Network attacks: an overview
A network attack is defined as an intrusion on a communication infrastructure in order to gain unauthorized access to resources or to exploit existing vulnerabilities. It usually consists of two phases: a passive attack that first analyses the technical environment and collects information, followed by an active attack.
A passive attack analyses network traffic, monitors communications and looks for sensitive information that can be used in other types of attacks, such as passwords. Unencrypted traffic is particularly targeted, and weakly encrypted traffic may be decrypted. Passive interception of network operations results in the disclosure of information without the users' knowledge, but system resources are not altered or disabled in any way.
The best countermeasure against passive attacks is the use of encrypted communication between the device and the server.
In an active attack, the attacker tries to bypass or break into a secured system to steal, alter, disable or destroy resources or data. Successful active attacks result in the disclosure or modification of data. They may be combined with the introduction of a malware component into the targeted system.
Attacks targeting the network infrastructure
These attacks abuse the information the network itself relies on to carry data from a device to a server, and back.
Ping (or ICMP) flood
A ping flood is a simple denial-of-service attack where the attacker sends ping requests to the server in order to overload it with traffic to the point where it can no longer answer. A variant, the Ping of Death ("PoD") attack, involves sending a malformed ping to the server that causes a system crash.
A smurf attack is a ping flood attack with a difference: the attacker's source IP address is spoofed with the IP address of a non-malicious device. Such an attack causes disruption both on the targeted server (which receives a large number of ICMP requests) and on the victim device (which receives a large number of ICMP replies it never asked for).
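From a defender's point of view, both patterns above are visible in ICMP traffic: a ping flood is one source sending far more echo requests than normal in a short window, and a smurf victim is a host that receives many echo replies it never requested. The following added example (not code from the original article) runs that detection logic over a constructed, inline sample of packet records; the thresholds and window size are assumptions to be tuned per network.

```python
from collections import Counter

ECHO_REPLY, ECHO_REQUEST = 0, 8

# Constructed sample: (timestamp in seconds, src_ip, dst_ip, icmp_type).
# Not a real capture; built inline so the example runs offline.
SAMPLE_PACKETS = (
    # one host hammering the server with echo requests in under a second
    [(i * 0.01, "10.0.0.5", "10.0.0.1", ECHO_REQUEST) for i in range(80)]
    # a normal ping exchange: 4 requests, 4 replies, one per second
    + [(i * 1.0, "10.0.0.7", "10.0.0.1", ECHO_REQUEST) for i in range(4)]
    + [(i * 1.0 + 0.002, "10.0.0.1", "10.0.0.7", ECHO_REPLY) for i in range(4)]
    # smurf: replies from a whole subnet land on 10.0.0.9, which never asked
    + [(2.0 + i * 0.005, f"192.168.1.{i}", "10.0.0.9", ECHO_REPLY) for i in range(1, 70)]
)


def bucket(ts, window):
    """Map a timestamp to the index of the fixed-size window it falls into."""
    return int(ts // window)


def detect_ping_flood(packets, window=1.0, threshold=50):
    """Return {(src, dst)} pairs that sent >= threshold echo requests
    inside a single window: the classic ping flood pattern."""
    per_window = Counter()
    for ts, src, dst, kind in packets:
        if kind == ECHO_REQUEST:
            per_window[(bucket(ts, window), src, dst)] += 1
    return {(src, dst) for (_, src, dst), n in per_window.items() if n >= threshold}


def detect_smurf_victims(packets, window=1.0, threshold=50):
    """Return hosts that received >= threshold more echo replies than the
    echo requests they sent in the same window. Unsolicited replies are
    what the spoofed victim of a smurf attack sees."""
    sent = Counter()      # (window, host) -> echo requests sent
    received = Counter()  # (window, host) -> echo replies received
    for ts, src, dst, kind in packets:
        w = bucket(ts, window)
        if kind == ECHO_REQUEST:
            sent[(w, src)] += 1
        elif kind == ECHO_REPLY:
            received[(w, dst)] += 1
    return {host for (w, host), n in received.items() if n - sent[(w, host)] >= threshold}


if __name__ == "__main__":
    print("ping flood sources:", detect_ping_flood(SAMPLE_PACKETS))
    print("smurf victims:", detect_smurf_victims(SAMPLE_PACKETS))
```

The normal ping exchange from 10.0.0.7 stays below both thresholds, so only the flooding source and the smurf victim are reported.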
Spoofing is a technique used to masquerade one Internet (IP) address as another by falsifying data, with the purpose of gaining unauthorized access. There are a few common spoofing types:
- IP address spoofing: creates IP packets with a forged source address to impersonate a legitimate system; often used in smurf attacks,
- ARP spoofing / poisoning: sends forged ARP messages on the network; an ARP message associates a system's logical (IP) address with its hardware (MAC) address,
- DNS spoofing / cache poisoning: inserts wrong data into a DNS server's cache, causing the DNS server to divert traffic by returning wrong IP addresses for device queries.
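ARP poisoning leaves a simple trace: an IP address that was bound to one MAC address suddenly appears in ARP replies with a different one. The following added example (not code from the original article) keeps the first binding seen for each IP, optionally pinned in advance for critical hosts such as the gateway, and reports every reply that contradicts it; the ARP replies are a constructed inline sample, not a real capture.

```python
# Constructed ARP reply stream: (timestamp, sender_ip, sender_mac).
# Not a real capture. 10.0.0.1 (the gateway) is legitimately at aa:...:01;
# at t=5.0 a second MAC starts claiming the same IP, the poisoning pattern.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (0.5, "10.0.0.7", "aa:aa:aa:aa:aa:07"),
    (1.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (5.0, "10.0.0.1", "bb:bb:bb:bb:bb:99"),  # same IP, different MAC
    (5.2, "10.0.0.1", "bb:bb:bb:bb:bb:99"),
    (6.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),  # real owner answers again
]


class ArpWatcher:
    """Track the IP -> MAC binding first seen (or pinned) for each IP and
    record every ARP reply that claims a different MAC for a bound IP."""

    def __init__(self, pinned=None):
        # pinned: optional {ip: mac} bindings known in advance (e.g. the gateway);
        # a pinned binding is never overwritten by what is seen on the wire.
        self.bindings = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.alerts = []  # (timestamp, ip, expected_mac, claimed_mac)

    def observe(self, ts, ip, mac):
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac  # learn the first binding seen
        elif known != mac:
            self.alerts.append((ts, ip, known, mac))
        return known is None or known == mac


def scan(replies, pinned=None):
    """Feed a whole reply stream through a watcher and return its alerts."""
    watcher = ArpWatcher(pinned)
    for ts, ip, mac in replies:
        watcher.observe(ts, ip, mac)
    return watcher.alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_ARP_REPLIES, pinned={"10.0.0.1": "aa:aa:aa:aa:aa:01"}):
        print("ARP conflict:", alert)
```

Pinning matters: without it the watcher trusts whichever MAC it sees first, so a poisoner active before the monitor starts would be learned as the legitimate owner.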
Denial of Service (DoS) and Distributed Denial of Service (DDoS) attack
DoS attacks are designed to cause a service interruption of a targeted server by flooding it with large quantities of useless traffic or external requests. When the DoS attack succeeds, the server can no longer answer, even to legitimate requests.
In a password attack, the attacker tries to crack the passwords stored in a database or a file. There are three major types of password attacks: the dictionary attack, the brute-force attack and the hybrid attack. A dictionary attack uses a list of potential passwords. In a brute-force attack, the attacker tries every possible combination of characters. A hybrid attack combines both previous approaches.
Attacks targeting the server application
These attacks are designed to exploit server application vulnerabilities in order to steal private information, execute dangerous commands or alter a database. They are detailed in dedicated articles.
Attacks targeting the server application-layer
These attacks target the server's inner workings (the application layer) to cause a fault in its operating system or applications, and gain the ability to bypass normal access controls.
Buffer / Heap / Stack overflow
In overflow attacks, the attacker sends a server application more data than it expects. These attacks may result in the attacker gaining administrative access to the server (or the ability to disable security controls to enable future attacks).
In exploit attacks, the attacker knows of a security problem within an operating system or a piece of software, and leverages that knowledge by exploiting the vulnerability.
Attacks targeting the end-users
These attacks are not part of the technical attacks affecting network devices. They are described here for the sake of completeness and because they are widespread.
In a phishing attack, the attacker creates a fake web site that looks exactly like the targeted site, then sends an email tricking users into clicking a link that leads to the fake site. When a user attempts to log in with their account information, the attacker records the username and password and then logs in to the targeted site with that information.
In a close-in attack, the attacker attempts to get physically close to network systems, data and components in order to learn more about the network. One popular form is the social engineering attack, which refers to the psychological manipulation of employees into performing actions that can leak confidential information; that information is then used in a later attack to gain unauthorized access to a system or network.