Notes on Network Attacks

A comprehensive overview of various network security threats, including reconnaissance, access, and DoS attacks, along with prevention strategies.

This article was originally published at drstarry.github.io.

Introduction

Network security can seem far away from us. You may see news about network attacks but never think one could happen to you. In fact, attacks are everywhere in daily life, and we are exposed to them if we have no security plan in place.

A recent well-known example was the massive DDoS attack last month in the United States, which made many popular websites unavailable.

(Figure: map of the affected areas; image source linked in the original post.)

Background

What do we want to protect?

  • Confidentiality: keeping data private. Encryption is the main tool for achieving confidentiality.
  • Integrity: keeping data unaltered. A hash takes a fingerprint of the data and reveals accidental corruption; against an attacker who can simply recompute the hash, the fingerprint must be keyed (a MAC) or digitally signed.
  • Availability: keeping data reachable for legitimate users. Rate limiting and firewalls are the common controls for availability.

All network attacks try to break at least one of the goals above.

  • Alice, Bob and Trudy: we will use the standard names to illustrate the concepts. Say hello to our friends! Alice and Bob are the good guys in our story, trying to communicate. Trudy is the intruder who always wants to disrupt or subvert their communication.

Attacks

Obviously we cannot cover every possible attack. I have chosen some representative ones and hope that by the end you have a big picture of network attacks. Note that there are many ways of categorizing network attacks; we are not focusing on rigorous terminology, because some attacks involve several techniques at once.

1. Reconnaissance Attacks

Reconnaissance means the attacker gathers enough information to plan further attacks. Typical techniques are packet sniffers/monitors, ping sweeps, port scans and information queries. The purpose is to find weaknesses in the network; the same techniques are routinely used by penetration testers.

It is hard to avoid information gathering as long as we are reachable from the outside world, but there are still things we can do, e.g. use an intrusion detection tool to spot port-scan traffic (one source probing many distinct ports in a short time) and block or alert on that source.

2. Access Attacks

Access attacks mean unauthorized access to the network for improper purposes, whether by outsiders or by trusted users getting into areas they are not authorized for. The attacker first gains an initial foothold on the system, then bypasses or subverts the authentication step, and then does damage.

Password Attacks

This is the most common attack affecting our daily lives. Good websites should have a comprehensive password system that resists both password guessing and database break-ins: they require users to choose strong passwords to defeat crackers, and they store those passwords as salted, deliberately slow hashes (bcrypt, scrypt, Argon2 or PBKDF2) rather than in plaintext or reversibly encrypted form, so that a stolen database does not directly yield the passwords.

For users, we should choose trusted websites and create a different, complex password for each site. Never use personal information (e.g. birthday, name, national ID number) in a password! If memorizing is painful, don't write passwords down on paper or in a notepad; instead, use software like 1Password to make life easier.

For websites, we try to limit the number of password guesses, e.g. lock the account (or slow down responses) after several wrong guesses, and use a reverse Turing test (a CAPTCHA) to make sure no bots are involved.
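The two server-side points above (store a salted slow hash, limit guesses) in working code, as an added example that is not from the original post. It uses only the Python standard library, so PBKDF2 stands in for bcrypt/scrypt/Argon2; the iteration count, lockout threshold and user records are constructed for the demo.

```python
"""Salted, slow password hashing plus a failed-attempt lockout.

Added example, not from the original post. PBKDF2-HMAC-SHA256 is used because
it ships with Python; prefer a memory-hard hash (Argon2, scrypt) when the
library is available.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumption: tune so one hash takes ~100 ms on your server
MAX_FAILURES = 5       # assumption: lock the account after five wrong guesses


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'. A fresh random
    salt per user means two users with the same password get different records
    and precomputed (rainbow) tables are useless."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    # Constant-time compare: a plain == leaks how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


# Verified for unknown users so that response time does not reveal whether
# a username exists (user enumeration).
DUMMY_HASH = hash_password("not-a-real-password")


class UserStore:
    """In-memory user table: only the hash record and a failure counter are
    kept, never the password itself."""

    def __init__(self):
        self.records = {}

    def register(self, username, password):
        self.records[username] = {"hash": hash_password(password), "failures": 0}

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        rec = self.records.get(username)
        if rec is None:
            verify_password(password, DUMMY_HASH)   # burn the same CPU as a real check
            return "denied"
        if rec["failures"] >= MAX_FAILURES:
            return "locked"                         # refuse before even hashing
        if verify_password(password, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        return "locked" if rec["failures"] >= MAX_FAILURES else "denied"


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))   # ok
    for _ in range(MAX_FAILURES):
        print(store.login("alice", "guess"))                      # denied ... locked
```

A permanent lockout after a handful of failures is itself a denial-of-service lever (an attacker can lock anyone out by guessing wrong on purpose); production systems usually combine a short temporary lockout or exponential delay with a CAPTCHA instead of a hard lock.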

Man-in-the-middle Attack

(Figure: MITM attack; image source linked in the original post.)

Trudy impersonates Bob to Alice and Alice to Bob, so both believe they are still talking to each other. In this way Trudy silently passes mutual authentication with both parties and then sits between them, able to read, modify and steal the data.

To deal with a MITM attack, we need authentication that is bound to the key exchange itself, for example:

  • Use public key infrastructure, e.g. TLS with proper certificate validation.
  • Use a VPN.
  • Avoid using public/unauthorized networks for sensitive communication.
  • Log out of sensitive websites when they are not in use.
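Why "stronger authentication" has to be tied to the key exchange is easiest to see on a Diffie-Hellman exchange (the protocol mentioned in the appendix). The following is an added example, not code from the original post: Trudy swaps in her own key share on both sides of an unauthenticated exchange and ends up holding one key with Alice and another with Bob; once each party authenticates its share with a MAC under a pre-shared key, her forged share is rejected. The pre-shared MAC key stands in for the certificate signatures TLS uses, and the 127-bit group is a toy, not a secure parameter.

```python
"""Trudy in the middle of Diffie-Hellman, and what authenticating the shares does.

Added example, not from the original post. Toy group (Mersenne prime 2**127-1,
generator 2); real systems use 2048-bit+ groups or elliptic curves.
"""
import hashlib
import hmac
import secrets

P = 2**127 - 1
G = 2


def derive_key(shared_secret):
    """Session key = SHA-256 of the agreed group element."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


class Party:
    def __init__(self, name, auth_key=None):
        self.name = name
        self.auth_key = auth_key            # pre-shared MAC key; None = unauthenticated
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.session_key = None

    def _tag(self, name, pub):
        return hmac.new(self.auth_key, f"{name}|{pub}".encode(), hashlib.sha256).digest()

    def offer(self):
        """What goes on the wire: (claimed name, public share, tag or None)."""
        tag = self._tag(self.name, self.pub) if self.auth_key is not None else None
        return (self.name, self.pub, tag)

    def accept(self, msg):
        name, pub, tag = msg
        if self.auth_key is not None:
            if tag is None or not hmac.compare_digest(tag, self._tag(name, pub)):
                raise ValueError(f"{self.name}: key share claimed by {name} fails authentication")
        self.session_key = derive_key(pow(pub, self.priv, P))


def run_exchange(alice, bob, trudy=None):
    """Return (alice_key, bob_key, trudy_keys). With `trudy`, she intercepts both
    offers and forwards her own share under each victim's name; trudy_keys is
    the pair (key she shares with Alice, key she shares with Bob)."""
    a_msg, b_msg = alice.offer(), bob.offer()
    if trudy is None:
        bob.accept(a_msg)
        alice.accept(b_msg)
        return alice.session_key, bob.session_key, None
    bob.accept((a_msg[0], trudy.pub, None))     # "Alice's" share, actually Trudy's
    alice.accept((b_msg[0], trudy.pub, None))   # "Bob's" share, actually Trudy's
    with_alice = derive_key(pow(a_msg[1], trudy.priv, P))
    with_bob = derive_key(pow(b_msg[1], trudy.priv, P))
    return alice.session_key, bob.session_key, (with_alice, with_bob)


if __name__ == "__main__":
    ka, kb, tk = run_exchange(Party("alice"), Party("bob"), Party("trudy"))
    print("unauthenticated: Alice and Bob agree?", ka == kb,
          "| Trudy holds both keys?", tk == (ka, kb))
    psk = b"constructed pre-shared auth key"
    try:
        run_exchange(Party("alice", psk), Party("bob", psk), Party("trudy"))
    except ValueError as e:
        print("authenticated:", e)
```

Note what the MAC does and does not do: it stops Trudy from substituting shares, but a Trudy who merely forwards the genuine messages still sees them; that is fine, because the shared secret never travels on the wire and she cannot compute it from the public values.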

Reflection Attacks

(Figure: reflection attack; image source linked in the original post.)

This happens between only two parties. Say Trudy impersonates Alice and starts a connection with Bob. During the authentication phase Trudy cannot answer Bob's challenge c because she is not Alice. Instead, Trudy opens a second connection to Bob and sends c to him as her challenge; Bob dutifully answers it, and Trudy uses Bob's answer to complete the first connection.

There are several ways to prevent reflection attack like:

  • Include a sequence number, or the responder's identity and direction, in the response, so Bob's own answer is not a valid answer from Alice.
  • Avoid using the same key or protocol for both parties/directions.
  • Require the initiator to solve a challenge before getting any response from the responder.

Replay Attacks

Also called playback attacks. As the name implies, Trudy eavesdrops on a conversation between Alice and Bob and later impersonates Alice. When Bob asks for proof of identity, she sends the information recorded from the last session, which Bob accepts, and she passes authentication. (Figure: replay attack; image source linked in the original post.)

To prevent such attacks, we should invalidate authentication tokens after a suitable time and always include a fresh nonce (a random value used only once) in each session, so that a recorded response never matches a new challenge.
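The reflection and replay attacks above, and the two fixes (bind the responder's identity into the response; use a fresh, single-use, expiring nonce), simulated on one shared-key challenge-response login. This is an added example, not code from the original post; the key, connection names and timings are constructed. The two flags on Bob let you switch each fix on separately and see which attack each one actually stops.

```python
"""Reflection and replay against a shared-key challenge-response login.

Added example, not from the original post. Bob() with both flags off is the
vulnerable protocol; Bob(bind_identity=True, fresh_nonce=True) is hardened.
"""
import hashlib
import hmac
import secrets

K = b"constructed shared key between alice and bob"


def mac(*parts):
    return hmac.new(K, "|".join(map(str, parts)).encode(), hashlib.sha256).hexdigest()


class Bob:
    def __init__(self, bind_identity=False, fresh_nonce=False, ttl=30):
        self.bind_identity = bind_identity  # response covers who is answering
        self.fresh_nonce = fresh_nonce      # random, single-use challenge
        self.ttl = ttl                      # seconds a challenge stays valid
        self.pending = {}                   # conn_id -> (challenge, issued_at)
        self.used = set()                   # challenges that were already answered

    def challenge(self, conn_id, now):
        # Without a nonce the "challenge" is the same every time, so a recorded
        # answer stays valid forever.
        c = secrets.token_hex(16) if self.fresh_nonce else "please-authenticate"
        self.pending[conn_id] = (c, now)
        return c

    def respond(self, c):
        """Bob acting as prover on a connection someone else opened to him."""
        return mac("bob", c) if self.bind_identity else mac(c)

    def verify(self, conn_id, response, now):
        c, issued = self.pending.pop(conn_id, (None, 0))
        if c is None or now - issued > self.ttl:
            return False
        if self.fresh_nonce:
            if c in self.used:
                return False
            self.used.add(c)
        expected = mac("alice", c) if self.bind_identity else mac(c)
        return hmac.compare_digest(response, expected)


def alice_respond(c, bind_identity):
    return mac("alice", c) if bind_identity else mac(c)


def reflection_attack(bob, now=0):
    """Conn 1: Trudy claims to be Alice and receives challenge c. Conn 2: Trudy
    challenges Bob with that same c and Bob proves himself by answering it.
    Trudy sends his answer back on conn 1. Returns whether Bob accepted her."""
    c = bob.challenge("conn1", now)
    bobs_answer = bob.respond(c)
    return bob.verify("conn1", bobs_answer, now)


def replay_attack(bob, now=0, delay=5):
    """Trudy records Alice's genuine exchange, then replays the response on her
    own connection `delay` seconds later. Returns whether it was accepted."""
    c = bob.challenge("alice-conn", now)
    recorded = alice_respond(c, bob.bind_identity)
    if not bob.verify("alice-conn", recorded, now):
        raise RuntimeError("the genuine login must succeed")
    bob.challenge("trudy-conn", now + delay)
    return bob.verify("trudy-conn", recorded, now + delay)


if __name__ == "__main__":
    for flags in [dict(), dict(fresh_nonce=True), dict(bind_identity=True),
                  dict(bind_identity=True, fresh_nonce=True)]:
        print(flags or "vulnerable",
              "reflection works:", reflection_attack(Bob(**flags)),
              "replay works:", replay_attack(Bob(**flags)))
```

The run shows the two fixes are independent: a fresh nonce alone still lets the reflection through (Bob answers his own fresh challenge), and identity binding alone still lets the replay through (the recorded response is for the same constant challenge). Only with both does Bob reject both attacks, and the `ttl` check additionally refuses a genuine response that arrives too late.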

3. DoS Attacks

(Figure: DDoS attack; image source linked in the original post.)

DoS means Denial of Service. The incident mentioned in the introduction is a DDoS attack, the distributed version of DoS. The purpose of DoS is not to steal or tamper with information but to take down the service itself so that legitimate users cannot access it. In a DDoS, attackers first compromise many machines (the agents, or bots) and install control software on them, then send attack commands that make the agents generate huge volumes of traffic.

DoS is a natural consequence of the way the Internet is designed: routers forward packets based on the destination address and enforce no security or authentication. Packets are handled first come, first served, so if the attacker's packets arrive first they occupy the resources. The interesting part is that people rarely bother to keep their machines from becoming agents: DoS does no visible harm to the agents, so their owners don't care or don't even know.

There are several ways of preventing DoS attack in research papers:

  • Pushback: drop attack traffic upstream to relieve congestion at routers. The drawback is deployability: it requires modified routers and contiguous deployment.
  • IP traceback: locate attack agents that use spoofed source IP addresses. This solution is not robust against DDoS.
  • Botz-for-sale: require solving a challenge (e.g. a CAPTCHA) before connecting to the service, to make sure a human is behind the request.

Deploying a reverse proxy in front of the service helps against an HTTP flood: the crush of incoming traffic is spread across several backends and can be rate-limited per client before it reaches the application, reducing the chance that any one server is overwhelmed.
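The per-client rate limiting a reverse proxy applies is usually a token bucket: each client may burst a little, then is held to a sustained rate. The following is an added example, not code from the original post, with the request stream constructed so that one legitimate client at 2 requests/s sits next to a flooder at 100 requests/s; the legitimate client is never dropped while the flooder is cut to the configured rate. Timestamps are integer milliseconds and the arithmetic is exact rationals so the counts are reproducible.

```python
"""Per-client token-bucket rate limiting, as a reverse proxy applies it.

Added example, not from the original post. Addresses, rates and the request
stream are constructed for the demo.
"""
from collections import defaultdict
from fractions import Fraction


class TokenBucket:
    """`burst` tokens of capacity, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst):
        self.rate = Fraction(rate)
        self.burst = Fraction(burst)
        self.tokens = Fraction(burst)
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:
            refill = Fraction(now_ms - self.last_ms, 1000) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class RateLimiter:
    """One bucket per client address, created on first sight."""

    def __init__(self, rate=5, burst=10):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def handle(self, requests):
        """requests: iterable of (timestamp_ms, client_ip).
        Returns {client_ip: (allowed, dropped)}."""
        stats = defaultdict(lambda: [0, 0])
        for ts, ip in sorted(requests):
            stats[ip][0 if self.buckets[ip].allow(ts) else 1] += 1
        return {ip: tuple(v) for ip, v in stats.items()}


def constructed_traffic():
    """Legitimate client: 2 req/s for 10 s. Flooder: 100 req/s for 10 s."""
    legit = [(i * 500, "203.0.113.10") for i in range(20)]
    flood = [(i * 10, "198.51.100.7") for i in range(1000)]
    return legit + flood


if __name__ == "__main__":
    for ip, (ok, dropped) in RateLimiter(rate=5, burst=10).handle(constructed_traffic()).items():
        print(f"{ip}: allowed={ok} dropped={dropped}")
```

With rate 5/s and burst 10 the flooder gets its first 10 requests through and then one every 200 ms, 59 of its 1000 in total, while the legitimate client's 20 requests all pass because its bucket refills faster than it drains it. Keying the bucket on the client address is the weak point: a distributed flood spreads requests across thousands of addresses, each under the per-client limit, which is why DDoS mitigation also needs global caps and the challenge-based approaches listed above.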

There is also DDoS visualization website you may find useful.


Appendix

It's worth quickly going over some basic concepts.

Secret Key Cryptography

Also called symmetric-key algorithms: Alice and Bob share a secret key k. Alice encrypts the plaintext with k; Bob receives the ciphertext and decrypts it with k. The main drawback is that Alice and Bob must both have access to k, so the key has to be distributed securely first. Secret-key encryption uses either a stream cipher or a block cipher, which we won't explain here.

Public Key Cryptography

Also called asymmetric-key algorithms: Alice and Bob each have a pair of keys. The private key is known only to its owner; the public key can be known to the entire world. If you have ever used Git or SSH, you know the routine: the first time, you generate a key pair and upload the public one to the server.

(Figure: public-key encryption example; image source linked in the original post.)

Widely used algorithms are RSA and Diffie-Hellman (the latter is a key-agreement protocol rather than an encryption scheme).

Passive/Active

In general, attacks are categorized as passive or active. Passive means the attacker only monitors or eavesdrops on your traffic without changing it. Active means the attacker injects or spoofs traffic, or modifies, corrupts or even destroys information.

Reference

  1. Microsoft article
  2. CS6490 class materials by Prof. Sneha
  3. http://etutorials.org/
  4. Symantec article
  5. MITRE definitions
  6. Wikipedia: Public-key cryptography
  7. Wikipedia: Man-in-the-middle attack