Network Attacks - A Deeper Look

Uploaded by Md Zahid Hossain

Network Attacks: A Deeper Look

Sections & Objectives

Network Monitoring and Tools
• Explain network traffic monitoring.
• Explain the importance of network monitoring.
• Explain how network monitoring is conducted.

Attacking the Foundation
• Explain how TCP/IP vulnerabilities enable network attacks.
• Explain how IP vulnerabilities enable network attacks.
• Explain how TCP and UDP vulnerabilities enable network attacks.

Attacking What We Do
• Explain how common network applications and services are vulnerable to attack.
• Explain IP vulnerabilities.
• Explain how network application vulnerabilities enable network attacks.

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
Network Monitoring and Tools

Introduction to Network Monitoring
Network Security Topology
• All networks are targets and need to be secured using a defense-in-depth approach.
• Security analysts must be intimately familiar with normal network behavior, because abnormal network behavior typically indicates a problem.

Introduction to Network Monitoring
Network Monitoring Methods
• Tools used to help discover normal network behavior include IDS, packet analyzers, SNMP, NetFlow, and others.
• Traffic information capture methods:
  • Network TAPs – network test access points that forward all traffic, including physical layer errors, to an analysis device.
  • Port mirroring – enables a switch to copy frames of one or more ports to a Switch Port Analyzer (SPAN) port connected to an analysis device.

Introduction to Network Monitoring
Network Taps
• A network tap is typically a passive splitting device implemented inline between a device of interest and the network. A tap forwards all traffic, including physical layer errors, to an analysis device.
• Taps are also typically fail-safe, which means that if the tap fails or loses power, traffic between the firewall and internal router is not affected.

Introduction to Network Monitoring
Traffic Mirroring and SPAN
• Port mirroring enables the switch to copy frames of one or more ports to a Switch Port Analyzer (SPAN) port connected to an analysis device.
• In the figure, the switch will forward ingress traffic on F0/1 and egress traffic on F0/2 to the destination SPAN port G0/1 connecting to an IDS.
• The association between source ports and a destination port is called a SPAN session. In a single session, one or multiple ports can be monitored.

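The SPAN session the slide describes (ingress on F0/1, egress on F0/2, mirrored to G0/1 where the IDS sits), written out as Cisco IOS configuration. This is an added example, not part of the original slides; it assumes a Catalyst switch on which session number 1 is free and the interface names FastEthernet0/1, FastEthernet0/2 and GigabitEthernet0/1.

```text
! Added example (not from the slides): SPAN session 1 copies frames received
! on F0/1 (rx) and frames sent on F0/2 (tx) to G0/1, where the IDS listens.
monitor session 1 source interface FastEthernet0/1 rx
monitor session 1 source interface FastEthernet0/2 tx
monitor session 1 destination interface GigabitEthernet0/1
!
! Check that the session is built as intended before trusting the IDS feed.
show monitor session 1
```

Two practical points for the analyst: a SPAN destination port stops taking part in normal switching, so nothing else should be plugged into G0/1, and a SPAN port can be oversubscribed when several busy source ports are mirrored to one destination, so missing packets in the IDS capture may be a mirroring limit rather than an attacker evading the sensor. A tap does not have the second problem, which is one reason the slides present both methods.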
Introduction to Network Monitoring Tools
Network Security Monitoring Tools
• Monitoring Tools:
  • Protocol Analyzers – programs used to capture traffic, e.g. Wireshark and tcpdump.
  • NetFlow – provides a complete audit trail of basic information about every IP flow forwarded on a device.
  • SIEM – Security Information Event Management systems provide real-time reporting and long-term analysis of security events.
  • SNMP – Simple Network Management Protocol provides the ability to request and passively collect information across all network devices.
  • Log files – it is also common for security analysts to access Syslog log files to read and analyze system events and alerts.

Introduction to Network Monitoring Tools
Network Protocol Analyzers
• Analysts can use protocol analyzers such as Wireshark and tcpdump to see network exchanges down to the packet level.
• Network protocol analyzers are also very useful for network troubleshooting, software and protocol development, and education. In security forensics, a security analyst may reconstruct an incident from relevant packet captures.

Introduction to Network Monitoring Tools
NetFlow
• NetFlow is a Cisco IOS technology that provides 24x7 statistics on packets flowing through a Cisco router or multilayer switch.
• NetFlow can be used for network and security monitoring, network planning, and traffic analysis; however, it does not capture the packet content.
• NetFlow collectors like Cisco Stealthwatch can also perform advanced functions including:
  • Flow stitching: groups individual entries into flows.
  • Flow deduplication: filters duplicate incoming entries from multiple NetFlow clients.
  • NAT stitching: simplifies flows with NAT entries.

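Flow stitching and flow deduplication, the two collector functions named above, shown on a handful of records. This is an added example and not Stealthwatch or Cisco code; the record layout (exporter name plus the basic 5-tuple, start time and counters) is an assumption standing in for a real NetFlow export, and the sample records are constructed: the same client-to-server record is reported by two routers on the path, the reply direction is seen only by the first router, and one unrelated DNS query is mixed in.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow-style record as a router would export it (assumed layout)."""
    exporter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    start: int      # flow start time, seconds
    packets: int
    bytes: int


# Constructed sample export (not real data).
RECORDS = [
    FlowRecord("r1", "10.1.1.5", 51000, "203.0.113.9", 443, 6, 100, 12, 1500),
    FlowRecord("r2", "10.1.1.5", 51000, "203.0.113.9", 443, 6, 100, 12, 1500),   # same flow, second router
    FlowRecord("r1", "203.0.113.9", 443, "10.1.1.5", 51000, 6, 100, 10, 9000),   # reply direction
    FlowRecord("r1", "10.1.1.7", 50222, "198.51.100.20", 53, 17, 101, 1, 70),     # unrelated DNS query
]


def deduplicate(records):
    """Flow deduplication: keep one copy of a record reported by several exporters."""
    seen = set()
    unique = []
    for r in records:
        signature = (r.src, r.sport, r.dst, r.dport, r.proto, r.start, r.packets, r.bytes)
        if signature in seen:
            continue
        seen.add(signature)
        unique.append(r)
    return unique


def bidirectional_key(r):
    """Order the two endpoints so both directions of one conversation share a key."""
    endpoints = sorted([(r.src, r.sport), (r.dst, r.dport)])
    return (r.proto, endpoints[0], endpoints[1])


def stitch(records):
    """Flow stitching: merge unidirectional records into bidirectional flows with totals."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "directions": set(), "exporters": set()})
    for r in deduplicate(records):
        flow = flows[bidirectional_key(r)]
        flow["packets"] += r.packets
        flow["bytes"] += r.bytes
        flow["directions"].add((r.src, r.dst))
        flow["exporters"].add(r.exporter)
    return dict(flows)


def summarize(records):
    """Return (records left after dedup, number of stitched flows, the flows)."""
    flows = stitch(records)
    return len(deduplicate(records)), len(flows), flows


if __name__ == "__main__":
    n_unique, n_flows, flows = summarize(RECORDS)
    print(f"{len(RECORDS)} records -> {n_unique} unique -> {n_flows} flows")
    for key, flow in flows.items():
        print(key, flow["packets"], "packets,", flow["bytes"], "bytes,",
              len(flow["directions"]), "direction(s)")
```

The byte counts are what make stitching useful for security monitoring: a stitched flow exposes the ratio of bytes sent to bytes received per conversation, which is what an analyst looks at when hunting for exfiltration, even though, as the slide says, the packet content itself is never captured.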
Introduction to Network Monitoring Tools
SIEM
• Security Information Event Management (SIEM) systems provide real-time reporting and long-term analysis of security events.
• SIEM includes the following essential functions:
  • Forensic analysis – the ability to search logs and event records from sources throughout the organization. It provides more complete information for forensic analysis.
  • Correlation – examines logs and events from different systems or applications, speeding detection of and reaction to security threats.
  • Aggregation – reduces the volume of event data by consolidating duplicate event records.
  • Reporting – presents the correlated and aggregated event data in real-time monitoring and long-term summaries.

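Aggregation and correlation, the two SIEM functions most often confused, applied to a few syslog lines. This is an added example written for this page, not code from Splunk, ELK or Cisco; the log lines are constructed (an SSH server and a firewall, both in standard BSD syslog form), and the normalisation and correlation rules are assumptions chosen to illustrate the ideas rather than a vendor's rule set.

```python
import re
from collections import Counter

# Constructed sample events from two sources: sshd on web01 and a firewall fw01.
LOGS = [
    "Mar 10 10:00:01 web01 sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2",
    "Mar 10 10:00:02 web01 sshd[2001]: Failed password for root from 198.51.100.7 port 40002 ssh2",
    "Mar 10 10:00:03 web01 sshd[2001]: Failed password for root from 198.51.100.7 port 40003 ssh2",
    "Mar 10 10:00:03 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "Mar 10 10:00:03 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "Mar 10 10:00:09 web01 sshd[2002]: Accepted password for admin from 198.51.100.7 port 40010 ssh2",
    "Mar 10 10:01:00 web01 sshd[2003]: Accepted publickey for deploy from 10.0.0.8 port 51000 ssh2",
]

SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SRC_IP = re.compile(r"(?:from |SRC=)(\d+\.\d+\.\d+\.\d+)")


def parse(line):
    """Split one syslog line into timestamp, host, application and message."""
    m = SYSLOG.match(line)
    if not m:
        return None
    event = m.groupdict()
    ip = SRC_IP.search(event["msg"])
    event["src_ip"] = ip.group(1) if ip else None
    return event


def normalize(msg):
    """Blank out volatile fields (here: ephemeral client ports) so repeats collapse."""
    return re.sub(r"port \d+", "port *", msg)


def aggregate(lines):
    """Aggregation: one entry with a count per (host, app, normalized message)."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev:
            counts[(ev["host"], ev["app"], normalize(ev["msg"]))] += 1
    return counts


def correlate(lines, failed_threshold=3):
    """Correlation across sources: a source IP with >= threshold failed SSH logins
    that is also accepted later, annotated with whether the firewall dropped it too.
    (Assumed rule; event ordering is not checked, to keep the example short.)"""
    failed = Counter()
    accepted = set()
    fw_dropped = set()
    for line in lines:
        ev = parse(line)
        if not ev or not ev["src_ip"]:
            continue
        if ev["app"] == "sshd" and ev["msg"].startswith("Failed password"):
            failed[ev["src_ip"]] += 1
        elif ev["app"] == "sshd" and ev["msg"].startswith("Accepted"):
            accepted.add(ev["src_ip"])
        elif ev["app"] == "kernel" and ev["msg"].startswith("DROP"):
            fw_dropped.add(ev["src_ip"])
    alerts = []
    for ip, n in failed.items():
        if n >= failed_threshold and ip in accepted:
            alerts.append({"src_ip": ip, "failed": n, "also_dropped_by_firewall": ip in fw_dropped})
    return alerts


if __name__ == "__main__":
    for key, n in aggregate(LOGS).items():
        print(n, "x", key)
    print("alerts:", correlate(LOGS))
```

Aggregation alone turns seven lines into four rows; it is the correlation step, joining sshd and firewall events by source address, that turns three routine failures and one success into something a SOC analyst should look at.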
Introduction to Network Monitoring Tools
SIEM Systems
• Splunk is one of the more popular proprietary SIEM systems used by Security Operation Centers.
• As an open source option, this course uses the ELK suite for SIEM functionality. ELK is an acronym for three open source products from Elastic:
  • Elasticsearch – document-oriented full text search engine
  • Logstash – pipeline processing system that connects "inputs" to "outputs" with optional "filters" in between
  • Kibana – browser-based analytics and search dashboard for Elasticsearch

Attacking the Foundation

IP Vulnerabilities and Threats
IPv4 and IPv6
• It is important for security analysts to understand the different fields in both the IPv4 and IPv6 headers because threat actors can tamper with packet information.

IP Vulnerabilities and Threats
The IPv4 Packet Header
• There are 10 fields in the IPv4 packet header:
  • Version
  • Internet Header Length
  • Differentiated Services or DiffServ (DS)
  • Total Length
  • Identification, Flags, and Fragment Offset
  • Time-to-Live (TTL)
  • Protocol
  • Header Checksum
  • Source IPv4 Address
  • Destination IPv4 Address
  • Options and Padding

IP Vulnerabilities and Threats
The IPv6 Packet Header
• There are 8 fields in the IPv6 packet header:
  • Version
  • Traffic Class
  • Flow Label
  • Payload Length
  • Next Header
  • Hop Limit
  • Source IPv6 Address
  • Destination IPv6 Address

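A decoder for the IPv4 and IPv6 header fields listed on the two slides above, added here as an example (it is not from the slides or from any Cisco tool). It follows the RFC 791 and RFC 8200 layouts; the `build_ipv4`/`build_ipv6` helpers exist only to construct sample packets, and `tampered_copy` shows the one check an analyst gets for free on IPv4: a header whose fields were altered without recomputing the checksum no longer sums to zero (IPv6 has no header checksum at all, so nothing of the kind exists there).

```python
import struct
from ipaddress import IPv4Address, IPv6Address


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header fields from the slide and verify the header checksum."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, ds, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or ihl > len(pkt):
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "ihl": ihl,
        "dscp": ds >> 2,
        "ecn": ds & 0x3,
        "total_length": total_len,
        "identification": ident,
        "flags": flags_frag >> 13,            # bit value 2 = DF, 1 = MF
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        "header_checksum": csum,
        # summing a header that contains a correct checksum yields zero
        "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
        "src": str(IPv4Address(src)),
        "dst": str(IPv4Address(dst)),
        "options": pkt[20:ihl],
    }


def parse_ipv6(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header (there is no checksum field in IPv6)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_hdr, hop_limit, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 header")
    return {
        "version": 6,
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_hdr,
        "hop_limit": hop_limit,
        "src": str(IPv6Address(src)),
        "dst": str(IPv6Address(dst)),
    }


def build_ipv4(src: str, dst: str, proto: int = 6, ttl: int = 64, payload_len: int = 0) -> bytes:
    """Construct a minimal 20-byte IPv4 header (DF set, fixed id) with a valid checksum.
    Sample-input helper only."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_ipv6(src: str, dst: str, next_header: int = 58, hop_limit: int = 64,
               flow_label: int = 0xABCDE, payload_len: int = 8) -> bytes:
    """Construct a sample IPv6 header with traffic class 0. Sample-input helper only."""
    first = (6 << 28) | flow_label
    return struct.pack("!IHBB16s16s", first, payload_len, next_header, hop_limit,
                       IPv6Address(src).packed, IPv6Address(dst).packed)


def tampered_copy(pkt: bytes, offset: int, value: int) -> bytes:
    """Copy of pkt with one byte changed and the checksum left as it was."""
    b = bytearray(pkt)
    b[offset] = value
    return bytes(b)


if __name__ == "__main__":
    v4 = build_ipv4("10.0.0.1", "10.0.0.2")
    print(parse_ipv4(v4))
    print("TTL tampered, checksum_ok =", parse_ipv4(tampered_copy(v4, 8, 1))["checksum_ok"])
    print(parse_ipv6(build_ipv6("2001:db8::1", "2001:db8::2")))
```

The checksum check catches accidental corruption and clumsy tampering only; a threat actor who rewrites the source address will recompute it, which is why the later slides on spoofing rely on ingress filtering and flow baselines rather than on the header validating itself.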
IP Vulnerabilities and Threats
IP Vulnerabilities

IP Vulnerabilities and Threats
ICMP Attacks
• ICMP was developed to carry diagnostic messages and to report error conditions when routes, hosts, and ports are unavailable. ICMP messages are generated by devices when a network error or outage occurs.
• Common ICMP messages of interest to threat actors include:
  • ICMP echo request and echo reply – used to perform host verification and DoS attacks.
  • ICMP unreachable – used to perform network reconnaissance and scanning attacks.
  • ICMP mask reply – used to map an internal IP network.
  • ICMP redirects – used to lure a target host into sending all traffic through a compromised device and create a MITM attack.
  • ICMP router discovery – used to inject bogus route entries into the routing table of a target host.

IP Vulnerabilities and Threats
DoS Attacks
• The goal of a Denial of Service (DoS) attack is to prevent legitimate users from gaining access to websites, email, online accounts, and other services.
• There are two major sources of DoS attacks:
  • Maliciously Formatted Packets – threat actors craft a maliciously formatted packet and forward it to a susceptible host, causing the host to crash or become extremely slow.
  • Overwhelming Quantity of Traffic – threat actors overwhelm a target network, host, or application, causing them to crash or become extremely slow.
• A distributed DoS (DDoS) attack combines multiple DoS attacks.

IP Vulnerabilities and Threats
Amplification and Reflection Attacks
• Threat actors often use amplification and reflection techniques to create DoS attacks. The example in the figure illustrates how an amplification and reflection technique called a Smurf attack is used to overwhelm a target host:
  1. Amplification – the threat actor forwards ICMP echo request messages that contain the source IP address of the victim to a large number of hosts.
  2. Reflection – these hosts all reply to the spoofed IP address of the victim to overwhelm it.

IP Vulnerabilities and Threats
DDoS Attacks
• A DDoS attack is larger in magnitude than a DoS attack because it originates from multiple, coordinated sources. DDoS attacks introduced new terms such as botnet, handler systems, and zombie computers.
• A DDoS attack could proceed as follows:
  1. The threat actor (botmaster) builds or purchases the use of a botnet of zombie hosts. The command-and-control (CnC) server communicates with zombies over a covert channel using IRC, P2P, DNS, HTTP, or HTTPS.
  2. Zombie computers continue to scan and infect more targets to create more zombies.
  3. When ready, the botmaster uses the handler systems to make the botnet of zombies carry out the DDoS attack on the chosen target.

IP Vulnerabilities and Threats
Address Spoofing Attacks
• IP address spoofing attacks occur when a threat actor creates packets with false source IP address information to either hide the identity of the sender or to pose as another legitimate user. The attacker can then gain access to otherwise inaccessible data or circumvent security configurations.

TCP and UDP Vulnerabilities
TCP
• TCP segment information appears immediately after the IP header.
• TCP provides the following services:
  • Reliable delivery
  • Flow control
  • Stateful communication

TCP and UDP Vulnerabilities
TCP Attacks
• Although TCP is a connection-oriented and reliable protocol, there are still vulnerabilities that can be exploited.
• TCP attacks target expected protocol behaviors:
  • TCP SYN flood attack
  • TCP reset attack
  • TCP session hijacking

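What the two flooding patterns from these slides look like from the monitoring side: the Smurf reflection described under "Amplification and Reflection Attacks" (a host receiving echo replies from many hosts it never pinged) and the TCP SYN flood listed above (many sources sending SYNs to one port and never finishing the handshake). This is an added detection example, not code from the slides or from any Cisco product; it assumes packet summaries in the simple dictionary form a sensor might export, and the summaries themselves are constructed, with thresholds deliberately set low so the small sample triggers them.

```python
from collections import defaultdict

# Constructed packet summaries, one dict per packet (not real traffic).
PACKETS = []
# Reflection against 10.0.0.5: eight echo replies from eight hosts it never pinged.
for i in range(1, 9):
    PACKETS.append({"src": f"192.0.2.{i}", "dst": "10.0.0.5", "proto": "icmp", "type": "echo-reply"})
# A legitimate ping from 10.0.0.6 and its reply.
PACKETS.append({"src": "10.0.0.6", "dst": "198.51.100.1", "proto": "icmp", "type": "echo-request"})
PACKETS.append({"src": "198.51.100.1", "dst": "10.0.0.6", "proto": "icmp", "type": "echo-reply"})
# SYN flood against 10.0.0.5:80: six sources send a SYN and never complete the handshake.
for i in range(1, 7):
    PACKETS.append({"src": f"203.0.113.{i}", "dst": "10.0.0.5", "dport": 80, "proto": "tcp", "flags": "S"})
# A legitimate three-way handshake from 10.0.0.9.
PACKETS += [
    {"src": "10.0.0.9", "dst": "10.0.0.5", "dport": 80, "proto": "tcp", "flags": "S"},
    {"src": "10.0.0.5", "dst": "10.0.0.9", "dport": 40000, "proto": "tcp", "flags": "SA"},
    {"src": "10.0.0.9", "dst": "10.0.0.5", "dport": 80, "proto": "tcp", "flags": "A"},
]


def detect_reflection(packets, min_sources=5):
    """Hosts receiving echo replies from at least min_sources hosts they never sent requests to."""
    requested = defaultdict(set)    # host -> hosts it sent echo requests to
    replied_by = defaultdict(set)   # host -> hosts that sent it echo replies
    for p in packets:
        if p["proto"] != "icmp":
            continue
        if p["type"] == "echo-request":
            requested[p["src"]].add(p["dst"])
        elif p["type"] == "echo-reply":
            replied_by[p["dst"]].add(p["src"])
    suspects = {}
    for host, sources in replied_by.items():
        unsolicited = sources - requested[host]
        if len(unsolicited) >= min_sources:
            suspects[host] = len(unsolicited)
    return suspects


def detect_syn_flood(packets, min_half_open=5):
    """(host, port) pairs with at least min_half_open SYN sources that never sent the final ACK."""
    syn_sources = defaultdict(set)
    ack_sources = defaultdict(set)
    for p in packets:
        if p["proto"] != "tcp":
            continue
        key = (p["dst"], p["dport"])
        if p["flags"] == "S":
            syn_sources[key].add(p["src"])
        elif p["flags"] == "A":
            ack_sources[key].add(p["src"])
    suspects = {}
    for key, sources in syn_sources.items():
        half_open = sources - ack_sources[key]
        if len(half_open) >= min_half_open:
            suspects[key] = len(half_open)
    return suspects


if __name__ == "__main__":
    print("reflection targets:", detect_reflection(PACKETS))
    print("SYN flood targets:", detect_syn_flood(PACKETS))
```

Both detectors key on the asymmetry the slides describe rather than on raw volume, which is why they still work on a NetFlow-style feed that has no payload. In production the thresholds would be set from the baseline of normal behaviour the first section insists on, and the SYN check would be windowed in time, since legitimate clients that simply go away also leave half-open entries.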
TCP and UDP Vulnerabilities
UDP and UDP Attacks
• UDP is a simple protocol that provides the basic transport layer functions. UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-time applications such as media streaming or VoIP. UDP is a connectionless transport layer protocol.
• By default, UDP is not protected by any encryption. The lack of encryption allows anyone to look at the traffic, change it, and send it on to its destination.
• UDP attacks target the protocol's lack of such behaviors (UDP has no handshake or session state):
  • UDP checksum attack
  • UDP flood attack
  • UDP DoS attacks

Attacking What We Do

IP Services
ARP Vulnerabilities
• Hosts broadcast an ARP Request to other hosts on the segment to determine the MAC address of a host with a particular IP address.
• All hosts on the subnet receive and process the ARP Request.
• The host with the matching IP address in the ARP Request sends an ARP Reply.

IP Services
ARP Cache Poisoning
• ARP cache poisoning attacks deliberately poison the cache of another computer with spoofed IP address to MAC address mappings.

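A passive check for the poisoning the slide describes: watch the ARP replies on a segment and raise an alert when an IP address that was already bound to one MAC is suddenly claimed by another, or when one MAC claims several IP addresses. This is an added example, not code from the slides or from a Cisco feature such as Dynamic ARP Inspection; the reply records are constructed (two legitimate hosts, then a third MAC claiming both of their addresses), and the trusted binding for the gateway is an assumed static entry.

```python
from collections import defaultdict

# Constructed ARP replies seen on one segment, in the order observed.
# Only the sender fields matter: a reply's sender IP/MAC pair is what lands in caches.
ARP_REPLIES = [
    {"sender_ip": "10.0.0.1", "sender_mac": "aa:bb:cc:00:00:01", "target_ip": "10.0.0.5"},
    {"sender_ip": "10.0.0.5", "sender_mac": "aa:bb:cc:00:00:05", "target_ip": "10.0.0.1"},
    # a third MAC now answers for the gateway's address ...
    {"sender_ip": "10.0.0.1", "sender_mac": "aa:bb:cc:00:00:99", "target_ip": "10.0.0.5"},
    # ... and for the host's address, the pattern of a station inserting itself between both
    {"sender_ip": "10.0.0.5", "sender_mac": "aa:bb:cc:00:00:99", "target_ip": "10.0.0.1"},
]

# Assumed trusted binding (e.g. a static entry the analyst maintains for the gateway).
KNOWN_BINDINGS = {"10.0.0.1": "aa:bb:cc:00:00:01"}


def detect_arp_poisoning(replies, known_bindings=None):
    """Return alerts for IP->MAC changes and for MACs claiming more than one IP.
    First-seen (or known) bindings are kept; a later conflicting reply never overwrites them."""
    table = dict(known_bindings or {})
    ips_per_mac = defaultdict(set)
    alerts = []
    for r in replies:
        ip, mac = r["sender_ip"], r["sender_mac"]
        ips_per_mac[mac].add(ip)
        previous = table.get(ip)
        if previous is None:
            table[ip] = mac                       # first sighting: learn the binding
        elif previous != mac:
            alerts.append({"kind": "mac-changed", "ip": ip, "expected": previous, "seen": mac})
    for mac, ips in ips_per_mac.items():
        if len(ips) > 1:
            alerts.append({"kind": "one-mac-many-ips", "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(ARP_REPLIES, KNOWN_BINDINGS):
        print(alert)
```

The "one MAC, many IPs" rule has benign exceptions (a router with secondary addresses, a host running virtual machines in bridged mode), so it belongs in the baseline-then-alert workflow from the first section rather than in an automatic block. Where the switch supports it, the switch-side equivalent is to pin the same bindings in hardware so poisoned replies are dropped before any cache sees them.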
IP Services
DNS Attacks
• DNS servers resolve names to IP addresses and are a major target of attackers. Some DNS exploits are:
  • DNS Open Resolvers (public name servers)
  • DNS Stealth Attacks
  • DNS Shadowing Attacks – hijacked domains are used to create subdomains which resolve to malicious web sites
  • DNS Tunneling Attacks – hides malicious instructions inside DNS queries and responses

IP Services
DNS Tunneling
• Threat actors who use DNS tunneling place non-DNS traffic within DNS traffic. This method often circumvents security solutions. For the threat actor to use DNS tunneling, the different types of DNS records such as TXT, MX, SRV, NULL, A, or CNAME are altered.

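Tunnelled data has to be carried somewhere in the query, and that leaves traces in the query log that the slide's description implies: long, high-entropy labels, a stream of never-repeated subdomains under one domain, and heavy use of record types such as TXT or NULL that carry arbitrary bytes. The following profiler scores a query log on those three features. It is an added example, not code from the slides or from any Cisco product; the query log is constructed (a few normal lookups plus ten queries with 48-character labels derived from SHA-256 only to get deterministic random-looking data), the "registered domain = last two labels" rule is a simplification that a real tool would replace with a public-suffix list, and the thresholds are assumed values chosen for the sample.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits per character; hex or base32 payload sits far above ordinary hostnames."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed query log as (qname, qtype) pairs (not real traffic).
QUERIES = [("www.example.com", "A"), ("mail.example.com", "MX"), ("www.example.com", "A")]
for i in range(10):
    label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]   # deterministic "payload"
    QUERIES.append((f"{label}.tun.example.net", "TXT" if i % 2 else "NULL"))


def split_name(qname):
    """Assumed simplification: registered domain is the last two labels, the rest is the subdomain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(queries):
    """Per registered domain: query count, distinct subdomains, label length/entropy sums, TXT/NULL count."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "entropy_sum": 0.0, "len_sum": 0, "txt_null": 0})
    for qname, qtype in queries:
        domain, sub = split_name(qname)
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        first_label = sub.split(".")[0] if sub else ""
        s["entropy_sum"] += shannon_entropy(first_label)
        s["len_sum"] += len(first_label)
        if qtype in ("TXT", "NULL"):
            s["txt_null"] += 1
    return stats


def flag_tunneling(queries, min_unique=5, min_avg_len=30, min_avg_entropy=3.0, min_txt_null_share=0.5):
    """Domains whose query profile matches all three tunnelling traits (assumed thresholds)."""
    flagged = {}
    for domain, s in profile_domains(queries).items():
        n = s["queries"]
        avg_len = s["len_sum"] / n
        avg_entropy = s["entropy_sum"] / n
        share = s["txt_null"] / n
        if (len(s["subdomains"]) >= min_unique and avg_len >= min_avg_len
                and avg_entropy >= min_avg_entropy and share >= min_txt_null_share):
            flagged[domain] = {"unique_subdomains": len(s["subdomains"]),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_entropy, 2),
                               "txt_null_share": round(share, 2)}
    return flagged


if __name__ == "__main__":
    for domain, info in flag_tunneling(QUERIES).items():
        print(domain, info)
```

Each feature on its own produces false positives (CDNs use long hashed labels; mail servers legitimately query TXT records), which is why the check requires all three before flagging. Running it against the query log of a recursive resolver is a cheap complement to the flow-based detections the earlier slides cover, since a tunnel looks like perfectly ordinary DNS to NetFlow.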
IP Services
DHCP
• A DHCP attack could result in every host on the network communicating with malicious DNS servers and gateways. A DHCP spoofing attack creates a rogue DHCP server to serve falsified information.

Enterprise Services
HTTP and HTTPS
• Browsing the Web is possibly the largest vector of attack. Security analysts should have in-depth knowledge of how web attacks work.
  • Malicious iFrames – an iFrame allows a page from a different domain to be opened inline within the current page. The iFrame can be used to launch malicious code.
  • HTTP 302 cushioning – allows a web page to redirect and open in a different URL. Can be used to redirect to malicious code.
  • Domain shadowing – malicious web sites are created from subdomains created from a hijacked domain.

Enterprise Services
Email
• Email messages are accessed from many different devices that are often not protected by the company's firewall.
  • Attachment-based attacks – email with malicious executable files attached.
  • Email spoofing – phishing attack where the message appears to come from a legitimate source.
  • Spam email – unsolicited email with advertisements or malicious content.
  • Open mail relay server – massive amounts of spam and worms can be sent by misconfigured email servers.
  • Homoglyphs – phishing scheme where text characters (hyperlinks) look similar to real text and links.

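A check for the homoglyph item above, as a mail filter or an analyst's triage script would apply it to the host part of a link: map look-alike characters to the Latin letters they imitate, see whether the result is a domain the organisation trusts, and flag hostnames that mix writing systems. This is an added example, not from the slides; the confusables table is a small hand-picked subset of the Unicode confusables data (a real filter would load the full table), the per-character script is taken from the character's Unicode name as a simplification, and the trusted-domain list is an assumed input.

```python
import unicodedata

# Constructed subset of look-alike characters (Cyrillic and Greek letters whose
# glyphs imitate Latin ones) mapped to the Latin letter they are confused with.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u03bf": "o",
}


def script_of(ch):
    """Writing system of a letter, read from its Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(domain):
    """Replace every known look-alike with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)


def check_domain(domain, trusted):
    """Findings for one link host: scripts used, whether they are mixed, and
    which trusted domain (if any) the name visually impersonates."""
    domain = domain.lower()
    scripts = {script_of(ch) for ch in domain if script_of(ch)}
    skel = skeleton(domain)
    return {
        "domain": domain,
        "skeleton": skel,
        "scripts": sorted(scripts),
        "mixed_scripts": len(scripts) > 1,
        "impersonates": skel if skel != domain and skel in trusted else None,
    }


def suspicious_links(hosts, trusted):
    """Hosts worth blocking or flagging: mixed-script names or look-alikes of trusted domains."""
    return [r for r in (check_domain(h, trusted) for h in hosts)
            if r["mixed_scripts"] or r["impersonates"]]


if __name__ == "__main__":
    trusted = {"paypal.com", "example.com"}
    # Constructed sample: a genuine host and one with a Cyrillic "а" in place of the Latin "a".
    for finding in suspicious_links(["paypal.com", "p\u0430ypal.com"], trusted):
        print(finding)
```

Links arrive from the mail client in their Unicode form; a URL seen in raw headers may instead carry the IDNA form (an `xn--` label), which should be decoded before this check so the look-alike letters are visible to it.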
Enterprise Services
Web-Exposed Databases
• Web applications commonly connect to a relational database. Because relational databases often contain sensitive data, databases are a frequent target for attacks.
  • Command injection attacks – insecure code and web application allows OS commands to be injected into form fields or the address bar.
  • XSS (cross-site scripting) attacks – insecure server-side scripting where the input is not validated allows scripting commands to be inserted into user-generated form fields, like web page comments. This results in visitors being redirected to a malicious website with malware code.
  • SQL injection attacks – insecure server-side scripting allows SQL commands to be inserted into form fields where the input is not validated.
  • HTTP injection attacks – manipulation of HTML allows executable code to be injected through HTML div tags, etc.

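The SQL injection item above, shown as the defect and its fix side by side: a lookup that splices the form field into the SQL text, and the same lookup written as a parameterised query, with an input allow-list as a second layer. This is an added example, not code from the slides or from any Cisco course lab; the in-memory SQLite table and its two rows are constructed, and the username policy in `validate_username` is an assumption. The classic tautology string is included only so the test can show that the hardened version treats it as a literal name and returns nothing.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    """DELIBERATELY INSECURE: the form field is spliced into the SQL text, so the
    input's quotes and keywords become part of the statement the database parses."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Parameterised query: the value travels separately from the SQL text, so
    whatever the field contains is compared as data and never parsed as SQL."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


def validate_username(username, max_len=32):
    """Defence in depth (assumed policy): an allow-list check on the field before it
    reaches the query layer. Rejecting odd input early also gives the SIEM something
    to count: repeated rejections from one client are a useful detection signal."""
    return 0 < len(username) <= max_len and username.isascii() and username.isalnum()


def lookup(conn, username):
    """The handler as it should be written: validate, then query with a parameter."""
    if not validate_username(username):
        return []
    return safe_lookup(conn, username)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"
    print("vulnerable:", vulnerable_lookup(db, probe))   # returns every row
    print("parameterised:", safe_lookup(db, probe))      # returns nothing
    print("validated:", lookup(db, "alice"))
```

The same split between "data" and "code" is the remedy for the other items on the slide: OS command injection is avoided by never passing user input through a shell (argument lists instead of a command string), and XSS by encoding output for the HTML context it lands in rather than trusting that the input was filtered.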
