Network attacks and how to avoid them

Nowadays it is impossible to list all the different types of attacks that can be carried out on a network, as in the world of security this varies continuously. We bring you the most common ones according to the network attack databases, so that we can keep up to date and keep our network as secure as possible. In order to build a defence, we must first know how we are attacked and what these threats consist of, so that we can maintain a certain degree of security. Through this list we will be able to see and understand the exact definition of each of the most known or widespread attacks, and what are the symptoms associated with them.

Over the last ten to fifteen years, we have seen the paradigm shift whereby crackers or cybercriminals seek to exploit every possible vulnerability within any organisation or national infrastructure. In order to counteract this, what each and every one of us must be clear about is that we must change our perspective on how we view security in the IT and network environment, we must be aware of certain attacks and understand what we can learn from them, so that we can be as well prepared as possible for them, and sometimes even prevent them. In this world of security, we cannot say that we are prepared to avoid every attack.

Table of contents

• DoS attack or denial of service attack
• Distributed Denial of Service attack - Distributed Denial of Service (DDos)
• ARP Spoofing
• Man-In-The-Middle attack
• Social Engineering Attack
• OS Finger Printing
• Port Scanning
• ICMP Tunneling
• LOKI Attack
• TCP Sequence Attack
• ICMP redirection attacks
• DNS zone transfer attack

We will start the list of threats with the most common since the beginning of cybercriminal activity.

DoS attack or denial of service attack

A denial of service attack aims to disable the use of a system, an application, a computer or a server, in order to block the service for which it is intended. This attack can affect both the source of the information, such as an application or the transmission channel, and the computer network, or in other words, the cybercriminal will try to prevent users from accessing information or services. The most common type is when an attacker "floods" a network with a large amount of data, causing the entire network to become saturated. For example, in a DoS attack on a website, when we type in a URL and access it, we will be sending a request for information to be displayed, in this case, an attacker could make millions of requests with the aim of collapsing the entire system. This is why this attack takes the name "denial of service", as the site in question cannot be accessed.

Some of the problems you will encounter if you get a DoS attack is that you will notice a huge drop in network performance and a lot of slowness (opening files or accessing websites). A particular website is totally inaccessible and unavailable. We will be unable to enter any website we try to access. Drastic increase in the amount of spam we receive.

Tipos de ataques DoS

ICMP Flood Attack

This type of denial of service attack allows the victim's bandwidth to be exhausted. It consists of sending a large amount of information using ICMP Echo Request packets, i.e. the typical ping, but modified to be larger than usual. In addition, the victim could reply with ICMP Echo Reply packets, so we will have an additional overload, both on the network and on the victim. It is most common to use one or more very powerful computers to attack the same victim, so the victim will not be able to handle the generated traffic correctly.

Ping of the Dead

This attack is similar to the previous one, it consists of sending a packet of more than 65536 bytes, making the operating system not know how to handle such a large packet, causing the operating system to crash when trying to assemble it again. Nowadays this attack does not work, because the operating system will discard the packets directly. It is very important to know about this attack in order to avoid it in the future, but we already tell you that this attack does not work anymore because the operating systems incorporate a lot of protections to avoid it.

Tear Drop Attack

This type of attack consists of sending a series of very large packets, with the aim that the destination (the victim) is not able to assemble these packets, saturating the operating system and crashing it. It is possible that once the attack stops, it needs to be restarted in order to work properly again. Today's operating system kernels incorporate protections against such attacks.

Jolt Two Attack

This type of attack consists of fragmenting an ICMP packet, so that the victim cannot reassemble it. This causes the victim's CPU usage to increase, and it has a significant bottleneck. The result of this attack is usually that the victim's PC becomes very slow, because the CPU is very busy trying to reassemble the packet.

Land Attack

This type of attack consists of sending a spoofed TCP SYN packet, where the IP address of the target is used as both source and destination, so that when it receives the packet, it gets confused and does not know where to send the packet, and blocks itself. This type of attack is usually recognised by operating systems, firewalls and even antivirus suites.

Smurf Attack

This attack consists of sending a large number of ICMP Echo request messages to the broadcast IP address with the victim's source IP. In this way, the real victim will receive all the ICMP Echo Reply ICMP responses from the entire network, causing it to be saturated. Before performing this attack, IP Spoofing must be done to spoof the source IP address of the ICMP Echo Request, in order to perform this massive attack. The network will stop functioning normally while the attack is being carried out, because we will have high broadcast traffic. Nowadays, switches are prepared to avoid these attacks automatically, depending on the PPS (Packets per second), these requests t

SYN Flood

This type of attack is one of the most widely used in the world. It consists of sending TCP packets with the SYN flag activated, with the aim of sending hundreds or thousands of packets to a server and opening different connections to it, in order to saturate it completely. Normally this attack is used with a false source IP, so that all the responses go to an IP that does not exist, or to a victim IP that will also be saturated by all the TCP responses sent from the server.

SYN Flood attacks can be easily prevented by the firewall, by limiting the number of TCP SYN packets that can be received, and even by setting an intermediate proxy to add an additional check before passing messages to the web server or any other service that makes use of the TCP protocol.

Fraggle Two Attack

This attack consists of sending a lot of UDP traffic to a broadcast IP address, these packets have the IP of origin of the victim, logically an IP Spoofing has been performed to carry out this attack. The network will deliver the network traffic to all the hosts, because we are sending UDP packets to the broadcast address, and the computers will respond. This will cause the victim to receive a large amount of traffic that it will not be able to handle properly, and it will be unable to work normally.

Distributed denial of service attack - DDos

This network attack consists of collapsing a victim from multiple computers of origin, for example, a botnet made up of a thousand computers could attack a certain target. This type of attack is very common, making use of the techniques we have explained above, such as the SYN Flood. Even if there is a very powerful server capable of handling millions of SYN Flood requests, if we make use of a botnet with hundreds or thousands of computers, it will not be able to withstand it and will end up blocking itself. This attack is "distributed" between different equipment, be it computers, other infected servers, hacked IoT devices and more.

Some tips for mitigating DDoS attacks are as follows:

• Configure the router's firewall correctly.
• Block all network traffic except what we specifically allow.
• Disable any services you are not using.
• Regularly check the network configuration, and the logs we have.
• Robust logging policy, allowing event correlation (SIEM).
• Have a good password policy with the corresponding permissions.
• Limit network bandwidth per port, to avoid attacks from our own network.

ARP Spoofing

This attack on data networks is one of the most popular, it allows attacking computers that are on the same local network, either wired or wireless. When an ARP Spoofing attack is carried out, what we are doing is that the attacker can impersonate the router or gateway, and that all network traffic or traffic from a specific PC (victim) passes through it, allowing to read, modify and even block network traffic.

This attack only works on IPv4 networks, but a similar attack also exists on IPv6 networks, because the ARP protocol is only available on IPv4 networks. This attack is the easiest way to perform a Man in the Middle attack and capture all information from the victim. To detect these attacks, one could use Reverse ARP, a protocol used to query the IPs associated with a MAC, if we have more than one IP it means that we are facing an attack. Some security suites already detect this type of attack, and even manageable switches can prevent this type of attack by IP-MAC Binding.

MAC flooding attack

This is one of the most typical attacks in data networks. It consists of flooding a network with MAC addresses where we have a switch, each one with different MAC addresses of origin, with the aim of taking the CAM table of the switches and making the switch function as a hub. However, nowadays, all switches have protections against this attack, so that MAC addresses can be eliminated quickly, and never collapse, but the CPU of the switch will be at 100% and we will notice slowness in the network.

In the case of manageable switches with VLANs, the overflow would only be in the affected VLAN, not affecting the rest of the VLANs in the network. To prevent this type of attack, it is advisable to configure Port Security on the switches, and limit to a certain number of MAC addresses per port, so that the port can be automatically shut down, or directly restrict the registration of new MAC addresses until further notice.

DNS cache poisoning

This type of attack consists of providing false data via DNS; so that a victim obtains that information and visits fake websites or websites under our control. The computer making DNS requests could receive spoofed IP addresses based on its DNS request, so we can redirect a victim to any website under our control.

IP Spoofing

This attack consists of spoofing the source IP address of a given computer, in this way, TCP, UDP or IP packets could be sent with a false source IP, spoofing the real IP address of a device. This has several objectives: to hide the real identity of the source, or to impersonate another computer so that all responses go directly to it.

ACK Flood

This attack consists of sending a TCP ACK packet to a certain target, usually with a spoofed IP, so IP spoofing will be necessary. It is similar to TCP SYN attacks, but if the firewall is blocking TCP SYN packets, this is an alternative to block the victim.

TCP Session Hijacking

This attack consists of taking over an existing TCP session, where the victim is using it. For this attack to be successful, it is necessary to be carried out at an exact moment, at the beginning of the TCP connections is where the authentication is carried out, it is just at that point when the cybercriminal will execute the attack.

Man-In-The-Middle attack

Man-in-the-Middle attacks are a type of attack that subsequently allows other attacks to be carried out. MITM attacks consist in placing themselves between the communication of two or more computers by the attacker, with the aim of reading, modifying on the fly and even denying the passage of traffic from an origin to a destination. This type of attack allows the attacker to know the entire online navigation and any communication to be carried out, in addition, all the information could be directed to another existing computer.

An example of a MITM attack would be when a cybercriminal intercepts a communication between two people, or between us and a web server, and the cybercriminal can intercept and capture all the sensitive information that we send to the site.

How to prevent Man-In-The-Middle attacks?

MITM attacks are not impossible to avoid, thanks to the "Public Key Infrastructure" technology we can protect the different equipment from attacks, and this would allow us to authenticate ourselves to other users securely, proving our identity and verifying the identity of the recipient with public cryptography, in addition, we can digitally sign the information, guarantee the property of non-repudiation, and even send fully encrypted information to preserve confidentiality.

In a cryptographic operation using Public Key Infrastructure, at least the following parties are conceptually involved:

• A user initiating the operation.
• Server systems that attest to the operation and guarantee the validity of the certificates, the Certification Authority (CA), Registration Authority and Time Stamping System.
• A recipient of the encrypted data that is signed, guaranteed by the user initiating the operation.

Public key cryptographic operations are processes using asymmetric encryption algorithms that are known and accessible to all, such as RSA or elliptic curve based. For this reason, the security that PKI technology can provide is strongly linked to the privacy of the so-called private key.

Social engineering attacks

Although social engineering attacks are not an attack on data networks, it is a very popular type of attack used by cybercriminals. This type of attack involves manipulating a person into providing user credentials, private information and more. Cybercriminals are always looking for every possible way to get hold of user credentials, credit card numbers, bank accounts, etc. To achieve this, they will try to lie to the victims by pretending to be other people.

These types of attacks are very successful because they attack the weakest link in cybersecurity: the human being. It is easier to try to get a person's user credentials through social engineering than it is to try to attack a service like Google to extract passwords. It is critical who to trust, when to trust and also when not to trust. No matter how secure our network is, if we trust our security to the wrong person, all that security is worthless.

How to prevent social engineering attacks?

The first recommendation is not to be in a hurry to respond to cyber attackers, many of these attacks are always transmitted with a certain urgency, for example, that it is urgently necessary to make a money transfer to a recipient that we have never had before. You need to be suspicious of any strange or unsolicited messages - if the email you receive is from a website or company you use, you should undertake a little investigation of your own, including contacting the company to verify the information.

• Beware of requests for banking information
• Never give out passwords, even to banks.
• Refuse any kind of help from third parties, as they may be cybercriminals trying to steal information or money.
• Do not click on links by email, they could be phishing, avoid downloading any suspicious documents.
• Set up anti-spam filters, configure your computer with antivirus and firewalls, check your email filters and keep everything up to date.

OS Finger Printing

The term OS Finger Printing refers to any method of determining the operating system used on the victim, with the aim of breaching it. Normally this type of attack is carried out in the pentesting phase, this recognition of the operating system is done by analysing protocol indicators, the time it takes to respond to a particular request, and other values. Nmap is one of the most commonly used programs for OS Finger Printing. What will it do for an attacker to know the victim's operating system? To perform more targeted attacks on that operating system, to know the vulnerabilities and exploit them, and much more.

There are two different types of OS Finger Printing:

Active: this is achieved by sending specially modified and crafted packets to the target machine, and looking in detail at the response and analysing the information gathered. Nmap performs this type of attack to obtain as much information as possible.

Passive: In this case, the information received is analysed, without sending specially crafted packets to the target machine.

Port scanning

In any pentesting, port scanning is the first thing that is performed in an attempt to breach a target. It is one of the most common reconnaissance techniques used by cybercriminals to discover exposed services with open ports, whether a firewall is being used and even what operating system the victim is using. All computers that are connected in the local network or on the Internet make use of a large number of services that listen on certain TCP and UDP ports. These port scans make it possible to find out which ports are open, and even which service is behind them, in order to exploit a vulnerability to that service.

In port scans, we will send messages to each port, one by one, depending on the type of response received, the port will be open, filtered or closed. One of the most used programs for port scanning is Nmap, it is the Swiss army knife of port scanning because we also have Nmap NSE that allows us to use scripts to exploit known vulnerabilities, or to attack Samba, FTP, SSH servers, etc.

Knowing which ports we have open is also very important, because a port identifies a service running on the system. For example, the FTP protocol uses port 21, if it is open it could be because we have an FTP server listening, and we could attack it. Port scanning is the first phase of pentesting.

How to prevent port scanning?

Port scanning cannot be prevented, because we cannot prevent a cybercriminal or cybercriminal from trying to see which ports we have open, but what we can do is to protect all ports with a well-configured and restrictive firewall. It should be noted that port scanning is illegal, as several courts have ruled, because it is the first step in an intrusion or to exploit a vulnerability.

To limit the information we will provide to an attacker in a port scan, we should do the following:

• Close all ports on the firewall, except those that need to be open for the proper functioning of the system.
• Use a restrictive firewall policy, only open what is going to be used.
• Shut down operating system services that are not needed.
• Configure web services, SSH, FTP in such a way that they provide us with information such as the version number, to avoid the exploitation of possible vulnerabilities.
• Use TCP Wrappers, a TCP encapsulator that will give the administrator more flexibility to allow or deny access to certain services.
• Make use of software such as fail2ban to block attacking IP addresses.
• Use IDS/IPS such as Snort or Suricata to block attacker IPs.

ICMP Tunneling

This type of attack is mainly used to evade firewalls, because firewalls normally do not block ICMP packets. They could also be used to establish a communication channel that is encrypted and difficult to trace. An ICMP tunnel establishes a covert connection between two computers, this can also be used with UDP by making use of DNS.

To prevent ICMP tunnels, it is necessary to inspect the ICMP traffic in detail, and to see what kind of messages are exchanged. Also, this is complicated if data encryption is used, but we will be able to detect it because it will be ICMP traffic that is not "normal", so all IDS/IPS alerts will be triggered if we configure them correctly.

LOKI attack

This is not an attack on data networks, it is a client/server program that allows to exfiltrate information through protocols that normally do not contain payload, e.g. SSH traffic could be tunneled inside ICMP protocol with ping and even with UDP for DNS. This can be used as a backdoor in Linux systems to extract information and send it remotely without raising suspicion. This is something we should also control through firewalls.

TCP sequence attack

This type of attack consists of trying to predict the sequence number of a TCP traffic, in order to identify the packets of a TCP connection, and hijack the session. The typical example is a scenario where an attacker is monitoring the data flow between two computers, the attacker could cut off communication with the real computer, and establish himself as the real computer, all by predicting the sequence number of the next TCP packet. The attacker would "kill" the real computer, using a denial-of-service (DoS) attack or similar.

Thanks to this sequence number prediction, the packet will be able to reach its destination before any information from the legitimate host, because the latter is under a DoS attack and will not allow communication to the victim host. This attacker's packet could be used to gain access to the system, terminate a connection by force, or directly send a malicious payload.

How to prevent TCP sequence attack?

The IETF in 2012 launched a new standard to establish an improved algorithm to prevent an attacker from guessing the initial sequence number in TCP communications. This standard is designed to increase the robustness of TCP communications against predictive analysis and monitoring by attackers. Currently all operating systems make use of this new standard to prevent this attack, so an attacker will not be able to predict sequence numbers, but attackers in certain circumstances can still guess them, although it is much more difficult than before.

ICMP Redirect Attacks

This network attack, called ICMP Redirect, allows a source host to be redirected using a different gateway so that it can be closer to the destination. Logically, an attacker will set himself as a gateway, with the aim of having all traffic pass through him in order to capture, modify or block it. These messages are sent to the different hosts, but nowadays this type of ICMP Redirect attacks on Linux systems are not affected, because they are internally disabled, but it is possible that on other operating systems they are affected.

DNS zone transfer attack

This attack affects DNS servers, where the DNS server returns a list of hostname and IP addresses in the domain. These zone transfers are normally done between authoritative DNS servers, but this attack could cause cybercriminals to query DNS servers for a list of hosts to attack.

Silvia Mazzetta

Web Developer, Blogger, Creative Thinker, Social media enthusiast, Italian expat in Spain, mom of little 9 years old geek, founder of  @manoweb. A strong conceptual and creative thinker who has a keen interest in all things relate to the Internet. A technically savvy web developer, who has multiple  years of website design expertise behind her.  She turns conceptual ideas into highly creative visual digital products.