1.4 Given a scenario, analyze potential indicators associated with network attacks

  • Wireless
    • Evil Twin
    • Rogue Access Point
    • Bluesnarfing
    • Bluejacking
    • Disassociation
    • Jamming
    • Radio Frequency Identification (RFID)
    • Near-Field Communication (NFC)
    • Initialization Vector (IV)
  • On-Path Attack (Previously Man-in-the-Middle Attack / Man-in-the-Browser Attack)
  • Layer 2 Attacks
    • Address Resolution Protocol (ARP) Poisoning
    • Media Access Control (MAC) Flooding
    • MAC Cloning
  • Domain Name System (DNS)
    • Domain Hijacking
    • DNS Poisoning
    • Uniform Resource Locator (URL) Redirection
    • Domain Reputation
  • Distributed Denial-of-Service (DDoS)
    • Network
    • Application
    • Operational Technology (OT)
  • Malicious Code or Script Execution
    • PowerShell
    • Python
    • Bash
    • Macros
    • Visual Basic for Applications (VBA)


Wireless

There are many types of wireless attacks.

  • Evil Twin.  A wireless client will connect to the access point that has the highest signal (typically the one that is nearest to the client).  In an Evil Twin attack, the hacker deploys a wireless access point with the same SSIDs as the legitimate access points, but with a higher signal strength.  Clients that are preconfigured to connect to the SSIDs will connect to the evil twin.

    The evil twin attack can be prevented by authenticating all wireless connections through certificates.  The client should be required to verify the identity of the network that it is connecting to.  A rogue access point will not be able to prove its identity.
  • Rogue AP.  A Rogue AP is an evil twin that forwards traffic to the main network.  The Rogue AP allows a hacker to act as a man-in-the-middle and intercept all traffic.

    Preventing Rogue APs can be done by

    • Using access points that detect Rogue APs (for example, Cisco Aironet APs have optional Rogue AP detection modules)

    • Using MAC address filtering on the network to prevent unauthorized devices from connecting
  • Jamming.  Wireless Access Points operate on a specific band of the electromagnetic frequency spectrum (2.4 GHz and 5 GHz).  A hacker can flood the air with useless signals in the same frequency.  If these signals are more powerful than those put out by the access point, and if they are the same direction, they will prevent legitimate users from connecting.  Signal jamming has applications in other types of networks (cell phone jamming, radar jamming).

  • WPS.  WPS, or Wireless Protected Setup, was a feature that allowed devices to connect to a wireless network without having to enter a security key.  It was designed for cheaper devices such as printers (that often didn’t have a keypad/touchscreen interface to enter the key).  A user could connect their printer to the network by pressing the “WPS” button on their access point and then waiting for it to pair with their wireless device.  WPS exchanges an 8-digit code with the wireless device, which can be easily detected through brute force.

    WPS is less common now but still exists on older devices.

  • Bluejacking.  In Bluejacking, a hacker sends an unsolicited message to another person’s cellular telephone over Bluetooth.  Bluejacking can be prevented by setting the device to undiscoverable or by prohibiting devices from automatically pairing.  Bluejacking is not common.

  • Bluesnarfing.  In Bluesnarfing, a hacker copies data off a victim’s phone over Bluetooth.  Each Bluetooth device has a unique 48-bit MAC address.  In older versions of Bluetooth, the hacker could connect to the device by guessing its MAC address through brute force.  This is no longer possible because a user must either set to discoverable or specifically allow a new Bluetooth connection.

  • RFID.  RFID or Radio Frequency Identification tags are used to track inventory, keys, and equipment.  They are used in large warehouses and smaller retail stores.  They are also used to provide access control.  RFID tags take two forms: active (contains a battery and broadcasts a signal) and passive (does not contain a battery and is activated when it is near an antenna).  A hacker could target the

    • Communication between the RFID tag and its antenna (intercept an unencrypted or weakly encrypted communication)

    • The RFID reader (by posing as a fake RFID card)

    • The RFID tags (by posing as a fake RFID reader)


RFID attacks can be mitigated by encrypting the data that is stored on the card.  It is difficult to clone some access control cards because the chip on the card cannot be read by an unauthorized external device.

  • NFC.  NFC or Near Field Communication is a technology that allows smartphones to communicate with each other and with other devices.  The most common type of NFC technology allows users to engage in debit/credit card transactions via their smartphones.  A user registers a payment card with an application on the phone and then passes their phone over a credit card terminal to complete the payment.

    A hacker could steal NFC data from a smartphone if he was able to get close enough.  NFC attacks can be prevented by turning NFC off.  Only turn NFC on when you are ready to use it.

  • Disassociation.  In a disassociation attack, a hacker forces a client to disassociate from an access point.  A hacker can force a client to disassociate from an access point by sending a “disassociation” message to the client.
    • The disassociation message is a standard message that an access point could sent to a client to disconnect it

    • It contains the MAC address of the client and the SSID of the access point

    • If a hacker intercepts communication between the client and the access point, he could learn the MAC address of the client, and then create a fake disassociation message

    • The hacker must send these messages to the client constantly, because it will try to reconnect each time it is disconnected.
  • IV.  IV is also known as Initialization Vector.  Remember that an access point and a client use an encryption key to encrypt data (i.e. your Wi-Fi password).  When a client connects to an access point, the access point generates an IV to randomize the encryption key used in the connection.  That way, the communication between the Wi-Fi access point and each user is encrypted with a different key.  If all the communications were encrypted with the same key, then one user could intercept and read the communications addressed to all the other users.

    The IV is originally sent to the client in plain text (unencrypted).  If a hacker detects the IV, then he can use it to guess the encryption key that will be generated and decrypt all further communication between the client and the access point. 

On-Path Attack (Previously Man-in-the-Middle Attack / Man-in-the-Browser Attack)

In a Man-in-the-Middle attack, a hacker inserts himself between the sender and recipient of an electronic communication.  Keep in mind that more than 60% of internet traffic is machine generated (one computer talking to another with no human interaction).

Consider that Alice and Bob are two hypothetical internet users having an encrypted conversation.  They could be two humans, or it could be that Alice is an online banking user and Bob is the bank.  The purpose of the communication is irrelevant.  Consider that the hacker, Eve, wants to spy on them.

Alice and Bob’s messages pass through a central server.  Depending on Alice and Bob’s geographical locations, the messages may pass through many servers, routers, switches, fiber optic cables, and copper lines.  The internet is fragmented, and different parts are owned by different companies.  If Alice is in New York and Bob is in Los Angeles, the traffic must pass through many states, and many internet service providers.

  • If the traffic between Alice and Bob is unencrypted, and Eve can obtain access to one of the servers, routers, switches, or physical connections, then Eve can spy on the conversation.

  • If the traffic is unencrypted, but Alice does not have access to one of the servers in the connection, Eve could trick Alice into sending messages addressed to Bob to her instead (by corrupting/modifying Alice’s address book).  Eve would do the same to Bob.  In Alice’s address book, Eve replaces Bob’s address with her own.  In Bob’s address book, Alice replaces Alice’s address with her own.  Alice sends messages to Eve thinking she is sending them to Bob, and Bob sends messages to Eve thinking he is sending them to Alice.  Now Eve can read Alice’s messages and forward them to Bob.  Eve can also read Bob’s messages and forward them to Alice.  Neither Alice nor Bob is aware that Eve is reading their communications.

  • If the communication is encrypted and uses public key cryptography (such as Apple iMessage), a man-in-the-middle attack is more difficult.  Users encrypt messages with public keys (which they obtain from a central directory).  If Alice wants to send a message to Bob, she obtains Bob’s public key from Apple, encrypts the message, and sends it to Bob.  Bob uses his private key (which only he knows) to decrypt the message.  If Eve can intercept the message, she could perform a man-in-the-middle attack

    • We will discuss public key cryptography in more depth later, but in general consider this

      • A private key can only decrypt a message.  A user keeps his private key secret.

      • The user generates a public key from his private key.  He gives the public key to everybody who wants to send him a message.  The public key can only encrypt a message.

    • Eve generates her own public and private keys

    • She hacks into the central directory and changes Bob’s public key to her own

    • Alice decides to send a message to Bob.  She checks the directory for Bob’s public key, and receives what she thinks is Bob’s public key (but is in fact Eve’s public key)

    • Alice sends the message to Eve (thinking she is sending it to Bob)

    • Eve decrypts the message, reads it, and then encrypts it with Bob’s public key.  Eve sends the message to Bob

    • Bob receives the message, thinking it came from Alice and decrypts it with his own private key

    • Eve does the same thing with Alice’s public key so that she can intercept messages that Bob is sending to Alice

How to prevent

  • The best way to prevent a man-in-the-middle attack is to encrypt all communications with a reliable encryption algorithm (one that uses a long enough key length and is generated through open-source methods)

  • Second, ensure the integrity of the public key.  Do not trust apps with centralized “key directories” such as Apple iMessage or WhatsApp for obtaining public keys, especially for sensitive communications.  Apple controls all the public keys in iMessage and a rogue operator could inject their own public keys, creating the man-in-the-middle attack illustrated above.  There is no way to guarantee that those directories are 100% secure, or that they will stay secure.

    The best way to ensure the integrity of the public key is to personally distribute it to the person that you want to communicate with.

Man-in-the-Browser

In the Man-in-the-Browser attack, a piece of malware infects the user’s computer and intercepts web browser activity.  The malware must be designed to recognize specific behaviors such as online banking, PayPal, eBay, or ecommerce sites.

For example, malware is installed on a user’s computer.  The user logs in to Amazon and makes a purchase, but the malware changes the shipping address to one belonging to the thief, without the user seeing.  The package is then routed to the thief instead of the victim.

Zeus was a popular piece of man-in-the-browser malware.  It was transmitted through e-mail.  Hackers used Zeus to capture online banking passwords, logged in to those online bank accounts, and made monetary transfers to their own accounts.  To avoid getting caught, the hackers created bank accounts under fake names.  They hired mules to withdraw the cash from ATMs and ship it to the hackers’ European destinations.  The losses exceeded $70 million.  After an extensive FBI investigation, over 100 people were arrested and charged with bank fraud and money laundering.

How to prevent

  • It is difficult to detect Zeus and other Man-in-the-Browser applications even with antivirus programs.  Nevertheless, good antivirus programs are necessary.

  • Use multi-factor authentication for online services.  Even if the username/password is compromised, the hacker won’t be able to gain access to the account.

  • Set limits on the amount of money that can be transferred through online banking, and regularly monitor all accounts for suspicious transactions.

ARP Poisoning

ARP is the Address Resolution Protocol.  Remember that every network device has a unique MAC address, set from the factory.  A MAC address is kind of like a serial number.  When a device connects to a network, it announces its MAC address.

Every network device is assigned (or should be assigned) a unique IP address.  On a LAN (Local Area Network), devices communicate by addressing data to the each other’s MAC addresses.  A device will not address a communication to another device’s IP address unless they are on different networks.

If the sender knows the recipient device’s IP address, but not it’s MAC address, it uses ARP to discover the MAC address.  It does so by flooding the network with a request for the MAC address.  Since the device doesn’t know who it is looking for, every device on the network receives the request.  It sends the electronic equivalent of a “hey if this is your IP address, reply with your MAC address”.  The device in question replies with its MAC address.

The opposite is also possible.  A device can flood the network with a request for an IP address when the MAC address is known.  This is known as reverse ARP or RARP.

Each network device stores common MAC addresses and their corresponding IP addresses in a table known as the ARP table, so that it doesn’t have to look them up each time it needs to send data (too many ARP lookups can overload the network).

There is no authentication mechanism for the ARP table on a local device.  Each device simply adds/updates the ARP table when data is received.  A device will update the ARP table with new data even if it did not create an ARP request for the data.  There is no way to check if a device has lied about its MAC address.

ARP Poisoning is when a hacker sends wrong data to corrupt the ARP table.

  • Let’s say our office has a printer with an IP address of 10.10.1.1 and a MAC address of AB:CD:EF:12:34:56

  • Bob wants to print some sensitive documents.  His computer knows that the printer’s IP address is 10.10.1.1 but doesn’t know its MAC address.  It sends out an ARP request to 10.10.1.1, and the printer responds with AB:CD:EF:12:34:56

  • Bob’s computer stores this data in its ARP table

  • Bob’s computer sends documents to be printed to AB:CD:EF:12:34:56

  • A hacker comes along and plugs a laptop into an open ethernet port in Bob’s office.  The hacker’s laptop has an IP address of 10.10.1.2 and a MAC address of AA:BB:CC:11:22:33. 

  • The hacker sends out an ARP message saying that 10.10.1.1 belongs to AA:BB:CC:11:22:33, the hacker’s computer.  He does so manually or by using a tool such as Cain & Abel.

  • Bob’s computer receives the ARP message and records the data in the ARP table.

  • Bob’s computer sends all printed documents to the hacker’s computer instead of the printer.

  • The hacker can forward Bob’s documents to the printer, so that they print correctly, and Bob doesn’t suspect that his documents have been stolen

How to prevent

  • Obviously, the hacker should never have been able to plug his laptop into an open ethernet port in Bob’s office. 

    • Somebody should have noticed that there was an intruder and called the police

    • An open ethernet port should never be patched into a switch

    • The hacker’s laptop should never have been permitted to access the network, even if the port was open

  • Use ARP spoofing detection software.  The software can perform cross-checking of ARP entries against a DHCP server or switch, which has accurate information.  Newer network switches include a feature known as Dynamic ARP Inspection, which can check for spoofed ARP data.

  • Critical system components should have static ARP entries that cannot be changed.  This could require a substantial amount of maintenance for hosts that are DHCP.

Media Access Control (MAC) Flooding

Look at this switch below.  It has 48 ports.  We won’t get into all the details about how it works, but in general,

  • We know that each port connects to a different device

  • We know that it receives data in the form of “frames

  • Each frame has a source MAC address and destination MAC address

  • The switch reads the destination MAC address of the frame and decides which port to send the frame out of.

How does the switch know which frame to forward the port out of? 

  • Each time it receives a frame, it records the source MAC address of that frame in the table, along with the port that it was received on.  Eventually, the switch has a table of MAC addresses and the ports that they are connected to.

  • When a switch receives a new frame, it looks up the MAC address of the destination in the table and forwards it out of the correct port.

  • When the switch receives a frame and cannot find the destination in the table, then it forwards the frame out of all the ports.

The MAC address table has limited capacity.  A hacker can take advantage of this by sending many frames with many different fake source MAC addresses.  This will overload the table, forcing it to delete many of the earlier legitimate entries.  When the switch receives new legitimate data, it won’t know where to forward it, so it will flood it out of all the ports.  This might crash the switch or cause congestion.  If the hacker is connected to one of the switch ports, he will be able to intercept all the flooded traffic.  In other words, by flooding the switch, the hacker can intercept all the traffic on the network.

MAC Cloning

Recall that each network device is manufactured with a unique, unmodifiable (in theory) MAC address.  One security measure to prevent rogue devices is to only allow traffic between trusted MAC addresses.  If an intruder attempts to connect a new device to the network, it will not be permitted to communicate because its MAC address is not approved.

If a hacker learns the MAC address of a legitimate network device, he can change his device’s MAC address and gain access to the network (and to the traffic originally directed to the legitimate device).

How to prevent

  • Require additional user authentication before allowing a device to access the network

  • Use port security on switches.  A switch can remember which MAC address sent traffic on which port.  If the switch detects the same MAC address on a different port, or detects a new MAC address on a port, it can either shut down the port or alert an administrator of the discrepancy.

IP Address Spoofing

Recall that each network device should assigned a unique IP address.  Two network devices can communicate over a WAN or public network if they know each other’s IP addresses.  A hacker can intercept their communication by changing his machine’s IP address to match that of one of the devices.  This method takes special skill and control/modification of network routers, because

  • Most computers will detect the IP address conflict and turn off their network adapters until a new IP address is set.

  • The device whose IP address is spoofed will not receive any traffic because it is being intercepted by the hacker’s computer.  The hacker’s computer would pretend to be the legitimate computer and carry on the communication.

  • To remain undetected, the hacker will have to intercept the IP traffic through the router and then forward it to the legitimate recipient.  It is more difficult to intercept traffic through the router.

In any TCP/IP communication, data is broken into fragments known as packets.  The sender numbers each packet in order (1, 2, 3, etc.), but the increment is not necessarily one (it could be any random integer).  The hacker must be able to guess the correct sequence number and increment when creating spoofed IP packets.  A hacker can do so by intercepting enough packets and analyzing their sequence numbers.

A broadcast IP address is a special type of IP address that exists in every network.  The broadcast address allows a device to send a single message to all the IP addresses on that network.  One type of broadcast message is known as an “echo”.  Devices receiving the “echo” message reply to the sending device.

In a Smurf Attack, the hacker forges the “from” portion of the echo message so that it appears to have come from another system (not his own).  The device whose address appears in the “from” portion will receive all the replies.  Depending on the size of the network, and the number of echo messages sent, that device could receive hundreds or thousands of replies, and go offline.

How to prevent

  • Encrypt all traffic.  An IP spoofing attempt will not allow a hacker to read encrypted traffic.

  • Set firewalls to drop traffic that originates from outside the network but appears to come from inside the network (could indicate that the address has been spoofed).

Domain Hijacking

Each domain name must be registered at an accredited registrar.  Each domain name must be renewed yearly.  Registrars are licensed by ICANN (Internet Corporation for Assigned Names & Numbers).  The registrars control the original data regarding the owner of the domain name and the original name servers.  The name servers tell visitors which DNS servers to check with when looking up domain name information.

A domain name owner can edit or update their domain name data by logging in to a web-based control panel at their registrar.  A domain name owner can transfer a domain name from one registrar to another.

Domain Hijacking is the act of stealing another person’s domain name.  The thief could do so by

  • Hacking in to the registrar’s website and transferring the name to another registrar.  The original owner would have difficulty retrieving control over the domain name after this is completed.

  • Hacking in to the registrar’s website and forwarding the domain name to a server controlled by the hacker.  Visitors would then be directed to the wrong server.  The hacker could place advertisements, malware, or phishing schemes on the server.

  • In both cases, the thief would likely obtain the owner’s password via social engineering or a phishing scam or gain access to the registrar’s system through a security vulnerability.

How to prevent

  • Register the domain name with a large registrar that takes security seriously

  • Lock the domain name at the registrar so that it cannot be transferred to another registrar

  • Choose a difficult password and use multi-factor authentication where possible

DNS Poisoning

DNS Poisoning is like ARP Poisoning. 

What is DNS?  Recall that every computer on the internet has a unique IP address.  That means, every website’s server has a unique IP address.  Humans are not good at remembering IP addresses.  If you had to remember and type in the IP address for every website you visited, the internet would not be very useful.  Instead, you type in a domain name, such as google.com.

The DNS (Domain Name System) knows what every domain name is, and what its corresponding IP address is.  When you type in a Domain Name, your computer queries the DNS to find the correct IP address for that website’s server.

Who operates DNS

  • There are many online public DNS servers such as Google DNS (8.8.8.8 and 8.8.4.4).  These provide records for publicly-available websites.

  • Many ISPs operate DNS servers for their own customers.  These provide records for publicly-available websites and are only accessible to their own customers.  For example, Comcast might operate a DNS for their own customers.  A customer can choose to bypass Comcast’s DNS and use Google’s DNS.

  • Many companies operate their own DNS servers for their own offices.  These provide DNS for internal systems and internal websites and may also provide DNS for publicly-available websites.  A public DNS would not be able to provide a DNS record for an internal device.

  • Each Windows machine operates its own DNS to keep track of the most recently visited websites.

An authoritative DNS server (or nameserver) holds the original records for the website in question.  Different DNS servers can be authoritative for different websites.  A recursive (non-authoritative) DNS server is one that requests DNS data from the authoritative DNS server.

  • For example, AWS Route 53 DNS Servers are authoritative for amazon.com because they hold amazon.com’s original DNS records

  • If a user queries the AWS server, he will receive an authoritative answer about the location of the amazon.com servers

  • After querying the AWS DNS server, DNS servers at the user’s ISP and office cache the DNS data.  Now, DNS servers closer to the user know the IP address of amazon.com

  • The user (or other users) can go back to these servers to perform DNS lookups, but the answer will be non-authoritative.

In DNS Poisoning, a hacker corrupts the DNS records.  The hack can take place at the top-level DNS servers, at the ISP level, at the office level, or at the computer level.  The corrupted DNS can force a user to visit a fake server.  For example,

  • Bank of America’s website is located at IP address 11.11.11.11

  • A hacker sets up fake web server with an IP address of 9.9.9.9 and then corrupts a DNS server to point users to Bank of America’s website at 9.9.9.9.  The users’ computers visit the website at 9.9.9.9 thinking they are accessing a legitimate Bank of America server.

How to prevent

  • Use an authoritative DNS server each time you make a query.  An authoritative DNS server is one that provides original DNS data.  An authoritative DNS server can be hacked, but it is less likely.

  • Use Domain Name System Security Extensions or DNSSEC.  This program digitally signs each DNS response, so that non-authoritative name servers can verify that they have received legitimate data.

Uniform Resource Locator (URL) Redirection

A hacker can register a similar domain name as yours, and trick users into visiting it.  For example, if your domain name is www.amazon.com, a hacker can register www.amazonn.com and trick people into visiting it.  At the fake domain name, the hacker can set up a fake website that looks like the original.

You should register common misspellings of all your domain names.  You should also file a complaint with the World Intellectual Property Organization if you see that somebody has registered a domain name with a common misspelling of yours.

Domain Reputation

The reputation of your domain name is important.  The reputation of your domain name is tracked by search engines, web browsers, and SPAM filters.  If your domain name has a poor reputation, SPAM filters will block your e-mail, and search engines won’t direct users to your website.

Things that lower your reputation

  • Not using SSL security

  • Having your web server infected with malware

  • Sending SPAM or allowing others to send SPAM through your domain name

  • Having a domain name registered for a short time

SPAM filters and search engines can block websites based on their IP address.  If a server hosts multiple websites, and all the websites on the server share the same IP address, and if one website has a poor reputation, the other websites might also be affected.

Denial of Service

There are millions of web servers operating on the internet (which host websites).  If a hacker wants to bring down a web server, the hacker would flood that server with massive amounts of traffic.  The web server would then be unable to respond to legitimate traffic, and ordinary users would be unable to visit the website.  This is known as DoS, or Denial of Service.  Services other than websites exist on the internet (credit card processing, databases, etc.), and all are vulnerable to DoS.

There are many types of DoS attacks

  • SYN flooding.  When a user wants to connect to a web server, a three-way handshake (SYN, SYN/ACK, ACK) process occurs between the two computers. 

    • The user sends a SYN message to the server; the server responds with a SYN/ACK message to the user, and the user responds with an ACK message to the server

    • In SYN flooding, the hacker imitates a legitimate user and sends more SYN requests than the web server can handle.  The web server responds with the SYN/ACK response, but the hacker does not complete the third part by sending the SYN.

    • The server keeps a connection open waiting for an ACK message that never arrives.  The server can only keep a limited number of connections open.  If all of them are waiting for ACK messages that will never arrive, then the server won’t be able to establish new connections with legitimate users

  • Fragmenting.  When data travels over the internet, the sending computer breaks it down into pieces known as packets.  The packets may take different routes to reach their destination.  The receiving computer puts the packets back together.  The data in each packet should not overlap.

    • In a fragmenting attack, the hacker send data to the server, but puts overlapping data into each packet

    • The server attempts to put the data back together but can’t.  If the operating system isn’t equipped to recognize this attack and discard the bad packets, then it will crash.

How to prevent Denial of Service

  • Most DoS attacks are preventable now.  A hacker will not have enough bandwidth to bring down a large web service.  Major websites such as Google, Facebook, eBay, etc. use distributed server farms consisting of millions of servers, with redundant pathways to the internet.  A hacker will not have enough capacity to overload their systems.

  • Most enterprise systems contain firewalls that can easily detect and block DoS attacks.  If a substantial amount of illegitimate traffic appears to be originating from a single source, it can simply be turned off.

  • For a small monthly fee, services such as CloudFlare offer large-scale cloud-based firewalls to protect smaller websites from DoS attacks (which they normally could not afford).

  • A company should never be a victim to the same attack twice.  After the first attack, they must investigate and rewrite their systems so that it never happens again.  The most common types of attacks are well documented, and systems are available to prevent them.

Distributed Denial-of-Service (DDoS)

Distributed Denial of Service was invented after DoS became less effective (due to improvements in internet infrastructure). 

With DDoS, a hacker infects thousands (or hundreds of thousands) of computers (or other IP devices such as cameras) and uses all of them to send traffic to a web server that he wants to crash (remember botnets?).  These computers are known as bots.  Since the traffic appears legitimate (and is in fact originating from hundreds of thousands of different sources, in different geographic locations, different internet service providers, and different computer types), it is difficult to filter or prevent.

The botnet operator will continue to acquire additional bots, to grow his botnet.  The operator will lease his network of bots to a person or organization that wants to bring down a website (for revenge, competition, or other reasons).

The original DDoS attacks target the Network Layer.  That is, they are attacking the IP address of the server that is hosting the application.   

Newer DDoS attacks target the Application Layer.  They use less resources to achieve the same effect.  A server hosting a website has physical website files, which talk to the web server software, which talks to the router/switch/firewall, which talks to the internet.

We need a lot of resources to overload the network because the network has plenty of capacity for traffic that is unrelated of the application.  The network equipment can absorb much of that extra traffic.  The application layer is allocated much less resources.

A DDoS attack can also happen against Operational Technology.  Operational Technology consists of devices that manage critical infrastructure, including traffic lights, power grids, water purification plants, and factories.  Their effects can be devastating.

Some examples of DDoS attacks

  • BGP Hijacking.  BGP is a protocol that routes traffic between different internet service providers.  If a hacker targets the routers that forward traffic to your network, they can put your entire network offline without you realizing it.  Since you don’t have control of these routers, there is little that you can do to prevent or reverse the attack.

  • Sloloris Attack.  As mentioned earlier, in the DoS section.  The hacker imitates a legitimate user and sends more SYN requests (requests to open a connection) than the web server can handle.  The web server responds with the SYN/ACK response, but the hacker does not complete the third part by sending the SYN.

The server keeps a connection open waiting for an ACK message that never arrives.  The server can only keep a limited number of connections open.  If all of them are waiting for ACK messages that will never arrive, then the server won’t be able to establish new connections with legitimate users.

We can mitigate these attacks by limiting the time that a connection can stay open without a response.

  • Slow Post.  In response to the Slowloris attack mitigation, hackers found a new threat.  They can open many connections and send the data to the server slowly.  The server can’t close any connections because it is receiving data on each one, but each connection is operating so slowly that none of them ever close.

  • Slow Read.  The slow read functions like the slow post.  The hacker opens many connections but receives the data slowly.  The server can’t close any connections because it is sending data on each one, but each connection is operating so slowly that none of them ever close.

How to prevent

  • Services such as CloudFlare use large scale cloud-based firewalls to mitigate DDoS attacks.  They set up a server farm with a large amount of bandwidth that can be “donated” to a website facing a DDoS attack.  CloudFlare’s bandwidth can accept most DDoS attacks.

  • Users should use antivirus and firewall programs to prevent their computers from becoming infected and turned into bots.

  • Manufacturers of IP cameras and wireless routers should put in the effort to make their devices more secure (so that they do not become infected and used in DDoS attacks).

Malicious Code or Script Execution

Malicious code can be injected into many types of systems and applications.  We should not run code that we don’t trust.  The following types of code are not compiled but run inside an operating system or inside an application.  The operating system or application can run an external piece of code that was placed by a hacker, even without our explicit permission.

  • PowerShell.  A PowerShell script is one that runs on a Windows operating system.  PowerShell was developed by Microsoft to allow an administrator to program common tasks.  A PowerShell script can do almost anything that an administrator can do when logged in to a Windows computer, including creating user accounts and installing applications.

    We can also use PowerShell to log in and make changes to a remote server or Microsoft Azure and Azure Active Directory.

  • Python.  Python is a programming language that can run on any operating system – including Windows, Mac, and UNIX.  Python scripts can provision servers, install applications, create user accounts and perform other administrative functions.  An operating system will not recognize a Python script unless the Python software is first installed.  

  • Bash.  A Bash script is like a PowerShell script but runs on a UNIX operating system.  It can perform any function that an administrator can.

  • Macros.  A Macro is a script that runs inside a Microsoft Office application.  It is embedded into a document.  A Macro can perform any action in an office application that a user can perform.  A Macro is created by recording the actions that a user takes.  The Macro then repeats the action.  Macros are useful for automating functions.

    In order for a Macro to run, the user must first open the document and then explicitly allow the Macro to run.  The user might not see the contents of the Macro before allowing it to run.

  • Visual Basic for Applications (VBA).  A VBA script is an application that runs inside a Microsoft Office application.  It can do more than a Macro.  It can use programming logic including if statements and other types of logic.  It can also open and modify external files.  A VBA script can perform any action that a user can perform and additional actions.

    In order for a VBA script to run, the user must first open the document and then explicitly allow the Macro to run.  The user might not see the contents of the VBA script before allowing it to run.