Pass your certification exam. Faster. Guaranteed.

Network Attacks Transcription

Welcome to our Common Network Attacks and Countermeasures module. Wireless networks are detectable, even if you attempt to hide the SSID from broadcasting. Once a wireless local area network is discovered, attackers can then attempt to exploit vulnerabilities. There are several free utilities that allow attackers to footprint networks in the area.

Terms have been developed for this type of activity, including war walking where someone walks around attempting to find networks. War driving, where a person drives around in a vehicle equipped with a laptop, an antenna and a GPS, in order to locate available wireless local area networks. And plot the locations of those networks on a map using Global Positioning System, or GPS.

Warchalking is when individuals mark buildings or sidewalks to notify other users in the area of available wireless networks. This is commonly used for pedestrians. Site surveys are an analysis conducted by your engineers. This can help you to plan your wireless local area network, and also verify that everything is functioning properly after the system is installed.

It can also help you to detect rogue or unauthorized wireless access points, and you should remember that site surveys are a method to discover these unauthorized devices for the CISSP examination. Impersonation, or spoofing, is where an individual attempts to impersonate a person who is authorized on your network by using their credentials.

They can steal the credentials that are used to authenticate on the wireless local area network because pre-shared keys are very susceptible to theft and dictionary attacks. You can also spoof a MAC address to trick the wireless local area network device into thinking that you are in authorized device attempting to connect.

In order to prevent these type of attacks, you should use strong authentication mechanisms, preferably at least two factor authentication, as well as digital signatures and one time use passwords. You also have to be concerned about individuals intercepting your packets because this is very easy on public wireless networks.

You should never use public wireless networks to perform any type of sensitive communications. If you do find yourself needing to use a public wireless network, you should use a virtual private network to encrypt the communications between you and your recipient. You should never use your passwords or log into any websites using public WiFi, because individuals can capture your log in session and then pretend to be you on that website.

You also have to be concerned with individuals modifying, or altering, the data before you receive it. Man in the middle attacks is where an individual sets up an evil twin rogue access point. For example, if you go in to Starbucks, there could be an individual in there who has set up a fake access point on their laptop computer called Starbucks, causing individuals to connect to it thinking they are connecting to the actual Starbucks.

Instead, they are now connecting to the man in the middle, who is able to view all of the traffic that they send to wherever they're communicating with. In order to avoid these types of attacks, you can use WIFI protected access or WPA or WPA2, digital signatures to provide for mutual authentication.

And virtual private networks to encrypt the traffic so the individual is not able to place themselves between the two parties that are communicating. You can also have flooding attacks, which is a denial of service attack, attempting to take your system offline, so that your legitimate users are not able to use it.

For example, if an attacker sends more data than a system can handle, or sends several pings, or mail bombs, or malformed packets, they may be able to take your system offline. They can also jam the radio frequencies so that WiFi will not function correctly. In order to avoid these types of attacks, you should use multiple frequencies, filter packets before they reach the destination to insure that they are not malformed, or otherwise malicious.

And also patch your systems and your wireless network devices to make sure that they are up to date to avoid any attacks that have already been corrected by the manufacturer. Web spoofing attacks is where an impersonation occurs at the server level. The attacker redirects a user to a different site that appears to be the legitimate site.

For example, a PayPal login page that is not actually PayPal. Then your user attempts to log in, and the attacker now has the users username and password. This is common with email phishing, which is a social engineering technique, in which an attacker sends out an email message attempting to get an employee or user to click on a malicious link or a link to a fictitious website.

With a DNS poisoning attack, an attacker inserts bad information into a DNS server record, to point a legitimate website to a different hostile website. For example, when a user enters google.com, now the DNS server has been modified and they are forwarded to the fictitious google.com, which is a malicious site, rather than the real google.com.

In order to avoid this, you should use the most updated version of DNS and also provide for authentication of the DNS server using DNSSEC. You should be familiar with these types of attacks for the CISSP examination. We also have a few older style attacks that you should be familiar with because they could still occur, although they are much less popular.

The smurf attack is where the attacker uses ICMP echo broadcast traffic, and transmits it to all hosts on a network with a spoofed source address. All of the systems on the network will then begin sending ICMP echo reply packets to the victim. This causes the victim's system to go offline. The fragal attack is a denial of service attack similar to the smurf attack, but instead of broadcasting ICMP traffic, it broadcasts UDP data. You should be familiar with both of these types of attacks for the CISSP examination. With a distributed denial of service attack, or DDOS attack, you attempt to commit available resources on a system, so that it cannot respond to valid requests from legitimate users.

These attacks can be distributed and amplified by many other systems known as a botnet to commit the attack. Zombies are part of the botnet and they are compromised hosts, which are used to launch attacks against a specific target. The bot herder is the command in control center, which notifies the zombies of who to attack.

Here we can see a command and control system on the left, the attacker is notifying the bots or zombies via the handlers to attack a specific target. This is much more effective than attacking with a single machine. We call this a distributed denial of service attack because we have many different systems which can all be in different geographic locations, or distributed to attack a single target.

You can attempt to prevent distributed denial of service attacks at your land perimeter by dropping all ICMP packets, which originate from the internet at the firewall. There is no reason for individual's outside of your network on the internet to send you ICMP packets to your internal network. You should also drop any requests to broadcast addresses, because you do not want external individuals broadcasting traffic to all of the systems on your network.

You can also use ingress and egress filtering. Ingress filtering prohibits packets within internal source addresses from entering your network. And egress filtering prohibits packets from leaving your network with internal source addresses. Egress filtering prevents your network from being used to attack other individual's networks. This concludes our common network attacks, and counter measures module.

Thank you for watching.