
COMPUTER NETWORKS

Network Threats
IT-9102

Contents:
1. What is an attack?
2. List of common network attacks
3. DoS attack
4. Spoofing attack
5. Man-in-the-middle attack
6. Password attack
7. Social engineering attack
8. Wireless security issues
1. What is an attack?

In computer systems and networks, security is concerned with privacy, integrity, and
protection from unauthorized access, modification, and deletion. It is an effort that
needs proper planning, implementation, and maintenance to ensure that the user’s data
remains secure. The first step to create a secure Internet platform is to find out the
expected attacks and then take the necessary steps to protect your computer or
network against such attacks.

• Attack
An attack is the act of trying to bypass security controls on a computer system. It can be
active or passive. An active attack is an attack in which the attacker manipulates data
and adds unauthorized data. In a passive attack, the attacker only monitors and/or
records data.

To secure a network from attacks, it is necessary to detect when and what type of
attack is taking place. Some of the common attacks are listed below:
2. List of common network attacks:
• DoS attack

A Denial-of-Service (DoS) attack causes a negative impact on the performance of a
computer or network. This attack is designed to bring loss of network connectivity
and services by consuming the bandwidth of the user's network. It is also known as a
network saturation attack or bandwidth consumption attack. Attackers make
Denial-of-Service attacks by sending a large number of protocol packets to a network.

A Denial-of-Service attack is very common on the Internet because it is much easier
to accomplish. Most DoS attacks rely on weaknesses in the TCP/IP protocol.

• Spoofing
Spoofing is a technique that makes a transmission appear to have come from an
authentic source by forging the IP address. In IP spoofing, a hacker modifies packet
headers by using someone else’s IP address to hide his identity. However, spoofing
cannot be used while surfing the Internet, chatting on-line, etc., because forging the
source IP address causes the responses to be misdirected .

• Password guessing attack

This attack occurs when an unauthorized user repeatedly tries to log on to a
computer or network by guessing usernames and passwords. Many
password-guessing programs that attempt to break passwords are available on the Internet.

• Man-in-the-middle attack
Man-in-the-middle attacks occur when an attacker successfully inserts an
intermediary software or program between two communicating hosts. The
intermediary software or program allows attackers to listen to and modify the
communication packets passing between the two hosts. The software intercepts the
communication packets and then sends the information to the receiving host. The
receiving host responds to the software, presuming it to be the legitimate client.
3. DoS attack:

• What is a denial-of-service (DoS) attack?

In a denial-of-service (DoS) attack, an attacker attempts to prevent legitimate users
from accessing information or services. By targeting your computer and its network
connection, or the computers and network of the sites you are trying to use, an attacker
may be able to prevent you from accessing email, websites, online accounts (banking,
etc.), or other services that rely on the affected computer.

The most common and obvious type of DoS attack occurs when an attacker "floods" a
network with information. When you type a URL for a particular website into your
browser, you are sending a request to that site's computer server to view the page. The
server can only process a certain number of requests at once, so if an attacker
overloads the server with requests, it can't process your request. This is a "denial of
service" because you can't access that site.

An attacker can use spam email messages to launch a similar attack on your email
account. Whether you have an email account supplied by your employer or one
available through a free service such as Yahoo or Hotmail, you are assigned a specific
quota, which limits the amount of data you can have in your account at any given time.
By sending many, or large, email messages to the account, an attacker can consume
your quota, preventing you from receiving legitimate messages.

• What is a distributed denial-of-service (DDoS) attack?

In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to
attack another computer. By taking advantage of security vulnerabilities or weaknesses,
an attacker could take control of your computer. He or she could then force your
computer to send huge amounts of data to a website or send spam to particular email
addresses. The attack is "distributed" because the attacker is using multiple computers,
including yours, to launch the denial-of-service attack.

• Symptoms and Manifestations

The United States Computer Emergency Response Team defines symptoms of
denial-of-service attacks to include:
• Unusually slow network performance (opening files or accessing web sites)
• Unavailability of a particular web site
• Inability to access any web site
• Dramatic increase in the number of spam emails received (this type of DoS
attack is considered an e-mail bomb)[3]

Denial-of-service attacks can also lead to problems in the network 'branches' around the
actual computer being attacked. For example, the bandwidth of a router between the
Internet and a LAN may be consumed by an attack, compromising not only the intended
computer, but also the entire network.

If the attack is conducted on a sufficiently large scale, entire geographical regions of
Internet connectivity can be compromised without the attacker's knowledge or intent by
incorrectly configured or flimsy network infrastructure equipment.

[Figure: "Regular Connection", panels 1-4]

[Figure: "DOS Attack", panels 1-6]

[Figure: "Firewall Setting", panels 1-6]
How a "denial of service" attack works

In a typical connection, the user sends a message asking the server to authenticate it.
The server returns the authentication approval to the user. The user acknowledges this
approval and then is allowed onto the server.

In a denial of service attack, the user sends several authentication requests to the
server, filling it up. All requests have false return addresses, so the server can't find the
user when it tries to send the authentication approval. The server waits, sometimes
more than a minute, before closing the connection. When it does close the connection,
the attacker sends a new batch of forged requests, and the process begins again, tying
up the service indefinitely.

• One of the more common methods of blocking a "denial of service" attack is to
set up a filter, or "sniffer," on a network before a stream of information reaches a
site's Web servers. The filter can look for attacks by noticing patterns or
identifiers contained in the information. If a pattern comes in frequently, the filter
can be instructed to block messages containing that pattern, protecting the Web
servers from having their lines tied up.
• Methods of attack
A "denial-of-service" attack is characterized by an explicit attempt by attackers to
prevent legitimate users of a service from using that service. Attacks can be directed at
any network device, including attacks on routing devices and web, electronic mail, or
Domain Name System servers.

A DoS attack can be perpetrated in a number of ways. The five basic types of attack
are:

1. Consumption of computational resources, such as bandwidth, disk space, or
processor time.
2. Disruption of configuration information, such as routing information.
3. Disruption of state information, such as unsolicited resetting of TCP sessions.
4. Disruption of physical network components.
5. Obstructing the communication media between the intended users and the victim
so that they can no longer communicate adequately.

A DoS attack may include execution of malware intended to:

• Max out the processor's usage, preventing any work from occurring.
• Trigger errors in the microcode of the machine.
• Trigger errors in the sequencing of instructions, so as to force the computer into
an unstable state or lock-up.
• Exploit errors in the operating system, causing resource starvation and/or
thrashing, i.e. to use up all available facilities so no real work can be
accomplished.
• Crash the operating system itself.

• ICMP flood

A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It
relies on misconfigured network devices that allow packets to be sent to all computer
hosts on a particular network via the broadcast address of the network, rather than a
specific machine. The network then serves as a smurf amplifier. In such an attack, the
perpetrators will send large numbers of IP packets with the source address faked to
appear to be the address of the victim. The network's bandwidth is quickly used up,
preventing legitimate packets from getting through to their destination.[4] To combat
Denial of Service attacks on the Internet, services like the Smurf Amplifier Registry have
given network service providers the ability to identify misconfigured networks and to
take appropriate action such as filtering.
Ping flood is based on sending the victim an overwhelming number of ping packets,
usually using the "ping" command from unix-like hosts (the -t flag on Windows systems
has a far less malignant function). It is very simple to launch, the primary requirement
being access to greater bandwidth than the victim.

SYN flood sends a flood of TCP/SYN packets, often with a forged sender address. Each
of these packets is handled like a connection request, causing the server to spawn a
half-open connection, by sending back a TCP/SYN-ACK packet, and waiting for a
packet in response from the sender address. However, because the sender address is
forged, the response never comes. These half-open connections saturate the number of
available connections the server is able to make, keeping it from responding to
legitimate requests until after the attack ends.

• Teardrop attacks

A Teardrop attack involves sending mangled IP fragments with overlapping, over-sized
payloads to the target machine. This can crash various operating systems due to a bug
in their TCP/IP fragmentation re-assembly code.[5] Windows 3.1x, Windows 95 and
Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32
and 2.1.63 are vulnerable to this attack.

Around September 2009, a vulnerability in Vista was referred to as a "teardrop attack",
but the attack targeted SMB2 which is a higher layer than the TCP packets that teardrop
used.[6][7]
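
As an added example (not part of the original document) of the check a fragment-reassembly layer needs against the mangled fragments described here, the following Python tracker rejects overlapping fragments (the teardrop case) and datagrams that would exceed the 65535-byte IP maximum (the Ping of Death mentioned later on this page). The fragment keys, the fixed 20-byte header assumption and the sample fragments are constructed.

```python
"""Fragment sanity checks for an IP reassembly layer (constructed example).

Rejects the malformed fragments discussed on this page before any data is
copied: overlapping or mis-sized fragments (teardrop) and a reassembled
datagram longer than the 65535-byte IP maximum (ping of death).
"""
MAX_DATAGRAM = 65535
HEADER_LEN = 20           # fixed IPv4 header length assumed for this example


class FragmentTracker:
    """Tracks payload byte ranges per datagram key, e.g. (src, dst, id, proto)."""

    def __init__(self):
        self.frags = {}   # key -> list of accepted (start, end) byte ranges
        self.total = {}   # key -> payload length once the MF=0 fragment is seen

    def add(self, key, offset_units, payload_len, more_fragments):
        """Validate one arriving fragment; returns 'accept' or a drop reason."""
        start = offset_units * 8           # the offset field counts 8-byte units
        end = start + payload_len          # exclusive end of this fragment
        if payload_len <= 0:
            return "drop: empty fragment"
        if more_fragments and payload_len % 8:
            return "drop: non-final fragment not a multiple of 8 bytes"
        if HEADER_LEN + end > MAX_DATAGRAM:
            return "drop: datagram would exceed 65535 bytes (ping of death)"
        for s, e in self.frags.get(key, []):
            if start < e and s < end:      # shares bytes with an earlier fragment
                return "drop: overlapping fragment (teardrop)"
        if not more_fragments:
            if key in self.total:
                return "drop: second final fragment"
            self.total[key] = end
        elif key in self.total and end > self.total[key]:
            return "drop: fragment extends past the final fragment"
        self.frags.setdefault(key, []).append((start, end))
        return "accept"

    def complete(self, key):
        """True once accepted fragments cover [0, total) with no gaps."""
        if key not in self.total:
            return False
        pos = 0
        for s, e in sorted(self.frags[key]):
            if s != pos:
                return False
            pos = e
        return pos == self.total[key]


def run_samples():
    """Constructed fragment streams: one teardrop pair, one oversize, one normal."""
    t = FragmentTracker()
    k1 = ("198.51.100.7", "192.0.2.10", 0x1234, 17)   # teardrop-style pair
    teardrop = [t.add(k1, 0, 40, True), t.add(k1, 3, 16, True)]
    k2 = ("198.51.100.7", "192.0.2.10", 0x1235, 1)    # ICMP datagram too large
    oversize = t.add(k2, 8189, 32, False)
    k3 = ("198.51.100.8", "192.0.2.10", 0x0042, 17)   # well-formed datagram
    normal = [t.add(k3, 0, 40, True), t.add(k3, 5, 40, True),
              t.add(k3, 10, 13, False)]
    return teardrop, oversize, normal, t.complete(k3)
```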

• Peer-to-peer attacks

Attackers have found a way to exploit a number of bugs in peer-to-peer servers to
initiate DDoS attacks. The most aggressive of these peer-to-peer DDoS attacks exploits
DC++. Peer-to-peer attacks are different from regular botnet-based attacks. With
peer-to-peer there is no botnet and the attacker does not have to communicate with the
clients it subverts. Instead, the attacker acts as a 'puppet master,' instructing clients of
large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to
connect to the victim's website instead. As a result, several thousand computers may
aggressively try to connect to a target website. While a typical web server can handle a
few hundred connections/sec before performance begins to degrade, most web servers
fail almost instantly under five or six thousand connections/sec. With a moderately big
peer-to-peer attack a site could potentially be hit with up to 750,000 connections in a
short order. The targeted web server will be plugged up by the incoming connections.
While peer-to-peer attacks are easy to identify with signatures, the large number of IP
addresses that need to be blocked (often over 250,000 during the course of a big
attack) means that this type of attack can overwhelm mitigation defenses. Even if a
mitigation device can keep blocking IP addresses, there are other problems to consider.
For instance, there is a brief moment where the connection is opened on the server side
before the signature itself comes through. Only once the connection is opened to the
server can the identifying signature be sent and detected, and the connection torn
down. Even tearing down connections takes server resources and can harm the server.

This method of attack can be prevented by specifying in the p2p protocol which ports
are allowed or not. If port 80 is not allowed, the possibilities for attack on websites can
be very limited.

• Permanent denial-of-service attacks

A permanent denial-of-service (PDoS), also known loosely as phlashing,[8] is an attack
that damages a system so badly that it requires replacement or reinstallation of
hardware.[9] Unlike the distributed denial-of-service attack, a PDoS attack exploits
security flaws which allow remote administration on the management interfaces of the
victim's hardware, such as routers, printers, or other networking hardware. The attacker
uses these vulnerabilities to replace a device's firmware with a modified, corrupt, or
defective firmware image—a process which when done legitimately is known as
flashing. This therefore "bricks" the device, rendering it unusable for its original purpose
until it can be repaired or replaced.

The PDoS is a pure hardware targeted attack which can be much faster and requires
fewer resources than using a botnet in a DDoS attack. Because of these features, and
the potential and high probability of security exploits on Network Enabled Embedded
Devices (NEEDs), this technique has come to the attention of numerous hacker
communities. PhlashDance is a tool created by Rich Smith[10] (an employee of
Hewlett-Packard's Systems Security Lab) used to detect and demonstrate PDoS vulnerabilities
at the 2008 EUSecWest Applied Security Conference in London.[10]

• Application level floods

On IRC, IRC floods are a common electronic warfare weapon.

Various DoS-causing exploits such as buffer overflow can cause server-running
software to get confused and fill the disk space or consume all available memory or
CPU time.

Other kinds of DoS rely primarily on brute force, flooding the target with an
overwhelming flux of packets, oversaturating its connection bandwidth or depleting the
target's system resources. Bandwidth-saturating floods rely on the attacker having
higher bandwidth available than the victim; a common way of achieving this today is via
Distributed Denial of Service, employing a botnet. Other floods may use specific packet
types or connection requests to saturate finite resources by, for example, occupying the
maximum number of open connections or filling the victim's disk space with logs.

A "banana attack" is another particular type of DoS. It involves redirecting outgoing
messages from the client back onto the client, preventing outside access, as well as
flooding the client with the sent packets.
An attacker with access to a victim's computer may slow it until it is unusable or crash it
by using a fork bomb.

• Nuke

A Nuke is an old denial-of-service attack against computer networks consisting of
fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a
modified ping utility to repeatedly send this corrupt data, thus slowing down the affected
computer until it comes to a complete stop.

A specific example of a nuke attack that gained some prominence is the WinNuke,
which exploited the vulnerability in the NetBIOS handler in Windows 95. A string of
out-of-band data was sent to TCP port 139 of the victim's machine, causing it to lock up and
display a Blue Screen of Death (BSOD).

• Distributed attack

A distributed denial of service attack (DDoS) occurs when multiple systems flood the
bandwidth or resources of a targeted system, usually one or more web servers. These
systems are compromised by attackers using a variety of methods.

Malware can carry DDoS attack mechanisms; one of the better-known examples of this
was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type
of DDoS involved hardcoding the target IP address prior to release of the malware and
no further interaction was necessary to launch the attack.

A system may also be compromised with a trojan, allowing the attacker to download a
zombie agent (or the trojan may contain one). Attackers can also break into systems
using automated tools that exploit flaws in programs that listen for connections from
remote hosts. This scenario primarily concerns systems acting as servers on the web.

Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where
the attacker uses a client program to connect to handlers, which are compromised
systems that issue commands to the zombie agents, which in turn facilitate the DDoS
attack. Agents are compromised via the handlers by the attacker, using automated
routines to exploit vulnerabilities in programs that accept remote connections running on
the targeted remote hosts. Each handler can control up to a thousand agents.[11]

These collections of compromised systems are known as botnets. DDoS tools like
Stacheldraht still use classic DoS attack methods centered on IP spoofing and
amplification like smurf attacks and fraggle attacks (these are also known as bandwidth
consumption attacks). SYN floods (also known as resource starvation attacks) may also
be used. Newer tools can use DNS servers for DoS purposes. See next section.

Simple attacks such as SYN floods may appear with a wide range of source IP
addresses, giving the appearance of a well distributed DDoS. These flood attacks do
not require completion of the TCP three way handshake and attempt to exhaust the
destination SYN queue or the server bandwidth. Because the source IP addresses can
be trivially spoofed, an attack could come from a limited set of sources, or may even
originate from a single host. Stack enhancements such as SYN cookies may be effective
mitigation against SYN queue flooding; however, complete bandwidth exhaustion may
require involvement

Unlike MyDoom's DDoS mechanism, botnets can be turned against any IP address.
Script kiddies use them to deny the availability of well known websites to legitimate
users.[2] More sophisticated attackers use DDoS tools for the purposes of extortion —
even against their business rivals.[12]

It is important to note the difference between a DDoS and DoS attack. If an attacker
mounts an attack from a single host it would be classified as a DoS attack. In fact, any
attack against availability would be classed as a Denial of Service attack. On the other
hand, if an attacker uses a thousand systems to simultaneously launch smurf attacks
against a remote host, this would be classified as a DDoS attack.

The major advantages to an attacker of using a distributed denial-of-service attack are
that multiple machines can generate more attack traffic than one machine, multiple
attack machines are harder to turn off than one attack machine, and that the behavior of
each attack machine can be stealthier, making it harder to track down and shut down.
These attacker advantages cause challenges for defense mechanisms. For example,
merely purchasing more incoming bandwidth than the current volume of the attack
might not help, because the attacker might be able to simply add more attack machines.

• Reflected attack

A distributed reflected denial of service attack (DRDoS) involves sending forged
requests of some type to a very large number of computers that will reply to the
requests. Using Internet protocol spoofing, the source address is set to that of the
targeted victim, which means all the replies will go to (and flood) the target.

ICMP Echo Request attacks (Smurf Attack) can be considered one form of reflected
attack, as the flooding host(s) send Echo Requests to the broadcast addresses of
misconfigured networks, thereby enticing many hosts to send Echo Reply packets to the
victim. Some early DDoS programs implemented a distributed form of this attack.

Many services can be exploited to act as reflectors, some harder to block than others.[13]
DNS amplification attacks involve a new mechanism that increased the amplification
effect, using a much larger list of DNS servers than seen earlier.[14]

• Degradation-of-service attacks

"Pulsing" zombies are compromised computers that are directed to launch intermittent
and short-lived floodings of victim websites with the intent of merely slowing it rather
than crashing it. This type of attack, referred to as "degradation-of-service" rather than
"denial-of-service", can be more difficult to detect than regular zombie invasions and
can disrupt and hamper connection to websites for prolonged periods of time, potentially
causing more damage than concentrated floods.[15][16] Exposure of
degradation-of-service attacks is complicated further by the matter of discerning whether the attacks
really are attacks or just healthy and likely desired increases in website traffic.[17]

• What is a DDoS attack?

Trojans are often used to launch Distributed Denial of Service (DDoS) attacks against
targeted systems, but just what is a DDoS attack and how are they performed?

At its most basic level, a Distributed Denial of Service (DDoS) attack overwhelms the
target system with data, such that the response from the target system is either slowed
or stopped altogether. In order to create the necessary amount of traffic, a network of
zombie or bot computers is most often used.

Zombies or botnets are computers that have been compromised by attackers, generally
through the use of Trojans, allowing these compromised systems to be remotely
controlled. Collectively, these systems are manipulated to create the high traffic flow
necessary to create a DDoS attack.

These botnets are often auctioned and traded among attackers, so a
compromised system may be under the control of multiple criminals, each with a
different purpose in mind. Some attackers may use the botnet as a spam-relay, others
to act as a download site for malicious code, some to host phishing scams, and others
for the aforementioned DDoS attacks.

Several techniques can be used to facilitate a Distributed Denial of Service attack. Two
of the more common are HTTP GET requests and SYN Floods. One of the most
notorious examples of an HTTP GET attack was from the MyDoom worm, which
targeted the SCO.com website. The GET attack works as its name suggests – it sends
a request for a specific page (generally the homepage) to the target server. In the case
of the MyDoom worm, 64 requests were sent every second from every infected system.
With tens of thousands of computers estimated to be infected by MyDoom, the attack
quickly proved overwhelming to SCO.com, knocking it offline for several days.

A SYN Flood is basically an aborted handshake. Internet communications use a
three-way handshake. The initiating client initiates with a SYN, the server responds with a
SYN-ACK, and the client is then supposed to respond with an ACK. Using spoofed IP
addresses, an attacker sends the SYN which results in the SYN-ACK being sent to a
non-requesting (and often non-existing) address. The server then waits for the ACK
response to no avail. When large numbers of these aborted SYN packets are sent to a
target, the server resources are exhausted and the server succumbs to the SYN Flood
DDoS.
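
The SYN flood just described, together with the SYN-cookie mitigation mentioned under "Distributed attack", as an added Python simulation that is not part of the original document: a listener with a fixed half-open backlog is compared with a stateless SYN-cookie listener under a constructed in-memory flood of SYNs from forged sources that never complete the handshake. The cookie layout (5 bits of a coarse time counter, 3 bits of MSS index, 24 bits of keyed hash) follows the classic SYN-cookie scheme; the addresses, secret and MSS table are constructed values.

```python
"""SYN-queue exhaustion versus SYN cookies, simulated in memory (no network I/O).

Constructed example: a stateful listener keeps one half-open entry per SYN and
drops new SYNs once forged SYNs fill its backlog; a SYN-cookie listener encodes
the handshake state in its own initial sequence number (ISN), stores nothing
per SYN, and still completes a legitimate handshake during the flood.
"""
import hashlib
import hmac

MSS_TABLE = (536, 1220, 1440, 1460)        # MSS values the 3-bit field can carry
SECRET = b"constructed-listener-secret"    # per-host secret, assumed value


def _mac24(key, client, server, t5):
    """24-bit keyed hash over the 4-tuple and the 5-bit time counter."""
    msg = f"{client[0]}:{client[1]}>{server[0]}:{server[1]}@{t5}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(key, client, server, client_isn, mss, t):
    """Server ISN = 5 bits of t | 3 bits of MSS index | 24 bits of (ISN + MAC)."""
    idx = 0
    for i, m in enumerate(MSS_TABLE):       # largest table entry <= peer's MSS
        if m <= mss:
            idx = i
    t5 = t & 0x1F
    low = (client_isn + _mac24(key, client, server, t5)) & 0xFFFFFF
    return (t5 << 27) | (idx << 24) | low


def check_cookie(key, client, server, client_isn, ack, now, max_age=4):
    """Validate the handshake's final ACK; return the encoded MSS or None."""
    cookie = (ack - 1) & 0xFFFFFFFF         # the ACK acknowledges ISN + 1
    t5 = cookie >> 27
    if (now - t5) % 32 > max_age:           # stale cookie; counter wraps mod 32
        return None
    expect = (client_isn + _mac24(key, client, server, t5)) & 0xFFFFFF
    if (cookie & 0xFFFFFF) != expect:       # forged, replayed or mismatched ACK
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


class BacklogListener:
    """Classic listener: every SYN occupies a finite half-open table until ACKed."""

    def __init__(self, backlog=128):
        self.backlog = backlog
        self.half_open = {}                 # (client, server) -> server ISN
        self.established = set()
        self._isn = 1000

    def on_syn(self, client, server, client_isn, mss, t):
        if len(self.half_open) >= self.backlog:
            return None                     # queue full: SYN silently dropped
        self._isn = (self._isn + 64000) & 0xFFFFFFFF
        self.half_open[(client, server)] = self._isn
        return self._isn

    def on_ack(self, client, server, client_isn, ack, now):
        isn = self.half_open.pop((client, server), None)
        if isn is None or ack != ((isn + 1) & 0xFFFFFFFF):
            return False
        self.established.add((client, server))
        return True


class CookieListener:
    """Stateless under flood: the server ISN is the cookie, nothing is stored."""

    def __init__(self, key=SECRET):
        self.key = key
        self.established = set()

    def on_syn(self, client, server, client_isn, mss, t):
        return make_cookie(self.key, client, server, client_isn, mss, t)

    def on_ack(self, client, server, client_isn, ack, now):
        if check_cookie(self.key, client, server, client_isn, ack, now) is None:
            return False
        self.established.add((client, server))
        return True


def simulate(listener, flood_size=500, t=7):
    """Send flood_size SYNs from forged sources that never ACK, then attempt one
    legitimate handshake. Returns True if the real client gets connected."""
    server = ("192.0.2.10", 80)             # RFC 5737 documentation addresses
    for i in range(flood_size):
        forged = (f"203.0.113.{i % 254 + 1}", 1024 + i)
        listener.on_syn(forged, server, client_isn=i, mss=1460, t=t)
    legit = ("198.51.100.5", 40000)
    synack_isn = listener.on_syn(legit, server, client_isn=12345, mss=1460, t=t)
    if synack_isn is None:
        return False                        # the legitimate SYN was dropped
    ack = (synack_isn + 1) & 0xFFFFFFFF
    return listener.on_ack(legit, server, 12345, ack, now=t + 1)
```

`simulate(BacklogListener())` returns False because the forged SYNs fill the backlog before the real client arrives, while `simulate(CookieListener())` returns True.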

Several other types of DDoS attacks can be launched, including UDP Fragment
Attacks, ICMP Floods, and the Ping of Death.

[Figure: DDoS Stacheldraht attack diagram]

4. Spoofing attack:

In computer networking, the term IP address spoofing or IP spoofing refers to the
creation of Internet Protocol (IP) packets with a forged source IP address, called
spoofing, with the purpose of concealing the identity of the sender or impersonating
another computing system.

The basic protocol for sending data over the Internet network and many other computer
networks is the Internet Protocol ("IP"). The header of each IP packet contains, among
other things, the numerical source and destination address of the packet. The source
address is normally the address that the packet was sent from. By forging the header so
it contains a different address, an attacker can make it appear that the packet was sent
by a different machine. The machine that receives spoofed packets will send response
back to the forged source address, which means that this technique is mainly used
when the attacker does not care about the response or the attacker has some way of
guessing the response.

In certain cases, it might be possible for the attacker to see or redirect the response to
his own machine. The most usual case is when the attacker is spoofing an address on
the same LAN or WAN. This gives the attacker unauthorized access to those
computers.

• Man-in-the-middle attack and internet protocol spoofing

An example from cryptography is the man-in-the-middle attack, in which an attacker
spoofs Alice into believing the attacker is Bob, and spoofs Bob into believing the
attacker is Alice, thus gaining access to all messages in both directions without the
trouble of any cryptanalytic effort.

The attacker must monitor the packets sent from Alice to Bob and then guess the
sequence number of the packets. Then the attacker knocks out Alice with a SYN attack
and injects his own packets, claiming to have the address of Alice. Alice's firewall can
defend against some spoof attacks when it has been configured with knowledge of all
the IP addresses connected to each of its interfaces. It can then detect a spoofed
packet if it arrives at an interface that is not known to be connected to the IP address.

Many carelessly designed protocols are subject to spoof attacks, including many of
those used on the Internet. See Internet protocol spoofing.
• URL spoofing and phishing
Another kind of spoofing is "webpage spoofing," also known as phishing. In this attack,
a legitimate web page such as a bank's site is reproduced in "look and feel" on another
server under control of the attacker. The main intent is to fool the users into thinking that
they are connected to a trusted site, for instance to harvest usernames and passwords.

This attack is often performed with the aid of URL spoofing, which exploits web browser
bugs in order to display incorrect URLs in the browsers location bar; or with DNS cache
poisoning in order to direct the user away from the legitimate site and to the fake one.
Once the user puts in their password, the attack-code reports a password error, then
redirects the user back to the legitimate site.

• Referrer spoofing
Some websites, especially pornographic paysites, allow access to their materials only
from certain approved (login-) pages. This is enforced by checking the referrer header
of the HTTP request. This referrer header however can be changed (known as "referrer
spoofing" or "Ref-tar spoofing"), allowing users to gain unauthorized access to the
materials.

• Poisoning of file-sharing networks

"Spoofing" can also refer to copyright holders placing distorted or unlistenable versions
of works on file-sharing networks, to discourage downloading from these sources.

• Caller ID spoofing
In public telephone networks, it has for a long while been possible to find out who is
calling you by looking at the Caller ID information that is transmitted with the call. There
are technologies that transmit this information on landlines, on cellphones and also with
VoIP. Unfortunately, there are now technologies (especially associated with VoIP) that
allow callers to lie about their identity, and present false names and numbers, which
could of course be used as a tool to defraud or harass. Because there are services and
gateways that interconnect VoIP with other public phone networks, these false Caller
IDs can be transmitted to any phone on the planet, which makes the whole Caller ID
information now next to useless. Due to the distributed geographic nature of the
Internet, VoIP calls can be generated in a different country to the receiver, which means
that it is very difficult to have a legal framework to control those who would use fake
Caller IDs as part of a scam.

• E-mail address spoofing

The sender information shown in e-mails (the "From" field) can be spoofed easily. This
technique is commonly used by spammers to hide the origin of their e-mails and leads
to problems such as misdirected bounces (i.e. e-mail spam backscatter).

E-mail address spoofing is done in quite the same way as writing a forged return
address using snail mail. As long as the letter fits the protocol, (i.e. stamp, postal code)
the SMTP protocol will send the message. It can be done using a mail server with
telnet.

• Applications
IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the
goal is to flood the victim with overwhelming amounts of traffic, and the attacker does
not care about receiving responses to the attack packets. Packets with spoofed
addresses are thus suitable for such attacks. They have additional advantages for this
purpose—they are more difficult to filter since each spoofed packet appears to come
from a different address, and they hide the true source of the attack. Denial of service
attacks that use spoofing typically randomly choose addresses from the entire IP
address space, though more sophisticated spoofing mechanisms might avoid
unroutable addresses or unused portions of the IP address space. The proliferation of
large botnets makes spoofing less important in denial of service attacks, but attackers
typically have spoofing available as a tool, if they want to use it, so defenses against
denial-of-service attacks that rely on the validity of the source IP address in attack
packets might have trouble with spoofed packets. Backscatter, a technique used to
observe denial-of-service attack activity in the Internet, relies on attackers' use of IP
spoofing for its effectiveness.

IP spoofing can also be a method of attack used by network intruders to defeat
network security measures, such as authentication based on IP addresses. This
method of attack on a remote system can be extremely difficult, as it involves
modifying thousands of packets at a time. This type of attack is most effective
where trust relationships exist between machines. For example, it is common on
some corporate networks to have internal systems trust each other, so that users
can log in without a username or password provided they are connecting from
another machine on the internal network (and so must already be logged in). By
spoofing a connection from a trusted machine, an attacker may be able to access
the target machine without an authentication.

• Services vulnerable to IP spoofing

Configuration and services that are vulnerable to IP spoofing:

• RPC (Remote Procedure Call services)
• Any service that uses IP address authentication
• The X Window System
• The R services suite (rlogin, rsh, etc.)

• Defense against spoofing

Packet filtering is one defense against IP spoofing attacks. The gateway to a network
usually performs ingress filtering, which is blocking of packets from outside the network
with a source address inside the network. This prevents an outside attacker spoofing
the address of an internal machine. Ideally the gateway would also perform egress
filtering on outgoing packets, which is blocking of packets from inside the network with a
source address that is not inside. This prevents an attacker within the network
performing filtering from launching IP spoofing attacks against external machines.

It is also recommended to design network protocols and services so that they do not
rely on the IP source address for authentication.
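
The ingress and egress filtering described above, together with the interface-aware check from the spoofing section earlier (a firewall that knows which addresses sit behind each of its interfaces), as an added Python example that is not part of the original document. The interface names, prefixes and sample packets are constructed; the bogon list is a subset chosen for the example, and a directed-broadcast check is included because of the smurf amplifier discussion on this page.

```python
"""Interface-aware anti-spoofing filter (constructed example).

Each interface is mapped to the source prefixes legitimately reachable behind
it. Ingress filtering: a packet arriving on the Internet-facing interface may
not claim an internal source. Egress filtering: a packet arriving on an
internal interface may only carry a source from that interface's prefixes.
Bogon and directed-broadcast checks are added for smurf-style amplification.
"""
import ipaddress

# Sources that are unroutable on the public Internet (subset, constructed).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class AntiSpoofFilter:
    def __init__(self, wan, interfaces):
        """wan: name of the Internet-facing interface.
        interfaces: {name: [prefixes whose hosts sit behind that interface]}"""
        self.wan = wan
        self.ifaces = {n: [ipaddress.ip_network(p) for p in ps]
                       for n, ps in interfaces.items()}
        self.internal = [p for ps in self.ifaces.values() for p in ps]

    def verdict(self, iface, src, dst):
        """Return (action, reason) for a packet arriving on iface."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if iface == self.wan:
            if any(src in p for p in self.internal):
                return ("drop", "ingress: internal source arriving from outside")
            if any(src in p for p in BOGONS):
                return ("drop", "ingress: unroutable (bogon) source")
            if any(dst == p.broadcast_address for p in self.internal):
                return ("drop", "directed broadcast: would make us a smurf amplifier")
            return ("accept", "external source on external interface")
        if iface not in self.ifaces:
            return ("drop", "unknown interface")
        if not any(src in p for p in self.ifaces[iface]):
            return ("drop", "egress: source does not belong to arrival interface")
        return ("accept", "source matches arrival interface")


def apply_filter(fw, packets):
    """Evaluate (iface, src, dst) packets; returns (iface, src, dst, action, reason)."""
    return [(i, s, d) + fw.verdict(i, s, d) for i, s, d in packets]


# Constructed gateway: one Internet link, one LAN, one small DMZ.
FW = AntiSpoofFilter("wan", {"lan": ["192.168.10.0/24"],
                             "dmz": ["203.0.113.0/28"]})

# Constructed sample traffic: (arrival interface, source, destination).
SAMPLE = [
    ("wan", "198.51.100.7", "203.0.113.5"),      # ordinary inbound request
    ("wan", "192.168.10.20", "192.168.10.1"),    # spoofed internal source
    ("wan", "10.1.2.3", "203.0.113.5"),          # bogon source
    ("wan", "198.51.100.7", "192.168.10.255"),   # echo request to our broadcast
    ("lan", "192.168.10.20", "198.51.100.7"),    # legitimate outbound
    ("lan", "203.0.113.200", "198.51.100.7"),    # outbound with forged source
    ("dmz", "192.168.10.20", "198.51.100.7"),    # LAN address on the DMZ port
]
```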

• Upper layers

Some upper layer protocols provide their own defense against IP spoofing. For
example, Transmission Control Protocol (TCP) uses sequence numbers negotiated with
the remote machine to ensure that arriving packets are part of an established
connection. Since the attacker normally can't see any reply packets, the sequence
number must be guessed in order to hijack the connection. The poor implementation in
many older operating systems and network devices, however, means that TCP
sequence numbers can be predicted.

 Other definitions
The term spoofing is also sometimes used to refer to header forgery, the insertion of
false or misleading information in e-mail or netnews headers. Falsified headers are
used to mislead the recipient, or network applications, as to the origin of a message.
This is a common technique of spammers and sporgers, who wish to conceal the origin
of their messages to avoid being tracked down.

5. Man in the middle Attack :

A man in the middle attack is one in which the attacker intercepts messages in a public
key exchange and then retransmits them, substituting his own public key for the
requested one, so that the two original parties still appear to be communicating with
each other.

The attack gets its name from the ball game where two people try to throw a ball directly
to each other while one person in between them attempts to catch it. In a man in the
middle attack, the intruder uses a program that appears to be the server to the client
and appears to be the client to the server. The attack may be used simply to gain
access to the message, or enable the attacker to modify the message before
retransmitting it.

Man in the middle attacks are sometimes known as fire brigade attacks. The term
derives from the bucket brigade method of putting out a fire by handing buckets of water
from one person to another between a water source and the fire.

In the real-world game of keep-away, two people toss a ball back and forth while a third
person, the man in the middle, tries to intercept the ball while it is en route. In the
cyber world, the game of keep-away gets a new twist: the two players have no idea the
man in the middle (MITM) exists. It works like this:

• Computer A initiates conversation with Computer B
• Computer C intercepts that attempt and then relays the request to Computer B
• Computer B responds, Computer C intercepts it, and returns that response to
Computer A.

While Computer C has the intercepted communication, it can modify the communication
or even redirect it to an entirely new destination (i.e. Computer D). Meanwhile,
Computer A continues to believe that it is communicating only with Computer B.

So how does Computer C manage to interject itself between A and B? One way is
through a process known as ARP poisoning. ARP, or Address Resolution Protocol,
uses a 'pick me' approach to resolving computers on a network. When Computer A tries
to communicate with B, ARP sends out a broadcast to the network devices asking 'who
is B?'. But there is no authentication built into ARP and thus ARP has no way of
determining whether the response (pick me) is really B or not. By exploiting this lack of
authentication, Computer C can tell ARP it is Computer B, after which ARP will begin
directing future requests for Computer B to the MITM Computer C.
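Because ARP has no authentication, the practical defence is to watch the replies on the segment for the symptoms the paragraph describes: an IP address that suddenly answers from a different MAC, or one MAC that answers for several addresses. The following monitor is an added example in Python (not code from the original document); the log line format and the sample replies are constructed, and `static_bindings` is a hypothetical table of addresses whose MAC the administrator has pinned.

```python
import re
from collections import defaultdict

# Constructed log format for this example (not any real tool's output):
#   ARP reply <ip> is-at <mac>
ARP_REPLY = re.compile(r"^ARP reply (\S+) is-at ([0-9a-f:]{17})$", re.I)


def detect_arp_poisoning(lines, static_bindings=None):
    """Walk ARP replies in order and return a list of alert strings.

    Alerts when a reply contradicts a static binding, when an IP's MAC changes,
    or when one MAC starts answering for more than one IP address.
    """
    static_bindings = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower()
        expected = static_bindings.get(ip)
        if expected is not None and mac != expected:
            alerts.append(f"{ip} answered by {mac}, static binding says {expected}")
        old = ip_to_mac.get(ip)
        if old is not None and old != mac:
            alerts.append(f"{ip} moved from {old} to {mac} (possible ARP poisoning)")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append(f"{mac} now answers for {sorted(mac_to_ips[mac])}")
    return alerts


# Constructed sample: a gateway, one host, then a third machine claiming both.
SAMPLE_ARP = [
    "ARP reply 192.168.1.1 is-at aa:bb:cc:00:00:01",   # real gateway (B)
    "ARP reply 192.168.1.20 is-at aa:bb:cc:00:00:14",  # host A
    "ARP reply 192.168.1.1 is-at de:ad:be:ef:00:99",   # C claims the gateway
    "ARP reply 192.168.1.20 is-at de:ad:be:ef:00:99",  # C claims host A too
]

if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP, {"192.168.1.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```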

DNS poisoning is another form of MITM attack. The DNS, or Domain Name System,
resolves IP addresses to domain names. Vulnerabilities on the DNS server can allow
attackers to insert malicious DNS information, for example directing all attempts to
access a particular banking site to a lookalike site under the attacker's control.

Hosts file manipulation is another method used to redirect traffic. Every Windows-based
computer has a local Hosts file which, like DNS, resolves IP address to domain names.
However, entries in the local Hosts file typically override DNS and the Hosts file is
generally more accessible to attackers - thus malicious Hosts file manipulation is
common. Spybot's TeaTimer is an excellent option for protecting the Hosts file and
preventing malicious modification.

6 . Password Attack Or Password cracking :

 Password cracking

Password cracking is the process of recovering passwords from data that has been
stored in or transmitted by a computer system. A common approach is to repeatedly try
guesses for the password. The purpose of password cracking might be to help a user
recover a forgotten password (though installing an entirely new password is less of a
security risk, but involves system administration privileges), to gain unauthorized access
to a system, or as a preventive measure by system administrators to check for easily
crackable passwords. On a file-by-file basis, password cracking is used to gain
access to digital evidence for which a judge has allowed access but the particular file's
access is restricted.

 Different types of password attack

• Dictionary Attack

A dictionary attack is an attempt to identify your password by using common words,
names of loved ones, names of pets, birth dates, addresses, and phone numbers.
A dictionary attack begins with the dictionary, essentially a database of commonly used
words to which the attacker can add custom words or conduct a forensic analysis, in
which software scans text documents and adds all words to the dictionary.

• Brute Force Attack

A brute force attack is an attempt to identify your password by systematically evaluating
the bits that make up the password.

• Social Engineering Attack

In a social engineering attack, someone attempts to obtain your password, while
masquerading as a support technician or other authorized individual who needs your
login information, relying on social engineering.

• Keyboard Attack

In a keyboard attack, the perpetrator installs keystroke capture software or hardware on
the victim’s computer.

• Man-in-the-Middle Attack

In a man-in-the-middle attack, a fake login screen is substituted for the real one; user
names and passwords entered on this screen are then sent directly to the attacker.

 Brute force attack

In cryptography, a brute force attack or exhaustive key search is a strategy that can
in theory be used against any encrypted data[1] by an attacker who is unable to take
advantage of any weakness in an encryption system that would otherwise make his task
easier. It involves systematically checking all possible keys until the correct key is
found. In the worst case, this would involve traversing the entire search space.

The key length used in the encryption determines the practical feasibility of performing a
brute force attack, with longer keys exponentially more difficult to crack than shorter
ones. Brute force attacks can be made less effective by obfuscating the data to be
encoded, something that makes it more difficult for an attacker to recognise when he
has cracked the code. One of the measures of the strength of an encryption system is
how long it would theoretically take an attacker to mount a successful brute force attack
against it.
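The "preventive measure by system administrators" mentioned earlier combines both ideas from this section: a check against a dictionary (with the custom variants an attacker would add, such as appended digits and letter-for-digit substitutions) and an estimate of the key space an exhaustive search must cover, which grows exponentially with length. The audit below is an added example in Python (not code from the original document); the word list and the threshold of 60 bits are constructed for the illustration.

```python
import math
import re

# Constructed mini word list; a real audit would load a full dictionary file.
DICTIONARY = {"password", "welcome", "summer", "dragon", "fluffy", "london"}

# Common letter-for-digit/symbol substitutions an attacker's dictionary would undo.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def dictionary_candidates(password):
    """Yield the base forms a dictionary attack would try: lowercase, with
    substitutions undone, and with a trailing run of digits/punctuation removed."""
    base = password.lower()
    yield base
    yield base.translate(LEET)
    stripped = re.sub(r"[\d!@#$%^&*.?]+$", "", base)
    yield stripped
    yield stripped.translate(LEET)


def dictionary_hit(password, dictionary=DICTIONARY):
    """True if any base form of the password is a dictionary word."""
    return any(c in dictionary for c in dictionary_candidates(password))


def brute_force_bits(password):
    """log2 of the search space an exhaustive search must cover, computed from
    the character classes actually present and the length."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33)]
    alphabet = sum(size for pat, size in classes if re.search(pat, password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def audit_password(password, dictionary=DICTIONARY, min_bits=60):
    """Administrator's preventive check: return (ok, list_of_reasons)."""
    reasons = []
    if dictionary_hit(password, dictionary):
        reasons.append("dictionary word (after undoing common substitutions)")
    bits = brute_force_bits(password)
    if bits < min_bits:
        reasons.append(f"brute-force search space only about 2^{bits:.0f}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["Dr4gon2019!", "welcome1", "abcdefgh", "xq9Lm!vT2pRz"]:
        print(pw, audit_password(pw))
```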

7 . Social Engineering Attacks :

Social engineering is the act of manipulating people into performing actions or
divulging confidential information, rather than by breaking in or using technical cracking
techniques; essentially a fancier, more technical way of lying.[1] While similar to a
confidence trick or simple fraud, the term typically applies to trickery or deception for the
purpose of information gathering, fraud, or computer system access; in most cases the
attacker never comes face-to-face with the victim.

"Social engineering" as an act of psychological manipulation was popularized by
hacker-turned-consultant Kevin Mitnick. The term had previously been associated with
the social sciences, but its usage has caught on among computer professionals.

 Social engineering techniques and terms

All social engineering techniques are based on specific attributes of human decision-
making known as cognitive biases.[2] These biases, sometimes called "bugs in the
human hardware," are exploited in various combinations to create attack techniques,
some of which are listed here:

 Pretexting

Pretexting is the act of creating and using an invented scenario (the pretext) to engage
a targeted victim in a manner that increases the chance the victim will divulge
information or perform actions that would be unlikely in ordinary circumstances. It is
more than a simple lie, as it most often involves some prior research or setup and the
use of prior information for impersonation (e.g., date of birth, Social Security Number,
last bill amount) to establish legitimacy in the mind of the target.[3]

This technique can be used to trick a business into disclosing customer information as
well as by private investigators to obtain telephone records, utility records, banking
records and other information directly from junior company service representatives. The
information can then be used to establish even greater legitimacy under tougher
questioning with a manager, e.g., to make account changes, get specific balances, etc.
Pretexting has been an observed law enforcement technique, under the auspices of
which, a law officer may leverage the threat of an alleged infraction to detain a suspect
for questioning and conduct close inspection of a vehicle or premises.
Pretexting can also be used to impersonate co-workers, police, bank, tax authorities, or
insurance investigators — or any other individual who could have perceived authority or
right-to-know in the mind of the targeted victim. The pretexter must simply prepare
answers to questions that might be asked by the victim. In some cases all that is
needed is a voice that sounds authoritative, an earnest tone, and an ability to think on
one's feet.

 Diversion theft

Diversion theft, also known as the "Corner Game"[4] or "Round the Corner Game",
originated in the East End of London.

In summary, diversion theft is a "con" exercised by professional thieves, normally
against a transport or courier company. The objective is to persuade the persons
responsible for a legitimate delivery that the consignment is requested elsewhere —
hence, "round the corner".

With a load/consignment redirected, the thieves persuade the driver to unload the
consignment near to, or away from, the consignee's address, in the pretense that it is
"going straight out" or "urgently required somewhere else".

The "con" or deception has many different facets, which include social engineering
techniques to persuade legitimate administrative or traffic personnel of a transport or
courier company to issue instructions to the driver to redirect the consignment or load.

Another variation of diversion theft is stationing a security van outside a bank on a
Friday evening. Smartly dressed guards use the line "Night safe's out of order, Sir". By
this method shopkeepers etc. are gulled into depositing their takings into the van. They
do of course obtain a receipt, but later this turns out to be worthless. A similar technique
was used many years ago to steal a Steinway grand piano from a radio studio in
London; "Come to overhaul the piano, guv" was the chat line. Nowadays ID would
probably be asked for, but even that can be faked.

The social engineering skills of these thieves are well rehearsed, and are extremely
effective. Most companies do not prepare their staff for this type of deception.

 Phishing

Phishing is a technique of fraudulently obtaining private information. Typically, the
phisher sends an e-mail that appears to come from a legitimate business — a bank, or
credit card company — requesting "verification" of information and warning of some dire
consequence if it is not provided. The e-mail usually contains a link to a fraudulent web
page that seems legitimate — with company logos and content — and has a form
requesting everything from a home address to an ATM card's PIN.
For example, 2003 saw the proliferation of a phishing scam in which users received e-
mails supposedly from eBay claiming that the user's account was about to be
suspended unless a link provided was clicked to update a credit card (information that
the genuine eBay already had). Because it is relatively simple to make a Web site
resemble a legitimate organization's site by mimicking the HTML code, the scam
counted on people being tricked into thinking they were being contacted by eBay and
subsequently, were going to eBay's site to update their account information. By
spamming large groups of people, the "phisher" counted on the e-mail being read by a
percentage of people who already had listed credit card numbers with eBay legitimately,
who might respond.

 IVR or phone phishing

This technique uses a rogue Interactive voice response (IVR) system to recreate a
legitimate-sounding copy of a bank or other institution's IVR system. The victim is
prompted (typically via a phishing e-mail) to call in to the "bank" via a (ideally toll free)
number provided in order to "verify" information. A typical system will reject log-ins
continually, ensuring the victim enters PINs or passwords multiple times, often
disclosing several different passwords. More advanced systems transfer the victim to
the attacker posing as a customer service agent for further questioning.

One could even record the typical commands ("Press one to change your password,
press two to speak to customer service" ...) and play back the direction manually in real
time, giving the appearance of being an IVR without the expense.

Phone phishing is also called vishing.

 Baiting

Baiting is like the real-world Trojan Horse that uses physical media and relies on the
curiosity or greed of the victim.[5]

In this attack, the attacker leaves a malware infected floppy disk, CD ROM, or USB
flash drive in a location sure to be found (bathroom, elevator, sidewalk, parking lot),
gives it a legitimate looking and curiosity-piquing label, and simply waits for the victim to
use the device.

For example, an attacker might create a disk featuring a corporate logo, readily
available from the target's web site, and write "Executive Salary Summary Q2 2010" on
the front. The attacker would then leave the disk on the floor of an elevator or
somewhere in the lobby of the targeted company. An unknowing employee might find it
and subsequently insert the disk into a computer to satisfy their curiosity, or a good
samaritan might find it and turn it in to the company.
In either case as a consequence of merely inserting the disk into a computer to see the
contents, the user would unknowingly install malware on it, likely giving an attacker
unfettered access to the victim's PC and perhaps, the targeted company's internal
computer network.

Unless computer controls block the infection, PCs set to "auto-run" inserted media may
be compromised as soon as a rogue disk is inserted.

 Quid pro quo

Quid pro quo means something for something:

• An attacker calls random numbers at a company claiming to be calling back from
technical support. Eventually they will hit someone with a legitimate problem,
grateful that someone is calling back to help them. The attacker will "help" solve
the problem and in the process have the user type commands that give the
attacker access or launch malware.

• In a 2003 information security survey, 90% of office workers gave researchers
what they claimed was their password in answer to a survey question in
exchange for a cheap pen.[6] Similar surveys in later years obtained similar
results using chocolates and other cheap lures, although they made no attempt
to validate the passwords.[7]

 Other types

Common confidence tricksters or fraudsters also could be considered "social engineers"
in the wider sense, in that they deliberately deceive and manipulate people, exploiting
human weaknesses to obtain personal benefit. They may, for example, use social
engineering techniques as part of an IT fraud.

A more recent type of social engineering technique involves spoofing or hacking the IDs
of people who have popular e-mail IDs such as Yahoo!, GMail, Hotmail, etc. Among the
many motivations for deception are:

• Phishing credit-card account numbers and their passwords.
• Hacking private e-mails and chat histories, and manipulating them by using
common editing techniques before using them to extort money and creating
distrust among individuals.
• Hacking websites of companies or organizations and destroying their reputation.
• Computer virus hoaxes

8 . Wireless Security issue :

• Threats to the Wireless Network

One critical difference between Ethernet and wireless is that wireless networks are built
on a shared medium. They more closely resemble the old network hubs than modern
switches, in that every computer connected to the network can “see” the traffic of every
other user. To monitor all network traffic on an access point, one can simply tune to the
channel being used, put the network card into monitor mode, and log every frame. This
data might be directly valuable to an eavesdropper (including data such as email, voice
data, or online chat logs). It may also provide passwords and other sensitive data,
making it possible to compromise the network even further. As we'll see later in this
chapter, this problem can be mitigated by the use of encryption.

Another serious problem with wireless networks is that their users are relatively
anonymous. While it is true that every wireless device includes a unique MAC address
that is supplied by the manufacturer, these addresses can often be changed with
software. Even given the MAC address, it can be very difficult to judge where a wireless
user is physically located. Multipath effects, high gain antennas, and widely varying
radio transmitter characteristics can make it impossible to determine if a malicious
wireless user is sitting in the next room or is in an apartment building a mile away.

While unlicensed spectrum provides a huge cost savings to the user, it has the
unfortunate side effect that denial of service (DoS) attacks are trivially simple. By simply
turning on a high powered access point, cordless phone, video transmitter, or other
2.4GHz device, a malicious person could cause significant problems on the network.
Many network devices are vulnerable to other forms of denial of service attacks as well,
such as disassociation flooding and ARP table overflows.

Here are several categories of individuals who may cause problems on a wireless
network:

• Unintentional users. As more wireless networks are installed in densely
populated areas, it is common for laptop users to accidentally associate to the
wrong network. Most wireless clients will simply choose any available wireless
network when their preferred network is unavailable. The user may then make
use of this network as usual, completely unaware that they may be transmitting
sensitive data on someone else's network. Malicious people may even take
advantage of this by setting up access points in strategic locations, to try to
attract unwitting users and capture their data.

The first step in avoiding this problem is educating your users, and stressing the
importance of connecting only to known and trusted networks. Many wireless
clients can be configured to only connect to trusted networks, or to ask
permission before joining a new network. As we will see later in this chapter,
users can safely connect to open public networks by using strong encryption.
• War drivers. The “war driving” phenomenon draws its name from the popular
1983 hacker film, “War Games”. War drivers are interested in finding the physical
location of wireless networks. They typically drive around with a laptop, GPS, and
omnidirectional antenna, logging the name and location of any networks they
find. These logs are then combined with logs from other war drivers, and are
turned into graphical maps depicting the wireless “footprint” of a particular city.

The vast majority of war drivers likely pose no direct threat to networks, but the
data they collect might be of interest to a network cracker. For example, it might
be obvious that an unprotected access point detected by a war driver is located
inside a sensitive building, such as a government or corporate office. A malicious
person could use this information to illegally access the network there. Arguably,
such an AP should never have been set up in the first place, but war driving
makes the problem all the more urgent. As we will see later in this chapter, war
drivers who use the popular program NetStumbler can be detected with
programs such as Kismet. For more information about war driving, see sites such
as www.wifimaps.com, www.nodedb.com, or www.netstumbler.com .

• Rogue access points. There are two general classes of rogue access points:
those incorrectly installed by legitimate users, and those installed by malicious
people who intend to collect data or do harm to the network. In the simplest case,
a legitimate network user may want better wireless coverage in their office, or
they might find security restrictions on the corporate wireless network too difficult
to comply with. By installing an inexpensive consumer access point without
permission, the user opens the entire network up to potential attacks from the
inside. While it is possible to scan for unauthorized access points on your wired
network, setting a clear policy that prohibits them is very important.

The second class of rogue access point can be very difficult to deal with. By
installing a high powered AP that uses the same ESSID as an existing network, a
malicious person can trick people into using their equipment, and log or even
manipulate all data that passes through it. Again, if your users are trained to use
strong encryption, this problem is significantly reduced.
• Eavesdroppers. As mentioned earlier, eavesdropping is a very difficult problem
to deal with on wireless networks. By using a passive monitoring tool (such as
Kismet), an eavesdropper can log all network data from a great distance away,
without ever making their presence known. Poorly encrypted data can simply be
logged and cracked later, while unencrypted data can be easily read in real time.

If you have difficulty convincing others of this problem, you might want to
demonstrate tools such as Etherpeg (www.etherpeg.org) or Driftnet
(www.ex-parrot.com/~chris/driftnet/). These tools watch a wireless network for graphical
data, such as GIF and JPEG files. While other users are browsing the Internet,
these tools simply display all graphics found in a graphical collage. I often use
tools such as this as a demonstration when lecturing on wireless security. While
you can tell a user that their email is vulnerable without encryption, nothing drives
the message home like showing them the pictures they are looking at in their
web browser.

Again, while it cannot be completely prevented, proper application of strong
encryption will discourage eavesdropping.
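The second class of rogue access point above, a radio that announces the network's own ESSID from hardware the administrator never installed, can be spotted by comparing a scan against the list of authorized BSSIDs. The check below is an added example in Python (not code from the original document); the scan-log format, the authorized table and the sample scan are constructed, and it also flags "lookalike" names that differ from the real ESSID only by case or whitespace.

```python
import re
from collections import namedtuple

# Constructed scan-log format for this example (not any real tool's output):
#   <BSSID> ch=<channel> sig=<dBm> ssid=<name>
SCAN_LINE = re.compile(r"^([0-9a-f:]{17}) ch=(\d+) sig=(-?\d+) ssid=(.*)$", re.I)
Observation = namedtuple("Observation", "bssid channel signal ssid")


def parse_scan(lines):
    """Turn scan-log lines into Observation records, skipping malformed lines."""
    obs = []
    for line in lines:
        m = SCAN_LINE.match(line.strip())
        if m:
            obs.append(Observation(m.group(1).lower(), int(m.group(2)),
                                   int(m.group(3)), m.group(4)))
    return obs


def find_rogue_aps(observations, authorized):
    """authorized: {essid: set_of_bssids} of the access points we installed.

    Returns a list of (kind, observation) where kind is
      'evil-twin'  - our exact ESSID announced by a BSSID we do not own, or
      'lookalike'  - an ESSID that differs from ours only by case/whitespace.
    """
    normalized_ours = {essid.strip().lower() for essid in authorized}
    findings = []
    for o in observations:
        if o.ssid in authorized:
            if o.bssid not in authorized[o.ssid]:
                findings.append(("evil-twin", o))
        elif o.ssid.strip().lower() in normalized_ours:
            findings.append(("lookalike", o))
    return findings


# Constructed inventory of the APs we installed, keyed by ESSID.
AUTHORIZED = {"CorpNet": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

# Constructed scan: two of ours, a strong unknown radio using our name,
# a lookalike name, and an unrelated neighbour.
SAMPLE_SCAN = [
    "00:11:22:33:44:01 ch=6 sig=-50 ssid=CorpNet",
    "00:11:22:33:44:02 ch=11 sig=-60 ssid=CorpNet",
    "de:ad:be:ef:00:01 ch=6 sig=-30 ssid=CorpNet",
    "de:ad:be:ef:00:02 ch=1 sig=-70 ssid=corpnet",
    "aa:bb:cc:dd:ee:ff ch=1 sig=-80 ssid=NeighborWifi",
]

if __name__ == "__main__":
    for kind, o in find_rogue_aps(parse_scan(SAMPLE_SCAN), AUTHORIZED):
        print(f"{kind}: {o.bssid} ch{o.channel} {o.signal}dBm ssid={o.ssid!r}")
```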

This introduction is intended to give you an idea of the problems you are up against
when designing a wireless network. Later in this chapter, we will look at tools and
techniques that will help you to mitigate these problems.
