
ASSIGNMENT

Network layer security attacks


1. Eavesdropping
Eavesdropping is the unauthorized real-time interception of a private communication, such as a
phone call, instant message, video conference or fax transmission. The term eavesdrop derives
from the practice of actually standing under the eaves of a house, listening to conversations
inside.

VoIP systems that don't use encryption make it relatively easy for an intruder to intercept calls.

Eavesdropping is easier to perform with IP-based calls than with TDM-based calls. Any
protocol analyzer can pick up and record the calls without being observed by the callers.
There are software packages for PCs that will convert digitized voice from standard
CODECs into WAV files.

The speakerphone function can be turned on remotely, with the caller on mute so that
there is no sound coming from the phone. This has happened with some IP phones in
executives' offices. Their offices can be listened to without their knowledge.

PCs and laptops that have microphones attached or integrated into them can be enabled as
listening devices without the user's knowledge. There is a rootkit available for this
purpose.

Even systems that do use encryption can be vulnerable, however. In August 2009, Symantec
issued a security bulletin about a wiretap Trojan known as Peskyspy. Peskyspy was designed to
access Skype call audio before it was encrypted.

Eavesdropping on a conventional telephone line through technical methods is known as
wiretapping.

2. Replay attack
A replay attack occurs when an attacker copies a stream of messages between two parties and
replays the stream to one or more of the parties. Unless mitigated, the computers subject to the
attack process the stream as legitimate messages, resulting in a range of bad consequences, such
as redundant orders of an item.
Suppose Alice wants to prove her identity to Bob. Bob requests her password as proof of
identity, which Alice dutifully provides (possibly after some transformation like a hash function);
meanwhile, Eve is eavesdropping on the conversation and keeps the password (or the hash).
After the interchange is over, Eve (posing as Alice) connects to Bob; when asked for a proof of
identity, Eve sends Alice's password (or hash) read from the last session which Bob accepts, thus
granting Eve access.
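The Alice/Bob/Eve exchange above, carried through in code as an added example (not part of the original assignment): Bob first accepts a static password hash, which Eve can replay, and then issues a fresh nonce per session so that a captured answer is useless later. The shared secret and the HMAC-over-nonce scheme are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: the secret Alice shares with Bob (assumed value).
SHARED_SECRET = b"alice-password"


def password_hash(secret):
    """Static proof of identity: identical in every session, so it can be replayed."""
    return hashlib.sha256(secret).hexdigest()


class StaticVerifier:
    """Bob as described in the text: accepts the hash of Alice's password as proof."""

    def __init__(self, secret):
        self.expected = password_hash(secret)

    def verify(self, proof):
        return hmac.compare_digest(proof, self.expected)


class ChallengeVerifier:
    """Bob with a per-session challenge: the proof must cover a nonce Bob just issued."""

    def __init__(self, secret):
        self.secret = secret
        self.outstanding = set()   # nonces issued but not yet answered

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce, proof):
        if nonce not in self.outstanding:   # unknown or already consumed: a replay
            return False
        self.outstanding.discard(nonce)     # each nonce is accepted at most once
        expected = hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(proof, expected)


def alice_answers(secret, nonce):
    """Alice's side of the challenge-response: HMAC over the nonce with her secret."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def run_static_scenario():
    """Returns (alice_accepted, eve_replay_accepted) for the password-hash scheme."""
    bob = StaticVerifier(SHARED_SECRET)
    captured = password_hash(SHARED_SECRET)   # what Eve records on the wire
    alice_ok = bob.verify(captured)
    eve_ok = bob.verify(captured)             # Eve replays the identical proof
    return alice_ok, eve_ok


def run_challenge_scenario():
    """Returns (alice_accepted, eve_replay_same_nonce, eve_replay_new_session)."""
    bob = ChallengeVerifier(SHARED_SECRET)
    nonce = bob.challenge()
    proof = alice_answers(SHARED_SECRET, nonce)   # Eve records nonce and proof
    alice_ok = bob.verify(nonce, proof)
    eve_same = bob.verify(nonce, proof)           # nonce already consumed
    new_nonce = bob.challenge()
    eve_new = bob.verify(new_nonce, proof)        # old proof does not cover the new nonce
    return alice_ok, eve_same, eve_new


if __name__ == "__main__":
    print("static proof (alice, eve):", run_static_scenario())
    print("challenge-response (alice, eve same nonce, eve new nonce):", run_challenge_scenario())
```

The nonce must be unpredictable and never reissued; a verifier that restarts and forgets which nonces it handed out reopens the replay window.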

3. IP spoofing

IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking technique in
which a cracker masquerades as a trusted host to conceal his identity, spoof a Web site, hijack
browsers, or gain access to a network.

Here's how it works: The hijacker obtains the IP address of a legitimate host and
alters packet headers so that the legitimate host appears to be the source.

When IP spoofing is used to hijack a browser, a visitor who types in the URL (Uniform Resource
Locator) of a legitimate site is taken to a fraudulent Web page created by the hijacker. For
example, if the hijacker spoofed the Library of Congress Web site, then any Internet user who
typed in the URL www.loc.gov would see spoofed content created by the hijacker.

If a user interacts with dynamic content on a spoofed page, the hijacker can gain access to
sensitive information or computer or network resources. He could steal or alter sensitive data,
such as a credit card number or password, or install malware. The hijacker would also be able to
take control of a compromised computer to use it as part of a zombie army in order to send out
spam.

Web site administrators can minimize the danger that their IP addresses will be spoofed by
implementing hierarchical or one-time passwords and data encryption/decryption techniques.
Users and administrators can protect themselves and their networks by installing and
implementing firewalls that block outgoing packets with source addresses that differ from the IP
address of the user's computer or internal network.
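The firewall rule described in the last paragraph, written out as an added example (not from the original assignment): outgoing packets whose source address is not in the internal network are dropped, and the matching inbound rule drops packets from outside that claim an internal source. The address block and the packet tuples are constructed for the example.

```python
import ipaddress

# Constructed example: the organisation's own address block (assumed value).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


def egress_allowed(src, internal=INTERNAL_NET):
    """Outbound rule from the text: a packet leaving our network must carry one of our addresses."""
    return ipaddress.ip_address(src) in internal


def ingress_allowed(src, internal=INTERNAL_NET):
    """Inbound counterpart: a packet arriving from outside cannot legitimately claim an internal source."""
    return ipaddress.ip_address(src) not in internal


def filter_packets(packets, internal=INTERNAL_NET):
    """packets: iterable of (direction, src, dst) with direction 'in' or 'out'.
    Returns a list of (verdict, packet) tuples; verdict is 'ACCEPT' or 'DROP'."""
    verdicts = []
    for pkt in packets:
        direction, src, dst = pkt
        if direction == "out":
            ok = egress_allowed(src, internal)
        elif direction == "in":
            ok = ingress_allowed(src, internal)
        else:
            raise ValueError(f"unknown direction: {direction!r}")
        verdicts.append(("ACCEPT" if ok else "DROP", pkt))
    return verdicts


# Constructed packets: (direction, source, destination)
SAMPLE_PACKETS = [
    ("out", "192.0.2.15", "198.51.100.1"),    # normal outbound traffic
    ("out", "203.0.113.9", "198.51.100.1"),   # outbound with a forged, foreign source
    ("in", "198.51.100.1", "192.0.2.15"),     # normal inbound reply
    ("in", "192.0.2.200", "192.0.2.15"),      # inbound packet claiming to be one of ours
]


def verdict_list(packets=SAMPLE_PACKETS):
    """Just the verdicts, in order, for quick inspection."""
    return [v for v, _ in filter_packets(packets)]


if __name__ == "__main__":
    for verdict, pkt in filter_packets(SAMPLE_PACKETS):
        print(f"{verdict:6} {pkt}")
```

This filter stops forged source addresses from leaving or entering the network boundary; it cannot tell one internal host from another, so spoofing between hosts inside the same block needs controls on the internal segment.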

4. DNS attack

A DNS attack is an exploit in which an attacker takes advantage of vulnerabilities in the domain
name system (DNS).

DNS is a protocol that translates a user-friendly domain name, like WhatIs.com, into
the computer-friendly IP address 206.19.49.154.

When an end user types the people-friendly domain name WhatIs.com into a client's browser, a
program in the client's operating system called a DNS resolver looks up WhatIs.com's
numerical IP address. First, the DNS resolver checks its own local cache to see if it already has
the IP address for WhatIs.com. If it doesn't have the address, the resolver then queries a DNS
server to see if it knows the correct IP address for WhatIs.com. DNS servers are recursive, which
simply means that they can query each other to either find another DNS server that knows the
correct IP address or find the authoritative DNS server that stores the canonical mapping of the
WhatIs.com domain name to its IP address. As soon as the resolver locates the IP address, it
returns the IP address to the requesting program and caches the address for future use.
Although the DNS is quite robust, it was designed for usability, not security, and the types of
DNS attacks in use today are numerous and quite complex, taking advantage of the
communication back and forth between clients and servers.

To lessen the chance of a DNS attack, server administrators should use the latest version of DNS
software, consistently monitor traffic and configure servers to duplicate, separate and isolate the
various DNS functions.

5. Sniffer attack

A sniffer is an application or device that can read, monitor, and capture network data exchanges
and read network packets. If the packets are not encrypted, a sniffer provides a full view of the
data inside the packet. Even encapsulated (tunneled) packets can be broken open and read unless
they are encrypted and the attacker does not have access to the key.

Using a sniffer, an attacker can do any of the following:

Analyze your network and gain information to eventually cause your network to crash or
to become corrupted.

Read your communications.


6. Port scanning attack

Ports are like little doors on your system. Most packets leaving your machine
come out of a certain door. They are destined for another door on another
system. There are two different protocols that use ports: TCP and UDP. Each
of these two protocols has 65,536 different ports. Various Internet services
listen on certain well-known doors. For example, Web servers usually listen
on TCP port 80. Mail servers usually listen on TCP port 25.

An attacker launches a port scan to see what ports are open, with a listening service, on your
machine. A port scan attack, therefore, occurs when an attacker sends packets to your machine,
varying the destination port. The attacker can use this to find out what services you are running
and to get a pretty good idea of the operating system you have. Most Internet sites get a dozen or
more port scans per day. As long as you harden your firewall and minimize the services allowed
through it, these attacks shouldn't worry you.
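Detection logic for the pattern described above (one source sending packets while varying the destination port), as an added example that is not part of the original assignment. The firewall log format and the three sample sources are constructed for the example; the window and threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (assumed): "<iso-timestamp> <ACTION> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dport": int(m["dport"]),
        "proto": m["proto"].lower(),
    }


def detect_port_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Map each source that touched at least `threshold` distinct (proto, port) pairs
    inside some span of length `window` to the largest such set of ports seen."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    scanners = {}
    for src, evs in by_src.items():
        start = 0
        best = set()
        for end in range(len(evs)):
            # advance the window start until the span [start, end] fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ports = {(e["proto"], e["dport"]) for e in evs[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= threshold:
            scanners[src] = best
    return scanners


def _line(ts, action, src, dport):
    return f"{ts.isoformat()} {action} src={src} dst=192.0.2.10 dport={dport} proto=tcp"


_T0 = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_LOG = (
    # 198.51.100.7 probes 25 consecutive ports in 25 seconds: a fast scan
    [_line(_T0 + timedelta(seconds=i), "DROP", "198.51.100.7", 20 + i) for i in range(25)]
    # 203.0.113.5 makes 15 ordinary web requests to one port: never flagged
    + [_line(_T0 + timedelta(seconds=i), "ACCEPT", "203.0.113.5", 80) for i in range(15)]
    # 198.51.100.9 probes 12 ports 30 seconds apart: too slow for a 60-second window
    + [_line(_T0 + timedelta(seconds=30 * i), "DROP", "198.51.100.9", 1000 + i) for i in range(12)]
    + ["this line is not in the expected format"]
)


if __name__ == "__main__":
    for src, ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"{src}: {len(ports)} distinct ports within one window")
```

The slow source shows the trade-off: a scan spread out over time stays under a short window's threshold, and lengthening the window or lowering the threshold catches it at the cost of more false positives from busy legitimate clients.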

7. DoS Attack

Unlike a password-based attack, the denial-of-service attack prevents normal use of your
computer or network by valid users.

After gaining access to your network, the attacker can do any of the following:

Divert the attention of your internal Information Systems staff so that they do not
see the intrusion immediately, which allows the attacker to make more attacks during the
diversion.

Send invalid data to applications or network services, which causes abnormal termination
or behavior of the applications or services.

Flood a computer or the entire network with traffic until a shutdown occurs because of
the overload.

Block traffic, which results in a loss of access to network resources by authorized users.

8. DDoS attack

DDoS is short for Distributed Denial of Service. DDoS is a type of DoS attack where multiple
compromised systems, which are often infected with a Trojan, are used to target a single system,
causing a Denial of Service (DoS) attack. Victims of a DDoS attack consist of both the end
targeted system and all systems maliciously used and controlled by the hacker in the distributed
attack.

How DDoS Attacks Work

In a DDoS attack, the incoming traffic flooding the victim originates from many different
sources, potentially hundreds of thousands or more. This effectively makes it impossible to stop
the attack simply by blocking a single IP address; plus, it is very difficult to distinguish
legitimate user traffic from attack traffic when spread across so many points of origin.

The Difference between DoS and DDoS Attacks

A Denial of Service (DoS) attack is different from a DDoS attack. The DoS attack typically uses
one computer and one Internet connection to flood a targeted system or resource. The DDoS
attack uses multiple computers and Internet connections to flood the targeted resource. DDoS
attacks are often global attacks, distributed via botnets.

Types of DDoS Attacks

There are many types of DDoS attacks. Common attacks include the following:

Traffic attacks: Traffic flooding attacks send a huge volume of TCP, UDP and ICMP
packets to the target. Legitimate requests get lost, and these attacks may be accompanied by
malware exploitation.
Bandwidth attacks: This DDoS attack overloads the target with massive amounts of junk
data. This results in a loss of network bandwidth and equipment resources and can lead to a
complete denial of service.
Application attacks: Application-layer data messages can deplete resources in the
application layer, leaving the target's system services unavailable.

Host level security attack


1. Hypervisor attack

A hypervisor attack is an exploit in which an intruder takes advantage of vulnerabilities in the
program used to allow multiple operating systems to share a single hardware processor.

Most often, the attacker uses hypervisor services such as create/delete, clone and migrate to
execute and extend a threat. Rootkits are another potential means of hypervisor attack, although
that method is less common.

A compromised hypervisor can allow the hacker to attack each virtual machine (VM) on a virtual
host. One possible result is an increase in the resource usage of a VM that causes a denial of
service across the host or even across a collection of servers. If multiple virtual servers are
involved, the problem is made that much worse.

Larger software stacks and greater numbers of APIs, along with a lower degree of security
assurance in the code, increase the risk. Larger software stacks and APIs for third-
party applications present a larger attack surface because the larger the amount of code, the more
coding errors it is likely to contain.

SolarWinds Inc., VMware, and HyTrust Inc. are among the vendors of monitoring products that
can detect and prevent hypervisor attacks.

2. Virtual server security

When you're running sensitive data in fluid virtual machines, a lot can change, including the
location of a given asset, the underlying physical server, and more. However, critical demands
don't change: sensitive assets need to be secured at all times. To address security policies and
compliance mandates in virtualized machines, robust, persistent, and auditable controls need to
be applied.

Vormetric Transparent Encryption delivers the virtual server security capabilities you need to
safeguard your sensitive assets. Whether you're running VMware, Microsoft Hyper-V, KVM
(Kernel-based Virtual Machine), or any other standard virtualization platform, Vormetric can
help you address your critical security compliance requirements, with unparalleled efficiency and
low cost of ownership. Vormetric Transparent Encryption delivers these security capabilities for
virtual server protection:
Data-at-rest encryption. Vormetric enables you to encrypt data at the file system or
volume level within virtual machines (VMs) and then use fine-grained, centrally managed
policies to control access to protected data. As a result, you can enforce security policies and
track access, no matter where data is copied or moved.

Granular access controls. Vormetric Transparent Encryption provides fine-grained,
policy-based access controls that restrict access to encrypted data. Privileged users, whether
cloud, virtualization, or storage administrators, can manage systems without gaining access to
encrypted data, unless they have expressly been granted permissions to do so.

Detailed security intelligence. Vormetric logs capture all access attempts to protected
data. These security intelligence logs can accelerate detection of advanced persistent threats
(APTs) and insider abuse because they offer visibility into file access. Further, these logs provide
vital intelligence needed to track and demonstrate security compliance.

Example of Vormetric Transparent Encryption protecting virtual machine data

In addition, Vormetric Application Encryption can be used to add encryption capabilities to
existing applications. With Vormetric Application Encryption, specific columns in a database,
such as social security numbers or credit card numbers, can be encrypted.

Key Features

Automation. For fast rollouts and integration within virtualized machines, both web and
command-line level APIs provide access to the Vormetric Data Security environment for policy
management, deployment, and monitoring.
Multi-tenancy. By delivering capabilities for segregating security management domains,
Vormetric helps organizations address internal security policies and compliance mandates.
Further, these security capabilities enable service providers to establish strong boundaries
between customer environments, while still leveraging centralized visibility and control of
security policies and activities.

Flexible, central administration. Vormetric Transparent Encryption offers support for
implementation in a range of Linux and Windows operating systems. All policy and encryption
key administration is done through the Vormetric Data Security Manager, which can be deployed
as a physical appliance or virtualized service, and either on or off premise, according to your
objectives and environments.

Complete data protection. Vormetric Transparent Encryption is part of the Vormetric
Data Security Platform, a comprehensive encryption security solution that makes it simple to
secure all your organization's sensitive data, whether it resides in virtualized, physical, big data,
or cloud environments.

Application level security attack


1. SQL injection attack

SQL Injection (SQLi) refers to an injection attack wherein an attacker can execute malicious
SQL statements (also commonly referred to as a malicious payload) that control a web
application's database server (also commonly referred to as a Relational Database Management
System, RDBMS). Since an SQL Injection vulnerability could possibly affect any website or
web application that makes use of an SQL-based database, the vulnerability is one of the oldest,
most prevalent and most dangerous of web application vulnerabilities.

By leveraging an SQL Injection vulnerability, given the right circumstances, an attacker can use
it to bypass a web application's authentication and authorization mechanisms and retrieve the
contents of an entire database. SQL Injection can also be used to add, modify and delete records
in a database, affecting data integrity.

As a result, SQL Injection can provide an attacker with unauthorized access to sensitive
data, including customer data, personally identifiable information (PII), trade secrets, intellectual
property and other sensitive information.

How SQL Injection works

In order to run malicious SQL queries against a database server, an attacker must first find an
input within the web application that is included inside of an SQL query.
In order for an SQL Injection attack to take place, the vulnerable website needs to directly
include user input within an SQL statement. An attacker can then insert a payload that will be
included as part of the SQL query and run against the database server.

The following server-side pseudo-code is used to authenticate users to the web application
(request and database stand for the web framework's request object and database handle).

# Define POST variables
uname = request.POST['username']
passwd = request.POST['password']

# SQL query vulnerable to SQLi: the user-supplied values are concatenated straight into the statement
sql = "SELECT id FROM users WHERE username='" + uname + "' AND password='" + passwd + "'"

# Execute the SQL statement
database.execute(sql)

The above script is a simple example of authenticating a user with a username and a password
against a database with a table named users that has a username column and a password column.

The above script is vulnerable to SQL Injection because an attacker could submit malicious input
in such a way that would alter the SQL statement being executed by the database server.

A simple example of an SQL Injection payload could be something as simple as setting the
password field to password' OR '1'='1.

This would result in the following SQL query being run against the database server.

SELECT id FROM users WHERE username='username' AND password='password' OR '1'='1'

An attacker can also comment out the rest of the SQL statement to control the execution of the
SQL query further.

-- MySQL, MSSQL, Oracle, PostgreSQL, SQLite


' OR '1'='1' --
' OR '1'='1' /*
-- MySQL
' OR '1'='1' #
-- Access (using null characters)
' OR '1'='1' %00
' OR '1'='1' %16

Once the query executes, the result is returned to the application to be processed, resulting in an
authentication bypass. In the event of authentication bypass being possible, the application will
most likely log the attacker in with the first account from the query result; the first account in a
database is usually that of an administrative user.
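The login query above against a small users table, as an added example (not from the original assignment): the concatenated form accepts the page's payloads and returns the first (administrative) row, while the parameterised form treats the same input as plain data. The in-memory SQLite table and its two accounts are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table matching the text: the first row is the admin account.
    Passwords are stored in clear only to mirror the page's schema; real systems store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "admin-s3cret"), ("alice", "alice-pw")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, uname, passwd):
    """The page's concatenated query: the input becomes part of the SQL text itself."""
    sql = ("SELECT id FROM users WHERE username='" + uname
           + "' AND password='" + passwd + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, uname, passwd):
    """Parameterised query: the driver passes the values separately, so quotes and OR are data."""
    row = conn.execute(
        "SELECT id FROM users WHERE username=? AND password=?", (uname, passwd)
    ).fetchone()
    return row[0] if row else None


# The payloads quoted in the text above
PASSWORD_PAYLOAD = "password' OR '1'='1"
COMMENT_PAYLOAD = "' OR '1'='1' --"


if __name__ == "__main__":
    db = make_db()
    print("legitimate, vulnerable :", login_vulnerable(db, "alice", "alice-pw"))
    print("OR payload, vulnerable :", login_vulnerable(db, "username", PASSWORD_PAYLOAD))
    print("comment payload, vuln. :", login_vulnerable(db, COMMENT_PAYLOAD, "anything"))
    print("OR payload, safe       :", login_safe(db, "username", PASSWORD_PAYLOAD))
    print("comment payload, safe  :", login_safe(db, COMMENT_PAYLOAD, "anything"))
```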

2. Cross site scripting (XSS)

Cross-site Scripting (XSS) refers to a client-side code injection attack wherein an attacker can
execute malicious scripts (also commonly referred to as a malicious payload) in a legitimate
website or web application. XSS is amongst the most rampant of web application vulnerabilities
and occurs when a web application makes use of unvalidated or unencoded user input within the
output it generates.

By leveraging XSS, an attacker does not target a victim directly. Instead, an attacker would
exploit a vulnerability within a website or web application that the victim would visit, essentially
using the vulnerable website as a vehicle to deliver a malicious script to the victim's browser.

While XSS can be taken advantage of within VBScript, ActiveX and Flash (although now
considered legacy or even obsolete), unquestionably, the most widely abused is JavaScript
primarily because JavaScript is fundamental to most browsing experiences.

How Cross-site Scripting works

In order to run malicious JavaScript code in a victim's browser, an attacker must first find a way
to inject a payload into a web page that the victim visits. Of course, an attacker could use social
engineering techniques to convince a user to visit a vulnerable page with an injected JavaScript
payload.

In order for an XSS attack to take place, the vulnerable website needs to directly include user
input in its pages. An attacker can then insert a string that will be used within the web page and
treated as code by the victim's browser.

The following server-side pseudo-code is used to display the most recent comment on a web
page (database.latestComment stands for the stored comment).

print("<html>")
print("<h1>Most recent comment</h1>")
print(database.latestComment)   # written into the HTML output without any encoding
print("</html>")

The above script is simply printing out the latest comment from a comments database and
printing the contents out to an HTML page, assuming that the comment printed out only consists
of text.

The above page is vulnerable to XSS because an attacker could submit a comment that contains a
malicious payload such as <script>doSomethingEvil();</script>.

Users visiting the web page will get served the following HTML page.

<html>
<h1>Most recent comment</h1>
<script>doSomethingEvil();</script>
</html>

When the page loads in the victim's browser, the attacker's malicious script will execute, most
often without the user realizing or being able to prevent such an attack.

Important Note: An XSS vulnerability can only exist if the payload (malicious script) that the
attacker inserts ultimately gets parsed (as HTML in this case) in the victim's browser.
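The comment page above rendered both ways, as an added example (not from the original assignment): the verbatim version hands the browser a script element, while the output-encoded version turns the same payload into visible text. Python's own HTML parser stands in for the browser to check the Important Note above, that the payload only matters once it is parsed as HTML.

```python
import html
from html.parser import HTMLParser

# The payload quoted in the text above
PAYLOAD = "<script>doSomethingEvil();</script>"

HEADER = "<html>\n<h1>Most recent comment</h1>\n"
FOOTER = "\n</html>"


def render_vulnerable(comment):
    """The page's script as written: the stored comment is inserted verbatim."""
    return HEADER + comment + FOOTER


def render_safe(comment):
    """Output-encode the comment for an HTML text context before inserting it."""
    return HEADER + html.escape(comment, quote=True) + FOOTER


class ScriptCounter(HTMLParser):
    """Counts <script> elements the way an HTML parser (and so a browser) sees them."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_elements(page):
    parser = ScriptCounter()
    parser.feed(page)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    for name, page in (("vulnerable", render_vulnerable(PAYLOAD)),
                       ("safe", render_safe(PAYLOAD))):
        print(f"{name}: {count_script_elements(page)} script element(s)\n{page}\n")
```

html.escape is correct only for the HTML text context used here; a value placed inside an attribute, a script block or a URL needs the encoder for that context.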

3. EDoS
There have been some interesting discussions recently on the topic of attacking the economic
viability of cloud computing. Christofer Hoff, a popular security blogger and Chief Security
Architect at Unisys, has coined a new approach to the use of so-called "cloud based denial-of-service
attacks" or what he calls an "Economic Denial of Sustainability" (EDoS).

The general idea of an EDoS attack is to utilize cloud resources to disable the economic drivers
of using cloud computing infrastructure services. In an EDoS attack the goal is to make the cloud
cost model unsustainable, so that it is no longer viable for a company to affordably
use or pay for its cloud based infrastructure.

In Hoff's post he says "Specifically, this usage-based model potentially enables $evil_person who
knows that a service is cloud-based to manipulate service usage billing in orders of magnitude
that could be disguised easily as legitimate use of the service but drive costs to unmanageable
levels."
Adam O'Donnell, the Director of Emerging Technologies at Cloudmark, points out that "The
billing models that underlie cloud services may not be mature enough to properly account for an
EDoS like attack."

What this means is that just using the cloud for the purposes of easily scaling your environment
may soon not be enough. Traditional scaling and performance planning may quickly be giving
way to cost based scaling methodologies. These new cost centric approaches to scaling cloud
infrastructure will look at more than just monitoring the superficial aspects of your application's
load time but instead focus on how much it's actually costing you.

The ability to adjust based on real time economic factors may soon play an equally critical role
in a company's decision to use "the cloud" or to continue using it. This is
particularly true of infrastructure as a service offerings such as Amazon or GoGrid, where the costs
are passed directly on to the users of the service in a pay per use fashion.

In the platform-as-a-service world, this may not be as big of an issue because of the economies
of scale that companies like Google and Microsoft bring to bear. But for the smaller guys or DIY
clouds, this could pose a major problem.

The classic example Amazon and others use is that of Animoto, but what if 50% of Animoto's
traffic was purely that of an upset customer looking to break the bank? Never underestimate the
power of an upset customer or ex-employee's vendetta. Worse yet, what if that irate customer used
the very cloud as the method to create a denial of sustainability attack? It's become easier than
ever to acquire fake credit card numbers.

For a while it seemed that cloud computing was advancing more quickly than criminals, but this is
probably going to be a short-lived trend, a trend which may have already passed. In the very near
future the next generation of cloud based capacity planning and scaling may start to focus more
on building cost based strategies along with load and user experience: a strategy capable of
determining the optimal cost while also providing comparisons along with everything
else you need to be competitive.

4. Cookie poisoning

On the Web, cookie poisoning is the modification of a cookie (personal information in a Web
user's computer) by an attacker to gain unauthorized information about the user for purposes
such as identity theft. The attacker may use the information to open new accounts or to gain
access to the user's existing accounts.

Cookies stored on your computer's hard drive maintain bits of information that allow Web sites
you visit to authenticate your identity, speed up your transactions, monitor your behavior, and
personalize their presentations for you. However, cookies can also be accessed by persons
unauthorized to do so. Unless security measures are in place, an attacker can examine a cookie to
determine its purpose and edit it so that it helps them get user information from the Web site that
sent the cookie.

To guard against cookie poisoning, Web sites that use them should protect cookies
(through encryption, for example) before they are sent to a user's computer. Ingrian Networks'
Active Application Security platform is one means of securing cookies. When cookies pass
through the platform, sensitive information is encrypted. A digital signature is created that is
used to validate the content in all future communications between the sender and the recipient. If
the content is tampered with, the signature will no longer match the content and the server will
refuse access.
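The signature check described above, as an added example that is not part of the original assignment and not Ingrian's product: the server appends an HMAC-SHA256 over the cookie's payload when it issues the cookie and rejects any cookie whose content no longer matches its signature. The server key and the cookie contents are constructed for the example; the encryption step the text also mentions is not shown here.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side key (assumed); in practice it lives in a key store, never in the cookie.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload, key):
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def make_cookie(data, key=SERVER_KEY):
    """Serialise `data` and append an HMAC-SHA256 signature over it: '<payload>.<signature>'."""
    payload = _b64(json.dumps(data, sort_keys=True, separators=(",", ":")).encode())
    return f"{payload}.{_sign(payload, key)}"


def read_cookie(cookie, key=SERVER_KEY):
    """Return the cookie's data only if its signature still matches the content; otherwise None."""
    try:
        payload, sig = cookie.split(".", 1)
    except ValueError:
        return None            # not even the expected shape
    if not hmac.compare_digest(sig, _sign(payload, key)):
        return None            # content changed after the server signed it
    try:
        return json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None            # signature matched but the payload is not valid JSON


def modified_cookie(cookie, new_data):
    """Simulates the edit the text describes: replace the payload, keep the original signature."""
    _, sig = cookie.split(".", 1)
    payload = _b64(json.dumps(new_data, sort_keys=True, separators=(",", ":")).encode())
    return f"{payload}.{sig}"


if __name__ == "__main__":
    issued = make_cookie({"user": "alice", "role": "user"})
    print("issued  :", read_cookie(issued))
    print("modified:", read_cookie(modified_cookie(issued, {"user": "alice", "role": "admin"})))
```

The signature gives integrity only: the payload is still readable by anyone holding the cookie, so values that must stay private need the encryption step as well, and the cookie should carry an expiry so a captured valid cookie cannot be reused indefinitely.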

5. Backdoor

A back door is a means of access to a computer program that bypasses security mechanisms. A
programmer may sometimes install a back door so that the program can be accessed for
troubleshooting or other purposes. However, attackers often use back doors that they detect or
install themselves, as part of an exploit. In some cases, a worm is designed to take advantage of a
back door created by an earlier attack. For example, Nimda gained entrance through a back door
left by Code Red.

Whether installed as an administrative tool or a means of attack, a back door is a security risk,
because there are always crackers out there looking for any vulnerability to exploit. In her article
"Who gets your trust?" security consultant Carole Fennelly uses an analogy to illustrate the
situation: "Think of approaching a building with an elaborate security system that does bio scans,
background checks, the works. Someone who doesn't have time to go through all that might just
rig up a back exit so they can step out for a smoke -- and then hope no one finds out about it."

6. Google hacking
Browser hijacking is a form of unwanted software that modifies a web browser's settings
without a user's permission, to inject unwanted advertising into the user's browser. A browser
hijacker may replace the existing home page, error page, or search page with its own. These are
generally used to force hits to a particular website, increasing its advertising revenue.
Some browser hijackers also contain spyware, for example, some install a software key logger to
gather information such as banking and e-mail authentication details. Some browser hijackers
can also damage the registry on Windows systems, often permanently.
Some browser hijacking can be easily reversed, while other instances may be difficult to reverse.
Various software packages exist to prevent such modification.
Many browser hijacking programs are included in software bundles that the user did not choose,
and are included as "offers" in the installer for another program, often included with no uninstall
instructions, or documentation on what they do, and are presented in a way that is designed to be
confusing for the average user, in order to trick them into installing unwanted extra software.
There are several methods that browser hijackers use to gain entry to an operating system. Email
attachments and files downloaded through suspicious websites and torrents are common tactics
that browser hijackers use.

7. Man in the middle attack

As the name indicates, a man-in-the-middle attack occurs when someone between you and the
person with whom you are communicating is actively monitoring, capturing, and controlling
your communication transparently.
For example, the attacker can re-route a data exchange. When computers are communicating at
low levels of the network layer, the computers might not be able to determine with whom they
are exchanging data.

Man-in-the-middle attacks are like someone assuming your identity in order to read your
message. The person on the other end might believe it is you because the attacker might be
actively replying as you to keep the exchange going and gain more information. This attack is
capable of the same damage as an application-layer attack.
