Common Types of Network Attacks

Without security measures and controls in place, your data might be subjected to an attack. Some
attacks are passive, meaning information is monitored; others are active, meaning the
information is altered with intent to corrupt or destroy the data or the network itself.

Your networks and data are vulnerable to any of the following types of attacks if you do not have
a security plan in place.

Eavesdropping

In general, the majority of network communications occur in an unsecured or "cleartext" format,

which allows an attacker who has gained access to data paths in your network to "listen in" or
interpret (read) the traffic. When an attacker is eavesdropping on your communications, it is
referred to as sniffing or snooping. The ability of an eavesdropper to monitor the network is
generally the biggest security problem that administrators face in an enterprise. Without strong
encryption services that are based on cryptography, your data can be read by others as it
traverses the network.

Data Modification

After an attacker has read your data, the next logical step is to alter it. An attacker can modify the
data in the packet without the knowledge of the sender or receiver. Even if you do not require
confidentiality for all communications, you do not want any of your messages to be modified in
transit. For example, if you are exchanging purchase requisitions, you do not want the items,
amounts, or billing information to be modified.

Identity Spoofing (IP Address Spoofing)

Most networks and operating systems use the IP address of a computer to identify a valid entity.
In certain cases, it is possible for an IP address to be falsely assumed— identity spoofing. An
attacker might also use special programs to construct IP packets that appear to originate from
valid addresses inside the corporate intranet.

After gaining access to the network with a valid IP address, the attacker can modify, reroute, or
delete your data. The attacker can also conduct other types of attacks, as described in the
following sections.

Password-Based Attacks

A common denominator of most operating system and network security plans is password-based
access control. This means your access rights to a computer and network resources are
determined by who you are, that is, your user name and your password.
Older applications do not always protect identity information as it is passed through the network
for validation. This might allow an eavesdropper to gain access to the network by posing as a
valid user.

When an attacker finds a valid user account, the attacker has the same rights as the real user.
Therefore, if the user has administrator-level rights, the attacker also can create accounts for
subsequent access at a later time.

After gaining access to your network with a valid account, an attacker can do any of the
following:

 Obtain lists of valid user and computer names and network information.
 Modify server and network configurations, including access controls and routing tables.
 Modify, reroute, or delete your data.

Denial-of-Service Attack

Unlike a password-based attack, the denial-of-service attack prevents normal use of your
computer or network by valid users.

After gaining access to your network, the attacker can do any of the following:

 Randomize the attention of your internal Information Systems staff so that they do not
see the intrusion immediately, which allows the attacker to make more attacks during the
diversion.
 Send invalid data to applications or network services, which causes abnormal termination
or behavior of the applications or services.
 Flood a computer or the entire network with traffic until a shutdown occurs because of
the overload.
 Block traffic, which results in a loss of access to network resources by authorized users.

Man-in-the-Middle Attack

As the name indicates, a man-in-the-middle attack occurs when someone between you and the
person with whom you are communicating is actively monitoring, capturing, and controlling
your communication transparently. For example, the attacker can re-route a data exchange.
When computers are communicating at low levels of the network layer, the computers might not
be able to determine with whom they are exchanging data.

Man-in-the-middle attacks are like someone assuming your identity in order to read your
message. The person on the other end might believe it is you because the attacker might be
actively replying as you to keep the exchange going and gain more information. This attack is
capable of the same damage as an application-layer attack, described later in this section.

Compromised-Key Attack
A key is a secret code or number necessary to interpret secured information. Although obtaining
a key is a difficult and resource-intensive process for an attacker, it is possible. After an attacker
obtains a key, that key is referred to as a compromised key.

An attacker uses the compromised key to gain access to a secured communication without the
sender or receiver being aware of the attack.With the compromised key, the attacker can decrypt
or modify data, and try to use the compromised key to compute additional keys, which might
allow the attacker access to other secured communications.

Sniffer Attack

A sniffer is an application or device that can read, monitor, and capture network data exchanges
and read network packets. If the packets are not encrypted, a sniffer provides a full view of the
data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless
they are encrypted and the attacker does not have access to the key.

Using a sniffer, an attacker can do any of the following:

 Analyze your network and gain information to eventually cause your network to crash or
to become corrupted.
 Read your communications.
EXTRA
Introduction to network attacks : Network Layer

Let’s continue our small review of network attacks, by checking this time some typical attacks
on the network layer. There are the most known examples of what can be done.

ARP cache poisoning

ARP works basically on broadcast :

 when a machine connects to the network, it broadcasts its MAC address to the LAN (ethernet
broadcast)
 when a machine needs to find a recipient (for a given IP), it sends a request using broadcast.

When this learning process is over, the machine keeps the information in its ARP cache, that to
save the network resources. The cache is a simple correspondence table of MAC / IP addresses.

You can have a look to your ARP cache with :

$ arp -a

Beyond its convenience, the big problem with broadcasting is that it does not authentication at
all.

So, you can easily see how easy it is to corrupt an ARP cache with some forged packet. As the
MAC address the only way to route date on an ethernet LAN, the potential impact of this attack
is huge !

For best efficiency, the attacker will flood the targets with faked ARP responses at an high rate.
That way, it gives little chance to a valid ARP record to survive long, as it will get quickly
overwritten in the cache.

Nowadays, there are many convenient tools to drive this attack, like Ettercap.

You can start it in graphic mode :

$ ettercap -G

Got to the “Sniff / United sniffing” menu and select your network interface :
“Hosts / scan for hosts” menu allow you to quickly visualize the machines of the LAN.
Then, in the “Mitm” (Man In The Middle) menu, choose “Arp cache poisonning” :

Finally, “start / start sniffing” (default is all machines are targeted) :

Immediatly, Ettercap starts collecting data. Here some POP credentials can be read :
Several workaround can be set against this, though none is really satisfying :

1. use static ARP entries for the LAN (arp -s 192.168.1.1 11-22-33-44-11-11) ; that is really not
convenient, not scalable and unpractical for mobile devices ;
2. some switches can detect MAC address changes and deactivate their port (look at switchport
port-security on Cisco switches) ;
3. there are some tools to be set on a probe ; arpwatch for Linux checks the LAN and send an alert
by mail or to syslog in case of maliscious ARP events ;
4. more generic IDS / IPS like Snort should also be able to detect this attack ;
5. Radius / EAP hardware devices authentication is a more complex solution but the recommended
one on large networks.

ICMP Attacks

ICMP is a protocol that is just over IP in the networking stack, aimed to diagnose links. A
standard ping, for instance, is based on this protocol.
In some cases, it could be used to drive some attacks.

Ping of the Death

That’s the historical attack. An ICMP packet is encapsulated inside an IP datagram.

An ICMP datagram is structured as below :

A few ICMP requests types :

0 = echo reply
8 = echo request
11 = TTL expired
12 = option error (wrong header)

The maximum size of an IP datagram is 65 535 octets, though each ethernet link has a maximum
ethernet packet size that it can support. That is the MTU value (default is 1500 octets).
When a packet bigger than this size must be sent, it is fragmented in smaller sized packets which
are sent one after another. They will be reassembled by the recipient in the right order.
For instance in the case of an ICMP echo request (ping), the ICMP header has a lenght of 8
octets and the IP header in which it is encapsulated is of 20 octets (without any additional
option).
So :
65535 – 20 – 8 = 65507 octets are left available at most for the data field of the ICMP packet.
If an ICMP packet bigger than this size is built and sent, it will be send fragmented to the
recipient.
When the recipient reassembles it, it gets an invalid IP datagram with a size bigger than 65 535
octets.

A sane IP stack would just drop it.

But in the past, that leaded to a buffer overflow DoS attack.
with many old IP stacks (Windows 95, NT, Linux 2.0, …), this caused some unexpected
behaviour : networking crash, system freeze, reboot…
The IP stack had a buffer for 65 535 octets without exception catching in case of superior sized
packet. That caused the memory to be written with the extra bits anywhere, with unpredictable
effects.

Nowadays, all systems must be protected against this well known attack, but unfortunately the
same kind of behaviour is regularly found in different protocols or applications.

If you try to practice this attack, you will see that ping prevents it :

$ ping -s 65508 192.168.1.1

Error: packet size 65508 is too large. Maximum is 65507

Sing is a nice tool to easily play with ICMP packets. No problem this time :

$ sing -s 65508 192.168.1.1

The capture below shows the packet fragmentation that results :

How to protect from such issues ? Check regularly vulnerabilities issues and keep your system
up to date.
Many administrators just block all the ICMP protocol on their firewall. It is a kind of
overreaction : ICMP is in no way a danger, but is really useful when you need some diagnosis. If
you also think that blocking it hides your network topology, you are wrong but that is another
subject.
So update your systems, allow ICMP (and somehow prepare yourself for IPv6 ).
ICMP Flood

Another very basic attack. It consists in sending as many and as big as possible ping requests at a
high rate.
The goal is to saturate the target ressources : bandwith and responsiveness as the target network
card has to process a lot of data.

On modern hardware, there are little chances that an isolated attack has any sensible impact.
Also, a well configured firewall or a good OS should discard high rated requests.

However, this still can be efficient on weak topologies and when it comes from multiples
sources.
I am of course thinking about botnets, built with infected PC, that can scale from hundreds to
thousands of machines.

Hping is a famous tool that allow to easily forge all kind of TCP, UDP and ICMP packets with
their options.

It takes just one line to flood a taget :

$ hping3 --flood -1 192.168.1.1

Just to mention that you could have done it as well with Sing :

$ sing -T 0 192.168.1.1

Pong attack

This attack may lay to topology discovery.

As mentioned above, many administrator block ICMP from their firewall for security purpose. In
general, the applied rule filters requests from the outside, but still responses from inside’s
requests are allowed.

The trick here is to send a response on a target list of IP which are supposed to be find behind the
firewall.

If it goes through the firewall, two cases are possible :

1. the packet reaches the target, but this one destroys the packet as it was not waiting for
anything. As a result, the attacker does not get any response.
2. the packet never reaches its target, because there is no target (the machine is off or the IP is not
allocated) ; in that case, the firewall should answer with an ICMP packet “host unreachable”.

By scanning an IP range, we are able that way to guess the network map that is behind the
firewall.
If you just want to try it using ping, you will need something like tcpdump to see the “host
unreachable response”.

For instance, on my network, there is not an IP such as 192.168.1.99 :

$ sing -reply 192.168.1.99

$ tcpdump icmp
tcpdump: WARNING: arptype 65534 not supported by libpcap - falling back to
cooked socket
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
15:21:55.142086 IP 10.8.0.6 > 192.168.1.99: ICMP echo reply, id 58219, seq 0,
length 16
15:21:58.192068 IP 10.8.0.1 > 10.8.0.6: ICMP host 192.168.1.99 unreachable,
length 44
15:22:23.086762 IP 10.8.0.6 > star.int.jcbnet.org: ICMP echo reply, id 64619,
seq 0, length 16

That’s confirmed.
Other uses of this attack can be imagined. Like firing up a flood attack targeting something
behind the firewall.
It shows one of the limit of filtered based firewalling. A well configured IDS/IPS must be set up 
to detect all these well known ICMP attacks and block them.

IP spoofing

The goal of IP spoofing is to take advantage of the network accesses a target may be granted
with.
Nowadays, the fact is that still many applications rely – sometimes uniquely – on the IP address
as a source of authentication. Not only obsolete services (rsh, login, telnet), but some widely
used like DNS or SMTP. Not to mention the firewalling rules.
Altering an IP packet with an IP address that is not yours is not a difficult thing. It just consists in
using a raw socket not to use the system IP stack that would certainly discard such packets.
Many tools can do it.
However, because the IP address is reused the higher layer – transport layer, the attacker has to
consider the UDP and TCP protocol.
There is nothing much to do concerning UDP, as it is a non-connected protocol. The attacker will
be free to send the requests he wants.
However, because the TCP protocol opens a session, the attacker will have much more work to
do.
The big issue is that he will never receive the answers from the packets he sends – the real host
will. Therefore, it is necessary to blindly guess what is going on, not to loose the session.

There are several methods :

1. Initiating a new session and guessing the TCP sequence numbers :To be established, a TCP
session follow a strict order : SYN, SYN-ACK and ACK. Each packet sent through TCP must be
aknowledge. To differentiate the packets and send back that way an individual ACK, each
 packets has its own TCP sequence number. For every new packet, the sequence number is
increased by the sender.
This illustrates better :

What the attacker has to do is sending the right ACK at the right moment, with not only the
good TCP content but a proper TCP sequence number.
This technic is somehow historical, as nowadays modern systems generate a random TCP
sequence number that is very hard to predict (even using flood).
2. Stealing an existing session :It requires the attacker to be somewhere on the ethernet link
between the two targets. It becomes easier to generate proper sequence numbers by sniffing a
legitimate conversation.
3. Combining several LAN attacks :If the attacker is on the LAN, he can combine several attacks
(ARP, DoS, SNAT) to sniff and block legitimate traffic and replay it.

As this attack requires pretty much efforts, an alternative driving to the same effect is often used
instead : DNS poisoning.
Otherwise, if the goal of IP spoofing is just DoS, the attacker don’t need to care about all that.
This is unfortunately the most frequent use.
The goal is to hide a bit more the attacker and to make it difficult to build a proper defensive
firewalling rule (what IP to use to block the aggressive packets ?).
All the attacker need to do is to send the forged packets without caring of responses at all.
A good protection starts by controlling the lower layer attacks (ARP, sniffing, …).

Then, firewalls should have a proper rule limiting the rate of SYN packets for any source, to
prevent flood attacks trying to catch a valid TCP number.

Finally, always use up-to-date systems that have a strong randomization algorithm for TCP
sequence numbers.
I would like to add that, as much as possible, weak authenticated application should be
suppressed. Unfortunately, it won’t be an easy thing to work without DNS, SMTP and so on…

Conclusion

That’s it for this quick tour of network layer attacks. It shows how weak many protocols are and
the power an attacker can get. Next time, we will quickly talk about transport layer attacks, as
this article already started to cover it (TCP).