes referred to as zombies, or bots, and collectively they form a botnet. Once infected they wait for a command from the C2 server to initiate the attack.

Many antivirus and anti-malware tools can detect malware infections that utilise devices in DDoS attacks so you can prevent devices on your own network from partaking in such an attack. The problem comes when attacks originate from outside your network.

Network

A aim of a DDoS attack against a network is to block authorised network connections by flooding it with malicious connection requests. One example of how this is achieved is with a SYN flooding attack, that takes advantage of how the Transmission Control Protocol (TCP) uses a three-way handshake to create a connection. Usually, a device starts the handshake process by sending a SYN network packet. The receiver then sends back a SYN/ACK packet to signify that it is able to accept a connection and waits for an ACK packet from the originating device to complete the connection.

With a SYN flooding attack, fake SYN packets are sent to the target. The target sends the SYN/ACK response and waits for the final acknowledgement, which never comes. Lots of requests like this eventually overwhelm the target system, slowing it down or even stopping it working altogether.

Application

The majority of applications take user input, process data relating to the input, and create output based on the processed data. All of this activity requires resources, which is where an application-level denial-of-service attack is aimed at. The objective of the attack is to use all of the available resources to cause the application to fail.

For web applications, an attack is often aimed at the Hypertext Transport Protocol (HTTP). Malicious HTTP requests are made to an application to try to drain its resources and therefore stop it from working. A Web Application Firewall (WAF) can be used to provide some resilience against this type of attack. A similar type of attack can also be aimed at an Application Programming Interface (API).

Operational Technology (OT)

Operational Technology, or OT for short, refers to the software and hardware, which collectively controls devices, such as traffic lights, and systems in buildings, factories, power plants, and other industries. OT devices and systems use different protocols to standard IT systems and are often very time dependant, with devices such as traffic lights for example. A denial-of-services on OT technology can result in major problems. Due to this sensitivity, they are often not directly connected to the Internet.

Malicious Code or Script Execution Attacks

Scripting can be very useful from a system administration point of view, allowing for the automation of repetitive tasks. It can speed up a task and improve accuracy, along with a number of other advantages. The problem is that these advantages which benefit system administration, also can be of benefit to attackers.

PowerShell

PowerShell is a scripting language that is built in to all modern versions of Microsoft Windows. It is also available to install on macOS and a number of different Linux distributions. It is a powerful tool that can be used to perform administrative level functions. Due to this it is popular with attackers and system administrators alike.

Python

Python is a general-purpose, cross platform, scripting language that is easy to learn. It is a useful tool for task automation and data analysis, making it very useful for system administration and cyber security teams, as well as for malicious purposes by attackers. A number of different tools are written in Python that are utilised by both security personnel and attackers.

Bash

Bash, or the Bourne Again Shell, is a scripting language available on Linux systems. It can be used for task automation and to perform operating system level tasks making it ideal for system administration. As with other similar tools previously discussed however, it can also be utilised by attackers for malicious purposes.

Macros

Macros provide a means to record a set of instructions to automate a task within an application. These can be used to perform repetitive tasks and speed them up. Macros can however be exploited by attackers to perform unwanted system level functions. For this reason, care must be taken to restrict their use, making them available only where absolutely necessary.

Visual Basic for Applications (VBA)

Visual Basic for Applications is an older form of macro technology provided by Microsoft within its office applications. It can be used to perform repetitive tasks within these applications, however, the technology can also be exploited by attackers. For this reason, systems should be protected against documents created with these applications, unless the source is known and trusted.