Cyber Security: Network Threats


36 Questions

What is a sniffer?

An application or device designed to capture network traffic as it moves across the network.

Which protocols are vulnerable to sniffing attacks?

HTTP

Session hijacking relies on sniffing network traffic

True

___ is the process of giving DNS servers false records to get them cached.

DNS cache poisoning

What is the main goal of a Man-in-the-Middle attack?

To intercept all communications between two hosts and modify them.

What type of attack is carried out when a large amount of traffic is directed to the broadcast address of a network instead of to a specific system?

Smurf attack

What does DDoS stand for?

Distributed Denial of Service

The __________ Layer is responsible for breaking data into packets and transmitting it over the network.

Transport

Encryption primarily takes place at the Session Layer.

False

What is port knocking?

Port knocking is the act of attempting to make connections to blocked ports in a certain order in an attempt to open a port.

Port knocking is susceptible to replay attacks.

True

What is one good way of protecting against replay attacks in port knocking?

Using a time-dependent knock sequence

What is IP Spoofing?

IP Spoofing is an attempt by an intruder to send packets from one IP address that appear to originate at another.

Which of the following is a form of IP Spoofing?

Blind Spoofing

MAC flooding aims to flood the switch with fake __________ addresses to all ports.

MAC

Match the following with their definitions:

  • MAC Filtering = Create 'block' or 'allow' lists of MAC addresses
  • ARP Spoofing = An attempt to send fake ARP messages
  • DDoS Attack = Amplifies a DoS attack by using multiple hosts
  • Ping of Death = Sending oversized packets to crash systems

What are some examples of what organizations are trying to protect in terms of cyber security? (Select all that apply)

Services availability and Productivity

The CIA Triad stands for Confidentiality, Integrity, and Accountability. Is this statement true or false?

False

Define Cyber Security based on the NIST Computer Security Handbook definition.

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

___ is the concept that verifies users are who they say they are and that each input arriving at the system came from a trusted source.

Authenticity

Match the following terms with their definitions:

  • Risk = Possibility of loss, injury, or other adverse or welcome circumstance
  • Threat = Vulnerabilities, events, or individuals that could cause harm if exploited
  • Breach = Result of exploited threats that violate security tenets
  • Countermeasure = Measures put in place to mitigate identified risks

What is the role of a protocol in computer communication?

Defines the rules for communication between computers

Which protocol sends data out as soon as there is enough data to be transmitted?

User Datagram Protocol (UDP)

DNS provides a distributed database over the internet that stores various resource records.

True

DHCP is used within a network to simplify the configuration of each user’s ____________.

computer

Match the following TCP flags with their meanings:

  • SYN = Synchronise
  • ACK = Acknowledge
  • FIN = Finished
  • RST = Reset

Which of the following categories does human attack surface refer to?

Vulnerabilities created by personnel or outsiders

Economy of mechanism states that security design should be as complex and large as possible.

False

What principle dictates that every access must be checked against the access control mechanism?

Complete mediation

Ethical hackers require permission to engage in __________ testing.

penetration

Match the hacking methodology stage with its description:

  • Reconnaissance = Information gathering stage using passive attacks and Open Source Intelligence (OSINT)
  • Scanning and enumeration = Identifying network layouts, domains, servers, and infrastructure details
  • Gaining Access = Stage designed to gain access to the target system
  • Maintaining Access = Stage where access to the system is maintained
  • Covering Tracks = Stage where the attacker tries to cover their tracks

Why is the reconnaissance stage crucial in security testing?

To identify additional information that may have been overlooked

Enumeration is used to collect usernames, hostnames, IP addresses, passwords, configurations, etc.

True

Attackers break into the network, delivering targeted malware to vulnerable systems and people, often without the user being aware they are a target. They then map the organization's defenses from the inside and create a battle plan for the information they intend to target. This process is known as ________.

infiltration

What is the purpose of gaining elevated privileges in a cyber attack?

move freely within the environment

Match the following social engineering example with its description:

  • Elicitation = The subtle extraction of information during an apparently normal and innocent conversation
  • Pretexting = Creating a story or lie during a social engineering engagement

Study Notes

Network Threats

  • Malicious activities on the rise: Examples of malicious attacks are everywhere, and data breaches occur in both public and private sectors.
  • Top countries of origin for cyberattacks: In 2020, China was the top country of origin for cyberattacks (41%), followed by the United States (10%).

Sniffers

  • Definition: A technology used to steal or observe information, allowing the viewing of email passwords, web passwords, FTP credentials, email contents, and transferred files.
  • How it works: When a network adapter is in promiscuous mode, a sniffer can capture all traffic, regardless of the destination address.
  • Threats to protocols: Sniffers can target Telnet, HTTP, SMTP, POP, and FTP protocols, which are sent in the clear without protection.

Application Layer Attacks

  • HTTP Basic Authentication: Insecure, as full credentials pass over the wire and are sent in the clear.
  • DNS Attacks: DNS poisoning occurs when an attacker attempts to change the IP associated with a server maliciously, and DNS cache poisoning occurs when false records are cached.
  • Session Hijacking: Occurs when an attacker takes over a session that has authenticated access to a resource, and can be categorized into three types: man-in-the-middle, blind hijack, and session theft attacks.
  • Identifying an Active Session: An attacker must locate and identify a suitable session for hijacking, and determine or guess the sequence numbers.

Network Layer Attacks

  • IP Vulnerabilities: Unencrypted transmission, no source authentication, no integrity checking, and no bandwidth constraints make IP vulnerable to attacks.
  • IP Spoofing Attacks: An attacker sends packets from one IP address that appear to originate from another, and can be categorized into two types: blind and non-blind spoofing.
  • MAC Flooding: The goal is to flood the switch with fake MAC addresses to all ports, causing the switch to fail.
  • MAC Filtering and Spoofing: MAC filtering is a security control, but it is easy to spoof the MAC address, making it ineffective.
  • ARP Spoofing and Poisoning: A rogue machine can spoof other machines by updating the ARP table, and ARP poisoning is a method of bypassing a switch where sniffing is performed on an IPv4 network.

Denial of Service Attacks

  • Definition: A type of attack that prevents legitimate users from accessing the system, intended to prevent services from being delivered.
  • Goal: To consume resources, disrupt a service or server, or prevent services from being delivered.

Networking Fundamentals and Security

Physical Limitations of Computers

  • Number of users
  • Size of files
  • Speed of transmission
  • Amount of data stored

Denial of Service (DoS) Attacks

  • Aims to prevent valid users from accessing network resources
  • Types of DoS attacks:
    • Exploiting programming defects to cause a crash
    • Consuming resources (e.g. SYN flood, ICMP flood)

Distributed Denial of Service (DDoS) Attacks

  • Uses multiple hosts to amplify the attack
  • Difficult to detect and defend against
  • Has primary and secondary victims
  • Attack can be difficult or impossible to track back to the source

DoS/DDoS Attacks: Exploitation of Programming Defects

  • Examples of attacks:
    • Ping of Death (PoD)
    • Teardrop Attack
    • Land DoS

DoS/DDoS Attacks: Consumption of Resources

  • Examples of attacks:
    • SYN flood
    • ICMP flood
    • HTTP flood
    • Slowloris (a more potent variant of HTTP flood)

Botnets and the Internet of Things (IoT)

  • Botnets consist of computers and devices (mainly IoT devices) infected with software for DDoS attacks
  • Botnets can stretch across the globe
  • Examples of botnets attacks:
    • DDoS attacks
    • Click fraud
    • Stealing information

Mapping the OSI Model to Cyber Threats

  • The OSI model is used to understand and teach distributed communication
  • Each layer interacts with the layer above and below it
  • The OSI model is implemented in both hardware and software

OSI Layers

  • Application Layer: interacts with end-user applications, formats data for transmission
  • Presentation Layer: responsible for coding and decoding data, encryption takes place here
  • Session Layer: maintains communication sessions between computers
  • Transport Layer: breaks data into packets, ensures proper transmission and error checking
  • Network Layer: responsible for logical implementation of the network, includes IP addresses
  • Data Link Layer: prepares data for transmission over the Physical Layer, includes physical addressing
  • Physical Layer: responsible for the physical operation of the network

TCP/IP Model

  • Similar to the OSI model, but with fewer layers
  • The four layers are:
    • Application Layer
    • Transport Layer
    • Internet Layer
    • Link Layer

Internet Packet Encapsulation

  • The process of adding headers and footers to packets as they travel through the network
  • Each layer adds its own header and footer

Protocols

  • A set of rules and formats that govern communication between computers
  • Examples of protocols:
    • TCP (Transmission Control Protocol)
    • UDP (User Datagram Protocol)
    • DNS (Domain Name System)
    • HTTP (Hypertext Transfer Protocol)

Domain Name System (DNS)

  • An application-layer protocol for mapping domain names to IP addresses
  • Provides a distributed database over the internet
  • Resource records include:
    • Address (A) record
    • Mail exchange (MX) record
    • Name server (NS) record

DNS Caching

  • DNS servers cache results for a specified amount of time
  • Caching reduces network traffic and improves performance
  • Associated privacy issues

Transport Layer: UDP (User Datagram Protocol)

  • Lightweight and connectionless
  • Small packet sizes
  • No connection to create and maintain
  • More control over when data is sent
  • Does not compensate for loss of packet
  • Does not deliver or guarantee packet delivery in order

Transport Layer: TCP (Transmission Control Protocol)

  • Reliable and connection-based
  • Uses sequence numbers, timeouts, and retransmissions to protect against loss and reordering
  • TCP packets have a header section with a flags field
  • Four possible flags:
    • SYN (Synchronise)
    • ACK (Acknowledge)
    • FIN (Finished)
    • RST (Reset)

Networking Layering Models and Protocols

  • IPv4 addresses:
    • Four-byte (32-bit) addresses that uniquely identify every device on the network
    • Still the most common
  • IPv6 addresses:
    • 128 bits long
    • Provide more unique device addresses
    • More secure

IP Addressing

  • IPv4 addressing:
    • 32-bit binary address
    • Divided into four parts, separated by dots, with each part consisting of 8 binary digits
    • Each 8 binary digits are converted to decimal, hence called Dotted Decimal
    • Each IP address represents both the network address and the host address
  • Example: 192.168.10.0 is the network address, 192.168.10.255 is the broadcast address, and hosts can have any IP between 192.168.10.1 and 192.168.10.254
  • Class C IP address: the network part is the first three dotted-decimal numbers, and the host part is only the last decimal number of the IP

IP Addressing - Dynamic

  • Dynamic Host Configuration Protocol (DHCP):
    • Used within a network to simplify the configuration of each user's computer
    • To obtain, renew, or refresh a DHCP IP address dynamically, you can use:
      • In Windows: ipconfig /registerdns
      • In Linux: sudo dhclient

MAC Address

  • Most network interfaces come with a pre-defined MAC address
  • A MAC address is a 48-bit number usually represented in hex (e.g., 00-1A-92-D4-BF-86)
  • On Windows, you can use getmac to obtain the MAC address of your machine, which is also listed when you type ipconfig
  • On Linux, you can see your MAC address when you type ip addr, which is labeled as "link/ether"

Address Resolution Protocol (ARP)

  • Connects the network layer to the data link layer by converting IP addresses to MAC addresses
  • ARP works by broadcasting requests and caching responses for future use
  • The protocol begins with a computer broadcasting a message of the form "who has <target IP address>, tell <requesting IP address>"
  • When the machine with that IP address receives this message, it responds with "<target IP address> belongs to <its MAC address>"
  • The Linux and Windows command arp -a displays the ARP table

Network Interface

  • A network interface is a physical device that connects a computer to a network
  • It determines which network interface card the system will use
  • Network interfaces are considered both Physical layer and Data link layer interfaces
  • A computer may have multiple network interfaces
  • Packets are transmitted between network interfaces
  • Most local area networks (including Ethernet and WiFi) broadcast frames
  • Each network interface gets the frames intended for it

This quiz covers various types of network threats and attacks, including sniffers, application layer attacks, network layer attacks, data link layer attacks, and denial of service attacks.
