
NS Short notes

Viraj Dissanayake

Lecture – Network attacks


Malware is malicious software

Malware types

- Virus – Malicious code. Needs user interaction to execute and a host program to run. Has the form of an exe file.
- Worm – Replicates by itself. Doesn't need user interaction or a host program.
- Trojan horse – Malicious code hidden inside a program/function.
- Ransomware – Blocks service to the legitimate user and demands money to unblock it again.
- Spyware – Gathers user information without the user's permission.
- Adware – Displays pop-up ads and collects browser (cookie) data/user data.
- Phishing – Convinces users to give away their information.
- Rootkits – Provide administrative control to the attacker.

Network attacks

- Reconnaissance attack (information gathering)
- Access attacks:
  - Password attacks (social engineering, brute force, dictionary attack, rainbow table attack)
  - Trust exploitation
  - Man-in-the-middle attack
  - Spoofing attack
  - Buffer overflow
  - Eavesdropping (sniffing, snooping)
  - Social engineering (pretexting, phishing, whaling, spam)
- DoS

In a DoS attack the attacker focuses on one system, but in a DDoS attack the attacker targets multiple systems at once.

Lecture – Layer 2 attacks

The attacker focuses on switches.

Layer 2 attack types

- CAM table attack (the attacker injects false MAC addresses into the CAM table). To mitigate, enable port security.
- VLAN hopping attack (the attacker uses a VLAN trunk port to access traffic). To mitigate, disable DTP (Dynamic Trunking Protocol) and use manual trunking.
- VLAN double-tagging attack (the attacker adds another VLAN tag to the segment). To mitigate, assign an unused VLAN as the native VLAN.
- DHCP spoofing (the attacker pretends to be a DHCP server).
- DHCP starvation (a form of DoS attack; the attacker overloads the DHCP server).
  To mitigate DHCP attacks: drop untrusted DHCP messages and configure the switch ports' DHCP trust state.
- ARP spoofing (poisoning) – the attacker uses unsolicited ARP replies called "gratuitous ARPs". To mitigate, use Dynamic ARP Inspection.
- Address spoofing – the attacker uses an address within the network, pretends to be a legitimate user and performs a DoS attack. To mitigate, enable IPSG (IP Source Guard) to filter IP addresses.
- STP manipulation attack – the attacker uses a trunk port of a switch in the network to add a rogue switch and sets its bridge ID to 0, so it becomes the root bridge and all traffic goes through the attacker's switch. To mitigate, disable DTP (disable trunking ports).
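As an added example (not code from the lecture notes), the following Python simulates what Dynamic ARP Inspection and IP Source Guard check: both consult the DHCP snooping binding table, which records the MAC/IP pair that was legitimately leased on each VLAN and port. The binding entries, the port names and the packets are constructed here.

```python
"""Simulated Dynamic ARP Inspection (DAI) and IP Source Guard (IPSG).

Both switch features consult the DHCP snooping binding table: the record of
which MAC/IP pair was legitimately leased on which VLAN and port. DAI checks
ARP packets against it, IPSG checks the source address of IP packets.
Added example: the bindings, port names and packets are constructed here
and are not from the lecture notes.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    port: str


# Constructed binding table (what a switch would learn from real DHCP leases).
BINDINGS = [
    Binding("aa:aa:aa:aa:aa:01", "10.0.0.11", 10, "Gi0/1"),
    Binding("aa:aa:aa:aa:aa:02", "10.0.0.12", 10, "Gi0/2"),
]
# The uplink towards the gateway/DHCP server is the only trusted port.
TRUSTED_PORTS = {"Gi0/24"}


def inspect_arp(pkt):
    """DAI: on an untrusted port, the sender MAC/IP pair of any ARP packet
    (request, reply or gratuitous reply) must match a binding in the VLAN.
    Returns (allowed, reason)."""
    if pkt["port"] in TRUSTED_PORTS:
        return True, "trusted port, not inspected"
    gratuitous = pkt["sender_ip"] == pkt["target_ip"]
    kind = "gratuitous ARP" if gratuitous else "ARP"
    for b in BINDINGS:
        if b.vlan == pkt["vlan"] and b.ip == pkt["sender_ip"]:
            if b.mac == pkt["sender_mac"]:
                return True, f"{kind} matches binding"
            return False, f"{kind} sender MAC does not match binding for {b.ip}"
    return False, f"{kind} sender IP {pkt['sender_ip']} has no binding"


def inspect_ip(pkt):
    """IPSG: an IP packet is forwarded only if its source IP and MAC were
    bound on the very port it arrived on. Returns (allowed, reason)."""
    if pkt["port"] in TRUSTED_PORTS:
        return True, "trusted port, not inspected"
    for b in BINDINGS:
        if b.port == pkt["port"] and b.ip == pkt["src_ip"] and b.mac == pkt["src_mac"]:
            return True, "source matches binding on port"
    return False, f"source {pkt['src_ip']} not bound on {pkt['port']}"


def run_checks():
    """Constructed packets: the first of each list is legitimate, the rest
    are the cases the two features drop."""
    arp_packets = [
        {"port": "Gi0/1", "vlan": 10, "sender_mac": "aa:aa:aa:aa:aa:01",
         "sender_ip": "10.0.0.11", "target_ip": "10.0.0.1"},
        # host on Gi0/2 announcing the gateway's IP with its own MAC
        {"port": "Gi0/2", "vlan": 10, "sender_mac": "aa:aa:aa:aa:aa:02",
         "sender_ip": "10.0.0.1", "target_ip": "10.0.0.1"},
        # host on Gi0/2 claiming the IP that was leased on Gi0/1
        {"port": "Gi0/2", "vlan": 10, "sender_mac": "aa:aa:aa:aa:aa:02",
         "sender_ip": "10.0.0.11", "target_ip": "10.0.0.1"},
    ]
    ip_packets = [
        {"port": "Gi0/2", "src_mac": "aa:aa:aa:aa:aa:02", "src_ip": "10.0.0.12"},
        {"port": "Gi0/2", "src_mac": "aa:aa:aa:aa:aa:02", "src_ip": "10.0.0.11"},
    ]
    return ([inspect_arp(p)[0] for p in arp_packets],
            [inspect_ip(p)[0] for p in ip_packets])


if __name__ == "__main__":
    print(run_checks())
```

The gratuitous ARP is not rejected because it is gratuitous; it is rejected because the sender pair has no binding. A legitimate host re-announcing its own leased address would pass the same check.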

BPDU (Bridge Protocol Data Unit) – contains the switch ID and MAC address
Root guard – prevents a designated port from becoming a root port
Loop guard – prevents network loops by optimizing STP

Lecture – Layer 3 attacks


The network layer uses IP as its protocol

ICMP is part of IP

Network layer attack types (IP Attacks)

- Information gathering (ICMP sweep/ping sweep)
- Header abuse
  - IP spoofing – the attacker uses an address of the network and acts as a legitimate user
  - TTL expiry attack – the attacker sends a flood of packets with the TTL value set such that the packets expire on the switch. A form of DoS attack
  - TTL evasion attack – the attacker needs prior knowledge of the topology of the victim's network. The attacker breaks the packet up and sends it in a way that the IDS can't detect the malicious code
  - Teardrop attack (fragmentation attack) – a form of DoS attack. The attacker sends fragmented packets which can't be reassembled
- Ping of death – a form of DoS attack. The attacker sends an ICMP request in an IP packet larger than the maximum packet size
- Smurf attack – a form of DoS attack. The attacker spoofs ICMP Echo Requests to a network broadcast address
- Routing attacks
  - Routing table overflow – the attacker adds non-existent router details to the routing table
  - Routing table poisoning – a genuine route update is modified with false details
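Added example (not from the notes): three of the IP attacks above can be recognised from header fields alone. Ping of death is a fragment whose offset plus length would push the reassembled datagram past the IPv4 maximum, teardrop is a fragment set that overlaps and so cannot be reassembled, and smurf is an ICMP Echo Request addressed to a network's broadcast address. The fragment lists and addresses below are constructed; the offsets are taken as already multiplied out of their 8-byte units.

```python
"""Sanity checks on IPv4 fragments and ICMP destinations.

check_fragments() looks only at fragment offsets and lengths, which is enough
to catch ping of death (a fragment that would extend the datagram past the
IPv4 maximum) and teardrop (fragments that overlap, so they cannot be
reassembled consistently) before any reassembly buffer is touched.
is_directed_broadcast_echo() flags the smurf pattern: an ICMP Echo Request
sent to a network's broadcast address.
Added example with constructed fragment lists; not code from the notes.
"""
import ipaddress

IPV4_MAX_TOTAL = 65535                   # maximum datagram size, header included
IPV4_MAX_PAYLOAD = IPV4_MAX_TOTAL - 20   # with a minimal 20-byte header
ICMP_ECHO_REQUEST = 8


def check_fragments(frags):
    """frags: list of (offset_bytes, payload_len, more_fragments) for one
    datagram, offsets already multiplied out of their 8-byte units.
    Returns 'ok', 'oversized', 'overlap', 'gap' or 'incomplete'."""
    if not frags:
        return "incomplete"
    ordered = sorted(frags)
    # ping of death: any fragment that would land past the maximum payload
    for off, length, _ in ordered:
        if off + length > IPV4_MAX_PAYLOAD:
            return "oversized"
    # teardrop: a fragment starting before the previous one ended;
    # a gap just means the set is not complete yet
    expected = 0
    for off, length, _ in ordered:
        if off < expected:
            return "overlap"
        if off > expected:
            return "gap"
        expected = off + length
    # the highest fragment must have the More Fragments flag cleared
    if ordered[-1][2]:
        return "incomplete"
    return "ok"


def is_directed_broadcast_echo(dst_ip, network_cidr, icmp_type):
    """True for an ICMP Echo Request addressed to the broadcast address of
    network_cidr, the amplification pattern used by smurf attacks."""
    net = ipaddress.ip_network(network_cidr, strict=False)
    return (icmp_type == ICMP_ECHO_REQUEST
            and ipaddress.ip_address(dst_ip) == net.broadcast_address)


# Constructed fragment sets: (offset_bytes, payload_len, more_fragments).
NORMAL = [(0, 1480, True), (1480, 1480, True), (2960, 100, False)]
PING_OF_DEATH = [(65120, 500, False)]               # 65120 + 500 > 65515
TEARDROP = [(0, 1480, True), (1400, 200, False)]    # second fragment overlaps
MISSING_MIDDLE = [(0, 1480, True), (2960, 100, False)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("ping of death", PING_OF_DEATH),
                        ("teardrop", TEARDROP), ("missing middle", MISSING_MIDDLE)]:
        print(name, check_fragments(frags))
    print("smurf pattern:", is_directed_broadcast_echo("192.0.2.255", "192.0.2.0/24", 8))
```

A real reassembler would keep a "gap" set in its buffer until the missing piece arrives or a timer expires; the classifier here only reports what can be decided from the fragments seen so far.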

Lecture – Layer 4 attacks

The transport layer uses TCP and UDP as its protocols

TCP is connection-oriented and UDP is not, so UDP is not reliable. UDP is used in wireless transmission (Wi-Fi). UDP is stateless and TCP is a stateful protocol

TCP features

- Establishing a session
  - Connection establishment
  - Data transfer
  - Connection termination
- Reliable delivery
- Same-order delivery
- Flow control

Sending data and an ACK together is called piggybacking

Athma, please go through the TCP control bits lecture in DCCNII, or google it. You might need to know about that.

TCP Attacks

Information gathering

  - TCP port scan (searches for multiple TCP services on a single host) – normal scan: TCP SYN; stealth scan: FIN, SYN-FIN, null, push, fragmented packets
  - TCP port/host sweep (searches for a single TCP service on multiple hosts) – normal scan: TCP SYN; stealth scan: FIN, SYN-FIN, null, push, fragmented packets
  - OS fingerprinting – TCP header fields vary from OS to OS

Header abuse

  - TCP hijacking – an access attack that attempts to take over a TCP session

Connection resource exhaustion (DoS attack)

  - TCP SYN flood – the attacker sends a load of SYN requests to the target. The target replies with SYN-ACK, but the attacker never replies back, so the target keeps waiting for the replies. In the meantime the target is vulnerable
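The port scan, host sweep and SYN flood descriptions above translate directly into counting rules over connection records, which is how a simple detector distinguishes them. The Python below is an added example, not code from the notes: the flow record format, the thresholds and the sample records are all constructed assumptions.

```python
"""Spot port scans, host sweeps and SYN floods in connection records.

Using the definitions from the notes: a port scan is one source touching
many ports on one host, a host sweep is one source touching the same port
on many hosts, and a SYN flood shows as many half-open connections (SYN
seen, handshake never completed) toward one target. Added example over
constructed flow records; thresholds and record format are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

PORT_SCAN_PORTS = 10     # distinct ports from one source to one host
HOST_SWEEP_HOSTS = 10    # distinct hosts from one source on one port
HALF_OPEN_LIMIT = 50     # half-open connections toward one target


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    state: str   # "SYN" (half-open), "SYN-ACK", "ESTABLISHED" or "RST"


def classify_scans(flows):
    """Return sorted (kind, source, target, count) findings."""
    ports_per_pair = defaultdict(set)   # (src, dst) -> ports touched
    hosts_per_port = defaultdict(set)   # (src, dport) -> hosts touched
    for f in flows:
        ports_per_pair[(f.src, f.dst)].add(f.dport)
        hosts_per_port[(f.src, f.dport)].add(f.dst)
    findings = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= PORT_SCAN_PORTS:
            findings.append(("port_scan", src, dst, len(ports)))
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= HOST_SWEEP_HOSTS:
            findings.append(("host_sweep", src, str(dport), len(hosts)))
    return sorted(findings)


def half_open_by_target(flows):
    """Count connections stuck after the SYN, per destination host."""
    counts = defaultdict(int)
    for f in flows:
        if f.state == "SYN":
            counts[f.dst] += 1
    return dict(counts)


def syn_flood_targets(flows):
    """Hosts whose half-open count exceeds the limit."""
    return sorted(dst for dst, n in half_open_by_target(flows).items()
                  if n >= HALF_OPEN_LIMIT)


def constructed_flows():
    """Constructed records: one normal client, one port scan, one host
    sweep and one SYN flood whose sources never complete the handshake."""
    flows = [Flow("10.0.0.5", "10.0.0.80", 80, "ESTABLISHED") for _ in range(3)]
    flows += [Flow("198.51.100.7", "10.0.0.80", p, "RST") for p in range(20, 40)]
    flows += [Flow("198.51.100.8", f"10.0.0.{i}", 22, "SYN-ACK") for i in range(1, 13)]
    flows += [Flow(f"203.0.113.{i % 250 + 1}", "10.0.0.80", 443, "SYN") for i in range(60)]
    return flows


if __name__ == "__main__":
    flows = constructed_flows()
    for finding in classify_scans(flows):
        print(*finding)
    print("SYN flood targets:", syn_flood_targets(flows))
```

Counting half-open connections per target rather than per source is deliberate: the SYN flood sources in the sample are spread across many addresses, so a per-source rule would see nothing unusual while the target's backlog fills.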

The pieces of communication in UDP are called datagrams

UDP Attacks

Information gathering

  - UDP port scan
  - UDP host sweep

Header abuse

  - UDP bomb attack – a form of DoS attack. Triggered when the UDP length specified is less than the IP length specified

Connection resource exhaustion (DoS attack)

  - UDP flood attack – the attacker sends a load of requests probing for open ports on the server, and the server gets overloaded. A form of DoS attack
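The UDP bomb condition above is a pure header-consistency check, which a receiver can do before handing the datagram to any application. The Python below is an added example, not code from the notes: it builds an IPv4 + UDP packet with struct (documentation addresses, constructed ports) and classifies the relationship between the UDP length field and the length the IP header says is present; it also catches the reverse case, a UDP length larger than the IP payload.

```python
"""Check that a UDP datagram's length field agrees with the IPv4 header.

The UDP bomb condition is a UDP length smaller than the payload length the
IP header says is present; the same check also catches the reverse (UDP
claims more bytes than the IP packet carries). Added example; the packets
are constructed with struct using documentation addresses and are not from
the notes.
"""
import struct

IPPROTO_UDP = 17
UDP_HEADER_LEN = 8


def build_ipv4_udp(payload, udp_len_field=None):
    """Constructed IPv4 + UDP packet. udp_len_field overrides the UDP length
    so that inconsistent packets can be built for testing."""
    if udp_len_field is None:
        udp_len_field = UDP_HEADER_LEN + len(payload)
    udp = struct.pack("!HHHH", 12345, 53, udp_len_field, 0) + payload
    total_len = 20 + len(udp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + udp


def check_udp_length(packet):
    """Classify the UDP/IP length relationship. Returns 'ok', 'udp-bomb',
    'udp-len-exceeds-ip', 'udp-len-below-header', 'truncated' or 'not-udp'."""
    if len(packet) < 20:
        return "truncated"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_UDP:
        return "not-udp"
    if len(packet) < total_len or total_len < ihl + UDP_HEADER_LEN:
        return "truncated"
    ip_payload_len = total_len - ihl
    udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
    if udp_len < UDP_HEADER_LEN:
        return "udp-len-below-header"
    if udp_len < ip_payload_len:
        return "udp-bomb"            # UDP claims fewer bytes than IP carries
    if udp_len > ip_payload_len:
        return "udp-len-exceeds-ip"  # UDP claims more bytes than exist
    return "ok"


if __name__ == "__main__":
    for name, pkt in [("consistent", build_ipv4_udp(b"hello")),
                      ("udp bomb", build_ipv4_udp(b"hello", udp_len_field=9)),
                      ("too long", build_ipv4_udp(b"hello", udp_len_field=40))]:
        print(name, check_udp_length(pkt))
```

Either mismatch should be dropped, not "fixed up" by trusting one of the two lengths; historically it was the attempt to honour an inconsistent UDP length that crashed receivers.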

In each layer the data unit has a different name

Network layer – Packets

Transport layer – segments

Data link layer - Frames
