Network Protocols for Security Professionals

By: Yoram Orzach, Deepanshu Khanna
Overview of this book

With the increased demand for computer systems and the ever-evolving internet, network security now plays an even bigger role in securing IT infrastructures against attacks. Equipped with the knowledge of how to find vulnerabilities and infiltrate organizations through their networks, you’ll be able to think like a hacker and safeguard your organization’s network and networking devices. Network Protocols for Security Professionals will show you how. This comprehensive guide gradually increases in complexity, taking you from the basics to advanced concepts. Starting with the structure of data network protocols, devices, and breaches, you’ll become familiar with attacking tools and scripts that take advantage of these breaches. Once you’ve covered the basics, you’ll learn about attacks that target networks and network devices. Your learning journey will get more exciting as you perform eavesdropping, learn data analysis, and use behavior analysis for network forensics. As you progress, you’ll develop a thorough understanding of network protocols and how to use methods and tools you learned in the previous parts to attack and protect these protocols. By the end of this network security book, you’ll be well versed in network protocol security and security countermeasures to protect network protocols.
Table of Contents (23 chapters)

  • Part 1 (from Chapter 1): Protecting the Network – Technologies, Protocols, Vulnerabilities, and Tools
  • Part 2 (from Chapter 7): Network, Network Devices, and Traffic Analysis-Based Attacks
  • Part 3 (from Chapter 12): Network Protocols – How to Attack and How to Protect

Types of attacks and where they are implemented

Now that we've learned about network structures and connectivity, let's have a look at potential threats, types of attacks, and their potential causes. Let's look at the following diagram and see what can go wrong:

Figure 1.17 – The data, control, and management planes

The risks can be categorized as follows:

  • Threats that cause downtime to the entire IT environment or part of it. Here, the damage is the unavailability of IT resources to the organization. It can start with relatively minor issues such as lost working hours, but for organizations that depend on the network, the loss of computing resources can cause unrecoverable damage.
  • Threats that cause damage to the organization's data. Here, the risks involve the destruction or theft of the organization's data. Which of the two matters depends on the organization: in some cases both are critical, in other cases only one of them is, and in some cases neither.

Various types of attacks can cause unavailability, while other types can damage the data. In the next section, we will look at a critical point in any organization's IT environment and what the results of such an attack are.

Attacks on the internet

Let's start with the internet. Every once in a while, we hear that "A third of the internet is under attack" (Science Daily, November 1, 2017), "China systematically hijacks internet traffic" (ITnews, October 26, 2018), "Russian Telco Hijacked Internet Traffic of Major Networks - Accident or Malicious Action?" (Security Week, April 7, 2020), "Russian telco hijacks internet traffic for Google, AWS, Cloudflare, and others. Rostelecom involved in BGP hijacking incident this week impacting more than 200 CDNs and cloud providers." (ZDNet, April 5, 2020), and many more.

What are these attacks, and how do they work? Attacks on the internet itself usually either deny or slow down access to the internet, or divert traffic so that it reaches its destination through the attacker's network, or does not reach it at all.

In the first case, when the attacker tries to prevent users from using the internet, they will usually use Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

Important Note

DDoS attacks are a very wide range of attacks whose aim is to prevent users from using a service. The service can be a network, a server that provides several services, or one specific service. A DDoS targeting the network can be, for example, a worm that generates enough traffic to saturate communication lines, or sessions generated to overload the routers that forward the traffic. A DDoS targeting a specific server can be, for example, loading the server's interfaces with a huge number of TCP sessions. A DDoS targeting a specific service can be traffic generated toward the TCP port or ports of the service itself.

DDoS attacks on the internet can involve, for example, generating traffic toward specific destination IP addresses, both from devices controlled by the attackers (direct attacks) and from third-party servers that are involuntarily used to reflect attack traffic toward the victim (reflection attacks).

Another type of attack that can be performed on the internet is diverting traffic away from its destination. This type of attack involves making changes to the routing of the internet so that traffic is diverted through the attacker's network, as shown in the following diagram:

Figure 1.18 – Traffic diversion

Here, we can see traffic sent from Alice to Bob being diverted through Trudy's network. Normally, when Alice sends traffic to Bob, it goes from region A to region C and reaches Bob. Under the attack, Trudy configures the routers in region B to pull the traffic in their direction, so that traffic from router A4 is sent to B1 instead. Inside region B, the traffic is forwarded to a point where it can be recorded and copied, and then it is sent on to router C3 in region C on the way to its destination.

Important Note

Bob, Alice, and Trudy (from the word intruder) are the names of fictional characters commonly used in cyber security illustrations. Here, Bob and Alice are placeholders for the good guys that exchange information, while Trudy is a placeholder for the bad guy that tries to block, intrude on, damage, or steal the data sent between Bob and Alice.

To divert the data that should be forwarded from A4 to C3 so that it is sent to B1 in region B instead, router B1 must advertise to router A4 a route with higher priority, so that A4 concludes that the best route to the destination is through B1 and not through C3. On the internet, this routing information is carried by the Border Gateway Protocol (BGP), which we will look at in more detail in Chapter 12, Attacking Routing Protocols.

In reality, the traffic in this example flows in both directions; the example shows a single direction for simplicity.
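The defender's side of the diversion described above is origin validation: a route monitor compares every announcement it sees against a table of expected origins for the prefixes the operator cares about, and flags announcements whose origin AS is wrong or that are more specific than the expected origin is allowed to announce. The following is an added example, not code from the book; the expected-origin table has the shape of RPKI ROA data (prefix, allowed origin AS numbers, maximum prefix length), and all prefixes, AS numbers and the `Announcement` feed are constructed.

```python
"""Origin validation for BGP announcements (added example, not from the book).

A route monitor compares each announcement seen in a feed against a table
of expected origins for the prefixes an operator cares about. The table has
the shape of RPKI ROA data (prefix, allowed origin AS numbers, maximum
prefix length), but all prefixes and AS numbers here are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: tuple  # leftmost entry is the neighbour, rightmost is the origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Expected-origin table (constructed). A covering prefix maps to the AS numbers
# allowed to originate it, and to the longest prefix length they may announce.
EXPECTED = {
    "203.0.113.0/24": {"origins": {64500}, "max_len": 24},
    "198.51.100.0/22": {"origins": {64501, 64502}, "max_len": 24},
}


def classify(ann: Announcement) -> str:
    """Return 'valid', 'invalid-origin', 'invalid-length' or 'unknown'."""
    net = ipaddress.ip_network(ann.prefix)
    best = None  # the most specific covering entry wins, as in a routing table
    for covering, rule in EXPECTED.items():
        cov = ipaddress.ip_network(covering)
        if net.version != cov.version or not net.subnet_of(cov):
            continue
        if best is None or cov.prefixlen > best[0].prefixlen:
            best = (cov, rule)
    if best is None:
        return "unknown"  # no expectation recorded; not a verdict either way
    cov, rule = best
    if ann.origin_as not in rule["origins"]:
        return "invalid-origin"  # another AS claims to originate this space
    if net.prefixlen > rule["max_len"]:
        return "invalid-length"  # right origin, but more specific than allowed
    return "valid"


def find_hijacks(feed):
    """List (prefix, origin AS, verdict) for every announcement that fails."""
    hits = []
    for ann in feed:
        verdict = classify(ann)
        if verdict.startswith("invalid"):
            hits.append((ann.prefix, ann.origin_as, verdict))
    return hits


# Constructed feed. The /25 from AS64666 is the shape of the diversion in the
# text: a route that looks better to A4 than the legitimate one through C3.
FEED = [
    Announcement("203.0.113.0/24", (64510, 64500)),
    Announcement("203.0.113.0/25", (64520, 64666)),
    Announcement("198.51.100.0/23", (64510, 64502)),
    Announcement("198.51.100.0/25", (64510, 64501)),
    Announcement("192.0.2.0/24", (64510, 64530)),
]

if __name__ == "__main__":
    for prefix, origin, verdict in find_hijacks(FEED):
        print(f"{prefix} from AS{origin}: {verdict}")
```

An `unknown` verdict is deliberately not treated as an alarm: it only means the operator has recorded no expectation for that space, which is the normal state for most of the internet's prefixes.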

Attacks from the internet targeting organizational networks

Attacks from the internet can be of various types. They can be intrusion attempts, DDoS, scanning, and more. Let's look at some examples.

Intrusion attempts are discovered and blocked by identifying anomalies or well-known patterns. An anomaly is, for example, a sudden increase in traffic to or from an unknown source, while an intrusion pattern is, for example, port scanning. Suspicious traffic patterns are discussed further in Chapter 6, Finding Network-Based Attacks.
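The two approaches just named, pattern matching and anomaly detection, are shown side by side in the following added example (not code from the book). It runs over a handful of constructed flow records in an assumed `<epoch> <src> <dst> <dst port> <bytes>` format, which is not any real exporter's output; the known-peer list and the baseline figure are likewise constructed stand-ins for what a site would learn from its own history.

```python
"""Two detectors over flow records (added example, not from the book).

Lines are constructed flow records in an assumed format:
    <epoch seconds> <src ip> <dst ip> <dst port> <bytes>
The first detector looks for a well-known pattern (a port scan); the second
looks for an anomaly (an unknown source moving far more traffic than the
baseline for this site).
"""
from collections import defaultdict

FLOWS = """\
1700000000 203.0.113.7   192.0.2.10 21   120
1700000001 203.0.113.7   192.0.2.10 22   120
1700000001 203.0.113.7   192.0.2.10 23   120
1700000002 203.0.113.7   192.0.2.10 25   120
1700000002 203.0.113.7   192.0.2.10 80   120
1700000003 203.0.113.7   192.0.2.10 110  120
1700000003 203.0.113.7   192.0.2.10 143  120
1700000004 203.0.113.7   192.0.2.10 443  120
1700000004 203.0.113.7   192.0.2.10 445  120
1700000005 203.0.113.7   192.0.2.10 3389 120
1700000010 198.51.100.5  192.0.2.20 443  5000
1700000011 198.51.100.5  192.0.2.20 443  5200
1700000012 203.0.113.50  192.0.2.20 443  800
1700000013 203.0.113.99  192.0.2.20 443  2000000
"""

KNOWN_PEERS = {"198.51.100.5"}  # constructed baseline of sources seen regularly
BASELINE_MEAN_BYTES = 5000       # constructed: typical bytes per flow at this site
SCAN_WINDOW_SECONDS = 10
SCAN_DISTINCT_PORTS = 8
ANOMALY_FACTOR = 10


def parse(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((int(ts), src, dst, int(port), int(nbytes)))
    return records


def detect_port_scans(records):
    """Pattern: one source touching many distinct ports on one host within a window."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in records:
        by_pair[(src, dst)].append((ts, port))
    hits = []
    for (src, dst), events in by_pair.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # distinct ports seen from this event to the end of the window
            ports = {p for t, p in events[i:] if t - t0 <= SCAN_WINDOW_SECONDS}
            if len(ports) >= SCAN_DISTINCT_PORTS:
                hits.append((src, dst, len(ports)))
                break  # one alert per source/destination pair
    return hits


def detect_volume_anomalies(records):
    """Anomaly: an unknown source whose volume dwarfs the site's baseline."""
    total = defaultdict(int)
    for _, src, _, _, nbytes in records:
        total[src] += nbytes
    threshold = ANOMALY_FACTOR * BASELINE_MEAN_BYTES
    return [(src, b) for src, b in sorted(total.items())
            if src not in KNOWN_PEERS and b > threshold]


if __name__ == "__main__":
    recs = parse(FLOWS)
    print("port scans:", detect_port_scans(recs))
    print("volume anomalies:", detect_volume_anomalies(recs))
```

The pattern detector fires on the source that touches ten ports on one host in five seconds; the anomaly detector ignores it (its total volume is tiny) and instead fires on the unknown source moving 2 MB, which no fixed signature would have described. The thresholds are the part a site has to tune against its own traffic.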

A nice website called Digital Attack Map provides a daily world map of DDoS attacks. It can be found at https://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=18419&view=map.

Attacks on firewalls

Attacks on firewalls usually take place when the attacker tries to penetrate the network. This can be done in several ways. One is scanning the firewall for security breaches, such as ports that were left open, through which a connection can be opened to the internal network. Another method is to crash the firewall services so that the firewall only continues to work as a router. A third is to generate login attempts against the firewall's VPN service in order to get into the secured network as a VPN client.

Another component we need to protect is the firewall management console. When the console is installed on an external device, make sure it is not reachable from the internet and is protected with strong passwords.

Attacks on servers

When an organization's servers are attacked, the risk is to the organization's data, and sometimes this is the most dangerous risk of all. In this book, we talk about threats to networks and network services and how to secure them.

Various types of attacks can be carried out on an organization's servers. Attacks can target the availability of the servers, the services that run on them, or the information they hold. The following are some of the risks to servers:

  • Risks to server software such as HTTP, mail, IP telephony, file servers, and databases. These will be covered in the third part of this book.
  • Risks involving DDoS targeting servers to prevent users from accessing them.
  • Risks involving breaking into servers to try to steal or destroy the information stored on them.
  • Risks involving impersonating users and disrupting data.

Risks to network applications, services, and servers will be discussed in the third part of this book.

Attacks on local area networks (LANs)

Attacks on an organization's LANs can be implemented in several ways, but the intruder must be inside the LAN or break into the LAN from an external network.

The attacks here can be of several types:

  • Attacks on network devices, as described in Chapter 7, Detecting Device-Based Attacks, such as attacks that overload the CPUs of LAN switches until they drop packets and eventually stop working.
  • Attacks on network protocols, as described in Chapter 6, Finding Network-Based Attacks, and Chapter 7, Detecting Device-Based Attacks, such as attacks on Spanning Tree Protocol (STP), attacks on ARP caches, and many others.
  • Another category of attacks is eavesdropping and information theft. These types of attacks will be described in Chapter 8, Network Traffic Analysis and Eavesdropping.
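The ARP cache attacks listed above are among the easiest LAN attacks to catch passively, because every ARP reply on the segment is visible to a sensor. The following added example (not code from the book) keeps its own IP-to-MAC table from a constructed list of ARP "is-at" replies and raises an alert when a binding changes, when a binding the operator knows to be fixed is contradicted, and, at lower confidence, when one MAC ends up bound to several IPs. The gateway address, MAC addresses and the `STATIC_BINDINGS` table are all constructed.

```python
"""Detect ARP cache poisoning from observed ARP replies (added example, not
from the book). Input is a constructed list of ARP "is-at" replies as a LAN
sensor might collect them: (timestamp, sender IP, sender MAC).
"""

# Constructed ARP replies. The default gateway is 192.0.2.1.
ARP_REPLIES = [
    (1, "192.0.2.1", "00:11:22:33:44:01"),
    (2, "192.0.2.10", "00:11:22:33:44:10"),
    (3, "192.0.2.1", "00:11:22:33:44:01"),
    (4, "192.0.2.1", "de:ad:be:ef:00:01"),   # a different MAC now answers for the gateway
    (5, "192.0.2.10", "00:11:22:33:44:10"),
    (6, "192.0.2.11", "de:ad:be:ef:00:01"),  # the same MAC also claims another IP
]

# Bindings the operator knows to be fixed (constructed), such as the gateway's
# reservation. A reply that contradicts one of these is the strongest signal.
STATIC_BINDINGS = {"192.0.2.1": "00:11:22:33:44:01"}


def analyse(replies, static=STATIC_BINDINGS):
    table = {}   # the sensor's own view of IP -> MAC, built only from replies
    alerts = []
    for ts, ip, mac in replies:
        previous = table.get(ip)
        if ip in static and static[ip] != mac:
            alerts.append((ts, "static-binding-violated", ip, static[ip], mac))
        elif previous is not None and previous != mac:
            alerts.append((ts, "binding-changed", ip, previous, mac))
        table[ip] = mac
        # One MAC answering for several IPs is what a host posing as the gateway
        # and as itself looks like, but routers and virtualization hosts do this
        # legitimately, so this is a lower-confidence alert.
        claimed = tuple(sorted(i for i, m in table.items() if m == mac))
        if len(claimed) > 1:
            alerts.append((ts, "mac-claims-multiple-ips", mac, claimed))
    return alerts


if __name__ == "__main__":
    for alert in analyse(ARP_REPLIES):
        print(alert)
```

Because the detector's table is built only from what it observes, a legitimate MAC change (a replaced gateway, a failover to a standby router) also produces a `binding-changed` alert; the static table is what lets an operator separate an expected change from a poisoning attempt.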

Attacks on network routers and routing protocols

Attacks on routers and routing protocols target the routers and the interactions between them. The following are some attacks that can be performed on router networks:

  • Attacks on the router's hardware and software, as described in Chapter 7, Detecting Device-Based Attacks.
  • Attacks on routing protocols, misleading the routers to stop forwarding packets or sending packets in the wrong direction.
  • Attacks on non-routing protocols that serve other purposes, such as the Hot Standby Router Protocol (HSRP)/Virtual Router Redundancy Protocol (VRRP), multicast protocols, and so on.
  • Another common attack to be carried out on routers and Wide Area Networks (WANs) is a DDoS, where, by flooding the communication lines, the attacker can prevent users from using the network.

We will learn how router networks can be jeopardized and how they can be protected in Chapter 12, Attacking Routing Protocols.

Attacks on wireless networks

Attacking wireless networks, and protecting against these attacks, with an emphasis on Wi-Fi networks based on the IEEE 802.11 standards, is a major challenge both for the attackers and for the organizations that defend against them.

There are several lines of protection here, which will be described in Chapter 11, Implementing Wireless Network Security. They rest on the following principles:

  1. Authenticate users with strong authentication when accessing the organization's Wi-Fi.
  2. Encrypt the information that's sent over the air between users and access points.
  3. Don't rely on Steps 1 and 2 alone: connect the wireless networks to the rest of the organization's network through a firewall.

This is a simple set of rules regarding how to protect wireless networks, but if you forget one of them, the whole chain will be broken.
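Principles 1 and 2 can be checked directly in an access point's configuration. The following added example (not code from the book) audits a hostapd-style `key=value` configuration: it flags an open network, WEP, pre-shared-key authentication where per-user 802.1X/EAP is expected, legacy WPA, and the TKIP cipher. The key names (`wpa`, `wpa_key_mgmt`, `rsn_pairwise`, `wpa_pairwise`, `ieee8021x`, `auth_server_addr`) are hostapd's; the two sample configurations, with a weak setting beside its corrected form, are constructed. Principle 3 is enforced in the firewall, not in the access point, so it is out of scope here.

```python
"""Audit an access point configuration against principles 1 and 2 of the
text: strong user authentication and encryption over the air. Added example,
not from the book. Key names follow hostapd; both configs are constructed.
"""

WEAK_CONF = """\
# constructed: a legacy guest network nobody reviewed
ssid=corp-guest-old
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""

HARDENED_CONF = """\
# constructed: WPA2 with per-user 802.1X/EAP authentication and CCMP (AES)
ssid=corp
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.53
"""

EAP_METHODS = {"WPA-EAP", "WPA-EAP-SHA256", "WPA-EAP-SUITE-B-192"}


def parse_conf(text):
    """Minimal key=value parser; comments and blank lines are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    findings = []
    wpa = conf.get("wpa", "0")
    key_mgmt = set(conf.get("wpa_key_mgmt", "").split())
    # hostapd falls back to wpa_pairwise when rsn_pairwise is not set
    pairwise = set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    uses_wep = any(k.startswith("wep_") for k in conf)

    # Principle 1: strong authentication for the organization's Wi-Fi
    if uses_wep:
        findings.append("auth/encryption: WEP configured; it provides neither")
    elif wpa == "0":
        findings.append("auth: open network, no authentication at all")
    elif key_mgmt & EAP_METHODS:
        if conf.get("ieee8021x") != "1":
            findings.append("auth: WPA-EAP selected but ieee8021x is not enabled")
    elif key_mgmt & {"WPA-PSK", "SAE"}:
        findings.append("auth: shared passphrase; per-user 802.1X/EAP is expected")

    # Principle 2: encryption over the air
    if wpa in ("1", "3"):
        findings.append("encryption: legacy WPA (version 1) enabled; use wpa=2")
    if "TKIP" in pairwise:
        findings.append("encryption: TKIP cipher enabled; use CCMP")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["no findings"])
```

The weak configuration produces three findings (shared passphrase, legacy WPA, TKIP); the hardened one produces none. A check like this belongs in the review of every access point configuration, since, as the text says, forgetting one of the rules breaks the whole chain.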

As a rule, anything sent over the air can be overheard, and when you invite guests onto your network, make sure they stay guests: if you run one or more guest networks, isolate them completely from the organization's network.