Common Network Attacks and How to Defend Against Them
A stable and secure IT infrastructure is one of the most important features for a successful business today. Of course, successful businesses make tempting targets for competitors and black hat hackers. Cyberattacks are evolving by the day. According to a new study by Juniper Research, the cost to businesses and governments worldwide of defending and cleaning up from data breaches is $455 billion (U.S.) annually, and expected to climb to $2.1 trillion (U.S.) over the next four years.
It's important to know how to classify and prevent cyberattacks. Below are some of the more common types and simple ways to stop them.
This is most often the initial attack an infrastructure will encounter. Before attacking a network directly, hackers will try familiarize themselves with a network's characteristics and vulnerabilities.
Reconnaissance attacks are usually done using information gathering tools and techniques starting from the simple whois.com (to look up domain names and contact information) and nslookup (translates the domain name to its IP hosting address), to more functional tools such as nmap (port-scanning and analyzing machine fingerprints) and FOCA (a security audit tool that examines metadata from domains).
There are two subtypes of reconnaissance attacks — active and passive.
Passive reconnaissance is gathering information during normal interaction with a server. While browsing a webpage, for example. If you do a packet analysis on the data received, you can actually discover which web service software the server is using (apache or nginx).
Active reconnaissance is using a script, or software, to send a specially constructed packet with the purpose of receiving the response you need. Examples of these are the numerous port-scanning tools you can find on the internet, or simply build yourself.
Reconnaissance attacks are commonly used by penetration testers. This is a great way for companies concerned about network security to see just what they expose to the "enemy" and then to take further steps to protect their network infrastructure.
How to react:
Unfortunately, in an infrastructure that needs to be accessed by the outside world (the internet), the information gathering process cannot be limited completely, as its proper functioning requires some server-side data to be shared. There are, however, a couple of simple things you can do to defend yourself from the inevitable black hats:
� Use IPS/IDS in your network — they can detect the patterns and packets that port scanners use, and eventually block them and generate an alarm.
� Patch your servers to the most current version and get yourself informed about the latest exploits about the server operating systems you use.
These attacks occur when an attacker fakes their identity, or assumes another machine's identity. A common example is the IP address spoofing attack — the sender alters the IP source field in the IP packet, so that it will not represent his own IP, but a randomly chosen one. Doing this, the hacker can provoke thousands of TCP acknowledgements to be redirected to an IP that did not send the SYN packet in the first place (DDoS), or simply to flood a network using random and invalid source addresses.
Another identity spoofing attack is the ARP spoofing — the attacker sends spoofed ARP packets with an IP address already in the network ( commonly the default gateway's address) and inserts his own MAC address, so all the traffic designated for that IP will instead go to the attacker's machine. This is also often referred to as a man-in-the-middle attack.
How to react:
� With an IP spoofing attack, where the network receive packets with random source addresses, we can enable the unicast reverse path forwarding (uRPF) strict mode mechanism on our routing devices. This enables the router to check if the source IP address is found in the routing table, in order to determine whether it is from the same interface we receive the packets from. If not, the packets will be dropped far before reaching key points in our network. The uRPF should be placed at the entrance to the company's network.
� A Statefull firewall can help us in case we receive multiple SYN-ACK packets from unknown destinations. By tracking the connection state of TCP sessions, it will drop everything that does not belong to an existing entry in the connections table. This defense should also be placed at the entrance of a company's network
� An IP source guard mechanism verifies that packets received on a port contain valid IP-MAC pairs. If a hacker tries to play the ARP spoofing or IP spoofing game, he will be blocked. An IP source guard should be placed in the LAN environment the attacker has accessed.
Packet sniffing and Man-in-the-middle attack
The name says it all. This is when an attacker succeeds in placing himself between communicating devices. Its main purpose is packet sniffing and stealing of sensitive data. An attack can be done on all of the OSI layers — someone can simply cut your UTP cable and plug himself between you and your ISP switch. Or somebody can fake being your wireless AP and default gateway, so all your data is sent to him first. If this happens in your corporate network, things can quickly become serious.
How to react:
� From the edge to the core, maintain strict control on who and what is plugged into your physical network. Also, implement mechanisms limiting network access to allow only recognized MAC addresses.
� Implement DHCP snooping. If someone unauthorized tries to send DHCP offers, this mechanism will prevent him of doing it.
� Secure your wireless network. Wireless networks are very vulnerable to both packet sniffing and man-in-the-middle. A strong authentication and encryption can prevent unauthorized actions.
Denial-of-Service (DoS) and Distributed (DDoS)
This is the type of attack that severely affects a single or multiple service in a network. It can be directed to each device on a network, filling its bandwidth, memory and connections' capacity, making its CPU hit 100 percent and preventing its normal functionality. The most common targets usually are: the web service, as the company website is its face towards the internet world; or the DNS. Disrupting the DNS service causes loss of everything that uses domain name–to–IP resolving, including mail service and users or simply filling the bandwidth available.
How to react:
� Since every DoS attack has different characteristics, you first have to determine what service has been attacked and how.
� Try to do packet-filtering on your firewall, if the type of attack allows it.
� If suffering from bandwidth exhaustion, call your service provider and have them block all traffic towards the affected IP addresses.
The most common password-based attacks are the dictionary attack, using password dictionaries and brute force to guess and execute a valid login to a system.
How to react:
� Have a company-wide policy for strong passwords: more than 8 characters, mixing numbers, capital letters and special symbols.
� Change passwords on a regular basis. On most of the systems you can actually configure your password validity.
� Do not allow more than a given number of attempts per second and minute, and block accounts after several consecutive invalid attempts.
� Use password encryption and hashing.
Social engineering, phishing, Trojans, viruses
Last, but certainly not least, we come to probably the weakest point in any network: users. Hackers know this and are extremely creative in trying to trick users into providing sensitive information and login data. They can call on the phone, pretending they are calling from the bank and request credit cards numbers; spoof an e-mail from a colleague to request a password; or send the very well known �You have won� e-mails that contain malicious attachments. Probably 5,000 of your company's employees won't be caught by this trick — but it only takes one to infect the network.
How to react:
� Educate employees and colleagues about the security threats they'll encounter on the internet, and explain how hackers try to manipulate them to obtain confidential data. Then, provide regular trainings of both new and old employees.